This note describes a setup that uses a Linksys WRT54 router to connect to a remote network over VPN and give multiple PCs on the home network access to that remote network in much the same way as they access the Internet (through NAT). It is assumed that a VPN server is already available on the remote network and that the “openvpn” client can be used to connect to it. The WRT54 router is assumed to be connected to the local network and not used for WAN/Internet access.
The standard Tomato distribution as of today does not include openvpn, so a modded version is required (download from here):
http://www.tomatomod.de/TomatoMod_1.19.1464-OnlyEssentials.7z
The script below has to be updated with the correct addresses, VPN parameters, certificates and private key.
It can then be pasted into the “Firewall” script textbox under “Administration->Scripts” in the Tomato menu. Because the script holds the decrypted client private key, anyone who can open the router's administration pages can read that key.
The iptables commands for DNS_ADDRESS are not required, but they are useful for making the router mimic the remote network's DNS. The local DNS server can then be set up to forward requests for the remote network's domain directly to the router on the local network.
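# Load the TUN/TAP driver and create the tap0 device
insmod tun.o
cd /tmp
ln -s /usr/sbin/openvpn /tmp/vpn
./vpn --mktun --dev tap0
ifconfig tap0 up
sleep 5
# NAT traffic from the local network (A.B.C.D/MASK) out through the tunnel
iptables -t nat -A POSTROUTING -s A.B.C.D/MASK -o tap0 -j MASQUERADE
# Optional: redirect DNS queries arriving on the LAN bridge to DNS_ADDRESS
iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to DNS_ADDRESS
iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to DNS_ADDRESS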
echo "
# ================== use your config here ======================
client
dev tap0
remote VPN.SERVER.IP
resolv-retry infinite
tls-client
persist-key
persist-tun
ca ca.crt
cert cl.crt
key cl.key
ns-cert-type server
comp-lzo
verb 3
# ================ end use your config here =====================
" > /tmp/cl.conf
echo "
-----BEGIN CERTIFICATE-----
Cut&paste the CA or server certificate here.
-----END CERTIFICATE-----
" > /tmp/ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
Cut&paste client private key here.
In order to decrypt it first use (for RSA):
> openssl rsa -in key.pem
-----END RSA PRIVATE KEY-----
" > /tmp/cl.key
chmod 600 /tmp/cl.key
echo "
-----BEGIN CERTIFICATE-----
Cut&paste client certificate here.
-----END CERTIFICATE-----
" > /tmp/cl.crt
./vpn --config cl.conf &
I have just read an interesting NewScientist article. It mentioned that they have had unprecedented success with artificial aging of wine. To be precise, they mentioned taking a cheap 3-month-old cabernet sauvignon and making it taste and smell like a really good wine, according to a blind test by a group of wine experts. The chemical analysis also showed that the treatment sped up production of chemical compounds usually found in aged wine.
The process involved placing the wine for 3 min in a 600 V/cm electric field.
That should not be that hard to try at home unless some important details were missing from the article.
Maybe I should take an old TV and replace the picture tube with appropriately sized wine container between two plates under high voltage…
Note that they said that overexposure will ruin the wine…
It has happened many times that I’d spend long hours looking for a solution to a particular software or hardware problem or just searching for information on an interesting subject. After the problem is solved, the details usually fade from memory pretty quickly, and if a similar problem resurfaces a lot needs to be rediscovered. Blogging software that allows publishing a quick memo, with images, links etc. attached, from anywhere in the world seems to be the most convenient way of keeping a record for future reference and sharing.
After looking around a little bit, I finally decided to go ahead with WordPress, mainly due to its famous 5-min install claim and despite the fact that it drags MySQL and PHP onto my site…
I’m using IIS under W2K (for historical reasons) and quick research showed that there should be no problems with installing any of the packages needed. Moreover, there are even MSI distributions of PHP and MySQL available.
The MySQL MSI setup was relatively painless. The only problem encountered was the failure to start the installed service. That problem appears to be caused by some race conditions. Clicking the “Back” button and asking the installer to install the MySQL service under a different name solved the problem (I just needed to clean up the first service entry from HKLM\System\CurrentControlSet\Services after that).
The PHP MSI caused much more trouble. It only allowed installation for running PHP in CGI mode, and did not set up any file associations in IIS (maybe it only works with IIS6 and up). Anyway, I completed the setup manually, the phpinfo.php script worked fine and everything appeared to be up and running, except WordPress. Server error 500 with no other information showed up any time I tried to access the WordPress pages. After a painful investigation the problem was narrowed down to the “new” operator on the WP_Error class. At that point I just replaced the MSI distribution with the PHP ZIP binary distribution for Windows, set up the server to use the PHP ISAPI DLL, and finally everything started to work (and worked noticeably faster).
Conclusion: it is better to stay away from php-cgi.exe
After that point there seem to be no nasty surprises. It is probably overkill to run that much software for a personal blog, but the WordPress UI is really nice, and there are tons of plugins and support information. All that is unlikely to be as easily available for a simple personal blog solution.
Microsoft has changed how raw sockets behave several times over its OS release history. Starting with XP SP2, transmission through raw sockets is restricted on the client family of OSes to prevent sending hand-crafted frames of particular types (TCP, UDP with foreign source addresses, …). Fortunately, ICMP frames can still be sent, and applications that use ICMP over raw sockets are still compatible with, or easily portable to, the various Windows OSes.
The only reasonable alternative to raw sockets for working with ICMP under Windows is the ICMP API DLL. That method is acceptable for simple use cases, but it does not allow customization or fine control over what is transmitted and received. If an application has to manage the TTL, payload and types of ICMP messages, examine the responses, be portable, or is built around Winsock for all its other operations, the ICMP API is not an acceptable or desirable choice.
The problem is that, starting with Windows Vista, applications that under XP would successfully receive ICMP responses such as “Destination Unreachable” or “TTL Expired” no longer see them. For such applications to work correctly under Windows Vista, small adjustments have to be made. The following code snippet shows how to set up a raw socket under Vista so that it receives frames as it did under Windows XP or 2K.
#include <winsock2.h>
#include <mstcpip.h>   /* SIO_RCVALL */

/* Assumed context (not shown in the original snippet): s is a raw ICMP
   socket and src is the local address it will be bound to. */
SOCKET s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
sockaddr_in src = {0};
src.sin_family = AF_INET;

/* Get the address of the interface to work with (using the first one found here) */
hostent *host_addr_list = gethostbyname(NULL);
if(host_addr_list == NULL)
{
    /* Handle error here */
}
else
{
    src.sin_addr.S_un.S_addr = *((u_long *)(host_addr_list->h_addr_list[0]));
}

/* Bind the socket */
if(bind(s, (sockaddr *)&src, sizeof(src)) != NO_ERROR)
{
    /* Handle error here */
}

/* Run the IOCTL that disables packet filtering on the socket. */
DWORD tmp, prm = 3; /* "RCVALL_IPLEVEL" (Vista SDK) */
if(WSAIoctl(s, SIO_RCVALL, &prm, sizeof(prm), NULL, 0,
            &tmp, NULL, NULL) == SOCKET_ERROR)
{
    /* Handle error here */
}
Note that you have to bind the socket to a specific interface address. This is required for the RCVALL_IPLEVEL IOCTL to work.
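With filtering disabled, the socket also delivers frames that have nothing to do with the application's own probes, so each received frame has to be parsed and matched before it is trusted. The following is an added example, not code from the original post: a portable, bounds-checked classifier for the frames such a socket returns, where `classify_icmp`, `ip_hdr_len` and the sample frame are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum icmp_match { NOT_OURS, ECHO_REPLY, DEST_UNREACH, TTL_EXPIRED };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Length of the IPv4 header at p, or 0 if malformed or longer than n bytes. */
static size_t ip_hdr_len(const uint8_t *p, size_t n)
{
    size_t ihl;
    if (n < 20 || (p[0] >> 4) != 4) return 0;
    ihl = (size_t)(p[0] & 0x0F) * 4;
    return (ihl < 20 || ihl > n) ? 0 : ihl;
}

/* Classify one frame, starting at its IP header as a raw socket delivers it,
   against the echo request sent with identifier id and sequence number seq. */
enum icmp_match classify_icmp(const uint8_t *buf, size_t len, uint16_t id, uint16_t seq)
{
    size_t ihl = ip_hdr_len(buf, len), in_ihl;
    const uint8_t *icmp = buf + ihl, *in, *orig;
    if (ihl == 0 || buf[9] != 1 || len - ihl < 8) return NOT_OURS;  /* 1 = ICMP */
    if (icmp[0] == 0)                       /* Echo Reply carries id/seq itself */
        return (rd16(icmp + 4) == id && rd16(icmp + 6) == seq) ? ECHO_REPLY : NOT_OURS;
    if (icmp[0] != 3 && icmp[0] != 11) return NOT_OURS;
    /* Error messages quote the offending datagram: its IP header plus its
       first 8 bytes, which for an echo request hold type, id and seq. */
    in = icmp + 8;
    in_ihl = ip_hdr_len(in, len - ihl - 8);
    if (in_ihl == 0 || in[9] != 1 || len - ihl - 8 - in_ihl < 8) return NOT_OURS;
    orig = in + in_ihl;
    if (orig[0] != 8 || rd16(orig + 4) != id || rd16(orig + 6) != seq) return NOT_OURS;
    return icmp[0] == 3 ? DEST_UNREACH : TTL_EXPIRED;
}

/* Constructed sample: Time Exceeded from 192.0.2.1 quoting our echo request
   (id 0x1234, seq 7) to 198.51.100.9; checksums zeroed, not verified here. */
static const uint8_t sample_ttl_expired[56] = {
    0x45,0,0,56, 0,0,0,0, 64,1,0,0, 192,0,2,1, 192,0,2,10,      /* outer IP  */
    11,0,0,0, 0,0,0,0,                                          /* ICMP 11/0 */
    0x45,0,0,28, 0,0,0,0, 1,1,0,0, 192,0,2,10, 198,51,100,9,    /* quoted IP */
    8,0,0,0, 0x12,0x34, 0,7                                     /* echo req  */
};

int main(void)
{
    printf("%d\n", classify_icmp(sample_ttl_expired, sizeof sample_ttl_expired, 0x1234, 7));
    return 0;
}
```

Frames whose quoted identifier or sequence number does not match, or that are too short to hold the quoted header, are reported as `NOT_OURS` rather than parsed further.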