An Open Access Peon

09 September 2008

Automounting a CIFS share in Ubuntu

autofs is a tool that mounts and unmounts devices on demand. To use autofs to mount CIFS shares (Windows/Samba) in Ubuntu, do the following:

$ sudo apt-get install autofs smbfs smbclient


Then edit /etc/auto.master and uncomment the smb line:

#
# $Id: auto.master,v 1.4 2005/01/04 14:36:54 raven Exp $
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#/misc /etc/auto.misc --timeout=60
/smb /etc/auto.smb
#/misc /etc/auto.misc
#/net /etc/auto.net


Restart autofs:

$ sudo /etc/init.d/autofs restart


You can now view and mount CIFS shares by changing to the directory /smb/HOSTNAME/SHARENAME e.g. to mount and change directory to "photos" on "bart":

$ cd /smb/bart/photos


You can even list the shares on "bart" by doing:

$ ls /smb/bart/


What the default scripts don't provide is the ability to have per-connection mount options. In particular, I wanted to mount some hosts read-only and using UTF-8. I modified the /etc/auto.smb script as follows:

...

# This file must be executable to work! chmod 755!

key="$1"
mountopts="-fstype=cifs"
smbopts=""
credfile="/etc/auto.smb.$key"
optsfile="/etc/auto.smb.$key.opts"

if [ -e "$optsfile" ]; then
    . "$optsfile"
fi

...


I then created a connection-specific file /etc/auto.smb.bart.opts containing:

mountopts="$mountopts,ro,iocharset=utf8"


Now any mounts on "bart" will be set read only and use the UTF-8 character set.
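As an added example (not the post's script or Ubuntu's own /etc/auto.smb), a complete executable map in the same style: it sources the per-host opts file exactly as above, but first checks that the file is a regular file owned by the invoking user and not group/world writable, since automount executes the map, and therefore anything sourced from it, as root. $AUTO_SMB_DIR and SHARES are assumed stand-ins for /etc and the smbclient share listing so the script runs offline.

```shell
#!/bin/sh
# Added example, not the page's or Ubuntu's own /etc/auto.smb: an executable
# autofs map that applies per-host options from an opts file, as the post does,
# but only sources the file when it is safe to execute as root. Assumed: opts
# files live in $AUTO_SMB_DIR (default /etc); SHARES replaces "smbclient -L".

AUTO_SMB_DIR="${AUTO_SMB_DIR:-/etc}"

# automount runs this script as root and "." executes the file's contents, so
# require a regular file owned by the invoking user, not group/world writable.
opts_file_is_safe() {
    f="$1"
    [ -O "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -*) ;;                 # regular file
        *) return 1 ;;         # symlink, directory, ...
    esac
    # column 6 is the group write bit, column 9 the other write bit
    [ "$(printf '%s' "$mode" | cut -c6)" = "-" ] &&
    [ "$(printf '%s' "$mode" | cut -c9)" = "-" ]
}

# Print the autofs multi-mount entry for host "$1" (the map key).
build_map_entry() {
    key="$1"
    mountopts="-fstype=cifs"
    credfile="$AUTO_SMB_DIR/auto.smb.$key"
    optsfile="$AUTO_SMB_DIR/auto.smb.$key.opts"
    [ -e "$credfile" ] && mountopts="$mountopts,credentials=$credfile"

    if [ -e "$optsfile" ]; then
        if opts_file_is_safe "$optsfile"; then
            . "$optsfile"      # may change $mountopts, e.g. append ,ro,iocharset=utf8
        else
            echo "auto.smb: ignoring unsafe $optsfile" >&2
        fi
    fi

    # options first, then one "/share ://host/share" pair per share
    out="$mountopts"
    for share in $SHARES; do
        out="$out /$share ://$key/$share"
    done
    printf '%s\n' "$out"
}

if [ $# -ge 1 ]; then
    build_map_entry "$1"
fi
```

Run it as `sh auto.smb bart` with SHARES="photos music" exported to see the map line automount would receive.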

04 September 2008

DG834/DG834G to OpenSwan VPN

The Netgear DG834 ADSL routers support IPSEC-based Virtual Private Networks (VPN). The DG834 uses the open-source Openswan software (http://www.openswan.org/). This blog provides the configuration details for how I connected an intranet LAN behind a DG834 to an Ubuntu-based Linux server in another LAN via the Internet.

Here's my setup:

NAS - [192.168.0.1] DG834G [starsky] - {inet}

{inet} - [hutch] ADSL ROUTER [192.168.1.1] - Backup

Where:
  • The NAS is a Western Digital network drive.
  • The Backup is a normal PC running Ubuntu with a RAID 5 SATA storage.
  • Both ADSL connections have static IPs.
  • starsky's public IP is 10.1.1.1
  • hutch's public IP is 10.2.2.2
  • Backup is set as the DMZ server in ADSL ROUTER.
The goal was to copy data from the NAS to the Backup and to provide Windows share access to the Backup from the 192.168.0.0/24 subnet.

The DG834G is running firmware version V2.10.22. I used the VPN Wizard to set up the VPN endpoint initially and then revised it in the VPN policy editor. The Policy Name can be anything (e.g. "Bob"). As I want this connection to be up all the time, I enabled "IKE Keep Alive" and set the connection to "Initiator and Responder". The Address Data is the host name of ADSL ROUTER (hutch). The Pre-shared Key should be something difficult to guess.

On Backup I installed Openswan and followed the defaults during installation:

$ sudo apt-get install openswan

I added to /etc/ipsec.conf:


conn Bob
    type=tunnel
    leftid=10.2.2.2 # hutch
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=10.1.1.1 # starsky
    rightsubnet=192.168.0.0/24
    keyexchange=ike
    auto=start
    auth=esp
    authby=secret
    pfs=no
    rekey=no
    ike=3des-sha1-modp1024
    esp=3des-sha1


And to /etc/ipsec.secrets (where the pre-shared key is the same one you entered into the DG834):

# secrets for "Bob"
# hutch    starsky
10.2.2.2 10.1.1.1: PSK "pre-shared key"


I then restarted Openswan:

$ sudo /etc/init.d/ipsec restart

Once the VPN has established (look in /var/log/auth.log) I can access Backup by browsing to its IP address: //192.168.1.100/SHARENAME.

I'm not sure with the above configuration you can access the 192.168.1 subnet from the 192.168.0 subnet. Answers on a postcard ...


ADSL ROUTER is actually a DG834Gv4, but the firmware seems to be buggy. In the default firmware it won't allow Windows shares to be accessed across it and in the latest firmware (V5.01.09) the VPN connection is unreliable and won't re-establish unless the router is rebooted.

The above "works for me", but I'm by no means an IPSEC or Openswan expert so welcome any feedback/corrections.