
Archive for Doku

Build a list of IP addresses to use for a pfSense URL Table alias

December 7, 2017 | Computer Stuff, Doku

Since AnyDesk is not willing or able to provide a list of the IP addresses of their relay hosts, and I wanted to test how URL Table aliases in pfSense work, I built this no-brainer one-liner, which I call via cron every ten minutes.
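As an added example (mine, not the author's one-liner, which is not reproduced here), the same idea in Python: resolve a list of hostnames, normalise the result into the one-address-or-CIDR-per-line format a URL Table alias fetches, and refuse to publish an empty list after a DNS hiccup. The hostnames and the output path are placeholders.

```python
"""Assemble a pfSense URL Table alias file from a list of hostnames (added example)."""
import ipaddress
import socket

# Placeholder names: AnyDesk publishes no relay list, so the real names or addresses
# have to come from your own connection logs. The .invalid TLD never resolves.
RELAY_HOSTS = ["relay-1.example.invalid", "relay-2.example.invalid"]
ALIAS_FILE = "/var/www/html/anydesk.txt"   # placeholder; pfSense fetches it over HTTP

def resolve_all(hosts):
    """Return every A/AAAA address behind the given names; unresolvable names are skipped."""
    found = []
    for host in hosts:
        try:
            found += [info[4][0] for info in socket.getaddrinfo(host, None)]
        except socket.gaierror:
            continue
    return found

def to_url_table(entries):
    """Normalise raw entries into the alias format: one IP or CIDR per line, unique, sorted.

    Anything that is not an address or a network (e.g. a CNAME target that leaks
    out of 'dig +short') is dropped so the alias only ever contains loadable lines.
    """
    nets = set()
    for raw in entries:
        try:
            nets.add(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            continue
    lines = []
    for net in sorted(nets, key=lambda n: (n.version, n)):
        # single hosts as bare addresses, everything else in CIDR notation
        lines.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
    return "\n".join(lines) + ("\n" if lines else "")

if __name__ == "__main__":
    body = to_url_table(resolve_all(RELAY_HOSTS))
    if body:  # never replace a working allow list with an empty file
        with open(ALIAS_FILE, "w") as fh:
            fh.write(body)
```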

simple site to site VPN with pfSense and OpenVPN

July 14, 2017 | Computer Stuff, Doku

I just had to set up a simple site to site VPN between a site with a fixed IP (SITE-B) and a site with a dynamic IP (SITE-A). Both routers are running the ‘Community Edition’ of pfSense and are installed on PC Engines APU.1C4. I have followed the documentation at pfSense.org about how to configure a Site To Site VPN with OpenVPN to get the VPN up and running. Because some things aren’t documented there I will put up my own HowTo here. Please do yourself a favour and read the documentation at pfsense.org first because it explains things in more detail than I will do here.

site to site openvpn schema

This HowTo will guide you through the setup of:

  • An IPv4 ‘Site To Site VPN’ with OpenVPN on the pfSense platform (2.3.4 at time of writing) as seen in the schema above with the specific settings for the PC Engines APU hardware platform.
  • The client will autoconnect to the server and (in the event of disconnection) reconnect automatically.
  • The authentication between the client and the server will happen automatically via pre-shared key.

Sources:


Configure the OpenVPN server on SITE-B router

  • Navigate to ‘VPN – OpenVPN’

SITE-B VPN- OpenVPN server list

  • On the ‘Servers‘-Tab click on the ‘+ Add‘-button to add a new server

SITE-B openvpn server configuration

  • In the ‘General Information‘-section:
    • Disable this server: ☐
    • Server mode: Peer to Peer (Shared Key)
    • Protocol: UDP
    • Device Mode: tun
    • Interface: set it to whatever external interface you want your OpenVPN server to listen on. In my case this is ‘WAN’.
    • Local port: set it to the port you want the local OpenVPN server to listen on. Default is ‘1194’.
    • Description: set an appropriate description, e.g. ‘Site_To_Site-SITE-A_SITE_B’
  • In the ‘Cryptographic Settings‘-section:
    • Automatically generate a shared key: 🗹
    • Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    • Auth digest algorithm: RSA-SHA512 (512-bit)
    • Hardware Crypto: No Hardware Crypto Acceleration (this is PC Engines APU specific, if your hardware has crypto support – enable it)
  • In the ‘Tunnel Settings‘-Section:
    • IPv4 Tunnel Network: 10.4.10.0/30 (this is a very small subnet with two usable IP addresses, since there is only one server and one client)
    • IPv6 Tunnel Network: leave empty
    • IPv4 Remote network(s): 10.3.2.0/24 (this is a comma separated list for all the networks you want to connect to on the client side (SITE A))
    • IPv6 Remote network(s): leave empty
    • Concurrent connections: 1
    • Compression: Enabled with Adaptive Compression
    • Type-of-Service: ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
    • Duplicate Connection: ☐ Allow multiple concurrent connections from clients using the same Common Name
    • Disable IPv6: 🗹 Don’t forward IPv6 traffic
  • In the ‘Advanced Configuration‘-section:
    • Custom options: leave empty
    • Verbosity Level: default
  • Click on ‘Save‘-button

You should now be forwarded to the list of your configured OpenVPN servers under ‘VPN – OpenVPN’ on the ‘Servers’-tab.

SITE-B vpn openvpn server list edit button

  • Click on the ‘Edit‘-button (the pencil) and leave this window open because we will need to copy the ‘Shared Key‘ from this form later.


Configure the OpenVPN client on SITE-A router

  • Navigate to ‘VPN – OpenVPN’

SITE-A vpn openvpn client list

  • Click the ‘Clients‘-tab
  • On the ‘Clients‘-tab click the ‘+ Add‘-button to add a new OpenVPN client

SITE-A vpn openvpn client configuration

  • In the ‘General Information’-section:
    • Disable this client: ☐
    • Server mode: Peer to Peer (Shared Key)
    • Protocol: UDP
    • Device mode: tun
    • Interface: set to whatever external interface you want your OpenVPN client to use to connect to the OpenVPN server at SITE-B. In my case this is ‘WAN’.
    • Local port: leave empty
    • Server host or address: Set to the FQDN or IP address of the external SITE-B Interface. In this example it is ‘site-b.site-b.de‘.
    • Server port: Set to the same port you have set in the server setup at SITE-B. Default is ‘1194‘.
    • : leave empty
    • : leave empty
    • : none
    • Infinitely resolve server: 🗹
    • Description: set an appropriate description, e.g. ‘Site_To_Site-SITE-A_SITE_B’
  • In the ‘Cryptographic Settings‘-section:
    • Peer Certificate Authority: nothing to do here
    • Peer Certificate Revocation list: nothing to do here
    • Automatically generate a shared key: ☐ – This will display a form field in which you can paste the key from the SITE-B server configuration.

Go back to the SITE-B router. If you haven’t left the window open, navigate to ‘VPN – OpenVPN’, select the ‘Servers’-tab and click on the ‘Edit’-button (the pencil) next to the server you created earlier.

SITE-B vpn openvpn server config - copy the key

  • In the ‘Cryptographic Settings‘-section:
    • Copy everything from the ‘Shared key‘-field into your clipboard

Return to SITE-A OpenVPN client configuration

SITE-A vpn openvpn client configuration

  • In the ‘Cryptographic Settings‘-section:
    • Paste the contents of your clipboard into the ‘Key‘-field
    • Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    • Auth digest algorithm: RSA-SHA512 (512-bit)
    • Hardware Crypto: No Hardware Crypto Acceleration (this is PC Engines APU specific, if you have hardware crypto – enable it)
  • In the ‘Tunnel Settings‘-section:
    • IPv4 Tunnel Network: 10.4.10.0/30
    • IPv6 Tunnel Network: leave empty
    • IPv4 Remote network(s): 10.4.2.0/24 (this is a comma separated list of all the networks you want to connect to on the server side (SITE B))
    • IPv6 Remote network(s): leave empty
    • Limit outgoing bandwidth: Set to whatever will fit your situation
    • Compression: Enabled with Adaptive Compression
    • Type-of-Service: ☐ Set the TOS IP header value of tunnel packets to match the encapsulated packet value
    • Disable IPv6: 🗹 Don’t forward IPv6 traffic
    • Don’t pull routes: ☐ Bars the server from adding routes to the client’s routing table
    • Don’t add/remove routes: ☐ Don’t add or remove routes automatically
  • In the ‘Advanced Configuration‘-section:
    • Custom options: leave empty
    • Verbosity Level: default
  • Click on ‘Save‘-button


Assign an interface to the OpenVPN server on SITE-B

  • Navigate to ‘Interfaces – (assign)’

assign an interface

You will get a list of interfaces with a dropdown at the bottom labeled ‘Available network ports’.


  • Set ‘Available network ports’ to ‘ovpns1 (your chosen description of your VPN)’
  • Click the ‘+ Add‘-button on the right

This will add a new interface named ‘OPT<number>’ to the list.

site-b interfaces assign

  • Click on ‘Save’-button

site-b interfaces assign

  • Click on the name of the newly generated interface on the left (usually the one with the highest trailing number)

This will open up the configuration for the interface which you have assigned to the OpenVPN server on SITE-B.

site-b interfaces if_opt1

  • In the ‘General Configuration‘-section
    • enable interface: 🗹
    • Description: STS_OPENVPN_S
    • IPv4 Configuration Type: leave empty
    • IPv6 Configuration Type: leave empty
    • MAC Address: leave empty
    • MTU: leave empty
    • MSS: leave empty
  • In the ‘Reserved Networks‘-section:
    • Block private networks and loopback addresses: ☐
    • Block bogon networks: ☐
  • Click on ‘Save‘-button

site-b interfaces if_opt1

  • Click on ‘Apply Changes’


Assign an interface to the OpenVPN client on SITE-A

  • Navigate to ‘Interfaces – (assign)’

You will get a list of interfaces with a dropdown at the bottom labeled ‘Available network ports’.

site-a interfaces assign

  • Set ‘Available network ports’ to ‘ovpnc1 (your chosen description of your VPN)’
  • Click the ‘+ Add‘-button on the right

This will add a new interface named ‘OPT<number>’ to the list.

site-a interfaces assign

  • Click on ‘Save’-button

site-a interfaces assign

  • Click on the name of the newly generated interface on the left (usually the one with the highest trailing number)

This will open up the configuration for the interface which you have assigned to the OpenVPN client on SITE-A.

site-a interfaces if-opt1

  • In the ‘General Configuration‘-section
    • enable interface: 🗹
    • Description:  STS_OPENVPN_C
    • IPv4 Configuration Type: leave empty
    • IPv6 Configuration Type: leave empty
    • MAC Address: leave empty
    • MTU: leave empty
    • MSS: leave empty
  • In the ‘Reserved Networks’-section:
    • Block private networks and loopback addresses: ☐
    • Block bogon networks: ☐
  • Click on ‘Save‘-button

site-a interfaces if-opt1

  • Click on ‘Apply Changes’


Firewall rules on SITE-B router

Now, to allow traffic to reach the OpenVPN server, a rule has to be added to the firewall on the SITE-B router.

  • Navigate to ‘Firewall – Rules’

site-b firewall rules

  • Select the ‘WAN‘-tab
  • Click the left ‘Add‘-button to add a rule to the top of the list

site-b firewall rules edit if-wan

  • In the ‘Edit Firewall Rule‘-section:
    • Action: Pass
    • Disable this rule:  ☐
    • Interface: WAN
    • Address Family: IPv4
    • Protocol: UDP
  • In the ‘Source‘-section:
    • Invert match: ☐
    • Dropdown: any
  • In the ‘Destination‘-section:
    • Invert match:  ☐
    • Dropdown: WAN address
    • Destination Port Range: select OpenVPN (1194) in the left dropdown (that will also set the other dropdown to the same option)
  • In the ‘Extra Options‘-section:
    • Log packets that are handled by this rule:  ☐
    • Description: set an appropriate description like ‘ALLOW ANY to WAN ADDRESS:1194 (OpenVPN – SITE-A/SITE-B)’
  • Click the ‘Save‘-button

site-b firewall rules if-wan

  • Click ‘Apply Changes’

Then add a firewall rule to allow traffic to pass through the tunnel.

site-b firewall rules if-wan

  • Stay at ‘Firewall – Rules’
  • Select the ‘OpenVPN‘-tab

site-b firewall rules if-openvpn

  • Click the left ‘Add‘-button to add a rule to the top of the list

site-b firewall rules edit if-openvpn


  • In the ‘Edit Firewall Rule‘-section:
    • Action: Pass
    • Disable this rule: ☐
    • Interface: OpenVPN
    • Address Family: IPv4
    • Protocol: Any
  • In the ‘Source‘-section:
    • Invert match:  ☐
    • Dropdown: any
  • In the ‘Destination‘-section:
    • Invert match: ☐
    • Dropdown: any
  • In the ‘Extra Options‘-section:
    • Log: ☐ Log packets that are handled by this rule
    • Description: set an appropriate description like ‘ALLOW ANY TO ANY on OPENVPN’
  • Click the ‘Save‘-button

site-b firewall rules if-openvpn

  • Click ‘Apply Changes’


Firewall rule on SITE-A router

On the SITE-A router a firewall rule has to be added to allow traffic to pass through the tunnel.

  • Navigate to ‘Firewall – Rules’

site-a firewall rules

  • Select the ‘OpenVPN‘-tab

site-a firewall rules if-openvpn


  • Click the left ‘Add‘-button to add a rule to the top of the list

site-a firewall rules edit if-openvpn

  • In the ‘Edit Firewall Rule‘-section:
    • Action: Pass
    • Disable this rule: ☐
    • Interface: OpenVPN
    • Address Family: IPv4
    • Protocol: Any
  • In the ‘Source‘-section:
    • Invert match: ☐
    • Dropdown: any
  • In the ‘Destination‘-section:
    • Invert match: ☐ 
    • Dropdown: any
  • In the ‘Extra Options‘-section:
    • Log: ☐ Log packets that are handled by this rule
    • Description: set an appropriate description for the rule like ‘ALLOW ANY TO ANY on OPENVPN’
  • Click the ‘Save‘-button

site-a firewall rules if-openvpn

  • Click ‘Apply Changes’


Restart OpenVPN service at SITE-B

  • Navigate to ‘Status – OpenVPN’

site-b status openvpn

  • In the ‘Peer to Peer Server Instance Statistics‘-section:
    • Find the entry named ‘Site_To_Site-SITE-A_SITE_B UDP:1194‘ and click the ‘Restart openvpn Service‘-icon in the ‘Service‘-column


Restart OpenVPN service at SITE-A

  • Navigate to ‘Status – OpenVPN’

site-a status openvpn

  • In the ‘Client Instance Statistics‘-section:
    • Find the entry named ‘Site_To_Site-SITE-A_SITE_B UDP‘ and click the ‘Restart openvpn Service‘-icon in the ‘Service‘-column
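To make the GUI settings above legible as plain OpenVPN directives, here is an added Python example (mine, not the page's or pfSense's generated config) that renders both peers' configs from the HowTo's values and cross-checks that the two sides agree. It assumes pfSense's convention that the server takes the first usable address of the /30 and the client the second; the key path is a placeholder, and `auth SHA512` is OpenVPN's name for the GUI's RSA-SHA512.

```python
"""Render the two shared-key OpenVPN configs from the HowTo and cross-check them."""
import ipaddress

# Values copied from the HowTo above. The key path is a placeholder; pfSense keeps
# the generated shared key under its own paths, which are not reproduced here.
SITE_B_SERVER = {"tunnel": "10.4.10.0/30", "remote_nets": ["10.3.2.0/24"],
                 "port": 1194, "cipher": "AES-256-CBC", "auth": "SHA512"}
SITE_A_CLIENT = {"tunnel": "10.4.10.0/30", "remote_nets": ["10.4.2.0/24"],
                 "server": "site-b.site-b.de", "port": 1194,
                 "cipher": "AES-256-CBC", "auth": "SHA512"}
# Shared by both peers: tun device, UDP, survive restarts, ping-based dead-peer
# detection, adaptive LZO (the GUI's 'Enabled with Adaptive Compression').
COMMON = ["dev tun", "proto udp4", "persist-key", "persist-tun",
          "keepalive 10 60", "comp-lzo adaptive"]

def tunnel_endpoints(tunnel):
    """A /30 has exactly two usable hosts; server takes the first, client the second."""
    hosts = list(ipaddress.ip_network(tunnel).hosts())
    if len(hosts) != 2:
        raise ValueError(f"{tunnel} is not a /30 point-to-point network")
    return str(hosts[0]), str(hosts[1])

def route_lines(nets):
    """OpenVPN's 'route' directive takes network and dotted netmask, not CIDR."""
    return [f"route {n.network_address} {n.netmask}"
            for n in map(ipaddress.ip_network, nets)]

def render_server(p, key_path="/path/to/shared.key"):
    srv, cli = tunnel_endpoints(p["tunnel"])
    return "\n".join(["# SITE-B: peer-to-peer shared-key server",
                      f"port {p['port']}", f"ifconfig {srv} {cli}", f"secret {key_path}",
                      f"cipher {p['cipher']}", f"auth {p['auth']}",
                      *route_lines(p["remote_nets"]), *COMMON])

def render_client(p, key_path="/path/to/shared.key"):
    srv, cli = tunnel_endpoints(p["tunnel"])
    return "\n".join(["# SITE-A: peer-to-peer shared-key client",
                      f"remote {p['server']} {p['port']}", "nobind",
                      "resolv-retry infinite",  # 'Infinitely resolve server' in the GUI
                      f"ifconfig {cli} {srv}", f"secret {key_path}",
                      f"cipher {p['cipher']}", f"auth {p['auth']}",
                      *route_lines(p["remote_nets"]), *COMMON])

def check_pair(server, client):
    """List mismatches that would keep the tunnel down or break routing across it."""
    problems = [f"{k} differs: server {server[k]} vs client {client[k]}"
                for k in ("port", "cipher", "auth", "tunnel") if server[k] != client[k]]
    # The LAN behind each side and the tunnel /30 must be disjoint, otherwise a
    # 'route' on one peer shadows the other peer's prefix or the tunnel itself.
    nets = ([ipaddress.ip_network(server["tunnel"])]
            + [ipaddress.ip_network(n) for n in server["remote_nets"] + client["remote_nets"]])
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping networks: {a} and {b}")
    return problems

if __name__ == "__main__":
    print(render_server(SITE_B_SERVER), render_client(SITE_A_CLIENT), sep="\n\n")
    print("\nproblems:", check_pair(SITE_B_SERVER, SITE_A_CLIENT) or "none")
```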


additional postfix filter for fail2ban

June 18, 2017 | Computer Stuff, Doku

My fail2ban setup was missing a filter for a certain type of attack which has a different “_daemon”-string.


Barracuda offers a new — and free — alternative to Spamhaus

March 31, 2017 | Computer Stuff, Doku

Now a new, free alternative to Spamhaus has arrived: the Barracuda Reputation Block List (BRBL), provided by well-known, open source-based Barracuda Networks. And Barracuda CEO Dean Drako says the company has no plans to charge for the service in the future. He says that BRBL (pronounced “barbell”) “does cost us a little bit of money to run, but we think that the goodwill, the reputation and the understanding that Barracuda is providing the service will do us well in the long run.”

Source: Barracuda offers a new — and free — alternative to Spamhaus

Synergy, Ubuntu MATE, Raspberry Pi 3… and a Windows workstation

March 22, 2017 | Computer Stuff, Doku

Synergy is available from https://symless.com/synergy.

My Raspberry is running Ubuntu MATE but this should work with Raspbian too. It is working on Kubuntu 16.10.

Sources:

  • https://www.raspberrypi.org/forums/viewtopic.php?t=165146&p=1065116
  • https://wiki.archlinux.org/index.php/synergy#Clients_configuration
  • https://neverendingsecurity.wordpress.com/2015/04/13/how-to-configure-synergy-on-linux/
  • https://wiki.ubuntuusers.de/Synergy/
  • https://ubuntu-mate.community/t/auto-login-to-the-desktop/60

Install newest version of Synergy client on Raspberry Pi 3

Install the necessary tools, get the source code, build, deploy and configure the Synergy client

Create a script to start Synergy client

Create the necessary Synergy client config file for encryption

Configure lightdm for auto login

To configure lightdm to auto login,  add the directive autologin-user, specifying a user name, to /etc/lightdm/lightdm.conf.d/60-lightdm-gtk-greeter.conf.

raspberry pi 3 with ubuntu mate – important information

March 13, 2017 | Computer Stuff, Doku

Because it is better kept here…

Upgrades

Please do not attempt to upgrade your raspberry pi to a newer version of the distribution (for instance, from 15.04 to 15.10) as the underlying kernel is not designed to do this. This process will take a very long time to complete while potentially filling up your SD card to a point where there is no more free space.

It is safer to back up all your data you wish to keep and re-flash the card with the new image. Attempting to upgrade may corrupt the SD card, prevent your installation from booting, or cause severe glitches.

You can, however, install regular updates via the Software Updater utility for your installed software.

Kernel Updates

The same kernel provided by the Raspberry Pi foundation is used in this edition of Ubuntu MATE. As this kernel is delivered like a “firmware” blob, updates are not distributed via the Software Updater or apt-get.

Instead, to update the kernel, open a terminal and run:

Hardware Acceleration

Currently, hardware-accelerated applications are not supported, unlike on Raspbian. Applications that depend on OpenGL ES libraries or require the GPU will fail to start.

For playing videos, the application omxplayer will be able to do this and is pre-installed. If you are looking to play MPEG-2 or VC-1 video files then you will need MPEG-2 and/or VC-1 licenses from the Raspberry Pi Store.

Enable/Disable X11

For users who are looking to create their own headless “server” using Ubuntu MATE, there is a utility for toggling the graphical environment.

To disable X11 and login via the console:

To enable X11 to restore the Ubuntu MATE desktop:

Changes take effect after a reboot.

HowTo create statistics for greylisted messages using postgrey

March 7, 2017 | Computer Stuff, Doku
Be careful, the code contains errors, but it’s not too bad…

If you use Postgrey (and you should do it) on your mail servers and you want to have some statistics on the amount of greylisted messages and other information, you should find useful the following…

Source: How-To create statistics for Greylisted messages using Postgrey


Migrate ownCloud to Nextcloud and protect it against brute force attacks with fail2ban

July 6, 2016 | Computer Stuff, Doku
Updated on 2017/09/23: Fixed code in jail.local. Thank you Marco Lazzarotto!

Here is what I have done to migrate my ownCloud installation to Nextcloud. My installation is configured with the data directory outside of the webservers document root. To my surprise, the process was simple and painless.

  • First, I have updated my ownCloud installation to version 9.0.2, which I think is the newest BETA version, via the updater app.
  • Then I have made a full backup of the MySQL database via mysqldump and a full backup of the domain’s directory structure with tar (because of its size via sshfs to another server with sufficient space). There are howtos which recommend exporting calendars and contacts prior to the migration, but I did not see what that would be good for after a full backup (and I do have filesystem snapshots on top of that).
  • The next step was to delete everything in the ownCloud installation directory but /config, /data (and the /data directory outside the document root, of course) and /themes.
  • After that I have extracted the Nextcloud 9.0.52 release ZIP just over what was left of my installation and then I have changed owner and group of the extracted files to the run user and group of the domain.
  • Now it’s been time to point my browser to the GUI of the new Nextcloud installation and just walk through the steps.
  • To finalize the migration I had to reactivate the calendar and contacts app.

To tighten the security of my Nextcloud installation a little, I have configured fail2ban to react on failed login attempts.

First you have to tell Nextcloud that you want it to write a log file, in /path/to/Nextcloud/config/config.php:

The next thing to do is to configure a filter definition, /etc/fail2ban/filter.d/nextcloud.conf, to tell fail2ban how to find the IP addresses to ban:

Then you have to add a jail definition to /etc/fail2ban/jail.local (yep, I know that I have long bans):

You can test your configuration with these commands:


and
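As an added example (mine, not the author's filter or jail, which are not reproduced here), the detection logic those three files express, replayed in Python over constructed Nextcloud log lines: the failregex form a filter.d file would carry, the JSON-per-line log parsing, and fail2ban's maxretry-within-findtime ban decision.

```python
"""Replay fail2ban's failregex/maxretry/findtime logic over Nextcloud log lines."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex as filter.d/nextcloud.conf would state it; <HOST> is fail2ban's placeholder
# for the address to ban. Quotes are optional so both the older
# "Login failed: 'user' (Remote IP: '1.2.3.4')" and the unquoted form match.
FAILREGEX = r"Login failed: '?[^']*?'? \(Remote IP: '?<HOST>'?\)"
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)"))

def make_line(time, ip, message):
    """One constructed nextcloud.log entry (Nextcloud writes one JSON object per line)."""
    return json.dumps({"reqId": "x", "level": 2, "time": time, "remoteAddr": ip,
                       "user": "--", "app": "core", "method": "POST", "url": "/login",
                       "message": message})

# Constructed sample: one brute-forcer, one user with two typos, one slow scanner, one success.
SAMPLE_LOG = "\n".join(
    [make_line(f"2017-09-23T10:0{i}:00+00:00", "203.0.113.7",
               "Login failed: 'admin' (Remote IP: '203.0.113.7')") for i in range(5)]
    + [make_line("2017-09-23T10:02:30+00:00", "198.51.100.2",
                 "Login failed: 'bob' (Remote IP: '198.51.100.2')"),
       make_line("2017-09-23T10:03:00+00:00", "198.51.100.2",
                 "Login failed: bob (Remote IP: 198.51.100.2)")]
    + [make_line(f"2017-09-23T{8 + i:02d}:00:00+00:00", "203.0.113.9",
                 "Login failed: 'root' (Remote IP: '203.0.113.9')") for i in range(5)]
    + [make_line("2017-09-23T10:04:00+00:00", "192.0.2.1", "Login successful: 'alice'")])

def parse_failure(line):
    """Return (host, timestamp) for a failed-login line, None for anything else."""
    try:
        entry = json.loads(line)
    except ValueError:
        return None
    hit = HOST_RE.search(entry.get("message", ""))
    if not hit:
        return None
    return hit.group("host"), datetime.fromisoformat(entry["time"])

def ips_to_ban(log, maxretry=5, findtime=600):
    """Hosts with >= maxretry failures inside any findtime-second window, as a jail sees them."""
    failures = defaultdict(list)
    for line in log.splitlines():
        hit = parse_failure(line)
        if hit:
            failures[hit[0]].append(hit[1])
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in failures.items():
        times.sort()
        # slide over maxretry consecutive failures; ban if oldest and newest fit the window
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return sorted(banned)

if __name__ == "__main__":
    print("ban:", ips_to_ban(SAMPLE_LOG))  # fail2ban's shipped defaults: 5 retries in 10m
```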