Skip to content

How to Remove Malware and Viruses

Thanks to the people at MajorGeeks.com for this one. I’ve removed my share of viruses and malware in my day. This is the procedure I always use. I’ve been able to clean up some really nasty viruses, malware, and even rootkits by following these instructions so I though I’d share.

I recommend reading through all the instructions before getting started. At the end of the first page, there are links to operating system specific instructions. Make sure you follow the correct link when you get to that point. Good luck!

MajorGeeks surefire malware removal guide

Posted in Malware & Virus Removal, Windows.

Tagged with , , .

No comments

By jeremy December 16, 2010

Enhance Productivity and Achieve Cost Savings by Embracing the Cloud

If you’ve been reading business magazines or blogs over the past few years, you’ve undoubtably run across authors touting the benefits of embracing the cloud. In my experience talking with business owners, I’ve found that many of them have heard of the cloud, but very few have any idea of how to integrate it into their enterprise and achieve the much publicized cost savings.

The key to achieving success with the cloud is to know which systems will work well in the cloud and which will not. Certain software, such as client/server databases applications that make use of ODBC connections, will slow to the point of being unusable in the cloud. Others, such as email and web-based ERP systems will run beautifully. Let’s examine several cloud-based systems that work well and save money.

Phone Systems

For businesses with less than 20 employees and a reliable internet connection, moving your private branch exchange (PBX) into the cloud can provide tremendous benefits and cost savings. A typical on-site PBX can range from a few thousand dollars on up to the tens of thousands. In addition, most PBX systems still use analog lines for external access, requiring several analog phone numbers or an expensive T1 circuit. Either of these options will cost from a few hundred to a few thousand dollars each month.

In contrast, cloud-based phone systems eliminate the costly capital expenditure of purchasing a PBX and the monthly recurring cost of analog lines or a T1. They work over your business’s broadband internet connection and provide many of the same features as an on-site PBX including extension transfers, auto attendant, direct inward dial numbers, voicemail, hunt groups, call-forwarding, call routing, and many others. The only up-front cost of the system is the phones, which range from $50 for a softphone to $500 for an executive Polycom or Cisco model.

There are a few downsides to cloud-based phone service. For one, if your Internet goes down, your phones are down as well. With most employees having cell phones as a backup, many business can work around this limitation. To avoid call quality problems, your broadband Internet router should be configured to give priority to voice traffic so web surfing and downloads don’t interfere with phone calls. Before making the switch to the cloud, speak with your IT service provider to determine if your Internet connection can handle the volume of call traffic. For businesses with less than 5 extensions, any DSL or cable should do. Once you get above that number, you’ll need to make sure you do your homework.

Even very small businesses can present a professional appearance over the phone and save hundreds or thousands of dollars a month by having their phone system to the cloud. Some vendors include:

Business Software

Over the past few years, the number of cloud offerings in the software as a service (SaaS) model has grown at a staggering rate. With the growth of early entrants such as salesforce.com, the market has exploded with new offerings. 37signals.com has a suite of business productivity apps that help small businesses and departments manage their customers and internal business processes. Google Docs offers a free Office suite that is often a viable substitute for Microsoft Office.

When considering moving to the cloud for business software, the key issues to consider are intellectual property and information portability.

First, intellectual property protection should be considered any time you are shopping for a cloud vendor. If you’re going to place your company’s IP crown jewels on a third party system, make sure they have the reputation and the ability to protect your data. If the company you are considering is local, ask for a tour of their data center. Ask if they are regularly audited and certified by an impartial expert. Find out what physical and logical separation exists between your data and the rest of their equipment and the Internet.

Secondly, make sure that information placed in a data center can be retrieved in the event of disaster, bankruptcy, or a breakdown in the relationship. Sometimes migrating your data into a SaaS system is a one way operation. It may not be easily retrievable. If things turn south, you may find yourself printing out hundreds of pages of data that need to be manually re-entered into another system. Worse, you may not be able to get to your data at all. Make sure you can get regular exports of your data and store them on a local system or encrypted portable hard drive.

Email

In the current state of affairs, email is the number one system to migrate to the cloud. Given the nature of email, (low bandwidth, not real-time, asynchronous) the requirements, (always on, business critical), and the nature of email administration (time consuming, high-skill) it makes perfect sense to move it out of your office and into the cloud.

There are currently two choices for cloud-based email, Google Apps and Hosted Exchange. POP3 is not cloud email since there is no ability to synchronize email between devices. IMAP email can provide some cloud-like functionality, but I do not recommend it because IMAP technology is not well defined or developed.

There are many providers of Hosted Exchange email, which is a Microsoft technology. Google is the only provider of Google Apps. You can get more information and read more about the pros and cons of each in my post Google Apps vs. Hosted Exchange.

When choosing a cloud email solution, you will want to consider how well it will support your mobile users. iPhone and Android users are able to receive near real-time email alerts on Google Apps and Hosted Exchange. Blackberry users will require an additional license or Blackberry Enterprise Server to achieve the same functionality.

Final Thoughts

The cost savings to be realized by migrating to the cloud are achieved by a reduced need for both infrastructure and labor. When doing net present value calculations, you should view it as not just one less server to purchase, but one less system to support. Any cloud system worth its salt will be nearly maintenance-free from an IT perspective. All patches and upgrades should flow transparently from the cloud vendor.

Which brings me to the downside of being in the cloud. There is a complete lack of control and often poor communication when things go wrong. System downtime may be unpredictable and it’s frustrating to have no ability to commit resources to getting things back online. Will the system be down for 10 minutes or 10 hours? The good news is cloud vendors know their reputation hangs in the balance when it comes to downtime and most companies do everything possible to avoid it.

There is no doubt that the cloud is the wave of the future. In the 1990′s, Sun Microsystems said “The Network is the Computer.” Twenty years later, that vision is finally becoming reality. With the recent developments in Google’s ChromeOS, the embrace of the cloud by Microsoft, and the move to high-speed 4G wireless networks, the vision of the always-on network is about to become a reality.

Posted in Cloud Computing.

Tagged with , , .

No comments

By jeremy December 13, 2010

Google Apps vs. Hosted Exchange

Cloud applications are increasingly seen as a way to save on IT infrastructure and labor costs. With low bandwidth requirements and high scalability, perhaps no application is better poised for complete migration to the cloud than email. Email management is a onerous time sink for most companies. A host of fixed costs, including hardware management, patches, SPAM filtering, mobile access, storage, backup, and a plethora of other issues can be eliminated by getting an email system out of the computer room and into a data center. By spreading these fixed costs across thousands or millions of email accounts, the cost per account is drastically reduced, resulting in savings for everyone in the value chain.

Two email systems that are making waves in the cloud are Google Apps and Hosted Exchange. Like any good competitors, both systems have their merits and both should be considered when evaluating cloud strategies for email.

Google Apps Hosted Exchange
25GB storage/user for $50/yr 25GB storage/user for $96/yr*
Hosted by Google Hosted by various providers
Mobile access included Mobile access extra
Accessible with a web browser via Gmail interface Accessible with a web browser via Outlook Web Access
Works with Outlook via Plugin Works natively with Outlook
Does not integrate with MS SharePoint Integrates with SharePoint

* Best price we’ve found from Sherweb. Other providers may charge more or less

Hosted Exchange is currently more expensive than Google Apps. This is the premium you pay for full integration with Outlook. I’ve been a Gmail user for years and I prefer the Gmail web interface to Outlook. If your users are already familiar with Gmail and willing to give up Outlook, Google Apps is very attractive. If Outlook integration is required, Google provides an Outlook plugin that makes Google Apps act like Exchange, but it has some limitations:

  • Google uses labels, which get correspond to folders in Outlook. Unfortunately labels and folders don’t always play well together. In Google, you can have multiple labels attached to a single email. An email can’t live in multiple folders in Outlook.
  • The Google Outlook plugin works fairly well, but it provides very little information as to what is happening. This can be frustrating if something goes wrong and you’re trying to debug it.
  • Not all Outlook features work through the plugin. For instance, away messages and email delegation cannot be configured through Outlook with the plugin. The user must go to the Gmail interface to configure these settings.

These limitations are usually not show stoppers, but it’s good to be aware of them before undertaking a migration to Google Apps.

If you choose Hosted Exchange, it’s critical that you choose your hosting company wisely. Exchange hosting has low barriers to entry and a company can be setup with minimal capital investment in a relatively short period of time. Consequently, some companies are not on the best financial footing and if you choose poorly, you my find your host closed and your email inaccessible. Do your homework when choosing a hosting provider.

Google Apps has the Google brand and company reputation behind it. With over three million businesses already on Google Apps, you can be confident it will be around for the foreseeable future.

Finally, before transitioning email to the cloud, make sure your existing systems will integrate with a hosted solution. Integrating a cloud solution with your Active Directory environment is critical to a successful transition. Without proper integration, users will have password synchronization issues, resulting in headaches for users and extra work for sysadmins. Both Google Apps and Hosted Exchange provide tools for synchronizing with Active Directory. Make sure you test this functionality before deployment.

Integration requirements with other Microsoft products may eliminate Google Apps as an option. Companies heavily invested in SharePoint or MS Project may find that Google Apps does not work with the email functionality of these products. For companies with very basic SharePoint setups, Google Sites (included with Google Apps) may be a valid substitute. A company called LTech has a piece of software that migrates from SharePoint to Google Sites called CloudMove. We have not tried it, but it may be worth looking at.

Email migration to the cloud is here and widespread adoption is already happening. Cost savings realized from infrastructure and labor reductions are compelling and IT managers will be hard pressed in the coming years to justify maintaining email systems in-house. For more information or help in your email to cloud migration strategy, contact us today.

Posted in Cloud Computing.

Tagged with , , .

1 comment

By jeremy October 29, 2010

BlueBear Kodiak

Recently, I was perusing the web in search of a good vSphere client replacement or solution for Linux or Mac OS X. I had come across many articles praising Kodiak, yet could not find myself an invite key anywhere. Kodiak uses Adobe AIR  to create a cross-platform comparable version of the VMware vSphere client. It seemed as though everyone had stopped talking about it as of late.

Not giving up, I emailed the head of BlueBear LLC, Matt Miller, in search of these elusive invites. Being the generous guy that he is, he gave me a bunch of invites to pass around to all who wish to have it.

## Update ##

It seems as though beta keys are no longer needed to access their application. Check it out here

Posted in Linux, VMware.

Tagged with , .

4 comments

By john December 28, 2009

Accessing User Profile Folders in Windows 2008 Server When Access is Denied

When you create a new user in Active Directory, Windows does not, by default grant permissions to the Administrators or Domain Admins group. This can make it difficult for administrators to determine the size of a user’s profile and also to debug any profile problems that may arise. To avoid this problem, create a GPO that grants privileges to the Administrators group when new profiles are created.

Open "Group Poloicy Management Console" in Administrative Tools
Create and link a GPO titled "User Profile Permissions for Administrators"
Open computer config>Admin Templates>System>User Profiles
Set the "Add administrators security group to roaming user profiles" to enabled

This will take effect on all accounts created after the GPO is in place. But what about existing accounts? This GPO will have no effect on them. The traditional solution has been to take ownership of the profile through advanced security settings. This has the unfortunate side effect of making the profile temporarily unreadable by the user. In addition, the administrator also has to correctly reset permissions and ownership on the profile when maintenance operations are completed.

Wouldn’t it be great if there was a way to grant administrators access to the profile without these nasty side effects? Thanks to Microsoft’s Sysinternals tools, there is.

First, download psexec. Next, use psexec to open a command prompt as the SYSTEM account. This is important, because by default, only the SYSTEM account and associated user account have access to the profile.

psexec.exe -i -s cmd.exe

The -i flag tells psexec to run the command interactively and the -s tells it to run as the SYSTEM user. In the newly popped command window,  cd to one level above the folder you wish to add permissions to. The command to modify permissions in Windows 2008 is Icacls. If your profiles are stored in D:\profiles, you would run the command like this:

d:\
cd \Profiles
Icacls * /grant "DOMAIN\Administrators":(oi)(ci)(f)

Viola, Administrators now have access to the profile folders while retaining all other permissions and ownership. As always, be extremely careful when running these commands. One typo, or misapplication could cause serious damage to your system.

Posted in Windows.

No comments

By jeremy September 14, 2009

Reinstalling Cisco VPN Client for Vista

While working with a Vista PC, I came across a problem where I was unable to install the VPN client, yet it had already been uninstalled.

Error 28000: Before installing the Cisco Systems VPN Client 5.0.01.0530. you must uninstall the previous version of Cisco Systems VPN Client, using the Add/Remove Program Files option in the Control Panel.  Then restart your system.

After extensive searching, we came across this article which sheds some light on the subject.

Basically you need to create a .ini file which has the same name as the installer, in this case vpnclient_setup.ini . Copy and paste the following text into the document, and make sure that your installer, product name  and  versions match up with values below. If they do not, change them as you see fit.

After that has been completed, then run the installer with the /quiet flag from the command line (Example: `c:\vpnclient_setup.msi /quiet` ). There will be no feedback, and the computer will restart automatically.

[WiseInstaller]
Runtime9XVersion=2.0.2600.2
RuntimeNTVersion=2.0.2600.2
ProductFile=vpnclient_setup.msi
ProductCode={14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}
ProductVersion=5.0.1
ProductName=Cisco Systems VPN Client 5.0.01.0600
Remove Previous=1
AdminError=You must have administrator rights to run this installation. Please login as an administrator and re-run this installation.
ExistError=%s Version %s is already installed. You must uninstall the existing version before installing %s Version %s. Do you want to uninstall the existing version of %s?
SpaceError=Could not create temporary file, not enough free temporary disk space. Please free up disk space and rerun this installation.
WiseInitPrefix=Initializing
WiseInitSuffix=Wizard…
WiseInitLangPrompt=
WiseInitLangDefault=English,1033
Runtime9X=instmsi.exe
RuntimeSize9X=1708856
RuntimeNT=instmsiw.exe
RuntimeSizeNT=1822520
DelayReboot=1

Original Article:

http://social.technet.microsoft.com/Forums/en-US/itprovistaapps/thread/f8e50899-4598-4f31-9802-15e46c7e827e

http://social.technet.microsoft.com/Forums/en-US/itprovistaapps/thread/f8e50899-4598-4f31-9802-15e46c7e827e

Posted in Networking, Windows.

No comments

By john July 17, 2009

Remote Uninstall of Symantec Endpoint Protection 11 with CleanWipe

Symantec Endpoint Protection 11 has got to be one of the worst anti-virus products ever produced. Not only is it a resource hog, but it also will fill your entire hard drive with virus definition updates. I recently switched a client from SEP 11 to Kaspersky, a much better product IMO, and needed to remotely uninstall SEP 11. I wrote a batch file to accomplish the removal of SEP. There are several things you need to make the batch file work:

  1. pstools from Microsoft – psexec is what we’ll be using
  2. Windows 2003 Resource Kit Tools – we’ll be using robocopy
  3. CleanWipe from Symantec – you’ll need to call Symantec support for this one

There may be other ways of getting CleanWipe, but I wouldn’t know about them.

Once you’ve got these tools, extract CleanWipe to a folder, say c:\utilities\cleanwipe. Create a file in that folder called remote_uninstall_sep.cmd and paste the following script into it:

@echo off
if “%1″ == “” goto error

“c:\Program Files\Windows Resource Kits\Tools\robocopy.exe” . \\%1\c$\temp\cleanwipe
psexec \\%1 -w c:\temp\cleanwipe cmd.exe /c runcleanwipe.bat -silent
psexec \\%1 -w c:\temp cmd.exe /c rmdir /s /q cleanwipe
echo “Cleanwipe is finished”
goto end

:error
echo “missing argument!”
echo “usage remote_uninstall_sep <machinename>”

:end

You can then run the script as follows:

c:\utilities\cleanwipe>remote_uninstall_sep machinename

You’ll see the files being copied over and then cleanwipe starts its magic. Once it’s complete, SEP should be gone and you can install the AV program of your choice.

Posted in Windows.

9 comments

By john March 19, 2009

Shell script to copy a virtual machine in VMWare Server

The following script make will copy one virtual machine to another with VMWare Server. Note that this script assumes vmware-vdiskmanager is in your path. Simply go to the directory where your VMs are located and issue this command:

% ./copyVM.sh OLDVM NEWVM

Script:

#!/bin/sh
cp -a $1 $2
cd $2
vmware-vdiskmanager -n $1.vmdk $2.vmdk
mv $1.vmsd $2.vmsd
mv $1.vmx $2.vmx
sed -i “s/$1/$2/” $2.vmx
rm -f *.log
cd ..

Posted in Linux.

No comments

By john February 21, 2008

Making PostfixAdmin and MySQL play nice with hashed passwords

I recently setup a Postfix email server more or less following this tutorial on Howto forge. One feature I desired as part of my setup was PostfixAdmin, a web interface that enables easy administration of Postfix.

PostfixAdmin has a database schema that is different from the one described in the tutorial, but altering the Postfix configuration given in the tutorial to mesh with the PostfixAdmin schema was easier than I thought. It was simply a matter of editing the mysql-virtual*.cf files in /etc/postfix to point to the correct tables and fields in the updated schema.

The problem I ran into when trying to get PostfixAdmin working with the tutorial configuration was that the PostfixAdmin password hashing routines were not compatible with the the MySQL ENCRYPT function or the pam_mysql.so hashing routines. This is because MySQL’s ENCRYPT function and pam_mysql.so use the UNIX crypt() function by default to hash passwords. The crypt hashing algorithm is system dependent, but on my Ubuntu Feisty server, it was using DES. The pacrypt() function in PostfixAdmin’s functions.inc.php file was hashing passwords with MD5.

To make pacrypt() use DES encryption and allow for compatibility with MySQL and PAM, open config.inc.php in the base PostfixAdmin directory. Find the option called $CONF['encrypt'] and make sure it’s set to ‘system’. Now open functions.inc.php and go to the pacrypt function. After the line

if ($CONF['encrypt'] == ‘system’)

Insert the following code:

if ($pw_db == “”)
{
$salt = substr(create_salt(), 0, 2);
}

You will also need to change the line

if (ereg (“\$1\$”, $pw_db))

to

elseif (ereg (“\$1\$”, $pw_db))

These changes cause pacrypt() to generate a two character salt, which will cause the PHP crypt() function to hash the password with DES. This ensures your PostfixAdmin installation will be compatible with the MySQL ENCRYPT function and also pam_mysql.so.

Posted in Linux.

1 comment

By john June 5, 2007

A routed VPN with DD-WRT and OpenVPN

A client of mine recently had need of a VPN link between their main office and a remote office. Based on previous experience, I decided the OpenVPN version of DD-WRT running on two low-cost routers would provide a cost-effective solution to the problem. My goal was to create a VPN that would allow systems on either side of the connection to have connectivity with systems on the other side, but not pass broadcast traffic. I also wanted the routers to automatically connect on startup and continually try to reconnect if Internet connectivity was lost. I couldn’t find any other documentation on the Interwebs that described this solution, so I decided to lay it out here on ShortBus.

Installing the Firmware
The first thing you will need is two routers capable of running DD-WRT. In my case, I chose two Buffalo WHR-G54S’s. Next, you will need to download the latest VPN version of DD-WRT. Make sure your get the right version for your brand of router. Finally, follow the firmware installation instructions making sure you check for any special procedure for your router. Buffalo routers require a unique procedure for the initial flash of DD-WRT.

The LAN subnets of the routers must be different for this configuration. This needs to be setup in the web interface of DD-WRT. For the purposes of this tutorial, the OpenVPN server subnet is 192.168.1.0/255.255.255.0 and the OpenVPN client subnet is 192.168.2.0/255.255.255.0

Creating OpenSSL Keys
The next step is to generate Public Key Infrastructure (PKI) certificates and keys for your routers. The easiest way to do this is to download a copy of OpenVPN onto your local system. If you use Ubuntu Linux, you can do this with

# apt-get install openvpn

The key generation scripts are located in /usr/share/doc/openvpn/examples/easy-rsa. cd there and follow the PKI generation instructions on the OpenVPN web site. You need to generate a client cert/key pair the server and one for each client. Be sure to give each client certificate a unique Common Name.

Creating the DD-WRT Startup Scripts
The procedure here is to generate the OpenVPN config files and cert/key files from the startup script in /tmp on each boot.

Replace the …INSERT YOUR OWN CONTENT HERE… with the certs/keys generated in the last section.

rc_startup – server

# all files will be created in /tmp
cd /tmp
openvpn –mktun –dev tun0
ifconfig tun0 10.8.0.1 netmask 255.255.255.0 promisc up

echo \”
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tun0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of –ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression
client-config-dir ccd
route 192.168.2.0 255.255.255.0
client-to-client
server 10.8.0.0 255.255.255.0
push \\\”route 192.168.1.0 255.255.255.0\\\”
push \\\”route 192.168.2.0 255.255.255.0\\\”

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer’s signed certificate
key server.key # Local peer’s private key
\” > openvpn.conf

echo \”
—–BEGIN CERTIFICATE—–
…INSERT YOUR OWN CONTENT HERE…
—–END CERTIFICATE—–
\” > ca.crt
echo \”
—–BEGIN RSA PRIVATE KEY—–
…INSERT YOUR OWN CONTENT HERE…
—–END RSA PRIVATE KEY—–
\” > server.key
chmod 600 server.key
echo \”
—–BEGIN CERTIFICATE—–
…INSERT YOUR OWN CONTENT HERE…
—–END CERTIFICATE—–
\” > server.crt
echo \”
—–BEGIN DH PARAMETERS—–
…INSERT YOUR OWN CONTENT HERE…
—–END DH PARAMETERS—–
\” > dh1024.pem

#Client routing setup
mkdir ccd
echo \”
iroute 192.168.2.0 255.255.255.0
\” > ccd/client1

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn –config openvpn.conf

This configuration file will allow clients on either subnet to see clients on the other subnet (see addendum at the end of this post for a problem I ran into with this). The push lines push the routes to each client. This allows for file sharing, client/server communication, etc. between subnets without passing broadcast traffic across the VPN, which it what would happen if we created a bridged connection with a tap interface. For more information on what each parameter does, see the openvpn man page or HOWTO.

In the second-to-last section

rc_startup – client

cd /tmp
openvpn –mktun –dev tun0

echo \”
# Tunnel options
client # Set OpenVPN major mode
dev tun0 # TUN/TAP virtual network device
proto udp # Setup the protocol (server)
remote <SERVER WAN ADDRESS> 1194 # TCP/UDP port number
resolv-retry infinite
nobind
daemon
persist-key
persist-tun
ca ca.crt # Certificate authority (CA) file
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo # Use fast LZO compression
verb 3 # Set output verbosity to n
\” > openvpn.conf

echo \”
—–BEGIN CERTIFICATE—–
…INSERT YOUR OWN CONTENT HERE…
—–END CERTIFICATE—–
\” > ca.crt

echo \”
—–BEGIN CERTIFICATE—–
…INSERT YOUR OWN CONTENT HERE…
—–END CERTIFICATE—–
\” > client1.crt

echo \”
—–BEGIN RSA PRIVATE KEY—–
…INSERT YOUR OWN CONTENT HERE…
—–END RSA PRIVATE KEY—–
\” > client1.key
chmod 600 client1.key

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn –config openvpn.conf

This client configuration will continuously retry to connect to the server. If the Internet connection goes down, the VPN link will reconnect when Internet connectivity is restored.

rc_firewall – client and server

/usr/sbin/iptables -I INPUT 2 -p udp –dport 1194 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT

The firewall rules can be used on both the client and server.

These files need to be saved in the router’s flash memory with the nvram set command. We will be saving rc_startup and rc_firewall scripts for both the server and client. Execute the commands below for both the client and server, pasting the appropriate file where indicated:

# nvram set rc_startup=”
><paste rc_startup here>
>”
# nvram set rc_firewall=”
><paste rc_firewall here>


>”
# nvram commit

Testing The Connection
This setup can be tested on a LAN by connecting the WAN ports of each router to your LAN switch. Enable remote administration in the DD-WRT web interface so you can login to both routers. Also, the LAN subnet you are testing on must not be the same as either of the router LAN subnets. In this case, it could be 192.168.10.0/255.255.255.0.

Once the startup scripts have been saved to flash memory, reboot both routers. SSH into both routers and check that openvpn is running with # ps | grep myvpn. If it is running, congratulations, you have a VPN link. If it is not running on one or both routers, uncomment the daemon line in /tmp/openvpn.conf and start openvpn manually with # /tmp/myvpn –config openvpn.conf. You should receive an error message on the console to help with debugging. I found it very handy to put OpenVPN in the background by issuing a CTRL-Z and then bg. This allows you to issue commands but still see any error messages echoed to the console. If your connection is established but you can’t ping across it, check the OpenVPN FAQ.

Conclusion
If you followed this correctly, you should now have a routed VPN network allowing systems on both the server and client side to ping and connect to systems on the other side.

Addendum
I did run into one strange problem that has me stumped. Routing from the server subnet (192.168.1.x) to the client subnet (192.168.2.x) does work correctly if the server is in daemon mode. If I take the daemon line out of the server configuration file and restart OpenVPN, packets are routed correctly. Routing from the client subnet to the server subnet works correctly either way. If anyone knows why this is, please leave a comment.

Posted in Linux, Networking.

No comments

By john May 7, 2007