Category Archives: How To

MikroTik IKEv2 setup with FastestVPN.com

These instructions are based on the tutorial written by MikroTik here.

First, download the UserTrust root CA which the FastestVPN servers use. The MikroTik router likes its certificates as a .der file, so if you cannot get one, download a .pem and simply rename the file to .der, then upload it to the router using the Files button. Once it is uploaded, you can import it with:

**You can get the .pem certificate from here.

/certificate import file-name=NameOfTheCertFile.DER

Allow incoming connections to UDP 500 and 4500 on your firewall.
Make sure to add this rule before your explicit drop rule if you have one in the list.

/ip firewall filter
add action=accept chain=input dst-port=500,4500 protocol=udp

Add an address list with the IPs that should be routed over this VPN. For me I wanted one whole subnet.

/ip firewall address-list
add address=192.168.234.0/24 list=vpn_hosts

Now configure the IPsec VPN:

/ip ipsec mode-config
add name=FastVPN responder=no src-address-list=vpn_hosts use-responder-dns=yes
/ip ipsec policy group
add name=FastVPN
/ip ipsec profile
add name=FastVPN
/ip ipsec peer
add address=SERVER-HOSTNAME exchange-mode=ike2 name=FastVPN profile=FastVPN
/ip ipsec proposal
add name=FastVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=FastVPN peer=FastVPN policy-template-group=FastVPN username=FASTESTVPN.COM_USERNAME password=FASTESTVPN.COM_PASSWORD
/ip ipsec policy
add dst-address=0.0.0.0/0 group=FastVPN proposal=FastVPN src-address=0.0.0.0/0 template=yes

**Now you should be able to see the SAs here:

/ip/ipsec/installed-sa/print

Congratulations, you are connected to the IPsec VPN.

**If you do not see the 2 SAs then you might need to look at the log. If it says that it failed to authorise, or it just keeps on disconnecting, then check your password again and try another server location.

How to extend HDD space in an Ubuntu 20 VM (this example is hosted on ESXi)

After extending the hard disk of the VM in ESXi or any other hypervisor, reboot the VM and boot from a bootable GParted ISO image.

Before the extension, this VM has a 200 GB HDD which is almost full.

Once the GParted GUI comes up, confirm that the free space is showing up, then select the partition that needs to be extended and use the slider to extend it by moving it towards the right side. Then click on SAVE to write the changes. We are done here, so we can now reboot the machine to claim the newly added space in the OS. If the disk is 100% used, the OS will not let you make or save any partition changes to the disk, which is counter-intuitive but that is how it is designed. In that case, when the OS is rebooted, press the Escape key, select the advanced Ubuntu startup options and drop to a root shell. Once there, run apt-get clean && apt-get autoremove; this will free enough space to let you write the changes to the disk.

GPARTED – extending the partition
Reboot GPARTED

After the reboot, run these commands in this sequence to extend the volume.

######## ANOTHER METHOD #########

  • sudo parted
  • print free space (This will show the partitions with numbers and the free space, we will use the partition number and free space next)
  • resizepart <NUMBER> <FREE SPACE i.e. 90GB>
  • write
  • quit
  • sudo lsblk (Note down the name of the partition and volume)
  • sudo pvresize /dev/sda3 (it was /dev/sda3 in this case as shown in output of lsblk, make sure it is correct)
  • sudo lvextend -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv
  • sudo resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv
  • df -h (to check the resizing)

DHCP snooping not working – multiple switches in path

Let's look at this topology. Server0 is configured with the DHCP service and is connected to Switch0 on port Fa0/1. Switch0 is connected to Switch1 from Gi0/1 to Gi0/1. The laptop, which is the DHCP client, is connected to Switch1 on Fa0/1.

dhcp snooping topology
Switch0
!
ip dhcp snooping vlan 500
ip dhcp snooping
!
!
interface FastEthernet0/1
 switchport access vlan 500
 ip dhcp snooping trust
 switchport mode access
!
!
interface GigabitEthernet0/1
 switchport mode trunk
!
!

Switch1
!
ip dhcp snooping vlan 500
ip dhcp snooping
!
!
interface FastEthernet0/1
 switchport access vlan 500
!
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
 switchport mode trunk
!
services on Server0
DHCP request failed on the client

When the client tries to get an address, it cannot reach the server because Cisco switches add option 82 to DHCP requests by default, and when that option is present in a packet arriving on an untrusted port, the next switch discards it with this message on the console:

00:10:52: %DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: DHCP_SNOOPING drop message with non-zero giaddr or option82 value on untrusted port, message type: DHCP RELEASE, MAC sa: 0005.5E80.090B

Here are three ways to fix this issue:

1. Least secure, and it opens a security risk: trust the Gi0/1 port on Switch0.
Switch(config-if)#inter gi 0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#
client got a valid ip address as a result of the above config

2. Somewhat better and safer: disable the addition of option 82 to the DHCPREQUEST packets. This needs to be done on the switch where the end client is connected; in our case it is Switch1.

Switch1(config)#no ip dhcp snooping information option 
Switch1(config)#
Success on getting DHCP address assigned

3. The best option in my understanding: allow the packets with option 82 to make it to the DHCP server. We enable it on the upstream switch so that it accepts DHCPREQUEST packets coming from untrusted ports; in our case we enable it on Switch0.

Switch0(config)#
Switch0(config)#ip dhcp snooping information option allow-untrusted
Switch0(config)#
DHCP success
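To check a pair of switch configurations for exactly this failure, here is an added Python example (it is not from the post, from Packet Tracer or from Cisco): it parses the DHCP-snooping lines of two IOS configs and reports whether the upstream switch would drop the client's relayed request. The sample configs are constructed from the two switches shown above, and `uplink_port` is the upstream interface that faces the downstream switch (Gi0/1 here).

```python
# Constructed sample configs: the snooping-relevant lines of Switch0 and Switch1 from the post.
SWITCH0 = """ip dhcp snooping vlan 500
ip dhcp snooping
interface FastEthernet0/1
 ip dhcp snooping trust
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
"""
SWITCH1 = """ip dhcp snooping vlan 500
ip dhcp snooping
interface FastEthernet0/1
 switchport access vlan 500
interface GigabitEthernet0/1
 ip dhcp snooping trust
 switchport mode trunk
"""

def parse_posture(config):
    """Pull out the DHCP-snooping settings that decide whether a relayed request survives."""
    # IOS inserts option 82 by default once snooping is on; allow-untrusted is off by default.
    p = {"enabled": False, "option82": True, "allow_untrusted": False, "trusted": set()}
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif not line.startswith(" "):          # a global-config line ends any interface block
            iface = None
            if line == "ip dhcp snooping":
                p["enabled"] = True
            elif line == "no ip dhcp snooping information option":
                p["option82"] = False
            elif line == "ip dhcp snooping information option allow-untrusted":
                p["allow_untrusted"] = True
        elif iface and line.strip() == "ip dhcp snooping trust":
            p["trusted"].add(iface)
    return p

def upstream_drops_request(downstream, upstream, uplink_port):
    """True if a client request relayed by `downstream` is discarded by `upstream`
    with the NONZERO_GIADDR/option82 message quoted in the post."""
    d, u = parse_posture(downstream), parse_posture(upstream)
    if not (d["enabled"] and d["option82"]):
        return False        # fix 2: nothing is inserted, so there is nothing to object to
    if u["enabled"] and not u["allow_untrusted"] and uplink_port not in u["trusted"]:
        return True         # option 82 present on an untrusted port: drop
    return False            # fix 1 (trusted uplink) or fix 3 (allow-untrusted)
```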

I have attached the Cisco Packet Tracer file here. You can download the .pkt file for your tinkering pleasure.

ACME DNS-01 basic Autorenewing Script for txt records on dns.he.net

Options are limited when you want to generate a free Let’s Encrypt SSL certificate using WIN-ACME and you cannot or do not want to publish verification files on the server – especially if you want the certificates to be auto-renewed. Also, I must mention that the SSL certificate is for a wildcard domain.

I have domain records hosted on dns.he.net (Hurricane Electric) which is a free dynamic DNS provider and it has been very reliable for – I don’t even remember how many years. My aim is to generate a Let’s Encrypt SSL certificate and enable auto-renewal using DNS-01 verification from a script.

I should indicate that I am doing this on a Windows 2012 server machine not a linux machine.

First, create a TXT record in the HE portal, lower its time-to-live value and set the record type to dynamic.

Adding TXT Record on HE.NET for acme-challenge.

Once that is done, click on the refresh icon to set up the secret key which is used to authenticate valid update requests.

Press the refresh/renew icon.
Type your desired key and click on Submit.

Now we will work on the server to create a very basic BAT script file.

@echo off
REM Called by win-acme with: %1 = {RecordName}, %2 = {Identifier}, %3 = {Token}
REM Abcdef12345 is the dynamic-record key set in the HE portal
curl -4 "http://%1:Abcdef12345@dyn.dns.he.net/nic/update?hostname=%2&txt=%3"

Also, we will download curl from https://curl.se/windows/ and extract the contents to the root of the folder where we will keep our script file. I will probably be okay with the hardcoded secret key in the script as I have only 2 domains and I will use the same key on both. If you have multiple domains then you may have to improvise on this part. I will not bother as it is okay for my needs.

Now it’s time to run the wacs.exe application. When it asks for the domain validation method, I select option 8 (at the time of writing this), which is verification using your own script. When it asks for the arguments, use these in this order:

{RecordName} {Identifier} {Token}

If you followed all the instructions as I stated, it will now successfully validate and issue the certificates. It's up to you how you want to install them, as wacs.exe has good options for that too.
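An added Python equivalent of the .bat above (this is example code, not from the post, from win-acme or from Hurricane Electric): it takes the same three win-acme arguments, reads the record key from an environment variable instead of hard-coding it, sends the key in an Authorization header over https rather than in a plain-http URL, and treats only DynDNS-style good/nochg replies as success. The variable name HE_DDNS_KEY and the _acme-challenge. prefix check are assumptions of this example.

```python
import os
import sys
from base64 import b64encode
from urllib.parse import urlencode
from urllib.request import Request, urlopen

HE_UPDATE = "https://dyn.dns.he.net/nic/update"   # same endpoint as the .bat, but over TLS

def build_he_txt_update(record_name, token, key):
    """Return (url, headers) for a dns.he.net dynamic TXT update.
    As in the .bat, the record hostname is the HTTP Basic username and the per-record
    key is the password; here they travel in a header instead of the URL, so the key
    is not exposed in process lists, shell history or proxy logs."""
    if not record_name.startswith("_acme-challenge."):   # assumption: DNS-01 records only
        raise ValueError("DNS-01 record must be _acme-challenge.<domain>")
    url = HE_UPDATE + "?" + urlencode({"hostname": record_name, "txt": token})
    cred = b64encode(f"{record_name}:{key}".encode()).decode()
    return url, {"Authorization": "Basic " + cred}

def run_hook(argv, environ=os.environ):
    """Entry point for win-acme's script plugin: {RecordName} {Identifier} {Token}.
    Assumed: the key is supplied in the HE_DDNS_KEY environment variable (hypothetical name)."""
    if len(argv) != 3:
        raise SystemExit("usage: he_hook.py <RecordName> <Identifier> <Token>")
    record_name, _identifier, token = argv
    key = environ.get("HE_DDNS_KEY")
    if not key:
        raise SystemExit("HE_DDNS_KEY is not set")
    url, headers = build_he_txt_update(record_name, token, key)
    with urlopen(Request(url, headers=headers), timeout=30) as resp:
        body = resp.read().decode(errors="replace").strip()
    # DynDNS-style endpoints answer "good ..." or "nochg ..." on success; anything else is a failure.
    if not (body.startswith("good") or body.startswith("nochg")):
        raise SystemExit(f"HE update failed: {body}")
    return body

if __name__ == "__main__":
    print(run_hook(sys.argv[1:]))
```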

How to utilize an SSH tunnel for any remote service

This is somewhat advanced-level material, so if you are a beginner, try to follow along and I will try to explain it in the easiest way to understand.

Why do we need SSH tunneling? Well, for me it makes it quite easy to make the services on my private network available from the internet. All I need to do on my firewall is open or forward a single port to the SSH listening port on my SSH server. If you want to set up your SSH server, you may want to take a look at my other post.

In this post I will try to explain how to use RDP over an SSH tunnel. The idea is to access the RDP service on a Windows host from another computer without connecting to the RDP service port directly (by default 3389), using an SSH tunnel provided by an SSH server.


I am using PuTTY here.

  1. On the client, open PuTTY, scroll down on the left side and click on the + sign next to SSH to select Tunnels. Enter a port number higher than 1024 which is not the same as any other running service on your (client) computer; I chose 2222 here. Then enter the IP address and port of the host you want to reach through the tunnel (10.0.0.100 port 3389, providing RDP in our example) and click Add.

  2. It should now appear in the box above, so scroll up on the left and click on Session.


  3. Now enter the IP address of the SSH server (10.0.0.2 and port 22 in our example) and click on Open.


  4. In the terminal window which just opened, enter the username and password for the SSH server and keep it open.
  5. Now open mstsc.exe on your computer, use localhost as the IP and 2222 (the port we chose in step 1) as the port, and click on Connect. You should see the login window, and that’s it.


    Just remember to keep the PuTTY window open, else the tunnel will drop and you will have to re-establish the connection. Have fun.


How to setup a lightweight Linux (Ubuntu) based SSH server

This is not a beginner-level process, so if you do not know why you would need an SSH server, this post is not for you. Now that that is out of the way, let’s begin:

  1. Grab the ISO for Ubuntu Server from here
  2. Install it on your hypervisor, or on a physical machine if you are old school in that way.
  3. Install the OpenSSH server:
    1. sudo apt-get update
    2. sudo apt-get install openssh-server
  4. Enable and start the SSH service:
    1. sudo systemctl enable ssh
    2. sudo systemctl start ssh
    3. sudo systemctl status ssh (to check that it is running)

[How To] Create Bootable Windows XP USB

Yesterday I ran into trouble while trying to install Windows XP on an old computer. The problem? Well, I didn’t have a CD-ROM drive on that computer and the only way to install was to use a bootable USB. I tried several well-known software tools available on the internet but somehow they didn’t work. Maybe because Windows XP was not designed to be USB bootable.

Finally I came across this amazing tool called Rufus and it did it. The only other thing it needed was the ISO for Windows XP.

If you also want to make a Bootable Win XP USB, follow these steps:

Bootable WinXP USB
Howto Create Bootable USB Win XP

  1. Launch Rufus.
  2. Select your device from the drop down list.
  3. Click on the little CD drive button and select the ISO file you want to use (the Windows XP image).
  4. Hit Start button and off it goes.

Create Bootable USB Win XP

And you have your bootable Windows XP USB as simple as that.