Route all traffic from certain programs through a PPTP VPN tunnel on FreeBSD

The problem

You’d like to route certain traffic over a VPN tunnel, but you only know which program is generating the traffic, not which ports it will be using or which IP ranges it will be connecting to. The only way to crack this nut seems to be to set the default route to the VPN tunnel, but this will send all traffic through the tunnel, which may be a problem if the tunnel is slow and laggy, e.g. if the endpoint happens to be the IPREDator service in Sweden. The common solution seems to be “run the program in a virtual machine,” but that seems like overkill. What to do?

The solution

If you’re on FreeBSD, you’re in luck: since 7.1, FreeBSD has supported multiple routing tables (FIBs). You can set up a secondary routing table that goes through the VPN tunnel by default, and bind any program you wish to that specific routing table.

Kernel support

Your kernel must be rebuilt with support for at least 2 FIBs; the default kernel only has support for one. Add

options    ROUTETABLES=2

to your kernel configuration and rebuild.

MPD configuration

The PPP client of choice is the netgraph-based Multilink PPP Daemon (mpd5 in ports). The relevant section of mpd.conf looks like this:

pptp_client:
        create bundle static B1
        set iface up-script /usr/local/etc/mpd5/pptp-up.sh
        set iface down-script /usr/local/etc/mpd5/pptp-down.sh
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0

        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set bundle enable crypt-reqd
        set mppc yes stateless

        create link static L1 pptp
        set link action bundle B1
        set auth authname ***********
        set auth password ***********
        set link max-redial 0
        set link mtu 1460
        set link keep-alive 20 75
        set pptp peer vpn.ipredator.se
        open

Note the lack of a route command. The IPREDator folks have set up their VPN service in a slightly problematic way: the endpoint of the tunnel is also the remote router. The best route to this network node is therefore the direct link over the PPP tunnel, and the kernel will attempt to send the PPP packets over the tunnel itself, like a truck trying to drive up its own tailpipe. Any time this happens, MPD will kill the link. To avoid this condition, you’ll have to set up the routes manually in the up- and down-scripts, which MPD runs whenever the link is brought up or torn down:

interface=$1
proto=$2
tun_ip=$3
tun_endpoint=$4

tun_iface=ng0
eth_iface=em0

eth_gateway=`route get default -iface em0 | awk '/gateway/ { print $2}'`

route delete $tun_endpoint
route add $tun_endpoint $eth_gateway

# make this the default route for the secondary FIB
setfib -1 route flush
setfib -1 route add $tun_endpoint $eth_gateway
setfib -1 route add default $tun_endpoint

The trick is to delete the direct link and force traffic to the tunnel endpoint to run over the physical ethernet interface. The last part of the script does the same trick with the secondary FIB and then adds a default route pointing to the tunnel.

In the down script, you just have to delete the route to the tunnel endpoint. I also flush the routing table in the secondary FIB, since I want traffic to halt completely if the tunnel isn’t available.

interface=$1
proto=$2
tun_ip=$3
tun_endpoint=$4

eth_iface=em0

route delete $tun_endpoint

# kill all routing on the secondary FIB
setfib -1 route flush

Use

You can run a program in the tunneled environment via setfib -1 $cmd. Hooray!

Rebroadcast RealAudio streams as mp3 via HTTP

The problem

iTunes + Remote app for iPod touch + AirPort Express = best kitchen radio ever. Most of my favorite public radio stations offer MP3 streams over HTTP. My wife, however, has a soft spot in her heart for certain stations that insist on broadcasting RealAudio over RTSP. How to get these to stream to the Airport Express in the kitchen?

The solution

The ingredients:

• Mplayer built with support for RealAudio/COOK (an exercise for the reader)
• LAME mp3 encoder
• Python!

The rudimentary solution

Mplayer, when built properly, can stream and decode RealAudio over RTSP. In the simplest form, this looks something like:

url="rtsp://stream2.rbb-online.de/encoder/antenne-live.ra"
mplayer -cache 48 -vo null -vc null -ao pcm:waveheader -ao pcm:file=foo.wav "${url}"

This is nice, but ideally we’d like to transcode a stream on the fly. Named pipes to the rescue!

url="rtsp://stream2.rbb-online.de/encoder/antenne-live.ra"
mkfifo dump.pipe
mkfifo transcode.pipe
mplayer -cache 48 -vo null -vc null -ao pcm:waveheader -ao pcm:file=dump.pipe "${url}" &
lame -r dump.pipe transcode.pipe

The transcoded MP3 can be read from transcode.pipe. Now, to wrap the whole kit an caboodle up in Python.

The full solution

This all gets wrapped up in a Python HTTP request handler based on SimpleHTTPRequestHandler. The handler forks instances of mplayer and lame and creates the named pipes on the fly. When the client closes the stream, the child processes are cleaned up automatically.

from subprocess import *
from SimpleHTTPServer import SimpleHTTPRequestHandler
from BaseHTTPServer import HTTPServer
import os,tempfile,signal,urlparse

class StreamHandler(SimpleHTTPRequestHandler):
  dumper = None
  default_url = "rtsp://stream2.rbb-online.de/encoder/antenne-live.ra"

  def parse_qs(self,query_string):
    values = [pair.split('=') for pair in query_string.split('&')]
    return dict(values)

  def do_GET(self):
    """Serve a GET request."""
    f = self.send_head(True)
      if f:
      try:
        self.copyfile(f, self.wfile)
        f.close()
      except:
        self.cleanup()
    self.cleanup()

  def __del__(self):
    self.cleanup()

  def cleanup(self):
    if self.dumper is not None:
      self.log_message('Stream terminated, cleaning up...')
      # mplayer forks a child, so we should go all Agamemnon via SIGINT 
      os.kill(self.dumper.pid,signal.SIGINT)
      os.kill(self.transcoder.pid,signal.SIGINT)
      # reap dead children
      self.dumper.wait()
      self.transcoder.wait()
      # remove tempfiles
      os.remove(self.dump_pipe)
      os.remove(self.trans_pipe)
      os.rmdir(self.tmpdir)
      self.fnull.close()
      # unset instance variables
      self.dumper = None
      self.transcoder = None
      self.dump_pipe = None
      self.trans_pipe = None
      self.tmpdir = None

  def send_head(self,is_get=False):
    if is_get:
      f = open(self.make_stream(),'rb')
    else:
      f = open(os.devnull,'r')
      self.send_response(200)
      self.send_header("Content-type", "application/octet-stream")
      self.end_headers()
      return f

  def make_stream(self):
    qs = urlparse.urlparse(self.path).query
    if len(qs) > 0:
      query = self.parse_qs(qs)
    else:
      query = dict()
    url = query.get('url',self.default_url)
    self.log_message('Making a stream for %s',url)
    self.tmpdir = tempfile.mkdtemp()
    self.dump_pipe = os.path.join(self.tmpdir,'dump.pipe')
    self.trans_pipe = os.path.join(self.tmpdir,'transcode.pipe')
    os.mkfifo(self.dump_pipe)
    os.mkfifo(self.trans_pipe)
    self.fnull = open(os.devnull, 'w')
    self.dumper = Popen(['mplayer','-cache','64','-vc','null','-vo','null','-ao','pcm:file=%s' % self.dump_pipe,url],stdout=self.fnull,stderr=self.fnull)
    self.transcoder = Popen(['lame','-r','--preset','fast','standard',self.dump_pipe,self.trans_pipe],stdout=self.fnull,stderr=self.fnull)
    return self.trans_pipe

def run():
  httpd = HTTPServer(('',8001), StreamHandler)
  sa = httpd.socket.getsockname()
  print "Serving HTTP on", sa[0], "port", sa[1], "..."
  httpd.serve_forever()

if __name__ == "__main__":
  run()

To add a transcoded radio stream, make an M3U playlist like this:

#EXTM3U
#EXTINF:0,Antenne Brandenburg Frankenstream
http://localhost:8001/?url=rtsp://stream2.rbb-online.de/encoder/antenne-live.ra

and drag it into iTunes. Voila, (fake) RealAudio/RTSP support in iTunes!

Subtleties

There are a few potential stumbling blocks to be aware of:

• When streaming unlimited data over HTTP, you should not set the Content-Length header, as this will cause the client to close the connection after reading a set number of bytes rather than streaming forever.
• When streaming and transcoding, Mplayer forks a child process to handle some of the work. If killed with SIGINT, the parent process will kill the child, but if killed with SIGKILL, it will exit immediately, leaving a zombie Mplayer every time the stream is stopped and restarted.