So, this one will be short and simple, as there are a thousand different ways to do an OpenVPN Server on linux, but this way will make it work the same way its configured in my mini-guide.

Start be installing OpenVPN on your Linux machine.
In Ubuntu or Debian, this is as easy as

sudo apt-get install openvpn

Lets get the Certificates in the keys directory, if you haven’t already done it as part of the certificate generation mini-guide.

sudo mkdir /etc/openvpn/keys

Put your server .key and .crt in here, as well as your ca.crt

You will also want to copy the dh1024.pem from your certificate store.

Then, create a configuration file (we’ll call it server.conf), in /etc/openvpn/

sudo vi /etc/openvpn/server.conf

And stick the following in it:

port 1194
proto tcp
dev tun
server 10.1.0.1 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/ovpn-server.crt
key /etc/openvpn/keys/ovpn-server.key
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/server-status.log
verb 3

Save it, and restart openvpn

/etc/init.d/openvpn restart

And that should do it.

If you want to NAT all traffic out towards the Internet, giving the VPN users internet access, add a masquerade rule. Assuming eth1 is your internet facing network interface.

sudo iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Simple as that!

In this mini-guide, I’ll show how to configure a Mikrotik RouterOS router as an OpenVPN Client, and connect it to the server.

First, you’ll need to copy a client certificate to your client router. You can use this guide to help you generate one if you haven’t already done so. Then import them into RouterOS, as per the instructions.

Then you need to create a PPP Profile.

/ppp profile
add change-tcp-mss=default comment="" name=openvpn-out only-one=default \
use-compression=default use-encryption=default use-vj-compression=default

Next, you need to add the ovpn-client interface. Make sure that the certificate is the one that you imported, and that the username and password match what you configured on your server.

/interface ovpn-client
add add-default-route=no auth=sha1 certificate=client1 cipher=aes128 \
comment="" connect-to= disabled=no mode=ip name=OVPN-Client \
user=client 1 password=password1 port=1194 profile=openvpn-out

And thats it! Pretty simple really…
If you want all your internet traffic to go over the VPN, change the add-default-route=no to yes, and it will add the default route down the VPN every time it connects.

A little nerve wrecking, since it was live and I hadn’t really prepared very much. So much more that I should have said.

I spoke about Jawug, and Wug.za.net and the growing popularity of the Wireless User Groups.

Show recording is embedded after the jump…

This next mini-guide will show how to configure a Mikrotik RouterOS router for use as an OpenVPN Server. This is where your various devices will “dial-in” to.

Obviously, everyone’s network is different. So I’ll try and make this as generic as possible, but without straying from my policy of being as straight forward as I need to be.
So, hopefully, you already have a configured RouterOS router, thats already part of your network.

Designing the VPN Network

The first step of any network change, is to decide where we want to be when we’re done.
This mini-guide is going to show you how to create layer-3 tunnels from a remote device, to your home/office gateway router (running RouterOS).

Because we’re doing a layer-3 configuration, you’ll need to put aside a range of IPs for your VPN clients.
In this setup, I’m going to use 10.0.0.1/24 for our LAN, 10.1.0.1/24 for the VPN.

We create an IP Pool, which RouterOS will use to select and assign IPs for the VPN clients. Start at the second IP, since we’ll use the first IP for the server itself.

/ip pool add name=ovpn-pool ranges=10.1.0.2-10.1.0.100

Then we create an PPP Profile, which is used to define the settings of the session created with a VPN Client.

/ppp profile
add change-tcp-mss=default comment="" local-address=10.1.0.1 \
name="openvpn-in" only-one=default remote-address=openvpn-pool \
use-compression=default use-encryption=required use-vj-compression=default

Configure the OpenVPN Server. For this, we’ll need to remember the name of the imported server certificate that you generated in the previous article.

/interface ovpn-server server set auth=sha1,md5 certificate=server-cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn-in \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=24 \
port=1194 require-client-certificate=no

Configure your Firewall to allow inbound OpenVPN connections, and allow the OpenVPN Clients to NAT out of your Internet connection (if you want to allow them internet access).

/ip firewall filter add action=accept chain=input disabled=no protocol=tcp dst-port=1194
/ip firewall nat add action=masquerade chain=src-nat out-interface=

Then, for every user, you should define a username and password. This also gives you the ability to assign each client a fixed IP, and you’ll notice that in the ip pool definition I left a chunk of IPs at the end of the /24 free for this.

/ppp secret add disabled=no name="client1" password="password1"

This user will have a static IP assigned.

/ppp secret add disabled=no name="client2" password="password2" remote-address=10.1.0.101

And that is the OpenVPN Server, all configured.
In the next mini-guide, I’ll show you got to set up a Mikrotik RouterOS router as an OpenVPN client.

Its part of a series of posts that will hopefully include:
Configuring a Mikrotik RouterOS router as a Server
Configuring a Mikrotik RouterOS router as a Client
Configuring a Linux machine as a Client
Configuring a DD-WRT router as a Client

And Tomtom will be working with me to produce instructions on connecting to the server from an iPod Touch, iPhone and Nokia N900.

So, lets begin…

All the Certificates that we generate, for the server and clients, need to be signed by the same Certificate Authority.
Then, we can generate the server and client certificates.

Generating Certificates

Thankfully, there’s an easy-to-use set of scripts that come with the linux OpenVPN packages, called easy-rsa. So we’ll first be needing a Debian/Ubuntu machine to follow this howto.

First, install OpenVPN on a linux machine.

sudo apt-get install openvpn

Then, lets move the easy-rsa scripts to somewhere useful and easier to remember, and create a directory where we’ll store the certificates.

sudo mkdir /etc/openvpn/{easy-rsa,keys}
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Then, change to the /etc/openvpn/easy-rsa directory and edit the configuration files.

cd /etc/openvpn/easy-rsa
sudo vi vars

Edit the file, changing a few of the variables as below:

export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="/etc/openvpn/keys"

If you want, you can change the values for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to values that make sense for your setup. Now, since we’ll be setting environment variables, we need an environment.

sudo bash
source vars

Take careful notice of that warning. You should only run clean-all ONCE, and this is the time you’re going to do it.

./clean-all

Thats all thats needed to setup the easy-rsa scripts.
Lets get on with generating the keys.
First, the CA (Certificate Authority)

./pkitool --initca

Next, we generate the Certificate for the OpenVPN Server.

./pkitool --server ovpn-server

Then, for each client, you generate a uniquely named client certificate.

./pkitool client1

Repeat for each client

If you want to come back later in a few days to generate a new certificate for a new client, here’s a quick list of commands to do that.

sudo bash
cd /etc/openvpn/easy-rsa
source vars
./pkitool client99

Copying certificates to the RouterOS OpenVPN Server.
Using whatever means you prefer, copy the ca.crt, ovpn-server.crt and ovpn-server.key to your RouterOS router.
I prefer using scp.

scp ca.crt ovpn-server.crt ovpn-server.key admin@<IP of Router>:.

Then, on the RouterOS Router, you should import these certificates.

/certificate import=ca.crt
/certificate import=ovpn-server.crt
/certificate import=ovpn-server.key

You may want to rename the entries to something you’ll understand, since they’ll be named cert1 and cert2 by default.

For your clients, you’ll need ca.crt, clientX.crt and clientX.key

NEVER distribute ca.key, not even to your OpenVPN Server.

So, here’s the template that they all use. (Caution, contains a few naughty words)

I’m so proud of myself, that I’m posting pictures to celebrate!

Dirty Desks

Clean Desk

When 5fm died, my passion for music died too.
I think it was more the way that 5fm died. It made me realise that the music industry has no interest in the art behind the music, or the musicians. It was made very clear that they were in it for the money, and to get that, the higher-ups at 5fm decided to go after a different target market.

Perhaps I had more of an attachment to the station than your average radio listener. Sitting in the studio during a live show made me realise that being a DJ was more than just a job. You don’t just talk between the songs, there’s a real passion behind it.

Until money gets involved. Then you end up with a station manager that gets rid of the best talent in South African radio, and replace them with a bunch of wannabe’s, fresh out of the celebrity factory.

They got rid of Barney Simon! And Alex Jay!

Thats when the music died for me.

5fm is nothing now. So far removed from the 5fm of the 90’s, that It feels wrong to call it 5fm. A talentless, money spinning, stream of crap that will make your ears bleed if you accidentally tune in.

Music “charts” have nothing to do with good music. Its all about how much money the labels can throw at PR and promotions. Just keep playing a new track to the masses, and they’ll “like” it. Don’t even get me started on the rampant abuse of Auto Tune.

But today, at the ungodly hour of 4am, I’m listening to a stream of endless new songs on thesixtyone. And it feels good, because I get to listen to the music that I like, and I get to share it with others. And I get to show my appreciation to the artists that put their hearts into creating the music.

From thesixtyone site:

On thesixtyone, artists sell their music directly to their fans. Unlike a record or distribution deal where they only make $1-2 per album (if they ever get paid, that is), artists on thesixtyone make at least $7 per album and are paid every 30 days — no wait for recoupment and no complex royalty schemes!

Giving the music back to the artists, I like it.

Every 2nd person who figures something out on their own, is writing up a HOWTO.
This isn’t a problem. Its the fact that they’re calling it a “Hack” thats getting on my nerves.

A Hack is where you take something, and make it do something it was never designed to do. Not using something that was designed to do something, to do something slightly similar. Thats not a hack, thats an adaptation.

Well, thats my rant for the day. If anyone wants to sponsor some real gadget hacking, let me know and I’m sure we can work something out