Enabling ACPI shutdown on OpenWRT 14.07 (Barrier Breaker)

I use OpenWRT VMs as micro routers to build private internal networks inside my Linux workstations using KVM and openvswitch. The problem is that when libvirt shuts guests down it sends an ACPI shutdown button press (the physical equivalent of pressing the power button), which OpenWRT ignores.

On previous versions of OpenWRT you needed to install the acpid package, but now you only need to install the kmod-button-hotplug package.

opkg update
opkg install kmod-button-hotplug

My Travel Kit

Every geek has something like this, a travel kit for when you get asked by people “oh you know about computers, can you email this photo from the top of a Spanish mountain?”

It’s nice to be able to say “yes I can”

My basic travel kit consists of

  • Mobile phone charging battery (has 2x USB ports, 1 is a 2A port)
  • TP-Link WR703N running OpenWRT with 64MB RAM / 16GB Flash Mod from slboat (£25 delivered from China)
  • USB serial port that provides power and a serial console for the WR703N
  • USB 3G stick, unlocked, with a PAYG 3 SIM in it for UK usage
  • Short Micro USB cable for other gadgets and the wife’s phone and to charge the battery from a standard USB port
  • Apple Lightning cable for my gadgets, why can’t you use a standard, Apple?
  • Short ethernet cable
  • Bootable 32GB memstick, gives me a few standard Linux options for fixing computers as well as a set of portable apps.

The WR703N is set up to run as an AP and access the internet via 3G dial-up. Because it’s got a serial port on it I can tinker to solve lots of different problems without needing network access.

The OpenWRT install on the WR703N also dials into my OpenVPN hosted on this server. It means I can browse as if I am in the UK from anywhere in the world. It’s amazing how much better hotel wifi is when you can tunnel out of it and run a proper DNS server and web proxy.

The battery will run the AP for 4 days, dropping to 2 days with the 3G dongle plugged in and working, and gives portable data without having to pay a kidney a megabyte to the mobile carriers. The battery gives a couple of iPhone 5S / Nexus 5 charges and about a 2/3 charge on my iPad mini retina.


Smoothwall in a heterogeneous network

Smoothwall is a Linux-based UTM appliance, combining a firewall, web proxy and content filter. I have recently implemented Smoothwall for a customer, and this implementation included Single Sign On (SSO) support for both Mac OS X and Windows. I didn’t find any good documentation on SSO with Smoothwall for both Mac OS X and Windows, so I’ve written up my notes.

Windows has for a long time had SSO support via NTLM, meaning that Windows can (fairly) securely and transparently log in to other systems that are joined to the same Active Directory controller. This is done with a ticket-based challenge/response authentication process built into Active Directory.

Mac OS X has had support for Kerberos SSO via Kerberos tickets to various systems since 10.3, and it has been through a number of revisions and changes over the years. However, it’s not until Mac OS X 10.6.8 that support for Kerberos authentication to web proxies like the guardian filter in Smoothwall was introduced.

This is the final piece in the puzzle for this customer, and now both Apple Macs and Windows desktops “just work”, automatically authenticating with Kerberos tickets.

Kerberos SSO requires slightly more careful configuration than NTLM. The main thing to make sure of is that you are accessing the proxy via its fully qualified name, i.e. proxy.example.com, not just proxy or its IP address.

In this case the customer uses a proxy.pac file, which also needs to contain the proxy server’s full name. Smoothwall includes an option to enable this, but it didn’t seem to work in this case, so I just made my own simple .pac file and uploaded it.

The configuration on the clients was simple: just set the network proxy settings to URL auto-configuration and point it at http://proxy.example.com/proxy.pac
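
A simple .pac file of the kind described above, shown as an added example and not the file used in this deployment. It returns the proxy by its full name and includes a pre-deployment check that no PROXY entry falls back to a short name or an IP address. Port 8080, the internal-domain bypass and the helper names are assumptions.

```javascript
// proxy.pac: added example, not the file from the original post.
// Assumptions: proxy.example.com is the page's placeholder name; port 8080
// and the ".example.com" internal suffix are constructed values.
var PROXY_FQDN = "proxy.example.com"; // full name, required for Kerberos SSO
var PROXY_PORT = 8080;                // assumed; use your proxy's real port
var INTERNAL_DOMAIN = ".example.com"; // assumed internal DNS suffix

// True for dotted-quad IPv4 literals such as 10.0.0.1.
function isIpv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// True when host is a multi-label DNS name (not a short name, not an IP).
function isFqdn(host) {
  return host.indexOf(".") !== -1 && !isIpv4Literal(host) &&
         /^[a-z0-9.-]+$/i.test(host);
}

// Standard PAC entry point. Only plain string operations are used, so the
// file can also be evaluated outside a browser for testing.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Short names and loopback go direct.
  if (host.indexOf(".") === -1 || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Internal hosts (including the proxy serving this file) go direct.
  var tail = host.length - INTERNAL_DOMAIN.length;
  if (tail >= 0 && host.indexOf(INTERNAL_DOMAIN, tail) === tail) {
    return "DIRECT";
  }
  // Everything else goes via the proxy, addressed by its full name so
  // clients can authenticate to it with a Kerberos ticket.
  return "PROXY " + PROXY_FQDN + ":" + PROXY_PORT;
}

// Pre-deployment check: every PROXY entry in a PAC result names an FQDN.
function proxyEntriesUseFqdn(pacResult) {
  var entries = pacResult.split(";");
  for (var i = 0; i < entries.length; i++) {
    var m = /^\s*PROXY\s+([^:\s]+)(:\d+)?\s*$/i.exec(entries[i]);
    if (m && !isFqdn(m[1])) {
      return false;
    }
  }
  return true;
}
```

Browsers only call FindProxyForURL; proxyEntriesUseFqdn is there so the file can be checked before it is uploaded.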