Share your VPN tun0 with a network interface eth0

My laptop and a home server are both in the same room, behind a very restrictive NAT. My VPN provider only provides a GUI client, so my laptop can reach Google & Co, but my server cannot! So no apt-get update for my home server… Should we give up? No: a few commands will solve the problem and let your home server (an ODROID-C1) surf the free web. Let's start by allowing forwarding in the system:

Now we will allow tun0 to forward data, and then create the rule that forwards all packets coming from eth0 to the VPN interface tun0 (yes, iptables is magic).

Now we will install a simple DHCP server on the laptop, so that it hands out an IP address to the server when the server is plugged into the laptop.

Edit /etc/dhcp/dhcpd.conf to tell the DHCP server how to assign an IP to the server (which will connect through eth0 with an Ethernet cable):

Edit /etc/default/isc-dhcp-server to tell the DHCP server which network interface to use:

Then check that your config is correct with dhcpd -t /etc/dhcp/dhcpd.conf and start/restart the DHCP server:

Now set the IP of your eth0 to the gateway IP defined in dhcpd.conf, using this command:

Only then connect your server's Ethernet port to your laptop's Ethernet port. My server is a DHCP client, so it will be assigned an IP address by the DHCP server running on the laptop, most probably 10.10.0.25. You can connect to your server from your laptop using:

and from your server, run apt-get update && apt-get dist-upgrade, which now goes through your laptop's VPN !! BRAVO !!
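The whole procedure above, as one added example (these are not the commands from the original post): it enables forwarding, installs the netfilter rules, writes a dhcpd.conf and brings up eth0. It assumes the laptop takes 10.10.0.1/24 on eth0, a constructed lease range 10.10.0.25 to 10.10.0.50, and 8.8.8.8 as DNS; the FORWARD rules are deliberately narrower than "forward everything": only eth0 to tun0 and the replies are accepted, and traffic from eth0 that would leave by any other interface is dropped, so the server cannot fall back to the unencrypted path if the tunnel drops. Without APPLY=1 the script only prints what it would install.

```shell
#!/bin/sh
# Added example, not the commands from the original post: share the laptop's
# VPN tunnel (tun0) with a server plugged into eth0. Assumptions: the laptop
# takes 10.10.0.1/24 on eth0, leases run from 10.10.0.25 to 10.10.0.50 (a
# constructed range), and the upstream DNS is 8.8.8.8. Without APPLY=1 the
# script only prints the rules and the config it would install.
LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
LAN_IP=${LAN_IP:-10.10.0.1}
LAN_NET=${LAN_NET:-10.10.0.0}
LAN_MASK=${LAN_MASK:-255.255.255.0}
LAN_CIDR=${LAN_CIDR:-24}
RANGE_START=${RANGE_START:-10.10.0.25}
RANGE_END=${RANGE_END:-10.10.0.50}

# Netfilter rules. Forwarding is accepted only eth0 -> tun0 (plus the replies),
# and anything from eth0 that would leave by another interface is dropped, so
# the server has no unencrypted path out if the tunnel goes down.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF ! -o $VPN_IF -j DROP
EOF
}

# Minimal isc-dhcp-server config for the eth0 side; "option routers" must be
# the address that eth0 gets below.
dhcpd_conf() {
  cat <<EOF
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet $LAN_NET netmask $LAN_MASK {
  range $RANGE_START $RANGE_END;
  option routers $LAN_IP;
  option domain-name-servers 8.8.8.8;
}
EOF
}

# 0 when the running kernel already forwards IPv4.
forwarding_enabled() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]; }

apply() {
  nat_rules | sh -e
  dhcpd_conf > /etc/dhcp/dhcpd.conf
  printf 'INTERFACES="%s"\n' "$LAN_IF" > /etc/default/isc-dhcp-server
  dhcpd -t -cf /etc/dhcp/dhcpd.conf            # syntax check before (re)starting
  ip addr replace "$LAN_IP/$LAN_CIDR" dev "$LAN_IF"
  service isc-dhcp-server restart
  if forwarding_enabled; then echo "forwarding on, rules installed"; fi
}

if [ "${APPLY:-0}" = 1 ]; then apply; else nat_rules; dhcpd_conf; fi
```

Run it once without APPLY to review the rules and the generated dhcpd.conf, then `sudo APPLY=1 sh share-vpn.sh`. Note that `dhcpd -t` takes the config path through `-cf`; a bare path after `-t` is read as an interface name.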

credit to this and this.

Note: in case your isc-dhcp-server won't start

It happened to me the second time I followed this procedure: impossible to get isc-dhcp-server to work, so I ditched it (apt-get remove isc-dhcp-server) and installed dnsmasq instead (apt-get install dnsmasq), then edit

find these lines and edit them like this:

Then manually give your laptop a fixed IP (10.10.0.1). Finally, open the needed ports in the firewall with sudo ufw allow bootps and ufw enable before connecting the server's Ethernet cable to your laptop. You can check the logs with tail -f /var/log/syslog, and restart the service with service dnsmasq restart.

credit for dnsmasq config.

Bonus

To find the IP your server was assigned (so you can ssh into it), you can use

To find the gateway of your server (properly redirected to your laptop's IP through eth0), run route -n.

Because I didn't research it further, dnsmasq did not hand out a DNS server to its DHCP clients, so you will have to add one by hand with echo "nameserver 8.8.8.8" > /etc/resolv.conf
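The dnsmasq variant and the "find the server's IP" bonus, as an added example that is not the post's own config: a dnsmasq fragment that serves DHCP on eth0 only (bind-interfaces keeps it off the Wi-Fi side), pushes both the router and a DNS server to the client so /etc/resolv.conf on the server needs no manual edit, opens the bootps port on eth0 only rather than on every interface, and a lookup in the leases file. It assumes the laptop is 10.10.0.1/24 on eth0, the constructed lease range 10.10.0.25 to 10.10.0.50, the hostname "odroid" in the constructed leases sample, and the Debian/Ubuntu layout where the init script reads /etc/dnsmasq.d.

```shell
#!/bin/sh
# Added example, not the post's own files: a dnsmasq DHCP configuration for
# the eth0 side plus a lookup of the address the server was given. Assumes the
# laptop is 10.10.0.1/24 on eth0 and a constructed lease range
# 10.10.0.25-10.10.0.50. Run with APPLY=1 as root to write and restart.
LAN_IF=${LAN_IF:-eth0}
LAN_IP=${LAN_IP:-10.10.0.1}
LEASES=${LEASES:-/var/lib/misc/dnsmasq.leases}

# dnsmasq only serves DHCP on eth0; bind-interfaces keeps it off Wi-Fi.
# option:dns-server hands the clients a resolver, so /etc/resolv.conf on the
# server does not need editing by hand.
dnsmasq_conf() {
  cat <<EOF
interface=$LAN_IF
bind-interfaces
dhcp-range=10.10.0.25,10.10.0.50,12h
dhcp-option=option:router,$LAN_IP
dhcp-option=option:dns-server,8.8.8.8
EOF
}

# Constructed sample of a dnsmasq.leases file (expiry, MAC, IP, name, client-id).
SAMPLE_LEASES='1415000000 02:00:00:aa:bb:cc 10.10.0.25 odroid 01:02:00:00:aa:bb:cc
1415000000 02:00:00:dd:ee:ff 10.10.0.26 * *'

# Print the IP leased to a hostname or MAC address; leases text on stdin.
lease_ip() {
  awk -v key="$1" '$2 == key || $4 == key { print $3; exit }'
}

apply() {
  dnsmasq_conf > /etc/dnsmasq.d/vpn-share.conf   # read by the Debian/Ubuntu init script
  ip addr replace "$LAN_IP/24" dev "$LAN_IF"
  ufw allow in on "$LAN_IF" to any port 67 proto udp   # bootps, on eth0 only
  ufw enable
  service dnsmasq restart
  tail -n 20 /var/log/syslog
}

if [ "${APPLY:-0}" = 1 ]; then apply; else
  dnsmasq_conf
  printf '%s\n' "$SAMPLE_LEASES" | lease_ip odroid
fi
```

On the laptop, `lease_ip odroid < /var/lib/misc/dnsmasq.leases` prints the address to ssh to; pass a MAC instead of the hostname when the client does not send one.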

Extend a (not LVM) partition to use full space of the SDcard

We will use the fdisk utility to delete the too-small partition and then recreate a bigger one, making full use of the SD card space. After that we will resize the filesystem. All the details are explained here, and below is the set of commands (credits to mdrjr):
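An added example of the same delete-and-recreate technique (not mdrjr's script): the one thing that keeps the data intact is recreating the partition at exactly the start sector it had before, so the script reads that sector from `sfdisk -d` and refuses to continue if it cannot parse one. It assumes /dev/mmcblk0 with the root filesystem on partition 2 (both assumptions) and uses a constructed `sfdisk -d` dump for the offline check. Back the card up first: a wrong start sector destroys the filesystem.

```shell
#!/bin/sh
# Added example, not mdrjr's script: grow the last partition of an SD card to
# the end of the card, then grow the ext4 filesystem inside it. The partition
# is deleted and recreated at exactly the same start sector, which is what
# keeps the data intact. Assumes /dev/mmcblk0 with the root filesystem on
# partition 2 (both are assumptions). Run as root with APPLY=1.
DEV=${DEV:-/dev/mmcblk0}
PART=${PART:-2}
PARTDEV=${PARTDEV:-${DEV}p${PART}}

# Constructed sample of `sfdisk -d` output, used for the offline check below.
SAMPLE_DUMP='label: dos
device: /dev/mmcblk0
unit: sectors

/dev/mmcblk0p1 : start=        2048, size=      262144, type=c
/dev/mmcblk0p2 : start=      264192, size=     3145728, type=83'

# Print the start sector of partition $3 of device $2 from the dump text $1.
part_start() {
  printf '%s\n' "$1" \
    | grep "^${2}p*${3} :" \
    | sed 's/.*start= *\([0-9][0-9]*\),.*/\1/'
}

# 0 only when $1 is a plain positive integer (a sector number).
is_sector() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

apply() {
  start=$(part_start "$(sfdisk -d "$DEV")" "$DEV" "$PART")
  is_sector "$start" || { echo "cannot read start sector of $PARTDEV" >&2; exit 1; }
  # fdisk dialogue: delete the partition, recreate it as primary with the same
  # start and the default (maximum) end, then write. Newer fdisk asks whether
  # to remove the existing ext4 signature; the N keeps it (old fdisk just
  # ignores that line as an unknown command).
  printf 'd\n%s\nn\np\n%s\n%s\n\nN\nw\n' "$PART" "$PART" "$start" | fdisk "$DEV"
  # The kernel often refuses to re-read the table of the disk it booted from;
  # in that case reboot and run resize2fs afterwards, as in the post.
  partprobe "$DEV" && resize2fs "$PARTDEV" \
    || echo "partition table not re-read: reboot, then run resize2fs $PARTDEV" >&2
}

if [ "${APPLY:-0}" = 1 ]; then apply; fi
```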


Extend a LVM partition after increasing its virtual disk on Virtualbox

No Linux machine at work? The easy way could be to simply install VirtualBox on one of the PCs, create a VDI and install Ubuntu 14.04 in it. But the day will come when you need more space! Here is how to resize it:

Resize Virtualbox VDI

Open VirtualBox and make sure your virtual machine is shut down. Then open a terminal (here on Windows):

This is the VirtualBox official manual of available commands. And this is a website to convert GB into MB (--resize takes MB as input, 200 GB = 204800 MB).

Boot Gparted to resize the partition

After a default install of Ubuntu Server on one physical disk, you will have a swap partition, and then an extended partition in which you'll have your LVM partition (so 3 partitions). Download the GParted .iso, then in your VirtualBox VM settings add an optical drive that points to the GParted .iso, start the VM, press F12 and choose to boot from CD-ROM. Then in GParted, first resize the extended partition to take all the available space, and then do the same for the LVM partition. Confirm the changes, and reboot the VM from its hard drive.

Resize the LVM stack

Let’s resize the PV (Physical Volume) so it takes all the

Now let’s extend the LV (Logical Volume) to the full size of the PV. First display its name:

And then extend it to full size available (100%):

Now let's check the filesystem of the partition:

It's ext4, and as you can see, the filesystem size is still 99G (and not the 200G we want). So the last step is to extend the filesystem over the whole LV:

That’s it! Now you can run  df -Th again and see that the available space has increased. Congrats, job done!
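The three stages (VDI, LVM stack, filesystem) as one added example; these are not the post's own commands. The VDI path, the PV on /dev/sda5 and the logical volume /dev/ubuntu-vg/root are placeholders to replace with what `pvs` and `lvdisplay` report, and the script prints every command instead of running it unless APPLY=1, so the plan can be read before anything touches the disk. Before resize2fs it checks that the root filesystem really is ext4 (the `df -Th` sample is constructed).

```shell
#!/bin/sh
# Added example, not the post's own commands: grow a VirtualBox VDI, then the
# LVM stack inside the guest once GParted has enlarged the partitions.
# Assumptions (placeholders, replace from pvs/lvdisplay output): the VDI path,
# the PV on /dev/sda5 and the logical volume /dev/ubuntu-vg/root. Commands are
# printed unless APPLY=1, so the plan can be reviewed before anything runs.
VDI=${VDI:-C:/VMs/ubuntu1404.vdi}
NEW_GB=${NEW_GB:-200}
PV=${PV:-/dev/sda5}
LV=${LV:-/dev/ubuntu-vg/root}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# --resize takes mebibytes: 200 GiB = 204800 MiB (the post's 200 GB = 204800 MB).
gb_to_mb() { echo $(( $1 * 1024 )); }

# Host side, with the VM powered off. `modifyhd` is the VirtualBox 4.x name;
# VirtualBox 5 and later also accept `modifymedium disk`.
resize_vdi() { run VBoxManage modifyhd "$VDI" --resize "$(gb_to_mb "$NEW_GB")"; }

# Guest side: the PV follows the enlarged partition, the LV takes every free
# extent, and resize2fs grows ext4 while mounted.
resize_lvm() {
  run pvresize "$PV"
  run lvextend -l +100%FREE "$LV"
  run resize2fs "$LV"
  run df -Th /
}

# Only ext2/3/4 can be grown with resize2fs; read the type column first.
# $1 = `df -Th` output, $2 = mount point.
fs_type() { printf '%s\n' "$1" | awk -v mp="$2" '$NF == mp { print $2; exit }'; }

# Constructed `df -Th` output for the offline check (99G before the resize).
SAMPLE_DF='Filesystem                  Type  Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-root ext4   99G   20G   75G  22% /'

if [ "${APPLY:-0}" = 1 ]; then
  [ "$(fs_type "$(df -Th /)" /)" = ext4 ] \
    || { echo "root is not ext4; resize2fs does not apply" >&2; exit 1; }
  resize_lvm
else
  resize_vdi; resize_lvm
fi
```

The host half (`resize_vdi`) is typed on the Windows side and the guest half (`resize_lvm`) inside the VM after the GParted step; keeping both in one script just documents the order.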

Ubuntu server 14.04 + OpenVPN + Android client

We are going to install OpenVPN on Ubuntu Server 14.04 and then use Android to connect to it (so you can bypass the Chinese firewall, for example 😉).

Install OpenVPN

We need to allow IPv4 forwarding so the server can send out packets on the VPN's behalf. Let's nano /etc/sysctl.conf and uncomment this line:

Then sudo sysctl -p to reload the modified conf. Then nano /etc/default/ufw and edit this line:

Finally, nano /etc/ufw/before.rules and edit it like this:

Open the OpenVPN port with ufw allow 1194/udp and restart ufw with service ufw restart.

Create Server Keys

We will use Easy-RSA to generate the server side keys.

Now copy the server keys to the root of the openvpn directory:

Create Client Certificates

These commands will create new files in the easy-rsa/keys directory called client-name.crt and client-name.key.

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client-name.crt
/etc/openvpn/easy-rsa/keys/client-name.key

These 3 files need to be copied to the client, so the client software can use them to make the connection with the server. You can use FileZilla to download them onto the client, for example.

Tweak OpenVPN config

Server side

Copy/extract the default OpenVPN conf file:

nano /etc/openvpn/server.conf and make the following changes:

Change this so all your client traffic passes through the VPN:

Push a specific DNS address to your clients:

Change the following to increase security, so the VPN service runs with restricted privileges:

Specify where OpenVPN should write its log:

Finally:
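The server-side steps from "Install OpenVPN" through "Tweak OpenVPN config", as one added example that is not the post's own configuration. It assumes Ubuntu 14.04's easy-rsa 2.x scripts with KEY_SIZE=2048 in vars (so the DH file is dh2048.pem), the VPN subnet 10.8.0.0/24, eth0 as the outbound interface and the post's "client-name" as the client. The server.conf carries the four changes the post describes (redirect-gateway, pushed DNS, user/group nobody, a log file); tls-auth is an addition on top of them: an HMAC key on every packet, so a host without ta.key cannot even start a TLS handshake with the server.

```shell
#!/bin/sh
# Added example, not the post's own configuration: the server-side pieces of
# an OpenVPN setup on Ubuntu 14.04 with easy-rsa 2.x, covering both the key
# generation section and the server.conf tweaks. Assumptions: VPN subnet
# 10.8.0.0/24, outbound interface eth0, KEY_SIZE=2048 in easy-rsa's vars (so
# the DH file is dh2048.pem), and "client-name" from the post as the client.
# Generated files are printed unless APPLY=1 (as root).
VPN_IF=${VPN_IF:-eth0}
CLIENT=${CLIENT:-client-name}
PORT=${PORT:-1194}
EASYRSA=${EASYRSA:-/etc/openvpn/easy-rsa}

# NAT block for the top of /etc/ufw/before.rules: masquerade VPN clients out
# of eth0, and nothing else.
ufw_nat_rules() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o $VPN_IF -j MASQUERADE
COMMIT
EOF
}

# server.conf: route all client traffic and DNS through the tunnel, drop to
# nobody/nogroup after start (persist-key/persist-tun let restarts work
# without re-reading the key as root), and log to a file of its own.
# tls-auth is an addition to the post's settings.
server_conf() {
  cat <<EOF
port $PORT
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
log-append /var/log/openvpn.log
verb 3
EOF
}

# easy-rsa 2.x (the Ubuntu 14.04 package). Newer releases ship easy-rsa 3,
# whose single `easyrsa` command replaces these scripts.
build_keys() {
  cd "$EASYRSA" && . ./vars && ./clean-all
  ./build-ca                      # CA that signs server and client certs
  ./build-key-server server
  ./build-dh
  ./build-key "$CLIENT"           # writes keys/$CLIENT.crt and keys/$CLIENT.key
  openvpn --genkey --secret keys/ta.key
  cp keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem keys/ta.key /etc/openvpn/
  chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
}

apply() {
  sed -i 's/^#*net.ipv4.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf && sysctl -p
  sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
  if ! grep -q '^\*nat' /etc/ufw/before.rules; then
    { ufw_nat_rules; cat /etc/ufw/before.rules; } > /etc/ufw/before.rules.new \
      && mv /etc/ufw/before.rules.new /etc/ufw/before.rules
  fi
  build_keys
  server_conf > /etc/openvpn/server.conf
  ufw allow "$PORT/udp" && service ufw restart && service openvpn restart
}

if [ "${APPLY:-0}" = 1 ]; then apply; else ufw_nat_rules; server_conf; fi
```

With tls-auth enabled the client needs a fourth file, ta.key, next to the three the post lists, and the line `tls-auth ta.key 1` in its profile; the client key and ta.key should travel over SFTP/SCP only and never by mail.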

Android side

Now on your Android device, download the official OpenVPN client from the F-Droid market (https://f-droid.org/wiki/page/de.blinkt.openvpn), add a profile, and edit the server address in the config (your server IP or FQDN). Give the Android app the path to the 3 files you previously downloaded. And start the connection!


That's it, you can enjoy YouTube & co in China.

Add Full Text Search (FTS) to your Dovecot using Solr 4.10 on Ubuntu 14.04

As explained on the Dovecot wiki, the Dovecot IMAP server supports FTS backends, one of which uses Solr (from the Apache Lucene project).

Now that Java is installed, let’s install Solr (with Jetty web server embedded):

Then you can test your Solr installation; first launch it:

Check if it works by visiting http://YOUR_IP:8983/solr.


When it works, go back into your SSH session and close the window with Ctrl+C. The integrated Jetty server that comes with Solr is configured to bind to port 8983 on all IP addresses by default. This configuration is unsafe: anyone could clear your Solr index! Let's make Jetty listen only on localhost: nano /opt/etc/jetty.xml and add default="127.0.0.1" to:

Save. Next time you want to access the Solr admin, first open an SSH tunnel to your server: ssh -L localhost:8080:127.0.0.1:8983 user@server -N -C, then set Firefox to use a SOCKS 5 proxy through port 8080, and finally type http://localhost:8080/solr in the Firefox address bar.

Jetty (java webserver)

Let’s continue with some Jetty config. Edit nano /etc/default/jetty and add this:

Now nano /opt/solr/etc/jetty-logging.xml  and add:

Then, create the Solr user and grant it permissions:

After that, download the start file and set it to automatically start up:

Finally, try to start Jetty/Solr again the new way: sudo service jetty start, and try to access the admin panel. Nice!
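An added example, not part of the original post, for the loopback binding above: it checks from `ss -ltn` (or `netstat -ltn`) output that every listener on 8983 is bound to 127.0.0.1 or ::1, applies the jetty.xml change with sed, and opens the tunnel. It assumes jetty.xml sits at /opt/solr/etc/jetty.xml (next to the jetty-logging.xml the post edits) with the stock Solr 4.10 jetty.host line; the `ss` samples are constructed. One practical note on the tunnel: `ssh -L` is a plain TCP forward, so once it is up the browser opens http://localhost:8080/solr directly and needs no proxy setting at all; a SOCKS proxy is what `ssh -D` provides.

```shell
#!/bin/sh
# Added example, not part of the original post: check that Jetty/Solr listens
# on the loopback address only, apply the jetty.xml change, and open the SSH
# tunnel to the admin UI. Assumptions: Solr on port 8983, jetty.xml at
# /opt/solr/etc/jetty.xml with the stock Solr 4.10 jetty.host line, and
# `ss -ltn` from iproute2 (netstat -ltn output is accepted too).
SOLR_PORT=${SOLR_PORT:-8983}
JETTY_XML=${JETTY_XML:-/opt/solr/etc/jetty.xml}

# Constructed `ss -ltn` output: before the change (all addresses) and after.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     *:8983             *:*
LISTEN 0      128    *:22               *:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:8983     *:*
LISTEN 0      128    *:22               *:*'

# 0 when every LISTEN socket on port $1 is bound to 127.0.0.1 or [::1].
# Reads `ss -ltn` (State first) or `netstat -ltn` (State last) on stdin.
loopback_only() {
  awk -v p="$1" '
    $1 == "LISTEN" || $NF == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
      if (port == p) { found = 1; if (addr != "127.0.0.1" && addr != "[::1]") bad = 1 }
    }
    END { if (found && !bad) exit 0; exit 1 }'
}

# Audit the live system: a non-loopback binding means anyone on the network
# could query or clear the index.
check_live() {
  if ss -ltn 2>/dev/null | loopback_only "$SOLR_PORT"; then
    echo "solr: loopback only"
  else
    echo "solr: port $SOLR_PORT exposed or not listening" >&2; return 1
  fi
}

# Set default="127.0.0.1" on the jetty.host property, as the post describes.
bind_loopback() {
  sed -i 's|<SystemProperty name="jetty.host" */>|<SystemProperty name="jetty.host" default="127.0.0.1"/>|' "$JETTY_XML"
}

# Local port forward to the admin UI: afterwards the browser opens
# http://localhost:8080/solr directly (no proxy; -D would be the SOCKS form).
tunnel() { ssh -N -C -L 8080:127.0.0.1:"$SOLR_PORT" "$1"; }

if [ "${APPLY:-0}" = 1 ]; then bind_loopback && service jetty restart && check_live; fi
```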

Solr 4.10

Now let’s configure Solr. We’ll rename the default “Schema” and download a new one that is customized for Dovecot.

That's one thing done. Now, as I store my email in an encrypted (ecryptfs) Private folder, I also want my Solr index to be encrypted, right? So let's symlink the data folder into my encrypted Private folder: ln -s /home/user/Private/mail/solr/data /opt/solr/solr/collection1/data, and be sure to chown solr:solr the new folders properly.

Dovecot 2.2

Now let's configure Dovecot. First, the wiki page mentions some prerequisites, so let's install them (they may already be installed):

Then let's enable Solr in the Dovecot config: nano /etc/dovecot/conf.d/10-mail.conf and find/add the line mail_plugins = fts fts_solr. Then set the plugin settings: nano /etc/dovecot/conf.d/90-plugins and add/edit/replace with

break-imap-search: use Solr also for indexing TEXT and BODY searches. This makes your server non-IMAP-compliant. (This is always enabled in v2.1+.) It's a good thing.

Now we need to recompile Dovecot, as for me, on a fresh Ubuntu 14.04, my Dovecot didn't have Solr support! But it's very simple, so don't be scared (it will take around 10 to 15 minutes on a low-end server):

After having reinstalled Dovecot with Solr support, you can verify that your Dovecot conf directory and version are still the same as before:

Rock it!

Restart everything,

and try the new Solr search by logging into your IMAP server with a1 login user@server password and searching with a3 SEARCH text "test"; see below for the full process:

Yeah! 0,002 secs instead of 117,98 secs. Now you can log in to Roundcube or open Thunderbird, and start leveraging the FTS to data-mine your mails.

Because the Solr index needs to be optimized, and Dovecot doesn't tell Solr to do it, you should add a cron job (crontab -e) with these commands:

If you want to index your mailbox again (for whatever reason), use the command doveadm fts rescan -u <username>, then log into the Dovecot server and do a search (as above). It will start indexing the mailbox.
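The Dovecot side (plugin settings, the cron job, re-indexing) as one added example; these are not the post's own files. It assumes Solr bound to 127.0.0.1:8983 as in the Jetty section, Dovecot 2.2.9 or newer with the conf.d layout, and a constructed file name 90-fts-solr.conf. Two things go beyond the post: fts_autoindex, which indexes mail on delivery instead of on the first search, and a check of `doveconf -n` (constructed sample) that the plugin really is active before the service is restarted.

```shell
#!/bin/sh
# Added example, not the post's own files: the Dovecot side of fts_solr, the
# Solr maintenance cron jobs, and a re-index helper. Assumptions: Solr bound to
# 127.0.0.1:8983 (the Jetty change above), Dovecot 2.2.9 or newer (Ubuntu
# 14.04) with conf.d, and a constructed file name 90-fts-solr.conf.
SOLR_URL=${SOLR_URL:-http://127.0.0.1:8983/solr/}
CONF=${CONF:-/etc/dovecot/conf.d/90-fts-solr.conf}

# Plugin settings. fts_autoindex indexes mail at delivery time instead of on
# the first search, so nobody waits through the unindexed 117-second search.
dovecot_fts_conf() {
  cat <<EOF
mail_plugins = \$mail_plugins fts fts_solr

plugin {
  fts = solr
  fts_autoindex = yes
  fts_solr = url=$SOLR_URL
}
EOF
}

# Crontab lines: Dovecot never asks Solr to commit or optimize, so do both
# here: commit hourly so new mail becomes searchable, optimize nightly.
solr_cron() {
  cat <<EOF
0 * * * * curl -s "${SOLR_URL}update?commit=true" >/dev/null
0 3 * * * curl -s "${SOLR_URL}update?optimize=true" >/dev/null
EOF
}

# 0 when `doveconf -n` output (stdin) shows the plugin loaded and selected.
fts_enabled() {
  awk '/fts_solr/ { a = 1 } /fts = solr/ { b = 1 } END { if (a && b) exit 0; exit 1 }'
}

# Constructed `doveconf -n` excerpt for the offline check.
SAMPLE_DOVECONF='mail_plugins = fts fts_solr
plugin {
  fts = solr
  fts_solr = url=http://127.0.0.1:8983/solr/
}'

# Rebuild one user's index without waiting for an IMAP search to trigger it.
reindex() { doveadm fts rescan -u "$1" && doveadm index -u "$1" '*'; }

apply() {
  dovecot_fts_conf > "$CONF"
  doveconf -n | fts_enabled || { echo "fts_solr not active in doveconf -n" >&2; exit 1; }
  { crontab -l 2>/dev/null; solr_cron; } | crontab -
  service dovecot restart
}

if [ "${APPLY:-0}" = 1 ]; then apply; else dovecot_fts_conf; solr_cron; fi
```

`reindex user@server` is the scripted form of the rescan-then-search step in the post; `doveadm index` walks every mailbox itself, so no IMAP login is needed.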

Note: Thunderbird builds its own local index; if you want to send an IMAP search to Dovecot (which will search using Solr), open the search box with Ctrl+Shift+F.

Thanks

This article was inspired by Extremshok and DigitalOcean. All the mail configuration was done by mailinabox. Thanks to them.

iRedMail can also be used to set up the mail server automagically.


Debugging the iRedmail stack

iRedMail is a script that takes care of all the configuration of a mail server. That's a lot less trouble for the admin, as it's really automagical! But recently, after upgrading Ubuntu Server 12.04 to 14.04, I couldn't send/receive my mails anymore.

And as every time, I completely forgot where the proper logs to consult are, which programs were installed by iRedMail, etc. Here is a post to simplify this the next time I have a problem:

iRedMail Debugging

If you are not able to send/receive mails, first try to connect to the IMAP server (Dovecot) using K-9 Mail or Roundcube. (Dovecot log: /etc/log/dovecot.log)

If the login is OK, try sending a mail, and look at /etc/log/mail.log and /etc/log/mail.err.

If you see connect to 127.0.0.1[127.0.0.1]:10024: Connection refused, then it means that Amavis is not running (port 10024). Try restarting it with /etc/init.d/amavis restart and check that it is running with netstat -tap | grep amavisd. If not, it could be that your server does not have enough RAM (iRedMail needs 1 GB minimum). In such a case you can still run the mail server, but you'll have to disable Amavis/ClamAV/SpamAssassin.

If your server has 1 GB, then you should run Amavis in debug mode using /etc/init.d/amavis debug and look at the output.

In my case, a folder in /var/lib/amavis didn't have the appropriate rights and the Amavis daemon couldn't write inside it (see the debug output below):

So I just ran chown -R amavis: /var/lib/amavis/virusmails and restarted my server (thanks to ZhangHuangBin). It works great now! Below is a summary of the whole iRedMail stack:
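The diagnosis path above, turned into a health check as an added example (not from the original post): count the "Connection refused" lines towards the content-filter port in the mail log, see whether anything listens on 10024, compare the RAM against the 1 GB minimum, and test the Amavis directories for writability as the amavis user, which is the check that would have caught the virusmails permission problem before mail started bouncing. It assumes Ubuntu paths, the amavis user name, and `ss` from iproute2; the mail.log excerpt is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a health check that walks the
# post's diagnosis path (refused connections in the mail log, is Amavis
# listening on 10024, enough RAM, can the amavis user write its directories).
# Assumes Ubuntu paths and `ss`; the log excerpt below is constructed.
AMAVIS_PORT=${AMAVIS_PORT:-10024}
AMAVIS_DIR=${AMAVIS_DIR:-/var/lib/amavis}
MAIL_LOG=${MAIL_LOG:-/var/log/mail.log}

# Constructed mail.log excerpt: Postfix failing to hand a message to Amavis.
SAMPLE_LOG='Nov  5 10:01:02 mail postfix/smtp[1234]: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused
Nov  5 10:01:02 mail postfix/smtp[1234]: 3A2B1C: to=<u@example.org>, relay=none, delay=0.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Nov  5 10:02:10 mail dovecot: imap-login: Login: user=<u@example.org>, method=PLAIN, rip=127.0.0.1'

# Print how many lines on stdin report a refused connection to port $1.
refused_count() { grep -c "127.0.0.1\]:$1: Connection refused" || true; }

# 0 when something listens on TCP port $1 (parses `ss -ltn`).
amavis_listening() {
  ss -ltn 2>/dev/null | awk -v p="$1" '
    $1 == "LISTEN" { a = $4; sub(/.*:/, "", a); if (a == p) f = 1 }
    END { if (f) exit 0; exit 1 }'
}

# Run the same access test the daemon would: as user $1, is $2 writable?
dir_writable_by() { su -s /bin/sh -c "test -w '$2'" "$1"; }

ram_mb() { awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo; }

check() {
  n=$(refused_count "$AMAVIS_PORT" < "$MAIL_LOG")
  [ "$n" -gt 0 ] && echo "mail.log: $n refused connections to :$AMAVIS_PORT"
  if amavis_listening "$AMAVIS_PORT"; then
    echo "amavis: listening on $AMAVIS_PORT"
  else
    echo "amavis: NOT listening on $AMAVIS_PORT (try /etc/init.d/amavis debug)"
    [ "$(ram_mb)" -lt 1024 ] && echo "only $(ram_mb) MB RAM: iRedMail wants at least 1 GB"
  fi
  for d in "$AMAVIS_DIR" "$AMAVIS_DIR/virusmails" "$AMAVIS_DIR/tmp"; do
    [ -d "$d" ] || continue
    dir_writable_by amavis "$d" || echo "$d not writable by amavis: chown -R amavis: $d"
  done
  return 0
}

if [ "${APPLY:-0}" = 1 ]; then check; fi
```

Run as root (`sudo APPLY=1 sh amavis-check.sh`): `su` and the /var/lib/amavis tests need it. Every finding comes with the command the post used to fix it, so the output reads as a to-do list.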

The iRedMail stack

Details of the iRedMail installation, with conf files, logs, RC start scripts, etc.

SSL cert keys (size: 2048):
– /etc/ssl/certs/iRedMail_CA.pem
– /etc/ssl/private/iRedMail.key

Mail Storage:
– Root directory: /var/vmail
– Mailboxes: /var/vmail/vmail1
– Backup scripts and copies: /var/vmail/backup

PHP:
* Configuration file: /etc/php5/apache2/php.ini
* Disabled functions: show_source,system,shell_exec,passthru,exec,phpinfo,proc_open

OpenLDAP:
* Configuration files:
– /etc/ldap
– /etc/ldap/slapd.conf
– /etc/ldap/ldap.conf
– /etc/ldap/schema/iredmail.schema
* Log file related:
– /etc/rsyslog.d/iredmail.conf
– /var/log/openldap.log
– /etc/logrotate.d/openldap
* Data dir and files:
– /var/lib/ldap
– /var/lib/ldap/vbonhomme.fr
– /var/lib/ldap/vbonhomme.fr/DB_CONFIG
* RC script:
– /etc/init.d/slapd
* See also:
– /root/iRedMail-0.8.6/conf/ldap_init.ldif

Postfix (basic):
* Configuration files:
– /etc/postfix
– /etc/postfix/aliases
– /etc/postfix/main.cf
– /etc/postfix/master.cf

Postfix (LDAP):
* Configuration files:
– /etc/postfix/ldap/virtual_mailbox_domains.cf
– /etc/postfix/ldap/relay_domains.cf
– /etc/postfix/ldap/transport_maps_domain.cf
– /etc/postfix/ldap/transport_maps_user.cf
– /etc/postfix/ldap/virtual_mailbox_maps.cf
– /etc/postfix/ldap/sender_login_maps.cf
– /etc/postfix/ldap/virtual_alias_maps.cf
– /etc/postfix/ldap/virtual_group_maps.cf
– /etc/postfix/ldap/virtual_group_members_maps.cf
– /etc/postfix/ldap/catchall_maps.cf
– /etc/postfix/ldap/recipient_bcc_maps_domain.cf
– /etc/postfix/ldap/recipient_bcc_maps_user.cf
– /etc/postfix/ldap/sender_bcc_maps_domain.cf
– /etc/postfix/ldap/sender_bcc_maps_user.cf

Policyd (cluebringer):
* Web UI:
– URL: httpS://xxxxxxxxxxx/cluebringer/
– Username: xxxxxXXXXX
– Password: xxxxxXXXXX
* Configuration files:
– /etc/cluebringer/cluebringer.conf
– /etc/cluebringer/cluebringer-webui.conf
* RC script:
– /etc/init.d/postfix-cluebringer
* Database:
– Database name: cluebringer
– Database user: cluebringer
– Database password: xxxxxxXXXXXXXX

* Log file:
– /etc/rsyslog.d/iredmail.conf

Dovecot:
* Configuration files:
– /etc/dovecot/dovecot.conf
– /etc/dovecot/dovecot-ldap.conf (For OpenLDAP backend)
– /etc/dovecot/dovecot-mysql.conf (For MySQL backend)
– /etc/dovecot/dovecot-pgsql.conf (For PostgreSQL backend)
– /etc/dovecot/dovecot-used-quota.conf (For real-time quota usage)
– /etc/dovecot/dovecot-share-folder.conf (For IMAP sharing folder)
* RC script: /etc/init.d/dovecot
* Log files:
– /var/log/dovecot.log
– /var/log/sieve.log
* See also:
– /var/vmail/sieve/dovecot.sieve
– Logrotate config file: /etc/logrotate.d/dovecot

ClamAV:
* Configuration files:
– /etc/clamav/clamd.conf
– /etc/clamav/freshclam.conf
– /etc/logrotate.d/clamav
* RC scripts:
+ /etc/init.d/clamav-daemon
+ /etc/init.d/clamav-freshclam
* Log files:
– /var/log/clamav/clamd.log
– /var/log/clamav/freshclam.log

Amavisd-new:
* Configuration files:
– /etc/amavis/conf.d/50-user
– /etc/postfix/master.cf
– /etc/postfix/main.cf
* RC script:
– /etc/init.d/amavis
* MySQL Database:
– Database name: amavisd
– Database user: amavisd
– Database password: xxxxxxXXXXXX

SpamAssassin:
* Configuration files and rules:
– /etc/mail/spamassassin
– /etc/mail/spamassassin/local.cf

iRedAPD – Postfix Policy Daemon:
* Version: 1.4.2
* Listen address: 127.0.0.1, port: 7777
* Related files:
– /opt/iRedAPD-1.4.2/
– /opt/iredapd/
– /opt/iredapd/etc/settings.py

iRedAdmin – official web-based admin panel:
* Version: 0.3
* Configuration files:
– /usr/share/apache2/iRedAdmin-0.3/
– /usr/share/apache2/iRedAdmin-0.3/settings.py*
* URL:
– https://xxxxxxxxxxx/iredadmin/
* Login account:
– Username: xxxxxxxxxxx, password: xxxxxxxxxxxx
* SQL database account:
– Database name: iredadmin
– Username: iredadmin
– Password: xxxxxxxxxxxxxxxxxxx
* Settings:
– /usr/share/apache2/iRedAdmin-0.3/settings.py
* See also:
– /etc/apache2/conf.d/iredadmin.conf

Roundcube webmail:
* Configuration files:
– /usr/share/apache2/roundcubemail-0.9.5/
– /usr/share/apache2/roundcubemail-0.9.5/config/
* URL:
– http://xxxxxxxxxxxxx/mail/
– https://xxxxxxxxxxxx/mail/ (Over SSL/TLS)
– http://xxxxxxxxxxxxx/webmail/
– https://xxxxxxxxxxxxx/webmail/ (Over SSL/TLS)
* See also:
– /etc/apache2/conf.d/roundcubemail.conf

phpLDAPadmin:
* Configuration files:
– /usr/share/phpldapadmin/config/config.php
* See also:
– /etc/apache2/conf.d/phpldapadmin.conf


Hope it will be helpful to you.

Move your mails from one IMAP server to another using IMAPSYNC

I lived for almost 5 years with a @gmail address, and I was happy with that. But recently, personal concerns about privacy convinced me to switch to a self-run mail server (easy to install thanks to iRedMail, the Maildir being stored in an ecryptfs container). It works perfectly, but I was still frequently logging back into my Gmail account to search my mail history. So I decided to move all my @gmail mails to my email server… and fortunately IMAPSYNC comes in handy for this task. Here are the few steps I had to follow to ensure a successful migration:

Install dependencies

Download the source code from git

In your /root directory for example:

Then cd into the imapsync directory and try to compile.

The compile should fail… it's normal, Perl is still missing some dependencies:

Then run the following command to be sure that all the needed dependencies are installed; if so, the output will be empty:

Then sudo make install again, and confirm the installation went smoothly by checking the version of imapsync: imapsync -version.

Migrate your emails

Now it’s time to move your email from Gmail to your self-run IMAP server.

New mail account

I personally decided to create a new mailbox on my mail server specifically to store all my Gmail mails. So I had to create this new mailbox, which is a very simple process thanks to the iRedAdmin web interface bundled in iRedMail.

Tweak some Gmail settings

Gmail runs on top of an IMAP server, but it has its own way to classify mails, beginning with the folders. You can go into the settings of your Gmail account and disable some "custom Gmail folders" if you don't want them to be copied by imapsync during the migration.

Note: you can actually tell imapsync to map a specific Gmail IMAP folder to another folder on your new IMAP server, as well as tell it not to copy some folders, which lets you avoid the step below. Refer to this post to see the script.


I also deleted all my Gmail labels because the "tag" concept doesn't exist in IMAP, so I suspected imapsync might try to convert them into folders (but maybe not!). Anyway, I never really used these labels.

My IMAP server installed by iRedMail is Dovecot (which is supported by IMAPSYNC). All right, here is the final single command that worked for me (omit --dry --justfolders if you want to start the migration for real):

If you want to know more about each statement purpose, refer to this article.

I only had one small problem: as I didn't use the command to map folders together, it created a [GMAIL]/[SENT] folder on my new IMAP server. I used Thunderbird with drag and drop to move the mails into the usual Sent folder of my IMAP server. But next time, I will add this to the command to map the Google directories onto the Dovecot layout:
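An added imapsync wrapper covering both the final command and the folder mapping the post wishes it had used; it is not the post's exact command line. Two choices go beyond the post: the passwords come from files via --passfile1/--passfile2 (a password on the command line is visible to every user in `ps` and ends up in the shell history), and the wrapper refuses to run unless those files are mode 600. The addresses and host are placeholders, Gmail's "All Mail" (a duplicate of every message) is excluded, and the destination folder names Sent, Drafts, Trash and Junk are assumed; the dry run is the default, exactly as the post recommends.

```shell
#!/bin/sh
# Added example, not the post's exact command line: an imapsync wrapper that
# keeps both passwords out of the command line via --passfile, maps Gmail's
# special folders onto the Dovecot layout, skips "[Gmail]/All Mail", and
# runs dry by default. Assumptions: the addresses and host are placeholders,
# the password files live under ~/.imapsync with mode 600, and the
# destination folders are named Sent, Drafts, Trash and Junk.
GMAIL_USER=${GMAIL_USER:-you@gmail.com}
DEST_HOST=${DEST_HOST:-mail.example.org}
DEST_USER=${DEST_USER:-archive@example.org}
PASS1=${PASS1:-$HOME/.imapsync/gmail.pass}
PASS2=${PASS2:-$HOME/.imapsync/dest.pass}

# A password file is acceptable only if it exists and nobody else can read it.
passfile_ok() { [ -f "$1" ] && [ "$(stat -c %a "$1")" = 600 ]; }

# Build the argument list; $1 = "real" copies mail, anything else is a dry run
# that only lists the folders it would create. With APPLY=1 imapsync runs,
# otherwise the arguments are printed one per line for review.
# The [/.] in the patterns covers both Gmail's "/" and Dovecot's "." separator,
# whichever imapsync has applied by the time --regextrans2 runs.
run_imapsync() {
  mode=$1
  set -- --host1 imap.gmail.com --ssl1 --user1 "$GMAIL_USER" --passfile1 "$PASS1" \
         --host2 "$DEST_HOST" --ssl2 --user2 "$DEST_USER" --passfile2 "$PASS2" \
         --exclude '^\[Gmail\][/.]All Mail$' \
         --exclude '^\[Gmail\][/.]Important$' \
         --exclude '^\[Gmail\][/.]Starred$' \
         --regextrans2 's,^\[Gmail\][/.]Sent Mail$,Sent,' \
         --regextrans2 's,^\[Gmail\][/.]Drafts$,Drafts,' \
         --regextrans2 's,^\[Gmail\][/.]Trash$,Trash,' \
         --regextrans2 's,^\[Gmail\][/.]Spam$,Junk,' \
         --useheader Message-ID --syncinternaldates
  [ "$mode" = real ] || set -- "$@" --dry --justfolders
  if [ "${APPLY:-0}" = 1 ]; then
    passfile_ok "$PASS1" && passfile_ok "$PASS2" \
      || { echo "password files must exist with mode 600" >&2; return 1; }
    imapsync "$@"
  else
    printf '%s\n' "$@"
  fi
}

if [ "${APPLY:-0}" = 1 ]; then run_imapsync "${1:-dry}"; fi
```

`sh gmail-sync.sh` prints the argument list, `APPLY=1 sh gmail-sync.sh` does the dry run, and `APPLY=1 sh gmail-sync.sh real` copies the 28 000+ messages; --useheader Message-ID lets a second run skip what already arrived.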

So I successfully moved 28 000+ emails to my new IMAP server! 😉

Cisco router basic command and config

Show the hardware + software specifications of the router:  show version

Show the current global configuration:  show running-config

NAT

Enter config mode with configure terminal, and only then add a static NAT rule: ip nat inside source static tcp <inside_local_ip> <port> <outside_global_ip> <port>

If you want to remove this NAT rule, run the same command but add no at the beginning (in config mode as well!).

Refer to this article for more details.

Note: there are two main copies of the Cisco router configuration file. The file where the router stores configuration changes while it is up and running is called the "running-config". The "running-config" is NOT persistent (it is stored in RAM), which means that changes made to the "running-config" while the router is running are not retained after a reboot. To make them persist after a reboot, we need to save them into the "startup-config" file using this command:

copy running-config startup-config 

Show interface

The show interface command displays the status of the router's interfaces. For a summary we can use show ip interface brief.

SECURITY

Disable HTTP access to the Cisco router:

Setup Nginx + Passenger + RVM (ruby and rails) + Redmine 2.5

Recently I had to move a Redmine instance to a new server (Ubuntu 14.04). When I was lost in the process, overwhelmed by some ruby, bundler and rake commands, I swore to myself that I would write down all the steps once I succeeded. Here we are:

RVM

RVM is a program that lets you install a precise version of Ruby (the one required by Redmine, for example) and then lets you partition all Ruby gems into a specific folder (as, once again, Redmine requires a precise version of each gem).

Run this as a regular user in your home folder:

This installs RVM in one command. Then, you have to source it to use it:

Then install Ruby 2.0.0 as required by Redmine:

If you install multiple versions of Ruby, use rvm use ruby_version to switch the version of Ruby you want to work with. Then we will create a specific folder called a gemset to store Redmine's gems and switch RVM's focus to this folder:

You will have something similar to this  .rvm/gems/ruby-2.0.0-p481@redmine2.5/gems/

Note: running rvm ruby_version@gemset_name as your regular user before installing any gem (using gem install or bundle install) is very important. Moreover, you shouldn't run the command from Byobu/Screen, or you will get an error like "rvm is not a function".

REDMINE 2.5

Prior to the Redmine install, you can install these programs as you will need them (some headers are required for the gem compilation below):

I recommend following the official guide for the installation. The point is to give rights on the Redmine2.5 folder to the user that Passenger uses to run your app. You can check which user runs your app using ps aux | grep -i passenger; it should be the user who installed RVM. Then apply the proper rights:

And then be sure to have selected the right version of Ruby and the right gemset, and to be in the Redmine2.5 folder, before running these commands:


First let's install a version of Nginx compiled with Passenger, using the official guide of the Passenger project.

Passenger helps Nginx handle Ruby code. We need to tell Nginx which version of Ruby to use when running the app.

Run this command, /usr/bin/passenger-config --root, and copy its result into the file /etc/nginx/nginx.conf. It should look something like passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;. Then from your gemset dir run passenger-config --ruby-command, which will tell you where the wrapper for the correct version of Ruby that you want Nginx+Passenger to use is! According to this, edit your nginx vhost and add the line:

So you can run a different version of Ruby and a different gemset for every app, using a different passenger_ruby line in each nginx vhost. That's the trick!
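The vhost step and the "give rights to the Passenger user" step as one added example, not the post's own vhost: it reads the wrapper path out of `passenger-config --ruby-command` (the sample output is constructed in the shape of that command's output), writes the nginx server block with passenger_ruby pointing at it, and before reloading checks that the Redmine tree belongs to the app user and that the wrapper, which nginx will execute as that user, is not writable by others. The paths /home/deploy/redmine2.5, the user "deploy" and the name redmine.example.org are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own vhost: build the nginx server block for a
# Redmine app run by Passenger, with passenger_ruby taken from the output of
# `passenger-config --ruby-command`, and check ownership and permissions
# before reloading. Assumptions (placeholders): Redmine in
# /home/deploy/redmine2.5, the app user "deploy" (the user who installed RVM)
# and the site name redmine.example.org.
APP_DIR=${APP_DIR:-/home/deploy/redmine2.5}
APP_USER=${APP_USER:-deploy}
SERVER_NAME=${SERVER_NAME:-redmine.example.org}
VHOST=${VHOST:-/etc/nginx/sites-available/redmine}

# Constructed sample in the shape of `passenger-config --ruby-command` output.
SAMPLE_RUBY_CMD='passenger-config was invoked through the following Ruby interpreter:
  Command: /home/deploy/.rvm/gems/ruby-2.0.0-p481@redmine2.5/wrappers/ruby
  Version: ruby 2.0.0p481 (2014-05-08 revision 45883) [x86_64-linux]
  To use in Apache: PassengerRuby /home/deploy/.rvm/gems/ruby-2.0.0-p481@redmine2.5/wrappers/ruby
  To use in Nginx : passenger_ruby /home/deploy/.rvm/gems/ruby-2.0.0-p481@redmine2.5/wrappers/ruby'

# Print the wrapper path (last field of the passenger_ruby line) from stdin.
ruby_wrapper() { awk '/passenger_ruby/ { print $NF; exit }'; }

# The vhost. passenger_user pins the app to APP_USER instead of the owner of
# config.ru, so a stray chown cannot silently run Redmine as another account.
nginx_vhost() {   # $1 = ruby wrapper path
  cat <<EOF
server {
    listen 80;
    server_name $SERVER_NAME;
    root $APP_DIR/public;
    passenger_enabled on;
    passenger_ruby $1;
    passenger_user $APP_USER;
    client_max_body_size 20m;
}
EOF
}

# $1 = app dir, $2 = user, $3 = wrapper. The tree must belong to the user
# Passenger runs the app as, and the wrapper (executed as that user) must not
# be writable by others.
check_perms() {
  [ "$(stat -c %U "$1")" = "$2" ] || { echo "$1 is not owned by $2" >&2; return 1; }
  case "$(stat -c %a "$3")" in
    *[2367]) echo "$3 is world-writable" >&2; return 1 ;;
  esac
  return 0
}

apply() {
  wrapper=$(passenger-config --ruby-command | ruby_wrapper)
  chown -R "$APP_USER": "$APP_DIR"
  check_perms "$APP_DIR" "$APP_USER" "$wrapper" || exit 1
  nginx_vhost "$wrapper" > "$VHOST"
  ln -sf "$VHOST" /etc/nginx/sites-enabled/redmine
  nginx -t && service nginx reload
}

if [ "${APPLY:-0}" = 1 ]; then apply; else
  nginx_vhost "$(printf '%s\n' "$SAMPLE_RUBY_CMD" | ruby_wrapper)"
fi
```

`passenger-config --ruby-command` must be run from the gemset, as the post says, or the wrapper it reports belongs to the wrong Ruby; the script only parses what the command prints.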

BONUS PROXY

If, when running gem or bundler, the gem server is unreachable because you are behind a proxy (or in China :), then you should tell your bash to go through a proxy using this command:

BONUS LDAP Active Directory

Maybe you want to authenticate your Redmine users against your company's AD LDAP (Windows Server… boo). Then I advise you to first discover the LDAP server architecture using an LDAP browser from Linux or Windows, and maybe set up a user that has read access on the LDAP schema, as Redmine needs one. Here is the official documentation to set up LDAP authentication.

And here is my config:

Enjoy 😉

Ubuntu 12.04 + nginx + passenger + SPDY

SPDY is an improvement on HTTP and will soon become HTTP 2.0. Most of the major browsers support SPDY, so if you enable it on your web server, you will save a hundred milliseconds for your visitors (and for yourself). It cannot hurt, right?

But here is the problem: Nginx does not support loadable modules, which means that you have to add the SPDY option when compiling it. I personally don't like compiling stuff on my small VPS, and I always miss some dependencies. And last, the Nginx you get from apt-get install nginx on Ubuntu 12.04 has Passenger support, but not SPDY.

So the cool guys at Phusion provide us an alternative: a downloadable Nginx binary with Passenger and SPDY already included. Everything is explained on this page.

The idea is to copy their binary over the apt-get-provided nginx binary. And every time apt-get wants to upgrade your nginx, copy it over again.
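An added example of the binary swap, not Phusion's own instructions, with two things a practitioner would want around it: the downloaded archive is checked against a published SHA-256 before anything is extracted, the extracted binary is checked via `nginx -V` for both the SPDY module and Passenger before it replaces anything, and `dpkg-divert` tells dpkg to keep its own copy at /usr/sbin/nginx.distrib on every upgrade instead of overwriting ours, which removes the "copy it over again" chore. ARCHIVE and EXPECTED_SHA256 are placeholders for the download and its published digest; the `nginx -V` sample is constructed.

```shell
#!/bin/sh
# Added example, not Phusion's own instructions: replace the packaged nginx
# binary with a downloaded build in a way that survives apt upgrades and
# verifies what is being installed first. Assumptions: ARCHIVE is the
# downloaded tarball and EXPECTED_SHA256 the digest published next to it
# (both placeholders), the tarball contains an `nginx` binary, and the
# package's binary is /usr/sbin/nginx. Run as root with APPLY=1.
ARCHIVE=${ARCHIVE:-/tmp/nginx-passenger-spdy.tar.gz}
EXPECTED_SHA256=${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}
NEW_BIN=${NEW_BIN:-/tmp/nginx-passenger-spdy/nginx}
PKG_BIN=${PKG_BIN:-/usr/sbin/nginx}

# 0 only when the file's SHA-256 equals the expected digest.
sha256_matches() { [ "$(sha256sum "$1" | awk '{ print $1 }')" = "$2" ]; }

# 0 when `nginx -V` output (stdin) shows both SPDY and Passenger compiled in.
has_spdy_and_passenger() {
  awk '/--with-http_spdy_module/ { s = 1 } /passenger/ { p = 1 }
       END { if (s && p) exit 0; exit 1 }'
}

# Constructed `nginx -V` output (it goes to stderr, hence 2>&1 below).
SAMPLE_NGINX_V='nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_spdy_module --add-module=/tmp/passenger/ext/nginx'

apply() {
  sha256_matches "$ARCHIVE" "$EXPECTED_SHA256" \
    || { echo "checksum mismatch: not installing" >&2; exit 1; }
  tar -xzf "$ARCHIVE" -C /tmp
  "$NEW_BIN" -V 2>&1 | has_spdy_and_passenger \
    || { echo "binary lacks spdy or passenger" >&2; exit 1; }
  # dpkg-divert makes dpkg keep its own copy at nginx.distrib on every
  # upgrade and leave ours in place, instead of copying over again by hand.
  dpkg-divert --add --rename --divert "$PKG_BIN.distrib" "$PKG_BIN"
  install -o root -g root -m 0755 "$NEW_BIN" "$PKG_BIN"
  nginx -t && service nginx restart
}

if [ "${APPLY:-0}" = 1 ]; then apply; fi
```

To go back to the packaged binary later: `dpkg-divert --remove --rename /usr/sbin/nginx` restores the diverted copy.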

That simple, and then you can say that your blog is "SPDY READY"!