Found this interesting article.

Looks like some smart people at MIT have been studying the aerodynamics of birds and planes, and have designed a Glider that can perch on a wire (like a bird).

Read on to watch a video of it in action.

Or the alternate title of “Why your inability to access international content is your ISP’s fault, and not Seacom’s”
Or “Why your cheap-as-chips residential ADSL Broadband account is broken, and why I don’t care”

I could go on with all the complaints that I’ve heard over the last 24 hours, and all the stupid reasoning behind those complaints. But I won’t. I’ll try and be helpfully informative.

So we’ll start with the facts:

• Seacom is one of the Submarine fiber cables that connect South Africa to Europe.
• There are other ways out of South Africa to Europe, that do not rely on Seacom.
• Residential ADSL users are quite far down the list of priorities for most ISP’s.
• Business users on leased lines account for significantly more income than ADSL users.
• You get what you pay for.

Your choice of ISP should take all of these facts into account:

• Does your ISP have multiple international circuits?
• Are these circuits physically diverse (ie: not the same cable).
• Are you actually paying for a service that will make use of the backup circuits in the event of a failure?

Chances are, unless you have a leased line service, and you pay something in the region of R20000 a month for it, you will be affected by the Seacom problems.

It would be incredibly naive of any ISP to expect that a single upstream provider will be up 100% of the time. Seacom do not promise a 100% uptime, so how can you expect that level of service if you rely solely on them?

The solution for the ISPs? Use one of those other forms of international connectivity. Such as the SAT3-SAFE cable. Sure, thats expensive, so only use that for your “premium” customers. Like those guys paying R20000+ a month for their leased lines. They’ll get what they pay for.

And that there, is the difference between the R900 you pay a month for 4mbit ADSL, and R20000 per month for 4mbit leased line.

You get what you pay for.

Not much to say really. Izzy broke her toe on Tuesday, so we took her to the vet. And this is what came back.

This post is especially for Rommel. He saw my last mini-guides on OpenVPN on RouterOS, and wanted to know how to set up an OpenVPN Server on Linux that operates the same as the OpenVPN Server in RouterOS.

So, this one will be short and simple, as there are a thousand different ways to do an OpenVPN Server on linux, but this way will make it work the same way its configured in my mini-guide.

Start be installing OpenVPN on your Linux machine.
In Ubuntu or Debian, this is as easy as

sudo apt-get install openvpn

Lets get the Certificates in the keys directory, if you haven’t already done it as part of the certificate generation mini-guide.

sudo mkdir /etc/openvpn/keys

Put your server .key and .crt in here, as well as your ca.crt

You will also want to copy the dh1024.pem from your certificate store.

Then, create a configuration file (we’ll call it server.conf), in /etc/openvpn/

sudo vi /etc/openvpn/server.conf

And stick the following in it:

port 1194
proto tcp
dev tun
server 10.1.0.1 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/ovpn-server.crt
key /etc/openvpn/keys/ovpn-server.key
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/server-status.log
verb 3

Save it, and restart openvpn

/etc/init.d/openvpn restart

And that should do it.

If you want to NAT all traffic out towards the Internet, giving the VPN users internet access, add a masquerade rule. Assuming eth1 is your internet facing network interface.

sudo iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Simple as that!

In the last article I showed how to configure a Mikrotik RouterOS router as an OpenVPN Server.

In this mini-guide, I’ll show how to configure a Mikrotik RouterOS router as an OpenVPN Client, and connect it to the server.

First, you’ll need to copy a client certificate to your client router. You can use this guide to help you generate one if you haven’t already done so. Then import them into RouterOS, as per the instructions.

Then you need to create a PPP Profile.

/ppp profile
add change-tcp-mss=default comment="" name=openvpn-out only-one=default \
use-compression=default use-encryption=default use-vj-compression=default

Next, you need to add the ovpn-client interface. Make sure that the certificate is the one that you imported, and that the username and password match what you configured on your server.

/interface ovpn-client
add add-default-route=no auth=sha1 certificate=client1 cipher=aes128 \
comment="" connect-to= disabled=no mode=ip name=OVPN-Client \
user=client 1 password=password1 port=1194 profile=openvpn-out

And thats it! Pretty simple really…
If you want all your internet traffic to go over the VPN, change the add-default-route=no to yes, and it will add the default route down the VPN every time it connects.

So, I was on the ZA Tech show today!

A little nerve wrecking, since it was live and I hadn’t really prepared very much. So much more that I should have said.

I spoke about Jawug, and Wug.za.net and the growing popularity of the Wireless User Groups.

Show recording is embedded after the jump…

In the first mini-guide of this series, I showed how to generate SSL Certificates for use with an OpenVPN setup.

This next mini-guide will show how to configure a Mikrotik RouterOS router for use as an OpenVPN Server. This is where your various devices will “dial-in” to.

Obviously, everyone’s network is different. So I’ll try and make this as generic as possible, but without straying from my policy of being as straight forward as I need to be.
So, hopefully, you already have a configured RouterOS router, thats already part of your network.

Designing the VPN Network

The first step of any network change, is to decide where we want to be when we’re done.
This mini-guide is going to show you how to create layer-3 tunnels from a remote device, to your home/office gateway router (running RouterOS).

Because we’re doing a layer-3 configuration, you’ll need to put aside a range of IPs for your VPN clients.
In this setup, I’m going to use 10.0.0.1/24 for our LAN, 10.1.0.1/24 for the VPN.

We create an IP Pool, which RouterOS will use to select and assign IPs for the VPN clients. Start at the second IP, since we’ll use the first IP for the server itself.

/ip pool add name=ovpn-pool ranges=10.1.0.2-10.1.0.100

Then we create an PPP Profile, which is used to define the settings of the session created with a VPN Client.

/ppp profile
add change-tcp-mss=default comment="" local-address=10.1.0.1 \
name="openvpn-in" only-one=default remote-address=openvpn-pool \
use-compression=default use-encryption=required use-vj-compression=default

Configure the OpenVPN Server. For this, we’ll need to remember the name of the imported server certificate that you generated in the previous article.

/interface ovpn-server server set auth=sha1,md5 certificate=server-cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn-in \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=24 \
port=1194 require-client-certificate=no

Configure your Firewall to allow inbound OpenVPN connections, and allow the OpenVPN Clients to NAT out of your Internet connection (if you want to allow them internet access).

/ip firewall filter add action=accept chain=input disabled=no protocol=tcp dst-port=1194
/ip firewall nat add action=masquerade chain=src-nat out-interface=

Then, for every user, you should define a username and password. This also gives you the ability to assign each client a fixed IP, and you’ll notice that in the ip pool definition I left a chunk of IPs at the end of the /24 free for this.

/ppp secret add disabled=no name="client1" password="password1"

This user will have a static IP assigned.

/ppp secret add disabled=no name="client2" password="password2" remote-address=10.1.0.101

And that is the OpenVPN Server, all configured.
In the next mini-guide, I’ll show you got to set up a Mikrotik RouterOS router as an OpenVPN client.

In this mini-howto, I’m going to show how to generate Certificates for use with OpenVPN.

Its part of a series of posts that will hopefully include:
Configuring a Mikrotik RouterOS router as a Server
Configuring a Mikrotik RouterOS router as a Client
Configuring a Linux machine as a Client
Configuring a DD-WRT router as a Client

And Tomtom will be working with me to produce instructions on connecting to the server from an iPod Touch, iPhone and Nokia N900.

So, lets begin…

All the Certificates that we generate, for the server and clients, need to be signed by the same Certificate Authority.
Then, we can generate the server and client certificates.

Generating Certificates

Thankfully, there’s an easy-to-use set of scripts that come with the linux OpenVPN packages, called easy-rsa. So we’ll first be needing a Debian/Ubuntu machine to follow this howto.

First, install OpenVPN on a linux machine.

sudo apt-get install openvpn

Then, lets move the easy-rsa scripts to somewhere useful and easier to remember, and create a directory where we’ll store the certificates.

sudo mkdir /etc/openvpn/{easy-rsa,keys}
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Then, change to the /etc/openvpn/easy-rsa directory and edit the configuration files.

cd /etc/openvpn/easy-rsa
sudo vi vars

Edit the file, changing a few of the variables as below:

export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="/etc/openvpn/keys"

If you want, you can change the values for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to values that make sense for your setup. Now, since we’ll be setting environment variables, we need an environment.

sudo bash
source vars

Take careful notice of that warning. You should only run clean-all ONCE, and this is the time you’re going to do it.

./clean-all

Thats all thats needed to setup the easy-rsa scripts.
Lets get on with generating the keys.
First, the CA (Certificate Authority)

./pkitool --initca

Next, we generate the Certificate for the OpenVPN Server.

./pkitool --server ovpn-server

Then, for each client, you generate a uniquely named client certificate.

./pkitool client1

Repeat for each client

If you want to come back later in a few days to generate a new certificate for a new client, here’s a quick list of commands to do that.

sudo bash
cd /etc/openvpn/easy-rsa
source vars
./pkitool client99

Copying certificates to the RouterOS OpenVPN Server.
Using whatever means you prefer, copy the ca.crt, ovpn-server.crt and ovpn-server.key to your RouterOS router.
I prefer using scp.

scp ca.crt ovpn-server.crt ovpn-server.key admin@<IP of Router>:.

Then, on the RouterOS Router, you should import these certificates.

/certificate import=ca.crt
/certificate import=ovpn-server.crt
/certificate import=ovpn-server.key

You may want to rename the entries to something you’ll understand, since they’ll be named cert1 and cert2 by default.

For your clients, you’ll need ca.crt, clientX.crt and clientX.key

NEVER distribute ca.key, not even to your OpenVPN Server.

BBC, Sky, RTE. They all seem to have the same News story format.

So, here’s the template that they all use. (Caution, contains a few naughty words)

Please Mr Movie making Man. Don’t destroy the memories of my childhood. Please be a good movie.