Route all traffic by OpenVPN

Security Update

In October I posted a blog about setting up your OpenVPN server in 2 minutes.

This blog is an add-on to that existing configuration: it routes all client traffic over the VPN.

Change server configuration

Open the server config file (/etc/openvpn/server.conf) and add the following lines:

push "redirect-gateway def1"
push "dhcp-option DNS <internalDNSIP>"
push "dhcp-option DNS 1.1.1.1"

Restart your OpenVPN daemon

sudo /etc/init.d/openvpn restart

Change client configuration

Change your client config and add the following line:

redirect-gateway def1

Change IP Tables

The last thing to do is change your iptables rules so that VPN traffic is NATed to the internet. (You need root privileges for this: run the commands as root or via sudo.)

iptables -I FORWARD -i tun0 -o wlan0 \
         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
         -j ACCEPT
iptables -t nat -I POSTROUTING -o wlan0 \
         -s 10.8.0.0/24 -j MASQUERADE

Legend:

  • tun0: your virtual VPN network interface
  • wlan0: your normal (outbound) network interface as used in the rules above; on a wired connection this is usually eth0 (to make sure you use the right interface name in all three rules, check with “ifconfig”)
  • 10.8.0.0/24: your VPN network IP range

How to create trusted network for MFA in Office365

What is MFA?

Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method, adding a second layer of security to user sign-ins and transactions. You can choose from the following verification methods:

  • A randomly generated passcode (Microsoft Authenticator app or SMS)
  • A phone call
  • A smart card (virtual or physical)
  • A biometric device

Security Updates Skype for Business (Lync) Client – June 2017

Patch Tuesday

On Patch Tuesday Microsoft released two security patches for Skype for Business and one for Lync 2013.

Security update for Skype for Business 2016

Summary

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0283.

Note: To apply this security update, you must have the release version of Skype for Business 2016 installed on the computer.

(download KB3203382)

Security update for Skype for Business 2015 (Lync 2013)

Summary

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-0283.

Note: To apply this security update, you must have the release version of Skype for Business 2015 (Lync 2013) installed on the computer.

QoS troubleshooting with Wireshark

During my work I get a lot of VoIP traffic related queries. I use this configuration to check whether packets are being tagged with the right DSCP values.

Add a DSCP column to your Wireshark client

1. Right-click on one of the existing columns.
2. Click “Column Preferences”.
3. Click “Add” at the bottom.
4. Click on the “New Column” label, change it to “DSCP” and press Enter once.
5. With the new entry highlighted, change the Field Type to “Custom” (in the dropdown box).
6. In the field name, paste ip.dsfield.dscp.
7. Click Apply/OK.

You can drag the column back to the left of the Info column; you now have a simple view of the DSCP tag for any packet.

Filter

You can also apply a display filter to show only the packets with DSCP value 46 (EF, the marking normally used for voice):

ip.dsfield.dscp == 46

Reference

Here is a table of DSCP and TOS values in their most common formats, for reference. The TOS (Dec/Hex) columns give the whole TOS/DS byte; the DSCP columns give its upper six bits, which is what ip.dsfield.dscp shows.
TOS (Dec)  TOS (Hex)  TOS Precedence Name  Delay  Throughput  Reliability  DSCP (Hex)  DSCP (Dec)  DSCP/PHB Class
0          0x00       Routine              0      0           0            0x00        0           none
4          0x04       Routine              0      0           1            0x01        1           none
8          0x08       Routine              0      1           0            0x02        2           none
12         0x0C       Routine              0      1           1            0x03        3           none
16         0x10       Routine              1      0           0            0x04        4           none
32         0x20       Priority             0      0           0            0x08        8           cs1
40         0x28       Priority             0      1           0            0x0A        10          af11
48         0x30       Priority             1      0           0            0x0C        12          af12
56         0x38       Priority             1      1           0            0x0E        14          af13
64         0x40       Immediate            0      0           0            0x10        16          cs2
72         0x48       Immediate            0      1           0            0x12        18          af21
80         0x50       Immediate            1      0           0            0x14        20          af22
88         0x58       Immediate            1      1           0            0x16        22          af23
96         0x60       Flash                0      0           0            0x18        24          cs3
104        0x68       Flash                0      1           0            0x1A        26          af31
112        0x70       Flash                1      0           0            0x1C        28          af32
120        0x78       Flash                1      1           0            0x1E        30          af33
128        0x80       FlashOverride        0      0           0            0x20        32          cs4
136        0x88       FlashOverride        0      1           0            0x22        34          af41
144        0x90       FlashOverride        1      0           0            0x24        36          af42
152        0x98       FlashOverride        1      1           0            0x26        38          af43
160        0xA0       Critical             0      0           0            0x28        40          cs5
176        0xB0       Critical             1      0           0            0x2C        44          voice-admit
184        0xB8       Critical             1      1           0            0x2E        46          ef
192        0xC0       InterNetworkControl  0      0           0            0x30        48          cs6
224        0xE0       NetworkControl       0      0           0            0x38        56          cs7
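As an added example (not code from the original post), the decoding behind the table and the ip.dsfield.dscp column in working form: it splits a TOS/DS byte into precedence, D/T/R flags and DSCP, maps the DSCP to its PHB label for the whole code-point space rather than only the rows listed, reads the DSCP from a raw IPv4 header the way Wireshark does, and flags packets that are not marked EF. The sample IPv4 headers are constructed inline (checksum left at zero); the addresses in them are placeholders.

```python
import socket
import struct

# IP precedence names for the top three bits of the TOS byte (RFC 791).
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash",
              "FlashOverride", "Critical", "InterNetworkControl", "NetworkControl"]

def phb_name(dscp: int) -> str:
    """Map a 6-bit DSCP code point to the PHB label used in the reference table."""
    if dscp == 46:
        return "ef"           # Expedited Forwarding (voice bearer)
    if dscp == 44:
        return "voice-admit"  # RFC 5865
    cls, drop = divmod(dscp, 8)
    if drop == 0 and cls > 0:
        return f"cs{cls}"     # class selector
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return f"af{cls}{drop // 2}"  # assured forwarding, drop precedence 1-3
    return "none"             # default / best effort or non-standard code point

def decode_tos(tos: int) -> dict:
    """Split one TOS/DS byte into the columns of the reference table."""
    dscp = tos >> 2
    return {
        "tos_hex": f"0x{tos:02X}",
        "precedence": PRECEDENCE[tos >> 5],
        "delay": (tos >> 4) & 1,
        "throughput": (tos >> 3) & 1,
        "reliability": (tos >> 2) & 1,
        "dscp": dscp,
        "dscp_hex": f"0x{dscp:02X}",
        "phb": phb_name(dscp),
    }

def dscp_of_ipv4(packet: bytes) -> int:
    """DSCP of a raw IPv4 packet, i.e. what Wireshark shows as ip.dsfield.dscp."""
    version_ihl, tos = struct.unpack_from("!BB", packet, 0)
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos >> 2

def build_ipv4_header(tos: int, src: str = "10.8.0.2", dst: str = "1.1.1.1") -> bytes:
    """Constructed 20-byte IPv4 header (UDP, checksum 0) used only as sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def unmarked_voice_packets(packets: list) -> list:
    """Indexes of packets whose DSCP is not EF (46), i.e. misconfigured QoS marking."""
    return [i for i, p in enumerate(packets) if dscp_of_ipv4(p) != 46]
```

Feed it the raw IP layer of captured packets (for example from a pcap reader) instead of the constructed headers to check a whole call's RTP stream for missing EF markings.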