AlmostVPN 1.0 FAQ

  1. General Questions
    1. Why <place your question here>?
    2. Why is AlmostVPN trying to get to www.apple.com?
    3. Where does the AlmostVPN keychain come from?
    4. What about NFS tunneling?
  2. How it works
    1. Host Alias
    2. Fire and Forget profiles
  3. AlmostVPNServer
    1. What is it?
    2. Why are there two copies of AlmostVPNServer on my hard drive?
    3. Why does AlmostVPNServer need special privileges?
    4. Is it secure?
  4. Troubleshooting
    1. My default keychain keeps asking me to "unlock"
    2. I am getting the message "... port conflict ..."
    3. AlmostVPN does not accept my activation key / remember my passwords

General Questions

Why <place your question here>?

To get your question answered, e-mail it to support@leapingbytes.com

Why is AlmostVPN trying to get to www.apple.com?

AlmostVPN 1.0 uses an XML parser to read its preferences file (~/Library/Preferences/com.leapingbytes.AlmostVPNPRO.plist). Like many XML files, this file contains a reference to a DTD (Document Type Definition), http://www.apple.com/DTDs/PropertyList-1.0.dtd. The XML parser's default behavior is to try to download the DTD so it can verify that the XML file it is about to parse is valid. This issue is tracked as Trouble Ticket #219.

Where does the AlmostVPN keychain come from?

The AlmostVPN keychain is created by AlmostVPN 0.9.x. AlmostVPN 1.0 no longer uses this keychain. The password for this keychain is automatically generated and stored in the user's login keychain as almostVPN@almostVPN.

NOTE: Although AlmostVPN 1.0 does not use the AlmostVPN keychain, it does use the almostVPN@almostVPN password in your login keychain. When you decide to switch to v1.0 completely, you can delete the AlmostVPN keychain, but do not remove the almostVPN@almostVPN entry from the login keychain. If you do, you will lose all passwords stored with AlmostVPN 1.0.

What about NFS tunneling?

Unfortunately, Apple is lagging in adopting the NFS v4.0 protocol (which can run over a single TCP port), so AlmostVPN will not be able to support NFS until one of two things happens:

  1. Apple adopts NFS v4.0 (which might happen with the introduction of Leopard), or
  2. AlmostVPN v1.5.x becomes available (it will introduce "real" VPN functionality; I am 85% sure that what I plan for 1.5 will allow NFS to be used, but we will not know for sure until we try).

The problem with NFS is that the version currently supported by Mac OS X (NFS 3) uses UDP as well as TCP. UDP is not tunneled as easily as TCP. NFS 4 can work over a single TCP connection, which is perfect for tunneling.

Until NFS is available, you can use Samba on Linux. You may want to read http://blogs.sun.com/roller/page/shepler?entry=tunneling_nfs_traffic_via_ssh for more information about why NFS 4 is better suited for tunneling. If you are a "do-it-yourself" kind of person, you can try installing this NFS 4 port, ftp://ftp.cis.uoguelph.ca/pub/nfsv4/darwin-port, on your computer and tunneling with it.

How it works

Host Alias

Host Alias employs three separate techniques to achieve an almost VPN-like user experience:

  1. It creates an alias IP address on the 'default' network interface.
  2. It alters the order used to resolve IP addresses so that the NetInfo database takes precedence over any other source, and creates a new entry in it which maps the alias host name to the newly created alias IP address.
  3. It creates plain old tunnels to all services running on the target host. The only thing that is not so 'plain' about these tunnels is that they 'start' from the alias IP address.

POSITIVE side effects:

  1. If you choose to make the "alias" host name equal to the target host name, your applications (e.g. an e-mail client) can access services over SSH tunnels without any changes in configuration.
  2. It is possible to have multiple tunnels starting from the same port number without port conflicts. For example, if you need to create tunnels to more than one HTTP server, only one of them could start at port 80 unless you are using "Host Alias".
  3. Your tunnels do not conflict with services running on your local box. For example, if you have a web server running on your local box, you cannot create a tunnel originating at port 80 unless you are using "Host Alias".

NEGATIVE side effects (actually, there is only one):

  1. If you choose to make the "alias" host name equal to the target host name, you will only be able to access the ports/services that are configured in AlmostVPN. For example, you will not be able to SSH to the target host unless you have configured it with the service 22/ssh.

Fire and Forget profiles

AlmostVPN can be configured to upload/download files (via its SCP functionality). If you have a profile that does nothing else (but upload/download), you may want to mark it as "fire and forget". This makes the profile stop automatically as soon as the file copying has finished.

NOTE: In theory you should be able to do the same thing if you need to run a shell script on the remote system. As of now (1.2), it does not work very well: in some (many) cases AlmostVPN will stop the profile before the script is finished.

AlmostVPNServer

What is it ?

AlmostVPN consists of three major components:

  1. GUI(s) (AlmostVPNPRO.prefPane, AlmostVPNProMenuBar, AlmostVPNPRO Widget, ...)
  2. Configuration file (~/Library/Preferences/com.leapingbytes.AlmostVPNPRO.plist)
  3. Backend (AlmostVPNServer and AVPN.Agent)

The configuration file describes all aspects of the configuration (except for "secure" items like passwords). AlmostVPNServer knows how to interpret the configuration file in order to figure out which configuration commands need to be performed to start/stop profiles. The GUI(s) help the end user manipulate the configuration file and communicate with AlmostVPNServer to ask it to start/stop profiles. AVPN.Agent receives notifications from the OS about important events (user logged in/out, system will sleep/did wake up, ...) and forwards them to AlmostVPNServer so it can react properly (e.g. suspend all profiles before the system goes to sleep and restart them after it wakes up).

Why are there two copies of AlmostVPNServer on my hard drive?

If you search for the AlmostVPNServer file on your hard drive, you will see that there are two copies of it. One copy is located inside AlmostVPNPRO.prefPane (Contents/Resources/AlmostVPNServer); the other can be found in either "~/Library/Application Support/AlmostVPNPRO" or "/Library/Application Support/AlmostVPNPRO". If you look carefully, you will see that the copy in the "Application Support" folder has special privileges. Remember that when you installed AlmostVPNPRO you were asked to enter a user name and password? You were asked so that AlmostVPN could install a copy of AlmostVPNServer in the "Application Support" folder and assign these special privileges to it. In the *nix world, files like this are often referred to as "setuid" files. What makes them special is that, unlike other executables, when started they assume the privileges of the user who "owns" them (usually the super user/administrator) rather than the privileges of the user who started them. The copy of AlmostVPNServer in the "Application Support" folder is owned by root and is "setuid". As a result, when it is started, it runs with all the privileges of the super user.

Why does AlmostVPNServer need special privileges?

Unlike the Windows world, where almost anyone can do almost anything, the *nix world follows strict rules. Some operations can be done by anyone, and others only by a special kind of user. Unfortunately, many of the operations AlmostVPNServer needs to perform fall into the "special" category. This is the list of "special" operations performed by AlmostVPNServer:

  1. Access to "privileged" ports.
  2. Creating alias IP addresses (/sbin/ifconfig).
  3. Creating alias host names (/usr/bin/nicl).
  4. Creating new printers (/usr/sbin/lpadmin).
  5. Adding custom forwarding rules to the firewall (/sbin/ipfw).

Access to "privileged" ports. You need special privileges to "listen" on any port <= 1024. Unfortunately, quite a few very useful services fall into this category (pop3, imap, smtp, http, https, to name a few). So every time you want to create a tunnel that "starts" at one of these ports you have to be the "super user". The typical way around this limitation is to use tunnels that "start" from ports different from the destination ports. Usually this works very well, but there are at least two drawbacks:

  • sometimes the software you use with the tunnel cannot be configured to use a different port,
  • even if you can configure your application to use another port, you will have to change its configuration every time you switch from direct access to "tunneled" access.

Alias IP addresses/host names. One of the major features of AlmostVPN is the ability to configure tunnels in such a way that the user does not have to change anything in the configuration of any application that accesses services over the tunnels. AlmostVPN achieves this using two techniques:

  • allocating alias addresses
  • defining alias host names mapped to the alias addresses

Let's say that you have configured an 'Alias Host' (How To) to get access to your e-mail server. If you try to "ping" this host without the AlmostVPN profile running, ping will report the real IP address to you and will most likely fail (because if you could ping this host, why would you want to use AlmostVPN to get to it?). However, once you start the profile things become quite different. If you try to ping your server again, you will see that the IP address reported by ping is different (it will be something like 127.13.0.x), and ping will no longer fail. If you start your e-mail application, it will be able to communicate with your e-mail server without any re-configuration. AlmostVPN achieves this using two commands (both of which require super user privileges to run):

  • /sbin/ifconfig - to create the alias IP address
  • /usr/bin/nicl - to define a new host name to IP address mapping, so that the host name of your server maps to the alias IP address instead of the real one. NOTE: to be precise, there is one extra step which AlmostVPN needs to perform to make all these things "click": it needs to "fix" the order in which lookupd consults the different sources of name-to-IP mappings. You can read about lookupd here. AlmostVPN changes the order to this:
    LookupOrder NI Cache FF DNS DS
    
    Needless to say, AlmostVPN restores the original order once all profiles are stopped.
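The three Host Alias steps from "How it works" and the ifconfig/nicl walk-through above, as an added shell example (not AlmostVPN's own utils.sh). It assumes the alias address 127.13.0.1 on the loopback interface lo0, a gateway host that is not the target itself, and an /etc/hosts line in place of the NetInfo nicl mapping (NetInfo no longer exists on current macOS); with DRY_RUN=1 it prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not AlmostVPN's own utils.sh: the three Host Alias steps as
# plain shell. Assumptions: alias address 127.13.0.1 on the loopback interface
# lo0 (macOS), and an /etc/hosts line instead of the NetInfo nicl mapping.
# DRY_RUN=1 (the default) prints the privileged commands instead of running
# them; source this file in a root shell with DRY_RUN=0 to actually apply them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: alias IP address on the loopback interface (needs root).
add_alias_ip() {          # $1 = alias IP
    run ifconfig lo0 alias "$1" 255.255.255.255
}

# Step 2: map the alias host name to the alias IP (needs root).
add_alias_host() {        # $1 = alias IP, $2 = alias host name
    run sh -c "printf '%s %s\n' '$1' '$2' >> /etc/hosts"
}

# Step 3: plain tunnels that start from the alias IP. ssh -L accepts
# bind_address:port:host:hostport, so each listener binds only to the alias
# address: port 80 on 127.0.0.1 stays free for a local web server, and the
# same port can be reused for a second alias host. The destination host is
# resolved by the remote sshd, so the local alias mapping does not affect it.
# Binding a port <= 1024 still needs root, as the FAQ explains.
add_tunnels() {           # $1 = alias IP, $2 = target host, $3 = gateway, $4... = ports
    ip=$1; target=$2; gw=$3; shift 3
    args=""
    for p in "$@"; do
        args="$args -L $ip:$p:$target:$p"
    done
    run ssh -N $args "$gw"     # $args is unquoted on purpose: one word per option
}

# Bring up an alias host end to end (steps 1-3 in order).
host_alias_up() {         # $1 = alias IP, $2 = host name, $3 = gateway, $4... = ports
    ip=$1; host=$2; gw=$3; shift 3
    add_alias_ip "$ip" && add_alias_host "$ip" "$host" && add_tunnels "$ip" "$host" "$gw" "$@"
}
```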

Creating new printers. This is almost self-explanatory. To be able to define a new printer (one which will let you print over an SSH tunnel to your remote printer) you need to be able to use /usr/sbin/lpadmin, which will not let you add a new printer unless you are the super user.

Adding custom forwarding rules to the firewall. So far there is only one situation in which AlmostVPN needs to do anything with the firewall: tunneling an ARD (Apple Remote Desktop) connection. In a nutshell, the problem is this: Apple tries REALLY HARD to make it impossible to connect ARD to the computer on which ARD itself is running (which is a good thing; otherwise it would produce a severe case of endless recursion). The negative side effect is that ARD will refuse to connect to pretty much any port on the local box. Luckily for AlmostVPN users, one smart person on macosxhints.com published a solution, and AlmostVPN performs all the required steps of this solution automatically.

Is it secure?

The biggest problem with "setuid" executables is that they grant super-user privileges to anyone. The only way to deal with this is to make sure that the "setuid" executable can perform only what you really need it to perform and nothing else. In the case of AlmostVPNServer the situation is a little trickier. AlmostVPNServer is just a "wrapper" around Java code. Once started, AlmostVPNServer uses the JNI APIs to fire up an instance of the Java Virtual Machine and makes it run the appropriate Java code. To make things even more "interesting", this Java code employs some bash functions, which come from the utils.sh file stored inside AlmostVPNPRO.prefPane, to perform some configuration tasks. So basically, in order to make sure that AlmostVPNServer "is safe" we need to verify that these three files have not been tampered with:

  • AlmostVPNServer executable,
  • AlmostVPN.jar (this jar contains all the Java classes), and
  • utils.sh

First of all, we do not really need to be concerned about AlmostVPNServer itself: only a person who already has super-user privileges can modify the file without it losing its "setuid" property. So the only two files we really need to be concerned about are AlmostVPN.jar and utils.sh. The standard way of ensuring that a file has not been tampered with is to compute the file's "checksum" and then compare it with the original "checksum". There are a number of algorithms to calculate such a sum; AlmostVPN employs MD5 (you can read about it here). AlmostVPNServer has the "original" MD5 checksum embedded in it. Every time it needs to start the Java code, AlmostVPNServer calculates the MD5 sum of AlmostVPN.jar and compares it with the original one. Only if the two checksums match will AlmostVPNServer proceed with execution. The same technique is used to ensure that utils.sh has not been tampered with (starting with the RC3 release). AlmostVPN.jar contains a file with the MD5 checksum of utils.sh (actually it stores the MD5 checksums of ALL *.sh files employed by AlmostVPN). Every time AlmostVPNServer needs to invoke any function defined in utils.sh, it calculates the MD5 checksum of this file and compares it to the original checksum.

So is AlmostVPNServer absolutely safe? No one will know the answer to this question until someone manages to "hack" it, and then the answer will be NO. The only claim Leaping Bytes makes about AlmostVPNServer is that it was implemented according to common best practices.
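The "compute the checksum, compare, and only then execute" gate described above, as an added shell example (not AlmostVPNServer's or AlmostVPN.jar's own code). A manifest of "<md5>  <path>" lines is a hypothetical stand-in for the checksums embedded in AlmostVPNServer and the jar; the helper functions md5_of, verify_manifest and run_checked are names chosen here, and md5sum (Linux) or md5 (macOS) is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not AlmostVPNServer's or AlmostVPN.jar's own code: the
# "compare the checksum, then execute" gate described in the FAQ. A manifest
# of "<md5>  <path>" lines (hypothetical) stands in for the checksums embedded
# in AlmostVPNServer and in the jar. Assumes md5sum (Linux) or md5 (macOS).
# MD5 is what the FAQ names; it is no longer collision resistant, so a new
# deployment would swap in sha256sum / shasum -a 256 here.

md5_of() {                # print the MD5 hex digest of file $1
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# 0 = file present and digest matches, 1 = missing or modified.
verify_file() {           # $1 = path, $2 = expected MD5
    [ -f "$1" ] || return 1
    [ "$(md5_of "$1")" = "$2" ]
}

# Check every file in the manifest; fail if ANY of them does not match, so a
# modified utils.sh is never sourced by the privileged process.
verify_manifest() {       # $1 = manifest path
    status=0
    while read -r sum path; do
        [ -z "$sum" ] && continue
        if verify_file "$path" "$sum"; then
            echo "ok       $path"
        else
            echo "MISMATCH $path" >&2
            status=1
        fi
    done < "$1"
    return "$status"
}

# Source the helper script and call one of its functions, but only after the
# whole manifest verified (the check runs again before every invocation).
run_checked() {           # $1 = manifest, $2 = script to source, $3... = function and args
    verify_manifest "$1" >/dev/null || {
        echo "refusing to run: integrity check failed" >&2
        return 1
    }
    . "$2"
    shift 2
    "$@"
}
```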

Troubleshooting

My default keychain keeps asking me to "unlock"

It looks like under some conditions the file ownership of the default keychain can be reset to "root" as a result of installing AlmostVPN. To test whether this is the case, run this command (use /Applications/Utilities/Terminal):

ls -l ~/Library/Keychains

You should see something like this (with your user name instead of xyz):

...
-rw-r--r--   1 xyz  xyz  617620 Feb 21 10:37 login.keychain
...

If you see this instead,

...
-rw-r--r--   1 root  xyz  617620 Feb 21 10:37 login.keychain
...

with "root" instead of the first "xyz", then your keychain file ownership was reset (most likely by AVPN).

To "fix" the problem, run this (again, with your user name instead of xyz):

sudo chown xyz ~/Library/Keychains/login.keychain

This should be a one-time, install-related problem. Leaping Bytes is working on a permanent fix for this problem and will publish it in the near future.

I am getting the message "... port conflict ..."

Sometimes, after a profile has failed to start for whatever reason, you may get into a situation where you cannot start this or other profiles even after you have fixed the original problem. It should not happen, and it will be fixed soon. Meanwhile, go to the Preferences tab and "Restart" AlmostVPN Server (NOTE: wait until the light goes green again; it may take a few seconds).

AlmostVPN does not accept my activation key / remember my passwords

First of all, are you entering just the Activation Key? You should enter Full Name, e-mail AND Activation Key.

If you are still having the problem, do this from Terminal:

touch ~/.almostvpn.ssp

and see if it fixes the problem.