Wake On LAN proxy

1. What is it?

Probably the easiest way to explain is by way of usage. You have a constant connection to the Internet, but you are away from base. All machines except the gateway are powered off while you are away. Remotely you decide you want to access one of your machines. You need to power it up first.

For machines with suitable NICs there is the Wake On LAN mechanism. But this doesn't work over the Internet because you would have to route a packet to your internal network. The firewall stops you from doing that, for good reasons. Even if you were able to route a packet, you wouldn't want this information to travel in the clear, otherwise other people who intercept your packets could learn how to turn on your machines remotely too. So you need some kind of authentication and privacy.

Enter Wake On LAN proxy. This runs on your gateway, or on some other machine on the network that's always on, and can be reached from the Internet by port forwarding. You send a command to it to wake a particular machine and it broadcasts a suitable packet on the internal network.

2. How it works

I won't explain how Wake On LAN works or how to set it up for your network machines here; a web search should find you material relating to WOL. I will just explain the proxy.

The proxy and client both have the same table stored in a data file (with one exception, explained later). The proxy listens on a chosen port. When it gets a connection, it generates a 16 byte random challenge using /dev/random, and prints this to the client as 32 hex characters. The client takes the challenge, concatenates it with the MAC address of the WOL target and the passphrase, computes the MD5 hash of that, and sends it back to the daemon as 32 hex characters. The daemon uses the challenge and does the same computation with each of the entries in its table and compares each hash with the client's hash.
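The exchange just described, as an added example written for this page in Python; it is not code from the wold/wolc.pl package. The README does not pin down the exact bytes that are hashed, so this example assumes the hash input is the ASCII text challenge + MAC + passphrase with no separators, that the challenge is used as the 32 hex characters the daemon printed, that the MAC is taken exactly as written in the table, that hex output is lowercase, and that trailing whitespace on a table line is part of the passphrase (which is the reading of the README's trailing-whitespace warning used here). The sample table is constructed for the example and is not the package's sample.dat.

```python
# Added example, not code from the wold/wolc.pl package.  Implements the
# challenge/response exchange in Python so both sides can be checked offline.
# Assumptions (not fixed by the README): hash input is the ASCII text
# challenge + MAC + passphrase with no separators; the challenge is the 32 hex
# characters the daemon printed; the MAC is exactly as written in the table;
# hex output is lowercase; trailing whitespace belongs to the passphrase.
import hashlib
import hmac
import os
import re
from typing import Callable, List, Optional, Tuple

Entry = Tuple[str, str, Optional[str]]  # (MAC, IP-or-name, passphrase or None)

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# MAC, IP-or-name, then everything to end of line (greedy, keeps trailing spaces)
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample table (not the package's sample.dat).  The "mediabox"
# line deliberately ends in a space; the "laptop" line has no passphrase,
# which on the client side means "prompt the user".
SAMPLE_TABLE = (
    "# constructed sample table\n"
    "00:11:22:33:44:55 desktop correct horse battery staple\n"
    "00:11:22:33:44:66 nas   hunter2\n"
    "00:11:22:33:44:77 mediabox trailing space passphrase \n"
    "00:11:22:33:44:88 laptop\n"
)


def parse_table(text: str) -> List[Entry]:
    """Parse the /etc/ethers-like table: MAC, IP-or-name, then the passphrase
    running to the end of the line (trailing whitespace included)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if m is None or not MAC_RE.match(m.group(1)):
            raise ValueError("bad table line: %r" % raw)
        entries.append((m.group(1), m.group(2), m.group(3) or None))
    return entries


def make_challenge() -> str:
    """Server side: 16 random bytes shown as 32 hex characters.  wold reads
    /dev/random; os.urandom is used here as the portable equivalent."""
    return os.urandom(16).hex()


def response_for(challenge_hex: str, mac: str, passphrase: str) -> str:
    """MD5(challenge || MAC || passphrase) as 32 lowercase hex characters."""
    data = (challenge_hex + mac + passphrase).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def client_reply(table: List[Entry], target_mac: str, challenge_hex: str,
                 prompt: Callable[[str], str]) -> str:
    """Client side: find the target, prompt for the passphrase when the
    client's table omits it, and produce the reply to send back."""
    for mac, _name, passphrase in table:
        if mac.lower() == target_mac.lower():
            if passphrase is None:
                passphrase = prompt("Passphrase for %s: " % mac)
            return response_for(challenge_hex, mac, passphrase)
    raise KeyError("no table entry for %s" % target_mac)


def find_target(table: List[Entry], challenge_hex: str, reply_hex: str) -> Optional[str]:
    """Server side: recompute the hash for every entry and return the MAC of
    the one that matches, or None.  compare_digest is a defensive choice made
    in this example so the comparison does not leak timing information."""
    reply_hex = reply_hex.strip().lower()
    for mac, _name, passphrase in table:
        if passphrase is None:  # server-side entries must carry a passphrase
            continue
        if hmac.compare_digest(response_for(challenge_hex, mac, passphrase), reply_hex):
            return mac
    return None


def magic_packet(mac: str) -> bytes:
    """Standard Wake On LAN magic packet: six 0xFF bytes followed by the
    target MAC repeated 16 times, 102 bytes in total."""
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) * 16


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    challenge = make_challenge()                               # daemon -> client
    reply = client_reply(table, "00:11:22:33:44:55", challenge, prompt=input)
    target = find_target(table, challenge, reply)              # client -> daemon
    print("matched:", target)
    if target:
        print("would broadcast %d bytes to 255.255.255.255" % len(magic_packet(target)))
```

Running the block directly walks through one exchange with the constructed table; the functions are split by side so a table file or a captured reply can be checked without any network traffic, and a passphrase that differs only by a trailing space produces a reply the server will not match.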
If a match is found, then that's the WOL target, and the daemon broadcasts a WOL packet on the local network.

The format of the table is like /etc/ethers, but with a third field:

MAC-address IP-or-name passphrase

IP-or-name is not used in the computation but is there for human reading. The passphrase goes to the end of the line. Beware of trailing whitespace. Comment lines start with #. See sample.dat for an example.

On the client side, the passphrase can be missing, in which case the user is prompted to enter a passphrase.

A timeout applies when reading the reply, to prevent clients from tying up the daemon indefinitely. The default is 4 seconds. It can be changed with the -t option.

3. How to install

There are two programs in the package, wold (server) and wolc.pl (client).

3.1 On the server side

wold needs to be compiled from wold.c. Just say make and wold will be compiled. This runs on Linux. I don't know if /dev/random is implemented on other platforms, so I can't say if it will run there. Install the binary in, say, /usr/local/sbin.

Now add an entry to inetd (or the equivalent in xinetd) that looks like this (all on one line):

port stream tcp nowait foo /usr/sbin/tcpd /usr/local/sbin/wold -f /usr/local/etc/wolp.conf

The port is a number chosen by you; almost any free TCP port above 1024 should do. Remember to allow this port through any firewall rules or port forwarding. /etc/hosts.deny and /etc/hosts.allow should be edited if you wish to limit the client IPs that can access this server. You may also wish to limit the number of instances and frequency of invocation of this daemon to reduce the risk of DoS attack. foo is an account that has no special privileges and can read /usr/local/etc/wolp.conf, but no other normal account can.

If the target LAN is not the route taken by packets to the broadcast address 255.255.255.255, e.g.
on a firewall, where the default route is to the Internet, then you need to install a route entry that says that for packets to the host 255.255.255.255, use the LAN interface. You can also specify the IP address and port to send the WOL packet to with the command line -i and -p options. These default to 255.255.255.255 and 0x2fff respectively.

3.2 On the client side

wolc.pl requires the following Perl modules: Getopt::Std, Term::ReadPassword, Digest::MD5, IO::Socket. You will need to install any that are missing from your system. Install the client anywhere convenient. You may wish to create a wrapper shell script that supplies the common arguments, such as the data file name and the host and port number, to reduce typing.

Remember that wol.dat on the client side should be protected from public viewing. You may also wish to remove some or all of the passphrases so that you have to type them in at run time.

If you can program, feel free to create and contribute other implementations of clients. One for Java would be good for use from a browser.

4. Disclaimer

I have tried to implement what I believe is sufficient security for this application, but I don't guarantee anything. You take all the risks of running this program. If turning on your computer remotely overfeeds your tropical fish or worse, it's your problem.

It boils down to a balance of benefit and risk. How much is it worth to you (and the intruder) to be able to turn on the machine remotely? How hard do you have to make it before the intruder decides it's not worth his while?

I assume that any intruder can capture and observe the challenge and reply packets. To be able to spoof your server with a fake client, he would have to be able to send a reply that is legitimate. He could try to crack your MAC address and passphrase by brute force, i.e. MD5 hashing every combination until a match is found.
The MAC address is limited by the addresses assigned to manufacturers, so there aren't a lot of addresses there to try. That leaves the passphrase. That is why you should make it as long and complicated as feasible: letters of both cases, numbers, punctuation marks, the usual drill. Also remember that the data files should be protected from public viewing. All that network security is useless if you just let this information escape.

As for denial of service, you may wish to use your inetd's mechanisms for limiting the number and frequency of instances that can be started.

5. Copyright and contact

Except for the files md5.c and md5.h, which have their own copyright conditions, the package is released under the GPL Version 2.

If you have any suggestions on how to improve the program, or have other implementations of the client to contribute, please contact me. My mail address is antispammed, you know what to do.

ken underscore yap atsign users period sourceforge period net

April 2003