Wireguard windows 11 - not able to access client lan - windows

I have setup wireguard server and client.
Server - Ubuntu 18.04
Client - Windows 11(x64)
Wireguard Interface Subnet - 10.200.1.0/24
Wireguard Server IP - 10.200.1.27/24
server.conf
[Interface]
Address = 10.200.1.27/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = WHnFUoljugAbX3XkmHg2TmZH4k2ptbX0N1xB7cruN2g=
[Peer]
PublicKey = *********
AllowedIPs = 10.200.1.72/32, 192.168.1.0/24
Endpoint = ********:63587
[Peer]
PublicKey = ********
AllowedIPs = 10.200.1.71/32
Endpoint = ********:10295
The WireGuard client is in the home network 192.168.1.0/24, and the Windows 11 machine has the IP address 192.168.1.25.
windows11-Wireguard-Client-Config
[Interface]
Address = 10.200.1.72/24
ListenPort = 63587
PrivateKey = *******
[Peer]
PublicKey = ********
AllowedIPs = 10.200.1.0/24
Endpoint = *******:51820
PersistentKeepalive = 30
Problem
From another peer, I am able to ping 192.168.1.25, but I also have a macOS machine on IP 192.168.1.6, and I am unable to ping the MacBook.
I even tried adding a route on Windows:
route add -p 192.168.1.0 mask 255.255.255.0 10.200.1.72
From the other peer, if I ping after adding the above route, the ICMP response is:
FROM 10.200.1.72: icmp_seq=1 Redirect Network(New nexthop: 192.168.1.6)
Can someone please guide me on what to do, as I have run out of ideas.

Related

What is the Powershell equivalent of "Use the following IP Address" in the IPv4 properties UI?

I am looking for a Powershell command that disables DHCP and sets the machine's private IP as a static IP; basically, I'm looking for the Powershell equivalent of following actions in the UI.
Control panel -> Network and Sharing Center -> Ethernet -> Properties -> IPv4 -> Properties -> toggle off "Obtain an IP address automatically" and toggle on "Use the following IP address" -> fill out IPv4 address, default gateway, and subnet mask.
The following commands, taken from this guide, seem to describe what I'm after, but Remove-NetIPAddress results in kicking me off the server and locking me out.
$IP = "10.10.10.10"
$MaskBits = 24 # This means subnet mask = 255.255.255.0
$Gateway = "10.10.10.1"
$Dns = "10.10.10.100"
$IPType = "IPv4"
# Retrieve the network adapter that you want to configure
$adapter = Get-NetAdapter | ? {$_.Status -eq "up"}
# Remove any existing IP, gateway from our ipv4 adapter
If (($adapter | Get-NetIPConfiguration).IPv4Address.IPAddress) {
$adapter | Remove-NetIPAddress -AddressFamily $IPType -Confirm:$false
}
If (($adapter | Get-NetIPConfiguration).Ipv4DefaultGateway) {
$adapter | Remove-NetRoute -AddressFamily $IPType -Confirm:$false
}
# Configure the IP address and default gateway
$adapter | New-NetIPAddress `
-AddressFamily $IPType `
-IPAddress $IP `
-PrefixLength $MaskBits `
-DefaultGateway $Gateway
I'm unable to create a new IPv4 address so long as the existing one is still around, but removing the existing one borks the connection to the server.
That is incorrect. You can set multiple IPs on the same interface. So you simply add the new one with New-NetIPAddress and then remove the previous one.
$currentIP = Get-NetIPAddress | where ipaddress -eq '192.168.43.96'
New-NetIPAddress -InterfaceAlias $currentIP.InterfaceAlias -IPAddress 192.168.43.20 -PrefixLength 24
Remove-NetIPAddress -InterfaceAlias $currentIP.InterfaceAlias -IPAddress $currentIP.IPAddress
The DNS and Gateway are separate things. Just don't change those if you don't need to. To avoid the confirmation prompt, simply add -Confirm:$false to the Remove-NetIPAddress command.

Connect from host to Vagrant VM by Ansible

How should I define a VM made with Vagrant from my host in Ansible?
I have just one Vagrant machine with the default config:
Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
config.vm.network "private_network", ip: "55.55.55.55"
end
and in ssh-config I have port 2222.
When I try from the host ssh dvory@55.55.55.55:2222 I cannot log in (the user is created on both); I am not even prompted for a password. I also have the same situation in Ansible:
55.55.55.55 ansible_ssh_port=2222 ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/.ssh/id_rsa
Is it possible to do it this way? I don't want to create two Vagrant VMs and have a server/client; I have no idea where I should put my Ansible code to have it persistent per server.
The 2222 SSH port in Vagrant is the value on the host (your localhost) of the forwarded port 22 of the guest (the VM).
==> ansible: Forwarding ports...
ansible: 22 (guest) => 2222 (host) (adapter 1)
So you should connect by using either:
localhost on port 2222
55.55.55.55 on port 22
I don't know if you did put your ~/.ssh/id_rsa.pub in the authorized keys on the guest, but by default it's not and you should use the private key .vagrant/machines/<MACHINE_NAME>/virtualbox/private_key.
Also, you can connect into the VM using SSH with vagrant ssh <MACHINE_NAME>.
Usually I use an inventory script with my vagrant hosts (to put in the same dir as Vagrantfile):
#!/bin/bash
INVENTORY_DIR=$(cd $(dirname $0) && pwd)
list() {
cat <<EOF
{
"all": {
"hosts": [
"$(vagrant status --machine-readable | cut -d ',' -f 2 | sort -u | sed '/^$/d' | paste -sd ',' - | sed 's/,/","/g')"
]
}
}
EOF
}
host() {
local hostname=$1
local port="$(VAGRANT_CWD=${INVENTORY_DIR} vagrant port --guest 22 ${hostname})"
[[ ! ${port} =~ ^[0-9]+$ ]] && port=0
cat <<EOF
{
"ansible_host": "localhost",
"ansible_port": ${port},
"ansible_user": "vagrant",
"ansible_ssh_private_key_file": "${INVENTORY_DIR}/.vagrant/machines/${hostname}/virtualbox/private_key"
}
EOF
}
case $1 in
--list) list;;
--host) host $2;;
*) exit 1;;
esac
Then you can use ansible with --inventory <INVENTORY_SCRIPT>
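The answer above derives the forwarded port with vagrant port. As an added example (not the answer's script), the functions below take the same connection facts from vagrant ssh-config output instead and turn them into an Ansible host entry. The ssh-config text is a constructed sample that mirrors the default VirtualBox forwarding (guest 22 to host 2222); the path /home/me/project and the machine name default are placeholders.

```shell
# Added example: build Ansible connection values for a Vagrant guest from
# `vagrant ssh-config` output. SAMPLE_SSH_CONFIG is constructed sample output;
# the identity file path and machine name are placeholders.
SAMPLE_SSH_CONFIG='Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /home/me/project/.vagrant/machines/default/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL'

# ssh_config_value <config-text> <key>: print the value of one ssh-config key.
ssh_config_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# ansible_host_vars <config-text>: emit the JSON an inventory script's --host
# call would return, built from the keys Ansible needs (host, port, user, key).
ansible_host_vars() {
    local cfg host user port key
    cfg=$1
    host=$(ssh_config_value "$cfg" HostName)
    user=$(ssh_config_value "$cfg" User)
    port=$(ssh_config_value "$cfg" Port)
    key=$(ssh_config_value "$cfg" IdentityFile)
    # Refuse to emit an entry when the forwarded port is missing or not numeric.
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    printf '{"ansible_host": "%s", "ansible_port": %s, "ansible_user": "%s", "ansible_ssh_private_key_file": "%s"}\n' \
        "$host" "$port" "$user" "$key"
}

# inventory_line <config-text> <name>: the equivalent static INI inventory line,
# i.e. localhost:2222 with the machine's own private key, not ~/.ssh/id_rsa.
inventory_line() {
    local cfg name
    cfg=$1
    name=$2
    printf '%s ansible_host=%s ansible_port=%s ansible_user=%s ansible_ssh_private_key_file=%s\n' \
        "$name" \
        "$(ssh_config_value "$cfg" HostName)" \
        "$(ssh_config_value "$cfg" Port)" \
        "$(ssh_config_value "$cfg" User)" \
        "$(ssh_config_value "$cfg" IdentityFile)"
}

inventory_line "$SAMPLE_SSH_CONFIG" default
ansible_host_vars "$SAMPLE_SSH_CONFIG"
```

Running it on real output (vagrant ssh-config default) gives an inventory line that uses the host-side forwarded port and the key Vagrant generated, which is exactly the pair of values the answer says the question's inventory got wrong.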

Is there support of hmac-md5-96 in setkey ipsec tools?

I want to use the "hmac-md5-96" algorithm to create Security Associations on the client side. I am using the setkey ipsec-tools. While adding the SPD entry, it gives a syntax error and is unable to identify hmac-md5-96.
I have tried keyed-md5, which is also not supported.
setkey -c << EOF
add $pcscf $ue esp $spi_uc -m transport -E aes-cbc $ck -A hmac-md5-96 "1234567890123456" ;
spdadd $pcscf/32[$port_ps] $ue/32[$port_uc] tcp -P in ipsec esp/transport//require ;
spdadd $pcscf/32[$port_ps] $ue/32[$port_uc] udp -P in ipsec esp/transport//require ;
EOF
Use ip xfrm state add instead of setkey, i.e.:
ip xfrm state add src $pcscf dst $ue proto esp spi $spi_uc enc "cbc(aes)" $ck auth-trunc "hmac(md5)" "1234567890123456" 96 mode transport
For some dummy parameters it creates the following SAD entry:
src 11.22.33.44 dst 22.33.44.55
proto esp spi 0x00000457 reqid 0 mode transport
replay-window 0
auth-trunc hmac(md5) 0x31323334353637383930313233343536 96
enc cbc(aes) 0x3131313131313131313131313131313131313131313131313131313131313131
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 0.0.0.0/0 dst 0.0.0.0/0
Good luck!
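The SAD entry above shows the keys in hex even though the command passed them as ASCII strings. As an added example (not part of the answer), the functions below do that conversion, check the key sizes HMAC-MD5 and AES-CBC require, and assemble the ip xfrm state add command before anything is sent to the kernel. The addresses, SPI and keys are constructed dummies chosen to match the answer's sample output; the command is only printed, not executed.

```shell
# Added example: build the `ip xfrm state add` line for an HMAC-MD5-96 /
# AES-CBC transport-mode SA and validate key lengths first.
# All values below are constructed dummies (same shape as the answer's output).

# key_to_hex <ascii-key>: the 0x-prefixed hex form the kernel prints in the SAD.
key_to_hex() {
    printf '0x%s' "$(printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n')"
}

# hex_key_bits <0xhex>: key length in bits (each hex digit is 4 bits).
hex_key_bits() {
    local hex
    hex=${1#0x}
    echo $(( ${#hex} * 4 ))
}

# check_keys <0xauthkey> <0xenckey>: HMAC-MD5-96 (RFC 2403) uses a 128-bit key;
# AES-CBC accepts 128, 192 or 256 bits. Returns non-zero on a bad size so a
# typo in the key never reaches the kernel as a silently weaker SA.
check_keys() {
    [ "$(hex_key_bits "$1")" -eq 128 ] || { echo "auth key must be 128 bits" >&2; return 1; }
    case "$(hex_key_bits "$2")" in
        128|192|256) ;;
        *) echo "enc key must be 128, 192 or 256 bits" >&2; return 1 ;;
    esac
}

# build_xfrm_state_cmd <src> <dst> <spi> <enc-ascii-key> <auth-ascii-key>:
# print the command; "auth-trunc ... 96" truncates the ICV to 96 bits, which is
# what the "-96" in setkey's hmac-md5-96 name means.
build_xfrm_state_cmd() {
    local enc_hex auth_hex
    enc_hex=$(key_to_hex "$4")
    auth_hex=$(key_to_hex "$5")
    check_keys "$auth_hex" "$enc_hex" || return 1
    printf 'ip xfrm state add src %s dst %s proto esp spi %s enc "cbc(aes)" %s auth-trunc "hmac(md5)" %s 96 mode transport\n' \
        "$1" "$2" "$3" "$enc_hex" "$auth_hex"
}

# Constructed dummy keys: 32 '1' characters (AES-256) and the 16-character auth key.
AES_KEY=11111111111111111111111111111111
AUTH_KEY=1234567890123456
build_xfrm_state_cmd 11.22.33.44 22.33.44.55 0x457 "$AES_KEY" "$AUTH_KEY"
```

The hex printed for AUTH_KEY is the same 0x3132...3536 value that appears in the answer's SAD listing, so the two forms can be compared directly when checking what ip xfrm state actually installed.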

not sure if shell script that opens ports/protocols in the event any are blocked is correct

I'm writing a script that will check/open ports/protocols in the event any are blocked. What I have so far is below. The port/protocol names look strange to me. I would have expected IP addresses, but I've never done this before. Would the host be the IP address of the DSLAM? Also, can I run nc without specifying a host if it's the current machine? Otherwise, does this script do what is needed?
#!/bin/bash
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
echo -e "############################\n\n\nPresent ports opened on this machine are
$(iptables -nL INPUT | grep ACCEPT | grep dpt)
\nCompleted listing...\n\n\n#########################"
#these look funny to me
PORTS=( 123 161 69 "UDP" 80 443 22 8443 8080 23 25 3307 "TCP" "HTTPS" "SNMP" "SFTP" "TFTP")
#modified ip's for public sharing
HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")
for HOST in "${HOSTS[@]}"
do
for PORT in "${PORTS[@]}"
do
#see which ones need opening...0 is pass (open), 1 fail, 5 timeout; need host still
#alternatively try nmap
nc -z -v -w5 ${HOST} ${PORT}
#if it's not open, then open it
if [ "$?" -ne 0 ]; then #shellcheck flagged the original "ne" here; the test operator is -ne
iptables -A INPUT -m tcp -p tcp --dport "$PORT" -j ACCEPT &&
{ service iptables save;
service iptables restart;
echo -e "Ports opened through iptables are \n$(iptables -nL INPUT | grep ACCEPT | grep dpt)"; }
else
echo "Port $PORT already open"
fi
done
done
I've been referring to test if port is open, and also open port.
These lines seem odd, OP edit #6 adds an outer for loop which assigns the same value to $HOST on each go-round:
HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")
for HOST in "${HOSTS[@]}"
do
< stuff ... >
done
Assuming running < stuff ... > four times is not necessary, then
the seven lines above, as written, would be equivalent to:
HOST="10.x.x.x"
< stuff ... >
(Fixed.) Remove the commas from this line:
PORTS=( 123, 161, 69, UDP, 80, 443, 22, 8443, 8080, 23, 25,
3307, TCP, HTTPS, SNMP, SFTP, TFTP)
bash does not use commas to define arrays, and if commas are used
they become chars in the array data. Example, given the array
exactly as it is above:
echo ${PORTS[0]}
Outputs:
123,
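The question's script probes remote hosts with nc and then adds local iptables rules, so the probe result says nothing about the local firewall. As an added example (not the question's script or the answer's code), the functions below instead read the ACCEPT rules from iptables -nL INPUT output, the same listing the script already prints, and report which wanted ports have no ACCEPT rule. The rule listing is a constructed sample; the wanted ports are kept as whitespace-separated "proto/port" items, which also sidesteps the comma problem the answer describes.

```shell
# Added example: audit which wanted ports lack an ACCEPT rule by parsing
# `iptables -nL INPUT` output. SAMPLE_RULES is constructed sample output.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:161
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# accepted_ports <listing>: print "proto/port" for every ACCEPT rule with a
# dpt: match; rules without a destination port (e.g. a blanket ACCEPT) are skipped.
accepted_ports() {
    printf '%s\n' "$1" | awk '$1 == "ACCEPT" {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $2 "/" $i }
    }'
}

# missing_ports <listing> <proto/port ...>: print each wanted entry that has
# no ACCEPT rule. A DROP rule for the same port does not count as open.
missing_ports() {
    local listing open want
    listing=$1
    shift
    open=$(accepted_ports "$listing")
    for want in "$@"; do
        printf '%s\n' "$open" | grep -qx "$want" || printf '%s\n' "$want"
    done
}

# Wanted ports as "proto/port" items separated by whitespace, not commas.
# Service names such as HTTPS or SNMP have been mapped to their port numbers
# and the protocol is carried with each port, so UDP and TCP are not mixed up.
WANTED="tcp/22 tcp/80 tcp/443 tcp/23 udp/123 udp/161 udp/69"
# shellcheck disable=SC2086
missing_ports "$SAMPLE_RULES" $WANTED
```

On the sample listing the output is tcp/80, tcp/23, udp/123 and udp/69; tcp/23 is reported even though a rule for it exists, because that rule is a DROP. Feeding the function the live listing ("$(iptables -nL INPUT)") gives the list of ports that would actually need a rule, without opening anything as a side effect of the check.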

traefik - HTTP to HTTPS WWW Redirect

I could not find a question similar to this, there were others mentioning https redirects, but not about minimizing the redirects.
Been looking for a solution, and could not sort it out yet.
We use Docker > Traefik for WordPress and have www as the preferred version for WordPress. There are multiple WP instances. Domains are added dynamically.
However, with this config, I am receiving two redirects, from http to https to https www
http://example.com/
https://example.com/
https://www.example.com/
Is there any way to minimize the redirect?
ideally a 301 redirect from
http://example.com directly to https://www.example.com
Traefik config file as follows
defaultEntryPoints = ["http", "https"]
[web]
address = ":8080"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[acme]
email = "email@domain.com"
storage = "acme.json"
entryPoint = "https"
onDemand = false
OnHostRule = true
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "traefik.example.com"
watch = true
exposedbydefault = false
Try replacing your [entryPoints.http.redirect] entry with this:
[entryPoints.http.redirect]
#entryPoint = "https"
regex = "^http:\/\/(www\.)*(example\.com)(.*)"
replacement = "https://www.$2$3"
permanent = true
Regex101
It will not handle the https://example.com/ entry so you need to add:
[entryPoints.https.redirect]
regex = "^https:\/\/(example\.com)(.*)"
replacement = "https://www.$1/$2"
permanent = true
If you have multiple frontends, the regex can get hard to handle, so instead you can consider having a label on the container, like this:
traefik.frontend.headers.SSLRedirect=true
traefik.frontend.headers.SSLHost=www.example.com
As of 1.7 there is a new option, SSLForceHost, that forces even an existing SSL connection to be redirected.
traefik.frontend.headers.SSLForceHost=true
Here's what I had to do. The above answer was helpful, but traefik wouldn't start because you actually need a double \ to escape in the .toml.
Also you still need to make sure you have the normal entry points and ports there.
Here's my complete entryPoints section:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.http.redirect]
regex = "^http:\\/\\/(www.)*(example\\.com)(.*)"
replacement = "https://www.$2/$3"
permanent = true
[entryPoints.https.redirect]
regex = "^https:\\/\\/(example.com)(.*)"
replacement = "https://www.$1/$2"
permanent = true
[entryPoints.https.tls]
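Whether a redirect rule collapses the chain to one hop is easy to check before touching Traefik. As an added example (not from any of the answers), the function below applies a redirect regex and replacement of the kind used in the first answer above to a URL with sed and prints the target, so each rule can be exercised on sample URLs offline. It assumes only that Traefik matches the regex against the full request URL and that $1-style groups behave as in sed -E, which holds for these patterns; the regexes are written with single backslashes here, as on the command line, not with the doubled backslashes the TOML file needs.

```shell
# Added example: simulate a Traefik redirect regex/replacement pair with sed.
# redirect_target <regex> <replacement> <url>: print the URL the rule would
# redirect to, or nothing when the regex does not match (no redirect).
redirect_target() {
    local regex replacement url sed_repl
    regex=$1
    replacement=$2
    url=$3
    # Rewrite Traefik's $1..$9 back-references into sed's \1..\9 form.
    sed_repl=$(printf '%s' "$replacement" | sed -E 's/\$([0-9])/\\\1/g')
    # '|' delimits the substitution because URLs contain '/'.
    printf '%s\n' "$url" | sed -E -n "s|${regex}|${sed_repl}|p"
}

# Rules as in the first answer (the http rule collapses www and non-www into one hop).
HTTP_REGEX='^http://(www\.)*(example\.com)(.*)'
HTTP_REPL='https://www.$2$3'
HTTPS_REGEX='^https://(example\.com)(.*)'
HTTPS_REPL='https://www.$1/$2'

for url in 'http://example.com/' 'http://www.example.com/wp-admin/' 'http://example.com/post?p=1'; do
    printf '%s -> %s\n' "$url" "$(redirect_target "$HTTP_REGEX" "$HTTP_REPL" "$url")"
done
for url in 'https://example.com/post' 'https://www.example.com/post'; do
    printf '%s -> %s\n' "$url" "$(redirect_target "$HTTPS_REGEX" "$HTTPS_REPL" "$url")"
done
```

Two things the run makes visible: the https rule does not match https://www.example.com/..., so there is no redirect loop once the browser lands on the www host; and because (.*) in that rule already captures the leading slash of the path, a replacement of https://www.$1/$2 yields https://www.example.com//post for https://example.com/post, while https://www.$1$2 keeps the path intact. Checking a rule this way before deploying it avoids discovering such details from the access logs.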
This is how I got it to work with docker provider behind AWS ELB.
traefik container
/usr/bin/docker run --rm \
--name traefik \
-p 5080:80 \
-p 5443:443 \
-v /etc/traefik/traefik.toml:/etc/traefik/traefik.toml \
-v /var/run/docker.sock:/var/run/docker.sock \
traefik
traefik.toml
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
docker labels
-l traefik.enable=true \
-l traefik.http.middlewares.redirect.redirectregex.regex="^http://(.*)" \
-l traefik.http.middlewares.redirect.redirectregex.replacement="https://\$1" \
-l traefik.http.routers.web-redirect.rule="Host(\`domain.com\`)" \
-l traefik.http.routers.web-redirect.entrypoints="http" \
-l traefik.http.routers.web-redirect.middlewares="redirect" \
-l traefik.http.routers.web-secure.rule="Host(\`domain.com\`)" \
-l traefik.http.routers.web-secure.entrypoints="https" \
ELB listeners
