# Trying to get me head round orenosp



## CarlWalters (Oct 17, 2001)

as in the subject line - I'm trying to install orenosp using the instructions listed here however the version of orenosp that I have downloaded seems to be 0.8.3 and the sproxy.conf file looks a bit different.

Does anyone have an idiot's guide which covers the changes that need to be made to this newer flavour of sproxy.conf file

I'm happy enough about the changes that need to be made to

```
# listen port
proxy_listen_name = lis-ssl [email protected] https
```

but everything else seems different


----------



## Fatbloke (Feb 26, 2002)

not quite what you asked - but here's the version I used.

orenosp038_e


----------



## CarlWalters (Oct 17, 2001)

thanks very much - I'll give it a go tonight! I couldn't find an earlier version. I presume there's no problem using this as opposed to the latest all singing version?


----------



## Fatbloke (Feb 26, 2002)

Mine happily does the job and has never crashed as far as I'm aware.

btw - here's the CFG I use:


```
#
# Very simple orenosp ssl reverse proxy configuration
# for 0.3.8 or later

...
```


192.168.1.200 being my Tivo IP.
replace LOGON_ID and XXXXXXXX of course.


----------



## elvistheking (Sep 10, 2004)

Has anyone had any joy getting the gtOrenoPC (the Orenosp powered VNC/RDP proxy) to *also* do reverse proxying for Tivo?

Stephen


----------



## CarlWalters (Oct 17, 2001)

OK - well I think it's working now I can certainly go to 
https://mydomain.dyndns.org:xxxx/ and get to TiVoWeb. But I do then get a message that says something along the lines of

"The server's certificate chain is incomplete, and the signer(s) are not registered. Accept?"

and then something about

"the certificate for "localhost" is signed by the unknown certificate authority "Orenosp Auto-Generated CA xxxxxxxxxxxx". It is not possible to verify that this is a valid ...

Should I worry about this?


----------



## Fred Smith (Oct 5, 2002)

Well I don't worry, I get the second message and it all still works fine with these browsers: IE 6, Firefox 1 and Pocket IE. The only problem it causes me is that my mobile phone browser (Nokia 5140) keeps re-displaying it throughout a manual record input. So it's just a nuisance on the odd occasion I use the mobile. I have not seen the first message but maybe that's because you are using a later version of Orenosp than me.


----------



## iankb (Oct 9, 2000)

> _Originally posted by CarlWalters_
> "the certificate for "localhost" is signed by the unknown certificate authority "Orenosp Auto-Generated CA xxxxxxxxxxxx". It is not possible to verify that this is a valid ...
> 
> Should I worry about this?


That's because you haven't bought a site certificate from a trusted authority such as Verisign or Thawte. There's no point in wasting money by doing that, since you know that your site is a trusted one. If you wanted to, you could generate your own certificate using Microsoft tools, but it still wouldn't be trusted by anybody but you.

What's important is that you are using SSL, which negotiates a strong encryption key for hiding the entry of your username and password from nosy hackers.


----------



## CarlWalters (Oct 17, 2001)

OK - excellent. I shan't worry about that then 

Now my next problem is when trying to access TiVoWeb from work (with Opera) which is the whole point - I navigate to

https://mydomain.dyndns.org:xxxxx

I get an error message

HTTP 502 Proxy Error - The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)
Internet Security and Acceleration Server.

Is this a problem with my work's setup or can I get around it by using the standard SSL port 443? I used a non standard port xxxxx as suggested in the orenosp set-up description.


----------



## B33K34 (Feb 9, 2003)

The easy answer to this one is to try using 443! 

My attempts to forward other ports through my Netgear router were unsuccessful and I figure it's secure enough.

Currently I'm using the supplied Certificate. A brief look at the instructions for generating my own with the tools supplied with orenosp established that it would need a bit of time to work out. Is it worth the effort or is the orenosp "test" certificate enough?


----------



## CarlWalters (Oct 17, 2001)

does anyone have any idea how I could test whether an https://xxxxxx:443 address would work from here at my work PC? Is there a site I could browse to to check?


----------



## iankb (Oct 9, 2000)

The only benefit of having a personalised certificate is that anybody connecting to your site with SSL is assured that they haven't been redirected to some other place, where somebody could attempt to grab your login or other details. However, unless you buy a trusted certificate, anybody could create a certificate with your details, and so that doesn't really solve anything. Apart from the cost, a trusted certificate is only issued when they have performed Dun & Bradstreet checks, etc, on your company to prove who you say you are.

Since there is no commercial reason for somebody to impersonate your site, I wouldn't worry.
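
The assurance described in the post above (that the browser has reached the home proxy and not some other server) can also be had from the auto-generated certificate by recording its SHA-256 fingerprint once on the home network and comparing it on later connections. This is an added example, not part of the original thread or of orenosp; the sample certificate bytes and the host name in the final comment are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise(pin: str) -> str:
    """Accept 'AA:BB:..' (as browsers display it) or plain hex."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate with the pin."""
    return hmac.compare_digest(fingerprint(der_cert), normalise(pinned))


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the server presents, without CA validation.

    CA validation is off only because the proxy's certificate is self-signed;
    the pin comparison takes its place.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_proxy(host: str, pinned: str, port: int = 443) -> bool:
    """True only if the live server presents exactly the pinned certificate."""
    return pin_matches(fetch_server_cert(host, port), pinned)


# Constructed stand-ins for two different certificates (not real X.509 data).
SAMPLE_HOME_CERT = b"constructed-der-bytes-for-home-proxy"
SAMPLE_OTHER_CERT = b"constructed-der-bytes-for-some-other-server"
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_HOME_CERT).digest())

if __name__ == "__main__":
    print(pin_matches(SAMPLE_HOME_CERT, SAMPLE_PIN))    # same certificate
    print(pin_matches(SAMPLE_OTHER_CERT, SAMPLE_PIN))   # different certificate
    # Live use: verify_proxy("mydomain.dyndns.org", "<fingerprint recorded on the LAN>")
```

The pin has to be recorded over a connection that is already trusted, such as from a PC on the same LAN as the proxy, and re-recorded whenever the certificate is regenerated.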


----------



## iankb (Oct 9, 2000)

You don't need to specify port 443 if you prefix the URL with https, since that is the default. Your company firewall will almost certainly allow port 443 out, since you wouldn't be able to use sites that require credit card entry, etc, without it.

The problem with using non-standard ports sounds like it might be an issue with a software firewall on your home PC. Are you running Windows XP SP2 firewall, Norton Internet Security, or similar? It would be best if your router allows you to translate a high-numbered port to port 443 when you specify port redirection, since port scanners are less likely to check high-numbered ports.


----------



## Fatbloke (Feb 26, 2002)

If your work is anything like mine (bank) then you'll only have port access to 80 (http) 443 (https) and 21 (ftp).
This has forced me to set my router to accept 443 as an incoming port, forwarding it to the PC running orenosp.

I'd ensure your setup runs correctly on 443 before trying anything else.

internet https-->port 443 on router --> port x on pc via port forwarding on router --> port xx on Tivo via port forwarding on orenosp.


----------



## iankb (Oct 9, 2000)

Actually, it's almost certainly a company firewall problem, since they appear to be using a proxy server to access the internet. Fatbloke is right in that you'll probably have to use port 443.


----------



## CarlWalters (Oct 17, 2001)

> _Originally posted by Fatbloke_
> If your work is anything like mine (bank) then you'll only have port access to 80 (http) 443 (https) and 21 (ftp).
> This has forced me to set my router to accept 443 as an incoming port, forwarding it to the PC running orenosp.
> 
> ...


so I'd do something like


- net stop orenosp
- edit sproxy.conf to listen on port 443
- net start orenosp?
- change netgear router port forwarding to forward port 443 to orenosp
- orenosp already forwards to TiVoWeb on port 80


----------



## B33K34 (Feb 9, 2003)

That sounds right to me.


----------



## Fatbloke (Feb 26, 2002)

Agreed - the most important bit is that your router is listening to 443 from Internet traffic. This will (hopefully) be allowed by your work's firewall. Once it's in the router, that could then send in to port 666 for example where you could change orenosp to be listening. But tbh, it's more straightforward to keep them on the same ports.


----------



## steford (Oct 9, 2002)

Anyone got tunnelling set up in orenosp? Tivo, xbox and router all available over my secure connection but I use remote ABC (a non http client for ABC) which I'd like to securely tunnel (and possibly telnet). My IP webcam also loses picture when I use orenosp to access it. Seems there's some way to run a Java applet from my server on my local machine and "VPN" via orenosp that way. Looks rather complicated though.


----------



## CarlWalters (Oct 17, 2001)

OK, I have changed everything as suggested so that it all works from port 443. I can access TiVoWeb OK from my PC using https://mydomain.dyndns.org:443/ and using my mobile phone (Sony Ericsson K700i) I can also go to https://mydomain.dyndns.org:443/ and I get asked to enter Username and Password (which can then be saved on the phone) and to my amazement I got the top level of TiVoWeb - on my phone!!! How cool is that! Dead exciting.

But - and there's always a but with me isn't there - I could navigate the top level of TiVoWeb but when I clicked on any of the main menus ("Search", "User Interface" etc) I just kept getting the top level menu. ie I couldn't navigate down to any of the useful bits.

I think my phone understands HTML (must do if it can see TiVoWeb menu I suppose). I'm not running TiVoWebWAP at all (and I don't think I need to). Any ideas why I can't go down a menu level?


----------



## Fozzie (Sep 3, 2001)

Any difference if you ditch the ":443/"? You shouldn't need that.


----------



## CarlWalters (Oct 17, 2001)

DOH  

As usual it's just me. Sorry. The menus were displaying properly - it's just that I hadn't scrolled down to see them. So embarrassed!

So I can get to my TiVo via my K700i phone OK and navigate the menus. But is there any advantage to doing this via WAP pages rather than via the normal HTML pages? I assume that WAP pages must be "lighter" and would therefore be cheaper to download?


----------



## sanderton (Jan 4, 2002)

A little. Many phones won't do HTML.


----------



## CarlWalters (Oct 17, 2001)

Changing the port to the standard 443 works. I can now access TiVo from work! Cool!

What next......


----------



## zippy7272 (Dec 29, 2004)

Sorry to jump on your thread - maybe someone here could help me?

I've installed the orenosp .exe included above and copied and replaced the .conf file from above.

Changed the login / password and ip address - to my tivo's ip address (not this PC)

I restart the service

I pull up IE and enter my ip address (this machine:443) - get the login & password prompt.

Enter them in, and get a 'standard' MS windows restricted access to protect me.

So I thought windows firewall (I'm on XP SP2 - with latest fixes installed) - switched it off (it's back on now!)

and still got the same - what do I have to do to tell IE 6 to stop protecting me?


----------



## SRB (Mar 26, 2003)

I've trawled and trawled and this seems to be the thread closest to my problem :
I've been running orenosp quite happily for about a year, no problems, using much the same script as Fat Bloke. However, a friend of mine has gone over to Skyplus and I recently bought his TiVo. I've now installed the second box on my network. 

I tried to follow the "install 2 TiVos info" here:
tivohelp.swiki.not allowed to type net/83

but I can't get the service to run. As soon as I add the last line in the above article 
It won't start. If I leave these lines out then I can access the two boxes via the 2 ports used (443 and 80), but not having the password is a bit pointless. If I use the line from my original 1 TiVo setup which starts : proxy_auth_path and has my single username and password (The Forum won't let me post the lines here)
and then add the port numbers to the web URL, it works fine, I can access both boxes BUT using the same password. 

Is it possible to have different passwords for each box or is the service actually working as it should ?

Any help would be great.


----------



## CarlWalters (Oct 17, 2001)

Just got through the stresses of moving house and upgrading the PC to something a little less clunky. All seems good so far - wireless network OK, can ping and telnet tivo OK, can access TiVoWeb locally fine.

When I upgraded to this new PC (still WinXP) I used a TransferMyPC program to automatically copy across all the useful data. This seemed to work fine. So I decided to install orenosp on the new PC and get TiVoWeb accessible from work again. But the TransferMyPC program already seems to have transferred the orenosp service onto the new PC. So I thought I'd remove the whole thing and re-install afresh using the instructions here.

- installed orenosp083_e
- created my sproxy.conf which looks like this

```
#
# Very simple orenosp ssl reverse proxy configuration
# for 0.3.8 or later

# proxy listens on standard HTTPS port
# and forwards all requests to http://localhost:80

# listen port
proxy_listen_name = lis-ssl [email protected] https

# forward all requests received on lis-ssl to backend server (localhost:80)
proxy_pass_by = lis lis-ssl MyTiVoIPAddress

#
# SSL: pass phrase for server private key
#
proxy_ssl_keypass = MyPassword

# access log file
proxy_log_access_io = single logs/access.log

#proxy_auth_path = [options]
proxy_auth_path = / -u="MyUserName:MyPassword" -rlm="Carl's TivoWeb Access"

#end
```
- then ran "net start orenosp"

But I then get error messages like this


```
2006/03/23 20:41:46 [75484.75420](svmain)===== orenosp/0.8.3 starting up...  
2006/03/23 20:41:46 [75484.75420](svmain)Couldn't read key file.  key passphrase is wrong?  
2006/03/23 20:41:46 [75484.75420](svmain)sslprof: failed to initialize SSL profile [svdflt]  
2006/03/23 20:41:46 [75484.75420](svmain)orenosp svthread_init failed with status -1
```
Have I missed something obvious this time round (I usually do)?


----------



## ptruman (Jan 8, 2003)

I've got, and *WAS* running OrenoSP 0.8.*4*

It was a sod to setup, but I did tie it into Windows authentication using IIS.

However, I STRONGLY recommend doing what I do now, and buying a Linksys WRT54G or WRT54GS router (circa £80), upgraded to the DD-WRT or Sveasoft firmware, and running a DropBear SSH server on the router. This gives you SSL level encryption, lets you into TiVO and anything else on your network, along with lots of other good stuff (and your PC doesn't have to be on)

Talk to me first if you go the router route, there are a couple of things to be careful of (like AVOID the WRT54GS V5 - if you can, get a V2)


----------



## -MC- (Dec 9, 2005)

The error message shows that orenosp couldn't find the SSL certificate, you may have to regenerate a new one, preferably using the same "keypass" name that was used originally.


----------



## jkrell (Nov 27, 2002)

ptruman said:


> I've got, and *WAS* running OrenoSP 0.8.*4*
> 
> It was a sod to setup, but I did tie it into Windows authentication using IIS.
> 
> ...


Question about this, if anyone is listening. I have a cable modem hooked up to a Vonage WIRED router, then through a 16-port switch to all the rooms in my house. Upstairs, I have a WRT54G which acts as a wireless access point and switch in our upstairs office.

If I set up my Vonage router to forward incoming requests to the WRT54G, which is at 192.168.2.1 (as opposed to the default 192.168.1.1), can I run DropBear on it as you mentioned above? It sounds interesting to me. Alternately, if I cannot do that I think I will just run a server on one of my Linux boxes (like my storage server) that is always on.


----------



## jkrell (Nov 27, 2002)

Fatbloke said:


> Agreed - the most important bit is that your router is listening to 443 from Internet traffic. This will (hopefully) be allowed by your work's firewall. Once it's in the router, that could then send in to port 666 for example where you could change orenosp to be listening. But tbh, it's more straight forward to keep them on the same ports


Hey Guys:

This is going to fix the problem I am experiencing as well. I wonder why Orenosp does not mention the fact that many work computers restrict outgoing ports. This way, people would know why they cannot access it from work, etc. OK, enough ranting......

My question is:

I have 4 TiVos that I would like to be able to access remotely. Orenosp is supposed to be able to handle this, but you need to use different port numbers which it then forwards to different IP addresses on your network. How do you manage this if you can only use one port number (443, the default)?


----------

