Just about four weeks ago I posted about the resurrection of the .ovpn to .apc converter script. In the meantime Alois told me in the comments that while this was nice it didn’t work for current versions of the OpenVPN Access Server and the .ovpn files it creates.
Well, since there’s been nothing much else to do I did some more work on the script and I can now happily say that it now also converts the new .ovpn format to an .apc the Astaro can understand. Unfortunately, there’s a little catch: the OpenVPN Access Server relies on ‘tls-auth’ for client connections and the Astaro neither knows of that concept not provides a method to import the needed key file. So I had to do some creative manipulation to make the Astaro do my bidding to include the necessary config statements. In addition, you will need to manually copy the key file to the Astaro to make everything work as expected. To make things as easy as possible, the script will tell you what to do.
If you’re interested, check out the latest version of ovpn-to-apc.sh on Gitorious. If it works for you, let me know. If it doesn’t, let me know, too.
The Astaro Security Gateway (ASG) is a great firewall and remote access solution. The only flaw of it being that Astaro, too, tries to build a walled garden around their suite of products. One major drawback here is that while the ASG has outstanding capabilities as a remote access server, there’s no easy way to use it as a client to connect to an OpenVPN SSL server. The main show stopper is that the ASG expects to get all it’s connection information from a .apc file while OpenVPN at best provides a .ovpn file which has a completely different structure.
Back in 2009 Patrick Schneider provided a simple bash script that would convert .ovpn files together with the needed certificates and key files into a .apc file the ASG could read. Unfortunately the script stopped working with newer ASG releases. Since I needed the functionality for a current project, I resurrected the code, polished and updated it a bit. The result can now be found on Gitorious: the new OVPN-to-APC converter script. Feel free to clone and enhance.
Update: Just pushed a new version to Gitorious that now handles the new .ovpn format provided by the OpenVPN Access Server as well.
After almost tearing my hair out while trying to get those two to fully work together, I found the solution in the end. While most of the things that can be read here and there are right and true, all solutions I found one the web have one problem: After activating nice URLs in Dokuwiki, you won’t be able to use ACLs anymore with Nginx as the web front end.
The solution is quite simple, there’s an additional global rewrite needed:
The reason being that if you rely on “try_files” doing the right thing, it will do what you want for normal pages. But it will trigger a 302 redirect for admin pages, thereby losing all the POST data that should have been sent. Using the rewrite will keep the POST data and thus make the ACLs editing work again, even with pretty URLs.
This has been a very hectic couple of weeks. Not only the beta testing for the (now not so) new Netgear ReadyNAS boxes with ARM architecture: the Duo v2 and the NV+ v2. But also building add-ons for the new interface. Currently available are:
Especially the new web interface was a major obstacle there for in some situations it behaves quite different than the old and trusty Frontview. But now that I’ve got the hang of it I’m quite confident that more stuff is going to follow soon. And of course updates to the ReadyNAS Sparc stuff that has been put on hold for doing the ARM thing ;) Since I’ve just upgraded this site to WordPress 3.3, I might do an add-on for that as well – we’ll see.
For now it’s relaxing time – at least until the end of the week.
It’s not really news that PHP in it’s CGI or FPM flavor has slight to modest problems getting it’s environment right when using Apache as the front end web server, especially the $_SERVER[‘SCRIPT_NAME’] variable many scripts rely on to determine their true location on the hard drive. This erratic behavior is heavily documented in bug reports 51983 and 55208. As is common practice for the PHP-FPM team, their approach is to sit still and wait until this bug goes away on it’s own. This approach, proven to work for many politicians, may however not work for those folks, that need a solution to the problem at hand. A quite simple solution that unfortunately requires to recompile PHP is the following brute force patch for PHP 5.3.8:
Yep its great and now they can move on to a decent Google+ app for iPad.
[ More ]
Sehr geehrter Herr Xxxxxx,
sind Sie der Michael Xxxxxx aus der Xxxxxxxxxxstr. 46, in XXXXX Xxxxxxxx-
Wenn ja, ich bin der Allianz-Fachmann von Ihrem Nachbar Gunter Xxxxxxx. Der hat Ihren autositz beschÃ¤digt.
Damit ich den Schaden begleichen kann, benÃ¶tige ich Ihre Bankverbindung.
Mit freundlichen GrÃ¼ÃŸen
Allianz Agentur Xxxxxx-Xxxxxxx
Wozu einen Brief schreiben, wenn man doch Ã¼ber Facebook wahllos (die falschen) Leute anschreiben kann?
Can’t believe I missed that.
I especially like the part about “those who stay silent”.
Today an interesting request came up in the ReadyNAS forums: Would it be possible to build an add-on that could send Wake-on-LAN (WoL) packets to any host on your local network? You bet it is ;) Took me a bit time to fiddle in the password protection but here you go:
After installation you can wake any machine on your LAN by requesting a special URL from your ReadyNAS. And once you’ve properly configured your router, you can even wake up machines while you’re on the road.
Gerade eben hat die neue Skype for Mac (beta) einen neuen Rekord in der Kategorie “kÃ¼rzeste Verweildauer auf meinem Mac” aufgestellt. Installieren, Starten, Gruseln, Runterschmeissen – das war alles in weniger als 60 Sekunden durch. Die neue “Schaltzentrale” ist fÃ¼r mich total unbrauchbar.
Es interessiert mich nicht, wann ich zuletzt mit wem aus meiner Kontaktliste gechattet habe – was Ã¼brigens neben “ich schick’ mal schnell die Datei” meine Hauptanwendung von Skype ist -, aber ich muss alle meine wichtigen Kontakte im Schnellzugriff haben. Naja. Die alte 220.127.116.113 wird ja hoffentlich noch ‘ne Weile funktionieren.
P.S.: Ich bin da nicht allein
Es hÃ¤tte nur nicht grad diese sein mÃ¼ssen. Wie auch immer, Mail geht wieder.
Ever since some upgrade of my Ubuntu workstation it would took forever (10-15 seconds) to login to remote hosts using ssh. The solution is quite easy. Edit /etc/ssh/ssh_config and make sure you have set the following options:
Since I made these changes ssh logins again work in no time.
The Firefox add-on China Channel offers internet user outside China to surf the web as if they were in China. Take an unforgetable virtual trip to China and experience the technical expertise of the Chinese Ministry of Information Industry (supported by western companies).
Or watch the video first.