Monthly Archives: January 2013

How to setup OpenVPN with bridging on Ubuntu 12.04

https://help.ubuntu.com/12.04/serverguide/openvpn.html
http://ubuntuguide.org/wiki/OpenVPN_server

# Setup your router to forward port 1194 to OpenVPN server or place server in DMZ (all incoming traffic is forwaded to OpenVPN server)

# install OpenVPN and bridge utilities
apt-get -y install openvpn bridge-utils

# setup bridge br0 interface and modify primary interface eth0 (assign eth0 IP address to br0 interface)
/etc/network/interfaces

auto eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto br0
iface br0 inet static
bridge_ports eth0 tap0
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.138
dns-nameservers 8.8.8.8 8.8.4.4

Restart networking:
service networking restart

# Allow NAT using ufw as firewall
http://blog.philippklaus.de/2010/09/openvpn/
/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

In /etc/ufw/sysctl.conf uncomment

net.ipv4.ip_forward=1

Restart the firewall:
ufw disable && sudo ufw enable

# Create certificates

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="CZ"
export KEY_PROVINCE=""
export KEY_CITY="Praha"
export KEY_ORG="Company name"
export KEY_EMAIL="my@email.cz"
export KEY_CN=openvpn-server
export KEY_NAME="OpenVPN Seerver"
export KEY_OU=""
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# CA

cd /etc/openvpn/easy-rsa/

# whichopensslcnf was broken so I had to hard code:
# export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
# or cp openssl-1.0.0.cnf openssl.cnf
source vars
./clean-all
./build-ca

# server certs

./build-key-server server
./build-dh
cd keys/
cp server.crt server.key ca.crt dh1024.pem /etc/openvpn/

# client certs

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

# copy the following files to the client using a secure method:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

# server config

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

/etc/openvpn/server.conf
local 10.0.0.100
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
# router ip, netmask, first assigned IP, last assigned IP to client
server-bridge 10.0.0.138 255.255.255.0 10.0.0.90 10.0.0.99
push "route 10.0.0.0 255.255.255.0"
up "/etc/openvpn/up.sh br0 eth0"
keepalive 10 120
comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
mute 20
script-security 2

/etc/openvpn/up.sh

#!/bin/sh

BR=$1
ETHDEV=$2
TAPDEV=$3

/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif $BR $TAPDEV

chmod 755 /etc/openvpn/up.sh

# client config
# install OpenVPN client on Linux/Windows/OSX
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/user/openvpn/client.conf
/home/user/openvpn/client.conf

client
dev tap
proto udp
remote YOUR.SERVER.IP 1194
# if needed, adjust path to following certificates
ca ca.crt
cert client1.crt
key client1.key
;tls-auth ta.key 1
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;ns-cert-type server
comp-lzo
verb 3

# install and configure ufw

apt-get -y install ufw
ufw allow 1194

Don’t forget to allow ssh port 22 if you need it!

# start openvpn on the server
service openvpn start

# Check bridge status
Both interfaces eth0 and tap0 should be part of the br0.
brctl show

bridge name  bridge id    STP enabled  interfaces
br0    8000.000e2eac3d6a  no    eth0
              tap0

# install the client.conf and keys on the client, and connect!

Postfix SMTP Authentication

http://linux.about.com/od/ubusrv_doc/a/ubusg29t05.htm
http://www.jimmy.co.at/weblog/?p=52

apt-get install sasl2-bin libsasl2-2 libsasl2-modules

Configure Postfix to do SMTP AUTH using SASL (saslauthd):

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' > /etc/postfix/sasl/smtpd.conf

cd ~
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
mv smtpd.key /etc/ssl/private/
mv smtpd.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

/etc/default/saslauthd

START=yes
MECHANISMS="pam"

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

/etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

Finally we test it using telnet. We need perl to generate the string for the SASL authentication:
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
amltbXkAamltbXkAcmVhbC1zZWNyZXQ=

jimmy@reptile:~$ telnet jimmy.co.at 25
Trying 80.237.145.96...
Connected to jimmy.co.at.
Escape character is '^]'.
220 kitana.jimmy.co.at ESMTP Mailserver
ehlo reptile.g-tec.co.at
250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful

Or you can test SASL authentication using this command:

testsaslauthd -u username -p password

Remove all unused kernels in debian based systems

http://www.unixmen.com/remove-all-unused-kernels-with-1-command-in-debian-based-systems/

sudo apt-get remove $(dpkg -l|egrep '^ii  linux-(im|he)'|awk '{print $2}'|grep -v `uname -r`)

If it doesn’t work, try this:

dpkg -l 'linux-*' | sed '/^ii/!d;/'"$(uname -r | sed "s/\(.*\)-\([^0-9]\+\)/\1/")"'/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d' | xargs sudo apt-get -y purge

http://www.commandlinefu.com/commands/view/10520/remove-all-unused-kernels-with-apt-get