Category Archives: Linux Notes - Page 3

Restart network on Ubuntu (bridge network)

sudo ifdown br0 && sudo ifup br0

Clear Remmina SSL Cert Cache

Note to self: Self-Signed SSL Certs for RDP will auto-renew and cause Remmina to stop talking to your hosts.  Not very talkative about why.

The solutions is to nuke the ~/.freerdp/kndown_hosts file…

QEMU/KVM Startup Script

Right now I’m running this with root privileges for the bridged network adapter.  I really need to find a better, cleaner way to do this…

export QEMU_AUDIO_DRV=alsa
qemu-system-x86_64 –enable-kvm -drive file=${DISKIMG},if=virtio -m 8192 \
-device virtio-net,netdev=tunnel -netdev tap,id=tunnel,ifname=vnet0 \
-drive file=${VIRTIMG},index=3,media=cdrom \
-cdrom ${CZ} \
-rtc base=localtime,clock=host -smp cores=8 \
-drive file=${APPIMG},if=virtio \
-no-quit -no-frame \
-usbdevice tablet -soundhw all -cpu host -vga vmware
#-usb -device usb-host,hostbus=1,hostaddr=6
# Last part was working for USB pass through — disabled for now, slow?

Clonezilla Image Restored in Qemu/KVM

I managed to finally get a clonezilla image of an existing Windows 7 box to restore onto a KVM instance with Qemu. The kicker was getting the storage drivers installed onto the windows image. I found the key here:!

dism /image:c:\ /add-driver /driver:d:\win7\amd64\viostor.inf

C: will be whatever drive your system (winows installation) is recognized as — in my case it was actually e: due to my launch parameters.  Similarly “d:” will be the wherever the iso image for the virtio drivers is located — in my case it was “f:”.

OpenVPN Notes

Trying OpenVPN on Ubuntu 14.04 EC2 instnace. Warning these are mostly just notes to myself — use with caution. That includes you, future me…

TLDR version: If it absolutely comes down it it, I think I could eventually make the community version do what I need. However, with more than just this on my plate, it is probably more cost effective (and sane) to go with the commercially supported one. Too many irons in the fire…


I will note that I did have my hostname set to the desired value going into this. It might make a difference since I’m going to be making keys…

sudo bash # because I’m lazy….
apt-get update && apt-get dist-upgrade
apt-get install openvpn
apt-get install easy-rsa

root@vpn:~# whereis openvpn
openvpn: /usr/sbin/openvpn /etc/openvpn /usr/lib/openvpn /usr/include/openvpn /usr/share/openvpn /usr/share/man/man8/openvpn.8.gz

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

vi /etc/openvpn/easy-rsa/vars  (straight from the Ubunut help article referenced above — I modified the first 5 lines and left the last three as is.)

export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL=""
export KEY_CN=MyVPN
export KEY_OU=MyVPN

root@vpn:~# cd /etc/openvpn/easy-rsa/
root@vpn:/etc/openvpn/easy-rsa# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@vpn:/etc/openvpn/easy-rsa# ./clean-all
root@vpn:/etc/openvpn/easy-rsa# ./build-ca
error on line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
140316838659744:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198

line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf:
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

vi /etc/openvpn/easy-rsa/vars

# Added to fix error on build-ca line 198 of openssl-1.0.0.cnf seems to want
# a environment variable KEY_ALTNAMES — not sure what it does
# gonna give it something memorable in case it comes up later…
export KEY_ALTNAMES=”BoogaBooga”

source vars


I accepted the defaults as I had already customized the text config file…

I did my initial attempt with the default values (except the last two that require you to hit y). This means that I did NOT include
a challenge password. That is something I may want to look into..

./build-dh (Note that this use 2048 bits by default rather than 1024)
cd keys/
cp .crt .key ca.crt dh2048.pem /etc/openvpn/

Build each client key (these should ultimately be removed from the server and exist only on the client machines…):
I think I will need to do this each time a new client machine is add (ick — need to script this out…)

cd ../ (cd /etc/openvpn/easy-rsa/)
source vars
./build-key client1

Server Config (From included sample files):

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz

vi server.conf:

ca ca.crt
cert .crt
key .key # This file should be kept secret

# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem

service openvpn restart (Just to make sure an old version wasn’t running)

root@myvpn:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr: P-t-P: Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@myvpn:/etc/openvpn# lsof -i
extra services
openvpn 2437 root 6u IPv4 11132 0t0 UDP *:openvpn

tar cvzf ~/client1.tgz client1.crt client1.key ca.crt

then scp those to the client for testing

on the client:

sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

sudo cp ca.crt client1.crt client1.key /etc/openvpn

vi /etc/openvpn/client.conf

remote my.vpn.svr.ip 1194
ca ca.crt
cert client1.crt
key client1.key

root@fizban:/etc/openvpn# service openvpn restart
* Stopping virtual private network daemon(s)… * No VPN is running.
* Starting virtual private network daemon(s)… * Autostarting VPN ‘client’

root@fizban:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr: P-t-P: Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@fizban:/etc/openvpn# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=106 ms
— ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 106.110/106.110/106.110/0.000 ms

So, now I have a vpn server that can talk over a tunnel to 1 client. At this point the client can ONLY talk to the VPN server….

So now I have to figure out IPTables…
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

if all goes well, I will :
service iptables save (that’s actually RHEL I think)
apt-get install iptables-persistent
service iptables-persistent start

vi /etc/sysctl.conf
-> uncomment: net.ipv4.ip_forward=1

sysctl -p

copy the from my nat instance (so I think it originates from the Amazon NAT AMI):

# Configure the instance to run as a Port Address Translator (PAT) to provide
# Internet connectivity to private instances.

function log { logger -t “vpc” — $1; }

function die {
[ -n “$1” ] && log “$1”
log “Configuration of PAT failed!”
exit 1

# Sanitize PATH

log “Determining the MAC address on eth0…”
ETH0_MAC=$(cat /sys/class/net/eth0/address) ||
die “Unable to determine MAC address on eth0.”
log “Found MAC ${ETH0_MAC} for eth0.”

log “Metadata location for vpc ipv4 range: ${VPC_CIDR_URI}”

VPC_CIDR_RANGE=$(curl –retry 3 –silent –fail ${VPC_CIDR_URI})
if [ $? -ne 0 ]; then
log “Unable to retrive VPC CIDR range from meta-data, using instead. PAT may ma
squerade traffic for Internet hosts!”
log “Retrieved VPC CIDR range ${VPC_CIDR_RANGE} from meta-data.”

log “Enabling PAT…”
sysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.eth0.send_redirects=0 && (
iptables -t nat -C POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE 2> /dev/null ||
iptables -t nat -A POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE ) ||

sysctl net.ipv4.ip_forward net.ipv4.conf.eth0.send_redirects | log
iptables -n -t nat -L POSTROUTING | log

log “Configuration of PAT complete.”
exit 0

I need to run this from something akin to rc3.d/S99local (add that to my todo list)

I copied this file to /usr/local/sbin/ and added it to /etc/rc.local (which seems like the place to put it for Ubunut 14.04).

Then I’m gonna reboot and see if anything works. I may have to configure routes for my subnets in aws???

You know it is at this point, where the configuation ceases to be fun. I started looking more at the commercial version. Given that I have killed an entire afternoon and still have only the server and one client talking to each other, the price of the licenses is starting to look good!

Long term, I’d like to come back and work on this some more, but for now, it just isn’t cost effective to spend more time on it…