Tag Archives: debian

Using Strongswan as a VPN client – and a Windows Firewall gotcha

How do you monitor a Windows server over the internet? This one is not in Azure but an actual server, running Hyper-V of course, and the requirement is to monitor both the Hyper-V host and the VMs for things like free memory, disk space and CPU usage.

There is a nice solution called Cacti which does this, using SNMP. You just have to enable SNMP in Windows Server, install Cacti on some other server, and make sure the two can communicate on UDP port 161 (or you can configure another port).

The target server is behind a Linux firewall which has a VPN endpoint, so a good solution is to have a VPN connection between Cacti on-premises and the firewall to carry SNMP traffic over a secure tunnel. This VPN endpoint is already in use with the excellent Shrew Soft VPN client, so it was just a matter of finding a suitable Linux VPN client for the VM on which I installed Cacti.

I had installed Debian Linux on a VM to run Cacti, without any GUI (I mean, who needs a GUI on a server?), so I looked for a suitable command-line VPN client. I soon gathered that the usual choice used to be Racoon but is now strongSwan – though note that both of these are more often used to set up a VPN endpoint on a server rather than as clients, though they work fine in either role.

I am sure that someone with more experience than myself in Linux VPNs and networking would have had this up and running in no time, but for me it was somewhat arduous. There are two aspects to a VPN tunnel: creating the secure tunnel, and the networking. strongSwan will do most of this on your behalf, but you do need to get the configuration right in /etc/ipsec.conf, and I chased down several false trails before getting it working.

One issue was that I am using XAuth authentication, and despite strongSwan supporting this (by default, I thought) I got the error “no XAuth method found.” What worked for me was to install libstrongswan-extra-plugins and then make sure that xauth-generic.conf is set to load the xauth-generic plugin.

Next, it was not obvious to me what to put in the strongSwan left and leftsubnet key pairs. I thought the left subnet should be the subnet of my local network (192.168.255.0/24) but in fact I needed the subnet that was configured for VPN clients, in my case 192.168.40.0/24. Until I figured this out I was getting “no matching CHILD_SA config found” and “HASH N(INVAL_ID)” errors when trying to connect.

I fixed that but it still did not work. After trying various things I hit upon left=%any in ipsec.conf and got a successful connection at last.

I had a tunnel, but traffic did not pass. There are two things I did to get this working. One was to put auto=route in ipsec.conf. The docs say “route loads a connection and installs kernel traps.” Note that the networking configuration is done not by modifying iptables rules, but through xfrm policy, and to see the current policy you type:

ip xfrm policy

in the shell. It was still not quite right.

The final step was to change left=%any to left=%defaultroute in ipsec.conf. With this last piece of magic in place, everything works.
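To pull the pieces together, here is an added example that is not from the original post: a constructed client-side ipsec.conf carrying the settings that finally worked (left=%defaultroute, leftsubnet set to the gateway's VPN client pool rather than the local LAN, auto=route), together with a small shell lint that flags the three false trails described above so you can check a real /etc/ipsec.conf before chasing CHILD_SA errors. The connection name cacti-to-office, the gateway name vpn.example.invalid, the remote LAN 10.0.0.0/24, the XAuth identity and the strongswan.d plugin file are all placeholders or constructed for the demonstration; the leftauth/leftauth2 form of the XAuth settings is the strongSwan 5 IKEv1 syntax and is my assumption, since the post does not show its full config.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed client-side ipsec.conf
# with the settings that worked (left=%defaultroute, leftsubnet = the gateway's
# VPN client pool, auto=route) plus a lint for the three pitfalls described.
# Connection name, gateway hostname, remote LAN 10.0.0.0/24, XAuth identity and
# the plugin file are placeholders/constructed; leftauth/leftauth2 is assumed
# strongSwan 5 IKEv1 XAuth syntax.

WORKING_CONF=$(mktemp)
cat > "$WORKING_CONF" <<'EOF'
config setup
    charondebug="ike 1, knl 1, cfg 1"

conn cacti-to-office
    keyexchange=ikev1
    # %defaultroute: take the local address from the default route
    left=%defaultroute
    # the subnet the gateway assigns to VPN clients, not the client's own LAN
    leftsubnet=192.168.40.0/24
    leftauth=psk
    leftauth2=xauth
    xauth_identity=cacti-monitor
    right=vpn.example.invalid
    rightsubnet=10.0.0.0/24
    rightauth=psk
    # route: install kernel traps so matching traffic brings the tunnel up
    auto=route
EOF

# The same connection with the three mistakes the post ran into (constructed).
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
conn cacti-to-office
    keyexchange=ikev1
    left=%any
    leftsubnet=192.168.255.0/24
    leftauth=psk
    leftauth2=xauth
    xauth_identity=cacti-monitor
    right=vpn.example.invalid
    rightsubnet=10.0.0.0/24
    rightauth=psk
    auto=add
EOF

# Constructed stand-in for strongswan.d/charon/xauth-generic.conf.
XAUTH_CONF=$(mktemp)
printf 'xauth-generic {\n    load = yes\n}\n' > "$XAUTH_CONF"
trap 'rm -f "$WORKING_CONF" "$BROKEN_CONF" "$XAUTH_CONF"' EXIT

# conf_value FILE KEY: value of the first "KEY = value" line (comments ignored).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ipsec_conf FILE LAN_SUBNET: print one line per pitfall found;
# returns 0 when clean, otherwise the number of findings.
check_ipsec_conf() {
    findings=0
    left=$(conf_value "$1" left)
    leftsubnet=$(conf_value "$1" leftsubnet)
    auto=$(conf_value "$1" auto)
    if [ "$left" != "%defaultroute" ]; then
        echo "  left=${left:-<unset>}: left=%defaultroute was needed before traffic passed"
        findings=$((findings + 1))
    fi
    if [ -z "$leftsubnet" ] || [ "$leftsubnet" = "$2" ]; then
        echo "  leftsubnet=${leftsubnet:-<unset>}: must be the VPN client pool, not the local LAN ($2)"
        findings=$((findings + 1))
    fi
    if [ "$auto" != "route" ]; then
        echo "  auto=${auto:-<unset>}: auto=route installs the kernel traps that bring the tunnel up"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# check_xauth_plugin FILE: 0 if the xauth-generic plugin is set to load.
check_xauth_plugin() {
    grep -Eq '^[[:space:]]*load[[:space:]]*=[[:space:]]*yes' "$1"
}

echo "working config:"
check_ipsec_conf "$WORKING_CONF" 192.168.255.0/24 && echo "  no findings"
echo "broken config:"
check_ipsec_conf "$BROKEN_CONF" 192.168.255.0/24 || echo "  $? finding(s)"
check_xauth_plugin "$XAUTH_CONF" && echo "xauth-generic plugin: load = yes"
```

On a real box, run check_ipsec_conf against /etc/ipsec.conf with your own LAN subnet as the second argument, and check_xauth_plugin against the plugin file under /etc/strongswan.d/charon/. The lint only catches the configuration mistakes from the post; after ipsec up, ip xfrm policy remains the way to confirm that the traps and policies were actually installed.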

It was not (for me) quick and easy to configure, but the result is excellent. Just type:

ipsec up [connectionname]

and the tunnel comes up almost instantly. Using snmpwalk I can verify that traffic is flowing.


That said, now is the time to mention a little gotcha with the Windows Firewall for SNMP. When you install the service, Windows creates a firewall rule that opens the SNMP port (normally UDP 161) for incoming traffic, for both private and public profiles.


Note there is a separate rule for Domain profiles, which is a clue that something is different. That difference is the scope of the rule. By default, the rule for private and public profiles is scoped only to the local subnet, making it in effect disabled.


The idea, I guess, is to encourage you to restrict traffic to specified IPs if you access the SNMP service from outside the domain, which is good security advice. You can also configure this on the SNMP service properties. But if you are wondering why the service is not responding, this is one thing to check.

Fixing lack of output in AWstats after Debian Linux upgrade

I use AWStats to analyse logs on several web sites that I manage. After a recent upgrade to Debian 7.0 “Wheezy” I was puzzled to find that my web stats were no longer being updated.

I verified that the Cron job which runs the update script was running. I verified that if I ran the same command from the console, it ran correctly. I verified this even when using sudo to run with the same permissions as Apache. I also noted that the update button on the stats pages worked correctly. An odd problem.

This is how it rested for a while, and I manually updated the stats. It was annoying though, so I took a closer look.

First, I amended one of the Cron jobs so that it output to a file. Reading the file after the next failed update, I could see the error message:

Error: LogFile parameter is not defined in config/domain file
Setup file, web server or permissions) may be wrong.

I knew the config file was fine, but checked anyway, and of course the LogFile was specified OK.

It was a clue though. Eventually I came across this bug report by Simone Capra:

Hi all, I’ve found a problem:
When run from another perl program, it finds a config file that doesn’t exist!

I applied the suggested fix in awstats.pl, changing:

if (open( CONFIG, "$SiteConfig" ) ) {

to

if ($SiteConfig=~ /^[\\/]/ && open( CONFIG, "$SiteConfig" ) ) {

Presto, everything is running OK.

Trying out nide – a cloud IDE for Node.js

I was intrigued by reports of nide, a web-based IDE for Node.js. It was one of the entries in the Node.js Knockout challenge last summer.

So how do you install it? One line on Linux; but I did not want to put it on my web server and I re-purposed my spare Linux machine last year after one of my other servers broke.

I decided to run up a Debian install on a Hyper-V server that has a little spare capacity.


I then followed the steps here for setting up Node.js and npm (Node Package Manager). I also installed nginx, which I have been meaning to try for a while. Linux on Hyper-V works fine, though you have to use a “Legacy” network adapter, which compromises performance a bit, unless you are willing to tackle installing Microsoft’s Hyper-V integration components for Linux, which do not list Debian as supported, though it is said to work. I do not need a GUI and the legacy network adapter is OK for this.

Everything works OK, though I found that nide does not work in Internet Explorer 9. I used Google Chrome, which makes sense I guess since the same JavaScript engine is used by Node.js.

Nide is a simple affair which is essentially a file manager. Projects are displayed in a tree view, and you select a file to view or edit it. The icons at the bottom left of the screen let you create and delete files and folders.


The smartest feature is version management. Files are saved automatically and you can easily compare versions and revert if necessary. The “Go backward in time” button shows that auto-saves are quite frequent.


There is also a GUI for npm built-in. Pretty good for a competition entry, though I had a few problems.

If you are interested in web-based IDEs, another interesting one is Orion, an Eclipse project. Executive Director Mike Milinkovich says Orion will ship a 1.0 release later this year.
