obive.net

Wednesday January 24 2018 @ 4:43 PM

Intro

I wanted to set up remote access to my LAN from outside my home through my pfsense router running on a Zotac CI323 nano. I thought "Hey, this is the most common use case for VPN, it should be easy!".

After hours of fiddling with IPSec and Windows giving vague, useless errors, I decided to give OpenVPN a shot.

I used the pfsense built-in wizard and the addon package openvpn-client-export along with one of the numerous how-to guides.

I set up a route to be pushed from the server:

I turned on float for the clients:

Finally the VPN connected (the tray icon turned green and the log showed no errors), but connecting to devices within the LAN didn't work (although connecting to the router itself worked fine). I thought "At least the hard part, authentication, was out of the way".

Debugging

Fortunately, my neighbor let me use her Wi-Fi to troubleshoot my connection. I had already given up on getting another IP from my ISP, since they required me to convert to a commercial account, and using my mobile phone as a Wi-Fi hotspot was out of the question, since my family is grandfathered into a cheaper unlimited data plan which I could not break out of unless I signed up for my own line at $80 a month. Of course it was fun explaining to the ISP tech support rep how my switch did not have a WAN port and what the difference between a hub and a switch is, and explaining to the mobile phone carrier that 3 Mbps means megabits, not megabytes (and that a megabyte is no longer 1024-based; hello, mebibit).

Wireshark

You can use Wireshark to verify which machines are receiving which packets.

To start, I pinged my main machine from my laptop:

Start Wireshark, select the appropriate interface, start capturing, and add the filter 'icmp' to show only the ping packets.

Here we can see that my Mac was not returning replies. I found this curious: if it received the request, where was the reply? You can verify what the router is receiving by capturing its packets too.

On pfsense you can use the built-in packet capture tool, which is based on tcpdump. Make sure to select the appropriate interface and filter to ICMP packets.

In my case, pfsense confirmed no replies were being sent. As it turns out, if no route exists to a destination, no packet is sent at all. This can be further diagnosed using a traceroute:

MacOS

traceroute -d 10.0.8.2

To view a list of all static routes on a system:

Windows

route print

MacOS

netstat -nr

We can solve this problem by adding a static route:

MacOS

sudo route -n add 10.0.8.0/24 10.0.0.1

But this is unsustainable, as we would need to add this route to every machine on the LAN. Another option is handing out a classless static route over DHCP.

Static routes over DHCP

You can enter a classless static route into the DHCP options in pfsense under the DHCP Server menu, using option number 121.

The classless static routes have a really screwy format, entered as:

prefix length : significant octets of the destination network : gateway

In my case, for 10.0.8.0 with a subnet mask of 255.255.255.0 and a gateway of 10.0.0.1, I get (in decimal) 24:10:0:8:10:0:0:1 (notice the missing trailing 0 from 10.0.8.0: only the octets covered by the /24 prefix are included), which in hex is 18:0A:00:08:0A:00:00:01.

Be careful setting up a classless static route, because Windows will silently refuse to take a DHCP lease if the option isn't perfectly formatted.
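As an added example (not code from the original post), here is a Python encoder and decoder for the option 121 payload described above, which is the RFC 3442 classless static route format. The sample routes are constructed from the values in the post, and the decoder doubles as the strict format check that Windows applies silently when it drops a malformed lease.

```python
import ipaddress

# Added example, not from the original post. Encodes and decodes the DHCP
# option 121 payload (RFC 3442): for each route, one byte of prefix length,
# then only the significant octets of the destination (ceil(prefixlen / 8)
# of them, which is why 10.0.8.0/24 loses its trailing 0), then the 4-octet
# gateway. Sample values below are constructed from the post.


def encode_option_121(routes):
    """routes: iterable of (destination CIDR string, gateway string) -> bytes."""
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        sig = (net.prefixlen + 7) // 8                    # significant destination octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]           # 10.0.8.0/24 -> 10, 0, 8
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_option_121(payload):
    """bytes -> list of (destination CIDR, gateway).

    Raises ValueError on malformed data: an out-of-range prefix length, a
    truncated route, or a destination with host bits set. A payload that
    fails here is one a client may silently reject."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} out of range at offset {i - 1}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError(f"truncated route at offset {i - 1}")
        # Restore the trailing zero octets the wire format drops.
        dest = bytes(payload[i:i + sig]).ljust(4, b"\x00")
        i += sig
        gateway = bytes(payload[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen), strict=True)
        routes.append((str(net), str(ipaddress.IPv4Address(gateway))))
    return routes


def is_valid_option_121(payload):
    """True if the payload decodes cleanly, i.e. is safe to hand to a DHCP server."""
    try:
        decode_option_121(payload)
        return True
    except ValueError:
        return False


def to_pfsense_hex(payload):
    """Colon-separated hex, the form entered into pfsense (18:0A:00:08:0A:00:00:01)."""
    return ":".join(f"{b:02X}" for b in payload)


def to_colon_decimal(payload):
    """Colon-separated decimal, the form the post works out by hand (24:10:0:8:10:0:0:1)."""
    return ":".join(str(b) for b in payload)


if __name__ == "__main__":
    # Constructed from the post: LAN 10.0.8.0/24 reachable via gateway 10.0.0.1.
    lan_route = [("10.0.8.0/24", "10.0.0.1")]
    wire = encode_option_121(lan_route)
    print(to_colon_decimal(wire))          # 24:10:0:8:10:0:0:1
    print(to_pfsense_hex(wire))            # 18:0A:00:08:0A:00:00:01
    print(decode_option_121(wire))         # [('10.0.8.0/24', '10.0.0.1')]
    print(is_valid_option_121(wire[:-1]))  # False: one byte short, Windows would drop it
```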

You can debug this situation by manually renewing the lease; you will get output like this showing invalid data:

To view the static routes a Mac received in the DHCP response:

ipconfig getpacket en1

In my case, my Mac has a static lease, which doesn't get the special bits from pfsense, so I'm sticking with the manually added static route.

Even after all that, my Mac still could not ping my Windows machine connected through the VPN. It turned out Windows Firewall was on! I didn't want to turn off the firewall for the public networks I'd be connecting to the VPN from, so I needed to get Windows to treat the VPN as a 'private' network. This is not an easy task with the Home edition of Windows 10 that came on my laptop. I finally found this exhaustive guide to changing the network location, which had the key PowerShell command (make sure to run it as Administrator):

(For demonstration purposes only; in this example it shows my home Wi-Fi which is already private)

In the end, I was finally able to connect both ways through the VPN.

Monday July 10 2017 @ 8:30 PM

This is the third rewrite of my site, and it has been 15 years since the last rewrite. It has also been many years since I posted, mostly because I post my ramblings on facebook now.

Monday May 9 2011 @ 8:57 PM


Otherwise unmarked; ATT, you almost tricked me!


Almost tricked again!


I would be terribly surprised if the answer was not "pay us more money!"

Tuesday January 25 2011 @ 8:41 PM

It's here!

Tuesday February 23 2010 @ 6:14 PM

Some background: My primary checking account, which I opened 10 years ago in Cleveland Ohio, is with National City bank. National City bank was relatively recently acquired by PNC bank. As I have gone to various universities in Ohio and not yet settled at a new semi-permanent address, I still have all my statements go to my parents house in Cleveland.

Two or so months ago PNC sent all their newly acquired customers a letter in the mail enumerating how fantastic PNC is, how much their new customers are going to love PNC, how smooth and seamless the transition is going to be, and how uniquely fantastic their customer service is.

For the past month or so my local National City branch in Columbus Ohio has had National City banners no-doubt covering up PNC signs where National City signs used to be.

This past weekend, I saw on the local news how they were closing all the National City branches in Columbus and opening on Monday as PNC branches.

I went to deposit a check on Monday February 22nd. Normally I would use the ATM but I decided to go inside to clarify how my account was going to change/has changed. I gave the teller my endorsed check. She asked for my PNC card. I handed her my National City card. She said “this isn’t a PNC card” and I confirmed, “yes, correct” as I recalled the letter they had sent me and imagined what was about to ensue. She asked for my SSN and typed some stuff into her computer and said “your account hasn’t been converted yet and you won’t be able to deposit your check here. You will have to use an ATM.” When I asked why they couldn’t run both National City and PNC software on their computers, the teller’s manager responded “the applications are too large to run more than one on the computer at a time.” Ignoring how much of a complete pile of bullshit that was (dumb terminal emulators don’t use much memory), a “seamless transition” would have them using 2 computers, one for converted accounts and one for unconverted. I was then informed that accounts from northern Ohio have not yet been transferred to PNC and that they won’t transfer for another two months.

This situation is both foreseeable and expected. The Ohio State University draws students from all over Ohio, including northern Ohio and many of those students no doubt have National City accounts. Not to mention simple data-mining would have easily exposed that the address I have statements to is two hours away from the ATM where I deposit all my checks. Considering the letter PNC sent regarding the seamless transition, PNC’s sham is quite transparent.

Before I left the branch, I asked for a customer service number to report my issues to. The representative I spoke with gave me more excuses, was completely uninterested in my problems, refused to report my problems, and ended the call by essentially saying ‘since I can’t help you, I’m going to end this call’. Again, considering the letter PNC sent regarding their extraordinary customer service, PNC is quite obviously full of crap.

At this point I was considering switching banks. I headed across the street to Chase. In the past I had regularly received cash incentive offers from Chase to open a checking account. I asked the woman helping me if I could take advantage of a similar offer without having the actual junk mail with the offer on it, and she said I would have to have the letter.

Apparently Chase doesn’t offer a free checking account. Their cheapest account has a six dollar a month fee. She insisted that their great debit card offering and fantastic free savings account would make up for the fee. The savings account had a remarkably low 0.05 APY, which is a slap in the face. The debit card itself had an annual fee of 25 dollars, and the rewards associated with it were in ‘points’. Realizing the points were just a trick to confuse potential customers, I confronted her about it. She claimed that everyone she has ever spoken with has had no trouble fully understanding how the points work. The card gives 10 + (1.1 * dollars) per purchase back in points. Of course it isn’t explained so eloquently on their marketing material.

I asked her what the point-to-cash conversion rate was. Her response was that there was no conversion rate. I asked her if one could redeem points for cash and she said one could. I again asked her what the conversion rate was. She reiterated that there is no rate. I asked her how much cash one would receive if one decided to redeem one’s points for cash. She explained that would depend on how many points one had. Well no shit. I called her out on it and asked her to just explain how it would work with 1000 points. She then said it depends on if one redeems the points for a gift card or cash. At this point I started to lose it. I said obviously we’re talking about the cash redemption here. She then said she doesn’t know what the conversion rate was and that there was no way for her to find out. We, together, couldn’t even figure it out on the redemption website.

After doing some quick mental math by estimating, I told her to get what I have with National City with Chase I would be spending eight dollars a month. She gave me this look like I was exaggerating and was well over what I would actually be paying and then pulled out a calculator and calculated the actual cost per month and in an accusatory tone told me $8.08. Are you kidding me?

I honestly don’t understand how Chase can have a single satisfied customer.

Moving on to the only remaining bank in the area, Huntington. Based on the specifications of the National City account I currently had, and what the Chase representative had told me, I drilled the Huntington representative on their specifics. During this she insinuated that I was nit-picking and purposefully wasting her time. I would not have to be as nit-picky if their offerings weren’t designed to trick and confuse customers in an effort to extort as many hidden fees as they could. To win my business she offered to give me a free half-order of checks. When I asked her how many boxes/books/checks a half-order consisted of, she again claimed I was nit-picking. Excuse me for requiring quantifiable terms.

How absolutely frustrating.

Wednesday January 27 2010 @ 10:34 PM

It was Thomas Jefferson who called for "A wise and frugal Government which shall leave men free to regulate their own pursuits of industry ....and shall not take from the mouth of labor the bread it has earned..." He was right.

Prove it.

The circumstances of our time demand that we reconsider and restore the proper, limited role of government at every level.

Limited government doesn't work. Without regulation, selfish jerks suppress everyone they can.

But most Americans do not want to turn over the best medical care system in the world to the federal government.

Best by what metric? Cost? No. IMR? No. Life expectancy? No. Coverage? No. A direct relationship between wealth and care? Yes!

we welcome your ideas on Facebook and Twitter.

Lawl

We are blessed here in America with vast natural resources, and we must use them all.

What the fuck?

A child's educational opportunity should be determined by her intellect and work ethic, not by her zip code.

You forgot their parents' wealth.

As Senator-elect Scott Brown says, we should be spending taxpayer dollars to defeat terrorists, not to protect them.

That's so un-American I can't even comment.

Here at home government must help foster a society in which all our people can use their God-given talents in liberty to pursue the American Dream. Republicans know that government cannot guarantee individual outcomes, but we strongly believe that it must guarantee equality of opportunity for all.

The first sentence contradicts the second.

Over-regulating employers won't create more employment; overtaxing investors won't foster more investment.

However not regulating or taxing does foster corruption!

The Scriptures say[...]

What some work of fiction says should have nothing to do with our government.

America must always be a land where liberty and property are valued and respected, and innocent human life is protected.

This further contradicts Senator Brown's statement.

Where opportunity is unequal, we must make it open to everyone.

Continued contradiction.

Monday October 5 2009 @ 7:52 PM

Sending DatagramPackets in Java will throw a java.io.IOException: Message too long.

It seems the maximum message size on Windows is (64 KiB - 28 B) = 65508 (I have no idea where that 28 came from) and on MacOSX (at least on 10.5.8 on my MacPro) is 9 KiB (9216 B). These were determined by incrementing the size of the message from 1 until the IOException was thrown. The big surprise is when you develop on a Windows box and run your app on a Mac and the DatagramPackets never arrive.

Monday October 5 2009 @ 7:42 PM

Who would have thought? Use a RandomAccessFile instead! =)

Notice to Sun (Oracle?): It would be cool if this were not only mentioned in the documentation but very clear, as it has potential for data loss, and in my case would have saved me a lot of time.

Thursday August 6 2009 @ 1:12 AM

So GE contracts out their consumer electronics to some other company but still sticks their logo on them. What's cool about this is that it's nearly impossible to find a manual! I have a 'GE' alarm clock and I was looking for the manual. Google was no help. GE's consumer electronics page doesn't list anything about alarm clocks! The bottom of the alarm clock says 'Thomson Multimedia Inc' which google doesn't like either.

GE's consumer phone section links to http://home-electronics.net (god I hate that domain) which sounds promising, and here's where the sleuthing comes in. If you archive.org that URL back to 2003ish you get a really well written language selection drop down which archive.org doesn't like. Dicking around with the URL and archive.org you can eventually get to an English page where you can follow links to alarm clocks and then GET THE PDF!

GE 7-4853c Manual

Thanks for making things so easy for your customers GE!

The combination of features that makes this alarm clock better than all others is:

  • Dual alarm
  • Custom timed Nap mode
  • Custom snooze time
  • Big dim (in the dark) light sensitive display
  • Easy alarm and clock set via switch instead of holding buttons
  • Set time via back and forward (gets really fast if you hold it down long) instead of lame minute/hour buttons
What it's missing:
  • Custom alarm duration

Monday July 20 2009 @ 11:25 PM


If it smells good, stick it in your ear!

Wednesday February 25 2009 @ 7:55 PM

From: Charlie Hayes
Sent: Tuesday, February 24, 2009 7:59 PM
To: admin@wixaware.com
Subject: False statements on your web site

Your website has "Windows Installer - free WiX authoring tool, free MSI
creation software" printed at the top; However, all the tools your company
publishes are not free.

Anyone looking for a free WiX authoring tool or a free MSI creation tool
will NOT find them on your website. The only function this text serves is to
clutter the result pages of search engines with garbage results. I realize
that maybe you have succeeded in tricking a few people into reading all
about your products before figuring out they aren't free, with a remote
possibly that it lead to a sale.

In fact, searching for "free msi creation software" or "free wix tool"
doesn't even have your site ranked highly if not even on the first page.

You may have cluttered my search results.
You didn't help search ranking.
You didn't trick me.
You made no sale.
You created resentment.

Please consider revising your website for the good of the internet.

Regards,
Charlie


From: "Sinan Karaca"
Date: February 24, 2009 9:28:53 PM EST
To: Charlie Hayes
Subject: RE: False statements on your web site

Well, it's free to try. And go and take your resentment and shove it up your ass, you jack ass.

Sincerely,
Sinan

Monday February 16 2009 @ 1:34 AM

I don't think College Inn understands what Fat Free means:


(mouseover for nutrition facts and ingredients)

SPOILER ALERT: The fat free one (the one on the right) has chicken fat in the ingredients!

Tuesday November 11 2008 @ 1:35 AM

The marketing department over at Sleep Innovations went a little over the top on marketing for their pillow box. If we took their marketing material as fact, here is some information about the pillow:

  • Pillow is made for bed sleep. Will not work for any other type of sleep.
  • This will work for any sleeper, counter to the previous statement. Even Elephants.
  • This pillow is made of ejected black-hole core material. It is of the highest density.
  • You would be unable to find a pillow with better support. This pillow has better support than a custom made pillow.
  • It would be impossible to find a pillow that provided more comfort. This pillow provides maximum comfort.
  • This pillow's style is of maximum quantities. Not a single designer could design a pillow with better style. This pillow is of such high style that every single human being would agree, this is the best looking pillow.
  • Due to the ultimate nature of this pillow's support, comfort, and style, it will allow you to achieve the ultimate sleep experience. For you, this experience might be the most horrific nightmare, however this experience would remain unsurpassed.
  • This pillow was custom shaped for you. This personalized shape just so happens to not only be the best for you, but for every other sleeper in the universe.
  • The support provided by this pillow is therapeutic in nature. It will cure any disease.
  • The cover this pillow has been wrapped in adds a squishy grace that no other pillow can provide.
  • People within the United States have received deep pleasure when they exercised skill when making this pillow. However the Premium Cover was slave-labor produced in China.
  • The company responsible for designing and manufacturing this pillow has come up with new and original designs related to sleep. The other 106 billion [citation] had not yet thought of these designs.

Bullshit highlighted in pink!

Wednesday October 22 2008 @ 10:15 PM

I got this cheap silverware from Wal-Mart last year. I bought 2 6-packs of spoons, forks, and knives. The packaging for each pack was a single label wrapped tightly around and glued to the utensils.

When I got home from the store I took them apart but the glue was stubborn! I tried GooGone. It helped, but didn’t totally work. I tried soap and water, didn’t help at all. I tried boiling them for an hour, didn’t work. I gave up and thought the glue would wear away as they were used and washed over and over. It didn’t.

I remembered that I bought some Meijer-brand Magic Erasers when they were on clearance. I tried one and… IT WORKED! It was effortless! Before and after shots:


(mouseover for after)

Thursday September 11 2008 @ 8:10 PM

A&W bottles their root beer in a plastic bottle which has been designed to look like a glass bottle... which itself has been designed to look like a wooden barrel! As you can see, their aluminum cans also have the wooden barrel facade.

At White Turkey near Computer Camp, they have a humongous wooden barrel which customers are to believe contains root beer, which you can see in a few of the pictures on their super cool slide show. But, guess what! It doesn't! It contains a relatively tiny root beer syrup bin and I'm guessing a plastic line to their carbonated water supply.

There seems to be a wooden barrel root beer conspiracy! Where can I find root beer that is actually inside a wooden barrel? If the wooden barrel was so important as A&W and RICHardson (White Turkey's root beer supplier) want us to believe, then why not just sell it in REAL wooden barrels? I know! Because the wood doesn't actually matter and it's much cheaper to manufacture non-wooden containers! A&W, quit the crap and slap an A&W logo on a generic plastic bottle!

Tuesday July 29 2008 @ 6:14 PM

Noteworthy things happening in my life since my last update that I can remember:
  1. My car (1997 Maxima) wouldn't shift; took in for repair; would cost $4000 to fix rusted-through core support; Got new 2008 Honda Fit.
  2. Got new computer, Mac Pro, with insurance money from my PowerBook being stolen (jerks).
  3. Had a super fun time at computer camp, as always.
  4. Scuzzy had cancerous bump removed and was diagnosed and treated for Addison's Disease.
  5. Katie and Charlie visited, we had a great time at Zoombezi Bay. If interested, please ask about Pickle Soup.
  6. Had my car smashed by some drunk people; Insurance company considers it a collision: won't pay; Police don't consider it a collision: won't investigate.

Saturday April 19 2008 @ 2:08 AM

http://en.wikipedia.org/wiki/Category:Living_people

Monday April 14 2008 @ 10:29 PM


I count at least 8 cops.
At least two more were on their way =/

Tuesday April 8 2008 @ 11:06 PM


Microsoft enrobes the USB cord of their hardware with "Install the software first" warnings.
It works in 1 second when you plug it into a Mac without installing software first.
After "Found new hardware", "Found new USB device", "Found new HID device", "Found new mouse", "Found new Microsoft IntelliMouse", 5 beeps and 15 seconds later, it works on Windows without software too!

Tuesday April 8 2008 @ 10:50 PM


What's funny is that normal USB cords still fit =/
Keyboard on the left, extension cord where keyboard plugs into on right