Proxmox – installs with enterprise repo for no-subscription installations causing openvswitch-switch issues

If you’re also running into trouble with openvswitch-switch and really have no clue why it is not running as it should, you might have a mismatch between a default no-subscription installation (that is how it comes out of the box) and the default repository, which is configured to work only with the subscription/enterprise version.

Unless you have a subscription key you will never get any updates for the PVE system itself – so before changing the network configuration to work with openvswitch-switch, change your repo in /etc/apt/sources.list.d/pve-enterprise.list as follows:

#deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription

Update the package lists (apt update) and upgrade (apt upgrade) – you will get updates for openvswitch-switch!

Multi-Gateway change script for pfSense

Since pfSense does not reroute the router's own traffic (such as DNS, VPN, …) but only incoming traffic when a gateway goes down and another one is configured in the same gateway group, I have written the following script that you can use in a cron job. It changes the IPv4 default route for basically all traffic not specifically handled by firewall rules, including the internal services.

  • MOBILE1 needs to be set to your second gateway, in my case a mobile LTE device
  • MOBILE2 and MOBILE3 need to be set to rarely used IPs, so that the LTE traffic going there stays small
  • MOBILE2 and MOBILE3 always need to be statically routed via LTE, so their reachability through that gateway can be checked
  • WAN1 needs to be set to your main gateway, in my case a FritzBox
  • WAN2 and WAN3 need to be set to sites you usually want to reach, but where it is not so bad if they are unreachable during a downtime of the WAN gateway
  • WAN2 and WAN3 always need to be statically routed via WAN, so their reachability through that gateway can be checked

The script will log changes and send mails to the email address configured in pfSense.

#!/usr/local/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin

ROUTE=/sbin/route
LOG=/root/switched.txt

# Destinations that are almost never needed (to limit the traffic via MOBILE) and should go out via MOBILE; they must be routed via MOBILE!
# The router itself
MOBILE1=192.168.166.1
# www.t-online.de
MOBILE2=217.6.164.162
# www.lrz.de
MOBILE3=129.187.255.234

# Normal IPs, must be routed via WAN!
# The router itself
WAN1=192.168.178.1
# www.berlin.de
WAN2=212.45.111.17
# www.hamburg.de
WAN3=212.1.41.12

TRIES=3
SLEEP=0

WAN_SUCCESS=0
MOBILE_SUCCESS=0

# Minimum number of successful pings; the router itself does not count, so 2 of the 3 IPs per try
let MIN_TIMES=$TRIES*2

if [ $(netstat -nr4 | grep default | grep $WAN1 | wc -l) -eq 1 ]
then
  ON_WAN=1
  ON_MOBILE=0
else
  ON_WAN=0
  ON_MOBILE=1
fi

for try in $(seq 1 $TRIES)
do
  for ip in $WAN1 $WAN2 $WAN3;
  do
    ping -t 2 -c 1 $ip 2>/dev/null >/dev/null && let WAN_SUCCESS=$WAN_SUCCESS+1
    sleep $SLEEP
  done
done
echo "3 WAN IPs reachable $WAN_SUCCESS times in $TRIES runs, minimum is $MIN_TIMES."

if [ $WAN_SUCCESS -ge $MIN_TIMES ] && [ $ON_WAN -eq 1 ]
then
  echo "Enough WAN results and on WAN, nothing to do, exiting!"
  exit
elif [ $WAN_SUCCESS -ge $MIN_TIMES ] && [ $ON_MOBILE -eq 1 ]
then
  echo "Enough WAN results but on MOBILE, change back to WAN"
  echo -n "Switching to WAN at " >> $LOG
  date >> $LOG
  echo "" | /usr/local/bin/mail.php -s"Switching to WAN"

  $ROUTE del default && $ROUTE add default $WAN1
  exit
fi

# Not enough WAN results, continue with MOBILE checks/actions

for try in $(seq 1 $TRIES)
do
  for ip in $MOBILE1 $MOBILE2 $MOBILE3;
  do
    ping -t 2 -c 1 $ip 2>/dev/null >/dev/null && let MOBILE_SUCCESS=$MOBILE_SUCCESS+1
    sleep $SLEEP
  done
done
echo "3 MOBILE IPs reachable $MOBILE_SUCCESS times in $TRIES runs, minimum is $MIN_TIMES."

if [ $MOBILE_SUCCESS -ge $MIN_TIMES ] && [ $ON_MOBILE -eq 1 ]
then
  echo "Enough MOBILE results and on MOBILE, nothing to do, exiting!"
  exit
elif [ $MOBILE_SUCCESS -ge $MIN_TIMES ] && [ $ON_WAN -eq 1 ]
then
  echo "Enough MOBILE results but on WAN, change to MOBILE"
  echo -n "Switching to MOBILE at " >> $LOG
  date >> $LOG
  echo "" | /usr/local/bin/mail.php -s"Switching to MOBILE"

  $ROUTE del default && $ROUTE add default $MOBILE1
  exit
fi

Bulk import DHCPD data into pfSense

Similar to my previous post, if you are trying to bulk import your current DHCPD data into pfSense, the built-in pfSense shell comes in handy.

Here we start from the current ISC DHCPD configuration file, /etc/dhcp/dhcpd.conf, which has entries like this:

host pi31 { hardware ethernet AA:BB:CC:DD:EE:FF; fixed-address pi31; }
host pi32 { hardware ethernet DD:EE:FF:AA:BB:CC; fixed-address pi32; }
host MobilePhone { hardware ethernet CC:DD:AA:BB:EE:FF; fixed-address mobilephone; }

Then run the following script – modify it to your needs – which will print out the commands for the pfSense shell. Since my DHCPD configuration relies on existing DNS entries and uses hostnames as “fixed-address” values, I need to resolve them with a dig command. If your file always uses IP addresses, just parse them out:

# needs bash (let); adjust mydomain.com to your DNS zone
echo "global \$config;"
echo "parse_config(true);"

index=0
grep '^host' /etc/dhcp/dhcpd.conf | while read line
do
  # line layout: host NAME { hardware ethernet MAC; fixed-address NAME; }
  hostname=$(echo $line | cut -d ' ' -f 2)
  mac=$(echo $line | cut -d '{' -f 2 | cut -d ' ' -f 4 | cut -d';' -f 1)
  # fixed-address holds a hostname here, so resolve it via DNS
  ip=$(dig +short $hostname.mydomain.com)

  if test -n "$ip"
  then
    echo "\$config['dhcpd']['lan']['staticmap']['$index']['mac']=\"$mac\";"
    echo "\$config['dhcpd']['lan']['staticmap']['$index']['cid']=\"$hostname\";"
    echo "\$config['dhcpd']['lan']['staticmap']['$index']['ipaddr']=\"$ip\";"
    echo "\$config['dhcpd']['lan']['staticmap']['$index']['hostname']=\"$hostname\";"
    echo "\$config['dhcpd']['lan']['staticmap']['$index']['descr']=\"Automatically migrated\";"
    # only emitted entries consume an index, so the staticmap indices stay contiguous
    let index=$index+1
  else
    # echo "NO IP KNOWN FOR $hostname" >&2
    :
  fi
done
echo "write_config();"
echo "exec"

This will generate the following output, ready to paste into the pfSense shell:

global $config;
parse_config(true);
$config['dhcpd']['lan']['staticmap']['0']['mac']="AA:BB:CC:DD:EE:FF";
$config['dhcpd']['lan']['staticmap']['0']['cid']="pi31";
$config['dhcpd']['lan']['staticmap']['0']['ipaddr']="192.168.1.1";
$config['dhcpd']['lan']['staticmap']['0']['hostname']="pi31";
$config['dhcpd']['lan']['staticmap']['0']['descr']="Automatically migrated";
$config['dhcpd']['lan']['staticmap']['1']['mac']="DD:EE:FF:AA:BB:CC";
$config['dhcpd']['lan']['staticmap']['1']['cid']="pi32";
$config['dhcpd']['lan']['staticmap']['1']['ipaddr']="192.168.1.2";
$config['dhcpd']['lan']['staticmap']['1']['hostname']="pi32";
$config['dhcpd']['lan']['staticmap']['1']['descr']="Automatically migrated";
$config['dhcpd']['lan']['staticmap']['2']['mac']="CC:DD:AA:BB:EE:FF";
$config['dhcpd']['lan']['staticmap']['2']['cid']="MobilePhone";
$config['dhcpd']['lan']['staticmap']['2']['ipaddr']="192.168.1.3";
$config['dhcpd']['lan']['staticmap']['2']['hostname']="MobilePhone";
$config['dhcpd']['lan']['staticmap']['2']['descr']="Automatically migrated";
write_config();
exec

Please keep in mind that the index starts at 0, which is only valid for an empty static mapping list in your pfSense DHCPD configuration. For each already existing entry you have to add 1 to the starting index of 0.

Bulk import DNS data into pfSense

If you are trying to bulk import your current DNS data into pfSense, the built-in pfSense shell comes in handy.

First, get your current data into a file with 2 columns like this:

name.domain.com.  192.168.1.1
name2.domain2.com. 192.168.2.1
name3.domain2.de. 192.168.2.2

Then run the following script – modify it to your needs – which will print out the commands for the pfSense shell:

# needs bash (let); alldns.txt holds the two columns "fqdn. ip" shown above
echo "global \$config;"
echo "parse_config(true);"

index=0
while read name ip
do
  # first label is the host, the rest (minus the trailing dot) is the domain
  hostname=$(echo $name | cut -d '.' -f 1)
  domain=$(echo $name | cut -d '.' -f 2- | sed -e 's/\.$//')

  echo "\$config['unbound']['hosts']['$index']['host']=\"$hostname\";"
  echo "\$config['unbound']['hosts']['$index']['domain']=\"$domain\";"
  echo "\$config['unbound']['hosts']['$index']['ip']=\"$ip\";"
  echo "\$config['unbound']['hosts']['$index']['descr']=\"Automatically migrated\";"

  let index=$index+1
done < alldns.txt
echo "write_config();"
echo "exec"

This will generate the following output, ready to paste into the pfSense shell:

global $config;
parse_config(true);
$config['unbound']['hosts']['0']['host']="name";
$config['unbound']['hosts']['0']['domain']="domain.com";
$config['unbound']['hosts']['0']['ip']="192.168.1.1";
$config['unbound']['hosts']['0']['descr']="Automatically migrated";
$config['unbound']['hosts']['1']['host']="name2";
$config['unbound']['hosts']['1']['domain']="domain2.com";
$config['unbound']['hosts']['1']['ip']="192.168.2.1";
$config['unbound']['hosts']['1']['descr']="Automatically migrated";
$config['unbound']['hosts']['2']['host']="name3";
$config['unbound']['hosts']['2']['domain']="domain2.de";
$config['unbound']['hosts']['2']['ip']="192.168.2.2";
$config['unbound']['hosts']['2']['descr']="Automatically migrated";
write_config();
exec

Please keep in mind that the index starts at 0, which is only valid for an empty host override list in your pfSense Unbound/DNS configuration. For each already existing entry you have to add 1 to the starting index of 0.
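A Python equivalent of the two generators above (the DHCPD import and this DNS import), added here as an example and not part of the original posts: it validates every value before it is placed inside the PHP string literals the pfSense shell executes, and takes a start index for lists that already contain entries. It assumes the fixed-address values are already IPs (the dig lookup from the DHCPD post would go where the address is read); the sample input is constructed.

```python
import re
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")  # one DNS label
HOST_RE = re.compile(r"^host\s+(\S+)\s*\{([^}]*)\}", re.M)

# Constructed sample input (not real hosts): the page's one-line dhcpd.conf host
# layout, here with IP fixed-addresses, and its two-column DNS list.
DHCPD_CONF = """\
host pi31 { hardware ethernet AA:BB:CC:DD:EE:FF; fixed-address 192.168.1.1; }
host bad"one { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.9; }
host MobilePhone { hardware ethernet cc:dd:aa:bb:ee:ff; fixed-address 192.168.1.3; }
"""
DNS_LIST = "name.domain.com.  192.168.1.1\nname3.domain2.de. 192.168.2.2\n"

def php_assign(path, index, fields):
    # One PHP assignment per field below $config[...path][index], as on the page.
    prefix = "$config" + "".join("['%s']" % p for p in path) + "['%d']" % index
    return ["%s['%s']=\"%s\";" % (prefix, k, v) for k, v in fields]

def dhcp_staticmaps(conf, start=0, iface="lan"):
    # Entries whose name, MAC or address fail validation are skipped: the values
    # land unescaped inside PHP string literals that the pfSense shell executes.
    out, index = [], start
    for name, body in HOST_RE.findall(conf):
        mac = (re.findall(r"hardware\s+ethernet\s+([^;\s]+)\s*;", body) or [""])[0]
        addr = (re.findall(r"fixed-address\s+([^;\s]+)\s*;", body) or [""])[0]
        if not (LABEL_RE.match(name) and MAC_RE.match(mac) and IPV4_RE.match(addr)):
            continue
        out += php_assign(["dhcpd", iface, "staticmap"], index, [
            ("mac", mac.upper()), ("cid", name), ("ipaddr", addr),
            ("hostname", name), ("descr", "Automatically migrated")])
        index += 1  # only emitted entries consume an index, so there are no gaps
    return out

def unbound_hosts(listing, start=0):
    # "fqdn. ip" lines -> host override entries; host is the first label.
    out, index = [], start
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        host, _, domain = parts[0].rstrip(".").partition(".")
        labels_ok = all(LABEL_RE.match(l) for l in [host] + domain.split("."))
        if not (labels_ok and IPV4_RE.match(parts[1])):
            continue
        out += php_assign(["unbound", "hosts"], index, [("host", host),
            ("domain", domain), ("ip", parts[1]), ("descr", "Automatically migrated")])
        index += 1
    return out
```

Wrap the returned lines in the same `global $config;` / `parse_config(true);` prologue and `write_config();` / `exec` epilogue the scripts above print, and pass the number of existing entries as `start`.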

Sixxs Heartbeat Tunnel without Aiccu but Python (pfSense compatible)

For systems that do not provide Sixxs’ aiccu package to set up a GIF tunnel automatically, you can easily start the tunnel (not set up the routing 🙂) by executing the following script once per minute via cron:

#!/usr/local/bin/python2.7

import time, hashlib, subprocess, socket, os

# Tunnel parameters from your SixXS tunnel details
localv6 = "2001:3880:fe20:121::2"
password = "abcdef1234567890abcdef123456"
remotev4 = "98.76.54.123"
remotev6 = "2001:3880:fe20:121::1"

# Heartbeat text: our IPv6 tunnel endpoint, "sender" (the PoP takes our IPv4
# from the datagram's source address) and the current Unix time
hbBase = "HEARTBEAT TUNNEL " + localv6 + " sender " + str(int(time.time()))
# Authenticate it with an MD5 over the text plus the shared tunnel password
hbToSend = hbBase + " " + hashlib.md5(hbBase + " " + password).hexdigest()
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(hbToSend, (remotev4, 3740))  # heartbeat UDP port
sock.close()
# Ping the remote tunnel endpoint so the GIF interface sees traffic
with open(os.devnull, "w") as fnull:
  subprocess.call(["/sbin/ping6", "-s", "8", "-c", "1", remotev6], stdout=fnull, stderr=fnull)

This solution was first posted here:

UBNT – Sixxs Tunnel
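To show what the datagram the script sends actually protects, here is a Python 3 rendering of both sides, added here as an example and not part of the original post or of SixXS's software: build_heartbeat produces the same text the script does, and verify_heartbeat is an illustrative receiver check (the PoP's real logic is not on the page) that rejects a wrong password, a wrong endpoint and a timestamp outside an assumed 120-second window.

```python
import hashlib, hmac, time

# Constructed values, not a live tunnel: the page's placeholder endpoint and password.
LOCALV6 = "2001:3880:fe20:121::2"
PASSWORD = "abcdef1234567890abcdef123456"
WINDOW = 120  # seconds of clock skew a receiver tolerates (assumed value)

def build_heartbeat(localv6, password, now=None):
    # Datagram as the page's script builds it: the text fields, then an MD5
    # over the same text plus the shared password (keyed hash, not a signature).
    ts = int(time.time() if now is None else now)
    base = "HEARTBEAT TUNNEL %s sender %d" % (localv6, ts)
    digest = hashlib.md5(("%s %s" % (base, password)).encode()).hexdigest()
    return "%s %s" % (base, digest)

def verify_heartbeat(msg, expected_v6, password, now=None, window=WINDOW):
    # Receiver-side check (illustrative; the PoP's own logic is not on the page):
    # fixed layout, expected endpoint, fresh timestamp, recomputed MD5 matches.
    parts = msg.split(" ")
    if len(parts) != 6 or parts[:2] != ["HEARTBEAT", "TUNNEL"] or parts[3] != "sender":
        return False
    if parts[2] != expected_v6 or not parts[4].isdigit():
        return False
    ts = int(parts[4])
    if abs(int(time.time() if now is None else now) - ts) > window:
        return False  # stale or future-dated: a captured datagram is not accepted later
    expect = hashlib.md5(("%s %s" % (" ".join(parts[:5]), password)).encode()).hexdigest()
    return hmac.compare_digest(expect, parts[5])
```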

Output JSON-Code in readable and sorted form so it’s diffable

This code reads a JSON file and prints it again in readable form with the keys in sorted order, making two files diffable!

Usage: jsonsort.py file.json

#!/usr/bin/env python

import json
import sys

if len(sys.argv) != 2:
  sys.exit("Usage: %s file.json" % sys.argv[0])

with open(sys.argv[1], 'r') as f:
  read_data = f.read()

# sort_keys gives a stable key order, indent/separators a fixed layout,
# so two dumps of equivalent JSON can be compared line by line
print(json.dumps(json.loads(read_data), sort_keys=True, indent=4, separators=(',', ': ')))

OpenVPN complains about wrong user/password without you requesting one?

If your OpenVPN client is complaining about a wrong user/password combination (AUTH_FAILED), although you are not requesting one on your server, the cause might be something completely different.

After migrating to a new operating system but taking OpenVPN’s configuration with me, I was running into this problem. All clients were complaining about wrong username and password.

The reason is simple:

openvpn_client-connect.sh: line 3: mail: command not found
Wed May 25 23:16:22 2016 CertName/192.168.1.12:54211 WARNING: Failed running command (--client-connect): could not execute external program
Wed May 25 23:16:25 2016 CertName/192.168.1.12:54211 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 25 23:16:25 2016 CertName/192.168.1.12:54211 Delayed exit in 5 seconds
Wed May 25 23:16:25 2016 CertName/192.168.1.12:54211 SENT CONTROL [CertName]: 'AUTH_FAILED' (status=1)

I configured OpenVPN to send an email on connect and disconnect of a client. The script uses the mail command, which Xenial does not install by default. This leads to a client-connect script error, which in turn makes OpenVPN respond with AUTH_FAILED, which in turn produces the “Wrong username/password” error message on the clients.

Solution: Make the client-connect script work again 😀

Epic fail: Where does our interior minister live? In Germany too?

Quote from Spiegel:

Maaßen warns of IS attacks: “German cities are named”

The “Islamic State” (IS) has spread fear and terror in Europe too with its attacks. Now the president of the Federal Office for the Protection of the Constitution, Hans-Georg Maaßen, admits that his agency initially misjudged the terrorist militia. At first it was considered unlikely that IS would use the flow of refugees to bring supporters to Germany, Maaßen told the “Welt am Sonntag”. “We thought the risk was simply far too high. By now we know: when it comes to IS, we too have to keep learning.”

What the sparrows are whistling from the rooftops, our top constitutional protector apparently did not notice… why, once again, do we need even more data about citizens when we cannot even see the obvious?

EPIC FAIL, Mr. Minister!

Installing a Vagrant BaseBox of CentOS

  • Install a minimal system of CentOS in VirtualBox
  • Activate networking on boot by enabling eth0 in its interface configuration file:
    ...
    ONBOOT=yes
    ...
  • Add a vagrant user and assign the password vagrant to it
  • Give sudo rights to that user by adding vagrant ALL=(ALL) NOPASSWD: ALL with visudo
  • Disable the TTY requirement by commenting out the following settings with visudo:
    #Defaults    requiretty
    #Defaults   !visiblepw
  • Add insecure Vagrant public key from https://github.com/mitchellh/vagrant/blob/master/keys/vagrant.pub to vagrant’s authorized_keys
  • Add the development tools for building the Guest Additions with
    yum --disablerepo=\* --enablerepo=c6-media install kernel-devel gcc make dkms perl

    The repo options are useful if you want to install from local installation media (ISOs) instead of fetching all from the net.

  • Install the Guest Additions with
    ./VBoxLinuxAdditions.run --nox11
  • Halt the machine
  • Remove all hardware that is not necessary from the base machine or else it will be available on the machines set up with Vagrant later!
  • Package Box with
    vagrant package --base Name-Of-Machine-In-VirtualBox

Done!

Should Vagrant be unable to connect to your boxes derived from that base box, you might have a problem with SELinux, see here how this can be fixed!

SSH doesn’t allow logins with keys? SELinux!

If you have correctly set up your authorized_keys and are sure it should allow you to log in with keys, then maybe SELinux is giving you a hard time, especially if your user's home directory is not under the normal /home folder. After you set “LogLevel DEBUG” in /etc/ssh/sshd_config, your /var/log/{auth,secure} files will show that sshd is not allowed to open authorized_keys and/or authorized_keys2.

In that case, try to set the correct settings again:

chcon -t ssh_home_t ~PROBLEMATIC_USER/.ssh/
chcon -t ssh_home_t ~PROBLEMATIC_USER/.ssh/authorized_keys

Now everything will work again. Keep in mind that chcon labels the files directly, so the change is lost on a relabel (restorecon or a full relabel); for a home directory outside /home, registering the path with semanage fcontext and then running restorecon makes the label persistent.