Configuring PPTP VPN

This post is the last in the series of upgrades I completed on my router running the new TomatoUSB firmware. Most of the material in this post comes from this tutorial.

Requirements:

  • A router running TomatoUSB
  • Install and configure Optware on the router
  • A way to address the router from outside the home network, for example by setting up dynamic DNS
  • A VPN client to connect to the router

Installation

Log onto your TomatoUSB via SSH and run the following on the shell

ipkg install poptop

That is it. Wait for ipkg to do its thing and you are done installing.

Configuration

Edit the file /opt/etc/pptpd.conf

I set up what is called a Single-Net configuration: once logged in, a client can reach the entire network behind the router. This is a home network, and I was not going to implement any sort of zoning on it.

Ensure the following line is commented out, that is, prefixed with #:

#logwtmp

Establish the pool of addresses handed to VPN clients. Pick a range inside the LAN subnet that the router's DHCP server does not hand out, and that does not include the router's own address. Here is what I have:

# the router's LAN address
localip 192.168.1.1
# the addresses handed to remote VPN clients as they connect
remoteip 192.168.1.245-254

Edit the file /opt/etc/ppp/options.pptpd

Here is my final configuration, with the prompts and help text removed to keep it clean(er). require-mschap-v2 makes the client authenticate with MS-CHAPv2 and require-mppe-128 makes the link use 128-bit MPPE; the refuse-* lines stop pppd from authenticating itself to the client with anything weaker. That is the strongest combination PPTP offers, but MS-CHAPv2 is itself known to be breakable by an attacker who captures the handshake, so treat this as convenient remote access to a home network rather than a strong tunnel.

name pptpd
#chapms-strip-domain

# BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}

# OpenSSL licensed ppp-2.4.1 fork with MPPE only, kernel module mppe.o
# {{{
#-chap
#-chapms
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
#+chapms-v2
# Require MPPE encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
#mppe-40 # enable either 40-bit or 128-bit, not both
#mppe-128
#mppe-stateless
nomppe-stateful
# }}}

# Network and Routing
ms-dns 192.168.1.1
#ms-dns 10.0.0.2
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp

# Logging
#debug
#dump

# Miscellaneous
lock
nobsdcomp

Authentication & Credentials

Create the file /opt/etc/ppp/chap-secrets with the VPN setup credentials. My file looks like below, of course with a valid username & password.

# Username    Server    Password             AllowedIPs
myusername    *         myawesomepassword    *

The secret is stored in the clear, since MS-CHAPv2 needs it that way, so as with any password file make sure it is only readable by root by running the following as root.

chmod 600 /opt/etc/ppp/chap-secrets

Configure Firewall

Create the file /opt/etc/config/vpn.fire and put the following in it. TomatoUSB runs every *.fire script under /opt/etc/config when the firewall is (re)started, so these rules are re-added on every firewall reload. The first two rules let the PPTP control connection (TCP 1723) and the GRE tunnel it sets up in from anywhere; the ppp+ rules give a connected client the same access to the router and the LAN as a machine on the LAN, which is the single-net setup chosen above.

#!/bin/sh
# PPTP control channel and the GRE tunnel it negotiates
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
# connected VPN clients may talk to the router and are forwarded to and from the LAN
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT

Make the script executable by running the following

chmod +x /opt/etc/config/vpn.fire

Restart the firewall service

service firewall restart

Start VPN server

This is the last step. Create the file /opt/etc/config/vpn.wanup and add the following. The pppd on the router looks for chap-secrets under /tmp/ppp, which is cleared on reboot, so the script links the persistent copy under /opt back in before (re)starting the server:

#!/bin/sh
# link the persistent secrets file into the location pppd reads
if [ ! -f /tmp/ppp/chap-secrets ]; then
    mkdir -p /tmp/ppp
    ln -s /opt/etc/ppp/chap-secrets /tmp/ppp
fi
/opt/etc/init.d/S20poptop restart

Make this script executable

chmod +x /opt/etc/config/vpn.wanup

That is it. TomatoUSB runs the *.wanup scripts under /opt/etc/config each time the WAN link comes up, so the VPN server is restarted whenever the connection returns. The VPN is up and running.
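Before testing from outside, it is worth checking the three files above for the slips that are easy to make: a require line left commented out, a remote pool that includes the router's own address, a chap-secrets that is still world-readable. The script below is an added example written for this page, not the tutorial's or poptop's own code. It assumes the file layout used above (/opt/etc/pptpd.conf, /opt/etc/ppp/options.pptpd and /opt/etc/ppp/chap-secrets) and a /24 LAN, and it needs only the sh, awk, grep and sed the router already has. The sample files it creates in a temporary directory are constructed for a stand-alone run; they are not the router's.

```sh
#!/bin/sh
# Pre-flight check for the PPTP files created above. Added example, not the
# post's or poptop's own code; it assumes the post's file layout and a /24 LAN.
# The sample files built at the bottom are constructed for a stand-alone run.

# options.pptpd must contain all of these, uncommented, and none of the second set.
REQUIRED_OPTS="refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 nomppe-stateful"
FORBIDDEN_OPTS="noauth +pap +chap require-mppe-40 mppe-40"   # weaker auth or 40-bit MPPE

# Option lines of a file with comments removed. pppd starts a comment only at
# the beginning of a word, so a secret such as pass#word survives this.
active_lines() {
    awk '{ out = ""
           for (i = 1; i <= NF; i++) {
               if (substr($i, 1, 1) == "#") break
               out = (out == "") ? $i : (out " " $i) }
           if (out != "") print out }' "$1"
}

# First value of a key in pptpd.conf, e.g. conf_value pptpd.conf remoteip
conf_value() { active_lines "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

# 0 when options.pptpd enforces MS-CHAPv2 with 128-bit MPPE and allows nothing weaker.
check_options() {
    for opt in $REQUIRED_OPTS; do
        if ! active_lines "$1" | grep -qx -- "$opt"; then echo "options: missing $opt" >&2; return 1; fi
    done
    for opt in $FORBIDDEN_OPTS; do
        if active_lines "$1" | grep -qx -- "$opt"; then echo "options: weak setting $opt enabled" >&2; return 1; fi
    done
}

# 0 when remoteip is a host range in localip's /24 that excludes localip; prints the
# pool size. It cannot see the DHCP range, so keep the pool clear of that yourself.
check_addresses() {
    localip=$(conf_value "$1" localip); remoteip=$(conf_value "$1" remoteip)
    if [ -z "$localip" ] || [ -z "$remoteip" ]; then
        echo "pptpd.conf: localip and remoteip are both required" >&2; return 1
    fi
    prefix=${localip%.*}; me=${localip##*.}               # 192.168.1 and 1
    first=${remoteip%-*}; start=${first##*.}              # 192.168.1.245 and 245
    last=${remoteip#*-}; last=${last##*.}                 # 254 (a.b.c.d-e or a.b.c.d-a.b.c.e)
    if [ "${first%.*}" != "$prefix" ]; then
        echo "pptpd.conf: remoteip $remoteip is outside $prefix.0/24" >&2; return 1
    fi
    for n in "$start" "$last" "$me"; do
        case $n in ''|*[!0-9]*) echo "pptpd.conf: cannot parse $remoteip" >&2; return 1 ;; esac
    done
    if [ "$start" -lt 1 ] || [ "$last" -gt 254 ] || [ "$last" -lt "$start" ]; then
        echo "pptpd.conf: $remoteip is not a valid host range" >&2; return 1
    fi
    if [ "$me" -ge "$start" ] && [ "$me" -le "$last" ]; then
        echo "pptpd.conf: localip $localip lies inside the remote pool" >&2; return 1
    fi
    echo $((last - start + 1))
}

# 0 when chap-secrets is mode 0600 and every entry has a non-empty secret.
check_secrets() {
    mode=$(ls -l "$1" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "chap-secrets: mode is $mode, want -rw------- (chmod 600)" >&2; return 1
    fi
    # Fields are client, server, secret, [addresses]; "" is pppd's empty secret.
    if ! active_lines "$1" | awk '{ n++; if (NF < 3 || $3 == "\"\"") bad = 1 } END { exit (bad || n == 0) }'; then
        echo "chap-secrets: no entries, or an entry with an empty secret" >&2; return 1
    fi
}

# --- Constructed samples for a stand-alone run (not the router's files) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'localip 192.168.1.1\nremoteip 192.168.1.245-254\n' > "$WORK/pptpd.conf"
cat > "$WORK/options.pptpd" <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
#mppe-40 # enable either 40-bit or 128-bit, not both
nomppe-stateful
EOF
printf '# Username Server Password AllowedIPs\nmyusername * myawesomepassword *\n' > "$WORK/chap-secrets"
chmod 600 "$WORK/chap-secrets"
# Deliberately weakened copies: 40-bit MPPE allowed, router address inside the pool,
# and a world-readable secrets file with an empty password.
sed 's/^#mppe-40 .*/require-mppe-40/' "$WORK/options.pptpd" > "$WORK/options.weak"
printf 'localip 192.168.1.250\nremoteip 192.168.1.245-254\n' > "$WORK/pptpd.weak"
printf 'myusername * "" *\n' > "$WORK/secrets.weak"; chmod 644 "$WORK/secrets.weak"

# Stand-alone run: the post's settings pass, the weakened copies do not (reasons on stderr).
report() {
    for check in "check_options $3" "check_addresses $2" "check_secrets $4"; do
        if $check >/dev/null; then echo "$1: ${check%% *} ok"; else echo "$1: ${check%% *} FAILED"; fi
    done
}
report good "$WORK/pptpd.conf" "$WORK/options.pptpd" "$WORK/chap-secrets"
report weak "$WORK/pptpd.weak" "$WORK/options.weak" "$WORK/secrets.weak"
```

On the router, call the check functions against the real paths, for example check_options /opt/etc/ppp/options.pptpd; each prints a reason on stderr and returns non-zero when something is off, so the same calls can guard the restart at the top of vpn.wanup.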

Testing it may end up being a bit tricky: you cannot meaningfully test from inside the LAN, since you are already on the network the VPN leads to. I used my phone, disabled Wi-Fi, and configured it to log in over the mobile network, to make sure the VPN was indeed reachable and working. Presto, I could log into my home network from anywhere in the world.

Check out the original post about ways to configure a VPN client on an iOS or Android device.

March 03, 2012

Extending Tomato with Optware

I had waxed eloquent about the flexibility, freedom and capabilities of open source tools in general, and TomatoUSB in particular. Little did I know that this was just the tip of the iceberg of what the third-party firmware on my Netgear router could do.

The big extension to the core capabilities of the firmware comes from installing Optware. At its core, Optware is a package manager and repository built to distribute software across a number of embedded platforms, the TomatoUSB router firmware included.

Optware comes with a variety of packages compiled and available in its repository. These extend the router's capabilities from the stripped-down, small-footprint versions of the usual tools to their full-featured Linux counterparts.

Tomato has built-in support for Optware, but it took a fair bit of work to prepare for it. In particular, two things had to be done:

  • Format the connected storage as EXT3. My terabyte RAID had originally been formatted as NTFS. TomatoUSB does support NTFS, but it is slow, painful and fundamentally missing capabilities; not something that lends itself to Optware.
  • Figure out where /opt is going to mounted.

There is no easy way to convert NTFS to EXT3, other than the slow and methodical approach: take the files off the NTFS file system, format the disk as EXT3, and copy the files back. There are several tutorials out there, like this one; the only tweak was that I ended up using the mkfs.ext3 available on the router to format the disk.

An aside, the cheap Terabyte RAID survived and is thriving through this all - including the EXT3 formatted drive.

Mounting storage on /opt, where Optware will be installed, seemed tricky at first but ended up being pretty simple. It seemed tricky because I had created only one partition on the storage when I formatted it as EXT3, and my worry was that I would have to resize the partition and add a new one that could then be mounted on /opt.

Turns out, you can mount the same device on multiple mount points. And given that I am already automounting the USB device, I figured all I had to do was to mount a sub-folder on /opt. Adding the following in the “Run after mounting” script-box, did the trick.

if [ -d /mnt/Teranarchy/optware ]; then
    mount -o bind /mnt/Teranarchy/optware /opt
fi

Once I had space available on /opt - installing Optware is simple. As simple as running the following on a shell after logging in via Telnet or SSH.

wget http://tomatousb.org/local--files/tut:optware-installation/optware-install.sh -O - | tr -d '\r' > /tmp/optware-install.sh
chmod +x /tmp/optware-install.sh
sh /tmp/optware-install.sh

That is it. One caution: the installer is fetched over plain HTTP and then run as root, so read through /tmp/optware-install.sh before the last step. Optware does a great job of obtaining and installing all the packages, and because Tomato already has the right folders in $PATH, all the tools and capabilities are available instantly from any shell.

Now that I have Optware, it is time to start doing something more interesting. Like installing a VPN on the router. Coming up next.

January 19, 2012

The Human Factory

Ira Glass has the most absorbing tales. This one is no different, and it is about a topic that I am familiar with. The whole show is embedded below, and if that does not work - the link to the original story on This American Life is here.

Favorite quote from the show: Shenzhen looks like Blade Runner threw up on itself.

Over a period of 35 minutes, the narrative evolves slowly, from a funny self-effacing confession to a pondering, visceral narrative designed, not as much to shock, as to prod new life into a story that has almost nothing new to give. To round it all up, Act II of the show is typical NPR - the other side of the story - including this opinion arguing the benefits of sweatshops.

Finally, it is easy to see this as something specific to Apple, while it is not. Having Apple in the headline does bring in the eyeballs, but the story is no different for Samsung or any of the other makers of electronics. Once again, it is the Apple side of the camp that put it together in an easy-to-use package.

The whole story is an hour long - but well worth it.

January 16, 2012

Android design standards - Finally!

Google just announced design standards for applications on Android. Having three different Android devices at home, I have first hand experience of the UI fragmentation on the platform. However, Google needs to go beyond Android for design unification. Google is broader than mobile, and having design consistency is going to be crucial for a standard user experience across all Google properties.

Consider the Gmail app, and in particular the menu item to “Report Spam”, for example. I use three different flavors of GMail, and the design across the three avenues is not only non-intuitive, but inconsistent. Even with an abundance of access, I have yet to develop the sort of muscle memory that I would associate with the typical Google user interface.

On the desktop, it is part of a grouped threesome and looks like a happy stop sign, and its relative position remains the same whether I am in the inbox view or the message view. That feels like a UI I could get used to.

On my Galaxy SII, the SPAM icon looks like an alien, with a varying location on the menu. When I select a thread from my inbox, it shows up as an option in first menu page. When I am within an email, however, it takes two menu clicks to get to the option.

Finally, on my Thrive, it is an option available only in the overflow menu. While that might say a lot about how good Google thinks its filters are, it still makes for a very annoying user experience.

Three form factors, and three different ways of thinking about spam. It is time Google thought about design standards across all of its products, and not just for a platform.

January 13, 2012

Dynamic DNS on my Tomato Router

Here is the problem statement - now that I had my router running a custom TomatoUSB build, I wanted to open it up to the Internet so that I could access my music and data from anywhere.

The first step though, was to establish a way to address my router via the Internet. Now, I get a dynamic IP address from my ISP; so I had to find a way to keep track of the latest address. The answer, of course, was to use a dynamic DNS (DDNS) solution, of which there are dozens available. But as it turned out, my case was more complicated than that.

I chose the FreeDNS service offered by afraid.org. Tomato firmware has native support for their dynamic DNS service built in. But more importantly the tagline on their website read “Why is it free? It's quite simple. We wanted a challenge... that's it.”.

To set my site up, I had to delegate the nameserver function for my domain to my hosting provider. My initial idea was to delegate a subdomain to the FreeDNS service, and then update the IP address directly from my router. Unfortunately my hosting provider did not allow delegation of sub-domains to a different DNS provider. In other words, they did not allow NS records to be created for their inconsequential customers like me. They only allowed A, TXT or CNAME records. CNAME records - that gave me a way out.

I created a sub-domain on one of the free domains provided by the FreeDNS service - in my case it was mooo.com. The name of the sub-domain did not really matter, any available one worked just fine. Then I set up my Tomato router to update the IP address of this sub-domain automatically.

Finally, I set-up a CNAME pointing a sub-domain from anarchius.org to the newly created sub-domain on mooo.com. Presto - sub-domain.anarchius.org now resolved to my WAN IP address. Here is how my DNS records look now:

There you are, Dynamic DNS on my Tomato router up and running, linked directly to my own domain. Bring on the possibilities.

January 12, 2012

Camera speed on Android

Check out the photograph above. This was taken while traveling in a car. Of particular focus are the lines on the road - they are actually straight, but show up as curved in the photograph.

When cameras were first added to cell phones, they were small, slow and blurry: the sensors were tiny, the lenses were basically plastic and the processors were slow. The megapixel count has gone up and the optics have gotten better, but the biggest bottleneck still remains the processing speed.

The phone's camera, at least on Android, takes an interesting approach to this bottleneck: the sensor is read out in sequence, line by line, starting from the top (a rolling shutter). The advantage is obvious; the camera can process one line at a time, keeping each line sharp and well processed.

The side effect is what shows up in the picture above. The straight lines on the road appear curved because the car moved between the time the first line of the sensor was read and the time the last one was.

December 26, 2011

Impulse Purchase

At long last, my Nokia 5800 has been retired from active service.

It has been replaced by my new Samsung Galaxy SII. And all this happened within a matter of a few hours.

I had been eyeing an Android phone for a while now. My first choice would have been the vanilla Nexus series - but they tend to be far too pricey and missing carrier specific frequency capabilities on their wireless chipsets. The next choice was the Galaxy series from Samsung. And that is when I saw this deal from RadioShack:

While this was about $50 more than the Black Friday deal from Radioshack, it was still a full $100 less than the discounted price on AT&T's website. And it hit my key checklist items.

  • A tried and tested phone chassis - the Galaxy S II is the second in the highly successful Galaxy series.
  • Minimal UI customization - unlike the HTC Sense UI, TouchWiz UI is relatively lightweight and optimized for speed.
  • A known upgrade path to Ice Cream Sandwich.
  • No known carrier hindrances to phone capabilities.
  • Speed and responsiveness.

The Galaxy SII hit all points on the checklist - making the decision to switch surprisingly quick and painless. And RadioShack was not that bad an experience, as far as the tactical switch went. On a side note, I need to remind myself that RadioShack is probably a better option for buying electronics when I want something outside the standard mainstream products.

RIP: my ageing Nokia 5800 - you were a trailblazer, and were better than you had any reason to be. Yet, the trail was left cold after you, for no fault of yours. You will be missed.

December 21, 2011
