Connecting to the Amazon VPC using Vyatta Community Edition

January 18th, 2012

This article tries to explain how to set up VPN connectivity from your network to the Amazon VPC (Virtual Private Cloud). The Amazon Web Services cloud offering is really quite sophisticated, and it enables businesses to extend their traditional IT services to an environment with little to no financial commitment. So like most IT departments, I decided to get my feet wet in this new boom town, and I quickly realized that it would be so much nicer to manage the virtual servers and services much like I do today with all our other physical gear. The first time I tried this was almost a year ago and it really just wasn’t ready for prime time, and the options for connectivity were limited. They are still slim, but now there is a serious low-cost method for extending your network into the cloud. Initially I wanted to extend connectivity to the AWS cloud using our Cisco ASA; however, Amazon requires that, when using that style of connectivity, you exchange routes using BGP, which unfortunately wasn’t available as an option on our Cisco ASA5520. Digging around the net like usual pointed to many people that had some sort of solution working, but not enough information to get it working. I spent some time researching the options available, and landed on a low-cost solution using the community version of Vyatta.

What I used:

I’m going to make the assumption here that you have your Amazon AWS account created and enabled, and that you also have a working VMware ESXi environment.

Some Background

Amazon Virtual Private Cloud (Amazon VPC)

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a private, isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. With Amazon VPC, you can define a virtual network topology that closely resembles a traditional network that you might operate in your own datacenter. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

Amazon VPC Functionality

With Amazon VPC, you can:

  • Create an Amazon Virtual Private Cloud on AWS’s scalable infrastructure, and specify its private IP address range from any range you choose.
  • Divide your VPC’s private IP address range into one or more public or private subnets to facilitate running applications and services in your VPC.
  • Control inbound and outbound access to and from individual subnets using network access control lists.
  • Store data in Amazon S3 and set permissions such that the data can only be accessed from within your Amazon VPC.
  • Attach an Amazon Elastic IP address to any instance in your VPC so it can be reached directly from the Internet.
  • Bridge your VPC and your onsite IT infrastructure with an encrypted VPN connection, extending your existing security and management policies to your VPC instances as if they were running within your infrastructure.

Vyatta?

Vyatta’s open, software-based approach to networking has created a complete network OS that can connect and secure physical networks as well as virtual and cloud computing infrastructures. Vyatta software and appliances offer users a flexible, affordable alternative to proprietary, hardware-based routers, firewalls, VPN concentrators and intrusion prevention devices.

Vyatta can help you:
  • Affordably scale large BGP implementations
  • Keep your network safe with a stateful-inspection firewall
  • Securely connect remote offices with VPN
  • Scale from DSL to 10-Gbps with a single software package
  • Avoid costly proprietary networking upgrades
  • Run virtualized networking environments in Xen and VMware
  • Add networking and security to blade servers in your data center
  • Offer network-based managed security services
  • Add network redundancy regardless of vendor equipment
  • Build your own best-of-breed Branch office solution

Get Vyatta Up and Running

You need to download the Vyatta Community edition of the software; at the time of this writing Vyatta Core 6.3 was the most recent version. It comes in ISO format: just download it and save it to your local hard disk. From there you’ll want to upload it into your VMware ESXi host’s local datastore using the Datastore Browser.

From here, you’ll want to create a simple VM of type Other 2.6 Linux (32 bit), which has 512MB RAM, 2 network interface cards, and a 4GB hard disk. One network card should be on your outside or Internet VLAN, and the inside interface card should be on your internal network. Mount the ISO that you recently uploaded to your ESXi host’s datastore and then boot up the VM. The setup should look like this:

Once the ISO boots, it becomes ready, but is in the “live CD” mode and isn’t installed on the local disk. Log in with the userid vyatta and password vyatta.

Once logged in, type the following:

install-image

For the most part, all you need to do is accept the default answers and it will install it to the local hard disk you created.

Type:

shutdown

Shut down the VM, unmount the ISO from the vSphere Client and boot it back up.

Now you’ll want to configure the most basic network configuration so that you will be able to SSH into it and manage it outside of the vSphere Client.

Log in again using vyatta/vyatta, in my case eth0 is my external interface on the Internet, and eth1 is my internal interface. The following will be different for your situation, but here is what you need to do to get basic connectivity going:

configure
set interfaces ethernet eth0 address 207.182.253.60/27
set interfaces ethernet eth1 address 10.1.12.200/24
set protocols static route 0.0.0.0/0 next-hop 207.182.253.33
set protocols static route 10.1.0.0/16 next-hop 10.1.12.1
set service ssh
commit
save
exit

What I’ve done here is assigned the IP addresses to both the internal and external interfaces, set the default route to be our Internet router, and then routed our internal private address space at our internal router. I’ve also enabled the SSH service so you can now access it from something like a Putty SSH client.

Ok, so now SSH into it, your route table should look something like:

# ssh vyatta@10.1.12.200
Welcome to Vyatta
vyatta@10.1.12.200's password:
Linux vyatta 2.6.37-1-586-vyatta-virt #1 SMP Thu Jul 7 22:30:24 PDT 2011 i686
Welcome to Vyatta.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
Last login: Tue Jan 17 22:23:18 2012 from 10.1.12.30
vyatta@vyatta:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         207.182.253.33  0.0.0.0         UG        0 0          0 eth0
10.1.0.0        10.1.12.1       255.255.0.0     UG        0 0          0 eth1
10.1.12.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
207.182.253.32  0.0.0.0         255.255.255.224 U         0 0          0 eth0
vyatta@vyatta:~$

So at this point, the basics are there, and we can move onto the Amazon AWS VPC side of things.

Get VPC Up and Running

Before we start, here is a very simple network diagram to help explain things a little:

The next step is to get the Amazon side of things going. Log into your AWS Management Console and select the VPC tab. I’m going to keep things super simple here: I’ll be creating a VPC with Private Subnet Only and Hardware VPN Access.

I used these values:

Customer Gateway: use the Internet (public) IP address that you assigned to eth0, in my case 207.182.253.60

In the VPC section I am using: 10.20.0.0/16

In the Subnet section I am using: 10.20.1.0/24

It should look like this:

Hit the Create VPC button.

When completed, it will prompt you to Download Configuration, click the button.

For the Vendor, select Generic

This should save a text file to your computer with a filename something like vpn-0f90c14a.txt. You will need to convert it to Vyatta configuration format. To do the conversion, I found a great little website on the net that does all the heavy lifting; here is the URL you need to navigate to:

http://gen-vyatta-conf.fluxflex.com/en/index.html

Once there, for the IPSEC interface value, use eth0.

For Your Private network, use the network you chose for your internal network on eth1, in my case it was 10.1.12.0/24

For the VPC IP CIDR block, you use the /16 that was defined when you created the VPC in the AWS Management Console. In my case 10.20.0.0/16

Open up the text file you saved, and cut and paste all the text into the section that asks for the Configuration of Generic Customer Gateway, and hit the Generate button.

You will then need to save the Configuration for Vyatta information. I just copied it into my clipboard, and created a file using vi in the Vyatta SSH session.

I saved my file as /home/vyatta/vpc_config.txt and you can get it here: vpc_config.txt.

Now from the SSH prompt type the following:

configure
merge /home/vyatta/vpc_config.txt
commit
save
exit

Hopefully at this point, the Vyatta VPN subsystem will start up the connection to the Amazon VPC. You can validate PHASE_1 or IKE on the Vyatta system, by doing the following:

show vpn ike sa

This should show you if you have IKE security associations:

vyatta@vyatta:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
204.246.163.76                          207.182.253.60

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes128   sha1  2        no     1015    28800
    up     aes128   sha1  2        no     284     28800

Peer ID / IP                            Local ID / IP
------------                            -------------
204.246.163.77                          207.182.253.60

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes128   sha1  2        no     992     28800
    up     aes128   sha1  2        no     283     28800

vyatta@vyatta:~$

So now we have our PHASE_1 IKE SAs; let’s check for the IPsec SAs now:

show vpn ipsec sa

It should look something like:

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
204.246.163.76                          207.182.253.60

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     1.9K/1.9K      aes128   sha1  no     1059    3600    all
    2       up     0.0/0.0        aes128   sha1  no     849     3600    all

Peer ID / IP                            Local ID / IP
------------                            -------------
204.246.163.77                          207.182.253.60

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     1.7K/1.6K      aes128   sha1  no     1129    3600    all
    2       down   n/a            n/a      n/a   no     0       3600    all

vyatta@vyatta:~$

Notice that the second tunnel on peer 2 is down. This is OK and expected: Amazon has you create two VPN connections to them for when they do their system maintenance.

Ok, let’s make sure our BGP peer is also established:

show ip bgp summary

It should look something like:

vyatta@vyatta:~$ show ip bgp summary
BGP router identifier 207.182.253.60, local AS number 65000
RIB entries 1, using 64 bytes of memory
Peers 2, using 5048 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.253.17  4  7224     143     144        0    0    0 00:02:23        0
169.254.253.21  4  7224     142     143        0    0    0 00:02:20        0

Total number of neighbors 2

Fix the Gotcha

Before you go and spin up a server instance in your newly configured VPC, you will have to resolve a small gotcha. It took me a while, as when I first did this, I could NOT talk to the other side. The Amazon VPC is configured for tunnel mode and will only encrypt packets for networks that it learns from the BGP route exchange. In the default case above, your internal network subnet of 10.1.0.0/16 is not yet allowed to speak to 10.20.0.0/16 because you haven’t announced that route via BGP. You can see this by typing the following:

show ip bgp neighbors 169.254.253.17 advertised-routes

It returns the following information:

vyatta@vyatta:~$ show ip bgp neighbors 169.254.253.17 advertised-routes
BGP table version is 0, local router ID is 207.182.253.60
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          169.254.253.18           0         32768 i

Total number of prefixes 1
vyatta@vyatta:~$

You will notice that we are only announcing a default route, which in our case won’t allow any VPC instance to talk back to us on the internal network of 10.1.0.0/16 and in our very specific case 10.1.12.0/24. To correct this, you will need to do the following:

configure
set protocols bgp 65000 network 10.1.0.0/16
commit
save
exit

Now when we have a look at the advertised routes, we should see our internal network being advertised to the Amazon VPC VPN.

show ip bgp neighbors 169.254.253.17 advertised-routes

It returns the following information:

vyatta@vyatta:~$ show ip bgp neighbors 169.254.253.17 advertised-routes
BGP table version is 0, local router ID is 207.182.253.60
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          169.254.253.18           0         32768 i
*> 10.1.0.0/16      169.254.253.18           0         32768 i

Total number of prefixes 2
vyatta@vyatta:~$
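The two checks above (at least one IPsec tunnel up per Amazon peer, and the internal prefix actually present in the advertised routes) are exactly what you want a monitoring job to confirm after every commit, because the gotcha shows that "VPN up" and "VPC reachable" are different things. The following is an added example written for this article, not code from the post, from Vyatta or from Amazon: a Python parser for the `show vpn ipsec sa` and `show ip bgp neighbors ... advertised-routes` output shown above, with a health check that flags a peer with no tunnel up and an internal prefix that is not being advertised. The sample inputs are the page's own session output; the `IPSEC_BOTH_DOWN` variant is constructed here to show the case worth alerting on. Run it over `ssh vyatta@<router> 'show ...'` output in practice.

```python
import re

# Sample output copied from the page's `show vpn ipsec sa` session.
IPSEC_SA_OUTPUT = """\
vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
204.246.163.76                          207.182.253.60

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     1.9K/1.9K      aes128   sha1  no     1059    3600    all
    2       up     0.0/0.0        aes128   sha1  no     849     3600    all

Peer ID / IP                            Local ID / IP
------------                            -------------
204.246.163.77                          207.182.253.60

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     1.7K/1.6K      aes128   sha1  no     1129    3600    all
    2       down   n/a            n/a      n/a   no     0       3600    all
"""

# Constructed variant (not from the page): peer 204.246.163.77 with both tunnels down.
IPSEC_BOTH_DOWN = IPSEC_SA_OUTPUT.replace("1       up     1.7K/1.6K", "1       down   n/a      ")

# The page's advertised-routes output before and after `set protocols bgp 65000 network 10.1.0.0/16`.
BGP_BEFORE = """\
vyatta@vyatta:~$ show ip bgp neighbors 169.254.253.17 advertised-routes
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          169.254.253.18           0         32768 i

Total number of prefixes 1
"""
BGP_AFTER = """\
vyatta@vyatta:~$ show ip bgp neighbors 169.254.253.17 advertised-routes
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          169.254.253.18           0         32768 i
*> 10.1.0.0/16      169.254.253.18           0         32768 i

Total number of prefixes 2
"""

PEER_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})$")
TUNNEL_LINE = re.compile(r"^(\d+)\s+(up|down)\b")
ADVERTISED_LINE = re.compile(r"^\*>\s+(\S+)\s+(\S+)")


def parse_ipsec_sa(text):
    """Map each peer IP to its list of (tunnel number, state) from `show vpn ipsec sa`."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_LINE.match(line)
        if m:                      # "peer-ip   local-ip" line starts a new peer block
            current = m.group(1)
            peers[current] = []
            continue
        m = TUNNEL_LINE.match(line)
        if m and current is not None:
            peers[current].append((int(m.group(1)), m.group(2)))
    return peers


def parse_advertised_routes(text):
    """Set of prefixes marked valid/best (*>) in `show ip bgp neighbors X advertised-routes`."""
    prefixes = set()
    for line in text.splitlines():
        m = ADVERTISED_LINE.match(line)
        if m:
            net = m.group(1)
            # Quagga prints the default route as a bare 0.0.0.0; normalise it.
            prefixes.add("0.0.0.0/0" if net == "0.0.0.0" else net)
    return prefixes


def check_vpc_health(ipsec_text, bgp_text, internal_prefix):
    """Return a list of findings; an empty list means the VPN is usable end to end."""
    findings = []
    peers = parse_ipsec_sa(ipsec_text)
    if not peers:
        findings.append("no IPsec peers found")
    for peer, tunnels in peers.items():
        # One tunnel down on a peer is normal (the page's expected maintenance case);
        # no tunnel up at all means that peer is unreachable.
        if not any(state == "up" for _, state in tunnels):
            findings.append(f"peer {peer}: no IPsec tunnel is up")
    if internal_prefix not in parse_advertised_routes(bgp_text):
        findings.append(f"internal prefix {internal_prefix} is not advertised to the VPC via BGP")
    return findings


if __name__ == "__main__":
    for label, bgp in (("before fix", BGP_BEFORE), ("after fix", BGP_AFTER)):
        print(label, check_vpc_health(IPSEC_SA_OUTPUT, bgp, "10.1.0.0/16") or ["ok"])
    print("both tunnels down", check_vpc_health(IPSEC_BOTH_DOWN, BGP_AFTER, "10.1.0.0/16"))
```

The check deliberately treats "one tunnel down" as healthy, matching what the post says Amazon expects, and only alerts when a peer has lost both; the BGP half catches the gotcha described above, where the tunnels are up but nothing but a default route is being announced.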

From the Amazon Management Console, if you select the VPC tab and then click the VPN Connections link on the left, it should look something like:

Spin up your first instance in your VPC

Now it’s time to get something running on the other side. This blog posting assumes you already know how to do this, so I’ll just show you what to expect. Select the EC2 tab in your AWS Management Console and click the Launch Instance button:

I’m just going to pick something simple to demonstrate connectivity:

We’ll just use a 32bit basic Amazon Linux instance:

Amazon makes a “small” instance the minimum for launching in a VPC, so you’ll need to use at least that size. You will also need to select the VPC radio button and choose the subnet to be used for the instance.

The defaults are fine for the next screen as we are just using this for demonstration purposes. If you leave the IP address blank, Amazon provides the instance with an IP from that subnet via DHCP.

Just click continue on the next screen:

And finally choose your Key Pair and click continue:

For this example, the Security Group defaults are fine as well, so click continue:

Ok, you should be ready to Launch:

Once the instance has spun up, you should be able to see that it is inside your new VPC and has been assigned an IP address out of the VPC subnet you previously defined.

Now you should be able to connect to it via SSH:

vyatta@vyatta:~$ ssh -i vantagemedia-west.pem ec2-user@10.20.1.244

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

See /usr/share/doc/system-release/ for latest release notes.
[ec2-user@ip-10-20-1-244 ~]$

Adjusting the Security Group

One thing you may choose to do is enable PING, and to do so you need to modify the Security Group. Go to your EC2 tab, select Security Groups on the left, and highlight the quick-start-1 security group that you created above. Down below, select the Inbound tab and add a Custom ICMP rule, where the Type is Echo Request and the Source is 10.1.0.0/16. Click Add Rule, and then click Apply Rule Changes:

You should now be able to ping the instance.

vyatta@vyatta:~$ ping 10.20.1.244
PING 10.20.1.244 (10.20.1.244) 56(84) bytes of data.
64 bytes from 10.20.1.244: icmp_req=1 ttl=62 time=10.7 ms
64 bytes from 10.20.1.244: icmp_req=2 ttl=62 time=10.7 ms
64 bytes from 10.20.1.244: icmp_req=3 ttl=62 time=10.7 ms
^C
--- 10.20.1.244 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 10.710/10.743/10.783/0.123 ms
vyatta@vyatta:~$

HIS IceQ Radeon HD 6870 Review

December 4th, 2011

This is a review of the HIS 6870 IceQ 1GB GDDR5 PCI-E HDMI/2xDVI/2xMini DP video card. This is my second HIS video card, as my first was a HIS HD 5770. Before I get into the details, I figured some of you will just want the summary:

Summary

Overall this is a great video card, and I definitely recommend that you buy it! Amazingly quiet, and the price for performance on this card can’t be beat!

Pros:

- Blazing fast graphics! You can play Battlefield 3 at Ultra settings using 1920 x 1280 resolutions!

- Eyefinity support: I ran with three monitors (20″ – 28″ – 20″) and this adds a completely new gaming experience!

- This card is amazingly quiet!

Cons:

- This card is long; be sure you check your case dimensions, as for my case, the Antec Sonata III 500, it was a tight fit.

- Three monitor setup would not allow me to use the HDMI port and the two DVI ports, only the mini display port and two DVI ports.

- Had to buy another mini display port to DVI adapter.

Review

I decided it was time to upgrade my video card as I wanted to play the new Battlefield 3 Video game! It’s not that my previous card was not working well it was, but I wanted to take it to the next level. My previous experience with HIS video cards was a very positive one. I purchased my first card by them almost a year ago on a Boxing Day sale from Memory Express. Since my current card was working so well, I decided to continue using the great products from HIS. Like many of you, I’m sure price per performance is a key factor, not all of us want to empty the wallet on the latest and greatest, and the HIS 6870 IceQ is the perfect bang for the buck video card model!

What’s In the Box:

What's in the box

  • HIS Graphics Card
  • CrossFireX™ Bridge
  • 2x Power Cable 2x 4pin in, 6 pin out
  • DVI-VGA Adapter
  • Install CD with Multilingual User Guide
  • Quick Installation Guide
  • HIS Power Up Label
  • DiRT® 3™ Redemption Coupon

Specs:

Model Name: HIS 6870 IceQ 1GB GDDR5 PCI-E HDMI/2xDVI/2xMini DP
Chipset Radeon: HD 6870 PCIe Series
ASIC: Radeon™ HD 6870 GPU
Manu.Process (Micron): 40nm
Memory Size (MB): 1024
Memory Type: GDDR5
Engine CLK (MHz): 900Mhz
Memory CLK (Gbps): 4.2Gbps
Memory Interface (bit): 256
Power Supply Requirement: 500 Watt or greater power
Max. Resolution: 2560*1600
Bus Interface: PCI Express x16
Mini Display Port: Yes
HDMI: Yes

My Experience:

Overall I am happy with this card. The installation was a bit difficult compared to my previous card, as this video card is much longer. In fact, I had to take some extra care to get this card installed as it is very long. The computer case I have is an Antec Sonata III 500, which I would consider a very popular case, so when I went to install this card, I found it to be a very tight fit. Be advised when you purchase this card to check the following dimensions: 13.8 x 4.6 x 28.7 cm (HxWxD), and make sure it’s going to fit for you.

Once I got the card physically installed, I went to hook things up. My setup includes three monitors, two Dell 20″, and one Viewsonic 28″. Unfortunately I couldn’t get the HDMI port to work at the same time as the DVI ports, it just isn’t a supported configuration, and that being said, I needed to purchase an active mini display port to DVI adapter cable to get all three monitors working at the same time. HIS has switched from the full size display port connector, to a mini display port connector, so I needed to purchase another adapter cable. On the plus side however, they include 2 mini display ports so you can connect up to 4 displays! Once the monitors were connected I found that I needed to uninstall my previous drivers, and to install the latest and greatest from the HIS website. Windows 7 recognized everything as you’d expect, and using the Catalyst Control Panel was very easy and intuitive to get my three monitors working just as I wanted.

Once things are configured correctly, this card just works. I next installed the PC version of Battlefield 3. The installation went flawlessly and the game recognized and used the video card perfectly. I was able to configure and play using 1920 x 1080 at Ultra settings! The gaming detail and fluid frame rates of this card make playing this game an awesome experience! If you are into any sort of game playing, this card will not disappoint! My second test for this card was to set up Eyefinity. For some, you may not know what this is. Essentially, if you have more than one monitor, you can configure the monitor software to extend the game’s playing screen across all of your monitors. In my case, I have my Viewsonic 28″ monitor in the middle, and on each side I have a 20″ Dell monitor. When configured with Eyefinity, I can have my central play view on the big 28″ monitor, and see to my left and right in the game without moving my mouse, only my head! The reality that this brings to a game is second to none, and if you have more than one monitor, this is just a must have!

I’m not going to go into benchmarking this card, as there are many sites that already do this. This review is from the point of view of a user, and most of us just want a card we can rely on, and something that just works out of the box. This card definitely does that, and you won’t be disappointed when you buy this card.

Where to buy:

You can buy the HIS HD 6870 card through Amazon.

You can also buy this at Tiger Direct.

Solving a Microsoft Communicator Address Book Syncing Issue

October 21st, 2011

I have a problem with systems that are using Microsoft Communicator 2007, where they are unable to synchronize the address book. This of course makes searching for contacts nearly impossible and is quite annoying. I Googled around and found all sorts of people with similar issues, but it appears the same symptom can be caused by many things. I’m going to describe what I did to fix my particular situation.

A really important detail in my situation is that this was only affecting users on computers that were not part of our Active Directory domain, such as a personal PC at home. They would install Microsoft Communicator, connect to the VPN and sign in, and they would get connected; however, there would be a little red exclamation point in the top right of the Communicator GUI that looks like this:

Communicator Error 1

When you select the twisty, you’ll see an error message that says “Cannot Synchronize Address Book”.

When you select the menu item Cannot Synchronize Address Book you would get the following error dialog box:

Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator.

The issue of course is you can not search for people from the global address book and are forced to add them manually.

For my particular situation, the problem was actually with the SSL certificate. Specifically, the client computer cannot get to the CRL (Certificate Revocation List) URL. For whatever reason (I’m still not sure why yet), the default URL for the CRL used HTTP instead of HTTPS. The IIS virtual web on our Microsoft Certificate Authority server listens on port 80 just fine, but anything you request from it just returns:

The page must be viewed over a secure channel

The page you are trying to access is secured with Secure Sockets Layer (SSL).

Please try the following:

  • Type https:// at the beginning of the address you are attempting to reach and press ENTER.

HTTP Error 403.4 – Forbidden: SSL is required to view this resource.
Internet Information Services (IIS)

Technical Information (for support personnel)

  • Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
  • Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Secure Sockets Layer (SSL), and About Custom Error Messages.

Work around

Ok, I have a solution I will post a bit further down, but for those who don’t have control of the CA IIS configuration, here is a workaround. Before you complain: what I am suggesting affects things globally on your computer. By default Windows is configured to stop when it cannot reach the CRL, so what we need to do is tell it not to. You do this from Internet Explorer:

  1. Go to Internet Options
  2. Select the Advanced Tab
  3. Scroll down to the Security section, and then uncheck: “Check for server certificate revocation”.
  4. Close IE
  5. Exit out of Microsoft Communicator
  6. Start Microsoft Communicator

At this point if your problem is the same one I had, then the red exclamation should go away and you should have downloaded the address book and be able to search contacts by name.

My Solution

What I decided to do was to have the IIS server on the Microsoft Certificate Authority server issue a redirect for all HTTP requests, i.e. http://yourcahostname -> https://yourcahostname

In order to do this I located the Default Web Site on the IIS server on our CA, and then changed the non SSL port from 80 to 8888.

Then I created a dummy virtual web site called “https redirect” and had it listen on port 80. Under the Home Directory tab I changed the content to “A redirection to a URL”, put in https://yourcahostname and then checked “A permanent redirection for this resource”.

Now when your SSL certificate tells the computer to go to the HTTP CRL URL, it will get a 302 redirect to the HTTPS CRL URL and things should just work.

Long Term Solution

We have many certificates that we created that have this incorrect CRL URL, and I’m not about to go and change all of them, but for now the above solution achieves what I was looking for, which was to get rid of the red exclamation point error and to allow me to synchronize with the corporate address book.
I did find a Microsoft article that tells you how to change the CRL URL list and that will be the long term solution, so that any new certificates I create internally and sign with our CA will have the CRL URL that uses the proper HTTPS URL reference to our CA.
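Before deciding which certificates need the new CRL URL list, it helps to see exactly which CRL URLs each certificate carries, since that URL is what every client (including the non-domain PCs over the VPN) must reach for the revocation check to pass. The following is an added example written for this article, not code from the post or from Microsoft: a dependency-free Python DER walker that pulls the URIs out of a certificate's cRLDistributionPoints extension (OID 2.5.29.31) and lists the plain-HTTP ones, which are the requests that land on the CA web server's port 80 listener and get the 403.4 page shown above. The `yourcahostname` host comes from the post; the `CertEnroll/PLACEHOLDER-CA.crl` path and the sample input (a hand-built DER fragment with the extension nesting of a real certificate, not a real certificate) are constructed here for the demonstration.

```python
import base64
import re

CRL_DP_OID = b"\x55\x1d\x1f"   # DER value of OID 2.5.29.31 (cRLDistributionPoints)


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos).
    Single-byte tags are all that X.509 certificates use."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(data):
    """Split a constructed value into its immediate (tag, value) children."""
    out, pos = [], 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        out.append((tag, value))
    return out


def _walk(data):
    """Yield every (tag, value) in data, depth first, descending into constructed types."""
    for tag, value in _children(data):
        yield tag, value
        if tag & 0x20:                                 # constructed bit set
            yield from _walk(value)


def pem_to_der(pem_text):
    """Decode a Base64 (PEM) certificate, e.g. one exported from the Windows cert store."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def crl_distribution_urls(der):
    """All URI GeneralNames inside the certificate's cRLDistributionPoints extension."""
    urls = []
    for tag, value in _walk(der):
        if tag != 0x30:                                # Extension ::= SEQUENCE { extnID, [critical], extnValue }
            continue
        kids = _children(value)
        if not kids or kids[0] != (0x06, CRL_DP_OID):
            continue
        ext_value = next(v for t, v in kids if t == 0x04)   # extnValue OCTET STRING holds DER
        for t, v in _walk(ext_value):
            if t == 0x86:                              # GeneralName [6] uniformResourceIdentifier (IA5String)
                urls.append(v.decode("ascii"))
    return urls


def plain_http_crl_urls(der):
    """CRL URLs that will be fetched over plain HTTP, i.e. the CA's port 80 listener."""
    return [u for u in crl_distribution_urls(der) if u.lower().startswith("http://")]


def _tlv(tag, content):
    """Minimal DER encoder used only to construct the sample input below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_extension_blob(url):
    """Constructed test input: cRLDistributionPoints wrapped in the SEQUENCE / [3] nesting a
    certificate uses. Not a valid certificate, just enough structure to exercise the extractor."""
    general_name = _tlv(0x86, url.encode("ascii"))           # [6] URI
    full_name = _tlv(0xA0, general_name)                      # DistributionPointName.fullName [0]
    dist_point = _tlv(0x30, _tlv(0xA0, full_name))            # DistributionPoint { distributionPoint [0] }
    crl_dps = _tlv(0x30, dist_point)                          # CRLDistributionPoints ::= SEQUENCE OF
    extension = _tlv(0x30, _tlv(0x06, CRL_DP_OID) + _tlv(0x04, crl_dps))
    extensions = _tlv(0xA3, _tlv(0x30, extension))            # [3] Extensions
    return _tlv(0x30, _tlv(0x30, extensions))                 # Certificate { tbsCertificate { ... } }


# Constructed placeholder URL; a real Microsoft CA publishes under its own CertEnroll path.
SAMPLE_DER = build_sample_extension_blob("http://yourcahostname/CertEnroll/PLACEHOLDER-CA.crl")

if __name__ == "__main__":
    print("CRL URLs:", crl_distribution_urls(SAMPLE_DER))
    print("plain HTTP:", plain_http_crl_urls(SAMPLE_DER))
```

To run it against a real certificate, export it as Base64-encoded X.509 and call `crl_distribution_urls(pem_to_der(open(path).read()))`; each URL returned is one the client must be able to fetch, so checking them from a non-domain machine over the VPN is the quickest way to tell whether a given certificate will trip the error above.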

Here is the URL: http://support.microsoft.com/kb/232161

Adding GoDaddy Intermediate Certificates to Java JDK

March 16th, 2011

Recently we had an issue with one of our applications that was trying to post data via SSL to a provider whose certificate was signed by GoDaddy. It turns out the certificate was signed by their Intermediate CA. The JDK 1.6.0U24 we were using did not have these intermediate CAs in the local key store, so we were seeing the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I did some Googling and came up with a recipe for importing these certificates into the local store.

First you need to download the two intermediate certificates from GoDaddy. You can get them here: https://certs.godaddy.com/anonymous/repository.seam

The two you need are:

gd_cross_intermediate.crt
Go Daddy Secure Server Certificate (Cross Intermediate Certificate)

gd_intermediate.crt
Go Daddy Secure Server Certificate (Intermediate Certificate)

Download these two files to a directory on your Linux server.

The following is a script you can run to import the intermediate certificates:
import_gd.sh

#!/bin/sh
# Import both GoDaddy intermediates into the JDK trust store; -noprompt skips the "Trust this certificate?" question.
export JAVA_HOME=/usr/java/default
$JAVA_HOME/bin/keytool -import -noprompt -trustcacerts -alias cross -file ./gd_cross_intermediate.crt -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts
$JAVA_HOME/bin/keytool -import -noprompt -trustcacerts -alias root -file ./gd_intermediate.crt -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts

I ran it here:

[root@webserver]# sh ./import_gd.sh
Certificate was added to keystore
Certificate was added to keystore


Amazon Kindles out of stock for Christmas 2010 in Canada

November 28th, 2010

I guess in some ways it’s a good problem to have if you are Amazon, but apparently the latest generation of the Kindle WiFi is already out of stock for the 2010 Christmas season! I just tried to order one online and this is what I saw!

Out of stock Kindle

Now I’m from Canada, but it’s hard to believe that the folks at Amazon could make such a blunder at one of the biggest shopping times of the year. Any time there is a Kindle stock shortage it can’t be good, but apparently the US version of the Kindle WiFi is in stock and shipping to US customers. I guess they wanted to give first dibs on the remaining stock of readers to US customers. Once again, Canada is in second class.

It kind of makes sense, as we already bought our Second edition reader last Christmas and we just love it, and this year my Dad wanted to buy my Mom one. With all sorts of age demographics wanting this latest technology trend, it’s no wonder that they have run out of stock.


We decided on getting a nice little case for it as well, and it comes with a light for when you want to read your favorite book just before bed!

At any rate, the current estimated shipping date is late January, but like me, most folks will just suck it up and place their order and wait. I guess my mom is getting a nice little color printout of what her Kindle will look like instead of the real thing.

Some of the key differences with the new Kindle are:

  • All-New, High-Contrast E Ink Screen – 50% better contrast with latest E Ink Pearl technology
  • Read in Bright Sunlight – No glare
  • New and Improved Fonts – New crisper, darker fonts
  • New Sleek Design – 21% smaller body while keeping the same 6″ size reading area
  • 17% Lighter – Only 8.5 ounces, weighs less than a paperback
  • Battery Life of Up to One Month – A single charge lasts up to one month with wireless off
  • Double the Storage – Up to 3,500 books
  • Built-In Wi-Fi – Shop and download books in less than 60 seconds
  • 20% Faster Page Turns – Seamless reading
  • Enhanced PDF Reader – With dictionary lookup, notes, and highlights
  • New WebKit-Based Browser – Browse the web over Wi-Fi (experimental)
