Routing IPv6 traffic through Debian pptpd into Hurricane Electric’s IPv6 tunnel

This is a repost of an answer I made to my own question on SuperUser (the “non-programmer” Stack Overflow) regarding setting up pptpd under Debian to route IPv6.

In the post, I’m also looking into using this under Mac OS X 10.8 Mountain Lion. I fully understand that PPTP is an insecure protocol and have separately also set up OpenVPN. However, I’m looking at this because PPTP is much more ubiquitous than OpenVPN and it’s easier to set up on both the server and the client side: no playing with certificate authorities, no distributing configuration files to clients, etc. (Yes, I’m highly annoyed at the OpenVPN client for iOS not supporting the static key setup. Yes, I understand static key is less secure. No, I’m not dealing with stuff that requires total and complete anonymity or encryption; I just want a VPN to work.)

This post does not deal with routing the segment onward through OS X once you have got it to OS X.

This post only minimally deals with Windows as a client, because it Just Works™, and does not deal with GNU/Linux as a client, because it didn’t “magically” work under Ubuntu when I tried it, and I am not interested enough to figure out why.

Main goal here is documenting what an OS X user who has access to a Debian server with a public IP needs to do in order to get his OS X machine onto public IPv6 Internet without exposing it to public IPv4 Internet.

Client OS

Mac OS X does not particularly like IPv6 over PPP. Use the following after the connection has been set up:

sudo ipconfig set ppp0 AUTOMATIC-V6
sudo route add -inet6 default -interface ppp0

The former seems to make OS X honor router advertisements; the latter adds a default route for IPv6. (Now, if only the certain-fruity-mobile-operating-system version of route provided -inet6, I’d be a happy wooden boy.)

Also take note that OS X will ignore whatever address was supposed to be negotiated over IPv6 and set up only a local address. This may interfere with routing towards OS X.

On the other hand, Windows 8 (of all systems!) has happily picked up the address sent over PPP, took note of the router advertisement, and overall configured itself flawlessly. PPTP really works nice in Windows.

Server

The first thing I missed was that Hurricane Electric’s tunnel broker actually assigns TWO /64 prefixes: one is used only for the tunnel itself (the two endpoint addresses), while the other is a routed /64 intended for additional clients behind your server (such as the PPTP client). And if you need more addresses (or prefixes!), you can also request a /48. (With IPv6, this means there are more bits for ‘your’ use: HE’s part takes ‘only’ 48 bits, which leaves you 16 bits to subnet with before the auto-generated suffix, derived from a MAC address or generated randomly, takes over the last 64 bits. You could theoretically wiggle and subnet even within a single /64, but I’ve seen strange behavior on either Windows 8 or OS X when doing that, so I wouldn’t rely too much on it.)

Don’t configure radvd globally or run it as a system service on Debian.

Instead, let’s follow Konrad Rosenbaum’s example at Silmor.de and have radvd configured and started after pppd creates each PPP interface, so every client gets its own radvd instance advertising only that client’s prefix.

  1. Set up your IPv6 connectivity. I use Hurricane Electric; I’ve configured it as follows in /etc/network/interfaces:
    # hurricane electric tunnel
    # based on: http://www.tunnelbroker.net/forums/index.php?topic=1642.0
    auto he-ipv6
    iface he-ipv6 inet6 v4tunnel
        address 2001:470:UUUU:VVVV::2
        netmask 64
        endpoint  216.66.86.114
        ttl 255
        gateway 2001:470:UUUU:VVVV::1
        ## from http://lightyearsoftware.com/2011/02/configure-debian-as-an-ipv6-router/
        # I did not set up the routing of the /64 nor the /48 prefix here, but
        # this would ordinarily do it.  
        #up ip link set mtu 1280 dev he-ipv6
        #up route -6 add 2001:470:WWWW:VVVV::/64 he-ipv6
    
        # Note that Hurricane Electric provides different /64 IPv6 prefixes
        # for the client (UUUU:VVVV) and routing (WWWW:VVVV). 
        # And the /48 prefix is very different altogether.
    
  2. Install pptpd. (Of course, take note of PPTP’s insecurity as a protocol, and consider using OpenVPN or some other alternative.)

  3. Edit /etc/ppp/pptpd-options
    name pptpd
    refuse-pap
    refuse-chap
    refuse-mschap
    require-mschap-v2
    require-mppe-128
    proxyarp
    nodefaultroute
    lock
    nobsdcomp
    ipv6 ::1,::2
    

    Note the last line is different from the text in my question. You’re assigning some static addresses which may be respected by your client OS or not. (OS X seems to ignore them, but Windows uses them.)

  4. Create users for PPTP. The second column must match the name argument in pptpd-options. Edit /etc/ppp/chap-secrets:
    ivucica pptpd AHyperSecretPasswordInPlainText 10.0.101.2 10.0.101.3 10.0.101.4
    

    You’re supposed to be able to replace the addresses with * instead of listing them manually. I did not try that out.

  5. Assign your PPTP users some IPv6 prefixes. NOTE: this is solely used by the script I’ll list below, which is derived from Konrad’s script.

    Edit /etc/ppp/ipv6-addr:

    ivucica:1234
    littlejohnny:1235
    
  6. Add a new file, /etc/ppp/ipv6-up.d/setupradvd. Debian’s /etc/ppp/ipv6-up runs every executable in that directory (through run-parts) once pppd has brought IPv6 up on the link; pppd passes the interface name in $IFNAME and the authenticated peer name in $PEERNAME:
    #!/bin/bash
    # Look up the user's suffix in /etc/ppp/ipv6-addr (format: user:suffix).
    # Exact match on the first field, so the peer name is not treated as a regex.
    ADDR=$(awk -F: -v u="$PEERNAME" '$1 == u { print $2; exit }' /etc/ppp/ipv6-addr)
    if test -z "$ADDR" ; then
     echo "No IPv6 address found for user $PEERNAME"
     exit 0
    fi
    
    # We'll assign the user a /64 prefix, carved out of the
    # Hurricane Electric-assigned /48 prefix.
    
    # Operating systems seem to expect to be able to choose the
    # last 64 bits of the address themselves (based on the Ethernet
    # MAC address or some other identifier). So try to obtain a /48.
    
    # If you only have a /64 prefix, you can try to assign a /80
    # to each remote user. It works, but I'm only now trying to
    # enable these users to have routing.
    
    USERPREFIX=2001:470:XXXX:$ADDR
    USERPREFIXSIZE=64
    USERPREFIXOURADDRESS=1
    USERPREFIXUSERADDRESS=2
    
    # Add the address for your side of the link to the PPP device.
    ifconfig "$IFNAME" add "$USERPREFIX::$USERPREFIXOURADDRESS/$USERPREFIXSIZE"
    
    # Establish a new route: when a packet is directed toward the
    # user's subnet, send it to the user's address.
    route -6 add "$USERPREFIX::/$USERPREFIXSIZE" gw "$USERPREFIX::$USERPREFIXUSERADDRESS"
    
    # Generate the radvd configuration for this interface.
    RAP=/etc/ppp/ipv6-radvd/$IFNAME
    RA=$RAP.conf
    {
        echo "interface $IFNAME"
        echo "{ AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 100;"
        echo "  prefix $USERPREFIX::/$USERPREFIXSIZE {};"
        # Instead of your own DNS...
        #echo "  RDNSS $USERPREFIX::$USERPREFIXOURADDRESS {}; };"
        # ...try handing out the Google DNS :)
        echo "  RDNSS 2001:4860:4860::8888 {}; };"
    } > "$RA"
    
    # Start a radvd instance bound to this configuration; the PID file
    # lets the ipv6-down script stop it again.
    /usr/sbin/radvd -C "$RA" -p "$RAP.pid"
    
    exit 0
    

    Don’t forget to chmod the script so that run-parts (and thus pppd) will execute it:

    chmod 755 /etc/ppp/ipv6-up.d/setupradvd
    
  7. The script spews radvd configuration into /etc/ppp/ipv6-radvd/… ensure that the folder exists!
    mkdir /etc/ppp/ipv6-radvd
    
  8. Also add /etc/ppp/ipv6-down.d/setupradvd (and make it executable!) — taken verbatim from Konrad:
    #!/bin/bash
    RAP=/etc/ppp/ipv6-radvd/$IFNAME
    kill `cat $RAP.pid` || true
    rm -f $RAP.*
    

    And

    chmod 755 /etc/ppp/ipv6-down.d/setupradvd
    

I have not tested using DHCPv6 to distribute the routing information, addresses or DNS information, especially since router advertisements (with RDNSS for the resolver) should be fulfilling these roles. It also would not help me, because as of Mountain Lion, OS X still does not ship with a DHCPv6 client (perhaps intentionally; nine out of ten IPv6 experts agree that DHCP is evil).

Once again, please note Michael’s comments on PPTP security; consider using OpenVPN in production.

Yes, Konrad Rosenbaum also has a nice tutorial on IPv6 over OpenVPN. :-)

A simple WiX template for games

Over the last few days, I’ve got some comments and emails about my old, old post about WiX in which I promised to release a functional template.

Since that work with WiX was originally done for some games, and in the meantime I began working with OS X most of the time, it took “a while” for me to grab some time and remove company branding, create a sample project, and finally prepare and release the template for my own as well as other people’s use.

You can get the template from its Bitbucket repository. Have fun!

Core Data: Migrating ignores manual mapping model (or fails migration) despite mapping model’s existence

Let’s say you created a somewhat complex migration model. Among other things, let’s say it includes entity migration policies (you know — subclasses of NSEntityMigrationPolicy).

However, Core Data ignores your manual migration model. Why, oh why?

You can try looking into this by clicking on the scheme name in Xcode 4, picking the “Run” sidebar ‘tab’, picking the “Arguments” tab, and adding -com.apple.CoreData.MigrationDebug 1 to the arguments passed on launch. (See tech note TN2124.)

Alright, so now you see what the source persistent store’s version hashes are, and what the expected destination store’s version hashes should be. Then you see how Core Data starts migration by telling you its conclusion about what the hashes are (for the second time). Finally, it starts iterating over your manual mapping models (the .xcmappingmodel bundles).

And then you see that it finds your mapping model, picks up on it, then decides the hashes are wrong and ignores it!

“What the…?” you wonder. You compare hashes, and they are listed in different order, but essentially the same.

I can only conclude this is a bug in Core Data (or in the entity editor in Xcode4).

Luckily it’s easy to remedy! Go to the mapping model, pick another source and destination model version, then restore to the correct source and destination model versions. Definitely do make a git commit prior to making this change so you can compare what happened.

Alternatively, an answer on StackOverflow has a different solution which can be applied in case you know what is the version of the original persistent store. It involves manually setting version hashes on the NSEntityMappings inside the NSMappingModel.

Patching an unrecognized selector into a misbehaving OS X app

Let’s say you have an app that misbehaves. As in, it raises an exception mentioning an unrecognized selector.

Of course, it’s third party and closed-source.

But you are an enterprising young developer and you really want to patch this app.

I will not identify the app that I patched, to avoid any impression that I’m cracking the app. (It’s a popular app and I’ve run into pretty nice anti piracy protection blocking gdb on multiple layers. Since I’m not familiar with cracking and was not even attempting that, I’ve decided that it’s best to simply avoid mentioning the app name.)

Makefile

all: misbehavingappfixer.dylib

misbehavingappfixer.dylib: misbehavingappfixer.o
        gcc \
                -dynamiclib \
                -undefined suppress -flat_namespace \
                misbehavingappfixer.o \
                -framework Cocoa -o misbehavingappfixer.dylib
run:
        DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=`pwd`/misbehavingappfixer.dylib /Applications/Misbehaving\ App.app/Contents/MacOS/Misbehaving\ App

misbehavingappfixer.c

#include <stdio.h>
#include <objc/runtime.h>
#include <CoreFoundation/CoreFoundation.h>

/* Implementation for the missing -[IVFlawedClass name]. CFStringRef is
 * toll-free bridged to NSString, so callers expecting an NSString are fine. */
static CFStringRef nameImp(id self, SEL _cmd)
{
        return CFSTR("IVFlawedClass");
}

/* Runs when dyld loads this library, i.e. before the app's main(). */
void inject_init(void) __attribute__((constructor));
void inject_init(void)
{
        Class _IVFlawedClass = objc_getClass("IVFlawedClass");
        if(!_IVFlawedClass)
        {
                printf("Could not find IVFlawedClass\n");
                return;
        }

        /* Type encoding "@@:": returns an object, takes self and _cmd.
         * class_addMethod returns NO if the class already implements the
         * selector; in that case we leave the existing method alone. */
        SEL nameSel = sel_registerName("name");
        if(!class_addMethod(_IVFlawedClass, nameSel, (IMP)nameImp, "@@:"))
                printf("IVFlawedClass already responds to -name; not replacing it\n");
}

I avoided using Objective-C because I had some issues when I tried going that route. It should work, but I didn’t want to spend any more time on this than I already have.

Now, to use this:

make
make run

This will compile the fix dylib, and then launch the Misbehaving App while first preloading our fix dylib.

For more information, see these:

Note: from comments on Mike Ash’s post, it seems that since I’m not overwriting symbols, I don’t need to (and, more importantly, *should* not) be using flat namespace. That means, I should not be using DYLD_FORCE_FLAT_NAMESPACE and -flat_namespace.

But, it works for me, so what the hell. :)

Movie to animated gif

To get an animated gif from a movie, I do this:

ffmpeg -i themovie.mov themovie-%02d.png
convert -verbose +dither -layers Optimize themovie-*.png GIF:- > themovie.gif

convert comes from ImageMagick and reads the PNG frames ffmpeg wrote. I could/should pass some more stuff to ffmpeg and convert, such as -s to resize and -r to change the FPS of the PNGs, -resize to resize the output gif, and -delay (hundredths of a second per frame) so the gif plays at the movie’s frame rate instead of ImageMagick’s default.

More info in this gist.

“Najmlađi najboljić” (“The youngest best-of-the-best”) – How programmers from elementary school’s 2nd grade are treated by Croatian institutions

CROATIANS: Watch the video at the end of the article. Towards the end of the video, the story I write below in English is typed out. (Also, below the video, there is a bit more text in Croatian.)

IN ENGLISH: For my foreign readers, here’s a VERY quick overview of how some very talented kids have been treated over the last several years, and of how well the National Competition Committee for computer science and the Croatian Education and Teacher Training Agency apply the national computer science competition’s official rules when dealing with a super-smart second-grader.

Usually, in Croatia, kids go to computer science competitions in elementary school from fifth to eighth grade, as well as during all of high school. That’s fine. Dorijan Lendvaj was, however, a second-grader in 2012.

Nowhere was it said that children younger than fifth grade can’t compete. It’s not forbidden; there is no rule limiting competition to fifth grade and up. And as far as I know, that is how it has been since 1992, when the national competition was first held. The rules definitely did not change during the 2000s, the decade when I competed, from seventh grade through the fourth year of high school. There were always some fourth-graders. Younger kids didn’t compete because they did not yet understand programming well enough to understand the problems, much less solve them.

At least during the 2000s, there was always a division between P1 and P2: fifth and sixth grade, and seventh and eighth grade. That’s fine. Pre-fifth-graders simply competed in P1. That is no longer the case.

So what’s the problem? Since AZOO (that’s the agency) took over the organizing, they took on the task of setting the rules. Let’s see what’s up in elementary school. There was a rule that the ranking list for INVITATION from the county to the national level is based on several age groups: pre-fifth and fifth grade, sixth grade, seventh grade and eighth grade. Does that make sense? A little, but let’s go with the flow. There is a small number of pre-fifth-graders, so it perhaps makes little sense to organize a separate competition.

During AZOO era, problems were also written based on those groups instead of P1 and P2. That’s also fine, for the same reason.

But that makes it more shocking that AZOO decided they did NOT need to apply the rule that AZOO EXPLICITLY DID NOT CHANGE. That rule says: ALL RANKING LISTS AT NATIONAL LEVEL ARE BASED ON CHILD’S GRADE. That is, even if Dorijan is the sole second-grade competitor on the national level, he wins the competition.

He should have won in 2012, when he was a second-grader, right? The same year that Dorijan and a third grader (Ivan Jambrešić) were given special, one-shot “recognitions” for being young competitors, right?

NO. HE AND IVAN JAMBREŠIĆ WERE RANKED AS IF THEY WERE FIFTH-GRADERS. DORIJAN WAS RANKED AS FIFTH, and denied the national-level award called “Oscar of Knowledge”.

This blatant disregard for THEIR OWN RULES was quickly remedied during the current school year 2012/2013, just before the 2013 competition. How?

NEW RULES STATE THAT ONLY FIFTH-GRADERS AND UP CAN COMPETE. Dorijan, who successfully competed with FIFTH-GRADE-LEVEL TASKS AS THE SOLE SECOND-GRADER has for his success been rewarded with A TWO YEAR BAN FROM THE COMPETITION. The only second-grader that managed to reach the state-level competition based on county-level competition lists which included him in fifth grade level (rightfully, according to the rules) has not only been rewarded with incorrect reading of very clear rules (“national-level ranks are categorized by grade”) but by BAN FROM COMPETING UNTIL HE REACHES FIFTH GRADE.

I also saw some signs that fifth and sixth graders may also soon be done away with. There is absolutely no doubt about it that this is about Dorijan.

What’s more to say? Deterioration of computer science competitions in Croatia seems to be near completion. They have transformed from a celebration of youth and intellect into a teacher’s point-scoring fest, in which teachers (MANY OF WHOM DON’T WORK WITH CHILDREN OR WORK VERY POORLY WITH THEM — I applaud the exceptions, of course) fight for points, which they are then promoted with and earn a better paycheck.

That’s right: teachers who blatantly prefer getting better paychecks to advancing their students’ minds. Teachers who prefer fighting for their pockets against anyone who is truly interested in children’s wellbeing. Teachers who prefer BANNING SECOND- AND THIRD-GRADERS over relenting and SIMPLY AWARDING THE KID the award that is RIGHTFULLY his, according to the RULES THEY THEMSELVES WROTE.

Should the right to correct a wrong be allowed to expire? I don’t think so. Especially with talented kids like Dorijan.

Here’s a video about Dorijan in which you can see that, as a second grader, he understands equations, square roots, fractions, multiplication and division better than many adults in the room! It’d be awesome if you could speak Croatian, but even if you don’t, it’s an interesting video.

If he doesn’t deserve a separate category and to win the national competition, who does? If he wasn’t the best second-grader in the state, who is?

Or is Dorijan magically only the fifth-best fifth grader in the state? (And if you know to perform this act of age-shifting, please do tell me. I’d love to adjust my age a bit or do other wondrous transformations. Like turning a piece of paper into an iPad.)

“Dorijan Lendvaj adores his little sister Dora and his brother Vilim, his mum and dad, and loves programming very much. He is exceptionally skilled in the programming languages Logo and C++. He is an excellent pupil, inclined towards mathematics, and he likes to play, sometimes by programming robots.

He is the youngest champion (“najboljić”) in the history of the national computer science competitions in the Republic of Croatia, and he still has not been entered on the list of national winners.

If you ask him what place he took at the last national competition (March 2012), he will say he was fifth, because that is what the official records still say, although he knows very well that he was first. He knows more than well that he is the youngest winner of the national computer science competition in history.

Dorijan Lendvaj, a wonderful and too-good gifted Person from Popovača. Golden CROCalien for 2012.”

More on the phantom recognitions


In 2012, Dorijan Lendvaj was in second grade. Since the Education and Teacher Training Agency took over organizing it, the rulebook of the national computer science competition has kept the rule “ranking at the national competition is done by grade”. And that is what it explicitly said until December 2012.

Which means that when Dorijan Lendvaj competed as the only second-grader who managed to reach the national competition at all, he should have been ranked accordingly and won, right?

No, of course not. For the last several years in a row, the organizers of the national competition have persistently repeated the same mistake and failed to read their own rulebook properly. Dorijan was ranked in an “age group” called “up to 5th grade”. Unfortunately, there is no grade called “up to 5th grade”; such age groups are defined only for, for example, invitations to the national competition or for writing the problems. But once a pupil arrives at the national competition, the rule was (and should have been respected) that the final ranking list is formed by grade.

Dorijan won and should have received the “Oscar of Knowledge” award, but he magically transformed into a fifth-grader and earned fifth place. What kind of magic is that? Can it be learned somewhere?

Now, that is not the only reward he received from the national committee and the organizers. Oh no, no! That would be too simple. Dorijan also received the reward we could call “only pupils from fifth grade upwards may compete”, INTRODUCED IN DECEMBER 2012.

Of course, that reward includes neither a statuette nor a medal. It certainly does not even include a RECOGNITION like the one Dorijan received at the START of the 2012 competition as one of the youngest participants ever (if not the youngest).

And Dorijan is not the only one. In the same year, 2012, Ivan Jambrešić was put in the same group (same recognition).

Why am I talking primarily about Dorijan and not so much about Ivan? Above is a nice little video which shows that if anyone DOES NOT DESERVE SUCH TREATMENT, then it is someone as smart as Dorijan.

So, in second grade the boy gets equations, roots, fractions and “numbers bigger than 10”. At the end of the video there is also text, a summary of the whole story.

This year’s results of the club from Popovača

Thoughts?