Tuesday, 4 June 2013

Howto: L2TP VPN with PSK on EC2 Linux AMI to support your Google Chromebook

Chromebooks are great devices. Unfortunately they do not support a wide range of VPN technologies, and PPTP, which we tend to use at Astyran since it is supported by most devices, is not on the list.
We thus had no choice but to modify our standard images to support L2TP over IPsec with a PSK (pre-shared key). Chrome OS also supports L2TP over IPsec with certificate-based authentication, and OpenVPN, but these are more complicated to set up, especially if you need to support a wide range of devices.

Goal of our set-up

The goal of this procedure is to document a quick and dirty method to set up a single L2TP VPN server with PSK to be used for our Chromebooks. It should work with other clients too.
Note that we will be using a Google DNS server (8.8.8.8) and that once a client is connected, all traffic is allowed through the VPN, including internet traffic.
The documented method should be fine for a single VPN server in a simple environment. If you have a more complicated setup, please spend some weeks cursing and reading on the intricacies of a VPN set-up using Linux.

Procedure

First create a (micro) EC2 instance (64-bit). We used the latest available Amazon Linux AMI (v2013.03.1). Log in as ec2-user, and enter the following in the shell:

sudo su -
yum update
yum install -y --enablerepo=epel openswan xl2tpd

Note that the enablerepo switch enables the Amazon Extra Packages for Enterprise Linux repository.
Use your favourite editor (e.g. ‘nano’) to modify the file /etc/xl2tpd/xl2tpd.conf; in its [lns default] section, set the following lines to read:

[lns default]
ip range = 192.168.22.70-192.168.22.79
local ip = 192.168.22.1
require chap = yes
name = myVPNServer

You can of course use other IP addresses. The above instructs the VPN to use 192.168.22.1 as a local address, and give remote clients an IP address between 192.168.22.70 and 192.168.22.79. Note the name myVPNServer that we will need in the next step.

Edit the file /etc/ppp/chap-secrets:

# Secrets for authentication using CHAP
# client     server        secret        IP addresses
Zaphod       myVPNServer   Beeblebrox        *

This will set the user-id to “Zaphod” and the password to “Beeblebrox”. Next edit /etc/ipsec.conf and add the following:
conn EC2
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add

Now edit/create the file /etc/ipsec.d/ec2.secrets and insert the following:

%any %any : PSK "milliways;2013"

This sets the shared secret (PSK) for the L2TP VPN connection to “milliways;2013”; the two %any fields mean the same secret is used for any local and any remote address, so every client shares it. Please do change this password and use a much, much longer one.
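Because every client shares this one secret, its length and its file permissions are the whole defence. The following script is an added example, not part of the original post: gen_psk produces a random base64 secret (no quote characters, so it is safe inside the double-quoted PSK field) and write_psk_secrets writes it in the same "%any %any : PSK" form used above, refusing short secrets and keeping the file readable by root only. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate a long random PSK and
# write it into an Openswan secrets file in the "%any %any : PSK" form the
# post uses, with permissions that keep it readable by root only.

# gen_psk: 32 random bytes, base64-encoded (43 characters after stripping
# padding). The base64 alphabet contains no quote characters.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# write_psk_secrets FILE PSK: refuse secrets that contain a double quote
# (they would break the quoted field) or are shorter than 32 characters,
# then write the line under a 077 umask so the file is never world-readable,
# even for an instant.
write_psk_secrets() {
    file=$1
    psk=$2
    case $psk in
        *\"*) echo "PSK must not contain double quotes" >&2; return 1 ;;
    esac
    if [ "${#psk}" -lt 32 ]; then
        echo "PSK shorter than 32 characters refused" >&2
        return 1
    fi
    ( umask 077 && printf '%%any %%any : PSK "%s"\n' "$psk" > "$file" ) || return 1
    chmod 600 "$file"
}

# Usage on the server (the path is the one the post uses):
#   write_psk_secrets /etc/ipsec.d/ec2.secrets "$(gen_psk)"
```

Run the usage line once as root, then restart ipsec; the generated secret has to be typed into each Chromebook, so copy it out of the file rather than retyping it.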

Open /etc/sysctl.conf in a text editor and change the following line to read “= 1” (the default is “0”):
net.ipv4.ip_forward = 1

Now execute the following commands (as root):
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done


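Values written into /proc/sys this way last only until the next reboot, and this procedure ends with one. The script below is an added example, not part of the original post: render_sysctl_hardening prints the lines to append to /etc/sysctl.conf so that the same sysctl -p used later restores them, and audit_ipv4_redirects walks a /proc/sys-style tree and reports any interface that still accepts or sends ICMP redirects, which is the check to run after the reboot. Both function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): persist the ICMP-redirect
# settings and audit them afterwards.

# Print persistent sysctl lines. The "all" and "default" entries cover the
# existing interfaces and any created later, such as the ppp devices brought
# up for VPN clients.
render_sysctl_hardening() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# audit_ipv4_redirects ROOT: ROOT is /proc/sys on a live system, or a
# constructed tree when testing. Returns 0 if every interface has both
# settings at 0, 1 otherwise, naming each offending file on stderr.
audit_ipv4_redirects() {
    root=${1:-/proc/sys}
    bad=0
    for f in "$root"/net/ipv4/conf/*/accept_redirects "$root"/net/ipv4/conf/*/send_redirects; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f" >&2
            bad=1
        fi
    done
    return $bad
}

# On the server, once before "sysctl -p" and again after the reboot:
#   render_sysctl_hardening >> /etc/sysctl.conf && sysctl -p
#   audit_ipv4_redirects && echo "ICMP redirects disabled on all interfaces"
```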
We are nearly there:
sysctl -p
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart
chkconfig xl2tpd on
chkconfig ipsec on

If there are no errors, execute:

init 6

Now configure your EC2 security groups for this VPN to allow:

  • UDP port 1701 (for L2TP)
  • UDP port 500 (for IKE)
  • UDP port 4500 (for IPsec NAT traversal)

That’s it! Check here for more information on how to set up your Chromebook for an L2TP VPN with a pre-shared key.
Enjoy!

Tuesday, 21 May 2013

Installing Ruby 2.0.0 on an Amazon Linux AMI

Earlier we already explained how to get Ruby 1.9.3 running on an Amazon AMI. This is just a quick update to get version 2.0.0 up. We used the current 64-bit Amazon AMI (2013.03.1).
Note that the complete procedure might take a few hours on an Amazon Micro instance. Deleting the old version of Ruby also removes the package aws-amitools-ec2. As long as you don’t need to create your own AMIs with this instance, you will be fine.
Here is the procedure; as usual, log in as ec2-user and perform the following from the shell:
sudo su -
cd
yum remove ruby
yum groupinstall 'Development Tools'
yum groupinstall development-libs
yum install libffi-devel
yum install libyaml-devel
yum update
wget ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p195.tar.gz
tar xzvf ruby-2.0.0-p195.tar.gz
cd ruby-2.0.0-p195
./configure
make
make install
make clean
gem update --system
exit
ruby --version

The last command should report the newly installed version.

I did not get any errors related to Doxygen this time (the dreaded "make: *** [doc/capi/.timestamp] Killed"). If you do, please refer to our earlier post on how to fix this by installing the latest version of Doxygen from source.
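The procedure fetches the tarball over plain FTP and builds it as root without checking what arrived. The script below is an added example, not part of the original post: it downloads the file and compares its SHA-256 digest with the value published for that release before the build goes ahead, deleting the file on a mismatch. The URL is the one from the procedure; EXPECTED_SHA256 is a placeholder that must be replaced with the digest published for ruby-2.0.0-p195.tar.gz, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify the Ruby tarball's
# SHA-256 digest before unpacking and building it.

RUBY_URL="ftp://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p195.tar.gz"
# Placeholder: replace with the digest published for this release.
EXPECTED_SHA256="<sha256-published-for-ruby-2.0.0-p195.tar.gz>"

# sha256_of FILE: print the hex digest, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: 0 when the digest matches, 1 otherwise.
# The comparison is case-insensitive because published digests vary in case.
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# fetch_and_verify URL EXPECTED: download, verify, and remove the file on a
# mismatch so a later "tar xzvf" cannot pick it up by accident.
fetch_and_verify() {
    name=$(basename "$1")
    wget -q -O "$name" "$1" || return 1
    if ! verify_sha256 "$name" "$2"; then
        rm -f "$name"
        return 1
    fi
    echo "$name verified"
}

# Drop-in replacement for the wget line of the procedure:
#   fetch_and_verify "$RUBY_URL" "$EXPECTED_SHA256" && tar xzvf ruby-2.0.0-p195.tar.gz
```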

That’s it! Have fun with Ruby!

History

2013/05/21 Initial version.

Monday, 20 May 2013

3 Tips to Create a Responsive HTML5 Website

I miss the excitement, wonder and awe that was part of the early web. I try to hide my feelings but I fondly remember those wonderful sites with “Under Construction” signs and flashing text to make certain you did not miss the important stuff. Annoying pop-ups and unstoppable music came later.
Progress has now brought us unstoppable video ads, banks using spamming techniques such as Flash pop-ups to circumvent your pop-up blocker, sites pushing for Facebook sign-on to steal your friends’ data, and unimportant sites that require registration in order to better track and monitor you. And then scientists wonder why people use weak passwords …
The push for applications to move into browser-land is also heavily driven by the same companies that create those browsers. If the browser has access to everything, those companies will have access too, won’t they?
The above has nothing to do with this blog. I just started the process of updating our venerable old public website and was a bit carried away. Sorry about that.
Since I like to create the website myself, it was time to dig into the thinking processes, technologies, designs and tools that are used in modern websites. After all, I am hopeless with design so I have to steal from the best. I liked our previous website better than the current one, so back to the drawing board.

Requirements

I had some very basic and simple requirements for the website:
  • Content is our corporate information;
  • Content is static;
  • Look must be contemporary;
  • Readable on all devices and support for screen-readers;
  • It must be in HTML5 (I know, requirements should not be based on but should drive the technology choice, but hey, rules are there to be broken).
I received one complaint that there is too much text on the site now. I kind of disagree, but let’s see if something can be done about it, maybe using principles of the Visual Understanding Environment, but that might be overkill.

Preparations

This is what I came up with.
Tell me what you think. Did I make the wrong choices? Did I miss anything? I will probably develop with the Brackets open-source code editor.

Result

Give me a few weeks to bring everything together and then have a look at the new Astyran website.