## Blog now uses HTTPS!

With the release of Let’s Encrypt to the public, I’ve reconfigured my blog server to use HTTPS.  Setup was pretty straightforward: I just followed the nginx setup guide.  Notably though, my highly restrictive nginx setup didn’t work with the rules they described.  Instead, I needed this fragment to get the Let’s Encrypt authentication challenge to pass;

Notably, the certs issued only last for 90 days, so you will need some way to renew them automatically.  The above guide has that.

Let’s see how it goes.

## OpenVPN Routing from Server to Client

There are a lot of guides about how to use OpenVPN to push arbitrary routes (usually to defeat geolocking) from an OpenVPN client to a server.  However, my requirements are actually backwards.  I need to be able to push routes from my server to a client (since the ‘server’ is my home router).  This requires a different rule set from normal.

Firstly, the machine that is going to function as the egress point to the Internet has to be configured to allow IPv4 forwarding and also to allow masquerading (so that packets forwarded from the internal network to the Internet can be re-tagged with the egress point’s external IP address).

In /etc/sysctl.conf, set net.ipv4.ip_forward to 1.  Then, you’ll need the following iptables rules (eth0 is the egress interface, tun0 is the internal interface);

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP

The first rule causes traffic outbound on the egress interface to be masqueraded (NAT).  The second rule causes inbound traffic going from the egress interface to the internal interface to be accepted if it’s part of an established or related connection (ie, packets coming back).  The third rule causes packets destined to be forwarded from the internal interface to the egress interface to be accepted.  And the last two rules log anything else and drop them.
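To see what those FORWARD rules actually permit before loading them on a router, here is a small first-match model of the chain.  This is an added example, not code from the original post: interface names are parameters, the conntrack state of a packet is one of NEW, ESTABLISHED or RELATED, and the LOG target is treated as non-terminating, as it is in netfilter.

```python
"""Added example, not code from the original post: a first-match model of the
FORWARD chain above, so the accept/drop decision for a forwarded packet can be
checked (and the rules rendered) before touching a live router. Interface names
are parameters; conntrack state is NEW, ESTABLISHED or RELATED."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT, DROP, or LOG (non-terminating)
    in_iface: Optional[str] = None       # -i; None matches any interface
    out_iface: Optional[str] = None      # -o; None matches any interface
    states: frozenset = frozenset()      # --state set; empty matches any state

    def matches(self, in_iface: str, out_iface: str, state: str) -> bool:
        return (self.in_iface in (None, in_iface)
                and self.out_iface in (None, out_iface)
                and (not self.states or state in self.states))

    def as_iptables(self) -> str:
        """Render the rule as the `iptables -A FORWARD ...` command it models."""
        parts = ["iptables", "-A", "FORWARD"]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.out_iface:
            parts += ["-o", self.out_iface]
        if self.states:
            parts += ["-m", "state", "--state", ",".join(sorted(self.states))]
        return " ".join(parts + ["-j", self.target])


def forward_chain(egress: str, internal: str) -> list:
    """The FORWARD chain from the post, in the order the rules are appended."""
    return [
        Rule("ACCEPT", in_iface=egress, out_iface=internal,
             states=frozenset({"ESTABLISHED", "RELATED"})),   # replies coming back
        Rule("ACCEPT", in_iface=internal, out_iface=egress),   # tunnel -> Internet
        Rule("LOG"),                                           # anything else: log...
        Rule("DROP"),                                          # ...then drop it
    ]


def evaluate(chain: list, in_iface: str, out_iface: str, state: str) -> tuple:
    """Walk the chain first-match. Returns (verdict, logged)."""
    logged = False
    for rule in chain:
        if not rule.matches(in_iface, out_iface, state):
            continue
        if rule.target == "LOG":
            logged = True              # LOG never ends the walk
            continue
        return rule.target, logged
    return "POLICY", logged            # fell off the end: the chain policy decides


if __name__ == "__main__":
    chain = forward_chain("eth0", "tun0")
    for rule in chain:
        print(rule.as_iptables())
    for pkt in [("tun0", "eth0", "NEW"), ("eth0", "tun0", "ESTABLISHED"),
                ("eth0", "tun0", "NEW")]:
        print(pkt, "->", evaluate(chain, *pkt))
```

The model makes two things explicit: a NEW connection arriving on the egress interface for the tunnel side is logged and dropped (only replies to connections the tunnel side opened get through), and the LOG rule fires for every packet the chain is about to drop, so on a busy egress point it is worth rate-limiting it with the `limit` match to keep the log readable.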

# OpenVPN Server Configuration

Now, the OpenVPN server needs to be told what routes should be directed into the tun adapter.  As an example, we’ll use whatismyip.com.  In /etc/config/openvpn, add the following;

list route '141.101.120.14 255.255.255.255'
list route '141.101.120.15 255.255.255.255'

When OpenVPN is restarted, it will automatically put the correct entries in your router’s routing table to direct traffic to those IPs out your tun adapter.  However, that’s not all.

# OpenVPN Client Configuration (on server)

If OpenVPN receives traffic on the tun adapter for those IPs, it doesn’t know which connected client should receive the packets and so it drops them.  You will also need iroutes for those networks in the client configuration directives for that client;

iroute 141.101.120.14 255.255.255.255
iroute 141.101.120.15 255.255.255.255

Right, that’s it.  Restart OpenVPN and connect to it.

# Testing

Try and ping one of the routes you’ve added.  If it works, great!  If not, the first thing to check is that the traffic is actually getting routed.  Examine the router’s routing table with ‘route’ and see if the route is listed.

Assuming it is, on your client end, run the following;

tcpdump -i tun0

When trying to ping, you should see packets land.  If you do, this tells you that packets are hitting your router, being redirected into OpenVPN, OpenVPN is passing them down the tunnel and they’re breaking out at the tun interface on your client.  Check your firewall log on the client and make sure your firewall rules are fine.

If you don’t see the packets landing on the tun interface, check logread on your router.  If there are complaints about packets being dropped, examine /tmp/openvpn.status and make sure that the route is listed in the OpenVPN routing table.
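The route/iroute pairing above is the step that is easiest to get wrong, and the last troubleshooting step (checking that the route appears in the OpenVPN routing table) is where the mismatch shows up.  The following Python check is an added example, not part of the original post: it parses the UCI `list route` lines from an /etc/config/openvpn fragment and the `iroute` lines from each client’s ccd file, then reports routes that would be pushed into the tunnel with no client to deliver them to, plus clients that claim overlapping iroutes.  The config fragments, the 10.50.0.0/24 route and the client names are constructed for the demonstration.

```python
"""Added example, not part of the original post: check that every route the
server pushes into the tunnel (UCI `list route` lines) has a matching `iroute`
in some client's ccd file, and that no two clients claim overlapping iroutes.
The config fragments below are constructed samples; the 10.50.0.0/24 route and
the client names are invented for the demonstration."""
import ipaddress
import re

ROUTE_RE = re.compile(r"^\s*list\s+route\s+'?([\d.]+)\s+([\d.]+)'?\s*$")
IROUTE_RE = re.compile(r"^\s*iroute\s+([\d.]+)\s+([\d.]+)\s*$")


def _networks(regex, text):
    """Parse the 'ip mask' pairs matched by regex into IPv4Network objects."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in map(regex.match, text.splitlines()) if m]


def parse_uci_routes(server_cfg: str) -> list:
    return _networks(ROUTE_RE, server_cfg)


def parse_iroutes(ccd_text: str) -> list:
    return _networks(IROUTE_RE, ccd_text)


def missing_iroutes(server_cfg: str, ccd_texts: dict) -> list:
    """Routes sent into the tunnel that no client iroute covers (OpenVPN drops them).
    ccd_texts maps a client's common name to the contents of its ccd file."""
    covered = [net for text in ccd_texts.values() for net in parse_iroutes(text)]
    return [r for r in parse_uci_routes(server_cfg)
            if not any(r.subnet_of(c) for c in covered)]


def conflicting_iroutes(ccd_texts: dict) -> list:
    """(client, other client, network) where two clients claim overlapping iroutes."""
    claims = [(name, net) for name, text in ccd_texts.items()
              for net in parse_iroutes(text)]
    return [(a, b, na) for i, (a, na) in enumerate(claims)
            for b, nb in claims[i + 1:] if a != b and na.overlaps(nb)]


# Constructed sample inputs (the two whatismyip.com routes come from the post).
SERVER_CFG = """\
config openvpn 'home'
    option dev 'tun0'
    list route '141.101.120.14 255.255.255.255'
    list route '141.101.120.15 255.255.255.255'
    list route '10.50.0.0 255.255.255.0'
"""
CCD_LAPTOP = "iroute 141.101.120.14 255.255.255.255\niroute 141.101.120.15 255.255.255.255\n"

if __name__ == "__main__":
    for net in missing_iroutes(SERVER_CFG, {"laptop": CCD_LAPTOP}):
        print(f"route {net} is pushed into the tunnel but no client has an iroute for it")
    for a, b, net in conflicting_iroutes({"laptop": CCD_LAPTOP}):
        print(f"clients {a} and {b} both claim {net}")
```

Point it at the real files by reading /etc/config/openvpn and each file under the ccd directory into the `ccd_texts` dictionary; a route that appears in the output is exactly the case described above where the packets make it to the tun adapter and then get dropped.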

Anyway, good luck.  I’m sure you can come up with some creative ways of having your routing come out a different egress point than usual 🙂

As discussed in the last post, I adjusted my dial plan to the following;

(000S0|106S0|183[12]x.|1[389]xxxxxxxxS0|13[1-9]xxxS0|0[23478]xxxxxxxxS0|[2-9]xxxxxxxS0|001xxxx.S5|111S0|*xx.)

This dial plan gives me immediate dialing for known phone numbers, and appears to work pretty nicely.  However…  My VOIP provider delivers caller ID numbers in internationalized format (but only for national numbers!), so a call from (0412 345 678) comes through to caller ID as 61412345678.

This means that on my cordless phone, I have to add an entry into the phonebook for that number exactly.  And therefore when I go to dial, I’m dialing a number that starts with 6 with no international number prefix (0011).  Therefore, what actually happens is the dial plan component [2-9]xxxxxxxS0 triggers, and dials 61412345, discarding the last three numbers.  Whoops.

What I need is an adjustment to my dial plan so that I can dial eleven-digit stupid numbers that start with 61, having them automatically translated to start with 0, while still allowing me to dial 8-digit numbers that start with 6, WITHOUT introducing an annoying delay in the dial plan.

(000S0|106S0|183[12]x.|1[389]xxxxxxxxS0|13[1-9]xxxS0|<61:0>[23478]xxxxxxxxS0|0[23478]xxxxxxxxS0|[2-9]xxxxxxxS1|001xxxx.S5|111S0|*xx.)

The relevant pieces are <61:0>[23478]xxxxxxxxS0 and [2-9]xxxxxxxS1.  If you enter an eight digit number starting with 6 (in this example), it matches [2-9]xxxxxxxS1, which gives you one second to type additional digits before dialing.  If you dial additional digits, <61:0>[23478]xxxxxxxxS0 is triggered instead.  That section takes a number which starts with 61, replaces the 61 with 0 and dials.

So, if I dial 61412345 and stop typing, the sequence of events is;

• Second dial plan is matched, set interdigit short delay to 1 second
• No more digits received, dial 61412345

And if I dial 61412345678 with no gaps and then stop typing, the sequence is;

• Second dial plan is matched, set interdigit short delay to 1 second
• Translate leading 61 to a 0, dial 0412345678

And the correct thing happens!  The other way around this would be to change all the S0 matches to S1s (so you have a little time to finish dialing before things happen), and then have a catchall ‘xx.’ rule at the end to match anything.  That way an 11 digit dial would fall through to the catchall rule and result in a dial.  But doing that would cause the fallthrough rule to only match after 3 seconds, causing a delay whenever you used the phone book.

## VOIP Analog Telephone Adapters – Dial Plans

Picked myself up a Cisco SPA112 to replace the wonky built-in VOIP capability of my router.  However, I seem to have some unusual behaviour.  Namely, when I take my cordless phone off the hook, I only get about 4 seconds to start entering numbers before the ATA switches over to the “off hook alarm” mode and rejects any further digits.  Unfortunately, the phone’s built-in dialer waits a few seconds before starting to dial, so it’s pretty random whether you can dial or not.

It turns out the problem here was the dial plan!  There are a few timeouts in play here – the off-hook timer (5 seconds), the interdigit long delay (10 seconds) and the interdigit short delay (3 seconds).  My dial plan was causing the interdigit short delay to start counting as soon as the phone was taken off the hook!  Here’s what I used;

(000|106|0[23478]xxxxxxxx|[2-9]xxxxxxx|*xx|111|*9xx|13[1-9]xxx|1[389]00xxxxxx|001xxx.|x.)

What causes the issue here is the “x.” plan.  That translates to “any digit, zero or more times”.  This means that as soon as the phone is taken off the hook, the interdigit short delay is triggered, because the entered digits (none) already match at least one rule in the dial plan.

The solution here is to use a (much) better dial plan, namely;

(000S0|106S0|183[12]x.|1[389]xxxxxxxxS0|13[1-9]xxxS0|0[23478]xxxxxxxxS0|[2-9]xxxxxxxS0|001xxxx.S5|111S0|*xx.)

This plan is fairly complicated, so I’ll break it down piece by piece.  Notably, this plan won’t allow arbitrary number dialing like the first one does; all numbers have to match something in the plan somewhere.

• 000S0, 106S0, 111S0 – Immediately dial these numbers (emergency numbers) as soon as they are entered without waiting for further digits (S0 sets the interdigit short delay to zero)
• 183[12]x. – Dial any number which starts with 1831 or 1832, once no further digits have been entered for the length of the interdigit short delay timer (3 seconds).  Note that the period means “match the preceding token zero or more times”.
• 1[389]xxxxxxxxS0 – Immediately dial a 13, 18, or 19 number once ten digits have been entered
• 13[1-9]xxxS0 – Immediately dial a 13 number once six digits have been reached.  Note that this would conflict with the rule above it, except that all ten-digit 13 numbers are 130 numbers, meaning they don’t match this rule.
• 0[23478]xxxxxxxxS0 – Immediately dial a standard Australian STD number including area code (two digit area code starting with 0, eight digit number)
• [2-9]xxxxxxxS0 – Immediately dial a standard Australian local number with no area code (eight digits)
• 001xxxx.S5 – Dial an international number of five or more digits, resetting the interdigit short delay to 5 seconds for this dial (to give more time to dial long numbers)
• *xx. – Dial a star-code of one or more digits after waiting for the interdigit short delay to expire (3 seconds)

The immediate dials reduce time delay for the dialer (ie, waiting 3 seconds after dialing for something to happen), but they can also conflict if two rules match a possible number.

For example, if you tried to dial 1301234567 with that plan (which is a theoretically valid ten-digit 13 number), you’ll find that you will actually dial 130123 and the rest of your digits will be discarded.  This isn’t a problem here because 130 is never used for ten-digit 13 numbers.

You can do an awful lot with dial plan codes, as well as bust things in weird ways.
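The dial plan behaviour described in this post, and the 61412345 truncation and <61:0> fix from the follow-up post above, can be replayed without a phone in hand.  The following Python model is an added example, not code from the original posts or from Cisco; it implements the subset of the SPA dial-plan syntax the posts use (x, [..], ., <a:b> and S<n>) and the timer rules as the posts describe them: a complete match with S0 dials immediately, any other complete match waits its S value (default: the 3 second short timer), partial matches only wait the 10 second long timer, and a digit string that matches nothing is rejected.  Those timer rules, the default timer values and the PLAN_* constant names are assumptions; the plan strings themselves are the ones quoted above.

```python
"""Added example, not code from the original posts: a model of SPA dial-plan
matching (x, [..], '.', <a:b>, S<n>) to replay the off-hook timer bug, the
61412345 truncation and the <61:0> fix. Timer handling follows the posts and
is a modelling assumption: a complete match with S0 dials at once, another
complete match waits its S value (default 3 s short timer), partial matches
only wait the 10 s long timer, and no match at all is rejected."""
from dataclasses import dataclass, replace
from typing import Optional

DIGITS = frozenset("0123456789")
NONE, PARTIAL, COMPLETE = "none", "partial", "complete"

@dataclass(frozen=True)
class Token:
    chars: frozenset        # characters accepted at this position
    repeat: bool = False    # True after '.', i.e. zero or more repetitions

@dataclass(frozen=True)
class Sequence:
    tokens: tuple
    timer: Optional[int]    # S<n> override in seconds; None = default short timer
    sub_len: int = 0        # dialed digits consumed by <a:b>, replaced by sub_repl
    sub_repl: str = ""

    def translate(self, digits: str) -> str:
        return self.sub_repl + digits[self.sub_len:]

def _parse_class(body: str) -> frozenset:
    chars, i = set(), 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":   # range such as 2-9
            chars.update(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.add(body[i])
            i += 1
    return frozenset(chars)

def parse_sequence(text: str) -> Sequence:
    tokens, timer, sub_len, sub_repl, i = [], None, 0, "", 0
    while i < len(text):
        c = text[i]
        if c == "<":                                   # <dialed:replacement>
            if tokens:
                raise ValueError("substitution is only modelled at sequence start")
            j = text.index(">", i)
            dialed, sub_repl = text[i + 1:j].split(":", 1)
            tokens += [Token(frozenset(d)) for d in dialed]
            sub_len, i = len(dialed), j + 1
        elif c == "[":
            j = text.index("]", i)
            tokens.append(Token(_parse_class(text[i + 1:j])))
            i = j + 1
        elif c == "x":
            tokens.append(Token(DIGITS)); i += 1
        elif c == ".":
            tokens[-1] = replace(tokens[-1], repeat=True); i += 1
        elif c == "S":                                 # interdigit short timer override
            j = i + 1
            while j < len(text) and text[j].isdigit():
                j += 1
            timer, i = int(text[i + 1:j]), j
        elif c in DIGITS or c in "*#":
            tokens.append(Token(frozenset(c))); i += 1
        else:
            raise ValueError(f"unsupported element {c!r} in {text!r}")
    return Sequence(tuple(tokens), timer, sub_len, sub_repl)

def parse_plan(plan: str) -> list:
    plan = plan.strip()
    if plan.startswith("(") and plan.endswith(")"):
        plan = plan[1:-1]
    return [parse_sequence(s.strip()) for s in plan.split("|")]

def _closure(tokens, positions):
    """Add positions reachable by skipping zero-or-more ('.') tokens."""
    out = set()
    for p in positions:
        out.add(p)
        while p < len(tokens) and tokens[p].repeat:
            p += 1
            out.add(p)
    return out

def match_status(seq: Sequence, digits: str) -> str:
    """NFA walk: is `digits` a complete match, a prefix of one, or neither?"""
    tokens, cur = seq.tokens, _closure(seq.tokens, {0})
    for d in digits:
        nxt = set()
        for p in cur:
            if p < len(tokens) and d in tokens[p].chars:
                nxt.update((p, p + 1) if tokens[p].repeat else (p + 1,))
        cur = _closure(tokens, nxt)
        if not cur:
            return NONE
    return COMPLETE if len(tokens) in cur else PARTIAL

def decide(plan: list, digits: str, short_timer=3, long_timer=10) -> tuple:
    """(action, number, seconds) once `digits` have been entered."""
    statuses = [(seq, match_status(seq, digits)) for seq in plan]
    complete = [seq for seq, st in statuses if st == COMPLETE]
    for seq in complete:
        if seq.timer == 0:                 # S0: dial now; later digits are lost
            return "dial", seq.translate(digits), 0
    if complete:                           # dial after the timer unless more digits come
        seq = complete[0]
        return "wait", seq.translate(digits), short_timer if seq.timer is None else seq.timer
    if any(st == PARTIAL for _, st in statuses):
        return "wait", None, long_timer
    return "reject", None, None

# The three plans quoted in the posts above.
PLAN_OFFHOOK_BUG = "(000|106|0[23478]xxxxxxxx|[2-9]xxxxxxx|*xx|111|*9xx|13[1-9]xxx|1[389]00xxxxxx|001xxx.|x.)"
PLAN_FIXED = "(000S0|106S0|183[12]x.|1[389]xxxxxxxxS0|13[1-9]xxxS0|0[23478]xxxxxxxxS0|[2-9]xxxxxxxS0|001xxxx.S5|111S0|*xx.)"
PLAN_FINAL = "(000S0|106S0|183[12]x.|1[389]xxxxxxxxS0|13[1-9]xxxS0|<61:0>[23478]xxxxxxxxS0|0[23478]xxxxxxxxS0|[2-9]xxxxxxxS1|001xxxx.S5|111S0|*xx.)"
```

Running `decide()` over the three plans reproduces the posts’ observations: with the off-hook plan an empty digit string already matches x., so the 3 second short timer starts as soon as the handset is lifted; with the second plan, 61412345 dials immediately and the remaining digits are lost; with the final plan it waits one second, and 61412345678 becomes 0412345678.  The model also goes one step beyond the text: since [1-9] excludes 0, a number beginning 130 never matches 13[1-9]xxxS0 and falls through to the ten-digit rule, whereas a ten-digit number beginning 131 to 139 would be cut short at six digits.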

## GT-i9305T CyanogenMod Nightlies changed to CM 11

Be warned!  As of Christmas Day, the CyanogenMod nightlies for the GT-i9305 series have changed over to CyanogenMod 11.

YOU MUST FOLLOW THESE INSTRUCTIONS FOR THIS TO WORK.

Go hit this thread for info on the packages you’ll need.  You will need, at minimum;

• ClockworkMod 6.0.4.5 (from that thread!)
• cm-11 Nightly Build (from get.cm will do)
• gapps-kk build (from that thread)

Then, in order to make it work, flash things in this order;

• Reboot your phone into recovery mode.  MAKE A BACKUP.
• Flash the ClockworkMod ZIP.  Reboot again.
• Flash the cm-11 build
• Flash the gapps-kk build
• Wipe the cache partition.  Reboot.
• Pray

Good luck!

## VPS Migration Completed

Last night my VPS provider relocated my VPS instance to a new host, which should have better performance, and even better (for me) provides reverse DNS capability.  Everything should be back up, but because I got a new IP address, it may be an hour or so until everyone’s DNS caches update.

## Blog Rename

No change to locations, DNS redirects or anything, but I’ve renamed the blog.  The reason is that it turns out that Zen Coding is also a text editor plugin for writing CSS, created in 2008.  Now, I’ve had the name of this blog since March 2007, so I had the name first…  But eh, whatever.  The relevant names are;

• blog.zencoffee.org – The “authoritative” DNS record going to this blog.
• coding.zencoffee.org – URL redirect going to the above.
• zencoding.blogspot.com – URL redirect going to the above.

Unfortunately the change to WordPress changed the URL format for all my posts, which has gone and busted any links people might have had, but they should get redirected to the homepage.

## WordPress – Thoughts

Well, now I’ve got WordPress set up and running, a few thoughts and comments about it are in order.  So far, it’s pretty good.  Cleaner than Blogger, but it does require more maintenance to run.

On CentOS, installation was very easy.  You can follow this basic guide here (although I used the yum package from EPEL instead of using the tarball).  After installation, go into wp-config.php and edit it.  Add this somewhere;

/** Define method used to update filesystem - direct is forced */
define('FS_METHOD', 'direct');

WordPress checks whether the wp-content directory is writable before determining whether it will be able to upload plugins.  With the yum package, wp-content is not writable by apache, but the wp-content/plugins directory is.  Technically, plugin installation does not require write access to wp-content but does require it to wp-content/plugins, so I guess WordPress has a bug.  Anyway, the above fragment will force WordPress to use the direct method, which will work.

# Blogger Importing

After setup, the first thing I did was to install the Blogger Importer plugin, and go and import all my old Blogger posts.  This worked pretty well, brought in all comments and posts, and linked them up right.  However, it did break some formatting in the posts – particularly with headings and blockquoted code segments.

I also had to spend a fair bit of time retagging and recategorizing all my posts to tidy them up.  Annoyingly, you can’t mass edit a group of posts and remove a category easily, but you can mass edit and add categories and tags.  You can then strip categories off posts with MySQL queries if you’re brave.

I also had to go through my posts and edit several of them to clean up the layout, insert preformatted blocks and headings and such.

Could have been a lot worse.

# Essential Plugins

The collection of plugins I have installed by default are;

• Limit Login Attempts – Helps prevent brute force attacks against your WP logins.  Easy to set up, no real reason not to have it.
• Jetpack by WordPress.com – Adds a vast raft of features to your WP install.  You’ll need to sign up for a WordPress.com account to get all the features, but it’s worth it.
• Google XML Sitemaps – Automatically notifies Google when your blog changes so that search works properly
• Easy Table – Allows really easy table generation in blog posts.
• Akismet – Spam control for comments.

All of the above are very easy to set up, and Jetpack in particular is a must have.

# Cool stuff

With those plugins installed, you can do really cool stuff when posting that wasn’t so easy with Blogger.  Some of those are…

## Maths Formulas with LaTeX

It’s possible to use a special latex tag in order to make text get rendered using LaTeX, the de facto standard for mathematical typesetting.

$latex \displaystyle \sin(x) = \displaystyle\sum_{n=0}^\infty \frac{(-1)^n}{(2n+1)!}\ x^{2n+1} = x - \frac{x^3}{3!} + \frac{x^5}{5!}- \frac{x^7}{7!}\ ... &s=2$

When used somewhere will render as

$\displaystyle \sin(x) = \displaystyle\sum_{n=0}^\infty \frac{(-1)^n}{(2n+1)!}\ x^{2n+1} = x - \frac{x^3}{3!} + \frac{x^5}{5!}- \frac{x^7}{7!}\ ...$

That’s pretty awesome.  Oh yeah, you don’t actually have a space between the \$ and the latex word above, I just had to put it there to stop it being interpreted.

## Easy Tables

With the Easy Table plugin, you can render a table very easily like this;

[ table class="table table-striped"]
Number,Letter
1,A
2,B
3,C
4,D
5,E
6,F
[/table]

And that will then render like this;

| Number | Letter |
|--------|--------|
| 1 | A |
| 2 | B |
| 3 | C |
| 4 | D |
| 5 | E |
| 6 | F |

Awesome.  Drop the space between [ and table, of course, if you want to give it a go yourself.

## Preformatted text blocks

There are a few above.  They Just Work(tm) in WordPress, but in Blogger your experience can be random.

There are various other plugins that can be installed to do nice stuff like syntax highlighting for code and so on.  I’ll check those out later, but the plugins I’ve listed above do most things quite nicely.

All in all, I’m pretty happy with it so far.