Archive for the ‘tools’ Category

Open VPN with PAM

June 23, 2011

Your Private tunnel to the Internet.

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

Installation 

apt-get install openvpn
apt-get install libpam0g-dev   # for PAM support

Configuration

You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server.  I chose tun for my case.

Authentication methods

  1. Certificates/keys
  2. Smart cards
  3. Username/password credentials

Preparing to generate the keys

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/

Generate the certificate authority (CA) which will be used to sign the server and client certificates.

. ./vars
./clean-all
./build-ca

Next, we need to create the server keys

./build-key-server server

Answer ‘yes’ when asked to sign the certificate and commit to the database, and then you’ll need to generate the Diffie-Hellman parameters which are used for key exchange between the client and

./build-dh

As I decided to use PAM-based authentication, I skip creating client certificates and keys here.

Here is my server config file (/etc/openvpn/server.conf):

port 1194
proto tcp-server
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

server 192.168.50.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

push "route 192.168.0.0 255.255.240.0"
push "dhcp-option DNS 192.168.1.1"

persist-key
persist-tun

status openvpn-status.log

log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name

/etc/init.d/openvpn start|stop|restart

If the service fails to start, look in /var/log/openvpn.log for the error.
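A quick way to keep an eye on the settings above, added here as an example and not code from the original post: a Python script that parses an OpenVPN server.conf and flags the points a reviewer would raise on this one. client-cert-not-required is the deprecated spelling of verify-client-cert none; the file name dh1024.pem suggests 1024-bit Diffie-Hellman parameters, below the usual 2048-bit floor; there is no tls-auth or tls-crypt, so any host that can reach port 1194 may start a TLS handshake; and with no cipher line older OpenVPN releases default to BF-CBC, a 64-bit block cipher. The hardened counterpart in the script keeps the PAM password design and passes the same checks; its file names ta.key and dh2048.pem are assumptions.

```python
"""Audit an OpenVPN server.conf for settings a defender would want to revisit.

Added example, not code from the original post. SAMPLE_CONF is the post's own
server.conf (shortened); HARDENED_CONF is a suggested counterpart whose key
file names (ta.key, dh2048.pem) are assumptions.
"""
import re
import shlex

SAMPLE_CONF = """\
port 1194
proto tcp-server
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 192.168.50.0 255.255.255.0
push "route 192.168.0.0 255.255.240.0"
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
verb 3
"""

# Same PAM-based design with the flagged points addressed.
HARDENED_CONF = """\
port 1194
proto tcp-server
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
server 192.168.50.0 255.255.255.0
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
verify-client-cert none
username-as-common-name
verb 3
"""


def parse_openvpn_conf(text):
    """Return {option: [argument lists]}.

    shlex keeps quoted arguments such as push "route ..." together and drops
    '#' comments; OpenVPN also accepts ';' as a comment leader, handled here.
    """
    options = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens or tokens[0].startswith(";"):
            continue
        options.setdefault(tokens[0], []).append(tokens[1:])
    return options


def audit_openvpn_conf(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    options = parse_openvpn_conf(text)
    findings = []

    if "client-cert-not-required" in options:
        findings.append(("warn", "client-cert-not-required is deprecated; the "
                         "current spelling is 'verify-client-cert none'"))
    for args in options.get("verify-client-cert", []):
        if args and args[0] == "none":
            findings.append(("info", "verify-client-cert none: clients are "
                             "identified by username/password alone"))

    for args in options.get("dh", []):
        # Bit length is inferred from the easy-rsa style file name (dh1024.pem).
        match = re.search(r"dh(\d{3,5})\.pem$", args[0]) if args else None
        if match and int(match.group(1)) < 2048:
            findings.append(("warn", f"dh {args[0]}: {match.group(1)}-bit "
                             "parameters are below the 2048-bit floor"))

    if "tls-auth" not in options and "tls-crypt" not in options:
        findings.append(("warn", "no tls-auth/tls-crypt: the TLS handshake is "
                         "reachable by any host that can send to the port"))

    if "cipher" not in options:
        findings.append(("warn", "no cipher line: older releases fall back to "
                         "BF-CBC, a 64-bit block cipher"))

    return findings


if __name__ == "__main__":
    for label, conf in (("post", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label} ---")
        for severity, message in audit_openvpn_conf(conf):
            print(f"[{severity}] {message}")
```

Run it against your own server.conf by reading the file into a string and passing it to audit_openvpn_conf; the only remaining finding on the hardened variant is the informational note that the design deliberately identifies clients by password rather than certificate.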

My client.conf file

client
dev tun
proto tcp-client
remote test.com 1194
ca keys/ca.crt   # the same CA file used on the server
verb 3
auth-user-pass

For Windows, use openvpn-gui to connect to the OpenVPN server: save the configuration as file.ovpn in the openvpn/conf directory, and before trying to connect check that the DHCP Client service is running on your Windows machine, otherwise the pushed routes won't work.

How to install Cisco VPN client on Debian / Ubuntu (jaunty and Karmic) 64 bit

May 24, 2010

The Cisco module again refuses to compile against the newer kernel in Ubuntu 9.04 and 9.10 beta:

/home/lamnk/vpnclient/interceptor.c: In function ‘interceptor_init’:
/home/lamnk/vpnclient/interceptor.c: In function ‘remove_netdev’:
/home/lamnk/vpnclient/interceptor.c:294: error: ‘struct net_device’ has no member named ‘hard_start_xmit’
make[2]: *** [/home/lamnk/vpnclient/interceptor.o] Error 1
make[1]: *** [_module_/home/lamnk/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.31-1-generic'
make: *** [default] Error 2
Failed to make module "cisco_ipsec.ko".

Before installation I assume that you have the latest version, 4.8.02.0030, and the packages required for compiling, i.e. gcc, libstdc++6 … The kernel version should be between 2.6.30 and 2.6.32.

* Download the client and extract it
* Go to vpnclient folder:

cd vpnclient

* Download patch file for 64 bit and apply it (users on 32bit systems can skip this step):

wget http://lamnk.com/download/vpnclient-linux-4.8.02-64bit.patch

patch < ./vpnclient-linux-4.8.02-64bit.patch

sed -i 's/^CFLAGS/EXTRA_CFLAGS/' Makefile

* Download patch file for newer kernel (2.6.30+) and apply it:

wget http://lamnk.com/download/vpnclient-linux-2.6.31-final.diff

patch < ./vpnclient-linux-2.6.31-final.diff

* Next we must edit a kernel source file

sudo sed -i 's/const\ struct\ net_device_ops\ \*netdev_ops;/struct\ net_device_ops\ \*netdev_ops;/' `find /usr/src -name netdevice.h`

Yes, it is a one-liner; copy & paste that command instead of typing it 😉 In plain English: find the string const struct net_device_ops *netdev_ops; and change it to struct net_device_ops *netdev_ops; in the file located by

find /usr/src -name netdevice.h

* And finally, install Cisco VPN Client:

sudo ./vpn_install

Get Information About Your BIOS / Server Hardware From a Shell

November 17, 2009

dmidecode – Read biosdecode data in a human-readable format

Data provided by biosdecode is not in a human-readable format. You need to use the dmidecode command to dump a computer’s DMI (SMBIOS) table contents on screen. This table contains a description of the system’s hardware components, as well as other useful pieces of information such as serial numbers and BIOS revision. Thanks to this table, you can retrieve this information without having to probe for the actual hardware.

Task: Display information about the IPMI device

# dmidecode --type 38

You need to pass dmidecode following keywords:

* bios
* system
* baseboard
* chassis
* processor
* memory
* cache
* connector
* slot

All DMI types you can use with dmidecode --type {Number}:

Type  Description
0 BIOS
1 System
2 Base Board
3 Chassis
4 Processor
5 Memory Controller
6 Memory Module
7 Cache
8 Port Connector
9 System Slots
10 On Board Devices
11 OEM Strings
12 System Configuration Options
13 BIOS Language
14 Group Associations
15 System Event Log
16 Physical Memory Array
17 Memory Device
18 32-bit Memory Error
19 Memory Array Mapped Address
20 Memory Device Mapped Address
21 Built-in Pointing Device
22 Portable Battery
23 System Reset
24 Hardware Security
25 System Power Controls
26 Voltage Probe
27 Cooling Device
28 Temperature Probe
29 Electrical Current Probe
30 Out-of-band Remote Access
31 Boot Integrity Services
32 System Boot
33 64-bit Memory Error
34 Management Device
35 Management Device Component
36 Management Device Threshold Data
37 Memory Channel
38 IPMI Device
39 Power Supply
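To turn that output into something you can baseline (BIOS vendor, version and date, the system serial number, and whether an IPMI device, type 38 above, is present), here is an added Python example, not part of the original post, that parses the record layout dmidecode prints: a "Handle 0x..., DMI type N, M bytes" line, a title line, tab-indented Key: Value lines, and deeper-indented list items. The sample output is constructed in that layout; its vendor names, versions and serials are placeholders. From a defender's point of view the type 38 record matters because it means there is an out-of-band controller whose own firmware and network exposure need tracking alongside the BIOS.

```python
"""Parse dmidecode text output into records and extract an inventory summary.

Added example, not code from the original post. SAMPLE_OUTPUT is constructed in
dmidecode's record layout with placeholder values.
"""
import re

SAMPLE_OUTPUT = """\
# dmidecode 2.9
SMBIOS 2.4 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: Example BIOS Vendor
\tVersion: 1.23
\tRelease Date: 01/15/2009
\tCharacteristics:
\t\tPCI is supported
\t\tBIOS is upgradeable

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Corp
\tProduct Name: Example Rack Server
\tSerial Number: SN-EXAMPLE-0001
\tUUID: 00000000-0000-0000-0000-000000000000

Handle 0x0026, DMI type 38, 18 bytes
IPMI Device Information
\tInterface Type: KCS (Keyboard Control Style)
\tSpecification Version: 2.0
\tBase Address: 0x0000000000000CA2 (I/O)
"""

HANDLE_RE = re.compile(r"^Handle (0x[0-9A-Fa-f]+), DMI type (\d+), (\d+) bytes$")


def parse_dmidecode(text):
    """Return a list of records: {"handle", "type", "title", "fields"}.

    A 'Key: Value' line becomes a string field; a key with no value followed by
    deeper-indented lines (e.g. Characteristics) becomes a list of strings.
    """
    records = []
    current = None
    list_key = None
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if m:
            current = {"handle": m.group(1), "type": int(m.group(2)),
                       "title": None, "fields": {}}
            records.append(current)
            list_key = None
            continue
        if current is None or not line.strip():
            continue                      # banner lines and blank separators
        if line.startswith("\t\t") and list_key:
            current["fields"][list_key].append(line.strip())
        elif line.startswith("\t"):
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if value:
                current["fields"][key] = value
                list_key = None
            else:
                current["fields"][key] = []   # list header; items follow
                list_key = key
        elif current["title"] is None:
            current["title"] = line.strip()
    return records


def inventory_summary(records):
    """Pick out the fields a firmware/asset baseline needs."""
    by_type = {}
    for rec in records:
        by_type.setdefault(rec["type"], []).append(rec)
    bios = by_type.get(0, [{}])[0].get("fields", {})
    system = by_type.get(1, [{}])[0].get("fields", {})
    ipmi = by_type.get(38, [{}])[0].get("fields", {})
    return {
        "bios_vendor": bios.get("Vendor"),
        "bios_version": bios.get("Version"),
        "bios_date": bios.get("Release Date"),
        "system_serial": system.get("Serial Number"),
        "ipmi_present": 38 in by_type,
        "ipmi_interface": ipmi.get("Interface Type"),
    }


if __name__ == "__main__":
    for key, value in inventory_summary(parse_dmidecode(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

On a real host feed it the output of `dmidecode` (run as root) instead of SAMPLE_OUTPUT and store the summary; a change in bios_version between two runs is worth an explanation, and ipmi_present tells you which machines have a BMC to include in firmware and network reviews.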

Q. How do I get detailed information about my Linux server hardware?

A. You need to use a tool called lshw to extract detailed information on the hardware configuration of the machine. It can report exact memory configuration, firmware version, main board configuration, CPU version and speed, cache configuration, bus speed, etc. on DMI-capable x86 or IA-64 systems and on some PowerPC machines.

It currently supports DMI (x86 and IA-64 only), OpenFirmware device tree (PowerPC only), PCI/AGP, CPUID (x86), IDE/ATA/ATAPI, PCMCIA (only tested on x86), SCSI and USB.

Squid basic options

August 27, 2009

http_port 192.168.[98|106].64:port
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
dns_timeout 1 minutes
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl [se|fx]-net src 192.168.[98|106].0/24
acl safe_urls dstdomain .xxx.com
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port
acl Safe_ports port http_port https_port # http, https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny !safe_urls
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow [se|fx]-net
http_access deny all
http_reply_access allow all
cache_mgr someone@some.com
coredump_dir /usr/local/squid/var/cache
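The http_access lines above are evaluated the way Squid evaluates them: line by line, every ACL on a line must match (a leading ! negates), the first matching line decides, and a request that matches no line gets the opposite of the last line's action, which is why the list ends in deny all. As an added example, not part of the original post or of Squid, here is a small Python evaluator of exactly those rules with the placeholders filled in by assumption: se-net stands for the [se|fx]-net entry as 192.168.98.0/24, Safe_ports is 80 and 443, SSL_ports is 443, and .example.com replaces the post's .xxx.com. The sample requests are constructed. One thing it makes visible is that deny !safe_urls sits before allow localhost, so even the proxy host itself is limited to the allowed domain.

```python
"""Evaluate Squid http_access rules with Squid's first-match semantics.

Added example, not from the original post or from Squid. ACL values marked
'assumed' fill in the post's placeholders.
"""
import ipaddress

# acl <name> <type> <values>, kept in the post's own notation where given.
ACLS = {
    "all":          ("src", ["0.0.0.0/0.0.0.0"]),
    "manager":      ("proto", ["cache_object"]),
    "localhost":    ("src", ["127.0.0.1/255.255.255.255"]),
    "se-net":       ("src", ["192.168.98.0/24"]),        # assumed
    "safe_urls":    ("dstdomain", [".example.com"]),     # assumed
    "to_localhost": ("dst", ["127.0.0.0/8"]),
    "SSL_ports":    ("port", [443]),                     # assumed
    "Safe_ports":   ("port", [80, 443]),                 # assumed
    "CONNECT":      ("method", ["CONNECT"]),
}

# http_access lines in the post's order.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["!safe_urls"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["to_localhost"]),
    ("allow", ["localhost"]),
    ("allow", ["se-net"]),
    ("deny",  ["all"]),
]


def _in_any(addr, networks):
    return addr is not None and any(
        ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False)
        for n in networks)


def _domain_matches(host, patterns):
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):   # ".example.com" covers the domain and its subdomains
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return _in_any(req["src"], values)
    if kind == "dst":
        return _in_any(req.get("dst_ip"), values)
    if kind == "dstdomain":
        return _domain_matches(req["host"], values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["scheme"] in values
    raise ValueError(f"unsupported acl type {kind}")


def http_access(req, rules=HTTP_ACCESS):
    """Return (decision, index of the deciding line); index None means default."""
    for idx, (action, elements) in enumerate(rules):
        # Every element must match; a '!' element must NOT match.
        if all(acl_matches(e.lstrip("!"), req) != e.startswith("!") for e in elements):
            return action, idx
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def request(src, host, port=80, method="GET", scheme="http", dst_ip=None):
    """Constructed request record; dst_ip is the resolved destination when known."""
    return {"src": src, "host": host, "port": port, "method": method,
            "scheme": scheme, "dst_ip": dst_ip}


if __name__ == "__main__":
    for req in (request("192.168.98.10", "www.example.com"),
                request("192.168.98.10", "www.other.test"),
                request("127.0.0.1", "www.other.test"),
                request("10.0.0.5", "www.example.com")):
        print(req["src"], req["host"], "->", http_access(req))
```

The default-when-nothing-matches rule is the one that bites people: a list whose last line is a deny silently allows anything no line matched, so a trailing deny all (or a trailing allow for the intended clients followed by nothing) is what makes the policy explicit.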

Open-Solaris VPNC

August 18, 2009

Connecting OpenSolaris (2008.11) to a Cisco VPN. Thanks for the head start, but some changes were needed for my system.

pkg install sunstudioexpress
export CC=/opt/SunStudioExpress/bin/cc

Download the tun/tap driver from Kazuyoshi.

Run ./configure, then you will need to edit the Makefile (for x64 only!).

Change these options

modules: tun.o tap.o
$(LD) -r -o tun tun.o
$(LD) -r -o tap tap.o

to

modules: tun.o tap.o
$(LD) -melf_x86_64 -r -o tun tun.o
$(LD) -melf_x86_64 -r -o tap tap.o

Now you can run make & make install, or you can (at your own risk, they work for me!) download the packages for both 32- and 64-bit kernels:

tuntap-0.2.5-opensolaris-i386.pkg.gz (http://www.mediafire.com/?ny0wqzsmyct)
tuntap-0.2.5-opensolaris-x86_64.pkg.gz (http://www.mediafire.com/?ny0wqzsmyct)

Next you need to get vpnc; I grabbed vpnc-0.5.3.

pkg install SUNWgmake

Now edit the Makefile and change install to ginstall (on each cmd line), for example:

install -m600 vpnc.conf $(DESTDIR)$(ETCDIR)/default.conf

to

ginstall -m600 vpnc.conf $(DESTDIR)$(ETCDIR)/default.conf

Optionally change PREFIX from /usr/local to /usr

0.5.3 will not compile correctly until you modify tunip.c, changing (at line 1061)

openlog("vpnc", LOG_PID | LOG_PERROR, LOG_DAEMON);

to

openlog("vpnc", LOG_PID, LOG_DAEMON);

Now you can run gmake & gmake install, or you can (at your own risk, they work for me!) download the pkg for vpnc.

vpnc-0.5.3-opensolaris-i386.pkg.gz (http://www.mediafire.com/?0tcwnx3e4xy)

Edits to the vpnc-script (included in the above package) to get a working VPN:

Commented out line 62: #IPROUTE=…

ADDED:

route add `echo "$INTERNAL_IP4_ADDRESS" | awk '{ printf "%s\n",$1}' FS=.`.0.0.0 "$INTERNAL_IP4_ADDRESS" -interface

to the end of the set_network_route() function (say your IP on the VPN is 192.168.0.140; this will route all 192.* addresses through the VPN).

ADDED:

route $route_syntax_del default "$INTERNAL_IP4_ADDRESS"

to the end of the reset_default_route() function (disconnecting left some rogue route entries; it still leaves a few, but this gets things back to working order).

Now I have full VPN access to the Cisco networks I normally connect to!