Wednesday, July 9, 2014

Use Certificate-based Authentication with the Open Source Version of SoftEtherVPN

First of all, for those who do not know what SoftEtherVPN is: it is "An Open-Source Free Cross-platform Multi-protocol VPN Program" released by the University of Tsukuba, Japan. The servers and clients run on multiple platforms such as Linux, Mac OS X, FreeBSD, Windows, and so on, and the server also accepts the OS's native VPN clients such as Windows' PPTP, OpenVPN, IPSec, and so on.

One of the very useful features of SoftEtherVPN Server is that it can authenticate clients with certificates or against Active Directory. However, such features are disabled in the open-source version of SoftEtherVPN Server.

In practice, while using SoftEtherVPN at several sites, I have found that I can use certificate-based authentication at some sites but not at others, with the same binary version of SoftEtherVPN Server downloaded from its website. Therefore, I decided to investigate its source code.

After a while, I found the following function, which disables the advanced features.

// Update the global server flags
void UpdateGlobalServerFlags(SERVER *s, CAPSLIST *t)
{
    bool is_restricted = false;
    // Validate arguments
    if (s == NULL || t == NULL)
    {
        return;
    }

    // One region check drives every "enterprise" feature flag below
    is_restricted = SiIsEnterpriseFunctionsRestrictedOnOpenSource(s->Cedar);

    SetGlobalServerFlag(GSF_DISABLE_PUSH_ROUTE, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_RADIUS_AUTH, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_CERT_AUTH, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_DEEP_LOGGING, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_AC, is_restricted);
    SetGlobalServerFlag(GSF_DISABLE_SYSLOG, is_restricted);
}


The above code shows that the key is the function "SiIsEnterpriseFunctionsRestrictedOnOpenSource", which decides whether or not the advanced features are restricted.

Going to the definition of that function, I found the following comment.

// Check whether some enterprise functions are restricted
//
// ** Hints by Daiyuu Nobori, written on March 19, 2014 **
//
// The following 'enterprise functions' are implemented on SoftEther VPN Server
// since March 19, 2014. However, these functions are disabled on
// SoftEther VPN Servers which run in Japan and China.
//
// - RADIUS / NT Domain user authentication
// - RSA certificate authentication
// - Deep-inspect packet logging
// - Source IP address control list
// - syslog transfer
//
// The SoftEther VPN Project intentionally disables these functions for users
// in Japan and China. The reason is: Daiyuu Nobori, the chief author of
// SoftEther VPN, has been liable to observe the existing agreements and
// restrictions between him and some companies. The agreements have regulated
// the region-limited restriction to implement and distribute the above
// enterprise functions on the SoftEther VPN open-source program.
//
// Therefore, the SoftEther VPN Project distributes the binary program and
// the source code with the "SiIsEnterpriseFunctionsRestrictedOnOpenSource"
// function. This function identifies whether the SoftEther VPN Server
// program is running in either Japan or China. If the restricted region is
// detected, then the above enterprise functions will be disabled.
//
// Please note that the above restriction has been imposed only on the
// original binaries and source codes from the SoftEther VPN Project.
// Anyone, except Daiyuu Nobori, who understands and writes the C language
// program can remove this restriction at his own risk.


Wow, you are a great man with kind hints, Daiyuu Nobori. We can remove the restrictions at our own risk.

The remaining steps are up to you. If you plan to use SoftEtherVPN Server outside of Japan and China, just download the compiled version from its website. Otherwise, go on and disable the above function with your own knowledge of the C programming language.

Have a nice day!

Thursday, March 6, 2014

A Simple Way to Create A Windows Installation USB on Linux

Sometimes you might want to create a flash drive (USB drive) for installing Windows, but... on Linux. One of the simplest ways is to use UNetbootin. However, recent versions of UNetbootin no longer support NTFS partitions, so you cannot create such a drive in the usual way.

Fortunately, UNetbootin only lacks NTFS support in its GUI; it still works like a charm with the command line options.

Now, it is time to begin.

0. I assume that you have an ISO file of the Windows 7 (or 8) installation disk (win7.iso, for example) and a flash drive with a capacity of at least 4GB (recognized as /dev/sdd, for example). I also assume that you already have UNetbootin installed on your system.

1. First of all, create a partition big enough to hold the Windows installation files. It should be larger than 3.2 GB. You can use any tool you are familiar with, such as gparted, Disk Utility, etc. I use parted here as an example.

$ sudo parted -s /dev/sdd mklabel msdos mkpart primary 1024KiB 4GiB print
$ sudo mkfs.ntfs -L WIN /dev/sdd1

2. Mount the created partition somewhere in your system. If you use GNOME, it should mount that partition automatically at /run/media/${USER}/WIN. If that is not the case, use the following command.

$ sudo mount /dev/sdd1 /mnt

3. Run the following command.

$ sudo unetbootin method=diskimage isofile=win7.iso targetdrive=/dev/sdd1

The GUI will be shown with all the options you need already filled in. Click OK.
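The same four steps wrapped in a guard that refuses to touch anything but a removable disk of at least 4GB, since the parted and mkfs commands above destroy whatever disk they are pointed at. This is an added example, not part of the original post; SYSFS_ROOT and RUN are hypothetical knobs (SYSFS_ROOT lets the checks run against a fake sysfs tree, RUN=echo gives a dry run).

```shell
#!/bin/sh
# Added example, not from the original post: run the post's parted/mkfs/mount/
# unetbootin steps only after checking that the target really is a removable
# disk of at least 4GB. SYSFS_ROOT and RUN are hypothetical knobs: SYSFS_ROOT
# lets the checks run against a fake sysfs tree, RUN=echo gives a dry run.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/block}"
RUN="${RUN:-}"
MIN_BYTES=4000000000   # 4GB as the post requires (decimal, as drive vendors count)

# dev_is_safe_target /dev/sdX -> 0 only if the kernel flags the disk as
# removable and its size (sysfs counts 512-byte sectors) is >= MIN_BYTES
dev_is_safe_target() {
    name=$(basename "$1")
    removable=$(cat "$SYSFS_ROOT/$name/removable" 2>/dev/null) || return 1
    sectors=$(cat "$SYSFS_ROOT/$name/size" 2>/dev/null) || return 1
    [ "$removable" = "1" ] || return 1
    [ "$((sectors * 512))" -ge "$MIN_BYTES" ]
}

# build_windows_usb /dev/sdX win7.iso -> the four commands from the post,
# in order, stopping at the first failure
build_windows_usb() {
    dev=$1; iso=$2; part="${dev}1"
    [ -r "$iso" ] || { echo "ISO not readable: $iso" >&2; return 2; }
    dev_is_safe_target "$dev" || { echo "refusing $dev: not a removable disk of at least 4GB" >&2; return 3; }
    $RUN sudo parted -s "$dev" mklabel msdos mkpart primary 1024KiB 4GiB print || return 4
    $RUN sudo mkfs.ntfs -L WIN "$part" || return 4
    $RUN sudo mount "$part" /mnt || return 4
    $RUN sudo unetbootin method=diskimage isofile="$iso" targetdrive="$part"
}
```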

Blah, blah, blah...

Sunday, September 29, 2013

CSSH on MacOS X 10.8+

I assume that you already know what CSSH (formally, ClusterSSH) is. In short, it is a way to control many Unix/Linux boxes in parallel, all in the same way.

I always use CSSH on my Fedora box at work, but this is the first time I have had to use it at home to control my cluster. My laptop's operating system is Mac OS X 10.8, and that is the problem.

Installing CSSH on Mac OS X seems to be simple. If you want to do it the lazy way, like me, use MacPorts' port command.

sudo port install cssh

Then, try to connect to some host, for example:

cssh root@somehost

It should work well, right? Oh no, a strange error message appears, like the one below.

Can't connect to display `tmp/launch-P6rxkT/org.macosforge.xquartz:0': Invalid argument at /opt/local/lib/perl5/vendor_perl/5.12.4/X11/Protocol.pm line 2270

If you open Protocol.pm and go to line 2270, you will see that it tries to use INETSocket (wrong) instead of UNIXSocket (right). That is because $host is not equal to "unix". You have to change something here to make it use UNIXSocket when $host contains "xquartz". Change line 2262 (the if statement before the error line) from

if ($host eq 'unix') {

to

if ($host eq 'unix' || index($host, "xquartz") != -1) {

(Ahh, that is a bug in the MacPorts distribution of Perl 5.12.4.)
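Because a MacPorts upgrade will overwrite Protocol.pm and bring the bug back, here is an added script (not from the original post) that applies exactly that one-line change, keeps a .orig backup, refuses to touch a file it does not recognise, and is safe to re-run; the PROTOCOL_PM path is the one from the error message above.

```shell
#!/bin/sh
# Added example, not from the original post: apply the Protocol.pm fix
# idempotently so it can be re-run after a MacPorts upgrade.
PROTOCOL_PM="${PROTOCOL_PM:-/opt/local/lib/perl5/vendor_perl/5.12.4/X11/Protocol.pm}"
OLD_LINE="if (\$host eq 'unix') {"
NEW_LINE="if (\$host eq 'unix' || index(\$host, \"xquartz\") != -1) {"

# patch_status FILE -> 0 already patched, 1 needs the patch, 2 unexpected content
patch_status() {
    if grep -qF "$NEW_LINE" "$1"; then return 0; fi
    if grep -qF "$OLD_LINE" "$1"; then return 1; fi
    return 2
}

# patch_protocol_pm FILE -> rewrites the unix-socket check, keeping FILE.orig
patch_protocol_pm() {
    f=$1; st=0
    patch_status "$f" || st=$?
    if [ "$st" -eq 0 ]; then echo "already patched: $f"; return 0; fi
    if [ "$st" -ne 1 ]; then echo "unexpected content, not touching: $f" >&2; return 2; fi
    cp "$f" "$f.orig" || return 3
    # fixed-string replacement via awk's index(), so the Perl punctuation
    # ($, parentheses, quotes) is never interpreted as a regex
    awk -v old="$OLD_LINE" -v new="$NEW_LINE" \
        '{ i = index($0, old); if (i) $0 = substr($0, 1, i - 1) new substr($0, i + length(old)); print }' \
        "$f.orig" > "$f" || return 3
    patch_status "$f"
}
```

Run it as `patch_protocol_pm "$PROTOCOL_PM"` (with sudo, since the file is root-owned under /opt/local).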

That's all. Try again and see that everything goes well.

Wednesday, August 28, 2013

Supermicro Server: Reset the IPMI Password

You might sometimes forget your IPMI password, or you might get the server from someone else and want to reset it. There are some options for you. However, first of all, you should try the default IPMI account, which is ADMIN / ADMIN.

IPMICFG

Supermicro provides a tool named IPMICFG for managing your IPMI settings. You can download it from the following location.


It contains tools for DOS, Linux, and Windows.

IPMI Tool

If you have Linux installed on that server, you can install OpenIPMI and ipmitool to manage the local or remote IPMI service.

To reset the password, all you have to do is the following. Start by restarting the IPMI service.

# service ipmi restart

If the IPMI service cannot be started, stop here. Your server might not have IPMI support.

Next, get the user ID of the "ADMIN" account.

# ipmitool user list

ID  Name      Callin  Link Auth IPMI Msg   Channel Priv Limit
2   ADMIN            true    false      false      Unknown (0x00)

You should see output like the above; here the user ID of the "ADMIN" account is 2.

Now, change the password of the user with ID 2 to "MATKHAU", for example.

# ipmitool user set password 2 MATKHAU
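The two ipmitool steps combined, as an added example that is not part of the original post: the ID is parsed out of the `ipmitool user list` output instead of being assumed to be 2, and an empty or factory-default ("ADMIN") password is refused. IPMI_USER_LIST and RUN are hypothetical knobs (IPMI_USER_LIST supplies the listing command, RUN=echo gives a dry run).

```shell
#!/bin/sh
# Added example, not from the original post: look the user ID up from
# `ipmitool user list` instead of assuming it is 2, and refuse to set an
# empty or factory-default password. IPMI_USER_LIST and RUN are hypothetical
# knobs: IPMI_USER_LIST supplies the listing command, RUN=echo gives a dry run.
IPMI_USER_LIST="${IPMI_USER_LIST:-ipmitool user list}"
RUN="${RUN:-}"

# user_id_for NAME: reads `ipmitool user list` output on stdin and prints the
# ID column of the row whose Name column matches; fails if there is none
user_id_for() {
    awk -v name="$1" 'NR > 1 && $2 == name { print $1; found = 1; exit } END { exit !found }'
}

# reset_ipmi_password NAME NEWPASS: the post's `ipmitool user set password`
# step, driven by the looked-up ID
reset_ipmi_password() {
    name=$1; pass=$2
    if [ -z "$pass" ] || [ "$pass" = "ADMIN" ]; then
        echo "refusing: empty or factory-default password" >&2
        return 2
    fi
    id=$($IPMI_USER_LIST | user_id_for "$name") || { echo "no IPMI user named $name" >&2; return 3; }
    $RUN ipmitool user set password "$id" "$pass"
}
```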

That's all. Have a nice try!

Tuesday, August 13, 2013

RHEL/CentOS/Fedora: How to Disable CPU Frequency Scaling/Throttling

Attention! Be sure you REALLY want to do this! Do it at your own risk!

I assume that you already know the reason before reaching my post. Run the following command as root. That's all.

echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor >& /dev/null
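The one-liner above sends all errors to /dev/null, so a CPU that does not offer the "performance" governor, or a run without root, fails silently. The added function below (not from the original post) does the same write but checks scaling_available_governors first and reads every CPU back afterwards; CPUFREQ_ROOT is a hypothetical knob so the logic can be exercised against a fake sysfs tree.

```shell
#!/bin/sh
# Added example, not from the original post: set the governor the way the post
# does, but first check that it is offered and afterwards read every CPU back,
# instead of hiding failures with ">& /dev/null". CPUFREQ_ROOT is a
# hypothetical knob so the logic can be exercised against a fake sysfs tree.
CPUFREQ_ROOT="${CPUFREQ_ROOT:-/sys/devices/system/cpu}"

# set_governor NAME -> 0 only if every cpu*/cpufreq directory now reports NAME;
# 2 if the tree has no cpufreq entries at all (no frequency scaling support)
set_governor() {
    want=$1; n=0; bad=0
    for d in "$CPUFREQ_ROOT"/cpu[0-9]*/cpufreq; do
        [ -d "$d" ] || continue
        n=$((n + 1))
        # scaling_available_governors is a space-separated list
        avail=$(cat "$d/scaling_available_governors" 2>/dev/null)
        case " $avail " in
            *" $want "*) ;;
            *) echo "$d: governor '$want' not available" >&2; bad=$((bad + 1)); continue ;;
        esac
        if ! echo "$want" > "$d/scaling_governor" 2>/dev/null; then
            echo "$d: write failed (are you root?)" >&2; bad=$((bad + 1)); continue
        fi
        now=$(cat "$d/scaling_governor")
        [ "$now" = "$want" ] || { echo "$d: still '$now' after write" >&2; bad=$((bad + 1)); }
    done
    [ "$n" -gt 0 ] || { echo "no cpufreq entries under $CPUFREQ_ROOT" >&2; return 2; }
    [ "$bad" -eq 0 ]
}
```

Call it as `set_governor performance` as root; a non-zero exit means at least one CPU did not switch, and the reason is on stderr.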

Have fun!!!