Posts in my old blog, which hasn’t been maintained for serveral years, has been successfully migrated to this new room!
How to disable Meltdown and Spectre Patches on Linux
Meltdown and Spectre are vulnerabilities in modern processors, which allow a rogue process to read all memory which is currently processed on the computer, including passwords, documents, security credentials, and your photos. Your operating system and software may have included corresponding patches to mitigate those vulnerabilities if they are up to date. However, those patches significantly slowdown your computer.
If you have offline computers that run only trusted software, you may want to disable those patches to regain performance lost. This article will show you how to disable those patches on Linux. There is also an instruction for Windows.
Currently this article only covers the instructions to disable the Meltdown patch.
Check if Meltdown and Spectre patches are applied
Run the following command:
grep . /sys/devices/system/cpu/vulnerabilities/*
The following output means that the patches are enabled for the Meltdown and Spectre vulnerability:
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
Disable vulnerability fixes
You can disable those patches by adding nopti boot option to kernel.
Assume your Linux distribution uses grub2 as the boot manager:
Firstly modify GRUB_CMDLINE_LINUX parameter in the /etc/default/grub and append nopti boot option at the end of the line, like:
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap rhgb quiet nopti"
Then regenerate the grub config file. If your OS is booted from legacy BIOS, run:
sudo grub2-mkconfig -o /etc/grub2.cfg
Otherwise if your OS is booted from UEFI, run:
sudo grub2-mkconfig -o /etc/grub2-efi.cfg
Lastly, reboot your computer.
Verify if the patches are disabled
Rerun the following command:
grep . /sys/devices/system/cpu/vulnerabilities/*
If successful, your output should be something like:
shspectre fedora
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable
Re-enable the patches
Just remove the nopti boot option from /etc/default/grub and regenerate the grub boot config file like what we did before.
Set up an IPSec VPN that forwards all Internet traffic from LAN to the remote peer
My PS4 has trouble connecting to PSN service these days. I suspect my ISP has blocked all traffic to oversea PSN servers. Fortunately there is an OpenWrt router in my room, so that I can get through this kind of block by setting up a VPN connection to forward all traffic from my PS4 to my oversea VPS. Here is the expected connection solution:
PS4 <---> OpenWrt Router <---> VPN tunnel <---> VPS <----> Internet
I have two VLANs behind my OpenWRT router. VLAN1 brings my laptop, smart phone, and other devices together, while VLAN2 is for PS4.
VLAN1 has IP address range 192.168.0.0/24 and VLAN2 has 192.168.1.0/24. My aim is to forward all Internet traffic from 192.168.1.0/24 to the VPN tunnel but exclude all LAN traffic. Upon the successful establishment of my IPSec tunnel, devices in VLAN1 and VLAN2 can also get access to each other.
Install strongSwan
I use strongSwan, an open source IPsec-based VPN software, to set up my IPSec tunnel. The first step is to install strongSwan on both VPS and OpenWrt router.
yum install strongswan # for Fedora, RHEL/CentOS with EPEL
apt-get install strongswan # for Debian/Ubuntu
opkg update && opkg install strongswan-full # for OpenWrtCertificate Authority
For security reasons, I choose RSA authentication with X.509 certificates for my VPN tunnel. Both peers of strongSwan instances will identify themselves by corresponding X.509 certificates.
Start by creating a self singed root CA. Create a private key on your PC:
# create a 4096-bit RSA key named 'rootCA.key'
openssl genrsa 4096 > rootCA.key
# be care of the access permission
chmod 600 rootCA.keyThen generate a self singed root CA certificate:
# generate a self singed root CA certificate 'rootCA.crt', which will expire automatically after 3650 days.
openssl req -new -x509 -key rootCA.key -out rootCA.crt -days 3650 -subj '/C=US/O=My Company/CN=My VPN Root Certificate Authority'You can view the details of your root CA certificate with the following command:
openssl x509 -noout -text -in rootCA.crtExample output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12291557605863188796 (0xaa946284e1b9e93c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=My Company, CN=My VPN Root Certificate Authority
Validity
Not Before: Nov 13 04:29:33 2015 GMT
Not After : Nov 10 04:29:33 2025 GMT
Subject: C=US, O=My Company, CN=My VPN Root Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:e7:1f:7f:8c:06:96:76:ae:1c:48:97:6a:33:
bc:4e:cd:5b:3c:bc:a2:fd:b8:c0:2f:4c:fc:da:23:
ac:16:7b:9a:b5:43:d8:2a:68:57:54:48:22:c2:e2:
bb:c8:e0:ed:f7:16:b1:5d:32:48:bf:93:d2:a4:2c:
65:e0:d7:ee:6f:d8:c1:64:58:d5:58:2f:e0:47:94:
39:5d:8e:c6:66:aa:a9:21:44:a2:e6:b8:ca:0d:a3:
5d:9f:dd:81:98:e7:d8:77:0d:00:f2:cf:20:21:60:
1b:99:80:76:31:68:2a:72:ad:87:db:85:27:5c:69:
8b:06:ce:72:70:c6:c2:e7:a9:38:14:ad:b3:cb:24:
45:68:d3:b1:6b:2d:07:73:2c:5a:ba:16:42:77:1e:
41:4a:81:3b:76:03:cf:b7:c9:3d:c9:9c:b3:19:7d:
ee:aa:45:47:84:65:19:e7:bf:71:a3:a3:9b:b4:bd:
0e:51:2f:74:9b:2c:4e:b3:98:a3:91:ae:8e:d5:e1:
1b:c1:4a:10:58:2c:08:12:ec:38:4f:32:af:74:18:
4d:45:be:ea:f8:2f:cb:07:be:fd:dd:ed:fe:c0:bd:
13:a6:2b:0a:4e:4c:b9:f7:89:af:61:6b:bf:9f:42:
10:85:5f:bf:cc:68:cd:8b:82:eb:c6:14:bd:c4:18:
5e:3b:77:f1:4a:21:92:d2:c4:76:27:35:28:72:8e:
f0:c7:37:9f:fb:7b:b4:b2:90:17:7a:7e:dd:3a:eb:
a3:73:00:d9:86:db:38:06:5c:b8:08:a1:91:59:f7:
71:a2:ee:48:11:4a:89:21:32:6d:6e:d4:1d:58:68:
2b:82:8a:fd:36:2e:2d:d3:c9:aa:4e:b4:e5:c7:c4:
1a:64:f3:2b:ff:86:21:d5:91:77:e9:67:33:b7:d7:
77:97:c2:ce:23:66:7d:e2:16:05:0d:37:1c:95:8f:
ef:87:4a:01:e8:ad:91:00:8b:ad:39:cc:e5:f7:73:
60:c5:76:61:65:a9:27:db:30:33:b8:fd:24:69:93:
99:4d:e8:d5:e2:c9:14:da:6c:01:1c:c0:c1:c5:75:
69:35:6f:84:73:4d:d3:f2:9a:33:a6:b9:98:f5:d0:
3a:cf:d1:f3:43:56:59:98:49:d9:c2:b3:39:3d:49:
0c:4c:90:36:0e:dd:98:1e:55:a0:4a:28:93:c1:2a:
a0:e6:0e:e4:e9:14:0d:73:10:b2:09:80:fb:75:ff:
a2:b7:df:e6:7f:50:1f:a7:6c:25:ec:b8:3a:5e:03:
72:8a:67:cf:5e:97:90:ea:01:77:4c:70:7a:29:fc:
92:4f:ac:d3:23:4a:e1:2e:b2:18:21:67:4c:5f:77:
87:fa:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
23:85:28:FE:44:D5:C3:20:99:27:0D:F0:1B:D2:E4:19:2F:E7:86:D2
X509v3 Authority Key Identifier:
keyid:23:85:28:FE:44:D5:C3:20:99:27:0D:F0:1B:D2:E4:19:2F:E7:86:D2
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
37:04:ce:97:fc:b8:ea:d8:97:9a:5f:a6:c5:1e:c8:cf:60:76:
f3:88:ed:3c:c6:7e:9c:cd:a3:24:c3:69:13:82:7d:3f:77:6e:
f2:f1:d9:af:08:9d:2e:09:d0:16:f2:14:27:d8:b2:0b:bc:b7:
57:4a:bf:8d:ec:fb:91:fb:b9:95:23:86:02:07:94:91:fd:28:
c2:ee:03:0b:e9:bf:62:ca:d2:e5:e6:24:96:1f:86:a2:b0:d8:
80:a3:8b:cd:df:c6:b5:ff:42:e3:0d:72:23:4f:2b:e8:0e:54:
0e:50:19:85:ab:26:33:0d:25:eb:a7:bf:82:7c:f3:77:a8:d0:
dd:d4:6f:22:fb:c7:c6:e6:19:03:76:fd:29:ac:89:cc:1b:ff:
dd:08:f8:f9:12:a8:f0:b9:3d:c5:fa:aa:83:59:d8:a7:5c:e6:
e3:b4:61:33:42:7b:ca:87:27:18:82:1b:3c:9b:00:51:a4:5e:
5f:c7:cb:5a:f2:2d:33:41:0b:6a:38:9f:4e:88:be:75:36:af:
23:aa:99:26:fb:c8:24:54:03:09:00:54:96:2a:74:8c:c7:11:
11:03:aa:81:31:fd:36:10:6e:43:80:d1:23:67:d0:93:a2:a9:
76:8c:05:47:1f:ac:48:2b:7e:be:e2:b6:b2:f0:07:80:2d:90:
06:7a:ee:0e:61:8c:f7:79:c9:1b:28:a6:10:8d:1d:69:11:2b:
88:ee:e6:c0:7a:eb:f0:10:ad:1a:a5:7f:0e:a1:89:73:45:8d:
8c:29:45:24:a7:1e:ed:9c:2e:13:04:aa:7b:53:5f:01:08:d7:
cc:f2:6a:88:ac:95:a6:a5:3c:5a:9f:79:8a:b2:b4:26:79:57:
26:c7:93:72:d3:fa:9a:99:7f:33:4a:c1:04:35:86:4f:ec:73:
02:6e:dd:f5:e7:7e:ec:b5:fd:b5:74:cb:b9:16:ff:75:01:a1:
b2:0d:01:85:04:0e:52:9c:de:42:40:9d:89:cf:38:a1:63:23:
8f:37:63:d6:49:88:50:47:ab:4a:4c:79:de:1d:aa:64:25:0b:
c4:6f:00:ec:80:9b:4c:04:07:10:0f:ce:62:23:aa:7d:d1:1a:
62:f9:80:34:19:c0:4a:f0:4a:a1:a2:8c:d7:3d:df:d6:f3:c8:
d9:c8:7e:14:87:52:c0:09:a2:c0:3b:d2:b3:a1:a4:3d:5b:6a:
f9:f3:09:e7:1a:90:66:3a:d2:26:69:0b:5f:45:2d:13:8a:ae:
43:a4:f5:e9:6f:09:6e:e1:59:51:e0:93:7a:53:73:11:75:2f:
ad:ef:10:5d:b1:c9:4d:2a:9c:65:bb:82:0d:61:d4:63:e9:83:
ce:bb:b4:e0:fa:40:49:3eCreate an X.509 v3 extension file ext.cnf containing the following content
in order to issue X.509 v3 certificates instead of v1 ones to end clients:
[ usr_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2Having the CA certificate, you are able to issue client certificates to your VPS and OpenWrt router later.
Issue a Certificate For VPS
On your VPS, create a private key:
# create a 2048-bit RSA key named 'vpsHost.key'
openssl genrsa 2048 > vpsHost.key
# be care of the access permission
chmod 600 vpsHost.keyThen create a certificate request file:
# create a certificate request file 'vpsHost.csr'
openssl req -new -key vpsHost.key -out vpsHost.csr -subj '/C=US/O=My Company/CN=vpsHost'Copy your certificate request file vpsHost.csr from VPS to your PC.
On your PC, use the following command to issue a client certificate to your VPS:
# issue a client certificate 'vpsHost.crt' to your VPS from your CA. The client certificate will expire automatically after 730 days.
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -in vpsHost.csr -out vpsHost.crt -days 730 -sha256 -extfile ext.cnf -extensions usr_certYou can view the certificate details with the following command:
openssl x509 -noout -text -in vpsHost.crtExample output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15485463545527761144 (0xd6e76b0c957178f8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=My Company, CN=My VPN Root Certificate Authority
Validity
Not Before: Nov 13 05:19:06 2015 GMT
Not After : Nov 12 05:19:06 2017 GMT
Subject: C=US, O=My Company, CN=vpsHost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:0e:85:7f:44:8a:91:f3:5f:f8:4d:41:68:86:
22:ce:d6:e1:a9:2a:75:09:f4:16:27:05:32:9d:fd:
da:a5:f7:24:ce:ac:29:9d:91:42:ef:7e:77:3d:09:
2f:f2:9e:82:a4:6c:fc:12:4b:39:01:73:fe:09:6d:
ea:9c:22:bf:ee:e6:ee:70:ea:00:c3:bf:92:c2:5f:
49:ae:f7:cf:90:26:d4:89:62:b5:87:e8:4c:57:1d:
d9:a2:f1:35:f4:2b:58:38:7e:d3:9f:03:fa:58:e3:
03:61:d6:2c:dc:6e:07:e2:4e:de:bd:0b:9c:97:2e:
0e:52:31:4b:22:8b:d8:a2:82:1d:0e:5d:f1:f4:01:
32:49:dc:2e:e8:e4:d9:03:8e:d5:f3:8e:3f:99:a7:
f2:b1:02:a9:e2:0c:0c:ff:77:72:6f:b9:8f:18:01:
42:0e:f2:75:92:6d:db:d0:fb:12:77:a8:6a:95:4c:
99:f4:a7:1b:30:67:34:4e:93:02:ab:1d:10:3e:b5:
68:75:d3:9d:a8:f6:42:90:87:96:2b:4f:c5:d6:81:
1b:ec:c0:32:be:af:59:64:04:25:ac:37:dc:fa:8b:
c8:35:5d:37:f3:fb:88:18:3a:a9:da:71:22:f0:fc:
ab:dd:c1:73:ab:b0:6b:46:d1:a3:9d:b4:4a:c8:46:
f7:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Subject Key Identifier:
79:E5:96:AB:4F:74:A1:8E:C6:EB:98:E9:A7:A7:52:8F:6B:6F:63:2A
X509v3 Authority Key Identifier:
keyid:23:85:28:FE:44:D5:C3:20:99:27:0D:F0:1B:D2:E4:19:2F:E7:86:D2
DirName:/C=US/O=My Company/CN=My VPN Root Certificate Authority
serial:AA:94:62:84:E1:B9:E9:3C
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
Signature Algorithm: sha256WithRSAEncryption
4c:11:42:4c:af:df:4c:4e:99:16:41:4f:1f:5b:88:96:5c:ed:
d3:b2:80:05:46:ab:12:1a:06:a8:f7:ce:6d:e3:e5:14:6c:88:
3f:c4:e6:6e:28:87:1f:5b:51:dd:e5:15:66:2d:5a:49:2c:67:
90:3b:1b:c6:6b:64:e4:56:0b:71:ab:95:3f:2c:a0:8e:12:bb:
d5:89:27:cd:30:54:c6:94:bc:0f:7c:a9:b5:d3:06:0f:71:1f:
5c:d5:c3:6a:0e:7e:db:68:cd:38:f2:b6:73:85:03:04:54:95:
53:6c:8a:01:e8:87:19:46:f4:bd:9f:f4:cf:70:1a:fa:2d:fd:
9c:01:c2:31:0e:43:5e:3b:b0:09:e8:9e:45:40:a5:bf:ce:ec:
7a:1c:00:2f:56:28:c2:74:ce:60:ae:14:ba:dc:97:55:82:bc:
08:2a:45:78:cb:f3:6f:aa:64:5e:0a:1c:86:09:50:29:50:fe:
88:63:2d:23:16:62:35:c8:7a:69:a5:f7:70:ca:07:ef:a1:ca:
cf:7b:32:d9:5b:61:e1:31:4f:c8:c1:22:b7:67:e9:d2:5a:60:
ab:a0:0d:08:9f:1f:bd:a7:7f:b8:7f:fd:5d:c6:d0:dc:23:fc:
8f:0c:14:fc:48:d8:3b:0a:cf:43:91:7c:7d:54:3f:77:41:11:
de:a4:74:09:15:30:de:9a:77:a7:2f:99:e8:f8:8d:ff:81:fb:
9a:51:bd:01:53:f5:ac:e0:e0:ea:65:69:0d:08:7f:c6:0b:f1:
16:3e:fe:b3:06:de:24:dc:34:02:0c:d9:97:f4:60:5f:a4:95:
07:3a:a5:c9:cb:1f:15:ee:fc:5b:60:04:be:d9:78:6a:03:63:
aa:2b:8c:9f:6d:d4:80:93:05:8e:29:c7:2b:dd:90:14:78:a6:
b8:c1:a7:ae:4c:a9:89:31:e5:eb:21:71:01:78:b9:22:e1:54:
83:7d:fe:7e:40:83:42:98:c5:31:47:35:6d:71:8a:43:e7:1c:
3b:f1:56:f6:49:be:6e:b6:e2:65:d8:ea:95:eb:ac:59:91:9f:
8e:58:ed:79:14:50:d6:bf:cb:86:46:a0:6d:73:27:d7:65:7c:
6f:73:7f:d0:45:84:da:f9:05:07:79:6a:d4:77:22:eb:d5:0f:
44:c8:82:32:f6:b7:e5:89:1c:42:d7:af:b7:8c:0f:58:32:97:
85:d2:45:78:28:32:cc:43:b0:67:17:0e:62:2a:cb:1f:8e:8c:
c1:7b:ac:5b:84:a8:9b:96:dc:6d:d3:48:59:ff:2f:50:05:23:
3b:4f:ec:c7:33:d8:61:d1:72:73:85:df:1c:67:01:ae:d5:29:
be:e8:99:19:5a:cd:8d:fcCopy your certificate files rootCA.crt and vpsHost.crt from your PC to your VPS.
Issue a Certificate For OpenWrt Router
On your OpenWrt Router, create a private key:
# make sure you have installed openssl on your router
opkg update && opkg install openssl-util
# create a 2048-bit RSA key named 'openwrtHost.key'
openssl genrsa 2048 > openwrtHost.key
# be care of the access permission
chmod 600 openwrtHost.keyThen create a certificate request file:
# create a certificate request file 'openwrtHost.csr'
openssl req -new -key openwrtHost.key -out openwrtHost.csr -subj '/C=US/O=My Company/CN=openwrtHost'Copy your certificate request file openwrtHost.csr from OpenWrt router to your PC.
On your PC, use the following command to issue a client certificate to your OpenWrt router:
# issue a client certificate 'openwrtHost.crt' to your VPS from your CA. The client certificate will expire automatically after 730 days.
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -in openwrtHost.csr -out openwrtHost.crt -days 730 -sha256 -extfile ext.cnf -extensions usr_certYou can view the certificate details with the following command:
openssl x509 -noout -text -in openwrtHost.crtExample output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15485463545527761145 (0xd6e76b0c957178f9)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=My Company, CN=My VPN Root Certificate Authority
Validity
Not Before: Nov 13 05:27:01 2015 GMT
Not After : Nov 12 05:27:01 2017 GMT
Subject: C=US, O=My Company, CN=openwrtHost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:cd:49:e7:ab:d9:91:ed:05:6a:ae:56:bd:80:
bc:cf:8c:c5:db:ac:d7:2d:16:3c:ce:0d:f8:40:2d:
bd:60:fb:0b:37:d7:a4:b7:fe:a5:87:43:ea:c0:44:
d4:2e:b2:ae:53:09:7c:be:f0:d4:ec:38:c6:5d:54:
b8:d6:96:dd:3d:54:af:7f:94:a3:77:d5:1d:0d:0e:
71:54:59:c3:a3:19:ae:ca:10:de:cf:53:4a:7a:c1:
ca:c0:ff:00:8c:77:f3:15:2a:84:22:56:7d:58:80:
ea:60:51:82:ec:18:45:19:c6:7b:0a:b1:32:19:f4:
32:ad:2f:c9:dd:18:c1:ba:f6:c5:db:bf:0d:5d:91:
16:69:57:1f:03:f6:d7:87:be:15:58:3e:1a:3d:d6:
c6:80:0e:cf:97:ee:3a:12:fc:39:e2:40:d8:5f:6b:
6e:eb:6a:79:3a:4e:d6:ee:e3:8e:62:d7:ad:23:f7:
95:59:b0:01:a8:df:76:a7:51:df:39:80:87:fc:dc:
d5:cc:07:b1:8d:0a:2e:fa:8c:63:04:e3:01:0b:a7:
2f:aa:67:12:4e:18:d2:00:e6:e8:15:f0:cc:0a:d2:
7d:a7:e0:a3:3f:cb:8b:d2:dc:70:24:c7:d8:bd:e9:
04:d9:32:3e:1e:7f:ca:c4:9d:10:6d:1e:4d:0a:0e:
61:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
X509v3 Subject Key Identifier:
9D:4E:FA:66:23:C0:4D:06:DF:D4:36:31:CB:59:2D:F8:52:28:06:2D
X509v3 Authority Key Identifier:
keyid:23:85:28:FE:44:D5:C3:20:99:27:0D:F0:1B:D2:E4:19:2F:E7:86:D2
DirName:/C=US/O=My Company/CN=My VPN Root Certificate Authority
serial:AA:94:62:84:E1:B9:E9:3C
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
Signature Algorithm: sha256WithRSAEncryption
43:05:ea:f4:be:8e:7b:9b:cb:8a:d9:22:3d:e3:b6:46:a4:1d:
f2:2e:a6:75:88:1e:ec:66:78:53:b4:0c:80:5e:f3:7f:69:43:
8f:ba:24:33:13:47:97:ab:ad:8e:0c:c8:05:ab:a2:3b:cd:92:
12:72:7f:65:ac:fe:21:23:bf:87:3e:b3:88:12:b7:a7:69:df:
eb:49:87:d7:3c:01:36:a1:41:8a:71:a5:f9:dd:e3:5f:41:35:
bc:c9:04:56:20:dc:4c:59:e7:57:4f:a6:dd:5e:51:2f:47:7e:
08:c5:36:92:74:37:31:13:82:9d:be:96:17:c9:58:45:be:a0:
04:17:4c:59:c5:5f:bb:e6:50:86:05:08:f9:ee:b7:3d:9a:a8:
c6:95:37:55:08:30:17:db:9f:41:e3:01:4e:33:7d:cd:ff:ca:
bd:40:f6:7b:72:d0:59:6f:9e:40:24:20:cf:ed:e4:f4:3f:73:
15:0c:45:01:fa:74:a3:53:79:a8:ae:38:9e:77:ac:f2:a7:12:
7f:22:7b:a9:7f:03:9b:8d:48:9f:5d:7a:c6:c9:eb:df:00:9e:
77:eb:4b:78:56:69:8f:67:7d:7f:ff:a5:da:93:64:5c:83:de:
5e:53:0d:c1:1c:2e:0d:eb:ea:25:66:b3:56:20:e4:f7:06:11:
87:2b:74:29:9d:71:8c:c9:67:cf:44:d9:0b:1c:d1:fd:4b:cb:
0c:25:37:ee:a5:57:2d:5a:7c:cd:27:17:c6:20:8b:0f:19:4e:
5c:d0:b9:e1:0c:f0:db:69:41:d9:24:e4:09:b6:a1:22:3a:95:
6f:c2:c6:cb:c1:24:a0:75:7c:13:c3:52:16:4e:2b:f4:0a:c4:
ce:6e:f7:39:ec:95:e0:4c:96:48:67:8b:29:70:09:06:ea:d1:
a7:c7:19:99:d1:91:7d:76:59:ba:7f:06:83:d5:f0:b0:86:a4:
d0:2a:f6:c8:20:55:60:69:02:4b:43:07:64:d9:75:24:ce:fa:
3e:d4:47:c7:53:eb:93:0f:44:4c:18:b1:48:21:4e:de:07:37:
a5:0b:70:17:cd:bb:9a:2a:98:6a:58:e3:86:b6:aa:06:87:2f:
f6:e0:02:6f:ff:a9:8d:10:5c:df:1a:e6:dd:26:2c:48:08:96:
54:c9:ce:f0:eb:5c:8e:f5:6f:d7:ef:c5:0a:8d:35:e0:a1:16:
6f:34:9c:19:a1:70:72:c8:e5:ae:95:52:90:3a:00:ee:c2:cf:
86:82:94:04:ec:ae:de:76:99:6d:2e:10:24:22:f0:46:c1:02:
d6:cc:43:6c:8c:17:cf:8e:90:24:ce:c0:fd:41:cb:e7:46:45:
bb:df:89:ce:10:96:4c:3dCopy your certificate files rootCA.crt and openwrtHost.crt from your PC to your OpenWrt router.
Configure VPS peer
On your VPS, copy rootCA.crt to /path_to_strongSwan/ipsec.d/cacerts:
cp rootCA.crt /etc/strongswan/ipsec.d/cacerts # for Fedora/RHEL/CentOS
cp rootCA.crt /etc/ipsec.d/cacerts # for Debian/UbuntuCopy vpsHost.crt to /path_to_strongSwan/ipsec.d/certs:
cp vpsHost.crt /etc/strongswan/ipsec.d/certs # for Fedora/RHEL/CentOS
cp vpsHost.crt /etc/ipsec.d/certs # for Debian/UbuntuCopy vpsHost.key to /path_to_strongSwan/ipsec.d/private:
cp vpsHost.key /etc/strongswan/ipsec.d/private # for Fedora/RHEL/CentOS
cp vpsHost.key /etc/ipsec.d/private # for Debian/UbuntuTell strongSwan where to find the private key by editing /path_to_strongSwan/ipsec.secrets:
# /etc/strongswan/ipsec.secrets - strongSwan IPsec secrets file for Fedora/RHEL/CentOS
# /etc/ipsec.secrets - strongSwan IPsec secrets file for Debian/Ubuntu
: RSA vpsHost.keyConfigure IPSec policy by editing /path_to_strongSwan/ipsec.conf. Here is an example:
# ipsec.conf - strongSwan IPsec configuration file. See https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
# /etc/strongswan/ipsec.conf - for Fedora/RHEL/CentOS
# /etc/ipsec.conf - for Debian/Ubuntu
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
conn %default # default configuration
left=%any
leftfirewall=yes # tell strongSwan to auto configure your firewall
leftauth=pubkey # Use X.509 pubkey authentication for local peer
leftcert=vpnHost.crt # tell strongSwan where to find the certificate file for local peer
leftid=@vpnHost # must match the CN part of the certificate
keyexchange=ikev2 # use IKEv2
esp=aes192-aes256-sha1-sha256! # Cipher suit for ESP
ike=aes192-aes256-sha256-modp4096-modp3072! # Cipher suit for IKE
dpdaction=clear # Related to Dead Peer Detection. Clear connections when a dead peer is detected
dpddelay=15m # Detect dead peer every 15 minutes
fragmentation=yes # use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per RFC 7383).
conn openwrtHost # connection to my OpenWrt router
leftsubnet=0.0.0.0/0 # allow traffic to any IPv4 address
rightauth=pubkey # Use X.509 pubkey authentication for remote peer
right=%any # Since my OpenWrt router has a dynamic public IP address, I have to allow any IP address to connect.
rightid=@openwrtHost must match the CN part of remote peer's certificate
rightsubnet=192.168.1.0/24 # allow traffic from IPv4 address range 192.168.1.0/24
auto=add # enable this configuration sectionTo make your VPS as a software router, you should turn on the following kernel options:
# enable IPv4 routing
sysctl -w net.ipv4.ip_forward=1
# make this option persistent after a system reboot
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# if you want to enable IPv6 routing, run following commands:
sysctl -w net.ipv6.conf.all.forwarding=1
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.confEnable SNAT to allow forwarding packets from private IP addresses to the Internet, because your clients (PS4, etc) have no public IPv4 addresses. You should configure your Linux firewall:
# For firewalld
# make sure your firewall is running
firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD_direct 1 -o <interface to the Internet> -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 nat POSTROUTING_direct 1 -o <interface to the Internet> -m policy --pol none --dir out -j MASQUERADE # masquerade non-IPSec traffic
# if you want to enable IPv6 routing, run the following command:
firewall-cmd --direct --permanent --add-rule ipv6 filter FORWARD_direct 1 -o <interface to the Internet> -j ACCEPT
# reload your firewalld rules
firewall-cmd --reload
# For iptables
# make sure your firewall is running
iptables -A FORWARD -o <interface to the Internet> -j ACCEPT
iptables -t nat -A POSTROUTING -o <interface to the Internet> -m policy --pol none --dir out -j MASQUERADE # masquerade non-IPSec traffic
# if you want to enable IPv6 routing, run the following command:
ip6tables -A FORWARD -o <interface to the Internet> -j ACCEPT
# save rules
service iptables saveDon’t forget to start your strongSwan service and enable it at startup:
systemctl enable strongswan # For Fedora 14+/RHEL 7+/CentOS 7+
service strongswan enable # For old Fedora/RHEL/CentOSConfigure OpenWrt Router
On your OpenWrt Router, copy rootCA.crt to /etc/ipsec.d/cacerts:
cp rootCA.crt /etc/ipsec.d/cacertsCopy openwrtHost.crt to /etc/ipsec.d/certs:
cp openwrtHost.crt /etc/ipsec.d/certsCopy openwrtHost.key to /etc/ipsec.d/private:
cp openwrtHost.key /etc/ipsec.d/privateTell strongSwan where to find the private key. Edit /etc/ipsec.secrets:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA openwrtHost.keyConfigure IPSec policy by editing /etc/ipsec.conf. Here is an example:
# ipsec.conf - strongSwan IPsec configuration file. See https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
# /etc/strongswan/ipsec.conf - for Fedora/RHEL/CentOS
# /etc/ipsec.conf - for Debian/Ubuntu
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
conn %default # default configuration
left=%any
leftfirewall=no # tell strongSwan not to auto configure your firewall
leftauth=pubkey # Use X.509 pubkey authentication for local peer
leftcert=openwrtHost.crt # tell strongSwan where to find the certificate file for local peer
leftid=@openwrtHost # must match the CN part of the certificate
keyexchange=ikev2 # use IKEv2
esp=aes192-aes256-sha1-sha256! # Cipher suit for ESP
ike=aes192-aes256-sha256-modp4096-modp3072! # Cipher suit for IKE
dpdaction=clear # Related to Dead Peer Detection. Clear connections when a dead peer is detected
dpddelay=15m # Detect dead peer every 15 minutes
fragmentation=yes # use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per RFC 7383).
conn bypass # bypass LAN, multicast, and limited broadcast traffic
leftsubnet=0.0.0.0/0
leftsubnet=192.168.0.0/23, 224.0.0.0/4, 240.0.0.0/4
auto=route
conn vpnHost # connection to my OpenWrt router
leftsubnet=192.168.1.0/24 # allow traffic from 192.168.1.0/24 (VLAN2's IP range)
right=<IP address or domain name of your VPS>
rightauth=pubkey # Use X.509 pubkey authentication for remote peer
rightid=@vpnHost must match the CN part of remote peer's certificate
rightsubnet=0.0.0.0/0 # allow traffic to any IPv4 address
auto=route # auto start this IPSec tunnel when such traffic occursMake sure your OpenWrt router have SHA256 kernel module installed:
opkg update && opkg install kmod-crypto-sha256A very important step, don’t let strongSwan configure routes on your OpenWrt router.
Otherwise strongSwan will insert an additional policy-based default route that forwards all traffic from VLAN2 to your VPS, which blocks the communication from VLAN2 clients to your OpenWrt router, resulting in your clients cannot receive any traffic from your router.
Edit /etc/strongswan.conf on your OpenWrt router:
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
install_routes = no # add this line
}
include strongswan.d/*.confYou should also disable the farp plugin for strongSwan.
The farp plugin will fake ARP responses for rightsubnet to an established tunnel.
In our VPN deployment our rightsubnet (0.0.0.0/0) covers leftsubnet (192.168.1.0/24).
If we don’t disable this plugin, it will fake ARP responses for 0.0.0.0/0, which will disturb the ARP traffic in VLAN2 unexpectedly.
To disable the plugin, edit /etc/strongswan.d/charon/farp.conf on your OpenWrt router:
# /etc/strongswan.d/charon/farp.conf
farp {
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = no # change this line
}The last step, add new firewall rules to allow VPN traffic on your OpenWrt router:
# /etc/firewall.user
# for IPv4 IPSec traffic
iptables -A input_rule -p esp -j ACCEPT # IPSec payload - ESP
iptables -A input_rule -p ah -j ACCEPT # IPSec payload - AH
iptables -A input_rule -p udp --dport 4500 -j ACCEPT -m conntrack --ctstate NEW # for IPSec NAT traversal (NAT-T)
iptables -A input_rule -p udp --dport 500 -j ACCEPT -m conntrack --ctstate NEW # for IKE
# for IPv6 IPSec traffic
ip6tables -A input_rule -p esp -j ACCEPT # IPSec payload - ESP
ip6tables -A input_rule -p ah -j ACCEPT # IPSec payload - AH
ip6tables -A input_rule -p udp --dport 4500 -j ACCEPT -m conntrack --ctstate NEW # for IKE
ip6tables -A input_rule -p udp --dport 500 -j ACCEPT -m conntrack --ctstate NEW # for IPSec NAT traversal (NAT-T)Reload your OpenWrt firewall:
fw3 reloadStart and enable your strongSwan service:
/etc/init.d/ipsec start
/etc/init.d/ipsec enableNow all Internet traffic from VLAN2 should be forwarded to the VPS. Please enjoy it.
Customize Docker network
Docker is an awesome software which makes use of Linux container to package dependencies for an application and isolate its runtime environment from the host machine. By default, Docker will set up an isolated private network and adopt Network address translation (NAT) technology for forwarding incoming traffic to corresponding container. But sometimes we want to set up our own Docker network.
A few days ago, I was going to run several separated Bind DNS services on a single host. Some of them are recursive servers while others are authoritative servers. Traditionally, we need to bind these services to different addresses on the same host, or create virtual machines for every Bind instance.
I chose Docker for this kind of deployment. The difficulty is how to expose the whole network of these containers
to the outside network instead of using NAT technology, because it is very hard to maintain so many IP addresses on a single host machine.
We can use --net=none option when starting a container to tell Docker not to configure its network automatically, which leaves us free to configure our own network.
Considering I have a host machine and 4 Docker containers. The host machine’s physical interface connects to a router that connects to an intranet.
[gateway] eth3: 10.3.0.1/24 <--> [host machine] eth0: 10.3.0.2/24 / docker0: 10.3.16.1/20 <--> [containers] eth0: 10.3.16.11/20-10.3.16.14/20
The host machine has 2 IP addresses. One is 10.3.0.2/24, which connects to a gateway interface eth3 with IP address 10.3.0.1/24 through its physical interface eth0.
The other is 10.3.16.1/20, which is assigned to the Docker Ethernet bridge interface docker0. The four Docker containers have addresses from 10.3.16.11/20 to 10.3.16.14/20.
By default, Docker configures bridge interface docker0 with IPv4 address 172.17.42.1/16. We need to change it to 10.3.16.1/20 in this deployment.
To supply a different IP address for docker0, We need to edit Docker upstart configuration file. This file is usually located at /etc/sysconfig/docker for Fedora/RHEL/CentOS or /etc/default/docker for Debian/Ubuntu.
Here is a resonable configuration:
# /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--bip=10.3.16.1/20 --iptables=false'
# ...In this file, the --bip=10.3.16.1/20 option tells Docker to set up bridge interface with IPv4 address 10.3.16.1/20, and --iptables=false to disallow Docker to insert iptables rules automatically.
Restart your Docker service, then start a container:
$ systemctl restart docker # systemd OS
$ service docker restart # other OS
$ docker run -ti --rm --net=none --name my_container centos:7 /bin/bash # start a containerThis will start a CentOS 7 container named my_container. Option --net=none tells Docker not to set up container network.
Issuing ip addr in this container will find that there are no Ethernet interfaces configured:
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft foreverAs Docker uses Linux container to isolate environment, we should set up a container network through the host machine. These instructions are adapted from official Docker documentation.
Firstly, use docker inspect command to find out the container process ID:
PID=`docker inspect -f '{{.State.Pid}}' my_container`Then, create a peer of virtual network interfaces A and B, then bind the A end to the bridge, and bring it up:
$ ip link add A type veth peer name B
$ brctl addif docker0 A
$ ip link set A upNext, place B inside the container’s network namespace, and rename to eth0, and activate it with IP 10.3.16.11/20.
Follow similar steps to configure networks for other containers by replacing IP addresses with 10.3.16.12/20 - 10.3.16.14/20.
$ ip link set B netns $PID
$ ip netns exec $PID ip link set dev B name eth0
$ ip netns exec $PID ip link set eth0 address 12:34:56:78:9a:bc
$ ip netns exec $PID ip link set eth0 up
$ ip netns exec $PID ip addr add 10.3.16.11/20 dev eth0
$ ip netns exec $PID ip route add default via 10.3.16.1Lastly, add a static route on your gateway to forward address range 10.3.16.0/24 to your host machine:
$ ip route add 10.3.16.0/20 via 10.3.0.2 dev eth3In addition, I wrote a script called Dockernet in order to finish these steps in a very simple way. You can check out my code if you like.
Hello world!
Hello, I’m Yuxiang Zhu, a programmer working on free software. From today, I will keep my technical experience and knowledge in this blog and share to everyone.
This blog is built by Jekyll, an open software that transforms plain text into static websites and blogs. It is awesome and free to use. If you want to build a blog like me, you can follow instructions on Jekyll’s homepage. The theme of this site is adapted from Freelancer.