## I have a little glitch in my OpenVPN configuration.

One of the subjects I have written about before is that I host a VPN which uses the OpenVPN protocol, and that I have used my own, hand-written configuration files for it.

There are certain ways in which the configuration of this VPN is atypical. For example, what most system administrators will do is assign a range of IP addresses on their virtual LAN which does not overlap anywhere with the IP address range of their physical LAN. OTOH, what I have done is to use the configuration lines:

```
ifconfig 192.168.2.129 255.255.255.128
ifconfig-pool 192.168.2.130 192.168.2.254 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"
```

In my mind, I was assigning the IP address range from 192.168.2.129 through 192.168.2.254 to the VPN. But whenever my OpenVPN server starts or restarts, it does so with a warning that this IP address range overlaps with the existing IP addresses of my physical LAN, which go from 192.168.2.0 through 192.168.2.255.

This is how I made a little mistake: my configuration unwittingly also included IP address 192.168.2.255 in the range which will be routed as belonging to the VPN. That is due to the first line above, whose subnet mask is simply 255.255.255.128.

This can cause the following problem. As part of my physical LAN, address 192.168.2.255 sometimes serves a purpose: it is the UDP broadcast address of my router, and can be used by clients to find all the connected LAN clients.

Probably because I have done this, the command ‘nmblookup’ will not work on my machine ‘Phoenix’, which is also my server (as I discovered for the first time last evening). But beyond that, this could be why setting this server to act as a WINS server creates a failure in the configuration of my LAN. That failure may not really be due to any intolerance on the part of my Windows 7 machine ‘Mithral’ towards a Linux box acting as a WINS server.

Also, the command ‘nmblookup’ works fine on both of the other Linux machines on my LAN: on ‘Klystron’ and on ‘Walnut’.

If I were determined to make my configuration better, I could try tweaking this OpenVPN configuration, let us say with a subnet mask of 255.255.255.192 instead of 255.255.255.128. Of course, I would then also have to reduce the number of possible, available connections to my VPN accordingly, like so:

```
ifconfig 192.168.2.129 255.255.255.192
ifconfig-pool 192.168.2.130 192.168.2.191 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"
```

In other words, I can create a 6-bit subnet, whose addresses all begin (in the last octet) with the bits ‘10’. However, it was incorrect of me to have a 7-bit subnet, whose addresses were simply prefixed by the high bit ‘1’, because unfortunately, doing so also masks the UDP broadcast address of the router.
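To make the difference between the two masks concrete, here is an added Python check (not part of the original post, and not OpenVPN code) that reads the two server-side configurations above and reports which addresses each ‘ifconfig’ netmask actually claims for the VPN. The physical LAN is taken as 192.168.2.0/24, as the post describes it.

```python
import ipaddress

# The physical LAN the post describes (192.168.2.0 through 192.168.2.255).
LAN = ipaddress.ip_network("192.168.2.0/24")

# The original (/25) and the corrected (/26) server-side lines from the post.
ORIGINAL = """\
ifconfig 192.168.2.129 255.255.255.128
ifconfig-pool 192.168.2.130 192.168.2.254 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"
"""
CORRECTED = """\
ifconfig 192.168.2.129 255.255.255.192
ifconfig-pool 192.168.2.130 192.168.2.191 255.255.255.0
push "route-gateway 192.168.2.129 255.255.255.0"
"""


def parse(cfg):
    """Pull the 'ifconfig' interface and the 'ifconfig-pool' bounds out of
    the config text; every other directive is ignored."""
    iface = pool = None
    for line in cfg.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "ifconfig":
            # ipaddress accepts a dotted netmask after the slash.
            iface = ipaddress.ip_interface(f"{words[1]}/{words[2]}")
        elif len(words) >= 3 and words[0] == "ifconfig-pool":
            pool = (ipaddress.ip_address(words[1]), ipaddress.ip_address(words[2]))
    return iface, pool


def check(cfg, lan=LAN):
    """Report what the ifconfig netmask carves out, and whether that block
    swallows the LAN's broadcast address or only the intended pool."""
    iface, (first, last) = parse(cfg)
    net = iface.network  # e.g. 192.168.2.128/25 for the original mask
    return {
        "subnet": str(net),
        "host_bits": 32 - net.prefixlen,
        "pool_in_subnet": first in net and last in net,
        "claims_lan_broadcast": lan.broadcast_address in net,
        "overlaps_lan": net.overlaps(lan),
    }
```

Both versions still overlap the physical /24, so the overlap warning is not what the narrower mask fixes; what changes is that the /26 no longer claims 192.168.2.255.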

For the moment, not being able to use the ‘nmblookup’ command on ‘Phoenix’ has not had significant consequences for me, and one main reason might be that, in general, Linux avoids using NetBIOS. Also, the graphical browser I use does not seem to depend 100% on this command, or on the local machine being the WINS server, in order to work.

So this error has little urgency for me, and also did not impede my use of the computers.

Dirk

(Edit : ) Minutes after writing this posting, I applied the change in configuration described above. With great joy, I find that my ‘nmblookup’ command works fine now.

Now, this error should not strike people as serious, because it was only from the point of view of one client (‘Phoenix’) that this address incorrectly belonged to the VPN. However, some routers have been programmed in their firmware to offer, as an extended feature, to reflect whatever IP address assignments are reported by one client. If mine were such a router, then of course this one IP address would have been spotted as a conflict and overridden by the router, so that the other machines on my LAN continued to see the correct mapping.

One of the facts I had observed about the Google Chrome browser version meant for Linux was that Google no longer provides a 32-bit version of its binaries. In keeping with this, Google has also removed the section of its package repository which would make a 32-bit version available. Hence, I can only be subscribing to the 64-bit upgrades. Yet my Linux computer ‘Phoenix’ has its package manager set up to query a repository for both the 64-bit and the 32-bit versions of any package by default, and then to download and install the packages which are relevant.

In this earlier posting, I observed how this can lead to an error message when running ‘apt-get update’. What I had done was to make minor configuration changes like so, which I had needed to re-apply after every upgrade to Chrome.

Well, Google has caught up with the scenario I was describing. As of their latest upgrade, their own ‘cron.daily’ symlink will properly put the following source into ‘/etc/apt/sources.list.d/google-chrome.list’ :

You may note that the script from Google now includes the ‘[arch=amd64]’ parameter, which means that I won’t have to make any manual adjustments to this configuration detail of my machine every time the Chrome browser receives an upgrade.

Dirk

## It is possible to mistake a configuration file for a shell script.

One source of error which I’ve observed was even recommended in the old ‘linpopup’ package documentation.

ICYMI, “Linpopup” was a Linux extension to the Samba server, meant to allow messages to be passed directly from one computer to another on a LAN. It was based on the old “WinPopup” feature, which Microsoft discontinued with Windows XP (Service Pack 2 ? ).

I think that one of the problems with the original WinPopup was that its messages were allowed to be rich text, including URLs. Users were tricked into clicking on those URLs because they did not recognize that the pop-up windows they were getting were in fact intended as a feature; eventually these messages were being sent out to whole blocks of IP addresses as a form of spam, sometimes carrying a payload of malware.

Unlike its Windows predecessor, LinPopup only allows Plain Old Text to be sent. But this posting is not meant to describe this as a feature of Samba. I’m intending to showcase it as an example of a type of mistake which modern-day thinkers make when creating configuration files. In order to ready a Samba server to receive these messages, a Linux user is given the suggestion to put the following into their /etc/samba/smb.conf, near the end of their [global] section:

```
message command = /usr/local/bin/LinPopUp "%f" "%m" %s; rm %s
```

I know this, because I custom-compiled the old package, and this was stated in the documentation.

Now, it is possible to configure some other program to receive the message which Samba leaves in the temporary file ‘%s’, as long as we remember that any message command which Samba runs will be run as user ‘nobody’, with the privileges of user ‘nobody’. That’s not a problem. But there is a problem with this configuration line, which users ran into, and which users had trouble pinpointing.

This line is meant for a configuration file, but the above syntax would only be suitable for a shell script. A configuration file will often allow an executable program to be specified, and will even go so far as to allow command-line parameters to be passed in. But a configuration file will not go so far as to allow two programs to be executed in sequence. That is a luxury which too many modern coders take for granted, apparently.

The two programs referred to above are:

- /usr/local/bin/LinPopUp
- rm

In fact, this configuration mistake will pass in the semicolon as part of the parameters to /usr/local/bin/LinPopUp, thereby mangling the ability of this program to identify the file the message is in. And then it will pass in the string “rm” as well…

What I had to do myself was something like:

```
message command = bash -c '/usr/local/bin/linpopup "%f" "%m" %s ; rm %s' &
```

The one program I’m telling Samba to run is ‘bash’. It, in turn, can run several other programs synchronously, asynchronously, etc.

Also, it should be noted that the ‘&’ at the end of my line is not equivalent to its use in shell scripts, where it tells a running instance of ‘bash’ to disconnect the child process immediately and to continue running the rest of the script. My ‘&’ does not assume that ‘bash’ is already running, and appears as a parameter to ‘bash’ itself.

For all I know, ‘bash’ could simply ignore this. But I do know that this ‘&’ does not interfere with my message command working…
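The argument-splitting the post describes, as an added Python demonstration (not part of the post, of Samba or of LinPopup): it fills in Samba's ‘%f’, ‘%m’ and ‘%s’ with constructed values, splits the configured value into an argv the way a daemon that execs the command directly (no shell) would, and then actually runs both forms with a harmless stand-in for LinPopUp to see whether ‘rm %s’ ever runs as its own command. It assumes ‘bash’ is installed.

```python
import os
import shlex
import subprocess
import tempfile

# The two smb.conf values from the post: the documented one, and the bash -c form.
BROKEN = '/usr/local/bin/LinPopUp "%f" "%m" %s; rm %s'
FIXED = "bash -c '/usr/local/bin/linpopup \"%f\" \"%m\" %s ; rm %s' &"


def substitute(template, frm="walnut", machine="KLYSTRON", spool="/tmp/msg.constructed"):
    """Fill in Samba's %f (sender), %m (client machine) and %s (spool file).
    The defaults are constructed stand-ins for the demo, not real values."""
    return template.replace("%f", frm).replace("%m", machine).replace("%s", spool)


def argv_no_shell(template, **subs):
    """argv as a daemon would exec it directly, with no shell in between:
    one program, the rest split on whitespace, nothing interpreted.
    Note how ';' stays glued to the spool path and 'rm' becomes a parameter."""
    return shlex.split(substitute(template, **subs))


def spool_removed(template, program="true"):
    """Run the configured value without a shell (as the post describes Samba
    doing), with `true` standing in for LinPopUp, and report whether the spool
    file got deleted afterwards."""
    fd, spool = tempfile.mkstemp(prefix="linpopup-demo-")
    os.close(fd)
    demo = (template.replace("/usr/local/bin/LinPopUp", program)
                    .replace("/usr/local/bin/linpopup", program))
    subprocess.run(argv_no_shell(demo, spool=spool), check=False)
    gone = not os.path.exists(spool)
    if not gone:
        os.unlink(spool)  # clean up the leftover file the broken form leaves behind
    return gone
```

With the fixed form, ‘bash’ receives the whole quoted string as its ‘-c’ argument and the trailing ‘&’ as a further parameter (it lands in ‘$0’), which is why the command still works.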

Dirk

(Edit : ) And, it is up to the way the Samba server parses its configuration file whether it expands the variables which begin with ‘%’ inside single quotes. It doesn’t matter that ‘bash’ would not do so.