L2TP IPSec VPN, iOS compatible

Why an L2TP IPSec VPN

I use VPNs all the time these days to access resources that I have restricted on the servers I manage. I also want to be able to watch live TV programs from various countries regardless of where I am; in most cases live TV is only available in the country of origin, therefore without a VPN or similar solutions it is not possible to watch them from elsewhere, using the original websites. I know that there are reasons for these geographical restrictions, but that’s not the point of this article ;). I also own an iPad and an iPhone, so I prefer having a private connection when I am on the move and need to surf the Internet or just check my emails, but have to use some network over which I have no control. Gmail and many sites I need use SSL, but nevertheless using a VPN gives peace of mind since you don’t have to worry as much about how much attention has been paid to the security aspects of these services, at least as far as the encryption of the data is concerned. So the VPN I use must also be compatible with these devices, and that’s why I have replaced my long-time favourite OpenVPN with an L2TP IPSec VPN on each of my servers. These VPNs are IMO simpler to set up, secure, and compatible with most operating systems and devices without requiring additional client software in order to establish the connection. This is a plus, since it means I can also configure VPN access on my iPhone without having to jailbreak it or install third party apps to be able to use another VPN.

So here’s a simple guide on how to set up an L2TP IPSec VPN on an Ubuntu server and get both a Mac and an iPhone connected. The process should be very similar with other Linux distributions. Hopefully this will save you some trial and error; I won’t go into the details of each setting or command as I am myself not too familiar with several of them, so if you just want a “fast-track” how-to, here you are.

To set up an L2TP IPSec VPN, you’ll need to install OpenSwan, which is an IPSec implementation for Linux; IPSec is responsible for the encryption of the packets.

apt-get install openswan

You will be asked “Do you have an existing X509 certificate file that you want to use for Openswan?”. If you, like me, want an L2TP IPSec VPN compatible with iPhones/iPads and other devices, answer No, since these typically do not support setups with certificates.

Next you’ll need to edit a few configuration files. I’ll paste below the settings I currently use on 5 L2TP IPSec VPN servers and that I know work for sure; you may want to empty those files before pasting the configurations I suggest, just to keep things simpler.

First, edit /etc/ipsec.conf and change/add the following settings:

version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=the public IP of your server
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

Obviously, replace the value of the left setting with the actual public IP of the box on which you are installing the L2TP IPSec VPN server. Note that Openswan treats a line starting in column 0 as a section header (config setup, conn ...), so the parameters inside each section must be indented as shown.

Next, edit /etc/ipsec.secrets and add the following:

(server's public IP) %any: PSK "Your shared secret"

Again, you will have to specify here the public IP of the server and also a shared secret that will be used on clients together with the credentials for each specific client account.

Now create the file /etc/vpn-setup and paste the following in it:

#!/bin/bash
# Enable IPv4 forwarding so the VPN clients' traffic can be routed out through this box
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disable ICMP redirects on every interface; "ipsec verify" complains otherwise
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done

Make sure you make this file executable with:

chmod +x /etc/vpn-setup

This is required to route all the Internet traffic through the L2TP IPSec VPN gateway; to ensure the commands in the file are executed at startup, edit /etc/rc.local and add /etc/vpn-setup before the exit 0 line. Run /etc/vpn-setup once, manually for now, so as to apply these settings for the current session, then restart IPSec:

service ipsec restart

Next, let’s configure some firewall rules to accept the IPSec/L2TP traffic and NAT the clients’ traffic out through the server. If you are using iptables, run the following commands to apply the required rules immediately:

iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.1.2.0/24 -j ACCEPT

Then backup the current configuration to file with:

iptables-save > /etc/iptables.rules

To ensure these rules are also applied at start up, update /etc/network/interfaces so it looks something like the following:

auto eth0
iface eth0 inet static
address ...
netmask ...
broadcast ...
network ...
post-up iptables-restore < /etc/iptables.rules

The important line that you need to add is the one starting with post-up.

At this point you should be able to establish an IPSec connection from a client, although we still need to sort out the authentication side, so it’s a good time to test this before going ahead:

ipsec verify

If all went well, and there are no problems with the version of the kernel you are using, you should see something like the following:

Checking your system to see if IPSec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPSec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

I can’t remember how to set up an L2TP IPSec VPN client on Windows or Linux desktop, but here’s how to do it on Mac: go to System Preferences -> Network, and create a new connection by clicking on the + button. When you’re asked for the type of the connection you want to create, choose VPN and leave the default type selected, in order to configure an L2TP IPSec VPN connection. Then give your connection whatever name you prefer:

[screenshot: new VPN connection dialog]

Then enter either the server’s IP or a hostname pointing to it, and in Account name enter whatever username you’ll want to use to establish the connection. Don’t worry if you haven’t configured this yet: the authentication will fail at first, but we need to verify that the IPSec connection can be established correctly before proceeding with the rest of the configuration:

[screenshot: server address and account name]

Next, in Authentication Settings you need to enter the password you are going to use with your account and the shared secret specified in /etc/ipsec.secrets:

[screenshot: Authentication Settings]

In Advanced make sure the option Send all traffic over VPN connection is checked if you want to appear as from the location of your server:

[screenshot: Advanced options, Send all traffic over VPN connection]

Now, still on your Mac, open a terminal and run

tail -f /var/log/system.log

then click on Connect in the L2TP IPSec VPN connection’s settings. If everything was fine so far you should see something like this:

Feb 16 22:32:50 Vitos-Mac-Pro-3.local configd[17]: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
Feb 16 22:32:50 Vitos-Mac-Pro-3.local pppd[87354]: pppd 2.4.2 (Apple version 596.13) started by vito, uid 502

Feb 28 22:32:50 Vitos-Mac-Pro-3.local pppd[87354]: L2TP connecting to server '...' (xxx.xxx.xxx.xxx)...
Feb 28 22:32:50 Vitos-Mac-Pro-3.local pppd[87354]: IPSec connection started
Feb 28 22:32:50 Vitos-Mac-Pro-3.local racoon[378]: Connecting.
Feb 28 22:32:50 Vitos-Mac-Pro-3.local racoon[378]: IPSec Phase1 started (Initiated by me).
Feb 28 22:32:50 Vitos-Mac-Pro-3.local racoon[378]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Feb 28 22:32:53 Vitos-Mac-Pro-3.local racoon[378]: IKE Packet: transmit success. (Phase1 Retransmit).
Feb 28 22:33:00 --- last message repeated 2 times ---
Feb 28 22:33:00 Vitos-Mac-Pro-3.local pppd[87354]: IPSec connection failed
Feb 28 22:33:00 Vitos-Mac-Pro-3.local racoon[378]: IPSec disconnecting from server xxx.xxx.xxx.xxx

Don’t worry about the message IPSec connection failed: that’s because we haven’t configured the authentication on the server yet; the important thing is that the IPSec side is fine (i.e. IPSec connection started). Now, for the authentication, install xl2tpd with

apt-get install xl2tpd ppp

then edit /etc/xl2tpd/xl2tpd.conf and either change the following settings or just remove everything in there and paste what follows:

[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Next, edit /etc/ppp/options.xl2tpd and paste the following:

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

The last bit of configuration is the file /etc/ppp/chap-secrets which contains the credentials for each VPN account:

# Secrets for authentication using CHAP
# client server secret IP addresses
<username> l2tpd <password> *

Finally, restart the various services involved:

/etc/init.d/xl2tpd restart
/etc/init.d/ipsec restart
/etc/init.d/pppd-dns restart

You should now be able to successfully establish a connection from your Mac client, and your IP address, as seen from the Internet, will be that of your L2TP IPSec VPN server.
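As an added illustration, not part of the original guide: a Python script that cross-checks the five server-side files above for the mismatches that most often make the connection fail or quietly weaken it (public IP in ipsec.conf vs ipsec.secrets, a placeholder or short PSK, the xl2tpd address pool vs the MASQUERADE subnet, PAP/CHAP refused with MS-CHAPv2 required, the chap-secrets server field vs pppd’s name). The embedded file contents are constructed samples; the IP, PSK and account in them are placeholders.

```python
import ipaddress
import re

# Constructed samples mirroring the guide's files; IP, PSK and account are placeholders.
IPSEC_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    type=transport
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
"""
IPSEC_SECRETS = '203.0.113.10 %any: PSK "example-psk-change-me-0123456789"\n'
XL2TPD_CONF = """\
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
"""
PPP_OPTIONS = "require-mschap-v2\nms-dns 8.8.8.8\nauth\nhide-password\nname l2tpd\n"
CHAP_SECRETS = "# client server secret IP addresses\nalice l2tpd s3cret-pass *\n"
NAT_SUBNET = "10.1.2.0/24"  # the -s value of the MASQUERADE and FORWARD rules


def parse_sections(text, is_header, header_name):
    """{section: {key: value}} for a file whose section headers satisfy is_header(line)."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip()[0] in "#;" or raw.startswith("version"):
            continue
        if is_header(raw):
            current = header_name(raw)
            sections[current] = {}
        elif "=" in raw and current is not None:
            key, val = raw.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    return sections


# Openswan opens a section with a column-0 line and expects its parameters indented;
# xl2tpd uses [bracketed] headers followed by unindented 'key = value' lines.
def parse_ipsec_conf(text):
    return parse_sections(text, lambda l: not l[0].isspace(), str.strip)


def parse_xl2tpd_conf(text):
    return parse_sections(text, lambda l: l.lstrip().startswith("["), lambda l: l.strip()[1:-1])


def parse_secrets(text):
    """(ip, psk) from an ipsec.secrets line of the form: <ip> %any: PSK "<secret>"."""
    m = re.search(r'^(\S+)\s+%any:\s+PSK\s+"([^"]*)"', text, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)


def check_vpn_config(ipsec_conf, ipsec_secrets, xl2tpd_conf, ppp_options, chap_secrets, nat_subnet):
    """Return a list of findings; an empty list means the files agree with each other."""
    findings = []
    left = parse_ipsec_conf(ipsec_conf).get("conn L2TP-PSK-noNAT", {}).get("left")
    secret_ip, psk = parse_secrets(ipsec_secrets)
    if left != secret_ip:
        findings.append(f"left={left} in ipsec.conf does not match {secret_ip} in ipsec.secrets")
    if not psk or psk == "Your shared secret" or len(psk) < 20:
        findings.append("PSK is missing, still the placeholder, or shorter than 20 characters")
    lns = parse_xl2tpd_conf(xl2tpd_conf).get("lns default", {})
    net = ipaddress.ip_network(nat_subnet)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in lns.get("ip range", "0.0.0.0-0.0.0.0").split("-"))
    if lo not in net or hi not in net or ipaddress.ip_address(lns.get("local ip", "0.0.0.0")) not in net:
        findings.append(f"xl2tpd addresses {lns.get('local ip')} / {lo}-{hi} are not all inside the MASQUERADE subnet {net}")
    if lns.get("refuse pap") != "yes" or lns.get("refuse chap") != "yes" or "require-mschap-v2" not in ppp_options.split():
        findings.append("xl2tpd should refuse PAP and plain CHAP and options.xl2tpd should require MS-CHAPv2")
    name = re.search(r"^name\s+(\S+)", ppp_options, re.M)
    ppp_name = name.group(1) if name else None
    for line in chap_secrets.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 4:
            findings.append(f"chap-secrets line has fewer than 4 fields: {line!r}")
        elif fields[1] != ppp_name:
            findings.append(f"chap-secrets server {fields[1]!r} differs from pppd 'name {ppp_name}'")
    return findings
```

Point the constants at the real file contents on the server and print whatever check_vpn_config returns before restarting the services.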

Configuring the VPN client on a mobile device should be very simple in most cases; with the iPhone for example, go to Settings -> VPN:

[screenshot: iPhone Settings -> VPN]

Then add a new VPN configuration:

[screenshot: Add VPN Configuration]

Then enter the same information you have used on your Mac or any other client.

[screenshot: VPN configuration details on the iPhone]

Ensure Send All Traffic is turned on, so as to have a more private connection when you are on the move. Finally, go back to the first screen and turn the VPN on. As said in the beginning, these instructions have worked for me with several L2TP IPSec VPN servers, but please let me know if they don’t work for you.

FileVault: User’s home directory on an encrypted second drive

FileVault 2

Using encryption on a laptop gives you peace of mind that if the laptop gets lost or stolen, others won’t be able to snoop inside your precious data. To this end, I’ve been using FileVault for years to encrypt my home directory; so I was glad that the new version introduced with Lion – also known as FileVault 2 – can now also encrypt entire disks, not just the home. So if you are a Mac user you really have no more excuses not to use encryption on your Mac these days.

Unfortunately, while FileVault makes it easy to enable full disk encryption for the main drive, it’s not as straightforward to encrypt other drives. Besides, it is not possible to move a user’s home directory to an encrypted drive other than the main drive. The reason is that FileVault normally “unlocks” only the main disk before a user logs in, while any other disks that are also encrypted will only be unlocked after the user has logged in. This means that the user’s home directory won’t be available during the login process, if stored on a secondary encrypted drive, causing nasty errors.

On my main MBP I’m lucky enough to have two SSD drives installed, so I wanted to leave the first one (OCZ-VERTEX3 MI) to the OS, and dedicate the second one (OWC Mercury Extreme Pro SSD) to user data, while also having both drives fully encrypted with FileVault.

Here I’ll describe the procedure I followed to achieve this.

Enabling the root user

For starters, I recommend you enable the root user: not only does this make it easier to change the location of your home directory, but it also ensures that if something goes wrong (we’ll see later the most common scenario) you will more likely be able to recover your data or fix your user profile.

You can find easy instructions for this on Apple’s support website.

Encrypting the second drive

I’ll assume here that you’ve already enabled FileVault on the main drive (if not, read this).

Once the root user is enabled, ensure you are logged out and log in again but as root (from the login window, select ‘other’ and enter ‘root’ as username and whatever password you have set for the root user) and open a terminal. Find the disk you want to encrypt and that will store the home directory with diskutil list:

> diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *240.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         239.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *240.1 GB   disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:          Apple_CoreStorage                         239.7 GB   disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS OS                     *238.9 GB   disk2
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Data                   *239.4 GB   disk3

In my case I have both drives already encrypted (see Apple_CoreStorage for both drives), but if I hadn’t yet encrypted my second drive, I’d have to run the command

diskutil cs convert /dev/disk1s2 -passphrase

in order to encrypt the partition on my second drive. cs stands for CoreStorage, which is the technology behind FileVault that handles encrypted volumes. The command above will ask for the password you want to use to encrypt the partition – make sure you remember it or keep a note about it somewhere safe, otherwise you won’t be able to access the contents of the encrypted partition later on if you forget it. diskutil will now start encrypting, or “converting” the selected drive, and this will take some time depending on how large the drive is and on how much data is already stored on it.

While diskutil is doing its thing (you can check the status of the conversion at any time with diskutil cs list), open another terminal session and install unlock (big thanks to the author Justin Ridgewell!) – this is required to have a secondary encrypted drive unlocked before logging in:

curl https://raw.github.com/jridgewell/Unlock/master/install.sh | bash

unlock will detect any encrypted drives other than the main one, and for each of them it will ask you if you want to unlock the drive before logging in. If you answer ‘yes’, you will be asked to enter the password required to unlock the drive and that you have set earlier when running the diskutil cs convert command.

Once unlock is installed, you can restart your Mac and then log in again as root to proceed with the next step. Don’t worry if the conversion of the disk isn’t complete yet, as it will automatically be resumed once you have restarted.

Moving a user’s home directory

Once you have restarted and are again logged in as root, make a copy (for now) of your home directory to the newly encrypted (or encrypting) drive. For example, in my case the second drive is mounted as “Data”, therefore I copied the contents of my old home directory /Users/vito into /Volumes/Data/Users/vito. I suggest you make a copy rather than just moving your home directory to the new location, so as to be able to recover your previous settings if something goes wrong.

When the copy is complete, open System Preferences -> Users & Groups and click on the lock to authenticate yourself and be able to make changes. Then right-click on the user whose home directory you have migrated, and click on Advanced options:

[screenshot: Users & Groups, Advanced Options]

You’ll see the current location of the home directory:

[screenshot: current home directory location]

In my case, since I have already migrated it, the current location is already /Volumes/Data/Users/vito. In your case it will likely be /Users/your-username. Click on Choose, and select the copy of the home directory in the new location. Once done, confirm the selection and log out; then log in again with your usual user account, and if all went well you’ll see your usual desktop, dock icons, and all the rest. Just to be sure, open the terminal and type:

> cd ~ ; pwd
/Volumes/Data/Users/vito

If the change was successful, pwd will return the new location of your home directory. At this point, I’d recommend you restart the system once or twice to confirm that the second drive always gets unlocked before logging in, and that once logged in your user account works fine with the home directory in the new location. I find unlock pretty reliable, but you never know, so it’s safer to check a few times; once you’re happy that everything works as expected, you should be able to safely delete the original home directory to free that disk space.

If something goes wrong…

From my experience over the past weeks, the procedure I described usually just works. However, if for some reason your Mac happens to freeze completely and you can’t shut it down cleanly (it has already happened twice to me since upgrading to Mountain Lion), you could be in trouble. After restarting and logging back in, you might see something like this:

[screenshot: desktop after logging in following a forced restart]

Surprise! It might appear like your stuff is gone. Don’t panic yet – it’s very likely your data is still where it was and in most cases this is quite simple to fix, provided you haven’t disabled the root user! (or have some other admin account available).

If you did disable the root user once you had encrypted the second drive and moved your home directory across, you will likely end up fiddling with your terminal in a recovery session desperately trying to figure out how to fix your user account, or you’ll otherwise end up restoring from a backup (you do backups, don’t you?).

If you have left the root user enabled as I recommend, fixing this should be easy. Log out and log in again but as root, and open your terminal. Run the following ls command first to see what’s currently mounted:

Vitos-MacBook-Pro:~ root# ls /Volumes/
Data MobileBackups OS

In my case, I would see a directory named Data since that is the name given to my second drive. If your Mac wasn’t shut down cleanly though, once restarted it can happen that the second drive is not mounted in that directory. So what happens when you log in as your normal user following a forced restart is that Lion/ML looks for the user directory in /Volumes/Data/Users/vito (or whatever it is in your case) and, because it can’t find it, creates a new home folder in that location.

Just to confirm, type the following to check the size of your home directory as well as of the mount point for the second drive:

Vitos-MacBook-Pro:~ root# du -hs /Volumes/Data/Users/vito/
7.6M /Volumes/Data/Users/vito/

Vitos-MacBook-Pro:~ root# du -hs /Volumes/Data/
7.6M /Volumes/Data/

You’ll see that both the home directory and the mount point for the encrypted second drive are very small – you might want to check the contents too, just to be 100% sure that location doesn’t contain your actual home directory.

So, to fix, you’ll simply need to delete the mount point:

rm -rf /Volumes/Data/

Then log out and log in again with your normal user account. The second drive will be mounted correctly in its usual location, and everything will look normal again.
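An added diagnostic, not part of the original post, that makes the decision in this section safer: rather than judging by du output alone, it asks the OS whether the volume path is actually a mount point before calling the directory stale, and refuses the “remove” verdict when a plain directory holds more data than a freshly created home would. The tree it builds under a temporary directory is a constructed stand-in for /Volumes; the Data and vito names are the ones used in this post.

```python
import os
import tempfile


def classify_mount_point(path):
    """'missing' (nothing there), 'mounted' (a real volume is attached here: never delete it),
    or 'stale' (a plain directory sitting where the volume should have been mounted)."""
    if not os.path.lexists(path):
        return "missing"
    return "mounted" if os.path.ismount(path) else "stale"


def directory_size(path):
    """Bytes of regular files below path, roughly what 'du -s' reports."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.islink(full):
                total += os.path.getsize(full)
    return total


def stale_mount_point_report(volume_path, home_path, max_stale_bytes=50 * 1024 * 1024):
    """Return (verdict, detail) for the recovery step in the post.

    Verdicts: 'ok' (the volume is mounted, nothing to do), 'missing' (no directory at all),
    'stale-remove' (a plain directory small enough to be the replacement home the login
    process created, so rm -rf of the mount point is reasonable once you have looked inside)
    or 'stale-inspect' (a plain directory holding more than max_stale_bytes: look before
    deleting anything)."""
    state = classify_mount_point(volume_path)
    if state != "stale":
        return ("ok" if state == "mounted" else "missing"), f"{volume_path}: {state}"
    size = directory_size(volume_path)
    has_home = os.path.isdir(home_path)
    detail = f"{volume_path} is a plain directory ({size} bytes), home dir present: {has_home}"
    return ("stale-remove" if size <= max_stale_bytes else "stale-inspect"), detail


def build_demo_tree():
    """Constructed stand-in for /Volumes after an unclean shutdown: Data is a plain directory
    holding the small replacement home that the login process created. Returns (volume, home)."""
    root = tempfile.mkdtemp(prefix="volumes-")
    volume = os.path.join(root, "Data")
    home = os.path.join(volume, "Users", "vito")
    os.makedirs(os.path.join(home, "Library", "Preferences"))
    with open(os.path.join(home, ".bash_history"), "w") as fh:
        fh.write("cd ~ ; pwd\n")
    return volume, home


if __name__ == "__main__":
    demo_volume, demo_home = build_demo_tree()
    print(stale_mount_point_report(demo_volume, demo_home))
```

On a real Mac, call stale_mount_point_report("/Volumes/Data", "/Volumes/Data/Users/vito") from the root session before running rm -rf.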

I like this setup since I like SSDs for obvious performance reasons, but these drives tend to be expensive, so both of my SSDs are kinda small, having a capacity of 240GB each. So it’s nice to have the OS and apps on one drive, and all the user data on the other one, rather than a full primary drive.

This trick worked really well for me; if you give it a try, please let me know if it does for you too.

Thermal paste: how to reapply it on a Macbook Pro

Thermal paste: why you may want to reapply it

My main machine these days is a mid-2010 15″ Macbook Pro powered by a dual core i5 (2.53GHz) CPU. I also have a better performing Hackintosh at home, but because of the portability I find myself using the MBP more. It’s a thing of beauty and I love it, as I have the previous Macs I’ve had the pleasure to work with both at home and at work. Since I purchased it, however, it has always been plagued with excessive heat issues: even 85C in idle or with very, very light load! If I said that I could perhaps fry an egg on its surface at times, I don’t think I would be too far from the truth. The laptop got really, really hot at times to the point that touching it for more than a couple of seconds was often more likely painful than just uncomfortable. The CPU is rated to work just fine at a temperature of up to 105C, so until recently I didn’t really care too much about the temperatures since, after all, the Mac seemed to work fairly OK and I didn’t have any other problems with it.

That was until I got really tired of the noisy fans (always running at the max speed of 6K RPM), and I started to wonder whether I should bring it in. I had already tried the usual stuff like resetting the SMC, or the PRAM/NVRAM, with poor results. Then I also noticed that with no doubt the excessive heat was affecting the performance of the laptop quite badly, much more so than I’d have thought possible considering that the temperatures were anyway always well within the 105C max, so from that point of view the CPU was still operating “safely”; lately, however, the laptop seemed to be performing like a much older machine… which was no good. For example, Handbrake video encoding tasks were ridiculously slower than I’d expect from this sort of machine, and then I also noticed that the kernel_task process was almost constantly at the top of my activity monitor with 200-300% CPU utilisation. What the.. ?

Some research on the web confirmed my suspicions that there was indeed a relation between the temperatures, always high but strangely never above 90-92C, and the general slowness, in particular with tasks such as video encoding or heavy testing. Apparently, this is due to the CPU throttling that kernel_task in Mac OS operates to prevent heat from damaging the hardware. I did some simple tests to confirm this, such as watching a Flash HD video for a while and then killing it: video would play fine in the beginning and then become a little sluggish as the CPU got hotter; at that point, kernel_task would be throttling the CPU and stay at the top with very high CPU utilisation and higher priority, so Flash would naturally be slowed down as a consequence and the temperature would never go above 92C or so; once I killed Flash, things would return to normal again and kernel_task would go back to a much lower CPU utilisation. This is – I think – the mechanism used by the software to manage CPU utilisation and heat.

From personal experience, I am aware that heat issues on laptops are often caused by a poor application of the stock thermal paste (also known as “thermal interface material” or TIM), provided that the cooling system is functioning. The reason is simple: the thermal paste – as the name suggests – is supposed to facilitate the transfer of the heat from the CPU/GPU to the heatsink. This only works efficiently, though, if a very thin layer of thermal paste is applied between CPU and heatsink in such a way that minimises the chance of creating “air bubbles” (air has a bad thermal conductivity). So the problem is that very often, the stock thermal paste is applied in factories in ridiculously large amounts, that often spread out of the die of the CPU and that most certainly achieve the opposite effect by slowing down, instead of facilitating, the transfer of heat from CPU to heatsink. Sadly, Apple doesn’t seem to be any different from other manufacturers from this point of view, despite the higher prices and the generally wonderful design and construction quality. Plus, often the stock thermal paste used by some manufacturers is quite cheap, and not based on some very efficient thermally conductive material.

In the past, I have almost always reapplied the thermal paste in my computers and replaced the stock paste with something better (especially with desktops that I liked to overclock) very often with great results, but in this particular case, having purchased the very expensive Apple Care cover together with the laptop, ideally I didn’t want to void the warranty.

Disassembling the laptop, removing the thermal paste and reapplying it, then reassembling the laptop… obviously doesn’t fit in Apple’s description of “user replaceable parts” (only hard drives and memory can be replaced / upgraded on Macbook Pros by the owner without affecting the warranty).

The “surgery”

Having said that, I had already opened my MBP, previously, not only to upgrade the memory and replace the HDD with an SSD, but also to replace the optical drive with a cheap version of the OWC Data Doubler I found on Ebay, so that I can use the ultra speedy 240GB SSD for OS and applications, and at the same time have the stock 500GB HDD installed as additional storage for iTunes and iPhoto libraries, and that kind of stuff that takes a lot of disk space.

I am not sure how likely it is that an Apple employee would notice that I have also replaced the optical drive with the data doubler, if I were to bring the laptop to an Apple Store after restoring its original configuration, but I am aware that my warranty is already virtually void. So I didn’t really want to waste a lot of time bringing the laptop back to its original state, just to be able to bring it in and try to get some Apple employee to replace the thermal paste due to heat issues… too much hassle; plus, from reading the Apple Support Communities, it looks like only a very few people have managed to get this done by Apple, and in all cases the job was done as poorly as in the factory, or even worse. So I just decided to do it myself, and therefore I purchased the best thermal paste available at the moment, the IC Diamond 7 Carat – you can find a small syringe on eBay for a few quid. Here’s what the syringe looks like:

[photo: IC Diamond 7 Carat syringe]

As the name suggests, the IC Diamond is a special thermal paste in that it contains 92% pure Diamond, which has a much better thermal conductivity than materials such as the silver used in other popular types of thermal paste like the Arctic Silver 5. Besides the great thermal conductivity, another great advantage of such a thermal paste is that it is not electrically conductive, so it’s not as risky to use as the silver based ones. Unfortunately though the IC Diamond is a very hard paste and it can be tricky to apply, especially on laptops where heatsinks are very light; I would likely recommend this kind of thermal paste more for desktop computers than for laptops for this very reason. On desktop computers, the best way of applying a thermal paste is to place a pea-size amount of paste on the middle of the CPU’s die, and let some heavy heatsink press and spread the paste evenly across most of the surface of the die… on laptops, due to the heatsinks being very light and due to the light pressure when they are fixed against the CPU, this technique would not work well, especially with such a hard thermal paste like the IC Diamond. Therefore in these cases, the easiest way is to just spread a small amount of paste manually across the surface of the die (I usually use an old credit card or something similar) until a very thin layer of paste covers the whole surface. This won’t ensure that no air bubbles will be produced between the CPU and the heatsink, but works fairly well in most cases. Alternatively, you may want to use something like the Arctic Cooling MX-4, which is another pretty efficient thermal paste (albeit not as efficient as the IC Diamond on paper) and is also not electrically conductive, plus it is a lot easier to apply than the IC Diamond.

If you are experiencing the same kind of heat-related issues with your own MBP, and want to try and reapply the thermal paste – provided you are well aware that this will virtually void the warranty, if any – I’d recommend you get some proper screwdrivers first. I don’t have any particular set of tools with me, but I usually use these screwdrivers that I got when I purchased the OWC SSD, and they are great for laptops (note the little bluish tool on the right, this is very useful with Apple’s ribbon cables):

[photo: screwdriver set]

The only problem I had when I disassembled my MBP was removing the battery: apparently Apple has again changed the screws used for the battery, and in my case I had to purchase a tri-wing screwdriver from Maplin like the one in the picture to be able to remove it:

[photo: tri-wing screwdriver]

I didn’t need any other tools, apart from some alcohol – I use Isopropanol – and some lint free cloth to properly clean both the CPU and the GPU after removing the old thermal paste and before reapplying the new one:

[photos: isopropanol bottle and lint-free cloth]

Besides tools, you obviously need to be a little patient and have steady hands if you go the same route and want to reapply the thermal paste. It’s not a really complicated operation, but – perhaps needless to say – you must be very careful. And did I mention that this will void your warranty, if any? (I warned you)

Before jumping to the results, here’s a few more pics of my laptop while I disassembled it, so that you can get an idea of what to expect from the inside if you have never opened a MBP – if you aren’t sure of how to remove the back cover of your MBP, please stop here 🙂

Inside

[photo: inside of the MBP]

You can see that my laptop was quite dusty inside. This is kinda important: because reapplying the thermal paste will void your warranty, I recommend you first try cleaning up all the dust, especially from the fans. If too much dust and dirt is preventing the regular air flow, you might be shocked to see the difference that just cleaning the fans can make with regards to the temperatures! In my case I saw a drop of 5C or even more just after cleaning the fans.

Dusty fans

[photo: dusty fans]

Fans after some cleaning

[photos: fans after cleaning]

The battery

[photo: battery]

Depending on the model it may be a bit annoying to remove and require a special screwdriver (a tri-wing in my case).

The logic board

[photo: logic board]

To reapply the thermal paste, you need to remove the logic board from the case of the laptop. It’s nothing complicated, but you do need to be careful with the small ribbon cables here and there.

Before…

[photos: CPU, GPU and heatsinks before cleaning]

This is how the CPU, the GPU and their heatsinks looked before cleaning up and reapplying the thermal paste. You can see what a ridiculously large amount of compound had been applied, and how poorly the application was made. No wonder both my CPU and GPU were choking due to the heat!

Spring cleaning…

[photo: CPU and GPU after cleaning]

And this is instead how the CPU/GPU (I forgot to take a pic of the heatsinks at this stage) looked after removing the old thermal paste and cleaning up properly with the Isopropanol. Funny… you can see that the CPU was so clean that the Apple logo of my iPhone – which I used to take the pictures – was reflected on its die!

After…

[photo: CPU and GPU with the new thermal paste applied]

Finally, this is how the chips looked after carefully applying the new thermal paste with a credit card. It’s definitely not my best application, but the IC Diamond was so hard! I would probably have used the Arctic Cooling MX-4 if I had known the IC Diamond was so difficult to apply. I don’t think I would have seen a massive difference between the two, after all, even though the theoretical difference would suggest otherwise.

Amazing results!

Reapplying the thermal paste can yield different results depending on various factors (how good the stock paste is, how well or badly it has been applied, which other thermal paste you want to replace it with, and how well you apply it). In my case, the results were pretty amazing!

Light load

As said earlier, the temperature of my CPU was most of the time at least 85C under light load or even at idle; under heavy load, the temperature would rise to 95C max and the system would then slow down badly due to CPU throttling. This is how my Activity Monitor looked most of the time:

You can see kernel_task and its ridiculously high CPU utilisation at a moment when I was just surfing the web with Safari (nothing else), and even with Flash disabled!

After reapplying the paste, everything changed: the average temperature of the CPU was always just above 50C – a drop of more than 30C! – with the same light load or even more (web browsing and a few more things running at the same time), and with the fans always running at the minimum speed of 2K RPM!

This is when the laptop is plugged in; when I use it on battery, I haven’t yet seen the temperature of the CPU go above 30C!

Heavy load

The difference is even more noticeable under heavy load. Before, when running some video encoding tasks with Handbrake, kernel_task would use up to 350% CPU, slowing down Handbrake a lot. Now, this is what I see after reapplying the thermal paste:

See kernel_task? It’s basically gone – it only appears from time to time for its normal work, but it no longer shows a ridiculously high CPU utilisation. Needless to say, the encoding is much, much faster now and, as you can see, it is Handbrake that uses the CPU! I can even do other things like web surfing or coding/testing at the same time, and everything works as it should. Before, I could basically forget about doing anything else while video encoding.

And look at the temperature! Video encoding is one of the most CPU intensive tasks, yet with the fans at 6K RPM I haven’t seen the CPU go above 80C.

This is a massive improvement. My laptop feels a lot snappier now, it almost feels like a CPU upgrade, and it is finally almost silent when I do anything other than video encoding. I am definitely happy about the improvement and would recommend the same “fix” to others who may be experiencing the same issues. It’s cheap, it doesn’t take longer than 30 minutes overall and you just need to be a little careful. Remember about the warranty though!

Faster Internet browsing with alternative DNS servers and a local cache

It is no secret to power Internet users that DNS resolution is one of the factors that most affect the performance of our Internet browsing, and sometimes even a very fast broadband connection can become a pain if a poor DNS service is used. DNS (which stands for “Domain Name System”) is a protocol which makes use of a networked database, plus a particular set of services for querying that database, with the main function of translating human-friendly, symbolic hostnames such as “www.google.com” into the numerical addresses (IP addresses) of the machines hosting a website or service accessible from the Internet or, generally speaking, a typical network. Fast DNS servers usually make for a better user experience thanks to faster Internet browsing, even with today’s fast broadband services. With today’s media-rich websites, social networks and content mashups, in fact, each time a web page is downloaded chances are that the page contains references to images or other content hosted on several different hosts, and therefore accessible from different hostnames / domain names. While sometimes developers make this happen on purpose so that browsers can benefit from parallel downloading (see Steve Souders’ famous 14 rules for faster loading web sites), since each hostname requires a trip to the DNS server, even just a few different hostnames can negatively affect the overall page loading time if a poorly performing DNS server is used.

ISPs usually offer their own free DNS together with their Internet connectivity service; this is what most people normally use, and in many cases this may be just fine. However, the DNS service offered by ISPs is often poor when it comes to performance. Luckily, nowadays there are quite a few alternative, more specialised DNS services which are also freely available and that usually offer either improved performance (thanks to smarter caching and a generally better setup/design) or additional features that go beyond simple DNS resolution but that make use of DNS: most importantly, improved security with filters at DNS level that prevent users from reaching known malicious sites, protecting them against phishing and other threats. Some of these free services only promise to deliver better performance, such as Google Public DNS and DNS Advantage by UltraDNS, while others – such as Norton DNS or Comodo Secure DNS – focus mainly on the security benefits of having active filtering at DNS level.

Then, among the more popular ones, there is also OpenDNS, which does it all. This was likely the first specialised DNS service, and it remained basically the only one of its kind for a while, until several others spotted the significant potential of DNS-based services as well as new revenue opportunities. OpenDNS and others offer most of their services for free, while making money with “premium” services with additional features, as well as through NXDOMAIN hijacking: when a request is made for an unresolvable domain name, the browser won’t show the usual, expected error message; instead, as OpenDNS intercepts and processes the request, it detects that the domain name cannot be resolved (or that the actual website isn’t loading at the time) and by default redirects the user to its OpenDNS Guide page with search results based on the mistyped or wrong domain name… plus some lovely ads, of course. This is a somewhat clever trick that makes them some decent money, so it shouldn’t be surprising that others have copied it, competitors as well as many ISPs who can’t miss the opportunity to make some more money the easy way. However, this approach by ISPs has often been criticised, since while OpenDNS makes it pretty clear how they make money out of their free DNS service, most others do not.
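A quick way to tell whether the resolver you are using rewrites NXDOMAIN responses is to query a name that cannot exist and look at what comes back: an honest resolver answers with status NXDOMAIN and no A records, a hijacking one answers NOERROR with an address for its own search page. The POSIX shell snippet below is an added example, not code from the original post; it classifies the output of dig +noall +comments +answer. The function name hijack_verdict and the two sample dig outputs are constructed for the example, with 192.0.2.10 (an RFC 5737 documentation address) standing in for the hijacker's page.

```shell
#!/bin/sh
# Added example (not from the original post): classify a resolver's reply to a
# query for a name that cannot exist. The function name and the sample dig
# output below are constructed; 192.0.2.10 is an RFC 5737 documentation address.
#
# Live use against the resolver you want to check (OpenDNS here, as in the post):
#   dig +noall +comments +answer "nonexistent-$$.example.com" @208.67.222.222 | hijack_verdict

# Reads dig output on stdin and prints exactly one word:
#   clean       -> status NXDOMAIN and no answer records (resolver is honest)
#   hijacked    -> status NOERROR with A records for a name that cannot exist
#   unexpected  -> anything else (SERVFAIL, timeouts, truncated output)
hijack_verdict() {
    awk '
        # header line: ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242"
        /->>HEADER<</ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        # answer records follow ";; ANSWER SECTION:" until the next ";;" line
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && NF >= 5 && $4 == "A" { answers++ }
        END {
            if (status == "NXDOMAIN" && answers == 0)     print "clean"
            else if (status == "NOERROR" && answers > 0)  print "hijacked"
            else                                          print "unexpected"
        }'
}

# Constructed sample: an honest resolver's reply for a nonexistent name.
SAMPLE_HONEST=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com.    3600    IN    SOA    ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600'

# Constructed sample: a hijacking resolver answering NOERROR with its own "guide" page.
SAMPLE_HIJACKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
nonexistent-1234.example.com.    300    IN    A    192.0.2.10'

# Run both constructed samples through the classifier.
printf '%s\n' "$SAMPLE_HONEST"   | hijack_verdict   # clean
printf '%s\n' "$SAMPLE_HIJACKED" | hijack_verdict   # hijacked
```

Because the classifier keys on the status code and the presence of answer records rather than on a particular address, it works for any resolver; a "hijacked" verdict on a resolver you did not expect it from (an ISP resolver, for instance) is the cue to switch to one that returns honest NXDOMAIN answers, or to the local cache described further down.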

Out of the several DNS services around these days, OpenDNS still remains the most feature-rich of them all. Not only does it still offer the best DNS performance in many locations (as is the case for me in London, UK), it also offers quite a few other features that can be particularly useful when managing a network of computers or if you have small kids, thanks to security filtering and parental controls. If you are interested in these features, I recommend you create an account (it’s free!) and configure the appropriate settings for your network(s) through their excellent dashboard.

Regardless of which DNS server you use, it is still possible to improve your DNS experience, and thus your Internet browsing, a bit further by setting up a local DNS server to use as a cache. Some may argue that most operating systems and browsers already cache DNS query results locally, but while this is true, I have found that a local DNS server used as a cache still helps improve things, especially, of course, if this cache can also be shared with other clients in the same network (at home I use a local DNS cache as well as a caching proxy, Squid, to improve the overall browsing performance of my home clients).

Setting up a local DNS server is pretty easy and quick on Unix systems, provided you are familiar with the terminal. Here we’ll see how to do this on Snow Leopard, but it shouldn’t be too different on other Unix flavours once you have installed the DNS server we are going to use, BIND, with your package manager of choice (for Windows desktops there was once upon a time a simple DNS server called TreeWalk DNS, but the project seems to have been abandoned years ago and the website is currently listed as malicious by Norton for some reason).

BIND is already installed on Mac OS X, although it is switched off by default. For starters, to prevent users on remote systems from being able to access and control our local BIND server, we need to make sure that a secret key is used to explicitly grant privileges to a host. BIND requires a daemon called named to be running on the system, while the utility rndc takes care of the administration of this daemon with commands that will only work if the keys specified in the two configuration files /etc/named.conf and /etc/rndc.conf match.

It is possible to automate this little configuration and create a key file by executing the command

sudo rndc-confgen -a

Since BIND expects the key to be in /etc while the command above creates the key in /private/etc (at least on Snow Leopard 10.6.5), you can either

sudo mv /private/etc/rndc.key /etc/rndc.key

or

sudo vim /etc/named.conf

and change the line include "/etc/rndc.key"; to include "/private/etc/rndc.key"; (note that named.conf requires plain straight double quotes around the path).

Update: as reader David Glover reminds me in the comments, there is no need to move the file /private/etc/rndc.key to /etc/rndc.key since /etc is already a symlink to /private/etc; I can’t remember why I had done that while getting BIND to work on my system, but you should be able to safely skip that step. Thanks David.

Next, we need to tell BIND which DNS servers it has to forward any queries to that it cannot answer directly, either because they are for domain names not yet known locally or because the cached results have expired.

Open the file /etc/named.conf as sudo (unless you have it opened already from the previous step) with vim or your favourite editor, and add the following lines to the options section:

forwarders {
    208.67.222.222;
    208.67.220.220;
};

In this example, I am using OpenDNS’ servers, but you can use Norton’s public DNS (198.153.192.1, 198.153.194.1), Google Public DNS (8.8.8.8, 8.8.4.4), UltraDNS (156.154.70.1, 156.154.71.1) or whichever other DNS servers you prefer or that work best for you.

Now, depending on the version of OS X you are using, you may or may not need to create the following – just skip this if you already have the folder /System/Library/StartupItems/BIND.

sudo mkdir -p /System/Library/StartupItems/BIND
sudo nano /System/Library/StartupItems/BIND/BIND

Copy the following lines in the file you’ve just created (unless it was already there), and save.

#!/bin/sh
. /etc/rc.common

if [ "${DNSSERVER}" = "-YES-" ]; then
    /usr/sbin/named
fi

Then make it executable

sudo chmod +x /System/Library/StartupItems/BIND/BIND

In the same folder, create the file

sudo vim /System/Library/StartupItems/BIND/StartupParameters.plist

and copy the following lines in it:

{
    Description = "DNS Server";
    Provides = ("DNS Server");
    OrderPreference = "None";
    Messages =
    {
        start = "Starting BIND…";
        stop = "Stopping BIND…";
    };
}

By default, the DNS server is set not to start at boot. Let’s change that by opening the file

sudo vim /etc/hostconfig

and changing the content so that it contains the line

DNSSERVER=-YES-

Save, then either reboot or load BIND manually for the current session with

sudo /System/Library/StartupItems/BIND/BIND

At this stage BIND should be up and running, but it is not used yet. You will need to go to System Preferences > Network > Advanced > DNS, and replace all the current DNS servers with just 127.0.0.1 so that your local DNS server is used instead. To make sure this is working as expected, type in your terminal

scutil --dns

You should see an output similar to this:

DNS configuration
resolver #1
domain : config
nameserver[0] : 127.0.0.1
order   : 200000
....

Another thing that may be useful to know is how to flush the DNS cache should you need to do so for any reason:

sudo rndc -p 54 flush && dscacheutil -flushcache
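The steps above only add a forwarders list to named.conf. A caching resolver that is also reachable from outside the machine is an open resolver, which others can use to bounce traffic off and which widens the window for cache poisoning attempts, so the options section should also pin named to the loopback interface and limit recursion to local clients. The following POSIX shell script is an added example (not code from the original post, nor from BIND): it prints a complete options block for a caching-only forwarder with those restrictions, and includes a check that rejects a block which leaves recursion open or has no forwarders. The helper names write_options and check_options are hypothetical; listen-on, allow-query, allow-recursion, forward only and forwarders are standard named.conf statements, and named-checkconf is BIND's own configuration checker.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): print a complete
# "options" block for a caching-only forwarder that is reachable only from the
# local machine, and check a block for the two things that matter most:
# forwarders present, recursion not open to the world. The helper names
# write_options / check_options are hypothetical; the BIND options used are
# standard named.conf statements.

# Print an options block. Arguments: one or more forwarder IP addresses.
write_options() {
    printf 'options {\n'
    # Listen on loopback only and answer only local clients. A caching resolver
    # reachable from outside is an "open resolver": others can bounce traffic
    # off it, and the exposure widens the window for cache poisoning attempts.
    printf '    listen-on { 127.0.0.1; };\n'
    printf '    allow-query { localhost; };\n'
    printf '    allow-recursion { localhost; };\n'
    # "forward only": whatever is not in the cache goes to the forwarders;
    # never fall back to recursing from the root servers ourselves.
    printf '    forward only;\n'
    printf '    forwarders {\n'
    for ip in "$@"; do
        printf '        %s;\n' "$ip"
    done
    printf '    };\n'
    printf '};\n'
}

# Read an options block on stdin. Succeed (exit 0) only if it names at least
# one IPv4 forwarder and carries an allow-recursion statement that is not "any".
check_options() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*forwarders[[:space:]]*[{]' || return 1
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3};' || return 1
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*[{]' || return 1
    if printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*[{][[:space:]]*any[[:space:]]*;'; then
        return 1
    fi
    return 0
}

# Usage: generate the block with the OpenDNS addresses from the post and verify
# it. Then merge these lines into the existing options section of
# /etc/named.conf (named.conf allows a single options statement) and validate
# the whole file with:  named-checkconf /etc/named.conf
write_options 208.67.222.222 208.67.220.220 | check_options && echo "options block OK"
```

If you share the cache with other machines on your LAN, as the post mentions doing at home, widen listen-on to the LAN interface address and add your subnet (for example 192.168.1.0/24) to allow-query and allow-recursion rather than using any; the check above will still pass because it only refuses the fully open setting.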

You should now have and be using a local DNS cache and your Internet browsing should feel faster. Please let me know in the comments if this is the case for you as well or whether you see different results.