I’ve been issuing a lot of X.509 certificates and OpenVPN user configurations lately, and I came across something that reduces the complexity quite a bit: OpenVPN configuration files can now include data inline. So rather than generating and distributing the following for each user:
- a configuration file
- a chain of CA certs
- a client certificate
- a client key
- a TLS HMAC authentication key file (tls-auth)
- the OpenVPN client
one may distribute to users just the following:
- a configuration file with data inline
- the OpenVPN client
Both this packaging step and the creation of new users and certificates are automated by the fine people who develop OpenVPN itself, in the OpenVPN Access Server (AS) management software. If you are unable to use that product, it is good to know that the manual process is at least much less complicated these days.
One thing to keep in mind is that not all platforms support every OpenVPN configuration file option. The ones that have been giving me trouble are dev and dev-type. If your configuration file (.ovpn or .conf) is intended for use with Tunnelblick on OSX, set dev to either tun or tap, and do not use the dev-type option at all: the tuntap code on OSX does not accept arbitrary device names; the device names must be assigned by the kernel.
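The assembly step described above, as an added example that is not from the original post or from the OpenVPN project: a small POSIX shell script that folds the CA chain, client certificate, client key and tls-auth key into one .ovpn using the inline <ca>, <cert>, <key> and <tls-auth> blocks (with key-direction replacing the direction argument of tls-auth), and then lints the result for the Tunnelblick constraint (dev must be exactly tun or tap, no dev-type). The host name vpn.example.org, port 1194, the choice of client options, and the PEM material the script writes are constructed placeholders; real deployments feed in the files their CA produced.

```shell
#!/bin/sh
# Added example (not the post's or OpenVPN's own code): build an OpenVPN client
# profile with all key material inline, then check it against the Tunnelblick
# constraint (dev tun|tap, no dev-type). vpn.example.org and the PEM bodies
# below are constructed placeholders.

set -eu

# Write constructed placeholder material into DIR so the example runs offline.
make_sample_material() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-CHAIN' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT-CERT' '-----END CERTIFICATE-----' > "$dir/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-CLIENT-KEY' '-----END PRIVATE KEY-----' > "$dir/client.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA-KEY' '-----END OpenVPN Static key V1-----' > "$dir/ta.key"
}

# build_inline_ovpn REMOTE CA CERT KEY TA OUT
# Emits one .ovpn that carries every piece of material as an inline block.
build_inline_ovpn() {
    remote=$1; ca=$2; cert=$3; key=$4; ta=$5; out=$6
    # The profile now contains the private key, so create it owner-readable only.
    (
        umask 077
        {
            printf 'client\n'
            printf 'dev tun\n'                 # tun or tap, never a custom name (Tunnelblick)
            printf 'proto udp\n'
            printf 'remote %s 1194\n' "$remote"
            printf 'resolv-retry infinite\n'
            printf 'nobind\n'
            printf 'persist-key\n'
            printf 'persist-tun\n'
            printf 'remote-cert-tls server\n'  # reject a client cert presented as the server
            printf 'key-direction 1\n'         # replaces the "1" in "tls-auth ta.key 1"
            printf 'verb 3\n'
            for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-auth:$ta"; do
                tag=${pair%%:*}; file=${pair#*:}
                printf '<%s>\n' "$tag"
                cat "$file"
                printf '</%s>\n' "$tag"
            done
        } > "$out"
    )
}

# check_tunnelblick_compat FILE: 0 when dev is exactly tun or tap and dev-type is absent.
check_tunnelblick_compat() {
    file=$1
    if grep -Eq '^[[:space:]]*dev-type([[:space:]]|$)' "$file"; then
        echo "$file: dev-type is not supported by the OSX tuntap driver" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*dev[[:space:]]+(tun|tap)[[:space:]]*$' "$file"; then
        echo "$file: dev must be exactly tun or tap" >&2
        return 1
    fi
    return 0
}

# Number of inline blocks present, so a distributor can confirm nothing was left out.
count_inline_blocks() {
    grep -Ec '^<(ca|cert|key|tls-auth)>$' "$1"
}

# Demo run against the constructed material.
work=$(mktemp -d)
make_sample_material "$work"
build_inline_ovpn vpn.example.org "$work/ca.crt" "$work/client.crt" "$work/client.key" "$work/ta.key" "$work/client.ovpn"
check_tunnelblick_compat "$work/client.ovpn" && echo "client.ovpn: $(count_inline_blocks "$work/client.ovpn") inline blocks, Tunnelblick-compatible"
```

Because the finished profile contains the client's private key, it should be handled like the key itself: the script creates it with mode 0600, and it should travel to the user over an authenticated channel rather than plain e-mail.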
Posted in CentOS, debian, Free Software, linux, Networking, OpenVPN, OSX, security, Software, tls, tuntap, ubuntu, Windows, work, x509
cjac@foxtrot:/usr/src/deb/strongswan-5.1.0$ ping6 -c 5 google.com | tail -3
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 65.235/74.957/103.039/14.122 ms
go go gadget ipsec
And make you all some treats? For Christmas? Or another holiday of your choosing? Such as Solstice or something?
Also: happy very Solstice.
So back when I was working for MySQL AB as support manager for MaxDB, I created an IRC bot to help manage the #maxdb channel on Freenode. We didn’t get a lot of traffic, and Daniel De Graaf mentioned that he could use a bot to help manage some iptables factoids over on #netfilter. So I had her join. He taught her all sorts of interesting things. She stored these factoids in a MySQL database. I have just migrated from MySQL to MariaDB which I compiled from source. Here are the packages:
cjac@mariadb:~$ mysql -u root -p
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5322
Server version: 5.5.32-MariaDB-1-log (Debian)
Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use maxine;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
15:22 < cj> maxine: iptables?
15:22 < maxine> hmmm... iptables is a generic table structure for the
definition of rulesets. Each rule within a chain consists of a
number of classifiers (iptables matches) and one optional
connected action (iptables target).
Posted in colliertech, Databases, debian, Free Software, freenode, irc, linux, MariaDB, mysql, nsa, open source, SELinux
I am a Millipede I am amazing
I command you to gaze upon my face
You’ll never find someone charming as I am
I’m the swankiest bug out in space
I’m a star I’m a god I’m a thing to behold
There is none as resplendent as I
With my sleek little legs and my three hundred eggs
of my majesty none can deny
Because I am the millipede I am mysterious
When I vanish I never leave a trace
You will not find a bug with such illusions
I’m a creature of fathomless grace
Millipede meets allure
Millipede meets couture
Millipede meets grandeur
Millipede meets saviour
Millipede meets mature
Millipede meets so pure
Millipede meets the cure for all lesser breeds
I am a millipede I am the champion
no one else in the universe keeps pace
You’ll never find someone quite so enchanting
While I’m here there’s just no second place
I’m an idol a King I’m an object of awe
There is none quite so gleaming as I
I’ve got glamour to spare
You are right when you stare
I’m the who, what, when, where, and the why
I am a millipede I am astounding
wisdom flows from my personage like lace
You’ll never find someone darling as I am
I’m the swankiest
Certainly best dressed
Bug out in space!
And now I have them all. Maybe I can reduce the load on my wan pipe by setting up a mirror for the island.
Posted in bittorrent, C.J. Insider, colliertech, debian, Free Software, government, gtk+, gtk+ 3.0, gtkglarea, gtkglarea-sharp, linux, mono, network saturation, Networking, opengl, perl, quake3, rate limiting, storage, Unix, washington, wheezy, winter
Creating var directory '/usr/src/git/debian/pkg-mariadb/builddir/mysql-test/var'...
Checking supported features...
MariaDB Version 5.5.32-MariaDB-1
Installing system database...
- SSL connections supported
Using server port 42388
TEST RESULT TIME (ms) or COMMENT
worker Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
oqgraph.basic [ skipped ] No OQGraph
oqgraph.binlog [ skipped ] No OQGraph
sphinx.sphinx [ skipped ] No Sphinx
archive.archive-big [ skipped ] Test needs --big-test
binlog.binlog_multi_engine [ skipped ] ndbcluster disabled
binlog.binlog_spurious_ddl_errors [ disabled ] BUG#11761680 2013-01-18 astha Fixed on mysql-5.6 and trunk
binlog.binlog_truncate_innodb [ disabled ] BUG#11764459 2010-10-20 anitha Originally disabled due to BUG#42643. Product bug fixed, but test changes needed
federated.federated_server [ skipped ] Test needs --big-test
Posted in autotools, C.J. Insider, colliertech, Databases, debian, Free Software, MariaDB, microsoft, perl, security, Software, tls, wheezy, winter, x509
But it looks like we’ve recovered from that outage. Finally.
I’m now working through our LLC on contract with a hosting company based out of California. I think it’s going well so far. I certainly enjoy working with the networking team. I’m learning more about network operations by the day and I’ve got the opportunity to use some pretty amazing equipment, too.
So, I’m taking vacation this week and next. Here’s a (partial) list of tasks that are left to do:
- Visit BC for NANOG 55
- Work with Threshold Communications to verify interop is working as well as it seems to be
- Make sure the UTC has acknowledged receipt of our 2012 filing
- Complete move of storage from old chassis to new-ish hot-ish-ness
- Bring one of these chassis online to handle VoIP for the wireless L2 segment
- Bring a 1600 online at our Bartel POP
- Take the disk image created for the above and duplicate it 3x for California-based 44Net nodes
- Bring the VMs whose storage was being provisioned via iSCSI back online
- Get the ATA and DSLAM online and hook up the customers who are demanding service.
- Call CenturyLink and explain to them that I WILL report them to the consumer protection department of the Utilities and Transportation Commission if they do not take action to correct their failure in regard to contract negotiation and accounting.
That’s probably enough, if not too much. Here’s some of the bits I’ve done this week:
- Re-establish IPv6 connectivity for many of my hosts
- Twiddled quite a few bits on the BIG-IPs
- Set up a home brew provisioning server for some 1120E hardware SIP phones I’ve got lying around (DHCP + TFTP + a bunch of twiddly firmware bits and config files – ping me if you want them)
- Did a lot of updates to the DNS infrastructure. We have slave DNS servers in all of our DCs now
- Hung out on IRC a lot
- Started accepting IPv4 HTTP requests for web.colliertech.org in Bothell instead of Tukwila
- Put together some perl & php for the WA NGB to help with their online recruiter finder
- Reduced size of SAN base OS (squeeze) to something that fits on a CF
- Moved disks from old SAN chassis to the new one.
- Booting from CF now instead of first partition of first disk in array
- Discovered small (~3k bytes) disk error on one of the RAID members
- Made complete backup of entire array using dd
- Replaced failing disk and began recovery, with great thanks to the linux-raid list
md0 : active raid5 sdg2 sdc2 sdb2 sdd2 sdf2 sde2
4864240640 blocks level 5, 64k chunk, algorithm 2 [6/5] [UUUUU_]
[=========>...........] recovery = 46.9% (456668928/972848128) finish=1461.9min speed=5884K/sec
- Brought up 802.11g AP for wireless VoIP service
- Configured asterisk to accept 24 SIP lines from GrandStream ATA
- Brought GrandStream ATA online. Currently sending SIP/RTP calls over OpenVPN tunnel to avoid NAT issues. This will be corrected when the new asterisk server is brought online. I’ll have it connect to the core with IAX, and it will be on the same physical L2 as the GrandStream and 1120Es
- Recovered RAID-1 array on laptop
- Made sure KE7KMO is still functioning
And probably some other stuff ;-)
Posted in abuse, ajax, asterisk, C.J. Insider, colliertech, debian, dns, F5, feds, Free Software, freenode, government, Hardware, irc, kvm, libvirt, linux, military, Networking, performance, perl, quagga, Software, storage, Telephony, virtualization, washington, wireless, xen