1. September 21, 2014

      Juniper SRX Dynamic VPN with Fedora 20

      Update 2014-12-02: I’ve updated the below process for vpnc-0.5.3-svn550, which hit Fedora 20 a few weeks ago and will be present in Fedora 21.

      Hot on the heels of the work I’ve done with Ubuntu, I’ve also done the same for Fedora 20 vpnc. The patches below are pulled from my gists and the ndpgroup fork, not from the Fedora repositories, so read them before building packages that will run as root and handle your VPN credentials.

      sudo yum install rpm-build libgcrypt-devel gnutls-devel gtk3-devel dbus-devel NetworkManager-devel NetworkManager-glib-devel intltool libgnome-keyring-devel perl-LWP-Protocol-https perl-Data-UUID -y
      
      yumdownloader --source vpnc
      yumdownloader --source NetworkManager-vpnc
      
      rpm -Uvh vpnc-0.5.3-21.svn550.fc20.src.rpm
      rpm -Uvh NetworkManager-vpnc-0.9.8.2-3.fc20.src.rpm
      
      cd ~/rpmbuild
      
      curl https://gist.githubusercontent.com/jlaundry/0c9f32176924c7486762/raw/631c0ac68c611ed7ba519252bf769f75466cbd25/build.patch > build.patch
      #curl https://github.com/ndpgroup/vpnc/commit/8f005fefbc8713535d59f95e3abee8a45b05399a.patch > SOURCES/vpnc-0.5.3-juniper.patch
      curl https://gist.githubusercontent.com/jlaundry/e54c6a152eafd7c2bb97/raw/707286377f01d66b066ddaaa36e5c57784134af8/vpnc-0.5.3-juniper.patch > SOURCES/vpnc-0.5.3-juniper.patch
      curl https://gist.githubusercontent.com/jlaundry/036ed1719a4dda561fc2/raw/224bf3f605fac6a6df191cfe14cdad95d7400830/NetworkManager-vpnc-0.9.8.2-juniper.patch > SOURCES/NetworkManager-vpnc-0.9.8.2-juniper.patch
      
      patch -p1 < build.patch
      
      rpmbuild -ba SPECS/vpnc.spec
      rpmbuild -ba SPECS/NetworkManager-vpnc.spec
      
      # the release suffix comes from the patched spec; glob it rather than typing it
      sudo rpm -Uvh RPMS/x86_64/vpnc-0.5.3-*juniper*.x86_64.rpm
      sudo rpm -Uvh RPMS/x86_64/NetworkManager-vpnc-*juniper*
      
    2. Juniper SRX Dynamic VPN with vpnc Ubuntu 13.10

      Pretty simple really; we use Juniper SRXes (running Junos 11.4) with Dynamic VPN at work, and I use an Ubuntu laptop. All the patches needed to make vpnc talk to the SRX exist, but for some reason haven’t made it into the official source yet…

      Step 1: Patch vpnc

      apt-get source vpnc
      sudo apt-get build-dep vpnc
      wget https://github.com/ndpgroup/vpnc/commit/8f005fefbc8713535d59f95e3abee8a45b05399a.patch
      cd vpnc-0.5.3r512
      patch -p1 < ../8f005fefbc8713535d59f95e3abee8a45b05399a.patch   # GitHub .patch files carry a/ b/ prefixes
      dpkg-buildpackage -rfakeroot -uc -b
      sudo dpkg -i ../vpnc_0.5.3r512-2ubuntu1_amd64.deb
      

      Step 2: Patch network-manager-vpnc, because it’s not Ubuntu if it’s not a GUI! ;)

      I’ve adapted the patch for NetworkManager 0.9.8.2 from the 0.9.4.0 version found here.

      apt-get source network-manager-vpnc
      sudo apt-get build-dep network-manager-vpnc
      # save under the name used below; the gist's own filename is misleading
      wget -O network-manager-vpnc_0.9.8.2-1ubuntu1-juniper.patch https://gist.githubusercontent.com/jlaundry/cbf79311bc46fcf6c626/raw/f142f086032c66b19fb182c2933ced139271275f/network-manager-vpnc_0.9.6.0-0ubuntu2-juniper.patch
      patch < network-manager-vpnc_0.9.8.2-1ubuntu1-juniper.patch
      cd network-manager-vpnc-0.9.8.2
      dpkg-buildpackage -rfakeroot -uc -b
      sudo dpkg -i ../network-manager-vpnc-gnome_0.9.8.2-1ubuntu1_amd64.deb
      

      Step 3: Create a NetworkManager script

      wget https://raw.github.com/ndpgroup/juniper-srx-linux/master/jam-config
      chmod u+x jam-config
      ./jam-config addr vpn.example.com user joe pass joespwd | sudo tee /etc/NetworkManager/system-connections/MyVPN > /dev/null
      # tee creates the file 0644; NetworkManager refuses keyfiles that are not root-owned and 0600
      sudo chmod 600 /etc/NetworkManager/system-connections/MyVPN
      

      Check that the connection file ended up owned by root with mode 0600: NetworkManager ignores world-readable files in system-connections, and this one holds the VPN password in clear text. The same password also went onto your command line, so clear it out of your shell history. Finally, reboot your machine to flush out the old, non-Juniper-friendly NetworkManager, and you’re away!

    3. September 8, 2014

      Junos 12.1X44 Dynamic VPN with FreeRADIUS

      One of the features Juniper added to SRX Dynamic VPN starting with Junos 12.1X44 is the ability to assign a client to its Dynamic VPN client group via RADIUS, instead of listing every client username under the client configuration.

      What Juniper don’t tell you is how: the group name is carried in the Juniper-Local-Group-Name VSA (vendor ID 2636, vendor-type 46) of the Access-Accept, and it has to match a name listed under user-groups. So, after some trial and error, here’s how:

      Step 1: Configure the access profile and create the Dynamic VPN client group:

      set security dynamic-vpn clients dynclient-testing remote-protected-resources 192.168.1.0/24
      set security dynamic-vpn clients dynclient-testing remote-exceptions 0.0.0.0/0
      set security dynamic-vpn clients dynclient-testing ipsec-vpn vpn-dynamic
      set security dynamic-vpn clients dynclient-testing user-groups dynvpn_testing
      

      Step 2: Add the following line to /usr/share/freeradius/dictionary.juniper, inside its BEGIN-VENDOR Juniper / END-VENDOR Juniper block (grep for it first; your FreeRADIUS may already define it):

      ATTRIBUTE	Juniper-Local-Group-Name		46	string
      

      Step 3: Assign the group to the user as a reply attribute in /etc/raddb/users (or however you do it; a Cleartext-Password in the users file is fine for testing, not for production):

      testuser    Cleartext-Password := "Testing123"
                  Juniper-Local-Group-Name = dynvpn_testing
      

      And… well, test! Hit the server with radtest (from freeradius-utils) against localhost first and confirm the Access-Accept carries Juniper-Local-Group-Name = "dynvpn_testing" before involving the SRX; if the attribute name comes back as a raw Vendor-Specific blob, the dictionary line from step 2 was not picked up.
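      For anyone who wants to see what that one dictionary line turns into on the wire (or to pick the group out of a packet capture), here is an added example in Python 3. It is not code from the original post, Junos or FreeRADIUS: it encodes Juniper-Local-Group-Name as an RFC 2865 Vendor-Specific attribute exactly as "ATTRIBUTE Juniper-Local-Group-Name 46 string" under "VENDOR Juniper 2636" makes FreeRADIUS do, wraps it in the Access-Accept the SRX receives, verifies the Response Authenticator the client side must check, and decodes the group back out. The shared secret, packet identifier and Request Authenticator are sample values made up for the example.

```python
"""Wire format of the Juniper-Local-Group-Name reply attribute.

Added example (not from the original post, Junos or FreeRADIUS).  Encodes the
attribute the way RFC 2865 section 5.26 lays out a Vendor-Specific attribute,
which is what the dictionary line "ATTRIBUTE Juniper-Local-Group-Name 46 string"
under "VENDOR Juniper 2636" makes FreeRADIUS emit, wraps it in an Access-Accept,
and decodes it again.  Secret, identifier and Request Authenticator below are
sample values constructed for this example.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 section 5.26
JUNIPER_VENDOR_ID = 2636         # IANA enterprise number for Juniper
JUNIPER_LOCAL_GROUP_NAME = 46    # vendor-type from dictionary.juniper


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) value."""
    if len(value) > 253 - 6:      # attribute value max 253, minus the VSA overhead
        raise ValueError("VSA value too long for a single attribute")
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attrs: bytes) -> bytes:
    """Code Identifier Length ResponseAuth Attributes (RFC 2865 section 3).

    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_auth(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a client must drop a reply that fails."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return response_auth == expected


def iter_attributes(attrs: bytes):
    """Yield (type, value) pairs, refusing truncated or zero-length TLVs."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, pos))
        yield attr_type, attrs[pos + 2:pos + attr_len]
        pos += attr_len


def juniper_local_groups(attrs: bytes) -> list:
    """Return every Juniper-Local-Group-Name carried in an attribute list."""
    groups = []
    for attr_type, value in iter_attributes(attrs):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != JUNIPER_VENDOR_ID:
            continue
        # Juniper uses the Vendor-Type/Vendor-Length layout RFC 2865 recommends, and
        # one VSA may pack several sub-attributes, so walk them with the same parser.
        for sub_type, sub_value in iter_attributes(value[4:]):
            if sub_type == JUNIPER_LOCAL_GROUP_NAME:
                groups.append(sub_value.decode("utf-8"))
    return groups


def sample_exchange():
    """The reply FreeRADIUS sends for the 'testuser' entry above (sample values)."""
    secret = b"testing123"               # constructed shared secret
    request_auth = bytes(range(16))      # constructed Request Authenticator
    attrs = encode_vsa(JUNIPER_VENDOR_ID, JUNIPER_LOCAL_GROUP_NAME, b"dynvpn_testing")
    packet = build_access_accept(identifier=7, request_auth=request_auth,
                                 secret=secret, attrs=attrs)
    ok = verify_response_auth(packet, request_auth, secret)
    return packet, ok, juniper_local_groups(packet[20:])


if __name__ == "__main__":
    pkt, ok, groups = sample_exchange()
    print(pkt.hex(), "authenticator ok:", ok, "groups:", groups)
```

      The decoder deliberately walks sub-attributes with the same length-checked parser as the top level, since a malformed Vendor-Length is the classic way to trip up a naive RADIUS parser; anything that fails the check raises rather than silently returning a partial group list.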

    4. August 21, 2012

      OCR a scanned PDF with Tesseract

      Simple really: I wanted to OCR a scanned PDF, then embed the output text back into the PDF so that I can search. Surprisingly, an application for this doesn’t already exist, so here’s my script:

      #!/bin/sh
      # OCR every page of a scanned PDF and attach the recognised text to that page.
      # Needs pdftk, ImageMagick (convert) and tesseract.
      set -e
      
      pdf="$1"
      cp "$pdf" "$pdf.bak"
      
      # sed -E has no \d; use a POSIX bracket expression to pull out the page count.
      pages=$(pdftk "$pdf" dump_data output - | sed -nE 's/^NumberOfPages: ([0-9]+)$/\1/p')
      
      for i in $(seq 1 "$pages");
      do
              # ImageMagick page indexes are zero-based; render at 600 dpi for OCR
              convert -monochrome -density 600 "$pdf[$((i - 1))]" "page$i.tif"
              tesseract "page$i.tif" output -l eng          # writes output.txt
              pdftk "$pdf" attach_files output.txt to_page "$i" output "$pdf.new"
              mv "$pdf.new" "$pdf"
              rm -f output.txt "page$i.tif"
      done
      
    5. October 10, 2011

      Aladdin eToken on Ubuntu 11.10 (oneiric ocelot) amd64

      Update: In my mad rush to get everything working, I completely missed that 8.1 was released, which adds native 64-bitness. Apart from linking /usr/lib64/libeToken.so to /usr/lib/libeToken.so.8, there are no hacks required anymore! Yay!

      I’ve just installed the oneiric release candidate. And I like the changes. And I like that with a little tweaking, my eToken still works!

      I did a bare-metal install, as I’ve now upgraded to SSD. So, I’ve updated my tutorial to match.

      1. Install 11.10 amd64. Now, even though SAC amd64 is supposed to be amd64, they lied, and it ships with i386 binaries that just happen to work on amd64. So you’ll need to prep your x86_64 system with i386 goodness, by using:
        sudo apt-get install ia32-libs libhal1 opensc pcscd

        • Note that I said libhal1, in DIRECT CONTRADICTION to SafeNet’s user guide. If you don’t, you’ll see things pop up in /var/log/syslog like
          pcscd: dyn_unix.c:37:DYN_LoadLibrary() /usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so: libhal.so.1: cannot open shared object file: No such file or directory
      2. You’ll need the 32-bit libpcsclite1 and libhal1. Simply run:
        wget http://archive.ubuntu.com/ubuntu/pool/main/p/pcsc-lite/libpcsclite1_1.7.2-2ubuntu2_i386.deb
        wget http://archive.ubuntu.com/ubuntu/pool/main/h/hal/libhal1_0.5.14-0ubuntu6_i386.deb
        dpkg -x libpcsclite1_1.7.2-2ubuntu2_i386.deb libpcsclite1-i386
        dpkg -x libhal1_0.5.14-0ubuntu6_i386.deb libhal1-i386
        sudo cp libpcsclite1-i386/lib/libpcsclite.so.1.0.0 /lib32
        sudo cp libhal1-i386/usr/lib/libhal.so.1.0.0 /usr/lib32
        sudo ln -s /usr/lib32/libhal.so.1.0.0 /usr/lib32/libhal.so.1
        sudo ln -s /lib32/libpcsclite.so.1.0.0 /lib32/libpcsclite.so.1
        
      3. Download the SafeNet Authentication Client for Linux 8.0. In theory you should have a support agreement with SafeNet to download this, but you CAN find it on Google, including from SafeNet themselves (hint: try SAC instead of the full spelling). Install it with
        sudo dpkg -i SafenetAuthenticationClient-8.0.5-0_amd64.deb

      Note: if you’ve got this working before, you’ll notice that in 11.10 /usr/lib has gone from being a link to /usr/lib64 to being its own directory, so the PKCS#11 module your applications need to load is now at /usr/lib64/libeTPkcs11.so.

      So there you go. If you add the /usr/lib64/libeTPkcs11.so to Firefox and Thunderbird, you should see your certificates. If you run PKIMonitor, you should be able to modify your eToken.

      For a quick verification, run

      pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L

      and you should see your eToken listed.

    6. July 8, 2011

      Aladdin eToken on Ubuntu 11.04 (natty narwhal) amd64

      Update: this has been updated for 11.10, check it out here.

      This is more complicated than it should be, for no real reason. I like my eToken, and have been trying for a good year to get it working on 64-bit Linux. Today, I sat down, started from scratch, and nutted it out. The following 3-step procedure should be all that’s needed to get it working.

      1. Install 11.04 amd64. Now, even though SAC amd64 is supposed to be amd64, they lied, and it ships with i386 binaries that just happen to work on amd64. So you’ll need to prep your x86_64 system with i386 goodness, by using:
        sudo apt-get install ia32-libs libhal1 opensc pcscd

        • Note that I said libhal1, in DIRECT CONTRADICTION to SafeNet’s user guide. If you don’t, you’ll see things pop up in /var/log/syslog like
          pcscd: dyn_unix.c:37:DYN_LoadLibrary() /usr/lib/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/libAksIfdh.so: libhal.so.1: cannot open shared object file: No such file or directory
      2. Download the SafeNet Authentication Client for Linux 8.0. In theory you should have a support agreement with SafeNet to download this, but you CAN find it on Google, including from SafeNet themselves (hint: try SAC instead of the full spelling). Install it with
        sudo dpkg -i SafenetAuthenticationClient-8.0.5-0_amd64.deb
      3. Finally, you’ll need the 32-bit libpcsclite1. Simply run:
        wget http://archive.ubuntu.com/ubuntu/pool/main/p/pcsc-lite/libpcsclite1_1.7.2-2ubuntu2_i386.deb
        dpkg -x libpcsclite1_1.7.2-2ubuntu2_i386.deb libpcsclite1-i386
        sudo cp libpcsclite1-i386/lib/* /lib32
        

      So there you go. If you add the /usr/lib/libeTPkcs11.so to Firefox and Thunderbird, you should see your certificates. If you run PKIMonitor, you should be able to modify your eToken.

      For a quick verification, run

      pkcs11-tool --module /usr/lib/libeTPkcs11.so -L

      and you should see your eToken listed.

      Also, good-bye Windows XP. This was the last thing preventing me from using Ubuntu on a daily basis, and now you’ve been completely replaced.

    7. June 21, 2011

      KVM virtual console to physical TTY

      This took me longer than it should’ve to figure out… I wanted to take the virtual console (pts) from a KVM virtual machine, and map it to a physical tty, so that I could login to my virtual machine from the physical keyboard, without having to login to the virtual host itself. This can be done with a simple one-liner:

      screen /dev/pts/1 > /dev/tty9 < /dev/tty9 &

      Add that to /etc/rc.d/rc.local to start on system startup (hopefully after the VM has started), and I'm all set!

      Two caveats. The pty number is handed out when the VM starts, so /dev/pts/1 may belong to something else after a reboot; with libvirt, virsh ttyconsole <domain> prints the pty currently attached to the guest’s serial console. And because that screen process runs as root on the host, anyone at the physical keyboard can use screen’s own key bindings (C-a c opens a new window with a shell, which here is a root shell on the host) to step out of the guest login prompt, so only do this where whoever can reach tty9 is already trusted with the host.