RTFM Josh!

One of my latest projects has been to get a VPN link up between my parents’ house and ours, so that I can help them out with computer issues without having to make the trek down to West Chester. Not that I don’t love visiting them (shameless parental plug, they do read this after all), but what with Taylor’s arrival and all we don’t get out much these days. Anyway, after thinking about how best to accomplish this I decided I should use a Linksys router flashed with DD-WRT (open source alternative firmware) for the job, for a number of reasons:

  • Thanks to the generosity of a local gentleman I know from Twitter I acquired one of these devices for free. Don’t ever say Twitter can’t get you stuff!
  • It’s low power and unobtrusive. While I love my big ol’ quad core monster, I didn’t really want to take up space at my parents’ house.
  • With DD-WRT, it functions great as an OpenVPN client.

Now, the setup was to look something like this:

VPN Diagram

(Please excuse the rather awful drawing, I’m afraid I’m used to Visio)

Once I had everything set up, everything appeared to work, except I couldn’t ping anything at my parents’ end of the tunnel from my home network (vice versa worked fine). Well, normally I might try and sniff the traffic at the two endpoints, but this was a little more complicated than you might think, since the router at my parents’ doesn’t support such an operation.

In the end, I was able to collect some data after hacking a solution (<geekery>I used an already compiled version of tcpdump and manually moved it to the router</geekery>), and figured out that for some reason the VPN router at my parents’ house was performing what’s known as “masquerading”, or “NATing”. What this means is that any traffic that passed out of it was translated so as to appear that it came directly from the router itself, and not some machine behind it. This novel concept is actually the basis for how pretty much every home router functions; but in this case it was bad, in that it made the tunnel between our networks essentially one way.

So what did I do? Well, get royally annoyed of course, then proceed to spend the next several hours poring over the setup of both ends, trying various hacks, googling like crazy, and perhaps questioning my intellect (or that of the programmers of OpenVPN, DD-WRT, and Linux in general) a few times. Finally, after giving up for a day, I decided I’d look at a tutorial on the OpenVPN site itself that I remembered. It took a while to find, but there was the answer, right in front of me.

Apparently OpenVPN needs a little special tweaking to allow traffic from both the “client” (my parents’ house) and “server” (my house) networks to fully talk to each other:


Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now:

In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs. On Linux this tends to be /etc/openvpn and on Windows it is usually \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client.

The next step is to create a file called client2 in the ccd directory. This file should contain the line:

This will tell the OpenVPN server that the subnet should be routed to client2.

Next, add the following line to the main server config file (not the ccd/client2 file):

Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server (via the TUN interface) while iroute controls the routing from the OpenVPN server to the remote clients. Both are necessary.

Yep, you read correctly. “Both are necessary.” Long story short, I only had one of the two necessary configurations in place. Basically, while the normal route command got the packets as far as the OpenVPN tunnel, the software required that extra iroute configuration line to correctly send the traffic on its merry way from there. Without it, the traffic would just appear to go out the proper interface, but actually go to that awful place where packets disappear and are never seen again.


Hi everyone, my name is Josh, and yes, I admit it, I should have read the… oh hell you know what the rest means.
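A small sanity check for the route/iroute pairing described above, written as an added example (it is not part of the original post and not OpenVPN’s own tooling). It parses the server config and the ccd files as text and reports a `route` with no matching `iroute` (the exact mistake in the post) or the reverse; the subnets and client names are constructed placeholders, not the author’s real addresses.

```python
import re

# Added example (not from the post): cross-check OpenVPN `route` lines in the
# server config against `iroute` lines in ccd/<common-name> files, the pair the
# post says must BOTH exist. Subnets and names here are constructed placeholders.
_ROUTE_RE = re.compile(r"^(i?route)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_routes(text, directive):
    """Return {(network, netmask)} for every `directive` line in `text`."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        m = _ROUTE_RE.match(line)        # gateway/metric after the mask ignored
        if m and m.group(1).lower() == directive:
            found.add((m.group(2), m.group(3)))
    return found


def check_routes(server_conf, ccd_files):
    """ccd_files maps client common name -> text of its ccd file.

    Reports `route` subnets no client claims via `iroute` (packets reach the
    tunnel and vanish, the post's symptom), `iroute` subnets the kernel never
    hands to OpenVPN, and whether client-config-dir is set at all.
    """
    routes = parse_routes(server_conf, "route")
    iroutes = {}
    for cn, text in ccd_files.items():
        for subnet in parse_routes(text, "iroute"):
            iroutes[subnet] = cn
    has_ccd = re.search(r"^\s*client-config-dir\s+\S+", server_conf, re.M) is not None
    return {
        "missing_iroute": sorted(routes - set(iroutes)),
        "missing_route": sorted((s, cn) for s, cn in iroutes.items() if s not in routes),
        "client_config_dir": has_ccd,
    }


# Constructed sample reproducing the post: a route whose iroute was left out.
SERVER_CONF = ("client-config-dir ccd\n"
               "route 192.168.10.0 255.255.255.0\n"
               "route 192.168.20.0 255.255.255.0\n")
CCD_FILES = {"parents-router": "# iroute forgotten\n",
             "other-client": "iroute 192.168.20.0 255.255.255.0\n"}

if __name__ == "__main__":
    print(check_routes(SERVER_CONF, CCD_FILES))
```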

Requirements For A GTD Home Office

Lately I’ve been spending time working on the third floor of my house, preparing it to be the ultimate productivity / GTD / geek lair. Well, at least as much of an “ultimate” room as current economic conditions allow. Anyway, like any good GTD practitioner, I’ve been doing some good brainstorming around how to make this space as GTD friendly as possible, and thought I’d share some of the highlights.

  1. A clearly accessible inbox
    While I mostly use e-mail as my collection point, the need for the occasional use of paper as a reminder still remains. Now I’m not a fan of fancy, gold-plated desk accessories, so instead I found a great little wire-metal set at the local IKEA. Eight bucks and I have a great three-tray collection point. I’m thinking one tray for things to read, one for general collection, and one for… TBD I suppose, suggestions welcome.
  2. A functional way to archive materials, sans paper
    My @Reference folder is far and away the largest in my Outlook mailbox, as well it should be. But for those things like statements, receipts, magazine articles, etc., I’m thinking a nice, fast, feed-style scanner will do the trick. I’m considering the Fujitsu ScanSnap, but its lackluster support of Linux may end that idea. I’m hoping to find a way to make indexed, searchable PDFs from documents, so that I can easily find things based on search phrases like “December 2007 IRA Statement”. But that will be the subject of another post.
  3. A large white-board like surface
    While I probably can’t afford the real thing, I’ve read about using tileboard as a good (and cheap) replacement. Nothing beats it for broad, brainstorm-style thinking and planning, or loud reminders of some home task left undone.

That’s about it for the practical, now what about the impractical? Think about what you would want if money were no hindrance whatsoever. Maybe along the lines of the ultimate GTD dashboard? Picture a huge, 60+ inch LCD, touch screen display, permanently showing your Remember The Milk (or other suitable GTD tool) homepage. Now you really have no excuse not to know what needs to be done.

And why not see how the man himself does it?

So what’s your dream GTD office like?

Two Security Notes

MS08-067: The Worms are Loose

For anyone who hasn’t yet heard, last week Microsoft released a critical security bulletin regarding a serious vulnerability in the Server service, affecting nearly every version of Windows. Just today, SANS ISC reported that there is a worm loose in the wild that appears to be exploiting this nasty problem. If you haven’t already patched your personal computers and your servers, do so now.

Cross Site Request Forgery

You know how nice it is that whenever you head back to Amazon.com, it already knows who you are? This is because of a neat feature in web browsers called “Cookies”, which are basically little bits of information that web sites place on your computer. From that point on, every time you visit that site, the cookie is sent along with all the other information your computer uploads to the site, such as what web page you are requesting to view. This allows the site to recognize who you are without requesting you log in. Nice, right?

Well, it turns out that this same feature will allow hackers to essentially back-door a request to your favorite sites, and perform any available action using your cached credentials. Steve Gibson over at Security Now does a nice job explaining the more technical aspects of the problem in episode #166, which aired around two weeks ago, so I’ll leave the details to the experts. Suffice it to say, if Steve says this is a big deal (and he does), you need to pay attention.

Basically speaking, the ways to avoid this are two-fold. First, Gibson recommends actively logging out of any web sites that you aren’t actively using. This would include things like Amazon, eBay, and especially sites such as banks or brokers. If you happen to see one of those little “remember me” checkboxes when logging in, leave it blank! This will prevent the problem from occurring in the first place. But because we are all human, and tend to forget to do such things from time to time (present company most definitely included), there’s also a plug-in available for Firefox called CSRF Protector (CSRF stands for “Cross Site Request Forgery”). It all but transparently blocks this kind of exploit from occurring, so it comes highly recommended.