pfSense 2.0 Release Now Available!

The 2.0 release is finally available.

Here is the news:

2.0 Release Now Available!

My experience so far is good, I’ve already upgrade some of my machines.

You can take a look at the upgrade process from RC3 to RTM here:

 

 

Before performing any kind of upgrade read carefully the Upgrade Guide!!!

 


Using your OpenVPN Road Warrior setup as a Secure Relay

Introduction

If you are in a café or another place with free wireless Internet access you are under a security risk. Your traffic can be monitored, captured and analysed. Your sensitive data can be stolen or your laptop infected with malicious application.

To avoid as much as possible of the above we can route all your traffic through the internet connection at home or in your office.

Configuration

As a base configuration you can use pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

up until the Tunnel Settings section of the OpenVPN Configuration.

There tick the Redirect Gateway.

 

Under Client Settings enter DNS Server 1 as the IP address of you LAN interface.

Explanation

By doing so you will redirect all your traffic through the VPN connection and avoid the risks related to the publicly available Internet access hotspots. The addition of DNS server address is needed in order to use you own device to resolve web sites IPs instead of the publicly available DNS server of the hotspot.

Testing

As a test you can trace route (tracert bbc.co.uk for example) a popular internet site with or without established VPN Connection.

Conclusion

At the cost of building just another VPN Server on your device you are gaining a little peace of mind while surfing the net from insecure location.


OpenVPN on pfSense 2.0 RC3 with OpenLDAP Authentication on CentOS 5.6

Introduction

After writing OpenVPN with LDAP authentication on pfSense 2.0 RC1, a reader of my blog shared some problems with configuring OpenLDAP on CentOS.  So I decide to build such a setup and test.

Scenario

The scenario is as follows, authenticating users requiring access to the OpenVPN server against OpenLDAP service running on CentOS.

Setup

I’ve spent most time in preparing the CentOS server. Initially my decision was to use CentOS 6.0, but after a few failed attempts to configure it and the absence of how to guides for this purpose, I’ve decided to fall back to 5.6.

For this version there is a wonderful how to guide here:

OpenLDAP on CentOS 5.6

Install And Configure OpenLDAP 2.4.25 On CentOS 5.6

Following this instructions I’ve managed to setup OpenLDAP very fast.  The only comment that I have is in this section:

All data loaded is in LDIF format. Create a file to initialize the LDAP database:

# vi ldap-init.ldif

dn: dc=mycompany,dc=com

objectclass: dcObject

objectclass: organization

o: Example

dc: mycompany

dn: cn=Admin,dc=mycompany,dc=com

objectclass: organizationalRole

cn: Admin

 

you have to have one new row, otherwise the import in the next step fails. So the above should look like:

# vi ldap-init.ldif

dn: dc=mycompany,dc=com

objectclass: dcObject

objectclass: organization

o: Example

dc: mycompany

 

dn: cn=Admin,dc=mycompany,dc=com

objectclass: organizationalRole

cn: Admin

 

 

Next step is to create a few test users.  For that purpose I’ve used :

LDAP Admin

Ldap Admin is free Win32 administration tool for LDAP directory management. This application lets you browse, search, modify, create and delete objects on LDAP server. It also supports more complex operations such as directory copy and move between remote servers and extends the common edit functions to support specific object types (such as groups and accounts).

You can use it to manage Posix groups and accounts, Samba accounts and it even includes support for Postfix MTA. Ldap Admin is free Open Source software distributed under the GNU General Public License.

Configuration

It is time to configure the pfSense. I will skip all the steps described in the previous posts. You can find them here:

pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

OpenVPN with LDAP authentication on pfSense 2.0 RC1

Now let’s get straight to System > User Manager and on the Servers leaf.

Hostname or IP address: this it the address of the CentOS server

Base DN: this is the domain name

Authentication container: after insterted the Bind credentials, it was visible, but when I’ve click on the Save button, nothing happen. So I’ve typed it in manually.

Bind Credentials: enter User DN and Password. , I’ve tested it and with Use anonymous binds to resolve distinguished names, it works also.

Group Member Attribute: you can modify this with the Uid=%s, if you need.

Testing

Just for reference this is my test user.

After preforming the OpenVPN configuration, enter the user name and the password.

If everything is OK, you should be successfully connected and see something similar in the OpenVPN logs:

You can also test the connection using the Diagnostics > Authentication, Select the Authentication Server, in my case the CentOS OpenLDAP connection is named Test. Enter Username and Password, and see the result.

If you get error, you can check the Status> System Logs on the System leaf for errors.

I’ve got this error when the CentOS server was turn off.

Issues

The issues that I faced was the problem with selecting the OU in which my users resides. Hope this will be fixed in future versions. On the CentOS side the problems were releted with the changes of OpenLDAP in the 6.0 version.

Conclusion

That’s it. Thank you for reading.


Install Open VM Tools package on pfSense 2.0 RC3 for VMWare

In my previous posts we’ve Install pfSense 2.0 RC1 on VMWare Workstation 7 and adjusted the memory of the Virtual Machines in pfSense 2.0 RC1 on VMware Workstation 7.1.4 – RAM size.

Now let’s continue with the setup of the Virtual Machine with the installation of VMware Tools for pfSense.

For that purpose go to System > Packages

, and on the Available Packages find Open-VM-Tools. Click on the “+” next to it and start the installation.

Wait it to finish, and on the Installed packages you should see it listed. Click on the link below Package Info, to see the instructions how to verify successful installation.

The operation boils down to connecting to the console and executing first and monitor the output.

ps ax|grep vmware

 

kldstat

That's it.


Upgrade pfSense 2.0 from RC1 to RC3.

In this post we will upgrade pfSense 2.0 from RC1 to RC3.

For the purpose go to this page with the news about the RC3 release:

2.0-RC3 now available!

and click on the Upgrades link: http://www.pfsense.org/mirror.php?section=updates

select a mirror and download the image that suits you, in my case it was:

pfSense-Full-Update-2.0-RC3-i386-20110621-1542.tgz

Now go to System > Firmware and click on Enable Firmware uploads.

Click on Choose File button, select the file that we just downloaded, and click on Upgrade Firmware button.

Wait for the firmware upgrade process complete.

That’s it. If you want more graphical representation, I’ve just uploaded a video here with the whole process.

 

 


Packt Publishing OpenVPN 2 Cookbook Review

OpenVPN 2 Cookbook

100 simple and incredibly effective recipes for harnessing the power of the OpenVPN 2 network
By Jan Just Keijser

OpenVPN 2 Cookbook

Introduction

I was approached by Packt Publishing representative, asking if I would be willing to make a review of this book. This was interesting because at that moment I was reading pfSense 2.0 Cookbook from the same publishing company. I was generously provided with the book, and here we are a month later.

The OpenVPN 2 Cookbook main subject is the use of OpenVPN in different scenarios. Its aim is to help you along the way of implementing an OpenVPN solution. For more detail description take a look at the detailed description Here.

My experience with OpenVPN is based on three years of different deployments. You can find more details at the bottom of this post.

What’s the book about?

The book is an in depth examination of OpenVPN and how to use is in your every work. If you are in a hurry you can find a quick fix in the huge amount of recipes, or read it from cover to cover and get extensive knowledge of OpenVPN, its capabilities and different usage scenarios.

The book states that prior knowledge and experience of system administration, TCP/IP is required, also in OpenVPN installation. The examples in the book are made mostly on Linux based systems, so prior knowledge in the field is required too.  If you are fresh to field, probably first step is to take a look at Beginning OpenVPN 2.0.9 and then continue with this book.

As the cover states: Quick answers to common problems.

The book is structured in twelve chapters, and each chapter consists of about eight to ten sub topics that are called recipes. These recipes are like short How Tos for a particular case. The valuable thing is that throughout the chapter the recipes build on each other, starting from very basic configuration to more advanced ones. To get an impression you can take a look at the Table of Contents.

Every recipe has a How it works sections. They are extremely useful to understand what and how is happening behind the scenes. And that’s not all, after this section additional value is provided in the There’s more sections, where additional explanations and further developments are delivered.

Does it achieve its promises?

The first topic that really gets me going was 3-way routing in the first chapter. I was planning to implement this for small number of fixed endpoints which are less than four. For more you have to read further in the book.

The next this that surprise me pleasantly was the PKI, Certificates and OpenSSL chapter. It helped me better understand OpenSSL and give me better idea how to manage certificates. This topic continues in the next chapters about Two-factor Authentication. I was very surprised to see that even hardware tokens can be used to authenticate users.

In The Scripting and Plugins, there is a very important secret about scripts execution, which was not known to me, and definitely will help me in future.

The Troubleshooting sections can save you precious blood, sweat and tears especially with problems related to Routing. Those are the two chapters I appreciate the most because they provide you with analytical way to diagnose and eliminate problems in deployments. You can have a peek in the sample chapter here: Troubleshooting OpenVPN: Configurations

Logically after you have fixed all the problems a Performance Tuning is your next step.

The following two chapters are related to OS integrations and advanced configuration. They help me better understand how to better integrate OpenVPN with the unique environment of the client.

The last chapter is all about the new features in 2.2 version of OpenVPN. It is quite useful to have a well arranged section with new features that you might have not known existed up until now.

Conclusion

I really like reading this book, and the systematic knowledge that it provides. Whether you are a full time System Administrator or just a part time occupied with the IT in your company, or just wants to establish a secure connection to your home this book will definitely give you the needed advices how to get there.

Biography

My experience with OpenVPN is based on three years’ of deployments.  My first deployment was on OpenWRT where I had to use predominantly command line to configure it and Secure copy (SCP) for certificate transfer, then on DD-WRT where most of the work is done through the Web GUI, with exemption for more advanced configuration that have to be placed in start-up scripts. After that on I used Windows based systems as clients and servers, and lately as you can see from my blog I’m working with pfSense.

SoHo PBX with DD-WRT and Asterisk 1.4

Здравейте, от известно време изследвам една тема, а именно как да си направим телефонна централа за дома и малкия офис.

Първо си поиграх със Asterisk 1.4/1.6 на виртуална машина със soft phones.

Имах желание да изпробвам и с hard phones, въпроса беше коя марка и модел да избера. Тук на помощ дойде един от най – добрите сайтове, поне според мен за информация относно VoIP http://www.voip-info.org/. След продължително търсене на подходящи телефони съвместими с Asterisk, избрах Linksys SPA 941. Избрах го защото, не са ми необходими цветен екран, видеокамера, power over Ethernet, wireless и повече от 1, 2 линии.

Тук може да видите повече информация за него: http://www.voip-info.org/wiki/view/SPA-941

За да добиете представа какви алтернативи има вижте новата гама на Cisco, тук има едно прилично ревю:

http://www.asterisktutorials.com/first-look-at-the-cisco-spa500-phones/

В един момент ми попадна брошура на JAR, и какво да видя в нея SPA 921/941 на доста приятни цени. Не се сдържах и си взех два. Все още са в каталога им като цената на 941 вече е 200 лева.

С помощ на този видео tutorial ги свързах с Asterisk-a за 10 минути.

http://www.asterisktutorials.com/linksys-spa941942-sip-phones/

Впоследствие ги flash-нах до последната версия на firmware-a, която в момента е 5.1.8. Става лесно и и бързо.

http://www.cisco.com/en/US/products/ps10038/index.html

От няколко години използвам OpenWRT и DD-WRT чудесни дистрибуции побираща се на безжични рутери. И двете предлагат уникални функции които са недостъпни от stock firmware-a на който и да е безжичен рутер.

На един етап започнаха да се появяват версии включващи и Asterisk. Реших да пробвам как ще се държи ако сложа и телефонната централа на устройство. Като се има предвид ползите от такава играчка, без движещи се части,  без шум и ниска консумация на електричество.

Разбира се тук е момента да спомена че е добре да се провери за съвместимост на модела със въпросната дистрибуция.

Ето тук за DD-WRT:

http://www.dd-wrt.com/wiki/index.php/Supported_Devices

и тук за OpenWRT

http://wiki.openwrt.org/toh/start

Като се замисля последните няколко безжични рутери които са ми попадали в ръцете не са издържали повече от 5 минути със stock firmware.

Като критерии за оценка на устройство може да се вземе Flash Memory. Това е памет на която се инсталира операционната система.  Тоест ако имате 4 MB не можете да сложите такава която изисква 8 MB, примерно. Правилото на Мечо Пух “Колкото повече, Толкова Повече” тук е валидно с пълна сила. Поради факта че ползвам големите build-ове на dd-wrt изискващи поне 8 MB си харесах Asus RT-N16. Той е със 128MB RAM, 32 MB Flash Memory,  a процесор му е на 480 MHz. Освен това има 2 USB 2.0 порта на които може да включи флашка, външен диск или принтер.

Незнам защо но този модел не се предлагаше в България доста време, въпреки че е излязъл още преди една – две години. Както и да е, от преди месец – два се предлага в Мост. Цената му е около 270 лева.

Последния hardware който ми беше необходим е един USB Flash Drive, или както ги наричаме флаш-ки. На него сложих Optware, за повече информация : http://en.wikipedia.org/wiki/Optware

Не можах да си намеря PQI Cool Drive U338 Pro която има доста прилични скорости и се задоволих с една PQI Cool Drive U339H, Titanium 4 GB за около 25 лева. Забелязвате ли как вече не пишат скоростите на read/write на флашките?

И така да видим разходите до тук:

Asus RT-N16 – 270 лв.

Linksys SPA 941 x2 – 350 лв.

PQI U339H, Titanium 4GB – 25 лв.

Общо: 645 лв.

Преди да пристъпя към инсталация и конфигурация прочетох тази тема във форума:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=43787&postdays=0&postorder=asc&start=0

GUI-то описано там не сработи и за мен, за това реших да рискувам с asterisk-gui, вместо него.

Да преминем към инсталацията:

Свалих последната налична версия от www.dd-wrt.com: dd-wrt.v24-14471_NEWD-2_K2.6_big.bin, вече има по – нови.

След това следвах този guide за да инсталирам и Optware:

http://www.dd-wrt.com/wiki/index.php/Optware%2C_the_Right_Way

и вече имам и този пакет

asterisk14 – 1.4.22.1-1 – Asterisk is an Open Source PBX and telephony toolkit.

След което добавих всички пакети със звуци използвайки ipkg-opt:

asterisk14-core-sounds-en-alaw – 1.4.8-1 – asterisk-core-sounds-en-alaw

asterisk14-core-sounds-en-g729 – 1.4.8-1 – asterisk-core-sounds-en-g729

asterisk14-core-sounds-en-gsm – 1.4.8-1 – asterisk-core-sounds-en-gsm

asterisk14-core-sounds-en-ulaw – 1.4.8-1 – asterisk-core-sounds-en-ulaw

asterisk14-extra-sounds-en-alaw – 1.4.7-1 – asterisk-extra-sounds-en-alaw

asterisk14-extra-sounds-en-g729 – 1.4.7-1 – asterisk-extra-sounds-en-g729

asterisk14-extra-sounds-en-gsm – 1.4.7-1 – asterisk-extra-sounds-en-gsm

asterisk14-extra-sounds-en-ulaw – 1.4.7-1 – asterisk-extra-sounds-en-ulaw

asterisk14-moh-freeplay-alaw – 0.0.0-1 – asterisk-moh-freeplay-alaw

asterisk14-moh-freeplay-g729 – 0.0.0-1 – asterisk-moh-freeplay-g729

asterisk14-moh-freeplay-gsm – 0.0.0-1 – asterisk-moh-freeplay-gsm

asterisk14-moh-freeplay-ulaw – 0.0.0-1 – asterisk-moh-freeplay-ulaw

и накрая добавих и GUI-то:

asterisk-gui – 2.0svn-r4045-1 – Asterisk-GUI is a framework for the creation of graphical interfaces for configuring

За да конфигурирам GUI-то използвах това упътване:

http://www.asteriskguru.com/tutorials/asterisk_gui.html

След като настроих Asterisk-a по мой вкус, вече имам няколко soft phone-a и двата SPA 941 свързани и работещи.

Това което ми липсваше на този момент е връзка със останалия свят.

Много добра тема по въпроса може да намерите тук:

http://www.kaldata.com/forums/index.php?showtopic=6681&st=0

ето и няколко упътвания:

http://akrozia.org/?tag=asterisk

http://ygeorgiev.net/archives/56

http://forum.spectrumnet.bg/showthread.php?t=2573

Накрая се насочих към BGOpen.

Регистрирах се, захраних сметката си с известна сума. И вече имам телефонен номер ала +3592490ХХХХ.

Прегледах няколко интересни статии по въпроса:

http://ygeorgiev.net/archives/56

http://forum.spectrumnet.bg/showthread.php?t=2573

Сега е необходимо да научим Asterisk-a за този номер, и как да го ползва.

Първо отиваме в Trunks, VOIP Trunks и избираме + New SIP/IAX Trunk

Избираме тип-а – SIP

Така и не успях да го подкарам с IAX, ако някой го е подкарал и има впечатления нека ги сподели.

За Hostname: sip.bgopen.net

Username / Password – каквито сте избрали при регистрация в bgopen.

Codecs: според FAQ-a на BGOpen

Можем да ползваме G.729, G.723.1, GSM, iLBC (поне един от изброените)

За CallerID и Enable Remote MWI не съм сигурен, за това ги оставих празни.

След това отидох в Outgoing Calling Rule, и създадох нов като Pattern: _9. – тоест всички номера които имат 9 от пред се насочват към създадения преди малко Trunk.

Избрах името което съм дал на Trunk-a в полето Use Trunk

Strip – 1 тоест да маха 9-тката при набиране на вън.

Редактирах DialPlan-a си да включва и Outgoing Calling Rule-a

Сега вече мога да набирам не само слушалките директно свързани към Asterisk, но и каквито ми хрумне навън. Единствено трябва да сложа една 9-ка пред номера.

Дойде време да могат и мен да ме търсят по новия ми номер +3592490ХХХХ.

За целта отидох в Incoming Calling Rules, създадох ново, като избрах

Trunk – който създадох по – горе

Time Interval – None

Pattern: _X. – да препраща всички номера към

Destination: Тук мога да избера номер или voice mail на някоя от слушалките. За тестове избрах един номер, но аз не искам това, а Voice Menus за да си създам IVR.

Вече имате входящи и изходящи обаждания и гласова поща.

Да нагласим Voice Menus

Създадох ново, избрах му name и extension

Тук трябва да се добавят Actions, действия които ще се извършват едно след друго.

Ето и моите:

Answer the call – все пак трябва да вдигнем на човека

Set(TIMEOUT(digit)=5) – колко време чакаме преди да спрем да чакаме за бутон

Set(TIMEOUT(response)=20) – колко време да чакаме за натискане на бутон

Play record/X & Listen for KeyPress events – пускаме на човека записано съобщение с инструкции коя цифра с кого ще го свърже, ако бъде натисната

Play record/Silance & Listen for KeyPress events – наложи се да направя втори запис, със тишина, за да дам време на обаждащия се да натисне някоя цифра, иначе веднага след приключването на предишния запис затваряше линията.

Hangup call – затваряме линията ако не е натисната цифра.

Тук имах див проблем с extension-a. В option има секция Extensions preferences в която за Voice Menus са заделени номера от 7000 до 7500. Проблема ми беше че ако избера в този диапазон не можех да набера номера, а ако се опитам да избера извън него не ми позволява. За това се наложи да го разширя до 8000 и сработи.

След това в Incoming Calling Rule само Destination полето се насочва към Voice Menu-то Extension-a който създадох.

Вече ако някой се обади на номера ми +3592490ХХХХ ще го посрещне записано съобщение което ще го информира кой номер да натисне за да се свърже с мен. Ако ме няма ще бъде насочен към гласовата ми поща, за да остави съобщение.

Какво следва

Когато намеря време и пари за това ми се иска да свържа и POTS към Asterisk-a. Тоест и

стария ми домашен телефонен номер от БТК да влезе в играта.

За целта ще ми е необходимо някакво устройство което да направи връзката.

Това устройство много ми харесва: CISCO SPA3102 2-Port Router with 1 FXO + 1 FXS

http://www.voip-info.org/wiki/view/Linksys-Cisco+3102

То може да свърши тази работа за мен.

Ето малко локална информация за него:

http://hardwarebg.com/forum/showthread.php?p=1780708

http://www.comelsoft.com/product.php?mf=cisco&lang=bul

Създаване на Phone Book, тоест входящите обаждания да се идентифицират по Caller ID, и да се изписва Име и номер на търсещия, не само номера му.

Последното нещо което трябва да пробва е да получавам факсове, по принцип услугата е активиране по подразбиране от bgopen, но никога да сега не съм я ползвал и незнам точно как работи. Както и ми е интересно какви възможности за изпращане на факсове имам.

Надявам се темата да ви е била полезна.