Virtual Private Networking in AWS

Been doing lots of VPN setup and configuration lately, especially inside of Amazon Web Services (AWS) Virtual Private Clouds (VPCs).  VPC has a built-in VPN capability using IPsec, but it is aimed at site-to-site (gateway-to-gateway) connections between the VPC and a customer gateway device rather than at individual road-warrior clients.  Depending on the need I have turned up StrongSwan and/or OpenVPN as a solution.

OpenVPN has the advantage of being able to run its TLS-based tunnel on TCP port 443, so at a glance it looks like HTTPS web traffic and passes through networks that only allow web browsing.  Proxy servers and simple port filters generally don't realise you are creating a VPN tunnel.  Two caveats: OpenVPN's framing is not actually HTTP, so deep-packet inspection can still fingerprint it, and a proxy that intercepts TLS will break the tunnel rather than hide it.  Also, on Windows the OpenVPN client software has to be installed before it can be used.

StrongSwan is an IPsec VPN option that interoperates well with existing site-to-site IPsec systems.  The native Windows VPN client (IKEv2) works out of the box with a standard StrongSwan configuration, as long as your certificates have been signed by a CA the Windows machine trusts, the server certificate carries the hostname the client connects to in its subjectAltName, and it has the Server Authentication extended key usage; Windows rejects the connection with an unhelpful error otherwise.  Performance is also very good.

So far, I really really like OpenVPN: once it is configured it works everywhere, regardless of network policy or ISP limitations.  Linux NetworkManager has built-in support for it, making it very easy to configure clients to use it as well.  That said, for IPsec configurations needing to connect to Windows clients, StrongSwan has been my go-to solution.

Useful links follow:

Linux StrongSwan Server

Workstation StrongSwan Setup/Install Client

OpenVPN on Ubuntu

drift toward unparalleled catastrophe

My home configuration has two Planar 20″ monitors as my primary display.  They have worked fairly well, with the exception that any sudden change in input signal seems to cause them to freak out and change their sync levels to non-standard ranges.  Resetting them is the fix, but Planar is kind enough NOT to mention how to do that in any of their documentation.  So, for the benefit of mankind, here is the process for resetting a Planar PL2010MW to factory default:

Unplug the monitor.  Counting from the left, there are five buttons on the bottom of the monitor (the rightmost being the power button).  Press the second and fourth buttons from the left and hold them down while plugging the monitor back in.  Count to five, and release.

Other models of Planar use the second and third buttons, with variations of releasing immediately after plugging in or waiting until the main power light turns green.  In addition, on some versions of Linux you may have to restart X before you see the monitor in your hardware setup.

All I see are tabs

Cloud:

  • BitTorrent Sync – Multiple-source file syncing using a BitTorrent client.  Think of it as headless Dropbox.
  • Own Cloud – Open source personal cloud solution. Includes things like data, music, contacts, and calendar, and can even be used by multiple clients. Even set it up on your own server.
  • SparkleShare – Dropbox like functionality on Linux, Mac, and Windows systems. Includes versioning as well.
  • Gmail Forwarder –  Correctly configure gmail when using your own smtp settings, domain, and email forwarder.
  • Github For Everything – Using Github to manage everything in your company; from your hiring process to your internal documentation.
  • Using Gnu Stow – Stow is an open source tool for managing your dotfiles in a universal way across multiple machines.  This also simplifies the process of using a version control system to track your dotfile history.
  • Git-Annex – Headless, versioned, unlimited, decentralized file synchronization for Unix systems.  Based on Git and includes a mobile app.  Possibly the best replacement for Dropbox available anywhere.

App Dev

  • Apple App Distribution – All 100 freggin pages of it.  Includes beta testing and is almost like developing software back in the 90’s.
  • Android App Distribution – Eight pages, and you can even use Google Groups to manage your beta test groups.  Includes automatic updates.
  • Ruby Rack nginx – Very clean, very simple example of setting up a Ruby Rack nginx configuration.
  • Source Code Comments – A list of the most humorous source code comments people have read.
  • Testing Code, Simply – I love this post.  Best simplification of how/why TDD should be used.  The examples can even be modified to allow testing of things like Bash or VBA.

Bash & SSH

  • More cool bash commands and shortcuts.
  • Need a web server?  How about a single line of bash.  It hands index.html to anyone who connects and has no access control at all, so only run it on a network you trust.  Traditional netcat spells the listen port -l -p 8080 instead of -l 8080.
    while true; do { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %s\r\n\r\n' "$(wc -c < index.html)"; cat index.html; } | nc -l 8080; done
  • Killing an unresponsive SSH session.  Press Enter first; the escape character is only recognised at the start of a line.
    newline ~.
  • Setting up SSH to use shared concurrent connections.  Came from a tutorial on speeding up Git, but useful everywhere.
  • More SSH Awesomeness – This was how I learned ssh-copy-id.  Lots of other amazing advice.
  • Improve SSH Key Security – Things to do AFTER you have placed a passphrase on your SSH keys.  You have done, at least, that?  Right??
  • Passing SSH options to git clone – StackOverflow response on how to configure .ssh/config options for specific hosts.  They, in turn, get picked up by git.

Go

  • Go Tutorial Exercises – I have really enjoyed Go lately.  C language power in a language actually built for multi-core processors in a network-connected world.
  • Effective Go FAQ – Some really great tutorials and information for developers trying out a new language.
  • Hermans Go – Project Euler solutions written in Go.  Great example code for learning algorithms in Go.

Vim

  • Nouns & Verbs – Understanding the basic grammar of how Vim commands are built.
  • Colons are Bad – How to stop using colon commands in VIM.
  • YADR – Sample dot files, vimrc, git support and other useful vim tools.
  • Vim Bookmarks – How to use and manage bookmarks in Vim.
  • Yankstack – A plugin that gives Emacs-style kill ring capabilities to Vim.
  • Block Shift – Visual block shifting in Vim.  Tab and un-tabbing, spacing, and block selections are all covered.
  • Vim Adventures – Learn Vim while playing a video game.
  • Awesome Vimrc – That is the name its developer gave it, not mine.  Still, it is a pretty cool, VERY clean vimrc file that has a lot of good examples in it.  Also can be found on github.

Misc

  • Programming Books – List of freely available programming books.
  • Effing Package Manager (fpm) – Build rpm and deb packages directly from gems and Bundler.
  • View your Acxiom Data – Acxiom is one of the largest brokers of personal information on the planet.  This website allows you to see the data that Acxiom has on you.  The downside?  They get to keep the data you have to submit in order to see the data they already have.
  • Large Distributed Systems – Advice from the people who build Google's infrastructure.
  • Feynman Lectures on Physics – Everything you have ever wanted to know about almost everything that we think we know.
  • Nginx Secure Configuration – Setting up and securing nginx with SSL/TLS.
  • Debugging Broken postinst on Debian – Basically the postinst file gets installed anyway, so you just need to edit it on the semi-installed machine and then run it again… until it is fixed.
  • Bruce Schneier’s Sept 2013 Cryptogram –  Read this if you want a better explanation of why you should be VERY VERY afraid of what the NSA and large internet companies are doing.  Some articles are very technical but others are surprisingly approachable to the lay person.

This is how the world end

I have a family member who recently said to me that if I posted pictures of them on Facebook, they would stop speaking to me.  This entirely understandable concern stems from their conscious concern that personal information collection by large companies has a tendency to be abused.  Once you have surrendered your privacy it is nearly impossible to get back.

What made the conversation stand out to me wasn’t their “fear” of business, but that this particular family member is one that inherently trusts government to solve this (and many other) issues.  There seems to be a fundamental disconnect between the perceived danger from business and the real danger of government.

Coca-Cola cannot force my soda consumption (or limit the size of my cup).  Google cannot regulate which sites I am allowed to visit, or what the content of those sites can be.  Philip Morris is entirely unable to limit the extent of my free speech by defining who is, or is not, a “legitimate” reporter.  And while Facebook may want to use your personal information to sell you crap, or profile your activities, it doesn’t have the ability to levy punitive damages, listen in on any phone conversation you have ever had, or target you with a drone strike.

One’s personal privacy should certainly be protected, but a healthy fear of the abuse of capitalism should always be tempered with a real fear of the only institution that has the ability to use force against us.  An institution that has demonstrated time and time again that it abuses that force to the detriment of both our privacy and our liberty.

I am not a link bot… I hope

Once again my desktop has become too cluttered with links.  Here are some of the ones I have been using the last couple of weeks.

Vim

  • Vim Cheat Sheet – A short list of useful Vim commands & shortcuts.
  • Vim copy and paste commands – Selecting blocks, yank, paste, cut, etc. in Vim.
  • Vim word completion – Found this more useful after binding the completion command to the tab key (aka bash mode).
  • Remove unwanted spaces – Because some “people” think using spaces instead of tabs is a good idea.
  • Accessing the System clipboard in Vim – Because Vim registers do not necessarily map to the OS clipboard.  The quick summary is that I would strongly recommend putting the following in your .bashrc, then making sure you have gvim installed:
    if type gvim >/dev/null 2>&1; then alias vim="gvim -v"; fi
  • Using Vim Registers – Actually using the registers mentioned above.
  • Pasting in Visual mode – Using registers is great but not really useful if you keep having to switch back to command mode to use them.

DBus

Ruby

  • Singing with Sinatra Pt. 2 – Sinatra is an ultra-simplified application server environment for Ruby.   Think Rails at about 1/10th the size.  This was the best of the tutorials I found for it.
  • Thin Server Production and static files – This little blurb was something I caught on StackOverflow and knew I would need for later as our production system is running into the same issue.
  • fpm (freggin package manager) – Tool for creating deb/rpm packages from lists of filesystem files.  Particularly useful for gems (it even has that as an input type). I am in the process of moving my existing Ruby build scripts over to fpm.

Debian

  • Creating Meta Packages – Meta packages are simply empty deb packages that contain nothing but a list of dependencies.  This way you can install a batch of packages for a given purpose (like installing the KDE desktop) in one step.
  • equivs-control man page – Used in the creation of meta packages.
  • Binary Package building tutorial for Debian – The deb build environment basically assumes you have source for all software.  This is a problem for packaging non-open-source programs that don’t provide source.  This is a tutorial for how to do it.
  • Template Changes file – Debian apt repositories generally work with .changes files to actually publish their packages.  This is an example of a changes file for the package dpkg-ruby.
  • Create your own apt repository – Includes information on upload support (which uses the changes files mentioned above).
  • Creating a basic Ruby application structure – How to create your base dependencies, directory structure, and file-system layout for a base Ruby project.

Unless you continue to remember it

The dynamic device interface for Linux is called udev.  Generally it works without complaint or frustration, but it does have some interesting side effects if you are doing more involved system configuration.  The one that tripped me up today is that udev keeps a record of every NIC that has been dynamically created during its lifetime, keyed by MAC address.  For example, if you are using a wireless USB NIC (see my post yesterday) and you plug in a different one than you used before, the new NIC is going to be named wlan1 instead of wlan0, because wlan0 is still reserved for the MAC address of the old adapter.  Generally nobody would care, but in this case I did.  Thankfully modifying these records is pretty easy.  The device history is stored in /etc/udev/rules.d/70-persistent-net.rules and can be edited by hand: change the wlan1 in the new adapter's line to wlan0 and delete the old adapter's entry, then unplug and replug the adapter (or reboot) so the rule is applied.
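The edit described above, as an added example that is not from the original post: a small POSIX shell function that pins the adapter with a given MAC address to wlan0 in a persistent-net rules file and drops every other wlan rule (and its comment line) so the name is free.  The rules file in the demo is constructed to look like the ones udev's write_net_rules helper writes; the MAC addresses and USB IDs in it are made up.

```shell
#!/bin/sh
# Pin one wireless adapter to wlan0 in a udev persistent-net rules file.
# Usage: pin_wlan0 /etc/udev/rules.d/70-persistent-net.rules 66:77:88:99:aa:bb
# Every other KERNEL=="wlan*" rule (and the comment line above it) is
# removed so that the name wlan0 is not still claimed by an old adapter.
# Added example; not part of the original post.
pin_wlan0() {
  rules=$1
  mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # udev writes MACs in lower case
  tmp=$(mktemp)
  awk -v mac="$mac" '
    # hold comment lines until we know whether the rule after them survives
    /^#/ { pending = pending $0 "\n"; next }
    /^SUBSYSTEM=="net"/ && /KERNEL=="wlan\*"/ {
      if (index($0, "ATTR{address}==\"" mac "\"") > 0) {
        sub(/NAME="wlan[0-9]+"/, "NAME=\"wlan0\"")
        printf "%s%s\n", pending, $0
      }
      pending = ""
      next
    }
    { printf "%s%s\n", pending, $0; pending = "" }
    END { printf "%s", pending }
  ' "$rules" > "$tmp" && cat "$tmp" > "$rules"   # cat keeps the file's owner and mode
  rm -f "$tmp"
}

# Constructed sample rules file: a wired card plus two USB wireless adapters.
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# This file was automatically generated by the /lib/udev/write_net_rules

# PCI device 0x8086:0x10d3 (e1000e)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="aa:bb:cc:dd:ee:01", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# USB device 0x1234:0x5678 (rtl8192cu)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:11:22:33:44:55", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan0"

# USB device 0x1234:0x5678 (rtl8192cu)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="66:77:88:99:aa:bb", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan1"
EOF
  pin_wlan0 "$f" 66:77:88:99:AA:BB
  cat "$f"          # the second adapter is now wlan0; the first adapter's rule is gone
  rm -f "$f"
}

demo
```

Because the rules are keyed on MAC address, the same file is also the place to look when an interface name unexpectedly changes after hardware is swapped: whatever adapter owns wlan0 in that file keeps it, regardless of what is physically plugged in.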

Once again, text file configuration is FREAKING AWESOME!

The gap between the ones and the zeroes

Wireless configuration on embedded Linux systems has been pretty well documented for a while now.  If you are running a desktop version of Linux then the probability of your wireless device being supported (either natively or through NDISwrapper, the layer that loads Windows XP NDIS drivers) is high enough that it is likely to be transparent to you.  The situation is slightly different when you enter the embedded side of Linux, where non-native driver support is really not an option.  That said, I have fallen in love with the Edimax Technology wireless USB NIC (it uses a Realtek chipset, driven by the rtl8192cu kernel module) because they are smaller than my thumbnail, work with any Linux distribution you can think of (even the Raspberry Pi), and cost about 10 bucks.  Heck, they even support 802.11n.  Getting this thing enabled and working on Debian from the command line is pretty simple:

apt-get install firmware-realtek
modprobe rtl8192cu
ifconfig wlan0 up

Then iwlist wlan0 scan will show you a list of the available wireless networks.  Basically apt-get downloads the firmware (firmware-realtek lives in Debian's non-free component, so that has to be enabled in sources.list first), modprobe loads the driver, and ifconfig turns on the wireless device; otherwise you get “wlan0 Interface doesn’t support scanning : Network is down” when you try to scan.  Not exactly the best error message, but anyway…
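The scan output is verbose, and the thing you actually want to know before joining anything is which networks are open or still on WEP.  The following is an added example, not from the original post: a POSIX shell function that reduces iwlist output to one line per network (ESSID, security, signal), fed here with a constructed scan rather than a live one.  It classifies a cell as WPA2 or WPA from the IE lines, WEP when the key is on but no WPA IE is present, and open otherwise.

```shell
#!/bin/sh
# Summarise the output of `iwlist wlan0 scan` as one line per network:
#   ESSID<TAB>security<TAB>signal
# where security is open, WEP, WPA or WPA2. Reads the scan text on stdin,
# e.g.  iwlist wlan0 scan | summarize_scan
# Added example, not from the original post; the scan below is constructed.
summarize_scan() {
  awk '
    function flush() {
      if (incell) {
        sec = (enc == "off") ? "open" : (wpa2 ? "WPA2" : (wpa ? "WPA" : "WEP"))
        printf "%s\t%s\t%s\n", (essid == "" ? "<hidden>" : essid), sec, signal
      }
      incell = 0; essid = ""; enc = ""; wpa = 0; wpa2 = 0; signal = ""
    }
    /Cell [0-9]+ - Address:/  { flush(); incell = 1 }
    /ESSID:"/                 { s = $0; sub(/^[ \t]*ESSID:"/, "", s); sub(/"$/, "", s); essid = s }
    /Encryption key:/         { s = $0; sub(/.*Encryption key:/, "", s); enc = s }
    /IE: IEEE 802\.11i\/WPA2/ { wpa2 = 1 }
    /IE: WPA Version/         { wpa = 1 }
    /Signal level=/           { s = $0; sub(/.*Signal level=/, "", s); signal = s }
    END { flush() }
  '
}

# Constructed scan: a WPA2 network, an open one, and a hidden WEP one.
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"HomeNet"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    Quality=70/70  Signal level=-40 dBm
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"CoffeeShop"
                    Mode:Master
                    Encryption key:off
                    Quality=45/70  Signal level=-65 dBm
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    ESSID:""
                    Mode:Master
                    Encryption key:on
                    Quality=30/70  Signal level=-80 dBm'

printf '%s\n' "$SAMPLE_SCAN" | summarize_scan
```

On the constructed scan this prints HomeNet as WPA2, CoffeeShop as open and the hidden cell as WEP.  Replace the sample with a live scan once the interface is up, and the lines marked open or WEP are the ones to stay off.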

The evils which have never happened

I found this stupidly useful shortcut inside of cron.  Generally entries in /etc/crontab and in /etc/cron.d look like this (per-user crontabs edited with crontab -e omit the username field):

* * * * *  username dosomething

With the * fields corresponding to minute, hour, day of month, month, and day of week.  But cron also has a couple of shortcuts that are useful for general system maintenance.  Specifically @reboot, which replaces ALL of the “*”s and runs once each time the cron daemon starts, which in practice means after each system reboot.  There is also a system-wide directory under /etc called cron.d which is wonderfully useful for package management, because you can drop custom package cron jobs into the directory without directly editing the crontab file.

All of this information is well known among the Unix community as a whole and mentioned in about 10,000 different places.  Here is something that isn’t quite as easy to find but still ends up being pretty important…

File entries in cron.d cannot have a period in their name…. no file extension… no period separator… NOTHING… otherwise cron simply doesn’t run the file!!!  The actual rule, from crontab(5) on Debian, is the run-parts naming convention: a name may contain only letters, digits, underscores and hyphens, and any file that breaks it is ignored.  There is a reason for it: package upgrades leave foo.dpkg-old and foo.dpkg-dist copies beside the real file, and those must not run.

I just about killed myself debugging this one over the last two days. </crying>  Now if you will excuse me, I am going to drink my body weight in beer.
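Since the naming rule above is exactly the kind of thing a package build should catch before the file ever reaches a machine, here is an added example (not from the original post) of a POSIX shell lint function for cron.d drop-ins.  It checks the run-parts name pattern and, a second classic, that the file ends with a newline, since cron rejects a final entry that is missing it.  The job lines and the mypkg-cleanup command in the demo are constructed.

```shell
#!/bin/sh
# Lint a drop-in file before installing it into /etc/cron.d from a package.
# The two checks cover the ways cron ignores a file without running it:
#   1. the name must follow the run-parts convention, only [A-Za-z0-9_-],
#      so "mypkg.cron" or "mypkg.dpkg-dist" never run (the latter is the point);
#   2. the file must end with a newline, or cron rejects the last entry.
# Prints the reason and returns 1 on failure, prints "ok" and returns 0 otherwise.
# Added example, not from the original post; the job lines in demo are constructed.
lint_cron_d() {
  path=$1
  name=$(basename "$path")
  case $name in
    *[!A-Za-z0-9_-]*)
      echo "bad name '$name': only letters, digits, _ and - are allowed (no dots)"
      return 1 ;;
  esac
  if [ ! -s "$path" ]; then
    echo "empty file"
    return 1
  fi
  # tail -c 1 gives the final byte; wc -l counts it only if it is a newline
  if [ "$(tail -c 1 "$path" | wc -l)" -ne 1 ]; then
    echo "missing trailing newline"
    return 1
  fi
  echo "ok"
  return 0
}

# Constructed drop-in: a hypothetical cleanup job run at boot and nightly.
demo() {
  d=$(mktemp -d)
  printf '@reboot root /usr/local/bin/mypkg-cleanup\n0 3 * * * root /usr/local/bin/mypkg-cleanup\n' > "$d/mypkg"
  cp "$d/mypkg" "$d/mypkg.cron"                                           # same content, dotted name
  printf '@reboot root /usr/local/bin/mypkg-cleanup' > "$d/mypkg-nonl"   # no final newline
  for f in "$d/mypkg" "$d/mypkg.cron" "$d/mypkg-nonl"; do
    printf '%s: ' "${f##*/}"
    lint_cron_d "$f" || true
  done
  rm -rf "$d"
}

demo
```

Wire lint_cron_d into the package build (or a postinst) and the two-day debugging session turns into a one-line failure at build time.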

Frittered away by detail

My first reading of the http 2.0 draft proposal left me with the feeling that they were trying to address issues that are not really problems.  At least, not a problem unless you happen to be someone like Google or Cisco.  Part of what has made the internet so ubiquitous is the easy ability for people to see and understand the basic underpinnings of how everything works.  For example, I challenge you to find a developer who didn’t start their career by right-click -> View Source’ing a website. This is the very same reason that exceedingly popular web specifications are commonly NOT industry specifications. For example, something like XML is so obnoxiously complex and excessive that it often seems like the only companies using (and making money off) such technologies are large institutional players like Oracle and IBM.  Instead, start-ups, innovation creators, and entrepreneurs continually choose things like JSON because it is simple and easy to make robust.  Honestly, I don’t know a single developer using AJAX that actually uses XML (the X in AJAX) because all it does is add size and complexity.

If you get the chance please read this great post by The Accidental Businessman.  It does a good job of explaining some of the issues I see in http 2.0 and what we are losing by making a more “computer focused” internet.

Its appointed time for everything

If you are a command-line junkie, you really need to check out @climagic on Twitter.  Some days are better than others, but I am constantly amazed at what is possible in bash/csh.  That said, here are a couple of commands I have needed recently; many will be worthless to anyone else, but oh well:

  • ar vx mypackage.deb – Unpack a Debian binary package. The result is three members: debian-binary (a one-line text file holding the format version), control.tar.gz (control metadata and maintainer scripts) and data.tar.gz (the files that actually get installed).
  • dpkg -l  – List all installed Debian packages on a given system.
  • dpkg -c mypackage.deb  –  List all files provided by the named Debian package.
  • hub pull-request -i 123 -b account/project:master -h account/project:branchtomerge  –  hub is a github utility that allows you to use some github functionality directly from the command line.  The preceding command will issue a pull request for branchtomerge into master and even tie the request to a given issue number (in this case issue #123.)
  • for h in md5sum sha1sum sha256sum; do echo "$($h "$DEB" | cut -d' ' -f1) $(wc -c < "$DEB") $(basename "$DEB")"; done  –  This builds the “hash size filename” lines used INSIDE Debian .changes files, one per digest (wc -c avoids parsing ls -l columns, which breaks as soon as a column is padded with more than one space).  The sha1 and sha256 lines go under Checksums-Sha1: and Checksums-Sha256: as-is; the md5 line goes under Files: and additionally needs the section and priority inserted before the filename.  The reason this is useful is when you need to recreate a changes file without the original source package.  The rest of the file is fairly straightforward, but the checksum sections have to be absolutely precise, because the upload tools and the archive verify them before accepting the package.  Also check out this link for more information.
  • asciiquarium  – OK, you might have to install this one first, but it is a full aquarium in ASCII characters, including sharks that eat the fish.  Submarines, fishing hooks, and even the Loch Ness monster.
  • grc tail -f /var/log/maillog –  Note to self, I need to make an rpm for this package.  grc is a generic colorizer for other command line programs that don’t use color by default (like tail, traceroute, syslog, etc…)
  • isohybrid -h 64 -s 32 mycdimage.iso  –  Writes an MBR and partition table (with the given heads/sectors geometry) into a standard ISO image so it can be written to a USB drive as well as a regular CD.  Really useful for building custom Linux CD/USB images.
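The .changes checksum lines above are easy to get subtly wrong by hand (one byte off in the size, or a Files: line without section and priority), and the same layout is what you check when you want to know whether a package in a repository is still the one that was uploaded.  The following is an added example, not from the original post: POSIX shell functions that emit all three stanzas for a set of files and re-verify the Checksums-Sha256 stanza against what is on disk.  The package file, its contents, and the section/priority defaults are constructed for the demo.

```shell
#!/bin/sh
# Build and re-check the checksum stanzas of a Debian .changes file.
# A .changes file lists every uploaded file three times:
#   Checksums-Sha1:   <sha1>   <size> <filename>
#   Checksums-Sha256: <sha256> <size> <filename>
#   Files:            <md5>    <size> <section> <priority> <filename>
# Sizes and digests must match the files byte for byte or the upload tools
# and the archive refuse it. Added example, not the page's own script; the
# package file and the section/priority values are constructed.

# One "digest size filename" line for digest tool $1 (md5sum, sha1sum,
# sha256sum) and file $2. wc -c is used instead of parsing ls -l columns.
hash_line() {
  tool=$1; f=$2
  printf '%s %s %s\n' "$($tool "$f" | cut -d' ' -f1)" "$(wc -c < "$f" | tr -d ' ')" "$(basename "$f")"
}

# Print all three stanzas for the files given as arguments.
changes_stanzas() {
  sec=${SECTION:-ruby}; pri=${PRIORITY:-optional}
  echo "Checksums-Sha1:"
  for f in "$@"; do echo " $(hash_line sha1sum "$f")"; done
  echo "Checksums-Sha256:"
  for f in "$@"; do echo " $(hash_line sha256sum "$f")"; done
  echo "Files:"
  for f in "$@"; do
    echo " $(md5sum "$f" | cut -d' ' -f1) $(wc -c < "$f" | tr -d ' ') $sec $pri $(basename "$f")"
  done
}

# Re-check every Checksums-Sha256 entry of .changes file $1 against the
# files in directory $2. Returns 0 only if every digest and size matches.
verify_sha256() {
  changes=$1; dir=$2
  awk '/^Checksums-Sha256:/ { on = 1; next } /^[^ ]/ { on = 0 } on && NF == 3 { print }' "$changes" | {
    rc=0
    while read -r digest size name; do
      f="$dir/$name"
      if [ ! -f "$f" ]; then
        echo "missing: $name"; rc=1; continue
      fi
      if [ "$digest" != "$(sha256sum "$f" | cut -d' ' -f1)" ] || [ "$size" != "$(wc -c < "$f" | tr -d ' ')" ]; then
        echo "MISMATCH: $name"; rc=1
      fi
    done
    exit $rc   # exit status of this subshell becomes the function's return value
  }
}

# Constructed package: a fake .deb, its stanzas, and a tampering check.
demo() {
  work=$(mktemp -d)
  printf 'constructed package payload\n' > "$work/example_1.0-1_all.deb"
  changes_stanzas "$work/example_1.0-1_all.deb" > "$work/example_1.0-1_amd64.changes"
  cat "$work/example_1.0-1_amd64.changes"
  verify_sha256 "$work/example_1.0-1_amd64.changes" "$work" && echo "checksums OK"
  printf 'tampered\n' >> "$work/example_1.0-1_all.deb"
  verify_sha256 "$work/example_1.0-1_amd64.changes" "$work" || echo "tampering detected"
  rm -rf "$work"
}

demo
```

verify_sha256 only looks at the SHA-256 stanza on purpose: the MD5 in Files: is still required by the format, but it is the SHA-256 values that are worth trusting when deciding whether a .deb on disk matches the signed .changes that announced it.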