This Geek

Just farting in the wind…

Archive for the ‘Technical’ Category

How to access the web gui of a modem/router behind an IPCop or other Linux router/firewall

For those of you who are using an ADSL modem or any kind of router behind an IPCop, it can sometimes become an annoying process to access the router’s web gui so that you can view connection statistics, etc. Usually you need to unplug the router and then hook it up directly to your local LAN, etc. Whatever you need to do, it can be annoying.

I have come up with a way around that. It just involves using some nifty tricks via SSH, and I will show you how to configure your system with minimal fuss in order to get to your router’s web gui. It’s easy to modify so you can access any other port too.

You will need:

  • A copy of PuTTY
  • A Web Browser

Firstly, you need to enable one or two options in your IPCop’s web gui. Access the IPCop web gui using your browser, and select System -> SSH Access.

Login when prompted using your admin user.

If you haven’t already, enable ‘SSH Access’, and in particular, enable ‘Allow TCP Forwarding’. You should have at least ‘Allow password based authentication’ as well.

Note that IPCop’s SSH server listens on port 222.

Save the settings, and you can close your session.

If you’re not using an IPCop, just ensure that you can access your firewall via ssh.

Now comes the “hard” part (which is actually pretty easy as you will see).

Extract the putty archive somewhere useful, and create a shortcut to the putty.exe somewhere convenient. I usually create the shortcut on my Quick Launch toolbar. Or you can just run the exe directly. It’s entirely up to you. I’m not going to tell you how to manage your software. ;)

Run putty, and you will be presented with a confusing interface. The basic idea is that you type in the IP or hostname of the machine you want to connect to, select the type of connection, and hit enter, which launches the connection.

In our case, we are going to be creating a couple of saved sessions, so that all we will need to do is to double click the entry in the saved sessions list, and the connection will be established, or the command will be executed.

In the hostname field, enter the hostname or ip address of your IPCop firewall. By default, the connection type will be SSH. Set the port field to 222 (Adjust as necessary for your own firewall).

Now since we will ALWAYS be logging in to the firewall as user ‘root’, we can set the username so that we don’t always have to type it. This step is optional. In the left “tree”, expand ‘Connection’, and select ‘Data’. In the very top field, under ‘Auto-login username’ enter ‘root’ (without the quotes).

On the left tree, select ‘Session’ at the top to return to the session configuration page.

In the ‘Saved Sessions’ field, give your session a name. Use ‘IPCop Console’ if it will make you feel better, and then click the ‘Save’ button. You now have a saved session. Since the session is already technically loaded, we can click the ‘Open’ button at the bottom of the window to launch the session, or you can simply double click the new ‘IPCop Console’ saved session to launch it.

Using username "root".
root@ipcop's password:

Since we set the ‘auto login’ feature, the username will automatically be entered for us, and you will just be prompted for the password. Enter the IPCop root password, and you should be presented with a colourful prompt.

Using username "root".
root@dementor.hogwarts.dom's password:
Last login: Sun Apr 13 13:10:13 2008 from blah
root@ipcop:~ #

This is good enough for our purposes, so just press CTRL+D to quit the session. ‘logout’ or ‘exit’ will work just as well.

When IPCop establishes the PPPoE sessions for us, it sets the RED interface to an IP address of 1.1.1.1, which is not very helpful if we want to talk to a modem/router using an IP address of, say, 192.168.1.254 (Billion default). What we need to do, therefore, is add an IP address on the same network as the router to the IPCop RED interface.

NOTE: If you are using a different modem/router brand, simply adjust the subnets / addresses as necessary.

Since the router is by default using 192.168.1.254, we can configure the IPCop using ANY other address on the same subnet (since we know that there isn’t anything else using that subnet on our RED interface anyway). For simplicity’s sake, I will use 192.168.1.1 for the RED interface.

We are now going to create another session in putty to add the IP address 192.168.1.1 to the red interface for us automatically.

Start up putty again. Select the IPCop Console session, and press the LOAD button. NOTE - we do NOT want to establish a session at this time.

The settings for the IPCop Console connection will now be loaded in to putty. In the left tree, expand ‘Connection’, and then select ‘SSH’. At the top of the page, you will see a field ‘Remote command’. This is where we will add the command that putty will execute for us.

Type the text below in to the ‘Remote command’ field. Change 192.168.1.1 to whatever address you would need to use to talk to your brand of modem/router.

/sbin/ip addr add 192.168.1.1/24 dev eth1

In the tree at the left, click ‘Session’ at the top. Now, under ‘Saved Sessions’, change the name of the session to something else. In my case, I used ‘ADSL Router Access Start’. Below the ‘Saved Sessions’ field, you will see an option ‘Close window on exit’. Set the option ‘only on clean exit’ and then click the SAVE button.

In the left tree, select ‘Connection -> SSH’ again. In the remote command field, change the word ‘add’ to ‘del’ so that the remote command looks like this:

/sbin/ip addr del 192.168.1.1/24 dev eth1

In the tree at the left, click ‘Session’ at the top again, and change the field under ‘Saved Sessions’ to something else. I used ‘ADSL Router Access Stop’. Click the SAVE button.

Now you should have three sessions in your session list: IPCop Console, ADSL Router Access Start, and ADSL Router Access Stop.

We have one more session to create.

In the Saved Sessions list, select IPCop Console, and press the LOAD button.

In the tree at the left, select ‘Connection -> SSH’ again. This time we leave ‘Remote command’ blank, but now we need to set the option ‘Don’t start a shell or command at all’. Once you have selected that, in the left tree, expand the ‘SSH’ node that is currently highlighted, and then select ‘Tunnels’.

We’re only concerned with the options near the bottom, Source Port, Destination, etc.

Enter a source port. This can be anything you like (up to 65535) - AS LONG AS IT IS NOT IN USE ON YOUR COMPUTER. If you want to see what ports are currently in use on your computer, open a command prompt, and type ‘netstat -an’. You’re concerned with the column called ‘Local Address’, which will have a whole bunch of entries like 127.0.0.1:137 or 0.0.0.0:500, with various other addresses on your machine. The part that you’re concerned with is the bit after the “:”, so in x.x.x.x:400 the port is 400. If the port you want to use is listed here, you will need to choose something else that doesn’t appear on that list. NOTE - on Vista you might need to run the command prompt as an Administrator (Right click the shortcut).

In my case, I just used the port 12345. Enter the destination. This will be the modem/router IP address, and the web port. So I used 192.168.1.254:80 (Port 80 is the port that web servers listen on).

Click ‘ADD’.

In the box above that section (called Forwarded Ports), you will now see an entry:

L12345    192.168.1.254:80

In the left tree, click ‘Session’, and under ‘Saved Sessions’, give the session a new name. I used ‘ADSL Router Port Forward’. Click SAVE.

Congratulations. The configuration is now complete.

How to use it:

Start Putty. Double click the ‘ADSL Router Access Start’ session. Enter the password. Almost immediately, the putty window will close. THIS IS NORMAL. All putty did was tell the IPCop to add the IP Address of 192.168.1.1 to the RED interface so that we can access the router. If you run this command more than once, nothing bad will happen, so if you’re not sure if you ran it, you can safely launch it again.

Start Putty again. This time, double click the ‘ADSL Router Port Forward’. Enter the password, and then nothing much will happen. You will not get a command prompt, nor will anything further appear on the screen. DO NOT CLOSE THE WINDOW. Just minimize it to get it out the way.

Now open up your web browser, and enter the url: http://localhost:12345. You should be prompted to enter your modem/router password. Congratulations, you are now accessing the configuration pages for your modem/router.

When you are finished with the modem configuration, you can close the putty window that you opened previously. This will terminate the tunnel through your IPCop to your modem, and accessing localhost on port 12345 will no longer work.

While not entirely necessary, you can start putty, and launch the ‘ADSL Router Access Stop’ session, which will remove the 192.168.1.1 ip address off the RED interface.
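
The same sessions driven from the OpenSSH client instead of PuTTY, as an added example that is not part of the original post. The host name ipcop.lan, the DRY_RUN switch and the function names are assumptions; port 222, eth1, 192.168.1.1/24, 192.168.1.254:80 and local port 12345 are the values used above.

```shell
#!/bin/sh
# Added example: OpenSSH equivalents of the four PuTTY sessions in this post.
FW_HOST="${FW_HOST:-ipcop.lan}"          # assumption: your firewall's name or IP
FW_PORT="${FW_PORT:-222}"                # IPCop's SSH port
RED_DEV="${RED_DEV:-eth1}"               # RED interface, as in the post
ALIAS_IP="${ALIAS_IP:-192.168.1.1/24}"   # extra address on the modem's subnet
MODEM="${MODEM:-192.168.1.254:80}"       # modem/router web gui
LPORT="${LPORT:-12345}"                  # local end of the tunnel

# With DRY_RUN=1 the command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "IPCop Console": no arguments gives a shell, arguments run a remote command.
fw() { run ssh -p "$FW_PORT" "root@$FW_HOST" "$@"; }

# "ADSL Router Access Start" / "ADSL Router Access Stop"
access_start() { fw /sbin/ip addr add "$ALIAS_IP" dev "$RED_DEV"; }
access_stop()  { fw /sbin/ip addr del "$ALIAS_IP" dev "$RED_DEV"; }

# "ADSL Router Port Forward". -N starts no shell or command. The listener is
# bound to 127.0.0.1 so other hosts on the LAN cannot use the tunnel, and
# ExitOnForwardFailure makes ssh quit if the local port is already in use.
port_forward() {
    run ssh -p "$FW_PORT" -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$LPORT:$MODEM" "root@$FW_HOST"
}

# All steps in one go: add the address, hold the tunnel open until Ctrl+C,
# then remove the address again even if the tunnel failed.
modem_session() {
    access_start || true    # a second "add" fails because the address exists
    trap access_stop EXIT
    trap 'exit 130' INT TERM
    port_forward
}

# Usage: sh modem.sh session   (or: console | start | forward | stop)
case "${1:-}" in
    console) fw ;;
    start)   access_start ;;
    stop)    access_stop ;;
    forward) port_forward ;;
    session) modem_session ;;
esac
```

Run it with DRY_RUN=1 first to see the exact ssh commands before anything touches the firewall.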

Pushing PuTTY

Couldn’t resist that title, forgive me :P

I was mucking about with SSH tunneling with PuTTY a bit earlier. Although it looks completely mind boggling, it’s actually very very simple to do. I just wish some schmuck had written a concise howto, then I probably would’ve spent 2 minutes figuring it out instead of 5. :D

So… consider this my concise howto. (Ok, bear in mind, I have no idea how to spell concise, let alone speak it!)

First of all, you need to have an accessible SSH server somewhere that you can authenticate to, and hopefully the option AllowTcpForwarding is set to “yes” in its sshd_config. If you have access to modify the config, I suggest checking that this option is on.

Load PuTTY on your workstation, and type the hostname and port of your ssh server on the “Session” window (That’s the default window that opens when PuTTY loads). If you have your connection saved, click it in the Saved Sessions list and click the “Load” button.

Now, in the tree list to the left, expand “Connection”, then “SSH”, and click on “Tunnels”.

In the dialog to the right, type in a source port (This is the port that you will connect to on your local machine) - pick something arbitrary - hopefully it won’t be in use. If you’re not sure, open a command prompt and run ‘netstat -a’, and pick a port that is NOT listed there :P

In the destination field, type the name of the server you wish to connect to, and the port, using host:port syntax. Click “Add”. If you want to add more local ports / remote hosts, do it now.

If you want your machine to be a gateway type machine, click the check box at the very top of the screen, “Local ports accept connections from other hosts”. — I have NOT tested this functionality, so who knows if it works.

Click ‘Open’ when you’re ready. If you like, you can switch back to the ‘Session’ section, and save your tunnel session.

The PuTTY console screen will open like normal, and you can authenticate to your ssh server. Leave that window open, and open whatever software you wish to tunnel with, and enter ‘localhost:port’ (set the port to whatever port you chose in the Source port for the tunnel).

Voila! You should be connected.

The only caveat I can see is that using the tunnel for browsing the web is not that effective, especially in the case of name based virtual hosts - if you try to access a site that is a virtual host on some web server, the default site will actually load, and not necessarily the site you were expecting. I’m not sure if there is a way around this.

OpenDNS Oogliness

Argh. I hate frustrating issues that make me want to pull my hair out. Not that I’ve got much hair mind you. I tend to keep it short. Number 1 short. It adds to the mean don’t fuck with me look. Which also means it’s too short to actually grab. So my point is moot. Gah.

The DNS servers provided by my ADSL link are pretty crap. They take ages to update, and sometimes give shit, so some kind soul pointed me at Open DNS. I immediately configured my LAN to use them, and I was A for away.

Now my only niggle with them is whenever I configure a new sub-domain on my name server, it takes a little while for it to propagate - which is normal in DNS systems - however, with one particular sub-domain that I configured for one of my brother’s domains, I just could NOT access it from my own machine. It was seriously pissing me off. One minute I’d get resolution and the site would load, and then next I would just get DNS errors.

Doing a local lookup kept returning an IP that belongs to OpenDNS - wtf?

So I browsed to their site and searched around a bit. Eventually I happened across this link which allows you to query the status of their DNS cache. So, I do the obvious. Of the 4 servers (or so) that they have, one of them was showing invalid data. And typically, it was that fucker that I constantly seemed to query. Fortunately they provide tools to fix the problem, so in less than 5 seconds, I had resolved the issue.

Now, grasshoppers, what does this lesson teach us?

RTFM - Read the fucking manual.

Decrypting an IPCop 1.4.11 backup key

I was put in the unfortunate position of needing to reload my IPCop. No problem, I’ll export the backup key, and download the latest backup file to my local machine. This I do, quite easily.

So, I reload the IPCop box, skip the floppy restore option, thinking I’m going to restore it via the web interface, so who cares anyway.

I get to the web interface, access the backup option. First thing I realise - there’s no way to import my saved backup key. Darn. So I try to import the dat backup anyway. The interface tells me to bugger off, it can’t decrypt the file. Grrr. So what now?

I ssh to the IPCop box, and check out the existing backup key. Then I check my saved backup key. My saved one is encrypted. Double darn (Ok, I said something far more nasty really).

Google… can’t find a damn thing. The only references I can find are some people copying their backup.key from an old hard disk to the new one. Whoop te doo. That does NOT help me. So, I download the IPCop source code, peruse a couple of files, and figure out how to decrypt the key.

To make my life easier, I used WinSCP to transfer my encrypted key to the IPCop box, then it’s a simple matter of running:

/usr/bin/openssl enc -a -d -aes256 -salt -pass pass:<yourpasswordhere> -in encrypted.backup.key -out decrypted.backup.key

You obviously need to insert your backup password where it says <yourpasswordhere>. If you forgot it, sorry mate, can’t help you.

Once that’s done, simply copy your decrypted.backup.key to the correct place:

cp decrypted.backup.key /var/ipcop/backup/backup.key

and overwrite the existing file.

Now you can import your saved backup and restore your settings.

Hope this helps someone. :p

EDIT: Whoops. Didn’t realise that the < & > that I inserted originally failed to render cuz the engine thought it was an html tag. Ugh.
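
An added example, not part of the original post: the same decryption reading the password from a file, because ‘-pass pass:’ leaves it visible in the process list and shell history. The ‘-md md5’ option is stated explicitly because OpenSSL before 1.1.0 derived the key with MD5 by default while newer releases default to SHA-256, so a key written by an old IPCop will not decrypt on a newer system without it. The function names and the constructed sample data are assumptions.

```shell
#!/bin/sh
# Added example: decrypt an IPCop backup key without the password appearing
# in the process list or shell history.

# decrypt_key PASSFILE IN OUT
# PASSFILE holds the backup password on its first line. -md md5 matches the
# default of the old OpenSSL that wrote the key; newer releases use SHA-256.
decrypt_key() (
    umask 077    # the decrypted key is created readable by its owner only
    openssl enc -a -d -aes256 -md md5 -pass "file:$1" -in "$2" -out "$3"
)

# make_sample PASSFILE PLAIN OUT
# Builds a constructed test file the way the old default would have.
make_sample() {
    openssl enc -a -e -aes256 -salt -md md5 -pass "file:$1" -in "$2" -out "$3"
}

# Self-check on constructed data: encrypt, decrypt, compare.
roundtrip_ok() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-password' > "$d/pass"
    printf '%s\n' 'constructed key material' > "$d/plain"
    make_sample "$d/pass" "$d/plain" "$d/encrypted.backup.key" 2>/dev/null &&
        decrypt_key "$d/pass" "$d/encrypted.backup.key" "$d/out" 2>/dev/null &&
        cmp -s "$d/plain" "$d/out"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh decrypt.sh passfile encrypted.backup.key decrypted.backup.key
if [ "$#" -eq 3 ]; then decrypt_key "$1" "$2" "$3"; fi
```

Delete the password file once the key has been restored.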

Reload Shmeload

So I’m reloading XP on my workstation. It goes through its usual crap before running that stupid welcome wizard thing where you add usernames etc. All’s fine and well. Anyway, while loading up drivers, I realised that I had failed to install my sound drivers off CD first before installing the updated drivers, so I was missing a lot of the cool applications (I have an SB Audigy 2 ZS). So I thought that, instead of uninstalling the drivers I had just put on and tainting windows by loading off the CD and then reapplying drivers yadda yadda, I would just reload Windows yet again. No biggie, it doesn’t take all that long on my hardware anyway.

So I do exactly what I did before - I wipe the partition during setup, and recreate it, and let Windows install on to it.  I follow exactly the same steps as before.  This time, when Windows reboots after installation - instead of running that stupid lil welcome wizard, it dumps me at the welcome screen with just the administrator user visible.  What the…?  Where the heck was the wizard to add users etc?

I don’t get Microsoft, really I don’t.

Anyway, third time lucky. 

You’re probably wondering why I’m reloading for a third time? I don’t know.  I just can’t handle the idea of trying to use Windows when the installation didn’t go as smoothly as I expected it to.  It’s like a psychological block - I’m going to constantly get the feeling that something is not right if I just let it go.

So I reload yet again. :p

I figured out that the welcome wizard didn’t run because when Windows asks to adjust the resolution, I bumped my keyboard and accidentally cancelled the change - which means the wizard does not run. Odd.

This is now ESF ready

I’ve added ESF feed support to my blog now. If you’re looking for an ESF capable reader, check here. I’ve never used this software, and I’m not endorsing it. I found it in the readme for the plugin. Use it at your own risk.

Weird Web

The site decided to go all funky and not display the style sheets. Ahh well. It sorted itself out somehow, and I also took the opportunity to upgrade the backend, not that I really notice the difference.

shrug