Oct 262021
 October 26, 2021  Posted by at 1:20 pm Tutorial, vpn 12 Responses »

Wireguard is a wonderfully superior VPN. Its simple, fast, lightweight, modern, GPL licensed and very secure. Read more at Wireguard.com

Here is the setup: is the home lan subnet with as the OpenWRT gateway/router (v19.07.4). is a public vlan that we will setup to route over the vpn. is the wireguard subnet with as the Wireguard interface (wg0).
Each wireguard client will be assigned an address between

Begin by installing the required packages on the OpenWRT gateway (Alternately, this can be done from Luci. System -> Software)
ssh root@
opkg update
opkg install luci-app-wireguard wireguard wireguard-tools
Add a new interface for Wireguard. From the Luci interface go to “Network -> Interfaces -> Add New interface”. Call it wg0

Generate a public/private key for the server using the wg utility
wg genkey | tee [name].privatekey | wg pubkey > [name].publickey
For example:
wg genkey | tee mywgserver.privatekey | wg pubkey > mywgserver.publickey

cat mywgserver.publickey
cat mywgserver.privatekey

Create the Wireguard interface.
Add the private key from above
listen port 51820
keep alive of 25

Optionally, add the following to /etc/config/network

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'QFLJ9p7MFz31DxTqNKCTu2ARhxLvN0lWhvoKarBT2Vg='
	option listen_port '51820'
	list addresses ''

Create a firewall zone for the wg0 interface and allow forwarding to and from the lan and public zones. As well as allow it to forward to the wan zone. This is needed when routing all traffic through the vpn.   Network -> Firewall -> Add (zone)

Optionally, add the following to /etc/config/firewall

config zone
	option name 'wg'
	option input 'ACCEPT'
	option network 'wg0'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option dest 'lan'
	option src 'wg'
config forwarding
	option dest 'public_zone'
	option src 'wg'
config forwarding
	option dest 'wg'
	option src 'lan'
config forwarding
	option dest 'wg'
	option src 'public_zone'
config forwarding
        option dest 'wan'
        option src 'wg'

We need to open up the Wireguard port  in the firewall. You can use any port you like. I’m using the default (51820).
Network -> Firewall -> Traffic Rules -> Add
Change the following, leaving everything else default
Name: wan-local-wg
Protocol: UDP
Source zone: wan
Destination zone: Device
Destination port: 51820

Optionally, add a firewall rule to /etc/config/firewall

config rule
        option dest_port '51820'
        option src 'wan'
        option name 'wan-local-wg'
        option target 'ACCEPT'
        list proto 'udp'

Now lets setup a peer (client).

Generate a public private keypair
wg genkey | tee jason.privatekey | wg pubkey > jason.publickey

cat jason.privatekey
cat jason.publickey 

From Network -> Interfaces. “Edit” wg0 -> Peers -> Add Peers

– Add a description: jason
– Paste the public key: N6bm45DTywv+dvTK5FRk47Agil+n+k5N0JyaOvfL7iw=
– Add a Preshared Key if you are worried about quantum computing compromising your keypair sometime in the future.
– Set “Allowed IPs” to an ip inside the wireguard subnet ( For this peer we will use If you add another peer this address will need to be unique. So the next peer can use .11/32.
Wireguard uses a ip to pubkey mechanism called cryptokey routing. In this case any traffic destined for will be encrypted with this peers public key “…L7iw=” and sent to its most recent endpoint address.
– Change the “Persistent Keep Alive” to 25 seconds, which is recommended for traversing NAT. If your not behind NAT leave it blank.

Optionally, you can add a peer directly to /etc/config/network

config wireguard_wg0
	option persistent_keepalive '25'
	option public_key 'N6bm45DTywv+dvTK5FRk47Agil+n+k5N0JyaOvfL7iw='
	option description 'jason'
	list allowed_ips ''

After adding a peer the wg0 interface needs to be restarted!

Now we are ready connect as a peer to this server. This can be done a number of ways. Wireguard has adopted a modular model like most GNU projects. They don’t concern themselves with the configuration or key distribution.
Here is a quote from the project “WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers’ public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN

There are a few client connection options. You can do this manually (or scripted) using ip and wg or there is a helper script called wg-quick.
This is part of the wireguard-tools package on Debian.
I recommend wg-quick because its easy and slick. Create a config file called something like jasonvpn.conf either in your home directory someplace or in /etc/wireguard/
I prefer the vpn config in my home directory. I place mine in a directory called ~/wg/
Here is the client config with some options commented out (#) for reference. Save this to a file called whatever.conf and run wq-quick up whatever.conf

Address =
PrivateKey = OHs907NqGJD1NWY2yvrGjhYvNju48Q+E8/nnSy4jKmE=
#DNS =

PublicKey = LOXb3qL66NfFMWim9tQP+RhWsEVpnlQpm1kpcpJsYHU=
Endpoint = [wireguard server IP or hostname]:51820
#AllowedIPs =, ::/0
AllowedIPs =,

# This is for if you're behind NAT
PersistentKeepalive = 25

Take note that the [Peer] PublicKey is the servers (openwrt gateway) public key and the [Interface] PrivateKey is the private key we generated for Jason. The corresponding public key for Jason is what we added to the servers Peer section.

The above “AllowedIPs” will allow for split tunnel, where the client can connect to remote subnet and and any other traffic will route out of their default gateway. If you want to route all traffic through the vpn then set “AllowedIPs =, ::/0”

Wireguard uses some fancy routing features of iproute2. Containers, Namespaces, and using fwMark to solve deficiencies of the old routing methods.
Lets test the above whatever.conf connection. Instead of calling it whatever.conf I have called it vv.conf and saved it in ~/wg/
Now lets start the vpn

sudo wg-quick up wg/vv.conf 
Warning: `/home/jason/wg/vv.conf' is world accessible
[#] ip link add vv type wireguard
[#] wg setconf vv /dev/fd/63
[#] ip -4 address add dev vv
[#] ip link set mtu 1420 up dev vv
[#] ip -4 route add dev vv
[#] ip -4 route add dev vv

Can we ping the remote gateway?

PING ( 56(84) bytes of data.
--- ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8188ms

Nope. Lets check the status using wg show

sudo wg show
interface: vv
  public key: N6bm45DTywv+dvTK5FRk47Agil+n+k5N0JyaOvfL7iw=
  private key: (hidden)
  listening port: 42233
peer: LOXb3qL66NfFMWim9tQP+RhWsEVpnlQpm1kpcpJsYHU=
  endpoint: [remote ip]:51820
  allowed ips:,
  transfer: 0 B received, 6.36 KiB sent
  persistent keepalive: every 25 seconds

Looks like its setup but not receiving any data. Aha! I forgot to restart the server interface after adding a peer.

Also, lets fix the error “Warning: `/home/jason/wg/vv.conf’ is world accessible”
chmod o-r /home/jason/wg/vv.conf

A convenient way to use wireguard is by adding the client to your network-manager.
Left click Network Manager -> VPN Connections -> “Configure VPN…”

or run nm-connection-editor from a terminal  (I don’t know how to do this from Gnome’s network manager front end).

Lastly, you can automatically start wireguard using systemd

Place your client config (vv.conf) in /etc/wireguard/

and run systemctl enable wg-quick@vv

Oct 132021
 October 13, 2021  Posted by at 11:46 am Tutorial Tagged with: , ,  No Responses »

This is a concise tutorial, it is not meant to be a hand holding step by step guide. Please comment or contact me if you find errors.

Setup a domain/sub domain with an A record to the ip of the server or a CNAME to a “dynamic DNS” hostname. I recommend https://freedns.afraid.org.
The server needs to have ports 80 and 443 reachable to the public. The DNS must be propagated for letsencrypt to be successful.

Start the install

apt-get install apache2 mariadb-server libapache2-mod-php php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-bz2 python3-certbot-apache redis-server php-redis php-bcmath php-gmp ffmpeg curl coreutils

Download Nextcloud

wget https://download.nextcloud.com/server/releases/latest-22.tar.bz2

Make sure the md5 matches
md5sum latest-22.tar.bz2
curl https://download.nextcloud.com/server/releases/latest-22.tar.bz2.md5

Extract the tar file and change permissions
tar xfv nextcloud-22.x.tar.bz2
mv nextcloud/ /var/www/example.com/
chown www-data:www-data -R /var/www/example.com/

Setup Apache

Create a apache virtual site
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf

edit /etc/apache2/sites-available/example.com.conf
uncomment and change
ServerName example.com
change log location if you would like
ErrorLog ${APACHE_LOG_DIR}/example.com_error.log
CustomLog ${APACHE_LOG_DIR}/example.com_access.log combined

a2ensite example.com

a2enmod php7.4 rewrite headers env dir mime userdir dav ssl

service apache2 restart

Setup Letsencrypt

certbot --apache -d example.com

tell it to redirect http to https

Edit /etc/apache2/sites-enabled/example.com-le-ssl.conf

  <Directory /var/www/example.com/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
      Dav off

Configure php
edit /etc/php/7.4/apache2/php.ini

memory_limit = 768M
upload_max_filesize = 1024M
post_max_size = 1024M
max_execution_time = 300

Create a database, user and password for nextcloud

mariadb -uroot

CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'PASSWORD';
FLUSH privileges;

run the installer at https://example.com/

Now we can setup Redis

edit /etc/redis/redis.conf
Under the # Unix socket. section add the following

port 0
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770

add www-data to redis group

usermod -a -G redis www-data
/etc/group will now have an entry like this “redis:x:119:www-data”

systemctl enable redis-server

Add the following to /var/www/example.com/config/config.php

'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'dbindex' => 0,
    'timeout' => 1.5,

edit /etc/php/7.4/apache2/php.ini

  opcache.revalidate_freq = 1

systemctl restart redis-server
systemctl restart apache2
Setup cron for Nextcloud

crontab -u www-data -e
*/5 * * * * php -f /var/www/example.com/cron.php


Jan 202020
 January 20, 2020  Posted by at 11:36 pm Tutorial Tagged with: , ,  12 Responses »

The reason I use x11vnc is that it connects to the existing graphical session. Most other vnc servers will spawn an entirely new graphical session. While that is super cool, I don’t want that feature. This is for remote support, where I want the user and the supporter to share the same session. I use the ‘-auth guess’ to have x11vnc guess the XAUTHORITY file‐name and use it appropriately. This avoids the annoying hard coding of gdm, lightdm, xdm or specific users .Xauthority.

Install x11vnc
# apt-get install x11vnc

The following should work for any distro that uses systemd, just the apt bits are Debian specific.

Generate the password and store it under etc so no users can change this password, only root. You can do this under your users home so that its not managed by root. In my case I didn’t want the user to be able to change or accidentally delete the password.
# x11vnc -storepasswd /etc/x11vnc.pwd

edit (create new) the following file
use whatever text editor you prefer, here I use vi
# vi /etc/systemd/system/x11vnc.service

And add the following, making any changes you want to the x11vnc ExecStart
See the man page for explanations of the switches

Description=Start x11vnc at startup.

ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /etc/x11vnc.pwd -rfbport 5900 -shared -o /var/log/x11vnc.log


Now enable the above, start it and verify its running and listening properly
# systemctl enable x11vnc
# systemctl start x11vnc
# netstat -pat
tcp 0 0* LISTEN 2806/x11vnc

Now that the server is all setup lets move onto the client
apt-get install tigervnc-viewer
vncviewer [remote host ip or hostname]


Sep 132018
 September 13, 2018  Posted by at 5:53 pm Tutorial Tagged with: , ,  2 Responses »

The new versions of OpenWRT (18 and newer) have the ability to add vlan interfaces directly from LuCI (web gui). You can now skip the manual editing of the /etc/config/network file.

Using 802.1q in OpenWRT is very difficult when working on a device that doesn’t have a built-in switch or the when the switch chipset isn’t supported.

Creating VLANS is not possible via the web interface (luci) or using the “config switch_port” options in /etc/config/network. The Luci web gui will not have the “Network -> Switch” option available.

In this example, we add a public interface and vlan 2 on ports eth0 and eth1.

Start by getting into the device:
ssh root@
vi /etc/config/network

config interface 'public'         
        option type 'bridge'       
        option proto 'static'     
        option ifname 'eth0.2 eth1.2'
        option ipaddr ''
        option netmask ''

config device 'eth0_2'       
        option name 'eth0.2' 

config device 'eth1_2' 
        option name 'eth1.2'

This creates three interfaces eth0.2, eth1.2 and both are bridged into the interface br-public.

You can use luci to configure the interface if you use the “custom interface” and manually refer to the vlan like this:

Just be sure you’ve already added the necessary VLAN to /etc/config/network:

config device 'eth0_2' 
        option name 'eth0.2'

After this, the VLAN will be defined but not show up in luci. You will need to specify it using the “custom interface” as shown in the red circle above.

Dec 282014
 December 28, 2014  Posted by at 12:19 am hardware, Tutorial, wireless Tagged with: , , ,  No Responses »

I have many open-mesh OM1P units laying around from failed wireless projects. Needless to say I’m not a big fan of open-mesh and have some other projects in mind for this hardware. It was a painful process but well worth it. Now I have nice little OpenWRT units for any hacking pleasure.

I have made a concise synopsis of the openwrt wiki page for flashing proper firmware on the OM1p/Fon/Fonera/Accton/etc. Please visit http://wiki.openwrt.org/toh/fon/fonera#openwrt for more detail.

Begin with serial access
You will need a TTL serial to usb or similar like this https://www.adafruit.com/products/284

Consult the openwrt wiki for pinout of om1p

Use minicom or screen to access it.

We need a tftp server (don’t worry its super easy if your using Debian :-).
I tried with http (apache) and it doesn’t work.

apt-get install atftpd

cd /srv/tftp/
wget http://downloads.openwrt.org/backfire/10.03.1/atheros/openwrt-atheros-vmlinux.lzma
wget http://downloads.openwrt.org/backfire/10.03.1/atheros/openwrt-atheros-root.squashfs

(don’t install anything newer than 10.03.1, this little thing is old)

stop network manager so we can assign static ip:
/etc/init.d/network-manager stop
assign static ip:
ip address add dev eth0

connect to the usb serial:
screen /dev/ttyUSB0 9600

a few seconds into the boot you will see the following:

Board: ap51 
RAM: 0x80000000-0x82000000, [0x8003f640-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 3.000 seconds - enter ^C to abort

You have 3 seconds to press ctrl+c to interrupt the boot process and enter into redboot boot loader

On the om1p, in RedBoot, run the following commands.

Set the ip of redboot and the tftp server:
(Don’t forget to connect them with ethernet cable.)

RedBoot> ip_address -h -l

IP:, Gateway:
Default server:

download linux onto the om1p:
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma

Using default protocol (TFTP)
Raw file loaded 0x8003f800-0x8011f7ff, assumed entry at 0x8003f800

initialize the current flash partition, this will erase openmesh firmware, yay!:
RedBoot> fis init

About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Now flash the kernel image to memory:
RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7

... Erase from 0xa8030000-0xa8110000: ..............
... Program from 0x8003f800-0x8011f800 at 0xa8030000: ..............
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Now load the rootfs:
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs

Using default protocol (TFTP)
Raw file loaded 0x8003f800-0x8021f7ff, assumed entry at 0x8003f800

And then flash the rootfs:
RedBoot> fis create rootfs

... Erase from 0xa8110000-0xa82f0000: ..............................
... Program from 0x8003f800-0x8021f800 at 0xa8110000: ..............................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

Reboot the om1p:
RedBoot> reset

You will see OpenWRT booting and creating filesystems and such.

jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
jffs2_build_filesystem(): unlocking the mtd device... done.
jffs2_build_filesystem(): erasing all blocks after the end marker... done.
mini_fo: using base directory: /
mini_fo: using storage directory: /overlay
BusyBox v1.15.3 (2011-11-24 02:38:24 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua 
  * 1/3 shot Bailey's  on the bottom, then Bailey's, 
  * 1/3 shot Vodka     then Vodka.

Now we need to set a heartbeat for the hardware watchdog otherwise the om1p reboots every 5 minutes.

vi /etc/config/om1pwatchdog

gpioctl dirout 3 ; gpioctl clear 3
sleep 1
gpioctl set 3

Make it executable:
chmod 755 /etc/config/om1pwatchdog

Run every 2 minutes:
crontab -e
add the following and save
*/2 * * * * /etc/config/om1pwatchdog

Start NM again, you will now get an ip from the om1p openwrt dhcp server.
/etc/init.d/network-manager start

connect with firefox at

yay, no more crap open-mesh!

Jul 072013
 July 7, 2013  Posted by at 12:54 pm firewall, networking, Tutorial, wireless Tagged with: , ,  10 Responses »

In this scenario we will be implementing a openWRT as a wireless access point only. One wireless essid will be LAN accessible and the other will be segregated from the LAN but able to access the WAN. The openWRT in this example will not be the gateway to the network. Another device is the gateway and there is an existing dhcp server.

                            PUBLIC wifi
                     public gateway and dhcp server
                   Source NAT to
ISP <-Gateway-> LAN wired <-openWRT-> 
                           LAN wifi (wpa2+aes)

1. Add a new wireless access point


2. Settings for the new wireless access point. Create a new network interface of “public”. Don’t use any encryption, as this is for general public use.


3. Edit network interface for the public network


4. Edit PUBLIC interface settings. Set to static address and enable DHCP server for this new network.


5. Edit the LAN interface. Set the lan interface to an un-used ip of the existing network. Don’t set to “dhcp client” as you will lose connectivity and need to perform a recovery on your openwrt device. Be sure to disabled the DHCP server as the existing network already has one.


6. Add a new zone and call it “public_zone”. Masquarade it and put it in the public network. Allow forwarding to and from “lan” zone. We will limit this later with specific firewall rules.


7. This is what the general firewall zones should look like


8. Under the Firewall -> Traffic Rules section add a new Source NAT Rule. Call it “pub2lan“. Set the “Source zone” to “public_zone” and the “Destination zone” to “lan” and set the drop down option “To source IP” to br-lan interface, in this example its Leave “To source port” blank. This SNAT rule will translate all traffic on the public wireless network of into the IP of This is the redirect rule from /etc/config/firewall

config redirect
option target 'SNAT'
option src 'public_zone'
option dest 'lan'
option proto 'all'
option name 'pub2lan'
option src_dip ''
option enabled '1'

9. Setup a “New forward rule:” Set name to allow2gw or similar. Source zone to “public_zone” Destination zone to “lan” Click “Add and edit…” Protocols should be “Any”, Destination address is the gateway of the network. In this case The following is the /etc/config/firewall rule for reference. This will allow traffic from the public_zone to reach the gateway of the network.


config rule
option target 'ACCEPT'
option proto 'all'
option name 'allow2gw'
option src 'public_zone'
option dest 'lan'
option dest_ip ''

10. Setup a “New forward rule”. Set the name to drop2lan or similar. Set the Source zone to “public_zone” and Destination zone to “lan”. Click “Add and edit…” Set Protocol to “Any”, Destination address to custom and enter the subnet of the LAN. In this case its, set “Action” to “drop”. You can add more rules like this one to limit access to other networks or hosts as needed.


config rule
option name 'drop2lan'
option src 'public_zone'
option proto 'all'
option target 'DROP'
option dest 'lan'
option dest_ip ''


11. Firewall Traffic Rule overview. There is an error on this view. The following rules have “option proto ‘all'” set and the luci web interface shows “Any TCP+UDP”. This is simply a bug in the luci interface and can be ignored. The order of these rules is very important. In this case you can see we added the “Allow to” before the “Drop to”. If reversed, the lan including the gateway would not be accessible from the public wireless AP. Therefore, you would not be able to reach the Internet.


Apr 262013
 April 26, 2013  Posted by at 12:45 pm Tutorial, vpn Tagged with: , , ,  6 Responses »


That said, if you want to setup pptp on the openwrt here is a guide.
The router is Backfire 10.03.1 at address This configuration will setup the PPtP VPN server and it should be pointed out that its not a very secure VPN. Basically, it requires that someone capture the authentication handshake of a pptp connection. Then extract the keys and crack the hashes or bruteforce. There is a service that was released last year that will crack these keys and produce the authentication hash, that can auth as the password. This was done to encourage people to stop using this lame technology. Here is a great write up that will answer all questions https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

With the above insecurity disclaimer and a note that this really shouldn’t be used for anything requiring real security. I proceed..

opkg install pptpd kmod-mppe

== /etc/pptpd.conf ==

option /etc/ppp/options.pptpd
speed 115200
stimeout 10

== /etc/ppp/options.pptpd ==

logfile /tmp/pptp-server.log
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
mtu 1482
mru 1482
proxyarp #required to be able to connect to the lan subnet without being directly connected.
mppe required,no40,no56,stateless

== /etc/ppp/chap-secrets ==

jason * testypass *

== /etc/firewall.user ==

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT

== /etc/config/firewall ==

config 'rule'
option 'target' 'ACCEPT'
option '_name' 'pptpd'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'dest_port' '1723'
Apr 242013
 April 24, 2013  Posted by at 1:37 pm security, Tutorial, Uncategorized 2 Responses »

UPDATE: The easiest way to do this is through the web interface (LuCI). System -> Administration -> SSH-Keys. Paste your public key (~/.ssh/id_rsa.pub) and click “Add key”

I’ve been using so many openwrt devices lately I wanted to setup my public ssh key on each device so I can auto login. Also, I can setup a really unfriendly password for the root account that is very secure and use my public key to authenticate. Convenient and secure? What a concept!!
Since this is dropbear and not openssh the typical ~/.ssh/authorized_keys file doesn’t work. Instead you need the authorized_keys file to be in /etc/dropbear/

This is how I do it quickly and efficiently.

Using the ssh-copy-id command to copy your public key to the remote devices authorized_keys. This is the same you would do to copy your public key to your server or such. Thanks to Sam for turning me onto this most valuable tool.

From your local user account (must have a public/private key, see ssh-keygen if you need to generate keys)

$ ssh-copy-id root@

enter current password, the following will display if you entered password correctly

Now try logging into the machine, with "ssh 'root@'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

now ssh to the device and move the authorized_keys to dropbear directory

$ ssh root@
root@'s password:
root@MyOpenWrt:~# mv /root/.ssh/authorized_keys /etc/dropbear/

verify the permissions are 600

root@MyOpenWrt:~# ls -l /etc/dropbear/
-rw-------    1 root     root          394 Apr 24 20:09 authorized_keys

logout and ssh back to This time it will ask for your ssh key passphrase instead of the root password. $ ssh root@
Enter passphrase for key ‘/home/jason/.ssh/id_rsa’:

If you would like to login without ssh asking for your passphrase you can use ssh-agent to store your identity. Use ssh-add to add to ssh-agent.

$ ssh-add
Enter passphrase for /home/jason/.ssh/id_rsa:

Now ssh to again, this time it doesn’t ask for a password!

$ ssh root@
BusyBox v1.15.3 (2011-11-24 00:44:20 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
|__| W I R E L E S S   F R E E D O M
Backfire (10.03.1, r29592) ------------------------
* 1/3 shot Kahlua    In a shot glass, layer Kahlua
* 1/3 shot Bailey's  on the bottom, then Bailey's,
* 1/3 shot Vodka     then Vodka.


You can also do this via the luci web interface. Its actually very easy. Copy your ~/.ssh/id_rsa.pub and paste it into “System” -> “Administration” -> “SSH-Keys” and then “Save & Apply”. Done

Mar 042011
 March 4, 2011  Posted by at 1:33 pm documentation, Tutorial Tagged with: , , , , , , , , , , , , , , , , , ,  No Responses »

Here are some random notes that I find useful. I also tend to forget and use as reference.

== LINKS ==
iproute2 cheat sheet by dmbaturin http://baturin.org/docs/iproute2/
The MTU/MSS calculator, encapcalc

The BEST -> http://www.dslreports.com/speedtest

data transfer calculator

[] Vim reference
:e filename (open filename)
:q! (quit, don’t save)
:w (write/save)
:wq (write and quit)
:x (write if changed, otherwise exit)
:changes (show list of edits in the buffer)
a (insert after)
A (insert after line)
h j k l (left, down, up, right)
$ (move to end of line)
^ or 0 (move to beginning of line)
G (move to end of file)
gg (move to top of file)
gUU (uppercase entire line)
guu (lowercase entire line)
gUw (uppercase a word, u lowers)
:n (move to “n” line, n=number)
x (delete to the right)
X (delete to the left)
D (delete to the end of line)
dd (delete current line)
yy (yank/copy current line)
V (begin highlight, up and down to select “y” to yank selection)
vn (yank “n” lines below cursor, n=number)
p (put/paste)
u (undo)
ctrl+r (redo)
/string (search for “string”)
n (search for next string match)
:s/yellow/green/gc (replace yellow with green on current line, g is for global, each match is replaced in a line, instead of the first match in a line. c is for confirm/ask)
:%s/yellow/green/g (replaces yellow with green on the entire page)
:%s:/usr/local/bin:/opt/users/bin:g (use something other than / as delineation so you don’t have to escape “/”. Like this nasty example: :s/\/usr\/local\/bin/\/usr\/loca\/bin)
:%s#http://jasonschaefer.com#https://jasonschaefer.com#g (Switch the delimiter to # for strings with : and / to avoid annoying escapes!)
:2,$s/ */ /g (After the 2nd line, replace 1 (2 spaces with a *) or more spaces with 4 spaces, globally)

$ echo the day and time is currently `date +"%a at %T"`
Sat, Jun 23 22:01:40 “%a, %b %d %T”
Sat, Jun 23 2018 7:04 PM “%a, %b %d %Y %l:%M %p”

[] bash tricks
stop bash history:

[] find command
find . -name "name" -exec [command goes here] {} \;
find . -type d -exec chmod 750 {} \;
recursively changes type directories to user=rwx, group=r-x, other=—
find . -type f -exec chmod 664 {} \;
recursively changes type file user=rw-, group=rw-, other=r– (so that files are not executable)
find /home/BACKUP -mtime +14 -exec rm -fr {} \;
-mtime options:
n exactly n days
+n more than n days
-n less than n days

find files that are newer than specified date time:
find /path/ -newermt 2018-01-15

use -ls to output long listing of matches
find /path/ -newermt “may 21 2018 16:00” -ls
yesterday or today can be used instead

find files between a date reference
finds files between 16:00 and 16:47 on may 21
find /path/ -newermt “may 21 2018 16:00” ! -newermt “may 21 2018 16:47”

to convert all backslash \ to forward slash /
find . -type f -iname *.xml -exec sed -i 's:\\:/:g' {} \;

find hard links (directories have multiple links so use type file and not with 1 link)
find /path -type f ! -links 1

find -exec has two variants:
this variant runs the command (echo in this case) once per match
-exec echo '{}' \;
echo ./match1
echo ./match2
echo ./1match

and this runs the command once against all matches
-exec echo '{}' \+
echo ./match1 ./match2 ./1match

[] Image Conversions and Resizing in batch groups
This will resize all jpg’s in the current directory “.” to 1024×768 and put them in the directory small
find . -iname "*.jpg" | xargs -l -i convert -resize 1024x768 {} small/{}
or a better use of find and convert would be
find -iname "*.jpg" -exec convert -resize 20% {} {}_small.jpg \;

You can replace the “convert -resize” with convert -quality 85% to compress the images instead.

merge multiple images into one pdf
convert blah-page1.png blah-page2.png blah.pdf
wildcards work
convert *.png blah.pdf
convert is a part of imagemagick

[] Edit EXIF data on images
Using exiftool to shift wrong date caused by a camera with the wrong time. man Image::ExifTool::Shift.pl for a manual.
exiftool "-AllDates+=1:0:21 0:0:0" *.JPG
This adds (+=) 1 year, 0 months and 21 days, 0 hrs, 0 min, 0 sec to all files ending in .JPG

[] tar
tar with various exclude examples
tar zcfv backup-website.tar.gz --exclude=stuff --exclude=path/to/stuff --exclude="more stuff with spaces in the name" --exclude=*.wild /home/website

[] chmod tricks
chmod can be used in a way where it preserves executable permissions, if they are already present. using upper X
chmod -R u=rwX,g=rwX,o=rX /path/to/
This recursively (-R) sets user and group to rw- dirs and files that don’t already have executable permissions (the X is similar to x but preserves executable perms if they were preexisting). If the dir or file has any executable permissions then it sets user and group to rwx. This can be handy if you want to change lots of files and dirs at once but not make files executable. For instance, chmod -R u=rwx,g=rwx would blanket files and dirs making them all executable. Of course, using find with type and exec can more explicitly set permissions. But it will reset any executable files as well. Thus the benefit of chmod and X.
To see what files are executable, if any, do
find /path/ -executable -type f

Proper permissions for wordpress:
chown www-data:wwwmaster -R /home/www/
find /home/www/ -type f -exec chmod g=rws {} \;
find /home/www/ -type d -exec chmod g=rwxs {} \;

[] How to recursively force a group permission + umask per user on gnu/linux.
First you can recursively set the desired owner and group. Recursive is optional, only needed if you have sub dirs.
chown -R root.users /path/to/dir
Then force all files and directories created under /path/to/dir to be owned by the creator and the group will be set to “users” group. Notice the chmod g+rwxs is adding the (s)etGID bit for the group.
find /path/to/dir -type d -exec chmod g+rwxs {} \;
You will notice that when a user now creates files or directories under /path/to/dir they come out as (on a typical system)
-rw-r--r-- 1 jason users 0 Aug 29 16:49 this is a file
drwxr-sr-x 2 jason users 6 Aug 29 16:49 this is a directory

You will need to change your umask. You can find it under your home directory in ~/.profile
Uncomment or add umask 002 so that the group “users” will be able to read your files and execute your directories.

[] changing default new file or directory permissions, umask on debian wordaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646692
change /etc/login.defs
UMASK 022 (equivalent to 644/rw-r–r– files and 755/rwxr-xr-x directories)
UMASK 002 (equivalent to 664/rw-rw–r– files and 775/rwxrwxr-x directories)

If that doesn’t work. Enable the pam_umask module like this.
echo "session optional pam_umask.so usergroups" >> /etc/pam.d/common-session

[] Cleanup /etc/passwd and /etc/group

sort /etc/passwd in place
pwck -s

sort /etc/group in place
grpck -s

[] Rename multiple files

remove space from all files ending in .mp3
rename 's/ //'g *.mp3
rename all files ending in .ZIP to .zip
rename 's:\.ZIP:\.zip:' *.ZIP

[] search and replace text within a group of files

find /etc/NetworkManager/system-connections/ -exec sed -i "s/mac-address=0:1e:4c:27:40:00/mac-address=EC:55:F9:0F:5D:00/g" {} \;
use -name, -type to refine the match if you need.

jedit is a gui program that can do this.

[] SSH stuffs

copy your ssh public key to remote hosts ~/user/.ssh/authorized_keys file
ssh-copy-id user@host

Use ‘ssh-add’ to add your private key to the ssh-agent, so you don’t need to type your passphrase each time you ssh someplace.

create a listen socket on your local computer, that redirects port to a host on remote network (
ssh -L localhost:3389: user@host
-L [bind_address:]port:host:hostport
(now you can rdesktop to localhost and it will connect to the remote
rdesktop -g90% localhost

create a remote socket that forwards port 2222 on localhost of server to port 22 on initiating host.
Useful for remote support sessions.
ssh -R localhost:2222:localhost:22 user@hostname
-R [bind_address:]port:host:hostport
(now you can ‘ssh -p2222 localhost’ from the server and reach the host)

create a socks4/5 proxy over ssh
ssh -D8080 user@hostname
(now you can configure your browser to use socks5 proxy at localhost:8080 and you can reach the remote networks web servers, or just use it to securely proxy your web traffic through the remote hosts internet connection)

[] Sending mail with telnet:
telnet hostname 25
helo me
mail from:myaddress@mydom.com
rcpt to:youraddress@yourdom.com
This is a test

(thats a newline [enter] – period – and another newline [enter])

[] Fix MBR for windows

from gnulinux:
ms-sys -m /dev/hda

from msdos or nt recovery console:
fdisk /mbr

[] Batch and snippets (yuck)

echo Cleanup .bak files older than 7 days
forfiles /p d:\backup /m *.bak /d -7 /c "cmd /c del /q @path"

echo Set variable date as yyyymmdd
set date=%date:~-4,4%%date:~4,2%%date:~-7,2%
echo %date%

[] Filesystem stuff

make clone image of sda
dd if=/dev/sda of=/dev/sdb bs=4096 conv=notrunc,noerror

notrunc or ‘do not truncate’ maintains data integrity by instructing dd not to truncate any data.
noerror instructs dd to continue operation, ignoring all input errors. Default behavior for dd is to halt at any error. Useful when imaging damaged drives.
bs=4096 sets the block size to 4k, an optimal size for hard disk read/write efficiency and therefore, cloning speed.

backup mbr
dd if=/dev/sda of=mbr.backup bs=512 count=1

check status of dd transfer (use pgrep to find process id, kill to send user define signal 1, dd progress will be displayed on terminal where dd was run)

kill -USR1 $(pgrep ^dd)

mount image
losetup /dev/loop0 sda.img
mount /dev/loop0 /mnt

Initialize all SATA buses:
for x in /sys/class/scsi_host/host*; do echo "- - -" > $x/scan; done

xfs filesystem and xfsprogs
Determine the amount of fragmentation on sda2
xfs_db -c frag -r /dev/sda2

Filesystem re-organizer, by default, with no arguments. It re-organizes files in mounted partitions for 2 hours. Use -t to change the time.)
These tools reside in the xfsdump package

[] Recover Files
testdisk (recover lost partitions)

photorec (part of the testdisk suite)

foremost sda.img
-t (type doc,jpg,exe etc. all is default)
-a (no error detection, recovers partial files)
-d (indirect block, use for nix filesystems)
-o (output dir)
-T (timestamp output dir)

extundelete /dev/sda1 –restore-directory /home/jason


mdadm RAID

[] KVM Virtualization

Interface config for bridging to virtualized client /etc/network/interfaces
wireless interfaces rarely ever support bridging.

# The primary network interface
iface eth0 inet manual
auto br0
  iface br0 inet dhcp
  bridge_ports eth0
  bridge_stp off
  bridge_waitport 0
  bridge_fd 0

Resize/Add storage to kvm image:
dd if=/dev/zero of=myvirtualhost.img bs=1M count=78k oflag=append conv=notrunc
notrunc MUST be used or else append will overwrite beginning of image.

Alternately, creates a sparse file which suffers from fragmentation and possible corruption if host system doesn’t provide proper space for the sparse image to fill into. So its not recommended.
truncate -s +10G image.raw
Alternate method sparse:
qemu-img create -f raw addon.img 10G
be sure to make a backup of original.img
now you can append addon.img to original.img
cat addon.img >> original.img

Now, boot the .img vm and use cfdisk to partition the new space. Reboot, and build a filesystem OR boot the instance with a live distro that has gparted and merge/resize the new partition with the old.

Convert a qcow2 image to raw image and remove the sparsity (-S 0 is non-sparse).
qemu-img convert -p -O raw -S 0 win7pro.qcow2 win7pro.img

Also, fallocate is a great way to allocate non-sparse file images. “preallocation is done quickly by allocating blocks and marking them as uninitialized, requiring no IO to the data blocks. This is much faster than creating a file by filling it with zeroes”
fallocate -l 128GiB virtualhost.img
preferred method for expanding a disk image (make a backup!!)
original.img is 64GB and you want to expand it to 128
fallocate -l 128GiB original.img
use gparted to expand the partition and filesystem into the extra space.

Backup virtual images into a sparse file to save space
cp --sparse=always winblows7.img SNAPSHOTS/winblows7.img_oct06-2017
Be sure to unsparsify the file if you need to restore it!
cp --sparse=never SNAPSHOTS/winblows7.img_oct06-2017 winblows7.img

[] KVM with Windows

The best way to get virtio is on install. Download the block driver floppy image and attach it, I use virt-manager. Set your hard drive to type virtio and start your windows install. It will will prompt you to press f6 to install third party drivers. Then press S (you have a disk from a third party manufacturer, your floppy image)

If you already have a disk type IDE and want it to be virtio (better). Then do this:
1. Create a temporary image
kvm-img create -f qcow2 temp-virtio.img 1G
2. Shutdown your virtual machine and attach temp-virtio.img as a hard drive, as type virtio.
3. Attach the virtio-win-x.x.x.vfd (i used the one from fedoraproject.org, see below) to you virtual machine
4. Boot up and install the drivers
5. Shutdown, remove the old hard drive image and re-add it as type virtio
6. Boot up and since you already installed the drivers it will boot. Otherwise, you get BSOD..
(You can remove the temp-virtio.img and floppy image).. All done.

For network drivers.. Shutdown, set the “device model” to virtio. Attach the NETKVM-xxxx.iso as a cdrom. Bootup and install drivers. yay!

virtio network drivers, quamranet

virtio block device drivers (aka, hard drive)
http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/bin/ or

[] Windows Policy

run gpedit.msc to edit policy

to backup or move to new host, copy the following
%systemroot%\system32\GroupPolicy\Machine and User dirs

to apply changed policy’s
gpupdate /force

[] RDP tricks

plain old vnc is no more, not to say its not useful but xrdp is a super combo rambo pack. when it comes to ease of use, autostart scripts in debian, built in encryption, performance and cross platform the xrdp project rules the roost. Follow these simple steps.
on server: apt-get install xrdp
on client: rdesktop -g95% [server name or ip]
-g is for geometry, look it up in man rdesktop
done; wow!
obviously, you will need rdesktop or some other remote desktop protocol installed on the client.
If you have issues with the arrow up and down keys minimizing and maximizing your X terminal do the following:
In gnome, use gnome-control-center -> Go to keyboard ‘Shortcuts’ tab, ‘Windows’ on the left pane -> select super+up and super+down shortcuts -> press backspace to disable these shortcuts on these actions.

xfreerdp is a fork of rdesktop that has newer features like certificate verification that comes with new versions of MS Windows.

xfreerdp +clipboard /v: /u:accounting /drive:share,/home/accounting/share /smart-sizing /workarea
see the new documentation for details https://github.com/FreeRDP/FreeRDP/wiki/CommandLineInterface

SeamlessRDP http://www.cendio.com/seamlessrdp/
rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\internet explorer\iexplore.exe" -u username -p password hostname
uhhh, for the record I have NEVER gotten this to work properly. Please contact me if you have!

[] Self Signed certificate on debian, the easiest way possible
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/hostcert.crt
This script will ask for a domain and write the certificate. to /etc/ssl/private/hostcert.crt


[] OpenVPN reference
analyze a certificate
openssl x509 -text -in jason.crt
openssl x509 -noout -in jason.crt -subject

verify a certificate revocation list
openssl crl -text -noout -in crl.pem

recommended ovpn:

remote [host] 1194 udp
dev tun
mute 5
remote-cert-tls server
resolv-retry infinite
keepalive 10 60
#redirect-gateway def1
ca ca.crt
cert [user].crt
key [user].key

[] tshark and tcpdump packet capture

To run tshark remotely and pipe results back to wireshark locally. Can be tcpdump instead of tshark. Needs root access..

ssh root@server 'tshark  -w -' | wireshark -k -i -

Examples of filter
also check the man page for pcap-filter
man pcap-filter
Common uses —
tshark -i eth0 host
tshark -i eth0 net
tshark -i eth0 port 80
tshark -i eth0 port 80 and host and not port 22
tshark -i eth0 tcp port 80 or tcp port 443 -V -R “http.request || http.response”

[] OpenWRT Notes

OpenWRT failsafe recovery mode

flashing with atftp (follow the instuctions for particular device at http://wiki.openwrt.org/toh/start)
curl -T openwrt-xxxx-xxxxx-squashfs-factory-xxxx.img tftp://
or the more complicated annoying way
atftp --trace --tftp-timeout=1 --put --local-file openwrt-xxxxx-xxxxx.img

Setup SSL/TLS (https) for Luci web interface and disable insecure plaintext (http)
opkg install luci-ssl
be sure the following is commented out in /etc/config/uhttpd
# HTTP listen addresses, multiple allowed
# list listen_http
# list listen_http [::]:80

Also change the cert px5g options to be more unique and add more days to the self signed certificate.
/etc/init.d/uhttpd restart

Disable/Enable Wireless on a schedule, automatically

The first line will use bridge control to remove the wireless interface (wlan0-1) from the lan bridge (br-lan) at 22:30. The next cron will add the interface back at 6:00. Redirect (>) all output to dev null. Substitute wlan0-1 for whichever interface you need to. Add this to crontab:
30 22 * * * brctl delif br-lan wlan0-1 >/dev/null 2>&1
0 6 * * * brctl addif br-lan wlan0-1 >/dev/null 2>&1

use “brctl show” to see which interfaces are in the bridge:

root@OpenWRT:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.c6031578e51d	no		eth0.1

[] Cron and wget with Afraid free DNS
Its best to use curl. Install curl with opkg update and then opkg install curl or apt or yum, etc.
*/10 * * * * /usr/bin/curl -k https://freedns.afraid.org/dynamic/update.php?[random string]

wget is overly complicated… but if its all you got, then its great.
*/10 * * * * /usr/bin/wget --no-check-certificate -O - https://freedns.afraid.org/dynamic/update.php?[random string] > /dev/null 2>&1

add to /etc/rc.local so that it updates immediately on bootup. This doesn’t always work if the wan interface isn’t operational at time of execution.

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
/usr/bin/curl -k https://freedns.afraid.org/dynamic/update.php?[random string]
exit 0


mysql> create database newdb;

mysql> CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON newdb . * TO 'newuser'@'localhost';

(GRANT ALL PRIVILEGES ON [database name].[table name] TO ‘[username]’@’localhost’;)

mysql> SET PASSWORD FOR 'newuser'@'localhost' = PASSWORD('newpassword');

mysql> DROP USER 'newuser'@'localhost';

update table g2_PluginMap and set column g_active to 0 where column g_pluginID is captcha. This disables the captcha plugin in gallery2
UPDATE g2_PluginMap SET g_active = '0' WHERE g_pluginId = captcha;
DELETE FROM g2_FactoryMap WHERE g_implModuleId='captcha';

(unrelated to mysql, you will need to clear the cache to fully disabled this plugin -> http://your-domain.tld/gallery/lib/support/index.php

rsync highlights:
typical use —
rsync -av --delete --stats --exclude media/* /home/ /mnt/usb/rsync-home-mirror
copy [a]rchive, [v]verbosely, –delete any files on the destination that don’t exist in source (mirror), show transfer [stat]istics, [exclude] any files inside directory media, copy contents of /home/ into /mnt/rsync-home-mirror

advanced use — useful for copying entire OS
rsync -aAHXi --super --numeric-ids /source/ /destination
-a archive, -A copy ACL, -H copy hard links, -X copy extended attributes, -i show changes, –numeric-ids preserves uid and gid numerically instead of by name.

Use -n to do a dry run! Especially valuable when using –delete switch.

You can think of a trailing / on a source as meaning “copy the contents of this directory” as opposed to “copy the directory by name”

rsync over ssh
rsync -aiz /source/path username@
rsync -aiz user@host:/remote/source /local/destination

[] fstrim
fstrim one-liner for cron. every sunday at 12:30 timestamp the log and include two partitions, / and /home.
30 12 * * 0 /bin/date +\%c > /tmp/fstrim.log && /sbin/fstrim -v / >> /tmp/fstrim.log 2>&1 && /sbin/fstrim -v /home >> /tmp/fstrim.log 2>&1

[] wget

for range in {1..7};do wget http://URL/Episode$range.mp3 ; done
for range in {{1..3},{5..7}};do wget http://URL/Episode$range.mp3 ; done
Mirror entire site with wget
wget --mirror -p --convert-links http://URL
wget --recursive --no-clobber --page-requisites --html-extension --convert-links --no-parent --domains website.org http://website.org
[] ffmpeg

convert video to webm
ffmpeg -i be-hose.mp4 -acodec libvorbis -aq 5 -ac 2 -qmax 25 -threads 2 be-hose.webm

[] encrypted partitions
#to create
cryptsetup luksFormat /dev/sdb
cryptsetup luksOpen /dev/sdb backupdrive
mkfs.xfs /dev/mapper/backup
mount /dev/mapper/backup /mnt/
umount /mnt
cryptsetup luksClose backup

#to open
cryptsetup luksOpen /dev/sdd1 [devmappername]

#to close
cryptseup luksClose [devmappername]

#dump hd encrypted headers (if drive fs is damaged, you can restore from this dump)
cryptsetup luksHeaderBackup /dev/sdd1 > file.bk

#to restore header
cryptsetup luksRestore /dev/sdd1 –header-backup-file file.bk

[] booting os from grub2
set root=(hd0,gpt2)
linux /boot/vmlinuz-2.6.18-6-686 root=/dev/sda1
initrd /boot/initrd.img-2.6.18-6-686

[] Text Manipulation, simple and common techniques

file.txt contains:

a b c d e
f g h i j

awk '{print $2 "\t" $5}' file.txt
b e
g j

awk '{print $2","$5}' file.txt

cut -d " " -f 2 file.txt

cut -d " " -f 2,4 file.txt
b d
g i

cut -d " " -f 3-5 file.txt
c d e
h i j

MATH with awk!
file.txt contains:

1 2 3 4
5 6 7 8

awk '{print $2 + $4}' file.txt

awk '{print $2 * $3}' file.txt

consult the oracle: zless /usr/share/doc/exim4-base/README.Debian.gz

dpkg-reconfigure exim4-config
update-exim4.conf; service exim4 stop; service exim4 start

Enable tls:
enable the following in /etc/default/exim4
SMTPLISTENEROPTIONS='-oX 25:465:587 -oP /run/exim4/exim.pid'

enable plain_server: PLAIN and LOGIN in /etc/exim4/exim4.conf.template

swaks -a -tls -q HELO -s smtp.schaeferconsulting.com -au test -ap '<>'

for x in $(mailq | grep frozen | sed -e ‘s/^……….//’ -e ‘s/ .*//’); do exim -Mrm $x; done

[] GPG
jason gets the public key for geoff from keyserver
gpg --keyserver keys.openpgp.org --recv-keys 6058D99C
gpg --keyserver keys.openpgp.org --search-keys email@address
signs the key with his B0EE80C1 key
gpg --default-key B0EE80C1 --sign-key 6058D99C
export the signed key to send to geoff
gpg --output 6058D99C.asc --export --armor 6058D99C
send geoff_6058D99C.asc to geoff
geoff receives key and imports
gpg --import geoff_6058D99C.asc
sends the updated key to keyserver
gpg --keyserver keys.openpgp.org --send-keys 6058D99C

gpg --keyserver keys.openpgp.org --refresh-keys 6058D99C
gpg --list-sigs 6058D99C
gpg --list-keys

Oct 282010
 October 28, 2010  Posted by at 12:20 pm documentation, Tutorial, vpn Tagged with: , ,  No Responses »

These are the manual instructions for installing and configuring OpenVPN client.

After having many problems over the years with openvpn gui breaking, I have devised a reliable work around. Create the following batch script, name it something like ovpnConnect.bat, and right click to “Run as Administrator”. This does require the openvpn gui from openvpn.net to be installed. It calls the openvpn.exe. You can also add multiple vpn client connections!

@echo off

net session >nul 2>&1
if %errorLevel% == 0 (
    echo Success: Administrative permissions confirmed.
) else (
    echo Failure: Please right click and "Run as administrator"
exit 0

cd "c:\Program Files\OpenVPN\config\" && "c:\Program Files\OpenVPN\bin\openvpn.exe" [userconfig].ovpn

Download openvpn gui at http://openvpn.net/index.php/open-source/downloads.html#latest-stable

Run installer

Leave the components section as default.

Accept the TAP driver install

Right click on OpenVPN GUI and select properties

Go to Compatibility tab and select “run this program as administrator”
(It requires admin priviledges because it needs to write routes for the new VPN tunnel. Without, it will connect but won’t know how to reach the other network.)

Get your OpenVPN configuration files from the system administrator. Copy and paste them into C:\Program Files\OpenVPN\config

ca.crt (certificate authority)
jason.crt (client certificate)
jason.key (client secret key)
jason.ovpn (client configuration). Here are the contents of jason.ovpn:

dev tun0
cert jason.crt
key jason.key
ca ca.crt
remote vpn.server 1194

Now you can launch OpenVPN GUI by double clicking the icon on the desktop (the one we just set to run as admin). This will launch the OpenVPN GUI into the system tray.

Click on system tray, right click on OpenVPN GUI, left click “Connect”.

If all goes well, you will successfully connect. The OpenVPN GUI systray icon turns green. Now you are on the Virtual Private Network!