TroubleNow.org » debian

Howto setup openvpn in bridge mode on debian

Arno Haverlach — Wed, 21 Dec 2011 13:29:23 +0000

Below is my setup for a OpenVPN server in bridged mode with local firewall.
In short we will create a VPN server with the following setup:

Debian 6 as VPN server.
VPN Server on TCP port 443
(SSL port so it works behind firewall’s)
2048bit key size.
Local subnet of 192.168.255.0/24
Max 10 VPN Clients
(Can be increased by changing dhcp pool size)
All config files will be kept in /etc/openvpn
Local firewall to control access for VPN users

Note, if you are using ESXi follow this post first: OpenVPN bridge and vmware esxi

Installation

First install the required packages:

apt-get install openssl bridge-utils openvpn zip

Copy over the example easy-rsa 2.0 data to /etc/openvpn

cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa

Now we need to edit the vars file in the easy-rsa folder to match your organization information, so change EXAMPLE to your own info.

cd /etc/openvpn/easy-rsa
sed -i '/export EASY_RSA=/ c\export EASY_RSA=\"/etc/openvpn/easy-rsa\"' vars
sed -i '/export KEY_SIZE=/ c\export KEY_SIZE=2048' vars
sed -i '/export KEY_COUNTRY=/ c\export KEY_COUNTRY=\"EXAMPLE\"' vars
sed -i '/export KEY_PROVINCE=/ c\export KEY_PROVINCE=\"EXAMPLE\"' vars
sed -i '/export KEY_CITY=/ c\export KEY_CITY=\"EXAMPLE\"' vars
sed -i '/export KEY_ORG=/ c\export KEY_ORG=\"EXAMPLE\"' vars
sed -i '/export KEY_EMAIL=/ c\export KEY_EMAIL=\"user\@example.com\"' vars

Now build your CA and server key (you already have provided all the right info in the vars file so press enter all the way through).

source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh<;/pre>
<br>

Now we need to create a server.conf file in /etc/openvpn

cd /etc/openvpn && vi server.conf

server.conf
I will use TCP port 443 for the VPN server with a local subnet of 192.168.255.0/24
IP’s 192.168.255.200~192.168.255.210 will be used for client DHCP (max 10 clients), and 192.168.255.3 is the OpenVPN server himself.

Server.conf (Click to expand)

port 443
proto tcp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.255.3 255.255.255.0 192.168.255.200 192.168.255.210
keepalive 10 120
comp-lzo
persist-key
persist-tun
log /var/log/openvpn.log
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3

#===================================================#
# Client Settings
#===================================================#
# If you need to push routes you can do so here for example:
#push "route 192.168.0.0 255.255.255.0 192.168.255.1"

push "ping 10"
push "ping-restart 60"

push "dhcp-option DOMAIN example.local"
push "dhcp-option DNS 192.168.255.1"
push "dhcp-option DNS 192.168.255.2"
push "dhcp-option WINS 192.168.255.1"
push "route-delay 5"

push "echo "
push "echo Welcome to the EXAMPLE Network!"
push "echo "

Now we need to bridge the OpenVPN tap0 interface with your network interface (eth0 in this example).
Make sure to change the settings for your network (IP, subnet, gateway etc) as this will replace your current interface configuration don’t do this remotely.

vi /etc/init.d/bridge

/etc/init.d/bridge (Click to expand)

#!/bin/bash  
 
### BEGIN INIT INFO
# Provides:             bridge
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:
# Short-Description:    Bridge for OpenVPN
### END INIT INFO
 
# Define Bridge Interface 
br="br0" 
# Define list of TAP interfaces to be bridged, 
# for example tap="tap0 tap1". 
tap="tap0" 
# Define physical ethernet interface to be bridged 
# with TAP interface(s) above. 
eth="eth0" 
eth_ip="192.168.255.3" 
eth_netmask="255.255.255.0" 
eth_broadcast="192.168.255.255" 
gw="192.168.255.254"   
 
#################################   
# Set up Ethernet bridge on Linux   
# Requires: bridge-utils   
#################################    
start_bridge () {   
        for t in $tap; do
                openvpn --mktun --dev $t   
        done   
 
        brctl addbr $br
        brctl addif $br $eth
 
        for t in $tap; do
                brctl addif $br $t
        done
 
        for t in $tap; do
                ifconfig $t 0.0.0.0 promisc up   
        done
        ifconfig $eth 0.0.0.0 promisc up
        ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up   
        route add default gw $gw $br
} 
 
####################################   
# Tear Down Ethernet bridge on Linux   
####################################    
stop_bridge () {   
        ifconfig $br down
        brctl delbr $br    
        for t in $tap; do
                openvpn --rmtun --dev $t   
        done   
        ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up   
        route add default gw $gw $eth
}  
 
####################################
# OPTIONS
####################################
case "$1" in 
        start)   
          echo -n "Starting Bridge"   
          start_bridge   
          ;; 
        stop)   
          echo -n "Stopping Bridge"   
          stop_bridge   
          ;; 
        restart)   
          stop_bridge   
          sleep 2   
          start_bridge   
          ;; 
        *)   
          echo "Usage: $0 {start|stop|restart}" &gt;&amp;2   
          exit 1   
          ;; 
esac

Now make the script executable and set it as a default startup script:

chmod 755 /etc/init.d/bridge
update-rc.d bridge defaults

User creation script

For easy management I create a template config file and a script to create the certificate and zip the certificates and config file so you can send it to a user.

First we will create a template config file for openvpn, make sure to edit the VPNSERVERHOSTNAME to your hostname/ip for the VPN Server.
Create a configs directory, here we will keep the user configuration zip files later on.

cd /etc/openvpn
mkdir configs
cd /etc/openvpn/configs
vi template-config.ovpn

client
dev tap
proto tcp
remote VPNSERVERHOSTNAME 443
resolv-retry infinite
nobind
pkcs12 <>.p12
ns-cert-type server
comp-lzo
verb 3
#redirect-gateway

Then create the new-user script.

cd /etc/openvpn
vi new-user

newuser (Click to expand)

#!/bin/bash
action="$1"
option="$2"
base="/etc/openvpn"
#
#if [ -n $base/configs/$username ]
 
#----------------------------------------------------------------#
# new user
#----------------------------------------------------------------#
function new_user()
{
 echo "Creating the new user $username"
 
 # source the easy-rsa variables:
 source $base/easy-rsa/vars
 
 echo "Checking if user already exists"
 if [ -x $base/configs/$username ]
  then
   echo "ERROR: user already exists"
   echo ""
   exit 0
 else
  echo "Please check the already filled in answers and press"
  echo "enter for all the options finaly press 'Y' twice."
  echo ""
  sleep 5
  $base/easy-rsa/build-key-pkcs12 $username
 
  echo "Creating the config directory"
  userdir=$base/configs/$username
  mkdir $userdir
  cp $base/easy-rsa/keys/$username.p12 $userdir
  cp $base/configs/template-config.ovpn $userdir/$username.ovpn
  sed -i "s/<>/$username/g" $userdir/$username.ovpn
  cd $userdir
  /usr/bin/zip $userdir/$username.zip $username.*
 
  echo ""
  echo "User created"
  echo ""
 fi
}
 
#----------------------------------------------------------------#
# show the usage
#----------------------------------------------------------------#
function show_usage()
{
  echo ""
  echo "Usage: $0 [option] [arg]"
  echo "Where [option] is:"
  echo ""
  echo "-new"
  echo "   Create a new user"
  echo "   [arg] = "
  echo ""
  echo ""
}
#----------------------------------------------------------------#
 
#----------------------------------------------------------------#
# Parse action
#----------------------------------------------------------------#
function parse_action()
{
   case $action in
      -new)
        username="$option"
        new_user
        ;;
      *)
        show_usage
        ;;
   esac
exit 0
}
#----------------------------------------------------------------#
 
#----------------------------------------------------------------#
# Main function
#----------------------------------------------------------------#
function main()
{
  if [ "X${action}" == "X" ]
   then
    show_usage
    exit 0
   else
    parse_action
  fi
 
}
#----------------------------------------------------------------#
 
#----------------------------------------------------------------#
# run the Main script
#----------------------------------------------------------------#
main
#----------------------------------------------------------------#

Now make the script executable and run it with “-new johndoe” to create a new vpn certificate for user John Doe.

cd /etc/openvpn
chmod 700 new-user
./new-user -new johndoe

And finally we start the openvpn service:

/etc/init.d/openvpn start

Firewall

Now we add a IPtables firewall script to protect the network from the VPN clients.

mkdir /opt/firewall
vi /opt/firewall/localfw

localfw (Click to expand)

#!/bin/bash
#----------------------------------------------------#
#   Firewall for bridged openvpn
#   ver 0.1 20111021
#----------------------------------------------------#
 
echo "--------------------------------"
echo "IPTABLES FIREWALL SCRIPT LOADING"
echo "--------------------------------"
 
modprobe ip_tables
 
#--------------IP Variables -------------------------#
DNS1=192.168.255.1                      # dns server 1
DNS2=192.168.255.2                      # dns server 2
DNSSERVERS="$DNS1 $DNS2"
 
WAN_IF="br0"                            # WAN Interface
WAN_IP="192.168.255.3"                  # WAN IP
 
LANRANGE="192.168.255.0/24"               # LAN Range
#-----------------------------------------------------#
IPTABLES="/sbin/iptables"       # path to iptables
 
#-----------------------------------------------------#
# Check how we are started
CMD=$1
echo "Checking how we are started"
if ( [ -z $CMD ] ); then CMD="start"; fi
#-----------------------------------------------------#
 
#-----------------------------------------------------#
if ( [ $CMD = "start" ] ); then
#-----------------------------------------------------#
 
 echo "checking if we need to enable IP forwarding"
 IPFWDCHK="`cat /proc/sys/net/ipv4/ip_forward`"
 if ( [ "$IPFWDCHK" != "1" ] ); then 
   echo "IP forwarding not enabled yet enabling forwarding now"
   echo 1 > /proc/sys/net/ipv4/ip_forward
 fi
 
 
#--------------- Firewall default --------------------#
 
 # Default policy: ACCEPT
 $IPTABLES -P FORWARD ACCEPT
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P OUTPUT ACCEPT
 
 # Flush
 echo "Flushing all rules"
 $IPTABLES -F
 $IPTABLES -t mangle -F
 $IPTABLES -t nat -F
 $IPTABLES -F FORWARD
 $IPTABLES -F INPUT
 $IPTABLES -F OUTPUT
 
 # Default policy: ACCEPT
 $IPTABLES -P FORWARD ACCEPT
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P OUTPUT ACCEPT
#-----------------------------------------------------#
 
 # high-volumes
 $IPTABLES -N Aforward
 
 #allow fragmentation-needed
 $IPTABLES -A Aforward -p icmp --icmp-type fragmentation-needed -j ACCEPT
 
fi
 
echo "Start setting VPN Client rules"
 
#-----------------------------------------------------#
#       VPN CLIENT RULES FROM HERE                    #
#-----------------------------------------------------#
 
if ( [ $CMD = "VPN" -o $CMD = "start" ] ); then
        ####################################################
        # VPN Clients
        #########################
        echo " - Setting rules for VPN Clients"
        $IPTABLES -F vpn-clients
        $IPTABLES -X vpn-clients
        $IPTABLES -N vpn-clients
        if ( [ $CMD = "start" ] ); then
                for ip in 192.168.255.200 192.168.255.201 192.168.255.202 192.168.255.203 192.168.255.204 192.168.255.205 192.168.255.206 192.168.255.207 192.168.255.208 192.168.255.209 192.168.255.210
                    do
                        $IPTABLES -A FORWARD -s $ip -j vpn-clients
                        $IPTABLES -A FORWARD -d $ip -j vpn-clients
                done
        fi
 
        # YOUR RULES GO HERE
 
        # HTTP to a local webserver (for example)
        $IPTABLES -A vpn-clients -p tcp -d 192.168.255.10 --dport 80 -j ACCEPT
        $IPTABLES -A vpn-clients -p tcp -s 192.168.255.10 --sport 80 ! --syn -j ACCEPT
 
        # ALLOW Ping
        $IPTABLES -A vpn-clients -p icmp -j ACCEPT
 
        # DROP ALL Other
        $IPTABLES -A vpn-clients -j LOG --log-prefix "[DROP-vpn-clients ]"
        $IPTABLES -A vpn-clients -j DROP
        #########################
        # VPN range
        ####################################################
fi
 
#-----------------------------------------------------#
echo "Done setting VPN Client Rules"
#-----------------------------------------------------#
#       VPN CLIENT RULES UNTIL HERE                   #
#-----------------------------------------------------#
 
 
#-----------------------------------------------------#
if ( [ $CMD = "start" ] ); then
        #********************************************************
        # VPNServer local rules
        #********************
        echo "Setting local rules"
        # ssh in
        $IPTABLES -A INPUT -p tcp -d $WAN_IP --dport 22 -j ACCEPT
        $IPTABLES -A OUTPUT -p tcp -s $WAN_IP --sport 22 ! --syn -j ACCEPT
 
        # VPN in
        $IPTABLES -A INPUT -p tcp -d $WAN_IP --dport 443 -j ACCEPT
        $IPTABLES -A OUTPUT -p tcp -s $WAN_IP --sport 443 -j ACCEPT
 
        # DNS lookups naar DNS
        for i in $DNSSERVERS
        do
          $IPTABLES -A OUTPUT -p udp --sport 53 -d $i -j ACCEPT
          $IPTABLES -A INPUT  -p udp -s $i --sport 53 -j ACCEPT
          $IPTABLES -A OUTPUT -p udp -d $i --dport 53 -j ACCEPT
          $IPTABLES -A INPUT  -p udp -s $i --dport 53 -j ACCEPT
          $IPTABLES -A OUTPUT -p tcp -d $i --dport 53 -j ACCEPT
          $IPTABLES -A INPUT  -p tcp -s $i --dport 53 -j ACCEPT
          $IPTABLES -A OUTPUT -p tcp --sport 53 -d $i ! --syn -j ACCEPT
          $IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
          $IPTABLES -A INPUT -p udp --sport 123 -j ACCEPT
        done
 
        # local everything
        $IPTABLES -A OUTPUT -p tcp -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
        $IPTABLES -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        $IPTABLES -A INPUT -p tcp -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
        $IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
 
        $IPTABLES -A OUTPUT -p udp -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
        $IPTABLES -A INPUT -p udp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        $IPTABLES -A INPUT -p udp -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
        $IPTABLES -A OUTPUT -p udp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
 
        $IPTABLES -A OUTPUT -p icmp -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
        $IPTABLES -A INPUT -p icmp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        $IPTABLES -A INPUT -p icmp -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
        $IPTABLES -A OUTPUT -p icmp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
 
        # browse (apt, etc..)
        $IPTABLES -A OUTPUT -p tcp -s $WAN_IP --dport 80 -j ACCEPT
        $IPTABLES -A INPUT -p tcp -d $WAN_IP --sport 80 ! --syn -j ACCEPT
        $IPTABLES -A OUTPUT -p tcp -s $WAN_IP --dport 443 -j ACCEPT
        $IPTABLES -A INPUT -p tcp -d $WAN_IP --sport 443 ! --syn -j ACCEPT
 
        # ALLOW ICMP
        $IPTABLES -A INPUT -p icmp -j ACCEPT
        $IPTABLES -A OUTPUT -p icmp -j ACCEPT
 
        # deny rest
        $IPTABLES -A INPUT -j LOG --log-prefix "[DROP-INPUT-WAN] "
        $IPTABLES -A INPUT -j DROP
        $IPTABLES -A OUTPUT -j LOG --log-prefix "[DROP-OUTPUT-WAN] "
        $IPTABLES -A OUTPUT -j DROP
        #$IPTABLES -A FORWARD -j LOG --log-prefix "[DROP-FORWARD-WAN] "
        $IPTABLES -A FORWARD -j DROP
 
        # Reset default policy: DROP
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P INPUT DROP
        $IPTABLES -P OUTPUT DROP
fi
#-----------------------------------------------------#
 
echo "--------------------------------"
echo "IPTABLES FIREWALL SCRIPT LOADED "
echo "--------------------------------"
#-----------------------------------------------------#
#eof
#-----------------------------------------------------#

Then make the script executable and add the firewall to run at startup

chmod 700 /opt/firwall/localfw
vi /etc/rc.local (add <strong>/opt/firewall/localfwstrong> just before exit 0)

VPN status

This script will show you some statistics on the VPN server.

vi /usr/local/bin/openvpn-status

openvpn-status (Click to expand)

#!/usr/bin/env python
# -*- coding: utf-8 -*-
 
STATUS = "/var/log/openvpn-status.log"
 
status_file = open(STATUS, 'r')
stats = status_file.readlines()
status_file.close()
 
hosts = []
 
headers = {
    'cn':    'Common Name',
    'virt':  'Virtual Address',
    'real':  'Real Address',
    'sent':  'Sent',
    'recv':  'Received',
    'since': 'Connected Since'
}
 
sizes = [
    (1<<50L, 'PB'),
    (1<<40L, 'TB'),
    (1<<30L, 'GB'),
    (1<<20L, 'MB'),
    (1<<10L, 'KB'),
    (1,       'B')
]
 
def byte2str(size):
    for f, suf in sizes:
        if size >= f:
            break
 
    return "%.2f %s" % (size / float(f), suf)
 
for line in stats:
    cols = line.split(',')
 
    if len(cols) == 5 and not line.startswith('Common Name'):
        host  = {}
        host['cn']    = cols[0]
        host['real']  = cols[1].split(':')[0]
        host['recv']  = byte2str(int(cols[2]))
        host['sent']  = byte2str(int(cols[3]))
        host['since'] = cols[4].strip()
        hosts.append(host)
 
    if len(cols) == 4 and not line.startswith('Virtual Address'):
        for h in hosts:
            if h['cn'] == cols[1]:
                h['virt'] = cols[0]
 
fmt = "%(cn)-25s %(virt)-18s %(real)-15s %(sent)13s %(recv)13s %(since)25s"
print fmt % headers
print "\n".join([fmt % h for h in hosts])

Now make the script executable.

chmod 700 /usr/local/bin/openvpn-status

If you run it and a client is connected you will see something like this:

# /usr/local/bin/openvpn-status
Common Name               Virtual Address    Real Address             Sent      Received           Connected Since
johndoe                   00:00:00:00:00:00  1.2.3.4          1.11 MB     489.49 KB  Wed Dec 11 13:26:42 2011

References

Installing VMware server 2.0.2 on debian 6.0.1 X64

Arno Haverlach — Sat, 14 May 2011 15:06:23 +0000

Download VMware-server-2.0.2-203138.x86_64.tar.gz from the vmware website and place it in /usr/src (you need to register on the VMware website before you can download)

Download my install file below and unpack it to /usr/src:

cd /usr/src
wget http://www.troublenow.org/files/vmware/vmware2.0.2-on-debian6.0.1.tar.gz
tar xvzf vmware2.0.2-on-debian6.0.1.tar.gz
cd /usr/src/vmware2
sh install-vmware-2.0.2.sh

This wil unpack the files, patch them for debian 6.0.1 and start the vmware installation.
Answer all the questions during the vmware install and the installation should complete.

Now reboot the server and you should be ready to go.

The above vmware2.0.2-on-debian6.0.1.tar.gz file has the following content:

00-vmware-2.6.32_functional.diff
01-vmware-2.6.32_cosmetic.diff
02-vmnet-include.diff
install-vmware-2.0.2.sh
patch-vmware_2.6.3x.sh
vmware-config.pl.diff

All files except install-vmware-2.0.2.sh are from NerdbyNature.de with some small modifications.
install-vmware-2.0.2.sh is a simple setup script I created for easy install.

References:

Mobile internet using you mobile phone in Linux

Arno Haverlach — Sun, 24 Aug 2008 16:22:20 +0000

When I am on the road sometimes its very handy to have internet around.

luckily this is very easy to accomplish in Linux. In this case I will be using a Samsung F700 Mobile phone connected to my Asus EEE 701 laptop running Ubuntu linux.

A few things however to think of before you start:
- Do you have a ‘unlimited’ or limited (100MiB/1GiB etc..) contract (‘unlimited’ is recommended)
- Does your provider allow dial up using your phone & laptop (By Vodafone it is not allowed but if you use it for ‘normal’ web browsing they don’t mind (if you start using it to download your latest TV episode’s or whatever you will be shutdown.)

So lets start:

First connect the phone to the laptop using the USB cable in my case the phone will ask me in what ‘mode’ the phone should operate, I need to select ‘pc studio’ to use the phone as a gateway to the internet.

Now when the phone is connected to the PC open a terminal and run wvdialconf to create a new config file:

trouble@sun:$ sudo wvdialconf /etc/wvdial.conf

Editing `/etc/wvdial.conf'.

Scanning your serial ports for a modem.

ttyS0<*1>: ATQ0 V1 E1 -- failed with 2400 baud, next try: 9600 baud
ttyS0<*1>: ATQ0 V1 E1 -- failed with 9600 baud, next try: 115200 baud
ttyS0<*1>: ATQ0 V1 E1 -- and failed too at 115200, giving up.
Modem Port Scan<*1>: S1 S2 S3
WvModem<*1>: Cannot get information for serial port.
ttyACM0<*1>: ATQ0 V1 E1 -- OK
ttyACM0<*1>: ATQ0 V1 E1 Z -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- ERROR
ttyACM0<*1>: Modem Identifier: ATI -- Manufacturer: SAMSUNG ELECTRONICS CORPORATION
ttyACM0<*1>: Speed 4800: AT -- OK
ttyACM0<*1>: Speed 9600: AT -- OK
ttyACM0<*1>: Speed 19200: AT -- OK
ttyACM0<*1>: Speed 38400: AT -- OK
ttyACM0<*1>: Speed 57600: AT -- OK
ttyACM0<*1>: Speed 115200: AT -- OK
ttyACM0<*1>: Speed 230400: AT -- OK
ttyACM0<*1>: Speed 460800: AT -- OK
ttyACM0<*1>: Max speed is 460800; that should be safe.
ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK

Found an USB modem on /dev/ttyACM0.
Modem configuration written to /etc/wvdial.conf.
ttyACM0: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2"

As you can see it found my Samsung F700 phone and updated the wvdial.conf file.

Now we need to edit the wvdial.conf file to add a few paramaters (user/pass & dial number)
the default config file looks like this:

trouble@sun:$ $ cat /etc/wvdial.conf

[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2
Modem Type = USB Modem
Baud = 460800
New PPPD = yes
Modem = /dev/ttyACM0
ISDN = 0
; Phone =
; Password =
; Username =

Now you will need to know the ‘Target Phone Number’ for vodafone in the Netherlands this is ‘*99#’ but this might be different in your case so just ‘google’ around if you have a other provider for the target phone number.

The username and password can be just random but I like to keep it simple and changed both to ‘vodafone’

Also you need to enable ‘stupid mode’ in wvdial to work around some of the ‘intelligence’ in wvdial to get it to work.

So vi the wvdial.conf file and it should look like this:

trouble@sun:$ $ sudo vi /etc/wvdial.conf
[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2
Modem Type = USB Modem
Baud = 460800
New PPPD = yes
Modem = /dev/ttyACM0
ISDN = 0
Phone = *99#
Password = vodafone
Username = vodafone
Stupid Mode = 1

Now you are ready to go, so start ‘wvdial’ and you should be connected (I created a desktop terminal launcher with the command: ‘sudo wvdial’ for this).

trouble@sun:$ $ sudo wvdial
--> WvDial: Internet dialer version 1.60
--> Cannot get information for serial port.
--> Initializing modem.
--> Sending: ATZ
ATZ
OK
--> Sending: ATQ0 V1 E1 S0=0 &C1 &D2
ATQ0 V1 E1 S0=0 &C1 &D2
OK
--> Modem initialized.
--> Sending: ATDT*99#
--> Waiting for carrier.
ATDT*99#
CONNECT
--> Carrier detected. Starting PPP immediately.
--> Starting pppd at Sun Aug 24 18:14:11 2008
--> Pid of pppd: 23198
--> Using interface ppp0
--> pppd: ��[06][08]��[06][08]
--> pppd: ��[06][08]��[06][08]
--> pppd: ��[06][08]��[06][08]
--> pppd: ��[06][08]��[06][08]
--> pppd: ��[06][08]��[06][08]
--> pppd: ��[06][08]��[06][08]
--> pppd: ��[06][08]��[06][08]
--> local IP address YOURIP
--> pppd: ��[06][08]��[06][08]
--> remote IP address GATEWAYIP
--> pppd: ��[06][08]��[06][08]
--> primary DNS address DNSIP
--> pppd: ��[06][08]��[06][08]
--> secondary DNS address DNSIP
--> pppd: ��[06][08]��[06][08]

Burning a video DVD VIDEO_TS in Linux

Arno Haverlach — Tue, 15 Jan 2008 18:01:59 +0000

You can rip dvd’s with multiple tools, and some of these rip the dvd to a ‘VIDEO_TS’ and ‘AUDIO_TS’ folder. You can burn them again with the tool mkisofs.

Place your ‘VIDEO_TS’ and ‘AUDIO_TS’ in a folder (lets say /home/user1/mymovie/)

Install mkisofs:

trouble@sun:$ apt-get update
trouble@sun:$ apt-get install mkisofs

Then use mkisofs to create a ISO file from the folder:

trouble@sun:$ mkisofs -dvd-video -o /home/user1/mymovie.iso /home/user1/mymovie/

Now in /home/user1 you have a iso file called ‘mymovie.iso’

now use brazero or any other burning tool to burn the .iso file to a DVD.

Firewall VMware Server 1.0.x guest with iptables on the host

Arno Haverlach — Thu, 06 Dec 2007 12:33:07 +0000

Running a linux host with VMware 1.0.x Server you are not able to firewall the VMware guests on the host machine. Because vmware runs in the kernel the traffic to the guest is already handled by vmware before iptables will see the traffic.

Now it is possible to firewall the client by setting up a dummy network interface and bridge the physical interface to the dummy, this way you can let VMware setup his bridge to the dummy interface and you see the traffic passing by.

The layout

Lets say you have the following setup (click for larger):

host01 has a virtual host ‘guest01′ and it is bridged to eth0 and eth1 so it has a connection to the internet and a connection to the backlan to reach the DB0x servers.

However host02 has the same setup, but I don’t want ‘guest02′ to reach ‘guest01′, this could be aranged with a firewall on the guests but thats a bad solution if they are running windows (you don’t want to overload a already bloated windows with a extra firewall right?), so however there are multiple ways to fix this one solution is to setup a bridge on the host machine’s and firewall the traffic before it reaches the guest.

The following image should explain it a little more (click for larger):

The configuration

In this setup the ‘host’ machine is running ubuntu 6.06.1 LTS, has 2 nic’s and we are using VMware Server 1.0.4. that should have a bridge to both nics.
We will be creating 2 dummy network interfaces called ‘dummy0′ and ‘dummy1′ and 2 bridges called ‘br0′ and ‘br1′.
Then bind eth0 to dummy0 with br0 and eth1 to dummy1 with br1.

First install bridge utilities

trouble@sun:$ apt-get install bridge-utils

Now connect to the console of the server as you can’t do this remote (well you can but then do 1 interface at a time)
Shutdown vmware and shutdown the interfaces

trouble@sun:$ /etc/init.d/vmware stop
trouble@sun:$ ifdown eth0
trouble@sun:$ ifdown eth1

Now be sure to comment out the settings in /etc/network/interfaces for eth0 and eth1 so these are not read anymore.

create the dummy interfaces

trouble@sun:$ modprobe dummy -o dummy0
trouble@sun:$ modprobe dummy -o dummy1

then create bridge 0 and bridge 1 and bind the interfaces to them, in my network I need to put stp ‘off’ but check in your case.

# br0, eth0 and dummy0

trouble@sun:$ brctl addbr br0
trouble@sun:$ brctl addif br0 eth0
trouble@sun:$ brctl addif br0 dummy0
trouble@sun:$ brctl stp br0 off

# br1, eth1 and dummy1

trouble@sun:$ brctl addbr br1
trouble@sun:$ brctl addif br1 eth1
trouble@sun:$ brctl addif br1 dummy1
trouble@sun:$ brctl stp br1 off

Now with the command ‘brctl show’ you should see the interfaces.

trouble@sun:$ brctl show
bridge name bridge id STP enabled interfaces
br1 8000.00112f164152 no eth1
dummy1
br0 8000.00112f164151 no eth0
dummy0

Oke now the bridges are configured, time to add a ipaddress to br0 and br1 so we can also connect to the server for management. Currently I will do this with ifconfig instead of putting it in the network file (see below for the complete script)

trouble@sun:$ ifconfig eth0 0.0.0.0
trouble@sun:$ ifconfig dummy0 0.0.0.0
trouble@sun:$ ifconfig eth1 0.0.0.0
trouble@sun:$ ifconfig dummy1 0.0.0.0
trouble@sun:$ ifconfig br0 10.1.1.2 netmask 255.255.255.0
trouble@sun:$ ifconfig br1 192.168.10.2 netmask 255.255.255.0
trouble@sun:$ route add default gw 10.1.1.1

Now the host should be reachable again on his network interfaces.

Now its time to reconfigure VMware with vmware-config.pl, when it asks for the network settings change them in the ‘editor’ mode and set bridging on ‘vmnet0′ to ‘br0′ and ‘vmnet2′ to ‘br1′.
Edit your virtual machine to use vmnet0 and vmnet2 and you should be ready to go with network on the virtual machines again.

The Firewall Rules

So the bridges are set, now its time to create some firewall rules, I won’t start explaining iptables here so here is an example configuration script that creates the bridged interfaces and configures the firewall.

To explain it a little:
First I will create the bridges and add ipaddresses to them, and only do this if they are not already created.
Then we move all traffic flowing through br0 in ‘Aforward’ (traffic to dummy0), and all traffic flowing through br1 in ‘Bforward’ (traffic to dummy1)(Just give it your own names if you wish this is logical for me

Now make sure to put your firewall rules for the guests in the section marked as:

1 2	##### Firewall rules for br0 from here! #### ##### Firewall rules for br0 until here! ####

And the same for br1, and configure your local firewall rules to the ipaddresses of the host in:

1 2	#-------- Local Firewall Rules to this host ----------# #-----------------------------------------------------#

And you should be ready to go firewalled all traffic flowing through the vmware guests. Be sure to understand that this will only firewall the traffic from the ‘outside’ to your guest if you have multiple guests on your vmware host traffic is not firewalled between the 2 guests. This could be fixed by putting every guest in a seperate vmnet and use the host to NAT traffic to it but that won’t work in every setup.
Currently in the setup I am using I only have 2 Windows servers on 2 different hosts so I bridged those, firewalled those on the hosts, and the linux guests on the same hosts have there own firewall rules so I don’t have this problem. (you do firewall all your nodes in a network right?)

And the complete script:

#!/bin/bash
#----------------------------------------------------#
#   Arno Haverlach (arno (at) haverlach (dot) nl)
#   Firewall/Bridge script for vmware
#   ver 0.1 20071204
#----------------------------------------------------#
 
#--------------IP Variables -------------------------#
DNS1=10.1.1.1		        # dns server 1
DNS2=10.1.1.2                   # dns server 2
MANAGEMENTHOST=x.x.x.x          # Management host
#-----------------------------------------------------#
 
#---------------- variables --------------------------#
# Bridge 0 (WAN)
BR0IP="10.1.1.2"            # ip of the LAN interface
BR0MASK="255.255.255.0"       # subnetmask of the LAN
BR0IF1="eth0"                   # The physical LAN interface
BR0IF2="dummy0"                 # This should be the dummy
BR0GW="1"                       # 0 for no 1 for yes to enable the gateway
BR0GWIP="10.1.1.1"          # the ip of the gateway if BRI1GW=1
 
# Bridge 1 (LAN)
BR1IP="192.168.10.2"          # ip of the LAN interface
BR1MASK="255.255.255.0"         # subnetmask of the LAN
BR1IF1="eth1"                   # The physical LAN interface
BR1IF2="dummy1"                 # This should be the dummy
BR1GW="0"                       # 0 for no 1 for yes to enable the gateway
BR1GWIP="0.0.0.0"               # the ip of the gateway if BRI1GW=1
 
# A few paths
IPTABLES="/sbin/iptables"       # path to iptables
MODPROBE="/sbin/modprobe"       # path to modprobe
BRCTL="/usr/sbin/brctl"         # path to brctl
IFCONFIG="/sbin/ifconfig"       # path to ifconfig
ROUTE="/sbin/route"             # path to route
 
# Check how we are started
CMD=$1
if ( [ -z $CMD ] ); then CMD="start"; fi
 
#-----------------------------------------------------#
 
#--------------- And now the fun stuff ---------------#
 
if ( [ $CMD = "start" ] ); then
 
#---------------- Create br0 -------------------------#
 
# load the module if needed
 MDCHK1="`lsmod | grep -i dummy0 | awk {' print $1 '}`"
 if ( [ "$MDCHK1" != "dummy0" ] ); then $MODPROBE dummy -o dummy0; fi
 
# create the bridge if needed
 BRCHK1="`brctl show | grep br0 | awk {' print $1 '}`"
 if ( [ "$BRCHK1" != "br0" ] ); then
  $BRCTL addbr br0
  $BRCTL addif br0 $BR0IF1
  $BRCTL addif br0 $BR0IF2
  $BRCTL stp br0 off
  $IFCONFIG $BR0IF1 0.0.0.0
  $IFCONFIG $BR0IF2 0.0.0.0
  $IFCONFIG br0 $BR0IP netmask $BR0MASK
  if ( [ "$BR0GW" = "1" ] ); then
   $ROUTE add default gw $BR0GWIP
  fi
 fi
#-----------------------------------------------------#
 
#---------------- Create br1 -------------------------#
# load the module if needed
 MDCHK1="`lsmod | grep -i dummy1 | awk {' print $1 '}`"
 if ( [ "$MDCHK1" != "dummy1" ] ); then $MODPROBE dummy -o dummy1; fi
 
# create the bridge if needed
 BRCHK1="`brctl show | grep br1 | awk {' print $1 '}`"
 if ( [ "$BRCHK1" != "br1" ] ); then
  $BRCTL addbr br1
  $BRCTL addif br1 $BR1IF1
  $BRCTL addif br1 $BR1IF2
  $BRCTL stp br1 off
  $IFCONFIG $BR1IF1 0.0.0.0
  $IFCONFIG $BR1IF2 0.0.0.0
  $IFCONFIG br1 $BR1IP netmask $BR1MASK
  if ( [ "$BR1GW" = "1" ] ); then
   $ROUTE add default gw $BR1GWIP
  fi
 fi
 
#-----------------------------------------------------#
 
#--------------- Firewall default --------------------#
 
# Default policy: ACCEPT
 $IPTABLES -P FORWARD ACCEPT
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P OUTPUT ACCEPT
 
# Flush
 $IPTABLES -F
 $IPTABLES -t mangle -F
 $IPTABLES -F FORWARD
 $IPTABLES -F INPUT
 $IPTABLES -F OUTPUT
 
# Default policy: ACCEPT
 $IPTABLES -P FORWARD ACCEPT
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P OUTPUT ACCEPT
 
#-----------------------------------------------------#
 
#-------------- We put br0 in Aforward ---------------#
 
 # Create Aforward
 $IPTABLES -N Aforward
$IPTABLES -A FORWARD -i br0 -j Aforward
 $IPTABLES -A FORWARD -o br0 -j Aforward
 
# Drop all crap on Aforward
    $IPTABLES -A Aforward -p TCP --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPTABLES -A Aforward -p TCP --tcp-flags SYN,RST SYN,RST -j DROP
    $IPTABLES -A Aforward -p TCP --tcp-flags FIN,RST FIN,RST -j DROP
    $IPTABLES -A Aforward -p TCP --tcp-flags ACK,FIN FIN -j DROP
    $IPTABLES -A Aforward -p TCP --tcp-flags ACK,PSH PSH -j DROP
    $IPTABLES -A Aforward -p TCP --tcp-flags ACK,URG URG -j DROP
 
##### Firewall rules for br0 from here! ####
 
##### Firewall rules for br0 until here! ####
 
# drop the rest on Aforward
    $IPTABLES -A Aforward -j DROP
 
#-----------------------------------------------------#
 
#-------------- We put br1 in Bforward ---------------#
 
 # Create Bforward
 $IPTABLES -N Bforward
$IPTABLES -A FORWARD -i br1 -j Bforward
 $IPTABLES -A FORWARD -o br1 -j Bforward
 
# Drop all crap on Bforward
    $IPTABLES -A Bforward -p TCP --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPTABLES -A Bforward -p TCP --tcp-flags SYN,RST SYN,RST -j DROP
    $IPTABLES -A Bforward -p TCP --tcp-flags FIN,RST FIN,RST -j DROP
    $IPTABLES -A Bforward -p TCP --tcp-flags ACK,FIN FIN -j DROP
    $IPTABLES -A Bforward -p TCP --tcp-flags ACK,PSH PSH -j DROP
    $IPTABLES -A Bforward -p TCP --tcp-flags ACK,URG URG -j DROP
 
##### Firewall rules for br1 from here! ####
 
##### Firewall rules for br1 until here! ####
 
# drop the rest on Bforward
    $IPTABLES -A Bforward -j DROP
 
#-----------------------------------------------------#
 
#--------------- Drop on FORWARD ---------------------#
 
 $IPTABLES -A FORWARD -j LOG --log-prefix "[DROP-FORWARD] "
 $IPTABLES -A FORWARD -j DROP
 
#-----------------------------------------------------#
 
#-------- Local Firewall Rules to this host ----------#
 
## INPUT ##
 
# VMWARE Console management hosts
 
 $IPTABLES -A INPUT -p tcp -s $MANAGEMENTHOST --dport 902 -j ACCEPT
 $IPTABLES -A OUTPUT -p tcp -d $MANAGEMENTHOST --sport 902 ! --syn -j ACCEPT
 $IPTABLES -A INPUT -p tcp -s $MANAGEMENTHOST --dport 8222 -j ACCEPT
 $IPTABLES -A OUTPUT -p tcp -d $MANAGEMENTHOST --sport 8222 ! --syn -j ACCEPT
 $IPTABLES -A INPUT -p tcp -s $MANAGEMENTHOST --dport 8333 -j ACCEPT
 $IPTABLES -A OUTPUT -p tcp -d $MANAGEMENTHOST --sport 8333 ! --syn -j ACCEPT
 
# ssh in from everyone and all interfaces
 
 $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
 $IPTABLES -A OUTPUT -p tcp --sport 22 ! --syn -j ACCEPT
 
## OUTPUT ##
 
# port 80 to browse a bit for updates and stuff (you should limit this)
 $IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
 $IPTABLES -A INPUT -p tcp --sport 80 ! --syn -j ACCEPT
 
# DNS lookups
 
 DNSSERVERS="$DNS1 $DNS2"
 for dnsip in $DNSSERVERS
  do
   $IPTABLES -A OUTPUT -p udp --sport 53 -d $dnsip -j ACCEPT
   $IPTABLES -A INPUT  -p udp -s $dnsip --sport 53 -j ACCEPT
   $IPTABLES -A OUTPUT -p udp -d $dnsip --dport 53 -j ACCEPT
   $IPTABLES -A INPUT  -p udp -s $dnsip --dport 53 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp -d $dnsip --dport 53 -j ACCEPT
   $IPTABLES -A INPUT  -p tcp -s $dnsip --dport 53 -j ACCEPT
   $IPTABLES -A OUTPUT -p tcp --sport 53 -d $dnsip ! --syn -j ACCEPT
  done
 
# deny rest
 
 $IPTABLES -A INPUT -j LOG --log-prefix "[DROP-INPUT] "
 $IPTABLES -A INPUT -j DROP
 $IPTABLES -A OUTPUT -j LOG --log-prefix "[DROP-OUTPUT] "
 $IPTABLES -A OUTPUT -j DROP
 $IPTABLES -A FORWARD -j DROP
 
#-----------------------------------------------------#
 
#---------------- End the if cmd=start ---------------#
fi
#-----------------------------------------------------#
 
#------------- Set default policy to DROP ------------#
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
#-----------------------------------------------------#
#eof