Shot 28…

Hello hello, a few of us are currently in the kitchen battling with a centurion!

*shot 29*

(If anyone doesn't know what that is: A, don't come to uni, and B, allow me to explain.
Every minute, on the minute, you all drink a shot glass of beer *shot 30*. The idea is to get to 100 shots (100 mins). It may sound easy, as it's only about 4 pints, but damn, it's hard!)

So anyway, since the laptop's in the living room (where we are) to do the 1 min recursive countdown and play music, I thought I may as well get my blog up to date, as well as read some crazy new BOFH! *shot 31 and 32 somewhere in there*

Anyway, today and yesterday (mainly in the early morning, as I've been pretty nocturnal these past few days) *37* my focus has been on one of the things on my todo list: VOIP!

(This post will be updated throughout the centurion! So that's all for now. More on VOIP later, or maybe tomorrow.) *38*

Back again!
I'm sure the 'dings' for each minute are getting closer together; either way, I think we are all feeling the effects! We're now on shot 45! Anyway, VOIP: I have been looking into Asterisk (*), which is a software PBX for the Linux platform. It allows for all the standard PBX features (call routing, extensions, call transfer, multiple trunks etc.) plus voicemail, automated attendants and queueing, and as it's GPL'd there are a tonne of add-in modules. It supports SIP and IAX2 VOIP trunk protocols (amongst others), and then inbound and outbound routes based on anything from caller ID to incoming line or serial port (for POTS, 'Plain Old Telephone System', lines... you do need a separate (80 quid) voice card for that though).

So yeah, I'd suggest you try it out if you need a small-medium PBX. I'm just using it at home, but it's great, because as I will be moving out of student halls soon, my phone number will stay with me wherever I am, and I don't need to pay BT a line rental 😀

I'm using a VOIP company called 'voiptalk.co.uk' to buy the IAX trunk credit. (This gives you settings to route calls through an IAX Asterisk trunk to the POTS, i.e. 0161 xxx xxx standard phone numbers (mobiles too), for really cheap prices (1.2p/min UK landline, 11p/min UK mobile), which I didn't think was bad.)

Anyway, if you're interested have a gander. (Search for 'trixbox': it's Asterisk packaged up in an easy to install Linux distro, based on CentOS, with a built-in web GUI (FreePBX) and call routing manager.)

//Matt

PS. Me and Joe beat the hell out of the centurion, stopping at 138 out of sheer 'this is getting tedious now'-ness. Not really sure what the fuss is about 😛 good fun though!

Chess

Back at uni again, about to go to bed (gotta do tech for a gig at the Pint Pot tomorrow so can't sleep in). Martin and Joe are having a friendly game of chess in the living room/box listening to music from our house's TASTY NEW SHOUTCAST SERVER!

We had a spare PC knocking around, so that's now in the living room, with a T-amp and some speakers, on Ubuntu, constantly connected to a SHOUTcast server which Martin is currently running. This in turn is getting its content from an instance of Winamp on the same server, which is running the Winamp web interface, so anyone in the house can put songs on / add / change the playlist from their PC / PDA. Seems to be working quite well.

Of course, anyone else in the house can also connect to the stream and listen to the same music in their rooms! (Killers – Everything Will Be Alright at the mo 🙂)

Apart from that, it has been quite a quiet day, although I have started putting together the pieces (based on an old laptop) for an in-car music PC (made a lot easier due to the Winamp web interface) that will sit in my boot and hold my music library, connected up to my car's speakers, allowing me to then use my phone/PDA as a remote (woo... no more Radio 1!)

Still on my todo list are IPv6, Solaris ZFS (think I may do that on VMware with a few virtual disks, instead of having to wait till I have the money to buy new hardware) and now BGP (Border Gateway Protocol, on Cisco kit).

Funfun!

Later people

//Matt

Routing Update + Dad’s Birthday

Back at home tonight as it's my dad's birthday, and it gives me a perfect excuse to bring my laptop home and try my new remote access system properly!

Connected through it now. I have both a direct Windows file share open (//192.168.1.1) and an RDP session to my main PC; both are working perfectly, and the VPN is stable, hasn't died on me once!

I also found an OpenVPN client for my Windows Mobile phone, which works really well over UMTS! So I think in future a web-page listing of all my NAS folders will be on the cards, so I can stream music to my phone on the move etc.

Talking of streaming music though, the upload speed from my uni room is just a little too slow for non-juddery audio, which sucks, but will hopefully be sorted by moving down south 😛 (somehow doubt I can ask our tech people at uni to give my room higher tube speeds!)

Heard some feedback about my last post regarding this project, which was cool, as this blog is really just a reference for myself, but it's also good to know people read it! (Seems slightly less pointless that way.)

I think the next stage in this remote access system is going to be setting up another public/private key pair for Martin, so he can use the VPN tunnel to access his stuff, and to put some access controls on that connection via OpenVPN to restrict access to just the 2.x subnet.

Hmm... Also thinking about it, maybe we could establish a new p2p tunnel from my server to Martin's uni connection, then via our fast internal house network up to my Linux server. Then we could use bonded PPP or BGP to double the upload bandwidth for remote access! (Must ask Martin about that!)

Anyway, guests are arriving, and i’m going to go and partake in some Guinness drinking (Happy Paddy’s day!!)

//Matt

(PS, as a side note, it occurred to me today I could have used a GRE tunnel for the p2p section instead of OpenVPN. Would there be any advantages to this? I used OpenVPN as it was handy, but I'm guessing it's better due to the encryption!)

IP Routing, Rules and Redirects!

Hello again my minions!

Randomly started an interesting project last night, while thinking about wanting access to my NAS and network via wifi (but secure) and also better, more reliable remote access to my PCs even when they are behind a NAT or two.

My current layout involves a custom WRT54G router performing NAT onto the 200.x subnet, connected to my multi-homed Linux server/router that routes and firewalls between the 200.x subnet for internet, my personal 1.x subnet, and the rest of my house's 2.x subnet (Martin's NAS, Sam's server etc.). (My server also serves Apache, Samba etc., but that doesn't matter here.)

I decided the way to go was OpenVPN, as I am very comfortable with its configuration, and prefer a fully routed VPN over port-by-port clientless SSL (web based) access solutions.

I set up a PKI-based OpenVPN system, allowing a client to log on with a correctly signed certificate and private key pair instead of a username/password combination.

The wifi point is built into my NAT router, and so by default wireless clients get assigned an IP in the 'internet only' 200.x range, with access to the web via NAT but on the wrong side of the Linux firewall to gain access to the network. (It's still WPA2-PSK protected, but I guess that's just my paranoia :P)

I set up my laptop with a client configuration which tries to establish a tunnel to 192.168.200.2 (the Linux server, from the 200.x subnet; only OpenVPN is allowed through the firewall) first, and falls back to an internet-routable IP should that be unreachable (I'll explain that in a mo).

I also configured OpenVPN to push route information for my subnets to clients at logon, minimizing configuration.

I started the OpenVPN server and connected my client. Everything worked first time. I am still using 192.168.200.1 as my default gateway (as I don't want internet traffic having to route in and out of my net again), however connecting to my web server or file shares on any of my PCs works perfectly, and speedy enough over 54Mbps wifi.
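To make that concrete, here is an added example of what the two ends can look like. These are not the config files from the original post (which doesn't reproduce them): the LAN address 192.168.200.2 and the 1.x/2.x subnets come from the post, while the VPN pool 10.8.0.0/24, the public IP 203.0.113.10, the file paths and the certificate names are assumptions. The per-client file in the middle is one way of doing the 'restrict Martin to the 2.x subnet' idea from the routing-update post above.

```conf
# /etc/openvpn/server.conf on the home Linux server (192.168.200.2)
# Assumed: PKI files under /etc/openvpn/pki, VPN pool 10.8.0.0/24.
port 1194
proto udp
dev tun0
multihome                            # server has several addresses (LAN + the public IP on the p2p tunnel):
                                     # reply from the address the packet arrived on, not whatever the main table picks
topology subnet                      # one /24 for all clients (OpenVPN 2.1+)
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh2048.pem
tls-auth /etc/openvpn/pki/ta.key 0   # HMAC on the control channel: unsigned packets are dropped before any TLS work
crl-verify /etc/openvpn/pki/crl.pem  # a lost laptop's cert gets revoked instead of re-keying everyone
# Routes pushed at logon so clients need no local config.
# No redirect-gateway: clients keep their own default route for internet traffic.
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd   # per-client overrides, keyed by certificate CN
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3

# /etc/openvpn/ccd/martin  (file name = CN in Martin's certificate)
push-reset                               # drop the global pushes...
push "route 192.168.2.0 255.255.255.0"   # ...and hand him only the 2.x route
ifconfig-push 10.8.0.50 255.255.255.0    # fixed tunnel IP so a firewall rule can match him
# Pushed routes are advice, not enforcement. The actual restriction is on the
# server's FORWARD chain (assumed rules):
#   iptables -A FORWARD -i tun0 -s 10.8.0.50 -d 192.168.2.0/24 -j ACCEPT
#   iptables -A FORWARD -i tun0 -s 10.8.0.50 -j DROP

# client.conf on the laptop: remotes are tried in order, so the LAN address is
# attempted first and the public IP only when that one is unreachable.
client
dev tun
proto udp
remote 192.168.200.2 1194            # on the home wifi: straight to the server
remote 203.0.113.10 1194             # anywhere else: the public IP (assumed) policy-routed to the same server
server-poll-timeout 5                # move to the next remote after 5s rather than the 60s handshake window (newer OpenVPN)
resolv-retry infinite
nobind
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1
remote-cert-tls server               # refuse another client's cert posing as the server (server cert needs the serverAuth EKU)
persist-key
persist-tun
verb 3
```

The two lines worth remembering are `multihome` and `remote-cert-tls server`: without the first, replies to connections that arrived on the tunnel's public IP get the LAN address as source and vanish; without the second, any certificate signed by the same CA (i.e. any other VPN client) can impersonate the server to a laptop on a hostile wifi.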

With all this working, my plan was then to purchase another fixed IP address on my dedicated server (this web server) and use iptables to route all traffic to that destination IP to my Linux firewall/router down a static p2p VPN tunnel between the web server and my Linux server.

Then I had a better idea, as forwarding everything (especially UDP) in iptables was a horrible way to do things, as I'd most probably have to use NAT, which seemed to lack elegance somewhat.

I created the p2p OpenVPN tunnel as planned, but instead of adding the new internet IP address to my web server's network card (ip addr add blah.blah.blah.blah dev eth0) and then iptables-ing the traffic down the tunnel, I instead added the IP address to the p2p VPN tunnel's tun interface on my (local, in my room) side, then added a static route on my web server telling it that the new internet IP address I had purchased was reachable at 10.0.0.2 (the Linux server side of the p2p VPN tunnel), and finally enabled IP forwarding on my web server.

So far so good! I had an actual internet IP available to me in my room now, behind the university's NAT, properly routed back to the web! I opened a UMTS connection to the internet through my phone + Bluetooth + laptop, and tried pinging my new IP. I did not get replies, but loading Wireshark on my Linux server did show the ping requests were getting to me down the tunnel!

However (and I should have seen this coming, but I was tired as it was now about 5am) my server replied to an internet IP, and so of course it routed via the default route, which was my local NATed internet connection, so no wonder the replies did not get through. I still had a bit to go before getting a full TCP session to occur!

So now I needed a way to change the default route depending on where the traffic was going to / coming from.

A quick refresher on the 'ip rule' toolset within the iproute2 software and I was able to create a separate routing table called table_tunnel. In it I placed the single route 'ip route add default via 10.0.0.1 dev tun1 table table_tunnel'. I then created a rule that told the system that any IP data with a source address of my new internet IP should traverse the 'table_tunnel' routing table to find out where to go, and so consequently all data coming in to my new internet IP also leaves via the tunnel, allowing proper TCP communication, while my normal internet browsing continues to work via the standard 'main' and 'local' routing tables.

Success! I finally got ping replies from my dial-up (UMTS) laptop!

I then just had to script all the changes to make them survive reboots, daemonise the OpenVPN processes, and tighten up the firewall on the incoming p2p VPN tunnel to only allow the OpenVPN UDP port (as that's what I will be doing all my remote access over, so why leave anything else open, when OpenVPN will give me access into my subnet anyway).
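For reference, this is an added script (not the one from the original post) that does the same routing on both ends and can be checked before it is applied. The tunnel addresses 10.0.0.1 (web server) and 10.0.0.2 (home server) and the interface tun1 come from the post; the public IP 203.0.113.10, routing table number 100 and the OpenVPN port 1194 are assumptions. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: policy routing for a public IP terminated over the p2p tunnel.
# Tunnel ends (from the post): 10.0.0.1 = web server, 10.0.0.2 = home server, both on tun1.
# Assumed: the purchased public IP is 203.0.113.10 and table number 100 is free.
# Set DRY_RUN=1 to print the commands instead of running them.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
TUN_IF="${TUN_IF:-tun1}"
WEB_END="${WEB_END:-10.0.0.1}"      # web server's tunnel address
HOME_END="${HOME_END:-10.0.0.2}"    # home server's tunnel address
TABLE_ID=100
TABLE_NAME=table_tunnel
OVPN_PORT=1194

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Home server: put the public IP on the tunnel, and make anything *sourced*
# from it consult table_tunnel (default via the web server end) instead of
# the main table, whose default route points at the NATed uni connection.
home_side() {
    grep -qs "^$TABLE_ID[[:space:]]$TABLE_NAME" /etc/iproute2/rt_tables ||
        run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    run ip addr add "$PUBLIC_IP/32" dev "$TUN_IF"
    run ip route add default via "$WEB_END" dev "$TUN_IF" table "$TABLE_NAME"
    run ip rule add from "$PUBLIC_IP" lookup "$TABLE_NAME" priority 1000
    # Only OpenVPN is reachable on the public IP; everything else arriving
    # down the tunnel for that address is dropped before any local service sees it.
    run iptables -A INPUT -i "$TUN_IF" -d "$PUBLIC_IP" -p udp --dport "$OVPN_PORT" -j ACCEPT
    run iptables -A INPUT -i "$TUN_IF" -d "$PUBLIC_IP" -j DROP
}

# Web server: forward traffic for the public IP down the tunnel to the home end.
webserver_side() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add "$PUBLIC_IP/32" via "$HOME_END" dev "$TUN_IF"
}

# Home server: confirm which way a reply sourced from the public IP would go.
# 198.51.100.1 stands in for any internet host; the answer must say "dev tun1",
# which is exactly the check that would have caught the 5am default-route problem.
verify_home() {
    run ip rule show
    run ip route show table "$TABLE_NAME"
    run ip route get 198.51.100.1 from "$PUBLIC_IP"
}

case "${1:-}" in
    home)   home_side ;;
    web)    webserver_side ;;
    verify) verify_home ;;
    "")     ;;   # no argument: only define the functions
    *)      echo "usage: $0 home|web|verify" >&2; exit 2 ;;
esac
```

Run it as `./tunnel-route.sh home` on the Linux server and `./tunnel-route.sh web` on the web server; since the routes die with tun1, the natural place to call it is an OpenVPN `up` script on each end. The web server's FORWARD chain is assumed to permit the tunnel traffic.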

And so now, when I start OpenVPN on my laptop, if I'm not connected to my wifi (i.e. somewhere around the world on the internet), it cannot connect to 192.168.200.2, and so tries the internet IP, which ends up at the same OpenVPN server on my local network, but via a real internet IP and a bit of clever routing!

Downside: I've been up all night
Upside: I can access all my data wherever I am... and even if I move house in the future, that internet IP will still allow me to access my systems, as there's nothing dependent on the local home internet IP/details 😉

Also... should I want to host other things from home to the public (quickly set up Apache/FTP/voice server), it's as easy as changing one iptables rule!

I Have intertubes in my room!!!!

//Matt

More life ramblings!

Evening,

Once again no posts for days and days; have been pretty busy with a few things. We currently have internetworking coursework, studying the joys of traceroute. Our mail server at work was pretty much DDoS'd by some n00b trying to use us as a spam relay, even though it wouldn't let spam through!

Other than that, I'm currently planning on building a media center box, but maybe I'll wait to see if I move up to Reading: nice 32″ TFT and media center for the living room!

I also want to have a play with some GPL PABX software, get more to grips with Solaris (especially ZFS! looks amazing) aaand tackle IPv6! But all in time 😛

(ooh, also watching a lot of scrubs, but ahh well).

8iuy6t7itgvo76tg7ytg67ytg87opty7 < Joe’s Input to this conversation…. chump!

Connor (to be sure) and Lucinda are always buzzing around at the moment as he's recording his film project; tonight Lucinda's having her eye cut out by her ex-boyfriend, who got her pregnant (apparently).

In other news, reformatted my Linux NAS and routing server. Realized one day that uploads and downloads to/from my server were pretty slow for a gigabit link, and connections to Martin's NAS (also gigglebeet) even slower. So I started to diagnose everything: client drivers, cables, switches, server programs (Samba, iptables etc.), and finally decided it MUST be the Linux drivers for the gigabit PCI cards I am using.

To make sure of this, I re-installed my Linux server, and a hell of a lot of Googling on those gigabit cards seemed to back up my diagnosis. So I'm currently trying to find myself some cheap Intel PRO/1000 MT dual port server gigabit network cards, as the Linux drivers are rock solid!

Anyone willing to donate one? two?

Anyway, that's about all for now. Need to finish up some coursework and maybe hit up an Asda/KFC with housemates.

//Matt