OpenVPN: Set a static IP Address for a client

Hi,

sometimes you have to set a static IP address for certain VPN clients, because they provide server services that must always be reachable at the same IP address.

The client configuration does not provide an option for this, and a static IP address set on the adapter itself is overwritten every time the client establishes a connection to the OpenVPN server.

Solution: define a client-specific configuration file (client-config-dir) on the server.

In this example the OpenVPN server's OS is Linux (TAP interface IP 10.1.134.62) and the client runs Windows (static IP 10.1.134.1).

Define a directory where the client files are stored, e.g. /etc/openvpn/staticclients, and create it:

mkdir /etc/openvpn/staticclients

Add this directory as an option to your OpenVPN config file on the server:

client-config-dir /etc/openvpn/staticclients

For each client you have to create a file. The file name must match the "common name" (CN) attribute of the client's X.509 certificate. This command prints the CN of the client's certificate:

root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/'

TESTCLIENT

This example pushes the IP address 10.1.134.1/255.255.255.192 to the client with the common name TESTCLIENT and also pushes an additional route for the subnet 10.1.135.0/255.255.255.0 via the server's TAP address:

cat /etc/openvpn/staticclients/TESTCLIENT

ifconfig-push 10.1.134.1 255.255.255.192
push "route 10.1.135.0 255.255.255.0 10.1.134.62"
# push "dhcp-option WINS addr"
# push "dhcp-option DNS addr"
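As an added example (my own code, not part of Michael's post): a small Python helper that does the same job as the openssl/sed one-liner and the hand-written client file above, but with the checks you want before an entry goes live. It extracts the CN from the subject line printed by `openssl x509 -subject` (both the old slash-separated and the newer comma-separated OpenSSL formats; the sed expression in the post only handles the slash form, and only when another RDN follows the CN), and it writes the `ifconfig-push` file only if the address lies inside the server's TAP subnet, is not the server's own address, and is not already claimed by another client file. The server address and netmask are the ones from the post; the function and file names are my own.

```python
import ipaddress
import re
import tempfile
from pathlib import Path
from typing import Dict, Sequence, Tuple

# Values from the post: the server's TAP address and the /26 it sits in.
SERVER_TAP_IP = "10.1.134.62"
SERVER_NETMASK = "255.255.255.192"


def cn_from_subject(subject_line: str) -> str:
    """Pull the CN out of the one-line subject printed by `openssl x509 -subject`.

    Works for the older slash-separated form
        subject= /C=DE/O=Example/CN=TESTCLIENT/emailAddress=x@example.invalid
    and for the comma-separated form newer OpenSSL versions print
        subject=C = DE, O = Example, CN = TESTCLIENT
    (The sed expression in the post needs the slash form and another RDN
    after the CN; otherwise it prints the whole subject line unchanged.)
    """
    match = re.search(r"CN\s*=\s*([^/,]+)", subject_line)
    if match is None:
        raise ValueError(f"no CN in subject line: {subject_line!r}")
    return match.group(1).strip()


def static_addresses(ccd_dir: Path) -> Dict[str, ipaddress.IPv4Address]:
    """Map file name (= client CN) to the address in its ifconfig-push line."""
    found = {}
    for client_file in sorted(ccd_dir.iterdir()):
        if not client_file.is_file():
            continue
        for line in client_file.read_text().splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "ifconfig-push":
                found[client_file.name] = ipaddress.IPv4Address(parts[1])
    return found


def make_ccd_entry(ccd_dir: Path, cn: str, client_ip: str,
                   routes: Sequence[Tuple[str, str]] = ()) -> Path:
    """Write <ccd_dir>/<cn> with an ifconfig-push line and optional pushed
    routes, refusing addresses outside the server subnet, the server's own
    address, and addresses another client file already claims."""
    net = ipaddress.IPv4Network(f"{SERVER_TAP_IP}/{SERVER_NETMASK}", strict=False)
    addr = ipaddress.IPv4Address(client_ip)
    if (addr not in net or addr == net.network_address
            or addr == net.broadcast_address
            or addr == ipaddress.IPv4Address(SERVER_TAP_IP)):
        raise ValueError(f"{addr} is not a usable client address in {net}")
    for other_cn, other_ip in static_addresses(ccd_dir).items():
        if other_ip == addr and other_cn != cn:
            raise ValueError(f"{addr} is already assigned to {other_cn}")
    if "/" in cn or cn in ("", ".", ".."):  # the CN becomes a file name
        raise ValueError(f"CN {cn!r} is not usable as a file name")
    lines = [f"ifconfig-push {addr} {SERVER_NETMASK}"]
    for dest, mask in routes:
        lines.append(f'push "route {dest} {mask} {SERVER_TAP_IP}"')
    target = ccd_dir / cn
    target.write_text("\n".join(lines) + "\n")
    return target


def demo() -> dict:
    """Run the whole flow on constructed sample data in a throw-away directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ccd = Path(tmp)
        cn = cn_from_subject(
            "subject= /C=DE/O=Example/CN=TESTCLIENT/emailAddress=x@example.invalid")
        written = make_ccd_entry(ccd, cn, "10.1.134.1",
                                 routes=[("10.1.135.0", "255.255.255.0")])
        result = {"cn": cn, "file": written.read_text()}
        # A second client must not get the same address, nor one outside the /26.
        for label, ip in (("duplicate", "10.1.134.1"), ("outside", "10.1.134.70")):
            try:
                make_ccd_entry(ccd, "SECONDCLIENT", ip)
                result[label + "_rejected"] = False
            except ValueError:
                result[label + "_rejected"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

Running it reproduces the TESTCLIENT file from the post; the duplicate-address check matters because two clients pushed the same static address produce exactly the kind of intermittent connectivity that duplicate MAC addresses cause on a TAP network.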

Michael


Reset the print protection of a pdf document

Hi,

last week a customer had the problem that he had lost a Word document he wanted to print. Only a PDF of the document was available, but in this file the print protection flag was set.

I used Ghostscript to reset the print protection.

Install Ghostscript and use this command line to write a new version of the PDF file that is printable:

gswin.exe -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=d:\temp\OUTPUT.pdf -c .setpdfwrite -f D:\Temp\input.pdf
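The "print protection flag" is one bit of the /P integer in the PDF's /Encrypt dictionary (standard security handler). The following Python is an added example of mine, not from the post, that decodes that integer and checks a file for the print bit, which is a handy way to verify the Ghostscript output before handing it back: pdfwrite re-renders the document into a new file without any /Encrypt dictionary at all, so a rewritten file reports no restrictions. The two PDF byte strings are constructed skeletons (the /O and /U entries are placeholders), just enough to exercise the parser; the parser itself is deliberately simple and does not follow the trailer's /Encrypt reference.

```python
import re
from typing import Dict, Optional

# Bit numbers (1-based, as in the PDF specification's /P table) of the
# user-access permissions the standard security handler enforces.
PERMISSION_BITS = {
    "print": 3,
    "modify": 4,
    "copy": 5,
    "annotate": 6,
    "fill_forms": 9,
    "extract_for_accessibility": 10,
    "assemble": 11,
    "print_high_quality": 12,
}


def permissions_from_p(p_value: int) -> Dict[str, bool]:
    """Decode the signed 32-bit /P integer into flag -> allowed.

    A set bit allows the action, so -1 (all bits set) allows everything and
    -3904 (0xFFFFF0C0) allows nothing, which is what a typical
    "print protected" PDF carries.
    """
    bits = p_value & 0xFFFFFFFF
    return {name: bool(bits & (1 << (bit - 1))) for name, bit in PERMISSION_BITS.items()}


_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)


def p_value_of(pdf_bytes: bytes) -> Optional[int]:
    """Return the /P value of the standard-security-handler /Encrypt
    dictionary, or None if no such dictionary exists in the file.

    Scans indirect objects for `/Filter /Standard` instead of resolving the
    trailer's /Encrypt reference; fine for a quick check, not a full parser.
    """
    for match in _OBJ_RE.finditer(pdf_bytes):
        body = match.group(3)
        if re.search(rb"/Filter\s*/Standard", body):
            p = re.search(rb"/P\s+(-?\d+)", body)
            if p:
                return int(p.group(1))
    return None


def is_printable(pdf_bytes: bytes) -> bool:
    """True when there is no encryption dictionary, or the print bit is set."""
    p = p_value_of(pdf_bytes)
    return True if p is None else permissions_from_p(p)["print"]


# Constructed skeleton of a print-protected PDF (not a complete, openable
# file: /O and /U are placeholders), just enough to exercise the parser.
SAMPLE_PROTECTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 /P -3904 /O <00> /U <00> >> endobj
trailer << /Root 1 0 R /Encrypt 3 0 R /ID [<01> <01>] >>
%%EOF
"""

# Constructed: the same document after a pdfwrite rewrite, i.e. without any
# security handler object.
SAMPLE_PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("protected:", permissions_from_p(p_value_of(SAMPLE_PROTECTED_PDF)))
    print("printable after rewrite:", is_printable(SAMPLE_PLAIN_PDF))
```

Note that the permission bits are only enforced by cooperating viewers; the owner password is what protects them cryptographically, which is why a re-rendering tool can drop them.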

Michael

VMware: Limit the maximum number of snapshots

Hello,

in vCenter there is no global configuration parameter to limit the number of snapshots of the virtual machines. The only way is to add a limit to the .vmx config file or to the configuration parameters of a single virtual machine in vCenter.

To set a limit on the number of snapshots that can be taken, add

snapshot.maxSnapshots = "6"

to the .vmx file, or open the configuration parameters window in vCenter and set it there.

(Screenshot: vmware-snap-limit)

Michael

VMware: Mount a .vmdk virtual disk from command line

Hi,

sometimes you want to modify an offline VMware virtual disk from the command line, for example to copy or edit config files or to set some parameters in the Windows sysprep.xml file.

VMware Workstation does not provide a command line utility for this, but there is a way: download and install the Virtual Disk Development Kit (VDDK).

After installation, a vmware-mount.exe command exists in the bin folder of the installation directory.

To mount a disk read-only, choose a drive letter (X: in this example), start cmd.exe as Administrator and type the commands like this:

First, change to the VMware Virtual Disk Development Kit program folder:

cd "C:\Program Files\VMware Virtual Disk Development Kit"

or append the program's bin folder to the PATH variable:

set PATH=%PATH%;C:\Program Files\VMware Virtual Disk Development Kit\bin;

Then mount the disk:

vmware-mount.exe X: d:\temp\VirtualDisk.vmdk

To mount the disk writable, append /m:w to the end of the command:

vmware-mount.exe X: d:\temp\VirtualDisk.vmdk /m:w

Unmounting is quite simple:

vmware-mount.exe X: /d /f

Have fun

Michael

OpenVPN: Generate a random MAC Address for TAP Interfaces on Windows

Hi,

if you use some image-based technology to deploy your Windows installation, for example SCCM, MDT, Acronis and/or sysprep-based, and OpenVPN is already included in the image, the MAC address of the TAP LAN interface is not changed by that process. But a unique MAC address is required if the clients connect to the same OpenVPN server. If multiple clients have the same MAC address, pings from VPN clients sometimes fail with the error "TTL expired in transit" and the VPN connection is unstable.

This PowerShell script sets a MAC address for each OpenVPN TAP adapter. In detail:

  • Creates the event log source TAPsetMAC (in the Application log)
  • Gets all instances of TAP adapters by reading HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} and keeping the subkeys with MatchingDeviceID == “tap0901”
  • Generates a random MAC address, starting with the prefix defined in $sMACPrefix
  • Writes the MAC to each adapter that has no MAC value yet
  • Logs the result to the event log

########################################################
# Generate a random MAC for all OpenVPN tap LAN interfaces
#  Michael Albert
#  05.04.2013
# License: GPLv2
########################################################
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
# MatchingDeviceID tap0901
# REG_SZ MAC=00-FF-8F-E3-A1-AE
$oRandom=New-Object System.random
function fGetRandomMAC([string]$sMACStart){
     if($sMACStart.length -ge 0 -and $sMACStart.length -le 11){
          for($iLoop=$sMACStart.length; $iLoop -le 11; $iLoop++){
               $iChar=$oRandom.Next(16)
               $sMACStart+=[String]::Format("{0:x}", $iChar).ToUpper()
          }
          return($sMACStart)
     }
     else{
          return $false
     }
}
function fConvert2MAC16([string]$sMAC12){
     [string]$sMAC16=""
     if($sMAC12.length -eq 12){
          for($iLoop=0;$iLoop -le 11;$iLoop++){
               $sMAC16+=$sMAC12.SubString($iLoop,1)
               if((($iLoop+1) % 2) -eq 0 -and ($iLoop+1) -lt 12){
                    $sMAC16+="-"
               }
          }
          return $sMAC16
     }
     else{
          return $false
     }
}
###############################################################################
# Currently not used but defined :-)
function fValidMAC([system.string]$sMAC){
          $RegExIP=new-object System.Text.RegularExpressions.Regex("^([0-9a-fA-F]{2}\-){5}([0-9a-fA-F]{2})$")
          return($RegExIP.IsMatch($sMAC))
}
###############################################################################
## MAIN
###############################################################################
$sMACPrefix="00FF8F"
if(! [System.Diagnostics.EventLog]::SourceExists("TAPsetMAC")){
     New-EventLog -Source TAPsetMAC -Log Application
}
$aTAPAdapter=Get-ChildItem "registry::HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" -ErrorAction SilentlyContinue |where-object{$_.GetValue("MatchingDeviceID") -eq "tap0901"}
foreach($rTAPAdapter in $aTAPAdapter){
     # Get-ItemProperty -Path "registry::HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}"
     if(! ($rTAPAdapter.GetValue("MAC"))){
          #$rTAPAdapter
          #$rTAPAdapter.Name
          # Get-ItemProperty -Path ("registry::"+$rTAPAdapter.Name)
          $sMAC=fGetRandomMAC $sMACPrefix
          if($sMAC16=fConvert2MAC16 $sMAC){
               Write-Host -NoNewline  "Set MAC of TAP Adapter to" $sMAC16 "..."
               $Error.Clear()
               New-ItemProperty -Path ("registry::"+$rTAPAdapter.Name) -Force -Name MAC -PropertyType String -Value $sMAC16|Out-Null
               if(! $Error){
                    Write-Host "ok"
                    Write-EventLog -LogName Application -Source TAPsetMAC -EntryType Information -EventID 666 -Message ("TAP LAN Adapter: Altered MAC Address to "+$sMAC16)
               }
               else{
                    Write-EventLog -LogName Application -Source TAPsetMAC -EntryType Warning -EventID 666 -Message ("TAP LAN Adapter: Failed to alter MAC Address to "+$sMAC16)
               }
          }
     }
}
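Two points worth checking when you use a script like this, shown as an added Python example (my own code, not the script above or anything from OpenVPN): first, a generated MAC should be unicast and locally administered, i.e. bit 0 of the first octet clear and bit 1 set, so it can never coincide with a vendor-assigned OUI; the script's prefix 00FF8F leaves that bit clear, so the example below rewrites it to 02-FF-8F. Second, the script only writes a MAC where no MAC value exists yet, so clones taken from a master image that already had a MAC value all keep the same address; `find_duplicates` is the check for that case. The registry subkey names and MAC values in `SAMPLE_ADAPTERS` are constructed sample data, and the function names are my own.

```python
import re
import secrets
from typing import Dict, List, Optional

# Same shape the script's fValidMAC checks: six hex pairs joined by "-",
# which is how the MAC value is stored under the adapter's registry key.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def random_local_mac(prefix_hex: str = "") -> str:
    """Build a 48-bit MAC in 00-FF-8F-xx-xx-xx notation.

    Two deliberate differences from fGetRandomMAC in the post: the random
    digits come from the `secrets` CSPRNG instead of System.Random, and the
    first octet is forced to unicast (bit 0 clear) + locally administered
    (bit 1 set), so a generated address cannot look like a vendor OUI.
    With the post's prefix 00FF8F the result therefore starts with 02-FF-8F.
    """
    digits = prefix_hex.replace("-", "").replace(":", "").upper()
    if len(digits) > 12 or re.fullmatch(r"[0-9A-F]*", digits) is None:
        raise ValueError("prefix must be 0..12 hex digits")
    digits += secrets.token_hex(6).upper()[len(digits):]
    octets = bytearray.fromhex(digits)
    octets[0] = (octets[0] | 0x02) & 0xFE
    return "-".join(f"{b:02X}" for b in octets)


def is_valid_mac(mac: str) -> bool:
    return MAC_RE.match(mac) is not None


def is_unicast_local(mac: str) -> bool:
    """True if the I/G bit is clear and the U/L bit is set in the first octet."""
    first = int(mac.split("-")[0], 16)
    return (first & 0x01) == 0 and (first & 0x02) != 0


def find_duplicates(adapters: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Return MAC -> adapter names for every MAC shared by more than one adapter.
    This is the condition behind the "TTL expired in transit" symptom."""
    by_mac: Dict[str, List[str]] = {}
    for name, mac in adapters.items():
        if mac:
            by_mac.setdefault(mac.upper(), []).append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}


def assign_missing(adapters: Dict[str, Optional[str]], prefix: str = "00FF8F") -> Dict[str, str]:
    """Mirror the script's main loop: adapters with a MAC keep it, adapters
    without one get a fresh address that is also unique within this set."""
    result: Dict[str, str] = {}
    used = {mac.upper() for mac in adapters.values() if mac}
    for name, mac in adapters.items():
        if mac:
            result[name] = mac
            continue
        candidate = random_local_mac(prefix)
        while candidate in used:  # practically never loops, but cheap to guard
            candidate = random_local_mac(prefix)
        used.add(candidate)
        result[name] = candidate
    return result


# Constructed sample: registry subkeys 0007 and 0011 came from the same image
# and carry the same MAC value; 0013 has no MAC value yet.
SAMPLE_ADAPTERS: Dict[str, Optional[str]] = {
    "0007": "00-FF-8F-E3-A1-AE",
    "0011": "00-FF-8F-E3-A1-AE",
    "0013": None,
}

if __name__ == "__main__":
    print("duplicates:", find_duplicates(SAMPLE_ADAPTERS))
    print("after assignment:", assign_missing(SAMPLE_ADAPTERS))
```

The output on the sample data flags 0007 and 0011 as sharing one MAC and gives only 0013 a new address, exactly what the PowerShell script would do; resolving the shared pair is a deliberate decision (clearing the MAC value on the clones before the script runs), which is why the example reports it rather than silently rewriting it.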

Michael
