How to configure WRT54G within VPN

Hi,
In my area we usually get internet through a Cat5 cable (uplink) that goes directly into the computer's LAN port, without using a modem. Our so-called ISP has made a network out of a single internet connection and supplies it by providing individual uplinks via a switch to others. In order to connect to the internet we have to run a small piece of software (or dialler) that authenticates a unique user name and password and ensures that only one computer is connected at one time. Once connected, the internet stays live unless we disconnect it. The connection detail as it appears in the status tab is as follows:
Device name   WAN Miniport (PPTP)
Device type     VPN
Server type     PPP
Transports       TCP/IP
Authentication  MS CHAP V2
Compression   MPPC
PPP Multilink framing   Off
Server IP address       125.xxx.xxx.x
Client  IP address       125.xxx.xxx.xx
Local Lan connection status says:
IP address          10.xxx.xx.xxx
Subnet mask       255.xxx.xxx.x
Default gateway  10.xxx.x.x
I need to connect another desktop (one at a time, which is permitted) wirelessly to the internet. The idea is not to cheat but to set up an arrangement where one can access the internet whenever it is available or not in use by the other computer. I am using a Linksys WRT54G v.4 router and a WUSB54G wireless adapter.
So far I am able to establish good communication between the router and adapter but no internet connection. I have checked there is no MAC filtering; direct connection works perfectly with other computers.
My OS is XP Pro, on a Pentium 4 2.40G processor, with 512 MB RAM.
Any help will be highly appreciated. Thanks in advance.
Hiway

john1232 wrote: Your wired computer is able to go online... make sure that it is not connected using the broadband connection... go to Start ==> Control Panel ==> Network Connections... you will see the broadband connection... if it is connected using the broadband connection then disconnect it... right-click on the broadband connection and choose the option Cancel as Default Connection, then set up your router
Thanks John1232. I already disabled wired connection before configuring wireless. I am unable to access internet either wired or wireless when connected through router.

Similar Messages

  • How to configure Multiple PPTP VPN Clients on cisco 3g supported Router

    I want the router to be a PPTP VPN client to 2 independent PPTP servers; both are in different cities, on Cisco routers. I have tested with one on a Cisco 1841 and it's working fine; but when I add the 2nd, it's using vpdn-group 1 and therefore connecting to the wrong PPTP server:
    here is the config for the one that works:
    vpdn-group 1
    request-dialin
    protocol pptp
    rotary-group 0
    initiate-to ip xxx.xxx.xxx.xxx
    interface Dialer0
    mtu 1450
    ip address negotiated
    ip pim dense-mode
    ip nat outside
    ip virtual-reassembly
    zone-member security private
    encapsulation ppp
    ip igmp query-interval 125
    dialer in-band
    dialer idle-timeout 0
    dialer string 123
    dialer vpdn
    dialer-group 1
    no peer neighbor-route
    no cdp enable
    ppp pfc local request
    ppp pfc remote apply
    ppp encrypt mppe auto
    ppp authentication ms-chap-v2 ms-chap eap chap pap callin
    ppp eap refuse
    ppp chap hostname xxx@xxx
    ppp chap password 7 xxxpassword
    But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, it's still attempting to connect to the IP in vpdn-group 1. How do I get it to use the 2nd vpdn-group, or how do I make this work? And which Cisco 3G router do you prefer, because these are remote sites and only 3G Internet service is available?

  • How to configure wrt54g router as an access point when connected to a 3Com switch

     I'm trying to use my Linksys router as an access point to keep from having to make more network drops. I can't figure out which IP address/gateway to use on my router to get it to communicate with my switch. The 3Com switch address is 10.1.10.250, gateway is 10.1.10.1, netmask is 255,255,255,0. The Linksys router has been reset to defaults.
    I know that it can be done but I'm having the hardest time making it work.

    For the DD-WRT firmware, you can try this link.
    For the price of your Access Point you can try this link.

  • How to configure routing on site to site VPN(RV215W)

    Hi all
    I have set up a VPN between a RV215W and SRP521 (site to site)
    The VPN is up and connection is established on both side.
    However I cannot connect from one network to another (No ping, no connection)
    When I checked the configuration, I noticed that the route table on the RV215W does not show any ipsec interface nor the route to the remote network.
    Any hint how to configure this route over the VPN? Should I do it manually or is it a parameter to be set automatically?
    On the SRP215 the routing is as follows:
    Destination LAN IP   Subnet Mask      Gateway        Interface
    192.168.100.0        255.255.255.0                   VLAN100
    192.168.15.0         255.255.255.0                   VLAN1
    192.168.25.0         255.255.255.0    141.48.36.1    ipsec0
    41.0.0.0             255.0.0.0                       WAN1
    41.0.0.0             255.0.0.0                       ipsec0
    0.0.0.0              0.0.0.0          141.48.36.1    WAN1
    On the  SRP only local and WAN are displayed

    Hi,
    Don't worry about your English - it is good. I am not a native English speaker, either.
    You are correct - Cisco's IS-IS has no internal support for optional metrics. The only metric value that is going to be used in best path selection is the default metric. Regarding considerations about metrics in IS-IS, the only consideration I find important is that all new IS-IS deployments should use wide metrics. These can be activated using the metric-style wide in the router isis configuration. Wide metrics allow you to use a significantly wider metric range than the original IS-IS standard: 24 bits for interface metric, and 32 bits for total path metric. It is important to say that all L1 routers within an area, or all L2 routers in the domain must use the same metric type, either the classic (also called narrow) or the new wide metrics.
    Apart from that, there are no special considerations I am aware of. The choice of metric values for a particular interface is completely up to you. Of course you might want to configure lower metrics for faster interfaces (and vice versa), but what values you choose is up to you.
    Best regards,
    Peter

  • How do I configure WRT54G as a wireless access point?

    After a whole series of problems related to Vista, a WAP54G, Airport Express, wireless printers, etc. plus at least three hours on the phone with Linksys tech support accessing my computer remotely and still not fixing the problems, I dumped my WRT54GC for a Belkin-N router. I set it up over the weekend and slowly regained internet access, then the printer, then the Airports.
    I still would like to have an access point because my signal strength even with the new N router is too weak downstairs to allow my PS3 to connect to it. I cannot figure out how to configure the WAP54G to make it work. I want to take a shot with the WRT54GC. From what I've read, I should be able to do it.
    I can get into the router (referring to the Linksys) no problem. I can reconfigure it to an extent, changing the IP address to the recommended 192.168.1.2. I do this by running an ethernet cable from my PC to the router. However, after changing the IP address in the router I can't get into it any more using the new IP address. When I attach the Linksys router to the Belkin I can't get in either.
    Both the Linksys and the Belkin use 192.168.1.1 as the default IP address for each device.
    I would like to know what settings I need to change in the WRT54G to turn it into an access point -- an extension of my existing network with the Belkin router attached to the Comcast modem. I have looked at various how-to's and they all seem to assume I am connecting the two routers with an ethernet cable. If it's not clear at this point, I'd like to connect them wirelessly.
    Thanks.

    Thanks so much for the reply.
    I was working with it all last night and something strange happened. After reading some other info on the internets, I changed the IP address on the WRT to 192.168.2.1. It updated, I then ran the wire from the Belkin to the WRT, I typed in 192.168.2.1, it took me to the Linksys setup page, but when I clicked "wireless" in the WRT setup, it took me to the Belkin setup page. How in the world did that happen?
    Armed with this new info, I did a hard reset on the WRT -- assuming it would change the WRT back to 192.168.1.1 -- got into the setup, turned off DHCP, left the IP as .1.1, and then wired it again into the Belkin. I can now get into the setup of either one.
    Here's the thing: I don't want the two routers wired together. I want to move the WRT downstairs so a PS3 can pick up the signal. I want the WRT to wirelessly relay that signal to the Belkin to get the PS3 onto the net. I can't run a wire from the Belkin to the WRT.
    I've read conflicting reports about whether the WRT can do this. Other sites suggest adding 3rd party firmware to add that functionality but that will definitely push the bounds of my abilities and likely exceed them. So, can the WRT even function in this way?
    In re the WAP, I don't know why but my ability to access the setup menu via 192.168.1.245 is very hit or miss -- much more miss than hit. It makes no sense unless there is a bad connection somewhere because I hard reset, wire it to my laptop, put in the IP, and time out 19 times out of 20. I've got the MAC address for the router, and I think I know I want it to function as a repeater, but I've not been able to get that working right either.
    Thanks for any further reply.

  • Connecting two WRT54G wireless routers - how to configure

    Hi All,
    I have two WRT54G wireless routers. One is currently providing wireless access for several users at a local law firm. I need to connect a second wireless router for a user who works for another company in the same office. The second wireless router is basically going to be used for Internet access. The Office Manager at the law office does not want the user from the other company using their wireless router directly, BUT they will allow me to hook up the second wireless router for Internet access. I realize this doesn't really make sense in terms of security, but this is the scenario I must abide by. So I am wondering how to configure the second router. I am thinking that I connect a CAT5 from one port on the first router to the Internet port on the second router. I am also guessing that I need to assign the second router a static IP with a different subnet such as 192.168.2.1. I am not sure if the first router still has the default 192.168.1.1. If the first router does use 192.168.1.1 would I need to change the IP on the second one to one on another subnet? Thanks.

    You will need a setup like this:
    Modem  ---  new WRT54G  ----  existing WRT54G
                     192.168.2.1              192.168.1.1    ( "Local IP address" )
    Modem connects to Internet port of new WRT54G.
    LAN port of new WRT54G connects to Internet port on existing WRT54G.
    SSID:  different on each router  (do not use "linksys" )
    SSID broadcast:  enabled on both routers
    encryption:  recommend WPA2, or at least WPA  (can be same or different on the two routers).
    passwords:   different on each router.
    channel:  try to stay at least 5 channels apart.  Usually channel 1, 6, and 11 work best, but any two different channels can be used.
    Any "port forwarding" used by existing WRT54G must also be done on new WRT54G.
    Both routers need a real login password (not "admin" )
    New WRT54G will need "Internet connection type" set to whatever is currently on existing WRT54G.  Internet connection type for existing WRT54G will need to be set to DHCP.
    Message Edited by toomanydonuts on 01-15-2008 01:54 AM

  • [SOLVED]How to configure pptp vpn start on boot with netcfg?

    I've configured 2 profiles:
    eth0 and ppp0, where ppp0 is a pptp vpn tunnel.
    $ ls /etc/network.d/
    eth0  examples  interfaces  ppp0
    $ cat /etc/network.d/ppp0
    CONNECTION='ppp'
    INTERFACE='ppp0'
    PEER='dxt'
    PPP_TIMEOUT=10
    $ cat /etc/conf.d/netcfg
    # Enable these netcfg profiles at boot time.
    #   - prefix an entry with a '@' to background its startup
    #   - set to 'last' to restore the profiles running at the last shutdown
    #   - set to 'menu' to present a menu (requires the dialog package)
    # Network profiles are found in /etc/network.d
    NETWORKS=(eth0 ppp0)
    # Specify the name of your wired interface for net-auto-wired
    WIRED_INTERFACE="eth0"
    # Specify the name of your wireless interface for net-auto-wireless
    WIRELESS_INTERFACE="wlan0"
    Manually, I can start up ppp0 correctly.
    $ sudo netcfg -u ppp0
    :: ppp0 up                                                                                                                                                                 [ BUSY ] Using interface ppp0
    Connect: ppp0 <--> /dev/pts/3
    CHAP authentication succeeded
    MPPE 128-bit stateless compression enabled
    Cannot determine ethernet address for proxy ARP
    local  IP address 10.100.3.132
    remote IP address 10.100.3.1
                                                                                                                                                                               [ DONE ]
    $ ip addr list dev ppp0
    8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1496 qdisc pfifo_fast state UNKNOWN qlen 3
        link/ppp
        inet 10.100.3.132 peer 10.100.3.1/32 scope global ppp0
    But after booting, only eth0 is up. How to configure ppp0 to start on boot with netcfg?
    Last edited by rchiang (2012-12-21 01:09:32)

    Thanks a lot for your instruction.
    netcfg works now!
    chris_l wrote:
    Did you
    systemctl enable [email protected]

  • How to configure router to use ip pool on the aaa server for vpn clients

    How do I configure a router to use an IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router that points it to the pool created on the AAA server. Can someone help me with this command?
    sebastan

    Hello Sebastan,
    what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
    Regards,
    GNT

  • I need to know how to configure wi-fi and VPN on m...

    I need to know how to configure wi-fi and VPN on my E61i.
    Every time I search for any available WLAN, I find one (in my company), and when I start browsing, it gives me (WLAN not found).
    What should I do?

    iOS: Connecting to the Internet

  • ASA 5505 8.4. How to configure the switch to the backup channel to the primary with a delay (ex., 5 min) using the SLA?

    I have ASA 5505 8.4.  How to configure the switch to the backup channel to the primary with a delay (for example 5 min.) using the SLA monitor?
    Or as something else to implement it?
    My configuration for SLA monitor:
    sla monitor 123
     type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
     num-packets 3
     timeout 3000
     frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability

    Hey cadet alain,
    thank you for your answer :-)
    I have deleted all such attempts that were not working, so a packet-trace will not be very useful content...
    Here is the log line when I try to browse port 80 from outside (80.xxx.xxx.180:80) without VPN connection:
    3  Nov 21 2011  18:29:56  77.xxx.xxx.99  59068  80.xxx.xxx.180  80  TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
    The attached file is only the show running-config.
    Now I can with my AnyConnect clients, too, but after the connection is up, my VPN clients can't surf the web any longer because AnyConnect serves as default route on 0.0.0.0 ... that's bad, too.
    Actually the AnyConnect and NAT/ACL problems are my last two open problems until I set up the second ASA on the right ;-)
    Regards.
    Chris

  • Don't know which technology to utilize or how to configure ASA5505

    I have an ASA5505.  Currently, it is using static NAT on several ports to forward traffic to several devices inside my network.  It is a pain not only to configure but from the end user side.
    The issue I am having is the applications I am using to access the devices become a mess with dual configurations, one for when I am connected to the internal network and one for when I am away from the office and accessing from the internet.  For example, I have 2 Cisco VC240 IP Cameras behind the ASA5505.  One is set to use port 9091 and the other 9092.  When I am inside the office, I access them via http://10.1.2.215:9091 and http://10.1.2.216:9092.  But when I am away from the office, I have to have another configuration in an Android app to use them, http://external_ASA_IP:9091 and 9092 and then NAT 9091 to the object for Camera1 and 9092 for Camera2.  This is only one scenario.  I also have a UC320W that I would like to put an IP phone at home and it sounds like AnyConnect is the only way to do this.
    It sounds like to me that if I use some type of VPN, I can access the same devices using the same IP whether internal or external with the external connection using the VPN to tunnel the IP to the local network.  There seems to be quite a few ways to do this with an ASA 5505.
    AnyConnect seems like the way to go but after reading Cisco documentation, it requires your Android device to be root'd if it is not a particular Samsung model.  If I understand correctly, root'ing your phone voids the warranty.  I know it is common practice but would think Cisco would have a better solution as I am sure Cisco would not want another manufacturer telling their customers to void the warranty on their Cisco equipment in order to get it to work.
    I believe I can just use IPSEC and use the native VPN of the Android OS and also tunnel L2TP as the Android supports IPSEC-PSK/L2TP or IPSEC-CRT/L2TP.  But will either of these will support the IP phone to the UC320W?
    A friend also told me to use NginX to proxy URL's so the URL http://www.fqdn.com/camera1 gets proxy'd to the internal IP of Camera1 and http://www.fqdn.com/camera2 gets proxy'd to Camera2.  He says I should be able to store a cookie on the phone and let the phone authenticate to the camera and if the phone cannot, the proxy can authenticate internally to the IP camera over SSL.
    I don't know anymore, I am so confused and just want to simplify my life as I am just a small business with me and a couple other employees but I have full-time job and it is not IT/Network Technician, it is only CTO/CEO/CIO/CFO.  I don't have hours upon hours to set this up and test and I don't have hours upon hours to manage it.  I just need to simplify this and have so that it is a set-it-and-forget-it for 6 months to 1 year and re-evaluate or update.  So, if someone suggests IPSEC, I would not know how to configure anyway and you should expect another post.  The same for AnyConnect or any of the other suggestions.
    Thanks in advance for any advice.

    Hi!
    1. Set Calculation Mode property of ITEM_5 to Formula.
    Formula property:
    nvl(:Block_Name.ITEM_1, 0) + nvl(:Block_Name.ITEM_2, 0) + nvl(:Block_Name.ITEM_3, 0) + nvl(:Block_Name.ITEM_4, 0)
    OR
    Function_Name(Param_1,... Param_N);
    Keep in mind that the ITEM_5 data will not be saved in the database.
    2. The When-Validate-Item trigger is useful when it is necessary to store calculated item data in the database.
    Rename your Post-Query trigger to When-Validate-Item.
    Modify trigger: Store calculation result in the variable.
    (Don't forget to round variable value!)
    Then compare it with ITEM_5. If they are different - :ITEM_5 := var_name.
    I prefer the first method.

  • How to configure sso with SSL step by step

    Purpose
    In this document, you can learn how to configure SSO with SSL. After a user has a certificate installed in the browser, he can log in without entering a username and password.
    Overview
    In this document we will demonstrate:
    1.     How to configure OHS to support SSL
    2.     How to Register SSO with SSL
    3.     Configure SSO for certificates
    Prerequisites
    Before starting this document, you should have:
    1.     Oracle AS 10g infrastructure installed (10.1.2)
    2.     OCA installed
    Note:
    1.     When you install Oracle infrastructure, please make sure you have selected OCA.
    2.     How Certificate-Enabled Authentication Works:
    a.     The user tries to access a partner application.
    b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
    c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
    Enable SSL on the Single Sign-On Middle Tier
    The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
    ·     You must configure SSL on the computer where the single sign-on middle tier is running.
    ·     You are configuring one-way SSL.
    ·     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
    1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
    2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
    <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
    <category id="start-parameters">
    <data id="start-mode" value="ssl-enabled"/>
    </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
    </ias-component>
    3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    4.     Reload the modified opmn configuration file:
    ORACLE_HOME/opmn/bin/opmnctl reload
    5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
    6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
    Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
    <VirtualHost ssl_host:port>
    RewriteEngine on
    RewriteOptions inherit
    </VirtualHost>
    Save and close the file.
    7.     Update the distributed cluster management database with the changes:
    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
    8.     Restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
    Reconfigure the Identity Management Infrastructure Database
    Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
    1.     Change Single Sign-On URLs
    Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
    UNIX:
    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    Windows:
    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
    Here is an example:
    ssocfg.sh https login.acme.com 4443
    2. Restart OC4J_SECURITY instance and verify the configuration
    To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
    If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Then try logging in to the single sign-on server at its SSL address:
    https://host:ssl_port/pls/orasso/
    3. Back up the file targets.xml:
    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
    ·     HTTPMachine—the server host name
    ·     HTTPPort—the server port number
    ·     HTTPProtocol—the server protocol
    If, for example, you run ssocfg like this:
    ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
    Update the three attributes this way:
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    5. Save and close the file.
    6.     Reload the OracleAS console:
         ORACLE_HOME/bin/emctl reload
    7. Issue these two commands:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Registering mod_osso
    1.     The command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
    $ORACLE_HOME/sso/bin/ssoreg.sh \
         -oracle_home_path $ORACLE_HOME \
         -config_mod_osso TRUE \
         -mod_osso_url https://myhost.mydomain.com:4443
    2.     Restarting the Oracle HTTP Server
    After running ssoreg, restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    Configuring the Single Sign-On System for Certificates
    1.     Configure policy.properties with the Default Authentication Plugin
    Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
    DefaultAuthLevel = MediumHighSecurity
    Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
    2.     Restart the Single Sign-On Middle Tier
    After configuring the server, restart the middle tier:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Bringing the SSO Users to OCA User Certificate Request URL
    The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an OracleAS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normally required to provision a certificate by a certificate authority.
    The URL for the SSO certificate Request is:
    https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
    You can configure OCA to provide the user certificate request interface URL to the SSO server for display whenever SSO is not using a certificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then displays the OCA screen enabling that user to request a certificate.
    To link the OCA server to OracleAS SSO server, use the following command:
    ocactl linksso
    opmnctl stopproc type=oc4j instancename=oca
    opmnctl startproc type=oc4j instancename=oca
    You also can use ocactl unlinksso to unlink the OCA to SSO.
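
The procedure above edits three files that must end up agreeing with each other: opmn.xml (start-mode), targets.xml (the oracle_sso_server properties) and policy.properties (the certificate auth level and plugin). The following consistency check is an added example, not part of the original post or of Oracle's tooling; the `<Targets>`/`<Target TYPE=...>` wrapper, the function names and all sample file contents are constructed assumptions.

```python
import xml.etree.ElementTree as ET

EXPECTED_LEVEL = "MediumHighSecurity"
EXPECTED_PLUGIN = "oracle.security.sso.server.auth.SSOX509CertAuth"

# Constructed sample inputs (not taken from a real installation).
SAMPLE_OPMN = """<ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
    <module-data><category id="start-parameters">
      <data id="start-mode" value="ssl-enabled"/>
    </category></module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
</ias-component>"""
# Assumption: the <Targets>/<Target> wrapper; the page only shows the Property lines.
SAMPLE_TARGETS_OK = """<Targets><Target TYPE="oracle_sso_server" NAME="constructed">
  <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
  <Property NAME="HTTPPort" VALUE="4443"/>
  <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
</Target></Targets>"""
SAMPLE_TARGETS_STALE = (SAMPLE_TARGETS_OK.replace('"4443"', '"7777"')
                        .replace('"HTTPS"', '"HTTP"'))
SAMPLE_POLICY_OK = """# Authentication plugins
DefaultAuthLevel = MediumHighSecurity
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
"""
SAMPLE_POLICY_UNCHANGED = "DefaultAuthLevel = MediumSecurity\n"


def _local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def check_opmn(opmn_xml):
    """HTTP_Server must carry start-mode=ssl-enabled (opmn.xml step)."""
    for comp in ET.fromstring(opmn_xml).iter():
        if _local(comp.tag) == "ias-component" and comp.get("id") == "HTTP_Server":
            modes = [d.get("value") for d in comp.iter()
                     if _local(d.tag) == "data" and d.get("id") == "start-mode"]
            if modes == ["ssl-enabled"]:
                return []
            return ["opmn.xml: HTTP_Server start-mode is %r" % modes]
    return ["opmn.xml: no HTTP_Server ias-component found"]


def check_targets(targets_xml, host, port, protocol="https"):
    """The oracle_sso_server target must match the arguments given to ssocfg."""
    want = {"HTTPMachine": host, "HTTPPort": str(port), "HTTPProtocol": protocol}
    for target in ET.fromstring(targets_xml).iter():
        if _local(target.tag) == "Target" and target.get("TYPE") == "oracle_sso_server":
            have = {p.get("NAME"): p.get("VALUE") for p in target.iter()
                    if _local(p.tag) == "Property"}
            # Compare case-insensitively: the page passes "https" and stores "HTTPS".
            return ["targets.xml: %s is %r, expected %r" % (k, have.get(k), v)
                    for k, v in want.items()
                    if (have.get(k) or "").lower() != v.lower()]
    return ["targets.xml: no oracle_sso_server target found"]


def check_policy(policy_text):
    """DefaultAuthLevel and its paired plugin must select certificate sign-on."""
    props = {}
    for line in policy_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    findings = []
    if props.get("DefaultAuthLevel") != EXPECTED_LEVEL:
        findings.append("policy.properties: DefaultAuthLevel is %r, expected %r"
                        % (props.get("DefaultAuthLevel"), EXPECTED_LEVEL))
    plugin_key = EXPECTED_LEVEL + "_AuthPlugin"
    if props.get(plugin_key) != EXPECTED_PLUGIN:
        findings.append("policy.properties: %s is %r, expected %r"
                        % (plugin_key, props.get(plugin_key), EXPECTED_PLUGIN))
    return findings


def audit(opmn_xml, targets_xml, policy_text, host, port):
    """Run all three checks; an empty list means the files agree."""
    return (check_opmn(opmn_xml) + check_targets(targets_xml, host, port)
            + check_policy(policy_text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_OPMN, SAMPLE_TARGETS_STALE, SAMPLE_POLICY_UNCHANGED,
                         "sso.mydomain.com", 4443) or ["all checks passed"]:
        print(finding)
```

To run it against a real middle tier, pass the contents of the files at the paths named in the steps above instead of the constructed samples.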

    I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
    The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
    on a URL that looks like this :
    http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    and gives the error :
    ( Forbidden
    You don't have permission to access /sso/auth on this server at port 7777)
    when I manually change the URL to :
    https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    the SSO works correctly.
    The question is :
    How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
    Any ideas ?
    Thanks in advance

  • How to find out logs related to which server, If i have 2 WFE's in the farm. How to configure logs path?

    Hi,
    I have this doubt when searching logs on the servers. I have 2 WFEs in my farm and I got an error from an end user. On which WFE server do I need to check the logs?
    How do I configure the logs path? Is it possible to specify our own logs path instead of the 14 hive folder?
    Badri

    That is a really bad idea, especially with idle disconnects and other unreliability of CIFS.
    You should instead check out the command Merge-SPLogFiles, which will allow you to combine ULS logs from multiple servers into a single file.
    You can certainly specify your own path, but the path must be available on all servers. For example, if you specified D:\Logs, D:\Logs must exist on all SharePoint servers within the farm.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • How to configure CustomLoginModule in jps-config.xml

    Hi,
    How can we configure a Custom Login Module using jps-config.xml? We do not want to use a weblogic custom authentication provider, as it needs application jars (which we require for authenticating the user) to be kept in the weblogic classpath.
    Is there any documentation on how to configure and use Custom Login Modules in jps-config.xml? I tried to create a LoginModule and specify it in jps-config.xml, but my LoginModule is not getting called.
    Jdev version: 11.1.1.3.0
    Server : weblogic
    my jps-config.xml is
    <?xml version = '1.0' encoding = 'Cp1252'?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
       <property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
       <property value="custom.provider" name="true"/>
       <propertySets/>
       <serviceProviders>
          <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider" name="credstore.provider" type="CREDENTIAL_STORE">
             <description>Credential Store Service Provider</description>
          </serviceProvider>
          <serviceProvider class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider" name="jaas.login.provider" type="LOGIN">
             <description>
                Login Module Service Provider
             </description>
          </serviceProvider>
          <serviceProvider class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider" name="idstore.xml.provider" type="IDENTITY_STORE">
             <description>XML-based IdStore Provider</description>
          </serviceProvider>
          <serviceProvider class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider" name="policystore.xml.provider" type="POLICY_STORE">
             <description>XML-based PolicyStore Provider</description>
          </serviceProvider>
       </serviceProviders>
       <serviceInstances>
          <serviceInstance provider="credstore.provider" name="credstore">
             <property value="./" name="location"/>
          </serviceInstance>
          <serviceInstance provider="jaas.login.provider" name="CustomLoginModule">
             <property value="SUFFICIENT" name="jaas.login.controlFlag"/>
             <property value="SEVERE" name="log.level"/>
             <property value="org.calwin.view.CustomLoginModule" name="loginModuleClassName"/>
          </serviceInstance>
          <serviceInstance provider="idstore.xml.provider" name="idstore.xml">
             <property value="./jazn-data.xml" name="location"/>
             <property value="OBFUSCATE" name="jps.xml.idstore.pwd.encoding"/>
             <property value="jps" name="subscriber.name"/>
          </serviceInstance>
          <serviceInstance provider="policystore.xml.provider" name="policystore.xml">
             <property value="./jazn-data.xml" name="location"/>
          </serviceInstance>
       </serviceInstances>
       <jpsContexts default="TestMultiDatasource">
          <jpsContext name="TestMultiDatasource">
             <serviceInstanceRef ref="idstore.xml"/>
             <serviceInstanceRef ref="credstore"/>
             <serviceInstanceRef ref="policystore.xml"/>
          </jpsContext>
          <jpsContext name="anonymous">
             <serviceInstanceRef ref="credstore"/>
          </jpsContext>
       </jpsContexts>
    </jpsConfig>
    My Login Module Class:
    package org.calwin.view;
    import java.io.IOException;
    import java.security.Principal;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import javax.security.auth.login.LoginException;
    import javax.security.auth.spi.LoginModule;
    import javax.servlet.http.HttpServletRequest;
    import weblogic.security.auth.callback.ContextHandlerCallback;
    import weblogic.security.principal.WLSUserImpl;
    import weblogic.security.service.ContextHandler;
    public class CustomLoginModule
        implements LoginModule
    {
      // initial state
      private Subject subject;
      private CallbackHandler callbackHandler;
      // the authentication status
      private boolean succeeded = false;
      private boolean commitSucceeded = false;
      // username and password
      private String username;
      private String password;
      // testUser's SamplePrincipal
      private Principal userPrincipal;
      /**
       * Initialize this <code>LoginModule</code>.
       * <p>
       * @param subject the <code>Subject</code> to be authenticated. <p>
       * @param callbackHandler a <code>CallbackHandler</code> for communicating
       *      with the end user (prompting for user names and
       *      passwords, for example). <p>
       * @param sharedState shared <code>LoginModule</code> state. <p>
       * @param options options specified in the login
       *      <code>Configuration</code> for this particular
       *      <code>LoginModule</code>.
       */
      public void initialize(Subject subject, CallbackHandler callbackHandler,
                             Map sharedState, Map options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
      }
      /**
       * Authenticate the user by prompting for a user name and password.
       * <p>
       * @return true in all cases since this <code>LoginModule</code>
       *    should not be ignored.
       * @exception FailedLoginException if the authentication fails. <p>
       * @exception LoginException if this <code>LoginModule</code>
       *    is unable to perform the authentication.
       */
      public boolean login() throws LoginException {
        if (callbackHandler == null)
          throw new LoginException("Error: no CallbackHandler available " +
                                   "to garner authentication information from the user");
        Callback[] callbacks = new Callback[3];
        callbacks[0] = new NameCallback("user name: ");
        callbacks[1] = new PasswordCallback("password: ", false);
        callbacks[2]=new ContextHandlerCallback();
          try {
            callbackHandler.handle(callbacks);
          } catch (UnsupportedCallbackException uce) {
              throw new LoginException("Callback Not Supported");
          } catch (IOException ioe) {
              throw new LoginException("I/O Failed");
          }
          username = ((NameCallback)callbacks[0]).getName();
          char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();
          if (tmpPassword == null) {
            tmpPassword = new char[0];
          }
          password = new String(tmpPassword);
          ((PasswordCallback)callbacks[1]).clearPassword();
        // verify the username/password
        // NOTE: no check is performed here; as posted, every username/password pair is accepted
        boolean usernameCorrect = true;
        boolean passwordCorrect = true;
        succeeded = true;
        return true;
      }
      /**
       * <p> This method is called if the LoginContext's
       * overall authentication succeeded
       * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
       * succeeded).
       * <p> If this LoginModule's own authentication attempt
       * succeeded (checked by retrieving the private state saved by the
       * <code>login</code> method), then this method associates a
       * <code>SamplePrincipal</code>
       * with the <code>Subject</code> located in the
       * <code>LoginModule</code>.  If this LoginModule's own
       * authentication attempted failed, then this method removes
       * any state that was originally saved.
       * <p>
       * @exception LoginException if the commit fails.
       * @return true if this LoginModule's own login and commit
       *    attempts succeeded, or false otherwise.
       */
      public boolean commit() throws LoginException {
        if (succeeded == false) {
          return false;
        } else {
          userPrincipal = new WLSUserImpl(username);
          if (!subject.getPrincipals().contains(userPrincipal))
            subject.getPrincipals().add(userPrincipal);
          // in any case, clean out state
          username = null;
          password = null;
          commitSucceeded = true;
          return true;
        }
      }
      /**
       * <p> This method is called if the LoginContext's
       * overall authentication failed.
       * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules
       * did not succeed).
       * <p> If this LoginModule's own authentication attempt
       * succeeded (checked by retrieving the private state saved by the
       * <code>login</code> and <code>commit</code> methods),
       * then this method cleans up any state that was originally saved.
       * <p>
       * @exception LoginException if the abort fails.
       * @return false if this LoginModule's own login and/or commit attempts
       *    failed, and true otherwise.
       */
      public boolean abort() throws LoginException {
        if (succeeded == false) {
          return false;
        } else if (succeeded == true && commitSucceeded == false) {
          // login succeeded but overall authentication failed
          succeeded = false;
          username = null;
          if (password != null) {
            password = null;
          }
          userPrincipal = null;
        } else {
          // overall authentication succeeded and commit succeeded,
          // but someone else's commit failed
          logout();
        }
        return true;
      }
      /**
       * Logout the user.
       * <p> This method removes the <code>SamplePrincipal</code>
       * that was added by the <code>commit</code> method.
       * <p>
       * @exception LoginException if the logout fails.
       * @return true in all cases since this <code>LoginModule</code>
       *          should not be ignored.
       */
      public boolean logout() throws LoginException {
        subject.getPrincipals().remove(userPrincipal);
        succeeded = false;
        succeeded = commitSucceeded;
        username = null;
        if (password != null) {
          password = null;
        }
        userPrincipal = null;
        return true;
      }
    }
    My adf-config.xml:
    <sec:adf-security-child xmlns="http://xmlns.oracle.com/adf/security/config">
        <CredentialStoreContext credentialStoreClass="oracle.adf.share.security.providers.jps.CSFCredentialStore"
                                credentialStoreLocation="../../src/META-INF/jps-config.xml"/>
        <sec:JaasSecurityContext initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
                                 jaasProviderClass="oracle.adf.share.security.providers.jps.JpsSecurityContext"
                                 authorizationEnforce="true"
                                 authenticationRequire="true"/>
      </sec:adf-security-child>
    My jazn.xml:
    <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
    <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
      <jazn-realm default="jazn.com">
        <realm>
          <name>jazn.com</name>
        </realm>
      </jazn-realm>
    </jazn-data>
    My web.xml:
    <filter>
        <filter-name>JpsFilter</filter-name>
        <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
        <init-param>
          <param-name>enable.anonymous</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>remove.anonymous.role</param-name>
          <param-value>false</param-value>
        </init-param>
      </filter>
    <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
    <servlet-mapping>
        <servlet-name>adfAuthentication</servlet-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>adfAuthentication</web-resource-name>
          <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>valid-users</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/error.html</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <role-name>valid-users</role-name>
      </security-role>
    weblogic.xml:
      <security-role-assignment>
        <role-name>valid-users</role-name>
        <principal-name>users</principal-name>
      </security-role-assignment>
    Regards,
    Saikiran

    Ours is not a Desktop Application, but we want to handle Authentication (which authenticates the userid and password by making a Tuxedo call) and add the Principal to Subject in session, so that ADF Authorization and securityContext can be used as is,
    but doing this with Custom Authentication Provider in weblogic needs me to have a lot of Tuxedo Service related jars in weblogic/system classpath, which I feel is not the right thing to do, as the same jars are required in the application also, which means I will have the jars in class path twice and I need to deploy the jars to both places every time there is any change.
    Is there any way by which I can set Authenticated principal to Subject in the created session from within Application?
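
    A structural check on the posted jps-config.xml, as an added example that is not part of the original posts: it cross-checks providers, service instances and the references each jpsContext makes. The namespace, element and instance names are taken from the posted file; the function name and report keys are assumptions of this example, and whether an unreferenced instance explains the behaviour on WebLogic is not established on this page.

```python
import xml.etree.ElementTree as ET

JPS_NS = "{http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd}"

# Trimmed copy of the jps-config.xml posted above: names, providers and
# context references are the post's; descriptions and properties are omitted.
POSTED_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider name="credstore.provider" type="CREDENTIAL_STORE"/>
    <serviceProvider name="jaas.login.provider" type="LOGIN"/>
    <serviceProvider name="idstore.xml.provider" type="IDENTITY_STORE"/>
    <serviceProvider name="policystore.xml.provider" type="POLICY_STORE"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance provider="credstore.provider" name="credstore"/>
    <serviceInstance provider="jaas.login.provider" name="CustomLoginModule"/>
    <serviceInstance provider="idstore.xml.provider" name="idstore.xml"/>
    <serviceInstance provider="policystore.xml.provider" name="policystore.xml"/>
  </serviceInstances>
  <jpsContexts default="TestMultiDatasource">
    <jpsContext name="TestMultiDatasource">
      <serviceInstanceRef ref="idstore.xml"/>
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="policystore.xml"/>
    </jpsContext>
    <jpsContext name="anonymous">
      <serviceInstanceRef ref="credstore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>"""


def audit_jps_config(xml_text):
    """Cross-check providers, service instances and context references."""
    root = ET.fromstring(xml_text)
    providers = {p.get("name"): p.get("type")
                 for p in root.iter(JPS_NS + "serviceProvider")}
    instances = {i.get("name"): i.get("provider")
                 for i in root.iter(JPS_NS + "serviceInstance")}
    contexts_el = root.find(JPS_NS + "jpsContexts")
    default = contexts_el.get("default") if contexts_el is not None else None
    contexts = {
        c.get("name"): [r.get("ref") for r in c.iter(JPS_NS + "serviceInstanceRef")]
        for c in root.iter(JPS_NS + "jpsContext")
    }
    referenced = {ref for refs in contexts.values() for ref in refs}
    return {
        "default_context": default,
        # Provider types reachable from the default context.
        "default_context_types": sorted(
            providers.get(instances.get(ref), "?")
            for ref in contexts.get(default, [])),
        # Declared, but no context points at them.
        "unreferenced_instances": sorted(set(instances) - referenced),
        # Referenced by a context, but never declared.
        "dangling_refs": sorted(referenced - set(instances)),
        # Instances whose provider attribute names no declared provider.
        "unknown_providers": sorted(
            name for name, prov in instances.items() if prov not in providers),
        "default_context_missing": default not in contexts,
    }


if __name__ == "__main__":
    for key, value in audit_jps_config(POSTED_CONFIG).items():
        print(f"{key}: {value}")
```

    On the posted file the report shows the CustomLoginModule instance as declared but not referenced by any jpsContext, and no LOGIN-type service in the default context.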

  • How to configure Firefox to use OpenVPN?

    summary: I'm running OpenVPN from a Debian client through a Debian jumpbox/server. After I [start the server, start the client] most IP-based applications (DNS, ping, ssh) seem to work from the client, but client's Firefox cannot connect to http://www.whatismyip.com/ (or any other URI). How to configure Firefox to use the VPN? or otherwise fix the problem? or further debug it?
    details:
    I have a laptop running debian_version==jessie/sid with Firefox version=33.0 which needs to access a compute cluster. The cluster formerly required only an SSL VPN (enabled by a Firefox plugin) to access, but now has several additional requirements, which I seek to satisfy by running the SSL VPN through a jumpbox running an OpenVPN server. The jumpbox is running a "vanilla" Debian 7.7.
    I have been using the laptop successfully for a few years without network problems. Currently I have the laptop connected by wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on the laptop, I see:
    * `ifconfig` shows no entry='tun0' (just "the usual" entries for 'eth0', 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
    * I can `ping` my jumpbox/server using its real IP#, but cannot `ping 10.8.0.1`
    * I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    * browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown in `ifconfig`)
    Both my client/laptop and server/jumpbox setups are quite generic OpenVPN-wise, and are almost exactly as described on the Debian wiki
    https://wiki.debian.org/openvpn%20for%20server%20and%20client
    me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
    Sat Nov 8 16:49:00 EST 2014
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8" # google public DNS
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    me@laptop:~$ date ; cat /etc/openvpn/client1.conf
    Sat Nov 8 16:51:31 EST 2014
    client
    dev tun
    proto udp
    remote ser.ver.IP.num 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    mute-replay-warnings
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client1.crt
    key /etc/openvpn/client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:
    me@jumpbox:~$ date ; sudo iptables -L
    Sat Nov 8 16:42:06 EST 2014
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    After I start `openvpn` on first the server and then the client, I see no OpenVPN errors on either the server or the client:
    me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf &
    Sat Nov 8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
    Sat Nov 8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
    Sat Nov 8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Nov 8 17:48:25 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:48:25 2014 ROUTE default_gateway=ser.ver.gate.way
    Sat Nov 8 17:48:25 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:48:25 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:48:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:48:25 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Sat Nov 8 17:48:25 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Sat Nov 8 17:48:25 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Nov 8 17:48:25 2014 GID set to nogroup
    Sat Nov 8 17:48:25 2014 UID set to nobody
    Sat Nov 8 17:48:25 2014 UDPv4 link local (bound): [undef]
    Sat Nov 8 17:48:25 2014 UDPv4 link remote: [undef]
    Sat Nov 8 17:48:25 2014 MULTI: multi_init called, r=256 v=256
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Sat Nov 8 17:48:25 2014 ifconfig_pool_read(), in='TomRoche,10.8.0.4', TODO: IPv6
    Sat Nov 8 17:48:25 2014 succeeded -> ifconfig_pool_set()
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL LIST
    Sat Nov 8 17:48:25 2014 TomRoche,10.8.0.4
    Sat Nov 8 17:48:25 2014 Initialization Sequence Completed
    me@laptop:~$ sudo openvpn --script-security 2 --config /etc/openvpn/client1.conf &
    Sat Nov 8 17:49:12 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:49:12 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:49:12 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Sat Nov 8 17:49:12 2014 UDPv4 link local: [undef]
    Sat Nov 8 17:49:12 2014 UDPv4 link remote: [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:12 2014 TLS: Initial packet from [AF_INET]jump.box.IP.num:1194, sid=25df7af6 0ece4089
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=1, <my config data/>
    Sat Nov 8 17:49:13 2014 VERIFY OK: nsCertType=SERVER
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=0, <my config data/>
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Nov 8 17:49:14 2014 [TomRoche] Peer Connection Initiated with [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:16 2014 SENT CONTROL [TomRoche]: 'PUSH_REQUEST' (status=1)
    Sat Nov 8 17:49:16 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: route options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Nov 8 17:49:16 2014 ROUTE_GATEWAY lap.top.gate.way/255.255.255.0 IFACE=eth0 HWADDR=la:pt:op:MAC:ad:dr
    Sat Nov 8 17:49:16 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:49:16 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:49:16 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:49:16 2014 /sbin/ip link set dev tun0 up mtu 1500
    Sat Nov 8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
    Sat Nov 8 17:49:16 2014 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init
    dhcp-option DNS 8.8.8.8
    Sat Nov 8 17:49:16 2014 /sbin/ip route add lap.top.IP.num/32 via lap.top.gate.way
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 GID set to nogroup
    Sat Nov 8 17:49:16 2014 UID set to nobody
    Sat Nov 8 17:49:16 2014 Initialization Sequence Completed
    I then see the following on my client:
    * `ifconfig` shows a new entry=`tun0`, which looks correct
    * I can `ping` the server using either its real IP# or `10.8.0.1`
    * I can `ssh` to the server using either its real IP# or `10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    ... but I get no connection if I open a new instance of Firefox and browse to http://www.whatismyip.com/ :-( "Looking up www.whatismyip.com..." succeeds quickly but the status line continues to display "Connecting to www.whatismyip.com..." until the attempt times out. I also get the same behavior (connection timeout) if I open a new instance of Chrome, or if I browse to http://www.whatismyip.com/ with a Firefox opened prior to starting OpenVPN. FWIW I get the same behavior browsing to any URI, including (e.g.) Google.
    This is a major problem for me! For the SSL VPN to work, I need to start a Firefox and run it (since the SSL VPN's vendor only supports it on Linux via a Firefox plugin) to access a particular remote-access website. Furthermore I need the SSL VPN to run through the jumpbox/OpenVPN. (Don't ask, it's a long, sad story ...)
    Is there something I must do to configure Firefox to use the VPN? Or is there some other way to fix this?
    Alternatively, what should I do to further debug the problem? It just seems odd to me that the other services work (e.g., `nslookup`, `ssh`) but Firefox does not. That being said, both Firefox and Chrome fail in this usecase, so the problem might be generic to web browsers.
    your assistance is appreciated, Tom Roche
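
    The routes that `redirect-gateway def1` installed in the client log above, replayed through a longest-prefix-match lookup (an added example, not part of the original post). It shows which destinations leave through the tunnel for every process on the client and which route bypasses it. The two addresses the post redacts are replaced by constructed documentation addresses, and the pre-VPN default route is an assumption.

```python
import ipaddress
import re

# Route and interface lines as they appear in the client log above. The post
# redacts two addresses; these stand-ins are constructed for the example:
#   192.0.2.1    -> lap.top.gate.way (the laptop's LAN gateway)
#   198.51.100.7 -> the redacted address in the /32 host route
CLIENT_LOG = """\
Sat Nov 8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sat Nov 8 17:49:16 2014 /sbin/ip route add 198.51.100.7/32 via 192.0.2.1
Sat Nov 8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Nov 8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Nov 8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
"""

# Assumed pre-VPN default route through the LAN gateway (not shown in the post).
PRE_VPN_ROUTES = [("0.0.0.0/0", "192.0.2.1")]

ROUTE_RE = re.compile(r"ip route add (\S+) via (\S+)")
PEER_RE = re.compile(r"ip addr add dev (\S+) local (\S+) peer (\S+)")


def build_table(log, pre_existing=PRE_VPN_ROUTES):
    """Return (routes, tunnel_peer) parsed from OpenVPN client log text."""
    routes = [(ipaddress.ip_network(net), ipaddress.ip_address(gw))
              for net, gw in pre_existing]
    peer = None
    for line in log.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1)),
                           ipaddress.ip_address(m.group(2))))
            continue
        m = PEER_RE.search(line)
        if m:
            peer = ipaddress.ip_address(m.group(3))
    if peer is None:
        raise ValueError("no tun interface address line found in log")
    return routes, peer


def egress(dst, routes, peer):
    """Longest-prefix match, as the kernel does: 'tunnel' or 'direct'."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return "unreachable"
    _, gw = max(matches, key=lambda route: route[0].prefixlen)
    return "tunnel" if gw == peer else "direct"


def tunnel_covers_all_ipv4(routes, peer):
    """True if the routes via the tunnel peer add up to 0.0.0.0/0."""
    via_tunnel = [net for net, gw in routes if gw == peer]
    return ipaddress.ip_network("0.0.0.0/0") in ipaddress.collapse_addresses(via_tunnel)


def bypass_routes(routes, peer):
    """Routes more specific than the two /1 halves that leave outside the tunnel."""
    return [str(net) for net, gw in routes if gw != peer and net.prefixlen > 1]


if __name__ == "__main__":
    table, tun_peer = build_table(CLIENT_LOG)
    # 203.0.113.80 is a constructed stand-in for a public web server.
    for dst in ("203.0.113.80", "8.8.8.8", "10.8.0.1", "198.51.100.7"):
        print(f"{dst:15} -> {egress(dst, table, tun_peer)}")
    print("tunnel covers all IPv4:", tunnel_covers_all_ipv4(table, tun_peer))
    print("bypass routes:", bypass_routes(table, tun_peer))
```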

    You're kidding. You have to go through that rigamarole just to put your bookmarks on your own server? Where's the simple FTP option?
    Also, the above-linked article has a broken link. The link to the weaveserver (which is what you have to set up on your own server) is no good, and there is no obvious replacement. There are plenty of Weave-related repositories here:
    http://hg.mozilla.org/labs
    but it's not clear what you need.
