ipsidixit.net

Scouts and discrimination

sgroarke — Fri, 30 Mar 2012 11:46:48 +0000

Another UK newspaper article about the Scouts today, with yet more nonsense hiding the nature of this discriminatory organisation.

Various of the great and good in scouting say, as quoted by The Guardian:

“…scouting is continuing to move with the times and adapt to the growing number of people from different communities who are choosing to be a part of the movement. Scouting has something to offer everyone, no matter your religion, ethnicity or belief, and I’m so proud that we offer an environment for people of all backgrounds to come together and enjoy themselves.”

That is a lie. They do not welcome people of all backgrounds. If you are an atheist, you are not welcome and are prohibited from joining.

It’s essential to continue to make scouting accessible to all. We welcome all communities and this initiative helps to ensure that no one misses out on the numerous benefits and adventure of scouting…

That is a lie. It is not accessible to all. It does not welcome all communities. If you are an atheist, you are not welcome and are prohibited from joining.

It doesn’t matter who you are, what you are or what colour your skin is or what faith you are.

That is a lie. It does matter who you are. You are required to “have a faith”. If you are an atheist, you are not welcome and are prohibited from joining.

What saddens me even more than the fact such discrimination still exists is the fact that in 2012, in an apparently developed, western country, this sort of discrimination is entirely legal and, apparently, tolerated by the citizens.

That, and the hypocrisy of the people who run the Scouts… If you profess membership of a religion, any religion, they will bend over backwards to “accommodate” you. As per today’s news story, they might even be prepared to wind back several decades of female emancipation and ensure that you do not sexually excite men by showing an elbow. That’s fine. You’re “a believer” of….. something. Anything. And that’s ALL that matters.

But if you happen to not believe in a God or Gods, you are flat out not allowed to join. You are unsuitable. You are not welcome. Go away. We don’t want you.

What a very sad, somewhat unpleasant, group of people.

npd6 – Software now available

sgroarke — Thu, 04 Aug 2011 12:50:45 +0000

As per previous posts and discussions, my project to develop npd6 (Neighbor Proxy Daemon 6) is now advancing very rapidly.

If you have a Linux gateway router terminating your ISP feed supporting IPv6, this may be just what you need. To summarise the problem it solves: your ISP has given you an /64 (or some other size) IPv6 prefix, with the last 64 bits (or whatever) entirely for your own use on a private-side of the network. The IPv6 addresses in use by your own devices may well not even be known to you – it’s possible that you use DHCP6 to statically pre-allocate them (yuck!) or more likely you are using radvd on the gateway to advertise the ISP-supplied IPv6 prefix and let the devices themselves choose what they wish to tag on to that. It may be vaguely predictable (based upon the device’s Ethernet MAC address) or totally unpredictable (as per the Windows 7 box I looked at the other day!)

For these devices to be able to reach the outside IPv6 world, there is a good chance that your ISP will use the ICMP6 Neighbor Solicitation mechanism – and your gateway needs to play along. Other articles on this site go into painful details about this mechanism, so let’s sum it up as: in a very vaguely similar way to IPv4 ARPs, a device may receive an IPv6 Neighbor Solicitation for a specific global address and, if it knows how to reach it, respond with a Neighbor Advertisement. So for example, your ISP has given you the global prefix:

AAAA:AAAA:AAAA:AAAA:

and your home devices thus all end up with addresses using this prefix plus a variable suffix, of the form:

AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB

So the Windows workstation which has chosen the 128-bit global address AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB tries to connect to ipv6.google.com. Out goes the connection, and when the response comes back, the ISP’s router says to your gateway: “Neighbor Solicitation: Do you know how to reach AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB?”

And you want to say back “Neighbor Advertisement: Sure, AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB is known to me – send me his traffic.”

And to do this today you need to statically pre-configure that full address into the Linux system. And if it changes, you need to change it. And if a new one appears, you need to ad it. And so on. Oh, and to add insult to injury, you cannot even display a list of which ones you have already configured in the system!!

And thus I offer npd6 as a solution: it runs on the gateway, and requires little configuration. You tell it your prefix and which is the ISP’s interface. There are a few optional knobs and levers. Then it runs and automatically responds to any Neighbor Solicitation received from the ISP for a device with your prefix.

Status

The code today is working well. It is easy to build on any typical Linux system. Soon I will package it and offer .debs, RPMs etc. It is highly efficient and low-impact in terms of CPU an so on. Also, extensive debug options are built in, to assist if any problems occur.

To get it, please visit the GoogleCode hosting site at: http://code.google.com/p/npd6/ and specifically the code at: http://code.google.com/p/npd6/source/checkout (Subversion) or a tarball at https://code.google.com/p/npd6/downloads/list

If you want to try it out, please do download and build it. If you need help, please ask! Feel free to raise issues via: http://code.google.com/p/npd6/issues/list

Good luck!

npd6 – IPv6 neighbor proxy daemon – It lives!

sgroarke — Tue, 05 Jul 2011 21:14:02 +0000

As threatened in article IPv6 neighbor proxy daemon – npd6 and the associated design ramblings here, the npd6 project now lives and breathes.

EDIT: 22 July – The project has really taken shape. Version 0.3 is now useful enough to be considered a working beta version. Building is very simple – do please try it out and let me know of any issues, good or bad.

It’s absolutely early days, but, with plenty of limits and as-of-yet-unknown bugs, it does work…

I’m hosting it on Googlecode. It’s here. For a while yet I’ll not be making any binary or packaged versions available, or even autoconf/configure shenanigans – strictly source + Makefile.

If you want to give it a spin, do feel free. It’s going to change a LOT – we’re probably a month or so away from something I’d call “a usable, early beta“. Today it’s a “works for me pre-alpha“!

IPv6 neighbor proxy daemon – npd6

sgroarke — Wed, 08 Jun 2011 20:30:39 +0000

I admit defeat… You know how it is: you’re searching for a solution to a technical problem, and you KNOW that someone else has had the same problem. In fact thousands of people have had the same problem. And it was fixed years ago. If I can just find that solution…

And find it, eventually (Google, Bing et al – Thank You!) you do.

Except when you don’t. Back in this post I wrote about a specific, but key, problem in implementing an IPv6 firewall/router on a Linux box, when attached to a “normal” ISP.

What was the problem?

In a nutshell, it was as follows. My ISP gives me a full IPv6 service, with a staticically allocated (i.e. fixed) global IPv6 address. They give me a /64, so I in turn have a full /64 to play with in my private net. Enough to network every dust particle in the house. (And this is one dusty house).

As I found, not surprisingly the ISP does not let me advertise address space back to them regarding which devices in my private-but-globally-addressed network actually exist. Given that, I rather naively hoped that they would thus blindly forward anything that was addressed to my (global prefix + private part) network to me regardless, and treat my gateway device as, in effect, a sort of default route for my IPv6 prefix.

Could you give an example?

Sure. Say my ISP has given me the IPv6 prefix of 2a01:e35:8b25:7ea9:… A device inside my network then, by the magic of radvd, gets an address of, say: 2a01:e35:8b25:7ea9:1111:2222:3333:4444.

(If you need a primer on this stuff, read all about it here!)

Then assuming all the other myriad options are set up right, from that inside device I do a test ping6 of ipv6.google.com. And it fails.

As per my earlier article, it’s all down to my ISP, when they get traffic from the remote host (in fact in this case the ICMP6 echo reply from Google) destined for 2a01:e35:8b25:7ea9:1111:2222:3333:4444 rather than just “knowing” that such a global address must, by definition, be behind my connection, they go to the irritating lenghts of instead doing the whole Neighbor Solicitation dance with me.

And I find that unless I have performed the following command on my Linux gateway:

ip -6 neigh add proxy 2a01:e35:8b25:7ea9:1111:2222:3333:4444 dev eth0

the gateway device will not reply to the neighbor solicitation. And hence nothing works.

OK, does it matter much?

Heck yes.

Each inside device must be statically configured on the gateway.
It is currently not possible (I know this seems implausible…) from user-space to list or show what devices you have configured in this way.
The biggie: if you are dynamically allocating addresses in the network, you will not even KNOW what the end-point address is.

Item 3 is in large part a consequence of using radvd. But even if one used (at the cost of a lot more work) an IPv6 DHCP server, you still have to statically pre-configure the end devices addresses on it, and lose the ability to add devices on-the-fly.

So we have a real stumblin block. Sure, for test purposes I can dig out the IPv6 address which my end station has picked, and bang in the neighbor proxy command on the gateway. And it works fine.

But in terms of manageability and scalability it’s a freakin’ disaster.

Must be easy to fix, surely?

Well if it is, no one I’ve spoken to has any idea! It’s a great, glaring black-hole. IPv6 on Linux simply currently appears to have no support for automating the proxying of global/private addresses using the Neighbor Solicitation mechanism. I can only assume that it was never thought this would be a problem, and Neighbor Solicitation would only ever be used to directly connected devices.

The ability to force a neighbor proxy as shown here is pretty obviously an after-thought. The real give away is the inability to list current defined proxies…

So what we gonna do?

I intend to fix it!! I’m going to use the article linked to HERE as a working document to put together a rough and ready design for a user-space daemon to fix this. It’s going to be simple to use – that’s key.

The main elements I can think of as a start are as follows:

Run in user-space (I hope!)
Have a single, simple config file.
To have no prior knowledge of devices inside the networks.
Only prior knowledge, via static config, is the IPv6 prefix.
If a neighbor solicitation is received for our prefix, regardless of the suffix, we respond positively.

Easy? No idea! I’m a useful enough network programmer but not at all familiar with the Linux IPv6 stack from the code perspective. But the functionality is, conceptually, not complex.

The key gotchas I forsee are:

How we hook incoming neighbor solicitations. Period.
Then as per (1), but now with the “I want to run in user-space” goal.
What I do when someone points out (and they will…) that I’m going to violate several dozen RFCs by doing this.

Piece of cake. As per above link, the working design doc will be here. Very soon. All contributions welcome – and I really do mean that!

Linux file-sharing in a home wifi network

sgroarke — Thu, 12 May 2011 11:33:34 +0000

The scenario: the home network is centered around a Linux server. This acts as (amongst a number of other things) a large data repository. All our media files, photos, music and so on are stored on it. Apart from the convenience of having it all centrally located, it also provides data security: all critical data is archived hourly using rsnapshot, such that there is always a backup from at least one month ago in the event of data being e.g. accidentally deleted. It uses a single 1TB disk as the main data store, with a second 1TB disk for the snapshots. Then in addition to that, really really critical data (the irreplaceable stuff) is archived every night to an off-site location. Anyway, in recent times my children have discovered the pleasures of photography… Vast quantities of pictures to be put on a PC and secured. To date it’s gone like this:

Kids use a single laptop, running Linux.
Each has an account on the laptop.
Plug camera in to laptop and pull the pictures on to the laptop.
In background, cron archives them off to the server using rsync over ssh.

As far as the kids themselves are concerned, there’s (a) a single laptop and (b) it has all their photos on it and (c) papa has assured them that if something terrible happened to the laptop, the pictures can be restored from the server.

Thus far, fine.

The network expands

Time to change… Precipitated by an additional laptop, things get kinda complicated. I want the laptops to be “floating”, and used by either child. No “the HP is mine, the IBM is his”. However that then makes it tricky: with only the single laptop it is the primary (since only) data store for their photos. Backups aside, it’s straightforward. So I need to shift the primary data stores off the laptops themselves and having them full-time on the server, and accessed over the network. Which is fine, except that performance it going to be an issue: these are laptops, and they are connected to the home network using wifi, so network file systems are potentially a problem (you ever tried regularly scanning several thousand photos over a wifi connection…? …it’s not what you want to do regularly!)

So we’re going to need network file systems with some sort of magical optimisation…

The solution

We’re going to create a solution with several key elements:

The server is going to have data stores for each laptop user, shared out on the network using NFSv4.
The clients (the laptops) are going to use a caching file system on top of the NFS shares, to attempt to provide less load on the wifi connections.
The clients are going to need to auto-mount the correct data stores depending upon which user is using them.

A quick word on file system caching here: books can (and have!) been written on such subjects… Suffice to say that it’s easy to fall in to the trap of thinking that caching is always a good idea, and simply must improve performance. Not at all. Any file system cache can provide improved OR degraded performance depending upon how it is used (e.g. lots of small files, or large files, regularly accessed, infrequently accessed, underlying file system type,…. the list is long and has multiple permutations)

Suffice to say that here the “performance improvement” we are after is load reduction on the wifi network. I am not going to go in to the whys and wherefores, but here will blindly assume that a caching layer between the client and the NFS shares is a good idea in the circumstances. Your mileage may vary – and BTW, it’s rather fun to test and compare. Try it!

The Elements

The server is a Linux server running Ubuntu Server 11.04. (None of this configuration is going to be too highly Ubuntu, or even Debian-derived, specific, so any Linux will do)
NFS Server on the, er, server.
Ubuntu laptop clients, again 11.04, but also fairly generically applicable.
Clients to have NFS v4 client code, Cache-fs and automouting capability.

Setting up the Server side

We’ve 3 users to be catered for in this exercise. For the rest of this article I’m going to call them A, B and C. The server itself goes by the name bobby.

On bobby, if not there already, I need to install the following packages:

nfs-common
nfs-kernel-server
portmap

The locations, on the server, of my data stores are going to be:

/data/A
/data/B
/data/C

First step is to create binding within the exports directory. Edit /etc/fstab to look like this:

# NFS bindings to /export
/data/A              /export/A        none    bind    0 0
/data/B              /export/B        none    bind    0 0
/data/C              /export/C        none    bind    0 0

Make sure that the directories /export/A, B & C are created, then a

mount -a

should bind the real locations to the export locations. Check with a

mount

which should be display something like this:

/mnt/DATA1/data/A on /export/A type none (rw,bind)
/mnt/DATA1/data/B on /export/B type none (rw,bind)
/mnt/DATA1/data/C on /export/C type none (rw,bind)

and shows that the bindings are there. This also actually illustrates another point: in actual fact, the ultimate location of the data stores are /mnt/DATA1/data/A, …B etc. These are then symlinked to /data/A, …B etc. for convenience. One can refer to the symlinked location on fstab no problem. However the mount command dereferences that and shows the final location as here. That’s all fine.

Now a word about NFS server configuration….! It’s a potential minefield. If you need to, start off over here: Ubuntu Guide to NFS

But you may be better off trying this ultra-simplified version I present, before thinking about tweaking stuff.

For now, all I do is edit /etc/exports to contain:

/export	 192.168.0.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/A    192.168.0.0/24(rw,nohide,insecure,no_subtree_check,async)
/export/B    192.168.0.0/24(rw,nohide,insecure,no_subtree_check,async)
/export/C    192.168.0.0/24(rw,nohide,insecure,no_subtree_check,async)

The only parts of that I’ll go in to are:

The /export locations are those that you bind to in the fstab declarations.
The ip range (note it’s a range, not a single address) covers the location of my clients (i.e. the laptops on the home network all have addresses of the form 192.168.0.XXX)
That first line is required!
rw = read/write access (probably what you want)

and then fire up the NFS server with:

/etc/init.d/nfs-kernel-server start

All being well, we’re then pretty much done on the server side.

A word on user IDs…

NFS is….. kinda quirky. Some of those quirks relate to how remote clients are recognised (authenticated) by the server. There are a multitude of ways this can happens, all optional and all somewhat different. Many are also rather complex… Want some advice? OK: since the server and the clients are all under “your” control, make it easy. And “easy” here means as follows: ensure that users’ UIDs are the same on the server and all the clients.

Put practically, here’s what I’m talking about: on the server, do:
cat /etc/passwd
to produce something reminiscent of this (lightly obfuscated)

.
.
.
A:x:1001:100:person named A:/home/A_directory:/bin/sh
B:x:1002:100:person named B:/home/B_directory:/bin/sh
C:x:1003:100::/home/c_directory:/bin/sh

It’s the numbers you care about: for example, User A has UID=1001 and GID=100.

Now check the same file on either future client laptop:

.
.
.
C:x:1003:1000:c,,,:/home/ccc:/bin/bash
A:x:1001:1001:a:/home/aaa:/bin/bash
B:x:1002:1002:b:/home/bbb:/bin/bash

Note that we’ve used the same UIDs for a given user.

If you’ve a lot of users, or an existing setup which you cannot easily change, then pick (and learn about!) one of the many NFS schemes for dealing with this. But if you’ve a small, and/or changeable set up, do yourself a big favour and go with matched UIDs…!

The Clients – Basic NFS

This is where things get fun. Before we dive in to caching, automounting and so on, let’s make sure that basic NFS works OK for us. On a laptop, edit /etc/fstab to be like this:

.
.
.
# NFS
bobby:/C /home/cc/bobby    nfs4     rw,hard,intr    0 0
bobby:/A /home/aa/bobby    nfs4     rw,hard,intr    0 0
bobby:/B /home/bb/bobby    nfs4     rw,hard,intr    0 0

Note:

bobby is the server name. You could use the raw IP address here, or if DNS is working (or you’ve a static entry ion /etc/hosts) you can use the name.
Note the server location is only given as “/A”, not “/export/A”. This is a difference between NFS3 and NFS4.
the mount point on the client is entirely arbitrary, but it makes sense for it to be “under” the particular user’s home directory, as here.

With that done, do a

mount -a

and check that all the three mounts work. Apart from checking via a mount command’s output, also login as each user, go to that user’s NFS-mounted directory, and create a file, edit it, and delete it. Does that all work OK? If so, grand. If not, STOP and get the basic NFS setup working before proceeding! This is really important… Debug basic NFS issues first.

The Clients – Caching

The next layer we are going to introduce is client-side caching.

Again, I’m going to present a highly simplified (and highly effective!) setup, glossing over a vast array of optional complexity and trouble… (If you fancy it, here’s a good starting point for the details: Red Hat Guide to FS-Cache

We’re going to use FS-Cache. Install it using:

apt-get install cachefilesd

All you really need to then change is to edit /etc/default/cachefilesd and set:

RUN=yes

Then start it using:

/etc/init.d/cachefilesd start

Note that you may need to add the mount-attribute user_xattr on the file system containing the cache files (which will typically be the root file system or, if you have /var broken out on a separate partition, then that one) So your /etc/fstab entry might look like this:

UUID=5f63b76a-d367-49e4-a540-d7ab77b891fe /               ext4    errors=remount-ro,user_xattr 0       1

Go back to your /etc/fstab and edit each NFS line to include the option fsc, like this:

.
.
.
# NFS
bobby:/C /home/cc/bobby    nfs4     rw,fsc,hard,intr    0 0
bobby:/A /home/aa/bobby    nfs4     rw,fsc,hard,intr    0 0
bobby:/B /home/bb/bobby    nfs4     rw,fsc,hard,intr    0 0

Then (re)mount the NFS shares and see if it works!

Here’s a good point, if you wish, to test one mount with caching and one without, and run some comparisons in your environment and mode of using it, to see how much (if at all!) caching helps… If you alternatively wish to skip that and just check that “caching is doing doing something so I know it works in some manner or other” then you can just

cat /proc/fs/fscache/stats

and check for signs of any life. See some? Great. Plough on.

The Clients – Automounting

Why not just leave things as they are? Each laptop, when powered up, mounts all the users’ NFS shares? Well, you could. But it’s not ideal.

Bandwidth and time. Mounting all, when likely only one will be used takes time and bandwidth.
Concurrency. In theory, and hopefully practice, NFS will handle this. But it’s just so much neater and less contentious (joke intended…) to only mount the share where and when it’s being used. Then it gets dropped when it’s not used.

So unmount the NFS shares in place, and then edit /etc/fstab to comment them out there too. From here on the shares will not be mounted from fstab, but by the automounter.

We need to install automounter first, so do that using:

apt-get install autofs

The autofs documentation, and many of the online resources, are fairly confusing for a newcomer! The automounter is a very flexible piece of software, and has to handle many different situations – hence the complexity. But we can keep it simple…

First, edit /etc/default/autofs
Add/uncomment

MOUNT_NFS_DEFAULT_PROTOCOL=4

In theory, you can leave this and specify we’re using NFSv4 on the mount options – however I had a lot of trouble with this, and given that we’re in a simple all-v4 environment, it’s a lot simpler to just change it here.
You might want to think of tuning the timeouts here, but don’t feel obliged. Leave everything else as-is.
Edit /etc/auto.master
Comment out the last line, and add a new one, like this:

.
.
.
# Commented out next line:
#+auto.master
# My new nfs automount details:
/-	/etc/auto.nfs

So you comment out the +auto.master and add in the reference to /etc/auto.nfs
Now create /etc/auto.nfs and make it similar to this:

/home/aa/bobby	-rw,fsc,hard,intr	bobby:/export/A
/home/bb/bobby	-rw,fsc,hard,intr	bobby:/export/B
/home/cc/bobby	-rw,fsc,hard,intr	bobby:/export/C

Note the /home/aa/bobby line is arbitrary – it is the local mount point and can have any name.
Note also the fsc parameter, to ensure we use the caching filesystem layer as previously setup.

Conclusion

And that’s about it. With such a configuration, my kids can logon to either laptop, open “their” folder called bobby/ and, hey presto, they have full access to their data on the server, all invisibly assisted by a caching layer.

It’s a little fiddly to set up, but not so confusing if you remember how it breaks down:

Set up NFS on the server and share out the server locations.
Set up NFS on the clients and ensure simple mounting works.
Set up FS-Cache on the clients and check that NFS uses it OK via normal mounting.
Finally set up automounter on the client to have NFS automagically only mount as and when required.

Addendum 1: Shutdown hangs…

With everything up and running nicely, I noticed one frequent problem with the client machines: they would no longer shutdown (or thus reboot) properly. The shutdown started but usually “hung” before completion. I’m pretty certain it’s a “shutdown job ordering” type of issue, whereby NFS unmounts, turning of caching and killing the wifi are either in the wrong order or maybe just too close in time.. So one may need to tweak the shutdown/reboot kill tasks. Which these days is more of a headache than it used to be “in the good old days” since we have to consider tasks run via SysV rcN.d/ jobs and “upstart” jobs as well…

When I’ve tuned them right, I’ll try and remember to update here. But if you see the shutdown/reboot hanging issue, the solution is in that whole area. Strictly speaking, it’s a Ubuntu distro bug.

EDIT: 17 May. The hang on shutdown/reboot issue is surprisingly difficult to resolve! Looking in to it it seems that autofs and wifi have a long history of not getting along – Ubuntu has a heap of bug reports concerning this issue, over quite a period of time. Yet they seem to not get resolved. For my part, for now I’ve actually stopped using the auto-mounting feature, as it’s just a “nice to have” and far and away the least critical aspect of the above setup. A shame, but not a big shame.

Content filtering in a home network

sgroarke — Mon, 07 Feb 2011 11:04:23 +0000

With two young children starting to make increasing use of the Internet, my attention has turned in recent times to the thorny subject of Content Filtering. This posting is actually going to look at a technical approach I settled upon, however one cannot help mentioning, at least in passing, some of the wider issues involved.

As a parent I do not believe in raising children in some sort of bubble, totally devoid of anything that could possibly “harm” them. That applies to the Internet too – my hope is to raise children who are able to understand and deal with things, rather than require protection from them. To that end, Internet access for my children involves their parents first and foremost! They use a laptop, after asking permission, in the kitchen, in view of everyone else. I’m interested in what they are doing on it (genuinely so, not as some excuse to snoop!) and they want me to help and guide them. Email? Sure, make full use of it. But all emails sent to your address also get forwarded to me too guys… Why? So I can see what you’re receiving! Very open. Very honest. Nothing underhand. Those are the rules in this house.

And that approach actually covers probably 90% of what is required. However there’s still a small part that needs attention. As most adults know, there’s some weird stuff in some corners of the Internet. Really weird. Disturbingly weird. Stuff which I do not want my young children to see, even if accidentally. Being a very liberal sort, and totally anti-censorship with regard to what consenting adults view, I do not support any move to remove such stuff from the Internet. Weird, sick, depraved, whatever… Some of it may not be at all nice, but it’s there and it can be found. I just don’t want young children to accidentally find it. So what is a network engineer father to do…?

Content filtering – 4 approaches

Broadly speaking there are four way of approaching content filtering in the home environment:

Workstation filtering
Network filtering
ISP filtering
DNS blocking

The first three are all variations on the same theme. They vary in terms of the “Where do you do it?”

Workstation

There are many software packages out there which will filter content locally on the PC being used to browse the web. In a similar manner to that used by the more familiar virus detection software, one can purchase and run content filtering software which aims to identify and block various categories of content. The difficulty faced with this approach is that it’s not at all easy to identify what to block! Just to take the most obvious candidate category for blocking: pornography. The software can, and will, have lists of the names of the popular, known web-sites with porn. And with some enormous proportion of the Internet being porn, that will already be a long long list! Then we have the challenge of the fact that every day goodness knows how many hundreds of new porn sites will appear, and old ones disappear. The list of sites cannot be fully up to date. So the software will also need to include elements of heuristic detection: identifying porn indirectly and blocking it. So we’re now into looking and scanning all the traffic to and fro for words or patterns which might identify it as porn. And so on. It’s a computationally intensive exercise, and requires frequent updating with new lists of patterns, URLs, IP addresses and so on.

The task is very similar to virus detection, with the frequent updates required, slowing down of communication to an extent, higher CPU usage, and so on.

The software out there is worth consideration for some – I’m not saying it’s a bad approach. But it has unavoidable limitations. Two obvious ones which apply to me are:

Locked to a particular PC – If I install the software on one PC, then I cannot let the kids use another PC as it will be unprotected, unless I pay for and install the software there too.
Linux. A big issue for me is that we only have a single Windows PC in the house (hooray!) All the others (too many… way too many…) including that used by the children, run Linux. And such packages are few and far between for Linux…

Home network

An approach I used for a while, with success, was to filter on the gateway device on my network. A quick summary here: at home my Internet connection terminates on a gateway firewall/router system. This system performs all manner of network-related functions. The key one is to run my Linux-based firewall. A host of other jobs get handled by this box too: VPN termination, media serving, DHCP, IPv6 routing, the list is long. Given that all of our Internet traffic traverses this system it is ideally suited to perform a filtering function.

To that end, for a while I ran Dans Guardian on my firewall. This is a sophisticated bit of software, and not entirely trivial to set up and get working. Apart from quite a lot of configuration itself, it also requires a web-proxy to be running on the firewall. I ran squid to fulfil that requirement. And then there’s the requirement to “hook” users into it. That involves either configuring the workstation to use a designated web proxy (and possible authentication required there – depends upon what exactly you want to achieve) or using IPTables on the firewall to intercept traffic from a given workstation and force it via the proxy. Various approaches, all quite interesting, but only if you find networks interesting… Many would find it simply “complicated”.

Once up and running, however, there are then further challenges to be faced. Firstly there’s the question of overhead. That is, how much load does it place on the gateway device, and hence how much delay or slowness does it introduce to the web browsing. My kids may not need the snappiest, lightening fast response times possible, but nor do they want to wait tens of seconds to see a page, or have some You Tube video constantly stop and start. Let me be clear here (and make sure I’m fair to Dans Guardian): if the device running it is powerful (in terms of CPU, memory, disk and so on) then it’s great. Really good. Trouble is, however, that a lot of boxes used as gateway routers/firewalls are not, by their nature, so highly specified. And that applied to me. My installation was, frankly, not fast enough. Much of the time it would work OK-ish, but often there would be very long delays indeed.

If you have a powerful box you can dedicate to such filtering, then do go ahead and consider it.

On other issue I also had to tackle was that of updates: as described for the Workstation solution, filtering software, wherever it is located, needs to be kept up to date. Dans Guardian does not come with an update mechanism, nor source of updates. There are sources of such updates out there if you search, but again, it’s an extra piece of work to do this and get it all set up correctly, auto updating silently every day. As before, not a criticism of the software that has been made freely available – but something that does need to be taken in to account.

ISP

Many ISPs offer a filtering service to their customers. This is of course attractive, as it entirely removes the need to perform the filtering and blocking locally to the home network. The work is offloaded to the ISP. While there may be a charge associated with this, it may be worth considering. The main, and maybe for many significant, disadvantage to it is the all-or-nothing approach. If you have many PCs (and hence different users) within the home network, you may only want to block certain stuff from certain PCs. I may not want my kids viewing DominatrixFrenchMaids.com, but (purely for research purposes, of course) their father may need to. (God knows, such a site probably exists, but I dare not look…) More realistically, there are other sites which are more genuinely OK for adults, but not for young children. If one has an interest in 20th Century history, a sad reflection on humankind is that there are some horrible things which can be seen… For older children and adults, that’s fine and indeed educational. But not below a certain age. I’d like to maintain the illusion of a nice world for at least a little while longer.

So ISP filtering is attractive in terms of removing the work from the home. But it does come, in general, with a certain amount of inflexibility.

DNS blocking

This last technique is somewhat different from the others. Most people have at least some awareness that the names we use on the Internet (www.ipsidixit.net) actually map on to so-called IP addresses. For example www.ipsidixit.net is mapped via a DNS (Domain Name Service) to the IP address 217.70.191.54 (And to IPv6 2001:4b98:dc0:41:216:3eff:feaa:964a – I’m soooo hip and trendy…)

Yet no one in their right mind (nor even a network engineer) bothers with the numerical version. You just bang in the name and have your computer us DNS to resolve it to an IP address.

Most PCs will use one or more DNS devices specified and operated by their ISP. Used “normally, for example, my ISP (free.fr) provides two DNS systems for workstations to use.

However one does not need to use their suggestions. One can, in general, use other DNSs operated by third-parties.

The point is, then, that if one used a DNS service which had a constantly updated blacklist of sites which are “undesirable”, one could block access to them by simply declining to resolve them to their correct address. This then offers the benefits of ISP Blocking in so far as the load of shifted outside of the home network, but with the added flexibility that only workstations that require protection need use the “filtering” DNS. Other workstations can use the normal DNS.

I found that OpenDNS provide such a service, and have stated to make use of it. It’s free (they have some paid options too – but the free one seems fine for me) I have no association with OpenDNS, and am only “promoting” them as what they offer seems neat and useful. If others have knowledge of other similar services, please do post them in a comment – I’m not trying to make this exclusive to OpenDNS! In fact I’d like to compare OpenDNS to some others.

The service they offer is to provide DNS addresses which can have a selectable level of filtering applied. The spectrum is covered, from porn, violence, drug use, etc. through to shopping sites, social networking sites, etc. You get to choose which categories to block and which to allow.

And it does seem to work really rather well indeed. Below I am going to detail how I set it up within my network, integrating it within the DNS caching system already used.

The main weakness of the system is that with some knowledge and effort it can be circumvented (as, of course, can most systems) One could take the trouble to manually find the Name <–> IP mapping for a domain and enter that directly into a browser, thereby bypassing the DNS. However such a bypass would be very cumbersome to use, since even if you use an IP to land on a page, probably any link off that page will in turn require DNS, and would then need to be manually decoded, etc. Workable, but hard work. By the time my kids are knowledgeable enough to work all that out, they will probably be old enough to look after themselves!

Integrating OpenDNS into a Linux firewall, already running DNSMasq

My home network has DNSMasq running on a central gateway/server/firewall box. DNSMasq is responsible for DHCP (i.e. allocating IP addresses on my home network) and also DNS caching. To that end, it announces, via DHCP, that it is the DHCP server to be used by devices. Then it, in turn, resolves addresses via the ISP-supplied DNSs. It caches then DNS lookups locally.

In the DHCP configuration it has a pool of addresses available for any device to use, but most of the devices on the network have pre-allocated addressees reserved for them within the DNSMasq configuration. These are allocated based upon the Ethernet MAC address of a device. This is a very common technique to use with DHCP.

Given that, where now a device will be handed an IP address and the address of a DNS server to use (where that DNS server will actually be the same as the DNSMasq device itself) we want to change the config so that for certain devices (the childrens’ PC) when an IP address is handed out it will instead be given with the DNS addresses of the OpenDNS filtering systems. Then all DNS requests from that PC will no longer be locally forwarded to the gateway device, but will instead be routed out externally to OpenDNS, where they can be answered or blocked as appropriate.

The DNSMasq config to achieve this is slightly fiddly, so I am providing it here more or less in its entirety (a few names omitted and some light obfuscation of MACs etc.), but only highlighting the parts that particularly pertain to the OpenDNS filtering setup.

# Configuration file for dnsmasq.
domain-needed
resolv-file=/etc/resolv.conf
no-resolv
no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
server=/localnet/192.168.0.22

This part is not related to OpenDNS in any way: I don't use my ISP's DNS for normal use - I instead use Google's Public DNS.
# Google Public DNS servers
server=8.8.8.8
server=8.8.4.4

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/localnet/

interface=eth1
expand-hosts
domain=localnet

# For general purpose use, use this range.
dhcp-range=192.168.0.128,192.168.0.160,12h

This is for OpenDNS. We use the dhcp-mac config to tag these special devices for filtering:
# MAC list for openDNS filtering
dhcp-mac=opendns,00:c0:9f:12:34:56	# Laptop on-board
dhcp-mac=opendns,00:90:4b:12:34:56	# Laptop wifi

Here we're back for normal dhcp-host preallocation for known unfiltered devices:
# Most ip addresses are pre-allocated here
dhcp-host=00:50:ba:12:34:56,aname,192.168.0.2,720m
dhcp-host=00:18:8B:12:34:56,anothername,192.168.0.3,5m
dhcp-host=00:90:4b:12:34:56,laptop_wifi,192.168.0.4,720m
dhcp-host=00:26:37:12:34:56,galaxy,192.168.0.5,60m
dhcp-host=00:18:41:12:34:56,magic,192.168.0.6,60m
dhcp-host=00:26:82:12:34:56,eva9150,192.168.0.7,720m
dhcp-host=00:c0:9f:12:34:56,laptop_eth,192.168.0.8,720m
dhcp-host=00:14:29:12:34:56,camera,192.168.0.10,120m
dhcp-host=00:21:5A:12:34:56,printer,192.168.0.11,720m
dhcp-host=00:40:63:12:34:56,aservername,192.168.0.22,infinitem

The devices tagged "opendns" above here get special DHCP options pointing them to the OpenDNS filtering-servers.
# OpenDNS content filtering servers
# Specify the two OpenDNS first, then ourselves third for local stuff
dhcp-option=opendns,6,208.67.222.222,208.67.220.220,192.168.0.22

Note also the "192.169.0.22" on the end - this is optional, if you still want the filtered devices to be able to resolve local names.

dhcp-authoritative
cache-size=150
clear-on-reload

Anyone who has an existing DNSMasq configuration should find the above more than enough to change it to point arbitrary devices at the OpenDNS systems.

Summary

Nothing, but nothing, replaces a conscientious adult supervising, guiding and helping get to grips with the Internet. However even with that it’s still all too easy for some stuff to pop up which is better left hidden! This article highlight some of the general technical approaches one can take, and in particular that of DNS filtering with a service such as OpenDNS, optionally using a Linux device to semi-automatically allocate filtering to some device but not others.

Kindle-gouging

sgroarke — Thu, 07 Oct 2010 13:06:01 +0000

Love technology toys? Check. Read a lot? Check. Often would read if had remembered or had space to bring book? Checkitycheck.

I am absolutely in the prime target audience for a Kindle. Amazon having just launched their latest and greatest (by all accounts) Kindle 3, I was on the very brink of buying it. The concept has me completely won over. Having many books available in a easy to read, use and carry form is just what I want. Here in France Amazon have not yet opened up a localised Kindle store, but the international version would suffice for now.

Before plonking down the cash, I look to see how much it would cost to buy the last few books I bought, plus a few others I already have but would like to have on the Kindle. Now I know that there is also quite a lot of free Kindle content available - mainly out-of-copyright “classics” – that appeals greatly. But looking at the paid-for content, I was actually quite shocked at the prices. It’s going to be an imperfect comparison: the paper-version of a book has different attributes and drawbacks compared with the Kindle version. But ultimately the content is the key thing.

Shocked. I was shocked. Shocked was I. Was I shocked? Yes.

Just yesterday I finished Stephen Fry’s The Fry Chronicles. I paid £9.50 (UK pounds) for it (I bought from Amazon UK, as was cheaper than the same book from Amazon France). Kindle version: $19.04. So Kindle about 30% more expensive.
Bill Bryson’s A Short History of Nearly Everything: Kindle $13.79. Hardcopy Amazon France: about $16.30 – so Kindle is cheaper.
Richard Dawkins’ The God Delusion. Kindle store: $13.79. Hardcopy Amazon France: (equiv)$13.71 (So almost the same, but Kindle very slightly more)
Neil Gaiman’s Anansi Boys Kindle: $11.03. Hardcopy Amazon France: (equiv)$8.25
Levitt & Dubner’s Freakonomics Kindle $13.79, Hardcopy Amazon France: (equiv)$7.66
Larry Wall’s Perl Bible Programming Perl (I’ve hard copy and would love a portable version!) Kindle: $36.42. Harcopy Amazon France: (equiv)$7.31 (yes, really)
Lord of the Rings. The Kindle shop has it at $18.88. Not so bad when the paper form requires (typically) 3 volumes (or at least that’s how I’ve got it) and costs, plus or minus, a similar amount.. Hmmm. I scroll down the page, looking at the reviews, wondering if they are Kindle-specific, to give me a feel for how these things come across. And there it is, Amazon’s Kindle Store top-placed review for The Lord of the Rings. Let me quote the first part of it:

While the price of this book is steep, this is easily the best version of this book in existance. The gilded pages and high-quality leather look, smell and feel wonderful. This is not the questionable quality leather used on previous versions, this is the real deal. More importantly, this version has, as J.R.R. recorded in letters, reproductions of the Book of Marzubul. These are the pages from the Dwarven book found in the Mines of Moria by Gandalf and the Fellowship. In the begining and ending of the book are also included maps that fold out to render Middle-earth for the reader, again as the author originally wanted.

Oh dearie me. There was me, teetering on the edge. Price premium for content? Yes, but maybe worth it… Maybe. Then the realisation that, unless I’m very much mistaken, the Kindle does not have affixed to it a little device which emits tiny wafts of leather scent when in use, nor the ability for its no doubt extraordinarily clever ePaper to transform itself into gilded pages.

Yes, I know it’s not what matters for 99% of the time when you read a book! And of course I realise that the benefits of a Kindle might outweigh, or at least balance, the benefits of paper. But I just found myself jolted out of my “I’m going to buy a Kindle!” trance by this review. And then found myself chuckling over the fact that it’s the top review of the book in the Kindle store itself.

Yet those selections above are not some carefully crafted list, selected to ensure an unfavourable comparison. Quite genuinely they are the first few items I thought to compare. Indeed in one case the Kindle version comes out (very slightly) cheaper. And also note that if I lived in the UK or US the prices of the hardcopy versions would typically be even lower – seeing as how Amazon France is not always cheapest for English books… In fact a quick check on The Book Despository suggests that, with the exception of the Perl book, if I can tolerate the longer delivery times every one of those books can be delivered to me in France even more cheaply than Amazon France.

I have no doubt that, one day, the Kindle, or some descendent thereof, will be just what I want. But I’ve concluded that for now the price of the content is way too high. The consumer is being price-gouged, for a product which is interesting but not yet compelling. Today a book gets typeset, printed, bound, trimmed, trucked to the book store and stocked (or alternatively, stocked and then delivered by post), before one day being picked up by me. There’s a lot of financial overhead there. So someone tell me why for a electronic version, which loses almost all of that overhead, I must pay a premium? When new technology lowers costs, I expect to share in that cost saving, not be taken for a sucker.

Amazon will blame the publishers, the publishers will blame the authors and Amazon, and all parties will point fingers at each other while telling me “The artist deserves payment, y’know?” While entirely agreeing, I repeat: when technology lowers costs, I expect a share of it. And if you don’t offer me my share, you won’t get your share either.

When and if the price gouging stops, I’ll buy a Kindle. Not before.

In praise of VirtualBox

sgroarke — Tue, 06 Jul 2010 06:52:35 +0000

VirtualBox. What a splendid piece of software.

Just a quick post to flag up this software, which deserves recognition. It’s a VMware lookalike, but entirely Free (as in beer and as in GNU GPL)

Digiblue boo

As owner of a Digital Blue QX5 microscope (one of the cheapest, greatest, ”serious educational toys” you can lay your hands on – and it’s not even clear if they still make it) my daughter wanted to use it the other day. It’s been unused for a while and during that period my only Windows machine has moved to Windows 7 64-bit. And the QX5 driver software supplied is, of course, Windows XP 32-bit. Off to the Digiblue web-site and relieved to see that they assure me that they have Windows 7 64-bit drivers available. Turns out to be a big fat lie. They have them available for a slightly revised model of the QX5. Not the original (different USB ids, etc.)

WINE?

Thoughts turn to Linux WINE. Hmmmm. Nope. USB drivers and WINE are one area that still doesn’t really do what it needs to do.

I need XP

OK – I realise that to get the thing working I need a Windows XP machine. Simple. Yet I can’t be arsed to set up a dual-boot or anything like that. So remember how neat VMware was all those years ago when I used to use it. I even bought a license for some early version! But I don’t fancy buying a new license which would cost about €130.

I have the dimmiest recollection of some sort of freebie workstation VM called virtual-something. Google around a bit and quickly find VirtualBox. And it’s just like the VMware I remember, but without the credit card requirement.

Now I’ve only used it in the simplest of manners: running an XP 32-bit VM on a Windows 7 64-bit host. Not tried any other permutation of host/VM, of which there are all sorts claimed. (Linux hosts, MAC, different Windows – and even more VMs, extending to the BSD and so on) But for what I wanted it’s absolutely spot on. Really neat.

Oracle, not a company I’ve ever been a fanatical supporter of, earns a few brownie points from me.

OpenVPN over IPv6

sgroarke — Mon, 21 Jun 2010 12:38:09 +0000

Previous articles have detailed various aspects of getting IPv6 running on a home-gateway router. The aim is to migrate as much as possible towards an IPv6-only situation.

Here I cover the steps required to implement a simple point-to-point OpenVPN (SSL) VPN tunnel using PSK over IPv6 infrastructure.

One key element for me is to migrate my VPN connection to a remote host I own off IPv4 and entirely onto IPv6. This was not entirely straightforward! In fact it took hours and hours of research and experimentation to get this working. The eventual config required is not so mind-boggling. But getting there was tricky. As I’ve found out so many times before with regard to IPv6, the building bricks are lying around, but there are very few sources of information to help you stack them up. Once the steps are laid out, as you’ll see below, it’s actually pretty easy.

Migrating from what to OpenVPN IPv6?

We’re going to migrate an IPv4 OpenVPN point-to-point PSK VPN tunnel on Linux to an equivalent on native IPv6 infrastructure. We’re not trying to have an IPv4 tunnel over IPv6, nor an IPv6 tunnel over IPv4 (both of which are possible and useful in different situations). Here I aim to have an IPv6 OpenVPN SSL tunnel over pure IPv6 infrastructure.

My current VPN set up is:

Home gateway running Ubuntu 10.04 (Lucid)
Remote host running the same
Fixed public IPv4 and IPv6 (global) addresses on each.
OpenVPN point-to-point tunnel between them.
Simple PSK authentication.
Shorewall config as appropriate to OpenVPN.

To put some detail on it, there is a standard build of OpenVPN installed, with a config file such as /etc/openvpn/otherhost.conf:


remote 
dev tun
ifconfig 192.168.2.22 192.168.2.1
secret topsecret.psk
comp-lzo
keepalive 60 180
ping-timer-rem
persist-tun
persist-key
user nobody
group nogroup
daemon

At the other host we’ve a similar config, without the “remote

” part, and with the VPN addresses specified by the ifconfig flipped around.

This all works a treat. It’s about as plain an OpenVPN config as you could really get – a simple point to point tunnel using private IPv4 addressing.

OpenVPN and IPv6

This is really where things go all over the place. My starting point was over at the OpenVPN site, looking for details on IPv6. I found that:

Is IPv6 support planned/in the works?

Currently, there’s limited support for IPv6.

Point-to-point IPv6 tunnels are supported on OSes which have IPv6 TUN driver support (this includes Linux and the BSDs). IPv6 over TAP is always supported as is any other protocol which can run over Ethernet.

When OpenVPN 2.0 is run in server mode, IPv6 is currently only supported in TAP mode, not TUN mode (Server mode IPv6 TUN support will likely be added post-2.0).

The VPN carrier connection must currently use IPv4 endpoints, however there’s a patch which can be found in the openvpn-devel archives which adds IPv6 support. This patch will probably be merged into the mainline post-2.0.

So just what do we conclude from that? It says that point-to-point works with the TUN driver. But I couldn’t find any useful information about how to set it up.

Researching further, I find that the version of OpenVPN we’re using with Ubuntu (which is the latest) has very limited IPv6 support indeed. Indeed somewhat less than the OpenVPN web-site led me to believe! Now it may well be that the problem is my inability to understand the nuances of what the OpenVPN folks are saying. But I sure couldn’t get it working with the installed, standard version.

So I then find a lot more information here, which strongly suggests that I need to use a special IPv6 payload patch to achieve what I want to achieve. Specifically it says:

in point-to-point TUN mode, OpenVPN can transport IPv6 packets with the –tun-ipv6 option. No support for configuring the IPv6 endpoints and routes from within OpenVPN either, you need to run external “up” scripts.

That implies that I could use the unpatched OpenVPN and then manual scripts. As we’ll see below, in fact I had to use the patched version and external scripts! Again, likely due to a lack of knowledge on my part. But as a network engineer, I figure if I can’t work it all out then others will be in the same predicament.

VPN addressing

With IPv6, as discussed previously, the whole notion of private and public is done away with. Or at least, the meaning is seriously changed. Since we no longer have NAT in IPv6 (due to the address space being so very large) we do not have private address ranges for use inside a NATted network. So when choosing IPv6 addresses to use on our VPN it would seem that we can use any values. Well, yes and no. Back in IPv4 we could also have used any values too, while running the risk of accidentally using addresses which do really exist in the public Internet. So it is with IPv6, where we might collide with real addresses. It’s unlikely in these early days of IPv6, but we want to avoid it.

Another point to note, as with IPv4, is security. If VPN traffic inadvertently ”leaks” out of a public interface (and this is easier to achieve than you might think, particularly when you are setting things up!) then it would be good to use addresses which any compliant adjacent router will simply drop as unroutable, rather than propagate them in to the wider world. Indeed this desire to avoid “leaks” is also a reason to not simply use a chunk of IPv6 addresses out of your allocated pool. It’s not as if they are scarce – but mixing VPN addresses and public addresses so intimately is just asking for trouble. In a perfect world, then fine. But I do not live in that world. So an arbitrary addressing barrier betwen my VPN and the Internet is no bad thing.

So for this IPv6 VPN, we shall use so-called Unique Local Addresses, (Over here I touched upon Link Local addresses which are, as the name suggests, valid only within a single network.) as per RFC 4193. The history of all this is damn messy, but the bottom line is you should choose addresses in the range fd00::/8. So I will, merrily ignoring all the rest of RFC 4193, with its try-and-make-it-random stuff, use the following:

fd22::22 – the gateway device
fd22::1 – the remote host

What does good look like

What’s our definition of a working IPv6 VPN? How will I know when “it’s working”? My criteria include:

if I do an ifconfig I see a discrete VPN interface.
I can ping6 from one host to another.
during a ping6 I can tcpdump the tunnel interface and see clear traffic.
during a ping6 I can tcpdump the real WAN interface and see encrypted traffic.

Install a patched OpenVPN

As mentioned in the introduction, I ended up using a patched OpenVPN. I still believe that, based upon what the OpenVPN website says that this should not be required! But I ended up doing it. If you trust the use of a pre-built binary (I did) then it’s actually pretty easy to install. Bearing in mind that the system being used are running Ubuntu Lucid, follow these steps and you should be good to go:

Go to this page and have a bit of a read.
Towards the bottom, you should find a link that takes you to this page.
At the time of writing, this page only has builds for Intrepid and Karmic. And we’re Lucid. But fear not, and assume Karmic is correct…
As per the instructions, add the repository and signing key as per karmic.
Then perform the usual apt-get update followed either by a apt-get install openvpn or just a apt-get upgrade if openvpn was already installed.

And you should be all set with the required version.

Ancillary config

I’m just going to cover the IPv6-specific OpenVPN config file. I’m not going to go in to every last detail required “around the edges”. Just a few reminders:

You will point to your new IPv6 OpenVPN config from /etc/default/openvpn
You need to add the required config, just as for IPv4, to your shorewall6 config.

Core config

Here we get to the details. The configs used will actually be very similar to the IPv4 versions, with obvious changes for IPv6.

I’ll say again: I simply do not understand why the config has to be this way. Based upon the documents and info above, I should be able to put this all neatly within the OpenVPN config. But I could not, and hence the configs below reference simple ‘helper’ script to bring the tunnel up correctly.
Here is the config for the home gateway device:

local local6address_as_per_hosts_file remote remote6address_as_per_hosts_file

# Local and remote unique-local addresses ifconfig-ipv6 fd22::22 fd22::1 # Allow external script to be run script-security 2 # Script to do the rest of the work... up /etc/openvpn/helper.up

proto udp6 dev tun tun-ipv6 secret topsecret.psk comp-lzo keepalive 60 180 ping-timer-rem persist-tun persist-key user root group root daemon

And here is the referenced helper script helper.up:

#!/bin/bash ip -6 link set tun0 up ip -6 addr add fd22::22 dev tun0 ip -6 route add fd22::1 dev tun0

(And remember to make the script executable)

And here’s one for the remote server:

# Local and remote addresses ifconfig-ipv6 fd22::1 fd22::22

# Allow external script to be run script-security 2 # Script to do the rest of the work... up /etc/openvpn/helper.up proto udp6 dev tun tun-ipv6 secret supersecret.psk comp-lzo keepalive 60 180 ping-timer-rem persist-tun persist-key user nobody group nogroup daemon

And the helper.up for that one is:

#!/bin/bash ip -6 link set tun0 up ip -6 addr add fd22::1 dev tun0 ip -6 route add fd22::22 dev tun0

Again, make sure it’s executable.

Note that each makes use of names, where posible, rather than IPv6 addresses, which have been added to /etc/hosts to make everything easier to read and less prone to typos!

Static addressing

Yes, the addressing scheme is kinda static, I know. I wanted to keep this as simple as possible (which already isn’t so very simple…) and have everything point-to-point, with all routing being host-specific routing, rather than ranges. The obvious way to slightly adapt this is to allocate two IPv6 subnets within the unique-local adresses being used, and then of course adapt the helper scripts to add the route for the subnets rather than the specific hosts. I’m sure anyone who has got this far can make that change.

Success!

That’s about all that’s required. With the above config in place and the firewall set up correctly an ifconfig on the home router returns:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

inet6 addr: fd22::22/128 Scope:Global

UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

RX packets:44 errors:0 dropped:0 overruns:0 frame:0

TX packets:44 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:4576 (4.5 KB)  TX bytes:4576 (4.5 KB)

and the routing table shows two new entries:


fd22::1 dev tun0  metric 1024  mtu 1500 advmss 1440 hoplimit 0
fd22::22 dev tun0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0

And if I ping6 the other VPN address I get a response! Checking with tcpdump directly on the virtual tun0 interface I see meaningful ping-like traffic. While a similar scoping of the bearer interface, eth0, shows me the expected random-looking traffic (i.e. my highly sophisticated test for “Yes, it’s encrypted”!)

Netgear EVA9150

sgroarke — Thu, 10 Jun 2010 12:15:36 +0000

My much-loved Pinnacle Showcenter (written about previously here, for example) finally packed up. Not sure what killed it – did the obligatory open-it-up-and-buzz-it-a-bit routine. PSU seemed OK, but when the main board was connected up, something was dragging the PSU down big-time. No obviously failed components, so you are left with the likelihood that some chip somewhere has gone bad in a big way. So after shedding a tear, one quickly cheers up and realises that it’s a perfect excuse to replace it with something new!

Not self-build?

I wanted a device with similar functionality, to play my large collection of videos stored on a server and also allow occasional photo browsing. I didn’t have many hard and fast requirements, but as far as they went they were:

support a wide range of media formats, particularly DivX variants and MKV hi-def.
support a wide range of output (today we still have a large but rather old normal-def TV – I am sure in the lifetime of a new device our TV will get replaced with something HDMI-ish)
smart networking: my house is a mixture of Ethernet-over-power and wi-fi, with little cabled Ethernet)
Open. Very important. No proprietary crap, either in terms of what it can play or what I am allowed to do with it.

Given this and my propensity for building my own kit, a self-build seemed like an obvious idea. I toyed with the obvious mini-ITX options, with appropriately funky video cards and one of the Linux TV-based distros. But when I did a rough calculation of both the cost and the work required I couldn’t help but check if there was anything ready-built which would also do the job. I didn’t expect to find anything, to be honest. It was almost a “Due Diligence” exercise which I had to perform so that when I then spent day after day getting my self-build working OK I could mentally justify the effort. However the formality of proving there was nothing which met my needs turned out to have a surprise ending.

Netgear EVA9150

To cut a long story short, I came across the Netgear EVA 9150. Lovely device. Absolutely spot on. And no, I have no affiliation with Netgear! I paid € 270 of my hard-earned cash for it. I’ll not run through the spec (you can get that here) but will mention some key features it has which make it rather special and ideal for my requirements.

Server support

Go back to the recent past and devices such as the Pinnacle Showcenter used a web-based client-server architecture. The mediaplayer was, for many purposes, a web-client. It obtained metadata, menus, etc. from the server which had to run either proprietary software or, thanks to some open-source projects, a web server. Either way, you had to run “special” software on the media server. Then, to actually play something, the mediaplayer would initiate a web-streaming transfer of the data. Given the limited buffering capability available this meant that the server and network had to, more or less, deliver the required bit-rate in real-time. Any variations (due to a server hit or a network glitch) would result in degraded or completely stopped video playback.

The EVA9150, as I gather with many of the newer generation of mediaplayers, has a quite different architecture. They are actually simpler. The player itself is now much smarter and so demands correspondingly less smarts of the server. All the server has to be is what it already is: a network file server. The mediaplayer runs a local operating system (Linux in the case of the EVA9150) and just scans the server and, when required, copies stuff across. See below where I talk about caching for what this means in practice…

The version of firmware that came installed on my EVA9150 only supported Samba (i.e. Windows) shared file systems from the server. However the EVA9150 software seems to be under pretty active development, and a newer version (easy install: USB key in the front panel) now provides NFS support too. Since I run a Linux-based file server, this is great.

Networking

It has the almost obligatory 10/100 wired Ethernet port. I’m currently using that into a Ethernet-over-power adapter. The box also has built-in (and it really is built-in: the antennae are completely hidden inside the casing) 802.11a/b/g/n. That last one is interesting: nominal 300Mbps, 5GHz band, wi-fi. I’ve not tested it yet, but it could be useful in the future.

Caching

Ahhhh. This is, for me anyway, the killer feature. My home network works OK most of the time. Like most home networks, it will occasionally hiccup. And during a 2 hour movie even the occasional hiccup or two can become madly apparent when one is streaming in near-real time. Here the EVA9150 does something so simple. It’s not at all unique, it’s just done so well and transparently. It caches to the local 500GB disk. So you start a 2 hour movie and, probably within a few minutes of the start, it’s cached the whole thing successfully to the local disk. Network glitches be dammed. Simple. Perfect. Me like.

Media formats supported

The independent reviews of the EVA9150 make this point pretty strongly: try and find something, anything, it can’t play. OK, I best they exist. But it does everything I’ve chucked at it. I’ve got the output connected to a low-def standard TV. I start playing a hi-def Matroska file. Apart from the fact that is support MKV in the first place, I don’t get any crap about “this is hi-def, the output is not” etc. It just PLAYS IT, and down-specs (or, apparently, up-specs under other conditions) as required.

Physical support

There’s a plug on the back for anything I’ve ever heard about. From SCART up to HDMI, with loads in between.

Value for money?

All in all, it’s a very good mediaplayer. Not cheap, but if I’d built a box with the same spec myself, quite apart from my time, I don’t think the parts would have come to less than the €270 I paid anyway.