Possess Ham, go to Jail!
You read the title right! It appears that the country I was born, raised and live in is slowly starting to go back in time. For a while I thought we were actually progressing. Bahrain appeared to the rest of the world like a friendly and free country, and this freedom has attracted a lot of foreign investment from banking to you name it!
Unfortunately, MPs who have been elected by the people of Bahrain have gone a bit too far in what they want in this country. It first started with the censoring of the Internet (although I’m not sure they were directly involved in the decision…), followed by a proposal to ban alcohol in the national airline (Gulf Air) and now, a ban on pork.
Right, so what is the punishment? I quote “two-month jail terms or fines of BD300, or both, for anyone in Bahrain who imports, sells or simply possesses pork.” (GDN, Feb 19, 2009). Yep, simply possessing pork can get you fined around $800 (oh and the possibility of going to jail!).
As a Muslim, I do not eat pork. But I don’t care whether anyone else eats pork. You see, the difference between people like us and the MPs is that we are adapting to our multicultural society!
I don’t know what other crazy laws they might come up with, while ignoring basic necessities like health, education, unemployment amongst other issues. I just hope we don’t get pushed way back in time…
Bahrain’s Ministry of Information – Option to Unblock Sites But…
Here I am, another blogger protesting the Ministry of Information of Bahrain decision to BLOCK websites. Stuff that they have blocked ranges from pornography (ok some countries around here do that anyways…) to informational sites like AskMen and even NEWSPAPER sites!!… Hell, my web host provider is blocked for some reason (luckily I don’t need to visit their site to make payments or support).
This Internet “filter” that has been deployed is here to protect our little fragile minds; basically we are being treated like kids, the parent being the MoI. Isn’t it the responsibility of parents to watch what their kids do online instead of the government? Seriously, this is so unbelievable that I don’t know what else to say. The silly thing is that you are redirected to http://www.anonymous.com.bh, why? It’s not like we don’t know who’s blocking the sites… Screenshot below:
Anyways, there are ways to bypass the block: proxies, public VPN services, TOR etc… But wait, proxies=blocked, free AND paid VPN services=blocked and TOR=blocked. Right now the only way I can think of to bypass this block is to run your own VPN server and connect through it (I have a guide for this, take a look before my blog gets blocked…).
Recently, there has been a slight improvement to this block system: an option to unblock!! Yes finally, enter some details (some private: your name and email) and I guess they review the site again to check if it should be blocked. But, the big but, the biggest but: IT DOESN’T WORK FFS!! I suggest you keep trying and maybe the server crashes or they fix it: http://www.unblock.gov.bh
That’s it for my rant. Time to access some blocked sites!
How to Install OpenVPN on a Linux OS?
OpenVPN is free software that allows you to set up a VPN (Virtual Private Network) with several uses. Some of the more popular uses of a VPN are to bypass your ISP while surfing the internet (ISPs that block sensitive political content), to access content available only to certain countries (Hulu for videos and Pandora music services are only available to accesses from a US-based IP address) and general encryption of data between your computer and the VPN server.
Before starting it is recommended that you have some general knowledge on Linux (although this tutorial can be simply applied by copy pasting, changing certain stuff though), have a server or VPS (Virtual Private Server) and a test computer that will access the VPN server.
Choosing a server location should be a bit straightforward, if you want to access US content you would obviously need a US based server or VPS. Here is a forum with resources and reviews of several dedicated server and VPS providers.
Note: some VPS providers do not enable the required interfaces to create VPN connections, you should contact them for enabling or choose a provider that has it enabled in their OS selection.
I have a VPN server running successfully on a CentOS 4 server by going through the steps below.
Anyways, let’s get started!
1. Access your server as root in order to install the VPN. Either directly or remotely using something like SSH.
2. You will need some stuff installed before installing OpenVPN (this might be already installed on your server), such as SSL. Enter:
yum update
yum install openssl-devel openssl
3. Download OpenVPN and start the installation process (click here for the download page), these commands help:
wget http://link.to.the.download
tar xzf theopenvpntar.tar.gz
cd directorycreated
./configure
make
make install
4. After completing the initial installation, test if OpenVPN is working using these commands:
service openvpn start
service openvpn stop
5. If you get OK messages when starting and stopping the server then you may continue, otherwise retry the installation.
6. Copy the required directory to /etc/openvpn. The one we need is “easy-rsa”; to locate and copy it:
updatedb
locate easy-rsa
cp -R /the/directory/found/above /etc/openvpn
7. Change to the directory /etc/openvpn:
cd /etc/openvpn
8. Make a directory for the keys that will be issued to the clients and server key:
mkdir /etc/openvpn/keys
9. Edit the OpenVPN keys location to use the directory created above:
nano -w /etc/openvpn/easy-rsa/vars
export KEY_DIR=/etc/openvpn/keys
10. Now we create the certificates, note that the 2nd command will delete everything in the directory set above (/etc/openvpn/keys):
. ./vars (dot space dot!)
./clean-all
./build-ca
Note: keep the values such as country, province etc as default, but the “Common Name” must be something unique!
./build-key-server server
./build-key clienta
./build-key clientb
./build-key clientc
(as many clients you want)
./build-dh (this may take some time)
11. Create the OpenVPN server’s configuration file:
cd /etc/openvpn
touch server.conf
nano -w server.conf
I typically use the following settings in server.conf:
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
ifconfig-pool-persist ifconpool.txt
push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
status server-tcp.log
verb 3
12. Create the log file that shows people currently connected to the server:
touch server-tcp.log
13. Create the reserved IP list:
touch ifconpool.txt
14. Allow your server to forward IP traffic:
nano -w /etc/sysctl.conf
net.ipv4.ip_forward = 1 (add this line somewhere inside sysctl.conf)
15. Reboot your server (on Linux it’s usually shutdown -r now).
16. Download OpenVPN client from the OpenVPN site, and install it.
17. Now for the client configuration, save this as client.ovpn, I typically use:
client
dev tun
proto tcp
remote server.ip.address.here 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
ca ca.crt
cert clienta.crt
key clienta.key
verb 3
18. Testing it all out: get the following certificates from /etc/openvpn/keys to your computer: “ca.crt”, “clienta.crt”, “clienta.csr” and “clienta.key”. Put these inside the OpenVPN config folder (usually C:\Program Files\OpenVPN\config) along with the client.ovpn file you created earlier.
19. Run OpenVPN, right click the little red computer in your system tray and click “Connect”.
20. If all is well you connect! Check if your IP address matches the server’s public address by visiting ShowMyIP. If you’re unable to connect, make sure port 1194 is open on both the server’s and client’s firewalls.
Hope this helps give a quick start to installing OpenVPN, please reply if you need some help or general comments/fixes!
Bits and pieces taken from the official OpenVPN docs at: http://www.openvpn.net/index.php/documentation/howto.html
DNS servers above are the ones offered by OpenDNS.
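An added example, not part of the original guide: a pre-flight check for the server.conf from step 11, to run before starting the service. It flags typographic quotes picked up when the config is pasted from a web page, missing ca/cert/key/dh files, a server key that other users can read, and a missing client-config-dir. The function names, the sample directory and the assumption that relative paths resolve against the config's directory are this example's own.

```shell
#!/bin/sh
# Added example: lint the server.conf from step 11 before starting OpenVPN.
# Assumption: relative paths resolve against the directory holding the config.

lint_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    [ -r "$conf" ] || { echo "unreadable: $conf"; return 2; }
    findings=$(
        # Curly quotes pasted from a web page are multi-byte UTF-8. OpenVPN
        # only honours ASCII quotes, so push "..." directives stop parsing.
        n=$(LC_ALL=C tr -d '\000-\177' < "$conf" | wc -c | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "non-ascii: $n byte(s) in config, retype the quotes as ASCII"
        fi
        # Each ca/cert/key/dh file must exist, and the private key must not
        # be accessible to group or other.
        awk '$1 ~ /^(ca|cert|key|dh)$/ { print $1, $2 }' "$conf" |
        while read -r opt path; do
            case $path in (/*) f=$path ;; (*) f=$dir/$path ;; esac
            if [ ! -f "$f" ]; then
                echo "missing: $opt $path"
            elif [ "$opt" = key ]; then
                perms=$(ls -l "$f" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "loose-perms: $path is accessible beyond its owner"
                fi
            fi
        done
        # client-config-dir must name an existing directory.
        ccd=$(awk '$1 == "client-config-dir" { print $2 }' "$conf")
        if [ -n "$ccd" ] && [ ! -d "$dir/$ccd" ]; then
            echo "missing-dir: client-config-dir $ccd"
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample: the step 11 config as pasted from a browser, a server
# key left world-readable, and no dh file or ccd directory yet.
make_sample() {
    mkdir -p "$1/keys"
    cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
client-config-dir ccd
push “redirect-gateway def1″
EOF
    for f in ca.crt server.crt server.key; do : > "$1/keys/$f"; done
    chmod 644 "$1/keys/server.key"
}

tmp=$(mktemp -d)
make_sample "$tmp"
lint_openvpn_conf "$tmp/server.conf" || echo "fix the findings above first"
rm -rf "$tmp"
```

On a real server, call it as lint_openvpn_conf /etc/openvpn/server.conf; a return status of 0 means none of the four problems were found.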
One Week Remains…
And my exams start. Out of 5 subjects 3 will need some real studying, blah I hate studying.
Oh well nothing much to do this week anyways…
How to Run Windows 7 on VMware Player
With the recent release of Microsoft’s future Windows 7 (codenamed Blackcomb and Vienna) beta, some people might not want to go through the process of formatting a computer or have an extra computer lying around for testing purposes. The easiest solution at the moment is to install Windows 7 inside a virtual machine.
One of the best developers of virtual machines is VMware. In particular, if all you want is a quick and simple way to install (any) operating system, try using VMware Player (which is free!). Unfortunately you cannot create virtual machines directly from inside VMware Player (you would need something paid like VMware Workstation to do that).
Here’s a quick guide to start running Windows 7 (or any OS) using only VMware player and some simple online tools.
- Download the operating system: to download Windows 7, visit the official Microsoft page at http://www.microsoft.com/windows/windows-7/ and look for the “Download the Windows 7 Beta” at the top navigation bar. It’s an iso image of over 2GBs (might take a while depending on your connection). You might need a Windows Live ID account (an activation key is also given).
- Download VMware Player: to get the player visit the VMware Player page. You may be asked to enter some details about yourself before being able to actually download the player.
- Install VMware Player: you might need to restart your computer to complete the installation process.
- Create the virtual machine: remember that VMware Player is unable to create them. There is a pretty nifty site that creates VMs for you called EasyVMX. For starters: use the “Super Simple” VM creator.
- VM settings in “Super Simple” creator that worked for me were: “Virtual Machine Operating System: Windows Vista”, “Memory Size: 1024MB”, “Virtual Machine Disk Size: 10GB” (you need at least 5GB to install Windows 7). Click on “Create Virtual Machine” at the bottom and extract the files somewhere.
- Burn or mount the Windows 7 iso: Either burn the iso to a DVD or mount it using a drive emulator (I like DAEMON Tools). It appears to be much simpler! On the EasyVMX virtual machine creator tick the “Live-CD ISO-Image” box at the bottom and enter the file name of the .iso. It’s easier to keep the iso file inside the extracted directory (otherwise enter the path of the iso). Big thanks to pal for this tip!
- Start the virtual machine: go to those files you extracted. Double click on the file that has the description: “VMware virtual machine configuration”.
- Install Windows 7: this will look like almost any Windows installation, agreements bla bla, etc… Choose to install Windows 7 NOT the upgrade option.
- Let the installation finish: you will be asked to enter the activation key (not required, but you will need to activate it after 30 days if you do not enter it now), location, networking etc…
- Enjoy (or hate) Windows 7!
PS: Microsoft said that something like 2.5 million downloads/keys (or something) will be given out, so get it while you still can!
SEAMEWE North American Link Broken for Middle East…?
It appears that recently (not sure how long) my ISP has been routing North American traffic on AS6453 (Teleglobe/VSNL International/TATA Communications) through Asia instead of using the link to North America.
Here’s what a trace route is looking like at the moment:
6 24 ms 24 ms 34 ms 172.17.2.62
7 42 ms 24 ms 25 ms 172.17.2.45
8 32 ms 30 ms 30 ms if-1-4.core1.RSD-Riyad.as6453.net [66.198.126.69]
9 42 ms 43 ms 43 ms if-5-0.bb1.JSD-Jeddah.as6453.net [195.219.153.249]
10 237 ms 236 ms 238 ms if-14-0.core1.S9R-Singapore.as6453.net [216.6.57.49]
11 236 ms 235 ms 236 ms if-2-0.mcore4.NJY-Newark.as6453.net [216.6.57.18]
12 235 ms 235 ms 236 ms if-6-0.mcore4.NQT-NewYork.as6453.net [216.6.63.42]
13 243 ms 242 ms 243 ms if-1-0.mcore3.MTT-Montreal.as6453.net [216.6.87.22]
14 252 ms 267 ms 317 ms Vlan19.icore1.MTT-Montreal.as6453.net [216.6.114.14]
15 242 ms 242 ms 287 ms te6-2.cl-core04.teleglobe.mtl.iweb.com [206.82.135.30]
16 242 ms 242 ms 242 ms te8-1.v0709.hd-core01.mtl.iweb.com [67.205.127.129]
17 256 ms 243 ms 243 ms iweb.com [209.172.41.185]
SEAMEWE Appears to be Repaired!
It appears that the latest repairs on the SEAMEWE cables have been completed on schedule. I’m not sure for how long, but traffic is at the moment going through it without crazy routing through Asia and the US. Seems like the 5th of January estimate was correct!
At the moment traffic to Europe seems normal (through Teleglobe/VSNL International/TATA Communications) according to this trace route (www.telia.net):
6 24 ms 24 ms 24 ms 172.17.2.70
7 24 ms 24 ms 32 ms 172.17.2.53
8 45 ms 45 ms 46 ms if-2-3.bb1.JSD-Jeddah.as6453.net [195.219.153.105]
9 152 ms 151 ms 150 ms if-9-1.core2.LHX-London.as6453.net [195.219.13.21]
10 155 ms 156 ms 155 ms if-9-3.mcore3.LDN-London.as6453.net [195.219.195.105]
11 155 ms 381 ms 155 ms ldn-b4-link.telia.net [213.248.74.1]
12 151 ms 156 ms 155 ms ldn-bb2-link.telia.net [80.91.251.14]
13 280 ms 281 ms 280 ms hbg-bb2-link.telia.net [80.91.254.218]
14 297 ms 194 ms 295 ms s-bb2-link.telia.net [213.248.64.37]
15 296 ms 191 ms 294 ms s-b1-link.telia.net [80.91.252.69]
16 191 ms 294 ms 191 ms hy-peer1-pos4-0.se.telia.net [213.248.101.141]
17 191 ms 188 ms 297 ms hy-c5-link.se.telia.net [81.228.94.16]
18 197 ms 199 ms 199 ms hdn-r-d2-link.telia.net [81.228.73.183]
19 190 ms 188 ms 189 ms 212.181.192.107
20 195 ms 193 ms 195 ms 192.43.165.12
21 200 ms 198 ms 197 ms 193.44.158.150
22 1164 ms 188 ms 190 ms kontaktamig.telia.se [193.44.158.105]
However traffic to the US is at the moment going through Europe. Something is weird with the trace routes, it seems like it rarely uses AS6453 (Teleglobe/VSNL International/TATA Communications), or at least in 2/3 of the servers. Here are some examples:
No AS6453 after Europe link (www.amazon.com):
6 25 ms 24 ms 24 ms 172.17.2.66
7 25 ms 25 ms 24 ms 172.17.2.53
8 46 ms 46 ms 46 ms if-2-3.bb1.JSD-Jeddah.as6453.net [195.219.153.105]
9 151 ms 151 ms 151 ms if-9-1.core2.LHX-London.as6453.net [195.219.13.21]
10 156 ms 156 ms 156 ms if-9-3.mcore3.LDN-London.as6453.net [195.219.195.105]
11 161 ms 161 ms 161 ms Vlan463.icore1.LDN-London.as6453.net [195.219.195.38]
12 257 ms 212 ms 213 ms xe-10-2-0-edge3.london1.level3.net [4.68.63.105]
13 211 ms 215 ms 217 ms ae-32-56.ebr2.London1.Level3.net [4.68.116.190]
14 211 ms 212 ms 212 ms ae-43-43.ebr1.NewYork1.Level3.net [4.69.137.74]
15 217 ms 216 ms 219 ms ae-3-3.ebr4.Washington1.Level3.net [4.69.132.93]
16 226 ms 215 ms 217 ms ae-94-94.csw4.Washington1.Level3.net [4.69.134.190]
17 208 ms 209 ms 209 ms ae-4-99.edge1.Washington1.Level3.net [4.68.17.208]
Using another provider after Europe link (www.burst.net):
6 24 ms 24 ms 24 ms 172.17.2.58
7 25 ms 24 ms 24 ms 172.17.2.45
8 30 ms 30 ms 31 ms if-1-4.core1.RSD-Riyad.as6453.net [66.198.126.69]
9 153 ms 150 ms 150 ms if-8-2.core1.LDN-London.as6453.net [116.0.78.66]
10 184 ms 212 ms 208 ms if-3-1.mcore3.LDN-London.as6453.net [195.219.195.1]
11 181 ms 181 ms 181 ms if-3-0-0.core1.AD1-Amsterdam.as6453.net [195.219.195.34]
12 189 ms 182 ms 182 ms Vlan1118.icore1.AD1-Amsterdam.as6453.net [80.231.80.86]
13 194 ms 179 ms 180 ms 64.208.27.5
14 243 ms 242 ms 243 ms hostnoc.demarc.gblx.net [64.214.106.38]
15 243 ms 242 ms 242 ms gig1-0.rtr0.sctn.hostnoc.net [64.191.116.250]
16 242 ms 242 ms 243 ms burst.net [66.96.192.201]
Using AS6453 all the way (www.xo.com):
6 24 ms 24 ms 24 ms 172.17.2.66
7 24 ms 24 ms 24 ms 172.17.2.49
8 43 ms 44 ms 42 ms if-3-3.bb1.JSD-Jeddah.as6453.net [195.219.153.41]
9 150 ms 148 ms 149 ms if-9-1.core2.LHX-London.as6453.net [195.219.13.21]
10 153 ms 154 ms 153 ms if-9-3.mcore3.LDN-London.as6453.net [195.219.195.105]
11 156 ms 156 ms 156 ms if-5-0-0.mcore3.L78-London.as6453.net [195.219.195.10]
12 231 ms 232 ms 232 ms if-12-0-0-983.core2.NTO-NewYork.as6453.net [216.6.97.37]
13 233 ms 233 ms 235 ms Vlan475.icore1.NTO-NewYork.as6453.net [216.6.97.90]
14 231 ms 231 ms 232 ms ix-12-43.icore1.NTO-NewYork.as6453.net [216.6.97.54]
15 232 ms 232 ms 232 ms te-3-1-0.rar3.nyc-ny.us.xo.net [65.106.1.18]
16 232 ms 233 ms 232 ms ge7-0-0d0.rar1.nyc-ny.us.xo.net [65.106.1.17]
17 259 ms 259 ms 259 ms p6-0-0.RAR2.Chicago-IL.us.xo.net [65.106.0.29]
18 319 ms 277 ms 277 ms p1-0-0.RAR1.Dallas-TX.us.xo.net [65.106.0.34]
19 279 ms 283 ms 279 ms p0-0-0d0.mar1.dallas-tx.us.xo.net [65.106.4.246]
20 279 ms 279 ms 278 ms ge0-0.clr2.dallas-tx.us.xo.net [207.88.82.26]
21 278 ms 279 ms 280 ms ip65-46-144-196.z144-46-65.customer.algx.net [65.46.144.196]
22 279 ms 279 ms 279 ms txplano-fw01a-eth1.pla.dc.xo.com [205.158.160.201]
At least the European links are up, I guess soon providers will have their BGP back to previous routes and traffic to the US will be direct instead of going through Europe.
Finally it seems like “teh Interwebs r bck 2 norml!!!11!”
FLAG fixed SEAMEWE Still Broken
It seems like the Internet is almost coming back to normal around here in the Middle East. Quick recap, 3 major cables FLAG, SEAMEWE3 and SEAMEWE4 were cut last month (December) causing major disruptions.
One of the obvious effects of such cuts is the high latency you might get in applications such as gaming and VoIP due to rerouting of traffic through other cables that aren’t geographically suitable (Middle East > Asia > US > Europe instead of Middle East > Europe).
I’ve been running some traceroutes to servers that my ISP (Batelco) routes through FLAG and one of the SEAMEWE. The FLAG link seems to be up and running since it goes straight to Europe and US (but it has always been laggy even when it was fully operational), however for some other servers the routing is going through Asia and US.
Here are the results (it starts at the part just before it leaves my ISP’s network):
FLAG Europe (www.leaseweb.com):
6 23 ms 50 ms 25 ms 172.17.2.62
7 25 ms 27 ms 24 ms 172.17.2.41
8 247 ms 248 ms 248 ms 80.77.1.217
9 246 ms 245 ms 272 ms ge-1-0-1.0.cjr02.ldn001.flagtel.com [62.216.129.46]
10 248 ms 252 ms 255 ms so-5-1-0.0.cjr02.ldn004.flagtel.com [62.216.129.150]
11 259 ms 259 ms 259 ms ten4-0.lon.leaseweb.net [195.66.225.56]
12 261 ms 259 ms 274 ms amx.nkf.leaseweb.net [85.17.100.210]
13 * * * Request timed out.
14 260 ms 260 ms 271 ms gi4-2.r2.sbp.leaseweb.net [83.149.127.14]
15 259 ms 252 ms 253 ms www.leaseweb.com [83.149.80.111]
FLAG US (us.voxalot.com):
6 36 ms 26 ms 23 ms 172.17.2.70
7 59 ms 33 ms 25 ms 172.17.2.53
8 260 ms 232 ms 231 ms 62.216.146.97
9 234 ms 242 ms 234 ms so-0-3-2.0.pjr01.nyc005.flagtel.com [62.216.128.50]
10 232 ms 233 ms 263 ms ge-2-0-0.0.cjr02.nyc005.flagtel.com [85.95.25.109]
11 235 ms 245 ms 290 ms nyiix.Peer1.net [198.32.160.65]
12 * * * Request timed out.
13 * * * Request timed out.
14 278 ms 239 ms 237 ms 10ge.ten1-1.wdc-sp2-cor-1.peer1.net [216.187.116.253]
15 * * * Request timed out.
16 238 ms 239 ms 279 ms premium.voxalot.com [64.34.173.199]
Teleglobe/VSNL International/TATA Communications Europe (eu.logon.worldofwarcraft.com):
6 24 ms 23 ms 24 ms 172.17.2.66
7 64 ms 30 ms 25 ms 172.17.2.53
8 45 ms 45 ms 44 ms if-3-3.bb1.JSD-Jeddah.as6453.net [195.219.153.41]
9 144 ms 144 ms 143 ms if-14-0.core1.S9R-Singapore.as6453.net [216.6.57.49]
10 334 ms 334 ms 347 ms if-4-0-0-996.mcore5.LAA-LosAngeles.as6453.net [209.58.33.17]
11 344 ms 356 ms 344 ms if-11-0-0-938.mcore3.LAA-LosAngeles.as6453.net [209.58.85.5]
12 343 ms 342 ms 343 ms Vlan42.icore1.LAA-LosAngeles.as6453.net [216.6.84.114]
13 340 ms 330 ms 337 ms las-bb1-pos2-3-3.telia.net [213.248.94.49]
14 421 ms 421 ms 422 ms ash-bb1-link.telia.net [80.91.252.157]
15 484 ms 487 ms 487 ms prs-bb1-link.telia.net [80.91.252.37]
16 475 ms 475 ms 477 ms prs-b4-link.telia.net [80.91.251.45]
17 486 ms 487 ms 484 ms prs-nant-ks51-link.telia.net [80.91.249.66]
Teleglobe/VSNL International/TATA Communications US (layeredtech.com):
6 43 ms 25 ms 24 ms 172.17.2.58
7 23 ms 24 ms 24 ms 172.17.2.45
8 30 ms 31 ms 31 ms if-1-4.core1.RSD-Riyad.as6453.net [66.198.126.69]
9 141 ms 140 ms 140 ms if-13-1-1.core1.S9R-Singapore.as6453.net [116.0.78.34]
10 351 ms 332 ms 330 ms if-4-0-0-996.mcore5.LAA-LosAngeles.as6453.net [209.58.33.17]
11 341 ms 339 ms 340 ms if-11-0-0-938.mcore3.LAA-LosAngeles.as6453.net [209.58.85.5]
12 326 ms 325 ms 326 ms if-0-0-0-810.mcore4.LAA-LosAngeles.as6453.net [216.6.84.98]
13 * * * Request timed out.
14 359 ms 358 ms 358 ms cr2-pos-0-3-2-0.dallas.savvis.net [204.70.194.54]
15 407 ms 372 ms 373 ms hr1-tengig-12-0-0.dallasda1.savvis.net [204.70.203.58]
16 360 ms 358 ms 359 ms 216.39.79.98
17 * * * Request timed out.
18 372 ms 372 ms 372 ms savvis.www.layeredtech.com [72.232.23.197]
From the results above you can see that Teleglobe/VSNL International/TATA Communications are routing traffic through Singapore and Los Angeles, US to access sites in both Europe and the US. It isn’t so bad if the server is located in the US, but more hops are encountered on its way to Europe. According to a newspaper in Qatar the SEAMEWE cables should be up and running sometime on January 5th.
Crossing my fingers in the meantime, you never know when these cables get cut!
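The reading of the traces above, as an added example that is not part of the original post: a small parser for Windows tracert hop lines that lists the as6453.net sites a path crosses and the largest hop-to-hop increase in round-trip time, which is where the long detour shows up. The sample rows are hops 8 to 14 of the layeredtech.com trace above; the function names and the parsing of site names out of as6453.net hostnames are assumptions of this example.

```shell
#!/bin/sh
# summarize_trace: read Windows tracert hop lines on stdin; print the ordered
# list of as6453.net sites crossed and the largest hop-to-hop RTT increase.
summarize_trace() {
    awk '
    BEGIN { jump = 0 }
    $2 == "*" { next }                    # "Request timed out." rows carry no RTT
    {
        gsub(/</, "")                     # tracert prints sub-millisecond as "<1 ms"
        rtt = $2 + 0                      # best (minimum) of the three probes
        if ($4 + 0 < rtt) rtt = $4 + 0
        if ($6 + 0 < rtt) rtt = $6 + 0
        if ($8 ~ /\.as6453\.net$/) {      # e.g. if-14-0.core1.S9R-Singapore.as6453.net
            n = split($8, label, ".")
            split(label[n - 2], part, "-")   # "S9R-Singapore" -> "Singapore"
            site = part[2]
            if (site != last) { path = path (path == "" ? "" : ">") site; last = site }
        }
        # Remember the hop where the best RTT rose the most over the previous hop.
        if (seen && rtt - prev > jump) { jump = rtt - prev; hop = $1; where = $8 }
        prev = rtt; seen = 1
    }
    END {
        print "path: " path
        print "largest-jump: " jump " ms at hop " hop " (" where ")"
    }'
}

# Sample input: hops 8-14 of the layeredtech.com trace in this post.
sample_trace() {
    cat <<'EOF'
8 30 ms 31 ms 31 ms if-1-4.core1.RSD-Riyad.as6453.net [66.198.126.69]
9 141 ms 140 ms 140 ms if-13-1-1.core1.S9R-Singapore.as6453.net [116.0.78.34]
10 351 ms 332 ms 330 ms if-4-0-0-996.mcore5.LAA-LosAngeles.as6453.net [209.58.33.17]
11 341 ms 339 ms 340 ms if-11-0-0-938.mcore3.LAA-LosAngeles.as6453.net [209.58.85.5]
12 326 ms 325 ms 326 ms if-0-0-0-810.mcore4.LAA-LosAngeles.as6453.net [216.6.84.98]
13 * * * Request timed out.
14 359 ms 358 ms 358 ms cr2-pos-0-3-2-0.dallas.savvis.net [204.70.194.54]
EOF
}

sample_trace | summarize_trace
```

Keeping the output of such a summary from day to day makes a route change like the Singapore detour visible as a changed site list, without reading every hop.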
Happy New Year Mexico!
Happy New Year United States!
