Monday, December 26, 2016

Mac OS X / macOS: how to prevent "Write Failed: broken pipe" on SSH connections

Create (or edit) ~/.ssh/config with the options below. One thing to know about this file: ssh reads it top to bottom and uses the first value it obtains for each option, so an option repeated in a later block is silently ignored instead of overriding the earlier one. Don't set ControlMaster and ControlPath twice (once globally and once under "Host *"); the second ControlPath would never take effect. Everything is therefore kept in a single "Host *" block.

Host *
  ### Stop timing out connections: send a keepalive every 15 s and give up
  ### only after 20 unanswered ones, i.e. after 5 minutes of dead link
  ServerAliveInterval 15
  ServerAliveCountMax 20

  #TCPKeepAlive yes
  #only worked for me with TCPKeepAlive no
  TCPKeepAlive no

  ### SSH connection pooling for faster additional connections to a machine.
  ### Run "mkdir -m 700 ~/.ssh/control" first; the socket lives under your own
  ### home directory rather than the shared /tmp.
  ControlMaster auto
  ControlPath ~/.ssh/control/%r@%h:%p
  ControlPersist 3600

  ### Make it so ssh-ing from one server to another uses your local agent.
  ### This forwards the agent socket, not the keys themselves, but root on any
  ### host you forward to can use your keys for as long as you are connected,
  ### so prefer putting these two in a Host block that lists only hosts you
  ### trust rather than under "Host *".
  ForwardAgent yes
  ForwardX11 yes
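As an added example (not part of the original post), the following Python script resolves an ssh_config the way ssh does, first obtained value wins, and reports any setting that can never take effect. It assumes only Host sections (no Match) and single-valued keywords; the ORIGINAL_CONFIG text inside it is a constructed copy of a config that sets ControlPath twice, and running it shows that the /tmp ControlPath is the one actually in use:

```python
#!/usr/bin/env python3
"""Added example (not the original post's code): resolve an ssh_config the way
ssh(1) does and report settings that can never take effect.

ssh reads the file top to bottom and keeps the FIRST value it obtains for each
keyword; a later value, even inside a matching "Host *" block, is ignored.
Assumptions: only "Host" sections (no "Match"), keywords are single-valued
(list-valued ones such as IdentityFile accumulate instead), '#' starts a comment.
"""

import fnmatch
import re
from typing import Dict, List, Tuple

Entry = Tuple[List[str], str, str]   # (host patterns, keyword, value)


def parse_ssh_config(text: str) -> List[Entry]:
    """Flatten the file into (patterns, keyword, value) triples. Lines before
    the first Host line form the implicit global section, which applies to
    every host exactly like "Host *". Keywords are case-insensitive."""
    patterns = ["*"]
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments/blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)    # "Key value" or "Key=value"
        if len(parts) != 2:
            continue                                      # keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = value.split()                      # a Host line opens a new section
            continue
        entries.append((patterns, key, value))
    return entries


def host_matches(host: str, patterns: List[str]) -> bool:
    """ssh_config(5) rule: a matching negated pattern ("!bastion.*") excludes
    the host; otherwise any matching positive pattern includes it."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))


def effective_config(text: str, host: str) -> Dict[str, str]:
    """The values ssh would actually use for HOST: first obtained value wins."""
    config: Dict[str, str] = {}
    for patterns, key, value in parse_ssh_config(text):
        if host_matches(host, patterns) and key not in config:
            config[key] = value
    return config


def shadowed_settings(text: str, host: str) -> List[Tuple[str, str]]:
    """Every (keyword, value) that applies to HOST but is dead, because an
    earlier line already set that keyword. Anything listed here is a bug."""
    seen: Dict[str, str] = {}
    dead: List[Tuple[str, str]] = []
    for patterns, key, value in parse_ssh_config(text):
        if not host_matches(host, patterns):
            continue
        if key in seen:
            dead.append((key, value))
        else:
            seen[key] = value
    return dead


# Constructed input: a config with ControlMaster/ControlPath set twice, once
# globally and once under "Host *". The second ControlPath is the dead one.
ORIGINAL_CONFIG = """\
### Stop timing out connections
ServerAliveInterval 15
ServerAliveCountMax 20
TCPKeepAlive no

### SSH Connection pooling for faster additional connections to a machine
ControlMaster auto
ControlPath /tmp/ssh_mux_%h_%p_%r

Host *
  ControlMaster auto
  ControlPath ~/.ssh/control/%r@%h:%p
  ControlPersist 3600

Host *
ForwardAgent yes
ForwardX11 yes
"""

if __name__ == "__main__":
    cfg = effective_config(ORIGINAL_CONFIG, "example.com")
    print("ControlPath in use:", cfg["controlpath"])     # the /tmp one, not ~/.ssh/control
    for key, value in shadowed_settings(ORIGINAL_CONFIG, "example.com"):
        print(f"never applied: {key} {value}")
```

To lint your own file, pass the contents of ~/.ssh/config and a hostname to shadowed_settings(); an empty list means every line can take effect. The real ssh -G host command prints the effective configuration the same way and is the final word.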

Tuesday, December 20, 2016

Ignoring redirect-gateway (OpenVPN client: disable the pushed default gateway)

IgnoreRedirectGateway – OpenVPN Community

Ignoring redirect-gateway

If you are running OpenVPN as a client and the server you use pushes "redirect-gateway", your client redirects all Internet traffic over the VPN. Sometimes clients do not want this but cannot change the server's configuration. This page explains how to override redirect-gateway so the client does not redirect Internet traffic even though the server says to.

Method 1: ignore

There are 2 options that can be used to ignore routes pushed by the server (descriptions from the OpenVPN manual):

--route-noexec
 Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.

--route-nopull
 When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers.
 When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

Both options also discard every other route the server pushes (for example the route to the remote LAN), so with either of them you add the routes you do want by hand in the client config.

Method 2: override

Here we will simply add routes that override --redirect-gateway, using the same trick the def1 flag to --redirect-gateway uses: a more specific route beats a less specific one. Which routes you need depends on whether the server uses the def1 flag to --redirect-gateway or not (check the client log while connecting). Note that net_gateway is an internal variable of OpenVPN (it stands for the default gateway that existed before the tunnel came up) and does not need to be changed to anything. If you do not know whether your server uses def1 and do not want to check the logs to figure it out, just assume it DOES use def1 and use the 4 routes. That works either way, because a /2 route is more specific than both the /1 routes def1 installs and a plain /0 default.

def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

If the server DOES NOT use def1 add the following options to the client's config:
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway

If the server DOES use def1, or if you do not know, add the following options to the client's config:
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

After this only traffic with its own, more specific route (the tunnel network itself and any route statements you add) goes through the VPN; everything else stays on the old default gateway.
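To see why the four /2 routes are the safe choice, here is an added example (written for this page, not taken from the OpenVPN wiki) that models the client's routing table with longest-prefix matching. The interface name tun0, the label net_gateway standing in for the pre-VPN default gateway, and the tables themselves are constructed for the example; override_config_lines() produces the route statements given above:

```python
#!/usr/bin/env python3
"""Added example (not from the OpenVPN wiki page quoted above): a small model
of longest-prefix routing showing why the override routes beat a pushed
redirect-gateway, and why four /2 routes are the safe choice when you do not
know whether the server uses def1.

"tun0" stands for the VPN interface and "net_gateway" for the gateway that was
the default before the tunnel came up; both names and the routing tables are
constructed for the example (the /32 host route OpenVPN adds for the VPN
server itself is left out, it does not affect the argument)."""

import ipaddress
from typing import List, Set, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]              # (prefix, next hop)
ALL = ipaddress.ip_network("0.0.0.0/0")


def split_routes(pushed_prefixlen: int) -> List[Net]:
    """Prefixes one bit longer than what the server pushed, together covering
    all of IPv4: pushed 0.0.0.0/0 -> two /1s; pushed def1 (/1s) -> four /2s.
    This is exactly the trick def1 itself uses against the original default."""
    return list(ALL.subnets(new_prefix=pushed_prefixlen + 1))


def override_config_lines(server_uses_def1: bool = True) -> List[str]:
    """The 'route ... net_gateway' statements to put in the client config."""
    return [f"route {n.network_address} {n.netmask} net_gateway"
            for n in split_routes(1 if server_uses_def1 else 0)]


def client_table(server_uses_def1: bool, client_assumes_def1: bool) -> List[Route]:
    """The client's table after OpenVPN applies the server's redirect-gateway
    and then the client's own override routes."""
    if server_uses_def1:
        # def1 shadows the default route with two /1s instead of replacing it
        table: List[Route] = [(ALL, "net_gateway")]
        table += [(n, "tun0") for n in split_routes(0)]
    else:
        # plain redirect-gateway: the default route itself now points at the tunnel
        table = [(ALL, "tun0")]
    table += [(n, "net_gateway") for n in split_routes(1 if client_assumes_def1 else 0)]
    return table


def next_hops(table: List[Route], dst: str) -> Set[str]:
    """All next hops sharing the longest matching prefix. More than one means
    the OS will pick by a tie-break you do not control."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, hop) for net, hop in table if addr in net]
    longest = max(length for length, _ in matches)
    return {hop for length, hop in matches if length == longest}


def lookup(table: List[Route], dst: str) -> str:
    """Single next hop for DST, or an error when the table is ambiguous."""
    hops = next_hops(table, dst)
    if len(hops) != 1:
        raise ValueError(f"ambiguous route for {dst}: {sorted(hops)}")
    return hops.pop()


if __name__ == "__main__":
    print("\n".join(override_config_lines()))          # the four /2 routes
    for server_def1 in (False, True):
        for assume_def1 in (False, True):
            hops = sorted(next_hops(client_table(server_def1, assume_def1), "8.8.8.8"))
            print(f"server def1={server_def1!s:5} client assumes def1={assume_def1!s:5}: {hops}")
```

The one combination that comes out ambiguous is a server that uses def1 against a client that only added the two /1 routes: both sets are /1s, so nothing in the table decides. Assuming def1 (four /2s) wins in every combination, which is the wiki's advice in code.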

Starting and stopping the OpenVPN client from cron / shell / console on pfSense

Can't get openvpn to start and stop via cron

0 23 * * * root /usr/local/sbin/pfSsh.php playback svc stop openvpn client 1
0 7 * * * root /usr/local/sbin/pfSsh.php playback svc start openvpn client 1

"client 1" is the id of the OpenVPN client instance (the same number as in the ovpnc1 interface name). On pfSense /etc/crontab is regenerated from the stored configuration, so add these entries through the Cron package (Services / Cron) rather than by editing the file directly, or they will be lost.

Saturday, December 17, 2016

pfSense OpenVPN client to PIA, or reaching a private network by routing traffic over OpenVPN

References:
OpenVPN Step-by-Step Setup for pfSense aes256/Strong [firewall/router] - PIA
pfsense openvpn client to site
How to force all client OpenVPN traffic to be routed via pfSense
pfsense openvpn client route

If you only need to reach a specific remote network through the tunnel (rather than sending all traffic through it), this is where the procedure diverges. After following all the steps below you still have to adjust the outbound NAT and add a LAN rule that sends traffic for that network to the VPN gateway, as follows.

Firewall / NAT / Outbound: the outbound rules for the VPN interface, as described under "NAT Settings" below (screenshot in the original).

Firewall / Rules / LAN:
Action : Pass
Interface : LAN
Address Family : IPv4
Protocol : any
Destination : Network -> (or your destination net)
(click Advanced Options)
Gateway : VPN_DHCP, i.e. the gateway pfSense created for your VPN interface (its name follows the interface name you chose in Interfaces / Interface Assignments)

Put this rule above the default "allow LAN to any" rule: pfSense evaluates rules top-down and stops at the first match. Also note that when the VPN gateway is down, traffic matching a policy-routing rule falls back to the default (WAN) gateway unless "Skip rules when gateway is down" is enabled under System / Advanced / Miscellaneous; enable it if that traffic must never leave via the WAN.

Instructions: Setting up OpenVPN on pfSense [firewall/router]



First start by downloading from...


    - This supplies PIA's "ca.rsa.4096.crt" file once the archive is unzipped.

Log into pfSense webConfigurator

    - https://pfsense-LAN-IP/index.php

    - Ex.

Prevent DNS leaks by setting PIA DNS only

pfSense Setup Wizard (video)


    - Click "System"
Click "Setup Wizard"

    Click "Next"
    Click "Next"

    - For "Primary DNS Server:" type in ""

    - For "Secondary DNS Server:" type in ""

    - "Override DNS" = [unchecked]

    Click "Next"
    Click "Next"
    - Scroll to the bottom and click "Next"

    Click "Next"
    - "Admin Password AGAIN:" type in your pfSense password for the WebGUI

    Click "Next"

    Click "Reload" and wait

    Click the 2nd "here" where it says... "Click here to continue on to pfSense webConfigurator"

Once pfSense loads up the "Status / Dashboard" your DNS section should look as follows:

    DNS server(s)


"PIA-CA-aes256" Installation


    - Click "System"
Click "Cert. Manager"
Click "CAs"

    Click "+ Add"

    "Descriptive name" type in "PIA-CA-aes256"

    "Method" select  "Import an existing Certificate Authority"

    "Certificate data" - (paste in all the content from the ca.rsa.4096.crt file)


    - "Certificate Private Key (optional)" = (leave blank)

    - "Serial for next certificate" = (leave blank)

Now click "Save"

NOTE: The following password is not valid...
so don't waste your time trying it.  ;)

Write your "p"-username and password into the /etc/openvpn-passwd.txt file


    - Click "Diagnostics"

    - Click "Command Prompt"

    - Under "Execute Shell Command" click into the "Command" box and type the following, replacing the username p2099690 and password JkY6UgYHa5 with your own credentials:

         echo "p2099690" > /etc/openvpn-passwd.txt; echo "JkY6UgYHa5" >> /etc/openvpn-passwd.txt; chmod 600 /etc/openvpn-passwd.txt

    - Click "Execute"

    The file holds the PIA password in clear text, which is why the command ends with chmod 600: a plain redirect creates it world-readable, and nothing but the OpenVPN client (which reads it at startup) needs access.


Create OpenVPN Client


    - Click "VPN"

    - Click "OpenVPN"

    - Click the "Client" tab

    - Click "+ Add"

Configure as follows...

    - "Disabled" = [unchecked]

    - "Server Mode" = "Peer To Peer (SSL/TLS)"

    - "Protocol" = "UDP"

    - "Device Mode" = "tun"

    - "Interface" = "WAN"

    - "Local Port" = (leave blank)

Choose a server for "Server host or address" form the PIA list here...

    - "Server host or address" = ""

    - "Server Port" = "1197"

    - "Proxy host or address" = (leave blank)

    - "Proxy port" = (leave blank)

    - "Proxy authentication extra options" = none

    - "Server host name resolution" = [check] "Infinitely resolve server"

    - "Description" = "PIA OpenVPN aes256"

    - "TLS Authentication" = [uncheck] "Enable authentication of TLS packets."

    - "Peer Certificate Authority" = "PIA-CA-aes256"

    - "Client Certificate" = "webConfigurator default *In use"

    - "Encryption algorithm" = "AES-256-CBC (256-bit)"

    - "Auth Digest Algorithm" = "SHA256 (256-bit)"

    - "Hardware Crypto" = "No Hardware Crypto Acceleration"

    - "IPv4 Tunnel Network" = (leave blank)

    - "IPv6 Tunnel Network" = (leave blank)

    - "IPv4 Remote Network/s" = (leave blank)

    - "IPv6 Remote Network/s" = (leave blank)

    - "Limit outgoing bandwidth" = (leave blank)

    - "Compression" = choose "Enabled with Adaptive Compression" (this is what the original guide chose; be aware that compressing traffic inside a TLS tunnel enables compression-oracle attacks such as VORACLE, so prefer disabling compression if your server allows it)

    - "Type-of-Service" = [unchecked]

    - "Disable IPv6" = [check] "Don't forward IPv6 traffic."

    - "Don't pull routes" = [unchecked]

    - "Don't add/remove routes" = [unchecked]

    - Under "Advanced Configuration" for "Custom options" type the following in the box:

auth-user-pass /etc/openvpn-passwd.txt;verb 5;remote-cert-tls server

    - "Verbosity level" = default

Now click "Save"

Create OpenVPN interface


    - Click "Interfaces"

    - Click "(assign)"

    - "Available network ports:" select "ovpnc1(PIA OpenVPN aes256)"

      Note: If you already set up aes128 this will be listed as "ovpnc2(PIA OpenVPN aes256)"

    - Click "+ Add"


Note: The new interface will be named "OPT1" or "OPT2" with a network port of "ovpnc1(PIA OpenVPN aes256)" or "ovpnc2(PIA OpenVPN aes256)"


    - Click on "OPT1" or "OPT2" to edit the interface

Configure as follows...

    - "Enabled" = [check]

    - "Description" = "OpenVPN_aes256_Interface"

    - "IPv4 Configuration Type" = none

    - "IPv6 Configuration Type" = none

    - "MAC address" = (leave blank)

    - "MTU" = (leave blank)

    - "MSS" = (leave blank)

    - "Block private networks" = [unchecked]

    - "Block bogon networks" = [unchecked]

Now click "Save"

Now click "Apply changes"

NAT Settings


    - Click "Firewall"

    - Click "NAT"

    - Click the "Outbound" tab

    - For "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"...

        - put a (dot) in the radio button

Now click "Save"

The next step is to duplicate each of these rules...

    - but change the NAT Address from WAN to OpenVPN_aes256_Interface 

    - Start with the first "WAN" rule by clicking the copy icon ( looks like a square in front of another square ) immediately to the right of the line to "Add a new NAT based on this one"

A new page will open configure as follows...

    - "Disabled" = (do not change) [unchecked]

    - "Do not NAT" = (do not change) [unchecked]

    - "Interface" = OpenVPN_aes256_Interface 

    - "Protocol" = (do not change)

    - "Source" = (do not change)

    - "Destination" = (do not change)

    - "Translation" = (do not change)

    - "No XMLRPC Sync" = (do not change)

    - "Description" = Made for PIA_OpenVPN_aes256

Now click "Save"

IMPORTANT!  Repeat this process for each of the other rules.  

    - When completed, the Outbound tab should contain one copy of each original WAN rule with the interface set to OpenVPN_aes256_Interface (screenshot omitted; the original marks it as out of date).

Now click "Apply changes" at the top of the page

    The changes have been applied successfully.

    You can also monitor the filter reload progress.

Verify OpenVPN Service


At this point, your system is configured. Restart your OpenVPN service to be sure.

    - "Status"

    - "OpenVPN"

    - "Status" should be "UP" (but it may be DOWN)

        - Click the "Restart OpenVPN Service" button no matter what the status is. 

        - It's the button that looks like an arrow bent into a circle to the right of the service.

    - "Status" should be "UP" now

Reboot the pfSense firewall now


    - "Diagnostics"

    - "Reboot"

    - "Reboot"

    - "OK"

Page will automatically reload in 90 seconds

Verify OpenVPN initialized correctly by checking System Logs


    - "Status"

    - "System Logs"

    - Click the "OpenVPN" tab

    - Scroll down and look for "Initialization Sequence Completed" similar to the following:

Jul 17 21:10:43     openvpn     3328     Initialization Sequence Completed        
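Rather than scrolling for that line, you can triage the log programmatically. The following is an added example, not from the PIA guide: the log lines in it are constructed in the format pfSense shows on the OpenVPN log tab (timestamp, process, pid, message), the message substrings it looks for are the ones OpenVPN itself prints, and the state names are the example's own. The point it makes is that "Initialization Sequence Completed" only counts if nothing after it reports a restart or failure:

```python
#!/usr/bin/env python3
"""Added example (not from the PIA guide): triage the pfSense OpenVPN log
instead of eyeballing it for "Initialization Sequence Completed".

That line only means the client is up if nothing after it reports a failure
or restart, so the check walks the log in order and keeps the LAST decisive
event. Log lines are constructed in the format pfSense shows on its OpenVPN
log tab (timestamp, process, pid, message); the message substrings matched
below are the ones OpenVPN itself prints. State names are this example's own.
"""

import re
from typing import List, Optional, Tuple

# (state, regex over the message). The first matching entry wins for a line.
MARKERS: List[Tuple[str, str]] = [
    ("up",          r"Initialization Sequence Completed"),
    ("auth_failed", r"AUTH_FAILED"),                   # bad user/pass in the auth-user-pass file
    ("tls_failed",  r"TLS Error"),                     # handshake never completed: port, proto, firewall
    ("tls_failed",  r"VERIFY (?:KU |EKU )?ERROR"),     # CA mismatch, or remote-cert-tls server rejects the cert
    ("restarting",  r"process restarting"),            # SIGUSR1: any earlier "up" is stale
    ("down",        r"process exiting"),
]

# "Jul 17 21:10:43     openvpn     3328     Initialization Sequence Completed"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+openvpn\s+(?P<pid>\d+)\s+(?P<msg>.*)$")


def classify(message: str) -> Optional[str]:
    """Map one log message to a state, or None if it is not decisive."""
    for state, pattern in MARKERS:
        if re.search(pattern, message):
            return state
    return None


def openvpn_state(log_lines: List[str]) -> Tuple[str, Optional[str]]:
    """Return (state, line that set it). 'unknown' means the log holds no
    decisive event at all, which is what you get when the service never ran."""
    state, evidence = "unknown", None
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue                                   # not an OpenVPN log line
        verdict = classify(m.group("msg"))
        if verdict is not None:
            state, evidence = verdict, line.strip()
    return state, evidence


# Constructed sample logs, not real captures.
GOOD_LOG = [
    "Jul 17 21:10:41 openvpn 3328 TLS: Initial packet from [AF_INET]203.0.113.10:1197",
    "Jul 17 21:10:42 openvpn 3328 VERIFY OK: depth=0, CN=server",
    "Jul 17 21:10:43 openvpn 3328 Initialization Sequence Completed",
]
STALE_UP_LOG = GOOD_LOG + [
    "Jul 17 21:15:01 openvpn 3328 Inactivity timeout (--ping-restart), restarting",
    "Jul 17 21:15:01 openvpn 3328 SIGUSR1[soft,ping-restart] received, process restarting",
    "Jul 17 21:15:06 openvpn 3328 AUTH: Received control message: AUTH_FAILED",
]

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("stale", STALE_UP_LOG)):
        state, why = openvpn_state(log)
        print(f"{name}: {state} <- {why}")
```

Feed it the lines from Status / System Logs / OpenVPN (or /var/log/openvpn.log on the box) and act on the state rather than on the presence of the "Completed" line; an AUTH_FAILED after a restart is the usual sign that the credentials file was changed or the PIA password expired.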

Test by opening your Internet browser and going to...