Category Archives for "Brezular’s Blog"

Virtual eXtensible LANs – VXLANs

The tutorial discusses configuration of VXLANs on Arista vEOS and Openvswitch virtual machines. The VXLANs extend an L2 network by connecting VLANs from multiple hosts through UDP tunnels called VXLAN segments. VXLANs use Internet Protocol (both unicast and multicast) as the transport medium. VXLAN segments are identified by a 24-bit Virtual Network Identifier (VNI). Within […]

Cloning Remote Linux Machines

I would like to share the second version (1.1) of the Bash script backup_images-1.1.sh which you can use for cloning disks of remote Linux machines. The script reads IP addresses of the hosts from a file and copies the disks with the dd command over an SSH connection. The disks are stored on a local machine, compressed […]

Use TheGreenBow VPN Client to Connect with VyOS

Site-to-site Virtual Private Networks (VPNs) connect two or more remote locations. Thanks to them, computers located inside these locations can communicate securely over the public Internet as if they were located on the same private network. This is accomplished by tunnels that interconnect the remote locations. Tunnels add an extra layer of security, encrypting user traffic carried inside tunnels. […]

Cuckoo Installation and Configuration on Debian 10 Buster

The tutorial covers installation and configuration of Cuckoo Malware Sandbox on Debian 10 Buster. Once you successfully complete all steps, your Cuckoo installation will be ready to perform analysis of malware uploaded to the guest VM. The guest is a Windows 7 x64 SP1 VM running on Oracle VirtualBox. The tutorial is based on an excellent YouTube videos […]

How to Configure BurpSuite to use Tor as Proxy

BurpSuite is a manual toolkit for investigating web security. Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application, even when HTTPS is being used. The tutorial discusses configuration of Burp to use a connection over the Tor network. 1. BurpSuite Community Edition We can find BurpSuite Community Edition […]

DPDK and Open vSwitch Installation on Debian 10

DPDK stands for Data Plane Development Kit. The DPDK project consists of libraries to accelerate packet processing workloads running on a wide variety of CPU architectures. Open vSwitch can use the DPDK library to operate entirely in userspace, which increases the performance of Open vSwitch. The tutorial helps you to build and install Open vSwitch using the DPDK datapath on Debian 10 Buster. The second part discusses DPDK and Open vSwitch configuration and compares the performance of the Open vSwitch appliance with DPDK enabled and disabled.

Note: You can download my Debian 10 Buster VMDK image with installed DPDK 18.11.2 and Open vSwitch 2.11.1 for quick testing of Open vSwitch/DPDK functionality. If you do so, you can skip the tutorial and continue with Part 2 - DPDK/Open vSwitch Configuration.

Login/password: debian/debian

Host
Software:
- x86_64 GNU/Linux Debian 10 Buster, 4.19.0-5-amd64
- QEMU emulator version 3.1.0
Hardware:
- RAM Memory 2x Kingston 8192 MB DDRIII
- CPU - Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz, 4 cores

Qemu Guest
Software:
- x86_64 GNU/Linux Debian 10 Buster, 4.19.0-6-amd64
- Open vSwitch - 2.11.1
- DPDK - 18.11.2
Hardware:
- 4 X

Site-to-Site OpenVPN on VyOS

The tutorial discusses configuration of site-to-site VPN on VyOS using preshared-key. Static key configuration offers the simplest setup, and is ideal for point-to-point VPNs or proof-of-concept testing. The advantages of using static key are simple setup and no X509 PKI (Public Key Infrastructure) to maintain. The disadvantages are limited scalability - one client, one server setup and the lack of perfect forward secrecy - key compromise results in a total disclosure of previous sessions. Also, a secret key must exist in plain-text form on each VPN peer and it must be exchanged using a pre-existing secure channel.

Our lab consists of two remote sites (Picture 1). A router running the network OS VyOS is present at each site, connecting the computers PC and PC2 to a particular LAN network. Both VyOS routers are configured for OpenVPN site-to-site mode and the routers also perform NAT (PAT) and firewall services.

Picture 1 - Network Topology

1. VyOS Site1 Configuration

1.1 Hostname, IP addresses, SSH

vyos@vyos:~$ configure
vyos@vyos# set system host-name Site1

vyos@vyos# commit
vyos@vyos# save

vyos@Site1# set interfaces ethernet eth1 address 10.0.0.254/24
vyos@Site1# set interfaces ethernet eth0 address 11.0.2.1/24

vyos@Site1# set service ssh

vyos@Site1# commit

Testing Open vSwitch-DPDK

In a previous tutorial we built DPDK 18.11.2 and Open vSwitch 2.11.1 on a Linux Debian 10.1 VM (buster). We created an L3 Open vSwitch QEMU appliance that we will use to compare the performance of Open vSwitch with DPDK enabled and disabled. The network topology is depicted in Picture 1.

The lab is created as a GNS3 project which consists of a single Debian Open vSwitch appliance. Two Linux Core 6.3 hosts PC1 and PC2 are connected to the switchports Ethernet0 and Ethernet1, respectively. Firstly, we are going to bind both ports to a DPDK-compatible driver and create a bridge with the DPDK ports attached to the bridge. As a last step, we will measure the maximum achievable bandwidth with the iPerf3 tool. The host PC1 will act as an iPerf3 client connecting to the iPerf3 server running on the host PC2.

Note: Open vSwitch 2.11.1 appliance built on Debian 10 buster and DPDK 18.11.2 is available in Download-> Appliance Section. The Linux Core 6.3 image is available there, as well.

Picture 1 - Debian Open vSwitch/DPDK Appliance with Connected Host

1. GNS3 Configuration

Check GNS3 settings for Open

Debian Open vSwitch Appliance with DPDK

Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.  It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols (e.g. NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, 802.1ag).

DPDK is the Data Plane Development Kit that consists of libraries to accelerate packet processing workloads running on a wide variety of CPU architectures.

Note: Open vSwitch images are customized with my after-install script and they are ready for use in GNS3.

Username is debian with the password debian.

Debian Linux 10 (buster) VMDK Appliance with DPDK 18.11.2 and Open vSwitch 2.11.1 [997,2MB]
https://drive.google.com/file/d/1ZuVVP2POUnFjySt0YpFwPeSG5Rtw_6Gj/view?usp=sharing

 

ClearOS Gateway on GNS3

In a previous tutorial we successfully installed ClearOS on a QEMU VM in gateway mode. At the end of the tutorial we installed several apps from the ClearOS marketplace. These apps enhance gateway functionality, however we have not tested them yet. Therefore, this tutorial goes further and we are going to test some services offered by ClearOS apps. In order to do it, we will connect the ClearOS QEMU appliance into a GNS3 topology.

Our ClearOS QEMU instance is configured with two guest network cards (Picture 1). The first guest interface ens3 is assigned the LAN role and it is configured with the IP address 192.168.1.254/24. This is the IP address the web server is listening on, on port 81. The entire ClearOS management will be done via a web browser using the URL https://192.168.1.254:81.

Picture 1 - Network Interfaces Configuration During ClearOS Installation

The second guest interface ens4 is assigned the External role and its IP address is assigned by a DHCP server. The DHCP server is running on the SOHO router with the IP address 172.17.100.1/16 (Picture 2).

Picture 2 - Network Topology

GNS3 itself connects the second guest interface ens4 of ClearOS gateway

ClearOS Installation on QEMU

ClearOS is an operating system based on CentOS for use in small and medium enterprises as a network gateway and network server with a web-based administration interface.

ClearOS in Gateway mode acts as a firewall, gateway and server on a local network. The tutorial provides installation and configuration steps for deployment of ClearOS on a QEMU VM. We will later connect the ClearOS QEMU VM into a GNS3 network topology in order to test features such as application traffic filtering and transparent proxy with user authentication.

Software Used:
Host OS: Kubuntu Linux 18.04.1 LTS with Qemu 3.0.0 installed and kvm-intel module loaded
Guest OS: ClearOS 7.5.0 x86_64

1. Preparing Host Network Infrastructure

As we are going to install the ClearOS guest QEMU VM in gateway mode, your host should have two network adapters available (Picture 1). In our case, the first ClearOS guest network interface ens3 will be defined as LAN type during ClearOS installation. The second guest interface ens4 will be defined as External and used for connection to the SOHO network. We will bridge the interface ens4 with the host interface enp4s0f2 using the iproute utility. But first, we need to create tap interfaces tap0 and

Cisco TRex on Ubuntu Server 18.04

TRex is a stateful and stateless traffic generator that is designed to benchmark platforms using realistic application traffic. It can generate L3-7 traffic and scale up to 20Gbps. TRex implements both the client and the server side. The tutorial provides exact steps that you can follow to install TRex on Ubuntu Server 18.04. Hope you find it useful.

1. Preparing Qemu Ubuntu Server VM for TRex Installation

I assume that you have installed Ubuntu Server 18.0.4 on Qemu disk. Start Qemu Ubuntu Server VM.

$ /usr/local/bin/qemu-system-x86_64 -m 4G -enable-kvm Ubuntu18.04-server-TRex2.vmdk -serial telnet:localhost:2222,server,nowait

Assign IP address from the internal Qemu DHCP server to the guest NIC of Ubuntu Server VM.

$ sudo dhclient

IP address is 10.0.2.15/25 and the default gateway is 10.0.2.2. Now you can connect to the Ubuntu Server issuing telnet from the host.

$ telnet localhost 2222

Copy my script trex-vm.sh from the host to Ubuntu Server Qemu VM. The script installs packages required by TRex. It also redirects VM machine output to serial port and configures old-style Ethernet interfaces naming.

$ scp -rv [email protected]:/home/brezular/trx-vm.sh .

Assign execute privileges to the script and run the

Creating VyOS ISO Image

There are several ways to get a VyOS ISO image. Firstly, you can buy a subscription, which gives you access to LTS VyOS ISO images. The LTS images are also available for VyOS contributors or evangelists with perpetual 1-year access. The third option involves building the ISO image yourself. Building involves cloning the VyOS repository with git, taking care of required dependencies and finally compiling from sources. Either you use Debian as a base and manage dependencies manually, or you compile using the Docker method, in which case Debian is not needed.

Using the Dockerfile you create your own Docker container that is used to build a VyOS ISO image or other required VyOS packages. The Dockerfile contains some of the most used packages needed to build a VyOS ISO, a qemu image, and several of the submodules.

1. Install Docker CE

We are going to install Docker CE on Ubuntu 18.04.2 LTS (bionic).

$ sudo apt-get update
$ sudo apt-get install apt-transport-https ca-certificates curl software-properties-common git
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo apt-key fingerprint 0EBFCD88

$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable"
$ sudo apt-get update
$ sudo apt-get install docker-ce

L2TP/IPSec Remote Access VPN on VyOS

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself. Therefore, it is often combined with IPSec that is used for encapsulation of L2TP packets between the endpoints. Securing L2TP using IPsec is standardized in RFC3193. The tutorial provides a remote access L2TP/IPsec configuration for the VyOS network OS.

So far, I have tested the L2TP/IPSec configuration on VyOS 1.2.0 with an Android phone configured as the L2TP/IPSec client. However, I have not been successful; it ended with the error message below. The same L2TP/IPSec configuration works for the legacy 64-bit Vyatta 6.6, therefore, it is used in our lab instead of VyOS.

xl2tpd[1809]: Maximum retries exceeded for tunnel

We employ Cisco vIOS-L3 in order to simulate a SOHO router. The router is connected to the Wifi router Access_Point (172.17.100.1/26) with an associated wireless client (Android phone IP 172.17.100.5/16). The L2TP/IPSec client is running on the phone. The client is configured to connect to the VPN gateway running on Vyatta (10.0.1.1/24) in order to reach the server LAN subnet (10.0.0.0/24) within L2TP/IPSec VPN tunnel

Part2 – Monitoring Network Traffic with ntopng and nProbe

In Part1 we covered compilation of ntopng on Ubuntu 18.04.1 Server and installation of nProbe on Raspberry Pi 3. We also configured a Cisco Catalyst 3550 switch for traffic mirroring. The source of the traffic is the interface Fa0/3 where the PC is connected and the destination port is Fa0/24 with the connected Raspberry Pi 3B. This tutorial goes further and covers configuration of both ntopng and nProbe. First, let's have a look at the network topology.

Picture 1 - Network Topology

nProbe is running on Raspberry Pi 3B with the IP address 172.17.100.50/16. ntopng is running on Ubuntu 18.04.1 Server as the VirtualBox guest with the IP address 172.17.100.7/16. Our goal is to monitor network traffic from all devices connected to the ports of the Cisco Catalyst 3550 switch. In fact, we are monitoring only the Windows 7 machine that is connected to Fa0/3.

Note: Without a valid license, nProbe works in demo mode and is limited to only 25000 exported flows.

nProbe can work in two modes - poll mode and push mode. In poll mode, ntopng dynamically subscribes to the probe via ZMQ,

Part1 – Monitoring Network Traffic with ntopng and nProbe

Ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. It provides an intuitive, encrypted web user interface for the exploration of realtime and historical traffic information. ntopng comes in three versions, Community, Professional (Small Business Edition) and Enterprise. The Community version is free to use and open source. A physical NIC of the server can be monitored by specifying its interface name as

./ntopng -i eth0

However, we will use ntopng in flow collection mode along with nProbe which can act as probe/proxy. The communication between nProbe and ntopng takes place over ZeroMQ, a publish-subscribe protocol that allows ntopng to communicate with nProbe.

The ntopng Community version is installed on Ubuntu Server 18.04.1 with IP address 172.17.100.7/16. Ubuntu is running inside a VirtualBox VM. The IP address of the host (Asus k55vm) is 172.17.100.2/16. The host is connected to the SOHO router that functions as the gateway to the Internet, with the IP address 172.17.100.1/16. The network diagram is shown in Picture 1.

nProbe is installed on Raspberry Pi 3B with the IP address 172.17.100.50/16. Windows 7

Juniper vSRX 15.1X49 on QEMU

Recently, I have been quite busy running into some problems with deployment of Junos 15.1X49-D15.4 on a Qemu image. So, I want to make your life easier and share my quick installation steps with you.

1. Download vSRX VMware Appliance

Download the file media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova. The good news is that you do not need to enter a licence key after you download the image. The bad news is that you still need a valid contract with Juniper in order to download the file. Luckily, you can find the installation file flying somewhere on the Internet.

2. Extract Archive and OVA files

$ unrar e media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.rar
$ tar xvf media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4.ide.ova

3. Convert StreamOptimized Virtual Machine Disk to Format 

Details are explained in my original vSRX article.

$ qemu-img convert -O qcow2 media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.vmdk media-srx-ffp-vsrx-vmdisk-15.1X49-D15.4-disk1.img 

4. Hack Image To Support QEMU

Unfortunately, the vSRX 15.1 image boots to the “Wind River Linux 6.0.0.15” prompt but it would not launch the FreeBSD VM within the nested KVM instance. The workaround along with the detailed explanation of the issue is originally posted here.

$ /usr/local/bin/qemu-system-x86_64 -m 4192M

Connecting RasPBX via SIP Trunk

The previous tutorial covered RasPBX installation on a Raspberry Pi 3 board. At the end of the tutorial we tested local calls between chan_sip extensions 1010 and 1020 that are registered to RasPBX. This time we will go further and connect RasPBX with another FreePBX VOIP system via a PJSIP trunk. The FreePBX is running on VirtualBox and it is in version 14 with Asterisk 13. As the last step of the tutorial, we will test VOIP calls between RasPBX and FreePBX that are interconnected by the PJSIP trunk.

As we have mentioned, a complete RasPBX and Zoiper softphones installation and configuration is covered in a previous tutorial (except the SIP trunk). Also, the tutorial does not cover installation of FreePBX on a VirtualBox VM. So far, our inventory contains RasPBX and FreePBX with the following components.

RasPBX - Asterisk on Raspberry PI board:
- Asterisk 13.22.0
- FreePBX 14.0.3.13
- Zoiper softphone on Ubuntu 18.0.4, IP 172.17.100.2/16, ext. 1010
- Zoiper softphone on Android 5.1, IP 172.17.100.5/16, ext. 1020

FreePBX - Installed on VirtualBox VM
- Asterisk 13.19.1
- FreePBX 14.0.3.13