Fix the choppy fonts in Google Chrome

In the address bar of the browser, type this and press Enter:

Set the flag to Disabled and restart the browser.

How To Use Crayon Syntax Highlighter Plugin


Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 5 of 5

Introduction

This is Part 5, the last in the series of articles about setting up a site-to-site VPN between an on-premises LAN and Azure. Here you will learn how to deploy the necessary resources in Azure using a deployment template and the portal. In addition we will configure IPsec on the router side.

If you missed the Part 4 please check it out here:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 4 of 5

 

Create a site-to-site VPN in Azure

NOTE: Azure Resource Manager allows you to provision your applications using a declarative template. In a single template, you can deploy multiple services along with their dependencies. You use the same template to repeatedly deploy your application during every stage of the application lifecycle – microsoft.com

We are going to use one of the quick start deployment templates to create the necessary resources in Azure.

Open a browser and go to this Url:

https://github.com/Azure/azure-quickstart-templates

Click on the 101-site-to-site-vpn-create. Then click on the Deploy to Azure button:

You will be redirected to the Azure RM Portal. Log in if needed. You should see a page where you can customize the template before deploying:

NOTE: One of the resources created by this template is a route-based gateway which has a dynamically assigned public IP address. It is a good idea to make it static. A static address will not change over time, so you will not have to edit the strongSwan configuration file whenever the gateway is re-created.

Click Edit template and search for publicIPAllocationMethod and change the Dynamic to Static and then click the Save button.

Now enter the information about IP addresses, subnets, etc. from the network diagram in Part 1:

Here is the completed form:

At the bottom of the form (not visible here) is a field called Shared Key. Type any complex string that is hard to guess and take note of it; you will need it when setting up IPsec on the router. Let's use SecretP@ssw0rd123

Read the terms and conditions and if you accept them check the check-box and click Purchase.

This will start the deployment which can take a long time (around 30 – 40 minutes).

Create a Virtual Machine

We are going to add an Ubuntu virtual machine to the same resource group (site-to-site) and the same virtual network (azureNet) that we used in the previous step. This is an optional step that gives us an easy way to test the connectivity between a machine in Azure and our home network. In reality you would most likely connect an existing virtual network that already has some virtual machines.

In the portal select the site-to-site resource group and click the “+ Add” button. Type ubuntu in the search box and press <enter>. Select ‘Ubuntu Server 16.04 LTS’; this will open an additional blade. Make sure the deployment method is set to Resource Manager and press the Create button.

In the next blade you have to select a name for the virtual machine. I called mine kingpenguin. I chose HDD for the disk type and Password for the authentication type. Choose the existing resource group site-to-site and click OK.

On the next step you need to specify the virtual machine size. I chose A1 Basic. Click Select.

On the next blade make sure the virtual network is set to azureVnet and the subnet is set to Subnet1 (10.3.1.0/24). You can leave the rest of the parameters unchanged. Click OK.

On the last blade review the information and click Create.

If you go to the resource group it should look similar to this:

Click on the network interface of our virtual machine to find out the public and the private IP addresses assigned. We will need these later to test the connectivity between the on premise network and the Azure virtual network:

Configure strongSwan on the router

Connect with PuTTY to your router and update the ipsec.conf and ipsec.secrets files. The secrets file holds the shared key you entered in the Azure template (SecretP@ssw0rd123):
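The contents of ipsec.conf and ipsec.secrets did not survive on this page, so here is an added example (this editor's, not the author's files) that renders both for the IKEv2 tunnel described in the series. The addresses and shared key are the ones used in the articles; the cipher proposal and the /opt/etc file paths are assumptions about the Entware strongSwan build.

```shell
#!/bin/sh
# Added example: render strongSwan ipsec.conf / ipsec.secrets for the Azure
# route-based (IKEv2) site-to-site tunnel from this series. Addresses are the
# ones used in the articles; the cipher proposal and the /opt/etc paths are
# assumptions, not the author's original files.

AZURE_GW_IP="40.118.132.69"   # public IP of the Azure VPN gateway (IKE peer)
AZURE_VNET="10.3.0.0/16"      # azureVnet address space
HOME_LAN="192.168.1.0/24"     # on-premises LAN behind the DD-WRT router
PSK="SecretP@ssw0rd123"       # shared key entered in the Azure template

# Print an ipsec.conf with a single PSK-authenticated IKEv2 tunnel.
# Assumed proposal: AES-256 / SHA-256 / DH group 2, which the Azure
# route-based gateway's default policy accepts; adjust if negotiation fails.
render_ipsec_conf() {
    cat <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 1"

conn azure
    keyexchange=ikev2
    authby=secret
    type=tunnel
    auto=start
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256!
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    dpddelay=30s
    left=%defaultroute
    leftsubnet=$HOME_LAN
    right=$AZURE_GW_IP
    rightsubnet=$AZURE_VNET
EOF
}

# Print the matching ipsec.secrets line: "<local-id> <remote-id> : PSK <key>".
render_ipsec_secrets() {
    printf '%%any %s : PSK "%s"\n' "$AZURE_GW_IP" "$PSK"
}

# Write both files on the router. The secrets file contains the PSK, so it
# must not be readable by anyone but root; then restart and check the SA.
install_config() {
    render_ipsec_conf    > /opt/etc/ipsec.conf
    render_ipsec_secrets > /opt/etc/ipsec.secrets
    chmod 600 /opt/etc/ipsec.secrets
    ipsec restart
    sleep 5
    ipsec statusall   # expect ESTABLISHED and both subnets in the CHILD_SA
}

# Only write to the router when explicitly asked; otherwise just print the
# rendered files so they can be reviewed first.
if [ "${1:-}" = "install" ]; then
    install_config
else
    render_ipsec_conf
    render_ipsec_secrets
fi
```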

Restart IPsec:

Now check if the VPN connection has been established:

You may notice that the public address of the Azure gateway changed from 23.99.93.7 to 40.118.132.69. This is because I was not using the connection for some time and actually deleted the resource group and later re-created it, so a new dynamic public address was assigned. I had to change it in the /opt/etc/ipsec.conf file. Not really a big deal.

The last line in the screen-shot above shows that a connection was established between 192.168.1.0/24 (on premise) and 10.3.0.0/16 (azure VNet).

By default your router will allow all outbound traffic to your defined Azure networks, but will block all traffic initiated towards your on-premises subnet. That is why it is necessary to allow additional traffic between the two internal networks (on-premises and Azure).

Append the following commands to the Firewall script section. Keep in mind that you also need to run these commands in the SSH session if you want the change to take effect immediately.

Now we should be able to ping the private IP address (10.3.1.4) of the Ubuntu virtual machine from our router:

In fact you can do it from any machine on your home network. Here is a screen-shot from my laptop running Windows 10:

To check the connectivity from Azure to the home network I can SSH to the public IP address of the Ubuntu machine and ping one of my computers at home, whose IP address happens to be 192.168.1.10:

This is it – you have a site-to-site VPN connection between your home network and Azure. Congratulations!


Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 4 of 5

Introduction

This is Part 4 of the series of articles about setting up a site-to-site VPN between an on-premises LAN and Azure. Here you will learn how to install and configure strongSwan.

If you missed the Part 3 please check it out here:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 3 of 5

Install strongSwan

From Wikipedia: “strongSwan is a complete IPsec implementation for Linux 2.6, 3.x, and 4.x kernels. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys on smartcards through a standardized PKCS#11 interface.”

To install it on the router, do this:

Use putty to telnet to the router and then run this command:

You need to capture the list of modules in order to install them all. I just copied the information from the screen, pasted it into a text file and then split the modules across several opkg install commands:

Configure strongSwan

The configuration file of strongSwan is located at /opt/etc/strongswan.conf

Open the file in a text editor and override the content with the following text:

Configure the router firewall

Add these rules to the router firewall (Administration -> Commands -> Save Firewall):

Reboot the router in order to apply the firewall rules.
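The firewall rules saved in this step, and the forwarding rules that Part 5 appends later, are not on this page. The script below is an added example (this editor's suggestion, not the author's script) that prints one complete rule set for the series' addresses: IKE, NAT-T and ESP are accepted only from the Azure gateway, forwarded traffic from the VNet must have arrived through an IPsec SA, and VNet-bound traffic is excluded from the WAN masquerade. The gateway IP, subnets and the availability of the iptables policy match on DD-WRT are assumptions.

```shell
#!/bin/sh
# Added example: DD-WRT firewall rules for the strongSwan tunnel from this
# series. Values are the series' addresses; the rules are this editor's
# suggestion, not the author's original "Save Firewall" script.

AZURE_GW_IP="40.118.132.69"   # Azure VPN gateway public IP (IKE/ESP peer)
AZURE_VNET="10.3.0.0/16"      # azureVnet address space
HOME_LAN="192.168.1.0/24"     # on-premises LAN

# Print the iptables commands one per line so they can be reviewed, pasted
# into Administration -> Commands -> Save Firewall, or piped to sh.
ipsec_firewall_rules() {
    # 1. IKE (500/udp), NAT-T (4500/udp) and ESP on the WAN side, but only
    #    from the Azure gateway: no need to expose IKE to the whole internet.
    echo "iptables -I INPUT -p udp --dport 500 -s $AZURE_GW_IP -j ACCEPT"
    echo "iptables -I INPUT -p udp --dport 4500 -s $AZURE_GW_IP -j ACCEPT"
    echo "iptables -I INPUT -p esp -s $AZURE_GW_IP -j ACCEPT"
    # 2. Forward between the two private networks. Packets from the VNet are
    #    accepted only if they were decrypted from an IPsec SA (-m policy),
    #    so a spoofed WAN packet with a 10.3.x.x source is still dropped.
    #    (Assumes the xt_policy match is available in the DD-WRT kernel.)
    echo "iptables -I FORWARD -s $HOME_LAN -d $AZURE_VNET -j ACCEPT"
    echo "iptables -I FORWARD -s $AZURE_VNET -d $HOME_LAN -m policy --dir in --pol ipsec -j ACCEPT"
    # 3. Keep VNet-bound traffic out of the WAN masquerade; otherwise the
    #    source is rewritten to the public IP, no longer matches leftsubnet,
    #    and the packet never enters the tunnel.
    echo "iptables -t nat -I POSTROUTING -s $HOME_LAN -d $AZURE_VNET -j ACCEPT"
}

# Number of rules that would be applied; a quick sanity check before use.
rule_count() {
    ipsec_firewall_rules | wc -l | tr -d ' '
}

# Apply only when asked, so running the script for review changes nothing.
if [ "${1:-}" = "apply" ]; then
    ipsec_firewall_rules | sh
fi
```

Run it on the router with the argument apply (or paste the printed lines into the Firewall script) and reboot, as the article says, so the rules survive a restart.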

This concludes the installation and configuration of strongSwan.

In the last part we are going to use the Azure RM Portal to deploy a site-to-site template and configure the IPSec on the router. This is the last step and after that you will have a working site-to-site VPN connection from your home network to Azure:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 5 of 5


Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 3 of 5

Introduction

This is Part 3 of the series of articles about setting up a site-to-site VPN between an on-premises LAN and Azure. Here you will learn how to install Entware-ng-3x.

Entware-ng-3x is a fork of Entware-ng that uses the newer 3.x kernels to build the toolchain.

If you missed the Part 2 please check it out here:


Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 2 of 5

Prepare USB drive

You need a USB drive with an ext2 or ext3 file system. ext3 adds journaling, which means more writes to the USB drive. I do not know how, or whether it is possible, to disable journaling, so I decided to go with ext2 to minimize the write operations to the drive. If you know more about the pros and cons of using ext2 vs. ext3 on a USB flash drive, please feel free to leave a comment.

  1. Use the web interface to connect to dd-wrt and enable Core USB Support, USB Storage Support and Automatic Drive Mount:


  2. Plug the USB drive into the USB 2.0 port and connect with PuTTY over telnet (port 23)
  3. Use fdisk to see the USB drive device name and then mkfs.ext2 to format it as ext2:

    In this case the device is /dev/sda. Use the -L parameter with mkfs.ext2 to specify the label for the USB drive. Your drive may already be formatted and mounted, in which case mkfs will refuse to make a file system so that it does not accidentally delete any data. If you are sure you want to use this drive anyway, first un-mount it and try again.


    NOTE: I am taking these screen-shots after the fact and the IP address shown in the Putty window is different than the one we started with (192.168.29.1). I just noticed it and decided to mention it in case you were wondering.

     

  4. Restart the router from Administration -> Management -> Reboot Router:
  5. Go to Service -> USB and copy the UUID information from the Disk Info to “Mount this Partition to /opt”
  6. Click Save and the Apply Setting at the bottom of the page
  7. Restart the router
  8. Now the drive should be mounted at /opt:

 

Install Entware-ng 3x

  1. Use putty to telnet to the router
  2. Type the following commands to install Entware-ng 3x:
       cd /opt
       wget -O - http://entware-3x.zyxmon.org/binaries/armv7/installer/install_std.sh | sh
     Note: We install the ARM version because the processor of the router is ARM. If you have a different router you should choose the binaries that match its processor architecture.
  3. Update / upgrade:

  4. Go to Administration -> Commands and save the following as startup commands:
       sleep 10
       /opt/etc/init.d/rc.unslung start
  5. Reboot the router

 

This concludes the installation of Entware-ng 3x.

In the next part we are going to install strongSwan:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 4 of 5

 

 

 


Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 2 of 5

Introduction

This is Part 2 of the series of articles about setting up site-to-site VPN between on premise LAN and Azure. If you missed the Part 1 please check it out here:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 1 of 5

In Part 2 you will find out how to replace the T-Mobile firmware with DD-WRT.

Flash Asus T-Mobile Cellspot with DD-WRT

I used the instructions from Asus T-Mobile Cellspot. The main problem was that there were too many external links to follow and too many edits / ways to do a certain thing. With so much information you can get lost. My goal is to give you a streamlined process to follow: the same one that I followed and that worked for me.

The overall process is as follows:

  1. Download tools and firmwares
  2. Downgrade the actual firmware
  3. Backup the CFE (Common Firmware Environment)
  4. Patch the CFE (change the MAC addresses and the secret code numbers)
  5. Flash the patched CFE
  6. Install Merlin firmware
  7. Install DD-WRT firmware

Downgrading the CFE and the firmware is required in order to “unlock” the router. Without this it will not allow you to flash a third-party firmware like Merlin or DD-WRT.

I am not sure why Merlin was installed before DD-WRT. I followed the instructions and it worked.

Download tools and firmwares

The original article has a link to a .rar file that contains the tools. I ended up not using some of them (the HEX editor, for example). Because of that I compiled my own tmo2ac68u.zip file with the tools and firmwares I used. Download the file by clicking the link above. Unzip it. It should look like this:

Downgrade the firmware

You need to flash the older firmware found in 02. T-Mobile Firmware folder. Do the following:

  1. Connect a cable to the Ethernet port of your computer. Connect the other end to one of the LAN ports of the router. LAN ports are yellow.
    I am assuming your computer has an Ethernet port. If not, find one that has, because you need to be connected with a cable:

    You also need to set a static IP address for your Ethernet adapter as shown below:
  2. Disable Wi-Fi. This is to prevent any IP conflict in case the router and your LAN are on the same sub-net.
  3. Place the router into “recovery mode” by doing the following:
    1. Turn off router with push button
    2. Press and hold reset button
    3. Turn on router with push button
    4. Release reset button when power light flashes slowly
      NOTE: This can be tricky. I was not able to get the power light to flash. I had to try several times and also to use the WPS button as described here: Recovery Mode Flashing Instructions
  4. Use browser to go to router homepage (192.168.29.1 for T-Mobile). You should see something like this:

  5. Click Browse and select the TM-AC1900_3.0.0.4_376_1703-g0ffdbba.trx file from the 02. T-Mobile Firmware folder.
  6. Click Upload.
  7. Perform an NVRAM reset by doing:
    * Power off the router
    * Hold the WPS button
    * Power on the router and keep WPS pressed for 10-15 seconds
    * Reboot and allow 5 minutes to rebuild NVRAM variables.

Backup the CFE

Go to the router homepage (http://192.168.29.1). Enable telnet by navigating: Administration -> System -> Enable Telnet=Yes -> click ‘Apply’

You have to back up the original CFE to a USB stick. The files are small, so any size should work. Make sure it is formatted as FAT32.

  1. Plug the USB stick into your computer and copy the following files from the “01. CFE & Tools” folder:
    mtd-write
    rt-ac68u_1.0.2.0_us.bin
    cfe.exe
  2. Rename rt-ac68u_1.0.2.0_us.bin to new_cfe.bin
  3. Safely remove (eject) the USB stick from your computer and connect it to the black (USB 2.0) port on the back of the router. Run putty.exe from the “01. CFE & Tools” folder and connect to 192.168.29.1 on port 23.
  4. Log in with username admin and password password, provided you did not change the default ones.
  5. Save existing CFE onto USB stick:

    Replace USB_NAME with USB flash drive name:

  6. Wait 10 seconds and remove the flash drive from the router

Patch the CFE

  1. Plug the USB stick into your computer and verify you have the following files present:
    mtd-write
    new_cfe.bin
    original_cfe.bin
    cfe.exe
  2. Run cfe.exe. This will read the MAC addresses and the secret code number from original_cfe.bin and save them in new_cfe.bin
    You should see a message that says the process completed successfully. If you don’t see it, try to do it manually as described under Section 5 here.
  3. Eject the USB drive from your computer and connect it to the USB 2.0 port on the router.

Flash the patched CFE

  1. Wait 15 seconds and perform NVRAM reset (see above for how to do it in case you forgot).
    NOTE: This is the part that I was not sure was needed, but I followed it. The NVRAM reset disabled telnet and restored the default username and password. This is something to pay attention to. Please enable telnet again.
  2. Use PuTTY to connect to the router at 192.168.29.1 on port 23 and run these commands:

    Again, replace USB_NAME with the name of your USB drive
  3. Wait 15 seconds and reboot the router by typing this command:
       reboot <Enter>
  4. Wait until the router has completely rebooted (2-3 minutes to be safe) and perform an NVRAM reset (see above for how to do it in case you forgot).
  5. The NVRAM reset should disable telnet. Please enable it again and connect to the router
  6. Verify the version of the CFE by running this command:
       nvram get bl_version <Enter>
     It should show 1.0.2.0

Install Merlin firmware

  1. Place router in recovery mode
  2. Flash Merlin firmware from “03. Merlins Firmare” folder via the CFE Webserver recovery mode
  3. Perform NVRAM reset

Install DD-WRT firmware

  1. Enable Telnet and connect to the router
    NOTE: After flashing Merlin the IP address of the router changed from 192.168.29.1 to 192.168.1.1. I had to change my static address from 192.168.29.2 to 192.168.1.2 to be able to connect via telnet.
  2. Go to Administration -> Firmware Upgrade and flash the Brainslayer version of DD-WRT found in the 04. DD-WRT Firmware\01. BrainSlayer folder.
  3. Enable Telnet and connect with putty
  4. Run these to clean the NVRAM and reboot:
  5. Use the web interface and go to Administration -> Firmware upgrade  and flash the Kong version of DD-WRT found in 04. DD-WRT Firmware\02. Kong folder
  6. Perform NVRAM reset by doing:
    * Power off the router
    * Hold the WPS Button
    * Power on the router and keep the WPS pressed for 10-15 seconds
    * Reboot and allow 5 minutes to rebuild NVRAM variables.

That’s it! In the next part we are going to install Entware-ng:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 3 of 5

 


Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 1 of 5

Introduction

This article describes how to set up a site-to-site VPN between a home network and Azure using a consumer-grade wireless router.

Once completed, this will allow you to access resources (virtual machines, databases, etc.) in Azure as if they were part of your home LAN. You can also access the resources on your home network from Azure.

The following diagram shows what the site-to-site VPN will look like at the end:

Credit

This article is based on work other people did before me and I would like to give them credit for it. Here are the main sources I used:

Asus RT-AC68U
Asus T-Mobile Cellspot

The two links above, and all the other resources linked from there, helped me to successfully replace the T-Mobile firmware with DD-WRT.

ON-PREMISES SITE 2 SITE VPN WITH AZURE USING TOMATO SHIBBY MOD (ENTWARE-NG AND STRONGSWAN SETUP) – PART 1

Viorel’s article helped me a great deal while installing Entware-NG and configuring strongSwan. In his set-up he uses Tomato Shibby Mod, so if you are using this instead of DD-WRT make sure to check it out.

One bite at a time

This whole process can be divided into several steps and I will create a separate post for each of them. Here I will give the high-level overview.

In order to set up a site-to-site VPN with Azure you need a “VPN Device” that can act as a VPN gateway in your on-premises network. It can be a hardware device, for example a Barracuda NextGen Firewall F-series, or software such as the Routing and Remote Access Service (RRAS) that comes with Windows Server 2012 R2.

Specialized hardware VPN devices can be expensive. A Windows Server license plus a machine to run it on is also expensive. Luckily there is another way: you can use an inexpensive router to achieve the same goal. You may even be lucky enough to use your existing router, if it meets certain requirements.

Your router needs to support IPsec and IKEv2. If the stock firmware does not support them you may be able to install an alternative firmware that does, or install additional software like strongSwan. This is what I did.

I did not want to mess up my existing network, so I decided to buy a new router to play with. I picked a T-Mobile branded router that is actually the same as ASUS RT-AC68U but is just half the price.

Once you get the router the rest of the process is roughly as follows:

  1. Get rid of the T-Mobile firmware. You want to do this because it is locked and does not allow you to flash non-T-Mobile firmware.
  2. Install DD-WRT. This is an alternative firmware which I have been using for some time. It allows you to install strongSwan.
  3. Install Entware-ng-3x and strongSwan.
  4. Configure the site-to-site VPN

 

Please, read the second part where I describe how to replace the T-Mobile firmware with DD-WRT:

Site-to-Site VPN between on premise network and Azure using DD_WRT and Entware / StrongSwan – part 2 of 5

 


Asus RT-AC68U – Original Firmware Install Procedure

This is the procedure to recover to the original firmware after an unsuccessful firmware update (courtesy of dd-wrt.com)

Preparation:

1) On a Microsoft Windows computer download and install the ASUS recovery tool from: http://www.asus.com/Networking/RTAC68U/HelpDesk_Download/

2) Download the original Asus stock firmware from: http://www.asus.com/Networking/RTAC68U/HelpDesk_Download/

3) Set your windows network settings to a static IP of 192.168.1.5, and subnet 255.255.255.0 (Gateway and DNS not needed).

Recovery Mode Flashing Instructions:

1) Power off the unit.

2) Press and hold on to the WPS button.

3) While holding down the WPS button, power on the unit.

4) Keep holding the WPS button until the power led starts to blink a few times.

5) When the power led starts blinking / flashing, release the WPS button.

6) Power off the unit.

7) Press and hold on to the reset button.

8) While holding down the reset button, power on the unit.

9) Keep holding the reset button until the power led starts to blink on and off repeatedly. (This means the unit is now in emergency recovery mode)

10) Plug in your computer with the ASUS recovery tool directly into Lan port 1 on the router.

11) Run the ASUS Recovery software, and select the stock Asus firmware.

12) Click the “Upload” button.

13) The ASUS recovery software should detect the router, and start to upload the firmware.

  • If the ASUS recovery software doesn’t detect the router, try disabling your windows firewall, and also disabling and then re-enabling your network adapter in windows networking settings.

14) Once the router has flashed and rebooted with the stock firmware, set your network adapter settings back to DHCP. Your computer should pick up an address from the router, and then you can navigate to 192.168.1.1 in the web browser to start re-configuring the router.

 


Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: Azure portal

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal


Connecting the Home Lab to Azure on the Cheap

http://www.jandjnet.com/connecting-the-home-lab-to-azure-on-the-cheap-6/
