PPTP VPN on Ubuntu 10.04 for your iPhone / iPad

Below are the steps necessary to connect your iPhone / iPad or any other computer via a PPTP VPN.

Why would I want to do this? For various reasons, such as allowing you to access information and servers that are behind a firewall, or maybe you just need to route traffic through different servers.

I’ve tested this on a 256mb Rackspace Cloud instance running Ubuntu 10.04 and with an iPhone and an iPad. Thanks to Yaniv for debugging the instructions.

Disclaimer: This is for educational uses only and I take no responsibility as to what you may do with it. The PPTP VPN setup via the instructions below has no encryption and uses the simplest and lowest form of password authentication. If you require stricter encryption and authentication methods you’ll need to read more about pptpd configuration.

Assumptions:

  • The instance you are using is blank, specifically with no firewall rules in iptables; otherwise, you’ll need to patch things up.
  • All commands assume you are currently the root user. If you logged in as root, that’s great. If not, run:
    sudo su
  • Instead of messing a lot with iptables commands, I’m using ufw (Uncomplicated FireWall). In general, to most people, it will be easier to manage and work with.

Setting up the PPTP Server

In general we are going to create a PPTP VPN that is very basic without encryption and with basic authentication security (not fancy authentication protocols). Since Rackspace Cloud instance has an external interface (eth0) that has the instance public IP and an internal interface (eth1) with an internal IP used to communicate with your other Rackspace Cloud server (if you have them), we’ll create an alias network interface card that will have some other set of internal ips, which will be given to the devices connected via the VPN.

  1. Install the necessary software (pptpd, pptp-linux, ppp and ufw – for firewall):
    apt-get install pptpd pptp-linux ppp ufw
  2. Enable port 22 (ssh) in the firewall, so we don’t get locked out of our instance:
    ufw allow 22
  3. Enable port 1723 (pptpd) in the firewall to enable access to the pptpd daemon:
    ufw allow 1723
  4. Enable ufw:
    ufw enable
  5. Add an aliased network interface card (eth0:0): (We use the address space of 192.168.88.0/24 since it’s usually free for most networks for most users. You can feel free to change this address if it is already taken)
    Edit /etc/network/interfaces:

    nano /etc/network/interfaces

    Enter the following text at the end of the file:

    auto eth0:0
    iface eth0:0 inet static
    address 192.168.88.1
    netmask 255.255.255.0
    gateway (same value as listed for eth0)
    dns-nameservers (same value as listed for eth0)

    Replace the value of “gateway” with the same value you will see in this file for “eth0”, the real public network interface.
    Replace the value of “dns-nameservers” with the same value you will see in this file for “eth0”.

  6. Configure the pptpd daemon:
    Edit /etc/ppp/pptpd-options:

    nano /etc/ppp/pptpd-options

    Comment out (add a “#” char at the start of the line) the following lines:
    “refuse-pap”
    “refuse-chap”
    “refuse-mschap”
    “refuse-mschap-v2”
    “require-mppe-128”
    Replace “#ms-dns 10.0.0.1” with “ms-dns 8.8.8.8”
    Replace “#ms-dns 10.0.0.2” with “ms-dns 8.8.4.4”

    The last 2 lines above set the DNS servers the devices connecting to your PPTP VPN will use. The addresses above are for the Google Public DNS servers, but they can be any other DNS server (including the same DNS servers that Rackspace or your hosting provider use).

    Edit /etc/pptpd.conf :

    nano /etc/pptpd.conf

    Add at the bottom of the file:

    localip 192.168.88.1
    remoteip 192.168.88.2-20

    The value of “remoteip” will be the set of IP addresses the devices connecting to the VPN will get upon successful connection. Currently, we have here 18 addresses, which is enough for 18 concurrent devices. You can make this range bigger if needed.

  7. Configure the username and password that will be used to authenticate clients accessing the VPN:
    Edit /etc/ppp/chap-secrets:

    nano /etc/ppp/chap-secrets
    # client server secret IP addresses
    [UserName] pptpd [Password] *

    Replace [UserName] with the username you wish to use.
    Replace [Password] with the password you wish to use (I suggest a long random password. Try this generator)

  8. Enable IP forwarding in the kernel:
    Edit /etc/sysctl.conf :

    nano /etc/sysctl.conf

    Uncomment the line “net.ipv4.ip_forward=1”
    For IPv6, uncomment “net.ipv6.conf.all.forwarding=1”

  9. Enable IP forwarding in ufw:
    Edit /etc/default/ufw:

    nano /etc/default/ufw

    Change the value of “DEFAULT_FORWARD_POLICY” from “DROP” to “ACCEPT”

  10. Add IP masquerading rule in ufw, so that NAT will work and devices connecting to the VPN will be seen as if the traffic goes out of the VPN server:
    Edit /etc/ufw/before.rules:

    nano /etc/ufw/before.rules

    Paste the text below after the header and before the “*filter” rules:

    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]

    # Allow forward traffic from eth0:0 to eth0
    -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE

    # don’t delete the ‘COMMIT’ line or these nat table rules won’t be processed
    COMMIT

  11. Reboot the machine, cross your fingers and hope for the best :-)
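As an added example (not part of the original post), here is a POSIX shell script that renders the fragments from steps 5, 6, 7 and 10 into text you can compare against your own files, and includes a small audit function for /etc/ppp/pptpd-options that reports whether the refuse-* and require-mppe-128 lines have been commented out, i.e. whether the server is in the unencrypted, weak-authentication state this post sets up. The user name and password values are placeholders, the gateway and DNS values are passed in as arguments since they have to be copied from your eth0 stanza, and nothing is written under /etc.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the config fragments
# described in the PPTP steps and audits a pptpd-options file for the weakened
# settings. Nothing here writes under /etc; redirect the output yourself.

VPN_NET="192.168.88"                 # address space used in the post
PPTP_USER="${PPTP_USER:-vpnuser}"    # placeholder username
PPTP_PASS="${PPTP_PASS:-changeme}"   # placeholder; use a long random password

# eth0:0 alias stanza for /etc/network/interfaces. Gateway and DNS are
# arguments because the post says to copy them from the existing eth0 stanza.
render_interface() {
    gw="$1"; dns="$2"
    printf 'auto eth0:0\niface eth0:0 inet static\n'
    printf 'address %s.1\nnetmask 255.255.255.0\n' "$VPN_NET"
    printf 'gateway %s\ndns-nameservers %s\n' "$gw" "$dns"
}

# Address pool lines for /etc/pptpd.conf (server .1, clients .2 through .20).
render_pptpd_conf() {
    printf 'localip %s.1\nremoteip %s.2-20\n' "$VPN_NET" "$VPN_NET"
}

# One client entry for /etc/ppp/chap-secrets; "*" allows any client address.
render_chap_secrets() {
    printf '# client\tserver\tsecret\tIP addresses\n'
    printf '%s\tpptpd\t%s\t*\n' "$PPTP_USER" "$PPTP_PASS"
}

# Copy a before.rules file ($1) to $2, inserting the nat table block from
# step 10 just before the first "*filter" line. The insertion happens once.
insert_nat_block() {
    awk -v net="$VPN_NET" '
        /^\*filter/ && !done {
            print "# nat Table rules"
            print "*nat"
            print ":POSTROUTING ACCEPT [0:0]"
            print "-A POSTROUTING -s " net ".0/24 -o eth0 -j MASQUERADE"
            print "COMMIT"
            print ""
            done = 1
        }
        { print }' "$1" > "$2"
}

# Audit a pptpd-options file. Returns 0 when every hardening line is still
# active (uncommented), 1 when at least one has been commented out, which is
# the unencrypted, PAP/CHAP-allowed state the steps above produce.
audit_pptpd_options() {
    weak=0
    for opt in refuse-pap refuse-chap refuse-mschap require-mppe-128; do
        if ! grep -qx "$opt" "$1"; then
            echo "warning: '$opt' is not active in $1" >&2
            weak=$((weak + 1))
        fi
    done
    [ "$weak" -eq 0 ]
}

# Usage (writes to a scratch directory, never to /etc; 192.0.2.x are
# documentation addresses standing in for your real eth0 gateway and DNS):
#   OUT=$(mktemp -d)
#   render_interface 192.0.2.1 192.0.2.2 > "$OUT/interfaces.fragment"
#   render_pptpd_conf > "$OUT/pptpd.conf.fragment"
#   render_chap_secrets > "$OUT/chap-secrets.fragment"
#   insert_nat_block /etc/ufw/before.rules "$OUT/before.rules"
#   audit_pptpd_options /etc/ppp/pptpd-options && echo "MPPE-128 still required"
```

The audit function is the part worth keeping around after the setup is done: run it against /etc/ppp/pptpd-options whenever you touch the server, and a zero exit tells you the hardening lines are still in force, while a non-zero exit (with one warning per missing line on stderr) means the server accepts the plaintext-password, no-encryption configuration described in the disclaimer above.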

Configuring your iPhone / iPad

  1. In your iPhone / iPad go to “Settings” -> “General” -> “Network” -> “VPN”
    (Screenshot: PPTP VPN Configuration)
  2. Select “Add VPN Configuration”
  3. Select “PPTP”
  4. In “Description” enter the name of the VPN connection
  5. In “Server” enter the IP address of the server (or a server name, if you mapped the server’s IP address to a domain name)
  6. In “Account” enter the username you have entered into the “/etc/ppp/chap-secrets” file
  7. In “Password” enter the password you entered for the above username in “/etc/ppp/chap-secrets”
  8. Make sure “Send All Traffic” is turned to “ON”
  9. Set “Encryption Level” to “None” (this is how we configured the PPTP server in this post; if you set up encryption, try keeping it on “Auto”)
  10. Select save

Google AppEngine – Python – issubclass() arg 1 must be a class

If you are getting the error “issubclass() arg 1 must be a class” with the Google App Engine SDK for Python on Linux, it’s probably because you are running Python 2.6 (this will probably happen to you when you run Ubuntu 9.04, where 2.6 is the default).

Just run the dev server under python 2.5 (i.e. python2.5 dev_appserver.py)

“Unable to retrieve MSN Address Book” on Pidgin on Ubuntu / Debian?

Today I got the following error on Pidgin (I’m running version 2.5.2 on Ubuntu 8.10 Intrepid Ibex) while it tried to connect to MSN:

“Unable to retrieve MSN Address Book”

After searching a bit I found this post by Gijs Nelissen which said to use a different MSN plugin for Pidgin called msn-pecan.

I’ll reiterate the instructions for those with Ubuntu / Debian:

  1. Close Pidgin (make sure the process is really down)
  2. Run “apt-get install msn-pecan”
  3. Start pidgin
  4. Change your MSN account type from MSN to WLM
  5. Reconnect

I don’t know if this error affects other libpurple based multi-headed IMs (such as Adium) (UPDATE: It appears this IS a libpurple issue – so Adium IS affected), however, the msn-pecan project has a Windows binary release as well as source release (if you care/need/want to compile it for Mac OS X or other Linux distributions).

Failed to run /usr/sbin/synaptic Unable to copy the user’s Xauthorisation file

If you get the following error while running Synaptic:

Failed to run /usr/sbin/synaptic
Unable to copy the user’s Xauthorisation file.

Make sure that you have enough space in your /tmp directory.

To check if that is indeed the problem run the following command in your terminal:

df -h

This command will show you each mounted volume you may have, including the one mounted on /tmp.

/tmp usually contains temporary data for applications while they run. It sometimes may reach a point where it is 100% full (this might have happened to me while I upgraded to Hardy Heron 8.04).

To clear /tmp run the following commands (BE CAREFUL NOT TO RUN rm -rf ON ANYWHERE OTHER THAN /tmp):

cd /tmp || exit 1 # stop here if the directory change fails, so rm never runs somewhere else

pwd # just to make sure you are really in /tmp

rm -rf ./* # the leading ./ keeps a file whose name starts with "-" from being read as an option

Assembling a Linux based Home Storage Server

I’ve decided that I have enough data I want/need to store and backing it up with removable drives and/or burning DVDs is getting less useful each passing day.

I also like to have everything available all the time instead of going through backup DVDs searching for the right one and extract the information from it.

I have a friend who takes too many pictures in RAW format and has greater storage needs than I do, but has little time or nerves to mess with installing and configuring something, so he got a Thermaltake Muse NAS-RAID.

He is quite pleased with it and it works flawlessly at his home, adding yet another blue LED to an ever-growing group of blue LED devices blinking in the darkness of his home at night ;-) .

Being me, I cannot bear the thought of using a hardware device that I can’t fully control and can’t fully expand to whatever needs I may or may not have in the future, so I’ve decided to build my own home storage server.

I wanted it to be a bit cheaper than the Thermaltake MUSE box and I actually managed to do that (cost of the drives are the same so the real difference is in the box itself).

The hardware specs I’ve settled for and eventually ordered are:

  • CPU: AMD Athlon 3800+ Dual core (AM2 socket) – It’s overkill, but it was very cheap and was the cheapest CPU in stock at my favorite high end (and high quality) hardware supplier.
  • MoBo: Gigabyte GA-M61SME-S2 – It was either that or a comparable ASUS mobo. This one won because of the price. I really like the quality of Gigabyte and ASUS mobos and have used them for years. The specs are more than fine with a gigabit ethernet card on board and a hardware RAID support of both 0,1,5 (not that I’m going to use them, it’s all software RAID for me baby!)
  • RAM: 512Mb (more than enough)
  • Case: Thermaltake Matrix – It was relatively cheap. It’s Thermaltake (need I say more?!). It’s an aluminum case that is very ventilated and eventually if I want to mount some 3.5″ drives on the 5.25″ spaces using a kit I can get to a total of 8 drives.

The sweet spot for hard drives in terms of gigabytes per buck (at least for me) was the 500Gb drives (more specifically, the Western Digital WD5000AAKS 7200 RPM with 16Mb Buffer) so I’ll grab 3 of those which should be enough for my current needs.

I haven’t decided on the configuration and drive size for the OS itself. It might even be a jump drive as a friend suggested (2 in a RAID 1 configuration). I still need to decide.

The software I’m planning on using is:

  • OS: Ubuntu Server 7.10 (I know it’s due out very soon)
  • RAID Configuration: RAID5 with LVM (I might go for EVMS if I’ll have time to mess with it)
  • File System: XFS (cause I can grow it without unmounting it!)
  • Samba – so that the rest of the machines in the house will have access.

All of this set me back ~$750 (these are Israeli prices for the hardware and some taxes applied in there as well), but I’m quite pleased with the price.

It’s going to be a fun weekend! Muhahahahahaha :-)

VmWare Server 1.0.4 on Ubuntu Server 7.04 (a.k.a Feisty Fawn)

2 days after my previous post about installing VmWare Server 1.0.3 from Canonical’s repository, VmWare released version 1.0.4.

I tried using its built-in install script on a vanilla Ubuntu Server 7.04 (a.k.a Feisty Fawn) and it worked flawlessly.

Aside from certain libraries which it needs to compile the vmmon and vmnet kernel modules (the installation script will tell you which ones are missing and you can get them from the repositories using apt-get), you’ll also need to install xinetd.

All in all, the installation script did all the job and it works fine without patching the vmmon code.

Keep up the good work VmWare Team!

Google Israel – Where Art Thou in the Development Community?

I know that Google‘s original Googleplex at Mountain View is very active for non googlers. There are frequent open lectures there and they host a bunch of other things like Summer of Code (well, not always host, but sponsor and make sure people know about it) and Google Developer Day (which is happening at 10 different locations worldwide, but NOT in Israel).

I know there are supposed to be two development centers in Israel, one in Haifa (which I know is located in MATAM, because you can see it from road #2 leading from Tel Aviv to Haifa near Intel and Microsoft Haifa), but I have no idea where the other development center in Israel is located, other than the fact that it’s supposed to be in the Tel Aviv area.

I don’t know how active Google is in the development community in other countries besides the US but I think that Google Israel (and the rest of Google) as well as the rest of the development community in Israel will benefit if they’ll open up a bit and become a major player in the development community.

Microsoft Israel figured this out a long time ago and there are quite a few communities (warning: Hebrew link) that meet once a month. There is also at least one full time Microsoft employee (at least that I know of) who is logistically leading this effort and making sure everyone stays happy and uses MS products. And that is without mentioning the big events Microsoft Israel holds at least once a year to show off new things and to educate people about the new technology.

I guess this effort paid off since most of the companies developing in Israel today (and quite a few startups, even in the web 2.0 arena) are using Microsoft technologies and not Open Source products and technologies.

If Google Israel (hopefully the R&D part) will open up a bit and start hosting lectures and events in Israel, the same way the original Googleplex (and possibly other Google centers around the world, I don’t really know) does, the Israeli development community may gain a valuable player that can educate people about the usage of Open Source development environment, products and solutions.

It can become a driving force that can change how the Israeli development community looks and acts.

I’m not saying there is no open source community and activity in Israel. There are quite a few. Heck, even PHP (from v3 I think) is in part Israeli and Zend (the company behind PHP which supports its development) is in Israel. There are more than a few Linux kernel hackers that I know of who contribute on a daily basis to the Linux kernel and other subsystems, and more than a few companies that base their products on open source products and give back to the community in the form of patches, fixes and features.

What I am saying is that having a major player that can concentrate the efforts and help cultivate and educate the development community in Israel on things other than Microsoft and Microsoft Technologies can have a major effect on the Israeli development community and there is no better time than now.

If one of you Israeli Googlers is reading this, you are more than welcome to comment, or even comment privately directly to me.

Of course, I might be imagining all of this, but some quick Google searches didn’t turn anything up in an obvious way.

Speaking of development and the development community, since MS already has a development center in Israel (and is creating additional ones besides the one in Haifa) and Google has 2 development centers in Israel, where is Yahoo? I guess that’s something for another post :-)

Feisty Fawn – Works as advertised

Whenever a new version of Ubuntu comes out I download the CD, run it in LiveCD mode and see if my Laptop (Thinkpad T43) works with everything included (video card – ATI, sound, Wireless card the Intel a/b/g wireless thingy) and succeeds in connecting to my home wireless network (using WPA2 encryption).

Previous versions usually missed either in the wireless card or the WPA (or it was really cumbersome to configure WPA).

I tested Feisty Fawn (7.04) and surprise, surprise, it works as advertised.

Everything was correctly configured and recognized, including the cool new wireless applet for Gnome which found my network and even figured out that it’s WPA.

Good work Ubuntu team! You are on the right path!

Being the geek that I am, I always find myself trying to figure out whether I should install a Linux distribution that simply works (up until Feisty Fawn there wasn’t really something that did that without further tweaks) or should I go 100% geek/developer and run Gentoo.

After all, if I’m going to tweak things, at least give me 100% control over what I am doing…

I guess that from now on I’ll really have a dilemma…

libtool: compile: unable to infer tagged configuration

I got the following annoying little error after I tried to upgrade to a newer mod_python on my Gentoo Linux box:

libtool: compile: unable to infer tagged configuration

It seems that the main problem was due to the fact that I’ve switched to GCC 4.1.1, and when compiling mod_python, the compilation uses the libtool that is brought in and compiled with Apache (located under /usr/share/apr-0/build/), which should have been recompiled after I’ve upgraded to the new GCC (I was too lazy to continue running the “emerge -e system” command, so I stopped it after GCC was recompiled).

To solve it, simply recompile Apache and then emerge (upgrade) mod_python.

Could not run/locate “i386-pc-linux-gnu-gcc”

I have Gentoo Linux on my home machine and after I’ve upgraded GCC (and subsequently the whole toolchain) I wanted to compile a perl related library – crypt-rsa.

When I tried to emerge it, it failed with the following error:

Could not run/locate “i386-pc-linux-gnu-gcc”

After searching around I found this thread on the Gentoo forums which had some instructions on how to handle this issue, but it didn’t help much.

In one of the posts on that thread they said to re-emerge the offending package (if you find it). I figured, since I’m trying to compile something related to Perl, perhaps Perl is the problem.

I re-emerged it and, surprise surprise, it worked so I thought I’d share it with the world.