Introduction

Are you ready to go down the rabbit hole? To visit a surreal world, where black is white and white is carrots?

A friend, Metacognician in Shanghai, describes the situation as follows: “Life is more absurd than movies. I've gone down the rabbit hole too, when it just becomes more and more strange and you wonder how that all is supposed to make sense.” I asked him if I should just embrace it. He answered, “Why should you ... change the universe?”

It started with a psychotic named Jim Kiraly who resides, we think, at 6329 Twinberry Circle, Avila Beach, California.

Jim Kiraly is a respected citizen. A churchgoer. A Vice President of Transamerica Corporation. And a violent abuser who tried to use an emergency anti-violence measure, one intended to protect battered women, to stop his victim in a wheelchair from writing a book.

Concise enough? :)

For attorneys: Jim Kiraly filed for CLETS against his son and victim, who lived 200 miles away, did not own a car, and was in a wheelchair. His son and victim was not asked to end communications. Jim had no (zero) specific and relevant allegations that were not perjury. But he turned down repeated offers of no-contact and a signed stipulation that gave him everything but CLETS. He insisted on CLETS if his victim ever once “discussed” him with third parties.

In the end, Jim Kiraly signed an agreement far weaker than the ones he'd been offered.

A review of Court paperwork and other materials will tend to confirm that Jim and other parties, including attorneys on all sides, committed multiple felonies, crimes, and faux pas. :P

The word “abuser” is stated here publicly and without equivocation. A formal offer is hereby made to reaffirm the word in writing and under oath. Attorneys will understand the significance of the point. In short, there is little terror of a threatened defamation suit on this side. Actually, we feel that such a suit will fit nicely up Jim Kiraly's abuser ass.

Jim has one son, Ken Kiraly, who invented the Amazon Kindle and is one of the leads at Amazon's secret Lab126. Another son, Tom Kiraly is one of the leads, a Vice President-CFO type, at medical insurance firms, including one of the largest, Humana Corporation.

These people and some of the biggest names in Silicon Valley legal circles have committed or are involved in multiple crimes.

For the next decade or two, we're going to explore the crimes that these people committed, the motivations and the denial involved, the background and histories that led each person to make the choices that they did, and ways to build upon what happened and move towards positive societal goals.

There's plenty to go over. These people committed or were involved in: Spousal abuse, child abuse, DDOS (a highly prosecutable violation of CFAA), extortion, perjury, conspiracy to commit perjury (a possible felony), false police reports, conspiracy to file false police reports (a possible felony), unlawful threats, barratry, defamation, malpractice, civil harassment, criminal harassment, abuse of process, and violations of SCCBA Professional Standards.

The point was to force Jim's oldest son and victim, me, to sign a gag order. I was in a wheelchair. I'd never made a single inappropriate threat against my abuser. I wasn't even asked not to call anybody. But Jim threatened to put me in a violence database unless I agreed never to write about him.

I won the right to write, but I lost my home of 25 years, most of my possessions, my chances for retirement, everything. Everything but a realization.

I can make a difference. I can conduct research for legitimate and reasonable purposes, document what happened, and analyze the choices of the people involved:

Maggie told me that she didn't know what she could say to me about what happened. However, we have decades to work it out. It will be productive. I'd like to direct the attention of attorneys and other parties to the:

Legitimate and Reasonable Purposes List

Questions or comments are welcome. For technical notes and disclaimers, click here.

Free Downloads


The current free ebook is located at this link:
http://haggishell.com/ridgeproject.pdf

For details about the ebook, click here.

131101 Friday — More Kiraly Cases Irony

Tags: cases kiraly tech
A full Kiraly Cases tags system will be added in 2014.


131101. The Kiralys and/or their associates tried to portray me as a “hacker”. Without making a single specific accusation. Then they themselves set up a highly illegal Botnet. Irony enough.

As it turns out, I only know a bit about such matters. But perhaps they should have thought things through. Honest to God, with no disrespect to Him intended, how did Jim Kiraly of Transamerica Corporation and Tom Kiraly of Humana Corporation and Sheridan Health Care expect this to play out? What did they think would happen?

They are involved with a highly prosecutable felony now. And I happen to be neurodiverse and good at patterns. A fact they've known for half a century. Somebody who is able to learn lawful and appropriate ways to deal with Botnets. And to Gather Information for Legitimate Purposes.

As always, potential attorneys for any person or side are invited to review the Legitimate Purposes list at the following link:

Legitimate Purposes for Gathering Information

On a separate and unrelated note, a recent conversation with a white hat follows.

The illustration below the post is distributed under the following license. For attribution purposes, the creator and rights holder is Bakushade:

Creative Commons Attribution Noncommercial No Derivative Works 3.0



<OldCoder> I did not explain the redacted hacker place trick. Shall I?
<Hiro> that would be nice :)
<OldCoder> OK

<OldCoder> It was accidental, sort of. First, you are *not* Transhumanist? In exchange for how your minor secret was revealed, be open with me.
<Hiro> i am not

<OldCoder> We talked a while back. How do you assess me now?
<Hiro> you seem a little better
<OldCoder> Better and worse
<Hiro> you were scattered then
<OldCoder> I may not live long. And I am scattered at times.

<OldCoder> Do not be too quick to judge me negatively. I assume that Transhumanist has, as he has not talked to me in a year. Why will you speak with me? And he will not? It is a rhetorical question.

<Hiro> alright
<Hiro> so what trick did you use in order to locate redacted hacker place

<OldCoder> The answer is trivial. It does not involve Transhumanist though it is an odd coincidence that he turned up there. The following bit is a favor to you. Minor, but a favor regardless.

<Hiro> alright
<OldCoder> Fix your goddamn bookmarks. You have a bookmark or link that usually logs you in to redacted hacker place. You used that to jump over to ME.

<Hiro> i think that makes sense
<OldCoder> Bad move, Mr. Hacker! :P
<Hiro> ha
<OldCoder> ^ Offered in good faith
<Hiro> of course
<OldCoder> I hope to talk further

<OldCoder> Will you say hello to Transhumanist for me?
<Hiro> i have not met him though i have spoken to him
<OldCoder> We are not friends but we have never fought


Hackers do not really look like this. But who am I to spoil the fun? BTW I'd like to hire some white hats.
Hacker

131101 Friday — Silly and Serious

Tags: general
A full Kiraly Cases tags system will be added in 2013.


131101. The conversations below are part of a sidebar to the Kiraly Cases.

The illustration below the post is distributed under the following license. For attribution purposes, the creator and rights holder is Blazbaros:

Creative Commons Attribution Noncommercial No Derivative Works 3.0

There's more humor here than usual for a Kiraly Case matter. Bedivere didn't want to talk, but he insisted on talking for an hour. I wanted to talk, but I told him for an hour to go away and sleep. It's like one of the more lightweight Monty Python sketches.

Humor or not, though, the issues involved are worth thinking about.

Bedivere is intelligent. He has integrity. We might have become friends. But that was ruled out by the Kiraly Cases. The conversations below took place on a recent night. At the start, he has just revealed that he has returned.

Bedivere was an employee of Amazon Corporation in mid-2012. In these conversations, he alludes briefly to Amazon's connection to the Kiraly Cases.

However, Bedivere was not one of Ken Kiraly's associates. Ken, for those who are new to this nonsense, was the inventor of the Amazon Kindle. And, in a regrettable move by God, Ken was my little Brother.

Bedivere also was not a member of the Amazon Corporation associated group that stalked and harassed me. Those were your people, Ken Kiraly, weren't they?

I don't think the Amazon Corporation connection is significant in this instance. But these conversations are about something that matters.

People are animals. Who reach for the stars. It is an interesting combination.

When the Kiralys came after me to stop the book, people I'd helped turned on me. They decided things based not on facts but on the Fur. The principle that facts don't matter. That people are to be judged based on group affiliations. On whether or not somebody has a “place” in the world.

A place that is defined not by what somebody does. But by who loves somebody. And by who hates them.

If those in power wish somebody gone, and resources are brought to bear, the target ceases to have an identity. No reason is needed. Others need only be aware that in some unspecified way, the target is “bad” and must be shunned.

Or must die.

This is not unusual. It is one of the forces that defines human society.

The text below has been edited for length, for clarity, and to address concerns that Bedivere expressed. In some cases, as IRC is asynchronous, questions and answers have been moved so that they are adjoining.



<Bedivere> Nick redacted
<OldCoder> You?
<Bedivere> yup
<Bedivere> just figured that out
<OldCoder> You are different

<OldCoder> I often talk about you
<Bedivere> i told you i have had a hard time recalling things
<OldCoder> You are the one who I helped a little and who then told me... “I leave you now, Robert, to your death”
<OldCoder> Do you remember that? If that was you... you apologized later

<Bedivere> i do recall that, yes
<Bedivere> i did apologize
<OldCoder> You seem different
<OldCoder> Did you change? What happened
<Bedivere> i feel different

<Bedivere> i feel fine, i still get odd pains now and again
<OldCoder> Pain happens
<Bedivere> but i mostly find peace with it now
<OldCoder> I never did understand... if that was you... what was the whole greeting my death thing about? I never did anything wrong.
<OldCoder> If you are objective and can explain, what was it about?

<Bedivere> a wealth of things complicated
<Bedivere> but i don't feel much room to honor what was said
<OldCoder> You ARE him
<OldCoder> That is exactly how he would talk
<Bedivere> uh huh

<OldCoder> “room to honor what was said”
<Bedivere> no need to dig up artifacts
<OldCoder> What does that mean? And I don't get an explanation, just the apology of a year ago?
<Bedivere> you just seemed insistent to know
<OldCoder> Know what?
<Bedivere> under what nicks we had spoken

<Bedivere> do you know why i changed my nicks so many times?
<OldCoder> hacker stuff?
<Bedivere> no
<OldCoder> So, for my book...
<Bedivere> yes? please continue

<OldCoder> In exchange for what I felt when you wished my death... you will not try to explain your feelings? Or you cannot do so?

<OldCoder> What I felt... when somebody I'd spent even a few hours helping said that. Without a cause that I was able to perceive? I have learned since then how rare it is. Even for people to spend 5 minutes. Thinking of others. I am hunted. Yet I have done nothing. And people will not explain.

<Bedivere> my suspicion is that this sort of thing will continue
<OldCoder> Go on
<Bedivere> and people will have to decide once again to raise up the bottom line for a better quality of life

<OldCoder> I loved the way you talked. What does that mean? If it is OK to ask. I am still surprised at the thought that you are him. Such a difference and yet the same.

<Bedivere> probably most like the fantasia cartoon
<Bedivere> what is there really to be said

<Bedivere> i have a compiler — it's not even a compiler anymore :) — and i am attempting to hotfix a broken web scraper
<OldCoder> Anything that will help me to understand
<Bedivere> they really shouldn't call it “scraper”, that's so derogatory
<OldCoder> If you are busy, come again another time

<OldCoder> I will not press you. But you are valuable to me.
<Bedivere> i just wanted you to know i had identified the name i went under

<OldCoder> That is fine. Have I offended you by making the connection. To a cornerstone of my story? The person who I helped and who wished my death without cause? Speak further over Time to me. It is not much to request.

<Bedivere> i did not wish that for you
<OldCoder> No harm is intended
<OldCoder> I have taken enough Time
<OldCoder> When you are able; explain what it meant and why you said it

<OldCoder> I need to understand people. I have paid a high enough price. For the privilege. Go now. Work on the scraper. See me if you need help.

<Bedivere> there's no price
<OldCoder> Oh?
<Bedivere> is it greed? was there exchange?
<Bedivere> the coincidence that i was working at amazon maybe had you compelled to share with me as you did
<Bedivere> but that had not much to do with me

<OldCoder> I am not able to follow. Greed on my part? I did not absorb that you were Amazon.
<OldCoder> I recall that you had a business of some sort
<Bedivere> and i would leave whatever it was that transpired back there with that company

<OldCoder> And problems with others under you or associates. Neither you nor I exhibited greed; the word does not apply. You were concerned about decisions. And about an IRC channel that we both viewed as significant. Foolish us. If Amazon was in the mix I did not really think about it. And you did not strike me as greedy.

<OldCoder> There was no exchange either. I gave of my time freely. I did that for everybody. But you were not the only person among those I sympathized with, and tried to help, who spoke of my death.

<OldCoder> I realized subsequently what people are. I sought to change the human condition in a small way. It will come to nothing in the end. But I wish to write of it.

<OldCoder> When you are able to speak to me further, I request this. I believe I know what people are and how decisions are made. I do need to write of this.

<Bedivere> are you able to find peace out of it
<Bedivere> respectfully, :)
<Bedivere> here i am, aren't i?

<OldCoder> In time, if I can write about it. Until I can tell the story, there will be no peace. They hunt me still with the funds at their disposal.

<OldCoder> You are here now but I suspect you yourself have not thought about the answers
<Bedivere> you are correct
<OldCoder> Go in peace and come again. Be patient. Perhaps it will be possible to find good in this.

<Bedivere> i too have a story unresolved
<OldCoder> How so?
<Bedivere> it's not the time to tell it
<Bedivere> i am better

<OldCoder> Very well. I am better and worse. I am attempting to send you away that you may come again. Go in peace and return to me.
<Bedivere> very well, be well

<OldCoder> I did pay a price... without a purchase. Redeem part of the price. I will be waiting. Good night.

<Bedivere> i don't know that you're exactly seeking fairness in this
<Bedivere> it concerns something personal for you
<Bedivere> you gave that to me unsolicited
<Bedivere> and i'll admit that i was conflicted about what to do

<OldCoder> What I seek is entirely fair. And I bend over backwards. You can't be compelled to speak with me. It must be your decision. Speak another time therefore. What conflict? What conflict is there in Truth?

<OldCoder> Please, rest. I am older than you. But you need rest as well. Come again when you are able.
<OldCoder> Help others. If you can. This is the most important issue that there is
<Bedivere> it is
<OldCoder> There is nothing in Life that matters more

<OldCoder> Do not use words such as greed again. Or seek, if you speak to me again, to dodge the core. People are what they are. The idea is to understand what that is.

<Bedivere> we'll speak another time
<OldCoder> Good
<OldCoder> Rest and reflect
<Bedivere> be well
<OldCoder> Thank you
* Bedivere has quit (Quit: Page closed)

<Bedivere> hi OldCoder
<Bedivere> resting and reflecting on this matter is tough
<Bedivere> i too have had to face difficult things with my family

<OldCoder> Do not reflect now. That was not the advice. Your Time has value. So does your life. To hear the questions is burden enough for one night. I wish you well too.

<Bedivere> i understand, faithfully
<OldCoder> Please put the matter aside. But understand...
<OldCoder> It is important. You can help people. Another Time.
* Bedivere has quit (Ping timeout: 250 seconds)

<Bedivere> please allow me space from that matter. it was bad timing. i meant only to address the name under which i had gone, and i knew it would stir your arousal. i understand that it would have made cause for what it did, and that is fine.

<Bedivere> the timing was off, but it may not have been due to the set of circumstances between you or i. there were occurrences where action simply was required. this circumstance still remains.

<Bedivere> so i only told you the name i had gone under because integrity is important to me

<OldCoder> Bedivere, to quote a S.F. movie of the 1990s, “Sleep, Now.” You have no obligation to me. Only to what may help others. Or to what may be right.

<OldCoder> If I tell you that I am pleased to hear your marvelous phrasing again, and that I mean well, will you take things in stride? I am here to help you and others before I die. I do not judge you or others save for those who hunt me. I wish you for a friend.

<OldCoder> Please rest and come again.
<OldCoder> Is this acceptable?
* OldCoder chuckles as he really has tried to be positive here

<Bedivere> i would give up lavishes to live simply
<OldCoder> As would I. I sought to do so. Let me explore the thread. Return and explore it with me.

<Bedivere> this internet thing is strange
<OldCoder> I was going to live in third world countries. I ran out of funds even to do that.

<Bedivere> but i see the strange things it causes in a way that does not yield happiness
<OldCoder> it is mixed
<Bedivere> it is

<OldCoder> See my History of the Internet
<Bedivere> so just be a little more yielding when you go there on the internet
<Bedivere> uh huh
<OldCoder> The Internet is what stands between us and tyranny

<Bedivere> interrupting my night :)
<Bedivere> it's fine
<OldCoder> Huh. I seek to send you to bed.
<Bedivere> shoosh
<OldCoder> Not to interrupt dreams
<OldCoder> shoosh yourself :P go sleep and return sometime

<OldCoder> What happened to me was unique. And it is no longer a topic for this evening.
<Bedivere> it's hard to tell i guess
<OldCoder> What is hard to tell?

Side issue redacted
<OldCoder> Your very dialect is gold
<Bedivere> that's not important

<OldCoder> What is important, then?
<OldCoder> Friends are
<OldCoder> Doing good is
<Bedivere> i don't care to piss around with you about that
<OldCoder> The Truth is most important, Bedivere
<OldCoder> There is no piss

<OldCoder> I am in a calm and reflective mood. Life matters to me though I may lose it. I will accomplish something before I go.

<OldCoder> Speak to me again and see me as human. Friendly and honest. I was not made for any of this. I sought to do good.

<OldCoder> The price will be fierce. And it is not your burden.
<Bedivere> vain romantic, OldCoder
<OldCoder> Vain, no
<OldCoder> Romantic, too late

<Bedivere> it started somewhere
<OldCoder> I am the Mechanical Boy
<OldCoder> But I am real at last
<Bedivere> pencils in the shirt pocket
<Bedivere> there you go
<OldCoder> Oh, yes
<Bedivere> go on then

<OldCoder> Hm? pencils in the shirt pocket. What about them? Braces, too. Retainers. Fall to the ground. Clumsy kid.

<OldCoder> Not sure I follow
<Bedivere> nothing to follow, really
<OldCoder> All right. You should have been asleep long since.
<OldCoder> Vain... No
<OldCoder> Romantic... 40 years ago

<Bedivere> you sure output a lot
<OldCoder> That boy died and that part of him did not return
<OldCoder> Huh... *You* are the one who is verbose this evening
<OldCoder> Are you referring to the weblog?
<Bedivere> yup

<OldCoder> Heh. It is getting better.
<Bedivere> it is
<OldCoder> Started out as clumsy as the boy
<Bedivere> thankfully
<OldCoder> heh
<Bedivere> ha

<OldCoder> Look, you try learning to write again under these conditions
<OldCoder> I don't recommend it
<OldCoder> But it has been educational
<Bedivere> i've done the same thing
<Bedivere> it was not fun
<OldCoder> Written?
<Bedivere> yup

<OldCoder> Make your choice... you are the one pressing at this time
<Bedivere> but i guess we've all had a strange adjustment
<OldCoder> How so?
<Bedivere> i don't understand it enough to comment
<OldCoder> I would not expect it

<OldCoder> Can you not take my advice; that you put this aside for now? I wish you for a friend as I need friends. To remain alive.
<OldCoder> Let the conflict settle for now. Go to sleep.

<Bedivere> you are a nice man, but in this matter you are far too complicated for taste

<OldCoder> If you dream, dream of an Old Coder who is what he is. It is not my concern that I be suitable to your taste or any other.

<OldCoder> This is a world that I never made. I sought nothing but to live and to do so simply. Even this was denied me. And to talk about it... That is a crime indeed.

<Bedivere> sometimes i think inaction is the best form of protest
<OldCoder> Now *that* should be explained someday

<Bedivere> do you see how needy this is though?
<Bedivere> i wish to treat the elders well
<Bedivere> but the young have a lot of tending needed
<Bedivere> do you see this conflict you're giving me?

<OldCoder> You fumble about looking for an exit from the Truth. When I have made no demands of you. Save that you rest. And try to help people.

<Bedivere> your words demanded my presence
<OldCoder> Young? One moment...
<Bedivere> i have my own pains
<OldCoder> I would not doubt it. One moment please.
<OldCoder> http://christfollower.me/images/me.jpg

<OldCoder> There is the boy who was killed 40 years ago. It happens. He was a ghost who looked out through my eyes. And wept.

<Bedivere> you're an odd person
<OldCoder> Is there anybody who is not?
<OldCoder> Speak not to me of the young... but I ask you to be happy and to rest

<Bedivere> some people lose their way
<OldCoder> Is there anybody who does not?
<Bedivere> and we return where we were before

<OldCoder> If only. No man crosses the river twice. To be trite but true.
<Bedivere> and whatever river you happen to be on
<OldCoder> For it's not the same river and he's not the same man

<Bedivere> i leave you to it and i see not where it goes
<OldCoder> There is no going back
<OldCoder> “Leave to it...” It is worded politely
<Bedivere> it is
<Bedivere> more politely than the last
<Bedivere> but the same words nonetheless

<OldCoder> Help those who you can. And face the truth when you are able to. Not the same words at all. I wish to live. I help when I can. Who will even speak of the Truth? I understand the answer now. Better than in the past.

<Bedivere> alrighty
<Bedivere> guy's gotta get his sleep
<OldCoder> Yes you do
<OldCoder> As I have been saying for an hour

<OldCoder> Task me not with *that* point. Why was it you felt compelled to talk?
<Bedivere> nope
<Bedivere> not going there
<OldCoder> I will refrain from asking of what you are speaking

<OldCoder> As I have said repeatedly, go to sleep
<OldCoder> Come again if you wish to help. Not me but all people.
<OldCoder> I will sign off now as you will not sleep otherwise
<Bedivere> likely
<OldCoder> That is not my burden to carry
<Bedivere> i need my rest :)
<Bedivere> it is not?

<OldCoder> I leave you now to your rest. Heh. Is that acceptable? I leave you now to be happy. To dream of the future. To return when you are able.

<Bedivere> tired people
* OldCoder has quit (Quit: Page closed)



<MaskedLua> that was an odd conversation
<OldCoder> Yes
<OldCoder> He is an odd sort. I tried to help him. He thanked me. And said to die.

<MaskedLua> hmmm... I don't get why however

<OldCoder> It has been an odd 2 years. And he is not the only person. Who wished somebody who tried to help to die. And who cannot articulate why.

<MaskedLua> lets save those thoughts for tomorrow, I have a reason I think is plausible but can't articulate it correctly tonight, and I need to be headed to bed

<MaskedLua> also, death in regards to those I care about is a subject that I dislike to contemplate, it is hard to imagine anyone I care for dead
<MaskedLua> good night

<OldCoder> Do not leave on that note. This is a good person. He is troubled by the issue. When you say good-night to me. Or to the world. Reflect on more than one thing. Seek balance.


Bedivere of Amazon Corporation
Bedivere discusses the Kiraly Cases

131027 Sunday — Masked Lua Network Class

Tags: network tech
A full Kiraly Cases tags system will be added in 2013.


131027. If the Kiralys come after you with a Botnet, it's good to know somebody like the Masked Lua.



Good evening, I am the Masked Lua.

Recently I had some server troubles (self caused). They revolved around one silly idea that we knew must work and that we had to learn how to do.

We accomplished the idea, though there was a good deal of trouble associated with it. We would like to thank our kind server host for being there (somewhat) in person to physically reboot our server every time we made a mistake that locked us out.

The issue is about OpenVPN.

OpenVPN is an open source project that does VPNs and is an extension in some senses upon traditional VPNs. It has pros and cons like any solution.

As a technical note, OpenVPN requires a VPN account with a VPN company in order to work.

There are other VPN protocols, such as a proprietary one from Cisco and IPsec, which provides secured communications between two sites such that you are inside the remote network while connected.

You can see VPNs in use at educational environments, companies that have remote workers, by people who want to hide who they are, and for special purposes.

In my case, I needed a VPN to establish a static IP address. Due to my network setup, without a VPN, I could not have had a fully operational static IP. I could have had a static IP. But it would not have had a full set of ports and would have lacked UDP.

I chose OpenVPN because it was free, open source, worked on Linux, and would do what I needed.

The primary problem was this. We had obtained a new static IP, and that static IP was provided to us through OpenVPN. The thing is, after OpenVPN started, connections via the physical network interface, i.e. the original physical adapter, no longer worked.

Any existing connections or new attempted connections over the physical interface went to /dev/null in a manner of speaking.

We looked at many things, tried many things, and many things came up as a dead end.

Upon research, we noticed first of all that after OpenVPN was started a new interface had appeared. The interface was named tun0.

We also observed that new routes had been set up by the OpenVPN server. It had changed the routing tables. Old entries were still there but some were different in unexpected ways.

For example, OpenVPN subverted the default route, or at least made things more confusing. Initially, the system had routed 0.0.0.0/0 to a physical interface named enp3s0. As 0.0.0.0/0 matches everything, this made enp3s0 the default gateway.

But OpenVPN pushed a new rule through to the client side, my system, that routed 0.0.0.0/1 to OpenVPN gateways. Specifically, 10.29.112.5 or 10.29.112.6. The new rule was inserted above the old default rule. As 0.0.0.0/1 matches a large number of IP addresses, this meant that OpenVPN had preempted the default.

We needed to understand this. So we set off to play with routes. We managed to lock ourselves out many times before we realized that we needed a routing table per device.

Hold on there, read that again: a routing table per device. We researched and looked through the Internet and found documentation desperately lacking, but we did find one hopeful thing that might help us:

http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html

Reading through that page, we started our journey.
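The "routing table per device" idea in the form the linked LARTC chapter describes, written out here as an added example rather than the Masked Lua's own script. A second routing table holds only enp3s0's routes, and a policy rule sends any packet whose source address is enp3s0's address through that table, so replies to connections that arrive on the physical NIC keep leaving via 192.168.1.1 even after OpenVPN has put its 0.0.0.0/1 route into the main table. The interface, address, network and gateway are taken from the ip addr and ip route output later in this post; the table number and rule priority are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the post's own script: a per-interface routing table
# for enp3s0 plus a source-address policy rule that selects it.
# Interface, address, network and gateway come from the post's ip addr and
# ip route output; TABLE_ID and RULE_PRIO are this example's own choices.

LAN_IF="enp3s0"
LAN_IP="192.168.1.22"
LAN_NET="192.168.1.0/24"
LAN_GW="192.168.1.1"
TABLE_ID="100"      # assumption: any unused table number (1-252)
RULE_PRIO="1000"    # assumption: consulted before the main table (priority 32766)

# DRY_RUN=1 (the default) prints the commands instead of running them, so the
# plan can be reviewed before it is applied as root with DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_lan_table() {
    # Link route first: the table must know how to reach the gateway itself.
    run ip route add "$LAN_NET" dev "$LAN_IF" src "$LAN_IP" table "$TABLE_ID"
    run ip route add default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_ID"
    # Source-based selection: packets sourced from the LAN address use the new table.
    run ip rule add from "$LAN_IP" table "$TABLE_ID" priority "$RULE_PRIO"
}

teardown_lan_table() {
    run ip rule del from "$LAN_IP" table "$TABLE_ID" priority "$RULE_PRIO"
    run ip route flush table "$TABLE_ID"
}

case "${1:-}" in
    up)   setup_lan_table ;;
    down) teardown_lan_table ;;
    *)    echo "usage: [DRY_RUN=0] $0 up|down" ;;
esac
```

Run it once with the default dry run to see the three commands it would issue, then with `DRY_RUN=0 ... up` as root. Locally originated traffic that does not bind a source address is unaffected: it still consults the main table, where OpenVPN's 0.0.0.0/1 route sends it out through tun0, which is the behaviour the VPN is meant to provide.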

The rest of this post shall discuss the state of our network before VPN, after VPN, and after VPN plus changes. The discussion is intended to benefit those who wish to learn. It is presented such that they can see how all the information was gleaned to create the change.

The OS used for experiments was Arch Linux. The utility used was primarily ip.

Note that because I was running a dual port Ethernet card and some virtual machines, I likely had more interfaces than were necessary for some purposes. Another important note is that we were using a TUN VPN, not a TAP one.

OpenVPN, the type of VPN that I used, supported either a TUN or a TAP connection. TAP connections seem common in some places and TUN overall seems prevalent in others. TAP sends packets between the client and server totally encapsulating an Ethernet frame, resulting in TAP having a higher overhead.

This means that TAP and TUN work at different layers in the OSI scheme. My assumption is that TAP is working at a layer where multi-routing is inapplicable or different or difficult. I've heard of difficulties related to TAP and multi-routing previously.

TUN, by comparison, apparently works well at Layer 3, the routing layer. Additionally the VPN company that I used more or less chose TUN for me. This article is therefore oriented towards TUN.

Last but not least, read through the routing tables provided closely; they reveal a lot. For instance, no one outside a VPN company has any idea how its internal network looks. But through careful inference we can figure out enough to make our solution work. Basically, we route multiple uplinks and providers.

You will see the lines in ip route that say “via”. The part after “via” is the gateway.

The hardest part of my experiments was, and remains, writing code to get the gateways associated with an interface and an IP address, as well as getting the appropriate netmask for that interface.

When you look through ip route output and parse it with the human brain, things are fairly easy. It is natural for me. However, getting the appropriate steps done programmatically is more difficult. I continue to work on this part.
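Two things this post reasons about by eye are done programmatically below, as an added example that is not the Masked Lua's code: a longest-prefix-match lookup, which shows why the pushed 0.0.0.0/1 route wins over the untouched 0.0.0.0/0 default described earlier, and the extraction of the gateway ("via") per interface and the netmask per interface that the previous paragraphs describe as the hard part. The BEFORE table is the ip route output given later in this post. The AFTER table and the ip addr text are constructed: they add the tun0 routes the post describes (0.0.0.0/1 via 10.29.112.5), the 128.0.0.0/1 companion route that OpenVPN's redirect-gateway def1 mode pushes alongside it (not shown in the post), a tun0 link route with an assumed /24, and a host route to a placeholder VPN server address in RFC 5737 documentation space.

```python
"""Route-table helpers for the OpenVPN routing problem (added example, not the
post's code).  BEFORE_TABLE is the post's own `ip route` output; AFTER_TABLE and
IP_ADDR_TEXT are constructed to show the state after OpenVPN has pushed its
routes.  203.0.113.10 is a placeholder VPN server address (RFC 5737)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]          # gateway address, None when directly connected


BEFORE_TABLE = """\
default via 192.168.1.1 dev enp3s0
10.0.3.0/24 dev virbr1 proto kernel scope link src 10.0.3.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.22
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
"""

# Constructed: the pushed 0.0.0.0/1 and 128.0.0.0/1 routes sit above the old
# default, which is left in place but no longer reachable by any lookup.
AFTER_TABLE = """\
0.0.0.0/1 via 10.29.112.5 dev tun0
default via 192.168.1.1 dev enp3s0
10.0.3.0/24 dev virbr1 proto kernel scope link src 10.0.3.1
10.29.112.0/24 dev tun0 proto kernel scope link src 10.29.112.6
128.0.0.0/1 via 10.29.112.5 dev tun0
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.22
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
203.0.113.10 via 192.168.1.1 dev enp3s0
"""

# Constructed, condensed `ip addr` output for the two interfaces that matter.
IP_ADDR_TEXT = """\
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.1.22/24 brd 192.168.1.255 scope global enp3s0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet 10.29.112.6/24 brd 10.29.112.255 scope global tun0
"""


def parse_ip_route(text: str) -> List[Route]:
    """One Route per line of `ip route` output; 'default' means 0.0.0.0/0."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dest, strict=False)   # host routes carry no "/32"
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append(Route(net, tok[tok.index("dev") + 1], via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins, so a
    /1 beats the /0 default and a connected /24 beats the /1."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def gateways_by_interface(routes: List[Route]) -> Dict[str, Set[str]]:
    """Interface name -> set of gateway addresses seen after 'via'."""
    gws: Dict[str, Set[str]] = {}
    for r in routes:
        if r.via is not None:
            gws.setdefault(r.dev, set()).add(r.via)
    return gws


def addresses_from_ip_addr(text: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Interface name -> address with netmask, from the 'inet' lines of `ip addr`."""
    result = {}
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] == "inet":
            result[tok[-1]] = ipaddress.ip_interface(tok[1])
    return result


def default_is_shadowed(routes: List[Route]) -> bool:
    """True when both /1 halves are present, so no lookup can reach the /0."""
    halves = {r.prefix for r in routes if r.prefix.prefixlen == 1}
    return {ipaddress.ip_network("0.0.0.0/1"),
            ipaddress.ip_network("128.0.0.0/1")} <= halves


if __name__ == "__main__":
    for label, table in (("before", BEFORE_TABLE), ("after", AFTER_TABLE)):
        routes = parse_ip_route(table)
        print(label, "8.8.8.8 ->", lookup(routes, "8.8.8.8"),
              "default shadowed:", default_is_shadowed(routes))
    print(gateways_by_interface(parse_ip_route(AFTER_TABLE)))
    for dev, iface in addresses_from_ip_addr(IP_ADDR_TEXT).items():
        print(dev, iface.ip, "netmask", iface.netmask)
```

The lookup makes the post's observation concrete: after OpenVPN starts, 8.8.8.8 resolves to tun0 via 10.29.112.5 while the LAN's own /24 and the host route to the VPN server still resolve to enp3s0, which is exactly the split that a per-interface table has to preserve for inbound connections.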

I tend to find that my mind can autosolve a problem in such a way that trying to go over the steps to solve that problem becomes harder than solving the problem.

The virbr* entries are not important because 1) they existed before VPN startup, 2) they were virtual interfaces started by libvirtd for virtual machines, and 3) they had no effect on the actual topology of the two networks with direct connections to the Internet. However, entries of this type are included for completeness.

Initially:

command: ip addr produced the output:

1: lo: <LOOPBACK,UP,LOWER_UP>
mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever

enp3s0 and enp5s0 are two halves of a normal dual port Ethernet NIC. enp3s0 is connected to a LAN. enp5s0 is not connected to anything and is therefore not relevant to the discussion.

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:21:5a:49:a9:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global enp3s0
valid_lft forever preferred_lft forever
inet6 fe80::221:5aff:fe49:a972/64 scope link
valid_lft forever preferred_lft forever

3: enp5s0: <BROADCAST,MULTICAST>
mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:21:5a:49:a9:74 brd ff:ff:ff:ff:ff:ff

As mentioned previously, the virbr* entries are also not relevant to the discussion. They are, again, included for the sake of completeness.

4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP>
mtu 1500 qdisc noqueue state DOWN
link/ether 8e:f5:cb:18:9d:ff brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever

5: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc noqueue state UP
link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 brd 10.0.3.255 scope global virbr1
valid_lft forever preferred_lft forever

6: virbr1-nic: <BROADCAST,MULTICAST>
mtu 1500 qdisc pfifo_fast master virbr1 state DOWN qlen 500
link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff

vnet0 and vnet1 are related to the virbr* entries.

7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
link/ether fe:54:00:be:8c:3a brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:febe:8c3a/64 scope link
valid_lft forever preferred_lft forever

8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
link/ether fe:54:00:2f:23:fc brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe2f:23fc/64 scope link
valid_lft forever preferred_lft forever

command: ip route produced the output:

default via 192.168.1.1 dev enp3s0
10.0.3.0/24             dev virbr1 proto kernel
                        scope link src 10.0.3.1
192.168.1.0/24          dev enp3s0 proto kernel
                        scope link src 192.168.1.22
192.168.122.0/24        dev virbr0 proto kernel
                        scope link src 192.168.122.1

command: route -n (or netstat -rn, both display the same) produced the output:

Kernel IP routing table
Destination     Gateway      Genmask         Flags Iface
0.0.0.0         192.168.1.1  0.0.0.0         UG    enp3s0
10.0.3.0        0.0.0.0      255.255.255.0   U     virbr1
192.168.1.0     0.0.0.0      255.255.255.0   U     enp3s0
192.168.122.0   0.0.0.0      255.255.255.0   U     virbr0

command: ip rule produced the output:

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

After OpenVPN was used to start a VPN, things changed as shown below. Two notes:

a. There were no problems with the entries displayed by ip addr. The real issue was an added rule that I mentioned previously. The ip addr entries did help me to figure things out, though.

b. ip route entries are somewhat better for this type of thing than ip addr entries are. They provide more complete information. However, both types are sufficient if effort is put into the matter.

command: ip addr produced the output:

1: lo: <LOOPBACK,UP,LOWER_UP>
mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:21:5a:49:a9:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global enp3s0
valid_lft forever preferred_lft forever
inet6 fe80::221:5aff:fe49:a972/64 scope link
valid_lft forever preferred_lft forever

3: enp5s0: <BROADCAST,MULTICAST>
mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:21:5a:49:a9:74 brd ff:ff:ff:ff:ff:ff

4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP>
mtu 1500 qdisc noqueue state DOWN
link/ether 42:ad:be:c6:53:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever

5: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc noqueue state UP
link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 brd 10.0.3.255 scope global virbr1
valid_lft forever preferred_lft forever

6: virbr1-nic: <BROADCAST,MULTICAST>
mtu 1500 qdisc pfifo_fast master virbr1 state DOWN qlen 500
link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff

7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
link/ether fe:54:00:be:8c:3a brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:febe:8c3a/64 scope link
valid_lft forever preferred_lft forever

8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP>
mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
link/ether fe:54:00:2f:23:fc brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe2f:23fc/64 scope link
valid_lft forever preferred_lft forever

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP>
mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.29.112.6 peer 10.29.112.5/32 scope global tun0
valid_lft forever preferred_lft forever

command: ip route produced the output:

The first route below is the one that caused most of the problems that I mentioned before.

0.0.0.0/1 via 10.29.112.5   	dev tun0
default via 192.168.1.1         dev enp3s0
10.0.3.0/24                     dev virbr1  proto kernel
                                scope link  src 10.0.3.1
10.29.112.1 via 10.29.112.5     dev tun0
10.29.112.5                     dev tun0    proto kernel
                                scope link  src 10.29.112.6
64.191.29.112 via 192.168.1.1   dev enp3s0
128.0.0.0/1 via 10.29.112.5     dev tun0
192.168.1.0/24                  dev enp3s0  proto kernel
                                scope link  src 192.168.1.22
192.168.122.0/24                dev virbr0  proto kernel
                                scope link  src 192.168.122.1

command: route -n produced the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Iface
0.0.0.0         10.29.112.5     128.0.0.0       UG    tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    enp3s0
10.0.3.0        0.0.0.0         255.255.255.0   U     virbr1
10.29.112.1     10.29.112.5     255.255.255.255 UGH   tun0
10.29.112.5     0.0.0.0         255.255.255.255 UH    tun0
64.191.29.112   192.168.1.1     255.255.255.255 UGH   enp3s0
128.0.0.0       10.29.112.5     128.0.0.0       UG    tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     virbr0

command: ip rule produced the output:

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

The VPN didn't work as desired. Here is what happened. When I started the VPN, say that the physical interface was eth0 and the virtual interface created by the VPN was tun0.

After the VPN was started, all of a sudden, all connections on eth0 dropped, and any new connections were impossible, either receiving or sending. All traffic had to go thru the VPN and the VPN only.

Decisions were fed by looking at the differences between before and after starting VPN. When I saw more routes and looked at IPs things started to not make sense. So I asked myself questions. And learned and researched more. And tried some things that didn't work at all.

Locked myself out of the machine a lot. Then as I researched I stumbled across two posts on the Internet about multi-table routing. One was geared towards multi-uplink and the other one looked more general. But neither showed what to expect much other than for it to work without thinking.

Someone in IRC reminded me that 0.0.0.0/1 and 128.0.0.0/1 are the first and second halves of the Internet. I figured that since OpenVPN pushed rules containing those 2 netmasks, those rules should not be in the main routing table where they would subvert other routing tables that might be created to fix the issue we were experiencing; therefore, their removal was promptly executed.

That was also something I tried before multi-table routing. What it did was make enp3s0 start working but tun0 stopped working.

The endeavor was fueled by wanting a solution that would allow both to be used as needed. And wanting a couple of ideas I had earlier to work that wouldn't be possible if both interfaces weren't functioning.

I set about researching it, going thru multiple ideas and failing, stumbling upon multi-table routing, piecing things together, changing things up slightly. Finally getting it to work.

After changes were in place:

command: ip addr produced the same results as before

command: ip route produced the output:

default via 192.168.1.1
                 dev enp3s0
10.0.3.0/24      dev virbr1  proto kernel
                 scope link  src 10.0.3.1
10.29.112.0/24
                 dev tun0
                 scope link  src 10.29.112.6
10.29.112.1 via 10.29.112.5
                 dev tun0
10.29.112.5      dev tun0    proto kernel
                 scope link  src 10.29.112.6
64.191.29.112 via 192.168.1.1
                 dev enp3s0
192.168.1.0/24   dev enp3s0  proto kernel
                 scope link  src 192.168.1.22
192.168.122.0/24 dev virbr0  proto kernel
                 scope link  src 192.168.122.1

command: route -n produced the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    enp3s0
10.0.3.0        0.0.0.0         255.255.255.0   U     virbr1
10.29.112.0     0.0.0.0         255.255.255.0   U     tun0
10.29.112.1     10.29.112.5     255.255.255.255 UGH   tun0
10.29.112.5     0.0.0.0         255.255.255.255 UH    tun0
64.191.29.112   192.168.1.1     255.255.255.255 UGH   enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     virbr0

command: ip rule produced the output:

0:	from all            lookup local
32764:	from 10.29.112.6    lookup T2
32765:	from 192.168.1.22   lookup T1
32766:	from all            lookup main
32767:	from all            lookup default

Now looking thru all that, you can see changes, you could even deduce how to do most of these from that given time and some pain killers. We won't make you do that, however.

Basically, to get an idea of what we are doing, let's turn those numbers into something easier to understand; i.e., names.

$IF1 shall be the name of interface 1 (the one that exists no matter if the tunnel exists or not, in our case enp3s0)

$IF2 shall be the name of the VPN interface (tun0)

$IP1 shall be the IPv4 address of our interface $IF1 (192.168.1.22)

$IP2 shall be the IPv4 address of our interface $IF2 (10.29.112.6)

$P1 shall be the gateway of $IF1 (192.168.1.1)

$P2 shall be the gateway of $IF2 (10.29.112.5)

$P1_NET shall be the subnet of $IF1 (192.168.1.0/24)

$P2_NET shall be the subnet of $IF2 (10.29.112.0/24)

All that information about *2 was gathered from inspecting the routing tables before and after, plus IPv4 info.

The key was to get anything coming in over enp3s0 to be routed back out the same way it came in (the same went for tun0).

So we needed per-device routing tables at this point. Let's call them T1 and T2 where T1 is for $IF1 (enp3s0) and T2 is for $IF2 (tun0). To initialize these tables we put some lines in the file indicated below:

/etc/iproute2/rt_tables

The commands used to append those lines were:

echo 1 T1 >> /etc/iproute2/rt_tables
echo 2 T2 >> /etc/iproute2/rt_tables

Basically, we named two tables and gave them each an ID.

Next, we set those two tables up:

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

Next, we set up the main table:

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

Then, we made our default route:

ip route add default via $P1

Next, we added routing rules (these chose what routing table to route with):

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

Next, we removed the two routes the VPN had pushed to route the entire Internet thru its gateway:

ip route del 0.0.0.0/1 via 10.29.112.5 dev tun0
ip route del 128.0.0.0/1 via 10.29.112.5 dev tun0
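To see why the source-based rules work and why the two /1 routes had to go, here is an added example (my own code, not the article's) that simulates the kernel's policy-routing lookup over the article's tables. T1 and T2 are built as the commands above describe (each with its own default), the main table is the article's capture, and 203.0.113.10 is a constructed remote address.

```python
import ipaddress


def route(dst, dev, via=None):
    """One routing-table entry; the default route is spelled 0.0.0.0/0."""
    return {"dst": ipaddress.ip_network(dst), "dev": dev, "via": via}


# Per-interface tables as the article's commands build them.
T1 = [route("192.168.1.0/24", "enp3s0"), route("0.0.0.0/0", "enp3s0", "192.168.1.1")]
T2 = [route("10.29.112.0/24", "tun0"), route("0.0.0.0/0", "tun0", "10.29.112.5")]

# Main table right after OpenVPN connected, from the article's capture
# (virbr entries left out; they do not affect any lookup below).
MAIN_AFTER_VPN = [
    route("0.0.0.0/1", "tun0", "10.29.112.5"),
    route("0.0.0.0/0", "enp3s0", "192.168.1.1"),
    route("10.29.112.1/32", "tun0", "10.29.112.5"),
    route("10.29.112.5/32", "tun0"),
    route("64.191.29.112/32", "enp3s0", "192.168.1.1"),
    route("128.0.0.0/1", "tun0", "10.29.112.5"),
    route("192.168.1.0/24", "enp3s0"),
]
# Main table after the fix: the two /1 routes deleted, the tun0 subnet added.
MAIN_FIXED = [r for r in MAIN_AFTER_VPN if r["dst"].prefixlen != 1]
MAIN_FIXED.append(route("10.29.112.0/24", "tun0"))

# `ip rule` entries as (priority, source selector or None for "from all", table).
RULES_DEFAULT = [(32766, None, "main")]
RULES_FIXED = [(32764, "10.29.112.6", "T2"),
               (32765, "192.168.1.22", "T1"),
               (32766, None, "main")]


def lookup(rules, tables, src, dst):
    """Policy routing the way the kernel does it: walk the rules by
    priority, skip those whose selector does not match the source,
    longest-prefix match inside that rule's table, and fall through to
    the next rule when the table has no matching route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and ipaddress.ip_address(selector) != src:
            continue
        best = None
        for r in tables.get(table, []):
            if dst in r["dst"] and (best is None or r["dst"].prefixlen > best["dst"].prefixlen):
                best = r
        if best is not None:
            return table, best["dev"], best["via"]
    return None  # nothing matched: the kernel would report the network unreachable


if __name__ == "__main__":
    remote = "203.0.113.10"  # constructed remote address (documentation range)
    print("LAN reply, broken :", lookup(RULES_DEFAULT, {"main": MAIN_AFTER_VPN}, "192.168.1.22", remote))
    fixed = {"T1": T1, "T2": T2, "main": MAIN_FIXED}
    print("LAN reply, fixed  :", lookup(RULES_FIXED, fixed, "192.168.1.22", remote))
    print("VPN reply, fixed  :", lookup(RULES_FIXED, fixed, "10.29.112.6", remote))
    # T1 without its default (as in the article's script) and the /1 routes still in main:
    trap = {"T1": T1[:1], "T2": T2, "main": MAIN_AFTER_VPN}
    print("fallthrough trap  :", lookup(RULES_FIXED, trap, "192.168.1.22", remote))
```

The last case shows the subversion the article describes: when T1 has no default, a LAN reply falls through to main, and the /1 routes there send it out tun0 anyway, which is why deleting them is not optional.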

Now for some words of advice:

If you try this kind of thing, have someone physically near the machine who can power it off and on when you make mistakes.

Never, ever, enter commands of this type one by one. Put them in a script and run the script. You will get all the way to a certain rule — and then be locked out — if you do not heed this advice.

Also, test your script, and modify it when network topologies change. There will be rules in your script that may not run due to routes being already existent or not existent. Remove them (or at least comment them out).

Now, if you are a tinkerer and thinker, you may be wondering why, in the “Fixed” portion of our examples, some of the routes we added aren't showing up.

ip route shows only the main table by default. Run: ip route show table all

and you'll get something like this:

192.168.1.0/24              dev enp3s0  table T1
                            scope link  src 192.168.1.22
default via 10.29.112.5     dev tun0    table T2
10.29.112.0/24              dev tun0    table T2
                            scope link  src 10.29.112.6
default via 192.168.1.1     dev enp3s0
10.0.3.0/24                 dev virbr1  proto kernel
                            scope link  src 10.0.3.1
10.29.112.0/24              dev tun0
                            scope link  src 10.29.112.6
10.29.112.1 via 10.29.112.5
                            dev tun0
10.29.112.5                 dev tun0    proto kernel
                            scope link  src 10.29.112.6
64.191.29.112 via 192.168.1.1
                            dev enp3s0
192.168.1.0/24              dev enp3s0
                            scope link  src 192.168.1.22
192.168.122.0/24            dev virbr0  proto kernel
                            scope link  src 192.168.122.1
broadcast 10.0.3.0          dev virbr1  table local  proto kernel
                            scope link  src 10.0.3.1
local 10.0.3.1              dev virbr1  table local  proto kernel
                            scope host  src 10.0.3.1
broadcast 10.0.3.255        dev virbr1  table local  proto kernel
                            scope link  src 10.0.3.1
local 10.29.112.6           dev tun0    table local  proto kernel
                            scope host  src 10.29.112.6
broadcast 127.0.0.0         dev lo      table local  proto kernel
                            scope link  src 127.0.0.1
local 127.0.0.0/8           dev lo      table local  proto kernel
                            scope host  src 127.0.0.1
local 127.0.0.1             dev lo      table local  proto kernel
                            scope host  src 127.0.0.1
broadcast 127.255.255.255   dev lo      table local  proto kernel
                            scope link  src 127.0.0.1
broadcast 192.168.1.0       dev enp3s0  table local  proto kernel
                            scope link  src 192.168.1.22
local 192.168.1.22          dev enp3s0  table local  proto kernel
                            scope host  src 192.168.1.22
broadcast 192.168.1.255     dev enp3s0  table local  proto kernel
                            scope link  src 192.168.1.22
broadcast 192.168.122.0     dev virbr0  table local  proto kernel
                            scope link  src 192.168.122.1
local 192.168.122.1         dev virbr0  table local  proto kernel
                            scope host  src 192.168.122.1
broadcast 192.168.122.255   dev virbr0  table local  proto kernel
                            scope link  src 192.168.122.1
local ::1                   dev lo                   proto kernel
                            metric 256
fe80::/64                   dev enp3s0               proto kernel
                            metric 256
fe80::/64                   dev vnet0                proto kernel
                            metric 256
fe80::/64                   dev vnet1                proto kernel
                            metric 256
unreachable default         dev lo      table unspec proto kernel
                            metric 4294967295  error -101
local ::1                   dev lo      table local  proto none
                            metric 0
local fe80::221:5aff:fe49:a972
                            dev lo      table local  proto none
                            metric 0
local fe80::fc54:ff:fe2f:23fc
                            dev lo      table local  proto none
                            metric 0
local fe80::fc54:ff:febe:8c3a
                            dev lo      table local  proto none
                            metric 0
ff00::/8                    dev enp3s0  table local
                            metric 256
ff00::/8                    dev vnet0   table local
                            metric 256
ff00::/8                    dev vnet1   table local
                            metric 256
unreachable default         dev lo      table unspec proto kernel
                            metric 4294967295  error -101

Now for the final part, an OpenVPN script that I'm still refining. It works for me and, when finished, might work for others.

This version is specific to the network that I used. I hope to write a generic version that might work on all networks. Until it is done, this version suffices for me (though I have made minor changes) and it may be useful as an example to educate others.

#!/usr/bin/env bash
# Re-applies the per-interface routing tables after OpenVPN has brought
# up tun0. Must run as root. The values are specific to the author's
# network; adjust them whenever the topology changes.
IF1=enp3s0
IF2=tun0
IP1=192.168.1.22
IP2=10.29.112.6
P1=192.168.1.1
P2=10.29.112.5
P1_NET=192.168.1.0/24
P2_NET=10.29.112.0/24

# "table T1" is rejected unless the name exists in rt_tables; append
# each name only once so repeated runs do not duplicate the lines.
grep -qw T1 /etc/iproute2/rt_tables || echo "1 T1" >> /etc/iproute2/rt_tables
grep -qw T2 /etc/iproute2/rt_tables || echo "2 T2" >> /etc/iproute2/rt_tables

# Clear leftovers from a previous run. Errors for entries that do not
# exist yet are expected, so they are silenced.
ip route del $P1_NET dev $IF1 src $IP1 table T1 2>/dev/null
#ip route del default via $P1 table T1
ip route del $P2_NET dev $IF2 src $IP2 table T2 2>/dev/null
ip route del default via $P2 table T2 2>/dev/null
ip route del $P1_NET dev $IF1 src $IP1 2>/dev/null
ip route del $P2_NET dev $IF2 src $IP2 2>/dev/null
ip route del default via $P1 2>/dev/null
ip rule del from $IP1 table T1 2>/dev/null
ip rule del from $IP2 table T2 2>/dev/null

# Per-interface tables. T1 carries no default here: a lookup from $IP1
# that misses falls through to main, whose default is via $P1 anyway.
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

# Main table: both connected subnets, default out the physical link.
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add default via $P1

# Rules: choose the table by source address, so replies leave by the
# interface they arrived on.
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

# Drop the two /1 routes OpenVPN pushed into main to send the whole
# Internet thru the tunnel. Left in place, they would still capture any
# $IP1 traffic that falls through from T1 to main.
ip route del 0.0.0.0/1   via $P2 dev $IF2
ip route del 128.0.0.0/1 via $P2 dev $IF2


OpenVPN icon by Archeinre. License for artwork: Creative Commons Attribution-Share Alike 3.0.