Openvpn 2.3.0 not working on on a Debian custom kernel.

First of all appologies for the long post.

I'm using Debian 3.0 testing (sarge) install of openvpn (2.3.0) with a
custom kernel (I need an ide patch). And I'm trying to connect two
gateways together.

At the moment they cannot even connect to each other using commandline:
'openvpn --remote GateB --ifconfig 10.4.0.1 10.4.0.2 --dev tun1' for
GateA 
'openvpn --remote GateA --ifconfig 10.4.0.2 10.4.0.1 --dev tun1' for
GateB

When I try and ping 10.4.0.2 from GateA I get:

0[0]: Current Parameter Settings:
1[0]:   persist_config = DISABLED
2[0]:   persist_mode = 1
3[0]:   show_ciphers = DISABLED
4[0]:   show_digests = DISABLED
5[0]:   genkey = DISABLED
6[0]:   askpass = DISABLED
7[0]:   show_tls_ciphers = DISABLED
8[0]:   local = '[UNDEF]'
9[0]:   remote = 'GateA ip'
10[0]:   local_port = 5000
11[0]:   remote_port = 5000
12[0]:   remote_float = DISABLED
13[0]:   ipchange = '[UNDEF]'
14[0]:   bind_local = ENABLED
15[0]:   dev = 'tun1'

Connect 2 segments of a network with VPN - HELP

Re: Openvpn 2.3.0 not working on on a Debian custom kernel.

Owain,

As they say on Star Trek, you may have experienced a temporal anomoly.  We're
still on 1.3.2, this side of the event horizon :)

Well aside from that, it appears that the UDP packets are not getting through
between the peers.  That's why you have "UDP WRITE" entries but no "UDP READ"
entries in the log.

Try using tcpdump to trace OpenVPN's UDP packets and see where they are
getting dropped.

James

Owain Evans <tom_jones_mk2 <at> yahoo.co.uk> said:

> First of all appologies for the long post.
> 
> I'm using Debian 3.0 testing (sarge) install of openvpn (2.3.0) with a
> custom kernel (I need an ide patch). And I'm trying to connect two
> gateways together.
> 
> At the moment they cannot even connect to each other using commandline:
> 'openvpn --remote GateB --ifconfig 10.4.0.1 10.4.0.2 --dev tun1' for
> GateA 
> 'openvpn --remote GateA --ifconfig 10.4.0.2 10.4.0.1 --dev tun1' for
> GateB
> 
> When I try and ping 10.4.0.2 from GateA I get:
> 
> 0[0]: Current Parameter Settings:
> 1[0]:   persist_config = DISABLED
> 2[0]:   persist_mode = 1
> 3[0]:   show_ciphers = DISABLED
> 4[0]:   show_digests = DISABLED
> 5[0]:   genkey = DISABLED
> 6[0]:   askpass = DISABLED
> 7[0]:   show_tls_ciphers = DISABLED
> 8[0]:   local = '[UNDEF]'
> 9[0]:   remote = 'GateA ip'
> 10[0]:   local_port = 5000
> 11[0]:   remote_port = 5000
> 12[0]:   remote_float = DISABLED
> 13[0]:   ipchange = '[UNDEF]'
> 14[0]:   bind_local = ENABLED
> 15[0]:   dev = 'tun1'
> 16[0]:   dev_type = '[UNDEF]'
> 17[0]:   dev_node = '[UNDEF]'
> 18[0]:   ifconfig_local = '10.4.0.1'
> 19[0]:   ifconfig_remote = '10.4.0.2'
> 20[0]:   shaper = 0
> 21[0]:   tun_mtu = 1300
> 22[0]:   tun_mtu_defined = DISABLED
> 23[0]:   udp_mtu = 1300
> 24[0]:   udp_mtu_defined = ENABLED
> 25[0]:   mlock = DISABLED
> 26[0]:   inactivity_timeout = 0
> 27[0]:   ping_send_timeout = 0
> 28[0]:   ping_rec_timeout = 0
> 29[0]:   ping_rec_timeout_action = 0
> 30[0]:   ping_timer_remote = DISABLED
> 31[0]:   persist_tun = DISABLED
> 32[0]:   persist_local_ip = DISABLED
> 33[0]:   persist_remote_ip = DISABLED
> 34[0]:   persist_key = DISABLED
> 35[0]:   resolve_retry_seconds = 0
> 36[0]:   username = '[UNDEF]'
> 37[0]:   groupname = '[UNDEF]'
> 38[0]:   chroot_dir = '[UNDEF]'
> 39[0]:   cd_dir = '[UNDEF]'
> 40[0]:   writepid = '[UNDEF]'
> 41[0]:   up_script = '[UNDEF]'
> 42[0]:   down_script = '[UNDEF]'
> 43[0]:   daemon = DISABLED
> 44[0]:   nice = 0
> 45[0]:   verbosity = 8
> 46[0]:   mute = 0
> 47[0]:   gremlin = DISABLED
> 48[0]:   comp_lzo = DISABLED
> 49[0]:   comp_lzo_adaptive = ENABLED
> 50[0]:   shared_secret_file = '[UNDEF]'
> 51[0]:   ciphername_defined = ENABLED
> 52[0]:   ciphername = 'BF-CBC'
> 53[0]:   authname_defined = ENABLED
> 54[0]:   authname = 'SHA1'
> 55[0]:   keysize = 0
> 56[0]:   packet_id = ENABLED
> 57[0]:   iv = ENABLED
> 58[0]:   test_crypto = DISABLED
> 59[0]:   tls_server = DISABLED
> 60[0]:   tls_client = DISABLED
> 61[0]:   ca_file = '[UNDEF]'
> 62[0]:   dh_file = '[UNDEF]'
> 63[0]:   cert_file = '[UNDEF]'
> 64[0]:   priv_key_file = '[UNDEF]'
> 65[0]:   cipher_list = '[UNDEF]'
> 66[0]:   tls_verify = '[UNDEF]'
> 67[0]:   tls_timeout = 5
> 68[0]:   renegotiate_bytes = 0
> 69[0]:   renegotiate_packets = 0
> 70[0]:   renegotiate_seconds = 3600
> 71[0]:   handshake_window = 60
> 72[0]:   transition_window = 3600
> 73[0]:   single_session = DISABLED
> 74[0]:   disable_occ = DISABLED
> 75[0]:   tls_auth_file = '[UNDEF]'
> 76[0]: OpenVPN 1.3.0 i386-pc-linux-gnu built on Sep 21 2002
> 77[0]: PTHREAD support initialized
> 78[0]: UDP link local (bound): [undef]:5000
> 79[0]: UDP link remote: xxx.xxx.xxx.xxx:5000
> 80[0]: ******* WARNING *******: all encryption and authentication
> features disabled -- all data will be tunnelled as cleartext
> 81[0]: Data Channel MTU parms: mtu=1300 extra_frame=0 extra_buffer=0
> extra_tun=0
> 82[0]: tun/tap device tun1 opened
> 83[0]: ifconfig tun1 10.4.0.1 pointopoint 10.4.0.2 mtu 1300
> 84[0]: select returned 1
> 85[0]: read from tun returned 84
> 86[0]: select returned 1
> 87[0]: write to UDP returned 84
> 88[0]: UDP WRITE to xxx.xxx.xxx.xxx:5000:  DATA 45000054 00004000
> 4001269f 0a040001 0a040002 08001bfd 94030000 3e634c1[more...]
> 89[0]: select returned 1
> 90[0]: read from tun returned 84
> 91[0]: select returned 1
> 92[0]: write to UDP returned 84
> 93[0]: UDP WRITE to xxx.xxx.xxx.xxx:5000:  DATA 45000054 00004000
> 4001269f 0a040001 0a040002 08002a07 94030100 3e634c1[more...]
> 94[0]: SIGINT received, exiting
> 95[0]: Closing tun/tap device
> 
> And when I try and use the --ping 15 option I get the following:
> 
> 84[0]: ELAPSED TRIGGER (15)
> 85[0]: SENT PING
> 86[0]: ELAPSED SOONEST (15/15)
> 87[0]: select returned 1
> 88[0]: write to UDP returned 16
> 89[0]: UDP WRITE to xxx.xxx.xxx.xxx:5000:  DATA 2a187bf3 641eb4cb
> 07ed2d0a 981fc748
> 90[0]: ELAPSED SOONEST (15/15)
> 91[0]: SIGINT received, exiting
> 
> So, I read the mailing lists and this all suggested that it was an
> iptables problem, so I used the firewall.sh script supplied, and it
> still doesn't work!
> 
> I have a custom kernel, but I'm not going to post that confg file here!
> :) (But is doesn't have PPP enabled) So first things first, do you
> think the problem is with my kernel or somewhere else?
> 
> I hope you can help!
> 
> __________________________________________________
> Do You Yahoo!?
> Everything you'll ever need on one web page
> from News and Sport to Email and Music Charts
> http://uk.my.yahoo.com
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 

--

-- 

-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com

Re: Connect 2 segments of a network with VPN - HELP

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 27/1/2003

_______________________________________________________________________
Busca Yahoo!
O serviço de busca mais completo da Internet. O que você pensar o Yahoo! encontra.
http://br.busca.yahoo.com/

-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com

Re: OpenVPN configuration

Hello Ivan, 

It's a rare error, but I have seen it before.

Try openvpn --show-ciphers to see what ciphers your OpenSSL library is
exporting to openvpn.  It should show BF-CBC as one of the choices.  If it
doesn't, then your distro is using a non-standard build of the OpenSSL library.

Make sure your key file is not corrupted.

Try openvpn --test-crypto --secret [your key]

I heard once about a similar problem with slackware, something about their
OpenSSL library not being built with blowfish (i.e. BF-CBC).  If this is the
case, you might have to download and rebuild the openssl library.  By default,
openssl builds with blowfish, but I don't know how slackware builds it.  Or
you could add --cipher x, where x is one of the ciphers shown by --show-cipher.

James

ttyp0 <ttyp0 <at> inet2u.com> said:

> Hello!
> 
> My name is Ivan, I'm a spanish linux user since 7 years ago (more or
> less). I've been testing your software for making a VPN to connect two
> networks, and i have the next configuration:
> 
> at one point i'm running a gentoo linux box, in which i have no problem to
> run OpenVPN. At the other point i'm running a Slackware 8.1 linux box, and
> when i launch OpenVPN i get the next error line:
> 
> 81: Cipher algorithm 'BF-CBC' not found: error:0906D06C:PEM
routines:PEM_read_bio:no start line
> 82: Exiting
> 
> I've been loking over a lot of forums, mailing lists and over all google
> results, also in irc channels on freenode server... but noone seems to
> know anything about.
> This is why i ask you directly, i hope i'm not amusing you.
> 
> Thank you for all!
> 
> -------------------------------------------------------------
> ttyp0
> 
> ASSL founder (-http://assl.ath.cx-)
> [Linux User]: 265975
> -----------------------------------
> mailto: ttyp0 <at> inet2u.com
> 
> [x] As they didn't know it was impossible... they did it [x]
> 
> 
> --------------
> 

--

-- 

-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en

Problems with NAT and openvpn

I would like to create a virtual private network between two FreeBSD
machines, duchess and ls-jtwilley, such that ls-jtwilley can connect
to duchess using duchess's 10.* address with UDP and TCP.

duchess (10.74.84.1) is on a network (10.74.84.0/24) that sits behind
an OpenBSD firewall named mulan (10.74.84.254 and 66.92.188.219) that
also provides NAT services.  mulan has rules to allow UDP port 5000 in
From outside and to redirect it to duchess.

ls-jtwilley (63.87.37.125) is on a network (63.87.37.0/24) that sits
behind a firewall of some unknown type that does not provide NAT
services.  To the best of my knowledge, this firewall does not block
any outgoing connections.

The addresses I have selected for my tunnel are 192.168.74.1 for the
duchess endpoint and 192.168.74.2 for the ls-jtwilley endpoint.

Here are the configuration files:

--begin duchess.conf--
dev tun0
ifconfig 192.168.74.1 192.168.74.2
up ./duchess.up
verb 8
--end duchess.conf

--begin duchess.up--
#!/bin/sh
route add -net 63.87.37.0 $5 255.255.255.0
--end duchess.up--

--begin ls-jtwilley.conf--
dev tun0
ifconfig 192.168.74.2 192.168.74.1
up ./ls-jtwilley.up
remote 66.92.188.219
verb 8
--end ls-jtwilley.conf

--begin ls-jtwilley.up--
#!/bin/sh
route add -net 10.74.84.0 $5 255.255.255.0
--end ls-jtwilley.up--

The debug output is very long, so I did not attach it to this
message.  I can make it available later if it would be helpful to
solve the problem.

I started up the openvpn processes and everything looked fine until I
attempted to telnet to port 25 on 10.74.84.1 from ls-jtwilley.  A few
packets on ls-jtwilley can be seen, with many many packets on duchess,
and nothing at all is seen in the telnet window.

Any help that can be provided would be dearly appreciated.

Thanks!

Jack.
--

-- 
Jack Twilley
jmt at twilley dot org
http colon slash slash www dot twilley dot org slash tilde jmt slash

Re: Problems with NAT and openvpn

Jack Twilley <jmt <at> twilley.org> said:

> I would like to create a virtual private network between two FreeBSD
> machines, duchess and ls-jtwilley, such that ls-jtwilley can connect
> to duchess using duchess's 10.* address with UDP and TCP.
> 
> duchess (10.74.84.1) is on a network (10.74.84.0/24) that sits behind
> an OpenBSD firewall named mulan (10.74.84.254 and 66.92.188.219) that
> also provides NAT services.  mulan has rules to allow UDP port 5000 in
> From outside and to redirect it to duchess.
> 
> ls-jtwilley (63.87.37.125) is on a network (63.87.37.0/24) that sits
> behind a firewall of some unknown type that does not provide NAT
> services.  To the best of my knowledge, this firewall does not block
> any outgoing connections.
> 
> The addresses I have selected for my tunnel are 192.168.74.1 for the
> duchess endpoint and 192.168.74.2 for the ls-jtwilley endpoint.
> 
> Here are the configuration files:
> 
> --begin duchess.conf--
> dev tun0
> ifconfig 192.168.74.1 192.168.74.2
> up ./duchess.up
> verb 8
> --end duchess.conf
> 
> --begin duchess.up--
> #!/bin/sh
> route add -net 63.87.37.0 $5 255.255.255.0
> --end duchess.up--
> 
> --begin ls-jtwilley.conf--
> dev tun0
> ifconfig 192.168.74.2 192.168.74.1
> up ./ls-jtwilley.up
> remote 66.92.188.219
> verb 8
> --end ls-jtwilley.conf
> 
> --begin ls-jtwilley.up--
> #!/bin/sh
> route add -net 10.74.84.0 $5 255.255.255.0
> --end ls-jtwilley.up--
> 
> The debug output is very long, so I did not attach it to this
> message.  I can make it available later if it would be helpful to
> solve the problem.
> 
> I started up the openvpn processes and everything looked fine until I
> attempted to telnet to port 25 on 10.74.84.1 from ls-jtwilley.  A few
> packets on ls-jtwilley can be seen, with many many packets on duchess,
> and nothing at all is seen in the telnet window.
> 
> Any help that can be provided would be dearly appreciated.

Do pings work over the tunnel?

If so, do large pings work (e.g. ping -s 2000) without --comp-lzo?

If small pings work but large pings don't, it's an MTU problem (try smaller
values for --udp-mtu, which normally defaults to 1300).

If large pings work, but telnet doesn't, then it may be some kind of firewall
problem.  Remember that tun devices, though virtual, are generally treated by
the OS as a first class network-capable device, meaning that you have to tell
the OS to allow incoming telnet connections on tun0 (for example).

Let us know if any of this works and if you solve the problem.

James

-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en

routing over 802.11b?

This question is not an issue with openvpn, per se, but related because
openvpn is my weapon of choice. :)

I have a network in my home, call it 192.168.0.0/24, with a gateway to
the internet of .4. I also have two laptops, a Toshiba Tecra 8100 with a
Cisco wireless card, and a Mac Powerbook G3 with an Airport card. I have
gotten the two cards talking, now it is a matter of setting up the
networking piece of the puzzle. 

I decided that since 802.11 has enough security issues to make me very
uncomfortable with its general use, and since both the Mac and the
Toshiba (as well as the bulk of the rest of the network) run Linux, I
would set up an IPtables firewall on each wireless interface (eth1) and
run openvpn across the ether.

What I'm looking for is as transparent as possible access for the
roaming laptop (usually the Mac, since the batteries on the Tecra suck),
as if it were connected to the wired LAN. Given that the wired LAN is
192.168.0.0/24, I made the wireless LAN 192.168.1.0/30. This gives me
two addresses required for the point-to-point link. I got this far, but
did not get to the point of setting up the openvpn. I was able to
"double-hop" to the wired network from the roaming laptop (e.g. ssh to
the wired lappy, then ssh to, say, the mail server).

What would be the best way to make it as transparent as possible to get
the roaming laptop to be able to access both local services (dns, mail,
etc) as well as being able to get it out to the Net as if it were on the
wired LAN?

thanks,
--

-- 
--Brad
============================================================================
Bradley M. Alexander                |
Debian Developer, Security Engineer |   storm [at] tux.org
Debian/GNU Linux Developer          |   storm [at] debian.org
============================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
============================================================================
Only a government that is afraid of it's citizens try to control them.

-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en

Re: routing over 802.11b?

Bradley,

While I haven't personally run OpenVPN over a wireless network, I would expect
it to work on a configuration similar to that of a typical WAN setup with
multiple hosts communicating over the internet; only in this case just treat
the wireless LAN the same way as you would the internet.

Create two private, distinct subnets, one for the wireless LAN and two for the
VPN.  Decide if you want all VPN traffic to be routed through a central
server, or peer-to-peer between each host (in the latter case, each host needs
an explicit tunnel to every other host).  Firewall off the wireless LAN
interfaces to only allow secure protocols, i.e. openssh, openvpn, etc.  Set up
tunnels between the server and all wandering hosts.  If you are using OpenVPN
to make the tunnels, use the --ifconfig option to allocate secure IP address
endpoints to each host from the pool of addresses you've set aside for the VPN
subnet (Note the VPN subnet is not a true subnet in the sense that it is
really a just a collection of endpoints used in point-to-point routing).  Set
a default routing rule on the wandering hosts to route to the far endpoint of
the VPN link to the server (as in --ifconfig [near-endpoint] [far-endpoint]).
 The server will need to be set up to route traffic between interfaces, such
as tun* <-> tun* and tun* <-> eth0 (masquerading as eth0's public IP addr), so
that the wandering hosts have internet access.  When it's all working, you
would be able to connect to the web from a wandering host, the connection
would get routed over the secure wireless tunnel to the server, then get
masqueraded out to the net using the public IP address of the server.

Here's a more HOWTO-oriented document:

http://slackerbit.ch/archives/2002/12/11/securing_wifi_with_openvpn.html

James

Bradley Alexander <storm <at> tux.org> said:

> This question is not an issue with openvpn, per se, but related because
> openvpn is my weapon of choice. :)
> 
> I have a network in my home, call it 192.168.0.0/24, with a gateway to
> the internet of .4. I also have two laptops, a Toshiba Tecra 8100 with a
> Cisco wireless card, and a Mac Powerbook G3 with an Airport card. I have
> gotten the two cards talking, now it is a matter of setting up the
> networking piece of the puzzle. 
> 
> I decided that since 802.11 has enough security issues to make me very
> uncomfortable with its general use, and since both the Mac and the
> Toshiba (as well as the bulk of the rest of the network) run Linux, I
> would set up an IPtables firewall on each wireless interface (eth1) and
> run openvpn across the ether.
> 
> What I'm looking for is as transparent as possible access for the
> roaming laptop (usually the Mac, since the batteries on the Tecra suck),
> as if it were connected to the wired LAN. Given that the wired LAN is
> 192.168.0.0/24, I made the wireless LAN 192.168.1.0/30. This gives me
> two addresses required for the point-to-point link. I got this far, but
> did not get to the point of setting up the openvpn. I was able to
> "double-hop" to the wired network from the roaming laptop (e.g. ssh to
> the wired lappy, then ssh to, say, the mail server).
> 
> What would be the best way to make it as transparent as possible to get
> the roaming laptop to be able to access both local services (dns, mail,
> etc) as well as being able to get it out to the Net as if it were on the
> wired LAN?
> 
> thanks,
> -- 
> --Brad
> ============================================================================
> Bradley M. Alexander                |
> Debian Developer, Security Engineer |   storm [at] tux.org
> Debian/GNU Linux Developer          |   storm [at] debian.org
> ============================================================================
> Key fingerprints:
> DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
> RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
> ============================================================================
> Only a government that is afraid of it's citizens try to control them.
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by:Crypto Challenge is now open! 
> Get cracking and register here for some mind boggling fun and 
> the chance of winning an Apple iPod:
> http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 

--

-- 

-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en

Re: Problems with NAT and openvpn

>>>>> "James" == James Yonan <jim <at> yonan.net> writes:

[...]

Jack> Any help that can be provided would be dearly appreciated.

James> Do pings work over the tunnel?

No.  When I try to ping, I see the occasional packet on the ls-jtwilley
side and many many packets on the duchess side, but nothing seems to
go through the tunnel.

[...]

James> Remember that tun devices, though virtual, are generally
James> treated by the OS as a first class network-capable device,
James> meaning that you have to tell the OS to allow incoming telnet
James> connections on tun0 (for example).

Neither duchess nor ls-jtwilley are firewalls themselves -- they are
both behind firewalls.  Once pinging works, I'll add 192.168.74.0/24
to the list of networks for postfix to test on that level.

I chose the tun0 interface because it started up without errors.
Should I use the tap0 interface?  If so, what sort of ifconfig line
should I stick in the up files?

James> Let us know if any of this works and if you solve the problem.

Nope, none of this worked.  Thanks anyway, though.  Any more
suggestions would be dearly appreciated.

James> James

Jack.
--

-- 
Jack Twilley
jmt at twilley dot org
http colon slash slash www dot twilley dot org slash tilde jmt slash