For quite some time I’ve been making use of a dd-wrt modified linksys box on my home network as an openvpn endpoint so that when I’m out and about in the world, I connect the vpn, switch firefox to route through a squid proxy server on the home network and I’ve got a nice fairly secure web browsing setup. But, as they say there’s more than one way to skin a cat. And, that’s what I’ve played around with the last couple days. First off, I guess I should describe the concept. 1) Let’s say that you’re browsing the web at an open wireless access point and you don’t trust the network or 2) let’s say you need to be able to access an intranet web server that is not accessible from the internet side of a network or scenario 3) let’s say a web site is blocking access based on ip address (for instance say you’re behind the great firewall of xyz business/company)…. how can you still manage to access the web pages you want to 3,2) at all or 1) securely with as little snooping as possible.

All in all, this will make it possible to look as though you’re browsing the web from a different location than you really are and is also one way how to get around blocked websites. Now, it’s up to you to accept the responsibility for your actions if you use this to get around blocked sites

There are several ways you can do this. The first IS via openvpn and a web proxy like squid, but that’s a fair amount of setup for you on your home network to maintain browsing from outside – besides what if you’re home connection is down and you want a quick plan b?

Here’s one approach….

SSH – secure shell to the rescue…. from a console window make a secure connection to a secure shell server you have access to, with dynamic port forwarding enabled.

ssh -D 1080 username@hostyoucanaccess.com

go ahead and authenticate and then in your firefox settings, instruct firefox to browse through a SOCKS 5 server at localhost port 1080. (frankly, you could probably pick any higher port number if you like.)

(BTW if you want to get fancier with ssh you can pass any of the following:
-q :- be quiet – don’t output more information than necessary.
-T :- Do not allocate a pseudo tty – i.e. no login shell.
-f :- move the ssh process to background, as we don’t want to interact with this ssh session directly.
-N :- Do not execute remote command.
-n :- redirect standard input to /dev/null.

In addition on a slow line you can gain performance by enabling compression with the -C option.
)

I like to pull up my ip check page to verify which public internet address I’m browsing from. SO, now it’s as if you’re browsing the internet from your ssh server machine.

Now, if you needed to access an intranet page within the network that your secure shell server is hosted, you should be able to. It should behave actually just as though you were on the destination lan for everything within the web browser. If you wanted to get really fancy, you could probably set it as a system wide proxy and not have to manually configure your applications to tunnel through it.

It should be noted that your web traffic will only be encrypted between you and the remote ssh server. After that it leaves the pipe and will only be encrypted if you’re visiting encrypted sites.

Now, for reasons of very restrictive firewalls it might be nice if you knew of a ssh server listening on port 443 so that it would bypass even the most draconian restrictions. (BTW, that’s how I’ve previously setup openvpn connections – ports 53 udp or 80/443 tcp are good candidates – 53 udp because it’s dns and shouldn’t be blocked if they expect domain lookups to work, however… it’s typically unencrypted and might look suspicious – besides they may do internal dns so it’s not my first choice. Port 80 is a good candidate because if they allow outside world web access then you should be able to pass data, still port 80 is typically unencrypted and it might look a bit suspect. My preference then is port 443. It’s necessary for https: sites and is expected to be encrypted, so it makes a nice openvpn (or ssh) alternate port.

It’s also possible to tunnel your web traffic through something called tor to enhance your privacy on the internet and essentially make it appear as though you’re browsing the web from a location where you aren’t physically. So, if a forum is only allowing connections from ip address in Poland and you really want to connect you can configure tor to only use endpoints that are in Poland and all your web browsing bits will ping pong through several machines in an encrypted tunnel until they exit a machine in Poland and connect to the forum your trying to connect to. To use tor, you need to also install a proxy server like privoxy.

By the way, tor can be a slow network – they are typically fairly oversaturated, but there are some ways to get a faster link going by tweaking your torrc file. I should point out that it’s somewhat abusive of the tor network resources to try to suck down giant bittorrents through tor….

I should also mention that there is a great firefox plugin for managing your proxy settings. (It got to be a pain manually switching them, so you might look at foxyproxy. It let’s you configure multiple proxys and switch between them for all traffic, OR more interestingly using text matching it could allow you to use a proxy only for certain sites.

Also – Set your proxy server to resolve DNS requests instead of your computer; in Firefox’s about:config area, set network.proxy.socks_remote_dns = true.

(From what I see that is the default – either that or I’ve already been there and done that.)

Other links that may be interesting are :a site to check if you are using tor and an ip locator.

And if you’re command-line phobic on linux you might take a look at gnomes ssh tunnel manager (GSTM I think in packages.) Really whether you are comfortable at the command line or not, this looks like a neat, quick interface.

I’ve had a couple of small wireless projects lately and have really been having a great time playing around with the Linksys-Cisco WRT54GL Wireless-G Broadband Router and one of the many GREAT 3rd party firmwares dd-wrt. I know, for a couple years I’ve meant to get a hold of one of these little linksys boxes for testing. I had read about OpenWRT and found it an interesting idea. For those that don’t know, the original linksys wrt54g wireless routers were designed based around a customized linux firmware. What made this nice is linksys made the source code available for their firmware which made it a lot easier for others to improve upon linksys’ built in software.

So, where the original device may have had shortcomings in the software community members quickly started coming up with improvements. Well, somewhere along the line, linksys moved to a different embedded OS which allowed them to cut the memory use in half and get the boxes out a bit cheaper, but the continued to make the original device with the wrt54gl designation – the L supposedly denoting linux.

Some of these firmwares allow for features that are truly amazing out of these cheap network routers. (I should stop at this point to mention that it’s not just a linksys only party here, there are other brands, buffalo, acer, netgear among others that are supported.) In fact, dd-wrt’s support devices list is here. Some of these devices have usb ports, more memory, etc. which of course makes the potential for the device much greater.

So, what can you do?

For starters, my interest in the project was to run two SSID wireless networks off the same hardware. That is something that is just becoming easy to setup in the dd-wrt firmware with the V24 series of dd-wrt which is at release candidate stage. From what I saw it was easy to setup virtual SSID’s which allowed both wireless network names to share the same MAC address. This arrangement gave me a weekends worth of playing. (I was working with v 24 RC4 of dd-wrt, there are newer releases v 24 rc6.2 is out, but seemed to be a bit buggier.) The newer releases seem to implement making up a MAC address for the virtual SSID’s which should improve matters greatly. (All this depends on your hardware though – it looks as though the wrt54gl should support it.)

Here’s the problem I saw with virtual SSID’s and the same MAC address. Wireless clients would see either one or the other network each refresh of the list, connecting to one would then make connecting to the other more challenging. One scenario this could work is if you have an existing WEP network and want to upgrade to WPA. Set the WEP legacy network to not broadcast an SSID, allow the new WPA network to broadcast SSID and that would make for a decent transitional setup. Unfortunately I was setting up two new networks a WPA members only network and an open guest. With shared MAC addresses I saw no good way to accomplish this yet without lot’s of end user support. (Maybe when dd-wrt v24 is a bit more finished I’ll revisit.)

Okay, enough of the side trip… what can you do with this box. Besides the usual router possibilities, you can now setup virtual lans… do you need to divide users into several different isolated networks with a shared gateway to the internet? Okay, easily done. You can even setup dhcp to give out addresses to each network. (And firewall either both from each other or just one from the other.)

QOS – quality of service. Do you want to make sure the users of this device don’t eat up all your internet bandwidth? Easily setup with quality of service limits. Set the total bandwidth and then priority levels for each type of traffic (peer to peer, voip, web, smtp, etc.)

Open wireless access – there are several hotspot possibilities here, either with a roll your own captive portal implementation (or you could use the prefconfigured setup for nocatsplash which is just a single enter button.) Or, you can integrate with chilispot, or sputnik or other online services.

If your device has enough memory you can install other software on the box, from game servers, print server software, network tools, etc. With a usb port that means you could have a file server, print server, or scanner server.

Finally, I’ve got a setup that I’m happy with. I wound up using two of the boxes for ease of setup. (The recent release candidates did not seem to be stable enough in ALL areas for me to be really comfortable, so I used version 23.) I essentially setup a members only access point with WPA encryption that setup a vlan on one port of the switch which the guest network will plug into. The guest network will have open access, terms of use captive portal that redirects to a portal page of our choosing. (As well as having isolation between wireless users.) This way the internal members only network not only has WPA, but is firewalled off from the free wireless users. The guest access point has a strict bandwidth limit at around 1/3 of our total bandwidth to avoid disruption of the members only network from outside leeches… All in all, it has turned into a very nice setup. It has seemed quite stable so far and includes the option to schedule daily or weekly reboots if necessary.

Another plus to this is that when the newer firmware stablizes, if I want to upgrade I can just setup another box with the free firmware and when I have all the configuration done I can just swap the boxes. I now have a couple other projects lined up with the wrt54gl (including a replacement for a home firewall which I estimate will wind up saving a few dollars a month in power.)

First, I guess I should give a primer, what’s an RBL? RBL stands for Realtime Black List (or Realtime Block List depending on who you talk to.) The idea is there are machines that either 1) have no business DIRECTLY trying to deliver a mail message to a legitimate mail server or 2) are known to spew out junk mail, or viruses or other bad content. So, many service providers make use of blacklists to decline messages from suspect machines. In some cases these lists are cultivated in house, in other cases people make use of various publicly available lists online.

But…

These lists block IP addresses from sending mail, what if you’re webhost is simply forwarding mail on to your ISP account and the ISP then blames your webhost’s machine for this spam? Or more likely, what if your website is sharing an IP address with other websites (Name based hosting) and one of those is sending out junk. Or, even still… your ISP decides it’s time to launch a new outbound mail machine and they pull an address from a block of addresses that used to be reserved for dial up users. In any of these cases, the end result is your mail doesn’t get from point A (you) to point B (your recipient), and the machine along the way rejects the message.

So… several weeks ago I ran into problems with mail FROM bellsouth(at&t) mailservers getting blocked due to the ip’s of the mail servers formerly being in the dynamic ip space….

well I also ran into problems with AT&T (@bellsouth.net address) blocking inbound mail from a particular site and was lucky enough to be helped with the following link where you can request delisting from AT&T’s blacklist. It’s a handy link to have on hand. I’ve needed it once again for another site since the first inquiry I sent to AT&T.

I’ve got a home project to run more network cable here lately and found techtoolsupply to be an interesting resource for network and other cabling supplies. I don’t recall who I ordered from last time, it’s been several years (and those big spools of cable last for years unless you do a LOT of cabling.) On other notes…. There are many very good do it yourself wiring resources from electrical like this link to network wiring. Many people think that wireless means that it’s just backwards to install network cabling. (I don’t know how many people told me “why don’t you just use wireless” when I mentioned that when we built I wanted to get cat5 cable installed.) Well – here goes – wired is 1)faster and 2) more secure – yes I’ve heard of WPA for wireless, but my wired lan is between 10 and 100 times faster than my current wireless (yes, I’m running 802.11b still and an upgrade to the wireless wouldn’t get it up to the same speed yet either. then my wired network would be 2-20 times faster. (Of course that’s best case – clear line of sight to the wireless access point.)

I thought this writeup was interesting on the idea of using a web interface to customize a livecd. I’ve built a couple livecd’s (that I still use) for tech support, but I’m always thinking of one more tool that I’d like to have. After looking through their wizard it seems a bit limited in the granularity of what can be chosen (at least for what I’m thinking of.) But… it might introduce a new interest in the use of livecds.

I haven’t tried it yet, but there’s a “ready for primetime” open source x86 virtual machine program called virtualbox that’s just recently released version 1.5 It sounds pretty good. I’ve got a fair amount of disk images invested in vmware at the time so I don’t know if I would swap, but I want to look over the features and just see how it stacks up.

Along those lines… I saw someone mention seamless rdp with regards to virtualbox and had to have a look – basically you install seamless rdp on a windows xp or other remote access windows server, then you use rdesktop to connect to the machine specifying the path to the seamless rdp executable and you can get the single application window on your desktop instead of the full blown user interface. (Much like the way remote X applications work.) In fact you can redirect sound/etc and it works fairly well (although I’ve found programs that don’t work well with it too.) Here’s an example command line from the client…
rdesktop -A -s “c:\seamlessrdp\seamlessrdpshell.exe notepad” ipaddressofrdpserver

My server that I setup with mirrored hard drives has really been a fine machine, but I am missing one thing (optical drive.) This Lite-on SATA dvdrw might fit the bill ($32).

I found this link of plugins for wordpress to aid in multilingual site building. I’ve been experimenting with English/Spanish designs of one site I maintain using plain html (index.html.en index.html.es and the server gives the correct page depending on the browser localization. It seems as though there was an .htaccess change that I had to make as well although I don’t recall off the top of my head. (Maybe I can update if I read through it again.)

How many times have I seen the same chain email about who knows what… it always ends in something along the lines of “I don’t know if this is true, but I figure I don’t have anything to lose, so pass it along and let’s see what happens.” Computers were supposed to improve productivity, sometimes I think they’ve fueled other things though…. breakthechain.org is a good site to refer people to that forward messages to you that may be hoaxes or chains… some of them are real, some are hoaxes, some are absurd but why do we keep emailing them back and forth? Try to get some of your time back by sending folks to breakthechain.org

Of course, we’ve heard of skype, vonage, and our dsl/cable providers hawking VOIP. I thought I’d make a note of this one though as the name is a bit more obscure… packet8

I would dare say there are more than a couple people “out there” right now that are puzzled as to WHY some of their mail is bouncing back to them as being rejected. Right now I’m talking about Bellsouth / AT&T mail users…. it appears that this week AT&T is in the process of transitioning it’s outbound mail relays to a new address block. 207.115.11.51 – 207.115.11.56 – the names of these machines are fmailhost01.isp.att.net – fmailhost06.isp.att.net …. Yesterday I noticed 4/5/6 had been moved – today 3 has been moved over and I noticed only because a test message that I RUN through a (formerly) bellsouth system bounced back and made it through…. The problem is the address space that AT&T is making use of used to be in the dial up block of their service and SEVERAL online blacklists have not been notified of the change. It is not possible for an end user to FIX this problem, AT&T technicians need to contact http://www.au.sorbs.net/ (SORBS) Among other locations to help their customers. The only thing techs in control of individual mailservers can do is whitelist the new AT&T addresses. (Well you could disable whitelisting altogether, but that would probably be a big HELLO SPAM).

It may be even murkier a situation – they may using BOTH sets of IP addresses (old and new) for the time being… here are two log entries that would seem to confirm that…

Jul 25 16:47:09 xxxxx postfix/smtpd[7812]: disconnect from fmailhost03.isp.att.net[207.115.11.53]
Jul 25 16:47:09 xxxxx postfix/smtpd[7812]: connect from fmailhost03.isp.att.net[204.127.217.103]

Strange… They may have some scheme to help work around this – because the connect from the 204. address immediately followed a DNS block of the connect from the 207 range address.

Why do I always wind up being the one to discover problems? …. Today in checking mail I found a mail that had bounced back from one of my clients that uses bellsouth… Now bellsouth has recently been bought by AT&T and it appeared as though the mail had been rejected because the mailserver trying to deliver it was in an email blacklist. *(What – a bellsouth mailserver in a blacklist?) Well, we’ve gone through this before with some of the passive blacklists where people might relay junk through their isp, but… on searching the AT&T outbound mailserver 207.115.11.54 was in the dial up block lists at sorbs and nomorefun…. (as was 207.115.11.55) These seem to be the new fmailhost04.isp.att.net and fmailhost05.isp.att.net outbound mail machines.

So, if you send mail via the old bellsouth, new AT&T you have around a 2 out of 5 chance that your mail is going out through a blacklisted server (the 01-03 machines are in a different netblock.) Ah… just discovered 06 at 207.115.11.56 – so you might have a 50/50 chance at sending mail out through a blocked ip. Now that doesn’t mean that if your mail touches one of those machines it will automatically be rejected… only by those using sorbs or nomorefun blacklists and some only use blacklists to tag mail as junk, so your bellsouth mail may wind up in junk folders instead of rejected outright.

I’ve filed a delisting request at both the blacklists in question. (REALLY THIS IS SOMETHING AT&T SHOULD BE RESPONSIBLE FOR.) I’m afraid it would take me an hour through their tech support to get to somebody that had a CLUE as to what needed to be done though. (And I don’t think I can really stomach having someone tell me…. “I’m sorry sir, I can’t help you with your mail problem if your not sitting at a computer at the location using outlook or outlook express.” (I got that response once from bellsouth when I had a remote console open on a machine that was having trouble delivering mail and I was simply trying to verify outbound machine names such as mail.bellsouth.net, etc….)

Anyway, I don’t know when this started, but the first bounce I’ve noticed was this afternoon and the addresses were previously in the dynamic ip space. Maybe someone else online has noticed as well, but you would think if you were AT&T and provisioning a new mailserver you MIGHT contact maintainers of well publicized blacklists and say… “By the way, we’re about to put new mailservers online at the following IP’s….”

OK – just got the SORBS response back and basically the answer is NO -AT&T needs to contact SORBS

http://www.au.sorbs.net/faq/dul.shtml

–update — 7-25-07–

OK – I’m seeing fmailhost03.isp.att.net at 207.115.11.53 today – so I’m ASSUMING I’ll see 02 show up at 207.115.11.52 tomorrow – they must be making the changeover this week – that IP block is STILL on the blacklist and I’m WHITELISTING about 30 mailservers as fast as I can. –Sorry 30 was an exaggeration – 10 certainly isn’t though. (Didn’t help that the first time through I forgot there was an fmailhost06……)

Gee thanks ATT – didn’t have anything else to do….