I've been trying to download templates and stuff for my clients.
However, usually they would want those in their "internal" network, which means NO INTERNET!
What about those fonts that most templates use now?
How can I make those Google fonts offline?
-> https://google-webfonts-helper.herokuapp.com/fonts
:P
Thursday, July 02, 2015
Wednesday, April 29, 2015
Ubuntu for VMWARE splitting into 2 screens!
And so I was testing an Ubuntu installation on VMware.
However, I was given 2 screens.
Mirroring each other...
How How How...
Disable vmwgfx fbdev in ubuntu.
Edit the VM file /etc/modprobe.d/vmwgfx-fbdev.conf to say
options vmwgfx enable_fbdev=0
sudo update-initramfs -u && reboot
Heng ah!
Sunday, April 12, 2015
Installing Google Chrome on Kali Linux
Let's get Google's GPG signing key.
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
Let's create a new Chrome repository.
echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list
apt-get update
apt-get install google-chrome-stable
To run it, create a non-root user (Chrome refuses to start as root while its sandbox is enabled).
useradd -m chromeuser
Create a shortcut to run google chrome
gksu -u chromeuser google-chrome
Thursday, April 02, 2015
Learning Git & Installing Gitlist
The company that I've worked for has tons of code EVERYWHERE.
And using a file directory system, I guess, is not gonna work for them.
Introducing GIT....
Which I hope will be able to solve the problem... hahaha!
Install Debian
apt-get update
apt-get install php5 apache2 git
Now I will assume the following:
Path to my git is at : /home/code/
mkdir /home/code/
chmod -R 744 /home/code/
chown -R www-data:www-data /home/code/
Install gitlist ( Web for git )
http://gitlist.org/ or cd /var/www/ && wget "https://s3.amazonaws.com/gitlist/gitlist-0.5.0.tar.gz"
tar -zxf gitlist-0.5.0.tar.gz
cd /var/www/gitlist/
rm config.ini-example ( Or you can rename it to config.ini with the following contents )
nano config.ini
[git]
client = '/usr/bin/git' ; Your git executable path
default_branch = 'master' ; Default branch when HEAD is detached
repositories[] = '/home/code/' ; Path to your repositories
; If you wish to add more repositories, just add a new line
; WINDOWS USERS
;client = '"C:\Program Files (x86)\Git\bin\git.exe"' ; Your git executable path
;repositories[] = 'C:\Path\to\Repos\' ; Path to your repositories
; You can hide repositories from GitList, just copy this for each repository you want to hide
; hidden[] = '/home/git/repositories/BetaTest'
[app]
debug = false
cache = true
theme = "default"
title = ""
baseurl = 'http://localhost/gitlist';
; If you need to specify custom filetypes for certain extensions, do this here
[filetypes]
; extension = type
; dist = xml
; If you need to set file types as binary or not, do this here
[binary_filetypes]
; extension = true
; svh = false
; map = true
; set the timezone
[date]
; timezone = UTC
; format = 'd/m/Y H:i:s'
Let's enable mod_rewrite
a2enmod rewrite
For the .htaccess in /var/www/gitlist/, make sure the rewrite rule becomes /gitlist/index.php instead of the original index.php
root@gitlist:/var/www/gitlist# cat .htaccess
Options -MultiViews +SymLinksIfOwnerMatch
RewriteEngine On
#RewriteBase /var/www/gitlist/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /gitlist/index.php/$1 [L,NC]
<Files config.ini>
order allow,deny
deny from all
</Files>
Make a directory called cache and chmod 777 to it
mkdir cache
chmod 777 /var/www/gitlist/cache/
chown -R www-data:www-data /var/www/gitlist/
/etc/init.d/apache2 restart
Let's init an empty git repository.
cd /home/code/
git init --bare my-project.git
Tuesday, March 03, 2015
Creating a HTTPS client authentication based web server with CRL.
Ok.
I am in need of a web server that uses HTTPS client certificate authentication.
I think this should keep those without the client cert off my https! :P
Let's start.
Let's create a directory to store everything.
Let's echo a starting number into our crlnumber file ( openssl.cnf below uses this file as the serial counter, so it holds the number for the next cert )
echo 1000 > crlnumber
Let's touch an index. ( A database of all the certs issued )
touch index.txt
Let's create an openssl.cnf file. This will be the config file passed in to all the commands.
===== Start =====
dir = /xxx
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/crlnumber
new_certs_dir = $dir/certs
database = $dir/index.txt
policy = policy_match
default_days = 365
default_md = sha256 # changed from md5: this digest also signs the CRL, and MD5 is collision-broken
default_crl_days = 1
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
[ req ]
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SG
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Singapore
localityName = Locality Name (eg, city)
localityName_default = Singapore
0.organizationName = Organization Name (eg, company)
0.organizationName_default = XXX
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
===== Start =====
Let's create a CA key ( Remember the password )
openssl genrsa -aes256 -out ca.key.pem 4096
Let's create the CA cert out of the key!
openssl req -new -x509 -days 3650 -key ca.key.pem -sha256 -extensions v3_ca -out ca.cert.pem
Ok, the CA seems to be fixed now.
Let's create our Apache web server key and cert
openssl genrsa -out server.key.pem 4096
Create a CSR out of it
openssl req -sha256 -new -key server.key.pem -out server.csr.pem
Let's sign it
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -extensions usr_cert -notext -md sha256 -in server.csr.pem -out server.cert.pem -config openssl.cnf
Let's fix Apache
SSLEngine on
SSLCertificateFile /xxx/server.cert.pem
SSLCertificateKeyFile /xxx/server.key.pem
SSLCACertificateFile /xxx/ca.cert.pem
Now your Apache should be HTTPS enabled.
Though you should get a "cert not trusted" warning.
Let's move on to allow our clients to log in...
SSLCARevocationFile /xxx/crl.pem
SSLVerifyClient require
SSLVerifyDepth 1
==== Create user script
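#!/bin/bash
# createUser.sh: key, CSR, CA-signed cert and PKCS#12 bundle for one user
set -e   # stop at the first failing step
[ -n "$1" ] || { echo "Usage: $0 nameofuser"; exit 1; }
echo "Creating Private Key for $1"
openssl genrsa -out "$1.key.pem" 4096
echo "Creating CSR for $1"
openssl req -new -key "$1.key.pem" -out "$1.csr.pem" -config openssl.cnf
echo "Signing CSR from CA Key"
# -md sha256 (was sha1), the same digest used for the server cert above
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -extensions usr_cert -notext -md sha256 -in "$1.csr.pem" -out "$1.cert.pem" -config openssl.cnf
echo "Creating P12 keys"
openssl pkcs12 -export -clcerts -in "$1.cert.pem" -inkey "$1.key.pem" -out "$1.p12"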
==== Create user script
==== revokeUser.sh
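#!/bin/bash
[ -n "$1" ] || { echo "Usage: $0 nameofuser"; exit 1; }
echo "Revoke user: $1"
# Stop here if the revoke fails, so no new CRL is published and Apache is not restarted
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -revoke "$1.cert.pem" -config openssl.cnf || exit 1
clear
echo "Generating new CRL"
openssl ca -keyfile ca.key.pem -cert ca.cert.pem -gencrl -out crl.pem -config openssl.cnf
# Apache reads crl.pem at startup, so restart it to apply the revocation
/etc/init.d/apache2 restart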
==== revokeUser.sh
To create the user ./createUser.sh nameofuser
To revoke ./revokeUser.sh nameofuser
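To check that revocation really locks a user out, the issue/revoke cycle from the two scripts can be replayed against a throwaway CA. This is an added example, not part of the original post: it assumes openssl is on the PATH, works in a temp directory, and uses constructed names (Demo CA, alice), 2048-bit unencrypted demo keys and a cut-down openssl.cnf.

```shell
#!/bin/bash
# Added example: issue -> verify -> revoke -> verify against a throwaway CA in a temp dir.

setup_ca() {
  DEMO_DIR=$(mktemp -d) && cd "$DEMO_DIR" || return 1
  mkdir certs && touch index.txt
  echo 1000 > crlnumber   # the page's openssl.cnf uses this file as the serial counter
  cat > openssl.cnf <<EOF
dir = $DEMO_DIR
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = \$dir/crlnumber
new_certs_dir = \$dir/certs
database = \$dir/index.txt
policy = policy_demo
default_days = 365
default_md = sha256
default_crl_days = 1
[ policy_demo ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  # Demo CA key: 2048-bit and unencrypted (the page uses 4096 bits and a passphrase).
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Demo CA" -extensions v3_ca -config openssl.cnf \
    -keyout ca.key.pem -out ca.cert.pem 2>/dev/null
}

gen_crl() {   # same -gencrl call as revokeUser.sh
  openssl ca -gencrl -keyfile ca.key.pem -cert ca.cert.pem \
    -out crl.pem -config openssl.cnf 2>/dev/null
}

issue_client() {   # $1 = user name, as in createUser.sh (without the .p12 step)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config openssl.cnf \
    -keyout "$1.key.pem" -out "$1.csr.pem" 2>/dev/null &&
  openssl ca -batch -notext -md sha256 -extensions usr_cert \
    -keyfile ca.key.pem -cert ca.cert.pem -config openssl.cnf \
    -in "$1.csr.pem" -out "$1.cert.pem" 2>/dev/null
}

revoke_client() {   # revoke, then publish a fresh CRL
  openssl ca -keyfile ca.key.pem -cert ca.cert.pem -config openssl.cnf \
    -revoke "$1.cert.pem" 2>/dev/null && gen_crl
}

cert_status() {   # prints "valid" or "rejected" for $1.cert.pem checked against crl.pem
  openssl verify -crl_check -CAfile ca.cert.pem -CRLfile crl.pem "$1.cert.pem" \
    2>/dev/null | grep -q ': OK$' && echo valid || echo rejected
}

run_demo() {
  setup_ca && gen_crl || return 1   # empty first CRL, so crl.pem exists from day one
  issue_client alice || return 1
  before=$(cert_status alice)
  revoke_client alice || return 1
  after=$(cert_status alice)
  cd / && rm -rf "$DEMO_DIR"
  echo "before=$before after=$after"
}

run_demo
```

The first gen_crl call matters on the server too, because the Apache config above points SSLCARevocationFile at crl.pem before any user has been revoked. With default_crl_days = 1 the CRL's nextUpdate is one day after it is generated, and OpenSSL's verifier reports a CRL past its nextUpdate as an error, so the CRL has to be regenerated on that schedule.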
Thursday, February 19, 2015
Creating an Encrypted Disk ( Persistence ) boot for Kali Linux on thumbdrive.
Get Kali Linux first.
https://www.kali.org/downloads/
Then let's dd it to our thumbdrive. ( Replace the iso image and sdb with your own image and device )
dd if=kali-linux-1.0.8-amd64.iso of=/dev/sdb bs=1M
Or you can use a Windows GUI tool such as Win32DiskImager for the job.
To enable persistence so your work is saved between reboots ( Linux image with gparted best )
Insert bootable disk.
Run gparted.
For the thumbdrive partition, you should see /dev/sdb1 and /dev/sdb2 with an unallocated area.
Right click the unallocated area and make it an ext4 file system with label: persistence.
Add and apply.
Run the following commands:
For unencrypted partition.
mkdir -p /mnt/my_usb
mount /dev/sdb3 /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/sdb3
For an encrypted partition
cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb3
cryptsetup luksOpen /dev/sdb3 my_usb
mkfs.ext4 -L persistence /dev/mapper/my_usb
e2label /dev/mapper/my_usb persistence
mkdir -p /mnt/my_usb
mount /dev/mapper/my_usb /mnt/my_usb
echo "/ union" > /mnt/my_usb/persistence.conf
umount /dev/mapper/my_usb
cryptsetup luksClose /dev/mapper/my_usb
Copied from: https://forums.kali.org/showthread.php?22166-Making-a-Persistent-usb-flash-drive-with-kali-linux-1-08
Sunday, February 08, 2015
Tun missing! Find them!
And so I had this problem when my TUN disappeared.
It all started when my OpenVPN suddenly did not want to work.
When I manually tried to openvpn the server.conf file, all I got was this.
Wed Feb 4 10:05:18 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Wed Feb 4 10:05:18 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb 4 10:05:18 2015 Diffie-Hellman initialized with 1024 bit key
Wed Feb 4 10:05:18 2015 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 4 10:05:18 2015 Socket Buffers: R=[133120->131072] S=[133120->131072]
Wed Feb 4 10:05:18 2015 ROUTE: default_gateway=UNDEF
Wed Feb 4 10:05:18 2015 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Wed Feb 4 10:05:18 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Feb 4 10:05:18 2015 /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
SIOCSIFADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFDSTADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFMTU: No such device
Wed Feb 4 10:05:18 2015 Linux ifconfig failed: external program exited with error status: 1
Wed Feb 4 10:05:18 2015 Exiting
As you can see, there was an error opening the TUN interface with error number 2.
I then checked with my VPS provider and apparently the fault was on their end.
They then made TUN appear.
To show that TUN was there:
root@xxx:/# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
root@xxx:/#
However, running the openvpn server.conf now produces a different kind of error.
root@xxx:/etc/openvpn# openvpn server.conf
Thu Feb 5 15:33:14 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Thu Feb 5 15:33:14 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Feb 5 15:33:14 2015 Diffie-Hellman initialized with 1024 bit key
Thu Feb 5 15:33:14 2015 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Feb 5 15:33:14 2015 Socket Buffers: R=[133120->131072] S=[133120->131072]
Thu Feb 5 15:33:14 2015 ROUTE: default_gateway=UNDEF
Thu Feb 5 15:33:14 2015 Note: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Thu Feb 5 15:33:14 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Feb 5 15:33:14 2015 /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
SIOCSIFADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFDSTADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFMTU: No such device
Thu Feb 5 15:33:14 2015 Linux ifconfig failed: external program exited with error status: 1
Thu Feb 5 15:33:14 2015 Exiting
root@xxx:/etc/openvpn#
It now shows that errno is 1.
I then ding dong with the VPS but they could not help me out as my SLA did not cover 3rd party.
Thus, I was left with the harsh choice of reinstalling my VPS.
However, after reinstalling, the problem still existed.
Out of the blue, I just issued the ultimate command.
rm /dev/net/tun && reboot
SUDDENLY, all was fine....
So if next time you have such an error, just remove the goddamn tun....
Setting up the openvpn server ( again )
Let's install OpenVPN
apt-get install openvpn
Let's create the easy-rsa folder and copy some sample files over
cd /etc/openvpn
mkdir easy-rsa
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa/
Let's clean the easy-rsa folder first
cd easy-rsa
source ./vars
./clean-all
Let's build the CA
./build-ca
Let's build the server key
./build-key-server server
Let's build the DH parameters
./build-dh
For each client
./build-key clientname
Let's enable IPv4 forwarding and add the iptables NAT rule for the VPN subnet.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -j SNAT --to-source VPNSERVER_IP # placeholder: replace VPNSERVER_IP with the server's own IP
Let's save the iptables rules
iptables-save > /etc/iptables.up.rules
Let's create the OpenVPN server config
nano /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # keep secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.9.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo # Compression - must be turned on at both end
persist-key
persist-tun
status log/openvpn-status.log
verb 3 # verbose mode
client-to-client
#This is needed if you want to route all traffic through the VPN
push "redirect-gateway def1 bypass-dhcp"
#Push down DNS just in case
push "dhcp-option DNS 8.8.8.8"
Then create the log directory and status file:
cd /etc/openvpn
mkdir -p log/
touch log/openvpn-status.log
Restart the openvpn service and it should be up and running!
For the client config:
client
dev tun
port 1194
proto udp
remote VPNSERVER_IP 1194 # VPN server IP : PORT
nobind
ca ca.crt
cert clientname.crt
key clientname.key
comp-lzo
persist-key
persist-tun
verb 3
Copied from : https://wiki.debian.org/OpenVPN
Saturday, February 07, 2015
Email alert when SSH logged in!
cd /home/username/
nano .bashrc
Add this line last
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" your@yourdomain.com
EG:
ALERT - Root Shell Access (Database Replica) on: Thu Nov 28 16:59:40 IST 2013 tecmint pts/0 2013-11-28 16:59 (172.16.25.125)
Copied from: http://www.tecmint.com/get-root-ssh-login-email-alerts-in-linux/