OpenVPN with Ubuntu 20.04 LTS

shtzeng Posted in System Settings

Install Ubuntu 20.04 Server or Desktop

  • Update all packages
    • sudo apt update
    • sudo apt upgrade -y
    • sudo apt dist-upgrade -y
    • sudo apt autoremove
    • sudo shutdown -r now
  • Install easy-rsa to simplify certificate setup
    • sudo apt update
    • sudo apt install easy-rsa -y
  • Install OpenVPN
    • sudo apt update
    • sudo apt install openvpn
  • Install OpenVPN from the upstream stable repository (optional)
    • Ref: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
    • wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | sudo apt-key add -
    • echo "deb http://build.openvpn.net/debian/openvpn/stable focal main" | sudo tee /etc/apt/sources.list.d/openvpn-aptrepo.list
    • sudo apt update
    • sudo apt install openvpn
  • Configure the OpenVPN server
    • set up certificates using easy-rsa for OpenVPN
      • but you can still use the openssl command directly … XD
      • Ref: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
      • go to /etc/openvpn/ and run `sudo make-cadir easy-rsa`
      • go to the easy-rsa dir; you must switch to the root account or change the directory permissions to enter it
      • edit the vars file, or leave the default values
      • build the required files
        • ./easyrsa init-pki
        • ./easyrsa build-ca
          • it will ask for a password for the CA key; remember it
        • ./easyrsa gen-dh
        • ./easyrsa gen-req openvpn-server nopass
        • ./easyrsa sign-req server openvpn-server
        • ./easyrsa gen-req client-user nopass
        • ./easyrsa sign-req client client-user
        • openvpn --genkey --secret tls-auth.key
      • now you have the files to configure the OpenVPN server and client under the /etc/openvpn/ dir
        • easy-rsa/pki/ca.crt
        • easy-rsa/pki/issued/openvpn-server.crt
        • easy-rsa/pki/private/openvpn-server.key
        • easy-rsa/pki/issued/client-user.crt
        • easy-rsa/pki/private/client-user.key
        • easy-rsa/dh.pem
        • tls-auth.key
      • you can copy all of them into /etc/openvpn/ to reduce editing
    • set up the OpenVPN config file
      • Ref: https://openvpn.net/community-resources/how-to/
      • go back to the /etc/openvpn/ dir
      • copy the example file to reduce editing :)
        • cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ./
        • gunzip server.conf.gz
      • minimal modifications to server.conf; this section authenticates with SSL certificates only, if you want username/password auth see the next part
        • push "redirect-gateway def1 bypass-dhcp"
          • uncomment it to route all client traffic through the VPN server
        • push "dhcp-option DNS 8.8.8.8"
        • ca ca.crt
        • cert openvpn-server.crt
        • key openvpn-server.key
        • dh dh.pem
        • tls-auth tls-auth.key 0
        • duplicate-cn
        • log-append /var/log/openvpn/openvpn.log
      • add the following for username/password auth
        • Ref: https://openvpn.net/community-resources/how-to/#auth
        • use a simple script
          • auth-user-pass-verify auth-user.sh via-env
          • script-security 3
          • username-as-common-name
        • use PAM
          • auth-user-pass-verify auth-pam.pl via-file
            • auth-pam.pl is at /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl
            • sudo cp /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl /etc/openvpn/
          • script-security 3
          • username-as-common-name
      • now the OpenVPN server configuration is complete!
  • Configure the OpenVPN client
    • go to /etc/openvpn/
    • copy the example file to reduce editing :)
      • cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./
    • minimal modifications to client.conf
      • Since we want just one config file, remove
        • ca ca.crt
        • cert client.crt
        • key client.key
        • tls-auth ta.key 1
      • Add or modify
        • remote your-ip/your-fqdn 1194

        • <ca>
          -----BEGIN CERTIFICATE-----
          put your ca.crt content here
          -----END CERTIFICATE-----
          </ca>

        • <cert>
          -----BEGIN CERTIFICATE-----
          put your client-user.crt content here
          -----END CERTIFICATE-----
          </cert>

        • <key>
          -----BEGIN PRIVATE KEY-----
          put your client-user.key content here
          -----END PRIVATE KEY-----
          </key>

        • <tls-auth>
          -----BEGIN OpenVPN Static key V1-----
          put your tls-auth.key content here
          -----END OpenVPN Static key V1-----
          </tls-auth>
        • key-direction 1
    • Add for username/password auth
      • auth-user-pass
  • Start OpenVPN
    • enable OpenVPN 'server.conf' to start at boot
      • sudo systemctl enable openvpn@server
    • start OpenVPN 'server.conf'
      • sudo systemctl start openvpn@server
  • Ensure NAT routes traffic correctly
    • enable IP forwarding for NAT
      • add the file /etc/sysctl.d/30-openvpn.conf
        • net.ipv4.ip_forward = 1
      • reload sysctl
        • sudo sysctl -p /etc/sysctl.d/30-openvpn.conf
    • set up iptables for NAT
      • sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -o ens5 -j MASQUERADE
    • save the iptables rules so they survive a reboot
      • sudo apt-get install iptables-persistent -y
      • sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
  • Test the connection
    • open https://ipinfo.io in a browser to check that your IP has changed
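The single-file client config described in the client section above is tedious to assemble by hand, so here is an added example script (not from the original post) that builds it from the four PKI files the how-to produces, wrapping each in its OpenVPN inline tag and adding key-direction 1, then checks that every inline section appears exactly once. The file paths and the remote hostname are arguments; the directive list mirrors the sample client.conf the post copies. The function names are mine.

```shell
#!/bin/sh
# build_client_ovpn.sh (added example, not from the original post)
# Assembles a single-file client config by inlining ca.crt, the client
# cert/key and the tls-auth key. Paths and remote host are arguments.
set -eu

# Print a file wrapped in the OpenVPN inline tag, e.g. <ca>...</ca>.
inline_block() {
  tag=$1; file=$2
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  printf '<%s>\n' "$tag"
  cat "$file"
  printf '</%s>\n' "$tag"
}

# build_client_ovpn REMOTE CA CERT KEY TLSAUTH -> config on stdout
build_client_ovpn() {
  remote=$1 ca=$2 cert=$3 key=$4 ta=$5
  cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
key-direction 1
EOF
  inline_block ca "$ca"
  inline_block cert "$cert"
  inline_block key "$key"
  inline_block tls-auth "$ta"
}

# check_ovpn FILE -> 0 when each inline section is present exactly once
check_ovpn() {
  for tag in ca cert key tls-auth; do
    n=$(grep -c "^<$tag>$" "$1" || true)
    [ "$n" -eq 1 ] || { echo "missing or duplicated <$tag> in $1" >&2; return 1; }
  done
}

# usage: build_client_ovpn.sh vpn.example.com ca.crt client-user.crt client-user.key tls-auth.key > client.ovpn
if [ $# -eq 5 ]; then
  build_client_ovpn "$@"
fi
```

The output goes to stdout so it can be redirected into client.ovpn; run check_ovpn on the result before handing the file to a user, since a missing or duplicated inline section is the usual cause of a client that silently fails the TLS handshake.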

ubuntu munin network traffic no data

shtzeng Posted in System Settings

Since old Ubuntu LTS releases no longer get package updates,
some patches have to be applied by yourself,
like this munin if_ error.

: plugins/node.d.linux/if_

    # iwlist first)
    if [[ -r /sys/class/net/$INTERFACE/speed ]]; then
            SPEED=$(cat /sys/class/net/$INTERFACE/speed 2>/dev/null)
-           if [[ "$SPEED" -gt 0 ]]; then
+           if [ -n "$SPEED" -a "$SPEED" -gt "0" ]; then
                echo $SPEED
                return
            fi
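Review bot: the replacement line `if [ -n "$SPEED" -a "$SPEED" -gt "0" ]; then` switches to a POSIX `[ ]` test joined with `-a`, while the line two above it (`if [[ -r /sys/class/net/$INTERFACE/speed ]]; then`) still uses bash `[[ ]]`, so the plugin now mixes both styles in one block, and `-a` is marked obsolescent in POSIX test. The `2>/dev/null` on the `cat` only silences read errors; it does not guarantee the value is numeric, so the `-gt` comparison still raises a test error if `speed` ever holds anything other than an integer. Suggest staying consistent with the surrounding syntax, e.g. `if [[ -n "$SPEED" && "$SPEED" -gt 0 ]]; then`, or, if the intent is to drop bash-isms, converting the `[[ -r ... ]]` above as well and writing the conjunction as `[ -n "$SPEED" ] && [ "$SPEED" -gt 0 ]`.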

GCP computer engine ubuntu disk size increase

shtzeng Posted in System Settings

Resize the persistent disk in the Google Cloud Platform Console:

1. Go to the Compute Engine page.
2. Click on “Disks” in the sidebar
3. Click the name of the disk that you want to resize.
4. At the top of the disk details page, click “Edit”.
5. In the “Size” field, enter the new size for your disk.
6. At the bottom of the disk details page, click “Save” to apply your changes to the disk.
7. Start the server, then run sudo growpart /dev/sda 1 (if you increased the root disk)
8. sudo resize2fs /dev/sda1

Ref. https://stackoverflow.com/questions/22381686/how-can-size-of-the-root-disk-in-google-compute-engine-be-increased

How to change the IP address on Ubuntu

shtzeng Posted in System Settings

When I install the Server edition,
changing the IP means editing `/etc/network/interfaces`,
but after installing the Desktop edition
I found that `/etc/network/interfaces` was completely empty,
so I looked up how to change it.

I remember that after Desktop is installed, network connections are changed from the top-right corner of the Unity interface,
so to change the IP from the command line you have to edit `/etc/NetworkManager/system-connections/Wired connection X`;
that X is just the number of the config file, look for whichever one holds your settings~

And then, on Ubuntu 12.04 the change is detected and the IP switched the moment you save, so ssh hangs, WTF.
On Ubuntu 16.04 it only changes after you stop / start, which is much more humane~

Writing it down, since I'll forget it again next time anyway

Differences in converting time formats with date on Ubuntu and macOS

shtzeng Posted in System Settings

I use this often and often hit a wall = =凸
Writing it down for the record.

For example, when the string Feb 26 23:59:59 2022 GMT has to be converted to a Unix timestamp,
on Ubuntu you can convert it directly with date --date="Feb 26 23:59:59 2022 GMT" +%s
while on a mac you have to use LANG=en_us_8859_1 date -j -f "%b %d %T %Y %Z" "Feb 26 23:59:59 2022 GMT" +%s
Yes, because my mac's locale is zh_TW.UTF-8, the format used to display times is different zzz
shtzeng@shtzengde-MacBook-Air [~] [16:54:42] $ date "+%b %d %T %Y %Z"
1 31 16:55:44 2020 CST
shtzeng@shtzengde-MacBook-Air [~] [16:55:44] $

So you have to pass the correct LANG environment variable along when using it.
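A portable wrapper around the two commands above, added here as an example and not part of the original post. It picks the GNU or BSD syntax by probing `date --version`, forces `LC_ALL=C` so the `%b` month abbreviation is parsed in English regardless of the login locale (the same fix the post reaches with LANG), and adds a helper that turns the parsed moment into "seconds/days until", which is what you usually want this conversion for, e.g. alerting on a certificate's expiry date. The BSD branch reuses the exact `-j -f` form from the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post.
# to_epoch "Feb 26 23:59:59 2022 GMT" -> seconds since the epoch, on GNU
# (Ubuntu) or BSD (macOS) date. LC_ALL=C keeps %b English whatever the
# user's locale is; the BSD branch uses the -j -f form from the post.
to_epoch() {
  if date --version >/dev/null 2>&1; then
    LC_ALL=C date --date="$1" +%s
  else
    LC_ALL=C date -j -f "%b %d %T %Y %Z" "$1" +%s
  fi
}

# seconds_until "<date string>" [NOW_EPOCH]: positive while the moment is
# still in the future. NOW_EPOCH defaults to the current time; passing it
# explicitly makes the function reproducible in scripts and tests.
seconds_until() {
  now=${2:-$(date +%s)}
  echo $(( $(to_epoch "$1") - now ))
}

# days_until: same, truncated toward zero to whole days (negative once expired)
days_until() {
  secs=$(seconds_until "$1" "${2:-}")
  echo $(( secs / 86400 ))
}

# usage: days_until "Feb 26 23:59:59 2022 GMT"
```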

Managing SSL certificates on AWS

shtzeng Posted in System Settings

I've long felt that AWS has no good interface for managing SSL certificates.
These past few days I had to upload a renewed certificate, and it just…. sucks.
Too many products, none of them properly integrated.

The earliest one was certificates managed by IAM.
I remember my first contact with it was uploading a certificate to an EC2 Load Balancer;
after uploading there was no interface to manage it.
Right, they simply never built a web interface for it, you can only handle it with the aws cli.

shtzeng@jump [~] [03:43:16] $ aws iam list-server-certificates
{
"ServerCertificateMetadataList": [
{
"ServerCertificateId": "XXX",
"ServerCertificateName": "CCC",
"Expiration": "2020-02-27T23:59:59Z",
"Path": "/",
"Arn": "arn:aws:iam::QQQ:server-certificate/CCC",
"UploadDate": "2019-01-29T07:17:38Z"
},
{
"ServerCertificateId": "XXX",
"ServerCertificateName": "CCC",
"Expiration": "2021-10-24T23:59:59Z",
"Path": "/",
"Arn": "arn:aws:iam::QQQ:server-certificate/CCC",
"UploadDate": "2019-09-26T04:33:28Z"
},
{
"ServerCertificateId": "XXX",
"ServerCertificateName": "CCC",
"Expiration": "2022-02-26T23:59:59Z",
"Path": "/",
"Arn": "arn:aws:iam::QQQ:server-certificate/CCC",
"UploadDate": "2020-01-30T10:22:15Z"
}
]
}
shtzeng@jump [~] [03:43:19] $

The related commands are

shtzeng@jump [~] [03:45:24] $ aws iam help | grep server-certificate
o delete-server-certificate
o get-server-certificate
o list-server-certificates
o update-server-certificate
o upload-server-certificate
shtzeng@jump [~] [03:45:26] $

A quick look at the help is enough to work out how to tidy them up; this is roughly the first generation of certificate management.

Next came ACM.
This one has an interface.
But… but….
For example, to use a certificate in a Load Balancer, the ACM in that region has to hold the matching certificate.
Uh, right: if I need it in ap-northeast-1, ACM in ap-northeast-1 has to hold a copy,
and if us-west-2 needs it too, then us-west-2 has to hold one as well.
And then
if api-gateway uses a certificate for a custom domain, it only reads from us-east-1 (and doesn't support IAM either).
That one goes through the CloudFront system, so I guess CloudFront also only supports certificates in us-east-1 zzz

It's just a hassle \_/
But ACM can have AWS generate the certificate for you and renews it automatically, which is a very nice service =w=

Thanks for reading my rambling xd

NAT, IPsec and iptables free-for-all

shtzeng Posted in System Settings

Back when I was researching IPsec
I just copied whatever the web pages said.
It made sense and it worked, so I didn't dig into any other issues,
and I don't even know where I copied the iptables settings from.
hmmm…. no problem, but something felt off.
Nothing was broken, so I left it.

First, let's look at the situation I ran into:
NAT and IPsec on the same machine,
and iptables looked like this (facepalm)

iptables -t nat -A POSTROUTING -o eth0 -s 10.6.0.0/16 -j MASQUERADE

hmmm… machines in this VPC can reach the internet
and can also reach other VPCs.
Looks fine.
But why do connections to machines in other VPCs show the IP of this NAT + IPsec box?
Yet if I remove this iptables rule, the VPC can't reach the internet at all~~~~
So it looked odd, but I left it for the time being.
A few months later, while setting up service monitoring recently, I needed to adjust the firewall so certain monitor server IPs could connect in.
They couldn't connect, and once I found they were connecting the way described above, I decided to track down the problem.

The problem was that the POSTROUTING part of the iptables rules was wrong.
Only the NAT server role needs to masquerade the IP before going out; the IPsec site-to-site traffic doesn't.
My misconfiguration caused all of the above T______T

So what if NAT + IPsec are combined on one box?
Just masquerade only when the destination is not a VPC network segment.
For example

iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE

Everything not headed for 10.0.0.0/8 gets masqueraded.
hmmm…. it worked.
But we have two odd network segments (damned AWS EC2 Classic),
and iptables doesn't support multiple destinations here, so writing 10.0.0.0/8, 172.31.0.0/16 and the like doesn't work.
Luckily a netizen pointed the way and described a method here:

iptables -t nat -N NETMAP_dest
iptables -t nat -A NETMAP_dest -d 10.0.0.0/8 -j RETURN
iptables -t nat -A NETMAP_dest -d 172.31.0.0/16 -j RETURN
iptables -t nat -A NETMAP_dest -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j NETMAP_dest

It uses a chain to decide whether to masquerade the IP.
Verified working; really clever.
It took my network admin skills up a floor (from the first floor to the second? xd)

The more mistakes, the more you learn;
that's how you understand where you went wrong.
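The exception-chain trick above generalises to any number of private ranges, and its decision logic is simple enough to simulate before touching a live firewall. The following is an added example, not from the original post: `masq_rules` prints the iptables commands for a list of exempt CIDRs (nothing is applied), and `would_masquerade` mirrors the chain's decision for a given destination, each exempt CIDR being a RETURN and the fallthrough a MASQUERADE, so you can check which destinations keep their real source address. The chain name MASQ_EXCEPT and the function names are my own; the post calls its chain NETMAP_dest.

```shell
#!/bin/sh
# Added example (not from the original post): build the "exception chain"
# for any number of private ranges and simulate its decision so the rule
# set can be sanity-checked before it is applied.

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> exit 0 when IP falls inside CIDR.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# would_masquerade DEST CIDR... -> exit 0 when a packet to DEST leaving the
# NAT box would be masqueraded, i.e. DEST matches none of the exempt ranges.
# Same order as the chain: exempt CIDRs RETURN first, everything else hits
# the MASQUERADE rule at the end.
would_masquerade() {
  dest=$1; shift
  for cidr in "$@"; do
    if in_cidr "$dest" "$cidr"; then
      return 1
    fi
  done
  return 0
}

# masq_rules IFACE CIDR... -> print the iptables commands (nothing is applied).
masq_rules() {
  iface=$1; shift
  echo "iptables -t nat -N MASQ_EXCEPT"
  for cidr in "$@"; do
    echo "iptables -t nat -A MASQ_EXCEPT -d $cidr -j RETURN"
  done
  echo "iptables -t nat -A MASQ_EXCEPT -j MASQUERADE"
  echo "iptables -t nat -A POSTROUTING -o $iface -j MASQ_EXCEPT"
}

# usage: masq_rules eth0 10.0.0.0/8 172.31.0.0/16 | sh   (as root, once reviewed)
```

Keep the exempt list to the ranges your IPsec tunnels actually carry: every RETURN is a destination whose traffic leaves with its real source address, so a range that is too broad quietly undoes the NAT for it.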

Using Azure PowerShell to set an AD user's password to never expire

shtzeng Posted in Research, System Settings

One day off for National Day, and first thing in the morning Azure blows up on me:
our jenkins can't push ansible anymore.
After some digging I found that the Azure AD account password ansible uses had expired and needed resetting.
Since this is the account/password used for the API,
resetting it too often is a hassle for the admins (lots of job settings to change),
so I went searching.
The conclusion everywhere was…. you have to change the setting with Azure PowerShell.
Damn it, Portal, CLI and PowerShell all at once,
isn't this three-way standoff annoying?
suck suck suck

Still, here's the procedure:
First, a Windows environment.
Then download and run the PowerShell installer.
The tutorial page is here.
The download link is here.
This is a long wait.
Next, download and install the AD Module for PowerShell.
The tutorial page is here.
The download link is here.
After installing, open the shortcut the AD Module created.
Type Connect-MsolService and log in with an AD account, usually the [email protected] one.
Check the account setting with Get-MsolUser -UserPrincipalName [email protected] | Select PasswordNeverExpires; False means the password expires every three months and has to be changed~
Set the password to never expire with Set-MsolUser -UserPrincipalName [email protected] -PasswordNeverExpires $true
If it says you don't have permission, log in to the Classic portal and raise that user's permissions a bit.
The tutorial page is here.

After doing all of that I still think
suck suck suck

Jenkins Git Submodule Add Tag

shtzeng Posted in System Settings

There are always requirements,
and requirements produce code.
After all, the default Jenkins plugins have no feature for adding tags to submodules.
Here's how:

Add a shell script that updates the submodule tags; put it at the end of the job so the tags are only added once the build is in a successful state.

#!/bin/bash
# tag_name is a placeholder for the tag to create (e.g. the build's version)

if [ -e ".gitmodules" ]; then
	git submodule foreach git tag -f -a tag_name -m "Autotag from tag_name building"
	git submodule foreach git push origin tag_name
fi

And then it blows up.
Ah, what about other people's repos?
So here is the workaround: only look up the submodules you want to tag and handle those.

#!/bin/bash
set -e

# "逼哩八啦" is the author's placeholder for the grep pattern that matches
# the URLs of your own submodules; tag_name is the tag to create.
if [ -e ".gitmodules" ]; then
	SUBMODULE_LISTS=$(git config --file .gitmodules --get-regexp url \
		| grep 逼哩八啦 | awk '{print $1}' \
		| sed -e 's/^submodule\.//' -e 's/\.url$//')

	for SUBMODULE in $SUBMODULE_LISTS
	do
		# look up the exact key, so "foo" does not also match "foo-bar"
		SUBMODULE_PATH=$(git config --file .gitmodules --get "submodule.$SUBMODULE.path")
		cd "$SUBMODULE_PATH"
		git tag -f -a tag_name -m "Autotag from tag_name building"
		git push origin tag_name
		cd "$WORKSPACE"   # Jenkins sets WORKSPACE to the job's checkout directory
	done
fi

Comfy, comfy; such a satisfying hack Orz

Generating a CSR with OpenSSL

shtzeng Posted in System Settings

Laziness produces programs Orz
I just didn't want to keep typing openssl commands,
so I wrote build_csr.sh.

#!/usr/bin/env bash

if [ $# -lt 1 ]; then
  echo 1>&2 "$0: Please use \"$0 aaa.domain.com\" or \"$0 *.domain.com\" to generate key and csr files."
  exit 2
fi

# replace "*" with "star" so the output filenames are valid; the CN keeps the wildcard
DOMAIN=${1//\*/star}

openssl req -new -newkey rsa:2048 -nodes -out "$DOMAIN".csr -keyout "$DOMAIN".key -subj "/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./OU=Information Technology/CN=$1"

The subj part is company information;
I borrowed Yahoo's format to show everyone.
See the Wikipedia article on Certificate signing request.

Example output

$ ./build_csr.sh aaa.domain.com
Generating a 2048 bit RSA private key
...........................................+++
.....+++
writing new private key to 'aaa.domain.com.key'
-----
$ ./build_csr_y.sh *.domain.com
Generating a 2048 bit RSA private key
..................+++
................................+++
writing new private key to 'star.domain.com.key'
-----
ls
aaa.domain.com.csr      aaa.domain.com.key      build_csr.sh          star.domain.com.csr     star.domain.com.key
$

You can check the CSR's information with the openssl req command

$ openssl req -in star.domain.com.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=Sunnyvale, O=Yahoo Inc., OU=Information Technology, CN=*.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d0:46:97:78:c9:5f:b3:9a:2e:83:39:ed:f7:22:
                    44:ac:cc:e8:44:8b:9a:61:53:b8:39:46:8a:18:58:
                    79:51:65:c3:3a:68:a0:3e:93:71:d5:71:c8:a9:2f:
                    ba:74:f5:10:29:83:26:fa:50:cd:51:e9:0b:35:4d:
                    54:e0:25:70:96:b9:69:15:dc:12:df:51:be:65:34:
                    cc:de:00:44:7f:06:cc:78:a3:2e:6a:54:8a:49:8c:
                    12:4c:70:9d:8f:42:af:ab:87:c6:2e:4f:de:13:e4:
                    e5:0e:b7:4b:ec:ac:11:11:40:44:31:98:98:61:71:
                    83:52:0f:9e:36:e8:5c:1f:b5:ef:a4:35:fe:c7:7c:
                    2d:04:8b:fe:0d:77:b8:4a:e1:5d:04:70:b1:23:07:
                    26:4e:33:70:c3:ee:08:a7:b8:76:f6:a4:2f:17:a3:
                    b5:09:59:a4:33:2b:8c:87:e8:bb:48:f7:7c:5c:46:
                    3e:36:cb:95:c4:6b:ef:b0:e1:aa:97:b0:3d:b9:17:
                    3f:24:aa:e7:b1:a3:b8:35:26:1e:5d:4c:54:af:72:
                    62:ef:01:68:b3:81:f1:d0:f8:0b:a3:26:1e:04:ff:
                    de:9a:5b:61:33:68:45:00:14:33:20:4d:4e:e9:8c:
                    1e:02:a2:95:ab:b0:25:bb:de:10:c6:a5:37:f9:f2:
                    64:83
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        42:81:9b:1f:64:8a:07:61:89:2b:0d:9b:30:31:db:e7:62:b6:
        15:af:f1:b8:97:0d:cb:ad:db:76:d4:2d:43:ad:17:3e:dc:31:
        2f:40:08:a3:b3:d4:0d:9e:91:c8:33:d0:24:28:d6:ea:cb:af:
        54:b0:03:6c:d4:1c:e7:d2:7c:9d:93:02:77:79:64:1b:d3:b9:
        46:2d:ab:aa:c1:f7:b6:f7:e8:3f:e0:c7:61:ff:62:65:3f:38:
        8d:54:ea:8a:a4:17:56:e7:ea:20:7d:68:4b:9c:ce:37:b7:b5:
        06:1e:62:90:b7:7f:13:27:33:27:1d:b9:80:29:fb:c6:af:f9:
        cc:80:8c:3c:70:71:c5:07:29:55:51:d8:78:3b:0a:f0:35:5f:
        95:0f:75:d3:e6:5b:a9:5e:a0:81:51:5b:f1:38:a1:64:41:f9:
        a5:49:4d:b0:cc:9f:0a:4f:c4:4d:94:61:d7:e8:e4:e3:b7:04:
        af:07:02:29:52:d2:ce:bc:59:e2:7e:e1:da:60:e7:4a:ad:e7:
        57:05:90:6a:fb:b4:5d:cf:fa:b4:a8:7b:40:06:af:fe:c2:f1:
        00:f6:3e:d5:f6:3c:a0:68:00:24:de:80:84:c3:24:46:e4:4e:
        a3:a1:bf:d0:7e:4b:04:c0:51:77:8c:48:c9:d1:a1:89:41:98:
        d6:2a:58:d3
$

The above is only an example.
Don't go forging requests for other people's domains to get certificates issued :p
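Before a CSR from build_csr.sh goes to a CA it is worth checking it the way the CA will. The following is an added example, not part of the original post: `csr_check` verifies the request's self-signature, confirms the private key written next to it really belongs to the public key embedded in the CSR, and compares the subject CN with the one requested, and `csr_key_bits` reports the key size so a weak key is caught before submission. It assumes an openssl binary on PATH; the function names and the argument order are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a CSR and its
# private key before submitting the request to a CA.
set -eu

# csr_check CSR KEY EXPECTED_CN -> 0 when all three checks pass
csr_check() {
  csr=$1 key=$2 want_cn=$3
  # 1. the request must verify against the public key it carries
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR signature does not verify" >&2; return 1; }
  # 2. the private key must match the public key embedded in the CSR
  csr_pub=$(openssl req -in "$csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$csr_pub" = "$key_pub" ] \
    || { echo "private key does not match CSR" >&2; return 1; }
  # 3. the subject CN must be the one that was requested
  got_cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
           | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$got_cn" = "$want_cn" ] \
    || { echo "CN is '$got_cn', expected '$want_cn'" >&2; return 1; }
}

# csr_key_bits CSR -> RSA key size in bits, as printed by openssl req -text
# (matches both the "Public-Key:" and older "Public Key:" spellings)
csr_key_bits() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# usage: csr_check.sh star.domain.com.csr star.domain.com.key '*.domain.com'
if [ $# -eq 3 ]; then
  csr_check "$@" && echo "CSR OK ($(csr_key_bits "$1")-bit key)"
fi
```

Pass the wildcard CN quoted, as in the usage line, so the shell does not expand `*.domain.com` against the files in the current directory, which is also why the transcript above ran `./build_csr_y.sh *.domain.com` unquoted only by luck.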