DD-WRT OpenVPN Router To Router

Client Configuration - DD-WRT

This is the configuration for an OpenVPN Client running on another DD-WRT box.

Just set the OpenVPN server name (its WAN address or name) and port (1194) using the GUI, and then put in the certs similar to the procedure on the server:

Box	File to insert
Public Server Cert	ca.crt
Public Client Cert	suc19cli4res.crt
Private Client Key	suc19cli4res.key

build-key suc19cli4res

Setup OpenVPN Client to connect to DD-WRT OpenVPN Service

Fedora 18 , sshd & SELiNUX

Trying to change the default port of sshd , selinux appeared :

service sshd status
Redirecting to /bin/systemctl status  sshd.service
sshd.service - OpenSSH server daemon
      Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
      Active: failed (Result: exit-code) since Thu 2013-04-25 16:01:52 EEST; 1min 25s ago
     Process: 1950 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
     Process: 1944 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)

 systemd[1]: Starting OpenSSH server daemon...
 systemd[1]: Started OpenSSH server daemon.
 sshd[1950]: error: Bind to port 248 on 0.0.0.0 failed: Permission denied.
 sshd[1950]: error: Bind to port 248 on :: failed: Permission denied.
 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
 systemd[1]: Unit sshd.service entered failed state

everything is ok with :

semanage port -a -t ssh_port_t -p tcp 248

SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket .

*****  Plugin bind_ports (99.5 confidence) suggests  *************************

If you want to allow /usr/sbin/sshd to bind to network port 248
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 248
    where PORT_TYPE is one of the following: ssh_port_t, xserver_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that sshd should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          248
Host                          82-79-141-236.static.resita.rdsnet.ro
Source RPM Packages           openssh-server-6.1p1-6.fc18.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Platform                      Linux   3.8.8-202.fc18.x86_64 #1 SMP Wed Apr 17 23:25:17
                              UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-04-25 16:01:52 EEST
Last Seen                     2013-04-25 16:01:52 EEST
Local ID                      fffbad56-ad32-4ff4-b98d-3de411d41505

Raw Audit Messages
type=AVC msg=audit(1366894912.989:94): avc:  denied  { name_bind } for  pid=1950 comm="sshd" src=248 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1366894912.989:94): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7ff6baf563b0 a2=1c a3=7fffe9432d74 items=0 ppid=1 pid=1950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,reserved_port_t,tcp_socket,name_bind

audit2allow

#============= sshd_t ==============
allow sshd_t reserved_port_t:tcp_socket name_bind;

audit2allow -R
require {
    type sshd_t;
}

#============= sshd_t ==============
corenet_tcp_bind_reserved_port(sshd_t)

Fedora 18 , yum groupinstall , systemd

yum groupinstall "GNOME Desktop"
yum groupinstall "MATE-Desktop"
yum groupinstall cinnamon

How do I change the default runlevel? 

rm /etc/systemd/system/default.target 

ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target

ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target

SysVinit to Systemd Cheatsheet

 

Services

Sysvinit Command	Systemd Command	Notes
service frobozz start	systemctl start frobozz.service	Used to start a service (not reboot persistent)
service frobozz stop	systemctl stop frobozz.service	Used to stop a service (not reboot persistent)
service frobozz restart	systemctl restart frobozz.service	Used to stop and then start a service
service frobozz reload	systemctl reload frobozz.service	When supported, reloads the config file without interrupting pending operations.
service frobozz condrestart	systemctl condrestart frobozz.service	Restarts if the service is already running.
service frobozz status	systemctl status frobozz.service	Tells whether a service is currently running.
ls /etc/rc.d/init.d/	systemctl list-unit-files --type=service (preferred) ls /lib/systemd/system/*.service /etc/systemd/system/*.service	Used to list the services that can be started or stopped Used to list all the services and other units
chkconfig frobozz on	systemctl enable frobozz.service	Turn the service on, for start at next boot, or other trigger.
chkconfig frobozz off	systemctl disable frobozz.service	Turn the service off for the next reboot, or any other trigger.
chkconfig frobozz	systemctl is-enabled frobozz.service	Used to check whether a service is configured to start or not in the current environment.
chkconfig --list	systemctl list-unit-files --type=service(preferred) ls /etc/systemd/system/*.wants/	Print a table of services that lists which runlevels each is configured on or off
chkconfig frobozz --list	ls /etc/systemd/system/*.wants/frobozz.service	Used to list what levels this service is configured on or off
chkconfig frobozz --add	systemctl daemon-reload	Used when you create a new service file or modify any configuration

Note that all /sbin/service and /sbin/chkconfig lines listed above continue to work on systemd, and will be translated to native equivalents as necessary. The only exception is chkconfig --list.

Runlevels/targets

Systemd has a concept of targets which serve a similar purpose as runlevels but act a little different. Each target is named instead of numbered and is intended to serve a specific purpose. Some targets are implemented by inheriting all of the services of another target and adding additional services to it. There are systemd targets that mimic the common sysvinit runlevels so you can still switch targets using the familiar telinit RUNLEVEL command. The runlevels that are assigned a specific purpose on vanilla Fedora installs; 0, 1, 3, 5, and 6; have a 1:1 mapping with a specific systemd target. Unfortunately, there's no good way to do the same for the user-defined runlevels like 2 and 4. If you make use of those it is suggested that you make a new named systemd target as /etc/systemd/system/$YOURTARGET that takes one of the existing runlevels as a base (you can look at /lib/systemd/system/graphical.target as an example), make a directory /etc/systemd/system/$YOURTARGET.wants, and then symlink the additional services that you want to enable into that directory. (The service unit files that you symlink live in /lib/systemd/system).

Sysvinit Runlevel	Systemd Target	Notes
0	runlevel0.target, poweroff.target	Halt the system.
1, s, single	runlevel1.target, rescue.target	Single user mode.
2, 4	runlevel2.target, runlevel4.target, multi-user.target	User-defined/Site-specific runlevels. By default, identical to 3.
3	runlevel3.target, multi-user.target	Multi-user, non-graphical. Users can usually login via multiple consoles or via the network.
5	runlevel5.target, graphical.target	Multi-user, graphical. Usually has all the services of runlevel 3 plus a graphical login.
6	runlevel6.target, reboot.target	Reboot
emergency	emergency.target	Emergency shell

Changing runlevels:

Sysvinit Command	Systemd Command	Notes
telinit 3	systemctl isolate multi-user.target (OR systemctl isolate runlevel3.target OR telinit 3)	Change to multi-user run level.
sed s/^id:.*:initdefault:/id:3:initdefault:/	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target	Set to use multi-user runlevel on next reboot.

systemd command reference

sysVinit command	systemd command	Notes
service sshd start	systemctl start sshd.service	Used to start a service (not reboot persistent)
service sshd stop	systemctl stop sshd.service	Used to stop a service. (not reboot persistent)
service sshd restart	systemctl restart sshd.service	Used to start and stop a service.
service sshd reload	systemctl reload sshd.service	When supported, reloads the config file without interrupting pending operations.
service sshd condrestart	systemctl condrestart sshd.service	Restarts if the service is already running.
service sshd status	systemctl status sshd.service	Tells whether a service is currently running.
ls /etc/rc.d/init.d/	systemctl list-unit-files --type=service	Lists all available services.
chkconfig sshd on	systemctl enable sshd.service	Always run the service at this target (runlevel.)
chkconfig sshd off	systemctl disable sshd.service	Do not automatically run the service at this target (runlevel.)
chkconfig --list	systemctl list-units -t service --all	Print a table of available services and their status.
chkconfig sshd --list	ls /etc/systemd/system/*.wants/sshd.service	Lists the targets that will include the service.
chkconfig sshd --add	systemctl daemon-reload	Used when you create a service file or modify any configuration.
telinit 3	systemctl isolate multi-user.target	Move system into another target (change runlevels.)
[no comparable command]	systemctl show -p "Wants" multi-user.target	Lists units pulled in by a given target.
[no comparable command]	systemctl show -p "After" sshd.service	Shows dependent services and other targets.
[no comparable command]	systemd --test --system --unit=multi-user.target	Simulates booting the system to a given target
[no comparable command]	systemd-analyze plot > boot.svg	Generates a diagnostically useful graphical representation of the boot process.
ps xawf -eo pid,user,cgroup,args	systemd-cgls	Display control group process tree.

HDD speed can bottleneck gigabit transfer

http://www.tomshardware.co.uk/forum/29448-42-network-adapter-100mb-speed

Suggestion:

1. Cat 6 cable should squeeze more speed out of your connection
2. Cable length - Keep it as short as possible
3. Your best speed results will be between 2 computers with gigabit connections. Internet usage speeds will be lower in most cases.
4. Make sure jumbo frames are set in network properties for your network adapter. Set to the max value which is 9k. 
5. Hard Disk speed can bottleneck your gigabit transfers

http://www.wikihow.com/Upgrade-Your-Network-to-Gigabit-Ethernet

Hard Drive Delivers SATA-III 6-Gbit/s Transfer Rate

http://electronicdesign.com/boards/hard-drive-delivers-sata-iii-6-gbits-transfer-rate

Will a Gigabit Switch Speed Up My Home Network?
http://www.ehow.com/info_12215278_gigabit-switch-speed-up-home-network.html#ixzz2RJpBXjUQ

Setup OpenVPN Client to connect to DD-WRT OpenVPN Service

We consider that we have an ASUS RT-N16 wireless router with the following firmware installed :
" DD-WRT v24-sp2 (08/07/10) vpn "

( some day  I will write an article about how I've installed DD-WRT firmware and configured OpenVPN service in ASUS RT-N16 ) 

First of all , we must choose to install a stable OpenVPN version : 2.1.4 ;
Can be downloaded from : 

http://openvpn.net/index.php/open-source/downloads/471-old-releases.html

http://swupdate.openvpn.org/community/releases/openvpn-2.1.4-install.exe
After installation , OpenVPN-GUI can be run as administrator if there are problems ; 

Setting up OpenVPN Client to connect to DD-WRT OpenVPN Service we have to create or to already have : 

1) a configuration file ("ita2cli4resita2asus.ovpn")
2) a router certificate  ("ca_resita2asus.crt")
3) a openvpn client certificate ("ita02cli4res.crt")
4) a client key file = ("ita02cli4res.key")

We can follow the steps from : howtogeek.com

The problem in that article is that after you create some keys and certificates and if after 

a while you want to create for one more user , you have to recreate all the keys and certificates for all client users ... 

So , lets see the steps to create config , key and certificate for one client user ; 

Then close the command window , restart Windows and after that try to create just one more : 

Let's assume that we are using Windows 7 - 64 bit edition ;

Under Accessories there is "Command Prompt" ;
Right click on it and click Run as administrator.

DO RUN : "cd c:\Program Files (x86)\OpenVPN\easy-rsa"

( open-vpn client 32 bit edition on a Windows 7 64 bit ) 

for the last client , created after a Windows restart

do not run : "init-config"

do not edit vars.bat file   

do not run : "clean-all"

DO RUN : "build-key ita02cli4res"

Just be sure to enter ita02cli4res as the Common Name when prompted. 

We don't have to recreate the server key : 

do not run : build-key-server server

do not run :  build-dh

Disable Autorun in Windows 7

Disable Autorun For Removable Media In Windows 7

Run (Win + R) Gpedit.msc

Computer Configuration > Administrative Templates >
      Windows Components

Edit and enable "Turn off Autoplay" option

 

Fedora 18 : disable firewalld & install iptables

Changing back to IPTables in Fedora 18

How to enable iptables(instead of firewalld) services on Fedora 18?

systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl start iptables.service
systemctl start ip6tables.service

yum -y install iptables-services iptables-utils

Firewall

Currently the developers of Fedora are trying to reinvent the wheel using some wrappers. I like what they are trying to do with systemd but I am not satisfied their firewall attempts. I like the good old tools so we have to fix some minor issues. Because I upgraded from Fedora 17 to Fedora 18 I have to remove some other tools.
I want to revert back to our good-old iptables stuff.

removing unwanted stuff

# removing UFW - Uncomplicated Firewall (from F17 LiveDVD Setup)
systemctl disable ufw.service
systemctl stop ufw.service
yum remove ufw

# removing firewalld (from F18 Upgrade)
systemctl disable firewalld.service
systemctl stop firewalld.service
yum remove firewalld firewall-config firewall-appled
                                               
# disabling ip6tables
systemctl disable ip6tables.service
systemctl stop ip6tables.service

# enabling iptables
systemctl enable iptables.service
systemctl start ip6tables.service

FYI: the firwall startup process

When I fixed this issue I found some good-to-know dependencies.

/bin/systemctl status  iptables.service

-- calls --> /usr/lib/systemd/system/iptables.service
--- calls --> /etc/sysconfig/iptables (iptables-rules like iptables-save)

-- calls --> /usr/libexec/iptables/iptables.init
--- calls --> /etc/sysconfig/iptables (iptables-rules like iptables-save)
--- calls --> /etc/sysconfig/iptables-config (default-behaviour)

Issues

WARNING: The state match is obsolete. Use conntrack instead
I am now trying to restart the good old firwall. It seems to work, but there were some issues.

systemctl status iptables
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Mo 2013-02-04 18:01:39 CET; 5min ago
         Process: 345 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)

Feb 04 18:01:37 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:01:38 vmama iptables.init[345]: iptables: Applying firewall rules: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:38 vmama iptables.init[345]: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:39 vmama iptables.init[345]: [  OK  ]
Feb 04 18:01:39 vmama systemd[1]: Started IPv4 firewall with iptables.

There were some syntax-changes in iptables so we have to fix these rules wherever we find them. Typically in all your custom iptables-save rules and inside our default-location at /etc/sysconfig/iptables

Replace every occurrence of -m state --state -m conntrack --ctstate and reload your rules. I decided to use the default iptables config file instead of iptables -A

# backup the existing (default) configuration file (created by system-config-firewall)
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

# backup the existing rules
iptables-save > /etc/sysconfig/iptables

Now modify the file /etc/sysconfig/iptables

# OLD
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NEW
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# restore the settings
iptables-restore < /etc/sysconfig/iptables

Issue fixed

[root@vmama sysconfig]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Mo 2013-02-04 18:34:36 CET; 53min ago
         Process: 1037 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
         Process: 1083 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)

Feb 04 18:34:36 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:34:36 vmama iptables.init[1083]: iptables: Applying firewall rules: [  OK  ]
Feb 04 18:34:36 vmama systemd[1]: Started IPv4 firewall with iptables.

Internet Connection Sharing using iptables

iptables can be used to share an internet connection from a Linux system. Another method of doing this is using a proxy server like squid.

Enable IP forwarding

Run as root
sysctl -w net.ipv4.ip_forward=1
To enable it in system startup, edit the file /etc/sysctl.conf and set
net.ipv4.ip_forward = 1

iptables

Run command as root

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save 

Status

# iptables -t nat -L POSTROUTING 
cat /proc/sys/net/ipv4/ip_forward 1
# iptables -L

iptables-restore under f18
http://forums.fedoraforum.org/showthread.php?t=284675

Hello! I set up my iptables in fedora 18, saved them to "/etc/iptables.save" and wanted to add the "iptables-restore" command in /etc/rc.local... Well the file doesn't exist anymore under that path - where can I now put this restore-command so that my iptables are being loaded with every boot - preferable before network starts.
 

Auto running commands at boot

IF AT BOOT MUST RUN A SCRIPT : 
http://pantestmb.blogspot.ro/2013/09/fedora-systemctl-start-rc-local.html

Install LibreOffice 4.0.2 64-bit version on Fedora 18

http://www.if-not-true-then-false.com/2012/install-libreoffice-on-fedora-centos-red-hat-rhel/

wget http://download.documentfoundation.org/

libreoffice/stable/4.0.2/rpm/x86_64/LibreOffice_4.0.2_Linux_x86-64_rpm.tar.gz

tar-xvf LibreOffice_4.0.2* 

cd LibreOffice_4.0.2*

yum install pangox-compat

yum localinstall RPMS/*.rpm
yum localinstall RPMS/desktop-integration/libreoffice4.0-freedesktop-menus-4.0.2*.noarch.rpm 

Fedora 18 - install 64-bit Flash Player 11

http://fedoraproject.org/wiki/Flash
http://lifeofageekadmin.com/how-to-install-adobe-reader-and-flash-on-fedora-18/

x86_64 (64-bit)

sudo yum install 
http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm -y 

Install the Adobe Flash web browser plugin

The first command imports the GPG key for the Adobe Flash plugin repository and the second command installs the plugin itself :

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
sudo yum install flash-plugin -y

http://www.mjmwired.net/resources/mjm-fedora-f19.html#flash