IPSec Road Warrior Strongswan 5.8 IKEv2 swanctl Mikrotik RSA Auth

Hi,
here is my Strongswan road-warrior config using Archlinux

/etc/swanctl/conf.d/somename.conf

connections {
	somename {
		local_addrs  = %any
		remote_addrs = gw.domain.tld
		vips = %any
		version = 2
		proposals = aes256-sha256-modp2048
		# dpd_timeout is only used by IKEv1; for IKEv2 the liveness check interval is dpd_delay
		dpd_delay = 30s
		dpd_timeout = 120s
		rekey_time = 1d

		local {
			auth = pubkey
			certs = cert_export_work_crt.pem
			id = "work@gw.domain.tld"
		}
		remote {
			auth = pubkey
			id = "CN=gw.domain.tld"
		}
		children {
			somename {
				#start_action = start
				remote_ts = 192.168.223.0/24
				esp_proposals = aes256-sha256-modp2048
				# valid values are clear, trap or restart ("start" is not accepted here)
				dpd_action = restart
				life_time = 8h
			}
		}
	}
}

secrets {
	rsa-somename {
		file = cert_export_work_private.pem
	}
}

Save your private key to

/etc/swanctl/private/cert_export_work_private.pem

Save your certificate to

/etc/swanctl/x509/cert_export_work_crt.pem

Save your ca-certificate to

/etc/swanctl/x509ca/cert_export_ca.pem

Start and stop your VPN connection via

systemctl restart strongswan

swanctl --initiate --child somename

swanctl --terminate --child somename

Have fun!

Archlinux SAMBA Fileserver Btrfs Qnap TS-459 PRO II

I’ve got a used, half-dead Qnap TS-459 PRO II in my hands. The original Qnap OS won’t detect the installed disks reliably, due to a faulty Marvell SATA controller chip.
The other Marvell SATA controller works fine. So only 2 of 4 disks are working.

Archlinux has very good btrfs support due to the fresh packages. Otherwise I would have used debian or ubuntu.

Problems with this special type of hardware:
*) The BIOS does not detect the connected disks on this device, thus you can only boot from the internal USB device

You have to put /boot on the internal USB device.

I’ve changed the first line of /boot/grub/grub.cfg from

set root='mduuid/daa55d04:df1b4f59:52419904:51489ef3'

to

set root='hd0,msdos1'

Now grub is reading its config files from that USB device.

WARNING! If you recreate your grub.cfg with grub-mkconfig -o /boot/grub/grub.cfg this change will be overwritten. I was too lazy to fix that :-)

To boot Archlinux from software RAID you have to

mdadm --detail --scan >> /etc/mdadm.conf

vim /etc/mkinitcpio.conf

HOOKS=(base udev autodetect modconf block filesystems keyboard fsck mdadm btrfs)

mkinitcpio -p linux

The mdadm hook will include /etc/mdadm.conf in the initramfs. I’m using btrfs for the root and data partitions. Therefore I’ve added btrfs just in case :-). Normally it will be included automatically.

You also want a periodic consistency check of your RAID. This device has really old, used disks built in. So I’ve “stolen” the checkarray script from an Ubuntu installation and created a systemd timer

/etc/systemd/system/checkarray.timer

[Unit]
Description=Software RAID checkarray timer
[Timer]
OnCalendar=monthly
AccuracySec=1h
[Install]
WantedBy=timers.target

/etc/systemd/system/checkarray.service

[Unit]
Description=Software RAID checkarray service
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/checkarray --all --idle --quiet

You might also want lm_sensors support.
*) vim /etc/modules-load.d/sensors.conf
it87
*) Install lm_sensors and run pwmconfig.

Fancontrol runs really nice on this board!

Here is my samba config file if you need it. I’ve enabled samba audit for the “daten” share. Very handy for handling crypto-trojans faster and more easily.

[global]
workgroup = nas01.local
server string = nas01
domain logons = No
domain master = No
printing = bsd
security = user
hosts allow = 127.0.0.1 192.168.0.0/16
printcap name = /dev/null
#Windows XP fix: LM and NTLMv1 are weak legacy protocols, only keep them enabled if such old clients really exist
lanman auth = yes
ntlm auth = yes
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir pwrite write
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE

[daten]
comment = daten
hosts allow = 192.168.0.0/16
path = /daten/samba/daten
read only = No
valid users = daten
available = yes
create mode = 0644
directory mode = 0755
vfs objects = full_audit

[backup]
comment = daten
hosts allow = 192.168.0.0/16
path = /daten/samba/backup
read only = No
valid users = backup
available = yes
create mode = 0644
directory mode = 0755

[snapshots]
comment = daten
hosts allow = 192.168.0.0/16
path = /daten/.snapshots
force user = root
valid users = daten
read only = yes
available = yes
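
Because full_audit writes one syslog line per operation with the prefix configured above, those lines can be scanned for the typical signature of a crypto-trojan: a flood of renames or deletes from a single client in a short time. The following detector is an added example and not part of the original post; it assumes the lines arrive via syslog as "<host> smbd_audit: <prefix>|<op>|ok|<args>" and works on constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One smbd full_audit syslog line, as produced by the full_audit:prefix above (assumed layout):
# "<mon> <day> <hh:mm:ss> <host> smbd_audit: IP=..|USER=..|MACHINE=..|VOLUME=..|<op>|<ok|fail>|<args>"
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: IP=(?P<ip>[^|]*)\|USER=(?P<user>[^|]*)"
    r"\|MACHINE=[^|]*\|VOLUME=(?P<vol>[^|]*)\|(?P<op>\w+)\|(?P<status>ok|fail)\|(?P<args>.*)$"
)

def parse_audit_line(line, year=2024):
    """Parse one audit line into a dict, or return None for unrelated syslog lines."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    ev["args"] = ev["args"].split("|")  # rename: [old, new]; unlink: [path]
    return ev

def find_bursts(lines, ops=("rename", "unlink"), window_s=60, threshold=20):
    """Flag (ip, user) pairs that complete >= threshold rename/unlink calls within window_s seconds.
    A crypto-trojan working on a share looks like exactly this: a flood of renames/deletes from one client."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent matching operations
    flagged = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["op"] not in ops or ev["status"] != "ok":
            continue
        key = (ev["ip"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return sorted((ip, user, n) for (ip, user), n in flagged.items())

# Constructed sample: one client renames two files, another renames 25 files to ".locked" within 25 s.
LINE = ("Mar 10 09:15:{s:02d} nas01 smbd_audit: IP={ip}|USER={user}|MACHINE={m}|VOLUME=daten"
        "|rename|ok|/daten/samba/daten/doc{n}.docx|/daten/samba/daten/doc{n}.docx{ext}")
SAMPLE = [LINE.format(s=i, ip="192.168.1.20", user="daten", m="pc-alice", n=i, ext="") for i in range(2)]
SAMPLE += [LINE.format(s=i, ip="192.168.1.77", user="daten", m="pc-bob", n=i, ext=".locked") for i in range(25)]

if __name__ == "__main__":
    for ip, user, n in find_bursts(SAMPLE):
        print(f"possible crypto-trojan: {user}@{ip} did {n} rename/unlink operations within 60 s")
```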

I’ve enabled btrfs snapshots with snapper and the corresponding systemd timers of the Archlinux package. Useful if you want to recover accidentally deleted or overwritten files.

WARNING! Snapshots do not replace a real Backup!

This device also has an LCD display. Someone has written a very good ksh script for it.
https://github.com/jdupl/QnapFreeLCD

I don’t need all of this goodness. So I wrote my own crappy script to display only the information I need :-) It does what it should do :-)

https://www.paranoids.at/downloads/lcdMonitor.php.txt

Have fun!

Archlinuxarm Raspberry Pi3 B+ btrfs root subvolume

Hi,

Archlinuxarm ARMv8 (AArch64) uses U-Boot to boot the system.
You have to modify /boot/boot.txt with your rootflags;
mine looks like this:

setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=${uuid} rootflags=subvol=root,compress rw rootwait smsc95xx.macaddr="${usbethaddr}"

So you have to insert “rootflags=subvol=root,compress” to boot from your btrfs subvolume!
After editing the text file you have to run

cd /boot/
./mkscr

This will recreate your boot.scr

Have fun!

l2tp ipsec linux client bash script

Hi,

here is my simple approach to a VPN client via bash.
The main script I found at https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup
I’ve adapted it to my needs.

First we configure strongswan:

/etc/ipsec.conf
conn yourcompany
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=2.2.2.2
    rightprotoport=17/1701
    auto=add
/etc/ipsec.secrets
2.2.2.2 : PSK "yourpsk"

Now we configure xl2tpd

/etc/xl2tpd/xl2tpd.conf
[lac vpn-connection]
lns = 2.2.2.2
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
connect-delay 5000
name yourusername
password yourpassword

Here is my bash script

#!/bin/bash
if [ $# != 1 ] ; then
    echo "Usage: (sudo) $0 {start|stop}"
    exit 1
fi

VPN_ADDR=2.2.2.2
IPSEC_CONN=yourcompany   # must match the "conn" name in /etc/ipsec.conf

function getIP(){
    /sbin/ifconfig "$1" | grep "inet "| awk '{print $2}'
}

function getGateWay(){
    /sbin/route -n | grep -m 1 "^0\.0\.0\.0" | awk '{print $2}'
}

function getVPNGateWay(){
    /sbin/route -n | grep -m 1 "$VPN_ADDR" | awk '{print $2}'
}

function saveInterface() {
    # remember the interface of the current default route; start() and stop() need it later
    echo $(/sbin/route -n | grep -m 1 "^0\.0\.0\.0" | awk '{print $8}') > /tmp/interface.txt
}

function getInterface(){
    cat /tmp/interface.txt
}

GW_ADDR=$(getGateWay)

function start(){
    saveInterface
    ipsec up "$IPSEC_CONN"
    sleep 2    # delay to ensure that IPsec is started before overlaying L2TP

    systemctl start xl2tpd
    sleep 2
    /bin/echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
    sleep 2    # delay again to make sure that the PPP connection is up

    # keep the VPN server reachable via the old gateway, then send everything else through ppp0
    route add $VPN_ADDR gw $GW_ADDR $(getInterface)
    route add default gw $(getIP ppp0)
    route delete default gw $GW_ADDR
}

function stop(){
    ipsec down "$IPSEC_CONN"
    /bin/echo "d vpn-connection" > /var/run/xl2tpd/l2tp-control
    systemctl stop xl2tpd

    # restore the original default route
    VPN_GW=$(getVPNGateWay)
    route delete $VPN_ADDR gw $VPN_GW $(getInterface)
    route add default gw $VPN_GW
}

# only the two known actions are run; the argument is never executed as an arbitrary command
case "$1" in
    start|stop) "$1" ;;
    *) echo "Usage: (sudo) $0 {start|stop}"; exit 1 ;;
esac
exit 0