Radovan Brezula

Author Archives: Radovan Brezula

How to Configure BurpSuite to use Tor as Proxy

BurpSuite is a manual toolkit for investigating web security. Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used. The tutorial discusses the configuration of Burp to use connections over the Tor network. 1. BurpSuite Community Edition We can find BurpSuite Community Edition […]

OpenVPN Remote Access VPNs Using TLS on VyOS

The tutorial provides configuration steps that help us set up an OpenVPN client/server model on GNS3. The model allows multiple remote clients to connect to a single centralized server. The VyOS router serves as the OpenVPN server, with two VyOS branch office routers acting as OpenVPN clients (client 1 and client 2). The third OpenVPN client is Ubuntu […]

DPDK and Open vSwitch Installation on Debian 10

DPDK stands for Data Plane Development Kit. The DPDK project consists of libraries to accelerate packet processing workloads running on a wide variety of CPU architectures. Open vSwitch can use the DPDK library to operate entirely in userspace, which increases Open vSwitch performance. The tutorial helps you build and install Open vSwitch using the DPDK datapath on Debian 10 Buster. The second part discusses DPDK and Open vSwitch configuration and compares the performance of the Open vSwitch appliance with DPDK enabled and disabled.

Note: You can download my Debian 10 Buster VMDK image with DPDK 18.11.2 and Open vSwitch 2.11.1 installed for quick testing of Open vSwitch/DPDK functionality. If you do so, you can skip the tutorial and continue with Part 2 - DPDK/Open vSwitch Configuration.

Login/password: debian/debian

Host
Software:
- x86_64 GNU/Linux Debian 10 Buster, 4.19.0-5-amd64
- QEMU emulator version 3.1.0
Hardware:
- RAM Memory 2x Kingston 8192 MB DDRIII
- CPU - Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz, 4 cores

Qemu Guest
Software:
- x86_64 GNU/Linux Debian 10 Buster, 4.19.0-6-amd64
- Open vSwitch - 2.11.1
- DPDK - 18.11.2
Hardware:
- 4 X […]

Site-to-Site OpenVPN on VyOS

The tutorial discusses the configuration of a site-to-site VPN on VyOS using a pre-shared key. Static key configuration offers the simplest setup, and is ideal for point-to-point VPNs or proof-of-concept testing. The advantages of using a static key are simple setup and no X509 PKI (Public Key Infrastructure) to maintain. The disadvantages are limited scalability - a one client, one server setup - and the lack of perfect forward secrecy - key compromise results in a total disclosure of previous sessions. Also, the secret key must exist in plain-text form on each VPN peer and it must be exchanged over a pre-existing secure channel.

Our lab consists of two remote sites (Picture 1). A router running the network OS VyOS is present on each side, connecting computers PC and PC2 to their respective LAN networks. Both VyOS routers are configured for OpenVPN site-to-site mode and they also perform NAT (PAT) and firewall services.

Picture 1 - Network Topology

1. VyOS Site1 Configuration

1.1 Hostname, IP addresses, SSH

vyos@vyos:~$ configure
vyos@vyos# set system host-name Site1

vyos@vyos# commit
vyos@Site1# save

vyos@Site1# set interfaces ethernet eth1 address 10.0.0.254/24
vyos@Site1# set interfaces ethernet eth0 address 11.0.2.1/24

vyos@Site1# set service ssh

vyos@Site1# commit

Testing Open vSwitch-DPDK

In a previous tutorial we built DPDK 18.11.2 and Open vSwitch 2.11.1 on a Linux Debian 10.1 (buster) VM. We created an L3 Open vSwitch QEMU appliance that we will use to compare the performance of Open vSwitch with DPDK enabled and disabled. The network topology is depicted in Picture 1.

The lab is created as a GNS3 project which consists of a single Debian Open vSwitch appliance. Two Linux Core 6.3 hosts, PC1 and PC2, are connected to the switch ports Ethernet0 and Ethernet1, respectively. First, we are going to bind both ports to a DPDK-compatible driver and create a bridge with the DPDK ports attached to it. As the last step, we will measure the maximum achievable bandwidth with the iPerf3 tool. The host PC1 will act as the iPerf3 client connecting to the iPerf3 server running on the host PC2.

Note: The Open vSwitch 2.11.1 appliance built on Debian 10 buster with DPDK 18.11.2 is available in the Download -> Appliance section. The Linux Core 6.3 image is available there as well.

Picture 1 - Debian Open vSwitch/DPDK Appliance with Connected Hosts

1. GNS3 Configuration

Check GNS3 settings for Open […]

Debian Open vSwitch Appliance with DPDK

Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license. It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols (e.g. NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, 802.1ag).

DPDK is the Data Plane Development Kit that consists of libraries to accelerate packet processing workloads running on a wide variety of CPU architectures.

Note: Open vSwitch images are customized with my after-install script and they are ready for use in GNS3.

Username is debian with the password debian.

Debian Linux 10 (buster) VMDK Appliance with DPDK 18.11.2 and Open vSwitch 2.11.1 [997,2MB]
https://drive.google.com/file/d/1ZuVVP2POUnFjySt0YpFwPeSG5Rtw_6Gj/view?usp=sharing


ClearOS Gateway on GNS3

In a previous tutorial we successfully installed ClearOS on a QEMU VM in gateway mode. At the end of the tutorial we installed several apps from the ClearOS marketplace. These apps enhance gateway functionality, however we have not tested them yet. Therefore, this tutorial goes further and tests some of the services offered by ClearOS apps. In order to do so, we will connect the ClearOS QEMU appliance to a GNS3 topology.

Our ClearOS QEMU instance is configured with two guest network cards (Picture 1). The first guest interface ens3 is assigned the LAN role and is configured with the IP address 192.168.1.254/24. This is the IP address the web administration server listens on, port 81. The entire ClearOS management will be done via web browser using the URL https://192.168.1.254:81.

Picture 1 - Network Interfaces Configuration During ClearOS Installation

The second guest interface ens4 is assigned the External role and its IP address is obtained from a DHCP server. The DHCP server is running on the SOHO router with the IP address 172.17.100.1/16 (Picture 2).

Picture 2 - Network Topology

GNS3 itself connects the second guest interface ens4 of the ClearOS gateway […]

ClearOS Installation on QEMU

ClearOS is an operating system based on CentOS for use in small and medium enterprises as a network gateway and network server with a web-based administration interface.

ClearOS in Gateway mode acts as a firewall, gateway and server on a local network. The tutorial provides installation and configuration steps for the deployment of ClearOS on a QEMU VM. We will later connect the ClearOS QEMU VM to a GNS3 network topology in order to test features such as application traffic filtering and transparent proxy with user authentication.

Software Used:
Host OS: Kubuntu Linux 18.04.1 LTS with Qemu 3.0.0 installed and kvm-intel module loaded
Guest OS: ClearOS 7.5.0 x86_64

1. Preparing Host Network Infrastructure

As we are going to install the ClearOS guest QEMU VM in gateway mode, your host should have two network adapters available (Picture 1). In our case, the first ClearOS guest network interface ens3 will be defined as LAN type during ClearOS installation. The second guest interface ens4 will be defined as External and used for the connection to the SOHO network. We will bridge the interface ens4 with the host interface enp4s0f2 using the iproute utility. But first, we need to create tap interfaces tap0 and […]

Cisco TRex on Ubuntu Server 18.04

TRex is a stateful and stateless traffic generator that is designed to benchmark platforms using realistic application traffic. It can generate L3-7 traffic and scale up to 20Gbps. TRex implements both the client and server sides. The tutorial provides exact steps that you can follow to install TRex on Ubuntu Server 18.04. Hope you find it useful.

1. Preparing Qemu Ubuntu Server VM for TRex Installation

I assume that you have installed Ubuntu Server 18.04 on a Qemu disk. Start the Qemu Ubuntu Server VM.

$ /usr/local/bin/qemu-system-x86_64 -m 4G -enable-kvm Ubuntu18.04-server-TRex2.vmdk -serial telnet:localhost:2222,server,nowait

Assign IP address from the internal Qemu DHCP server to the guest NIC of Ubuntu Server VM.

$ sudo dhclient

The IP address is 10.0.2.15/25 and the default gateway is 10.0.2.2. Now you can connect to the Ubuntu Server by issuing telnet from the host.

$ telnet localhost 2222

Copy my script trex-vm.sh from the host to the Ubuntu Server Qemu VM. The script installs packages required by TRex. It also redirects the VM console output to the serial port and configures old-style Ethernet interface naming.

$ scp -rv [email protected]:/home/brezular/trx-vm.sh .

Assign execute privileges to the script and run the […]

Creating VyOS ISO Image

There are several ways to get a VyOS ISO image. Firstly, you can buy a subscription, so you will have access to LTS VyOS ISO images. The LTS images are also available for VyOS contributors or evangelists with perpetual 1-year access. The third option involves building the ISO image yourself. Building involves cloning the VyOS repository with git, taking care of the required dependencies and finally compiling from sources. Either you need Debian as a base and manage the dependencies manually, or you can compile using the Docker method and Debian is not needed.

Using the Dockerfile you create your own Docker container that is used to build a VyOS ISO image or other required VyOS packages. The Dockerfile contains some of the most used packages needed to build a VyOS ISO, a qemu image, and several of the submodules.

1. Install Docker CE

We are going to install Docker CE on Ubuntu 18.04.2 LTS (bionic).

$ sudo apt-get update
$ sudo apt-get install apt-transport-https ca-certificates curl software-properties-common git
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo apt-key fingerprint 0EBFCD88

$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
$ sudo apt-get update
$ sudo apt-get install docker-ce

L2TP/IPSec Remote Access VPN on VyOS

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself. Therefore, it is often combined with IPsec, which is used to encapsulate L2TP packets between the endpoints. Securing L2TP using IPsec is standardized in RFC3193. The tutorial provides a remote access L2TP/IPsec configuration for the VyOS network OS.

So far, I have tested the L2TP/IPSec configuration on VyOS 1.2.0 with an Android phone configured as the L2TP/IPSec client. However, I have not been successful, ending with the error message below. The same L2TP/IPSec configuration works for the legacy 64-bit Vyatta 6.6, therefore it is used in our lab instead of VyOS.

xl2tpd[1809]: Maximum retries exceeded for tunnel

We employ Cisco vIOS-L3 in order to simulate a SOHO router. The router is connected to the Wi-Fi router Access_Point (172.17.100.1/26) with an associated wireless client (Android phone, IP 172.17.100.5/16). The L2TP/IPSec client is running on the phone. The client is configured to connect to the VPN gateway running on Vyatta (10.0.1.1/24) in order to reach the server LAN subnet (10.0.0.0/24) within the L2TP/IPSec VPN tunnel […]

Part2 – Monitoring Network Traffic with ntopng and nProbe

In Part1 we covered compilation of ntopng on Ubuntu 18.04.1 Server and installation of nProbe on Raspberry Pi 3. We also configured the Cisco Catalyst 3550 switch for traffic mirroring. The source of the traffic is the interface Fa0/3 where the PC is connected and the destination port is Fa0/24 with the Raspberry Pi 3B connected. This tutorial goes further and covers configuration of both ntopng and nProbe. First, let's have a look at the network topology.

Picture 1 - Network Topology

nProbe is running on Raspberry Pi 3B with the IP address 172.17.100.50/16. ntopng is running on Ubuntu 18.04.1 Server as a VirtualBox guest with the IP address 172.17.100.7/16. Our goal is to monitor network traffic from all devices connected to the ports of the Cisco Catalyst 3550 switch. In fact, we are monitoring only the Windows 7 machine that is connected to Fa0/3.

Note: Without a valid license, nProbe works in demo mode and is limited to exporting only 25000 flows.

nProbe can work in two modes - poll mode and push mode. In poll mode, ntopng dynamically subscribes to the probe via ZMQ, […]

Part1 – Monitoring Network Traffic with ntopng and nProbe

Ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. It provides an intuitive, encrypted web user interface for the exploration of realtime and historical traffic information. ntopng comes in three versions: Community, Professional (Small Business Edition) and Enterprise. The Community version is free to use and open source. A physical NIC of the server can be monitored by specifying its interface name as

./ntopng -i eth0

However, we will use ntopng in flow collection mode along with nProbe which can act as probe/proxy. The communication between nProbe and ntopng takes place over ZeroMQ, a publish-subscribe protocol that allows ntopng to communicate with nProbe.

The ntopng community version is installed on Ubuntu Server 18.04.1 with the IP address 172.17.100.7/16. Ubuntu is running inside a VirtualBox VM. The IP address of the host (Asus k55vm) is 172.17.100.2/16. The host is connected to the SOHO router that functions as the Internet gateway with the IP address 172.17.100.1/16. The network diagram is shown in Picture 1.

nProbe is installed on Raspberry Pi 3B with the IP address 172.17.100.50/16. Windows 7 […]

Juniper vSRX 15.1X49 on QEMU

Recently, I have been quite busy running into some problems with the deployment of Junos 15.1X49-D15.4 on a Qemu image. So, I want to make your life easier and share my quick installation steps with you.

1. Download vSRX VMware Appliance

Download the file media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova. The good news is that you do not need to enter a licence key after you download the image. The bad news is that you still need a valid contract with Juniper in order to download the file. Luckily, you can find the installation file flying somewhere on the Internet.

2. Extract Archive and OVA files

$ unrar e media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.rar
$ tar xvf media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova

3. Convert StreamOptimized Virtual Machine Disk to Format

Details are explained in my original vSRX article.

$ qemu-img convert -O qcow2 media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.vmdk media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.img

4. Hack Image To Support QEMU

Unfortunately, the vSRX 15.1 image boots to the “Wind River Linux 6.0.0.15” prompt but it would not launch the FreeBSD VM within the nested KVM instance. The workaround along with the detailed explanation of the issue was originally posted here.

$ /usr/local/bin/qemu-system-x86_64 -m 4192M […]

Connecting RasPBX via SIP Trunk

The previous tutorial covered RasPBX installation on a Raspberry Pi 3 board. At the end of the tutorial we tested local calls between chan_sip extensions 1010 and 1020 that are registered to RasPBX. This time we will go further and connect RasPBX with another FreePBX VoIP system via a PJSIP trunk. The FreePBX is running on VirtualBox and it is version 14 with Asterisk 13. As the last step of the tutorial, we will test VoIP calls between RasPBX and FreePBX interconnected by the PJSIP trunk.

As we have mentioned, the complete RasPBX and Zoiper softphone installation and configuration is covered in the previous tutorial (except the SIP trunk). Also, this tutorial does not cover installation of FreePBX on a VirtualBox VM. So far, our inventory contains RasPBX and FreePBX with the following components.

RasPBX - Asterisk on Raspberry Pi board:
- Asterisk 13.22.0
- FreePBX 14.0.3.13
- Zoiper softphone on Ubuntu 18.04, IP 172.17.100.2/16, ext. 1010
- Zoiper softphone on Android 5.1, IP 172.17.100.5/16, ext. 1020

FreePBX - Installed on VirtualBox VM:
- Asterisk 13.19.1
- FreePBX 14.0.3.13

Check Point GAiA as Personal Firewall on Linux – Part2

This is the second part of the tutorial that aims to deploy Check Point Gaia as a personal firewall under Linux. Let's assume that we have created the underlying network infrastructure with the scripts create_taps.sh and bridge_interfaces.sh in Part1. This part goes further and explains Gaia installation on a QEMU virtual machine (VM). We will use the same network topology depicted in Picture 1.1 of Part1. Let's start with point 2.

Picture 1.1 Network Topology

2. Checkpoint Gaia Installation

First, we need to create an empty qcow2 VM disk with the qemu-img utility, as we want to install Gaia into this image.

$ /usr/local/bin/qemu-img create -f qcow2 checkpoint.img 100G

As we downloaded the Gaia ISO image in Part1 of the tutorial, we can start the Checkpoint Gaia VM with the ISO attached to the Qemu cdrom.

$ sudo /usr/local/bin/qemu-system-x86_64 -m 4096M -enable-kvm -smp 2 \
-boot d -cdrom Check_Point_R80.10_T462_Gaia.iso checkpoint.img \
-netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
-device e1000,netdev=net0,mac=00:11:22:33:44:00 \
-netdev tap,id=net1,ifname=tap1,script=no,downscript=no \
-device e1000,netdev=net1,mac=00:11:22:33:44:01 \
-netdev tap,id=net2,ifname=tap2,script=no,downscript=no \
-device e1000,netdev=net2,mac=00:11:22:33:44:02

Below are the configuration options.

Select:
- Install Gaia on this system
- Proceed with the installation
- Keyboard - US
- Partition […]

Ubuntu 18.04 Overheating

Since the upgrade from Ubuntu 16.04 LTS to Ubuntu 18.04, my laptop (ASUS K55VM) has been overheating and going into critical temperature shutdown. The temperature varies between 70 and 85°C while idle and then goes up to 95°C while watching YouTube videos before the shutdown. I have tried cleaning the fans of dust and blacklisting the nouveau driver, but nothing helped. Finally, I succeeded in finding a workaround that works for me. The issue here is the intel_pstate scaling driver, which does not reduce the processor speed when the temperature increases.

The driver is not modular; it is built into the kernel, so we cannot unload it. However, we can disable it at boot by editing the GRUB configuration. First, check whether your system is using the intel_pstate frequency scaling driver. If not, the overheating is not caused by the intel_pstate driver and you need to figure out the cause yourself.

$ cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_driver

intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate
intel_pstate

Solution 1 - Disabling intel_pstate at Boot by Editing the GRUB Configuration

Open /etc/default/grub in an editor and locate the line that begins with:

GRUB_CMDLINE_LINUX_DEFAULT

Add intel_pstate=disable at the end of that string as below.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_pstate=disable"

Now, execute:

Update […]

Check Point GAiA as Personal Firewall on Linux – Part1

Check Point GAiA is the next generation Secure Operating System for all Check Point appliances, open servers and virtualized gateways. In this tutorial we will create a network infrastructure which supports the use of a Gaia Qemu VM as a personal firewall on Ubuntu Linux. We will also go through the entire installation of Gaia on the Qemu VM. This firewall appliance can be used for up to 15 days under the free trial Gaia license (no registration needed).

Hardware: Asus K55VM laptop:
- Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
- RAM - 2 x Kingston DDR3 8192MB
- HDD - ST1000LM024 HN-M101MBB 1000GB

Hardware requirements:
- Gaia QEMU VM: RAM - 4096MB, HDD - 15GB
- Windows 7 QEMU VM: RAM 2048MB, HDD - 15 GB

Software:
Host - Kubuntu Linux 18.04.1 LTS with installed QEMU emulator version 3.0.0 and KVM module
Guest 1 - Checkpoint GAiA R80.10, OS build 462, OS kernel version 2.6.18-92cpx86_64
Guest 2 - Windows 7 Home Premium, x86 with installed Smart Console R80.10 Build 991140073

Credentials - username/password:
- Gaia web portal: admin/check123point
- Gaia expert mode: check123point
- Windows 7: no password […]

VyOS 1.2.0 Epa2 Released

Finally, the VyOS 1.2 epa2 ISO live image has been released to subscribers. VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality.

Free subscriptions are available for contributors, nonprofits, educational and research institutions, and long-time contributors. Everyone who contributed before the release model change gets a perpetual subscription; the amount of contributions doesn't matter. After that, contributing within a given year gives a yearly subscription. If you are not a subscriber you can still download the VyOS rolling release or build the ISO image from the source code.

You can use my Bash and Expect scripts to automate the VyOS 1.2.0 installation to a VMware disk image. The scripts are available in the Script (1.1) section. First, run the script deploy_vyos-1.2.0.sh and, after the ISO image boots, run the second script install_vyos-1.2.0.sh. You can then run the image in a GNS3 project and test open-source routing.