Ubiquiti EdgeMAX routers

EdgeMAX – L2TP Server

How to configure the EdgeRouter to act as an L2TP (Layer-2 Tunnel Protocol) server for remote access.

Note: These instructions assume that eth0 is your WAN (Internet) connection. Early in the configuration, one command is used if your Internet service provider assigns your address by DHCP and a different one if you have a static IP address; enter only the one that applies to you.

Steps


Access the router’s command line interface. You can do this using the CLI button while inside the Web UI or by using an SSH program such as PuTTY. PuTTY is generally quicker, as it allows easy copying and pasting (copy in Windows, paste using the right mouse button).

Note: Commands that start with a pound (#) are explanatory comments that you do not need to enter.

The steps follow below:

#Enter configuration mode.

configure

#Define the interface ipsec will use for internet connections (eth0 in this example).

set vpn ipsec ipsec-interfaces interface eth0

#Enable NAT traversal (this is mandatory).

set vpn ipsec nat-traversal enable

#Set the networks from which NAT-traversed clients may connect (0.0.0.0/0 allows any).

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

# Make sure that IPSec offload is enabled.

set system offload ipsec enable

#Show the ipsec configuration.

show vpn ipsec

# DHCP ONLY: If you obtain your IP address from your Internet service provider via DHCP, use this
# command:

set vpn l2tp remote-access dhcp-interface eth0

# STATIC IP ONLY: If you have a static IP address and do NOT obtain your IP address from your
# Internet service provider via DHCP, then use this command instead of the one above:

set vpn l2tp remote-access outside-address STATICIP

# Replace "STATICIP" in the command above with your actual static IP address!

#Set up the pool of IP addresses that remote VPN connections will be assigned.

# In this case we make 10 addresses available (from .101 to .110) on subnet 192.168.100.0/24.

# You can also issue IP addresses from your own LAN subnet, but make sure that

# they do not overlap with IP addresses issued by your DHCP server or used by

# other devices on your network.

set vpn l2tp remote-access client-ip-pool start 192.168.100.101
set vpn l2tp remote-access client-ip-pool stop 192.168.100.110

#Set the IPsec authentication mode to pre-shared secret.

set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret

#Set the pre-shared secret (replace "secret phrase" with your desired passphrase).

#Every client shares this one secret, and it is stored in clear text in the router
#configuration, so use a long random value rather than a dictionary phrase.

set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret "secret phrase"

#Set the L2TP remote access authentication mode to local.

set vpn l2tp remote-access authentication mode local

#Set the L2TP remote access username and password.

#Replace testuser with your desired username and testpassword with your desired password.

#Repeat this line as needed. Like the pre-shared secret, these passwords are kept in
#clear text in the configuration, so treat configuration backups as secrets.

set vpn l2tp remote-access authentication local-users username testuser password testpassword

#Set the MTU

set vpn l2tp remote-access mtu 1492

#Set DNS Servers:

set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4

#Commit the change.

commit

#Show the l2tp remote access configuration.

show vpn l2tp remote-access

#Save the settings

save

#Open the required ports using the Web UI.

#Access the Web UI. Click on the "Security" tab. Find the "WAN_LOCAL" ruleset (or whatever you called the ruleset that controls traffic addressed to the router itself), and click "Actions" to the right of it. Select "Edit Ruleset" from the pull-down. Add a new rule somewhere before the rule that drops invalid packets, as follows:

Basic Tab:

• Description: Allow L2TP

• Check Enable.

• Action: Accept.

• Protocol: Choose a protocol by name: udp

Destination Tab:

• Port: 500,1701,4500

#Click Save.

#Two caveats. Clients that are not behind NAT send plain ESP (IP protocol 50) instead of UDP 4500, so add a second accept rule with protocol esp for them. Port 1701 should only ever be reached through the IPsec tunnel; the rule editor's Advanced tab lets the rule match only inbound IPsec packets, which stops anyone from talking L2TP to the router in clear text.
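Putting the whole procedure together, as an added example that is not from the original page or from Ubiquiti: a script that assembles every command above, including the firewall rules the page configures through the Web UI, and commits them through the EdgeOS configuration wrapper when run on the router (anywhere else it only prints them, as a dry run). Beyond the page's own steps it generates a random pre-shared secret, adds an accept rule for ESP for clients that are not behind NAT, and restricts port 1701 to IPsec-protected packets. The interface name eth0, the address pool, the ruleset name WAN_LOCAL, rule numbers 30 to 60 and the wrapper path are assumptions to adjust for your router.

```shell
#!/bin/sh
# Added example (not part of the original page): builds the complete EdgeOS
# command set for the L2TP/IPsec server and applies it through the EdgeOS
# configuration wrapper when present. Interface, pool, ruleset name and rule
# numbers are assumptions; change them to match your network.

WAN_IF="${WAN_IF:-eth0}"
POOL_START="${POOL_START:-192.168.100.101}"
POOL_STOP="${POOL_STOP:-192.168.100.110}"
RULESET="${RULESET:-WAN_LOCAL}"    # ruleset guarding traffic to the router itself

# 32-character random pre-shared secret. Every client shares this one value,
# so it must be unguessable; the alphabet is limited to characters that need
# no quoting in the EdgeOS CLI.
gen_psk() {
    head -c 96 /dev/urandom | base64 | tr -d '/+=\n' | head -c 32
}

# Rules for traffic addressed to the router: IKE, ESP, NAT-T and L2TP.
# ESP (IP protocol 50) serves clients that are not behind NAT. The
# "ipsec match-ipsec" attribute makes port 1701 reachable only through
# the IPsec tunnel, never in clear text.
wan_local_rules() {
    r="$1"
    cat <<EOF
set firewall name $r rule 30 description IKE
set firewall name $r rule 30 action accept
set firewall name $r rule 30 protocol udp
set firewall name $r rule 30 destination port 500
set firewall name $r rule 40 description ESP
set firewall name $r rule 40 action accept
set firewall name $r rule 40 protocol esp
set firewall name $r rule 50 description NAT-T
set firewall name $r rule 50 action accept
set firewall name $r rule 50 protocol udp
set firewall name $r rule 50 destination port 4500
set firewall name $r rule 60 description L2TP-inside-IPsec-only
set firewall name $r rule 60 action accept
set firewall name $r rule 60 protocol udp
set firewall name $r rule 60 destination port 1701
set firewall name $r rule 60 ipsec match-ipsec
EOF
}

# Whole configuration. $1 is the PSK; the rest are user:password pairs.
# Neither field may contain whitespace: each line is word-split when applied.
l2tp_commands() {
    psk="$1"; shift
    cat <<EOF
set vpn ipsec ipsec-interfaces interface $WAN_IF
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access dhcp-interface $WAN_IF
set vpn l2tp remote-access client-ip-pool start $POOL_START
set vpn l2tp remote-access client-ip-pool stop $POOL_STOP
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret $psk
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access mtu 1492
EOF
    for u in "$@"; do
        echo "set vpn l2tp remote-access authentication local-users username ${u%%:*} password ${u#*:}"
    done
    wan_local_rules "$RULESET"
}

# Commit through the EdgeOS wrapper when it exists (i.e. on the router);
# otherwise just print the commands for review.
apply_or_print() {
    wrapper=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
    if [ -x "$wrapper" ]; then
        "$wrapper" begin
        while IFS= read -r line; do
            # shellcheck disable=SC2086  (word splitting is intended here)
            "$wrapper" $line || { "$wrapper" end; return 1; }
        done
        "$wrapper" commit && "$wrapper" save
        "$wrapper" end
    else
        cat
    fi
}

# Usage: ./l2tp-server.sh --apply alice:Secret1 bob:Secret2
# Review the dry-run output on a workstation before running it on the router.
if [ "${1:-}" = "--apply" ]; then
    shift
    PSK=$(gen_psk)
    echo "Pre-shared secret (give to clients, then delete this output): $PSK" >&2
    l2tp_commands "$PSK" "$@" | apply_or_print
fi
```

The firewall rules are emitted last so that nothing is opened before the VPN configuration that uses it exists; if the wrapper rejects any line the script ends the session without committing, so a typo leaves the running configuration untouched.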

Fix IE10 and SBS 2008 RWW error

You just upgraded your workstation to Internet Explorer 10. But when you try to remote into your SBS 2008 server, you get a “VBScript: Remote Desktop Connection” error message, like this:

 

The detail error message reads: The wizard cannot configure Remote Desktop Connection settings. Make sure that the client version of Remote Desktop Protocol (RDP) 6.0 or later is installed on this computer.

 

Solution:

The solution is so easy, you probably will miss it. After clicking OK on the error window, click on the Compatibility View icon at the top of your IE10 window.

Your RWW login screen will refresh. Log back in and try connecting to the remote computer, and it should be working as expected.

N.B. It probably is incorrect to call this a “solution”, as it is more of a “workaround”. It’s not a bug with IE10, it’s that the decision was made that it’s acceptable to have a “workaround” rather than to fix IIS to flag compat mode from the server.

Installing and using VirtualBox on CentOS

1. RPMforge for CentOS 6

The default RPMforge repository does not replace any CentOS base packages. In the past it used to, but those packages are now in a separate repository (rpmforge-extras) which is disabled by default.

You can find a complete listing of the RPMforge packages at http://packages.sw.be/

Download the rpmforge-release package that matches your host's architecture (an i386 and an x86_64 build are published). If you are unsure which one to use, check your architecture with the command uname -i.

Installing that rpmforge-release package is the preferred way to enable the repository.

Install DAG’s GPG key

rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

If you get an error message like the following the key has already been imported:

error: http://apt.sw.be/RPM-GPG-KEY.dag.txt: key 1 import failed.

Verify the package you have downloaded

rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm

<!> Security warning: The rpmforge-release package imports GPG keys into your RPM database, and the key itself was fetched over plain HTTP in the step above. rpm -K therefore only proves that the package was signed with whatever key you imported; compare the key's fingerprint with one obtained from a second source before trusting it. After that, the repository is as safe as your trust in Dag et al. extends.

Install the package

rpm -i rpmforge-release-0.5.2-2.el6.rf.*.rpm

This will add a yum repository config file and import the appropriate GPG keys.
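Two checks worth scripting around the steps above, as an added example that is not from the original page or from the RPMforge project: a parser for the rpm -K verdict that fails a package whose digests are intact but which carries no signature at all (rpm reports such a package as "OK" too), and a fingerprint comparison to run before rpm --import. The verdict lines and the key ID in them are constructed for the example, and the expected fingerprint is a value you must obtain from a second source, such as the key as published on the project's own pages.

```shell
#!/bin/sh
# Added example (not from the original page): guard rails for importing a
# third-party signing key and verifying a package with it.

# Succeeds only when rpm -K reports a clean verdict AND a signature was
# actually checked. An unsigned package prints e.g. "sha1 md5 OK" (EL6) or
# "digests OK" (newer rpm) and must be rejected even though it says OK.
# Usage: rpm_sig_ok "$(rpm -K package.rpm)"
rpm_sig_ok() {
    verdict="${1#*: }"                 # drop the "file.rpm: " prefix
    case "$verdict" in
        *"NOT OK"*) return 1 ;;        # bad signature, missing key or bad digest
    esac
    case "$verdict" in
        *" OK") ;;                     # verdict must end in a clean OK
        *) return 1 ;;
    esac
    # Evidence that a signature, not only a digest, was verified:
    # EL6 prints "gpg OK" or "(GPG)"; newer rpm prints "digests signatures OK".
    case "$verdict" in
        *gpg*|*GPG*|*pgp*|*PGP*|*signatures*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fingerprint of the first key in an ASCII-armoured key file, without importing it.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the key only if its fingerprint equals the one verified out of band.
# Usage: import_key_if_matches RPM-GPG-KEY.dag.txt <expected fingerprint>
import_key_if_matches() {
    keyfile="$1" expected="$2"
    actual=$(key_fingerprint "$keyfile")
    [ -n "$actual" ] && [ "$actual" = "$expected" ] || return 1
    rpm --import "$keyfile"
}

# Constructed sample verdicts in the formats rpm uses (the key ID is made up).
SIGNED_EL6='rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK'
UNSIGNED_EL6='something.rpm: sha1 md5 OK'
MISSING_KEY='something.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)'
SIGNED_NEW='something.rpm: digests signatures OK'
UNSIGNED_NEW='something.rpm: digests OK'

# Example run over the constructed verdicts; on a real host use
#   rpm_sig_ok "$(rpm -K rpmforge-release-0.5.2-2.el6.rf.*.rpm)" && rpm -i ...
for v in "$SIGNED_EL6" "$UNSIGNED_EL6" "$MISSING_KEY" "$SIGNED_NEW" "$UNSIGNED_NEW"; do
    if rpm_sig_ok "$v"; then echo "accept: $v"; else echo "reject: $v"; fi
done
```

The prefix strip matters: matching on the whole line would let a file name such as gnupg-something.rpm satisfy the signature check by accident.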

Then try to install something like this

yum install htop

 

2. Installing VirtualBox

The (VirtualBox) website has a lot of quality documentation including:

  • End-user documentation
  • Technical documentation
  • Source code repository timeline
  • List of changes (changelog)

This article will briefly cover the installation process. Both i386 and AMD64 (x86_64) versions are available.

You will need to be the root user for the following tasks. Login to a root shell or “su -” in a terminal window.

Download the RHEL repo config.

  • Note: As an alternative, you may choose to download and install individual RPMS rather than configuring the repository. That procedure is documented on the VB web site and will not be covered here.
cd /etc/yum.repos.d
wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo
  • Optionally add a line "enabled=0" if you do not want the repo enabled by default. This will require adding "--enablerepo virtualbox" to yum commands to access the repo.

The installation of VB will require the building of kernel modules. If DKMS (Dynamic Kernel Module Support) is installed it will be used and will simplify kernel upgrades. Installing DKMS from RPMforge or EPEL repository is recommended before installing VirtualBox. Don’t forget to configure the yum-priorities plugin. Installing DKMS will pull in required development dependencies.

 

yum --enablerepo rpmforge install dkms
<!> A forum user notes that all but the latest version of DKMS from Dell may be buggy.

If DKMS is not used and the development environment and kernel source are not already installed:

yum groupinstall "Development Tools"
yum install kernel-devel

You may also choose to only install a minimum set of individual development tool packages (at least gcc and make are required) rather than the groupinstall which some may consider overkill. Replace “kernel-devel” with “kernel-PAE-devel” if using a PAE kernel. If you are not using a standard CentOS kernel, you must acquire and install the source for your kernel from wherever you got the kernel. Do not try to use VirtualBox with a Xen kernel, nor to install a Xen kernel in a Guest OS.

  • Note: For CentOS as a Guest OS the same packages are used to build the “Guest Additions” drivers.

Install the RPM:

yum install VirtualBox-4.1

The installer will create the “vboxusers” group and create the necessary kernel modules if the development environment has been correctly configured.

For each “username” that will run VirtualBox:

usermod -a -G vboxusers username

or use the GUI Users and Groups tool.

 

4. Running VirtualBox

Run VB as a user that is a member of the “vboxusers” group. For VirtualBox-4.0 or 4.1 you may install the optional VirtualBox Extension Pack from a running instance of the GUI interface via the File / Preferences / Extensions menu. The root password will be required for this operation.

  • From a terminal command line enter “VirtualBox &”
  • In GNOME or KDE run under “Applications / System Tools / Oracle VM VirtualBox”

Accept the license, optionally register, and create a new VM. VMware virtual machines should be usable with VirtualBox. Google "vmware to virtualbox" for information.

Help is available from the menu or online.

 

5. Making USB Work in VirtualBox

VirtualBox requires the user have write access to “usbfs” devices for USB access. As root perform the following:

mkdir /vbusbfs
echo "none /vbusbfs usbfs rw,devgid=$(awk -F : '/vboxusers/ {print $3}' /etc/group),devmode=664 0 0" >> /etc/fstab
mount -a

 

  • If running CentOS as a guest OS in a VM the same development and DKMS packages should be installed in the VM prior to installing VBox Guest Additions.
  • VB users may also be interested in the phpVirtualBox implementation of the VirtualBox user interface written in PHP.

WordPress and problems with RewriteRules and w00t

Have you recently been seeing requests like this in Apache's error_log?

[error] [client 69.162.74.102] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

The F flag sends a 403 Forbidden response when the rule matches. In a .htaccess file the pattern is tested against the path with the leading slash already stripped, so the pattern must not begin with a slash:

RewriteRule ^w00tw00t\.at\.ISC\.SANS\.DFind - [F]

Add this just after RewriteBase /.

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^w00tw00t\.at\.ISC\.SANS\.DFind - [F]
RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.php - [L,R=404]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

BTW the "client sent HTTP/1.1 request without hostname" errors show that Apache is already answering these probes with 400 Bad Request before mod_rewrite or WordPress sees them, so the rule above only matters for scanners that do send a Host header. The log entry is still useful on its own: the client address in it is what you would feed to a blocklist.
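Since the log entries are the useful part, here is an added example (not from the original post) that extracts the scanning clients' addresses from an Apache error_log, ready for a blocklist or a fail2ban filter. It handles the 2.2 format shown above and the 2.4 format, which appends a port to the client address. The log lines in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): summarise w00tw00t scanner hits
# in an Apache error_log by client address.

# Reads error_log lines on stdin, prints "count ip", busiest client first.
w00t_scanners() {
    awk '
        /request without hostname/ && /w00tw00t\.at\.ISC\.SANS\.DFind/ {
            if (match($0, /\[client [0-9.]+(:[0-9]+)?\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
                sub(/:[0-9]+$/, "", ip)                    # drop the Apache 2.4 port suffix
                hits[ip]++
            }
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log (two Apache 2.2 lines, one 2.4-style line, one unrelated error).
SAMPLE_LOG='[Sun Mar 10 04:12:01 2013] [error] [client 69.162.74.102] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Mar 10 04:12:03 2013] [error] [client 69.162.74.102] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Mar 10 04:15:40 2013] [error] [client 198.51.100.7:51234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Mar 10 04:16:02 2013] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico'

# Example run on the constructed log. On a real host:
#   w00t_scanners < /var/log/httpd/error_log
printf '%s\n' "$SAMPLE_LOG" | w00t_scanners
```

The unrelated "File does not exist" line is deliberately left out of the count: only requests that carry the scanner's marker are attributed to a client, so an ordinary visitor with a broken favicon link is never blocklisted.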

Install GD Library For PHP5 On CentOS

An easy task, using yum. First step, see if it’s already installed.

[root@optusnet]# rpm -qa | grep php
php-common-5.1.6-27.el5_5.3
php-cli-5.1.6-27.el5_5.3
php-5.1.6-27.el5_5.3
php-pdo-5.1.6-27.el5_5.3
php-mysql-5.1.6-27.el5_5.3

If php-gd is not in that list, the GD library has not been installed on the server yet. Install it using yum.

[root@optusnet]# yum install php-gd

Easy going, isn’t it?
Restart your apache, and you’re ready to rock.

[root@optusnet]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Simple as that!

WordPress permalink on CentOS 5 tutorial

The installation of WordPress is simple and straightforward. Really. So I'm not going to detail the installation process, which is well documented here. However, the permalink feature does not work out of the box on a standard CentOS 5 distribution. Some changes have to be made in the Apache configuration files to enable mod_rewrite in your WordPress directory.

Let’s say you installed WordPress in the root of your website. By default on your CentOs’s apache, the document root of your website is located in /var/www/html.

  1. Create an empty .htaccess file in this directory.
  2. WordPress needs to read and write this file when you update settings in the admin pages, so make sure the user running Apache can write it. If not, chmod/chown it. Usually this does the trick:
    chown apache:apache /var/www/html/.htaccess
  3. Now edit the /etc/httpd/conf/httpd.conf file. Search for the following:

    <Directory "/var/www/html">

    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    # Options FileInfo AuthConfig Limit
    #
    AllowOverride None

  4. Change this line to:

    AllowOverride All

    The permalink rules WordPress writes are all mod_rewrite directives, which belong to the FileInfo class, so AllowOverride FileInfo is enough and is the smaller grant: it keeps a .htaccess rewritten through a compromised WordPress (which, per step 2, can write that file) from overriding anything else.
  5. This allows Apache to read and interpret the .htaccess located in your document root.
  6. Restart Apache:

    [root@optusnet]# service httpd restart

  7. Now you can change your permalink settings in the admin pages of WordPress, which will modify the .htaccess file created above.
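As an added example that is not from the original post, a script that makes the AllowOverride change for the document root's Directory block only and reads the value back, so the edit can be scripted and verified instead of done by hand; it sets FileInfo, which covers the mod_rewrite directives the permalink rules use. The httpd.conf excerpt inside it is a constructed stand-in shaped like the CentOS 5 default, not a copy of the real file.

```shell
#!/bin/sh
# Added example (not from the original post): scripted, verifiable change of
# AllowOverride for one <Directory> block in httpd.conf.

# Print the AllowOverride value inside <Directory DIR> in CONF (nothing if absent).
# Usage: allow_override_for CONF DIR
allow_override_for() {
    awk -v dir="$2" '
        $1 == "<Directory"  { d = $2; gsub(/[">]/, "", d); inblk = (d == dir) }
        inblk && $1 == "AllowOverride" { $1 = ""; sub(/^ +/, ""); print; exit }
        $1 == "</Directory>" { inblk = 0 }
    ' "$1"
}

# Rewrite AllowOverride inside <Directory DIR> in CONF to VALUE, keeping the
# line's indentation and leaving every other block (e.g. <Directory />) alone.
# Usage: set_allow_override CONF DIR VALUE
set_allow_override() {
    conf="$1"
    awk -v dir="$2" -v value="$3" '
        $1 == "<Directory"  { d = $2; gsub(/[">]/, "", d); inblk = (d == dir) }
        inblk && $1 == "AllowOverride" {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) "AllowOverride " value
            next
        }
        $1 == "</Directory>" { inblk = 0 }
        { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Constructed excerpt shaped like the CentOS 5 default httpd.conf.
SAMPLE_CONF='<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>'

# Demo on a temporary copy. On a real host point the two functions at
# /etc/httpd/conf/httpd.conf, then run "service httpd configtest" before restarting.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    set_allow_override "$tmp" /var/www/html FileInfo
    allow_override_for "$tmp" /var/www/html     # FileInfo
    rm -f "$tmp"
}
```

Reading the value back after the write is the point: a sed over the whole file would also have changed the <Directory /> block, which should stay at None.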

Linux Remote Desktop For Controlling Windows XP / Vista / 7 / Server 2003 2008 ( rdesktop )

I am responsible for a couple of MS-Windows servers and Windows XP/Vista/7 workstations too. When I work from home, I need a way to get into Windows XP/2000/Vista/2003/2008/7 operating systems for work.

I have Debian and CentOS Linux at home, so I needed a way to log in to a Microsoft Windows desktop from Linux. Many of us working in tech support use rdesktop to connect to customers' MS-Windows systems.

It is especially useful for configuring Outlook or something else when customers do not understand how to configure or troubleshoot a problem. This is the best way to fix a problem.

Say Hello To rdesktop

Fortunately, Linux has rdesktop utility. It is a client for remote desktop protocol (RDP), used in a number of Microsoft products including Windows NT Terminal Server, Windows 2000 Server, Windows XP and Windows 2003 / 2008 Server. You do not need to install VNC server. All you need is rdesktop client on Linux or BSD workstation.

Install rdesktop

Type the following command as the root user (on Debian; on CentOS the package has the same name and is installed with yum instead):

# apt-get install rdesktop

To connect to MS-Windows systems from Linux, type the following command at a shell prompt (connect to Windows server called hg-167ox.mycorp.com)

$ rdesktop hg-167ox.mycorp.com

Or connect to windows XP/Vista workstation having IP 192.168.1.17:

$ rdesktop 192.168.1.17

Please note that you must enable Remote Desktop on the MS-Windows system; otherwise it will not work. Turn on Remote Desktop under MS-Windows operating systems:

  • Go to MS-Windows desktop,
  • Right Click on My Computer,
  • Select properties,
  • Select Remote tab,
  • Enable Remote desktop,
  • Save the changes.

Make sure the enterprise firewall allows incoming connections on TCP port 3389, and only from the addresses you connect from (or reach the machine over a VPN, such as the L2TP server described at the top of this page): an RDP service exposed to the whole Internet will be subjected to constant password guessing. Do not pass the password with -p on the command line, where it is visible to other users in the process list and kept in your shell history; "-p -" makes rdesktop prompt for it instead. rdesktop supports many other options; type the following command to read its man page, or visit the project website for more information.

man rdesktop