*UPDATE* How to setup site2site OpenVPN connection using Asus RT-AC66U_B1 routers running Asuswrt-Merlin firmware

After a firmware update the site-to-site tunnel stopped working in the reverse direction (from the server-side network to the client-side network). The reason is a new option on the client side, in the Network Settings section, which is disabled by default: the Inbound Firewall parameter. Change its value to “Allow” (see the updated step 4 of the client-side configuration at the end of the site2site article below).


Simple proxy for retrieving encrypted RSS feeds for Outlook

As Outlook (even Outlook 2016) can’t handle RSS feeds served over “https://”, here is a small and simple proxy that reads the encrypted RSS feed and returns it via “http://”. Keep in mind what this trades away: the feed travels unencrypted between Outlook and the proxy, and anyone who can reach the proxy can use it to fetch feeds through your web server, so run it on a host you control and only accept “https://” URLs (the script below does that).

I stored it as an “index.php” file in the root folder of a subdomain on my web server. If you want to use it in another way, edit the action="/" attribute of the form tag.

<?php
  if ( isset ( $_GET["RSSfeed"] ) )
    { // get the feed and display it
    // PHP has already URL-decoded the query string, so a second urldecode()
    // would corrupt feed URLs that themselves contain encoded characters.
    $sURL = $_GET["RSSfeed"];
    // The proxy exists to read "https://" feeds, so accept nothing else;
    // otherwise anyone could use it to fetch arbitrary URLs (file://, hosts
    // on the server's LAN) through this web server.
    if ( strpos ( $sURL, "https://" ) !== 0 )
      {
      http_response_code ( 400 );
      exit ( "Only https:// feed URLs are accepted" );
      }
    $sFile = file_get_contents ( $sURL );
    if ( $sFile === false )
      {
      http_response_code ( 502 );
      exit ( "Could not fetch the feed" );
      }
    // tell Outlook it is receiving XML, not an HTML page
    header ( "Content-Type: application/rss+xml; charset=utf-8" );
    echo $sFile;
    }
  else
    { // display welcome page
?>
<html>
    <head>
        <title>RSS Proxy for Outlook</title>
    </head>
    <body>
        <h1>RSS Proxy for Outlook</h1>
        <p>As Outlook can't handle RSS feeds with "https://", here is a small and simple proxy reading the encrypted RSS feed and returning it via "http://"</p>
        <p>&nbsp;</p>
        <ol>
            <li>Enter the RSS Feed URL and press Enter:
                <form action="/" method="get">
                    <input type="text" name="RSSfeed" size="80">
                </form>
            </li>
            <li>Copy the address from the URL line of your browser</li>
            <li>Enter it while adding the RSS Feed to Outlook</li>
            <li>Enjoy! :)</li>
        </ol>
    </body>
</html>
<?php
    }
?>

How to upgrade VMware ESXi remotely without iLO and installation CD

I have one old HP Microserver N40L at a remote site running ESXi 5.0 and I wanted to upgrade it to the HPE build of version 6.5 (the last version supporting the pre-Gen9 servers).

Unfortunately, the N40L has no iLO by default, I had no “hands and eyes” on site who could install it from an inserted CD, and I was too lazy to travel one hour to the remote location and one hour back…

I had read in the VMware documentation about the possibility to upgrade via a so-called “offline bundle”. The article was not quite correct and all attempts ended with some dependency error.

I then found the right solution on a forum (a missing parameter), so here is a summary of how to install it:

  1. Download the ESXi offline bundle zip file of your choice (in my case “VMware-ESXi-6.5.0-Update2-9298722-HPE-preGen9-650.U2.9.6.8.3-Sep2018-depot.zip”)
  2. Create a directory named Depot in your datastore
  3. Upload the zip file to the created directory
  4. Place the host you want to upgrade into Maintenance Mode
  5. Then on the host you’re about to upgrade, go to the Configuration tab >> Security Profile and enable SSH under Services
  6. Open PuTTY (or any other SSH client) and SSH into your host
  7. Type the following commands, replacing the filename with the name of the zip file you uploaded
    • First, get the list of profile names contained in the package:
      esxcli software sources profile list -d "/vmfs/volumes/DataStore 1/Depot/VMware-ESXi-6.5.0-Update2-9298722-HPE-preGen9-650.U2.9.6.8.3-Sep2018-depot.zip"
    • the output should look like this:
      Name                                           Vendor                      Acceptance Level 
      ---------------------------------------------  --------------------------  ----------------
      HPE-ESXi-6.5.0-Update2-preGen9-650.U2.9.6.8.3  Hewlett Packard Enterprise  PartnerSupported
    • do a dry run to check for possible errors (replace the profile name in the “-p” parameter with the one listed above)
      esxcli software profile install -d "/vmfs/volumes/DataStore 1/Depot/VMware-ESXi-6.5.0-Update2-9298722-HPE-preGen9-650.U2.9.6.8.3-Sep2018-depot.zip" -p HPE-ESXi-6.5.0-Update2-preGen9-650.U2.9.6.8.3 --ok-to-remove --dry-run
    • if all is OK, run the same command without the “--dry-run” parameter
  8. It can happen that you get the following error: “[Errno 32] Broken pipe”. In that case run the following command and try again
    mv /store /store.old
  9. Reboot the host with the “reboot” command
  10. Connect to the host and take it out of Maintenance Mode
    (please note: ESXi 6.5 is no longer accessible via the VMware vSphere Client application, only via a web browser)
  11. Enjoy 🙂
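The following script is an added example and not part of the original post: it wraps steps 7 and 8 of the procedure above so that the profile name is read from the depot listing instead of being copied by hand, runs the dry run first, and only then the real install with the “Broken pipe” workaround. The depot path and the sample listing are the ones from the article; the function names and the RUN_UPGRADE switch are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Runs in the ESXi busybox shell;
# the helpers can be exercised on any POSIX sh without touching esxcli.

DEPOT="/vmfs/volumes/DataStore 1/Depot/VMware-ESXi-6.5.0-Update2-9298722-HPE-preGen9-650.U2.9.6.8.3-Sep2018-depot.zip"

# Constructed sample: the listing the article shows for
# `esxcli software sources profile list -d "$DEPOT"`.
SAMPLE_LISTING='Name                                           Vendor                      Acceptance Level
---------------------------------------------  --------------------------  ----------------
HPE-ESXi-6.5.0-Update2-preGen9-650.U2.9.6.8.3  Hewlett Packard Enterprise  PartnerSupported'

# Pull the profile name (first column) out of a listing read on stdin:
# skip the header and the dashed separator, take the first non-empty row.
profile_from_listing() {
    awk 'NR > 2 && NF > 0 { print $1; exit }'
}

# Assemble the install command for a depot and profile. With "dry" as the
# third argument the --dry-run flag from step 7 is appended.
install_cmd() {
    depot="$1"; profile="$2"; mode="${3:-real}"
    cmd="esxcli software profile install -d \"$depot\" -p $profile --ok-to-remove"
    if [ "$mode" = "dry" ]; then
        cmd="$cmd --dry-run"
    fi
    printf '%s\n' "$cmd"
}

# Full run: list, dry run, real install. Only executed on the host itself
# when RUN_UPGRADE=1 is set, so the script can be read elsewhere safely.
upgrade_host() {
    profile=$(esxcli software sources profile list -d "$DEPOT" | profile_from_listing)
    if [ -z "$profile" ]; then
        echo "no profile found in depot" >&2
        return 1
    fi
    echo "profile: $profile"
    if ! sh -c "$(install_cmd "$DEPOT" "$profile" dry)"; then
        echo "dry run failed, not installing" >&2
        return 1
    fi
    # Step 8: on "[Errno 32] Broken pipe" move /store aside and retry once.
    if ! sh -c "$(install_cmd "$DEPOT" "$profile")"; then
        mv /store /store.old
        sh -c "$(install_cmd "$DEPOT" "$profile")"
    fi
}

if [ "${RUN_UPGRADE:-0}" = "1" ]; then
    upgrade_host
fi
```

Run it on the host as `RUN_UPGRADE=1 sh upgrade.sh` after the zip file is in the Depot directory; without the variable it only defines the helpers, which is what lets you check the parsing against the sample listing before you touch a production host.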


How to setup site2site OpenVPN connection using Asus RT-AC66U_B1 routers running Asuswrt-Merlin firmware

OpenVPN is an open-source, multi-platform VPN solution that allows a variety of configurations. The standard use case is the client2network setup, allowing a remote client to “dial in” to a network. Another scenario is the site2site configuration, allowing seamless communication between every network device across both sites.

Description of my environment

I have two Asus RT-AC66U_B1 running Asuswrt-Merlin firmware version 384.9 with following network configuration:

  • Client side:
    • Router IP: 192.168.33.1
    • Netmask: 255.255.255.0
  • Server side:
    • Router IP: 192.168.22.1
    • Netmask: 255.255.255.0

Prerequisites

  • DDNS has to be active on the server side (I use the standard *.asuscomm.com DDNS service)
  • DDNS on client side is optional, but I recommend it for remote access via Asus AiCloud app
  • JFFS filesystem enabled and formatted

Setup site2site

The setup consists of two steps:

  • Setup standard client2network connection
  • Modify the connection to site2site setup

Setup standard client2network connection

Configure server side router

  1. Log on to the server side router (192.168.22.1)
  2. Select VPN from the left-hand menu and click on VPN Server tab and click on OpenVPN switch

    You can set up two VPN server configurations. We will now set up the Server 1 configuration
  3. Flip Enable OpenVPN Server switch to ON position (will change to green)
    You are now in General settings section.
  4. Tick the LAN only radio button
  5. Add some user/password in the table below by entering username and password into text fields and click on the plus button
  6. Then hit Apply, this will take some time
  7. Select Advanced Settings option in VPN Details dropdown box
  8. Set the following parameters to:
    • Interface Type: TUN (routed networks)
    • Protocol: TCP (do not try UDP, it will not work afterwards with the site2site modifications!)
    • Username/Password Authentication: Yes (for now, we will use simple authentication, reconfiguration for use of certificate logins will be discussed in another article)
    • VPN Subnet/Netmask: is irrelevant, leave the default one
    • Advertise DNS to clients: No
    • Compression: Disable (enabling it certainly has an impact on router utilization and transfer speed – not tested yet)
  9. At Manage Client-Specific Options select Yes – you will get additional input fields
  10. Select Yes at the Allow Client <-> Client option
  11. In the Custom Configuration enter following recommended parameter
    reneg-sec 432000
  12. Hit the Apply button – will take some time.
    If everything is fine (no fatalities), you should get the General VPN Details page and the Enable OpenVPN Server should be in ON position and green.
  13. Now, you have some new buttons available, hit the first Export button (Export OpenVPN configuration file) – one file named “client1.ovpn” will be downloaded
  14. Open the file as text file and check the first lines: for tun, tcp-client options and the correct DDNS name of the server-side router
    client
    dev tun
    proto tcp-client
    remote myprimarysite.asuscomm.com 1194

Configure client side router

  1. Log on to the client-side router (192.168.33.1)
  2. Select VPN from the left-hand menu and click on VPN Client tab and click on OpenVPN switch
  3. Click on Choose File button on Import .ovpn file option, select the previously downloaded “client1.ovpn” file and hit Upload.
  4. Set Automatic start at boot time to Yes
  5. Check the lines Interface Type, Protocol and Server Address for correct values
  6. Ensure the Username/Password Authentication is Yes
  7. Enter the username and password set on the server-side router
  8. Scroll down to Advanced Settings

  9. Check that Verify Server certificate is set to No
  10. The directives in Custom Configuration are imported from “client1.ovpn” file – don’t touch them
  11. Hit Apply button – takes again some time
  12. Flip the Service state switch to ON. If everything is fine (no fatalities), the Service state switch should be green with a yellow Connected message.

    At this moment any network device on the client side should be able to ping/connect to any network device on the server-side network.
    The basic setup for client2network or “dial-in” use is finished; let’s go one step beyond and configure the “return direction”

Modify the connection to site2site setup

Configure server side router

  1. Log on to the server-side router (192.168.22.1)
  2. Select Administration from the left-hand menu and click on System tab
  3. Enable the SSH access as shown:
  4. Check the JFFS2 section
  5. If the config is like shown, no action is needed, otherwise set both parameters to Yes and reboot the server
  6. Use some SSH client (like PuTTY – can be downloaded here: https://www.chiark.greenend.org.uk/~sgtatham/putty/) and log in to the router
  7. Run following commands to create directory for OpenVPN client specific configuration
    (please note: the “ccd1” folder is for Server1 and if you want to use Server2, you need directory “ccd2”)

    root@RT-AC66U_B1-5668:/temp/home/root# cd /jffs/configs
    root@RT-AC66U_B1-5668:/jffs/configs#
    root@RT-AC66U_B1-5668:/jffs/configs# mkdir openvpn
    root@RT-AC66U_B1-5668:/jffs/configs# cd openvpn
    root@RT-AC66U_B1-5668:/jffs/configs/openvpn# mkdir ccd1
    root@RT-AC66U_B1-5668:/jffs/configs/openvpn# cd ccd1
    root@RT-AC66U_B1-5668:/jffs/configs/openvpn/ccd1#
  8. Using vi create file called as the entered username, in this case “Remote1”
    root@RT-AC66U_B1-5668:/jffs/configs/openvpn/ccd1# vi Remote1
  9. And enter following line, which tells the server-side router that some network exists:
    iroute 192.168.33.0 255.255.255.0
  10. Save the file (enter the “:wq” command)
  11. Close PuTTY and log in to the router’s web interface
  12. Select VPN from the left-hand menu and click on the VPN Server tab
  13. Go to Advanced Settings
  14. Change the content of Custom Configuration to the following:
    reneg-sec 432000
    username-as-common-name
    push "route 192.168.22.0 255.255.255.0"
    client-config-dir /jffs/configs/openvpn/ccd1/
    route 192.168.33.0 255.255.255.0
  15. Hit the Apply button – will take some time
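The script below is an added example, not part of the original how-to. It generates the two server-side pieces of the site2site change (the per-user ccd file with the iroute line, and the Custom Configuration block) from the two LAN subnets used in this article, and it checks an exported client1.ovpn for the lines that step 14 of the client2network part tells you to verify (dev tun, proto tcp-client, the remote line with the server’s DDNS name). Subnets, the “Remote1” user name and the /jffs paths are the article’s; the function names and the sample .ovpn lines are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original how-to). Runs on any POSIX sh,
# including the busybox shell of an Asuswrt-Merlin router.

SERVER_LAN="192.168.22.0"     # LAN behind the server-side router
CLIENT_LAN="192.168.33.0"     # LAN behind the client-side router
LAN_MASK="255.255.255.0"
VPN_USER="Remote1"            # user created on the server; with
                              # username-as-common-name it names the ccd file
CCD_DIR="/jffs/configs/openvpn/ccd1"

# Content of $CCD_DIR/$VPN_USER: iroute tells the OpenVPN server that the
# client logging in as Remote1 is the gateway for the 192.168.33.0/24 network.
ccd_file_contents() {
    printf 'iroute %s %s\n' "$CLIENT_LAN" "$LAN_MASK"
}

# Custom Configuration for the server. `route` adds the kernel route on the
# server-side router; `iroute` in the ccd file adds the OpenVPN-internal one.
# Both are needed: one without the other leaves the return direction broken.
server_custom_config() {
    cat <<EOF
reneg-sec 432000
username-as-common-name
push "route $SERVER_LAN $LAN_MASK"
client-config-dir $CCD_DIR/
route $CLIENT_LAN $LAN_MASK
EOF
}

# Read an exported client .ovpn on stdin and check the lines step 14 mentions:
# tun interface, tcp-client protocol, and a remote line for the given DDNS name.
# Prints every missing directive and returns 1 if any is missing.
check_client_ovpn() {
    ddns=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    conf=$(cat)
    rc=0
    for want in '^client$' '^dev tun$' '^proto tcp-client$' "^remote $ddns [0-9]+\$"; do
        if ! printf '%s\n' "$conf" | grep -Eq "$want"; then
            echo "missing: $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the first lines of client1.ovpn as shown in the article.
SAMPLE_OVPN='client
dev tun
proto tcp-client
remote myprimarysite.asuscomm.com 1194'

if [ "${1:-}" = "show" ]; then
    echo "# $CCD_DIR/$VPN_USER"
    ccd_file_contents
    echo "# Custom Configuration"
    server_custom_config
    if printf '%s\n' "$SAMPLE_OVPN" | check_client_ovpn myprimarysite.asuscomm.com; then
        echo "client1.ovpn OK"
    fi
fi
```

Run `sh site2site.sh show` to print both files; to apply them on the router, redirect `ccd_file_contents` into /jffs/configs/openvpn/ccd1/Remote1 and paste the Custom Configuration output into the web interface. Feed the real exported client1.ovpn to `check_client_ovpn` with your own DDNS name to catch a UDP export before you import it on the client side.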

Configure client side router

  1. Log on to the client-side router (192.168.33.1)
  2. Select VPN from the left-hand menu and click on VPN Client tab
  3. In section Network Settings set the parameter Create NAT on tunnel to No
  4. *UPDATE* set the new parameter Inbound Firewall to Allow
  5. Hit the Apply button – will take some time

Final words

After reconnecting the tunnel, communication should be possible in both directions.

Disclaimer

This how-to is based on the following article: https://openvpn.net/community-resources/how-to/#scope and was adapted by me for my two Asus routers running Asuswrt-Merlin firmware.

(c)2019 by zolo
