Archive for August, 2010

Back to My Mac and an OpenBSD firewall

Friday, August 27th, 2010

As I recently wrote, I’ve been playing with the Back to My Mac feature of MobileMe on my Macs. Put simply, it’s a VPN for your Macs: you can access one remotely from another as if they were on the same LAN, whether at home or at work.

Assuming you’ve entered all of your MobileMe account details, it should just be a case of going to the Back to My Mac tab in the MobileMe preferences and starting it up on each Mac you own.

However, with the first Mac I tried this on I hit this problem:

Back to My Mac Warning Screenshot

The router that OS X is complaining about in this case is a Soekris net4501 running OpenBSD (well, to be pedantic, there are actually two of them in a failover configuration). OpenBSD doesn’t support NAT-PMP or UPnP out of the box, so I had a look for some additional software I could run that might support either protocol.

I came across MiniUPnPd, which claimed to support both protocols and run on OpenBSD, so I grabbed the source and compiled it up to try it. At the time I was still running OpenBSD 4.6 but was planning to upgrade to 4.7 soon, and I noted that there were reports of MiniUPnPd not working properly on 4.7.

After configuring it and starting it up, it didn’t seem to work properly. After eliminating any obvious reasons, the Macs still didn’t think that the router supported either NAT-PMP or UPnP, and my Sony Playstation 3, which supports UPnP only, claimed UPnP was unavailable when I ran a network diagnostic, although this seems to be a known issue with the Playstation 3. So MiniUPnPd wasn’t looking too useful to me.

Out of curiosity I investigated how complicated the NAT-PMP and UPnP protocols are, as the specifications for both should be publicly available. The first one I looked at was UPnP, as at the time this seemed the better known of the two. UPnP appears to be a fairly bewildering set of standards, even though it seemed the only bit I need to care about is the Internet Gateway Device (IGD) protocol. It also depends heavily on XML, which I loathe the more I have to deal with it.

NAT-PMP, on the other hand, seemed a far simpler protocol; the IETF draft was straightforward by comparison and, as it was authored by Apple themselves, it should be the better supported of the two, at least on my Apple hardware. After a day or two of coding, I have a fully standalone NAT-PMP daemon – natpmpd, which I’m making available under the BSD licence.
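To show how little there is to the protocol, here is an added Python example (my illustration, not natpmpd’s code) that builds a NAT-PMP mapping request and implements the gateway side as the draft (now RFC 6886) lays it out: a version byte, an opcode, and fixed-size fields, with the length, version, opcode and authorisation checks a daemon that opens firewall ports has to make before acting. The allowed-ports policy and the 203.0.113.7 public address are assumptions constructed for the example.

```python
import struct

NATPMP_PORT = 5351                       # UDP, listened on the gateway's LAN side only
OP_PUBLIC_ADDRESS, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_SUCCESS, RESULT_UNSUPPORTED_VERSION = 0, 1
RESULT_NOT_AUTHORIZED, RESULT_UNSUPPORTED_OPCODE = 2, 5
MAP_REQ = struct.Struct("!BBHHHI")       # ver, op, reserved, internal, suggested external, lifetime
MAP_RESP = struct.Struct("!BBHIHHI")     # ver, op|128, result, epoch, internal, external, lifetime
ADDR_RESP = struct.Struct("!BBHI4s")     # ver, 128, result, epoch, public IPv4 address
ERR_RESP = struct.Struct("!BBHI")        # header-only error reply


def build_map_request(opcode, internal_port, suggested_external, lifetime):
    """Client side: ask for internal_port to be mapped for lifetime seconds (0 = delete)."""
    return MAP_REQ.pack(0, opcode, 0, internal_port, suggested_external, lifetime)


def handle_request(data, epoch, public_ip, allowed_ports):
    """Gateway side: validate one datagram and return the reply bytes, or None to drop it.

    allowed_ports is this example's policy (an assumption): the internal ports a LAN host
    may expose. Anything else is refused with NOT_AUTHORIZED instead of opened.
    """
    if len(data) < 2:
        return None                                   # not even a header: drop silently
    version, opcode = data[0], data[1]
    if version != 0:
        return ERR_RESP.pack(0, opcode | 128, RESULT_UNSUPPORTED_VERSION, epoch)
    if opcode == OP_PUBLIC_ADDRESS:
        if len(data) != 2:
            return None                               # wrong length for this opcode
        return ADDR_RESP.pack(0, 128, RESULT_SUCCESS, epoch, public_ip)
    if opcode in (OP_MAP_UDP, OP_MAP_TCP):
        if len(data) != MAP_REQ.size:
            return None
        _, _, _reserved, int_port, ext_port, lifetime = MAP_REQ.unpack(data)
        if int_port == 0 or int_port not in allowed_ports:
            # Refuse using the mapping reply layout, granting no port and no lifetime
            return MAP_RESP.pack(0, opcode | 128, RESULT_NOT_AUTHORIZED, epoch, int_port, 0, 0)
        # Grant the suggested port, or the internal port when the client offered 0
        # (a real daemon also checks the port is free and installs the redirect rule here)
        granted = ext_port or int_port
        return MAP_RESP.pack(0, opcode | 128, RESULT_SUCCESS, epoch, int_port, granted, lifetime)
    return ERR_RESP.pack(0, opcode | 128, RESULT_UNSUPPORTED_OPCODE, epoch)


def parse_map_response(data):
    """Client side: decode a mapping reply into (result, internal, external, lifetime)."""
    _, _, result, _, int_port, ext_port, lifetime = MAP_RESP.unpack(data)
    return result, int_port, ext_port, lifetime
```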

The dedicated page documents the gory details on how to get it set up, but suffice to say once installed and running, I now get the following on each Mac:

Back to My Mac Working Screenshot

To test, I simply disconnected my MacBook Pro from my home network and instead connected through my mobile phone via 3G. The remaining Macs on the home network are still visible in the Finder and Screen and File sharing remain accessible. On my OpenBSD router using tcpdump(8) I can see the encrypted VPN traffic flowing between the remote and local Macs.

Snow Leopard and (uninstalling) Cisco VPN

Saturday, August 14th, 2010

I mentioned reinstalling Shimo when I upgraded to Snow Leopard, and it works really nicely for controlling my Cisco VPN connection, but for that to work you still need to install the official Cisco VPN client.

I also use VMware Fusion and find that both it and the Cisco VPN client have a propensity to step on each other’s toes in the networking department; my hunch is it’s most likely because both create and monitor virtual network interfaces. The usual symptoms are that my virtual machines lose network connectivity or cannot access the VPN, or that I can’t bring the VPN connection up in the first place. Sometimes I can restore order to the VPN by restarting it with the following in the Terminal:

$ sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

Anyway, while I was tethering my Mac to my mobile phone I was fiddling with the Network preferences and noticed Snow Leopard gained native support for Cisco VPN connections:

Cisco VPN Interface Screenshot

This was probably in the release notes, which I didn’t read (well-known male trait), but anyway adding this new interface and configuring it with the right settings got it working first, second, third time once I remembered the correct password. It even feels quicker.

That left me with little need for Shimo or the Cisco VPN client. Uninstalling Shimo was easy: I removed it from my Login Items under Accounts preferences and then dragged it from the Applications folder to the trash.

Uninstalling the Cisco VPN client was harder as that came from an .mpkg file, but then I remembered something about these leaving package receipts somewhere. Sure enough, under /Library/Receipts was a handful of vpnclient-*.pkg files. A bit of a google suggested each contains a .bom file that you can inspect with lsbom(8); I found the following worked in the Terminal:

$ lsbom /Library/Receipts/vpnclient-api.pkg/Contents/Resources/
.	40755	502/0
./Library	40755	502/0
./Library/Frameworks	40755	502/0
./Library/Frameworks/cisco-vpnclient.framework	40755	502/0
./Library/Frameworks/cisco-vpnclient.framework/Headers	40755	502/0
./Library/Frameworks/cisco-vpnclient.framework/Headers/vpnapi.h	100644	502/0	20265	1156317900

Delete any Cisco-specific files (obviously don’t delete things like /Library/Frameworks) and then reboot to make sure there are no stale daemons running or kernel extensions loaded.
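Working out which receipt entries are the package’s own and which are shared OS X directories is the part that bites, so here is an added Python example (not part of the original post) that parses lsbom output into files and links to delete, package directories to delete deepest-first, and shared directories to keep. The listing is constructed from the output above plus a made-up Versions/Current symlink, and the SHARED_DIRS set is an assumption for this example.

```python
import stat

# Constructed lsbom(8)-style listing, modelled on the receipt output above: path, mode
# in octal, uid/gid, then size and CRC32 for files. The Versions/Current symlink is made up.
SAMPLE_BOM = """\
.\t40755\t502/0
./Library\t40755\t502/0
./Library/Frameworks\t40755\t502/0
./Library/Frameworks/cisco-vpnclient.framework\t40755\t502/0
./Library/Frameworks/cisco-vpnclient.framework/Headers\t40755\t502/0
./Library/Frameworks/cisco-vpnclient.framework/Headers/vpnapi.h\t100644\t502/0\t20265\t1156317900
./Library/Frameworks/cisco-vpnclient.framework/Versions\t40755\t502/0
./Library/Frameworks/cisco-vpnclient.framework/Versions/Current\t120755\t502/0\t1\t3512893011
"""

# Directories OS X owns that a receipt lists only because the package put files inside
# them; they must survive the uninstall. Assumption for this example: extend as needed.
SHARED_DIRS = {"/", "/Library", "/Library/Frameworks", "/System/Library/StartupItems"}


def parse_bom(listing):
    """Yield (absolute path, numeric mode) for each line of lsbom output."""
    for line in listing.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        rel, mode = fields[0], int(fields[1], 8)
        yield ("/" + rel[2:] if rel.startswith("./") else "/"), mode


def plan_removal(listing):
    """Sort receipt entries into files/links to delete, package directories to delete
    (deepest first so each is empty when its turn comes) and shared directories to keep."""
    files, dirs, kept = [], [], []
    for path, mode in parse_bom(listing):
        if stat.S_ISDIR(mode):
            (kept if path in SHARED_DIRS else dirs).append(path)
        elif stat.S_ISREG(mode) or stat.S_ISLNK(mode):
            files.append(path)
    dirs.sort(key=lambda p: p.count("/"), reverse=True)
    return files, dirs, kept
```

Review the first two lists by eye before removing anything; the third is exactly what the warning about /Library/Frameworks is protecting.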

Using the built-in VPN support doesn’t seem to cause any conflicts with VMware: I started the VPN while it was running and the virtual machines then had access to hosts on the remote network with no obvious problems. JFW, as they say.

Tethering two Nokia phones under OS X

Thursday, August 5th, 2010

Now that I’m running Snow Leopard, one thing I needed to set up again was 3G access through my phone, for that rare occurrence when my ADSL drops out and I need to raise a support ticket with my ISP (yes, quite) or I’m on the move somewhere.

I currently have a Nokia E71 with T-Mobile as a personal phone, which I think will be my last Series 60 device, but to be fair it does seem to sync up with OS X pretty well. I also carry a Nokia E90 with Vodafone that my work provides for on call; it’s basically a glorified portable SSH terminal. I figured it’s probably advisable to set both phones up, and as I don’t particularly want to carry cables for both phones (Nokia in their infinite wisdom decided to use a normal mini USB plug on the E90 but some proprietary plug on the E71), just using Bluetooth was good enough for me, so off I went.

Now, if you do this the usual way, you open Bluetooth preferences, search for the one phone and follow the Bluetooth Setup Assistant to pair the device and set up dial-up networking if OS X thinks the device supports it. Then you rinse and repeat for your second phone, and here’s where you come unstuck: OS X will overwrite your dial-up networking configuration with whatever you specified the second time around and will also only use the second phone for any dial-up networking. I tried creating a second Bluetooth DUN profile, but you’ll find there’s no obvious way to tie the profile to a particular phone.

So how do you do it?

Assuming you’ve not yet paired either phone, proceed to do so for each, but when you’re prompted to set up the dial-up networking, just continue without entering any details. This will leave the Bluetooth DUN profile in Network preferences blank, but that’s okay as we won’t be using it.

Now here’s the non-obvious bit. Open up Bluetooth preferences and your two phones should be present in the list of devices; select one and from the little cog menu select the Edit Serial Ports… option. My E71 has a serial port configured here already by default, whereas there are none by default for the E90. In either case, add a new serial port with the following settings:

  • Name: This will be something like NokiaE71-Dial-UpNetwork or NokiaE90-Dial-UpNetwork, the default is fine
  • Protocol: Modem
  • Service: Dial-Up Networking
  • Show in Network Preferences

Edit Serial Ports Screenshot

After adding the new port for each phone, OS X should notify you and ask you to configure it. First of all, rename the profile, which will default to the name of the serial port and isn’t terribly user-friendly; I tend to just use the phone model here. Now, I’m terrible at remembering the 3G details, but Ross Barkman’s site is a great resource which lists the settings for many network operators in various countries. For each network I only really need the APN, username and password; for T-Mobile these are:

  • user
  • pass

And for Vodafone, they’re:

  • internet
  • web
  • web

The username and password go into the Account Name and Password fields, then hit Advanced… and make sure the Vendor and Model are Nokia and GPRS (GSM/3G) respectively; this should make the APN field visible, into which you can enter the relevant value.

Now you should be able to hit Connect for either profile and after a few seconds you should be connected, signal permitting.

After working out how to do most of this, I discovered this blog post which walks you through much the same process, with pictures too.