strongSwan with EAP-MSCHAPv2 authentication on Debian 12

Introduction

There are many how-tos and guides for setting up strongSwan in different configurations, but it’s easy to waste hours simply because a required package might be missing from your particular Linux distribution.

This guide explains exactly how to install and configure strongSwan on Debian 12 as an IKEv2 server with username/password (EAP-MSCHAPv2) authentication, with Windows 11 PCs as the clients. The server authenticates with a certificate, the users with a password.

The sources for this guide are mainly the official strongSwan documentation and the GitHub project page. All commands below are run as root (prefix them with sudo otherwise).

Apt update, upgrade and install

apt update && apt upgrade -y && apt install strongswan strongswan-swanctl libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon libcharon-extra-plugins libcharon-extauth-plugins charon-systemd strongswan-pki libtss2-tcti-tabrmd0 -y

Create a temporary dir for the PKI (readable by root only; the CA key generated here never leaves it)

mkdir pki
cd pki

Generate the CA key

pki --gen --type rsa --size 4096 --outform pem > vpnserverCAKey.pem

The corresponding public key is packed into a self-signed CA certificate with a lifetime of 10 years (3650 days) using the pki --self command. The Windows clients will later trust this CA as a root certificate for the whole machine, so it should be dedicated to the VPN and never issue anything but the VPN server certificate; keep vpnserverCAKey.pem off the server once the server certificate has been issued.

pki --self --ca --lifetime 3650 --in vpnserverCAKey.pem --type rsa \
--dn "C=CH, O=MyOrg, CN=MyOrg VPN CA" --outform pem > vpnserverCACert.pem

Create the key for the VPN server

pki --gen --type rsa --size 4096 >  vpnserverKey.der

Create the signing request. The CN and the subjectAltName (--san) must be exactly what the Windows client connects to; an IP address is used here, but it could also be a domain name. Windows checks the SAN against the address it dialled and refuses the server if they differ.

pki --req --type priv --in vpnserverKey.der \
      --dn "C=CH, O=SR, CN=138.181.122.14" \
      --san 138.181.122.14 --outform pem > vpnserverReq.pem

Create the VPN server cert based on the request. The serverAuth flag (extended key usage) is required by Windows; without it the client rejects the certificate.

pki --issue --cacert vpnserverCACert.pem --cakey vpnserverCAKey.pem \
        --flag serverAuth --type pkcs10 --in vpnserverReq.pem --serial 01 --lifetime 1826 \
        --outform pem > vpnserverCert.pem

Copy the CA certificate, the server key and the server certificate to the matching subdirectories of /etc/swanctl (the CA key is deliberately not copied). Make sure the key in /etc/swanctl/rsa is readable by root only.

cp vpnserverCACert.pem /etc/swanctl/x509ca
cp vpnserverKey.der /etc/swanctl/rsa
cp vpnserverCert.pem /etc/swanctl/x509
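Before relying on these files it is worth checking the server certificate for the properties the Windows client insists on: the address the client dials must appear as a subjectAltName, the certificate must carry the serverAuth extended key usage, and it must chain to the CA that is installed on the clients. The script below is an added example and not part of the original guide. It uses openssl rather than strongSwan's pki to inspect whatever certificate you hand it; its make_demo_pki function is constructed test data that builds a throwaway CA plus one correct and one deliberately incomplete server certificate (2048-bit keys for speed, where the guide uses 4096) so the check can be exercised without the real files. The function names, the ca.cnf and ext.cnf helper files and the good.pem/bad.pem names are this example's own; the other file names follow the guide.

```sh
#!/bin/sh
# Added example (not from the original guide): verify a strongSwan server
# certificate against what a Windows IKEv2 client requires, using openssl.
set -eu

# check_server_cert CERT CAFILE EXPECTED_SAN
# Returns 0 only if CERT chains to CAFILE, lists EXPECTED_SAN as an IP or
# DNS subjectAltName, and carries the serverAuth extended key usage.
check_server_cert() {
  cert=$1 ca=$2 want=$3 rc=0
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL chain: $cert does not verify against $ca"; rc=1
  fi
  # Escape the dots of an IP so the match is exact (138.181.122.140 must not pass).
  esc=$(printf '%s' "$want" | sed 's/[.]/\\./g')
  if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
      | tr ',' '\n' | grep -qEx "[[:space:]]*(IP Address|DNS):$esc"; then
    echo "FAIL san: $want is not a subjectAltName of $cert"; rc=1
  fi
  if ! openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
      | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL eku: serverAuth is missing from $cert"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $cert"
  return "$rc"
}

# make_demo_pki DIR IP
# Constructed test data mirroring the guide's pki --self / --req / --issue
# steps: a throwaway CA, good.pem (IP SAN + serverAuth) and bad.pem (issued
# from the same request but without either extension).
make_demo_pki() {
  dir=$1 ip=$2
  # Self-contained config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' 'prompt = no' \
    '[dn]' 'CN = overridden by -subj' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=CH/O=MyOrg/CN=MyOrg VPN CA" \
    -keyout "$dir/vpnserverCAKey.pem" -out "$dir/vpnserverCACert.pem" 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=CH/O=SR/CN=$ip" \
    -keyout "$dir/vpnserverKey.pem" -out "$dir/vpnserverReq.pem" 2>/dev/null
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/vpnserverReq.pem" -CA "$dir/vpnserverCACert.pem" \
    -CAkey "$dir/vpnserverCAKey.pem" -set_serial 1 -days 1826 \
    -extfile "$dir/ext.cnf" -out "$dir/good.pem" 2>/dev/null
  openssl x509 -req -in "$dir/vpnserverReq.pem" -CA "$dir/vpnserverCACert.pem" \
    -CAkey "$dir/vpnserverCAKey.pem" -set_serial 2 -days 1826 \
    -out "$dir/bad.pem" 2>/dev/null
}

# On the real files, from the guide's pki directory:
#   check_server_cert vpnserverCert.pem vpnserverCACert.pem 138.181.122.14
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d" 138.181.122.14
  check_server_cert "$d/good.pem" "$d/vpnserverCACert.pem" 138.181.122.14 || true
  check_server_cert "$d/bad.pem"  "$d/vpnserverCACert.pem" 138.181.122.14 || true
  rm -rf "$d"
fi
```

Run it with --demo to see the good certificate pass and the bad one fail both the SAN and the EKU test, or call check_server_cert on the real vpnserverCert.pem with the IP or host name the clients will dial. A failure here is exactly what shows up later as a Windows client refusing the connection while the server log shows nothing more than the client going away during IKE_AUTH.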

Configure

sudo nano /etc/swanctl/swanctl.conf

Replace the contents with this (insert your own username and password in “secrets”):

connections {
  eap {
    pools = ipv4, ipv6

    local {
      auth = pubkey
      certs = vpnserverCert.pem
      id = 138.181.122.14
    }
    remote {
      auth = eap-mschapv2
      eap_id = %any
    }
    children {
      eap {
        local_ts = 0.0.0.0/0, ::/0
      }
    }
  }
}

pools {
  ipv4 {
    addrs = 10.0.100.64/26
    dns = 10.0.100.1
  }
  ipv6 {
    addrs = 2a02:168:4407:1::/122
  }
}

secrets {
  eap-myuser {
    id = myuser
    secret = mypassword
  }
}

include conf.d/*.conf

A few points about this configuration. The id under local must be one of the subjectAltNames of the server certificate (the IP address used in the request above), otherwise the Windows client rejects the server. auth = eap-mschapv2 with eap_id = %any accepts any identity that has a matching entry in secrets; each eap-<name> block holds one username and password, so add one block per user. The passwords are stored in clear text, so swanctl.conf must stay readable by root only. local_ts = 0.0.0.0/0, ::/0 offers a full tunnel, with client addresses taken from the pools; for client traffic to actually leave the server, IP forwarding and NAT (or routes for the pool ranges) have to be set up on it, which this guide does not cover.

Disable the legacy starter service. strongswan-starter runs the old ipsec/stroke-based daemon; only one charon instance can run, and this guide uses charon-systemd, which is what strongswan.service starts.

systemctl stop strongswan-starter
systemctl disable strongswan-starter

Enable and restart the strongswan service for the changes to take effect (the service loads swanctl.conf when it starts)

systemctl enable strongswan
systemctl restart strongswan

Check the status for errors

systemctl status strongswan
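An "active" service does not mean the connection was loaded: a typo in swanctl.conf is reported in the journal (journalctl -u strongswan) while the unit stays up. The script below is an added example, not part of the original guide, with two checks for this point in the setup: key_files_private verifies (and with --fix repairs) that nothing under a key directory is readable by group or others, which matters because cp created vpnserverKey.der with the default umask, and swanctl_ready asks the running daemon whether the connection, the server certificate and the pools were actually loaded. The function names are this example's own; it assumes GNU stat as found on Debian and the connection name eap and server id from the configuration above.

```sh
#!/bin/sh
# Added example (not from the original guide): checks to run after
# "systemctl restart strongswan" on the Debian 12 server.
set -eu

# key_files_private DIR [--fix]
# Returns 0 when no regular file in DIR has any group/other permission bit;
# with --fix the offending files are chmod 600 first. The guide copies the
# server key into /etc/swanctl/rsa with cp, which uses the default umask.
key_files_private() {
  dir=$1 fix=${2:-} rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c %a "$f")                # e.g. 644 (GNU stat, as on Debian)
    if [ $(( 0$mode & 077 )) -ne 0 ]; then  # any group/other bit set
      if [ "$fix" = "--fix" ]; then
        chmod 600 "$f"; echo "fixed $f (was $mode)"
      else
        echo "WARN $f is mode $mode"; rc=1
      fi
    fi
  done
  return "$rc"
}

# swanctl_ready CONN SERVER_ID
# Asks the running daemon whether connection CONN, a certificate for
# SERVER_ID and at least one address pool were loaded. Returns 2 when
# swanctl is not installed, 1 when something is missing, 0 when all is there.
swanctl_ready() {
  conn=$1 id=$2
  command -v swanctl >/dev/null 2>&1 || { echo "swanctl not installed"; return 2; }
  swanctl --list-conns | grep -q "^$conn:" || { echo "FAIL connection '$conn' not loaded"; return 1; }
  swanctl --list-certs | grep -q -- "$id" || { echo "FAIL no loaded certificate for $id"; return 1; }
  swanctl --list-pools | grep -q . || { echo "FAIL no address pools loaded"; return 1; }
  echo "OK $conn loaded, certificate for $id present, pools loaded"
}

# Usage on the server from this guide:
if [ "${1:-}" = "--run" ]; then
  key_files_private /etc/swanctl/rsa --fix
  key_files_private /etc/swanctl/private --fix
  swanctl_ready eap 138.181.122.14
fi
```

After later edits to swanctl.conf a restart is not needed; swanctl --load-all reloads connections, secrets and pools, and swanctl_ready can be run again to confirm the result.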

Windows VPN Client

Copy the CA certificate, vpnserverCACert.pem, from the VPN server to the Windows client and import it into the Trusted Root Certification Authorities store of the local computer (not the current user; IKEv2 uses the machine store). This step is what lets the client authenticate the server: EAP-MSCHAPv2 is only protected by the server certificate check, and a client that does not validate the server would hand its credentials to any rogue server.
For details on setting up the Windows VPN client, follow the guide on https://docs.strongswan.org/docs/latest/interop/windowsEapConf.html
Remember to set the EAP properties as shown towards the end of that guide; in particular, untick "Automatically use my Windows logon name and password", otherwise Windows sends the Windows account credentials instead of the user from secrets.

To enhance security, run the following in an elevated prompt and reboot. It makes Windows propose AES-256 and 2048-bit Diffie-Hellman (group 14) for the IKE SA instead of its weaker defaults, which include 1024-bit DH; strongSwan's default proposals already accept these.

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v NegotiateDH2048_AES256 /t REG_DWORD /d 2 /f


Lightroom Image Archive on QNap TS-239 Pro II

Moving your Lightroom image library to a NAS

Lightroom's data files fall roughly into two categories: the catalog file(s), which contain metadata about your images such as their location, and the actual image files.

Lightroom does not permit keeping the catalog files on network attached storage, so you will have to keep those on your workstation. However, you can have Lightroom back up your catalog files to the NAS so they are stored together with your images. This is configured under Edit > Catalog Settings in Lightroom.

The following steps explain how to move your images from your workstation to a location on the NAS.

  • Locate your catalog file (its location is shown under Edit > Catalog Settings) and make a backup of it, as a safety precaution.
  • Locate the folder containing your images and copy it to the NAS
  • Rename the local image folder to something like ‘images_OLD’
  • Open Lightroom
  • In Library mode, there should now be question marks on the folders, since we renamed the image folder to images_OLD
  • Right click on each folder and select its new location on the NAS
  • Once all folders have been resolved, do a quick check that all images are there

If something goes wrong you can always replace the catalog file with the backup from step 1 and rename images_OLD back to its original name.

Performance

As is to be expected, there is a slight performance drop from having the images on a network share instead of a local hard disk. To quantify the difference I picked 10 test photos (RAW) and measured the time it took to zoom in on the image in Library mode. Zooming in on an image forces the actual image to be loaded into memory instead of just showing a preview.

  • Avg. zoom time Local: 6 seconds
  • Avg. zoom time NAS: 6.9 seconds

Not much of a difference, and hardly noticeable. I have not timed any other operations, but it appears that the main loading happens only once, i.e. there is no lag when cropping or fixing white balance, since the image has already been loaded into memory.

Gigabit LAN vs. 100 Mbps LAN

Having recently upgraded my home network to Gigabit speeds, I still had my old devices and cables around. Most of these were specced at 100 Mbps, so I had the perfect opportunity to do a head-to-head benchmark showing whether the upgrade was worth the effort. I expected a significant performance improvement from replacing the old 100 Mbps router from my ISP, which acted as the hub for every wired and wireless device on my network, with a brand new Gigabit switch. As a benchmark, I transferred a 2.3 GB file from my PC to a QNap TS-239 NAS three times over the router and over the switch respectively. These are the average speeds:

Name                     Speed in MB/s   Total Tx Time (m:ss)
NetGear VVG2000 Router   10.9            3:37
TrendNet TEG-S80G        51.9            0:44

A significant improvement: the transfer is almost 5 times as fast over the Gigabit switch. The measured transfer speed through the NetGear router corresponds well with its specified maximum of 100 Mbps (~12 MB/s). With the Gigabit switch, the hard disks of the PC and NAS become the bottleneck, since we are nowhere near the theoretical maximum of a Gigabit network (125 MB/s).

As a part of the upgrade, I also bought new Cat-6 cables. The oldest cable I still had in use was a Cat-5 that I crimped together myself about 10 years ago. Since Cat-5 is generally not recommended for Gigabit networks, I thought it would be interesting to see just how much using these old cables would affect transfer speed.

Cable                    Speed in MB/s   Total Tx Time (s)
Cat-6, 7 m, round        51.4            45.8
Cat-6, 10 m, UltraFlat   51.9            45.4
Cat-5, 5 m, round        51.5            45.7

To my surprise, the old Cat-5 cable was on par with the new Cat-6 cables! Luckily, there was not much of the Cat-5 cable to replace, so I won’t be beating myself up over making a useless investment…

I also tested some "UltraFlat" Cat-6 cable, which I was worried would be susceptible to crosstalk, but as the table clearly shows, the performance of the "UltraFlat" cables is equal to that of the regular, round ones.

So the moral of the story is: don't be afraid to use UltraFlat cables in your Gigabit network, and if you have some old Cat-5 cable buried under your floor or in the wall, test it with some Gigabit devices before going out of your way to replace it.