How To Configure WireGuard on Linux

Introduction

WireGuard is a fast, modern, open-source VPN developed by Jason A. Donenfeld that uses state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec. In this article we are going to run WireGuard on Ubuntu, installed with APT, and also on Docker.

WireGuard Advantages

  • Cross platform
  • State-of-the-art cryptography
  • Simple and easy to use
  • High speed
  • Minimal attack surface

 

How many Lines of Code?

    Implementation   Lines of code
    IPsec            40,000
    OpenVPN          600,000
    WireGuard        4,000

How Does WireGuard Work?

WireGuard process:

WireGuard uses a key pair (a private and a public key) for each client. The client's public key is listed in the server configuration, and anyone holding the matching private key can connect. If a preshared key has been configured, it must be specified on both the server and the client as well.

1- Install WireGuard

    apt -y install wireguard-tools

2- Generate Private Key for Server

    # run "umask 077" first so the key files are created readable only by root
    wg genkey | tee /etc/wireguard/server.key

3- Generate Public Key for Server

    cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub

4- Generate Private Key for Client

    wg genkey | tee /etc/wireguard/client.key

5- Generate Public Key for Client

    cat /etc/wireguard/client.key | wg pubkey | tee /etc/wireguard/client.pub

6- Generate Preshared Key (a value that must be the same on server and client)

    wg genpsk > /etc/wireguard/preshared-client1

7- Enable IP Forwarding

    vim /etc/sysctl.conf
    # line 28: uncomment to enable IP forwarding
    net.ipv4.ip_forward=1

    sysctl -p

8- Put it all together

In this step we put all the configuration in the /etc/wireguard/wg0.conf file. Before configuring it we need to know the terms below:

Address: IP address of the tunnel interface

PostUp: commands that run when the tunnel comes up

PostDown: commands that run when the tunnel goes down

PublicKey: public key of the client

PresharedKey: a value that must be the same on server and client

AllowedIPs: the tunnel IP addresses this client is allowed to use; on the server, traffic to these addresses is routed to the client, and packets from the client are accepted only if their source address is within them

wg0.conf would look like this:

    [Interface]
    # server private key, the contents of /etc/wireguard/server.key
    # (a real key is 44 base64 characters)
    PrivateKey = aNRbw0DxW4BiWDHjnEcOVXHyRODGDF
    Address = 10.8.0.1/24
    ListenPort = 51820
    # eth0 is the server's Internet-facing interface
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    # Client: farshad (03427e95-40c6-4611-8f94-f85271b04185)
    [Peer]
    # contents of /etc/wireguard/client.pub
    PublicKey = KcI1nuEokkvRRsqymWPZlhYp9Q9/19hLMTcGSQspkVs=
    # contents of /etc/wireguard/preshared-client1
    PresharedKey = VEruDxXfm2/1PTpE7Syf4kzT0ad4gcpj6VZrsUYpxvA=
    AllowedIPs = 10.8.0.2/32

On the client we need to download WireGuard, put all of the client's keys in a single file, and import it into the WireGuard client.

1- Download the WireGuard client for Windows

    https://download.wireguard.com/windows-client/wireguard-installer.exe

2- Import the config into WireGuard

Be careful about these terms:

Address: IP address of the tunnel interface

Endpoint: IP address of the WireGuard server

PrivateKey: the client's private key

PresharedKey: a value that must be the same on server and client

    [Interface]
    # private key for the client, generated on the WireGuard server (client.key)
    PrivateKey = 2IcE8jDSDpHGOFBk5vEkmJ5yP7T9YHU+vr0mya+h5Ho=
    # IP address of the VPN interface; must match the address listed for this peer in the server's AllowedIPs
    Address = 172.16.100.5/32
    [Peer]
    # public key of the server (server.pub)
    PublicKey = AIUd+0cxJVkbq4M+4cVUJhHu1Nxszlz3ccidVTbCh1k=
    # same preshared key as in the server's [Peer] section
    PresharedKey = VEruDxXfm2/1PTpE7Syf4kzT0ad4gcpj6VZrsUYpxvA=
    # 0.0.0.0/0 routes all IPv4 traffic through the tunnel
    AllowedIPs = 0.0.0.0/0
    # server's public IP address:port
    Endpoint = 172.29.10.100:51820
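As an added example, not code from the original article, the script below does steps 2 to 8 and the client file in one place: it checks that every key has the shape WireGuard expects (32 bytes in base64, i.e. 43 characters plus "="), then renders the server's wg0.conf and the client's configuration from the checked values. The function names, the temporary directory used by the demo, and the choice of eth0 as the outside interface are this example's assumptions; only make_keys and demo need the wg tool.

```shell
#!/bin/sh
# Added example, not code from the original article: validate the keys from steps 2-6
# and render the server (wg0.conf) and client configuration files from them.
# Function names are this example's own; "wg" is only needed by make_keys/demo.

# A WireGuard key is 32 random bytes in base64: 43 characters followed by one '='.
wg_key_valid() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Private/public key pair plus a preshared key for one peer; umask 077 keeps the
# files readable only by their owner (the same commands as steps 2-6, in a subshell).
make_keys() {  # <dir> <name>
    ( umask 077
      wg genkey > "$1/$2.key" &&
      wg pubkey < "$1/$2.key" > "$1/$2.pub" &&
      wg genpsk > "$1/preshared-$2" )
}

# Server side: [Interface] plus one [Peer] per client. AllowedIPs is the single
# tunnel address the client may use; traffic for it is routed to that peer.
render_server_conf() {  # <server_priv> <tunnel_cidr> <port> <wan_if> <client_pub> <psk> <client_ip>
    wg_key_valid "$1" || { echo "bad server private key" >&2; return 1; }
    wg_key_valid "$5" || { echo "bad client public key" >&2; return 1; }
    wg_key_valid "$6" || { echo "bad preshared key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2
ListenPort = $3
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $4 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $4 -j MASQUERADE

[Peer]
PublicKey = $5
PresharedKey = $6
AllowedIPs = $7/32
EOF
}

# Client side: AllowedIPs decides what is routed into the tunnel
# (0.0.0.0/0 = all IPv4 traffic, a narrower prefix = split tunnel).
render_client_conf() {  # <client_priv> <client_ip> <server_pub> <psk> <endpoint> <allowed>
    wg_key_valid "$1" || { echo "bad client private key" >&2; return 1; }
    wg_key_valid "$3" || { echo "bad server public key" >&2; return 1; }
    wg_key_valid "$4" || { echo "bad preshared key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32

[Peer]
PublicKey = $3
PresharedKey = $4
AllowedIPs = $6
Endpoint = $5
EOF
}

# Full run with freshly generated keys in a temporary directory (needs wg).
demo() {
    d=$(mktemp -d) || return 1
    make_keys "$d" server && make_keys "$d" client || { rm -rf "$d"; return 1; }
    render_server_conf "$(cat "$d/server.key")" 10.8.0.1/24 51820 eth0 \
        "$(cat "$d/client.pub")" "$(cat "$d/preshared-client")" 10.8.0.2
    echo '--- client ---'
    render_client_conf "$(cat "$d/client.key")" 10.8.0.2 "$(cat "$d/server.pub")" \
        "$(cat "$d/preshared-client")" 172.29.10.100:51820 0.0.0.0/0
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh wg-render.sh demo` on the server to see both files rendered from a fresh key set. The length check is worth keeping: a key pasted with a missing character fails silently at runtime as a handshake that never completes, whereas the renderer refuses it up front.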

How to install passbolt (password manager) on Docker

Introduction

Passbolt is an open-source password manager designed for collaboration. You can securely generate, store, manage and monitor your team's credentials, and get access to all of your logins and passwords from multiple browsers or even your mobile phone.
You need to keep passbolt running during the following steps.

Configuration

    git clone https://github.com/farshadnick/passbolt-dockercompose.git /opt/passbolt-docker
    cd /opt/passbolt-docker
    docker-compose up -d

Testing Your Email Configuration

    docker-compose exec passbolt su -m -c "bin/cake passbolt send_test_email" -s /bin/sh www-data

Making an admin user:

    docker-compose exec passbolt su -m -c "bin/cake passbolt register_user -u john.doe@mydomain.com -f John -l Doe -r admin" -s /bin/sh www-data

Making an ordinary user (role "user" instead of "admin"):

    docker-compose exec passbolt su -m -c "bin/cake passbolt register_user -u user@mydomain.com -f First -l Last -r user" -s /bin/sh www-data

The command prints a registration link; copy it into a browser to finish setting up the account.

Start Bitwarden

    ./bitwarden.sh start


How to install FreeIPA on Ubuntu with Docker

Introduction

What is Freeipa?

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.

FreeIPA is an integrated identity and authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

FreeIPA is built on top of well-known open-source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

Requirements:

  • Docker and Docker Compose
  • Chrony
  • freeipa-client

Configuration

Freeipa Server: 192.168.100.54

Domain : example.local

Server Hostname : freeipa.example.local

Client IP : 192.168.100.53

You can install FreeIPA on Docker with the docker-compose.yml I provide below; you just need to save it and run:

    docker-compose up -d

    ---
    version: '3.7'
    services:
      freeipa:
        image: freeipa/freeipa-server:centos-8
        restart: unless-stopped
        # hostname, domain and realm follow the Configuration section above
        hostname: freeipa.example.local
        environment:
          IPA_SERVER_HOSTNAME: freeipa.example.local
          TZ: "Asia/Tehran"
        tty: true
        stdin_open: true
        cap_add:
          - NET_ADMIN
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /sys/fs/cgroup:/sys/fs/cgroup:ro
          - freeipavol:/data
        sysctls:
          - net.ipv6.conf.all.disable_ipv6=0
          - net.ipv6.conf.lo.disable_ipv6=0
        security_opt:
          - "seccomp:unconfined"
        command:
          - -U
          - --domain=example.local
          # Kerberos realm names are written in upper case
          - --realm=EXAMPLE.LOCAL
          # replace YOURPASSWORD with strong, distinct passwords before starting
          - --http-pin=YOURPASSWORD
          - --dirsrv-pin=YOURPASSWORD
          - --ds-password=YOURPASSWORD
          - --admin-password=YOURPASSWORD
          - --no-host-dns
          - --unattended
        ports:
          - "80:80"
          - "443:443"
          - "389:389"
          - "636:636"
          - "88:88"
          - "464:464"
          - "88:88/udp"
          - "464:464/udp"
          - "123:123/udp"
          - "7389:7389"
          - "9443:9443"
          - "9444:9444"
          - "9445:9445"

    volumes:
      freeipavol:

Login

Access the FreeIPA web UI at this address:

    https://freeipa.example.local/ipa/ui/

Install the FreeIPA client and join it to your FreeIPA server

    apt-get install freeipa-client chrony -y
    hostnamectl set-hostname node-02.example.local

    ipa-client-install --hostname=$(hostname -f) \
    --mkhomedir \
    --server=freeipa.example.local \
    --domain example.local \
    --realm EXAMPLE.LOCAL

The output should look something like this:

    This program will set up FreeIPA client.
    Version 4.8.6

    WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd

    Autodiscovery of servers for failover cannot work with this configuration.
    If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
    Proceed with fixed values and no DNS discovery? [no]: "yes"
    Do you want to configure chrony with NTP server or pool address? [no]: "no"
    Client hostname: "node-02.example.local"
    Realm: "EXAMPLE.LOCAL"
    DNS Domain: "example.local"
    IPA Server: "freeipa.example.local"
    BaseDN: dc=mabnadp,dc=local

    Continue to configure the system with these values? [no]: yes
    Synchronizing time
    No SRV records of NTP servers found and no NTP server or pool address was provided.
    Using default chrony configuration.
    Attempting to sync time with chronyc.
    Time synchronization was successful.
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.LOCAL:
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=MABNADP.LOCAL
        Issuer:      CN=Certificate Authority,O=MABNADP.LOCAL
        Valid From:  2021-11-22 11:33:00
        Valid Until: 2041-11-22 11:33:00

    Enrolled in IPA realm MABNADP.LOCAL
    Created /etc/ipa/default.conf
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm MABNADP.LOCAL
    Systemwide CA database updated.
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Could not update DNS SSHFP records.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Configuring mabnadp.local as NIS domain.
    Client configuration complete.

Conclusion

Finally, verify the enrollment by obtaining a Kerberos ticket for admin and listing it:

    kinit admin
    klist

Installing COW proxy on Docker (Ubuntu 20.04)

What is COW Proxy?

COW (Climb Over the Wall) proxy on Docker

COW Proxy is a web proxy backed by tunnel technology. Like a VPN, it hides your IP address and encrypts your traffic, but it is a lot easier to use.

Requirement

Configuration

1- Make a Dockerfile and add these lines:

    FROM alpine
    RUN apk update && apk add curl && apk add bash
    # install COW proxy with the project's installer script
    RUN curl -s -L git.io/cow | bash

    EXPOSE 7777/tcp

    ENTRYPOINT ["/cow"]

2- Make a docker-compose.yml and paste the following:

    version: "3"
    services:
      cowproxy:
        build: .
        image: cow-proxy:1
        ports:
          - "8585:7777"
        volumes:
          - "./config-file:/root/.cow/rc"
        restart: always

3- Make a config file (./config-file, mounted above) that includes your proxy user and password:

    listen = http://0.0.0.0:7777

    logFile = /dev/stderr

    userPasswd = user:pass

Client Side Config

Proxy settings for your Linux machine

To set up the proxy for your current user you only need to set these environment variables (you can also export them in the terminal, but that way is not permanent):

    vim ~/.bash_profile

    # use the port published on the proxy host (8585 in the docker-compose.yml above)
    export http_proxy="http://user:pass@proxyhost.com:8585"
    export https_proxy="http://user:pass@proxyhost.com:8585"
    export no_proxy="localhost,127.0.0.1,.my.lan"

You can test that the proxy works by running curl with --proxy; you need to receive a 200 response code:

    for ((i=1;i<=10;i++)); do curl -I https://cloud.google.com/ --proxy http://user:password@YOUR_PROXY_IP:8585 -vv; done

You can clone the whole project from my GitHub repository.
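Two details of the client setup above break silently when done by hand: a password containing "@" or ":" makes the proxy URL unparseable unless it is percent-encoded, and a no_proxy list written with spaces is read by curl and most libraries as one bogus entry. As an added example (not part of the original article), the script below builds the three export lines from the COW credentials with both handled, and replaces the ten-request curl loop with a check that returns only the status code. proxyhost.com, the user/password and the function names are this example's placeholders; the port is the one published in the docker-compose.yml above.

```shell
#!/bin/sh
# Added example, not from the original article: build the proxy variables for the COW
# setup above without the two usual mistakes (unencoded '@' or ':' in the password,
# spaces in no_proxy). Function names are this example's own; proxyhost.com and the
# user/password are placeholders.

# Percent-encode everything outside the URL "unreserved" set (RFC 3986).
urlencode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # peel off the first character
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# http://user:pass@host:port with user and password encoded. The same URL serves
# http_proxy and https_proxy because the proxy itself is reached over plain HTTP.
proxy_url() {  # <user> <password> <host> <port>
    printf 'http://%s:%s@%s:%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# no_proxy must be comma separated with no spaces; a leading dot matches a domain suffix.
no_proxy_list() {
    list=''
    for h in "$@"; do list="${list:+$list,}$h"; done
    printf '%s' "$list"
}

# The export lines for ~/.bash_profile (or eval them in the current shell).
proxy_exports() {  # <user> <password> <host> <port>
    url=$(proxy_url "$@")
    printf 'export http_proxy=%s\n'  "$url"
    printf 'export https_proxy=%s\n' "$url"
    printf 'export no_proxy=%s\n' "$(no_proxy_list localhost 127.0.0.1 .my.lan)"
}

# Only the HTTP status code of one request through the proxy: 200 means the proxy
# accepted the credentials and reached the target, 407 means it rejected them.
proxy_status() {  # <proxy_url> <target_url>
    curl -sS -o /dev/null -w '%{http_code}' --proxy "$1" -I "$2"
}

if [ "${1:-}" = check ]; then
    proxy_exports user 'p@ss:w0rd' proxyhost.com 8585
    proxy_status "$(proxy_url user 'p@ss:w0rd' proxyhost.com 8585)" https://cloud.google.com/
    echo
fi
```

`sh proxy-env.sh check` prints the export lines and then the status code of a single HEAD request through the proxy; anything other than 200 is worth reading together with the container's log, which the config above sends to stderr.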

How To Configure apt-cacher-ng

Introduction

apt-cacher-ng is a life saver for situations in which you do not want to give your Ubuntu servers Internet access just for updating packages.

apt-cacher is a caching proxy for Debian-based distributions that creates a local cache of Debian-based mirrors as well as other Linux distributions. This means that whenever a package is pulled from the official repositories, the APT cache server caches it, so that if any other local machine wants to install the same package, it just pulls it from the local caching server. This helps eliminate the bottleneck of slow Internet connections.

Apt-Cacher NG has been designed from scratch as a replacement for apt-cacher, but with a focus on maximizing throughput with low system resource requirements. It can also be used as a replacement for apt-proxy and approx with no need to modify clients' sources.list files.

In this article we are going to implement Apt-Cacher NG.

Configuration

1- You can easily install apt-cacher-ng by running the following command:

    apt-get install apt-cacher-ng

2- Enable apt-cacher-ng at startup:

    systemctl enable apt-cacher-ng

Alternatively, you can run apt-cacher-ng as a Docker container. First install Docker:

1- Update the apt repository and install apt-transport-https, which lets us add a new repository easily

    sudo apt-get update
    sudo apt-get install \
        apt-transport-https \
        ca-certificates \
        curl \
        gnupg \
        lsb-release

2- Add Docker's official GPG key

    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

3- Add the Docker repository

    echo \
      "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
      $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

4- Install Docker CE

    sudo apt-get update
    sudo apt-get install docker-ce docker-ce-cli containerd.io

5- Install Docker Compose to bring the apt-cacher-ng container up

    # download the docker-compose binary from the Docker Compose release page to
    # /usr/local/bin/docker-compose first, then make it executable:
    sudo chmod +x /usr/local/bin/docker-compose

6- Make a docker-compose.yml and paste the following:

    ---
    version: '3'
    services:
      apt-cacher-ng:
        image: sameersbn/apt-cacher-ng
        container_name: apt-cacher-ng
        ports:
        - "3142:3142"
        volumes:
        - apt-cacher-ng:/var/cache/apt-cacher-ng
        restart: always
    volumes:
      apt-cacher-ng:

7- Bring up your docker-compose stack with:

    docker-compose up -d

8- You can access apt-cacher-ng by opening http://<machine IP>:3142 in a browser (here 192.168.110.200:3142)

8-1 As you can see, we can get to the statistics (how many packages are cached) by clicking "Statistics and report", and to the configuration page

We have two options for configuring a client to get its packages from apt-cacher-ng:

1- Send all APT repository requests to the proxy by creating the file /etc/apt/apt.conf.d/02proxy and putting the following in it:

    Acquire::http { Proxy "http://192.168.110.200:3142"; };
    // 192.168.110.200 is our apt-cacher-ng IP

OR

2- Prepend your apt-cacher URL:PORT to your APT repository lines, like:

    deb http://192.168.110.200:3142/ftp.debian.org/debian stable main contrib non-free
    deb-src http://192.168.110.200:3142/ftp.debian.org/debian stable main contrib non-free
    # an HTTPS origin is written in apt-cacher-ng's HTTPS/// form
    deb http://192.168.110.200:3142/HTTPS///get.docker.com/ubuntu docker main
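Option 2 is easy to get wrong on a machine with several repositories, since each line has to be rewritten by hand and an https:// origin needs the HTTPS/// form. As an added example (not part of the original article), the script below applies the rewrite to a sources.list read from stdin, leaves lines that already point at the cacher untouched (so it can be run twice), and prints the option 1 drop-in for comparison. 192.168.110.200:3142 is the article's cacher; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: apply option 2 automatically by
# rewriting sources.list lines so http:// origins go through the cacher and https://
# origins use apt-cacher-ng's HTTPS/// passthrough form, exactly like the hand-written
# lines above. 192.168.110.200:3142 is the article's cacher; function names are
# this example's own.

CACHER=${CACHER:-192.168.110.200:3142}

# Read sources.list lines on stdin, write rewritten lines on stdout.
# The address "\#http://$c/#!" skips lines already pointing at the cacher, which
# makes the rewrite idempotent; the optional "[arch=... signed-by=...]" group
# keeps lines like docker.list intact.
rewrite_sources() {  # <host:port>
    c=$1
    sed -E \
        -e "\#http://$c/#!s#^(deb(-src)?[[:space:]]+(\[[^]]*[]][[:space:]]+)?)https://#\1http://$c/HTTPS///#" \
        -e "\#http://$c/#!s#^(deb(-src)?[[:space:]]+(\[[^]]*[]][[:space:]]+)?)http://#\1http://$c/#"
}

# Option 1 for comparison: one apt.conf.d drop-in that proxies every http origin,
# which also covers repositories added later.
proxy_dropin() {  # <host:port>
    printf 'Acquire::http { Proxy "http://%s"; };\n' "$1"
}

# Rewrite a file in place, keeping a backup next to it.
rewrite_file() {  # <path> <host:port>
    cp -p "$1" "$1.bak" && rewrite_sources "$2" < "$1.bak" > "$1"
}

if [ "${1:-}" = apply ]; then
    rewrite_file /etc/apt/sources.list "$CACHER" && apt-get update
elif [ "${1:-}" = dropin ]; then
    proxy_dropin "$CACHER" > /etc/apt/apt.conf.d/02proxy && apt-get update
fi
```

`sh cacher-client.sh apply` rewrites /etc/apt/sources.list (backup in sources.list.bak) and refreshes the index; `sh cacher-client.sh dropin` writes the option 1 file instead. Whichever you choose, a first `apt-get update` that succeeds while the server has no direct Internet route is the real test that everything is going through the cache.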

Conclusion

With apt-cacher-ng you can cache packages, speed up package downloads, and keep your servers off the Internet.

How to redirect non-www to www in the Apache and Nginx web servers

Introduction

In some cases you want to redirect all requests that come to your root (non-www) domain to the www host.

Configuration

1- Nginx: add a server block for the bare domain that returns a permanent (301) redirect to the www host, keeping the request path, and put the real configuration in the www server block:

    server {
        listen       80;
        server_name  packops.dev;
        return       301 http://www.packops.dev$request_uri;
    }

    server {
        listen       80;
        server_name  www.packops.dev;
        ...
    }

2- Apache: the same with two virtual hosts; Redirect permanent also appends the request path to the target:

    <VirtualHost *:80>
        ServerName packops.dev
        Redirect permanent / http://www.packops.dev/
    </VirtualHost>

    <VirtualHost *:80>
        ServerName www.packops.dev
        # real server configuration
    </VirtualHost>

Conclusion

With either configuration, a request for the bare domain is answered with a 301 redirect to the same path on the www host.

WHAT IS YAML and how YAML works

Introduction

In this tutorial I will explain all about YAML: we will see what YAML is used for, and we will go through the syntax of how to write a valid YAML file. As you have seen in Docker, Kubernetes, Ansible, Prometheus, etc., the example configuration files are all written in YAML, because it has become a pretty widely used format for writing configurations for many different DevOps tools and applications. That is why, when using these tools, it is important to understand the details of YAML syntax and its main concepts.

Generally speaking, YAML is a serialization language, just like XML and JSON. "Serialization language" basically means that applications written with different technologies, languages, etc., which have different data structures, can transfer data to each other using a common, agreed-on or standard format; the most popular such formats are YAML, JSON and XML. The name YAML actually stands for "YAML Ain't Markup Language", and you can create a YAML file with either of two extensions, .yaml or .yml; they are the same. One of the main reasons why YAML's popularity has increased so much over the past years is that it is super human-readable and intuitive, which makes it a great fit for writing configuration files for all those recent DevOps tools like Docker, Kubernetes, etc. To show you an example, and also a comparison between the YAML, XML and JSON formats, let's consider this example:

JSON, XML and YAML versions of the example (figure)

So this is how a YAML file would look: it is very straightforward and pretty clean. This is the same data in XML format, where you have the so-called tags, and then you have the JSON format. As you see, in XML and JSON the data structures are defined using special characters: in XML you have tags with angle brackets, in JSON you have curly brackets, and in YAML you do not have those special characters. Instead, data structure in YAML is defined through line separation and spaces with indentation. That is why you can indent and space XML and JSON as you wish, but in YAML you get a validation error if one single space is wrong in a data structure, which may be a little bit annoying, but it makes YAML the cleanest, most human-readable format of all three. So what are some of YAML's most common use cases? To count a few, the YAML format is used for Docker Compose files, Prometheus, Kubernetes and many more tools. Okay, so now that you know what YAML is

HTTP Response Codes

Introduction

When a client sends a request to a web server, the web server responds to that request. The response can indicate success, a client error, a server error, and so on; we call this the response code or HTTP status message. It is common to call these "HTML error messages", but they are really HTTP status messages: the server returns a status for every request, and the most common one is 200 OK. Below is a list of HTTP status messages that might be returned.

1XX Information

100 (Continue): The server has received the request headers, and the client should proceed to send the request body
101 (Switching Protocols): The requester has asked the server to switch protocols
103 (Checkpoint): Used in the resumable requests proposal to resume aborted PUT or POST requests

2XX Successful

200 (OK): The request is OK (this is the standard response for successful HTTP requests)
201 (Created): The request has been fulfilled, and a new resource is created
202 (Accepted): The request has been accepted for processing, but the processing has not been completed
203 (Non-Authoritative Information): The request has been successfully processed, but is returning information that may be from another source
204 (No Content): The request has been successfully processed, but is not returning any content
205 (Reset Content): The request has been successfully processed, but is not returning any content, and requires that the requester reset the document view
206 (Partial Content): The server is delivering only part of the resource due to a range header sent by the client

3XX Redirection

300 (Multiple Choices): The request has more than one possible response, and the client or user should choose one of them
301 (Moved Permanently): The requested resource has moved permanently to a new URL, which is given in the Location header
302 (Found): The requested resource temporarily resides at a different URL
303 (See Other): The response to the request can be found at a different URL, which should be retrieved with GET
304 (Not Modified): The resource has not changed since the version the client already holds, so the cached copy can be used
306 (Switch Proxy): No longer used; the code is reserved
307 (Temporary Redirect): The request should be repeated with another URL, but future requests should still use the original URL
308 (Resume Incomplete): Standardized as Permanent Redirect: the request and all future requests should be repeated using another URL, keeping the original method; Google's resumable-upload proposal used the same code as "Resume Incomplete"

4XX Client Error

400 (Bad Request): The request cannot be fulfilled due to bad syntax
401 (Unauthorized): The request was a legal request, but the server is refusing to respond to it. For use when authentication is possible but has failed or not yet been provided
402 (Payment Required): Reserved for future use
403 (Forbidden): The request was a legal request, but the server is refusing to respond to it
404 (Not Found): The requested resource could not be found
405 (Method Not Allowed): A request was made of a page using a request method not supported by that page
406 (Not Acceptable): The server can only generate a response that is not accepted by the client
407 (Proxy Authentication Required): The client must first authenticate itself with the proxy
408 (Request Timeout): The server timed out waiting for the request
409 (Conflict): The request could not be completed because of a conflict in the request
410 (Gone): The requested page is no longer available
411 (Length Required): The "Content-Length" is not defined. The server will not accept the request without it
412 (Precondition Failed): The precondition given in the request evaluated to false by the server
413 (Request Entity Too Large): The server will not accept the request, because the request entity is too large
414 (Request-URI Too Long): The server will not accept the request, because the URL is too long. Occurs when you convert a POST request to a GET request with long query information
415 (Unsupported Media Type): The server will not accept the request, because the media type is not supported
416 (Requested Range Not Satisfiable): The client has asked for a portion of the file, but the server cannot supply that portion
417 (Expectation Failed): The server cannot meet the requirements of the Expect request-header field

5XX Server Error

500 (Internal Server Error): A generic error message, given when no more specific message is suitable
501 (Not Implemented): The server either does not recognize the request method, or it lacks the ability to fulfill the request
502 (Bad Gateway): The server was acting as a gateway or proxy and received an invalid response from the upstream server
503 (Service Unavailable): The server is currently unavailable (overloaded or down)
504 (Gateway Timeout): The server was acting as a gateway or proxy and did not receive a timely response from the upstream server
505 (HTTP Version Not Supported): The server does not support the HTTP protocol version used in the request
511 (Network Authentication Required): The client needs to authenticate to gain network access
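The classes above are what you actually see in a web server's access log, and the distribution per client is a useful first signal: a single client whose answers are mostly 401, 403 and 404 is usually probing for pages or guessing credentials rather than browsing. As an added example (not part of the original page), the snippet below groups the status codes of a common/combined-format log into the five classes and flags clients with a high share of 4xx answers. The log lines are constructed for the demo, and the function names and thresholds are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: group the status codes of a web server
# access log (common/combined format) into the 1xx-5xx classes and flag clients that
# mostly receive 4xx answers, the usual footprint of forced browsing or credential
# guessing. The log lines below are constructed; function names are this example's own.

# Count requests per status class. Output: "<class>xx <count>", sorted by class.
# In common/combined format the status code is the 9th whitespace-separated field.
status_classes() {
    awk '{ c = substr($9, 1, 1); if (c ~ /^[1-5]$/) n[c]++ }
         END { for (c in n) printf "%sxx %d\n", c, n[c] }' | sort
}

# Clients with at least <min> requests whose 4xx share exceeds <pct> percent.
# Output: "<ip> <total> <4xx count> <percent>", one line per flagged client.
noisy_clients() {  # <min_requests> <pct>
    awk -v min="$1" -v pct="$2" '
        { t[$1]++; if ($9 ~ /^4/) e[$1]++ }
        END { for (ip in t) if (t[ip] >= min && 100 * e[ip] / t[ip] > pct)
                  printf "%s %d %d %d\n", ip, t[ip], e[ip], 100 * e[ip] / t[ip] }' | sort
}

# Constructed sample: one normal visitor, one client probing for pages and a login,
# and one backend error. Replace with e.g. /var/log/nginx/access.log in real use.
SAMPLE_LOG='10.0.0.5 - - [22/Nov/2021:11:33:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Nov/2021:11:33:01 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Nov/2021:11:33:02 +0000] "GET /old HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Nov/2021:11:34:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.7 - - [22/Nov/2021:11:34:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.7 - - [22/Nov/2021:11:34:01 +0000] "GET /private/ HTTP/1.1" 403 153 "-" "curl/7.68.0"
198.51.100.7 - - [22/Nov/2021:11:34:01 +0000] "POST /api/login HTTP/1.1" 401 42 "-" "curl/7.68.0"
198.51.100.7 - - [22/Nov/2021:11:34:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/7.68.0"
10.0.0.9 - - [22/Nov/2021:11:35:00 +0000] "GET /api/items HTTP/1.1" 502 0 "-" "python-requests/2.25"'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | status_classes
    echo '--- clients with >50% 4xx over at least 3 requests ---'
    printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3 50
fi
```

`sh status-summary.sh demo` prints the class counts and then the one flagged client; on a real log, pipe the file into the two functions instead and tune the minimum request count so that a visitor who hits a couple of dead links is not reported.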