Showing posts with label Networking. Show all posts

Monday, 27 July 2015

Enable Layer3 on a Cisco Switch

This is what worked for me on a Cisco WS-C2960-24PS-L switch:

First you need to change the sdm prefer template from the default to lanbase-routing.
The lanbase-routing template supports IPv4 unicast routes for configuring static routing SVIs.
Static routing is supported only on switched virtual interfaces (SVIs) and not on physical interfaces. The switch does not support routing protocols.
conf t
sdm prefer lanbase-routing
end
wr
reload 

Then you have to enable ip routing:
conf t
ip routing
Then you can add the static routes you like.


Monday, 16 February 2015

Configure CISCO Catalyst 2960 ports to monitoring/mirroring mode

This will send all traffic that arrives on ports Fa0/1-0/8 to the Gi0/1 interface:
switch>enable
switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

switch(config)#monitor session 1 source interface fastEthernet 0/1
switch(config)#monitor session 1 source interface fastEthernet 0/2
switch(config)#monitor session 1 source interface fastEthernet 0/3
switch(config)#monitor session 1 source interface fastEthernet 0/4
switch(config)#monitor session 1 source interface fastEthernet 0/5
switch(config)#monitor session 1 source interface fastEthernet 0/6
switch(config)#monitor session 1 source interface fastEthernet 0/7
switch(config)#monitor session 1 source interface fastEthernet 0/8

switch(config)#monitor session 1 destination interface gigabitEthernet 0/1
Show info:
switch#show monitor session 1
Session 1
---------
Type    : Local Session
Source Ports :
 Both: Fa0/1-8
Destination Ports : Gi0/1
 Encapsulation : Native
  Ingress : Disabled
And now we can capture this traffic:
# tcpdump -i eth0 -n


Thursday, 10 July 2014

Finding external IP using the command line

The easiest way is to use an external service via a command-line browser or download tool. Since wget is available by default in Ubuntu, we can use that.

To find your IP, use:
wget -qO- http://ipecho.net/plain ; echo
You can do the same using curl:
curl ipecho.net/plain ; echo


Wednesday, 9 July 2014

How to test a listening TCP/UDP port through nc

Besides testing whether a single port is listening, netcat (nc) can be used as a very fast basic port scanner: you can scan one port or a range.

To scan UDP ports 1 to 1000:
nc -vzu destination_ip 1-1000
To scan TCP ports 1 to 1000:
nc -vz destination_ip 1-1000
Keep in mind that a UDP port only shows as closed when an ICMP port-unreachable message comes back, so a UDP scan result is less reliable than a TCP one.


Monday, 16 June 2014

Using the IP command

The command /bin/ip has been around for some time now, but people keep using the older command /sbin/ifconfig. ifconfig won't go away quickly, but its replacement, ip, is more powerful and will eventually take over.
So here are the basics of the ip command.

Assign an IP address to a specific interface (include the prefix length, otherwise a /32 is assumed):
sudo ip addr add 192.168.50.5/24 dev eth1
Check an IP Address:
sudo ip addr show 
Remove an IP Address:
sudo ip addr del 192.168.50.5/24 dev eth1 
Enable Network Interface:
sudo ip link set eth1 up 
Disable Network Interface:
sudo ip link set eth1 down 
Check Route Table:
sudo ip route show 
Add Static Route:
sudo ip route add 10.10.20.0/24 via 192.168.50.100 dev eth0 
Remove Static Route:
sudo ip route del 10.10.20.0/24 
Add Default Gateway:
sudo ip route add default via 192.168.50.100


Monday, 29 July 2013

Iptables blacklists

Many of you already use online blacklists to fight spam. Recently I discovered http://www.openbl.org/ and started using their lists on my firewall to block hosts that are known to be performing attacks. It works in a very similar way to the spam blacklists out there, and this is how I've implemented it on my firewall.

First of all you'll need to have some packages installed:
sudo apt-get install iptables ipset wget
Now create an ipset to store all the abusing IP addresses and use iptables to block them:
#!/bin/bash
BLOCKDB="block.txt"
WORKDIR="/tmp"
pwd=$(pwd)
cd "$WORKDIR" || exit 1
#List of ips to block
ipset --create blackips iphash
## Obtain List of badguys from openbl.org (one IP per line, '#' comments)
wget -q -c --output-document="$BLOCKDB" http://www.openbl.org/lists/base.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -Ev "^#" "$BLOCKDB" | sort -u)
    for i in $IPList
    do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"
## Obtain List of badguys from ciarmy.com (same layout as above)
wget -q -c --output-document="$BLOCKDB" http://www.ciarmy.com/list/ci-badguys.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -Ev "^#" "$BLOCKDB" | sort -u)
    for i in $IPList
    do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"
## Obtain List of badguys from dshield.org (tab-separated, IP in the first column)
wget -q -c --output-document="$BLOCKDB" http://feeds.dshield.org/top10-2.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -f1 | sort -u)
    for i in $IPList
    do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"
#List of networks to block
ipset --create blacknets nethash
## Obtain List of badguys from dshield.org (start, end, prefix length -> start/prefix)
wget -q -c --output-document="$BLOCKDB" http://feeds.dshield.org/block.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -f1,3 | sed "s/\t/\//g" | sort -u)
    for i in $IPList
    do
        ipset --add blacknets "$i"
    done
fi
rm -f "$BLOCKDB"
## Obtain List of badguys from spamhaus.org ("CIDR ; SBLnnn", keep the CIDR)
wget -q -c --output-document="$BLOCKDB" http://www.spamhaus.org/drop/drop.lasso
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -d" " -f1 | sort -u)
    for i in $IPList
    do
        ipset --add blacknets "$i"
    done
fi
rm -f "$BLOCKDB"
#Drop blacklisted ips and networks (source address match on forwarded traffic)
iptables -A FORWARD -m set --match-set blackips src -j DROP
iptables -A FORWARD -m set --match-set blacknets src -j DROP
cd "$pwd"
In the above script I've used two ipsets, one storing IP addresses and another storing network addresses. You can add this script to your existing firewall and start taking advantage of the blacklists.
OpenBL is accepting donations at http://www.openbl.org/donations.html; if you can, you should help.
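As an added example (my own code, not the post's script), here is a small shell helper that turns the four feed layouts above into plain entries and builds an ipset restore batch, so a refresh loads a temporary set and swaps it in atomically instead of appending one address at a time to a set that never forgets delisted hosts; the sample feed contents are constructed, and the hash:ip/hash:net type names assume ipset 6 rather than the iphash/nethash names used in the post.

```shell
#!/bin/sh
# Added example, not the post's script. Feed layouts are as the post's
# grep/cut pipelines read them; the sample feeds below are constructed.

# feed_to_entries FORMAT  (feed on stdin; one ip or network/prefix per line on stdout)
feed_to_entries() {
    case "$1" in
        plain|dshield-top|dshield-block|spamhaus-drop) ;;
        *) echo "feed_to_entries: unknown format '$1'" >&2; return 1 ;;
    esac
    case "$1" in
        # openbl base.txt, ciarmy ci-badguys.txt: one IP per line, '#' comments
        plain)         grep -Ev '^[[:space:]]*(#|$)' | awk '{ print $1 }' ;;
        # dshield top10-2.txt: TAB separated, IP in the first column
        dshield-top)   grep -E '^[0-9]' | cut -f1 ;;
        # dshield block.txt: start<TAB>end<TAB>prefixlen<TAB>...; emit start/prefixlen
        dshield-block) grep -E '^[0-9]' | awk -F'\t' '{ print $1 "/" $3 }' ;;
        # spamhaus drop.lasso: "CIDR ; SBLnnn"; keep the CIDR only
        spamhaus-drop) grep -E '^[0-9]' | cut -d' ' -f1 ;;
    esac | sort -u
}

# entries_to_restore SET TYPE  (entries on stdin; "ipset restore" batch on stdout)
# TYPE is hash:ip for single addresses or hash:net for prefixes. The batch fills
# SET.tmp and swaps it with SET, so the iptables rules that reference SET by
# name keep working and never see a half-loaded set.
entries_to_restore() {
    printf 'create %s %s -exist\n' "$1" "$2"
    printf 'create %s.tmp %s -exist\n' "$1" "$2"
    printf 'flush %s.tmp\n' "$1"
    awk -v set="$1.tmp" '{ print "add " set " " $0 }'
    printf 'swap %s.tmp %s\ndestroy %s.tmp\n' "$1" "$1" "$1"
}

# Constructed sample feeds (not real list contents), one per layout.
sample_plain_feed() {
    printf '# openbl.org base list\n# source ip\n198.51.100.7\n\n203.0.113.9\n198.51.100.7\n'
}
sample_block_feed() {
    printf '# start\tend\tprefix\tattacks\n'
    printf '203.0.113.0\t203.0.113.255\t24\t1521\n'
    printf '198.51.100.0\t198.51.100.127\t25\t377\n'
}
sample_drop_feed() {
    printf '; Spamhaus DROP List\n192.0.2.0/24 ; SBL000001\n'
}

# demo: the restore batch for the hash:net set, built from both network feeds
demo_blacknets_batch() {
    {
        sample_block_feed | feed_to_entries dshield-block
        sample_drop_feed  | feed_to_entries spamhaus-drop
    } | sort -u | entries_to_restore blacknets hash:net
}
```

Pipe the output of demo_blacknets_batch into `ipset restore` on the firewall; the DROP rules from the post stay unchanged because they match on the set name, not its contents.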


Wednesday, 19 June 2013

NetFLOW over IPSEC VPN


I had the following NetFlow configuration on my router:
 ip flow-cache timeout active 1
 ip flow-export source FastEthernet0/1.1
 ip flow-export version 5
 ip flow-export destination 10.39.30.5 9996
!
interface FastEthernet0/0.2
 ip flow ingress
interface FastEthernet0/1.12
 ip flow ingress
interface FastEthernet0/1.40
 ip flow ingress

This worked fine on my other routers, but in this particular case the NetFlow server was only accessible through an IPsec VPN and the flows weren't getting there.
The solution to this was to use "Flexible Netflow" configuration. This allows for the NetFlow export to be sent down the standard IPSEC VPN tunnel.
An example of the NetFlow config is as follows:
flow exporter FLOW_EXPORTER
 destination 10.39.30.5
 source FastEthernet0/1.1
 output-features
 transport udp 9996
 export-protocol netflow-v5
!
!
flow monitor FLOW_MONITOR
 record netflow-original
 exporter FLOW_EXPORTER
 cache timeout active 1
!
interface FastEthernet0/0.2
 ip flow monitor FLOW_MONITOR input
!
interface FastEthernet0/1.12
 ip flow monitor FLOW_MONITOR input
!
interface FastEthernet0/1.40
 ip flow monitor FLOW_MONITOR input
!


Thursday, 14 March 2013

Disable IPv6 on Ubuntu

Edit your /etc/sysctl.conf file and add the following to the bottom:
#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Or you can use the following script:
echo "#disable ipv6" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
For these changes to take effect you must reboot your system.
After rebooting you can check whether IPv6 has been disabled with the following command:
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
0 means IPv6 is enabled and 1 means it is disabled.


Friday, 11 May 2012

Map Serial Device to a telnet port

You can achieve this using ser2net.

The ser2net program comes up normally as a daemon, opens the TCP ports specified in the configuration file, and waits for connections. Once a connection occurs, the program attempts to set up the connection and open the serial port. If another user is already using the connection or serial port, the connection is refused with an error message.

Install ser2net:
sudo apt-get install ser2net
Now configure it:
sudo vi /etc/ser2net.conf
The configuration file already comes with some examples; you just have to modify them to suit your needs. This file consists of one or more entries with the following format:
<TCP port>:<state>:<timeout>:<device>:<options>
or
BANNER:<banner name>:<banner text>

After modifying the configuration file you must restart the service:
/etc/init.d/ser2net restart


Tuesday, 3 April 2012

CentOS / RedHat Network config example

To configure eth0 you must edit its configuration file:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Static configuration example:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=06:01:78:a7:00:33
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
IPADDR=192.168.0.10
TYPE=Ethernet
To use DHCP:
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:19:D1:2A:BA:A8
ONBOOT=yes
Reference: http://www.how2centos.com/centos-configure-network/


Tuesday, 27 March 2012

Vodafone K5005 (Huawei E389) 4G modem on Ubuntu

This modem works with Ubuntu Precise Pangolin (12.04) but it is not detected automatically by network manager.

UPDATE: In the comments, a reader named "Big Brother" has a nicer solution: instead of using the scripts below, just follow these steps:

1- Add these lines to /lib/udev/rules.d/40-usb_modeswitch.rules:
# Vodafone K5005 (Huawei E398)
ATTRS{idVendor}=="12d1", ATTRS{idProduct}=="14c3", RUN+="usb_modeswitch '%b/%k'"
2- Create file /etc/usb_modeswitch.d/12d1:14c3:
# Vodafone K5005 (Huawei E398)
TargetVendor= 0x12d1
TargetProduct= 0x14c8
MessageContent="55534243123456780000000000000011062000000100000000000000000000"
3- Unplug device, plug it back and it should work automagically ;)

Deprecated method:
In order to get it working with network manager I had to use the following script (it must be run as root):
#!/bin/bash
rmmod option
modprobe option
echo "12d1 14c8" > /sys/bus/usb-serial/drivers/option1/new_id
usb_modeswitch -v 12d1 -p 14c3 -V 12d1 -P 14c8 -M "55534243123456780000000000000011062000000100000000000000000000" -n 1
Note that the commands above are for the Vodafone branded (K5005) Huawei E389 dongle, for the unbranded device the product ID is different and you should use:
#!/bin/bash
rmmod option
modprobe option
echo "12d1 1506" > /sys/bus/usb-serial/drivers/option1/new_id
usb_modeswitch -v 12d1 -p 1505 -V 12d1 -P 1506 -M "55534243123456780000000000000011062000000100000000000000000000" -n 1
You can check the product id with:
lsusb
In my case I get:
Bus 002 Device 007: ID 12d1:14c3 Huawei Technologies Co., Ltd.


Thursday, 15 March 2012

Limit bandwidth of rsync over ssh

This will limit the connection to 80Kb/s:

rsync -auvPe "trickle -d 80 ssh" user@host:/src/ /dst/


Monday, 12 March 2012

Linux Transparent bridge

First you need to install bridge-utils:
apt-get install bridge-utils
Configuring the bridge:
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 1.2.3.4 netmask 255.255.255.0 up
# default route via your network's gateway, not via the bridge's own address
route add default gw <your gateway ip> dev br0
In this example, I suppose you are using eth0 and eth1. In the ifconfig line, I assigned IP address 1.2.3.4 to the bridge so I can access it remotely; use an IP address in your network, and point the default route at your network's gateway.
You may check that the bridge is working by using tcpdump:
# tcpdump -n -i eth0
...
(lots of funny stuff)
...
# tcpdump -n -i eth1
...
(lots of funny stuff)
...
Plug your machine into the network, and everything should work. Your Linux box is now a big, expensive two-port switch.

Making the Bridge Permanent

Edit the file /etc/network/interfaces and add (using the same two ports as above):
auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1
bridge_stp on



Monday, 27 February 2012

VPN Ports

PPTP:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through router, open Protocol ID 47.

L2TP over IPSec
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPSec Network Address Translation (NAT-T) open UDP 4500.
To allow L2TP traffic, open UDP 1701.

OpenVPN:

OpenVPN uses port 1194, UDP or TCP.

Here’s the Cisco access list: (gre=Protocol ID 47, pptp=1723, isakmp=500, non500-isakmp=4500):
permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701



Tuesday, 31 January 2012

Enable IP forwarding in Linux

This can be done in different ways, here are some of the most common.

Use procfs
This is maybe the most used way; it is a temporary change, and you need to enable it again after every reboot.
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
(Note that "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails with "Permission denied": sudo only applies to echo, while the redirection is performed by your unprivileged shell.)
You can add this line to the /etc/rc.local file, and that way each time you reboot your computer it will be enabled again.

You can check if IP forwarding is enabled or disabled by checking the content of /proc/sys/net/ipv4/ip_forward file:
cat /proc/sys/net/ipv4/ip_forward
If the output is 1, it is enabled; if 0, it is disabled.

Use sysctl
sysctl lets you change kernel values on the fly, so you can use it to change the IP forwarding behaviour.

First, let’s check if it is enabled or disabled, as root run:
sysctl -a | grep net.ipv4.ip_forward
Now you can set its value to 1, to enable ip forwarding.
sysctl -w net.ipv4.ip_forward=1
This is also temporary, if you want it to be permanent, you can edit the file /etc/sysctl.conf:

sudo vi  /etc/sysctl.conf
And uncomment or add this line:
net.ipv4.ip_forward = 1
To make it effective you have to use this command
sudo sysctl -p


Sunday, 29 January 2012

Permanent iptables Configuration

You can save the configuration, and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.

Save your firewall rules to a file:
sudo sh -c "iptables-save > /etc/iptables.rules"
At this point you have several options. You can make changes to /etc/network/interfaces or add scripts to /etc/network/if-pre-up.d/ and /etc/network/if-post-down.d/ to achieve similar ends. The script solution allows for slightly more flexibility.

Solution #1 - /etc/network/interfaces

Modify the /etc/network/interfaces configuration file to apply the rules automatically.
Open your /etc/network/interfaces file:
sudo vi /etc/network/interfaces
Add a single line (shown below) just after ‘iface lo inet loopback’:
pre-up iptables-restore < /etc/iptables.rules
You can also prepare a set of down rules, save them into second file /etc/iptables.downrules and apply it automatically using the above steps:
post-down iptables-restore < /etc/iptables.downrules
A fully working example using both from above:
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules
You may also want to keep information from byte and packet counters.
sudo sh -c "iptables-save -c > /etc/iptables.rules"
The above command will save the whole rule-set to a file called /etc/iptables.rules with byte and packet counters still intact.

Solution #2 /etc/network/if-pre-up.d and ../if-post-down.d


NOTE: This solution uses iptables-save -c to save the counters. Just remove the -c to only save the rules.

Alternatively you could add the iptables-restore and iptables-save calls to the if-pre-up.d and if-post-down.d directories in /etc/network instead of modifying /etc/network/interfaces directly.

The script /etc/network/if-pre-up.d/iptablesload will contain:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
and /etc/network/if-post-down.d/iptablessave will contain:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
Then be sure to give both scripts execute permissions:
sudo chmod +x /etc/network/if-post-down.d/iptablessave
sudo chmod +x /etc/network/if-pre-up.d/iptablesload
Solution #3 iptables-persistent


Install and use the iptables-persistent package.

Tips

If you manually edit iptables on a regular basis
The above steps go over how to set up your firewall rules and presume they will be relatively static (and for most people they should be). But if you do a lot of development work, you may want to have your iptables saved every time you reboot. You could add lines like these to /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules

The line "post-down iptables-save > /etc/iptables.rules" will save the rules to be used on the next boot.


Monday, 2 January 2012

Setting up a Bridged VPN using OpenVPN

Install OpenVPN and bridging tools:
sudo apt-get install openvpn bridge-utils
Setting up the Bridge

Edit /etc/network/interfaces

When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet static
 address 192.168.1.10
 netmask 255.255.255.0
 gateway 192.168.1.1
Edit this and add a bridge interface:
sudo vi /etc/network/interfaces
so that it looks similar to:
## This is the network bridge declaration
## Start these interfaces on boot
auto lo br0
iface lo inet loopback
iface br0 inet static
 address 192.168.1.10
 netmask 255.255.255.0
 gateway 192.168.1.1
 bridge_ports eth0
iface eth0 inet manual
 up ip link set $IFACE up promisc on
 down ip link set $IFACE down promisc off
If you are running Linux inside a virtual machine, you may want to add the following parameters to the bridge connection:
bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)
Restart networking:
sudo /etc/init.d/networking restart
The bridging declarations come from the libvirt documentation.

Generating Certificates

Generate certificates for the server. In order to do this I will setup my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.

Copy the files to the /etc/openvpn/easy-rsa/ directory:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Then edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
And change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Finally setup the CA and create the first server certificate
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
The Certificate Authority is now setup and the needed keys are in /etc/openvpn/


Configuring the Server

By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is create a new file named server.conf in the /etc/openvpn/ directory.

First, we're going to create a couple of new scripts to be used by the openvpn server.
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!/bin/sh
# up.sh BRIDGE TAPDEV MTU: bring the tap device up and add it to the bridge
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!/bin/sh
# down.sh BRIDGE TAPDEV: remove the tap device from the bridge and bring it down
BR=$1
DEV=$2
/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
And finally on to configuring openvpn itself.
sudo vi /etc/openvpn/server.conf

mode server
tls-server
local <your ip address> ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
If the server initialization script complains about "WARN: could not open database for 4096 bits. Skipped", you can work around it by running this command:
touch /usr/share/openssl-blacklist/blacklist.RSA-4096
Now you will need to restart openvpn and load the new config with:
sudo /etc/init.d/openvpn restart
In case you run a firewall like ufw, please consider enabling ip forwarding, otherwise the clients will only be able to connect to the server, but not to other LAN servers.


Setting up a Routed VPN using OpenVPN

First let's install OpenVPN:
sudo apt-get install openvpn
OpenVPN must be installed in both client and server, the configuration file used for starting the service will define the role of each PC.

Now we can start, stop or restart OpenVPN as usual:

Start OpenVPN:
/etc/init.d/openvpn start
Stop OpenVPN:
/etc/init.d/openvpn stop
Restart OpenVPN:
/etc/init.d/openvpn restart
Every time you change settings in /etc/openvpn/openvpn.conf you need to restart OpenVPN.

Create Keys and Certificates

Now we need to create security certificates and keys. We'll do all this in the server as root:
cd /etc/openvpn/
Copy the directory easy-rsa to /etc/openvpn:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
Remember we're still inside the /etc/openvpn directory. Now let's edit the file vars with our favorite editor (replace vi with yours):
vi easy-rsa/vars
Kaiman reported a change for this part after June 2008:
vi easy-rsa/2.0/vars
Comment this line:
#export D=`pwd`
Add this one:
export D=/etc/openvpn/easy-rsa
And modify as below:
export KEY_COUNTRY=PE
export KEY_PROVINCE=LI
export KEY_CITY=Lima
export KEY_ORG="Nombre-OpenVPN"
export KEY_EMAIL="tu-nombre@example.com"
Save and quit.

Now run:
. ./vars
Important: that's a period, a space and another period followed by /vars. This is a common confusion in many setups.

Now:
./clean-all
The next command creates your certificate authority (CA) using the parameters you just set, you should just add Common Name, I used OpenVPN-CA. For this step you'll need OpenSSL; if you don't have it in your server install it by running:
sudo apt-get install openssl
Ok, now we're ready:
./build-ca
Now let's create the keys, first the server:
./build-key-server server
This is important. When build-key-server asks for Common Name write server, the same parameter you provided to the command.

Also you'll need to answer yes to these two questions:
Sign the certificate? [y/n]
and

1 out of 1 certificate requests certified, commit? [y/n].

Now the key for the client:
./build-key client1
Use client1 as Common Name, the same parameter you used above for build-key.

You can repeat this step if you want to have more clients, just replace the parameter with client2, client3, etc.

Now let's create Diffie Hellman parameters:
./build-dh
There you are! Now you should have a new directory with your certificates and keys: /etc/openvpn/easy-rsa/keys. To configure your first client copy these files from servo to cliento:
ca.crt
client1.crt
client1.key
Ideally you should use a secure channel; I use scp with RSA authentication (topic for another article):
scp alexis@servo:ca.crt .
scp alexis@servo:client1.crt .
scp alexis@servo:client1.key .
These commands assume you've copied the files to the home directory of user alexis on the server and assigned read permissions. Then move the files to /etc/openvpn on the client.

The Configuration Files: openvpn.conf

Now go to your client and create openvpn.conf in /etc/openvpn. Write this inside:
dev tun
client
proto tcp
remote x.y.z.w 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
# Set log file verbosity.
verb 3
Replace x.y.z.w with your server's public IP.
Now in the server: create openvpn.conf in /etc/openvpn and put this:
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
If your connections are a little slow you can try disabling compression by commenting out this line:
#comp-lzo
Finally, configure IP forwarding and IPTables for doing NAT on the server:
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
You can verify the rule was written correctly with:
sudo iptables -L -t nat
If you have a firewall you should make sure your VPN traffic can be routed.

If you made a mistake and want to remove all rules from IPTables:
sudo iptables -F -t nat
Now restart OpenVPN in both client and server and you should be set.

Running ifconfig and route -n you should see a new interface, tun0, on both PCs.

Confirm you can connect with a ping to your new tun0 interfaces, for example:
ping 10.8.0.1


Wednesday, 14 December 2011

Block P2P Traffic on a Cisco IOS Router using NBAR

In the following example, we'll use NBAR to block P2P traffic on our router's Gigabit interface.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Apply the policy to the user-facing (incoming) interface.
conf t
!--- IP CEF should be enabled at first to block P2P traffic.
!--- P2P traffic cannot be blocked when IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
class-map match-any p2p
!--- Mention the P2P protocols to be blocked in order to block the
!--- P2P traffic flow between the required networks. edonkey,
!--- fasttrack, gnutella, kazaa2, skype are some of the P2P
!--- protocols used for P2P traffic flow. This example
!--- blocks these protocols.
!
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
!--- Here the policy map named SDM-QoS-Policy is created, and the
!--- configured class map p2p is attached to this policy map.
!--- Drop is the command to block the P2P traffic.
!
policy-map SDM-QoS-Policy
class p2p
drop
!
!--- Use the interface where you wish to block the P2P traffic
interface GigabitEthernet 0/1
!
!--- The command ip nbar protocol-discovery enables NBAR
!--- protocol discovery on this interface where the QoS
!--- policy configured is being used.
ip nbar protocol-discovery
!
!--- Use the service-policy command to attach a policy map to
!--- an input interface so that the interface uses this policy map.
service-policy input SDM-QoS-Policy
!
end
!
!--- Save the current configuration
wr
And that's it.
You can ensure the policy is working with the command:
show policy-map
However if your version of IOS is older than 12.2(13)T, you will need some extra steps. This process relies on setting the DSCP field in the incoming packets, and then dropping those packets on the outbound interface. In the following example, we'll block P2P using the DSCP field.
  • Create a class-map to match the protocols to be blocked.
  • Create a policy-map to specify what should be done with the traffic.
  • Create an access-list to block packets with the DSCP field set to 1.
  • Apply the policy to the user-facing (incoming) interface.
  • Apply the blocking access-list to the outbound interface.
conf t
!--- IP CEF should be enabled at first to block P2P traffic.
!--- P2P traffic cannot be blocked when IP CEF is disabled.
ip cef
!
!--- Configure the class map named p2p to match the P2P protocols
!--- to be blocked with this class map p2p.
!
class-map match-any P2P
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
!
!
policy-map P2P
class P2P
set ip dscp 1
!
!--- Block all traffic with the DSCP field set to 1.
!
access-list 100 deny ip any any dscp 1
access-list 100 permit ip any any
!
interface GigabitEthernet0/1
service-policy input P2P
!
interface POS1/1
ip access-group 100 out



Friday, 23 September 2011

Packet loss monitoring with zabbix

1. create a file named "packetloss" at this location "/etc/zabbix/externalscripts/"
vi /etc/zabbix/externalscripts/packetloss
note: you may need to create the external scripts directory:
mkdir -p /etc/zabbix/externalscripts
2. Paste this into the "packetloss" file:
#!/bin/sh
if [ -z "$1" ]
then
echo "missing ip / hostname address"
echo " example ./packetloss 192.168.201.1 10000"
echo "10000 = 10000 bytes to ping with. The more you use the harder the network will have to deliver it and you start to see packet loss. Pinging with the normal ping size is kinda pointless; on LAN networks I recommend 10000 - 20000 and on the Internet around 1394 (1500 - 48 (pppoe + IP + TCP) - 58 (ipsec))"
echo "Remember some firewalls might block pings over 100"
echo " "
exit
fi
if [ -z "$2" ]
then
echo "missing ping size"
echo " example ./packetloss 192.168.201.1 10000"
echo "10000 = 10000 bytes to ping with. The more you use the harder the network will have to deliver it and you start to see packet loss. Pinging with the normal ping size is kinda pointless; on LAN networks I recommend 10000 - 20000 and on the Internet around 1394 (1500 - 48 (pppoe + IP + TCP) - 58 (ipsec))"
echo "Remember some firewalls might block pings over 100"
echo " "
exit
fi
# no spaces around "=" in a shell assignment
PINGCOUNT=10
# take the "N% packet loss" figure from ping's summary line
tal=`ping -q -i0.30 -n -s "$2" -c$PINGCOUNT "$1" | grep "packet loss" | cut -d " " -f6 | cut -d "%" -f1`
if [ -z "$tal" ]
then
echo 100
else
echo "$tal"
fi
3. Make the file executable by typing:
chmod u+x /etc/zabbix/externalscripts/packetloss
4. In Zabbix, verify that the host/template you want to monitor packet loss on has a valid IP or host name and the correct "Connect to" option selected.

Then under Item you create a new Item for that host/template
Type: External Check
Key: packetloss[10000]
SAVE

5. now check monitoring -> latest data for that host and you should start seeing packet loss values.

Done.

The number 10000 is the ping size; it's very hard to spot packet loss when only sending a few bytes as a normal ping does.

Try increasing the size until you see packet loss; then you know you're pushing your equipment to the limit.
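As an added example (my own code, not the post's script), the parser below reads the loss figure from ping's summary line by pattern instead of by field position, which is where the `cut -d" " -f6` approach breaks: when iputils ping receives ICMP errors it prints "+N errors," before the percentage, so field 6 becomes "+N" and Zabbix would store a bogus value exactly when the link is in trouble. The ping output it runs on is constructed, and the packetloss wrapper mirrors the HOST SIZE interface of the post's script.

```shell
#!/bin/sh
# Added example, not the post's script. Sample ping output below is constructed.

# packet_loss_pct: ping output on stdin -> loss percentage on stdout.
# Prints 100 when no summary line is present (unknown host, ping failed),
# matching the post's convention of reporting total loss on failure.
packet_loss_pct() {
    pct=$(sed -n 's/.*[ ,]\([0-9][0-9.]*\)% packet loss.*/\1/p' | head -n 1)
    if [ -z "$pct" ]; then
        echo 100
    else
        echo "$pct"
    fi
}

# field6_pct: the post's field-based extraction, kept for comparison.
field6_pct() {
    grep "packet loss" | cut -d " " -f6 | cut -d "%" -f1
}

# packetloss HOST SIZE: same interface as the post's external check.
packetloss() {
    PINGCOUNT=10
    ping -q -n -c "$PINGCOUNT" -s "$2" "$1" 2>/dev/null | packet_loss_pct
}

# Constructed ping output (not captured from a real host): the normal Linux
# summary, the Linux summary with ICMP errors, and the BSD/macOS wording.
SAMPLE_OK='PING 192.0.2.1 (192.0.2.1) 10000(10028) bytes of data.

--- 192.0.2.1 ping statistics ---
10 packets transmitted, 8 received, 20% packet loss, time 9012ms'
SAMPLE_ERRORS='10 packets transmitted, 0 received, +10 errors, 100% packet loss, time 9201ms'
SAMPLE_BSD='10 packets transmitted, 9 packets received, 10.0% packet loss'
```

Run `printf '%s\n' "$SAMPLE_ERRORS" | field6_pct` next to `printf '%s\n' "$SAMPLE_ERRORS" | packet_loss_pct` to see the two parsers disagree on the error case.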
