$ cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table ip firewall {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    iif != "lo" ip daddr 127.0.0.0/8 drop
    tcp dport 22 accept
    ct state established,related accept
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
  }

  chain output {
    type filter hook output priority filter; policy drop;
    iif "lo" accept
    udp dport { 53, 123 } accept
    tcp dport { 53, 80, 443 } accept
    ct state established,related accept
  }
}

Connection eventually works, but it takes much longer than anticipated.

Running journalctl -f, I see systemd[1]: Failed to start User Manager for UID 1000 before connections is finally established.

If I run nft flush ruleset, connection works immediately.

I implemented SSH connection rate limiting using the following.

iptables -N SSH_BRUTE_FORCE_MITIGATION
iptables -A SSH_BRUTE_FORCE_MITIGATION -m recent --name SSH --set
iptables -A SSH_BRUTE_FORCE_MITIGATION -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[ssh-brute-force]: "
iptables -A SSH_BRUTE_FORCE_MITIGATION -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
iptables -A SSH_BRUTE_FORCE_MITIGATION -j ACCEPT

How can I reset rate limit counter?

Edit: tried sudo iptables -Z, but following error is thrown.

$ sudo iptables -Z
[sudo] password for pi:
iptables v1.8.2 (nf_tables):  RULE_REPLACE failed (Invalid argument): rule in chain INPUT

I was about to install mailutils and postfix when I notice how many dependencies were involved.

$ apt install mailutils postfix
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  guile-2.2-libs libgc1c2 libgsasl7 libkyotocabinet16v5 libltdl7 liblzo2-2 libmailutils5 libmariadb3 libntlm0 libpython2.7 mailutils-common
  mariadb-common mysql-common ssl-cert

Why does mailutils depend on mariadb-common and mysql-common and what are *-common packages in the first place?

I am trying to install a SMTP server that will run localhost-only and wish to be able to send emails using the mail command installing as few dependencies as possible.

I self-host my own strongSwan VPN server.

When running Borg backups to a remove filesystem (running on a different server), I am able to upload at ~ 2.5MB/s without the VPN and ~ 1.5MB/s over the VPN.

Is that normal? When I run a test on speedtest.net (over the VPN), I am able to reach upload speeds of 40Mbps (8MB/s).

The Borg backup server ingest speed is slower than my upload speed... OK... but why can't I upload at ~ 2.5MB/s over the VPN given I can run a test on speedtest.net at 8MB/s?

Btw, I confirm it isn't a CPU issue on the client or server.

I would like client traffic to show publicly as originating from that specific IP (which could be a secondary IP assigned to the same network interface as primary).

iface eth0 inet static
    address 167.99.179.140/24
    gateway 167.99.179.1
iface eth0 inet static
    address 167.99.179.141/24

I currently have the following:

ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT

For ICMPv6 type 3, I would like to only accept code 0.

For ICMPv6 type 4, I would like to only accept codes 1 and 2.

This is based on RFC 4890.

I am trying to create an equivalent to the following for systemd.

auto strongswan0
iface strongswan0 inet static
  address 10.0.2.1/24
  pre-up ip link add strongswan0 type dummy

I am trying to port the following alias from /etc/network/interfaces to /etc/systemd/network/eth0.network.

auto eth0:1
iface eth0:1 inet static
    address 10.0.2.1/24

Tried the following but that didn’t work.

config setup
  charondebug="ike -1, knl -1, cfg -1"

My gut feeling is it has something to do with /etc/strongswan.d/charon-logging.conf?

I have read the docs but want to make sure I don’t miss something.

Currently, I have the following which appears to disable most (if not all) logging.

charon {
    filelog {
        charon {
            default = -1
        }
    }
    syslog {
        auth {
            default = -1
        }
    }
}

Using the terminal, I run the following.

ssh [email protected] -i ~/.ssh/admin -N -D 9090

Firefox is configured as follow.

Many websites work just fine, but certain ones fails and the following error is thrown on the terminal.

channel 1: open failed: administratively prohibited: open failed

My research points to a DNS problem as indicated by running tail auth.log on the server.

error: connect_to ipleak.net: unknown host (Temporary failure in name resolution)

How can I fix this issue?

Here’s my current ipsec.conf.

What do I need to change to make sure the client retries connecting to server indefinitely.

$ cat /etc/ipsec.conf

conn %default
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!

conn ikev2
    auto=start
    dpdaction=restart
    closeaction=restart
    keyingtries=%forever
    [email protected]
    leftsourceip=%config
    leftauth=eap-tls
    leftcert=vpn-client.crt
    right=159.203.26.109
    rightid=my-vpn.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey

The error occurs on a LVM/LUKS Debian VPS.

I deleted the swap volume and grew the root volume using the following:

swapoff /dev/group/swap
lvremove group/swap
lvresize -rl +100%FREE /dev/group/root

Now, when I boot, I get the following error message:

Failed to find logical volume "group/swap"

Everything works fine, but I would like to fix whatever is causing this error.

Say I have two hosts, a.example.com and b.example.com and only wish to enable proxy_protocol on a.example.com which is behind a load balancer (b.example.com is used for direct healthchecks). Tried the following setup but getting an error.

a.example.com

server {
    listen 80 proxy_protocol;
    listen 443 proxy_protocol ssl;

    server_name a.example.com;

    location / {
        proxy_pass http://localhost:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_cache_bypass $http_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/a.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem;
}

b.example.com

server {
    listen 80;

    server_name b.example.com;

    location /healthcheck {
        proxy_pass http://localhost:8443;
        access_log off;
    }
}

Error

2019/08/06 17:40:50 [error] 10488#10488: *12 broken header: "GET /healthcheck HTTP/1.1
Host: b.example.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

" while reading PROXY protocol, client: 1.2.3.4, server: 0.0.0.0:80

For iptables I used to run iptables-restore < /etc/iptables/rules.v4 which would flush rules and restore them from /etc/iptables/rules.v4.

For nftables, I found nft -f /etc/nftables.conf, but the rules are not flushed* prior to restoring them from /etc/nftables.conf.

Is there a one-liner that flushes nftables rules and restores them from a file?

*Note that any rules already loaded are not automatically flushed.

Currently, I use the following configuration. Should I switch to rekey=yes and, if so, why? I’m looking to enforce perfect forward secrecy (PFS). Other security suggestions are welcomed.

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=never

conn ikev2
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=my-vpn.com
    leftcert=vpn-server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-tls
    rightdns=1.1.1.1,1.0.0.1
    rightsourceip=%dhcp
    rightsendcert=never
    eap_identity=%identity

I’m using rightsourceip=%dhcp on the server so two clients cannot have the same leftid.

Prior to using rightsourceip=%dhcp, I used uniqueids=never and 10.0.2.0/24 to allow multiple clients with the same leftid, but that doesn’t appear to work with rightsourceip=%dhcp (am I doing something wrong?).

Looks like supervised (always-on) iOS VPN clients establish two associations, one over LTE and one over Wi-Fi... which breaks connectivity to the VPN server. Guess the server doesn’t know to which association the packets have to be sent... and perhaps iOS isn’t listening on both interfaces once Wi-Fi is up.

How can I fix this? Also, what does rekeying disabled mean?

Security Associations (5 up, 0 connecting):
       ikev2[7]: ESTABLISHED 65 seconds ago, 159.203.26.109[my-vpn.com]...207.46.13.62[[email protected]]
       ikev2[7]: IKEv2 SPIs: 0a53e7fec5e65e2b_i 2d03da3fce35f91c_r*, rekeying disabled
       ikev2[7]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_3072
       ikev2{7}:  INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c468b92b_i 00006960_o
       ikev2{7}:  AES_GCM_16_256, 8795 bytes_i (22 pkts, 0s ago), 4983 bytes_o (19 pkts, 41s ago), rekeying disabled
       ikev2{7}:   0.0.0.0/0 === 10.0.2.13/32
       ikev2[6]: ESTABLISHED 65 seconds ago, 159.203.26.109[my-vpn.com]...157.55.39.61[[email protected]]
       ikev2[6]: IKEv2 SPIs: e2a7434252a49075_i fe57e34b97ba086e_r*, rekeying disabled
       ikev2[6]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_3072
       ikev2{6}:  INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: cdc9dd9c_i 0ec723e6_o
       ikev2{6}:  AES_GCM_16_256, 8170 bytes_i (122 pkts, 0s ago), 0 bytes_o, rekeying disabled
       ikev2{6}:   0.0.0.0/0 === 10.0.2.13/32

I would like clients to try reconnecting indefinitely if server is down so when it comes back, the client simply reconnects.

Client ipsec.conf

conn %default
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!

conn ikev2
    auto=start
    [email protected]
    leftsourceip=%config
    leftauth=eap-tls
    leftcert=vpn-client.crt
    right=my-vpn.com
    rightid=my-vpn.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey

Server ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=never

conn ikev2
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=my-vpn.com
    leftcert=vpn-server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-tls
    rightdns=1.1.1.1,1.0.0.1
    rightsourceip=10.0.2.0/24
    rightsendcert=never
    eap_identity=%identity

Server iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Client ipsec.conf

conn ikev2
    auto=start
    [email protected]
    leftsourceip=%config
    leftauth=eap-tls
    leftcert=vpn-client.crt
    right=my-vpn.com
    rightid=my-vpn.com
    rightauth=pubkey

Client iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?

Also, can’t SSH to client from server. Why?

Thanks!

When you configure an IKEv2/IPsec client on iOS or macOS using the built-in VPN client, you can’t configure which crypto the client uses (unless you are using deployment profiles). So how can you know which crypto is used to encrypt the VPN traffic?

I would like the process itself to send heartbeats vs receiving them from services like Amazon Route 53 health checks.

I would like to avoid running a web server on that process.