Archives 2006

Using BackupPC with mobile Windows XP clients via OpenVPN and Cygwin Rsync Server

BackupPC assumes your mobile hosts will occassionally visit your network and allows backup of those hosts while they are on your local network. But what if you need to backup mobile Windows hosts that NEVER connect to your BackupPC LAN? We will use OpenVPN to build a VPN connection between the client and the BackupPC server. We will configure BackupPC server to backup via an Rsync Server on the BackupPC client. This solution is working well for several remote PCs (Windows XP) and Servers (Windows 2000).

Due to the nature of mobile users, the BackupPC server may not be able to reliably locate and connect to the SSH service on these PCs. Besides, numerous users have reported problems with BackupPC via SSH, due to an alleged bug in the Cygwin SSH server. If your Windows PC is accessible via SSH, running BackupPC via rsync over an SSH tunnel works fine. Simply write pre-backup and post-backup scripts to initiate an SSH tunnel and tear down the SSH tunnel when you are finished.

I have found that using a combination of OpenVPN and Cygwin Rsync Server works well when performing backups of mobile Windows PCs. We use OpenVPN to maintain a secure connection between the PC and the BackupPC server. We then configure BackupPC to connect to the Rsync Server on the Windows PC via the VPN connection. The ONLY problem we have had with this is reminding users to make sure their OpenVPN connection is always working. The Windows GUI for OpenVPN does not always automatically reconnect to the BackupPC server between suspend-power operations on laptops. It generally does fine between reboots, though.

The documentation below assumes you are already successfully using BackupPC to backup local hosts. The documentation does not cover installation or configuration of BackupPC for local hosts.

Preparing SSL Certificates for OpenVPN server

OpenVPN requires one SSL certificate for your OpenVPN server and one SSL certificate for each OpenVPN client. We will assume you do not already have a public key infrastructure in place. We will begin by creating a Certificate Authority (CA) key, then we will create a key for the server (signed by CA key) and a key for the first client (also signed by the CA key). You will need to create an additional key for each additional client.

NOTE: If you are managing a large number of hosts, you should replace the example common names and file names with actual hostnames for the BackupPC server (ie: and each BackupPC client (ie: This will make it much easier for you to manage a large number of certificates.

[sourcecode language=”bash”]
# Create a directory for storing your certificates
mkdir /opt/ssl
chmod 700 /opt/ssl
cd /opt/ssl

# Generating Certificate Authority Keys (Common Name: “ca”)
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.cer

# Generating OpenVPN Server Keys (Common Name: “server”)
openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl ca -policy policy_anything -cert ca.cer -in server.csr \
-keyfile ca.key -days 365 -out server.crt

# Generating OpenVPN Client Keys (Common Name: “client1”)
openssl req -new -out client1.csr
openssl rsa -in privkey.pem -out client1.key
openssl ca -policy policy_anything -cert ca.cer -in client1.csr \
-keyfile ca.key -days 365 -out client1.crt

Install and Configure OpenVPN on the BackupPC server

[sourcecode language=”bash”]
cd /opt/
rpm -ivh lzo-1* openvpn*

cd /etc/openvpn/
vi server.conf
cp /opt/ssl/ca.crt .
cp /opt/ssl/server.crt .
cp /opt/ssl/server.key .
openssl dhparam -out dh1024.pem 1024

chkconfig openvpn on
service openvpn restart

If you are running an IPtables Firewall, you must accept OpenVPN traffic (1194/udp) on the BackupPC server. Edit your iptables script and the rule shown below right above or right below similar UDP rules. Afterwards, restart iptables to force changes to take effect.

[sourcecode language=”bash”]
vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p udp -m udp –dport 1194 -j ACCEPT

service iptables restart

Install and Configure OpenVPN on the BackupPC client

Download and install the newest Windows OpenVPN GUI package with TAP interface from the following website. During installation, accept all of the default options. You MUST reboot after installation, or else the VPN connections will not work properly. When you are finished, you should have a new OpenVPN GUI icon in your tray and a new TAP interface in you list of Network Connections.

Website Link:

For this example, we used OpenVPN 2.09 GUI 1.0.3. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!

Download Link:

COMMON PROBLEM: The TAP interface does not appear in your Network Connections. If this happens, your registry is missing one of the following keys/folders that is required for TAP interface installation (who knows why, it doesn’t appear to be used). Simply create an empty key/folder in it’s place, then uninstall OpenVPN, then reinstall OpenVPN.

[sourcecode language=”bash”]

After installing the OpenVPN GUI, you need to copy several files to the following directory. Be sure to rename the client files to client.crt and client.key. This allows you to use the same OpenVPN config file (.ovpn) on each mobile computer.

[sourcecode language=”bash”]
C:\Program Files\OpenVPN\config\

ca.crt # copied from /opt/ssl/ca.crt on your BackupPC server
client.crt # copied from /opt/ssl/client1.crt on your BackupPC server
client.key # copied from /opt/ssl/client1.key on your BackupPC server
server.ovpn # download via link below

Download Link: server.ovpn

You must edit “server.ovpn” and change “” (see line 41) to the actual hostname of your BackupPC server. Your mobile PCs should be able to PING the BackupPC server via this hostname.

FIREWALL NOTE: If you are using firewall(s), you will need to allow OpenVPN traffic (1194/udp) from the mobile PCs to the server. Be sure to update firewalls that may restrict outbound traffic on the mobile PC network as well as firewalls that may restrict incoming traffic on the BackupPC server network. Most importantly, be sure to update your host based firewall on your BackupPC server so that it does not block these incoming connections. An example for updating the iptables firewall running on your BackupPC server was shown above.

When you are finished, you should be able to ping your BackupPC server ( from your BackupPC client. You should also be able to ping your BackupPC client from your BackupPC server. The IP address assigned by the VPN should appear in a balloon popup window when your OpenVPN GUI tray icon changes to a green color.

NOTE: If you can ping the server from the client, but not vice-versa, check your Windows Firewall. You may need to allow Incoming Echo Requests under ICMP Settings on the Advanced firewall configuration tab.

Configure OpenVPN to Start Connection Automatically

OpenVPN GUI can start a connection automatically when it runs. To enable autoconnect simply add this string to the command that starts the OpenVPN app:

[sourcecode language=”bash”]
–connect client1.ovpn

In Windows, you need to append it to the following registry key: OpenVPN-Startup.reg (right-click, save, and run)

[sourcecode language=”bash”]
Windows Registry Editor Version 5.00

“openvpn-gui”=”C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe –connect client1.ovpn

Change client1 as needed for the name of each client config file.

Configure OpenVPN server Static IP for “client1” (first client)

You must assign a static IP address to each VPN client so that the BackupPC server can locate the correct client each time it performs a backup of the client.

[sourcecode language=”bash”]
cd /etc/openvpn/
vi ccd/client1 # file name MUST match the Common Name on client SSL certificate

vi /etc/hosts # hostname MUST match the Common Name on client SSL certificate client1

Configure OpenVPN server Static IP for “client2” (additional clients)

Routing for the static IP above had already been configured. You must configure routing for each new static IP block as shown below.

[sourcecode language=”bash”]
cd /etc/openvpn/
vi ccd/client2 # file name MUST match the Common Name on client SSL certificate

vi server.conf # configure routing for new static IP (near similar line 152)

vi /etc/hosts # hostname MUST match the Common Name on client SSL certificate client2

Download Link: server.conf

Install and Configure Cygwin Rsync Server on the BackupPC client

CYGWIN NOTE: If you are only using Cygwin to run an Rsync Server on your client PC, they you can use the standalone installation package for the Cygwin Rsync Server below. If you are using other Cygwin items on the client PC, you need to install the Rsync Server through the standard Cygwin setup menu. We will assume no other Cygwin software is installed.

Download and install the newest Cygwin Rsync Server (cwRsync Server) package from the following website. During installation, accept all of the default options. You can ignore the service account password. No need to reboot after installation. When you are finished, confirm that you have a new Rsync Server service in your list of Windows Services. Configure the service for “automatic” startup rather than “manual” startup.

Website Link:

For this example, we used Cygwin Rsync Server 2.0.10. We provided a link to the version we used for this example, but highly recommend installing the latest version once you have things up and running!

Download Link:

COMMON PROBLEM: The “Rsync Server” service would not appear in the service list. Conflicting versions of Cygwin software on a system WILL cause you problems, so uninstall other Cygwin software packages if possible. We had to uninstall an older Cygwin-based SSH tools we previously used to backup these Windows PCs before we could successfully install a working copy of the Cygwin Rsync Server.

After installing the Cygwin Rsync Server, you need to copy several files to the following directory. I recommend you generate a new randon password for the rsyncd.secrets file on each client computer. Each line of the rsyncd.secrets file contains a valid username/password for the Rsync Server.

[sourcecode language=”bash”]
C:\Program Files\cwRsyncServer\

rsyncd.conf # downloaded via link below
etc\rsyncd.secrets # downloaded via link below

Download Link: rsyncd.conf
Download Link: rsyncd.secrets

After you have finished configuring rsync (above), start/restart the Rsync Server service. You can do this through Windows Services or by using the following commands.

[sourcecode language=”bash”]
net stop rsyncserver
net start rsyncserver

NOTE: You can confirm that the Rsync Server is running via “netstat -an” and confirming that TCP port 873 is LISTENING. You can also confirm that the Rsync Server is running via “telnet localhost 873” which should show you “@RSYNCD: 29” (press CTRL+] to exit, then type “quit” to close telnet). If either of these tests fail, restart Rsync Server and test again.

You should be able to connect to the Rsync Server from the BackupPC server over the VPN. If you cannot, you will need to allow an exception for “Rsync Server” port “873” protocol “TCP” in your Windows Firewall.

[sourcecode language=”bash”]
[root@backuppc backuppc]# telnet 873
Connected to client1 (
Escape character is ‘^]’.

Once you have confirmed you can connect to the Rsync Server on the Windows client from the BackupPC server, you can configure of client backups on the BackupPC server.

Configure client on the BackupPC server

Edit the following files within your BackupPC directory.

[sourcecode language=”bash”]
conf/hosts # add host entry similar to example below.
pc/client1/ # downloaded via link below

Example Host Entry:
client1 0 client1user

Download Link:

You must update the client IP address in (line 8, line 16) to reflect the VPN address you assigned to the client. BackupPC will connect to the Rsync Server on this IP address.

You must update the client password in (line 19) to reflect the password you assigned in “rsyncd.secrets” file.

NOTE: Use WordPad to edit these files (not NotePad). Be sure that you have several blank lines at the end of your “rsyncd.secrets” file. Due to a bug with the Cygwin Rsync Server, it cannot read a username/password pair if it is in the last line of the secrets file.

Afterwards, reload the BackupPC server so that it will read these new configuration settings.

[sourcecode language=”bash”]
[root@backuppc pc]# service backuppc reload

The new client should appear in your BackupPC interface and can now be backed up!

2006/12/01 – Jason Klein

Configuring Sipura SPA-3000 as trunk within Asterisk VoIP PBX Server

This article describes how I successfully configured the Sipura SPA-3000 (fw 2.0.13) for use as a single line inbound/outbound trunk within Asterisk at Home (asterisk 1.2.1). Unlike the other examples I found, this configuration is fairly simple and does NOT require configuration of special extensions, etc. This configuration should be fairly secure, but any suggestions and/or feedback are very welcome!

When incoming calls are received by the SPA-3000, they are forwarded to the Asterisk PBX with CALLER ID information and can be routed like any other POTS trunk (ie: as per Incoming Calls config and/or Inbound Routing config by CID). When outgoing calls are placed through the SPA-3000, this device dials the number and connects the call. The person making the call WILL hear the DTMF tones (aka touch tones) that are dialed by the SPA-3000 just before the call is connected. I have not been able to find a way of preventing this (yet).

Configuring Trunk within Asterisk PBX using AMP

Login to AMP (Asterisk Management Portal). Navigate to Setup, Trunks, and choose “Add SIP Trunk”.

General Settings

[sourcecode language=”bash”]
Outbound Caller ID: (leave blank – cannot be used by POTS line)
Maximum Channels: 1 (required – see note below)

NOTE: Each SPA-3000 supports a single channel. You need to setup multiple trunks for multiple SPA-3000 devices.

Outgoing Dial Rules

[sourcecode language=”bash”]
Dial Rules:
1+NXXNXXXXXX ; prefix 10 digit dialing with “1”
1NXXNXXXXXX ; allow all 11 digit dialing as-is
NXXXXXX ; allow all 7 digit dialing as-is

Outgoing Settings

[sourcecode language=”bash”]
Trunk Name: pstn_spa01

Peer Details:
host= ; IP address of SPA device
nat=yes ; omit if no NAT exists between PBX and SPA

Incoming Settings

[sourcecode language=”bash”]
User Context: spa01

User Details:
host= ; IP address of SPA device
nat=yes ; omit if no NAT exists between PBX and SPA


[sourcecode language=”bash”]
Register String: ; omit – not necessary to register w/ SPA device?

Configuring Outbound Routing within Asterisk PBX using AMP

Login to AMP (Asterisk Management Portal). Navigate to Setup, Outbound Routing, and choose “Add Route”.

Add Route

[sourcecode language=”bash”]
Route Name: ; user preference, avoid special characters here?

Dial Patterns: ; dial 5 plus 11 digit, 10 digit, and 7 digit numbers
; omit each “5|” to use trunk without dialing prefix
5|1NXXNXXXXXX ; accept 5 + 11 digit dialing
5|NXXNXXXXXX ; accept 5 + 10 digit dialing
5|NXXXXXX ; accept 5 + 7 digit dialing

Trunk Sequence: ; add each available SPA-3000 trunk

Configuring the Sipura SPA-3000

The following example only illustrates changes to default settings. Start by performing a factory reset of your SPA-3000. Connect a handset to the PHONE jack on the SPA-3000 and dial “****” to access the configuration menu, then dial “73738#” (aka “RESET#”) to perform a factory reset.

Login to the web interface of your SPA-3000, click “Admin”, then click “Advanced”. Configuration changes for each tab/page are shown below.


[sourcecode language=”bash”]
USER PASSWORD: secretpwd ; secures the SPA web interface
; username ‘user’ or ‘admin’?

DHCP: no ; recommend static ip address

HOSTNAME: voip-spa1 ; optional
DOMAIN: ; optional
PRIMARY DNS: ; optional
SECONDARY DNS: ; optional
PRI NTP: ; optional
SEC NTP: ; optional


[sourcecode language=”bash”]
RTP Packet Size: 0.020 ; improves sound quality (was 0.030)?


[sourcecode language=”bash”]
TIME ZONE: GMT-05:00 ; Central Time Zone


[sourcecode language=”bash”]
NAT Mapping Enable: yes ; only change if NAT exists between PBX and SPA
NAT Keep Alive Enable: yes ; only change if NAT exists between PBX and SPA

PROXY: ; IP address of Asterisk PBX

DISPLAY NAME: ; leave blank
USER ID: 3501 ; optional?
PASSWORD: ; leave blank

DTMF Process INFO: Yes ; default value
DTMF Process AVT: No ; resolve issues with DTMF
DTMF Tx Method: Auto ; default value

DIAL PLAN 8: (S0<:s@>)
; forwards incoming PSTN calls to PBX
; resolve issues with DTMF


VOIP USER 1 AUTH ID: asterisk
VOIP USER 1 DP: none
VOIP USER 1 PASSWORD: 012345678901

PSTN RING THRU LINE 1: no ; incoming calls do not ring LINE1

PSTN ANSWER DELAY: 5 ; answer incoming PSTN call in X sec
; need to allow time for CALLER ID
; if no CID, you can safely set to 0
; was set to 16

Note regarding FAX transmissions

We have not been able to successfully receive fax transmissions using this configuration, but not for lack of trying. We were also attempting to use a Digium TDM card to accept faxes for a while, with mixed results. We finally concluded that faxing capabilities of Asterisk were not reliable enough for production. Rather than moving to an Asterisk Fax solution, we moved from our older *NIX fax server to an online fax provider who accepts our faxes and forwards them as PDF images.

2006/10/15 – Jason Klein

Patching OneOrZero Helpdesk Software (PHP/MySQL) to Support Multiple LDAP Base DN records in Novell NDS

This article demonstrates a working configuration of OneOrZero helpdesk that was setup to authenticate to Novell NDS via LDAP. I wrote a simple patch for OneOrZero that is designed to accept multiple Base DN records and search through each record for the requested username (uid).

Configuring OneOrZero to Authenticate to Novell NDS via LDAP

First, I should describe the customer’s tree. When viewing the tree from within Console One, I see something similar to the following:

[sourcecode language=”bash”]

Unfortunately, OneOrZero is not compatible with this tree design. Instead, OneOrZero expects a tree desigin similar to the following. While the following is the recommended way of configuring an NDS tree, I occassionally see trees structured without a Base Container.

[sourcecode language=”bash”]

Here is the LDAP portion of the configuration file (configuration/website_settings.php) for the first example. This configuration should work for anyone using Novell eDirectory 8.7 with modifications only to ‘ldap_host’ and ‘ldap_rootdn’. This configuration does not require an ‘ldap_domain’ since this setting is only required for Active Directory. This config does not require an ‘ldap_binddn’ or an ‘ldap_bindpwd’ since these settings are not required for anonymous binding to the LDAP directory. If the tree had been created with a base container as shown in the second NDS example, I would change the ‘ldap_rootdn’ from ‘o=container1’ to ‘o=basecontainer’.

[sourcecode language=”bash”]
auth_method = “LDAP”
ldap_host = “”
ldap_domain = “”
ldap_binddn = “”
ldap_bindpwd = “”
ldap_rootdn = “o=container1”
ldap_searchattr = “uid”
ldap_fname = “givenname”
ldap_lname = “sn”
ldap_uname = “uid”
ldap_email_add = “mail”
ldap_office = “l”
ldap_phone = “telephonenumber”
ldap_context = “dn”

Patching OneOrZero to Search for Username in Multiple Root DN records

When using an tree structure similar to the first NDS example, this configuration will only allow users within Container1 to access the OneOrZero helpdesk website. I have written the following patch (for common/common.php) that will allow OneOrZero to accept multiple ‘ldap_rootdn’ records and will search through each Root DN for the username that is attempting to authenticate.

[sourcecode language=”bash”]
[root@web html]# diff common/common.php common/common.php.orig
< // 2006-07-25 : dni/jrk < // OoZ Patch : Support for multiple Root DN records, separated by ";" delimiter < // without modifying existing lines of code. Could do better job of recycling < // data retrieved from LDAP. We currently discard data and query a second time < // using the original code to search the correct Base DN. < < // If delimiter ";" exists in 'ldap_rootdn' setting, search for username in each DN < if ( strpos($ldap_rootdn , ";") ) { < $ldap_rootdn_recs = explode(";",$ldap_rootdn); < foreach( $ldap_rootdn_recs as $ldap_rootdn ) { < $sr = ldap_search($ldapconn, $ldap_rootdn, $filter, $justthese); < $info = ldap_get_entries($ldapconn, $sr); < if ( (!(!sr)) && ($info["count"] > 0) ) {
< // Username exists in current DN. Stop searching and use this DN. < break; < } < } < } < unset( $sr , $info , $ldap_rootdn_recs , $ldap_rootdn_rec ); < [/sourcecode] The diff above shows you that the following lines were added to common.php starting at line 167. If you backup your common.php file and run a similar diff command after patching the file, you should receive similar output. The LDAP section of the OneOrZero configuration was changed as follows to provide multiple Root DN records. When used in conjunction with the patch shown above, this new setting will cause OneOrZero to search for the username within each container listed (Container1, Container2, Container3, etc). Although the containers could be listed in any order, you should list containers with the most users first (for performance reasons), since the containers will be searched in the order listed until a username is found. [sourcecode language="bash"] auth_method = "LDAP" ldap_host = "" ldap_domain = "" ldap_binddn = "" ldap_bindpwd = "" ldap_rootdn = "o=container2;o=container3;o=container1" ldap_searchattr = "uid" ldap_fname = "givenname" ldap_lname = "sn" ldap_uname = "uid" ldap_email_add = "mail" ldap_office = "l" ldap_phone = "telephonenumber" ldap_context = "dn" [/sourcecode] LDAP Agent for Novell eDirectory (10554.24) OneOrZero v1.6.5.2 patch 2 ( ( 2006/07/25 - Jason Klein

Windows Terminal Server Printer Driver Compatibility

We are often asked to assist with printer configuration in Terminal Server environments. This article provides a brief list of the native printer drivers we have successfully used with numerous “unsupported” printers. This driver compatibility list is helpful since Microsoft and others recommend you avoid using third-party printer drivers on your Terminal Server. You should only use the native printer drivers provided by Microsoft to ensure system stability (ie: avoid blue screens and other unnecessary errors).

Physical Printer Client Compatible Driver Server Confirmed
Canon PC1200/iC D700 WinXP had to use redirection Win2003 2006/07/20
HP PSC 1400 WinXP hp deskjet 3320 series Win2003 2006/07/20

If you find a native driver that is compatible with the printer AND is available on both the RDP server as well as the RDP client, then you should install a second printer on the client that uses this driver. We normally rename this second printer to match the original printer name and then add a “(TS)” suffix to the printer name. Remember that you must also install this printer driver on the Terminal Server before automatic printer mapping will occur. The simplest way of doing this is to create a printer with this driver on an unused port (ie: LPT3) and then remove the printer. The necessary driver files will be installed during creation of the printer.

2006/07/21 – Jason Klein

Setup Solomon IV client in Terminal Server 2003

We are often hired to assist customers with application compatibility issues on Windows Terminal Server. We use a variety of methods to determine why an application is not working (properly) on a Terminal Server. Today, I was tasked with configuration of the Solomon IV client on Windows Terminal Server 2003. The application was returning numerous errors, mostly while trying to use Print or Print Preview functionality. The Solomon IV server had already been properly installed and configured and had already been used to successfully install the Solomon IV client on standard Windows workstations. This article assumes you are also to this point and only addresses installation of the Solomon IV client onto a Terminal Server.

Begin by mapping a drive to the Solomon IV share on your file server. We setup our login script to map the “S:” drive to the “\\exfs01\sol32” share.

Next, we will install the Solomon IV client on the Terminal Server by opening “Add/Remove Programs” and clicking the “CD or Floppy” button. Then, we browse to the SETUP.EXE file on the mapped drive. In our case, the path was “s:\rms\sol32\wrkstn\setup.exe”. We HIGHLY recommend you reboot the terminal server immediately after any software installation. Traditionally, it has been important to use the “Add/Remove Programs” menu while installing software on a Terminal Server to automatically enable INSTALL mode. You can manually change to INSTALL mode with the change command (run “change user /?” for details).

At this point, you will most likely receive the following error when you try to click Print or Print Preview within Solomon IV.

Crystal Reports Helper Application for Solomon IV

Cannot start print job.
Report: s:\rms\sol32\ao610dp.rpt
Crystal Print Engine Error: 0 - Error in formula ,
The ) is missing.

You may also receive missing file errors for “p2lodbc.dll”, “p2sodbc.dll”, and/or “u2fodbc.dll” when you try to run certain queries and/or printing filters.

If you receive either of these errors, execute the following batch file while logged into Terminal Server as a Solomon IV user. Each user must execute this script. We made the script available through the user Start Menu within Terminal Server sessions as “Repair Solomon IV” and instructed each user to run the script if/when they encountered the above errors. The script simply copies required files from the Solomon IV network share to the necessary directory within each user profile.

@echo off

cd \
mkdir "%HOMEPATH%windows\"

mkdir "%HOMEPATH%windows\crystal\"
copy /y c:\system\sol32\crystal\* "%HOMEPATH%windows\crystal\"

mkdir "%HOMEPATH%windows\system32\"
copy /y c:\system\sol32\system32\* "%HOMEPATH%windows\system32\"

The contents of the CRYSTAL directory in this example were copied from “s:\rms\sol32\wrkstn\windows\crystal\”, and the contents of the SYSTEM32 directory in this example were copied from “s:\rms\sol32\wrkstn\windows\winsys\” AND from “s:\rms\sol32\wrkstn\windows\winsys\register\”. You could modify the script to copy all files directly from these directories into the corresponding directories in the user profile. You could also modify the script to copy files only if they are missing and then launch the Solomon IV application. The Solomon IV icon could then be pointed to the script (instead of the .exe) and automatically resolve this missing file problem for new users.

The errors listed above were immediately prevented / resolved after copying these files to the user profile.

Solomon IV version 4.21SP2.1465

2006/07/20 – Jason Klein