Tunneling OpenVPN Through SSH

I have recently discovered that it is fairly easy to tunnel OpenVPN through SSH. This is useful if you are behind a restrictive firewall that uses SPI (stateful packet inspection) to block services rather than plain old port blocking. An SPI firewall inspects the traffic itself and can tell one protocol from another without relying solely on the port in use, so simply moving OpenVPN to a different port will not get past it. You can, of course, get a much more in-depth and accurate account of what SPI does and doesn’t do from Wikipedia; however, that isn’t really the purpose of this post.

You’ll need root access to the OpenVPN server, as you have to change the server config file.

So, on to the technical part of the procedure. You need to do the following:

  1. Set the OpenVPN server config file to use TCP rather than UDP. This is done by changing the line proto udp to proto tcp in the server config file (normally located at /etc/openvpn/server.conf), then restarting the OpenVPN service so the change takes effect.
  2. Set the OpenVPN client config file to use TCP rather than UDP. You can do this by changing the line proto udp to proto tcp-client in the client config file.
  3. Change the OpenVPN client config to connect to localhost rather than the remote server address. This is done by changing the “remote” line of the client config to remote localhost 1194.
  4. Create an SSH tunnel between the client machine and the OpenVPN server, forwarding localhost:1194 on the client to localhost:1194 on the server. This can be done by running the following command on the client machine (assuming you’re running Linux/Unix with the OpenSSH client binary installed):
     ssh user@server -L 1194:localhost:1194

All being well, after making those config file changes and creating your SSH tunnel, you’ll be able to start the OpenVPN client and it will connect to the server through the SSH tunnel.

It’s not the ideal solution: there is a lot more overhead when running OpenVPN in TCP mode, and even more when tunnelling TCP over TCP, which is what you’re doing by sending VPN traffic through an SSH tunnel (when packets are lost, both TCP layers retransmit and back off, so throughput can collapse under load). However, needs must, and this is one way of getting round an SPI firewall when SSH connections are allowed.
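The following script is an added example and is not part of the original post: it applies the config changes from the four steps above mechanically and opens the SSH forward. The file names client.ovpn and server.conf, the SSH target user@vpn.example.com and port 1194 are assumed placeholders. It uses 127.0.0.1 rather than “localhost” on both ends of the forward, since “localhost” may resolve to ::1 first on a modern system and the forward is only bound on IPv4 loopback.

```sh
#!/bin/sh
# Added example (not from the original post): generate the config changes the
# post describes and open the SSH forward. client.ovpn, server.conf,
# user@vpn.example.com and port 1194 are assumed placeholders.
set -eu

PORT="${VPN_PORT:-1194}"

# Client side: "proto udp" -> "proto tcp-client", and any "remote <host> <port>"
# line -> "remote 127.0.0.1 $PORT" so OpenVPN dials the local end of the
# forward. 127.0.0.1 is used instead of "localhost" because the latter may
# resolve to ::1 first, where nothing is listening.
tcp_client_config() {
    awk -v port="$PORT" '
        /^proto[ \t]+udp/ { print "proto tcp-client"; next }
        /^remote[ \t]+/   { print "remote 127.0.0.1 " port; next }
        { print }
    ' "$1"
}

# Server side: "proto udp" -> "proto tcp", plus "local 127.0.0.1" so the TCP
# listener is reachable only through SSH. The "local" line is an added
# hardening choice, not one of the post's steps; drop it if the server must
# keep accepting clients directly.
tcp_server_config() {
    awk '
        /^proto[ \t]+udp/ { print "proto tcp"; print "local 127.0.0.1"; next }
        { print }
    ' "$1"
}

# Open the forward: 127.0.0.1:$PORT on the client -> 127.0.0.1:$PORT on the
# server. -N: no remote shell; -f: background once authenticated;
# ExitOnForwardFailure: exit non-zero if the local port is already taken
# instead of leaving an SSH session with no forward. $1 is user@host.
start_tunnel() {
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${PORT}:127.0.0.1:${PORT}" "$1"
}

# Usage: sh ovpn-over-ssh.sh client.ovpn user@vpn.example.com
# Only runs when both arguments are given, so the functions above can be
# sourced or tested without side effects.
if [ "$#" -eq 2 ]; then
    tcp_client_config "$1" > client-ssh.ovpn
    start_tunnel "$2"
    exec openvpn --config client-ssh.ovpn
fi
```

Run tcp_server_config over server.conf on the server (as root) and restart OpenVPN there first; the script only rewrites the client side and opens the tunnel. Check the forward is up with `ss -ltn` or `netstat -an` before starting OpenVPN: you should see a listener on 127.0.0.1:1194 on the client.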

Dedicated to VPS Migration

If you’re reading this, then my blog has successfully been migrated to a different server!

I decided that it didn’t make much sense to have my old dedicated server any more, now that I’ve got a VPS node – so I spun up a Debian instance, set up nginx, mysql and php-fcgi, and started migrating my sites over. So far, it’s been a great experience – there have been no issues, and I’m pretty sure that the site is much, much faster. Just try out the search function!

I’m also hosting the previously mentioned VPS wiki on this machine, and have plenty of resources left to host several more dynamic sites.

I hope to do a quick writeup for the VPS wiki in the near future.

GNUPanel on Debian Squeeze

I was recently playing around with the “GNUPanel” Hosting control panel software. While trying to install the dependencies (with the install-dep.sh file), I encountered the error:

Debian version not supported

Even though the GNUPanel site seemed to say that Debian Squeeze was supported.

A quick look at the install-dep.sh file showed that it relied on the mawk Unix utility.

By running apt-get install mawk, we can solve this problem and continue with the installation.


UPDATE:

I’ve now had a chance to play around with GNUPanel a bit more, and unfortunately, I don’t think it’s fully up to scratch. The installation process was pretty clunky – the automated install script forced me to manually confirm the installation of at least 10 groups of packages. Once the software was installed, I had to guess at the username – and the web interface was also pretty “ropey”. These are mainly minor issues, and I’m sure that with some TLC, the project can progress and become much more usable.

VPS Wiki

I have recently started work on what is currently called “VPS Wiki”.

The aim of the Wiki is to provide a centralised location for information about using Linux, performing general sysadmin duties, as well as some programming basics. I think the site will naturally change in time – It might lean more strongly towards a particular topic. If that happens, then I will rename the site – I thought “VPS Wiki” was a good starting point, especially given my recent venture.

Some people might think “What’s the point in this – can’t people just google for the answer?”. However, because technology is rapidly changing, I find that it can be difficult to find relevant, up-to-date solutions to problems that I encounter. I think having a central database of useful content could be very handy.

I’d really appreciate any contributions towards the wiki – at the moment, you need an account to edit/create pages. You can check the Wiki out here.

Getting into VPS Hosting…

So, I have taken things a step further. I started off being interested in buying VPS machines – I then turned to low end Dedicated Servers, and now, I’m dabbling in hosting my own VPS machines.

To start off with, I am doing this not for profit. I will not be offering any formal support for my customers, and have negotiated a deal with RapidSwitch, who are providing me with a discount (because I’m not making any money from it). I will be offering OpenVZ VMs to people on my University course for £5.00/m, with the following spec: 18GB hard disk space, 400MB RAM, 128MB vSwap, and 750GB bandwidth.

I’ve chosen to use the OpenVZ Web Panel control panel software, as it is easy to use and free.

If this is a successful endeavour, then I may go on to provide commercial VPSs to customers. Who knows!

You can probably expect some OpenVZ/CentOS based posts in the not too distant future…


UPDATE:

I had to go with SolusVM, due to OWP’s lack of bandwidth tracking. This meant increasing the price by £0.50 to £5.50/m – however, I think the users are probably getting a slightly better experience with the commercial control panel.

iTunes and DTrace

Earlier today, I was using iotop to check the disk activity for the processes on my machine, and immediately started seeing the following error (or variations on this error):

dtrace: error on enabled probe ID 5 (ID 992: io:mach_kernel:buf_strategy:start): invalid user access in action #3 at DIF offset 0

I thought my SSD was dying (it’s something I fear!). However, after some messing around I discovered that iotop doesn’t work while iTunes is running, because Apple have changed DTrace so that it refuses to trace iTunes: iotop is a DTrace script, and its probes hit the error above whenever iTunes does I/O rather than firing normally. Quitting iTunes sorted the problem for me. There is more about this “quirk” here: http://www.securitypronews.com/insiderreports/insider/spn-49-20080124AppleAlteredDTraceToolSaysLeventhal.html

Diaspora* Pod

So, I’ve set up a Diaspora* pod. Diaspora* is a service similar to twitter/facebook, but with (at least) one crucial difference. Rather than being run by one big company which has control over everyone’s data, many nodes (known as pods) are run by groups or individuals. Depending on how you see it, this could mean that your data is more secure – if you trust the owner of the pod, then you know that your information will not be sold or traded with anyone. I’m not expecting everyone in the world to abandon other social media sites – but it’s something you can try out if you’re interested. There is a lot more information about Diaspora* here.

I have recently acquired a few domain names, one of which is 23p.net. While this doesn’t really mean anything, I have decided to use it as the name of my Diaspora* pod because it is short, and easy to remember.

I hope to do a more technical writeup soon, but in the mean time, why not check it out? My Diaspora Username is josephredfern@23p.net.

LogBox

So, I’ve decided to try and publish more things to GitHub this year – starting with LogBox. LogBox will hopefully soon become a collection of scripts that can be used to monitor the performance of websites hosted on shared hosting servers. At the moment, LogBox contains only the one script, which goes by the name of “loadavg”. If you’ve ever used a *nix machine before, you’ll probably know what the load average is – it is a measure of how busy the system is (the average number of processes waiting to run), usually reported over the last 1, 5 and 15 minutes.

The loadavg script will check the load average of the server which it is being run on, and if the reported load averages cross a certain threshold, then a warning email will be sent to an email address of your choice. In addition to this, the current load averages will be logged to a MySQL Database.

The script is designed to be run as a cronjob (which most shared hosts support) – however, if cron is not available then it is possible to use “fakecron”, which is available here: http://quirm.net/2008/10/02/fake-cron/.
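Below is an added example of a load-average monitor of the kind described above; it is not LogBox’s own loadavg script. The threshold, the e-mail recipient, the mail(1) command, the MySQL database name logbox, the credentials file ~/.logbox.cnf and the table loadavg are all assumed placeholders. Two details worth copying on a shared host: the values read from the system are validated as plain decimals before they are placed in a shell string or an SQL statement, and the database password is read from a file rather than passed on the command line, where ps(1) and cron’s output mail would expose it.

```sh
#!/bin/sh
# Added example (not LogBox's own code): a minimal load-average monitor in the
# style the post describes. Threshold, recipient, DB name/table and the
# credentials file are assumed placeholders; adjust them to your host.
set -eu

THRESHOLD="${LOAD_THRESHOLD:-4.0}"
MAILTO="${LOAD_MAILTO:-admin@example.com}"

# Print "1min 5min 15min". /proc/loadavg exists on Linux; fall back to
# parsing uptime(1) elsewhere (e.g. a BSD-based shared host).
read_loadavg() {
    if [ -r /proc/loadavg ]; then
        awk '{ print $1, $2, $3 }' /proc/loadavg
    else
        uptime | sed 's/.*load averages*: *//; s/,/ /g' | awk '{ print $1, $2, $3 }'
    fi
}

# Accept only a plain decimal number (e.g. 0.42, 12, 3.) before the value is
# interpolated into a shell string or an SQL statement; anything else is
# rejected so a broken or hostile source cannot smuggle in syntax.
is_number() {
    case "$1" in
        ''|*[!0-9.]*|.|*.*.*) return 1 ;;
    esac
    return 0
}

# Return 0 if any of the three averages ($1 $2 $3) is above threshold ($4).
# The comparison is done in awk because sh has no floating-point arithmetic.
load_exceeds() {
    awk -v a="$1" -v b="$2" -v c="$3" -v t="$4" \
        'BEGIN { exit (a + 0 > t || b + 0 > t || c + 0 > t) ? 0 : 1 }'
}

# Record the sample in MySQL. Credentials come from a mode-0600 options file
# (assumed ~/.logbox.cnf containing [client] user=... password=...), never
# from the command line. Database and table names are placeholders.
log_to_mysql() {
    mysql --defaults-extra-file="$HOME/.logbox.cnf" logbox -e \
        "INSERT INTO loadavg (host, one, five, fifteen) VALUES ('$(hostname)', $1, $2, $3)"
}

main() {
    set -- $(read_loadavg)
    [ "$#" -eq 3 ] || { echo "could not read load average" >&2; exit 2; }
    for v in "$1" "$2" "$3"; do
        is_number "$v" || { echo "bad load value: $v" >&2; exit 2; }
    done
    log_to_mysql "$1" "$2" "$3"
    if load_exceeds "$1" "$2" "$3" "$THRESHOLD"; then
        printf 'Load on %s is %s %s %s (threshold %s)\n' \
            "$(hostname)" "$1" "$2" "$3" "$THRESHOLD" |
            mail -s "High load on $(hostname)" "$MAILTO"
    fi
}

# Run from cron, e.g.  */5 * * * * /path/to/loadavg.sh run
# Guarded so the functions can be sourced or tested without side effects.
if [ "${1-}" = "run" ]; then
    main
fi
```

Give the MySQL user in ~/.logbox.cnf INSERT rights on the one table and nothing else, so a compromised cron account on a shared host gains no more than the ability to write load samples.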

Click Here to check out LogBox on GitHub