RPS » Researching

VPN for OSX client via SSH and the tun device driver

rshah21 — Tue, 12 May 2009 22:18:05 +0000

For a long time, I have used SSH port forwarding to access a lot of my home files and services, but I’ve found myself hitting the limits of usefulness. So I decided to try and create a VPN. This isn’t a true VPN – it’s NAT over SSH with tun. Good enough for me.

Much of the heavy lifting for this post was done by daleroberts at his wiki site. My only real contribution here is around the last steps of getting the routing working.

So, here’s what you’ll need:

Two macs – one is the remote “client” and one is the home “server”. Both should be running OS X 10.4.10+ client. If you have OS X Server, I’d suggest looking around for OpenVPN.
Both machines connected to the network. You’ll probably want to use a service like DynDNS so you can access the server machine via a hostname, especially if your ISP uses dynamic IP addresses
Your should know how to SSH to your home server
Your should know how to enable and use the root account on both your remote machine and home server
You should know how to handle yourself on the command line via Terminal.

Conventions used

The remote “client” (aka. the client) is the machine you are VPN-ing from. It is off the target network (aka. the home network). This is the machine you’re sitting at saying “I wish I had access to this file on my home network”
The home “server” (aka. the server) is the machine you are VPN-ing to. It serves as the gateway to all the other machines on your home network.
For the purposes of this example, the “home network” has an IP of ranges 192.168.0.1 to 192.168.0.255 – which will be notated as 192.168.0.0/24
I have used en0 as the interface on both the client and server machines – this is the Ethernet inteface. If either your client or server are connected via another mechanism (e.g. Airport), then you will need to use the appropriate interface at the appropriate time. This is only applicable to the client and server – if machines on your home network are connected wirelessly, etc. it should not be an issue.

Getting the Tun drivers setup

Even though OS X has a tun manpage, it appears to not actually have tun installed. The easiest way to get the tun/tap drivers is to download tunnelblick. You will need it both on the client and server machines. Once you have it, mount the disk image, and copy the application somewhere (for illustrative purposes, I put it on my Desktop).

At the command line, execute the following (assuming you are in your home dir):

sudo cp -rp Desktop/Tunnelblick.app/Contents/Resources/*kext /System/Library/Extensions/

cd /System/Library/Extensions

sudo chown -R root:wheel tun.kext

sudo chmod -R go-w tun.kext

sudo chown -R root:wheel tap.kext

sudo chmod -R go-w tap.kext

sudo kextload /System/Library/Extensions/tun.kext

Repeat the above on the server

The first SSH connection

Edit /private/etc/sshd_config on the server as root to permit tunnelling. Make sure the following lines are uncommented (in a default OS X install, they should be there, but will be commented out with a ‘#’ sign – you just need to delete the ‘#’)

PermitRootLogin yes
PermitTunnel yes

Then, from the client, execute:

sudo ssh -w 0:0 root@home while true \; do echo . \&\& sleep 60 \; done

Replace “home” with the internet available hostname of the server. The output should be a “period”, with a new “period” every 60 seconds.
If this worked correctly, you should be able to open a new command prompt on the client and execute the following:

ifconfig tun0

which should return

tun0: flags=8851 mtu 1500
open (pid ABCDE)

where ABCDE isn’t really relevant. If you execute the same ‘ifconfig tun0′ on the server, you should see something similar.

Setting up the VPN

Execute the following on the client:

sudo ifconfig tun0 172.16.0.1 172.16.0.2

ssh root@home ifconfig tun0 172.16.0.2 172.16.0.1 \&\& sysctl -w net.inet.ip.forwarding=1

Again, replacing “home” with the internet available hostname of the server.
To test this, add the route on your client

sudo route add -net 172.16.0 -interface tun0

You should now be able to access your server from your client via the IP address 172.16.0.2. Congrats, you now have a basic VPN

NAT

So, what if you have more machines on your home network than just your server? You’ll need to set up NAT and some routing rules
First, a route to push traffic to 172.16.0.* via the tun0 interface:

sudo route add -net 172.16.0 -interface tun0

Second, a route to push traffic headed to the home network via the 172.16.0.2 gateway

sudo route add 192.168.0 172.16.0.2

Finally, you need to set up NAT on the server:

sudo /usr/sbin/natd -interface en0 -l -s -m

sudo ipfw add 00002 allow ip from any to any via tun0

sudo ipfw add 00003 divert 8668 ip from any to 192.168.0/24 via en0

sudo ipfw add 00004 allow ip from any to 172.16.0.1

You should now be able to access any of the machines on the home network by IP address!

Getting it running the next time

I have setup some aliases and scripts so I don’t have to remember the exact commands to execute. This is probably not the most efficient way to do this, but it’s better than nothing.

(Optional) If NAT is not running on the server, you will need to get it setup. I have dumped the server commands from above into a shell script and just ssh into the box, and execute the script
Execute the first ssh tunnel on the client: “sudo ssh -w 0:0 root@home while true \; do echo . \&\& sleep 60 \; done” Leave it running
Execute the second ssh tunnel on the client: “sudo ifconfig tun0 172.16.0.1 172.16.0.2; sudo ssh root@home ifconfig tun0 172.16.0.2 172.16.0.1 \&\& sysctl -w net.inet.ip.forwarding=1″ If successful, this will return the prompt to you
Setup the routes on the client: “sudo route add -net 172.16.0 -interface tun0; sudo route add 192.168.0 172.16.0.2″ The VPN is running

Remove the routes on the client: “sudo route delete 172.16.0; sudo route delete 192.168.0″
Kill the running ssh client with a Control-C

That’s it. I’m sure some people will comment on how this could be made better, but it’s meant to be quick and dirty but work.

Yes, you can move your own files onto the iPhone Kindle Reader

rshah21 — Wed, 04 Mar 2009 19:17:52 +0000

If you have a jailbroken iPhone, you can move files onto the iPhone for use in the Kindle reader. The reader stores data in /User/Applications/[App ID]/Documents/eBooks. You’ll need to figure out the correct App ID for the Kindle app on your phone (you can probably figure it out by looking at the date associated with the directory).

I have tested this with an unsecured .prc file (similar to what I have loaded onto my Kindle via USB) and the reader opens the document just fine. You may need to relaunch the application to get it to update the available books on the Home screen. Whispernet syncing will obviously not work.

Building your own Alltop or PopURLs*

rshah21 — Fri, 11 Apr 2008 13:21:09 +0000

For a while, I have been using PopURLs as a quick and dirty way of scanning interesting websites for what’s new. It is not a RSS reader substitute, but if I have a couple of minutes and just want to see something new, it’s a good spot to stop. A few weeks ago, with a few free cycles, I wondered just how difficult it would be to roll my own. Nothing as pretty, but something that would give me some exposure to what’s under the covers.>

A couple of days ago, buzz started to build around Alltop which was built by Guy Kawasaki’s Nononina, also behind the site Truemors. Alltop is a very pretty site with a wide variety of content, but it too is based on the same content (and looking at the page sources, potentially the same code base).

If you want to build your own, I offer you my findings, code and lessons learned

Technorati Tags: php, popurls, alltop

The source code:

As this is a quick and dirty implementation, I apologize if the code base contains some minor bad practices. In most cases, I’ve adhered to standards that should allow you to unzip and deploy, but if something doesn’t quite work, take a look at the code. It was intended to be deployed on the URL news.delic.com so take a look for any part of that string if paths don’t work.

Please leave all of the GPL, BSD, CC and other licenses in the code intact, if you publish this. Any changes I have made to the code are extensions of these licenses. You are free to reuse any code I have written, but if there’s a license embedded in there, you should leave it there.

News aggregation source code (zip format, 490Kb)

System components (aka. “the credits”) and requirements

If you are interested in rolling your own version of the aggregator, I have listed the components below, along with links to some of the relevant installation instructions and documentation

PHP:

PHP core components – minimum

PHP 4.3 or higher (including PHP 5)
PHP‘s XML extension (enabled by default)
PHP‘s PCRE extension (enabled by default)
Either PHPmultibyte string extension OR iconv extension. There is a bug in the current version of SimplePie one or the other.

PHP core components – recommended

Ability to change file/folder permissions (dependent on how much access your host provides)
Both PHP‘s multibyte string extension AND iconv extension.
PHP‘s cURL extension (disabled by default)
PHP‘s Zlib extension (disabled by default)

If you are hosted on Dreamhost and running PHP 5+, you will have all of the minimum and recommended components listed above available to you via the php5 default install.

SimplePie

The PHP installfor SimplePie. Installation instructions (if you are rolling your own from scratch) begin here
The SimplePie Newsblocks Demo Source. The documentation for the demo is also available

Javascript

The SimplePie Newsblocks Demo contains Prototype, Script.aculo.us, and Behaviour.js, along with SweetTitles. I have replaced SweetTitles with the jQuery based ClueTip (see below) due to some text flicker issues on Firefox.
Cluetip, which is ajQuery based tooltip replacement. The Cluetip download has all of the jQuery libraries needed (jquery 1.2.2 minimized, dimensions, hoverIntent and cluetip). Since both prototype and jQuery are being used, you will need to run jQuery in noConflict mode.

CSS/Theme

The theme used for the aggregator is based on the black style of the Simplr theme for WordPress, although the aggregator is not actually running WordPress. The CSS for the theme has been modified to work with the SimplePie scripts, and can be found here.

Tips and tricks

Setting up feeds in index.php is extremely easy. For most feeds, the following code will work flawlessly:

The SimplePie Documentation has all of the options one might need to increase the number of articles pulled from the feed, the cache periods, etc.
If you need to modify the output of the SimplePie parser (for example, to just pull the image out a feed), you need to work in the /php/includes/newsblocks.inc file. Included in the newsblocks demo file is a function called render_wide which will return any images in the thumbnail enclosure. If that does not work, you may need to familiarize yourself with the PHP function preg_match_all and PCRE.

To get Cluetip to work, there are two necessary steps:

run jQuery in noConflict mode. In the code below, the class “ctip” has been assigned to all links that have associated tips we want to show in Cluetip:
Modify newsblocks.inc so that the html output for each link for each item in the rss feed contains the “ctip” class as well as the “|” delimiters for the title and body of the tooltip. Look for the code:
$html .= ‘
get_permalink() . ‘” title=”‘ . newsblocks::cleanup ($item->get_description(), $length) . ‘”>’ . $item->get_title() . ‘

and change it to:

$html .= ‘

get_permalink() . ‘” title=”|’ . newsblocks::cleanup ($item->get_description(), $length) . ‘”>’ . $item->get_title() . ‘

* = Alltop and PopURLs are registered trademarks and/or servicemarks of Nononina and Thomas Marban respectively. This site is not affiliated with them in any way.