dd-wrt and vyprvpn

I’ve been fighting with my older Linksys WRTSL54GS running dd-wrt v24-sp2 mega (build 14896). I’ve had a number of problems, so I’ve written down the configuration here.

PPTP connection – I tried this and, after many hours, I’ve come to the conclusion that there is an error in the packaged binary for this build: when the connection starts, the program segfaults. Unlike the OpenWrt versions, upgrades to dd-wrt are not an easy or simple process (no ipkg update for you!)

VPN connection – I found that the setup provided by VyprVPN did not work out of the box for me, and that the default security it provided didn’t suit me. I want the connection to hold for the duration and no traffic to be forwarded if the connection doesn’t exist. The script that I ended up with is:

USERNAME=""   # VyprVPN account name; left blank here, fill it in
PASSWORD=""
PROTOCOL="udp"
# Add - delete - edit servers between ##BB## and ##EE##
REMOTE_SERVERS="
##BB##
# NA - VPN
remote us1.vpn.goldenfrog.com 1194
##EE##
"
#### Do not make modifications below this line ####
# Golden Frog CA. Its validity period, decoded from the certificate, is
# 2010-04-09 to 2020-04-06, so this copy has expired.
CA_CRT='-----BEGIN CERTIFICATE-----
MIIEpDCCA4ygAwIBAgIJANd2Uwt7SabsMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
VQQGEwJLWTEUMBIGA1UECBMLR3JhbmRDYXltYW4xEzARBgNVBAcTCkdlb3JnZVRv
d24xFzAVBgNVBAoTDkdvbGRlbkZyb2ctSW5jMRowGAYDVQQDExFHb2xkZW5Gcm9n
LUluYyBDQTEjMCEGCSqGSIb3DQEJARYUYWRtaW5AZ29sZGVuZnJvZy5jb20wHhcN
MTAwNDA5MjExOTIxWhcNMjAwNDA2MjExOTIxWjCBkjELMAkGA1UEBhMCS1kxFDAS
BgNVBAgTC0dyYW5kQ2F5bWFuMRMwEQYDVQQHEwpHZW9yZ2VUb3duMRcwFQYDVQQK
Ew5Hb2xkZW5Gcm9nLUluYzEaMBgGA1UEAxMRR29sZGVuRnJvZy1JbmMgQ0ExIzAh
BgkqhkiG9w0BCQEWFGFkbWluQGdvbGRlbmZyb2cuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA37JesfCwOj69el0AmqwXyiUJ2Bm+q0+eR9hYZEk7
pVoj5dF9RrKirZyCM/9zEvON5z4pZMYjhpzrq6eiLu3j1xV6lX73Hg0dcflweM5i
qxFAHCwEFIiMpPwOgLV399sfHCuda11boIPE4SRooxUPEju908AGg/i+egntvvR2
d7pnZl2SCJ1sxlbeAAkYjX6EXmIBFyJdmry1y05BtpdTgPmTlJ0cMj7DlU+2gehP
ss/q6YYRAhrKtlZwxeunc+RD04ieah+boYU0CBZinK2ERRuAjx3hbCE4b0S6eizr
QmSuGFNu6Ghx+E1xasyl1Tz/fHgHl3P93Jf0tFov7uuygQIDAQABo4H6MIH3MB0G
A1UdDgQWBBTh9HiMh5RnRVIt/ktXddiGkDkXBTCBxwYDVR0jBIG/MIG8gBTh9HiM
h5RnRVIt/ktXddiGkDkXBaGBmKSBlTCBkjELMAkGA1UEBhMCS1kxFDASBgNVBAgT
C0dyYW5kQ2F5bWFuMRMwEQYDVQQHEwpHZW9yZ2VUb3duMRcwFQYDVQQKEw5Hb2xk
ZW5Gcm9nLUluYzEaMBgGA1UEAxMRR29sZGVuRnJvZy1JbmMgQ0ExIzAhBgkqhkiG
9w0BCQEWFGFkbWluQGdvbGRlbmZyb2cuY29tggkA13ZTC3tJpuwwDAYDVR0TBAUw
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAwihrN0QNE19RRvGywBvsYDmzmM5G8ta5
8yB+02Mzbm0KuVxnPJaoVy4L4WocAnqLeKfmpYWUid1MPwDPtwtQ00U7QmRBRNLU
hS6Bth1wXtuDvkRoHgymSvg1+wonJNpv/VquNgwt7XbC9oOjVEd9lbUd+ttxzboI
8P1ci6+I861PylA0DOv9j5bbn1oE0hP8wDv3bTklEa612zzEVnnfgw+ErVnkrnk8
8fTiv6NZtHgUOllMq7ymlV7ut+BPp20rjBdOCNn2Q7dNCKIkI45qkwHtXjzFXIxz
Gq3tLVeC54g7XZIc7X0S9avgAE7h9SuRYmsSzvLTtiP1obMCHB5ebQ==
-----END CERTIFICATE-----'

# Switch off the stock dd-wrt OpenVPN client so it does not start alongside this one
if [ "$(nvram get openvpncl_enable)" != "0" ]; then
  nvram set openvpncl_enable=0
  nvram commit
fi
sleep 10

mkdir -p /tmp/vpn; cd /tmp/vpn || exit 1
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt

# Run by OpenVPN once the tunnel is up: NAT everything out of tun0 and replace the
# FORWARD chain with a default-deny policy, so nothing is forwarded unless it goes
# through the tunnel (the kill switch). If openvpn dies, tun0 disappears and the
# DROP policy stops all forwarding except the exceptions listed here.
cat > route-up.sh <<'EOF'
#!/bin/sh
#ip route del default
#ip route add default via tun0
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
# delete the current iptables forwarding rules
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# --dport needs a protocol match (the original rule had none and iptables rejects it).
# These two rules let DNS out on any interface, including the WAN, so DNS is the
# one thing the kill switch does not cover.
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
# The destination of the next two rules (a host reached over the WAN, eth1,
# rather than the tunnel) is missing from the page as published.
ip route add via eth1
iptables -I FORWARD -d -j ACCEPT
EOF

cat > route-down.sh <<'EOF'
#!/bin/sh
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
EOF
chmod 644 ca.crt; chmod 600 userpass.conf; chmod 700 route-up.sh route-down.sh
sleep 10

# OpenVPN client configuration. The heredoc is unquoted so $PROTOCOL and
# $REMOTE_SERVERS expand.
cat > vpn.conf <<EOF
client
dev tun
proto $PROTOCOL
# remote us1.vpn.goldenfrog.com 1194
# tls-remote cz1.vpn.goldenfrog.com
tls-client
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/vpn/ca.crt
# cert /tmp/openvpncl/client.crt
# key /tmp/openvpncl/client.key
comp-lzo
#cipher AES256
# bf-cbc is Blowfish, a 64-bit block cipher, and is what the provider offered at
# the time; use an AES cipher wherever the server accepts it.
cipher bf-cbc
auth SHA1
verb 4
# ns-cert-type is deprecated in later OpenVPN releases in favour of
# "remote-cert-tls server"; either one stops a client cert being passed off as a server.
ns-cert-type server
auth-user-pass /tmp/vpn/userpass.conf
log-append /tmp/vpn/vpn.log
# status file, so the /tmp/status symlink below points at something
status /tmp/vpn/status 10
daemon
$REMOTE_SERVERS
EOF

ln -s /tmp/vpn/vpn.log /tmp/vpn.log
ln -s /tmp/vpn/status /tmp/status
(killall openvpn; openvpn --config /tmp/vpn/vpn.conf --route-up /tmp/vpn/route-up.sh --down /tmp/vpn/route-down.sh) &
exit 0
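A quick way to audit what the FORWARD chain installed by route-up.sh actually lets past the tunnel. This is an added example and not part of the original post; the rule set below is constructed to resemble what the script installs (203.0.113.10 is a documentation address standing in for the destination that is missing on the page), and the rule shape follows iptables-save output so the same function can be fed a live ruleset.

```shell
#!/bin/sh
# Constructed iptables-save style FORWARD chain resembling what route-up.sh installs.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -d 203.0.113.10/32 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Print every FORWARD ACCEPT rule that is neither bound to tun0 nor the
# ESTABLISHED,RELATED rule: each one is traffic the kill switch does not hold.
# On the router: iptables-save -t filter | forward_leaks
forward_leaks() {
    awk '$1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ && !/-o tun0/ && !/--state [A-Z,]*ESTABLISHED/'
}

# Succeeds only when the chain defaults to DROP; without that the exceptions
# above do not matter because everything else is forwarded anyway.
forward_policy_is_drop() {
    grep -q '^-P FORWARD DROP$'
}

# Number of leak rules in the constructed sample (the DNS rule and the -d rule).
sample_leak_count() {
    printf '%s\n' "$SAMPLE_FORWARD" | forward_leaks | wc -l | tr -d ' '
}
```

Run against the sample it reports two rules: the DNS exception, which sends resolver traffic over the WAN whenever the tunnel is down, and the fixed-destination rule. Whether those are acceptable is a policy choice, but they should be known exceptions rather than surprises.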

Sending error emails looks like this:

echo "There's a problem with the VPN connection.  Logs and net status are attached" | sendmail -S"" -u"" -p"" -f"" -F"dd-wrt" -s"DD-WRT VPN problem" -m"Uh Oh, looks like a problem for you to fix..." -a"/proc/net/dev" -a"/t

Backing up JCAPS repository

A quick script to back up the JCAPS repository and keep only a certain number of backups:

' Script to perform backups for the JCAPS environments and make sure that only the last 15 backups are kept
' (one backup per run; it is run through cron, so that is 15 days of backups).
' The repository password goes on the backup.bat command line in clear text, so keep
' this file's ACL tight and do not leave the real credentials in a world-readable copy.

' Set the maximum number of backups to keep
MaxBackups = 15

Set fso = CreateObject("Scripting.FileSystemObject")

' A disconnected recordset is used as an in-memory table so the files can be sorted by date
Set list = CreateObject("ADOR.Recordset")
list.Fields.Append "name", 200, 255   ' adVarChar, 255 chars
list.Fields.Append "date", 7          ' adDate
list.Open

' Get all of the files and their attributes
For Each f In fso.GetFolder("C:\JCAPSRepositoryBackup").Files
  list.AddNew
  list("name").Value = f.Path
  list("date").Value = f.DateLastModified
  list.Update
Next

' Sort the list, oldest first, and start at the first item
list.Sort = "date ASC"
If list.RecordCount > 0 Then list.MoveFirst

' Now, do the clean up: delete the oldest files until only MaxBackups remain
For i = 1 To list.RecordCount - MaxBackups
  fso.DeleteFile list("name").Value, True
  list.MoveNext
Next

' Now, do a repository backup (the new file takes the count back up to MaxBackups + 1 until the next run)
Set objShell = CreateObject("WScript.Shell")
command = "c:\JavaCAPS63\repository\repository\util\backup.bat #username# #password# c:\JCAPSRepositoryBackup\backup" & DatePart("yyyy", Now)&DatePart("m", Now)&DatePart("d", Now)&DatePart("h", Now)&DatePart("n", Now) & ".zip"
' Run hidden and wait for it to finish so cron sees the real exit of the backup
objShell.Run command, 0, True


Using Microsoft SQL Server to query Active Directory

This post documents how to query two Active Directory domains from SQL Server and populate a SQL table with the results. It is written as a stored procedure, which can then be scheduled to run at a user-defined interval.

The setup is that disabled accounts are created and moved around in the DOMAIN domain, and new accounts are created in a specific OU in the RCH domain. I’m interested in this movement and configuration, and as such I have limited some of the queries to active / inactive users and to specific OUs and resources.

Postfix and courier ldap auth failure

Migrating to a different mail server has created some headaches for my Postfix implementation. The problem, according to the logs, is:

root@lrrr:/var/run/courier# tail -f /var/log/mail.log
Jul 29 11:56:27 lrrr postfix/smtpd[17544]: warning: SASL authentication failure: cannot connect to Courier authdaemond: No such file or directory
Jul 29 11:56:27 lrrr postfix/smtpd[17544]: warning: SASL authentication failure: Password verification failed
Jul 29 11:56:27 lrrr postfix/smtpd[17544]: warning: unknown[]: SASL PLAIN authentication failed: generic failure
Jul 29 11:56:28 lrrr postfix/smtpd[17544]: warning: SASL authentication failure: cannot connect to Courier authdaemond: No such file or directory
Jul 29 11:56:28 lrrr postfix/smtpd[17544]: warning: unknown[]: SASL LOGIN authentication failed: generic failure

The problem, it appears, is that Postfix can’t reach outside its chroot: smtpd runs chrooted in /var/spool/postfix, so the path /var/run/courier/authdaemon/socket that the SASL plugin asks for is looked up underneath that directory, where it does not exist. The solution found for this case:

root@lrrr:/etc/postfix/sasl# /etc/init.d/courier-authdaemon stop
[ ok ] Stopping Courier authentication services: authdaemond.
root@lrrr:/etc/postfix/sasl# ls /var/run/courier/authdaemon/
pid       pid.lock  socket
root@lrrr:/etc/postfix/sasl# mv /var/run/courier/authdaemon/ /var/run/courier/authdaemon.20140729
root@lrrr:/etc/postfix/sasl# mkdir -p /var/spool/postfix/var/run/courier/authdaemon/
root@lrrr:/etc/postfix/sasl# ln -s /var/spool/postfix/var/run/courier/authdaemon/ /var/run/courier/authdaemon/
ln: target `/var/run/courier/authdaemon/' is not a directory: No such file or directory
root@lrrr:/etc/postfix/sasl# ln -s /var/spool/postfix/var/run/courier/authdaemon/ /var/run/courier/authdaemon
root@lrrr:/var/run/courier# ls -lah
total 8.0K
drwxrwxr-x  3 daemon daemon 160 Jul 29 15:23 .
drwxr-xr-x 27 root   root   960 Jul 29 11:29 ..
lrwxrwxrwx  1 root   root    46 Jul 29 15:23 authdaemon -> /var/spool/postfix/var/run/courier/authdaemon/
drwxr-x---  2 daemon daemon 100 Jul 29 11:59 authdaemon.20140729
-rw-r--r--  1 root   root     5 Jul 21 09:57 imapd.pid
-rw-------  1 root   root     0 Jul 21 09:57 imapd.pid.lock
-rw-------  1 daemon daemon   0 Jul 21 09:58 ldapaliasd.lock
-rw-r--r--  1 daemon daemon   5 Jul 21 09:58 ldapaliasd.pid
root@lrrr:/var/run/courier# /etc/init.d/courier-authdaemon start
[ ok ] Starting Courier authentication services: authdaemond.
root@lrrr:/var/run/courier# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
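The same relocation as a reusable script, with the check that explains the error up front: a chrooted daemon opens the chroot directory plus the path, so "No such file or directory" means the socket path does not exist under the chroot. This is an added example, not the session above; the chroot directory, the socket path and the backup suffix are arguments rather than fixed values, and in the test a plain file stands in for the real Unix socket.

```shell
#!/bin/sh
# Added example: reason about, and fix, a Courier authdaemon socket that sits
# outside Postfix's chroot. Assumed layout (passed in as arguments): Postfix
# chroots to /var/spool/postfix and smtpd.conf names the socket as
# /var/run/courier/authdaemon/socket.

# The path a chrooted daemon really opens: the chroot directory plus the path.
chrooted_path() {
    printf '%s%s\n' "${1%/}" "$2"
}

# Succeeds only if the socket path exists when looked up inside the chroot.
# This is exactly the lookup that failed with "cannot connect to Courier authdaemond".
# $1 chroot dir, $2 socket path as written in smtpd.conf
sasl_socket_reachable() {
    [ -e "$(chrooted_path "$1" "$2")" ]
}

# Move authdaemon's runtime directory into the chroot and leave a symlink at the
# old location for the non-chrooted Courier daemons (imapd, ldapaliasd, ...).
# The old directory is kept with a suffix so the change can be rolled back.
# $1 chroot dir, $2 runtime dir (e.g. /var/run/courier/authdaemon), $3 backup suffix
relocate_authdaemon_dir() {
    inner=$(chrooted_path "$1" "$2")
    mkdir -p "$inner" || return 1
    if [ -d "$2" ] && [ ! -L "$2" ]; then
        mv "$2" "$2.$3" || return 1
    fi
    # Link name without a trailing slash: with one, ln refuses as the session above shows.
    ln -sfn "$inner" "$2"
}

# After this, restart authdaemond so it creates the socket in the new directory,
# reload Postfix, and make sure the postfix user can reach the socket: the moved
# directory above is daemon:daemon mode 0750, so postfix must be in group daemon.
```

The session on the page does this by hand; the function just makes the two steps that matter explicit (the directory must exist inside the chroot, and the old path must still resolve for the daemons that are not chrooted). An equivalent fix without a symlink is to point `authdaemonvar` in /etc/courier/authdaemonrc at the directory inside the chroot, which is the approach the Debian packaging documents.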

SQL server authentication

This is a quick post on how to run SQL Server Management Studio as another domain user. This is because I am normally logged in as a lower-privileged account and require advanced rights to access our enterprise databases. This uses the good old runas command and requires you to put in a password to proceed. With /netonly the program itself still runs under your logged-in account; the supplied credentials are used only for network connections, so it is the SQL Server that sees the second account. That is also why it works for an account in a domain your workstation does not trust.
Create a shortcut on your machine and, in its properties, set the target to:

C:\Windows\System32\runas.exe /netonly /user:domain\bowdena-a "C:\Program Files\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe"
