Raspberry Pi as a Deliciously Simple VPN Endpoint

July 8th, 2014

Just wrote this up for packetpushers.net, figured I’d paste it down here too so I can say I’ve posted something this year.

Being the networking nerd I am, I have a pretty big network at home.  And as the denizens of the Packet Pushers IRC channel know, I do a lot of work with VPNs.  One of my use cases is sharing the resources on my home network.  My friends, family, and coworkers sometimes like to use my network for any number of reasons.  As such, my internet router performs a decent amount of VPN duty.  Historically when someone wants to connect their network to mine, and they don’t have the knowledge or resources to handle their end of the connection, I’d dig out an old netbook or something to use as a termination point.  Preconfigure a few things on it, ship it out to them, make a couple changes on their “Best Buy Grade” router, and be done with it.  But this isn’t a great solution.  Wasting a netbook/laptop for the sake of bringing up a LAN-to-LAN tunnel is a bit silly.

Recently I got a Raspberry Pi to play with.  I figured for 35 bucks I couldn’t go wrong.  I think I’ve bought cappuccinos more expensive.  My idea was that if I could get it to bring up a VPN and pass packets at a decent speed, it’d be a great solution for a super cheap, super easy remote VPN endpoint.  Turns out it works pretty well in this role, and it’s quite a bit more flexible than I’d planned on:

  • Dynamic WAN IP of the network it’s living on
  • Dynamic LAN IP of the unit itself
  • Automatic establishing of VPN to head-end
  • Unique IP to ping/ssh to, regardless of DHCP address
  • No need to port-forward anything to the device
  • No need to change routing to get return traffic back to your network

First, we need to enable packet forwarding on the Pi so we can actually pass traffic through it:

sudo sysctl net.ipv4.ip_forward=1

and to make the above persistent across reboots, add “net.ipv4.ip_forward=1” to /etc/sysctl.conf.

Install a few packages.  Some error messages may come up during the install, but they can probably be safely ignored.  I don’t recall whether ssh is on the Raspberry Pi by default, so I’m tossing it in just in case.  Openswan checks for support of a lot of different options whether or not you’re going to use them.  The other packages support openswan.

sudo apt-get install openssh-server openswan uml-utilities chkconfig

I noticed that by default “PermitRootLogin” was set to “Yes” in /etc/ssh/sshd_config.  If you plan on port-forwarding TCP/22 to the device, you should edit this and set it to “No”.

Next, add “tun” to the end of the /etc/modules file, so that after reboot we can create a tun0 interface.  Edit /etc/network/interfaces and add the following chunk after the section for eth0:

auto tun0
iface tun0 inet static
  pre-up /usr/sbin/tunctl -t tun0
  address 172.31.100.1
  netmask 255.255.255.255
  up ifconfig tun0 up

In my case I’m using 172.31.100.1 as my unique “loopback” to hit from my head-end network.  This gives me a pre-determined IP to hit, regardless of what the local address ends up being.  To get traffic passing to/from this properly, we have to add a static route.  I do this with an “@reboot” cronjob.  I’m sure there’s a more graceful way to do it, but you want something like the following to be run a few seconds after boot when the tunnel interface has been brought up:

route add -net 10.213.100.0/24 gw 172.31.100.1

Time to get to the IPSec config!  I’m using PSK auth for simplicity of this scenario.  Drop the key at the end of the /etc/ipsec.secrets file.  In this scenario the head end vpn endpoint is vpn1.iggdawg.com and the local IP isn’t important.  “%any” will let you have a dynamic local address.

%any vpn1.iggdawg.com: PSK "DERPDERPDERPDERPDERP"

It’s strongly advised to use a big pre-shared key here.  I recommend doing something like “man sendmail | sha512sum” and using the hash as a PSK.  Obviously, pipe a different manpage than I did here.

Configure a profile in /etc/ipsec.conf to handle traffic from whatever your local address is (or from your local network) to the network you’re interested in on the head end, 10.213.1.0/24 in this case.  Set the ID on the far end to the same thing as the peer hostname:

version 2.0
config setup
 interfaces=%defaultroute
 protostack=netkey
 nat_traversal=yes
 keep_alive=30

conn tunnelipsec-10.213.1.0.24
 type=tunnel
 authby=secret
 left=%defaultroute              # auto-configured as local interface IP
 #leftsubnet=192.168.1.0/24      # local network, commented out initially
 right=vpn1.iggdawg.com          # remote peer hostname or IP address
 rightsubnet=10.213.1.0/24       # network behind the head end
 rightid="vpn1.iggdawg.com"      # this makes setting the PSK much easier
 ike=aes128-sha1;modp1536        # This is the phase 1 policy.
 phase2alg=aes128-sha1           # This is the phase 2 policy.
 keyexchange=ike
 pfs=yes
 auto=start

conn tunnelipsec-10.213.100.1.24
 type=tunnel
 authby=secret
 left=%defaultroute
 leftsubnet=172.31.100.1/32      # the Pi's fixed tun0 "loopback" address
 right=vpn1.iggdawg.com
 rightsubnet=10.213.100.0/24     # head-end network that gets to reach the loopback
 rightid="vpn1.iggdawg.com"
 ike=aes128-sha1;modp1536
 phase2alg=aes128-sha1
 keyexchange=ike
 pfs=yes
 auto=start
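
A small lint pass over conn blocks like the two above, added here as an example (not from the original post): it flags a mistyped %-keyword for left/right, a missing left= or right=, a rightid that does not match right, and an unrecognized auto= value, the kind of slip that otherwise shows up only as a tunnel that never comes up.

```shell
#!/bin/sh
# lint_ipsec_conf: catch the kind of slip that keeps an Openswan spoke from ever connecting:
# a mistyped %-keyword, a missing left= or right=, a rightid that does not match right, or a
# bad auto= value. Added example, not from the original post. Usage: lint_ipsec_conf /etc/ipsec.conf
lint_ipsec_conf() {
    awk '
    # Record one finding per line; the count decides the exit status.
    function finding(msg) { n++; print FILENAME ":" NR ": " msg }

    # Per-conn checks, run when the next section starts and again at end of file.
    function flush(    id) {
        if (conn == "") return
        if (!("left" in v))  finding("conn " conn ": missing left=")
        if (!("right" in v)) finding("conn " conn ": missing right=")
        if (("rightid" in v) && ("right" in v)) {
            id = v["rightid"]; gsub(/"/, "", id)        # rightid is usually quoted
            if (id != v["right"]) finding("conn " conn ": rightid " id " does not match right=" v["right"])
        }
        if (("auto" in v) && v["auto"] !~ /^(start|add|route|ignore|manual)$/)
            finding("conn " conn ": unknown auto=" v["auto"])
        split("", v)                                    # clear the array portably
    }

    /^[ \t]*#/ || /^[ \t]*$/ { next }                   # comments and blank lines
    /^conn[ \t]+/   { flush(); conn = $2; next }
    /^config[ \t]+/ { flush(); conn = ""; next }        # "config setup" is not a conn
    conn != "" && /=/ {
        key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*#.*/, "", val); sub(/[ \t]*$/, "", val)
        v[key] = val
        # Openswan knows only a few %-magic values for left/right; anything else is a typo.
        if ((key == "left" || key == "right") && val ~ /^%/ && val != "%defaultroute" && val != "%any")
            finding("conn " conn ": unknown value " key "=" val)
    }
    END { flush(); exit (n > 0) }
    ' "$1"
}
```

Run it before “service ipsec start”; it prints one line per finding and exits non-zero if anything was found.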

Next is getting traffic in and out of the tunnel on the remote side, which starts with bringing up IPsec:

sudo service ipsec start

This is all you need to get the remote device going.  With these settings, specifically with “auto=start” configured, the device will start trying to connect right away.

Return traffic depends a bit on the other end.  If you can get away with it, put a static route on the Pi’s default gateway saying “everything destined to the network on the other end of the VPN, send it to the Raspberry Pi”.  But if that’s not an option, or you want to just play some more, we can use iptables (which is in the default Raspbian install) to source NAT the traffic to the Ethernet interface’s IP.  This makes some Windows machines behave more nicely, since it looks like all VPN traffic is LAN traffic.  There are two options to perform the source NAT (replace <eth0 addr> with the address of eth0):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <eth0 addr>

Both options perform basically the same function, but from what I gather the second option is easier on CPU.
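
Once the Pi is up, the following check script (an added example, not the author’s code) verifies each piece of the remote side configured above: forwarding, the tun0 address, the static route, an established IPsec SA, and exactly one source-NAT rule.  It assumes the addresses used in this write-up and the Openswan status wording.

```shell
#!/bin/sh
# spoke_check: post-boot health check for the Raspberry Pi spoke built above. Added example,
# not part of the original post. Assumes the addresses from the write-up (tun0 = 172.31.100.1,
# head-end LAN 10.213.100.0/24). Each check_* takes the relevant command's output as $1 so the
# logic can be exercised with sample text; run_all feeds it the live commands.
TUN_ADDR=172.31.100.1
HEADEND_NET=10.213.100.0/24

# $1: output of "sysctl -n net.ipv4.ip_forward". Without this the Pi silently drops transit traffic.
check_forwarding() { [ "$1" = "1" ]; }

# $1: output of "ip -4 addr show dev tun0". The fixed "loopback" address must be configured.
check_tun0() { printf '%s\n' "$1" | grep -qF "inet ${TUN_ADDR}/32"; }

# $1: output of "ip -4 route". The @reboot static route must send the head-end LAN via tun0's address.
check_route() { printf '%s\n' "$1" | grep -q "^${HEADEND_NET} via ${TUN_ADDR} "; }

# $1: output of "ipsec auto --status" (Openswan). At least one phase 2 SA must be up;
# "IPsec SA established" is the text Openswan's status output shows for an established phase 2 SA.
check_sa() { printf '%s\n' "$1" | grep -qF "IPsec SA established"; }

# $1: output of "iptables -t nat -S POSTROUTING". Exactly one of the two source-NAT options
# from the write-up should be present; two means the rule was added twice (or both were used).
check_nat() {
    n=$(printf '%s\n' "$1" | grep -c -e '-j MASQUERADE' -e '-j SNAT' || true)
    [ "$n" -eq 1 ]
}

# Run one check against live output and print a one-line verdict; returns the check's status.
report() {
    name=$1; fn=$2; out=$3
    if "$fn" "$out"; then echo "ok   $name"; else echo "FAIL $name"; return 1; fi
}

run_all() {
    rc=0
    report ip_forward check_forwarding "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)"  || rc=1
    report tun0       check_tun0       "$(ip -4 addr show dev tun0 2>/dev/null)"       || rc=1
    report route      check_route      "$(ip -4 route 2>/dev/null)"                    || rc=1
    report ipsec_sa   check_sa         "$(ipsec auto --status 2>/dev/null)"            || rc=1
    report nat        check_nat        "$(iptables -t nat -S POSTROUTING 2>/dev/null)" || rc=1
    return $rc
}

# Check the live system only when invoked as a script (sh spoke_check.sh), not when sourced.
case "$0" in *spoke_check.sh) run_all ;; esac
```

Save it as spoke_check.sh on the Pi and run it after a reboot; a FAIL line tells you which step of the setup above to revisit.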

So let’s get to our router config.  The setup below is written to be a very simple way of handling remote peers with dynamic addresses.  This is how I have my head-end router configured for the earlier example config.  Call me out if I forgot something; I have so much crypto config on this device that it’s sometimes hard to pick out all the pieces for one particular connection.

crypto isakmp policy 5
 encr aes 128
 hash sha
 authentication pre-share
 group 5
!
! "address 0.0.0.0 0.0.0.0" means "anyone can auth via this key"
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key 6 DERPDERPDERPDERPDERP
!
! similarly, 0.0.0.0 here matches all peers
crypto isakmp profile sites
 keyring spokes
 match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map vpnmap-dynamic 5
 set transform-set ESP-AES-128-SHA
 set pfs group5
 set isakmp-profile sites
!
crypto map vpnmap 1000 ipsec-isakmp dynamic vpnmap-dynamic
!
interface GigabitEthernet0/0
 description Outside interface
 crypto map vpnmap

Obviously there are some security implications here.  Since the profile will match connections from any device, and the defined key matches any device, if someone out there has your PSK they can hook up pretty easily.  So make sure you have proper security controls in place in and behind the head end router.

So there you have it.  This should be enough of a framework to get up and running using a Raspberry Pi as a remote IPsec endpoint for a LAN-to-LAN tunnel.  In my testing, I got 15-20 Mbps to pass through the tunnel with iperf, which isn’t bad considering the platform.  To my knowledge this is absolutely the cheapest way to throw a VPN spoke out onto the internet.  And if you haven’t played with a Raspberry Pi yet, and you’re a networking nerd, it’s a great way to blow 35 bucks and have a little fun playing with a new toy.

Tech History: Cisco’s Name and Logo

September 26th, 2011

The other day I was driving around with Emily, and I mentioned to her the origin of the name and logo of Cisco Systems.  I can’t remember how it came up, but it did.  I’m constantly tinkering with stuff in my lab, so she knows what the logo looks like even though it isn’t her field at all.  Her mind was a little blown when she made the connection between the logo and its origins.  I mentioned this to a couple coworkers, and they hadn’t heard the history behind it either.  Their minds were also a little blown.  So I thought I’d post it here, because that’s what the internet is for.  Posting random crap, I mean…  Not Cisco history.

1) Cisco: short for San Francisco.

Found the snippet below on a couple of websites, with sources leading back to cisco.com.  The link was identical on the sites, but it was broken, and Cisco’s search function only really returns technical articles regardless of how hard I searched.  But…

Cisco Systems is the world leader in manufacturing of Network related equipment. The name “Cisco” is not an acronym, but an abbreviation of San Francisco. According to John Morgridge, employee 34 and the company’s first president, the founders hit on the name and logo while driving to Sacramento to register the company — they saw the Golden Gate Bridge framed in the sunlight.

The name cisco Systems (with the lowercase “c”) continued in use within the engineering community at the company long after the official company name was changed to Cisco Systems, Inc. Users of Cisco products can still see the name ciscoSystems occasionally in bug reports and IOS messages.

2) Cisco’s logo IS the Golden Gate Bridge

Exhibit A:

Exhibit B:

From the internets as well, a different but similar account of the above story:

According to John Morgridge, the company’s first president, the founders Len Bosack and Sandy Lerner hit on the name and logo while driving to Sacramento to register the company. They saw the Golden Gate Bridge framed in the sunlight. The logo was seen by them as a modified version of the past that would shape the future. Plus it looked really “cool”. They hoped the logo would convey something about creating an authentic life and making a living at something you believe in, in a place you love, with people you really like to be with.

I couldn’t find any working links back to cisco.com in the 15 minutes I spent searching around, but many sites mirror the same story. Wikipedia references what appears to be one of the sources over at famouslogos.us. So while I can’t link a solid article from Cisco at the moment, my magic 8-ball tells me “all signs point to yes”.

Snow: not threatening enough

February 11th, 2011

We’ve had a more interesting winter than usual here in New England this year. Average snowfall in Boston is around 40 inches per year, and we’ve had nearly 70 this year (as of January) spread across 10 or so snowfalls. So I’ve had some time to watch how people react to snow (whether I like it or not). I’ve noticed something this winter about the driving habits of the unwashed public. I’m sure it’s always been this way, but for whatever reason I haven’t really noticed till now. It’s going to sound obvious, but it’s a newish perspective for me.

I’ve noticed a trend that drivers could care less about how much snow there is on the roads. Don’t get me wrong… the smallest amount of snow in the air turns most people into either terrified retards barely capable of breathing, or into trailblazing juggernauts of fury who drive where they want when they want (ATTN: Every SUV driver – this is not you: clicky). What I mean is that the decision of whether or not to stay home from work due to snowy conditions seems to have nothing to do with how much snow there is outside. It has only to do with how much hype the storm received before it hit. You’d think the sequence would go something like “get up, look outside, become terrified of conditions (or not), call into work (or not)”. But no. If a storm was heralded as a Ragnarok-like event scheduled to end all life, everyone stays home regardless of actual conditions. “The news said it was gonna suck, so it’s ok if I call in”. If the storm was predicted to fizzle out but ends up dumping 6-10 inches on us by morning, people look outside and say “Ha ha holy fuck, that is a TON of snow… fuck me, this commute is gonna suck”. Every time the news predicted the second coming of Snow Christ, my commute was great. Terrible road conditions, but no drivers around to cause trouble. Any time we got a crap-ton of snow we didn’t expect, nobody seemed to pay attention to the tundra outside. Refer to the following scientific analytic analysis chart:

As you can see, so long as a huge deal has been made about the storm during the week prior, an inch or so is all it takes to keep mere mortals cowering indoors. But without this hype, the number only gradually goes up, mostly due to people actually being physically incapable of getting their cars out of their driveways. This “Fusion of Conditioning and Timing Arising in Responsibility Degradation” (or the “FUCTARD effect”) makes even lesser storms complete hell to drive in if nobody makes a buzz about it. I blame the internet. No, really. Everyone’s so used to information being shoved in their faces that they really can’t recognize a poor condition outside their own doors unless their iPhone or Weatherbug or Weatherbug on their iPhone tells them “hey bro, you better watch out lol!”

Floating around on the internet is a rant about the naming of hurricanes:

“Who the fuck is the one naming hurricanes? They somehow manage to give them the least threatening names ever. If I turned on the news and heard that Hurricane Erin was coming I’d think to myself, “Erin? I could take that slut.” If I turned on the news and heard that Hurricane Dicksmasher was approaching, I’d grab all the money in the house, shove it in my pockets, and get the fuck out of there.”

Every time I’ve seen it it’s looked like copypasta, so I can’t credit the original author. But I’d like to see snowstorms get this treatment. I know if it was Snowstorm “Assured Fatality”, Blizzard “Blood Orgy”, or “Icefest the Great Deductible Nightmare”, I would really assess the situation before getting on the road.

More like LOLatics

January 25th, 2008

I was in an airport yesterday and, despite my best efforts, overheard a clip of a speech Obama was giving somewhere. He was rebutting against some sort of rumor that he was a Muslim, and stating he was brought up as a good and proper Christian of some flavor. At which point the audience cheers. If you’re a politician, have any faith you want. Faith isn’t a bad thing. But it has no place in a political setting. I shouldn’t know what faith a politician follows unless I do some digging and look it up. It’s a firm opinion of mine that faith and religion should not be allowed to be mentioned during a political campaign. Decisions that affect everyone in a city/state/country should never ever ever be brought about with influence from one’s faith or the faith of those it will affect. So electing someone should not have anything to do with their faith or yours. Yelling “Christianity!” in the deep south is like a rock band yelling “Boston!” when playing at the Garden (or whatever bank it is that owns it nowadays). You’re looking to buy votes with your faith. And that’s not cool. It degrades your platform, and (in my humble opinion) makes the voter’s ballot worthless.

I’m going to keep writing people in on my ballots until a candidate comes along who declares he’s an atheist, or never mentions religion at all. I want the decision maker I elect to make decisions based on what is best for the people, as decided by logic. This year my vote is split between Feynman (don’t care if he’s dead, I’d still pick him) or Cthulhu. I really can’t pick. Any feedback on this is appreciated.

PS – I know I’ll get some flak for not picking a real candidate, but I can’t pick among any of them in good conscience. Please do “bring it” though, it should be talked about imo.

Originally published at The IggBlog. You can comment here or there.

Man creates lolcat

December 14th, 2007

Korean scientists have apparently cloned glow-in-the-dark cats. linky:

I has a color

They were showing vids of RedCat all day on CNN, and he does indeed glow red under UV light. His nose, eyelids, and parts of his ears specifically. GreenCat seems to glow all over.

First: What the mother fuck?

Second: Where can I get one?!

The house that steals holidays

December 12th, 2007

So there’s this house near me. It steals holidays. 2 years ago around this time they put up a nativity scene in the barn they had connected to the house. Basically it was lifesize scarecrow-esque straw dolls all arranged in the proper fashion. They have it in the basement of this barn with the storm doors open so it’s visible to the road. It was pretty cool for a season I guess, but they left it up. All year. For 2 years now. The dolls are all faded and whatever dyes they used are running from moisture. Moisture has gotten to the straw too… the dolls are all hunched over and saggy. Honestly, it looks like a family of zombies about to feast on a baby Jesus. It’s looked like that for a solid year now.

They didn’t stop there though. Last year they put up electric candles in the windows. Pretty typical, except of course that they never took them down. This spring I noticed that they hung Easter eggs in the dead tree out front, dangling them from strings. It’s almost terrifying. This Halloween they put electrically lit plastic pumpkins in the windows, right next to the electric candles. There’s no consistency to their placement with respect to the candles; they were just kind of tossed in the windows.

This family is collecting holidays and violating them. I half expect them to steal a turkey from the turkey farm down the street and crucify it in the front yard next thanksgiving. Maybe steal a baby, dress it up like a Leprechaun, and hang it from the barn roof for St.Patty’s day.

It’s never enough

October 26th, 2007

Pretty much everyone is used to getting spam by now. And it’s usually all the same, and usually pretty benign. Subject lines like “Enlarge your penis”, “Go up one chest size in a month, naturally!”, and stuff like that. As a guy it’s a little odd getting both emails back to back, but whatevs. It’s the internet. They’re simply suggesting my junk may need enhancing to please the massive throng of “ladiez” that clearly travels in my wake. One I got today stood out a little though. I guess suggesting wasn’t enough… Here was the subject line: “All jokes aside, yeah you do got a tiny cock”. I laughed when I read it since it’s so far from the standard boring spam I’m used to getting. I guess if spam starts becoming funny it will bug me less to find my inbox full of it.


I’d buy that for a dollar

October 8th, 2007

They need to mint a new set of dollar coins. It’d have a picture of a carwash on one side, and a quarter with a line through it and “For your convenience” embossed on the back. I don’t know what the connection between carwashes and the dollar coin is, but they have it for each other big time. For a while it was great: most DIY carwashes would take quarters, $1 and $5 bills, and some even took plastic. Now it’s “Use the goddamn dollar coin or get the FUCK out!”. The best are the machines that dispense their almighty tokens and don’t take quarters; you can only change bills into dollar coins. They tell you this is “for your convenience” using reasoning that’s clearly over my head. I swear, carwashes are the only reason the dollar coin is still in circulation. Thusly my idea for the new coin design. Someone from the US mint must have taken a bullet in the dick for someone at the Underground Carwash Illuminati or something.
