Posts Tagged ‘network’

Moved to Google Apps

Tuesday, July 29th, 2008

I started to get tired of managing my own exim+spamassassin+clamav+dovecot only to serve my domain, so I decided to give Google Apps a try.

The move was fairly easy, simply register and change MX records ;) (and use imapsync to copy mail). I guess I didn't lose anything, but if you sent me a mail in the last two weeks and I haven't answered, please resend.

The only downside: I had hoped Google would have some "easy" way to move my Google account from *@gmail.com to my Google Apps domain.

IP Tunnel over SSH (with tun)

Thursday, July 24th, 2008

Today I had some connection problems in one of our offices, so I needed to connect in some alternative way. A good moment for experimenting... The alternative connection was my laptop acting as a router, connected to my mobile phone via Bluetooth.

The problems come with the VPN connections. IPsec is nice, but there are lots of things to hate about it... i.e. all tunnels are set up using static IP addresses, so in order to use the alternate connection (dynamic IP) I need to change the IPsec config of the other offices.

So today I wanted to try something new: tunneling IP traffic from one network to another over an SSH connection. And it works; Gentoo's wiki has some information on the subject: here

In brief, you need to, on the server:

  • Add "PermitTunnel yes" to /etc/ssh/sshd_config (and reload sshd so it picks up the change)

Now, on the client it's as easy as running ssh with some parameters; my script for launching it is:

#!/bin/sh
HOST=REMOTE_PARTY_ADDRESS
HOST_PORT=22
TUN_LOCAL=0   # tun device number here.
TUN_REMOTE=0  # tun device number there
IP_LOCAL=192.168.111.2 # IP Address for tun here
IP_REMOTE=192.168.111.1 # IP Address for tun there.
IP_MASK=30 # Mask of the ips above.
NET_REMOTE=192.168.0.0/16 # Network on the other side of the tunnel
NET_LOCAL=192.168.8.0/24  # Network on this side of the tunnel

echo "Starting VPN tunnel ..."
modprobe tun
# -w local:remote asks sshd to open a tun device on each end; -f sends ssh to the
# background right after authentication. The remote command configures the far
# side; the open tun channel keeps the connection up after that command exits.
ssh -w ${TUN_LOCAL}:${TUN_REMOTE} -f ${HOST} -p ${HOST_PORT} "\
    ip addr add ${IP_REMOTE}/${IP_MASK} dev tun${TUN_REMOTE} \
    && ip link set tun${TUN_REMOTE} up \
    && ip route add ${NET_LOCAL} via ${IP_LOCAL} \
    && true"
sleep 3   # give the local tun device time to appear before configuring it
ip addr add ${IP_LOCAL}/${IP_MASK} dev tun${TUN_LOCAL}
ip link set tun${TUN_LOCAL} up
ip route add ${NET_REMOTE} via ${IP_REMOTE}
echo "... done."

You'll want to run this as root (on both ends, in fact), because of the "ip" commands and because creating the tun devices requires it ;)

It's still far from perfect (i.e. the tunnel dies too often for some reason... although keepalive is set). But at least people around can print again! Luckily VoIP is handled outside the VPN.

Outgoing connections from Linux not working

Sunday, January 13th, 2008

A friend of mine has a nice MythTV box in his bedroom. Suddenly the box decided not to open outgoing connections anymore... I say outgoing because I could still connect to it from my home.

I could not find out what had changed last; maybe an aptitude upgrade, or did he change ISP?

After some time looking around, the only thing I could find was a small difference between a SYN packet sent from a remote place and the SYN packets sent by the broken system:

22:56:47.855219 IP Banner.local.33509 > google.es.www: S 206185417:206185417(0)
    win 5840 <mss 1460,sackOK,timestamp 218414628 0,nop,wscale 5>

23:24:16.072713 IP golfos.net.42742 > Banner.local.ssh: S 1705835822:1705835822(0)
    win 5840 <mss 1460,sackOK,timestamp 5636642 0,nop,wscale 4>

You see, his box was sending wscale 5 and remote sites sent wscale 4. Google, Google, more Google, until I read this:

I think OpenBSD's claim (they did have the bug and probably still do for all that I know) was that they wanted to make their firewalling "stateless".

from: http://kerneltrap.org/node/6723

Maybe the router does not know what wscale means? I disabled the router's firewall completely (I was sure I already did this...) and suddenly everything worked fine...

Sure, I have to read more about window scaling and try to understand what is wrong with the router's firewall, but for now: things work.
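As an added example (not part of the original post), here is a small Python helper that does mechanically what the post did by eye: it re-joins tcpdump's wrapped SYN records, parses the TCP options, and reports whether the wscale values sent by the local box differ from those arriving from remote hosts. The sample capture is constructed from the two SYN lines quoted above, and the Banner.local name is taken from them.

```python
import re

# Constructed sample: the two SYN records quoted above, in tcpdump's wrapped layout.
SAMPLE_CAPTURE = """\
22:56:47.855219 IP Banner.local.33509 > google.es.www: S 206185417:206185417(0)
    win 5840 <mss 1460,sackOK,timestamp 218414628 0,nop,wscale 5>
23:24:16.072713 IP golfos.net.42742 > Banner.local.ssh: S 1705835822:1705835822(0)
    win 5840 <mss 1460,sackOK,timestamp 5636642 0,nop,wscale 4>
"""

# One SYN record as tcpdump printed it above: "src > dst: S seq:seq(0) win N <options>"
SYN_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): S \d+:\d+\(\d+\)\s+"
                    r"win (?P<win>\d+) <(?P<opts>[^>]*)>")

def join_wrapped(text):
    """Re-join records that tcpdump (or the terminal) wrapped onto indented lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records

def parse_syn(record):
    """Return src, dst, advertised window and parsed TCP options of one SYN, else None."""
    m = SYN_RE.match(record)
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(","):
        fields = opt.split()
        if fields[0] == "nop": continue   # padding, carries no information
        if fields[0] == "sackOK":
            opts["sackOK"] = True
        elif fields[0] == "timestamp":    # TSval TSecr
            opts["timestamp"] = (int(fields[1]), int(fields[2]))
        else:                             # mss and wscale take one integer
            opts[fields[0]] = int(fields[1])
    return {"src": m.group("src"), "dst": m.group("dst"), "win": int(m.group("win")), "options": opts}

def wscale_by_direction(text, local_host):
    """Group SYNs by direction relative to local_host and compare the wscale values seen."""
    seen = {"outgoing": set(), "incoming": set()}
    for syn in filter(None, map(parse_syn, join_wrapped(text))):
        direction = "outgoing" if syn["src"].startswith(local_host + ".") else "incoming"
        seen[direction].add(syn["options"].get("wscale"))   # None if no wscale option
    return {"outgoing": sorted(seen["outgoing"], key=str), "incoming": sorted(seen["incoming"], key=str),
            "differs": seen["outgoing"] != seen["incoming"]}
```

Feed it the output of `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0'` from the affected host to see at a glance whether the scale factors on the two directions disagree.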