,

Restart Network Service on CentOS 8 or RHEL 8

No comments

This tutorial will help you to Start/Stop and Restart the network services on a CentOS 8 or RHEL 8 Linux system. Here are the two methods available. We prefer method 1 to use.



Method 1 – Using NetworkManager Service

Use the followings commands to start/stop network service on your CentOS/RHEL 8 Linux system.


sudo systemctl start NetworkManager.service
sudo systemctl stop NetworkManager.service


Use the followings commands to restart network service on your CentOS/RHEL 8 Linux system.


sudo systemctl restart NetworkManager.service

Method 2 – Using nmcli Tool

The nmcli is the command-line utility for the managing NetworkManager on CentOS/RHEL 8 Linux system. You can simply use this utility to stop/start network service on your CentOS 8 or RHEL 8 system.


WARNING – Do not run nmcli networking off for the remotely connected systems. This will disable the NetworkManager network connections on the machine and you will lose connection.
sudo nmcli networking off
sudo nmcli networking on


The above command will disable/enable the network connections on CentOS 8 or RHEL 8 Linux system.

Continue reading Restart Network Service on CentOS 8 or RHEL 8
, ,

Set up OpenVPN Server In 5 Minutes on Centos8 Linux

No comments

 am a new Ubuntu Linux server user. How do I setup an OpenVPN Server on Ubuntu Linux version 18.04/20.04 LTS or 20.10 server to shield my browsing activity from bad guys on public Wi-Fi, and more?



OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux 18.04/20.04 LTS (20.10) version including ufw/iptables firewall configuration. The steps are as follows:

  1. Find and note down your public IP address
  2. Download openvpn-install.sh script
  3. Run openvpn-install.sh to install OpenVPN server

Find your public IP address:

Use any one of the following command to find out your IPv4 public address. If your internface name is eth0 or eth1, enter:
ip addr show eth0
OR
ip addr show eth1
OR
ip a


[root@radius ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 74:56:3c:37:b4:2c brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.6/24 brd 192.168.33.255 scope global noprefixroute enp5s0
       valid_lft forever preferred_lft forever
    inet 59.152.XXX.XXX/29 brd 59.152.107.151 scope global noprefixroute enp5s0
       valid_lft forever preferred_lft forever
    inet 192.168.33.7/24 brd 192.168.33.255 scope global secondary noprefixroute enp5s0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::334f:6f01:66fc:20b6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
[root@radius ~]#

Note down the public IPv4 address
59.152.XXX.XXX/29

Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu

Type the following wget command or curl command:
wget https://git.io/vpn -O openvpn-install.sh

wget grabbing the script:

[root@radius ~]# wget https://git.io/vpn -O openvpn-install.sh
--2024-01-03 06:04:21--  https://git.io/vpn
Resolving git.io (git.io)... 140.82.114.21
Connecting to git.io (git.io)|140.82.114.21|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2024-01-03 06:04:23--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.github.com (raw.github.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2024-01-03 06:04:23--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23714 (23K) [text/plain]
Saving to: ‘openvpn-install.sh’
openvpn-install.sh                                          100%[========================================================================================================================================>]  23.16K  --.-KB/s    in 0.008s
2024-01-03 06:04:24 (2.69 MB/s) - ‘openvpn-install.sh’ saved [23714/23714]
[root@radius ~]#

We can verify script using a text editor such as nano command or vim command:
vi openvpn-install.sh

Running openvpn-install.sh to install OpenVPN server

Type the following command:
sudo chmod +x openvpn-install.sh
sudo bash openvpn-install.sh
Make sure you provide needed information:

[root@radius ~]# ./openvpn-install.sh

Welcome to this OpenVPN road warrior installer!


Which IPv4 address should be used?

     1) 192.168.33.6

     2) 59.152.107.147

     3) 192.168.33.7

IPv4 address [1]: 2


Which protocol should OpenVPN use?

   1) UDP (recommended)

   2) TCP

Protocol [1]: 1


What port should OpenVPN listen to?

Port [1194]: 1194


Select a DNS server for the clients:

   1) Current system resolvers

   2) Google

   3) 1.1.1.1

   4) OpenDNS

   5) Quad9

   6) AdGuard

DNS server [1]: 3


Enter a name for the first client:

Name [client]: nextgen


OpenVPN installation is ready to begin.

Press any key to continue...

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/openvpn/server/easy-rsa/pki

Using Easy-RSA configuration:
* undefined

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
.................................+++++
..........+++++

Notice
------
CA creation complete. Your new CA certificate is at:
* /etc/openvpn/server/easy-rsa/pki/ca.crt

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
.......................+++++
.....................................................................................................................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/44ea2e7f/temp.1.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/server/easy-rsa/pki/reqs/server.req
* key: /etc/openvpn/server/easy-rsa/pki/private/server.key

Using configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec 31 11:06:09 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /etc/openvpn/server/easy-rsa/pki/issued/server.crt

Notice
------
Inline file created:
* /etc/openvpn/server/easy-rsa/pki/inline/server.inline

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
..............................................................................................................+++++
.....................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/7b06327f/temp.1.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/server/easy-rsa/pki/reqs/nextgen.req
* key: /etc/openvpn/server/easy-rsa/pki/private/nextgen.key

Using configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'nextgen'
Certificate is to be certified until Dec 31 11:06:10 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /etc/openvpn/server/easy-rsa/pki/issued/nextgen.crt

Notice
------
Inline file created:
* /etc/openvpn/server/easy-rsa/pki/inline/nextgen.inline

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Using configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf

Notice
------
An updated CRL has been created:
* /etc/openvpn/server/easy-rsa/pki/crl.pem

Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@.service.

Finished!

The client configuration is available in: /root/nextgen.ovpn
New clients can be added by running this script again.
[root@radius ~]#

 

Start/stop/restart OpenVPN server on Centos 8


Run the following systemctl command to stop the OpenVPN service:
sudo systemctl stop openvpn-server@server.service
Want to start it again? Try:
sudo systemctl start openvpn-server@server.service
The command to restart the OpenVPN service:
sudo systemctl restart openvpn-server@server.service
View status of your OpenVPN systemd based service:
sudo systemctl status openvpn-server@server.service

● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-01-03 06:06:10 EST; 25min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 16020 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 47953)
   Memory: 1.2M
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─16020 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config server.conf

Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 [nextgen] Peer Connection Initiated with [AF_INET]59.152.105.235:64346
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI: Learn: 10.8.0.2 -> nextgen/59.152.105.235:64346
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI: primary virtual IP for nextgen/59.152.105.235:64346: 10.8.0.2
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 PUSH: Received control message: 'PUSH_REQUEST'
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 SENT CONTROL [nextgen]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,route-gateway >
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Conclusion

And there you have it, OpenVPN server installed in five minutes to increase your privacy. Please see OpenVPN project and road warrior installer Linux script.

Continue reading Set up OpenVPN Server In 5 Minutes on Centos8 Linux
,

Installing PHP Composer on CentOS 8 [Quick Way]

No comments

 Perform the following steps to quickly install Composer on your CentOS 8 system:


  1. Install PHP CLI and Zip:

    $ sudo dnf install php-cli php-json php-zip curl unzipCopy

  2. Download Composer with curl:

    $ curl -sS https://getcomposer.org/installer |php

  3. Move the Composer file to /usr/local/bin directory:

    $ sudo mv composer.phar /usr/local/bin/composer
Continue reading Installing PHP Composer on CentOS 8 [Quick Way]
, , , , ,

WAY TO VIEW WIREGUARD LOGS

No comments

 

IPTABLES

Similar to tcpdump, the LOG target of iptables allows you to log each packet that’s sent to and from WireGuard. Most Linux systems use iptables, or its newer sibling nftables, to define their firewall.



If you’re using iptables, you can run the following commands to add iptables rules that will log the header info of IPv4 packets carrying WireGuard encrypted content (where 51820 is the ListenPort in your WireGuard config):

# iptables -I INPUT -p udp --dport 51820 -j LOG --log-prefix 'wireguard iptables: ' --log-level 7
# iptables -I OUTPUT -p udp --sport 51820 -j LOG --log-prefix 'wireguard iptables: ' --log-level 7

If you’re using IPv6 networking, replace iptables with ip6tables; or if you’re using both IPv4 and IPv6, run both variants.

Once you do that, you’ll be able to see WireGuard packets logged to the kernel message buffer. If your system is set up with rsyslogd, journald, or a similar logging daemon, you can use it to see this logging. With rsyslogd, check the /var/log/kern.log or /var/log/messages file. With journald, run journalctl -ek.

To capture this logging to its own file, you can “tail” these messages via the dmesg command’s -w (follow) flag:

# touch /var/log/wireguard-iptables.log
# dmesg -wT | grep 'wireguard iptables:' >> /var/log/wireguard-iptables.log

This will allow you to track the remote IP addresses that are connecting to your local WireGuard interface. A WireGuard handshake and short encrypted HTTP request and response will look like this:

[Sat Mar  6 20:45:15 2021] wireguard iptables: IN=eth0 OUT= MAC=06:24:d3:09:8d:9b:06:01:1a:2a:77:f7:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=176 TOS=0x08 PREC=0x80 TTL=64 ID=39062 PROTO=UDP SPT=51820 DPT=51820 LEN=156
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN= OUT=eth0 SRC=198.51.100.1 DST=203.0.113.2 LEN=120 TOS=0x08 PREC=0x80 TTL=64 ID=48534 PROTO=UDP SPT=51820 DPT=51820 LEN=100
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN=eth0 OUT= MAC=06:24:d3:09:8d:9b:06:01:1a:2a:77:f7:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=39063 PROTO=UDP SPT=51820 DPT=51820 LEN=104
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN= OUT=eth0 SRC=198.51.100.1 DST=203.0.113.2 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=48535 PROTO=UDP SPT=51820 DPT=51820 LEN=104
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN=eth0 OUT= MAC=06:24:d3:09:8d:9b:06:01:1a:2a:77:f7:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=39064 PROTO=UDP SPT=51820 DPT=51820 LEN=104
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN=eth0 OUT= MAC=06:24:d3:09:8d:9b:06:01:1a:2a:77:f7:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=204 TOS=0x00 PREC=0x00 TTL=64 ID=39065 PROTO=UDP SPT=51820 DPT=51820 LEN=184
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN= OUT=eth0 SRC=198.51.100.1 DST=203.0.113.2 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=48536 PROTO=UDP SPT=51820 DPT=51820 LEN=104
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN= OUT=eth0 SRC=198.51.100.1 DST=203.0.113.2 LEN=268 TOS=0x00 PREC=0x00 TTL=64 ID=48537 PROTO=UDP SPT=51820 DPT=51820 LEN=248
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN= OUT=eth0 SRC=198.51.100.1 DST=203.0.113.2 LEN=412 TOS=0x00 PREC=0x00 TTL=64 ID=48538 PROTO=UDP SPT=51820 DPT=51820 LEN=392
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN=eth0 OUT= MAC=06:24:d3:09:8d:9b:06:01:1a:2a:77:f7:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=39066 PROTO=UDP SPT=51820 DPT=51820 LEN=104
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN=eth0 OUT= MAC=06:24:d3:09:8d:9b:06:01:1a:2a:77:f7:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=39067 PROTO=UDP SPT=51820 DPT=51820 LEN=104
[Sat Mar  6 20:45:15 2021] wireguard iptables: IN= OUT=eth0 SRC=198.51.100.1 DST=203.0.113.2 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=48539 PROTO=UDP SPT=51820 DPT=51820 LEN=104
[Sat Mar  6 20:45:25 2021] wireguard iptables: IN=eth0 OUT= MAC=06:24:d3:09:8d:9b:06:01:1a:2a:77:f7:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39108 PROTO=UDP SPT=51820 DPT=51820 LEN=40

In the above output, 198.51.100.1 is the IP address of the ethernet interface on the local host, and 203.0.113.2 is the IP address of the remote WireGuard endpoint (the remote endpoint is also listening on port 51820, but the above iptables rules would capture similar output even if the remote endpoint was on some other port).

You can also use iptables to log the packets that are sent inside the WireGuard tunnel. Run the following commands to log packet headers sent through the tunnel to and from the system itself (where wg0 is the name of your WireGuard interface):

# iptables -I INPUT -i wg0 -j LOG --log-prefix 'tunnel wireguard iptables: ' --log-level 7
# iptables -I OUTPUT -o wg0 -j LOG --log-prefix 'tunnel wireguard iptables: ' --log-level 7

And run the following commands to log packer headers sent through the tunnel to and from other hosts (if the system is operating as a router for other hosts on its network):

# iptables -I FORWARD -i wg0 -j LOG --log-prefix 'tunnel wireguard iptables: ' --log-level 7
# iptables -I FORWARD -o wg0 -j LOG --log-prefix 'tunnel wireguard iptables: ' --log-level 7

This will allow you to track exactly what is being sent through your WireGuard virtual private network. The short HTTP request and response from above will look like this when logging the packets within the tunnel:

[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN=wg0 OUT= MAC= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25937 DF PROTO=TCP SPT=34770 DPT=8080 WINDOW=62167 RES=0x00 SYN URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN= OUT=wg0 SRC=10.0.0.1 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=34770 WINDOW=62083 RES=0x00 ACK SYN URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN=wg0 OUT= MAC= SRC=10.0.0.2 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=25938 DF PROTO=TCP SPT=34770 DPT=8080 WINDOW=972 RES=0x00 ACK URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN=wg0 OUT= MAC= SRC=10.0.0.2 DST=10.0.0.1 LEN=129 TOS=0x00 PREC=0x00 TTL=64 ID=25939 DF PROTO=TCP SPT=34770 DPT=8080 WINDOW=972 RES=0x00 ACK PSH URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN= OUT=wg0 SRC=10.0.0.1 DST=10.0.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2583 DF PROTO=TCP SPT=8080 DPT=34770 WINDOW=969 RES=0x00 ACK URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN= OUT=wg0 SRC=10.0.0.1 DST=10.0.0.2 LEN=206 TOS=0x00 PREC=0x00 TTL=64 ID=2584 DF PROTO=TCP SPT=8080 DPT=34770 WINDOW=969 RES=0x00 ACK PSH URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN= OUT=wg0 SRC=10.0.0.1 DST=10.0.0.2 LEN=349 TOS=0x00 PREC=0x00 TTL=64 ID=2585 DF PROTO=TCP SPT=8080 DPT=34770 WINDOW=969 RES=0x00 ACK PSH FIN URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN=wg0 OUT= MAC= SRC=10.0.0.2 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=25940 DF PROTO=TCP SPT=34770 DPT=8080 WINDOW=970 RES=0x00 ACK URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN=wg0 OUT= MAC= SRC=10.0.0.2 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=25941 DF PROTO=TCP SPT=34770 DPT=8080 WINDOW=966 RES=0x00 ACK FIN URGP=0
[Sat Mar  6 20:45:15 2021] tunnel wireguard iptables: IN= OUT=wg0 SRC=10.0.0.1 DST=10.0.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2586 DF PROTO=TCP SPT=8080 DPT=34770 WINDOW=969 RES=0x00 ACK URGP=0

In the above output, the IP address of local WireGuard interface is 10.0.0.1, and the IP address of the remote WireGuard peer is 10.0.0.2. An HTTP server is running on port 8080 of the local host, which the remote host is connecting to through the WireGuard tunnel (using the ephemeral TCP port 34770 inside the tunnel).

You can use the iptables logging on UDP port 51820 (the first example) to keep track of the external IP addresses that are connecting to your WireGuard network; and the iptables logging on the wg0 interface (the last example) to track which peers are using your network (and what they’re accessing inside the network).

You can remove iptables rules by running the same command you used to add them, except replacing the -I flag (or the -A flag for appended rules) with the -D flag. For example, you can remove the last two rules added above by running the following commands:

# iptables -D FORWARD -i wg0 -j LOG --log-prefix 'tunnel wireguard iptables: ' --log-level 7
# iptables -D FORWARD -o wg0 -j LOG --log-prefix 'tunnel wireguard iptables: ' --log-level 7

To check for active rules that you may want to remove, run iptables-save (iptables-save doesn’t actually save anything, it just dumps all active rules in a format that can be saved and restored).

Continue reading WAY TO VIEW WIREGUARD LOGS
, ,

Automatically Backup Your Files to a Remote Server with Rsync

No comments

Ever worry about losing your data, or get tired of performing manual backups daily or weekly? Use the rsync command and automatically sync your local files to a remote server as often as desired with no manual intervention. Please note, this guide does require access to a remote Linux server (eg. AWS), and is written under Ubuntu 20.04 although any Linux distro should work fine. 



Install rsync

Before anything, check whether or not rsync is installed. On both your local PC and web server run this command:

rsync --version

If you get the current rsync version in return, then you're all set for the next section. Otherwise, if you receive a command not found error, you may install rsync with this command:

sudo apt-get -y install rsync

Generate SSH Key

We will use a SSH key to authenticate the connection between our local PC and the remote server. To generate a new SSH key on your local PC within the terminal run the command:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/rsync.key

When prompted for a password, leave it blank and hit the Enter key twice. This will generate two new files within your ~/.ssh/ directory named rsync.key which is the private key, and rsync.key.pub, the public key.

Setup Remote Server

Although not required, for this guide we will create a new user on the remote server for rsync connections and to store all backup files. Login to the remote server via SSH and run this command:

sudo useradd -m rsync

The above example uses the username rsync, but you may change it to anything you wish. The -m option simply tells Linux to create a home directory for our new user.

To allow your local PC to authenticate, the public SSH key that was generated in the previous section needs to be copied over to the remote server. Open the /~.ssh/rsync.key.pub file in a text editor and you will see one large line that looks something like.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNhyYKsjcGGdXmzOM3742+c+TzMLFdZtrMPj1q6JWNWzgY/gTGVy1C72kw6BcTYSG8B8kLQlaBRl16m2Gm8Ra/U1wl0TYSufOnRKjGq2glnBPysWNzR6i9qd4h/byKa4ptNH/ieYkT+BnSJVo8fT0iboYwEaL9D0jPtYxFzZes2ctsGZ/zi78VlX9N224YBtoZcrxK6gzKtcIVrplsXt4MbMCPc0hfr9f2VMt0HignLphTDLQWKwF3sGi4OHDPzNTRkjyHazsIOFIKDLQgdsIJv7b2VMs028YDqPnXHZZl4Ix5vg8ssqE+s/J+rzS0B6gwj2b/f6vJMI9DmTk8SO5LKWtSl4lXjLpQ1eP+xjf3SeMFWWkk2tPpGBo6d+8VJT6htj9Ga927qx3bYJ3FDdqjoE/28yBzMsg3wKI8lobiQGIbF0B0jZmSeq42ds7dh76iU/LOraWJWJhKPIjCYHdaVqj5rgxSulUW6oqr/LOxMNwsj5NLpyKygr5/RVjCUpxQLw5G7AClmW5nOZDFUgtI1CAOzhG8oYQes7jE7ZbQKmMf9IGquNV1BCRGX2mbcYad77UE2IjzPqSG8pFGb7ekZA6ukUk61fqoheL4Zl2jmhhWoXQ09LZE9FNfr1UwIoZ+GwUcip8NPIZPSo+Z4yMB/5VNF7J0o76eTNwh0gZlEw== user@host

This long line is the public SSH key. Copy it to your clipboard, and within your remote server run these commands:

sudo su rsync

mkdir -m 0700 $HOME/.ssh

echo "ssh-rsa AAAAB... user@host" > $HOME/.ssh/authorized_keys

chmod 0644 $HOME/.ssh/authorized_keys

In the second last command, replace the text between the quotation marks with that long public SSH key line. That's it, your local PC will now be able to authenticate with your remote server.

Configure ssh config File

For sake of simplicity, add an entry to the ~/.ssh/config file on your local PC to easily connect to the remote server. Open the file on your local PC with the command.

nano $HOME/.ssh/config

Within the file add an entry for the remote server such as:

host backup_server
    hostname 192.168.0.24
    user rsync
    IdentityFile ~/.ssh/rsync.key

Change the hostname to the IP address of your remote server, and if you used a username other than "rsync" change that as well. You may use anything you wish for the host, but for this example, "backup_server" was used. Save and close the file by pressing Ctrl+X followed by the "Y" and Enter keys.

Test your SSH connection to the remote server with the command.

ssh backup_server

Assuming everything is set up correctly, you should now be logged into your remote server via SSH. Close the connection with the command.

exit

Sync Your Files

Now test the rsync functionality, and for example, to sync your Documents directory on your local PC run the command:

rsync -avz --progress ~/Documents/ backup_server:~/Documents

The first occurrence of ~/Documents/ specifies the local file or directory to sync, backup_server corresponds with the entry added to the ~/.ssh/config file, and the ending :~/Documents simply specifies to upload everything into the /Documents directory of the remote server relative to the home directory.

Log in to the remote server, and you should see a new Documents directory that is in sync with that of your local PC. Each time you run the above command, only files that have been modified since the last time will be uploaded, so you're not constantly uploading the entire contents of the directory.

Automate via Crontab

Now that everything is tested and working properly, we can easily automate the entire process by adding a crontab job to our local PC. To automatically sync your local folder to the remote server every 15 minutes, within the terminal run the command.

(crontab -l; echo "*/15 * * * * rsync -avz --progress ~/Documents/ backup_server:~/Documents > /dev/null 2>&1";) | crontab

You may get a "no crontab for user" message, and you can just ignore it. Change the Documents directory to whatever you wish to backup, but ensure to leave a trailing slash for directories otherwise they will not properly backup.

Check to ensure the crontab job was successfully added with the command.

crontab -l

If you see the crontab job that was just added, then everything is in place. Wait 15 minutes, check your remote server, and all necessary files should be there. Starting from now, all changes made to your files will be automatically uploaded to the remote server every 15 minutes.

Download from Remote Server

You may also use rsync to download files from the remote server and sync them to your local PC. Using the above /Documents directory example, within the terminal run the command:

rsync -chavzP backup_server:~/Documents/ ~/Documents

The ~./Documents directory on your local PC should now be a mirror image of the remote server.

Include and Exclude Patterns

If you ever need to sync only files that match a certain pattern, such as end with .html you can use the --include pattern. Within terminal run the command.

rsync -avz --include "*.html" --progress ~/mysite/ backup_server:~/public_html

Check the remote server, and you will see only files with a .html extension from the local /mysite/ directory have been uploaded into the /public_html/ remote directory. Similarly, you can also sync everything except certain files with the --exclude option. For example, the following command will sync all files except those with a .txt extension.

rsync -avz --exclude "*.txt" --progress ~/mysite/ backup_server:~/public_html

Sync Two Local Directories

If ever needed, you may also sync two local directories with the command.

rsync -zvr ~/source/directory ~/destination/directory

This command works exactly the same as when syncing to a remote server, the only difference being its two local directories.

Rest Easy

You can now breathe a sigh of relief knowing your chances of data loss are now substantially lower. In this article, you have learned what rsync is, how to generate and install an SSH key, define a server within the ~./.ssh/config file, sync a local and remote directory, and automate the entire process via crontab. Going forward, all necessary files will always be synced with your remote server with only a 15-minute delay.

 


Continue reading Automatically Backup Your Files to a Remote Server with Rsync