Wednesday 19 December 2007

Setting up an OpenVPN server behind a router (NAT) with ALL client traffic passing through the server

Introduction

In some countries web pages get blocked because they do not comply with the rules (moral, ethical, religious) of that country.

But sometimes other sites that shouldn't be blocked are not available either.

This can be circumvented: all traffic will pass through your home OpenVPN server, and all traffic will be encrypted (until it arrives home).
So there is no possibility of local eavesdropping.

This also comes in handy to transfer files safely between computers, or to secure any insecure UDP/TCP protocol.
You also DON'T NEED ANY EXTRA HARDWARE :) isn't that cool?

This howto shows how you do it.


Network Setup


OpenVPN can work in bridged mode or in tun mode. In this setup I use tun.
If you want to know the difference read these:
http://openvpn.net/faq.html#tunnel-principal
http://openvpn.net/faq.html#bridge
http://openvpn.net/faq.html#bridge1
http://openvpn.net/faq.html#bridge2
http://openvpn.net/faq.html#bridge3
http://openvpn.net/howto.html#vpntype

As you see on the image, my setup is probably almost identical to yours.

The OpenVPN server is connected to the router like all other hosts.
NAT is applied to outgoing packets.
Incoming connections are not allowed by the standard firewall configuration.

The OpenVPN server has FreeBSD 6.2 installed and the client Debian Lenny.



What to do
  1. Configure static IP for OpenVPN server
  2. Configure OpenVPN server and client (and generate authentication keys and certificates)
  3. Open firewall and forward port on router
  4. Test the basic VPN
  5. Configure NAT on the OpenVPN server

Configure static IP for OpenVPN server (FreeBSD)

First we have to configure the range of IP addresses the router hands out to hosts.
I configured it from 192.168.33.10 to 192.168.33.20 (so the static address of the server, chosen below, lies outside that range).
Look in the manual of your router where you can configure this.


Edit /etc/rc.conf and add lines like these:
Code:
ifconfig_re0="inet 192.168.33.3 netmask 255.255.255.0"
defaultrouter="192.168.33.1"

Do correct the "re0" to whatever the name is for your network interface.
For example interface vr0 would be ifconfig_vr0.

To set which DNS server should be used, execute the following:
Code:
echo "nameserver 192.168.33.1" > /etc/resolv.conf

This will only be applied after rebooting (or restarting your network service). I hate rebooting... so let's do it manually :p
Code:
ifconfig re0 192.168.33.3 netmask 255.255.255.0
route add default 192.168.33.1


Configure OpenVPN server and client


Add this to /etc/rc.conf to start the OpenVPN server automatically when the server boots:
Code:
openvpn_enable="YES"

Place this config (/usr/local/etc/openvpn/server.conf) on the server
(NOTE: ONLY try the root user and wheel group for testing, if you expect permissions to be the problem! Normally you can use nobody as user and group):
Code:
# This is an OpenVPN server over UDP (better performance because of less overhead) with a tun device (routing).
proto udp
dev tun
mode server

# Authentication with OpenSSL
tls-server
tls-auth keys/ta.key 0
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
duplicate-cn

# Configure the IP range of the VPN clients
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1" # this makes all client traffic go through the VPN (web requests, for example, do not go directly to the internet; the OpenVPN server sends them out).

user root
group wheel

ping 15
verb 5
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log


#comp-lzo # Compression to get better performance
#persist-key
#persist-tun

Create the log directory:
Code:
mkdir /var/log/openvpn

The config for the client (/etc/openvpn/client.conf) is almost the same:
Code:
proto udp
dev tun
remote 213.219.138.69 # host to connect to: the public IP of your home router, which forwards port 1194 to the server

tls-client
tls-auth keys/ta.key 1
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key

pull # this applies the "push" options from the server config.

port 1194
user root
group root

ping 15
verb 5
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log

#persist-key
#persist-tun
#comp-lzo

Also create the log directory:
Code:
mkdir /var/log/openvpn

OpenVPN comes with a nice tool to create the necessary keys and certificates, called easy-rsa.
Code:
cd /usr/local/share/doc/openvpn/easy-rsa/

Be sure you have openssl installed.

First edit the settings in the "vars" file to your liking (I recommend you keep the standard settings, or only raise the Diffie-Hellman key size to 2048).

Execute:
Code:
. vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh

First the settings get read. Then clean-all creates the keys directory, the serial file and the index.txt file.
build-ca creates a Certificate Authority.
build-key-server creates a key and certificate for the server. For one OpenVPN server you have to do this only once.
After this, for each client you have, you execute build-key client1, build-key client2, ...
Be sure that the Common Name is unique for each of them.
build-dh creates the Diffie-Hellman parameters.

Copy the files dh1024.pem, ca.crt, server.crt and server.key to the /usr/local/etc/openvpn/keys directory on the server (create it first).
Copy ca.crt, client1.crt and client1.key to the /etc/openvpn/keys directory on the client side.
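Before starting either side it is worth checking that the two configs actually fit together. The following is an added example and not part of the original howto: a small checker that parses a server.conf and a client.conf (the two embedded configs are constructed copies of the ones above, with a documentation address instead of the real "remote") and reports the mismatches that would stop the tunnel (proto, port, TLS role, tls-auth key direction 0/1) as well as the conditions this post's own startup log warns about (running as root, user/group without persist-key/persist-tun, missing keepalive, ifconfig-pool-persist together with duplicate-cn).

```python
"""Sanity-check an OpenVPN server.conf / client.conf pair before starting them.

Added example, not code from the original howto. SERVER_CONF and CLIENT_CONF are
constructed copies of the post's two configs; the client's "remote" is a
documentation-range placeholder, not the post's real address.
"""
from __future__ import annotations

import shlex

SERVER_CONF = """\
# constructed copy of the post's server.conf
proto udp
dev tun
mode server
tls-server
tls-auth keys/ta.key 0
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
duplicate-cn
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
user root
group wheel
ping 15
verb 5
#persist-key
#persist-tun
"""

CLIENT_CONF = """\
# constructed copy of the post's client.conf
proto udp
dev tun
remote 203.0.113.10   # placeholder public address of the home router
tls-client
tls-auth keys/ta.key 1
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
pull
port 1194
user root
group root
ping 15
verb 5
"""


def parse_openvpn_conf(text: str) -> dict[str, list[list[str]]]:
    """Parse a config into {directive: [argument list per occurrence]}.

    '#' comments are stripped, quoted arguments such as "redirect-gateway def1"
    stay one token (as OpenVPN reads them), and repeated directives keep every
    occurrence.
    """
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def _arg(conf: dict, name: str, index: int = 0, default: str | None = None) -> str | None:
    """Argument `index` of the first occurrence of `name`, or `default` if absent."""
    if name in conf and len(conf[name][0]) > index:
        return conf[name][0][index]
    return default


def check_pair(server: dict, client: dict) -> list[str]:
    """Return findings that would stop the tunnel or that the post's log warns about."""
    findings: list[str] = []

    # Transport and port must agree: a UDP server never sees a TCP client.
    if _arg(server, "proto", default="udp") != _arg(client, "proto", default="udp"):
        findings.append("proto mismatch between server and client")
    if _arg(server, "port", default="1194") != _arg(client, "port", default="1194"):
        findings.append("port mismatch between server and client")

    # TLS roles must be complementary.
    if "tls-server" not in server and "server" not in server:
        findings.append("server config has neither tls-server nor server")
    if "tls-client" not in client and "client" not in client:
        findings.append("client config has neither tls-client nor client")

    # tls-auth: both sides or neither, and key directions 0 (server) and 1 (client).
    s_ta, c_ta = "tls-auth" in server, "tls-auth" in client
    if s_ta != c_ta:
        findings.append("tls-auth configured on one side only; the handshake will be dropped")
    elif s_ta:
        dirs = {_arg(server, "tls-auth", 1), _arg(client, "tls-auth", 1)}
        if dirs != {"0", "1"}:
            findings.append("tls-auth key direction must be 0 on the server and 1 on the client")

    # Full-tunnel goal of the post: the server pushes redirect-gateway and the client pulls it.
    pushed = [args[0] for args in server.get("push", []) if args]
    if not any(p.startswith("redirect-gateway") for p in pushed):
        findings.append("server does not push redirect-gateway; client traffic will bypass the VPN")
    if "pull" not in client and "client" not in client:
        findings.append("client has neither pull nor client; pushed options are ignored")

    # Conditions the post's own startup log warns about.
    for side, conf in (("server", server), ("client", client)):
        if _arg(conf, "user") == "root":
            findings.append(f"{side}: runs as root (the post uses this for testing only; use nobody)")
        drops_privs = "user" in conf or "group" in conf
        if drops_privs and not ("persist-key" in conf and "persist-tun" in conf):
            findings.append(f"{side}: user/group without persist-key/persist-tun; restarts may fail")
    if "keepalive" not in server:
        findings.append("server: no keepalive; dead clients are never timed out")
    if "duplicate-cn" in server and "ifconfig-pool-persist" in server:
        findings.append("server: ifconfig-pool-persist does not work with duplicate-cn")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_openvpn_conf(SERVER_CONF), parse_openvpn_conf(CLIENT_CONF)):
        print("-", finding)
```

Run against the post's own configs the checker reports no pairing mismatch, only the six test-mode findings (root on both sides, no persist-key/persist-tun, no keepalive, pool persistence with duplicate-cn). One thing the checker cannot see is whether keys/ta.key exists: the easy-rsa steps above do not create it, and OpenVPN generates that static key with `openvpn --genkey --secret keys/ta.key`, run once on the server and copied to the client's keys directory next to ca.crt.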


Open firewall and forward port on router

I have a Linux based router (US Robotics). I configured the firewall over an SSH login (you can enable SSH in the router's graphical interface).

First allow packets arriving from the internet on the router to be forwarded to your OpenVPN server (UDP, because the server config uses "proto udp"):
Code:
iptables -I FORWARD 1 -d 192.168.33.3 -p udp --dport 1194 -j ACCEPT

Forward the packets that have destination port 1194 to your OpenVPN server:
Code:
iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to 192.168.33.3:1194

Enable packet forwarding in the kernel:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

Test the basic VPN


After all this configuration, let's check if it works.

Start openvpn on the server:
Code:
cd /usr/local/etc/openvpn
openvpn server.conf

Start openvpn on the client:
Code:
cd /etc/openvpn/
openvpn client.conf

Normally you should see text scrolling in the logs of both, ending with "Initialization Sequence Completed".
(It may be easier to remove the logging lines, log-append and status, from the configuration file; then the output is printed in the terminal.)
This is my log file after starting the server:
Code:

Thu Dec 20 07:59:01 2007 us=619831 Current Parameter Settings:
Thu Dec 20 07:59:01 2007 us=621081 config = 'server.conf'
Thu Dec 20 07:59:01 2007 us=621192 mode = 1
Thu Dec 20 07:59:01 2007 us=621255 show_ciphers = DISABLED
Thu Dec 20 07:59:01 2007 us=621314 show_digests = DISABLED
Thu Dec 20 07:59:01 2007 us=621373 show_engines = DISABLED
Thu Dec 20 07:59:01 2007 us=621431 genkey = DISABLED
Thu Dec 20 07:59:01 2007 us=621488 key_pass_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=621547 show_tls_ciphers = DISABLED
Thu Dec 20 07:59:01 2007 us=621605 proto = 0
Thu Dec 20 07:59:01 2007 us=621663 local = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=621721 remote_list = NULL
Thu Dec 20 07:59:01 2007 us=621782 remote_random = DISABLED
Thu Dec 20 07:59:01 2007 us=621840 local_port = 1194
Thu Dec 20 07:59:01 2007 us=621900 remote_port = 1194
Thu Dec 20 07:59:01 2007 us=621958 remote_float = DISABLED
Thu Dec 20 07:59:01 2007 us=622017 ipchange = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=622075 bind_local = ENABLED
Thu Dec 20 07:59:01 2007 us=622134 dev = 'tun'
Thu Dec 20 07:59:01 2007 us=622204 dev_type = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=622264 dev_node = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=622322 tun_ipv6 = DISABLED
Thu Dec 20 07:59:01 2007 us=622381 ifconfig_local = '192.168.100.1'
Thu Dec 20 07:59:01 2007 us=622441 ifconfig_remote_netmask = '192.168.100.2'
Thu Dec 20 07:59:01 2007 us=622499 ifconfig_noexec = DISABLED
Thu Dec 20 07:59:01 2007 us=622558 ifconfig_nowarn = DISABLED
Thu Dec 20 07:59:01 2007 us=622616 shaper = 0
Thu Dec 20 07:59:01 2007 us=622675 tun_mtu = 1500
Thu Dec 20 07:59:01 2007 us=622732 tun_mtu_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=622791 link_mtu = 1500
Thu Dec 20 07:59:01 2007 us=622849 link_mtu_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=622908 tun_mtu_extra = 0
Thu Dec 20 07:59:01 2007 us=622967 tun_mtu_extra_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=623026 fragment = 0
Thu Dec 20 07:59:01 2007 us=623084 mtu_discover_type = -1
Thu Dec 20 07:59:01 2007 us=623262 mtu_test = 0
Thu Dec 20 07:59:01 2007 us=623331 mlock = DISABLED
Thu Dec 20 07:59:01 2007 us=623390 keepalive_ping = 0
Thu Dec 20 07:59:01 2007 us=623449 keepalive_timeout = 0
Thu Dec 20 07:59:01 2007 us=623508 inactivity_timeout = 0
Thu Dec 20 07:59:01 2007 us=623568 ping_send_timeout = 15
Thu Dec 20 07:59:01 2007 us=623627 ping_rec_timeout = 0
Thu Dec 20 07:59:01 2007 us=623686 ping_rec_timeout_action = 0
Thu Dec 20 07:59:01 2007 us=623745 ping_timer_remote = DISABLED
Thu Dec 20 07:59:01 2007 us=623804 remap_sigusr1 = 0
Thu Dec 20 07:59:01 2007 us=623863 explicit_exit_notification = 0
Thu Dec 20 07:59:01 2007 us=623921 persist_tun = DISABLED
Thu Dec 20 07:59:01 2007 us=623980 persist_local_ip = DISABLED
Thu Dec 20 07:59:01 2007 us=624039 persist_remote_ip = DISABLED
Thu Dec 20 07:59:01 2007 us=624097 persist_key = DISABLED
Thu Dec 20 07:59:01 2007 us=624156 mssfix = 1450
Thu Dec 20 07:59:01 2007 us=624229 passtos = DISABLED
Thu Dec 20 07:59:01 2007 us=624289 resolve_retry_seconds = 1000000000
Thu Dec 20 07:59:01 2007 us=624348 connect_retry_seconds = 5
Thu Dec 20 07:59:01 2007 us=624407 username = 'root'
Thu Dec 20 07:59:01 2007 us=624466 groupname = 'wheel'
Thu Dec 20 07:59:01 2007 us=624525 chroot_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624584 cd_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624670 writepid = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624730 up_script = './server.up'
Thu Dec 20 07:59:01 2007 us=624789 down_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=624848 down_pre = DISABLED
Thu Dec 20 07:59:01 2007 us=624906 up_restart = DISABLED
Thu Dec 20 07:59:01 2007 us=624965 up_delay = DISABLED
Thu Dec 20 07:59:01 2007 us=625023 daemon = DISABLED
Thu Dec 20 07:59:01 2007 us=625082 inetd = 0
Thu Dec 20 07:59:01 2007 us=625140 log = ENABLED
Thu Dec 20 07:59:01 2007 us=625211 suppress_timestamps = DISABLED
Thu Dec 20 07:59:01 2007 us=625271 nice = 0
Thu Dec 20 07:59:01 2007 us=625331 verbosity = 5
Thu Dec 20 07:59:01 2007 us=625443 mute = 0
Thu Dec 20 07:59:01 2007 us=625512 gremlin = 0
Thu Dec 20 07:59:01 2007 us=625572 status_file = '/var/log/openvpn/status.log'
Thu Dec 20 07:59:01 2007 us=625632 status_file_version = 1
Thu Dec 20 07:59:01 2007 us=625691 status_file_update_freq = 60
Thu Dec 20 07:59:01 2007 us=625751 occ = ENABLED
Thu Dec 20 07:59:01 2007 us=625812 rcvbuf = 65536
Thu Dec 20 07:59:01 2007 us=625873 sndbuf = 65536
Thu Dec 20 07:59:01 2007 us=625934 socks_proxy_server = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=625996 socks_proxy_port = 0
Thu Dec 20 07:59:01 2007 us=626056 socks_proxy_retry = DISABLED
Thu Dec 20 07:59:01 2007 us=626116 fast_io = DISABLED
Thu Dec 20 07:59:01 2007 us=626226 comp_lzo = ENABLED
Thu Dec 20 07:59:01 2007 us=626294 comp_lzo_adaptive = ENABLED
Thu Dec 20 07:59:01 2007 us=626356 route_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626416 route_default_gateway = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626476 route_noexec = DISABLED
Thu Dec 20 07:59:01 2007 us=626536 route_delay = 0
Thu Dec 20 07:59:01 2007 us=626596 route_delay_window = 30
Thu Dec 20 07:59:01 2007 us=626656 route_delay_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=626721 route 192.168.100.0/255.255.255.0/nil/nil
Thu Dec 20 07:59:01 2007 us=626783 management_addr = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626845 management_port = 0
Thu Dec 20 07:59:01 2007 us=626904 management_user_pass = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=626967 management_log_history_cache = 250
Thu Dec 20 07:59:01 2007 us=627028 management_echo_buffer_size = 100
Thu Dec 20 07:59:01 2007 us=627089 management_query_passwords = DISABLED
Thu Dec 20 07:59:01 2007 us=627150 management_hold = DISABLED
Thu Dec 20 07:59:01 2007 us=627226 shared_secret_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=627287 key_direction = 1
Thu Dec 20 07:59:01 2007 us=627348 ciphername_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=627409 ciphername = 'BF-CBC'
Thu Dec 20 07:59:01 2007 us=627469 authname_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=627580 authname = 'SHA1'
Thu Dec 20 07:59:01 2007 us=627649 keysize = 0
Thu Dec 20 07:59:01 2007 us=627710 engine = DISABLED
Thu Dec 20 07:59:01 2007 us=627769 replay = ENABLED
Thu Dec 20 07:59:01 2007 us=627830 mute_replay_warnings = DISABLED
Thu Dec 20 07:59:01 2007 us=627890 replay_window = 64
Thu Dec 20 07:59:01 2007 us=627950 replay_time = 15
Thu Dec 20 07:59:01 2007 us=628011 packet_id_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628071 use_iv = ENABLED
Thu Dec 20 07:59:01 2007 us=628132 test_crypto = DISABLED
Thu Dec 20 07:59:01 2007 us=628209 tls_server = ENABLED
Thu Dec 20 07:59:01 2007 us=628271 tls_client = DISABLED
Thu Dec 20 07:59:01 2007 us=628333 key_method = 2
Thu Dec 20 07:59:01 2007 us=628394 ca_file = 'keys/ca.crt'
Thu Dec 20 07:59:01 2007 us=628456 dh_file = 'keys/dh1024.pem'
Thu Dec 20 07:59:01 2007 us=628517 cert_file = 'keys/server.crt'
Thu Dec 20 07:59:01 2007 us=628578 priv_key_file = 'keys/server.key'
Thu Dec 20 07:59:01 2007 us=628640 pkcs12_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628700 cipher_list = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628761 tls_verify = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628822 tls_remote = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628884 crl_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=628945 ns_cert_type = 0
Thu Dec 20 07:59:01 2007 us=629006 tls_timeout = 2
Thu Dec 20 07:59:01 2007 us=629068 renegotiate_bytes = 0
Thu Dec 20 07:59:01 2007 us=629130 renegotiate_packets = 0
Thu Dec 20 07:59:01 2007 us=629206 renegotiate_seconds = 3600
Thu Dec 20 07:59:01 2007 us=629269 handshake_window = 60
Thu Dec 20 07:59:01 2007 us=629331 transition_window = 3600
Thu Dec 20 07:59:01 2007 us=629391 single_session = DISABLED
Thu Dec 20 07:59:01 2007 us=629453 tls_exit = DISABLED
Thu Dec 20 07:59:01 2007 us=629514 tls_auth_file = 'keys/ta.key'
Thu Dec 20 07:59:01 2007 us=629594 server_network = 192.168.100.0
Thu Dec 20 07:59:01 2007 us=629666 server_netmask = 255.255.255.0
Thu Dec 20 07:59:01 2007 us=629796 server_bridge_ip = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=629876 server_bridge_netmask = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=629947 server_bridge_pool_start = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=630019 server_bridge_pool_end = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=630083 push_list = 'redirect-gateway def1,route 192.168.100.1'
Thu Dec 20 07:59:01 2007 us=630144 ifconfig_pool_defined = ENABLED
Thu Dec 20 07:59:01 2007 us=630233 ifconfig_pool_start = 192.168.100.4
Thu Dec 20 07:59:01 2007 us=630306 ifconfig_pool_end = 192.168.100.251
Thu Dec 20 07:59:01 2007 us=630376 ifconfig_pool_netmask = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=630439 ifconfig_pool_persist_filename = 'ipp.txt'
Thu Dec 20 07:59:01 2007 us=630502 ifconfig_pool_persist_refresh_freq = 600
Thu Dec 20 07:59:01 2007 us=630564 ifconfig_pool_linear = DISABLED
Thu Dec 20 07:59:01 2007 us=630625 n_bcast_buf = 256
Thu Dec 20 07:59:01 2007 us=630685 tcp_queue_limit = 64
Thu Dec 20 07:59:01 2007 us=630747 real_hash_size = 256
Thu Dec 20 07:59:01 2007 us=630807 virtual_hash_size = 256
Thu Dec 20 07:59:01 2007 us=630868 client_connect_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=630929 learn_address_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=630990 client_disconnect_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=631051 client_config_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=631112 ccd_exclusive = DISABLED
Thu Dec 20 07:59:01 2007 us=631185 tmp_dir = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=631248 push_ifconfig_defined = DISABLED
Thu Dec 20 07:59:01 2007 us=631318 push_ifconfig_local = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=631387 push_ifconfig_remote_netmask = 0.0.0.0
Thu Dec 20 07:59:01 2007 us=631449 enable_c2c = DISABLED
Thu Dec 20 07:59:01 2007 us=631508 duplicate_cn = ENABLED
Thu Dec 20 07:59:01 2007 us=631569 cf_max = 0
Thu Dec 20 07:59:01 2007 us=631628 cf_per = 0
Thu Dec 20 07:59:01 2007 us=631689 max_clients = 1024
Thu Dec 20 07:59:01 2007 us=631750 max_routes_per_client = 256
Thu Dec 20 07:59:01 2007 us=631858 client_cert_not_required = DISABLED
Thu Dec 20 07:59:01 2007 us=631925 username_as_common_name = DISABLED
Thu Dec 20 07:59:01 2007 us=631986 auth_user_pass_verify_script = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=632048 auth_user_pass_verify_script_via_file = DISABLED
Thu Dec 20 07:59:01 2007 us=632110 client = DISABLED
Thu Dec 20 07:59:01 2007 us=632183 pull = DISABLED
Thu Dec 20 07:59:01 2007 us=632247 auth_user_pass_file = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=632314 OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Oct 15 2006
Thu Dec 20 07:59:01 2007 us=632618 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Dec 20 07:59:01 2007 us=632700 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Dec 20 07:59:01 2007 us=632754 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Thu Dec 20 07:59:01 2007 us=632807 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Thu Dec 20 07:59:01 2007 us=632858 WARNING: --keepalive option is missing from server config
Thu Dec 20 07:59:01 2007 us=682193 Diffie-Hellman initialized with 1024 bit key
Thu Dec 20 07:59:01 2007 us=698533 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Thu Dec 20 07:59:01 2007 us=698745 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 20 07:59:01 2007 us=698844 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 20 07:59:01 2007 us=698937 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Dec 20 07:59:01 2007 us=699549 gw 192.168.1.1
Thu Dec 20 07:59:01 2007 us=700008 TUN/TAP device /dev/tun0 opened
Thu Dec 20 07:59:01 2007 us=700181 /sbin/ifconfig tun0 192.168.100.1 192.168.100.2 mtu 1500 netmask 255.255.255.255 up
Thu Dec 20 07:59:01 2007 us=720889 ./server.up tun0 1500 1542 192.168.100.1 192.168.100.2 init
Thu Dec 20 07:59:01 2007 us=742528 /sbin/route add -net 192.168.100.0 192.168.100.2 255.255.255.0
add net 192.168.100.0: gateway 192.168.100.2
Thu Dec 20 07:59:01 2007 us=759919 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 20 07:59:01 2007 us=763642 GID set to wheel
Thu Dec 20 07:59:01 2007 us=763810 UID set to root
Thu Dec 20 07:59:01 2007 us=763942 Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu Dec 20 07:59:01 2007 us=764033 UDPv4 link local (bound): [undef]:1194
Thu Dec 20 07:59:01 2007 us=764098 UDPv4 link remote: [undef]
Thu Dec 20 07:59:01 2007 us=764210 MULTI: multi_init called, r=256 v=256
Thu Dec 20 07:59:01 2007 us=764382 IFCONFIG POOL: base=192.168.100.4 size=62
Thu Dec 20 07:59:01 2007 us=764487 IFCONFIG POOL LIST
Thu Dec 20 07:59:01 2007 us=764683 Initialization Sequence Completed


And this gets added to it when I stop openvpn:
Code:

Thu Dec 20 07:59:36 2007 us=859158 event_wait : Interrupted system call (code=4)
Thu Dec 20 07:59:36 2007 us=860092 TCP/UDP: Closing socket
Thu Dec 20 07:59:36 2007 us=860316 /sbin/route delete -net 192.168.100.0 192.168.100.2 255.255.255.0
delete net 192.168.100.0: gateway 192.168.100.2
Thu Dec 20 07:59:36 2007 us=880020 Closing TUN/TAP interface
Thu Dec 20 07:59:36 2007 us=880585 SIGINT[hard,] received, process exiting
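Reading a verb 5 log by eye works once; the following is an added example (not code from the post) that does the same check automatically. It parses a constructed excerpt with the same line shapes as the server log above (timestamped "name = value" parameter dump, WARNING lines, a route(8) line without a timestamp, the final completion marker) and reports what this section tells you to look for: whether "Initialization Sequence Completed" appeared, the tunnel address to ping from the client, the listening port, the user/group the daemon dropped to, whether redirect-gateway is in the push list, and every WARNING.

```python
"""Read an OpenVPN 'verb 5' startup log and report whether the tunnel came up.

Added example, not code from the original post. SAMPLE_LOG is a constructed
excerpt in the same format as the post's server log.
"""
import re

SAMPLE_LOG = """\
Thu Dec 20 07:59:01 2007 us=619831 Current Parameter Settings:
Thu Dec 20 07:59:01 2007 us=621081 config = 'server.conf'
Thu Dec 20 07:59:01 2007 us=621663 local = '[UNDEF]'
Thu Dec 20 07:59:01 2007 us=622381 ifconfig_local = '192.168.100.1'
Thu Dec 20 07:59:01 2007 us=624466 username = 'root'
Thu Dec 20 07:59:01 2007 us=624525 groupname = 'wheel'
Thu Dec 20 07:59:01 2007 us=630083 push_list = 'redirect-gateway def1,route 192.168.100.1'
Thu Dec 20 07:59:01 2007 us=632700 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Dec 20 07:59:01 2007 us=632754 WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail
Thu Dec 20 07:59:01 2007 us=632807 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Thu Dec 20 07:59:01 2007 us=632858 WARNING: --keepalive option is missing from server config
Thu Dec 20 07:59:01 2007 us=700008 TUN/TAP device /dev/tun0 opened
Thu Dec 20 07:59:01 2007 us=742528 /sbin/route add -net 192.168.100.0 192.168.100.2 255.255.255.0
add net 192.168.100.0: gateway 192.168.100.2
Thu Dec 20 07:59:01 2007 us=764033 UDPv4 link local (bound): [undef]:1194
Thu Dec 20 07:59:01 2007 us=764683 Initialization Sequence Completed
"""

# "Thu Dec 20 07:59:01 2007 us=619831 <message>"
TIMESTAMP = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} us=\d+ (?P<msg>.*)$")
PARAM = re.compile(r"^(?P<name>\w+) = (?P<value>.*)$")
BOUND = re.compile(r"link local \(bound\): \S+:(?P<port>\d+)$")
COMPLETED = "Initialization Sequence Completed"


def parse_startup_log(text: str) -> dict:
    """Split the log into parameters, warnings, listening port and completion flag."""
    result = {"params": {}, "warnings": [], "port": None, "completed": False}
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        msg = m.group("msg") if m else line  # output of helper commands carries no timestamp
        p = PARAM.match(msg)
        if p:
            result["params"][p.group("name")] = p.group("value").strip("'")
        elif msg.startswith("WARNING:"):
            result["warnings"].append(msg[len("WARNING:"):].strip())
        elif BOUND.search(msg):
            result["port"] = int(BOUND.search(msg).group("port"))
        elif msg == COMPLETED:
            result["completed"] = True
    return result


def summarize(text: str) -> dict:
    """The facts this section tells you to verify after starting the server."""
    parsed = parse_startup_log(text)
    params = parsed["params"]
    return {
        "completed": parsed["completed"],
        "tunnel_ip": params.get("ifconfig_local"),  # the address to ping from the client
        "port": parsed["port"],
        "runs_as": (params.get("username"), params.get("groupname")),
        "redirects_gateway": "redirect-gateway" in params.get("push_list", ""),
        "warnings": parsed["warnings"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real file with `summarize(open("/var/log/openvpn/openvpn.log").read())`; a log that stops before the completion marker yields `completed: False`, which is the case to investigate.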



Look at the output of ifconfig to see whether there is an extra interface:
Code:
ifconfig

Code:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.100.1 P-t-P:192.168.100.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

This is what you should see on the server (the number in tun0 could be different).
Notice the IP address: 192.168.100.1
The 192.168.100.2 is of no use to you (it is only the point-to-point peer address of the tun link).

On the client you will see almost the same.
For example 192.168.100.6 as IP (always the first one that is handed out)

Now we can ping to see if transmission is possible.
From the client:
Code:
ping 192.168.100.1

From the server:
Code:
ping 192.168.100.6

Both should give you a reply. (If not, be sure your firewalls do not block ICMP echo requests.)

Reply == You did it :D


Do mind that on Debian, OpenVPN gets started automatically at boot. So if you can't go online anymore while the OpenVPN server is not available, first try to shut down the service:
Code:
/etc/init.d/openvpn stop

At this point you still can't reach the internet through your VPN. The next step shows how to finish that last part.



Troubleshooting the OpenVPN tunnel

If you want more detailed information about your tunnel, you can change "verb 3" to "verb 5" in the config file.


Configure NAT on the OpenVPN server

Because the router's LAN is 192.168.33.0/24 (router at 192.168.33.1) and the OpenVPN client is 192.168.100.6, the OpenVPN server (192.168.33.3) is not able to receive responses, because 192.168.100.6 can't be routed in the local network (the network where the OpenVPN server is). This means you need NAT for this.
So every packet coming from 192.168.100.6 will look as if it comes from the OpenVPN server (192.168.33.3). After the response is received on the OpenVPN server, NAT will correct the IP address and the port number of the packet and send it to the OpenVPN client.

Because there is also NAT on the router this seems confusing, but in the end it is very logical. I also wondered whether my OpenVPN traffic itself would be NATed. The solution is to only NAT the traffic coming from 192.168.100.6 (the VPN client; the rule below covers the whole 192.168.100.0/24 range).


Setting up NAT in this case is very easy. First load the IPFilter kernel module (ipnat is part of IPFilter):
Code:
kldload ipl


Put these NAT rules into /etc/ipnat.rules:
Code:
map re0 192.168.100.0/24 -> 0/32 portmap tcp/udp 30001:40000
map re0 192.168.100.0/24 -> 0/32

re0 is the interface where the packets leave to the internal network (192.168.1.0/24) or the internet; 0/32 means "the address of that interface". The first rule rewrites the source port of TCP/UDP packets into the 30001:40000 range, the second catches the remaining protocols (ICMP, for example).
Correct the range (192.168.100.0/24) if you used a different one in the server config.
NOTE: I only used one physical NIC for this. OpenVPN creates its own virtual device, tun0. As long as the NAT rules are correct this shouldn't give you any problem.
NOTE: packets destined to 192.168.100.1 (the server end of the OpenVPN tunnel) will not be NATted, because they are not destined for another host and never leave through re0.
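To make the two map rules and the two notes above concrete, here is an added example (not the author's code) that models what the server does with a VPN client's packets: which interface a packet leaves by, the source rewrite to re0's address with a port from the portmap range for TCP/UDP (and without a port rewrite for ICMP, via the second rule), and the reverse translation of the reply. Addresses are the ones used in this post; the peer addresses in the checks are constructed documentation-range values, and port allocation is sequential here, whereas real ipnat picks ports from the range in its own order.

```python
"""Model of the two ipnat 'map' rules from this post.

Added example, not the author's code. Tunnel subnet 192.168.100.0/24, server
tunnel end 192.168.100.1 and LAN address 192.168.33.3 on re0 follow the post;
everything else is a constructed illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

TUNNEL_NET = ip_network("192.168.100.0/24")
SERVER_TUN_IP = ip_address("192.168.100.1")
RE0_IP = ip_address("192.168.33.3")
PORTMAP = range(30001, 40001)  # "portmap tcp/udp 30001:40000"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for protocols without ports
    dport: int = 0


def egress_interface(dst: str) -> str:
    """Where the server sends a packet: to itself, back into the tunnel, or out re0."""
    addr = ip_address(dst)
    if addr in (SERVER_TUN_IP, RE0_IP):
        return "local"  # for the server itself: never reaches the map rules
    if addr in TUNNEL_NET:
        return "tun0"   # another VPN client
    return "re0"        # LAN or internet: the map rules apply here


class IpnatMap:
    """map re0 192.168.100.0/24 -> 0/32 portmap tcp/udp 30001:40000
       map re0 192.168.100.0/24 -> 0/32
    0/32 stands for re0's own address. The first rule rewrites TCP/UDP source
    ports into the portmap range; the second catches the rest (ICMP) as is."""

    def __init__(self) -> None:
        self._next_port = PORTMAP.start
        # (proto, mapped port, peer) -> (client address, client port)
        self._table: dict[tuple, tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        port = self._next_port
        self._next_port = port + 1 if port + 1 in PORTMAP else PORTMAP.start
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Apply the rules to a packet about to leave via re0."""
        if egress_interface(pkt.dst) != "re0" or ip_address(pkt.src) not in TUNNEL_NET:
            return pkt  # no rule matches: local delivery, tunnel traffic, or the server's own packets
        if pkt.proto in ("tcp", "udp"):
            mapped = self._allocate_port()
            self._table[(pkt.proto, mapped, pkt.dst)] = (pkt.src, pkt.sport)
            return replace(pkt, src=str(RE0_IP), sport=mapped)
        self._table[(pkt.proto, 0, pkt.dst)] = (pkt.src, pkt.sport)  # second rule, no portmap
        return replace(pkt, src=str(RE0_IP))

    def inbound(self, pkt: Packet) -> Packet:
        """Undo the translation for a reply arriving on re0."""
        key = (pkt.proto, pkt.dport if pkt.proto in ("tcp", "udp") else 0, pkt.src)
        if key not in self._table:
            return pkt  # no mapping: ordinary traffic for the server itself
        client, port = self._table[key]
        return replace(pkt, dst=client, dport=port)


if __name__ == "__main__":
    nat = IpnatMap()
    query = Packet("udp", "192.168.100.6", "198.51.100.53", 50000, 53)  # constructed DNS query
    out = nat.outbound(query)
    reply = nat.inbound(Packet("udp", out.dst, out.src, out.dport, out.sport))
    print("out:", out)
    print("reply:", reply)
```

The packet to 192.168.100.1 goes back unchanged because its egress is "local", which is exactly the second NOTE above; the server's own traffic is left alone because its source is not in 192.168.100.0/24, which is the answer to the worry about OpenVPN's own packets being NATed.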

Now start ipnat and load the rules:
Code:
/etc/rc.d/ipnat start
ipnat -f /etc/ipnat.rules


The last thing is allowing packets to be forwarded by the host:
Code:
sysctl net.inet.ip.forwarding=1


! Important: you need the following in the OpenVPN server config:
Code:
push "redirect-gateway def1"


Try to ping google.com from the client, for example.


You can troubleshoot with tcpdump:
Code:
tcpdump -tt -i re0

(you can do this on all hosts and interfaces, physical and virtual: re0 and tun0 in this example, to understand how the traffic is flowing)
or
Code:
ipnat -l

to look at the active ipnat mappings and the loaded NAT rules.


Now let's automate it.
Add the following to /etc/rc.conf:
Code:
gateway_enable="YES"

firewall_enable="YES"
firewall_type="open"

ipnat_enable="YES" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat



Wednesday 5 December 2007

Install Xorg on Dell Latitude D630 with Intel GM965 (X3100) graphics chipset (CentOS 5.1)

Important

DISCLAIMER: You cannot hold me responsible for any loss of data or inoperability of your system. You do this on your own responsibility.
NOTE: - I will place synonyms in brackets to help people find this topic and fix their graphics problems.
- If you are not an experienced user, please let someone who knows more about it do it for you. (feel free to ask me for help if you want)


Introduction and explanation

I installed CentOS and the graphics worked out of the box. BUT !!! Even though the resolution was set correctly (checked with xrandr), I still got blurry (vaporous, not sharp) graphics. It looked as if there was an ancient chipset in the notebook, although it was pretty new.

During tests in different distros (distributions: Gentoo, Debian, ArchLinux) I have noticed that the standard installed (stable) drivers were not working like they should.
On ALL distros I got it fixed by installing the correct version of some packages (software, minimum version, command to show the installed version):
X.org (xorg): >= v1.3.0 (cat /var/log/Xorg.0.log | grep Window)
i810: >= v2.0.0 (cat /var/log/Xorg.0.log | grep intel) or (cat /var/log/Xorg.0.log | grep i810)
libdrm: >= v2.3.0 (ls /usr/lib | grep libdrm) or (ls /usr/lib64 | grep libdrm)


You might think: ok, just update these packages and it is done. In Gentoo, Fedora 7, Debian and ArchLinux this is true.
But CentOS introduces a problem: these versions are not in the repos.
Because CentOS is based on RedHat/Fedora I had the idea to install the RPMs from the Fedora distribution. This was a success.
Let's see how.


How I did it

I visited rpm.pbone.net. It is a search engine for RPM packages.
I searched for the Xorg package with version 1.3 or higher for Fedora (Fedora 7; I took 7 because those are testing drivers, while 8 has development drivers).
I downloaded it and tried to install it:
rpm --install xorg-x11-server-Xorg-*

This gives a lot of messages about conflicts. This is very normal because the old version is still there.
Removing it will make it possible to install the new version (maybe there is a nicer way of doing this, let me know if so):
rpm --erase xorg-x11-server-Xorg

This asked me if it is OK to remove some other packages as well (total of 32). Confirm.

Lets retry installing it
rpm --install xorg-x11-server-Xorg-*

This time I get a warning about some unsolved dependencies.
Go download the packages for the same Fedora version that are mentioned by the output.
Now lets install them:
rpm --install xorg-x11-server-Xorg-1.3.0.0-9.fc7.x86_64.rpm xorg-x11-drv-evdev-1.1.2-3.fc7.x86_64.rpm xorg-x11-drv-keyboard-1.1.0-3.fc7.x86_64.rpm xorg-x11-drv-mouse-1.2.1-2.fc7.x86_64.rpm xorg-x11-drv-vesa-1.3.0-6.fc7.x86_64.rpm xorg-x11-drv-void-1.1.0-4.fc7.x86_64.rpm libdrm-2.3.0-5.fc7.x86_64.rpm

At last we have to install the new intel driver (xorg-x11-drv-i810 package). Be sure the version is 2.0.0 or above.
rpm --install xorg-x11-drv-i810-2.0.0-4.fc7.x86_64.rpm

(Be sure you have printed this out or have it on another screen.) Now press CTRL-ALT-BACKSPACE. Xorg will not be able to start anymore. Press CTRL-ALT-F1.
Log in as the root user.

Let Xorg generate the basic config file:
X -configure

Only one thing to do :D: Copying the config to the correct place.
cp /root/xorg.conf.new /etc/X11/xorg.conf


Testing
Go to runlevel 2 and back to runlevel 5 (or restart by typing shutdown -r now or by CTRL-ALT-DELETE)
init 2; init 5

If this gives problems, type them separately.


I noticed after the next login (and also when removing the xorg server) that KDE was not installed anymore on the system.
Just reinstall it:
yum install kdebase


Have fun!

Monday 3 December 2007

Getting Compiz Fusion to work on Dell Latitude D630 with AIGLX (965GM; X3100)

Preparing the system

Preparing Xorg:

The important parts are in bold.
The bold parts that begin with a # are options you can experiment with... but this was the way I got my Compiz Fusion working.
PS: be sure you have a backup.


Section "Files"
EndSection

Section "InputDevice"
    Identifier  "Generic Keyboard"
    Driver      "kbd"
    Option      "CoreKeyboard"
    Option      "XkbRules"    "xorg"
    Option      "XkbModel"    "pc105"
    Option      "XkbLayout"   "gb,us,be"
    Option      "XkbOptions"  "grp:alt_shift_toggle"
EndSection

Section "InputDevice"
    Identifier  "Configured Mouse"
    Driver      "mouse"
    Option      "CorePointer"
    Option      "Device"          "/dev/input/mice"
    Option      "Protocol"        "auto"
    Option      "ZAxisMapping"    "4 5 6 7"
    Option      "Emulate3Buttons" "true"
EndSection

Section "InputDevice"
    Identifier  "Synaptics Touchpad"
    Driver      "synaptics"
    Option      "SendCoreEvents"   "true"
    Option      "Device"           "/dev/psaux"
    Option      "Protocol"         "auto-dev"
    Option      "HorizScrollDelta" "0"
EndSection

Section "Device"
    Identifier  "Generic Video Card"
    Driver      "intel"
    # Option    "AllowGLXWithComposite" "true"
    Option      "XAANoOffscreenPixmaps" "true"
    # Option    "AccelMethod" "exa"
EndSection

Section "Monitor"
    Identifier  "Generic Monitor"
    Option      "DPMS"
    HorizSync   30-70
    VertRefresh 50-160
EndSection

Section "Screen"
    Identifier   "Default Screen"
    Device       "Generic Video Card"
    Monitor      "Generic Monitor"
    DefaultDepth 24
    # Option     "AddARGBGLXVisuals" "true"
    # Option     "DisableGLXRootClipping" "true"
EndSection

Section "ServerLayout"
    Identifier  "Default Layout"
    Screen      "Default Screen"
    InputDevice "Generic Keyboard"
    InputDevice "Configured Mouse"
    InputDevice "Synaptics Touchpad"
    Option      "aiglx" "true"
EndSection

Section "Module"
    Load "glx"
    Load "dbe"
    Load "dri"
    Load "freetype"
    Load "extmod"
EndSection

Section "Extensions"
    Option "Composite" "Enable"
EndSection

Section "DRI"
    Mode 0660
EndSection

After doing these changes you need to restart your Xorg.
This is accomplished with the key combination CTRL-ALT-BACKSPACE.


Preparing for Compiz Fusion installation:

First we need to add a repository to apt.
Change the line according to the release you have (browse to the directory for your release in your web browser and copy that location); mine was Lenny.
Add the following line to /etc/apt/sources.list:

deb http://download.tuxfamily.org/shames/debian-lenny/desktopfx/stable/ ./


And add the repository's signing key to prevent an apt warning:
wget http://download.tuxfamily.org/shames/A42A6CF5.gpg -O- | apt-key add -

And finally update the package database:
apt-get update


Installing and test-run:

Lets now install Compiz Fusion :D :
apt-get install compiz-fusion-kde

And Emerald which has some nice themes:
apt-get install emerald


To run it, in a terminal you type:
emerald --replace

If you lose the window decorations, put focus on your shell and type
kwin --replace
or just
kwin


Starting Compiz Fusion automatically at logon:

Create the following file with your favorite file editor (mine is VIM):
vi ~/.kde/Autostart/compiz.desktop

In this file you put this:

[Desktop Entry]
Encoding=UTF-8
Exec=compiz --replace & emerald &
GenericName[en_US]=
StartupNotify=false
Terminal=false
TerminalOptions=
Type=Application
X-KDE-autostart-after=kdesktop


THAT'S IT :D

In the beginning I had some problems with shadows, which were shown as white borders around menus.
If I recall correctly, I turned off the menu shadows in the KDE Control Center.


Powered by ScribeFire.

Wednesday 14 November 2007

Using encryption on your home folder (Debian; also usable for other distros)

Introduction

Imagine someone boots your laptop from a bootable CD and just copies all your data.
The attacker can see all the data in your home folder (the most critical data for most users).

So what I wanted was:
- NO extra partitions (most people have all HDD space partitioned; backup of the encrypted image file is easy)
- NO compiling (I want to be able to quickly setup a system for rescue)

Now I read some stuff and cryptsetup seemed the best solution for this.
Everything is in the Debian package manager and setup is really easy ... so let's go!

Setup

First install cryptsetup:
apt-get install cryptsetup

In this example we use AES encryption.
You can see the supported encryption types:
cat /proc/crypto

If you don't see AES, then (in Debian) you have to load the module (in other distributions you may have to recompile your kernel):
modprobe aes

Now let's create the image file that will hold the filesystem.
This creates the image file /home/username.crypto.img (mapped later as "cryptedhome") with a blocksize of 1024 bytes and 20000000 blocks (20GB). Filling it from /dev/urandom means unused space cannot be told apart from encrypted data.
dd if=/dev/urandom of=/home/username.crypto.img bs=1024 count=20000000

Now we need to attach the image to a loopback device. This makes Linux see the image file as if it were a block device (/dev/sda, /dev/hda, ...). /dev/loop0 must be free; losetup -f prints the first free loop device if it is not:
losetup /dev/loop0 /home/username.crypto.img


The following sets up encryption for this loopback device, so everything written through the mapping will be encrypted.
-c defines the encryption algorithm (cipher and mode) to use.
-s defines the key size in bits.
--verify-passphrase makes the program ask for your passphrase twice before accepting it.
luksFormat tells cryptsetup what to do (others are: luksAddKey, luksDelKey, luksOpen, luksClose). luksFormat writes a new LUKS header and destroys whatever was on the device, so double-check the device name. The passphrase is the only thing protecting the key, so choose a long one:
cryptsetup -c aes-cbc-essiv:sha256 -s 256 --verify-passphrase luksFormat /dev/loop0


The next step is opening the LUKS device, which creates a device-mapper node through which the decrypted data is accessible.
After that we create a filesystem on it and close it again. Note that luksClose takes only the mapping name, not the loop device; afterwards the loop device can be detached with losetup -d /dev/loop0:
cryptsetup luksOpen /dev/loop0 cryptedhome

mkfs.ext3 /dev/mapper/cryptedhome

cryptsetup luksClose cryptedhome



Usage
Every time you want to use the encrypted image, you need to attach the loop device, open the LUKS mapping and mount it:
losetup /dev/loop0 /home/username.crypto.img
cryptsetup luksOpen /dev/loop0 cryptedhome
mount /dev/mapper/cryptedhome /home/username/

After use, unmount it and then close the mapping (in that order); finally detach the loop device with losetup -d:
umount /home/username/
cryptsetup luksClose cryptedhome

While it is mounted, the data is readable by anyone with access to the running system; this protects a laptop that is powered off or lost, not against malware while you are logged in. Keep in mind that swap and /tmp are still unencrypted.
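The whole procedure as one script, added here as an example and not the post's own code. It does the same steps as above (random fill, losetup, luksFormat, luksOpen, mkfs.ext3, mount, and the reverse on close) with the ordering and cleanup that are easy to get wrong by hand: unmount before luksClose, detach the loop device at the end, undo a half-finished create. The image path, mapping name and mount point follow the post's naming; the size helper uses binary units (20G = 20 GiB, slightly more than the post's 20000000 blocks):

```shell
#!/bin/sh
# crypthome.sh: create, open and close a LUKS-encrypted image file for a home directory.
# Added example for this post, not the original author's script. Assumed layout (as in
# the post): image /home/<user>.crypto.img, mapping crypted-<user>, mounted on /home/<user>.
# Needs root, cryptsetup and losetup from util-linux.
set -e

CIPHER="aes-cbc-essiv:sha256"   # cipher/mode as in the post
KEYBITS=256                     # key size in bits

usage() { echo "usage: $0 create|open|close <user> [size, e.g. 20G]" >&2; }

# Convert a size like 20G, 512M, 4096K or plain bytes into 1 KiB dd blocks.
size_to_blocks() {
    case $1 in
        *G) echo $(( ${1%G} * 1024 * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 )) ;;
        *K) echo "${1%K}" ;;
        *)  echo $(( $1 / 1024 )) ;;
    esac
}

image_of() { echo "/home/$1.crypto.img"; }
name_of()  { echo "crypted-$1"; }

# Attach the image to the first free loop device and print that device name.
attach() {
    dev=$(losetup -f)
    losetup "$dev" "$1"
    echo "$dev"
}

# Find the loop device behind an open mapping, so close can detach it afterwards.
loop_of() { cryptsetup status "$1" | awk '/device:/ {print $2}'; }

cmd_create() {
    user=$1; size=${2:-20G}
    img=$(image_of "$user"); name=$(name_of "$user")
    if [ -e "$img" ]; then echo "$img already exists, refusing to overwrite" >&2; return 1; fi
    # Random fill first: used and unused space are then indistinguishable.
    dd if=/dev/urandom of="$img" bs=1024 count="$(size_to_blocks "$size")"
    chmod 600 "$img"                      # only root reads the ciphertext file
    dev=$(attach "$img")
    # If luksFormat, luksOpen or mkfs fails, close and detach again instead of leaving junk.
    trap 'cryptsetup luksClose "$name" 2>/dev/null || true; losetup -d "$dev"' EXIT
    cryptsetup -c "$CIPHER" -s "$KEYBITS" --verify-passphrase luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext3 -q "/dev/mapper/$name"
    cryptsetup luksClose "$name"
    losetup -d "$dev"
    trap - EXIT
}

cmd_open() {
    user=$1
    img=$(image_of "$user"); name=$(name_of "$user")
    dev=$(attach "$img")
    cryptsetup luksOpen "$dev" "$name" || { losetup -d "$dev"; return 1; }
    # nosuid,nodev: nothing inside a user-controlled image should grant privileges.
    mount -o nosuid,nodev "/dev/mapper/$name" "/home/$user" \
        || { cryptsetup luksClose "$name"; losetup -d "$dev"; return 1; }
}

cmd_close() {
    user=$1; name=$(name_of "$user")
    dev=$(loop_of "$name")
    umount "/home/$user"                  # unmount first, then close, then detach
    cryptsetup luksClose "$name"
    if [ -n "$dev" ]; then losetup -d "$dev"; fi
}

case ${1:-} in
    create) cmd_create "$2" "$3" ;;
    open)   cmd_open "$2" ;;
    close)  cmd_close "$2" ;;
    "")     usage ;;
    *)      usage; exit 1 ;;
esac
```

Run it as root: `./crypthome.sh create username 20G` once, then `open`/`close` around each session. The mount options and the 600 mode on the image are additions over the post's manual steps; everything else is the same commands in a safe order.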


Adding/Removing Keys
LUKS has eight key slots, so several passphrases can unlock the same volume. Adding a key asks for an existing passphrase first and then for the new one:
cryptsetup luksAddKey --verify-passphrase /dev/loop0


Removing a key is done by slot number (cryptsetup luksDump /dev/loop0 shows which slots are in use); make sure you are not deleting the last remaining slot, or the data is gone for good:
cryptsetup luksDelKey /dev/loop0 1



Getting it all automatically done
The goal is that, for every user who has an encrypted image, the encrypted filesystem is mounted on their home directory at login and unmounted at logout.

Install pam_mount. This PAM module makes it possible to mount and unmount volumes during authentication; it can pass the login password on as the LUKS passphrase.
apt-get install libpam-mount




Thursday 1 November 2007

PokerTH 0.6 on Debian Lenny AMD64(testing; x86_64)

I downloaded the installer and tried to run it, but I got the following error:
cd ~/PokerTH-0.6-beta
./pokerth.sh
/home/gvm/PokerTH-0.6-beta/./pokerth: error while loading shared libraries: libmikmod.so.2: cannot open shared object file: No such file or directory

Because of my problem with skype I thought that this is maybe the same problem.
So I copied the script and only changed the first line from:
lib=`skype 2>&1 | awk '{print $7}' | cut -d':' -f1`
to
lib=`./pokerth.sh 2>&1 | awk '{print $7}' | cut -d':' -f1`

For the full script: see my post about Skype

Skype on Debian Lenny AMD64 (testing; x86_64)

First I tried to install it through the package manager:
apt-cache search skype

This didn't give any result.

So I went to the Skype website and looked for a Debian package.
I found one, but it was for the i386 architecture, so installing it on amd64 fails.
Still we can force dpkg to install it (apt-get cannot install a local .deb file):
dpkg -i --force-architecture skype-debian_1.4.0.118-1_i386.deb

Then I tried to run it but got an error saying that libsigc-2.0.so.0 is missing:
skype: error while loading shared libraries: libsigc-2.0.so.0: cannot open shared object file: No such file or directory

So I thought I had an unmet dependency; let's install the libsigc package:
sudo apt-get install libsigc++-2.0-0c2a

Now I have the library but still the same error message, so it seems that there is another problem.
After some googling I had an explanation why installing the libsigc package did not solve it: Skype is an i386 binary and needs the 32-bit library (in /usr/lib32), not the 64-bit one.

Eventually I found a small script that solves this. The version below has the errors in the original fixed (the echo and the pkg= assignment were run together on one line, ar was given the directory instead of the .deb file, and the symlink target was read from the wrong ls column) and is otherwise the same:


#!/bin/bash
# For the library skype complains about, find the package that ships it, download
# the i386 build of that package from a Debian mirror and copy the 32-bit library
# (and, if it is a symlink, its target) into /usr/lib32.
set -e
mkdir -p deb
lib=$(skype 2>&1 | awk '{print $7}' | cut -d':' -f1)
echo "lib: $lib"
pkg=$(dpkg -S "$lib" | awk '{print $1}' | cut -d':' -f1 | sort -u)
url=$(wget -qO- "http://packages.debian.org/lenny/$pkg/i386/download" | awk '/ftp\.br\.debian\.org/' | cut -d'"' -f2)
file=$(basename "$url")
if [ ! -f "deb/$file" ]; then
    wget -q "$url"
    mv "$file" deb
fi
ar -x "deb/$file"                       # unpacks data.tar.gz into the current directory
libfile=$(tar ztf data.tar.gz | grep "${lib}\$")
tar zxf data.tar.gz "$libfile"
sudo cp -d "$libfile" /usr/lib32/
if [ -L "$libfile" ]; then              # lib.so.N is usually a symlink to lib.so.N.x.y
    lnlib=$(readlink "$libfile")
    libfile2=$(tar ztf data.tar.gz | grep "${lnlib}\$")
    tar zxf data.tar.gz "$libfile2"
    sudo cp -d "$libfile2" /usr/lib32/
fi

Source: http://www.debian-administration.org/users/figjam/weblog/1
Note that there is an error in the original script.

Be aware of what this does: it pulls a package from a mirror over plain HTTP without checking any signature or checksum, and copies libraries into /usr/lib32 behind dpkg's back, where no security update will ever touch them. That is fine on a throwaway desktop, not on a machine you care about.



Now after putting this into a file and making it executable:
chmod +x script

Lets run it:
./script
./script
lib: libQtGui.so.4

Each time you run it, another library dependency gets solved (the name after "lib:" changes).
You have to RUN IT MULTIPLE TIMES (this is in CAPITALS for copy-paste people who don't read).

When Skype starts, all libraries are available. From now on you can use "skype" on the command line or launch it from your favorite desktop environment.

Have fun!


Wednesday 31 October 2007

Using proxy with Debian for apt-get(or Ubuntu) and other apps

If you are in a corporate environment you probably need to pass through a proxy to get on the internet.

The same for getting your debian/ubuntu packages.
You can easily configure this.

There are two possibilities:
  1. Define the http_proxy variable for HTTP:
    export http_proxy="http://user:password@proxy-dns-name-or-ip:portnumber"
    If you put this in a script, source it instead of executing it; otherwise the variable is set only in the child shell and vanishes when the script ends:
    . ./proxy-script
    For FTP it is slightly different (the value still starts with http://, because FTP is tunnelled through the HTTP proxy):
    export ftp_proxy="http://user:password@proxy-dns-name-or-ip:portnumber"
    For RSYNC (NOTICE that there is NO http:// at the start of the value):
    export rsync_proxy="user:password@proxy-dns-name-or-ip:portnumber"
  2. Adding this to /etc/apt/apt.conf (only makes apt-get use the proxy; mind the trailing semicolon):
    Acquire::http::Proxy "http://user:password@proxy-dns-name-or-ip:portnumber";
Either way the password is stored in plain text: in your shell history and environment for the first option, in apt.conf for the second. Keep the script and apt.conf readable only by you or root (chmod 600), and percent-encode characters such as @ or : if they occur in the password, otherwise the URL is parsed wrongly.
This works for a lot of shell tools (ftp, wget, ...) but some programs have their own proxy settings:
  1. Firefox: "Edit", "Preferences", "Advanced", "Network", "Settings" and then select "Auto-detect proxy settings for this network"
  2. In KDE you can also change the proxy using the Control Center. Just search on proxy and you will find it
  3. (to be continued)
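A sourceable script that puts the shell side of this together, added as an example and not part of the original post. It assumes a credentials file (the ~/.proxy-credentials name is made up for this example) holding user, password, host and port on one line, refuses to use it when it is world-readable, percent-encodes the user name and password so that characters like @ do not break the URL, and prints the apt.conf line in the form apt expects:

```shell
#!/bin/sh
# proxy.sh: set the proxy variables from a protected credentials file.
# Added example for this post, not the author's script. Assumed (hypothetical) file
# ~/.proxy-credentials, mode 600, containing one line:  user password host port
# Usage:  . ./proxy.sh && load_proxy        (source it; a child shell cannot export to you)
#         apt_proxy_conf "$http_proxy" > /etc/apt/apt.conf.d/01proxy   (as root, then chmod 600)

# Percent-encode a string byte by byte; RFC 3986 unreserved characters pass through.
# Without this a password containing '@', ':', '/', '%' or a space corrupts the proxy URL.
urlencode() (
    LC_ALL=C                       # iterate over bytes, not multibyte characters
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}            # first byte of what is left
        s=${s#?}
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
)

# Build http://user:pass@host:port with user and password encoded.
proxy_url() {
    printf 'http://%s:%s@%s:%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# The apt.conf form; apt needs the trailing semicolon.
apt_proxy_conf() {
    printf 'Acquire::http::Proxy "%s";\n' "$1"
}

# Read the credentials file and export the variables described in the post.
load_proxy() {
    f=${PROXY_CREDS:-$HOME/.proxy-credentials}
    [ -r "$f" ] || { echo "no readable credentials file $f" >&2; return 1; }
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f is world-readable; chmod 600 it first" >&2; return 1
    fi
    read -r u p h port < "$f" || true
    [ -n "$port" ] || { echo "$f must contain: user password host port" >&2; return 1; }
    http_proxy=$(proxy_url "$u" "$p" "$h" "$port")
    export http_proxy
    export ftp_proxy="$http_proxy"                        # FTP is tunnelled through the HTTP proxy
    export rsync_proxy="$(urlencode "$u"):$(urlencode "$p")@$h:$port"   # rsync: no http://
    export no_proxy="localhost,127.0.0.1"                 # never send loopback through the proxy
}
```

The credentials still end up in the environment of your shell and its children, which is the same exposure as the post's plain export; what this buys you is that the password is not typed on a command line, does not sit in your history, and is never in a world-readable file.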

Hope this is helpful.

Using Debian Lenny (testing)

I needed Debian Lenny (testing) to get my graphics working.

This is how you do it:
  1. edit /etc/apt/sources.list and replace "etch" with "lenny"
  2. update the apt cache
    apt-get update
  3. Now you can upgrade your packages:
    apt-get upgrade
  4. And finally:
    apt-get dist-upgrade


Ain't that easy?

HDA Intel Audio on Dell Latitude D630 (tested on Debian)

First let us look what hardware my audio card is:
lspci | grep -i audio
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 02)

More detailed:
lspci -vv | grep -i audio
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller
(rev 02)
Subsystem: Dell Unknown device 01f9
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Step
ping- SERR+ FastB2B-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR-
Latency: 0, Cache Line Size: 64 bytes
Interrupt: pin A routed to IRQ 21
Region 0: Memory at fe9fc000 (64-bit, non-prefetchable) [size=16K]
Capabilities: [50] Power Management version 2
Flags: PMEClk- DSI- D1- D2- AuxCurrent=55mA PME(D0+,D1-,D2-,D3ho
t+,D3cold+)
Status: D0 PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [60] Message Signalled Interrupts: Mask- 64bit+ Queue=0/0
Enable-
Address: 0000000000000000 Data: 0000
Capabilities: [70] Express Unknown type IRQ 0
Device: Supported: MaxPayload 128 bytes, PhantFunc 0, ExtTag-
Device: Latency L0s unlimited, L1 unlimited
Device: Errors: Correctable- Non-Fatal- Fatal- Unsupported-
Device: RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop+
Device: MaxPayload 128 bytes, MaxReadReq 128 bytes
Link: Supported Speed unknown, Width x0, ASPM unknown, Port 0
Link: Latency L0s <64ns, L1 <1us
Link: ASPM Disabled CommClk- ExtSynch-
Link: Speed unknown, Width x0
Capabilities: [100] Virtual Channel
Capabilities: [130] Unknown (5)

OK, it seems that I need the hda-intel module.
But the necessary modules are already loaded, so the problem is the driver version in the stock kernel rather than a missing module.

This is what you have to do to fix this:
Download this source tarball:
wget ftp://ftp.alsa-project.org/pub/driver/alsa-driver-1.0.15rc3.tar.bz2
tar jxvf alsa-driver-1.0.15rc3.tar.bz2
cd alsa-driver-1.0.15rc3
./configure
make
make install # as root


Source: http://forum.ubuntu-nl.org/topic/14940/1

To configure alsa for your audio card use alsaconf:
apt-get install alsa-utils
alsaconf

Select the appropriate card (hda-intel)
Be sure your audio channels aren't muted
alsamixer

See for the "front" channel, it should have "00" at the bottom.
If there is "MM" instead of "00" under the channel it is muted; use the "m" on your keyboard to unmute.

That's it!

HINT: if you have problems getting your audio to work, it is always a good idea to switch apt-get to testing (the lenny branch) and update your system (or only the ALSA-related packages).


Installing Debian 4.0r (amd64) on KVM (KQEMU)

First you create a image to install debian on:
qemu-img create -f qcow debian.img 5G

The -f option tells qemu-img the format of the image.
vmdk is for VMware-compatible images.
raw creates the image and allocates the whole size immediately.

The qcow advantages:
  1. qcow only allocates the space that is actually used. So if you create an image of 5GB (like above) and install a 200MB distro on it, the file will only be about 200MB
  2. Snapshot support, where the image only represents changes made to an underlying disk image
  3. Optional zlib based compression
  4. Optional AES encryption
Source: http://www.gnome.org/~markmc/qcow-image-format.html

So I use qcow.
If you want to see image information use:
qemu-img info debian.img

Now we can start the virtual machine:
/usr/bin/qemu-system-x86_64 -hda cluster-node.img -cdrom /dev/cdrom -m 348 -localtime -boot d -net nic,vlan=0 -net tap,vlan=0,ifname=tap0,macaddr=00:18:8B:D9:41:2F,script=/mnt/vm/qemu-ifup

Note the "-boot d", which selects booting from the CD-ROM drive defined by "-cdrom /dev/cdrom".
The -net part has to do with network bridging and depends on what networking you want for your VM.

I can boot into the net-install disk just fine.
But after selecting my language and keyboard layout QEMU crashes with an "unknown return code" :(.
This is probably a bug, so let's try to install with the kqemu accelerator disabled (-no-kqemu) and see after installation if all goes fine:
/usr/bin/qemu-system-x86_64 -hda cluster-node.img -cdrom /dev/cdrom -m 348 -localtime -boot d -net nic,vlan=0 -net tap,vlan=0,ifname=tap0,macaddr=00:18:8B:D9:41:2F,script=/mnt/vm/qemu-ifup -no-kqemu

Now the installation goes fine... UNTIL installing GRUB (the bootloader).
grub-install just hangs there (retried it and let it wait for like half an hour).
Eventually I killed the processes and tried it manually:
grub-install /dev/hda

This gives following error:
/dev/sda does not have any corresponding BIOS drive

So first I tried this to rebuild the devices.map file:
grub-install --recheck /dev/hda

Didn't help, let's try it the ultra-manual way :p (the way I love it the most). Run grub and then:
install (hd0,0)/grub/stage1 (hd0) (hd0,0)/grub/stage2 p (hd0,0)/grub/menu.lst

Same problem :(

Now I looked at the mounts, and /boot was not the boot partition of the hard drive.
So I mounted the /boot partition of the hard disk on /boot before running grub-install:
NOTE: Boot with a Linux rescue CD and mount the hard drive... the install environment is clumsy because it is so limited.
mkdir /mnt/tmpboot
mount /dev/hda1 /mnt/tmpboot
mount -o bind /mnt/tmpboot /boot
grub-install /dev/hda

This went smoothly.


After installation I started the VM (same command as above but without "-boot d") and that went fine.
But when I removed -no-kqemu it crashed again.


TODO:
  1. Try with kqemu on my arch-linux system (maybe the bug does not exist there)
  2. If the first does not solve it, try another boot cd
  3. Try with i386 boot cd instead of amd64

Monday 29 October 2007

KVM, KQEMU on Debian (Lenny)

On my arch linux I had a virtual machine for using Windows (I use Windows at work).
So I wanted this also on Debian.

I have to say it took me some time to get it done. But in the end it seemed a ./configure misconfigure.

NOTICE that your hardware should support the hardware virtualization extensions: Intel calls them VT-x (Vanderpool; CPU flag vmx), AMD calls them AMD-V (CPU flag svm).
Check this by doing:
grep -E 'vmx|svm' /proc/cpuinfo

And also be sure that it is enabled in your BIOS! If the flag is missing although the CPU should have it, the BIOS switch is usually the reason.
DO CORRECT all values below (kernel version etc.) according to your system.


We need kvm and kqemu (kvm enables the virtualization extensions of your hardware).

First we need the kernel sources:
- search the correct package name with:
apt-cache search linux-source
Then, in the results I see the exact package name. Install:
apt-get install linux-source-2.6.22
We also need the sources for kqemu:
apt-cache search kqemu
Install:
apt-get install kqemu-common kqemu-source kvm
Despite what is on the qemu website, I've found that the kqemu accelerator does not compile if you have not at least compiled a kernel in the kernel source directory.
==> http://blog.unixlore.net/2006/03/using-qemu-and-kqemu-under-debian-or.html

Compiling it is enough, you don't need to install it. The linux-source package puts a tarball in /usr/src; unpack it, copy the config of the running kernel and build:
cd /usr/src
tar xjf linux-source-2.6.22.tar.bz2
cp /boot/config-$(uname -r) /usr/src/linux-source-2.6.22/.config
cd /usr/src/linux-source-2.6.22 && make oldconfig && make bzImage

Now we can configure, compile and install kqemu. The kqemu-source package also drops a tarball in /usr/src; unpack it and build from the resulting directory. Point --kernel-path at the unpacked source tree, not at the "linux" symlink, because that points to the kernel headers:
NOTE: In later versions --kernel-path is changed to --kernel-dir
cd /usr/src && tar xzf kqemu.tar.gz && cd modules/kqemu
./configure --kernel-path=/usr/src/linux-source-2.6.22

If you don't specify the kernel path you will get this while compiling (make):
ld -r -o ../kqemu-mod-x86_64.o kernel.o x86_64/kernel_asm.o
make[1]: Leaving directory `/usr/src/modules/kqemu/common'
make -C /lib/modules/2.6.22-2-amd64/build M=`pwd` modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.22-2-amd64'
Makefile:275: /usr/src/linux-headers-2.6.22-2-amd64/scripts/Kbuild.include: No such file or directory
make[1]: *** No rule to make target `/usr/src/linux-headers-2.6.22-2-amd64/scripts/Kbuild.include'. Stop.
make[1]: Leaving directory `/usr/src/linux-headers-2.6.22-2-amd64'
make: *** [kqemu.ko] Error 2
If that happened, clean up and start again the correct way:
make clean
Compile and install:
make
make install # as root user

Now you should be able to load the module:
modprobe kqemu
Also load kvm for your CPU:
modprobe kvm-intel # for Intel CPUs
modprobe kvm-amd # for AMD CPUs
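A small check script for the two points above (the vmx/svm flag and which kvm module goes with it), added here as an example and not part of the original post. It also looks at /dev/kvm, which the post does not mention: qemu should run as an ordinary user that is allowed to open /dev/kvm (via the group owning the device node), not as root. The sample cpuinfo lines used to exercise the flag check are constructed:

```shell
#!/bin/sh
# virt-check.sh: can this host use KVM, and can the current user use it?
# Added example for this post, not the author's code.
set -e

# Print "vmx" (Intel VT-x), "svm" (AMD-V) or "none" for the cpuinfo file given as $1
# (normally /proc/cpuinfo; a file argument keeps the function testable offline).
virt_flag_from_cpuinfo() {
    if   grep -qw vmx "$1"; then echo vmx
    elif grep -qw svm "$1"; then echo svm
    else echo none
    fi
}

# Map the CPU flag to the kernel module that goes with it ("" when there is none).
kvm_module_for_flag() {
    case $1 in
        vmx) echo kvm-intel ;;
        svm) echo kvm-amd ;;
        *)   echo "" ;;
    esac
}

check_host() {
    flag=$(virt_flag_from_cpuinfo /proc/cpuinfo)
    mod=$(kvm_module_for_flag "$flag")
    if [ -z "$mod" ]; then
        echo "no vmx/svm flag: the CPU lacks VT-x/AMD-V, or the BIOS hides it" >&2
        return 1
    fi
    echo "CPU flag $flag -> module $mod"
    # modprobe pulls in the generic kvm module as a dependency.
    if ! modprobe "$mod"; then
        echo "loading $mod failed; with the BIOS switch off, dmesg shows 'kvm: disabled by bios'" >&2
        return 1
    fi
    [ -c /dev/kvm ] || { echo "/dev/kvm missing after loading $mod" >&2; return 1; }
    # Least privilege: give your user access to /dev/kvm instead of running qemu as root.
    ls -l /dev/kvm
    if [ -w /dev/kvm ]; then
        echo "$(id -un) can use /dev/kvm"
    else
        echo "$(id -un) cannot open /dev/kvm for writing: add the user to the group owning it" >&2
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run `./virt-check.sh --check` as root once (modprobe needs it), then again as the user that will start qemu to see whether the /dev/kvm permissions allow it.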
You will need this:
apt-get install libsdl1.2-dev
Do this for auto loading the necessary modules:

cat >> /etc/modules
kqemu
tun
^D

NOTE ^D is CTRL-D

Let's create our virtual disk (a dedicated disk provides far better performance; also be sure you have a lot of memory):
qemu-img create disk.img 10G


Start the virtual machine (add -boot d the first time so it boots from the CD image, as in the Debian install post):
qemu-system-x86_64 -m 384 disk.img -cdrom cdimg.img -localtime


-m tells qemu how much memory should be reserved for the VM.
-cdrom determines what your cdrom drive is in the virtual machine.
You could also use /dev/cdrom here but sometimes this gives some problems.
-localtime gives the time on your hostmachine as the time for your VM.


I will later talk about howto setup networking for your virtual machine.

Tuesday 16 October 2007

How to install Intel GM965 Graphics (X3100 chip; intel video driver) on Ubuntu

Unfortunately the Ubuntu install CD does not support the 965 chipset graphics yet, so the graphical install will not work.

This is how to install Ubuntu anyway, and afterwards install the graphics driver.

  1. Download the Alternate Installation ISO and install it

  2. Then download and install these packages:

    • gcc-4.2-base_4.2.1-5ubuntu4_amd64.deb
    • libc6_2.6.1-1ubuntu9_amd64.deb
    • libgcc1_4.2.1-5ubuntu4_amd64.deb
    • tzdata_2007f-3ubuntu1_all.deb
    • xserver-xorg-core_1.3.0.0.dfsg-12ubuntu8_amd64.deb
    • xserver-xorg-video-intel_2.1.1-0ubuntu6_amd64.deb
    If you have downloaded them, go to the directory where you put them.
    Now install all of them by doing this in a terminal (console; tty):
    sudo dpkg -i libgcc1_4.2.1-5ubuntu4_amd64.deb gcc-4.2-base_4.2.1-5ubuntu4_amd64.deb libc6_2.6.1-1ubuntu9_amd64.deb
    sudo dpkg -i tzdata_2007f-3ubuntu1_all.deb xserver-xorg-core_1.3.0.0.dfsg-12ubuntu8_amd64.deb
    sudo dpkg -r --force-depends xserver-xorg-video-i810
    sudo dpkg -i xserver-xorg-video-intel_2.1.1-0ubuntu6_amd64.deb
    The dpkg -r --force-depends removes the i810 driver even though the intel driver is not installed yet. You should have either i810 or intel, not both; that is why I first force the removal and then install the intel driver.
    (Mind that for package removal there is no version number or architecture, only the name.)


  3. You can test if it works by doing:
    sudo X -configure
    and then
    sudo X -config /root/xorg.conf.new
    Now if you get a grey background with a pointer then it is working :D
    Now end X with
    CTRL-ALT-BACKSPACE
    and copy the config:
    sudo cp /root/xorg.conf.new /etc/X11/xorg.conf
    Does Linux rock? HELL YEAH :D

    Probably you still have to install your window manager and login manager (kde+kdm / gnome+gdm / ... + xdm).

Gentoo vs Sabayon

I have been a Gentoo user for a while but lately gave it up and tried ArchLinux.
The reason was that packages sometimes break and all the compiling and the lengthy install process.
What I really, really like about Gentoo is the package management. For each package you can choose whether you want the stable (extensively tested) or the unstable (~x86; don't take "unstable" too literally) version.
Further, it is possible for each package to determine which specific version you want. Or if a version does not work, you can just mask it and it will go back to the old version.
If there is a newer version (than the masked one) it will be installed.

Now, Sabayon Linux is based on Gentoo.
But it uses an overlay (a package repository that the Sabayon team has made available).
It also has a very easy and fast installation. It lets you choose between a desktop (KDE, Gnome, Fluxbox) install and, for example, a server (core) install.
Sabayon has announced Entropy, a package manager that uses precompiled packages. Yes, this has some disadvantages in terms of optimizing all packages for your architecture, but it saves you loads of time and it will still be possible to compile packages yourself.

So be ready for some posts about Sabayon Linux

My test system

My test system is a Dell Latitude D630.
As the hardware is quite new there are some problems getting everything to work.
But this makes it even more interesting.

Here is the hardware present shown by the lspci output:

00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c)
00:02.0 VGA compatible controller: Intel Corporation Mobile GM965/GL960 Integrated Graphics Controller (rev 0c)
00:02.1 Display controller: Intel Corporation Mobile GM965/GL960 Integrated Graphics Controller (rev 0c)
00:1a.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #4 (rev 02)
00:1a.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #5 (rev 02)
00:1a.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #2 (rev 02)
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 1 (rev 02)
00:1c.1 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 2 (rev 02)
00:1c.5 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 6 (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #3 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #1 (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev f2)
00:1f.0 ISA bridge: Intel Corporation 82801HEM (ICH8M) LPC Interface Controller (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) IDE Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) SATA IDE Controller (rev 02)
00:1f.3 SMBus: Intel Corporation 82801H (ICH8 Family) SMBus Controller (rev 02)
03:01.0 CardBus bridge: O2 Micro, Inc. Cardbus bridge (rev 21)
03:01.4 FireWire (IEEE 1394): O2 Micro, Inc. Firewire (IEEE 1394) (rev 02)
09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5755M Gigabit Ethernet PCI Express (rev 02)
0c:00.0 Network controller: Intel Corporation PRO/Wireless 3945ABG Network Connection (rev 02)

If someone wants the lspci -vv output you can ask me.

Introduction

Hi all,

I am a Linux/BSD enthusiast. Some of the distros I have used are Ubuntu, Fedora, Gentoo, FreeBSD, ...
I would like to do my part to make the world a better place, but murder is illegal. :)
So instead I will document my experiments here so it can be of use for other people.

But there is more in life than Linux/BSD (is there actually? :p )
So once in a while you will find some thoughts coming straight from my disturbed mind. ;)

I hope I, and you will enjoy this blog and/or find it useful.

Comments are always greatly appreciated!