Stefano Rivera (tumbleweed)'s Website, Blog, collected bits of code, cruft and other stuff.

PHP4 for feisty - pbuilder for beginners

I helped Robbster out on #clug today, building php4 for feisty (it’s been dropped after edgy, in favour of php5). If you want to install it, don’t care about security holes, and want to use the debs I created, add this line to your apt sources list, and go wild:

deb http://ftp.leg.uct.ac.za/pub/stuff/tmp/php4-feisty ./

If on the other hand you want to know how to do it (so when the next PHP security hole appears tomorrow, you can build the latest version yourself), read on:

I’ve never used pbuilder before, so it was fun:

# aptitude install pbuilder

Edit /etc/pbuilderrc to point to your closest mirror, and uncomment the COMPONENTSline (so that you get universe included)

# pbuilder create

Now pbuilder is ready for work. Get the latest sources from debian (Download those 3 files at the end, dsc, orig.tar.gz and diff)

# pbuilder build *.dsc

Sit back and watch…

When it’s done, you probably want to create a trivial repository of your debs:

# cd /var/cache/pbuilder/result/; dpkg-scanpackages . /dev/null | gzip -c -9 > Packages.gz

Then add this to your sources.list

deb file:///var/cache/pbuilder/result/ ./

Wohoo. Remember to watch out for those security holes…

OpenVPN / WPAD Mania

I’ve just spent an afternoon tweaking an OpenVPN install, and I thought it would be a good idea to document it here. Not the world’s most interesting post, but it’s my method, and I want to document it.

OpenVPN:

The best solution I found was to have the server on it’s own subnet:

dev tun0
comp-lzo
keepalive 10 120
server 10.20.2.0 255.255.255.0
push "dhcp-option DNS 10.20.1.1"
push "dhcp-option DOMAIN rivera.co.za"
push "route 10.20.1.0 255.255.255.0"
ca /etc/ssl/vpn-cacert.pem
dh /etc/ssl/dh1024.pem
cert /etc/ssl/certs/vpn.rivera.co.za.pem
key /etc/ssl/certs/vpn.rivera.co.za.key.pem

This sets up a Windows-friendly, routed OpenVPN. (TAP32, the windows tap driver, can’t handle arbitrary IP routed VPNs, each link has to have a private /30 network)

Then, the Windows client side:

client
dev tun
dev-node VPN-Connection
proto udp
remote vpn.rivera.co.za 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca cacert.pem
cert winlaptop.pem
key winlaptop.key.pem
ns-cert-type server
comp-lzo
verb 3
pull
keepalive 10 60
explicit-exit-notify 2

This is nice and simple, and has the advantage of pulling a lot of configuration from the server rather than statically storing it on the client.

WPAD:

My network has Proxy Autodetection. While I wanted DNS queries to go through the VPN, I didn’t want web traffic to. (DNS through vpn, is ugly, but necessary for finding private servers).

My solution was: dnsmasq.conf:

dhcp-option=252,"http://ixia.rivera.co.za/wpad.dat"

Apache, default site config snippet:

<Location /wpad.dat>
        ForceType "application/x-ns-proxy-autoconfig"
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        Allow from 10.20.1.0/24
</Location>

And a fallback, in-case the wpad is already cached, this at the top of the wpad:

// VPN:
if (isInNet(myIpAddress(), "10.20.2.0", "255.255.255.0")) return "DIRECT";

Some CLUG Park work

I’ve spent some hours wasted on CLUG Park :-) Here are some improvements:

Rafiq is back:

I’ve been trying to get him to give me a feed to only his posts, but got no response. For a while, I told the park that his feed was http://www.webaddict.co.za/we-need-a-feed-for-rafiq-only-for-clug-park/, to make my point in 404s in his apache logs, but that didn’t bring me a reply, either :-)

So now I’ve got an XSLT filter in place that strips out other webaddict’s posts.

The Atom feed now has the person’s name at the beginning of the title (like the RSS feed has)

Nesting Dachshunds

Rainy weather in Cape Town…

Nesting Dachshunds

This cave is only really big enough for one, but that doesn’t stop them :-)

Before the cave it was a cushion:

Cocoa

Sharing a 3G connection with Ubuntu

Seeing as I carry around a vast array of equipment, in my massive, 10Ton backpack, I normally have a 3G card at hand. If I’m visiting someone who doesn’t have broadband themselves, or I’m sitting in a Coffee Shop with other laptop-lugging friends I might want to share my 3G connection with friends, via WiFi. (assuming I have a data bundle that month, or they understand the horrific 3G data pricing)

I wrote a little script to make this easy

  • It’s clearly Atheros-specific, but I’ve included more generic commands in comments. Obviously interface names would need to be changed
  • I dial the 3G connection before I run this, and disconnect afterwards, but it would be trivial to change that…
  • My dnsmasq.conf contains only the line dhcp-range=10.42.42.10,10.42.42.254,12h
  • Dnsmasq is configured not to run on startup, via update-rc.d

/usr/local/sbin/3g-ap:

#!/bin/sh

/etc/dbus-1/event.d/25NetworkManager stop
# Atheros:
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode ap
# Other:
#iwconfig ath1 mode master

iwconfig ath0 chan 3
iwconfig ath0 essid SR
iwconfig ath0 enc s:13Char-Passwd

ifconfig ath0 up 10.42.42.1 netmask 255.255.255.0
/etc/init.d/dnsmasq start

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o ppp0 -s 10.42.42.0/24 -j MASQUERADE
sysctl -w net/ipv4/ip_forward=1

echo "Done - when finished, hit enter"
read ignoreme

/etc/init.d/dnsmasq stop
iptables -t nat -F POSTROUTING
sysctl -w net/ipv4/ip_forward=0

# Atheros:    
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode sta
# Other:
#iwconfig ath0 mode managed

/etc/dbus-1/event.d/25NetworkManager start
Syndicate content