
edgerouter

build ubnt router from ground up

backup vnstat DBs
setup wan
setup lan1
setup lan2
setup vlans
setup dhcp
setup firewall
setup nat
setup repos
apt-get install vnstat vnstati nano iftop
setup vnstat to auto run
restore vnstat DBs
setup ddns

go over configs to compare old to new and fix anything missed

Posted in Uncategorized.



edgerouter

– Log in to your EdgeRouter by ssh with your default admin user/pwd information:

– Change to a sudo shell:

sudo -i
– Change to /config/auth/ and create an empty directory openvpn/keys. This way any generated keys and certificates are also part of the backups/archives.

cd /config/auth/
mkdir openvpn
mkdir openvpn/keys

– Change to the directory /config/auth/openvpn/keys and create the text files index.txt and serial:

cd /config/auth/openvpn/keys
touch index.txt
echo 00 > serial

– Change to the directory /config and create a directory openvpn. This is where the prerequisites for generating the OpenVPN keys and certificates are prepared.

cd /config
mkdir openvpn
cd /config/openvpn

cp -p /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars ./

– Edit the file /config/openvpn/vars with vi:

cd /config/openvpn
vi ./vars
Modify the following lines and save the file:


export EASY_RSA="/usr/share/doc/openvpn/examples/easy-rsa/2.0"

export KEY_DIR="/config/auth/openvpn/keys"

export KEY_COUNTRY="MyCountryCode" # e.g. "US"
export KEY_PROVINCE="MyProvince"
export KEY_CITY="MyCity"
export KEY_ORG="MyOrganisationName"
export KEY_EMAIL="admin@MyDomain.com"
export KEY_CN="gateway.MyDomain.com" # can be some other gateway domain
export KEY_NAME="MyOrganisation_MyGatewayName" # can be some other name
export KEY_OU="Operation"
# export PKCS11_MODULE_PATH=changeme # commented out
# export PKCS11_PIN=1234 # commented out

– Change to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0 and create the certificates and keys:

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0

# note the dot and space: this sources the vars file into the current shell
. /config/openvpn/vars

# removes all previously generated keys and certificates in /config/auth/openvpn/keys
./clean-all

# takes some time
./build-dh

# confirm all questions with Return or yes; leave the password unchanged/empty
./build-ca

# use the same value as set in vars for KEY_CN=gateway.MyDomain.com as the parameter
# confirm all questions with Return or yes; leave the password unchanged/empty
./build-key-server gateway.MyDomain.com
The directory /config/auth/openvpn/keys should now contain the following files:

01.pem
ca.crt
ca.key
dh1024.pem
gateway.MyDomain.com.crt
gateway.MyDomain.com.csr
gateway.MyDomain.com.key
index.txt
index.txt.attr
index.txt.old
serial
serial.old
server.key

– Create a user group nobody, which is used by the OpenVPN server configuration below:

addgroup nobody

– Now create your OpenVPN client users in the EdgeRouter GUI or CLI. Select "operator" as the user level and set an appropriate password for each. You can create and delete users and change passwords as you want, at any time.

– Now leave the sudo shell with exit and enter the CLI configure mode:

exit

configure
Now create the OpenVPN server configuration:

# we select a tun setup because the OpenVPN client for iOS currently does not support dev tap
set interfaces openvpn vtun0
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option "--tls-server"
set interfaces openvpn vtun0 openvpn-option "--proto udp"
set interfaces openvpn vtun0 openvpn-option "--port 1194"

# set this only if you want the OpenVPN server to push DNS settings to the client and override its DNS setting, so that all traffic passes over the VPN
# set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 192.168.5.254"

# change to your own LAN subnet and netmask
set interfaces openvpn vtun0 openvpn-option "--push route 192.168.5.0 255.255.255.0"
set interfaces openvpn vtun0 openvpn-option "--tun-mtu 1400"
set interfaces openvpn vtun0 openvpn-option "--persist-key"
set interfaces openvpn vtun0 openvpn-option "--persist-tun"
set interfaces openvpn vtun0 openvpn-option "--persist-local-ip"
set interfaces openvpn vtun0 openvpn-option "--persist-remote-ip"
set interfaces openvpn vtun0 openvpn-option "--keepalive 8 30"
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
set interfaces openvpn vtun0 openvpn-option "--duplicate-cn"
set interfaces openvpn vtun0 openvpn-option "--user nobody --group nobody"
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
set interfaces openvpn vtun0 openvpn-option "--client-cert-not-required --username-as-common-name"
set interfaces openvpn vtun0 openvpn-option "--verb 1"
set interfaces openvpn vtun0 openvpn-option "--client-to-client"
set interfaces openvpn vtun0 server
# change the VPN private subnet if needed
set interfaces openvpn vtun0 server subnet 172.17.0.0/16
set interfaces openvpn vtun0 server topology subnet

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/openvpn/keys/ca.crt
# change to the appropriate file name (the certificate created with build-key-server)
set interfaces openvpn vtun0 tls cert-file /config/auth/openvpn/keys/gw.newy.org.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/openvpn/keys/dh1024.pem
# change to the appropriate file name
set interfaces openvpn vtun0 tls key-file /config/auth/openvpn/keys/gw.newy.org.key

– Now commit these settings with the CLI commit. If the settings cannot be committed, have a look at the log:

more /var/log/messages
If the commit was successful the OpenVPN server is already up. Save the settings with the CLI save and exit configure mode.

– Create a backup in the EdgeRouter GUI and export it to your desktop. The backup also contains the certificate you need to configure your OpenVPN clients. Unpack the backup archive file on your desktop.

I will now briefly describe how to configure the OpenVPN client for Apple iOS devices (tested only on iOS 6.x). The configuration for a Mac OS X OpenVPN client like Tunnelblick is very similar (see the end).

– Take an OpenVPN client profile template or create a profile from scratch with a text editor in raw text mode and UTF-8 encoding. Set the following entries:

client
float
# we select a tun setup because the OpenVPN client for iOS currently does not support dev tap
dev tun
proto udp
# replace gw.newy.org with the domain name or public IP of your EdgeRouter to connect to remotely
remote gw.newy.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# uncomment these lines if your OpenVPN client reads separate certificate files instead of the inline blocks below
; ca ca.crt
; cert client.crt
; key client.key
cipher AES-128-CBC
# the server authenticates by user/password (PAM); "client" already implies "pull"
auth-user-pass
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
# put your certificate block (the contents of ca.crt) here
-----END CERTIFICATE-----
</ca>

# this is a random certificate used by the OpenVPN client for iOS; it can be copied as it is

<cert>
-----BEGIN CERTIFICATE-----
MIIB1jCCAT+gAwIBAgIEAmLSTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
cGVuVlBOIENBMB4XDTEzMDExNzAyMTExMloXDTIzMDEyMjAyMTExMlowKDEmMCQG
A1UEAxQdZnJyaWN0aW9uQGdtYWlsLmNvbV9BVVRPTE9HSU4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALVEXIZYYu1Inmejuo4Si6Eo5AguTX5sg1pGbLkJSTR4
BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlUtWnVCwCYtewYfEc/+azH7+7eU6ue
T2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCedptgWyiL50N7FMcUUMjjXYh/hftB
AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3
DQEBBQUAA4GBABhVzSYXHlQEPNaKGmx9hMwwnNKcHgD9cCmC9lX/KR2Y+vT/QGxK
7sYlJInb/xmpa5TUQYc1nzDs9JBps1mCtZbYNNDpYnKINAKSDsM+KOQaSYQ2FhHk
bmBZk/K96P7VntzYI5S02+hOWnvjq5Wk4gOt1+L18+R/XujuxGbwnHW2
-----END CERTIFICATE-----
</cert>

# this is a random key used by the OpenVPN client for iOS; it can be copied as it is

<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
-----END PRIVATE KEY-----
</key>

Save the file as raw text and append the file suffix ".ovpn".

– Open the unpacked EdgeRouter backup archive on your desktop. Go to the folder /config/auth/openvpn/keys and locate the file ca.crt. Open this file with a text editor in raw mode that supports UTF-8. Copy the certificate block between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and paste it into the OpenVPN profile between the <ca> tags. The <cert> and <key> blocks contain random data but are required by the OpenVPN client for iOS. Without these blocks the profile cannot be successfully imported into the OpenVPN client for iOS.
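Before a profile is mailed around it is worth checking that it is actually importable. The following is an added example, not part of the original post: a small Python checker for the profile format used above. It assumes the standard OpenVPN inline-block syntax (<ca>, <cert>, <key>) and a constructed sample profile; the host gw.example.org and the PLACEHOLDERBODY PEM bodies are stand-ins, not values from the post.

```python
import re

# Constructed sample (not from the post): the post's directives plus standard OpenVPN
# inline <ca>/<cert>/<key> blocks; gw.example.org and PLACEHOLDERBODY are stand-ins.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote gw.example.org 1194
cipher AES-128-CBC
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDERBODY
-----END PRIVATE KEY-----
</key>
"""

BLOCK_RE = re.compile(r"<(ca|cert|key)>\n(.*?)\n</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----\n[A-Za-z0-9+/=\n]+-----END [A-Z ]+-----")

def parse_profile(text: str) -> tuple[dict[str, list[str]], dict[str, str]]:
    """Split a .ovpn into directives (name -> argument strings) and inline <tag> blocks."""
    text = text.replace("\r\n", "\n")
    blocks = {m.group(1): m.group(2) for m in BLOCK_RE.finditer(text)}
    directives: dict[str, list[str]] = {}
    for raw in BLOCK_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # '#' comments and ';'-disabled lines
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(" ".join(args))
    return directives, blocks

def check_profile(text: str) -> list[str]:
    """Return the problems found; an empty list means the profile is ready to import."""
    directives, blocks = parse_profile(text)
    problems: list[str] = []
    if "client" not in directives:
        problems.append("missing 'client' directive")
    if not directives.get("remote"):
        problems.append("missing 'remote <host> <port>': a bare host/port line is not a directive")
    if "auth-user-pass" not in directives:
        problems.append("missing 'auth-user-pass': the server authenticates via PAM user/password")
    for tag in ("ca", "cert", "key"):  # all three are needed for the iOS client to import
        if tag not in blocks:
            problems.append(f"missing <{tag}> block")
        elif not PEM_RE.search(blocks[tag]):
            problems.append(f"<{tag}> block holds no PEM body (placeholder comment still present?)")
    return problems
```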

– In our case we deployed the OpenVPN client profile to the iOS devices by email. This may be a security issue but it was the fastest way to test and get ready. The same profile can be used for all users configured previously or in future in the EdgeRouter GUI (users are differentiated by their user/pwd).

– Install the OpenVPN Client for IOS from the App-Store:

https://itunes.apple.com/ch/app/openvpn-connect/id590379981
– Send the previously created OpenVPN client profile ".ovpn" as an attachment to an email account that is already configured on the iOS device.

– Open the email on the iOS device and then open the OpenVPN client profile attachment by tapping its icon. The OpenVPN Connect app should now open and show the new client profile to import. Approve the import and enter the user/pwd info you configured in the EdgeRouter user GUI. You are now ready to connect to your EdgeRouter by OpenVPN (this of course only works from outside your EdgeRouter's LAN).

– Configuration of the Mac OS X OpenVPN client Tunnelblick is straightforward. Install Tunnelblick if it is not already installed on your system:

http://code.google.com/p/tunnelblick/wiki/DownloadsEntry?tm=2

– Create a new folder on your Mac OS X desktop and name it as you want the profile to be shown later in Tunnelblick, e.g. "openvpn MyCompany".

– Copy your previously created OpenVPN client profile ".ovpn" file into the previously created folder "openvpn MyCompany".

– Add the suffix ".tblk" to the folder name so that it reads "openvpn MyCompany.tblk". The moment the suffix ".tblk" is added the folder becomes a package and shows up as a file with the Tunnelblick.app icon.

– Double-click this new Tunnelblick file. Tunnelblick.app will open and your profile is imported. You are now ready to connect to your remote EdgeRouter. The first time you connect you will be asked for your Mac OS X user account or admin info (this only prepares the profile), and then a user/password dialog asks for your OpenVPN user/pwd information to connect to your remote EdgeRouter.

Posted in Uncategorized.



How to relay mail from an ubuntu server running postfix to gmail servers

Add the following to /etc/postfix/main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CApath = /etc/ssl/certs
relayhost = smtp.gmail.com:587

echo "smtp.gmail.com:587 smtp_user:smtp_passwd" > /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
service postfix restart
echo "Test mail from postfix" | mail -s "Test Postfix" you@example.com
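An added example (not from the post): a Python audit of the relay settings above. It parses a constructed main.cf copy of those settings and flags the weak spots such a relay can have, including the permissions of the sasl_passwd file, which the echo line above leaves at the umask default unless it is chmod 600'd afterwards.

```python
import stat

# Constructed sample: the relay settings from the post, as they appear in main.cf.
SAMPLE_MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CApath = /etc/ssl/certs
relayhost = smtp.gmail.com:587
"""

def parse_main_cf(text: str) -> dict[str, str]:
    """Minimal main.cf reader: 'key = value' lines, '#' comments, later keys override earlier."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def audit_relay(params: dict[str, str], sasl_passwd_mode: int = 0o600) -> list[str]:
    """Flag weak relay settings. sasl_passwd_mode is the permission bits of the
    credentials file (os.stat(path).st_mode & 0o777); 'echo > file' leaves the umask
    default, usually 0o644, so the SMTP password is readable by every local user."""
    findings: list[str] = []
    if not params.get("relayhost"):
        findings.append("relayhost not set: mail is delivered directly, not relayed")
    if params.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: the relay will refuse unauthenticated mail")
    if "noanonymous" not in params.get("smtp_sasl_security_options", ""):
        findings.append("smtp_sasl_security_options lacks noanonymous")
    level = params.get("smtp_tls_security_level", "none")
    if level not in ("encrypt", "verify", "secure"):
        findings.append(f"smtp_tls_security_level={level}: TLS is optional, credentials may go in clear")
    protos = params.get("smtp_tls_mandatory_protocols", "")
    allowed = {p for p in protos.replace(",", " ").split() if not p.startswith("!")}
    if allowed & {"SSLv2", "SSLv3"}:
        findings.append("smtp_tls_mandatory_protocols still allows SSLv2/SSLv3")
    if sasl_passwd_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"sasl_passwd mode {oct(sasl_passwd_mode)} is group/world readable: chmod 600 it")
    return findings
```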

Posted in General.


todo-list

----- Media server build -----
-build basic server
-add storage
-move files from 1s
-setup plex
-setup apache
-setup websites
-setup security and htpasswords
-setup postfix
-setup phpmyadmin
-setup webmin
-setup nfs
-setup samba
-setup users
-cron jobs
-update computers mapped to network drive
-update eyefi mapping
-update cifs shares
-setup mysql
-setup wireless
-setup dsm 5.2 vm

power off old servers
-media
-webvm1 after sites are moved and all mail server entries are updated

clean up esx drives to remove a few from server

Posted in Uncategorized.



Build mythbuntu 14.04 frontend

Installed from 14.04 (usb drive, cd-rom or pxe boot)
reconfigure sources.list to point to local repo and install aptitude
apt-get update
apt-get upgrade
apt-get install openssh-server rpcbind nfs-common snmpd smartmontools mutt postfix ssh dstat iptraf logwatch dselect mailutils sysv-rc-conf gparted ntp iftop apcupsd ethtool libauthen-pam-perl libio-pty-perl apt-show-versions libnet-ssleay-perl
mkdir /dvr /offline
nano /etc/fstab
192.168.1.220:/offline /offline nfs soft,intr,rsize=32768,wsize=32768,async,nfsvers=3,bg,actimeo=0,tcp
192.168.1.220:/dvr /dvr nfs soft,intr,rsize=32768,wsize=32768,async,nfsvers=3,bg,actimeo=0,tcp

mount -a
copy blootube theme
cp -R /dvr/files/blootubelite-wide/ /usr/share/mythtv/themes/

RSYNC
cp /offline/files/rsync/rsyncd.conf /etc
cp /offline/files/rsync/rsyncd.secrets /etc
chmod 600 /etc/rsyncd.secrets
nano /etc/default/rsync and enable
/etc/init.d/rsync restart

SNMP
cp /offline/archive/common/snmpd.conf /etc/snmp
/etc/init.d/snmpd restart

SMARTD
cp /offline/archive/common/smartd.conf /etc/smartd.conf
nano /etc/default/smartmontools
start_smartd=yes
/etc/init.d/smartmontools restart

APCUPSD
cp /offline/archive/common/apcupsd.conf /etc/apcupsd
nano /etc/default/apcupsd and make isconfigured=yes
/etc/init.d/apcupsd restart

WEBMIN
dpkg -i /offline/files/webmin_1.610_all.deb

Mythtv log files changes
rm /etc/logrotate.d/mythtv-*
cp /dvr/scripts/logrotate.d/mythtv /etc/logrotate.d/
mkdir /var/log/mythtv/old
chown syslog.adm /var/log/mythtv/old
cp /dvr/files/lirc/mythtv.precise /home/desktop/.lirc

Wake on lan if supported
echo 'ethtool -s eth0 wol g' >> /etc/rc.local

Posted in Linux, Mythtv.


todo-list

Fix damaged wood on shed and shed doors
adjust sprinkler heads
plant shrubs on side of house
mulch areas that need more mulch
raise shed
power wash portch
power wash house
power wash deck
stain deck

Posted in Uncategorized.



startssl.com

Create the server key (in this example RSA 1024 bit):
openssl genrsa -out host.key 4096
Make a certificate signing request out of it (it won't be signed yet):
openssl req -new -key host.key -out host.csr
Create your CA certificate (will be valid for a year):
openssl req -new -x509 -days 365 -key host.key -out host.crt
Copy the contents of host.csr and paste them into the startssl.com website. It will return certificate text that you put in a .csr file.

Create the .csr file in the /etc/apache2/ssl area, in this case I called it my host name webvm1.csr.

cp host.key webvm1.key

Enable the SSL module

sudo a2enmod ssl
Listen to port 443

echo "Listen 443" | sudo tee -a /etc/apache2/ports.conf
Create and enable the SSL site

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
Modify it so it looks something like this

NameVirtualHost *:443

<VirtualHost *:443>
ServerAdmin webmaster@localhost

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/webvm1.newy.org.startssl.csr
SSLCertificateKeyFile /etc/apache2/ssl/webvm1.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /etc/apache2/ssl/ca.pem
</VirtualHost>

…and enable it

sudo a2ensite ssl

don’t forget to modify /etc/apache2/sites-available/default

NameVirtualHost *:80

Posted in Uncategorized.



mythtv mythbackend

Install using mythbuntu media
verify frontend works
exit frontend and start backend config, add cards, lineups etc
apt-get install aptitude
aptitude install cacti phpmyadmin backuppc
aptitude install openssh-server portmap nfs-common snmpd smartmontools mutt postfix ssh dstat iptraf logwatch dselect mailutils sysv-rc-conf gparted ntp iftop apcupsd xfsprogs

mkdir /dvr /offline
nano /etc/fstab

192.168.1.210:/offline /offline nfs soft,intr,rsize=32768,wsize=32768,async,nfsvers=3,bg,actimeo=0,tcp
192.168.1.210:/dvr /dvr nfs soft,intr,rsize=32768,wsize=32768,async,nfsvers=3,bg,actimeo=0,tcp

mount -a

nx debs
sudo dpkg -i /offline/files/nx/nxclient_3.5.0-7_amd64.deb
sudo dpkg -i /offline/files/nx/nxnode_3.5.0-9_amd64.deb
sudo dpkg -i /offline/files/nx/nxserver_3.5.0-11_amd64.deb

RSYNC
cp /offline/files/rsync/rsyncd.conf /etc
cp /offline/files/rsync/rsyncd.secrets /etc
chmod 600 /etc/rsyncd.secrets
nano /etc/default/rsync and enable
/etc/init.d/rsync restart

SNMP
cp /offline/archive/common/snmpd.conf /etc/snmp
/etc/init.d/snmpd restart

SMARTD
cp /offline/archive/common/smartd.conf /etc/smartd.conf
nano /etc/default/smartmontools
start_smartd=yes
/etc/init.d/smartmontools restart

APCUPSD
cp /offline/archive/common/apcupsd.conf /etc/apcupsd
nano /etc/default/apcupsd and make isconfigured=yes
/etc/init.d/apcupsd restart

WEBMIN
aptitude install libauthen-pam-perl libio-pty-perl apt-show-versions libnet-ssleay-perl
dpkg -i /offline/files/webmin_1.590_all.deb

Posted in Uncategorized.



sslh

1. aptitude install sslh
2. change the line in /etc/default/sslh to RUN=yes
3. update the DAEMON_OPTS line to listen on and forward from the correct ip/port to the correct ip/port
4. change /etc/apache2/ports.conf from Listen 443 to Listen 127.0.0.1:443

Posted in Uncategorized.



mythtv mythfrontend

Installed from 12.04 (usb drive, cd-rom or pxe boot)
reconfigure sources.list to point to local repo and install aptitude
aptitude update
aptitude upgrade
aptitude install openssh-server rpcbind nfs-common snmpd smartmontools mutt postfix ssh dstat iptraf logwatch dselect mailutils sysv-rc-conf gparted ntp iftop apcupsd ethtool
mkdir /dvr /offline
nano /etc/fstab
192.168.1.220:/offline /offline nfs soft,intr,rsize=32768,wsize=32768,async,nfsvers=3,bg,actimeo=0,tcp
192.168.1.220:/dvr /dvr nfs soft,intr,rsize=32768,wsize=32768,async,nfsvers=3,bg,actimeo=0,tcp

mount -a
copy blootube theme
cp -R /dvr/files/blootubelite-wide/ /usr/share/mythtv/themes/

RSYNC
cp /offline/files/rsync/rsyncd.conf /etc
cp /offline/files/rsync/rsyncd.secrets /etc
chmod 600 /etc/rsyncd.secrets
nano /etc/default/rsync and enable
/etc/init.d/rsync restart

SNMP
cp /offline/archive/common/snmpd.conf /etc/snmp
/etc/init.d/snmpd restart

SMARTD
cp /offline/archive/common/smartd.conf /etc/smartd.conf
nano /etc/default/smartmontools
start_smartd=yes
/etc/init.d/smartmontools restart

APCUPSD
cp /offline/archive/common/apcupsd.conf /etc/apcupsd
nano /etc/default/apcupsd and make isconfigured=yes
/etc/init.d/apcupsd restart

WEBMIN
aptitude install libauthen-pam-perl libio-pty-perl apt-show-versions libnet-ssleay-perl
dpkg -i /offline/files/webmin_1.610_all.deb

Mythtv log files changes
rm /etc/logrotate.d/mythtv-*
cp /dvr/scripts/logrotate.d/mythtv /etc/logrotate.d/
mkdir /var/log/mythtv/old
chown syslog.adm /var/log/mythtv/old
cp /dvr/files/lirc/mythtv.precise /home/desktop/.lirc

Wake on lan if supported
echo 'ethtool -s eth0 wol g' >> /etc/rc.local

Posted in Uncategorized.
