Thursday, April 19, 2018

configure openvpn on openwrt

1- download the LEDE/OpenWrt x86-64 image from the link below and unpack it

$ gzip -d lede-17.01.4-x86-64-combined-ext4.img.gz

2- create the libvirt domain xml (openwrt.xml) for virsh
<domain type="kvm">
  <name>openwrt1</name>
  <!-- memory size is not given in the original post; 512 MiB is an assumed value -->
  <memory unit="MiB">512</memory>
  <os>
    <type arch="x86_64">hvm</type>
    <boot dev="hd"/>
  </os>
  <clock offset="utc"/>
  <devices>
    <graphics type="vnc" port="-1"/>
    <interface type="bridge">
      <source bridge="virbr0"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr1"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr2"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr3"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr4"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="virbr5"/>
      <model type="virtio"/>
    </interface>
    <input bus="ps2" type="mouse"/>
    <serial type="pty">
      <target port="0"/>
    </serial>
    <serial type="tcp">
      <source host="" mode="bind" service="39180"/>
      <protocol type="raw"/>
      <target port="1"/>
    </serial>
    <disk device="disk" type="file">
      <target bus="virtio" dev="vda"/>
      <source file="/home/user1/Downloads/openwrt/lede-17.01.4-x86-64-combined-ext4.img"/>
      <driver type="raw" name="qemu"/>
    </disk>
  </devices>
</domain>

3- then start the vm from the xml and attach to its console
$ virsh create openwrt.xml
$ virsh console openwrt1

4- you can run dnsmasq on the host to hand out ip settings (dhcp) to the openwrt wan interface on virbr1
$ dnsmasq -i virbr1 --dhcp-range=, --dhcp-option=3, --dhcp-option=6,

5- install the openvpn package and its luci app
$ opkg update
$ opkg install openvpn-openssl luci-app-openvpn

6- create the certificates (ca, server and client) with easy-rsa
$ cd /usr/share/easy-rsa
$ mkdir keys
$ touch keys/index.txt
$ echo 01 > keys/serial
$ source ./vars
$ export PATH=$PATH:/usr/share/easy-rsa
$ pkitool --initca
$ pkitool --server server1
$ pkitool client1

$ openssl dhparam -out keys/dh1024.pem 1024

7- copy ca.crt, server1.crt, server1.key and dh1024.pem from the keys directory to /etc/openvpn on openwrt (the config below also references /etc/openvpn/tls-auth.key, which must exist there too)

8- execute the following commands in the openwrt shell
$ ssh -l root


# Modify /etc/config/network
  uci set network.vpnserver='interface'
  uci set network.vpnserver.proto='none'
  uci set network.vpnserver.ifname='ovpns0'
  uci set network.vpnserver.auto='1'
uci commit network

# Modify /etc/config/firewall
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-OpenVPN-Inbound'
  uci set firewall.@rule[-1].target='ACCEPT'
  uci set firewall.@rule[-1].src='*'
  uci set firewall.@rule[-1].proto='tcpudp'
  uci set firewall.@rule[-1].dest_port='1194'

  uci add firewall zone
  uci set firewall.@zone[-1].name='vpnserver'
  uci set firewall.@zone[-1].input='ACCEPT'
  uci set firewall.@zone[-1].forward='REJECT'
  uci set firewall.@zone[-1].output='ACCEPT'
  uci set firewall.@zone[-1].masq='1'
  uci set firewall.@zone[-1].network='vpnserver'

  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='wan'

  uci add firewall forwarding
  uci set firewall.@forwarding[-1].src='vpnserver'
  uci set firewall.@forwarding[-1].dest='lan'
uci commit firewall

# Modify /etc/config/openvpn
  uci set openvpn.vpnserver='openvpn'
  uci set openvpn.vpnserver.enabled='1'
  uci set openvpn.vpnserver.dev_type='tun'
  uci set openvpn.vpnserver.dev='ovpns0'
  uci set openvpn.vpnserver.port='1194'
  uci set openvpn.vpnserver.proto='udp'
  uci set openvpn.vpnserver.comp_lzo='yes'
  uci set openvpn.vpnserver.keepalive='10 120'
  uci set openvpn.vpnserver.persist_key='1'
  uci set openvpn.vpnserver.persist_tun='1'
  uci set openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
  uci set openvpn.vpnserver.cert='/etc/openvpn/server1.crt'
  uci set openvpn.vpnserver.key='/etc/openvpn/server1.key'
  uci set openvpn.vpnserver.dh='/etc/openvpn/dh1024.pem'
  uci set openvpn.vpnserver.tls_auth='/etc/openvpn/tls-auth.key 0'
  uci set openvpn.vpnserver.mode='server'
  uci set openvpn.vpnserver.tls_server='1'
  uci set openvpn.vpnserver.server=''
  uci set openvpn.vpnserver.topology='subnet'
  uci set openvpn.vpnserver.route_gateway='dhcp'
  uci set openvpn.vpnserver.client_to_client='1'

  uci add_list openvpn.vpnserver.push='comp-lzo yes'
  uci add_list openvpn.vpnserver.push='persist-key'
  uci add_list openvpn.vpnserver.push='persist-tun'
  uci add_list openvpn.vpnserver.push='topology subnet'
  uci add_list openvpn.vpnserver.push='route-gateway dhcp'
  uci add_list openvpn.vpnserver.push='redirect-gateway def1'
  uci add_list openvpn.vpnserver.push='route'
  uci add_list openvpn.vpnserver.push='dhcp-option DNS'
uci commit openvpn

- restart the service

$ /etc/init.d/openvpn restart
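After the commit and restart, the init script renders the openvpn.vpnserver section into /tmp/etc/openvpn-vpnserver.conf. As an added illustration (not the page's or OpenWrt's own code), the awk below reproduces the rendering rule on a constructed uci export snippet: underscores in option names become dashes, an option set to '1' becomes a bare flag, enabled is skipped, and each push list entry becomes a quoted push line. Treating every value of '1' as a boolean is an approximation; the real script knows which options are booleans.

```shell
#!/bin/sh
# Added example (not OpenWrt's init script): render a uci 'config openvpn'
# section the way /etc/init.d/openvpn writes /tmp/etc/openvpn-<name>.conf:
# option_name -> option-name, a value of '1' -> bare flag, 'enabled' skipped,
# each 'list push' entry -> push "value". Treating every '1' as a boolean is
# an approximation; the real script knows which options are booleans.

uci2ovpn() {
  awk -v q="'" '
    function dash(s) { gsub(/_/, "-", s); return s }
    # text between the first quote and the closing quote at end of line
    function val(line,  i) { i = index(line, q); return substr(line, i + 1, length(line) - i - 1) }
    $1 == "option" && $2 == "enabled" { next }
    $1 == "option" { v = val($0); if (v == "1") print dash($2); else print dash($2), v; next }
    $1 == "list"   { print dash($2), "\"" val($0) "\"" }
  '
}

# Constructed sample in 'uci export openvpn' form, mirroring step 8 above
# (the elided server/route/DNS values are left out).
uci_sample() {
  cat <<'EOF'
config openvpn 'vpnserver'
    option enabled '1'
    option dev_type 'tun'
    option dev 'ovpns0'
    option port '1194'
    option proto 'udp'
    option comp_lzo 'yes'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option ca '/etc/openvpn/ca.crt'
    option tls_auth '/etc/openvpn/tls-auth.key 0'
    option mode 'server'
    option tls_server '1'
    option topology 'subnet'
    list push 'comp-lzo yes'
    list push 'redirect-gateway def1'
EOF
}

uci_sample | uci2ovpn
```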

9- on the client, create the configuration file (client.conf):
dev tun
proto udp
remote 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
verb 3

10- run
$ openvpn --config client.conf

if there is a problem, you can look at the generated config file, edit it directly and run openvpn by hand as below

$ cat /tmp/etc/openvpn-vpnserver.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server1.crt
comp-lzo yes
dev ovpns0
dev-type tun
dh /etc/openvpn/dh1024.pem
keepalive 10 120
key /etc/openvpn/server1.key
mode server
port 1194
proto udp
push "comp-lzo yes"
push "persist-key"
push "persist-tun"
push "topology subnet"
push "route-gateway dhcp"
push "redirect-gateway def1"
push "route"
push "dhcp-option DNS"
push "route"
push "dhcp-option DNS"
route-gateway dhcp
topology subnet

-- and run it
$ openvpn --config /tmp/etc/openvpn-vpnserver.conf

-- to rule the firewall out while debugging, its rules can also be flushed (this drops every rule, including the wan input filtering, until the firewall service is restarted)
$ iptables -F

read wikipedia offline -- kiwix

kiwix is a very nice piece of software. it allows us to read wikipedia without internet access.

it supports most operating systems, from Android and iOS to Microsoft Windows, macOS and GNU/Linux.

to use it, first download the software from the link below

the content is also hosted on the same page; you can download it either as a torrent or over http. i recommend using torrent because some files are really big.

those contents are
TED talks

configure openvpn on mikrotik

1- create the certificates with easy-rsa (same steps as in the openwrt guide above)
$ cd /usr/share/easy-rsa
$ mkdir keys
$ touch keys/index.txt
$ echo 01 > keys/serial
$ source ./vars
$ export PATH=$PATH:/usr/share/easy-rsa
$ pkitool --initca
$ pkitool --server server1
$ pkitool client1

2- upload server1.crt, server1.key and ca.crt to the mikrotik

3- import the certificate and key into the mikrotik certificate store
/certificate import file-name=server1.crt
/certificate import file-name=server1.key
/certificate import file-name=ca.crt

4- create an address pool (pool1) for vpn clients on mikrotik
/ip pool export
/ip pool
add name=pool1 ranges=

5- create the ppp profile (ovpn) used by the openvpn server; the listing below is in export form
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default remote-ipv6-prefix-pool=\
    none use-compression=default use-encryption=default use-ipv6=yes use-mpls=\
    default use-vj-compression=default
add change-tcp-mss=default local-address= name=ovpn only-one=default \
    remote-address=pool1 use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default \
    remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes \
    use-ipv6=yes use-mpls=default use-vj-compression=default

6- create a username and password (ppp secret) for the client
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=user1 \
    password=password profile=ovpn routes="" service=any

7- enable ovpn server interface on mikrotik
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn enabled=yes keepalive-timeout=60 mac-address=FE:E0:F2:AF:C8:35 max-mtu=1500 mode=ip netmask=32 port=1194 require-client-certificate=no

--------------------on client------------

1- use the certificates from

--- configuration file: client.conf
dev tun
proto tcp
remote 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher none
verb 3
auth-user-pass auth.txt

-- auth.txt (username on the first line, password on the second):

2- to connect
$ openvpn --config client.conf

if you get the following messages
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1527'
WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'

this means comp-lzo is enabled in client.conf but not on the server; remove it from client.conf and the connection will establish successfully
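The warnings above come from options that differ between the two ends. As an added check (not code from the original post), the script below compares a client.conf with the server's config for the mismatches this page runs into: proto (udp on the OpenWrt server, tcp on the mikrotik client), comp-lzo present on one side only, a server tls-auth with key direction 0 that the client config in the OpenWrt section never complements with direction 1, and the mikrotik client's cipher none, which sends the tunnel unencrypted. The sample config pair is constructed inline to reproduce all four findings.

```shell
#!/bin/sh
# Added example, not from the original post: compare a client.conf with the
# server's config for the mismatches behind the warnings quoted above (proto,
# comp-lzo on one side only, tls-auth key direction) and flag 'cipher none',
# which makes the tunnel carry plaintext.

# Print the value of option $2 in config file $1 (empty if absent).
ovpn_opt() {
  awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# ovpn_lint SERVER.CONF CLIENT.CONF: one line per finding, returns the count.
ovpn_lint() {
  srv=$1; cli=$2; n=0
  sp=$(ovpn_opt "$srv" proto); cp=$(ovpn_opt "$cli" proto)
  [ "$sp" = "$cp" ] || { echo "proto mismatch: server=$sp client=$cp"; n=$((n+1)); }
  # "'comp-lzo' is present in local config but missing in remote config"
  sl=$(grep -c '^comp-lzo' "$srv" || true); cl=$(grep -c '^comp-lzo' "$cli" || true)
  [ "$sl" = "$cl" ] || { echo "comp-lzo mismatch: server=$sl client=$cl"; n=$((n+1)); }
  # tls-auth: server direction 0 needs client direction 1 (or both omit it)
  sdir=$(ovpn_opt "$srv" tls-auth | awk '{print $NF}')
  cdir=$(ovpn_opt "$cli" tls-auth | awk '{print $NF}')
  case "$sdir$cdir" in
    ""|01|10) ;;
    *) echo "tls-auth mismatch: server direction='$sdir' client direction='$cdir'"; n=$((n+1)) ;;
  esac
  [ "$(ovpn_opt "$cli" cipher)" != none ] ||
    { echo "client sets 'cipher none': no encryption"; n=$((n+1)); }
  return $n
}

# Constructed sample pair (not real captures): a server like the generated one
# in the OpenWrt section, a client combining the problems seen on this page.
ovpn_samples() {
  d=$(mktemp -d)
  printf '%s\n' 'dev ovpns0' 'dev-type tun' 'port 1194' 'proto udp' \
    'tls-auth /etc/openvpn/tls-auth.key 0' 'push "redirect-gateway def1"' > "$d/server.conf"
  printf '%s\n' 'dev tun' 'proto tcp' 'comp-lzo' 'remote-cert-tls server' \
    'cipher none' 'verb 3' > "$d/client.conf"
  echo "$d"
}

d=$(ovpn_samples)
ovpn_lint "$d/server.conf" "$d/client.conf" || echo "$? finding(s)"
```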

Tuesday, April 3, 2018

dingo, dns over https client for google dns

1- download a binary for your platform from the link below

2- run the application
$ sudo ./dingo-linux-amd64 -port=53

3- then finally change your dns setting in linux to point at dingo
# echo nameserver > /etc/resolv.conf

then all dns requests go to dingo, which forwards them to google dns over https.

convert text to image

1- with LibreOffice

$ soffice --convert-to jpg textfile.txt

2- with imagemagick

- from a file
$ convert -size 1920x1080 -fill black -strokewidth 2 -stroke red -font Verdana -density 96 -pointsize 56 caption:@textfile.txt out.png

if there is an error, check the policy file /etc/ImageMagick-6/policy.xml and comment out the path policy as below

  <!-- in order to avoid to get image with password text -->
<!--  <policy domain="path" rights="none" pattern="@*"/> -->

- from a pipe (stdin)

$ ifconfig |convert -size 1920x1080 -fill black -strokewidth 2 -stroke red -font Verdana -density 96 -pointsize 56 caption:@- out.png

- with a border
$ ifconfig |convert -size 1920x1080 -fill black -strokewidth 0.7  -stroke black -font cour.ttf  -gravity west -border 10x20 -density 128 -background '#e6e6e6' -bordercolor '#e6e6e6' -interline-spacing 1.5  caption:@- out.png