https://wiki.networksecuritytoolkit.org/api.php?action=feedcontributions&user=Rwh&feedformat=atom
NST Wiki - User contributions [en] 2024-03-28T12:35:57Z User contributions MediaWiki 1.32.4
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Determining_IP_Address&diff=10027 Determining IP Address 2023-12-07T17:35:46Z
<p>Rwh: /* For Client Side Scripting */</p>
<hr />
<div>This page offers suggestions on how one might determine the '''IP''' address associated with a particular system.<br />
<br />
= Internet IP Address =<br />
<br />
There are many ways in which one can determine the Internet '''IP''' address associated with a particular system.<br />
<br />
== For Client Side Scripting ==<br />
<br />
The following '''URL'''s will return your '''IP''' address (as you appear to the Internet) as a simple text string:<br />
<br />
* http://nst.sourceforge.net/nst/cgi-bin/ip.cgi<br />
* http://www.networksecuritytoolkit.org/nst/cgi-bin/ip.cgi<br />
* http://whatismyip.org/<br />
* https://geoip.ubuntu.com/lookup<br />
<br />
The following '''bash''' script fragment demonstrates how one can retrieve the Internet '''IP''' address and store it in a variable:<br />
<br />
<pre class="programListing"><br />
<br />
# Use wget to retrieve the IP address<br />
IP_ADDRESS="$(wget -O - http://nst.sourceforge.net/nst/cgi-bin/ip.cgi 2>/dev/null)";<br />
<br />
</pre><br />
<br />
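Building on the '''wget''' fragment above, the following is an added example (not the '''NST''' '''getipaddr''' script) that validates the reply before using it, falls back across the sources listed above should one be down, and caches the answer for a short time; the cache location and TTL are assumptions of the example:<br />
<br />

```bash
#!/bin/bash
# Added example (not NST's getipaddr script): fetch the public IPv4 address
# from several sources in turn, accept only a well-formed dotted quad, and
# cache the answer so repeated calls do not hit the network.
# The source list comes from the page; cache path and TTL are assumptions.

PUBLIC_IP_SOURCES="http://nst.sourceforge.net/nst/cgi-bin/ip.cgi
http://www.networksecuritytoolkit.org/nst/cgi-bin/ip.cgi
https://geoip.ubuntu.com/lookup"
PUBLIC_IP_CACHE="${PUBLIC_IP_CACHE:-${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/public-ip.cache}"
PUBLIC_IP_TTL="${PUBLIC_IP_TTL:-300}"   # seconds a cached answer stays valid

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# The reply of a remote service is untrusted input; do not put it into a
# variable that later lands in a command line without a check like this.
is_ipv4() {
  local a b c d rest octet
  case "$1" in
    ""|*[!0-9.]*|.*|*.) return 1 ;;
  esac
  IFS=. read -r a b c d rest <<< "$1"
  [ -z "$rest" ] || return 1
  for octet in "$a" "$b" "$c" "$d"; do
    [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# extract_ipv4 < TEXT: print the first IPv4-looking token in a reply.
# ip.cgi answers with the bare address; other services may wrap it in XML.
extract_ipv4() {
  grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | head -n 1
}

# fetch_url URL: default fetcher, one attempt with a short timeout.
fetch_url() {
  wget -q -O - --timeout=10 --tries=1 "$1"
}

# public_ip_from_sources FETCHER URL...: try each URL with FETCHER (a shell
# function that takes the URL and prints the body) until one yields a valid
# address; fail if none does.
public_ip_from_sources() {
  local fetcher="$1" url reply ip
  shift
  for url in "$@"; do
    reply="$("$fetcher" "$url" 2>/dev/null)" || continue
    ip="$(printf '%s\n' "$reply" | extract_ipv4)"
    if is_ipv4 "$ip"; then
      printf '%s\n' "$ip"
      return 0
    fi
  done
  return 1
}

# read_cache FILE TTL NOW: print the cached address if it is younger than
# TTL seconds; the file holds "EPOCH ADDRESS" and is re-validated on read.
read_cache() {
  local file="$1" ttl="$2" now="$3" stamp ip
  [ -r "$file" ] || return 1
  read -r stamp ip < "$file" || return 1
  case "$stamp" in ""|*[!0-9]*) return 1 ;; esac
  is_ipv4 "$ip" || return 1
  [ $((now - stamp)) -lt "$ttl" ] || return 1
  printf '%s\n' "$ip"
}

# write_cache FILE NOW ADDRESS: store the answer readable by the owner only.
write_cache() {
  ( umask 077; printf '%s %s\n' "$2" "$3" > "$1" )
}

# get_public_ip: cached answer if fresh, otherwise query the sources.
get_public_ip() {
  local now ip
  now="$(date +%s)"
  if ip="$(read_cache "$PUBLIC_IP_CACHE" "$PUBLIC_IP_TTL" "$now")"; then
    printf '%s\n' "$ip"
    return 0
  fi
  # word-splitting the newline-separated source list is intended here
  ip="$(public_ip_from_sources fetch_url $PUBLIC_IP_SOURCES)" || return 1
  write_cache "$PUBLIC_IP_CACHE" "$now" "$ip"
  printf '%s\n' "$ip"
}

# Usage (needs network access):
#   IP_ADDRESS="$(get_public_ip)" || echo "no source answered" >&2
```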
The '''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]''' script uses this basic technique and adds error checking, caching and the ability to use multiple sources (should a server be down). The following demonstrates how one would achieve similar results using the '''--public-address''' option provided by the '''getipaddr''' script:<br />
<br />
<pre class="programListing"><br />
<br />
# Use getipaddr to retrieve the IP address<br />
IP_ADDRESS="$(getipaddr --public-address)";<br />
<br />
</pre></div>
Rwh
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Overview&diff=9883 Overview 2023-07-29T00:01:15Z
<p>Rwh: /* Summary */</p>
<hr />
<div>__TOC__<br />
<br />
= Summary =<br />
This Wiki offers a means where users of the '''Network Security Toolkit''' ('''NST''') can ask questions, share experiences, and offer advice in regards to the use of the '''NST''' distribution and the tools which it contains.<br />
<br />
The '''NST''' homepage is located at: [http://www.networksecuritytoolkit.org/ http://www.networksecuritytoolkit.org/]. The '''NST''' [http://sourceforge.net/ SourceForge] project page is located at: [http://sourceforge.net/projects/nst http://sourceforge.net/projects/nst]. An '''NST Pro''' version is located at: [http://www.networksecuritytoolkit.org/ http://www.networksecuritytoolkit.org/nstpro]. One can download the current version of '''NST''' [http://sourceforge.net/project/showfiles.php?group_id=85467 '''here''']. A reference about '''NST''' at [http://en.wikipedia.org Wikipedia] can be found [http://en.wikipedia.org/wiki/Network_Security_Toolkit '''here'''].<br />
<br />
<!--<br />
'''NST''' users <u>add</u> yourself to a [http://platial.com Platial] generated [[Image:Nstworldmap.gif]] [http://platial.com/nst/map/60294#NST_Global_Map NST Global Map].<br />
--><br />
<br />
You can view Webcasts related to '''NST''' on the [[NST Screencasts]] page. This NST Wiki Web site is generated by an "'''NST 38'''" system using '''[http://www.mediawiki.org/wiki/MediaWiki MediaWiki]''' software running on an '''[http://www.intel.com/content/www/us/en/nuc/products-overview.html Intel NUC]'''. The following are some of the IPv4 Address Host geolocation tools available with the toolkit using NST Wiki traffic data as a data source.<br />
<br />
= NST Wiki World Users =<br />
<br />
The '''Mercator World Map''' projection below depicts geolocated user host systems that have recently accessed the '''NST''' wiki site. The map is updated once an hour using a collection window of 24 hours. The data source is an '''[http://www.ntop.org/products/traffic-analysis/ntop/ ntopng]''' session running on an "'''NST 36'''" probe listening on 2 network interfaces (i.e., '''wikirx''' & '''wikitx''') for packet capture. A '''[https://networkvisibility.com/products/ixia-net-optics-tap-copper-10-100-1g-955-0270-tp-cu3 TP-CU3]''' Non-Aggregational TAP is inserted between the '''NST''' probe and the '''NST''' wiki site providing full-duplex traffic access.<br />
<br />
[[File:Curhostswm.png|frame|center|NST Wiki Site World Map: Global Users Host Geolocations]]<br />
<br />
<br />
The '''NST''' wiki traffic for the last 24 hours is also formatted as a '''KMZ (KML)''' document that can be downloaded and ''viewed'' in '''[http://earth.google.com Google Earth]''': "'''([http://wiki.networksecuritytoolkit.org/nstwiki/maps/curhostskml.kmz KMZ Document - NST Wiki Traffic])'''". Both the '''Mercator World Map''' and the '''KML Document''' above were produced by the '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstgeolocate.html nstgeolocate]'''". This script is included in the '''NST''' distribution (See the NST Wiki page: '''[http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Automate_%26_Manage_NST_Geolocation_Results HowTo Automate & Manage NST Geolocation Results]''' for further information on geolocating network entities with '''NST''').<br />
<br />
= NST WebGL Globe =<br />
'''NST''' now includes a '''[https://experiments.withgoogle.com/chrome/globe WebGL Globe'''] implementation for the geolocation of IPv4 Hosts. Each hour new NST Wiki host geolocation traffic data is generated and formatted for '''[https://en.wikipedia.org/wiki/WebGL WebGL] Globe''' usage (i.e., a '''[https://en.wikipedia.org/wiki/JSON JSON]''' formatted document) which can be ''rendered'' within a web browser, producing images similar to the following graphics of the earth. Each red spike represents Host traffic to and from the NST Wiki site derived from an active '''[http://www.ntop.org/products/traffic-analysis/ntop/ ntopng]''' session. Longer spikes indicate greater combined transmit and received network traffic.<br />
<br />
<center>[[File:Nstwikiwebglglobe.png|256x256px|frameless|NST Wiki Site Global Traffic (Day Time Map)]]&nbsp;&nbsp;&nbsp; [[File:Nstwikiwebglglobenight.png|256x256px|frameless|NST Wiki Site Global Traffic (Night Time Map)]]</center><br />
<br />
Use this link to view the '''NST''' Wiki traffic for the past 24 hours as a single series dataset: '''[http://wiki.networksecuritytoolkit.org/nst-webgl-globe/index.html?daymap=true&gdsrc=data/curhostswebgl.json NST Webgl Globe - NST Wiki Traffic]'''<br />
<br />
Use this link to view the '''NST''' Wiki traffic as a multi-series dataset for the past 7 hours with a 1 day time interval: '''[http://wiki.networksecuritytoolkit.org/nst-webgl-globe/index.html?daymap=true&gdsrc=data/curwebgldataset.json NST Webgl Globe (Multi-Series Dataset) - NST Wiki Traffic]'''.<br />
<br />
The '''NST WebGL Globe''' implementation includes the following features:<br />
* Switch between day time and night time maps.<br />
* Uses a bump map for a realistic earth topography visual.<br />
* Uses a specular map for a realistic sun and moon glint visual.<br />
* Zoom in and out with your mouse scroll control.<br />
* Automatic earth rotation control.<br />
* Configurable selection of the IPv4 Host geolocation data source.<br />
* Manual data spike intensity scale controls.<br />
* The data scale can be dynamically changed between linear and logarithmic.<br />
* A reset button to re-initialize the earth 3D control settings.<br />
* Data can be displayed using either a single series or multi-series dataset.<br />
* All parameters, including the initial view location and view distance, can be controlled via the '''[https://en.wikipedia.org/wiki/Uniform_resource_locator URL]'''.<br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstgeolocate.html nstgeolocate]'''" now includes the ability to produce '''NST WebGL Globe JSON''' documents using '''[http://www.ntop.org/ntopng ntop / ntopng]''' as a data source. The '''NST WUI''' can now ''dynamically'' produce on demand '''NST WebGL Globe JSON''' documents for these data sources.</div>
Rwh
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Create_A_Public_Repo&diff=9881 HowTo Create A Public Repo 2023-07-24T18:22:47Z
<p>Rwh: /* Create The Repo */</p>
<hr />
<div>__TOC__<br />
= '''Overview''' =<br />
This page briefly shows example steps on how to create a public repo for selected RPMs. The example creates a public repo for NST 34 hosted at a2host.<br />
<br />
= '''Create Top Level Local Directory Paths For RPMs To Be Published''' =<br />
These paths mirror those on the public repo server (e.g., a2host). <br />
<br />
mkdir -p /home/nst/f34/x86_64/noarch;<br />
mkdir -p /home/nst/f34/x86_64/x86_64;<br />
<br />
= '''Copy RPMs To Be Published Over To These Directories''' =<br />
Copy the already built RPMs from the NST Pro Repo 34. This example includes the RPMs: nstwui, nstwui-filesystem and snort.<br />
<br />
cp /home/nst/repo34/yum/repo/noarch/nstwui-34-1010.nst34.noarch.rpm /home/nst/f34/x86_64/noarch;<br />
cp /home/nst/repo34/yum/repo/noarch/nstwui-filesystem-34-1010.nst34.noarch.rpm /home/nst/f34/x86_64/noarch;<br />
<br />
cp /home/nst/repo34/yum/repo/x86_64/snort-2.9.18-62.nst34.x86_64.rpm /home/nst/f34/x86_64/x86_64;<br />
<br />
= '''Sign The RPMs''' =<br />
Sign all new RPMs in the repo.<br />
<br />
rpm --addsign /home/nst/f34/x86_64/noarch/nstwui-34-1010.nst34.noarch.rpm /home/nst/f34/x86_64/noarch/nstwui-filesystem-34-1010.nst34.noarch.rpm /home/nst/f34/x86_64/x86_64/snort-2.9.18-62.nst34.x86_64.rpm;<br />
<br />
= '''Create The Repo''' =<br />
Create an RPM repo under the NST home directory: "'''/home/nst/f34/x86_64'''"<br />
createrepo -v /home/nst/f34/x86_64;<br />
<br />
= '''Upload Repo To The Public NST Repo Server''' =<br />
Send the entire repo to the public NST repository.<br />
<br />
rsync --delete -avh /home/nst/f34 a2:public_html/repo/nst;</div>
Rwh
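The publishing steps above as one script, added here as an example and not taken from the NST wiki or the NST scripts: it stages RPMs by architecture, signs them, and refuses to run '''createrepo''' and '''rsync''' unless every staged package verifies as signed. Paths and the rsync target follow the page; the '''rpm --checksig''' line format it accepts ("digests signatures OK", as printed by the rpm shipped with NST 34) is an assumption of the example.<br />
<br />

```bash
#!/bin/bash
# Added example, not from the NST wiki: the publish steps as one script that
# stages RPMs by architecture, signs them, and refuses to run createrepo and
# rsync unless every staged package verifies as signed.
# Paths and the rsync target follow the page; the "rpm --checksig" output
# format accepted below is an assumption of this example.
set -u

STAGE_ROOT="${STAGE_ROOT:-/home/nst/f34/x86_64}"      # local repo root
REPO_TARGET="${REPO_TARGET:-a2:public_html/repo/nst}" # rsync destination

# arch_dir FILE: map a package file name (NAME-VER-REL.DIST.ARCH.rpm) to the
# sub-directory it belongs in; anything else (src.rpm, non-RPM) is rejected.
arch_dir() {
  case "$1" in
    *.noarch.rpm) echo noarch ;;
    *.x86_64.rpm) echo x86_64 ;;
    *) return 1 ;;
  esac
}

# stage_rpm FILE: copy one RPM into the matching staging directory.
stage_rpm() {
  local dir
  dir="$(arch_dir "$1")" || { echo "unsupported package name: $1" >&2; return 1; }
  mkdir -p "$STAGE_ROOT/$dir" && cp -- "$1" "$STAGE_ROOT/$dir/"
}

# all_signed < CHECKSIG_OUTPUT: succeed only if every line reports a valid
# signature. rpm prints "FILE: digests signatures OK" for a signed package,
# "FILE: digests OK" for an unsigned one, and "... SIGNATURES NOT OK" when
# the key is unknown or the signature is bad; only the first form passes.
all_signed() {
  local line n=0
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in
      *"NOT OK"*) echo "signature not verified: $line" >&2; return 1 ;;
      *" signatures OK") ;;
      *) echo "not signed: $line" >&2; return 1 ;;
    esac
  done
  [ "$n" -gt 0 ]
}

# publish: sign every staged RPM, verify, build metadata and upload.
# Expects the signing key configured in ~/.rpmmacros (%_gpg_name) and its
# public key imported with "rpm --import" so that --checksig can verify it.
publish() {
  local -a rpms=()
  local f
  while IFS= read -r -d '' f; do rpms+=("$f"); done \
    < <(find "$STAGE_ROOT" -name '*.rpm' -print0)
  [ "${#rpms[@]}" -gt 0 ] || { echo "nothing staged under $STAGE_ROOT" >&2; return 1; }
  rpm --addsign "${rpms[@]}" || return 1
  rpm --checksig "${rpms[@]}" | all_signed || { echo "refusing to publish" >&2; return 1; }
  createrepo -v "$STAGE_ROOT" || return 1
  # the page syncs the parent (/home/nst/f34) so it lands as repo/nst/f34
  rsync --delete -avh "$(dirname "$STAGE_ROOT")" "$REPO_TARGET"
}

# Usage:
#   stage_rpm /home/nst/repo34/yum/repo/noarch/nstwui-34-1010.nst34.noarch.rpm && publish
```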
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9877 NST WUI Browser Support 2023-07-07T16:24:07Z
<p>Rwh: /* Invisible Scroll Bars (Chrome 97.x.x.x or Above) */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>endless</u> testing for supporting these browsers has been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section will describe various browser <u>optional</u> <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' or can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome will have to be installed manually on NST.<br />
dnf install google-chrome-beta;<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 115.x.x.x or Above) ==<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The chrome browser offers a means regardless of Operating System (OS) to make both the horizontal and vertical scroll bars hidden. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the chrome browser hangs on startup it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service (note that the basic store keeps any passwords Chrome saves on disk without keyring protection):<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== VNC GPU Chrome Rendering Issue ==<br />
If the chrome browser does not render within a '''[https://en.wikipedia.org/wiki/Virtual_Network_Computing VNC]''' session, one can use the following command line option to disable the use of the '''[https://en.wikipedia.org/wiki/Graphics_processing_unit GPU]''' process:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic --disable-gpu;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 1:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 2:''' A list of undocumented Chromium Command Line Switches can be found '''[https://peter.sh/experiments/chromium-command-line-switches/ here]'''.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
Reference information for Secure Shell is found in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold '''Ctrl''' while right-clicking the terminal to bring up a context menu, which contains an options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These recommended plugins add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an amazing set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to a '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This expected message is shown because an encrypted '''https''' connection is used when communicating with the '''NST''' probe. One should select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These recommended plugins add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>
Rwh
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Remote_Connect_to_a_Mate_Desktop_Session_Using_the_Vino_Server&diff=9876 HowTo Remote Connect to a Mate Desktop Session Using the Vino Server 2023-05-09T17:19:33Z
<p>Rwh: /* Vino on NST 32 or Later */</p>
<hr />
<div>__TOC__<br />
= Overview =<br />
This section briefly describes how to connect to a user Mate Desktop Session using the '''[https://en.wikipedia.org/wiki/Vino_(VNC_server) Vino]''' (VNC) server. NST includes the "'''mate-vino'''" package which allows the connection of a Mate Desktop Session using an external VNC client.<br />
<br />
== Enable Vino on a Mate Desktop ==<br />
Use the following configuration widget: "'''Remote Desktop (Mate Vino Settings)'''" to enable the Vino server and thus access via VNC to the Mate Desktop.<br />
<br />
Access the "'''Remote Desktop'''" widget from the Mate Menu:<br />
<br />
'''System''' --> '''Preferences''' --> '''Other''' --> '''Remote Desktop (Mate Vino Settings)'''<br />
<br />
[[File:Mate vino settings.png | Mate Vino Settings Widget]]<br />
<br />
== HowTo Verify that the Vino Server is Running ==<br />
One can use the NST script: '''[http://nst.sourceforge.net/nst/docs/scripts/nstvncadmin.html nstvncadmin]''' to verify that the Vino server is running:<br />
<br />
[root@E6540 ~]# nstvncadmin -m list -v;<br />
PID USER DISPLAY URL SERVER<br />
===== ==== ======= ============================ ===========<br />
6534 nst :0 N/A vino-server<br />
<br />
== Vino on NST 32 or Later ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 32<br /> SVN: 11781</center>]]''']]<br />
<br />
&nbsp;<br />
&nbsp;<br />
<br />
The "'''Remote Desktop (Mate Vino Settings)'''" widget is no longer supported. Use the '''dconf Editor''' '''(Applications -> System Tools -> dconf Editor)''' to manage '''Vino''' settings. '''Vino''' settings are located using path: '''org -> gnome -> desktop -> remote-access'''.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Notes On dconf Settings:'''<br />
These dconf settings seem to work when connecting to a desktop using Vino from a VNC client:<br />
<br />
&nbsp;<br />
<br />
'''Required:'''<br />
* Disable password authentication: ['none'] (authentication-methods).<br />
* Don't prompt for a connection: false (prompt-enabled).<br />
* Disable required encryption: false (require-encryption).<br />
* Disable 'disable-background': false <br />
<br />
<br />
'''Optional:'''<br />
* Set alternative port to: 5906 (alternative-port).<br />
* Use alternative port: true (use-alternative-port)<br />
<br />
With authentication and encryption both disabled, anyone who can reach the listening port gets the desktop; keep that port firewalled from untrusted networks or reach it only through an SSH tunnel.<br />
<br />
</div></div><br />
<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
<br />
Now start the user specific vino service as a non-root user. The user-based management of the service manager (i.e., the --user option) is used. This service normally needs to be activated each time the user logs in and is automatically stopped when the user logs out. The service must be activated from a terminal shell within the desktop session. <br />
<br />
'''Start:'''<br />
[nst@localhost ~]$ systemctl --user start vino-server.service;<br />
<br />
'''Status:'''<br />
[nst@localhost ~]$ systemctl --no-pager --user status vino-server.service;<br />
<br />
'''Stop:'''<br />
[nst@localhost ~]$ systemctl --user stop vino-server.service;<br />
<br />
'''Check For The Listening Vino Server Port:'''<br />
[nst@NST32 ~]$ netstat -tunap | grep 5906;<br />
tcp 0 0 0.0.0.0:5906 0.0.0.0:* LISTEN 275014/vino-server <br />
tcp6 0 0 :::5906 :::* LISTEN 275014/vino-server <br />
<br />
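The settings and the listening-port check above together tell you whether a desktop is reachable with no password and no encryption. The following shell script is an added example, not part of the NST page or of Vino; it reads the text of '''dconf dump /org/gnome/desktop/remote-access/''' and of '''netstat -tunap''' (constructed sample text here, shaped like the output on this page) and reports the exposure as ''local'', ''exposed'' or ''open''. The keyfile layout that ''dconf dump'' prints is assumed, not taken from the page.<br />

```shell
#!/bin/sh
# Added example, not part of the NST wiki page or of Vino itself.
# Audit whether Vino is reachable with no password and no encryption from
# any network the host is attached to. Inputs are plain text, so the
# functions can be fed real command output or the constructed samples below.

# Constructed sample of `dconf dump /org/gnome/desktop/remote-access/`
# (keyfile layout assumed; key names are the ones listed on the page).
SAMPLE_DCONF=$(cat <<'EOF'
[/]
authentication-methods=['none']
prompt-enabled=false
require-encryption=false
alternative-port=uint16 5906
use-alternative-port=true
EOF
)

# Constructed sample of `netstat -tunap`, shaped like the page's output.
SAMPLE_NETSTAT=$(cat <<'EOF'
tcp        0      0 0.0.0.0:5906            0.0.0.0:*               LISTEN      275014/vino-server
tcp6       0      0 :::5906                 :::*                    LISTEN      275014/vino-server
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
EOF
)

# vino_auth_disabled DCONF_TEXT: exit 0 when authentication-methods is ['none'].
vino_auth_disabled() {
  printf '%s\n' "$1" | grep -qxF "authentication-methods=['none']"
}

# vino_encryption_optional DCONF_TEXT: exit 0 when require-encryption=false,
# i.e. a client may connect in the clear.
vino_encryption_optional() {
  printf '%s\n' "$1" | grep -qxF 'require-encryption=false'
}

# vino_wildcard_listeners NETSTAT_TEXT: print the local address:port of every
# vino-server LISTEN socket bound to all interfaces (0.0.0.0 or ::).
# Exit 0 when at least one was found, 1 otherwise.
vino_wildcard_listeners() {
  printf '%s\n' "$1" | awk '
    $6 == "LISTEN" && $NF ~ /\/vino-server$/ &&
    ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::[0-9]+$/) { print $4; found = 1 }
    END { exit found ? 0 : 1 }'
}

# vino_exposure_level DCONF_TEXT NETSTAT_TEXT: print one word
#   local   - no vino-server socket bound to a wildcard address
#   exposed - reachable from the network, but a password or encryption is enforced
#   open    - reachable from the network with no password and no encryption
vino_exposure_level() {
  if ! vino_wildcard_listeners "$2" >/dev/null; then
    echo local
  elif vino_auth_disabled "$1" && vino_encryption_optional "$1"; then
    echo open
  else
    echo exposed
  fi
}

# On a live NST host, pass real output instead of the samples:
#   vino_exposure_level "$(dconf dump /org/gnome/desktop/remote-access/)" "$(netstat -tunap)"
vino_exposure_level "$SAMPLE_DCONF" "$SAMPLE_NETSTAT"
```

Collect the dconf part as the desktop user and the netstat part as root (netstat only reports process names for sockets you own). A result of ''open'' means the settings recommended in the note above are in effect on a port bound to every interface; firewall it or tunnel the VNC session before leaving it running.<br />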
<div class="centerBlock"><div class="noteMessage">'''Notes to attach to a Vino service:'''<br />
* macOS - Best to use a third-party VNC viewer such as [https://www.realvnc.com/en/connect/download/viewer/macos/ RealVNC].<br />
</div></div></div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Subversion_Notes&diff=9875Subversion Notes2023-04-25T00:38:19Z<p>Rwh: /* Switching User Repository Root */</p>
<hr />
<div>We switched from using CVS to Subversion as our source control mechanism in mid October 2009.<br />
<br />
* We did not try to import all of the CVS history.<br />
* The initial import includes all of the 2.11.0 release source plus the updated source code since the release (the state of CVS on 2009-10-14).<br />
* We left the CVS repository alone (in case we ever wanted to refer back for older history).<br />
<br />
= Preparing Development Machine =<br />
<br />
As a developer, the following things must be done to your development machine before you will be able to check out, build and commit changes to the NST source code.<br />
<br />
== Set SVNROOT ==<br />
<br />
You need to set the ''SVNROOT'' variable. Add one of the following to your '''~/.bashrc''' or '''~/.bash_profile''' configuration file. The first is the original SourceForge location, which the older transcripts on this page still show; the second is the current repository root, reached over ''svn+ssh'' (replace ''user'' with your SourceForge user name):<br />
<br />
export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
<br />
export SVNROOT=svn+ssh://user@svn.code.sf.net/p/nst/code<br />
<br />
After the ''SVNROOT'' variable is set, you should be able to run Subversion commands. For example the following shows the directories under ''SVNROOT''.<br />
<br />
[pkb@sprint ~]$ export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
[pkb@sprint ~]$ svn ls ${SVNROOT}<br />
trunk/<br />
[pkb@sprint ~]$ <br />
<br />
== gnome-keyring ==<br />
<br />
Subversion might complain about needing to store passwords in an ''unencrypted'' form. To prevent this, enable the ''gnome-keyring'' password store. Edit the file '''~/.subversion/config''' and search for the string ''password-stores''. Most likely it is commented out in your current configuration file. I updated mine to the following:<br />
<br />
password-stores = gnome-keyring<br />
<br />
However, this alone was not enough to stop the prompt from appearing each time. I then added the following package:<br />
<br />
yum install subversion-gnome<br />
<br />
We will see if this permits us to store the password or not (you may need to be logged into a GNOME desktop in order to make use of the gnome-keyring feature). The ''svn+ssh'' access method sidesteps the issue entirely, since it authenticates with your SSH key and Subversion never handles a password.<br />
<br />
= Directory Structure =<br />
<br />
Currently the directory structure under Subversion is straightforward. We use ''dev/FCVer'' (e.g., dev/30) as the current working area (this is what most developers will be checking out from and committing to). The following is the top level directory structure for Development (/dev), Release (/releases) and the pristine repository for pushing out package updates (/repo):<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/<br />
dev/<br />
releases/<br />
repo/<br />
<br />
Under each top level directory there is one source tree per Fedora release (the oldest entries are still named by NST release number):<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/dev<br />
18/<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
2.15.0/<br />
2.16.0/<br />
20/<br />
21/<br />
22/<br />
24/<br />
26/<br />
28/<br />
30/<br />
32/<br />
<br />
= Subversion Commands =<br />
<br />
Use the following to get the list of available subversion commands:<br />
<br />
svn help<br />
<br />
To get more information about a specific Subversion command (like ''ls''), run:<br />
<br />
svn help ls<br />
<br />
<br />
== Checking Out Code ==<br />
<br />
To make the initial checkout of the current source code into a sub-directory named ''nst'', check out the development tree for the Fedora release you are working on (''dev/32'' here; the older transcripts on this page still use ''trunk'', which predates the ''dev''/''repo'' layout):<br />
<br />
svn co ${SVNROOT}/dev/32 nst<br />
<br />
== Committing Code ==<br />
<br />
You use the ''commit'' subversion command when you want to commit changes to the source code.<br />
<br />
When you first run ''commit'', it may prompt you for the password of the wrong user ID (your local login, ''root'' in the example below). If this happens, press the ''Enter'' key without entering a password. Subversion then asks for your SourceForge user ID, followed by your SourceForge password. For example:<br />
<br />
<br />
[root@fedora11 nightly]# svn commit<br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Password for 'root': <br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Username: SOURCEFORGE_LOGIN_ID<br />
Password for 'SOURCEFORGE_LOGIN_ID': <br />
Sending nightly/nightly-build.bash<br />
Sending nightly/nightly2html.xsl<br />
Sending nightly/nightly2txt.xsl<br />
Transmitting file data ...-----------------------------------------------------------------------<br />
ATTENTION! Your password for authentication realm:<br />
<br />
<https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
<br />
can only be stored to disk unencrypted! You are advised to configure<br />
your system so that Subversion can store passwords encrypted, if<br />
possible. See the documentation for details.<br />
<br />
You can avoid future appearances of this warning by setting the value<br />
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in<br />
'/root/.subversion/servers'.<br />
-----------------------------------------------------------------------<br />
Store password unencrypted (yes/no)? no <br />
<br />
Committed revision 4.<br />
[root@fedora11 nightly]#<br />
<br />
Answering ''no'' to the final prompt keeps the password out of the on-disk credential cache under '''~/.subversion/auth'''. To stop the prompt permanently, set '''store-plaintext-passwords = no''' in '''~/.subversion/servers''' as the message suggests, or use the ''svn+ssh'' access method, which authenticates with your SSH key instead.<br />
== Status ==<br />
<br />
The Subversion ''status'' command is very handy at showing not only what files you've modified, but also (when including the ''-u'' option) what files have changed in the repository since your last update:<br />
<br />
svn status -u<br />
<br />
For help about the output of ''svn status'', run:<br />
<br />
svn help status | less<br />
<br />
== Revert ==<br />
<br />
If you've made modifications to a file which you want to discard, use the ''revert'' command to restore the original version:<br />
<br />
svn revert FILENAME<br />
<br />
<br />
To revert a file to a previous revision use the '''merge''' command. The following example reverts file "'''bwmonitor.js'''" from revision '''3987''' back to revision '''3986'''. After the reverse merge is applied you will need to '''commit''' the result. Use the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion Browser] to assist in finding your revision numbers.<br />
<br />
svn merge -r 3987:3986 bwmonitor.js<br />
<br />
== Revert Commit, Undo Commit, Reverse Merge ==<br />
<br />
If you've committed modifications to a file accidentally it is a bit tricky to ''undo'' the commit. To get back an older version you need to perform something called a reverse merge. This is done by running the ''svn merge -r BAD:GOOD SOURCE'' command. Where BAD is typically the current revision ID of the source you want to revert, GOOD is the revision ID of the good code you want to restore and is typically 1 less than the value of BAD. SOURCE is typically the name of the file or directory you want to undo the commit on.<br />
<br />
For example, we can use the following command to determine the last changed revision of the files under the current directory:<br />
<br />
[pkb@refritos server]$ svn info . | grep Rev:<br />
Last Changed Rev: 10660<br />
[pkb@refritos server]$ <br />
<br />
In this example the BAD revision ID is 10660, the last commit done to this area. To restore the files to their state at revision 10659 (the good version prior to 10660), we would run the following command:<br />
<br />
[pkb@refritos server]$ svn merge -r 10660:10659 .<br />
--- Reverse-merging r10660 into '.':<br />
U xrdp.cgi<br />
--- Recording mergeinfo for reverse merge of r10660 into '.':<br />
G .<br />
--- Eliding mergeinfo from '.':<br />
U .<br />
[pkb@refritos server]$ <br />
<br />
As the ''status'' command shows, this undo affected only one file in the directory; the change is local to the working copy and is not reflected in the repository until it is committed.<br />
<br />
[pkb@refritos server]$ svn status<br />
M xrdp.cgi<br />
[pkb@refritos server]$ <br />
<br />
This allows us to inspect the undone changes. If we are happy, we can commit this version back. If we are unhappy with the results, we can revert the state of the directory and try again.<br />
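The procedure above (find the last changed revision, reverse-merge it, inspect, commit) is easy to get wrong when the working copy already has local edits, because the reverse merge then mixes with them. The following shell functions are an added example, not part of the NST page or of Subversion; they take the text of ''svn status'' and ''svn info'' as arguments (constructed samples here, shaped like the page's transcripts) so the checks can be exercised without a repository, and only call ''svn merge'' when passed ''--run''.<br />

```shell
#!/bin/sh
# Added example, not part of the NST wiki page or of Subversion itself.
# Wraps the reverse-merge recipe in the checks a practitioner wants:
# derive BAD/GOOD from `svn info`, refuse on a dirty working copy, and only
# run `svn merge` when explicitly asked (so the file is safe to source).
# The svn output below is a constructed sample shaped like the page's.

SAMPLE_INFO=$(cat <<'EOF'
Path: .
URL: https://svn.code.sf.net/p/nst/code/repo/32/server
Repository Root: https://svn.code.sf.net/p/nst/code
Revision: 10660
Node Kind: directory
Last Changed Author: pkb
Last Changed Rev: 10660
Last Changed Date: 2023-04-24 20:38:19 -0400 (Mon, 24 Apr 2023)
EOF
)

# last_changed_rev INFO_TEXT: print the "Last Changed Rev" value, if any.
last_changed_rev() {
  printf '%s\n' "$1" | awk '$1 == "Last" && $2 == "Changed" && $3 == "Rev:" { print $4 }'
}

# reverse_merge_range INFO_TEXT: print "BAD:GOOD" where GOOD = BAD - 1.
# Exit 1 when the info text carries no "Last Changed Rev" line.
reverse_merge_range() {
  bad=$(last_changed_rev "$1")
  [ -n "$bad" ] || return 1
  printf '%s:%s\n' "$bad" "$((bad - 1))"
}

# working_copy_clean STATUS_TEXT: exit 0 when `svn status` reported nothing
# modified, added, deleted, replaced, conflicted, missing or obstructed.
# Unversioned ('?') and ignored ('I') entries do not block a merge.
working_copy_clean() {
  ! printf '%s\n' "$1" | grep -q '^[MADRC!~]'
}

# undo_last_commit STATUS_TEXT INFO_TEXT [--run]
# Print the merge command that undoes the last commit recorded in INFO_TEXT;
# with --run, also execute it in the current directory. Returns 2 on a dirty
# working copy and 3 when no revision could be found.
undo_last_commit() {
  if ! working_copy_clean "$1"; then
    echo "refusing: working copy has local changes, commit or revert them first" >&2
    return 2
  fi
  range=$(reverse_merge_range "$2") || {
    echo "refusing: no 'Last Changed Rev' in svn info output" >&2
    return 3
  }
  echo "svn merge -r $range ."
  if [ "$3" = "--run" ]; then
    svn merge -r "$range" .
  fi
}

# Dry run against the constructed sample (prints the command only).
# On a real working copy:  undo_last_commit "$(svn status)" "$(svn info .)" --run
undo_last_commit "" "$SAMPLE_INFO"
```

''svn merge -c -10660 .'' is Subversion's shorthand for the same reverse merge of a single revision; the script keeps the ''-r BAD:GOOD'' form to match the recipe above. After the merge, inspect with ''svn status'' and ''svn diff'' exactly as the page describes before committing.<br />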
<br />
== Ignoring Files ==<br />
<br />
Under CVS, you could edit the file '''.cvsignore''' to tell CVS to ignore certain files within the directory. Subversion has a similar, but different mechanism for ignoring files. Basically, you change to the directory where the files/directories to be ignored exist and run the following command:<br />
<br />
svn propedit svn:ignore .<br />
<br />
Running the above command should pull up a text editor and allow you to specify file name patterns to specify what files and directories should be ignored. Here is an example ignore list which causes Subversion to ignore any file or directory ending with the extension ''.log'' or having the name ''tmp'':<br />
<br />
*.log<br />
tmp<br />
<br />
== Manage The Executable Flag On File ==<br />
Use the following command to set the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control (''svn propset'' takes a property value; any value enables the flag, ''on'' by convention):<br />
<br />
svn propset svn:executable on bwmonitor-ajax.php<br />
<br />
Use the following command to remove the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control:<br />
<br />
svn propdel svn:executable bwmonitor-ajax.php<br />
<br />
== Merging Changes Across Revisions ==<br />
<br />
Our general strategy is typically to do all new work under the ''trunk'' area. However, when we move from one Fedora platform to another (like from Fedora 13 to Fedora 15), we will typically copy the ''trunk'' area to a sub-directory under the maintenance area. For example, the following shows the top level Subversion hierarchy (where you will see ''trunk'' and ''maintenance'') and the older maintenance areas where we have the ability to maintain older versions of the software.<br />
<br />
[root@f13-32 ~]# svn ls $SVNROOT<br />
maintenance/<br />
releases/<br />
trunk/<br />
[root@f13-32 ~]# svn ls $SVNROOT/maintenance<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
[root@f13-32 ~]# <br />
<br />
In this situation, you may find yourself making changes to the ''trunk'' area that you would also like to apply to the ''2.13.0'' branch area. To accomplish this, use the following strategy:<br />
<br />
* Make your updates to the ''trunk'' area.<br />
* Commit your changes.<br />
* Determine the range of revision numbers for your change using the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion browser].<br />
* Use the ''svn merge'' command to merge the changes into the ''maintenance/2.13.0'' area.<br />
<br />
Here is an example of using ''svn merge'' to merge the changes made for the 2.1.6 release of the relaycheck package from the ''trunk'' area to the ''maintenance/2.13.0'' area:<br />
<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number], I can see that the last revision number for the ''maintenance/2.13.0'' version was 2016 (at the time of this writing - it will change in the future).<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/trunk/yum/pkgs trunk/yum/pkgs/relaycheck revision number], I can see that the current revision number for the ''trunk'' version of relaycheck was 2102 (at the time this article was written).<br />
* At this point I have enough information to merge the changes with the following ''svn merge'' command:<br />
<br />
[root@f13-32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/maintenance/2.13.0<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 2076<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: pblankenbaker<br />
Last Changed Rev: 2076<br />
Last Changed Date: 2011-05-10 16:53:57 -0400 (Tue, 10 May 2011)<br />
<br />
[root@f13-32 repo]# svn merge -r 2016:2102 $SVNROOT/trunk/yum/pkgs/relaycheck yum/pkgs/relaycheck<br />
--- Merging r2076 through r2102 into 'yum/pkgs/relaycheck':<br />
U yum/pkgs/relaycheck/src/relaycheck.pl<br />
U yum/pkgs/relaycheck/pkginfo.xml<br />
U yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# svn status<br />
M yum/pkgs/relaycheck<br />
M yum/pkgs/relaycheck/src/relaycheck.pl<br />
M yum/pkgs/relaycheck/pkginfo.xml<br />
M yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# <br />
<br />
At this point, we should make sure the merged changes still build and then commit our changes.<br />
<br />
[root@f13-32 repo]# cd yum<br />
[root@f13-32 yum]# make relaycheck<br />
<br />
... Omitted much of the output ...<br />
<br />
-------------------------------------------------------------------------------<br />
SUCCESS: Successfully installed relaycheck-1.2.6-11.nst13.noarch.rpm<br />
-------------------------------------------------------------------------------<br />
make[1]: Leaving directory `/root/repo/yum/pkgs/relaycheck'<br />
[root@f13-32 yum]# svn commit<br />
<br />
NOTE: After committing the changes, the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number] changed to 2103 (at the time of this writing), which is now larger than the 2102 revision we used for the merge.<br />
<br />
== Merging From Dev Area To The Repo Area ==<br />
<br />
* '''Note:''' If this merge includes updates in the '''nstwui''' package: '''Have You Updated The NST WUI Release Number On The Dev Branch First?'''<br />
<br />
The following demonstrates the current merge method to bring changes from the ''dev/20'' development branch to the ''repo/20'' area.<br />
<br />
[root@dev20-64 ~]# cd repo<br />
[root@dev20-64 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev20-64 repo]# svn info<br />
Path: .<br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo/20<br />
Relative URL: ^/repo/20<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6545<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6545<br />
Last Changed Date: 2015-02-14 08:44:42 -0500 (Sat, 14 Feb 2015)<br />
<br />
[root@dev20-64 repo]# svn update; svn merge https://svn.code.sf.net/p/nst/code/dev/20 .<br />
At revision 6594.<br />
--- Merging r6545 through r6594 into '.':<br />
U include/javascript/core/NstSelect.js<br />
U include/javascript/core/NstRuler.js<br />
<br />
...<br />
<br />
U yum/pkgs/putty-win32<br />
--- Recording mergeinfo for merge of r6545 through r6594 into '.':<br />
U .<br />
--- Recording mergeinfo for merge of r6545 through r6594 into 'yum/pkgs/putty-win32':<br />
G yum/pkgs/putty-win32<br />
[root@dev20-64 repo]# svn commit -m "Merging up to 6545 from dev/20"<br />
... output from commit ...<br />
[root@dev20-64 repo]# <br />
<br />
Method using an '''svnuser''' alias that always passes your Subversion user name (substitute "'''user'''" with your Subversion user name). This example merges the ''dev/36'' area into a ''repo/36'' working copy:<br />
export SVNROOT="svn+ssh://user@svn.code.sf.net/p/nst/code";<br />
alias svnuser='svn --username user';<br />
svnuser update; svnuser merge ${SVNROOT}/dev/36 .;<br />
svnuser commit -m "Merging dev 36 area into repo 36 through r13374";<br />
<br />
<br />
This is the old method used for merging and updating the '''Trunk Area''' with code changes in the '''Development 18 Area''' spanning from revision '''4869''' to '''HEAD (4877)''' (the latest changes committed to the ''dev/18'' area). Use the following link for NST code revision reference: http://nst.svn.sourceforge.net/viewvc/nst<br />
<br />
[root@dev16-32 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev16-32 repo]# svn proplist<br />
Properties on '.':<br />
svn:mergeinfo<br />
svn:ignore<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-4869<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@dev16-32 repo]# svn merge -r 4869:HEAD ${SVNROOT}/dev/18 .<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:3590,3592-3611,3613-3614,3616,3618-3620,3622,3624-3627,3629-3702<br />
[root@dev16-32 repo]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@dev16-32 repo]# svn commit -m "Merging up to 4877 from dev/18 - new release of the NST WUI"<br />
... output from commit ...<br />
[root@dev16-32 repo]#<br />
<br />
== Merging From ''repo'' To ''dev'' Area ==<br />
<br />
The easy method for merging the ''repo'' area changes into your ''dev'' area:<br />
<br />
* Make sure all code is committed and everything is up to date.<br />
* Set SVNROOT to point to the top level directory (like: https://svn.code.sf.net/p/nst/code).<br />
* Run the merge command as shown below:<br />
<br />
[pkb@chimi dev]$ svn merge $SVNROOT/repo/22 .<br />
--- Merging differences between repository URLs into '.':<br />
U include/dist/release-notes.txt<br />
U include/manifest/current.xml<br />
A include/manifest/release-22-7248.xml<br />
U include/data/configure.in<br />
U html/include/make/makefile<br />
U html/links.html<br />
U html/side.html<br />
U html/welcome.html<br />
U html/README.html<br />
U src/scripts/nstmenu/share/groups/release.group.xml<br />
U src/scripts/nstmenu/share/applications/release.apps.xml<br />
U yum/pkgs/nstmenu/template.spec<br />
U yum/pkgs/nstmenu/pkginfo.xml<br />
U yum/pkgs/nstweb/template.spec<br />
U yum/pkgs/nstweb/pkginfo.xml<br />
U .<br />
--- Recording mergeinfo for merge between repository URLs into '.':<br />
U .<br />
[pkb@chimi dev]$ <br />
<br />
The following demonstrates an older technique that merges the '''Repo Area''' code changes spanning from revision '''6534''' to '''HEAD (6537)''' into the '''Development Area'''.<br />
<br />
'''On repo:'''<br />
[root@vortex repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-5411,5419-5496<br />
/dev/20:5419-5501,5503-6533<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex repo]# <br />
<br />
'''On Dev:'''<br />
[root@vortex dev]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST!<br />
Status against revision: 6533<br />
[root@vortex dev]# svn merge -r 6534:HEAD ${SVNROOT}/repo .<br />
[root@vortex dev]# svn propget svn:mergeinfo<br />
/dev/18:5419-5496<br />
/repo:4494,4505-4514,4516-4551,4555-4568,4586-4587,4614,4695,4717,4781,4812,5413-5415,5662-5666,6535-6537<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex dev]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@vortex dev]# svn commit -m "Merging up to 6537 from repo for new release"<br />
... output from commit ...<br />
[root@vortex dev]#<br />
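Both transcripts above read ''svn:mergeinfo'' before and after the merge to see which revisions a branch has already received. The following shell functions are an added example, not part of the NST page or of Subversion; they parse the ''svn propget svn:mergeinfo'' text (a constructed sample built from the values on this page) and report whether a given revision is recorded and which revisions inside the recorded span were skipped, which is how the '''5502''' hole in ''/dev/20:5419-5501,5503-6533'' above can be spotted before a release merge.<br />

```shell
#!/bin/sh
# Added example, not part of the NST wiki page or of Subversion itself.
# Parse the svn:mergeinfo property (as printed by `svn propget svn:mergeinfo`)
# and answer two review questions: is revision REV of PATH already merged
# here, and which revisions inside the recorded span were skipped?
# The mergeinfo text is constructed from the values shown on the page.

SAMPLE_MERGEINFO=$(cat <<'EOF'
/dev/18:5419-5496
/dev/20:5419-5501,5503-6533
/repo:4494,4505-4514,4516-4551
/trunk:3591,3657-3699
EOF
)

# mergeinfo_has MERGEINFO PATH REV: exit 0 when REV of PATH is recorded as merged.
mergeinfo_has() {
  printf '%s\n' "$1" | awk -F: -v path="$2" -v rev="$3" '
    $1 == path {
      gsub(/\*/, "", $2)      # a trailing "*" marks non-inheritable mergeinfo
      n = split($2, ranges, ",")
      for (i = 1; i <= n; i++) {
        m = split(ranges[i], ab, "-")
        lo = ab[1] + 0
        hi = (m == 2) ? ab[2] + 0 : lo
        if (rev + 0 >= lo && rev + 0 <= hi) found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# mergeinfo_gaps MERGEINFO PATH: print the revisions between the first and last
# recorded revision of PATH that were never merged, one "N" or "N-M" per line.
# Empty output means the recorded span is contiguous.
mergeinfo_gaps() {
  printf '%s\n' "$1" | awk -F: -v path="$2" '
    $1 == path {
      gsub(/\*/, "", $2)
      n = split($2, ranges, ",")
      for (i = 1; i <= n; i++) {
        m = split(ranges[i], ab, "-")
        lo = ab[1] + 0
        hi = (m == 2) ? ab[2] + 0 : lo
        if (i > 1 && lo > prev + 1) {
          if (lo - prev == 2) printf "%d\n", prev + 1
          else printf "%d-%d\n", prev + 1, lo - 1
        }
        prev = hi
      }
    }'
}

# Before merging r5502 from dev/20 into this working copy, see whether it is
# already recorded, and list what the earlier merges skipped:
#   mergeinfo_has "$(svn propget svn:mergeinfo .)" /dev/20 5502 || echo "r5502 not merged"
#   mergeinfo_gaps "$(svn propget svn:mergeinfo .)" /dev/20
mergeinfo_gaps "$SAMPLE_MERGEINFO" /dev/20
```

A gap is not necessarily a mistake (a revision may have been skipped on purpose, or touched only files outside the merged subtree), but each one should be accounted for before the ''repo'' area is copied to a release.<br />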
<br />
== Switching To A New Root ==<br />
<br />
There can be many different branches of the same source tree at different levels of development within the Subversion repository. You can use the ''switch'' command to switch from one branch to another. When making a switch, the source code you have checked out will be updated to match the state of the source code in the new branch. Before making a switch, it is important to make sure that all of your changes are checked into the current branch. For example, the following demonstrates how to switch a working copy from the ''repo'' area to the ''dev/20'' branch:<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: . <br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo<br />
Relative URL: ^/repo<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6540<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6540<br />
Last Changed Date: 2015-02-09 13:57:38 -0500 (Mon, 09 Feb 2015)<br />
<br />
[root@taco-dev32 repo]# export SVNROOT="$(svn info | awk -- '$2 == "Root:" { print $3; }')";<br />
[root@taco-dev32 repo]# echo $SVNROOT<br />
https://svn.code.sf.net/p/nst/code<br />
[root@taco-dev32 repo]# svn switch $SVNROOT/dev/20<br />
At revision 3577.<br />
[root@taco-dev32 repo]# <br />
<br />
After making a switch, you can use the ''info'' command to verify the switch was successful.<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/dev<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 3577<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: jdoe<br />
Last Changed Rev: 3577<br />
Last Changed Date: 2012-05-29 10:04:54 -0400 (Tue, 29 May 2012)<br />
<br />
[root@taco-dev32 repo]#<br />
<br />
== Relocate To A New Repository Root ==<br />
<br />
This section demonstrates switching repository root from one URL to another. In this example we switch from "'''http://svn.code.sf.net/p/nst/code'''" to "'''svn+ssh://USERID@svn.code.sf.net/p/nst/code'''". The svn "'''relocate'''" command is used.<br />
<br />
[root@vortex dev]# svn info;<br />
Path: .<br />
Working Copy Root Path: /root/dev<br />
URL: http://svn.code.sf.net/p/nst/code/dev/26<br />
Relative URL: ^/dev/26<br />
Repository Root: http://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 9274<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: user<br />
Last Changed Rev: 9274<br />
Last Changed Date: 2017-10-11 16:07:51 -0400 (Wed, 11 Oct 2017)<br />
[root@vortex dev]# <br />
[root@vortex dev]# svn --username USERID relocate http://svn.code.sf.net/p/nst/code svn+ssh://USERID@svn.code.sf.net/p/nst/code;<br />
<br />
== Switching User Repository Root ==<br />
Use this subversion method to switch the "'''Repository Root'''" user from "'''USERID1'''" to "'''USERID2'''":<br />
svn relocate svn+ssh://USERID1@svn.code.sf.net/p/nst/code/dev/38 svn+ssh://USERID2@svn.code.sf.net/p/nst/code/dev/38;<br />
<br />
= New NST Release Setup =<br />
<br />
Currently the directory structure under Subversion is straightforward. As an example we use ''dev/30'' when working on Fedora 30 based builds. To move to Fedora 32 we do the following (a URL-to-URL copy commits immediately, so a log message is given with ''-m''):<br />
<br />
svn copy -m "Create dev/32 from dev/30" ${SVNROOT}/dev/30 ${SVNROOT}/dev/32;<br />
<br />
When we are ready to push out a release we want to create our pristine repository area:<br />
<br />
svn copy -m "Create repo/32 from dev/32" ${SVNROOT}/dev/32 ${SVNROOT}/repo/32;<br />
<br />
= Related Links =<br />
<br />
; http://nst.svn.sourceforge.net/viewvc/nst<br />
: Use this link to browse the NST Subversion repository (the 'trunk' folder corresponds to the current development tree).</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Subversion_Notes&diff=9874Subversion Notes2023-04-25T00:37:58Z<p>Rwh: /* Relocate To A New Repository Root */</p>
<hr />
<div>We switched from using CVS to Subversion as our source control mechanism in mid October 2009.<br />
<br />
* We did not try to import all of the CVS history.<br />
* The initial import includes all of the 2.11.0 release source plus the updated source code since the release (the state of CVS on 2009-10-14).<br />
* We left the CVS repository alone (in case we ever wanted to refer back for older history).<br />
<br />
= Preparing Development Machine =<br />
<br />
As a developer, the following things must be done to your development machine before you will be able to check out, build and commit changes to the NST source code.<br />
<br />
== Set SVNROOT ==<br />
<br />
You need to set the ''SVNROOT'' variable. Add the following to your '''~/.bashrc''' or '''~/.bash_profile''' configuration file:<br />
<br />
export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
<br />
export SVNROOT=svn+ssh://user@svn.code.sf.net/p/nst/code<br />
<br />
After the ''SVNROOT'' variable is set, you should be able to run Subversion commands. For example the following shows the directories under ''SVNROOT''.<br />
<br />
[pkb@sprint ~]$ export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
[pkb@sprint ~]$ svn ls ${SVNROOT}<br />
trunk/<br />
[pkb@sprint ~]$ <br />
<br />
== gnome-keyring ==<br />
<br />
Subversion might complain about needing to store passwords in a ''unencrypted'' form. To prevent this, we need to figure out how to enable the ''gnome-keyring'' add-on. To do this, edit the file '''~/.subversion/config''' and search on the string ''password-stores''. Most likely this will be commented out in your current configuration file. I updated mine to the following:<br />
<br />
password-stores = gnome-keyring<br />
<br />
However, this was not enough to prevent me from being prompted each time. I then added the following package:<br />
<br />
yum install subversion-gnome<br />
<br />
We will see if this permits us to store the password or not (you may need to be logged into a GNOME desktop in order to make use of the gnome-keyring feature).<br />
<br />
= Directory Structure =<br />
<br />
Currently the directory structure under Subversion is fairly straight forward. We use ''dev/FCVer'' (E.g., dev/30) as the current working area (this is what most developers will be checking out from and committing to). The following is the top level directory structure for Development (/dev), Release (/releases) and the pristine repository for pushing out package updates (/repo):<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/<br />
dev/<br />
releases/<br />
repo/<br />
<br />
Under each top level directory there are Fedora specific source trees:<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/dev<br />
18/<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
2.15.0/<br />
2.16.0/<br />
20/<br />
21/<br />
22/<br />
24/<br />
26/<br />
28/<br />
30/<br />
32/<br />
<br />
= Subversion Commands =<br />
<br />
Use the following to get the list of available subversion commands:<br />
<br />
svn help<br />
<br />
To get more information about a specific Subversion command (like ''ls''), run:<br />
<br />
svn help ls<br />
<br />
<br />
== Checking Out Code ==<br />
<br />
To make the initial checkout of the current source code into a sub-directory named ''nst'', you can use the following Subversion command:<br />
<br />
svn co ${SVNROOT}/trunk nst<br />
<br />
== Committing Code ==<br />
<br />
You use the ''commit'' subversion command when you want to commit changes to the source code.<br />
<br />
When you first run ''commit'', it may prompt you for the password for the incorrect user ID. If this happens, press the ''Enter'' key without specifying a password. This should allow you enter your SourceForge user ID followed by your SourceForge password when committing changes. For example:<br />
<br />
<br />
[root@fedora11 nightly]# svn commit<br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Password for 'root': <br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Username: SOURCEFORGE_LOGIN_ID<br />
Password for 'SOURCEFORGE_LOGIN_ID': <br />
Sending nightly/nightly-build.bash<br />
Sending nightly/nightly2html.xsl<br />
Sending nightly/nightly2txt.xsl<br />
Transmitting file data ...-----------------------------------------------------------------------<br />
ATTENTION! Your password for authentication realm:<br />
<br />
<https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
<br />
can only be stored to disk unencrypted! You are advised to configure<br />
your system so that Subversion can store passwords encrypted, if<br />
possible. See the documentation for details.<br />
<br />
You can avoid future appearances of this warning by setting the value<br />
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in<br />
'/root/.subversion/servers'.<br />
-----------------------------------------------------------------------<br />
Store password unencrypted (yes/no)? no <br />
<br />
Committed revision 4.<br />
[root@fedora11 nightly]#<br />
<br />
== Status ==<br />
<br />
The Subversion status command is very handy at showing not only what files you've modified, but also (when including the ''-u'' option) handy at showing what files have changed in the repository:<br />
<br />
svn status -u<br />
<br />
For help about the output of ''svn status'', run:<br />
<br />
svn help status | less<br />
<br />
== Revert ==<br />
<br />
If you've made modifications to a file which you want to discard, use the ''revert'' command to restore the original version:<br />
<br />
svn revert FILENAME<br />
<br />
<br />
To revert back to a previous revision use the '''merge''' option. The follow example reverts back to the '''3986''' revision from the '''3987''' revision for file: "'''bwmonitor.js'''". After the revert changes are applied you will need to '''commit'''. Use the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion Browser] to assit in finding your revision numbers.<br />
<br />
svn merge -r 3987:3986 bwmonitor.js<br />
<br />
== Revert Commit, Undo Commit, Reverse Merge ==<br />
<br />
If you've committed modifications to a file accidentally it is a bit tricky to ''undo'' the commit. To get back an older version you need to perform something called a reverse merge. This is done by running the ''svn merge -r BAD:GOOD SOURCE'' command. Where BAD is typically the current revision ID of the source you want to revert, GOOD is the revision ID of the good code you want to restore and is typically 1 less than the value of BAD. SOURCE is typically the name of the file or directory you want to undo the commit on.<br />
<br />
For example, we can used the following command to determine the last changed revision of the files under the current directory:<br />
<br />
[pkb@refritos server]$ svn info . | grep Rev:<br />
Last Changed Rev: 10660<br />
[pkb@refritos server]$ <br />
<br />
In this example the BAD revision ID is 10660 associated with the last commit done to this area. To restore the files to the 10659 state (the good version prior to the 10660) state, we would run the following command:<br />
<br />
[pkb@refritos server]$ svn merge -r 10660:10659 .<br />
--- Reverse-merging r10660 into '.':<br />
U xrdp.cgi<br />
--- Recording mergeinfo for reverse merge of r10660 into '.':<br />
G .<br />
--- Eliding mergeinfo from '.':<br />
U .<br />
[pkb@refritos server]$ <br />
<br />
As the ''status'' command shows, this undo only impacted one file in the directory and is not immediately reflected in the repository.<br />
<br />
[pkb@refritos server]$ svn status<br />
M xrdp.cgi<br />
[pkb@refritos server]$ <br />
<br />
This allows us to inspect the undone changes. If we are happy, we can commit this version back. If we are unhappy with the results, we can revert the state of the directory and try again.<br />
<br />
== Ignoring Files ==<br />
<br />
Under CVS, you could edit the file '''.cvsignore''' to tell CVS to ignore certain files within the directory. Subversion has a similar, but different mechanism for ignoring files. Basically, you change to the directory where the files/directories to be ignored exist and run the following command:<br />
<br />
svn propedit svn:ignore .<br />
<br />
Running the above command should pull up a text editor and allow you to specify file name patterns to specify what files and directories should be ignored. Here is an example ignore list which causes Subversion to ignore any file or directory ending with the extension ''.log'' or having the name ''tmp'':<br />
<br />
*.log<br />
tmp<br />
<br />
== Manage The Executable Flag On A File ==<br />
Use the following command to set the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control. Note that ''svn propset'' requires a property value; Subversion only checks that ''svn:executable'' is present, so the conventional value is ''ON'':<br />
<br />
svn propset svn:executable ON bwmonitor-ajax.php<br />
<br />
Use the following command to remove the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control:<br />
<br />
svn propdel svn:executable bwmonitor-ajax.php<br />
<br />
== Merging Changes Across Revisions ==<br />
<br />
Our general strategy is typically to do all new work under the ''trunk'' area. However, when we move from one Fedora platform to another (like from Fedora 13 to Fedora 15), we will typically copy the ''trunk'' area to a sub-directory under the maintenance area. For example, the following shows the top level Subversion hierarchy (where you will see ''trunk'' and ''maintenance'') and the older maintenance areas in which we retain the ability to maintain older versions of the software.<br />
<br />
[root@f13-32 ~]# svn ls $SVNROOT<br />
maintenance/<br />
releases/<br />
trunk/<br />
[root@f13-32 ~]# svn ls $SVNROOT/maintenance<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
[root@f13-32 ~]# <br />
<br />
In this situation, you may find yourself making changes to the ''trunk'' area that you would also like to apply to the ''2.13.0'' branch area. To accomplish this, use the following strategy:<br />
<br />
* Make your updates to the ''trunk'' area.<br />
* Commit your changes.<br />
* Determine the range of revision numbers for your change using the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion browser].<br />
* Use the ''svn merge'' command to merge the changes into the ''maintenance/2.13.0'' area.<br />
<br />
Here is an example of using ''svn merge'' to merge the changes made for the 2.1.6 release of the relaycheck package from the ''trunk'' area to the ''maintenance/2.13.0'' area:<br />
<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number], I can see that the last revision number for the ''maintenance/2.13.0'' version was 2016 (at the time of this writing - it will change in the future).<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/trunk/yum/pkgs trunk/yum/pkgs/relaycheck revision number], I can see that the current revision number for the ''trunk'' version of relaycheck was 2102 (at the time this article was written).<br />
* At this point I have enough information to merge the changes with the following ''svn merge'' command:<br />
<br />
[root@f13-32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/maintenance/2.13.0<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 2076<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: pblankenbaker<br />
Last Changed Rev: 2076<br />
Last Changed Date: 2011-05-10 16:53:57 -0400 (Tue, 10 May 2011)<br />
<br />
[root@f13-32 repo]# svn merge -r 2016:2102 $SVNROOT/trunk/yum/pkgs/relaycheck yum/pkgs/relaycheck<br />
--- Merging r2076 through r2102 into 'yum/pkgs/relaycheck':<br />
U yum/pkgs/relaycheck/src/relaycheck.pl<br />
U yum/pkgs/relaycheck/pkginfo.xml<br />
U yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# svn status<br />
M yum/pkgs/relaycheck<br />
M yum/pkgs/relaycheck/src/relaycheck.pl<br />
M yum/pkgs/relaycheck/pkginfo.xml<br />
M yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# <br />
<br />
At this point, we should make sure the merged changes still build and then commit our changes.<br />
<br />
[root@f13-32 repo]# cd yum<br />
[root@f13-32 yum]# make relaycheck<br />
<br />
... Omitted much of the output ...<br />
<br />
-------------------------------------------------------------------------------<br />
SUCCESS: Successfully installed relaycheck-1.2.6-11.nst13.noarch.rpm<br />
-------------------------------------------------------------------------------<br />
make[1]: Leaving directory `/root/repo/yum/pkgs/relaycheck'<br />
[root@f13-32 yum]# svn commit<br />
<br />
NOTE: After committing the changes, the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number] changed to 2103 (at the time of this writing), which is now larger than the original 2102 revision we used for the merge.<br />
<br />
== Merging From Dev Area To The Repo Area ==<br />
<br />
* '''Note:''' If this merge includes updates in the '''nstwui''' package: '''Have You Updated The NST WUI Release Number On The Dev Branch First?'''<br />
<br />
The following demonstrates the current merge method to bring changes from the ''dev/20'' development branch to the ''repo/20'' area.<br />
<br />
[root@dev20-64 ~]# cd repo<br />
[root@dev20-64 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev20-64 repo]# svn info<br />
Path: .<br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo/20<br />
Relative URL: ^/repo/20<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6545<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6545<br />
Last Changed Date: 2015-02-14 08:44:42 -0500 (Sat, 14 Feb 2015)<br />
<br />
[root@dev20-64 repo]# svn update; svn merge https://svn.code.sf.net/p/nst/code/dev/20 .<br />
At revision 6594.<br />
--- Merging r6545 through r6594 into '.':<br />
U include/javascript/core/NstSelect.js<br />
U include/javascript/core/NstRuler.js<br />
<br />
...<br />
<br />
U yum/pkgs/putty-win32<br />
--- Recording mergeinfo for merge of r6545 through r6594 into '.':<br />
U .<br />
--- Recording mergeinfo for merge of r6545 through r6594 into 'yum/pkgs/putty-win32':<br />
G yum/pkgs/putty-win32<br />
[root@dev20-64 repo]# svn commit -m "Merging up to 6545 from dev/20"<br />
... output from commit ...<br />
[root@dev20-64 repo]# <br />
<br />
Method for an svn user, using a '''svnuser''' alias (substitute the name "'''user'''" with your Subversion user name):<br />
export SVNROOT="svn+ssh://user@svn.code.sf.net/p/nst/code";<br />
alias svnuser='svn --username user';<br />
svnuser update; svnuser merge ${SVNROOT}/dev/36<br />
svnuser commit -m "Merging dev 36 area into repo 36 through r13374";<br />
<br />
<br />
This is the old method used for merging and updating the '''Trunk Area''' with code changes in the '''Development 18 Area''' spanning from revision: "'''4869'''" to "'''HEAD (4877)'''" (the latest changes committed to the ''dev/18'' area). Use the following link for NST code revision reference: http://nst.svn.sourceforge.net/viewvc/nst<br />
<br />
[root@dev16-32 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev16-32 repo]# svn proplist<br />
Properties on '.':<br />
svn:mergeinfo<br />
svn:ignore<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-4869<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@dev16-32 repo]# svn merge -r 4869:HEAD ${SVNROOT}/dev/18 .<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:3590,3592-3611,3613-3614,3616,3618-3620,3622,3624-3627,3629-3702<br />
[root@dev16-32 repo]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@dev16-32 repo]# svn commit -m "Merging up to 4877 from dev/18 - new release of the NST WUI"<br />
... output from commit ...<br />
[root@dev16-32 repo]#<br />
<br />
== Merging From ''repo'' To ''dev'' Area ==<br />
<br />
The easy method for merging the ''repo'' area changes into your ''dev'' area:<br />
<br />
* Make sure all code is committed and everything is up to date.<br />
* Set SVNROOT to point to the top level directory (like: https://svn.code.sf.net/p/nst/code).<br />
* Run the merge command as shown below:<br />
<br />
[pkb@chimi dev]$ svn merge $SVNROOT/repo/22 .<br />
--- Merging differences between repository URLs into '.':<br />
U include/dist/release-notes.txt<br />
U include/manifest/current.xml<br />
A include/manifest/release-22-7248.xml<br />
U include/data/configure.in<br />
U html/include/make/makefile<br />
U html/links.html<br />
U html/side.html<br />
U html/welcome.html<br />
U html/README.html<br />
U src/scripts/nstmenu/share/groups/release.group.xml<br />
U src/scripts/nstmenu/share/applications/release.apps.xml<br />
U yum/pkgs/nstmenu/template.spec<br />
U yum/pkgs/nstmenu/pkginfo.xml<br />
U yum/pkgs/nstweb/template.spec<br />
U yum/pkgs/nstweb/pkginfo.xml<br />
U .<br />
--- Recording mergeinfo for merge between repository URLs into '.':<br />
U .<br />
[pkb@chimi dev]$ <br />
<br />
The following demonstrates an older technique that merges the '''Development Area''' with code changes in the '''Repo Area''' spanning from revision: "'''6534'''" to "'''HEAD (6537)'''".<br />
<br />
'''On repo:'''<br />
[root@vortex repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-5411,5419-5496<br />
/dev/20:5419-5501,5503-6533<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex repo]# <br />
<br />
'''On Dev:'''<br />
[root@vortex dev]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST!<br />
Status against revision: 6533<br />
[root@vortex dev]# svn merge -r 6534:HEAD ${SVNROOT}/repo .<br />
[root@vortex dev]# svn propget svn:mergeinfo<br />
/dev/18:5419-5496<br />
/repo:4494,4505-4514,4516-4551,4555-4568,4586-4587,4614,4695,4717,4781,4812,5413-5415,5662-5666,6535-6537<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex dev]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@vortex dev]# svn commit -m "Merging up to 6537 from repo for new release"<br />
... output from commit ...<br />
[root@vortex dev]#<br />
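<br />
Before either merge above (dev to repo, or repo to dev), the ''svn:mergeinfo'' property shows which revisions of a source path are already recorded as merged. The following is an added shell example, not part of the NST page: it parses a ''svn propget svn:mergeinfo'' value in the shape shown above and reports which revisions a planned ''svn merge -r'' range would repeat. The sample mergeinfo text inside it is constructed to match the page's output format.<br />

```shell
# Added example (not from the NST page): check the svn:mergeinfo value shown by
# "svn propget svn:mergeinfo" before a merge, so a revision that is already
# recorded as merged from a source path is not merged a second time.

# mergeinfo_has_rev MERGEINFO SRC REV
# Returns 0 when REV lies in one of SRC's ranges ("/dev/18:4795-5411,5419-5496").
mergeinfo_has_rev() {
    printf '%s\n' "$1" | awk -v src="$2" -v rev="$3" '
        BEGIN { found = 0; rev = rev + 0 }
        {
            split($0, parts, ":")                 # "/source/path:RANGE,RANGE,..."
            if (parts[1] != src) next
            n = split(parts[2], ranges, ",")
            for (i = 1; i <= n; i++) {
                r = ranges[i]
                sub(/\*$/, "", r)                 # "*" marks a non-inheritable range
                if (index(r, "-")) { split(r, b, "-"); lo = b[1] + 0; hi = b[2] + 0 }
                else               { lo = r + 0; hi = lo }
                if (rev >= lo && rev <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# mergeinfo_already_merged MERGEINFO SRC REV...
# Prints, one per line, those of REV... that SRC already records as merged.
mergeinfo_already_merged() {
    mi="$1"; src="$2"; shift 2
    for rev in "$@"; do
        if mergeinfo_has_rev "$mi" "$src" "$rev"; then printf '%s\n' "$rev"; fi
    done
}

# Live use inside a working copy (needs svn): list which of the given revisions
# the current directory already records as merged from SRC, e.g.
#   svn_already_merged /dev/20 6534 6535 6536 6537
svn_already_merged() {
    src="$1"; shift
    mergeinfo_already_merged "$(svn propget svn:mergeinfo .)" "$src" "$@"
}

# Constructed sample in the shape of the page's "svn propget svn:mergeinfo" output.
SAMPLE_MERGEINFO='/dev/18:4795-5411,5419-5496
/dev/20:5419-5501,5503-6533
/maintenance/18:4794
/trunk:3591,3657-3699,3951,4042'
```

Run ''svn_already_merged'' in the working copy before choosing the ''-r'' range; any revision it prints is already in the target and should start the range, not be inside it.<br />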
<br />
== Switching To A New Root ==<br />
<br />
There can be many different branches of the same source tree at different levels of development within the Subversion repository. You can use the ''switch'' command to switch from one branch to another. When making a switch, the source code you have checked out will be updated to match the state of the source code in the new branch. Before making a switch, it is important to make sure that all of your changes are checked into the current branch. For example, the following demonstrates how to switch to the ''dev'' branch from the ''trunk'' branch:<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: . <br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo<br />
Relative URL: ^/repo<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6540<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6540<br />
Last Changed Date: 2015-02-09 13:57:38 -0500 (Mon, 09 Feb 2015)<br />
<br />
[root@taco-dev32 repo]# export SVNROOT="$(svn info | awk -- '$2 == "Root:" { print $3; }')";<br />
[root@taco-dev32 repo]# echo $SVNROOT<br />
https://svn.code.sf.net/p/nst/code<br />
[root@taco-dev32 repo]# svn switch $SVNROOT/dev/20<br />
At revision 3577.<br />
[root@taco-dev32 repo]# <br />
<br />
After making a switch, you can use the ''info'' command to verify the switch was successful.<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/dev<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 3577<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: jdoe<br />
Last Changed Rev: 3577<br />
Last Changed Date: 2012-05-29 10:04:54 -0400 (Tue, 29 May 2012)<br />
<br />
[root@taco-dev32 repo]#<br />
<br />
== Relocate To A New Repository Root ==<br />
<br />
This section demonstrates switching the repository root from one URL to another. In this example we switch from "'''http://svn.code.sf.net/p/nst/code'''" to "'''svn+ssh://USERID@svn.code.sf.net/p/nst/code'''". The svn "'''relocate'''" command is used.<br />
<br />
[root@vortex dev]# svn info;<br />
Path: .<br />
Working Copy Root Path: /root/dev<br />
URL: http://svn.code.sf.net/p/nst/code/dev/26<br />
Relative URL: ^/dev/26<br />
Repository Root: http://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 9274<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: user<br />
Last Changed Rev: 9274<br />
Last Changed Date: 2017-10-11 16:07:51 -0400 (Wed, 11 Oct 2017)<br />
[root@vortex dev]# <br />
[root@vortex dev]# svn --username USERID relocate http://svn.code.sf.net/p/nst/code svn+ssh://USERID@svn.code.sf.net/p/nst/code;<br />
<br />
== Switching User Repository Root ==<br />
Use this subversion method to switch the "'''Repository Root'''" user from "'''USERID1'''" to "'''USERID2'''":<br />
svn relocate svn+ssh://USERID1@svn.code.sf.net/p/nst/code/dev/38 svn+ssh://USERID2@svn.code.sf.net/p/nst/code/dev/38<br />
<br />
= New NST Release Setup =<br />
<br />
Currently the directory structure under Subversion is fairly straightforward. As an example we use ''dev/30'' when working on Fedora 30 based builds. To move to Fedora 32 we do the following:<br />
<br />
svn copy ${SVNROOT}/dev/30 ${SVNROOT}/dev/32;<br />
<br />
When we are ready to push out a release we want to create our pristine repository area:<br />
<br />
svn copy ${SVNROOT}/dev/32 ${SVNROOT}/repo/32;<br />
<br />
= Related Links =<br />
<br />
; http://nst.svn.sourceforge.net/viewvc/nst<br />
: Use this link to browse the NST Subversion repository (the 'trunk' folder corresponds to the current development tree).</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9873HowTo Quickly Setup A VPN Using WireGuard On NST2023-04-24T17:40:36Z<p>Rwh: /* Server Side - IPv4 Forwarding */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to setup a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This creates two (2) key files, one Private / Public key pair ('''privatekey''' and '''publickey'''):<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This creates two (2) key files, one Private / Public key pair ('''privatekey''' and '''publickey'''):<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
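<br />
The placeholder substitution of steps 2 through 6 above, automated as an added shell example that is not part of the NST page or its '''wg-generate-keys''' file: it replaces the page's placeholders literally (so base64 characters such as "/" and "+" need no escaping) and then checks the finished '''wg0.conf''' for leftover placeholders, a well-formed '''PrivateKey''' and a 600 file mode before '''wg-quick up''' is run. The key value in it is a constructed sample with the shape of a WireGuard key, not a real key.<br />

```shell
# Added example (not from the NST page or its wg-generate-keys file): fill the
# NST wg-*.template.conf placeholders and check the result before "wg-quick up".

# Replace every literal occurrence of PLACEHOLDER in CONF with VALUE, keeping the
# file's mode (the template was installed with -m 600). awk's index() is used so
# that base64 characters such as "/" and "+" need no escaping; awk -v would
# interpret backslashes, which base64 keys never contain.
wg_fill_placeholder() {
    conf="$1"; placeholder="$2"; value="$3"; tmp="$conf.tmp.$$"
    cp -p "$conf" "$tmp" &&
    awk -v ph="$placeholder" -v val="$value" '
        {
            out = ""; s = $0
            while ((i = index(s, ph)) > 0) {
                out = out substr(s, 1, i - 1) val
                s = substr(s, i + length(ph))
            }
            print out s
        }' "$conf" > "$tmp" &&
    mv "$tmp" "$conf"
}

# Verify a finished config: no "-... KEY-" or "public.ip.of.server" placeholder
# left, a PrivateKey that is a 32-byte base64 key (44 chars ending in "="), and
# no group/other permission bits, since the file holds the private key.
wg_check_conf() {
    conf="$1"; rc=0
    if grep -q -e '-[A-Z ]*KEY-' -e 'public\.ip\.of\.server' "$conf"; then
        echo "$conf: unfilled template placeholder(s):" >&2
        grep -n -e '-[A-Z ]*KEY-' -e 'public\.ip\.of\.server' "$conf" >&2
        rc=1
    fi
    key=$(sed -n 's/^PrivateKey *= *//p' "$conf")
    if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "$conf: PrivateKey is not a 44-character base64 WireGuard key" >&2
        rc=1
    fi
    perms=$(ls -l "$conf" | cut -c5-10)   # group and other bits of "-rw-------"
    if [ "$perms" != "------" ]; then
        echo "$conf: mode allows group/other access (expected 600)" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample value with the shape of a WireGuard key (base64 of the
# 32-byte string "CONSTRUCTED-EXAMPLE-KEY-NOT-REAL"); never use it as a key.
WG_EXAMPLE_KEY='Q09OU1RSVUNURUQtRVhBTVBMRS1LRVktTk9ULVJFQUw='
```

On a real system the values come from the generated '''privatekey''' and '''publickey''' files, e.g. ''wg_fill_placeholder wg0.conf "-SERVER PRIVATE KEY-" "$(cat privatekey)"'', followed by ''wg_check_conf wg0.conf''.<br />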
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router on the server side is configured, access to UDP port: "'''51820'''" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers Firewall rule changes and IP Forwarding that may need to be changed for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''" for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
====== Server Side - IPv4 Forwarding ======<br />
To allow client to client access over a WireGuard VPN tunnel, ''enable'' IPv4 Forwarding:<br />
[root@shopper2 ~]# /sbin/sysctl -w net.ipv4.ip_forward=1<br />
[root@shopper2 ~]# /sbin/sysctl net.ipv4.ip_forward<br />
net.ipv4.ip_forward = 1<br />
<br />
To make the IPv4 Forwarding change permanent, add the following line to the file: "'''/etc/sysctl.conf'''"<br />
net.ipv4.ip_forward=1<br />
<br />
To disallow client to client access over a WireGuard VPN tunnel, ''disable'' IPv4 Forwarding:<br />
[root@shopper2 ~]# /sbin/sysctl -w net.ipv4.ip_forward=0<br />
[root@shopper2 ~]# /sbin/sysctl net.ipv4.ip_forward<br />
net.ipv4.ip_forward = 0<br />
<br />
To make the disabled IPv4 Forwarding setting permanent, add the following line to the file: "'''/etc/sysctl.conf'''"<br />
net.ipv4.ip_forward=0<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, the following two (2) network commands ('''ping''' and '''SSH''') exercise the tunnel:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
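<br />
The "'''latest handshake'''" line above is the quickest health signal a WireGuard peer offers: with a keepalive of 21 seconds a live peer re-handshakes roughly every two minutes, so a handshake much older than that (or none at all) means the peer is unreachable. The following script is an added example, not part of NST or of the WireGuard tools. It parses the machine-readable form of the same status, "'''wg show wg0 dump'''" (tab-separated, with the handshake as a Unix timestamp), and reports stale peers. The sample dump embedded in it is constructed from the keys shown on this page, not captured from a live system.<br />
<br />
```shell
#!/bin/sh
# Report WireGuard peers whose last handshake is older than MAX_AGE seconds.
# Input is the machine-readable form of the status shown above,
#   wg show wg0 dump
# whose peer lines are tab separated:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# (latest-handshake is a Unix timestamp, 0 when no handshake ever completed).
#
# Usage:  stale_peers "$(wg show wg0 dump)" "$(date +%s)" 180
# Output: one "<public-key> <age-in-seconds|never>" line per stale peer.
stale_peers() {
    dump=$1; now=$2; max_age=${3:-180}
    printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v max="$max_age" '
        NR == 1 { next }                        # interface line, not a peer
        NF < 8  { next }                        # not a well-formed peer line
        {
            hs = $5 + 0
            if (hs == 0)             print $1, "never"
            else if (now - hs > max) print $1, now - hs
        }'
}

# Constructed sample, not captured from a live system: the server on this page
# with its client (handshake 117 s ago) plus two keys from the multi-peer
# example, one last seen an hour ago and one that never completed a handshake.
SAMPLE_NOW=1700000000
SAMPLE_DUMP=$(
    printf '%s\t%s\t%s\t%s\n' '(hidden)' \
        'vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=' '(none)' \
        '14.41.111.122:38964' '10.55.55.2/32' $((SAMPLE_NOW - 117)) 9820 7444 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        '+iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=' '(none)' \
        '(none)' '10.55.55.10/32' $((SAMPLE_NOW - 3600)) 512 4096 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=' '(none)' \
        '(none)' '10.55.55.11/32' 0 0 0 off
)

# Demo run over the constructed sample: prints the two stale peers.
stale_peers "$SAMPLE_DUMP" "$SAMPLE_NOW" 180
```
<br />
The 180 second threshold is deliberate: WireGuard rekeys a session after about 120 seconds of traffic, and with '''PersistentKeepalive''' set there is always traffic, so anything older than three minutes is a dead peer rather than an idle one. Without keepalives an idle but healthy peer can legitimately show an old handshake, so raise the threshold for peers that do not set it.<br />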
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command. Because the server's "'''wg0.conf'''" sets "'''SaveConfig = true'''", '''wg-quick''' first runs "'''wg showconf'''" and writes the running configuration back to "'''/etc/wireguard/wg0.conf'''"; any edits made to that file while the interface was up are overwritten, so take the interface down before editing it:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit ('''wg-quick@.service''') that brings up the VPN automatically when an NST system boots. The instance name after the "'''@'''" selects the configuration file, so '''wg-quick@wg0.service''' uses "'''/etc/wireguard/wg0.conf'''".<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl start wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl start wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key pair for each client (peer); never share one key pair between clients.<br />
* Add one ''[Peer]'' section per client to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' setting of each peer entry does not overlap with that of any other peer. WireGuard keeps each allowed prefix for exactly one peer, so a prefix listed under two peers is silently moved to whichever peer was configured last, and the other peer stops receiving traffic for it.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim, they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the public address (or FQDN) and port of your own server (this typically involves forwarding that UDP port through your firewall to the server).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).<br />
* It is recommended to use a port other than ''51820'' (something different than this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
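<br />
The "do not overlap" rule above is the one that bites silently, because '''wg''' accepts an overlapping server configuration without complaint and simply hands the prefix to the last peer. The following script is an added example, not part of NST or of the WireGuard tools: it reads a server "'''wg0.conf'''" and reports every pair of ''[Peer]'' sections whose IPv4 ''AllowedIPs'' overlap, so it can be run before "'''wg-quick up'''". The embedded sample configurations are constructed from the three-peer server configuration shown above; IPv6 prefixes are skipped, and "'''-FOURTH PEER PUBLIC KEY-'''" is a placeholder in the style of the NST templates, not a real key.<br />
<br />
```shell
#!/bin/sh
# Check a WireGuard server configuration for [Peer] sections whose IPv4
# AllowedIPs overlap. wg(8) does not reject overlaps: the cryptokey routing
# table holds each prefix for exactly one peer, so a later [Peer] silently
# takes the prefix away from an earlier one. Run this before "wg-quick up"
# or "wg syncconf".
#
# Usage: check_allowed_ips "$(cat /etc/wireguard/wg0.conf)"
# Prints one line per conflicting pair; returns 1 if any conflict was found.
check_allowed_ips() {
    printf '%s\n' "$1" | awk '
        function ipnum(a,    o) {            # dotted quad -> 32-bit number
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function netnum(a, pl) {             # network number of a under prefix length pl
            return int(ipnum(a) / 2 ^ (32 - pl))
        }
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }                   # drop comments
        /^[ \t]*\[Peer\]/ { peer++; inpeer = 1; next }
        /^[ \t]*\[/       { inpeer = 0; next }   # [Interface] or anything else
        inpeer && /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            m = split($0, list, ",")
            for (k = 1; k <= m; k++) {
                if (list[k] ~ /:/) continue  # IPv6 prefixes are not checked here
                n++; cidr[n] = list[k]; owner[n] = peer
                if (split(list[k], p, "/") == 2) { ip[n] = p[1]; len[n] = p[2] }
                else                          { ip[n] = list[k]; len[n] = 32 }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++) {
                    pl = (len[i] < len[j]) ? len[i] : len[j]   # shorter prefix decides
                    if (netnum(ip[i], pl) == netnum(ip[j], pl)) {
                        printf "%s (peer %d) overlaps %s (peer %d)\n", cidr[i], owner[i], cidr[j], owner[j]
                        bad = 1
                    }
                }
            exit bad
        }'
}

# Constructed sample: the three-peer server configuration from this page (valid) ...
SAMPLE_OK_CONF='[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32

[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.12/32'

# ... and the same file with a fourth peer that claims the whole /24, the usual
# result of pasting a client-side AllowedIPs line into the server file.
SAMPLE_BAD_CONF="$SAMPLE_OK_CONF

[Peer]
PublicKey = -FOURTH PEER PUBLIC KEY-
AllowedIPs = 10.55.55.0/24"

# Demo run over the constructed samples.
check_allowed_ips "$SAMPLE_OK_CONF"  && echo "ok: no overlapping AllowedIPs"
check_allowed_ips "$SAMPLE_BAD_CONF" || echo "conflict: fix wg0.conf before bringing wg0 up"
```
<br />
On the server each peer's ''AllowedIPs'' should be exactly that peer's tunnel address (a /32); the /24 belongs only on the client side, where it tells the client which destinations to send into the tunnel.<br />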
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard ships as a prebuilt kernel module with NST 34 and above (it was merged into the mainline Linux kernel in version 5.6). The DKMS steps below are no longer needed and are kept for reference only.<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard ships as a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard ships as a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard ships as a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to remove a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9872HowTo Quickly Setup A VPN Using WireGuard On NST2023-04-24T17:38:14Z<p>Rwh: /* Server Side (Linux) */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to setup a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it was merged into the mainline kernel in version 5.6 and is now cross-platform and widely deployed. It might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation script. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This creates one key pair, stored in two root-only (mode 600) files: "'''privatekey'''" and "'''publickey'''":<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This creates one key pair, stored in two root-only (mode 600) files: "'''privatekey'''" and "'''publickey'''":<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''"; note that a name is resolved only once, when '''wg-quick''' brings the interface up. If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
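<br />
The substitutions in steps 4 through 6 are usually done with an editor, but when scripted with '''sed''' they fail on the first key that contains a "'''/'''" (base64 keys contain "'''/'''" and "'''+'''", so "'''s/PLACEHOLDER/KEY/'''" breaks). The following script is an added example, not part of NST's templates or of '''wg-generate-keys''': it fills the two template files shown above from a private key and a public key, refuses keys that are not 32 bytes of base64 (the same length check '''wg''' itself performs) and refuses to emit a file with a placeholder left in it. The templates and keys embedded in it are the ones shown on this page; '''is_wg_key''', '''render_conf''', '''fill_server_conf''' and '''fill_client_conf''' are names chosen for this example.<br />
<br />
```shell
#!/bin/sh
# Fill the NST WireGuard template placeholders safely. "|" is used as the sed
# delimiter because it is not in the base64 alphabet; "&" and "\" are not
# either, so the replacement side needs no escaping.

# True if $1 looks like a WireGuard key: 32 bytes of base64, 44 characters
# ending in "=". The 43rd character must leave its two padding bits zero,
# which restricts it to A E I M Q U Y c g k o s w 0 4 8.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# render_conf TEMPLATE_TEXT PLACEHOLDER VALUE [PLACEHOLDER VALUE ...]
# Prints the template with each placeholder replaced; returns 1 (and prints
# nothing) if a "-... KEY-" placeholder is still present afterwards.
render_conf() {
    out=$1; shift
    while [ $# -ge 2 ]; do
        out=$(printf '%s\n' "$out" | sed "s|$1|$2|")
        shift 2
    done
    if printf '%s\n' "$out" | grep -q -- '-[A-Z ]*KEY-'; then
        echo "render_conf: unfilled placeholder remains" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# The NST templates as shown on this page (wg-server.template.conf and
# wg-client.template.conf).
SERVER_TEMPLATE='[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32'

CLIENT_TEMPLATE='[Interface]
Address = 10.55.55.2/32
PrivateKey = -CLIENT PRIVATE KEY-
#DNS = 1.1.1.1
#DNS = 8.8.8.8

[Peer]
PublicKey = -SERVER PUBLIC KEY-
Endpoint = public.ip.of.server:51820
#AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21'

# fill_server_conf TEMPLATE SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY
fill_server_conf() {
    is_wg_key "$2" || { echo "bad server private key" >&2; return 1; }
    is_wg_key "$3" || { echo "bad client public key" >&2; return 1; }
    render_conf "$1" '-SERVER PRIVATE KEY-' "$2" '-CLIENT PUBLIC KEY-' "$3"
}

# fill_client_conf TEMPLATE CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY SERVER_HOST
fill_client_conf() {
    is_wg_key "$2" || { echo "bad client private key" >&2; return 1; }
    is_wg_key "$3" || { echo "bad server public key" >&2; return 1; }
    render_conf "$1" '-CLIENT PRIVATE KEY-' "$2" '-SERVER PUBLIC KEY-' "$3" \
        'public\.ip\.of\.server' "$4"
}

# Demo with the example keys from this page (never reuse them). On a real
# system:  fill_server_conf "$SERVER_TEMPLATE" "$(cat privatekey)" "$CLIENT_PUB" > wg0.conf
fill_server_conf "$SERVER_TEMPLATE" \
    'UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=' \
    'dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs='
```
<br />
Before substituting, confirm that the two files really belong together: "'''wg pubkey < privatekey'''" must print exactly the contents of "'''publickey'''". A mismatched pair is the most common reason a freshly configured tunnel shows no handshake at all.<br />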
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router on the Server side is configured, access to UDP port "'''51820'''" on the WireGuard VPN Server host must be allowed from the Internet facing side. The third-party article '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers the Firewall rule changes and IP Forwarding settings that may need to be adjusted for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''" for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.22.22.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
====== Server Side - IPv4 Forwarding ======<br />
To allow client-to-client traffic to pass through the Server's "'''wg0'''" interface, enable IPv4 forwarding on the Server. Note that this setting turns on forwarding between ''all'' of the Server's interfaces, not only '''wg0''', so pair it with firewall rules that limit what may be forwarded:<br />
[root@shopper2 ~]# /sbin/sysctl -w net.ipv4.ip_forward=1<br />
[root@shopper2 ~]# /sbin/sysctl net.ipv4.ip_forward<br />
net.ipv4.ip_forward = 1<br />
<br />
To make the IPv4 forwarding change permanent, add the following line to the file: "'''/etc/sysctl.conf'''"<br />
net.ipv4.ip_forward=1<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit to automate starting the VPN when an NST system is brought up.<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl start wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl start wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key for each client (peer).<br />
* Add multiple ''[Peer]'' sections to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).<br />
* It is recommended to use a port other than ''51820'' (something different than this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
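The following Python script, added here as an example and not code from the NST wiki or the WireGuard project, checks a server-side ''wg0.conf'' against the rules above (a unique key per peer, non-overlapping ''AllowedIPs'', required ''[Interface]'' fields). The two sample configurations and every key value in them are constructed placeholders.<br />
<br />
```python
# Added example: validate a WireGuard server wg0.conf against the multi-peer
# rules (unique peer keys, non-overlapping AllowedIPs). Sample data is constructed.
import ipaddress
from collections import Counter

# Constructed sample: peer 3's AllowedIPs swallows peers 1 and 2, and
# peer 3 reuses peer 1's (placeholder) public key.
BAD_CONF = """\
[Interface]
Address = 10.55.55.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.55.55.11/32, 10.55.55.12/32   # one peer, two tunnel addresses

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.55.55.0/24
"""

# The same file with peer 3 given its own key and a /32 that overlaps nothing.
GOOD_CONF = BAD_CONF.replace(
    "PEER_A_PUBLIC_KEY_PLACEHOLDER=\nAllowedIPs = 10.55.55.0/24",
    "PEER_C_PUBLIC_KEY_PLACEHOLDER=\nAllowedIPs = 10.55.55.13/32",
)


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) from wg-quick INI text.
    configparser rejects repeated [Peer] sections, hence a small hand parser;
    keys are stored lower-cased and '#' starts a comment as in wg(8)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def allowed_networks(peer):
    """A peer's comma-separated AllowedIPs as ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in peer.get("allowedips", "").split(",") if v.strip()]


def check_server_conf(text):
    """Apply the multi-peer rules; return a list of problems (empty means OK)."""
    interface, peers = parse_wg_conf(text)
    problems = []
    for field in ("privatekey", "address", "listenport"):
        if field not in interface:
            problems.append(f"[Interface] is missing {field}")
    # Rule 1: every peer needs its own key pair.
    key_count = Counter(p.get("publickey", "") for p in peers)
    for key, n in key_count.items():
        if not key:
            problems.append(f"{n} peer(s) have no PublicKey")
        elif n > 1:
            problems.append(f"PublicKey {key} is shared by {n} peers")
    # Rule 2: AllowedIPs must not overlap between peers. WireGuard keeps one
    # cryptokey routing table, so a prefix belongs to at most one peer and an
    # overlapping entry reassigns traffic instead of failing loudly.
    nets = [(i, n) for i, p in enumerate(peers, 1) for n in allowed_networks(p)]
    for idx, (ia, na) in enumerate(nets):
        for ib, nb in nets[idx + 1:]:
            if ia != ib and na.overlaps(nb):
                problems.append(
                    f"peer {ia} AllowedIPs {na} overlaps peer {ib} AllowedIPs {nb}")
    for i, p in enumerate(peers, 1):
        if not allowed_networks(p):
            problems.append(f"peer {i} has no AllowedIPs")
    return problems


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, check_server_conf(conf) or "OK")
```

Run it against your own ''/etc/wireguard/wg0.conf'' by passing the file contents to ''check_server_conf''; an empty result means the three rules hold.<br />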
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following command to remove a wireguard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22&diff=9753HowTo Setup A Server With Multiple Network Interface Adapters Using: "nstnetcfg"2022-12-24T19:07:48Z<p>Rwh: /* Binding an IPv4 Address to a 'Bonding' Network Interface */</p>
<hr />
<div>__TOC__<br />
= '''Overview''' =<br />
<br />
This page demonstrates how to set up networking on an NST server that is configured with ''multiple'' network interface adapters for performing ''simultaneous'' network surveillance tasks. The NST command line tool: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" was designed to make this task easy to accomplish using the underlying "'''NetworkManager'''" service via the '''nmcli''' utility.<br />
<br />
The diagram below will be used as a reference for setting up a multi-network interface adapter server using '''NST'''. The rear panel of a '''1U Server''' is shown with NIC attachments to the network infrastructure. The network security staff for fictitious company: "'''TxyCorp'''" would like to use NST for monitoring different network segments throughout their network. In particular, they would like to monitor traffic entering and leaving their corporation, web server traffic, all client electronic business transactions and remote traffic to and from their satellite offices. They will use a combination of '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) ports and a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network TAP]''' to expose network traffic on these segments. <br />
<br />
When booting up "'''[http://sourceforge.net/projects/nst/ NST Live]'''" or after a hard disk installation, the "'''[http://projects.gnome.org/NetworkManager/ Network Manager]'''" service is on by default for managing all network interfaces found on an NST system. '''Network Manager''' provides a quick and easy method for setting up networking on a system equipped with a wireless interface that uses '''DHCP''' for '''IPv4 Address '''configuration. When a system is configured with two or more wired network interfaces or requires a multi-homed network setup, the "'''nstnetcfg'''" script may be a better choice for setting up the network configuration.<br />
<br />
The '''nstnetcfg''' utility scripts the error prone steps involved in setting up networking on an NST (Linux) system with the "'''NetworkManager'''" service, which helps avoid configuration mistakes.<br />
<br />
[[Image:Nstnetcfgserver.png|1024px|center|A Multi-Network Interface Adapter NST Server Configuration]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The "'''Sys Admin Network'''" is an out-of-band network for the management of enterprise servers within this network infrastructure. The "'''[http://en.wikipedia.org/wiki/Out-of-band_management ILOM]'''" (Integrated Lights Out Management) network interface (i.e., "'''NetMgt'''") and the "'''Serial Console'''" device (i.e., "'''ttyS0'''") are shown for completeness and are not used by "'''nstnetcfg'''".</div></div><br />
<br />
= '''Network Interface Setup Configuration Information''' =<br />
<br />
In this section we will identify each network interface and how it should be set up using the '''1U Server''' configuration illustrated in the reference diagram above. Network parameters such as the '''Subnet Mask''', '''Host Name(s)''', '''Domain Name Servers''', '''Domain Name''', '''Gateway''' and '''Default Interface''' will also be identified. The table below depicts the values that will be used by the '''nstnetcfg''' script.<br />
<br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Interface / Parameter<br />
! align="center" style="background-color: lightgray;" |Configuration Values<br />
! align="center" style="background-color: lightgray;" |NetworkManager<br />Service<br />
|-<br />
|em0<br />
|IPv4 Address: '''172.30.1.16''', Network Routing Prefix: '''24''', Host Name: '''nstsurv1-mon''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em1<br />
|IPv4 Address: '''10.221.5.14''', Network Routing Prefix: '''16''', Host Name: '''nstsurv1''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|em3<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|Domain Name Servers<br />
|'''10.221.1.10''', '''10.221.1.11'''<br />
|N/A<br />
|-<br />
|Domain Name<br />
|'''txycorp.com'''<br />
|N/A<br />
|-<br />
|Virtual Host (ssl.conf)<br />
|'''*:443'''<br />
|N/A<br />
|-<br />
|Server Name (ssl.conf)<br />
|'''nstsurv1.txycorp.com:443'''<br />
|N/A<br />
|-<br />
|}<br />
<br />
&nbsp;<br />
<br />
= '''Network Interface Configuration: nstnetcfg''' =<br />
<br />
The NST script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" will now be used for setting up networking on this server. This script will ''enable'' the "'''NetworkManager'''" service when setting up a static '''IPv4 Address''' (''--mode ipv4''). The "'''NetworkManager'''" service will also be ''enabled'' at boot time. Use the sequence of '''nstnetcfg''' invocations below to ''serve'' as an example for setting up networking on your particular server with NST. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The reader is encouraged to review the man page for "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" as reference material prior to its use. One can also use the "'''--verbose'''" output parameter for greater visibility on the progress of '''nstnetcfg''' during its configuration stages.<br />
<br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''' due to the fact that the "'''IPv4 Addressing'''" for this NST system will most likely change.<br />
</div></div><br />
<br />
== '''Initialize All Network Interfaces''' ==<br />
<br />
The '''nstnetcfg''' mode: "'''init'''" will put the networking setup posture in a known ''initialized'' state. The "'''NetworkManager'''" service will be ''enabled'', and all network adapters and associated configuration files will be set to a default initialization state with no binding layer 3 addressing. The "'''LoopBack'''" interface device is never ''removed'' and ''reset'' to the factory default state with this mode. The '''[http://en.wikipedia.org/wiki/Name_Service_Switch Name Service Switch]''' configuration file: "'''/etc/nsswitch.conf'''" will have its '''hosts''' entry set to: "'''files dns'''". It is best practice to use this mode first, ''prior'' to setting up networking, so that any ''lingering'' "'''NetworkManager'''" configuration files will <u>Not</u> interfere with the '''nstnetcfg''' operation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode init;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Static IPv4 Configured Interfaces''' ==<br />
<br />
The example NST server shown above uses a "'''Multi-Home'''" configuration with network interface devices: "'''em0'''" and "'''em1'''" set with static '''IPv4 Addresses:''' '''172.30.1.16''' and '''10.221.5.14''' respectively.<br />
<br />
=== '''Interface: em1''' ===<br />
<br />
The "'''em1'''" interface device is network attached to the "'''TxyCorp'''" Intranet. This network provides name services and external access to the Internet. The "'''Host Name'''", "'''Domain Name'''", "'''Name Servers'''" and "'''Gateway'''" values are set accordingly. A host name entry for "'''nstsurv1'''" will be added to the '''Hosts''' file: "'''/etc/hosts'''", and the system host name will be set to: "'''nstsurv1'''". A "'''16'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used. The configuration for this interface is shown below.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em0''' ===<br />
<br />
The "'''em0'''" network interface is connected to the "'''Security Network'''" for performing network surveillance tasks using the "'''NST WUI'''" and the large collection of NST network security applications and tools. The "'''--hosts-file-only'''" setting is used so that only the '''Hosts''' file: "'''/etc/hosts'''" will be updated with a host name entry for: "'''nstsurv1-mon'''". Note that there is <u>No</u> "'''--gateway'''" parameter used with this interface because there is only one default gateway (i.e., "'''10.221.1.1'''") for this '''Multi-Home''' example configuration. It is not necessary to again set the system "'''Host Name'''", "'''Domain Name'''" and "'''Name Servers'''" values since these were specified in the configuration for network interface "'''em1'''". A "'''24'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon --hosts-file-only;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''NetworkManager Ignore Certain Devices - Unmanaged''' ==<br />
See this reference on how to configure NetworkManager to ignore certain devices: "'''[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/configuring-networkmanager-to-ignore-certain-devices_configuring-and-managing-networking Configuring NetworkManager to ignore certain devices]'''"<br />
<br />
== '''Stealth Configured Interfaces''' ==<br />
<br />
The "'''Stealth'''" network interfaces (i.e., an interface in the "'''UP'''" state with <u>No</u> binding '''IPv4 Address''') will now be configured. These interfaces are strategically network attached throughout the network infrastructure for surveillance monitoring.<br />
<br />
=== '''Interface: em2''' ===<br />
<br />
This network interface: "'''em2'''" is used to monitor the Transmit Data: "'''TxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' ('''T'''est '''A'''ccess '''P'''oint) for all traffic ''leaving'' (egress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em3''' ===<br />
<br />
This network interface: "'''em3'''" is used to monitor the Receive Data: "'''RxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' for all traffic ''entering'' (ingress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em3;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p1''' ===<br />
<br />
This network interface: "'''p2p1'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p2''' ===<br />
<br />
This network interface: "'''p2p2'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p1''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p1'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p2''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p2'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p1''' ===<br />
<br />
This network interface: "'''p6p1'''" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p2''' ===<br />
<br />
This network interface: "'''p6p2'''" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Stealth Interface Combo Setting Command''' ===<br />
<br />
The command below is a compact way of using a '''[https://en.wikipedia.org/wiki/Bash_(Unix_shell) Bash]''' "''for loop''" statement to configure all "'''Stealth'''" interfaces in one command line invocation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2; do nstnetcfg --mode stealth --interface ${i}; done</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== '''Apache SSL Configuration For Proper HTTPS NST WUI Access''' ==<br />
<br />
If the "'''IPv4 Address'''" on an NST system is changed, the '''[http://httpd.apache.org/ Apache Web Server]''' '''[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL]''' configuration file: "'''/etc/httpd/conf.d/ssl.conf'''" needs to be modified for proper '''[http://en.wikipedia.org/wiki/HTTP_Secure HTTPS]''' ''access'' to the "'''NST WUI'''". The following "'''nstnetcfg'''" command uses the "'''ssl'''" mode to allow all hosts "'''HTTPS'''" access to the "'''NST WUI'''" using '''Server Name:''' "'''nstsurv1.txycorp.com'''". A new "'''SSL'''" certificate and key file will also be ''generated''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ssl --interface em1 --virtual-host *:443 --server-name nstsurv1.txycorp.com:443;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Using A Bash Script With "nstnetcfg"''' ==<br />
It may be better to use a '''[http://en.wikipedia.org/wiki/Bash Bash]''' script given the numerous invocations of "'''nstnetcfg'''" in this '''NST''' network configuration setup. A good location to store your script is the directory: "'''/etc/nst'''". This allows one to ''easily'' change the network configuration by editing the script and running it. An example script for: "'''/etc/nst/net_cfg.sh'''" using the above invocations of "'''nstnetcfg'''" is shown below. One can copy and paste this script as a starter template file for your usage.<br />
<br />
<pre class="programListing"><br />
#!/bin/bash<br />
<br />
#<br />
# Script: "net_cfg.sh"<br />
<br />
#<br />
# Description: Helper script for setting up the configuration of network interfaces<br />
# on Server: "nstsurv1" using: "nstnetcfg".<br />
<br />
#<br />
# Short Usage: "nstnetcfg"<br />
#<br />
# nstnetcfg [-m|--mode TEXT] [-i|--interface DEVICE]<br />
#           [-a|--ipv4-addr-prefix IPv4ADDR/PREFIX] [-g|--gateway IPv4ADDR]<br />
#           [--mac-addr MACADDR] [--host-name TEXT] [--domain-name TEXT]<br />
#           [--name-servers IPv4ADDRLIST] [--hosts-file-only [true]|false]<br />
#           [--virtual-host TEXT] [--server-name TEXT]<br />
#           [-h|--help [true]|false] [-H|--help-long [true]|false]<br />
#           [-v|--verbose [true]|false] [--version [true]|false]<br />
#<br />
# Available Modes: ipv4, dhcp, ssl, stealth, netmgr, rmint, init, show<br />
<br />
#<br />
# Uncomment to enable verbosity <br />
#VERBOSE=" --verbose";<br />
<br />
#<br />
# Network Interface: Initialization<br />
/usr/bin/nstnetcfg --mode init${VERBOSE};<br />
<br />
#<br />
# Network Interface: em1<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 \<br />
    --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11"${VERBOSE};<br />
<br />
#<br />
# Network Interface: em0<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon \<br />
    --hosts-file-only${VERBOSE};<br />
<br />
#<br />
# Network Interface: em2<br />
/usr/bin/nstnetcfg --mode stealth --interface em2${VERBOSE};<br />
<br />
#<br />
# Network Interface: em3<br />
/usr/bin/nstnetcfg --mode stealth --interface em3${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p2${VERBOSE};<br />
<br />
#<br />
# Uncomment for using a Stealth Interface Combo Setting<br />
#for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2; do<br />
#  /usr/bin/nstnetcfg --mode stealth --interface ${i}${VERBOSE};<br />
#done<br />
<br />
#<br />
# Apache SSL Configuration<br />
/usr/bin/nstnetcfg --mode ssl --interface em1 --virtual-host *:443 --server-name nstsurv1.txycorp.com:443${VERBOSE};<br />
</pre><br />
<br />
=== '''Script Invocation''' ===<br />
<br />
Make sure the script has its '''execute''' permission bit set:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>chmod +x "/etc/nst/net_cfg.sh";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Execute the script:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/etc/nst/net_cfg.sh;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''List All Installed Network Interface Devices Using: "getipaddr"''' ==<br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can be used to list all available network interface devices on an '''NST''' system.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lo<br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Virtual' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --virtual;</div><br />
<pre class="computerOutput"><br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Physical' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --physical;</div><br />
<pre class="computerOutput"><br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Renaming A Network Interface Device''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to rename a '''Network Interface Device''' thus providing a predictable Network Interface Name that is stable and available after each successive system reboot. In this section we will demonstrate how to ''rename'' a network interface device from: "'''eno16777984'''" to: "'''net0'''" using the "'''nstnetcfg'''" utility. This utility's '''rename''' mode generates a '''udev''' rules file that is used by '''[http://en.wikipedia.org/wiki/Systemd systemd/udev]''' at system boot time to automatically assign the predictable, stable network interface name for local Ethernet, WLAN and/or WWAN network interfaces.<br />
<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
<br />
<br />
The current Network Interface Devices available are shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
eno16777984<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The current IP Address configuration:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''nstnetcfg'''" utility will now be used to ''rename'' the network interface device from: "'''eno16777984'''" to: "'''net0'''". Notice the creation and content of the generated custom '''udev''' network rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''".<br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''' when changing the name of the '''Primary''' Network Interface Device. Otherwise, network connectivity may be lost if remotely connected to this NST system while performing this task.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] Try to use simple network device names (e.g. '''net0''', '''netfw''', '''Net_DMZ''' or '''NetRt1'''). Avoid using '''hyphen''' (''''-'''') or '''space''' ('&nbsp;') characters in the new network interface device name. Instead, use the '''underscore''' (''''_'''') character or '''CamelCase''' for separation clarity in your device naming convention.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] By default the NetworkManager service will randomize Wifi MAC Addresses. If this occurs, using "'''nstnetcfg'''" to rename a Wifi Network Interface will fail. One can disable this NetworkManager feature using the following configuration directive. Create a file in directory: "'''/etc/NetworkManager/conf.d'''" containing the "'''wifi.scan-rand-mac-address=no'''" directive. Below is an example file to ''disable'' Wifi MAC Address randomizing by the NetworkManager service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span>cat /etc/NetworkManager/conf.d/wifi-static-mac.conf</div><br />
<pre class="computerOutput"><br />
[device]<br />
wifi.scan-rand-mac-address=no<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span></div><br />
</div><br />
</div></div><br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rename --rename net0 --interface eno16777984 --verbose;</div><br />
<pre class="computerOutput"><br />
<br />
Generating a new/updated custom 'udev' network rules file: "/etc/udev/rules.d/79-my-net-name-slot.rules":<br />
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:0c:29:e2:38:0b", NAME="net0"<br />
<br />
Renaming Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-eno16777984" to "/etc/sysconfig/network-scripts/ifcfg-net0"<br />
<br />
Labeling Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-net0" - NAME="net0"<br />
<br />
The Network Interface Device rename from: "eno16777984" to "net0" will take effect on the next system reboot.<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Now perform a system reboot:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
<pre class="computerOutput"><br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
After a system '''Reboot''', the "'''nstnetcfg'''" utility is now run in its "'''testudev'''" mode to verify the ''generated'' '''udev''' rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''". This mode internally uses the '''[http://linux.die.net/man/8/udevadm udevadm]''' tool.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode testudev --interface net0 --verbose;</div><br />
<pre class="computerOutput"><br />
/bin/udevadm test "/sys/class/net/net0";<br />
calling: test<br />
version 208<br />
This program is for debugging only, it does not run any program<br />
specified by a RUN key. It may show incorrect results, because<br />
some values may be different, or not available at a simulation run.<br />
<br />
=== trie on-disk ===<br />
tool version: 208<br />
file size: 5882628 bytes<br />
header size 80 bytes<br />
strings 1299372 bytes<br />
nodes 4583176 bytes<br />
load module index<br />
read rules file: /usr/lib/udev/rules.d/10-dm.rules<br />
read rules file: /usr/lib/udev/rules.d/11-dm-lvm.rules<br />
read rules file: /usr/lib/udev/rules.d/13-dm-disk.rules<br />
read rules file: /usr/lib/udev/rules.d/40-libgphoto2.rules<br />
IMPORT found builtin 'usb_id --export %%p', replacing /usr/lib/udev/rules.d/40-libgphoto2.rules:11<br />
read rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules<br />
read rules file: /usr/lib/udev/rules.d/42-usb-hid-pm.rules<br />
read rules file: /usr/lib/udev/rules.d/50-udev-default.rules<br />
read rules file: /usr/lib/udev/rules.d/56-hpmud.rules<br />
read rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules<br />
read rules file: /usr/lib/udev/rules.d/60-drm.rules<br />
read rules file: /usr/lib/udev/rules.d/60-ffado.rules<br />
read rules file: /usr/lib/udev/rules.d/60-fprint-autosuspend.rules<br />
read rules file: /usr/lib/udev/rules.d/60-keyboard.rules<br />
read rules file: /usr/lib/udev/rules.d/60-net.rules<br />
read rules file: /usr/lib/udev/rules.d/60-pcmcia.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-input.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-serial.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules<br />
read rules file: /usr/lib/udev/rules.d/60-raw.rules<br />
read rules file: /usr/lib/udev/rules.d/61-accelerometer.rules<br />
read rules file: /usr/lib/udev/rules.d/62-multipath.rules<br />
read rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules<br />
read rules file: /usr/lib/udev/rules.d/64-btrfs.rules<br />
read rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules<br />
read rules file: /usr/lib/udev/rules.d/65-libwacom.rules<br />
read rules file: /usr/lib/udev/rules.d/65-md-incremental.rules<br />
read rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules<br />
read rules file: /usr/lib/udev/rules.d/69-dm-lvm-metad.rules<br />
read rules file: /usr/lib/udev/rules.d/69-libmtp.rules<br />
read rules file: /usr/lib/udev/rules.d/69-pilot-link.rules<br />
read rules file: /usr/lib/udev/rules.d/69-xorg-vmmouse.rules<br />
read rules file: /usr/lib/udev/rules.d/70-power-switch.rules<br />
read rules file: /usr/lib/udev/rules.d/70-printers.rules<br />
read rules file: /usr/lib/udev/rules.d/70-spice-vdagentd.rules<br />
read rules file: /usr/lib/udev/rules.d/70-touchpad-quirks.rules<br />
read rules file: /usr/lib/udev/rules.d/70-uaccess.rules<br />
read rules file: /usr/lib/udev/rules.d/70-wacom.rules<br />
read rules file: /usr/lib/udev/rules.d/71-biosdevname.rules<br />
read rules file: /usr/lib/udev/rules.d/71-seat.rules<br />
read rules file: /usr/lib/udev/rules.d/73-seat-late.rules<br />
read rules file: /usr/lib/udev/rules.d/75-net-description.rules<br />
read rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules<br />
read rules file: /usr/lib/udev/rules.d/75-tty-description.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-ericsson-mbm.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-huawei-net-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-longcheer-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-nokia-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-pcmcia-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-platform-serial-whitelist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-simtech-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-telit-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-serial-adapters-greylist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-x22x-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-zte-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-nm-olpc-mesh.rules<br />
read rules file: /usr/lib/udev/rules.d/78-sound-card.rules<br />
read rules file: /etc/udev/rules.d/79-my-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-drivers.rules<br />
read rules file: /usr/lib/udev/rules.d/80-mm-candidate.rules<br />
read rules file: /usr/lib/udev/rules.d/80-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks2.rules<br />
read rules file: /usr/lib/udev/rules.d/85-regulatory.rules<br />
read rules file: /usr/lib/udev/rules.d/85-usbmuxd.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-restore.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-tools-firmware.rules<br />
read rules file: /usr/lib/udev/rules.d/90-pulseaudio.rules<br />
read rules file: /usr/lib/udev/rules.d/91-drm-modeset.rules<br />
read rules file: /usr/lib/udev/rules.d/95-cd-devices.rules<br />
read rules file: /usr/lib/udev/rules.d/95-dm-notify.rules<br />
read rules file: /usr/lib/udev/rules.d/95-udev-late.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-dell.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-fujitsu.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-gateway.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-ibm.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-lenovo.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-toshiba.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-csr.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-hid.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-wup.rules<br />
read rules file: /etc/udev/rules.d/98-kexec.rules<br />
read rules file: /etc/udev/rules.d/99-gpsd.rules<br />
read rules file: /usr/lib/udev/rules.d/99-qemu-guest-agent.rules<br />
read rules file: /usr/lib/udev/rules.d/99-systemd.rules<br />
rules contain 393216 bytes tokens (32768 * 12 bytes), 32346 bytes strings<br />
29283 strings (243715 bytes), 26259 de-duplicated (214394 bytes), 3025 trie nodes used<br />
PROGRAM '/lib/udev/rename_device' /usr/lib/udev/rules.d/60-net.rules:1<br />
starting '/lib/udev/rename_device'<br />
'/lib/udev/rename_device' [2075] exit with return code 0<br />
PROGRAM '/sbin/biosdevname --policy physical -i net0' /usr/lib/udev/rules.d/71-biosdevname.rules:22<br />
starting '/sbin/biosdevname --policy physical -i net0'<br />
'/sbin/biosdevname --policy physical -i net0' [2076] exit with return code 4<br />
IMPORT builtin 'net_id' /usr/lib/udev/rules.d/75-net-description.rules:6<br />
IMPORT builtin 'hwdb' /usr/lib/udev/rules.d/75-net-description.rules:12<br />
NAME 'net0' /etc/udev/rules.d/79-my-net-name-slot.rules:1<br />
RUN '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/$name --prefix=/proc/sys/net/ipv4/neigh/$name --prefix=/proc/sys/net/ipv6/conf/$name --prefix=/proc/sys/net/ipv6/neigh/$name' /usr/lib/udev/rules.d/99-systemd.rules:52<br />
ACTION=add<br />
DEVPATH=/devices/pci0000:00/0000:00:15.0/0000:03:00.0/net/net0<br />
ID_BUS=pci<br />
ID_MM_CANDIDATE=1<br />
ID_MODEL_FROM_DATABASE=VMXNET3 Ethernet Controller<br />
ID_MODEL_ID=0x07b0<br />
ID_NET_LABEL_ONBOARD=enEthernet0<br />
ID_NET_NAME_MAC=enx000c29e2380b<br />
ID_NET_NAME_ONBOARD=eno16777984<br />
ID_NET_NAME_PATH=enp3s0<br />
ID_NET_NAME_SLOT=ens160<br />
ID_OUI_FROM_DATABASE=VMware, Inc.<br />
ID_PCI_CLASS_FROM_DATABASE=Network controller<br />
ID_PCI_SUBCLASS_FROM_DATABASE=Ethernet controller<br />
ID_VENDOR_FROM_DATABASE=VMware<br />
ID_VENDOR_ID=0x15ad<br />
IFINDEX=2<br />
INTERFACE=net0<br />
SUBSYSTEM=net<br />
SYSTEMD_ALIAS=/sys/subsystem/net/devices/net0<br />
TAGS=:systemd:<br />
USEC_INITIALIZED=78468<br />
run: '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/net0 --prefix=/proc/sys/net/ipv4/neigh/net0 --prefix=/proc/sys/net/ipv6/conf/net0 --prefix=/proc/sys/net/ipv6/neigh/net0'<br />
unload module index<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
One can see that the Network Interface device has been changed to: "'''net0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
net0<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The IP Address configuration after the device rename is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
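As an added example (not part of the NST '''nstnetcfg''' script), the following POSIX shell functions build the same kind of '''udev''' rule shown above from an interface's hardware address, after applying the naming advice from the warnings and flagging a locally administered (possibly randomized) MAC that would stop the rule from matching at the next boot; the '''SYSFS_NET''' variable and all function names are this example's own.<br />

```shell
#!/bin/sh
# Added example (not NST's nstnetcfg): build the udev rename rule that
# "nstnetcfg --mode rename" writes, with the naming checks from the
# warnings above applied first. SYSFS_NET is overridable so the functions
# can be exercised against a constructed sysfs tree instead of the live /sys.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Return 0 if NAME is acceptable as a new interface name:
#  - 1..15 characters (the kernel IFNAMSIZ limit, 16 including the NUL)
#  - letters, digits and underscore only (no hyphen, no space, per the note)
#  - must not start with a digit
valid_ifname() {
    name="$1"
    case "$name" in
        '' ) return 1 ;;
        *[!A-Za-z0-9_]* ) return 1 ;;
        [0-9]* ) return 1 ;;
    esac
    [ "${#name}" -le 15 ]
}

# Return 0 if MAC is six lowercase hex octets separated by colons, the form
# udev reports in ATTR{address}.
valid_mac() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the locally administered bit (0x02 of the first octet) is set.
# A randomized MAC, such as the NetworkManager Wifi case in the warning above,
# carries this bit, so a rule keyed on it will not match the real hardware
# address after the next reboot.
mac_is_locally_administered() {
    case "$1" in
        ?[2367abef]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the hardware address the kernel reports for interface $1.
iface_mac() {
    cat "$SYSFS_NET/$1/address" 2>/dev/null
}

# Print the udev rule pinning NEW_NAME to MAC, in the form nstnetcfg shows.
udev_rename_rule() {
    mac="$1"; new_name="$2"
    printf 'ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$new_name"
}

# Validate inputs, then print the rule for interface $1 renamed to $2.
# Returns non-zero (with a reason on stderr) rather than emitting a rule
# that could never match or a name the kernel would reject.
rename_rule_for() {
    iface="$1"; new_name="$2"
    valid_ifname "$new_name" || { echo "bad interface name: $new_name" >&2; return 2; }
    mac=$(iface_mac "$iface") || { echo "no such interface: $iface" >&2; return 3; }
    valid_mac "$mac" || { echo "unexpected address for $iface: $mac" >&2; return 4; }
    if mac_is_locally_administered "$mac"; then
        echo "warning: $mac is locally administered (possibly randomized); rule may not match after reboot" >&2
    fi
    udev_rename_rule "$mac" "$new_name"
}

# Stand-alone use: ./udev_rename_rule.sh <current-interface> <new-name>
# (redirect the output into /etc/udev/rules.d/ yourself if it looks right)
if [ "$#" -eq 2 ]; then
    rename_rule_for "$1" "$2"
fi
```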
<br />
&nbsp;<br />
<br />
== '''Managing IPv4 Secondary Addressing''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Secondary Addressing'''. As an example we will ''Add'', ''Display'' and ''Remove'' '''IPv4 Secondary Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" on an '''NST''' system (e.g., '''striker''') using '''IPv4 Network Interface:''' "'''lan0'''". This example is shown in the sections below.<br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
=== '''Adding IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Secondary Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state on '''NST''' system: "'''striker'''" is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the first '''IPv4 Secondary Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.241/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Secondary Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.242/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Secondary Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
=== '''List IPv4 Primary / Secondary Addresses Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to display all '''IPv4 Addresses''' including '''IP Secondary Addresses''' bound to '''Network Interface: "lan0"''' in CIDR notation:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>getipaddr --interface lan0 --ip-secondary --ip-address-cidr --net-int-devices;</div><br />
<pre class="computerOutput"><br />
lan0 10.222.222.111/24<br />
lan0 10.222.222.241/24 secondary<br />
lan0 10.222.222.242/24 secondary<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
=== '''Removing IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Secondary Addresses'''" on an '''NST''' system.<br />
<br />
First, we remove all '''IPv4 Secondary Addresses''' bound to Network Interface: "'''lan0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.241/24"<br />
associated with Network Interface device: "lan0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.242/24"<br />
associated with Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, we display the '''IP Address''' state on NST system: '''striker''':<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br /><br />
<br /><br />
<br />
== '''Managing IPv4 Alias Addresses''' ==<br />
<br />
<div class="centerBlock"><div class="noteMessage">[[Image:Warning.png‎]] '''IPv4 Alias Addressing''' is no longer supported by script: '''nstnetcfg''' starting with '''NST 30'''.</div></div><br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5663</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Alias Addresses'''. By example we will ''Add'' and ''Remove'' '''IPv4 Alias Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" to an '''NST''' system on '''IPv4 Alias Network Interfaces:''' "'''p5p1:a1'''" and "'''p5p1:a2'''" respectively. This example is shown in the sections below. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' You can not manage IPv4 aliases for interfaces which are under NetworkManager control (the interface must be managed by the network service). In addition, you may need to review/update your routing after adding your aliases.</div></div><br />
<br />
<br />
<br />
<br />
<br />
=== '''Adding IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Alias Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system: <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a1'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a1 -a 10.222.222.241/24 -g 10.222.222.1 --host-name probe-a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Network Interface: "p5p1:a1".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a2'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a2 -a 10.222.222.242/24 -g 10.222.222.1 --host-name probe-a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Network Interface: "p5p1:a2".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Alias Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''IPv4 Alias Addresses''' will also be configured in the hosts file "'''/etc/hosts'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>cat /etc/hosts;</div><br />
<pre class="computerOutput"><br />
127.0.0.1 localhost.localdomain localhost<br />
::1 localhost6.localdomain6 localhost6<br />
<br />
10.222.222.10 striker.nst.net striker<br />
10.222.222.141 probe-a1<br />
10.222.222.142 probe-a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' A network configuration file in directory: "'''/etc/sysconfig/network-scripts'''" was created for both '''IPv4 Alias Addresses''' above (i.e., "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a1'''" and "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a2'''"). This will allow the '''IPv4 Alias Address''' configuration to survive a system reboot. </div></div><br />
<br />
=== '''List All Installed Network Interface Devices Including IP Alias Interfaces Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to list all available network interface devices including '''IP Alias Network Interfaces''' on an '''NST''' system.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
p5p1:a1<br />
p5p1:a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Display all '''IPv4 Addresses''' including '''IP Alias Addresses''' bound to '''Network Interface: "p5p1"''' in CIDR notation:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -i p5p1 -D --ip-alias --ip-network-address-cidr;</div><br />
<pre class="computerOutput"><br />
p5p1 10.222.222.10/24<br />
p5p1:a1 10.222.222.241/24<br />
p5p1:a2 10.222.222.242/24<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
=== '''Removing IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Alias Addresses'''" on an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system with configured '''IPv4 Alias Addresses''': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Interface: "p5p1:a1"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.241" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Interface: "p5p1:a2"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.242" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is shown on our demo '''NST''' system with all '''IPv4 Alias Addresses''' ''removed'': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" also shows that no '''IP Alias Network Interfaces''' are configured on the '''NST''' demo system. <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== '''Promiscuous Mode Control''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 22<br /> SVN: 7000</center>]]''']]<br />
<br />
=== '''Overview''' ===<br />
The '''Promiscuous''' state of a network interface device can be ''manually'' controlled by the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script. Promiscuous mode allows a network interface device to intercept and read, in its entirety, each network packet that arrives, which is essential for capturing all traffic received. One can also use the systemd service: "'''promisc.service'''" for ''automatically'' setting the Promiscuous state ''''On'''' for one or more network interface devices at system boot. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may not be able to set the Promiscuous state ''''Off'''' if another network application like '''[https://wiki.wireshark.org/ wireshark]''' or '''[https://en.wikipedia.org/wiki/Tcpdump tcpdump]''' is active and in capture mode. A counter is used by each '''Kernel''' network driver module and incremented for each application that requests the Promiscuous mode to be set ''''On'''' for the network interface device. Only after these applications have all set the Promiscuous state ''''Off'''' can one control the device's Promiscuous mode with the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script.</div></div><br />
<br />
=== '''Manual Mode''' ===<br />
This section will demonstrate how to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode for a network interface using either the interface method or the promiscuous configuration file method. <br />
<br />
==== '''Interface Method''' ====<br />
The current '''Network Interface Devices''' available are shown for demonstration in this section.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lan0<br />
lo<br />
netmon0<br />
netmon1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''On'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscon -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''Off'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscoff -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
==== '''Promiscuous Configuration File Method''' ====<br />
Alternatively, one could add the network interface: "'''netmon0'''" to the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''" using "'''nstnetcfg'''" mode: "'''promisccfg'''" and then control the '''Promiscuous''' state using the following command sequence:<br />
<br />
First configure the network Interface: "'''netmon0'''" in the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''"<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promisccfg --promisc add -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon0".<br />
<br />
Adding Network Interface device: "netmon0" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon0";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Setting Promiscuous mode ''''On'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''"<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscon -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Setting Promiscuous mode ''''Off'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''"<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscoff -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Automatic At System Boot''' ===<br />
The '''NST''' systemd "'''promisc.service'''" service can be used to ''enable'' the '''Promiscuous''' mode on one or more network interface adapters during a system boot. The content of this service unit is shown below:<br />
<pre class="programListing" style=" word-break: break-word;"><br />
#<br />
# NST: 2015<br />
<br />
[Unit]<br />
Description=Network Interface Promiscuous Mode Control<br />
Documentation=man:nstnetcfg(1)<br />
Documentation=http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22#Promiscuous_Mode_Control<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
ExecStart=/usr/bin/nstnetcfg --mode promiscon<br />
ExecStop=/usr/bin/nstnetcfg --mode promiscoff<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</pre><br />
<br />
One can see the use of the "'''nstnetcfg'''" script for ''starting'' and ''stopping'' the service. Make sure you first use mode: "'''--mode promisccfg'''" to add each network interface for which you want the promiscuous mode ''enabled'' at system boot time. Then enable the "'''promisc.service'''" service. Below is an example for network interface device: "'''netmon1'''".<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg -m promisccfg -i netmon1 --promisc add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon1".<br />
<br />
Adding Network Interface device: "netmon1" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon1";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl enable promisc.service;</div><br />
<pre class="computerOutput"><br />
Created symlink from /etc/systemd/system/multi-user.target.wants/promisc.service to /usr/lib/systemd/system/promisc.service.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
</div><br />
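The interface listings above (the '''getipaddr --ip-alias''' output, the '''PROMISC''' flag in the '''ip''' output and the '''PROMISCINTS''' line in "'''/etc/nst/promisc.conf'''") can be cross-checked from a script. The following bash functions are an added example, not part of the '''NST''' project: they parse "'''ip addr show'''" output in the format shown on this page, list IPv4 addresses with their alias labels, and report interfaces whose promiscuous state disagrees with the promisc.conf list (promiscuous but not configured, or configured but not promiscuous). All interface names, addresses and file contents in the block are constructed samples modelled on the listings above.<br />

```bash
#!/usr/bin/env bash
# Added example, not part of the NST project: audit interface state as printed
# by "ip addr show" against the PROMISCINTS list used by /etc/nst/promisc.conf.
# All interface names, addresses and file contents below are constructed
# samples modelled on the listings on this page.
set -eu

# Constructed sample of "ip addr show" output.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
4: netmon0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff
5: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6c brd ff:ff:ff:ff:ff:ff'

# Constructed sample promisc.conf content (same layout as the file shown above).
SAMPLE_PROMISC_CONF='#
# NST: 2015
#
# Example for Network Interface Adapters: netmon0 and netmon1
# PROMISCINTS="netmon1 netmon2";

PROMISCINTS="netmon0 netmon1";'

# inet4_addresses: print "<label> <address/prefix>" for every IPv4 address.
# The label is the last field of an "inet" line, so IP alias addresses show
# up under their alias name (e.g. "p5p1:a1"), like getipaddr --ip-alias does.
inet4_addresses() {
  printf '%s\n' "$1" | awk '$1 == "inet" { print $NF, $2 }'
}

# promisc_ifaces: print the names of interfaces whose link flags (the
# "<...>" field on the "N: name: <FLAGS>" header line) contain PROMISC.
promisc_ifaces() {
  printf '%s\n' "$1" | awk '/^[0-9]+: [^:]+: </ {
      name = $2; sub(/:$/, "", name)
      if ($3 ~ /[<,]PROMISC[,>]/) print name
  }'
}

# configured_promisc_ifaces: extract the interface names from the
# PROMISCINTS="a b c"; line of promisc.conf text, skipping comment lines
# (the file contains a commented-out example PROMISCINTS line).
configured_promisc_ifaces() {
  printf '%s\n' "$1" \
    | sed -n -e '/^[[:space:]]*#/d' \
             -e 's/^[[:space:]]*PROMISCINTS[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
    | tr ' ' '\n' | sed '/^$/d'
}

# promisc_audit: compare the live PROMISC flags with the configured list.
# Prints "UNEXPECTED <iface>" for a promiscuous interface not in promisc.conf
# (for instance a capture tool holding the kernel's promiscuity counter) and
# "MISSING <iface>" for a configured interface that is not promiscuous.
# Returns 1 when any discrepancy was found, 0 otherwise.
promisc_audit() {
  local actual configured i rc=0
  actual=$(promisc_ifaces "$1")
  configured=$(configured_promisc_ifaces "$2")
  for i in $actual; do
    printf '%s\n' "$configured" | grep -qx "$i" || { echo "UNEXPECTED $i"; rc=1; }
  done
  for i in $configured; do
    printf '%s\n' "$actual" | grep -qx "$i" || { echo "MISSING $i"; rc=1; }
  done
  return $rc
}

# Demonstration on the constructed samples. On a live NST system, pass
# "$(ip addr show)" and "$(cat /etc/nst/promisc.conf)" instead.
echo "IPv4 addresses (label address/prefix):"
inet4_addresses "$SAMPLE_IP_ADDR"
echo "Promiscuous audit against promisc.conf:"
promisc_audit "$SAMPLE_IP_ADDR" "$SAMPLE_PROMISC_CONF" || echo "audit: discrepancies found"
```

For the samples above the audit reports "UNEXPECTED p1p1" (promiscuous, but not listed) and "MISSING netmon1" (listed, but the interface is down and not promiscuous).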
<br />
== '''Managing a 'Bonding' Network Interface''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to ''create'' a ''''Bond Master'''' Network Interface device: "'''bond0'''" by aggregating 2 (two) '''NIC''' adapters: "'''p1p1'''" and "'''p1p2'''" into a single interface. Behind the scenes, the Linux bonding driver performs the actual work of creating and managing the bond device.<br />
A bond interface device may be useful when working with a "'''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network Tap]'''". Combining the non-aggregational ports of the TAP back into a single interface allows both '''Transmit''' and '''Receive''' network traffic to be seen by a listening network analysis or monitoring application. <br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example bonding configuration demonstrated in this section. The '''NST WUI Ntopng IPv4 Hosts''' application is performing ''surveillance monitoring'' on the firewall dirty side using the Bonded Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgbonding.png|1024px|center|A NST "'''nstnetcfg'''" Bonding Configuration with Monitoring]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The network traffic monitored on the [http://www.dual-comm.com/etap3105-aggregation-and-non-aggregation-tap.htm Dualcomm ETAP 3105 10/100/1000Base-T Regeneration Network TAP] Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") may be equal to or less than the traffic monitored on the Bonded Network Interface: "'''bond0'''" that is created in this section. If the combined effective data rate on the "'''Slave'''" Network Interfaces: "'''p1p1'''" and "'''p1p2'''" exceeds ''1Gb/sec'', then Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") will start to buffer and eventually lose packets, whereas the Bonded Network Interface: "'''bond0'''" will not.</div></div><br />
<br />
=== '''Network Interface Bond Creation''' ===<br />
First, let's show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''" and "'''p1p2'''" NIC adapters connected to the non-aggregational Network TAP (Ports: "'''4'''" and "'''5'''" respectively) will now be bonded into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". The bond interface is now in "'''Stealth'''" mode since it has no binding '''IPv4 Address'''.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2 --bonding-opts "mode=balance-rr,miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility is now shown after the creation of the "'''bond0'''" device:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link tentative dadfailed <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Notice that the network interfaces: "'''p1p1'''" and "'''p1p2'''" have the "'''SLAVE'''" flag set and the bond network interface: "'''bond0'''" has the "'''MASTER'''" flag set. Network traffic can now be monitored or captured on this new Bonded Virtual Network Interface: "'''bond0'''".<br />
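The flag checks just described can be automated so that a bond that did not assemble is caught before a capture is started on it. The following is an added example written for this page, not code from the NST project or the '''nstnetcfg''' script: a small POSIX shell library that parses "'''ip addr show'''" output and confirms that each expected slave carries the "'''SLAVE'''" flag and names the bond as its master, that the bond carries the "'''MASTER'''" flag, and that the bond is in "'''Stealth'''" posture ('''UP''' with no '''IPv4 Address'''). The listing embedded below is constructed to mirror the one above; the function names are this example's own.<br />
<br />
```shell
#!/bin/sh
# Added example for the NST wiki page (not part of nstnetcfg): verify a bond built with
# "nstnetcfg --mode bonding" by parsing "ip addr show" output.

# Constructed sample modelled on the page's listing: p1p1/p1p2 enslaved to bond0,
# p5p1 down and unused, bond0 UP with only a link-local IPv6 address.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a236:9fff:fe00:696a/64 scope link'

# Print the flag list of an interface, e.g. "BROADCAST,MULTICAST,MASTER,UP,LOWER_UP".
iface_flags() {  # $1 = interface, $2 = "ip addr show" output
    printf '%s\n' "$2" | awk -v want="$1:" \
        '$1 ~ /^[0-9]+:$/ && $2 == want { gsub(/[<>]/, "", $3); print $3; exit }'
}

# Succeed when the interface carries the named flag (SLAVE, MASTER, UP, ...).
has_flag() {  # $1 = interface, $2 = flag, $3 = listing
    case ",$(iface_flags "$1" "$3")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the interfaces whose "master" is the given bond, space separated, in listing order.
bond_slaves() {  # $1 = bond, $2 = listing
    printf '%s\n' "$2" | awk -v bond="$1" '
        $1 ~ /^[0-9]+:$/ {
            for (i = 4; i < NF; i++)
                if ($i == "master" && $(i + 1) == bond) { sub(/:$/, "", $2); printf "%s%s", (n++ ? " " : ""), $2 }
        }
        END { print "" }'
}

# Succeed when the interface is in "Stealth" posture: UP with no IPv4 address bound.
is_stealth() {  # $1 = interface, $2 = listing
    has_flag "$1" UP "$2" || return 1
    printf '%s\n' "$2" | awk -v want="$1:" '
        $1 ~ /^[0-9]+:$/ { cur = $2 }
        cur == want && $1 == "inet" { found = 1 }
        END { exit (found ? 1 : 0) }'
}

# Verify a bond end to end; prints one FAIL line per problem and returns nonzero if any.
check_bond() {  # $1 = bond, $2 = expected slaves (space separated), $3 = listing
    rc=0
    has_flag "$1" MASTER "$3" || { echo "FAIL: $1 lacks the MASTER flag"; rc=1; }
    for s in $2; do
        has_flag "$s" SLAVE "$3" || { echo "FAIL: $s lacks the SLAVE flag"; rc=1; }
    done
    actual=$(bond_slaves "$1" "$3")
    [ "$actual" = "$2" ] || { echo "FAIL: $1 slaves are '$actual', expected '$2'"; rc=1; }
    is_stealth "$1" "$3" || { echo "FAIL: $1 is not UP without an IPv4 address"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 is bonded over [$2] and in stealth mode"
    return "$rc"
}

check_bond bond0 "p1p1 p1p2" "$SAMPLE_IP_ADDR"
```
<br />
On a live probe, feed in the real listing with '''check_bond bond0 "p1p1 p1p2" "$(/usr/sbin/ip addr show)"'''; a nonzero return together with the '''FAIL''' line tells you which part of the bond did not come up as expected.<br />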
<br />
=== '''Network Interface Bond Removal''' ===<br />
In this section we will remove the bonding network interface: "'''bond0'''" using "'''nstnetcfg'''" mode: "'''rmbonding'''":<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rmbonding --interface bond0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to remove 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Removing the "Linux Bonding Driver" module.<br />
<br />
Removing the 'Bonding Master' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p2" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p2".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2" for Interface: "p1p2".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p1" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p1".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1" for Interface: "p1p1".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
=== '''Binding an IPv4 Address to a 'Bonding' Network Interface''' ===<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to bind an '''IPv4 Address''' to a '''Bonded''' Network Interface. This method can also use one of the available Linux bonding driver modes to increase the ''effective'' bandwidth from the NST system to the network.<br />
<br />
<br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example '''IPv4 Address''' binding to the 'Bonded' Network Interface: "'''bond0'''". A Quad Gigabit NIC Adapter with ports: "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" will be bound together to form a new 'Bonding Master' Virtual Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgipv4bonding.png|1024px|center| Binding an IPv4 Address to a 'Bonded' Network Interface Using "'''nstnetcfg'''"]]<br />
<br />
==== '''Network Interface Bond Creation''' ====<br />
First, let's show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.224.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" NIC LAN ports are now ''bonded'' into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". The bond interface is now in "'''Stealth'''" mode with no binding '''IPv4 Address'''.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2,p1p3,p1p4 --bonding-opts "mode=balance-tlb,miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p3".<br />
Successfully brought 'Down' Network Interface: "p1p3".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p3"<br />
for Network Interface: "p1p3".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p4".<br />
Successfully brought 'Down' Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p4"<br />
for Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The Linux bonding driver is configured for mode: '''Adaptive Transmit Load Balancing'''. This mode creates a channel bond that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each "'''Slave'''" Interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the '''MAC Address''' of the failed receiving slave.<br />
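Because this mode fails a dead slave over transparently, the bond keeps passing traffic after a link loss and nothing on the wire tells the operator. The Linux bonding driver reports its mode, the currently active slave and the '''MII''' status of every slave in "'''/proc/net/bonding/bond0'''". The following is an added example, not code from the NST project or the '''nstnetcfg''' script: POSIX shell functions that parse that report and flag any slave whose link is down. The report text embedded below is constructed for the four-port '''balance-tlb''' bond above in the driver's layout, with the link of "'''p1p3'''" deliberately shown as down; the function names are this example's own.<br />
<br />
```shell
#!/bin/sh
# Added example for the NST wiki page (not part of nstnetcfg): read the Linux bonding driver's
# status report and detect slaves that have dropped out of the bond.

# Constructed sample of /proc/net/bonding/bond0 for the four-port balance-tlb bond, modelled
# on the driver's report layout; p1p3 is shown with its link down.
SAMPLE_PROC_BOND='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: transmit load balancing
Primary Slave: None
Currently Active Slave: p1p1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: p1p1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: a0:36:9f:00:71:52
Slave queue ID: 0

Slave Interface: p1p2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: a0:36:9f:00:71:53
Slave queue ID: 0

Slave Interface: p1p3
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: a0:36:9f:00:71:54
Slave queue ID: 0

Slave Interface: p1p4
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: a0:36:9f:00:71:55
Slave queue ID: 0'

# Print the bonding mode named in the report header, e.g. "transmit load balancing".
bond_mode() {  # $1 = report text
    printf '%s\n' "$1" | awk -F': ' '/^Bonding Mode:/ { print $2; exit }'
}

# Print the slave the driver currently receives on.
active_slave() {  # $1 = report text
    printf '%s\n' "$1" | awk -F': ' '/^Currently Active Slave:/ { print $2; exit }'
}

# Print "up" or "down" for one slave. The first "MII Status" line in the header belongs
# to the bond itself and is skipped because no slave section is open yet.
slave_mii_status() {  # $1 = slave, $2 = report text
    printf '%s\n' "$2" | awk -F': ' -v s="$1" '
        /^Slave Interface:/ { cur = $2 }
        cur == s && /^MII Status:/ { print $2; exit }'
}

# Print the link failure counter for one slave (it rises on every link flap).
slave_failures() {  # $1 = slave, $2 = report text
    printf '%s\n' "$2" | awk -F': ' -v s="$1" '
        /^Slave Interface:/ { cur = $2 }
        cur == s && /^Link Failure Count:/ { print $2; exit }'
}

# Print every slave whose MII status is down, space separated.
failed_slaves() {  # $1 = report text
    printf '%s\n' "$1" | awk -F': ' '
        /^Slave Interface:/ { cur = $2 }
        cur != "" && /^MII Status:/ && $2 == "down" { printf "%s%s", (n++ ? " " : ""), cur }
        END { print "" }'
}

# Return 0 when every slave is up, 1 otherwise; prints a one-line verdict either way.
bond_healthy() {  # $1 = report text
    bad=$(failed_slaves "$1")
    if [ -z "$bad" ]; then
        echo "OK: mode '$(bond_mode "$1")', active slave $(active_slave "$1"), all slaves up"
        return 0
    fi
    echo "DEGRADED: slave(s) down: $bad (active slave $(active_slave "$1"))"
    return 1
}

bond_healthy "$SAMPLE_PROC_BOND" || :
```
<br />
On a live probe, run '''bond_healthy "$(cat /proc/net/bonding/bond0)"''' from a periodic check; a '''DEGRADED''' verdict is the only notice an operator gets, since the driver moves the failed slave's '''MAC Address''' to a surviving slave and the bond keeps answering.<br />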
<br />
==== '''IPv4 Address Binding to the Bond Interface''' ====<br />
Next, the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" utility is used to ''bind'' the IPv4 Address: "'''172.18.1.11'''" to the 'Bonding Master' Virtual Network Interface: "'''bond0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode ipv4 --interface bond0 -a 172.18.1.11/24 -g 10.224.1.1 --hosts-file-only --host-name striker-bond -v;</div><br />
<pre class="computerOutput"><br />
Configuring a static IPv4 Address: "172.18.1.11/24" for 'Bonding Master' Network Interface: "bond0".<br />
<br />
Attempting to bring 'Down' Bonding Master Network Interface: "bond0".<br />
Successfully brought 'Down' Bonding Master Network Interface: "bond0".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-bond0" for Network Interface: "bond0".<br />
<br />
Updating the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Bonding Master Network Interface: "bond0" in 5 seconds.<br />
Successfully brought 'Up' Bonding Master Network Interface: "bond0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the network configuration is now shown using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" utility with IPv4 Address: "'''172.18.1.11'''" bound to the 'Bonding Master' Virtual Network Interface: "'''bond0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.222.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state Up group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state Up group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
12: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet 172.18.1.11/24 brd 172.18.1.255 scope global bond0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div></div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22&diff=9752HowTo Setup A Server With Multiple Network Interface Adapters Using: "nstnetcfg"2022-12-24T18:51:04Z<p>Rwh: /* Network Interface Bond Creation */</p>
<hr />
<div>__TOC__<br />
= '''Overview''' =<br />
<br />
This page demonstrates how to set up networking on an NST server that is configured with ''multiple'' network interface adapters for performing ''simultaneous'' network computing surveillance tasks. The NST command line script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" was designed to make this task easy to accomplish using the underlying "'''NetworkManager'''" service via the '''nmcli''' utility.<br />
<br />
The diagram below will be used as a reference for setting up a multi-network interface adapter server using '''NST'''. The rear panel of a '''1U Server''' is shown with NIC attachments to the network infrastructure. The network security staff for fictitious company: "'''TxyCorp'''" would like to use NST for monitoring different network segments throughout their network. In particular, they would like to monitor traffic entering and leaving their corporation, web server traffic, all client electronic business transactions and remote traffic to and from their satellite offices. They will use a combination of '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) ports and a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network TAP]''' to expose network traffic on these segments. <br />
<br />
When booting up "'''[http://sourceforge.net/projects/nst/ NST Live]'''" or after a hard disk installation, the "'''[http://projects.gnome.org/NetworkManager/ Network Manager]'''" service is on by default for managing all network interfaces found on an NST system. '''Network Manager''' provides a quick and easy method for setting up networking on a system equipped with a wireless interface that uses '''DHCP''' for '''IPv4 Address''' configuration. When a system is configured with two or more wired network interfaces or requires a multi-homed network setup, the "'''nstnetcfg'''" script may be a better choice for setting up the network configuration.<br />
<br />
The '''nstnetcfg''' utility scripts many of the error-prone steps involved in setting up networking on an NST (Linux) system that uses the "'''NetworkManager'''" service.<br />
<br />
[[Image:Nstnetcfgserver.png|1024px|center|A Multi-Network Interface Adapter NST Server Configuration]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The "'''Sys Admin Network'''" is an out-of-band network for the management of enterprise servers within this network infrastructure. The "'''[http://en.wikipedia.org/wiki/Out-of-band_management ILOM]'''" (Integrated Lights Out Management) network interface (i.e., "'''NetMgt'''") and the "'''Serial Console'''" device (i.e., "'''ttyS0'''") are shown for completeness and are not used by "'''nstnetcfg'''".</div></div><br />
<br />
= '''Network Interface Setup Configuration Information''' =<br />
<br />
In this section we will identify each network interface and how it should be setup using the '''1U Server''' configuration illustrated in the reference diagram above. Network parameters such as the '''Subnet Mask''', '''Host Name(s)''', '''Domain Name Servers''', '''Domain Name''', '''Gateway''' and '''Default Interface''' will also be identified. The table below depicts values that will be used by the '''nstnetcfg''' script.<br />
<br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Interface / Parameter<br />
! align="center" style="background-color: lightgray;" |Configuration Values<br />
! align="center" style="background-color: lightgray;" |NetworkManager<br />Service<br />
|-<br />
|em0<br />
|IPv4 Address: '''172.30.1.16''', Network Routing Prefix: '''24''', Host Name: '''nstsurv1-mon''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em1<br />
|IPv4 Address: '''10.221.5.14''', Network Routing Prefix: '''16''', Host Name: '''nstsurv1''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|em3<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|Domain Name Servers<br />
|'''10.221.1.10''', '''10.221.1.11'''<br />
|N/A<br />
|-<br />
|Domain Name<br />
|'''txycorp.com'''<br />
|N/A<br />
|-<br />
|Virtual Host (ssl.conf)<br />
|'''*:443'''<br />
|N/A<br />
|-<br />
|Server Name (ssl.conf)<br />
|'''nstsurv1.txycorp.com:443'''<br />
|N/A<br />
|-<br />
|}<br />
<br />
&nbsp;<br />
<br />
= '''Network Interface Configuration: nstnetcfg''' =<br />
<br />
The NST script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" will now be used for setting up networking on this server. This script will ''enable'' the "'''NetworkManager'''" service when setting up a static '''IPv4 Address''' (''--mode ipv4''). The "'''NetworkManager'''" service will also be ''enabled'' at boot time. The sequence of '''nstnetcfg''' invocations below ''serves'' as an example for setting up networking on your particular server with NST. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The reader is encouraged to review the man page for "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" as reference material prior to its use. One can also use the "'''--verbose'''" output parameter for greater visibility on the progress of '''nstnetcfg''' during its configuration stages.<br />
<br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''' due to the fact that the "'''IPv4 Addressing'''" for this NST system will most likely change.<br />
</div></div><br />
<br />
== '''Initialize All Network Interfaces''' ==<br />
<br />
The '''nstnetcfg''' mode: "'''init'''" will put the networking setup posture in a known ''initialized'' state. The "'''NetworkManager'''" service will be ''enabled'', and all network adapters and associated configuration files will be set to a default initialization state with no binding layer 3 addressing. The "'''LoopBack'''" interface device is never ''removed'' and ''reset'' to the factory default state with this mode. The '''[http://en.wikipedia.org/wiki/Name_Service_Switch Name Service Switch]''' configuration file: "'''/etc/nsswitch.conf'''" will have its '''hosts''' entry set to: "'''files dns'''". It is best practice to first use this mode ''prior'' to setting up networking so that any ''lingering'' "'''NetworkManager'''" configuration files will <u>Not</u> interfere with the '''nstnetcfg''' operation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode init;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Static IPv4 Configured Interfaces''' ==<br />
<br />
The example NST server shown above uses a "'''Multi-Home'''" configuration with network interface devices: "'''em0'''" and "'''em1'''" set with static '''IPv4 Addresses:''' '''172.30.1.16''' and '''10.221.5.14''' respectively.<br />
<br />
=== '''Interface: em1''' ===<br />
<br />
The "'''em1'''" interface device is network attached to the "'''TxyCorp'''" Intranet. This network provides name services and external access to the Internet. The "'''Host Name'''", "'''Domain Name'''", "'''Name Servers'''" and "'''Gateway'''" values are set accordingly. A host name entry for "'''nstsurv1'''" will be added to the '''Hosts''' file: "'''/etc/hosts'''", and the system host name will be set to: "'''nstsurv1'''". A "'''16'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used. The configuration for this interface is shown below.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em0''' ===<br />
<br />
The "'''em0'''" network interface is connected to the "'''Security Network'''" for performing network surveillance tasks using the "'''NST WUI'''" and the large collection of NST network security applications and tools. The "'''--hosts-file-only'''" setting is used so that only the '''Hosts''' file: "'''/etc/hosts'''" will be updated with a host name entry for: "'''nstsurv1-mon'''". Note that there is <u>No</u> "'''--gateway'''" parameter used with this interface because there is only one default gateway (i.e., "'''10.221.1.1'''") for this '''Multi-Home''' example configuration. It is not necessary to again set the system "'''Host Name'''", "'''Domain Name'''" and "'''Name Servers'''" values since these were specified in the configuration for network interface "'''em1'''". A "'''24'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon --hosts-file-only;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''NetworkManager Ignore Certain Devices - Unmanaged''' ==<br />
See this reference on how to configure NetworkManager to ignore certain devices: "'''[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/configuring-networkmanager-to-ignore-certain-devices_configuring-and-managing-networking Configuring NetworkManager to ignore certain devices]'''"<br />
<br />
== '''Stealth Configured Interfaces''' ==<br />
<br />
The "'''Stealth'''" network interfaces (i.e., an interface in the "'''UP'''" state with <u>No</u> binding '''IPv4 Address''') will now be configured. These interfaces are strategically network attached throughout the network infrastructure for surveillance monitoring.<br />
<br />
=== '''Interface: em2''' ===<br />
<br />
This network interface: "'''em2'''" is used to monitor the Transmit Data: "'''TxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' ('''T'''est '''A'''ccess '''P'''oint) for all traffic ''leaving'' (egress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em3''' ===<br />
<br />
This network interface: "'''em3'''" is used to monitor the Receive Data: "'''RxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' for all traffic ''entering'' (ingress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em3;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p1''' ===<br />
<br />
This network interface: "'''p2p1'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p2''' ===<br />
<br />
This network interface: "'''p2p2'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p1''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p1'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p2''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p2'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p1''' ===<br />
<br />
This network interface: "p6p1" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p2''' ===<br />
<br />
This network interface: "p6p2" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Stealth Interface Combo Setting Command''' ===<br />
<br />
The command below is a compact way of using a '''[https://en.wikipedia.org/wiki/Bash_(Unix_shell) Bash]''' "''for loop''" statement to configure all "'''Stealth'''" interfaces in one command line invocation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2; do nstnetcfg --mode stealth --interface ${i}; done</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
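The loop above runs "'''nstnetcfg'''" once per name and keeps going whatever happens, so a mistyped interface name produces an error in the middle of the run while the remaining interfaces are still configured. The following is an added example, not code from the NST project or the '''nstnetcfg''' script: a POSIX shell wrapper around the same invocation that validates every name and checks that it exists under "'''/sys/class/net'''" before touching anything, then stops at the first "'''nstnetcfg'''" failure and reports which interfaces were already configured. The '''NSTNETCFG''' and '''NET_SYSFS''' variables and the function names are this example's own, introduced so the wrapper can be exercised without a real probe.<br />
<br />
```shell
#!/bin/sh
# Added example for the NST wiki page (not part of nstnetcfg): configure a list of
# "Stealth" interfaces with fail-fast validation instead of a bare for loop.

NSTNETCFG="${NSTNETCFG:-/usr/bin/nstnetcfg}"   # command to run (overridable for dry runs)
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"        # where the kernel lists network interfaces

# Accept only a plain Linux interface name: 1-15 characters from [A-Za-z0-9_.-], not "." or "..".
valid_iface_name() {  # $1 = candidate name
    case "$1" in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Succeed when the kernel knows the interface.
iface_exists() {  # $1 = interface name
    [ -e "$NET_SYSFS/$1" ]
}

# Put every listed interface in stealth mode. All names are validated up front so a typo
# aborts before any change; the first nstnetcfg failure stops the run. On success the
# configured interfaces are printed space separated (returns 0); returns 2 on a bad or
# unknown name, 1 if nstnetcfg fails.
stealth_all() {  # $@ = interface names
    for i in "$@"; do
        valid_iface_name "$i" || { echo "refusing malformed interface name: '$i'" >&2; return 2; }
        iface_exists "$i" || { echo "no such interface under $NET_SYSFS: $i" >&2; return 2; }
    done
    done_list=""
    for i in "$@"; do
        if "$NSTNETCFG" --mode stealth --interface "$i"; then
            done_list="${done_list:+$done_list }$i"
        else
            echo "nstnetcfg failed on $i; already configured: [$done_list]" >&2
            return 1
        fi
    done
    echo "$done_list"
}

# Usage on the probe (as root): sh stealth_all.sh em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2
if [ $# -gt 0 ]; then
    stealth_all "$@"
fi
```
<br />
Validating the names before the first "'''nstnetcfg'''" call keeps the system in a known state: either every interface in the list is configured, or none was touched and the exit status says why.<br />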
<br />
== '''Apache SSL Configuration For Proper HTTPS NST WUI Access''' ==<br />
<br />
If the "'''IPv4 Address'''" on an NST system is changed, the '''[http://httpd.apache.org/ Apache Web Server]''' '''[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL]''' configuration file: "'''/etc/httpd/conf.d/ssl.conf'''" needs to be modified for proper '''[http://en.wikipedia.org/wiki/HTTP_Secure HTTPS]''' ''access'' to the "'''NST WUI'''". The following "'''nstnetcfg'''" command uses the "'''ssl'''" mode to allow all hosts "'''HTTPS'''" access to the "'''NST WUI'''" using '''Server Name:''' "'''nstsurv1.txycorp.com'''". A new "'''SSL'''" certificate and key file will also be ''generated''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ssl --interface em1 --virtual-host *:443 --server-name nstsurv1.txycorp.com:443;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Using A Bash Script With "nstnetcfg"''' ==<br />
It may be better to use a '''[http://en.wikipedia.org/wiki/Bash Bash]''' script given the numerous invocations of "'''nstnetcfg'''" in this '''NST''' network configuration setup. A good location to store the script is the directory: "'''/etc/nst'''". This allows you to ''easily'' change the network configuration by editing the script and running it again. An example script is shown below for: "'''/etc/nst/net_cfg.sh'''" using the above invocations of "'''nstnetcfg'''". You can copy and paste this script as a starter template for your own use.<br />
<br />
<pre class="programListing"><br />
#!/bin/bash<br />
<br />
#<br />
# Script: "net_cfg.sh"<br />
<br />
#<br />
# Description: Helper script for setting up the configuration of network interfaces<br />
# on Server: "nstsurv1" using: "nstnetcfg".<br />
<br />
#<br />
# Short Usage: "nstnetcfg"<br />
#<br />
# nstnetcfg [-m|--mode TEXT] [-i|--interface DEVICE]<br />
# [-a|--ipv4-addr-prefix IPv4ADDR/PREFIX] [-g|--gateway IPv4ADDR]<br />
# [--mac-addr MACADDR] [--host-name TEXT] [--domain-name TEXT]<br />
# [--name-servers IPv4ADDRLIST] [--hosts-file-only [true]|false]<br />
# [--virtual-host TEXT] [--server-name TEXT]<br />
# [-h|--help [true]|false] [-H|--help-long [true]|false]<br />
# [-v|--verbose [true]|false] [--version [true]|false]<br />
#<br />
# Available Modes: ipv4, dhcp, ssl, stealth, netmgr, rmint, init, show<br />
<br />
#<br />
# Uncomment to enable verbosity <br />
#VERBOSE=" --verbose";<br />
<br />
#<br />
# Network Interface: Initialization<br />
/usr/bin/nstnetcfg --mode init${VERBOSE};<br />
<br />
#<br />
# Network Interface: em1<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 \<br />
--host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11"${VERBOSE};<br />
<br />
#<br />
# Network Interface: em0<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon \<br />
--hosts-file-only${VERBOSE}; <br />
<br />
#<br />
# Network Interface: em2<br />
/usr/bin/nstnetcfg --mode stealth --interface em2${VERBOSE};<br />
<br />
#<br />
# Network Interface: em3<br />
/usr/bin/nstnetcfg --mode stealth --interface em3${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p2${VERBOSE};<br />
<br />
#<br />
# Uncomment for using a Stealth Interface Combo Setting<br />
#for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2;<br />
# do /usr/bin/nstnetcfg --mode stealth --interface ${i}${VERBOSE};<br />
#done<br />
<br />
#<br />
# Apache SSL Configuration<br />
/usr/bin/nstnetcfg --mode ssl --interface em1 --virtual-host *:443 --server-name nstsurv1.txycorp.com:443${VERBOSE};<br />
</pre><br />
<br />
=== '''Script Invocation''' ===<br />
<br />
Make sure the script has its '''execute''' permission bit set:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>chmod +x "/etc/nst/net_cfg.sh";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Execute the script:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/etc/nst/net_cfg.sh;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''List All Installed Network Interface Devices Using: "getipaddr"''' ==<br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can be used to list all available network interface devices on an '''NST''' system.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lo<br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Virtual' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --virtual;</div><br />
<pre class="computerOutput"><br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Physical' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --physical;</div><br />
<pre class="computerOutput"><br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Renaming A Network Interface Device''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to rename a '''Network Interface Device''' thus providing a predictable Network Interface Name that is stable and available after each successive system reboot. In this section we will demonstrate how to ''rename'' a network interface device from: "'''eno16777984'''" to: "'''net0'''" using the "'''nstnetcfg'''" utility. This utility's '''rename''' mode generates a '''udev''' rules file that is used by '''[http://en.wikipedia.org/wiki/Systemd systemd/udev]''' at system boot time to automatically assign the predictable, stable network interface name for local Ethernet, WLAN and/or WWAN network interfaces.<br />
<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
<br />
<br />
The current Network Interface Devices available are shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
eno16777984<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The current IP Address configuration:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''nstnetcfg'''" utility will now be used to ''rename'' the network interface device from: "'''eno16777984'''" to: "'''net0'''". Notice the creation and content of the generated custom '''udev''' network rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''".<br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''' when changing the name of the '''Primary''' Network Interface Device. Otherwise, network connectivity may be lost if remotely connected to this NST system while performing this task.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] Try to use simple network device names (e.g. '''net0''', '''netfw''', '''Net_DMZ''' or '''NetRt1'''). Avoid using '''hyphen''' (''''-'''') or '''space''' ('&nbsp;') characters in the new network interface device name. Instead, use the '''underscore''' (''''_'''') character or '''CamelCase''' for separation clarity in your device naming convention.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] By default, the NetworkManager service randomizes Wifi MAC Addresses. If this occurs, using "'''nstnetcfg'''" to rename a Wifi Network Interface will fail, because the generated '''udev''' rule matches on the MAC Address. One can disable this NetworkManager feature by placing the "'''wifi.scan-rand-mac-address=no'''" directive in a file in directory: "'''/etc/NetworkManager/conf.d'''". Below is an example file to ''disable'' Wifi MAC Address randomizing by the NetworkManager service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span>cat /etc/NetworkManager/conf.d/wifi-static-mac.conf</div><br />
<pre class="computerOutput"><br />
[device]<br />
wifi.scan-rand-mac-address=no<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span></div><br />
</div><br />
</div></div><br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rename --rename net0 --interface eno16777984 --verbose;</div><br />
<pre class="computerOutput"><br />
<br />
Generating a new/updated custom 'udev' network rules file: "/etc/udev/rules.d/79-my-net-name-slot.rules":<br />
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:0c:29:e2:38:0b", NAME="net0"<br />
<br />
Renaming Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-eno16777984" to "/etc/sysconfig/network-scripts/ifcfg-net0"<br />
<br />
Labeling Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-net0" - NAME="net0"<br />
<br />
The Network Interface Device rename from: "eno16777984" to "net0" will take effect on the next system reboot.<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
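The following is an added example (it is not code from the NST wiki or from the '''nstnetcfg''' script) that builds the same one-line '''udev''' rule shown above from a MAC address and a new device name. It rejects names containing hyphens or spaces as the notes above recommend, and warns when the MAC address is locally administered (the mark of a randomized address). The MAC value is the one from the transcript, used as constructed input; reading it from ''/sys/class/net'' on a live system is left as a comment.<br />
<br />
```shell
#!/bin/bash
# Added example (not part of the NST wiki page or of the nstnetcfg script):
# build the one-line udev rule that "nstnetcfg --mode rename" writes to
# /etc/udev/rules.d/79-my-net-name-slot.rules, after validating the inputs
# the way the page's notes recommend (simple names, no '-' or ' ').

# valid_net_name NAME -> 0 if NAME is a simple name (letters, digits, '_')
# of at most 15 characters, the kernel limit for interface names (IFNAMSIZ - 1).
valid_net_name() {
    local name="$1"
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_]*) return 1 ;;   # rejects net-0, "Net DMZ", eth0.10 ...
    esac
    return 0
}

# valid_mac MAC -> 0 if MAC is six colon-separated hex octets.
valid_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) return 0 ;;
    esac
    return 1
}

# locally_administered MAC -> 0 if the U/L bit of the first octet is set.
# A randomized MAC (e.g. NetworkManager wifi scanning, see the note above)
# is locally administered, so a rule keyed on it would not match the real
# hardware address after the next reboot.
locally_administered() {
    local first=$(( 16#${1%%:*} ))
    [ $(( first & 2 )) -ne 0 ]
}

# udev_net_rule MAC NAME -> prints the ATTR{address}-keyed rule line in the
# form "nstnetcfg --mode rename" generates; returns 1 on invalid input.
udev_net_rule() {
    local mac="$1" name="$2"
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    valid_net_name "$name" || { echo "invalid interface name: $name" >&2; return 1; }
    if locally_administered "$mac"; then
        echo "warning: $mac is locally administered (possibly randomized)" >&2
    fi
    # udev compares ATTR{address} as a string; the kernel reports lower case.
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    printf 'ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="%s", NAME="%s"\n' \
        "$mac" "$name"
}

# Demonstration on the MAC from the transcript above (constructed input).
# On a live NST system the MAC would come from:
#   cat /sys/class/net/eno16777984/address
main() { udev_net_rule "00:0c:29:e2:38:0b" "net0"; }
main "$@"
```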
<br />
Now perform a system reboot:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
<pre class="computerOutput"><br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
After the system '''Reboot''', the "'''nstnetcfg'''" utility is run in "'''testudev'''" mode to verify the ''generated'' '''udev''' rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''". This mode internally uses the '''[http://linux.die.net/man/8/udevadm udevadm]''' tool.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode testudev --interface net0 --verbose;</div><br />
<pre class="computerOutput"><br />
/bin/udevadm test "/sys/class/net/net0";<br />
calling: test<br />
version 208<br />
This program is for debugging only, it does not run any program<br />
specified by a RUN key. It may show incorrect results, because<br />
some values may be different, or not available at a simulation run.<br />
<br />
=== trie on-disk ===<br />
tool version: 208<br />
file size: 5882628 bytes<br />
header size 80 bytes<br />
strings 1299372 bytes<br />
nodes 4583176 bytes<br />
load module index<br />
read rules file: /usr/lib/udev/rules.d/10-dm.rules<br />
read rules file: /usr/lib/udev/rules.d/11-dm-lvm.rules<br />
read rules file: /usr/lib/udev/rules.d/13-dm-disk.rules<br />
read rules file: /usr/lib/udev/rules.d/40-libgphoto2.rules<br />
IMPORT found builtin 'usb_id --export %%p', replacing /usr/lib/udev/rules.d/40-libgphoto2.rules:11<br />
read rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules<br />
read rules file: /usr/lib/udev/rules.d/42-usb-hid-pm.rules<br />
read rules file: /usr/lib/udev/rules.d/50-udev-default.rules<br />
read rules file: /usr/lib/udev/rules.d/56-hpmud.rules<br />
read rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules<br />
read rules file: /usr/lib/udev/rules.d/60-drm.rules<br />
read rules file: /usr/lib/udev/rules.d/60-ffado.rules<br />
read rules file: /usr/lib/udev/rules.d/60-fprint-autosuspend.rules<br />
read rules file: /usr/lib/udev/rules.d/60-keyboard.rules<br />
read rules file: /usr/lib/udev/rules.d/60-net.rules<br />
read rules file: /usr/lib/udev/rules.d/60-pcmcia.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-input.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-serial.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules<br />
read rules file: /usr/lib/udev/rules.d/60-raw.rules<br />
read rules file: /usr/lib/udev/rules.d/61-accelerometer.rules<br />
read rules file: /usr/lib/udev/rules.d/62-multipath.rules<br />
read rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules<br />
read rules file: /usr/lib/udev/rules.d/64-btrfs.rules<br />
read rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules<br />
read rules file: /usr/lib/udev/rules.d/65-libwacom.rules<br />
read rules file: /usr/lib/udev/rules.d/65-md-incremental.rules<br />
read rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules<br />
read rules file: /usr/lib/udev/rules.d/69-dm-lvm-metad.rules<br />
read rules file: /usr/lib/udev/rules.d/69-libmtp.rules<br />
read rules file: /usr/lib/udev/rules.d/69-pilot-link.rules<br />
read rules file: /usr/lib/udev/rules.d/69-xorg-vmmouse.rules<br />
read rules file: /usr/lib/udev/rules.d/70-power-switch.rules<br />
read rules file: /usr/lib/udev/rules.d/70-printers.rules<br />
read rules file: /usr/lib/udev/rules.d/70-spice-vdagentd.rules<br />
read rules file: /usr/lib/udev/rules.d/70-touchpad-quirks.rules<br />
read rules file: /usr/lib/udev/rules.d/70-uaccess.rules<br />
read rules file: /usr/lib/udev/rules.d/70-wacom.rules<br />
read rules file: /usr/lib/udev/rules.d/71-biosdevname.rules<br />
read rules file: /usr/lib/udev/rules.d/71-seat.rules<br />
read rules file: /usr/lib/udev/rules.d/73-seat-late.rules<br />
read rules file: /usr/lib/udev/rules.d/75-net-description.rules<br />
read rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules<br />
read rules file: /usr/lib/udev/rules.d/75-tty-description.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-ericsson-mbm.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-huawei-net-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-longcheer-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-nokia-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-pcmcia-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-platform-serial-whitelist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-simtech-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-telit-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-serial-adapters-greylist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-x22x-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-zte-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-nm-olpc-mesh.rules<br />
read rules file: /usr/lib/udev/rules.d/78-sound-card.rules<br />
read rules file: /etc/udev/rules.d/79-my-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-drivers.rules<br />
read rules file: /usr/lib/udev/rules.d/80-mm-candidate.rules<br />
read rules file: /usr/lib/udev/rules.d/80-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks2.rules<br />
read rules file: /usr/lib/udev/rules.d/85-regulatory.rules<br />
read rules file: /usr/lib/udev/rules.d/85-usbmuxd.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-restore.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-tools-firmware.rules<br />
read rules file: /usr/lib/udev/rules.d/90-pulseaudio.rules<br />
read rules file: /usr/lib/udev/rules.d/91-drm-modeset.rules<br />
read rules file: /usr/lib/udev/rules.d/95-cd-devices.rules<br />
read rules file: /usr/lib/udev/rules.d/95-dm-notify.rules<br />
read rules file: /usr/lib/udev/rules.d/95-udev-late.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-dell.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-fujitsu.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-gateway.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-ibm.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-lenovo.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-toshiba.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-csr.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-hid.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-wup.rules<br />
read rules file: /etc/udev/rules.d/98-kexec.rules<br />
read rules file: /etc/udev/rules.d/99-gpsd.rules<br />
read rules file: /usr/lib/udev/rules.d/99-qemu-guest-agent.rules<br />
read rules file: /usr/lib/udev/rules.d/99-systemd.rules<br />
rules contain 393216 bytes tokens (32768 * 12 bytes), 32346 bytes strings<br />
29283 strings (243715 bytes), 26259 de-duplicated (214394 bytes), 3025 trie nodes used<br />
PROGRAM '/lib/udev/rename_device' /usr/lib/udev/rules.d/60-net.rules:1<br />
starting '/lib/udev/rename_device'<br />
'/lib/udev/rename_device' [2075] exit with return code 0<br />
PROGRAM '/sbin/biosdevname --policy physical -i net0' /usr/lib/udev/rules.d/71-biosdevname.rules:22<br />
starting '/sbin/biosdevname --policy physical -i net0'<br />
'/sbin/biosdevname --policy physical -i net0' [2076] exit with return code 4<br />
IMPORT builtin 'net_id' /usr/lib/udev/rules.d/75-net-description.rules:6<br />
IMPORT builtin 'hwdb' /usr/lib/udev/rules.d/75-net-description.rules:12<br />
NAME 'net0' /etc/udev/rules.d/79-my-net-name-slot.rules:1<br />
RUN '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/$name --prefix=/proc/sys/net/ipv4/neigh/$name --prefix=/proc/sys/net/ipv6/conf/$name --prefix=/proc/sys/net/ipv6/neigh/$name' /usr/lib/udev/rules.d/99-systemd.rules:52<br />
ACTION=add<br />
DEVPATH=/devices/pci0000:00/0000:00:15.0/0000:03:00.0/net/net0<br />
ID_BUS=pci<br />
ID_MM_CANDIDATE=1<br />
ID_MODEL_FROM_DATABASE=VMXNET3 Ethernet Controller<br />
ID_MODEL_ID=0x07b0<br />
ID_NET_LABEL_ONBOARD=enEthernet0<br />
ID_NET_NAME_MAC=enx000c29e2380b<br />
ID_NET_NAME_ONBOARD=eno16777984<br />
ID_NET_NAME_PATH=enp3s0<br />
ID_NET_NAME_SLOT=ens160<br />
ID_OUI_FROM_DATABASE=VMware, Inc.<br />
ID_PCI_CLASS_FROM_DATABASE=Network controller<br />
ID_PCI_SUBCLASS_FROM_DATABASE=Ethernet controller<br />
ID_VENDOR_FROM_DATABASE=VMware<br />
ID_VENDOR_ID=0x15ad<br />
IFINDEX=2<br />
INTERFACE=net0<br />
SUBSYSTEM=net<br />
SYSTEMD_ALIAS=/sys/subsystem/net/devices/net0<br />
TAGS=:systemd:<br />
USEC_INITIALIZED=78468<br />
run: '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/net0 --prefix=/proc/sys/net/ipv4/neigh/net0 --prefix=/proc/sys/net/ipv6/conf/net0 --prefix=/proc/sys/net/ipv6/neigh/net0'<br />
unload module index<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
One can see that the Network Interface device has been changed to: "'''net0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
net0<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The IP Address configuration after the device rename is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Managing IPv4 Secondary Addressing''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Secondary Addressing'''. By example we will ''Add'', ''Display'' and ''Remove'' '''IPv4 Secondary Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" on an '''NST''' system (e.g., '''striker''') using '''IPv4 Network Interface:''' "'''lan0'''". This example is shown in the sections below.<br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
=== '''Adding IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Secondary Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state on '''NST''' system: "'''striker'''" is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the first '''IPv4 Secondary Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.241/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Secondary Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.242/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Secondary Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
=== '''List IPv4 Primary / Secondary Addresses Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to display all '''IPv4 Addresses''' including '''IP Secondary Addresses''' bound to '''Network Interface: "lan0"''' in CIDR notation:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>getipaddr --interface lan0 --ip-secondary --ip-address-cidr --net-int-devices;</div><br />
<pre class="computerOutput"><br />
lan0 10.222.222.111/24<br />
lan0 10.222.222.241/24 secondary<br />
lan0 10.222.222.242/24 secondary<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
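The following is an added example (not code from the NST wiki or from the '''getipaddr''' script) that derives the same "device address [secondary]" listing printed by '''getipaddr''' above directly from the output of "'''ip addr show'''", so the kernel's view of primary versus secondary '''IPv4''' addresses can be checked on a system without the '''NST''' scripts. The sample output is constructed from the "'''striker'''" transcript above.<br />
<br />
```shell
#!/bin/bash
# Added example (not part of the NST wiki page or of the getipaddr script):
# list primary and secondary IPv4 addresses per interface by parsing
# "ip addr show" output, in the same layout getipaddr printed above.

# Constructed sample, modelled on the page's "striker" transcript.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary noprefixroute lan0
       valid_lft forever preferred_lft forever
    inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary noprefixroute lan0
       valid_lft forever preferred_lft forever
    inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff'

# list_ipv4 [DEVICE] < ip-addr-output
# Prints "device cidr" for a primary and "device cidr secondary" for a
# secondary IPv4 address; with DEVICE given, only that interface is listed.
list_ipv4() {
    awk -v want="${1:-}" '
        # "N: name: <FLAGS> ..." starts a new interface record
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); next }
        # "inet CIDR ... [secondary] ..." lines carry the IPv4 addresses
        $1 == "inet" && (want == "" || dev == want) {
            sec = ""
            for (i = 3; i <= NF; i++) if ($i == "secondary") sec = " secondary"
            print dev, $2 sec
        }'
}

# secondary_count DEVICE < ip-addr-output -> number of secondary addresses
secondary_count() {
    list_ipv4 "$1" | grep -c ' secondary$' || true
}

# Wrappers that run the parser over the constructed sample.
sample_list() { printf '%s\n' "$SAMPLE_IP_ADDR" | list_ipv4 "$1"; }
sample_secondary_count() { printf '%s\n' "$SAMPLE_IP_ADDR" | secondary_count "$1"; }

# Live use on an NST system:  ip addr show | list_ipv4 lan0
sample_list lan0
```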
<br />
=== '''Removing IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Secondary Addresses'''" on an '''NST''' system.<br />
<br />
First, we remove all '''IPv4 Secondary Addresses''' bound to Network Interface: "'''lan0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.241/24"<br />
associated with Network Interface device: "lan0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.242/24"<br />
associated with Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state on '''NST''' system: "'''striker'''" is displayed:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br /><br />
<br /><br />
<br />
== '''Managing IPv4 Alias Addresses''' ==<br />
<br />
<div class="centerBlock"><div class="noteMessage">[[Image:Warning.png‎]] '''IPv4 Alias Addressing''' is no longer supported by script: '''nstnetcfg''' starting with '''NST 30'''.</div></div><br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5663</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Alias Addresses'''. By example we will ''Add'' and ''Remove'' '''IPv4 Alias Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" on an '''NST''' system using '''IPv4 Alias Network Interfaces:''' "'''p5p1:a1'''" and "'''p5p1:a2'''" respectively. This example is shown in the sections below.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' You cannot manage IPv4 aliases for interfaces that are under NetworkManager control (the interface must be managed by the network service). In addition, you may need to review and update your routing after adding your aliases.</div></div><br />
<br />
<br />
<br />
<br />
<br />
=== '''Adding IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Alias Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system: <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a1'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a1 -a 10.222.222.241/24 -g 10.222.222.1 --host-name probe-a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Network Interface: "p5p1:a1".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a2'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a2 -a 10.222.222.242/24 -g 10.222.222.1 --host-name probe-a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Network Interface: "p5p1:a2".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Alias Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''IPv4 Alias Addresses''' will also be configured in the hosts file "'''/etc/hosts'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>cat /etc/hosts;</div><br />
<pre class="computerOutput"><br />
127.0.0.1 localhost.localdomain localhost<br />
::1 localhost6.localdomain6 localhost6<br />
<br />
10.222.222.10 striker.nst.net striker<br />
10.222.222.141 probe-a1<br />
10.222.222.142 probe-a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' A network configuration file in directory: "'''/etc/sysconfig/network-scripts'''" was created for both '''IPv4 Alias Addresses''' above (i.e., "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a1'''" and "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a2'''"). This will allow the '''IPv4 Alias Address''' configuration to survive a system reboot. </div></div><br />
<br />
=== '''List All Installed Network Interface Devices Including IP Alias Interfaces Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to list all available network interface devices including '''IP Alias Network Interfaces''' on an '''NST''' system.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
p5p1:a1<br />
p5p1:a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Display all '''IPv4 Addresses''' including '''IP Alias Addresses''' bound to '''Network Interface: "p5p1"''' in CIDR notation:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -i p5p1 -D --ip-alias --ip-network-address-cidr;</div><br />
<pre class="computerOutput"><br />
p5p1 10.222.222.10/24<br />
p5p1:a1 10.222.222.241/24<br />
p5p1:a2 10.222.222.242/24<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
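The note above explains that the alias configuration only survives a reboot because an "'''ifcfg-<label>'''" file exists for each alias. The following added example (not part of the '''NST''' project or the '''nstnetcfg''' script) checks exactly that: it parses "'''ip addr show'''" output for labelled secondary addresses and reports any alias that has no matching file in the network-scripts directory. The function names and the constructed sample listing are mine; the directory layout assumed is the "'''/etc/sysconfig/network-scripts'''" convention shown on this page.<br />

```bash
#!/bin/sh
# Added example, not part of the NST project: verify that every labelled IPv4
# alias address currently bound in the kernel also has a persistent
# "ifcfg-<label>" file in the network-scripts directory, so it survives a reboot.

# Print "label cidr" for each labelled secondary (alias) IPv4 address found in
# "ip addr show" output read from stdin, e.g. "p5p1:a1 10.222.222.241/24".
# Unlabelled secondaries (label equal to the interface name) are not aliases
# in the ifcfg sense and are skipped.
alias_addrs() {
    awk '$1 == "inet" && / secondary / && $NF ~ /:/ { print $NF, $2 }'
}

# $1 = file holding "ip addr show" output, $2 = network-scripts directory.
# Prints every alias that has no ifcfg-<label> file; returns 1 if any is missing.
check_alias_persistence() {
    ipfile="$1"; cfgdir="$2"; missing=0
    tmp=$(mktemp)
    alias_addrs < "$ipfile" > "$tmp"
    while read -r label cidr; do
        if [ ! -f "$cfgdir/ifcfg-$label" ]; then
            echo "$label $cidr"
            missing=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$missing"
}

# Constructed sample modelled on the "ip addr show" listing above (not a live capture).
sample_ip_addr_output() {
cat <<'EOF'
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1
       valid_lft forever preferred_lft forever
    inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link
       valid_lft forever preferred_lft forever
EOF
}

# Demo: a scratch directory stands in for /etc/sysconfig/network-scripts with
# only the first alias configured, so the second alias is reported.
demo() {
    d=$(mktemp -d); f="$d/ipaddr.txt"
    sample_ip_addr_output > "$f"
    touch "$d/ifcfg-p5p1:a1"
    check_alias_persistence "$f" "$d" || echo "alias(es) above will not survive a reboot"
    rm -rf "$d"
}
demo
```

On a live system, save "'''ip addr show'''" output to a file and call "'''check_alias_persistence'''" with that file and "'''/etc/sysconfig/network-scripts'''".<br />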
<br />
<br />
=== '''Removing IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Alias Addresses'''" on an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system with configured '''IPv4 Alias Addresses''': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Interface: "p5p1:a1"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.241" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Interface: "p5p1:a2"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.242" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is shown on our demo '''NST''' system with all '''IPv4 Alias Addresses''' ''removed'': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" also shows that no '''IP Alias Network Interfaces''' are configured on the '''NST''' demo system. <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== '''Promiscuous Mode Control''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 22<br /> SVN: 7000</center>]]''']]<br />
<br />
=== '''Overview''' ===<br />
The '''Promiscuous''' state of a network interface device can be ''manually'' controlled by the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script. In promiscuous mode a network interface device passes every frame it receives up to the host, not only the frames addressed to it, which is essential for capturing all traffic on the segment. One can also use the systemd service: "'''promisc.service'''" to ''automatically'' set the Promiscuous state ''''On'''' for one or more network interface devices at system boot. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may not be able to set the Promiscuous state ''''Off'''' if another network application like '''[https://wiki.wireshark.org/ wireshark]''' or '''[https://en.wikipedia.org/wiki/Tcpdump tcpdump]''' is active and in capture mode. Each '''Kernel''' network driver module keeps a counter that is incremented for every application requesting that Promiscuous mode be set ''''On'''' for the network interface device. Only after all of these applications have set the Promiscuous state ''''Off'''' can one control the device's Promiscuous mode with the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script.</div></div><br />
<br />
=== '''Manual Mode''' ===<br />
This section will demonstrate how to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode for a network interface using either the interface method or the promiscuous configuration file method. <br />
<br />
==== '''Interface Method''' ====<br />
The current '''Network Interface Devices''' available are shown for demonstration in this section.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lan0<br />
lo<br />
netmon0<br />
netmon1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''On'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscon -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''Off'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscoff -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
==== '''Promiscuous Configuration File Method''' ====<br />
Alternatively, one could add the network interface: "'''netmon0'''" to the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''" using "'''nstnetcfg'''" mode: "'''promisccfg'''" and then control the '''Promiscuous''' state using the following command sequence:<br />
<br />
First, configure the network interface: "'''netmon0'''" in the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promisccfg --promisc add -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon0".<br />
<br />
Adding Network Interface device: "netmon0" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon0";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Setting Promiscuous mode ''''On'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscon -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Setting Promiscuous mode ''''Off'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscoff -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Automatic At System Boot''' ===<br />
The '''NST''' systemd "'''promisc.service'''" service can be used to ''enable'' the '''Promiscuous''' mode on one or more network interface adapters during a system boot. The content of this service unit is shown below:<br />
<pre class="programListing" style=" word-break: break-word;"><br />
#<br />
# NST: 2015<br />
<br />
[Unit]<br />
Description=Network Interface Promiscuous Mode Control<br />
Documentation=man:nstnetcfg(1)<br />
Documentation=http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22#Promiscuous_Mode_Control<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
ExecStart=/usr/bin/nstnetcfg --mode promiscon<br />
ExecStop=/usr/bin/nstnetcfg --mode promiscoff<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</pre><br />
<br />
One can see that the "'''nstnetcfg'''" script is used for ''starting'' and ''stopping'' the service. Make sure you first use mode: "'''--mode promisccfg'''" with each network interface for which you want the promiscuous mode ''enabled'' at system boot time, and then enable the "'''promisc.service'''" service. Below is an example for network interface device: "'''netmon1'''".<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg -m promisccfg -i netmon1 --promisc add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon1".<br />
<br />
Adding Network Interface device: "netmon1" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon1";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl enable promisc.service;</div><br />
<pre class="computerOutput"><br />
Created symlink from /etc/systemd/system/multi-user.target.wants/promisc.service to /usr/lib/systemd/system/promisc.service.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
</div><br />
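Because other tools (and the kernel reference counter described in the note above) can leave an interface promiscuous independently of "'''nstnetcfg'''", it is useful to audit which interfaces actually carry the '''PROMISC''' flag and compare them with the '''PROMISCINTS''' allow-list in "'''/etc/nst/promisc.conf'''". The following added example (not part of the '''NST''' project) does that; the function names and the constructed sample listing and configuration file are mine, and the config file format assumed is the one printed by "'''nstnetcfg -m promisccfg'''" above.<br />

```bash
#!/bin/sh
# Added example, not part of the NST project: list the interfaces the kernel
# reports as PROMISC and compare them against the PROMISCINTS allow-list in the
# nstnetcfg configuration file. An interface that is promiscuous but not
# allow-listed was switched by something other than nstnetcfg (a capture tool,
# or an unwanted sniffer) and deserves a closer look.

# Interface names from a promisc.conf file on stdin; the format is the one
# shown on this page, e.g. PROMISCINTS="netmon0 netmon1"; (comment lines are ignored).
promisc_conf_ints() {
    sed -n 's/^[[:space:]]*PROMISCINTS="\([^"]*\)".*/\1/p' | tr ' ' '\n' | sed '/^$/d'
}

# Interface names whose flag set contains PROMISC, from "ip link show" or
# "ip addr show" output on stdin. Only the header lines ("N: name: <FLAGS> ...")
# contain ": " twice, so the indented detail lines never match; a VLAN suffix
# such as "@p1p1" is dropped from the name.
promisc_link_ints() {
    awk -F': ' '$3 ~ /(<|,)PROMISC(,|>)/ { sub(/@.*/, "", $2); print $2 }'
}

# $1 = file with ip link/addr output, $2 = promisc.conf file.
# Prints each PROMISC interface not in the allow-list; returns 1 if any, else 0.
unexpected_promisc() {
    allow=$(mktemp)
    promisc_conf_ints < "$2" > "$allow"
    # grep -v with an empty pattern file prints every line, so an empty
    # allow-list flags all promiscuous interfaces, which is the safe default.
    unexpected=$(promisc_link_ints < "$1" | grep -vxF -f "$allow" || true)
    rm -f "$allow"
    [ -n "$unexpected" ] || return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Constructed sample "ip link show" listing (not a live capture): netmon0 and
# netmon1 are both promiscuous, modelled on the interfaces used on this page.
sample_ip_link_output() {
cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
3: netmon0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
4: netmon1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff
EOF
}

# Constructed promisc.conf in the format shown above: only netmon0 is allow-listed.
sample_promisc_conf() {
cat <<'EOF'
#
# Example for Network Interface Adapters: netmon0 and netmon1
# PROMISCINTS="netmon1 netmon2";

PROMISCINTS="netmon0";
EOF
}

# Demo on the constructed data: netmon1 is reported because it is promiscuous
# without being listed in PROMISCINTS.
demo() {
    d=$(mktemp -d)
    sample_ip_link_output > "$d/links.txt"
    sample_promisc_conf > "$d/promisc.conf"
    unexpected_promisc "$d/links.txt" "$d/promisc.conf" \
        || echo "promiscuous interface(s) above are not allow-listed in promisc.conf"
    rm -rf "$d"
}
demo
```

On a live '''NST''' system, feed it real data with "'''ip link show > /tmp/links.txt'''" and then "'''unexpected_promisc /tmp/links.txt /etc/nst/promisc.conf'''"; a non-zero exit status means an unexpected promiscuous interface was found.<br />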
<br />
== '''Managing a 'Bonding' Network Interface''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to ''create'' a ''''Bond Master'''' Network Interface device: "'''bond0'''" by aggregating 2 (two) '''NIC''' adapters: "'''p1p1'''" and "'''p1p2'''" into a single interface. Behind the scenes, the Linux bonding driver performs the actual work of creating and managing the bond device.<br />
A bond interface device may be useful when working with a "'''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network Tap]'''". Combining the non-aggregational ports of the TAP back into a single interface allows both '''Transmit''' and '''Receive''' network traffic to be seen by a listening network analysis or monitoring application. <br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example bonding configuration demonstrated in this section. The '''NST WUI Ntopng IPv4 Hosts''' application is performing ''surveillance monitoring'' on the firewall dirty side using the Bonded Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgbonding.png|1024px|center|A NST "'''nstnetcfg'''" Bonding Configuration with Monitoring]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The network traffic monitored on the [http://www.dual-comm.com/etap3105-aggregation-and-non-aggregation-tap.htm Dualcomm ETAP 3105 10/100/1000Base-T Regeneration Network TAP] Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") may be equal to or less than the traffic monitored on the Bonded Network Interface: "'''bond0'''" that is created in this section. If the combined effective data rate on the "'''Slave'''" Network Interfaces: "'''p1p1'''" and "'''p1p2'''" exceeds ''1Gb/sec'', then Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") will start to buffer and eventually lose packets, whereas the Bonded Network Interface: "'''bond0'''" will not.</div></div><br />
<br />
=== '''Network Interface Bond Creation''' ===<br />
First, let's show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''" and "'''p1p2'''" NIC adapters connected to the non-aggregational Network TAP (Ports: "'''4'''" and "'''5'''" respectively) will now be bonded into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". The bond interface is now in "'''Stealth'''" mode since it has no binding '''IPv4 Address'''.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2 --bonding-opts "mode=balance-rr,miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility is now shown after the creation of the "'''bond0'''" device:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link tentative dadfailed <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Notice that the network interfaces: "'''p1p1'''" and "'''p1p2'''" have the "'''SLAVE'''" flag set and the bond network interface: "'''bond0'''" has the "'''MASTER'''" flag set. Network traffic can now be monitored or captured on this new Bonded Virtual Network Interface: "'''bond0'''".<br />
<br />
=== '''Network Interface Bond Removal''' ===<br />
In this section we will remove the bonding network interface: "'''bond0'''" using "'''nstnetcfg'''" mode: "'''rmbonding'''":<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rmbonding --interface bond0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to remove 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Removing the "Linux Bonding Driver" module.<br />
<br />
Removing the 'Bonding Master' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p2" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p2".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2" for Interface: "p1p2".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p1" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p1".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1" for Interface: "p1p1".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
=== '''Binding an IPv4 Address to a 'Bonding' Network Interface''' ===<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to bind an '''IPv4 Address''' to a '''Bonded''' Network Interface. This method can also use one of the available Linux bonding driver modes to increase the ''effective'' bandwidth from the NST system to the network.<br />
<br />
<br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example '''IPv4 Address''' binding to the 'Bonded' Network Interface: "'''bond0'''". A Quad Gigabit NIC Adapter with ports: "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" will be bound together to form a new 'Bonding Master' Virtual Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgipv4bonding.png|1024px|center| Binding an IPv4 Address to a 'Bonded' Network Interface Using "'''nstnetcfg'''"]]<br />
<br />
==== '''Network Interface Bond Creation''' ====<br />
First lets show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.224.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" NIC LAN ports are now ''bonded'' into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". The bond interface is currently in "'''Stealth'''" mode with no binding '''IPv4 Address'''.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2,p1p3,p1p4 --bonding-opts "mode=5 miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p3".<br />
Successfully brought 'Down' Network Interface: "p1p3".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p3"<br />
for Network Interface: "p1p3".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p4".<br />
Successfully brought 'Down' Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p4"<br />
for Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The Linux bonding driver is configured for mode: "'''5'''" - '''Adaptive Transmit Load Balancing'''. This mode creates a channel bond that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each "'''Slave'''" Interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the '''MAC Address''' of the failed receiving slave.<br />
<br />
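The following shell check is added here as a worked example (it is not from the NST wiki page or the '''nstnetcfg''' script): it parses the bonding driver's status file, "'''/proc/net/bonding/bond0'''", and verifies that the mode, the '''miimon''' interval and the slave link states match the "'''mode=5 miimon=100'''" options used above. The status text embedded in it is a constructed, abbreviated sample so that the check runs offline.<br />

```bash
#!/bin/bash
# Added example (not part of the NST wiki page or of nstnetcfg): check the health of
# a bond built with "--bonding-opts mode=5 miimon=100" by parsing the bonding
# driver's status file, /proc/net/bonding/bond0. The status text below is a
# constructed, abbreviated sample so the check runs offline.

SAMPLE_BOND_STATUS='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: transmit load balancing
Currently Active Slave: p1p1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: p1p1
MII Status: up
Link Failure Count: 0

Slave Interface: p1p2
MII Status: up
Link Failure Count: 0

Slave Interface: p1p3
MII Status: down
Link Failure Count: 3

Slave Interface: p1p4
MII Status: up
Link Failure Count: 0'

# bond_field STATUS KEY: value of "KEY: value" from the master section only
# (everything before the first "Slave Interface:" line).
bond_field() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '
        /^Slave Interface:/ { exit }
        $1 == key { print $2; exit }'
}

# bond_slave_status STATUS: one "IFACE MII_STATUS FAILURE_COUNT" line per slave.
bond_slave_status() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "Slave Interface" { s = $2 }
        s != "" && $1 == "MII Status" { mii = $2 }
        s != "" && $1 == "Link Failure Count" { print s, mii, $2; s = "" }'
}

# bond_check STATUS MODE MIIMON SLAVES
#   MODE   : expected "Bonding Mode" text; mode=5 reports "transmit load balancing"
#   MIIMON : expected MII polling interval in ms (the miimon option)
#   SLAVES : expected slave interfaces, space separated
# Prints one finding per line and returns the number of findings (0 = healthy).
bond_check() {
    status=$1; want_mode=$2; want_miimon=$3; want_slaves=$4; findings=0
    mode=$(bond_field "$status" "Bonding Mode")
    if [ "$mode" != "$want_mode" ]; then
        printf 'FAIL: bonding mode is "%s", expected "%s"\n' "$mode" "$want_mode"
        findings=$((findings + 1))
    fi
    miimon=$(bond_field "$status" "MII Polling Interval (ms)")
    if [ "$miimon" != "$want_miimon" ]; then
        printf 'FAIL: miimon is %s, expected %s\n' "$miimon" "$want_miimon"
        findings=$((findings + 1))
    fi
    if [ "$(bond_field "$status" "MII Status")" != "up" ]; then
        printf 'FAIL: bond master link is down\n'
        findings=$((findings + 1))
    fi
    seen=""
    while read -r slave mii failures; do
        [ -n "$slave" ] || continue
        seen="$seen $slave"
        case " $want_slaves " in
            *" $slave "*) ;;
            *) printf 'FAIL: unexpected slave %s is enslaved\n' "$slave"
               findings=$((findings + 1)) ;;
        esac
        if [ "$mii" != "up" ]; then
            printf 'FAIL: slave %s link is %s (link failure count %s)\n' "$slave" "$mii" "$failures"
            findings=$((findings + 1))
        fi
    done <<EOF
$(bond_slave_status "$status")
EOF
    for s in $want_slaves; do
        case " $seen " in
            *" $s "*) ;;
            *) printf 'FAIL: expected slave %s is missing from the bond\n' "$s"
               findings=$((findings + 1)) ;;
        esac
    done
    if [ "$findings" -eq 0 ]; then printf 'OK: %s, all slaves up\n' "$mode"; fi
    return "$findings"
}

bond_check "$SAMPLE_BOND_STATUS" "transmit load balancing" 100 "p1p1 p1p2 p1p3 p1p4" \
    || printf '%s problem(s) found\n' "$?"
```

On a live NST system, pass "$(cat /proc/net/bonding/bond0)" as the first argument of '''bond_check''' instead of the sample; a slave whose '''MII Status''' reads "down" is the one the driver has stopped using for transmit load balancing.<br />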
==== '''IPv4 Address Binding to the Bond Interface''' ====<br />
Next, the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" utility is used to ''bind'' the IPv4 Address: "'''172.18.1.11'''" to the 'Bonding Master' Virtual Network Interface: "'''bond0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode ipv4 --interface bond0 -a 172.18.1.11/24 -g 10.224.1.1 --hosts-file-only --host-name striker-bond -v;</div><br />
<pre class="computerOutput"><br />
Configuring a static IPv4 Address: "172.18.1.11/24" for 'Bonding Master' Network Interface: "bond0".<br />
<br />
Attempting to bring 'Down' Bonding Master Network Interface: "bond0".<br />
Successfully brought 'Down' Bonding Master Network Interface: "bond0".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-bond0" for Network Interface: "bond0".<br />
<br />
Updating the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Bonding Master Network Interface: "bond0" in 5 seconds.<br />
Successfully brought 'Up' Bonding Master Network Interface: "bond0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the network configuration is now shown using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" utility with IPv4 Address: "'''172.18.1.11'''" bound to the 'Bonding Master' Virtual Network Interface: "'''bond0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.222.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state Up group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state Up group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
12: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet 172.18.1.11/24 brd 172.18.1.255 scope global bond0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div></div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22&diff=9751HowTo Setup A Server With Multiple Network Interface Adapters Using: "nstnetcfg"2022-12-14T01:30:09Z<p>Rwh: /* Network Manager Ignore Certain Devices - Unmanaged */</p>
<hr />
<div>__TOC__<br />
= '''Overview''' =<br />
<br />
This page demonstrates how to set up networking on an NST server that is configured with ''multiple'' network interface adapters for performing ''simultaneous'' network computing surveillance tasks. The NST command line tool: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" was designed to make this task easy to accomplish using the underlying "'''NetworkManager'''" service via the '''nmcli''' utility.<br />
<br />
The diagram below will be used as a reference for setting up a multi-network interface adapter server using '''NST'''. The rear panel of a '''1U Server''' is shown with NIC attachments to the network infrastructure. The network security staff for fictitious company: "'''TxyCorp'''" would like to use NST for monitoring different network segments throughout their network. In particular, they would like to monitor traffic entering and leaving their corporation, web server traffic, all client electronic business transactions and remote traffic to and from their satellite offices. They will use a combination of '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) ports and a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network TAP]''' to expose network traffic on these segments. <br />
<br />
When booting up "'''[http://sourceforge.net/projects/nst/ NST Live]'''" or after a hard disk installation, the "'''[http://projects.gnome.org/NetworkManager/ Network Manager]'''" service is on by default for managing all network interfaces found on an NST system. '''Network Manager''' provides a quick and easy method for setting up networking on a system equipped with a wireless interface that uses '''DHCP''' for '''IPv4 Address''' configuration. When a system is configured with two or more wired network interfaces or requires a multi-homed network setup, the "'''nstnetcfg'''" script may be a better choice for setting up the network configuration.<br />
<br />
The '''nstnetcfg''' utility can help mitigate some of the error prone tasks required to set up networking on an NST (Linux) system using the "'''NetworkManager'''" service by scripting them.<br />
<br />
[[Image:Nstnetcfgserver.png|1024px|center|A Multi-Network Interface Adapter NST Server Configuration]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The "'''Sys Admin Network'''" is an out-of-band network for the management of enterprise servers within this network infrastructure. The "'''[http://en.wikipedia.org/wiki/Out-of-band_management ILOM]'''" (Integrated Lights Out Management) network interface (i.e., "'''NetMgt'''") and the "'''Serial Console'''" device (i.e., "'''ttyS0'''") are shown for completeness and are not used by "'''nstnetcfg'''".</div></div><br />
<br />
= '''Network Interface Setup Configuration Information''' =<br />
<br />
In this section we will identify each network interface and how it should be setup using the '''1U Server''' configuration illustrated in the reference diagram above. Network parameters such as the '''Subnet Mask''', '''Host Name(s)''', '''Domain Name Servers''', '''Domain Name''', '''Gateway''' and '''Default Interface''' will also be identified. The table below depicts values that will be used by the '''nstnetcfg''' script.<br />
<br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Interface / Parameter<br />
! align="center" style="background-color: lightgray;" |Configuration Values<br />
! align="center" style="background-color: lightgray;" |NetworkManager<br />Service<br />
|-<br />
|em0<br />
|IPv4 Address: '''172.30.1.16''', Network Routing Prefix: '''24''', Host Name: '''nstsurv1-mon''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em1<br />
|IPv4 Address: '''10.221.5.14''', Network Routing Prefix: '''16''', Host Name: '''nstsurv1''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|em3<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|Domain Name Servers<br />
|'''10.221.1.10''', '''10.221.1.11'''<br />
|N/A<br />
|-<br />
|Domain Name<br />
|'''txycorp.com'''<br />
|N/A<br />
|-<br />
|Virtual Host (ssl.conf)<br />
|'''*:443'''<br />
|N/A<br />
|-<br />
|Server Name (ssl.conf)<br />
|'''nstsurv1.txycorp.com:443'''<br />
|N/A<br />
|-<br />
|}<br />
<br />
&nbsp;<br />
<br />
= '''Network Interface Configuration: nstnetcfg''' =<br />
<br />
The NST script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" will now be used for setting up networking on this server. This script will ''enable'' the "'''NetworkManager'''" service when setting up a static '''IPv4 Address''' (''--mode ipv4''). The "'''NetworkManager'''" service will also be ''enabled'' at boot time. The sequence of '''nstnetcfg''' invocations below ''serves'' as an example for setting up networking on your particular server with NST. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The reader is encouraged to review the man page for "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" as reference material prior to its use. One can also use the "'''--verbose'''" output parameter for greater visibility on the progress of '''nstnetcfg''' during its configuration stages.<br />
<br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''' due to the fact that the "'''IPv4 Addressing'''" for this NST system will most likely change.<br />
</div></div><br />
<br />
== '''Initialize All Network Interfaces''' ==<br />
<br />
The '''nstnetcfg''' mode: "'''init'''" will put the networking setup posture in a known ''initialized'' state. The "'''NetworkManager'''" service will be ''enabled'', and all network adapters and associated configuration files will be set to a default initialization state with no binding layer 3 addressing. The "'''LoopBack'''" interface device is never ''removed'' or ''reset'' to the factory default state by this mode. The '''[http://en.wikipedia.org/wiki/Name_Service_Switch Name Service Switch]''' configuration file: "'''/etc/nsswitch.conf'''" will have its '''hosts''' entry set to: "'''files dns'''". It is best practice to first use this mode ''prior'' to setting up networking so that any ''lingering'' "'''NetworkManager'''" configuration files will <u>Not</u> interfere with the use of the '''nstnetcfg''' operation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode init;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Static IPv4 Configured Interfaces''' ==<br />
<br />
The example NST server shown above uses a "'''Multi-Home'''" configuration with network interface devices: "'''em0'''" and "'''em1'''" set with static '''IPv4 Addresses:''' '''172.30.1.16''' and '''10.221.5.14''' respectively.<br />
<br />
=== '''Interface: em1''' ===<br />
<br />
The "'''em1'''" interface device is network attached to the "'''TxyCorp'''" Intranet. This network provides name services and external access to the Internet. The "'''Host Name'''", "'''Domain Name'''", "'''Name Servers'''" and "'''Gateway'''" values are set accordingly. A host name entry for "'''nstsurv1'''" will be added to the '''Hosts''' file: "'''/etc/hosts'''" and the system host name will be set to: "'''nstsurv1'''". A "'''16'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used. The configuration for this interface is shown below.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em0''' ===<br />
<br />
The "'''em0'''" network interface is connected to the "'''Security Network'''" for performing network surveillance tasks using the "'''NST WUI'''" and the large collection of NST network security applications and tools. The "'''--hosts-file-only'''" setting is used so that only the '''Hosts''' file: "'''/etc/hosts'''" will be updated with a host name entry for: "'''nstsurv1-mon'''". Note that there is <u>No</u> "'''--gateway'''" parameter used with this interface because there is only one default gateway (i.e., "'''10.221.1.1'''") for this '''Multi-Home''' example configuration. It is not necessary to again set the system "'''Host Name'''", "'''Domain Name'''" and "'''Name Servers'''" values since these were specified in the configuration for network interface "'''em1'''". A "'''24'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon --hosts-file-only;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''NetworkManager Ignore Certain Devices - Unmanaged''' ==<br />
See this reference on how to configure NetworkManager to ignore certain devices: "'''[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/configuring-networkmanager-to-ignore-certain-devices_configuring-and-managing-networking Configuring NetworkManager to ignore certain devices]'''"<br />
<br />
== '''Stealth Configured Interfaces''' ==<br />
<br />
The "'''Stealth'''" network interfaces (i.e., an interface in the "'''UP'''" state with <u>No</u> binding '''IPv4 Address''') will now be configured. These interfaces are strategically network attached throughout the network infrastructure for surveillance monitoring.<br />
<br />
=== '''Interface: em2''' ===<br />
<br />
This network interface: "'''em2'''" is used to monitor the Transmit Data: "'''TxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' ('''T'''est '''A'''ccess '''P'''oint) for all traffic ''leaving'' (egress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em3''' ===<br />
<br />
This network interface: "'''em3'''" is used to monitor the Receive Data: "'''RxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' for all traffic ''entering'' (ingress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em3;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p1''' ===<br />
<br />
This network interface: "'''p2p1'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p2''' ===<br />
<br />
This network interface: "'''p2p2'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p1''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p1'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p2''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p2'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p1''' ===<br />
<br />
This network interface: "'''p6p1'''" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p2''' ===<br />
<br />
This network interface: "'''p6p2'''" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Stealth Interface Combo Setting Command''' ===<br />
<br />
The command below shows a compact way of using a '''[https://en.wikipedia.org/wiki/Bash_(Unix_shell) Bash]''' "''for loop''" statement to configure all "'''Stealth'''" interfaces in one command line invocation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2; do nstnetcfg --mode stealth --interface ${i}; done</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== '''Apache SSL Configuration For Proper HTTPS NST WUI Access''' ==<br />
<br />
If the "'''IPv4 Address'''" on an NST system is changed, the '''[http://httpd.apache.org/ Apache Web Server]''' '''[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL]''' configuration file: "'''/etc/httpd/conf.d/ssl.conf'''" needs to be modified for proper '''[http://en.wikipedia.org/wiki/HTTP_Secure HTTPS]''' ''access'' to the "'''NST WUI'''". The following "'''nstnetcfg'''" command uses the "'''ssl'''" mode to allow all hosts "'''HTTPS'''" access to the "'''NST WUI'''" using '''Server Name:''' "'''nstsurv1.txycorp.com'''". A new "'''SSL'''" certificate and key file will also be ''generated''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ssl --interface em1 --virtual-host *:443 --server-name nstsurv1.txycorp.com:443;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
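The following audit is added here as a worked example (it is not part of the NST wiki page or the '''nstnetcfg''' script): it checks that each interface in the configuration table above ended up in the intended posture, that is, the static interfaces carry their '''IPv4 Address''' and the "'''Stealth'''" interfaces are "'''UP'''" with no '''IPv4 Address'''. The "'''ip -o link show'''" and "'''ip -o -4 addr show'''" text it parses is a constructed sample; on the server, pass the live output of those two commands instead.<br />

```bash
#!/bin/bash
# Added example (not part of the NST wiki page or of nstnetcfg): audit that every
# interface ended up in the posture listed in the configuration table above.
# Inputs are the text of "ip -o link show" and "ip -o -4 addr show"; the samples
# below are constructed so the audit runs offline.

# Expected posture, taken from the configuration table.
EXPECTED_POSTURE='em0 172.30.1.16/24
em1 10.221.5.14/16
em2 stealth
em3 stealth
p2p1 stealth
p2p2 stealth
p4p1 stealth
p4p2 stealth
p6p1 stealth
p6p2 stealth'

# Constructed "ip -o link show" sample (abbreviated): em3 was left DOWN and p6p2 is absent.
SAMPLE_LINK='2: em0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
3: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
4: em2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
5: em3: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
6: p2p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
7: p2p2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
8: p4p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
9: p4p2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
10: p6p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000'

# Constructed "ip -o -4 addr show" sample: p2p1 still carries a leftover DHCP lease.
SAMPLE_ADDR='2: em0    inet 172.30.1.16/24 brd 172.30.1.255 scope global em0
3: em1    inet 10.221.5.14/16 brd 10.221.255.255 scope global em1
6: p2p1    inet 192.0.2.5/24 brd 192.0.2.255 scope global dynamic p2p1'

# check_posture IFACE EXPECTED LINK_TEXT ADDR_TEXT
#   EXPECTED is "stealth" or "ADDR/PREFIX". Prints "OK" or "FAIL: <reason>";
#   always returns 0 so the verdict can be captured with $(...).
check_posture() {
    iface=$1; expected=$2
    link_line=$(printf '%s\n' "$3" | awk -v ifc="$iface:" '$2 == ifc')
    if [ -z "$link_line" ]; then
        printf 'FAIL: %s is not present in the link table\n' "$iface"; return 0
    fi
    # Both stealth and addressed interfaces must be administratively UP.
    flags=$(printf '%s\n' "$link_line" | awk '{ gsub(/[<>]/, ","); print $3 }')
    case "$flags" in
        *,UP,*) ;;
        *) printf 'FAIL: %s is not UP (flags %s)\n' "$iface" "$flags"; return 0 ;;
    esac
    addrs=$(printf '%s\n' "$4" | awk -v ifc="$iface" '$2 == ifc && $3 == "inet" { print $4 }')
    if [ "$expected" = "stealth" ]; then
        if [ -n "$addrs" ]; then
            printf 'FAIL: stealth interface %s has IPv4 address %s\n' "$iface" "$addrs"; return 0
        fi
    else
        found=0
        for a in $addrs; do
            if [ "$a" = "$expected" ]; then found=1; fi
        done
        if [ "$found" -ne 1 ]; then
            printf 'FAIL: %s has %s, expected %s\n' "$iface" "${addrs:-no IPv4 address}" "$expected"; return 0
        fi
    fi
    printf 'OK\n'; return 0
}

# audit_posture LINK_TEXT ADDR_TEXT: checks every row of EXPECTED_POSTURE, prints
# one line per interface and returns the number of interfaces that failed.
audit_posture() {
    fails=0
    while read -r ifc exp; do
        [ -n "$ifc" ] || continue
        verdict=$(check_posture "$ifc" "$exp" "$1" "$2")
        printf '%-5s %-16s %s\n' "$ifc" "$exp" "$verdict"
        case "$verdict" in FAIL*) fails=$((fails + 1)) ;; esac
    done <<EOF
$EXPECTED_POSTURE
EOF
    return "$fails"
}

audit_posture "$SAMPLE_LINK" "$SAMPLE_ADDR" || printf '%s interface(s) out of posture\n' "$?"
```

Run it as "'''audit_posture "$(ip -o link show)" "$(ip -o -4 addr show)"'''" after the "'''nstnetcfg'''" invocations; a stealth port that still shows an address, or one that is not "'''UP'''", is a monitoring interface that is either reachable on the network or not capturing.<br />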
&nbsp;<br />
<br />
== '''Using A Bash Script With "nstnetcfg"''' ==<br />
It may be better to use a '''[http://en.wikipedia.org/wiki/Bash Bash]''' script given the numerous invocations of "'''nstnetcfg'''" with this '''NST''' network configuration setup. A good location to store your script would be in directory: "'''/etc/nst'''". This will allow one to ''easily'' make changes to the network configuration by editing the script and running it. An example script is shown below for: "'''/etc/nst/net_cfg.sh'''" using the above invocations of "'''nstnetcfg'''". One can copy and paste this script as a starter template file for your usage.<br />
<br />
<pre class="programListing"><br />
#!/bin/bash<br />
<br />
#<br />
# Script: "net_cfg.sh"<br />
<br />
#<br />
# Description: Helper script for setting up the configuration of network interfaces<br />
# on Server: "nstsurv1" using: "nstnetcfg".<br />
<br />
#<br />
# Short Usage: "nstnetcfg"<br />
#<br />
# nstnetcfg [-m|--mode TEXT] [-i|--interface DEVICE]<br />
# [-a|--ipv4-addr-prefix IPv4ADDR/PREFIX] [-g|--gateway IPv4ADDR]<br />
# [--mac-addr MACADDR] [--host-name TEXT] [--domain-name TEXT]<br />
# [--name-servers IPv4ADDRLIST] [--hosts-file-only [true]|false]<br />
# [--virtual-host TEXT] [--server-name TEXT]<br />
# [-h|--help [true]|false] [-H|--help-long [true]|false]<br />
# [-v|--verbose [true]|false] [--version [true]|false]<br />
#<br />
# Available Modes: ipv4, dhcp, ssl, stealth, netmgr, rmint, init, show<br />
<br />
#<br />
# Uncomment to enable verbosity <br />
#VERBOSE=" --verbose";<br />
<br />
#<br />
# Network Interface: Initialization<br />
/usr/bin/nstnetcfg --mode init${VERBOSE};<br />
<br />
#<br />
# Network Interface: em1<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 \<br />
--host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11"${VERBOSE};<br />
<br />
#<br />
# Network Interface: em0<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon \<br />
--hosts-file-only${VERBOSE}; <br />
<br />
#<br />
# Network Interface: em2<br />
/usr/bin/nstnetcfg --mode stealth --interface em2${VERBOSE};<br />
<br />
#<br />
# Network Interface: em3<br />
/usr/bin/nstnetcfg --mode stealth --interface em3${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p2${VERBOSE};<br />
<br />
#<br />
# Uncomment for using a Stealth Interface Combo Setting<br />
#for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2;<br />
# do /usr/bin/nstnetcfg --mode stealth --interface ${i}${VERBOSE};<br />
#done<br />
<br />
#<br />
# Apache SSL Configuration (quote the virtual host so the shell does not glob-expand '*')<br />
/usr/bin/nstnetcfg --mode ssl --interface em1 --virtual-host "*:443" --server-name nstsurv1.txycorp.com:443${VERBOSE};<br />
</pre><br />
<br />
=== '''Script Invocation''' ===<br />
<br />
Make sure the script has its '''execute''' permission bit set:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>chmod +x "/etc/nst/net_cfg.sh";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Execute the script:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/etc/nst/net_cfg.sh;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
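As an added example (not part of '''NST''' or the '''net_cfg.sh''' script above), the following shell functions pre-check the device names, addresses and gateway such a script hands to "'''nstnetcfg'''" before anything is reconfigured, so that a mistyped device or a gateway outside the interface's subnet is caught while there is still a working session. The function names are hypothetical; the '''SYSFS_NET''' variable exists only so a test can point the device check at a fake '''/sys/class/net''' tree.<br />

```bash
#!/bin/bash
# Added example (not part of NST): pre-flight checks for the values a script
# like /etc/nst/net_cfg.sh passes to nstnetcfg. Run it before the script so a
# mistyped device name, address or gateway is caught before any interface is
# reconfigured. All function names here are hypothetical; the code is POSIX sh.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # tests point this at a fake tree

# ip4_to_int A.B.C.D: print the address as a 32-bit integer; status 1 if malformed.
# Runs in a subshell so the IFS change does not leak into the caller.
ip4_to_int() (
    case "$1" in *.|.*|*..*) return 1 ;; esac
    IFS=. ; set -f ; set -- $1
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
)

# cidr_valid ADDR/PREFIX: the IPv4ADDR/PREFIX form nstnetcfg expects for -a
cidr_valid() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1##*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] && [ -n "$(ip4_to_int "${1%%/*}")" ]
}

# gateway_in_prefix GATEWAY ADDR/PREFIX: true when GATEWAY lies in the subnet
# of ADDR/PREFIX and is not ADDR itself (a gateway outside the subnet on a
# remotely administered box means losing the session once it is applied).
gateway_in_prefix() {
    cidr_valid "$2" || return 1
    gw=$(ip4_to_int "$1") || return 1
    addr=$(ip4_to_int "${2%%/*}")
    prefix=${2##*/}
    [ "$gw" -ne "$addr" ] || return 1
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( gw & mask )) -eq $(( addr & mask )) ]
}

# preflight DEV ADDR/PREFIX [GATEWAY]: all checks for one static-IPv4 interface
preflight() {
    dev=$1 cidr=$2 gw=${3:-}
    [ -d "$SYSFS_NET/$dev" ] || { echo "preflight: no device '$dev'" >&2; return 1; }
    cidr_valid "$cidr" || { echo "preflight: bad address '$cidr'" >&2; return 1; }
    if [ -n "$gw" ]; then
        gateway_in_prefix "$gw" "$cidr" || { echo "preflight: gateway '$gw' is not inside '$cidr'" >&2; return 1; }
    fi
}

# Mirrors the two static interfaces in net_cfg.sh above; on a real system run
# this before /etc/nst/net_cfg.sh and stop on the first failure:
#   preflight em1 10.221.5.14/16 10.221.1.1 && preflight em0 172.30.1.16/24
```

The device check only asks whether the kernel knows the name; it does not tell you whether the cable is plugged in, which is what the "'''nstnetcfg --mode show'''" mode and "'''ip addr show'''" are for after the script has run.<br />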
<br />
&nbsp;<br />
<br />
== '''List All Installed Network Interface Devices Using: "getipaddr"''' ==<br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can be used to list all available network interface devices on an '''NST''' system.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lo<br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Virtual' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --virtual;</div><br />
<pre class="computerOutput"><br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Physical' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --physical;</div><br />
<pre class="computerOutput"><br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Renaming A Network Interface Device''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to rename a '''Network Interface Device''' thus providing a predictable Network Interface Name that is stable and available after each successive system reboot. In this section we will demonstrate how to ''rename'' a network interface device from: "'''eno16777984'''" to: "'''net0'''" using the "'''nstnetcfg'''" utility. This utility's '''rename''' mode generates a '''udev''' rules file that is used by '''[http://en.wikipedia.org/wiki/Systemd systemd/udev]''' at system boot time to automatically assign the predictable, stable network interface name for local Ethernet, WLAN and/or WWAN network interfaces.<br />
<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
<br />
<br />
The current Network Interface Devices available are shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
eno16777984<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The current IP Address configuration:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''nstnetcfg'''" utility will now be used to ''rename'' the network interface device from: "'''eno16777984'''" to: "'''net0'''". Notice the creation and content of the generated custom '''udev''' network rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''".<br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''' when changing the name of the '''Primary''' Network Interface Device. Otherwise, network connectivity may be lost if remotely connected to this NST system while performing this task.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] Try to use simple network device names (e.g. '''net0''', '''netfw''', '''Net_DMZ''' or '''NetRt1'''). Avoid using '''hyphen''' (''''-'''') or '''space''' ('&nbsp;') characters in the new network interface device name. Instead, use the '''underscore''' (''''_'''') character or '''CamelCase''' for separation clarity in your device naming convention.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] By default the NetworkManager service randomizes Wifi MAC Addresses. When this is in effect, using "'''nstnetcfg'''" to rename a Wifi Network Interface will fail, because the generated '''udev''' rule matches the device by its MAC Address. One can disable this NetworkManager feature by creating a file in directory: "'''/etc/NetworkManager/conf.d'''" containing the "'''wifi.scan-rand-mac-address=no'''" configuration directive. Below is an example file to ''disable'' Wifi MAC Address randomizing by the NetworkManager service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span>cat /etc/NetworkManager/conf.d/wifi-static-mac.conf</div><br />
<pre class="computerOutput"><br />
[device]<br />
wifi.scan-rand-mac-address=no<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span></div><br />
</div><br />
</div></div><br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rename --rename net0 --interface eno16777984 --verbose;</div><br />
<pre class="computerOutput"><br />
<br />
Generating a new/updated custom 'udev' network rules file: "/etc/udev/rules.d/79-my-net-name-slot.rules":<br />
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:0c:29:e2:38:0b", NAME="net0"<br />
<br />
Renaming Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-eno16777984" to "/etc/sysconfig/network-scripts/ifcfg-net0"<br />
<br />
Labeling Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-net0" - NAME="net0"<br />
<br />
The Network Interface Device rename from: "eno16777984" to "net0" will take effect on the next system reboot.<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Now perform a system reboot:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
<pre class="computerOutput"><br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
After the system '''Reboot''', the "'''nstnetcfg'''" utility's '''testudev''' mode, which internally uses the '''[http://linux.die.net/man/8/udevadm udevadm]''' tool, is run to verify the ''generated'' '''udev''' rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''":<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode testudev --interface net0 --verbose;</div><br />
<pre class="computerOutput"><br />
/bin/udevadm test "/sys/class/net/net0";<br />
calling: test<br />
version 208<br />
This program is for debugging only, it does not run any program<br />
specified by a RUN key. It may show incorrect results, because<br />
some values may be different, or not available at a simulation run.<br />
<br />
=== trie on-disk ===<br />
tool version: 208<br />
file size: 5882628 bytes<br />
header size 80 bytes<br />
strings 1299372 bytes<br />
nodes 4583176 bytes<br />
load module index<br />
read rules file: /usr/lib/udev/rules.d/10-dm.rules<br />
read rules file: /usr/lib/udev/rules.d/11-dm-lvm.rules<br />
read rules file: /usr/lib/udev/rules.d/13-dm-disk.rules<br />
read rules file: /usr/lib/udev/rules.d/40-libgphoto2.rules<br />
IMPORT found builtin 'usb_id --export %%p', replacing /usr/lib/udev/rules.d/40-libgphoto2.rules:11<br />
read rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules<br />
read rules file: /usr/lib/udev/rules.d/42-usb-hid-pm.rules<br />
read rules file: /usr/lib/udev/rules.d/50-udev-default.rules<br />
read rules file: /usr/lib/udev/rules.d/56-hpmud.rules<br />
read rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules<br />
read rules file: /usr/lib/udev/rules.d/60-drm.rules<br />
read rules file: /usr/lib/udev/rules.d/60-ffado.rules<br />
read rules file: /usr/lib/udev/rules.d/60-fprint-autosuspend.rules<br />
read rules file: /usr/lib/udev/rules.d/60-keyboard.rules<br />
read rules file: /usr/lib/udev/rules.d/60-net.rules<br />
read rules file: /usr/lib/udev/rules.d/60-pcmcia.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-input.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-serial.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules<br />
read rules file: /usr/lib/udev/rules.d/60-raw.rules<br />
read rules file: /usr/lib/udev/rules.d/61-accelerometer.rules<br />
read rules file: /usr/lib/udev/rules.d/62-multipath.rules<br />
read rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules<br />
read rules file: /usr/lib/udev/rules.d/64-btrfs.rules<br />
read rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules<br />
read rules file: /usr/lib/udev/rules.d/65-libwacom.rules<br />
read rules file: /usr/lib/udev/rules.d/65-md-incremental.rules<br />
read rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules<br />
read rules file: /usr/lib/udev/rules.d/69-dm-lvm-metad.rules<br />
read rules file: /usr/lib/udev/rules.d/69-libmtp.rules<br />
read rules file: /usr/lib/udev/rules.d/69-pilot-link.rules<br />
read rules file: /usr/lib/udev/rules.d/69-xorg-vmmouse.rules<br />
read rules file: /usr/lib/udev/rules.d/70-power-switch.rules<br />
read rules file: /usr/lib/udev/rules.d/70-printers.rules<br />
read rules file: /usr/lib/udev/rules.d/70-spice-vdagentd.rules<br />
read rules file: /usr/lib/udev/rules.d/70-touchpad-quirks.rules<br />
read rules file: /usr/lib/udev/rules.d/70-uaccess.rules<br />
read rules file: /usr/lib/udev/rules.d/70-wacom.rules<br />
read rules file: /usr/lib/udev/rules.d/71-biosdevname.rules<br />
read rules file: /usr/lib/udev/rules.d/71-seat.rules<br />
read rules file: /usr/lib/udev/rules.d/73-seat-late.rules<br />
read rules file: /usr/lib/udev/rules.d/75-net-description.rules<br />
read rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules<br />
read rules file: /usr/lib/udev/rules.d/75-tty-description.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-ericsson-mbm.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-huawei-net-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-longcheer-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-nokia-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-pcmcia-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-platform-serial-whitelist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-simtech-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-telit-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-serial-adapters-greylist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-x22x-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-zte-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-nm-olpc-mesh.rules<br />
read rules file: /usr/lib/udev/rules.d/78-sound-card.rules<br />
read rules file: /etc/udev/rules.d/79-my-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-drivers.rules<br />
read rules file: /usr/lib/udev/rules.d/80-mm-candidate.rules<br />
read rules file: /usr/lib/udev/rules.d/80-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks2.rules<br />
read rules file: /usr/lib/udev/rules.d/85-regulatory.rules<br />
read rules file: /usr/lib/udev/rules.d/85-usbmuxd.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-restore.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-tools-firmware.rules<br />
read rules file: /usr/lib/udev/rules.d/90-pulseaudio.rules<br />
read rules file: /usr/lib/udev/rules.d/91-drm-modeset.rules<br />
read rules file: /usr/lib/udev/rules.d/95-cd-devices.rules<br />
read rules file: /usr/lib/udev/rules.d/95-dm-notify.rules<br />
read rules file: /usr/lib/udev/rules.d/95-udev-late.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-dell.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-fujitsu.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-gateway.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-ibm.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-lenovo.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-toshiba.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-csr.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-hid.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-wup.rules<br />
read rules file: /etc/udev/rules.d/98-kexec.rules<br />
read rules file: /etc/udev/rules.d/99-gpsd.rules<br />
read rules file: /usr/lib/udev/rules.d/99-qemu-guest-agent.rules<br />
read rules file: /usr/lib/udev/rules.d/99-systemd.rules<br />
rules contain 393216 bytes tokens (32768 * 12 bytes), 32346 bytes strings<br />
29283 strings (243715 bytes), 26259 de-duplicated (214394 bytes), 3025 trie nodes used<br />
PROGRAM '/lib/udev/rename_device' /usr/lib/udev/rules.d/60-net.rules:1<br />
starting '/lib/udev/rename_device'<br />
'/lib/udev/rename_device' [2075] exit with return code 0<br />
PROGRAM '/sbin/biosdevname --policy physical -i net0' /usr/lib/udev/rules.d/71-biosdevname.rules:22<br />
starting '/sbin/biosdevname --policy physical -i net0'<br />
'/sbin/biosdevname --policy physical -i net0' [2076] exit with return code 4<br />
IMPORT builtin 'net_id' /usr/lib/udev/rules.d/75-net-description.rules:6<br />
IMPORT builtin 'hwdb' /usr/lib/udev/rules.d/75-net-description.rules:12<br />
NAME 'net0' /etc/udev/rules.d/79-my-net-name-slot.rules:1<br />
RUN '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/$name --prefix=/proc/sys/net/ipv4/neigh/$name --prefix=/proc/sys/net/ipv6/conf/$name --prefix=/proc/sys/net/ipv6/neigh/$name' /usr/lib/udev/rules.d/99-systemd.rules:52<br />
ACTION=add<br />
DEVPATH=/devices/pci0000:00/0000:00:15.0/0000:03:00.0/net/net0<br />
ID_BUS=pci<br />
ID_MM_CANDIDATE=1<br />
ID_MODEL_FROM_DATABASE=VMXNET3 Ethernet Controller<br />
ID_MODEL_ID=0x07b0<br />
ID_NET_LABEL_ONBOARD=enEthernet0<br />
ID_NET_NAME_MAC=enx000c29e2380b<br />
ID_NET_NAME_ONBOARD=eno16777984<br />
ID_NET_NAME_PATH=enp3s0<br />
ID_NET_NAME_SLOT=ens160<br />
ID_OUI_FROM_DATABASE=VMware, Inc.<br />
ID_PCI_CLASS_FROM_DATABASE=Network controller<br />
ID_PCI_SUBCLASS_FROM_DATABASE=Ethernet controller<br />
ID_VENDOR_FROM_DATABASE=VMware<br />
ID_VENDOR_ID=0x15ad<br />
IFINDEX=2<br />
INTERFACE=net0<br />
SUBSYSTEM=net<br />
SYSTEMD_ALIAS=/sys/subsystem/net/devices/net0<br />
TAGS=:systemd:<br />
USEC_INITIALIZED=78468<br />
run: '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/net0 --prefix=/proc/sys/net/ipv4/neigh/net0 --prefix=/proc/sys/net/ipv6/conf/net0 --prefix=/proc/sys/net/ipv6/neigh/net0'<br />
unload module index<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
One can see that the Network Interface device has been changed to: "'''net0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
net0<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The IP Address configuration after the device rename is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
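The rule that "'''nstnetcfg --mode rename'''" generated above is a single '''udev''' line keyed on the MAC Address. As an added example (not part of '''NST''' or the "'''nstnetcfg'''" script), the following shell functions build that same line for any device and apply the checks the two warnings above call for: the new name uses only letters, digits and underscore and fits the kernel's 15-character limit, the name is not already taken by another device, and a locally administered (possibly randomized) MAC is flagged before it is trusted as a stable identifier. The function names are hypothetical; '''SYSFS_NET''' exists so a test can substitute a fake '''/sys/class/net''' tree.<br />

```bash
#!/bin/bash
# Added example (not part of NST or nstnetcfg): build and sanity-check the
# one-line udev rule that pins a stable name to a NIC by its MAC address, in
# the same form nstnetcfg --mode rename writes to
# /etc/udev/rules.d/79-my-net-name-slot.rules. Hypothetical helpers, POSIX sh.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # tests point this at a fake tree

# ifname_valid NAME: the naming advice above (letters, digits and underscore
# only; no hyphens or spaces) plus the kernel's 15-character limit (IFNAMSIZ-1).
ifname_valid() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# mac_valid MAC: six colon-separated hex octets, as printed by 'ip addr show'.
mac_valid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_locally_administered MAC: true when bit 1 of the first octet is set.
# Randomized MACs (the NetworkManager Wi-Fi case in the warning above) are
# locally administered, so such an address may not survive a reboot.
mac_locally_administered() {
    first=${1%%:*}
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# udev_net_rule MAC NAME: print the rule line. The MAC is lower-cased because
# udev compares ATTR{address} against the lower-case value in sysfs.
udev_net_rule() {
    mac_valid "$1" || { echo "udev_net_rule: bad MAC '$1'" >&2; return 2; }
    ifname_valid "$2" || { echo "udev_net_rule: bad interface name '$2'" >&2; return 2; }
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$2"
}

# udev_net_rule_for_dev DEV NAME: read DEV's MAC from sysfs and build the rule,
# refusing a NAME that already exists as a device (the rename would collide at
# boot) and warning when the MAC looks locally administered.
udev_net_rule_for_dev() {
    dev=$1 name=$2
    [ -r "$SYSFS_NET/$dev/address" ] || { echo "no such device: $dev" >&2; return 2; }
    [ ! -e "$SYSFS_NET/$name" ] || { echo "name already in use: $name" >&2; return 1; }
    mac=$(cat "$SYSFS_NET/$dev/address")
    if mac_locally_administered "$mac"; then
        echo "warning: $mac is locally administered (possibly randomized); confirm it is stable across reboots" >&2
    fi
    udev_net_rule "$mac" "$name"
}

# Typical use on an NST system (prints only; redirect into the rules file
# yourself once the output looks right, then reboot as shown above):
#   udev_net_rule_for_dev eno16777984 net0
```

The locally administered check is advisory rather than a hard failure because some virtualization platforms assign locally administered MACs that are perfectly stable; the warning tells you to confirm that before you depend on the rule.<br />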
<br />
&nbsp;<br />
<br />
== '''Managing IPv4 Secondary Addressing''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Secondary Addressing'''. By example we will ''Add'', ''Display'' and ''Remove'' the '''IPv4 Secondary Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" on an '''NST''' system (e.g., '''striker''') using '''IPv4 Network Interface:''' "'''lan0'''". This example is shown in the sections below.<br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
=== '''Adding IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Secondary Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state on '''NST''' system: "'''striker'''" is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the first '''IPv4 Secondary Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.241/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Secondary Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.242/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Secondary Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
=== '''List IPv4 Primary / Secondary Addresses Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to display all '''IPv4 Addresses''' including '''IP Secondary Addresses''' bound to '''Network Interface: "lan0"''' in CIDR notation:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>getipaddr --interface lan0 --ip-secondary --ip-address-cidr --net-int-devices;</div><br />
<pre class="computerOutput"><br />
lan0 10.222.222.111/24<br />
lan0 10.222.222.241/24 secondary<br />
lan0 10.222.222.242/24 secondary<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
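The "'''getipaddr'''" listing above is derived from the same information that "'''ip addr show'''" prints. As an added example (not part of '''NST''', "'''getipaddr'''" or "'''nstnetcfg'''"), the following shell functions parse "'''ip addr show'''" text into that "''device address [secondary]''" form and use it to guard a secondary-address ''add'' so that an address already bound to the interface is not bound a second time. The function names are hypothetical, and the embedded sample output is constructed after the "'''striker'''" listing above rather than captured live; with '''DRY_RUN''' left at its default the guarded add only prints the "'''nstnetcfg'''" command it would run.<br />

```bash
#!/bin/bash
# Added example (not part of NST, getipaddr or nstnetcfg): parse 'ip addr show'
# text into the "DEV CIDR [secondary]" form getipaddr --ip-secondary prints,
# and use it to guard a secondary-address add against binding an address
# twice. Function names are hypothetical; the sample below is constructed
# after the 'striker' listing on this page, not a live capture. POSIX sh.

SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary noprefixroute lan0
       valid_lft forever preferred_lft forever
    inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary noprefixroute lan0
       valid_lft forever preferred_lft forever
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff'

NSTNETCFG="${NSTNETCFG:-/usr/bin/nstnetcfg}"
DRY_RUN="${DRY_RUN:-1}"   # 1: read the sample and print the command; 0: live NST system

# list_ipv4 [DEV]: read 'ip addr show' output on stdin and print one
# "DEV CIDR" line per IPv4 address, with " secondary" appended where the
# kernel flags it so. All devices are listed when DEV is omitted.
list_ipv4() {
    awk -v want="${1:-}" '
        /^[0-9]+: / { split($2, a, ":"); cur = a[1]; next }
        $1 == "inet" && (want == "" || cur == want) {
            tag = ""
            for (i = 3; i <= NF; i++) if ($i == "secondary") tag = " secondary"
            print cur " " $2 tag
        }'
}

# ipv4_bound DEV CIDR: status 0 when CIDR is already bound to DEV (stdin as above)
ipv4_bound() {
    list_ipv4 "$1" | awk -v c="$2" '$2 == c { found = 1 } END { exit found ? 0 : 1 }'
}

current_ipv4_state() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$SAMPLE_IP_ADDR"; else ip addr show; fi
}

# secondary_add_guarded DEV CIDR: add a secondary address through nstnetcfg
# only if it is not bound yet; status 1 and a message on stderr otherwise.
secondary_add_guarded() {
    dev=$1 cidr=$2
    if current_ipv4_state | ipv4_bound "$dev" "$cidr"; then
        echo "skip: $cidr is already bound to $dev" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "$NSTNETCFG -m secondary -i $dev -a $cidr --secondary add -v"
    else
        "$NSTNETCFG" -m secondary -i "$dev" -a "$cidr" --secondary add -v
    fi
}
```

Set '''DRY_RUN=0''' on a real '''NST''' system to have the guard read the live "'''ip addr show'''" output and actually invoke "'''nstnetcfg'''"; the parser is the same one that drives the dry run.<br />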
<br />
=== '''Removing IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Secondary Addresses'''" on an '''NST''' system.<br />
<br />
First, we remove all '''IPv4 Secondary Addresses''' bound to Network Interface: "'''lan0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.241/24"<br />
associated with Network Interface device: "lan0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.242/24"<br />
associated with Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, we display the '''IP Address''' state on '''NST''' system: "'''striker'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br /><br />
<br /><br />
<br />
== '''Managing IPv4 Alias Addresses''' ==<br />
<br />
<div class="centerBlock"><div class="noteMessage">[[Image:Warning.png‎]] '''IPv4 Alias Addressing''' is no longer supported by the script: '''nstnetcfg''' starting with '''NST 30'''.</div></div><br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5663</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Alias Addresses'''. By example we will ''Add'' and ''Remove'' the '''IPv4 Alias Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" on an '''NST''' system using '''IPv4 Alias Network Interfaces:''' "'''p5p1:a1'''" and "'''p5p1:a2'''" respectively. This example is shown in the sections below.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' You cannot manage IPv4 aliases for interfaces which are under NetworkManager control (the interface must be managed by the network service). In addition, you may need to review/update your routing after adding your aliases.</div></div><br />
<br />
<br />
<br />
<br />
<br />
=== '''Adding IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Alias Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system: <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a1'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a1 -a 10.222.222.241/24 -g 10.222.222.1 --host-name probe-a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Network Interface: "p5p1:a1".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a2'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a2 -a 10.222.222.242/24 -g 10.222.222.1 --host-name probe-a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Network Interface: "p5p1:a2".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Alias Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''IPv4 Alias Addresses''' will also be configured in the hosts file "'''/etc/hosts'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>cat /etc/hosts;</div><br />
<pre class="computerOutput"><br />
127.0.0.1 localhost.localdomain localhost<br />
::1 localhost6.localdomain6 localhost6<br />
<br />
10.222.222.10 striker.nst.net striker<br />
10.222.222.141 probe-a1<br />
10.222.222.142 probe-a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' A network configuration file in directory: "'''/etc/sysconfig/network-scripts'''" was created for both '''IPv4 Alias Addresses''' above (i.e., "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a1'''" and "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a2'''"). This will allow the '''IPv4 Alias Address''' configuration to survive a system reboot. </div></div><br />
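The following is an added example, not code from the '''NST''' project, that cross-checks the alias addresses reported by "'''ip addr show'''" against the entries in "'''/etc/hosts'''" so that the two do not drift apart (for example after an alias is re-addressed). The function names and the sample "ip addr show" output and hosts file are constructed for this example.<br />

```bash
#!/usr/bin/env bash
# Added example (not NST project code): cross-check the IPv4 alias addresses
# bound to an interface (as reported by "ip addr show") against the host
# entries that nstnetcfg maintains in /etc/hosts. An alias whose address has
# no /etc/hosts line is reported. The sample command output and hosts file
# below are constructed so the script runs offline; on a live system feed it
# "ip addr show" output and the real /etc/hosts instead.

# Print "<label> <addr>/<prefix>" for every IPv4 address in "ip addr show"
# output read from stdin. The label is the last field of the "inet" line,
# which for an alias is its alias interface name (e.g. "p5p1:a1").
ip_addr_ipv4() {
    awk '$1 == "inet" { print $NF, $2 }'
}

# Print "<label> <addr>" for alias addresses only (labels containing ":").
ip_addr_aliases() {
    ip_addr_ipv4 | awk 'index($1, ":") > 0 { sub(/\/.*/, "", $2); print $1, $2 }'
}

# Report alias addresses that have no entry in the given hosts file.
# Output: "NO-HOSTS-ENTRY <alias-if> <addr>". Returns 0 when every alias
# address is present in the hosts file, 1 otherwise.
check_alias_hosts() {
    local ipaddr="$1" hosts="$2" rc=0 label addr
    while read -r label addr; do
        [ -n "$label" ] || continue
        # Ignore comment lines; the address must be the first field of a line.
        if ! awk -v a="$addr" '$1 !~ /^#/ && $1 == a { found = 1 } END { exit !found }' "$hosts"; then
            echo "NO-HOSTS-ENTRY $label $addr"
            rc=1
        fi
    done <<EOF
$(ip_addr_aliases < "$ipaddr")
EOF
    return $rc
}

# --- Constructed sample data (not captured from a real system) ------------
make_samples() {
    SAMPLE_DIR="$(mktemp -d)"
    trap 'rm -rf "$SAMPLE_DIR"' EXIT
    # Constructed "ip addr show" excerpt: one primary address plus two aliases.
    cat > "$SAMPLE_DIR/ipaddr.txt" <<'EOF'
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1
       valid_lft forever preferred_lft forever
    inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2
       valid_lft forever preferred_lft forever
EOF
    # Constructed hosts file: probe-a1 is current, probe-a2 still has a stale address.
    cat > "$SAMPLE_DIR/hosts" <<'EOF'
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

10.222.222.10 probe.example.net probe
10.222.222.241 probe-a1
10.222.222.142 probe-a2
EOF
}

make_samples
check_alias_hosts "$SAMPLE_DIR/ipaddr.txt" "$SAMPLE_DIR/hosts" \
    || echo "alias addresses and /etc/hosts are out of sync"
```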
<br />
=== '''List All Installed Network Interface Devices Including IP Alias Interfaces Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to list all available network interface devices including '''IP Alias Network Interfaces''' on an '''NST''' system.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
p5p1:a1<br />
p5p1:a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Display all '''IPv4 Addresses''' including '''IP Alias Addresses''' bound to '''Network Interface: "p5p1"''' in CIDR notation:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -i p5p1 -D --ip-alias --ip-network-address-cidr;</div><br />
<pre class="computerOutput"><br />
p5p1 10.222.222.10/24<br />
p5p1:a1 10.222.222.241/24<br />
p5p1:a2 10.222.222.242/24<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
=== '''Removing IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Alias Addresses'''" on an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system with configured '''IPv4 Alias Addresses''': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Interface: "p5p1:a1"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.241" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Interface: "p5p1:a2"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.242" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is shown on our demo '''NST''' system with all '''IPv4 Alias Addresses''' ''removed'': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" also shows that no '''IP Alias Network Interfaces''' are configured on the '''NST''' demo system. <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== '''Promiscuous Mode Control''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 22<br /> SVN: 7000</center>]]''']]<br />
<br />
=== '''Overview''' ===<br />
The '''Promiscuous''' state of a network interface device can be ''manually'' controlled by the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script. Promiscuous mode causes a network interface device to pass every packet it receives up to the host, not only those addressed to it, which is essential for capturing all traffic on the link. One can also use the systemd service: "'''promisc.service'''" for ''automatically'' setting the Promiscuous state ''''On'''' for one or more network interface devices at system boot. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may not be able to set the Promiscuous state ''''Off'''' if another network application like '''[https://wiki.wireshark.org/ wireshark]''' or '''[https://en.wikipedia.org/wiki/Tcpdump tcpdump]''' is active and in capture mode. A counter is kept by each '''Kernel''' network driver module and incremented for each application that requests the Promiscuous mode to be set ''''On'''' for the network interface device. Only after all of these applications have set the Promiscuous state ''''Off'''' can one control the device's Promiscuous mode with the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script.</div></div><br />
<br />
=== '''Manual Mode''' ===<br />
This section will demonstrate how to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode for a network interface using either the interface method or the promiscuous configuration file method. <br />
<br />
==== '''Interface Method''' ====<br />
The current '''Network Interface Devices''' available are shown for demonstration in this section.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lan0<br />
lo<br />
netmon0<br />
netmon1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''On'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscon -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''Off'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscoff -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
==== '''Promiscuous Configuration File Method''' ====<br />
Alternatively, one could add the network interface: "'''netmon0'''" to the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''" using "'''nstnetcfg'''" mode: "'''promisccfg'''" and then control the '''Promiscuous''' state using the following command sequence:<br />
<br />
First, configure the network interface: "'''netmon0'''" in the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promisccfg --promisc add -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon0".<br />
<br />
Adding Network Interface device: "netmon0" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon0";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Setting Promiscuous mode ''''On'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscon -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Setting Promiscuous mode ''''Off'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscoff -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
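The following is an added example, not code from the '''NST''' project, that reads the "'''/etc/nst/promisc.conf'''" format shown above and compares it with the '''PROMISC''' flag in "'''ip link show'''" output. It reports interfaces that are in promiscuous mode without being configured (a capture tool running where none is expected) and configured interfaces that are not promiscuous; the function names and the sample configuration file and command output are constructed for this example.<br />

```bash
#!/usr/bin/env bash
# Added example (not NST project code): audit the promiscuous state of the
# network interfaces against the NST "/etc/nst/promisc.conf" file format
# (PROMISCINTS="netmon0 netmon1";). The sample inputs below are constructed
# so the script runs offline; on a live NST system use the real
# /etc/nst/promisc.conf and the output of "ip link show".

# Extract the space-separated interface list from a promisc.conf-style file.
# Comment lines ("# ...") are ignored and the trailing ";" is dropped; the
# last assignment wins, as it would when the shell sources the file.
promisc_conf_ints() {
    sed -n 's/^[[:space:]]*PROMISCINTS="\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# List the interfaces whose "ip link show" header line (read from stdin)
# carries the PROMISC flag, e.g. "3: netmon0: <BROADCAST,...,PROMISC,UP,...>".
ip_link_promisc_ints() {
    awk '/^[0-9]+: / && $3 ~ /PROMISC/ { sub(/:$/, "", $2); sub(/@.*/, "", $2); print $2 }'
}

# Compare the configured (expected) and kernel (actual) promiscuous interfaces.
# Prints "UNEXPECTED <if>" for promiscuous interfaces missing from the
# configuration and "MISSING <if>" for configured interfaces that are not
# promiscuous. Returns 0 when both sets match, 1 otherwise.
audit_promisc() {
    local conf="$1" iplink="$2" expected actual rc=0 i
    expected="$(promisc_conf_ints "$conf")"
    actual="$(ip_link_promisc_ints < "$iplink" | paste -s -d ' ' -)"
    for i in $actual; do
        case " $expected " in
            *" $i "*) ;;
            *) echo "UNEXPECTED $i"; rc=1 ;;
        esac
    done
    for i in $expected; do
        case " $actual " in
            *" $i "*) ;;
            *) echo "MISSING $i"; rc=1 ;;
        esac
    done
    return $rc
}

# --- Constructed sample data (not captured from a real system) ------------
make_samples() {
    SAMPLE_DIR="$(mktemp -d)"
    trap 'rm -rf "$SAMPLE_DIR"' EXIT
    cat > "$SAMPLE_DIR/promisc.conf" <<'EOF'
#
# Example for Network Interface Adapters: netmon0 and netmon1
# PROMISCINTS="netmon1 netmon2";

PROMISCINTS="netmon0 netmon1";
EOF
    # lan0 is promiscuous but not configured; netmon1 is configured but not promiscuous.
    cat > "$SAMPLE_DIR/iplink.txt" <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: lan0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: netmon0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: netmon1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
EOF
}

make_samples
audit_promisc "$SAMPLE_DIR/promisc.conf" "$SAMPLE_DIR/iplink.txt" \
    || echo "promiscuous state differs from /etc/nst/promisc.conf"
```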
=== '''Automatic At System Boot''' ===<br />
The '''NST''' systemd "'''promisc.service'''" service can be used to ''enable'' the '''Promiscuous''' mode on one or more network interface adapters during a system boot. The content of this service unit is shown below:<br />
<pre class="programListing" style=" word-break: break-word;"><br />
#<br />
# NST: 2015<br />
<br />
[Unit]<br />
Description=Network Interface Promiscuous Mode Control<br />
Documentation=man:nstnetcfg(1)<br />
Documentation=http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22#Promiscuous_Mode_Control<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
ExecStart=/usr/bin/nstnetcfg --mode promiscon<br />
ExecStop=/usr/bin/nstnetcfg --mode promiscoff<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</pre><br />
<br />
One can see the use of the "'''nstnetcfg'''" script for ''starting'' and ''stopping'' the service. Make sure you first use mode: "'''--mode promisccfg'''" to add each network interface on which you want promiscuous mode ''enabled'' at system boot time, and then enable the "'''promisc.service'''" service. Below is an example for network interface device: "'''netmon1'''".<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg -m promisccfg -i netmon1 --promisc add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon1".<br />
<br />
Adding Network Interface device: "netmon1" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon1";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl enable promisc.service;</div><br />
<pre class="computerOutput"><br />
Created symlink from /etc/systemd/system/multi-user.target.wants/promisc.service to /usr/lib/systemd/system/promisc.service.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
</div><br />
<br />
== '''Managing a 'Bonding' Network Interface''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to ''create'' a ''''Bond Master'''' Network Interface device: "'''bond0'''" by aggregating 2 (two) '''NIC''' adapters: "'''p1p1'''" and "'''p1p2'''" into a single interface. Behind the scenes, the Linux bonding driver performs the actual work of creating and managing the bond device.<br />
A bond interface device may be useful when working with a "'''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network Tap]'''". Combining the non-aggregational ports of the TAP back into a single interface allows both '''Transmit''' and '''Receive''' network traffic to be seen by a listening network analysis or monitoring application. <br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example bonding configuration demonstrated in this section. The '''NST WUI Ntopng IPv4 Hosts''' application is performing ''surveillance monitoring'' on the firewall dirty side using the Bonded Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgbonding.png|1024px|center|A NST "'''nstnetcfg'''" Bonding Configuration with Monitoring]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The network traffic monitored on the [http://www.dual-comm.com/etap3105-aggregation-and-non-aggregation-tap.htm Dualcomm ETAP 3105 10/100/1000Base-T Regeneration Network TAP] Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") may be equal to or less than the traffic monitored on the Bonded Network Interface: "'''bond0'''" that is created in this section. If the combined effective data rate on the "'''Slave'''" Network Interfaces: "'''p1p1'''" and "'''p1p2'''" exceeds ''1Gb/sec'', then Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") will start to buffer and eventually lose packets, whereas the Bonded Network Interface: "'''bond0'''" will not.</div></div><br />
<br />
=== '''Network Interface Bond Creation''' ===<br />
First, let's show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''" and "'''p1p2'''" NIC adapters connected to the non-aggregational Network TAP (Ports: "'''4'''" and "'''5'''" respectively) will now be bonded into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". The bond interface is in "'''Stealth'''" mode since it has no '''IPv4 Address''' bound to it.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2 --bonding-opts "mode=0 miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility is now shown after the creation of the "'''bond0'''" device:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link tentative dadfailed <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Notice that the network interfaces: "'''p1p1'''" and "'''p1p2'''" have the "'''SLAVE'''" flag set and the bond network interface: "'''bond0'''" has the "'''MASTER'''" flag set. Network traffic can now be monitored or captured on this new Bonded Virtual Network Interface: "'''bond0'''".<br />
<br />
=== '''Network Interface Bond Removal''' ===<br />
In this section we will remove the bonding network interface: "'''bond0'''" using "'''nstnetcfg'''" mode: "'''rmbonding'''":<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rmbonding --interface bond0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to remove 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Removing the "Linux Bonding Driver" module.<br />
<br />
Removing the 'Bonding Master' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p2" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p2".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2" for Interface: "p1p2".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p1" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p1".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1" for Interface: "p1p1".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
=== '''Binding an IPv4 Address to a 'Bonding' Network Interface''' ===<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to bind an '''IPv4 Address''' to a '''Bonded''' Network Interface. This method can also use one of the available Linux bonding driver modes to increase the ''effective'' bandwidth from the NST system to the network.<br />
<br />
<br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example '''IPv4 Address''' binding to the 'Bonded' Network Interface: "'''bond0'''". A Quad Gigabit NIC Adapter with ports: "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" will be bound together to form a new 'Bonding Master' Virtual Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgipv4bonding.png|1024px|center| Binding an IPv4 Address to a 'Bonded' Network Interface Using "'''nstnetcfg'''"]]<br />
<br />
==== '''Network Interface Bond Creation''' ====<br />
First, let's show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.224.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" NIC LAN ports are now ''bonded'' into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". At this point the bond interface is in "'''Stealth'''" mode with no bound '''IPv4 Address'''.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2,p1p3,p1p4 --bonding-opts "mode=5 miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p3".<br />
Successfully brought 'Down' Network Interface: "p1p3".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p3"<br />
for Network Interface: "p1p3".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p4".<br />
Successfully brought 'Down' Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p4"<br />
for Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The Linux bonding driver is configured for mode: "'''5'''" - '''Adaptive Transmit Load Balancing'''. This mode creates a channel bond that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each "'''Slave'''" Interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the '''MAC Address''' of the failed receiving slave.<br />
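Because a slave failure in this mode is handled silently by the driver (the bond stays '''UP''' on the remaining ports), it is worth reading the driver's own status report rather than trusting "'''ip addr'''" output alone. The '''Bash''' script below is an added example, not part of "'''nstnetcfg'''" or the NST distribution: it parses "'''/proc/net/bonding/bond0'''" (the Linux bonding driver's status file) and reports the mode, the currently active slave and any slave that is down or has recorded link failures. The status report embedded in the script is a constructed sample for a mode 5 bond whose second slave has lost link; pass a bond name on the command line to read the live file instead.<br />
<br />
```bash
#!/bin/bash
# Added example, not part of nstnetcfg or the NST wiki: read the Linux bonding
# driver's status report (/proc/net/bonding/<bond>) and decide whether the bond
# is healthy, i.e. the master reports "MII Status: up" and every slave is up
# with no link failures recorded.
#
# Assumptions: a bonding driver with miimon enabled (nstnetcfg passes
# "miimon=100" in the page above); the sample report below is constructed and
# describes a mode 5 (transmit load balancing) bond whose second slave is down.

SAMPLE_REPORT='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: transmit load balancing
Primary Slave: None
Currently Active Slave: p1p1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: p1p1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: a0:36:9f:00:71:52
Slave queue ID: 0

Slave Interface: p1p2
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: a0:36:9f:00:71:53
Slave queue ID: 0'

# bond_mode REPORT: print the driver's mode string, e.g. "transmit load balancing".
bond_mode() {
    printf '%s\n' "$1" | awk -F': ' '/^Bonding Mode:/ { print $2; exit }'
}

# bond_active_slave REPORT: print the slave that currently receives traffic
# (the driver reports this line for the active-backup, TLB and ALB modes).
bond_active_slave() {
    printf '%s\n' "$1" | awk -F': ' '/^Currently Active Slave:/ { print $2; exit }'
}

# bond_slaves REPORT: print one "NAME STATUS FAILURES" line per slave. The
# first "MII Status:" line belongs to the master and is skipped (name unset).
bond_slaves() {
    printf '%s\n' "$1" | awk -F': ' '
        /^Slave Interface:/    { name = $2 }
        /^MII Status:/ && name { status = $2 }
        /^Link Failure Count:/ { print name, status, $2 }'
}

# bond_healthy REPORT: return 0 if the master and all slaves are up with zero
# link failures; otherwise print each problem and return 1.
bond_healthy() {
    local report="$1" problems=0 master name status failures
    master="$(printf '%s\n' "$report" | awk -F': ' '/^MII Status:/ { print $2; exit }')"
    if [ "$master" != "up" ]; then
        echo "master: MII status is '${master:-missing}'"
        problems=$((problems + 1))
    fi
    while read -r name status failures; do
        [ -n "$name" ] || continue
        if [ "$status" != "up" ] || [ "$failures" -ne 0 ]; then
            echo "slave $name: MII status $status, link failures $failures"
            problems=$((problems + 1))
        fi
    done <<EOF
$(bond_slaves "$report")
EOF
    [ "$problems" -eq 0 ]
}

# Live system: "./bondcheck.sh bond0"; with no argument the constructed sample is used.
if [ -n "${1:-}" ] && [ -r "/proc/net/bonding/$1" ]; then
    REPORT="$(cat "/proc/net/bonding/$1")"
else
    REPORT="$SAMPLE_REPORT"
fi
echo "mode: $(bond_mode "$REPORT"), active slave: $(bond_active_slave "$REPORT")"
bond_slaves "$REPORT"
bond_healthy "$REPORT" && echo "bond healthy" || echo "bond DEGRADED"
```
<br />
On the constructed sample the script reports the mode and active slave, lists "'''p1p1 up 0'''" and "'''p1p2 down 3'''", and exits through the "'''bond DEGRADED'''" branch; a cron job or monitoring agent can call "'''bond_healthy'''" and alert on its non-zero return.<br />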
<br />
==== '''IPv4 Address Binding to the Bond Interface''' ====<br />
Next, the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" utility is used to ''bind'' the IPv4 Address: "'''172.18.1.11'''" to the 'Bonding Master' Virtual Network Interface: "'''bond0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode ipv4 --interface bond0 -a 172.18.1.11/24 -g 10.224.1.1 --hosts-file-only --host-name striker-bond -v;</div><br />
<pre class="computerOutput"><br />
Configuring a static IPv4 Address: "172.18.1.11/24" for 'Bonding Master' Network Interface: "bond0".<br />
<br />
Attempting to bring 'Down' Bonding Master Network Interface: "bond0".<br />
Successfully brought 'Down' Bonding Master Network Interface: "bond0".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-bond0" for Network Interface: "bond0".<br />
<br />
Updating the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Bonding Master Network Interface: "bond0" in 5 seconds.<br />
Successfully brought 'Up' Bonding Master Network Interface: "bond0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the network configuration is now shown using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" utility with IPv4 Address: "'''172.18.1.11'''" bound to the 'Bonding Master' Virtual Network Interface: "'''bond0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.224.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
12: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet 172.18.1.11/24 brd 172.18.1.255 scope global bond0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div></div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22&diff=9750HowTo Setup A Server With Multiple Network Interface Adapters Using: "nstnetcfg"2022-12-14T01:29:26Z<p>Rwh: /* Stealth Configured Interfaces */</p>
<hr />
<div>__TOC__<br />
= '''Overview''' =<br />
<br />
This page demonstrates how to set up networking on an NST server that is configured with ''multiple'' network interface adapters for performing ''simultaneous'' network computing surveillance tasks. The NST command line tool: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" was designed to make this task easy to accomplish using the underlying "'''NetworkManager'''" service via the '''nmcli''' utility.<br />
<br />
The diagram below will be used as a reference for setting up a multi-network interface adapter server using '''NST'''. The rear panel of a '''1U Server''' is shown with NIC attachments to the network infrastructure. The network security staff for fictitious company: "'''TxyCorp'''" would like to use NST for monitoring different network segments throughout their network. In particular, they would like to monitor traffic entering and leaving their corporation, web server traffic, all client electronic business transactions and remote traffic to and from their satellite offices. They will use a combination of '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) ports and a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network TAP]''' to expose network traffic on these segments. <br />
<br />
When booting up "'''[http://sourceforge.net/projects/nst/ NST Live]'''" or after a hard disk installation, the "'''[http://projects.gnome.org/NetworkManager/ Network Manager]'''" service is on by default for managing all network interfaces found on an NST system. '''Network Manager''' provides a quick and easy method for setting up networking on a system equipped with a wireless interface that uses '''DHCP''' for '''IPv4 Address '''configuration. When a system is configured with two or more wired network interfaces or requires a multi-homed network setup, the "'''nstnetcfg'''" script may be a better choice for setting up the network configuration.<br />
<br />
The '''nstnetcfg''' utility scripts many of the error-prone steps that are needed when setting up networking on an NST (Linux) system using the "'''NetworkManager'''" service.<br />
<br />
[[Image:Nstnetcfgserver.png|1024px|center|A Multi-Network Interface Adapter NST Server Configuration]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The "'''Sys Admin Network'''" is an out-of-band network for the management of enterprise servers within this network infrastructure. The "'''[http://en.wikipedia.org/wiki/Out-of-band_management ILOM]'''" (Integrated Lights Out Management) network interface (i.e., "'''NetMgt'''") and the "'''Serial Console'''" device (i.e., "'''ttyS0'''") are shown for completeness and are not used by "'''nstnetcfg'''".</div></div><br />
<br />
= '''Network Interface Setup Configuration Information''' =<br />
<br />
In this section we will identify each network interface and how it should be setup using the '''1U Server''' configuration illustrated in the reference diagram above. Network parameters such as the '''Subnet Mask''', '''Host Name(s)''', '''Domain Name Servers''', '''Domain Name''', '''Gateway''' and '''Default Interface''' will also be identified. The table below depicts values that will be used by the '''nstnetcfg''' script.<br />
<br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Interface / Parameter<br />
! align="center" style="background-color: lightgray;" |Configuration Values<br />
! align="center" style="background-color: lightgray;" |NetworkManager<br />Service<br />
|-<br />
|em0<br />
|IPv4 Address: '''172.30.1.16''', Network Routing Prefix: '''24''', Host Name: '''nstsurv1-mon''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em1<br />
|IPv4 Address: '''10.221.5.14''', Network Routing Prefix: '''16''', Host Name: '''nstsurv1''', Gateway: '''10.221.1.1'''<br />
|managed<br />
|-<br />
|em2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|em3<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p2p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p4p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p1<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|p6p2<br />
|IPv4 Address: '''stealth'''<br />
|unmanaged<br />
|-<br />
|Domain Name Servers<br />
|'''10.221.1.10''', '''10.221.1.11'''<br />
|N/A<br />
|-<br />
|Domain Name<br />
|'''txycorp.com'''<br />
|N/A<br />
|-<br />
|Virtual Host (ssl.conf)<br />
|'''*:443'''<br />
|N/A<br />
|-<br />
|Server Name (ssl.conf)<br />
|'''nstsurv1.txycorp.com:443'''<br />
|N/A<br />
|-<br />
|}<br />
<br />
&nbsp;<br />
<br />
= '''Network Interface Configuration: nstnetcfg''' =<br />
<br />
The NST script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" will now be used for setting up networking on this server. This script will ''enable'' the "'''NetworkManager'''" service when setting up a static '''IPv4 Address''' (''--mode ipv4''). The "'''NetworkManager'''" service will also be ''enabled'' at boot time. Use the sequence of '''nstnetcfg''' invocations below to ''serve'' as an example for setting up networking on your particular server with NST. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The reader is encouraged to review the man page for "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" as reference material prior to its use. One can also use the "'''--verbose'''" output parameter for greater visibility on the progress of '''nstnetcfg''' during its configuration stages.<br />
<br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''', because the "'''IPv4 Addressing'''" for this NST system will most likely change and a remote (e.g., '''SSH''') session to the system would be disconnected part way through the configuration.<br />
</div></div><br />
<br />
== '''Initialize All Network Interfaces''' ==<br />
<br />
The '''nstnetcfg''' mode: "'''init'''" puts the networking setup in a known ''initialized'' state. The "'''NetworkManager'''" service will be ''enabled'', and all network adapters and their associated configuration files will be set to a default initialization state with no layer 3 address bound. The "'''LoopBack'''" interface device is never ''removed''; it is ''reset'' to its factory default state by this mode. The '''[http://en.wikipedia.org/wiki/Name_Service_Switch Name Service Switch]''' configuration file: "'''/etc/nsswitch.conf'''" will have its '''hosts''' entry set to: "'''files dns'''". It is best practice to run this mode first, ''prior'' to setting up networking, so that any ''lingering'' "'''NetworkManager'''" configuration files will <u>Not</u> interfere with the '''nstnetcfg''' operation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode init;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Static IPv4 Configured Interfaces''' ==<br />
<br />
The example NST server shown above uses a "'''Multi-Home'''" configuration with network interface devices: "'''em0'''" and "'''em1'''" set with static '''IPv4 Addresses:''' '''172.30.1.16''' and '''10.221.5.14''' respectively.<br />
<br />
=== '''Interface: em1''' ===<br />
<br />
The "'''em1'''" interface device is network attached to the "'''TxyCorp'''" Intranet. This network provides name services and external access to the Internet. The "'''Host Name'''", "'''Domain Name'''", "'''Name Servers'''" and "'''Gateway'''" values are set accordingly. A host name entry for "'''nstsurv1'''" will be added to the '''Hosts''' file: "'''/etc/hosts'''", and the system host name will be set to: "'''nstsurv1'''". A "'''16'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used. The configuration for this interface is shown below.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em0''' ===<br />
<br />
The "'''em0'''" network interface is connected to the "'''Security Network'''" for performing network surveillance tasks using the "'''NST WUI'''" and the large collection of NST network security applications and tools. The "'''--hosts-file-only'''" setting is used so that only the '''Hosts''' file: "'''/etc/hosts'''" will be updated with a host name entry for: "'''nstsurv1-mon'''". Note that there is <u>No</u> "'''--gateway'''" parameter used with this interface because there is only one default gateway (i.e., "'''10.221.1.1'''", reached via "'''em1'''") for this '''Multi-Home''' example configuration. It is not necessary to again set the system "'''Host Name'''", "'''Domain Name'''" and "'''Name Servers'''" values since these were specified in the configuration for network interface "'''em1'''". A "'''24'''" network routing prefix ('''[http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR]''' - Format) will be used.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon --hosts-file-only;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Network Manager Ignore Certain Devices - Unmanaged''' ==<br />
See this reference on how to configure NetworkManager to ignore certain devices: "'''[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/configuring-networkmanager-to-ignore-certain-devices_configuring-and-managing-networking Configuring NetworkManager to ignore certain devices]'''"<br />
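The reference above describes the "'''unmanaged-devices'''" key of "'''NetworkManager.conf'''". As an added example that is not part of "'''nstnetcfg'''" or the NST distribution, the '''Bash''' script below generates a "'''[keyfile]'''" drop-in listing the eight sensor interfaces of this server and checks the state column of "'''nmcli device'''" to confirm that "'''NetworkManager'''" really reports each of them as "'''unmanaged'''" (an interface that '''NetworkManager''' still manages may be given a '''DHCP''' lease or brought down, which would either expose or silence a monitoring port). The drop-in file name "'''/etc/NetworkManager/conf.d/99-nst-sensors-unmanaged.conf'''" and the embedded "'''nmcli'''" output are assumptions made for this example.<br />
<br />
```bash
#!/bin/bash
# Added example, not part of nstnetcfg or the NST wiki: generate the
# NetworkManager drop-in that keeps the sensor interfaces unmanaged, and check
# "nmcli device" output to confirm NetworkManager is actually leaving them
# alone.
#
# Assumptions: NetworkManager reads /etc/NetworkManager/conf.d/*.conf and
# honours the "unmanaged-devices" key documented in NetworkManager.conf(5);
# the drop-in file name and the sample nmcli output below are constructed.

SENSORS="em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2"
CONF_FILE="/etc/NetworkManager/conf.d/99-nst-sensors-unmanaged.conf"

# unmanaged_conf IFACE...: print a [keyfile] section naming each interface as
# an "interface-name:" match, joined with ";" as NetworkManager expects.
unmanaged_conf() {
    local list="" ifn
    for ifn in "$@"; do
        list="${list:+$list;}interface-name:${ifn}"
    done
    printf '[keyfile]\nunmanaged-devices=%s\n' "$list"
}

# Constructed sample of "nmcli -t -f DEVICE,STATE device" (terse, colon separated):
# p2p1 is still managed and therefore fails the check below.
SAMPLE_NMCLI='em0:connected
em1:connected
em2:unmanaged
em3:unmanaged
p2p1:disconnected
lo:unmanaged'

# device_state NMCLI_OUTPUT IFACE: print the state nmcli reports for IFACE,
# or "missing" when nmcli does not list it (the interface does not exist).
device_state() {
    printf '%s\n' "$1" | awk -F: -v ifn="$2" \
        '$1 == ifn { print $2; found = 1; exit } END { if (!found) print "missing" }'
}

# check_unmanaged NMCLI_OUTPUT IFACE...: return 0 only if every interface is
# reported as "unmanaged"; print the offenders and return 1 otherwise.
check_unmanaged() {
    local out="$1" bad=0 ifn state
    shift
    for ifn in "$@"; do
        state="$(device_state "$out" "$ifn")"
        if [ "$state" != "unmanaged" ]; then
            echo "$ifn: NetworkManager state is '$state', expected 'unmanaged'"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

case "${1:-}" in
    --apply)   # write the drop-in and make NetworkManager re-read its configuration
        unmanaged_conf $SENSORS > "$CONF_FILE"
        systemctl reload NetworkManager
        ;;
    --check)   # query the running system
        check_unmanaged "$(nmcli -t -f DEVICE,STATE device)" $SENSORS && echo "all sensors unmanaged"
        ;;
    *)         # offline demonstration on the constructed sample
        unmanaged_conf $SENSORS
        check_unmanaged "$SAMPLE_NMCLI" em2 em3 p2p1 || echo "fix the offenders before monitoring"
        ;;
esac
```
<br />
Run it with "'''--apply'''" once to install the drop-in, and with "'''--check'''" after every reboot or '''NetworkManager''' upgrade; "'''nstnetcfg --mode stealth'''" also marks the interface unmanaged, so the check is a guard against configuration drift rather than a replacement for it.<br />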
<br />
== '''Stealth Configured Interfaces''' ==<br />
<br />
The "'''Stealth'''" network interfaces (i.e., An interface in the "'''UP'''" state with <u>No</u> binding '''IPv4 Address''') will now be configured. These interfaces are strategically network attached throughout the network infrastructure for surveillance monitoring.<br />
<br />
=== '''Interface: em2''' ===<br />
<br />
This network interface: "'''em2'''" is used to monitor the Transmit Data: "'''TxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' ('''T'''est '''A'''ccess '''P'''oint) for all traffic ''leaving'' (egress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: em3''' ===<br />
<br />
This network interface: "'''em3'''" is used to monitor the Receive Data: "'''RxD'''" port on a '''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Network TAP]''' for all traffic ''entering'' (ingress) the "'''TxyCorp'''" corporation at the '''Firewall Dirty Side'''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface em3;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p1''' ===<br />
<br />
This network interface: "'''p2p1'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' ('''S'''witched '''P'''ort '''A'''nalyzer) port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p2p2''' ===<br />
<br />
This network interface: "'''p2p2'''" is used to monitor specific "'''Web Server'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p2p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p1''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p1'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p4p2''' ===<br />
<br />
This '''[https://en.wikipedia.org/wiki/10-gigabit_Ethernet 10 Gigabit Ethernet]''' network interface: "'''p4p2'''" is used to monitor specific "'''Business Transaction'''" data packets on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p4p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p1''' ===<br />
<br />
This network interface: "'''p6p1'''" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p1;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Interface: p6p2''' ===<br />
<br />
This network interface: "'''p6p2'''" is used to monitor specific "'''Remote Office'''" traffic on a '''[http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#backinfo SPAN]''' port.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode stealth --interface p6p2;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Stealth Interface Combo Setting Command''' ===<br />
<br />
The command below is a compact way of using a '''[https://en.wikipedia.org/wiki/Bash_(Unix_shell) Bash]''' "''for loop''" statement to configure all "'''Stealth'''" interfaces in one command line invocation.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2; do nstnetcfg --mode stealth --interface ${i}; done</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
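A "'''Stealth'''" interface is only silent while nothing binds an address to it. Linux adds an '''IPv6''' link-local ("'''fe80::'''") address to any interface it brings '''UP''', and a sensor port attached to a segment with a '''DHCP''' server can pick up a lease if it is ever managed again; either way the sensor starts answering on the segment it is supposed to watch passively. The '''Bash''' script below is an added example, not part of "'''nstnetcfg'''" or the NST distribution: it parses the one-record-per-line output of "'''ip -o link show'''" and "'''ip -o addr show'''" and reports any interface that is missing, not '''UP''', or has an '''IPv4''' or '''IPv6''' address bound. The embedded "'''ip'''" output and MAC addresses are constructed samples; run it with "'''--live em2 em3 ...'''" to check the running system. To remove the link-local address from a sensor port, set "'''net.ipv6.conf.IFACE.disable_ipv6=1'''" with "'''sysctl'''".<br />
<br />
```bash
#!/bin/bash
# Added example, not part of nstnetcfg or the NST wiki: verify that each
# "Stealth" sensor interface really is UP and has no IPv4 or IPv6 address
# bound, by parsing "ip -o link show" and "ip -o addr show" (one record per line).
#
# Assumptions: iproute2; the MAC addresses and both sample outputs below are
# constructed. Run with "--live IFACE..." to query the running system instead.

# Constructed sample of "ip -o link show": p2p1 is administratively DOWN.
SAMPLE_LINKS='2: em0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:50 brd ff:ff:ff:ff:ff:ff
3: em2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:52 brd ff:ff:ff:ff:ff:ff
4: em3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:53 brd ff:ff:ff:ff:ff:ff
5: p2p1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:60 brd ff:ff:ff:ff:ff:ff'

# Constructed sample of "ip -o addr show": em0 is the managed interface, em3
# has quietly acquired an IPv6 link-local address, em2 has nothing bound.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: em0    inet 172.30.1.16/24 brd 172.30.1.255 scope global em0\       valid_lft forever preferred_lft forever
2: em0    inet6 fe80::211:22ff:fe33:4450/64 scope link \       valid_lft forever preferred_lft forever
4: em3    inet6 fe80::211:22ff:fe33:4453/64 scope link \       valid_lft forever preferred_lft forever'

# link_flags LINKS IFACE: print the flag list, e.g. "BROADCAST,MULTICAST,UP,LOWER_UP",
# or nothing if the interface is not listed.
link_flags() {
    printf '%s\n' "$1" | awk -v ifn="$2" '$2 == (ifn ":") { gsub(/[<>]/, "", $3); print $3; exit }'
}

# addr_count ADDRS IFACE: number of inet/inet6 addresses bound to IFACE.
addr_count() {
    printf '%s\n' "$1" | awk -v ifn="$2" '$2 == ifn && ($3 == "inet" || $3 == "inet6") { n++ } END { print n + 0 }'
}

# check_stealth LINKS ADDRS IFACE: return 0 if IFACE exists, is administratively
# UP and has no address bound; print the reason and return 1 otherwise.
check_stealth() {
    local links="$1" addrs="$2" ifn="$3" flags n
    flags="$(link_flags "$links" "$ifn")"
    if [ -z "$flags" ]; then
        echo "$ifn: interface not found"; return 1
    fi
    case ",$flags," in
        *,UP,*) ;;
        *) echo "$ifn: not UP (flags: $flags)"; return 1 ;;
    esac
    n="$(addr_count "$addrs" "$ifn")"
    if [ "$n" -ne 0 ]; then
        echo "$ifn: $n address(es) bound, not stealth"; return 1
    fi
    echo "$ifn: OK (UP, no addresses)"
}

# run_checks LINKS ADDRS IFACE...: check every interface, return 1 if any fails.
run_checks() {
    local links="$1" addrs="$2" bad=0 ifn
    shift 2
    for ifn in "$@"; do
        check_stealth "$links" "$addrs" "$ifn" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then
    shift
    run_checks "$(ip -o link show)" "$(ip -o addr show)" "$@"
else
    run_checks "$SAMPLE_LINKS" "$SAMPLE_ADDRS" em2 em3 p2p1 || echo "one or more sensor interfaces are not stealth"
fi
```
<br />
On the constructed sample "'''em2'''" passes, "'''em3'''" fails because of its link-local address and "'''p2p1'''" fails because it is '''DOWN'''; the same three outcomes are what to look for after running the "''for loop''" above on a real server.<br />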
<br />
== '''Apache SSL Configuration For Proper HTTPS NST WUI Access''' ==<br />
<br />
If the "'''IPv4 Address'''" on an NST system is changed, the '''[http://httpd.apache.org/ Apache Web Server]''' '''[http://en.wikipedia.org/wiki/Secure_Sockets_Layer SSL]''' configuration file: "'''/etc/httpd/conf.d/ssl.conf'''" needs to be modified for proper '''[http://en.wikipedia.org/wiki/HTTP_Secure HTTPS]''' ''access'' to the "'''NST WUI'''". The following "'''nstnetcfg'''" command uses the "'''ssl'''" mode to allow all hosts "'''HTTPS'''" access to the "'''NST WUI'''" using '''Server Name:''' "'''nstsurv1.txycorp.com'''". A new "'''SSL'''" certificate and key file will also be ''generated''.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode ssl --interface em1 --virtual-host *:443 --server-name nstsurv1.txycorp.com:443;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Using A Bash Script With "nstnetcfg"''' ==<br />
It may be better to use a '''[http://en.wikipedia.org/wiki/Bash Bash]''' script given the numerous invocations of "'''nstnetcfg'''" with this '''NST''' network configuration setup. A good location to store your script would be in directory: "'''/etc/nst'''". This will allow one to ''easily'' make changes to your network configuration by editing the script and running it. An example script below is shown for: "'''/etc/nst/net_cfg.sh"''' using the above invocations of "'''nstnetcfg'''". One can copy and paste this script as a starter template file for your usage.<br />
<br />
<pre class="programListing"><br />
#!/bin/bash<br />
<br />
#<br />
# Script: "net_cfg.sh"<br />
<br />
#<br />
# Description: Helper script for setting up the configuration of network interfaces<br />
# on Server: "nstsurv1" using: "nstnetcfg".<br />
<br />
#<br />
# Short Usage: "nstnetcfg"<br />
#<br />
# nstnetcfg [-m|--mode TEXT] [-i|--interface DEVICE]<br />
# [-a|--ipv4-addr-prefix IPv4ADDR/PREFIX] [-g|--gateway IPv4ADDR]<br />
# [--mac-addr MACADDR] [--host-name TEXT] [--domain-name TEXT]<br />
# [--name-servers IPv4ADDRLIST] [--hosts-file-only [true]|false]<br />
# [--virtual-host TEXT] [--server-name TEXT]<br />
# [-h|--help [true]|false] [-H|--help-long [true]|false]<br />
# [-v|--verbose [true]|false] [--version [true]|false]<br />
#<br />
# Available Modes: ipv4, dhcp, ssl, stealth, netmgr, rmint, init, show<br />
<br />
#<br />
# Uncomment to enable verbosity <br />
#VERBOSE=" --verbose";<br />
<br />
#<br />
# Network Interface: Initialization<br />
/usr/bin/nstnetcfg --mode init${VERBOSE};<br />
<br />
#<br />
# Network Interface: em1<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 \<br />
--host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11"${VERBOSE};<br />
<br />
#<br />
# Network Interface: em0<br />
/usr/bin/nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon \<br />
--hosts-file-only${VERBOSE}; <br />
<br />
#<br />
# Network Interface: em2<br />
/usr/bin/nstnetcfg --mode stealth --interface em2${VERBOSE};<br />
<br />
#<br />
# Network Interface: em3<br />
/usr/bin/nstnetcfg --mode stealth --interface em3${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p2p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p2p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p4p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p4p2${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p1<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p1${VERBOSE};<br />
<br />
#<br />
# Network Interface: p6p2<br />
/usr/bin/nstnetcfg --mode stealth --interface p6p2${VERBOSE};<br />
<br />
#<br />
# Uncomment to use a Stealth Interface Combo Setting in place of the<br />
# individual "--mode stealth" invocations above<br />
#for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2;<br />
#  do /usr/bin/nstnetcfg --mode stealth --interface "${i}"${VERBOSE};<br />
#done<br />
<br />
#<br />
# Apache SSL Configuration<br />
/usr/bin/nstnetcfg --mode ssl --interface em1 --virtual-host *:443 --server-name nstsurv1.txycorp.com:443${VERBOSE};<br />
</pre><br />
<br />
=== '''Script Invocation''' ===<br />
<br />
Make sure the script has its '''execute''' permissions set:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>chmod +x "/etc/nst/net_cfg.sh";</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Execute the script:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/etc/nst/net_cfg.sh;</div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''List All Installed Network Interface Devices Using: "getipaddr"''' ==<br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can be used to list all available network interface devices on an '''NST''' system.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lo<br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Virtual' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --virtual;</div><br />
<pre class="computerOutput"><br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''List All 'Physical' Installed Network Interface Devices Using: "getipaddr"''' ===<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D --physical;</div><br />
<pre class="computerOutput"><br />
em0<br />
em1<br />
em2<br />
em3<br />
p2p1<br />
p2p2<br />
p4p1<br />
p4p2<br />
p6p1<br />
p6p2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
== '''Renaming A Network Interface Device''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to rename a '''Network Interface Device''' thus providing a predictable Network Interface Name that is stable and available after each successive system reboot. In this section we will demonstrate how to ''rename'' a network interface device from: "'''eno16777984'''" to: "'''net0'''" using the "'''nstnetcfg'''" utility. This utility's '''rename''' mode generates a '''udev''' rules file that is used by '''[http://en.wikipedia.org/wiki/Systemd systemd/udev]''' at system boot time to automatically assign the predictable, stable network interface name for local Ethernet, WLAN and/or WWAN network interfaces.<br />
<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
&nbsp;<br />
<br />
<br />
The current Network Interface Devices available are shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
eno16777984<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The current IP Address configuration:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''nstnetcfg'''" utility will now be used to ''rename'' the network interface device from: "'''eno16777984'''" to: "'''net0'''". Notice the creation and content of the generated custom '''udev''' network rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''"<br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] The "'''nstnetcfg'''" script should only be run on a '''Serial Console''' or a '''Desktop Terminal''' when changing the name of the '''Primary''' Network Interface Device. Otherwise, network connectivity may be lost if remotely connected to this NST system while performing this task.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] Try to use simple network device names (e.g. '''net0''', '''netfw''', '''Net_DMZ''' or '''NetRt1'''). Avoid using '''hyphen''' (''''-'''') or '''space''' ('&nbsp;') characters in the new network interface device name. Instead, use the '''underscore''' (''''_'''') character or '''CamelCase''' for separation clarity in your device naming convention.<br />
</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage"><br />
[[Image:Warning.png‎]] By default, the NetworkManager service randomizes Wifi MAC Addresses. If this is in effect, using "'''nstnetcfg'''" to rename a Wifi Network Interface will fail, because the generated '''udev''' rule matches on the interface's MAC Address. One can disable this NetworkManager feature with a configuration directive: create a file in directory: "'''/etc/NetworkManager/conf.d'''" containing the "'''wifi.scan-rand-mac-address=no'''" directive. Below is an example file to ''disable'' Wifi MAC Address randomizing by the NetworkManager service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span>cat /etc/NetworkManager/conf.d/wifi-static-mac.conf</div><br />
<pre class="computerOutput"><br />
[device]<br />
wifi.scan-rand-mac-address=no<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@E6440 ~]# </span></div><br />
</div><br />
</div></div><br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rename --rename net0 --interface eno16777984 --verbose;</div><br />
<pre class="computerOutput"><br />
<br />
Generating a new/updated custom 'udev' network rules file: "/etc/udev/rules.d/79-my-net-name-slot.rules":<br />
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:0c:29:e2:38:0b", NAME="net0"<br />
<br />
Renaming Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-eno16777984" to "/etc/sysconfig/network-scripts/ifcfg-net0"<br />
<br />
Labeling Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-net0" - NAME="net0"<br />
<br />
The Network Interface Device rename from: "eno16777984" to "net0" will take effect on the next system reboot.<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Now perform a system reboot:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
<pre class="computerOutput"><br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
After a system '''Reboot''', the "'''nstnetcfg'''" utility's '''testudev''' mode (which internally uses the '''[http://linux.die.net/man/8/udevadm udevadm]''' tool) is run to verify that the ''generated'' '''udev''' rules file: "'''/etc/udev/rules.d/79-my-net-name-slot.rules'''" is read and that its '''NAME''' assignment is applied to the interface.<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode testudev --interface net0 --verbose;</div><br />
<pre class="computerOutput"><br />
/bin/udevadm test "/sys/class/net/net0";<br />
calling: test<br />
version 208<br />
This program is for debugging only, it does not run any program<br />
specified by a RUN key. It may show incorrect results, because<br />
some values may be different, or not available at a simulation run.<br />
<br />
=== trie on-disk ===<br />
tool version: 208<br />
file size: 5882628 bytes<br />
header size 80 bytes<br />
strings 1299372 bytes<br />
nodes 4583176 bytes<br />
load module index<br />
read rules file: /usr/lib/udev/rules.d/10-dm.rules<br />
read rules file: /usr/lib/udev/rules.d/11-dm-lvm.rules<br />
read rules file: /usr/lib/udev/rules.d/13-dm-disk.rules<br />
read rules file: /usr/lib/udev/rules.d/40-libgphoto2.rules<br />
IMPORT found builtin 'usb_id --export %%p', replacing /usr/lib/udev/rules.d/40-libgphoto2.rules:11<br />
read rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules<br />
read rules file: /usr/lib/udev/rules.d/42-usb-hid-pm.rules<br />
read rules file: /usr/lib/udev/rules.d/50-udev-default.rules<br />
read rules file: /usr/lib/udev/rules.d/56-hpmud.rules<br />
read rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules<br />
read rules file: /usr/lib/udev/rules.d/60-drm.rules<br />
read rules file: /usr/lib/udev/rules.d/60-ffado.rules<br />
read rules file: /usr/lib/udev/rules.d/60-fprint-autosuspend.rules<br />
read rules file: /usr/lib/udev/rules.d/60-keyboard.rules<br />
read rules file: /usr/lib/udev/rules.d/60-net.rules<br />
read rules file: /usr/lib/udev/rules.d/60-pcmcia.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-input.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-serial.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules<br />
read rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules<br />
read rules file: /usr/lib/udev/rules.d/60-raw.rules<br />
read rules file: /usr/lib/udev/rules.d/61-accelerometer.rules<br />
read rules file: /usr/lib/udev/rules.d/62-multipath.rules<br />
read rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules<br />
read rules file: /usr/lib/udev/rules.d/64-btrfs.rules<br />
read rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules<br />
read rules file: /usr/lib/udev/rules.d/65-libwacom.rules<br />
read rules file: /usr/lib/udev/rules.d/65-md-incremental.rules<br />
read rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules<br />
read rules file: /usr/lib/udev/rules.d/69-dm-lvm-metad.rules<br />
read rules file: /usr/lib/udev/rules.d/69-libmtp.rules<br />
read rules file: /usr/lib/udev/rules.d/69-pilot-link.rules<br />
read rules file: /usr/lib/udev/rules.d/69-xorg-vmmouse.rules<br />
read rules file: /usr/lib/udev/rules.d/70-power-switch.rules<br />
read rules file: /usr/lib/udev/rules.d/70-printers.rules<br />
read rules file: /usr/lib/udev/rules.d/70-spice-vdagentd.rules<br />
read rules file: /usr/lib/udev/rules.d/70-touchpad-quirks.rules<br />
read rules file: /usr/lib/udev/rules.d/70-uaccess.rules<br />
read rules file: /usr/lib/udev/rules.d/70-wacom.rules<br />
read rules file: /usr/lib/udev/rules.d/71-biosdevname.rules<br />
read rules file: /usr/lib/udev/rules.d/71-seat.rules<br />
read rules file: /usr/lib/udev/rules.d/73-seat-late.rules<br />
read rules file: /usr/lib/udev/rules.d/75-net-description.rules<br />
read rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules<br />
read rules file: /usr/lib/udev/rules.d/75-tty-description.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-ericsson-mbm.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-huawei-net-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-longcheer-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-nokia-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-pcmcia-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-platform-serial-whitelist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-simtech-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-telit-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-device-blacklist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-usb-serial-adapters-greylist.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-x22x-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-mm-zte-port-types.rules<br />
read rules file: /usr/lib/udev/rules.d/77-nm-olpc-mesh.rules<br />
read rules file: /usr/lib/udev/rules.d/78-sound-card.rules<br />
read rules file: /etc/udev/rules.d/79-my-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-drivers.rules<br />
read rules file: /usr/lib/udev/rules.d/80-mm-candidate.rules<br />
read rules file: /usr/lib/udev/rules.d/80-net-name-slot.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks.rules<br />
read rules file: /usr/lib/udev/rules.d/80-udisks2.rules<br />
read rules file: /usr/lib/udev/rules.d/85-regulatory.rules<br />
read rules file: /usr/lib/udev/rules.d/85-usbmuxd.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-restore.rules<br />
read rules file: /usr/lib/udev/rules.d/90-alsa-tools-firmware.rules<br />
read rules file: /usr/lib/udev/rules.d/90-pulseaudio.rules<br />
read rules file: /usr/lib/udev/rules.d/91-drm-modeset.rules<br />
read rules file: /usr/lib/udev/rules.d/95-cd-devices.rules<br />
read rules file: /usr/lib/udev/rules.d/95-dm-notify.rules<br />
read rules file: /usr/lib/udev/rules.d/95-udev-late.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-dell.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-fujitsu.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-gateway.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-ibm.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-lenovo.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-toshiba.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-csr.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-hid.rules<br />
read rules file: /usr/lib/udev/rules.d/95-upower-wup.rules<br />
read rules file: /etc/udev/rules.d/98-kexec.rules<br />
read rules file: /etc/udev/rules.d/99-gpsd.rules<br />
read rules file: /usr/lib/udev/rules.d/99-qemu-guest-agent.rules<br />
read rules file: /usr/lib/udev/rules.d/99-systemd.rules<br />
rules contain 393216 bytes tokens (32768 * 12 bytes), 32346 bytes strings<br />
29283 strings (243715 bytes), 26259 de-duplicated (214394 bytes), 3025 trie nodes used<br />
PROGRAM '/lib/udev/rename_device' /usr/lib/udev/rules.d/60-net.rules:1<br />
starting '/lib/udev/rename_device'<br />
'/lib/udev/rename_device' [2075] exit with return code 0<br />
PROGRAM '/sbin/biosdevname --policy physical -i net0' /usr/lib/udev/rules.d/71-biosdevname.rules:22<br />
starting '/sbin/biosdevname --policy physical -i net0'<br />
'/sbin/biosdevname --policy physical -i net0' [2076] exit with return code 4<br />
IMPORT builtin 'net_id' /usr/lib/udev/rules.d/75-net-description.rules:6<br />
IMPORT builtin 'hwdb' /usr/lib/udev/rules.d/75-net-description.rules:12<br />
NAME 'net0' /etc/udev/rules.d/79-my-net-name-slot.rules:1<br />
RUN '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/$name --prefix=/proc/sys/net/ipv4/neigh/$name --prefix=/proc/sys/net/ipv6/conf/$name --prefix=/proc/sys/net/ipv6/neigh/$name' /usr/lib/udev/rules.d/99-systemd.rules:52<br />
ACTION=add<br />
DEVPATH=/devices/pci0000:00/0000:00:15.0/0000:03:00.0/net/net0<br />
ID_BUS=pci<br />
ID_MM_CANDIDATE=1<br />
ID_MODEL_FROM_DATABASE=VMXNET3 Ethernet Controller<br />
ID_MODEL_ID=0x07b0<br />
ID_NET_LABEL_ONBOARD=enEthernet0<br />
ID_NET_NAME_MAC=enx000c29e2380b<br />
ID_NET_NAME_ONBOARD=eno16777984<br />
ID_NET_NAME_PATH=enp3s0<br />
ID_NET_NAME_SLOT=ens160<br />
ID_OUI_FROM_DATABASE=VMware, Inc.<br />
ID_PCI_CLASS_FROM_DATABASE=Network controller<br />
ID_PCI_SUBCLASS_FROM_DATABASE=Ethernet controller<br />
ID_VENDOR_FROM_DATABASE=VMware<br />
ID_VENDOR_ID=0x15ad<br />
IFINDEX=2<br />
INTERFACE=net0<br />
SUBSYSTEM=net<br />
SYSTEMD_ALIAS=/sys/subsystem/net/devices/net0<br />
TAGS=:systemd:<br />
USEC_INITIALIZED=78468<br />
run: '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/net0 --prefix=/proc/sys/net/ipv4/neigh/net0 --prefix=/proc/sys/net/ipv6/conf/net0 --prefix=/proc/sys/net/ipv6/neigh/net0'<br />
unload module index<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
One can see that the Network Interface device has been changed to: "'''net0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
net0<br />
lo<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The IP Address configuration after the device rename is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0<br />
valid_lft 75211sec preferred_lft 75211sec<br />
inet6 fe80::20c:29ff:fee2:380b/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
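<br />
The rule that "'''nstnetcfg --mode rename'''" generates above keys on the device's MAC Address, which is why the three warnings in this section matter in practice. The following '''bash''' fragment is an added example, not code from '''NST''' or the '''nstnetcfg''' script: it builds the same one-line '''udev''' rule after validating the new name (no hyphens or spaces, at most 15 characters) and refusing a MAC Address that looks randomized. The function names and the locally-administered-bit heuristic are this example's own assumptions; the rules file path is the one shown above.<br />

```shell
#!/bin/bash
# Added example, not part of NST or the nstnetcfg script: build the kind of udev
# rename rule that "nstnetcfg --mode rename" writes, after checking the inputs that
# the warnings above call out (a simple device name, and a MAC address that is not a
# randomized one). All function names here are this example's own.

# Validate a candidate interface name: 1 to 15 characters (the kernel's IFNAMSIZ
# limit), letters, digits and underscores only; hyphens and spaces are rejected.
valid_ifname() {
    local name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Validate a MAC address of the form xx:xx:xx:xx:xx:xx (hex digits, either case).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Heuristic (an assumption of this example, not something the page states):
# randomized MAC addresses such as NetworkManager's Wi-Fi scan addresses carry the
# "locally administered" bit (bit 1 of the first octet). A rule keyed on such an
# address would stop matching once randomization is disabled, so refuse it.
# Returns 0 if the bit is set.
mac_is_locally_administered() {
    local first
    first=$((0x${1%%:*}))
    [ $((first & 2)) -ne 0 ]
}

# Emit the one-line rule in the form shown in the nstnetcfg output above:
#   ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="<mac>", NAME="<name>"
# The MAC is lower-cased because sysfs reports it that way and udev matches the
# attribute string literally.
gen_udev_rename_rule() {
    local mac="$1" name="$2"
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    valid_ifname "$name" || { echo "invalid interface name: $name" >&2; return 1; }
    if mac_is_locally_administered "$mac"; then
        echo "refusing $mac: locally administered bit set (randomized address?)" >&2
        return 1
    fi
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    printf 'ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$name"
}

# Live-system wrapper (not exercised by the checks): read the device's MAC from sysfs
# and write the rule to the same file nstnetcfg uses (path taken from the page).
# As with nstnetcfg, the rename only takes effect on the next reboot.
write_rename_rule() {
    local dev="$1" name="$2" mac rule
    local rules="/etc/udev/rules.d/79-my-net-name-slot.rules"
    mac=$(cat "/sys/class/net/$dev/address") || return 1
    rule=$(gen_udev_rename_rule "$mac" "$name") || return 1
    printf '%s\n' "$rule" > "$rules"
    echo "wrote $rules: $dev -> $name (effective after reboot)"
}
```

On a live system, '''write_rename_rule eno16777984 net0''' produces the same file content as the '''nstnetcfg''' run shown above; '''--mode testudev''' can then be used to confirm the rule is picked up.<br />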
<br />
&nbsp;<br />
<br />
== '''Managing IPv4 Secondary Addressing''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 30<br /> SVN: 11210</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Secondary Addressing'''. By example we will ''Add'', ''Display'' and ''Remove'' '''IPv4 Secondary Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" on an '''NST''' system (e.g., '''striker''') using '''IPv4 Network Interface:''' "'''lan0'''". This example is shown in the sections below.<br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
<br /><br />
=== '''Adding IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Secondary Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state on '''NST''' system: "'''striker'''" is shown:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the first '''IPv4 Secondary Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.241/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Secondary Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Network Interface:''' "'''lan0'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "add" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'bound' IPv4 secondary Address: "10.222.222.242/24"<br />
to Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Secondary Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
=== '''List IPv4 Primary / Secondary Addresses Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to display all '''IPv4 Addresses''' including '''IP Secondary Addresses''' bound to '''Network Interface: "lan0"''' in CIDR notation:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>getipaddr --interface lan0 --ip-secondary --ip-address-cidr --net-int-devices;</div><br />
<pre class="computerOutput"><br />
lan0 10.222.222.111/24<br />
lan0 10.222.222.241/24 secondary<br />
lan0 10.222.222.242/24 secondary<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
=== '''Removing IPv4 Secondary Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Secondary Addresses'''" on an '''NST''' system.<br />
<br />
First, we remove all '''IPv4 Secondary Addresses''' bound to Network Interface: "'''lan0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.241/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.241/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.241/24"<br />
associated with Network Interface device: "lan0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>nstnetcfg -m secondary -i lan0 -a 10.222.222.242/24 --secondary remove -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using IPv4 secondary Address binding operation mode: "remove" with<br />
Network Interface device: "lan0" for IPv4 Address: "10.222.222.242/24".<br />
<br />
Attempting to 'connect' device: "lan0" using nmcli.<br />
Device 'lan0' successfully activated with 'ed61d84c-2f87-4cba-bb2a-42bbd7c7b998'.<br />
<br />
Successfully 'unbound' the IPv4 secondary Address: "10.222.222.242/24"<br />
associated with Network Interface device: "lan0".<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
<br />
Finally, we display the '''IP Address''' state on '''NST''' system: "'''striker'''" with both '''IPv4 Secondary Addresses''' removed:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span>ip a;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global noprefixroute lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::94cd:ea04:55fe:ee9a/64 scope link noprefixroute <br />
valid_lft forever preferred_lft forever<br />
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: netmon1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@striker ~]# </span></div><br />
</div><br />
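<br />
The following '''bash''' fragment is an added example, not code from '''NST''' or the '''getipaddr''' script: it parses "'''ip addr show'''" output into the per-interface CIDR listing shown above (primary first, secondaries flagged) so one can verify that an '''IPv4 Secondary Address''' was actually bound or unbound after an '''nstnetcfg''' "'''add'''" or "'''remove'''". The sample output embedded in it is constructed after the "'''striker'''" listing above, and the function names are this example's own.<br />

```shell
#!/bin/bash
# Added example (not NST code): parse "ip addr show" output and list each
# interface's IPv4 addresses in CIDR notation, flagging secondaries, the way the
# page's "getipaddr --ip-secondary --ip-address-cidr --net-int-devices" listing
# does. Intended as a post-change check after "nstnetcfg -m secondary ... add/remove".

# Constructed sample modelled on the page's output for host "striker" after the two
# secondary addresses were added (not a capture from a real system).
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.111/24 brd 10.222.222.255 scope global noprefixroute lan0
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary noprefixroute lan0
       valid_lft forever preferred_lft forever
    inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary noprefixroute lan0
       valid_lft forever preferred_lft forever
3: netmon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff'

# list_ipv4 [interface]  (reads "ip addr show" output on stdin)
# Prints "<dev> <cidr>" or "<dev> <cidr> secondary" for every IPv4 address, in the
# order the kernel lists them (primary first). The device name is taken from the
# "N: name:" header line, with any "@parent" suffix dropped, rather than from the
# trailing label on the inet line, since that label can be an alias label.
list_ipv4() {
    awk -v want="$1" '
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev); next }
        $1 == "inet" && (want == "" || dev == want) {
            line = dev " " $2
            for (i = 3; i <= NF; i++) if ($i == "secondary") line = line " secondary"
            print line
        }'
}

# secondaries_of <interface>  (stdin as above): just the secondary CIDRs, one per line.
secondaries_of() {
    list_ipv4 "$1" | awk '$3 == "secondary" { print $2 }'
}

# has_secondary <interface> <cidr>  (stdin as above): exit 0 if bound, 1 otherwise.
# Useful right after "nstnetcfg -m secondary ... add" (expect 0) or "remove" (expect 1).
has_secondary() {
    secondaries_of "$1" | grep -qxF "$2"
}
```

On a live system, pipe the real output in: '''ip addr show | list_ipv4 lan0''', or '''ip addr show | has_secondary lan0 10.222.222.241/24 && echo bound'''.<br />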
<br /><br />
<br /><br />
<br />
== '''Managing IPv4 Alias Addresses''' ==<br />
<br />
<div class="centerBlock"><div class="noteMessage">[[Image:Warning.png‎]] '''IPv4 Alias Addressing''' is no longer supported by the '''nstnetcfg''' script starting with '''NST 30'''.</div></div><br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5663</center>]]''']]The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" can also be used to ''Create'' and ''Delete'' (i.e., ''Manage'') '''IPv4 Alias Addresses'''. By example we will ''Add'' and ''Remove'' '''IPv4 Alias Addresses:''' "'''10.222.222.241/24'''" and "'''10.222.222.242/24'''" on an '''NST''' system using '''IPv4 Alias Network Interfaces:''' "'''p5p1:a1'''" and "'''p5p1:a2'''" respectively. This example is shown in the sections below.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' You cannot manage IPv4 aliases for interfaces which are under NetworkManager control (the interface must be managed by the network service). In addition, you may need to review/update your routing after adding your aliases.</div></div><br />
<br />
<br />
<br />
<br />
<br />
=== '''Adding IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''add'' "'''IPv4 Alias Addresses'''" to an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system: <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a1'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a1 -a 10.222.222.241/24 -g 10.222.222.1 --host-name probe-a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Network Interface: "p5p1:a1".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" using the '''Gateway:''' "'''10.222.222.1'''" and '''Host Name:''' "'''probe-a2'''" is now ''added'' to the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m ipv4 -i p5p1:a2 -a 10.222.222.242/24 -g 10.222.222.1 --host-name probe-a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Network Interface: "p5p1:a2".<br />
<br />
Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is now shown with the two (2) '''IPv4 Alias Addresses''' added:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''IPv4 Alias Addresses''' will also be added to the hosts file "'''/etc/hosts'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>cat /etc/hosts;</div><br />
<pre class="computerOutput"><br />
127.0.0.1 localhost.localdomain localhost<br />
::1 localhost6.localdomain6 localhost6<br />
<br />
10.222.222.10 striker.nst.net striker<br />
10.222.222.141 probe-a1<br />
10.222.222.142 probe-a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' A network configuration file in directory: "'''/etc/sysconfig/network-scripts'''" was created for both '''IPv4 Alias Addresses''' above (i.e., "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a1'''" and "'''/etc/sysconfig/network-scripts/ifcfg-p5p1:a2'''"). This will allow the '''IPv4 Alias Address''' configuration to survive a system reboot. </div></div><br />
<br />
=== '''List All Installed Network Interface Devices Including IP Alias Interfaces Using: "getipaddr"''' ===<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" can also be used to list all available network interface devices including '''IP Alias Network Interfaces''' on an '''NST''' system.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
p5p1:a1<br />
p5p1:a2<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Display all '''IPv4 Addresses''' including '''IP Alias Addresses''' bound to '''Network Interface: "p5p1"''' in CIDR notation:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -i p5p1 -D --ip-alias --ip-network-address-cidr;</div><br />
<pre class="computerOutput"><br />
p5p1 10.222.222.10/24<br />
p5p1:a1 10.222.222.241/24<br />
p5p1:a2 10.222.222.242/24<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
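After adding alias addresses it is worth confirming that what "'''getipaddr'''" reports and what "'''nstnetcfg'''" wrote to "'''/etc/hosts'''" agree, since a stale or mistyped hosts entry silently sends traffic for the alias host name to the wrong address. The following shell fragment is an added example and is not part of this wiki page or of the '''NST''' scripts; both inputs are constructed samples (the hosts entry for "probe-a2" is deliberately wrong), and on a live '''NST''' system the two arguments would be the output of "getipaddr -i p5p1 -D --ip-alias --ip-network-address-cidr" and the content of "/etc/hosts".<br />

```shell
#!/bin/sh
# Added example (not part of the NST wiki page or the NST scripts): cross-check
# the IPv4 Alias Addresses reported by getipaddr against the entries that
# nstnetcfg wrote to /etc/hosts.
#
# Live usage (assumed invocation, see the getipaddr documentation):
#   alias_hosts_check "$(getipaddr -i p5p1 -D --ip-alias --ip-network-address-cidr)" "$(cat /etc/hosts)"

# Constructed sample of getipaddr CIDR output: "<interface> <address>/<prefix>".
SAMPLE_GETIPADDR='p5p1 10.222.222.10/24
p5p1:a1 10.222.222.241/24
p5p1:a2 10.222.222.242/24'

# Constructed sample /etc/hosts: the probe-a2 entry deliberately points at a
# stale address so that the check has something to report.
SAMPLE_HOSTS='127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

10.222.222.10 striker.nst.net striker
10.222.222.241 probe-a1
10.222.222.142 probe-a2'

# alias_hosts_check GETIPADDR_OUTPUT HOSTS_CONTENT
# Prints "<alias-if> <address> OK|MISSING" for every IP Alias interface (the
# ones whose name contains ":") and returns 0 only when every alias address
# appears in the first column of the hosts file.
alias_hosts_check() {
  printf '%s\n' "$1" | awk -v hosts="$2" '
    BEGIN {
      # Index every address found in column one of the hosts content,
      # skipping blank lines and comments.
      n = split(hosts, lines, "\n")
      for (i = 1; i <= n; i++) {
        if (lines[i] ~ /^[ \t]*(#|$)/) continue
        gsub(/^[ \t]+/, "", lines[i])
        split(lines[i], f, /[ \t]+/)
        present[f[1]] = 1
      }
      bad = 0
    }
    # Only alias interfaces receive a hosts entry from nstnetcfg.
    $1 ~ /:/ {
      addr = $2
      sub(/\/.*/, "", addr)          # strip the CIDR prefix length
      if (addr in present) print $1, addr, "OK"
      else { print $1, addr, "MISSING"; bad = 1 }
    }
    END { exit bad }'
}
```

A non-zero exit status from the function flags the mismatch, so it can be used directly as a post-change check in a provisioning script.<br />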
<br />
<br />
=== '''Removing IPv4 Alias Addresses''' ===<br />
In this section we will show how the '''nstnetcfg''' script can be used to ''remove'' "'''IPv4 Alias Addresses'''" on an '''NST''' system.<br />
<br />
First, the current '''IP Address''' state is shown on our demo '''NST''' system with configured '''IPv4 Alias Addresses''': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1<br />
valid_lft forever preferred_lft forever<br />
inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Next, the first '''IPv4 Alias Address:''' "'''10.222.222.241/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a1'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a1 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Interface: "p5p1:a1"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.241" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Next, the second '''IPv4 Alias Address:''' "'''10.222.222.242/24'''" bound to '''IPv4 Alias Network Interface:''' "'''p5p1:a2'''" is now ''removed'' from the '''NST''' system:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m rmint -i p5p1:a2 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Interface: "p5p1:a2"<br />
<br />
Clean all IPv4 Address entries: "10.222.222.242" in Hosts file: "/etc/hosts".<br />
<br />
Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:<br />
Successfully brought 'Up' Network Interface: "p5p1".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the '''IP Address''' state is shown on our demo '''NST''' system with all '''IPv4 Alias Addresses''' ''removed'': <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/getipaddr.html getipaddr]'''" also shows that no '''IP Alias Network Interfaces''' are configured on the '''NST''' demo system. <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>getipaddr -D --ip-alias;</div><br />
<pre class="computerOutput"><br />
lo<br />
p1p1<br />
p1p2<br />
p5p1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== '''Promiscuous Mode Control''' ==<br />
<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 22<br /> SVN: 7000</center>]]''']]<br />
<br />
=== '''Overview''' ===<br />
The '''Promiscuous''' state of a network interface device can be ''manually'' controlled by the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script. Promiscuous mode allows a network interface device to intercept and read each network packet that arrives in its entirety, which is essential for capturing all traffic received. One can also use the systemd service: "'''promisc.service'''" for ''automatically'' setting the Promiscuous state ''''On'''' for one or more network interface devices at system boot. <br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may not be able to set the Promiscuous state ''''Off'''' if another network application like '''[https://wiki.wireshark.org/ wireshark]''' or '''[https://en.wikipedia.org/wiki/Tcpdump tcpdump]''' is active and in capture mode. A counter is used by each '''Kernel''' network driver module and incremented for each application that requests the Promiscuous mode to be set ''''On'''' for the network interface device. Not until all of these applications have set the Promiscuous state ''''Off'''' can one control the device's Promiscuous mode with the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script.</div></div><br />
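The kernel counter described in the note is visible in the "promiscuity" field of "ip -d link show", which makes it possible to tell the difference between "nobody holds promiscuous mode", "only one holder" and "several holders" before attempting to set the state ''''Off''''. The same field supports a defensive check: any interface in promiscuous mode that is not listed in the '''PROMISCINTS''' value of "'''/etc/nst/promisc.conf'''" deserves a look. The following shell fragment is an added example, not code from this wiki page or from the '''NST''' scripts; the "ip -d link show" output it parses is a constructed sample, and on a live system the first argument would be "$(ip -d link show)".<br />

```shell
#!/bin/sh
# Added example (not part of the NST wiki page or of nstnetcfg): read the kernel
# promiscuity counter for each interface from `ip -d link show` output. Every
# application that requests promiscuous mode (tcpdump, wireshark, nstnetcfg
# --mode promiscon) increments that counter; the PROMISC flag only clears when
# it returns to zero.
#
# Live usage (assumed): promisc_report "$(ip -d link show)"

# Constructed sample of `ip -d link show` output (not captured from a real host).
# netmon0 is held by two capture applications, netmon1 by one, lan0 by none.
SAMPLE_IP_D_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9000 addrgenmode eui64 numtxqueues 1 numrxqueues 1
3: netmon0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff promiscuity 2 minmtu 68 maxmtu 9000 addrgenmode eui64 numtxqueues 8 numrxqueues 8
4: netmon1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000 addrgenmode eui64 numtxqueues 8 numrxqueues 8'

# promisc_report IP_D_LINK_OUTPUT: print "<ifname> <promiscuity>" per interface.
promisc_report() {
  printf '%s\n' "$1" | awk '
    # Interface header line: remember the name, minus the trailing ":" and any "@peer".
    /^[0-9]+: / { ifname = $2; sub(/:$/, "", ifname); sub(/@.*/, "", ifname) }
    # Detail line: the token after "promiscuity" is the kernel counter.
    {
      for (i = 1; i < NF; i++)
        if ($i == "promiscuity") print ifname, $(i + 1)
    }'
}

# promisc_count IP_D_LINK_OUTPUT IFNAME: print the counter, or -1 if unknown.
promisc_count() {
  promisc_report "$1" | awk -v want="$2" '
    $1 == want { print $2; found = 1 }
    END { if (!found) print "-1" }'
}

# promisc_is_on IP_D_LINK_OUTPUT IFNAME: succeed when at least one holder exists.
promisc_is_on() {
  n=$(promisc_count "$1" "$2")
  [ "$n" -gt 0 ]
}

# promisc_unexpected IP_D_LINK_OUTPUT ALLOWED: print interfaces in promiscuous
# mode that are not in the space-separated ALLOWED list, e.g. the PROMISCINTS
# value from /etc/nst/promisc.conf.
promisc_unexpected() {
  promisc_report "$1" | awk -v allowed=" $2 " '
    $2 > 0 && index(allowed, " " $1 " ") == 0 { print $1 }'
}
```

A counter above one after "nstnetcfg --mode promiscoff" means another capture application still holds the device, which is exactly the situation the note describes.<br />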
<br />
=== '''Manual Mode''' ===<br />
This section will demonstrate how to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode for a network interface using either the interface method or the promiscuous configuration file method. <br />
<br />
==== '''Interface Method''' ====<br />
The current '''Network Interface Devices''' available are shown for demonstration in this section.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/getipaddr -D;</div><br />
<pre class="computerOutput"><br />
lan0<br />
lo<br />
netmon0<br />
netmon1<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''On'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscon -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
How to use the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" script to ''manually'' set the '''Promiscuous''' mode of network interface: "'''netmon0'''" to the ''''Off'''' state:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg --mode promiscoff -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
==== '''Promiscuous Configuration File Method''' ====<br />
Alternatively, one could add the network interface: "'''netmon0'''" to the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''" using "'''nstnetcfg'''" mode: "'''promisccfg'''" and then control the '''Promiscuous''' state using the following command sequence:<br />
<br />
First configure the network Interface: "'''netmon0'''" in the '''NST''' promiscuous configuration file: "'''/etc/nst/promisc.conf'''"<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promisccfg --promisc add -i netmon0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon0".<br />
<br />
Adding Network Interface device: "netmon0" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon0";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Setting Promiscuous mode ''''On'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''"<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscon -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'On' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'On':<br />
/sbin/ip link set promisc on netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
<br />
Setting Promiscuous mode ''''Off'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''"<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscoff -v;</div><br />
<pre class="computerOutput"><br />
<br />
Found Network Interface(s): "netmon0" in promiscuous configuration file: "/etc/nst/promisc.conf"<br />
<br />
Setting the Promiscuous state 'Off' for Network Interface: "netmon0".<br />
<br />
First make sure the Network Interface: "netmon0" is up:<br />
/sbin/ip link set up netmon0;<br />
<br />
Next set the Promiscuous state: 'Off':<br />
/sbin/ip link set promisc off netmon0;<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
=== '''Automatic At System Boot''' ===<br />
The '''NST''' systemd "'''promisc.service'''" service can be used to ''enable'' the '''Promiscuous''' mode on one or more network interface adapters during a system boot. The content of this service unit is shown below:<br />
<pre class="programListing" style=" word-break: break-word;"><br />
#<br />
# NST: 2015<br />
<br />
[Unit]<br />
Description=Network Interface Promiscuous Mode Control<br />
Documentation=man:nstnetcfg(1)<br />
Documentation=http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Setup_A_Server_With_Multiple_Network_Interface_Adapters_Using:_%22nstnetcfg%22#Promiscuous_Mode_Control<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
ExecStart=/usr/bin/nstnetcfg --mode promiscon<br />
ExecStop=/usr/bin/nstnetcfg --mode promiscoff<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</pre><br />
<br />
One can see the use of the "'''nstnetcfg'''" script for ''starting'' and ''stopping'' the service. Before enabling the service, use mode: "'''--mode promisccfg'''" to add each network interface for which the promiscuous mode should be ''enabled'' at system boot time to the promiscuous configuration file. Then enable the "'''promisc.service'''" service. Below is an example for network interface device: "'''netmon1'''".<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg -m promisccfg -i netmon1 --promisc add -v;</div><br />
<pre class="computerOutput"><br />
<br />
Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon1".<br />
<br />
Adding Network Interface device: "netmon1" to the Promiscuous configuration file.<br />
<br />
Updated Promiscuous configuration file: "/etc/nst/promisc.conf".<br />
<br />
Content of Promiscuous configuration file: "/etc/nst/promisc.conf"<br />
==================================================================<br />
#<br />
# NST: 2015<br />
#<br />
# Configuration file for a list Network Interface Adapters<br />
# that can have their promiscuous mode enabled or disabled<br />
# by the NST Script: "nstnetcfg".<br />
#<br />
# Typically the NST script: "nstnetcfg" modes:<br />
# 'promiscon, promiscoff or promisccfg' use or configure this file.<br />
# Use a space character as the delimiter when multiple interfaces<br />
# are specificied.<br />
<br />
#<br />
# Example for Network Interface Adapters: netmon0 and netmon1<br />
# PROMISCINTS="netmon1 netmon2";<br />
<br />
PROMISCINTS="netmon1";<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl enable promisc.service;</div><br />
<pre class="computerOutput"><br />
Created symlink from /etc/systemd/system/multi-user.target.wants/promisc.service to /usr/lib/systemd/system/promisc.service.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/systemctl reboot;</div><br />
</div><br />
<br />
== '''Managing a 'Bonding' Network Interface''' ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to ''create'' a ''''Bond Master'''' Network Interface device: "'''bond0'''" by aggregating 2 (two) '''NIC''' adapters: "'''p1p1'''" and "'''p1p2'''" into a single interface. Behind the scenes, the Linux bonding driver performs the actual work of creating and managing the bond device.<br />
A bond interface device may be useful when working with a "'''[http://www.networksecuritytoolkit.org/nstpro/order/dualcomm-singletap-nst-combo.html#usecase4 Non-Aggregational Network Tap]'''". Combining the non-aggregational ports of the TAP back into a single interface allows both '''Transmit''' and '''Receive''' network traffic to be seen by a listening network analysis or monitoring application. <br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example bonding configuration demonstrated in this section. The '''NST WUI Ntopng IPv4 Hosts''' application is performing ''surveillance monitoring'' on the firewall dirty side using the Bonded Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgbonding.png|1024px|center|A NST "'''nstnetcfg'''" Bonding Configuration with Monitoring]]<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' The network traffic monitored on the [http://www.dual-comm.com/etap3105-aggregation-and-non-aggregation-tap.htm Dualcomm ETAP 3105 10/100/1000Base-T Regeneration Network TAP] Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") may be equal to or less than the traffic monitored on the Bonded Network Interface: "'''bond0'''" that is created in this section. If the combined effective data rate on the "'''Slave'''" Network Interfaces: "'''p1p1'''" and "'''p1p2'''" exceeds ''1Gb/sec'', then Aggregational Port: "'''3'''" (NST Probe Port: "'''p5p1'''") will start to buffer and eventually lose packets, whereas the Bonded Network Interface: "'''bond0'''" will not.</div></div><br />
<br />
=== '''Network Interface Bond Creation''' ===<br />
First let's show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''" and "'''p1p2'''" NIC adapters connected to the non-aggregational Network TAP (Ports: "'''4'''" and "'''5'''" respectively) will now be bonded into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". The bond interface is now in "'''Stealth'''" mode since it has no binding '''IPv4 Address'''.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2 --bonding-opts "mode=0 miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility is now shown after the creation of the "'''bond0'''" device:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff<br />
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link tentative dadfailed <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Notice that the network interfaces: "'''p1p1'''" and "'''p1p2'''" have the "'''SLAVE'''" flag set and the bond network interface: "'''bond0'''" has the "'''MASTER'''" flag set. Network traffic can now be monitored or captured on this new Bonded Virtual Network Interface: "'''bond0'''".<br />
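Because a monitoring application listening on "'''bond0'''" only sees what the enslaved ports deliver, it is useful to verify the '''MASTER''' and '''SLAVE''' relationship automatically rather than by eye, for example from a health check that runs after boot. The following shell fragment is an added example and is not code from this wiki page or from the '''NST''' scripts; it parses the one-line-per-interface form of the "ip" utility ("ip -o link show"), the sample output is constructed to match the interfaces shown above, and on a live system the first argument would be "$(ip -o link show)".<br />

```shell
#!/bin/sh
# Added example (not part of the NST wiki page or of nstnetcfg): verify from
# `ip -o link show` output that a bond master carries the MASTER flag and that
# exactly the expected slave interfaces carry the SLAVE flag and reference it
# through "master <bond>".
#
# Live usage (assumed): bond_check "$(ip -o link show)" bond0 "p1p1 p1p2"

# Constructed sample of `ip -o link show` output, modelled on the interfaces
# in this section (not captured from a real host).
SAMPLE_IP_O_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP mode DEFAULT group default qlen 1000\    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP mode DEFAULT group default qlen 1000\    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000\    link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff'

# bond_slaves IP_O_LINK_OUTPUT BOND: print the interfaces that carry the SLAVE
# flag and name BOND as their master, one per line.
bond_slaves() {
  printf '%s\n' "$1" | awk -v bond="$2" '
    /^[0-9]+: / {
      name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
      if ($3 !~ /[<,]SLAVE[,>]/) next
      for (i = 4; i < NF; i++)
        if ($i == "master" && $(i + 1) == bond) print name
    }'
}

# bond_master_ok IP_O_LINK_OUTPUT BOND: succeed when BOND exists, has the
# MASTER flag and reports "state UP".
bond_master_ok() {
  printf '%s\n' "$1" | awk -v bond="$2" '
    /^[0-9]+: / {
      name = $2; sub(/:$/, "", name)
      if (name == bond && $3 ~ /[<,]MASTER[,>]/ && $0 ~ / state UP /) ok = 1
    }
    END { exit !ok }'
}

# bond_check IP_O_LINK_OUTPUT BOND "SLAVE1 SLAVE2 ...": succeed only when the
# master is healthy and the actual slave set equals the expected one.
bond_check() {
  bond_master_ok "$1" "$2" || return 1
  actual=$(bond_slaves "$1" "$2" | sort | tr '\n' ' ')
  expected=$(printf '%s\n' $3 | sort | tr '\n' ' ')   # $3 unquoted: split on spaces
  [ "$actual" = "$expected" ]
}
```

The check deliberately fails on an extra slave as well as on a missing one: a port that was enslaved by mistake feeds traffic into the monitored stream that the analyst does not expect.<br />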
<br />
=== '''Network Interface Bond Removal''' ===<br />
In this section we will remove the bonding network interface: "'''bond0'''" using "'''nstnetcfg'''" mode: "'''rmbonding'''":<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode rmbonding --interface bond0 -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to remove 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Removing the "Linux Bonding Driver" module.<br />
<br />
Removing the 'Bonding Master' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p2" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p2".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p2".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2" for Interface: "p1p2".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1".<br />
<br />
Attempting to 'Initialize' Network Interface: "p1p1" to a 'Unmanaged' state.<br />
<br />
Attempting to bring 'Down' Bonding Slave Network Interface: "p1p1".<br />
Successfully brought 'Down' Bonding Slave Network Interface: "p1p1".<br />
<br />
Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1" for Interface: "p1p1".<br />
<br />
Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
&nbsp;<br />
<br />
=== '''Binding an IPv4 Address to a 'Bonding' Network Interface''' ===<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 20<br /> SVN: 5765</center>]]''']]In this section we will use "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" to bind an '''IPv4 Address''' to a '''Bonded''' Network Interface. This method can also use one of the available Linux bonding driver modes to increase the ''effective'' bandwidth from the NST system to the network.<br />
<br />
<br />
<br />
<br />
<br />
<br />
&nbsp;<br />
<br />
The network diagram shown below will be used for the example '''IPv4 Address''' binding to the 'Bonded' Network Interface: "'''bond0'''". A Quad Gigabit NIC Adapter with ports: "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" will be bound together to form a new 'Bonding Master' Virtual Network Interface: "'''bond0'''".<br />
<br />
[[Image:Nstnetcfgipv4bonding.png|1024px|center| Binding an IPv4 Address to a 'Bonded' Network Interface Using "'''nstnetcfg'''"]]<br />
<br />
==== '''Network Interface Bond Creation''' ====<br />
First, let's show the current network configuration using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" network utility:<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.224.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The "'''p1p1'''", "'''p1p2'''", "'''p1p3'''" and "'''p1p4'''" NIC LAN ports are now ''bonded'' into a single interface: "'''bond0'''" using '''nstnetcfg''' mode: "'''bonding'''". At this point the bond interface is in "'''Stealth'''" mode with no '''IPv4 Address''' bound to it.<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2,p1p3,p1p4 --bonding-opts "mode=5 miimon=100" -v;</div><br />
<pre class="computerOutput"><br />
<br />
Attempting to configure 'Bonding Master' Network Interface: "bond0".<br />
<br />
Stopping the "network" service.<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p1".<br />
Successfully brought 'Down' Network Interface: "p1p1".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"<br />
for Network Interface: "p1p1".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p2".<br />
Successfully brought 'Down' Network Interface: "p1p2".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"<br />
for Network Interface: "p1p2".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p3".<br />
Successfully brought 'Down' Network Interface: "p1p3".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p3"<br />
for Network Interface: "p1p3".<br />
<br />
Attempting to bring 'Down' Network Interface: "p1p4".<br />
Successfully brought 'Down' Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p4"<br />
for Network Interface: "p1p4".<br />
<br />
Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"<br />
for Network Interface: "bond0".<br />
<br />
Starting up the "network" service.<br />
<br />
Enabling the "network" service at system boot time.<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
The Linux bonding driver is configured for mode: "'''5'''" - '''Adaptive Transmit Load Balancing''' (''balance-tlb''). This mode creates a channel bond that does not require any special switch support. Outgoing traffic is distributed according to the current load (computed relative to the speed) on each "'''Slave'''" Interface. Incoming traffic is received by the current receiving slave. If the receiving slave fails, another slave takes over the '''MAC Address''' of the failed receiving slave. Note that this mode relies on the slave NIC drivers reporting their link speed (ethtool support), and that the "'''miimon=100'''" option makes the driver check the link state of each slave every 100 ms so that a failed slave is detected.<br />
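Before binding an address it is worth confirming that the kernel actually enslaved all four ports and sees their links as up; the ''MASTER''/''SLAVE'' flags shown by ''ip addr'' only prove membership. The script below is an added example (it is not part of '''nstnetcfg''' or of the NST distribution) that reads the status file the bonding driver exposes at ''/proc/net/bonding/bond0'' and fails if any expected slave is missing or reports an MII status other than ''up''. By default it runs against a constructed, abbreviated sample of that file in which '''p1p4''' is shown with its link down; given ''--live'' it checks the real '''bond0''' on the probe. The driver version line and link states in the sample are made up for the demonstration.<br />

```shell
#!/bin/bash
# Verify a bond built with "nstnetcfg --mode bonding" by reading the kernel's
# /proc/net/bonding/<bond> status file. Added example; not part of nstnetcfg
# or the NST project. bond_check fails if any expected slave is missing from
# the bond or reports an MII status other than "up".
set -eu

# bond_mode FILE -> text after "Bonding Mode:" (e.g. "transmit load balancing")
bond_mode() {
    awk -F': ' '$1 == "Bonding Mode" { print $2; exit }' "$1"
}

# bond_slave_status FILE SLAVE -> MII status of SLAVE, empty if not enslaved.
# The first "MII Status:" line belongs to the master, so only lines seen
# after the matching "Slave Interface:" header are considered.
bond_slave_status() {
    awk -v want="$2" '
        $1 == "Slave" && $2 == "Interface:" { cur = $3 }
        $1 == "MII" && $2 == "Status:" && cur == want { print $3; exit }
    ' "$1"
}

# bond_check FILE SLAVE... -> 0 when every SLAVE is enslaved and up,
# 1 otherwise, with one line per problem on stderr.
bond_check() {
    local file=$1 rc=0 slave status
    shift
    for slave in "$@"; do
        status=$(bond_slave_status "$file" "$slave")
        case "$status" in
            up) ;;
            "") echo "$slave: not enslaved to $(basename "$file")" >&2; rc=1 ;;
            *)  echo "$slave: MII status $status" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed, abbreviated sample in the /proc/net/bonding format for the
# four-port bond above (mode 5, miimon=100). p1p4 is shown with its link
# down so that the failure path is exercised; real files carry more fields.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: transmit load balancing
Primary Slave: None
Currently Active Slave: p1p1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: p1p1
MII Status: up
Permanent HW addr: a0:36:9f:00:71:52

Slave Interface: p1p2
MII Status: up
Permanent HW addr: a0:36:9f:00:71:53

Slave Interface: p1p3
MII Status: up
Permanent HW addr: a0:36:9f:00:71:54

Slave Interface: p1p4
MII Status: down
Permanent HW addr: a0:36:9f:00:71:55
EOF

if [ "${1:-}" = "--live" ]; then
    # On the NST probe itself: check the real bond0 built above.
    bond_check /proc/net/bonding/bond0 p1p1 p1p2 p1p3 p1p4
else
    echo "mode: $(bond_mode "$SAMPLE")"
    if bond_check "$SAMPLE" p1p1 p1p2 p1p3 p1p4; then
        echo "bond0: all slaves up"
    else
        echo "bond0: degraded"
    fi
fi
```

Run it as ''bond-check.sh --live'' on the probe after the '''nstnetcfg''' call (and again after any NIC or cable change); a non-zero exit with the offending slave on stderr is what a monitoring job should alert on, since a '''balance-tlb''' bond keeps passing traffic over the remaining slaves and the loss of one port is otherwise silent.<br />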
<br />
==== '''IPv4 Address Binding to the Bond Interface''' ====<br />
Next the "'''[http://nst.sourceforge.net/nst/docs/scripts/nstnetcfg.html nstnetcfg]'''" utility is used to ''bind'' the IPv4 Address: "'''172.18.1.11'''" to the 'Bonding Master' Virtual Network Interface: "'''bond0'''": <br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstnetcfg --mode ipv4 --interface bond0 -a 172.18.1.11/24 -g 10.224.1.1 --hosts-file-only --host-name striker-bond -v;</div><br />
<pre class="computerOutput"><br />
Configuring a static IPv4 Address: "172.18.1.11/24" for 'Bonding Master' Network Interface: "bond0".<br />
<br />
Attempting to bring 'Down' Bonding Master Network Interface: "bond0".<br />
Successfully brought 'Down' Bonding Master Network Interface: "bond0".<br />
<br />
Setting up the 'Static IPv4 Address' network configuration<br />
file: "/etc/sysconfig/network-scripts/ifcfg-bond0" for Network Interface: "bond0".<br />
<br />
Updating the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.<br />
<br />
The "network" service is already running, skip trying to 'start'.<br />
<br />
Enabling the "network" service at system boot time.<br />
<br />
Attempting to bring 'Up' Bonding Master Network Interface: "bond0" in 5 seconds.<br />
Successfully brought 'Up' Bonding Master Network Interface: "bond0".<br />
<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
Finally, the network configuration is now shown using the "'''[http://www.policyrouting.org/iproute2.doc.html ip]'''" utility with IPv4 Address: "'''172.18.1.11'''" bound to the 'Bonding Master' Virtual Network Interface: "'''bond0'''":<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/ip addr show;</div><br />
<pre class="computerOutput"><br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default <br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.224.2.33/16 brd 10.224.255.255 scope global eno0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: p1p1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff<br />
4: p1p2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff<br />
5: p1p3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff<br />
6: p1p4: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000<br />
link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff<br />
12: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default <br />
link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff<br />
inet 172.18.1.11/24 brd 172.18.1.255 scope global bond0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::a236:9fff:fe00:696a/64 scope link <br />
valid_lft forever preferred_lft forever<br />
</pre><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div></div>
<p>Subversion Notes (page revision 2022-12-06T17:29:54Z, Rwh: /* Merging From Dev Area To The Repo Area */) https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Subversion_Notes&diff=9749</p>
<hr />
<div>We switched from using CVS to Subversion as our source control mechanism in mid-October 2009.<br />
<br />
* We did not try to import all of the CVS history.<br />
* The initial import includes all of the 2.11.0 release source plus the updated source code since the release (the state of CVS on 2009-10-14).<br />
* We left the CVS repository alone (in case we ever wanted to refer back for older history).<br />
<br />
= Preparing Development Machine =<br />
<br />
As a developer, the following things must be done to your development machine before you will be able to check out, build and commit changes to the NST source code.<br />
<br />
== Set SVNROOT ==<br />
<br />
You need to set the ''SVNROOT'' variable. Add one of the following to your '''~/.bashrc''' or '''~/.bash_profile''' configuration file. The first is the original SourceForge '''https''' URL (it still appears in the older transcripts on this page); the second is the current '''svn+ssh''' URL, where "'''user'''" must be replaced with your SourceForge user name. The '''svn+ssh''' form authenticates with your SSH key, so Subversion never has to prompt for, or cache, a password:<br />
<br />
 export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
<br />
 export SVNROOT=svn+ssh://user@svn.code.sf.net/p/nst/code<br />
<br />
After the ''SVNROOT'' variable is set, you should be able to run Subversion commands. For example the following shows the directories under ''SVNROOT''.<br />
<br />
[pkb@sprint ~]$ export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
[pkb@sprint ~]$ svn ls ${SVNROOT}<br />
trunk/<br />
[pkb@sprint ~]$ <br />
<br />
== gnome-keyring ==<br />
<br />
Subversion might complain about needing to store passwords in an ''unencrypted'' form. To prevent this, enable the ''gnome-keyring'' password store. Edit the file '''~/.subversion/config''' and search for the string ''password-stores''. Most likely this line is commented out in your current configuration file. I updated mine to the following:<br />
<br />
password-stores = gnome-keyring<br />
<br />
However, this was not enough to prevent me from being prompted each time. I then added the following package:<br />
<br />
yum install subversion-gnome<br />
<br />
We will see if this permits us to store the password or not (you may need to be logged into a GNOME desktop in order to make use of the gnome-keyring feature). Alternatively, use the '''svn+ssh''' form of ''SVNROOT'' with an SSH key, in which case Subversion never asks for, or caches, a password at all.<br />
<br />
= Directory Structure =<br />
<br />
Currently the directory structure under Subversion is fairly straightforward. We use ''dev/FCVer'' (e.g., dev/30) as the current working area (this is what most developers will be checking out from and committing to). The following is the top level directory structure for Development (/dev), Release (/releases) and the pristine repository for pushing out package updates (/repo):<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/<br />
dev/<br />
releases/<br />
repo/<br />
<br />
Under each top level directory there are Fedora specific source trees:<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/dev<br />
18/<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
2.15.0/<br />
2.16.0/<br />
20/<br />
21/<br />
22/<br />
24/<br />
26/<br />
28/<br />
30/<br />
32/<br />
<br />
= Subversion Commands =<br />
<br />
Use the following to get the list of available subversion commands:<br />
<br />
svn help<br />
<br />
To get more information about a specific Subversion command (like ''ls''), run:<br />
<br />
svn help ls<br />
<br />
<br />
== Checking Out Code ==<br />
<br />
To make the initial checkout of the current source code into a sub-directory named ''nst'', you can use the following Subversion command:<br />
<br />
svn co ${SVNROOT}/trunk nst<br />
<br />
== Committing Code ==<br />
<br />
You use the ''commit'' subversion command when you want to commit changes to the source code.<br />
<br />
When you first run ''commit'', it may prompt you for the password of the wrong user ID (your local login, "root" in the example below). If this happens, press the ''Enter'' key without specifying a password. You can then enter your SourceForge user ID followed by your SourceForge password. When Subversion asks whether to store the password unencrypted, answer ''no'' (as shown below) and use the gnome-keyring setup described above instead. For example:<br />
<br />
<br />
[root@fedora11 nightly]# svn commit<br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Password for 'root': <br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Username: SOURCEFORGE_LOGIN_ID<br />
Password for 'SOURCEFORGE_LOGIN_ID': <br />
Sending nightly/nightly-build.bash<br />
Sending nightly/nightly2html.xsl<br />
Sending nightly/nightly2txt.xsl<br />
Transmitting file data ...-----------------------------------------------------------------------<br />
ATTENTION! Your password for authentication realm:<br />
<br />
<https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
<br />
can only be stored to disk unencrypted! You are advised to configure<br />
your system so that Subversion can store passwords encrypted, if<br />
possible. See the documentation for details.<br />
<br />
You can avoid future appearances of this warning by setting the value<br />
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in<br />
'/root/.subversion/servers'.<br />
-----------------------------------------------------------------------<br />
Store password unencrypted (yes/no)? no <br />
<br />
Committed revision 4.<br />
[root@fedora11 nightly]#<br />
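The plaintext-storage prompt in the transcript above, and the gnome-keyring setup earlier on this page, both exist because Subversion otherwise writes the password in clear text into a cache file under ''~/.subversion/auth/svn.simple/'' (one file per authentication realm, named by an MD5 of the realm string). The following script is an added example, not part of the NST project or of Subversion, that parses those cache files and flags every realm whose password is stored in plain text. The two sample files it builds are constructed: the first realm string is the one from the transcript above, the second is assumed for the current repository host, and the file names are chosen for readability rather than being real MD5 digests.<br />

```shell
#!/bin/bash
# Find Subversion credentials cached in plain text. Added example; not part
# of the NST project. Subversion keeps one file per authentication realm in
# ~/.subversion/auth/svn.simple/ (named by an MD5 of the realm string),
# serialized as "K <len>" / name / "V <len>" / value records ending in END.
# A file whose passtype is "simple" holds the password unencrypted; files
# written through gnome-keyring carry passtype "gnome-keyring" and no password.
set -eu

# svn_auth_get FILE KEY -> value stored under KEY, empty if absent
svn_auth_get() {
    awk -v key="$2" '
        $1 == "K" { getline name; getline; getline val
                    if (name == key) { print val; exit } }
    ' "$1"
}

# svn_auth_audit DIR -> prints "<realm>\t<file>" for each plaintext entry;
# returns 1 if any were found, 0 if the cache is clean.
svn_auth_audit() {
    local dir=$1 f found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(svn_auth_get "$f" passtype)" = "simple" ] \
           && [ -n "$(svn_auth_get "$f" password)" ]; then
            printf '%s\t%s\n' "$(svn_auth_get "$f" svn:realmstring)" "$f"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample cache: one plaintext entry for the realm shown in the
# commit transcript above, one keyring-backed entry (no password on disk).
# Real file names are MD5 digests; these names are for readability only.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/plain" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 6
secret
K 8
username
V 4
user
K 15
svn:realmstring
V 65
<https://nst.svn.sourceforge.net:443> SourceForge Subversion area
END
EOF
cat > "$SAMPLE_DIR/keyring" <<'EOF'
K 8
passtype
V 13
gnome-keyring
K 8
username
V 4
user
K 15
svn:realmstring
V 57
<https://svn.code.sf.net:443> SourceForge Subversion area
END
EOF

# audit_dir DIR -> human-readable summary of svn_auth_audit for DIR
audit_dir() {
    if svn_auth_audit "$1"; then
        echo "$1: no plaintext passwords"
    else
        echo "$1: plaintext password(s) found; delete the file and change the password"
    fi
}

audit_dir "$SAMPLE_DIR"
if [ -d "$HOME/.subversion/auth/svn.simple" ]; then
    audit_dir "$HOME/.subversion/auth/svn.simple"
fi
```

A flagged entry should be deleted and that SourceForge password changed, since anyone who could read the file already has it; then set ''store-plaintext-passwords = no'' in the ''[global]'' section of ''~/.subversion/servers'' (the setting the prompt itself names) so the situation cannot recur.<br />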
<br />
== Status ==<br />
<br />
The Subversion status command is very handy at showing not only what files you've modified, but also (when including the ''-u'' option) handy at showing what files have changed in the repository:<br />
<br />
svn status -u<br />
<br />
For help about the output of ''svn status'', run:<br />
<br />
svn help status | less<br />
<br />
== Revert ==<br />
<br />
If you've made modifications to a file which you want to discard, use the ''revert'' command to restore the original version:<br />
<br />
svn revert FILENAME<br />
<br />
<br />
To revert back to a previous revision use the '''merge''' command. The following example reverts file: "'''bwmonitor.js'''" from revision '''3987''' back to revision '''3986'''. After the revert changes are applied to your working copy you will need to '''commit'''. Use the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion Browser] to assist in finding your revision numbers.<br />
<br />
svn merge -r 3987:3986 bwmonitor.js<br />
<br />
== Revert Commit, Undo Commit, Reverse Merge ==<br />
<br />
If you've committed modifications to a file accidentally it is a bit tricky to ''undo'' the commit. To get back an older version you need to perform something called a reverse merge. This is done by running the ''svn merge -r BAD:GOOD SOURCE'' command, where BAD is the revision you want to undo (typically the current revision of the source), GOOD is the revision of the good code you want to restore (typically one less than BAD) and SOURCE is the name of the file or directory you want to undo the commit on.<br />
<br />
For example, we can use the following command to determine the last changed revision of the files under the current directory:<br />
<br />
[pkb@refritos server]$ svn info . | grep Rev:<br />
Last Changed Rev: 10660<br />
[pkb@refritos server]$ <br />
<br />
In this example the BAD revision ID is 10660 associated with the last commit done to this area. To restore the files to the 10659 state (the good version prior to the 10660) state, we would run the following command:<br />
<br />
[pkb@refritos server]$ svn merge -r 10660:10659 .<br />
--- Reverse-merging r10660 into '.':<br />
U xrdp.cgi<br />
--- Recording mergeinfo for reverse merge of r10660 into '.':<br />
G .<br />
--- Eliding mergeinfo from '.':<br />
U .<br />
[pkb@refritos server]$ <br />
<br />
As the ''status'' command shows, this undo only affected one file in the directory, and the change has so far been applied to the working copy only; nothing has been committed to the repository yet.<br />
<br />
[pkb@refritos server]$ svn status<br />
M xrdp.cgi<br />
[pkb@refritos server]$ <br />
<br />
This allows us to inspect the undone changes. If we are happy, we can commit this version back. If we are unhappy with the results, we can revert the state of the directory and try again.<br />
<br />
== Ignoring Files ==<br />
<br />
Under CVS, you could edit the file '''.cvsignore''' to tell CVS to ignore certain files within the directory. Subversion has a similar, but different mechanism for ignoring files. Basically, you change to the directory where the files/directories to be ignored exist and run the following command:<br />
<br />
svn propedit svn:ignore .<br />
<br />
Running the above command should pull up a text editor and allow you to enter the file name patterns for the files and directories that should be ignored. Here is an example ignore list which causes Subversion to ignore any file or directory ending with the extension ''.log'' or having the name ''tmp'':<br />
<br />
*.log<br />
tmp<br />
<br />
== Manage The Executable Flag On File ==<br />
Use the following command to set the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control. Note that ''propset'' requires a property value; Subversion only checks that '''svn:executable''' is present, so any value such as '''ON''' will do:<br />
<br />
 svn propset svn:executable ON bwmonitor-ajax.php<br />
<br />
Use the following command to remove the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control:<br />
<br />
 svn propdel svn:executable bwmonitor-ajax.php<br />
<br />
== Merging Changes Across Revisions ==<br />
<br />
Our general strategy is typically to do all new work under the ''trunk'' area. However, when we move from one Fedora platform to another (like from Fedora 13 to Fedora 15), we will typically copy the ''trunk'' area to a sub-directory under the maintenance area. For example, the following shows the top level Subversion hierarchy (where you will see ''trunk'' and ''maintenance'') and the number of older maintenance areas where we have the ability to maintain older versions of the software.<br />
<br />
[root@f13-32 ~]# svn ls $SVNROOT<br />
maintenance/<br />
releases/<br />
trunk/<br />
[root@f13-32 ~]# svn ls $SVNROOT/maintenance<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
[root@f13-32 ~]# <br />
<br />
In this situation, you may find yourself making changes to the ''trunk'' area that you would also like to apply to the ''2.13.0'' branch area. To accomplish this, use the following strategy:<br />
<br />
* Make your updates to the ''trunk'' area.<br />
* Commit your changes.<br />
* Determine the range of revision numbers for your change using the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion browser].<br />
* Use the ''svn merge'' command to merge the changes into the ''maintenance/2.13.0'' area.<br />
<br />
Here is an example of using ''svn merge'' to merge the changes made for the 1.2.6 release of the relaycheck package from the ''trunk'' area to the ''maintenance/2.13.0'' area:<br />
<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number], I can see that the last revision number for the ''maintenance/2.13.0'' version was 2016 (at the time of this writing - it will change in the future).<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/trunk/yum/pkgs trunk/yum/pkgs/relaycheck revision number], I can see that the current revision number for the ''trunk'' version of relaycheck was 2102 (at the time this article was written).<br />
* At this point I have enough information to merge the changes with the following ''svn merge'' command:<br />
<br />
[root@f13-32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/maintenance/2.13.0<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 2076<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: pblankenbaker<br />
Last Changed Rev: 2076<br />
Last Changed Date: 2011-05-10 16:53:57 -0400 (Tue, 10 May 2011)<br />
<br />
[root@f13-32 repo]# svn merge -r 2016:2102 $SVNROOT/trunk/yum/pkgs/relaycheck yum/pkgs/relaycheck<br />
--- Merging r2076 through r2102 into 'yum/pkgs/relaycheck':<br />
U yum/pkgs/relaycheck/src/relaycheck.pl<br />
U yum/pkgs/relaycheck/pkginfo.xml<br />
U yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# svn status<br />
M yum/pkgs/relaycheck<br />
M yum/pkgs/relaycheck/src/relaycheck.pl<br />
M yum/pkgs/relaycheck/pkginfo.xml<br />
M yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# <br />
<br />
At this point, we should make sure the merged changes still build and then commit our changes:<br />
<br />
 [root@f13-32 repo]# cd yum<br />
 [root@f13-32 yum]# make relaycheck<br />
 <br />
 ... Omitted much of the output ...<br />
 <br />
 -------------------------------------------------------------------------------<br />
 SUCCESS: Successfully installed relaycheck-1.2.6-11.nst13.noarch.rpm<br />
 -------------------------------------------------------------------------------<br />
 make[1]: Leaving directory `/root/repo/yum/pkgs/relaycheck'<br />
 [root@f13-32 yum]# svn commit<br />
<br />
NOTE: After committing the changes, the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number] changed to 2103 (at the time of this writing) which is now larger than the original 2102 revision we used for the merge.<br />
<br />
== Merging From Dev Area To The Repo Area ==<br />
<br />
* '''Note:''' If this merge includes updates in the '''nstwui''' package: '''Have You Updated The NST WUI Release Number On The Dev Branch First?'''<br />
<br />
The following demonstrates the current merge method to bring changes from the ''dev/20'' development branch to the ''repo/20'' area.<br />
<br />
[root@dev20-64 ~]# cd repo<br />
[root@dev20-64 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev20-64 repo]# svn info<br />
Path: .<br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo/20<br />
Relative URL: ^/repo/20<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6545<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6545<br />
Last Changed Date: 2015-02-14 08:44:42 -0500 (Sat, 14 Feb 2015)<br />
<br />
[root@dev20-64 repo]# svn update; svn merge https://svn.code.sf.net/p/nst/code/dev/20 .<br />
At revision 6594.<br />
--- Merging r6545 through r6594 into '.':<br />
U include/javascript/core/NstSelect.js<br />
U include/javascript/core/NstRuler.js<br />
<br />
...<br />
<br />
U yum/pkgs/putty-win32<br />
--- Recording mergeinfo for merge of r6545 through r6594 into '.':<br />
U .<br />
--- Recording mergeinfo for merge of r6545 through r6594 into 'yum/pkgs/putty-win32':<br />
G yum/pkgs/putty-win32<br />
[root@dev20-64 repo]# svn commit -m "Merging up to 6594 from dev/20"<br />
... output from commit ...<br />
[root@dev20-64 repo]# <br />
<br />
Method using an '''svnuser''' alias so that your Subversion user name is supplied on every command (substitute the name "'''user'''" with your Subversion user name, and run the commands from the '''repo/36''' working copy):<br />
 export SVNROOT="svn+ssh://user@svn.code.sf.net/p/nst/code";<br />
 alias svnuser='svn --username user';<br />
 svnuser update; svnuser merge ${SVNROOT}/dev/36 .;<br />
 svnuser commit -m "Merging dev 36 area into repo 36 through r13374";<br />
<br />
<br />
This is the old method used for merging and updating the '''Trunk Area''' with code changes in the '''Development 18 Area''' spanning from revision: "'''4869'''" to "'''HEAD (4877)'''" (latest changes committed to the ''dev/18'' area). Use the following link for NST code revision reference: http://nst.svn.sourceforge.net/viewvc/nst<br />
<br />
[root@dev16-32 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev16-32 repo]# svn proplist<br />
Properties on '.':<br />
svn:mergeinfo<br />
svn:ignore<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-4869<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@dev16-32 repo]# svn merge -r 4869:HEAD ${SVNROOT}/dev/18 .<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:3590,3592-3611,3613-3614,3616,3618-3620,3622,3624-3627,3629-3702<br />
[root@dev16-32 repo]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@dev16-32 repo]# svn commit -m "Merging up to 4877 from dev/18 - new release of the NST WUI"<br />
... output from commit ...<br />
[root@dev16-32 repo]#<br />
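The dev-to-repo merge above depends on two things the transcripts only state in capitals: the '''repo/N''' working copy must be committed and up to date before the merge, and the commit message should record the revision that was actually merged. The script below is an added example, not part of the NST project, that wraps that procedure with those checks. Its parsing helpers read the text of ''svn info'' and ''svn status -u'' from standard input so they can be exercised against constructed samples without a checkout, which is what the script does when run with no arguments; with ''--merge'' (an option assumed for this example) it runs the real procedure inside the current working copy. The '''repo/N''' and '''dev/N''' naming follows the directory structure described on this page.<br />

```shell
#!/bin/bash
# Pre-flight checks for the dev/N -> repo/N merge described above.
# Added example; not part of the NST project. The helpers read the text of
# "svn info" and "svn status -u" from stdin so they can be exercised
# without a checkout; merge_dev_to_repo uses them against the real tool.
set -eu

# svn_area -> the working copy's area, e.g. "repo/20", from the
# "Relative URL: ^/repo/20" line of "svn info".
svn_area() {
    awk '$1 == "Relative" && $2 == "URL:" { sub(/^\^\//, "", $3); print $3; exit }'
}

# svn_root -> the "Repository Root:" URL from "svn info".
svn_root() {
    awk '$1 == "Repository" && $2 == "Root:" { print $3; exit }'
}

# svn_is_clean -> 0 when "svn status -u" shows neither local changes nor
# items that are newer in the repository, 1 otherwise. Column 1 carries the
# local status letter; with -u, column 9 carries "*" for out-of-date items.
svn_is_clean() {
    awk '
        /^Status against revision:/ { next }
        substr($0, 1, 1) ~ /[MADRC!~]/ { dirty = 1 }
        substr($0, 9, 1) == "*"        { stale = 1 }
        END { if (dirty || stale) exit 1 }
    '
}

# merge_dev_to_repo: run inside a repo/N working copy. Refuses to merge unless
# everything is committed and up to date, then merges dev/N and records the
# dev/N revision that was actually merged in the log message.
merge_dev_to_repo() {
    local area n root rev
    svn status -u | svn_is_clean || { echo "commit and update first" >&2; return 1; }
    area=$(svn info | svn_area)
    case "$area" in
        repo/*) n=${area#repo/} ;;
        *) echo "not a repo/N working copy: ${area:-unknown}" >&2; return 1 ;;
    esac
    root=$(svn info | svn_root)
    rev=$(svn info "$root/dev/$n" | awk '$1 == "Last" && $3 == "Rev:" { print $4 }')
    svn update
    svn merge "$root/dev/$n" .
    svn commit -m "Merging dev/$n into repo/$n through r$rev"
}

# Constructed "svn info" and "svn status -u" text for the offline run.
INFO_SAMPLE='Path: .
Working Copy Root Path: /root/repo
URL: https://svn.code.sf.net/p/nst/code/repo/20
Relative URL: ^/repo/20
Repository Root: https://svn.code.sf.net/p/nst/code
Revision: 6545'
DIRTY_SAMPLE='M       include/javascript/core/NstSelect.js
        *         6545   yum/pkgs/putty-win32
Status against revision:   6594'
CLEAN_SAMPLE='Status against revision:   6594'

if [ "${1:-}" = "--merge" ]; then
    merge_dev_to_repo
else
    echo "area: $(printf '%s\n' "$INFO_SAMPLE" | svn_area)"
    echo "root: $(printf '%s\n' "$INFO_SAMPLE" | svn_root)"
    for s in "$DIRTY_SAMPLE" "$CLEAN_SAMPLE"; do
        if printf '%s\n' "$s" | svn_is_clean; then echo "clean"; else echo "not clean"; fi
    done
fi
```

The revision in the log message is taken from the ''Last Changed Rev'' of the '''dev/N''' URL rather than typed by hand, which avoids the mismatch between the revision range merged and the revision quoted in the commit message that is easy to make when the two are entered separately.<br />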
<br />
== Merging From ''repo'' To ''dev'' Area ==<br />
<br />
The easy method for merging the ''repo'' area changes into your ''dev'' area:<br />
<br />
* Make sure all code is committed and everything is up to date.<br />
* Set SVNROOT to point to the top level directory (like: https://svn.code.sf.net/p/nst/code).<br />
* Run the merge command as shown below:<br />
<br />
[pkb@chimi dev]$ svn merge $SVNROOT/repo/22 .<br />
--- Merging differences between repository URLs into '.':<br />
U include/dist/release-notes.txt<br />
U include/manifest/current.xml<br />
A include/manifest/release-22-7248.xml<br />
U include/data/configure.in<br />
U html/include/make/makefile<br />
U html/links.html<br />
U html/side.html<br />
U html/welcome.html<br />
U html/README.html<br />
U src/scripts/nstmenu/share/groups/release.group.xml<br />
U src/scripts/nstmenu/share/applications/release.apps.xml<br />
U yum/pkgs/nstmenu/template.spec<br />
U yum/pkgs/nstmenu/pkginfo.xml<br />
U yum/pkgs/nstweb/template.spec<br />
U yum/pkgs/nstweb/pkginfo.xml<br />
U .<br />
--- Recording mergeinfo for merge between repository URLs into '.':<br />
U .<br />
[pkb@chimi dev]$ <br />
<br />
The following demonstrates an older technique that merges the '''Development Area''' with code changes in the '''Repo Area''' spanning from revision: "'''6534'''" to "'''HEAD (6537)'''".<br />
<br />
'''On repo:'''<br />
[root@vortex repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-5411,5419-5496<br />
/dev/20:5419-5501,5503-6533<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex repo]# <br />
<br />
'''On Dev:'''<br />
[root@vortex dev]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST!<br />
Status against revision: 6533<br />
[root@vortex dev]# svn merge -r 6534:HEAD ${SVNROOT}/repo .<br />
[root@vortex dev]# svn propget svn:mergeinfo<br />
/dev/18:5419-5496<br />
/repo:4494,4505-4514,4516-4551,4555-4568,4586-4587,4614,4695,4717,4781,4812,5413-5415,5662-5666,6535-6537<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex dev]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@vortex dev]# svn commit -m "Merging up to 6537 from repo for new release"<br />
... output from commit ...<br />
[root@vortex dev]#<br />
<br />
== Switching To A New Root ==<br />
<br />
There can be many different branches of the same source tree at different levels of development within the Subversion repository. You can use the ''switch'' command to switch from one branch to another. When making a switch, the source code you have checked out will be updated to match the state of the source code in the new branch. Before making a switch, it is important to make sure that all of your changes are checked into the current branch. For example, the following demonstrates how to switch a working copy from the ''repo'' area to the ''dev/20'' branch:<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: . <br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo<br />
Relative URL: ^/repo<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6540<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6540<br />
Last Changed Date: 2015-02-09 13:57:38 -0500 (Mon, 09 Feb 2015)<br />
<br />
[root@taco-dev32 repo]# export SVNROOT="$(svn info | awk -- '$2 == "Root:" { print $3; }')";<br />
[root@taco-dev32 repo]# echo $SVNROOT<br />
https://svn.code.sf.net/p/nst/code<br />
[root@taco-dev32 repo]# svn switch $SVNROOT/dev/20<br />
At revision 3577.<br />
[root@taco-dev32 repo]# <br />
<br />
After making a switch, you can use the ''info'' command to verify the switch was successful.<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/dev<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 3577<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: jdoe<br />
Last Changed Rev: 3577<br />
Last Changed Date: 2012-05-29 10:04:54 -0400 (Tue, 29 May 2012)<br />
<br />
[root@taco-dev32 repo]#<br />
<br />
== Relocate To A New Repository Root ==<br />
<br />
This section demonstrates switching repository root from one URL to another. In this example we switch from "'''http://svn.code.sf.net/p/nst/code'''" to "'''svn+ssh://USERID@svn.code.sf.net/p/nst/code'''". The svn "'''relocate'''" command is used.<br />
<br />
[root@vortex dev]# svn info;<br />
Path: .<br />
Working Copy Root Path: /root/dev<br />
URL: http://svn.code.sf.net/p/nst/code/dev/26<br />
Relative URL: ^/dev/26<br />
Repository Root: http://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 9274<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: user<br />
Last Changed Rev: 9274<br />
Last Changed Date: 2017-10-11 16:07:51 -0400 (Wed, 11 Oct 2017)<br />
[root@vortex dev]# <br />
[root@vortex dev]# svn --username USERID relocate http://svn.code.sf.net/p/nst/code svn+ssh://USERID@svn.code.sf.net/p/nst/code;<br />
<br />
= New NST Release Setup =<br />
<br />
Currently the directory structure under Subversion is fairly straightforward. As an example we use ''dev/30'' when working on Fedora 30 based builds. To move to Fedora 32 we do the following:<br />
<br />
svn copy ${SVNROOT}/dev/30 ${SVNROOT}/dev/32;<br />
<br />
When we are ready to push out a release we want to create our pristine repository area:<br />
<br />
svn copy ${SVNROOT}/dev/32 ${SVNROOT}/repo/32;<br />
<br />
= Related Links =<br />
<br />
; http://nst.svn.sourceforge.net/viewvc/nst<br />
: Use this link to browse the NST Subversion repository (the 'trunk' folder corresponds to the current development tree).</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Subversion_Notes&diff=9748Subversion Notes2022-12-06T17:29:21Z<p>Rwh: /* Merging From Dev Area To The Repo Area */</p>
<hr />
<div>We switched from using CVS to Subversion as our source control mechanism in mid October 2009.<br />
<br />
* We did not try to import all of the CVS history.<br />
* The initial import includes all of the 2.11.0 release source plus the updated source code since the release (the state of CVS on 2009-10-14).<br />
* We left the CVS repository alone (in case we ever wanted to refer back for older history).<br />
<br />
= Preparing Development Machine =<br />
<br />
As a developer, the following things must be done to your development machine before you will be able to check out, build and commit changes to the NST source code.<br />
<br />
== Set SVNROOT ==<br />
<br />
You need to set the ''SVNROOT'' variable. Add one of the following to your '''~/.bashrc''' or '''~/.bash_profile''' configuration file (the first is the older SourceForge URL, the second is the current svn+ssh form, where ''user'' is your SourceForge user name):<br />
<br />
export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
<br />
export SVNROOT=svn+ssh://user@svn.code.sf.net/p/nst/code<br />
<br />
After the ''SVNROOT'' variable is set, you should be able to run Subversion commands. For example the following shows the directories under ''SVNROOT''.<br />
<br />
[pkb@sprint ~]$ export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
[pkb@sprint ~]$ svn ls ${SVNROOT}<br />
trunk/<br />
[pkb@sprint ~]$ <br />
<br />
== gnome-keyring ==<br />
<br />
Subversion might complain about needing to store passwords in an ''unencrypted'' form. To prevent this, we need to enable the ''gnome-keyring'' add-on. To do this, edit the file '''~/.subversion/config''' and search for the string ''password-stores''. Most likely this will be commented out in your current configuration file. I updated mine to the following:<br />
<br />
password-stores = gnome-keyring<br />
<br />
However, this was not enough to prevent me from being prompted each time. I then added the following package:<br />
<br />
yum install subversion-gnome<br />
<br />
We will see if this permits us to store the password or not (you may need to be logged into a GNOME desktop in order to make use of the gnome-keyring feature).<br />
<br />
= Directory Structure =<br />
<br />
Currently the directory structure under Subversion is fairly straightforward. We use ''dev/FCVer'' (e.g., dev/30) as the current working area (this is what most developers will be checking out from and committing to). The following is the top level directory structure for Development (/dev), Release (/releases) and the pristine repository for pushing out package updates (/repo):<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/<br />
dev/<br />
releases/<br />
repo/<br />
<br />
Under each top level directory there are Fedora specific source trees:<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/dev<br />
18/<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
2.15.0/<br />
2.16.0/<br />
20/<br />
21/<br />
22/<br />
24/<br />
26/<br />
28/<br />
30/<br />
32/<br />
<br />
= Subversion Commands =<br />
<br />
Use the following to get the list of available Subversion commands:<br />
<br />
svn help<br />
<br />
To get more information about a specific Subversion command (like ''ls''), run:<br />
<br />
svn help ls<br />
<br />
<br />
== Checking Out Code ==<br />
<br />
To make the initial checkout of the current source code into a sub-directory named ''nst'', you can use the following Subversion command:<br />
<br />
svn co ${SVNROOT}/trunk nst<br />
<br />
== Committing Code ==<br />
<br />
You use the ''commit'' Subversion command when you want to commit changes to the source code.<br />
<br />
When you first run ''commit'', it may prompt you for the password of the wrong user ID (your local login name, ''root'' in the example below). If this happens, press the ''Enter'' key without specifying a password. This should then allow you to enter your SourceForge user ID followed by your SourceForge password when committing changes. For example:<br />
<br />
<br />
[root@fedora11 nightly]# svn commit<br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Password for 'root': <br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Username: SOURCEFORGE_LOGIN_ID<br />
Password for 'SOURCEFORGE_LOGIN_ID': <br />
Sending nightly/nightly-build.bash<br />
Sending nightly/nightly2html.xsl<br />
Sending nightly/nightly2txt.xsl<br />
Transmitting file data ...-----------------------------------------------------------------------<br />
ATTENTION! Your password for authentication realm:<br />
<br />
<https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
<br />
can only be stored to disk unencrypted! You are advised to configure<br />
your system so that Subversion can store passwords encrypted, if<br />
possible. See the documentation for details.<br />
<br />
You can avoid future appearances of this warning by setting the value<br />
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in<br />
'/root/.subversion/servers'.<br />
-----------------------------------------------------------------------<br />
Store password unencrypted (yes/no)? no <br />
<br />
Committed revision 4.<br />
[root@fedora11 nightly]#<br />
<br />
== Status ==<br />
<br />
The Subversion ''status'' command shows not only which files you have modified locally but also (when the ''-u'' option is included) which files have changed in the repository since your last update:<br />
<br />
svn status -u<br />
<br />
For help about the output of ''svn status'', run:<br />
<br />
svn help status | less<br />
<br />
== Revert ==<br />
<br />
If you've made modifications to a file which you want to discard, use the ''revert'' command to restore the original version:<br />
<br />
svn revert FILENAME<br />
<br />
<br />
To revert back to a previous revision use the '''merge''' command. The following example reverts the file "'''bwmonitor.js'''" from revision '''3987''' back to revision '''3986'''. After the revert changes are applied you will need to '''commit'''. Use the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion Browser] to assist in finding your revision numbers.<br />
<br />
svn merge -r 3987:3986 bwmonitor.js<br />
<br />
== Revert Commit, Undo Commit, Reverse Merge ==<br />
<br />
If you've committed modifications to a file accidentally, it is a bit tricky to ''undo'' the commit. To get back an older version you need to perform what is called a reverse merge, by running ''svn merge -r BAD:GOOD SOURCE'', where BAD is typically the current revision ID of the source you want to revert, GOOD is the revision ID of the good code you want to restore (typically 1 less than BAD), and SOURCE is the name of the file or directory you want to undo the commit on.<br />
<br />
For example, we can use the following command to determine the last changed revision of the files under the current directory:<br />
<br />
[pkb@refritos server]$ svn info . | grep Rev:<br />
Last Changed Rev: 10660<br />
[pkb@refritos server]$ <br />
<br />
In this example the BAD revision ID is 10660, the revision of the last commit made to this area. To restore the files to their 10659 state (the good version prior to 10660), we would run the following command:<br />
<br />
[pkb@refritos server]$ svn merge -r 10660:10659 .<br />
--- Reverse-merging r10660 into '.':<br />
U xrdp.cgi<br />
--- Recording mergeinfo for reverse merge of r10660 into '.':<br />
G .<br />
--- Eliding mergeinfo from '.':<br />
U .<br />
[pkb@refritos server]$ <br />
<br />
As the ''status'' command shows, this undo only affected one file in the directory; the change lives only in the working copy and is not reflected in the repository until it is committed.<br />
<br />
[pkb@refritos server]$ svn status<br />
M xrdp.cgi<br />
[pkb@refritos server]$ <br />
<br />
This allows us to inspect the undone changes. If we are happy, we can commit this version back. If we are unhappy with the results, we can revert the state of the directory and try again.<br />
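<br />
The reverse merge just described, scripted as an added example that is not part of the original page: the parsing functions take captured ''svn info'' and ''svn status -u'' text as an argument (a constructed sample is embedded), compute GOOD = BAD - 1, and refuse to run on a working copy that has uncommitted or out-of-date files; ''undo_last_commit'' is the only function that calls ''svn'', and it dry-runs the merge first. The function names and the sample values are my own, not NST's.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the NST wiki: helpers for the reverse merge ("undo a
# commit") described above. The parsing functions take command output as an
# argument so they can be tried on captured text; only undo_last_commit runs svn.

# Constructed sample of `svn info` output, modelled on the session above.
SAMPLE_INFO='Path: .
Repository Root: https://svn.code.sf.net/p/nst/code
Revision: 10660
Last Changed Author: pkb
Last Changed Rev: 10660'

# "Last Changed Rev" from `svn info` output passed as $1 (this is BAD).
svn_last_changed_rev() {
    printf '%s\n' "$1" | sed -n 's/^Last Changed Rev: *\([0-9][0-9]*\).*/\1/p'
}

# "Repository Root" from `svn info` output passed as $1 (the same field the
# awk one-liner later on this page extracts).
svn_repo_root() {
    printf '%s\n' "$1" | sed -n 's/^Repository Root: *//p'
}

# GOOD = BAD - 1, refusing anything that is not a revision number greater than 1.
good_rev_for() {
    case "$1" in
        ''|*[!0-9]*) echo "not a revision number: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -le 1 ]; then
        echo "no revision precedes r$1" >&2
        return 1
    fi
    echo $(($1 - 1))
}

# The command line for the reverse merge: svn merge -r BAD:GOOD SOURCE.
reverse_merge_cmd() {
    good="$(good_rev_for "$1")" || return 1
    printf 'svn merge -r %s:%s %s\n' "$1" "$good" "${2:-.}"
}

# Returns 0 when `svn status -u` output ($1) shows neither local modifications
# nor out-of-date items; only the "Status against revision" trailer may remain.
wc_is_clean() {
    if printf '%s\n' "$1" | grep -v '^Status against revision:' | grep -q '[^[:space:]]'; then
        return 1
    fi
    return 0
}

# Undo the last commit in a real working copy: refuse a dirty or stale working
# copy, dry-run the merge, then apply it. Nothing is committed, so the result
# can be inspected with `svn status` / `svn diff` and then committed or reverted.
undo_last_commit() {
    target="${1:-.}"
    status="$(svn status -u "$target")" || return 1
    wc_is_clean "$status" || { echo "commit or update first" >&2; return 1; }
    info="$(svn info "$target")" || return 1
    bad="$(svn_last_changed_rev "$info")"
    good="$(good_rev_for "$bad")" || return 1
    echo "reverse-merging r$bad -> r$good in $target"
    svn merge --dry-run -r "$bad:$good" "$target" || return 1
    svn merge -r "$bad:$good" "$target"
}

# With no arguments, show the command the sample would produce; "undo [PATH]"
# performs the reverse merge for real.
case "${1:-}" in
    undo) undo_last_commit "${2:-.}" ;;
    *)    reverse_merge_cmd "$(svn_last_changed_rev "$SAMPLE_INFO")" . ;;
esac
```
<br />
Run it as ''undo [PATH]'' inside the working copy to perform the reverse merge; with no arguments it only prints the command the embedded sample would produce. The merge result stays uncommitted, as in the session above, so ''svn diff'' can be checked before ''svn commit'' or ''svn revert -R .''.<br />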
<br />
== Ignoring Files ==<br />
<br />
Under CVS, you could edit the file '''.cvsignore''' to tell CVS to ignore certain files within the directory. Subversion has a similar, but different mechanism for ignoring files. Basically, you change to the directory where the files/directories to be ignored exist and run the following command:<br />
<br />
svn propedit svn:ignore .<br />
<br />
Running the above command should pull up a text editor in which you enter the file name patterns for the files and directories that should be ignored, one per line. Here is an example ignore list which causes Subversion to ignore any file or directory ending with the extension ''.log'' or having the name ''tmp'':<br />
<br />
*.log<br />
tmp<br />
<br />
== Manage The Executable Flag On File ==<br />
<br />
Use the following command to set the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control (''svn:executable'' needs a value; any value, conventionally ''on'' or ''*'', sets the flag):<br />
<br />
svn propset svn:executable on bwmonitor-ajax.php<br />
<br />
Use the following command to remove the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control:<br />
<br />
svn propdel svn:executable bwmonitor-ajax.php<br />
<br />
== Merging Changes Across Revisions ==<br />
<br />
Our general strategy is typically to do all new work under the ''trunk'' area. However, when we move from one Fedora platform to another (like from Fedora 13 to Fedora 15), we will typically copy the ''trunk'' area to a sub-directory under the maintenance area. For example, the following shows the top level Subversion hierarchy (where you will see ''trunk'' and ''maintenance'') and the older maintenance areas in which we retain the ability to maintain older versions of the software.<br />
<br />
[root@f13-32 ~]# svn ls $SVNROOT<br />
maintenance/<br />
releases/<br />
trunk/<br />
[root@f13-32 ~]# svn ls $SVNROOT/maintenance<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
[root@f13-32 ~]# <br />
<br />
In this situation, you may find yourself making changes to the ''trunk'' area that you would also like to apply to the ''2.13.0'' branch area. To accomplish this, use the following strategy:<br />
<br />
* Make your updates to the ''trunk'' area.<br />
* Commit your changes.<br />
* Determine the range of revision numbers for your change using the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion browser].<br />
* Use the ''svn merge'' command to merge the changes into the ''maintenance/2.13.0'' area.<br />
<br />
Here is an example of using ''svn merge'' to merge the changes made for the 2.1.6 release of the relaycheck package from the ''trunk'' area to the ''maintenance/2.13.0'' area:<br />
<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number], I can see that the last revision number for the ''maintenance/2.13.0'' version was 2016 (at the time of this writing - it will change in the future).<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/trunk/yum/pkgs trunk/yum/pkgs/relaycheck revision number], I can see that the current revision number for the ''trunk'' version of relaycheck was 2102 (at the time this article was written).<br />
* At this point I have enough information to merge the changes with the following ''svn merge'' command:<br />
<br />
[root@f13-32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/maintenance/2.13.0<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 2076<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: pblankenbaker<br />
Last Changed Rev: 2076<br />
Last Changed Date: 2011-05-10 16:53:57 -0400 (Tue, 10 May 2011)<br />
<br />
[root@f13-32 repo]# svn merge -r 2016:2102 $SVNROOT/trunk/yum/pkgs/relaycheck yum/pkgs/relaycheck<br />
--- Merging r2076 through r2102 into 'yum/pkgs/relaycheck':<br />
U yum/pkgs/relaycheck/src/relaycheck.pl<br />
U yum/pkgs/relaycheck/pkginfo.xml<br />
U yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# svn status<br />
M yum/pkgs/relaycheck<br />
M yum/pkgs/relaycheck/src/relaycheck.pl<br />
M yum/pkgs/relaycheck/pkginfo.xml<br />
M yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# <br />
<br />
At this point, we should make sure the merged changes still build and then commit our changes.<br />
<br />
[root@f13-32 repo]# cd yum<br />
[root@f13-32 yum]# make relaycheck<br />
<br />
... Omitted much of the output ...<br />
<br />
-------------------------------------------------------------------------------<br />
SUCCESS: Successfully installed relaycheck-1.2.6-11.nst13.noarch.rpm<br />
-------------------------------------------------------------------------------<br />
make[1]: Leaving directory `/root/repo/yum/pkgs/relaycheck'<br />
[root@f13-32 yum]# svn commit<br />
<br />
NOTE: After committing the changes, the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number] changed to 2103 (at the time of this writing) which is now larger than the original 2102 revision we used for the merge.<br />
<br />
== Merging From Dev Area To The Repo Area ==<br />
<br />
* '''Note:''' If this merge includes updates in the '''nstwui''' package: '''Have You Updated The NST WUI Release Number On The Dev Branch First?'''<br />
<br />
The following demonstrates the current merge method to bring changes from the ''dev/20'' development branch to the ''repo/20'' area.<br />
<br />
[root@dev20-64 ~]# cd repo<br />
[root@dev20-64 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev20-64 repo]# svn info<br />
Path: .<br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo/20<br />
Relative URL: ^/repo/20<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6545<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6545<br />
Last Changed Date: 2015-02-14 08:44:42 -0500 (Sat, 14 Feb 2015)<br />
<br />
[root@dev20-64 repo]# svn update; svn merge https://svn.code.sf.net/p/nst/code/dev/20 .<br />
At revision 6594.<br />
--- Merging r6545 through r6594 into '.':<br />
U include/javascript/core/NstSelect.js<br />
U include/javascript/core/NstRuler.js<br />
<br />
...<br />
<br />
U yum/pkgs/putty-win32<br />
--- Recording mergeinfo for merge of r6545 through r6594 into '.':<br />
U .<br />
--- Recording mergeinfo for merge of r6545 through r6594 into 'yum/pkgs/putty-win32':<br />
G yum/pkgs/putty-win32<br />
[root@dev20-64 repo]# svn commit -m "Merging up to 6545 from dev/20"<br />
... output from commit ...<br />
[root@dev20-64 repo]# <br />
<br />
Method for an svn user with a '''svnuser''' alias set up (Note: substitute the name '''user''' with your Subversion user name):<br />
export SVNROOT="svn+ssh://user@svn.code.sf.net/p/nst/code";<br />
alias svnuser='svn --username user';<br />
svnuser update; svnuser merge ${SVNROOT}/dev/36<br />
svnuser commit -m "Merging dev 36 area into repo 36 through r13374";<br />
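<br />
The ''dev/N'' to ''repo/N'' merge above as a script, an added example that is not part of the original page: it derives the repository root and the ''repo/N'' branch from ''svn info'' (so ''SVNROOT'' does not need to be exported), refuses to run unless ''svn status -u'' shows a committed and up-to-date working copy, then updates, merges the matching ''dev/N'' branch and commits with a message in the style used above. The optional ''SVNUSER'' environment variable (passed as ''--username''), the function names and the sample texts are my own assumptions.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the NST wiki: the dev/N -> repo/N merge above as a
# script, with the pre-flight checks the session comments insist on. The
# functions that parse svn output take text as $1 so they can be tried on
# captured output; only merge_dev_into_repo runs svn (with --username from the
# optional SVNUSER variable, an assumption of this example).

# "Repository Root" from `svn info` output, so SVNROOT need not be set by hand.
repo_root_from_info() {
    printf '%s\n' "$1" | sed -n 's/^Repository Root: *//p'
}

# The branch the working copy tracks: "Relative URL: ^/repo/36" -> repo/36.
relative_branch() {
    printf '%s\n' "$1" | sed -n 's|^Relative URL: *[^/]*/||p'
}

# repo/36 -> dev/36; refuse anything else so the merge cannot be run from the
# wrong working copy (for instance from a dev checkout into itself).
dev_branch_for() {
    case "$1" in
        repo/*) echo "dev/${1#repo/}" ;;
        *) echo "not a repo/N working copy: '$1'" >&2; return 1 ;;
    esac
}

# Revision reported by `svn update` ("At revision N." or "Updated to revision N.").
updated_revision() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^At revision \([0-9][0-9]*\)\..*/\1/p' \
        -e 's/^Updated to revision \([0-9][0-9]*\)\..*/\1/p'
}

# Returns 0 when `svn status -u` output shows neither local changes nor
# out-of-date items (only the "Status against revision" trailer may remain).
wc_is_clean() {
    if printf '%s\n' "$1" | grep -v '^Status against revision:' | grep -q '[^[:space:]]'; then
        return 1
    fi
    return 0
}

# Commit message in the style used on this page.
merge_message() {
    printf 'Merging %s area into %s through r%s\n' "$1" "$2" "$3"
}

# Run the merge in the repo/N working copy given as $1 (default: current dir).
merge_dev_into_repo() {
    wc="${1:-.}"
    set -- svn
    if [ -n "${SVNUSER:-}" ]; then
        set -- svn --username "$SVNUSER"
    fi
    status="$("$@" status -u "$wc")" || return 1
    wc_is_clean "$status" || { echo "commit or update first" >&2; return 1; }
    info="$("$@" info "$wc")" || return 1
    root="$(repo_root_from_info "$info")"
    repo_branch="$(relative_branch "$info")"
    dev_branch="$(dev_branch_for "$repo_branch")" || return 1
    upd="$("$@" update "$wc")" || return 1
    rev="$(updated_revision "$upd")"
    "$@" merge "$root/$dev_branch" "$wc" || return 1
    "$@" commit -m "$(merge_message "$dev_branch" "$repo_branch" "$rev")" "$wc"
}

# "merge [PATH]" performs the merge for real; sourcing the file only defines
# the functions.
case "${1:-}" in
    merge) merge_dev_into_repo "${2:-.}" ;;
esac
```
<br />
Invoke it as ''merge [PATH]'' from the ''repo/N'' checkout; running it from a ''dev'' checkout fails in ''dev_branch_for'' instead of merging a tree into itself, and a dirty or out-of-date working copy is rejected before anything is changed.<br />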
<br />
<br />
This is the old method used for merging and updating the '''Trunk Area''' with code changes in the '''Development 18 Area''' spanning from revision "'''4869'''" to "'''HEAD (4877)'''" (the latest changes committed to the ''dev/18'' area). Use the following link for NST code revision reference: http://nst.svn.sourceforge.net/viewvc/nst<br />
<br />
[root@dev16-32 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev16-32 repo]# svn proplist<br />
Properties on '.':<br />
svn:mergeinfo<br />
svn:ignore<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-4869<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@dev16-32 repo]# svn merge -r 4869:HEAD ${SVNROOT}/dev/18 .<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:3590,3592-3611,3613-3614,3616,3618-3620,3622,3624-3627,3629-3702<br />
[root@dev16-32 repo]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@dev16-32 repo]# svn commit -m "Merging up to 4877 from dev/18 - new release of the NST WUI"<br />
... output from commit ...<br />
[root@dev16-32 repo]#<br />
<br />
== Merging From ''repo'' To ''dev'' Area ==<br />
<br />
The easy method for merging the ''repo'' area changes into your ''dev'' area:<br />
<br />
* Make sure all code is committed and everything is up to date.<br />
* Set SVNROOT to point to the top level directory (like: https://svn.code.sf.net/p/nst/code).<br />
* Run the merge command as shown below:<br />
<br />
[pkb@chimi dev]$ svn merge $SVNROOT/repo/22 .<br />
--- Merging differences between repository URLs into '.':<br />
U include/dist/release-notes.txt<br />
U include/manifest/current.xml<br />
A include/manifest/release-22-7248.xml<br />
U include/data/configure.in<br />
U html/include/make/makefile<br />
U html/links.html<br />
U html/side.html<br />
U html/welcome.html<br />
U html/README.html<br />
U src/scripts/nstmenu/share/groups/release.group.xml<br />
U src/scripts/nstmenu/share/applications/release.apps.xml<br />
U yum/pkgs/nstmenu/template.spec<br />
U yum/pkgs/nstmenu/pkginfo.xml<br />
U yum/pkgs/nstweb/template.spec<br />
U yum/pkgs/nstweb/pkginfo.xml<br />
U .<br />
--- Recording mergeinfo for merge between repository URLs into '.':<br />
U .<br />
[pkb@chimi dev]$ <br />
<br />
The following demonstrates an older technique that merges the '''Development Area''' with code changes in the '''Repo Area''' spanning from revision "'''6534'''" to "'''HEAD (6537)'''".<br />
<br />
'''On repo:'''<br />
[root@vortex repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-5411,5419-5496<br />
/dev/20:5419-5501,5503-6533<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex repo]# <br />
<br />
'''On Dev:'''<br />
[root@vortex dev]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST!<br />
Status against revision: 6533<br />
[root@vortex dev]# svn merge -r 6534:HEAD ${SVNROOT}/repo .<br />
[root@vortex dev]# svn propget svn:mergeinfo<br />
/dev/18:5419-5496<br />
/repo:4494,4505-4514,4516-4551,4555-4568,4586-4587,4614,4695,4717,4781,4812,5413-5415,5662-5666,6535-6537<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex dev]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@vortex dev]# svn commit -m "Merging up to 6537 from repo for new release"<br />
... output from commit ...<br />
[root@vortex dev]#<br />
<br />
== Switching To A New Root ==<br />
<br />
There can be many different branches of the same source tree at different levels of development within the Subversion repository. You can use the ''switch'' command to switch from one branch to another. When making a switch, the source code you have checked out will be updated to match the state of the source code in the new branch. Before making a switch, it is important to make sure that all of your changes are checked into the current branch. For example, the following demonstrates how to switch a working copy from one branch to another (here from ''repo'' to ''dev/20'', with the repository root taken from the ''svn info'' output):<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: . <br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo<br />
Relative URL: ^/repo<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6540<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6540<br />
Last Changed Date: 2015-02-09 13:57:38 -0500 (Mon, 09 Feb 2015)<br />
<br />
[root@taco-dev32 repo]# export SVNROOT="$(svn info | awk -- '$2 == "Root:" { print $3; }')";<br />
[root@taco-dev32 repo]# echo $SVNROOT<br />
https://svn.code.sf.net/p/nst/code<br />
[root@taco-dev32 repo]# svn switch $SVNROOT/dev/20<br />
At revision 3577.<br />
[root@taco-dev32 repo]# <br />
<br />
After making a switch, you can use the ''info'' command to verify the switch was successful.<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/dev<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 3577<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: jdoe<br />
Last Changed Rev: 3577<br />
Last Changed Date: 2012-05-29 10:04:54 -0400 (Tue, 29 May 2012)<br />
<br />
[root@taco-dev32 repo]#<br />
<br />
== Relocate To A New Repository Root ==<br />
<br />
This section demonstrates switching the repository root of a working copy from one URL to another. In this example we switch from "'''http://svn.code.sf.net/p/nst/code'''" to "'''svn+ssh://USERID@svn.code.sf.net/p/nst/code'''". The svn "'''relocate'''" command is used.<br />
<br />
[root@vortex dev]# svn info;<br />
Path: .<br />
Working Copy Root Path: /root/dev<br />
URL: http://svn.code.sf.net/p/nst/code/dev/26<br />
Relative URL: ^/dev/26<br />
Repository Root: http://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 9274<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: user<br />
Last Changed Rev: 9274<br />
Last Changed Date: 2017-10-11 16:07:51 -0400 (Wed, 11 Oct 2017)<br />
[root@vortex dev]# <br />
[root@vortex dev]# svn --username USERID relocate http://svn.code.sf.net/p/nst/code svn+ssh://USERID@svn.code.sf.net/p/nst/code;<br />
<br />
= New NST Release Setup =<br />
<br />
Currently the directory structure under Subversion is fairly straightforward. As an example we use ''dev/30'' when working on Fedora 30 based builds. To move to Fedora 32 we do the following:<br />
<br />
svn copy ${SVNROOT}/dev/30 ${SVNROOT}/dev/32;<br />
<br />
When we are ready to push out a release we want to create our pristine repository area:<br />
<br />
svn copy ${SVNROOT}/dev/32 ${SVNROOT}/repo/32;<br />
<br />
= Related Links =<br />
<br />
; http://nst.svn.sourceforge.net/viewvc/nst<br />
: Use this link to browse the NST Subversion repository (the 'trunk' folder corresponds to the current development tree).</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Subversion_Notes&diff=9747Subversion Notes2022-12-06T17:20:51Z<p>Rwh: /* Preparing Development Machine */</p>
<hr />
<div>We switched from using CVS to Subversion as our source control mechanism in mid October 2009.<br />
<br />
* We did not try to import all of the CVS history.<br />
* The initial import includes all of the 2.11.0 release source plus the updated source code since the release (the state of CVS on 2009-10-14).<br />
* We left the CVS repository alone (in case we ever wanted to refer back for older history).<br />
<br />
= Preparing Development Machine =<br />
<br />
As a developer, the following things must be done to your development machine before you will be able to check out, build and commit changes to the NST source code.<br />
<br />
== Set SVNROOT ==<br />
<br />
You need to set the ''SVNROOT'' variable. Add the following to your '''~/.bashrc''' or '''~/.bash_profile''' configuration file:<br />
<br />
export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
<br />
export SVNROOT=svn+ssh://user@svn.code.sf.net/p/nst/code<br />
<br />
After the ''SVNROOT'' variable is set, you should be able to run Subversion commands. For example the following shows the directories under ''SVNROOT''.<br />
<br />
[pkb@sprint ~]$ export SVNROOT=https://nst.svn.sourceforge.net/svnroot/nst<br />
[pkb@sprint ~]$ svn ls ${SVNROOT}<br />
trunk/<br />
[pkb@sprint ~]$ <br />
<br />
== gnome-keyring ==<br />
<br />
Subversion might complain about needing to store passwords in a ''unencrypted'' form. To prevent this, we need to figure out how to enable the ''gnome-keyring'' add-on. To do this, edit the file '''~/.subversion/config''' and search on the string ''password-stores''. Most likely this will be commented out in your current configuration file. I updated mine to the following:<br />
<br />
password-stores = gnome-keyring<br />
<br />
However, this was not enough to prevent me from being prompted each time. I then added the following package:<br />
<br />
yum install subversion-gnome<br />
<br />
We will see if this permits us to store the password or not (you may need to be logged into a GNOME desktop in order to make use of the gnome-keyring feature).<br />
<br />
= Directory Structure =<br />
<br />
Currently the directory structure under Subversion is fairly straight forward. We use ''dev/FCVer'' (E.g., dev/30) as the current working area (this is what most developers will be checking out from and committing to). The following is the top level directory structure for Development (/dev), Release (/releases) and the pristine repository for pushing out package updates (/repo):<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/<br />
dev/<br />
releases/<br />
repo/<br />
<br />
Under each top level directory there are Fedora specific source trees:<br />
<br />
[nst@vortex ~]$ svn ls ${SVNROOT}/dev<br />
18/<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
2.15.0/<br />
2.16.0/<br />
20/<br />
21/<br />
22/<br />
24/<br />
26/<br />
28/<br />
30/<br />
32/<br />
<br />
= Subversion Commands =<br />
<br />
Use the following to get the list of available subversion commands:<br />
<br />
svn help<br />
<br />
To get more information about a specific Subversion command (like ''ls''), run:<br />
<br />
svn help ls<br />
<br />
<br />
== Checking Out Code ==<br />
<br />
To make the initial checkout of the current source code into a sub-directory named ''nst'', you can use the following Subversion command:<br />
<br />
svn co ${SVNROOT}/trunk nst<br />
<br />
== Committing Code ==<br />
<br />
You use the ''commit'' subversion command when you want to commit changes to the source code.<br />
<br />
When you first run ''commit'', it may prompt you for the password for the incorrect user ID. If this happens, press the ''Enter'' key without specifying a password. This should allow you enter your SourceForge user ID followed by your SourceForge password when committing changes. For example:<br />
<br />
<br />
[root@fedora11 nightly]# svn commit<br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Password for 'root': <br />
Authentication realm: <https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
Username: SOURCEFORGE_LOGIN_ID<br />
Password for 'SOURCEFORGE_LOGIN_ID': <br />
Sending nightly/nightly-build.bash<br />
Sending nightly/nightly2html.xsl<br />
Sending nightly/nightly2txt.xsl<br />
Transmitting file data ...-----------------------------------------------------------------------<br />
ATTENTION! Your password for authentication realm:<br />
<br />
<https://nst.svn.sourceforge.net:443> SourceForge Subversion area<br />
<br />
can only be stored to disk unencrypted! You are advised to configure<br />
your system so that Subversion can store passwords encrypted, if<br />
possible. See the documentation for details.<br />
<br />
You can avoid future appearances of this warning by setting the value<br />
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in<br />
'/root/.subversion/servers'.<br />
-----------------------------------------------------------------------<br />
Store password unencrypted (yes/no)? no <br />
<br />
Committed revision 4.<br />
[root@fedora11 nightly]#<br />
<br />
== Status ==<br />
<br />
The Subversion status command is very handy at showing not only what files you've modified, but also (when including the ''-u'' option) handy at showing what files have changed in the repository:<br />
<br />
svn status -u<br />
<br />
For help about the output of ''svn status'', run:<br />
<br />
svn help status | less<br />
<br />
== Revert ==<br />
<br />
If you've made modifications to a file which you want to discard, use the ''revert'' command to restore the original version:<br />
<br />
svn revert FILENAME<br />
<br />
<br />
To revert back to a previous revision use the '''merge''' option. The follow example reverts back to the '''3986''' revision from the '''3987''' revision for file: "'''bwmonitor.js'''". After the revert changes are applied you will need to '''commit'''. Use the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion Browser] to assit in finding your revision numbers.<br />
<br />
svn merge -r 3987:3986 bwmonitor.js<br />
<br />
== Revert Commit, Undo Commit, Reverse Merge ==<br />
<br />
If you've committed modifications to a file accidentally it is a bit tricky to ''undo'' the commit. To get back an older version you need to perform something called a reverse merge. This is done by running the ''svn merge -r BAD:GOOD SOURCE'' command. Where BAD is typically the current revision ID of the source you want to revert, GOOD is the revision ID of the good code you want to restore and is typically 1 less than the value of BAD. SOURCE is typically the name of the file or directory you want to undo the commit on.<br />
<br />
For example, we can used the following command to determine the last changed revision of the files under the current directory:<br />
<br />
[pkb@refritos server]$ svn info . | grep Rev:<br />
Last Changed Rev: 10660<br />
[pkb@refritos server]$ <br />
<br />
In this example the BAD revision ID is 10660 associated with the last commit done to this area. To restore the files to the 10659 state (the good version prior to the 10660) state, we would run the following command:<br />
<br />
[pkb@refritos server]$ svn merge -r 10660:10659 .<br />
--- Reverse-merging r10660 into '.':<br />
U xrdp.cgi<br />
--- Recording mergeinfo for reverse merge of r10660 into '.':<br />
G .<br />
--- Eliding mergeinfo from '.':<br />
U .<br />
[pkb@refritos server]$ <br />
<br />
As the ''status'' command shows, this undo only impacted one file in the directory and is not immediately reflected in the repository.<br />
<br />
[pkb@refritos server]$ svn status<br />
M xrdp.cgi<br />
[pkb@refritos server]$ <br />
<br />
This allows us to inspect the undone changes. If we are happy, we can commit this version back. If we are unhappy with the results, we can revert the state of the directory and try again.<br />
<br />
== Ignoring Files ==<br />
<br />
Under CVS, you could edit the file '''.cvsignore''' to tell CVS to ignore certain files within the directory. Subversion has a similar, but different mechanism for ignoring files. Basically, you change to the directory where the files/directories to be ignored exist and run the following command:<br />
<br />
svn propedit svn:ignore .<br />
<br />
Running the above command should pull up a text editor and allow you to specify file name patterns to specify what files and directories should be ignored. Here is an example ignore list which causes Subversion to ignore any file or directory ending with the extension ''.log'' or having the name ''tmp'':<br />
<br />
*.log<br />
tmp<br />
<br />
== Manage The Executable Flag On A File ==<br />
Subversion records the executable bit in the ''svn:executable'' property of the file. Use the following command to set the executable flag on a file (e.g., bwmonitor-ajax.php) under SVN control. ''propset'' requires a property value; Subversion ignores the value given for this particular property and stores it as '''*''':<br />
<br />
svn propset svn:executable ON bwmonitor-ajax.php<br />
<br />
Use the following command to remove the executable flag from a file (e.g., bwmonitor-ajax.php) under SVN control:<br />
<br />
svn propdel svn:executable bwmonitor-ajax.php<br />
<br />
== Merging Changes Across Revisions ==<br />
<br />
Our general strategy is to do all new work under the ''trunk'' area. However, when we move from one Fedora platform to another (like from Fedora 13 to Fedora 15), we typically copy the ''trunk'' area to a sub-directory under the maintenance area. For example, the following shows the top level Subversion hierarchy (where you will see ''trunk'' and ''maintenance'') and the older maintenance areas in which we can keep maintaining previous versions of the software:<br />
<br />
[root@f13-32 ~]# svn ls $SVNROOT<br />
maintenance/<br />
releases/<br />
trunk/<br />
[root@f13-32 ~]# svn ls $SVNROOT/maintenance<br />
2.11.0/<br />
2.12.0/<br />
2.13.0/<br />
[root@f13-32 ~]# <br />
<br />
In this situation, you may find yourself making changes to the ''trunk'' area that you would also like to apply to the ''2.13.0'' branch area. To accomplish this, use the following strategy:<br />
<br />
* Make your updates to the ''trunk'' area.<br />
* Commit your changes.<br />
* Determine the range of revision numbers for your change using the [http://nst.svn.sourceforge.net/viewvc/nst/ Subversion browser].<br />
* Use the ''svn merge'' command to merge the changes into the ''maintenance/2.13.0'' area.<br />
<br />
Here is an example of using ''svn merge'' to merge the changes made for the 2.1.6 release of the relaycheck package from the ''trunk'' area to the ''maintenance/2.13.0'' area:<br />
<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number], I can see that the last revision number for the ''maintenance/2.13.0'' version was 2016 (at the time of this writing - it will change in the future).<br />
* From looking at the [http://nst.svn.sourceforge.net/viewvc/nst/trunk/yum/pkgs trunk/yum/pkgs/relaycheck revision number], I can see that the current revision number for the ''trunk'' version of relaycheck was 2102 (at the time this article was written).<br />
* At this point I have enough information to merge the changes with the following ''svn merge'' command:<br />
<br />
[root@f13-32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/maintenance/2.13.0<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 2076<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: pblankenbaker<br />
Last Changed Rev: 2076<br />
Last Changed Date: 2011-05-10 16:53:57 -0400 (Tue, 10 May 2011)<br />
<br />
[root@f13-32 repo]# svn merge -r 2016:2102 $SVNROOT/trunk/yum/pkgs/relaycheck yum/pkgs/relaycheck<br />
--- Merging r2076 through r2102 into 'yum/pkgs/relaycheck':<br />
U yum/pkgs/relaycheck/src/relaycheck.pl<br />
U yum/pkgs/relaycheck/pkginfo.xml<br />
U yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# svn status<br />
M yum/pkgs/relaycheck<br />
M yum/pkgs/relaycheck/src/relaycheck.pl<br />
M yum/pkgs/relaycheck/pkginfo.xml<br />
M yum/pkgs/relaycheck/relaycheck.template.spec<br />
[root@f13-32 repo]# <br />
<br />
At this point, we should make sure the merged changes still build and then commit our changes:<br />
<br />
[root@f13-32 repo]# cd yum<br />
[root@f13-32 yum]# make relaycheck<br />
<br />
... Omitted much of the output ...<br />
<br />
-------------------------------------------------------------------------------<br />
SUCCESS: Successfully installed relaycheck-1.2.6-11.nst13.noarch.rpm<br />
-------------------------------------------------------------------------------<br />
make[1]: Leaving directory `/root/repo/yum/pkgs/relaycheck'<br />
[root@f13-32 yum]# svn commit<br />
<br />
NOTE: After committing the changes, the [http://nst.svn.sourceforge.net/viewvc/nst/maintenance/2.13.0/yum/pkgs maintenance/2.13.0/yum/pkgs/relaycheck revision number] changed to 2103 (at the time of this writing), which is now larger than the original 2102 revision we used for the merge.<br />
<br />
== Merging From Dev Area To The Repo Area ==<br />
<br />
* '''Note:''' If this merge includes updates to the '''nstwui''' package, make sure you have updated the NST WUI release number on the dev branch first.<br />
<br />
The following demonstrates the current merge method to bring changes from the ''dev/20'' development branch to the ''repo/20'' area.<br />
<br />
[root@dev20-64 ~]# cd repo<br />
[root@dev20-64 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev20-64 repo]# svn info<br />
Path: .<br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo/20<br />
Relative URL: ^/repo/20<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6545<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6545<br />
Last Changed Date: 2015-02-14 08:44:42 -0500 (Sat, 14 Feb 2015)<br />
<br />
[root@dev20-64 repo]# svn update; svn merge https://svn.code.sf.net/p/nst/code/dev/20 .<br />
At revision 6594.<br />
--- Merging r6545 through r6594 into '.':<br />
U include/javascript/core/NstSelect.js<br />
U include/javascript/core/NstRuler.js<br />
<br />
...<br />
<br />
U yum/pkgs/putty-win32<br />
--- Recording mergeinfo for merge of r6545 through r6594 into '.':<br />
U .<br />
--- Recording mergeinfo for merge of r6545 through r6594 into 'yum/pkgs/putty-win32':<br />
G yum/pkgs/putty-win32<br />
[root@dev20-64 repo]# svn commit -m "Merging up to 6545 from dev/20"<br />
... output from commit ...<br />
[root@dev20-64 repo]# <br />
<br />
This is the old method used for merging and updating the '''Trunk Area''' with code changes from the '''Development 18 Area''' spanning from revision "'''4869'''" to "'''HEAD (4877)'''" (the latest changes committed to the ''dev/18'' area). Use the following link for NST code revision reference: http://nst.svn.sourceforge.net/viewvc/nst<br />
<br />
[root@dev16-32 repo]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST! <br />
[root@dev16-32 repo]# svn proplist<br />
Properties on '.':<br />
svn:mergeinfo<br />
svn:ignore<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-4869<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@dev16-32 repo]# svn merge -r 4869:HEAD ${SVNROOT}/dev/18 .<br />
[root@dev16-32 repo]# svn propget svn:mergeinfo<br />
/dev:3590,3592-3611,3613-3614,3616,3618-3620,3622,3624-3627,3629-3702<br />
[root@dev16-32 repo]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@dev16-32 repo]# svn commit -m "Merging up to 4877 from dev/18 - new release of the NST WUI"<br />
... output from commit ...<br />
[root@dev16-32 repo]#<br />
<br />
== Merging From ''repo'' To ''dev'' Area ==<br />
<br />
The easy method for merging the ''repo'' area changes into your ''dev'' area:<br />
<br />
* Make sure all code is committed and everything is up to date.<br />
* Set SVNROOT to point to the top level directory (like: https://svn.code.sf.net/p/nst/code).<br />
* Run the merge command as shown below:<br />
<br />
[pkb@chimi dev]$ svn merge $SVNROOT/repo/22 .<br />
--- Merging differences between repository URLs into '.':<br />
U include/dist/release-notes.txt<br />
U include/manifest/current.xml<br />
A include/manifest/release-22-7248.xml<br />
U include/data/configure.in<br />
U html/include/make/makefile<br />
U html/links.html<br />
U html/side.html<br />
U html/welcome.html<br />
U html/README.html<br />
U src/scripts/nstmenu/share/groups/release.group.xml<br />
U src/scripts/nstmenu/share/applications/release.apps.xml<br />
U yum/pkgs/nstmenu/template.spec<br />
U yum/pkgs/nstmenu/pkginfo.xml<br />
U yum/pkgs/nstweb/template.spec<br />
U yum/pkgs/nstweb/pkginfo.xml<br />
U .<br />
--- Recording mergeinfo for merge between repository URLs into '.':<br />
U .<br />
[pkb@chimi dev]$ <br />
<br />
The following demonstrates an older technique that merges the '''Development Area''' with code changes from the '''Repo Area''' spanning from revision "'''6534'''" to "'''HEAD (6537)'''".<br />
<br />
'''On repo:'''<br />
[root@vortex repo]# svn propget svn:mergeinfo<br />
/dev:4409-4503,4516-4793<br />
/dev/18:4795-5411,5419-5496<br />
/dev/20:5419-5501,5503-6533<br />
/maintenance/18:4794<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex repo]# <br />
<br />
'''On Dev:'''<br />
[root@vortex dev]# svn status -u # MAKE SURE YOU ARE COMMITTED AND UP TO DATE FIRST!<br />
Status against revision: 6533<br />
[root@vortex dev]# svn merge -r 6534:HEAD ${SVNROOT}/repo .<br />
[root@vortex dev]# svn propget svn:mergeinfo<br />
/dev/18:5419-5496<br />
/repo:4494,4505-4514,4516-4551,4555-4568,4586-4587,4614,4695,4717,4781,4812,5413-5415,5662-5666,6535-6537<br />
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240<br />
[root@vortex dev]# svn status -u<br />
... shows files that were updated by the merge ...<br />
[root@vortex dev]# svn commit -m "Merging up to 6537 from repo for new release"<br />
... output from commit ...<br />
[root@vortex dev]#<br />
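Both the ''trunk'' to ''maintenance'' merge earlier on this page and the ''dev''/''repo'' merges in the last two sections depend on knowing which source revisions the target has already received, which the page reads off the Subversion browser and the ''svn:mergeinfo'' property by hand. Subversion can answer that itself with ''svn mergeinfo --show-revs eligible SOURCE_URL TARGET''. The following Python script is an added example (it is not part of the NST wiki or the NST project) that shows the arithmetic behind that answer: it parses ''svn:mergeinfo'' text and an ''svn log -q'' listing of the source branch, subtracts the recorded ranges, and emits the ''svn merge -r A:B'' commands for what remains, including the off-by-one in ''-r A:B'' that the reverse merge at the top of this page also relies on. The mergeinfo sample is copied from the ''dev/18'' merge shown above; the log listing, its author name and its dates are constructed for the example.<br />
<br />
```python
"""Find the revisions of a Subversion branch that a target has not merged yet.

Added example, not code from the NST wiki or the NST project.  Inputs are
the text of the target's svn:mergeinfo property (`svn propget svn:mergeinfo .`)
and an `svn log -q SOURCE_URL` listing of the source branch; the samples at
the bottom are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple


def parse_mergeinfo(text: str) -> Dict[str, Set[int]]:
    """Parse lines like '/dev/18:4795-4869,5419-5496' into {path: set(revs)}.
    A trailing '*' (non-inheritable range) is accepted and dropped."""
    info: Dict[str, Set[int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, sep, ranges = line.partition(":")
        if not sep or not path.startswith("/"):
            raise ValueError(f"not a mergeinfo line: {raw!r}")
        revs = info.setdefault(path, set())
        for item in ranges.split(","):
            item = item.strip().rstrip("*")
            if not item:
                continue
            lo_s, _, hi_s = item.partition("-")
            lo = int(lo_s)
            hi = int(hi_s) if hi_s else lo
            if hi < lo:
                raise ValueError(f"reversed range {item!r} for {path}")
            revs.update(range(lo, hi + 1))
    return info


def parse_log_revisions(log_text: str) -> Set[int]:
    """Collect revision numbers from `svn log -q` output ('r6594 | user | ...')."""
    return {int(m.group(1)) for m in re.finditer(r"^r(\d+) \|", log_text, re.M)}


def eligible_revisions(mergeinfo: Dict[str, Set[int]], source_path: str,
                       source_revs: Set[int]) -> List[int]:
    """Source revisions that are not yet recorded as merged into the target."""
    return sorted(source_revs - mergeinfo.get(source_path, set()))


def merge_ranges(revs: List[int]) -> List[Tuple[int, int]]:
    """Collapse ascending revisions into (A, B) pairs for `svn merge -r A:B`.

    `-r A:B` applies the changes made after A up to and including B, so a
    contiguous run lo..hi becomes (lo - 1, hi).  The same off-by-one is why
    `-r BAD:GOOD` with GOOD = BAD - 1 undoes exactly one revision.
    """
    ranges: List[Tuple[int, int]] = []
    for rev in revs:
        if ranges and ranges[-1][1] == rev - 1:
            ranges[-1] = (ranges[-1][0], rev)   # extend the current run
        else:
            ranges.append((rev - 1, rev))       # start a new run
    return ranges


def merge_commands(source_url: str, target: str, mergeinfo_text: str,
                   log_text: str, source_path: str) -> List[str]:
    """The svn merge command lines that bring over everything still eligible."""
    revs = eligible_revisions(parse_mergeinfo(mergeinfo_text), source_path,
                              parse_log_revisions(log_text))
    return [f"svn merge -r {a}:{b} {source_url} {target}"
            for a, b in merge_ranges(revs)]


# Constructed samples: the repo working copy's mergeinfo as shown on this page,
# and a made-up `svn log -q` listing for dev/18 (author and dates invented).
SAMPLE_MERGEINFO = """\
/dev:4409-4503,4516-4793
/dev/18:4795-4869
/maintenance/18:4794
/trunk:3591,3657-3699,3951,4042,4102-4106,4112,4145-4155,4196,4232-4240
"""
SAMPLE_LOG = """\
------------------------------------------------------------------------
r4877 | nstdev | 2012-06-01 10:12:03 -0400 (Fri, 01 Jun 2012)
------------------------------------------------------------------------
r4875 | nstdev | 2012-05-31 17:40:11 -0400 (Thu, 31 May 2012)
------------------------------------------------------------------------
r4872 | nstdev | 2012-05-30 09:05:44 -0400 (Wed, 30 May 2012)
------------------------------------------------------------------------
r4871 | nstdev | 2012-05-30 08:58:20 -0400 (Wed, 30 May 2012)
------------------------------------------------------------------------
r4870 | nstdev | 2012-05-29 16:21:37 -0400 (Tue, 29 May 2012)
------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for cmd in merge_commands("${SVNROOT}/dev/18", ".", SAMPLE_MERGEINFO,
                              SAMPLE_LOG, "/dev/18"):
        print(cmd)
```
<br />
Run it with no arguments to see the commands for the sample data, or feed it the real outputs of ''svn propget svn:mergeinfo .'' and ''svn log -q $SVNROOT/dev/18''. A revision listed as eligible may itself be a merge from the target back into the source (Subversion's own ''mergeinfo'' command reports those too), so review the log before running the generated commands.<br />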
<br />
== Switching To A New Root ==<br />
<br />
There can be many branches of the same source tree at different levels of development within the Subversion repository. You can use the ''switch'' command to move a working copy from one branch to another: the source code you have checked out is updated to match the state of the source code in the new branch, while uncommitted local modifications are carried along (and may need to be resolved against it). Before making a switch, it is important to make sure that all of your changes are committed to the current branch. For example, the following demonstrates how to switch a working copy of the ''repo'' branch to the ''dev/20'' branch:<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: . <br />
Working Copy Root Path: /root/repo<br />
URL: https://svn.code.sf.net/p/nst/code/repo<br />
Relative URL: ^/repo<br />
Repository Root: https://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 6540<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: rwhalb<br />
Last Changed Rev: 6540<br />
Last Changed Date: 2015-02-09 13:57:38 -0500 (Mon, 09 Feb 2015)<br />
<br />
[root@taco-dev32 repo]# export SVNROOT="$(svn info | awk -- '$2 == "Root:" { print $3; }')";<br />
[root@taco-dev32 repo]# echo $SVNROOT<br />
https://svn.code.sf.net/p/nst/code<br />
[root@taco-dev32 repo]# svn switch $SVNROOT/dev/20<br />
At revision 3577.<br />
[root@taco-dev32 repo]# <br />
<br />
After making a switch, you can use the ''info'' command to verify the switch was successful.<br />
<br />
[root@taco-dev32 repo]# svn info<br />
Path: .<br />
URL: https://nst.svn.sourceforge.net/svnroot/nst/dev<br />
Repository Root: https://nst.svn.sourceforge.net/svnroot/nst<br />
Repository UUID: c9574408-7c70-44fe-bb37-9fe24d5f8586<br />
Revision: 3577<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: jdoe<br />
Last Changed Rev: 3577<br />
Last Changed Date: 2012-05-29 10:04:54 -0400 (Tue, 29 May 2012)<br />
<br />
[root@taco-dev32 repo]#<br />
<br />
== Relocate To A New Repository Root ==<br />
<br />
This section demonstrates switching the repository root of an existing working copy from one URL to another with the svn "'''relocate'''" command. In this example we switch from "'''http://svn.code.sf.net/p/nst/code'''" (anonymous access in clear text) to "'''svn+ssh://USERID@svn.code.sf.net/p/nst/code'''" (authenticated with your SSH credentials and encrypted in transit). Only the URL recorded in the working copy changes; the checked out files and any local modifications are left as they are. Replace USERID with your SourceForge user name.<br />
<br />
[root@vortex dev]# svn info;<br />
Path: .<br />
Working Copy Root Path: /root/dev<br />
URL: http://svn.code.sf.net/p/nst/code/dev/26<br />
Relative URL: ^/dev/26<br />
Repository Root: http://svn.code.sf.net/p/nst/code<br />
Repository UUID: b5e161f0-cc72-4f2a-9017-da5bd5071a9c<br />
Revision: 9274<br />
Node Kind: directory<br />
Schedule: normal<br />
Last Changed Author: user<br />
Last Changed Rev: 9274<br />
Last Changed Date: 2017-10-11 16:07:51 -0400 (Wed, 11 Oct 2017)<br />
[root@vortex dev]# <br />
[root@vortex dev]# svn --username USERID relocate http://svn.code.sf.net/p/nst/code svn+ssh://USERID@svn.code.sf.net/p/nst/code;<br />
<br />
= New NST Release Setup =<br />
<br />
Currently the directory structure under Subversion is fairly straightforward. As an example we use ''dev/30'' when working on Fedora 30 based builds. To move to Fedora 32 we copy the branch with ''svn copy'', which is a cheap server-side copy that keeps the full history:<br />
<br />
svn copy ${SVNROOT}/dev/30 ${SVNROOT}/dev/32;<br />
<br />
When we are ready to push out a release we want to create our pristine repository area:<br />
<br />
svn copy ${SVNROOT}/dev/32 ${SVNROOT}/repo/32;<br />
<br />
= Related Links =<br />
<br />
; http://nst.svn.sourceforge.net/viewvc/nst<br />
: Use this link to browse the NST Subversion repository (the 'trunk' folder corresponds to the current development tree).</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9746NST WUI Browser Support2022-08-10T00:59:29Z<p>Rwh: /* VNC GPU Chrome Rendering Issue */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. The authors give these browsers special consideration and test the '''NST WUI''' against them continuously.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
In the authors' experience the '''[http://chrome.google.com Google Chrome]''' browser renders '''NST WUI''' pages fastest, thanks to the performance of its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine.<br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This page describes the browser <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' for the '''NST WUI''' to work, and the optional ones that '''improve''' the experience of using or developing it.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome is not shipped with NST and has to be installed manually. The package comes from Google's own repository, not from Fedora, so that repository and its package signing key must be configured and enabled on the probe first so that ''dnf'' can verify the package signature. Once the repository is in place, install the browser with:<br />
dnf install google-chrome-beta;<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The chrome browser offers a means regardless of Operating System (OS) to make both the horizontal and vertical scroll bars hidden. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the chrome browser hangs on startup it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to bypass the keyring and make Chrome keep its saved passwords in its "basic" store instead. Those passwords then lose the protection of the keyring, so avoid saving web site credentials in a profile started this way:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== VNC GPU Chrome Rendering Issue ==<br />
If the chrome browser does not render within a '''[https://en.wikipedia.org/wiki/Virtual_Network_Computing VNC]''' session, one can add the following command line option to disable the use of the '''[https://en.wikipedia.org/wiki/Graphics_processing_unit GPU]''' process (the example also keeps the ''--password-store=basic'' option from the previous section):<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic --disable-gpu;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 1:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 2:''' A list of undocumented Chromium Command Line Switches can be found '''[https://peter.sh/experiments/chromium-command-line-switches/ here]'''.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
The Secure Shell extension's reference information is in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right clicking the terminal to bring up a context menu, which contains an entry that opens the options panel.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options panel, use the "'''SSH Files'''" tab on the left hand side to clear one or all '''Known Hosts''' from the extension's "'''~/.ssh/known_hosts'''" file. After clearing an entry, the next connection to that host will ask you to accept its key again; compare the fingerprint it shows with the one on the probe before accepting, since a silently changed host key is exactly what a man-in-the-middle looks like.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section. Note that Firefox 52 and later no longer load the Java (NPAPI) plugin at all, so this only applies to older Firefox releases.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below. Both are NPAPI plugins, which Firefox stopped loading in version 52; current Firefox releases display '''PDF''' documents with their built-in viewer instead, and cannot run the Java based applets.<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''. These are legacy add-ons; Firefox 57 and later only accept WebExtensions, so on a current Firefox look for a WebExtension equivalent of each.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an amazing set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to an '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This message is expected: the '''NST''' probe serves the '''WUI''' over an encrypted '''https''' connection, but its certificate is not issued by a certificate authority the browser already trusts (it is normally generated on the probe itself), so the browser cannot distinguish the probe from an impostor presenting its own certificate. Before selecting the "'''Continue to this website (not recommended)'''" link, open the certificate details and compare the fingerprint shown with the fingerprint of the web server's certificate obtained on the probe (for example with ''openssl x509 -noout -fingerprint -sha256 -in CERT_FILE'', where CERT_FILE is the certificate file the probe's web server is configured with); only continue when they match. Importing that certificate into the browser's trusted store makes the warning go away on later visits.<br />
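The same check can be scripted so that the probe's certificate is pinned by fingerprint rather than accepted by clicking through the warning. The following Python script is an added example, not code from the NST wiki or the NST project: ''check_probe()'' fetches the certificate the probe presents and compares its SHA-256 fingerprint with the value you recorded on the probe (the ''CERT_FILE'' in the ''openssl'' command above is a placeholder for whichever certificate file the probe's web server uses). The helpers accept the fingerprint in any of the forms ''openssl'' and browsers print, and the constructed input in the test is the byte string ''abc'', whose SHA-256 is well known.<br />
<br />
```python
"""Pin an NST probe's TLS certificate by SHA-256 fingerprint.

Added example; not code from the NST wiki or the NST project.  Record the
expected value once on the probe with
    openssl x509 -noout -fingerprint -sha256 -in CERT_FILE
(CERT_FILE being the certificate the probe's web server is configured with),
then run:  python3 pin_probe.py PROBE_HOST 443 'SHA256 Fingerprint=AB:CD:...'
"""
import hashlib
import hmac
import ssl
import sys


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 fingerprint in the AB:CD:... form that openssl and browsers print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA256 Fingerprint=ab:cd...', lower case, or bare hex; return AB:CD:... form."""
    value = text.split("=", 1)[-1].strip().replace(":", "").replace(" ", "").upper()
    if len(value) != 64 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError(f"not a SHA-256 fingerprint: {text!r}")
    return ":".join(value[i:i + 2] for i in range(0, 64, 2))


def fingerprints_match(expected: str, actual: str) -> bool:
    """Compare two fingerprints in constant time after normalising both."""
    return hmac.compare_digest(normalize_fingerprint(expected),
                               normalize_fingerprint(actual))


def check_probe(host: str, port: int, expected: str) -> bool:
    """Fetch the certificate the probe presents and compare its fingerprint.

    get_server_certificate() performs no chain validation when no CA bundle is
    given, which is what we want: the fingerprint comparison is the check.
    """
    pem = ssl.get_server_certificate((host, port))
    der = ssl.PEM_cert_to_DER_cert(pem)
    return fingerprints_match(expected, fingerprint_from_der(der))


if __name__ == "__main__":
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok = check_probe(host, port, expected)
    print("fingerprint matches" if ok else "FINGERPRINT MISMATCH - do not continue")
    sys.exit(0 if ok else 1)
```
<br />
A mismatch means either the probe's certificate was regenerated or something between you and the probe is terminating TLS; in both cases re-check on the probe itself before accepting the new certificate in the browser.<br />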
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and will add the following functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9745NST WUI Browser Support2022-08-10T00:58:50Z<p>Rwh: /* VNC GPU Chrome Rendering Issue */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>endless</u> testing for supporting these browsers has been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section will describe various browser <u>optional</u> <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' or can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome will have to be installed manually on NST.<br />
dnf install google-chrome-beta;<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The chrome browser offers a means regardless of Operating System (OS) to make both the horizontal and vertical scroll bars hidden. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup, the cause may be the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== VNC GPU Chrome Rendering Issue ==<br />
If the Chrome browser does not render within a '''[https://en.wikipedia.org/wiki/Virtual_Network_Computing VNC]''' session, one can use this command line option to disable the use of the '''[https://en.wikipedia.org/wiki/Graphics_processing_unit GPU]''' process:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic --disable-gpu;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 1:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 2:''' A list of undocumented Chromium Command Line Switches can be found '''[https://peter.sh/experiments/chromium-command-line-switches/ here]'''.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
Reference information for the Secure Shell extension is available in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu, which contains an Options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> in order to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Visual enhancement that colors browser tabs.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Adds zoom functionality for images within the browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Adds a full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - Source page validation tool based on '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' compliance checks.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds a comprehensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to a '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This message is expected: the '''NST''' probe is accessed over an encrypted '''https''' connection and '''IE''' warns about the probe's certificate. Select the "'''Continue to this website (not recommended)'''" link to proceed to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9744NST WUI Browser Support2022-08-10T00:56:36Z<p>Rwh: /* About */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>endless</u> testing for supporting these browsers have been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section describes the browser <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' for the '''NST WUI''' or that can be used to '''improve''' the experience of using or developing with it.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome is not included with NST and must be installed manually:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">dnf install google-chrome-beta;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a means, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup, the cause may be the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== VNC GPU Chrome Rendering Issue ==<br />
If the Chrome browser does not render within a '''[https://en.wikipedia.org/wiki/Virtual_Network_Computing VNC]''' session, one can use this command line option to disable the use of the '''[https://en.wikipedia.org/wiki/Graphics_processing_unit GPU]''' process:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic --disable-gpu;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 1:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note 2:''' A list of undocumented Chromium Command Line Switches can be found '''[https://peter.sh/experiments/chromium-command-line-switches/ here]'''.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
Reference information for the Secure Shell extension is available in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu, which contains an Options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> in order to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Visual enhancement that colors browser tabs.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Adds zoom functionality for images within the browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Adds a full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - Source page validation tool based on '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' compliance checks.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds a comprehensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to a '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This message is expected: the '''NST''' probe is accessed over an encrypted '''https''' connection and '''IE''' warns about the probe's certificate. Select the "'''Continue to this website (not recommended)'''" link to proceed to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9743NST WUI Browser Support2022-08-10T00:54:14Z<p>Rwh: /* VNC GPU Chrome Rendering Issue */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>endless</u> testing for supporting these browsers have been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section describes the browser <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' for the '''NST WUI''' or that can be used to '''improve''' the experience of using or developing with it.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome is not included with NST and must be installed manually:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">dnf install google-chrome-beta;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a means, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup, the cause may be the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== VNC GPU Chrome Rendering Issue ==<br />
If the Chrome browser does not render within a '''[https://en.wikipedia.org/wiki/Virtual_Network_Computing VNC]''' session, one can use this command line option to disable the use of the '''[https://en.wikipedia.org/wiki/Graphics_processing_unit GPU]''' process:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic --disable-gpu;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
Reference information for the Secure Shell extension is available in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu, which contains an Options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web-based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an extensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to an '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This expected message is shown because the '''NST''' probe serves the '''NST WUI''' over an encrypted '''https''' connection with a certificate that '''IE''' does not recognize as issued by a trusted authority. One should select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9742NST WUI Browser Support2022-08-10T00:53:45Z<p>Rwh: /* VNC GPU Issue */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. The authors give these browsers special consideration and have <u>maintained</u> <u>continuous</u> testing for them.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section will describe various browser <u>optional</u> <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' or can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome will have to be installed manually on NST:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">dnf install google-chrome-beta;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a means, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the Chrome browser (i.e., > v79.x) one can hide both the horizontal and vertical scroll bars using the following startup options on the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup, it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== VNC GPU Chrome Rendering Issue ==<br />
If the Chrome browser does not render within a [https://en.wikipedia.org/wiki/Virtual_Network_Computing VNC] session, one can use this command line option to disable the use of the [https://en.wikipedia.org/wiki/Graphics_processing_unit GPU] process:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic --disable-gpu;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
The Secure Shell extension has reference information in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu. Under that there is an options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu, on the left-hand side, one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' entries from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web-based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an extensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to an '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This expected message is shown because the '''NST''' probe serves the '''NST WUI''' over an encrypted '''https''' connection with a certificate that '''IE''' does not recognize as issued by a trusted authority. One should select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9741NST WUI Browser Support2022-08-10T00:52:58Z<p>Rwh: /* Gnome Keyring Issue */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. The authors give these browsers special consideration and have <u>maintained</u> <u>continuous</u> testing for them.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section will describe various browser <u>optional</u> <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' or can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome will have to be installed manually on NST:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">dnf install google-chrome-beta;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a means, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the Chrome browser (i.e., > v79.x) one can hide both the horizontal and vertical scroll bars using the following startup options on the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup, it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== VNC GPU Issue ==<br />
If the Chrome browser does not render within a [https://en.wikipedia.org/wiki/Virtual_Network_Computing VNC] session, one can use this command line option to disable the use of the [https://en.wikipedia.org/wiki/Graphics_processing_unit GPU] process:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic --disable-gpu;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
The Secure Shell extension has reference information in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu. Under that there is an options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu, on the left-hand side, one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' entries from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web-based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an extensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to an '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This expected message is shown because the '''NST''' probe serves the '''NST WUI''' over an encrypted '''https''' connection with a certificate that '''IE''' does not recognize as issued by a trusted authority. One should select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These recommended plugins add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following steps enable '''debugging''' of "'''[http://en.wikipedia.org/wiki/JScript JScript]'''", '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation (the counterpart of the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation).<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9740HowTo Quickly Setup A VPN Using WireGuard On NST2022-07-24T16:48:27Z<p>Rwh: /* WireGuard VPN Automation */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to set up a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will set up a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems sit behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This creates two (2) files, the Private / Public key pair: "'''privatekey'''" and "'''publickey'''":<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This creates two (2) files, the Private / Public key pair: "'''privatekey'''" and "'''publickey'''":<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
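The substitution steps above (Server steps 4 and 6, Client steps 4 and 5) can be checked mechanically. The following Python script is an added example, not part of this page or of the NST scripts: it fills the template placeholders with the keys shown above, refuses a value that is not a well-formed WireGuard key (32 bytes, base64-encoded to 44 characters), and reports any placeholder that is still unfilled. The template layout, placeholder names and key strings are copied from the example above; the script does not call '''wg''', so key generation stays with "'''wg-generate-keys'''".<br />

```python
"""Fill the NST WireGuard templates and check that no placeholder survives.

Added example; it is not part of the NST wiki page or the NST scripts.
It reproduces the substitution steps above as plain text processing: the
template layout, placeholder names and key strings are copied from the
page's example, and nothing here calls wg, so key generation stays with
wg-generate-keys.
"""
import base64
import re

# Placeholder tokens exactly as the NST template files spell them.
PLACEHOLDER_RE = re.compile(
    r"-(?:SERVER|CLIENT) (?:PRIVATE|PUBLIC) KEY-|public\.ip\.of\.server")

# Templates copied from /etc/wireguard on the page (server and client).
SERVER_TEMPLATE = """\
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32
"""

CLIENT_TEMPLATE = """\
[Interface]
Address = 10.55.55.2/32
PrivateKey = -CLIENT PRIVATE KEY-
#DNS = 1.1.1.1
#DNS = 8.8.8.8

[Peer]
PublicKey = -SERVER PUBLIC KEY-
Endpoint = public.ip.of.server:51820
#AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21
"""

# Key material and public address from the page's worked example
# (a real deployment uses keys freshly generated by wg-generate-keys).
SERVER_PRIVATE = "UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ="
SERVER_PUBLIC = "vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s="
CLIENT_PRIVATE = "+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk="
CLIENT_PUBLIC = "dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs="
SERVER_PUBLIC_IP = "102.5.221.22"


def is_wireguard_key(value: str) -> bool:
    """A WireGuard key is 32 raw bytes, base64-encoded to 44 characters."""
    if len(value) != 44:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def fill_template(template: str, values: dict) -> str:
    """Replace each placeholder token with its value.

    Key placeholders only accept well-formed keys, so a typo or a truncated
    paste is caught here rather than by wg-quick at bring-up time.
    """
    filled = template
    for token, value in values.items():
        if token.endswith("KEY-") and not is_wireguard_key(value):
            raise ValueError(f"{token}: {value!r} is not a WireGuard key")
        filled = filled.replace(token, value)
    return filled


def unresolved_placeholders(conf: str) -> list:
    """Placeholder tokens still present in a rendered configuration."""
    return PLACEHOLDER_RE.findall(conf)


def server_conf_after_step4() -> str:
    """Server step 4: only the server's own private key is known so far."""
    return fill_template(SERVER_TEMPLATE, {"-SERVER PRIVATE KEY-": SERVER_PRIVATE})


def server_conf_after_step6() -> str:
    """Server step 6: the client's public key has been carried over."""
    return fill_template(server_conf_after_step4(),
                         {"-CLIENT PUBLIC KEY-": CLIENT_PUBLIC})


def client_conf_after_step5() -> str:
    """Client steps 4 and 5: own private key, server public key, endpoint."""
    return fill_template(CLIENT_TEMPLATE, {
        "-CLIENT PRIVATE KEY-": CLIENT_PRIVATE,
        "-SERVER PUBLIC KEY-": SERVER_PUBLIC,
        "public.ip.of.server": SERVER_PUBLIC_IP,
    })


if __name__ == "__main__":
    for label, conf in (("server", server_conf_after_step6()),
                        ("client", client_conf_after_step5())):
        left = unresolved_placeholders(conf)
        status = "ready for wg-quick" if not left else "still to fill: " + ", ".join(left)
        print(f"# {label}: {status}")
        print(conf)
```

Running the script prints both finished files; running '''unresolved_placeholders()''' on the server file after step 4 alone reports "'''-CLIENT PUBLIC KEY-'''", which is exactly the value the note above defers to Client step 6.<br />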
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router in your server side environment is configured, access to UDP port: "'''51820'''" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers the Firewall rule and IP Forwarding changes that may be needed for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server (UDP port: "'''51820'''") for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
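The "'''wg show'''" output above is also what an operator watches to tell a working tunnel from a dead one. The following Python script is an added example, not part of this page or of NST: it parses the human-readable "'''wg show wg0'''" text and reports peers whose latest handshake is older than WireGuard's 180 second session limit (after which the session is rejected and the peer is effectively unreachable), or that never completed a handshake at all. The sample output embeds the server side status shown above plus two constructed peers (their public keys are borrowed from the multi-client example further down this page; the endpoint and transfer figures are made up) to exercise the stale and never-handshaked cases.<br />

```python
"""Flag WireGuard peers whose session looks dead from `wg show` output.

Added example, not code from the NST wiki or the NST project. It parses
the human-readable `wg show wg0` text shown above; the sample below embeds
the page's server-side status plus two constructed peers (keys borrowed
from the page's multi-client example, endpoint and transfer values made
up) to exercise the stale and never-handshaked cases.
"""
import re

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# WireGuard discards a session whose handshake is older than 180 s
# (REJECT_AFTER_TIME); past that the peer is not currently reachable.
REJECT_AFTER_TIME = 180

# Constructed sample: first peer copied from the page, the other two added.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  private key: (hidden)
  listening port: 51820

peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
  endpoint: 14.41.111.122:38964
  allowed ips: 10.55.55.2/32
  latest handshake: 1 minute, 57 seconds ago
  transfer: 9.59 KiB received, 7.27 KiB sent

peer: +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
  endpoint: 198.51.100.23:40211
  allowed ips: 10.55.55.10/32
  latest handshake: 2 hours, 3 minutes, 12 seconds ago
  transfer: 1.20 MiB received, 3.48 MiB sent

peer: WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
  allowed ips: 10.55.55.11/32
"""


def handshake_age_seconds(phrase: str):
    """Turn wg's 'latest handshake' phrase into seconds.

    Accepts 'Now' and any mix of 'N days, N hours, N minutes, N seconds ago';
    returns None when the phrase is not recognised.
    """
    if phrase.strip().lower() == "now":
        return 0
    parts = re.findall(r"(\d+)\s+(second|minute|hour|day)s?", phrase)
    if not parts:
        return None
    return sum(int(count) * UNIT_SECONDS[unit] for count, unit in parts)


def parse_wg_show(output: str) -> dict:
    """Parse `wg show <iface>` into {"interface": {...}, "peers": {pubkey: {...}}}.

    Lines are stripped first, so indented and flattened output both parse.
    Only the first ':' separates field from value, so endpoints keep their port.
    """
    result = {"interface": {}, "peers": {}}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "interface":
            current = result["interface"]
            current["name"] = value
        elif field == "peer":
            current = result["peers"].setdefault(value, {})
        elif current is not None:
            current[field] = value
    return result


def stale_peers(output: str, max_age: int = REJECT_AFTER_TIME) -> list:
    """Return (pubkey, reason) for peers whose session is dead or never began.

    wg omits the 'latest handshake' line entirely for a peer that has never
    completed a handshake, so a missing line is itself a finding.
    """
    stale = []
    for pubkey, attrs in parse_wg_show(output)["peers"].items():
        phrase = attrs.get("latest handshake")
        if phrase is None:
            stale.append((pubkey, "no handshake yet"))
            continue
        age = handshake_age_seconds(phrase)
        if age is None:
            stale.append((pubkey, f"unrecognised handshake time {phrase!r}"))
        elif age > max_age:
            stale.append((pubkey, f"last handshake {age}s ago (limit {max_age}s)"))
    return stale


if __name__ == "__main__":
    for pubkey, reason in stale_peers(SAMPLE_WG_SHOW):
        print(f"peer {pubkey}: {reason}")
```

For scripting against a live system, "'''wg show wg0 latest-handshakes'''" prints the handshake time per peer as an epoch value, which avoids parsing the phrase at all; the parser above is for the human-readable form captured on this page.<br />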
<br />
==== Tear Down WireGuard VPN ====<br />
'''Tear down''' the VPN on the Client side using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
'''Tear down''' the VPN on the Server side using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit ("'''wg-quick@.service'''") that brings the VPN up automatically when an NST system boots. Instantiate it with the name of the WireGuard interface:<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl start wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl start wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key pair for each client (peer).<br />
* Add multiple ''[Peer]'' sections to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).<br />
* It is recommended to use a port other than ''51820'' (something different than this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
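The multi-peer rules above (one key pair per peer, one ''[Peer]'' section per client, no overlapping ''AllowedIPs'') are easy to break by hand when a fourth or fifth client is pasted in. The following Python script is an added example, not part of this page or of NST: it parses the ''wg0.conf'' layout used above and reports peers that reuse a public key, lack ''AllowedIPs'', or claim an address range that overlaps another peer's. The good sample is the server configuration above; the bad one appends a constructed fourth ''[Peer]'' that reuses peer 1's key and peer 2's address.<br />

```python
"""Lint a multi-peer WireGuard server wg0.conf.

Added example, not code from the NST wiki or the NST project. It parses
the INI-style layout shown above and checks this section's rules: every
peer has its own PublicKey and AllowedIPs, and no two peers' AllowedIPs
overlap. GOOD_SERVER_CONF is the page's three-client server example;
BAD_SERVER_CONF appends a constructed fourth [Peer] that reuses peer 1's
key and peer 2's address.
"""
import ipaddress

GOOD_SERVER_CONF = """\
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32

[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.12/32
"""

# Constructed: a fourth peer that breaks both rules at once.
BAD_SERVER_CONF = GOOD_SERVER_CONF + """
[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.11/32
"""


def parse_wg_conf(text: str) -> list:
    """Parse wg0.conf into [(section_name, {key: value}), ...] in file order.

    Lines starting with '#' are comments (the templates above use them to
    park alternative AllowedIPs lines). A key repeated inside one section is
    accumulated with commas, which is how wg(8) treats repeated AllowedIPs.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = f"{current[key]}, {value}" if key in current else value
    return sections


def lint_server_conf(text: str) -> list:
    """Check a server wg0.conf against the multi-peer rules above.

    Returns human-readable findings; an empty list means every peer has its
    own PublicKey and AllowedIPs and no two peers' AllowedIPs overlap.
    """
    findings = []
    sections = parse_wg_conf(text)
    interfaces = [s for name, s in sections if name == "Interface"]
    peers = [s for name, s in sections if name == "Peer"]
    if len(interfaces) != 1:
        return [f"expected one [Interface] section, found {len(interfaces)}"]
    for required in ("PrivateKey", "ListenPort", "Address"):
        if required not in interfaces[0]:
            findings.append(f"[Interface] is missing {required}")
    seen_keys = {}   # PublicKey -> number of the peer that first used it
    claimed = []     # (network, peer number) for every AllowedIPs entry so far
    for num, peer in enumerate(peers, start=1):
        key = peer.get("PublicKey")
        if not key:
            findings.append(f"peer {num}: missing PublicKey")
        elif key in seen_keys:
            findings.append(f"peer {num}: PublicKey duplicates peer {seen_keys[key]}")
        else:
            seen_keys[key] = num
        if "AllowedIPs" not in peer:
            findings.append(f"peer {num}: missing AllowedIPs, so no traffic is routed to it")
            continue
        for cidr in (c.strip() for c in peer["AllowedIPs"].split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, other_num in claimed:
                if net.version == other.version and net.overlaps(other):
                    findings.append(
                        f"peer {num}: AllowedIPs {cidr} overlaps peer {other_num} ({other})")
            claimed.append((net, num))
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_SERVER_CONF), ("bad", BAD_SERVER_CONF)):
        findings = lint_server_conf(conf)
        print(f"{label}: {'ok' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  " + finding)
```

Overlap is checked with the ''ipaddress'' module, so a peer given ''10.55.55.0/28'' is reported against every ''/32'' peer inside that range, not only against an identical entry. The checker deliberately does not reject ''AllowedIPs'' outside the tunnel subnet, since a site-to-site peer legitimately routes a remote LAN through the tunnel.<br />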
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to remove a wireguard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9739HowTo Quickly Setup A VPN Using WireGuard On NST2022-07-24T16:48:09Z<p>Rwh: /* WireGuard VPN Automation */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to set up a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. That page walks through the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will set up a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This will create two (2) key files, the Private / Public key pair ('''privatekey''' and '''publickey'''):<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This will create two (2) key files, the Private / Public key pair ('''privatekey''' and '''publickey'''):<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how your Firewall Gateway Router is configured on your server side environment, access to UDP port: "'''51820'''" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers Firewall rule changes and IP Forwarding that may need to be changed for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''" for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
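The "'''wg show'''" output above is what an operator watches by hand; its "'''dump'''" form ("'''wg show wg0 dump'''") is tab-separated and easier to parse. The following Python audit is an added example for this page (not NST or WireGuard code): it reads that dump and flags peers whose handshake is stale or has never happened, peers whose public key is not in the set the operator issued, and expected peers that are absent. The dump text inside it is constructed from this page's example keys.<br />

```python
"""Audit a live WireGuard interface from `wg show <if> dump` output.

Added example for this page, not NST or WireGuard code. The dump format of
wg(8) is tab-separated: one interface line (private key, public key, listen
port, fwmark), then one line per peer (public key, preshared key, endpoint,
allowed IPs, latest handshake as epoch seconds, rx bytes, tx bytes,
persistent keepalive). The audit flags peers missing from the expected set,
peers whose handshake is stale or absent, and expected peers that are gone.
"""
import subprocess
import time

# With PersistentKeepalive = 21 an active peer re-handshakes about every two
# minutes, so three minutes without one means the tunnel is not passing data.
STALE_AFTER = 180


def parse_dump(text):
    """Return (interface dict, list of peer dicts) from `wg show <if> dump`."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    f = lines[0].split("\t")
    iface = {"private_key": f[0], "public_key": f[1],
             "listen_port": int(f[2]), "fwmark": f[3]}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "preshared_key": None if f[1] == "(none)" else f[1],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),     # epoch seconds, 0 = never
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return iface, peers


def audit(text, expected_keys, now=None):
    """Return a list of findings for the interface described by `text`.

    A peer added at run time with `wg set` is as real as one from wg0.conf
    (with SaveConfig = true it is even written back to the file by
    `wg-quick down`, the `wg showconf` step shown above), so the live peer
    list is compared against the keys the operator actually issued.
    """
    now = time.time() if now is None else now
    _, peers = parse_dump(text)
    findings = []
    for p in peers:
        short = p["public_key"][:8] + "..."
        if p["public_key"] not in expected_keys:
            findings.append("unexpected peer %s with AllowedIPs %s"
                            % (short, ",".join(p["allowed_ips"])))
        if p["latest_handshake"] == 0:
            findings.append("peer %s has never completed a handshake" % short)
        elif now - p["latest_handshake"] > STALE_AFTER:
            findings.append("peer %s handshake is %d s old"
                            % (short, now - p["latest_handshake"]))
    for key in sorted(expected_keys - {p["public_key"] for p in peers}):
        findings.append("expected peer %s... is missing" % key[:8])
    return findings


def live_audit(ifname, expected_keys):
    """Audit a real interface; `wg show` needs root to read the peer list."""
    out = subprocess.run(["wg", "show", ifname, "dump"], check=True,
                         capture_output=True, text=True).stdout
    return audit(out, expected_keys)


# Constructed sample: the server side of the example VPN above (page keys),
# plus one extra peer that nobody configured and that has never handshaked.
NOW = 1_700_000_000          # fixed "current time" so the demo is repeatable
EXPECTED_PEERS = {"dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs="}
SAMPLE_DUMP = "\n".join("\t".join(fields) for fields in [
    ["UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=",
     "vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=", "51820", "off"],
    ["dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=", "(none)",
     "14.41.111.122:38964", "10.55.55.2/32", str(NOW - 117), "9820", "7444", "off"],
    ["ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=", "(none)", "(none)",
     "10.55.55.3/32", "0", "0", "0", "off"],
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, EXPECTED_PEERS, now=NOW):
        print(finding)
```

Running it as root against the real interface is '''live_audit("wg0", EXPECTED_PEERS)''', with the set filled from the public keys you placed in the '''[Peer]''' sections of '''wg0.conf'''.<br />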
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit script to automate the starting of the VPN when bringing up an NST system.<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl start wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@shopper2 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl start wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
[root@pktcap28 ~]# systemctl status wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key for each client (peer).<br />
* Add multiple ''[Peer]'' sections to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).<br />
* It is recommended to use a port other than ''51820'' (something different than this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
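Two of the rules above can be checked mechanically before "'''wg-quick up'''": every template name placeholder from the setup steps (such as "'''-CLIENT PUBLIC KEY-'''") must have been replaced, and no two '''[Peer]''' entries may claim overlapping '''AllowedIPs'''. The following Python validator is an added example for this page (not part of NST or WireGuard); it also verifies that each key decodes to 32 bytes and that the file is not group/world readable, as the "'''install -m 600'''" step arranges. The sample configurations inside it are constructed from this page's three-peer example.<br />

```python
"""Sanity-check a WireGuard wg0.conf before `wg-quick up`.
Added example for this page, not NST or WireGuard code: it checks that no
template name placeholder is left, that every key decodes to 32 bytes, that
the AllowedIPs of different [Peer] sections do not overlap, and that the
file is not group/world readable.
"""
import base64
import ipaddress
import os
import stat

# Placeholder names used by the NST template files described on this page.
PLACEHOLDERS = ("-SERVER PRIVATE KEY-", "-SERVER PUBLIC KEY-",
                "-CLIENT PRIVATE KEY-", "-CLIENT PUBLIC KEY-",
                "public.ip.of.server")


def parse_conf(text):
    """Return [(section, {key: value}), ...]; repeated keys join as one list."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][key] = (current[1][key] + ", " + value
                               if key in current[1] else value)
        else:
            raise ValueError("cannot parse line: %r" % raw)
    return sections


def valid_key(value):
    """A WireGuard key is 32 raw bytes, i.e. 44 base64 characters."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:               # binascii.Error is a ValueError
        return False


def check_conf(text, mode=None):
    """Return the problems found (empty list = OK); mode is an st_mode."""
    problems = ["template placeholder still present: " + p
                for p in PLACEHOLDERS if p in text]
    claimed, peer_no = [], 0          # (network, peer number) already in use
    for name, kv in parse_conf(text):
        if name == "Interface" and not valid_key(kv.get("PrivateKey", "")):
            problems.append("Interface PrivateKey is not a valid key")
        if name != "Peer":
            continue
        peer_no += 1
        if not valid_key(kv.get("PublicKey", "")):
            problems.append("Peer %d PublicKey is not a valid key" % peer_no)
        for cidr in filter(None, map(str.strip, kv.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, other_no in claimed:
                if net.version == other.version and net.overlaps(other):
                    problems.append("Peer %d AllowedIPs %s overlaps Peer %d %s"
                                    % (peer_no, net, other_no, other))
            claimed.append((net, peer_no))
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is readable by group/other; use install -m 600")
    return problems


def check_file(path):
    """Validate a config file on disk, permission bits included."""
    with open(path) as fh:
        return check_conf(fh.read(), os.stat(path).st_mode)


# Constructed sample: the three-peer server layout from this page with two
# defects injected, a leftover placeholder and an overlapping AllowedIPs range.
SAMPLE_BAD = """\
[Interface]
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.11/32

[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.0/24
"""
# The same layout with both defects repaired (the page's own example keys).
SAMPLE_OK = SAMPLE_BAD.replace(
    "-CLIENT PUBLIC KEY-", "WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw="
).replace("10.55.55.0/24", "10.55.55.12/32")
```

On a real system, '''check_file("/etc/wireguard/wg0.conf")''' returns an empty list when the file is ready to bring up.<br />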
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
<br />
Use the following command to remove a wireguard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>
Rwh
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=Overview&diff=9738
Overview
2022-07-19T16:28:02Z
<p>Rwh: </p>
<hr />
<div>__TOC__<br />
<br />
= Summary =<br />
This Wiki offers a means where users of the '''Network Security Toolkit''' ('''NST''') can ask questions, share experiences, and offer advice in regards to the use of the '''NST''' distribution and the tools which it contains.<br />
<br />
The '''NST''' homepage is located at: [http://www.networksecuritytoolkit.org/ http://www.networksecuritytoolkit.org/]. The '''NST''' [http://sourceforge.net/ SourceForge] project page is located at: [http://sourceforge.net/projects/nst http://sourceforge.net/projects/nst]. An '''NST Pro''' version is located at: [http://www.networksecuritytoolkit.org/nstpro http://www.networksecuritytoolkit.org/nstpro]. One can download the current version of '''NST''' [http://sourceforge.net/project/showfiles.php?group_id=85467 '''here''']. A reference about '''NST''' at [http://en.wikipedia.org Wikipedia] can be found [http://en.wikipedia.org/wiki/Network_Security_Toolkit '''here'''].<br />
<br />
<!--<br />
'''NST''' users <u>add</u> yourself to a [http://platial.com Platial] generated [[Image:Nstworldmap.gif]] [http://platial.com/nst/map/60294#NST_Global_Map NST Global Map].<br />
--><br />
<br />
You can view Webcasts related to '''NST''' on the [[NST Screencasts]] page. This NST Wiki Web site is generated by an "'''NST 36'''" system using '''[http://www.mediawiki.org/wiki/MediaWiki MediaWiki]''' software running on an '''[http://www.intel.com/content/www/us/en/nuc/products-overview.html Intel NUC]'''. The following are some of the IPv4 Address Host geolocation tools available with the toolkit using NST Wiki traffic data as a data source.<br />
<br />
= NST Wiki World Users =<br />
<br />
The '''Mercator World Map''' projection below depicts geolocated user host systems that have recently accessed the '''NST''' wiki site. The map is updated once an hour using a collection window of 24 hours. The data source is an '''[http://www.ntop.org/products/traffic-analysis/ntop/ ntopng]''' session running on an "'''NST 36'''" probe listening on 2 network interfaces (i.e., '''wikirx''' & '''wikitx''') for packet capture. A '''[https://networkvisibility.com/products/ixia-net-optics-tap-copper-10-100-1g-955-0270-tp-cu3 TP-CU3]''' Non-Aggregational TAP is inserted between the '''NST''' probe and the '''NST''' wiki site providing full-duplex traffic access.<br />
<br />
[[File:Curhostswm.png|frame|center|NST Wiki Site World Map: Global Users Host Geolocations]]<br />
<br />
<br />
The '''NST''' wiki traffic for the last 24 hours is also formatted as a '''KMZ (KML)''' document that can be downloaded and ''viewed'' in '''[http://earth.google.com Google Earth]''': "'''([http://wiki.networksecuritytoolkit.org/nstwiki/maps/curhostskml.kmz KMZ Document - NST Wiki Traffic])'''". Both the '''Mercator World Map''' and the '''KML Document''' above were produced by the '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstgeolocate.html nstgeolocate]'''". This script is included in the '''NST''' distribution (See the NST Wiki page: '''[http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Automate_%26_Manage_NST_Geolocation_Results HowTo Automate & Manage NST Geolocation Results]''' for further information on geolocating network entities with '''NST''').<br />
<br />
= NST WebGL Globe =<br />
'''NST''' now includes a '''[https://experiments.withgoogle.com/chrome/globe WebGL Globe'''] implementation for the geolocation of IPv4 Hosts. Each hour new NST Wiki host geolocation traffic data is generated and formatted for '''[https://en.wikipedia.org/wiki/WebGL WebGL] Globe''' usage (i.e., a '''[https://en.wikipedia.org/wiki/JSON JSON]''' formatted document), which can be ''rendered'' within a web browser, producing images similar to the following graphics of the earth. Each red spike represents Host traffic to and from the NST Wiki site derived from an active '''[http://www.ntop.org/products/traffic-analysis/ntop/ ntopng]''' session. Longer spikes indicate greater combined transmit and received network traffic.<br />
<br />
<center>[[File:Nstwikiwebglglobe.png|256x256px|frameless|NST Wiki Site Global Traffic (Day Time Map)]]&nbsp;&nbsp;&nbsp; [[File:Nstwikiwebglglobenight.png|256x256px|frameless|NST Wiki Site Global Traffic (Night Time Map)]]</center><br />
<br />
Use this link to view the '''NST''' Wiki traffic for the past 24 hours as a single series dataset: '''[http://wiki.networksecuritytoolkit.org/nst-webgl-globe/index.html?daymap=true&gdsrc=data/curhostswebgl.json NST Webgl Globe - NST Wiki Traffic]'''<br />
<br />
Use this link to view the '''NST''' Wiki traffic as a multi-series dataset for the past 7 hours with a 1 day time interval: '''[http://wiki.networksecuritytoolkit.org/nst-webgl-globe/index.html?daymap=true&gdsrc=data/curwebgldataset.json NST Webgl Globe (Multi-Series Dataset) - NST Wiki Traffic]'''.<br />
<br />
The '''NST WebGL Globe''' implementation includes the following features:<br />
* Switch between day time and night time maps.<br />
* Uses a bump map for a realistic earth topography visual.<br />
* Uses a specular map for a realistic sun and moon glint visual.<br />
* Zoom in and out with your mouse scroll control.<br />
* Automatic earth rotation control.<br />
* Configurable selection of the IPv4 Host geolocation data source.<br />
* Manual data spike intensity scale controls.<br />
* The data scale can be dynamically changed between linear and logarithmic.<br />
* A reset button to re-initialize the earth 3D control settings.<br />
* Data can be displayed using either a single series or multi-series dataset.<br />
* All parameters, including the initial view location and view distance, can be controlled via the '''[https://en.wikipedia.org/wiki/Uniform_resource_locator URL]'''.<br />
<br />
The '''NST''' script: "'''[http://nst.sourceforge.net/nst/docs/scripts/nstgeolocate.html nstgeolocate]'''" now includes the ability to produce '''NST WebGL Globe JSON''' documents using '''[http://www.ntop.org/ntopng ntop / ntopng]''' as a data source. The '''NST WUI''' can now ''dynamically'' produce on demand '''NST WebGL Globe JSON''' documents for these data sources.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Create_A_GPT_Disk_With_EFI_System_And_exFAT_Partitions_Using_Parted&diff=9735HowTo Create A GPT Disk With EFI System And exFAT Partitions Using Parted2022-02-16T14:42:18Z<p>Rwh: /* Summary */</p>
<hr />
<div>__TOC__<br />
== '''Overview''' ==<br />
The purpose of this article is to create a disk that can be read from and written to by all major operating systems (i.e., macOS, Windows and Linux). A removable USB storage device containing [https://en.wikipedia.org/wiki/Solid-state_drive SSD SATA] or [https://en.wikipedia.org/wiki/NVM_Express NVMe] media formatted with an [https://en.wikipedia.org/wiki/ExFAT exFAT] partition can be used to accomplish this. At the time of this writing, January 02, 2020, a removable USB-C drive containing a CORSAIR FORCE Series MP500 120GB NVMe storage device is used for the demonstration.<br />
<br />
The USB drive is attached to an NST system as device: "'''/dev/sdc'''". The [https://en.wikipedia.org/wiki/GNU_Parted parted] disk utility will be used to create a [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table (GPT)] disk label, the [https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition] and the exFAT partition. GPT partitioning allows one to use all available disk space on drives larger than 2TB, which is one of the limitations of legacy [https://en.wikipedia.org/wiki/Master_boot_record MBR] partitioning.<br />
<br />
The following diagram is an example GUID Partition Table layout:<br />
[[File:Guid partition table.svg|center|frame| Wikipedia Reference: The layout of a disk with the GUID Partition Table. In this example, each logical block is 512 bytes in size and each entry has 128 bytes. The corresponding partition entries are assumed to be located in LBA 2–33. Negative LBA addresses indicate a position from the end of the volume, with −1 being the last addressable block.]]<br />
<br />
== Zero Out Previous Disk Label - Optional ==<br />
This optional step zeroes out any previous disk label using the [http://dcfldd.sourceforge.net/ dcfldd] utility; the first 1GB of the disk is overwritten with zeros. Note that GPT also keeps a backup header and partition entry array in the last sectors of the disk, which this step does not touch. To erase every known signature on the device, including the backup GPT, use "'''wipefs -a /dev/sdc'''" (or "'''sgdisk --zap-all /dev/sdc'''") instead. Be certain that "'''/dev/sdc'''" really is the USB drive before running any of these commands: the write is immediate and irreversible.<br />
<br />
[root@shopper2 ~]# dcfldd if=/dev/zero of=/dev/sdc statusinterval=64 bs=1M count=1k;<br />
1024 blocks (1024Mb) written.<br />
1024+0 records in<br />
1024+0 records out<br />
[root@shopper2 ~]#<br />
<br />
We can now use parted to examine the disk and confirm that it starts out with an "unrecognised" disk label:<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print;<br />
Error: /dev/sdc: unrecognised disk label<br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: unknown<br />
Disk Flags: <br />
[root@shopper2 ~]#<br />
<br />
== Create GPT Disk Label ==<br />
The GPT disk label will now be created:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mklabel gpt <br />
(parted) quit<br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create EFI System Partition ==<br />
A new EFI System Partition will be created using the following commands (the recommended size is at least 260 MiB). Note that the "'''fat32'''" argument to '''mkpart''' only records the partition type; it does not create a file system, and this page never formats "'''/dev/sdc1'''" (the '''lsblk''' output further below shows no file system on it). If the ESP is to be used for booting, format it with "'''mkfs.vfat -F 32 /dev/sdc1'''":<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mkpart primary fat32 1MiB 261MiB <br />
(parted) set 1 esp on <br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB fat32 primary boot, esp<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create exFAT Partition ==<br />
A new exFAT partition will now be created in the remaining unused disk area. The "'''ntfs'''" argument to '''mkpart''' only selects the Microsoft Basic Data partition type (shown as the '''msftdata''' flag in the final listing); no file system is written until '''mkfs.exfat''' is run in the next section:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc; <br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
<br />
(parted) mkpart primary ntfs 261MiB 100%<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB ntfs primary<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB primary msftdata<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Format exFAT Partition ==<br />
Use the "'''mkfs.exfat'''" command to format the exFAT file system:<br />
<br />
[root@shopper2 ~]# mkfs.exfat -L NVMe /dev/sdc2<br />
mkexfatfs 1.3.0<br />
Creating... done.<br />
Flushing... done.<br />
File system created successfully.<br />
[root@shopper2 ~]#<br />
<br />
The "'''lsblk'''" command shows the newly created exFAT file system with label:<br />
[root@shopper2 ~]# /bin/lsblk -a -o name,label,size,fstype,model /dev/sdc;<br />
NAME LABEL SIZE FSTYPE MODEL<br />
sdc 111.8G USB3.1_NVME_DISK<br />
├─sdc1 260M <br />
└─sdc2 NVMe 111.5G exfat <br />
[root@shopper2 ~]#<br />
<br />
== Summary ==<br />
The newly formatted disk should now be readable and writable by all major operating systems (i.e., macOS, Windows and Linux). If not, use the method below: [[#Alternate_exFat_Partition_Creation_For_OS_Interoperability | Alternate exFat Partition Creation For OS Interoperability]].<br />
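Both procedures on this page (the EFI System Partition plus exFAT layout above, and the single Microsoft Basic Data partition of the alternate section that follows) can be driven non-interactively. The script below is an added example written for this page; it is not an NST script and is not part of the original article. It assumes '''parted''', '''wipefs''', '''udevadm''', '''mkfs.vfat''' and '''mkfs.exfat''' are installed and that the target is a whole-disk device the kernel flags as removable; the names '''make_disk''', '''parted_plan''', '''is_mounted''' and '''MKDISK_RUN''' are its own. Unlike the interactive sessions above, it refuses to touch a partition node, a non-removable disk or a device with anything mounted, and it clears the backup GPT that zeroing only the start of the disk leaves behind.

```bash
#!/usr/bin/env bash
# Added example (not an NST script): the GPT + EFI System Partition + exFAT
# procedure from this page, and the single-partition layout of the alternate
# section, as one non-interactive script with the safety checks an interactive
# parted/fdisk session does not give you.
#
# Assumptions (this example's own, not from the page): parted, wipefs, udevadm,
# mkfs.vfat and mkfs.exfat are installed; the target is a whole-disk device
# that the kernel flags as removable; nothing is written unless MKDISK_RUN=1.

# Accept only whole-disk device nodes, never a partition node such as /dev/sdc1.
valid_disk_name() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/nvme[0-9]n[0-9]|/dev/mmcblk[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 (true) when DEV itself or any partition of it appears in a mounts
# table (default /proc/mounts).  The optional second argument lets the check run
# against a constructed table offline.  An unreadable table counts as "mounted"
# so the caller fails closed.
is_mounted() {
    local dev="$1" mounts="${2:-/proc/mounts}"
    [ -r "$mounts" ] || return 0
    awk -v d="$dev" '
        $1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
        END { exit !found }' "$mounts"
}

# True when the kernel reports the disk as removable (/sys/block/<name>/removable).
is_removable() {
    local name="${1#/dev/}"
    [ -r "/sys/block/$name/removable" ] && [ "$(cat "/sys/block/$name/removable")" = "1" ]
}

# Partition node naming: /dev/sdc -> /dev/sdc2, /dev/nvme0n1 -> /dev/nvme0n1p2.
part_node() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# The whole parted run as one reviewable command line.  parted executes the
# commands in sequence; on GPT the first mkpart argument is the partition name.
#   esp       : 260 MiB EFI System Partition + Microsoft Basic Data on the rest
#   data-only : one Microsoft Basic Data partition spanning the disk
parted_plan() {
    local dev="$1" layout="${2:-esp}"
    case "$layout" in
        esp)       printf 'parted -s -a optimal %s mklabel gpt mkpart ESP fat32 1MiB 261MiB set 1 esp on mkpart DATA 261MiB 100%% set 2 msftdata on\n' "$dev" ;;
        data-only) printf 'parted -s -a optimal %s mklabel gpt mkpart DATA 1MiB 100%% set 1 msftdata on\n' "$dev" ;;
        *)         echo "parted_plan: unknown layout '$layout'" >&2; return 1 ;;
    esac
}

# Index of the exFAT data partition for a layout (2 behind an ESP, otherwise 1).
data_part_index() {
    case "$1" in esp) echo 2 ;; *) echo 1 ;; esac
}

make_disk() {
    local dev="$1" layout="${2:-esp}" label="${3:-DATA}" plan idx
    valid_disk_name "$dev" || { echo "refusing: $dev is not a whole-disk device" >&2; return 1; }
    is_removable "$dev"    || { echo "refusing: $dev is not flagged removable" >&2; return 1; }
    if is_mounted "$dev"; then echo "refusing: $dev or a partition of it is mounted" >&2; return 1; fi
    plan="$(parted_plan "$dev" "$layout")" || return 1
    idx="$(data_part_index "$layout")"

    # wipefs removes every known signature, including the backup GPT header at
    # the end of the disk that zeroing only the first 1 GiB leaves in place.
    wipefs -a "$dev"
    eval "$plan"
    udevadm settle                      # wait for the new partition nodes
    if [ "$layout" = esp ]; then
        mkfs.vfat -F 32 -n ESP "$(part_node "$dev" 1)"
    fi
    mkfs.exfat -L "$label" "$(part_node "$dev" "$idx")"
    sync
    parted -s "$dev" print
}

# Destructive; runs only when asked for explicitly, e.g.
#   MKDISK_RUN=1 ./mkdisk.sh /dev/sdc esp NVMe
#   MKDISK_RUN=1 ./mkdisk.sh /dev/sda data-only THUNDER2-1
if [ "${MKDISK_RUN:-0}" = "1" ]; then
    make_disk "$@"
fi
```

The mounted-device check takes an optional mounts file so it can be exercised against a constructed table before it is trusted on a live system, and '''parted_plan''' prints the complete parted command line so the partition plan can be reviewed before anything is written.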
<br />
= Alternate exFat Partition Creation For OS Interoperability =<br />
This section shows the steps to create a single exFAT partition spanning an entire 64GB USB flash drive so that all major OSs (i.e., macOS, Windows and Linux) can mount and use the data on the drive.<br />
<br />
'''1)''' Discover the target USB drive on which to create the exFAT partition with '''fdisk'''. In this case it is "'''/dev/sda'''". Check the model and size before continuing: the steps below destroy whatever is on the device named here.<br />
[root@dell7480 ~]# fdisk -l;<br />
Disk /dev/nvme0n1: 476.94 GiB, 512110190592 bytes, 1000215216 sectors<br />
Disk model: FPI512MWR7 <br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: gpt<br />
Disk identifier: B276CCFE-BD35-4510-9E92-B6E44CEEFAE8<br />
<br />
Device Start End Sectors Size Type<br />
/dev/nvme0n1p1 2048 1230847 1228800 600M EFI System<br />
/dev/nvme0n1p2 1230848 3327999 2097152 1G Linux filesystem<br />
/dev/nvme0n1p3 3328000 1000214527 996886528 475.4G Linux filesystem<br />
<br />
Disk /dev/zram0: 8 GiB, 8589934592 bytes, 2097152 sectors<br />
Units: sectors of 1 * 4096 = 4096 bytes<br />
Sector size (logical/physical): 4096 bytes / 4096 bytes<br />
I/O size (minimum/optimal): 4096 bytes / 4096 bytes<br />
<br />
Disk /dev/sda: 57.3 GiB, 61530439680 bytes, 120176640 sectors<br />
Disk model: SanDisk 3.2Gen1<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''2)''' Make sure the USB flash drive is not mounted. In this example it was auto-mounted at: "'''/run/media/nst/59DF-5291'''" and is unmounted with '''umount''':<br />
[root@dell7480 ~]# df -h<br />
Filesystem Size Used Avail Use% Mounted on<br />
devtmpfs 7.8G 0 7.8G 0% /dev<br />
tmpfs 7.8G 0 7.8G 0% /dev/shm<br />
tmpfs 3.1G 2.0M 3.1G 1% /run<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /<br />
tmpfs 7.8G 2.1M 7.8G 1% /tmp<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /home<br />
/dev/nvme0n1p2 976M 248M 662M 28% /boot<br />
/dev/nvme0n1p1 599M 17M 583M 3% /boot/efi<br />
tmpfs 1.6G 96K 1.6G 1% /run/user/1000<br />
tmpfs 1.6G 72K 1.6G 1% /run/user/0<br />
/dev/sda1 58G 12M 58G 1% /run/media/nst/59DF-5291<br />
[root@dell7480 ~]# <br />
[root@dell7480 ~]# umount -v /run/media/nst/59DF-5291<br />
umount: /run/media/nst/59DF-5291 (/dev/sda1) unmounted<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''3)''' Use '''fdisk''' to remove any previously created partitions, create a '''GPT''' partition table and then make a new partition (i.e., "'''/dev/sda1'''") for exFAT using the entire USB drive. '''fdisk''' assigns the default type "Linux filesystem" to the new partition; it is changed to Microsoft Basic Data in step '''6)'''.<br />
[root@dell7480 ~]# fdisk /dev/sda;<br />
<br />
Welcome to fdisk (util-linux 2.36.2).<br />
Changes will remain in memory only, until you decide to write them.<br />
Be careful before using the write command.<br />
<br />
Device does not contain a recognized partition table.<br />
Created a new DOS disklabel with disk identifier 0x997a9a9d.<br />
<br />
Command (m for help): d<br />
No partition is defined yet!<br />
<br />
Command (m for help): g<br />
<br />
Created a new GPT disklabel (GUID: 7D769FCD-8E49-9944-B4BA-C418633F0C4E).<br />
<br />
Command (m for help): n<br />
Partition number (1-128, default 1): <br />
First sector (2048-120176606, default 2048): <br />
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-120176606, default 120176606): <br />
<br />
Created a new partition 1 of type 'Linux filesystem' and of size 57.3 GiB.<br />
<br />
Command (m for help): w<br />
The partition table has been altered.<br />
Calling ioctl() to re-read partition table.<br />
Syncing disks.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''4)''' Show partition creation progress using '''parted'''.<br />
[root@dell7480 ~]# /sbin/parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''5)''' Make sure the partition table is a valid '''GPT''' with a protective MBR by rewriting it with '''gdisk'''.<br />
[root@dell7480 ~]# gdisk /dev/sda;<br />
GPT fdisk (gdisk) version 1.0.8<br />
<br />
Partition table scan:<br />
MBR: protective<br />
BSD: not present<br />
APM: not present<br />
GPT: present<br />
<br />
Found valid GPT with protective MBR; using GPT.<br />
<br />
Command (? for help): w<br />
<br />
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING<br />
PARTITIONS!!<br />
<br />
Do you want to proceed? (Y/N): Y<br />
OK; writing new GUID partition table (GPT) to /dev/sda.<br />
The operation has completed successfully.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''6)''' Set the partition type to: "'''msftdata'''" - Microsoft Basic Data<br />
[root@dell7480 ~]# parted /dev/sda;<br />
GNU Parted 3.4<br />
Using /dev/sda<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) set 1 msftdata on <br />
(parted) q <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''7)''' Show partition progress.<br />
[root@dell7480 ~]# parted -s /dev/sda print; <br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''8)''' Now format partition: "'''/dev/sda1'''" as an exFAT file system using: '''mkfs.exfat''' with label: "'''THUNDER2-1'''" with verbose mode on.<br />
[root@dell7480 ~]# mkfs.exfat -v -L THUNDER2-1 /dev/sda1;<br />
exfatprogs version : 1.1.2<br />
[exfat_get_blk_dev_info: 202] Block device name : /dev/sda1<br />
[exfat_get_blk_dev_info: 203] Block device offset : 1048576<br />
[exfat_get_blk_dev_info: 204] Block device size : 61529374208<br />
[exfat_get_blk_dev_info: 205] Block sector size : 512<br />
[exfat_get_blk_dev_info: 206] Number of the sectors : 120174559<br />
[exfat_get_blk_dev_info: 208] Number of the clusters : 469431<br />
[exfat_zero_out_disk: 516] zero out written size : 3538944, disk size : 61529374208<br />
Creating exFAT filesystem(/dev/sda1, cluster size=131072)<br />
<br />
Writing volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Writing backup volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Fat table creation: [exfat_create_fat_table: 307] Total used cluster count : 5<br />
done<br />
Allocation bitmap creation: done<br />
Upcase table creation: done<br />
Writing root directory entry: done<br />
Synchronizing...<br />
<br />
exFAT format complete!<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''9)''' Show final format using '''parted'''.<br />
[root@dell7480 ~]# parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags:<br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''10)''' Use the system storage manager ('''ssm''') to show the completed exFAT partition.<br />
[root@dell7480 ~]# ssm list<br />
---------------------------------------------------------------------<br />
Device Free Used Total Pool Mount point<br />
---------------------------------------------------------------------<br />
/dev/nvme0n1 476.94 GB PARTITIONED<br />
/dev/nvme0n1p1 600.00 MB /boot/efi <br />
/dev/nvme0n1p2 1.00 GB /boot <br />
/dev/nvme0n1p3 465.33 GB 10.02 GB 475.35 GB dell7480 <br />
/dev/sda 57.30 GB PARTITIONED<br />
/dev/sda1 57.30 GB <br />
/dev/zram0 8.00 GB SWAP <br />
---------------------------------------------------------------------<br />
---------------------------------------------------------<br />
Pool Type Devices Free Used Total <br />
---------------------------------------------------------<br />
dell7480 btrfs 1 467.30 GB 8.05 GB 475.35 GB <br />
---------------------------------------------------------<br />
--------------------------------------------------------------------------------------<br />
Volume Pool Volume size FS FS size Free Type Mount point<br />
--------------------------------------------------------------------------------------<br />
dell7480 dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs <br />
dell7480:home dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs /home <br />
dell7480:root dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs / <br />
/dev/nvme0n1p1 600.00 MB vfat part /boot/efi <br />
/dev/nvme0n1p2 1.00 GB ext4 1.00 GB 677.35 MB part /boot <br />
/dev/sda1 57.30 GB exfat part <br />
--------------------------------------------------------------------------------------<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''11)''' Just in case, always synchronize cached writes to persistent storage prior to removing the USB flash drive.<br />
[root@dell7480 ~]# sync;sync;<br />
<br />
[root@dell7480 ~]#</div>
Rwh
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Create_A_GPT_Disk_With_EFI_System_And_exFAT_Partitions_Using_Parted&diff=9734
HowTo Create A GPT Disk With EFI System And exFAT Partitions Using Parted
2022-02-16T14:41:29Z
<p>Rwh: /* Summary */</p>
<hr />
<div>__TOC__<br />
== '''Overview''' ==<br />
The purpose of this article is to create a disk that can be read / written to by all major operating systems (i.e., macOS, Windows and Linux). A removable USB storage device containing [https://en.wikipedia.org/wiki/Solid-state_drive SSD SATA] or [https://en.wikipedia.org/wiki/NVM_Express NVMe] media formatted with an [https://en.wikipedia.org/wiki/ExFAT exFAT] partition can be used to accomplish this. At the time of this writing, January 02, 2020, a removable USB-C drive containing a CORSAIR FORCE Series MP500 120GB NVMe storage device will be demonstrated.<br />
<br />
The USB drive is attached to an NST system as device: "'''/dev/sdc'''". The [https://en.wikipedia.org/wiki/GNU_Parted parted] disk utility will be used to create a [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table (GPT)] disk label, the [https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition] and the exFAT partition. GPT partitioning allows one to use all available disk space for disk drives that exceed 2TB in size. The is one of the limitations for legacy [https://en.wikipedia.org/wiki/Master_boot_record MBR] partitioning.<br />
<br />
The following diagram is an example GUID Partition Table layout:<br />
[[File:Guid partition table.svg|center|frame| Wikipedia Reference: The layout of a disk with the GUID Partition Table. In this example, each logical block is 512 bytes in size and each entry has 128 bytes. The corresponding partition entries are assumed to be located in LBA 2–33. Negative LBA addresses indicate a position from the end of the volume, with −1 being the last addressable block.]]<br />
<br />
== Zero Out Previous Disk Label - Optional ==<br />
This optional step will zero out any previous disk label. We will use the [http://dcfldd.sourceforge.net/ dcfldd] utility. The first 1GB of the disk will be zeroed out:<br />
<br />
[root@shopper2 ~]# dcfldd if=/dev/zero of=/dev/sdc statusinterval=64 bs=1M count=1k;<br />
1024 blocks (1024Mb) written.<br />
1024+0 records in<br />
1024+0 records out<br />
[root@shopper2 ~]#<br />
<br />
We can now used parted to examine the disk and see that we are starting out with an "unrecognized" disk structure:<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print;<br />
Error: /dev/sdc: unrecognised disk label<br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: unknown<br />
Disk Flags: <br />
[root@shopper2 ~]#<br />
<br />
== Create GPT Disk Label ==<br />
The GPT disk label will now be created:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mklabel gpt <br />
(parted) quit<br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create EFI System Partition ==<br />
A new EFI System Partition will be created using the following commands (the recommended size is at least 260 MiB):<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mkpart primary fat32 1MiB 261MiB <br />
(parted) set 1 esp on <br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB fat32 primary boot, esp<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create exFAT Partition ==<br />
A new exFAT partition will now be created using the remaining unused disk area:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc; <br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
<br />
(parted) mkpart primary ntfs 261MiB 100%<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB ntfs primary<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB primary msftdata<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Format exFAT Partition ==<br />
Use the "'''mkfs.exfat'''" command to format the exFAT file system:<br />
<br />
[root@shopper2 ~]# mkfs.exfat -L NVMe /dev/sdc2<br />
mkexfatfs 1.3.0<br />
Creating... done.<br />
Flushing... done.<br />
File system created successfully.<br />
[root@shopper2 ~]#<br />
<br />
The "'''lsblk'''" command shows the newly created exFAT file system with label:<br />
[root@shopper2 ~]# /bin/lsblk -a -o name,label,size,fstype,model /dev/sdc;<br />
NAME LABEL SIZE FSTYPE MODEL<br />
sdc 111.8G USB3.1_NVME_DISK<br />
├─sdc1 260M <br />
└─sdc2 NVMe 111.5G exfat <br />
[root@shopper2 ~]#<br />
<br />
== Summary ==<br />
The newly formatted disk should now be readable and writable by all major operating systems (i.e., macOS, Windows and Linux). If not, use the method below: [[#Alternate_exFat_Partition_Creation_For_OS_Interoperability | Alternate exFat Partition Creation For OS Interoperability]].<br />
<br />
= Alternate exFat Partition Creation For OS Interoperability =<br />
This section shows the steps to create a single exFAT partition spanning an entire 64GB USB flash drive so that all major OSs (i.e., macOS, Windows and Linux) can mount and use the data on the drive.<br />
<br />
'''1)''' Use '''fdisk''' to identify the target USB drive on which the exFAT partition will be created. In this case it is "'''/dev/sda'''".<br />
[root@dell7480 ~]# fdisk -l;<br />
Disk /dev/nvme0n1: 476.94 GiB, 512110190592 bytes, 1000215216 sectors<br />
Disk model: FPI512MWR7 <br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: gpt<br />
Disk identifier: B276CCFE-BD35-4510-9E92-B6E44CEEFAE8<br />
<br />
Device Start End Sectors Size Type<br />
/dev/nvme0n1p1 2048 1230847 1228800 600M EFI System<br />
/dev/nvme0n1p2 1230848 3327999 2097152 1G Linux filesystem<br />
/dev/nvme0n1p3 3328000 1000214527 996886528 475.4G Linux filesystem<br />
<br />
Disk /dev/zram0: 8 GiB, 8589934592 bytes, 2097152 sectors<br />
Units: sectors of 1 * 4096 = 4096 bytes<br />
Sector size (logical/physical): 4096 bytes / 4096 bytes<br />
I/O size (minimum/optimal): 4096 bytes / 4096 bytes<br />
<br />
Disk /dev/sda: 57.3 GiB, 61530439680 bytes, 120176640 sectors<br />
Disk model: SanDisk 3.2Gen1<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''2)''' Make sure the USB flash drive is not mounted. In this example the drive was auto-mounted at "'''/run/media/nst/59DF-5291'''" and must be unmounted first.<br />
[root@dell7480 ~]# df -h<br />
Filesystem Size Used Avail Use% Mounted on<br />
devtmpfs 7.8G 0 7.8G 0% /dev<br />
tmpfs 7.8G 0 7.8G 0% /dev/shm<br />
tmpfs 3.1G 2.0M 3.1G 1% /run<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /<br />
tmpfs 7.8G 2.1M 7.8G 1% /tmp<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /home<br />
/dev/nvme0n1p2 976M 248M 662M 28% /boot<br />
/dev/nvme0n1p1 599M 17M 583M 3% /boot/efi<br />
tmpfs 1.6G 96K 1.6G 1% /run/user/1000<br />
tmpfs 1.6G 72K 1.6G 1% /run/user/0<br />
/dev/sda1 58G 12M 58G 1% /run/media/nst/59DF-5291<br />
[root@dell7480 ~]# <br />
[root@dell7480 ~]# umount -v /run/media/nst/59DF-5291<br />
umount: /run/media/nst/59DF-5291 (/dev/sda1) unmounted<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''3)''' Use '''fdisk''' to remove any previously created partitions, create a '''GPT''' partition table and then make a new partition (i.e., "'''/dev/sda1'''") for exFAT using the entire USB drive.<br />
[root@dell7480 ~]# fdisk /dev/sda;<br />
<br />
Welcome to fdisk (util-linux 2.36.2).<br />
Changes will remain in memory only, until you decide to write them.<br />
Be careful before using the write command.<br />
<br />
Device does not contain a recognized partition table.<br />
Created a new DOS disklabel with disk identifier 0x997a9a9d.<br />
<br />
Command (m for help): d<br />
No partition is defined yet!<br />
<br />
Command (m for help): g<br />
<br />
Created a new GPT disklabel (GUID: 7D769FCD-8E49-9944-B4BA-C418633F0C4E).<br />
<br />
Command (m for help): n<br />
Partition number (1-128, default 1): <br />
First sector (2048-120176606, default 2048): <br />
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-120176606, default 120176606): <br />
<br />
Created a new partition 1 of type 'Linux filesystem' and of size 57.3 GiB.<br />
<br />
Command (m for help): w<br />
The partition table has been altered.<br />
Calling ioctl() to re-read partition table.<br />
Syncing disks.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''4)''' Show partition creation progress using '''parted'''.<br />
[root@dell7480 ~]# /sbin/parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''5)''' Use '''gdisk''' to make sure the partition table has been converted to '''GPT''' (a protective '''MBR''' is expected) and write it out.<br />
[root@dell7480 ~]# gdisk /dev/sda;<br />
GPT fdisk (gdisk) version 1.0.8<br />
<br />
Partition table scan:<br />
MBR: protective<br />
BSD: not present<br />
APM: not present<br />
GPT: present<br />
<br />
Found valid GPT with protective MBR; using GPT.<br />
<br />
Command (? for help): w<br />
<br />
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING<br />
PARTITIONS!!<br />
<br />
Do you want to proceed? (Y/N): Y<br />
OK; writing new GUID partition table (GPT) to /dev/sda.<br />
The operation has completed successfully.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''6)''' Use '''parted''' to set the partition type to "'''msftdata'''" (Microsoft Basic Data).<br />
[root@dell7480 ~]# parted /dev/sda;<br />
GNU Parted 3.4<br />
Using /dev/sda<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) set 1 msftdata on <br />
(parted) q <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''7)''' Show partition progress.<br />
[root@dell7480 ~]# parted -s /dev/sda print; <br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''8)''' Now format partition "'''/dev/sda1'''" as an exFAT file system using '''mkfs.exfat''' with the label "'''THUNDER2-1'''" and verbose mode on.<br />
[root@dell7480 ~]# mkfs.exfat -v -L THUNDER2-1 /dev/sda1;<br />
exfatprogs version : 1.1.2<br />
[exfat_get_blk_dev_info: 202] Block device name : /dev/sda1<br />
[exfat_get_blk_dev_info: 203] Block device offset : 1048576<br />
[exfat_get_blk_dev_info: 204] Block device size : 61529374208<br />
[exfat_get_blk_dev_info: 205] Block sector size : 512<br />
[exfat_get_blk_dev_info: 206] Number of the sectors : 120174559<br />
[exfat_get_blk_dev_info: 208] Number of the clusters : 469431<br />
[exfat_zero_out_disk: 516] zero out written size : 3538944, disk size : 61529374208<br />
Creating exFAT filesystem(/dev/sda1, cluster size=131072)<br />
<br />
Writing volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Writing backup volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Fat table creation: [exfat_create_fat_table: 307] Total used cluster count : 5<br />
done<br />
Allocation bitmap creation: done<br />
Upcase table creation: done<br />
Writing root directory entry: done<br />
Synchronizing...<br />
<br />
exFAT format complete!<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''9)''' Show final format using '''parted'''.<br />
[root@dell7480 ~]# parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags:<br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''10)''' Use the system storage manager ('''ssm''') to show the completed exFAT partition.<br />
[root@dell7480 ~]# ssm list<br />
---------------------------------------------------------------------<br />
Device Free Used Total Pool Mount point<br />
---------------------------------------------------------------------<br />
/dev/nvme0n1 476.94 GB PARTITIONED<br />
/dev/nvme0n1p1 600.00 MB /boot/efi <br />
/dev/nvme0n1p2 1.00 GB /boot <br />
/dev/nvme0n1p3 465.33 GB 10.02 GB 475.35 GB dell7480 <br />
/dev/sda 57.30 GB PARTITIONED<br />
/dev/sda1 57.30 GB <br />
/dev/zram0 8.00 GB SWAP <br />
---------------------------------------------------------------------<br />
---------------------------------------------------------<br />
Pool Type Devices Free Used Total <br />
---------------------------------------------------------<br />
dell7480 btrfs 1 467.30 GB 8.05 GB 475.35 GB <br />
---------------------------------------------------------<br />
--------------------------------------------------------------------------------------<br />
Volume Pool Volume size FS FS size Free Type Mount point<br />
--------------------------------------------------------------------------------------<br />
dell7480 dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs <br />
dell7480:home dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs /home <br />
dell7480:root dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs / <br />
/dev/nvme0n1p1 600.00 MB vfat part /boot/efi <br />
/dev/nvme0n1p2 1.00 GB ext4 1.00 GB 677.35 MB part /boot <br />
/dev/sda1 57.30 GB exfat part <br />
--------------------------------------------------------------------------------------<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''11)''' Just in case, always synchronize cached writes to persistent storage prior to removing the USB flash drive.<br />
[root@dell7480 ~]# sync;sync;<br />
<br />
[root@dell7480 ~]#</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Create_A_GPT_Disk_With_EFI_System_And_exFAT_Partitions_Using_Parted&diff=9733HowTo Create A GPT Disk With EFI System And exFAT Partitions Using Parted2022-02-16T14:41:06Z<p>Rwh: /* Summary */</p>
<hr />
<div>__TOC__<br />
== '''Overview''' ==<br />
The purpose of this article is to create a disk that can be read / written to by all major operating systems (i.e., macOS, Windows and Linux). A removable USB storage device containing [https://en.wikipedia.org/wiki/Solid-state_drive SSD SATA] or [https://en.wikipedia.org/wiki/NVM_Express NVMe] media formatted with an [https://en.wikipedia.org/wiki/ExFAT exFAT] partition can be used to accomplish this. At the time of this writing, January 02, 2020, a removable USB-C drive containing a CORSAIR FORCE Series MP500 120GB NVMe storage device will be demonstrated.<br />
<br />
The USB drive is attached to an NST system as device: "'''/dev/sdc'''". The [https://en.wikipedia.org/wiki/GNU_Parted parted] disk utility will be used to create a [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table (GPT)] disk label, the [https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition] and the exFAT partition. GPT partitioning allows one to use all available disk space on drives that exceed 2TB in size. This is one of the limitations of legacy [https://en.wikipedia.org/wiki/Master_boot_record MBR] partitioning.<br />
<br />
The following diagram is an example GUID Partition Table layout:<br />
[[File:Guid partition table.svg|center|frame| Wikipedia Reference: The layout of a disk with the GUID Partition Table. In this example, each logical block is 512 bytes in size and each entry has 128 bytes. The corresponding partition entries are assumed to be located in LBA 2–33. Negative LBA addresses indicate a position from the end of the volume, with −1 being the last addressable block.]]<br />
<br />
== Zero Out Previous Disk Label - Optional ==<br />
This optional step will zero out any previous disk label. We will use the [http://dcfldd.sourceforge.net/ dcfldd] utility. The first 1GB of the disk will be zeroed out:<br />
<br />
[root@shopper2 ~]# dcfldd if=/dev/zero of=/dev/sdc statusinterval=64 bs=1M count=1k;<br />
1024 blocks (1024Mb) written.<br />
1024+0 records in<br />
1024+0 records out<br />
[root@shopper2 ~]#<br />
<br />
We can now use parted to examine the disk and see that we are starting out with an "unrecognized" disk structure:<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print;<br />
Error: /dev/sdc: unrecognised disk label<br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: unknown<br />
Disk Flags: <br />
[root@shopper2 ~]#<br />
<br />
== Create GPT Disk Label ==<br />
The GPT disk label will now be created:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mklabel gpt <br />
(parted) quit<br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create EFI System Partition ==<br />
A new EFI System Partition will be created using the following commands (the recommended size is at least 260 MiB):<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mkpart primary fat32 1MiB 261MiB <br />
(parted) set 1 esp on <br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB fat32 primary boot, esp<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create exFAT Partition ==<br />
A new exFAT partition will now be created using the remaining unused disk area:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc; <br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
<br />
(parted) mkpart primary ntfs 261MiB 100%<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB ntfs primary<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB primary msftdata<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Format exFAT Partition ==<br />
Use the "'''mkfs.exfat'''" command to format the exFAT file system:<br />
<br />
[root@shopper2 ~]# mkfs.exfat -L NVMe /dev/sdc2<br />
mkexfatfs 1.3.0<br />
Creating... done.<br />
Flushing... done.<br />
File system created successfully.<br />
[root@shopper2 ~]#<br />
<br />
The "'''lsblk'''" command shows the newly created exFAT file system with its label:<br />
[root@shopper2 ~]# /bin/lsblk -a -o name,label,size,fstype,model /dev/sdc;<br />
NAME LABEL SIZE FSTYPE MODEL<br />
sdc 111.8G USB3.1_NVME_DISK<br />
├─sdc1 260M <br />
└─sdc2 NVMe 111.5G exfat <br />
[root@shopper2 ~]#<br />
<br />
== Summary ==<br />
The newly formatted disk should now be readable and writable by all major operating systems (i.e., macOS, Windows and Linux). If not, use the method below: [[#Alternate_exFat_Partition_Creation_For_OS_Interoperability]].<br />
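To confirm that a disk produced by either procedure on this page actually carries the intended table, here is an added Python example (not code from the NST wiki or from parted) that parses the primary GPT header at LBA 1 and its entry array at LBA 2-33, verifies both CRC32 checksums so a corrupted or hand-edited table is reported instead of silently trusted, and checks for an EFI System Partition at 1MiB followed by a Microsoft Basic Data (msftdata) partition. The sample image, its sector count and all GUIDs are constructed here; `sample_image(LINUX_FS_TYPE)` reproduces the state of the alternate method after fdisk's "n" command and before "set 1 msftdata on".

```python
import struct
import uuid
import zlib

# Geometry from the page's GPT diagram: 512-byte logical blocks, 128-byte
# partition entries, 128 entries filling LBA 2-33 (128 * 128 / 512 = 32 blocks).
BLOCK = 512
ENTRY_SIZE = 128
NUM_ENTRIES = 128
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"         # one 128-byte partition entry

# Partition type GUIDs behind parted's "esp" and "msftdata" flags, plus the
# "Linux filesystem" type fdisk assigns by default (step 3 of the alternate method).
ESP_TYPE = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")
MSFTDATA_TYPE = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")
LINUX_FS_TYPE = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")

# Constructed sector count for a 120GB-class disk (not taken from the page).
TOTAL_LBA = 234441648


def build_gpt_image(total_lba, partitions, disk_guid):
    """Emit LBA 0-33: protective MBR, primary GPT header and entry array.
    partitions: list of (type_guid, unique_guid, first_lba, last_lba, name).
    The backup header/array at the end of the disk is not part of this image."""
    entries = b"".join(
        struct.pack(ENTRY_FMT, t.bytes_le, u.bytes_le, first, last, 0,
                    name.encode("utf-16-le"))
        for t, u, first, last, name in partitions)
    entries = entries.ljust(NUM_ENTRIES * ENTRY_SIZE, b"\0")
    # The header CRC32 is computed with its own CRC field zeroed.
    hdr = struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                      1, total_lba - 1, 34, total_lba - 34, disk_guid.bytes_le,
                      2, NUM_ENTRIES, ENTRY_SIZE, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    # Protective MBR: a single type 0xEE entry covering the disk, 0x55AA signature.
    mbr = bytearray(BLOCK)
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF,
                               1, min(total_lba - 1, 0xFFFFFFFF))
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + hdr.ljust(BLOCK, b"\0") + entries


def parse_gpt(image):
    """Parse the primary GPT, verifying both CRC32 fields; raise on corruption."""
    hdr = image[BLOCK:2 * BLOCK]
    (sig, _rev, hsize, hcrc, _res, _cur, _backup, first_usable, last_usable,
     disk_guid, ent_lba, n_ent, ent_size, ent_crc) = struct.unpack_from(HEADER_FMT, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1 (unrecognised disk label)")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC32 mismatch")
    table = image[ent_lba * BLOCK:ent_lba * BLOCK + n_ent * ent_size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC32 mismatch")
    parts = []
    for i in range(n_ent):
        t, u, first, last, attrs, name = struct.unpack(
            ENTRY_FMT, table[i * ent_size:i * ent_size + ENTRY_SIZE])
        if t == b"\0" * 16:        # unused slot
            continue
        parts.append({"number": i + 1, "type": uuid.UUID(bytes_le=t),
                      "guid": uuid.UUID(bytes_le=u), "first_lba": first,
                      "last_lba": last, "attrs": attrs,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return {"disk_guid": uuid.UUID(bytes_le=disk_guid), "first_usable": first_usable,
            "last_usable": last_usable, "partitions": parts}


def check_layout(info):
    """Return deviations from the intended ESP + msftdata layout (empty list = OK)."""
    problems = []
    parts = sorted(info["partitions"], key=lambda p: p["first_lba"])
    if len(parts) != 2:
        return [f"expected 2 partitions, found {len(parts)}"]
    esp, data = parts
    if esp["type"] != ESP_TYPE:
        problems.append("partition 1 is not an EFI System Partition")
    if esp["first_lba"] != 2048:   # 1MiB start, shown by parted as 1049kB
        problems.append("partition 1 does not start at 1MiB")
    if data["type"] != MSFTDATA_TYPE:
        problems.append("partition 2 lacks the msftdata (Microsoft Basic Data) type")
    if data["first_lba"] <= esp["last_lba"]:
        problems.append("partitions overlap")
    if esp["first_lba"] < info["first_usable"] or data["last_lba"] > info["last_usable"]:
        problems.append("a partition lies outside the usable LBA range")
    return problems


def sample_image(data_type=MSFTDATA_TYPE):
    """Constructed sample: ESP at 1MiB-261MiB, data partition to the end of the
    disk; the GUIDs are made up. LINUX_FS_TYPE gives the pre-"set 1 msftdata on" state."""
    return build_gpt_image(TOTAL_LBA, [
        (ESP_TYPE, uuid.UUID(int=1), 2048, 534527, "primary"),
        (data_type, uuid.UUID(int=2), 534528, TOTAL_LBA - 34, "primary"),
    ], uuid.UUID(int=0xabc))
```

Against a real device, feed it the first 34 blocks as root, e.g. `check_layout(parse_gpt(open("/dev/sdc", "rb").read(34 * BLOCK)))`; an empty list means the table matches the layout built above.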
<br />
= Alternate exFat Partition Creation For OS Interoperability =<br />
This section shows the steps to create a single exFAT partition spanning an entire 64GB USB flash drive so that all major OSs (i.e., macOS, Windows and Linux) can mount and use the data on the drive.<br />
<br />
'''1)''' Use '''fdisk''' to identify the target USB drive on which the exFAT partition will be created. In this case it is "'''/dev/sda'''".<br />
[root@dell7480 ~]# fdisk -l;<br />
Disk /dev/nvme0n1: 476.94 GiB, 512110190592 bytes, 1000215216 sectors<br />
Disk model: FPI512MWR7 <br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: gpt<br />
Disk identifier: B276CCFE-BD35-4510-9E92-B6E44CEEFAE8<br />
<br />
Device Start End Sectors Size Type<br />
/dev/nvme0n1p1 2048 1230847 1228800 600M EFI System<br />
/dev/nvme0n1p2 1230848 3327999 2097152 1G Linux filesystem<br />
/dev/nvme0n1p3 3328000 1000214527 996886528 475.4G Linux filesystem<br />
<br />
Disk /dev/zram0: 8 GiB, 8589934592 bytes, 2097152 sectors<br />
Units: sectors of 1 * 4096 = 4096 bytes<br />
Sector size (logical/physical): 4096 bytes / 4096 bytes<br />
I/O size (minimum/optimal): 4096 bytes / 4096 bytes<br />
<br />
Disk /dev/sda: 57.3 GiB, 61530439680 bytes, 120176640 sectors<br />
Disk model: SanDisk 3.2Gen1<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''2)''' Make sure the USB flash drive is not mounted. In this example the drive was auto-mounted at "'''/run/media/nst/59DF-5291'''" and must be unmounted first.<br />
[root@dell7480 ~]# df -h<br />
Filesystem Size Used Avail Use% Mounted on<br />
devtmpfs 7.8G 0 7.8G 0% /dev<br />
tmpfs 7.8G 0 7.8G 0% /dev/shm<br />
tmpfs 3.1G 2.0M 3.1G 1% /run<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /<br />
tmpfs 7.8G 2.1M 7.8G 1% /tmp<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /home<br />
/dev/nvme0n1p2 976M 248M 662M 28% /boot<br />
/dev/nvme0n1p1 599M 17M 583M 3% /boot/efi<br />
tmpfs 1.6G 96K 1.6G 1% /run/user/1000<br />
tmpfs 1.6G 72K 1.6G 1% /run/user/0<br />
/dev/sda1 58G 12M 58G 1% /run/media/nst/59DF-5291<br />
[root@dell7480 ~]# <br />
[root@dell7480 ~]# umount -v /run/media/nst/59DF-5291<br />
umount: /run/media/nst/59DF-5291 (/dev/sda1) unmounted<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''3)''' Use '''fdisk''' to remove any previously created partitions, create a '''GPT''' partition table and then make a new partition (i.e., "'''/dev/sda1'''") for exFAT using the entire USB drive.<br />
[root@dell7480 ~]# fdisk /dev/sda;<br />
<br />
Welcome to fdisk (util-linux 2.36.2).<br />
Changes will remain in memory only, until you decide to write them.<br />
Be careful before using the write command.<br />
<br />
Device does not contain a recognized partition table.<br />
Created a new DOS disklabel with disk identifier 0x997a9a9d.<br />
<br />
Command (m for help): d<br />
No partition is defined yet!<br />
<br />
Command (m for help): g<br />
<br />
Created a new GPT disklabel (GUID: 7D769FCD-8E49-9944-B4BA-C418633F0C4E).<br />
<br />
Command (m for help): n<br />
Partition number (1-128, default 1): <br />
First sector (2048-120176606, default 2048): <br />
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-120176606, default 120176606): <br />
<br />
Created a new partition 1 of type 'Linux filesystem' and of size 57.3 GiB.<br />
<br />
Command (m for help): w<br />
The partition table has been altered.<br />
Calling ioctl() to re-read partition table.<br />
Syncing disks.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''4)''' Show partition creation progress using '''parted'''.<br />
[root@dell7480 ~]# /sbin/parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''5)''' Use '''gdisk''' to make sure the partition table has been converted to '''GPT''' (a protective '''MBR''' is expected) and write it out.<br />
[root@dell7480 ~]# gdisk /dev/sda;<br />
GPT fdisk (gdisk) version 1.0.8<br />
<br />
Partition table scan:<br />
MBR: protective<br />
BSD: not present<br />
APM: not present<br />
GPT: present<br />
<br />
Found valid GPT with protective MBR; using GPT.<br />
<br />
Command (? for help): w<br />
<br />
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING<br />
PARTITIONS!!<br />
<br />
Do you want to proceed? (Y/N): Y<br />
OK; writing new GUID partition table (GPT) to /dev/sda.<br />
The operation has completed successfully.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''6)''' Use '''parted''' to set the partition type to "'''msftdata'''" (Microsoft Basic Data).<br />
[root@dell7480 ~]# parted /dev/sda;<br />
GNU Parted 3.4<br />
Using /dev/sda<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) set 1 msftdata on <br />
(parted) q <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''7)''' Show partition progress.<br />
[root@dell7480 ~]# parted -s /dev/sda print; <br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''8)''' Now format partition "'''/dev/sda1'''" as an exFAT file system using '''mkfs.exfat''' with the label "'''THUNDER2-1'''" and verbose mode on.<br />
[root@dell7480 ~]# mkfs.exfat -v -L THUNDER2-1 /dev/sda1;<br />
exfatprogs version : 1.1.2<br />
[exfat_get_blk_dev_info: 202] Block device name : /dev/sda1<br />
[exfat_get_blk_dev_info: 203] Block device offset : 1048576<br />
[exfat_get_blk_dev_info: 204] Block device size : 61529374208<br />
[exfat_get_blk_dev_info: 205] Block sector size : 512<br />
[exfat_get_blk_dev_info: 206] Number of the sectors : 120174559<br />
[exfat_get_blk_dev_info: 208] Number of the clusters : 469431<br />
[exfat_zero_out_disk: 516] zero out written size : 3538944, disk size : 61529374208<br />
Creating exFAT filesystem(/dev/sda1, cluster size=131072)<br />
<br />
Writing volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Writing backup volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Fat table creation: [exfat_create_fat_table: 307] Total used cluster count : 5<br />
done<br />
Allocation bitmap creation: done<br />
Upcase table creation: done<br />
Writing root directory entry: done<br />
Synchronizing...<br />
<br />
exFAT format complete!<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''9)''' Show final format using '''parted'''.<br />
[root@dell7480 ~]# parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags:<br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''10)''' Use the system storage manager ('''ssm''') to show the completed exFAT partition.<br />
[root@dell7480 ~]# ssm list<br />
---------------------------------------------------------------------<br />
Device Free Used Total Pool Mount point<br />
---------------------------------------------------------------------<br />
/dev/nvme0n1 476.94 GB PARTITIONED<br />
/dev/nvme0n1p1 600.00 MB /boot/efi <br />
/dev/nvme0n1p2 1.00 GB /boot <br />
/dev/nvme0n1p3 465.33 GB 10.02 GB 475.35 GB dell7480 <br />
/dev/sda 57.30 GB PARTITIONED<br />
/dev/sda1 57.30 GB <br />
/dev/zram0 8.00 GB SWAP <br />
---------------------------------------------------------------------<br />
---------------------------------------------------------<br />
Pool Type Devices Free Used Total <br />
---------------------------------------------------------<br />
dell7480 btrfs 1 467.30 GB 8.05 GB 475.35 GB <br />
---------------------------------------------------------<br />
--------------------------------------------------------------------------------------<br />
Volume Pool Volume size FS FS size Free Type Mount point<br />
--------------------------------------------------------------------------------------<br />
dell7480 dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs <br />
dell7480:home dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs /home <br />
dell7480:root dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs / <br />
/dev/nvme0n1p1 600.00 MB vfat part /boot/efi <br />
/dev/nvme0n1p2 1.00 GB ext4 1.00 GB 677.35 MB part /boot <br />
/dev/sda1 57.30 GB exfat part <br />
--------------------------------------------------------------------------------------<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''11)''' Just in case, always synchronize cached writes to persistent storage prior to removing the USB flash drive.<br />
[root@dell7480 ~]# sync;sync;<br />
<br />
[root@dell7480 ~]#</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Create_A_GPT_Disk_With_EFI_System_And_exFAT_Partitions_Using_Parted&diff=9732HowTo Create A GPT Disk With EFI System And exFAT Partitions Using Parted2022-02-16T14:39:37Z<p>Rwh: /* Summary */</p>
<hr />
<div>__TOC__<br />
== '''Overview''' ==<br />
The purpose of this article is to create a disk that can be read / written to by all major operating systems (i.e., macOS, Windows and Linux). A removable USB storage device containing [https://en.wikipedia.org/wiki/Solid-state_drive SSD SATA] or [https://en.wikipedia.org/wiki/NVM_Express NVMe] media formatted with an [https://en.wikipedia.org/wiki/ExFAT exFAT] partition can be used to accomplish this. At the time of this writing, January 02, 2020, a removable USB-C drive containing a CORSAIR FORCE Series MP500 120GB NVMe storage device will be demonstrated.<br />
<br />
The USB drive is attached to an NST system as device: "'''/dev/sdc'''". The [https://en.wikipedia.org/wiki/GNU_Parted parted] disk utility will be used to create a [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table (GPT)] disk label, the [https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition] and the exFAT partition. GPT partitioning allows one to use all available disk space on drives that exceed 2TB in size. This is one of the limitations of legacy [https://en.wikipedia.org/wiki/Master_boot_record MBR] partitioning.<br />
<br />
The following diagram is an example GUID Partition Table layout:<br />
[[File:Guid partition table.svg|center|frame| Wikipedia Reference: The layout of a disk with the GUID Partition Table. In this example, each logical block is 512 bytes in size and each entry has 128 bytes. The corresponding partition entries are assumed to be located in LBA 2–33. Negative LBA addresses indicate a position from the end of the volume, with −1 being the last addressable block.]]<br />
<br />
== Zero Out Previous Disk Label - Optional ==<br />
This optional step will zero out any previous disk label. We will use the [http://dcfldd.sourceforge.net/ dcfldd] utility. The first 1GB of the disk will be zeroed out:<br />
<br />
[root@shopper2 ~]# dcfldd if=/dev/zero of=/dev/sdc statusinterval=64 bs=1M count=1k;<br />
1024 blocks (1024Mb) written.<br />
1024+0 records in<br />
1024+0 records out<br />
[root@shopper2 ~]#<br />
<br />
We can now use parted to examine the disk and see that we are starting out with an "unrecognized" disk structure:<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print;<br />
Error: /dev/sdc: unrecognised disk label<br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: unknown<br />
Disk Flags: <br />
[root@shopper2 ~]#<br />
<br />
== Create GPT Disk Label ==<br />
The GPT disk label will now be created:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mklabel gpt <br />
(parted) quit<br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create EFI System Partition ==<br />
A new EFI System Partition will be created using the following commands (the recommended size is at least 260 MiB):<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mkpart primary fat32 1MiB 261MiB <br />
(parted) set 1 esp on <br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB fat32 primary boot, esp<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create exFAT Partition ==<br />
A new exFAT partition will now be created using the remaining unused disk area:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc; <br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
<br />
(parted) mkpart primary ntfs 261MiB 100%<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB ntfs primary<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB primary msftdata<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Format exFAT Partition ==<br />
Use the "'''mkfs.exfat'''" command to format the exFAT file system:<br />
<br />
[root@shopper2 ~]# mkfs.exfat -L NVMe /dev/sdc2<br />
mkexfatfs 1.3.0<br />
Creating... done.<br />
Flushing... done.<br />
File system created successfully.<br />
[root@shopper2 ~]#<br />
<br />
The "'''lsblk'''" command shows the newly created exFAT file system with its label. Note that '''sdc1''' shows no FSTYPE: parted only created the EFI System Partition, so it still has to be formatted (for example with '''mkfs.vfat -F 32 /dev/sdc1''') before it can hold boot loaders:<br />
[root@shopper2 ~]# /bin/lsblk -a -o name,label,size,fstype,model /dev/sdc;<br />
NAME LABEL SIZE FSTYPE MODEL<br />
sdc 111.8G USB3.1_NVME_DISK<br />
├─sdc1 260M <br />
└─sdc2 NVMe 111.5G exfat <br />
[root@shopper2 ~]#<br />
<br />
== Summary ==<br />
The newly formatted disk should now be readable and writable by all major operating systems (i.e., macOS, Windows and Linux). If not, use the method below: [[HowTo_Create_A_GPT_Disk_With_EFI_System_And_exFAT_Partitions_Using_Parted#Alternate_exFat_Partition_Creation_For_OS_Interoperability]].<br />
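<br />
The interactive parted session above as a single non-interactive script. This is an added example, not the page's own procedure or an NST script: it refuses to run on a non-removable or mounted disk, wipes stale signatures first, applies the same mklabel/mkpart/set sequence, formats the EFI System Partition (which the session above leaves unformatted) as well as the exFAT volume, and verifies the result with lsblk. Its "whole" layout also produces the single msftdata partition of the alternate fdisk procedure in the next section. The helper names (check_target_disk, part_dev, parted_cmds, make_disk), the default label and the sysfs/mounts parameters are assumptions of this example.<br />

```sh
#!/bin/sh
# Added example, not code from the NST wiki page: a non-interactive version of
# the parted procedure above, with the guard rails a practitioner wants before
# rewriting a partition table. Assumptions: util-linux (lsblk, wipefs, udevadm),
# parted 3.1 or newer (partprobe, msftdata flag), dosfstools (mkfs.vfat) and
# exfatprogs or exfat-utils (mkfs.exfat) are installed, and the target uses
# Linux sd*/nvme*n* device naming.
set -eu

ESP_START_MIB=1     # leaves LBA 0-2047 for the protective MBR and GPT structures
ESP_SIZE_MIB=260    # the minimum EFI System Partition size the page recommends

# Partition node for a whole-disk node: /dev/sdc 2 -> /dev/sdc2, /dev/nvme0n1 2 -> /dev/nvme0n1p2
part_dev() {
  case "$1" in
    *[0-9]) printf '%s\n' "${1}p$2" ;;
    *)      printf '%s\n' "$1$2" ;;
  esac
}

# parted command sequence, one command per line (pure text, touches no device).
# layout=esp reproduces the page's ESP + exFAT layout; layout=whole gives the
# single msftdata partition that the alternate fdisk procedure produces.
parted_cmds() {
  local layout="${1:-esp}" esp_end
  esp_end=$((ESP_START_MIB + ESP_SIZE_MIB))
  printf '%s\n' "mklabel gpt"
  if [ "$layout" = esp ]; then
    # On GPT the first mkpart argument is the partition name, not "primary" in
    # the MBR sense; the fs-type only selects the type GUID and formats nothing.
    printf '%s\n' "mkpart ESP fat32 ${ESP_START_MIB}MiB ${esp_end}MiB" "set 1 esp on"
    # parted has no exfat fs-type; ntfs yields Microsoft basic data, as on the page.
    printf '%s\n' "mkpart DATA ntfs ${esp_end}MiB 100%" "set 2 msftdata on"
  else
    printf '%s\n' "mkpart DATA ntfs ${ESP_START_MIB}MiB 100%" "set 1 msftdata on"
  fi
}

# Refuse to touch anything but a whole, removable, currently unmounted disk.
# The sysfs root and mounts table are parameters so the gate can be exercised
# without real hardware.
check_target_disk() {
  local dev="$1" sysroot="${2:-/sys/block}" mounts="${3:-/proc/mounts}" name
  name="${dev##*/}"
  [ -d "$sysroot/$name" ] || { echo "$dev: not a whole-disk device" >&2; return 1; }
  [ "$(cat "$sysroot/$name/removable" 2>/dev/null)" = 1 ] \
    || { echo "$dev: not flagged removable, refusing (could be a system disk)" >&2; return 1; }
  if grep -q "^$dev[^ ]* " "$mounts"; then       # the disk itself or any partition on it
    echo "$dev: has mounted partitions, unmount them first" >&2; return 1
  fi
}

make_disk() {
  local dev="$1" layout="${2:-esp}" label="${3:-NVMe}"
  check_target_disk "$dev"
  wipefs --all "$dev"                          # drop stale MBR/GPT/filesystem signatures
  parted_cmds "$layout" | while read -r cmd; do
    # shellcheck disable=SC2086  # splitting $cmd into parted arguments is intended
    parted -s -a optimal "$dev" $cmd
  done
  partprobe "$dev"
  udevadm settle
  if [ "$layout" = esp ]; then
    mkfs.vfat -F 32 -n ESP "$(part_dev "$dev" 1)"   # parted did not format the ESP
    mkfs.exfat -L "$label" "$(part_dev "$dev" 2)"
  else
    mkfs.exfat -L "$label" "$(part_dev "$dev" 1)"
  fi
  sync
  # Verify from the kernel's view rather than parted's own echo of the commands.
  lsblk -o NAME,SIZE,FSTYPE,LABEL,PARTTYPE "$dev"
}

# usage: sh make_exfat_disk.sh /dev/sdc [esp|whole] [LABEL]
if [ $# -gt 0 ]; then make_disk "$@"; fi
```

The removable check reads the kernel's '''removable''' attribute from sysfs, so an internal SATA or NVMe disk such as the one in the alternate procedure's '''fdisk -l''' listing is rejected even if the device name is typed by mistake; the mount check looks at '''/proc/mounts''' for the disk or any of its partitions, which catches the auto-mounted case shown in step 2 below.<br />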
<br />
= Alternate exFat Partition Creation For OS Interoperability =<br />
This section shows the steps to create a single exFAT partition spanning a 64GB USB flash drive so that all major OSs (i.e., macOS, Windows and Linux) can mount and use the data on the drive.<br />
<br />
'''1)''' Use '''fdisk''' to identify the target USB drive on which the exFAT partition will be created. In this case it is "'''/dev/sda'''":<br />
[root@dell7480 ~]# fdisk -l;<br />
Disk /dev/nvme0n1: 476.94 GiB, 512110190592 bytes, 1000215216 sectors<br />
Disk model: FPI512MWR7 <br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: gpt<br />
Disk identifier: B276CCFE-BD35-4510-9E92-B6E44CEEFAE8<br />
<br />
Device Start End Sectors Size Type<br />
/dev/nvme0n1p1 2048 1230847 1228800 600M EFI System<br />
/dev/nvme0n1p2 1230848 3327999 2097152 1G Linux filesystem<br />
/dev/nvme0n1p3 3328000 1000214527 996886528 475.4G Linux filesystem<br />
<br />
Disk /dev/zram0: 8 GiB, 8589934592 bytes, 2097152 sectors<br />
Units: sectors of 1 * 4096 = 4096 bytes<br />
Sector size (logical/physical): 4096 bytes / 4096 bytes<br />
I/O size (minimum/optimal): 4096 bytes / 4096 bytes<br />
<br />
Disk /dev/sda: 57.3 GiB, 61530439680 bytes, 120176640 sectors<br />
Disk model: SanDisk 3.2Gen1<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''2)''' Make sure the USB flash drive is not mounted. In this example it was auto-mounted at: "'''/run/media/nst/59DF-5291'''":<br />
[root@dell7480 ~]# df -h<br />
Filesystem Size Used Avail Use% Mounted on<br />
devtmpfs 7.8G 0 7.8G 0% /dev<br />
tmpfs 7.8G 0 7.8G 0% /dev/shm<br />
tmpfs 3.1G 2.0M 3.1G 1% /run<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /<br />
tmpfs 7.8G 2.1M 7.8G 1% /tmp<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /home<br />
/dev/nvme0n1p2 976M 248M 662M 28% /boot<br />
/dev/nvme0n1p1 599M 17M 583M 3% /boot/efi<br />
tmpfs 1.6G 96K 1.6G 1% /run/user/1000<br />
tmpfs 1.6G 72K 1.6G 1% /run/user/0<br />
/dev/sda1 58G 12M 58G 1% /run/media/nst/59DF-5291<br />
[root@dell7480 ~]# <br />
[root@dell7480 ~]# umount -v /run/media/nst/59DF-5291<br />
umount: /run/media/nst/59DF-5291 (/dev/sda1) unmounted<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''3)''' Use '''fdisk''' to remove any previously created partitions, create a '''GPT''' partition table and then make a new partition (i.e., "'''/dev/sda1'''") for exFAT using the entire USB drive. Note that '''fdisk''' creates the partition with its default type "Linux filesystem"; step 6 changes it to Microsoft Basic Data.<br />
[root@dell7480 ~]# fdisk /dev/sda;<br />
<br />
Welcome to fdisk (util-linux 2.36.2).<br />
Changes will remain in memory only, until you decide to write them.<br />
Be careful before using the write command.<br />
<br />
Device does not contain a recognized partition table.<br />
Created a new DOS disklabel with disk identifier 0x997a9a9d.<br />
<br />
Command (m for help): d<br />
No partition is defined yet!<br />
<br />
Command (m for help): g<br />
<br />
Created a new GPT disklabel (GUID: 7D769FCD-8E49-9944-B4BA-C418633F0C4E).<br />
<br />
Command (m for help): n<br />
Partition number (1-128, default 1): <br />
First sector (2048-120176606, default 2048): <br />
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-120176606, default 120176606): <br />
<br />
Created a new partition 1 of type 'Linux filesystem' and of size 57.3 GiB.<br />
<br />
Command (m for help): w<br />
The partition table has been altered.<br />
Calling ioctl() to re-read partition table.<br />
Syncing disks.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''4)''' Show partition creation progress using '''parted'''.<br />
[root@dell7480 ~]# /sbin/parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''5)''' Use '''gdisk''' to verify that the disk carries a valid '''GPT''' with a protective MBR, and rewrite the GPT structures.<br />
[root@dell7480 ~]# gdisk /dev/sda;<br />
GPT fdisk (gdisk) version 1.0.8<br />
<br />
Partition table scan:<br />
MBR: protective<br />
BSD: not present<br />
APM: not present<br />
GPT: present<br />
<br />
Found valid GPT with protective MBR; using GPT.<br />
<br />
Command (? for help): w<br />
<br />
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING<br />
PARTITIONS!!<br />
<br />
Do you want to proceed? (Y/N): Y<br />
OK; writing new GUID partition table (GPT) to /dev/sda.<br />
The operation has completed successfully.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''6)''' Set the partition type to: "'''msftdata'''" (Microsoft Basic Data), the type Windows and macOS expect for an exFAT volume.<br />
[root@dell7480 ~]# parted /dev/sda;<br />
GNU Parted 3.4<br />
Using /dev/sda<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) set 1 msftdata on <br />
(parted) q <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''7)''' Show partition progress.<br />
[root@dell7480 ~]# parted -s /dev/sda print; <br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''8)''' Now format partition "'''/dev/sda1'''" as an exFAT file system using '''mkfs.exfat''' (here from exfatprogs) with the label "'''THUNDER2-1'''" and verbose mode on.<br />
[root@dell7480 ~]# mkfs.exfat -v -L THUNDER2-1 /dev/sda1;<br />
exfatprogs version : 1.1.2<br />
[exfat_get_blk_dev_info: 202] Block device name : /dev/sda1<br />
[exfat_get_blk_dev_info: 203] Block device offset : 1048576<br />
[exfat_get_blk_dev_info: 204] Block device size : 61529374208<br />
[exfat_get_blk_dev_info: 205] Block sector size : 512<br />
[exfat_get_blk_dev_info: 206] Number of the sectors : 120174559<br />
[exfat_get_blk_dev_info: 208] Number of the clusters : 469431<br />
[exfat_zero_out_disk: 516] zero out written size : 3538944, disk size : 61529374208<br />
Creating exFAT filesystem(/dev/sda1, cluster size=131072)<br />
<br />
Writing volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Writing backup volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Fat table creation: [exfat_create_fat_table: 307] Total used cluster count : 5<br />
done<br />
Allocation bitmap creation: done<br />
Upcase table creation: done<br />
Writing root directory entry: done<br />
Synchronizing...<br />
<br />
exFAT format complete!<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''9)''' Show final format using '''parted'''.<br />
[root@dell7480 ~]# parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags:<br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''10)''' Use the system storage manager ('''ssm''') to show the completed exFAT partition.<br />
[root@dell7480 ~]# ssm list<br />
---------------------------------------------------------------------<br />
Device Free Used Total Pool Mount point<br />
---------------------------------------------------------------------<br />
/dev/nvme0n1 476.94 GB PARTITIONED<br />
/dev/nvme0n1p1 600.00 MB /boot/efi <br />
/dev/nvme0n1p2 1.00 GB /boot <br />
/dev/nvme0n1p3 465.33 GB 10.02 GB 475.35 GB dell7480 <br />
/dev/sda 57.30 GB PARTITIONED<br />
/dev/sda1 57.30 GB <br />
/dev/zram0 8.00 GB SWAP <br />
---------------------------------------------------------------------<br />
---------------------------------------------------------<br />
Pool Type Devices Free Used Total <br />
---------------------------------------------------------<br />
dell7480 btrfs 1 467.30 GB 8.05 GB 475.35 GB <br />
---------------------------------------------------------<br />
--------------------------------------------------------------------------------------<br />
Volume Pool Volume size FS FS size Free Type Mount point<br />
--------------------------------------------------------------------------------------<br />
dell7480 dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs <br />
dell7480:home dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs /home <br />
dell7480:root dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs / <br />
/dev/nvme0n1p1 600.00 MB vfat part /boot/efi <br />
/dev/nvme0n1p2 1.00 GB ext4 1.00 GB 677.35 MB part /boot <br />
/dev/sda1 57.30 GB exfat part <br />
--------------------------------------------------------------------------------------<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''11)''' Always flush cached writes to persistent storage before removing the USB flash drive.<br />
[root@dell7480 ~]# sync;sync;<br />
<br />
[root@dell7480 ~]#</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Create_A_GPT_Disk_With_EFI_System_And_exFAT_Partitions_Using_Parted&diff=9731HowTo Create A GPT Disk With EFI System And exFAT Partitions Using Parted2022-02-16T14:38:20Z<p>Rwh: </p>
<hr />
<div></div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Create_A_GPT_Disk_With_EFI_System_And_exFAT_Partitions_Using_Parted&diff=9730HowTo Create A GPT Disk With EFI System And exFAT Partitions Using Parted2022-02-16T14:35:05Z<p>Rwh: /* Summary */</p>
<hr />
<div>__TOC__<br />
== '''Overview''' ==<br />
The purpose of this article is to create a disk that can be read and written by all major operating systems (i.e., macOS, Windows and Linux). A removable USB storage device containing [https://en.wikipedia.org/wiki/Solid-state_drive SSD SATA] or [https://en.wikipedia.org/wiki/NVM_Express NVMe] media formatted with an [https://en.wikipedia.org/wiki/ExFAT exFAT] partition can be used to accomplish this. At the time of this writing, January 02, 2020, a removable USB-C drive containing a CORSAIR FORCE Series MP500 120GB NVMe storage device is used for the demonstration.<br />
<br />
The USB drive is attached to an NST system as device: "'''/dev/sdc'''". The [https://en.wikipedia.org/wiki/GNU_Parted parted] disk utility will be used to create a [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table (GPT)] disk label, the [https://en.wikipedia.org/wiki/EFI_system_partition EFI System Partition] and the exFAT partition. GPT partitioning allows one to use all available space on disk drives that exceed 2TB in size; that limit is one of the limitations of legacy [https://en.wikipedia.org/wiki/Master_boot_record MBR] partitioning.<br />
<br />
The following diagram is an example GUID Partition Table layout:<br />
[[File:Guid partition table.svg|center|frame| Wikipedia Reference: The layout of a disk with the GUID Partition Table. In this example, each logical block is 512 bytes in size and each entry has 128 bytes. The corresponding partition entries are assumed to be located in LBA 2–33. Negative LBA addresses indicate a position from the end of the volume, with −1 being the last addressable block.]]<br />
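<br />
A reader for the on-disk structures in that diagram, added here as an example and not part of the NST page or its scripts: it checks the protective MBR in LBA 0, reads the header in LBA 1, walks the partition entry array from LBA 2 and prints each used entry's LBA range and type GUID, naming the GUIDs behind parted's '''esp''' and '''msftdata''' flags. It assumes 512-byte sectors, a little-endian host and only POSIX sh with od, dd and awk, and it does not verify the header and entry CRC32s. The '''make_sample_gpt''' function builds a constructed 34-sector image laid out like the disk on this page so the reader can be tried without a real device; the function names and the sample LBA values are assumptions of this example.<br />

```sh
#!/bin/sh
# Added example, not from the NST wiki page: read the on-disk GPT structures
# (protective MBR in LBA 0, header in LBA 1, 128-byte partition entries from
# LBA 2) and report what the table itself says, independent of how parted or
# fdisk render it. Assumptions: 512-byte logical sectors (as on the drives on
# this page), a little-endian host, POSIX sh plus od/dd/awk. CRCs are not checked.
set -eu
SECTOR=512

# Unsigned little-endian integer of $3 bytes at byte offset $2 of file/device $1.
le_uint() { od -An -v -t "u$3" -j "$2" -N "$3" "$1" | tr -d ' '; }

# Canonical text of the 16-byte GUID at byte offset $2: the first three fields
# are stored little-endian on disk, the last eight bytes as-is.
guid_at() {
  od -An -v -t x1 -j "$2" -N 16 "$1" | tr 'a-f' 'A-F' | awk '{
    printf "%s%s%s%s-%s%s-%s%s-%s%s-%s%s%s%s%s%s\n",
      $4,$3,$2,$1, $6,$5, $8,$7, $9,$10, $11,$12,$13,$14,$15,$16 }'
}

# The partition type GUIDs behind parted's "esp" and "msftdata" flags.
type_name() {
  case "$1" in
    C12A7328-F81F-11D2-BA4B-00A0C93EC93B) echo "EFI System Partition" ;;
    EBD0A0A2-B9E5-4433-87C0-68B6B72699C7) echo "Microsoft basic data (msftdata)" ;;
    0FC63DAF-8483-4772-8E79-3D69D8477DE4) echo "Linux filesystem" ;;
    *) echo "unknown type" ;;
  esac
}

# Print "disk GUID ..." then one line per used entry: "<n> LBA <first>-<last> <type GUID> <name>".
gpt_list() {
  local img="$1" hdr sig mbr_type entries nent esz i off tguid first last
  hdr=$SECTOR                                      # the GPT header lives in LBA 1
  mbr_type=$(od -An -v -t x1 -j 450 -N 1 "$img" | tr -d ' ')
  [ "$mbr_type" = ee ] || echo "warning: LBA 0 is not a protective MBR (type 0x$mbr_type)" >&2
  sig=$(dd if="$img" bs=1 skip="$hdr" count=8 2>/dev/null)
  [ "$sig" = "EFI PART" ] || { echo "no GPT signature in LBA 1" >&2; return 1; }
  entries=$(le_uint "$img" $((hdr + 72)) 8)        # starting LBA of the entry array
  nent=$(le_uint "$img" $((hdr + 80)) 4)           # number of entries (usually 128)
  esz=$(le_uint "$img" $((hdr + 84)) 4)            # bytes per entry (usually 128)
  echo "disk GUID $(guid_at "$img" $((hdr + 56))), $nent entries of $esz bytes at LBA $entries"
  i=0
  while [ "$i" -lt "$nent" ]; do
    off=$((entries * SECTOR + i * esz))
    tguid=$(guid_at "$img" "$off")
    if [ "$tguid" != 00000000-0000-0000-0000-000000000000 ]; then   # unused entries are all zero
      first=$(le_uint "$img" $((off + 32)) 8)
      last=$(le_uint "$img" $((off + 40)) 8)
      echo "$((i + 1)) LBA $first-$last $tguid $(type_name "$tguid")"
    fi
    i=$((i + 1))
  done
}

# Constructed sample: the 34 leading sectors of a disk laid out like the one on
# this page (ESP 1 MiB-261 MiB, msftdata after it), without CRCs. Byte values are
# printf octal escapes; multi-byte integers are written little-endian.
put() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }
make_sample_gpt() {
  dd if=/dev/zero of="$1" bs=$SECTOR count=34 2>/dev/null
  put "$1" 450 '\356'                                       # MBR entry type 0xEE (protective)
  put "$1" 510 '\125\252'                                   # MBR signature 0x55AA
  put "$1" 512 'EFI PART'                                   # GPT header signature
  put "$1" 584 '\002\000\000\000\000\000\000\000'           # entry array starts at LBA 2
  put "$1" 592 '\200\000\000\000\200\000\000\000'           # 128 entries of 128 bytes
  put "$1" 1024 '\050\163\052\301\037\370\322\021\272\113\000\240\311\076\311\073'   # ESP type GUID
  put "$1" 1056 '\000\010\000\000\000\000\000\000\377\047\010\000\000\000\000\000'   # LBA 2048-534527
  put "$1" 1152 '\242\240\320\353\345\271\063\104\207\300\150\266\267\046\231\307'   # msftdata type GUID
  put "$1" 1184 '\000\050\010\000\000\000\000\000\100\102\017\000\000\000\000\000'   # LBA 534528-1000000
}

if [ $# -gt 0 ]; then gpt_list "$1"; fi   # usage: sh gpt_list.sh /dev/sdc  (or an image file)
```

Run it against the device after the parted steps on this page and the two lines should show the ESP type GUID for partition 1 and the Microsoft basic data GUID for partition 2; a disk where parted reports '''msftdata''' but the GUID here differs is a sign that the kernel's partition table was not re-read.<br />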
<br />
== Zero Out Previous Disk Label - Optional ==<br />
This optional step will zero out any previous disk label. We will use the [http://dcfldd.sourceforge.net/ dcfldd] utility. The first 1GB of the disk will be zeroed out. Note that this only clears structures at the start of the disk; a GPT also keeps a backup header and entry array in the last sectors of the disk, which this step leaves in place ('''wipefs --all''' removes both):<br />
<br />
[root@shopper2 ~]# dcfldd if=/dev/zero of=/dev/sdc statusinterval=64 bs=1M count=1k;<br />
1024 blocks (1024Mb) written.<br />
1024+0 records in<br />
1024+0 records out<br />
[root@shopper2 ~]#<br />
<br />
We can now use parted to examine the disk and confirm that we are starting with an unrecognised disk label:<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print;<br />
Error: /dev/sdc: unrecognised disk label<br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: unknown<br />
Disk Flags: <br />
[root@shopper2 ~]#<br />
<br />
== Create GPT Disk Label ==<br />
The GPT disk label will now be created:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mklabel gpt <br />
(parted) quit<br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create EFI System Partition ==<br />
A new EFI System Partition will be created using the following commands (the recommended size is at least 260 MiB):<br />
<br />
[root@shopper2 ~]# parted /dev/sdc;<br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) mkpart primary fat32 1MiB 261MiB <br />
(parted) set 1 esp on <br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB fat32 primary boot, esp<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Create exFAT Partition ==<br />
A new exFAT partition will now be created using the remaining unused disk area:<br />
<br />
[root@shopper2 ~]# parted /dev/sdc; <br />
GNU Parted 3.2<br />
Using /dev/sdc<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
<br />
(parted) mkpart primary ntfs 261MiB 100%<br />
(parted) print <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB ntfs primary<br />
<br />
(parted) quit <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@shopper2 ~]# /sbin/parted -s /dev/sdc print; <br />
Model: JM583 (scsi)<br />
Disk /dev/sdc: 120GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 274MB 273MB primary boot, esp<br />
2 274MB 120GB 120GB primary msftdata<br />
<br />
[root@shopper2 ~]#<br />
<br />
== Format exFAT Partition ==<br />
Use the "'''mkfs.exfat'''" command to format the exFAT file system:<br />
<br />
[root@shopper2 ~]# mkfs.exfat -L NVMe /dev/sdc2<br />
mkexfatfs 1.3.0<br />
Creating... done.<br />
Flushing... done.<br />
File system created successfully.<br />
[root@shopper2 ~]#<br />
<br />
The "'''lsblk'''" command shows the newly created exFAT file system with label:<br />
[root@shopper2 ~]# /bin/lsblk -a -o name,label,size,fstype,model /dev/sdc;<br />
NAME LABEL SIZE FSTYPE MODEL<br />
sdc 111.8G USB3.1_NVME_DISK<br />
├─sdc1 260M <br />
└─sdc2 NVMe 111.5G exfat <br />
[root@shopper2 ~]#<br />
<br />
== Summary ==<br />
The newly formatted disk should now be readable and writable by all major operating systems (i.e., macOS, Windows and Linux).<br />
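The script below is an added example and is not part of the NST wiki page. It condenses the interactive parted session above (and, with an ESP size of 0, the single whole-disk partition of the fdisk variant in the next section) into a non-interactive plan that is executed only after the two checks a practitioner wants before a disk is wiped: the kernel must flag the target as removable, and none of its partitions may be mounted. The device "/dev/sdc", the label "NVMe", the 260 MiB ESP and the mkfs.exfat invocation are the page's values; the function names, the optional ESP_MIB argument and the MOUNTS/SYSFS parameters (present so the checks can be exercised against constructed files) are assumptions of this example.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the NST wiki page: the page's parted session as a
# non-interactive plan that is executed only after two checks that should
# precede any disk wipe: the kernel flags the target as removable, and none
# of its partitions is mounted. MOUNTS and SYSFS default to the live system
# and exist so the checks can be run against constructed files.
# Assumed names (this example's, not the page's): part_dev, disk_is_removable,
# disk_is_mounted, exfat_plan, exfat_apply. /dev/sdc, "NVMe" and 260 MiB are
# the page's own values, used here as defaults.

# part_dev DEV N: partition node for DEV; disks whose name ends in a digit
# (nvme0n1, mmcblk0) insert a "p" before the partition number.
part_dev() {
    case $1 in
        *[0-9]) echo "${1}p$2" ;;
        *)      echo "${1}$2" ;;
    esac
}

# disk_is_removable DEV [SYSFS]: true when /sys/block/<dev>/removable reads 1.
disk_is_removable() {
    name=$(basename "$1"); sysfs=${2:-/sys}
    [ -r "$sysfs/block/$name/removable" ] &&
        [ "$(cat "$sysfs/block/$name/removable")" = 1 ]
}

# disk_is_mounted DEV [MOUNTS]: true when DEV itself or one of its partitions
# (DEV plus optional "p" plus digits) is a mount source in MOUNTS, which has
# the /proc/mounts layout "source target fstype options 0 0".
disk_is_mounted() {
    awk -v dev="$1" '
        $1 == dev || $1 ~ ("^" dev "p?[0-9]+$") { found = 1 }
        END { exit !found }
    ' "${2:-/proc/mounts}"
}

# exfat_plan DEV LABEL [ESP_MIB]: print the commands for the page's layout
# (GPT label, ESP of ESP_MIB MiB starting at 1 MiB, exFAT on the rest).
# ESP_MIB=0 yields the single whole-disk partition of the fdisk variant.
exfat_plan() {
    dev=$1; label=$2; esp=${3:-260}
    echo "parted -s --align optimal $dev mklabel gpt"
    if [ "$esp" -gt 0 ]; then
        end=$((esp + 1))
        echo "parted -s --align optimal $dev mkpart primary fat32 1MiB ${end}MiB"
        echo "parted -s $dev set 1 esp on"
        echo "parted -s --align optimal $dev mkpart primary ${end}MiB 100%"
        data=2
    else
        echo "parted -s --align optimal $dev mkpart primary 1MiB 100%"
        data=1
    fi
    echo "parted -s $dev set $data msftdata on"
    echo "mkfs.exfat -L $label $(part_dev "$dev" "$data")"
}

# exfat_apply DEV LABEL [ESP_MIB] [MOUNTS] [SYSFS]: refuse unless both checks
# pass, then run the plan under sh -e so the first failing step stops the rest.
exfat_apply() {
    dev=$1
    if ! disk_is_removable "$dev" "${5:-/sys}"; then
        echo "exfat_apply: $dev is not flagged removable; refusing to touch it" >&2
        return 1
    fi
    if disk_is_mounted "$dev" "${4:-/proc/mounts}"; then
        echo "exfat_apply: $dev has a mounted partition; umount it first" >&2
        return 1
    fi
    exfat_plan "$dev" "$2" "${3:-260}" | sh -e -x && sync
}

# Dry run by default: only print the plan. "apply" as first argument runs it.
if [ "${1:-}" = apply ]; then
    exfat_apply "${TARGET:-/dev/sdc}" "${LABEL:-NVMe}" "${ESP_MIB:-260}"
else
    exfat_plan "${TARGET:-/dev/sdc}" "${LABEL:-NVMe}" "${ESP_MIB:-260}"
fi
```
<br />
Run it without arguments to see the plan; `TARGET=/dev/sdX LABEL=DATA sh mk-exfat-disk.sh apply` executes it, and `ESP_MIB=0` reproduces the whole-disk layout of the fdisk procedure below. As on the page, the ESP is created but not formatted.<br />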
<br />
= Alternate exFAT Partition Creation For OS Interoperability =<br />
This section shows the steps to create an exFAT partition spanning an entire 64GB USB flash drive so that all major OSs (i.e., macOS, Windows and Linux) can mount and use the data on the drive.<br />
<br />
'''1)''' Discover the target USB drive to create the exFAT partition with '''fdisk'''. In this case it will be "'''/dev/sda'''"<br />
[root@dell7480 ~]# fdisk -l;<br />
Disk /dev/nvme0n1: 476.94 GiB, 512110190592 bytes, 1000215216 sectors<br />
Disk model: FPI512MWR7 <br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: gpt<br />
Disk identifier: B276CCFE-BD35-4510-9E92-B6E44CEEFAE8<br />
<br />
Device Start End Sectors Size Type<br />
/dev/nvme0n1p1 2048 1230847 1228800 600M EFI System<br />
/dev/nvme0n1p2 1230848 3327999 2097152 1G Linux filesystem<br />
/dev/nvme0n1p3 3328000 1000214527 996886528 475.4G Linux filesystem<br />
<br />
Disk /dev/zram0: 8 GiB, 8589934592 bytes, 2097152 sectors<br />
Units: sectors of 1 * 4096 = 4096 bytes<br />
Sector size (logical/physical): 4096 bytes / 4096 bytes<br />
I/O size (minimum/optimal): 4096 bytes / 4096 bytes<br />
<br />
Disk /dev/sda: 57.3 GiB, 61530439680 bytes, 120176640 sectors<br />
Disk model: SanDisk 3.2Gen1<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''2)''' Make sure the USB flash drive is not mounted. Example: USB drive mounted at: "'''/run/media/nst/59DF-5291'''"<br />
[root@dell7480 ~]# df -h<br />
Filesystem Size Used Avail Use% Mounted on<br />
devtmpfs 7.8G 0 7.8G 0% /dev<br />
tmpfs 7.8G 0 7.8G 0% /dev/shm<br />
tmpfs 3.1G 2.0M 3.1G 1% /run<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /<br />
tmpfs 7.8G 2.1M 7.8G 1% /tmp<br />
/dev/nvme0n1p3 476G 8.1G 467G 2% /home<br />
/dev/nvme0n1p2 976M 248M 662M 28% /boot<br />
/dev/nvme0n1p1 599M 17M 583M 3% /boot/efi<br />
tmpfs 1.6G 96K 1.6G 1% /run/user/1000<br />
tmpfs 1.6G 72K 1.6G 1% /run/user/0<br />
/dev/sda1 58G 12M 58G 1% /run/media/nst/59DF-5291<br />
[root@dell7480 ~]# <br />
[root@dell7480 ~]# umount -v /run/media/nst/59DF-5291<br />
umount: /run/media/nst/59DF-5291 (/dev/sda1) unmounted<br />
<br />
[root@dell7480 ~]# <br />
<br />
'''3)''' Use '''fdisk''' to remove any previously created partitions, create a '''GPT''' partition table and then make a new partition (i.e., "'''/dev/sda1'''") for exFAT using the entire USB drive.<br />
[root@dell7480 ~]# fdisk /dev/sda;<br />
<br />
Welcome to fdisk (util-linux 2.36.2).<br />
Changes will remain in memory only, until you decide to write them.<br />
Be careful before using the write command.<br />
<br />
Device does not contain a recognized partition table.<br />
Created a new DOS disklabel with disk identifier 0x997a9a9d.<br />
<br />
Command (m for help): d<br />
No partition is defined yet!<br />
<br />
Command (m for help): g<br />
<br />
Created a new GPT disklabel (GUID: 7D769FCD-8E49-9944-B4BA-C418633F0C4E).<br />
<br />
Command (m for help): n<br />
Partition number (1-128, default 1): <br />
First sector (2048-120176606, default 2048): <br />
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-120176606, default 120176606): <br />
<br />
Created a new partition 1 of type 'Linux filesystem' and of size 57.3 GiB.<br />
<br />
Command (m for help): w<br />
The partition table has been altered.<br />
Calling ioctl() to re-read partition table.<br />
Syncing disks.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''4)''' Show partition creation progress using '''parted'''.<br />
[root@dell7480 ~]# /sbin/parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''5)''' Make sure the boot record is converted to '''GPT'''. <br />
[root@dell7480 ~]# gdisk /dev/sda;<br />
GPT fdisk (gdisk) version 1.0.8<br />
<br />
Partition table scan:<br />
MBR: protective<br />
BSD: not present<br />
APM: not present<br />
GPT: present<br />
<br />
Found valid GPT with protective MBR; using GPT.<br />
<br />
Command (? for help): w<br />
<br />
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING<br />
PARTITIONS!!<br />
<br />
Do you want to proceed? (Y/N): Y<br />
OK; writing new GUID partition table (GPT) to /dev/sda.<br />
The operation has completed successfully.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''6)''' Set the partition type to: "'''msftdata'''" - Microsoft Basic Data<br />
[root@dell7480 ~]# parted /dev/sda;<br />
GNU Parted 3.4<br />
Using /dev/sda<br />
Welcome to GNU Parted! Type 'help' to view a list of commands.<br />
(parted) set 1 msftdata on <br />
(parted) q <br />
Information: You may need to update /etc/fstab.<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''7)''' Show partition progress.<br />
[root@dell7480 ~]# parted -s /dev/sda print; <br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags: <br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''8)''' Now format partition: "'''/dev/sda1'''" as an exFAT file system using: '''mkfs.exfat''' with label: "'''THUNDER2-1'''" with verbose mode on.<br />
[root@dell7480 ~]# mkfs.exfat -v -L THUNDER2-1 /dev/sda1;<br />
exfatprogs version : 1.1.2<br />
[exfat_get_blk_dev_info: 202] Block device name : /dev/sda1<br />
[exfat_get_blk_dev_info: 203] Block device offset : 1048576<br />
[exfat_get_blk_dev_info: 204] Block device size : 61529374208<br />
[exfat_get_blk_dev_info: 205] Block sector size : 512<br />
[exfat_get_blk_dev_info: 206] Number of the sectors : 120174559<br />
[exfat_get_blk_dev_info: 208] Number of the clusters : 469431<br />
[exfat_zero_out_disk: 516] zero out written size : 3538944, disk size : 61529374208<br />
Creating exFAT filesystem(/dev/sda1, cluster size=131072)<br />
<br />
Writing volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Writing backup volume boot record: [exfat_setup_boot_sector: 81] Volume Offset(sectors) : 2048<br />
[exfat_setup_boot_sector: 83] Volume Length(sectors) : 120174559<br />
[exfat_setup_boot_sector: 85] FAT Offset(sector offset) : 2048<br />
[exfat_setup_boot_sector: 87] FAT Length(sectors) : 3840<br />
[exfat_setup_boot_sector: 89] Cluster Heap Offset (sector offset) : 6144<br />
[exfat_setup_boot_sector: 91] Cluster Count : 469407<br />
[exfat_setup_boot_sector: 93] Root Cluster (cluster offset) : 4<br />
[exfat_setup_boot_sector: 95] Volume Serial : 0xff393695<br />
[exfat_setup_boot_sector: 96] Sector Size Bits : 9<br />
[exfat_setup_boot_sector: 98] Sector per Cluster bits : 8<br />
done<br />
Fat table creation: [exfat_create_fat_table: 307] Total used cluster count : 5<br />
done<br />
Allocation bitmap creation: done<br />
Upcase table creation: done<br />
Writing root directory entry: done<br />
Synchronizing...<br />
<br />
exFAT format complete!<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''9)''' Show final format using '''parted'''.<br />
[root@dell7480 ~]# parted -s /dev/sda print;<br />
Model: USB SanDisk 3.2Gen1 (scsi)<br />
Disk /dev/sda: 61.5GB<br />
Sector size (logical/physical): 512B/512B<br />
Partition Table: gpt<br />
Disk Flags:<br />
<br />
Number Start End Size File system Name Flags<br />
1 1049kB 61.5GB 61.5GB msftdata<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''10)''' Use the system storage manager ('''ssm''') to show the completed exFAT partition.<br />
[root@dell7480 ~]# ssm list<br />
---------------------------------------------------------------------<br />
Device Free Used Total Pool Mount point<br />
---------------------------------------------------------------------<br />
/dev/nvme0n1 476.94 GB PARTITIONED<br />
/dev/nvme0n1p1 600.00 MB /boot/efi <br />
/dev/nvme0n1p2 1.00 GB /boot <br />
/dev/nvme0n1p3 465.33 GB 10.02 GB 475.35 GB dell7480 <br />
/dev/sda 57.30 GB PARTITIONED<br />
/dev/sda1 57.30 GB <br />
/dev/zram0 8.00 GB SWAP <br />
---------------------------------------------------------------------<br />
---------------------------------------------------------<br />
Pool Type Devices Free Used Total <br />
---------------------------------------------------------<br />
dell7480 btrfs 1 467.30 GB 8.05 GB 475.35 GB <br />
---------------------------------------------------------<br />
--------------------------------------------------------------------------------------<br />
Volume Pool Volume size FS FS size Free Type Mount point<br />
--------------------------------------------------------------------------------------<br />
dell7480 dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs <br />
dell7480:home dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs /home <br />
dell7480:root dell7480 475.35 GB btrfs 475.35 GB 467.30 GB btrfs / <br />
/dev/nvme0n1p1 600.00 MB vfat part /boot/efi <br />
/dev/nvme0n1p2 1.00 GB ext4 1.00 GB 677.35 MB part /boot <br />
/dev/sda1 57.30 GB exfat part <br />
--------------------------------------------------------------------------------------<br />
<br />
[root@dell7480 ~]#<br />
<br />
'''11)''' Just in case, always synchronize cached writes to persistent storage prior to removing the USB flash drive.<br />
[root@dell7480 ~]# sync;sync;<br />
<br />
[root@dell7480 ~]#</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9729HowTo Quickly Setup A VPN Using WireGuard On NST2022-01-30T16:16:05Z<p>Rwh: /* Manual Wireguard DKMS Module Remove */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to set up a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will set up a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This will create a Private / Public key file pair (two (2) files, "'''privatekey'''" and "'''publickey'''"):<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This will create a Private / Public key file pair (two (2) files, "'''privatekey'''" and "'''publickey'''"):<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
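As an added example (this page's editor's code, not the NST "'''wg-generate-keys'''" file and not part of the WireGuard project), the placeholder substitutions of Server steps 4 and 6 and Client steps 4 and 5 can be scripted so that a key never appears on a command line (where '''ps''' and shell history would record it) and the finished "'''wg0.conf'''" is checked before '''wg-quick''' reads it: every "'''-... KEY-'''" and "'''public.ip.of.server'''" placeholder must be gone, every '''PrivateKey'''/'''PublicKey''' value must have the 44-character base64 shape of a WireGuard key, and the file must not be readable by group or others. The placeholder strings, the file names and the endpoint "'''102.5.221.22:51820'''" are the page's; the function names and the dummy keys built from /dev/zero in the demonstration at the bottom (format-valid but obviously not usable keys) are constructed for this example.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the NST wiki page or the WireGuard project: fill the
# NST WireGuard templates from key files without passing a key on any command
# line, then verify the result before wg-quick is allowed to use it.
# Assumed names (this example's): wg_key_ok, wg_fill, wg_set_endpoint,
# wg_conf_ready. Placeholders and file names are the page's.

# wg_key_ok KEY: 0 when KEY has the shape of a WireGuard key, i.e. base64 of
# exactly 32 bytes: 42 free characters, one character whose low two bits are
# zero, then "=". The key is piped, not passed as an argument.
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# wg_fill CONF PLACEHOLDER KEYFILE: replace PLACEHOLDER in CONF (in place) with
# the first line of KEYFILE. awk reads the key from the file itself, so argv
# only ever carries the file name. The rewrite goes through a temp file created
# under umask 077, so CONF ends up 0600 like the page's "install -m 600".
wg_fill() {
    conf=$1; ph=$2; keyfile=$3
    wg_key_ok "$(head -n 1 "$keyfile")" ||
        { echo "wg_fill: $keyfile does not hold a well-formed key" >&2; return 1; }
    umask 077
    awk -v ph="$ph" -v kf="$keyfile" '
        BEGIN { getline k < kf; sub(/\r$/, "", k) }
        { while ((i = index($0, ph)) > 0)
              $0 = substr($0, 1, i - 1) k substr($0, i + length(ph))
          print }
    ' "$conf" > "$conf.tmp" && mv -f "$conf.tmp" "$conf"
}

# wg_set_endpoint CONF HOST:PORT: the endpoint is not secret, so plain sed is fine.
wg_set_endpoint() {
    conf=$1; ep=$2
    umask 077
    sed "s|^\([[:space:]]*Endpoint[[:space:]]*=\).*|\1 $ep|" "$conf" > "$conf.tmp" &&
        mv -f "$conf.tmp" "$conf"
}

# wg_conf_ready CONF: 0 only when no template placeholder is left, a PrivateKey
# is present, every PrivateKey/PublicKey value is well-formed, and group/other
# have no permission bits on the file.
wg_conf_ready() {
    conf=$1
    if grep -Eq -- '-(SERVER|CLIENT) (PRIVATE|PUBLIC) KEY-|public\.ip\.of\.server' "$conf"; then
        echo "$conf: template placeholders are still present" >&2; return 1
    fi
    grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf" ||
        { echo "$conf: no PrivateKey line" >&2; return 1; }
    for k in $(sed -En 's/^[[:space:]]*(PrivateKey|PublicKey)[[:space:]]*=[[:space:]]*//p' "$conf"); do
        wg_key_ok "$k" || { echo "$conf: a PrivateKey/PublicKey value is malformed" >&2; return 1; }
    done
    case $(ls -ld "$conf") in
        ????------*) ;;   # positions 5-10 of the mode string: group/other all "-"
        *) echo "$conf: readable by group or others; chmod 600 it" >&2; return 1 ;;
    esac
    return 0
}

# --- demonstration on a constructed copy of the page's server template --------
demo=$(mktemp -d)
cat > "$demo/wg0.conf" <<'EOF'
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32
EOF
chmod 600 "$demo/wg0.conf"
# Dummy keys with the right shape only (constructed); real ones come from
# "wg genkey" and "wg pubkey", as the page's wg-generate-keys does.
head -c 32 /dev/zero | base64 > "$demo/privatekey"
{ printf '\377'; head -c 31 /dev/zero; } | base64 > "$demo/client.publickey"
wg_fill "$demo/wg0.conf" '-SERVER PRIVATE KEY-' "$demo/privatekey"
wg_fill "$demo/wg0.conf" '-CLIENT PUBLIC KEY-' "$demo/client.publickey"
if wg_conf_ready "$demo/wg0.conf"; then echo "wg0.conf is ready for wg-quick"; fi
rm -rf "$demo"
```
<br />
On the server the two calls are '''wg_fill wg0.conf '-SERVER PRIVATE KEY-' privatekey''' and, after the client's "'''publickey'''" has been copied over, '''wg_fill wg0.conf '-CLIENT PUBLIC KEY-' client.publickey'''; the client additionally runs '''wg_set_endpoint wg0.conf 102.5.221.22:51820'''. '''wg_conf_ready''' returning 0 is the cue that step 6's "all template name placeholders have been filled in" actually holds.<br />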
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how your Firewall Gateway Router is configured on your server side environment, access to UDP port: "'''51820'''" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers Firewall rule changes and IP Forwarding that may need to be changed for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''" for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
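The status output above is easy to misread: "'''latest handshake'''" is the health signal (WireGuard only handshakes when a peer actually sends), while the "'''transfer'''" counters are cumulative since the interface came up. The following is an added example, not NST's or wireguard-tools' code: it parses the human-readable "'''wg show'''" output into a structure and reports peers that never completed a handshake or whose last one is older than a threshold. Its sample input is the server-side status shown above plus a constructed second peer (dummy all-zero key) that has not handshaked. On a live system "'''wg show wg0 latest-handshakes'''" prints the same information as epoch seconds and is the easier thing to script against; this block works with the text captured here.<br />
<br />
```python
"""Added example (not NST's or wireguard-tools' code): parse 'wg show <iface>' text and flag dead peers."""
import re

# Constructed sample input: the server-side status captured on this page, plus a made-up
# second peer (dummy all-zero key) that has never completed a handshake.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  private key: (hidden)
  listening port: 51820

peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
  endpoint: 14.41.111.122:38964
  allowed ips: 10.55.55.2/32
  latest handshake: 1 minute, 57 seconds ago
  transfer: 9.59 KiB received, 7.27 KiB sent

peer: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  allowed ips: 10.55.55.3/32
  transfer: 0 B received, 1.48 KiB sent
  persistent keepalive: every 21 seconds
"""

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
_SIZES = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def handshake_age(text):
    """'1 minute, 57 seconds ago' -> 117 seconds. wg prints 'Now' for a handshake under a second old."""
    parts = re.findall(r"(\d+) (second|minute|hour|day)s?", text)
    if not parts:
        return 0 if text.strip().lower().startswith("now") else None
    return sum(int(n) * _UNITS[u] for n, u in parts)


def to_bytes(text):
    """'9.59 KiB' -> 9820 (rounded), using the binary units wg prints."""
    num, unit = text.split()
    return round(float(num) * _SIZES[unit])


def parse_wg_show(output):
    """Return (interface_dict, [peer_dict, ...]) from 'wg show <iface>' output.
    Field names stay as wg prints them ('allowed ips', 'latest handshake', ...); each peer also
    gets 'handshake_age' (seconds, or None if it never handshaked) and 'rx_bytes' / 'tx_bytes'."""
    interface, peers, current = {}, [], None
    for line in output.splitlines():
        field, _, value = line.strip().partition(":")
        field, value = field.strip(), value.strip()
        if not field:
            continue
        if field == "interface":
            interface = current = {"name": value}
        elif field == "peer":
            current = {"public key": value}
            peers.append(current)
        elif current is not None:
            current[field] = value
    for peer in peers:
        peer["handshake_age"] = handshake_age(peer["latest handshake"]) if "latest handshake" in peer else None
        if "transfer" in peer:
            rx, tx = peer["transfer"].split(",")
            peer["rx_bytes"] = to_bytes(rx.replace("received", ""))
            peer["tx_bytes"] = to_bytes(tx.replace("sent", ""))
    return interface, peers


def stale_peers(output, max_age=300):
    """[(public_key, age_or_None)] for peers with no handshake at all or one older than max_age
    seconds.  A peer that keeps sending (keepalives count) re-handshakes every two to three
    minutes, so five minutes without one means the far side is unreachable.  An idle peer with
    nothing to send legitimately shows an old handshake: apply this to peers expected to be active."""
    return [(p["public key"], p["handshake_age"]) for p in parse_wg_show(output)[1]
            if p["handshake_age"] is None or p["handshake_age"] > max_age]
```
Every client configuration on this page sets '''PersistentKeepalive = 21''', and keepalive packets travel through the session like any other data, so those peers re-handshake continuously while the server is reachable; for them a handshake several minutes old is a real outage, not idleness.<br />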
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command. The "'''wg showconf wg0'''" step in the output is '''SaveConfig = true''' at work: '''wg-quick''' writes the running configuration back to '''/etc/wireguard/wg0.conf''' before deleting the interface, so any edit made to that file while the interface was up is overwritten (take the interface down first, or change peers at run time with "'''wg set'''", which '''SaveConfig''' will then persist):<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard tools ship a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit, '''wg-quick@.service''', that runs "'''wg-quick up'''" for the named interface (reading '''/etc/wireguard/wg0.conf''' for '''wg0''') when an NST system boots. "'''systemctl enable'''" only arranges the start at the next boot; add "'''--now'''" to start the VPN immediately as well.<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key pair for each client (peer). The server identifies a peer by its public key, so two clients sharing a key pair would be indistinguishable to it.<br />
* Add one ''[Peer]'' section per client to the server's ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap. On the server, ''AllowedIPs'' is both the filter for packets arriving from that peer and the routing table for packets sent to it; an identical prefix listed under two peers ends up belonging only to the later one, and a partial overlap is resolved by longest prefix match.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' on the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim, they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address (or FQDN) and UDP port of your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).<br />
* It is recommended to use a port other than ''51820'' (something different than this public example).<br />
* You must generate your own server and client private/public key pairs: the private keys printed below are public knowledge, and anyone holding one of them can impersonate that peer.<br />
* If the clients need to reach each other through the server (for example ''10.55.55.10'' talking to ''10.55.55.11''), the server must also forward packets between its peers (''net.ipv4.ip_forward = 1''); WireGuard itself only delivers traffic to and from its own interface.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to remove a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9728HowTo Quickly Setup A VPN Using WireGuard On NST2022-01-30T16:15:54Z<p>Rwh: /* Manual Wireguard DKMS Module Information */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to setup a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography: a fixed suite of Curve25519 key agreement, ChaCha20-Poly1305 authenticated encryption and BLAKE2s hashing, with no cipher negotiation to get wrong. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding its configuration headaches, and it generally outperforms '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded devices and supercomputers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''' (and part of the mainline kernel since Linux 5.6), it is now cross-platform and widely deployed, and its small, auditable code base is a large part of why it is regarded as one of the most secure, easiest to use and simplest VPN solutions available.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This creates one private/public key pair, stored in two files ('''privatekey''' and '''publickey''') that are readable by '''root''' only:<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This creates one private/public key pair, stored in two files ('''privatekey''' and '''publickey''') that are readable by '''root''' only:<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
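The following is an added example (it is not part of this page, NST or the WireGuard project) that performs, before "'''wg-quick up'''", the checks the steps above and the "'''Server With Multiple Clients/Peers'''" section of this page ask you to do by eye: every template placeholder has been replaced, every key decodes to 32 bytes (and private keys are clamped the way "'''wg genkey'''" produces them), a client has an '''Endpoint''' of the form host:port, and no two peers on a server claim overlapping '''AllowedIPs'''. The server and client configurations embedded in it are copied from that section's examples; '''BAD_SERVER_CONF''' is constructed from them to show the failures. It parses the file itself because the repeated '''[Peer]''' sections defeat Python's '''configparser'''.<br />
<br />
```python
"""Added example (not NST or WireGuard code): sanity-check a wg0.conf before 'wg-quick up'."""
import base64
import ipaddress
import re

PLACEHOLDER = re.compile(r"^-[A-Z ]+-$")  # "-SERVER PRIVATE KEY-" etc. left over from the NST templates

# Sample inputs copied from this page's "Server With Multiple Clients/Peers" section
# (blank lines, SaveConfig and PersistentKeepalive omitted to keep the block short).
PAGE_SERVER_CONF = """\
[Interface]
Address = 10.55.55.1/24
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=
[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32
[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32
[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.12/32
"""
PAGE_CLIENT_CONF = """\
[Interface]
Address = 10.55.55.10/32
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=
[Peer]
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=
Endpoint = wg.networksecuritytoolkit.org:51820
AllowedIPs = 10.55.55.0/24
"""
# Constructed broken variant: placeholder left in, a 16-byte "key", and a peer overlapping the others.
BAD_SERVER_CONF = re.sub(r"PrivateKey = \S+", "PrivateKey = -SERVER PRIVATE KEY-", PAGE_SERVER_CONF)
BAD_SERVER_CONF = re.sub(r"PublicKey = WCSZ\S+", "PublicKey = " + "A" * 22 + "==", BAD_SERVER_CONF)
BAD_SERVER_CONF = BAD_SERVER_CONF.replace("AllowedIPs = 10.55.55.12/32", "AllowedIPs = 10.55.55.0/24")


def parse_wg_conf(text):
    """(interface_dict, [peer_dict, ...]) with lower-cased keys; hand-rolled because the repeated
    [Peer] sections that wg-quick allows are merged or rejected by configparser."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            peers.append(current := {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return interface, peers


def key_problem(value, private=False):
    """None if value looks like a WireGuard (Curve25519) key, otherwise a short description."""
    if PLACEHOLDER.match(value):
        return f"template placeholder {value} was never replaced"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not valid base64"
    if len(raw) != 32:
        return f"decodes to {len(raw)} bytes, expected 32"
    # 'wg genkey' clamps: byte 0 &= 248, byte 31 = (byte 31 & 127) | 64. Anything else was not generated.
    if private and (raw[0] & 7 or raw[31] & 0x80 or not raw[31] & 0x40):
        return "not clamped the way 'wg genkey' clamps private keys (hand-edited or corrupted?)"
    return None


def check_config(text, role):
    """List the problems in a 'server' or 'client' wg0.conf; [] means every check here passed."""
    iface, peers = parse_wg_conf(text)
    keys = [("[Interface] PrivateKey", iface.get("privatekey"), True)]
    keys += [(f"[Peer {n}] PublicKey", p.get("publickey"), False) for n, p in enumerate(peers, 1)]
    problems = [f"{label}: {key_problem(v, priv)}" if v else f"{label} is missing"
                for label, v, priv in keys if v is None or key_problem(v, priv)]
    if role == "server" and "listenport" not in iface:
        problems.append("[Interface] a server needs a fixed ListenPort for clients to reach")
    seen = []  # (network, peer number) for the overlap check
    for n, peer in enumerate(peers, 1):
        host, _, port = peer.get("endpoint", "").rpartition(":")
        if role == "client" and not (host and port.isdigit()):
            problems.append(f"[Peer {n}] a client needs Endpoint = host:port")
        elif role == "client" and host == "public.ip.of.server":  # the client template's placeholder
            problems.append(f"[Peer {n}] Endpoint still uses the template's {host}")
        for item in [s.strip() for s in peer.get("allowedips", "").split(",")]:
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                problems.append(f"[Peer {n}] AllowedIPs entry {item!r} is not an IP or CIDR")
                continue
            problems += [f"[Peer {n}] AllowedIPs {net} overlaps peer {m}'s {other} (an identical prefix "
                         "silently moves to the later peer; partial overlap resolves by longest prefix)"
                         for other, m in seen if m != n and net.overlaps(other)]
            seen.append((net, n))
    return problems
```
Run it against a real file as '''root''' with '''check_config(open("/etc/wireguard/wg0.conf").read(), "server")''' (or '''"client"'''). An empty list means the file passed these checks, not that the tunnel will come up: a public key pasted into the wrong peer, a UDP port the gateway does not forward or a wrong '''Endpoint''' only show up later as a missing "'''latest handshake'''" in "'''wg show'''".<br />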
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router on the server side is configured, UDP port: "'''51820'''" on the WireGuard VPN server host must be reachable from the Internet facing side: a port forward (DNAT) rule on the gateway for UDP "'''51820'''" to the NST server, plus an accept rule on the server's own host firewall if one is running. The WireGuard article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers the firewall rule changes and IP forwarding that may need to be changed for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''", for this example VPN to be established and work properly. IP forwarding on the server is only needed when it routes traffic on behalf of clients (to other clients, to its LAN or to the Internet), not for this point-to-point example. Nothing needs to be opened on the client side: the client initiates the UDP exchange, and its '''PersistentKeepalive = 21''' keeps the NAT mapping alive so the server can send to it at any time.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.22.22.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface. Note that this macOS client was captured against a different WireGuard server than the '''shopper2'''/'''pktcap28''' example (a different server public key, endpoint '''136.56.0.244:51823''' and tunnel address '''10.55.55.101'''), so its keys and addresses do not line up with the Linux output. On macOS the tunnel is handled by the userspace '''wireguard-go''' implementation rather than a kernel module, and the interface name ('''utun2''') comes from the configuration file name:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
With the WireGuard VPN established, the following two (2) network commands ('''ping''' and '''SSH''') exercise the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit ('''wg-quick@.service''') that starts the VPN automatically when an NST system boots.<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key for each client (peer).<br />
* Add multiple ''[Peer]'' sections to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP port in your firewall).<br />
* It is recommended that you choose a network range other than ''10.55.55.0/24'' (something different from this public example).<br />
* It is recommended that you use a port other than ''51820'' (something different from this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
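<br />
The following is an added consistency check (example code, not from the NST wiki or the WireGuard project) for the two rules above (one key pair per peer, non-overlapping ''AllowedIPs'') and for the key substitution steps in the Server and Client Endpoint Setup sections: it derives each side's public key from its ''PrivateKey'' exactly as "'''wg pubkey'''" does (X25519 with base point 9, RFC 7748), confirms the other side's ''[Peer]'' ''PublicKey'' matches, and flags overlapping ''AllowedIPs'' between ''[Peer]'' sections. The sample keys are the RFC 7748 test vectors, used as constructed stand-ins for "'''wg genkey'''" output; the configuration text and the ''check_configs'', ''parse_conf'' and ''public_key'' names are assumptions of this example.<br />

```python
import base64
import ipaddress

P, A24 = 2**255 - 19, 121665  # Curve25519 prime and (A - 2) / 4 from RFC 7748

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder in plain Python (not constant-time; for checking configs only)."""
    k = bytearray(scalar)
    k[0] &= 248  # clamp the scalar exactly as wg(8) does for private keys
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    # No final cswap is needed: clamping zeroes bit 0, so swap is 0 after the last step.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(private_b64: str) -> str:
    """What `wg pubkey` computes: X25519 of the private scalar with the base point u = 9."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), b"\x09" + bytes(31))).decode()

def parse_conf(text: str) -> dict:
    """Minimal wg-quick INI reader: {'Interface': {...}, 'Peers': [{...}, ...]}."""
    conf = {"Interface": {}, "Peers": []}
    section = conf["Interface"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments such as '#DNS = 1.1.1.1'
        if line.startswith("["):
            section = conf["Interface"] if line == "[Interface]" else {}
            if line == "[Peer]":
                conf["Peers"].append(section)
        elif line:
            key, _, value = line.partition("=")  # split once: base64 keys end in '='
            section[key.strip()] = value.strip()
    return conf

def check_configs(server_conf: str, client_confs: list) -> list:
    """Returns human-readable problems; an empty list means the configs agree."""
    problems = []
    server = parse_conf(server_conf)
    server_pub = public_key(server["Interface"]["PrivateKey"])
    peer_pubs = [p.get("PublicKey") for p in server["Peers"]]
    for idx, text in enumerate(client_confs, 1):
        client = parse_conf(text)
        client_pub = public_key(client["Interface"]["PrivateKey"])
        if client_pub not in peer_pubs:
            problems.append(f"client {idx}: its public key {client_pub} is not a server [Peer]")
        if any(p.get("PublicKey") != server_pub for p in client["Peers"]):
            problems.append(f"client {idx}: [Peer] PublicKey is not the server's public key")
    # Cryptokey routing maps a destination to exactly one peer, so with overlapping
    # AllowedIPs one of the two peers silently loses that range.
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for p in server["Peers"] for c in p.get("AllowedIPs", "").split(",") if c.strip()]
    for i, first in enumerate(nets):
        for second in nets[i + 1:]:
            if first.overlaps(second):
                problems.append(f"AllowedIPs overlap on the server: {first} and {second}")
    return problems

# Constructed sample: the RFC 7748 section 6.1 test-vector key pairs stand in for
# `wg genkey` output; none of the wiki page's own keys are used.
def _b64(hexstr: str) -> str: return base64.b64encode(bytes.fromhex(hexstr)).decode()
SERVER_PRIV = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PUB = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
CLIENT_PRIV = _b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
CLIENT_PUB = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
GOOD_SERVER = f"""[Interface]
Address = 10.55.55.1/24
PrivateKey = {SERVER_PRIV}
[Peer]
PublicKey = {CLIENT_PUB}
AllowedIPs = 10.55.55.2/32
"""
GOOD_CLIENT = f"""[Interface]
Address = 10.55.55.2/32
PrivateKey = {CLIENT_PRIV}
#DNS = 1.1.1.1
[Peer]
PublicKey = {SERVER_PUB}
Endpoint = public.ip.of.server:51820
AllowedIPs = 10.55.55.0/24
"""
# Two classic mistakes: the client's *private* key pasted as the server's [Peer] PublicKey,
# and a second peer whose AllowedIPs swallows the first peer's /32.
BAD_SERVER = GOOD_SERVER.replace(CLIENT_PUB, CLIENT_PRIV) + f"[Peer]\nPublicKey = {SERVER_PUB}\nAllowedIPs = 10.55.55.0/24\n"
```

Point ''check_configs'' at the real ''/etc/wireguard/wg0.conf'' files (readable only by root) to catch a pasted-in private key or an overlapping peer range before bringing the tunnel up.<br />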
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard is a prebuilt kernel module on NST 34 and above, so these DKMS steps are no longer needed.<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard is a prebuilt kernel module on NST 34 and above, so these DKMS steps are no longer needed.<br />
<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard is a prebuilt kernel module on NST 34 and above, so these DKMS steps are no longer needed.<br />
<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
Use the following command to remove a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9727HowTo Quickly Setup A VPN Using WireGuard On NST2022-01-30T16:15:43Z<p>Rwh: /* Manual Wireguard DKMS Module Verification */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to setup a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. That page walks through the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This will create a Private / Public key pair as two (2) files ("'''privatekey'''" and "'''publickey'''"):<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This will create a Private / Public key pair as two (2) files ("'''privatekey'''" and "'''publickey'''"):<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router in your server side environment is configured, inbound access from the Internet facing side to UDP port: "'''51820'''" on your WireGuard VPN server host needs to be allowed. The WireGuard article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers the Firewall rule changes and IP Forwarding settings that may need to be changed for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install only requires a NATed port forward rule on the Gateway Firewall Router for UDP port: "'''51820'''" to the NST WireGuard VPN server for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
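
The following Python script, added here as an example and not part of the NST wiki or the WireGuard project, parses the "'''wg show'''" output shown above and reports peers that have no handshake at all or whose last handshake is older than a chosen threshold (MAX_AGE, an assumed 300 seconds). The second embedded status listing is constructed to exercise the stale and never-connected cases.<br />

```python
"""Parse `wg show <interface>` output and flag peers whose session looks dead.
Added example, not NST wiki or WireGuard code. Assumption: with traffic flowing (the
client's 21 s PersistentKeepalive guarantees some), WireGuard renegotiates every few
minutes, so a handshake older than MAX_AGE seconds, or none at all, means the peer is
unreachable or misconfigured (wrong key, wrong endpoint, blocked UDP port)."""
import re

MAX_AGE = 300  # seconds; a chosen alerting threshold, not a WireGuard constant
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_age(text):
    """'1 minute, 57 seconds ago' -> 117 seconds; wg prints 'Now' for a fresh handshake."""
    if text.strip().lower() == "now":
        return 0
    return sum(int(n) * UNITS[u]
               for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", text))


def parse_wg_show(output):
    """Return {'interface', 'listening_port', 'peers': [per-peer dicts]} from wg show text."""
    info = {"interface": None, "listening_port": None, "peers": []}
    peer = None
    for line in output.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue  # blank separator line between the interface block and peers
        if key == "interface":
            info["interface"] = value
        elif key == "listening port":
            info["listening_port"] = int(value)
        elif key == "peer":
            peer = {"public_key": value, "handshake_age": None, "keepalive": None}
            info["peers"].append(peer)
        elif peer is None:
            continue  # remaining interface-level fields (public/private key) not needed
        elif key == "endpoint":
            peer["endpoint"] = value  # host:port; partition() split only the first ':'
        elif key == "allowed ips":
            peer["allowed_ips"] = [cidr.strip() for cidr in value.split(",")]
        elif key == "latest handshake":
            peer["handshake_age"] = parse_age(value)
        elif key == "persistent keepalive":
            match = re.search(r"\d+", value)
            peer["keepalive"] = int(match.group()) if match else None
    return info


def stale_peers(output, max_age=MAX_AGE):
    """Public keys of peers that never handshaked or whose last handshake is too old."""
    return [p["public_key"] for p in parse_wg_show(output)["peers"]
            if p["handshake_age"] is None or p["handshake_age"] > max_age]


# Server-side status copied from the wiki page above (one healthy peer).
PAGE_STATUS = """\
interface: wg0
  public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  private key: (hidden)
  listening port: 51820

peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
  endpoint: 14.41.111.122:38964
  allowed ips: 10.55.55.2/32
  latest handshake: 1 minute, 57 seconds ago
  transfer: 9.59 KiB received, 7.27 KiB sent
"""

# Constructed status for a multi-peer server: the second peer is hours stale and the
# third has never handshaked (wg prints no "latest handshake" line for such a peer).
MULTI_STATUS = """\
interface: wg0
  public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  private key: (hidden)
  listening port: 51820

peer: +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
  endpoint: 198.51.100.7:40001
  allowed ips: 10.55.55.10/32
  latest handshake: 43 seconds ago
  transfer: 1.20 MiB received, 3.41 MiB sent

peer: WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
  endpoint: 203.0.113.9:51820
  allowed ips: 10.55.55.11/32
  latest handshake: 2 hours, 5 minutes, 11 seconds ago
  transfer: 612 B received, 1.09 KiB sent

peer: 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
  allowed ips: 10.55.55.12/32
"""

if __name__ == "__main__":
    for name, status in (("page", PAGE_STATUS), ("multi", MULTI_STATUS)):
        print(name, "stale peers:", stale_peers(status))
```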
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit script to automate the starting of the VPN when bringing up an NST system.<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key for each client (peer).<br />
* Add multiple ''[Peer]'' sections to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' setting of each peer entry does not overlap with that of any other peer.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than ''10.55.55.0/24'' (something different from this public example).<br />
* It is recommended to use a port other than ''51820'' (something different from this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
&nbsp;<br />
<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
Use the following command to remove a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9726HowTo Quickly Setup A VPN Using WireGuard On NST2022-01-30T16:14:57Z<p>Rwh: /* Manual Wireguard DKMS Build and Install */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to setup a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. On this page you will learn the step-by-step procedure for configuring the Server and Client endpoints of the VPN using the command-line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This will create two (2) key files, the Private / Public key pair:<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This will create two (2) key files, the Private / Public key pair:<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
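
The following Python script, added here as an example (it is not NST or WireGuard code), checks a finished "'''wg0.conf'''" for the mistakes the steps above and the multiple-peer section guard against: template placeholders left behind, keys that do not decode to 32 bytes, a peer key used twice, and ''AllowedIPs'' that overlap between peers. The PLACEHOLDERS list and the warning for the public example port are assumptions; the embedded configurations are the wiki's own server example and a constructed broken one.<br />

```python
"""Sanity-check a wg-quick configuration before running `wg-quick up`. Added example,
not NST wiki or WireGuard code; standard library only. A small parser is needed
because wg-quick files repeat the [Peer] section, which configparser cannot handle."""
import base64
import binascii
import ipaddress

# Placeholder names from the NST template files; any left behind means substitution was skipped.
PLACEHOLDERS = ("-SERVER PRIVATE KEY-", "-CLIENT PRIVATE KEY-",
                "-SERVER PUBLIC KEY-", "-CLIENT PUBLIC KEY-", "public.ip.of.server")


def parse_wg_conf(text):
    """Return ({interface keys}, [{peer keys}, ...]) from wg-quick INI-like text."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments such as "#DNS = 1.1.1.1" are ignored
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name not in ("interface", "peer"):
                raise ValueError(f"unknown section [{name}]")
            current = interface if name == "interface" else {}
            if name == "peer":
                peers.append(current)
        elif line:
            if current is None or "=" not in line:
                raise ValueError(f"unexpected line: {raw!r}")
            # keys are base64 and may end in '=', so split on the first '=' only
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers


def valid_key(b64):
    """A WireGuard key is 32 bytes, base64 encoded (44 characters ending in '=')."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_wg_conf(text):
    """Return (errors, warnings): errors break the VPN, warnings repeat wiki advice."""
    errors = [f"template placeholder still present: {p}" for p in PLACEHOLDERS if p in text]
    warnings = []
    interface, peers = parse_wg_conf(text)
    if not valid_key(interface.get("PrivateKey", "")):
        errors.append("[Interface] PrivateKey is missing or not a 32-byte key")
    if interface.get("ListenPort") == "51820":
        warnings.append("ListenPort 51820 is the public example port; pick another")
    seen, claimed = set(), []  # claimed: (peer number, network) pairs already routed
    for i, peer in enumerate(peers, 1):
        pub = peer.get("PublicKey", "")
        if not valid_key(pub):
            errors.append(f"peer {i}: PublicKey is missing or not a 32-byte key")
        elif pub in seen:
            errors.append(f"peer {i}: PublicKey duplicates an earlier peer")
        seen.add(pub)
        for cidr in filter(None, (c.strip() for c in peer.get("AllowedIPs", "").split(","))):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                errors.append(f"peer {i}: bad AllowedIPs entry {cidr!r}")
                continue
            # Cryptokey routing assigns an overlapping allowed IP to whichever peer was
            # configured last, so an overlap silently reroutes the earlier peer's traffic.
            errors += [f"peer {i}: AllowedIPs {net} overlaps peer {j} ({other})"
                       for j, other in claimed if net.overlaps(other)]
            claimed.append((i, net))
    return errors, warnings


# Server-side example copied from the wiki page (first two of its three peers).
SERVER_CONF = """\
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32
"""

# Constructed broken config: two placeholders left in, and a /24 that swallows peer 1.
BAD_CONF = """\
[Interface]
Address = 10.9.8.1/24
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.9.8.10/32

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.9.8.0/24
"""
```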
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how your Firewall Gateway Router is configured on your server side environment, access to UDP port: "'''51820'''" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers Firewall rule changes and IP Forwarding that may need to be changed for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''" for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ====<br />
Server side VPN '''status''' using the "'''wg'''" command. The '''latest handshake''' and '''transfer''' lines are the quickest health check: while traffic flows WireGuard renegotiates a handshake roughly every two minutes, so a handshake age that keeps growing (or a peer with no handshake line at all) means the peer is unreachable, the '''Endpoint''' or UDP port is wrong, or the public keys do not match. The '''endpoint''' shown is the source address of the last authenticated packet, which is how roaming clients are tracked:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
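<br />
The two status listings above are what an operator reads to decide whether the tunnel is healthy. The following Python script is an added example, not part of NST or of the WireGuard tools: it parses '''wg show <ifname>''' output for every peer, converts the human-readable handshake age into seconds and flags peers whose last handshake is older than 180 seconds or that never handshook at all (180 s is WireGuard's REJECT_AFTER_TIME, so with a persistent keepalive a reachable peer never exceeds it). The server listing embedded in the script is the capture from this page; the second listing, with two extra peers, an endpoint in the 198.51.100.0/24 documentation range and an hour-old handshake, is constructed for the demonstration.<br />
<br />
```python
import re
from typing import Dict, List, Optional

# WireGuard rekeys a live session after 120 s (REKEY_AFTER_TIME) and rejects it
# after 180 s (REJECT_AFTER_TIME); with a persistent keepalive a reachable peer
# therefore never shows a handshake older than about three minutes.
STALE_AFTER_SECONDS = 180

_UNIT_SECONDS = {"year": 365 * 86400, "day": 86400, "hour": 3600, "minute": 60, "second": 1}


def parse_ago(text: str) -> int:
    """Convert wg's '1 minute, 57 seconds ago' into seconds (117)."""
    if text.strip() == "Now":                        # wg prints this for < 1 second
        return 0
    return sum(int(n) * _UNIT_SECONDS[unit]
               for n, unit in re.findall(r"(\d+) (year|day|hour|minute|second)s?", text))


def parse_wg_show(output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each peer public key to its endpoint, latest handshake and transfer lines."""
    peers: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[Dict[str, Optional[str]]] = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("peer: "):
            current = {"endpoint": None, "latest handshake": None, "transfer": None}
            peers[line[len("peer: "):]] = current
        elif current is not None and ": " in line:   # interface lines precede any peer
            key, value = line.split(": ", 1)
            if key in current:
                current[key] = value
    return peers


def stale_peers(output: str, threshold: int = STALE_AFTER_SECONDS) -> List[str]:
    """Public keys of peers that never handshook or whose last handshake is too old."""
    stale = []
    for pubkey, fields in parse_wg_show(output).items():
        handshake = fields["latest handshake"]
        if handshake is None or parse_ago(handshake) > threshold:
            stale.append(pubkey)
    return stale


# Captured on this page: server side `wg show wg0` on shopper2.
SERVER_SHOW = """\
interface: wg0
  public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=
  private key: (hidden)
  listening port: 51820

peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=
  endpoint: 14.41.111.122:38964
  allowed ips: 10.55.55.2/32
  latest handshake: 1 minute, 57 seconds ago
  transfer: 9.59 KiB received, 7.27 KiB sent
"""

# Constructed: the same interface with two extra peers, one silent for over an
# hour and one that never completed a handshake (wg omits the line entirely).
STALE_SHOW = SERVER_SHOW + """
peer: +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
  endpoint: 198.51.100.7:41000
  allowed ips: 10.55.55.10/32
  latest handshake: 1 hour, 4 minutes, 2 seconds ago
  transfer: 1.20 MiB received, 3.41 MiB sent

peer: WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
  allowed ips: 10.55.55.11/32
"""

if __name__ == "__main__":
    for name, out in (("page capture", SERVER_SHOW), ("constructed", STALE_SHOW)):
        print(f"{name}: stale peers -> {stale_peers(out) or 'none'}")
```
<br />
For unattended monitoring prefer '''wg show wg0 dump''', whose latest-handshake column is an epoch timestamp that needs no parsing; the human-readable parser above is for reading captures such as the two on this page.<br />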
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command. Because the server configuration sets '''SaveConfig = true''', '''wg-quick''' first runs '''wg showconf wg0''' and writes the live configuration (including anything changed with '''wg set''' while the interface was up) back to '''/etc/wireguard/wg0.conf''', overwriting any edits made to the file in the meantime:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard tools include a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit, '''wg-quick@.service''', whose instance name selects the configuration file under '''/etc/wireguard''' ('''wg-quick@wg0''' uses '''wg0.conf'''). Enabling it brings the VPN up automatically when the NST system boots; add '''--now''' to also start it immediately:<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key pair for each client (peer). WireGuard identifies a peer solely by its public key, so two clients sharing one key pair are a single peer to the server, which will keep flipping that peer's endpoint between them.<br />
* Add one ''[Peer]'' section per client to the server's ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap. On the server ''AllowedIPs'' is the cryptokey routing table: it decides which peer receives packets for a destination and which source addresses are accepted from a peer. If two peers claim the same address, the most recently configured peer silently takes it over.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the public address (or FQDN) and UDP port of your server (this typically involves opening or forwarding that UDP port on your firewall).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different from this public example).<br />
* It is recommended to use a port other than ''51820'' (something different from this public example).<br />
* You must generate your own server and client private/public key pairs. The private keys printed below are public knowledge; anyone holding them can impersonate the corresponding peer, so a tunnel built on them provides neither authentication nor confidentiality.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
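<br />
The three-peer server configuration above can be checked mechanically before it is loaded. The following Python script is an added example, not part of NST or of the WireGuard tools: it parses a '''wg-quick''' style configuration, which unlike a plain INI file may contain several ''[Peer]'' sections, and reports the mistakes the list above warns about: a key that does not decode to 32 bytes, the same public key used by two peers, ''AllowedIPs'' ranges that overlap between peers, and a peer address outside the interface's tunnel subnet. The first configuration embedded in the script is the server example from this page; the second, deliberately broken one is constructed for the demonstration.<br />
<br />
```python
import base64
import ipaddress
from typing import Dict, List, Tuple


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts.
    [Peer] repeats once per client, which a stock configparser cannot represent."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def valid_key(b64: str) -> bool:
    """A WireGuard key is 32 raw bytes in base64, i.e. exactly 44 characters."""
    try:
        return len(b64) == 44 and len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False


def lint_server_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    interface, peers = parse_wg_conf(text)
    # Address = 10.55.55.1/24 gives the tunnel subnet every peer should sit in.
    subnet = ipaddress.ip_interface(interface["Address"].split(",")[0].strip()).network
    if not valid_key(interface.get("PrivateKey", "")):
        findings.append("[Interface] PrivateKey is not a valid 32-byte key")
    seen_keys: Dict[str, int] = {}
    claimed = []                                     # (peer number, network) already routed
    for idx, peer in enumerate(peers, 1):
        pub = peer.get("PublicKey", "")
        if not valid_key(pub):
            findings.append(f"peer {idx}: PublicKey is not a valid 32-byte key")
        elif pub in seen_keys:
            findings.append(f"peer {idx}: PublicKey already used by peer {seen_keys[pub]}")
        else:
            seen_keys[pub] = idx
        for cidr in peer.get("AllowedIPs", "").split(","):
            if not cidr.strip():
                findings.append(f"peer {idx}: no AllowedIPs")
                continue
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.version == subnet.version and not net.subnet_of(subnet):
                findings.append(f"peer {idx}: {net} is outside the tunnel subnet {subnet}")
            for other_idx, other in claimed:         # cryptokey routing: one peer per address
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {idx}: {net} overlaps {other} of peer {other_idx}")
            claimed.append((idx, net))
    return findings


# Server configuration exactly as shown on this page (three clients).
SERVER_CONF = """\
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32

[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.12/32
"""

# Constructed counter-example: the third peer reuses the first peer's key and
# claims a /29 that swallows the addresses of the first two peers.
BROKEN_CONF = SERVER_CONF.replace(
    "PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=\nAllowedIPs = 10.55.55.12/32",
    "PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=\nAllowedIPs = 10.55.55.8/29",
)

if __name__ == "__main__":
    for name, conf in (("page example", SERVER_CONF), ("constructed broken", BROKEN_CONF)):
        print(f"{name}: {lint_server_conf(conf) or 'OK'}")
```
<br />
The "outside the tunnel subnet" finding is informational: it is expected when a peer legitimately routes another network (site-to-site), and a real error when, as here, every peer is a single host.<br />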
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
Use the following command to remove a wireguard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9725HowTo Quickly Setup A VPN Using WireGuard On NST2022-01-30T16:14:46Z<p>Rwh: /* Manual Wireguard DKMS Build and Install */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to setup a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. That page walks through configuring the Server and Client endpoints of the VPN step by step from the command line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will setup a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side private/public WireGuard key pair. The '''wg-generate-keys''' script creates one key pair stored in two files, '''privatekey''' and '''publickey''', both with mode 0600 so that only '''root''' can read the private key:<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side private/public WireGuard key pair. As on the server, this creates one key pair stored in two files, '''privatekey''' and '''publickey''', both with mode 0600:<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
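<br />
Before bringing the tunnel up it is worth confirming that the public key pasted into each peer's configuration really belongs to the private key on the other side: a single mistyped character yields a tunnel that never completes a handshake and gives no error message. On NST the check is '''wg pubkey < /etc/wireguard/privatekey''' on one host compared with the '''PublicKey''' line of the other host's '''wg0.conf'''. The following Python script is an added example, not the '''wg-generate-keys''' script nor any WireGuard tool: it decodes the base64 keys, checks the clamped bits that '''wg genkey''' always sets in a private key, and derives the public key with an X25519 scalar multiplication (WireGuard keys are Curve25519 keys), so the same check can be run offline on a copied configuration. The implementation is verified against the RFC 7748 test vectors; the server and client key pairs embedded below are the ones shown on this page.<br />
<br />
```python
import base64

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (A - 2) / 4 for the curve constant A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def decode_key(b64: str) -> bytes:
    """A WireGuard key is 32 bytes in base64; anything else is a copy/paste error."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw


def is_clamped(priv: bytes) -> bool:
    """wg genkey clears the low three bits and bit 255 and sets bit 254; a private
    key failing this test was not produced by wg genkey (or has been altered)."""
    return priv[0] & 7 == 0 and priv[31] & 128 == 0 and priv[31] & 64 == 64


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp; a no-op for wg keys
    k_int = int.from_bytes(k, "little")
    u = bytearray(point); u[31] &= 127
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k_int >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv_b64: str) -> str:
    """The value `wg pubkey` prints for a privatekey file: X25519(private, 9)."""
    return base64.b64encode(x25519(decode_key(priv_b64), BASEPOINT)).decode()


def keys_match(priv_b64: str, pub_b64: str) -> bool:
    """True when pub_b64 (pasted into the remote wg0.conf) belongs to priv_b64."""
    return decode_key(pub_b64) == decode_key(public_key(priv_b64))


# RFC 7748 section 6.1 test vectors (hex): Alice's and Bob's key pairs and the
# shared secret they derive; they prove the ladder above is implemented correctly.
ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def self_test() -> bool:
    """True when the X25519 implementation reproduces the RFC 7748 vectors."""
    a, b = bytes.fromhex(ALICE_PRIV), bytes.fromhex(BOB_PRIV)
    return (x25519(a, BASEPOINT).hex() == ALICE_PUB
            and x25519(b, BASEPOINT).hex() == BOB_PUB
            and x25519(a, bytes.fromhex(BOB_PUB)).hex() == SHARED
            and keys_match(base64.b64encode(a).decode(),
                           base64.b64encode(bytes.fromhex(ALICE_PUB)).decode()))


# Key material copied from this page: each host's privatekey and the public key
# the other host pasted into its wg0.conf.
PAGE_PAIRS = {
    "server (shopper2)": ("UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=",
                          "vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s="),
    "client (pktcap28)": ("+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=",
                          "dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs="),
}

if __name__ == "__main__":
    print("RFC 7748 self-test:", "pass" if self_test() else "FAIL")
    for name, (priv, pub) in PAGE_PAIRS.items():
        print(f"{name}: clamped={is_clamped(decode_key(priv))} "
              f"public key matches peer config={keys_match(priv, pub)}")
```
<br />
A pure-Python ladder is fine for auditing a handful of configuration files; it is not constant-time and is not a substitute for the kernel's implementation when the key is actually in use.<br />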
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router in your server side environment is configured, UDP port "'''51820'''" on the WireGuard VPN server host must be reachable from the Internet facing side. WireGuard only ever uses this single UDP port, and a closed or mis-forwarded port shows up as a peer that never completes a handshake rather than as an error. The article '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers the firewall rule and IP forwarding changes that may be needed for your environment.<br />
<br />
'''***Note''': For this host-to-host example (each peer only talks to the other's WireGuard address) a fresh NST install typically needs nothing more than a NATed port forward on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''". IP forwarding ('''net.ipv4.ip_forward=1''') and a masquerade rule on the server are only required when a client routes other networks through the server, for example with the commented-out '''AllowedIPs = 0.0.0.0/0''' in the client template.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.22.22.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit ('''wg-quick@.service''') that brings the VPN up automatically when an NST system boots. Enable an instance of it for the ''wg0'' interface:<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). To accomplish this, you will need to:<br />
<br />
* Create a unique private/public key pair for each client (peer).<br />
* Add one ''[Peer]'' section per client to the server's ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap: WireGuard uses ''AllowedIPs'' to decide which peer a destination address belongs to (and which source addresses it accepts from that peer), so each address may be assigned to only one peer.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' on the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than ''10.55.55.0/24'' (something different from this public example).<br />
* It is recommended that you use a port other than ''51820'' (something different from this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
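<br />
The following script, added here as an example (it is not part of the NST wiki or of the WireGuard project), checks a multi-peer ''wg0.conf'' for the mistakes called out above before it is handed to ''wg-quick'': peers whose ''AllowedIPs'' overlap, duplicate or malformed keys, and template placeholders such as ''-SERVER PRIVATE KEY-'' that were never substituted. The configurations and keys embedded in it are constructed for the demonstration and are not real keys.<br />
<br />
```python
"""Sanity-check a multi-peer WireGuard wg0.conf before handing it to wg-quick."""
import base64
import ipaddress

def parse_wg_conf(text):
    """Return (interface_settings, [peer_settings, ...]); repeated [Peer] sections rule out configparser."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as '#DNS = 1.1.1.1'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers

def valid_key(key):
    """WireGuard keys are 32 bytes, base64 encoded: 44 characters ending in '='."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def check_wg_conf(text, server=True):
    """Return a list of findings; an empty list means the configuration passed."""
    findings = []
    iface, peers = parse_wg_conf(text)
    if not valid_key(iface.get("PrivateKey", "")):
        findings.append("Interface: PrivateKey missing or malformed (template placeholder left in?)")
    if server and "ListenPort" not in iface:
        findings.append("Interface: server has no ListenPort")
    try:
        iface_net = ipaddress.ip_interface(iface["Address"]).network
    except (KeyError, ValueError):
        findings.append("Interface: Address missing or malformed")
        iface_net = None
    seen_keys, seen_nets = {}, []            # public key -> peer number; (network, peer number)
    for i, peer in enumerate(peers, 1):
        pub = peer.get("PublicKey", "")
        if not valid_key(pub):
            findings.append(f"Peer {i}: PublicKey missing or malformed (template placeholder left in?)")
        elif pub in seen_keys:
            findings.append(f"Peer {i}: PublicKey duplicates peer {seen_keys[pub]}")
        else:
            seen_keys[pub] = i
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"Peer {i}: AllowedIPs entry {cidr!r} is missing or not a network")
                continue
            # Cryptokey routing: an address may be claimed by exactly one peer.
            for other, j in seen_nets:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"Peer {i}: AllowedIPs {net} overlaps peer {j} ({other})")
            seen_nets.append((net, i))
            if server and iface_net and (net.version != iface_net.version
                                         or not net.subnet_of(iface_net)):
                findings.append(f"Peer {i}: {net} is outside the interface subnet {iface_net}")
    return findings

def _demo_key(n):
    """Constructed, deterministic 32-byte 'key' for the demo; never use such a key for real."""
    return base64.b64encode(bytes([n]) * 32).decode()

# Constructed server configuration in the shape of the page's multi-peer example.
GOOD_CONF = f"""[Interface]
Address = 10.55.55.1/24
ListenPort = 51820
PrivateKey = {_demo_key(1)}

[Peer]
PublicKey = {_demo_key(10)}
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = {_demo_key(11)}
AllowedIPs = 10.55.55.11/32
"""

# Same file with two mistakes: an unsubstituted placeholder and a peer claiming the whole subnet.
BAD_CONF = (GOOD_CONF.replace(_demo_key(1), "-SERVER PRIVATE KEY-")
                     .replace("10.55.55.11/32", "10.55.55.0/24"))

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_wg_conf(conf) or ["OK"])
```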
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard is a prebuilt kernel module in NST 34 and above, so the DKMS steps below are no longer needed.<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
Use the following command to remove a wireguard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9724HowTo Quickly Setup A VPN Using WireGuard On NST2022-01-30T16:14:07Z<p>Rwh: /* Manual Wireguard DKMS Build and Install */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to set up a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general-purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. That page walks through the step-by-step procedure for configuring the Server and Client endpoints of the VPN from the command line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier by providing template configuration files and a key generation command file. These files are located in the directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will set up a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This creates one Private / Public key pair, stored as two (2) files ("'''privatekey'''" and "'''publickey'''"):<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This creates one Private / Public key pair, stored as two (2) files ("'''privatekey'''" and "'''publickey'''"):<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' its WireGuard IP Address. Also update the WireGuard server listening port (default: 51820) if necessary.<br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router in your server side environment is configured, access to UDP port "'''51820'''" on your WireGuard VPN server host must be allowed from the Internet facing side. The article '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers the Firewall rule changes and IP Forwarding settings that may need to be adjusted for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''" for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit ('''wg-quick@.service''') that brings the VPN up automatically when an NST system boots. Enable an instance of it for the ''wg0'' interface:<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key for each client (peer).<br />
* Add multiple ''[Peer]'' sections to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).<br />
* It is recommended to use a port other than ''51820'' (something different than this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
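<br />
As an added check (not part of the NST templates or of the WireGuard tools), the following Python script parses a ''wg0.conf'' and flags the two mistakes this section warns about: a peer public key used more than once and peer ''AllowedIPs'' that overlap. Its sample input is the three-peer server configuration shown above, plus a constructed broken variant; the repeated ''[Peer]'' sections are why Python's configparser is not used.<br />
```python
import base64
import ipaddress

# Sample input: the three-peer server wg0.conf shown in this section (example keys, not for reuse)
SERVER_CONF = """\
[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=

[Peer]
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=
AllowedIPs = 10.55.55.10/32

[Peer]
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=
AllowedIPs = 10.55.55.11/32

[Peer]
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=
AllowedIPs = 10.55.55.12/32
"""

# Constructed broken variant: the third peer reuses the first peer's key and
# claims 10.55.55.8/29 (.8-.15), which swallows the .10 and .11 peers' addresses.
BAD_CONF = SERVER_CONF.replace(
    "PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=\nAllowedIPs = 10.55.55.12/32",
    "PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=\nAllowedIPs = 10.55.55.8/29",
)


def parse_wg_conf(text: str):
    """Return ({interface keys}, [peer dicts]). [Peer] repeats, so configparser cannot be used."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as "#DNS = 1.1.1.1"
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def is_wg_key(value: str) -> bool:
    """A WireGuard key is 32 bytes of base64 (44 characters ending in '=')."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                          # binascii.Error is a ValueError
        return False


def check_server_conf(text: str) -> list:
    """Flag the mistakes this section warns about: reused peer keys and overlapping AllowedIPs."""
    findings = []
    interface, peers = parse_wg_conf(text)
    if not is_wg_key(interface.get("privatekey", "")):
        findings.append("[Interface] PrivateKey is missing or not a 32-byte base64 key")
    owners = {}         # public key -> peer number
    routes = []         # (network, peer number) already claimed
    for num, peer in enumerate(peers, 1):
        pub = peer.get("publickey", "")
        if not is_wg_key(pub):
            findings.append(f"peer {num}: PublicKey missing or malformed")
        elif pub in owners:
            findings.append(f"peer {num}: PublicKey already used by peer {owners[pub]}")
        else:
            owners[pub] = num
        cidrs = [c.strip() for c in peer.get("allowedips", "").split(",") if c.strip()]
        if not cidrs:
            findings.append(f"peer {num}: no AllowedIPs, so no tunnel traffic can be routed to it")
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # WireGuard maps each allowed IP to exactly one peer: an overlap is not rejected
            # when the config loads, the peer configured later simply takes over the route.
            for other, owner in routes:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {num}: AllowedIPs {net} overlaps {other} of peer {owner}")
            routes.append((net, num))
    return findings


if __name__ == "__main__":
    for name, conf in (("page example", SERVER_CONF), ("constructed bad config", BAD_CONF)):
        print(f"{name}: {check_server_conf(conf) or 'no findings'}")
```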
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 12743</center>]]''']]WireGuard is now a prebuilt kernel module with NST 34 and above, so the DKMS steps below are no longer needed.<br />
<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
Use the following command to remove a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>
Rwh
https://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Quickly_Setup_A_VPN_Using_WireGuard_On_NST&diff=9723
HowTo Quickly Setup A VPN Using WireGuard On NST
2022-01-30T16:12:27Z
<p>Rwh: /* Manual Wireguard DKMS Build and Install */</p>
<hr />
<div>__TOC__<br />
<br />
= Overview =<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 28<br /> SVN: 10606</center>]]''']]This page provides a quick start reference on how to setup a fast, modern, secure '''[https://en.wikipedia.org/wiki/Virtual_private_network VPN]''' tunnel using '''[https://www.wireguard.com/ WireGuard]''' on NST.<br />
<br />
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than '''[https://en.wikipedia.org/wiki/IPsec IPSec]''', while avoiding the massive headache. It tends to outperform '''[https://en.wikipedia.org/wiki/OpenVPN OpenVPN]'''. WireGuard is designed as a general purpose VPN for running on embedded interfaces and supercomputers alike, fit for many different circumstances. Initially released for the '''[https://en.wikipedia.org/wiki/Linux_kernel Linux kernel]''', it is now cross-platform and widely deployed. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
WireGuard aims to be as easy to configure and deploy as '''[https://en.wikipedia.org/wiki/Secure_Shell SSH]'''. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between '''[https://en.wikipedia.org/wiki/IP_address IP Address]'''es, just like '''[https://en.wikipedia.org/wiki/Mosh_(software) Mosh]'''. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.<br />
<br />
== WireGuard Detailed Command-Line Setup ==<br />
<br />
One can follow the detailed setup for a WireGuard VPN on its main site: '''[https://www.wireguard.com/quickstart/ Quick Start]'''. That page walks through the step-by-step procedure for configuring the Server and Client endpoints of the VPN from the command line.<br />
<br />
== NST Quick WireGuard VPN Setup ==<br />
NST has made the process of setting up a WireGuard VPN even easier using template configuration files and a key generation command file. These files are located in directory: "'''/etc/wireguard'''".<br />
<br />
[root@shopper2 wireguard]# ls -al /etc/wireguard<br />
total 28<br />
drwx------ 2 root root 92 Nov 20 08:22 .<br />
drwxr-xr-x 229 root root 12288 Nov 20 08:22 ..<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
=== Example VPN Setup Steps ===<br />
In this example we will set up a WireGuard VPN between two (2) NST systems across the Internet. Both NST systems are behind a '''[https://en.wikipedia.org/wiki/Network_address_translation NAT]'''ed firewall. We will use the template IP Addresses for the VPN tunnel endpoints.<br />
<br />
'''***Note''': All WireGuard VPN configuration and command execution requires "'''root'''" access. One can "'''su -'''" to the "'''root'''" user or use the "'''sudo'''" command with the "'''nst'''" user for configuration and command execution. The "'''root'''" user was used for this example VPN setup.<br />
----<br />
<br />
'''NST Server Side''':<br />
* Server Address: "'''10.55.55.1'''"<br />
* Host Name: "'''shopper2'''"<br />
* Public IP Address: "'''102.5.221.22'''" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;('''***Note''': Use the command: "'''getipaddr -f -p'''" to get your public IP Address)<br />
* WireGuard UDP VPN Listen Port: "'''51820'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Address: "'''10.55.55.2/32'''"<br />
<br />
'''NST Client Side''':<br />
* Client Address: "'''10.55.55.2'''"<br />
* Host Name: "'''pktcap28'''"<br />
* WireGuard Virtual Interface: "'''wg0'''"<br />
* VPN Allowed IP Addresses: "'''10.55.55.0/24'''"<br />
<br />
----<br />
<br />
==== WireGuard Server Endpoint Setup ====<br />
Do the following steps on the NST server side ('''shopper2'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@shopper2 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Server template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@shopper2 wireguard]# install -m 600 wg-server.template.conf wg0.conf<br />
[root@shopper2 wireguard]# ls -al<br />
total 36<br />
drwx------ 2 root root 108 Nov 20 08:46 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
3) Generate the Server side Private / Public WireGuard keys. This will create the key pair as two (2) files ("'''privatekey'''" and "'''publickey'''"):<br />
[root@shopper2 wireguard]# source ./wg-generate-keys<br />
[root@shopper2 wireguard]# ls -al<br />
total 44<br />
drwx------ 2 root root 143 Nov 20 08:57 .<br />
drwxr-xr-x 235 root root 16384 Nov 19 08:45 ..<br />
-rw------- 1 root root 45 Nov 20 08:57 privatekey<br />
-rw------- 1 root root 45 Nov 20 08:57 publickey<br />
-rw------- 1 root root 174 Nov 20 08:50 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 08:39 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 08:39 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 08:39 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Server Private key content for the "'''-SERVER PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = -SERVER PRIVATE KEY-<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
[root@shopper2 wireguard]# cat privatekey <br />
UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
After substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = -CLIENT PUBLIC KEY-<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': We will substitute in the Client public key later once we generate it on the NST client system (See "'''WireGuard Client Endpoint Setup - Step: 6 Below'''").<br />
<br />
==== WireGuard Client Endpoint Setup ====<br />
Do the following steps on the NST client side ('''pktcap28'''):<br />
<br />
1) Change directory to the WireGuard configuration location where the templates and key generation files are found:<br />
[root@pktcap28 ~]# cd /etc/wireguard<br />
<br />
2) Copy the Client template file to a "'''wg0'''" WireGuard configuration file for this virtual network interface:<br />
[root@pktcap28 wireguard]# install -m 600 wg-client.template.conf wg0.conf<br />
[root@pktcap28 wireguard]# ls -al<br />
total 32<br />
drwx------ 2 root root 108 Nov 19 11:17 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
3) Generate the Client side Private / Public WireGuard keys. This will create the key pair as two (2) files ("'''privatekey'''" and "'''publickey'''"):<br />
[root@pktcap28 wireguard]# source ./wg-generate-keys<br />
[root@pktcap28 wireguard]# ls -al<br />
total 40<br />
drwx------ 2 root root 143 Nov 21 07:58 .<br />
drwxr-xr-x 225 root root 12288 Nov 19 11:17 ..<br />
-rw------- 1 root root 45 Nov 21 07:58 privatekey<br />
-rw------- 1 root root 45 Nov 21 07:58 publickey<br />
-rw-r--r-- 1 root root 296 Nov 21 07:55 wg0.conf<br />
-rw-r--r-- 1 root root 296 Nov 19 11:16 wg-client.template.conf<br />
-rw-r--r-- 1 root root 289 Nov 19 11:16 wg-generate-keys<br />
-rw-r--r-- 1 root root 174 Nov 19 11:16 wg-server.template.conf<br />
<br />
4) Edit the "'''wg0.conf'''" configuration file and substitute in the generated Client Private key content for the "'''-CLIENT PRIVATE KEY-'''" name placeholder.<br />
<br />
Before substitution:<br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = -CLIENT PRIVATE KEY-<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
[root@pktcap28 wireguard]# cat privatekey <br />
+JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
<br />
After substitution:<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = -SERVER PUBLIC KEY-<br />
Endpoint = public.ip.of.server:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
5) Now substitute in both the Server side public key: "'''-SERVER PUBLIC KEY-'''" and the public IP Address of the Server: "'''public.ip.of.server'''" name placeholders.<br />
<br />
The "'''public.ip.of.server'''" name placeholder can also be a "'''[https://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN]'''". If both the client and server are on the same '''LAN''', this is the IP Address of the server's '''LAN''' facing interface and ''not'' the WireGuard IP Address. Also update the WireGuard server listening port (Default: 51820) if necessary. <br />
<br />
Server Public Key:<br />
[root@shopper2 wireguard]# cat publickey<br />
vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
<br />
After Substitution:<br />
<br />
[root@pktcap28 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.2/32<br />
PrivateKey = +JfF7/jf+VqQyXsslWkqGiRMA5WpKlBj1Kw1IR1T/Wk=<br />
#DNS = 1.1.1.1<br />
#DNS = 8.8.8.8<br />
<br />
[Peer]<br />
PublicKey = vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
Endpoint = 102.5.221.22:51820<br />
#AllowedIPs = 0.0.0.0/0<br />
#AllowedIPs = 10.55.55.1/32, 10.55.55.2/32<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
6) Now back on the NST Server, substitute in the Client side public key: "'''-CLIENT PUBLIC KEY-'''" name placeholder.<br />
<br />
Client Public Key:<br />
[root@pktcap28 wireguard]# cat publickey<br />
dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
<br />
Server side "'''wg0.conf'''" file content after substitution:<br />
[root@shopper2 wireguard]# cat wg0.conf <br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = UOkJawW+OrpeOy1PV9NX1AJcumM/rNfTTARiPalOFVQ=<br />
<br />
[Peer]<br />
PublicKey = dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
AllowedIPs = 10.55.55.2/32<br />
<br />
'''***Note''': At this point all template name placeholders have been filled in.<br />
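<br />
The key derivation and placeholder substitution of steps 3 to 6 on both hosts, as an added Python example that is not part of NST's '''wg-generate-keys''' or of the WireGuard tools: it derives a public key from a private key the way "'''wg pubkey'''" does (a pure-Python X25519 so it runs offline) and fills the two NST templates, refusing to emit a configuration that still contains a name placeholder. The RFC 7748 test vectors stand in for the generated "'''privatekey'''" files, and ''102.5.221.22'' is the example server address used above.<br />
```python
import base64
import re

# ---- X25519 (RFC 7748): what `wg pubkey` computes from a `wg genkey` output ----
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")  # the Curve25519 base point u = 9


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication exactly as laid out in RFC 7748 section 5."""
    kb = bytearray(k)
    kb[0] &= 248            # clamp the scalar (wg genkey emits already-clamped keys)
    kb[31] &= 127
    kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127           # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def wg_pubkey(private_key_b64: str) -> str:
    """Same output as `wg pubkey < privatekey`: base64(X25519(private, 9))."""
    priv = base64.b64decode(private_key_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("a WireGuard private key is exactly 32 bytes")
    return b64(x25519(priv, BASEPOINT))


# ---- The NST templates from /etc/wireguard (client's commented-out lines omitted) ----
SERVER_TEMPLATE = """[Interface]
Address = 10.55.55.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = -SERVER PRIVATE KEY-

[Peer]
PublicKey = -CLIENT PUBLIC KEY-
AllowedIPs = 10.55.55.2/32
"""

CLIENT_TEMPLATE = """[Interface]
Address = 10.55.55.2/32
PrivateKey = -CLIENT PRIVATE KEY-

[Peer]
PublicKey = -SERVER PUBLIC KEY-
Endpoint = public.ip.of.server:51820
AllowedIPs = 10.55.55.0/24
PersistentKeepalive = 21
"""

PLACEHOLDER = re.compile(r"-(?:SERVER|CLIENT) (?:PRIVATE|PUBLIC) KEY-|public\.ip\.of\.server")


def render(template: str, values: dict) -> str:
    """Substitute placeholders; refuse to emit a config that still contains one."""
    conf = template
    for name, value in values.items():
        conf = conf.replace(name, value)
    if PLACEHOLDER.search(conf):
        raise ValueError(f"unfilled placeholders: {PLACEHOLDER.findall(conf)}")
    return conf


def render_pair(server_priv_b64: str, client_priv_b64: str, server_endpoint: str):
    """Steps 4 to 6: return (server wg0.conf, client wg0.conf) with every placeholder filled."""
    server_conf = render(SERVER_TEMPLATE, {
        "-SERVER PRIVATE KEY-": server_priv_b64,
        "-CLIENT PUBLIC KEY-": wg_pubkey(client_priv_b64),
    })
    client_conf = render(CLIENT_TEMPLATE, {
        "-CLIENT PRIVATE KEY-": client_priv_b64,
        "-SERVER PUBLIC KEY-": wg_pubkey(server_priv_b64),
        "public.ip.of.server": server_endpoint,
    })
    return server_conf, client_conf


# RFC 7748 section 6.1 test vectors stand in for the two generated "privatekey" files
RFC7748_ALICE_PRIVATE = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_BOB_PRIVATE = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
```
Calling render_pair(b64(RFC7748_ALICE_PRIVATE), b64(RFC7748_BOB_PRIVATE), "102.5.221.22") yields the two finished files; a leftover placeholder such as "-CLIENT PUBLIC KEY-" raises instead of producing a config that wg-quick would reject.<br />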
<br />
==== WireGuard VPN Firewall Rule Changes and IP Forwarding ====<br />
Depending on how the Firewall Gateway Router in your server side environment is configured, access to UDP port: "'''51820'''" on your WireGuard VPN server host needs to be allowed from the Internet facing side. The WireGuard article: '''[https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/ Wireguard VPN: Typical Setup]''' covers the Firewall rule and IP Forwarding changes that may be required for your environment.<br />
<br />
'''***Note''': Typically, a fresh NST install will only require a NATed Forward Port rule on the Gateway Firewall Router to the NST WireGuard VPN server, UDP port: "'''51820'''" for this example VPN to be established and work properly.<br />
<br />
==== Bring Up WireGuard VPN ====<br />
<br />
===== Server Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Server side (Linux):<br />
[root@shopper2 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.1/24 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
<br />
[root@shopper2 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff<br />
inet 10.22.22.44/24 brd 10.222.222.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::3285:a9ff:fe44:7e37/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none<br />
inet 10.55.55.1/24 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@shopper2 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 10.22.22.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
10.22.22.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
[root@shopper2 ~]# netstat -uanp | grep 51820<br />
udp 0 0 0.0.0.0:51820 0.0.0.0:* - <br />
udp6 0 0 :::51820 :::* -<br />
<br />
===== Client Side (Linux) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (Linux):<br />
[root@pktcap28 ~]# wg-quick up wg0<br />
[#] ip link add wg0 type wireguard<br />
[#] wg setconf wg0 /dev/fd/63<br />
[#] ip address add 10.55.55.2/32 dev wg0<br />
[#] ip link set mtu 1420 dev wg0<br />
[#] ip link set wg0 up<br />
[#] ip route add 10.55.55.0/24 dev wg0<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
<br />
[root@pktcap28 ~]# route -nv<br />
Kernel IP routing table<br />
Destination Gateway Genmask Flags Metric Ref Use Iface<br />
0.0.0.0 172.29.1.1 0.0.0.0 UG 0 0 0 lan0<br />
10.55.55.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0<br />
172.29.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan0<br />
<br />
===== Client Side (macOS - Using brew) =====<br />
Use the "'''wg-quick'''" command to '''bring up''' the WireGuard VPN on the Client side (macOS - Using brew) for the '''utun2''' interface:<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ wg-quick up /usr/local/etc/wireguard/utun2.conf<br />
[#] wireguard-go utun<br />
INFO: (utun2) 2020/12/17 09:50:33 Starting wireguard-go version 0.0.20201118<br />
[+] Interface for utun2 is utun2<br />
[#] wg setconf utun2 /dev/fd/63<br />
[#] ifconfig utun2 inet 10.55.55.101/32 10.55.55.101 alias<br />
[#] ifconfig utun2 up<br />
[#] route -q -n add -inet 10.55.55.0/24 -interface utun2<br />
[+] Backgrounding route monitor<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ ifconfig -v utun2<br />
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420 index 14<br />
eflags=1002080<TXSTART,NOAUTOIPV6LL,ECN_ENABLE><br />
xflags=4<NOAUTONX><br />
inet 10.55.55.101 --> 10.55.55.101 netmask 0xffffffff <br />
state availability: 0 (true)<br />
scheduler: FQ_CODEL <br />
qosmarking enabled: no mode: none<br />
low power mode: disabled<br />
multi layer packet logging (mpklog): disabled<br />
routermode4: disabled<br />
routermode6: disabled<br />
<br />
iMac27RWH-2020:wireguard rwhalb$ sudo wg show utun2<br />
interface: utun2<br />
public key: ZjnnAQ4XqZ3itiUj8iOIR82izJIxroq1HAUloeVikEs=<br />
private key: (hidden)<br />
listening port: 62149<br />
<br />
peer: sQh3WmtzyFuAOzLfKVwonVy1rpQLlnOWCCEIoLAAzy0=<br />
endpoint: 136.56.0.244:51823<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 1 minute, 45 seconds ago<br />
transfer: 184 B received, 712 B sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== WireGuard VPN Access ====<br />
After the WireGuard VPN has been established, we will now show two (2) network commands (i.e., '''ping''' and '''SSH''') for exercising the VPN:<br />
<br />
1) Ping the Server ('''10.55.55.1''') from the Client ('''10.55.55.2'''):<br />
[root@pktcap28 ~]# ping -nv -c 3 10.55.55.1<br />
PING 10.55.55.1 (10.55.55.1) 56(84) bytes of data.<br />
64 bytes from 10.55.55.1: icmp_seq=1 ttl=64 time=41.0 ms<br />
64 bytes from 10.55.55.1: icmp_seq=2 ttl=64 time=38.3 ms<br />
64 bytes from 10.55.55.1: icmp_seq=3 ttl=64 time=37.8 ms<br />
<br />
--- 10.55.55.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 37.802/39.072/41.085/1.457 ms<br />
<br />
2) SSH from Server ('''10.55.55.1''') to the Client ('''10.55.55.2'''):<br />
[root@shopper2 ~]# ssh root@10.55.55.2<br />
root@10.55.55.2's password: <br />
Activate the web console with: systemctl enable --now cockpit.socket<br />
<br />
<br />
===========================================<br />
= Linux Network Security Toolkit (NST 28) =<br />
===========================================<br />
<br />
Last login: Wed Nov 21 16:38:18 2018 from 10.55.55.1<br />
<br />
[root@pktcap28 ~]# ip a<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
inet 127.0.0.1/8 scope host lo<br />
valid_lft forever preferred_lft forever<br />
inet6 ::1/128 scope host <br />
valid_lft forever preferred_lft forever<br />
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br />
link/ether 00:15:17:d9:d2:62 brd ff:ff:ff:ff:ff:ff<br />
inet 172.29.1.15/24 brd 172.29.1.255 scope global lan0<br />
valid_lft forever preferred_lft forever<br />
inet6 fe80::215:17ff:fed9:d262/64 scope link <br />
valid_lft forever preferred_lft forever<br />
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000<br />
link/none <br />
inet 10.55.55.2/32 scope global wg0<br />
valid_lft forever preferred_lft forever<br />
[root@pktcap28 ~]# exit<br />
logout<br />
Connection to 10.55.55.2 closed.<br />
[root@shopper2 ~]#<br />
<br />
==== WireGuard VPN Status ==== <br />
Server side VPN '''status''' using the "'''wg'''" command:<br />
[root@shopper2 ~]# wg show wg0<br />
interface: wg0<br />
public key: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
endpoint: 14.41.111.122:38964<br />
allowed ips: 10.55.55.2/32<br />
latest handshake: 1 minute, 57 seconds ago<br />
transfer: 9.59 KiB received, 7.27 KiB sent<br />
<br />
Client side VPN '''status''' using the "'''wg'''" command:<br />
[root@pktcap28 ~]# wg show wg0<br />
interface: wg0<br />
public key: dpjaO4NEAtZHPQQTiOzsHmGbjhhGP79A+zUx8Sn36Gs=<br />
private key: (hidden)<br />
listening port: 38964<br />
<br />
peer: vuNE5UkvftZFNv1F5YY+DLPu+YH/69WB9UtTaazC53s=<br />
endpoint: 102.5.221.22:51820<br />
allowed ips: 10.55.55.0/24<br />
latest handshake: 58 seconds ago<br />
transfer: 860 B received, 4.92 KiB sent<br />
persistent keepalive: every 21 seconds<br />
<br />
==== Tear Down WireGuard VPN ====<br />
Client side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@pktcap28 wireguard]# wg-quick down wg0<br />
[#] ip link delete dev wg0<br />
<br />
Server side '''tear down''' the VPN using the "'''wg-quick'''" command:<br />
[root@shopper2 ~]# wg-quick down wg0<br />
[#] wg showconf wg0<br />
[#] ip link delete dev wg0<br />
<br />
==== WireGuard VPN Automation ====<br />
The WireGuard package includes a '''[https://en.wikipedia.org/wiki/Systemd systemd]''' template unit that automates starting the VPN when an NST system boots.<br />
<br />
On Server side:<br />
[root@shopper2 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
On Client side:<br />
[root@pktcap28 ~]# systemctl enable wg-quick@wg0.service;<br />
<br />
== Server With Multiple Clients/Peers ==<br />
<br />
It is possible to have multiple client (peer) connections to the same server interface (''wg0'' for example). In order to accomplish this, you will need to:<br />
<br />
* Create a unique private/public key for each client (peer).<br />
* Add multiple ''[Peer]'' sections to the ''wg0.conf'' file.<br />
* Make sure that the ''AllowedIPs'' settings of the peer entries do not overlap.<br />
<br />
The following sections provide details on a configuration where the server has an IPv4 address of ''10.55.55.1'' associated with the ''wg0'' interface and allows 3 clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12''). Do NOT use these configurations verbatim; they are only examples.<br />
<br />
* The ''Endpoint'' parameter must be changed from ''wg.networksecuritytoolkit.org:51820'' to the address associated with your server (this typically involves opening a UDP hole in your firewall).<br />
* It is recommended that you choose a network range other than 10.55.55.0/24 (something different than this public example).<br />
* It is recommended to use a port other than ''51820'' (something different than this public example).<br />
* It is highly recommended that you generate your own server and client private/public key pairs.<br />
<br />
=== Server Configuration (10.55.55.1) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration would set the server's IPv4 address to ''10.55.55.1'' and allow 3 simultaneous clients (''10.55.55.10'', ''10.55.55.11'' and ''10.55.55.12'').<br />
<br />
[Interface]<br />
Address = 10.55.55.1/24<br />
SaveConfig = true<br />
ListenPort = 51820<br />
PrivateKey = 8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=<br />
<br />
[Peer]<br />
PublicKey = +iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=<br />
AllowedIPs = 10.55.55.10/32<br />
<br />
[Peer]<br />
PublicKey = WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=<br />
AllowedIPs = 10.55.55.11/32<br />
<br />
[Peer]<br />
PublicKey = 0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=<br />
AllowedIPs = 10.55.55.12/32<br />
<br />
=== Client/Peer Configuration (10.55.55.10) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.10'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.10/32<br />
PrivateKey = 0AgVt/rqnZ1sRW9WC3WSGmIL1KNUK8rGDa5z8/kJWF0=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.11) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.11'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.11/32<br />
PrivateKey = cAvz+CMRpnZMyo5CmXz1ajmejZWoDgGmiTqihTd8w14=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
<br />
=== Client/Peer Configuration (10.55.55.12) ===<br />
<br />
The following ''/etc/wireguard/wg0.conf'' configuration could be used on the ''10.55.55.12'' client.<br />
<br />
[Interface]<br />
Address = 10.55.55.12/32<br />
PrivateKey = UDnwlbOGrNYoWaNP96XrdWDqQRJecKx7u6IXfevrXX8=<br />
<br />
[Peer]<br />
PublicKey = D/bPyrsEZIoDUn/JUsj+obJwU/8uo0YACL8TLnj+FFQ=<br />
Endpoint = wg.networksecuritytoolkit.org:51820<br />
AllowedIPs = 10.55.55.0/24<br />
PersistentKeepalive = 21<br />
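The multi-peer rules above (a unique key per peer, one ''[Peer]'' section per client, non-overlapping ''AllowedIPs'', and no reuse of the public example values) can be checked mechanically before a server file is deployed. The following Python script is an added example and is not code from the NST wiki or the WireGuard project; the ''BAD_CONF'' sample, its angle-bracket placeholder keys, the ''10.77.0.0/24'' range and port ''41194'' are constructed here, while the published example keys, range and port are those shown in the configurations above.<br />

```python
"""Sanity-check a server-side wg0.conf that carries several [Peer] sections.
Added example, not code from the NST wiki or the WireGuard project; the
published example keys, range and port below are copied from the wiki page.
"""
import ipaddress

PUBLISHED_EXAMPLE_KEYS = {  # keys printed in the wiki's example configuration
    "8PZqxsTOqzmTbr324kQUnZFuBQDFY2QFeXOwUu3GhUM=",  # example server PrivateKey
    "+iX/FDcPA4+mOFXb4ZMmlMX9GYuF9lqcE/fmnMTcgmI=",  # example peer 10.55.55.10
    "WCSZPxwWcnsPwK3H2YuYlGKpO8AlWvxTCHTRdCz/Zmw=",  # example peer 10.55.55.11
    "0Hb8+a3F2C3SktCdt3XyCN466szWvXS/R+2S1l/BsU8=",  # example peer 10.55.55.12
}
EXAMPLE_NETWORK = ipaddress.ip_network("10.55.55.0/24")
EXAMPLE_PORT = 51820


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); keys are lower-cased."""
    # configparser is unsuitable: the server file repeats [Peer] once per client.
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            # Split on the first '=' only: base64 keys end with '='.
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers


def check_server_conf(text):
    """Return a list of findings; an empty list means the file passes."""
    interface, peers = parse_wg_conf(text)
    findings = []
    tunnel = ipaddress.ip_interface(interface["address"]).network
    if tunnel == EXAMPLE_NETWORK:
        findings.append(f"tunnel range {tunnel} is the wiki's public example")
    if int(interface.get("listenport", 0)) == EXAMPLE_PORT:
        findings.append(f"ListenPort {EXAMPLE_PORT} is the wiki's public example")
    if interface.get("privatekey") in PUBLISHED_EXAMPLE_KEYS:
        findings.append("[Interface] PrivateKey is a published example key")

    seen, claimed = {}, []  # pubkey -> peer index, [(peer index, network)]
    for idx, peer in enumerate(peers, start=1):
        key = peer.get("publickey", "")
        if not key:
            findings.append(f"peer {idx} has no PublicKey")
        elif key in seen:
            findings.append(f"peer {idx} reuses the PublicKey of peer {seen[key]}")
        else:
            seen[key] = idx
        if key in PUBLISHED_EXAMPLE_KEYS:
            findings.append(f"peer {idx} PublicKey is a published example key")
        for cidr in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            # WireGuard routes by AllowedIPs (cryptokey routing), so two peers
            # claiming the same address cannot both receive traffic for it.
            for other_idx, other in claimed:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {idx} AllowedIPs {net} overlaps peer {other_idx} ({other})")
            if net.version != tunnel.version or not net.subnet_of(tunnel):
                findings.append(f"peer {idx} AllowedIPs {net} lies outside the tunnel range {tunnel}")
            claimed.append((idx, net))
    return findings


# Constructed bad sample (placeholder keys, made-up 10.77.0.0/24 range): peer 2's
# /25 swallows peer 1, and peer 3 reuses peer 1's key and claims a foreign range.
BAD_CONF = """\
[Interface]
Address = 10.77.0.1/24
ListenPort = 41194
PrivateKey = <SERVER-PRIVATE-KEY-PLACEHOLDER>
[Peer]
PublicKey = <PEER-A-PUBLIC-KEY-PLACEHOLDER>
AllowedIPs = 10.77.0.10/32
[Peer]
PublicKey = <PEER-B-PUBLIC-KEY-PLACEHOLDER>
AllowedIPs = 10.77.0.0/25
[Peer]
PublicKey = <PEER-A-PUBLIC-KEY-PLACEHOLDER>
AllowedIPs = 192.168.1.0/24
"""

if __name__ == "__main__":
    for finding in check_server_conf(BAD_CONF) or ["no findings"]:
        print("-", finding)
```

Run against the server file shown above, the script reports the example range, port and all four published keys; a file that passes with no findings still needs its ''Endpoint'' reachable through the firewall, which the script cannot check.<br />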
<br />
== Manual Wireguard DKMS Build and Install ==<br />
[[File:Thunderbolt.png|frame|left|'''[[Feature Release Symbol | <center>NST 34<br /> SVN: 10606</center>]]''']]Wireguard is now a prebuilt kernel module with NST 34 and above. These DKMS steps are no longer needed.<br />
<br />
Use the following command to '''build''' a WireGuard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for WireGuard version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
<br />
[root@vortex nst28]# dkms build -m wireguard -v 0.0.20190123;<br />
<br />
Creating symlink /var/lib/dkms/wireguard/0.0.20190123/source -><br />
/usr/src/wireguard-0.0.20190123<br />
<br />
DKMS: add completed.<br />
<br />
Kernel preparation unnecessary for this kernel. Skipping...<br />
<br />
Building module:<br />
cleaning build area...<br />
make -j8 KERNELRELEASE=4.19.16-200.fc28.x86_64 -C /lib/modules/4.19.16-200.fc28.x86_64/build M=/var/lib/dkms/wireguard/0.0.20190123/build....<br />
cleaning build area...<br />
<br />
DKMS: build completed.<br />
<br />
Use the following command to '''install''' a WireGuard '''dkms''' kernel module: <br />
<br />
[root@vortex nst28]# dkms install -m wireguard -v 0.0.20190123;<br />
<br />
wireguard.ko.xz:<br />
Running module version sanity check.<br />
- Original module<br />
- No original module exists within this kernel<br />
- Installation<br />
- Installing to /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
Adding any weak-modules<br />
<br />
depmod....<br />
<br />
DKMS: install completed.<br />
<br />
== Manual Wireguard DKMS Module Verification ==<br />
Use the following commands to '''verify''' a WireGuard '''dkms''' kernel module was built and installed:<br />
<br />
[root@vortex nst28]# dkms status -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64<br />
wireguard, 0.0.20190123, 4.19.16-200.fc28.x86_64, x86_64: installed<br />
<br />
--Or--<br />
<br />
[root@vortex nst28]# find /lib/modules -name wireguard*<br />
/lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
<br />
== Manual Wireguard DKMS Module Information ==<br />
Use the following command to '''view''' WireGuard module information:<br />
<br />
[root@vortex nst28]# modinfo /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
filename: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/wireguard.ko.xz<br />
alias: net-pf-16-proto-16-family-wireguard<br />
alias: rtnl-link-wireguard<br />
version: 0.0.20190123<br />
author: Jason A. Donenfeld <Jason@zx2c4.com><br />
description: WireGuard secure network tunnel<br />
license: GPL v2<br />
srcversion: E44DD24D14B1F49C0DD6610<br />
depends: udp_tunnel,ip6_udp_tunnel<br />
retpoline: Y<br />
name: wireguard<br />
vermagic: 4.19.16-200.fc28.x86_64 SMP mod_unload<br />
<br />
== Manual Wireguard DKMS Module Remove ==<br />
Use the following command to remove a wireguard '''[https://en.wikipedia.org/wiki/Dynamic_Kernel_Module_Support dkms]''' kernel module. This example is for version: "'''0.0.20190123'''" and kernel: '''4.19.16-200.fc28.x86_64'''.<br />
[root@vortex nst28]# dkms remove -m wireguard -v 0.0.20190123 -k 4.19.16-200.fc28.x86_64;<br />
<br />
-------- Uninstall Beginning --------<br />
Module: wireguard<br />
Version: 0.0.20190123<br />
Kernel: 4.19.16-200.fc28.x86_64 (x86_64)<br />
-------------------------------------<br />
<br />
Status: Before uninstall, this module version was ACTIVE on this kernel.<br />
Removing any linked weak-modules<br />
<br />
wireguard.ko.xz:<br />
- Uninstallation<br />
- Deleting from: /lib/modules/4.19.16-200.fc28.x86_64/kernel/net/<br />
rmdir: failed to remove 'kernel/net': Directory not empty<br />
- Original module<br />
- No original module was found for this module on this kernel.<br />
- Use the dkms install command to reinstall any previous module version.<br />
<br />
depmod....<br />
<br />
DKMS: uninstall completed.<br />
<br />
------------------------------<br />
Deleting module version: 0.0.20190123<br />
completely from the DKMS tree.<br />
------------------------------<br />
Done.<br />
<br />
= WireGuard Client Setup Example For Windows =<br />
<br />
The '''[https://www.ivpn.net/ IVPN]''' site has a nice '''[https://www.ivpn.net/setup/windows-10-wireguard.html Windows WireGuard Client Setup Example]''' that can be manually entered.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9722NST WUI Browser Support2022-01-29T13:27:02Z<p>Rwh: /* Chrome */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>endless</u> testing for supporting these browsers have been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section will describe various browser <u>optional</u> <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' or can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Installation ==<br />
Google Chrome will have to be installed manually on NST.<br />
dnf install google-chrome-beta;<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a way, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the Chrome browser (i.e., > v79.x) one can hide both the horizontal and vertical scroll bars using the following startup options on the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup, the cause may be the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
Reference information for Secure Shell is available in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu, which contains an Options entry.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the web-based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended; each adds the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an extensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to a '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This expected message is shown because an encrypted '''https''' connection is used when communicating with the '''NST''' probe. One should select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended; each adds the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9721NST WUI Browser Support2021-12-31T01:39:02Z<p>Rwh: /* Invisible Scroll Bars (Chrome 97.x.x.x or Above) */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>endless</u> testing for supporting these browsers has been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section will describe various browser <u>optional</u> <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''' or can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The chrome browser offers a means regardless of Operating System (OS) to make both the horizontal and vertical scroll bars hidden. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the chrome browser hangs on startup it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
The Secure Shell has a reference information in the FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right clicking the terminal to bring up a context menu. Under that there is an options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - - This setting must be <u>enabled</u> in to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and will add the following functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer] - Adds an amazing set of web developers tools to the browser. <br />
'''<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to a '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This expected message is shown because an encrypted '''https''' connection is used when communicating with the '''NST''' probe. One should select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and will add the following functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following can be done to enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging''' - '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation. This is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9720NST WUI Browser Support2021-12-31T00:50:55Z<p>Rwh: /* Invisible Scroll Bars (Chrome 97.x.x.x or Above) */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>extensive</u> testing for supporting these browsers have been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section describes the browser <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''', as well as the optional ones that can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the "'''Overlay Scrollbars'''" entry and choose the '''Enabled''' setting. ''Relaunch'' the browser and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a means, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service (note that with the basic password store, any passwords saved in the browser are no longer protected by the keyring, so avoid saving credentials in the browser when running with this option):<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
The Secure Shell extension has reference information in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu, which contains an options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Color-codes browser tabs as a visual aid to tab browsing.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Adds zoom functionality for images within the browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Adds full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - Validates page source against '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' compliance standards.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an extensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to an '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This message is expected: an encrypted '''https''' connection is used when communicating with the '''NST''' probe, and the certificate the probe presents is not issued by a certificate authority that the browser trusts. After confirming that you are connecting to the expected probe, select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following steps enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging'''. '''JScript''' is '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation, analogous to the '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation in '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]'''.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9719NST WUI Browser Support2021-12-31T00:50:08Z<p>Rwh: /* Invisible Scroll Bars (Chrome 97.x.x.x or Above) */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>extensive</u> testing for supporting these browsers have been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section describes the browser <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''', as well as the optional ones that can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar. Go to the '''Overlay Scrollbars''' entry and choose the '''Enabled''' setting. ''Relaunch'' the browser and the scroll bars should now be invisible.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a means, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the chrome browser (i.e., > v79.x) one can make both the horizontal and vertical scroll bars hidden using the following startup options for the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service (note that with the basic password store, any passwords saved in the browser are no longer protected by the keyring, so avoid saving credentials in the browser when running with this option):<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
The Secure Shell extension has reference information in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu, which contains an options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Color-codes browser tabs as a visual aid to tab browsing.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Adds zoom functionality for images within the browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Adds full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - Validates page source against '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' compliance standards.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an extensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to an '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This message is expected: an encrypted '''https''' connection is used when communicating with the '''NST''' probe, and the certificate the probe presents is not issued by a certificate authority that the browser trusts. After confirming that you are connecting to the expected probe, select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and add the functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following steps enable "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" '''debugging'''. '''JScript''' is '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation, analogous to the '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation in '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]'''.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9718NST WUI Browser Support2021-12-31T00:47:12Z<p>Rwh: /* Invisible Scroll Bars (Chrome 97.x.x.x or Above) */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>extensive</u> testing for supporting these browsers have been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section describes the browser <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are '''required''', as well as the optional ones that can be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
= Fixed Font Browser Setting =<br />
<br />
Use the following fixed font families for the fixed width setting in your browser for best results when viewing the '''NST WUI Console''' output. The fixed font family to use for each Operating System is shown and is browser independent:<br />
<br />
<center><br />
{| border="1" cellspacing="0" cellpadding="2"<br />
! align="center" style="background-color: lightgray;" |Mac OS X<br />
! align="center" style="background-color: lightgray;" |Linux<br />
! align="center" style="background-color: lightgray;" |Chrome OS<br />
! align="center" style="background-color: lightgray;" |Windows<br />
|-<br />
|Menlo<br />
|Monospace<br />
|DejaVu Sans Mono <br />
|Consolas<br />
|-<br />
|}<br />
</center><br />
<br />
= Chrome =<br />
<br />
== Version ==<br />
<br />
To get the current '''Version''' information for your Chrome Web browser type: "'''chrome://version'''" in the '''URL Address''' bar.<br />
<br />
== Configuration (Flags) ==<br />
<br />
To get the current '''Configuration (Flags)''' information for your Chrome Web browser type: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 97.x.x.x or Above) ==<br />
Go to the '''Configuration (Flags)''' page for your Chrome Web browser by typing: "'''chrome://flags'''" in the '''URL Address''' bar.<br />
<br />
== Invisible Scroll Bars (Chrome 96.x.x.x or Below) ==<br />
The Chrome browser offers a means, regardless of Operating System (OS), to hide both the horizontal and vertical scroll bars. Use this configuration flag: "'''chrome://flags/#overlay-scrollbars'''" and "'''Enable'''" the feature.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may also want to set the "'''Scroll Bar Visibility Determination'''" option to "'''Force Always Off'''" on the "'''Global / Session Configuration Management'''" page, section: "'''DOM Session Configuration'''" to better position the Font Controls within an NST Shell Console window. This page can be located within the NST WUI menu: "'''System'''" -> "'''Configuration'''" -> "'''Global/System'''". </div></div><br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' In newer versions of the Chrome browser (i.e., > v79.x) one can hide both the horizontal and vertical scroll bars using the following startup options on the '''Linux''' platform:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --enable-features=OverlayScrollbar,OverlayScrollbarFlashAfterAnyScrollUpdate,OverlayScrollbarFlashWhenMouseEnter;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
</div></div><br />
<br />
== Gnome Keyring Issue ==<br />
If the Chrome browser hangs on startup, it may be related to the "'''Gnome Keyring'''" service. One can use this command line option to disable the use of this keyring service:<br />
<br />
<div class="screen"><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span><span class="noWrap">/usr/bin/google-chrome --password-store=basic;</span></div><br />
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div><br />
</div><br />
<br />
== About ==<br />
<br />
To get the '''About''' information for your Chrome Web browser type: "'''chrome://chrome'''" in the '''URL Address''' bar.<br />
<br />
<div class="centerBlock"><div class="noteMessage">'''Note:''' To see all available "'''About'''" pages on your Chrome Web Browser type: "'''about:about'''" in the '''URL Address''' bar.</div></div><br />
<br />
== Secure Shell ==<br />
NST has added support for the Chrome extension: "'''[https://chrome.google.com/webstore/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd Secure Shell]'''". Add this extension for '''[https://en.wikipedia.org/wiki/SSH_(Secure_Shell) SSH]''' access using the Chrome browser.<br />
<br />
=== Secure Shell FAQ ===<br />
The Secure Shell extension has reference information in its FAQ: '''[https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/FAQ.md Secure Shell Reference]'''<br />
<br />
=== Context Menu - Options Panel ===<br />
You can also hold Ctrl while right-clicking the terminal to bring up a context menu, which contains an Options menu.<br />
<br />
==== Clear Known Hosts ====<br />
In the Options menu on the left hand side one can use the "'''SSH Files'''" tab to clear one or all '''Known Hosts''' from the "'''~/.ssh/known_hosts'''" file.<br />
<br />
= Firefox =<br />
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" must be enabled for the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Content'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Options'''" or "'''Preferences'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - This setting must be <u>enabled</u> to support some of the Web based applications available on the '''NST''' ('''VNC''' in a browser in particular). The setting is found in the "'''Content'''" section.<br />
<br />
* '''Tab Browsing''' - New pages should open up in a new "'''Tab'''". The setting is found in the "'''Tab'''" section.<br />
<br />
== Plugins ==<br />
These plugins are recommended and will add the following functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Add-Ons ==<br />
<br />
Below is a list of <u>add-ons</u> that are recommended to install with the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' web browser to <u>enhance</u> the end-user's or developer's experience when working within the '''NST WUI'''.<br />
<br />
<u>'''Users:'''</u><br />
* '''[http://home.etu.unige.ch/~robin0/LongTitles_en.html Long Titles]''' - Allows for long 'tooltip' descriptions. Useful for '''NST WUI''' help information.<br />
* '''[http://varun21.googlepages.com/main.html Colorful Tabs]''' - Tab browsing color enhancement visual.<br />
* '''[http://imagezoom.yellowgorilla.net/ Image Zoom]''' - Add zoom functionality on images within browser.<br />
* '''[http://www.krickelkrackel.de/autohide/ Autohide]''' - Add full-screen kiosk capability for increased screen real estate.<br />
* '''[http://quickaddons.fastspace.biz/ QuickRestart]''' - Adds a convenient "'''Restart Firefox'''" menu item.<br />
* '''[http://dictionarysearch.mozdev.org/ Dictionary Search]''' - Excellent on-line dictionary '''word''' lookup.<br />
<br />
<u>'''Developers:'''</u><br />
* '''[http://users.skynet.be/mgueury/mozilla/ HTML Validator]''' - '''[http://tidy.sourceforge.net/ Tidy]''' and '''[http://www.w3.org/ W3C]''' source page compliant validation tool.<br />
* '''[http://chrispederick.com/work/webdeveloper/ Web Developer]''' - Adds an extensive set of web developer tools to the browser.<br />
<br />
= IE =<br />
<br />
== Certificate Error ==<br />
<br />
When connecting to an '''NST''' probe, '''IE''' will display a page similar to that shown below:<br />
<br />
[[Image:IE_certificate_error.png]]<br />
<br />
This message is expected: the '''NST''' probe serves the '''NST WUI''' over an encrypted '''https''' connection, and '''IE''' reports a certificate error because it cannot verify the probe's certificate. One should select the "'''Continue to this website (not recommended)'''" link to continue to the '''NST WUI'''.<br />
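Before selecting that link, the check a practitioner wants is that the certificate the browser is about to accept is the one the probe actually serves: compare the fingerprint shown in the browser's certificate details (IE labels it "Thumbprint", typically computed with SHA-1) with the fingerprint of the probe's certificate file. The following POSIX shell functions are added here as an example; they are not part of the NST wiki page or of NST itself. They rely on the openssl command-line tool, and the location of the probe's certificate file is not given on this page, so the path is an assumption supplied by the caller.<br />

```shell
#!/bin/sh
# Added example (not from the NST wiki or the NST project): compute the
# fingerprint of an X.509 certificate so it can be compared with the value
# the browser shows in its certificate-error details before the connection
# is accepted. Assumes the openssl command-line tool is installed. The path
# of the probe's certificate file is an assumption supplied by the caller.

# Print the fingerprint of the PEM certificate $1 with digest $2 (default
# sha256; use sha1 for dialogs that show a SHA-1 thumbprint) as
# colon-separated upper-case hex. Prints nothing if the file cannot be read
# or is not a certificate.
cert_fingerprint() {
    digest="${2:-sha256}"
    openssl x509 -in "$1" -noout -fingerprint "-$digest" 2>/dev/null \
        | sed 's/^.*Fingerprint=//'
}

# Return 0 when fingerprint $2, as copied from the browser dialog (any
# letter case, with or without colon or space separators), matches
# certificate file $1 under digest $3 (default sha256).
cert_fingerprint_matches() {
    expected="$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')"
    actual="$(cert_fingerprint "$1" "${3:-sha256}" | tr -d ':')"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Stand-alone use: cert_fingerprint /path/to/probe-cert.pem   (path assumed)
```

Run the functions on a copy of the probe's certificate file and compare the printed value with the browser dialog; a mismatch means the browser is not talking to the certificate you expected, and the link should not be followed until the cause is understood.<br />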
<br />
== Settings ==<br />
<br />
<u>'''Required:'''</u><br />
<br />
The following "'''Internet Options'''" must be enabled for the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser in order to <u>achieve</u> the desired results when using this browser with the '''NST WUI'''.<br />
<br />
* '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' - This setting must be <u>enabled</u>. The setting is found in the "'''Security'''" section.<br />
<br />
<u>'''Recommended:'''</u><br />
<br />
The following "'''Internet Options'''" are recommended.<br />
<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
* '''Tab Browsing Settings''' - Always open pop-ups in a new "'''Tab'''". The setting is found in the "'''General Tabs Settings'''" section.<br />
<br />
<br />
== Plugins ==<br />
These plugins are recommended and will add the following functionality listed below:<br />
<br />
* '''[http://www.adobe.com/products/acrobat/readstep2.html Adobe Reader]''' - Adds an in-line '''PDF''' reader within the browser page to render generated '''PDF''' output from the '''NST WUI'''.<br />
* '''[http://java.sun.com Java]''' - Adds an in-line "'''Java Virtual Machine'''" for interpreting "'''Java-Based'''" applications - Example use: "'''NST WUI VNC Virtual Desktop'''".<br />
<br />
<br />
== Developer ==<br />
<br />
=== Enable JScript Debugging For IE ===<br />
<br />
The following steps enable '''debugging''' of "'''[http://en.wikipedia.org/wiki/JScript JScript]'''", '''[http://en.wikipedia.org/wiki/Microsoft Microsoft's]''' '''[http://en.wikipedia.org/wiki/ECMAScript ECMAScript]''' implementation, which is analogous to the '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' implementation.<br />
<br />
First enable "'''script'''" debugging on the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' browser. This is found within the "'''Advanced'''" tab on the "'''Internet Options'''" window. Un-check the box next to: "'''Disable script debugging (Internet Explorer)'''".<br />
<br />
Next download the [http://www.microsoft.com/downloads/details.aspx?FamilyID=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en Microsoft Script Debugger for Windows]. This tool is relatively <u>small</u> in size and can be quite useful for debugging "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" client side code.<br />
<br />
Finally the '''[http://www.microsoft.com/windows/products/winfamily/ie/default.mspx Microsoft Windows Internet Explorer (IE)]''' web browser will need to be <u>restarted</u>. A new menu item for script debugging will appear under the "'''View'''" menu. If a "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" error occurs the debugger will be automatically invoked. One can also set "'''breakpoints'''" to invoke the debugger at a specific location within the "'''[http://en.wikipedia.org/wiki/JScript JScript]'''" code.<br />
<br />
=== Add A Developer Toolbar For IE ===<br />
<br />
The '''[http://www.microsoft.com/downloads/details.aspx?familyid=E59C3964-672D-4511-BB3E-2D5E1DB91038&displaylang=en Microsoft Windows Internet Explorer (IE) Developer Toolbar]''' provides a variety of tools for quickly creating, understanding, and troubleshooting Web pages.</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=NST_WUI_Browser_Support&diff=9717NST WUI Browser Support2021-12-31T00:44:47Z<p>Rwh: /* Invisible Scroll Bars */</p>
<hr />
<div>= Overview =<br />
<br />
The '''NST WUI''' supports the latest '''[http://chrome.google.com Google Chrome]''', '''[http://www.mozilla.com/en-US/firefox/ Mozilla Firefox]''' and '''[http://www.apple.com/safari/ Apple Safari]''' web browsers as well as the '''[https://en.wikipedia.org/wiki/Internet_Explorer Microsoft Windows Internet Explorer (IE)]''' (Version: '''11''' or greater) and '''[https://en.wikipedia.org/wiki/Microsoft_Edge Edge]''' web browsers. Special consideration and <u>endless</u> testing for supporting these browsers has been <u>maintained</u> by the authors.<br />
<br />
For browser support with a mobile touch device see the page: '''[[HowTo_Use_A_Touch_Device_(iPad)_with_NST | HowTo Use a Touch Device (iPad) with NST]]'''.<br />
<br />
The '''[http://chrome.google.com Google Chrome]''' browser renders pages most quickly due to the performance increases made to its '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' engine. <br />
<br />
The '''NST WUI''' is '''[http://en.wikipedia.org/wiki/JavaScript JavaScript]''' intensive and makes <u>heavy</u> use of "'''Tab''' '''Browsing'''" to support a wide variety of rendered visual results and enhanced navigational flow. This section describes the browser <u>settings</u>, <u>plugins</u> and <u>add-ons</u> that are either '''required''' or can optionally be used to '''improve''' the experience and/or development with the '''NST WUI'''.<br />
<br />
</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Adjust_The_Keyboard_Backlight_Brightness_On_A_Laptop_In_Console_Mode_Using_The_Command_Line&diff=9716HowTo Adjust The Keyboard Backlight Brightness On A Laptop In Console Mode Using The Command Line2021-09-22T00:56:30Z<p>Rwh: /* Adjust The Keyboard Backlight Brightness Using the Command Line */</p>
<hr />
<div>__TOC__<br />
= Overview =<br />
This page demonstrates how one can adjust the keyboard backlight brightness on a laptop computer running NST using the command line. It may be desirable to set the brightness to the lowest possible value to extend the time that an NST server can run on battery power.<br />
<br />
= Adjust The Keyboard Backlight Brightness Using the Command Line =<br />
The backlight brightness settings can be found and controlled through the '''[https://en.wikipedia.org/wiki/Sysfs sysfs]''' pseudo file system provided by the Linux kernel. First, the keyboard backlight directory needs to be discovered, since its name depends on the laptop manufacturer. Listing the following directory will help determine the location. The following output is from NST running on a '''Dell 7480''' laptop.<br />
[root@dell7480 ~]# ls -al /sys/class/leds/<br />
total 0<br />
drwxr-xr-x 2 root root 0 Sep 21 05:22 .<br />
drwxr-xr-x 77 root root 0 Sep 21 05:22 ..<br />
lrwxrwxrwx 1 root root 0 Sep 21 09:22 dell::kbd_backlight -> ../../devices/platform/dell-laptop/leds/dell::kbd_backlight<br />
lrwxrwxrwx 1 root root 0 Sep 21 05:22 input4::capslock -> ../../devices/platform/i8042/serio0/input/input4/input4::capslock<br />
lrwxrwxrwx 1 root root 0 Sep 21 05:22 input4::numlock -> ../../devices/platform/i8042/serio0/input/input4/input4::numlock<br />
lrwxrwxrwx 1 root root 0 Sep 21 05:22 input4::scrolllock -> ../../devices/platform/i8042/serio0/input/input4/input4::scrolllock<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:24 phy0-led -> ../../devices/pci0000:00/0000:00:1c.2/0000:02:00.0/leds/phy0-led<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:24 platform::micmute -> ../../devices/platform/dell-laptop/leds/platform::micmute<br />
[root@dell7480 ~]# <br />
<br />
From above, directory "'''/sys/class/leds/dell::kbd_backlight'''" contains the keyboard backlight brightness settings for the Dell laptop.<br />
[root@dell7480 ~]# ls -al /sys/class/leds/dell::kbd_backlight/<br />
total 0<br />
drwxr-xr-x 3 root root 0 Sep 21 09:22 .<br />
drwxr-xr-x 4 root root 0 Sep 21 09:22 ..<br />
-rw-r--r-- 1 root root 4096 Sep 21 09:22 brightness<br />
-r--r--r-- 1 root root 4096 Sep 21 09:22 brightness_hw_changed<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:35 device -> ../../../dell-laptop<br />
-r--r--r-- 1 root root 4096 Sep 21 09:22 max_brightness<br />
drwxr-xr-x 2 root root 0 Sep 21 20:35 power<br />
-rw-r--r-- 1 root root 4096 Sep 21 20:35 start_triggers<br />
-rw-r--r-- 1 root root 4096 Sep 21 20:35 stop_timeout<br />
lrwxrwxrwx 1 root root 0 Sep 21 09:22 subsystem -> ../../../../../class/leds<br />
-rw-r--r-- 1 root root 0 Sep 21 20:35 trigger<br />
-rw-r--r-- 1 root root 4096 Sep 21 09:22 uevent<br />
[root@dell7480 ~]#<br />
<br />
The following output is from NST running on an '''Apple MacBook Pro model: A1502, EMC 2835''' laptop.<br />
[root@nst34-mbp ~]# ls -al /sys/class/leds/<br />
total 0<br />
drwxr-xr-x 2 root root 0 Sep 21 08:32 .<br />
drwxr-xr-x 75 root root 0 Sep 21 08:32 ..<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input4::capslock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:05AC:8290.0001/input/input4/input4::capslock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input4::numlock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:05AC:8290.0001/input/input4/input4::numlock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input4::scrolllock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:05AC:8290.0001/input/input4/input4::scrolllock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::capslock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::capslock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::compose -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::compose<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::kana -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::kana<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::numlock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::numlock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::scrolllock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::scrolllock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 smc::kbd_backlight -> ../../devices/platform/applesmc.768/leds/smc::kbd_backlight<br />
[root@nst34-mbp ~]#<br />
<br />
From above, directory "'''/sys/class/leds/smc::kbd_backlight'''" contains the keyboard backlight brightness settings for the Apple MacBook Pro.<br />
[root@nst34-mbp ~]# ls -al /sys/class/leds/smc::kbd_backlight/<br />
total 0<br />
drwxr-xr-x 3 root root 0 Sep 21 08:32 .<br />
drwxr-xr-x 3 root root 0 Sep 21 08:32 ..<br />
-rw-r--r-- 1 root root 4096 Sep 21 13:24 brightness<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:22 device -> ../../../applesmc.768<br />
-r--r--r-- 1 root root 4096 Sep 21 08:32 max_brightness<br />
drwxr-xr-x 2 root root 0 Sep 21 20:22 power<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 subsystem -> ../../../../../class/leds<br />
-rw-r--r-- 1 root root 0 Sep 21 20:22 trigger<br />
-rw-r--r-- 1 root root 4096 Sep 21 08:32 uevent<br />
[root@nst34-mbp ~]#<br />
<br />
Determine the maximum keyboard backlight brightness value on the Dell laptop:<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/max_brightness<br />
2<br />
[root@dell7480 ~]#<br />
<br />
Set the maximum keyboard backlight brightness value on the Dell laptop:<br />
[root@dell7480 ~]# echo 2 > /sys/class/leds/dell::kbd_backlight/brightness<br />
[root@dell7480 ~]#<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/brightness<br />
2<br />
[root@dell7480 ~]#<br />
<br />
Turn off the keyboard backlight on the Dell laptop:<br />
[root@dell7480 ~]# echo 0 > /sys/class/leds/dell::kbd_backlight/brightness<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/brightness<br />
0<br />
[root@dell7480 ~]#<br />
<br />
Set the middle keyboard backlight brightness value on the Dell laptop:<br />
[root@dell7480 ~]# echo 1 > /sys/class/leds/dell::kbd_backlight/brightness<br />
[root@dell7480 ~]#<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/brightness<br />
1<br />
[root@dell7480 ~]#<br />
<br />
Determine the maximum keyboard backlight brightness value on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/max_brightness<br />
255<br />
[root@nst34-mbp ~]#<br />
<br />
Set the maximum keyboard backlight brightness value on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# echo 255 > /sys/class/leds/smc::kbd_backlight/brightness<br />
[root@nst34-mbp ~]# <br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/brightness<br />
255<br />
[root@nst34-mbp ~]#<br />
<br />
Turn off the keyboard backlight on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# echo 0 > /sys/class/leds/smc::kbd_backlight/brightness<br />
[root@nst34-mbp ~]# <br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/brightness<br />
0<br />
[root@nst34-mbp ~]#<br />
<br />
Set the middle keyboard backlight brightness value on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# echo 128 > /sys/class/leds/smc::kbd_backlight/brightness<br />
[root@nst34-mbp ~]# <br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/brightness<br />
128<br />
[root@nst34-mbp ~]#</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Adjust_The_Keyboard_Backlight_Brightness_On_A_Laptop_In_Console_Mode_Using_The_Command_Line&diff=9715HowTo Adjust The Keyboard Backlight Brightness On A Laptop In Console Mode Using The Command Line2021-09-22T00:55:45Z<p>Rwh: /* Adjust The Keyboard Backlight Brightness Using the Command Line */</p>
<hr />
<div>__TOC__<br />
= Overview =<br />
This page demonstrates how one can adjust the keyboard backlight brightness on a laptop computer running NST using the command line. It may be desirable to set the brightness to the lowest possible value to extend the time that an NST server can run on battery power.<br />
<br />
= Adjust The Keyboard Backlight Brightness Using the Command Line =<br />
The backlight brightness settings can be found and controlled through the '''[https://en.wikipedia.org/wiki/Sysfs sysfs]''' pseudo file system provided by the Linux kernel. First, the keyboard backlight directory needs to be discovered, since its name depends on the laptop manufacturer. Listing the following directory will help determine the location. The following output is from NST running on a '''Dell 7480''' laptop.<br />
[root@dell7480 ~]# ls -al /sys/class/leds/<br />
total 0<br />
drwxr-xr-x 2 root root 0 Sep 21 05:22 .<br />
drwxr-xr-x 77 root root 0 Sep 21 05:22 ..<br />
lrwxrwxrwx 1 root root 0 Sep 21 09:22 dell::kbd_backlight -> ../../devices/platform/dell-laptop/leds/dell::kbd_backlight<br />
lrwxrwxrwx 1 root root 0 Sep 21 05:22 input4::capslock -> ../../devices/platform/i8042/serio0/input/input4/input4::capslock<br />
lrwxrwxrwx 1 root root 0 Sep 21 05:22 input4::numlock -> ../../devices/platform/i8042/serio0/input/input4/input4::numlock<br />
lrwxrwxrwx 1 root root 0 Sep 21 05:22 input4::scrolllock -> ../../devices/platform/i8042/serio0/input/input4/input4::scrolllock<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:24 phy0-led -> ../../devices/pci0000:00/0000:00:1c.2/0000:02:00.0/leds/phy0-led<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:24 platform::micmute -> ../../devices/platform/dell-laptop/leds/platform::micmute<br />
[root@dell7480 ~]# <br />
<br />
From above, directory "'''/sys/class/leds/dell::kbd_backlight'''" contains the keyboard backlight brightness settings for the Dell laptop.<br />
[root@dell7480 ~]# ls -al /sys/class/leds/dell::kbd_backlight/<br />
total 0<br />
drwxr-xr-x 3 root root 0 Sep 21 09:22 .<br />
drwxr-xr-x 4 root root 0 Sep 21 09:22 ..<br />
-rw-r--r-- 1 root root 4096 Sep 21 09:22 brightness<br />
-r--r--r-- 1 root root 4096 Sep 21 09:22 brightness_hw_changed<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:35 device -> ../../../dell-laptop<br />
-r--r--r-- 1 root root 4096 Sep 21 09:22 max_brightness<br />
drwxr-xr-x 2 root root 0 Sep 21 20:35 power<br />
-rw-r--r-- 1 root root 4096 Sep 21 20:35 start_triggers<br />
-rw-r--r-- 1 root root 4096 Sep 21 20:35 stop_timeout<br />
lrwxrwxrwx 1 root root 0 Sep 21 09:22 subsystem -> ../../../../../class/leds<br />
-rw-r--r-- 1 root root 0 Sep 21 20:35 trigger<br />
-rw-r--r-- 1 root root 4096 Sep 21 09:22 uevent<br />
[root@dell7480 ~]#<br />
<br />
The following output is from NST running on an '''Apple MacBook Pro model: A1502, EMC 2835''' laptop.<br />
[root@nst34-mbp ~]# ls -al /sys/class/leds/<br />
total 0<br />
drwxr-xr-x 2 root root 0 Sep 21 08:32 .<br />
drwxr-xr-x 75 root root 0 Sep 21 08:32 ..<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input4::capslock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:05AC:8290.0001/input/input4/input4::capslock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input4::numlock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:05AC:8290.0001/input/input4/input4::numlock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input4::scrolllock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:05AC:8290.0001/input/input4/input4::scrolllock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::capslock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::capslock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::compose -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::compose<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::kana -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::kana<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::numlock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::numlock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 input6::scrolllock -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1/0003:05AC:0273.0004/input/input6/input6::scrolllock<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 smc::kbd_backlight -> ../../devices/platform/applesmc.768/leds/smc::kbd_backlight<br />
[root@nst34-mbp ~]#<br />
<br />
From above, directory "'''/sys/class/leds/smc::kbd_backlight'''" contains the keyboard backlight brightness settings for the Apple MacBook Pro.<br />
[root@nst34-mbp ~]# ls -al /sys/class/leds/smc::kbd_backlight/<br />
total 0<br />
drwxr-xr-x 3 root root 0 Sep 21 08:32 .<br />
drwxr-xr-x 3 root root 0 Sep 21 08:32 ..<br />
-rw-r--r-- 1 root root 4096 Sep 21 13:24 brightness<br />
lrwxrwxrwx 1 root root 0 Sep 21 20:22 device -> ../../../applesmc.768<br />
-r--r--r-- 1 root root 4096 Sep 21 08:32 max_brightness<br />
drwxr-xr-x 2 root root 0 Sep 21 20:22 power<br />
lrwxrwxrwx 1 root root 0 Sep 21 08:32 subsystem -> ../../../../../class/leds<br />
-rw-r--r-- 1 root root 0 Sep 21 20:22 trigger<br />
-rw-r--r-- 1 root root 4096 Sep 21 08:32 uevent<br />
[root@nst34-mbp ~]#<br />
<br />
Determine the maximum keyboard backlight brightness value on the Dell laptop:<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/max_brightness<br />
2<br />
[root@dell7480 ~]#<br />
<br />
Determine the maximum keyboard backlight brightness value on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/max_brightness<br />
255<br />
[root@nst34-mbp ~]#<br />
<br />
Set the maximum keyboard backlight brightness value on the Dell laptop:<br />
[root@dell7480 ~]# echo 2 > /sys/class/leds/dell::kbd_backlight/brightness<br />
[root@dell7480 ~]#<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/brightness<br />
2<br />
[root@dell7480 ~]#<br />
<br />
Turn off the keyboard backlight (brightness 0) on the Dell laptop:<br />
[root@dell7480 ~]# echo 0 > /sys/class/leds/dell::kbd_backlight/brightness<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/brightness<br />
0<br />
[root@dell7480 ~]#<br />
<br />
Set the middle keyboard backlight brightness value on the Dell laptop:<br />
[root@dell7480 ~]# echo 1 > /sys/class/leds/dell::kbd_backlight/brightness<br />
[root@dell7480 ~]#<br />
[root@dell7480 ~]# cat /sys/class/leds/dell::kbd_backlight/brightness<br />
1<br />
[root@dell7480 ~]#<br />
<br />
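The steps shown above for the Dell laptop (discover the LED directory, read '''max_brightness''', write a value and read it back), which the MacBook Pro steps below repeat with its own directory and range, combined into one range-checked POSIX shell script. This is an added example and is not part of the NST wiki page or the NST distribution: the function names are mine, it assumes only the sysfs layout shown in the listings (a directory named '''*::kbd_backlight''' under '''class/leds''' holding '''brightness''' and '''max_brightness'''), and with no argument it runs against a constructed fake tree rather than the real '''/sys''':<br />

```shell
#!/bin/sh
# Added example (not from the NST wiki): find the keyboard backlight LED under
# a sysfs tree, read its max_brightness, and write a range-checked value to
# brightness. It assumes the layout shown on the page:
#   <root>/class/leds/<vendor>::kbd_backlight/{brightness,max_brightness}
# With no argument it runs against a constructed fake tree (kbd_make_fake_sysfs)
# so it can be tried without root and without touching /sys.

# kbd_backlight_dir ROOT: print the first LED directory named *::kbd_backlight
# (dell::kbd_backlight on the Dell 7480, smc::kbd_backlight on the MacBook Pro).
kbd_backlight_dir() {
    kbd_root=${1:-/sys}
    for kbd_d in "$kbd_root"/class/leds/*::kbd_backlight; do
        if [ -d "$kbd_d" ] && [ -r "$kbd_d/max_brightness" ]; then
            printf '%s\n' "$kbd_d"
            return 0
        fi
    done
    return 1    # pattern did not expand: no keyboard backlight LED here
}

# kbd_backlight_max DIR: print the largest accepted value (2 on the Dell,
# 255 on the MacBook Pro in the listings above).
kbd_backlight_max() {
    cat "$1/max_brightness"
}

# kbd_backlight_set DIR VALUE: write VALUE only if it is a non-negative integer
# no larger than max_brightness, then read it back as the page does after each
# echo. Returns 2 for a rejected value, 1 if the write itself fails.
kbd_backlight_set() {
    kbd_dir=$1
    kbd_value=$2
    case $kbd_value in
        ''|*[!0-9]*)
            echo "kbd_backlight_set: '$kbd_value' is not a non-negative integer" >&2
            return 2 ;;
    esac
    kbd_max=$(kbd_backlight_max "$kbd_dir")
    if [ "$kbd_value" -gt "$kbd_max" ]; then
        echo "kbd_backlight_set: $kbd_value exceeds max_brightness $kbd_max" >&2
        return 2
    fi
    printf '%s\n' "$kbd_value" > "$kbd_dir/brightness" || return 1
    cat "$kbd_dir/brightness"
}

# Wrappers for the "turn off" and "middle" settings on the page.
# (max+1)/2 gives 1 on the Dell and 128 on the MacBook Pro, matching the page.
kbd_backlight_off() { kbd_backlight_set "$1" 0; }
kbd_backlight_mid() {
    kbd_mid_max=$(kbd_backlight_max "$1")
    kbd_backlight_set "$1" $(( (kbd_mid_max + 1) / 2 ))
}

# kbd_make_fake_sysfs: build a constructed sysfs look-alike in a temp dir with
# a Dell-style LED (max_brightness 2, brightness 0) and print its root.
kbd_make_fake_sysfs() {
    kbd_fake=$(mktemp -d)
    mkdir -p "$kbd_fake/class/leds/dell::kbd_backlight"
    echo 2 > "$kbd_fake/class/leds/dell::kbd_backlight/max_brightness"
    echo 0 > "$kbd_fake/class/leds/dell::kbd_backlight/brightness"
    printf '%s\n' "$kbd_fake"
}

# kbd_demo [ROOT]: walk through discover -> max -> set, like the page.
# Pass /sys as ROOT to drive the real LED (requires root, as the prompts show).
kbd_demo() {
    if [ $# -gt 0 ]; then
        kbd_demo_root=$1
        kbd_demo_cleanup=
    else
        kbd_demo_root=$(kbd_make_fake_sysfs)
        kbd_demo_cleanup=$kbd_demo_root
    fi
    kbd_demo_dir=$(kbd_backlight_dir "$kbd_demo_root") ||
        { echo "no *::kbd_backlight LED under $kbd_demo_root/class/leds" >&2; return 1; }
    echo "LED directory : $kbd_demo_dir"
    echo "max_brightness: $(kbd_backlight_max "$kbd_demo_dir")"
    echo "set to max    : $(kbd_backlight_set "$kbd_demo_dir" "$(kbd_backlight_max "$kbd_demo_dir")")"
    echo "turn off      : $(kbd_backlight_off "$kbd_demo_dir")"
    echo "middle        : $(kbd_backlight_mid "$kbd_demo_dir")"
    kbd_backlight_set "$kbd_demo_dir" 999 || echo "out-of-range value rejected, brightness unchanged"
    [ -n "$kbd_demo_cleanup" ] && rm -rf "$kbd_demo_cleanup"
    return 0
}

kbd_demo "$@"
```

Run it as root with '''/sys''' as the argument to drive the real LED, exactly as the prompts above do. The script refuses values outside 0..'''max_brightness''' before writing, so a value such as 255 on the Dell (whose maximum is 2) is reported rather than handed to the driver, and every write is read back so the caller sees what the LED actually holds.<br />
<br />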
Set the maximum keyboard backlight brightness value on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# echo 255 > /sys/class/leds/smc::kbd_backlight/brightness<br />
[root@nst34-mbp ~]# <br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/brightness<br />
255<br />
[root@nst34-mbp ~]#<br />
<br />
Turn off the keyboard backlight (brightness 0) on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# echo 0 > /sys/class/leds/smc::kbd_backlight/brightness<br />
[root@nst34-mbp ~]# <br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/brightness<br />
0<br />
[root@nst34-mbp ~]#<br />
<br />
Set the middle keyboard backlight brightness value on the Apple MacBook Pro laptop:<br />
[root@nst34-mbp ~]# echo 128 > /sys/class/leds/smc::kbd_backlight/brightness<br />
[root@nst34-mbp ~]# <br />
[root@nst34-mbp ~]# cat /sys/class/leds/smc::kbd_backlight/brightness<br />
128<br />
[root@nst34-mbp ~]#</div>Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Adjust_The_Keyboard_Backlight_Brightness_On_A_Laptop_In_Console_Mode_Using_The_Command_Line&diff=9714HowTo Adjust The Keyboard Backlight Brightness On A Laptop In Console Mode Using The Command Line2021-09-22T00:46:48Z<p>Rwh: /* Adjust The Keyboard Backlight Brightness Using the Command Line */</p>
Rwhhttps://wiki.networksecuritytoolkit.org/nstwiki/index.php?title=HowTo_Adjust_The_Keyboard_Backlight_Brightness_On_A_Laptop_In_Console_Mode_Using_The_Command_Line&diff=9713HowTo Adjust The Keyboard Backlight Brightness On A Laptop In Console Mode Using The Command Line2021-09-22T00:46:32Z<p>Rwh: /* Adjust The Keyboard Backlight Brightness Using the Command Line */</p>
Rwh