ubuntu – kayama.me

How to setup L2TP over IPSec VPN server (Ubuntu 16.04 – 20.04)

October 12, 2018

kayama

How to setup L2TP over IPSec VPN server (Ubuntu 16.04)

apt-get install strongswan xl2tpd

1	apt-get install strongswan xl2tpd

# (optional, need to check ) apt-get install ppp libgmp3-dev bison flex

Edit /etc/ipsec.conf

# /etc/ipsec.conf — Openswan IPsec configuration file modified for Strongswan
# (c) Kayama 2018
# Add connections here

conn L2TP-IPSEC
    authby=secret
    rekey=no
    keyingtries=3
    type=transport
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    ikelifetime=8h
    keylife=1h
    left=XXX.XXX.XXX.XXX # your router’s external IP 
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=0.0.0.0/0
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    #force all to be nat’ed. because of iOS
    forceencaps=yes

# /etc/ipsec.conf — Openswan IPsec configuration file modified for Strongswan

# (c) Kayama 2018

# Add connections here

conn L2TP-IPSEC

authby=secret

rekey=no

keyingtries=3

type=transport

esp=aes128-sha1

ike=aes128-sha-modp1024

ikelifetime=8h

keylife=1h

left=XXX.XXX.XXX.XXX # your router’s external IP

leftprotoport=17/1701

right=%any

rightprotoport=17/%any

rightsubnet=0.0.0.0/0

auto=add

dpddelay=30

dpdtimeout=120

dpdaction=clear

#force all to be nat’ed. because of iOS

forceencaps=yes

Edit /etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.

: PSK “TypeYourPassPhraseHere”

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host

# which knows the public part.

: PSK “TypeYourPassPhraseHere”

Edit /etc/ppp/options.xl2tpd

require-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1410
mru 1410
connect-delay 5000
lock
hide-password
local
#debug
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

require-mschap-v2

refuse-mschap

ms-dns 8.8.8.8

ms-dns 8.8.4.4

asyncmap 0

auth

crtscts

idle 1800

mtu 1410

mru 1410

connect-delay 5000

lock

hide-password

local

#debug

modem

name l2tpd

proxyarp

lcp-echo-interval 30

lcp-echo-failure 4

Edit /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no
access control = no
rand source = dev
port = 1701
auth file = /etc/ppp/chap-secrets

[lns default]
ip range = 192.168.1.10-192.168.1.20
local ip = 192.168.1.1
require authentication = yes
name = l2tp
pass peer = yes
ppp debug = no
length bit = yes
refuse pap = yes
refuse chap = yes
pppoptfile = /etc/ppp/options.xl2tpd

[global]

ipsec saref = no

debug tunnel = no

debug avp = no

debug network = no

debug state = no

access control = no

rand source = dev

port = 1701

auth file = /etc/ppp/chap-secrets

[lns default]

ip range = 192.168.1.10-192.168.1.20

local ip = 192.168.1.1

require authentication = yes

name = l2tp

pass peer = yes

ppp debug = no

length bit = yes

refuse pap = yes

refuse chap = yes

pppoptfile = /etc/ppp/options.xl2tpd

And finally add password to the /etc/ppp/chap-secrets file

test    l2tpd     TestTest      “*”

service xl2tpd restart
service ipsec restart

test l2tpd TestTest “*”

service xl2tpd restart

service ipsec restart

Everything should work fine!

Upd. 2022.01

ubuntu git install and tips

git, linux, ubuntu

February 5, 2018

kayama

# update packages

sudo apt-get update

1

sudo apt-get update

# install gitolite server

sudo apt-get install gitolite3

1

sudo apt-get install gitolite3

# rename (not necessary) user gitolite3 to git

sudo usermod gitolite3 –login git

1

sudo usermod gitolite3 –login git

# clone git admin dir to your home account

cd ~ git clone git@172.16.0.100:gitolite-admin

1
2

cd ~
git clone git@172.16.0.100:gitolite-admin

# make changes in gitolite.conf — add new repo

“`repo web-app RW+ = admin“`

1
2
3

“`repo web-app

RW+ = admin“`

# show status

git status

1

git status

# add files to repo

git add -A .

1

git add -A .

# commit your changes

git commit -m ‘Added new repo’

1

git commit -m ‘Added new repo’

# for use simple git push

git config –global push.default simple

1

git config –global push.default simple

# push changes to repo

git push

1

git push

All done, your repo is ready.

Now go to dir with your app.

cd ~/web-app/

1

cd ~/web-app/

# initialize dir for git

git init

1

git init

# add url of «remote» repo

git remote add origin ssh://git@192.168.56.100:8822/web-app

1

git remote add origin ssh://git@192.168.56.100:8822/web-app

# check it

git remote -v

1

git remote -v

# commit and push your repo

git status git add -A . git commit -m ‘Initial commit’ git push –set-upstream origin master

1
2
3
4
5
6
7

git status

git add -A .

git commit -m ‘Initial commit’

git push –set-upstream origin master

# clone repo on desktop

git clone ssh://git@192.168.56.100:8822/web-app

1

git clone ssh://git@192.168.56.100:8822/web-app

kvm live backup

backup, kvm, linux, ubuntu

April 19, 2016

kayama

Live backup of your VM running in KVM under Ubuntu using qcow2 disk images

# First of all disable apparmor to allow access

aa-status

aa-complain /usr/sbin/libvirtd

aa-complain /etc/apparmor.d/libvirt/libvirt-xxxxxxxxxxxxxxxxxx

aa-status

aa-complain /usr/sbin/libvirtd

aa-complain /etc/apparmor.d/libvirt/libvirt-xxxxxxxxxxxxxxxxxx

# View disks

virsh domblklist test-backup

1	virsh domblklist test-backup

# Suspend the domain (This is optional. I do this so that the condition of virtual machines remains unchanged during the backup.)

virsh suspend test-backup

1	virsh suspend test-backup

# Create snapshot

virsh snapshot-create-as –domain test-backup test-snap1 \

–diskspec vda,file=/home/virtual/test_backup/test-c.img \

–diskspec vdb,file=/home/virtual/test_backup/test-d.img \

–disk-only –atomic

virsh snapshot-create-as –domain test-backup test-snap1 \

–diskspec vda,file=/home/virtual/test_backup/test-c.img \

–diskspec vdb,file=/home/virtual/test_backup/test-d.img \

–disk-only –atomic

# or

virsh snapshot-create-as –domain test-backup test-backup-snap1 –disk-only –atomic

1	virsh snapshot-create-as –domain test-backup test-backup-snap1 –disk-only –atomic

# View snapshots

virsh snapshot-list test-backup

1	virsh snapshot-list test-backup

# View disks (it must be running on snapshots)

virsh domblklist test-backup

1	virsh domblklist test-backup

# Copy drives to backup dir

rsync -avh –progress drive-c.qcow2 export/drive-c.qcow2-copy

rsync -avh –progress drive-d.qcow2 export/drive-d.qcow2-copy

rsync -avh –progress drive-c.qcow2 export/drive-c.qcow2-copy

rsync -avh –progress drive-d.qcow2 export/drive-d.qcow2-copy

# Perform active blockcommit by live merging contents

virsh blockcommit test-backup vda –active –verbose –pivot

virsh blockcommit test-backup vdb –active –verbose –pivot

virsh blockcommit test-backup vda –active –verbose –pivot

virsh blockcommit test-backup vdb –active –verbose –pivot

# View disks (it must be running on normal drives)

virsh domblklist test-backup

1	virsh domblklist test-backup

# Unsuspend the domain

virsh resume test-backup

1	virsh resume test-backup

# View snapshots again

virsh snapshot-list test-backup

1	virsh snapshot-list test-backup

# Delete snapshots

virsh snapshot-delete test-backup test-backup-snap1 –metadata

1	virsh snapshot-delete test-backup test-backup-snap1 –metadata

# View snapshots to check

virsh snapshot-list test-backup

1	virsh snapshot-list test-backup

# Delete snapshot files

rm -f /home/virtual/test_backup/drive-c.test-backup-snap1

rm -f /home/virtual/test_backup/drive-d.test-backup-snap1

rm -f /home/virtual/test_backup/drive-c.test-backup-snap1

rm -f /home/virtual/test_backup/drive-d.test-backup-snap1

Installing PostgreSQL BDR

BDR, linux, PostgreSQL, ubuntu

October 9, 2015

kayama

Install PostgreSQL BDR

For those who get the error:

apt-get install postgresql-bdr-9.4

1	apt-get install postgresql-bdr-9.4

…
The following packages have unmet dependencies:
postgresql-bdr-9.4: Depends: postgresql-bdr-client-9.4 but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

–

apt-get install postgresql-bdr-client-9.4

1	apt-get install postgresql-bdr-client-9.4

…
The following packages have unmet dependencies:
postgresql-bdr-client-9.4: Depends: libpq5 (>= 9.4.4) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

That’s my solution based on https://wiki.postgresql.org/wiki/Apt and http://packages.2ndquadrant.com/bdr/apt/

sudo sh -c ‘echo “deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main” > /etc/apt/sources.list.d/pgdg.list’

sudo sh -c ‘echo “deb http://packages.2ndquadrant.com/bdr/apt/ $(lsb_release -cs)-2ndquadrant main” > /etc/apt/sources.list.d/2ndquadrant.list.list’

sudo apt-get install wget ca-certificates

sudo wget –quiet -O – https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add –

sudo wget –quiet -O – http://packages.2ndquadrant.com/bdr/apt/AA7A6805.asc | sudo apt-key add –

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install postgresql-bdr-9.4 postgresql-bdr-9.4-bdr-plugin

sudo sh -c ‘echo “deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main” > /etc/apt/sources.list.d/pgdg.list’

sudo sh -c ‘echo “deb http://packages.2ndquadrant.com/bdr/apt/ $(lsb_release -cs)-2ndquadrant main” > /etc/apt/sources.list.d/2ndquadrant.list.list’

sudo apt-get install wget ca-certificates

sudo wget –quiet -O – https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add –

sudo wget –quiet -O – http://packages.2ndquadrant.com/bdr/apt/AA7A6805.asc | sudo apt-key add –

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install postgresql-bdr-9.4 postgresql-bdr-9.4-bdr-plugin

Building an LXC Server

linux, lxc, ubuntu, zfs

June 4, 2015

kayama

Building an LXC Server on Ubuntu with ZFS and a container with public IP address

First update Ubuntu

apt-get update

apt-get dist-upgrade

apt-get update

apt-get dist-upgrade

Setup ZFS

apt-add-repository ppa:zfs-native/stable

apt-get update

apt-get install ubuntu-zfs

apt-add-repository ppa:zfs-native/stable

apt-get update

apt-get install ubuntu-zfs

Configure LXC

sudo apt-get install lxc

1	sudo apt-get install lxc

Configure ZFS

Create ZFS pool:

sudo zpool create -f tank /dev/sdX

1	sudo zpool create -f tank /dev/sdX

Keep in mind that deduplication takes much more memory and sometimes CPU.

The rule of Thumb says to have 1GB of Ram per TB of Data. For deduplicated ZPools you actually should have 5 GB of Ram for 1TB of Data. I don’t use it.

zfs set dedup=on tank

1	zfs set dedup=on tank

Turn on compression and create fs:

zfs set compression=on tank

zpool set feature@lz4_compress=enabled tank

zfs set compression=lz4 tank

zfs create tank/lxc

zfs create tank/lxc/containers

zfs set compression=on tank

zpool set feature@lz4_compress=enabled tank

zfs set compression=lz4 tank

zfs create tank/lxc

zfs create tank/lxc/containers

To configure LXC to use ZFS as the backing store and set the default LXC path, add the following to /etc/lxc/lxc.conf:

lxc.lxcpath = /tank/lxc/containers

lxc.bdev.zfs.root = tank/lxc/containers

lxc.lxcpath = /tank/lxc/containers

lxc.bdev.zfs.root = tank/lxc/containers

Creating a Container

Create the first container by doing:

lxc-create -t ubuntu -n node.name -B zfs

1	lxc-create -t ubuntu -n node.name -B zfs

Setup Bridged Network

apt-get install bridge-utils

1	apt-get install bridge-utils

Important Commands

Show bridge interfaces:

brctl show

1	brctl show

Simple Bridge

This setup can be used to connect multiple network interfaces. The bridge acts as a switch: each additional network interface is directly connected to the physical network.

Edit /etc/network/interfaces, remove eth0, add br0.

For dynamic IP:

#auto eth0

#iface eth0 inet dhcp

auto br0

iface br0 inet dhcp

bridge_ports eth0

bridge_stp off

bridge_fd 0

bridge_maxwait 0

#auto eth0

#iface eth0 inet dhcp

auto br0

iface br0 inet dhcp

bridge_ports eth0

bridge_stp off

bridge_fd 0

bridge_maxwait 0

For static IP:

auto br0

iface br0 inet static

bridge_ports eth0

bridge_stp off

bridge_fd 0

bridge_maxwait 0

address 192.168.0.101

netmask 255.255.255.0

network 192.168.0.0

broadcast 192.168.0.255

gateway 192.168.0.254

dns-nameservers 8.8.8.8 8.8.4.4

auto br0

iface br0 inet static

bridge_ports eth0

bridge_stp off

bridge_fd 0

bridge_maxwait 0

address 192.168.0.101

netmask 255.255.255.0

network 192.168.0.0

broadcast 192.168.0.255

gateway 192.168.0.254

dns-nameservers 8.8.8.8 8.8.4.4

reboot server

Is all OK?

Edit /tank/lxc/containers/node.name/config

lxc.network.type = veth

lxc.network.flags = up

lxc.network.link = br0

lxc.network.hwaddr = 00:16:3e:30:fa:4a

lxc.network.type = veth

lxc.network.flags = up

lxc.network.link = br0

lxc.network.hwaddr = 00:16:3e:30:fa:4a

start the node:

lxc-start -n node.name -d

1	lxc-start -n node.name -d

connect to the node:

lxc-console -n node.name

1	lxc-console -n node.name

On the lxc node /etc/network/interfaces:

auto eth0

iface eth0 inet static

address 192.168.0.102

netmask 255.255.255.0

network 192.168.0.0

broadcast 192.168.0.255

gateway 192.168.0.254

dns-nameservers 8.8.8.8 8.8.4.4

auto eth0

iface eth0 inet static

address 192.168.0.102

netmask 255.255.255.0

network 192.168.0.0

broadcast 192.168.0.255

gateway 192.168.0.254

dns-nameservers 8.8.8.8 8.8.4.4

It’s possible to use static IP address in node config and use dhcp inside the node, that works too.

But IPv6 didn’t work inside the node, I disabled it and then the node stopped receiving IP address at all.

I had to use static IP.

I’m going to solve this problem later.

How to setup L2TP over IPSec VPN server (Ubuntu 16.04 – 20.04)

ubuntu git install and tips

kvm live backup

Installing PostgreSQL BDR

Building an LXC Server