Saturday, September 23, 2006

HAMSTER DANCE VIDEO

Hamster dance...multicolour style.
I remember back when the little guy was just a set of animated GIFs in a row.

Sunday, August 06, 2006

Openvpn with Clarkconnect 3.2

I recently installed and configured openvpn 2.0.7-1 to work on my Clarkconnect 3.2 firewall.

Here is what I did.

Download the openvpn rpm from:
http://dag.wieers.com/packages/openvpn/
The specific one I downloaded was:
http://dag.wieers.com/packages/openvpn/openvpn-2.0.7-1.el3.rf.i386.rpm

Download lzo from:
http://dag.wieers.com/packages/lzo/
The specific one I downloaded was:
http://dag.wieers.com/packages/lzo/lzo-1.08-4.1.el3.rf.i386.rpm

Then install both RPMs with rpm -ivh
lzo needs to be installed first.

Okay, then the configuration part.

Take a look at the documentation for openvpn:
http://openvpn.net/howto.html#install

The first thing I did was cd to /usr/share/doc/openvpn-2.0.7/
Then cd to easy-rsa

And follow the instructions on creating your own PKI from the openvpn howto guide.

After that cd back up one level to /usr/share/doc/openvpn-2.0.7/

Then cd in to the sample-config-files directory

Copy the server.conf file to /etc/openvpn

You will also need to copy the following files from the /usr/share/doc/openvpn-2.0.7/easy-rsa/keys folder:
ca.crt
dh1024.pem
server.crt
server.key

Then you will need to modify the server.conf file in /etc/openvpn to reflect your set up.

The conf file has a pretty good set of comments to tell you all about what needs to be filled in and how it needs to be set. I really did not do anything special for the Clarkconnect firewall.

I did set
push "redirect-gateway"
so all traffic would go through the vpn and be encrypted.

Okay, here is the magic part for Clarkconnect.

You need to go to the clarkconnect web admin. Select the Network tab, then under Firewall select Incoming.

You want to allow incoming connections on port 1194 (or whatever port you set up in your /etc/openvpn/server.conf file) for UDP or TCP, depending on how you set up your server.conf file.

Here is what stumped me for a while.

The problem is that all the iptables examples given on the openvpn site use the -A option, which is append. This, errrr, appends the rule at the bottom of the table. The problem with this is that it places the new rule after the very useful firewall rule that says "deny anything from anywhere": the packets hit the deny-anything rule and boom, they get dropped on the firewall floor.

So to get around that, do this.

cd to /etc/rc.d
vi rc.firewall.local

I added something like this:
iptables -I INPUT -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT

Okay I changed that entry a little.
iptables -I OUTPUT -s 192.168.7.100 -d 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT

On iptables -I OUTPUT the -s (source) address is the IP of the internal interface on your clarkconnect box,
and 10.8.0.0/24 is the subnet for the openvpn connections. I guess it would work with the interface instead of the source address.
The -i tun0 worked except for the OUTPUT rule.

This way the rule gets added higher in the iptables chain and the packets are passed on instead of dropped. Also, by using rc.firewall.local the rules will survive a firewall restart.
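The ordering problem above, as an added example (my code, not from the post or from openvpn or Clarkconnect): a small first-match chain evaluator with a constructed INPUT chain, showing that -A lands the tun0 ACCEPT below the catch-all deny while -I lands it above, without letting unrelated outside traffic through. The LAN 192.168.7.0/24 and the addresses 10.8.0.6 and 203.0.113.9 are assumed sample values.

```python
# Added example, not from the original post: a small simulation of iptables
# first-match evaluation showing why "-A" (append) lands the new ACCEPT rule
# under ClarkConnect's catch-all deny while "-I" (insert) puts it above it.
import ipaddress

def make_rule(target, src=None, in_iface=None):
    """A rule with optional -s (source network) and -i (input interface) matches."""
    return {"target": target, "src": src, "in": in_iface}

def matches(rule, pkt):
    """True when every match the rule specifies holds for the packet."""
    if rule["src"] is not None:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
            return False
    if rule["in"] is not None and rule["in"] != pkt["in"]:
        return False
    return True

def evaluate(chain, pkt, policy="DROP"):
    """The first matching rule decides, as in a netfilter chain; else the policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def append_rule(chain, rule):
    """iptables -A: the new rule goes to the bottom of the chain."""
    return chain + [rule]

def insert_rule(chain, rule, position=1):
    """iptables -I: the new rule goes to the top (position 1) by default."""
    return chain[:position - 1] + [rule] + chain[position - 1:]

# Constructed stand-in for the firewall's INPUT chain: LAN allowed, then the
# "deny anything from anywhere" rule the post describes at the bottom.
BASE_INPUT = [make_rule("ACCEPT", src="192.168.7.0/24"), make_rule("DROP")]
VPN_RULE = make_rule("ACCEPT", in_iface="tun0")        # the rule from rc.firewall.local
VPN_PKT = {"src": "10.8.0.6", "in": "tun0"}            # a client inside the tunnel
INTERNET_PKT = {"src": "203.0.113.9", "in": "eth0"}    # unrelated traffic from outside

def verdict_with_append(pkt=VPN_PKT):
    return evaluate(append_rule(BASE_INPUT, VPN_RULE), pkt)

def verdict_with_insert(pkt=VPN_PKT):
    return evaluate(insert_rule(BASE_INPUT, VPN_RULE), pkt)
```

The real Clarkconnect chain has many more rules, but the decision logic is the same: whatever sits above the deny-all rule wins.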

That pretty much configures the server.

For clients I used:
For OS X, Tunnelblick
http://tunnelblick.net/
Go right for the version 3.0 product (it was rc3 when I grabbed it); the 2.0 version just did not work.

For Windows, OpenVPN GUI for Windows :-)
http://openvpn.se/

You will need to check the instructions on where to copy the client certificates that you created in the /usr/share/doc/openvpn-2.0.7/easy-rsa/ folder.

That pretty much is all I did to get it to work.

I'm still having a problem with routing to the CC box using the inside interface when the tunnel is up. I can now get to the internal interface after entering the OUTPUT iptables rule shown above. Anything to the outside interface (the public IP) is unencrypted, I think. This means any service I normally get from the clarkconnect box is not working right.

Oh yeah, and it really does not work too well when I'm trying to connect from the inside; you really need to be on the outside connecting to get a good test.

So far though it seems to work.

Sunday, July 30, 2006

Lightning

This was from a storm that came out of the North East on July 19, 2006. It is one of the few storms I can remember that followed that track. There were 90 mph winds recorded.

One of the things that was unique was nearly constant lightning for a period of time. That is what made these shots possible.

Wednesday, May 31, 2006

The joy of a Digital Camera


CIMG1760
Originally uploaded by reboot95.
Hey, check this photo out. I have this plant in front of my house; one evening when I got home I thought I would take some macro photos of it.

Well, this bee kept buzzing around and around. It was pretty hard to catch it still long enough to snap the photo. That is one nice thing about digital cameras: even if you take 8 shots to get one good one you don't feel so bad, because you only print off the one good one.

Oh, go check out the big picture on Flickr; it looks pretty cool.

Thursday, May 04, 2006

Disney

I'm in Florida. We arrived about 12:00 on Southwest. Had a nice stroll through the airport. Rented a red Saturn Vue. Nice car. Had lunch and we are now at the condo. Pretty nice and everything is going very well. We will be hitting Epcot in a little bit.

I'm on dial-up, so I'm having flashbacks to 1993..... :-)