IPSec Road Warrior Strongswan 5.8 IKEv2 swanctl Mikrotik RSA Auth

Here is my Strongswan road-warrior config on Archlinux (swanctl.conf). Both sides authenticate with RSA certificates (pubkey), and the gateway is identified by the CN of its certificate.


connections {
	somename {
		local_addrs  = %any
		remote_addrs = gw.domain.tld
		vips = %any
		version = 2
		proposals = aes256-sha256-modp2048
		local {
			auth = pubkey
			certs = cert_export_work_crt.pem
			id = "work@gw.domain.tld"
		}
		remote {
			auth = pubkey
			id = "CN=gw.domain.tld"
		}
		children {
			somename {
				#start_action = start
				remote_ts =
				esp_proposals = aes256-sha256-modp2048
			}
		}
	}
}

secrets {
	rsa-somename {
		file = cert_export_work_private.pem
	}
}

Save your private key to


Save your certificate to


Save your ca-certificate to


Start and stop your vpn connection via

systemctl restart strongswan

swanctl --initiate --child somename

swanctl --terminate --child somename

Have fun!

Archlinux SAMBA Fileserver Btrfs Qnap TS-459 PRO II

I’ve got a used, half-dead Qnap TS-459 PRO II on my hands. The original Qnap OS does not reliably detect the installed disks, due to a faulty Marvell SATA controller chip.
The other Marvell SATA controller works fine, so only 2 of 4 disks are working.

Archlinux has very good btrfs support thanks to its fresh packages. Otherwise I would have used Debian or Ubuntu.

Problems with this special type of hardware:
*) The BIOS does not detect the connected disks on this device, so you can only boot from the internal USB device.

You have to put /boot on the internal USB device.

I changed the first "set root=" line of /boot/grub/grub.cfg from

set root='mduuid/daa55d04:df1b4f59:52419904:51489ef3'

to

set root='hd0,msdos1'

Now grub reads its config files from that USB device.

WARNING! If you recreate your grub.cfg with grub-mkconfig -o /boot/grub/grub.cfg this change will be overwritten. I was too lazy to fix that :-)

To boot Archlinux from software RAID you have to

mdadm --detail --scan >> /etc/mdadm.conf

vim /etc/mkinitcpio.conf

HOOKS=(base udev autodetect modconf block filesystems keyboard fsck mdadm btrfs)

mkinitcpio -p linux

The mdadm hook includes /etc/mdadm.conf in the initramfs. I’m using btrfs for the root and data partitions, therefore I’ve added btrfs just in case :-). Normally it is included automatically.

You also want a periodic consistency check of your RAID. This device has really old used disks built in, so I’ve “stolen” the checkarray script from an Ubuntu installation and created a systemd timer.

The timer unit:

[Unit]
Description=Software RAID checkarray timer

The service unit:

[Unit]
Description=Software RAID checkarray service

[Service]
ExecStart=/usr/local/sbin/checkarray --all --idle --quiet

You might also want lm_sensors support:
*) vim /etc/modules-load.d/sensors.conf
*) Install lm_sensors and run pwmconfig.

Fancontrol runs really nicely on this board!

Here is my samba config file if you need it. I’ve enabled the samba full_audit VFS module for the “daten” share, so every mkdir/rename/unlink/rmdir/write is logged to syslog (facility local7) together with the client IP, user and machine name. Very handy for handling Crypto-Trojans faster and more easily, because the log shows at once which client started mass-renaming files.

[global]
workgroup = nas01.local
server string = nas01
domain logons = No
domain master = No
printing = bsd
security = user
hosts allow =
printcap name = /dev/null
#Windows XP fix
lanman auth = yes
ntlm auth = yes
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir pwrite write
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE

[daten]
comment = daten
hosts allow =
path = /daten/samba/daten
read only = No
valid users = daten
available = yes
create mode = 0644
directory mode = 0755
vfs objects = full_audit

; share name not preserved on the page; "backup" assumed from the path
[backup]
comment = daten
hosts allow =
path = /daten/samba/backup
read only = No
valid users = backup
available = yes
create mode = 0644
directory mode = 0755

; share name not preserved on the page; "snapshots" assumed from the path
[snapshots]
comment = daten
hosts allow =
path = /daten/.snapshots
force user = root
valid users = daten
read only = yes
available = yes
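As an added example (not part of the original post, and not code from the Samba project), here is a small Python script that reads the full_audit lines the configuration above sends to syslog facility local7 and flags a client that issues a burst of rename/unlink/write operations, the pattern a crypto-trojan produces while it encrypts a share. The log lines are constructed for the example: the host name nas01 comes from the config above, while the IPs, users, machine names, paths, the 60-second window and the threshold of 5 operations are assumptions. The field layout after the configured prefix (operation|result|arguments) follows vfs_full_audit.

```python
"""Flag ransomware-like bursts in Samba full_audit syslog output.

Added example, not part of the original post. Log lines are constructed in the
shape produced by the smb.conf above (full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S)
followed by vfs_full_audit's "operation|result|arguments" fields; IPs, users,
machine names and paths are invented.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Audited operations that modify or destroy data (mkdir is logged too, but is harmless).
DESTRUCTIVE_OPS = {"rename", "unlink", "rmdir", "pwrite", "write"}
WINDOW_SECONDS = 60   # assumed sliding-window length
THRESHOLD = 5         # assumed number of destructive ops per (IP, user) that raises an alert

# Constructed sample: pc-anna works normally, pc-bob renames five files to *.locked in six seconds.
SAMPLE_LOG = """\
Mar  3 08:00:01 nas01 smbd[1234]: IP=192.168.1.20|USER=daten|MACHINE=pc-anna|VOLUME=daten|pwrite|ok|reports/q1.xlsx
Mar  3 08:00:05 nas01 smbd[1234]: IP=192.168.1.20|USER=daten|MACHINE=pc-anna|VOLUME=daten|mkdir|ok|reports/2020
Mar  3 08:01:00 nas01 smbd[1235]: IP=192.168.1.33|USER=daten|MACHINE=pc-bob|VOLUME=daten|rename|ok|docs/a.docx|docs/a.docx.locked
Mar  3 08:01:01 nas01 smbd[1235]: IP=192.168.1.33|USER=daten|MACHINE=pc-bob|VOLUME=daten|rename|ok|docs/b.docx|docs/b.docx.locked
Mar  3 08:01:02 nas01 smbd[1235]: IP=192.168.1.33|USER=daten|MACHINE=pc-bob|VOLUME=daten|rename|ok|docs/c.xlsx|docs/c.xlsx.locked
Mar  3 08:01:03 nas01 smbd[1235]: IP=192.168.1.33|USER=daten|MACHINE=pc-bob|VOLUME=daten|pwrite|ok|docs/README.txt
Mar  3 08:01:04 nas01 smbd[1235]: IP=192.168.1.33|USER=daten|MACHINE=pc-bob|VOLUME=daten|rename|ok|docs/d.pdf|docs/d.pdf.locked
Mar  3 08:01:05 nas01 smbd[1235]: IP=192.168.1.33|USER=daten|MACHINE=pc-bob|VOLUME=daten|rename|ok|docs/e.jpg|docs/e.jpg.locked
Mar  3 08:02:30 nas01 smbd[1234]: IP=192.168.1.20|USER=daten|MACHINE=pc-anna|VOLUME=daten|unlink|ok|reports/tmp.txt
"""

# syslog timestamp, host, "smbd[pid]:", then the full_audit body starting with the configured prefix
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd\[\d+\]: (?P<body>IP=.*)$"
)


def parse_line(line):
    """Return a dict with IP, USER, MACHINE, VOLUME, ts, op, result, args, or None if not an audit line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 6:
        return None
    rec = dict(f.split("=", 1) for f in fields[:4])          # the four prefix fields
    ts = " ".join(m.group("ts").split())                      # collapse "Mar  3" to "Mar 3"
    rec["ts"] = datetime.strptime(ts, "%b %d %H:%M:%S")      # syslog carries no year
    rec["op"], rec["result"], rec["args"] = fields[4], fields[5], fields[6:]
    return rec


def find_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(ip, user): info} for every client whose destructive operations
    reach `threshold` inside some window of `window` seconds."""
    events = defaultdict(list)   # (ip, user) -> successful destructive operations
    for line in lines:
        rec = parse_line(line)
        if rec and rec["op"] in DESTRUCTIVE_OPS and rec["result"] == "ok":
            events[(rec["IP"], rec["USER"])].append(rec)

    alerts = {}
    for key, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = [], 0
        for end in range(len(recs)):            # sliding window over the sorted events
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 > len(best):
                best = recs[start:end + 1]
        if len(best) >= threshold:
            # Encrypting malware usually gives every renamed file the same new suffix.
            exts = Counter(r["args"][1].rsplit(".", 1)[-1]
                           for r in best if r["op"] == "rename" and len(r["args"]) > 1)
            alerts[key] = {
                "machine": best[0]["MACHINE"],
                "count": len(best),
                "ops": Counter(r["op"] for r in best),
                "new_extension": exts.most_common(1)[0][0] if exts else None,
            }
    return alerts


if __name__ == "__main__":
    for (ip, user), info in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip} user={user} machine={info['machine']}: "
              f"{info['count']} destructive ops, {dict(info['ops'])}, "
              f"new extension={info['new_extension']}")
```

In production you would feed the script the local7 log file (or read from journald) instead of SAMPLE_LOG, and the alert gives you exactly what you need to act: the client IP and machine to disconnect, the user whose files to restore from the btrfs snapshots, and the extension to search for.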

I’ve enabled btrfs snapshots with snapper and the corresponding systemd timers of the Archlinux package. Useful if you want to recover accidentally deleted or overwritten files.

WARNING! Snapshots do not replace a real Backup!

This device also has an LCD display. Someone has written a very good ksh script dealing with it.

I don’t need all of this goodness, so I wrote my own crappy script to display only the information I need :-) It does what it should do :-)


Have fun!

Archlinuxarm Raspberry Pi3 B+ btrfs root subvolume


Archlinuxarm ARMv8 (AArch64) uses U-Boot to boot the system.
You have to modify /boot/boot.txt with your rootflags; mine looks like this:

setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=${uuid} rootflags=subvol=root,compress rw rootwait smsc95xx.macaddr="${usbethaddr}"

So you have to insert “rootflags=subvol=root,compress” to boot from your btrfs subvolume!
After editing the text file you have to run

cd /boot/

This will recreate your boot.scr

Have fun!

l2tp ipsec linux client bash script


Here is my simple approach to a VPN client via bash.
The main script I found at https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup
I’ve adapted it to my needs.

First we configure strongswan:

/etc/ipsec.conf:

conn yourcompany

/etc/ipsec.secrets:

: PSK "yourpsk"

Now we configure xl2tpd

/etc/xl2tpd/xl2tpd.conf:

[lac vpn-connection]
lns =
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client:

idle 1800
mtu 1410
mru 1410
connect-delay 5000
name yourusername
password yourpassword

Here is my bash script. It brings up the IPsec connection first, then the L2TP tunnel, and finally swaps the default route to ppp0 while keeping a host route to the VPN server via the old gateway; stop reverses this.

#!/bin/bash

if [ $# != 1 ] ; then
    echo "Usage: (sudo) sh $0 {start|stop}"
    exit 1;
fi

CONN_NAME=yourcompany        # must match the conn name in /etc/ipsec.conf
VPN_ADDR="VPN_SERVER_IP"     # placeholder: the VPN gateway address was not preserved on the page

function getIP(){
    /sbin/ifconfig $1 | grep "inet "| awk '{print $2}'
}

function getGateWay(){
    # gateway of the current default route
    /sbin/route -n | grep -m 1 "^0\.0\.0\.0" | awk '{print $2}'
}

function getVPNGateWay(){
    # gateway of the host route that pins the VPN server to the old default gateway
    /sbin/route -n | grep -m 1 "$VPN_ADDR" | awk '{print $2}'
}

function saveInterface() {
    # remember the interface of the default route while that route still exists
    echo $(/sbin/route -n | grep -m 1 "^0\.0\.0\.0" | awk '{print $8}') > /tmp/interface.txt
}

function getInterface(){
    cat /tmp/interface.txt
}

function start(){
    GW_ADDR=$(getGateWay)
    saveInterface

    ipsec up $CONN_NAME
    sleep 2    #delay to ensure that IPsec is started before overlaying L2TP

    systemctl start xl2tpd
    sleep 2
    /bin/echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    sleep 2    #delay again to make sure that the PPP connection is up.

    # keep the VPN server reachable via the old gateway, then send everything else through ppp0
    route add $VPN_ADDR gw $GW_ADDR $(getInterface)
    route add default gw $(getIP ppp0)
    route delete default gw $GW_ADDR
}

function stop(){
    VPN_GW=$(getVPNGateWay)    # read the old gateway back from the host route before removing it

    ipsec down $CONN_NAME
    /bin/echo "d vpn-connection" > /var/run/xl2tpd/l2tp-control
    systemctl stop xl2tpd

    # restore the original default route
    route delete $VPN_ADDR gw $VPN_GW $(getInterface)
    route add default gw $VPN_GW
}

case "$1" in
    start) start ;;
    stop)  stop ;;
    *)     echo "Usage: (sudo) sh $0 {start|stop}"; exit 1 ;;
esac
exit 0