Archive for the ‘networking’ Category

SSH tunneling with firefox

January 22, 2010

from a terminal window:

ssh user@<<ssh server>>.com -D 9000

in firefox:

go to Preferences: Advanced: Network: Connection Settings and set a manual SOCKS proxy to localhost, port 9000 (the port given to -D above)

This will pipe all web traffic through a secure ssh tunnel and lets Firefox reach web resources that are only accessible from the ssh server's own network.

Of course you want to disable that firefox setting if you’re not connected to the tunnel.

There is a firefox addon called Quickproxy that allows you to activate/deactivate the proxy settings with a button push:

https://addons.mozilla.org/en-US/firefox/addon/1557/

And sshmenu has a great interface for quickly connecting to remote sites.

http://sshmenu.sourceforge.net/

SSHMenu Screenshot

sudo apt-get install sshmenu sshmenu-gnome

Categories: linux, networking

Using pfsense with remote sip phones

January 20, 2010

pfsense by default only allows one sip registration to be active at a time on a protected LAN. The siproxd extension allows multiple phones to coexist happily, but it is a little confusing to set up. Here is what works the best from my testing:

Firewall: Rules: WAN = none for SIP or RTP

Firewall: NAT: Port Forward = none

Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping

Reboot the pfsense machine

UPDATE: siproxd is not necessary for multiple sip registrations to work! The above should be adequate.

Install the siproxd package from the System:Package Manager page on the pfsense admin page.

Services: siproxd: Settings = Inbound to LAN, Outbound to WAN, Port to 5060. Expedited Forwarding on.

Reboot the pfsense machine

I am including some screenshots to help.

Click on the “e” to edit the rule.

siproxd settings:

Categories: Asterisk, networking, pfsense

How to lock down a Windows 2003 or Windows 2000 Terminal Server

January 9, 2010

Here is the Microsoft KB entry for terminal session security.

Categories: networking, Windows Server

ntop and ipcop 1.4.20

November 23, 2009

Download ntop addon from here:

http://mh-lantech.css-hamburg.de/ipcop/download.php?view.138

transfer it to /root on the ipcop machine, then from an ssh session on ipcop:

cd /usr/lib
ln -s libpcap.so.0.9.7 libpcap.so.0.8.3
cd /root
tar -zxvf ntop_ipcop_1.4.8.tar.gz
cd ntop
./install

From the ipcop gui, refresh the view and choose NTOP from the SERVICES menu. Click the Start button and refresh; a link for the Ntop Webinterface (http) is now shown.

The ln -s is necessary because the libpcap library version changed in ipcop 1.4.18: the ntop package still looks for libpcap.so.0.8.3, so the symlink points that name at the library actually installed.

Categories: ipcop, linux, networking

Ubuntu Server 8.04.3 – freenx setup

November 17, 2009

Sorry for the brevity – it was quickly written to fill a need. I will try and flesh it out later. This is a minimal ubuntu server setup with just enough gui to function with nx client. We use these for remote access terminals on low powered equipment.

Install ubuntu server 8.04.3 from CD

only select openssh-server, use all other defaults

login and note ip address

ifconfig

change ssh port to non-standard port e.g. 8888

sudo nano /etc/ssh/sshd_config

change port 22 to port 8888, save and exit.

sudo reboot

From remote machine login with ssh

ssh <user>@<ip addr> -p 8888

sudo su

apt-get update

apt-get upgrade -y

(let it work for a while)

reboot

log back in after a few minutes

sudo nano /etc/apt/sources.list

add this at the bottom:

deb http://ppa.launchpad.net/freenx-team/ppa/ubuntu hardy main

deb-src http://ppa.launchpad.net/freenx-team/ppa/ubuntu hardy main

save and update key, then reload repositories:

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 2a8e3034d018a4ce

sudo apt-get update

Now actually install freenx:

sudo aptitude install freenx

wait 5-10 minutes for it to finish

sudo /usr/lib/nx/nxsetup --install

You should be ready to connect with NX Client from nomachine

optionally Install a few items you may need later:

sudo apt-get install gnome-terminal firefox tsclient libstdc++5
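The recipe edits sshd_config by hand. As an added example that is not from the original post, this script makes the same Port 22 to Port 8888 change idempotently and checks the result; it takes the config path as an argument so it can be tried on a copy before touching the real file. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: move sshd off port 22 the way
# the recipe does by hand (Port 22 -> Port 8888), but idempotently and with
# a check afterwards. Takes the file path as an argument so it can be tried
# on a copy of /etc/ssh/sshd_config before touching the real one.
#   set_ssh_port FILE PORT      active_ssh_port FILE

# Port from the Port line in FILE (22 when no Port line is set).
active_ssh_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

set_ssh_port() {
    file="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is out of range" >&2; return 1
    fi
    tmp="$file.tmp.$$"
    # Replace the first active Port line (or the commented-out "#Port 22"
    # default), drop any further ones so only one directive remains, and
    # append one if the file had none at all.
    awk -v port="$port" '
        tolower($1) == "port" || tolower($1) == "#port" {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" || return 1
    # cat over the original keeps its owner and mode (a mv would not).
    cat "$tmp" > "$file" && rm -f "$tmp"
    # Verify: exactly one active Port directive, and it is the one asked for.
    [ "$(grep -Eci '^port[[:space:]]' "$file")" -eq 1 ] || return 1
    [ "$(active_ssh_port "$file")" = "$port" ]
}
```

Run `sshd -t` to syntax-check the edited file before `sudo reboot`, and keep the current ssh session open until a login on the new port has succeeded.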

Categories: linux, networking, Software, ubuntu

Active Directory integration in Linux and OSX

August 26, 2009

Likewise has a really impressive free product that lets Linux and OSX users integrate into an Active Directory environment very easily. In fact with linux I think it’s easier than with Windows!

In ubuntu you can install the likewise-open-gui package. For OSX you can download the installer package from the likewise.com website and follow the 10 minute setup guide.

Categories: DIY, linux, networking, OSX, Software, ubuntu

IPCOP traffic shaping for simple, effective qos

August 4, 2009

Using the default traffic shaper works really well for simple qos needs. Set your defined rtp ports (e.g. udp 3000 and 3001) and udp 5060 and udp 4569 as high priority. Add any offending traffic (e.g. gotomeeting at udp 8200) as low or medium. Takes about 5 minutes and works like a charm!

Categories: Asterisk, ipcop, networking, VoIP

SSH Sessions with no password

September 7, 2008

This was adapted from here.

The basic idea is that the public-key cryptosystems ssh uses (RSA and/or DSA) encrypt and decrypt with different keys. The user (client) generates a public/private key pair; the server is given the public key, but only the client knows the private key. When the client connects, it presents its public key. If that key is allowed (it appears in the server's list of authorized public keys), the server picks a random number, encrypts it with that public key and sends it to the client. The encrypted number can only be decrypted with the matching private key, which only the client has. The client decrypts the number and proves to the server that it recovered it; if this checks out, the server grants access with no further questions. As you can see the system is safe, because the client never reveals its private key to anybody, and the private key cannot be inferred from the public one.

What must be done is to generate a public/private key pair, and copy the public part into the appropriate place on the server side.

Step by step instructions:

On the user’s home directory, on the client machine, type

local> ssh-keygen -t dsa -f .ssh/id_dsa

-t selects the key type (the algorithm used)
-f tells where to store the key pair; here the .ssh directory in your home directory is used

You will be asked for a passphrase; leave it blank by just pressing <enter>.
Now go to the .ssh directory and you will find two new files: id_dsa and id_dsa.pub. The latter is the public half. Now copy the public key to the server machine

local> cd .ssh
local> scp id_dsa.pub user@remote:~/.ssh/id_dsa.pub

Of course, this time you will need to enter the password.
Now log into the server machine and go to the .ssh directory on the server side

local> ssh user@remote
remote> cd .ssh

Now add the client's public key to the known public keys on the server

remote> cat id_dsa.pub >> authorized_keys2
remote> chmod 640 authorized_keys2
remote> rm id_dsa.pub

remote> exit

That’s all.
Next time you log into the remote server, no password will be asked!

Combined with the gnome sshmenu applet, this can be a real time saver.
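The server-side steps above (the cat >> authorized_keys2 and chmod lines) as an added script that is not part of the original post: it checks that the line really is a public key, gives .ssh and the key file the permissions sshd's StrictModes requires, and appends the key only if it is not already there. Paths are passed in so it can be run against a scratch directory, and the helper names are mine. Two facts worth knowing today: OpenSSH has refused ssh-dss keys by default since 7.0, so the post's -t dsa would now be -t ed25519, and authorized_keys is the primary file name, with authorized_keys2 still read by default as a second file.

```sh
#!/bin/sh
# Added example, not from the original post. Server-side half of the
# procedure: put a client's public key into authorized_keys so the next
# login is key-based, without duplicate lines and without permissions
# that would make sshd's StrictModes ignore the file.
#   install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE

# One line of the form "<type> <base64> [comment]", for key types current
# OpenSSH accepts (ssh-dss is refused by default since 7.0, so it is left out).
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

install_pubkey() {
    pub="$1"; auth="$2"
    key=$(head -n 1 "$pub")
    if ! valid_pubkey_line "$key"; then
        echo "$pub: first line is not a supported public key" >&2
        return 1
    fi
    dir=$(dirname "$auth")
    # .ssh must not be writable by group/others and the key file should be
    # private; 700/600 satisfy StrictModes and expose nothing to other users.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # -x whole-line, -F literal: re-running the script never adds a duplicate.
    if grep -qxF "$key" "$auth"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
}

# Number of keys authorized in FILE (blank and comment lines excluded).
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}
```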

Categories: linux, networking, Software, ubuntu

trixbox Pro, DNS, and internet outages – what I have learned from my pain

August 29, 2008

With the floods here in Iowa this summer I suddenly had several customers with no internet connections. I expected voip trunks to not work, but several of them also were losing registration on all their phones. I thought I had understood how to set up DNS properly, but I did not quite have it.

Here’s the best formula as I understand it:

Have your gateway use a valid public DNS server.
Have the trixbox Pro server use the gateway as the primary DNS, and a public DNS server as the secondary DNS
Have the phones use the trixbox Pro server as their only DNS.

One thing that drove me about insane was my sandbox server was on a cheap netgear router. I guess cheap routers can’t be counted on to function properly at all without a WAN link. I could unplug the WAN link and within a minute the phones would lose registration, even with everything else set up correctly. Today I put an IPCOP firewall on the sandbox network and everything functions exactly like it should without the WAN link.

A Linksys WRT54G loses registrations at intervals but keeps the trixbox Pro system marginally functional. A Linksys WRT54G with DD-WRT firmware functions properly, though.

A related problem with VERY similar symptoms:
Having a SIP trunk with a FQDN will cause all phones to unregister in the event of an internet outage. Changing to a straight IP address removes that problem. I guess that is an asterisk bug.

freenx

February 20, 2008

freenx is a free implementation of nomachine’s nxserver and client. It is compatible with thinstation and ubuntu linux. It provides a remarkably high speed remote graphical session. Here is a procedure to get freenx server working with Ubuntu gutsy.

Categories: linux, networking, Software, ubuntu