OpenVPN – Client working on Linux

I have been having a great time with my new pfsense router setup, especially the OpenVPN remote access server that I have set up on it. Connecting to my home network through my phone has been great for remote troubleshooting and all-around fun. Unfortunately, I was having a little trouble getting my Digital Ocean VPS to connect over the VPN to my home network. After a few hours, and many Google searches with few results, I finally figured out the issue. Hopefully this will help out others who are trying to get this working on a headless VPS!

From the pfsense box, you are going to want to export a client configuration for the VPS. This is pretty straightforward and can be done from the pfsense web interface (VPN|OpenVPN|Client Export). If you run into trouble here, make sure that you have a user set up (System|User Manager). I recommend that you use the “Standard Configurations|Archive” option for the export.

Once you have the config files, get them over to your VPS securely; they contain the CA certificate and, depending on the export type, the client certificate and private key, so do not mail them or push them over plain HTTP. I used SFTP to copy the files over. Now here is where the real fun starts!

Normally to connect to the OpenVPN access server you simply use the following command:

sudo openvpn <config>

Where the <config> is your configuration file (default exported as a .ovpn file). The issue I was running into was that after entering this command the client would start but it would just sit there and no connection to the access server would be made.

To find more info on what exactly was going on I used the verbose flag in the configuration file by adding this line:

verb 3

This showed me that the connection was waiting for the management-hold, whatever that is. I think this is used if you are running the client from a computer running network-manager, but I’m not sure. Once I found this out I edited the configuration file to comment out the management sections like so:

# dont terminate service process on wrong password, ask again
auth-retry interact
# open management channel
#management 127.0.0.1 166
# wait for management to explicitly start connection
#management-hold
# query management channel for user/pass
#management-query-passwords
# disconnect VPN when management program connection is closed
#management-signal
# forget password when management disconnects
#management-forget-disconnect

Notice that I did not comment out the ‘auth-retry interact’ line, but I’m not sure if it makes a difference.

Once the config file was edited I was able to get the client to the point where it prompts for the username and password, and everything connected just fine! Hopefully this will help out others who were having this issue. From searching online, I mostly found information on how to connect with the network-manager GUI, which is useless in a headless case like this.
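Here is the same edit as a script, so it can be repeated for every config you export. This is an added example and is not part of the original post or of pfSense’s exporter; it assumes the exported file is a plain-text .ovpn with one directive per line, and the sample config used to check it is constructed. The reason the client hangs is that management-hold tells OpenVPN to start in a hold state and wait until something connects to the management port (the GUI front ends the export is written for) and releases it. With nothing listening on a headless VPS it waits forever, so the whole management-* group has to go, and the script comments out exactly that group and nothing else.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a pfSense-exported
# .ovpn file for a headless host by commenting out every management-*
# directive (management, management-hold, management-query-passwords, ...).
# All other directives (auth-retry, remote, ca, cert, key, verb ...) pass
# through untouched. The config used in the check below is constructed.

# headless_config <exported.ovpn>  -> adjusted config on stdout
headless_config() {
    # Match "management" at the start of a line, followed by either a
    # "-suboption", whitespace and arguments, or nothing. Leading whitespace
    # is kept and a "#" is put in front of the directive.
    sed -E 's/^([[:space:]]*)(management(-[a-z-]+)?([[:space:]].*)?)$/\1#\2/' "$1"
}

# count_management <file> -> number of still-active management directives
# (0 means the file is safe to hand to a headless openvpn process)
count_management() {
    grep -c -E '^[[:space:]]*management' "$1" || true
}
```

With the management lines out of the way, run it unattended with `openvpn --config headless.ovpn --daemon --log /var/log/openvpn.log`. If the server wants a username and password, add `auth-user-pass /etc/openvpn/creds` pointing at a root-only (chmod 600) two-line file instead of a prompt the daemon cannot show, or better, switch the server to certificate-only authentication so there is no password to store at all.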

 

[DwarfFortress] Duerer Tileset

Normally when I play Dwarf Fortress I tend to play with the vanilla release and the ASCII tileset. In the past, I have tried out many of the different graphical tilesets that are popular (spacefox, Pheobus) but none of them have really stuck. I always end up going back to the plain ASCII because it gives me more room for imagination. The dwarfs don’t look any certain way on the screen, it leaves the way they look up to me and I like that. Part of the fun of playing DF is that you get to use your imagination to create the world… The game itself is just a framework, a scaffolding to help you create a story and a world.

A while back I came across a post on the DF forum by user ‘HaterSkater’ posting his fabulous ‘Duerer’ tileset. The tileset attempts to make the game look like an old 15th century map. In his very own words: “That’s it. Engraved Dwarf Fortress.”

Here is a link to the post where you can see examples of the wonderful artwork: DF Forum Post

As you can see it’s really beautiful, and the first time I saw it I was impressed with the way it transformed the game. Most tilesets make the game more ‘playable’, but they also add a cartoon-like element and often change certain symbols into a picture of the object, which can cause confusion when reading text, for example. The Duerer tileset does little of that and actually makes the game look like you are playing in a whole new world. Some kind of cross between an old 90’s Age of Empires slash Kings Quest and an old Ultima map.

I loaded up the tileset last night on an existing fort I’m running and I was amazed on how it changed the feel of the fortress right away! It’s almost as if I am playing a whole different game!

Here are some screenshots:


As you can see, the map looks amazing and he really did a lot of work to get the feel just right. I have to say this tileset may be the one that rips me away from the default. I just love the brown feel of the world now! Hats off to you HaterSkater!

(Book) Symbols of Transformation

Yesterday, I was in Sacramento CA for work and had some time at lunch to head by one of my favorite book stores, “Beers Books”. While browsing around I glanced upon the Psychology section and found a book, “Symbols of Transformation” by CG Jung. Thumbing through the pages I was thrilled to find everything I was reading was insightful and enthralling to me. I’ve never been deep into Psychology in any capacity besides an ephemeral interest, simply because I like to think about things; but this book has really captivated me! I’ve spent some time jumping around and reading random bits before deciding to start from page one and plow through it. I’m on page 25 and have already come across some great tidbits of information that I thought I would share:

  • Individual consciousness is only the flower and the fruit of a season, sprung from the perennial rhizome beneath the earth; and it would find itself in better accord with the truth if it took the existence of the rhizome into its calculations for the root matter is the mother of all things.
  • I do not consider scientific work as a dogmatic contest, but rather as a work done for the increase and deepening of knowledge.
  • Language was originally a system of emotive and imitative sounds… Thus, language, in its origin and essence, is simply a system of signs and symbols that denote real occurrences or their echo in the human soul.
  • Speech is generated by the intellect and in turn generates intellect.
  • American life is in subtle ways so one sided. The real natural man is just in open rebellion against the utterly inhuman form of life.
  • We have become rich in knowledge, but poor in wisdom.
  • All the creative power that modern man pours into science and [technology] the man of antiquity devoted to his myths.

These are just a few of the great thoughts that I have found in this text. The man is a modern day (or as close to modern day) magician. If consciousness is the catalyst of creation; then the deep dive into the mind of intelligent beings is the act of the mystic. It is exciting to me that I have stumbled upon this wonderful mind and his awesome works. As I work my way through this book I hope to find many more fascinating bits of knowledge.

Migrate FSMO Roles (INFO.DUMP)

I recently installed a few new Server 2012 servers into my existing Server 2003 domain, and one of them is going to hold the FSMO roles for the forest. Below are my notes on how to transfer all the important roles from a Server 2003 machine to a Server 2012 machine. Keep in mind that the process is the same for Server 2008 migrations and will also work when doing 2012 to 2012 migrations.

<Begin (INFO.DUMP)>

To transfer a domain-level operations master role:
—————————————————————————-
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.

2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller.

3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed.

4. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK.

5. At the top of the console tree, right-click Active Directory Users and Computers, click All Tasks, and then click Operations Masters.

6. The name of the current operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box.

7. Click the tab for the operations master role that you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, and then click OK.

8. Repeat step 7 for each of the other roles you want to transfer; RID, PDC and Infrastructure are tabs in the same Operations Masters dialog.
# Note: In a multi-domain forest, the Infrastructure master should not sit on a Global Catalog server unless every domain controller in the domain is a Global Catalog. A GC holds a copy of every object, so an Infrastructure master on a GC never notices stale cross-domain references and stops updating them. In a single-domain forest there are no cross-domain references, so it does not matter.

Transfer the schema master role:
—————————————————————————-
1. Open the Active Directory Schema snap-in. If you have not already installed the Active Directory Schema snap-in, please see Install the Active Directory Schema snap-in (http://go.microsoft.com/fwlink/?LinkID=209652).
# Note: Your account must be a member of the Schema Admins group for this role; Domain Admins alone is not enough.

2. In the console tree, right-click Active Directory Schema and then click Change Domain Controller.
# Note: The snap-in connects to the current schema master by default; this step points it at the DC that is going to receive the role.

3. Click Specify Name and type the name of the domain controller that you want to hold the schema master role.

4. In the console tree, right-click Active Directory Schema, and then click Operations Master.

5. Click Change.

To transfer the domain naming master role:
—————————————————————————-
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

3. In Enter the name of another domain controller, type the name of the domain controller you want to hold the domain naming master role.

Or, click the domain controller in the list of available domain controllers.

4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

5. Click Change.

NOTES:
—————————————————————————-
* RID Role: The RID Master FSMO role owner is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for moving an object from one domain to another during an interdomain object move.
* http://msdn.microsoft.com/en-us/library/cc223751.aspx

* PDC Role: Handles password changes (other DCs forward failed authentications to it so a just-changed password works everywhere), account lockout, time synchronization for the domain, and it is the default DC that Group Policy edits are written to.
* http://msdn.microsoft.com/en-us/library/cc223752.aspx

* Infrastructure Role: When an object in one domain is referenced by an object in another domain, the reference is stored as a dsname (a phantom), and the Infrastructure master keeps it current when the referenced object is moved or renamed. There is one Infrastructure FSMO role per domain and per application NC in a directory.
* http://msdn.microsoft.com/en-us/library/cc223753.aspx

* Instructions to identify operations master roles: http://technet.microsoft.com/en-us/library/cc758669(v=ws.10).aspx
* RID: dsquery server -hasfsmo rid
* PDC: dsquery server -hasfsmo pdc
* Infrastructure: dsquery server -hasfsmo infr
* Domain Naming Master: dsquery server -hasfsmo name
* Schema Master: dsquery server -hasfsmo schema
* All five at once: netdom query fsmo

 <End (INFO.DUMP)>

Crazy-Bad Windows 8 Metro Chrome crap.

If you can’t tell, I have a little animosity towards Windows 8. A while back, before Windows 8 was released, I saw a video put out by M$ talking about how their analytics showed that no one was using the “Start Button”. I remember thinking that this was an insightful remark, because I know that everyone who uses Windows 7 will launch applications from either the desktop or the “Task Bar” without ever even touching the “Start Menu”.

So in my mind I’m thinking they are going to end up with something similar to the Mac OS launcher that resides at the bottom of the screen. But OH NO! That would be a good thing, and M$ has to always fuck up. So what do they do? They essentially force everyone to use the “Start Button” by 1) making the start menu the default screen when you log in and 2) making the start menu full screen!

But I digress….

Today I just want to do a quick post on how to get Google Chrome to open as a window on the desktop rather than full screen as a Metro style app.

In order to do this you have to edit the registry (disclaimer: you can really mess things up when editing the registry. If you don’t know what you are doing then you might want to just leave it alone.)

Here is the key that you need to edit:

HKEY_CURRENT_USER\Software\Google\Chrome\Metro\launch_mode

On my machine I had to create the “launch_mode” DWORD. (Right-click\New\DWORD (32-bit) Value).

Set the value to “0” and then re-open Chrome. It should now open in the sane windows desktop mode rather than the insane Metro mode.

Setup SSL (https) for ownCloud (info.dump)

Here is another info.dump with directions on how to set up SSL on your ownCloud server. This greatly improves the security of your server: without it, your password and every file you sync cross the network in plain text, where anyone on the path can read them. If you are going to be using ownCloud outside of a private LAN, this is a must!

NOTE: Most of these directions were found here on the ‘Ubuntu Server Guide’ site…

http://ubuntuserverguide.com/2013/04/how-to-setup-owncloud-server-5-with-ssl-connection.html

Server is assumed to be running Linux (Ubuntu 12.04).

Change to ‘root’:
sudo -i

Edit the file /etc/apache2/sites-enabled/000-default (a symlink to the copy in sites-available) and change AllowOverride None to AllowOverride All in the <Directory /var/www/> block. ownCloud relies on the .htaccess files it ships (they are what keeps the data directory from being served directly), and Apache ignores them unless AllowOverride permits it.

The section of the file should end up looking like this:
DocumentRoot /var/www
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride All
</Directory>

You will need to enable the Apache modules mod_rewrite, mod_headers and mod_ssl (ownCloud’s .htaccess rules need the first two, HTTPS needs the third). To enable all three use the following command:
a2enmod rewrite && a2enmod headers && a2enmod ssl

Restart apache2 daemon:
service apache2 restart

Edit the configuration file /etc/ssl/openssl.cnf so the CA commands below pick up your CA directory and defaults. The first two settings live in the [ CA_default ] section, default_bits in [ req ], and the two *_default values in [ req_distinguished_name ]:

dir = /root/SSLCertAuth
default_days = 3650
default_bits = 2048
countryName_default = US
0.organizationName_default = "Organization Name"

Create the directory that will hold the Certificate Authority, in this case SSLCertAuth. This is the layout openssl ca expects: issued certs, the private key, the new-certificate store, a serial counter and an index database. Keep it root-only; whoever gets the CA key can issue certificates your clients will trust:

mkdir /root/SSLCertAuth
chmod 700 /root/SSLCertAuth
cd /root/SSLCertAuth
mkdir certs private newcerts
echo 1000 > serial
touch index.txt

To generate the Certificate Authority (CA) run the following:
Note: You will be asked for a PEM passphrase that encrypts the CA private key; choose a strong one and store it somewhere safe, because anyone holding private/cakey.pem plus the passphrase can mint certificates your clients will trust. Fill in the rest of the prompts carefully. The common name you give here is just a label for the CA (for example “Home CA”); the site’s external hostname belongs in the common name of the signing request in the next step.

openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout private/cakey.pem -out cacert.pem \
-config /etc/ssl/openssl.cnf

Create a Certificate Signing Request for the web server. The common name must be the site’s external hostname, exactly what clients will type into the browser; -nodes leaves the key unencrypted so Apache can start without a passphrase prompt:

openssl req -new -nodes \
-out apache-req.pem \
-keyout private/apache-key.pem \
-config /etc/ssl/openssl.cnf

Sign the request with your CA to generate the certificate. The default policy in openssl.cnf (policy_match) requires the request’s country, state and organization to match the CA certificate’s, so answer those prompts identically in both steps or openssl ca will refuse to sign:

openssl ca \
-config /etc/ssl/openssl.cnf \
-out apache-cert.pem \
-infiles apache-req.pem

Copy the certificate and key into /etc/ssl, and make sure the key is readable only by root (chmod 600 /etc/ssl/key/apache-key.pem), since it is stored unencrypted:

mkdir /etc/ssl/crt
mkdir /etc/ssl/key
cp /root/SSLCertAuth/apache-cert.pem /etc/ssl/crt
cp /root/SSLCertAuth/private/apache-key.pem /etc/ssl/key

Configure the HTTPS virtual host. Create the new file /etc/apache2/conf.d/owncloud5-ssl.conf (conf.d is included by apache2.conf on 12.04). Keep the SSL logs with the rest of the Apache logs in /var/log/apache2 rather than under /var/www, where the plain-HTTP default site would happily serve them to anyone who asks for /logs/:

touch /etc/apache2/conf.d/owncloud5-ssl.conf

Edit the file with the following info. ServerName must be the hostname you put in the certificate’s common name; a bare IP address will not match the certificate:

<VirtualHost *:443>
    ServerName cloud.example.com   # the common name from your certificate
    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/apache-cert.pem
    SSLCertificateKeyFile /etc/ssl/key/apache-key.pem
    DocumentRoot /var/www/owncloud
    CustomLog /var/log/apache2/ssl-access_log combined
    ErrorLog /var/log/apache2/ssl-error_log
</VirtualHost>

Restart the apache2 server:

service apache2 restart

That is it! Now go to your ownCloud page with https:// and you should have a secure connection! You can confirm the certificate Apache is actually serving with openssl s_client -connect your.hostname:443 -CAfile /root/SSLCertAuth/cacert.pem, which should end with “Verify return code: 0 (ok)”.

NOTES:

  • You will need to make sure that you have your NAT forwarding port 443 to your server to allow the secure traffic to reach it.
  • If this does not work (EX. You don’t get a webpage) you may need to make sure that you have the correct info entered in /etc/apache2/conf.d/owncloud5-ssl.conf under DocumentRoot /var/www/owncloud. I have seen this location be different if you did not install using the ownCloud repo (see my other post on installing ownCloud for the right way to do it: https://atari911.com/2013/07/29/install-owncloud-info-dump/).
  • Your browser will show a warning (the red X over https://) because the certificate chains to your own CA rather than to one in the browser’s trust store. Do not just click through it every time: that trains you to accept any certificate, including one an attacker substitutes, and throws away the protection you just set up. Instead, copy /root/SSLCertAuth/cacert.pem to each device you connect from, compare its fingerprint (openssl x509 -in cacert.pem -noout -fingerprint -sha256) with the one on the server, and import it as a trusted authority (in Firefox under the Authorities tab of the certificate manager; on Ubuntu, copy it to /usr/local/share/ca-certificates/ with a .crt extension and run update-ca-certificates). The warning then disappears, and the browser will actually refuse a forged certificate instead of asking you about it.
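For a repeatable, non-interactive version of the CA-plus-server-certificate steps above, here is the procedure as a shell function. This is an added example and is not from the original post or the Ubuntu Server Guide it follows. It differs from the steps above in three ways worth knowing: it signs with openssl x509 -req instead of the openssl ca index/serial database, it writes its own minimal OpenSSL config so it does not depend on edits to /etc/ssl/openssl.cnf, and it puts a subjectAltName on the server certificate, which browsers now require (the common name alone is ignored). The directory, the hostnames and the CA_PASS variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA and a
# server certificate with a subjectAltName, non-interactively.
# Assumptions: the target directory, "Home Lab" names and the CA_PASS
# environment variable (CA key passphrase) are placeholders.
#
# Usage: export CA_PASS='long passphrase'; make_ca_and_cert /root/SSLCertAuth cloud.example.com

make_ca_and_cert() (                        # subshell: cd and umask stay local
    dir=$1; host=$2
    umask 077                               # every file created below is owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Minimal CA config: CA:TRUE and keyCertSign, nothing else implied.
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' 'O = Home Lab' 'CN = Home Lab CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > ca.cnf

    # 1. CA key, encrypted with the passphrase from CA_PASS (env: keeps it
    #    off the command line and out of `ps`), and a 10-year CA certificate.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -config ca.cnf \
        -keyout ca.key -passout env:CA_PASS -out ca.crt >/dev/null 2>&1 || exit 1

    # 2. Server key (unencrypted so Apache can start unattended) and a CSR
    #    whose common name is the external hostname.
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'O = Home Lab' "CN = $host" > server.cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config server.cnf \
        -keyout server.key -out server.csr >/dev/null 2>&1 || exit 1

    # 3. Sign the CSR with the CA, adding the SAN and server-auth extensions.
    printf '%s\n' "subjectAltName = DNS:$host" 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' 'extendedKeyUsage = serverAuth' > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin env:CA_PASS \
        -CAcreateserial -days 825 -sha256 -extfile server.ext -out server.crt \
        >/dev/null 2>&1 || exit 1
    rm -f server.csr server.ext server.cnf ca.cnf

    # 4. Verify the chain the way a client will, then print the CA fingerprint
    #    to compare on each client before ca.crt is imported there.
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 1
    openssl x509 -in ca.crt -noout -fingerprint -sha256
)

# cert_has_san <cert> <host>: succeeds if the certificate lists DNS:<host> in its SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Point SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key in the virtual host above, and import ca.crt (never ca.key) on the clients. The CA key stays encrypted at rest; the server key is the one file that must be unencrypted, which is why it gets the 600 permissions from the umask.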

Install ownCloud (info.dump)

Here is a quick info.dump that lays out the commands required for installation of ownCloud 5.0.x on a server running Ubuntu 12.04.

Run the following as root (EX sudo -i):

Add the repository signing key to apt. The key is fetched over plain HTTP, so compare its fingerprint with the one published by the project before trusting it; apt will then verify every package against it:
wget http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_12.04/Release.key
apt-key add - < Release.key

Add the repository (an openSUSE Build Service repository, not a Launchpad PPA):
echo 'deb http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_12.04/ /' >> /etc/apt/sources.list.d/owncloud.list

Install (you are already root, so sudo is not needed here):
apt-get update
apt-get install owncloud

That is about it!

Notes:
/var/www/owncloud/data is where the uploaded files are stored. It sits inside the web root and is protected from direct download only by the .htaccess ownCloud ships, which is why Apache must have AllowOverride All for that tree.
/var/www/owncloud/config/config.php is where the configuration file is located.

Check active internet connections

Every once in a while I will notice the network light on my laptop is flashing when I am not doing anything that I know of online that would cause this. Wouldn’t it be nice to be able to see what programs are communicating with the network?

By using the ‘netstat’ command you can! The following switches list every TCP (-t) and UDP (-u) socket with numeric addresses (-n) and the PID and program name that owns it (-p):

netstat -tunp

Run it with sudo: without root, netstat can only name your own processes and shows ‘-’ for everyone else’s, which is exactly the column you care about here. On newer distributions netstat is deprecated in favour of ss -tunp, which takes the same switches.

You should get output similar to the screenshot in the original post: one line per socket, with the local and remote address:port, the connection state, and the owning PID/program in the last column.
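The raw listing gets long fast, so here is a small awk filter that boils netstat -tunp output down to one line per socket (program, PID, local, remote, state) and pulls out the connections whose owner could not be read. This is an added example and not part of the original post; the sample rows it is checked against are constructed, not captured. The one wrinkle it handles is that UDP rows have no State column, so the PID/Program field is read from the last column rather than a fixed position.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `netstat -tunp`
# output as "PROGRAM PID LOCAL REMOTE STATE", one line per socket.
# UDP rows print no State, so the owner is taken from the last field ($NF)
# instead of a fixed column. Sample input is constructed, not captured.

# summarize_connections  (reads netstat -tunp output on stdin)
summarize_connections() {
    awk '
        # skip the two header lines netstat prints
        /^Active Internet/ || /^Proto/ { next }
        /^(tcp|udp)/ {
            pidprog = $NF                       # "2345/firefox", or "-" when not root
            state = (NF >= 7) ? $6 : "-"        # udp rows have no State column
            n = split(pidprog, parts, "/")
            pid  = (n == 2) ? parts[1] : "?"
            prog = (n == 2) ? parts[2] : "unknown"
            printf "%s %s %s %s %s\n", prog, pid, $4, $5, state
        }'
}

# unknown_connections: established connections whose owning process netstat
# could not identify (shown as "-" unless run as root). These are the ones
# to re-check with sudo, since a process you cannot name is the interesting case.
unknown_connections() {
    summarize_connections | awk '$1 == "unknown" && $5 == "ESTABLISHED"'
}
```

Typical use is sudo netstat -tunp | summarize_connections | sort | uniq -c to see how many sockets each program holds; the same filter works on ss -tunp output only after adjusting the column numbers, since ss lays its fields out differently.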

PLEX Media Server

I recently setup PLEX on my home media server. Here I will go over the setup and configuration required to allow PLEX to serve your media files and then push them to your Roku for TV viewing.

There were a few things to note about PLEX:

* I could find no solution for adding authentication to your PLEX server. This means I would not recommend that you point your PLEX server at the outside world. If you do, anyone who knows your IP address could browse and watch your media. Also, this may open up a plethora of attack vectors to your server.

* PLEX is a great solution if you have a ‘headless’ server. Headless means that you only have the server connected via network connection and do not have a monitor attached. In this case I would connect the PLEX server to something like a Roku box (http://www.roku.com).

* It is very important to the PLEX server how you organize your media. Once setup (see below), PLEX does an excellent job of searching various databases for media information and it displays that information seamlessly. Once everything is configured it does all the work for you.

This being said, I am going to go over how to install PLEX on Ubuntu 12.10 (most other versions of Ubuntu and flavors of Linux should be similar, if not the same), configure it, and organize your media files.

Install PLEX:

Installation of PLEX is a breeze because they support Linux from the start, so no compiling of source code is required. They also make it easy for Debian-based distributions (EX Ubuntu) by including a .deb on their site.

First thing you will want to do is download the package:

Version 0.9.7.28.33 64-bit:
wget http://plex.r.worldssl.net/plex-media-server/0.9.7.28.33-f80a4a2/plexmediaserver_0.9.7.28.33-f80a4a2_amd64.deb

Version 0.9.7.28.33 32-bit:
wget http://plex.r.worldssl.net/plex-media-server/0.9.7.28.33-f80a4a2/plexmediaserver_0.9.7.28.33-f80a4a2_i386.deb

NOTE: They also have RPM packages for CentOS and Fedora available on the site: http://www.plexapp.com/getplex/

Now that you have the package downloaded on your server, install it (as root, or with sudo, since dpkg writes to system directories):

dpkg -i <package.deb>
Where <package.deb> is the name of the package you downloaded.

This will install the PLEX server onto your system. That’s really all there is to it.

Configuration of PLEX:

Once PLEX is installed on your server you can check to make sure it is running, as well as configure the server by pointing your browser to:

http://localhost:32400/web/index.html

To begin adding content to your PLEX server you will have to point the server to where you have your media stored. You can do this by going to the “My Library” section at the top of the page and clicking on the “+” sign to add a location. When you press the “+” button you will be presented with the Add Library Section window (shown in a screenshot in the original post).
It is important here to point out the different options that you are able to select because each option will tell the server what ‘type’ of media is stored at the location.

For instance, if you point the Movies section of the PLEX server to a folder that contains all of your Simpsons episodes, the server will not display the media in the correct format. It will think that every episode is a movie and will attempt to download movie information about each episode and fail, leaving you with a mess of content and no media info.

You can refer to the Wiki to get a good idea of the proper naming conventions here:
http://wiki.plexapp.com/index.php/Media_Naming_and_Organization_Guide

Once I pointed PLEX’s “Movies” option to the folder that contained all my movies, it picked it up and automatically added the meta data without any special re-naming of the actual sub-folders or video files.

Also, PLEX has dealt with just about every video format and container that I have thrown at it without a problem.