The awesome stuff Thoughts, stories and ideas.

Running SoftEther VPN on SmartOS

An Open-Source Free Cross-platform Multi-protocol VPN Program.

Getting SoftEther running on SmartOS in a branded zone isn't that difficult, it's just a lot of work :)

Downloading and compiling

Import the Debian 8 image:

# imgadm import 445d04f4-cad6-11e5-a1a0-9f6c0ce02707

And create a nice lx branded zone:

{
  "brand": "lx",
  "image_uuid": "445d04f4-cad6-11e5-a1a0-9f6c0ce02707",
  "kernel_version": "3.13.0",
  "autoboot": true,
  "alias": "lxvpn",
  "hostname": "lxvpn",
  "dns_domain": "mindtravel.nl",
  "nics": [
    {
      "nic_tag": "admin",
      "ip": "192.168.1.123",
      "netmask": "255.255.255.0",
      "gateway": "192.168.1.1"
    }
  ],
  "resolvers": [
    "192.168.1.5"
  ],
  "max_physical_memory": 512,
  "quota": 10
}

Make sure to update the system:

# apt-get update

and install the basic toolchain needed to compile:

# apt-get install build-essential -y

SoftEther is not available as a .deb, so I downloaded the install package directly from the website using lynx:

# apt-get install lynx

Now browse to the download website, select the file softether-vpnserver-v4.18-9570-rtm-2015.07.26-linux-x64-64bit.tar.gz and press D to save it:

# lynx http://www.softether-download.com/files/softether/v4.18-9570-rtm-2015.07.26-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/

Unpack the file:

# tar zxfv softether-vpnserver-v4.18-9570-rtm-2015.07.26-linux-x64-64bit.tar.gz

Time to build the server code (press 1 a couple of times to accept the license prompts) and move it to a nice location:

# cd vpnserver
# make
# cd ..
# mv vpnserver /usr/local
# cd /usr/local/vpnserver/
# chmod 600 *
# chmod 700 vpnserver
# chmod 700 vpncmd

Create a nice service file:

# vi /etc/init.d/vpnserver

with the content:

#!/bin/sh
# chkconfig: 2345 99 01
# description: SoftEther VPN Server
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
# Debian does not ship /var/lock/subsys, so create it or the touch below fails
mkdir -p "$(dirname $LOCK)"
case "$1" in
  start)
    $DAEMON start
    touch $LOCK
    ;;
  stop)
    $DAEMON stop
    rm -f $LOCK
    ;;
  restart)
    $DAEMON stop
    sleep 3
    $DAEMON start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

Start the server and make it start on boot:

# chmod 755 /etc/init.d/vpnserver && /etc/init.d/vpnserver start
# update-rc.d vpnserver defaults

Configuring the server

Start the CLI client (vpncmd) and set the server administrator password:

# ./vpncmd
# then select option 1 (manage the VPN server)

And type:

ServerPasswordSet  

To use SoftEther we need to set up a virtual hub. I named it VPN.
Let's create the virtual hub, select it, enable SecureNAT and bridge it:

HubCreate VPN  
Hub VPN  
SecureNatEnable  
bridgecreate VPN /DEVICE:soft /TAP:yes  

The last command creates a tap device named after the /DEVICE argument and bridges the hub to it; that is how VPN clients reach the internal network.
Create a user called test and set a password:

UserCreate test  
UserPasswordSet test  

I use an OS X laptop to connect. For that you need to enable L2TP/IPsec with the following command:

IPsecEnable  

The command asks a few questions; just answer YES.
It also asks for a pre-shared key, which L2TP/IPsec clients use to connect when they are not authenticating with a certificate.

Make sure UDP ports 500 and 4500 are open to the server, and you're done and ready to connect to your VPN with the user test :D

Setting up your OS X client is very easy; just check this page.

date: 14 March 2016

Running StackStorm on SmartOS

StackStorm is a powerful automation tool that wires together all of your apps, services and workflows.

Running StackStorm on SmartOS in a branded zone was a bit more work than I expected, but in the end it's working like a charm :)

Basic installation

Import Ubuntu 14.04; I couldn't get Debian 8 to work (had problems with PostgreSQL) :(

# imgadm import 5cdc6dde-d6ad-11e5-8b11-8337e6f86725

And create a nice lx branded zone:

{
  "brand": "lx",
  "image_uuid": "5cdc6dde-d6ad-11e5-8b11-8337e6f86725",
  "kernel_version": "3.13.0",
  "autoboot": true,
  "alias": "lxstackstorm",
  "hostname": "lxstackstorm",
  "dns_domain": "mindtravel.nl",
  "nics": [
    {
      "nic_tag": "admin",
      "ip": "192.168.1.84",
      "netmask": "255.255.255.0",
      "gateway": "192.168.1.1"
    }
  ],
  "resolvers": [
    "192.168.1.5"
  ],
  "max_physical_memory": 4096,
  "quota": 20
}

Install the dependencies (and grab a coffee):

# apt-get update
# apt-get install -y apt-transport-https mongodb-server rabbitmq-server postgresql

Set up the repositories:

# wget -qO - https://bintray.com/user/downloadSubjectPublicKey?username=bintray | sudo apt-key add -
# echo "deb https://dl.bintray.com/stackstorm/trusty_staging stable main" | sudo tee /etc/apt/sources.list.d/st2-staging-stable.list
# apt-get update

Time to install the main packages (and grab more coffee):

# apt-get install -y st2 st2mistral

Configure the database:

## Create Mistral DB in PostgreSQL
# cat << EHD | sudo -u postgres psql
CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm';
CREATE DATABASE mistral OWNER mistral;
EHD

You can ignore the following errors; they only mean the postgres user cannot read root's current directory:

shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
could not identify current directory: Permission denied
could not identify current directory: Permission denied

Then create the Mistral tables and register the Mistral actions:

## Setup Mistral DB tables, etc.
# /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head
## Register mistral actions
# /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate

Again, ignore the warnings.

StackStorm uses a user called stanley to run commands on the host, so we need to create it, give it an SSH key and add it to sudo:

# useradd stanley
# mkdir -p /home/stanley/.ssh
# chmod 0700 /home/stanley/.ssh
# ssh-keygen -f /home/stanley/.ssh/stanley_rsa -P ""
# cat /home/stanley/.ssh/stanley_rsa.pub >> /home/stanley/.ssh/authorized_keys
# chmod 0600 /home/stanley/.ssh/authorized_keys
# chown -R stanley:stanley /home/stanley
# echo "stanley    ALL=(ALL)       NOPASSWD: SETENV: ALL" >> /etc/sudoers.d/st2

Time to start the StackStorm services, then reload and register all the packs:

# st2ctl start
# st2ctl reload --register-all

Set up a user

Time to create a user with a password:

# apt-get install -y apache2-utils
# echo "Ch@ngeMe" | htpasswd -i /etc/st2/htpasswd test

Edit /etc/st2/st2.conf and enable authentication:

[auth]
# ...
enabled = True

Frontend installation

By default the nginx frontend is not installed.
So we install nginx, create a self-signed certificate, remove the default server and replace it with the site config that ships with the StackStorm package:

# apt-get install -y st2web nginx
# mkdir -p /etc/ssl/st2
# openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt \
-days XXX -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information \
Technology/CN=$(hostname)"

# rm /etc/nginx/sites-enabled/default
# cp /usr/share/doc/st2/conf/nginx/st2.conf /etc/nginx/sites-available/
# ln -s /etc/nginx/sites-available/st2.conf /etc/nginx/sites-enabled/st2.conf
# service nginx restart

Installing and getting the Bot running

The StackStorm documentation runs hubot in a Docker container. Unfortunately the lx brand doesn't support Docker, but the bot is a plain Node.js project, so we will run it natively.

Let's make sure that StackStorm can handle hubot:

# st2 run packs.install packs=hubot
# st2ctl reload --register-rules

The Node.js part:

# apt-get install build-essential redis-server
# curl -sL https://deb.nodesource.com/setup_0.12 | sudo bash -
# apt-get install nodejs
# npm install -g hubot coffee-script yo generator-hubot

Time to create the bot itself:

# mkdir -p /opt/hubot
# chown stanley:stanley /opt/hubot
# sudo -H -u stanley bash -c 'cd /opt/hubot && echo "n" | yo hubot --name=stanley --description="Stanley StackStorm bot" --defaults'
# sudo -H -u stanley bash -c 'cd /opt/hubot && npm install hubot-slack hubot-stackstorm --save'
# sudo -H -u stanley sed -i 's/.*\[.*/&\n  "hubot-stackstorm",/' /opt/hubot/external-scripts.json

Create an upstart job to start the bot:

cat /etc/init/hubot.conf

# hubot - HUBOT
#
description "It's a Hubot!"

start on filesystem or runlevel [2345]
stop on runlevel [!2345]
respawn
respawn limit 5 60

script
  # Start Hubot
  exec /opt/hubot/start.sh
end script

and the start file (don't forget to chmod 755 it):

cat /opt/hubot/start.sh
#!/bin/bash

cd /opt/hubot
ST2_AUTH_USERNAME=testu ST2_AUTH_PASSWORD=Ch@ngeMe ST2_AUTH_URL=http://localhost:9100 \
HUBOT_SLACK_TOKEN="xoxb-16090510417-aslacktoken" PORT=8181 \
bin/hubot --name "stanley" --adapter slack --alias !

Start it with:

# service hubot start
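The start.sh above spells the StackStorm password and the Slack token out on the command line of a file every reader of /opt/hubot can open. As an added example (not code from the post or from StackStorm), here is a small POSIX sh helper that loads them from a separate mode 0600 env file and refuses a file that is group- or world-readable; the path /etc/hubot/env and the start_hubot wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: keep the hubot credentials in a
# separate env file (assumed path /etc/hubot/env, KEY=VALUE lines, mode 0600,
# owned by stanley) instead of inline in start.sh.

# owner_only FILE: succeed only if no group/other permission bits are set.
owner_only() {
  perm=$(ls -ld "$1" | cut -c5-10)   # the group and other rwx fields
  [ "$perm" = "------" ]
}

# load_hubot_env [FILE]: export every KEY=VALUE line from FILE.
# Returns 1 for a missing or over-permissive file, 2 if a variable that
# hubot-stackstorm or the slack adapter needs is still unset afterwards.
load_hubot_env() {
  f=${1:-/etc/hubot/env}
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  owner_only "$f" || { echo "$f must be mode 0600" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) ;;                          # skip blanks and comments
      [A-Za-z_]*=*) export "$line" ;;      # NAME=value, taken literally
      *) echo "ignoring malformed line in $f" >&2 ;;
    esac
  done < "$f"
  for v in ST2_AUTH_USERNAME ST2_AUTH_PASSWORD ST2_AUTH_URL HUBOT_SLACK_TOKEN; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v not set in $f" >&2; return 2; }
  done
}

# start_hubot [FILE]: what /opt/hubot/start.sh would call instead of
# spelling the secrets out on the command line.
start_hubot() {
  load_hubot_env "$1" || return $?
  cd /opt/hubot || return 1
  PORT=${PORT:-8181}; export PORT
  exec bin/hubot --name stanley --adapter slack --alias '!'
}
```

start.sh then reduces to sourcing this file and calling start_hubot, and the token lives only in the 0600 env file.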

In the future I will explain how to create a pack to use with the bot.

date: 24 February 2016
