Category: Systems Engineering

Split Tunnel VPN, Part 2

Diagram of the split tunnel VPN configuration that does not require static routing
Updated Split Tunnel Design

Two years ago, I devised a Windows XP split tunneling solution that involved static routing.  That solution had the advantage of being cheap, but also had the disadvantage of scaling poorly with any number of client computers.

Now I have a second solution that eliminates the static routing problems.

While researching new VPN security issues recently, I came across an obscure piece of information about the Windows VPN client.  It is nestled cryptically in this one sentence from a Microsoft whitepaper:

When the Use default gateway on remote network check box is cleared, a default route is not created, however, a route corresponding to the Internet address class of the assigned IP address is created.

Absent any other explanation, that sentence requires some mental gymnastics to understand.  Allow me to help with this.

Continue reading Split Tunnel VPN, Part 2

How to Secure a Windows VPN with PEAP

Authentication Methods page in the RRAS Remote Access Policy Wizard
Setting up PEAP

In light of last month’s announcement by Moxie Marlinspike and David Hulton that they developed a method for decrypting Windows VPN traffic in under 24 hours, it is now important to stop using MS-CHAPv2 as a means of authenticating VPN passwords.

There is a relatively simple fix for this.  Microsoft VPN servers have the ability to authenticate passwords using another protocol called PEAP, also known as PEAP-EAP-MSCHAPv2.  The only reason one might avoid using PEAP in the first place is that the Microsoft documentation is confusing and describes a requirement for Public Key Infrastructure (PKI) deployment.  The PKI as described in Deploying Remote Access VPNs requires anywhere from one to three servers just to issue certificates.  However, it only specifies the PKI requirement for a slightly different protocol called EAP-TLS.

To be clear, PEAP does not require a full-blown PKI or even an internal Certificate Authority.  You can, in fact, use the same certificate that has been, or would be, issued to a web server for SSL encryption.  There is no reason to add a second certificate just for a VPN server.  This also means there is no investment required in PKI if a free certificate issuer is used, such as startssl.com.

Below is a brief tutorial for configuring an existing RRAS installation with PEAP-MS-CHAPv2.

Continue reading How to Secure a Windows VPN with PEAP

Server Monitoring Through DD-WRT

DD-WRT Commands screen with a server monitoring script.
Powerful Little Script

Happy New Year!  I’m kicking off my 2012 blog entries with a fun little hack for Linksys routers.

There are plenty of articles on the web about using DD-WRT to enable router monitoring.  I decided to turn this idea on its head and use my router for server monitoring!  When I realized DD-WRT comes with a sendmail command, I knew this was going to be quick and easy to set up.

This is great for anyone who would like their celly to light up as soon as something goes wrong with an important computer or website.  All of the needed software is already built in to compatible routers, so there is no need to purchase or install a dedicated monitoring system on a separate computer.

By following these easy steps, you can create your own reliable monitoring service.

Continue reading Server Monitoring Through DD-WRT

PERT Chart With Nodes

PERT chart with nodes and a single task
PERT Chart

Visio 2010 is a great tool for designing PERT charts.  Since it lacks some of the shapes needed to easily add and connect nodes with other PERT items, I came up with a few tools to make it easier.

My step-by-step tutorial explains how to create nodes and connections that work seamlessly.  After completing these steps, you will have three new shapes to work with:

PERT Node, PERT Connector, and PERT Task.

Continue reading PERT Chart With Nodes

Windows VPN Keep Alive

Batch file properties window.
Batch Shortcut

I enjoy the one-click facility for connecting to my VPN in Windows XP.  It gets the job done, but I sometimes struggle with the famous dead connection bug.  This is a very common problem in Windows that causes the VPN to become unresponsive after two to five minutes of inactivity, even though the status still says “Connected.”

I created a one-click solution for both connecting and maintaining a VPN.  Setting it up is simple.  It involves just these steps, which I will explain below:

  1. Set the VPN “idle time before hanging up” period to “5 minutes” instead of “never.”  This forces Windows to properly reflect any disconnection.
  2. Create a new batch file, which I have provided below.
  3. Edit the batch file to match the name and address of your connection.
  4. Create a desktop shortcut to the batch file.
  5. Edit the shortcut properties so that the batch automatically runs minimized with a nice icon.

Continue reading Windows VPN Keep Alive

Visio Shapes and Dashed Lines

Navigating the options: More Shapes > Visio Extras > Callouts
Shapes Menus

My Flight Operations professor would like his students to create procedural flow diagrams in Visio 2010 using comment boxes with both solid lines and dashed connectors.  This turns out to be easier said than done because the latest version of Visio has line style “effects” that globally override any dashed connectors.  We can create the comment boxes easily, but how do we get them to automatically show up with specific connector formats?

The answer is to create a custom shape using a connector that is not styled.

My step-by-step instructions will guide you through a procedure to achieve that outcome.  I am providing screen shots as a visual aid, though a corresponding flow chart can be provided as needed.

Continue reading Visio Shapes and Dashed Lines

Windows VPN Requires NTLMv1

LAN Manager authentication level set to Send NTLMv2 response onlyrefuse LM
Solution Screenshot

I’ve stumbled upon a seemingly undocumented authentication error in the Windows VPN system.

Error 691: Access was denied because the username and/or password was invalid on the domain.

This can be caused simply by elevating the VPN server’s LM authentication level to 5, which refuses the NTLM protocol.  According to KB823659 requiring NTLMv2 should not break Windows XP connections unless older systems are involved.  However, this configuration does cause client and server authentication errors.

Continue reading Windows VPN Requires NTLMv1

Installing APCUPSD for Windows

Apcupsd Setup wizard, Choose Components dialog
The Setup Wizard

What’s big and slow and rarely ever useful?  For one thing, the software that comes with every desktop-grade Uninterruptible Power Supply (UPS) made by APC.  This isn’t news.  I know APC would like nothing more than to have me buy a more expensive piece of hardware that I don’t need, just to get the useful software that I do need.

Enter APCUPSD with USB support for Windows.  It’s free.  It’s open source.  It’s probably not supported by APC, but if you’ve ever tried to get tech support for a desktop-grade APC unit that was connected to a server, you already know APC isn’t going to help you with computer problems.  This free piece of software makes my UPS more useful than just a battery with a power switch.  Now I can have my server send a text message to my mobile phone whenever a blackout strikes my area.  I can see live power management statistics from any web browser in the world, including the one on my phone.  I have fewer things to monitor with regard to uptime, and I love it.

Continue reading Installing APCUPSD for Windows

Offline Files and Access Errors

Offline Files Folder
The Offline Files detail view shows limited information about permissions.

Another great Windows XP feature with another great set of problems: Offline Files.  If you have a laptop or unreliable inter-site connectivity, then you know of the necessity of keeping a local copy of your shared files to make them available at all times.  The Offline Files feature automatically keeps track of which files need to be synchronized for you, making that offline experience very slick.

Try to do this in a multi-user environment, however, and it will blow up spectacularly.  The most common symptoms appear when double clicking a document icon in offline mode.  Windows loads the program associated with that type of document, and that program instantly crashes or throws a file error.  This happens any time more than one user tries to use the same file offline on the same computer.

Continue reading Offline Files and Access Errors

Split Tunnel Virtual Private Network

Detailed overview of a split tunnel VPN system.
Split Tunnel VPN is Faster for Multitasking

Anyone who has attempted a Virtual Private Network (VPN) connection in Windows XP has run into this problem:  You want to have access to computers at your home or office, but Windows accomplishes this by routing all of your activity to the home network.  If your work involves transferring files to a server and surfing the Internet, then your Internet activity has to piggyback on the VPN and travel twice within your limited home bandwidth.  This means your slow VPN is even slower when you load a website, and any interruption of the VPN will break all of your connections to FTP sites, IM services, etc.

You may have tried to coerce Windows into routing your traffic to two different gateways, but quickly realized it wasn’t designed to do that.  Adding entries to the local routing table can solve the problem temporarily, but doing so requires administrative privileges and ugly dynamic logic to handle a gateway address that changes every time you connect the VPN.

My solution for this scenario comes in two parts:  1. A static address for the VPN client computer, and 2. A persistent route for the VPN client’s static address.  This is a bit easier said than done, so the following tutorial includes screenshots and details.

Continue reading Split Tunnel Virtual Private Network