QEMU/KVM Startup Script

Right now I’m running this with root privileges for the bridged network adapter.  I really need to find a better, cleaner way to do this…

#!/bin/sh
export QEMU_AUDIO_DRV=alsa
DISKIMG=/export/vm/win7old.qcow2
APPIMG=~/vm/apps.qcow2
VIRTIMG=/export/vm/virtio-win-0.1-81.iso
#CZ=~/vm/clonezilla-live.iso
CZ=~/vm/win7-64.iso
qemu-system-x86_64 --enable-kvm -drive file=${DISKIMG},if=virtio -m 8192 \
-device virtio-net,netdev=tunnel -netdev tap,id=tunnel,ifname=vnet0 \
-drive file=${VIRTIMG},index=3,media=cdrom \
-cdrom ${CZ} \
-rtc base=localtime,clock=host -smp cores=8 \
-drive file=${APPIMG},if=virtio \
-no-quit -no-frame \
-usbdevice tablet -soundhw all -cpu host -vga vmware
#-usb -device usb-host,hostbus=1,hostaddr=6
# Last part was working for USB pass through — disabled for now, slow?

Clonezilla Image Restored in Qemu/KVM

I managed to finally get a clonezilla image of an existing Windows 7 box to restore onto a KVM instance with Qemu. The kicker was getting the storage drivers installed onto the windows image. I found the key here: http://christian.hofstaedtler.name/blog/2013/01/using-dism-to-add-drivers.html!

dism /image:c:\ /add-driver /driver:d:\win7\amd64\viostor.inf

C: will be whatever drive your system (Windows installation) is recognized as — in my case it was actually e: due to my launch parameters.  Similarly “d:” will be wherever the ISO image for the virtio drivers is located — in my case it was “f:”.

OpenVPN Notes

Trying OpenVPN on an Ubuntu 14.04 EC2 instance. Warning: these are mostly just notes to myself — use with caution. That includes you, future me…

TLDR version: If it absolutely comes down to it, I think I could eventually make the community version do what I need. However, with more than just this on my plate, it is probably more cost effective (and sane) to go with the commercially supported one. Too many irons in the fire…

References:
https://help.ubuntu.com/14.04/serverguide/openvpn.html
http://www.linuxfunda.com/2013/09/14/how-to-install-and-configure-an-open-vpn-with-nat-server-inside-aws-vpc/

I will note that I did have my hostname set to the desired value going into this. It might make a difference since I’m going to be making keys…

sudo bash # because I’m lazy….
apt-get update && apt-get dist-upgrade
apt-get install openvpn
apt-get install easy-rsa

root@vpn:~# whereis openvpn
openvpn: /usr/sbin/openvpn /etc/openvpn /usr/lib/openvpn /usr/include/openvpn /usr/share/openvpn /usr/share/man/man8/openvpn.8.gz

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

vi /etc/openvpn/easy-rsa/vars  (straight from the Ubuntu help article referenced above — I modified the first 5 lines and left the last three as is.)

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN

root@vpn:~# cd /etc/openvpn/easy-rsa/
root@vpn:/etc/openvpn/easy-rsa# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@vpn:/etc/openvpn/easy-rsa# ./clean-all
root@vpn:/etc/openvpn/easy-rsa# ./build-ca
error on line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
140316838659744:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198

DOH!
line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf:
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES

vi /etc/openvpn/easy-rsa/vars

# Added to fix error on build-ca: line 198 of openssl-1.0.0.cnf seems to want
# an environment variable KEY_ALTNAMES — not sure what it does
# gonna give it something memorable in case it comes up later…
export KEY_ALTNAMES="BoogaBooga"

source vars
./clean-all
./build-ca

./build-key-server

I accepted the defaults as I had already customized the text config file…

I did my initial attempt with the default values (except the last two that require you to hit y). This means that I did NOT include
a challenge password. That is something I may want to look into..

./build-dh (Note that this uses 2048 bits by default rather than 1024)
cd keys/
cp .crt .key ca.crt dh2048.pem /etc/openvpn/

Build each client key (these should ultimately be removed from the server and exist only on the client machines…):
I think I will need to do this each time a new client machine is added (ick — need to script this out…)

cd ../ (cd /etc/openvpn/easy-rsa/)
source vars
./build-key client1

Server Config (From included sample files):

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz

vi server.conf:

ca ca.crt
cert .crt
key .key # This file should be kept secret

# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem

service openvpn restart (Just to make sure an old version wasn’t running)

root@myvpn:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@myvpn:/etc/openvpn# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 2437 root 6u IPv4 11132 0t0 UDP *:openvpn

tar cvzf ~/client1.tgz client1.crt client1.key ca.crt

then scp those to the client for testing
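Since the client-key steps above and this tar/scp step are what I keep saying needs scripting, here is an added helper (my own example, not from the OpenVPN or easy-rsa projects) that builds a client with easy-rsa, packages the three files, and then removes the client's private key from the server so it only lives on the client. It assumes the /etc/openvpn/easy-rsa layout from these notes; build_client and bundle_client are names I made up.

```shell
#!/bin/sh
# Helpers for adding a client to this OpenVPN server. build_client wraps the
# easy-rsa step from the notes; bundle_client packages the credentials and
# removes the client's private key from the server, since that key should
# only ever exist on the client machine.
EASYRSA_DIR=/etc/openvpn/easy-rsa   # layout used in these notes

# Generate a client cert/key with easy-rsa (vars must be sourced first, so
# do it in a subshell that does not pollute the caller's environment).
build_client() {
    ( cd "$EASYRSA_DIR" && . ./vars && ./build-key "$1" )
}

# bundle_client <name> <keys_dir> <out_dir>
# Prints the bundle path on success; returns 1 if any required file is absent.
bundle_client() {
    name=$1; keys=$2; out=$3
    for f in "$keys/$name.crt" "$keys/$name.key" "$keys/ca.crt"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    bundle="$out/$name.tgz"
    # -C stores relative paths so the client can unpack straight into /etc/openvpn
    tar czf "$bundle" -C "$keys" "$name.crt" "$name.key" ca.crt || return 1
    chmod 600 "$bundle"      # the bundle contains a private key
    # The private key has been handed over; it has no business staying here.
    if command -v shred >/dev/null 2>&1; then shred -u "$keys/$name.key"
    else rm -f "$keys/$name.key"; fi
    printf '%s\n' "$bundle"
}

# Typical use, following the flow in these notes (commented out so the file
# can be sourced without touching easy-rsa):
#   build_client client2 && bundle_client client2 "$EASYRSA_DIR/keys" "$HOME"
```

The client cert stays in keys/ so it can still be revoked later; only the .key is removed.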

on the client:

sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

sudo cp ca.crt client1.crt client1.key /etc/openvpn

vi /etc/openvpn/client.conf

remote my.vpn.svr.ip 1194
ca ca.crt
cert client1.crt
key client1.key

root@fizban:/etc/openvpn# service openvpn restart
* Stopping virtual private network daemon(s)… * No VPN is running.
* Starting virtual private network daemon(s)… * Autostarting VPN ‘client’

root@fizban:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@fizban:/etc/openvpn# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=106 ms
^C
--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 106.110/106.110/106.110/0.000 ms

So, now I have a vpn server that can talk over a tunnel to 1 client. At this point the client can ONLY talk to the VPN server….

So now I have to figure out IPTables…
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

if all goes well, I will :
service iptables save (that’s actually RHEL I think)
Ubuntu:
apt-get install iptables-persistent
service iptables-persistent start

vi /etc/sysctl.conf
-> uncomment: net.ipv4.ip_forward=1

sysctl -p

copy the configure-pat.sh from my nat instance (so I think it originates from the Amazon NAT AMI):

#!/bin/bash
# Configure the instance to run as a Port Address Translator (PAT) to provide
# Internet connectivity to private instances.

function log { logger -t "vpc" -- $1; }

function die {
    [ -n "$1" ] && log "$1"
    log "Configuration of PAT failed!"
    exit 1
}

# Sanitize PATH
PATH="/usr/sbin:/sbin:/usr/bin:/bin"

log "Determining the MAC address on eth0..."
ETH0_MAC=$(cat /sys/class/net/eth0/address) ||
    die "Unable to determine MAC address on eth0."
log "Found MAC ${ETH0_MAC} for eth0."

VPC_CIDR_URI="http://169.254.169.254/latest/meta-data/network/interfaces/macs/${ETH0_MAC}/vpc-ipv4-cidr-block"
log "Metadata location for vpc ipv4 range: ${VPC_CIDR_URI}"

VPC_CIDR_RANGE=$(curl --retry 3 --silent --fail ${VPC_CIDR_URI})
if [ $? -ne 0 ]; then
    log "Unable to retrieve VPC CIDR range from meta-data, using 0.0.0.0/0 instead. PAT may masquerade traffic for Internet hosts!"
    VPC_CIDR_RANGE="0.0.0.0/0"
else
    log "Retrieved VPC CIDR range ${VPC_CIDR_RANGE} from meta-data."
fi

log "Enabling PAT..."
sysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.eth0.send_redirects=0 && (
    iptables -t nat -C POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE 2> /dev/null ||
    iptables -t nat -A POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE ) ||
    die

sysctl net.ipv4.ip_forward net.ipv4.conf.eth0.send_redirects | log
iptables -n -t nat -L POSTROUTING | log

log "Configuration of PAT complete."
exit 0

I need to run this from something akin to rc3.d/S99local (add that to my todo list)

I copied this file to /usr/local/sbin/configure-pat.sh and added it to /etc/rc.local (which seems like the place to put it for Ubuntu 14.04).

Then I’m gonna reboot and see if anything works. I may have to configure routes for my subnets in aws???
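One thing worth checking after the reboot: the MASQUERADE rule I added by hand is scoped to 10.8.0.0/24, but the PAT script falls back to 0.0.0.0/0 when the metadata lookup fails, which turns the box into a NAT for any source that can route through it. This added check (my own example, not from the Amazon script) reads `iptables -t nat -S POSTROUTING` style rules and flags MASQUERADE entries with no source subnet; audit_masquerade and the sample rules are constructed here.

```shell
#!/bin/sh
# Audit NAT POSTROUTING rules for MASQUERADE entries that are not limited to a
# specific source subnet. Input is one rule per line in the format printed by
# `iptables -t nat -S POSTROUTING` (that output omits -s when the source is
# 0.0.0.0/0, which is exactly the fallback configure-pat.sh uses).
# Returns 0 when every MASQUERADE rule names a source subnet, 1 otherwise.
audit_masquerade() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-j MASQUERADE"*) ;;
            *) continue ;;        # only masquerade rules matter here
        esac
        # Pull out the -s argument, if there is one
        src=$(printf '%s\n' "$rule" | sed -n 's/.*-s \([^ ]*\).*/\1/p')
        case "$src" in
            ""|0.0.0.0/0|0.0.0.0/0.0.0.0)
                printf 'UNSCOPED: %s\n' "$rule"
                bad=1 ;;
            *)
                printf 'ok (source %s): %s\n' "$src" "$rule" ;;
        esac
    done
    return $bad
}

# Constructed sample: the scoped rule from these notes next to the rule the
# PAT script installs when the metadata lookup fails.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE'

# Stand-alone demo; on a real box replace the printf with
#   iptables -t nat -S POSTROUTING | audit_masquerade
printf '%s\n' "$SAMPLE_RULES" | audit_masquerade \
    || echo "at least one MASQUERADE rule would NAT traffic from any source"
```

Negated matches (`! -s`) are reported as scoped, so read the printed rules rather than trusting the exit code alone on an unfamiliar box.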

You know, it is at this point where the configuration ceases to be fun. I started looking more at the commercial version. Given that I have killed an entire afternoon and still have only the server and one client talking to each other, the price of the licenses is starting to look good!

Long term, I’d like to come back and work on this some more, but for now, it just isn’t cost effective to spend more time on it…

AWS and VPN’s

I’m about to enter the wonderful world of AWS and VPN’s.  I <think> I want to set up my own VPN server in the cloud to allow individual users to connect to a private test/development network rather than setting up a site-to-site VPN using the regular VPN tools.  I’m rather hoping that IPSec configuration is much better on the client side than it was 5-6+ years ago when I last looked into it.  Dang, I’m getting old all of the sudden…

AWS and Windows AD networks

I am starting on my first “real” design of a Windows AD forest on AWS.  I’m attempting to do it using some of the recommended approaches.

I’m using a mostly private network with NAT and RDP gateways across multiple availability zones.  I’m also trying to plan for future network growth and additional functionality as the use case grows.  Far too often, tight schedules end up causing designs to “happen” rather than be researched and planned.

Some days I feel like I’m trying to walk a rather large, determined, and eager Golden Retriever — while wearing roller-skates…

FYI: Me + roller-anything = REALLY bad idea.

Here goes nothing…

Not much here yet.