Create a Linux VPN for a Nokia E61 with Openswan
Listing 11. Punching a little hole in the firewall. Note that the e61 is set in /etc/hosts to 192.168.6.252.
iptables -X REMOTEVPN_INPUT 2>/dev/null iptables -X REMOTEVPN_OUTPUT 2>/dev/null iptables -N REMOTEVPN_INPUT iptables -N REMOTEVPN_OUTPUT iptables -I INPUT -j REMOTEVPN_INPUT iptables -I OUTPUT -j REMOTEVPN_OUTPUT iptables -A REMOTEVPN_INPUT -p esp -j ACCEPT iptables -A REMOTEVPN_INPUT -m udp -p udp \ --dport isakmp -j LOG \ --log-prefix "incoming-ipsec-key " iptables -A REMOTEVPN_INPUT --src e61 \ -p tcp --dport imaps -j LOG \ --log-prefix "incoming-imaps " iptables -A REMOTEVPN_INPUT -m udp -p udp \ --dport isakmp -j ACCEPT iptables -A REMOTEVPN_INPUT --src e61 -p tcp \ --dport imaps -j ACCEPT iptables -A REMOTEVPN_INPUT --src e61 -p tcp \ --dport smtp -j ACCEPT iptables -A REMOTEVPN_INPUT --src e61 -p tcp \ --dport squid -j ACCEPT iptables -A REMOTEVPN_INPUT --src e61 \ -j LOG --log-prefix "e61-strange " iptables -A REMOTEVPN_OUTPUT -p esp -j ACCEPT iptables -A REMOTEVPN_OUTPUT -m udp -p udp \ --sport isakmp -j LOG \ --log-prefix "outgoing-ipsec-key " iptables -A REMOTEVPN_OUTPUT -m udp -p udp \ --sport isakmp -j ACCEPT
Listing 12. Remove the e61 access.
iptables -D INPUT -j REMOTEVPN_INPUT iptables -D OUTPUT -j REMOTEVPN_OUTPUT
One more complication exists for using some of the publicly available Wi-Fi hotspots. Depending on where on the globe you are, many of these hotspots follow the pattern that when you try to open a Web site, they redirect you to their Wi-Fi login page, you authenticate to them, and then you can use the Internet. If you simply open up a VPN access point on the e61 that is set to use the EasyWLAN as its Internet access point, things will not work. The e61 will start the Wi-Fi connection and immediately try to send data to set up a VPN connection. As you have to authenticate with the Wi-Fi hotspot before this, it will let traffic through, but then things will come crashing down.
A way to get around this is to open the Web browser and directly connect just using EasyWLAN without any VPN whatsoever. Once you have authenticated to the hotspot, leave the browser running and use the menu key to get back to the main menu, and then open the e-mail client. For the access point this time, use the VPN that has EasyWLAN set as its Internet access point. The existing Wi-Fi connection is reused, and the VPN is layered on top. To get secure Web browsing, you can then leave the e-mail program by holding the menu key and going back to the browser. Exit the browser, and the still-running e-mail program holds the VPN open. Start the browser again, and select the VPN as your access point.
Of course, if the Wi-Fi network you are connecting to allows connections without this preamble, opening any application that wants a data connection should allow you to select the new VPN as your access point. Also, if the Wi-Fi hotspot remembers your MAC address and allows reconnection without explicitly having to log in each time, you can start the VPN directly on subsequent connections.
Once the VPN has connected to vserv, the e61 prompts you for the user name and password to use for XAUTH verification (Figure 8).
After XAUTH verification, you should be able to use the VPN without noticing it. In this case, I can browse the Internet using my LANs proxy server to fetch the data (Figure 9).
Being able to use a DNS name in the e61 VPN policy would be wonderful for folks who don't have cheap access to static IP addresses. I'm still investigating how to connect using public key cryptography instead of the preshared key as shown in this article. For connecting a single e61 to the network, using a large enough preshared key should still be quite secure.
The information in the article comes with no guarantee of being correct, secure or suitable for anything; use it at your own risk and discretion.
Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report
August 27, 2015
12:00 PM CDT
DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.
Free to Linux Journal readers.Register Now!
- Three More Lessons
- Django Models and Migrations
- August 2015 Issue of Linux Journal: Programming
- Hacking a Safe with Bash
- The Controversy Behind Canonical's Intellectual Property Policy
- Secure Server Deployments in Hostile Territory, Part II
- Shashlik - a Tasty New Android Simulator
- Huge Package Overhaul for Debian and Ubuntu
- Embed Linux in Monitoring and Control Systems
- KDE Reveals Plasma Mobile