From: David K. <da...@ke...> - 2018-10-09 21:28:05
I have been wanting to get access to my PBX over my failover tunnel for some time now but didn't know how to get it done (when failover was not active -- it works when astlinux is in failover mode). This thread prompted me to try and get it set up, inspired by Lonnie pointing out fwmark. Unfortunately what I thought would be a quick exercise took several hours to get going.

First a diagram...

    [RemoteDev]
         |
    public internet
    ---------------------------------------
         |                          |
        eth0                       eth0
    [failover] wg0 --------- wg0 [astlinux]
               172.23.x.2   172.23.x.1
                                    |
                                   eth1
                                   192.168.x.1
                             --------------------------
                                    |
                                private LAN
                             [internal system]
                                192.168.x.y

failover could be astlinux or any linux that can act as a router/gateway
failover is connected to public internet through its eth0 interface
failover is connected to astlinux over wireguard.
astlinux is connected to public internet through its eth0 interface
astlinux is connected to failover over wireguard.
astlinux is connected to a private LAN 192.168.x.0/24

Desired behavior is to allow [RemoteDev] to access [astlinux] (ssh or https) or [internal system] connecting through either astlinux eth0 or failover eth0. For this to work [failover] must NAT inbound ssh or https over to [astlinux] or [internal system]. That part is easy enough and if failover is active everything works fine as return traffic is routed back over wireguard. But I want it to work even if failover is not active.

First, the wireguard feature to set fwmark on the interface does nothing to help. I tried. And the documentation (https://www.wireguard.com/netns/) states that this sets a mark on outbound traffic to the wireguard UDP port. In other words the already encrypted packets going out through eth0 port 51820. Actual packets flowing in/out of the tunnel are not marked. But the principle of using fwmark is sound, we just need another way of marking the packets.

This is what worked for me... on the [astlinux] system...

    iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-xmark 0x4/0x4
    iptables -t mangle -A PREROUTING -i wg0 -j CONNMARK --save-mark
    iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    ip route flush table 300
    ip route add table 300 default dev wg0 via 172.23.x.2
    ip rule add from 192.168.x.0/24 fwmark 0x4/0x4 table 300 priority 1000

Explanation...

- We are setting a firewall mark on all inbound traffic from wg0. fwmark is a 32-bit unsigned and can be treated as a value or a 32-bit field. I have chosen to treat it as a 32-bit field and using mask only set bit 2, this means I can use other bits for other purposes in iptables/netfilter/route if I want. You can pick any bit or simply use an integer value. Whatever you do needs to be consistent and be aware of any other uses of fwmark in your firewall.
- We must save this fwmark with the CONNMARK extension, so that we can reattach the mark on related traffic. fwmarks do not attach to the IP packet, they exist in the context of this system's kernel only. So connection tracking is required to keep track of it.
- PREROUTING chain is called for all inbound traffic from all interfaces. So replies from LAN through eth1 will come here too and this is where we need to restore the fwmark on returning packets using the CONNMARK connection tracking. I do that first before setting mark on wg0 traffic.
- That works for traffic passing through [astlinux] to the internal LAN. But for traffic to astlinux (e.g. the web interface) the replies originate on the astlinux box itself and therefore do not pass through PREROUTING. Therefore we must restore the fwmark on the OUTPUT chain so that locally generated packets are tagged if required before we get to routing.
  https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES

The above tags packets that need to be routed back through the wireguard tunnel. Now have to mess with the routing tables to act on the marks.

- Picking any free iproute2 table (I randomly chose 300) delete anything currently on that table.
- Add a default route for that table to send all traffic through the wireguard tunnel
- Add an ip rule to select which packets should be routed through this table based on the fwmark. Critical in this step is to only select packets originating from the internal LAN -- ie, we are only interested in outbound packets. If we don't do that then inbound packets from wg0 will also get selected and we don't want that... because we did not duplicate the content of the main routing table into this new table so there are no routes to local destinations.

The above rules can be set on POST_UP in the astlinux wireguard script. And deleted in the POST_DOWN (or PRE_DOWN, should not matter). Though beware that if you reload the firewall, without also restarting wireguard, then the above would get deleted.

What might this look like in wireguard.script POST_UP section....

    # Setup routing table for traffic originating on $interface so that
    # we can set rules to route replies to that traffic over $interface
    # assume /etc/rc.conf read and interface="$2"
    if [ -n "$WAN_FAILOVER_SECONDARY_GW" ]; then
      # table number must be set before the echo below uses it
      WG0_TUNNEL_ROUTE_TABLE="300"
      echo "WireGuard: set iptables and ip route table $WG0_TUNNEL_ROUTE_TABLE for $interface to reply to inbound traffic via $WAN_FAILOVER_SECONDARY_GW"
      # internal LAN network in CIDR form, derived from the rc.conf INTIP/INTNM pair
      INTNET=$(netcalc $INTIP $INTNM | sed -n -r -e 's/^Network *: *([0-9\.\/]+).*$/\1/p')
      iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
      iptables -t mangle -A PREROUTING -i $interface -j MARK --set-xmark 0x4/0x4
      iptables -t mangle -A PREROUTING -i $interface -j CONNMARK --save-mark
      iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
      ip route flush table $WG0_TUNNEL_ROUTE_TABLE
      ip route add table $WG0_TUNNEL_ROUTE_TABLE default dev $interface via $WAN_FAILOVER_SECONDARY_GW
      ip rule add from $INTNET fwmark 0x4/0x4 table $WG0_TUNNEL_ROUTE_TABLE priority 1000
    fi

Don't forget to delete on POST_DOWN.

IPv6 is left as homework exercise for the reader.

Enjoy !!

David

On Sat, Oct 6, 2018 at 7:54 PM Lonnie Abelbeck <li...@lo...> wrote:

> Yes, it all comes down to the routing at PBX2.
>
> Consider this ... the PC has IP 1.2.3.4, so the NAT forward will have a SRC address of 1.2.3.4 when received by 172.29.253.2 on PBX2. If the routing on PBX2 routes 1.2.3.4 back through the wireguard tunnel then it will work as you want. On the other hand if PBX2 routes 1.2.3.4 over its EXT interface then it will not work as you want.
>
> Probably the most elegant solution for routing on PBX2 is "policy routing" using "ip rule ..." where traffic through the wireguard tunnel could have a "fwmark" and add routing rules based on whether the packet traversed the wireguard tunnel. I have only played with this ... all the hooks are currently available using /mnt/kd/wireguard.script
>
> https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#optional_action_script
>
> but if you are not familiar with policy-based routing in Linux, this takes some research to get a handle on.
>
> Alternatively, if your public PCs are always off a known subnet, you could add a static destination route on PBX2 to your PCs via the wireguard tunnel.
>
> Lonnie
>
>> On Oct 6, 2018, at 6:11 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Sorry Lonnie I am a little confused.
>> The setup is as follows:
>>
>> PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
>>
>> I can ping the private Wireguard PBX2 address (172.29.253.2) from PBX1 (172.29.253.2)
>> So I want to NAT PBX1 EXTIF on a particular port to PBX2 WG IP 172.29.253.2.
>> I have set up the NAT_FOREIGN_NETWORK for the entire private address space.
>>
>> Thanks
>>
>> Regards
>> Michael Knill
>>
>> On 7/10/18, 12:01 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>>> On Oct 5, 2018, at 10:29 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi Group
>>>
>>> I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
>>> It does not seem to work with NAT EXT -> LAN.
>>> If not, is there a custom rule I can try?
>>>
>>> Basically I want to SSH to the VPN endpoint directly, via the transit DR server.
>>>
>>> Thanks so much.
>>
>> Hi Michael, short answer is yes, but depending on the routing.
>>
>> Start with a diagram ...
>>
>> public_1 -- pbx1 [ wg_1_ip ] -- wireguard -- [ wg_2_ip ] pbx2 -- public_2
>>
>> My understanding is you want to SSH to wg_1_ip using public_2 ? Correct me if I misunderstood.
>>
>> Yes, a "NAT EXT -> LAN" on public_2 to wg_1_ip will work *only if* the SSH return path at pbx1 goes through the wireguard vpn.
>>
>> I have personally tried this when pbx1 was on failover using wireguard over LTE/4G, as such all pbx1 traffic was routed over wireguard, as such a "NAT EXT -> LAN" on public_2 to wg_1_ip worked since the SSH return packets passed over wireguard to pbx2.
>>
>> Tip -> Similar, but if a "NAT EXT -> LAN" on public_2 to a LAN IP on pbx1 you would need to set NAT_FOREIGN_NETWORK on pbx2 of the pbx1 LAN so it is NAT'ed on pbx2.
>>
>> Lonnie
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Ast...@li...
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
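Added example, not part of David's post or the AstLinux project: the same fwmark/CONNMARK policy routing packaged as an idempotent up/down/check script for the POST_UP and POST_DOWN hooks. Everything concrete in it is an assumption to adjust to your own rc.conf: wg0 as the tunnel, eth1 with 192.168.1.0/24 as the LAN and this box at 192.168.1.1, 172.23.1.2 as the far end of the tunnel, table 300, mark bit 0x4, and 203.0.113.10 standing in for the remote client. DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread's author or the AstLinux project:
# idempotent up/down/check for the fwmark + CONNMARK policy routing described
# above, meant to be called from POST_UP / POST_DOWN in /mnt/kd/wireguard.script
# (the hook's argument convention is not shown on this page; the case at the
# bottom is for running this file by hand).  All addresses are placeholders.
# DRY_RUN=1 prints the commands instead of executing them.

WG_IF="${WG_IF:-wg0}"                    # tunnel interface
LAN_IF="${LAN_IF:-eth1}"                 # internal LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # internal LAN, the only source we policy-route
LAN_IP="${LAN_IP:-192.168.1.1}"          # this box's LAN address (reply source for the web UI)
WG_PEER_GW="${WG_PEER_GW:-172.23.1.2}"   # far end of the tunnel
TABLE="${TABLE:-300}"                    # free iproute2 table number
MARK="0x4/0x4"                           # bit 2 only, other mark bits stay free
PRIO="1000"

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# The four mangle rules, parameterised on -A (add) or -D (delete) so that
# teardown removes exactly the rules setup added, rule for rule.
mangle_rules() {
  run iptables -t mangle "$1" PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle "$1" PREROUTING -i "$WG_IF" -j MARK --set-xmark "$MARK"
  run iptables -t mangle "$1" PREROUTING -i "$WG_IF" -j CONNMARK --save-mark
  run iptables -t mangle "$1" OUTPUT -j CONNMARK --restore-mark
}

policy_down() {
  mangle_rules -D
  run ip rule del from "$LAN_NET" fwmark "$MARK" table "$TABLE" priority "$PRIO"
  run ip route flush table "$TABLE"
}

policy_up() {
  # Remove any previous copy first, so that re-running POST_UP (for example
  # after a firewall reload has wiped the mangle rules) never leaves two
  # copies of the ip rule or stale routes behind.
  policy_down 2>/dev/null
  mangle_rules -A
  run ip route add table "$TABLE" default dev "$WG_IF" via "$WG_PEER_GW"
  run ip rule add from "$LAN_NET" fwmark "$MARK" table "$TABLE" priority "$PRIO"
}

# Ask the kernel how a marked reply from the LAN side to the remote client
# would be routed; the answer must name $WG_IF, not the WAN interface.
policy_check() {
  run ip rule show
  run ip route show table "$TABLE"
  run ip route get 203.0.113.10 from "$LAN_IP" iif "$LAN_IF" mark 0x4
  run iptables -t mangle -L PREROUTING -v -n   # per-rule counters: which rule never matched
}

case "${1:-}" in
  up)    policy_up ;;
  down)  policy_down ;;
  check) policy_check ;;
esac
```

`sh policy.sh check` once the tunnel is up is the test that matters: the `ip route get ... mark 0x4` line asks the routing code how a marked reply from the LAN would leave and should answer with `dev wg0`; if it names the WAN interface, the mark is not being restored on the reply path, and the counters in the `iptables -L -v` listing show which of the four mangle rules never matched. Because `policy_up` removes its own rules before adding them, it is safe to re-run after the firewall reload David warns about.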
From: Michael K. <mic...@ip...> - 2018-10-08 00:38:40
Thanks Lonnie

I have moved to router mode at the customer site and it seems to be working fine. It's using OpenVPN which also doesn't seem to care.

Another advantage is that using bridge mode, there is a risk that the carrier subnet could overlap with the LAN e.g. as it uses the private address space. Double NAT fixes this.

Thanks for your help.

Regards
Michael Knill

On 8/10/18, 10:57 am, "Lonnie Abelbeck" <li...@lo...> wrote:

> Hi Michael, I assume you are talking about running WireGuard VPN over a 4G/LTE network. Like this:
>
> https://doc.astlinux-project.org/userdoc:tt_wan_failover#example4g_lte_modem_failover
>
> I have switched to use "Router Mode" on my Netgear LB1121 some time ago, the Netgear Modem seems more stable using "Router Mode". With the brilliance of WireGuard, the extra (double) NAT made no difference in the VPN tunnel. The wireguard peer IP's appear on the same virtual network, no NAT between wireguard peers.
>
> In all cases the wireguard VPN (as with all other VPN types) sits behind a firewall to EXTIF and EXT2IF, this is the case for the 4G/LTE modem connected AstLinux as well as the cloud based AstLinux acting as the remote VPN endpoint.
>
> The 4G/LTE Modem Failover using WireGuard has been working perfectly for me. Quite simple and robust.
>
> Lonnie
>
>> On Oct 7, 2018, at 6:01 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Pardon my ignorance on the following:
>>
>> Although I have not confirmed, I appear to be having issues with bridge mode with my carrier. I have tried two modem types and it appears to just stop passing traffic after a while.
>> As such, I am considering using router mode but want to know if it is possible to be protected by the firewall without NAT (or PAT actually). Even if I was to actually use NAT e.g. a pool of network addresses rather than PAT e.g. port stays unchanged, then the double NAT issues should not be a problem.
>> Do I even need to bother? I suspect it's not a problem for most traffic types. I will be using a VPN so it shouldn't care.
>>
>> Thanks
>>
>> Regards
>> Michael Knill
From: Lonnie A. <li...@lo...> - 2018-10-07 23:56:56
Hi Michael, I assume you are talking about running WireGuard VPN over a 4G/LTE network. Like this:

https://doc.astlinux-project.org/userdoc:tt_wan_failover#example4g_lte_modem_failover

I have switched to use "Router Mode" on my Netgear LB1121 some time ago, the Netgear Modem seems more stable using "Router Mode". With the brilliance of WireGuard, the extra (double) NAT made no difference in the VPN tunnel. The wireguard peer IP's appear on the same virtual network, no NAT between wireguard peers.

In all cases the wireguard VPN (as with all other VPN types) sits behind a firewall to EXTIF and EXT2IF, this is the case for the 4G/LTE modem connected AstLinux as well as the cloud based AstLinux acting as the remote VPN endpoint.

The 4G/LTE Modem Failover using WireGuard has been working perfectly for me. Quite simple and robust.

Lonnie

> On Oct 7, 2018, at 6:01 PM, Michael Knill <mic...@ip...> wrote:
>
> Pardon my ignorance on the following:
>
> Although I have not confirmed, I appear to be having issues with bridge mode with my carrier. I have tried two modem types and it appears to just stop passing traffic after a while.
> As such, I am considering using router mode but want to know if it is possible to be protected by the firewall without NAT (or PAT actually). Even if I was to actually use NAT e.g. a pool of network addresses rather than PAT e.g. port stays unchanged, then the double NAT issues should not be a problem.
> Do I even need to bother? I suspect it's not a problem for most traffic types. I will be using a VPN so it shouldn't care.
>
> Thanks
>
> Regards
> Michael Knill
From: Michael K. <mic...@ip...> - 2018-10-07 23:01:37
Pardon my ignorance on the following:

Although I have not confirmed, I appear to be having issues with bridge mode with my carrier. I have tried two modem types and it appears to just stop passing traffic after a while.

As such, I am considering using router mode but want to know if it is possible to be protected by the firewall without NAT (or PAT actually). Even if I was to actually use NAT e.g. a pool of network addresses rather than PAT e.g. port stays unchanged, then the double NAT issues should not be a problem.

Do I even need to bother? I suspect it's not a problem for most traffic types. I will be using a VPN so it shouldn't care.

Thanks

Regards
Michael Knill
From: Michael K. <mic...@ip...> - 2018-10-07 22:50:05
Ah good point. I didn't think about connectivity between VPNs. Thanks.

Regards
Michael Knill

On 8/10/18, 6:09 am, "Lonnie Abelbeck" <li...@lo...> wrote:

>> On Oct 6, 2018, at 9:37 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Ah of course. Basic routing really. Stupid me.
>> I guess I could SSH tunnel through an SSH tunnel or just SSH tunnel to the web interface.
>>
>> Ah actually I have a better idea. I will set up a VPN from my PC to PBX1 so I can access it directly. Problem solved!
>
> PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
>
> Alternatively, using SSH as a SOCKS proxy via PBX1 to the PBX2 over wireguard for HTTPS access.
>
> But using a VPN from the PC may be simpler, which brings up a general question ...
>
> Can I mix OpenVPN and WireGuard VPN's in AstLinux ?
>
> The answer is "yes", but it deserves an example.
>
>     PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
>
>     PBX1 OpenVPN Server: 10.8.0.0/255.255.255.0
>     PBX1 OpenVPN Server: "push" route 10.4.0.0 255.255.255.0
>     PBX1 WireGuard VPN: 10.4.0.1/255.255.255.0
>     PBX1 WireGuard VPN: (peer) AllowedIPs = 10.4.0.2/32
>     PBX2 WireGuard VPN: 10.4.0.2/255.255.255.0
>     PBX2 WireGuard VPN: (peer) AllowedIPs = 10.4.0.1/32, 10.8.0.0/24
>
> This is almost all it takes, except the PBX1 firewall treats both openvpn and wireguard as LAN subnets, which are isolated from each other by default. This can be allowed by adding a little custom rule code on the PBX1 box ...
>
> -- /mnt/kd/arno-iptables-firewall/custom-rules --
>
>     allow_wireguard_openvpn() {
>       if [ -n "$WIREGUARD_IP" -a -n "$OVPN_SERVER" ]; then
>         echo "[CUSTOM RULE] Allowing WireGuard VPN to/from OpenVPN Server"
>         # add the tun/wg interface pair to the firewall's trusted-interface pairs
>         IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}${OVPN_DEV:-tun+} ${WIREGUARD_IF:-wg0}"
>       fi
>     }
>     allow_wireguard_openvpn
>
> --
>
> This will allow packets to be forwarded between the typical tun0 and wg0 interfaces on PBX1. You can disable by commenting out the "allow_wireguard_openvpn" line.
>
> I tested this, starting on my macOS box using OpenVPN to connect to the PBX1 OpenVPN server and accessing the PBX2 web interface at 10.4.0.2 via macOS. It works.
>
> Lonnie
From: Lonnie A. <li...@lo...> - 2018-10-07 19:08:40
> On Oct 6, 2018, at 9:37 PM, Michael Knill <mic...@ip...> wrote:
>
> Ah of course. Basic routing really. Stupid me.
> I guess I could SSH tunnel through an SSH tunnel or just SSH tunnel to the web interface.
>
> Ah actually I have a better idea. I will set up a VPN from my PC to PBX1 so I can access it directly. Problem solved!

PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2

Alternatively, using SSH as a SOCKS proxy via PBX1 to the PBX2 over wireguard for HTTPS access.

But using a VPN from the PC may be simpler, which brings up a general question ...

Can I mix OpenVPN and WireGuard VPN's in AstLinux ?

The answer is "yes", but it deserves an example.

    PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2

    PBX1 OpenVPN Server: 10.8.0.0/255.255.255.0
    PBX1 OpenVPN Server: "push" route 10.4.0.0 255.255.255.0
    PBX1 WireGuard VPN: 10.4.0.1/255.255.255.0
    PBX1 WireGuard VPN: (peer) AllowedIPs = 10.4.0.2/32
    PBX2 WireGuard VPN: 10.4.0.2/255.255.255.0
    PBX2 WireGuard VPN: (peer) AllowedIPs = 10.4.0.1/32, 10.8.0.0/24

This is almost all it takes, except the PBX1 firewall treats both openvpn and wireguard as LAN subnets, which are isolated from each other by default. This can be allowed by adding a little custom rule code on the PBX1 box ...

-- /mnt/kd/arno-iptables-firewall/custom-rules --

    allow_wireguard_openvpn() {
      if [ -n "$WIREGUARD_IP" -a -n "$OVPN_SERVER" ]; then
        echo "[CUSTOM RULE] Allowing WireGuard VPN to/from OpenVPN Server"
        # add the tun/wg interface pair to the firewall's trusted-interface pairs
        IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}${OVPN_DEV:-tun+} ${WIREGUARD_IF:-wg0}"
      fi
    }
    allow_wireguard_openvpn

--

This will allow packets to be forwarded between the typical tun0 and wg0 interfaces on PBX1. You can disable by commenting out the "allow_wireguard_openvpn" line.

I tested this, starting on my macOS box using OpenVPN to connect to the PBX1 OpenVPN server and accessing the PBX2 web interface at 10.4.0.2 via macOS. It works.

Lonnie
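Added example, not from the thread or from the WireGuard or AstLinux projects: the AllowedIPs lines above are where this setup usually fails, because WireGuard's cryptokey routing drops an inbound packet whose source address is not listed in the sending peer's AllowedIPs, so PBX2 must list 10.8.0.0/24 for the PBX1 peer or OpenVPN clients never get a reply. The POSIX sh check below parses the text of `wg show wg0 allowed-ips` (assumed format: one line per peer, public key, a tab, then space-separated prefixes) and tests whether a wanted prefix is contained in one of them. The sample lines and the peer key are constructed placeholders, not real keys or output.

```shell
#!/bin/sh
# Added example, not from the thread or the WireGuard/AstLinux projects.
# Checks that a WireGuard peer's AllowedIPs covers a prefix you need to reach
# it from (here the OpenVPN client subnet): cryptokey routing silently drops
# inbound packets whose source is not in the sending peer's AllowedIPs.
# Input is the text of `wg show <if> allowed-ips`, assumed to be one line per
# peer: public key, a tab, then space-separated prefixes.

ip2int() {
  # dotted quad -> unsigned 32-bit integer
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_covers() {
  # prefix_covers OUTER INNER -> 0 when every address of INNER lies inside OUTER;
  # a bare address is treated as /32
  outer=$1; inner=$2
  case $outer in */*) ;; *) outer="$outer/32" ;; esac
  case $inner in */*) ;; *) inner="$inner/32" ;; esac
  outer_len=${outer#*/}; inner_len=${inner#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  mask=$(( (0xffffffff << (32 - outer_len)) & 0xffffffff ))
  [ $(( $(ip2int "${outer%/*}") & mask )) -eq $(( $(ip2int "${inner%/*}") & mask )) ]
}

peer_allows() {
  # peer_allows PEER_KEY PREFIX   (reads `wg show ... allowed-ips` text on stdin)
  # -> 0 when some AllowedIPs entry of PEER_KEY covers PREFIX
  want_key=$1; want=$2; tab=$(printf '\t'); oldifs=$IFS
  while IFS=$tab read -r key prefixes; do
    [ "$key" = "$want_key" ] || continue
    IFS=' '; set -- $prefixes; IFS=$oldifs
    for p in "$@"; do
      prefix_covers "$p" "$want" && return 0
    done
  done
  return 1
}

# Constructed sample: PBX2's view of the PBX1 peer before and after Lonnie's
# AllowedIPs change. The key is a placeholder, not a real WireGuard public key.
PBX1_KEY='PBX1PUBKEYPLACEHOLDER='
PBX2_BEFORE=$(printf '%s\t10.4.0.1/32' "$PBX1_KEY")
PBX2_AFTER=$(printf '%s\t10.4.0.1/32 10.8.0.0/24' "$PBX1_KEY")

report() {
  # report LABEL ALLOWED_IPS_TEXT PEER_KEY PREFIX -> prints the verdict
  if printf '%s\n' "$2" | peer_allows "$3" "$4"; then
    echo "$1: $4 is covered, packets from it are accepted and replies enter the tunnel"
  else
    echo "$1: $4 is NOT in AllowedIPs for this peer, WireGuard will drop it"
  fi
}

report "before" "$PBX2_BEFORE" "$PBX1_KEY" 10.8.0.0/24
report "after"  "$PBX2_AFTER"  "$PBX1_KEY" 10.8.0.0/24
# On a live PBX2: wg show wg0 allowed-ips | peer_allows '<pbx1 public key>' 10.8.0.0/24
```

The containment test is the point: a /32 for a single OpenVPN client address is accepted by a /24 entry, while a wider prefix than the one listed, or any address under a different peer's key, is reported as dropped. The same check applied on PBX1 (is 10.4.0.2/32 listed for the PBX2 peer?) covers the return direction.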
From: Michael K. <mic...@ip...> - 2018-10-07 02:38:04
Ah of course. Basic routing really. Stupid me.
I guess I could SSH tunnel through an SSH tunnel or just SSH tunnel to the web interface.

Ah actually I have a better idea. I will set up a VPN from my PC to PBX1 so I can access it directly. Problem solved!

Thanks for that.

Regards
Michael Knill

On 7/10/18, 10:55 am, "Lonnie Abelbeck" <li...@lo...> wrote:

> Yes, it all comes down to the routing at PBX2.
>
> Consider this ... the PC has IP 1.2.3.4, so the NAT forward will have a SRC address of 1.2.3.4 when received by 172.29.253.2 on PBX2. If the routing on PBX2 routes 1.2.3.4 back through the wireguard tunnel then it will work as you want. On the other hand if PBX2 routes 1.2.3.4 over its EXT interface then it will not work as you want.
>
> Probably the most elegant solution for routing on PBX2 is "policy routing" using "ip rule ..." where traffic through the wireguard tunnel could have a "fwmark" and add routing rules based on whether the packet traversed the wireguard tunnel. I have only played with this ... all the hooks are currently available using /mnt/kd/wireguard.script
>
> https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#optional_action_script
>
> but if you are not familiar with policy-based routing in Linux, this takes some research to get a handle on.
>
> Alternatively, if your public PCs are always off a known subnet, you could add a static destination route on PBX2 to your PCs via the wireguard tunnel.
>
> Lonnie
>
>> On Oct 6, 2018, at 6:11 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Sorry Lonnie I am a little confused.
>> The setup is as follows:
>>
>> PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
>>
>> I can ping the private Wireguard PBX2 address (172.29.253.2) from PBX1 (172.29.253.2)
>> So I want to NAT PBX1 EXTIF on a particular port to PBX2 WG IP 172.29.253.2.
>> I have set up the NAT_FOREIGN_NETWORK for the entire private address space.
>>
>> Thanks
>>
>> Regards
>> Michael Knill
>>
>> On 7/10/18, 12:01 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>>> On Oct 5, 2018, at 10:29 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi Group
>>>
>>> I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
>>> It does not seem to work with NAT EXT -> LAN.
>>> If not, is there a custom rule I can try?
>>>
>>> Basically I want to SSH to the VPN endpoint directly, via the transit DR server.
>>>
>>> Thanks so much.
>>
>> Hi Michael, short answer is yes, but depending on the routing.
>>
>> Start with a diagram ...
>>
>> public_1 -- pbx1 [ wg_1_ip ] -- wireguard -- [ wg_2_ip ] pbx2 -- public_2
>>
>> My understanding is you want to SSH to wg_1_ip using public_2 ? Correct me if I misunderstood.
>>
>> Yes, a "NAT EXT -> LAN" on public_2 to wg_1_ip will work *only if* the SSH return path at pbx1 goes through the wireguard vpn.
>>
>> I have personally tried this when pbx1 was on failover using wireguard over LTE/4G, as such all pbx1 traffic was routed over wireguard, as such a "NAT EXT -> LAN" on public_2 to wg_1_ip worked since the SSH return packets passed over wireguard to pbx2.
>>
>> Tip -> Similar, but if a "NAT EXT -> LAN" on public_2 to a LAN IP on pbx1 you would need to set NAT_FOREIGN_NETWORK on pbx2 of the pbx1 LAN so it is NAT'ed on pbx2.
>>
>> Lonnie
From: Lonnie A. <li...@lo...> - 2018-10-06 23:54:54
Yes, it all comes down to the routing at PBX2.

Consider this ... the PC has IP 1.2.3.4, so the NAT forward will have a SRC address of 1.2.3.4 when received by 172.29.253.2 on PBX2. If the routing on PBX2 routes 1.2.3.4 back through the wireguard tunnel then it will work as you want. On the other hand if PBX2 routes 1.2.3.4 over its EXT interface then it will not work as you want.

Probably the most elegant solution for routing on PBX2 is "policy routing" using "ip rule ..." where traffic through the wireguard tunnel could have a "fwmark" and add routing rules based on whether the packet traversed the wireguard tunnel. I have only played with this ... all the hooks are currently available using /mnt/kd/wireguard.script

https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#optional_action_script

but if you are not familiar with policy-based routing in Linux, this takes some research to get a handle on.

Alternatively, if your public PCs are always off a known subnet, you could add a static destination route on PBX2 to your PCs via the wireguard tunnel.

Lonnie

> On Oct 6, 2018, at 6:11 PM, Michael Knill <mic...@ip...> wrote:
>
> Sorry Lonnie I am a little confused.
> The setup is as follows:
>
> PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
>
> I can ping the private Wireguard PBX2 address (172.29.253.2) from PBX1 (172.29.253.2)
> So I want to NAT PBX1 EXTIF on a particular port to PBX2 WG IP 172.29.253.2.
> I have set up the NAT_FOREIGN_NETWORK for the entire private address space.
>
> Thanks
>
> Regards
> Michael Knill
>
> On 7/10/18, 12:01 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
>> On Oct 5, 2018, at 10:29 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi Group
>>
>> I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
>> It does not seem to work with NAT EXT -> LAN.
>> If not, is there a custom rule I can try?
>>
>> Basically I want to SSH to the VPN endpoint directly, via the transit DR server.
>>
>> Thanks so much.
>
> Hi Michael, short answer is yes, but depending on the routing.
>
> Start with a diagram ...
>
> public_1 -- pbx1 [ wg_1_ip ] -- wireguard -- [ wg_2_ip ] pbx2 -- public_2
>
> My understanding is you want to SSH to wg_1_ip using public_2 ? Correct me if I misunderstood.
>
> Yes, a "NAT EXT -> LAN" on public_2 to wg_1_ip will work *only if* the SSH return path at pbx1 goes through the wireguard vpn.
>
> I have personally tried this when pbx1 was on failover using wireguard over LTE/4G, as such all pbx1 traffic was routed over wireguard, as such a "NAT EXT -> LAN" on public_2 to wg_1_ip worked since the SSH return packets passed over wireguard to pbx2.
>
> Tip -> Similar, but if a "NAT EXT -> LAN" on public_2 to a LAN IP on pbx1 you would need to set NAT_FOREIGN_NETWORK on pbx2 of the pbx1 LAN so it is NAT'ed on pbx2.
>
> Lonnie
From: Michael K. <mic...@ip...> - 2018-10-06 23:11:32
Sorry Lonnie I am a little confused.
The setup is as follows:

PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2

I can ping the private Wireguard PBX2 address (172.29.253.2) from PBX1 (172.29.253.2)
So I want to NAT PBX1 EXTIF on a particular port to PBX2 WG IP 172.29.253.2.
I have set up the NAT_FOREIGN_NETWORK for the entire private address space.

Thanks

Regards
Michael Knill

On 7/10/18, 12:01 am, "Lonnie Abelbeck" <li...@lo...> wrote:

>> On Oct 5, 2018, at 10:29 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi Group
>>
>> I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
>> It does not seem to work with NAT EXT -> LAN.
>> If not, is there a custom rule I can try?
>>
>> Basically I want to SSH to the VPN endpoint directly, via the transit DR server.
>>
>> Thanks so much.
>
> Hi Michael, short answer is yes, but depending on the routing.
>
> Start with a diagram ...
>
> public_1 -- pbx1 [ wg_1_ip ] -- wireguard -- [ wg_2_ip ] pbx2 -- public_2
>
> My understanding is you want to SSH to wg_1_ip using public_2 ? Correct me if I misunderstood.
>
> Yes, a "NAT EXT -> LAN" on public_2 to wg_1_ip will work *only if* the SSH return path at pbx1 goes through the wireguard vpn.
>
> I have personally tried this when pbx1 was on failover using wireguard over LTE/4G, as such all pbx1 traffic was routed over wireguard, as such a "NAT EXT -> LAN" on public_2 to wg_1_ip worked since the SSH return packets passed over wireguard to pbx2.
>
> Tip -> Similar, but if a "NAT EXT -> LAN" on public_2 to a LAN IP on pbx1 you would need to set NAT_FOREIGN_NETWORK on pbx2 of the pbx1 LAN so it is NAT'ed on pbx2.
>
> Lonnie
From: Lonnie A. <li...@lo...> - 2018-10-06 19:20:36
Announcing AstLinux Release: 1.3.4

More Info: AstLinux Project
https://www.astlinux-project.org/

AstLinux 1.3.4 Highlights:

* Asterisk Versions: 11.25.3, 13.23.1
* Upgrade to Linux Kernel 3.16.57, including the RUNNIX bootloader, security and bug fixes
* genx86_64-vm board type, add support for virtio-blk as a bootable disk driver, also added to RUNNIX
* genx86_64-vm board type, add support for QEMU Guest Agent "qemu-ga"
* rng-tools, new package, Random Number Generator daemon "rngd", enabled by default
* keepalived, new package, VRRP High Availability daemon "keepalived"
* msmtpd, added SMTP localhost daemon to forward 127.0.0.1:25 to "sendmail", enabled by default
* WireGuard VPN, latest development snapshots during its incorporation into the Linux Kernel
* Package upgrades providing important security and bug fixes

Full ChangeLog:
https://raw.githubusercontent.com/astlinux-project/astlinux/1.3.4/docs/ChangeLog.txt

All users are encouraged to upgrade.

AstLinux Team
From: Lonnie A. <li...@lo...> - 2018-10-06 14:01:07
> On Oct 5, 2018, at 10:29 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
> It does not seem to work with NAT EXT -> LAN.
> If not, is there a custom rule I can try?
>
> Basically I want to SSH to the VPN endpoint directly, via the transit DR server.
>
> Thanks so much.

Hi Michael, short answer is yes, but depending on the routing.

Start with a diagram ...

public_1 -- pbx1 [ wg_1_ip ] -- wireguard -- [ wg_2_ip ] pbx2 -- public_2

My understanding is you want to SSH to wg_1_ip using public_2 ? Correct me if I misunderstood.

Yes, a "NAT EXT -> LAN" on public_2 to wg_1_ip will work *only if* the SSH return path at pbx1 goes through the wireguard vpn.

I have personally tried this when pbx1 was on failover using wireguard over LTE/4G, as such all pbx1 traffic was routed over wireguard, as such a "NAT EXT -> LAN" on public_2 to wg_1_ip worked since the SSH return packets passed over wireguard to pbx2.

Tip -> Similar, but if a "NAT EXT -> LAN" on public_2 to a LAN IP on pbx1 you would need to set NAT_FOREIGN_NETWORK on pbx2 of the pbx1 LAN so it is NAT'ed on pbx2.

Lonnie
From: Michael K. <mic...@ip...> - 2018-10-06 03:29:28
Hi Group

I'm wanting to set up a NAT rule from NAT EXT to a Wireguard VPN endpoint. Is this possible?
It does not seem to work with NAT EXT -> LAN.
If not, is there a custom rule I can try?

Basically I want to SSH to the VPN endpoint directly, via the transit DR server.

Thanks so much.

Regards
Michael Knill
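The rule set Lonnie's reply describes, written out as plain iptables commands, added here as an example; it is not code from the list thread or from the AstLinux project (AstLinux drives its firewall from rc.conf settings such as NAT_FOREIGN_NETWORK rather than from hand-written iptables). It forwards one external TCP port on the NAT box to a peer's WireGuard address and then SNATs that flow to the NAT box's own tunnel address, so the peer's replies are routed back into the tunnel even when the peer's default route points elsewhere, which is the "return path" condition Lonnie's "only if" refers to. All interface names, addresses and ports are assumptions; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the list or the AstLinux project: forward one
# external TCP port to a WireGuard peer and force the return path through
# the tunnel. Interface names, addresses and ports are assumptions.

# nat_to_wg_rules EXTIF EXTPORT WGIF WGLOCAL WGPEER DSTPORT
#   EXTIF    external interface on the NAT box          (e.g. eth0)
#   EXTPORT  external TCP port being forwarded          (e.g. 2222)
#   WGIF     WireGuard interface on the NAT box         (e.g. wg0)
#   WGLOCAL  the NAT box's own tunnel address           (e.g. 172.29.253.1)
#   WGPEER   the peer's tunnel address, the real target (e.g. 172.29.253.2)
#   DSTPORT  TCP port on the peer                       (e.g. 22)
# Prints one iptables command per line; nothing is executed here.
nat_to_wg_rules() {
  extif=$1 extport=$2 wgif=$3 wglocal=$4 wgpeer=$5 dstport=$6
  # 1. DNAT: rewrite the destination to the peer's tunnel address.
  echo "iptables -t nat -A PREROUTING -i $extif -p tcp --dport $extport -j DNAT --to-destination $wgpeer:$dstport"
  # 2. FORWARD: admit only this flow (and its replies), nothing wider.
  echo "iptables -A FORWARD -i $extif -o $wgif -p tcp -d $wgpeer --dport $dstport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  echo "iptables -A FORWARD -i $wgif -o $extif -p tcp -s $wgpeer --sport $dstport -m conntrack --ctstate ESTABLISHED -j ACCEPT"
  # 3. SNAT: the peer sees the connection as coming from our tunnel address,
  #    so its reply is routed into the tunnel regardless of its default route.
  #    Without this the reply leaves via the peer's public link and the
  #    connection never completes (the thread's "return path" caveat).
  echo "iptables -t nat -A POSTROUTING -o $wgif -p tcp -d $wgpeer --dport $dstport -j SNAT --to-source $wglocal"
}

# Number of rules one forward needs (a self-check for the caller).
nat_to_wg_rule_count() {
  nat_to_wg_rules "$@" | wc -l | tr -d ' '
}

# Apply the rules. DRY_RUN=1 (the default) only prints them, so this file
# is safe to source on a workstation; DRY_RUN=0 runs each command.
nat_to_wg_apply() {
  nat_to_wg_rules "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "$cmd"
    else
      sh -c "$cmd"
    fi
  done
}

# Example invocation (addresses are assumptions, PBX1 = NAT box, PBX2 = peer):
#   DRY_RUN=0 nat_to_wg_apply eth0 2222 wg0 172.29.253.1 172.29.253.2 22
```

Applying the same idea to Lonnie's tip about a LAN address on pbx1: the SNAT line is what NAT_FOREIGN_NETWORK on pbx2 achieves for the pbx1 LAN, so whichever way the rules are expressed, the forwarded flow must appear to originate from the tunnel side.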
From: nedi <ne...@gm...> - 2018-10-04 08:54:56
Hi

I get this message on my log,

local0.err asterisk[22023]: ERROR[22023]: netsock2.c:269 in ast_sockaddr_resolve: getaddrinfo(„mypbx", "(null)", ...): Name or service not known
WARNING[27685]: pbx_dundi.c:4652 in set_config: Unable to look up host ‚mypbx'

Can I ignore this or should I change this in my network settings? As I wrote last time, I have an issue with "rejected" after my internet provider made a firmware update and my modem rebooted. In my network settings I have "mypbx" under domain and host, and local domain is activated.

To avoid "rejected" I am now testing this script. Can anyone with more experience look at this script? Can I run it every minute for a long time without being afraid of damaging the CF card or overloading the log of my PBX?

Thanks.

Script:

    #!/bin/bash -x

    DIR=/tmp/watchdog

    # Create dir if it doesn't exist
    if [ ! -d $DIR ]; then
      mkdir $DIR
    fi
    cd $DIR || exit 1

    # Save current registration times
    /usr/sbin/asterisk -rx "sip show registry" | grep "Registered" | cut -b 92- > current

    # If last exists, compare current to last (-s: only the exit status matters)
    if [ -f last ]; then
      cmp -s current last
      # If they match, the registration times have not moved: restart Asterisk
      if [ $? -eq 0 ]; then
        /etc/init.d/asterisk restart
      fi
    fi

    rm -f last
    mv current last

Regards
Nedi
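A stricter form of the check nedi's script performs, added here as an example; it is not nedi's script and not AstLinux code. It parses "sip show registry" by field instead of by byte offset, ignores an empty snapshot (Asterisk not answering yet should never trigger a restart), and only restarts once the Reg.Time column has stayed unchanged for longer than twice the longest Refresh interval, since a registration that is only refreshed every few minutes legitimately shows the same Reg.Time on consecutive one-minute runs. State is kept in files under a directory the caller chooses (nedi's script uses /tmp/watchdog). The column layout, the sample output and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not nedi's script and not AstLinux code: a SIP registration
# watchdog that only restarts after a registration has really stalled.
# The "sip show registry" column layout below is an assumption (chan_sip style).

# Constructed sample output of: asterisk -rx "sip show registry"
SAMPLE_T0='Host                                    dnsmgr Username       Refresh State                Reg.Time
sip.provider.example:5060               N      100123              105 Registered           Thu, 04 Oct 2018 10:15:22
sip.backup.example:5060                 N      100456              600 Registered           Thu, 04 Oct 2018 10:10:02
2 SIP registrations.'

# Same box a little later: the first registration has been refreshed.
SAMPLE_T1='Host                                    dnsmgr Username       Refresh State                Reg.Time
sip.provider.example:5060               N      100123              105 Registered           Thu, 04 Oct 2018 10:17:07
sip.backup.example:5060                 N      100456              600 Registered           Thu, 04 Oct 2018 10:10:02
2 SIP registrations.'

# registry_snapshot: stdin = "sip show registry" output,
# stdout = "host refresh reg_time" for every Registered entry.
# Reg.Time is the last five whitespace fields ("Thu, 04 Oct 2018 10:15:22").
registry_snapshot() {
  awk '$5 == "Registered" && NF >= 10 {
         printf "%s %s", $1, $4
         for (i = NF - 4; i <= NF; i++) printf " %s", $i
         printf "\n"
       }'
}

# max_refresh SNAPSHOT: largest Refresh value (seconds) in a snapshot, 0 if none
max_refresh() {
  printf '%s\n' "$1" | awk 'NF { if ($2 + 0 > m) m = $2 + 0 } END { print m + 0 }'
}

# registry_stalled PREV CUR: true only when both are non-empty and identical
registry_stalled() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# watchdog_tick DIR SNAPSHOT NOW
#   DIR       state directory (use RAM-backed storage such as /tmp on a CF card)
#   SNAPSHOT  current output of registry_snapshot
#   NOW       current epoch seconds
# Returns 0 when Asterisk should be restarted, 1 otherwise.
watchdog_tick() {
  dir=$1 cur=$2 now=$3
  mkdir -p "$dir"
  prev=""
  since=$now
  [ -f "$dir/last" ] && prev=$(cat "$dir/last")
  [ -f "$dir/since" ] && since=$(cat "$dir/since")
  if registry_stalled "$prev" "$cur"; then
    # Reg.Time may legitimately stay the same for one Refresh interval,
    # so require it to be stuck for more than twice the longest one.
    limit=$(( $(max_refresh "$cur") * 2 ))
    if [ $(( now - since )) -gt "$limit" ]; then
      # reset the timer so one stall produces one restart, not one per run
      printf '%s\n' "$now" > "$dir/since"
      return 0
    fi
  else
    # changed (or empty): start timing from now
    printf '%s\n' "$now" > "$dir/since"
  fi
  printf '%s\n' "$cur" > "$dir/last"
  return 1
}

# Real use from cron, once a minute (paths are assumptions):
#   snap=$(/usr/sbin/asterisk -rx "sip show registry" | registry_snapshot)
#   watchdog_tick /tmp/watchdog "$snap" "$(date +%s)" && /etc/init.d/asterisk restart
```

The only files written per run are two small state files, so the write volume is negligible even on flash; nothing is logged unless the restart itself happens.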
From: Michael K. <mic...@ip...> - 2018-10-02 20:29:28
Hi Lonnie

I guess I wanted to highlight the gotcha that if you are using PPPoE, any ip route commands will fail in the wan-failover.script when it is down.

For example, my script initially was used to force my provider out the Primary interface only so it would be UNREACHABLE and the backup trunk was used:

--------------------
state="$1"
primary_if="$2"
primary_gw="$3"
secondary_if="$4"
secondary_gw="$5"
secondary_gw_ipv6="$6"

primary_only_routes="125.213.160.0/22"

case $state in
  SECONDARY)
    ## Switched to Failover using secondary WAN link
    for x in $primary_only_routes; do
      ip route add $x ${primary_gw:+via $primary_gw} dev $primary_if
    done
    ;;
  PRIMARY)
    ## Switched back to normal using primary WAN link
    for x in $primary_only_routes; do
      ip route delete $x ${primary_gw:+via $primary_gw} dev $primary_if
    done
    ;;
esac

exit 0
--------------------

But as ppp0 no longer existed during failure, the ip route command failed and the trunk did not become UNREACHABLE.

I will just blackhole my route instead.

Regards
Michael Knill

On 3/10/18, 12:08 am, "Lonnie Abelbeck" <li...@lo...> wrote:

> On Oct 1, 2018, at 10:38 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi all
>
> Just a bit of a problem I would like to highlight with the Wan Failover script.
> The passed interface parameters assume a fixed interface rather than a dynamic one e.g. ppp0 so it fails.
>
> So when the primary has failed:
> wan-failover.script SECONDARY ppp0 115.187.183.76 eth2 10.101.194.1
> Cannot find device "ppp0"
>
> I assume the only option is to override the passed parameters in the script?

What do you mean by "ppp0 so it fails" ?

Looking at the wan-failover script, the /mnt/kd/wan-failover.script is called via...
--
$SCRIPTFILE "$SECONDARY_STR" "$EXTIF" "$PRIMARY_GW" "$EXT2IF" "$SECONDARY_GW" "$SECONDARY_GWIPV6"
--

The "$EXTIF" implies your system is setup with the external interface using PPPoE. If "$EXTIF" = "ppp0" you may want "$PPPOEIF" to use the associated ethernet interface.

Lonnie
From: Lonnie A. <li...@lo...> - 2018-10-02 14:23:00
Announcing Pre-Release Version: astlinux-1.3-3915-85f590

If there are no issues, this version will be tagged as AstLinux 1.3.4 .

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- Linux Kernel 3.16.57, security and bug fixes.

-- genx86_64-vm board type, add support for virtio-blk as a bootable disk driver, also added to RUNNIX. Tested via Proxmox and Vultr (hosted).

-- genx86_64-vm board type, add support for QEMU Guest Agent (qemu-ga 2.12.0).

-- rng-tools, new package, version 6.5, Random Number Generator (RNG) daemon
   Enabled by default to increase the available entropy for the kernel's "random" sources. Uses one of 3 sources, in order:
   1) /dev/hwrng (typically via virtio-rng for the genx86_64-vm board type)
   2) Intel RDRAND instruction on supported CPU's
   3) jitterentropy, Hardware RNG based on CPU timing jitter

-- keepalived, new package, version 2.0.7, VRRP High Availability daemon

-- msmtpd (msmtp 1.8.0), added SMTP localhost daemon to forward 127.0.0.1:25 to "sendmail", enabled by default.

-- Asterisk 13 version bump to 13.23.1

New Documentation Topics:

VRRP High Availability Daemon (keepalived)
-- https://doc.astlinux-project.org/userdoc:tt_high_availability

Qotom Q530G6 Core i3-6100U Fanless Appliance
-- https://doc.astlinux-project.org/userdoc:board_qotom_q530g6

Linode KVM
-- https://doc.astlinux-project.org/userdoc:hosted_guest_vm_linode

Vultr KVM
-- https://doc.astlinux-project.org/userdoc:hosted_guest_vm_vultr

Updated Documentation Topics:

WAN Failover
-- https://doc.astlinux-project.org/userdoc:tt_wan_failover#example4g_lte_modem_failover

Tarsnap Online Backup
-- https://doc.astlinux-project.org/userdoc:tt_tarsnap_online_backup#restore_to_a_new_install

The "AstLinux Pre-Release ChangeLog" and "Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
https://www.astlinux-project.org/dev.html

AstLinux Team
From: Lonnie A. <li...@lo...> - 2018-10-02 14:08:06
> On Oct 1, 2018, at 10:38 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi all
>
> Just a bit of a problem I would like to highlight with the Wan Failover script.
> The passed interface parameters assume a fixed interface rather than a dynamic one e.g. ppp0 so it fails.
>
> So when the primary has failed:
> wan-failover.script SECONDARY ppp0 115.187.183.76 eth2 10.101.194.1
> Cannot find device "ppp0"
>
> I assume the only option is to override the passed parameters in the script?

What do you mean by "ppp0 so it fails" ?

Looking at the wan-failover script, the /mnt/kd/wan-failover.script is called via...
--
$SCRIPTFILE "$SECONDARY_STR" "$EXTIF" "$PRIMARY_GW" "$EXT2IF" "$SECONDARY_GW" "$SECONDARY_GWIPV6"
--

The "$EXTIF" implies your system is setup with the external interface using PPPoE. If "$EXTIF" = "ppp0" you may want "$PPPOEIF" to use the associated ethernet interface.

Lonnie
From: Michael K. <mic...@ip...> - 2018-10-02 03:39:15
Hi all

Just a bit of a problem I would like to highlight with the Wan Failover script.
The passed interface parameters assume a fixed interface rather than a dynamic one e.g. ppp0 so it fails.

So when the primary has failed:
wan-failover.script SECONDARY ppp0 115.187.183.76 eth2 10.101.194.1
Cannot find device "ppp0"

I assume the only option is to override the passed parameters in the script?

Regards
Michael Knill
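A wan-failover.script hook that handles the case this thread ends on, added here as an example; it is neither Michael's script nor the AstLinux project's own code. On SECONDARY it pins the "primary only" prefixes to the primary link while that interface still exists and blackholes them once the interface is gone (as ppp0 is while PPPoE is down), so the provider is UNREACHABLE rather than silently reached through the secondary link; on PRIMARY it removes whichever form was installed. The interface lookup directory and the ip command are overridable so the decision logic can be exercised without root; the prefix and interface names in the comments are the ones from the thread and are otherwise assumptions.

```shell
#!/bin/sh
# Added example, not Michael's script and not AstLinux's own code: a
# wan-failover.script hook that blackholes "primary only" prefixes when the
# primary interface has disappeared instead of letting "ip route add" fail.

# NETDIR and IPCMD exist so the logic can be exercised without root:
#   NETDIR  where interfaces are looked up (default /sys/class/net)
#   IPCMD   the "ip" command to run (default ip); "echo ip" makes a dry run
NETDIR=${NETDIR:-/sys/class/net}
IPCMD=${IPCMD:-ip}

# iface_exists IF: true if the kernel currently has the interface
iface_exists() {
  [ -n "$1" ] && [ -d "$NETDIR/$1" ]
}

# route_cmd STATE PREFIX PRIMARY_IF PRIMARY_GW
# Prints the "ip" arguments for one prefix; fails for an unknown state.
route_cmd() {
  state=$1 prefix=$2 pif=$3 pgw=$4
  case $state in
    SECONDARY)
      if iface_exists "$pif"; then
        # primary link is still present (e.g. a fixed ethN): keep the prefix on it
        echo "route add $prefix ${pgw:+via $pgw} dev $pif"
      else
        # primary link is gone (e.g. ppp0 torn down): refuse to route the
        # prefix at all, so the trunk goes UNREACHABLE and the backup is used
        echo "route add blackhole $prefix"
      fi
      ;;
    PRIMARY)
      # removes either the pinned route or the blackhole, whichever exists
      echo "route del $prefix"
      ;;
    *)
      return 1
      ;;
  esac
}

# failover_hook STATE PRIMARY_IF PRIMARY_GW PREFIX...
# Runs route_cmd for every prefix; returns 1 if any ip command failed.
failover_hook() {
  state=$1 pif=$2 pgw=$3
  shift 3
  rc=0
  for prefix in "$@"; do
    cmd=$(route_cmd "$state" "$prefix" "$pif" "$pgw") || continue
    # word splitting of $cmd is intended: it holds the ip arguments
    $IPCMD $cmd || rc=1
  done
  return $rc
}

# AstLinux calls /mnt/kd/wan-failover.script as (from the thread):
#   STATE PRIMARY_IF PRIMARY_GW SECONDARY_IF SECONDARY_GW [SECONDARY_GW_IPV6]
# To use this file as the real hook, uncomment the next line:
# failover_hook "$1" "$2" "$3" 125.213.160.0/22; exit 0
```

Because the blackhole is installed only when the interface is absent, a fixed primary interface such as eth2 keeps the original behaviour of the script in the thread.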
From: Michael K. <mic...@ip...> - 2018-09-30 23:08:33
Cool that fixed it. Thanks Michael
I have no idea why everything else worked fine?

Regards
Michael Knill

On 30/9/18, 7:46 pm, "Michael Keuter" <li...@mk...> wrote:

> Am 30.09.2018 um 08:31 schrieb Michael Knill <mic...@ip...>:
>
> Hmm strange
>
> I have this and it still uses 3999 as the from user. Note this is a derivative of the hostname 3999-IBCBuild-CM1.
>
> echo "Backup failed for archive $FN" | mail -r "ro...@ip..." -s "WARNING: Backup Failed for archive $FN" mon...@ip...
>
> Regards
> Michael Knill

Hi Michael,

I always use the:

SMTP_FROM="us...@ho..."

setting in our "user.conf".

> On 30/9/18, 9:52 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Just guessing the From is being derived from your hostname, you did not mention how you were sending the email.
>
> The -r argument for "mail" defines the From address, including a text name if you wish (like my example).
>
> I always define the From: address.
>
> Lonnie
>
> PS, You can delete the "stuck" email by using
> --
> msmtpqueue delete /var/spool/mail/2018-09-30-09.29.46-0
> --
>
>
>> On Sep 29, 2018, at 6:33 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Thanks Lonnie
>>
>> Interestingly all my other mails have a from address of ro...@ip... but from my script it's 39...@ip... and being rejected by my mail server. What specifies the from address?
>>
>> e.g.
>> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.err msmtp: host=smtp.ipcsolutions.com.au tls=on auth=on user=no...@ip... from=39...@ip... recipients=ro...@ip... smtpstatus=550 smtpmsg='550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com]' errormsg='the server did not accept the mail' exitcode=EX_UNAVAILABLE
>> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: (69) msmtp: the server did not accept the mail msmtp: server message: 550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com] msmtp: could not send mail (account default from /etc/msmtprc)
>> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: Failure: Keeping mail queue /var/spool/mail/2018-09-30-09.29.46-0 msmtp/mail pair.
>>
>> Regards
>> Michael Knill
>>
>> On 30/9/18, 9:21 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>> Hi Michael,
>>
>> You probably got one of the envelope addresses wrong.
>>
>> Here is an example where I email myself a note whenever my main AstLinux box is rebooted...
>> --
>> #!/bin/sh
>>
>> . /etc/rc.conf
>>
>> mail -r "REBOOT-$HOSTNAME <no...@ab...>" -s "Rebooted at '$HOSTNAME'" me...@ex... <<EOF
>> Rebooted at '$HOSTNAME'
>>
>> [Generated at $(date "+%H:%M:%S on %B %d, %Y")]
>> EOF
>> --
>>
>> Here are the "mail" options ...
>>
>> $ mail --help
>> --
>>
>> Usage: mail [options...] to_addr
>>
>> Options:
>>   -a file       Attach the given file to the message. (Multiple allowed)
>>   --mime type   Optionally define the MIME Type of each attached file. (Multiple allowed)
>>   -b address    Send blind carbon copies to a comma-separated list of email addresses.
>>   -c address    Send carbon copies to a comma-separated list of email addresses.
>>   -e            Check if mail is present. (Always exit status of "1")
>>   -H            Print header summaries for all messages and exit. (Always no mail)
>>   -r address    Define the From address.
>>   -S var=val    Sets the internal option variable, from= and replyto= are supported.
>>   -s subject    Define the subject text.
>>   -t            The sending message is expected to contain "To:", "Cc:" or "Bcc:" fields.
>>   -u user       Reads the mailbox of the given user name. (Always no mail)
>>   -V            Print version and exit.
>>   -v            Verbose mode.
>>   --help        Show this help text
>> Note: Additional mail/mailx options are silently ignored for compatibility.
>> --
>>
>> This is particularly handy if you want to attach a file(s) with one or more -a file pairs.
>>
>> Test from the command-line.
>>
>> Lonnie
>>
>>
>>> On Sep 29, 2018, at 6:00 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi group
>>>
>>> Sorry this is probably an easy one.
>>> I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
>>> What am I doing wrong?
>>>
>>> Regards
>>> Michael Knill

Michael

http://www.mksolutions.info
From: Michael K. <li...@mk...> - 2018-09-30 09:46:04
> Am 30.09.2018 um 08:31 schrieb Michael Knill <mic...@ip...>:
>
> Hmm strange
>
> I have this and it still uses 3999 as the from user. Note this is a derivative of the hostname 3999-IBCBuild-CM1.
>
> echo "Backup failed for archive $FN" | mail -r "ro...@ip..." -s "WARNING: Backup Failed for archive $FN" mon...@ip...
>
> Regards
> Michael Knill

Hi Michael,

I always use the:

SMTP_FROM="us...@ho..."

setting in our "user.conf".

> On 30/9/18, 9:52 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Just guessing the From is being derived from your hostname, you did not mention how you were sending the email.
>
> The -r argument for "mail" defines the From address, including a text name if you wish (like my example).
>
> I always define the From: address.
>
> Lonnie
>
> PS, You can delete the "stuck" email by using
> --
> msmtpqueue delete /var/spool/mail/2018-09-30-09.29.46-0
> --
>
>
>> On Sep 29, 2018, at 6:33 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Thanks Lonnie
>>
>> Interestingly all my other mails have a from address of ro...@ip... but from my script it's 39...@ip... and being rejected by my mail server. What specifies the from address?
>>
>> e.g.
>> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.err msmtp: host=smtp.ipcsolutions.com.au tls=on auth=on user=no...@ip... from=39...@ip... recipients=ro...@ip... smtpstatus=550 smtpmsg='550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com]' errormsg='the server did not accept the mail' exitcode=EX_UNAVAILABLE
>> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: (69) msmtp: the server did not accept the mail msmtp: server message: 550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com] msmtp: could not send mail (account default from /etc/msmtprc)
>> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: Failure: Keeping mail queue /var/spool/mail/2018-09-30-09.29.46-0 msmtp/mail pair.
>>
>> Regards
>> Michael Knill
>>
>> On 30/9/18, 9:21 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>> Hi Michael,
>>
>> You probably got one of the envelope addresses wrong.
>>
>> Here is an example where I email myself a note whenever my main AstLinux box is rebooted...
>> --
>> #!/bin/sh
>>
>> . /etc/rc.conf
>>
>> mail -r "REBOOT-$HOSTNAME <no...@ab...>" -s "Rebooted at '$HOSTNAME'" me...@ex... <<EOF
>> Rebooted at '$HOSTNAME'
>>
>> [Generated at $(date "+%H:%M:%S on %B %d, %Y")]
>> EOF
>> --
>>
>> Here are the "mail" options ...
>>
>> $ mail --help
>> --
>>
>> Usage: mail [options...] to_addr
>>
>> Options:
>>   -a file       Attach the given file to the message. (Multiple allowed)
>>   --mime type   Optionally define the MIME Type of each attached file. (Multiple allowed)
>>   -b address    Send blind carbon copies to a comma-separated list of email addresses.
>>   -c address    Send carbon copies to a comma-separated list of email addresses.
>>   -e            Check if mail is present. (Always exit status of "1")
>>   -H            Print header summaries for all messages and exit. (Always no mail)
>>   -r address    Define the From address.
>>   -S var=val    Sets the internal option variable, from= and replyto= are supported.
>>   -s subject    Define the subject text.
>>   -t            The sending message is expected to contain "To:", "Cc:" or "Bcc:" fields.
>>   -u user       Reads the mailbox of the given user name. (Always no mail)
>>   -V            Print version and exit.
>>   -v            Verbose mode.
>>   --help        Show this help text
>> Note: Additional mail/mailx options are silently ignored for compatibility.
>> --
>>
>> This is particularly handy if you want to attach a file(s) with one or more -a file pairs.
>>
>> Test from the command-line.
>>
>> Lonnie
>>
>>
>>> On Sep 29, 2018, at 6:00 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi group
>>>
>>> Sorry this is probably an easy one.
>>> I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
>>> What am I doing wrong?
>>>
>>> Regards
>>> Michael Knill

Michael

http://www.mksolutions.info
From: Michael K. <mic...@ip...> - 2018-09-30 06:31:35
Hmm strange

I have this and it still uses 3999 as the from user. Note this is a derivative of the hostname 3999-IBCBuild-CM1.

echo "Backup failed for archive $FN" | mail -r "ro...@ip..." -s "WARNING: Backup Failed for archive $FN" mon...@ip...

Regards
Michael Knill

On 30/9/18, 9:52 am, "Lonnie Abelbeck" <li...@lo...> wrote:

Just guessing the From is being derived from your hostname, you did not mention how you were sending the email.

The -r argument for "mail" defines the From address, including a text name if you wish (like my example).

I always define the From: address.

Lonnie

PS, You can delete the "stuck" email by using
--
msmtpqueue delete /var/spool/mail/2018-09-30-09.29.46-0
--

> On Sep 29, 2018, at 6:33 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie
>
> Interestingly all my other mails have a from address of ro...@ip... but from my script it's 39...@ip... and being rejected by my mail server. What specifies the from address?
>
> e.g.
> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.err msmtp: host=smtp.ipcsolutions.com.au tls=on auth=on user=no...@ip... from=39...@ip... recipients=ro...@ip... smtpstatus=550 smtpmsg='550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com]' errormsg='the server did not accept the mail' exitcode=EX_UNAVAILABLE
> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: (69) msmtp: the server did not accept the mail msmtp: server message: 550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com] msmtp: could not send mail (account default from /etc/msmtprc)
> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: Failure: Keeping mail queue /var/spool/mail/2018-09-30-09.29.46-0 msmtp/mail pair.
>
> Regards
> Michael Knill
>
> On 30/9/18, 9:21 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Hi Michael,
>
> You probably got one of the envelope addresses wrong.
>
> Here is an example where I email myself a note whenever my main AstLinux box is rebooted...
> --
> #!/bin/sh
>
> . /etc/rc.conf
>
> mail -r "REBOOT-$HOSTNAME <no...@ab...>" -s "Rebooted at '$HOSTNAME'" me...@ex... <<EOF
> Rebooted at '$HOSTNAME'
>
> [Generated at $(date "+%H:%M:%S on %B %d, %Y")]
> EOF
> --
>
> Here are the "mail" options ...
>
> $ mail --help
> --
>
> Usage: mail [options...] to_addr
>
> Options:
>   -a file       Attach the given file to the message. (Multiple allowed)
>   --mime type   Optionally define the MIME Type of each attached file. (Multiple allowed)
>   -b address    Send blind carbon copies to a comma-separated list of email addresses.
>   -c address    Send carbon copies to a comma-separated list of email addresses.
>   -e            Check if mail is present. (Always exit status of "1")
>   -H            Print header summaries for all messages and exit. (Always no mail)
>   -r address    Define the From address.
>   -S var=val    Sets the internal option variable, from= and replyto= are supported.
>   -s subject    Define the subject text.
>   -t            The sending message is expected to contain "To:", "Cc:" or "Bcc:" fields.
>   -u user       Reads the mailbox of the given user name. (Always no mail)
>   -V            Print version and exit.
>   -v            Verbose mode.
>   --help        Show this help text
> Note: Additional mail/mailx options are silently ignored for compatibility.
> --
>
> This is particularly handy if you want to attach a file(s) with one or more -a file pairs.
>
> Test from the command-line.
>
> Lonnie
>
>
>> On Sep 29, 2018, at 6:00 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi group
>>
>> Sorry this is probably an easy one.
>> I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
>> What am I doing wrong?
>>
>> Regards
>> Michael Knill
From: Lonnie A. <li...@lo...> - 2018-09-29 23:52:23
Just guessing the From is being derived from your hostname, you did not mention how you were sending the email.

The -r argument for "mail" defines the From address, including a text name if you wish (like my example).

I always define the From: address.

Lonnie

PS, You can delete the "stuck" email by using
--
msmtpqueue delete /var/spool/mail/2018-09-30-09.29.46-0
--

> On Sep 29, 2018, at 6:33 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie
>
> Interestingly all my other mails have a from address of ro...@ip... but from my script it's 39...@ip... and being rejected by my mail server. What specifies the from address?
>
> e.g.
> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.err msmtp: host=smtp.ipcsolutions.com.au tls=on auth=on user=no...@ip... from=39...@ip... recipients=ro...@ip... smtpstatus=550 smtpmsg='550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com]' errormsg='the server did not accept the mail' exitcode=EX_UNAVAILABLE
> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: (69) msmtp: the server did not accept the mail msmtp: server message: 550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com] msmtp: could not send mail (account default from /etc/msmtprc)
> Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: Failure: Keeping mail queue /var/spool/mail/2018-09-30-09.29.46-0 msmtp/mail pair.
>
> Regards
> Michael Knill
>
> On 30/9/18, 9:21 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Hi Michael,
>
> You probably got one of the envelope addresses wrong.
>
> Here is an example where I email myself a note whenever my main AstLinux box is rebooted...
> --
> #!/bin/sh
>
> . /etc/rc.conf
>
> mail -r "REBOOT-$HOSTNAME <no...@ab...>" -s "Rebooted at '$HOSTNAME'" me...@ex... <<EOF
> Rebooted at '$HOSTNAME'
>
> [Generated at $(date "+%H:%M:%S on %B %d, %Y")]
> EOF
> --
>
> Here are the "mail" options ...
>
> $ mail --help
> --
>
> Usage: mail [options...] to_addr
>
> Options:
>   -a file       Attach the given file to the message. (Multiple allowed)
>   --mime type   Optionally define the MIME Type of each attached file. (Multiple allowed)
>   -b address    Send blind carbon copies to a comma-separated list of email addresses.
>   -c address    Send carbon copies to a comma-separated list of email addresses.
>   -e            Check if mail is present. (Always exit status of "1")
>   -H            Print header summaries for all messages and exit. (Always no mail)
>   -r address    Define the From address.
>   -S var=val    Sets the internal option variable, from= and replyto= are supported.
>   -s subject    Define the subject text.
>   -t            The sending message is expected to contain "To:", "Cc:" or "Bcc:" fields.
>   -u user       Reads the mailbox of the given user name. (Always no mail)
>   -V            Print version and exit.
>   -v            Verbose mode.
>   --help        Show this help text
> Note: Additional mail/mailx options are silently ignored for compatibility.
> --
>
> This is particularly handy if you want to attach a file(s) with one or more -a file pairs.
>
> Test from the command-line.
>
> Lonnie
>
>
>> On Sep 29, 2018, at 6:00 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi group
>>
>> Sorry this is probably an easy one.
>> I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
>> What am I doing wrong?
>>
>> Regards
>> Michael Knill
From: Michael K. <mic...@ip...> - 2018-09-29 23:33:40
Thanks Lonnie

Interestingly all my other mails have a from address of ro...@ip... but from my script it's 39...@ip... and being rejected by my mail server. What specifies the from address?

e.g.
Sep 30 09:32:38 3999-IBCBuild-CM1 mail.err msmtp: host=smtp.ipcsolutions.com.au tls=on auth=on user=no...@ip... from=39...@ip... recipients=ro...@ip... smtpstatus=550 smtpmsg='550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com]' errormsg='the server did not accept the mail' exitcode=EX_UNAVAILABLE
Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: (69) msmtp: the server did not accept the mail msmtp: server message: 550 5.7.60 SMTP; Client does not have permissions to send as this sender [SYAPR01MB2430.ausprd01.prod.outlook.com] msmtp: could not send mail (account default from /etc/msmtprc)
Sep 30 09:32:38 3999-IBCBuild-CM1 mail.info msmtpqueue: Failure: Keeping mail queue /var/spool/mail/2018-09-30-09.29.46-0 msmtp/mail pair.

Regards
Michael Knill

On 30/9/18, 9:21 am, "Lonnie Abelbeck" <li...@lo...> wrote:

Hi Michael,

You probably got one of the envelope addresses wrong.

Here is an example where I email myself a note whenever my main AstLinux box is rebooted...
--
#!/bin/sh

. /etc/rc.conf

mail -r "REBOOT-$HOSTNAME <no...@ab...>" -s "Rebooted at '$HOSTNAME'" me...@ex... <<EOF
Rebooted at '$HOSTNAME'

[Generated at $(date "+%H:%M:%S on %B %d, %Y")]
EOF
--

Here are the "mail" options ...

$ mail --help
--

Usage: mail [options...] to_addr

Options:
  -a file       Attach the given file to the message. (Multiple allowed)
  --mime type   Optionally define the MIME Type of each attached file. (Multiple allowed)
  -b address    Send blind carbon copies to a comma-separated list of email addresses.
  -c address    Send carbon copies to a comma-separated list of email addresses.
  -e            Check if mail is present. (Always exit status of "1")
  -H            Print header summaries for all messages and exit. (Always no mail)
  -r address    Define the From address.
  -S var=val    Sets the internal option variable, from= and replyto= are supported.
  -s subject    Define the subject text.
  -t            The sending message is expected to contain "To:", "Cc:" or "Bcc:" fields.
  -u user       Reads the mailbox of the given user name. (Always no mail)
  -V            Print version and exit.
  -v            Verbose mode.
  --help        Show this help text
Note: Additional mail/mailx options are silently ignored for compatibility.
--

This is particularly handy if you want to attach a file(s) with one or more -a file pairs.

Test from the command-line.

Lonnie

> On Sep 29, 2018, at 6:00 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi group
>
> Sorry this is probably an easy one.
> I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
> What am I doing wrong?
>
> Regards
> Michael Knill
From: Lonnie A. <li...@lo...> - 2018-09-29 23:20:57
Hi Michael,

You probably got one of the envelope addresses wrong.

Here is an example where I email myself a note whenever my main AstLinux box is rebooted...
--
#!/bin/sh

. /etc/rc.conf

mail -r "REBOOT-$HOSTNAME <no...@ab...>" -s "Rebooted at '$HOSTNAME'" me...@ex... <<EOF
Rebooted at '$HOSTNAME'

[Generated at $(date "+%H:%M:%S on %B %d, %Y")]
EOF
--

Here are the "mail" options ...

$ mail --help
--

Usage: mail [options...] to_addr

Options:
  -a file       Attach the given file to the message. (Multiple allowed)
  --mime type   Optionally define the MIME Type of each attached file. (Multiple allowed)
  -b address    Send blind carbon copies to a comma-separated list of email addresses.
  -c address    Send carbon copies to a comma-separated list of email addresses.
  -e            Check if mail is present. (Always exit status of "1")
  -H            Print header summaries for all messages and exit. (Always no mail)
  -r address    Define the From address.
  -S var=val    Sets the internal option variable, from= and replyto= are supported.
  -s subject    Define the subject text.
  -t            The sending message is expected to contain "To:", "Cc:" or "Bcc:" fields.
  -u user       Reads the mailbox of the given user name. (Always no mail)
  -V            Print version and exit.
  -v            Verbose mode.
  --help        Show this help text
Note: Additional mail/mailx options are silently ignored for compatibility.
--

This is particularly handy if you want to attach a file(s) with one or more -a file pairs.

Test from the command-line.

Lonnie

> On Sep 29, 2018, at 6:00 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi group
>
> Sorry this is probably an easy one.
> I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
> What am I doing wrong?
>
> Regards
> Michael Knill
From: Michael K. <mic...@ip...> - 2018-09-29 23:19:16
Sorry please ignore. I'm a noob

Regards
Michael Knill

From: Michael Knill <mic...@ip...>
Reply-To: AstLinux List <ast...@li...>
Date: Sunday, 30 September 2018 at 9:01 am
To: AstLinux List <ast...@li...>
Subject: [Astlinux-users] Im not very good with Linux mail

Hi group

Sorry this is probably an easy one.
I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
What am I doing wrong?

Regards
Michael Knill
From: Michael K. <mic...@ip...> - 2018-09-29 23:06:54
PS Sorry the test mail tab works fine and Asterisk and Monit can also send mail fine.

Regards
Michael Knill

From: Michael Knill <mic...@ip...>
Reply-To: AstLinux List <ast...@li...>
Date: Sunday, 30 September 2018 at 9:01 am
To: AstLinux List <ast...@li...>
Subject: [Astlinux-users] Im not very good with Linux mail

Hi group

Sorry this is probably an easy one.
I am sending mail from my tarsnap script using the mail command and it just ends up in the mail spool and does not send.
What am I doing wrong?

Regards
Michael Knill