Setting up an L2TP VPN with pfSense

UPDATE:  I think it is important that I inform readers that this guide is strictly for setting up and using L2TP.  It has come to my attention that many of you are looking for an L2TP/IPsec solution, which is currently not supported in pfSense as of the version I am using (2.0.1).  I will update this post with full L2TP/IPsec instructions once this functionality has been added in newer versions of pfSense.

I’ve been toying around with setting up a home VPN for about a week or so now, and it has progressively improved.  At first, I had a working VPN implementation with PPTP and life was good.  But apparently PPTP is known to be less secure than other methods.  So that got me thinking about beefing up my security.  Here’s a quick summary I found.

PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment.

After discovering this information I decided to poke around for a little bit to decide what would work the best for me.  There were pretty much two options when it came down to setting up my VPN server the way I wanted it: L2TP and OpenVPN.  They are both considered secure and from what I’ve read OpenVPN is considered slightly better.  The reason I chose L2TP is because it is built in to the VPN client on pretty much every OS these days, making client setup and configuration fairly quick and painless (I’m sure it’s not difficult to set up and use OpenVPN either but I didn’t get that far, maybe I will experiment with it in the future).

There isn’t really all that much to getting things up and going.  Open up the pfSense management interface and navigate to the L2TP VPN settings: VPN -> L2TP

Next, we have to configure our settings.

  • Server address – Use an IP address that doesn’t fall into the subnet that the VPN clients connect to.  I used my external IP address to make things easier.
  • Remote address range – This will be the subnet that VPN clients connect to.  I am using the 192.168.2.0/24 subnet.
  • Subnet mask – I am using the entire subnet so I chose /24.
  • Number of L2TP users – pretty self explanatory, I have 10 right now for testing purposes.

I left everything else as the default initially.  Here is what the configuration page looked like for me when I got everything working.  Remember to change these values accordingly.

Next we need to throw up some user accounts.

So far so good.  Now we need to set up some traffic rules for our L2TP clients that connect.  This is the absolute most basic method you can go with, so if you have constraints here you will need to adjust these settings.


The last and most important piece to get this working is setting up the firewall rules for the WAN interface.  I got stuck at this part and didn’t realize there were two sets of ports that I needed to allow through for things to work correctly.  Port 500 for Internet Key Exchange (IKE) UDP traffic and port 1701 for L2TP UDP traffic.  Here’s what the rules look like.

That should be it.  Try connecting to your VPN server with an endpoint client.  I was testing this with my Android phone and had no problems after creating the two firewall rules.  Happy VPNing!
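As an added example (not code from the original post), here is a small Python parser for the L2TPv2 header (RFC 2661) that rides inside the UDP port 1701 traffic the rule above lets through; with plain L2TP there is no IPsec wrapper, so a capture on the WAN shows these fields directly, which is useful when checking that only expected tunnels and sessions are being set up. The SCCRQ and data packets below are constructed samples, not captured traffic.

```python
import struct

# Message Type AVP values from RFC 2661 section 6
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "Hello",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}


def parse_message_type_avp(data, pos):
    """Decode the mandatory first AVP of a control message (Message Type, attr 0)."""
    avp_hdr, vendor, attr = struct.unpack_from("!HHH", data, pos)
    avp_len = avp_hdr & 0x03FF            # low 10 bits = total AVP length
    if vendor != 0 or attr != 0 or avp_len != 8:
        raise ValueError("first AVP is not a Message Type AVP")
    value, = struct.unpack_from("!H", data, pos + 6)
    return MESSAGE_TYPES.get(value, "unknown(%d)" % value)


def parse_l2tp(data):
    """Return the L2TPv2 header fields of one UDP/1701 payload as a dict."""
    flags, = struct.unpack_from("!H", data, 0)
    hdr = {"is_control": bool(flags & 0x8000),   # T bit: 1 = control message
           "version": flags & 0x000F}
    has_len, has_seq, has_off = flags & 0x4000, flags & 0x0800, flags & 0x0200
    if hdr["version"] != 2:
        raise ValueError("not an L2TPv2 header")
    pos = 2
    if has_len:
        hdr["length"], = struct.unpack_from("!H", data, pos)
        pos += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack_from("!HH", data, pos)
    pos += 4
    if has_seq:
        hdr["ns"], hdr["nr"] = struct.unpack_from("!HH", data, pos)
        pos += 4
    if has_off:
        offset, = struct.unpack_from("!H", data, pos)
        pos += 2 + offset                  # skip Offset Size field plus padding
    hdr["payload_offset"] = pos            # PPP frame (data) or AVPs (control) start here
    if hdr["is_control"]:
        if not (has_len and has_seq):      # RFC 2661: control messages need L and S
            raise ValueError("control message missing L or S bit")
        # a control packet with no AVPs is a ZLB acknowledgement
        hdr["message_type"] = parse_message_type_avp(data, pos) if pos < len(data) else "ZLB"
    return hdr


# Constructed samples (not captured traffic): an SCCRQ tunnel-setup request ...
SAMPLE_SCCRQ = (struct.pack("!HHHHHH", 0xC802, 20, 0, 0, 0, 0)   # T,L,S set, ver 2, len 20
                + struct.pack("!HHHH", 0x8008, 0, 0, 1))          # M bit, len 8, Message Type=1
# ... and a data packet for tunnel 5 / session 7 carrying a PPP frame in the clear.
SAMPLE_DATA = struct.pack("!HHH", 0x0002, 5, 7) + bytes.fromhex("ff03c021")
```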


Updating Ubuntu (10.04 and up) to use Sun Java

I am in the middle of a home project to build a virtual environment using Proxmox and am running into Java issues. Since Proxmox uses Java as a VNC console it is necessary to use the correct version (of Java) to access VMs.  By using the wrong version you can cause instability issues and thus bad things to happen.

This is not just a problem with Proxmox either, there are a few other programs and apps that behave poorly with this version of Java, notably for me, Minecraft. Apparently newer versions of Ubuntu have shipped with the OpenJDK version as their default, and in this post I will discuss how to use the Sun Java 6 version instead.

Switch to the appropriate directory, in my case I used my home directory, and either punch these commands in or copy/paste them to get Ubuntu to see the correct repos.

cd ~/
wget https://raw.github.com/flexiondotorg/oab-java6/master/oab-java6.sh -O oab-java6.sh
chmod +x oab-java6.sh
sudo ./oab-java6.sh

Once this script goes through and does its thing you should have access to the old sun-java6 repos.  So to install the correct pieces for Proxmox use apt-get to install the appropriate packages.

sudo apt-get install sun-java6-jre sun-java6-fonts sun-java6-plugin

To set system settings to prefer Sun Java over the OpenJDK version type the following commands:

sudo update-alternatives --set java /usr/lib/jvm/java-6-sun/jre/bin/java
sudo update-alternatives --set javaws /usr/lib/jvm/java-6-sun/jre/bin/javaws
sudo update-alternatives --set mozilla-javaplugin.so /usr/lib/jvm/java-6-sun/jre/lib/*/libnpjp2.so

Now you should have a much more stable experience using Proxmox and the console to take a look at your VMs!  I can’t take the credit for this but I can ease the burden for anybody that comes across this post.

References:
https://github.com/flexiondotorg/oab-java6
http://pve.proxmox.com/wiki/Java_Console_(Ubuntu)


Gather system details using BGInfo

I keep telling myself that I will write more blog posts but keep finding ways not to.  I keep getting more ideas to write about so I just need to kick myself into gear and get going on these.  The protip this February is a useful trick for getting quick and easy access to important server information using a tool written by Bryce Cogswell of the Sysinternals suite, called BGInfo.  This tool comes in handy when you begin to manage more than a handful of servers and need to keep your p’s and q’s straight.

So, to start things off I have made a quick guide for setting up a nice BGInfo background for Windows computers.

I found out that this script doesn’t update the background for users in Windows 7 unless you explicitly tell it to write the background upon login.  So if you are interested, the color scheme I have elected to use is R:29 G:95 B:122 (which happens to be the default Server 2008 background).

I have found it useful to gather a few extra pieces of information through WMI as well as a few VB scripts to make my life as an administrator easier, plus these are kind of cool.  Adding to the basic information I have added free memory, number of processors, brand and model.  I’m sure there are others but I haven’t had time to experiment with them yet.  Maybe you can come up with some suggestions?

Free Memory script:

' Connect to WMI on the local machine (root\cimv2 namespace)
winmgt = "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2"

Set oWMI_Query_Result = GetObject(winmgt).InstancesOf("Win32_OperatingSystem")

' FreePhysicalMemory is reported in kilobytes
For Each oItem in oWMI_Query_Result
    iFreeMemory = oItem.FreePhysicalMemory
Next
iFreeMemory = Round(iFreeMemory / 1024)

' BGInfo's Echo writes the value into this field on the background
Echo "" & iFreeMemory & " MB"

Note: This will only check the amount of free memory when the script is run, either at logon or if the BGInfo template is run manually.  It does not update itself otherwise.

Model:

SELECT Model FROM Win32_ComputerSystem

System Brand:

SELECT Manufacturer FROM Win32_ComputerSystem

Processors:

SELECT NumberOfProcessors FROM Win32_ComputerSystem

We will need the following files for BGInfo to do its thing once we have adjusted our templates to suit our needs.

To have the background populate when a user logs in, we need to set up a group policy.  Call it BGInfo or something easy to remember.  Edit the policy to point at Users -> Windows Settings -> Scripts -> Logon

To create the script to run BGInfo when a user logs in, copy the following and create a file named bgscript.bat

%logonserver%\netlogon\bginfo\Bginfo.exe %logonserver%\netlogon\bginfo\servertemplate.bgi /Timer:0 /NoLicPrompt

I have applied this script to a user OU in Active Directory called ‘Admins’.  Members of this group are the only set of users which this policy will apply to.  So for example, people that I have given Admin rights will all see this background when they log on.  Which, in my case is our sysadmin team.

That’s it!  Now we have a nice clean background on all of our servers (assuming we log on with admin privileges) to quickly look up information that may be handy and to keep yourself from getting mixed up when working on multiple servers concurrently.

Resources:

http://jensolekragh.wordpress.com/2008/08/22/using-bginfo-exe-to-create-and-evaluate-wmi-queries/
http://www.zoutenbier.nl/ict-experience-kb/windows-servers/6-implement-bginfo-with-the-group-policys


What’s in Your Windows Toolbox?

I think the title explains what I will be talking about in this post pretty well. In my day to day work, as I have mentioned before, I work primarily with Windows. I thought it would be a good idea to carve out a set of must-have Windows administration tools, to have as a reference in the future. A good number of these tools are open source or freeware and some are people’s pet projects, so they could become abandoned over time; that is why it will be good to come back and look at this list every now and then.  I would also suggest donating to the independent authors to help keep their efforts alive!

Since I will just be covering the essentials I don’t really feel a need to group or categorize them in any certain way. So let’s get started.

Windirstat

This one is pretty handy for figuring out what is eating up all your disk space by organizing your drives visually.  But of course there are a number of really handy features, like organizing directories by largest size for a quick tree view of your disk, and color coding based on file types.  This one kind of falls under the category of do one thing and do it well.  It also happens to be great for quickly analyzing disk and file sizes.


windirstat

RDTabs

I would like to shake the hand of the genius who created this piece of Windows goodness.  I honestly love this program.  It is an intuitive tool to help manage RDP sessions, which happens to work out very nicely since I am in Windows all day 😀  It has matured a great deal in its lifetime and offers things like tabbing (I hope that is obvious), favorite management, a handy dandy  built in  screenshot feature, detaching RDP sessions into separate windows, encrypted passwords, importing and exporting of favorites, a boatload of options for customization and many more I’m sure that I am forgetting.  Highly recommended.  You should seriously consider checking out this hidden gem.  I believe this one is freeware, so if you like you should hook the creator up!


BGInfo

What can I say, Mark Russinovich and Bryce Cogswell are kind of awesome.  This tool is really helpful for quickly looking up information and stats (I love stats) about the system you are working on.  Essentially it creates a custom bitmap image over top of your background desktop image based on the configuration information you feed it.  Fast, easy, clean.  This utility also gives you the ability to add custom queries to check for practically anything via WMI calls or registry entries. It also has command line options for scripting, so yeah.  Good stuff.  I can’t tell you how helpful something like this is if you have 5-10 remote connections open at a time to look at what server you are on quickly.


BGInfo configuration page

Wireshark

I don’t think I want to go into very much detail for this one at the risk of looking foolish, especially since I don’t use it that much and there is a vast amount of things that this program can do.  I mean, we’re talking about stuff like graphing TCP time/seq graphs or troubleshooting performance of certain types of network traffic, crazy stuff that I have no business looking at.  What I can say though, is that it has helped me a time or two when I have been otherwise clueless on network troubleshooting issues. It is a really powerful tool to have in your bag of tricks.


JavaRa

I just found this one today actually, which was sort of the inspiration for this blog post.  I don’t know about you but I absolutely hate dealing with Java, its updates, its previous versions, etc.  This tool is a quick and dirty way to purge old versions and update to the most current version.  That’s it.  And that is how it should be; I don’t know why Sun previously or Oracle now couldn’t have made a tool to do this a long time ago.  This one is all open source.


javara

mRemoteNG

I thought I would mention this tool as well.  Although it has fallen out of favor for me personally it was my go-to remote administration tool when I had Macs, Linux and Windows to worry about.  This tool allows for administration through a number of remote protocols including SSH, VNC, RDP, ICA, telnet, etc.  So it really comes in handy for those admins that jump all over the board in terms of different platforms.  Completely open source, highly recommended.


mRemoteNG interface

OneNote

Now before you start to hate me for this one just hear me out.  I kind of felt the same way until I actually started using it.  I have searched a fair amount for a program that does what OneNote does and nothing comes even close.  To make my life and job easier, I love to take notes on things I do for projects for future reference.  In OneNote I can organize my thoughts and process easily.  As an example, we are in the middle of an Exchange migration and our setup will be fairly complex, so I have been keeping notes for everything I am doing.  This not only helps me to understand the process more clearly but gives me a reference if shit hits the fan later on as well.

Some nice features that OneNote provides for this type of note taking are things like the ability to copy in screenshots quickly for documenting my own steps via a built-in snipping tool, pasting in website links instead of having to go back to Google later on down the road once I have already forgotten what I did originally (saving time and energy), and linking to network resources and scripts, exe’s, etc. from within OneNote.  This program really is worth its weight in gold.  If you still turn your nose up at this product since it comes from Micro$oft you might check out Evernote; I have heard good things about it, though you won’t have nearly as much power with it.


Conclusion

I think this is just the tip of the iceberg.  As I get more comfortable in my current environment I’m sure I will continue to experiment with many more tools for making my life as an admin easier.  I want to point out that this list only covers my favorite Windows tools for administration, as I know there are vastly more tools out there in both the Linux and Windows world.

What feedback do you have on these?  What sorts of tools do you like to make your life easier?  I would really like to hear your feedback.


Protip: January

I found this one a little while back and figured I might as well share it out since not that many people I talk to seem to know about it. For the longest time if I wanted to search through all my old commands I would do something like this:

history | less

and just kind of wade my way through previously executed commands, which is not very efficient. Once I started getting lazier and the list of items in my history cache grew I started to use this one:

history | grep -i "bleh"

This is a little better, but still a lot more searching and typing than I want. Finally, thanks to the helpful folks over at reddit, I stumbled across this hidden gem:

Ctrl + r "bleh"

So, just press Ctrl then R keys and then a piece of the command you are looking for, bleh in this example, then just hit tab to pull the command up you were looking for once you have enough of the string matched. This is a shortcut that executes the “reverse-i-search” command, and it is freakin awesome. So if there was a command you ran a really long time ago and can’t remember the syntax 100% but know the general idea you can use this to capture the pieces you do remember, saving yourself all that extra time of having to go back through trying to figure out what the hell you were doing.
