Saturday, December 30, 2006

Exchange Server Alternatives: Results So Far Part Deux

Yesterday I finished looking at the features of Open-Xchange, and today I have been looking at Zimbra's functionality. Zimbra helpfully gives us a chart comparing the various features of its five different editions. So as to compare apples to apples as far as possible, I am looking at the "Open Source Edition", i.e. the one that has no dollar signs attached to it.

Zimbra seems to spend a great deal of time boasting about its Ajaxified (yes, I know it's not a word, but it's getting a lot of usage) email & calendar features. Ajax, or Asynchronous JavaScript and XML, is an old technology that became incredibly trendy (and very useful) in late 2005 and 2006. It permits a web page to send a request to and receive a response from a remote server without reloading the entire page. This makes a web application appear to function much faster, as less data has to move around the Internet, and you only have to load the part of the page that has changed rather than all the HTML and images for the entire page. It's quite a useful technology, and we implement it on the vast majority of the web applications we build.

The feature set of the free edition of Zimbra is rather more limited than that of Open-Xchange. First, there is no Outlook connectivity; you have to spend money for that. Second, there is no inline display of HTML attachments for email. Third, there is no easy online backup/restore (which just seems insane to me, but there you go). In fact, in order to connect with Outlook and MAPI clients, you need to purchase the full "Network Professional Edition" -- presumably the most expensive, with an annual licensing fee, or a monthly subscription fee. How much does it cost? Well, that's a bit difficult to figure out without talking to a sales rep -- always a bad sign -- but you do get a bit of information on the site:

Licenses are sold in blocks of 25 and priced on a sliding scale based on the size of your installation and business segment. For example, 75 Professional Edition mailboxes for a business are priced at $28/user/year; a non-profit for the same will be discounted 50%.
There is a bit more info on the site regarding pricing for the various editions. For example: for the Network Professional Edition for a business, the first 25 pack is set at $35/user/year. Assuming that you have a minimum of 25 users, then the annual cost is $875.00. This is all well and good, but 10 minutes on Froogle shows that I can get Exchange itself with an equivalent number of client access licenses for the same money or less -- and it's not an annual subscription.

So what's the point?

Next, I'm going to give Scalix a look.

Friday, December 29, 2006

Exchange Server Alternative: Results so far

So I've been working away, trying to identify the best alternative to Microsoft Exchange Server for my organization. I had initially narrowed the field down to two: Zimbra, and Open-Xchange. I've spent a few hours today going through the latter, and a fairly thorough review of the Open-Xchange site suggests that it supports the following:

  • Messaging (email)
  • Shared Calendars
  • Shared Tasks
  • Shared Contacts
  • Document sharing
  • Project portals (not entirely certain what this is, but if it is what I think it is, it looks promising)
  • User forums, bulletin boards
  • Knowledge base (sort of like a faq on steroids)
  • Bookmark repository (our own private del.icio.us?)
  • Support for Outlook (through a nifty api called the oxtender)
  • Support for Palm
  • Support for Samba
  • Support for SyncML
  • Advanced user management
  • Advanced messaging archival/reporting/retrieval
Wow. That exceeds my initial requirements list, and then some. There are, to be fair, a few missing elements -- spam & virus prevention are must haves, and network faxing would be nice. If my cursory read of the architecture is accurate, then I suspect none of these are going to be problematic (in fact, I might be able to stick with my existing SMTP transport layer, and have to do nothing in this regard). This is an extremely well thought out package. I plan on reviewing Zimbra's feature set next, and then doing a test install of each package.

Thursday, December 28, 2006

Exchange Server Alternative: Requirements

Quite often when dealing with a client -- particularly a new one -- I spend a great deal of time simply educating them on the need for sufficient planning prior to actually beginning a project. Like most IT firms, we call this the requirements phase, and out of it comes (naturally enough) the requirements document. Smaller clients often put up some resistance to this, and, much like an eager new developer, just want to jump right in and begin work. There are a number of rather serious problems with this approach. I find analogy usually helps in cases like this.

"Would you build a house without a blueprint?"
"Well... No..."
Well, they say that confession is good for the soul, and it is time to come clean. Perhaps it is the unusual feeling of relaxation that comes during the holiday season, or perhaps it is simple laziness, but whatever the case, I have not put sufficient planning into my "let's find a free, or at any rate reasonably inexpensive alternative to Microsoft Exchange Server" project.

I haven't even clearly articulated my objectives to myself, let alone in this particular forum.

Accordingly, I am making an early resolution this year: find out exactly what Exchange does, which of those features are going to be a requirement for my project, and enumerate other features that would be nice to have, but don't exist yet. Once an appropriate platform is chosen and installed, perhaps we can even complete add ons for whichever platform we choose, and release those for the benefit of others.

A quick read through the product features list on Microsoft's site lists these as must haves:
  • shared calendars
  • shared address books
  • easy integration with Microsoft Outlook
  • anti-spam
  • anti-virus
  • messaging records management
  • webmail access
  • pop3, pop3s, imap, imaps protocol support
  • smtp and smtps protocol support
  • flexible and sophisticated calendaring functionality
  • integration with popular PDAs for to-dos, calendars, etc.
Yes, those are what a child of the eighties would call "no brainers", but there you go. If you don't write it down, it didn't happen.

As I work through my research, I'll construct a "nice-to-have" list as well.

Wednesday, December 27, 2006

Exchange Server Alternatives: Update

I have been conducting some research into which platform will be the most appropriate to put in a system that will provide much the same functionality as Microsoft Exchange, without the cost and security vulnerabilities (which may or may not be mythical; there is no question as to the cost - it's very real). This is the first of my DIY projects that I approach with some reluctance, as I personally do not use or like Outlook. However, many of my clients, contractors, etc. do, and I can understand their desire to have this functionality in place. So far, it looks like there are two viable alternatives that will do what I want, without serious limitations: Zimbra, and Open-Xchange. Both work within a browser, and permit use from other applications (most notably Microsoft Outlook).

I have a lot more work to do before I make my final determination, including setting up a test environment, some additional research, and serious testing, but I believe I have narrowed it down to these two.

Sunday, December 24, 2006

Exchange Server Alternatives

We have been under some pressure from both clients and selected staff (curse them) who really, really want to have an Exchange server installed for our office. Although I have resisted for quite awhile, and continue to use a rock solid qmail installation for our email services, there are, I admit, some benefits to having Microsoft Exchange installed -- shared calendars, shared address books, and so forth. However, Microsoft Exchange is a pricey little thing, and I have heard countless horror stories about security.

Naturally, I am looking for a free, stable, secure alternative right now.

So far, I have come up with this list of possible alternatives:

  • eGroupware - a PHP based groupware solution, intended to be used with a web browser. Not a true replacement for exchange server. http://www.egroupware.org
  • Group-Office - like eGroupware, this is a PHP based groupware solution, intended to be used with a web browser. Not a true replacement for exchange server. http://www.group-office.com
  • Open-Xchange - Hmmm... now this is more like it. Integrated SMTP & messaging server, integration with Samba, and "OXTenders", for connections with various non-browser applications. This sounds more like what I am looking for. http://www.open-xchange.com/EN/developer/
  • Kolab - From their site: "Kolab is a Groupware Solution for Emails, Appointments, Contacts and more. It supports mixed client environments (Outlook/KDE) because of an open storage format. Any email client speaking standard protocols can be served. For the full Kolab experience you need a Kolab Server and Kolab Clients. " A quick overview of the required software suggests that although this will connect with Exchange, it requires a "proprietary, [connector] with gratis 30 day evaluation", called "Toltec connector 2". Hey, I don't want to spend any money if I don't have to... http://www.kolab.com
  • OGo - OpenGroupware http://www.opengroupware.org
  • Zimbra http://www.zimbra.com
  • Open Source Outlook MAPI Connector http://www.openconnector.org
Update: A visitor suggests Scalix (www.scalix.com), which looks very promising. It comes in two flavours - commercial, and "community edition." The latter is free, but limited to 25 users. I will include it in my research, though.

I have not done a great deal of research into any of these, but plan to do so over the holidays. I'll keep you posted.

Saturday, December 23, 2006

Asterisk via Live CD

While waiting for my various components to arrive for the Asterisk install, I decided to see if I could simply play around with soft phone technology, experiment, and so forth. I didn't actually accomplish anything so far, but I did stumble across this Live CD Asterisk product. In case you are unfamiliar with the concept, a Live CD is a rather nifty little thing -- it's a complete, task specific operating system on some bootable media (typically a CD ROM or DVD ROM, but you can use it on a compact flash card, USB key, etc. -- anything that has sufficient storage space and can boot your PC). This is a complete, fully functional Asterisk install on a CD ROM. I actually downloaded it, burned it, and used it to boot my PC. It worked -- at least I think it did. Once again, I'm waiting for some gear to arrive to be able to complete the install and see how it works.

Saturday, December 09, 2006

Asterisk Update

It's been awhile since I have been able to post here -- November and December are typically very busy for me, and I have little time for extracurricular activities. However, I have managed to do some work on the Asterisk install. I've installed the base code on my backup server, which is now running the latest build of CentOS. It went smoothly, largely because I am unable to test anything as of yet -- I have not picked up the hardware necessary to complete the installation. I've decided to go with the Linksys Sipura SPA 3000 for my hardware requirements, for a couple of reasons. First, the box running Asterisk is a bit elderly, and having the FXO/FXS in a stand alone box will reduce the processor requirements; and second, the price is much better this way. I can pick the box up for as little as $115.00 CDN.

I hope to order one this month, and begin testing the application.

Tuesday, November 28, 2006

A bit off topic

This really isn't about saving money or cheap technology... but it's such a good effort by someone in Japan that I couldn't resist. This gentleman guts his Mac Cube and gives it a new enclosure, echoing a miniature version of the Aluminum Grilled Power Mac G5 in Cube Form.

I wonder if I could get him to cut the holes for my cheese grater antenna...

Saturday, November 25, 2006

Internet Cafe Security

This PDF discusses a simple (and free) way to foil keyloggers on public terminals such as those found in Internet Cafes. It's common for thieves to install malicious software such as keyloggers in an effort to steal personal information, passwords and so forth from those who use the systems.

Since I hate reading PDFs in web browsers, I copy the relevant bits here:

Rather than hide the password our approach is to embed it in a sequence of random characters. So we seek a way of entering random keys so that they will be seen by the keylogger, but will not affect normal login. The trick lies in the fact that keyloggers employ very low level OS calls. The keylogger sees everything, but it doesn’t understand what it sees. The browser also sees everything, but it doesn’t use everything that it sees: it does not know what to do with keys that are typed anywhere other than the text entry fields, and lets them fall on the floor. The keylogger has no easy way to determine which keys are used by the browser and which fall on the floor. It is very easy to record all of the keys or mouse events (this is true both for Windows and Linux based systems). It is also very easy to determine which application had focus at the time of the event (e.g. this key went to the browser). But it is very hard to determine what the application did with those events. Between successive keys of the password we will enter random keys. In the spirit of chaffing and winnowing, the string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible. Observe that we are not exploiting a particular feature of any particular browser: this trick works with all versions of Internet Explorer, Netscape Navigator and Mozilla Firefox. We are exploiting the difficulty from the OS layer of determining how the GUI of an application handles events. It involves typing random characters between successive characters of the password, and changing focus to and from the password field using the mouse. Instead of the password snoopy2 the keylogger now gets:
hotmail.comspqmlainsdgsosdgfsodgfdpuouuyhdg2
Here a total of 26 random characters have been inserted among the 7 characters of the actual password. In general a total of n extra characters in a length k password will yield so many possible passwords that attack is infeasible (recall the password that can only be tested by attempting login). There are various attacks on this method as we explain below. However, none of the keyloggers reviewed ... appear to have the functionality to defeat this simple trick.
Simple, neat trick.
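To put a number on "so many possible passwords", here is a small worked example I have added (it is not from the PDF). It checks that snoopy2 really is embedded in the logged string and counts how many 7-character strings an observer could read out of it. It assumes the observer already knows the password length, which a keylogger would not, and the function names are my own.

```python
from math import comb

# Values quoted in the excerpt above: the real password, and what the
# keylogger captured after the site name "hotmail.com".
PASSWORD = "snoopy2"
LOGGED = "spqmlainsdgsosdgfsodgfdpuouuyhdg2"


def embedding_positions(password, logged):
    """Earliest index in `logged` of each password character, in order.
    Returns None if the password is not embedded in the capture."""
    positions, start = [], 0
    for ch in password:
        idx = logged.find(ch, start)
        if idx < 0:
            return None
        positions.append(idx)
        start = idx + 1
    return positions


def placement_upper_bound(n_chaff, k):
    """Ways to choose which k of the n+k logged keys were the real ones.
    This is an upper bound: repeated letters make some choices identical."""
    return comb(n_chaff + k, k)


def distinct_candidates(logged, k):
    """Exact number of different length-k strings that can be read out of
    `logged` by dropping characters (distinct subsequences of length k)."""
    dp = [1] + [0] * k      # dp[j]: distinct subsequences of length j so far
    before_last = {}        # char -> dp as it was before its previous occurrence
    for ch in logged:
        prev = dp[:]
        for j in range(1, k + 1):
            dp[j] = prev[j] + prev[j - 1]
            if ch in before_last:
                # Strings ending in this char were already counted last time.
                dp[j] -= before_last[ch][j - 1]
        before_last[ch] = prev
    return dp[k]


def chaff_needed(k, target):
    """Fewest chaff characters for which the upper bound reaches `target`
    candidates; any less chaff cannot give that much ambiguity."""
    n = 0
    while placement_upper_bound(n, k) < target:
        n += 1
    return n


if __name__ == "__main__":
    k = len(PASSWORD)
    n = len(LOGGED) - k
    print("password embedded at indexes:", embedding_positions(PASSWORD, LOGGED))
    print("chaff characters:", n)
    print("upper bound on candidates:", placement_upper_bound(n, k))
    print("distinct candidates in this capture:", distinct_candidates(LOGGED, k))
    print("chaff needed for a million candidates:", chaff_needed(k, 10**6))
```

The exact count comes out below the upper bound because the chaff in the example reuses a handful of letters, so chaff drawn from a wider range of characters buys more ambiguity per keystroke.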

Computer Part Wreath

This is too funny -- this site shows a Christmas wreath made from left over/spare/elderly computer parts, wired to a frame. There are no details of construction -- just the picture. But seriously, how hard could it be? And who among us does not have a few dozen spare printed circuit boards lying around?

I think I'll give this a try and impress my wife. She laments the fact that I see Christmas decorations as both pointless and wasteful.

Friday, November 24, 2006

DIY Home Theatre PC - Update

I've done some looking around, and found that there are quite a few varying opinions on building a Digital Home Theatre System.

On a side note, I should probably come up with something simpler to call it. "Digital Home Theatre System" is too cumbersome, and DHTS sounds wrong somehow. Well, it's a PC, and it's a home theatre... how about Home Theatre PC, or HTPC for short?

This article over at PCStats.com outlines their approach to building a system (which, I might add, they call their HTPC. I confess; I stole the acronym). It's quite good, right up until the point where they elect to install Windows as their operating system. There's nothing wrong with Windows XP (even the media center edition is fine for most people). I just don't want to (a) pay for it; (b) steal it; or (c) keep it patched and up to date. This is a TV system I'm building. I don't particularly want to have to reboot my television.

The information provided, though, is quite helpful.

I'll keep researching.

Replace your phone service with Skype

The folks over at Linuxjournal.com have a nifty how-to guide for replacing your PSTN phone service (that's Public Switched Telephone Network, for people like me, who are still new to this whole VOIP thing) with a Skype based solution.

This is rather slick...

The author claims that his "solution was to build a Skype server that provides 24/7 phone service with the minimum of hassle and fuss. By dumping your regular phone company and taking back control of your home phone wiring using a Skype server, you will have not only a phone system with nearly the same capabilities as before -- indeed, in some ways better -- you will also save a bundle of money! In my case, I save a little less than $700 US each year (this year, next year, and the year after that, and so on), or about 82% off of my old phone bill."

Hmmm... 82% is a lot of dough.

Update:
Darn. The SkypeIn service (details on the Skype website) is not yet available in Canada. Well, it is, but my next door neighbours would have to call a number in some other country to get me... and that's not going to happen.

Oh well.

Thursday, November 23, 2006

Freevo - the MythTV Alternative?

So I've been doing some more reading into my Digital home theatre project (it seems I've been doing a lot of reading lately). I came across an alternative to MythTV: Freevo. As the name suggests, this is intended to be a free (as in you put hours of work into something and place no actual monetary value on your time) alternative to TiVo.

It looks interesting. I'm not sure if there is any general consensus as to which is better, but it is probably worth some additional investigation.

I did find a bunch of comments on someone's digg post that argue both sides of the fence, which wasn't very helpful. I wanted to post a screenshot, but the ones on Freevo's site don't seem to work (which isn't very encouraging).

Wednesday, November 22, 2006

Why MythTV?

I've been doing some more reading, and it seems that MythTV is a logical choice for the Home Theatre PC I want to put together. Here are some of the features offered by MythTV:

  • Basic 'live-tv' functionality. Pause/Fast Forward/Rewind "live" TV.
  • Support for multiple tuner cards and multiple simultaneous recordings.
  • Distributed architecture allowing multiple recording machines and multiple playback machines on the same network, completely transparent to the user.
  • Compresses video in software using rtjpeg (from Nuppelvideo) or mpeg4 (from libavcodec). Full support for Hardware MPEG-2 encoder cards (Hauppauge PVR-250 / PVR-350). Preliminary support for DVB cards and the new pcHDTV tuner card.
  • Support for the (very nice looking) hardware MPEG-2 decoder and TV out present on the Hauppauge PVR-350.
  • Completely automatic commercial detection/skipping
  • Grabs program information using xmltv.
  • A fully themeable menu to tie it all together.

Here's what it looks like (the above info and the below screenshot are taken from the MythTV website):


All in all, this looks like a pretty good system. Of course, my wife will insist that it's aesthetically pleasing as well, and that could be more of a challenge...

DIY Home Theater

Last night I realized that I am using a VCR that is older than my oldest child, and she hits the double digits next year.

I'm getting old.

Rather than wallow in self pity, though, I decided to focus my energy into something productive. It's time to do away with the elderly analog VCR and try building a Home Theater PC. I've been thinking about this for quite some time, and believe it's time to give it a go.

Although I don't have the specifics worked out, I am certain that MythTV will be a component of the final mix. This is a free, Tivo-like package that does not require a subscription.

Besides, I think that getting my Asterisk system working is going to take awhile. I need to have a success of some sort in the meantime.

Tuesday, November 21, 2006

Interesting Add On for Asterisk

While planning for my Asterisk install, it occurred to me that someone has almost certainly already built and released an open source project for web based administration of the server. While I have by no means completed my research into this topic, I did stumble across a very nice package called VoiceOne. This seems to be almost exactly what I will need.

Here is a sample screenshot of the application. It looks very promising.

Asterisk update

I've been doing some more reading about the hardware requirements and options for setting up an Asterisk PBX, and came across this information:

"If you build an Asterisk system without the need for PCI cards, you have a much greater set of choices for what kind of computer to run Asterisk on. If things are configured correctly, the ATAs are handling all of the load for coding/decoding digitized streams of voice to/from analog. You have a better chance of being able to successfully share a computer for asterisk and some other tasks. There are some great choices in small form factor computers. It's even possible to run Asterisk on a Linksys WRT54GS, but that box is a bit too underpowered for a full featured Asterisk configuration. Linksys also sells ATAs with firmware from Sipura. Now it's been announced that Linksys is buying Sipura. I haven't seen any reports on hacking the version of the WRT54G with the embedded ATA yet, but I'm hoping we might see some pretty cool things soon."

Please note that I fixed some spelling errors in this prior to putting it here. I can't help it; the English prof in me takes precedence over the nerd from time to time. Anyway, it sounds a lot like the external box (i.e. the Linksys - Sipura SPA-3000) might be a better solution given that I'm using older hardware for my home installation of Asterisk. After a bit of browsing, I found an excellent price on one here, in Canada. I'm tempted to try this using my Linksys WRT54GS router, but since that's currently connecting my antenna to the Internet, I might be asking it to do more than it can.

Monday, November 20, 2006

Automatic Backups with rdiff-backup

I finally got around to finishing my backup scripts. My goal was to have off site backup of machines on my internal network to a remote location, through a secure tunnel established with OpenVPN. I elected to go with rdiff-backup, as it permits nifty features like point-in-time recovery (i.e. restore this file/directory/whatever as it was on a certain date at a certain time). I set up a machine in the same physical location as the servers I wanted to back up as a primary backup server (so as to permit speedy recovery without having to go through the tunnel), and then backed up once a day off site to the remote machine.

It turned out to be pretty easy.

The first step was to allow automatic backups without human intervention. The way that rdiff-backup works is actually pretty cool. You establish a connection to the remote server using some login facility such as telnet, rlogin, or ssh (I went with ssh for obvious reasons -- it's the most secure), and then execute the rdiff-backup program on the remote machine, telling it to send the files across the network to wherever you want them backed up. This means that rdiff-backup has to be installed on both the "server" and the "clients". Installation is a snap.

The next step is to create a "backupuser" account on all machines, and use Public Key Infrastructure (PKI) to permit secure unattended logins.

This is relatively simple. First, create the account on all machines (i.e. adduser command). Next, generate a public/private keypair for the account as follows:

trolius> ssh-keygen2
Generating 2048-bit dsa key pair
1 oOo.oOo.o
Key generated.
2048-bit dsa, user@Local, Wed Mar 22 2002 00:13:43 +0200
Passphrase :
Again :
Private key saved to /home/backupuser/.ssh/id_dsa_2048_a
Public key saved to /home/backupuser/.ssh/id_dsa_2048_a.pub


Note that you might get slightly different feedback depending on your version of OpenSSH. Next, rename the generated private and public keys to whatever your OpenSSH requires them to be (hint: read /etc/ssh/sshd_config for a clue). Copy the keys to the remote machines, and log into each once so that you can say "yes" when prompted as to whether or not you want to accept the keys.

Finally, back everything up! These commands will do it for you:

/usr/local/bin/rdiff-backup \
backupuser@192.168.0.16::/home/httpd \
/backup/luther/httpd
Note that the backslashes (\) are there to keep the command from going out of the text area on the blog; you can use them or not, as you wish, when you type the actual commands. This command backs up /home/httpd on "luther" to /backup/luther/httpd on the machine which originated the command (i.e. the one that is receiving the backup).
rdiff-backup -r 3D /backup/luther/httpd/somedir/ \
/home/backupuser/tmp/
This will restore the entire "somedir" directory to the local directory /home/backupuser/tmp/ as it was three days ago. The "r" stands for "restore as of". You can use a variety of formats to specify date, time, etc. Other acceptable time strings include 5m4s (5 minutes and 4 seconds) and 2002-03-05 (March 5th, 2002).

I ran the backups once, to ensure that everything is backed up, and then added each command as an entry in /etc/crontab to run it hourly on the "primary" backup server. I then added similar entries on the crontab of the remote backup server, to run once a day at 4:00 AM.

Couldn't be simpler, and I can sleep better at night knowing my data is stored redundantly.
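An unattended key is only as safe as what it is allowed to do on the machine being backed up, so here is an added example (not part of the original setup above) that audits backupuser's authorized_keys file on a client such as "luther". It assumes OpenSSH's authorized_keys options and rdiff-backup's --restrict-read-only server option; the function names are my own, and the sample entries are constructed with placeholder key material.

```python
import os

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
RESTRICT_FLAGS = ("--restrict", "--restrict-read-only", "--restrict-update-only")
# Option keywords are case-insensitive, so they are compared in lower case.
LOCKDOWN = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

# Constructed sample: key material replaced by obvious placeholders.
SAMPLE = """\
# backupuser's authorized_keys on the machine being backed up
ssh-dss AAAAPLACEHOLDERKEY1 backupuser@primary
command="rdiff-backup --server --restrict-read-only /home/httpd",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAPLACEHOLDERKEY2 backupuser@primary
command="rdiff-backup --server",restrict ssh-rsa AAAAPLACEHOLDERKEY3 backupuser@offsite
"""


def split_unquoted(text, seps, maxsplit=-1):
    """Split on separator characters that are outside double quotes."""
    parts, start, in_quotes, escaped = [], 0, False, False
    for i, ch in enumerate(text):
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        elif ch in seps and not in_quotes and len(parts) != maxsplit:
            parts.append(text[start:i])
            start = i + 1
        escaped = ch == "\\" and not escaped
    parts.append(text[start:])
    return parts


def parse_line(line):
    """Return options, key type and comment for one key line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):          # no options field present
        opts_text, rest = "", line
    else:
        pieces = split_unquoted(line, " \t", maxsplit=1)
        opts_text = pieces[0]
        rest = pieces[1].lstrip() if len(pieces) > 1 else ""
    fields = rest.split()
    if len(fields) < 2:
        return None
    options = {}
    for item in filter(None, split_unquoted(opts_text, ",")):
        name, _, value = item.partition("=")
        options[name.lower()] = value.strip('"')
    return {"options": options, "key_type": fields[0], "comment": " ".join(fields[2:])}


def audit_entry(entry, backup_root):
    """List what still lets this key do more than serve one backup."""
    findings, opts = [], entry["options"]
    tokens = opts.get("command", "").split()
    if "command" not in opts:
        findings.append("no forced command: the key opens a full shell")
    elif (not tokens or os.path.basename(tokens[0]) != "rdiff-backup"
          or "--server" not in tokens):
        findings.append("forced command is not 'rdiff-backup --server'")
    elif not any(a in RESTRICT_FLAGS and b == backup_root
                 for a, b in zip(tokens, tokens[1:])):
        findings.append(f"server mode is not confined to {backup_root}")
    if "restrict" not in opts:              # 'restrict' turns on every lockdown option
        missing = [o for o in LOCKDOWN if o not in opts]
        if missing:
            findings.append("missing options: " + ", ".join(missing))
    if entry["key_type"] == "ssh-dss":
        findings.append("DSA key: disabled by default in current OpenSSH")
    return findings


def audit_file(text, backup_root):
    """Return [(comment, findings)] for every key line in the file text."""
    entries = filter(None, map(parse_line, text.splitlines()))
    return [(e["comment"], audit_entry(e, backup_root)) for e in entries]


if __name__ == "__main__":
    for comment, findings in audit_file(SAMPLE, "/home/httpd"):
        print(comment, "->", findings or "ok")
```

The second sample entry is the shape to aim for: the key can start only rdiff-backup in server mode, only read /home/httpd, and gets no terminal or forwarding.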

Planning the Asterisk Install

After reviewing the basic instructions found here, it would appear that I need to purchase PCI cards with Foreign eXchange Station (FXS) ports, and with Foreign Exchange Office ports. Telephones are connected to the FXS ports, and phone lines are connected to the FXO ports.

Apparently bad things happen if you get this wrong. FXS ports provide power and generate ring signals, while FXO ports receive power and ring signals. I'll have to be careful with that.

I'm also going to need an Analog Telephone Adaptor, or ATA, that acts as a gateway between my digital network (the Asterisk box) and plain old analog phones and phone lines. Fortunately, the most common ATAs offer FXS ports, so there is less hardware to buy (and money to spend).

Apparently there has been considerable success using the TDM400P with a couple of daughter cards for a self contained PC to handle everything. Or, we could go with the Sipura 3000 (a stand alone box that you connect your Asterisk machine to via ethernet). I guess it all comes down to price.

Pricing out the first option, the Digium TDM400P, doesn't look too bad. I found a decent price here, at voipdepot.ca.

My, what a wonderful new crop of acronyms to learn. I connect from the CO to my FXO, then go through my ATA to FXS to connect to a phone and get dial tone. What fun.

Sunday, November 19, 2006

Why install Asterisk at home?

I've had a number of people ask me why I would be interested in installing Asterisk PBX at home. Well, there are a number of reasons. First, I pay for voice mail and a few other features on my home phones, and it costs me a bit of cash every month. The PBX will pay for itself inside of a year. The main reason, though, is functionality. Here are some of the features that are of interest to me:

  • Sophisticated Voice Mail system - This can provide a mail box per person, that can deliver notification by e-mail. Web based access to your voice mail is also available.
  • Interactive Voice Response IVR system - You can present callers with a menu, which can be particularly useful if you have more people in the house than you have incoming phone lines. "Press 1 for Him, Press 2 for Her, Press 3 for Kid No. 1, Press 4 for Kid No. 2"...
  • Control over which phones ring, and at what times.
  • Functions as an Intercom - Place in house calls.
  • Call routing - Route incoming calls by Caller ID.
  • Multi-line functionality - if you need more than 2 incoming lines, you will quickly discover that phones that handle more than two lines are much more expensive than 1 or 2 line phones, and there isn't very much selection available.
  • Call Detail Reports - for attempting to gain some control over costs, and/or teenagers, etc.
  • Check your voice mail over the web.
  • Email notification of voice mail.
There are many more features, but even this brief overview shows the kind of control you can have.

Plus, it's cool. And although I do hate to admit it, there is a fairly wide "geek" streak in me. It rears its ugly head sometimes.

Saturday, November 18, 2006

Progress with Asterisk

I've made some progress with my Asterisk PBX planning. As I indicated earlier, I had to do a re-install of the operating system on my backup server (From FreeBSD to CentOS) first, and I've managed to get that out of the way. I've also developed a strong appreciation and respect for the "yum" package manager. It's very good, and as easy to use as ports on FreeBSD.

Anyway, I've begun the work necessary to build a simple PBX system at home, using Asterisk. I figure I'll practice at home, and if it works well, eventually migrate my business onto the same system. At this point, it's largely reading and research, as I have to (gasp) actually purchase some hardware in order to make this work.

Apparently, I'm going to need a PSTN interface card.

For those not in the know (like me, up until recently), PSTN stands for Public Switched Telephone Network. Also, POTS is Plain Old Telephone Service. And in case you were wondering, PBX stands for Private Branch eXchange. Wikipedia has some great info on the history of the PBX.

I'm sorry for the digression.

A PSTN interface card is the basic device that permits you to connect analog or digital phone lines (the ones that you use at work or at home to connect regular phones to) to your PBX. Once you've done that you have access to all the nifty features that Asterisk offers, such as call parking, voice mail, and so forth.

There is a helpful site found here that details all of the various cards known to work well with Asterisk. I'm going to have to do some serious price comparison for awhile, and find one known to work well with my system.

This is going to take awhile.

Thursday, November 16, 2006

No go on the cheese grater

After some careful consideration, I've decided to give the slotted wave guide antenna a miss. I only have 10 fingers, and I'm particularly attached to them. I spoke with a friend who does metal work, and asked him if he thought I could do it... and I think he's still laughing.

Oh well...

Asterisk - VOIP for the handyman

While configuring my backup server, it occurred to me that this would be an ideal time to try working with Asterisk, the free VOIP solution available for Linux. Naturally, this entails re-doing much of what I have already done with Samba, as I chose FreeBSD as my operating system. I'll have to strip it and go with CentOS instead. Sigh.

The Asterisk site claims that Asterisk is a complete PBX in software. It runs on Linux, BSD and MacOSX and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware. However, my research has indicated that it runs best on Linux, so Linux it is.

I'll keep you posted. And this time I'll take notes.

Sunday, November 12, 2006

Slotted Waveguide Antenna for 802.11x

This looks interesting... This is a slotted waveguide antenna, which is an alternative to the double-biquad on a satellite dish I put together last month. According to Trevor Marshall's site, this is a rather good design for Wifi network reception. I wonder how hard it would be to make one of these...



Making your own portable internet

As promised, here are the details for making your own, I'll-only-pay-for-this-once "portable Internet." The goal here is simple: we are going to take a standard wireless router and use the "antenna-side" to connect to an existing wireless network as a client, and then use the "wired ports-side" on that hub to connect our machine(s) to the Internet.

This is really a trivial exercise. There are only two things you'll need:

1) A wireless base station that supports dd-wrt;
2) A copy of dd-wrt.

The first is strictly a matter of preference and budget. I went with the readily available Linksys WRT54G model. You can find them all over the place, but whatever you do, make certain that you look at the serial number prior to buying it. The newest releases are not able to run any version of dd-wrt, as Linksys (in their infinite wisdom) has somewhat crippled them by reducing the amount of flash memory they have. Ensure that you have nothing later than version 7.0 by comparing the serial number on the outside of the box against this chart on Wikipedia.

If you want to spend a bit more, but get a machine with some additional horsepower, then the kind folks at dd-wrt recommend the Buffalo Airstation WHR-HP-G54. It costs a few dollars more, but it's worth it. Not only is it more aesthetically pleasing, but it also has loads of memory, and (so I am told) a better range than the Linksys models. I didn't do this. I wish I had.

Once you have your wireless router, simply download the appropriate version of dd-wrt by going here. Installation is trivial; just follow the instructions here.

Once you have that done, this is a trivial exercise.

1) Run an ethernet cable from one of the router ports on the back of your wireless hub to the ethernet port of your pc/mac/laptop/whatever.

2) Start up a web browser on your computer.

3) Access the following URL http://192.168.1.1

4) Click on the "Status" tab. When prompted, type in the username/password to get into the admin tool (by default, these are set to root/admin. Please change them). Then click on the "Wireless" subtab.

5) Scroll down till you see "Wireless Nodes". Click on "Site Survey".

7) A window opens showing all available networks. Pick one that you can legally connect to, and click "Join". When a button allowing you to continue shows up, click it.

8) Next you are bounced to the "Basic Settings" for wireless config page. Ensure that "Client" is chosen in the drop down menu, and click "Save Settings".

You are done. Wasn't that easy? For future connects, you simply have to repeat steps 3 through 8 to pick the network you want to connect to. It only takes a few seconds. Personally, I find performing a 10 second routine is preferable to giving someone $50/month.... but that's just my opinion.

Saturday, November 11, 2006

Rogers Portable Internet

I live in a fairly rural part of Canada, and this means that we sometimes lag behind other parts of the world for the latest technical advances to become available. We were late getting digital cell phone coverage, Vonage service, and cable modems (although we did have DSL coverage long before the rest of the country for some strange reason).

However, this should not be any kind of barrier to the truly dedicated. After all, my goal is to get much of this kind of functionality for free, or at least as close to free as I can get. Besides, you will often see larger corporations doing little more than charging you a monthly fee for something you could get for free yourself.

Take Rogers in Canada, for instance. They now offer the "Portable Internet". This is a Wifi adaptor that connects to your computer, and then searches for and connects to available Wifi networks. As some readers have helpfully pointed out, Rogers portable internet is not a Wifi service at all. Mea culpa, and my apologies to Rogers. However, you can still use this post and its followup to connect to free Wifi networks if you happen to have any nearby. This is a great idea, and Rogers helpfully supplies you with coverage maps showing where the "hot spots" are throughout the country. What they neglect to tell you is that in a lot of cases the "coverage area" is not supplied by Rogers at all. In fact, all they are really doing is renting you a piece of hardware for what seems to me to be a very high price (at the time of this writing, you pay approximately $100 for the "modem" and $50/month for the service). Given the fact that all they really need to do is ship you the "modem", and someone else is providing the actual connectivity, this is a bit outrageous.

In fact, you can give yourself excellent access to available free Wifi networks in your area for a one-time fee of about $50.00. It involves purchasing the appropriate wireless router and installing dd-wrt on it.

I'm going to post detailed instructions for doing so here. I like Rogers' network, and in fact subscribe to a number of their services... but this $50/month for the right to use someone else's network strikes me as usurious.

Stay tuned...

Thursday, November 09, 2006

Antenna Update

My double biquad antenna got a real test last night. We had seriously heavy rainfall, and I am told that water absorbs radio frequency in the 2.4 GHz range (the range used by WiFi). I am pleased to report that it worked flawlessly throughout the entire storm.

Wednesday, November 08, 2006

Yes, it was the caffeine

It turns out that caffeine deprivation is not a good thing. Following copious quantities of Jamaican Blue Mountain bean, I successfully mounted Trolius (my new Samba server) on the network as a master browser. It worked, and I have no idea what I did differently. This is why I usually write things down as I do them.

The next step is to relocate this machine to a remote location, connect to the network at the office using OpenVPN, and start experimenting with rdiff-backup. Hopefully I'll have some time to do that over the weekend.

It's good to be back to coffee. I don't think I'll try giving it up again...

Tuesday, November 07, 2006

Irritations with Samba

I've been drinking less coffee lately, and that might go a long way towards explaining why I had such trouble trying to configure Samba last night. This should have been a trivial exercise, but my forehead is sore from banging it against the wall so much.

As a side note, I need to get softer walls.

The installation of Samba on FreeBSD is trivial. Just type:

cd /usr/ports/net/samba
make install clean

Wait a bit, and suddenly you have samba installed. The startup scripts are, as usual, in:

/usr/local/etc/rc.d

and the configuration files are in:

/usr/local/etc/samba

Nothing unusual there.

The next step is to modify the sample configuration file (smb.conf). I copied it (to save the original) and opened it up. Wow. There are a lot of options in there. I decided to try something simple at first, just to get it working. I had formatted the filesystem to leave a large (750 gig) partition mounted as /archive. That was where I planned to have rdiff-backup store everything. Why not make that mount as a Windows fileserver? That should be easy.

Using the existing smb.conf file as a starting point, I examined some of the sample entries. Here's the one I went with:

;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no

This seemed simple enough, so I changed it to this (removing the semicolons, which are comment markers):

[Archive]
path = /archive
public = yes
writable = yes


That looked easy enough. I made the change, entered some simple stuff at the top (server name, etc.) and started the process. Typing ps ax | grep smb showed that the process was running, so I fired up a Windows laptop, typed this in the address bar of a window:

\\trolius.local\Archive

(trolius.local being the name of the box I am working on, obviously). Lo and behold, the server mounted! Great. Well, that was easy. Just to be sure that things were working as expected, I opened the "My Network Places" icon on my desktop, and browsed the local network.

No server.

And it's still not there. And I can't figure out why. I think I'll purchase some coffee and try again. Caffeine solves so many problems...
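
The [Archive] share above combines public = yes with writable = yes, which lets unauthenticated clients write to the directory meant to hold backups. As an added example (not code from this post or from the Samba project), the sketch below parses smb.conf text, resolves the synonyms involved and flags that combination; the finding names, the hardened variant, its account name and its address range are assumptions, and the check reads the file only, not the server's effective behaviour.

```python
import re

# Constructed sample: the share definition from this post.
POST_SHARE = """\
[global]
   server string = trolius

[Archive]
   path = /archive
   public = yes
   writable = yes
"""

# Constructed hardened variant; the account name and address range are
# placeholders (assumptions), not values from the post.
HARDENED_SHARE = """\
[Archive]
   path = /archive
   guest ok = no
   read only = no
   valid users = backupuser
   hosts allow = 192.0.2.
"""

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# smb.conf synonyms, keyed with whitespace removed: name -> (canonical, inverted)
SYNONYMS = {
    "public": ("guestok", False),
    "guestok": ("guestok", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
    "readonly": ("readonly", False),
    "allowhosts": ("hostsallow", False),
    "hostsallow": ("hostsallow", False),
}


def parse_smb_conf(text):
    """Return {section: {canonical_param: value}}; later lines win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = re.sub(r"\s+", "", name.lower())  # Samba ignores case and spaces
        canonical, inverted = SYNONYMS.get(key, (key, False))
        if canonical in ("guestok", "readonly"):
            if value.lower() not in TRUE | FALSE:
                continue  # not a boolean: leave the default in place
            value = (value.lower() in TRUE) != inverted
        current[canonical] = value
    return sections


def audit_shares(text):
    """Return {share: sorted finding codes} for every non-[global] section."""
    sections = parse_smb_conf(text)
    glob = next((v for k, v in sections.items() if k.lower() == "global"), {})
    report = {}
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        # Samba defaults (guest ok = no, read only = yes), then [global], then share.
        merged = {"guestok": False, "readonly": True, **glob, **params}
        findings = []
        if merged["guestok"]:
            findings.append("guest-read" if merged["readonly"] else "guest-write")
        if not merged.get("hostsallow"):
            findings.append("no-hosts-allow")
        report[name] = sorted(findings)
    return report


if __name__ == "__main__":
    for label, conf in (("post", POST_SHARE), ("hardened", HARDENED_SHARE)):
        print(label, audit_shares(conf))
```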

Monday, November 06, 2006

Step one complete...

I took the time necessary to do a clean install of FreeBSD 6.1 on my dual processor Compaq last evening. It was, as is usually the case with FreeBSD, a very painless process.

The only thing that was a bit annoying was setting up the SMP part of the kernel. By default, FreeBSD does not use a kernel that supports multiple processors. Fortunately, this is a simple thing to do (although it did take quite a while to compile).

Tonight I hope to start experimenting with Samba, and see how much it's changed since I last gave it any consideration. I'll also install rdiff-backup, as (if things go well) I'll need it fairly soon anyway.

Saturday, November 04, 2006

"The rumours of my death...."

In my previous post I had suggested that Tiny Sofa linux was in hibernation. Apparently this is not true, as anyone with enough initiative to visit their website can see. It was updated to tinysofa classic server 2.0 Update 6 (Ceara) just last month. To be fair, I was talking about the Enterprise version of this distro, which hasn't seen a significant update since February, 2005.

Mea culpa.

Picking an Operating System

Step one in getting my "this isn't going to cost me anything 'cause we'll just use open source and existing hardware" file server up and running is, of course, picking an appropriate operating system. I've always been somewhat agnostic in this area; I run a number of FreeBSD boxen, a couple of Macs, several Linux machines, and so forth. In the BSD world, I do have a decided preference for FreeBSD. As for Linux, I used to use a distro called Tiny Sofa, but it appears to have gone into hibernation. Currently, I've been using CentOS, a repackaged version of Red Hat Enterprise Linux 4, without the subscription fee. (I did visit distrowatch.com to see what was "cool" these days, but decided that it's turned into little more than a popularity contest).

The hardware I want to work with is an elderly Compaq, with dual Pentium III processors, tons of disk space and a gig of RAM. While this might seem museum-quality gear to the uninitiated, please bear in mind that we'll be running this without the Redmond tax, and without the (massive) overhead required by Windows. In fact, we won't run any windowing system at all; everything will be set up via the command line. If we want a GUI of some sort for administration, we'll find an open source web service that fits the bill, and run it from there.

Anyway, back to the process of choosing an operating system. A primary consideration, of course, is maintenance. I don't want to even think about this machine once it is up and running. Thus, updates should be painless. Well, CentOS has a pretty simple to use update manager (typing "yum update" and hitting the "y" a couple of times is pretty easy). But it's very hard to beat the ports system in FreeBSD.

After a bit of research into hardware compatibility, reliability, etc., I could not come up with a compelling reason to go with one operating system over the other. What it finally came down to was this: I found the FreeBSD install CD before I located my CentOS disks.

FreeBSD it is!

Friday, November 03, 2006

Replacing a Windows Fileserver

We have been using an elderly Pentium II with an ancient install of Windows NT Server as our primary backup and file server for quite some time now. I was considering simply retiring the box, and replacing it with a newer machine with Windows Server 2003 (some variation thereof), when it occurred to me that reading about the open source alternative, Samba, has been on my to do list for quite some time.

Why make Microsoft any richer, when there is a free alternative out there?

This would also give me a chance to try out rdiff-backup, a rather nifty open source back up solution with point-in-time recovery (i.e. restore this file/directory/whatever to the condition it was last Tuesday at 11:23 AM). That would be very, very helpful in my line of work.

The Goal: use existing hardware and free software to create a fully functional Windows compatible file server and turf the elderly NT server solution. At the same time, design and implement a set-and-forget, point-in-time recovery capable backup strategy that will regularly poll live servers and our internal network and back everything up.

I'm going to start reading now. I'll keep you posted.

Monday, October 23, 2006

Success!

This past weekend I finally found the time to assemble everything and give the dish/double biquad antenna a try, and it worked surprisingly well.

Here's how it went: first, I downloaded a copy of dd-wrt from http://www.dd-wrt.com, and used it to replace the built in OS on my Linksys WRT54G wireless router. It turned out to be a simple enough process, and took less than 30 minutes. By the way, it's amazing the additional functionality this replacement router OS offers -- even if you are not interested in building your own antenna, you should give this a look. It's a serious improvement.

Next, I removed one of the antennas from the router, and connected the router directly to the double biquad using a pigtail cable. I was preparing to hook the double biquad to a dish when I noticed that the router was already reporting more than a dozen available access points -- even without the dish!

This was phenomenal.

I browsed through the available access points to discover that the free wireless network I wanted to connect to was already showing up as available -- and this from inside my house, at my kitchen table. I clicked on "Join" from within the dd-wrt admin tool, and lo and behold, I was suddenly connected to the internet. Admittedly, this was only a 1 meg connection, but I figured that would improve when I mounted the antenna to the dish, and put the dish on the roof. I made a note of the MAC address of the machine I had connected to so I could figure out just how far away the access point was.

Next, I mounted the double biquad onto the satellite dish. I decided to try the StarChoice dish first, as it was the largest, and I figured it would collect the strongest signal. Mounting was simple enough. I simply tore apart the LNB and then used a power drill and a wood screw to mount it to the plastic housing. That was simple. After I finished, it occurred to me that I should probably have taken into account the fact that I live in Canada, and we don't have the mildest of winters. So, it was off to the dollar store to see if I could find a microwave safe, watertight plastic container to cover the antenna. This turned out to be simple as well. Armed with a Xacto knife and a tube of silicone sealant, I proceeded to mount the assembly a second time, this time in a waterproof container.

An hour later I was up on the roof, and trying to point the dish where I knew there to be an access point or two.

It took some experimentation, but I managed to get a stable, relatively fast 4 meg connection to the wireless network in town.

Ah, the sweet smell of success.... and money saved.

Wednesday, October 04, 2006

Making the double biquad

I had some time last night, so I decided to make the actual double biquad part of the antenna. As I said in a recent posting, I used the ground wire from standard household electrical wiring. I used a permanent marker (the kind used to write on recordable CDs) to mark out the location of the various bends. According to what I found online, each side of the "diamonds" should be as close to 30.5mm as possible.

At first, I tried using two pairs of pliers to make the bends as sharp as possible, but that didn't work very well. I then switched to using a vise:




That worked much better. After a bit, I had something like this:


It took some effort, but I had it completed in about a half an hour. Now, I needed something to attach it to. I took the bit of 3/4" copper piping I got for free from a local hardware store and soldered it to my copper reflector plate. I also used a dremel tool to remove a few millimetres from one edge, so that the antenna would not touch it when it came up from the pipe. The result looked like this. Note the excess solder. I don't do this sort of thing often enough.


I then soldered a center post to the n-connector (which protruded through the center of the pipe), and tried to solder it to the finished double biquad. What a serious pain that turned out to be. After some thought, it occurred to me that I probably should have made the center post of the biquad part of the double biquad itself -- i.e., why snip it off when I could have simply bent it 90 degrees straight down. Also, I snipped the two ends that should have been soldered to the pipe a bit short, and soldering them to the copper piping turned out to be rather problematic.

I plan on trying this again. This time, I'll make the center post and the double biquad out of a single piece of copper, and leave the two "tails" that have to be connected to the pipe a bit longer than they need to be. I'll use the dremel to create two small grooves in the top of the pipe, lay the two tail ends in those grooves, and put a drop of solder on each. That should make things simpler.

Sunday, October 01, 2006

Biquad Wifi - making progress

I've come much closer to getting the antenna ready for trial. First, I've acquired a dish. This set me back the staggering sum of $10.00 + shipping from eBay. Just to be safe, I picked up one for nothing from a yard sale, just moments before it closed, as well. The first (pictured below) is a Dish Network model; the second is an elliptical model. I'll try both, and go with the one that has the stronger signal.

Next, I picked up some 15mm tall 3/4" copper piping from a local hardware store. They actually didn't even charge me for these, which I thought was very kind of them.

I picked up a few feet of standard household wiring out of the mess in my "don't throw this stuff away 'cause you might need it someday" box in my basement. I used my trusty pocket knife to open this up and extract the ground wire. That way, I don't have to strip the insulation off of the wire.


Friday, September 29, 2006

Easy Certs

FYI, I stumbled on a nifty (and free) utility to generate the certificates you need to use with OpenVPN.

You can find it here:

http://openvpn.se/mycert/

OpenVPN client configuration

Configuring OpenVPN for client use turned out to be rather simple. We installed the OpenVPN GUI found at http://openvpn.se, and then went to the configuration files stored in this location:

c:\program files\openvpn\config

First, we copied the files we generated on the server to this folder. Since I was installing on a laptop, I named my key files "laptop.key" and "laptop.crt". I placed copies of those files in this folder. I also needed the "ca.crt" file from the server stored in this location. All three files were copied over using a USB thumb drive, so there is no risk of them getting into the wrong hands.

My configuration file looked like this:

client
remote 205.174.168.29 1194

dev tun
# proto udp
comp-lzo
ca ca.crt
cert laptop.crt
key laptop.key

verb 3


I then double clicked on the OpenVPN icon in the system tray, and lo and behold, I was connected to the local network at work!

After a bit though, it started randomly dropping the connection and then reconnecting. This was annoying, so I did a bit more digging.

By adding these lines to the config, the connection became much more stable:

persist-key
persist-tun

Thursday, September 28, 2006

OpenVPN Server configuration

As promised, here are some more details about how I configured my OpenVPN server. The machine in question is running a recent build of FreeBSD, with ports installed. If you haven't used FreeBSD, you might want to consider it. It's a very easy to use, stable system (although if you've ever tried to run a serious Java application on it, you'll quickly become frustrated. FreeBSD + threads = headache, IMHO).

Installing OpenVPN on FreeBSD is as simple as this:

admin@max>cd /usr/ports/security/openvpn
admin@max>make install clean


And that's it. After a few minutes, I had a nice, clean installation of OpenVPN. Now to configure it.

In the FreeBSD world, configuration files are stored in /usr/local/etc/openvpn. So, I went there, and followed the instructions found here: http://openvpn.net/howto.html#config (Please note that the docs indicate helpful scripts for setting up keys etc. are in /usr/share/doc/openvpn, but in the BSD world they seem to be in /usr/local/share/doc/openvpn).

The only hiccup I ran into was that the docs give examples using the bash shell, and I tend to stick to tcsh. Not a big deal. I just ran these commands:

admin@max>pkg_add -r bash
admin@max>rehash
admin@max>exec bash

and I was in bash, where things all worked as the docs indicated. Simple enough.

Once I had all my certs set up, my final openvpn.conf file looked something like this:

[tcs@max] /usr/local/etc/openvpn> cat openvpn.conf
# Specify device
dev tun
proto udp

# Server and client IP and Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh1024.pem

# Routes to push to the client
push "route 10.10.132.0 255.255.255.0"

# route all traffic through vpn
push "redirect-gateway def1"

# Use compression on the VPN link
comp-lzo

push "dhcp-option DNS 10.10.132.123"

# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon


Finally, since I wanted to use my server as a gateway to my internal LAN, I had to change my pf.conf file (the firewall configuration). The relevant line looks like this:

# nat for vpn
nat on $int_if from $vpn_net to any -> ($int_if)


where $int_if is the interface device connected to the internal network, and $vpn_net is the subnet I've assigned to the VPN (10.8.0.0/24).

More on this, and on client configuration, when I have a bit more time.

Update: Part three is here.

The Adventure Begins

So I've started getting together the things I'll need to build my biquad wifi antenna. After some scrounging and a few trips to the web, I have acquired the first two bits of equipment I need to start: copper, and an n-connector. They're not much to look at yet, but here they are:

The copper was free -- scrap donated from a local sheet metal shop, and bent into shape very carefully using a couple of bits of lumber. It was fairly trivial.

The n-connector set me back slightly under six dollars. Next, I'll see if I can scrounge some copper wiring somewhere, and bend it into the appropriate shape.

Monday, September 25, 2006

Free Wifi Internet for around $20

The city I live near has free WiFi Internet, with very good coverage inside the city limits. Unfortunately, I'm some 15 miles outside those limits, and thus forced to pay for either DSL or cablemodem service. This just doesn't seem right to me. Free Wifi access a scant 15 miles away? There has to be some way to connect.

So, it's off to Google, and lo and behold, I discover this: How to build a biquad wifi antenna, over at Engadget. Given some copper, about $20 worth of gear, and a used satellite dish, you can vastly extend the range of a wifi network.

A bit more reading over here, at Martybugs, suggests that the actual antenna portion can get a higher gain with a few modifications to the design given at Engadget. Checking out Martybugs' sources leads me here, to Trevor Marshall's information. This gives even more detailed information. Hey -- I have a soldering iron and a highly developed sense of adventure, so why not?

I think I'll give it a go. I'll keep you posted.

Sunday, September 24, 2006

Virtual Private Networking for Everyone - OpenVPN

I own a small tech firm on the East coast, and have long wanted a safe, secure method of connecting from my residence (about 15 miles outside of the city) to the LAN at the office. My network at the office is mixed, consisting of Windows XP machines, various Macs, and both Linux and FreeBSD servers. At home we have a single XP machine, and several Mac notebooks (iBooks and Intel-based MacBooks).

Naturally, the best solution for connecting between the two locations would be a Virtual Private Network of some sort. Given the fact that I am notoriously cheap, I decided to search around and see if I could come up with some sort of open source solution... and it took me all of fifteen minutes with my favourite search engine to come up with a viable alternative: OpenVPN. It took me a bit longer to get everything working as well as I wanted to, but not all that long. Read on if you'd like to see how I did it.


Why use a VPN?
There are any number of reasons why you might want to have a VPN in place. For example, with a properly set up VPN, you can access resources at one location from the other. So if I want to print something at the office from home, I can do that. Similarly, if I need to recover a file from offsite back up (read: the backup server I keep in my basement) I can do that without having to drive all the way home.

Of course, there are the more obvious things a VPN will give you. If you use a wireless home router that's more than a year or two old, chances are it uses one of the more archaic forms of encryption, like WEP. The problem with these encryption methods is that they don't actually protect your data; anyone with the inclination could park outside your house, apartment building, whatever, and "sniff" your network traffic. Encrypting all traffic between your web browser and some secure gateway will take the wind out of some potential hacker's sails. Remember, just because you're paranoid doesn't mean they're not out to get you....

Or, if you're so paranoid you don't even trust your ISP, you can use a VPN between your home computer and a secure gateway you control somewhere else (like your office) and encrypt all the traffic that exists on your ISP's network. It won't get decrypted until it hits your gateway machine. Of course, assuming you are a relatively law abiding citizen, this might be going a bit far (unless you are partial to tinfoil hats, that is).


Why OpenVPN?
OpenVPN is free, cross platform, and relatively easy to install and maintain. It also uses a very secure encryption algorithm -- 128 bit Secure Sockets Layer (SSL) or the same level of encryption you probably use when you access your banking information online. I figure if it's good enough for the major North American financial institutions, it's probably sufficient for my purposes.


Installing OpenVPN
We decided to install OpenVPN on a FreeBSD box, using ports. It was trivial. We'll post a detailed howto here in a week or so. But if you have access to a FreeBSD box, ports is the way to go. Trust me.


Installing OpenVPN clients
Reading the documentation found on OpenVPN's web site suggests that this is a daunting task. It probably is, if you elect to go their route. We decided to stand on the shoulders of those who have gone before, and use some simple solutions where the heavy lifting is done for us.

For the Windows clients, we went with OpenVPN GUI (http://openvpn.se). Installing it took about 30 seconds, and configuring it took a bit longer (but not much).

For the Macintosh clients, we went with Tunnelblick (http://www.tunnelblick.net). Granted, it has a rather silly name, but it works very, very well, and didn't give us any problems on either the G4 based Macs, or the Intel based machines.

Stay tuned for the technical details of how we made this all work...

Update: Part two is here.