Friday 7 August 2015

OKI B432dn Installation, missing a driver when it's not missing?

Today, whilst on a customer site installing their IT for a new shop, I had the glorious task of installing five OKI B432dn printers. The computers are USFF Dells, half the size of a novel and with no CD/DVD drive. No problem, I thought: I'll stick the installation CD in my laptop, copy the files over to their server and install the printers from there, as Windows apparently had the Universal PCL 6 drivers but still had a problem with the printer drivers.

HAH! My laptop refused to read more than the CD file structure and a few files, across multiple CDs. URGH! I'll have to get that replaced then, though I think the laptop is now out of warranty by a few months, so I may just get a USB CD/DVD drive.

Back on topic ...

I downloaded the drivers from OKI's website and installed them, and according to Windows there was still a problem with them, with a nasty exclamation mark over the printer object. Funnily enough, the printers would still print without any problems! But nobody wants to see an error, even more so one that doesn't actually stop the device from functioning; how will you know when there is actually a problem?

What the freaking hell! I really didn't want to budge any of the staff out of the way to nab one of their PCs with a CD drive to copy the installation media from, so it was back to OKI's website for another look at the driver list, and I saw USBIPP Drivers listed ... hmmm, I wonder what that might be, I said to myself. So I downloaded the 519.5KB file, ran the installer and, lo and behold, the nasty exclamation mark had gone and all was well in the world!

It's these little things that really frustrate me sometimes, but glad it was an easy fix, one that I hope Microsoft / OKI remedy soon. Rant over.

Tuesday 4 August 2015

OpenBSD L2TP/IPSEC VPN (Works with Windows Phone 8.1!)

Now that I've got my OpenBSD router at home, I thought I'd have a crack at making a VPN work.
I chose an L2TP over IPSEC VPN because I was lazy and didn't want the hassle of creating certificates. Also, Windows Phone 8.1 has supported L2TP/IPSEC since Update 2 (GDR2), and as this is the primary device I'll be using my VPN with, it was a sealed deal.

In OpenBSD, to use L2TP/IPSEC you can use the native npppd(8), as I have done. I'm a big fan of using the out-of-the-box features; after all, OpenBSD is built for security from the ground up, so using a 3rd party L2TP/IPSEC port wasn't an option. I literally didn't even give it a thought.

If you're looking for L2TP/IPSEC for Android, see my other post here:
http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn-for-android.html

With NPPPD there are a bunch of files you'll need to configure in order to make it work.
/etc/npppd/npppd.conf
/etc/npppd/npppd-users
/etc/ipsec.conf
/etc/pf.conf
/etc/sysctl.conf
/etc/rc.conf.local

My npppd.conf file looks something like this. Note the reference to the npppd-users file; you can configure multiple VPNs here, with different users in different files. You'll see I'm using tun instead of pppx.

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
        listen on 0.0.0.0
        listen on ::
}

ipcp IPCP {
        pool-address 10.0.0.2-10.0.0.254
        dns-servers 8.8.8.8
}

interface tun0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0


And the list of users in the npppd-users file; add as many users as you require. You can set them a static IP here too; check the npppd-users(5) man page for additional options. The passwords are stored in clear text in this file, so keep it readable by root only:

Username:\
        :password=S3cureP4s5vvordz:


And the ipsec.conf file should look something like this. The first two lines set macros, as you can in pf.conf; this helps as I have a dynamic IP, although I still have some issues when the IP changes and need to reload pf.conf, and possibly also the ipsec.conf rules. Choose a long random string for the key: anyone who has it can complete phase 1 against your router. You may need to change aes to 3des, or something else your device requires; the same applies to modp2048 and hmac-sha1, but bear in mind 3des and modp1024 are the weak end of what isakmpd offers, so only fall back to them if the client really can't do better. Check /var/log/messages after trying to connect your device:

IF_WAN=pppoe0
key="B1gPH4tKEYWITHlotsOfRANDOMstuff"

ike passive esp transport \
        proto udp from $IF_WAN to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "aes" \
        psk $key

If you've got a working OpenBSD router using pf.conf as your firewall, you'll need to modify this too: add tun to your skip statement, extend the NAT rule to give VPN clients LAN and WAN access, and add the last two lines to let the VPN traffic in, otherwise the VPNs wouldn't establish. Note that set skip on tun means pf does no filtering at all on the tunnel interfaces, so VPN clients get the same access as the LAN; if you want to restrict them, filter on tun rather than skipping it:

set skip on { lo, enc, tun }      #Added tun here

match out on $IF_WAN from {$IF_LAN:network, 10.0.0.0/24} nat-to ($IF_WAN:0) \
scrub (no-df max-mss 1440) #Added the network range for the VPN clients

pass quick proto { esp, ah }
pass in proto udp to $IF_WAN:0 port {isakmp, ipsec-nat-t}


You also need to add some sysctl.conf options. net.pipex.enable=1 lets npppd use the pipex(4) in-kernel PPP path; net.inet.ipcomp.enable only matters if your ipsec.conf asks for compression, which the rule above doesn't, so it is harmless but not required here:

net.pipex.enable=1            
net.inet.ipcomp.enable=1  

and in rc.conf.local

isakmpd_flags="-K"
ipsec=YES
npppd_flags=""


Now, once you've configured your VPN, reboot and try to connect your device. On the client you will need to set the username and password from the npppd-users file and the pre-shared key (passphrase) from ipsec.conf. If you have any errors, check the /var/log/messages log file for hints on what's wrong; ipsecctl -sa shows whether the IPsec SAs were negotiated at all, which tells you whether the problem is on the IPsec side or the L2TP/PPP side.
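As an added example (my code, not from the original post or from OpenBSD), here is a small Python linter for the ipsec.conf stanza above. It joins the backslash continuations, expands the macros, pulls out the main/quick transforms and the pre-shared key, and flags the weak fallbacks mentioned above (3des, modp1024, and hmac-md5) and short keys, with a generator for a random PSK to replace a hand-typed one. The WEAK table and the 20-character minimum are my own thresholds, not anything the post or isakmpd defines, and the sample configuration embedded below is the post's stanza reproduced as input.

```python
"""Lint an OpenBSD ipsec.conf 'ike' rule of the kind used for L2TP/IPsec.

Added example, not part of the original post. It understands only the subset
of ipsec.conf(5) syntax the post uses: NAME=value macros, trailing backslash
continuations, '#' comments and 'ike ... psk $key' rules.
"""
import re
import secrets

# Transforms to flag (my own table). The post's choices (aes, hmac-sha1,
# modp2048) pass; the fallbacks it mentions (3des) and older options are reported.
WEAK = {
    "enc": {"des": "single DES is broken",
            "3des": "3DES has a 64-bit block and is slow; use only if the client cannot do aes"},
    "auth": {"hmac-md5": "MD5 is obsolete; use hmac-sha1 or better hmac-sha2-256"},
    "group": {"modp768": "768-bit DH is trivially broken",
              "modp1024": "1024-bit DH (group 2) is below current guidance; prefer modp2048"},
}
MIN_PSK_LEN = 20  # assumption: anything shorter is treated as guessable

CONT_RE = re.compile(r"\\\n")
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$')
PHASES = ("main", "quick")
TRANSFORM_KEYS = ("auth", "enc", "group")


def load_ipsec_conf(text):
    """Return (macros, rules) with continuations joined and $macros expanded.

    Comments are cut at the first '#', so a PSK containing '#' is not supported
    by this example.
    """
    macros, rules = {}, []
    for line in CONT_RE.sub(" ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rules.append(re.sub(r"\$(\w+)",
                            lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return macros, rules


def parse_ike_rule(rule):
    """Extract the phase-1 (main) and phase-2 (quick) transforms and the psk."""
    toks = rule.replace('"', "").split()
    if not toks or toks[0] != "ike":
        raise ValueError("not an ike rule: %r" % rule)
    info = {"main": {}, "quick": {}, "psk": None,
            "mode": "transport" if "transport" in toks else "tunnel",
            "passive": "passive" in toks}
    phase, i = None, 1
    while i < len(toks):
        tok = toks[i]
        if tok in PHASES:
            phase = tok
        elif tok == "psk" and i + 1 < len(toks):
            info["psk"] = toks[i + 1]
            i += 1
        elif phase and tok in TRANSFORM_KEYS and i + 1 < len(toks):
            info[phase][tok] = toks[i + 1]
            i += 1
        i += 1
    return info


def lint_ike_rule(rule):
    """Return (location, value, reason) findings for one ike rule."""
    info, findings = parse_ike_rule(rule), []
    for phase in PHASES:
        for key, val in info[phase].items():
            reason = WEAK.get(key, {}).get(val)
            if reason:
                findings.append((phase + "." + key, val, reason))
    psk = info["psk"]
    if psk is None:
        findings.append(("psk", "missing", "rule has no psk; L2TP/IPsec clients need one"))
    elif len(psk) < MIN_PSK_LEN:  # report the length, never the secret itself
        findings.append(("psk", "%d chars" % len(psk), "pre-shared key is short; use generate_psk()"))
    return findings


def lint(text):
    """Lint every ike rule in an ipsec.conf text."""
    _, rules = load_ipsec_conf(text)
    return [f for r in rules if r.startswith("ike ") for f in lint_ike_rule(r)]


def generate_psk(nbytes=32):
    """Random hex PSK (64 chars by default), safe to paste inside psk "..."."""
    return secrets.token_hex(nbytes)


# The post's ipsec.conf, embedded here as sample input.
SAMPLE_CONF = '''IF_WAN=pppoe0
key="B1gPH4tKEYWITHlotsOfRANDOMstuff"

ike passive esp transport \\
        proto udp from $IF_WAN to any port 1701 \\
        main auth "hmac-sha1" enc "aes" group modp2048 \\
        quick auth "hmac-sha1" enc "aes" \\
        psk $key
'''

if __name__ == "__main__":
    for conf in (SAMPLE_CONF, SAMPLE_CONF.replace('enc "aes"', 'enc "3des"')):
        print(lint(conf) or "no findings")
    print('key="%s"' % generate_psk())
```

Run it against your real /etc/ipsec.conf before rebooting; if a client only negotiates once you drop to 3des, the findings spell out exactly what you gave up, and the generated key can replace the hand-typed one in the key= macro.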

With this configuration I'm able to get 15Mb down and up through the VPN on my Lumia 930. My home FTTP (Fibre To The Premises) connection only has 20Mb upload, so all in it's not too shabby, taking into account that the internet is otherwise in use by my family, and the VPN overhead.

PS: My work, where I tested it for optimal performance, has a 1Gb dedicated fibre line, and I'm connected to a Cisco WAP371 AC wireless router no more than 3 metres away, so that wouldn't slow anything down either.

If you have any issues, just ask and I'll do my best to help, but don't post any configuration files without altering sensitive data, like passwords, usernames and the passphrase.


PS: Thanks go to the guys at the BSD Now podcast for linking to my BSD blog articles :) Keep up the good work guys, I am an occasional listener!