WireGuard
Server
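#!/usr/bin/env bash
# WireGuard server bootstrap on Ubuntu: generate the key pair, write wg0.conf,
# open the listen port in ufw and enable the interface at boot.
# The key/config steps below write into /etc/wireguard, so run them as root
# (the original notes mix a root shell with sudo-prefixed commands).
set -euo pipefail

WG_IF=wg0
WG_ADDR=192.168.6.1/24
WG_PORT=1194
WAN_IF=ens3                                   # interface that carries the NAT'ed traffic
PEER_PUBKEY=wL+h2EqxaQpcWgwO8SIXPGqhHgssvj9xqjHAPjYLJ28=
PEER_ADDR=192.168.6.2/32

sudo apt install -y wireguard
cd /etc/wireguard

# umask 077: privatekey and wg0.conf are created root-only (mode 0600).
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# The private key is read back from the file just generated instead of being
# pasted into the config by hand, so it never lands in shell history or notes.
cat > "/etc/wireguard/${WG_IF}.conf" <<EOF
[Interface]
Address = ${WG_ADDR}
ListenPort = ${WG_PORT}
PrivateKey = $(cat privatekey)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${WAN_IF} -j MASQUERADE

[Peer]
PublicKey = ${PEER_PUBKEY}
AllowedIPs = ${PEER_ADDR}
EOF
# NOTE(review): the FORWARD/MASQUERADE rules only take effect with
# net.ipv4.ip_forward=1, which the original notes do not set -- confirm.

sudo ufw allow "${WG_PORT}/udp"
sudo ufw status
sudo systemctl enable "wg-quick@${WG_IF}"
sudo systemctl start "wg-quick@${WG_IF}"
sudo systemctl status "wg-quick@${WG_IF}"

# watch connections (per-peer handshake age and transfer counters)
watch -n1 wg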
Client
Mellanox: Install build driver
https://www.mellanox.com/products/ethernet-drivers/linux/mlnx_en
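#!/usr/bin/env bash
# Download, pre-build and install the Mellanox MLNX_EN driver bundle for the
# running Ubuntu release and CPU architecture. VERSION may be overridden.
set -euo pipefail

VERSION=${VERSION:-5.6-2.0.9.0}
# Fetched over https (the original used plain http for a package that is then
# executed as root).
URL="https://www.mellanox.com/downloads/ofed/MLNX_EN-${VERSION}/mlnx-en-${VERSION}-ubuntu$(lsb_release -rs)-$(uname -p).tgz"
TARBALL="/tmp/${URL##*/}"

# NOTE(review): no checksum/signature check is done on the tarball; compare it
# against the hash published on the vendor download page before ./install.
wget -q -O "${TARBALL}" "${URL}"
# Extract exactly the file just downloaded, not any mlnx-en-*.tgz left in /tmp.
tar -C /tmp -xzf "${TARBALL}"
cd /tmp/mlnx-en-"${VERSION}"-ubuntu*/

# prebuild driver only (no install)
./install --add-kernel-support-build-only
# install
./install --force
# show the rebuilt package bundle ('ll' is an interactive alias, not a command)
ls -l /tmp/mlnx-en-*-generic/mlnx-en-*-ext.tgz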
Links
https://developer.nvidia.com/networking/ethernet-software
OpenStack: Debug / cleanup DHCP
Restart DHCP namespaces
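#!/usr/bin/env bash
# Toggle DHCP off and back on for one subnet so Neutron rebuilds the subnet's
# DHCP namespaces/ports. SUBNET_ID must be set by the caller.
set -euo pipefail

: "${SUBNET_ID:?set SUBNET_ID to the subnet whose DHCP should be restarted}"
openstack subnet set --no-dhcp "${SUBNET_ID}"
openstack subnet set --dhcp "${SUBNET_ID}"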
Find unnecessary DHCP namespaces
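#!/usr/bin/env bash
# Print every network whose number of DHCP ports differs from MAX_DHCP_NS
# (the expected number of DHCP agents/namespaces), together with its ports.
set -euo pipefail

MAX_DHCP_NS=${MAX_DHCP_NS:-3}

# Read subnet ids line by line (no word splitting on the command output).
while IFS= read -r SUBNET_ID; do
  [[ -n "${SUBNET_ID}" ]] || continue
  NETWORK_ID=$(openstack subnet show "${SUBNET_ID}" -c network_id -f value)
  DHCP_PORTS=$(openstack port list --device-owner network:dhcp \
    --network "${NETWORK_ID}" -c ID -c binding_host_id -c fixed_ips -c status -f value)

  # `echo "" | wc -l` reports 1 for an empty result; count 0 ports as 0.
  if [[ -n "${DHCP_PORTS}" ]]; then
    port_count=$(wc -l <<<"${DHCP_PORTS}")
  else
    port_count=0
  fi

  if (( port_count != MAX_DHCP_NS )); then
    printf 'NETWORK_ID: %s\n' "${NETWORK_ID}"
    printf '%s\n' "${DHCP_PORTS}"
    printf '\n'
  fi
done < <(openstack subnet list --dhcp -c ID -f value)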
Remove unnecessary DHCP port
OpenStack: RBAC shared network
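#!/usr/bin/env bash
# Share a network with one project via a Neutron RBAC policy and lift that
# project's rbac_policy quota. PROJECT_ID and RBAC_ID must be set by the caller
# (the original used <PROJECT_ID> placeholders, which are not valid shell).
set -euo pipefail

: "${PROJECT_ID:?set PROJECT_ID to the target project id}"

# allow access to RBAC net for project
openstack network rbac create --target-project foo-project1 \
  --action access_as_shared --type network foo-net-01

# show rbac quota
neutron quota-show --tenant_id "${PROJECT_ID}" | grep rbac_policy

# set rbac quota to unlimited (-1): removes the cap on how many networks can be
# shared into this project; a finite bound is preferable where it suffices.
openstack quota set --rbac-policies -1 "${PROJECT_ID}"

openstack network rbac list
openstack network rbac show "${RBAC_ID:?set RBAC_ID from 'openstack network rbac list'}"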
Links
https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/network-rbac.html
https://docs.openstack.org/mitaka/networking-guide/config-rbac.html
https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/quota.html
https://docs.openstack.org/ocata/admin-guide/cli-networking-advanced-quotas.html
Create anyconnect VPN connection on command line with nmcli
Create connection
#!/usr/bin/env bash
# Create a NetworkManager/openconnect (AnyConnect protocol) VPN connection
# named vpn1 using certificate authentication.
#   connection.permissions   -- only the creating user may activate it
#   ipv4.ignore-auto-routes  -- only VPN_ROUTES go through the tunnel
#   authtype = cert          -- client cert/key under ${HOME}/vpn1
#                               (the key file should be readable by the user only)
#   save_passwords=yes       -- NetworkManager stores the entered password in the
#                               connection file under /etc/NetworkManager (root-only)
VPN_GATEWAY=vpn1.example.com
VPN_USER=foo
VPN_ROUTES=192.168.11.0/24

nmcli connection add \
  connection.id vpn1 \
  connection.type vpn \
  connection.permissions "user:${USER}" \
  ipv4.routes "${VPN_ROUTES}" \
  ipv4.ignore-auto-routes yes \
  vpn.service-type org.freedesktop.NetworkManager.openconnect \
  vpn.data "
    protocol = anyconnect,
    authtype = cert,
    gateway = ${VPN_GATEWAY},
    cacert = ${HOME}/vpn1/ca.pem,
    usercert = ${HOME}/vpn1/certificate.pem,
    userkey = ${HOME}/vpn1/priv.pem,
    cookie-flags = 2
  " \
  vpn.secrets "
    form:main:group_list=CLIENTGROUP,
    form:main:username=${VPN_USER},
    save_passwords=yes
  "
Start connection and enter password once
nmcli connection up vpn1
Debug
# Debugging the vpn1 connection.
# Follow NetworkManager's log; alternatively filter on one connection uuid:
#journalctl -fxe NM_CONNECTION=8d5ec3cb-99c5-47ea-84e2-38174cd14702
journalctl -fxe -t NetworkManager
# The stored connection profile (root-only; holds saved secrets).
cat /etc/NetworkManager/system-connections/vpn1.nmconnection
# Effective settings as NetworkManager sees them.
nmcli con show vpn1
Links
https://0xsys.blogspot.com/2019/06/configure-vpn-using-nmcli.html
LXD: Create WireGuard container
Create container
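#!/usr/bin/env bash
# Create an ubuntu-minimal LXD container and install WireGuard in it.
set -euo pipefail

CONTAINER=${CONTAINER:-wireguard}

# Add ubuntu-minimal image remote
lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/

# Create LXD container
#lxc launch ubuntu-minimal:lts "${CONTAINER}"
lxc launch ubuntu-minimal:22.04 "${CONTAINER}"

# The host proxy setting is passed with --env instead of being interpolated into
# the bash -c command string, so its value cannot alter the command line;
# ${http_proxy:-} keeps set -u happy when no proxy is configured.
proxy_env=(--env "http_proxy=${http_proxy:-}")

# update APT packages
lxc exec "${CONTAINER}" "${proxy_env[@]}" -- \
  bash -c 'apt update && apt -y dist-upgrade && apt -y autoremove'
# Install WireGuard
lxc exec "${CONTAINER}" "${proxy_env[@]}" -- \
  bash -c 'apt install -y wireguard iptables iputils-ping'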
Configure UDP 51820 port forward to wireguard container
# Forward UDP 51820 from every host address (0.0.0.0) into the container,
# where WireGuard listens on 127.0.0.1:51820 (connect= is resolved inside the
# container for a proxy device). Only this one port is exposed on the host.
lxc config device add "${CONTAINER}" udp51820 proxy \
  listen=udp:0.0.0.0:51820 \
  connect=udp:127.0.0.1:51820
Configure WireGuard
Rundeck CLI
Install
https://rundeck.github.io/rundeck-cli/
https://github.com/rundeck/rundeck-cli/releases
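#!/usr/bin/env bash
# Install rundeck-cli from its GitHub release .deb (needs a JRE).
set -euo pipefail

RD_CLI_VERSION=${RD_CLI_VERSION:-2.0.0}
DEB="rundeck-cli_${RD_CLI_VERSION}-1_all.deb"

sudo apt-get install -y default-jre-headless
# NOTE(review): no checksum is recorded in these notes; verify the .deb against
# the release assets before installing it as root.
wget -q -O "${DEB}" \
  "https://github.com/rundeck/rundeck-cli/releases/download/v${RD_CLI_VERSION}/${DEB}"
# Install exactly the file just downloaded, not whichever rundeck-cli_*_all.deb
# happens to sit in the working directory.
sudo dpkg -i "${DEB}"
# alternative, from the rundeck APT repository:
# sudo apt-get install rundeck-cli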
Configuration
https://rundeck.github.io/rundeck-cli/configuration/
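#!/usr/bin/env bash
# ~/.rd/rundeck-dev.conf -- rundeck-cli connection settings, loaded with source.
# The file holds a clear-text password, so keep it mode 0600; rundeck-cli also
# accepts an API token via RD_TOKEN in place of RD_USER/RD_PASSWORD.
# RD_URL is plain http: the credentials travel unencrypted to that host.
export RD_URL=http://rundeck.dev.example.com:80
export RD_USER=admin
export RD_PASSWORD=admin

# load configuration into the current shell
chmod 0600 ~/.rd/rundeck-dev.conf
# shellcheck source=/dev/null
source ~/.rd/rundeck-dev.conf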
LXD: profile
Copy profiles between LXD cluster nodes
# Copy one profile to another LXD server; the trailing ':' names the remote.
lxc profile copy "profile-name" "new-lxd-server:"
Export all profiles
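#!/usr/bin/env bash
# Dump every LXD profile to a YAML file named after the profile in the cwd.
set -euo pipefail

# Read names line by line rather than word-splitting the jq output.
while IFS= read -r profile; do
  [[ -n "${profile}" ]] || continue
  lxc profile show "${profile}" > "${profile}"
done < <(lxc profile list --format json | jq -r '.[].name')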
Import profiles
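#!/usr/bin/env bash
# Re-create LXD profiles from the nic* and disk* YAML files in the cwd.
set -euo pipefail

# Let the shell glob directly instead of parsing ls output.
for profile_file in nic* disk*; do
  [[ -f "${profile_file}" ]] || continue   # an unmatched glob stays literal
  lxc profile create "${profile_file}" < "${profile_file}"
done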