September 2011

gource is so cool!!

I only discovered this incredibly cool thing today!!!

http://code.google.com/p/gource/

The project homepage is here, and it has videos.

It reads the log of a version control system and renders the history of changes as a flashy animation. Cool!! It supports several version control systems, including svn, which I know well, and git, which I know less well.

Under Homebrew it is easy: brew install gource. Once it is installed, just run gource in the root directory of your checkout!!

Then sit back and enjoy the animation!!

Eason Chan DUO Concert 2011

I am coming !!!!

HOWTO: Configure an L2TP VPN server on a Linode Gentoo VPS

Linode announced a new facility in Tokyo, Japan on September 20, 2011. It's great news for those of us inside the wall. The download speed and the latency are pretty awesome!!

I migrated my linode (actually it belongs to my boss) from the USA to Tokyo without hesitation, and rebuilt it from Ubuntu to Gentoo. As a desktop, Ubuntu has worked well for me so far. But as a server, Ubuntu sucks!!

OK, everything is ready; all we need now is an L2TP VPN server.

Here is my L2TP VPN configuration.

First of all, choose a fast mirror. My selection is gentoo.channelx.biz, chosen with mirrorselect (emerge mirrorselect). Add it to /etc/make.conf, replacing the original one.

You can run this command if you don't have a GENTOO_MIRRORS setting in /etc/make.conf yet:

echo 'GENTOO_MIRRORS="http://gentoo.channelx.biz/"' >> /etc/make.conf

The software we need is openswan, xl2tpd and ppp. All of them can be installed with emerge, but I found something wrong with openswan (v2.4.15-r2), so we must upgrade openswan to version 2.6.31, even though that version is keyword-masked.

To get past the mask, turn off automatic unmasking and accept the keyword for exactly that version:

echo 'EMERGE_DEFAULT_OPTS="--autounmask=n"' >> /etc/make.conf

echo '=net-misc/openswan-2.6.31' >> /etc/portage/package.accept_keywords

OK, install it:

emerge =net-misc/openswan-2.6.31

Let's do some copy and paste.

Configure IPsec.

Append the content of /etc/ipsec.d/examples/sysctl.conf to /etc/sysctl.conf, and make sure any rp_filter lines already in /etc/sysctl.conf are commented out, so they do not conflict with the example, which turns reverse-path filtering off:

# Enables source route verification
#net.ipv4.conf.default.rp_filter = 1
# Enable reverse path
#net.ipv4.conf.all.rp_filter = 1

You can do the append with this command:

cat /etc/ipsec.d/examples/sysctl.conf >> /etc/sysctl.conf

and apply the new sysctl.conf:

sysctl -p

Edit /etc/ipsec.conf so that it pulls in the L2TP/PSK example:

echo 'include /etc/ipsec.d/examples/l2tp-psk.conf' >> /etc/ipsec.conf

With comments and blank lines filtered out, the configuration looks like this:

# egrep -v '^[[:space:]]*(#|$)' /etc/ipsec.conf
 
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YourPublicIP
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
conn passthrough-for-non-l2tp
    type=passthrough
    left=YourPublicIP
    leftnexthop=YourGatewayIP
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    auto=route

Remember to replace "YourPublicIP" and "YourGatewayIP" with the correct values.

Edit /etc/ipsec.secrets:

YourIPAddress  %any: PSK "sharedsecret"

Do the same replacement here. Every client shares this one pre-shared key, so use a long random string rather than a word, and keep the file readable by root only (chmod 600 /etc/ipsec.secrets).

Configure iptables.

iptables -t nat -A POSTROUTING -j MASQUERADE

/etc/init.d/iptables save

rc-update add iptables default

Note that this rule masquerades every forwarded packet, not just VPN traffic; if the box forwards anything else, restrict it to the PPP pool and the public interface (-s 172.16.80.0/24 -o eth0, or whatever your interface is).

Configure xl2tpd:

# cat /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes

[lns default]
ip range = 172.16.80.128-172.16.80.254
local ip = 172.16.80.1
require chap = yes
refuse pap = yes
require authentication = yes
name = xl2tpd
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Configure PPP:

# cat /etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
ms-dns  8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

# cat /etc/ppp/chap-secrets

Username        xl2tpd      Password        *

Replace Username and Password with your own. The second column is the server name and must match the name = line in xl2tpd.conf; the * in the last column lets the user get any address from the pool.

Start the services:

/etc/init.d/ipsec start
/etc/init.d/xl2tpd start

Have fun.
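The steps above are a lot of copy-and-paste with placeholders to replace by hand. The following script is an added example, not part of the original post: it renders the ipsec.conf, ipsec.secrets and NAT rule described above into a staging directory, generates a random PSK, creates ipsec.secrets with mode 0600, limits the MASQUERADE rule to the PPP pool, and checks that no placeholder survived. It assumes (my assumptions, not the post's) that the public interface is eth0 and that the pool is the 172.16.80.0/24 range used in xl2tpd.conf above; the dead-peer-detection lines from the 2011-09-26 update are included.

```sh
#!/bin/sh
# Added example, not from the original post: stage the L2TP/IPsec config
# into a directory for review before copying it into /etc.
# Assumptions (mine): public interface eth0, PPP pool 172.16.80.0/24.
set -eu

# 32 random bytes as 64 hex characters, using only /dev/urandom and od.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# ipsec.conf with the three connections from the post; the dpd* lines come
# from the post's 2011-09-26 update so a client that drops without an IKE
# delete does not block its own next connection.
render_ipsec_conf() {
    dir=$1; pubip=$2; gw=$3
    cat > "$dir/ipsec.conf" <<EOF
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$pubip
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
conn passthrough-for-non-l2tp
    type=passthrough
    left=$pubip
    leftnexthop=$gw
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    auto=route
EOF
}

# ipsec.secrets is created with mode 0600: every client shares this key.
render_secrets() {
    dir=$1; pubip=$2; psk=$3
    ( umask 077; printf '%s  %%any: PSK "%s"\n' "$pubip" "$psk" > "$dir/ipsec.secrets" )
}

# The post's bare "-j MASQUERADE" NATs everything forwarded; limit it to
# the PPP pool leaving the public interface.
nat_rule() {
    pool=$1; iface=$2
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$pool" "$iface"
}

# Fail if any placeholder from the post's templates is still present.
check_no_placeholders() {
    ! grep -rqE 'YourPublicIP|YourGatewayIP|YourIPAddress|sharedsecret' "$1"
}

# render_all <stagedir> <public ip> <gateway ip> [psk]
render_all() {
    dir=$1; pubip=$2; gw=$3; psk=${4:-$(gen_psk)}
    mkdir -p "$dir"
    render_ipsec_conf "$dir" "$pubip" "$gw"
    render_secrets "$dir" "$pubip" "$psk"
    nat_rule 172.16.80.0/24 eth0 > "$dir/nat.sh"
}

# Usage: sh l2tp-stage.sh render /root/l2tp-stage <public ip> <gateway ip>
if [ "${1:-}" = "render" ]; then
    render_all "$2" "$3" "$4"
    check_no_placeholders "$2"
    echo "rendered into $2; review it, copy ipsec.conf and ipsec.secrets to /etc, then run sh $2/nat.sh"
fi
```

After reviewing the staged files, copy them into /etc, run the NAT rule, save it with /etc/init.d/iptables save, and start ipsec and xl2tpd as above.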

PS: ipsec verify failed?

Pluto listening for IKE on udp 500                          	[FAILED]
  Cannot execute command "lsof -i UDP:500": No such file or directory
Pluto listening for NAT-T on udp 4500                       	[FAILED]
  Cannot execute command "lsof -i UDP:4500": No such file or directory

That is fine; it only means the 'lsof' command is missing. Just run 'emerge lsof' and verify again.

References:

http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/
http://apple4.us/2010/05/setting-up-l2tp-vpn-on-debian-ubuntu.html
http://forums.gentoo.org/viewtopic-t-324500-highlight-openswan.html (the PPP configuration part; it differs between Gentoo and Ubuntu)

——————————
update: 2011-09-26
If you can connect successfully the first time but the second attempt fails, here is the solution. Add the following lines to your L2TP-PSK-noNAT connection and restart ipsec (/etc/init.d/ipsec restart):

dpddelay=40
dpdtimeout=130
dpdaction=clear

Reference:
http://lists.openswan.org/pipermail/users/2011-January/019945.html

A few days of tinkering with dd-wrt

These past few evenings I have been tinkering with my home router; here are my notes.

Before flashing DD-WRT you of course have to check whether the firmware supports your router; see: http://www.dd-wrt.com/wiki/index.php/Supported_Devices

I had previously flashed a Buffalo unit with only 4 MB of flash and 32 MB of RAM. Its biggest advantage is that the vendor itself ships the DD-WRT standard firmware, so there is no fear of bricking it.

I picked up a second-hand Belkin F7D4302. Its strength is 64 MB of RAM, 8 MB of flash, dual-band 2.4 GHz and 5 GHz, and a USB port; great hardware!! Its weaknesses are that it has no external antennas, so the signal is not that good, and it reportedly runs hot. I have only just started using it, so no deep impressions yet.

I will skip the flashing procedure itself; I just followed the article that comes up first on Google. Let me talk about the hassles along the way instead.

Belkin routers carry the following warning in the supported devices list:

WARNING: Always use TFTP to flash Belkin routers if at all possible! Upgrading dd-wrt from the web interface can lead to a bricked (nonfunctional) unit!

But my model has a note: use CFE mini Web Server for first flash. So the first flash can apparently be done from the web GUI, and I flashed the firmware built specifically for the F7D4302 ( http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/2011/06-14-11-r17201/broadcom_K26/dd-wrt.v24-17201_NEWD-2_K2.6_mini_f7d4302.bin ).

It seems you must use IE to flash; Safari, Chrome and Firefox on the Mac all failed. I don't know whether Firefox or Chrome on Linux works.

That is the mini build. If you really want to use the router seriously, mini is far from enough; the differences between mini, standard and mega are listed here: http://en.wikipedia.org/wiki/DD-WRT#Features

The mega firmware can be downloaded here: http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FV24_TNG%2Fsvn17084/

I flashed mega from the mini web GUI; it apparently did not brick, although it is occasionally a bit flaky.

Once OpenVPN is configured (the VPN here must not push a default gateway), what remains is the routing configuration on the router. Generally there are two approaches:

1. Domestic IPs take the default route; foreign IPs go through the VPN even if they are not blocked. This requires maintaining a list of domestic IP ranges, but since the IPv4 space has been fully allocated, that list probably will not change much anymore.

2. Only blocked IPs go through the VPN; everything else takes the default route. This requires maintaining a list of blocked IPs, which can be extracted from gfwlist.

Then write yourself a script around the following two commands.

ip route add $gfwip via $vpntunip table 163

ip rule add from 192.168.1.0/24 table 163

The first adds a route to $gfwip via the VPN tunnel peer into table 163; the second makes all traffic from 192.168.1.0/24 look up table 163 (which is consulted before the main table, so anything not listed there falls through to the default route). The kernel must support CONFIG_IP_MULTIPLE_TABLES; DD-WRT's kernel of course does, but the Gentoo livecd kernel does not!!

DD-WRT's package manager ipkg is lame; install ipkg-opt instead. See: http://www.dd-wrt.com/wiki/index.php/Optware , or in one line:

wget http://www.3iii.dk/linux/optware/optware-install-ddwrt.sh -O - | tr -d '\r' > /tmp/optware-install.sh

sh /tmp/optware-install.sh

(The script is fetched over plain HTTP, so read /tmp/optware-install.sh before running it as root on the router.)

I am new to DD-WRT, so some of this may be wrong; I will correct it as I run into problems.
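Here is the script the two commands above want wrapping in, as an added example that is not part of the original post. It reads a list of CIDRs (one per line, comments allowed), drops malformed entries, rebuilds table 163 from scratch so stale routes disappear, and adds the LAN rule only once, since ip rule add is not idempotent. It assumes (my assumptions) that the list lives in /jffs/vpn-routes.txt, that the tunnel peer address is passed as an argument, and that DRY_RUN=1 prints the ip commands instead of running them; it is written for busybox sh as found on DD-WRT.

```sh
#!/bin/sh
# Added example, not from the original post: policy routing for the
# "blocked IPs via VPN" approach. Assumptions (mine): list file
# /jffs/vpn-routes.txt, tunnel peer passed as $2, DRY_RUN=1 for dry runs.

TABLE=163
LAN=192.168.1.0/24

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Accept a.b.c.d or a.b.c.d/n with n in 0..32.
valid_cidr() {
    echo "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the usable entries of a list file: strip comments and whitespace,
# skip blank lines, warn on stderr about anything that is not a CIDR.
load_cidrs() {
    sed 's/#.*//; s/[[:space:]]//g' "$1" | while read -r c; do
        [ -z "$c" ] && continue
        if valid_cidr "$c"; then
            echo "$c"
        else
            echo "skip bad entry: $c" >&2
        fi
    done
}

# apply_routes <tunnel peer ip> <list file>
# Rebuild table 163 from the list, then make sure the LAN rule exists.
# The rule gets the default preference (32765), which is looked up before
# main (32766), so unlisted destinations fall through to the default route.
apply_routes() {
    peer=$1; list=$2
    run ip route flush table "$TABLE"
    load_cidrs "$list" | while read -r c; do
        run ip route add "$c" via "$peer" table "$TABLE"
    done
    if ! ip rule show 2>/dev/null | grep -q "from $LAN lookup $TABLE"; then
        run ip rule add from "$LAN" table "$TABLE"
    fi
    run ip route flush cache
}

# Usage: sh vpn-routes.sh apply <tunnel peer ip> [list file]
if [ "${1:-}" = "apply" ]; then
    apply_routes "$2" "${3:-/jffs/vpn-routes.txt}"
fi
```

Run it with DRY_RUN=1 first to see exactly which routes would be installed, and hook it into the OpenVPN client's up script so the table is rebuilt whenever the tunnel comes up with a new peer address.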

——————————–

update: 2011-09-24

For my router model... the built-in OpenVPN client cannot be used; it seems to have all sorts of problems, for example the configuration is not saved (a reboot reverts it to the previous configuration), the 5 GHz network disappears, and so on. Install screen with ipkg-opt and run the OpenVPN client yourself.

update: 2012-05-01

I played with DD-WRT again today, so here is an update. In the end I moved all foreign IPs through the VPN; routing only the blocked IPs through the VPN was still quite inconvenient.

Notes on configuring an LVS tunnel real server under Ubuntu

A quick note.

I had used LVS tunnel mode once before, during an internal network change, and had not configured it since. Today I had to set up an LVS for the external network and did it again, and found something to watch out for.

In DR mode the real server (RS) configuration is usually as follows:

/sbin/ifconfig lo:0 $VIP broadcast $VIP netmask 255.255.255.255 up
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce

For tunnel mode, change it to this (the VIP goes on tunl0 instead of lo:0; the ARP settings are the same):

/sbin/ifconfig tunl0 $VIP broadcast $VIP netmask 255.255.255.255 up
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce

If you run this directly, you may get the following errors (at least that damned Ubuntu did!!! I really need to find a chance to replace it...):

SIOCSIFADDR: No such device
tunl0: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: No such device

It cannot even create the tunnel device!!

OK, so the IP-in-IP tunnel driver is built as a module rather than compiled into the kernel @@

modprobe ipip and you're done.
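The following script is an added example, not part of the original post: it brings up the real server for either DR or TUN mode with the ip(8) equivalents of the ifconfig lines above, and for TUN mode it loads the ipip module first when tunl0 is missing, which is the "No such device" failure described above. Assumptions of mine: the VIP is passed as an argument, DRY_RUN=1 prints the commands instead of running them, and reverse-path filtering is switched off on tunl0 (that last setting is not in the post; decapsulated packets arrive on tunl0 with source addresses that are not routable back through it, so rp_filter would drop them).

```sh
#!/bin/sh
# Added example, not from the original post: LVS real server bring-up for
# DR (VIP on lo:0) or TUN (VIP on tunl0, after loading ipip if needed).
# Assumptions (mine): VIP given on the command line, DRY_RUN=1 for dry runs.

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# tunl0 only exists once the ipip driver is loaded or built in.
have_tunl0() {
    [ -d /sys/class/net/tunl0 ]
}

# Load ipip when tunl0 is missing; when really applying, confirm it appeared.
ensure_ipip() {
    have_tunl0 && return 0
    run modprobe ipip
    if [ -z "${DRY_RUN:-}" ] && ! have_tunl0; then
        echo "ipip loaded but tunl0 still missing" >&2
        return 1
    fi
    return 0
}

# The ARP settings from the post, identical for DR and TUN; for TUN also
# relax reverse-path filtering on the tunnel device (not in the post).
rs_sysctls() {
    d=$1
    for i in lo all; do
        run sysctl -w "net.ipv4.conf.$i.arp_ignore=1"
        run sysctl -w "net.ipv4.conf.$i.arp_announce=2"
    done
    [ "$d" = tunl0 ] && run sysctl -w "net.ipv4.conf.tunl0.rp_filter=0"
    return 0
}

# rs_up <dr|tun> <VIP>
rs_up() {
    mode=$1; vip=$2
    echo "$vip" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "bad VIP: $vip" >&2; return 1; }
    case $mode in
        dr)  dev=lo;    extra="label lo:0" ;;
        tun) dev=tunl0; extra=""; ensure_ipip || return 1 ;;
        *)   echo "mode must be dr or tun" >&2; return 1 ;;
    esac
    # "replace" keeps this idempotent; "add" fails if the VIP is already there
    run ip addr replace "$vip/32" brd "$vip" dev "$dev" $extra
    run ip link set "$dev" up
    rs_sysctls "$dev"
}

# Usage: sh lvs-rs.sh <dr|tun> <VIP>
if [ "${1:-}" = dr ] || [ "${1:-}" = tun ]; then
    rs_up "$1" "$2"
fi
```

To make the setting survive a reboot, add ipip to /etc/modules on Ubuntu (or set the device up from an interfaces(5) hook) instead of relying on the manual modprobe.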