OpenVPN easy-rsa notes

Get the recent easy-rsa scripts:

# git clone openvpn/easy-rsa
git checkout v3.0.6
# copy easy-rsa directory to /etc/openvpn/server
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
./easyrsa build-ca # this will need a password
./easyrsa gen-dh
./easyrsa gen-req servername.com nopass
./easyrsa sign-req server servername.com # requires ca passwd from above

Now you can edit your server/server.conf file and fire it up with

systemctl enable openvpn@server
systemctl start openvpn@server

and watch journalctl while you do that.

Generating a client:

./easyrsa gen-req clientname.com nopass
./easyrsa sign-req client clientname.com #requires ca passwd

Example conf file looks like:

client
proto udp
dev tun
remote support.foo.net 1194
keepalive 10 120
keysize 256
cipher AES-256-CBC
verb 3
compress lz4-v2
key ...
cert ...
ca ...
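An added example (not from the original notes) that turns the easy-rsa output above into a single client .ovpn with the CA cert, client cert and key embedded inline, replacing the key/cert/ca file paths at the end of the sample conf. It assumes the easy-rsa v3 layout from the notes (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key); the PKI it builds for the demo is constructed with placeholder PEM bodies, and the remote-cert-tls line is an added check, not part of the original conf.

```shell
#!/bin/bash
# Added example, not from the original notes. Builds one client .ovpn with the
# CA cert, client cert and client key embedded inline.
# Assumes the easy-rsa v3 layout: $PKI/ca.crt $PKI/issued/<name>.crt $PKI/private/<name>.key

# Print only the PEM block of a file (easy-rsa's issued/*.crt carry a text dump
# of the certificate above the PEM; the inline config does not need it).
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

make_ovpn() {
  local pki="$1" name="$2" remote="$3" out="$4"
  local ca="$pki/ca.crt" cert="$pki/issued/$name.crt" key="$pki/private/$name.key"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
  done
  {
    printf '%s\n' client 'proto udp' 'dev tun' "remote $remote 1194" \
      'keepalive 10 120' 'cipher AES-256-CBC' 'compress lz4-v2' 'verb 3'
    # Added check: only accept a peer whose cert was issued with "sign-req server"
    # (server EKU), so a leaked client cert cannot be used to impersonate the VPN.
    printf '%s\n' 'remote-cert-tls server'
    printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
    printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
    printf '<key>\n';  pem_only "$key";  printf '</key>\n'
  } > "$out" && chmod 600 "$out"   # the private key is inside; keep it private
}

# Constructed sample PKI with placeholder PEM bodies (not real keys) so the
# function can be exercised offline; prints the path of the generated .ovpn.
demo_ovpn() {
  local pki
  pki=$(mktemp -d) && mkdir -p "$pki/issued" "$pki/private"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$pki/ca.crt"
  printf '%s\n' 'Certificate:' '    Data: (easy-rsa text dump)' \
    '-----BEGIN CERTIFICATE-----' 'CLIENT-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$pki/issued/clientname.com.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$pki/private/clientname.com.key"
  make_ovpn "$pki" clientname.com support.foo.net "$pki/clientname.com.ovpn" \
    && echo "$pki/clientname.com.ovpn"
}

demo_ovpn
```

On a real server, point make_ovpn at /etc/openvpn/server/easy-rsa/pki instead of the demo tree.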

Ubuntu 18.04 Terminal Boot

Here are a series of commands to get Ubuntu 18.04 to boot into terminal mode, with various extras on how to get an automatic menu on boot up.

Skipping Graphical Boot

If you want to skip the graphical login screen, hit [Shift] or [Esc] during boot to get to the grub menu. Add this to the linux command line:
systemd.unit=multi-user.target
Then hit Ctrl-X to boot.

Changing the Default Boot Target

Become root. In /lib/systemd/system, change the default.target symlink:

# rm default.target; ln -s multi-user.target default.target
# systemctl daemon-reload

Checking the Filesystem Every Boot

If you do the first command above with a semicolon, you can still use tab-completion. Next, we go to /etc/default and update the grub settings:

# cd /etc/default
# vim grub
Change GRUB_CMDLINE_LINUX_DEFAULT to this value:
"fsck.mode=force fsck.repair=yes"

Run update-grub2:
# update-grub2

Reinforce this behavior by using tune2fs to make each file system run a check each boot. What file systems are you running?

# lsblk -o NAME,MOUNTPOINT # will produce output kinda like:
sda   
  sda1  /boot
  sda2  /
  sda3 [SWAP]
  sda4 /home

Running these commands will make sda1, sda2 and sda4 all check on every mount:

# tune2fs -c1 /dev/sda1
# tune2fs -c1 /dev/sda2
# tune2fs -c1 /dev/sda4
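An added helper (not from the original notes) that picks out only the ext2/3/4 partitions from the lsblk listing before running tune2fs -c1, since tune2fs does nothing useful for the swap partition or non-ext filesystems. It reads the raw, header-less form of the listing (lsblk -rno NAME,FSTYPE,MOUNTPOINT) on stdin; the sample listing embedded here is constructed to match the one above.

```shell
# Added example, not from the original notes: run tune2fs -c1 only on ext
# partitions. Input is lsblk -rno NAME,FSTYPE,MOUNTPOINT (raw, no header).

ext_partitions() {
  # NAME FSTYPE MOUNTPOINT per line; print /dev/NAME for ext2/3/4 only
  awk '$2 ~ /^ext[234]$/ { print "/dev/" $1 }'
}

# Print the tune2fs commands for review; with DO_IT=1 actually run them.
tune2fs_every_mount() {
  ext_partitions | while read -r dev; do
    if [ "${DO_IT:-0}" = 1 ]; then sudo tune2fs -c1 "$dev"
    else echo "tune2fs -c1 $dev"; fi
  done
}

# Constructed sample matching the lsblk listing in the notes (sda3 is swap).
SAMPLE_LSBLK='sda
sda1 ext4 /boot
sda2 ext4 /
sda3 swap [SWAP]
sda4 ext4 /home'

# Real use: lsblk -rno NAME,FSTYPE,MOUNTPOINT | DO_IT=1 tune2fs_every_mount
printf '%s\n' "$SAMPLE_LSBLK" | tune2fs_every_mount
```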

Reboot:
# reboot

That shouldn’t take too long. You have a tty login now.

Creating an Automatic Menu

I’m disabling a few things:

systemctl disable snapd.service wpa_supplicant.service unattended-upgrades.service cups-browserd.service cups.service
systemctl daemon-reload

There will be lots of snaps you don’t want:

snap list --all | awk '/gnome|gtk/{print $1, $2}' | while read snapname snaprevision; do snap remove "$snapname" --revision="$snaprevision"; done
This didn't work well, maybe snap remove "$snapname" is enough
You are logged in on tty1 by default. (I don't know why tty0 exists.) Following this guide, create this directory:
# cd /etc/systemd/system
# mkdir getty@tty1.service.d
# cd getty@tty1.service.d
# vim override.conf
[Service]
ExecStart=
ExecStart=-/root/onboot.bash
StandardInput=tty
StandardOutput=tty
# vim /root/onboot.bash

#!/bin/bash
echo "This is a sound recorder appliance. Hit a key to start recording."
RECORDING=0
while true; do
  read -sn1 KEY
  if [[ $RECORDING = 0 ]]; then
    RECORDING=1
    echo "Now recording"
    /root/start-recording.bash
  else
    RECORDING=0
    echo "Recording stopped"
    /root/stop-recording.bash
  fi
done


# chmod +x /root/onboot.bash
# systemctl daemon-reload
# reboot

All you have to do then is record things with the start-recording.bash and stop-recording.bash scripts.

ZFS Snapshot alias

Add this to your .bash_aliases for fun and profit:

function Snapshot () {
  local dst=""
  local atnam=""
  if [ -z "$1" ]; then
    # no argument: snapshot the dataset holding the current directory
    dst=$(df -l . | tail -1 | awk '{print $1}')
  else
    # argument is a path, optionally as path@name to pick the snapshot name
    dst="$1"
    if [[ $1 = *@* ]]; then
      atnam="${1##*@}"
      dst="${1%%@*}"
    fi
    dst=$(df -l "$dst" | tail -1 | awk '{print $1}')
  fi
  [ -z "$dst" ] && echo "wants file system name to snapshot" && return 1
  local NOW
  NOW=$(date +%Y%m%d-%H%M%S)
  # zfs wants the dataset name without leading or trailing slashes
  [[ $dst = /* ]] && dst="${dst#/}"
  [[ $dst = */ ]] && dst="${dst%/}"
  [ -z "$atnam" ] && atnam=$NOW
  sudo zfs snapshot "${dst}@${atnam}"
}


Ubuntu 18.04 Netplan!

This was unexpected, but I think I’m coping well. These are my notes on configuring netplan networking on my Ubuntu 18.04 server.

  1. systemctl disable NetworkManager.service NetworkManager-wait-online.service
  2. systemctl mask NetworkManager-wait-online.service
  3. systemctl daemon-reload
  4. apt install bridge-utils -y
  5. edit /etc/udev/rules.d/70-net.rules
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{type}=="1", ATTR{address}=="c8:70:00:9f:d7:72", NAME="eth0"
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{type}=="1", ATTR{address}=="00:e2:ed:17:09:60", NAME="eth1"
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{type}=="1", ATTR{address}=="00:e2:ed:17:09:61", NAME="eth2"
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{type}=="1", ATTR{address}=="00:e2:ed:17:09:62", NAME="eth3"
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{dev_id}=="0x0", ATTR{type}=="1", ATTR{address}=="00:e2:ed:17:09:63", NAME="eth4"
  6. edit /etc/netplan/01-netcfg.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        eth0:
          dhcp4: no
          dhcp6: no
        eth1:
          dhcp4: no
          dhcp6: no
        eth2:
          dhcp4: no
          dhcp6: no
        eth3:
          dhcp4: no
          dhcp6: no
        eth4:
          dhcp4: no
          dhcp6: no
      bridges:
        br0:
          dhcp4: yes
          dhcp6: no
          interfaces:
             - eth0
          routes:
             -  to: 192.168.100.0/24
                via: 192.168.45.3
                on-link: true
        br1:
          dhcp4: no
          dhcp6: no
          addresses: [10.45.0.1/24]
          interfaces:
             - eth1
        br2:
          dhcp4: no
          dhcp6: no
          addresses: [10.45.1.1/24]
          interfaces:
             - eth2
        br3:
          dhcp4: no
          dhcp6: no
          addresses: [10.45.2.1/24]
          interfaces:
             - eth3
        br4:
          dhcp4: no
          dhcp6: no
          addresses: [10.45.3.1/24]
          interfaces:
             - eth4
    
  7. sudo netplan generate
  8. sudo netplan apply
  9. reboot

Without my eth1-eth4 devices plugged into a switch, rebooting takes forever.

Made it Fit

This is a Digium card, clearly intended for a 1U or ATX case. One of my goals is to reduce the number of high speed fans in the lab, so I repurposed my Lanner chassis. Using a typical twist drill bit is a poor choice for the job of an end mill, but it came out ok when I put a rotary steel brush to the aluminum plate.


Soldered new cabling


Heat-shrunk cable ends fit nicely

Robocopy Notes

Install cmder: it’s the nicest shell I’ve seen for Windows. Run your console as Administrator; otherwise you can’t use the /B backup switch. Also remember you need to run the net use command as Administrator.

Before you robocopy stuff, set up a dedicated drive letter. A drive letter is only available to the session that mapped it. So if you have drive p: for Bob and then you elevate your console to Administrator, there is no more drive p:! So don't use the user's drive mappings: create admin drive mappings.

net use p: \\nas02\backup\ "secret" /user:bob /persistent:yes

Remember to type the password with “double quotes” and not ‘single quotes’. If you type single quotes you may as well be typing capital Xes: they become part of your password.

Run net use on its own to see whether you already have a drive mapped to the share. Close any File Explorer windows open to that server, because that’s equivalent to having a net use $d /user:anonymous open at the same time, and Windows won’t cooperate. Then mount the directory.

There are a lot of switches. We’ll assume a C:\Users directory.

C:\Users\bob> mkdir c:\temp
C:\Users\bob> cd C:\Users
C:\Users> robocopy bob P:\bu-bob\ /mir /ZB /FFT /XA:SH /W:5 /R:2 /dcopy:T ^
 /XJ /XD "Temp*" "cache2" "temporary internet files" "*cache*" /NFL

First try the command without the /LOG switch. The command goes faster with the log turned on, so do that later. /XF is a pattern to exclude files. Example log option: /LOG:C:\temp\bu.txt. /NFL will show directories, not files.

The /MT flag is useful, but it prohibits logging and is not available on Vista. The /XJ flag should be the default, but sadly it is not. Junction points create really frustrating backup path loops. Use /XJ!