
In some cases you would like a computer to keep one IP address no matter how it is connected, over Ethernet or WiFi.

My reason was BackupPC: it uses host names to distinguish hosts. Unfortunately the web interface of my router only allows a 1-to-1 association between MAC, IP and host name (using the /etc/ethers and /etc/hosts files), so I had two entries:

Hostname      MAC                IP
mylaptop      00:00:00:23:B2:25  192.168.1.10
mylaptop-lan  00:00:00:80:B2:0A  192.168.1.11

To work around this restriction I had to configure it manually.

First of all I had to remove both MACs from the web interface so they do not interfere with my own configuration (you can check that the IP is gone from the /etc/ethers and /etc/hosts files).

I decided to keep my changes in a separate file, so I created an empty /etc/dnsmasq-jaqb.conf and added at the end of /etc/dnsmasq.conf:

conf-file=/etc/dnsmasq-jaqb.conf

(to be honest, I already had this file from my previous changes ;-)

Then I added the name-to-IP association to /etc/dnsmasq-jaqb.conf:

# any client presenting the host name "mylaptop" gets 192.168.1.10 with a 24h lease
dhcp-host=mylaptop,192.168.1.10,24h
# alias, so that mylaptop-lan still resolves (now to the same address)
cname=mylaptop-lan,mylaptop

Now, after restarting dnsmasq of course, my computer always gets the same IP.

The last line is not necessary; it is there to help some of my scripts, which assume there is a host named mylaptop-lan.
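One thing to keep in mind with the entry above: a dhcp-host line keyed only on a host name matches the name the DHCP client sends, so any client that claims to be "mylaptop" receives that address. dnsmasq also accepts several hardware addresses in one dhcp-host entry (it moves the lease between them when the other interface comes up), which pins the address to the router's own observation instead of a client-supplied name. The script below is an added example, not part of the original post: it builds that dual-MAC entry and checks that the router-generated /etc/ethers and /etc/hosts no longer carry the old per-MAC lines that would compete with it. File names are parameters; the MACs and IP are the post's, the file contents used in the test are made up.

```shell
#!/bin/sh
# Added example, not from the original post: build the dhcp-host line that
# pins one address to both of the laptop's MACs, and check that the
# router-generated ethers/hosts files no longer carry competing entries.

# Usage: dhcp_host_line NAME IP LEASE MAC [MAC...]
# Keying on the MACs instead of the client-supplied hostname matters:
# "dhcp-host=mylaptop,192.168.1.10" hands the address to any client that
# merely claims to be called mylaptop.
dhcp_host_line() {
  name=$1; ip=$2; lease=$3; shift 3
  [ $# -ge 1 ] || { echo "need at least one MAC" >&2; return 1; }
  macs=""
  for mac in "$@"; do
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
      { echo "bad MAC: $mac" >&2; return 1; }
    macs="${macs:+$macs,}$mac"
  done
  # dnsmasq accepts several hardware addresses in one entry and moves the
  # lease between them when the other interface asks for one.
  printf 'dhcp-host=%s,%s,%s,%s\n' "$macs" "$ip" "$name" "$lease"
}

# Usage: leftover_entries ETHERS HOSTS IP NAME MAC [MAC...]
# Prints every line that still binds one of the MACs, the IP or the name;
# returns 1 if something was found, 0 when the files are clean.
leftover_entries() {
  ethers=$1; hosts=$2; ip=$3; name=$4; shift 4
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
  found=0
  for mac in "$@"; do
    # ethers format: "MAC hostname-or-ip"; MACs may be written in either case
    if grep -i "^[[:space:]]*$mac[[:space:]]" "$ethers"; then found=1; fi
  done
  # hosts format: "IP name [alias...]"
  if grep -E "^[[:space:]]*$ip_re[[:space:]]|[[:space:]]$name([[:space:]]|\$)" "$hosts"; then
    found=1
  fi
  return $found
}
```

The generated line goes into /etc/dnsmasq-jaqb.conf in place of the hostname-keyed one; run leftover_entries against the router's /etc/ethers and /etc/hosts after removing the two web-interface entries, before restarting dnsmasq.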

If you have to rename a host in BackupPC:

  1. Stop the BackupPC service:
    systemctl stop backuppc
    
  2. Change the host name in the hosts file (/etc/backuppc/hosts) to the new name
  3. Rename the .pl file in the pc folder (/etc/backuppc/pc), i.e.:
    cd /etc/backuppc/pc
    mv oldname.pl newname.pl
    
  4. Rename the directory in the backup location (in my case backups are stored under /data/BackupPC)
    cd /data/BackupPC/pc/
    mv oldname newname
    
  5. Start the BackupPC service:
    systemctl start backuppc
    
  6. Pray
  7. Check if it works
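The steps above as one function, with the checks you want before moving backup data around. This is an added example, not the post's own script: the config and data directories are parameters (Debian puts them in /etc/backuppc and, by default, /var/lib/backuppc; the post uses /data/BackupPC), and the function refuses to touch anything when the old name is unknown or the new name is already taken.

```shell
#!/bin/sh
# Added example, not the post's own script: rename a BackupPC host in the
# hosts file, the per-host config and the backup tree, refusing to start
# if the target name already exists anywhere.

# Usage: backuppc_rename CONF_DIR DATA_DIR OLD NEW
backuppc_rename() {
  conf=$1; data=$2; old=$3; new=$4
  hosts="$conf/hosts"
  # escape dots so "host.example.com" is matched literally in the regexes
  old_re=$(printf '%s' "$old" | sed 's/[.]/\\./g')
  new_re=$(printf '%s' "$new" | sed 's/[.]/\\./g')
  # the hosts file has one "host dhcp user moreUsers" line per client
  grep -Eq "^$old_re[[:space:]]" "$hosts" || { echo "$old not in $hosts" >&2; return 1; }
  if grep -Eq "^$new_re[[:space:]]" "$hosts" || [ -e "$conf/pc/$new.pl" ] || [ -d "$data/pc/$new" ]; then
    echo "$new already exists, refusing to overwrite" >&2; return 1
  fi
  # step 2: hosts file entry, rewritten through a temp file (sed -i is not POSIX)
  sed "s/^$old_re\([[:space:]]\)/$new\1/" "$hosts" > "$hosts.tmp" && mv "$hosts.tmp" "$hosts"
  # step 3: per-host config, if the host has one
  [ -e "$conf/pc/$old.pl" ] && mv "$conf/pc/$old.pl" "$conf/pc/$new.pl"
  # step 4: the backup tree itself
  [ -d "$data/pc/$old" ] && mv "$data/pc/$old" "$data/pc/$new"
  return 0
}

# Usage: backuppc_host_known CONF_DIR NAME  -> 0 when NAME is in the hosts file
backuppc_host_known() {
  name_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')
  grep -Eq "^$name_re[[:space:]]" "$1/hosts"
}

# Usage: backuppc_rename_live CONF_DIR DATA_DIR OLD NEW
# The same, wrapped in the service stop/start from the post (run as root).
backuppc_rename_live() {
  systemctl stop backuppc || return 1
  backuppc_rename "$@"; rc=$?
  systemctl start backuppc
  return $rc
}
```

Step 7 of the post, checking that it works, is backuppc_host_known plus a look at the web interface after the service is back up.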

Sometimes you have to run a command as a user who cannot log in (shell set to /bin/false, /usr/sbin/nologin or similar), for example when testing BackupPC: the backuppc user usually cannot log in, but you have to run ssh manually once so that the host key is added to its known_hosts.

Instead of the ugly copying of a known_hosts file you can run:

sudo -u backuppc /usr/bin/ssh -l username remotehost

I think it's a nicer way.

After installation (as you can see, this is on Debian):

apt-get install backuppc

I had to modify the file attributes (setuid makes the CGI run as the file's owner, the backuppc user, rather than as the web server user):

chmod u+s /usr/share/backuppc/cgi-bin/index.cgi

Because of the error:

File::RsyncP module doesn't exist

I had to install the missing Perl module manually:

apt-get install libfile-rsyncp-perl

To log in without a password I generated keys (as root):

ssh-keygen

and copied id_rsa.pub to .ssh/authorized_keys on the host I would like to back up.

Now I can ssh to that host without a password (on a Windows machine you have to allow public key exchange).

It's time to do the same for the backuppc user. By default its shell is set to /bin/false, so I did it manually:

mkdir -p /home/backuppc/.ssh
cp id_rsa known_hosts /home/backuppc/.ssh
chown -R backuppc /home/backuppc/.ssh   # -R: recursive (chown has no -r option)
chmod 700 /home/backuppc/.ssh
chmod 600 /home/backuppc/.ssh/id_rsa    # ssh refuses a private key that others can read
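The commands above hand root's own private key to an unprivileged service account, so anyone who can read /home/backuppc/.ssh can act as root towards every backed-up host. An alternative is to give the backuppc user its own key, which also keeps the known_hosts entry where BackupPC will look for it. The script below is an added example, not the post's commands: it creates the .ssh directory with the permissions ssh insists on, fixes key modes, and verifies them; the first-contact commands in the trailing comment are the ones to run through sudo -u (as in the earlier section), since the account has no login shell. Directory and owner are parameters; the test uses a temporary directory with placeholder key files.

```shell
#!/bin/sh
# Added example, not the post's own commands: prepare and verify the
# backuppc account's ~/.ssh for a key of its own instead of a copy of root's.

# Usage: init_ssh_dir DIR OWNER  -- create ~/.ssh with mode 700 (chown only as root)
init_ssh_dir() {
  mkdir -p "$1"
  chmod 700 "$1"
  if [ "$(id -u)" -eq 0 ]; then chown "$2" "$1"; fi
}

# Usage: fix_key_perms DIR  -- private keys, known_hosts, authorized_keys 600; public keys 644
fix_key_perms() {
  for f in "$1"/id_* "$1"/known_hosts "$1"/authorized_keys; do
    [ -f "$f" ] || continue
    case $f in
      *.pub) chmod 644 "$f" ;;
      *)     chmod 600 "$f" ;;
    esac
  done
}

# Usage: verify_ssh_dir DIR  -> 0 when the directory is 700 and no private
# key is readable by group or others; otherwise lists the offenders, returns 1
verify_ssh_dir() {
  rc=0
  [ -n "$(find "$1" -prune -perm 700)" ] || { echo "$1 is not mode 700"; rc=1; }
  for f in "$1"/id_*; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac
    # -perm -040 / -004: group-read or other-read bit set
    [ -z "$(find "$f" \( -perm -040 -o -perm -004 \))" ] ||
      { echo "$f is readable by group/others"; rc=1; }
  done
  return $rc
}

# First contact, done as the service user so that the key and known_hosts
# land in its own home (backuppc, username and remotehost are placeholders):
#   init_ssh_dir /home/backuppc/.ssh backuppc
#   sudo -u backuppc ssh-keygen -t ed25519 -f /home/backuppc/.ssh/id_ed25519 -N ''
#   sudo -u backuppc ssh -l username remotehost   # compare the fingerprint before answering "yes"
#   fix_key_perms /home/backuppc/.ssh && verify_ssh_dir /home/backuppc/.ssh
# then append id_ed25519.pub to ~username/.ssh/authorized_keys on remotehost.
```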

If you want to transform a device's value you have to fill in the "Formula" field, e.g.:

%value%*1

which of course returns the value multiplied by 1 ;-).

In my case I had to calculate a voltage measured through a 1:2 divider and a 1:3.3 divider, so my formula was:

%value%/1024*3.3*2

the value is divided by 1024 because the ADC has 10-bit resolution.

This is an example of how to use ESP Easy rules on an ESP Witty (ESP8266). It shows a timer, events, and assigning a value to a "variable".

The pins are connected as follows:

  • GPIO4 - Push Button
  • GPIO12 - Green LED
  • GPIO13 - Blue LED
  • GPIO15 - Red LED

One device is set to Switch input, named button, with "1st GPIO" set to GPIO-4. You cannot have variables, but you can have a dummy device to store values. So I created a Dummy Device named zmienna and set its "Value Name 2" to indeks. In this example this dummy device is Task 3.

How does it work?

If you push the button, one LED is turned on for 1 second. If you push it again, the next LED is turned on.

// zmienna#indeks (task 3, value 2) is the counter; event zapal turns one LED on,
// event zgas turns them all off
On button#Switch do
  // the input reads 0 when the button is pressed
  if [button#Switch]=0.00
    event zgas
    // increment task 3, value 2
    TaskValueSet,3,2,[zmienna#indeks]+1
    event zapal
  endif
endon

// turn on one LED
on zapal do
  timerSet,1,1 // timer 1, one second
  if [zmienna#indeks] > 2
    // reset counter
    TaskValueSet,3,2,0
  endif
  if [zmienna#indeks] = 0
    gpio,12,1 // Green
  endif
  if [zmienna#indeks] = 1
    gpio,13,1 // Blue
  endif
  if [zmienna#indeks] = 2
    gpio,15,1 // Red
  endif
endon

On Rules#Timer=1 do  
  event zgas
endOn

// turn off all LEDs
on zgas do
  gpio,12,0
  gpio,13,0
  gpio,15,0
endon

If you want to create certificates for OpenVPN you have to set additional options in the usr_cert section of /etc/pki/tls/openssl.cnf (the section that openssl ca applies through x509_extensions in CA_default):

nsCertType       = server             # "client" for client certificates; legacy, see below
keyUsage         = digitalSignature   # server certificates commonly also carry keyEncipherment
extendedKeyUsage = serverAuth         # "clientAuth" for client certificates

Of course nsCertType has to be server when you generate the certificate for the OpenVPN server and client for client certificates; the same goes for serverAuth versus clientAuth.

These options are required when you use the OpenVPN options ns-cert-type and remote-cert-tls. ns-cert-type checks the nsCertType extension; remote-cert-tls checks keyUsage and extendedKeyUsage (serverAuth or clientAuth) instead, so without extendedKeyUsage a peer using remote-cert-tls rejects the certificate. ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5, so remote-cert-tls is the check to rely on.


I had the following situation:

  • I have a service in my home LAN.
  • I would like to access this service from outside.
  • I don't have a routable IP at home.
  • I have a VPS with a public IP, but I can't run OpenVPN on it.

As a workaround you can use an SSH tunnel with remote port forwarding.

In my example the service is running on 192.168.3.28:8080 and I want to reach it on port 8090.

First of all, add to /etc/ssh/sshd_config on the VPS (the side that will listen):

# "yes" binds every remote forward on all interfaces of the VPS; the default "no"
# keeps it on loopback, and "clientspecified" lets the bind address given to ssh -R decide
GatewayPorts yes

On my router (it doesn't matter which machine you use; mine has address 192.168.3.3) I ran:

ssh -R 8090:192.168.3.28:8080 me@jaqb.gda.pl

This command creates a tunnel: connections to port 8090 on the server (jaqb.gda.pl) are carried over the SSH session to my router (192.168.3.3), which forwards them to port 8080 on host 192.168.3.28 in the home network.

Now I can access it from anywhere.

In fact, my (great!) VPS provider allowed me to run OpenVPN in less than 10 minutes, so it wasn't necessary.
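"From anywhere" also means by anyone: with GatewayPorts yes every port you forward with -R is reachable from the whole internet, and the home service is then only as protected as its own login. sshd takes the first value it sees for a keyword, and settings after a Match line apply only to that block, so it is worth checking what the VPS will actually do before relying on it. The script below is an added example, not from the post: it reads the effective GatewayPorts value from an sshd_config and builds the ssh command so that the tunnel binds where you intend (with clientspecified on the server, a 127.0.0.1 bind address keeps the service off the public side until something with authentication sits in front of it). Paths and the sample config in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the post: audit GatewayPorts on the VPS and build
# a remote-forward command that fails loudly instead of silently.

# Usage: effective_gateway_ports SSHD_CONFIG
# Prints the first global GatewayPorts value (case-insensitive), stopping at
# the first Match block, or sshd's default "no" when none is set.
effective_gateway_ports() {
  v=$(awk 'tolower($1)=="match"{exit}
           tolower($1)=="gatewayports"{print tolower($2); exit}' "$1")
  echo "${v:-no}"
}

# Usage: remote_forward_cmd BIND RPORT TARGET TPORT USER@SERVER
# BIND may be empty (sshd then applies its GatewayPorts policy) or an address
# such as 127.0.0.1, which only takes effect with GatewayPorts clientspecified.
remote_forward_cmd() {
  bind=$1; rport=$2; target=$3; tport=$4; server=$5
  case "$rport$tport" in
    ''|*[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
  esac
  spec="$rport:$target:$tport"
  [ -n "$bind" ] && spec="$bind:$spec"
  # -N: no remote shell; ExitOnForwardFailure: exit instead of running
  # without the tunnel; ServerAlive*: notice a dead connection, so a
  # supervisor (autossh, a systemd unit with Restart=) can relaunch it.
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s %s\n' \
    "$spec" "$server"
}
```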

Edit /etc/pki/tls/openssl.cnf and change the following in the CA_default section (the *_default values live in the req_distinguished_name section); of course you have to adapt it, i.e. change the names to yours ;-):

[ CA_default ]
dir            = /etc/pki/newCA      # must match the directory created below
certificate    = $dir/newCAcert.pem
private_key    = $dir/private/newCAkey.pem

[ req_distinguished_name ]
countryName_default            = PL
stateOrProvinceName_default    = pomorskie
localityName_default           = Gdynia
0.organizationName_default     = Jakub Walczak

Because I changed the default directory I had to create some files and directories:

mkdir /etc/pki/newCA
cd /etc/pki/newCA
mkdir {certs,crl,newcerts,private}
chmod 700 private      # the CA key lives here
touch index.txt
echo 01 > serial       # next serial; certificate serials must be positive (RFC 5280), so not 00

Generate a self-signed CA certificate valid for 5 years (5*365 = 1825 days):

openssl req -x509 -newkey rsa:2048 -keyout private/newCAkey.pem \
-out newCAcert.pem -days 1825

It's very important to remember the password! You will need it for 5 years, every time you generate a certificate.

Generate the first certificate (key and signing request):

openssl req -newkey rsa:2048 -nodes -keyout private/vpn.key \
-out vpn.csr

In most cases you have to provide only the Common Name. Now you have a new vpn.csr (certificate signing request) file.

Sign it:

openssl ca -in vpn.csr -out certs/vpn.pem

Of course you have to enter the CA password.

You have to revoke the old certificate if you want to generate a new certificate with the same Common Name (openssl ca refuses a duplicate subject while the previous entry is valid). To revoke a certificate use:

openssl ca -revoke certs/vpn.pem

That's all.

Revoking only marks the entry in index.txt; for OpenVPN to actually reject the revoked certificate you also have to generate a CRL from the database and point the server at it with crl-verify.

To dump these files in human-readable form:

  • Certificate Signing Request (CSR):
    openssl req -text -noout -verify -in vpn.csr
  • Private key (-check also verifies the key's consistency):
    openssl rsa -in private/vpn.key -check
  • Certificate:
    openssl x509 -in certs/vpn.pem -text -noout
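The same CA as a self-contained script, put together here as an added example (these are not the post's commands): it creates the directory layout, writes a minimal openssl.cnf with separate extension sections for OpenVPN server and client certificates (so "openssl ca -extensions server_cert" or "client_cert" sets keyUsage, extendedKeyUsage and the legacy nsCertType from the earlier OpenVPN section in one step), keeps unique_subject on so that reissuing a Common Name requires revoking first, and regenerates the CRL that OpenVPN's crl-verify reads after every revocation. The directory, the subject names and the CA password are placeholders; serials start at 1000 rather than 00 because certificate serials must be positive.

```shell
#!/bin/sh
# Added example, not the post's own commands: a small private CA with
# server/client extension sections, revocation and a CRL.

# Usage: ca_init DIR   -- directory layout and a minimal openssl.cnf
ca_init() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"        # serials must be positive (RFC 5280)
  echo 1000 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
unique_subject   = yes
[ policy_cn ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType       = server
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
nsCertType       = client
EOF
}

# Usage: ca_selfsign DIR PASS  -- 5-year self-signed CA, key encrypted with PASS,
# plus an initial (empty) CRL so that CRL checks work from the start
ca_selfsign() {
  dir=$1; pass=$2
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1825 \
    -config "$dir/openssl.cnf" -extensions v3_ca -subj "/CN=Example Private CA" \
    -passout "pass:$pass" -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null &&
  openssl ca -config "$dir/openssl.cnf" -passin "pass:$pass" -gencrl -out "$dir/crl/crl.pem" 2>/dev/null
}

# Usage: ca_issue DIR PASS NAME server|client  -- key, CSR and signed certificate.
# Fails while a valid certificate for the same CN exists (unique_subject).
ca_issue() {
  dir=$1; pass=$2; name=$3; kind=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/CN=$name" -keyout "$dir/private/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
  openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions "${kind}_cert" \
    -passin "pass:$pass" -in "$dir/$name.csr" -out "$dir/certs/$name.pem" 2>/dev/null
}

# Usage: ca_revoke DIR PASS NAME  -- mark revoked in index.txt and reissue the CRL
ca_revoke() {
  dir=$1; pass=$2; name=$3
  openssl ca -config "$dir/openssl.cnf" -passin "pass:$pass" -revoke "$dir/certs/$name.pem" 2>/dev/null &&
  openssl ca -config "$dir/openssl.cnf" -passin "pass:$pass" -gencrl -out "$dir/crl/crl.pem" 2>/dev/null
}

# Usage: cert_has_eku CERT "TLS Web Server Authentication"  -> 0 when present
cert_has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Usage: cert_is_valid DIR CERT  -> 0 when it chains to the CA and is not on the CRL
cert_is_valid() {
  openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/crl.pem" "$2" >/dev/null 2>&1
}
```

For OpenVPN, cacert.pem goes into the ca directive on both sides, crl/crl.pem into crl-verify on the server, and each side gets its own certs/NAME.pem and private/NAME.key.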

You can use Let's Encrypt certificates to secure communication with your e-mail server.

After you generate the certificate for your mail server:

certbot-auto certonly --apache --non-interactive --agree-tos \
--email me@mydomain -d mail.jaqb.gda.pl

it has to be copied to a new location, because Postfix/Cyrus IMAP cannot read it there: the /etc/letsencrypt/live directory is readable only by root.

The solution is simple. I copied the files into the /etc/postfix directory and changed their group to mail:

cp /etc/letsencrypt/live/mail.jaqb.gda.pl/cert.pem      /etc/postfix/cert.pem
cp /etc/letsencrypt/live/mail.jaqb.gda.pl/privkey.pem   /etc/postfix/privkey.pem
cp /etc/letsencrypt/live/mail.jaqb.gda.pl/fullchain.pem /etc/postfix/fullchain.pem

chgrp mail /etc/postfix/cert.pem /etc/postfix/privkey.pem /etc/postfix/fullchain.pem
chmod 640 /etc/postfix/privkey.pem   # group mail may read the key, nobody else

I added these commands to the /etc/cron.monthly/letsencrypt-auto.bash file (from my last post).

Of course you have to set the appropriate options, at least in /etc/postfix/main.cf (Postfix does not allow comments after a value, so they are on their own lines here):

# Postfix expects the intermediate certificates in this file, after the server certificate,
# which is exactly what fullchain.pem contains
smtpd_tls_cert_file = /etc/postfix/fullchain.pem
smtpd_tls_key_file = /etc/postfix/privkey.pem
# only consulted when verifying client certificates
smtpd_tls_CAfile = /etc/postfix/fullchain.pem

and in /etc/imapd.conf (Cyrus IMAP):

tls_cert_file: /etc/postfix/cert.pem
tls_key_file: /etc/postfix/privkey.pem
tls_ca_file: /etc/postfix/fullchain.pem

After a restart:

/etc/init.d/postfix restart
/etc/init.d/cyrus-imapd restart

everything should work. Good luck!
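The copy step is where a slip leaves the private key world-readable, or a daemon restarting in the middle of the copy picks up a half-written file. The script below is an added example, not the post's cron snippet: it copies the three files with fixed modes (644 for the public parts, 640 with the mail group for the key), writes each one to a temporary name and renames it into place so the swap is atomic, and checks the result. It is meant to run as root from the monthly cron job in the post or as a certbot --deploy-hook; LIVE, DEST and GROUP are parameters, and the test uses a temporary directory with placeholder PEM files.

```shell
#!/bin/sh
# Added example, not the post's cron snippet: deploy Let's Encrypt files for
# Postfix/Cyrus with the right modes and atomic replacement.

# Usage: deploy_mail_certs LIVE_DIR DEST_DIR GROUP  -> 0 on success
deploy_mail_certs() {
  live=$1; dest=$2; group=$3
  for f in cert.pem privkey.pem fullchain.pem; do
    [ -f "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
  done
  # public parts: anyone may read them; cp follows the live/ symlinks
  for f in cert.pem fullchain.pem; do
    cp "$live/$f" "$dest/$f.tmp" && chmod 644 "$dest/$f.tmp" && mv "$dest/$f.tmp" "$dest/$f" || return 1
  done
  # the key: owner keeps it, the mail group may read it (Cyrus runs
  # unprivileged), nothing for "other"; mode is set before the rename so the
  # final name never exists with loose permissions
  cp "$live/privkey.pem" "$dest/privkey.pem.tmp" &&
    chmod 640 "$dest/privkey.pem.tmp" &&
    chgrp "$group" "$dest/privkey.pem.tmp" &&
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# Usage: key_is_private FILE  -> 0 when FILE is not readable by "other"
key_is_private() {
  [ -z "$(find "$1" -perm -004)" ]
}

# Usage: reload_mail_services  -- after a successful deploy (needs root);
# Postfix picks up new certificates on reload, Cyrus needs a restart
reload_mail_services() {
  /etc/init.d/postfix reload && /etc/init.d/cyrus-imapd restart
}
```

A deploy hook would be: deploy_mail_certs /etc/letsencrypt/live/mail.jaqb.gda.pl /etc/postfix mail && reload_mail_services.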

