Archive for the ‘Tips and tricks’ Category

Howto add firewall rules to RHEL 5 or CentOS 5

Tuesday, May 27th, 2008

It took me a bit too long to figure out how to add a masquerade rule to the server’s firewall so openvpn clients can reach the Intarweb too. So here it is in case you are looking to do the same:

# service iptables stop
# iptables -t nat -A POSTROUTING -s <network/cidr> -o <interface> -j MASQUERADE
# service iptables save
# service iptables restart

Example of <network/cidr>: 192.168.1.0/24
Example of <interface>: eth0

You can find the added rule in /etc/sysconfig/iptables
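As an added example (not part of the original post), a small check to run against the saved ruleset after "service iptables save": it confirms the MASQUERADE rule is present and scoped with -s and -o, and flags any POSTROUTING MASQUERADE rule without -s, which would NAT every forwarded packet instead of only the VPN subnet. The sample ruleset is constructed here; the function and file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify that an iptables-save
# dump such as /etc/sysconfig/iptables holds the scoped MASQUERADE rule and
# no broader one. Usage: check_masquerade_rule <file> <network/cidr> <iface>
# Returns 0 when the scoped rule is present, 1 if it is missing, 2 if an
# unscoped POSTROUTING MASQUERADE rule is also present.
# Caveat: some older iptables-save versions write the subnet as
# 192.168.1.0/255.255.255.0 rather than /24; pass the form your file uses.
check_masquerade_rule() {
    file=$1; net=$2; iface=$3
    scoped="-A POSTROUTING -s $net -o $iface -j MASQUERADE"
    # -F: literal match, -x: whole line, "--": the pattern starts with "-"
    if ! grep -qxF -- "$scoped" "$file"; then
        echo "missing: $scoped" >&2
        return 1
    fi
    # any POSTROUTING MASQUERADE line that lacks " -s " is too broad
    if grep -- '-A POSTROUTING .*-j MASQUERADE' "$file" | grep -qv -- ' -s '; then
        echo "unscoped MASQUERADE rule present in $file" >&2
        return 2
    fi
    return 0
}

# Constructed sample of the nat table as "service iptables save" writes it
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}
```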

Asterisk 1.2 and Xs4all VoIP configuration

Friday, August 31st, 2007

A while back the excellent Dutch ISP Xs4all introduced a VoIP service for its subscribers. Here is the configuration to make Asterisk 1.2 work with Xs4all. But before we go into the config, one remark. There is a problem with Asterisk and how the Cirpack switch that Xs4all uses sends DTMF tones. You have to patch the file rtp.c of the Asterisk source and rebuild Asterisk. If you use Fedora, RHEL or CentOS then you can use these (S)RPMs that already have this problem solved.

Search in rtp.c for the following lines:

[34] = {1, AST_FORMAT_H263},
[103] = {1, AST_FORMAT_H263_PLUS},
[97] = {1, AST_FORMAT_ILBC},
[101] = {0, AST_RTP_DTMF},
[110] = {1, AST_FORMAT_SPEEX},

and add this line:
[96] = {0, AST_RTP_DTMF},

Now let’s get on with the configuration.

In sip.conf add the following lines. Obviously you need to replace 08787xxxxx with your number and replace ******** with your password.

register => 08787xxxxx:********@sip.xs4all.nl/08787xxxxx

[xs4all-in]
type=friend
username=08787xxxxx
fromuser=08787xxxxx
fromdomain=sip.xs4all.nl
secret=********
host=sip.xs4all.nl
insecure=invite
context=from-xs4all
canreinvite=no
dtmfmode=inband
disallow=all
allow=alaw

In extensions.conf add something like the following (adjust to your needs):

[from-xs4all]
exten => 08787xxxxx,1,Dial(SIP/100,30,t)
exten => 08787xxxxx,n,Hangup()

I did not need to use “nat=yes” although my Asterisk box is behind NAT. It may depend on the modem. This setup works with a Thomson SpeedTouch 716.

SVN and WebSVN over SSL with self-signed certificates

Tuesday, August 28th, 2007

The quest for today’s holy grail is to set up a subversion repository that can be accessed through Apache with DAV and SSL, and to set up WebSVN, both using self-signed certificates. These steps apply to Fedora 7 (F7) and should probably also work for CentOS and RHEL.

Assumptions:
a) public svn repos are available through https://FQDN/svn
Don’t use anything other than the Fully Qualified Domain Name (FQDN) or this setup will not work.
b) The source for the public svn repos can basically be anything. I took /var/www/svnrepos. Make sure the directory you choose exists.

$ sudo mkdir -p /var/www/svnrepos

1) Install prerequisite packages
If you want to be able to use Apache with SVN then you need to install mod_dav_svn:

$ sudo yum install mod_dav_svn

2) Create the self-signed SSL certificates
Generate your own Certificate Authority (CA).

$ cd
$ openssl genrsa -des3 -out ca.key 1024

Here is what the output should look like:

[patrick@test ~]$ openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
.......................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

With this next command when asked for the “Common Name” (CN) use something like “FQDN CA”. Whatever you put here, do *not* use this same CN with the server certificate that you are going to create below.

$ openssl req -new -x509 -days 365 -key ca.key \
-out ca.crt

Here is what the output should look like:

[patrick@test ~]$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:The Hague
Organization Name (eg, company) [My Company Ltd]:Acme CA
Organizational Unit Name (eg, section) []:Acme CA Security
Common Name (eg, your name or your server’s hostname) []:Acme CA
Email Address []:root@example.org

Generate a server key and a certificate signing request (CSR). This step creates the server’s private key and a request (the .csr file) to have the matching certificate signed by the CA that you just created.

Create the server key:
$ openssl genrsa -des3 -out server.key 4096

Here is what the output should look like:

[patrick@test ~]$ openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................++
.........................................................++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Next create the Certificate Signing Request. For the CN do not use the same as you used for the CA. Instead use for example the FQDN of your webserver. Leave the challenge password and optional company name empty (just press enter).
$ openssl req -new -key server.key -out server.csr

Here is what the output should look like:

[patrick@test ~]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:The Hague
Organization Name (eg, company) [My Company Ltd]:Acme Server Corp.
Organizational Unit Name (eg, section) []:Acme Server Certificates
Common Name (eg, your name or your server’s hostname) []:www.example.org
Email Address []:root@example.org

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate signing request (csr) with the self-created certificate authority (CA) that you made earlier.

$ openssl x509 -req -days 365 -in server.csr \
-CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Here is what the output should look like:

[patrick@test ~]$ openssl x509 -req -days 365 -in server.csr \
> -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=NL/L=The Hague/O=Acme Server Corp./OU=Acme Server Certificates/CN=www.example.org/emailAddress=root@example.org
Getting CA Private Key
Enter pass phrase for ca.key:

Make a server.key which doesn’t cause Apache to prompt for a password. Guard its permissions VERY carefully!

$ openssl rsa -in server.key -out server.key.insecure
$ mv server.key server.key.secure
$ mv server.key.insecure server.key

If you want to have a look at what’s in all the resulting files, use these commands:

$ openssl rsa -noout -text -in server.key
$ openssl req -noout -text -in server.csr
$ openssl rsa -noout -text -in ca.key
$ openssl x509 -noout -text -in ca.crt
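The certificate steps of this section, as an added example script (not from the original post) that runs them non-interactively and then makes the two checks worth doing before copying anything into /etc/httpd/ssl: that server.crt really chains to ca.crt, and that the CA and server do not share a Common Name. It assumes the CA passphrase is passed as an argument, 2048-bit keys (the post used 1024 and 4096), AES-256 rather than -des3 for the CA key, and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: CA key/cert, server key, CSR and
# CA-signed server cert, created with -subj/-passin instead of prompts.
# Usage: make_selfsigned_chain <dir> <ca_cn> <server_cn> <ca_passphrase>
# Returns 0 on success, 1 if openssl failed, 2 if server.crt does not verify
# against ca.crt, 3 if the server certificate carries the same DN as the CA.
make_selfsigned_chain() {
    dir=$1; ca_cn=$2; server_cn=$3; ca_pass=$4
    (
        set -e
        cd "$dir"
        umask 077   # every file is created owner-only; certs are opened up below
        # CA key (passphrase-protected) and self-signed CA certificate
        openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -key ca.key -passin "pass:$ca_pass" \
            -subj "/CN=$ca_cn" -out ca.crt
        # server key without a passphrase (the post's server.key.insecure) so
        # Apache can start unattended; it is mode 0600 thanks to the umask
        openssl genrsa -out server.key 2048 2>/dev/null
        # CSR: the CN must differ from the CA's CN
        openssl req -new -key server.key -subj "/CN=$server_cn" -out server.csr
        # sign the CSR with the CA (same flags as the post)
        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
            -passin "pass:$ca_pass" -set_serial 01 -out server.crt 2>/dev/null
        chmod 644 ca.crt server.crt   # certificates are public, keys stay 0600
    ) || return 1
    # check 1: server.crt must chain to ca.crt
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 2
    # check 2: subject and issuer DN must differ; only the CN is set, so this
    # is exactly the post's "do not reuse the CA's CN" rule
    subj=$(openssl x509 -noout -subject -in "$dir/server.crt")
    issuer=$(openssl x509 -noout -issuer -in "$dir/server.crt")
    [ "${subj#subject}" != "${issuer#issuer}" ] || return 3
    return 0
}
```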

3) Copy the certificates where Apache can find them

$ sudo mkdir /etc/httpd/ssl
$ sudo cp server.key /etc/httpd/ssl/
$ sudo cp server.crt /etc/httpd/ssl/
$ sudo cp ca.crt /etc/httpd/ssl/

4) Change the default certificates in ssl.conf
Change the SSLCertificateFile, SSLCertificateKeyFile and the SSLCACertificateFile as follows:

SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

5) Create and edit /etc/subversion/servers
Add the following lines to /etc/subversion/servers:

[globals]
ssl-trust-default-ca = true

[groups]
some_name = FQDN

[some_name]
ssl-authority-files = /etc/httpd/ssl/ca.crt

6) Add the CA certificate to the ca-bundle.crt file

$ cd
$ echo '' > ca.tmp
$ openssl x509 -noout -text -in ca.crt >> ca.tmp
$ cat ca.crt >> ca.tmp
$ echo '' >> ca.tmp
$ sudo cp /etc/pki/tls/certs/ca-bundle.crt \
/etc/pki/tls/certs/ca-bundle.crt.org
$ sudo cat ca.tmp >> /etc/pki/tls/certs/ca-bundle.crt

7) Edit /etc/httpd/httpd.conf
Here I use a NameVirtualHost setup. If you need a different setup please check the Apache documentation. Put the following lines in /etc/httpd/httpd.conf. Make sure that the FQDN you use for ServerName is the same that you used when you created the self-signed SSL certificates!

Replace FQDN with the name of your webserver
Replace 10.1.2.3 with the IP address of your webserver

ServerName FQDN
NameVirtualHost 10.1.2.3:80
NameVirtualHost 10.1.2.3:443

<VirtualHost 10.1.2.3:80>
ServerAdmin you@FQDN
DocumentRoot /var/www/html
DirectoryIndex index.php index.html index.htm index.shtml
ServerName FQDN
ErrorLog logs/error_log
CustomLog logs/access_log combined
ServerSignature email
LogLevel warn
HostNameLookups off
</VirtualHost>

<VirtualHost 10.1.2.3:443>
ServerAdmin you@FQDN
ServerName FQDN
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLOptions
</VirtualHost>

SVNAutoVersioning On

<Location /svn>
DAV svn
SVNPath /var/www/svnrepos
SVNListParentPath on
SSLRequireSSL
# allow read access to the repos but authenticate a user
# if they want to write etc.
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /var/www/svnrepos/svnuserpass
# For other operations require an authenticated user.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>

If you want to force a redirect to https when the websvn page is browsed through http, then also add the following lines:

<Location /websvn>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</Location>

8) Create the password file for users that need write access to the repos

$ sudo htpasswd -c /var/www/svnrepos/svnuserpass \
some_user

9) Restart Apache

$ sudo /sbin/service httpd restart

Check /var/log/httpd/error_log for any errors!

10) Create the svn repo structure

$ sudo svnadmin create /var/www/svnrepos/

11) Create svnusers group and add user apache to it
In order to give the apache user access to the svn repo we need to create the svnusers group (or whatever you want to call it) and add the apache user to this group.

$ sudo groupadd svnusers
$ sudo usermod -G svnusers -a apache

12) Change the group of the svn repo

$ sudo chgrp -R svnusers /var/www/svnrepos/

13) Give write access to the svnusers group

$ sudo chmod -R g+w /var/www/svnrepos/

14) Prepare to import some data into the svn repo
I will be using my setup with Asterisk so I set up my svn repo with:

$ mkdir ~/svn_temp
$ cd ~/svn_temp
$ mkdir -p Asterisk12/zaptel/{trunk,branches,tags}
$ mkdir -p Asterisk14/zaptel/{trunk,branches,tags}

Import the data into the svn repo:

$ svn import ~/svn_temp/Asterisk12 \
https://FQDN/svn/Asterisk/Asterisk12 -m "Initial import"
$ svn import ~/svn_temp/Asterisk14 \
https://FQDN/svn/Asterisk/Asterisk14 -m "Initial import"

When you are done you can remove the ~/svn_temp directory:

$ rm -rf ~/svn_temp

15) Get and install the latest WebSVN
Download the latest WebSVN.
Install it, for example, in /var/www/html/websvn and create the config file:

$ sudo tar -xvzf websvn-2.0.tar.gz -C /var/www/html/
$ sudo mv /var/www/html/websvn-2.0 /var/www/html/websvn

Edit /var/www/html/websvn/include/config.php:

$config->addRepository('Asterisk', 'https://FQDN/svn/Asterisk', NULL, '', '');
$config->allowDownload();
$config->setMinDownloadLevel(2);
$config->setMinDownloadLevel(3, 'Asterisk');
$config->useEnscript();

16) Test

$ svn list https://FQDN/svn/Asterisk

Point Firefox at https://FQDN/websvn or https://FQDN/svn

Wolfenstein Enemy Territory on FC6 x86_64 & ATI fglrx drivers

Monday, October 30th, 2006

Last week I upgraded my Acer Ferrari 4005 laptop to Fedora Core 6. On rpm.livna.org I noticed that the ATI proprietary drivers were available too. I am not a supporter of proprietary solutions if there is a good Open alternative (good in the 2D sense only, I’m afraid) but thought I’d try them to get a feel for the difference between the Open driver and the proprietary one. Kudos to the Livna folks since they installed like a charm and worked right away. For some background info have a look at the Phoronix website.

With the fglrx drivers working it was time to see how fast it would go. Not being a gamer I don’t have any games, so I downloaded the free Wolfenstein: Enemy Territory (ET) demo. It took me way too long to figure out how to get ET going. The problem is that the game is x86 and not x86_64. So you need to do a couple of things to make it work:

0) I’m assuming here that you already have the x86_64 ATI proprietary drivers installed from rpm.livna.org
1) download the x86 version of the ATI proprietary drivers from the ATI website
2) make the directory: /usr/X11R6/lib32/modules/dri
3) make the directory: /usr/lib/ati-fglrx
4) from the rpm copy the files atiogl_a_dri.so and fglrx_dri.so to /usr/X11R6/lib32/modules/dri
5) from the rpm copy the files libGL.so.1.2 libfglrx_dm.so.1.0 libfglrx_gamma.so.1.0 libfglrx_pp.so.1 and libfglrx_tv.so.1.0 to /usr/lib/ati-fglrx
6) change to the /usr/lib/ati-fglrx directory
7) create a bunch of symlinks: ln -s libGL.so.1.2 libGL.so.1 && ln -s libfglrx_tvout.so.1.0 libfglrx_tvout.so.1 && ln -s libfglrx_pp.so.1.0 libfglrx_pp.so.1 && ln -s libfglrx_gamma.so.1.0 libfglrx_gamma.so.1 && ln -s libfglrx_dm.so.1.0 libfglrx_dm.so.1
8) change the ET startup script ("et") to look like this:

#!/bin/sh
# Needed to make symlinks/shortcuts work.
# The binaries must run with the correct working directory.
cd "/home/patrick/et/" || exit 1
# Point the 32-bit GL stack at the x86 fglrx files copied above
export LIBGL_DRIVERS_DIR=/usr/X11R6/lib32/modules/dri
export LD_LIBRARY_PATH=/usr/lib/ati-fglrx:/usr/lib:$LD_LIBRARY_PATH:.
exec ./et.x86 "$@"

If all is well, ET should now start on your FC6 x86_64 box. Enjoy!

Update: it may be possible that the 32bit fglrx libs at rpm.livna.org are a much cleaner solution. I have not tried it. Keep in mind that you still need to change the “et” startup script as described above.

Howto: ndiswrapper, NetworkManager and WPA2 on Fedora Core 5

Thursday, July 20th, 2006

An interesting article on linux.com gave me the last bit of info to get WiFi (or is it Wi-Fi?) with WPA2 working between my Acer Ferrari 4005 laptop and Speedtouch 716 ADSL modem. I run kernel 2.6.16-1.2080_FC5 and the Gnome desktop. I have not verified if this works with the latest 2.6.17-1.2157_FC5 kernel (update: seems to work reasonably ok with the latest FC5 kernel).

Here are the ingredients:

Ndiswrapper
Install ndiswrapper and configure it. The version I have is 1.18. I’m assuming you have the livna yum repo installed. If not get it from rpm.livna.org and install ndiswrapper with a simple “yum install ndiswrapper kmod-ndiswrapper”. Next get Acer’s 64bit WinXP WiFi driver here. Unpack the driver somewhere and import the driver into ndiswrapper with:

ndiswrapper -i bcmwl5.inf

Add the following lines to /etc/modprobe.conf:

alias eth1 ndiswrapper
options ndiswrapper if_name=eth1

I use "eth1" as my WiFi interface. If you use another change accordingly. In case you run a recent FC5 kernel you also need to blacklist the bcm43xx module to prevent it from interfering with the ndiswrapper module. Add the following line to /etc/modprobe.d/blacklist:

blacklist bcm43xx

You can now manually load the ndiswrapper and check /var/log/messages if all went well. The messages I get in /var/log/messages are:

Jul 18 15:27:08 laptop kernel: eth1: ndiswrapper ethernet device 00:14:c4:92:34:6a using driver bcmwl5, 14A2:3246.2.conf
Jul 18 15:27:08 laptop kernel: eth1: encryption modes supported: WEP; TKIP with WPA, WPA2, WPA2PSK; AES/CCMP with WPA, WPA2, WPA2PSK

Wpa_supplicant
Install wpa_supplicant with:

yum install wpa_supplicant wpa_supplicant-gui

The version I have is 0.4.8 from updates-testing. It should become available as a regular update for FC5. If it’s not (yet) get it from updates-testing with:

yum --enablerepo=updates-testing install wpa_supplicant wpa_supplicant-gui

Once installed create or modify /etc/wpa_supplicant/wpa_supplicant.conf and make it look like this (so delete anything that’s different):

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1

network={
ssid="name_of_your_access_point"
psk="yourverysecretpassword"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
}

Network services
Verify that NetworkManager, NetworkManager-gnome and NetworkManager-glib are installed. If they are not then install them with:

yum install NetworkManager

Make sure that the “network” service is disabled. Instead the “wpa_supplicant”, “NetworkManager” and “NetworkManagerDispatcher” services need to be run when you boot your box. You can easily turn off the “network” service and turn on the “wpa_supplicant”, “NetworkManager” and “NetworkManagerDispatcher” by executing from a terminal the command:

ntsysv --level 5

Configure the eth1 network device
Start system-config-network and add a new wireless device by clicking on “New” then click on “Wireless connection”. Click on the ndiswrapper entry followed by “Forward”. On the next page make sure “Mode” shows “Managed”. On the line with “Network name (SSID)” click on “specified” and enter the name of your Access Point. This name should be the same as you specified in the wpa_supplicant.conf file. Leave the rest as is and click “Forward”. On the next page select DHCP or enter a static IP address and click “Forward”. On the final page check the settings and if all is ok click on “Apply”. Save the setup by clicking on “File” -> “Save” or just press Ctrl+S.

Testing your setup
Make sure the ndiswrapper module is loaded, manually stop the network service with:

/sbin/service network stop

Next make sure that the LAN cable is removed from the laptop (if you have any attached). Then start wpa_supplicant, NetworkManager and NetworkManagerDispatcher with:

/sbin/service wpa_supplicant start
/sbin/service NetworkManager start
/sbin/service NetworkManagerDispatcher start

If all goes well you should now see a successful authentication using WPA2 and the assignment of an IP address to the laptop via DHCP. Enjoy!