Archive for the ‘VPN’ Category
Posted by jpluimers on 2019/01/16
With the advent of WebSockets, it looks like TCP tunnels over HTTP/HTTPS are gaining more ground and I need to put some research time in them.
Some old to new links:
CONNECT requests are not supported by many HTTP proxies, especially in larger organisations, so chisel and crowbar have a much bigger chance there.
And of course there is SoftEtherVPN/SoftEtherVPN: A Free Cross-platform Multi-protocol VPN Software. * For support, troubleshooting and feature requests we have http://www.vpnusers.com/. For critical vulnerability please email us. (mail address is on the header.).
However, that is a VPN solution which is much broader than just a single TCP tunnel. You can so similar things with OpenVPN, but over HTTP/HTTPS, also requires CONNECT:
SoftEtherVPN seems to be more versatile though. I blogged about that before, but back then didn’t have needs for it yet. VPN over HTTPS: Ultimate Powerful VPN Connectivity – SoftEther VPN Project.
–jeroen
via: [WayBack] VPN through only http – Server Fault answer by [WayBack] neutrinus
Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Network-and-equipment, OpenVPN, Power User, TCP, VPN, WebSockets, Windows-Http-Proxy | Leave a Comment »
Posted by jpluimers on 2018/07/13
People are (rightfully) freaking out about their privacy as the Senate voted to let internet providers share your private data with advertisers. While it’s important to protect your privacy,…
Interesting: easy setup allows for creating disposable VPN servers.
–jeroen
Posted in *nix, IPSec, Network-and-equipment, Power User, VPN | Leave a Comment »
Posted by jpluimers on 2017/08/07
sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.
Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port.
Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.
sslh supports IPv6, privilege dropping, transparent proxying, and more.
Interesting…
–jeroen
Posted in *nix, https, Linux, OpenSSL, OpenVPN, Power User, Security | Leave a Comment »
Posted by jpluimers on 2017/07/04
Just found out about these interesting links I had loved to use years ago, but alas, now I know (:
It looks similar to SSL VPN sometimes also called WebVPN:
Then there are non-VPN tunnels through WebSockets:
Since WebSockets can run over a proxy server you could route any kind of binary traffic through them even in places that disallow non-web protocols or layer-7 inspect https traffic.
Although ops might restrict stuff even further:
–jeroen
Posted in Internet, Network-and-equipment, Power User, VPN | Leave a Comment »
Posted by jpluimers on 2017/06/23
For my blog archive as I already shared it on G+
[WayBack] With so many vulnerabilities out there, here is how to find out of if a fixed is applied to vulnerabilities on Debian/Ubuntu Linux using CVE. – Jeroen Wiert Pluimers – Google+
[WayBack] Debian/Ubuntu Linux: Find If Installed APT Package Includes a Fix/Patch Via CVE Number – nixCraft
Explains how to view the changelog of an installed package on a Debian or Ubuntu Linux server to find out if a fix/patch applied via CVE number.
Hans Wolters:
And find all packages that belong to one cve :-)
zgrep -i cve /usr/share/doc/*/changelog.Debian.gz|grep 1000364
–jeroen
Posted in OpenVPN, Power User, Security | Leave a Comment »
Posted by jpluimers on 2017/06/06
The WAN sides of my Mikrotik CCR1009 are partly behind Fritz!Box routers that do NAT and contain a truckload of port-forwards.
A while ago, I wanted the CCR1009 to do PPTP as Fritz!Box 7360 and 7490: static routes over VPN don’t work (so I could only VPN to the WAN side of the CCR1009). However, it would not pass through the Fritz!Box from the outside.
It appears you need to forward both:
Maybe one day I will ditch the Fritz!Box 7490 and directly hookup the Mikrotik to the NTU: xs4all ftth en Mikrotik router – Google Groups.
But preferably I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)
–jeroen
via: VPNs einrichten mit PPTP – administrator.de: Achtung mit PPTP VPN Servern hinter NAT Firewalls !
Forward both PPTP TCP port 1723 and the GRE protocol
Posted in Fritz!, Fritz!Box, Fritz!WLAN, Internet, IPSec, MikroTik, Network-and-equipment, Power User, PPTP, routers, VPN | Leave a Comment »
Posted by jpluimers on 2017/04/25
MikroTik has great hardware, but getting things to work can be a bit ehm intimidating.
So here are some links that were useful getting my CCR1009 and CRS226 configurations to do what I wanted.
- Saving your configuration (two possibilities: binary backup file which only works on the same physical model device, or text based configuration export script that you can import back to any model).
- Choosing ports for WAN and LAN
- Never ever use the domain named .local for your local domain if you have Apple devices in your network:
- Many people like Winbox because they prefer visual configuration. Others like the web or terminal interface better (the terminal is especially useful for scripts)
- Manual:First time startup – MikroTik Wiki (default password for admin is empty; WinBox and web-interface are available on WAN *and* LAN interfaces!)
- One of the first things I did was binding some ports to use LAN and others to use WAN. The LAN ports are in a bridge: Configure one port for WAN and others for LAN – MikroTik RouterOS
- Manual:IP/DHCP Server – MikroTik Wiki and Manual:IP/Pools – MikroTik Wiki
- I had a lot of DHCP entries on my LAN before switching to the MikroTik for which some I wanted to add statically. Couldn’t find out how to do that in the IP pool, but it appeared there is a different way to do it:
- Assign fixed / static IP address via Mikrotik DHCP server
- Notes:
- the MAC address cab be either (:) separated or minus (-) separated. And yes: there is a RegEx for that.
- usually you don’t pass the client-id (it’s here just as an example that you could use it, but most DHCP clients do NOT use a client-ID, as they only use the MAC address)
/ip dhcp-server lease add address=192.168.100.10 mac-address=70:F1:A1:D1:49:49 client-id="client10"
- Manual:IP/DNS – MikroTik Wiki
- If you use the MikroTik as a caching DNS server, then you need to enable “/ip dns set allow-remote-requests=yes”, but also immediately disable DNS TCP and UDP on all your WAN ports. See:
- nslookup on the Mikrotik itself is called
put[: resolv ...] syntax: nslookup on Mikrotik – MikroTik RouterOS
- Examples (first uses the internal DNS, second one one of the Google DNS servers):
put [:resolve shell.xs4all.nl]put [:resolve shell.xs4all.nl 8.8.8.8]put [:resolve 194.109.21.9]
- tolaris.com · Synchronising DHCP and DNS on Mikrotik routers (script available on Github: Tolaris/mikrotik-dns-dhcp).
- Hardening (since my Guest WiFi is outside of the Mikrotik LAN and WAN realm, I’ve left some things open, for instance MAC service is available, but on a limit set of interfaces):
- Manual:Upgrading RouterOS – MikroTik Wiki
- Manual:IP/Route – MikroTik Wiki (if you think routing is a massive topic, read about firewall rules).
- Not sure this is a good idea, but you can get a DDNS address in the sn.mynetname.net domain and VPN to it (for instance using PPTP): Quick Set Home AP — How to use vpn provided? – MikroTik RouterOS
- You need to setup both the clock (date/time) and SNTP in one step:
- Setup SNTP (Winbox) aka NTP (shell):
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
After a few seconds the Winbox will update the SNTP Client dialog and a few seconds later, the Clock dialog will also update itself.
- Manual:IP/Firewall/NAT – MikroTik Wiki
- I like these ones as they use Winbox:
- Sharing Ideas … Mikrotik with Kannel/playSMS
- Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS
- Graphing: ensure you only limit this to IP-addresses that you want graphs to be visible on (0.0.0.0/0 makes it visible to ALL): Manual:Tools/Graphing – MikroTik Wiki
- DNS – MikroTik RouterOS: I would like to have my router to stop all the DNS coming from my clients and not reaching my ISP provider.
- Email sending can now also use the DNS-name of the SMTP server: Why does the email server configuration only allow IP-addresses? – MikroTik RouterOS
- Dynamic DNS Update Script for No-IP DNS for Router OS V.6.7 – MikroTik RouterOS
- Script for Ransomware Tracker by abuse.ch. Tracking Ransomware Infrastructure around the globe. Source: How I fight ransomware (crypto viruses) with Mikrotik – MikroTik RouterOS
/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=increment:1
very simple solution for a traceroute to Hide ip address – MikroTik RouterOS- Using staged address list to perform Bruteforce login prevention – MikroTik Wiki
Very advanced stuff:
- VPN
- VLAN
- DNS Conditional forwarders with Mikrotik RouterOS | Dale Macartney
- Pointing Mikrotik RouterOS hardware logging to a remote Syslog server | Dale Macartney
- trying to setup CRS226-24G-2S+IN, could use some help : mikrotik
- Video: VLANs using the Switching chips do not take the brdige penalty when you can do switching
- Be carful with CRS226 and SFP+ link aggregation
- Vlans on Mikrotik environment – MikroTik Wiki
- Block traffic like WhatsApp.
- API Links – MikroTik RouterOS (in various language, for which I’m most interested in C#, Delphi, Perl and Python.
- Routing from mikrotik two IP addresses to same gateway – Server Fault
- RouterOS – public subnet routed and NAT-ed to internal clients – MikroTik RouterOS
- Known issues and bugs – a list – MikroTik RouterOS
- Tutorials blogs and other helpful RouterOS resources – MikroTik RouterOS
- ethernet ports overrunning – default interface queue (only-hardware-queue) not working well – MikroTik RouterOS
- MAC-Ping is described in Manual:Tools/Ping – MikroTik Wiki but *only* works for MikroTik devices having MAC-Ping Server enabled.
- How to auto-reboot if remote IP down for 5 minutes – MikroTik RouterOS
- ping, traceroute, log files, torch, sniffer, bandwidth tester, profile: Manual:Troubleshooting tools – MikroTik Wiki
- majbthrd/miksms: controlling external devices with Mikrotik RouterOS
- Howto Recover Mikrotik ADMIN account Forgotten Password | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik script to change PUBLIC ip from available pool | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik Firewall / Short Notes + Scripts | Syed Jahanzaib Personal Blog to Share Knowledge !
- SIP Poblem with Mikrotik | Syed Jahanzaib Personal Blog to Share Knowledge !
- VPN/PPTP Static Routes Loose gateway when client reconnects | Syed Jahanzaib Personal Blog to Share Knowledge !
Packet flow (maybe the toughest part to wrap your head around):
Scripts:
Load balancing:
Syntax highlighting:
Pictures
Very well written blog:
Manito Network’s Mikrotik solutions blog. In-depth articles on Mikrotik routing, security, best practices, VPN, and more.
Source: Mikrotik — Manito Networks
Solutions for RouterOS-based Mikrotik networks. Includes security and best practices, VPN, routing, switching, and more.
Source: Mikrotik-1 — Manito Networks
–jeroen
Posted in DNS, Internet, IPSec, MikroTik, Network-and-equipment, OpenVPN, Power User, PPTP, routers, VPN | Leave a Comment »
Posted by jpluimers on 2016/12/05
Time after time issues pop up related to MAC addresses that start with a4 or a 6.
[WayBack] nanog: Forwarding issues related to MACs starting with a 4 or a 6 (Was: [c-nsp] Wierd MPLS/VPLS issue)
The underlying issue has to do with switches interpreting too much information of (un)encrypted traffic and dropping them because they wrongly think it’s plain ethernet traffic they need to handle.
MAC addresses starting with a 4 or 6 have have a common bit pattern (likekly that fails with 12 and 14 as well) that cause failure in certain network equipment that’s hard to trace as there is limited.
[WayBack] Christian Vogel – Google+ (Physics, Electronics, Software) explains this way better at [WayBack] When your MAC address starts with 4 or 6, weird things can happen and it’s not always fixable… – Kristian Köhntopp – Google+:
Read the rest of this entry »
Posted in Internet, Network-and-equipment, Power User, routers, VPN | Leave a Comment »
Posted by jpluimers on 2016/07/18
Windows has the built-in ability to function as VPN server, although this option is hidden. This trick works on both Windows 7 and Windows 8. The server uses the point-to-point tunneling protocol (PPTP.)
Source: How to Create a VPN Server on Your Windows Computer Without Installing Any Software
One day this might come in handy though I need to investigate a bit more on PPTP security issues first: might need to go for L2TP/IPsec instead.
Later: indeed, I should follow Don’t use PPTP, and don’t use IPSEC-PSK either (via: CloudCracker blog)
–jeroen
Posted in IPSec, Network-and-equipment, Power User, PPTP, VPN, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1 | 1 Comment »
Posted by jpluimers on 2016/03/28
Basically there are two opinions on Netflix and blocking:
- TL;DR: People use VPNs for security, Netflix fucks them up, they hate Netflix for that and just torrent that shit.
- tl;dr If you have issues with Netflix on public Wifi, contact the provider and forward tr@netflix.com to them so they can settle issues.
I’m not a netflix user (or user of any form of DRM) as I really dislike the fact that DRM means for any reason your license can be ended. I’ve seen too many players going out of business or taking decisions turning.
So I buy CDs, DVDs, BlueRays or DRM-free media files. Now it’s my problem of making proper back-ups to ensure future access to them (:
The DRM walls and ladders war^w game has gone so far that in this case, Netflix is blocking even though the WiFi provider / proxy / VPN is in the same country like the below imgur image:
Read the rest of this entry »
Posted in Cloud, Infrastructure, Netflix, Network-and-equipment, Power User, VPN | Leave a Comment »
The Wiert Corner - irregular stream of stuff 