Site-to-Site VPN Firewall Rules

When adjusting settings for a site-to-site VPN, don’t forget to update the firewall rules. Make sure the appropriate subnets for your networks are covered. In /etc/ufw/before.rules: # OpenVPN Rules *nat :POSTROUTING ACCEPT [0:0] # Allow traffic from OpenVPN client to ens32 -A POSTROUTING -s 192.168.52.0/24 -o ens32 -j MASQUERADE -A POSTROUTING -s 172.22.1.0/24 -o ens32 … Read more

To Set the Console Text to Green with a Blinking Block Cursor

For Ubuntu: Update /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT=”consoleblank=0 vt.cur_default=6 vt.color=2″ This will also set it so the console never blanks; adjust “consoleblank” to your own tastes (in seconds). For Raspberry Pi/Raspbian: Update /boot/cmdline.txt and add the following to whatever is already there: vt.cur_default=6 vt.color=2 consoleblank=0 This will also set it so the console never blanks; adjust “consoleblank” to … Read more

Getting DKIM working

I used these two sites to figure out how to get DKIM working: https://wiki.debian.org/opendkim https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf Install opendkim and opendkim-tools cd /etc/dkimkeys opendkim-genkey -t -s mail -d technomancer.com Edit /etc/opendkim.conf: Domain technomancer.com KeyFile /etc/dkimkeys/mail.private Selector mail Socket local:/var/spool/postfix/opendkim/opendkim.sock # Specify the list of keys KeyTable file:/etc/dkimkeys/keytable # Match keys and domains. To use regular expressions in … Read more

Setting up DNSSEC in bind9

Install the bind9 packages. Make sure it’s enabled in named.conf.options: dnssec-validation auto; dnssec-lookaside auto; # Need to look up what this one is Generate the keys (pick an appropriate algorithm; today (22 Mar 2021),ECDSAP384SHA384 seems to be the “ideal”): dnssec-keygen -a ECDSAP384SHA384 -b 4096 -n ZONE technomancer.comdnssec-keygen -f KSK -a ECDSAP384SHA384 -b 4096 -n ZONE … Read more

Setting up freeradius on Ubuntu

Add client to /etc/freeradius/3.0/clients.conf client someclient.tek { ipaddr=172.22.42.4 secret=xxxxxxxxxxxxxxxxx shortname=internal-network login       = !root } Set daemon to run with group shadow in /etc/freeradius/3.0/radiusd.conf Uncomment unix type in /etc/freeradius/3.0/sites-available/default to enable reading of passwd/shadow information.