Tag Archives: linode

Gentoo: IPSec, L2TP VPN for iOS

There are thousands of guides out there on this subject, however I still struggled to set up an IPSec VPN at first. This is a HOWTO for my own benefit – maybe someone else will use it too. I struggled because most of the guides involved setting up the VPN on a NAT’d host and connecting to the VPN from inside the network. I didn’t do that on my linode, which has a static public IP.

My objectives were clear:

  1. Create a connection point that was semi-secure while connecting to open wifi networks
  2. Bypass some “You are not in the US” restrictions while on the road

Step 1: Install the applications: net-misc/openswan and net-dialup/xl2tpd
Step 2: Configure openswan:

# cat /etc/ipsec.conf 
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    oe=off
    protostack=auto

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=1.1.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
# cat /etc/ipsec.secrets
1.1.1.1 %any: PSK "TestSecret"

Where 1.1.1.1 is your public eth0 address and 10.152.2.0 is the subnet that xl2tpd will assign IPs from (it can be anything; I picked this on the advice of a guide because it is unlikely to be a subnet that a router on a public network assigns from).

Step 3: Configure xl2tpd:

# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

The local IP must be inside the subnet but outside the IP range above.
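As an added check (not from the post), the following Python cross-checks that constraint, together with the virtual_private exclusion from Step 2, against constructed copies of the two config files above; the functions and sample text are mine, not part of openswan or xl2tpd.

```python
import configparser
import ipaddress
import re

# Constructed sample inputs, modelled on the ipsec.conf and xl2tpd.conf above.
IPSEC_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
"""
XL2TPD_CONF = """\
[global]
ipsec saref = no

[lns default]
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
"""


def excluded_subnets(ipsec_conf):
    """Return the subnets that virtual_private excludes with %v4:!..."""
    m = re.search(r"^\s*virtual_private=(.*)$", ipsec_conf, re.M)
    items = m.group(1).split(",") if m else []
    return [ipaddress.ip_network(i[len("%v4:!"):], strict=False)
            for i in items if i.startswith("%v4:!")]


def check_l2tp_addressing(ipsec_conf, xl2tpd_conf):
    """Return a list of problems; empty when the two files agree."""
    cp = configparser.ConfigParser()
    cp.read_string(xl2tpd_conf)
    lns = cp["lns default"]
    lo, hi = (ipaddress.ip_address(a.strip()) for a in lns["ip range"].split("-"))
    local = ipaddress.ip_address(lns["local ip"].strip())
    problems = []
    if lo > hi:
        problems.append("ip range is reversed")
    # the rule from the text: the local ip must never be handed out to a client
    if lo <= local <= hi:
        problems.append("local ip falls inside the client ip range")
    # the pool must be the subnet virtual_private carves out of the private ranges,
    # otherwise a NAT'd client behind a 10.x hotspot may claim the pool's addresses
    pool = [n for n in excluded_subnets(ipsec_conf) if lo in n and hi in n]
    if not pool:
        problems.append("virtual_private does not exclude the xl2tpd pool subnet")
    elif local not in pool[0]:
        problems.append("local ip is outside the excluded pool subnet")
    return problems
```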

# cat /etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

The ms-dns lines are configurable to any DNS server you have access to.

# cat /etc/ppp/chap-secrets
# Format:
# client server secret IP-addresses
#
# Two lines are needed since it is two-sided auth
test l2tpd testpass *
l2tpd test testpass *

Step 4: Configure kernel parameters (sysctl)

# cat /etc/sysctl.conf
# only values specific for ipsec/l2tp functioning are shown here. merge with
# existing file
# iPad VPN
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Remember that sysctl.conf is only evaluated at boot, so run sysctl -p to enable the settings now as well.

Step 5: Configure firewall (iptables):
This is the critical step that I wasn’t grokking from the existing guides in the wild. Even when bringing the firewall down to test, you need the NAT/forwarding rules:

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -s 10.152.2.0/24 -j ACCEPT
# iptables -A FORWARD -j REJECT
# iptables -t nat -A POSTROUTING -s 10.152.2.0/24 -o eth0 -j MASQUERADE

Step 6: Configure the device/client:
Settings -> General -> Network -> VPN -> Add VPN Configuration

L2TP
Description: Description
Server: 1.1.1.1 (or the hostname)
Account: test
RSA SecurID=OFF
Password: testpass
Secret: TestSecret
Send All Traffic=On

Step 7: Verify it works by visiting a webpage that displays your IP address; it should show 1.1.1.1.

Conclusion: The above examples should be enough to get the VPN working. There are some tweaking opportunities that I didn’t document or elaborate on; there are plenty of examples out there to look at or research, however. This was all set up without the firewall configuration at first, and the client would connect but there would be no onward internet activity. It acted just like an invalid DNS server was configured, and at that point I looked into setting up a NAT, dnsmasq on the local interface, and other weird things. In the end, I just needed to forward the traffic properly.

With that knowledge of the firewall issue, the ultimate instructions would probably be this page: https://www.openswan.org/projects/openswan/wiki/L2TPIPsec_configuration_using_openswan_and_xl2tpd

Linode: don’t use barriers and ext-4

On my Linode running Gentoo Linux, I converted to ext4 some time ago and didn’t have any issues until now, mostly because I don’t reboot often enough to notice. The symptoms are:

Every reboot, you will see:

EXT4-fs error (device xvda): ext4_journal_start_sb:296: Detected aborted journal
EXT4-fs (xvda): Remounting filesystem read-only

and a subsequent reboot fixes this with a forced run of fsck. That is an annoying one: every other reboot results in a crippled system, and otherwise an fsck “fixes” it and you have no issues.

So, after some research I found that barriers are enabled by default and they don’t really make sense on a hosted VM guest. I qualify that statement as Google research rather than expertise, but the common knowledge seems to be that disabling barriers is safe for battery-backed storage, and Linode disabled barriers completely.

The solution to the above problem is simply disabling barriers. Like so:

In /etc/fstab:
/dev/xvda / ext4 noatime,barrier=0 0 1

Source: Linode Forums

Linode: Migrating from HE.net IPv6 tunnel to native IPv6

A few days ago, Linode.com announced native IPv6 roll-out in their datacenters. Now, while I haven’t written about Linode in the past 6 months, I am still a happy customer. I am documenting the steps I took to migrate away from my HE.net tunnel.

  1. Set the TTL low on any DNS addresses that you will be changing. Ideally, do this a fair amount ahead of time.
  2. Send in a support ticket to get your /64 allocated. Sidenote: response time: 4 minutes
  3. Reboot ‘node so the backend system deploys your IPv6 after it was allocated. Verify IPv6 status on your ‘node.
  4. From a different IPv6 host, run nmap -6 on the existing address to verify listening services.
  5. Update DNS, define static networking, be happy.

Another reason to love Linode.com

It should be no secret that this site and my other co-location needs are hosted at Linode.com, for which I am a happy customer running Gentoo Linux.

The reason for this post is an announcement today: all I had to do was reboot and I received a 42% RAM increase. Yay.

Thanks Linode, you are exceeding your competition!
(Shameless plug for my referral code :) )

Gentoo: static IPv4 & IPv6 (HE.net tunnel)

For some reason, Linode.com (my review) sets up their hosts to use dhcpd to grab the static IPv4 address on boot. This is in contrast to Host Virtual, which uses the “Gentoo way” to set static addresses. Now, there isn’t anything exactly wrong with using dhcpd on hosts with static addresses; actually, it may be simpler (and this is probably why they did it). However, I don’t like it for a few reasons: booting takes longer as it probes for IPs, and it uses extra space for the dhcpd binary on a low-resource host – which includes extra time for updating. I know these are minor issues, but they bother me, at least. So, let’s take the easy way and assign eth0 the IP it should have:


Snippet from: /etc/conf.d/net
config_eth0=(
    "69.164.197.24 netmask 255.255.255.0 broadcast 69.164.197.255"
    )
routes_eth0=(
    "default via 69.164.197.1"
    )

So, that makes sense for all the right reasons and there is not much more to say. Let’s shift the attention to IPv6. Linode doesn’t offer IPv6 by default, unlike their competition. To be honest, I don’t need IPv6, but it is something fun to play with and I have been learning something. It turns out that my tunnel from HE.net (free) actually has lower latency to some parts of the world than my IPv4 route and almost always fewer hops. Using the great examples from Robin (robbat2), I was able to put my IPv6 tunnel in /etc/conf.d/net too, so that it is created on reboot as tun0. Makes sense to do, right?

Snippet from: /etc/conf.d/net
HE="2001:0470" # 2001:470::/32 is the HE.net allocation
v6net64="${HE}:1f0f:2a0" # your initial /64 allocation from HE.net

# HE.net tunnel configuration
link_tun0="eth0" # tunnel IFACE (internet-facing iface, eg ppp0/eth0)
# tunnel IPv4 endpoint, remote, HE.net tells you this
iptunnel_tun0_remote="216.218.224.42"
# tunnel IPv4 endpoint, local
# this is the address of IFACE ${link_tun0}
iptunnel_tun0_local="69.164.197.24"

iptunnel_tun0="mode sit remote ${iptunnel_tun0_remote} local ${iptunnel_tun0_local} ttl 255 dev ${link_tun0}"
mtu_tun0=1280
config_tun0="${v6net64}::2/64" # /126
routes_tun0="default via ${v6net64}::1"

This is not exactly perfect, because I am using my tunnel’s /64 as my IPv6 address. The purists might say something about this practice; I respect that, but I don’t really mind for my personal use. Of course, if you didn’t have a tunnel and instead had native IPv6, it would look a lot simpler, because you just add the IP and route to the interface it is on, probably eth0.

Gentoo: Easy way to ditch your ISP nameserver

My linode is now my personal DNS resolver. I have officially ditched the ISP nameservers from this point forward now that I found unbound. Unbound is a lightweight, recursive resolver that is perfect for your LAN, co-located host, or even a single host.

For your single host, emerge unbound, start the service, and add 127.0.0.1 as the first nameserver in /etc/resolv.conf. Unbound is set up (by default) to accept connections from localhost and refuse anything else. If you are using dhcp at home (likely), then also emerge openresolv and uncomment name_servers=127.0.0.1 in /etc/resolvconf.conf; openresolv then “intercepts” dhcpcd when it tries to write to /etc/resolv.conf and adds 127.0.0.1 as your first nameserver :) For your LAN, just configure your router to look to the host that you set up unbound on, with additional configuration.

Finally, you can also have unbound run on your co-located host. Just edit /etc/unbound/unbound.conf to a) listen on an outside interface and b) allow your other host to query it. This will be left as an exercise for the reader; it is easy to figure out.
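As an added example of what that edit looks like (not from the post), assuming the public address 69.164.197.24 used elsewhere on this page and a constructed address of 203.0.113.7 for the other host: unbound’s built-in default refuses every client except localhost, so opening an interface without a matching access-control allow does nothing, and allowing anything wider than the hosts that should use it turns the box into an open recursive resolver that anyone on the internet can query.

```conf
server:
    # listen on loopback and on the outside interface
    interface: 127.0.0.1
    interface: 69.164.197.24              # the host's public eth0 address from this page
    # keep the default refuse-all and allow only the hosts that should use this resolver
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 203.0.113.7/32 allow  # constructed: your other host
```

Check the result from the other host with dig @69.164.197.24 and from an unrelated address, which should get REFUSED.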

Lastly, a shout-out to Linux Gazette for an excellent write-up on GoogleDNS (and why you should use something like unbound) and DNS/LAN metaphors. Suggested reading if you feel out of your league with DNS internals, like me. :)

A quote from the above linked article: “Why outsource to anyone, when you can do a better job locally, at basically no cost in effort?” And really, that is the truth. Have fun.

About PHP_FCGI_MAX_REQUESTS and lighttpd

If you are running PHP on a limited-resource box, like a VPS, then you may have seen your PHP pages randomly hang. I was able to trace this issue down because the PHP pages were hung while the normal HTML pages were still being served. The problem was ‘solved’ when I restarted the web server. Some research later, and after talking to Thilo (bangert), I found out about PHP_FCGI_MAX_REQUESTS. This is an environment variable that PHP respects; it basically tells PHP how many requests to serve before the fcgi process respawns. In my case, 500 seemed like a good number after testing. Your mileage may vary, but it is worth a try if you have those symptoms.


%% cat /etc/lighttpd/mod_fastcgi.conf 
server.modules += ("mod_fastcgi")
fastcgi.server = ( ".php" =>
    ( "localhost" =>
        (
            "socket"   => "/var/run/lighttpd/lighttpd-fastcgi-php-" + PID + ".socket",
            "bin-path" => "/usr/bin/php-cgi",
            "max-procs" => "2", # default 4
            "bin-environment" => (
                "PHP_FCGI_CHILDREN" => "2", # default 1
                "PHP_FCGI_MAX_REQUESTS" => "500" #default 1000
            )
        )
    )
)

Gentoo on Acer Aspire1, including binpkgs

About a month ago, I installed Gentoo on the new-to-me Acer Aspire1. Installation went like anything else, it is just a normal x86 host after all. I don’t have everything on it working, because I don’t care. If you are looking for additional resources on getting the extras working, you may want to look here or here.

The exciting part, that I got working and am ready to announce publicly, is my new atom-x86 binpkg repo. What makes this repo different from the binpkgs located on tinderbox.dev.gentoo.org/default-linux is that this repo has CFLAGS specific to the Intel Atom processor. I identified the compiler flags by using the following gcc command: gcc -Q --help=target -march=native, and set the following: -march=prescott -mtune=generic -msahf. On my linode (review) host, I have a chroot that builds all new packages in my world file (which comes from the aspire1) once a day. In this manner, I am able to always have binary packages available whenever I update my aspire1. Now, I have all the benefits of a source distro and the speed of a binary distro. :)

If you would like to use this repo, set PORTAGE_BINHOST in /etc/make.conf and add ‘getbinpkg’ to FEATURES (or use the emerge options directly). Be advised that, though this works for me, I make no guarantees for you.

PORTAGE_BINHOST="http://tinderbox.jolexa.net/atom-x86/"
FEATURES="${FEATURES} getbinpkg"

I also have an html view of the packages available.