OpenVPN between Solaris and MacOSX
I decided to see if I could get a VPN connection working between my laptop (running MacOSX) and my home server running Solaris 10. It turned out to be pretty easy to do a simple config. I am using OpenVPN. To compile the software on my Solaris box I needed to download 3 items:
- Virtual Point-to-Point (Tun) and Ethernet (TAP) devices driver. I got the version 1.1 from http://vtun.sourceforge.net/tun/ in source code form.
- LZO version 1.08 compression software from http://www.oberhumer.com/opensource/lzo/download/LZO-v1/
- OpenVPN software, I am using the version 2.1RC because I wanted the version to match what I am going to run on the Mac. It can be downloaded from http://openvpn.net/index.php/open-source/downloads.html
Once I got everything downloaded, just compile the LZO, Tun, and OpenVPN:
I decided to have everything related to the vpn installed in /opt/vpn. One thing to note, I tried using the new version 2.x of LZO, and OpenVPN would not find it, so I had to use Version 1 even though 2 is supposed to be supported. So I did the following to compile LZO:
tar -xvf lzo-1.08.tar
cd lzo-1.08
./configure --prefix=/opt/vpn/lzo
make
sudo make install
Next was to compile TUN
tar -xvf tun-1.1.tar
cd tun-1.1
./configure --prefix=/opt/vpn/tun
make
sudo make install
Only issue with tun was that it did not use the --prefix; it puts everything where it needs to be in /usr/kernel/drv on Solaris.
Next is openvpn:
tar -xvf openvpn-2.1_rc19.tar
cd openvpn-2.1_rc19
./configure --prefix=/opt/vpn/openvpn --with-lzo-headers=/opt/vpn/lzo/include --with-lzo-lib=/opt/vpn/lzo/lib
make
sudo make install
Once that is installed I did the simple 1 to 1 vpn connection (static key) for just testing to see if it would work. So in the /opt/vpn/openvpn/sbin directory I did this:
./openvpn --genkey --secret static.key
I then copy that key to my client via some "secure" means
Then created a server.conf that looks like this:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
keepalive 10 120
On my client (MacOSX) I downloaded Tunnelblick from http://code.google.com/p/tunnelblick/downloads/list and installed it. Next I copied that static.key from the server to the client and put it in ~/Library/openvpn. I also created an openvpn.conf in that directory that looked like this:
remote a.b.c.d
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
route 10.0.0.0 255.255.255.0
In the above, a.b.c.d represents my public IP address for my Solaris server.
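A consistency check for the two configs above, as an added example that is not part of the original post: in static-key mode both ends must name the same cipher, each side's ifconfig pair must be the reverse of the other's, and the shared key file should be readable only by its owner. The function names are hypothetical and the configs are assumed to be written one directive per line.

```python
import os
import stat

# Constructed sample input: the two static-key configs from this post,
# one directive per line (a.b.c.d is the post's placeholder address).
SERVER_CONF = """dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
keepalive 10 120
"""
CLIENT_CONF = """remote a.b.c.d
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
cipher AES-256-CBC
route 10.0.0.0 255.255.255.0
"""

def parse_conf(text):
    """Map each directive to its argument list, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            conf[name] = args
    return conf

def check_pair(server_text, client_text):
    """Return a list of findings for a point-to-point static-key pair."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    if srv.get("cipher") != cli.get("cipher"):
        findings.append(f"cipher differs: {srv.get('cipher')} vs {cli.get('cipher')}")
    # Each side's local tunnel address must be the other side's remote one.
    if srv.get("ifconfig") != list(reversed(cli.get("ifconfig", []))):
        findings.append("ifconfig endpoints are not mirrored")
    for side, conf in (("server", srv), ("client", cli)):
        if "secret" not in conf:
            findings.append(f"{side} has no secret directive")
    return findings

def key_file_findings(path):
    """Flag a static key that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path} has mode {mode:o}, expected 600"] if mode & 0o077 else []
```

An empty list from check_pair means the pair is consistent; run key_file_findings against static.key on both machines after copying it.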
Now when you start Tunnelblick it will search that directory and find that config file and ask if you want to load it. But we are not quite ready to start yet. The next thing I had to do was forward port 1194 UDP off of my router to my OpenVPN server. I will leave this exercise to you. You will also need to make sure IP forwarding is enabled on the Solaris 10 server (because I only have 1 network card in it, but "two" different networks on the box). IP forwarding will allow your remote machine to be able to see your local network. And since my OpenVPN server is not the router for the entire network, I had to add a static route on my router to say that 10.8.0.0 is available via the OpenVPN server's local network address, i.e. 10.0.0.1.
You should be able to start the openvpn server now:
Once it is started you can use Tunnelblick to connect. Once you are connected, you should see that it is connected and that the Tunnelblick icon has changed.
You should also see a tun0 device show up:
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff
    open (pid 608)
You should now be able to see all your hosts on the "remote" network. Next up I am going to work on doing the PKI infrastructure so I can hopefully link other clients both static and dynamic.
This makes it really nice to be able to see your "home" network while you are away.
Changes to Leopard that most people won’t see or care about
One of the things I like about Leopard is that it is UNIX. With that, one of the changes I first noticed was that now you can use "ps -eaf" instead of "ps -aux". Nice, I hated doing ps -aux, as I use Solaris all the time and /usr/ucb/ps is almost never used. The one drawback is that it does not print the username; it prints the uid in the output:
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:01.06 ?? 0:01.14 /sbin/launchd
0 10 1 0 0:00.58 ?? 0:00.66 /usr/libexec/kextd
0 11 1 0 0:02.75 ?? 0:04.55 /usr/sbin/DirectoryService
0 12 1 0 0:00.52 ?? 0:00.75 /usr/sbin/notifyd
0 13 1 0 0:00.65 ?? 0:01.05 /usr/sbin/syslogd
0 17 1 0 0:01.57 ?? 0:02.86 /usr/sbin/configd
1 18 1 0 0:00.42 ?? 0:01.01 /usr/sbin/distnoted
65 19 1 0 0:00.05 ?? 0:00.09 /usr/sbin/mDNSResponder -launchd
0 24 1 0 0:00.12 ?? 0:00.30 /usr/sbin/securityd -i
0 28 1 0 0:00.33 ?? 0:00.48 /usr/sbin/ntpd -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
0 30 1 0 0:06.96 ?? 0:06.96 /usr/sbin/update
0 34 1 0 5:20.79 ?? 11:21.33 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mds
501 35 1 0 0:00.39 ?? 0:00.84 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
0 36 1 0 0:00.01 ?? 0:00.01 /usr/sbin/KernelEventAgent
0 38 1 0 0:00.01 ?? 0:00.01 /usr/libexec/hidd
Some notes from the ps man page...
and this one is very interesting:
The ps utility supports the Version 3 of the Single UNIX Specification (``SUSv3'') standard.
HISTORY
The ps command appeared in Version 4 AT&T UNIX.
BUGS
Since ps cannot run faster than the system and is run as any other scheduled process, the information it displays can never be exact.
The ps utility does not correctly display argument lists containing multibyte characters.
So if you want the output to have usernames in it, do a "ps -ej"
Another change is to the iostat command, the old iostat command mostly printed the disk io and User/Sys/Idle time. Looks like they have now added the load average to every line so it looks like this now:
disk0 disk1 cpu load average
KB/t tps MB/s KB/t tps MB/s us sy id 1m 5m 15m
24.95 85 2.08 22.38 65 1.42 16 14 70 0.86 1.14 1.35
49.14 154 7.39 33.47 251 8.20 17 26 58 0.86 1.14 1.35
93.75 110 10.06 59.62 148 8.61 17 20 64 0.86 1.14 1.35
38.05 191 7.09 35.92 241 8.44 18 30 51 0.95 1.15 1.35
53.78 190 9.97 38.98 272 10.34 20 28 52 0.95 1.15 1.35
Another command I found is "zfs", but it does not appear anywhere in the GUI. So I wonder if it is not fully implemented yet.
They also changed the sar command:
23:29:36 %usr %nice %sys %idle
23:29:37 34 0 42 24
23:29:38 35 0 44 21
23:29:39 24 0 30 46
23:29:40 17 0 22 60
23:29:41 16 0 21 64
23:29:42 19 0 22 59
23:29:43 26 0 30 44
23:29:45 32 0 42 25
23:29:46 28 0 34 38
23:29:47 25 0 31 44
Average: 25 0 31 42
They added a %nice column
First couple of hours with Leopard
Went and picked up MacOSX Leopard today... I decided to do a fresh install instead of trying to upgrade my current Tiger installation on my MacBook Pro. Well, after backing up my entire hard drive to an external drive, I started the installation. It took about an hour for it to install. The funny part is 30 minutes of it was the installer verifying the integrity of the DVD. First time I have seen an OS verify the entire disk before it started to even do an install to the hard drive. Anyways, 30 minutes after the verification was done, it was installed. The opening video is pretty cool, basically flying through space. I then started the restoration of my files from the external USB drive. Funny thing was as soon as I plugged the drive in to the MBP, Time Machine kicked in and asked if I wanted to use the external drive as a backup device. So I said yes and it started backing up what I had just installed while I was restoring files from the same drive.
Some little things I have noticed now:
- If you leave iCal on the Dock, it now shows the current date, unlike Tiger only showing it if you had it actually running.
- Everything seems a lot quicker than Tiger. But it could also be that I had not reinstalled Tiger since I had bought the MBP.
- Coverflow in finder. It is cool for going through my documents folder.
I also picked up the new iLife 08. I like the new iPhoto. Now to just get everything set back up the way I had it before.. So far I like what I see, and like the new speed..
MS Vista better than Mac OS X?
ThinGuy over at Sun linked to this article Windows Security - Bill Gates Attacks Mac Security, Apple Ads
Needless to say, I think Gates is just realizing that for once he may be in a losing position. Maybe for once there will not be a monopoly in the home OS front. I am also not recommending anyone upgrade to Vista, unless you plan on having one kick ass desktop to run it on, otherwise stick with XP or move to Mac, or Solaris!!!!
A video to sum up my feelings about MS Vista
The latest Get A Mac ad sums up my feelings about Vista.
