OpenVPN on Mac OS X

I have been using Tunnelblick to connect to the VPN I have configured on my Linksys WRT54GL router running DD-WRT. DD-WRT provides several different tutorials for configuring OpenVPN on your router. Tunnelblick works fairly well on my laptop running Mac OS X most of the time, but every now and then I have had issues connecting. Therefore, I decided to investigate alternatives.

I decided to try some variation of what was described in this post on Tony’s Cafe. The first step was to install the TunTap driver for Mac OS X. This provides the necessary network interfaces to connect to an OpenVPN. It appears that a reboot is no longer required. For command line simplicity and for scripting purposes, you can use the following to install the TunTap driver.

cd /tmp/
curl -O http://superb-east.dl.sourceforge.net/sourceforge/tuntaposx/tuntap_20080804.tar.gz
tar xzvf tuntap_20080804.tar.gz
installer -verbose -pkg tuntap_20080804.pkg -target /
rm -Rf tuntap*

The post on Tony’s Cafe then shows the steps necessary to build OpenVPN from source. You are welcome to do this and you can check it out in the post. However, the simply way is to make use the openvpn binary inside of the Tunnelblick application package. I simply copied it out of the .app and into /usr/sbin. The following again automates the entire process for installing the openvpn binary.

cd /tmp/
curl -O http://tunnelblick.googlecode.com/files/Tunnelblick_3.0b10.dmg
hdiutil attach Tunnelblick_3.0b10.dmg
cp /Volumes/Tunnelblick/Tunnelblick.app/Contents/Resources/openvpn \
    /usr/sbin/openvpn
hdiutil detach $( df | grep Tunnelblick | awk '{print $1}' )
rm -Rf Tunnelblick*

I then created a new OpenVPN configuration file using the example provided in the referenced Tony’s Cafe post. The example I used is provided below.

client
dev tap0
# In the next line, specify the IP address and subnet mask of the tap0 device
ifconfig [IP Address] [Subnet Mask]
proto udp
remote [OpenVPN Server DNS Address] [port]
resolv-retry infinite
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
mute-replay-warnings
# If using SSL Certificates, use the following 3 lines:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
# If using a SSL static key, use the following line:
secret “/etc/openvpn/vpn.key”
# Use the next line if utilizing LZO compression:
comp-lzo
verb 3
mute 20

I then plugged in the host to connect to, the IP address and subnet mask for my laptop to use while it is on the road, and the path to the certificates and keys stored on my machine. All that was left was to launch OpenVPN from the command line:

/usr/local/sbin/openvpn --config /path/to/openvpn.conf

I haven’t used this new method of connecting to my VPN extensively; however, so far it appears to be working well.

Finger Daemon on Ubuntu

Since I set up my Ubuntu servers and desktops at home I have wanted to be able to remotely finger the different computers on my network. By default, a remote finger request will look like this:

zac@dakara:~$ finger @athos
[athos.lund]
finger: connect: Connection refused

The solution is to install the required packages:

apt-get install inetutils-inetd fingerd

Then start the Internet super server:

/etc/init.d/inetutils-inetd start

According to the package details: “Inetd is the daemon that listens on various TCP and UDP ports and spawns programs that can’t or won’t do it for themselves.”

Now a remote finger request will look like:

zac@dakara:~$ finger @athos
[athos.lund]
Login     Name           Tty      Idle  Login Time   Office     Office Phone
zac       Zachary Lund   pts/2          May  4 20:12 (dakara.lund)

The contents of the file /etc/inetd.conf show what is necessary for finger:

finger		stream	tcp	nowait	nobody	/usr/sbin/tcpd	/usr/sbin/in.fingerd

It simply takes an incoming finger request and spawns the appropriate process.

Configure SpamAssassin with Postfix on Ubuntu

I’ve been running a mail server for the last year and a half. When I initially set up my Postfix mail server on Ubuntu, I knew that eventually I would need to add a spam filter. I recently decided that SpamAssassin was the best choice to filter email on my mail server.

I now receive on average more than one spam message each day. Interestingly, all of my spam is sent to an email address that I have only given out to Marquette University. I guess that means they have either sold my email address or poorly secured it in their database. Neither would surprise me.

I used the content from two different tutorials to get SpamAssassin up and running on my server.

First, I installed SpamAssassin.

apt-get install spamassassin spamc

Next, I created the spamd user and group. You can specify a specific uid and gid if you want.

groupadd spamd
useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd

Then I created the spamd home directory and set the permissions.

mkdir /var/log/spamassassin
chown spamd:spamd /var/log/spamassassin

Then I set up some configuration for SpamAssassin. You can edit the file directly, but I use Sed so that I can automate the installation process in a script. This enables SpamAssassin, Cron, and some other options.

DEFAULT_SPAMASSASSIN=/etc/default/spamassassin
mv $DEFAULT_SPAMASSASSIN $DEFAULT_SPAMASSASSIN.default
sed '
    s/ENABLED=0/ENABLED=1/
    s/CRON=0/CRON=1/
    s/^OPTIONS.*/SAHOME="\/var\/log\/spamassassin"\nOPTIONS="--create-prefs --max-children 5 --username spamd -H ${SAHOME} -s ${SAHOME}\/spamd.log"/
' $DEFAULT_SPAMASSASSIN.default > $DEFAULT_SPAMASSASSIN

Then I set up the rest of the configuration for SpamAssassin. I initially set the required score to 2.0, but this caused a lot of legitimate emails (ham) to be marked as spam. The following configuration will rewrite subjects of spam messages to identify them as spam.

SA_LOCAL_CF=/etc/spamassassin/local.cf
mv $SA_LOCAL_CF $SA_LOCAL_CF.default
echo "
rewrite_header Subject [***** SPAM _SCORE_ *****]
required_score           5.0
# to be able to use _SCORE_ we need report_safe set to 0
# If this option is set to 0, incoming spam is only 
# modified by adding some \"X-Spam-\" headers and no 
# changes will be made to the body.
report_safe     0

# Enable the Bayes system
use_bayes               1
use_bayes_rules         1
# Enable Bayes auto-learning
bayes_auto_learn        1

# Enable or disable network checks
skip_rbl_checks         0
use_razor2              0
use_dcc                 0
use_pyzor               0
" > $SA_LOCAL_CF

Now that I have been running the spam filter for a couple weeks, I have had to whitelist some email addresses that send me emails with strange headers or get sent from “shady” IP addresses. This goes into the same local.cf file.

whitelist_from *@hq.acm.org

I find it amusing that emails from the ACM keep getting marked as spam. Next I started SpamAssassin.

/etc/init.d/spamassassin start

Next, I modified Postfix to send emails through the SpamAssassin filter.

POSTFIX_MASTER_CF=/etc/postfix/master.cf
mv $POSTFIX_MASTER_CF $POSTFIX_MASTER_CF.default
sed 's/smtp      inet  n       -       -       -       -       smtpd/smtp      inet  n       -       -       -       -       smtpd\n\t-o content_filter=spamassassin/'  \
$POSTFIX_MASTER_CF.default > $POSTFIX_MASTER_CF
echo 'spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e    
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}' >> $POSTFIX_MASTER_CF

Next, reload Postfix so it will use SpamAssassin.

/etc/init.d/postfix reload

Once SpamAssassin is running, you can train it by passing it spam and ham emails.

sa-learn -u spamd --spam --mbox /path/to/spam_mbox
sa-learn -u spamd --ham --mbox /path/to/ham_mbox

After adjusting the spam threshold, training the filter with spam messages that I have acquired over the last year, and whitelisting a few problematic senders, my spam filter has been doing a good job of marking spam as spam. At this point it is easy enough to sort through the email manually and confirm that they are spam. In the future, if it ever gets bad enough, I will be able to automatically delete the messages or filter them into a different mailbox on delivery.

Configure a Reverse Proxy with Apache

In a previous post, I discussed the details required to set up Subsonic on Ubuntu Server. The problem with Subsonic is that it runs on Tomcat on a non-standard port. The rest of my web applications run in Apache on port 80. Therefore, it would be nice if instead of having to go to http://athos.zacintosh.com:8180/subsonic/, I could simply go to http://athos.zacintosh.com/subsonic/. The solution is called a reverse proxy. Reverse proxies can do things like load balance between multiple web servers or simply make resources on an internal web server available externally. In this case, I am using a reverse proxy to make a web application available on a different port available on the standard port 80.

The set up is fairly simple. On Ubuntu, it should be as simple as issuing this command (as root) to enable the proxy modules:

a2enmod proxy_http

Next I inserted the following into /etc/apache2/conf.d/subsonic.conf to make it available on all websites running on my server. If you only wanted it to be available for a single website, you could insert this into a site inside of /etc/apache2/sites-available/.

ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>
ProxyPass /subsonic/ http://localhost:8180/subsonic/
ProxyPassReverse /subsonic/ http://localhost:8180/subsonic/

The configuration above says to not proxy all requests (not act as a forward proxy server). The ProxyPass and ProxyPassReverse set up the actual retrieval of data from Subsonic running on Tomcat. You need to replace the localhost and the port number with the specific items for your configuration. Finally, you need to reload the Apache configuration:

/etc/init.d/apache2 force-reload

Now Subsonic should be available on port 80 just like everything else running on your web server with Apache.

Install Subsonic on Ubuntu Server

Subsonic is a free, web-based media streaming application. After evaluating it alongside Jinzora and Sockso, I selected it for use on my servers. Internally, I have been using Firefly Media Server (previously called mt-daapd) to make music available to different desktop music players. Subsonic had several features that made it a good choice including allowing music from several different directories, Last.fm scrobbling support/integration, and multiple users with passwords and support for LDAP integration.

I installed Subsonic on a server running Ubuntu Hardy Heron Server. I built on a previous tutorial for installing Subsonic on Ubuntu.

First, I install the necessary Java packages, Tomcat, and Lame. I broke it into three installs to be safe. It could probably be done in one.

apt-get install java-common sun-java6-bin sun-java6-jdk sun-java6-jre
apt-get install tomcat5.5
apt-get install lame

Next, I stopped Tomcat before changing the Tomcat configuration and installing the Subsonic web application.

/etc/init.d/tomcat5.5 stop

Next, I disabled the Tomcat security stuff. It’s required for Subsonic to work. You could do this by editing the file directly (/etc/init.d/tomcat5.5), but I use Sed so that I can automate the installation process in a script.

cd /etc/init.d/
mv tomcat5.5 tomcat5.5.bak
sed "s/TOMCAT5_SECURITY=yes/TOMCAT5_SECURITY=no/" tomcat5.5.bak > tomcat5.5
chmod +x tomcat5.5
rm tomcat5.5.bak

Next, I downloaded, decompressed, and installed the subsonic application.

cd /tmp/
wget http://superb-east.dl.sourceforge.net/sourceforge/subsonic/subsonic-3.6-war.zip
unzip subsonic-3.6-war.zip -d subsonic
mv subsonic/subsonic.war /var/lib/tomcat5.5/webapps/

Subsonic expects certain directories to exist. The following creates those directories and sets the permissions.

mkdir /var/subsonic
mkdir /var/subsonic/playlists
mkdir /var/subsonic/transcode
chown -R tomcat55:nogroup /var/subsonic

Subsonic uses Lame to transcode/compress mp3s for streaming. The next two lines make Lame available to Subsonic.

cd /var/subsonic/transcode
ln -s /usr/bin/lame lame

Now we can start Tomcat again.

/etc/init.d/tomcat5.5 start

I always like to clean up after my installs. This removes the files we downloaded and no longer need any more.

rm -R /tmp/subsonic*

Subsonic should now be running and available at http://localhost:8180/subsonic/. The port might vary depending on the installation of Tomcat. Log in. You can change the password by clicking on “Settings” and then “Users” and then selecting the admin account.

Next, I configured LDAP authentication. It was as simple as clicking on “Settings” and then “Advanced” and then “Enable LDAP authentication.” I then filled in the following:

  • LDAP URL: ldap://athos.lund:389/dc=lund
  • LDAP search filter: (uid={0})

I left the “LDAP manager DN” and “Password” blank. I checked “Automatically create users in Subsonic” so that any user in LDAP can automatically log into Subsonic.

If you would like to make Subsonic available on port 80 like most web applications instead of port 8180, check out my post on Reverse Proxies.

Configuring a Mail Server with Postfix

I gave a presentation about Postfix to the Marquette University ACM chapter. It should be a useful starting point for configuring a Postfix mail server. I include details about much of the configuration including canonical maps which was something that I initially found difficult to figure out.

Rather than creating my presentation in Microsoft PowerPoint or OpenOffice.org Impress, I decided to check out the LaTeX Beamer package for my presentation. Since I’ve been using LaTeX for a while, it wasn’t too difficult to figure out, and it worked particularly well because most of the presentation is Postfix configuration text which I could easily include in the presentation.

The presentation is available as a PDF for download.

Resizing LVM Partitions

My brother Ben has installed quite a few games and other things on his Ubuntu desktop. Because most of these are programs are available as packages, his 6 GB root partition started getting a bit small. He has a 500 GB hard drive partitioned into root, swap, and home. Ben and I decided to transfer 20 GB from his home partition to his root partition. The drive was configured with LVM which is supposed to make this procedure simple. It turns out it was mildly more complicated than simple, but it wasn’t too bad.

The first step is to boot from a CD like GParted. GParted provides the necessary LVM command line tools to resize the partitions. We need to boot from a CD or another drive because we will be modifying the root partition.

Because I was booted from a CD, I did not capture the output from the commands that I used. The first step is to find the name of the LVM volume group:

lvdisplay

On Ben’s computer, the volume group was “loki”. Next, we make that volume group available:

vgchange --available y loki

Then we decrease the size of the home partition. First we resize the EXT3 file system and then we resize the LVM partition. The “e2fsck” commands check and repair the file system as we go. We are resizing the home partition from 440 GB down to 420 GB.

e2fsck -f /dev/loki/home
resize2fs /dev/loki/home 420G
e2fsck -f /dev/loki/home
lvreduce --size 420G /dev/loki/home
e2fsck -f /dev/loki/home

Once the 20 GB is available, we increase the size of the root partition. We do this in reverse order. First we increase the size of the LVM partition and then increase the size of the file system.

e2fsck -f /dev/loki/root
lvextend --size +20.15G /dev/loki/root
e2fsck -f /dev/loki/root
resize2fs /dev/loki/root 26G
e2fsck -f /dev/loki/root

We rebooted Ben’s computer again, and he now had 26 GB root partition.

OWA Sync on Ubuntu

Update: OWA Sync V0.6 (the current version) is not compatible with Exchange 2007. When I set this up, I was connecting to Exchange 2003.

I use OWA Sync to get all of my calendar information onto my Ubuntu desktop. I recently rediscovered the Little Brother’s Database and decided to make my OWA contacts available in Mutt on my Ubuntu desktop, too. (I used lbdb to make my contacts in Apple Address Book available to Mutt when I was still using Mac OS X as my primary operating system.)

The OWA Sync website has a decent explanation of creating a owaSyncrc file. After I created that, I wrote a script that runs as a cron job.

#! /bin/bash

export PATH=$PATH:/usr/local/bin/

/usr/local/bin/owaSync.kit -update

cat $HOME/.owa/Calendar/*.ics > $HOME/.calendar.ics
cat $HOME/.owa/Contacts/*.vcf > $HOME/.contacts.vcf

After a bit of trial and error, I figured out that “/usr/local/bin/” needed to be in the path for the owaSync.kit script to run. After the synchronization is complete, I then concatenate all of the calendar events into a single file and all of the contact cards into a single file. I now have a single calendar file that I can use with PHP iCalendar and a single contacts file that I can use with lbdb. It requires a fairly simple rc file that looks something like this:

METHODS="$METHODS m_vcf m_muttalias"

VCF_FILES="$HOME/.contacts.vcf"
MUTTALIAS_FILES="$HOME/.mutt/aliases"

I add “m_vcf” and “m_muttaliases” to the “METHODS” and then I specify the locations of my OWA contacts and my Mutt aliases. Now when I launch Mutt, I can query for addresses that I downloaded from OWA.

Adobe Flash 10 on Ubuntu Hardy Heron

I finally got sick of having to use Hulu on my MacBook Pro instead of my Ubuntu desktop and decided to see if I could fix the Flash player problems. It turns out that the fix was simple. This article from Ubuntu Geek makes it easy. Since I am running a 64-bit OS, I used the 64-bit instructions:

wget http://queleimporta.com/downloads/flash10_en.sh
chmod +x flash10_en.sh
sudo bash ./flash10_en.sh

Now Hulu works just fine in Firefox on Ubuntu.

April Fools Prank

Inspired by Upside-Down-Ternet, I decided to get two of my housemates back for the Tabasco and Whiskey shot that they gave me when we went out for my birthday. Flipping all of the images upside down was a little too subtle though. I prefer the all-out, in-your-face kind of April Fools revenge prank.

It turns out all I had to do was find the IP addresses for my housemates’ computers, create the awesome pwned page, and issue two commands on my DD-WRT router:

root@Madrona:~# iptables -t nat -I PREROUTING -s 192.168.1.187 -p tcp -j DNAT --to-destination 192.168.1.42
root@Madrona:~# iptables -t nat -I PREROUTING -s 192.168.1.190 -p tcp -j DNAT --to-destination 192.168.1.42

When those two housemates went to check Facebook (or any site) this morning, they were greeted with this instead:

Pwned by the Zaxor!
Pwned by the Zaxor!

Their reactions made it worth it. Tyler said, “Pwned? What is pwned?” David said, “What the hell is a Zaxor?”

Even though I downed the entire Tabasco and Whiskey shot, let this be a lesson that I always take my revenge convey my thanks in kind.