Posted on | In |

Environment

1
2
3
OS Ubuntu 18.04
OpenSSL 1.0.2o
OpenVPN 2.4.4

Description

After install openvpn

1
2
3
4
sudo apt install -y \
    openvpn \
    network-manager-openvpn \
    network-manager-openvpn-gnome

When used openvpn GUI to import .ovpn file and clicked to connect, pop up this error:
activation of network connection failed

check /var/log/syslog
get this OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

.ovpn file

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
client
dev tap
proto udp
remote <>
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert <>.crt
key <>.key
tls-auth tlsauth.key 1
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
script-security 3

Solution

modify vpn configuration file
sudo vim /etc/NetworkManager/system-connections/<VPN-CONFIG-FILE>

Under vpn section, add this line

1
2
[vpn]
tls-cipher=DEFAULT:@SECLEVEL=0

Reload the configuration
sudo nmcli connection reload

Can only connect to the vpn internet

Now I can successfully access the vpn network but fail to reach the internet outside that vpn subnet.

With GUI, this could be simply fixed by:

Reference

[1] https://askubuntu.com/questions/1043899/openvpn-on-ubuntu-18-04
[2] https://forums.openvpn.net/viewtopic.php?t=23979
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1498322
[4] https://bbs.deepin.org/forum.php?mod=viewthread&tid=155262

Posted on | In |

Install

sudo apt-get install -y openssh-server

sshd configuration

sudo vim /etc/ssh/sshd_config

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# change default port to keep away from the brute force port scanner
Port 1234

# Disable Root
# By default Ubuntu 18.04 Bionic Beaver installation comes with unset root password
# By default SSH root login is disabled[1]
# PermitRootLogin no

# limit the brute force attack rate[2][3][4]
MaxAuthTries 3

# Disconnect Idle Sessions(in seconds)
# the server will check on the client after 5 minutes of inactivity. It will do this twice then disconnect.
ClientAliveInterval 300
ClientAliveCountMax 2

# Disable Password Authentication and only use key
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

sudo systemctl reload sshd

UFW

1
2
3
sudo ufw allow OpenSSH
# sudo ufw disable
# sudo ufw enable
Read more »

Posted on | In |

Here I use both Shadowsocks-libev and Shadowsock for no reason

Shadowsocks

Shadowsocks is written in Python

install and config

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
sudo apt install python-pip
sudo pip install git+https://github.com/shadowsocks/shadowsocks.git@master
sudo ufw allow 8388

sudo tee /etc/shadowsocks/config.json > /dev/null<<EOF
{
  "server":"0.0.0.0",
  "server_port":8388,
  "local_address": "127.0.0.1",
  "local_port":1080,
  "password":"$(openssl rand -base64 12)",
  "timeout":300,
  "method":"aes-256-cfb",
  "fast_open": false,
  "workers": 1,
  "prefer_ipv6": false
}
EOF

autostart with systemd [1]

1
2
3
4
5
6
7
8
9
10
11
12
sudo tee /lib/systemd/system/shadowsocks.service <<EOF
[Unit]
Description=Shadowsocks Server
After=network.target

[Service]
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks/config.json
Restart=on-abort

[Install]
WantedBy=multi-user.target
EOF
Read more »

Posted on | In |

Mainly follow How To Set Up an OpenVPN Server on Ubuntu 18.04[1]

Environment

  • Server – Ubuntu 18.04 desktop named zed-ubuntu18
  • CA – Ubuntu 18.04 virtual machine in Vbox
  • Client – mac
  • Sever connect to a router while the route connecting to a modem

Configure CA

Why I use Vbox to build CA?

As CA, the most important attribution is security.

  • CA should be used only for signing request and should be shutdown for the rest of time.
  • CA should connect to network only for updating and installing necessary packages.

As for me, use another machine as CA is a waste of resource.
In other word, use virtual machine as CA is the most economic and secure method.

How CA communicates with Server?

CA needs to communicate with Server to import, sign requests and send back certificates. That means CA virtual machine needs a bidirectional communication.

There are several options:

  • ssh – needs to expose port, generate and transfer keys on both side, which is complicated to configure
  • drag and drop – GUI solution
  • shared folder – CLI solution

My decision is to use shared folder.

configure shared folder

on server, mkdir ca_shared

Read more »

Posted on |

The scenario is that I would like to migrate my hexo repo from my old laptop to the new desktop.

git push the right repo to github

git push the source repo(e.g. https://github.com/ZedYeung/Hexo) with such structure(image_path_replace.py is my own script)

1
2
3
4
5
6
7
8
9
10
├── _config.yml
├── db.json
├── image_path_replace.py
├── node_modules
├── package.json
├── package-lock.json
├── public
├── scaffolds
├── source
└── themes

rathan than the generated repo(e.g. https://github.com/ZedYeung/zedyeung.github.io)

1
2
3
4
5
6
7
8
9
10
11
12
13
├── 2017
├── archives
├── avatar.jpg
├── categories
├── CNAME
├── content.json
├── css
├── images
├── index.html
├── js
├── lib
├── node_modules
└── tags

The last one is generated by the former one with hexo-deployer-git

Read more »

Posted on | In |

It looks like there are some conflictions between gnome and neaease GUI.
I tried sudo tail -f /var/log/syslog, but I failed to find something useful.

The first bug

Failed to load module "canberra-gtk-module"
simply fix with sudo apt install libcanberra-gtk-module

Ubuntu 18 04 netease(网易云) only launches with sudo

Ubuntu 18 04 netease(网易云) only launches after psudo-shutdown


Read more »

Posted on | In |

Install fcitx, google pinyin and sogou pinyin

1
2
3
4
5
6
7
8
9
sudo apt install -y fcitx-bin

# google pinyin
sudo apt install -y fcitx-googlepinyin

# sogou pinyin
wget "http://cdn2.ime.sogou.com/dl/index/1524572264/sogoupinyin_2.2.0.0108_amd64.deb?st=qC_O2p5443g1a2TJR_rSdA&e=1533163019&fn=sogoupinyin_2.2.0.0108_amd64.deb" -O sogoupinyin.deb && \
    yes | sudo gdebi sogoupinyin.deb && \
    rm sogoupinyin.deb

Settings -> Region & Language

Reboot or logout

Destop left bottom show applications -> fcitx configure