Monday, 19 January 2015

Set up an IKEv2-based VPN server

Now my new server is a dedicated machine in Paris.
WP8.1 allows VPN using IKEv2, so I tried to set it up on my new server following this tutorial:
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/

Doesn't work yet. Main problem: the WP8.1 VPN setup screen claims I don't have any certificates installed! (Of course I imported both the CA root and my client P12 cert.)

What about username+password EAP-based authentication? Will try when I'm out of the office wifi.

Thursday, 7 August 2014

Xubuntu on VirtualBox: resolution stuck at 640*480?

Just install xdiagnose:
 sudo apt-get install xdiagnose

Then enable all debug stuff inside.

And suddenly all resolutions are back! Don't understand why, but that's it.

Sunday, 24 February 2013

Update DDNS script - run at startup on Synology (part 2)

How to make DDNS update run at startup:

1_ Install Python via the Synology package manager
2_ Take the script from here (www.debian-administration.org/articles/28) and modify it to run the DDNS Python script through a SCREEN session (the following must be in the "start" section of some startup script):

    echo "Starting refresh from FTPD" >> /root/refreshlog
    /opt/bin/screen -d -m sh -c "/etc/init.d/pythonstrap"

/etc/init.d/pythonstrap being defined like this:
    /usr/bin/python /etc/init.d/refresh_DDNS_JB.py

3_ You need "screen"! For that you need to install ipkg. Follow this: http://forum.synology.com/wiki/index.php/Overview_on_modifying_the_Synology_Server,_bootstrap,_ipkg_etc#How_to_install_ipkg

4_ ipkg is not working! You need to add /opt/bin AT THE BEGINNING of your PATH in the following locations:
   * /root/.profile
   * /etc/profile

5_ Now finish installing ipkg:
   * ipkg update
   * ipkg upgrade

6_ Install screen:
   * ipkg install screen

7_ ... Make the DDNS script run at startup. I'M STUCK HERE. I copied my .sh script here (with chmod 0755) and there but it won't run at startup, don't know why:
   * /opt/etc/init.d/S99refreshDDNSJB.sh
   * /usr/syno/etc/rc.d/S99refreshDDNSJB.sh

So for now I run the script manually after each reboot... but what if there's a power outage...

8_ FOUND THE REASON: in startup scripts, you must specify the full path to screen! Like: /opt/bin/screen. Yeepee!!!

9_ And: I had to put the script inside S99ftpd.sh. A standalone script won't be launched! But I'm tired of finding out why.... There must be a Synology command to refresh the startup list but who cares.

Nice reference about startup scripts on Synology: http://forum.synology.com/enu/viewtopic.php?f=27&t=48260
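As an added example (not the blog's own script), here is what the startup wrapper from the steps above looks like when the two lessons are applied: every binary by absolute path, and a named screen session so the script can be stopped and checked. The paths for screen, python and the refresh script are assumptions taken from the post and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the blog's script: an init-style wrapper (e.g. /opt/etc/init.d/
# S99refreshDDNSJB.sh) that starts the DDNS refresh script in a detached, named screen
# session. The paths come from the post and are assumptions; override them via env.
SCREEN_BIN="${SCREEN_BIN:-/opt/bin/screen}"            # ipkg screen is not in the boot PATH
PYTHON_BIN="${PYTHON_BIN:-/usr/bin/python}"
DDNS_SCRIPT="${DDNS_SCRIPT:-/etc/init.d/refresh_DDNS_JB.py}"
SESSION="ddns_refresh"                                   # named so stop/status can find it
LOG="${LOG:-/root/refreshlog}"

log() { echo "$(date) : $*" >> "$LOG"; }

# Startup scripts run with a minimal PATH (the post's step 8), so every binary is
# referenced by absolute path and checked before use; prints whatever is missing.
missing_binaries() {
    for f in "$SCREEN_BIN" "$PYTHON_BIN"; do [ -x "$f" ] || echo "$f"; done
    [ -r "$DDNS_SCRIPT" ] || echo "$DDNS_SCRIPT"
}

# "screen -ls" prints one "<pid>.<name>" entry per session
is_running() { "$SCREEN_BIN" -ls 2>/dev/null | grep -q "[.]$SESSION[[:space:]]"; }

start() {
    missing=$(missing_binaries)
    if [ -n "$missing" ]; then log "cannot start, missing: $missing"; return 1; fi
    if is_running; then log "$SESSION already running"; return 0; fi
    log "starting DDNS refresh"
    # -d -m: create the session detached; -S: name it; no "sh -c" wrapper needed
    "$SCREEN_BIN" -d -m -S "$SESSION" "$PYTHON_BIN" "$DDNS_SCRIPT"
}

stop() {
    if is_running; then "$SCREEN_BIN" -S "$SESSION" -X quit; log "$SESSION stopped"; fi
}

case "${1:-}" in
    start)  start ;;
    stop)   stop ;;
    status) if is_running; then echo "$SESSION running"; else echo "$SESSION not running"; fi ;;
    *)      echo "usage: $0 {start|stop|status}" ;;
esac
```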

Thursday, 7 February 2013

How to fix Synology DDNS update (with No-IP)

Synology NAS are accessible from the outside using a DDNS service, but their client apparently fails to update public IP changes when standing behind a NAT router (which is the common case for home usage, unless you're lucky enough to have an IPv6 ISP).

So what could I do? Not finding a solution, needing one, and still loving my NAS, I wrote my own update script in Python.
To run it at startup: http://www.debian-administration.org/articles/28

Enjoy:


# Update my dynamic IP address on No-IP.org
# (Python 2: urllib2 and the print statement are Python 2 only, which is what the NAS ships)

import urllib2
import time
from datetime import datetime

# No-IP update endpoint for the hostname to refresh (the same endpoint also accepts https://)
URL = 'http://dynupdate.no-ip.com/nic/update?hostname=homebj.no-ip.org'
# No-IP requires an identifying User-Agent of the form "client/version contact-email"
useragent = 'Synology DDNS bugfixer/1.0 your_email_noip@canazzi.com'
username = 'your_noip_username'
password = 'your_noip_password'

while 1:

    try:
        # HTTP Basic authentication with the No-IP account credentials
        passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
        passman.add_password(None, URL, username, password)
        authhandler = urllib2.HTTPBasicAuthHandler(passman)
        opener = urllib2.build_opener(authhandler)
        opener.addheaders = [('User-agent', useragent)]
        urllib2.install_opener(opener)
        # no "myip" parameter: No-IP uses the source address of the request,
        # i.e. the public address of the NAT router
        pagehandle = urllib2.urlopen(URL)

        reply_good = pagehandle.read()
        pagehandle.close()

        print datetime.now(), ":", reply_good

        # every hour: update!
        time.sleep(3600)

    except Exception as e:
        # catch only real errors (a bare "except:" would also swallow Ctrl-C)
        print datetime.now(), ":", "Failed to update IP!", e
        time.sleep(300)

Friday, 25 January 2013

How to write your own DDNS IP update script

My brand new Synology DS413j can't update its public IP address on public DDNS services, like synology.me or noip.com. As it prevents remote access to it, I've started to work on the problem.

But today I'm tired, will fix that tomorrow! For now, here are the rough steps:

1) You'll have to create a cron table entry to run periodic updates, i.e. running the update script you're going to write:

DiskStation> cat /etc/crontab
#minute hour    mday    month   wday    who     command
15      23      *       *       2,5     root    /usr/syno/bin/synopkg chkupgradepkg


2) Your update script must find the current public IP. To my surprise, that's doable using the standard tool curl:
curl ip.alt.io

3) Finally, you must send the new address to the site. Their API is HTTP-based, so I just tried to go through wget:

# quote the URL (an unquoted "&" is a shell operator) and write the reply to stdout instead of a file named "update"
wget -O - --http-user=yean3d --http-password=heythisismypassword --user-agent="Synology DDNS bugfixer/1.0 myniceamail@gmail.com" "http://dynupdate.no-ip.com/nic/update?hostname=mynoiphostname.no-ip.org&myip=THE_IP_RETURN_BY_CURL"

.... so far wget says: "cannot write to update, access is defined". I'm tired, I'll figure it out tomorrow.

NOTE: maybe httpget is even better and simpler?
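As an added example that serves both this post and the Python script of the following one (it is not the blog's code), here is the same update step written as a shell script around curl: HTTPS, credentials taken from the environment instead of the command line, the URL quoted so the shell does not background the command at the "&", the reply on stdout rather than in a file named "update", a sanity check on the looked-up address, and an update sent only when the address actually changed. The hostname, state file, IP lookup service and contact address are assumptions.

```shell
#!/bin/sh
# Added example, not the blog's script: curl for the public IP, then the No-IP
# update call, with HTTPS, env credentials, a quoted URL, stdout output and an
# update only on change. Hostname, state file, IP lookup URL and contact address
# in the User-Agent are assumptions.
NOIP_HOST="${NOIP_HOST:-myhost.no-ip.org}"
NOIP_USER="${NOIP_USER:-}"; NOIP_PASS="${NOIP_PASS:-}"
STATE_FILE="${STATE_FILE:-/tmp/noip_last_ip}"
IP_URL="${IP_URL:-https://api.ipify.org}"               # any plain-text "what is my IP" service
AGENT="Synology DDNS bugfixer/1.0 contact@example.com"  # No-IP wants "client/version email"
public_ip() { curl -s --max-time 15 "$IP_URL"; }
# Refuse to send anything that is not a dotted-quad IPv4 address (a lookup
# service returning an HTML error page must not end up in the update URL)
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}
# Update only when the address changed: No-IP treats repeated identical
# updates as abuse and may block the client
needs_update() { [ -n "$2" ] && [ "$1" != "$2" ]; }
# No-IP replies "good <ip>" (updated) or "nochg <ip>" (already current);
# anything else (badauth, nohost, badagent, abuse, 911) is an error that
# retrying will not fix, so the caller should stop and log it
reply_status() {
    case "$1" in
        good\ *|nochg\ *) echo "${1%% *}" ;;
        *) echo "${1:-empty reply}"; return 1 ;;
    esac
}
update_noip() {
    [ -n "$NOIP_USER" ] && [ -n "$NOIP_PASS" ] || { echo "no credentials"; return 1; }
    # -u sends HTTP Basic auth; the URL is quoted so the shell never sees the "&"
    curl -s -A "$AGENT" -u "$NOIP_USER:$NOIP_PASS" \
        "https://dynupdate.no-ip.com/nic/update?hostname=$NOIP_HOST&myip=$1"
}
main() {
    ip=$(public_ip)
    valid_ipv4 "$ip" || { echo "$(date) : bad IP lookup answer: '$ip'"; return 1; }
    last=$(cat "$STATE_FILE" 2>/dev/null)
    needs_update "$last" "$ip" || { echo "$(date) : no change ($ip)"; return 0; }
    status=$(reply_status "$(update_noip "$ip")") && echo "$ip" > "$STATE_FILE"
    echo "$(date) : $status $ip"
}
if [ "${1:-}" = run ]; then main; fi
```

Run it from cron as `NOIP_USER=... NOIP_PASS=... sh noip_update.sh run`; the state file is what keeps the hourly cron job from sending the same address over and over.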

Sunday, 2 December 2012

OpenVPN and SSH tunnel

Big Brother doesn't like my OpenVPN server, time to try something else. How about SSH tunneling!
In the following example I'll use local port 1234, but it could be any. 

Btw what's "SSH tunneling"? Check this: http://www.revsys.com/writings/quicktips/ssh-tunnel.html, or this one (nice diagrams): http://www.akadia.com/services/ssh_putty.html

The web page below indicates how to run OpenVPN over an SSH tunnel:
http://www.niteoweb.com/blog/openvpn-over-ssh

First I need to install Squid on my server:
apt-get install squid
--> Squid seems to be up and running right after that, listening on port 3128.
_ add the line "http_access allow all" to the Squid config under /etc/squid ... (insecure but...)
_ keep playing around with "http_access" in the Squid config (haven't found the optimal config yet)
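As an added example (not from the post), here is the weak Squid access rule next to a corrected version. "http_access allow all" on a Squid that listens on every interface is an open proxy that anyone on the Internet can relay through; since the SSH tunnel ends on the server itself, Squid only needs to accept connections from loopback. This assumes the PuTTY tunnel destination is set to 127.0.0.1:3128 rather than the server's public address.

```conf
# squid.conf, weak version: reachable on any interface, relays for anyone
http_port 3128
http_access allow all

# squid.conf, corrected version: bind to loopback only and accept only local clients.
# Squid 3.2+ predefines the "localhost" ACL; older versions (e.g. Debian squeeze's 2.7)
# need the acl line below, so keep it only if it is not already in the default config.
http_port 127.0.0.1:3128
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
```

On the Windows side, leave PuTTY's "Local ports accept connections from other hosts" unchecked unless other machines must use the tunnel: with it checked, port 1234 on the Windows box is reachable from the whole local network.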

Create the SSH tunnel on the Windows side:
_ Run PuTTY
_ Go to Connection / Data / Tunnels
_ Check "Local ports accept connections from other hosts" (!!! not sure that is needed ???)
_ Add new port: 1234, host "yourvpnserver_address:3128"

[EDIT Feb. 2nd 2013: I don't use OpenVPN at all anymore. I've just set up the proxy 127.0.0.1:1234 in my Firefox]
And finally tweak the OpenVPN config as indicated on niteoweb.com, with a little difference: Squid is an HTTP proxy, not a SOCKS proxy. I'm lazy for the time being:
_ in server.conf:
   proto tcp
_ in client.conf:

   proto tcp
   http-proxy 127.0.0.1 1234
   route <some_IP_on_the_net> 255.255.255.255 net_gateway
_ Add a new iptables rule on the server side:

   iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
or: iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT 
 
(the latter is because I've kept the old server on 1194. Note: I first made a mistake and set 1194 for the new iptables rule, and the new server on 1195 still worked! So not sure how useful it is in my setup).

Monday, 1 August 2011

Install OpenVPN with all traffic routed through

New: my server is now located in Hong Kong, and is running Debian 6 / OpenVZ

How to install an OpenVPN server? What I wanted was a fully-routed VPN server, I mean: to make all PC application traffic be transparently routed through the gateway, just by establishing the VPN connection, and without having to set up a proxy. OpenVPN allows that.

First step: get a Linux server. If you want to bypass the Great Firewall, I recommend http://vpshosting.com.hk, good prices and support.

But when running OpenVPN, I got the following error:
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory

Don't panic: if like me you are running a virtual server, your TUN interface might be disabled by default for your container. Kindly mail your hosting provider so they enable it for you ("dear sir/madam, please enable the TUN interface for my container"; mine took one hour).

To ensure the TUN interface is enabled, check this:
cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state <- means TUN exists :)


Second step: install OpenVPN. With Debian it takes one command:
apt-get install openvpn

Third step: configure VPN

A warning first: here are some mistakes I made that slowed me down.
1_ Don't read 10 tutorials at a time. Focus on http://openvpn.net/index.php/open-source/documentation/howto.html, it just works.
2_ Don't create a secret-key-based VPN; for some reason it prevents full traffic redirection (I don't have the full picture, it just turned out to be so for me).
3_ Instead of 2, make sure you create a client/server configuration. Follow these steps and save time, they are the truth: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
4_ Oh but, wait, the "iptables" command from the previous step is not working? Indeed, it's using "MASQUERADE" rules, which are not supported in OpenVZ-based VPS (like yours, probably). Fortunately a geek out there found a solution, simply apply his steps: http://unixtitan.net/main/2010/09/20/openvpn-in-openvz-no-masquerade/

IPTABLES rules I finally had to apply:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to $VPS_STATIC_IP
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $VPS_STATIC_IP


That's it. I avoid copy-pasting all my own steps, I don't want to be yet one more easy step-by-step tutorial (they got me lost).

Redirecting all traffic: this was my main purpose. The key resides in the two following lines to add to your server.conf:
_ push "redirect-gateway def1"
_ push "dhcp-option DNS 8.8.8.8"
That directs the client to redirect all traffic through the gateway. 8.8.8.8 is Google's public DNS, which just works. Note: some tutorials tell you to use the "bypass-dhcp" option for full-traffic redirection. It doesn't work unless your VPN server is also a DNS server.

Hmm I think that's all.

If you follow all those steps, all that remains is to run your server:
openvpn my_server.conf

You can run it manually if you want, but if you're a newbie like me don't forget the "screen" command (that I let you google)!

Then from the client's perspective, the OpenVPN GUI is pretty easy to use.