Astaro Site to Site VPN with DD-WRT

So, I received my Astaro Security Gateway 220 last week and this morning I decided to get it hooked up and configured. The most important piece of configuration is linking it to my second site. Soon I’ll have two Astaros, but right now the other site still has a Linksys router with DD-WRT v24 installed. First things first: DD-WRT does NOT support IPsec, so forget about it. In this post I’ll show you how to configure the Astaro as an OpenVPN server and the DD-WRT as a client.

Step 1

Log into the Astaro and click on Site-to-site VPN.

Choose SSL from the drop-down. You will be presented with the Connections tab. Click New SSL connection.

Connection Type: Server

Connection Name: Site B

Local Networks: Internal (Network)

Click the plus sign next to Remote Networks and fill it in according to your remote network.

Save that and then make sure you leave Automatic packet filter rules checked. Then click Save.

Next, click Settings. Your settings should look like this:

Save any changes and then click Advanced.

Now I’m sure the encryption and authentication can be changed – but for the sake of this article this is how I’m going to configure it.

I’ve enabled debug mode for now so we can see what’s going on. Apply those settings and then click back on Connections.

Now you want to download the configuration file – unencrypted – and open it in notepad++ or something similar.

Inside that file you should see two certificates and one RSA private key. The first cert in the file is the public client cert, the second is the CA cert, and the RSA private key at the end is the private client key.

Open up your DD-WRT router (hopefully at this point you have remote access to a computer on the remote network).

Copy and paste those values into the corresponding inputs on the DD-WRT (under Services, VPN, OpenVPN Client), then save and apply.

Next inside the asg.apc file you downloaded – at the very end you should see something like this:

The first highlighted value is the username; the second is the password. We need to use these in a startup script. On the DD-WRT, click Administration and then Commands.

# DD-WRT startup script: wait for the router to finish booting, write the
# OpenVPN client credentials and config, then (re)start the OpenVPN client.
sleep 30
# username on the first line, password on the second (the two values from the end of asg.apc)
echo "REF_uClaMWVnny
REF_VMHOQOXAGW0000ref_vmhoqoxagw" > /tmp/openvpncl/user.conf
sleep 10
# client config matching the Astaro SSL VPN server settings used in this post;
# cipher/auth/compression mirror the Astaro Advanced tab (BF-CBC is a 64-bit
# block cipher that current OpenVPN releases no longer enable by default, so
# expect to revisit this when either end is upgraded)
echo "client
dev tun
proto udp
hand-window 30
port 1195
remote REMOTE SERVER
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
cipher BF-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
auth-user-pass /tmp/openvpncl/user.conf" > /tmp/openvpncl/vpn.conf
# restart OpenVPN with the generated config; the cert and key paths are where
# DD-WRT stores the values pasted into the OpenVPN Client page
( sleep 10 ; killall openvpn ; /usr/sbin/openvpn --config /tmp/openvpncl/vpn.conf --auth-user-pass /tmp/openvpncl/user.conf --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon ) &

Make sure you use YOUR username and password; also replace REMOTE SERVER with the Astaro gateway’s IP.

Reboot the DD-WRT and you should be good to go.
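Copying the certificate and key blocks out of the downloaded file by hand is error-prone, so here is an added helper (example code, not from the post, Astaro or DD-WRT) that splits them into the ca.crt, client.crt and client.key files the startup script expects. It assumes the layout the post describes (client cert first, CA cert second, one RSA private key) and that the unencrypted file has been copied to the router; the sample writer embeds constructed dummy PEM bodies for offline testing.

```shell
#!/bin/sh
# Added example (not from the post): split the PEM blocks out of the
# unencrypted SSL VPN config downloaded from the Astaro into the three
# files the DD-WRT startup script references. Assumes, as the post says,
# two CERTIFICATE blocks (client cert first, CA cert second) and one
# RSA PRIVATE KEY block (the client key).

# pem_block FILE TYPE N: print the N-th "-----BEGIN TYPE-----" ... END block
pem_block() {
    awk -v type="$2" -v want="$3" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        $0 == ("-----BEGIN " type "-----") { n++; if (n == want) inblk = 1 }
        inblk { print }
        inblk && $0 == ("-----END " type "-----") { inblk = 0 }
    ' "$1"
}

# split_apc_pem FILE OUTDIR: write client.crt, ca.crt and client.key into OUTDIR
split_apc_pem() {
    file="$1"; out="$2"
    mkdir -p "$out" || return 1
    pem_block "$file" CERTIFICATE 1       > "$out/client.crt"
    pem_block "$file" CERTIFICATE 2       > "$out/ca.crt"
    pem_block "$file" "RSA PRIVATE KEY" 1 > "$out/client.key"
    chmod 600 "$out/client.key"           # the key is a secret: owner-readable only
    # every output must start with a BEGIN line, otherwise the file layout differs
    for f in client.crt ca.crt client.key; do
        head -n 1 "$out/$f" | grep -q '^-----BEGIN ' || {
            echo "split_apc_pem: no block found for $f" >&2; return 1; }
    done
}

# write_sample_apc FILE: constructed stand-in for the downloaded config (dummy
# PEM bodies, not real key material) so the splitter can be tested offline
write_sample_apc() {
    cat > "$1" <<'EOF'
# connection settings would precede the certificates in the real file
-----BEGIN CERTIFICATE-----
CLIENTCERTDATA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CACERTDATA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
CLIENTKEYDATA
-----END RSA PRIVATE KEY-----
EOF
}
```

On the router, run split_apc_pem asg.apc /tmp/openvpncl once the downloaded file is there; the sample writer exists only so the splitter can be exercised offline.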

Create Zip file on the fly with PHP

A short search on Google led me to the Create ZIP File PHP class from Rochak Chauhan.

This class can create ZIP archives from lists of files.

The class provides means to add individual files or whole directories to the list of files packed into a ZIP archive.

The class can generate the packed archive as a string value.

The class can also output the necessary request response headers to serve the generated ZIP archive for download.

The supplied example demonstrates how to use the class to store the ZIP archive in a file, serve it for download and delete the file after it is served.
<?php
// The opening of this example was lost when the page was published; the class
// file name and class name below follow the package's own example and are
// assumed here (adjust the path to wherever the class file is saved).
require_once 'createZip.php';
$createZip = new createZip;

// Add a directory entry, then a file read from disk, to the archive
$createZip -> addDirectory("dir/");

$fileContents = file_get_contents("img.jpg");
$createZip -> addFile($fileContents, "dir/img.jpg");

// Write the generated archive to a file, serve it for download, then remove it
$fileName = "archive.zip";
$fd = fopen ($fileName, "wb");
$out = fwrite ($fd, $createZip -> getZippedfile());
fclose ($fd);

$createZip -> forceDownload($fileName);
@unlink($fileName);
?>

Windows Update Error 80072EE2 – Hyper-V Guest

I set up a new 2008 R2 server on a new Hyper-V server; Windows Update would sometimes work, but then it stopped completely. Luckily Nick Whittome had already figured it out: all you have to do is disable checksum offload.

Check out his original blog post.

Manually Export Printer Drivers to install on a Terminal Server

Recently I had a client who was unable to print to his local printer on his Windows 7 x64 machine from a Windows 2008 R2 x64 server. Checking the event viewer I could see that Windows was unable to find the driver for the Canon printer. Canon did not have a driver download for a Windows 7 machine, or an x64 machine for that matter, that I could find on their website.

To install the printer driver from the client’s machine I opened the registry and found this printer listed in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\

For x86 it’s located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\

From there, if you select the printer key, you will see a string value named InfPath.

It should give you a path to C:\Windows\System32\DriverStore\FileRepository\ and the corresponding folder the cached driver is in.

I copied the contents of that folder to the Terminal Server. From there I installed a local printer on the server, clicked ‘Have Disk...’ and selected the .inf from the folder I had copied to the server.

As a test I logged into the Terminal Server with the user’s credentials and found that his local printer now redirects correctly. The only thing left to do was delete the dummy local printer we created, and you’re golden.

Special thanks to Vittorio Pavesi for getting me on the right track.

Windows Explorer Defaults to Libraries Folder in Windows 7

When you open Windows Explorer in Windows 7, it opens the Libraries folder by default. You can change the default startup folder using the Windows Explorer shortcut properties, as you did in earlier versions of Windows. Note that you cannot change the default start folder if you’re using WinKey + E to launch Explorer.

In Windows 7, right-clicking on the Windows Explorer taskbar icon will show the Jump List. To access the shortcut properties, hold the SHIFT key down, right-click on the shortcut and choose Properties. The rest of the procedure is the same as in other versions of Windows.

To change the startup folder to (My) Computer, use this target path:

explorer.exe ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Where the GUID {20D04FE0-3AEA-1069-A2D8-08002B30309D} represents the My Computer folder.

For Documents folder, use this target path:

explorer.exe ::{450D8FBA-AD25-11D0-98A8-0800361B1103}

You may also suffix the full path instead of using GUID. For example,

explorer.exe D:\Scripts

Source: WinHelpOnline

PrivateKeyMissing Exchange Certificate Install

I was trying to renew my UCC certificate for my Exchange 2010 server. All was going fine until I tried to enable the certificate. I got the following error message:

Enable-ExchangeCertificate : The certificate with thumbprint *** was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate -Thumbprint *** -Services "IIS"

  1. Open MMC and add the Certificates snap-in for the Local Computer account.
  2. Double-click on the recently imported certificate.
     Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.
  3. Select the Details tab.
  4. Click on the Serial Number field and copy that string.
     Note: You may use CTRL+C, but not right-click and copy.
  5. Open up a command prompt session (cmd.exe, aka DOS prompt).
  6. Type: certutil -repairstore my "SerialNumber" (SerialNumber is the value copied in step 4.)
  7. After running the above command, go back to the MMC, right-click Certificates and select Refresh (or hit F5 in the MMC).
  8. Double-click on the problem certificate. At the bottom of this window (General tab) it should state: “You have a private key that corresponds to this certificate.”
     Note: In Windows Server 2008 there will be a golden key to the left of the certificate, so there is no need to double-click the certificate.
  9. Now that the private key is attached to the certificate, proceed to enable the Exchange services via Enable-ExchangeCertificate.

Exchange 2010 for SMB’s

I’ve been deploying Exchange 2010 more and more now. Most of them are single-server installations, or at the very least they only have one server available for Exchange. Below are a few tricks I’ve found that help in the deployment.

Recipient Validation

To reduce the load on the server and the amount of Non-Delivery Reports sent by the server (which can get you on blacklists) I strongly recommend that you use Recipient Validation. This will allow Exchange 2010 to reject unknown recipients immediately rather than let your server accept the message and attempt to deliver it and fail. Also, while Microsoft has documentation on how to do this, it is all written with the assumption that you’re using/have an Edge Transport Server. This is how to do it on a Hub Transport server.

First, open the Exchange Management Shell and change the directory to:

C:\Program Files\Microsoft\Exchange Server\V14\Scripts

Run the following command:

./install-AntispamAgents.ps1

Restart the Exchange Transport service:

Restart-Service MSExchangeTransport

After it restarts you need to tell the service what your internal SMTP servers are; even if you only have one, you have to specify it.

Set-TransportConfig -InternalSMTPServers 192.168.254.200

Where 192.168.254.200 is the internal IP of your server.

Last but not least, you want to enable Recipient Validation. You can do that with this command:

Set-RecipientFilterConfig -RecipientValidationEnabled $true

You’re all set! You can test it out with nwtools.com or some other tool of your choosing.

SMTP Banner

I find that this gets skipped a lot. By default your server is probably not reporting your external mail server’s name. This should be the same name that the reverse DNS is reporting. To change this you must do it in the shell; it can be achieved with this command:

Set-ReceiveConnector "From the Internet" -Banner "220 mail.contoso.com"

You must include 220; however, you can change everything after it.
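Both settings above can be verified from outside with a plain SMTP exchange. The following added helper (example code, not from the post or from Microsoft) captures such an exchange and checks that the 220 banner names the expected host and that RCPT TO for a non-existent address gets a permanent 5xx reply, which is what Recipient Validation produces. The host names and the embedded transcript are constructed placeholders; nc is assumed to be available for the live probe.

```shell
#!/bin/sh
# Added example (not from the post or Microsoft): verify from outside the two
# things configured above. A short SMTP exchange is captured as a transcript,
# which is then checked for (a) a 220 banner naming the expected host and
# (b) a permanent 5xx reply to RCPT TO for an address that does not exist,
# which is what Recipient Validation produces. Host names are placeholders.

# smtp_probe HOST PORT FROM RCPT: live probe with nc, prints the server's replies
smtp_probe() {
    printf 'EHLO probe.example.net\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nQUIT\r\n' "$3" "$4" \
        | nc -w 5 "$1" "$2"
}

# nth_reply N: print the N-th final reply line (code followed by a space, not a
# hyphen) from a transcript on stdin. Order: banner, EHLO, MAIL FROM, RCPT TO, QUIT.
nth_reply() {
    tr -d '\r' | awk -v want="$1" '/^[0-9][0-9][0-9]( |$)/ { if (++n == want) { print; exit } }'
}

# banner_ok TRANSCRIPT_FILE HOSTNAME: succeeds if the 220 banner names HOSTNAME
banner_ok() {
    set -- "$(nth_reply 1 < "$1")" "$2"
    case "$1" in "220 $2"|"220 $2 "*) return 0 ;; esac
    return 1
}

# rcpt_rejected TRANSCRIPT_FILE: succeeds if the RCPT TO reply was a 5xx rejection
rcpt_rejected() {
    nth_reply 4 < "$1" | grep -q '^5[0-9][0-9] '
}

# write_sample_transcript FILE: constructed transcript of a server with
# Recipient Validation on and the banner set to "220 mail.contoso.com"
write_sample_transcript() {
    cat > "$1" <<'EOF'
220 mail.contoso.com
250-mail.contoso.com Hello [203.0.113.10]
250-SIZE 10485760
250-PIPELINING
250 OK
250 2.1.0 Sender OK
550 5.1.1 User unknown
221 2.0.0 Service closing transmission channel
EOF
}
```

For a live check, save the output of smtp_probe against your own server to a file and run banner_ok and rcpt_rejected on it; a 250 at the RCPT TO stage means the server is still accepting unknown recipients and bouncing them later.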

Hope this helps!

Sources:
http://technet.microsoft.com/en-us/library/bb124740.aspx
http://technet.microsoft.com/en-us/library/aa998613.aspx
http://technet.microsoft.com/en-us/library/bb201691.aspx

Black Eyed Peas via cracked.com

I’ve heard this song before, and it’s actually not half bad. Unless you notice how terrible it is.

#1 way to skip class

Dude how cool would it be to be excused by the president. Kennedy’s note read:

To Kennedy’s teacher,
Please excuse Kennedy’s absence … She’s with me.
Barack Obama

WinCDEmu – Mount ISO in Vista or XP for free!

Gone are the days when you had to use that hacked copy of Alcohol 120%. The new and improved version 2.2 of WinCDEmu works with x64 and x86 and will mount the most common types of disk images, including the ISO, CUE and BIN/RAW/IMG formats! It can even mount them from any network share.

This is by far the easiest application to use, as it requires nothing more than double-clicking on the image (as many as you want; it will mount them all at the same time). Better yet, when you install it you won’t have to hassle with a restart like you do with other programs.

You can find this great software at the homepage or at SourceForge. You can also donate to the cause here.

Windows 7 is not officially supported as of yet, but you can find the download link for the unofficial release here.
