March 2026
M	T	W	T	F	S	S
	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31

Archive for the ‘Internet’ Category

Some LCID links and notes

Posted by jpluimers on 2021/02/10

Document locations changed, so here are some links to newer and older documentation on LCID related things:

Delphi: a few short notes on LoadString and loading shell resource strings for specific LCIDs, for which I need to check which ones have suffered from link rot.
[WayBack] MAKELCID macro | Microsoft Docs:

Creates a locale identifier from a language identifier and a sort order identifier.
- Table: [WayBack] Locale Identifiers – Windows applications | Microsoft Docs with special values:
  - 0x007F [WayBack] LOCALE_INVARIANT – Windows applications | Microsoft Docs The locale used for operating system-level functions that require consistent and locale-independent results.
  - 0x0400 [WayBack] LOCALE_USER_DEFAULT – Windows applications | Microsoft Docs: The default locale for the user or process.
    - Delphi 2009 added support for it and names it VAR_LOCALE_USER_DEFAULT: [WayBack] VarUtils.VAR_LOCALE_USER_DEFAULT Constant
  - 0x0800 [WayBack] LOCALE_SYSTEM_DEFAULT – Windows applications | Microsoft Docs: The default locale for the operating system.
  - [WayBack] LOCALE_CUSTOM* Constants – Windows applications | Microsoft Docs
    - 0x0C00 LOCALE_CUSTOM_DEFAULT The default custom locale.
      - When an NLS function must return a locale identifier for a supplemental locale for the current user, the function returns this value instead of LOCALE_USER_DEFAULT.
    - 0x1000 LOCALE_CUSTOM_UNSPECIFIED An unspecified custom locale, used to identify all supplemental locales except the locale for the current user.
      - Supplemental locales cannot be distinguished from one another by their locale identifiers, but can be distinguished by their locale names. Certain NLS functions can return this constant to indicate that they cannot provide a useful identifier for a particular locale.
    - 0x1400 LOCALE_CUSTOM_UI_DEFAULT The default custom locale for MUI.
      - The user preferred UI languages and the system preferred UI languages can include at most a single language that is implemented by a Language Interface Pack (LIP) and for which the language identifier corresponds to a supplemental locale. If there is such a language in a list, the constant is used to refer to that language in certain contexts.
- List: [WayBack] Language Identifiers – Windows applications | Microsoft Docs
  The following are predefined language identifiers:
  - LANG_SYSTEM_DEFAULT. The operating system default language.
  - LANG_USER_DEFAULT. The language of the current user.
- Table: [WayBack] Language Identifier Constants and Strings – Windows applications | Microsoft Docs
- Table: [WayBack] [MS-LCID]: Windows Language Code Identifier (LCID) Reference | Microsoft Docs
- Table: [WayBack] Microsoft Locale ID Values | Microsoft Docs via [WayBack] Locale ID (LCID) Chart | Microsoft Docs
- Table: [WayBack] Sort Order Identifiers – Windows applications | Microsoft Docs
- Conversion macros and their documentation in [WayBack] moflow/ntdef.h at master · Cisco-Talos/moflow · GitHub:
```
//  A locale ID is a 32 bit value which is the combination of a
//  language ID, a sort ID, and a reserved area.  The bits are
//  allocated as follows:
//
//       +-------------+---------+-------------------------+
//       |   Reserved  | Sort ID |      Language ID        |
//       +-------------+---------+-------------------------+
//        31         20 19     16 15                      0   bit
//
//  WARNING: This pattern isn't always followed (es-ES_tradnl vs es-ES for example)
//
//  It is recommended that applications test for locale names or actual LCIDs.
//
//  Locale ID creation/extraction macros:
//
//    MAKELCID            - construct the locale id from a language id and a sort id.
//    MAKESORTLCID        - construct the locale id from a language id, sort id, and sort version.
//    LANGIDFROMLCID      - extract the language id from a locale id.
//    SORTIDFROMLCID      - extract the sort id from a locale id.
//    SORTVERSIONFROMLCID - extract the sort version from a locale id.
//
//  Note that the LANG, SUBLANG construction is not always consistent.
//  The named locale APIs (eg GetLocaleInfoEx) are recommended.
//
//  LCIDs do not exist for all locales.
```
- Equivalent C# translations of these marcos are in [WayBack] MediaPortal-2/DSHelper.cs at master · MediaPortal/MediaPortal-2 · GitHub.
Setting and restoring the default user language:
API calls:
Saving/restoring data between locales:
- [WayBack] Using Persistent Locale Data – Windows applications | Microsoft Docs
  Using Persistent Locale Data
  
  A globalized application often persists or transmits data, for example, time and date. When deciding how your application should handle data persistence, remember that data is not guaranteed to be the same from computer to computer or between runs of the application. This is true for both locales that ship with Windows and custom locales.
  
  Design of the application must take into account a variety of locale-related data changes that can occur. For example:
  - Currency symbols can change as countries adopt the Euro.
  - Regional preferences can change. For example, the format d/m/y might change to the format m/d/y for a particular locale.
  - The spelling of day names can change due to spelling reforms. Additionally, casing can change for month or day names.
  Use Locale-Independent Formats for Storage and Data Interchange
  
  An application that persists data should use locale-independent formats for storage and data interchange. Examples are hard-coded or standard formats; the invariant locale LOCALE_NAME_INVARIANT; and binary storage formats.
  
  If persistent sorting data is required, the application must use the CompareStringOrdinal function. Remember that an invariant format does not remain invariant for sorting, only for locale and calendar data.
  
  Use the User Default Locale for Data Presentation
  
  To present persistent data, it is best for the application to reformat the data using the user default locale. Use of this locale allows user overrides. For more information, see LOCALE_USER_DEFAULT.

56 Linux Networking commands and scripts

Posted by jpluimers on 2021/01/25

Back in 2019, there were 56 commands and scripts covered. I wonder how many there are now.

An ongoing list of Linux Networking Commands and Scripts. These commands and scripts can be used to configure or troubleshoot your Linux network.

Source: [WayBack] 55 Linux Networking commands and scripts

List back then (which goes beyond just built-in commands: many commands from optional packages are here as well):

arpwatch – Ethernet Activity Monitor.

bmon – bandwidth monitor and rate estimator.

bwm-ng – live network bandwidth monitor.

curl – transferring data with URLs. (or try httpie)

darkstat – captures network traffic, usage statistics.

dhclient – Dynamic Host Configuration Protocol Client

dig – query DNS servers for information.

dstat – replacement for vmstat, iostat, mpstat, netstat and ifstat.

ethtool – utility for controlling network drivers and hardware.

gated – gateway routing daemon.

host – DNS lookup utility.

hping – TCP/IP packet assembler/analyzer.

ibmonitor – shows bandwidth and total data transferred.

ifstat –  report network interfaces bandwidth.

iftop – display bandwidth usage.

ip (PDF file) – a command with more features that ifconfig (net-tools).

iperf3 – network bandwidth measurement tool. (above screenshot Stacklinux VPS)

iproute2 – collection of utilities for controlling TCP/IP.

iptables – take control of network traffic.

IPTraf – An IP Network Monitor.

iputils – set of small useful utilities for Linux networking.

jwhois (whois) – client for the whois service.

“lsof -i” – reveal information about your network sockets.

mtr – network diagnostic tool.

net-tools – utilities include: arp, hostname, ifconfig, netstat, rarp, route, plipconfig, slattach, mii-tool, iptunnel and ipmaddr.

ncat – improved re-implementation of the venerable netcat.

netcat – networking utility for reading/writing network connections.

nethogs – a small ‘net top’ tool.

Netperf – Network bandwidth Testing.

netsniff-ng – Swiss army knife for daily Linux network plumbing.

netstat – Print network connections, routing tables, statistics, etc.

netwatch – monitoring Network Connections.

ngrep – grep applied to the network layer.

nload – display network usage.

nmap – network discovery and security auditing.

nslookup – query Internet name servers interactively.

ping – send icmp echo_request to network hosts.

route – show / manipulate the IP routing table.

slurm – network load monitor.

snort – Network Intrusion Detection and Prevention System.

smokeping –  keeps track of your network latency.

socat – establishes two bidirectional byte streams and transfers data between them.

speedometer – Measure and display the rate of data across a network.

speedtest-cli – test internet bandwidth using speedtest.net

ss – utility to investigate sockets.

ssh –  secure system administration and file transfers over insecure networks.

tcpdump – command-line packet analyzer.

tcptrack – Displays information about tcp connections on a network interface.

telnet – user interface to the TELNET protocol.

tracepath – very similar function to traceroute.

traceroute – print the route packets trace to network host.

vnStat – network traffic monitor.

wget –  retrieving files using HTTP, HTTPS, FTP and FTPS.

Wireless Tools for Linux – includes iwconfig, iwlist, iwspy, iwpriv and ifrename.

Wireshark – network protocol analyzer.

Via:

–jeroen

Posted in *nix, *nix-tools, cURL, dig, Internet, nmap, Power User, SpeedTest, ssh/sshd, tcpdump, Wireshark | Leave a Comment »

Mike Cardwell’s Tech Blog: Twitter to RSS with Google Cloud Function – Grepular

Posted by jpluimers on 2020/12/03

Cool, on my list of things to tinker with: [WayBack] Twitter to RSS with Google Cloud Function – Grepular at Mike Cardwell’s Tech Blog

Source at [WayBack] Mike Cardwell / funcTwitter · GitLab, of which these are the most important bits:

Via [WayBack] Mike Cardwell on Twitter: “Twitter to RSS with Google Cloud Function”

–jeroen

Posted in Cloud Apps, Cloud Development, Development, Google, Google Cloud Function, Internet, Power User, RSS, SocialMedia, Software Development, Twitter | Leave a Comment »

Archiving Google Product Forums URLs

Posted by jpluimers on 2020/11/13

Archiving Google Product Forum URLs is a pain in the butt for a couple of reasons:

By default the URLs in your browser present themselves like productforums.google.com/forum/#!topic/chrome/rXamwvFGWXs, with a piece of JavaScript wizardry to show the actual content after the browser page initially displays
The search engine shows them like productforums.google.com/d/topic/chrome/rXamwvFGWXs, which The WayBack Machine on the Internet Archive cannot archive with web.archive.org/save/https://productforums.google.com/d/topic/chrome/rXamwvFGWXs because it mis-interprets [WayBack] productforums.google.com/robots.txt
Archive.is can save them with a URL like archive.is/?run=1&url=https://productforums.google.com/d/topic/chrome/rXamwvFGWXs

So the trick for saving is:

Get from the /forum/#!topic/ based URL to the /d/topic/ based one
Put it after the archive.is/?run=1&url=, then save

--jeroen

Posted in Conference Topics, Conferences, Event, Internet, InternetArchive, Power User, WayBack machine | Leave a Comment »

Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge !

Posted by jpluimers on 2020/11/04

Multi-WAN routing always involves marking incoming connections to the replies go out on the same connection: [WayBack] Mikrotik Remote Access via Multiple WAN Links | Syed Jahanzaib Personal Blog to Share Knowledge !

# Mirkotik IP Firewall Mangle Section

/ ip firewall mangle

# Mark traffic coming via WAN-1 link

add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_incoming_conn

# Mark traffic coming via WAN-2 link

add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_incoming_conn

# Mark traffic routing mark for above marked connection for WAN-1 , so that mikrotik will return traffic via same interface it came in

add chain=output connection-mark=WAN1_incoming_conn action=mark-routing new-routing-mark=to_WAN1

# Mark traffic routing mark for above marked connection for WAN-2, so that mikrotik will return traffic via same interface it came in

add chain=output connection-mark=WAN2_incoming_conn action=mark-routing new-routing-mark=to_WAN2

# Finally Add appropriate routes in ROUTE section

/ ip route

add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_WAN1 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=to_WAN2 check-gateway=ping

–jeroen

Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »

WordPress blog URLs using post-ID: Using Permalinks « WordPress Codex

Posted by jpluimers on 2020/10/23

[WayBack] Using Permalinks « WordPress Codex:

http://example.com/?p=N

So for instance https://wiert.me/?p=35558 points to Delphi version info table: C# Builder, Delphi 8 through 10.3 Rio and Appbuilder despite the actual URL not fully matching the title (because I do not like link rot): https://wiert.me/2016/09/06/delphi-version-info-table-need-help-with-these-projectversion-for-c-builder-delphi-2005-and-2006-dllsuffix-for-c-builder-appbuilder-1-13-codename/

–jeroen

Posted in link rot, Power User, SocialMedia, WordPress, WWW - the World Wide Web of information | Leave a Comment »

Some postfix notes

Posted by jpluimers on 2020/10/15

Postfix has documentation on primary MX and secondary MX, but not on tertiary MX.

If the primary MX is down, you have a series of secondary MX and tertiary MX that configured the same way, MX DNS priority for primary, the series of secondary MX and tertiary MX have increasing numbers, and the primary MX goes down, then senders can get “too many hops” as secondary and tertiary MX are looping.

I had a hard time finding a good and easy solution as these queries do not return many meaningful results:

“too many hops” “postfix” MX – Google Search

Here are some links that helped getting this solved:

[WayBack] Postfix Frequently Asked Questions: What does “Error: too many hops” mean?

Short answer: this message means that mail is probably looping. If you see this after you turned on Postfix content filtering, then you have made a mistake that causes mail to be filtered repeatedly. This is cured by appropriate use of content_filter=, header_checks=, and body_checks=.

Long answer: the message has too many Received: message headers. A received header is added whenever Postfix (or any MTA) receives a message. A large number of Received: message headers is an indication that mail is looping around.

Side comment: email uses the opposite of the technique that is used to avoid IP forwarding loops. With IP, the sender sets a TTL (time to live) field in the IP header. The field is decremented by each router. When the TTL reaches zero the packet is discarded and an ICMP error message is returned to the sender.
[WayBack] Error: too many hops (in reply to end of DATA command) · Issue #713 · mail-in-a-box/mailinabox · GitHub

In case you or anyone else was/is wondering about the mydestination = localhost thing, the reason it has to be set to just localhost is because MIAB uses Postfix’s “virtual domain hosting” (http://www.postfix.org/VIRTUAL_README.html) support. Per the documentation for mydestination at http://www.postfix.org/postconf.5.html#mydestination:

Do not specify the names of virtual domains – those domains are specified elsewhere. See VIRTUAL_README for more information.

(in the context of MIAB every domain is a virtual domain).

In my case a series of these:

Received: from mwgp.xs4all.nl (mwgp.xs4all.nl [80.101.239.92])
    by fiber24315337242.heldenvannu.net (Postfix) with ESMTP id 26395200FE
    for <jeroen@pluimers.com>; Fri, 29 Jun 2018 11:01:02 +0200 (CEST)
Received: from fiber24315337242.heldenvannu.net (unknown [37.153.243.246])
    by mwgp.xs4all.nl (Postfix) with ESMTP id 077A5E937
    for <jeroen@pluimers.com>; Fri, 29 Jun 2018 11:01:02 +0200 (CEST)

Specifying the transport will likely help me solve this problem:

postfix tell which mx host to use – Google Search

This all came down to editing /etc/postfix/transport adding lines for each relayed domain like this one:

example.org    smtp:[mx-a-record.example.org]

Lines like it direct to use the smtp transport and use a specific host (normally, the relay transport is being used).

After this:

# postmap /etc/postfix/transport # rcpostfix reload

I choose not to configure [WayBack] Postfix Configuration Parameters: relay_recipient_maps, but might if I had an automated way of replicating lists of valid (and invalid) users.

Another option was confirmed at [WayBack] Software-update: Postfix 3.4.0 / 3.3.3 / 3.2.8 / 3.1.11 / 3.0.15 – Computer – Downloads – Tweakers by [WayBack] menocchio. Thanks!

Dat is volgens mij eenvoudig op te lossen met relay_transport of transport_maps. Zie ook: Postfix transport table format.

Daarmee dwing je de secondary servers de mail altijd af te willen leveren bij de primary server (en dus niet bij een andere secondary). En als de primary niet online is, dan wacht ie netjes tot dat wel het geval is :-)

Bijvoorbeeld:
relay_transport = smtp:[primarymx.domain.tld]

Likely relevant: [WayBack] The Book of Postfix

Maybe relevant in the future:

postfix limit relay to hosts – Google Search
[WayBack] debian – Remote Postfix server for email relaying multiple domains – Server Fault
[WayBack] mysql – Postfix — mail forwarding loop – Server Fault
[WayBack] How can I get postfix to send mail to different relay hosts? – Server Fault
Source: postfix secondary – Google Search
[WayBack] MX Backup – Postfix Email Server | samhobbs.co.uk
Source: “loops back to myself” postfix mx – Google Search
- On using mydestination
[WayBack] Postfix Basic Configuration: relay_domains and relayhost
- [WayBack] Postfix Configuration Parameters: relay_domains
- [WayBack] Postfix Configuration Parameters: relayhost which information is overruled with relay_transport, sender_dependent_default_transport_maps, default_transport, sender_dependent_relayhost_maps and with the transport(5)
  - [WayBack] Postfix manual – transport(5)
[WayBack] Postfix Small/Home Office Hints and Tips
[WayBack] Postfix Standard Configuration Examples
- especialy [WayBack] Postfix Standard Configuration Examples: Postfix email firewall/gateway
- but basically all of it:
  The first part of this document presents standard configurations that each solve one specific problem.
  The second part of this document presents additional configurations for hosts in specific environments.
“postfix” “tertiary mx” – Google Search and “postfix” “relayhost” “tertiary mx” – Google Search
- [WayBack] How to configure Postfix relayhost (smarthost) to send eMail using an external smptd – nixCraft
- [WayBack] Postfix: Backup MX | SecOPS / SysOp blog which makes me need to research if these are still relevant:
  - [WayBack] Postfix Configuration Parameters: permit_mx_backup_networks
  - [WayBack] Postfix Configuration Parameters: permit_mx_backup
- ___

Found on my hunt for the above:

[WayBack] postfix secondary mx relay only to primary mx – Google Search
- [WayBack] smtp – What’s wrong here? Postfix secondary MX relay with redirection of specific email addresses – Server Fault
[WayBack] postfix relay bounce – Google Search
- [WayBack] [SOLVED] postfix ‘status=bounced’ unable to send email to a domain
  - [WayBack] Postfix Transport Maps – Diverting Mail Traffic | nooblet.org
    
    Create a file named transport in /etc/postfix and add the following text,
    
    gmail.com smtp:smtp.yourisp.com:25
    googlemail.com smtp:smtp.yourisp.com:25
    
    Remember to swap “smtp.yourisp.com” for the address of your ISP’s smtp relay server.
    
    Now we need to compile this file using the postmap command,
    
    postmap /etc/postfix/transport
    
    Edit /etc/postfix/main.cf and add this line at the bottom,
    
    transport_maps = hash:/etc/postfix/transport
    
    Restart postfix and you should find all mail addressed to @gmail.com or @googlemail.com will be redirected to your smtp relay.
- [WayBack] Postfix Performance Tuning: Tuning the number of simultaneous deliveries
- [WayBack] Postfix Configuration Parameters: fallback_relay fallback_relay (default: empty)
  
  Optional list of relay hosts for SMTP destinations that can’t be found or that are unreachable. With Postfix 2.3 this parameter is renamed to smtp_fallback_relay.
- [WayBack] Postfix Configuration Parameters: smtp_fallback_relay smtp_fallback_relay (default: $fallback_relay)
  
  Optional list of relay hosts for SMTP destinations that can’t be found or that are unreachable. With Postfix 2.2 and earlier this parameter is called fallback_relay.

Try not to make typo’s: [WayBack] postfix appears not finding MX records or host names from DNS

Interesting thought, but not sure how smart SPAM bots are now: [Archive.is] Spam relaying through secondary MX… – Google Groups

To archive this:

Rename from
- https://groups.google.com/forum/#!topic/list.postfix.users/swiNHnRnmUI
To
- https://groups.google.com/d/topic/list.postfix.users/swiNHnRnmUI
Then save in Archive.is

–jeroen

Posted in *nix, Communications Development, Development, DevOps, DNS, etckeeper, Infrastructure, Internet, Internet protocol suite, Linux, Power User, SMTP | Leave a Comment »

pfSense OpenVPN server configuration steps

Posted by jpluimers on 2020/09/28

Saving an initial configuration without changing anything gives these errors:

Self signed certificate

If you are OK with self-signed certificates, then the first is solved by using this as the Server certificate:

Certificate authority

The second needs an additional step: you have to select or create a certificate authority first at hostname/system_camanager.php?act=new where hostname is the hostname or IP address of your pfSense configuration.

This order is actually explained in [WayBack] OpenVPN – The Open Source VPN: HOWTO and [WayBack] OpenVPN Configuration (pfSense) – ELITS, but I like stronger security.

For the Internal Certificate Authority (CA), use at least these settings:

“Key length (bits)” at least 2048 bits, but I prefer 3072 bits (to be safe after about 2030) as per
- Key size: Asymmetric algorithm key lengths – Wikipedia via
- Let’s Encrypt supports it for local certificates, but are more flexible for their CA as you have to renew at least every 90 days; Support for >4096 bit keys – Feature Requests – Let’s Encrypt Community Support
“Digest Algorithm” at least sha256, but I prefer sha512 as it will be safe for a longer period of time.
“Lifetime” by default is 3650 (10 years); can you keep your VM safe for that long? If longer, you can increase the lifetime, but also have to ensure you take large enough values for the Key length and Digest Algorithm.

You can view the possible settings in [WayBack] pfsense/system_camanager.php at master · pfsense/pfsense · GitHub.

Straightforward parameters

Use a TLS Key
- Enabled
TLS Key
- Generated by OpenVPN
TLS Key Usage Mode
- TLS Authentication
Peer Certificate Authority
- Name of your pfSense device
Peer Certificate Revocation list
- N/A: handled in System -> Certification Manager
Use a TLS Key
- Enabled
Use a TLS Key
- Enabled
ECDH Curve
- Use Default (as we do not use Elliptic Curve)
Hardware Crypto
- If the RDRAND instruction is available, this choice allows to use it. I think OpenVPN (via OpenSSL) on BSD uses this in a similar way as Linux: i.e. not as the only source for randomness. See [WayBack] Torvalds shoots down call to yank ‘backdoored’ Intel RdRand in Linux crypto • The Register
- You can check if RDRAND is available in OpenSSL using the /usr/bin/openssl engine -t -c command:
  
  Via: [WayBack] Are cryptographic accelerators supported – pfSense Documentation

Further encryption hardening

DH Parameter Length
- One problem here is that pfSense ships with pre-generated Diffie Helman (DH) parameters:
  
  This means they can potentially be re-used as an attack-vector, so you need to manually re-generate them as per [WayBack] DH Parameters – pfSense Documentation by using /usr/bin/openssl dhparam
  
  In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools and rebooting.
  
  This can take quite some time as it depends on /dev/random as a pure random number source, which will wait if there is not enough initial entropy available yet (see [WayBack] prng – differences between random and urandom – Stack Overflow).
  
  In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools and rebooting.
  
  On a single-coreIntel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz, the timings of these
  
  /usr/bin/openssl dhparam -out /etc/dh-parameters.1024 1024 /usr/bin/openssl dhparam -out /etc/dh-parameters.2048 2048 /usr/bin/openssl dhparam -out /etc/dh-parameters.4096 4096
  
  using the [WayBack] FreeBSD Manual Pages: time command are (each measured twice):
  - ~4.5 seconds for 1024 bits:
  - ~23 seconds for 2048 bits:
  - ~150 seconds for 4096 bits:
  - You see that even within the same length, the duration varies highly.
- Given you already burned those CPU cycles, choose the largest one: 4096
Encryption Algorithm
- This comes down into selecting a algorithm-length-mode combination, so
  - There are three parts in the choice
    - Algorithm: in my configuration, I could choose between algorithms based on AES, CAMELLIA, CAST5, DES, DESX, IDEA, RC2 and SEED.
      - IDEA, DES, RC2, …. are considered insecure (see the above links).
      - DESX is considered insecure if you know enough plain-texts.
      - Triple-DES (of which DES-EDE3 is is a mode) slow and only used for compatibility with legacy applications, see [WayBack] block cipher – Modes of Triple DES – When to use each? – Cryptography Stack Exchange
      - SEED is hardly used outside South Korea.
      - AES, CAMELLIA and CAST5 are considered very strong, with Intel and AMD processors having CPU support for AES**, so I prefer AES.
    - Length: AES has these parameters of which I choose the largest ones:
      - Key sizes128, 192 or 256 bits^[1]
        Block sizes128 bits^[2]
    - Mode: There are so many three-letter-acronym encryption modes that this area is very confusing.
      [WayBack] How to choose an AES encryption mode (CBC ECB CTR OCB CFB)? – Stack Overflow helps a lot. [WayBack] php – Is there any difference between aes-128-cbc and aes-128 encryption? – Stack Overflow does not.
      From what I have read so far, GCM (Galois/Counter Mode) is the best mode at the time of writing, but by the time you read this, ensure you find a post containing all the TLA in the presented list.
  - All in all, I end up at AES-256-GCM (256 bit key, 128 bit block)
    - Note this is supposed to be the OpenVPN 2.4 default ([WayBack] Authentication Algorithm and Encryption Cipher Algorithm · Issue #276 · kylemanna/docker-openvpn · GitHub), but at 2.4.3 it is AES-128-GCM.
Enable NCP(Negotiable Cryptographic Parameters)
- I enabled this, because I consider the ones below safe enough. If you just want to go for one algorithm, then disable this.
NCP Algorithms
- See the previous one; only list the algorithm-length-mode combinations that you want to allow.. Since I am on AES, prefer GCM, and all key sizes are considered safe, my list is the one on the right:
  
  This is in decreasing order of secureness:
  - AES-256-GCM
  - AES-192-GCM
  - AES-128-GCM
Auth digest algorithm
- Starting from scratch (when you have to configure clients), SHA512 (which I use) or SHA256 is fine. Do not use SHA1 unless you need backward compatibility with pre 2.4 OpenVPN installations or pre-configured clients. See [WayBack] How safe to change default SHA1 to other encryption algorithm?
Certificate depth
- For now it is 1 (as it is self-signed)
- In the future I will experiment with proper (hopefully Let’s Encrypt) signed certificates. I am not yet sure if that might need a larger depth.

Other settings

All networks are in CIDR notation, like 192.168.3.0/24.

IPv4 Tunnel network
- Choose from Private network: Private IPv4 address spaces – Wikipedia.
  I usually pick 172.x.y.0 networks as they are far less used than 192.168.x.0 and 10.x.y.0 networks. Note that some networks starting with 172 are in public use, so limit yourself to 172.16.0.0 – 172.31.255.255.
IPv6 Tunnel network
- I still need to implement IPv6 in full, so that is empty for now.
IPv4 Local networks
- These are my local networks. Still need to test how well routing works, but given the default gateway knows about them too, I do not suspect problems.
IPv4 Remote networks
- Empty as I do not use site-to-site VPN yet.
IPv4 Remote networks
- I still need to implement IPv6 in full, so that is empty for now.
Concurrent connections
- Still need to measure performance, so empty for now.
Compression
- I kept the default “Omit Preference (Use OpenVPN Default)”.
- I might choose compression lz4 or compression lz4-v2 in the future.
Push compression
- Kept to unchecked: I dislike other VPN connections to push settings to me, so I do not want to push settings to others.
Type-of-Service
- Kept to unchecked, although I might opt for checked later on: need to do some testing first.
Inter-client communication
- Kept to unchecked: I do not want clients to talk to each other in this particular network, though I might for some specific OpenVPN setup
Duplicate Connection
- Kept to unchecked
Dynamic IP
- I have enabled this as I expect clients to switch IP addresses because of switching between networks
[WayBack] Topology: choose subnet (use net30 only for old 2.0.9 client compatibility on Windows; use p2p if you only have non-Windows clients)

Advanced client options
- All defaults, as currently I do not run an internal DNS, but those will probably change in the future:
  - DNS Default Domain
  - DNS Server enable
  - DNS Server 1..4
  - Force DNS Cache Update

Custom options
- None, but I will need to do some deeper reading on the possibilities here
UDP Fast I/O
- Disabled as experimental
Send/Receive Buffer
- Default, although I might increase this if speed is too slow.
Gateway creation
- I choose the default Both
Verbosity level
- Default

Enabling AES

Even if the underlying Intel/AMD processor supports AES, it is not enabled by default in pfSense as per web UI home page:

Intel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz
AES-NI CPU Crypto: Yes (inactive)

I was quite surprised, but then remembered that enabling RDRAND in the OpenVPN settings was also non-default and dug a bit deeper into ….

There I found you have to go to the System menu, choose Advanced, then the Miscellaneous tab:

From there, browse down (or search for Hardware) to “Cryptographic & Thermal Hardware”, then enable the CPU based accelleration:

After pressing the Save button at the bottom, you are done:

AES-NI CPU Crypto: Yes (active)

I got this via [WayBack] AES-IN Inactive?, which also mentions this:

AES-NI loads aesni.ko

BSD Crypto loads cryptodev.ko

AES-NI and BSD Crypto loads both

Note that AES – as of FreeBSD-10 – AES-NI and other hardware implementations are only indirectly incorporated into /dev/random. The Linux kernel already did this in an indirect way. I think that is a good idea as when multiple entropy sources are merged together, it makes it much harder to influence to total entropy. FreeBSD implemented this using the Yarrow algorithm – Wikipedia and now has moved to a successor, the Fortuna (PRNG) – Wikipedia.

More background information:

padlock ACE support

Note there is a message about ACE support on the console and in the boot log that is related to AES:

padlock0: No ACE support.
aesni0: <AES-CBC, AES-XTS, AES-GCM, AES-ICM> on motherboard

The cause is that in the past, VIA PadLock Advanced Cryptography Engine (ACE) in the mid 2000s introduced encryption acceleration (see [WayBack] VIA PadLock support for Linux) a few years before AES-NI, so ACE is incompatible with AES-NI. AES-NI is now much more widespread than ACE, even the wikipedia VIA page padlock information has been removed.

An odd thing: unlike AES-NI which needs to be specifically enabled, VIA Padlock is always enabled, see

OpenVPN Client Export Package

Ensure you install the (optional, but highly recommended) [WayBack] OpenVPN Client Export Package:

Allows a pre-configured OpenVPN Windows Client or Mac OS X’s Viscosity configuration bundle to be exported directly from pfSense.

These config files work with Tunnelblick as well, which is a great free and open source OpenVPN tool on Mac OS X / MacOS:

Creating and exporting users

I have yet to cover these two; for now read [WayBack] How to setup OpenVPN on pFSense? | IT Blog and [WayBack] OpenVPN Remote Access Server – pfSense Documentation.

During pfSense boot: syslogd “operation not supported by device” messages

Posted by jpluimers on 2020/09/25

If during a pfSense reboot you get one or more messages from syslog about “operation not supported by device” on various log files, then they are likely corrupt.

I had this when a pfSense 2.4.x RELEASE version VM was accidentally power-cycled during initial setup.

A side effect was that no logs showed in the web UI either, nor would clog on any file in the /var/log directory.

The solution was to choose option 8 (Shell), then in the /var/log directory, remove all files with extension .log, then reboot.

Now the messages were gone and the web UI showed logs. clog /var/log/system.log showed content as well.

Solution based on these posts:

[WayBack] [SOLVED] pfSense SG-1000 lan-interface missing IP with snapshot 20171007
[WayBack] pfsense on Hyper-v 2016 no system logs. (Resolved)
[WayBack] Bug #4768: Operation not supported by device – pfSense – pfSense bugtracker (a simple reboot did NOT resolve the issue)
[WayBack] Bug #7919: Logging not working – pfSense – pfSense bugtracker

–jeroen

Posted in Internet, pfSense, Power User, routers | Leave a Comment »

Some more interesting OpenWrt capable routers/ATAs

Posted by jpluimers on 2020/08/24

Interesting devices running OpenWrt:

–jeroen

Posted in Internet, Power User, routers | Leave a Comment »

« Previous Entries

Next Entries »

	Attila Kovacs on Crowbarring Windows 95 into Wi…
	Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N…
	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…
	Thaddy de Koning on Formulier voor bewindvoerders…

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Internet’ Category

Using Persistent Locale Data

Use Locale-Independent Formats for Storage and Data Interchange

Use the User Default Locale for Data Presentation

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Self signed certificate

Certificate authority

Straightforward parameters

Further encryption hardening

Other settings

Enabling AES

padlock ACE support

OpenVPN Client Export Package

Creating and exporting users

Further reading

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this: