Posts tagged: linux

Introducing NeoRouter VPN: A Star Is Born

In our last article, we introduced PPTP VPNs for interconnecting remote users and branch offices to a central network hub. Known as a hub-and-spoke VPN, the advantage of this design is that it lets remote users participate as peers in an existing home office LAN. It’s simple to set up and easy to maintain. The drawback is vulnerability to man-in-the-middle attacks.

Today, we want to turn our attention to the more traditional client-server VPN which still relies upon a central server but uses a star topology to connect remote nodes. The major difference is that only registered devices participate in the virtual private network so there is no direct access to other machines on the LANs of the registered devices. If you have servers scattered all over the countryside, this is an excellent way to manage and interconnect them. All data and communications between the nodes can then be routed through the encrypted VPN tunnel for rock-solid security.

With NeoRouter’s free software, you can set up your VPN server using a PC, a Mac, a Linux or FreeBSD machine, OpenWrt Backfire, and Tomato. VPN clients are available for PCs, Macs, Linux and FreeBSD PCs, OpenWrt, Tomato as well as Android phones and tablets. There’s even an HTML5 web application in addition to a Chrome browser plug-in. With the OpenWrt and Tomato devices or if you’re an extreme techie, you can broaden your NeoRouter star configuration to include bridging of remote LANs. See pp. 47-50 of the NeoRouter User’s Manual. And you can interconnect up to 256 devices at no cost. For $999, you can enlarge your VPN to support 1,000 devices. Screen sharing, remote desktop connections, HTTP, and SSH access all work transparently using private IP addresses of the VPN nodes which are automatically assigned to the 10.0.0.0 private network.

You may be wondering why we’ve moved on from Hamachi. Suffice it to say, LogMeIn has put the squeeze on the free version to the point that it’s now next to worthless. In fact, you’d be hard-pressed to find any mention of a free version of Hamachi (other than a trial edition) on LogMeIn’s current web site. Here’s a feature comparison which says it better than we could:

Today we are introducing the first of two NeoRouter VPN solutions. First, we have a simple installation script that works with any PBX in a Flash 2™ server. See also our more recent column for the dedicated server edition of NeoRouter VPN known as VPN in a Flash. It’s suitable for use on a dedicated server or running as a virtual machine. For smaller VPNs, we prefer the add-on module for PBX in a Flash. For larger deployments, you probably should opt for the dedicated machine. It also isolates your VPN server from your PBX, which generally is the better network strategy. Regardless of the installation scenario you choose, keep in mind that neither option requires exposure of your entire server to the Internet. Only a single TCP port needs to be opened in your hardware-based firewall and in the iptables Linux firewall.

NeoRouter Setup with PIAF2™. We’re assuming you already have a PBX in a Flash 2 server set up behind a hardware-based firewall. If not, start there. Next, we’ll need to download and run the installer for your new NeoRouter Server. It also installs the client. Just log into your server as root and issue the following commands:

wget http://incrediblepbx.com/install-neorouter
chmod +x install-neorouter
./install-neorouter

The installer will walk you through these five installation steps, but we’ll repeat them here so you have a ready reference down the road.

First, on your hardware-based firewall, map TCP port 32976 to the private IP address of your PIAF2 server. This tells the router to send all NeoRouter VPN traffic to your PIAF2 server when it hits your firewall. If you forget this step, your NeoRouter VPN will never work!

Second, we’re going to use your server’s public IP address as the destination for incoming traffic to your NeoRouter VPN. If this is a dynamic IP address, you’ll need an FQDN that’s kept current by a service such as DynDNS.com.

Third, each administrator and user is going to need a username to access your NeoRouter VPN. The same credentials can be used to log in from multiple client machines, which you may or may not want to allow. We’re going to set up credentials for one administrator as part of the install. You can add extra accounts later with one of the following commands, using the keyword admin or user to set the account’s role. Don’t use any special characters in the username or password!

nrserver -adduser username password admin
nrserver -adduser username password user

Fourth, make up a very secure password to access your NeoRouter VPN. No special characters.

You’re done. Review your entries very carefully. If all is well, press Enter. If you blink, you may miss the completion of the install process. It’s that quick.

Fifth, after your NeoRouter VPN is installed, you can optionally go to the NeoRouter web site and register your new VPN by clicking Create Standalone Domain. Make up a name you can easily remember with no periods or spaces. You’ll be prompted for the IP address of your server in the second screen. FQDNs are NOT permitted.

When a VPN client attempts to log in to your server, the server address is always checked against this NeoRouter database first before any attempt is made to resolve an IP address or FQDN using DNS. If no matching entry is found, the client will connect directly to your server using a DNS lookup of the FQDN. Whether to register your VPN is totally up to you. Logins obviously occur quicker using this registered VPN name, but logins won’t happen at all if your server’s dynamic IP address changes and you’ve hard-coded a different IP address into your registration at neorouter.com.
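The setup steps above hinge on two things the installer cannot verify for you: that account credentials really contain no special characters before they reach nrserver, and that something is actually listening on TCP port 32976 once the server is up. The following shell helpers are an added example (not part of the article or of NeoRouter’s own tooling); the 12-character minimum password length and the sample socket listing are our own assumptions, and `nrserver -adduser` is the command documented above.

```shell
#!/bin/bash
# Added example (not from the original article or from NeoRouter): helpers to
# validate NeoRouter accounts before provisioning them and to confirm the
# server is bound to the single TCP port that is forwarded through the firewall.

NR_PORT=32976          # the one port mapped to the PIAF2 server (from the article)
NR_MIN_PASS_LEN=12     # assumption: our own policy, not a NeoRouter requirement

# The article requires usernames and passwords with no special characters.
# Accept only ASCII letters and digits; reject everything else up front rather
# than passing it to nrserver and discovering the problem at login time.
nr_valid_token() {
    case "$1" in
        '' | *[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Wrapper around "nrserver -adduser username password role" (the command the
# article documents). Returns 2 on bad input without ever calling nrserver.
nr_adduser() {
    user=$1 pass=$2 role=$3
    nr_valid_token "$user" || { echo "username: letters and digits only" >&2; return 2; }
    nr_valid_token "$pass" || { echo "password: letters and digits only" >&2; return 2; }
    [ "${#pass}" -ge "$NR_MIN_PASS_LEN" ] || { echo "password shorter than $NR_MIN_PASS_LEN" >&2; return 2; }
    case "$role" in
        admin | user) ;;
        *) echo "role must be admin or user" >&2; return 2 ;;
    esac
    nrserver -adduser "$user" "$pass" "$role"
}

# Read "ss -ltn" (or "netstat -ltn") output on stdin and exit 0 if some socket
# is listening on the given port, 1 otherwise. The local address is column 4,
# e.g. "0.0.0.0:32976" or "[::]:32976"; the port is the text after the last colon.
nr_port_listening() {
    awk -v port="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample of "ss -ltn" output for offline testing: SSH plus nrserver.
NR_SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:32976         [::]:*'

# Stand-alone use on the PIAF2 server: ./nr-check.sh --check
if [ "${1:-}" = "--check" ]; then
    if ss -ltn 2>/dev/null | nr_port_listening "$NR_PORT"; then
        echo "nrserver is listening on TCP $NR_PORT"
    else
        echo "nothing is listening on TCP $NR_PORT; restart nrserver.sh and re-check" >&2
        exit 1
    fi
fi
```

If the local check passes but clients still cannot connect, the missing piece is the firewall port map from step one, which the NeoRouter checkport page listed under Admin Tools can confirm from the outside.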

Setting Up a NeoRouter Client. As mentioned previously, there are NeoRouter clients available for almost every platform imaginable, except iPhones and iPads. Hopefully, they’re in the works. So Step #1 is to download whatever clients are appropriate to meet your requirements. Here’s the NeoRouter Download Link. Make sure you choose a client for the Free version of NeoRouter. And make sure it is a version 1.7 client! Obviously, the computing platform needs to match your client device. The clients can be installed in the traditional way with Windows machines, Macs, etc.

CentOS NeoRouter Client. As part of the installation above, we have automatically installed the NeoRouter client for your particular flavor of CentOS 6, 32-bit or 64-bit. In order to access resources on your NeoRouter server from other clients, you will need to activate the client on your server as well. This gets the server a private IP address in the 10.0.0.0 network.

To activate the client, type: nrclientcmd. You’ll be prompted for your Domain, Username, and Password. You can use the registered domain name from neorouter.com if you completed step #5. Or you can use the private IP address of your server. If your router supports hairpin NAT, you can use the public IP address or server’s FQDN, if you have one. After you complete the entries, you’ll get a display that looks something like this:

To exit from NeoRouter Explorer, type: quit. The NeoRouter client will continue to run so you can use the displayed private IP addresses to connect to any other online devices in your NeoRouter VPN. All traffic from connections to devices in the 10.0.0.0 network will flow through NeoRouter’s encrypted VPN tunnel. This includes inter-office SIP and IAX communications between Asterisk® endpoints.

Admin Tools for NeoRouter. Here are a few helpful commands for monitoring and managing your NeoRouter VPN.

Browser access to NeoRouter Configuration Explorer (requires user with Admin privileges)

Browser access to NeoRouter Network Explorer (user with Admin or User privileges)

To access your NeoRouter Linux client: nrclientcmd

To restart NeoRouter Linux client: /etc/rc.d/init.d/nrservice.sh restart

To restart NeoRouter Linux server: /etc/rc.d/init.d/nrserver.sh restart

To set domain: nrserver -setdomain YOUR-VPN-NAME domainpassword

For a list of client devices: nrserver -showcomputers

For a list of existing user accounts: nrserver -showusers

For the settings of your NeoRouter VPN: nrserver -showsettings

To add a user account: nrserver -adduser username password user

To add admin account: nrserver -adduser username password admin

Test VPN access: http://www.neorouter.com/checkport.php

For a complete list of commands: nrserver --help

To change client name from default pbx.local [1]:

  • Edit /etc/hosts
  • Edit /etc/sysconfig/network
  • Edit /etc/sysconfig/network-scripts/ifcfg-eth0
  • Edit /etc/asterisk/vm_general.inc
  • reboot

For the latest NeoRouter happenings, follow the NeoRouter blog on WordPress.com.

GPL2 License. The install-neorouter application is open source software licensed under GPL2. The NeoRouter Server and Client software is freeware but not open source. This installer has been specifically tailored for use on PBX in a Flash 2 servers, but it can easily be adjusted to work with virtually any Linux-based Asterisk system. If you make additions or changes, we hope you’ll share them on our forums for the benefit of the entire VoIP community. Enjoy!

Originally published: Wednesday, April 18, 2012




Need help with Asterisk? Visit the NEW PBX in a Flash Forum.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you discontinue service with Vitelity.

[1] We’ve built a script to rename your PIAF2 server in all the right places. You can download it here.

Taming the Cloud: Introducing Gobble for Google docs

With the exception of SourceForge and Project Hosting on Google Code, there really is no free ride for Open Source, freeware, and shareware projects insofar as storage and bandwidth are concerned. As one of the earliest members of the Association of Shareware Professionals (circa 1985) and as a Hall of Fame inductee of the Shareware Industry Awards Foundation, we’ve always had a special relationship with shareware developers, most of whom are starving. So today we’re making a contribution to the community for the benefit of everyone involved in software development of any kind who needs an inexpensive storage and bandwidth solution for products they wish to distribute.

If you didn’t know, Google docs expanded its free offering this year in several ways. First, you now can upload any type of file up to a gigabyte in size. Second, for files that aren’t converted into recognized Google document formats, Google docs provides a free gigabyte of storage at no cost. And third, you now can buy additional storage in increments of 20 GB for only $5 a year.

You may also be unaware that the PBX in a Flash project provides an enormous source repository of just about everything connected with Internet telephony. Some of these products are open source while others are freeware or shareware, but they’re all available for your use from a single repository. We also provide one of the best forums in the business providing support from literally hundreds of telephony and Linux gurus around the world. While the gurus provide their time at no cost, the resources to support these projects are not free.

Google knols are one of the few cost-free platforms for preserving tutorials such as the main articles on Nerd Vittles. Our PBX in a Flash tutorial in knol format receives over 1,000 page views a week and is one of the highest rated, most frequently accessed knols on Google’s site. As time permits, we’re going to be migrating all of the more popular Nerd Vittles articles to Google knol-ville for posterity. Google knols house an incredible repository of medical reference materials. Hopefully others in the software development community will take advantage of this terrific resource in the future.

One of the drawbacks of Google docs has been Google’s insistence that you use a web browser and jump through several hoops even to download files which are tagged as publicly-accessible. Because many of our tutorials and scripts depend upon programmatically downloading files, we simply had to have a solution before Google docs storage would work for our project and many of our contributors.

Because many of you have contributed to Nerd Vittles in many ways over the years to keep the lights on, today we’re returning the favor. We’re releasing our new Gobble for Google docs app as GPL2 open source code. That means you can build your own public repositories on Google docs and download or let others download the files from the Linux command prompt whenever the need arises. Think of it as wget or curl for Google docs.

Before we get to the code and a brief tutorial on how to use it, we want to put in a good word for the folks that made this possible. If you haven’t heard of RentACoder.com, you’ve missed another great secret. The site actually has undergone a name change recently to better reflect their current offerings. vWorker.com (which stands for Virtual Worker) describes their new mission like this:

We changed our name to reflect the diversity of the many talented workers we have on the site. Back when I founded the company in 2001 we concentrated just on programming, and the name Rent a Coder fit us. But today in 2010, the site is not just coders, but also graphic artists, writers, translators, marketers, personal assistants and numerous other types of workers. Our new name reflects that and reminds employers that they can find all kinds of talent here.

As it happened, we needed a coder, someone who could translate HTML mumbo jumbo into a bash script to download files off of Google docs with no user intervention so we posted the following job announcement:

We distribute a CentOS-based, open-source Asterisk® PBX known as PBX in a Flash. The install requires booting of an ISO-based CD that sets up CentOS 5.5 and then downloads a payload file which is used to install the remaining components. We want to store these payload files in Google Docs for downloading and then use a bash install script (without user interaction or Google credentials) to retrieve the file anonymously for processing. We anticipate that the successful design will entail use of a combination of python or perl plus wget or curl. All of these tools are available in our base install of CentOS.

We knew at the outset that this would be a thorny problem with Google’s penchant for using multiple cookies and multiple layers of obfuscation. We learned all of that from our Google Voice adventures this past year. So we limited our search to top-ranked experts on the web site and ultimately accepted a bid from CoderDan in Romania. He spoke fluent English and finished the job in a matter of days. We had a dialog which consisted of about a half dozen emails before the final code was delivered. Once you’re happy with the code, then you release the funds which you’ve placed in escrow via PayPal at the beginning of the job. Because we had never used the site or CoderDan, we opted to use a Pay-for-Deliverables contract with an Expert Guarantee. What that means is that the contractor also must pay 10% of the cost of the job into the escrow account to essentially guarantee that they will complete the job and will do so in a timely manner. Not only did CoderDan complete the job, but he finished it in record time with some terrific code as you will see when you download it. All rights to the code belong to us, and we now are releasing it as GPL2 open source for the benefit of all of you. So… thanks to all of you who have donated to Nerd Vittles over the years. Here’s just one of what we hope have been many rewards from Nerd Vittles for your contribution. For the rest of you, enjoy! And don’t be shy about clicking the Donate button at the top of the page. Even small contributions matter and are greatly appreciated!


Gobble for Google docs Prerequisites. We’ve tested this application with CentOS 5.2 through 5.5, but it should work fine with most other Linux distros that have bash and wget support. It also should work fine with Mac OS X once wget support is added.

Installing Gobble for Google docs. We’re assuming that /usr/bin is in your search path and is an appropriate place to house this application. If not, substitute an appropriate directory in the first line below and execute these commands to install the software:

cd /usr/bin
wget http://nerdvittles.com/wp-content/gobble.tgz
tar zxvf gobble.tgz
rm gobble.tgz

Using Gobble for Google docs. Complete documentation for using Gobble for Google docs is available by simply executing the script with no parameters: gobble. In a nutshell, you first must use a web browser to upload a file to Google docs making sure to change the Private setting for the file upload to Public on the Web. This is very important since Gobble can’t download files from Google docs that require authentication with user credentials. Once the file is uploaded to Google docs, click on the Folder where you stored the file and then click on the File name you wish to download. In the right column of Google docs, there will be an entry entitled Link to this page. Click on the link and copy it to your clipboard. Using SSH, log into the server with Gobble and type gobble followed by the link you copied to your clipboard. For example, to download the latest version of PBX in a Flash, the command would look like this:

gobble http://docs.google.com/leaf?id=0B5oMpKm8e6A9Y2JlZDcyOWQtN2RiMy00NDhiLWFjODctOWFhYjIxZDU3ODc2&sort=name&layout=list&num=50


When the download completes, you’ll have a file in your current directory matching the name displayed in Google docs, e.g. pbxinaflash17551-i386.iso in our example. You’re now a Gobble expert. For any gurus who embellish this script and we would encourage you to do so, please document and share your enhancements with all of us. Just leave a comment below, and we’ll take care of the rest. Enjoy!


News Flash: Many of you know Jared Smith, who has been a fixture at Digium® for many years and was one of the authors of the first two editions of Asterisk: The Future of Telephony. We’ve just learned that Jared has recently taken over as the Fedora Project Manager which is excellent news for the Fedora project. You can read all about it here. Best of luck and best wishes in your new role, Jared!
