I spent a few weeks, a long time ago, getting the Imagine WiMax Motorola USBw35200 dongle working under Linux using the Sprint 4G Developer software, but it was a nasty hack.

A Hack that stopped working recently. Or at least, when I tried to use it this week it didn’t work.

The basics:
Linux Kernel 3.0.0 has the right kernel module.
You need to build the Spring 4G package to get the firmware out, copy it to /lib/firmware
Imagine uses EAP-TLS
You can get the WiMAX and Imagine server certs from the CD-ROM partition on the dongle (disable usb modeswitch before you insert it)

The problem:
You need a Device Private Key to connect, which is stored in a memory location on the dongle itself. I have no idea how to get it out, or how to point the wimax userspace agents to that memory.

Being a geek, I decided that using a TV to view TV wasn’t really the way to do things.
So instead, I decided to find a way of viewing Saorview on my PC.

So the easy way, is to get a DVB-T receiver for a PC, and tune to the channel you want to view. I’m not going to show you how to do this, because the guys at mpeg4ireland already have.

I’m going to show you how to receive every Saorview channel at the same time.
Although I’m sure you’re not going to be able to watch them all at the same time…

First, you need a DVB-T receiver.

I used a €40 Hauppauge Nova-T USB Stick.

Then you’ll need MumuDVB. You’ll need at least version 1.6.1
I got the latest release from here.
Yes, Ubuntu has a version in their repo’s, but thats version 1.6. It will NOT work. (well, if you only want to receive the radio stations and the test pattern, then 1.6 is for you!)

Plug your DVB-T card/stick in, make sure it gets recognised and you get an entry in /dev/dvb

$ ls /dev/dvb/
adapter0

Install dvb-apps

sudo apt-get install dvb-apps

Grab the wideband tuning file from the mpeg4ireland site and use it to scan for channels.

scan wideband > channels.conf

Make sure there’s something useful in your channels.conf
The start of each line should be a channel name, followed by a frequency.
If there’s something in there, make a note of the frequency that you see.
In my case, since I’m getting signal from Three Rock Dublin, my frequency is 738000000 (or 738Mhz)

If you don’t get anything, you might have some problems. So I suggest doing some research on Saorview using the mpeg4ireland site to see if you have coverage.

Now, unpack MumuDVB and build it.

tar -zxvf mumudvb-beta.tar.gz
cd mumudvb
autoreconf -i -f
./configure
make
sudo make install

Then create a config file (mumu.conf). Make sure you set your frequency correctly to the one you extracted from channels.conf earlier. (Divide the long number by 1000000 to get MHz).

freq=738
autoconfiguration=2
autoconf_radios=1
autoconf_ip_header=239.192
multicast_ttl=5
sap=1
sap_default_group=Saorview
sap_organisation=RTENL

Now start up MumuDVB using this configuration. There will be loads of debug output, just so you can see what its up to.

sudo mumudvb -c mumu.conf -s -t -vv -d

Then install VLC on your PC (or another PC on the same network).
Start it up, and press Ctrl-P to get the Preferences.
In the bottom left, select Show settings All.
In the Tree, select Playlist > Service Discovery.
Enable Network streams (SAP)
Click Save.
Press Ctrl-L and wait 10 seconds.
You should see a folder caller Saorview.
Expand it, and double click the channel you wish to view.

OR

Launch VLC, and open the Network address udp://@239.192.0.0:1234/ (Should be RTE One)
udp://@239.192.0.1:1234/ should be RTE Two.
udp://@239.192.0.2:1234/ should be TV3.
etc…

Voila!
If you poke around in the VLC options, you’ll notice that Teletext works too.
There’s even a Program Guide that has the next 7 days line-up in it. (Tools > Program Guide)
Subtitles work, and on some channels there may even be a second Audio stream.

Now do it on another PC, and view a different channel at the same time. Continue until you get bored.
For fun, check the CPU usage of the mumudvb process.
On my system it only uses around 5% of 1 CPU since its not actually doing very much. Not bad…

The process will be spewing out loads of stats, like Bit error rate, Signal Strength and SNR. Their meaning is self evident.
Every 5 seconds it will also output Traffic information, which is quite interesting since it displays the actual Bandwidth used per channel.

As an exercise for the reader, I’ll leave you to figure out how to get it to start up in the background.
Personally, I run it in a screen session so I can easily open it up again and see the Signal Strength, etc.

Note: RTE Two is broadcast in HD, and viewing it may be a bit CPU intensive.

In this mini-guide, I’ll show how to configure a Mikrotik RouterOS router as an OpenVPN Client, and connect it to the server.

First, you’ll need to copy a client certificate to your client router. You can use this guide to help you generate one if you haven’t already done so. Then import them into RouterOS, as per the instructions.

Then you need to create a PPP Profile.

/ppp profile
add change-tcp-mss=default comment="" name=openvpn-out only-one=default \
use-compression=default use-encryption=default use-vj-compression=default

Next, you need to add the ovpn-client interface. Make sure that the certificate is the one that you imported, and that the username and password match what you configured on your server.

/interface ovpn-client
add add-default-route=no auth=sha1 certificate=client1 cipher=aes128 \
comment="" connect-to= disabled=no mode=ip name=OVPN-Client \
user=client 1 password=password1 port=1194 profile=openvpn-out

And thats it! Pretty simple really…
If you want all your internet traffic to go over the VPN, change the add-default-route=no to yes, and it will add the default route down the VPN every time it connects.

This next mini-guide will show how to configure a Mikrotik RouterOS router for use as an OpenVPN Server. This is where your various devices will “dial-in” to.

Obviously, everyone’s network is different. So I’ll try and make this as generic as possible, but without straying from my policy of being as straight forward as I need to be.
So, hopefully, you already have a configured RouterOS router, thats already part of your network.

Designing the VPN Network

The first step of any network change, is to decide where we want to be when we’re done.
This mini-guide is going to show you how to create layer-3 tunnels from a remote device, to your home/office gateway router (running RouterOS).

Because we’re doing a layer-3 configuration, you’ll need to put aside a range of IPs for your VPN clients.
In this setup, I’m going to use 10.0.0.1/24 for our LAN, 10.1.0.1/24 for the VPN.

We create an IP Pool, which RouterOS will use to select and assign IPs for the VPN clients. Start at the second IP, since we’ll use the first IP for the server itself.

/ip pool add name=ovpn-pool ranges=10.1.0.2-10.1.0.100

Then we create an PPP Profile, which is used to define the settings of the session created with a VPN Client.

/ppp profile
add change-tcp-mss=default comment="" local-address=10.1.0.1 \
name="openvpn-in" only-one=default remote-address=openvpn-pool \
use-compression=default use-encryption=required use-vj-compression=default

Configure the OpenVPN Server. For this, we’ll need to remember the name of the imported server certificate that you generated in the previous article.

/interface ovpn-server server set auth=sha1,md5 certificate=server-cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn-in \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=24 \
port=1194 require-client-certificate=no

Configure your Firewall to allow inbound OpenVPN connections, and allow the OpenVPN Clients to NAT out of your Internet connection (if you want to allow them internet access).

/ip firewall filter add action=accept chain=input disabled=no protocol=tcp dst-port=1194
/ip firewall nat add action=masquerade chain=src-nat out-interface=

Then, for every user, you should define a username and password. This also gives you the ability to assign each client a fixed IP, and you’ll notice that in the ip pool definition I left a chunk of IPs at the end of the /24 free for this.

/ppp secret add disabled=no name="client1" password="password1"

This user will have a static IP assigned.

/ppp secret add disabled=no name="client2" password="password2" remote-address=10.1.0.101

And that is the OpenVPN Server, all configured.
In the next mini-guide, I’ll show you got to set up a Mikrotik RouterOS router as an OpenVPN client.

Its part of a series of posts that will hopefully include:
Configuring a Mikrotik RouterOS router as a Server
Configuring a Mikrotik RouterOS router as a Client
Configuring a Linux machine as a Client
Configuring a DD-WRT router as a Client

And Tomtom will be working with me to produce instructions on connecting to the server from an iPod Touch, iPhone and Nokia N900.

So, lets begin…

All the Certificates that we generate, for the server and clients, need to be signed by the same Certificate Authority.
Then, we can generate the server and client certificates.

Generating Certificates

Thankfully, there’s an easy-to-use set of scripts that come with the linux OpenVPN packages, called easy-rsa. So we’ll first be needing a Debian/Ubuntu machine to follow this howto.

First, install OpenVPN on a linux machine.

sudo apt-get install openvpn

Then, lets move the easy-rsa scripts to somewhere useful and easier to remember, and create a directory where we’ll store the certificates.

sudo mkdir /etc/openvpn/{easy-rsa,keys}
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Then, change to the /etc/openvpn/easy-rsa directory and edit the configuration files.

cd /etc/openvpn/easy-rsa
sudo vi vars

Edit the file, changing a few of the variables as below:

export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="/etc/openvpn/keys"

If you want, you can change the values for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to values that make sense for your setup. Now, since we’ll be setting environment variables, we need an environment.

sudo bash
source vars

Take careful notice of that warning. You should only run clean-all ONCE, and this is the time you’re going to do it.

./clean-all

Thats all thats needed to setup the easy-rsa scripts.
Lets get on with generating the keys.
First, the CA (Certificate Authority)

./pkitool --initca

Next, we generate the Certificate for the OpenVPN Server.

./pkitool --server ovpn-server

Then, for each client, you generate a uniquely named client certificate.

./pkitool client1

Repeat for each client

If you want to come back later in a few days to generate a new certificate for a new client, here’s a quick list of commands to do that.

sudo bash
cd /etc/openvpn/easy-rsa
source vars
./pkitool client99

Copying certificates to the RouterOS OpenVPN Server.
Using whatever means you prefer, copy the ca.crt, ovpn-server.crt and ovpn-server.key to your RouterOS router.
I prefer using scp.

scp ca.crt ovpn-server.crt ovpn-server.key admin@<IP of Router>:.

Then, on the RouterOS Router, you should import these certificates.

/certificate import=ca.crt
/certificate import=ovpn-server.crt
/certificate import=ovpn-server.key

You may want to rename the entries to something you’ll understand, since they’ll be named cert1 and cert2 by default.

For your clients, you’ll need ca.crt, clientX.crt and clientX.key

NEVER distribute ca.key, not even to your OpenVPN Server.

Its a Sci-Fi Movie, it has aliens, and people go splat alot.

Its great.

And best of all, there’s a guy with a South African accent, swearing in Afrikaans. Thats the last thing I thought I’d see on an Irish cinema screen.

I could go into all the details, comment on the obvious parallels to Apartheid and all that, but that just made the movie better. It wasn’t the reason I enjoyed it, but it certainly added to the experience.

Seeing Johannesburg like that (and “bolting” 3 giant Heli-pads to the roof of the Carlton Hotel, and then blowing bits of it up), was priceless.

Just go see it, especially if you’re a Sci-Fi person. The Skop, skiet en donner aspect makes it awesome!

  apt-get install openvpn

See, I said it was easy. Now there’s a little more of a complex part, where we setup the CA and utilities needed for generating Certificates for the Server and all the Clients.

I like to move the easy-rsa directory into my /etc/openvpn directory, since its easier to work with it there (and easier to remember where it is). So run the following command to copy it across:

mkdir /etc/openvpn/{keys,easy-rsa}
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ 

Then you need to edit your /etc/openvpn/easy-rsa/vars file, and make a few changes. I’ve set the following variables.

export EASY_RSA="/etc/openvpn/easy-rsa/"
export KEY_DIR="/etc/openvpn/keys"

And I tweaked my KEY_ variables so I don’t have to fill them in every time:

Then, you need to setup your environment by running

cd /etc/openvpn/easy-rsa
. vars
./clean-all

Careful with the clean-all command. Only run this ONCE, when you FIRST start this setup. It deletes ALL your keys, so you have a blank slate!

Now you build your own Certificate Authority (CA) certificate and key

./build-ca

Then build your Diffie-Hellman Paramaters (for SSL/TLS connections)

./build-dh

Then, build a key for your OpenVPN server. This generates a server.crt and server.key
Make sure you set the CommonName attribute to something meaningful for you (and unique) 

./build-key-server server

Now you’ll want to generate a key for each of the connecting clients. We can do one now, and then you can come back to follow these steps to add more at a later stage. Make sure the CommonName attribute is unique in all of these. Infact, I’d urge you to make them correspond to the username that the will authenticate with (this will be stored in the database).

./build-key client1

The basics of RSA dictate that anything with a .key is to be kept private, and is relevant only to the machine it was intended for, and the .crt is for your local machine, and the remote end too.

So: 
server.key never leaves the server
server.crt gets copied to the client
client1.key gets copied to the client
client1.crt gets copied to the client
dh1024.pem gets copied to the client
ca.crt gets copied to the client.
ca.key is super secret. If someone got their hands on it, they could create more client certificates, which is a bad thing ™. 

And thats all I’ll cover in this Howto.

In the next one, we’ll install radiusplugin, and I’ll show you the configuration files needed for the server and clients.

So this is where we will begin the Monster VPN Project

I’m assuming you’ve already got Debian installed. I’m not going into this, as its been documented all over the place, and isn’t that much of a problem. (And in all honesty, if you struggle with this, you might want to reconsider continueing this project) 

The best place to start on this project, is to install MySQL. Since its going to be the database that stores all the data for the VPN’s, its best to have this in place before you start with the rest of it.

Thankfully, this is pretty simple in Debian.

Make sure you’re logged in as root, and run

apt-get install mysql-client-5.0 mysql-common mysql-server-5.0 

This will install the binaries needed to run a MySQL server, and the client. But since we’ll be compiling radiusplugin from source, we also need the -dev libraries for the MySQL client, so run the following too:

apt-get install libmysqlclient15-dev

Well, thats it! I did say it was easy…

The idea is to have a simple web interface where I can add/remove/edit user accounts, Generate Certificates for endpoints and check users usage.

RADIUS is a fantastic AAA (Accounting Authentication And Authorization) protocol, which is used for almost everything ISP related (dial-up, dsl, wimax, wifi hotspots), so it seems only fitting that I use it for this application. It also means I can integrate other things into it, without serious modification (since its a standard). I may even start using it for building my own Hotspot controller for Mikrotik RouterOS based hotspots.

Here’s the plan:
Debian as the Linux flavour
MySQL to store all the authentication and configuration information (howto)
FreeRADIUS to provide an interface into getting at the information, and for accounting
OpenVPN for the actual VPN server
RadiusPlugin for making OpenVPN play nicely with FreeRADIUS 
Apache HTTP server, since its going to be a web frontend
PHP for the service side part of the web frontend 

I’ve followed a few guides to get this going, and this one is possibly the most useful one I’ve come across.

So far, I’ve had bits and pieces working, but I haven’t managed to get them all working together at the same time.

Over the next few days, I’ll be documenting (in as much details as I can remember), the steps needed to set this up. I’m doing this for personal documentation purposes as well as to share with the community should anyone else want to do something similar.

So stay tuned, subscribe to my RSS feed, and keep your eyes open for my follow-up posts.