FrootVPN with DD-WRT

I stumbled across FrootVPN the other day. I like connecting to VPNs for certain activities, but sometimes I don’t like doing it on my local machine (if that makes sense). I’d much rather connect to a separate wireless network and have the router handle the VPN connection for me. Since I have a spare WRT54GL running DD-WRT in my basement connected to the rest of my rack, I thought I’d give it a try. After some trial and error, I was able to get everything working. With your DD-WRT router IP as your default gateway, everything will get routed over your FrootVPN connection. Here are the steps I took:

1) Make sure your router’s date/time is correct. (This is important. You’ll get certificate errors if you’re way off)
2) Download the OpenVPN config file from the FrootVPN site
3) Enable SSH/Telnet
4) Copy the OpenVPN file you downloaded from the FrootVPN site to /tmp/openvpncl/frootvpn.conf
5) Open frootvpn.conf and append /tmp/openvpncl/user.conf to the auth-user-pass line, so it reads:
auth-user-pass /tmp/openvpncl/user.conf
6) Edit /tmp/openvpncl/user.conf and put your username on the first line and your password on the second. It should look like this:
User
Password

7) Run this:
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
8) Run this command to start OpenVPN with your FrootVPN config file:
openvpn --config /tmp/openvpncl/frootvpn.conf

If everything works like it should, you should see output like this:

If you get that, hit ipchicken.com to see if you’re getting routed over the VPN. If you are, hit ^c to quit then run this to daemonize OpenVPN:
openvpn --config /tmp/openvpncl/frootvpn.conf --daemon
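Steps 5 and 6 as a small script, added here as an example (not from the original post or from FrootVPN/DD-WRT). It assumes the same paths used above, rewrites the auth-user-pass line in place, writes the credentials file so that only its owner can read it, and checks both before you start openvpn.

```shell
#!/bin/sh
# Added example: automates steps 5 and 6 of the FrootVPN/DD-WRT setup above.
# CONF and CREDS are parameters; the post uses /tmp/openvpncl/frootvpn.conf
# and /tmp/openvpncl/user.conf.

# Point the auth-user-pass directive at the credentials file. Idempotent:
# a bare "auth-user-pass" gets the path appended, an existing path is
# replaced, and a missing directive is added at the end of the file.
point_auth_to_file() {
    conf="$1"; creds="$2"
    if ! grep -q '^auth-user-pass' "$conf"; then
        printf 'auth-user-pass %s\n' "$creds" >> "$conf"
    else
        tmp="$conf.tmp"
        sed "s|^auth-user-pass.*|auth-user-pass $creds|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    fi
}

# Write username and password as two lines. The subshell umask makes the file
# mode 600, so other processes on the router cannot read the VPN credentials.
write_credentials() {
    creds="$1"; user="$2"; pass="$3"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$creds" )
}

# Sanity check before starting openvpn: the directive names the credentials
# file and the file has exactly two non-empty lines. Returns 0 when ready.
check_credentials() {
    conf="$1"; creds="$2"
    grep -q "^auth-user-pass $creds\$" "$conf" || return 1
    [ "$(grep -c . "$creds")" -eq 2 ]
}
```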

Rename Logical Volume

The other day I ran into an unusual issue. We had to re-install the OS on a server and then attach the old drives to retrieve the data. Sometimes this isn’t a problem, sometimes it is. In this case, both volume groups had the same name, so I renamed the second one by its UUID with this command:

vgrename T0Xg9i-11uz-Am7t-VbEj-sfhj-0WC6-PZSYhO VolGroup0

The syntax is:

vgrename VG_UUID NewName

Use the UUID rather than the name when two groups share a name; vgdisplay prints it as “VG UUID”.

After that, I was able to mount the second LV and the customer was able to retrieve their data.

Manually Update Munin

I’ve been setting up Munin on my own network and don’t always want to wait for the cron job to run. You can run these 2 commands to update Munin manually:

su - munin --shell=/bin/bash
munin-cron

Install ImageMagick for PHP

We get asked to install the ImageMagick extension for PHP quite often. It’s pretty simple, but I figured I’d write down how I do it. Most of the commands are straightforward. If you have any questions, please feel free to ask.

# yum list | grep ImageMagick | awk '{print $1}' > imagick
# yum install `cat imagick | xargs`
# pecl install imagick
# echo "extension=imagick.so" >> /etc/php.ini

Now you should see imagick in PHP:

# php -i | grep imagick
imagick
imagick module => enabled
imagick module version => 3.1.2
imagick classes => Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator

You’ll need to re-start PHP-FPM/Apache to apply the install.

Mail to Non-existent Users

I once needed to change the default mail handling setting in Plesk for several thousand domains. Doing all of this through the GUI is stupid and would take hours. This particular customer wanted emails rejected if the recipient didn’t exist. Perfectly reasonable. We ran the following queries:

mysql> use psa;
mysql> select domains.name,Parameters.value from domains,Parameters,DomainServices where DomainServices.type='mail' and Parameters.value in ('catch','reject','bounce') and domains.id=DomainServices.dom_id and DomainServices.parameters_id=Parameters.id order by Parameters.value,domains.name;
mysql> UPDATE Parameters SET value='reject' WHERE parameter='nonexist_mail';

The first query just shows the domains and their current settings. The second updates every nonexist_mail row in the Parameters table and sets its value to “reject”.

Thankfully, we only had to do this a few times. I know this is compatible with Plesk 9. I haven’t tested it on 10 or 11.

H/T: NickTailor.com (Query 23!)

PHP Password Generator

Sometimes I need to generate passwords on the fly and I don’t want to leave the command line to do it. I used to use the pctools.com utility, but it changed recently to Norton Identity Safe and I’m not a huge fan. In my frustration, I hacked together a little PHP script (after looking at the HTTP headers) to query the API. I thought I’d share it:

<?php
// Ask the Norton Identity Safe API for one 12-character password (options are in the query string).
$json_url = "http://identitysafe.norton.com/password?&include_phonetic=false&include_numbers=true&include_letters=true&include_mixedcase=true&include_punctuation=true&no_similar=true&num_passwords=1&password_length=12";
$json = file_get_contents($json_url);
if ($json === false) {
    error_log("Request to the password API failed");
    exit(1);
}
$data = json_decode($json);
if (!isset($data->passwords[0]->value)) {
    error_log("Unexpected response from the password API");
    exit(1);
}
echo $data->passwords[0]->value, "\n";

Now, I just curl the URL to the php file and get a password! It looks like this:

[root@ispeakl33t ~]# curl http://ispeakl33t.com/passwd.php
wus6eya!equT

The URL in the code will generate one 12-character password that includes numbers, letters, mixed case, punctuation, and no similar-looking characters (like O and 0). You can change the values in the URL to meet your needs.

Just thought I’d pass this along.
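If you’d rather keep the generation on the box itself, here is an added example (not from the original post, and not Norton’s code) that produces a password locally with the same constraints the URL above asks for: 12 characters, digits, letters, mixed case, punctuation, no look-alike characters. The alphabet and the rejection loop are my choices.

```shell
#!/bin/sh
# Added example: local password generation with the constraints used above.
# Randomness comes from /dev/urandom; nothing crosses the network.
LC_ALL=C; export LC_ALL

# Alphabet with look-alikes removed (0/O, 1/l/I). The '-' is last so tr
# does not read it as a range.
ALPHABET='abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%^&*_=+?-'

# Returns 0 when pw has the requested length, at least one lowercase,
# uppercase, digit and punctuation character, and none of 0 O 1 l I.
check_password() {
    pw="$1"; len="$2"
    [ "${#pw}" -eq "$len" ] || return 1
    case "$pw" in *[0O1lI]*) return 1;; esac
    case "$pw" in *[a-z]*) ;; *) return 1;; esac
    case "$pw" in *[A-Z]*) ;; *) return 1;; esac
    case "$pw" in *[0-9]*) ;; *) return 1;; esac
    case "$pw" in *[!a-zA-Z0-9]*) ;; *) return 1;; esac
    return 0
}

# Draw random characters from ALPHABET and keep drawing until every
# required class is present (rejection sampling, no biased fix-ups).
gen_password() {
    len="${1:-12}"
    while :; do
        pw=$(tr -dc "$ALPHABET" < /dev/urandom | head -c "$len")
        if check_password "$pw" "$len"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}
```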

Install DNSCrypt CentOS

Every now and then I get the itch to do something weird, like encrypt my DNS traffic just for the heck of it. I configured BIND on a VM and had it forward requests to the DNSCrypt proxy on a different port. DNSCrypt, by default, uses OpenDNS to resolve queries, but you can override it. Here’s how you install everything (I’m not covering the BIND config):

1: Install Development Tools:
yum groupinstall "Development Tools"

2: Install libsodium.
Download the tarball here: https://download.libsodium.org/libsodium/releases/
Extract it and run:
./configure
make && make install

3: CentOS/RHEL/Fedora don’t include /usr/local/lib when looking for shared libraries, so we need to run this next:
echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf

4: Run ldconfig

5: Download DNSCrypt-Proxy here: http://download.dnscrypt.org/dnscrypt-proxy/

6: Untar it and run:
./configure
make && make install

At this point, everything is installed. I added a user, dnscrypt, to run the dnscrypt-proxy daemon with the following flags:

dnscrypt-proxy --daemonize --local-address=127.0.0.1:54 --user=dnscrypt

If you don’t define local-address, it will listen on 127.0.0.1:53. Since BIND is already there, I bumped it up a port. The other flags are self-explanatory.

If you want named to forward to the proxy, you can change your forwarders to:
forwarders { 127.0.0.1 port 54; };

More info is available here: http://dnscrypt.org/ and here https://github.com/jedisct1/libsodium and here too https://github.com/jedisct1/dnscrypt-proxy.

Setup Ghost on CentOS

When I first heard about the Ghost platform I was ecstatic. It’s pretty, it’s simple, and it’s fast – 3 things that I really like about a blogging platform. I love WordPress, but I like new things too. Installing it is fun. Here are the steps I took:

  1. Install NPM:
    yum install npm
  2. Download the source code. You can sign up on the Ghost.org site or clone the git repo here: https://github.com/TryGhost/Ghost
  3. Extract it somewhere on your server
  4. Install it:
    npm install --production

This will start the app on port 2368, but won’t daemonize it.

To daemonize it:

  1. Run:
    npm install -g forever
  2. Copy config.example.js to config.js and edit your settings.
  3. Followed by:
    NODE_ENV=production forever start index.js

At this point, Ghost is running, but it’s still on 2368 unless you changed it. If you’re running Apache on port 80, you can use it as a reverse proxy. I created a quick VirtualHost to accomplish this:

<VirtualHost *:80>
ServerName ghost.ispeakl33t.com
ProxyRequests off
ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http://127.0.0.1:2368/
</VirtualHost>

If you’re running Debian or Ubuntu, you can check instructions for installing Ghost here.

I’ve posted this on my Ghost site as well. You can view it here.

Change MySQL Table Engine

I had an issue this morning with a database server. It has 32Gb of RAM and 24 available cores, but the load was in excess of 200. After addressing a few issues with maximum connection values in MySQL and Apache, we realized that the tables in the database in question were all using the MyISAM engine. This isn’t a bad thing necessarily, but the way this database is being used, InnoDB is a more appropriate engine. To convert the tables over, we ran the following command:

mysql> ALTER TABLE Table_Name_Goes_Here ENGINE = InnoDB;

This is usually a quick process, but if your tables are big, it will take some time.

After this change, the load dropped to .5 and everything began to run smoothly.

A few resources:

http://dev.mysql.com/doc/refman/5.1/en/alter-table.html
http://rtcamp.com/wordpress-nginx/tutorials/mysql/myisam-to-innodb/
http://www.rackspace.com/knowledge_center/article/mysql-engines-myisam-vs-innodb
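Rather than running the ALTER above once per table, here is an added example (not from the original post) that lists every MyISAM table in a database from information_schema and generates the matching ALTER TABLE statements, as a dry run by default. The database name is a parameter; a working mysql client with credentials (for example in ~/.my.cnf) is assumed.

```shell
#!/bin/sh
# Added example: convert all MyISAM tables of one database to InnoDB.
# Assumes the mysql client can connect without prompting.

# SQL that lists MyISAM tables of one schema. Single quotes in the schema
# name are doubled so an odd database name cannot break the literal.
list_myisam_sql() {
    esc=$(printf '%s' "$1" | sed "s/'/''/g")
    printf "SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA='%s' AND ENGINE='MyISAM' ORDER BY TABLE_NAME;\n" "$esc"
}

# Turn table names (one per line on stdin) into the ALTER statements used in
# the post. Identifiers are backtick-quoted; a literal backtick is doubled,
# which is MySQL's quoting rule for identifiers.
build_alter_sql() {
    dq=$(printf '%s' "$1" | sed 's/`/``/g')
    while IFS= read -r tbl; do
        [ -n "$tbl" ] || continue
        tq=$(printf '%s' "$tbl" | sed 's/`/``/g')
        printf 'ALTER TABLE `%s`.`%s` ENGINE = InnoDB;\n' "$dq" "$tq"
    done
}

# Usage: convert_db mydb            -> print the statements (dry run)
#        convert_db mydb --execute  -> run them
convert_db() {
    db="$1"; mode="$2"
    sql=$(list_myisam_sql "$db" | mysql -N -B "$db" | build_alter_sql "$db")
    if [ "$mode" = "--execute" ]; then
        printf '%s\n' "$sql" | mysql "$db"
    else
        printf '%s\n' "$sql"
    fi
}
```

Big tables still take as long to rebuild as the single ALTER does, so run the dry run first and schedule the --execute pass for a quiet period.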

Find Process’ Average Memory

Every now and then it’s beneficial to figure out how much memory a process is using on average. We can do that with the following command:

ps aux | grep 'PROCESS' | awk '{print $6/1024;}' | awk '{avg += ($1 - avg) / NR;} END {print avg " MB";}'

This is especially helpful when calculating pm.max_children or Apache MaxClients directives. Just replace PROCESS with the name of the process in question (leave the single quotes).

An example would be one of my servers. The average httpd process is almost 100mb:

# ps aux | grep 'httpd' | awk '{print $6/1024;}' | awk '{avg += ($1 - avg) / NR;} END {print avg " MB";}'
99.5519 MB

Update:
This method isn’t the most accurate available. This for loop is far more accurate:

# Replace PROCESS but keep its first letter in brackets: that keeps the grep itself out of the match.
rm -f mem_use
for i in $(ps aux | grep '[P]ROCESS' | grep -v root | awk '{print $2}');
do awk '/^Pss:/ {sum += $2} END {print sum}' /proc/$i/smaps >> mem_use;
done
awk '{avg += $1} END {print (avg/NR)/1024 " MB"}' mem_use
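The Pss measurement from the update, as an added example (not from the original post) written as functions that can be checked on a constructed smaps excerpt. It also covers two cases the loop does not: a process that exits between listing and reading, and no matching processes at all (which would otherwise divide by zero).

```shell
#!/bin/sh
# Added example: average proportional set size (Pss) of a group of processes.
# Needs Linux /proc for the live version; the two awk helpers run anywhere.

# Sum the Pss: lines of an smaps file read on stdin; result in kB.
# Anchored to ^Pss: so SwapPss: (present on newer kernels) is not counted.
sum_pss_kb() {
    awk '/^Pss:/ {sum += $2} END {print sum + 0}'
}

# Average a list of per-process kB values (one per line on stdin) in MB.
# Prints 0 when there is no input instead of dividing by NR == 0.
average_mb() {
    awk '{total += $1} END {if (NR == 0) print 0; else printf "%.2f MB\n", (total/NR)/1024}'
}

# Average Pss in MB of all processes whose command line matches NAME.
# pgrep never matches itself, which is the gotcha with "ps aux | grep".
# Root-owned processes are skipped, as in the original loop.
average_pss_mb() {
    name="$1"
    for pid in $(pgrep -f "$name"); do
        case "$(ps -o user= -p "$pid")" in *root*) continue;; esac
        [ -r "/proc/$pid/smaps" ] || continue   # exited already, skip it
        sum_pss_kb < "/proc/$pid/smaps"
    done | average_mb
}

# Constructed smaps excerpt (two mappings) used to demonstrate sum_pss_kb;
# a real file has hundreds of mappings, each with a Pss: line.
SAMPLE_SMAPS='00400000-00452000 r-xp 00000000 08:02 173521 /usr/sbin/httpd
Size:                328 kB
Rss:                 300 kB
Pss:                 150 kB
SwapPss:              20 kB
7f2c0000-7f2c1000 rw-p 00000000 00:00 0 [heap]
Size:                  4 kB
Rss:                   4 kB
Pss:                   4 kB
'
```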