Cisco VPN server alternative

October 19, 2021October 19, 2021 / Konkretor / Leave a comment

You are tired from openvpn performance issues. You want to use more opensource software? You wan to replace your Cisco ASA but don’t want to give up annyconnect VPN client software?
You want a reliable VPN server for your business? I found a solution for your requirements.

OpenConnect VPN Server called OCSERV

https://ocserv.gitlab.io/www/

You can use the AnnyConnect client to dial in to OCSERV VPN server or openconnect VPN client.

On Debian/Ubuntu
apt install ocserv

You have installed the VPN Server but in Enterprise enviroments that is not enough for security. You want to use this for hundred or thousand of employees.

I want to show you my configuration of OCSERV and RADIUS integration with Privacyidea a two factor opensource solution.

If you want to use OCSERV with RADIUS please read this first

https://ocserv.gitlab.io/www/recipes-ocserv-authentication-radius-radcli.html

You have to compile radcli from source first without this you have no RADIUS functionality.

Look at https://github.com/radcli/radcli/releases for the latest version

How to compile
https://ocserv.gitlab.io/www/recipes-ocserv-radcli-installation.html

Fill the information for your radius server under

/etc/radcli/radiusclient.conf


nas-identifier fw01
authserver 10.10.10.50
acctserver 10.10.10.50
servers /etc/radcli/servers
dictionary /etc/radcli/dictionary
default_realm
radius_timeout 10
radius_retries 3
bindaddr *

cat /etc/radcli/servers

# Server Name or Client/Server pair            Key             
## ----------------                             ---------------
#
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
#
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#
#localhost/localhost                            testing123
#
10.10.110.60 yourradiussecrectkey

After you have compile radcli on the system you can choose to install ocserv from the distribution repository or to compile it from source. I have use the repository from the distribution.

add following to the

ocserv.conf

auth = “radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]”

Fixing some errors…

custom-header = “X-CSTP-Client-Bypass-Protocol: true”

Add your own certificate for your domain

server-cert =
server-key =

VPN Pool

ipv4-network = 10.10.100.128
ipv4-netmask = 255.255.255.128

Add route to network that you want to reach form the vpn server

route=

step by step Windows Server 2019 File Server clustering With powershell or GUI #Cluster #HA #Azure #WindowsAdminCenter #WindowsServer2019

October 7, 2021 / Konkretor / Leave a comment

Robert Smit MVP Blog

Next step is adding the File server Role to the Cluster and add the HA File Share.

In this case I have a fail over disk and I use the File Server for general use.

So when adding the Disk it is not showing the disk. This is The disk is added to the cluster but the disk isn’t formatted!

Keep in mind that formating the cluster disk while it is online is not possible. You need to set the disk in maintenance mode else the format will fail.

So after the disk format we will see the Disk appear and can be added to the File server

After this the File server is up and running. As you can see the setup is screen intense, building this with PowerShell is a lot faster.

Powershell

Next step is adding the file share.

go for the Quick setup

Pick the disk…

View original post 261 more words

Installing Linux into a 286 laptop from the year 1989

July 2, 2021 / Konkretor / Leave a comment

befinitiv

Ever wondered what useful things you could do with a 32 year old laptop? Well, this is one option:

In this project I added a Raspberry PI Zero to the insides of the laptop. Both are connected via a serial link and can exchange data via it. You could use this for several applications:

Using the 286 with a terminal emulator as an interface to the Linux of the Raspberry PI. This way you can do the typical Linux shell stuff on a retro machine. With this you are quite far up on the hipster level 🙂
Connecting the DOS on the 286 to the Internet
Transferring files to the DOS filesystem

Terminal emulator

On the 286 side you need to install MS-DOS Kermit: http://www.columbia.edu/kermit/mskermit.html

On the Raspberry side there is nothing to do. So this is really easy to setup.

Connecting DOS to the internet

The setup needed for…

View original post 86 more words

putty 0.75 crashes

May 17, 2021May 17, 2021 / Konkretor / Leave a comment

Say hello to this little bug

if you are using system colors with putty, disable it and you can work or use the latest snapshot version

More infos you can find here

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/use-system-colours-crash.html

nsx-t password expiration

April 26, 2021 / Konkretor / Leave a comment

VMware NSX-T has a preconfigured password expiration policy of 90 days.
Attention you lower your security standards if you never change your password.
Same procedure for nsx-t edge nodes the same.

clear user admin password-expiration
clear user root password-expiration
clear user audit password-expiration

I think it is better you change your password once a year

set user admin password-expiration 365
set user root password-expiration 365
set user audit password-expiration 365

Seafile with Office Online Server

April 14, 2021 / Konkretor / Leave a comment

You can use Office Online Server with Seafile. How to install OOS you can read it here.

https://docs.microsoft.com/en-us/officeonlineserver/deploy-office-online-server

Config File for Seafile

vim /opt/seafile/conf/seahub_settings.py


# Enable Office Online Server
ENABLE_OFFICE_WEB_APP = True

# Url of Office Online Server's discovery page
# The discovery page tells Seafile how to interact with Office Online Server when view file online
# You should change `http://example.office-web-app.com` to your actual Office Online Server server address
OFFICE_WEB_APP_BASE_URL = 'http://192.168.2.131/hosting/discovery'

# Expiration of WOPI access token
# WOPI access token is a string used by Seafile to determine the file's
# identity and permissions when use Office Online Server view it online
# And for security reason, this token should expire after a set time period
WOPI_ACCESS_TOKEN_EXPIRATION = 30 * 60

# List of file formats that you want to view through Office Online Server
# You can change this value according to your preferences
# And of course you should make sure your Office Online Server supports to preview
# the files with the specified extensions
OFFICE_WEB_APP_FILE_EXTENSION = ('ods', 'xls', 'xlsb', 'xlsm', 'xlsx',
    'ppsx', 'ppt','pptm', 'pptx', 'doc', 'docm', 'docx')

# Enable edit files through Office Online Server
ENABLE_OFFICE_WEB_APP_EDIT = True

# types of files should be editable through Office Online Server
# Note, Office Online Server 2016 is needed for editing docx
OFFICE_WEB_APP_EDIT_FILE_EXTENSION = ('xlsx', 'pptx', 'docx')

restart seahub service

found here
https://blog.csdn.net/weixin_43136674/article/details/103484972

Asus hyper m.2 x16 card v2 put it on a server

April 7, 2021 / Konkretor / Leave a comment

Here we go, I have to put these card on to my server with C620 chipset. I need fast local storage.
The card is not very expensive but i need 4×4 TB SSD on these server. So we started with a simple test. I bought 4x 16 GB Optane SSD for under 14 $ per piece. When it runs with this SSD so it will run also with the big ones.
That this runs we need a chipset that supports bifurcation with PCIe. With bifurcation you can split your 16x PCIe lane into 2×8, 4x4x4x4x or 8x4x4x. We need 4x4x4x4x every SSD needs 4x PCIe lanes. Would you read more about this topic look here https://blog.donbowman.ca/2017/10/06/pci-e-bifurcation-explained/

I have not really enough space. On this server there are also 4x 2080 TI graphics cards. It was very close that the card fit in it.

Next step was to configure the BIOS(UEFI) to talk correctly to this card. The automatic mode is not working. In automatic mode it detect only one SSD, the first one on the Asus card.

I used on the motherboard slot 10, this information is important to configured PE3 on CPU2 correct. We look in the manual of the motherboard to see which slot is connected with the CPU. Slot11 is not working there is not enough PCIe lanes only 4x. We need 16x to split into 4x4x4x4x
Let´s jump in to the BIOS.

On the BIOS follow the ~~rabbit~~ pictures.

We have to choose the right CPU. We use PE3 on CPU2

Change the IOU2 from Auto to 4x4x4x4, every SSD should runs with 4x PCIe lanes.

That was it.

Check under Linux with the command dmidecode -t 9

Ubuntu 20.04 mount cifs stale file handle

March 30, 2021 / Konkretor / Leave a comment

What a pain in the ass. If you use mount.cifs under Ubuntu 20.04 and now you have stale file handle to edit files and more.

We look in to the manpage from mount.cifs and there is a option to solve this issue.

noserverino Client generates inode numbers itself rather than using the actual ones from the server.
See section INODE NUMBERS for more information.

Ubuntu 18.04 LTS upgrade error to 20.04 LTS

February 26, 2021 / Konkretor / Leave a comment

Today I have startet some release upgrades for some Ubuntu 16.04 VM machines. Sometimes I am strungling with this error.

error processing archive /var/cache/apt/archives/lxd_1%3a0.9_all.deb (--unpack):

apt purge lxd lxd-client

Attention if you need snap you should reinstall it

Found here

https://askubuntu.com/questions/1280499/upgrade-from-18-04-lts-to-20-04-lts-fails

linux pcie show available slots

February 15, 2021 / Konkretor / Leave a comment

Today I had a request from our user for add a PCIe SSD card to a server. One option is you walk to this server and open it. This not the best option to check if it a PCIe slot available.
Another option is use your Linux commandline.

You need your server mainboard manual to see which slot is labeled.

You have only to check under current usage is in use or available.

Current Usage: Available

dmidecode -t 9
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.2.1 present.
# SMBIOS implementations newer than version 3.2.0 are not
# fully supported by this version of dmidecode.
 
Handle 0x000B, DMI type 9, 17 bytes
System Slot Information
        Designation: CPU1 SLOT2 PCI-E 3.0 X16
        Type: x16 PCI Express 3 x16
        Current Usage: In Use
        Length: Long
        ID: 2
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:18:00.0
 
Handle 0x000C, DMI type 9, 17 bytes
System Slot Information
        Designation: CPU1 SLOT4 PCI-E 3.0 X16
        Type: x16 PCI Express 3 x16
        Current Usage: In Use
        Length: Short
        ID: 4
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:3b:00.0
 
Handle 0x000D, DMI type 9, 17 bytes
System Slot Information
        Designation: CPU2 SLOT6 PCI-E 3.0 X16
        Type: x16 PCI Express 3 x16
        Current Usage: In Use
        Length: Short
        ID: 6
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:86:00.0
 
Handle 0x000E, DMI type 9, 17 bytes
System Slot Information
        Designation: CPU2 SLOT8 PCI-E 3.0 X16
        Type: x16 PCI Express 3 x16
        Current Usage: In Use
        Length: Short
        ID: 8
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:af:00.0
 
Handle 0x000F, DMI type 9, 17 bytes
System Slot Information
        Designation: CPU1 SLOT9 PCI-E 3.0 X16
        Type: x16 PCI Express 3 x16
        Current Usage: Available
        Length: Short
        ID: 9
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:ff:00.0
 
Handle 0x0010, DMI type 9, 17 bytes
System Slot Information
        Designation: CPU2 SLOT10 PCI-E 3.0 X16
        Type: x16 PCI Express 3 x16
        Current Usage: Available
        Length: Short
        ID: 10
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:ff:00.0
 
Handle 0x0011, DMI type 9, 17 bytes
System Slot Information
        Designation: CPU2 SLOT11 PCI-E 3.0 X4(IN X8)
        Type: x4 PCI Express 3 x8
        Current Usage: Available
        Length: Short
        ID: 11
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:ff:00.0
 
Handle 0x0012, DMI type 9, 17 bytes
System Slot Information
        Designation: M.2 CONNECTOR
        Type: x4 M.2 Socket 2
        Current Usage: In Use
        Length: Short
        Characteristics:
                3.3 V is provided
                Opening is shared
                PME signal is supported
        Bus Address: 0000:02:00.0

Konkretor Blog, IT Stuff and more

linux, windows, ubuntu, aws, vmware