Thursday, March 31, 2011

Specifications for Egypt's Next President


Inspired by the constitutional declaration issued by the Supreme Council of the Armed Forces, which sets out the constitutional conditions that candidates for the presidency must meet in the coming elections, Twitter activists set off to announce their own conditions for the awaited new president.

And since most of those who took part in drawing up these conditions are children of the era of the deposed Mubarak, that explains the many conditions aimed at banishing every word, description, comment, gesture or wink the deposed president ever produced!

  • Not from Menoufia, born to two non-Menoufi parents, never previously held Menoufian nationality, and not married to a Menoufian woman.
  • Every morning he listens to the song "Damet le Meen" ("Who did it ever last for?").
  • No "surprise visits" to factories on Saturdays at eleven; we'll be the ones paying him surprise visits every three hours.
  • He shouldn't think that because he became president he is the leader of the revolution.
  • He shouldn't call us "brothers and sisters"; my mother only gave birth to me and my siblings.
  • Anyone who utters the words "on the instructions of Mr. President" gets executed on the spot without trial.
  • He speaks and understands English without his ears popping.
  • And if he wins more than 60% of the vote, he gets put on trial.
  • He knows that we elected him, not him plus his wife, his son, his siblings, his mother and his whole family.
  • He has Facebook and Twitter but no FarmVille, and writes one tweet a day so as not to waste the people's time.
  • Not as shiny and glittery as Hamada Helal.
  • He's very modest... oh yes, of course... no, not to the point of living in a tent, that would be a bad omen.
  • His wife must take the title "Last Lady of Egypt".
  • He doesn't live in the presidential palace; better he rents a flat under the new rental law.
  • Every Friday after prayers he must visit a neighbourhood and talk to its people.
  • He eats the five-piastre bread and drinks from the tap.
  • His suit shouldn't have his name woven into it; we want him to buy his suits from Abu Nesma.
  • He's supposed to fret over every single thing in the country... come on man, lighten up.
  • He must have a satellite receiver and a TV and watch Al Jazeera.
  • He says "the occupation entity", not "the State of Israel".
  • He must never have carried out any air, ground or space strike that he can lord over us.
  • He shouldn't say "shame on you, I'm like your father" every time we speak to him; if he really needs family feelings, he can consider himself our little sister.
  • He doesn't hold up traffic to go on an errand; he walks in the street like the rest of us, or else takes the plane.
  • He never begins a sentence with the word "we shall remain".
  • He doesn't say our national team is good, doesn't phone Hassan Shehata, and doesn't visit the players at training.
  • He must not be "patron of sport and sportsmen", nor "patron of culture and intellectuals", nor "patron of art and artists".
  • He doesn't fool us by going and inaugurating the same thing twenty times.
  • He doesn't pray the Eid prayer before Eid has even started, with his picture plastered across Al-Ahram at midnight on the eve of Eid.
  • He drops the phrase "we denounce and condemn".
  • He is not a lover of "stability".
  • He doesn't use terms like "the low-income", "the coming phase", "untouchable", and the other phrases and sentences that were repeated every May Day!
  • He waits for hours while the motorcades of the esteemed citizens pass, and if he arrives late at the presidential palace he gets penalised.
  • He doesn't live in Heliopolis with Salah Salem road closed every day for him, his wife and his kids.
  • Half of him is a worker or a peasant, so that he represents the will of the people.
  • He doesn't have a prime minister who wears a pullover.
  • The moment we tell him "beat it", he's gone within seconds; we shouldn't have to hold a zar in Tahrir to exorcise him.
  • No such thing as treatment abroad; he gets treated in the public health insurance hospitals where the people get treated.
  • He is forbidden from naming a street, a public toilet, or even a tuk-tuk stop after himself.
  • He drives his own car on the Ring Road and sees what the microbuses and lorries do to us :-)
  • He tells us exactly what time he'll come on to give a speech, so he doesn't keep us hanging for ten hours until he graciously shows up.
  • If a train burns and a ferry sinks during his term, he is executed tied to a seat in a burning train carriage inside a sinking ferry, broadcast live.
  • And every time a police sergeant sees him he says "your ID, now", and every time there's an incident they take him in for questioning, slap him and tell him "answer straight, boy".
  • Preferably an amnesiac, so he doesn't tell his life story in every speech.
  • He loves us with unrequited love, keeps sending us letters and flowers, and we ignore him.
  • And he doesn't call us "fellow citizens, brothers"; we have no brother who has sunk as low as being president.
  • He has never... ever... ever flown a plane, nor ridden in one, nor even flown a paper kite as a kid, and he hasn't "killed and been killed".
  • His name isn't written on anything, at all, not even in the newspapers, and his news isn't published on the front page; they print his news next to the Sudoku.
  • He must visit the factories of Shubra El-Kheima, sit next to the broken smoke filters and breathe the exhaust for at least 10 hours a week.
  • He doesn't even know how people get to Sharm El-Sheikh.
  • He can't speak well, so it's easy to trip him up and find out where he'll smuggle his money to.
  • He abolishes Mostafa Mahmoud Square and doesn't set foot in Mohandessin for his whole term.

Wednesday, March 30, 2011

Troubleshooting OpenVPN 2: Configurations


The companion article on routing gives an insight into troubleshooting routing problems when setting up a VPN using OpenVPN: how to detect, diagnose, and repair common routing issues. This article deals with configuration mismatches instead.
In this article by Jan Just Keijser, author of OpenVPN 2 Cookbook, we will cover:
  • Cipher mismatches
  • TUN versus TAP mismatches
  • Compression mismatches
  • Key mismatches
  • Troubleshooting MTU and tun-mtu issues
  • Troubleshooting network connectivity
  • Troubleshooting client-config-dir issues
  • How to read the OpenVPN log files

OpenVPN 2 Cookbook

OpenVPN 2 Cookbook 100 simple and incredibly effective recipes for harnessing the power of the OpenVPN 2 network
  • Set of recipes covering the whole range of tasks for working with OpenVPN
  • The quickest way to solve your OpenVPN problems!
  • Set up, configure, troubleshoot and tune OpenVPN
  • Uncover advanced features of OpenVPN and even some undocumented options

Introduction

The topic of this article is troubleshooting OpenVPN, and the focus is on OpenVPN misconfigurations.
The recipes in this article therefore deal first with breaking things, and then provide the tools for finding and solving the resulting configuration errors. Some of the configuration directives used in this article have not been demonstrated before, so even if you are not interested in breaking things, this article will still be insightful.

Cipher mismatches

In this recipe, we will change the cryptographic ciphers that OpenVPN uses. Initially, we will change the cipher only on the client side, which will cause the initialization of the VPN connection to fail. The primary purpose of this recipe is to show the error messages that appear, not to explore the different types of ciphers that OpenVPN supports.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf and the client configuration file basic-udp-client.conf at hand (both are part of the book's downloadable code for Chapter 2).

How to do it...

  1. Start the server using the configuration file basic-udp-server.conf:
    [root@server]# openvpn --config basic-udp-server.conf
  2. Next, create the client configuration file by appending a line to the basic-udp-client.conf file:
    cipher CAST5-CBC
    Save it as example7-1-client.conf.
  3. Start the client, after which the following message will appear in the client log:
    [root@client]# openvpn --config example7-1-client.conf
    ... WARNING: 'cipher' is used inconsistently, local='cipher CAST5-CBC', remote='cipher BF-CBC'
    ... [openvpnserver] Peer Connection Initiated with server-ip:1194
    ... TUN/TAP device tun0 opened
    ... /sbin/ip link set dev tun0 up mtu 1500
    ... /sbin/ip addr add dev tun0 192.168.200.2/24 broadcast 192.168.200.255
    ... Initialization Sequence Completed
    ... Authenticate/Decrypt packet error: cipher final failed
  4. And, similarly, on the server side:
    ... client-ip:52461 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher CAST5-CBC'
    ... client-ip:52461 [openvpnclient1] Peer Connection Initiated with openvpnclient1:52461
    ... openvpnclient1/client-ip:52461 Authenticate/Decrypt packet error: cipher final failed
    ... openvpnclient1/client-ip:52461 Authenticate/Decrypt packet error: cipher final failed
The tunnel comes up, because the TLS handshake itself does not involve the data-channel cipher, but not a single data packet can be decrypted by either side, so nothing usable gets through. OpenVPN does not disconnect on its own either.

How it works...

During the connection phase, the client and the server exchange a summary of their configuration (the options string) and compare it; this comparison is what produces the 'is used inconsistently' warnings. The data-channel cipher is one of the most important entries in that summary, because it is used to encrypt and decrypt every packet sent through the tunnel. Note that OpenVPN 2.1 does not negotiate the cipher: each side simply uses whatever its own configuration says (BF-CBC if nothing is specified), so the warning is purely informational and the mismatch only surfaces when the first data packet fails to decrypt. If the client and the server use different ciphers, they are simply not capable of talking to each other.
By adding the following configuration directive to the server configuration file, the client and the server can communicate again:
cipher CAST5-CBC

There's more...

OpenVPN supports quite a few ciphers, although support for some of them is still experimental. To view the list of supported ciphers, type:
$ openvpn --show-ciphers
This lists all ciphers, with both variable and fixed key lengths. The ciphers with a variable key length are very well supported by OpenVPN; the others can sometimes lead to unpredictable results.

TUN versus TAP mismatches

A common mistake when setting up a VPN based on OpenVPN is the type of adapter that is used. If the server is configured to use a TUN-style network but a client is configured to use a TAP-style interface, then the VPN connection will fail. In this recipe, we will show what is typically seen when this common configuration error is made.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf and the client configuration file basic-udp-client.conf at hand (both are part of the book's downloadable code for Chapter 2).

How to do it...

  1. Start the server using the configuration file basic-udp-server.conf:
    [root@server]# openvpn --config basic-udp-server.conf
  2. Next, create the client configuration:
    client
    proto udp
    remote openvpnserver.example.com
    port 1194
    dev tap
    nobind
    ca /etc/openvpn/cookbook/ca.crt
    cert /etc/openvpn/cookbook/client1.crt
    key /etc/openvpn/cookbook/client1.key
    tls-auth /etc/openvpn/cookbook/ta.key 1
    ns-cert-type server
    Save it as example7-2-client.conf.
  3. Start the client
    [root@client]# openvpn --config example7-2-client.conf
    The client log will show:
    ... WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
    ... WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1541'
    ... WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
    ... [openvpnserver] Peer Connection Initiated with server-ip:1194
    ... TUN/TAP device tap0 opened
    ... /sbin/ip link set dev tap0 up mtu 1500
    ... /sbin/ip addr add dev tap0 192.168.200.2/24 broadcast 192.168.200.255
    ... Initialization Sequence Completed
    At this point, you can try pinging the server, but it will respond with an error:
    [client]$ ping 192.168.200.1
    PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
    From 192.168.200.2 icmp_seq=2 Destination Host Unreachable
    From 192.168.200.2 icmp_seq=3 Destination Host Unreachable
    From 192.168.200.2 icmp_seq=4 Destination Host Unreachable

How it works...

A TUN-style interface is a point-to-point, layer 3 device: only IP packets can be tunneled through it. A TAP-style interface is the equivalent of an Ethernet (layer 2) interface, so every packet carries an Ethernet header as well, which allows other types of traffic, such as ARP or non-IP protocols, to be tunneled. When the client and the server are misconfigured, the expected packet size differs:
... WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
This shows that OpenVPN reserves 32 extra bytes per packet for a TAP-style interface compared with a TUN-style interface (the default tun-mtu-extra for TAP devices). The TLS handshake does not depend on the device type, so the tunnel comes up and the log ends with Initialization Sequence Completed; but the server treats the client's Ethernet frames as if they were IP packets, and vice versa, so nothing sent through the tunnel is understood by the other side, hence the Destination Host Unreachable replies.
By correcting the client configuration (dev tun), this problem is resolved.

Compression mismatches

OpenVPN supports on-the-fly compression of the traffic that is sent over the VPN tunnel. This can improve performance over a slow network line, but it adds a little overhead, and when transferring incompressible data (such as ZIP files) the performance actually decreases slightly.
If compression is enabled on the server but not on the client, the VPN connection will fail.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf and the client configuration file basic-udp-client.conf at hand (both are part of the book's downloadable code for Chapter 2).

How to do it...

  1. Append a line to the server configuration file basic-udp-server.conf:
    comp-lzo
    Save it as example7-3-server.conf.
  2. Start the server:
    [root@server]# openvpn --config example7-3-server.conf
  3. Next, start the client:
    [root@client]# openvpn --config basic-udp-client.conf
    The connection will initiate but when data is sent over the VPN connection, the following messages will appear:
    Initialization Sequence Completed
    ... write to TUN/TAP : Invalid argument (code=22)
    ... write to TUN/TAP : Invalid argument (code=22)

How it works...

During the connection phase, no compression is used to transfer information between the client and the server, so the TLS handshake succeeds. Compression applies only to the VPN payload: with comp-lzo enabled, OpenVPN prepends a one-byte compression header to every data packet it sends and expects one on every data packet it receives. If the client and the server disagree, one side hands the kernel packets that still carry this header byte, and the other strips a byte that was never there; in both cases the kernel rejects the result, which is what 'write to TUN/TAP : Invalid argument (code=22)' means.
The straightforward fix is to make both configuration files agree. With a network comprising only OpenVPN 2.1 clients and an OpenVPN 2.1 server, this can be fixed for all the clients at once by adding one more line to the server configuration:
push "comp-lzo"

There's more...

OpenVPN 2.0 did not have the ability to push compression directives to the clients. This means that an OpenVPN 2.0 server does not understand this directive, nor do OpenVPN 2.0 clients. So, if an OpenVPN 2.1 server pushes out this directive to an OpenVPN 2.0 client, the connection will fail.

Key mismatches

OpenVPN offers extra protection for its TLS control channel in the form of HMAC keys. The key file has exactly the same format as the static "secret" key used in point-to-point style networks. For multi-client style networks, this extra protection is enabled using the tls-auth directive. If there is a mismatch between the client and the server related to this tls-auth key, then the VPN connection will fail to get initialized.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the first recipe. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf and the client configuration file basic-udp-client.conf at hand (both are part of the book's downloadable code for Chapter 2).

How to do it...

  1. Start the server using the configuration file basic-udp-server.conf:
    [root@server]# openvpn --config basic-udp-server.conf
  2. Next, create the client configuration:
    client
    proto udp
    remote openvpnserver
    port 1194
    dev tun
    nobind
    ca /etc/openvpn/cookbook/ca.crt
    cert /etc/openvpn/cookbook/client1.crt
    key /etc/openvpn/cookbook/client1.key
    tls-auth /etc/openvpn/cookbook/ta.key
    ns-cert-type server
    Note the lack of the second parameter for tls-auth. Save it as example7-4-client.conf file.
  3. Start the client:
    [root@client]# openvpn --config example7-4-client.conf
    The client log will show no errors, but the connection will not be established either. In the server log we'll find:
    ... Initialization Sequence Completed
    ... Authenticate/Decrypt packet error: packet HMAC authentication failed
    ... TLS Error: incoming packet authentication failed from client-ip:54454
This shows that the client at client-ip is sending control packets whose HMAC cannot be verified with the server's tls-auth key, and that the connection is refused before the TLS handshake even starts (which is why the server log shows an IP address rather than a certificate name at this point).

How it works...

At the very first phase of the connection initialization, before any TLS handshake takes place, the client and the server verify the HMAC on each other's control-channel packets. If an HMAC key is not configured correctly, the initialization is aborted and the connection will fail to establish. The OpenVPN server cannot tell whether the client is simply misconfigured or whether a malicious client is trying to overload it, so it treats both the same way: the packet is silently dropped, without ever being handed to the TLS library. That is precisely the point of tls-auth: a peer without the key cannot reach the TLS code at all, which shields the server from denial-of-service attempts and from bugs in the TLS stack. From the client's point of view nothing comes back, so it keeps listening for traffic from the server until it eventually times out.
In this recipe, the misconfiguration consisted of the missing parameter 1 behind:
tls-auth /etc/openvpn/cookbook/ta.key
The second parameter to the tls-auth directive is the direction of the key. Normally, the following convention is used:
  • 0 on the server (server to client direction)
  • 1 on the client (client to server direction)
This parameter selects which part of the ta.key file each side derives its outgoing and incoming HMAC keys from, so that each direction of traffic is protected by a different key; the two sides must therefore use opposite values. Omitting the parameter on both sides also works, in which case the same key is used for both directions. If the client and the server disagree on which parts the HMAC keys are derived from, as here where only the server specified a direction, the connection cannot be established. The same happens when the client and the server use different ta.key files altogether.


Troubleshooting MTU and tun-mtu issues

One of the more advanced features of OpenVPN is the ability to tune the network parameters of both the TUN (or TAP) adapter and of the encrypted link itself. This is a frequent cause of configuration mistakes, leading to low performance or even the inability to transfer data across the VPN tunnel. This recipe shows what happens if there is an MTU (Maximum Transmission Unit) mismatch between the client and the server, and how this mismatch can cause the VPN tunnel to fail only under certain circumstances.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf and the client configuration file basic-udp-client.conf at hand (both are part of the book's downloadable code for Chapter 2).

How to do it...

  1. Start the server using the configuration file basic-udp-server.conf:
    [root@server]# openvpn --config basic-udp-server.conf
  2. Next, create the client configuration file by appending a line to the basic-udp-client.conf file:
    tun-mtu 1400
    Save it as example7-5-client.conf.
  3. Start the client and look at the client log:
    [root@client]# openvpn --config example7-5-client.conf
    ... WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1441', remote='link-mtu 1541'
    ... WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1500'
    ... [openvpnserver] Peer Connection Initiated with server-ip:1194
    ... TUN/TAP device tun0 opened
    ... /sbin/ip link set dev tun0 up mtu 1400
    ... /sbin/ip addr add dev tun0 192.168.200.2/24 broadcast 192.168.200.255
    ... Initialization Sequence Completed
    There are a few warnings when the tunnel comes up, but the connection is initialized.
  4. It is possible to send traffic over the link, which we can verify using the ping command:
    [client]$ ping -c 2 192.168.200.1
    PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
    64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=30.6 ms
    64 bytes from 192.168.200.1: icmp_seq=2 ttl=64 time=30.7 ms
  5. However, when sending larger packets, for example:
    [client]$ ping -s 1450 192.168.200.1
    Then, the following messages appear in the client log file:
    ... Authenticate/Decrypt packet error: packet HMAC authentication failed
    ... Authenticate/Decrypt packet error: packet HMAC authentication failed
The same thing will happen if the client tries to download a large file.

How it works...

The MTU or Maximum Transmission Unit determines how large the packets sent over the tunnel can be without being broken up (fragmented) into multiple pieces. OpenVPN derives the size of the encrypted packets on the wire (link-mtu) from tun-mtu, and sizes its receive buffers accordingly. If the client and the server disagree on the MTU, the server will send encrypted packets to the client that are larger than the client's link-mtu. The client truncates them on receipt, so the packet HMAC no longer verifies (the data channel is authenticated with the --auth HMAC by default, whether or not tls-auth is in use) and the whole packet is thrown away. Small packets, such as the 84-byte ping, fit within both limits and pass unharmed, which is why the tunnel appears to work until a large packet is sent.
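Every mismatch in the recipes so far (cipher, TUN versus TAP, compression, tls-auth direction and tun-mtu) is visible by simply comparing the two configuration files before OpenVPN is ever started. The following Python script is an added example and not code from the OpenVPN 2 Cookbook: it parses a server and a client configuration and reports each disagreement together with the log message the recipes above attribute to it. The client configuration is the working one quoted in the Key mismatches recipe; basic-udp-server.conf is not reproduced on this page, so the server configuration here is an assumed minimal stand-in, and the defaults (BF-CBC, dev tun, tun-mtu 1500) are those of OpenVPN 2.1.

```python
"""Static consistency check between an OpenVPN 2.1 server and client
configuration. Added example for this article, not the cookbook's own code."""
import shlex

DEFAULTS = {"cipher": "BF-CBC", "dev": "tun", "tun-mtu": "1500"}  # OpenVPN 2.1 defaults


def parse_config(text):
    """Map each directive to its argument list; pushed directives are
    collected under 'push' as a list of already-split option lines."""
    opts = {"push": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        name, *args = shlex.split(line)
        if name == "push":
            opts["push"].append(shlex.split(" ".join(args)))
        else:
            opts[name] = args
    return opts


def dev_type(opts):
    """'tun' or 'tap': an explicit dev-type wins, otherwise derive it from dev."""
    if "dev-type" in opts:
        return opts["dev-type"][0]
    return "tap" if opts.get("dev", [DEFAULTS["dev"]])[0].startswith("tap") else "tun"


def check_pair(server_text, client_text):
    """Return the list of disagreements, each with the log message the article
    associates with it; an empty list means the two sides are consistent."""
    srv, cli = parse_config(server_text), parse_config(client_text)
    pushed = {p[0] for p in srv["push"] if p}
    out = []
    # 1. The data-channel cipher is not negotiated in 2.1: it must match exactly.
    s, c = (x.get("cipher", [DEFAULTS["cipher"]])[0].upper() for x in (srv, cli))
    if s != c:
        out.append(f"cipher: server {s}, client {c} -> 'cipher final failed'")
    # 2. TUN versus TAP: the tunnel comes up, but the peer is unreachable.
    s, c = dev_type(srv), dev_type(cli)
    if s != c:
        out.append(f"dev-type: server {s}, client {c} -> 'Destination Host Unreachable'")
    # 3. Compression: the client needs comp-lzo locally or pushed by the server.
    s, c = "comp-lzo" in srv, ("comp-lzo" in cli or "comp-lzo" in pushed)
    if s != c:
        out.append(f"comp-lzo: server {'on' if s else 'off'}, client {'on' if c else 'off'} "
                   "-> 'write to TUN/TAP : Invalid argument (code=22)'")
    # 4. tls-auth: both sides or neither; directions 0 and 1 (one each) or omitted on both.
    s, c = srv.get("tls-auth"), cli.get("tls-auth")
    if (s is None) != (c is None):
        out.append("tls-auth: configured on one side only -> 'packet HMAC authentication failed'")
    elif s is not None:
        sd, cd = (x[1] if len(x) > 1 else None for x in (s, c))
        if {sd, cd} not in ({"0", "1"}, {None}):
            out.append(f"tls-auth direction: server {sd}, client {cd} "
                       "-> 'TLS Error: incoming packet authentication failed'")
    # 5. tun-mtu: link-mtu and the receive buffers are derived from it.
    s, c = (x.get("tun-mtu", [DEFAULTS["tun-mtu"]])[0] for x in (srv, cli))
    if s != c:
        out.append(f"tun-mtu: server {s}, client {c} -> small pings work, large packets fail")
    return out


SERVER_CONF = """\
# assumed minimal stand-in for basic-udp-server.conf (not shown on this page)
proto udp
port 1194
dev tun
server 192.168.200.0 255.255.255.0
tls-auth /etc/openvpn/cookbook/ta.key 0
"""
CLIENT_CONF = """\
# the working client configuration from the 'Key mismatches' recipe
client
proto udp
remote openvpnserver
port 1194
dev tun
nobind
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client1.crt
key /etc/openvpn/cookbook/client1.key
tls-auth /etc/openvpn/cookbook/ta.key 1
ns-cert-type server
"""

# The five broken set-ups from the recipes above, keyed by the cookbook's file names.
BROKEN = {
    "example7-1 cipher":   (SERVER_CONF, CLIENT_CONF + "cipher CAST5-CBC\n"),
    "example7-2 tap":      (SERVER_CONF, CLIENT_CONF.replace("dev tun", "dev tap")),
    "example7-3 comp-lzo": (SERVER_CONF + "comp-lzo\n", CLIENT_CONF),
    "example7-4 tls-auth": (SERVER_CONF, CLIENT_CONF.replace("ta.key 1", "ta.key")),
    "example7-5 tun-mtu":  (SERVER_CONF, CLIENT_CONF + "tun-mtu 1400\n"),
}


def run_examples():
    """Lint every broken pair; returns {name: findings}."""
    return {name: check_pair(s, c) for name, (s, c) in BROKEN.items()}
```

run_examples() yields exactly one finding per broken set-up, and check_pair on the unmodified pair returns an empty list. The comp-lzo rule accepts a pushed "comp-lzo" as satisfying the client, which, as the compression recipe notes, is only true when every client is OpenVPN 2.1 or newer.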

There's more...

On the Windows platform, it is not easy to change the MTU setting of the TAP-Win32 adapter that OpenVPN uses. The directive tun-mtu can be specified, but the Windows version of OpenVPN cannot alter the adapter's actual MTU: Windows did not support changing it before Windows Vista, and OpenVPN does not yet have the capability of altering the MTU on Windows Vista or Windows 7 either.

Troubleshooting network connectivity

This recipe will focus on the type of log messages that are typically seen when the OpenVPN configurations are fine, but the network connectivity is not. In most cases, this is due to a firewall blocking access to either the server or the client. In this recipe, we explicitly block access to the server and then try to connect to it.

Getting Ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf and the client configuration file basic-udp-client.conf at hand (both are part of the book's downloadable code for Chapter 2).

How to do it...

  1. Start the server using the configuration file basic-udp-server.conf
    [root@server]# openvpn --config basic-udp-server.conf
  2. On the server, explicitly block access to OpenVPN using iptables:
    [root@server]# iptables -I INPUT -p udp --dport 1194 -j DROP
  3. Next, start the client using the configuration file basic-udp-client.conf:
    [root@client]# openvpn --config basic-udp-client.conf
The client will try to connect the server using the UDP protocol. After a while, a timeout will occur because no traffic is getting through and the client will restart:
... TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
... TLS Error: TLS handshake failed
... SIGUSR1[soft,tls-error] received, process restarting
Abort the client and stop the server.

How it works...

When OpenVPN is configured to use the default UDP protocol, the client will wait for an answer from the server for 60 seconds. If no answer was received, the connection is restarted. As we are explicitly blocking UDP traffic, the timeout occurs and the client is never able to connect.
The amount of time the client waits for the connection to start is controlled using the directive:
hand-window N
Here, N is the number of seconds to wait for the initial handshake to complete. The default value is 60 seconds.
Of course, the connection can be repaired by removing the firewall rule.

There's more...

One of the major differences between the UDP protocol and the TCP protocol is the way connections are established: every TCP connection starts with the TCP three-way handshake, which the operating system performs before OpenVPN sees any data. If the server's port is closed, the operating system reports the refused connection immediately, so OpenVPN does not have to wait for the hand-window timeout. (A firewall that silently drops packets, as in the recipe above, still produces a timeout rather than a refusal, even over TCP.)
... Attempting to establish TCP connection with openvpnserver:1194 [nonblock]
... TCP: connect to openvpnserver:1194 failed, will try again in 5 seconds: Connection refused

Troubleshooting 'client-config-dir' issues

In this recipe, we will demonstrate how to troubleshoot issues related to the use of the directive client-config-dir. This directive can be used to specify a directory for so-called CCD files. CCD files can contain OpenVPN directives to assign a specific IP address to a client, based on the client's certificate. Experience has shown that it is easy to misconfigure this directive. In this recipe, we will make one of the common misconfigurations and then show how to troubleshoot it.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf and the client configuration file basic-udp-client.conf at hand (both are part of the book's downloadable code for Chapter 2).

How to do it...

  1. Append the following lines to the configuration file basic-udp-server.conf:
    client-config-dir /etc/openvpn/cookbook/clients
    ccd-exclusive
    Save it as example7-7-server.conf.
  2. Make sure the directory /etc/openvpn/cookbook/clients is accessible only to root:
    [root@server]# chown root /etc/openvpn/cookbook/clients
    [root@server]# chmod 700 /etc/openvpn/cookbook/clients
  3. Start the server:
    [root@server]# openvpn --config example7-7-server.conf
  4. Next, start the client using the configuration file basic-udp-client.conf:
    [root@client]# openvpn --config basic-udp-client.conf
Then, the client will fail to connect with a message:
... [openvpnserver] Peer Connection Initiated with server-ip:1194
... AUTH: Received AUTH_FAILED control message
The server log file is a bit confusing: first, it mentions that there was a problem reading the CCD file openvpnclient1 but then it states that the client is connected:
... client-ip:42692 TLS Auth Error: --client-config-dir authentication failed for common name 'openvpnclient1' file='/etc/openvpn/cookbook/clients/openvpnclient1'
... client-ip:42692 [openvpnclient1] Peer Connection Initiated with client-ip:42692
The VPN connection has not been properly initiated, however.

How it works...

The following directives are used by the OpenVPN server to look in the directory /etc/openvpn/cookbook/clients for a CCD file with the name (CN) of the client certificate:
client-config-dir /etc/openvpn/cookbook/clients
ccd-exclusive
The purpose of the second directive, ccd-exclusive, is to only allow clients for which a CCD file is present. If a CCD file for a client is not present, the client will be denied the access.
The name of the client certificate is listed in the server log:
... client-ip:42692 TLS Auth Error: --client-config-dir authentication failed for common name 'openvpnclient1'
But it can also be retrieved from the certificate itself using:
openssl x509 -subject -noout -in client1.crt
Look for the part starting with /CN= and convert all spaces to underscores.
The OpenVPN server process is running as the user nobody (it drops its root privileges after start-up), and because we have set very restrictive permissions on the directory /etc/openvpn/cookbook/clients, this user is not capable of reading any file in that directory. When the client with certificate openvpnclient1 connects, the OpenVPN server cannot read the CCD file (even though it is there). Because of the ccd-exclusive directive, the client is then denied access. The same symptom appears when the directory is traversable but the CCD file itself is not readable. Without ccd-exclusive the problem is arguably worse: the client connects without its client-specific options and only the verbose log reveals that the file was never read.

There's more...

In this section, we will explain how to increase the logging verbosity and what some of the most common client-config-dir mistakes are.

More verbose logging

Increasing the verbosity of logging is often helpful when troubleshooting client-config-dir issues. With verb 5 and the right permissions, you will see the following log file entries in the OpenVPN server log:
openvpnclient1/client-ip:39814 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/cookbook/clients/openvpnclient1
If this message is not present in the server log, then it is safe to assume that the CCD file has not been read.

Other frequent client-config-dir mistakes

There are a few frequent client-config-dir mistakes:
  • A non-absolute path is used to specify the client-config-dir, for example:
    client-config-dir clients
  • This might work in some cases, but you have to be very careful when starting the server or when combining it with directives such as --chroot or --cd. Especially when the --chroot directive is used, every path, including an absolute one, is interpreted relative to the chroot directory, because the CCD files are read at client connect time, after the chroot has taken place.
  • The CCD file itself must be correctly named, without any extension. This typically tends to confuse Windows users. Look in the server log to see what the OpenVPN server thinks the /CN= name of the client certificate is. Also, be aware that OpenVPN rewrites some characters of the /CN= name, such as spaces. For the full list of characters that will be remapped, see the manual page, section String Types and Remapping.
  • The CCD file and the full path to it must be readable by the user under which the OpenVPN server process is running (usually nobody).
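Both halves of this recipe, the remapped /CN= name and the permissions of the directory and file as seen by the unprivileged server user, can be checked before a client ever connects. The following Python script is an added example and not code from the OpenVPN 2 Cookbook. It assumes the common-name remapping rule from the manual page section String Types and Remapping (alphanumerics, '_', '-', '.' and '@' are kept, every other character becomes '_'), and it judges readability from the mode bits alone for the uid and group ids you give it, ignoring ACLs and root's override. demo_permissions() rebuilds the chmod 700 situation from the recipe in a temporary directory.

```python
"""Pre-flight checks for --client-config-dir. Added example for this article,
not the cookbook's own code. Assumptions: common-name remapping as in the
manual page (alphanumerics, '_', '-', '.', '@' kept, anything else becomes
'_'); readability judged from mode bits only for the given uid/gids."""
import os
import re
import shutil
import stat
import tempfile


def cn_from_subject(subject):
    """CN from 'subject= /C=NL/O=Cookbook/CN=openvpnclient1' (openssl x509
    -subject) or from the comma-separated form 'CN = openvpnclient1, O = X'."""
    m = re.search(r"CN\s*=\s*([^/,]+)", subject)
    if not m:
        raise ValueError("no CN in subject: %r" % subject)
    return m.group(1).strip()


def ccd_filename(common_name):
    """Apply OpenVPN's common-name remapping: the result is the CCD file name."""
    return "".join(c if (c.isascii() and c.isalnum()) or c in "_-.@" else "_"
                   for c in common_name)


def _allows(st, uid, gids, other_bit):
    """Test one permission bit (given for the 'other' class) for uid/gids."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool(st.st_mode & (other_bit << shift))


def ccd_problems(ccd_dir, common_name, uid, gids, check_parents=True):
    """List the reasons OpenVPN, running as uid/gids, would fail to read this
    client's CCD file; an empty list means the file is usable."""
    problems = []
    if not os.path.isabs(ccd_dir):
        problems.append("client-config-dir %r is not absolute (fragile with --cd/--chroot)" % ccd_dir)
    path = os.path.abspath(ccd_dir)
    parts = path.split(os.sep)
    dirs = [os.sep.join(parts[:i]) or os.sep for i in range(1, len(parts) + 1)]
    for d in (dirs if check_parents else [path]):   # every component needs the x bit
        try:
            st = os.stat(d)
        except FileNotFoundError:
            return problems + ["directory %s does not exist" % d]
        if not _allows(st, uid, gids, stat.S_IXOTH):
            problems.append("uid %d cannot traverse %s (mode %o)" % (uid, d, stat.S_IMODE(st.st_mode)))
    fname = os.path.join(path, ccd_filename(common_name))
    try:
        st = os.stat(fname)
    except FileNotFoundError:
        return problems + ["no CCD file %s (rejected under ccd-exclusive)" % fname]
    if not _allows(st, uid, gids, stat.S_IROTH):
        problems.append("uid %d cannot read %s (mode %o)" % (uid, fname, stat.S_IMODE(st.st_mode)))
    return problems


def demo_permissions():
    """Reproduce the recipe in a throwaway directory: chmod 700 locks out an
    unprivileged server process, 755/644 fixes it. Returns (before, after).
    The uid used is simply 'not the owner', which is all that matters here."""
    root = tempfile.mkdtemp()
    try:
        ccd = os.path.join(root, "clients")
        os.mkdir(ccd)
        ccd_file = os.path.join(ccd, ccd_filename("openvpnclient1"))
        with open(ccd_file, "w") as f:            # constructed CCD content
            f.write("ifconfig-push 192.168.200.50 255.255.255.0\n")
        os.chmod(ccd, 0o700)
        os.chmod(ccd_file, 0o600)
        other_uid = os.getuid() + 1               # stands in for 'nobody'
        before = ccd_problems(ccd, "openvpnclient1", other_uid, set(), check_parents=False)
        os.chmod(ccd, 0o755)
        os.chmod(ccd_file, 0o644)
        after = ccd_problems(ccd, "openvpnclient1", other_uid, set(), check_parents=False)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(ccd_filename(cn_from_subject("subject= /C=NL/O=Cookbook/CN=John Doe")))
    before, after = demo_permissions()
    print("chmod 700:", before)
    print("chmod 755:", after)
```

On a real server, call ccd_problems with the uid and group ids from the user and group directives of the server configuration and leave check_parents at its default, so that a non-traversable parent directory (a common surprise with /root or a 700 home directory) is reported as well.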


How to read the OpenVPN log files

Troubleshooting an OpenVPN setup often comes down to reading and interpreting the OpenVPN log file correctly. In this recipe, no new features of OpenVPN will be introduced, but a detailed walk-through of an OpenVPN log file will be given. The setup from the recipe Troubleshooting MTU and tun-mtu issues earlier in this article will be used as a starting point.

Getting ready

Use the same setup as in the recipe Troubleshooting MTU and tun-mtu issues earlier in this article. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 13 Linux and OpenVPN 2.1.1. Keep the configuration file, basic-udp-server.conf, at hand. For the client, keep the configuration file, example7-5-client.conf, from the recipe Troubleshooting MTU and tun-mtu issues at hand.

How to do it...

  1. Start the server using the configuration file basic-udp-server.conf:
    [root@server]# openvpn --config basic-udp-server.conf
  2. Next, start the client with an increased verbosity setting and without timestamps in the log file:
    [root@client]# openvpn --config example7-5-client.conf \
        --verb 7 --suppress-timestamps
    The connection will initiate, but it will not be possible to send large packets.
  3. Trigger an error by typing:
    [client]$ ping -c 1 192.168.200.1
    [client]$ ping -c 1 -s 1450 192.168.200.1
  4. Abort the client. The log file will have become large quite quickly.
  5. Open the log file using a text editor and browse through it. An explanation of the general structure of the log file is given in the next section.

How it works...

The first part of the log file contains the configuration as specified in the configuration file and from the command-line parameters. This is the section starting with:
Current Parameter Settings: config = 'example7-5-client.conf'
It ends with the following line:
OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 5 2010
This section is about 250 lines long depending on the configuration and it contains what OpenVPN thinks is the configuration. Check this section carefully to make sure that you agree.
The next interesting section is:
Control Channel Authentication: using '/etc/openvpn/cookbook/ta.key' as a OpenVPN static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Outgoing Control Channel Authentication: HMAC KEY: 51cc24c0 ...
Outgoing Control Channel Authentication: HMAC size=20 ...
Incoming Control Channel Authentication: Using 160 bit ...
Incoming Control Channel Authentication: HMAC KEY: 1c748f91 ...
Incoming Control Channel Authentication: HMAC size=20 ...
This part shows that a tls-auth key is read and used, and that two separate HMAC keys are derived from it. The keys are actually printed in the log file, so you can cross-reference them with the server log: the server's incoming key should be the same as the client's outgoing key and vice versa. The misconfiguration from the recipe Key mismatches earlier in this article would have shown up here as two keys that do not correspond. For the same reason, treat a log at this verbosity as sensitive material: it contains key fragments, so it should not be posted to a mailing list or attached to a bug report without redaction.
Right after this section is the warning that is the root cause of the misconfiguration from the recipe Troubleshooting MTU and tun-mtu issues earlier in this article:
WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Log file messages starting with WARNING should always be given special attention. In some cases they can be ignored, but in this case the warning points at the root cause of the VPN connection not working properly.
After this warning come a whole range of messages of the following form:
UDPv4 WRITE [50] to server-ip:1194: P_ACK_V1 kid=0 pid=[ #74 ] [ 37 ]
UDPv4 READ [108] from server-ip:1194: P_CONTROL_V1 kid=0 pid=[ #73 ] [ ] pid=38 DATA len=66
These messages are all part of the initial handshake between the client and the server to exchange configuration information, encryption keys, and other information for setting up the VPN connection. Right after this is another hint about the misconfiguration:
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1441', remote='link-mtu 1541'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1500'
We skip forward over a lot of TLS_prf messages to come to the processing of the configuration directives pushed by the server:
PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.200.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.200.2 255.255.255.0'
This is another important line to check for, as it shows what the server has actually pushed to the client. Verify that this actually matches what you thought the server should push.
After this, the local TUN adapter is opened and initialized and the first packets can begin to flow.
The first ping command worked fine, as we can see from this part:
TUN READ [84] ...
UDPv4 WRITE [125] to server-ip:1194: P_DATA_V1 kid=0 DATA len=124
UDPv4 READ [125] from server-ip:1194: P_DATA_V1 kid=0 DATA len=124
TLS: tls_pre_decrypt, key_id=0, IP=server-ip:1194
TUN WRITE [84]
The TUN READ is the ping command being read from the TUN interface, followed by a write over the encrypted channel to the remote server. Notice the difference in packet size: the packet sent over the encrypted tunnel is 125 bytes, which is 41 bytes larger than the original packet read from the TUN interface. This exactly matches the difference between the link-mtu and tun-mtu as shown earlier in the log file.
Next comes the section where the ping -s 1450 breaks down. A ping of 1450 bytes cannot be read in one piece if the MTU of the interface is set to 1400, hence two TUN READS are necessary to capture all data:
TUN READ [1396] ...
UDPv4 WRITE [1437] to server-ip:1194: P_DATA_V1 kid=0 DATA len=1436
TUN READ [102] ...
UDPv4 WRITE [141] to server-ip:1194: P_DATA_V1 kid=0 DATA len=140
Notice that the data is actually sent as two separate packets to the server. This is perfectly normal behaviour, as the packet needs to be fragmented. Calculation of the packet sizes versus the MTU sizes breaks down in this case, as the second packet is not a complete IP packet.
The server receives the large ping command and sends an equally large reply. As the server has an MTU setting of 1500, there is no need to fragment the data, so it arrives at the client as a single packet:
UDPv4 READ [1441] from server-ip:1194: P_DATA_V1 kid=0 DATA len=1440
TLS: tls_pre_decrypt, key_id=0, IP=server-ip:1194
Authenticate/Decrypt packet error: packet HMAC authentication failed
The client, however, is expecting a packet with a maximum size of 1400 bytes. It is not able to properly decode the larger packet and writes out the packet HMAC authentication failed message.
Finally, when we abort the client (in this case, Ctrl-C was used), we see an interrupted system call message, followed by a range of clean-up messages before the client actually stops:
event_wait : Interrupted system call (code=4)
PID packet_id_free
...
TCP/UDP: Closing socket
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 192.168.200.2/24
PID packet_id_free
SIGINT[hard,] received, process exiting
If the client configuration had included:
user nobody
Then we would also have seen messages of the form:
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Linux ip addr del failed: external program exited with error status: 255
In this case, these are harmless.
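The size arithmetic in this recipe can be checked mechanically. The script below is an added example, not part of the cookbook; it assumes the OpenVPN 2.1 defaults the log implies (BF-CBC with an explicit 8-byte IV, SHA1 HMAC, a 4-byte packet-id, PKCS#7 padding and the 1-byte P_DATA_V1 opcode), under which 41 bytes is the worst-case per-packet overhead and the three wire sizes quoted above (125, 1437 and 141) all come out exactly. The sample log is constructed from the excerpts quoted in the recipe.

```python
import re

# Per-packet data-channel overhead for the OpenVPN 2.1 defaults assumed here
# (assumption: BF-CBC with explicit 8-byte IV, SHA1 HMAC, 4-byte packet-id,
# PKCS#7 padding, 1-byte P_DATA_V1 opcode).
OPCODE, PACKET_ID, IV, BLOCK, HMAC = 1, 4, 8, 8, 20


def max_overhead():
    """Worst-case bytes added to a TUN packet: 1+4+8+8+20 = 41 = link-mtu - tun-mtu."""
    return OPCODE + PACKET_ID + IV + BLOCK + HMAC


def expected_udp_size(tun_len):
    """Size on the wire of a tun_len-byte packet read from the TUN device."""
    plain = PACKET_ID + tun_len
    padded = (plain // BLOCK + 1) * BLOCK        # PKCS#7 always adds 1..BLOCK bytes
    return OPCODE + IV + padded + HMAC


RE_MTU_WARN = re.compile(
    r"^WARNING: '(tun-mtu|link-mtu)' is used inconsistently, "
    r"local='\S+ (\d+)', remote='\S+ (\d+)'")
RE_TUN_READ = re.compile(r"^TUN READ \[(\d+)\]")
RE_UDP_WRITE = re.compile(r"^UDPv4 WRITE \[(\d+)\] .*P_DATA_V1")
RE_HMAC_FAIL = re.compile(r"packet HMAC authentication failed")


def analyse(lines):
    """Walk --verb 7 client log lines and account for every TUN READ -> UDPv4 WRITE pair."""
    report = {"mtu": {}, "packets": [], "hmac_failures": 0}
    pending = None                               # size of the last TUN READ not yet sent
    for line in lines:
        m = RE_MTU_WARN.match(line)
        if m:
            report["mtu"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = RE_TUN_READ.match(line)
        if m:
            pending = int(m.group(1))
            continue
        m = RE_UDP_WRITE.match(line)
        if m and pending is not None:
            udp = int(m.group(1))
            expected = expected_udp_size(pending)
            report["packets"].append((pending, udp, expected, udp == expected))
            pending = None
            continue
        if RE_HMAC_FAIL.search(line):
            report["hmac_failures"] += 1
    return report


def diagnose(report):
    """Turn the report into the findings a reviewer of the log would note down."""
    findings = []
    for name, (local, remote) in sorted(report["mtu"].items()):
        findings.append(f"{name} mismatch: local {local}, remote {remote}")
    if report["mtu"].get("tun-mtu") and report["hmac_failures"]:
        findings.append("HMAC failures with mismatched tun-mtu: the peer sends packets "
                        "larger than this side can decode; align tun-mtu on both sides")
    bad = [p for p in report["packets"] if not p[3]]
    if bad:
        findings.append(f"{len(bad)} packet(s) do not match the assumed cipher/HMAC overhead")
    return findings


# Constructed sample, assembled from the log excerpts quoted in the recipe above.
SAMPLE_LOG = """\
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1441', remote='link-mtu 1541'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1500'
TUN READ [84]
UDPv4 WRITE [125] to server-ip:1194: P_DATA_V1 kid=0 DATA len=124
UDPv4 READ [125] from server-ip:1194: P_DATA_V1 kid=0 DATA len=124
TUN WRITE [84]
TUN READ [1396]
UDPv4 WRITE [1437] to server-ip:1194: P_DATA_V1 kid=0 DATA len=1436
TUN READ [102]
UDPv4 WRITE [141] to server-ip:1194: P_DATA_V1 kid=0 DATA len=140
UDPv4 READ [1441] from server-ip:1194: P_DATA_V1 kid=0 DATA len=1440
Authenticate/Decrypt packet error: packet HMAC authentication failed
""".splitlines()


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for tun, udp, exp, ok in rep["packets"]:
        print(f"TUN {tun:5d} -> UDP {udp:5d} (expected {exp:5d}) {'ok' if ok else 'MISMATCH'}")
    for finding in diagnose(rep):
        print("finding:", finding)
```

Run it against a real client log captured with --verb 7 --suppress-timestamps; a packet flagged MISMATCH means the cipher or HMAC in use differs from the defaults assumed here.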

There's more...

On UNIX-based operating systems, it is also possible to send the OpenVPN log output via syslog. This allows a system administrator to effectively manage a large set of computers using a single system logging interface. To send log messages via syslog, replace the directive log-append with:
syslog [name]
Here, name is an optional parameter to specify the name of the OpenVPN instance in the syslog log files. This is particularly useful if there are multiple instances of OpenVPN running on a single host and they are all using syslog to log their output and error messages.

Summary

This article on routing gives an insight into troubleshooting routing problems when setting up a VPN using OpenVPN. You learned how to detect, diagnose, and repair common routing issues.

Tuesday, March 29, 2011

Qmail-Scanner With ClamAV And SpamAssassin On Ubuntu


In continuation of my document http://www.howtoforge.com/qmail-openldap-on-ubuntu about setting up qmail-ldap on Ubuntu, this document will help you to set up Qmail-Scanner with the ClamAV antivirus and the SpamAssassin spam filter on your qmail server.

Introduction

Qmail-Scanner is an add-on that enables a Qmail email server to scan email for certain characteristics. It is typically used for its anti-virus and anti-spam protection functions, in which case it is used in conjunction with external scanners. It also enables a site (at a server/site level) to create "Policy blocks": i.e. react to email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.EXE attachments even in a zip file).
Its archival features help ISPs and corporations around the world meet new or pending legislation and regulatory requirements. It can archive all processed email into an archive maildir, which is ideal for backup or audit-policy purposes. Unlike certain Windows-based server solutions, the mail envelope headers (the "rcpt to:" and "mail from:" headers) are kept intact, appended to the bottom of each message, confirming the true sender and destination addresses. Archiving also supports filtering to a subset of addresses (e.g. only archive "support@domain.name" emails instead of all).
We will bind SpamAssassin and ClamAV to Qmail-Scanner. SpamAssassin is an open source mail filter, written in Perl, that identifies spam using a wide range of heuristic tests on mail headers and body text. It can also use some useful plugins such as Pyzor, Razor, and DCC. ClamAV will scan mail messages for viruses.

Installation

We will install and configure Qmail-Scanner, ClamAV and SpamAssassin with the plugins Pyzor, Razor, and DCC.

Clam Antivirus

ClamAV is an open source antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates.

Download

Download latest version from http://downloads.sourceforge.net/project/clamav:
wget http://nchc.dl.sourceforge.net/project/clamav/clamav/0.97/clamav-0.97.tar.gz

Install and Configure ClamAV

cd /download
tar zxvf clamav-0.97.tar.gz
useradd -c "Qmail-Scanner Account" -s /bin/false qscand
cd clamav-0.97
./configure --with-user=qscand --with-group=qscand
make && make install
ldconfig -v
Now edit its configuration files as follows:
vi /usr/local/etc/clamd.conf
#Example
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 20M
LogTime yes
LogClean yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /usr/local/share/clamav
LocalSocket /var/run/clamav/clamd.cl
MaxConnectionQueueLength 30
User qscand
MaxThreads 20
Scanmail yes
Now, create some directories with the ownership of qscand:
mkdir /var/run/clamav
chown -R qscand.qscand /var/run/clamav
mkdir /var/log/clamav
chown -R qscand.qscand /var/log/clamav
chmod -R 755 /var/log/clamav
ClamAV is now installed. Start the daemon:
/usr/local/sbin/clamd &
vi /usr/local/etc/freshclam.conf
#Example
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
DatabaseOwner qscand
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
DatabaseMirror db.in.clamav.net
NotifyClamd /usr/local/etc/clamd.conf
Save and exit.
freshclam -v
crontab -e
25 1 * * * /usr/local/bin/freshclam -l /var/log/clamav/freshclam.log

SpamAssassin

SpamAssassin is a mail filter to identify spam. It is an intelligent email filter which uses a diverse range of tests to identify unsolicited bulk email, more commonly known as Spam. These tests are applied to email headers and content to classify email using advanced statistical methods.

Install and configure SpamAssassin

apt-get install spamassassin libdigest-sha1-perl libnet-dns-perl libmail-spf-query-perl libgeo-ip-perl libnet-ident-perl libio-socket-ssl-perl libio-socket-inet6-perl perl-modules
groupadd spamd
useradd -g spamd -s /bin/false spamd
vi /etc/default/spamassassin
ENABLED=1
OPTIONS=" --user-config --username=spamd --max-children 5 --debug --helper-home-dir=/home/spamd"
vi /etc/mail/spamassassin/local.cf
required_score 5.0
dns_available yes
use_pyzor 1
use_razor2 1
use_bayes 1
bayes_auto_learn 1
bayes_file_mode 0700
include /etc/mail/spamassassin/autowhitelist
bayes_path /etc/mail/spamassassin/.spamassassin/bayes
bayes_auto_learn_threshold_nonspam       0.1
bayes_auto_learn_threshold_spam         12.0
ok_languages en hi
ok_locales en
Now start up SpamAssassin...
/etc/init.d/spamassassin start
Now add some plugins..

Razor

cd /downloads/
wget "http://citylan.dl.sourceforge.net/project/razor/razor-agents/2.85/razor-agents-2.85.tar.bz2"
wget 'http://citylan.dl.sourceforge.net/project/razor/razor-agents-sdk/2.07/razor-agents-sdk-2.07.tar.bz2'
tar xvf razor-agents-sdk-2.07.tar.bz2
cd razor-agents-sdk-2.07
perl Makefile.PL
make
make test
make install
cd /downloads/
tar xvfj razor-agents-2.85.tar.bz2
cd razor-agents-2.85
perl Makefile.PL
make
make test
make install
Make sure your firewall is allowing port tcp/2703.
razor-admin -home=/home/spamd/.razor -create
razor-admin -home=/home/spamd/.razor -register
razor-admin -home=/home/spamd/.razor -discover

DCC

cd /downloads/
wget http://www.rhyolite.com/anti-spam/dcc/source/dcc.tar.Z
tar xvfz dcc.tar.Z
cd dcc-1.3.120/
./configure
make && make install
Make sure your firewall is allowing port udp/6277.

Pyzor

cd /downloads/
wget http://space.dl.sourceforge.net/project/pyzor/pyzor/0.5.0/pyzor-0.5.0.tar.gz
tar xvf pyzor-0.5.0.tar.gz
cd pyzor-0.5.0
python setup.py build
python setup.py install
python -c 'import gdbm' && echo 'gdbm found'
Run the next command to complete pyzor installation.
pyzor --homedir /home/spamd discover
vi /etc/mail/spamassassin/v310.pre
Enable (uncomment) the line:
loadplugin Mail::SpamAssassin::Plugin::DCC
spamassassin --lint

Qmail-Scanner

cd /downloads/qmailrocks
tar xvfz qmail-scanner-1.25.tgz
tar zxvf qms-analog-0.4.2.tar.gz
cd qms-analog-0.4.2
make all
cp qmail-scanner-1.25-st-qms-20050219.patch ../qmail-scanner-1.25/
cd ../qmail-scanner-1.25
patch -p1 < qmail-scanner-1.25-st-qms-20050219.patch
vi qms-config
./configure --domain yourdomain.com \
--admin postmaster \
--local-domains "yourdomain.com" \
--add-dscr-hdrs yes \
--dscr-hdrs-text "X-Antivirus-YOURDOMAIN" \
--ignore-eol-check yes \
--sa-quarantine 0 \
--sa-delete 0 \
--sa-reject no \
--sa-subject ":SPAM:" \
--sa-alt yes \
--sa-debug yes \
--sa-report yes \
--notify "psender,admin" \
--redundant yes \
--unzip yes \
--qms-monitor no \
"$INSTALL"
chmod 755 qms-config
./qms-config
If configuration is ok then...
./qms-config install
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
vi /var/qmail/bin/qmail-scanner-queue.pl
msg_size > 500000
chown -R qscand:qscand /var/spool/qmailscan
vi /service/qmail-smtpd/run
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE
Now restart your qmail server and see if everything works...

Installation Of PlaySMS And SMS Server Tools 3 On Debian Server


This tutorial will show you how you can set up an SMS server on Debian with playsms and smstools. In my example I have used an old Nokia 5140i with a USB datacable.
What we need before we start is apache2, mysql server, php5, lynx, wget, curl.
Now we install updates, and install dependencies:
apt-get update
apt-get upgrade
apt-get install apache2 mysql-server php5 php5-cli php5-cgi php-pear php-db phpmyadmin make gcc sendmail lynx wget curl
Now create a password for mysql root user, and remember it.

Installing playsms

adduser playsms
mkdir -p /var/www/playsms
mkdir -p /var/spool/playsms
mkdir -p /var/log/playsms
chown -R www-data /var/www/playsms
chown -R www-data /var/spool/playsms
chown -R www-data /var/log/playsms
Next, download the latest version of playSMS; find it at http://sourceforge.net/projects/playsms/ or grab my URL:
wget http://downloads.sourceforge.net/project/playsms/playsms/Version%200.9.5.2/playsms-0.9.5.2.tar.gz
This will extract playsms to /usr/local/src.
tar -zxvf playsms-0.9.5.2.tar.gz -C /usr/local/src
Now go to the following folder:
cd /usr/local/src/playsms-0.9.5.2/web
Now run the following commands (type the MySQL root password when you are asked for it):
cp -rR * /var/www/playsms
chown -R www-data /var/www/playsms
mysqladmin -u root -p create playsms
And now we import the playSMS database schema into MySQL; remember to change the path if you install another version. Type the MySQL root password when you are asked for it.
mysql -u root -p playsms < /usr/local/src/playsms-0.9.5.2/db/playsms.sql
Here we will make the config file, you have to fill out the fields:
cd /var/www/playsms
cp config-dist.php config.php
nano config.php
So it looks like this (replace 'my_password_for_mysql_root_user' with your password, and do not remove ' '):

// PHP PEAR DB compatible database engine:
// msql, mssql, mysql, oci8, odbc, pgsql, sqlite
$core_config['db']['type'] = 'mysql';        // database engine
$core_config['db']['host'] = 'localhost';    // database host/server
$core_config['db']['port'] = '3306';        // database port
$core_config['db']['user'] = 'root';        // database username
$core_config['db']['pass'] = 'my_password_for_mysql_root_user';    // database password
$core_config['db']['name'] = 'playsms';        // database name
$core_config['db']['pref'] = 'playsms';        // table's prefix without trailing underscore


// SMTP configuration
$core_config['smtp']['relm'] = ''; // yes, not realm, its relm
$core_config['smtp']['user'] = '';
$core_config['smtp']['pass'] = '';
$core_config['smtp']['host'] = 'localhost';
$core_config['smtp']['port'] = '25';


// Do not change anything below this line unless you know what to do

// -----------------------------------------------------------------

// you can turn on or off PHP error reporting
// on production level you should turn off PHP error reporting (set to 0), by default its on

//error_reporting(0);
//error_reporting(E_ALL ^ (E_NOTICE | E_WARNING | E_DEPRECATED));
error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));

// logs directories
$apps_path['logs']    = '/var/log/playsms';

// log level: 0=disabled, 1=info, 2=warning, 3=debug, 4=verbose

// WARNING: log level 3 and 4 will also save sensitive information such as the password for the gateway used
$core_config['logstate']    = 0;

// 0 for single session login; 1 for multi session login
// multi session login is not secure because playsms leaves md5 crypted username and password

// on admin's computer
$core_config['multilogin']    = 0;

// are we using http or https ? the default is using http instead https
$core_config['ishttps']        = false;

?>
Now run the following commands:
cd /usr/local/src/playsms-0.9.5.2/bin
cp playsmsd playsmsd.php playsmsd_start /usr/local/bin/
cp playsms /etc/default/
Now we have to make sure that the program starts every time the system boots; do the following:
nano /etc/init.d/rc.local
Add on the bottom of the file (before exit if there's an exit command). This way playsmsd_start will start automatically on boot. Save and exit.
.... last line ....

/usr/local/bin/playsmsd_start

Install smstools

cd
wget http://smstools3.kekekasvi.com/packages/smstools3-3.1.14.tar.gz
tar -zxvf smstools3-3.1.14.tar.gz -C /usr/local/src
cd /usr/local/src/smstools3
make
make install
Now we make playsms and smstools work together:
cd /usr/local/src/playsms-0.9.5.2
cp contrib/smstools/smsd.conf /etc/
Now we have to edit the config file.
My Nokia 5140i with USB data cable is detected as ttyUSB0, so I don't have to edit the port, but if your phone is detected as something else, change it on line 27 to e.g. ttyUSB1 or ttyACM0.
nano /etc/smsd.conf
My config file looks like this:
# Global configuration
devices = modem1
loglevel = 4
logfile = /var/log/sms/smstools.log
outgoing = /var/spool/sms/outgoing
checked = /var/spool/sms/checked
failed = /var/spool/sms/failed
incoming = /var/spool/sms/incoming
sent = /var/spool/sms/sent
delaytime = 6
errorsleeptime = 12
blocktime = 180
autosplit = 3
receive_before_send = yes
# Modem configuration
# iTegno 3000 USB
[modem1]
#init =
device = /dev/ttyUSB0
incoming = yes
#pin =
baudrate = 115200
Now run the following commands:
mkdir -p /var/spool/sms/checked
mkdir -p /var/spool/sms/failed
mkdir -p /var/spool/sms/incoming
mkdir -p /var/spool/sms/outgoing
mkdir -p /var/spool/sms/sent
mkdir -p /var/log/sms
chown -R www-data /var/spool/sms
update-rc.d sms3 defaults
Browse http://your-server-ip/playsms/ and log in using default administrator user:
Username: admin

Password: admin
Click Gateway, click Manage smstools, click (click here to activate).
Your server is now up and running, ready to be used.

Set Up OpenVPN Server With Authentication Against OpenLDAP On Debian 6.0 (Squeeze)


OpenVPN, or Open Virtual Private Network, is a tool for creating networking "tunnels" between and among groups of computers that are not on the same local network. This is useful if you have services on a local network and need to access them remotely but don't want these services to be publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
The OpenLDAP backend of iRedmail allows you to integrate all kinds of applications and to realize centralized account management. This tutorial shows you how to integrate OpenVPN into the iredmail ldap backend on Debian 6.0; passwords will be stored in ldap and you can change passwords through webmail.
This tutorial is based on Debian 6.0, so I suggest you set up a minimal Debian 6.0 system with SSH; make sure you install all updates. Install iredmail 0.7.0 and choose openldap as backend, as shown in this tutorial:

1 Install OpenVPN

Install OpenVPN and ldap support:
apt-get install openvpn openvpn-auth-ldap
Install dnsmasq. To forward DNS traffic through the VPN you will need the dnsmasq package:
apt-get install dnsmasq

2 easy-rsa

The OpenVPN package provides a set of encryption-related tools called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory.
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

Configure Public Key Infrastructure Variables

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use when generating the certificates. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file; edit that file according to your environment. Here is an example of the relevant values:
[...]
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="iRedMail"
export KEY_EMAIL="www@example.com"

Initialize the Public Key Infrastructure (PKI)

Issue the following commands in sequence to initialize the certificate authority and the public key infrastructure:
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
source ./vars
./clean-all
./pkitool --initca

Generate Certificates

With the certificate authority generated you can generate the private key for the server. This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. To accomplish this, issue the following command:
./pkitool --server server

Generate Diffie Hellman Parameters

The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:
./build-dh

Relocate Secure Keys

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
These files don't need to leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured.

3 Configure OpenVPN Support For LDAP Auth

Find cn=vmail password

The vmail password was randomly created during the iRedMail installation. You can find it in /etc/postfix/ldap/virtual_mailbox_domains.cf:
cat /etc/postfix/ldap/virtual_mailbox_domains.cf
[...]
bind_dn         = cn=vmail,dc=example,dc=com
bind_pw         = 4LFqZFiT6yx8oP7R2BctvUSLpYWRdJ #cn=vmail password
[...]

Configure OpenVPN auth OpenLDAP

Issue the following two commands in sequence to create the /etc/openvpn/auth folder and copy the example files of OpenVPN auth LDAP to the /etc/openvpn/auth directory.
mkdir /etc/openvpn/auth
cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth
Now edit /etc/openvpn/auth/auth-ldap.conf.

# LDAP server URL
URL             ldap://127.0.0.1
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN                cn=vmail,dc=example,dc=com
# Bind Password cn=vmail password
Password      4LFqZFiT6yx8oP7R2BctvUSLpYWRdJ

# Network timeout (in seconds)
Timeout         15
# Base DN
BaseDN          "o=domains,dc=example,dc=com"
# User Search Filter
SearchFilter    "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
# Require Group Membership
RequireGroup    false

4 Configuring OpenVPN

We'll now need to configure our server file. There is an example file in the /usr/share/doc/openvpn/examples/sample-config-files directory. Issue the following sequence of commands to retrieve the example configuration files and move them to the required directories:
cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -d server.conf.gz
cp server.conf /etc/openvpn/
Now edit /etc/openvpn/server.conf:
[...]
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
[...]
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 10.8.0.1"
[...]
## Add these lines at the bottom
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
client-cert-not-required


5 Enable VPN Service For Mail User

Use phpLDAPadmin or other tools to add LDAP values for existing mail users.
Log into phpLDAPadmin.
Find the existing mail user www@example.com.
Enable the VPN service for the user www@example.com.


6 Enable IP Forwarding And Configure iptables

Edit the /etc/sysctl.conf file to modify the following line to ensure that your system is able to forward IPv4 traffic:
[...]
#net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[...]
Issue the following command to ensure that your system is able to forward IPv4 traffic:
echo 1 > /proc/sys/net/ipv4/ip_forward
Edit /etc/default/iptables and add the below. Let iptables open port 1194.
[...]
#openvpn
-A INPUT -p udp -m multiport --dport 1194 -j ACCEPT
[...]
Issue the following commands to add the forwarding and NAT rules for the current session:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that they are recreated after your next reboot:
#!/bin/sh
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0

7 Restart Related Services

We need to restart all related services to make the configuration work.
/etc/init.d/slapd restart
/etc/init.d/openvpn restart
/etc/init.d/iptables restart

8 Client Settings

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/keys
Edit the client.ovpn file to modify the following line:
[...]
# Add the vpn server
remote mail.example.com 1194
[...]
# Comment out the two lines below
#cert client.crt
#key client.key
[...]
# Add this line at the bottom
auth-user-pass
Copy the client.ovpn and ca.crt files to your client system. Also you can use mutt to send the files to your mailbox. You can log into your email account and download the files.
apt-get install mutt zip
cd /etc/openvpn/easy-rsa/2.0/keys
zip config.zip client.ovpn ca.crt
mutt -s "OpenVPN client config files" www@example.com -a /etc/openvpn/easy-rsa/2.0/keys/config.zip < /usr/share/doc/openvpn/README

Installing OpenVPN GUI On Windows XP / Vista / Windows 7

Download the client software here: http://openvpn.net/index.php/open-source/downloads.html. After installation, put the client.ovpn and ca.crt files to C:\Program Files\OpenVPN\config.
IMPORTANT NOTE FOR VISTA and Windows 7 USERS:
Note that on Windows Vista and Windows 7, you will need to run the OpenVPN GUI with administrator privileges, so that it can add routes to the routing table that are pulled from the OpenVPN server. You can do this by right-clicking on the OpenVPN GUI desktop icon, and selecting "Run as administrator".
Now you can use the account www@example.com to connect to the vpn.

Now you can access the Internet through VPN; you can check on http://www.whatismyip.com if the IP address is the server IP address.

9 Troubleshooting

Before you troubleshoot, you can try to restart the server and check whether it works then.
To enable ldap logging, edit /etc/ldap/slapd.conf:
[...]
loglevel    256 # <-- change from 0 to 256
[...]

Separate OpenVPN Log

By default, log messages go to syslog. We use the "log" directive to override this by changing /etc/openvpn/server.conf.
Issue the following command to create log files and set the right permissions:
touch /var/log/openvpn.log
chown nobody.nogroup /var/log/openvpn.log
Edit /etc/openvpn/server.conf:
[...]
user nobody
group nogroup
[...]
log    /var/log/openvpn.log

Restart the related services.
/etc/init.d/slapd restart
/etc/init.d/openvpn restart
Monitor the log:
# tail -0f /var/log/openldap.log
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 ACCEPT from IP=127.0.0.1:42020 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 ACCEPT from IP=127.0.0.1:42021 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND anonymous mech=implicit ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 BIND dn="mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1001 fd=19 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1000 fd=15 closed
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 ACCEPT from IP=127.0.0.1:42022 (IP=0.0.0.0:389)
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 op=2 UNBIND
Sep 20 06:01:22 li163-121 slapd[3846]: conn=1002 fd=15 closed
# tail -0f /var/log/openvpn.log
Mon Sep 20 06:01:20 2010 MULTI: multi_create_instance called
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Re-using SSL/TLS context
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 LZO compression initialized
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Local Options hash (VER=V4): '530fdded'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 20 06:01:20 2010 211.99.216.18:50094 TLS: Initial packet from [AF_INET]211.99.216.18:50094, sid=216fe588 ae0a6a58
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 TLS: Username/Password authentication succeeded for username 'www@example.com'
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 [] Peer Connection Initiated with [AF_INET]211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: Learn: 10.8.0.10 -> 211.99.216.18:50094
Mon Sep 20 06:01:22 2010 211.99.216.18:50094 MULTI: primary virtual IP for 211.99.216.18:50094: 10.8.0.10
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 20 06:01:23 2010 211.99.216.18:50094 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
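The slapd log above is easier to read once it is grouped per connection: the plugin binds as the service DN (cn=vmail), searches BaseDN with SearchFilter, and then binds as the user's DN with the password the VPN client supplied. The following script is an added example, not from the tutorial; it reconstructs that flow from loglevel 256 lines, and its constructed sample contains the successful login shown above plus two failure cases (a wrong password, which slapd reports as err=49 invalidCredentials, and an account without enabledService=vpn, for which the search returns nentries=0 and no user bind follows).

```python
import re
from collections import defaultdict

SERVICE_DN = "cn=vmail,dc=example,dc=com"
USER_DN = "mail=www@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com"
SEARCH_FILTER = "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

RE_CONN = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
RE_BIND = re.compile(r'^op=(\d+) BIND dn="([^"]+)" method=')
RE_SRCH = re.compile(r'^op=(\d+) SRCH base="([^"]+)" .*filter="([^"]+)"')
RE_SEARCH_RESULT = re.compile(r"^op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)")
RE_RESULT = re.compile(r"^op=(\d+) RESULT .*err=(\d+)")


def parse(lines):
    """Group slapd stats lines: conn id -> op id -> what the op was and how it ended."""
    conns = defaultdict(dict)
    for line in lines:
        m = RE_CONN.search(line)
        if not m:
            continue
        ops, rest = conns[int(m.group(1))], m.group(2)
        if (b := RE_BIND.match(rest)):
            ops[int(b.group(1))] = {"kind": "BIND", "dn": b.group(2)}
        elif (s := RE_SRCH.match(rest)):
            ops[int(s.group(1))] = {"kind": "SRCH", "base": s.group(2), "filter": s.group(3)}
        elif (r := RE_SEARCH_RESULT.match(rest)):
            op = ops.setdefault(int(r.group(1)), {"kind": "SRCH"})
            op["err"], op["nentries"] = int(r.group(2)), int(r.group(3))
        elif (r := RE_RESULT.match(rest)):
            ops.setdefault(int(r.group(1)), {"kind": "?"})["err"] = int(r.group(2))
    return conns


def auth_attempts(conns, service_dn=SERVICE_DN):
    """Every BIND that is not the plugin's own service bind: (conn, user dn, outcome)."""
    out = []
    for conn in sorted(conns):
        for opid in sorted(conns[conn]):
            op = conns[conn][opid]
            if op.get("kind") == "BIND" and op["dn"] != service_dn:
                err = op.get("err")
                out.append((conn, op["dn"], LDAP_ERR.get(err, f"err={err}")))
    return out


def user_searches(conns):
    """(filter, nentries) per SRCH; nentries=0 means the filter excluded the account,
    for example because enabledService=vpn was never added to it."""
    return [(op["filter"], op.get("nentries"))
            for c in sorted(conns) for op in conns[c].values() if op.get("kind") == "SRCH"]


def _l(conn, rest, ts="Sep 20 06:01:22"):
    """Build one slapd log line in the format shown in the tutorial (constructed sample)."""
    return f"{ts} li163-121 slapd[3846]: conn={conn} {rest}"


SAMPLE_LOG = [
    # Taken from the slapd log shown above: one successful VPN login.
    _l(1000, f'op=0 BIND dn="{SERVICE_DN}" method=128'),
    _l(1000, 'op=0 RESULT tag=97 err=0 text='),
    _l(1000, f'op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="{SEARCH_FILTER}"'),
    _l(1000, 'op=1 SEARCH RESULT tag=101 err=0 nentries=1 text='),
    _l(1001, f'op=0 BIND dn="{SERVICE_DN}" method=128'),
    _l(1001, 'op=0 RESULT tag=97 err=0 text='),
    _l(1001, 'op=1 BIND anonymous mech=implicit ssf=0'),
    _l(1001, f'op=1 BIND dn="{USER_DN}" method=128'),
    _l(1001, 'op=1 RESULT tag=97 err=0 text='),
    _l(1001, 'op=2 UNBIND'),
    # Constructed: same user, wrong password (LDAP result 49 = invalidCredentials).
    _l(1003, f'op=0 BIND dn="{SERVICE_DN}" method=128', "Sep 20 06:05:01"),
    _l(1003, 'op=0 RESULT tag=97 err=0 text=', "Sep 20 06:05:01"),
    _l(1003, f'op=1 BIND dn="{USER_DN}" method=128', "Sep 20 06:05:01"),
    _l(1003, 'op=1 RESULT tag=97 err=49 text=', "Sep 20 06:05:01"),
    # Constructed: account without enabledService=vpn, so the filter matches nothing.
    _l(1004, f'op=0 BIND dn="{SERVICE_DN}" method=128', "Sep 20 06:06:30"),
    _l(1004, 'op=0 RESULT tag=97 err=0 text=', "Sep 20 06:06:30"),
    _l(1004, f'op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="{SEARCH_FILTER}"', "Sep 20 06:06:30"),
    _l(1004, 'op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=', "Sep 20 06:06:30"),
]


if __name__ == "__main__":
    conns = parse(SAMPLE_LOG)
    for conn, dn, outcome in auth_attempts(conns):
        print(f"conn={conn} user bind {dn}: {outcome}")
    for flt, n in user_searches(conns):
        print(f"search {flt}: {n} entr{'y' if n == 1 else 'ies'}")
```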

10 Links