pfSense as XCP-ng/XENServer guest

pkg install xe-guest-utilities
echo 'xenguest_enable="YES"' >> /etc/rc.conf.local
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh
service xenguest start
xe vm-list
xe vif-list vm-uuid=08fcfc01-bda4-21b5-2262-741da6f5bfb0
uuid ( RO)            : 789358b4-54c8-87d3-bfb3-0b7721e4661b
         vm-uuid ( RO): 57a27650-6dab-268e-1200-83ee17ee3a55
          device ( RO): 1
    network-uuid ( RO): 5422a65f-4ff0-0f8c-e8c3-a1e926934eed


uuid ( RO)            : a9380705-8da2-4bf7-bbb0-f167d8f0d645
         vm-uuid ( RO): 57a27650-6dab-268e-1200-83ee17ee3a55
          device ( RO): 0
    network-uuid ( RO): 4f7e43ef-d28a-29bd-f933-68f5a8f36241
xe vif-param-set uuid=789358b4-54c8-87d3-bfb3-0b7721e4661b other-config:ethtool-tx="off"
xe vif-param-set uuid=a9380705-8da2-4bf7-bbb0-f167d8f0d645 other-config:ethtool-tx="off"
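When the guest has more than a couple of VIFs, copying the uuids by hand from `xe vif-list` is error-prone. The following Python helper is an added example (not part of the original note): it parses the blank-line-separated `xe` record format shown above and emits the `vif-param-set` command for every VIF that belongs to the given VM, skipping records with a foreign vm-uuid or a malformed uuid. The sample output is constructed from the records above.

```python
import re
from typing import Dict, List

# Constructed sample: the two VIF records of the pfSense guest, in the
# same layout `xe vif-list vm-uuid=...` prints them.
SAMPLE_VIF_LIST = """\
uuid ( RO)            : 789358b4-54c8-87d3-bfb3-0b7721e4661b
         vm-uuid ( RO): 57a27650-6dab-268e-1200-83ee17ee3a55
          device ( RO): 1
    network-uuid ( RO): 5422a65f-4ff0-0f8c-e8c3-a1e926934eed


uuid ( RO)            : a9380705-8da2-4bf7-bbb0-f167d8f0d645
         vm-uuid ( RO): 57a27650-6dab-268e-1200-83ee17ee3a55
          device ( RO): 0
    network-uuid ( RO): 4f7e43ef-d28a-29bd-f933-68f5a8f36241
"""

# "  key ( RO): value" or "key ( RW): value"; keys are right-aligned by xe.
FIELD_RE = re.compile(r"^\s*([\w-]+)\s*\(\s*R[OW]\s*\)\s*:\s*(.*?)\s*$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_xe_records(text: str) -> List[Dict[str, str]]:
    """Split `xe *-list` output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def ethtool_tx_off_commands(text: str, vm_uuid: str) -> List[str]:
    """One `xe vif-param-set` per VIF of vm_uuid, lowest device number first.
    Records with another vm-uuid or a malformed uuid are never reconfigured."""
    vifs = [r for r in parse_xe_records(text)
            if r.get("vm-uuid") == vm_uuid and UUID_RE.match(r.get("uuid", ""))]
    vifs.sort(key=lambda r: int(r.get("device", "0")))
    return [f'xe vif-param-set uuid={r["uuid"]} other-config:ethtool-tx="off"' for r in vifs]


if __name__ == "__main__":
    for cmd in ethtool_tx_off_commands(SAMPLE_VIF_LIST, "57a27650-6dab-268e-1200-83ee17ee3a55"):
        print(cmd)
```

On a real host, feed it `xe vif-list vm-uuid=<uuid>` output via a pipe and review the printed commands before running them.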

Dual WAN fail over settings with MikroTik

The basic idea is that we always use our primary ISP, but when it’s offline we automatically switch to the secondary / backup ISP. No load balancing, only failover.

Naming used below:
WAN1, WAN2 – physical interfaces on the router for the internet connections
ISP1, ISP2 – name of the ISP, e.g. Telekom, UPC, etc.
192.168.X.254 – the ISP routers’ addresses, X=1 for WAN1, X=2 for WAN2

First we need to check that both connections are up. For this I’ll ping the OpenDNS server addresses: 208.67.222.222 via ISP1 and 208.67.220.220 via ISP2. Create 2 static routes so that each server is reached over a different path:

/ip route add dst-address="208.67.222.222" gateway="192.168.1.254" comment="Net check via ISP1" 
/ip route add dst-address="208.67.220.220" gateway="192.168.2.254" comment="Net check via ISP2"

Now we need to create 2 firewall rules in the forward chain that drop each check address on the interface it must not leave through. This is necessary because the routing table alone is not enough: if the static route’s gateway fails, the router falls back to the default route, and the ping would then give a false positive result.

/ip firewall filter add chain=forward action=drop dst-address="208.67.222.222" out-interface="WAN2" comment="Reachable only via ISP1"
/ip firewall filter add chain=forward action=drop dst-address="208.67.220.220" out-interface="WAN1" comment="Reachable only via ISP2"

Now I’ll make a script called “ISP_state_check”. It monitors which ISP is up and which is not. If the primary is online there is nothing to do, but when it’s not and the secondary is online, then we switch to it.

:local message;
:set message "Net check state: ";

:if ([/ping 208.67.222.222 count=5 interface=WAN1]=0) do={
:set message ($message ."ISP1 is DOWN and ");
} else={
:set message ($message ."ISP1 is UP and ");
}

:if ([/ping 208.67.220.220 count=5 interface=WAN2]=0) do={
:set message ($message ."ISP2 is DOWN");
} else={
:set message ($message ."ISP2 is UP");
}
:log info ($message);

:local defGW;
:if ([/ip route get [/ip route find where dst-address="0.0.0.0/0"] gateway]="192.168.1.254") do={
:log info ("Default GW: ISP1");
:set defGW "WAN1";
}
:if ([/ip route get [/ip route find where dst-address="0.0.0.0/0"] gateway]="192.168.2.254") do={
:log info ("Default GW: ISP2");
:set defGW "WAN2";
}

:log info ("Checking via default gateway: " . $defGW . " " . [/ip route get [/ip route find where dst-address="0.0.0.0/0"] gateway]);
:if ([/ping 8.8.8.8 count=3 interface=$defGW]=0) do={
:log info ("Cannot ping Google, switching ISP");
/system script run ISP_switcher
} else={
:log info ("Everything seems fine, nothing to do here..");
}

Then we can create the “ISP_switcher” script, which checks the currently active gateway and switches it to the other one (only if that one is reachable).

:local i;
:local defGateway;

:set i [/ip route find where dst-address="0.0.0.0/0"]
:set defGateway [/ip route get $i gateway];

:log info ($defGateway);
:if ($defGateway="192.168.2.254") do={
:log info ("Active ISP: ISP2, checking ping via ISP1");
:if ([/ping 208.67.222.222 count=5 interface=WAN1]=0) do={
:log info ("ISP1 is DOWN, cannot switch default gateway");
} else={
:log info ("ISP1 is UP, switching default gateway");
/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=192.168.1.254
/interface disable WAN2
:delay 8s
/interface enable WAN2
}
}

:if ($defGateway="192.168.1.254") do={
:log info ("Active ISP: ISP1, checking ping via ISP2");
:if ([/ping 208.67.220.220 count=5 interface=WAN2]=0) do={
:log info ("ISP2 is DOWN, cannot switch default gateway");
} else={
:log info ("ISP2 is UP, switching default gateway");
/tool e-mail send to=your@mail.com subject="ISP1 is down" body="Your main ISP went away, ISP switched to backup. Happy troubleshooting"
/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=192.168.2.254
/interface disable WAN1
:delay 8s
/interface enable WAN1
}
}

The final step is making a scheduled task with a 30 sec interval that runs “/system script run ISP_state_check”.
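To reason about the two scripts above without a router, here is a Python model added to this note (it is not the original RouterOS code) that mirrors their decision logic with ping results injected as a function. Running it shows an edge case the scripts do not spell out: once traffic has moved to ISP2, the scheduler never fails back to ISP1 until ISP2 itself drops, and with both links down the default route stays where it is. Gateway and check addresses are the ones from the note.

```python
from typing import Callable, Dict, List, Tuple

# Topology from the note: ISP1 behind WAN1, ISP2 behind WAN2.
GATEWAYS: Dict[str, str] = {"WAN1": "192.168.1.254", "WAN2": "192.168.2.254"}
# OpenDNS check hosts, pinned to one interface each by the static routes + drop rules.
CHECK_HOST: Dict[str, str] = {"WAN1": "208.67.222.222", "WAN2": "208.67.220.220"}
OTHER: Dict[str, str] = {"WAN1": "WAN2", "WAN2": "WAN1"}

# A ping is modelled as (target, interface) -> reachable; the real script runs
# /ping count=5 and treats 0 replies as "down".
Ping = Callable[[str, str], bool]


def active_wan(default_gw: str) -> str:
    """Which WAN the current default route points at (same test as the scripts)."""
    return next(wan for wan, gw in GATEWAYS.items() if gw == default_gw)


def isp_switcher(default_gw: str, ping: Ping) -> str:
    """Mirror of ISP_switcher: move the default route to the other ISP only if
    that ISP's check host answers; otherwise keep the current gateway."""
    standby = OTHER[active_wan(default_gw)]
    if ping(CHECK_HOST[standby], standby):
        return GATEWAYS[standby]
    return default_gw


def isp_state_check(default_gw: str, ping: Ping) -> Tuple[str, str]:
    """Mirror of ISP_state_check: (new default gateway, log message).
    The switcher is only invoked when 8.8.8.8 is unreachable via the active WAN,
    so a recovered primary is NOT failed back to while the backup still works."""
    if ping("8.8.8.8", active_wan(default_gw)):
        return default_gw, "Everything seems fine, nothing to do here.."
    return isp_switcher(default_gw, ping), "Cannot ping Google, switching ISP"


def run_scenario(default_gw: str, steps: List[Dict[str, bool]]) -> List[Tuple[str, str]]:
    """Apply successive link states (interface -> up) as the 30 s scheduler would."""
    history = []
    for links in steps:
        # Reachability depends only on the link the ping leaves on (the drop
        # rules make sure each check host is never reached via the other WAN).
        ping = lambda target, iface, links=links: links.get(iface, False)
        default_gw, msg = isp_state_check(default_gw, ping)
        history.append((default_gw, msg))
    return history
```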

OpenVPN install on a single Ubuntu 18.04 server with EasyRSA 3.0.5

Update the system and install the OpenVPN server

apt update && apt dist-upgrade -y
apt install openvpn

Get the right version of EasyRSA from GitHub

cd ~
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz
tar xvf EasyRSA-nix-3.0.5.tgz
cd ~/EasyRSA-3.0.5/

Configure the vars file

cp vars.example vars
nano vars

set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"

Run init-pki to initiate the public key infrastructure

./easyrsa init-pki

Build the CA

./easyrsa build-ca nopass

Generate a request and sign the OpenVPN server’s certificate

./easyrsa gen-req server nopass
./easyrsa sign-req server server

Copy server.key, server.crt and ca.crt to the right place

cp ~/EasyRSA-3.0.5/pki/private/server.key /etc/openvpn/
cp ~/EasyRSA-3.0.5/pki/issued/server.crt /etc/openvpn/
cp ~/EasyRSA-3.0.5/pki/ca.crt /etc/openvpn/

Create a strong Diffie-Hellman key and the HMAC signature key, then copy them to the /etc/openvpn/ directory

./easyrsa gen-dh
openvpn --genkey --secret ta.key
cp ~/EasyRSA-3.0.5/ta.key /etc/openvpn/
cp ~/EasyRSA-3.0.5/pki/dh.pem /etc/openvpn/

Generate a client certificate and key pair

mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cd ~/EasyRSA-3.0.5/
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ~/client-configs/keys/

System Rescue CD via PXE and HTTP

Download the ISO

Mount it under Linux, then copy rescue32 and initram.igz to the tftp/sysres folder, and sysrcd.dat and its md5 hash file to the /var/www/html/sysres/ folder.

Prepare the pxelinux.cfg/default file

LABEL sysres
MENU LABEL System Rescue CD x86
KERNEL sysres/rescue32
APPEND initrd=sysres/initram.igz netboot=http://{SERVER-IP-OR-DNS-NAME}/sysres/sysrcd.dat setkmap=hu

rc.local compatibility on Ubuntu 18.04

nano /etc/systemd/system/rc-local.service

[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target

nano /etc/rc.local

#!/bin/sh -e
[...]
exit 0

chmod +x /etc/rc.local
systemctl enable rc-local
systemctl start rc-local.service
systemctl status rc-local.service

XCP-ng install via PXE

Get the install media

XCP-NG ISO

Mount it under Linux, and populate the xcp folder under the tftpboot like this:

├── pxelinux.cfg
│   └── default
├── pxelinux.0
└── xcp
    ├── efiboot.img
    ├── gcdx64.efi
    ├── grubx64.efi
    ├── install.img
    ├── isolinux
    │   ├── boot.cat
    │   ├── isolinux.bin
    │   ├── isolinux.cfg
    │   ├── mboot.c32
    │   ├── memtest
    │   ├── menu.c32
    │   ├── pg_help
    │   ├── pg_main
    │   └── splash.lss
    ├── vmlinuz
    └── xen.gz

Add the entry to the pxelinux.cfg/default file:

LABEL xcp-ng
MENU LABEL XCP-ng Hypervisor
KERNEL mboot.c32
APPEND xcp/xen.gz dom0_max_vcpus=1-2 dom0_mem=1024M,max:1024M com1=115200,8n1 console=com1,vga --- xcp/vmlinuz xencons=hvc console=hvc0 console=tty0 install --- xcp/install.img

Copy all the files from the ISO to a read-only NFS share or to a webserver directory. During the install, use NFS or HTTP as the media source.

VNC desktop on Xubuntu 18.04 / CentOS 7.5 with nvidia proprietary driver (x11vnc)

Nvidia driver install on CentOS 7.5

Download the NVIDIA drivers for Unix systems

Install prerequisites

sudo yum -y update
sudo yum -y install epel-release
sudo yum -y groupinstall "GNOME Desktop" "Development Tools"
sudo yum -y install kernel-devel dkms
reboot

Edit /etc/default/grub. Append the following to “GRUB_CMDLINE_LINUX”

rd.driver.blacklist=nouveau nouveau.modeset=0

Generate a new grub configuration to include the above changes.

sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Edit/create /etc/modprobe.d/blacklist.conf and append:

blacklist nouveau

Back up your old initramfs and then build a new one (both steps need root)

sudo mv /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r)-nouveau.img
sudo dracut /boot/initramfs-$(uname -r).img $(uname -r)
reboot

The NVIDIA installer will not run while X is running, so switch to text mode and run the installer as root:

sudo systemctl isolate multi-user.target
sudo sh NVIDIA-Linux-x86_64-*.run
reboot

Nvidia driver install on Xubuntu 18.04

sudo apt update
sudo apt dist-upgrade -y
sudo apt autoremove -y
sudo apt install linux-headers-$(uname -r) build-essential
sudo add-apt-repository ppa:graphics-drivers
sudo apt install nvidia-driver-*latest*

x11vnc install and set up for autostart

sudo apt install x11vnc

Make the password file and restrict it so only its owner can read it (it holds the VNC password hash)

x11vnc -storepasswd /home/*USER*/.x11vnc.password
chmod 600 /home/*USER*/.x11vnc.password

Test the connection with the current settings (the firewall might need some changes to allow port 5900)

x11vnc -noxrecord -noxfixes -noxdamage -display :0 -auth guess -forever -rfbauth /home/*USER*/.x11vnc.password -rfbport 5900

If it works, let’s make the autostart daemon.
Create /lib/systemd/system/x11vnc.service with the following content:

[Unit]
Description=Start x11vnc at startup.
After=multi-user.target

[Service]
Type=simple
ExecStart=/usr/bin/x11vnc -noxrecord -noxfixes -noxdamage -display :0 -auth guess -forever -rfbauth /home/USER/.x11vnc.password -rfbport 5900

[Install]
WantedBy=multi-user.target

sudo systemctl enable x11vnc.service
sudo systemctl daemon-reload
sudo systemctl start x11vnc.service
reboot

If there is no monitor attached to the PC, just create the /etc/X11/xorg.conf.d/10-monitor.conf file with the following content (the Screen section must reference the Device and Monitor identifiers exactly):

Section "Monitor"
    Identifier "Monitor0"
    VendorName "Unknown"
    ModelName "Unknown"
    HorizSync "28.0 - 33.0" # Virtual monitor needs this
    VertRefresh "43.0 - 72.0" # this, too
    Option "DPMS"
EndSection

Section "Device"
    Identifier "Device0"
    Driver "nvidia"
    VendorName "NVIDIA Corporation"
    Option "NoLogo" "1"
EndSection

Section "Screen"
    Identifier "Screen0"
    Device "Device0"
    Monitor "Monitor0"
    DefaultDepth "24"
    SubSection "Display"
        Depth "24"
        Virtual "1920 1080"
        Option "AllowEmptyInitialConfiguration" "True"
    EndSubSection
EndSection

TeamSpeak 3 server on systemd (Ubuntu 18.04, Debian 9, CentOS 7)

Create a user for the TeamSpeak server and switch to it

adduser --disabled-login teamspeak
su teamspeak

Get the latest TeamSpeak 3 files for the 64-bit Linux server and unpack them

tar xvf teamspeak3-server_linux_amd64-*.tar.bz2

Accept the license and start the server once to get the admin token (it is printed on the first start)

cd teamspeak3-server_linux_amd64
touch .ts3server_license_accepted
sh ts3server_startscript.sh start

Make the daemon file

nano /lib/systemd/system/teamspeak3-server.service

[Unit]
Description=TeamSpeak 3 Server
After=network.target

[Service]
Environment=LD_LIBRARY_PATH=/home/teamspeak/teamspeak3-server_linux_amd64/
WorkingDirectory=/home/teamspeak/teamspeak3-server_linux_amd64/
Type=simple
ExecStart=/home/teamspeak/teamspeak3-server_linux_amd64/ts3server inifile=ts3server.ini license_accepted=1
User=teamspeak
Group=teamspeak
StandardOutput=journal
StandardError=inherit
RestartSec=30

[Install]
WantedBy=multi-user.target

Enable the daemon

systemctl daemon-reload
systemctl start teamspeak3-server.service
systemctl enable teamspeak3-server.service

Ports used by TS3

  • 9987/UDP (voice)
  • 30033/TCP (file transfer)
  • 10011/TCP (ServerQuery)