

How to fix permissions on wordpress docker file system

docker exec -t -i mycontainer /bin/bash
chown -R www-data:www-data *
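The two commands above do the job, but two things are worth checking afterwards: `chown -R www-data:www-data *` skips dotfiles such as .htaccess, because the shell glob does not match names that start with a dot, and it says nothing about world-writable files or directories, which let any other process in the container drop files into the served tree. The script below is an added example, not part of the original post; the function names are mine, and /var/www/html is the document root of the official WordPress image (adjust it if yours differs). Run it inside the container.

```shell
#!/bin/sh
# Added example, not from the original post. Run inside the container after the chown.
# Function names are mine; /var/www/html is the document root of the official WordPress image.

# Print every path under DIR ($1) not owned by OWNER ($2). find recurses into dotfiles too,
# so this catches the .htaccess that "chown -R www-data:www-data *" leaves behind.
not_owned_by() {
  find "$1" ! -user "$2" -print
}

# Print every path under DIR that is world-writable (mode bit o+w). Anything else running in
# the container could drop files into such a directory and the web server would serve them.
world_writable() {
  find "$1" -perm -002 -print
}

# Return 0 when the tree is clean, 1 otherwise, listing the offending paths (find's own error
# messages, e.g. for an unknown user name, are captured and reported as problems as well).
audit_wordpress_tree() {
  dir="$1"; owner="$2"
  bad=$( { not_owned_by "$dir" "$owner"; world_writable "$dir"; } 2>&1 )
  if [ -n "$bad" ]; then
    printf 'problems under %s:\n%s\n' "$dir" "$bad"
    return 1
  fi
  echo "ok: everything under $dir is owned by $owner and nothing is world-writable"
  return 0
}

# The corrected form of the one-liner: name the directory itself instead of "*",
# so dotfiles are included. Needs root inside the container.
fix_ownership() {
  chown -R "$2:$2" "$1"
}

# Typical use inside the container:
#   fix_ownership /var/www/html www-data && audit_wordpress_tree /var/www/html www-data
```

The audit deliberately reports on the directory passed to it rather than on `*`, so it sees exactly what the web server sees, including the files the glob missed.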

Posted in Uncategorized.


edgerouter

#edgerouter

Create CA
First, you’ll need to become root.

sudo su -
Next, move into the necessary directory and create a new CA certificate.

cd /usr/lib/ssl/misc/
./CA.sh -newca
Once this completes, you’ll have a new directory called demoCA. The two most important files in here are as follows:

private/cakey.pem – This is the private key for your CA (keep this secret)
cacert.pem – This is the public certificate for your CA (you'll be giving this out to your clients)
Create server certificate
Next, we’ll generate a public/private key for the server. The Common Name (CN) of your server certificate should be something unique (I used my dynamic DNS name).

./CA.sh -newreq
Once this completes, you’ll have two new files, as follows:

newkey.pem – This is the private key for your server (keep this secret)
newreq.pem – This is the unsigned public key of the server (this needs to be signed by your CA)
Now, sign the request.

./CA.sh -sign
You’ll have one more file, shown below.

newcert.pem – This is the public key for your server
Move files
I recommend moving the important files to a directory where they won’t be wiped out during a firmware upgrade. In addition to moving the files, we’re also renaming them.

cp /usr/lib/ssl/misc/demoCA/cacert.pem /config/auth/
cp /usr/lib/ssl/misc/demoCA/private/cakey.pem /config/auth/
mv /usr/lib/ssl/misc/newcert.pem /config/auth/host.pem
mv /usr/lib/ssl/misc/newkey.pem /config/auth/host.key
DH parameters
Next, generate Diffie-Hellman (DH) parameters to ensure Perfect Forward Secrecy (PFS). Expect this to take 5-10 minutes with one CPU at 100%.

openssl dhparam -out /config/auth/dh2048.pem -2 2048
A good explanation of DH parameters and why you need them is located here.

Create user certificate(s)
Next, generate a request and sign it for a new user certificate. The Common Name (CN) of your user certificate should be something unique (I used my client’s host name).

./CA.sh -newreq
./CA.sh -sign
Move the new files into your preserved directory while renaming them.

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key
Repeat this as necessary for each client.

Decrypt keys
You'll need to remove the passphrase from the host and client keys so that OpenVPN can start without prompting for it (it runs unattended on the router). A decrypted key is protected only by its file permissions, so keep it readable by root alone.

openssl rsa -in /config/auth/host.key -out /config/auth/host-decrypted.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-decrypted.key
Repeat this as necessary for each client.

EdgeRouter setup
First, I would recommend exiting back to the normal ubnt user.

exit
whoami

Create interface
Now, we’ll need to create a new interface for the VPN and set a few settings.

configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 description "OpenVPN server"
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 server subnet 192.168.105.0/24
set interfaces openvpn vtun0 server push-route 192.168.5.0/24
set interfaces openvpn vtun0 server name-server 192.168.5.254
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem
set interfaces openvpn vtun0 tls key-file /config/auth/host-decrypted.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 openvpn-option "--port 1194"
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option "--comp-lzo yes"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
commit
save

Setup firewall
We’ll need to open a port in the firewall for OpenVPN. If you’re not using the standard port (1194), change it appropriately.

configure
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description "OpenVPN"
set firewall name WAN_LOCAL rule 50 destination port 1194
set firewall name WAN_LOCAL rule 50 log enable
set firewall name WAN_LOCAL rule 50 protocol udp
commit
save
Set DNS
Tell DNS to listen for requests on the new vtun0 interface.

configure
set service dns forwarding listen-on vtun0
commit
save
Setup client configuration
The client configuration will vary from client-to-client, but the configuration below should work for Android phones or Linux clients. If you’re using Windows, you’re going to have a tougher time, because it needs some extra options.

Posted in HowTo, Uncategorized.



media box build list (update June 2018)

setup influxdb and Grafana for smarthings
copy files
setup nfs
setup samba
setup apache
-setup mysql
-setup phpmysql
setup websites
setup mythtv
setup cron jobs
setup plex
setup ssl
-setup email server
-setup unifi and attach aps to it
https://help.ubnt.com/hc/en-us/articles/220066768-UniFi-How-to-Install-Update-via-APT-on-Debian-or-Ubuntu
echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
apt-get update
apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless; update-alternatives --config java
apt-get install unifi
https://community.ubnt.com/t5/UniFi-Routing-Switching/MongoDB-3-6/td-p/2195435/page/2
setup awstats
setup cacti
direct all computers to new server
direct all nfs mounts to new server
sync 1s and 2s
unmount 1s and 2s and mount 1s as local file system
direct all internet traffic to media
start cron sync job and verify
stop cron jobs on old vm
backup new vm
turn off old vm
delete old vms

Posted in Uncategorized.


esxi 6.0

patching
https://esxi-patches.v-front.de/ESXi-6.0.0.html

update 1a
esxcli software profile update -p ESXi-6.0.0-20151004001-standard \
  -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

11/25/2016
esxcli software profile update -p ESXi-6.0.0-20151104001-standard \
  -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

update 1b
esxcli software profile update -p ESXi-6.0.0-20160104001-standard \
  -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

esxcli software profile update -p ESXi-6.0.0-20160101001s-standard \
  -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

2/23/2016
esxcli software profile update -p ESXi-6.0.0-20160204001-standard \
  -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Posted in Uncategorized.


freenas

#freenas

Speedup nfs access
Loader tunable (FreeNAS GUI): variable vfs.zfs.cache_flush_disable, value 1, type loader
This stops ZFS from sending cache-flush commands to the disks, which speeds up synchronous NFS writes at the cost of losing the last few writes on a power failure; only use it with a battery- or flash-backed write cache.

owncloud
To raise the upload/file size limits, edit /mnt/v1/Jail/owncloud_1/usr/pbi/owncloud-amd64/www/owncloud/.htaccess

Add the server name to the config (the trusted_domains array in config.php; ownCloud refuses requests for host names that are not listed there):
edit /mnt/v1/Jail/owncloud_1/usr/pbi/owncloud-amd64/www/owncloud/config/config.php
example: add 1 => 'files.newy.org',

Posted in Uncategorized.



edgerouter copy restart

#edgerouter

When upgrading the EdgeRouter Lite, do the following right after the upgrade (packages installed with apt live on the root file system, which the new firmware image replaces):
apt-get update
apt-get install rsync iftop iptraf vnstat nano

webvnstat config:
ln -s /config/newy/vnstat /var/www/htdocs/stat

Verify that the first rewrite line (the /stat/ rule) is still present in /etc/lighttpd/lighttpd.conf after the upgrade:

url.rewrite-once = (
  "^/stat/(.*)" => "/stat/$1",
  "^(/(lib|media|ws|tests)/.*)" => "$0",
  "^/([^\?]+)(\?(.*))?$" => "/index.php/$1?$3"
)

restart lighttpd:
sudo kill -SIGTERM $(cat /var/run/lighttpd.pid)
sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
verify https://gw5.newy.org/stat/index.php

contents of /config/scripts/firstboot.d/postinstall.sh (EdgeOS runs scripts in this directory once, on the first boot after an upgrade; /config survives the upgrade, the root file system does not)

#!/bin/bash

# marker file: once it exists the packages have been installed and the script does nothing
doneit='/var/lib/my_packages'
packages='rsync iftop iptraf vnstat nano'

if [ -e "$doneit" ]; then
    exit 0
fi

# copy the old vnstat data over from the previous firmware image (kept under /root.dev/w.o)
cp -a /root.dev/w.o/var/lib/vnstat /var/lib/

apt-get update
# $packages is intentionally unquoted so it splits into one argument per package
if apt-get install -y $packages; then
    echo package install successful
    touch "$doneit"
else
    echo package install failed
fi

# restart vnstat so it picks up the restored database
service vnstat restart
exit 0

Posted in Uncategorized.



ubuntu zfs

#ubuntu
#zfs

ZFS on linux http://zfsonlinux.org/
https://launchpad.net/~zfs-native/+archive/stable
sudo apt-add-repository ppa:zfs-native/stable && sudo apt-get update
sudo apt-get install ubuntu-zfs zfs-auto-snapshot
commands: https://wiki.ubuntu.com/ZFS/ZPool

Posted in Uncategorized.



edgerouter

#edgerouter
This assumes your WAN interface is eth0 and your LAN interface is eth1.

1. sudo vi /etc/sysctl.conf

Add the following lines:
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.eth0.accept_ra = 2

2. Load your changes:
sudo sysctl -p /etc/sysctl.conf

3. Setup the wide-dhcpv6 client
sudo vi /etc/wide-dhcpv6/dhcp6c.conf

Add the following at the end:
interface eth0 {
send ia-pd 0;
request domain-name-servers;
};

id-assoc pd 0 {
prefix-interface eth1 {
sla-id 1;
sla-len 0;
};
};

4. Start wide-dhcpv6:
sudo /etc/init.d/wide-dhcpv6-client start

Check your eth1 interface for an IPv6 address:
sudo ifconfig
Look for lines like:
inet6 addr: fe80::618:d6ff:fef0:7744/64 Scope:Link
inet6 addr: 2602:306:bdbe:966f:xxxx:xxxx:xxxx:xxxx/64 Scope:Global

5. Set up radvd
Use the following commands:
configure
set interfaces ethernet eth1 ipv6 router-advert prefix ::/64
commit

Workstations should now get addresses and all should be well.
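Two checks for the result, as an added example that is not part of the original post (the function names are mine and the sample input in the test is constructed, apart from the address lines shown above). One point the steps do not cover: once forwarding is on and the LAN carries a global prefix, every LAN host is reachable from the Internet at its global address unless an IPv6 firewall is applied. On EdgeOS the IPv6 rule sets live under `firewall ipv6-name` and are attached to interfaces separately from the IPv4 `WAN_IN`/`WAN_LOCAL` sets, so review those before step 5.

```shell
#!/bin/sh
# Added example, not from the original post: post-setup checks for the IPv6 steps above.

# sysctl_conf_ok FILE WAN_IF: return 0 only if FILE enables IPv6 forwarding and sets accept_ra=2
# on the WAN interface. Both are needed: once forwarding is on, Linux ignores router
# advertisements on every interface unless accept_ra is 2, so the WAN side would silently
# lose its default route.
sysctl_conf_ok() {
  awk -v wan="$2" '
    BEGIN { want_ra = "net.ipv6.conf." wan ".accept_ra=2" }
    /^[ \t]*#/ { next }                     # skip comment lines
    { gsub(/[ \t]/, "") }                   # "key = value" -> "key=value"
    $0 == "net.ipv6.conf.all.forwarding=1" { fwd = 1 }
    $0 == want_ra { ra = 1 }
    END { if (fwd && ra) exit 0; exit 1 }
  ' "$1"
}

# global_inet6: read ifconfig output on stdin and print the global-scope IPv6 addresses
# (prefix length stripped). Link-local fe80:: addresses are not printed, so an empty result
# after step 4 means no prefix was delegated to eth1.
global_inet6() {
  awk '/inet6 addr:/ && /Scope:Global/ { sub(/\/.*/, "", $3); print $3 }'
}

# Demo on constructed input (the two lines are the ones shown above):
printf 'inet6 addr: fe80::618:d6ff:fef0:7744/64 Scope:Link\ninet6 addr: 2602:306:bdbe:966f:xxxx:xxxx:xxxx:xxxx/64 Scope:Global\n' | global_inet6

# Live use on the router:
#   sudo ifconfig eth1 | global_inet6
#   sysctl_conf_ok /etc/sysctl.conf eth0 && echo sysctl ok
```

The sysctl check reads the file rather than the running kernel, so it tells you whether the settings survive a reboot; compare with `sysctl net.ipv6.conf.all.forwarding` for the live value.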

Posted in Uncategorized.



edgerouter

#edgerouter
build ubnt router from ground up

backup vnstat dbs
setup wan
setup lan1
setup lan2
setup vlans
setup dhcp
setup firewall
setup nat
setup repos
apt-get install vnstat vnstati nano iftop
setup vnstat to auto run
restore vnstat dbs
setup ddns

go over configs to compare old to new and fix anything missed

Posted in Uncategorized.



edgerouter

#edgerouter
- Log in to your EdgeRouter by ssh with your default admin user/password.

- Change to a root shell:

sudo -i
- Change to /config/auth/ and create an empty directory openvpn/keys. Anything under /config is part of backups/archives and survives firmware upgrades, so the generated keys and certificates will be too.

cd /config/auth/
mkdir openvpn
mkdir openvpn/keys

- Change to the directory /config/auth/openvpn/keys and create the empty files index.txt and serial (easy-rsa's certificate database and next serial number):

cd /config/auth/openvpn/keys
touch index.txt
echo 00 > serial

- Change to the directory /config and create a directory openvpn. It holds the prerequisites (the vars file) for generating the OpenVPN keys and certificates:

cd /config
mkdir openvpn
cd /config/openvpn

cp -p /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars ./

- Edit the file /config/openvpn/vars with vi:

cd /config/openvpn
vi ./vars
modifying the following lines, then save it:


export EASY_RSA="/usr/share/doc/openvpn/examples/easy-rsa/2.0"

export KEY_DIR="/config/auth/openvpn/keys"

# export PKCS11_MODULE_PATH="dummy" # commented out
# export PKCS11_PIN="dummy" # commented out

export KEY_COUNTRY="MyCountryCode" # e.g. "US"
export KEY_PROVINCE="MyProvince"
export KEY_CITY="MyCity"
export KEY_ORG="MyOrganisationName"
export KEY_EMAIL="admin@MyDomain.com"
export KEY_CN=gateway.MyDomain.com # can be some other gateway domain
export KEY_NAME=MyOrganisation_MyGatewayName # can be some other name
export KEY_OU=Operation
# export PKCS11_MODULE_PATH=changeme # commented out
# export PKCS11_PIN=1234 # commented out

- Change to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0 and create the certificates and keys:

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0

# note the dot and the space: this sources vars into the current shell
. /config/openvpn/vars

# deletes all previously generated keys and certificates in /config/auth/openvpn/keys
./clean-all

# takes some time; easy-rsa 2.0 builds 1024-bit parameters (dh1024.pem) unless KEY_SIZE is raised to 2048 in vars
./build-dh

# confirm every question with Return or yes; leave the password empty
./build-ca

# use the same value that was set for KEY_CN=gateway.MyDomain.com in vars
# confirm every question with Return or yes; leave the password empty
./build-key-server gateway.MyDomain.com
The directory /config/auth/openvpn/keys should now contain the following files:

01.pem
ca.crt
ca.key
dh1024.pem
gateway.MyDomain.com.crt
gateway.MyDomain.com.csr
gateway.MyDomain.com.key
index.txt
index.txt.attr
index.txt.old
serial
serial.old
server.key
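Before pointing the tls settings at these files it is worth verifying them. The script below is an added example, not part of the original post nor of easy-rsa or EdgeOS; it assumes the openssl command line tool is available, as it is on the EdgeRouter. It applies equally to the CA.sh output of the earlier post (/config/auth/cacert.pem, host.pem and host-decrypted.key) and to the easy-rsa output listed above (ca.crt, gateway.MyDomain.com.crt and gateway.MyDomain.com.key). The make_demo_pki helper generates a constructed throw-away CA and server certificate so the check can be tried without touching the router's files.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a server certificate, its key and
# the CA before using them in "set interfaces openvpn vtun0 tls ...". Assumes openssl on the path.
# Usage: check_openvpn_pki CA_CERT SERVER_CERT SERVER_KEY
#   e.g. check_openvpn_pki /config/auth/openvpn/keys/ca.crt \
#          /config/auth/openvpn/keys/gateway.MyDomain.com.crt /config/auth/openvpn/keys/gateway.MyDomain.com.key

check_openvpn_pki() {
  ca="$1"; cert="$2"; key="$3"

  # 1. The server certificate must chain to the CA that the clients will be given.
  if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "FAIL: $cert does not verify against $ca"; return 1
  fi

  # 2. The router starts OpenVPN unattended, so the key must not need a passphrase. Both the
  #    PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" and the legacy "Proc-Type: 4,ENCRYPTED" header contain this word.
  if grep -q ENCRYPTED "$key"; then
    echo "FAIL: $key still needs a passphrase; write an unencrypted copy with: openssl rsa -in $key -out <decrypted.key>"; return 1
  fi

  # 3. The key must belong to the certificate: compare the public halves.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: the public key in $cert does not match $key"; return 1
  fi

  # 4. An unencrypted key is only as secret as its file mode: no group/other bits allowed.
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  case "$mode" in
    *00) ;;
    *) echo "FAIL: $key has mode $mode; use chmod 600"; return 1 ;;
  esac

  echo "OK: $cert is signed by $ca, matches $key, and the key is unencrypted and private"
  return 0
}

# make_demo_pki DIR: constructed throw-away CA plus server certificate (1-day validity) so the
# check can be exercised away from the router. This is not the CA.sh or easy-rsa flow, just
# the minimum openssl commands that produce the same kind of files.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=gw.example.test" \
    -keyout "$d/host.key" -out "$d/host.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/host.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -days 1 -out "$d/host.pem" >/dev/null 2>&1
  chmod 600 "$d/host.key" "$d/cakey.pem"
}
```

A failing check 1 usually means the wrong CA file, or a certificate signed by an earlier CA that ./clean-all has since wiped; a failing check 2 is exactly what the "Decrypt keys" step of the earlier post fixes; check 4 matters because after decryption the file mode is the only thing protecting the key.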

- Create a group nobody, which the OpenVPN server configuration drops its privileges to:

addgroup nobody

- Now create your OpenVPN client users in the EdgeRouter GUI or CLI. Select user level "operator" and set an appropriate password for each. You can create and delete users and change passwords whenever you want.

- Leave the root shell with exit and enter the CLI configure mode:

exit

configure
Now create the OpenVPN server configuration:

# we select a tun setup as the OpenVPN client for iOS does not currently support dev tap
set interfaces openvpn vtun0
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option "--tls-server"
set interfaces openvpn vtun0 openvpn-option "--proto udp"
set interfaces openvpn vtun0 openvpn-option "--port 1194"

# set this only if you want the OpenVPN server to push DNS settings to the client and override its own DNS setting, so that all traffic passes over the VPN
# set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 192.168.5.254"

# change to your own LAN subnet (network address and netmask)
set interfaces openvpn vtun0 openvpn-option "--push route 192.168.5.0 255.255.255.0"
set interfaces openvpn vtun0 openvpn-option "--tun-mtu 1400"
set interfaces openvpn vtun0 openvpn-option "--persist-key"
set interfaces openvpn vtun0 openvpn-option "--persist-tun"
set interfaces openvpn vtun0 openvpn-option "--persist-local-ip"
set interfaces openvpn vtun0 openvpn-option "--persist-remote-ip"
set interfaces openvpn vtun0 openvpn-option "--keepalive 8 30"
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
# several clients may be connected with the same common name (here: the same username) at once
set interfaces openvpn vtun0 openvpn-option "--duplicate-cn"
# drop privileges after start-up; the group was created with addgroup above
set interfaces openvpn vtun0 openvpn-option "--user nobody --group nobody"
# authenticate clients with their EdgeRouter username/password through PAM
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
# no client certificate is checked: the PAM username/password is the only client credential, and the username becomes the client's common name
set interfaces openvpn vtun0 openvpn-option "--client-cert-not-required --username-as-common-name"
set interfaces openvpn vtun0 openvpn-option "--verb 1"
set interfaces openvpn vtun0 openvpn-option "--client-to-client"
set interfaces openvpn vtun0 server
# change the VPN private subnet if needed
set interfaces openvpn vtun0 server subnet 172.17.0.0/16
set interfaces openvpn vtun0 server topology subnet

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/openvpn/keys/ca.crt
# change to the appropriate file name (gateway.MyDomain.com.crt if you kept the KEY_CN from vars)
set interfaces openvpn vtun0 tls cert-file /config/auth/openvpn/keys/gw.newy.org.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/openvpn/keys/dh1024.pem
# change to the appropriate file name
set interfaces openvpn vtun0 tls key-file /config/auth/openvpn/keys/gw.newy.org.key

- Now commit these settings with CLI commit. If the settings cannot be committed, have a look at the log:

more /var/log/messages
If the commit was successful the OpenVPN server is already up. Save the settings with CLI save and exit from configure mode.

- Create a backup in the EdgeRouter GUI and export it to your desktop. The backup also contains the CA certificate you will need to configure your OpenVPN clients. Unpack the backup archive on your desktop.

I will now briefly describe how to configure the OpenVPN client for Apple iOS devices (tested only on iOS 6.x). The configuration for a Mac OS X OpenVPN client like Tunnelblick is very similar (see the end).

- Take an OpenVPN client profile template or create a profile from scratch with a text editor in raw text mode and UTF-8 encoding. Set the following entries:

client
float
# we select a tun setup as the OpenVPN client for iOS does not currently support dev tap
dev tun
proto udp
# replace gw.newy.org with the domain name or public IP of your EdgeRouter
remote gw.newy.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# uncomment these lines if you use an OpenVPN client that reads the certificates from files instead of the inline blocks below
; ca ca.crt
; cert client.crt
; key client.key
cipher AES-128-CBC
# prompt for the EdgeRouter username/password
auth-user-pass
# accept the options the server pushes (route, optional DNS); already implied by "client"
pull
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
# put your certificate block here
-----END CERTIFICATE-----
</ca>

# this is a random certificate and is used by the OpenVPN iOS client. It can be copied as it is

<cert>
-----BEGIN CERTIFICATE-----
[certificate body not present in this copy of the page]
-----END CERTIFICATE-----
</cert>

# this is a random key and is used by the OpenVPN iOS client. It can be copied as it is

<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
-----END PRIVATE KEY-----
</key>

Save the file as raw text and append the file suffix ".ovpn"

- Open the unpacked EdgeRouter backup archive on your desktop. Go to the folder /config/auth/openvpn/keys and locate the file ca.crt. Open it with a text editor in raw mode that supports UTF-8. Copy the certificate block between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and paste it into the OpenVPN profile between the <ca> and </ca> tags, replacing the placeholder line. The <cert> and <key> blocks contain random data but are required by the OpenVPN Client for iOS; without them the profile cannot be imported into the OpenVPN Client for iOS.
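Splicing the CA block into the profile by hand is easy to get wrong: a leftover "# put your certificate block here" line inside <ca> is not a comment to OpenVPN, which takes inline blocks verbatim, and a profile without a remote line or a closing tag fails to import. The script below is an added example, not part of the original post; the function names are mine and the file names are the ones used above. It builds the profile from a template and ca.crt and checks the result before the file is sent anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: build the .ovpn from a template plus ca.crt and
# check it. Function names are mine; file names follow the post.

# pem_block FILE: print only the first -----BEGIN ...----- / -----END ...----- block of FILE,
# dropping anything outside the markers (e.g. the text dump openssl writes above signed certs).
pem_block() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# embed_ca PROFILE CA_FILE: print PROFILE with the CA certificate appended as an inline <ca> block.
embed_ca() {
  cat "$1"
  printf '<ca>\n'
  pem_block "$2"
  printf '</ca>\n'
}

# profile_ok FILE: return 0 if the profile has what the iOS client needs (a "remote host port"
# line, a <ca> block holding a PEM certificate and no stray comment lines, and <cert>/<key>
# blocks); otherwise print what is missing and return 1.
profile_ok() {
  f="$1"; rc=0
  grep -Eq '^remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' "$f" \
    || { echo "missing: remote <host> <port>"; rc=1; }
  for tag in ca cert key; do
    grep -q "^<$tag>" "$f" && grep -q "^</$tag>" "$f" \
      || { echo "missing: <$tag>...</$tag> block"; rc=1; }
  done
  sed -n '/^<ca>/,/^<\/ca>/p' "$f" | grep -q '^-----BEGIN CERTIFICATE-----' \
    || { echo "missing: PEM certificate inside <ca>"; rc=1; }
  sed -n '/^<ca>/,/^<\/ca>/p' "$f" | grep -q '^#' \
    && { echo "error: comment line inside <ca> block (OpenVPN reads inline blocks verbatim)"; rc=1; }
  return $rc
}

# Typical use on the desktop with the unpacked backup:
#   embed_ca template.ovpn config/auth/openvpn/keys/ca.crt > client.ovpn && profile_ok client.ovpn
```

The template passed to embed_ca is the profile above without the <ca> section; the two random <cert> and <key> blocks stay in the template as they are.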

- In our case we deployed the OpenVPN client profile to the iOS devices by e-mail. This may be a security issue but it was the fastest way to test and get ready. The same profile can be used for all users configured previously or in future in the EdgeRouter GUI (users are differentiated by their user/password).

- Install the OpenVPN Client for iOS from the App Store:

https://itunes.apple.com/ch/app/openvpn-connect/id590379981
- Send the previously created OpenVPN client profile ".ovpn" as an attachment to an e-mail account that is already configured on the iOS device.

- Open that e-mail on the iOS device and open the OpenVPN client profile attachment by tapping its icon. The OpenVPN Connect app should now open and show the new client profile to import. Approve the import and enter the user/password you configured in the EdgeRouter user GUI. Now you are ready to connect to your EdgeRouter by OpenVPN (this of course works only from outside your EdgeRouter's LAN).

- The configuration for the Mac OS X OpenVPN client Tunnelblick is straightforward. Install Tunnelblick if it is not already installed on your system:

http://code.google.com/p/tunnelblick/wiki/DownloadsEntry?tm=2

- Create a new folder on your Mac OS X desktop and name it as you want the profile to appear later in Tunnelblick, e.g. "openvpn MyCompany".

- Copy your previously created OpenVPN client profile ".ovpn" file into the folder "openvpn MyCompany".

- Add the suffix ".tblk" to the folder name so that it reads "openvpn MyCompany.tblk". As soon as the suffix ".tblk" is added, the folder becomes a package and shows up as a file with the Tunnelblick.app icon.

- Double-click this new Tunnelblick file. Tunnelblick.app opens and imports your profile. You are now ready to connect to your remote EdgeRouter. The first time you connect you will be asked for your Mac OS X user account or admin credentials (this only prepares the profile) and then, in a user/password dialog, for your OpenVPN user/password to connect to your remote EdgeRouter.

Posted in Uncategorized.
