Archive for category networking

rewire the web…

The internet comes up with new ideas for transforming and managing information every day. Yahoo has now come up with a great idea of how users can transform syndicated data into almost anything they like.

Yahoo says this about its new baby:

“Pipes is an interactive feed aggregator and manipulator. Using Pipes, you can create feeds that are more powerful, useful and relevant.”

If you ever wanted to connect NY Times articles to Flickr, you can do this and many other things now. You even get a decent editor:

(yes, that’s in a web browser…)

Go and give it a try.


No Comments

a tool you might need some day: emulated smtp server for debugging purposes

“It monitors port 25 and emulates an Smtp server dropping the files in a directory which you can read using Windows Mail (Outlook Express).”

Source: get it here.

No Comments

a map of the intertubes


No Comments

low latency network audio…JACK

It’s been some days since I wrote about my wish and need for low-latency network audio solutions. And now it seems that there is something to help the situation: JACK.

“Have you ever wanted to take the audio output of one piece of software and send it to another? How about taking the output of that same program and send it to two others, then record the result in the first program? If so, JACK may be what you’ve been looking for.

JACK is a low-latency audio server, written for POSIX conformant operating systems such as GNU/Linux and Apple’s OS X. It can connect a number of different applications to an audio device, as well as allowing them to share audio between themselves. Its clients can run in their own processes (ie. as normal applications), or they can run within the JACK server (ie. as a “plugin”).”

This alone isn’t what I was searching for… but there is NetJack, the network extension for JACK.

“Netjack is a Realtime Audio Transport over a generic IP Network. It is fully integrated into JACK.”

Source 1: another nerd wish- low latency network audio

No Comments

Xbox live connection ?

“Most broadband routers use Network Address Translation (NAT). Windows Internet Connection Sharing also uses NAT.

For most devices that use NAT, port forwarding is not required to connect to Xbox Live. This is especially true if you use an Xbox Live certified device. Port forwarding should only be needed if you use a proxy server or a true firewall device instead of, or in addition to a NAT. Sometimes, you may have to configure port settings on a non Xbox Live certified router or gateway.
If there is a firewall device between the Xbox console and the network device, you may have to configure the firewall to enable communication on specific network ports. If the NAT status in the Network Status area of the Dashboard is “moderate” or “strict,” you may have to configure port settings.”

The following ports must be available for Xbox Live to operate correctly:

  • UDP 88
  • UDP 3074
  • TCP 3074


No Comments

why not take 13 displays and…

…build yourself a “just-like-the-original”, power-consuming flight simulator. I am not sure what would be more expensive: this setup or the ultra-light aircraft which is currently being simulated…

Follow the link and see other home-cockpit-setups.


No Comments

Thinstuff releases RDP Server…for Linux’n’stuff

Thinstuff released its RDP Server version 1.0 recently. Some of the features:

  • RDP server for Linux
    • RLE compression
    • RDP protocol compression
    • Data encryption
    • Client selected resolutions and bits per pixel
    • Fullscreen mode
    • RDP Bitmap Cache
    • RDP Orders
    • Compatible Clients: RDP 5.0, 5.1, 5.2, Windows CE, rdesktop
  • Optimized for many kinds of X11 applications for optimal performance
  • Change resolution while clients are connected
  • Very low bandwidth consumption
  • Shadowing support to view a session multiple times
  • Terminal Server
    • Database or passwd/shadow user management
    • Passwd/shadow or PAM authentication
    • Management through Java Client
    • Authentication by specifying username and password in the RDP client or at a login window within the RDP session

Obviously the RDP server is an X server on the Linux side with an RDP interface to the rest of the world… very cool indeed. As soon as I have some time I’ll give it a try…


No Comments

udp multicast to tcp unicast proxy YAPS revisited…and bugfixed

Yesterday I had an idea of how I could fix the last remaining problem in my UDP multicast to TCP unicast proxy server (YAPS).

The last time I had to report this:

“There are some glitches I am afraid to say: one known bug is that there are 12 bytes too much in the outgoing data stream which corrupts the picture. If anyone here can fix it: Do it please 😉 I tried one day and I could not find a solution for the problem.”

My idea was that those glitches are possibly there because some bytes of the header remain in each packet, and therefore the movie stream itself is corrupted. MPlayer was able to display something, but as I said… glitches.

So I wrote a method that calculates the size of the header of each RTP packet and then removes that header:

public byte[] killRTPheader(byte[] b, ref int inlength)
{
    byte[] outbytes = new byte[1600];
    // The RTP fixed header is 12 bytes plus 4 bytes per CSRC entry;
    // the CSRC count sits in the low four bits of the first byte.
    int headersize = 12 + 4 * (b[0] & 0x0f);
    if (headersize > inlength)
        throw new ArgumentException("packet is shorter than its RTP header");
    // copy everything after the header to the front of the output buffer
    Array.ConstrainedCopy(b, headersize, outbytes, 0, inlength - headersize);
    inlength = inlength - headersize;
    return outbytes;
}

The results speak for themselves: A perfect sound and picture.

Besides that I added some additional features. Read the source and you’ll find out.

You can grab the source and binaries here: (24,74 KB)


crimping hell

Hmm… did you ever wonder why your network access is so slow? Have you ever experienced some kind of “network hiccup”? Did your PC ever smell strange? Well, then you might like to check the cabling:

His excuse was: “It was dark when I did this!”

No Comments

Say “hello, antenna!”

And now I can present my new neighbour: Kathrein 742215 UMTS Antenna! With 300 W it

No Comments

scheduled downtime

Due to network maintenance work schrankmonster/technology-ninja will most likely not be available from 20:30 till 22:30 CEST (UTC+2).

Go and make some babies instead! Thank you.

No Comments

setting up the 6509-ng

So our test-drive 6509 is set up and running in the local junk server room. As you can see, the room is obviously used for two different purposes. On the one hand it’s a windowless central network service point… and on the other it’s… oh dear… take a look for yourself:

When you come closer… you see…:

TWO 6509s!!!!..
an old one (in the rack) and the new one (on the ground)

And to raise some pulses, a module listing:

c6509-ng#sh module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
3 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX xxxxxxxxxxx
4 24 CEF720 24 port 1000mb SFP WS-X6724-SFP xxxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-3B xxxxxxxxxxx
7 6 Firewall Module WS-SVC-FWM-1 xxxxxxxxxxx

Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
3 0000.0000.0000 to 0000.0000.0000 1.0 12.2(14r)S5 12.2(18)SXD7 Ok
4 0000.0000.0000 to 0000.0000.0000 2.3 12.2(14r)S5 12.2(18)SXD7 Ok
5 0000.0000.0000 to 0000.0000.0000 4.4 8.1(3) 12.2(18)SXD7 Ok
7 0000.0000.0000 to 0000.0000.0000 3.0 7.2(1) 2.3(4) Ok

Mod Sub-Module Model Serial Hw Status
--- --------------------------- ------------------ ------------ ------- -------
3 Centralized Forwarding Card WS-F6700-CFC xxxxxxxxxxx 2.0 Ok
4 Centralized Forwarding Card WS-F6700-CFC xxxxxxxxxxx 2.0 Ok
5 Policy Feature Card 3 WS-F6K-PFC3B xxxxxxxxxxx 2.1 Ok
5 MSFC3 Daughterboard WS-SUP720 xxxxxxxxxxx 2.3 Ok

Oh… something that raised our pulses… a 6513 in one of the other Network Service Points… yummy:

At the moment ahzf and cosrahn are playing with the machine… so more stuff is definitely coming soon.

No Comments

Goodbye 6bone…

As of today the 6bone IPv6 testbed is phased out…

“The 6bone was established in 1996 by the IETF as an IPv6 Testbed network to enable various IPv6 testing as well as to assist in the transitioning of IPv6 into the Internet. It operates under the IPv6 address allocation 3FFE::/16 from RFC 2471. As IPv6 is beginning its production deployment it is appropriate to plan for the phaseout of the 6bone. This document establishes a plan for a multi-year phaseout of the 6bone and its address allocation on the assumption that the IETF is the appropriate place to determine this.”


No Comments

Putty SSH Tunnel as a Service

Putty is a free SSH client for Windows. And here’s a link to a How-To that shows you how to set up a tunnel as a system service:

“First of all, before I wanted to browse the web, I’d have to start the putty client and log into my ssh shell. I had to always keep the putty client open, so it would always be minimized to the taskbar, taking up precious space and often getting closed by mistake. Also, if I lost internet connection my ssh session would be aborted and I’d once again have to log in. There must be a better way. By running the ssh tunnel from a Windows Service it is now always running silently in the background. If my network connection is disturbed, it automatically reestablishes my ssh session.”

Read more here.

Source: Putty SSH Tunnel

1 Comment

802.1x with Vista…

Of course every single one of you knows how to do this: connect to an 802.1x network with Windows Vista (beta 2 in this case). But I just want to give you a short slideshow of how it’s done:

No Comments

CISCO Catalyst 6509+FWSM to be taken to a test drive…

Today the 6509 + the Firewall Service Module arrived at our office. Quite a heavy machine but we’re really excited to play with it 🙂

in all its beauty…

more pictures and infos to come…


German CISCO Expo 2006 review

German CISCO Expo 2006 is finally over and from our point of view it was truly a great success. There were very interesting, sometimes cool presentations and demos, a lot of food & snacks and very colourful lights at the party. Overall it was a much better event than all those Cisco CeBit exhibitions I’ve been to before… the new (Cisco) economy seems to be back on stage 😉


CISCO’s new vision for next generation networking got a new name: “Intelligent Information Network”! Now all the routers and switches should become more intelligent, be aware of the user’s actual location and connection type (ethernet, WLAN, UMTS, …), and voice, data and video become integrated services of IIN. Doesn’t this sound familiar? Yes! In the days of web 2.0 I think German Telekom would call this reinvention of the wheel just ISDN 2.0… let’s hope that it will work better this time 😉

BTW: During the T-Systems keynote they showed us a _real hacker_ *huu-hoo* and demonstrated the unbelievable security risks of unencrypted VoIP by using ARP spoofing *hu-hoho*. So don’t ask T-Systems if you have a _real_ security problem.


There were several talks about eLearning, eEducation, the CISCO Networking Academy, and the Scottish Schools Digital Network. If we believe the given facts and figures, people with deep knowledge in networking will have a great time earning a lot of money during the next years. But from our point of view there is still no real funding of university research (URP is not that great). The NetAcad program might be good for people willing to learn how to configure Cisco switches, but not when you are more interested in building next generation routers, switches and networking concepts. So for us this program is more or less just marketing…

Technology power sessions

WLAN is still a lot of fun… Much more interesting was the talk about the modular IOS, EEM and Gold. CISCO is rewriting their OS from the ground up and the new one will have some really nice features… For example a real filesystem with virtual files like /sys (*hu-hoo* think about this twice ;), embedded event management, processes for more or less every protocol in use and, best of all, a TCL scripting environment! If you send enough emails to the dev team, embedded Perl could also become available. You can win a box of sparkling wine if you implement Tetris in TCL *g*

RFID sponsored by German Telekom… great… :/

Burn venture capital, burn!

The party was really great! Thanks to the orga team… but I still don’t like this “booooming”…

review and pictures by Ahzf


No Comments

OpenVPN is available for Windows Mobile 5 (and 2003 by the way)

For some time we were in desperate need of a comprehensive and secure VPN solution for Windows Mobile (all versions!). There is PPTP and L2TP. And there have been teething problems for… well, ever since.

The silent wish always was to have a more subtle solution: we are using OpenVPN on all of our machines, so we wanted it on our mobile devices too. And there it is:

It’s running on Pocket PC 2003 and Windows Mobile 5.


1 Comment

Cisco Expo 2006 in Germany

Technology-ninja correspondent ahzf is attending the Cisco Expo 2006 at the moment. He sent us the first impressions from the expo floors – more details to show up soon:


No Comments

paint something…the massively multiplayer online game way…

“ is a massively multiplayer, real time internet application that connects people around the world to interact in a shared global mosaic.”

“The global mosaic is made of 1,000 colorful tiles. When you drag a tile, everyone else visiting TheBroth can see it immediately. Collaborate with others or create your own Mona Lisa for all to see!”


1 Comment

Windows Media Server 9 live statistics tool

André wrote a small but handy CLI application that shows you the currently connected clients and the maximum number of connected clients on a Windows Media Server (version 9.0). It creates an HTML file with the statistical information.

“Copyright notice: pubstats is written by André Helbig ( You are allowed to use, copy and change this program as you want. You are not allowed to sell or rent this program. If you make changes, please keep a notice that this program was originally written by me as long as an essential part of my work is still left in the program.”


pubstats [-p publishingpoint] [-d path to datafile] [-h path to html-file] [/?]

-p publishing point for which statistics should be generated
-h html-file for output
-d current data will be saved in and old data will be retrieved from this file every time you open pubstats. If no file is specified, only current will be
-? show help

Download-Link: (5,81 KB)


No Comments

Yet another proxy server… how to turn multicast into unicast…

We are using multicast to deliver more than 20 MPEG-2 encoded video+audio streams in our network. The advantages of using multicasting in a network of more than 2000 machines are well known. But there are several scenarios when multicasting is not the right choice.

For example: in wireless environments you have to use some sort of multicast group management, which is not always as flexible as a simpler solution. You would end up multicasting all 20 streams into the wireless network, which would just explode or something. (Our multicast traffic volume is around 125 Mbit/s… which is… quite a lot.)

I started writing such a solution two days ago and now I want to make the first lines of code available for everybody to try out.

To put it simply: it’s just another proxy server. It’s an HTTP server that can be triggered to join a multicast group (hardcoded in this version) and forward the traffic from that multicast group directly to the client that asked for it. It’s as simple as it can get; to be more technical: the proxy receives UDP multicast packets and sends them as TCP unicast packets.

When you tell MPlayer to trigger the proxy by asking for /hr.ts you get something like this (if you have a multicast group on that IP/port):

As you can see: an MPEG-2 transport stream inside. So it works as designed. There are some glitches, I am afraid to say: one known bug is that there are 12 bytes too much in the outgoing data stream, which corrupts the picture. If anyone here can fix it: do it please 😉 I tried for one day and could not find a solution for the problem.

Anyways: It’s doing what it’s supposed to do. And that’s why I am making it available for everyone:

Sourcecode: (11,18 KB)

It compiles with Microsoft .NET 1.1/2.0 and Mono. There’s a Visual Studio 2005 solution file inside to help you compile it (it should also work with Visual C# Express Edition). Oh… and I am releasing it under the BSD license, which is included in the package.

Feel free to comment and contribute.
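As an added example (not the YAPS source, which is C#), here is the proxy this post describes written in Python, together with the RTP header removal that the “YAPS revisited” post above fixes. Assumptions: an allowlist maps request paths to multicast groups instead of a hard-coded group; the group address, port and the sample datagram are constructed; and rtp_payload also honours the RTP extension and padding bits, which goes beyond killRTPheader.

```python
import socket
import struct

# Constructed allowlist of request paths the relay may serve, each mapped to a
# multicast group and port (placeholder addresses, not the author's network).
STREAMS = {"/hr.ts": ("239.1.1.10", 1234)}

# Constructed sample datagram: RTP v2, one CSRC, payload type 33 (MPEG-TS),
# carrying a single 188-byte TS packet (sync byte 0x47).
TS_PACKET = b"\x47" + b"\x00" * 187
SAMPLE_RTP = bytes([0x81, 33, 0x00, 0x01,      # V=2 P=0 X=0 CC=1, PT=33, seq=1
                    0x00, 0x00, 0x00, 0x10,    # timestamp
                    0xDE, 0xAD, 0xBE, 0xEF,    # SSRC
                    0x00, 0x00, 0x00, 0x01])   # one CSRC entry
SAMPLE_RTP += TS_PACKET


def rtp_payload(pkt: bytes) -> bytes:
    """Return the payload of an RTP datagram (RFC 3550).

    Does what killRTPheader does (12 bytes plus 4 per CSRC) and also honours
    the header extension (X bit) and trailing padding (P bit). The length
    fields come from an untrusted datagram, so every offset is checked and a
    malformed packet raises ValueError instead of corrupting the stream.
    """
    if len(pkt) < 12:
        raise ValueError("datagram shorter than the RTP fixed header")
    b0 = pkt[0]
    if (b0 >> 6) != 2:
        raise ValueError("not RTP version 2")
    start = 12 + 4 * (b0 & 0x0F)                   # skip the CSRC list
    if b0 & 0x10:                                  # X: extension header follows
        if len(pkt) < start + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack_from("!H", pkt, start + 2)[0]
        start += 4 + 4 * ext_words
    end = len(pkt)
    if b0 & 0x20:                                  # P: last byte holds pad length
        pad = pkt[-1]
        if pad == 0 or end - pad < start:
            raise ValueError("bad padding length")
        end -= pad
    if start > end:
        raise ValueError("header longer than the datagram")
    return pkt[start:end]


def parse_request_path(request: bytes):
    """Path of an HTTP GET request line, or None if the line is malformed."""
    try:
        line = request.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/1."):
        return None
    return parts[1]


def membership_request(group: str, iface: str = "0.0.0.0") -> bytes:
    """ip_mreq for IP_ADD_MEMBERSHIP: multicast group plus local interface."""
    return socket.inet_aton(group) + socket.inet_aton(iface)


def relay(client: socket.socket, request: bytes) -> None:
    """Join the group the client asked for and copy RTP payloads to the TCP side."""
    target = STREAMS.get(parse_request_path(request))
    client.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: video/mp2t\r\n\r\n" if target
                   else b"HTTP/1.0 404 Not Found\r\n\r\n")
    if target is None:
        return
    group, port = target
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        udp.bind(("", port))
        udp.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                       membership_request(group))
        while True:
            datagram, _ = udp.recvfrom(65535)
            try:
                client.sendall(rtp_payload(datagram))   # strip the RTP header
            except ValueError:
                continue                               # drop malformed datagrams
    except (BrokenPipeError, ConnectionResetError):
        pass                                           # client went away
    finally:
        udp.close()


def serve(listen_port: int = 8080) -> None:
    """Accept one client at a time and relay the stream it asks for."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("", listen_port))
    srv.listen(5)
    while True:
        client, _ = srv.accept()
        with client:
            relay(client, client.recv(4096))


if __name__ == "__main__":
    serve()
```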


System.Net.Sockets.SocketException: Protocol not supported

While coding the multi-platform way, with the Microsoft .NET Framework on Windows and Mono on everything else, we discovered an annoying bug. In some source-code examples that deal with networking you often see something like this:

Socket listener = new Socket(0, SocketType.Stream, ProtocolType.Tcp);

This short code snippet instantiates a new socket object. Mono compiles this code without any error or warning. But when you run it… this shows up:

Unhandled Exception: System.Net.Sockets.SocketException: Protocol not supported
in <0x00100> System.Net.Sockets.Socket:.ctor 
(AddressFamily family, SocketType type, ProtocolType proto)
in <0x00068> HTTPServer.HttpServer:listen ()
in (wrapper delegate-invoke) System.MulticastDelegate:invoke_void ()

Note: this doesn’t happen with .NET 1.1 and .NET 2.0 on Windows.

You can solve this exception just by telling Mono which AddressFamily should be used:

Socket listener = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);

Thanks to Ello for his help.


No Comments

the web is international

I just figured out that the web is indeed worldwide.

No Comments

How to setup secure 802.1x WPA2 enterprise wireless lan on a linksys WRT54G / GS Revision 4

This article is in German, but I am going to make a translated English version available soon. Thanks to Volker -cosrahn- Henze for writing this great how-to.

For feedback and/or questions please use the comment function.


This how-to is a bit different from others. It is a “monolithic” how-to. We have, so to speak, pulled a snapshot of the OpenWRT that was current at the time onto our server and will build the entire system from it. There will be no updates. That is of course not good, but we chose this approach to produce a how-to that leaves no questions open. So if you do it EXACTLY as we do here, you should end up with a beautiful Linksys that offers you a secure and convenient way to protect your WLAN from unauthorised users while still letting you quickly and easily grant access to friends, acquaintances and neighbours, or revoke it again. Why no customized image? We would have to test it, and we simply lack the time and the hardware for that. But I think we may build such an image soon. A how-to like this also has the advantage that you know what is inside your Linksys instead of just saying “I think that lump in the corner does it…” Well then, have fun!


  • Linksys WRT54GS Revision 4

  • A computer with telnet and SSH (SSH for Windows users is available here)

  • A way to transfer files via scp (scp, WinSCP, etc.)

  • Basic skills in handling a mouse and keyboard


Unpack the Linksys. The warning “Run the CD first, then connect the cables.” can safely be ignored. Now plug the supplied cable into port 1 and into any computer. You now get an IP (, the IP of the Linksys is the so with in your browser you get to the web interface. Login: admin and password: admin

The login data should also be found on the enclosed documentation CD.

This is what the Linksys web frontend looks like. After flashing, the Linksys will have no web frontend. One can be installed afterwards, but that is another how-to…


The corresponding firmware is available here: (1,61 MB) – this is a mirror of the

!!!!!!!!!! WARNING, now it gets hot !!!!!!!!!!
Check once more that no power outage has been announced and that the neighbour is not trying to take a bath with a hair dryer. A power outage would be fatal for the Linksys.

Click Administration->Firmware Upgrade

Select the file openwrt-wrt54gs_v4-jffs2.bin

update in progress


Now the time has come. If everything worked you can log in via telnet.

The first telnet

root@OpenWrt:~# telnet
Connected to
Escape character is ‘^]’.
=== IMPORTANT ============================
Use ‘passwd’ to set your login password
this will disable telnet and enable SSH

BusyBox v1.00 (2006.03.27-00:00+0000) Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

_______ ________ __
| |.—–.—–.—–.| | | |.—-.| |_
| – || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
WHITE RUSSIAN (RC5) ——————————-
* 2 oz Vodka Mix the Vodka and Kahlua together
* 1 oz Kahlua over ice, then float the cream or
* 1/2oz cream milk on the top.

After logging in, first do a reset, since the file systems are still read-only:

root@OpenWrt:~# reboot

After this reboot you can log in again. First, a new password has to be set:

root@OpenWrt:~# telnet
root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Re-enter new password:
Password changed.

Now we log out again, since telnet is not particularly secure and anyone could read what we type.

root@OpenWrt:~# exit
volker@buran ~ $ ssh root@
root@’s password:

BusyBox v1.00 (2005.07.18-21:49+0000) Built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

_______ ________ __
| |.—–.—–.—–.| | | |.—-.| |_
| – || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
WHITE RUSSIAN (RC2) ——————————-
* 2 oz Vodka Mix the Vodka and Kahlua together
* 1 oz Kahlua over ice, then float the cream or
* 1/2oz cream milk on the top.


Now you should take care of Internet access. That is not part of this how-to, since there are simply very many ways to connect a Linksys to the Internet. So here are the two most common ones in my opinion, and more information on this is available here.

FeM-Net or other larger LANs

Here is the procedure if you want to run the device on a larger LAN such as the FeM-Net. Please make sure that the Internet port of the Linksys (the one that sits a bit further away from the others) is connected to the LAN. WARNING: if you connect a different port to the FeM-Net, your FeM-Net port will be deactivated.

Now you need the MAC address of the Linksys to get it enabled on the FeM-Net. That is quite simple.

root@OpenWrt:~# ifconfig vlan1
vlan1 Link encap:Ethernet HWaddr 00:14:BF:CA:FE:01
inet6 addr: fe80::214:bfff:feca:fe01/64 Scope:Link
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 MiB) TX bytes:0 (0.0 MiB)

For our device the MAC address would be “00:14:BF:CA:FE:01”.


That is easy. Just set a few NVRAM variables and plug the DSL modem into the WAN port of the Linksys.

nvram set wan_ifname=ppp0
nvram set wan_proto=pppoe
nvram set ppp_idletime=10
nvram set ppp_mtu=1492
nvram set ppp_passwd=
nvram set ppp_redialperiod=15
nvram set ppp_username=
nvram set pppoe_ifname=vlan1
nvram commit

When you are done, enable the WAN interface with:

ifup wan


Now let’s update the software packages first. We provide a package collection to make sure that everything works exactly as we describe it. That does not mean that this how-to won’t work with later versions.

root@OpenWrt:~# cp /etc/ipkg.conf /etc/ipkg.conf.old
root@OpenWrt:~# vi /etc/ipkg.conf
* press “i” (insert mode)
* now change the following entries
src whiterussian
src non-free
src whiterussian
src non-free
we leave the rest as it is
* press “Esc” (command mode)

Now you can fetch the package information with an ipkg update.

root@OpenWrt:~# ipkg update
Downloading …
Connecting to[]:80
Packages 100% |******************************************|
121 KB 00:00 ETA
Updated list of available packages in /usr/lib/ipkg/lists/whiterussian
Downloading …
Connecting to[]:80
Packages 100% |******************************************|
568 00:00 ETA
Updated list of available packages in /usr/lib/ipkg/lists/non-free


This step is important because you need this tool to synchronise the clock of the Linksys with the Internet. The Linksys has no backup battery and cannot keep its time. But the time is absolutely required for the PKI (the stuff created with OpenSSL) to work.

root@OpenWrt:~# ipkg install ntpclient

ntpclient_2003_194-2_mipsel.ipk …
Connecting to[]:80
ntpclient_2003_194-2 100% |*******************************************|
9555 00:00 ETA
Unpacking ntpclient…Done.
Configuring ntpclient…Done.

Now quickly sync the time.

root@OpenWrt:~# ntpclient -h -s

If necessary, any other time server can be used here instead of .

And a startup script that fetches the current time from the Internet whenever the Linksys is switched on.

root@OpenWrt:~# echo "#!/bin/ash" >/etc/init.d/S70ntp
root@OpenWrt:~# echo "ntpclient -h -s" >>/etc/init.d/S70ntp
root@OpenWrt:~# chmod a+x /etc/init.d/S70ntp

Done. Now, God willing, we always have the correct time on our Linksys.


Installation of the proprietary tools. Even though it is not pretty, you cannot skip this step. The proprietary NAS and the WL tools have to be installed afterwards.

root@OpenWrt:~# ipkg install nas

nas_3.90.37-16_mipsel.ipk …
Connecting to[]:80
nas_3.90.37-16_mipse 100% |******************************************|
75771 00:00 ETA
Unpacking nas…Done.
Configuring nas…Done.
root@OpenWrt:~# ipkg install wl

wl_3.90.37-1_mipsel.ipk …
Connecting to[]:80
wl_3.90.37-1_mipsel. 100% |******************************************|
40906 00:00 ETA
Unpacking wl…Done.
Configuring wl…Done.

The NAS is needed for the communication between the WLAN device of the Linksys and the RADIUS server. The WL tools are needed to use all functions of the proprietary WLAN driver.


Now a root CA is created with OpenSSL. This offers the possibility of dynamically distributing certificates to any persons without having to whisper pre-shared keys to each other in a complicated way. Moreover, certificates can be revoked if you no longer like someone. That is particularly useful in larger infrastructures. Install openssl-utils on your, by now beloved, Linksys. By the way, it is advisable to create the root CA on a different PC. Here, for simplicity, we do it directly on the Linksys.

root@OpenWrt:~# ipkg install openssl-util

Create a directory in which the root CA will be stored.

root@OpenWrt:~# cd /usr/share/
root@OpenWrt:/usr/share/CA# mkdir CA
root@OpenWrt:/usr/share/CA# cd CA

OpenSSL needs a few directories in which it can dump its pointless junk.

root@OpenWrt:/usr/share/CA# mkdir certs crl newcerts private users

Create the serial number and the index file for the root CA.

root@OpenWrt:/usr/share/CA# echo “01” > serial
root@OpenWrt:/usr/share/CA# cp /dev/null index.txt
root@OpenWrt:/usr/share/CA# cp /etc/ssl/openssl.cnf .

Make a copy of the original OpenSSL config file and change it as you need.

root@OpenWrt:/usr/share/CA# vi openssl.cnf
* press “i” (insert mode)
* scroll down with the arrow keys to the section [ CA_default ]
* the parameter
dir = ./demoCA
* replace with
dir = ./
* then make whatever adjustments you like
* press “ESC” (command mode)

The client certificates need special Windows XP extensions. For this we create a new file named xpextensions.

root@OpenWrt:/usr/share/CA# vi xpextensions
* press “i” (insert mode)
Add the lines
[ xpclient_ext ]
extendedKeyUsage =
[ xpserver_ext ]
extendedKeyUsage =
* press “ESC” (command mode)


The root CA is valid for 1095 days. That can of course be adjusted as desired by changing the number after the -days option.

root@OpenWrt:/usr/share/CA# openssl req -new -x509 \
-keyout private/cakey.pem -out cacert.pem -days 1095 -config openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to ‘private/cakey.pem’
Enter PEM pass phrase: “Das_Root-CA_Passwort”
Verifying – Enter PEM pass phrase: “Das_Root-CA_Passwort”
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Thueringen
Locality Name (eg, city) []:Ilmenau
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FeM e.V.
Organizational Unit Name (eg, section) []:Technik
Common Name (eg, YOUR name) []:Cosrahn
Email Address []:somemailadress

Tip: remember the password. And it should never fall into the wrong hands.

root@OpenWrt:/usr/share/CA# openssl pkcs12 -export -in cacert.pem -inkey private/cakey.pem \
-out caroot.p12 -cacerts -descert
Enter pass phrase for private/cakey.pem: “Das_Root-CA_Passwort”
Enter Export Password: “caroot_p12_Passwort” (can also be empty)
Verifying – Enter Export Password: “caroot_p12_Passwort” (can also be empty)
root@OpenWrt:/usr/share/CA# openssl pkcs12 -in caroot.p12 -out caroot.pem
Enter Import Password: “caroot_p12_Passwort”
MAC verified OK
Enter PEM pass phrase: “caroot_pem_Passwort”
Verifying – Enter PEM pass phrase: “caroot_pem_Passwort”

And for Windows.

root@OpenWrt:/usr/share/CA# openssl x509 -in cacert.pem \
-inform PEM -out cacert.der -outform DER


root@OpenWrt:/usr/share/CA# openssl req -nodes -new -x509 -keyout radius-req.pem \
-out radius-req.pem -days 730 -config openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to ‘radius-req.pem’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Thueringen
Locality Name (eg, city) []:Ilmenau
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FeM e.V.
Organizational Unit Name (eg, section) []:Technik
Common Name (eg, YOUR name) []:Cosrahn
Email Address []:somemailaddress
root@OpenWrt:/usr/share/CA# openssl x509 -x509toreq \
-in radius-req.pem -signkey radius-req.pem -out radius-tmp.pem
Getting request Private Key
Generating certificate request

Certifying the request. Please pay attention to the order here: “-infiles radius-tmp.pem” is the last option on the command line.

root@OpenWrt:/usr/share/CA# openssl ca -config openssl.cnf \
-policy policy_anything -out radius-cert.pem -extensions xpserver_ext \
-extfile xpextensions -infiles radius-tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /usr/share/CA/private/cakey.pem: “Das_Root-CA_Passwort”
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Not Before: Jan 1 05:15:35 2000 GMT
Not After : Dec 31 05:15:35 2000 GMT
countryName = DE
stateOrProvinceName = Thueringen
localityName = Ilmenau
organizationName = FeM e.V.
organizationalUnitName = Technik
commonName = Cosrahn
emailAddress = somemailaddress
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Dec 31 05:15:35 2000 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Converting the certificate into a PKCS12 file so that Outlook, MSIE and Mozilla can read it (this step is not strictly necessary, since our RADIUS does not need PKCS12).

openssl pkcs12 -export -in radius-cert.pem -out radius-cert.p12 \
-inkey radius-req.pem -descert


This step has to be repeated for every client.

root@OpenWrt:/usr/share/CA# openssl req -nodes -new -x509 \
-keyout client-req.pem -out client-req.pem -days 730 -config openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to ‘client-req.pem’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Thueringen
Locality Name (eg, city) []:Ilmenau
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FeM e.V.
Organizational Unit Name (eg, section) []:Technik
Common Name (eg, YOUR name) []:Cosrahn
Email Address []:somemailAddress
root@OpenWrt:/usr/share/CA# openssl x509 -x509toreq -in client-req.pem \
-signkey client-req.pem -out client-tmp.pem
Getting request Private Key
Generating certificate request

Signing the request – mind the correct order: “-infiles client-tmp.pem” has to be the last option on the command line.

root@OpenWrt:/usr/share/CA# openssl ca -config openssl.cnf -policy policy_anything \
-out client-cert.pem -extensions xpclient_ext -extfile xpextensions \
-infiles client-tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /usr/share/CA/private/cakey.pem:
DEBUG[load_index]: unique_subject = “yes”
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Not Before: Jan 1 05:37:37 2000 GMT
Not After : Dec 31 05:37:37 2000 GMT
countryName = DE
stateOrProvinceName = Thueringen
localityName = Ilmenau
organizationName = FeM e.V.
organizationalUnitName = Technik
commonName = Cosrahn
emailAddress = somemailAddress
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Dec 31 05:37:37 2000 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Converting the certificate into a PKCS12 file (Outlook; MSIE; Mozilla).

openssl pkcs12 -export -in client-cert.pem -out client-cert.p12 \
-inkey client-req.pem -descert

To avoid a bigger mess I put the steps above into a small script. This little script helps with creating a new client. You find the generated certificates in /usr/share/CA/users/[clientname].

Here is the script: (,43 KB)

For example, you can now simply run:

root@OpenWrt:/usr/share/CA# ./ Paul

to create a certificate for the user “Paul”.


To complete the encryption fun we still need a random file and a Diffie-Hellman parameter file. We proceed as follows.

root@OpenWrt:/usr/share/CA# openssl dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
root@OpenWrt:/usr/share/CA# dd if=/dev/urandom of=random bs=1k count=1


We have generated a lot of files now, but which one is for what? Let's untangle that.

radius-req.pem – the key
radius-cert.pem – the certificate
cacert.pem and cacert.der – the CA certificate
dh1024.pem – the DH parameters
random – just contains random data


The client:

These files have to go onto the machine that wants to log into the WLAN.

We'll deal with the files for the RADIUS later.
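As an added check that is not part of the original how-to, the following POSIX shell script (my own example) inspects the files we just generated using nothing but the openssl command-line tool. It assumes the file names used in this text, and it assumes that the xpextensions file referenced by the openssl ca calls above contains the usual xpserver_ext and xpclient_ext sections pointing at the serverAuth and clientAuth OIDs (the page does not show that file, so its contents are an assumption here). For each certificate it verifies that it chains to our cacert.pem, that the private key in the matching *-req.pem file really belongs to it, that the Extended Key Usage fits its role (server authentication for radius-cert.pem, client authentication for client-cert.pem, which the Windows EAP-TLS supplicant insists on), and that it is valid right now. That last check is worth having: the sessions above show Not Before/Not After dates in the year 2000, which is where a router without a real-time clock starts counting until its time is set, and a certificate issued with that clock is long expired by the time a client sees it.

```shell
#!/bin/sh
# verify_8021x_certs.sh -- sanity checks for the CA output of the how-to above.
# Added example, not part of the original text. Needs only the openssl CLI.

# Contents of the xpextensions file named in the "openssl ca ... -extfile xpextensions"
# calls above (assumed here; the standard FreeRADIUS/OpenWrt file maps
# xpserver_ext to id-kp-serverAuth and xpclient_ext to id-kp-clientAuth).
xp_extensions() {
    cat <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# check_cert CA CERT KEYFILE ROLE
#   CA      CA certificate (cacert.pem)
#   CERT    issued certificate (radius-cert.pem or client-cert.pem)
#   KEYFILE PEM file holding the unencrypted private key; radius-req.pem and
#           client-req.pem also carry a self-signed cert, so the key block is cut out
#   ROLE    "server" (RADIUS side) or "client" (supplicant side)
# Prints one FAIL line per problem and returns the number of failed checks (0 = all good).
check_cert() {
    ca=$1 cert=$2 keyfile=$3 role=$4
    fails=0

    # 1. Chain: the certificate must have been signed by our CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"
        fails=$((fails + 1))
    fi

    # 2. Key/cert pairing: the public key inside the cert must equal the one derived
    #    from the private key. A mismatch is the classic "RADIUS starts, TLS fails".
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(sed -n '/-----BEGIN.*PRIVATE KEY-----/,/-----END.*PRIVATE KEY-----/p' "$keyfile" \
              | openssl pkey -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key in $keyfile does not match $cert"
        fails=$((fails + 1))
    fi

    # 3. Extended Key Usage: the Windows EAP-TLS supplicant needs serverAuth in the
    #    RADIUS certificate and clientAuth in the user certificate. Swapping the
    #    -extensions sections yields certificates that verify fine but get rejected.
    case $role in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "usage: check_cert CA CERT KEYFILE server|client" >&2; return 1 ;;
    esac
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "$want"; then
        echo "FAIL: $cert lacks the '$want' extended key usage"
        fails=$((fails + 1))
    fi

    # 4. Validity: -checkend 0 fails if the certificate has already expired. A router
    #    without a real-time clock issues certificates dated in the year 2000 (see the
    #    sessions above) unless its time is set first.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired (set the router clock before running openssl ca)"
        fails=$((fails + 1))
    fi

    return $fails
}

# check_set DIR: run both checks on a CA directory laid out like /usr/share/CA above.
check_set() {
    dir=${1:-/usr/share/CA}
    rc=0
    check_cert "$dir/cacert.pem" "$dir/radius-cert.pem" "$dir/radius-req.pem" server || rc=1
    check_cert "$dir/cacert.pem" "$dir/client-cert.pem" "$dir/client-req.pem" client || rc=1
    [ $rc -eq 0 ] && echo "OK: certificate set in $dir looks usable for EAP-TLS"
    return $rc
}

# Usage: ./verify_8021x_certs.sh /usr/share/CA
if [ $# -gt 0 ]; then
    check_set "$1"
fi
```

Run it on the router before copying anything to /etc/freeradius/ca; every FAIL line names the file and the reason, so a certificate issued with the wrong -extensions section or with the clock still at 2000 is caught before the first client complains.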


Once we've managed that we can continue with the RADIUS server. If you already use a working RADIUS server in your network, you can skip this step. To install the FreeRadius server proceed as follows:

root@OpenWrt:~# ipkg install freeradius

root@OpenWrt:~# ipkg install freeradius-utils

root@OpenWrt:~# ipkg install freeradius-mod-eap

root@OpenWrt:~# ipkg install freeradius-mod-eap-md5

root@OpenWrt:~# ipkg install freeradius-mod-eap-peap

root@OpenWrt:~# ipkg install freeradius-mod-eap-tls

root@OpenWrt:~# ipkg install freeradius-mod-eap-ttls

root@OpenWrt:~# ipkg install freeradius-mod-files

root@OpenWrt:~# ipkg install freeradius-mod-pap


Please make sure you don't forget any package.

So that the RADIUS also starts at the right time after a reboot, the start script has to be renamed.

mv /etc/init.d/radiusd /etc/init.d/S41radiusd

Then copy the OpenSSL certificates we created.

mkdir /etc/freeradius/ca
cp /usr/share/CA/cacert.pem /etc/freeradius/ca
cp /usr/share/CA/radius-req.pem /etc/freeradius/ca
cp /usr/share/CA/radius-cert.pem /etc/freeradius/ca
cp /usr/share/CA/dh1024.pem /etc/freeradius/ca/
cp /usr/share/CA/random /etc/freeradius/ca/

The important files for the RADIUS configuration are

  • clients.conf
  • eap.conf
  • radiusd.conf
  • users


Entry in clients.conf:

client {
secret = Das_RADIUS_Passwort
shortname = localhost
nastype = other
}




Now let's simply activate our 802.1X environment.

root@OpenWrt:~# nvram set "wl0_akm=wpa wpa2"
root@OpenWrt:~# nvram set wl0_auth_mode=radius
root@OpenWrt:~# nvram set wl0_crypto=aes+tkip
root@OpenWrt:~# nvram set wl0_radius_ipaddr=
root@OpenWrt:~# nvram set wl0_radius_key=Das_RADIUS_Passwort
root@OpenWrt:~# nvram set wl0_radius_port=1812
root@OpenWrt:~# nvram set wl0_ssid=My_8021X_Network
root@OpenWrt:~# nvram set wan_hostname=My_8021X_Gateway
root@OpenWrt:~# nvram set wl0_wep=aes+tkip
root@OpenWrt:~# nvram commit

After a reboot the magic should begin. Have fun!


ipkg install wireless-tools
ipkg install webif


WPA2 Enterprise-Howto
OpenWRT configuration help
OpenSSL X509


bumps ahead…

I am migrating the currently running MSDNAA download server solution to a Virtual Server 2005 R2 based solution. Since some of the portions of / are running on those machines you may experience some bumps in the next hours…

Everything on / should work by the time the sun shows up in Europe…

No Comments

IP multiple socket outlet…

The IP power-outlets for the planet-lab machine arrived. What a gadget to play with 🙂


1 Comment

isolate me…

patented isolatr technology: Helping you find where other people aren’t…great idea in fact not new 😉

Thanks to wiseguy for the tip…


No Comments

Windows Live (beta refresh) movie…

I don’t know why but I am in movie-making-mood. So I did another movie showing some of the features of Windows Live…:

  • customization

  • searching web, news, images,…

  • adding gadgets…

click to view

No Comments

gadget-o-mania: bluetooth + windows mobile 5 device = smart remote control

Everybody knows me as the gadget-loving guy who cannot resist any chance to play with technology. And this night was once again time to play.

I was in bed complaining about the fact that I have to get up to change the track iTunes is playing at the moment. I thought: It should be possible to remote control iTunes and everything else on any machine in the room.

I instantly got up and looked for something that might do what I wanted… And what I found outdid my expectations by far: Salling Clicker is the name of the tool.

What’s the point of the tool? It’s simply a server and a client. The server runs on any Windows or Macintosh machine and accepts connections via TCP/IP or bluetooth. I am using bluetooth at the moment… The client runs on almost any phone, in my case a Windows Mobile 5 phone.

The installation is painless – on the Mac it comes as a Preference Pane:

This represents the menu you have on your client…on my phone in this case…

You even can configure phone events…for example: What happens when the phone rings?

The user interface is very similar to an iPod. You simply control it with the D-Pad of the phone. Clicking the D-Pad selects…

To give you an idea what it looks like to play a song…look:

Yes there is cover art…and track rating…

And … you can search… and find…

This is the first tool for about two years that flashed big way. I instantly registered my copy (the 30 click-limitation is quite annoying) and got a serial number within minutes. As I am exploring the tool I even found extensions for the remote control to access my eMail…my ICQ…oh well and remote controlling Powerpoint presentations is one base feature…

The tool is, like I said, available for Windows and Macintosh – so take a look, it’s really worth a try.


No Comments

ridiculous speed, light speed, wire speed….

Did you ever wonder how fast data is actually travelling on the wires that come out of your machines? So take a look at this diagram to find out:


No Comments

house automation to the max.

So here we are: We got an EIB bus in our office and thought: Oh well – that’s something to play with. But this guy wired and automated his complete house.

I cannot even imagine what information he is getting from “toilet flushed 3 times today”…but hey – why not 🙂


No Comments

How to get a root certificate onto a Windows Mobile device properly…

So thanks to the Windows Mobile Team Blog I am able to present you the proper way to get a root certificate installed on a Windows Mobile device. The way to do it is to somehow create a .CAB installer file which installs the root certificate on the device. The problem to this date: We just did not know how to create this .CAB installer file.

So here are the few steps:

Step 1: Export the root certificate from your certmgr.msc console (Start – Run – “certmgr.msc“):

as a Base-64-encoded X.509 file…

this file looks like this when you open it in notepad:

for the next step we need everything within the “—–BEGIN/END CERTIFICATE—–” sections, of course without those sections…

Now view the certificate and get the fingerprint:

copy the “10 24 09 …” text and create a new XML file. To make it not too complicated have a look at what it should look like when you’re done (you can click the image for better reading):

So you have the XML file – get to the command line and make a “makecab ” – and you’re done. You should have a .CAB installer file which installs a root certificate on a Windows Mobile device.


No Comments

one multi-monitor idea implemented: Synergy2

So nearly a year ago I wrote about my multi-monitor ideas. And after that article a reader commented that there is a software called “Synergy” – which is just perfect, solving at least three of my demands on a perfect multi-monitor working environment:

  • use ONE keyboard+mouse – regardless how many machines I want to control
  • I want to copy-paste across the machines – clipboard sharing!
  • platform independent – I’ve got at least one Mac, one Windows and one Linux I want to control

So here it is. And it’s working like a champ. To make it more clear what I am talking about I made a short movie for you:

click to watch

And all this with just a small text config file that tells synergy2 which machine is next to which one…

You can get this video also via our podcast rss feed.


No Comments

an OSX traffic monitoring tool – even usable when you only have a shell

Since I am quite frequently working on my Mac via ssh I was in desperate need for a tool to monitor the input/output network traffic. I normally don’t need something like ethereal or tcpdump – I just need something that displays a graph and simple traffic statistics and last but not least updates itself frequently. So netstat is not usable for that purpose because it’s not the most concise tool I know. So ethereal and tcpdump are usually used for different purposes like traffic sniffing and dumping – So ahzf gave me the hint to look for something called “darkstat” – And yes: it’s a really useful tool.

Darkstat runs on the host system and monitors the network interfaces. It also incorporates a webserver which allows you to take a look at the statistics.

Darkstat’s main start page looks like this:

It’s a great tool that displays more detailed information when you click on the links in the menu bar. If you’re searching for a great network tool for your unix/mac – go for darkstat!

I have to mention that darkstat is no longer under active development – sad but true.


No Comments

22c3: video and audio streaming and recording scheme

As promised yesterday here is some more information about the video and audio streaming and recording at the 22c3. First let’s start with the almost complete scheme:

What’s not in the scheme is where and how the streams are recorded:

  1. there’s a DV tape in every camera (we’ve got 400 brand new DV tapes for that purpose here)

  2. audio+video streams are recorded on the CCC encoding machines on their local hard drives (MPEG2 audio and MPEG4 video)

  3. audio+video streams are recorded on the FeM encoding machines on their local hard drives (Windows Media Audio+Video 9)

  4. audio-only streams are recorded on the CCC streaming servers’ local hard drives

Last but not least: How can you watch and hear those fantastic streams? Easy:

Two ways:

go to and take a look or follow the links directly to the WMV streams:

lecture hall 1
lecture hall 2
lecture hall 3
lecture hall 4

or go to and take a look or take this table:

hall 1 link
hall 2 link
hall 3 link
hall 4 link

Visio: all lecture halls.vsd (507,5 KB)
SVG: all lecture halls.svg (384,63 KB)

Source 1:
Source 2:
Source 3:


young single searching…

lonely switch searching for connections.

No Comments

Importing Certificates on the Pocket PC 2003 / Windows Mobile 5 platform…

Hurray! Now the certificate import utility is available for Windows Mobile 5. Since we’re playing a lot with 802.1x we are desperately in need of such a certificate import utility.

I did not test the utility – more on that later.

“I have made Crtimprt, a program for Pocket PC 2003 and Windows Mobile 5.0. Crtimprt allows you to import:

  • A “Personal Certificate” issued by any Certificate Authority (CA).

  • A private key which corresponds to this certificate.

  • One or more “Root Certificates” (or none at all).

Once an X.509 certificate is installed, you can use it for user authentication on the Pocket PC. The imported certificate can be used in the following scenarios:

  • User authentication in L2TP/IPsec VPNs.

  • Web client authentication in Pocket Internet Explorer.

  • User authentication in 802.1x wireless networks (EAP-TLS only).

  • Other third-party applications that happen to support Personal certificates (I am not aware of any, though).”


No Comments

Songbird: cloning and extending iTunes

Well – Silence was around the guys who made Winamp after they played a bit with AOL. But here they are – back with another media player: Songbird will face the light in a first preview version in december.

I think that these guys will face a serious threat from Apple. From my standpoint it’s clearly an iTunes clone…whether the guys say otherwise or not…


No Comments

IPv6 pragmatism.

’nuff said.

No Comments

it’s JASJAR / MDA pro time… yeeeehaa!

After several weeks of waiting today the JASJAR / MDA pro arrived together with the T-Mobile UMTS contract + USIM.

As you can imagine the unpackaging was quite an event (I am not posting the pictures that show me retardedly smiling)

Everything in place….


Since ahzf’s JASJAR also arrived today and the third one is on its way and expected to arrive on Monday we now can just start over developing the applications for our research project.

1 Comment

Microsoft Research presents: Virtual WiFi

“VirtualWiFi is a virtualization architecture for wireless LAN (WLAN) cards. It abstracts a single WLAN card to appear as multiple virtual WLAN cards to the user. The user can then configure each virtual card to connect to a different wireless network. Therefore, VirtualWiFi allows a user to simultaneously connect his machine to multiple wireless networks using just one WLAN card. This new functionality introduced by VirtualWiFi enables many new applications, which were not possible earlier using a single WLAN card. For example,

  • With VirtualWiFi, you can connect to a guest’s machine or play games over an ad hoc network, while surfing the web via an infrastructure network.
  • You can use VirtualWiFi to connect your ad hoc network, which may contain many nodes, to the Internet using only one node.
  • VirtualWiFi can help make your home infrastructure network elastic by extending its access to nodes that are out of range of your home WiFi Access Point.”

Source:

No Comments

the evilgate structure, and 802.1X

I told you about the Linksys WRT54GS-DE router I’ve bought to put an OpenWRT on it. So what’s it all about? Why would I want to have such a firewall-detour-device? And what’s a firewall-detour-device anyway?

So let’s take the following situation: You are in a network that allows you to access parts of the internet. Let’s say you can access TCP ports 21, 22, 80, 119, 139, 143 and everything above 1024 (list is incomplete!). And this network you are in blocks every UDP data transfer you would like to do. Unfortunately all the interesting things want to have UDP or at least some lower TCP ports. – What to do? That’s why you need the firewall-detour-device. It passes you unfiltered internet through the filtered network.

In our case it would look like that:

As you can see there are two ways to use the firewall-detour-device (the little Linksys in the picture): by standard RJ45 ethernet and by 802.11g WLAN. The most interesting case is the WLAN use case. But let’s start with the OpenVPN tunnel: The first thing you need is a machine that has unfiltered internet. You now determine on what ports you can connect through your firewall to that particular server. TCP port 80 for example…now take OpenVPN and with a few lines of configuration the server is set up. (OpenVPN gives you the ability to connect through virtually every port, either UDP or TCP – you even could tunnel through a HTTP/S proxy but that’s not a subject of this article)

The client side has to be configured accordingly – which means installing OpenWRT on the Linksys and getting OpenVPN ipkg’ed…

The last question would be how you would secure your WLAN access to the firewall-detour-device. You have heard about WPA? In our case we implemented a 802.1X Authentication System: The authentication is done by a radius server which runs on the Linksys. The client (the user’s notebook/desktop PC) has a certificate issued by the same CA that issued the access point’s certificate, with just some XP_EXTENSIONS in the certificate (additional OIDs). On the Linksys additionally runs a daemon that changes the WPA key every 3600 seconds (configurable).

So at the end you have a certificate based authentication with a radius server combined with a WPA implementation which changes the WPA keys in a configurable interval.

A typical OpenVPN config file looks like this:

dev tun
proto udp

# TLS parms
ca [ca-certificate-PEM-format]
cert [client-certificate-PEM-format]
key [client-key-PEM-format]
dh [diffie-hellman file]

remote [the-OpenVPN-server]

There are some how-to manuals available at the OpenWRT homepage – so I do not copy-paste them here. But there are some misconceptions about the things you have to do on a Windows client to use a 802.1X WLAN:

You need the root certificate (the same you used at the access point, the only difference is that it has to be in the DER format) and you need a client certificate with XP extensions in PKCS#12 format. When you have both you just have to double-click to import them. When you now connect to the 802.1X WLAN you are asked to approve the root certificate. After that you’re probably asked to choose which client certificate you would like to use – select your client certificate and voilà. You should be connected to the WLAN authenticated with 802.1X.

Source 1: Linksys Router is now “evilgate”
Source 2: What is WPA?
Source 3: What is 802.1X?
Source 4:

No Comments

back on from the IPXServer test-machine…now the test summary

After a week of testing schrankmonster is back on its “old” server. I successfully finished the one-week free test which IPXServer offered me.

But first things first: At the moment I am planning to move this website (and some others) to a new and dedicated machine. Therefore I am looking for a hoster that has the best offer…and IPXServer seems to deliver the best price-performance ratio. So I asked for some more information about their products (actually their site is…crap) – and they offered me a one week test of a server of my choice.

Within 12 hours from my request they delivered the server with Windows Server 2003 Web Edition running on it. I received 5 eMails through IPXServer’s own pop3-mail-system (which every customer is forced to use to communicate with IPXServer) with the login and support information. And after one hour this website was completely moved to the new server. (it took around 50 minutes to copy all the data)

Besides the Remote Desktop Client way to administrate the server a customer gets a web-driven administration area to perform all kinds of tasks with the server (like upgrading, passwords, recovery…)

I want to give a short overview of the administration area:

that’s the first page after the login

some information about the machine…

the configuration of the machine

there are some traffic statistics

you can configure traffic-limits and alarms

well…very limited remote possibilities

you can upgrade the hardware (ask the sales-team about the pricing!)

you can upgrade the software…see the “individual installation”… for about 25 Euros per 15 minutes they will install any OS you name and send in for you…

there’s a VERY SHORT FAQ section.

that’s the technical support-section…I preferred eMail support…

and you have some backup space…

To come to a conclusion: All testing went fine so far. The machine delivered the performance I expected – the network even delivered better performance than I expected (about 7 megabyte/s down-speed from that machine to my home machine). Additionally IPXServer delivers the best price-performance ratio. Considering the fact that the IPXServer eMail support normally responded in less than 2 hours to any eMail I sent them – there’s nothing bad I could say about IPXServer. I am sure that I will become a customer in the future: I really can recommend IPXServer so far.

Source: IPXServer

No Comments

Mission accomplished: Linksys Router is now “evilgate”

After some minutes the job was done – and OpenWrt instead of the original firmware was flashed into the two new Linksys routers.

Please welcome OpenWrt – “White Russian RC2”.

Since the documentation is quite good it just leaves me with this citation:

“With the release of the Linux sources for the Linksys WRT54G/GS series of routers came a number of modified firmwares to extend functionality in various ways. Each firmware was 99% stock sources and 1% added functionality, and each firmware attempted to cater to a certain market segment with the functionality that they provided. The downsides were twofold, one – it was often difficult to find a firmware with the combination of functionality desired (leading to forks and yet more custom firmwares) and two – all the firmwares were based on the original Linksys sources which were far behind mainstream Linux development.

OpenWrt takes a different route, instead of starting out with the Linksys sources, the development started with a clean slate. Piece by piece software was added to bring the functionality back to that of the stock firmware, using the most recent versions available. What makes OpenWrt really unique though is the fact it employs a writable filesystem so the firmware is no longer a static compilation of software but can instead be dynamically adjusted to fit the particular needs of the situation. In short, the device is turned into a mini linux PC with OpenWrt acting as the distribution, complete with almost all traditional linux commands and a package management system for easily loading on extra software and features.”


No Comments

it’s all about power

hmm…seems like I have some things to optimize… the “old” server really was more powerful…

Believe it or not: That 15%-20% load there is just the Remote Desktop… I’ve never seen something like that…even on my P3-500 machine which is my mail-server at the moment it’s not more than 5%…

…Strange. I’ll have to find a reason for that behaviour…

No Comments

heavy load on our servers…

Today nierenschaden finally got the tent’s FTP server up and running so we can mirror and host the talk recordings that are available about an hour after the talk ended….

After we announced our server (which has about 750 GB of storage) many people dropped in to leech from our mirror…

No Comments

providing network connections…

We have 8 machines in our village connected to our HP2524 network switch… – but after two days there are 14 cables plugged into the switch…these cables go to some other tents around us.

we proudly present: Food and a HP2524

It turned out that there were not enough uplink ports for everyone at the next so called “Datenklo”…

…everyone just puts their network cable into it…and once an hour a member of the technical staff connects the new cable to one of the switches inside the “Datenklo”…

No Comments

fem ex post

Since I left my lovely Studentenwohnheim in Ilmenau with its broadband out-of-the-wall internet access…

posted by Medienfloh

No Comments

on August 1st there’s something going to happen to theSpoke

On August the 1st the brand new TheSpoke (theSpoke2 actually) will launch. Until then there’s a lot to do and bugfix. But it’s going to be a great thing.

I have been working for months in the Advisory Board for the new version of theSpoke. And we hope that we did a good job.

So check the new site (currently in beta-mode) out: