Xathrya Sabertooth
- How to View or Edit PDF/Image Metadata from Command Line
- Access VNC Remote Desktop in Web Browser
- Install and Configure httptunnel
- Installing wxHexEditor
- Installing wxHexEditor for Slackware64
- Creating Multiple Networks on VMware Player
- How to Install RPM Fusion
- Creating Multiple VPN Tunnels Between Two Hosts using tinc VPN
- How to Set Up Repoforge Repository
- Install and Configure tinc VPN
How to View or Edit PDF/Image Metadata from Command Line
Posted: 06 Oct 2013 07:42 PM PDT

Typical digital images or photos have a rich set of metadata embedded in them. Metadata is written automatically by capture devices such as digital cameras, or it can be added manually by photographers or photo editing software to record various properties. Similarly, a PDF document has its own set of metadata identifying its author, title, date, etc.

There are various tools that allow us to edit metadata in digital photos or PDF documents, and ExifTool is one of them. ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. ExifTool supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital cameras by Canon, Casio, FLIR, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony.

In this article, we will discuss how to view or edit metadata in PDF documents or digital pictures from the command line using ExifTool. All experiments were done on Slackware64 14.0.
Supported Metadata

Below is the list of file types and metadata currently supported by ExifTool ("r" = read, "w" = write, "c" = create).

Supported file types
------------+-------------+-------------+-------------+------------
3FR   r     | DVB   r     | M4A/V r     | PBM   r/w   | RWL   r/w
3G2   r     | DYLIB r     | MEF   r/w   | PDF   r/w   | RWZ   r
3GP   r     | EIP   r     | MIE   r/w/c | PEF   r/w   | RM    r
ACR   r     | EPS   r/w   | MIFF  r     | PFA   r     | SO    r
AFM   r     | ERF   r/w   | MKA   r     | PFB   r     | SR2   r/w
AI    r/w   | EXE   r     | MKS   r     | PFM   r     | SRF   r
AIFF  r     | EXIF  r/w/c | MKV   r     | PGF   r     | SRW   r/w
APE   r     | F4A/V r     | MNG   r/w   | PGM   r/w   | SVG   r
ARW   r/w   | FLA   r     | MOS   r/w   | PICT  r     | SWF   r
ASF   r     | FLAC  r     | MOV   r     | PMP   r     | THM   r/w
AVI   r     | FLV   r     | MP3   r     | PNG   r/w   | TIFF  r/w
BMP   r     | FPX   r     | MP4   r     | PPM   r/w   | TTC   r
BTF   r     | GIF   r/w   | MPC   r     | PPT   r     | TTF   r
COS   r     | GZ    r     | MPG   r     | PPTX  r     | VRD   r/w/c
CR2   r/w   | HDP   r/w   | MPO   r/w   | PS    r/w   | VSD   r
CRW   r/w   | HTML  r     | MQV   r     | PSB   r/w   | WAV   r
CS1   r/w   | ICC   r/w/c | MRW   r/w   | PSD   r/w   | WDP   r/w
DCM   r     | IIQ   r/w   | MXF   r     | PSP   r     | WEBP  r
DCP   r/w   | IND   r/w   | NEF   r/w   | QTIF  r     | WEBM  r
DCR   r     | ITC   r     | NRW   r/w   | RA    r     | WMA   r
DFONT r     | JNG   r/w   | NUMBERS r   | RAF   r/w   | WMV   r
DIVX  r     | JP2   r/w   | ODP   r     | RAM   r     | X3F   r/w
DJVU  r     | JPEG  r/w   | ODS   r     | RAR   r     | XCF   r
DLL   r     | K25   r     | ODT   r     | RAW   r/w   | XLS   r
DNG   r/w   | KDC   r     | OGG   r     | RIFF  r     | XLSX  r
DOC   r     | KEY   r     | ORF   r/w   | RSRC  r     | XMP   r/w/c
DOCX  r     | LNK   r     | OTF   r     | RTF   r     | ZIP   r
DV    r     | M2TS  r     | PAGES r     | RW2   r/w   |

Supported metadata standards and types
----------------------+----------------------+---------------------
EXIF           r/w/c  | CIFF           r/w   | Ricoh RMETA    r
GPS            r/w/c  | AFCP           r/w   | Picture Info   r
IPTC           r/w/c  | Kodak Meta     r/w   | Adobe APP14    r
XMP            r/w/c  | FotoStation    r/w   | MPF            r
MakerNotes     r/w/c  | PhotoMechanic  r/w   | Stim           r
Photoshop IRB  r/w/c  | JPEG 2000      r     | APE            r
ICC Profile    r/w/c  | DICOM          r     | Vorbis         r
MIE            r/w/c  | Flash          r     | SPIFF          r
JFIF           r/w/c  | FlashPix       r     | DjVu           r
Ducky APP12    r/w/c  | QuickTime      r     | M2TS           r
PDF            r/w/c  | Matroska       r     | PE/COFF        r
PNG            r/w/c  | GeoTIFF        r     | AVCHD          r
Canon VRD      r/w/c  | PrintIM        r     | ZIP            r
Nikon Capture  r/w/c  | ID3            r     | (and more)

Installation

As stated before, ExifTool is written in Perl. ExifTool requires Perl 5.004 or later. No other library or software is required.

Package Manager Way

To install ExifTool on Ubuntu, Debian or Linux Mint, you can use the following command:

    sudo apt-get install libimage-exiftool-perl

To install ExifTool on CentOS or RHEL, first set up the EPEL repository, and then run the following:

    sudo yum install perl-Image-ExifTool

Generic Way

Installing ExifTool from source is really simple. Download the source code; the latest version is 9.37:

    wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.37.tar.gz

Extract it and go to the source code's root directory:

    tar -xzvf Image-ExifTool-9.37.tar.gz
    cd Image-ExifTool-9.37

Next, invoke the following commands to test and install:

    perl Makefile.PL
    make test
    sudo make install

Windows Way

On Windows, there is a choice of two different versions of ExifTool to install. If you don't already have Perl, it is easier to install the stand-alone ExifTool executable, but note that the stand-alone version doesn't include the HTML documentation or some other files of the full distribution.

The stand-alone executable can be downloaded from the ExifTool home page: exiftool-9.37.zip. After downloading it, extract "exiftool(-k).exe". Rename it and move it to C:\Windows\exiftool.exe. You can now run exiftool by typing "exiftool" at the command prompt.

Usage Example

View all metadata in a picture

    exiftool input.jpg

Change title and author information of a PDF document

    exiftool -Title="A title by Satria" -Author="Satria Ady Pradana" input.pdf

Modify tags of multiple images in a batch

    exiftool -artist="Satria Ady Pradana" -copyright="2013 Satria Ady Pradana" a.jpg b.jpg c.jpg

Modify artist name for all media files located in a target directory

    exiftool -artist="Satria Ady Pradana" ./folder

Show all metadata information in an image

This will include duplicate and unknown tags, sorted by group.

    exiftool -a -u -g2 input.jpg

Show all metadata fields which contain the word "Date"

    exiftool -"*Date*" input.png

Extract GPS coordinate information from a photo

    exiftool -gpslatitude -gpslongitude input.jpg

Show GPS coordinate information contained in a picture in tabular format

    exiftool -filename -gpslatitude -gpslongitude -T input.jpg
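The tabular GPS command above is a convenient pre-publication check for photos that still carry location data. The following script is an added example, not part of the original article: it filters that tabular output and converts the coordinates to signed decimal degrees. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: list photos that still carry
# GPS coordinates, using the tabular output of the last command above.

# gps_report: reads `exiftool -filename -gpslatitude -gpslongitude -T` output
# on stdin (tab-separated; -T prints "-" for a missing tag) and prints
# name, latitude, longitude in signed decimal degrees for tagged files only.
gps_report() {
    awk -F '\t' '
        # A coordinate has five space-separated parts: degrees, the word
        # "deg", minutes, seconds, hemisphere. The quote marks that follow
        # the minutes and seconds are ignored by numeric conversion.
        function dec(s,    p, n, v) {
            n = split(s, p, " ")
            if (n == 1) return s          # already numeric (exiftool -n)
            if (n != 5) return "?"        # unexpected layout, flag it
            v = p[1] + p[3] / 60 + p[4] / 3600
            return sprintf("%.6f", (p[5] == "S" || p[5] == "W") ? -v : v)
        }
        NF >= 3 && ($2 != "-" || $3 != "-") {
            print $1 "\t" ($2 == "-" ? "-" : dec($2)) "\t" ($3 == "-" ? "-" : dec($3))
        }'
}

# sample_table: constructed rows in the same layout ExifTool prints.
sample_table() {
    printf '%s\t%s\t%s\n' \
        'holiday.jpg' "41 deg 53' 24.00\" N" "87 deg 37' 48.00\" W" \
        'scan.png'    '-' '-' \
        'office.jpg'  "33 deg 51' 54.00\" S" "151 deg 12' 36.00\" E"
}

# audit_dir DIR: run the check on a real directory tree (needs exiftool).
audit_dir() {
    exiftool -filename -gpslatitude -gpslongitude -T -r "$1" | gps_report
}

# Demo on the constructed rows: scan.png has no GPS tags and is not listed.
sample_table | gps_report
```

To clear the tags from a flagged file, `exiftool -gps:all= FILE` removes the GPS group. ExifTool keeps the unmodified file as FILE_original unless `-overwrite_original` is given, so that copy still contains the coordinates.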
Access VNC Remote Desktop in Web Browser
Posted: 06 Oct 2013 03:31 PM PDT

There are many VNC clients available, differing in their capabilities and support. If you are looking for a cross-platform VNC client, you can use Java-based VNC viewers (e.g., RealVNC or TightVNC). However, there is also a newer option: web-based VNC clients. VNC web clients are typically faster than Java-based VNC viewers and can be easily integrated into other third-party applications.

In this article, we will discuss how to access a VNC remote desktop in a web browser by using a VNC web client called noVNC. All experiments were done on Linux, Slackware64 14.0.

What is noVNC

noVNC is an HTML5-based remote desktop web client which can communicate with a remote VNC server via WebSockets. Using noVNC, you can control a remote computer in a web browser over VNC.

noVNC has been integrated into a number of other projects including OpenStack, OpenNebula, CloudSigma, Amahi and PocketVNC.

noVNC Feature List

The following list shows full features offered by noVNC.
Web Browser Requirements

Not all web browsers can run noVNC. We need a web browser capable of running HTML5, specifically HTML5 Canvas and WebSockets. Therefore, older web browsers are excluded from our list. The following browsers meet the requirements:
If your browser does not have native WebSockets support, you can use web-socket.js, which is included in the noVNC package.

More details on browser compatibility can be found in the official guide.

Installation

To install the noVNC remote desktop web client, clone the noVNC repository:

    git clone git://github.com/kanaka/noVNC

Running

Launch Websockify WebSockets Proxy

The first step is to launch Websockify (which comes with the noVNC package) on the local host. noVNC relies on Websockify to communicate with a remote VNC server. Websockify is a WebSocket-to-TCP proxy/bridge, which allows a web browser to connect to any application, server or service via a local TCP proxy.

Here we assume we have already set up a running VNC server somewhere. Let's say we have a VNC server at 192.168.1.102:5901 using TightVNC.

To launch Websockify, use a startup script called launch.sh. This script starts a mini web server as well as Websockify. The "--vnc" option is used to specify the location of a remotely running VNC server. Run it from the noVNC source code root directory:

    ./utils/launch.sh --vnc 192.168.1.102:5901

And you should have something like this:

    Warning: could not find self.pem
    Starting webserver and WebSockets proxy on port 6080
    WebSocket server settings:
      - Listen on :6080
      - Flash security policy server
      - Web server. Web root: /home/xathrya/gitku/noVNC
      - No SSL/TLS support (no cert file)
      - proxying from :6080 to 192.168.1.102:5901

    Navigate to this URL:

        http://BlueWyvern:6080/vnc.html?host=BlueWyvern&port=6080

    Press Ctrl-C to exit

Connect using Browsers

At this point, you can open up a web browser and navigate to the URL shown in the output of Websockify (e.g., http://BlueWyvern:6080/vnc.html?host=BlueWyvern&port=6080).

If the remote VNC server requires password authentication, you will see the following screen in your web browser.

After you have successfully connected to a remote VNC server, you will be able to access the remote desktop.
You can also adjust the settings of a VNC session by clicking the settings icon.

The above examples were run on Slackware64 14.0 (client) and Raspbian Wheezy / Raspberry Pi (server).

Create Encrypted VNC Session with noVNC

By default, a VNC session created by noVNC is not encrypted. If you want, you can create encrypted VNC connections by using the WebSocket 'wss://' URI scheme. For that, you need to generate a self-signed certificate (e.g., by using OpenSSL) and have Websockify load the certificate.

To create a self-signed certificate with OpenSSL:

    openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem

After that, place the certificate in the noVNC/utils directory. Then when you run launch.sh, Websockify will automatically load the certificate.
Install and Configure httptunnel
Posted: 06 Oct 2013 03:02 PM PDT

httptunnel is free software that allows one to create a bi-directional tunnel, encapsulated in HTTP, between a client and a server. The HTTP requests can be sent via an HTTP proxy if so desired.

HTTP-encapsulated tunnels are useful behind restrictive networks. If WWW access is allowed through an HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall. A common example is running games, IM clients, or P2P sharing applications across restrictive firewalls or proxies which tend to block pretty much everything except well-known traffic such as HTTP.

httptunnel consists of hts (server) and htc (client) components, which establish HTTP tunnels between them.

Installation

Linux Package Manager Way

For Debian or its derivatives (Ubuntu, Linux Mint):

    sudo apt-get install httptunnel

For Red Hat or its derivatives (Fedora, CentOS, Scientific Linux, etc.), you should set up the Repoforge repository first and then do:

    sudo yum install httptunnel

Windows Way

Binaries for Windows are provided by some contributors. For Windows NT, you can go here. For WIN32, you can go here.

Generic Way

Download the latest stable httptunnel source code (version 3.0.5), httptunnel-3.0.5.tar.gz.

Extract the source code from the archive, and do the usual routine:

    tar -xf httptunnel-3.0.5.tar.gz
    cd httptunnel-3.0.5
    ./configure
    make
    make install

Set Up HTTP Tunnel

As stated before, there are two parties to a connection: the HTTP server and the HTTP client. Therefore, we need to configure both sides. Of course, both should have httptunnel installed.
Server Side

    hts -F <server_ip_addr>:<port_of_your_app> 80

The above command tells hts to listen on port 80 and redirect all traffic received on port 80 to <port_of_your_app>.

Client Side

    htc -P <my_proxy.com:proxy_port> -F <port_of_your_app> <server_ip_addr>:80

The above command tells htc to receive traffic on localhost:<port_of_your_app>, which is then redirected to <server_ip_addr>:80, optionally via a proxy (in case the client is behind an HTTP proxy).

At this point, the application instances running on the two end hosts can communicate with each other transparently via an HTTP tunnel.
Installing wxHexEditor
Posted: 06 Oct 2013 02:44 PM PDT

A hex editor is a "special purpose" editor. It differs from a regular text editor in that the hex editor displays the raw binary content of a given file, without applying any text encoding or typesetting. A hex editor is mainly used in forensic or low-level editing situations. It can be used, for example, for repairing disk images and partitions, reverse engineering binary code, patching emulator ROM files, analyzing malware, etc.

One good hex editor available for Linux is wxHexEditor, which will be discussed here.

wxHexEditor uses the wxWidgets libraries, therefore it can be compiled on the various platforms supported by wxWidgets. In this article we will limit ourselves to some operating systems: Windows, Mac, and Linux. There is also a specific article for installing wxHexEditor for Slackware, which can be used as a guide for installing wxHexEditor from source code.

The latest version of wxHexEditor is 0.22, which will be used in this article.

wxHexEditor Features

wxHexEditor offers a number of powerful features.
Dependencies

To compile wxHexEditor, we need the wxWidgets library, version 2.8.11 or higher. You can follow this article to install wxWidgets if you don't have it yet.

Windows Installation

wxHexEditor offers a binary installer which is compiled using MinGW. You can download it here. Once the download has finished, you will have a new zip archive named wxHexEditor-v0.22a-Win32.zip.

Mac OS Installation

Mac OS X users can download a precompiled static binary for MacIntel. You can download the installer here.

Linux Installation

Debian Way

To install wxHexEditor on Debian and its derivatives, you can install via the GetDeb Apps repositories. Here are the commands you need to invoke to install wxHexEditor:

    wget -q -O - http://archive.getdeb.net/getdeb-archive.key | sudo apt-key add -
    sudo sh -c 'echo "deb http://archive.getdeb.net/ubuntu $(lsb_release -cs)-getdeb apps" >> /etc/apt/sources.list.d/getdeb.list'
    sudo apt-get update
    sudo apt-get install wxhexeditor

Alternatively, you can build wxHexEditor from source:

    sudo apt-get install debhelper libdisasm-dev libmhash-dev libwxbase2.8-dev libwxgtk2.8-dev wx-common wx2.8-headers
    svn checkout svn://svn.code.sf.net/p/wxhexeditor/code/trunk wxHexEditor
    cd wxHexEditor
    make OPTFLAGS="-fopenmp"

RPM Package Way

If you are using CentOS or RHEL, you need to enable the Repoforge repository first.

To install wxHexEditor, you can build it from source, as follows:

    sudo yum install libtool gcc-c++ wxGTK-devel
    svn checkout svn://svn.code.sf.net/p/wxhexeditor/code/trunk wxHexEditor
    cd wxHexEditor
    make OPTFLAGS="-fopenmp"

Troubleshoot

If you encounter the following problem:

    /lib/libgbm.so.1: undefined reference to `wayland_buffer_is_drm'

then you need to update the mesa-libgbm package.
Installing wxHexEditor for Slackware64
Posted: 06 Oct 2013 02:01 PM PDT

A hex editor is a "special purpose" editor. It differs from a regular text editor in that the hex editor displays the raw binary content of a given file, without applying any text encoding or typesetting. A hex editor is mainly used in forensic or low-level editing situations. It can be used, for example, for repairing disk images and partitions, reverse engineering binary code, patching emulator ROM files, analyzing malware, etc.

One good hex editor available for Linux is wxHexEditor, which will be discussed here.

In this article, I use the following:
There is also an article on installing wxHexEditor on several operating systems.

wxHexEditor Features

wxHexEditor offers a number of powerful features.
Installation

Dependencies

To compile wxHexEditor, we need the wxWidgets library, version 2.8.11 or higher. You can follow this article to install wxWidgets if you don't have it yet. You also need wxPython to do so.

Obtain the Materials

The source code for wxHexEditor is hosted at SourceForge; the latest version is 0.22 Beta. You can download the source code here.

Next, extract it and you will have a directory containing the source code. Change to that directory; the rest of the compilation assumes we are there.

Compilation

Invoke this series of commands to build wxHexEditor (using root privileges to install):

    make OPTFLAGS="-fopenmp"
    su -c "make install"

Other Installation Methods

Slackbuilds

A slackbuild script has been provided here. However, the version supported there is 0.20. You can download the source code and slackbuild script and run the slackbuild on your system.

Install from RPM Package

Installing from an RPM package means you need to convert the corresponding .rpm package to a Slackware-compatible one. This package is actually meant for Red Hat and its derivative distributions.

First you need to obtain the package. For example, I obtain one package from pkgs.org which is wxHexEditor-0.22-2.1.x86_64.rpm

Then do the conversion with the rpm2tgz tool:

    rpm2tgz wxhexeditor-0.22-2.1.x86_64.rpm

And then install it by:

    su -c "upgradepkg --install-new wxhexeditor-0.22-2.1.x86_64.tgz"

Install from Deb Package

Installing from a Deb package means you need to convert the corresponding .deb package to a Slackware-compatible one. This package is actually meant for Debian and its derivative distributions.

First you need to obtain the package. For example, I obtain one package from pkgs.org which is wxHexEditor-0.22-repack-1_amd64.deb

Then do the conversion with the deb2tgz tool:

    deb2tgz wxhexeditor_0.22+repack-1_amd64.deb

And then install it by:

    su -c "upgradepkg --install-new wxhexeditor_0.22+repack-1_amd64.tgz"
Creating Multiple Networks on VMware Player
Posted: 06 Oct 2013 01:34 PM PDT

In VMware Player, there are three network options for guest VMs: bridged network, NAT network, and host-only network. What if you want to create multiple isolated networks and have them all available at once while the VM is running, each reachable via a different network interface attached to the VM? Surely this is interesting, but if the network choices are limited to the three options above, we can't make our idea real.

Therefore, in this article we will discuss how we can "hack" VMware Player so it can accommodate our idea.

The Theory Behind

The feature we use is "LAN segments". Using this, we can define multiple LAN segments, each of which represents an isolated virtual LAN. We can then attach our VM to as many LAN segments (with corresponding network adapters) as we want. Both VMware Workstation and VMware Player have this feature, so you can apply this to VMware Workstation too. However, on Linux it seems that LAN Segments is not shown by default.

Each LAN segment acts as a VPN (Virtual Private Network). This way, more than one isolated network can be formed.

Creating LAN Segment

In order to create and assign a LAN segment to a VMware Player VM, first create a new VM instance with two network interfaces (one bridged and one NAT) using the Virtual Machine Wizard.

Do not turn on the VM at this point. Instead, open up the .vmx file of the VM and edit it as follows. Search for the lines that read "ethernet1.xxxxx". This is the configuration for network interface eth1:

    ethernet1.present = "TRUE"
    ethernet1.connectionType = "nat"
    ethernet1.virtualDev = "e1000"
    ethernet1.wakeOnPcktRcv = "FALSE"
    ethernet1.addressType = "generated"

Currently eth1 is set to use NAT. We will reconfigure it so that it uses a LAN segment instead.
For that, change the above configuration as follows:

    ethernet1.present = "TRUE"
    ethernet1.connectionType = "pvn"
    ethernet1.pvnID = "52 dd bc d5 36 19 1b 6b-0f f1 fb 1c 4c ac 44 f7"
    ethernet1.virtualDev = "e1000"
    ethernet1.wakeOnPcktRcv = "FALSE"
    ethernet1.addressType = "generated"

As seen there, two changes were made. First, ethernet1.connectionType was changed to "pvn" (Private Virtual Network). Also, there is a new entry, ethernet1.pvnID, which identifies the LAN segment that the VM will be attached to. You can fill in any arbitrary pvnID in the same alphanumeric format; it will be regenerated by VMware Player later on.

Once the changes are saved to the .vmx file, open the guest machine's VM settings in VMware Player. Now you will notice that the LAN segment configuration menu magically appears in the VMware Player GUI, as shown below. If it doesn't show up yet, close VMware Player and start it up again.

From the drop-down menu of LAN segments, you can choose "LAN Segment 1", which was created by our manual editing of the .vmx file.

You can also create as many LAN segments as you want by clicking on the "LAN Segments" button, which will show you a LAN segment management interface.

All the VMs that are attached to the same LAN segment are physically on the same layer-2 network. VMs that are assigned to different LAN segments are physically separated.

Note that there is no pre-configured DHCP service running on the LAN segments you create. Therefore, if you want to have your VM assigned a DHCP IP address from a given LAN segment, you will need to run a DHCP server on one of your VMs on the same LAN segment. Alternatively, you could use a static IP address.
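When several VMs are involved, it helps to script the .vmx edit and then confirm which adapters actually share a segment and which are still on a bridged or NAT network. The script below is an added example, not part of the original article; the function names and the two sample .vmx files are constructed, and it assumes .vmx lines use the `key = "value"` form shown above.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes .vmx lines have the
# form: key = "value" (as in the snippets above).

SEG="52 dd bc d5 36 19 1b 6b-0f f1 fb 1c 4c ac 44 f7"   # pvnID from the article

# vmx_set_segment FILE N PVNID: print FILE with ethernetN moved to a LAN segment.
vmx_set_segment() {
    awk -v nic="ethernet$2" -v id="$3" '
        function emit() {
            print nic ".connectionType = \"pvn\""
            print nic ".pvnID = \"" id "\""
            done = 1
        }
        $1 == (nic ".pvnID") { next }              # drop a stale ID, emit re-adds it
        $1 == (nic ".connectionType") { emit(); next }
        { print }
        END { if (!done) emit() }' "$1"
}

# vmx_adapters FILE...: one tab-separated line per adapter:
# file, adapter, connectionType (or "unset"), pvnID (or "-").
vmx_adapters() {
    for va_f in "$@"; do
        awk -v f="$(basename "$va_f")" '
            BEGIN { OFS = "\t" }
            match($1, /^ethernet[0-9]+\./) {
                nic = substr($1, 1, RLENGTH - 1); prop = substr($1, RLENGTH + 1)
                val = $0; sub(/^[^"]*"/, "", val); sub(/"[^"]*$/, "", val)
                if (prop == "connectionType") ctype[nic] = val
                if (prop == "pvnID") seg[nic] = val
                seen[nic] = 1
            }
            END {
                for (n in seen)
                    print f, n, (n in ctype ? ctype[n] : "unset"), (n in seg ? seg[n] : "-")
            }' "$va_f"
    done | sort
}

# segment_members FILE...: one line per LAN segment with its attached adapters.
segment_members() {
    vmx_adapters "$@" | awk -F '\t' '
        $3 == "pvn" { m[$4] = m[$4] " " $1 ":" $2 }
        END { for (s in m) print s " ->" m[s] }' | sort
}

# non_segment_adapters FILE...: adapters that are not on a LAN segment.
non_segment_adapters() {
    vmx_adapters "$@" | awk -F '\t' '$3 != "pvn" { print $1 ":" $2 " (" $3 ")" }'
}

# make_lab DIR: two constructed .vmx fragments for the demo.
make_lab() {
    cat > "$1/gateway.vmx" <<'EOF'
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "nat"
ethernet1.virtualDev = "e1000"
ethernet1.wakeOnPcktRcv = "FALSE"
ethernet1.addressType = "generated"
EOF
    cat > "$1/client.vmx" <<'EOF'
ethernet0.present = "TRUE"
ethernet0.connectionType = "pvn"
ethernet0.pvnID = "52 dd bc d5 36 19 1b 6b-0f f1 fb 1c 4c ac 44 f7"
EOF
}

# Demo: move gateway's ethernet1 from NAT to the segment, then audit both VMs.
lab=$(mktemp -d)
make_lab "$lab"
vmx_set_segment "$lab/gateway.vmx" 1 "$SEG" > "$lab/gateway.tmp"
mv "$lab/gateway.tmp" "$lab/gateway.vmx"
segment_members "$lab"/*.vmx
non_segment_adapters "$lab"/*.vmx
rm -rf "$lab"
```

Because VMware Player regenerates the pvnID, rerun the audit against the saved .vmx files after the segment has been selected in the GUI.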
How to Install RPM Fusion
Posted: 06 Oct 2013 01:03 PM PDT

RPM Fusion is a service which provides software that the Fedora Project or Red Hat doesn't want to ship. Like any RPM package, packages on RPM Fusion can be installed using yum and PackageKit.

RPM Fusion is a merger of Dribble, Freshrpms, and Livna, with the goal of simplifying the end-user experience by grouping as much add-on software as possible in a single location. Specifically, RPM Fusion offers various free or non-free add-on packages. These packages are not shipped by Fedora and Red Hat because they do not meet the software requirements.

Installing RPM Fusion is not difficult, and we will go through it in this article, using Fedora 15 as the example machine.

Installation

RPM Fusion maintains two separate repositories for free and non-free packages. You can selectively enable either or both repositories as you want.

In order to enable the free repository of RPM Fusion, do:

    sudo yum localinstall --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm

To enable the non-free repository of RPM Fusion:

    sudo yum localinstall --nogpgcheck http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm

Note that --nogpgcheck tells yum to skip GPG signature verification for the release package being installed.

Verification

To verify that the RPM Fusion repository has been set up successfully, run the following command to list all available repositories on your system:

    yum repolist | grep rpmfusion

If you have enabled RPM Fusion, an entry for it should appear.
Creating Multiple VPN Tunnels Between Two Hosts using tinc VPN
Posted: 06 Oct 2013 11:52 AM PDT

There are cases where we want to create more than one VPN tunnel between a pair of hosts. This is possible, and it is what we want to discuss in this article.

Why Multiple Tunnels?

As the question goes, why? With multiple tunnels, you could use each tunnel for a different purpose, achieving full isolation among traffic belonging to different tunnels. Depending on which tunnel traffic goes through, you could even apply different QoS or security policies to the underlying traffic.

Scenario

In this example, we will create two VPN tunnels between hosts Alice and Bob. We assume that Alice serves as the tinc VPN bootstrapping point, while Bob initiates a connection to Alice.

The two VPNs created between Alice and Bob are named vpn1 and vpn2.

Configuration

In tinc, one tinc daemon can only manage one VPN. This means that if you want to create multiple tunnels between two hosts, you need to run as many tinc daemons on each host.

For the basic setup, you can follow the configuration section of this article.

Create VPN Configuration

Using the guide above, create two separate tinc VPNs named vpn1 and vpn2. If you follow the tinc configuration instructions, two sets of tinc configuration files will be stored in /etc/tinc/vpn1 and /etc/tinc/vpn2. Make sure to use two distinct tinc interface names (e.g., tun0, tun1) as well as two different subnets for these two VPNs.

Specifying Port

By default, tinc listens on port 655 for incoming connections. Thus we cannot run more than one tinc daemon with the default port setting. For two VPNs vpn1 and vpn2, you can use the default port for one VPN (e.g., vpn1), but you need to use another port for the other VPN (e.g., vpn2). Therefore, we need to configure a port number to use for vpn2 (in our scenario).

On both hosts alice and bob, append the following to /etc/tinc/vpn2/hosts/alice and /etc/tinc/vpn2/hosts/bob.
The port number can be anything other than tinc's default port number 655.

    Port = 700

Make sure the port is available.

Starting tinc

Once the tinc configuration is done, start two tinc daemons on each host as follows (using root privileges):

    tincd --net=vpn1
    tincd --net=vpn2
How to Set Up Repoforge Repository
Posted: 06 Oct 2013 11:41 AM PDT

Repoforge, previously known as RPMforge, maintains a repository of RPM packages for Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux. If you are a RHEL or CentOS user, it is strongly recommended to set up the Repoforge repository on your system, as it contains many useful software packages that are not available in the existing stock repositories.

Configuring Repoforge is not difficult, and we will go through it in this article, using CentOS 6.3 as the example machine.

Installation

In order to enable the Repoforge repository on your CentOS system, you need to check your CentOS version. Though we said earlier that we use CentOS 6.3, you can also check your CentOS version by running the following command:

    cat /etc/redhat-release

You should also check your architecture, whether 32-bit (i.e., i686) or 64-bit (i.e., x86_64):

    uname -a

The configuration depends on your version.

For 32-bit CentOS 6.*:

    sudo rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

For 64-bit CentOS 6.*:

    sudo rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

For 32-bit CentOS 5.*:

    sudo rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.i386.rpm

For 64-bit CentOS 5.*:

    sudo rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.x86_64.rpm

Verification

Once Repoforge is installed, you can use yum to install all available packages from the Repoforge repo.
Install and Configure tinc VPN
Posted: 06 Oct 2013 11:34 AM PDT

tinc is an open-source VPN daemon that uses tunnelling and encryption to create a secure private network between hosts on the internet. Because the VPN appears to the IP-level network code as a normal network device, there is no need to adapt any existing software. This allows VPN sites to share information with each other over the Internet without exposing any information to others.

tinc comes with a number of powerful features not found in other VPN solutions. For example, tinc allows peers behind NAT to communicate with one another via VPN directly, not through a third party. Other features include full IPv6 support and path MTU discovery. For a complete list, you should go to the official tinc site.

Scenario

Unlike other articles, we will use a scenario to illustrate the case covered here.

In this article, we will set up a VPN connection between two hosts via tinc. Let's call these hosts "Alice" and "Bob". We also assume that Bob will initiate a VPN connection to host "alice".

Installation

First, install tinc on both hosts.

Linux Package Manager Way

For Debian or its derivatives (Ubuntu, Linux Mint):

    sudo apt-get install tinc

For Red Hat or its derivatives (Fedora, CentOS, Scientific Linux, etc.), you should set up the Repoforge repository first and then do:

    sudo yum install tinc -y

Windows Way

For a Windows system (Windows XP/Vista/7/8), there is an installation file you can use. The latest version you can find is 1.0.22. Download and execute the file, here.

Mac OS Way

The recommended method to install tinc on Mac OS is using the MacPorts port system. The MacPorts Project is an open-source community initiative to design an easy-to-use system for compiling, installing, and upgrading either command-line, X11 or Aqua based open-source software on the Mac OS X operating system.

MacPorts is recommended because it does not modify your system files. It keeps itself separate from your system.
Xcode is a required prerequisite. It must be installed before installing MacPorts. Download and install the MacPorts system from MacForge.
After MacPorts is installed, close and reopen your terminal. Update the ports system and ports list:

    sudo port selfupdate
    sudo port sync

Then you can install tinc and all necessary dependencies by:

    sudo port install tinc

All configuration files are located in /opt/local/etc/tinc.

Configuration

For each host, create a directory for tinc.

Alice Machine

    mkdir -p /etc/tinc/myvpn/hosts

Then create a file /etc/tinc/myvpn/tinc.conf with the following data:

    Name = alice
    AddressFamily = ipv4
    Interface = tun0

The above example creates a "session" under the name "myvpn". This is the name of the VPN network to be established between Alice and Bob in this scenario. The VPN name can be any alphanumeric name not containing "-". In the tinc.conf example, the "Name" field indicates the name of the local host running tinc, which doesn't have to be the actual hostname. You can choose any generic name.

Next, create the host configuration file, which contains host-specific information, at /etc/tinc/myvpn/hosts/alice with the following text:

    Address = 1.2.3.4
    Subnet = 10.0.0.1/32

The name of the host configuration file (e.g., alice) should be the same as the one you defined in tinc.conf. The "Address" field indicates a globally routable public IP address associated with alice. This field is required for at least one host in a given VPN network so that other hosts can initiate VPN connections to it. In this example, alice will serve as the bootstrapping server, and so has a public IP address (e.g., 1.2.3.4). The "Subnet" field indicates the VPN IP address to be assigned to alice.

Next, generate the public/private key pair (using root privileges):

    tincd -n myvpn -K4096

The above command will generate 4096-bit public/private keys for host "alice". The private key will be stored as /etc/tinc/myvpn/rsa_key.priv, and the public key will be appended to /etc/tinc/myvpn/hosts/alice.

Next, configure the scripts that will be run right after the tinc daemon is started, as well as right before the tinc daemon is terminated.
Make sure they are executable by setting their mode to 755 with chmod.

Create /etc/tinc/myvpn/tinc-up for the startup script:

    #!/bin/sh
    ifconfig $INTERFACE 10.0.0.1 netmask 255.255.255.0

Create /etc/tinc/myvpn/tinc-down for the shutdown script:

    #!/bin/sh
    ifconfig $INTERFACE down

Bob Machine

    mkdir -p /etc/tinc/myvpn/hosts

Then create a file /etc/tinc/myvpn/tinc.conf with the following data:

    Name = bob
    AddressFamily = ipv4
    Interface = tun0
    ConnectTo = alice

Similar to the Alice machine, we create a configuration for Bob. However, remember that in this scenario Bob initiates the connection to Alice. Therefore, we add the "ConnectTo" field to connect to the Alice machine.

Create a file /etc/tinc/myvpn/hosts/bob with the following data:

    Subnet = 10.0.0.2/32

Then create a private/public key pair (using root privileges):

    tincd -n myvpn -K4096

This will store Bob's private key as /etc/tinc/myvpn/rsa_key.priv, and its public key will be added to /etc/tinc/myvpn/hosts/bob.

We also need to create two scripts similar to alice's, namely /etc/tinc/myvpn/tinc-up and /etc/tinc/myvpn/tinc-down.

In /etc/tinc/myvpn/tinc-up, write:

    #!/bin/sh
    ifconfig $INTERFACE 10.0.0.2 netmask 255.255.255.0

In /etc/tinc/myvpn/tinc-down, write:

    #!/bin/sh
    ifconfig $INTERFACE down

Make sure both scripts are executable.

Copying Both Keys

Next we need to copy each host's public key file to the other host. This way, both parties can connect to the VPN network.

On Alice:

    scp /etc/tinc/myvpn/hosts/alice root@bob:/etc/tinc/myvpn/hosts/

On Bob:

    scp /etc/tinc/myvpn/hosts/bob root@alice:/etc/tinc/myvpn/hosts/

Creating Connection

After finishing the configuration, you should be able to create a connection. Based on our scenario, since Bob initiates the VPN connection, you need to start the tinc daemon on Alice first and then on Bob. Both use the same command (with root privileges):

    tincd -n myvpn
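The configuration steps above, together with the "Specifying Port" step of the multiple-tunnels article earlier on this page, leave several things that are easy to get wrong: a host file that was never copied, a private key readable by other users, or two daemons left on port 655. The script below is an added example, not part of the original articles. The function names are made up for illustration, the sample tree it builds is constructed with placeholder key text, and it assumes the "Key = value" file layout shown above.

```shell
#!/bin/sh
# Added example, not from the original articles: checks for a tinc
# configuration root laid out like /etc/tinc in the steps above.

# conf_get FILE KEY: print the first value of KEY ("Key = value", any case).
conf_get() {
    [ -f "$1" ] || return 0
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) { print val; exit }
        }' "$1"
}

# listen_port ROOT NET: port the local daemon uses, read from its own host
# file hosts/<Name>; 655 is the default the article mentions.
listen_port() {
    lp_name=$(conf_get "$1/$2/tinc.conf" Name)
    lp_port=$(conf_get "$1/$2/hosts/$lp_name" Port)
    echo "${lp_port:-655}"
}

# port_collisions ROOT: report nets whose daemons would bind the same port.
port_collisions() {
    for pc_dir in "$1"/*/; do
        [ -f "${pc_dir}tinc.conf" ] || continue
        pc_net=$(basename "$pc_dir")
        echo "$(listen_port "$1" "$pc_net") $pc_net"
    done | sort -n | awk '
        $1 == prev { print "port " $1 " used by both " prevnet " and " $2 }
        { prev = $1; prevnet = $2 }'
}

# check_net ROOT NET: report mistakes in one net's files, one per line.
check_net() {
    cn_dir="$1/$2"
    cn_name=$(conf_get "$cn_dir/tinc.conf" Name)
    [ -f "$cn_dir/hosts/$cn_name" ] ||
        echo "$2: hosts/$cn_name missing (file name must equal Name)"
    cn_peer=$(conf_get "$cn_dir/tinc.conf" ConnectTo)
    if [ -n "$cn_peer" ]; then
        cn_pf="$cn_dir/hosts/$cn_peer"
        if [ ! -f "$cn_pf" ]; then
            echo "$2: ConnectTo = $cn_peer but hosts/$cn_peer was never copied here"
        else
            [ -n "$(conf_get "$cn_pf" Address)" ] ||
                echo "$2: hosts/$cn_peer has no Address to connect to"
            grep -q -e '-----BEGIN' "$cn_pf" ||
                echo "$2: hosts/$cn_peer carries no public key"
        fi
    fi
    if [ -f "$cn_dir/rsa_key.priv" ] &&
       [ "$(ls -ld "$cn_dir/rsa_key.priv" | cut -c5-10)" != "------" ]; then
        echo "$2: rsa_key.priv is accessible to group or others"
    fi
    for cn_s in tinc-up tinc-down; do
        [ -x "$cn_dir/$cn_s" ] || echo "$2: $cn_s missing or not executable"
    done
}

# make_sample ROOT: constructed tree for host "bob" with nets vpn1 and vpn2.
# vpn2 has three deliberate mistakes: world-readable private key, no copy of
# hosts/alice, and no Port line (so it collides with vpn1 on 655).
make_sample() {
    for ms_i in 1 2; do
        ms_dir="$1/vpn$ms_i"
        mkdir -p "$ms_dir/hosts"
        printf 'Name = bob\nAddressFamily = ipv4\nConnectTo = alice\n' > "$ms_dir/tinc.conf"
        printf 'Subnet = 10.0.%s.2/32\n-----BEGIN RSA PUBLIC KEY-----\n(placeholder)\n' \
            "$ms_i" > "$ms_dir/hosts/bob"
        printf '#!/bin/sh\n' > "$ms_dir/tinc-up"
        printf '#!/bin/sh\n' > "$ms_dir/tinc-down"
        chmod 755 "$ms_dir/tinc-up" "$ms_dir/tinc-down"
        echo '(placeholder, not a real key)' > "$ms_dir/rsa_key.priv"
        chmod 600 "$ms_dir/rsa_key.priv"
    done
    printf 'Address = 1.2.3.4\nSubnet = 10.0.1.1/32\n-----BEGIN RSA PUBLIC KEY-----\n(placeholder)\n' \
        > "$1/vpn1/hosts/alice"
    chmod 644 "$1/vpn2/rsa_key.priv"
}

# Demo on the constructed tree; point the functions at /etc/tinc for real use.
demo_root=$(mktemp -d)
make_sample "$demo_root"
check_net "$demo_root" vpn1
check_net "$demo_root" vpn2
port_collisions "$demo_root"
rm -rf "$demo_root"
```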