
Category: Networks


Fight Back! (When VPN Clients Mis-Behave)

23 July, 2008 (12:20) | Mac, Networks | By: benjamin

I have to use VPNs at work. Specifically, to access my production webservers (etc.), I have to use a Cisco VPN client. Sadly, the VPN concentrator overrides my choice of allowing local LAN access. So, when I am on the VPN, my DNS options are changed so I can’t use any local servers. This is a serious, serious pain. So painful, in fact, that many times instead of fighting with it I would simply run a Windows session in VMware (on my Mac) and connect the VPN there. This has drawbacks too, but it’s better than not having local network access.

So I set out to find a solution and I found a post by loudhush which described using scutil to modify the DNS network settings after connecting to a Cisco VPN. This was great, but I needed something a bit handier.

So, I cranked out the following which goes in my /Users/username/.profile:

# .profile or .bash_profile
# Connect to the Cisco VPN from the command line, then push the DNS override.
# vpnclient stays in the foreground, so myworkdns only runs once the client
# has been suspended (CTRL+Z) or has exited; see the usage notes below.
function myvpn {
    vpnclient connect VPNPROFILENAME user MYVPNUSERNAME
    myworkdns
}

# Rewrite the DNS dictionary the Cisco client installs under State:, putting
# the local DNS servers and search domains back. scutil reads its commands
# from stdin; the whole sequence runs as root via sudo.
function myworkdns {
    printf "get State:/Network/Service/com.cisco.VPN/DNS\nd.add ServerAddresses * 192.168.1.252, 192.168.1.198\nd.add SearchDomains * example.com, other.example.com\nset State:/Network/Service/com.cisco.VPN/DNS" | sudo scutil
}

These are bash functions which I run from the command line. (I also find the Cisco client GUI to be a pain, and prefer the command line.)

So, obviously, you’ll need to substitute your Cisco VPN profile name (found in /etc/opt/cisco-vpnclient/Profiles), your VPN username, your DNS server IP addresses, and your DNS search domains for the placeholder values.

To use it, open Terminal and type myvpn. The VPN client will prompt you for your username and password. You’ll then have to hit CTRL+Z to suspend the VPN client so the script can run the DNS updates; this part uses sudo to run the command as root, so you will probably need to type your Mac password immediately after hitting CTRL+Z. If you don’t want to bother with the command line VPN client, you can just use the Cisco VPN client GUI and then run myworkdns from Terminal, which will still probably prompt you for your Mac password.
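The same override, as an added example that is not code from the original post: it builds the scutil command sequence from the post's State: key, rejects malformed server addresses before anything runs as root, and prints what the resolver actually uses afterwards. It assumes scutil takes array elements separated by whitespace (so the commas from the post are dropped) and that the key name from the post is the one the Cisco client installs; only the apply step needs macOS.

```shell
#!/bin/bash
# Added example, not the original post's code. Assumption: the Cisco client
# stores its pushed DNS settings under this State: key (as in the post).
VPN_DNS_KEY="State:/Network/Service/com.cisco.VPN/DNS"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  local ip="$1" octet n=0
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
  local IFS=.
  for octet in $ip; do
    n=$((n+1))
    [ "$octet" -le 255 ] || return 1
  done
  [ "$n" -eq 4 ]
}

# Print the scutil script that replaces ServerAddresses and SearchDomains in
# the VPN DNS dictionary. Args: "server1 server2 ..." "domain1 domain2 ..."
# Assumption: scutil's "d.add key * v1 v2" takes whitespace-separated values.
build_scutil_dns_script() {
  local servers="$1" domains="$2" s
  for s in $servers; do
    is_ipv4 "$s" || { echo "bad DNS server address: $s" >&2; return 1; }
  done
  printf 'get %s\n' "$VPN_DNS_KEY"
  printf 'd.add ServerAddresses * %s\n' "$servers"
  printf 'd.add SearchDomains * %s\n' "$domains"
  printf 'set %s\n' "$VPN_DNS_KEY"
}

# Apply the override (macOS only; needs root), then show the live resolver
# configuration so the change can be confirmed rather than assumed.
myworkdns() {
  build_scutil_dns_script "192.168.1.252 192.168.1.198" \
    "example.com other.example.com" | sudo scutil || return 1
  scutil --dns | grep -E 'nameserver|search domain'
}
```

If `scutil --dns` still shows only the concentrator's servers, the client has rewritten the key again (it does so on every reconnect), so rerun myworkdns.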

Hope others find this useful. If I find a cleaner way, I’ll post that too.

Beating the Cisco VPN Client Error 51 On Leopard

22 July, 2008 (10:10) | Mac, Networks | By: benjamin

I had this error pop up today on my Mac OS X Leopard 10.5.4 machine.

Cisco VPN Client Error 51

This is not cool as, well, I NEED MY VPN TO WORK!

Thankfully Google came to my rescue. The solution is to execute the following in Terminal:

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

Thanks for the answer, VirtuallyShocking.com.

Investigating OpenID

27 May, 2008 (09:02) | Coding, Networks, Web | By: benjamin

Aaron (one of my co-workers) recently posted a link about OpenID. I’ve given OpenID only cursory glances over the last year, but the Coding Horror link in Aaron’s post had a comment pointing to this Google Video, where Simon Willison gives a Google Tech Talk on The Implications of OpenID. The video is nearly a year old, but to date it’s done more to convince me to get on the OpenID bandwagon than anything else.

Advertising Linux Services via Avahi/Bonjour

27 January, 2008 (16:20) | Linux, Mac, Networks | By: benjamin

In my last post I outlined how I followed others’ directions to enable netatalk on Linux and Time Machine backups to a shared AFP folder. Originally, I also described how to put all your shares on netatalk. I suppose if you only have Mac clients or you REALLY want to use AFP, you can do so. As I worked with files over AFP shares, I started noticing that the performance seemed to be quite bad. No, I didn’t benchmark, but copying large video files to a shared folder over my gigabit network was substantially slower over AFP (netatalk) than over CIFS/SMB (samba). I use my network shares pretty heavily, so this was a concern. Also, netatalk tries very hard to replicate an HFS filesystem, complete with resource fork support. This means that your shared directories end up with lots of extra folders named “.AppleDouble” (and a few others) containing Mac-specific info. (Note: even on CIFS you’ll get the “.AppleDB” folders unless you disable a setting in Finder. I can deal with .AppleDB better than .AppleDouble AND .AppleDB.) So, because of these two issues, I decided to try using CIFS and samba again.


Time Machine backup to Linux via Netatalk

24 January, 2008 (01:26) | Linux, Mac, Networks | By: benjamin

So, when I got the upgrade from Tiger to Leopard on my MacBook Pro, I was looking for a good backup solution. I’ve used rsync in the past, but when I saw that Apple had a new Time Machine backup tool, I was curious to give it a shot. The catch is that you basically needed an external USB or FireWire drive, until they recently came out with the Time Capsule. Anyway, tonight I got the itch to really see if I could make Time Machine work without buying extra hardware. I mean, seriously, I’ve got a good hunk of mirrored disk sitting on my home server; that seems like a good place to do backups.
Some googling found me this link to a blogger who’d done it!
I’ll make my own version of this post, since I had a few differences from the original where I found the info.


Network Directory Services

6 October, 2007 (15:00) | Networks | By: benjamin

Network directory services are core to Internet functionality. The Domain Name System (DNS) provides a global (and/or local) directory of hosts and services. Lightweight Directory Access Protocol (LDAP) servers can provide some of the same information as DNS (or be used to back DNS), but are more frequently used to create network user databases, to store user group information, and to provide centralized account information and password storage.

I recently completed an upgrade of these two core services on a network I manage. We had been running outdated (but functional) BIND v8 and OpenLDAP v2.0 instances as our DNS and LDAP servers. Also, throw a Windows Server 2003 into the mix, which, as an Active Directory domain controller, has to run its own DNS and LDAP (AD is tweaked LDAP) servers.
