Archive for October, 2011


ssh VPN

   Posted by: admin    in Mẹo vặt của hiếu râu


In this recipe two machines will be configured:

  • A server which is a firewall and has access to a private network ¹
  • A client which initiates the connections to the server and gains direct access to the private network
 --------         /\_/-\/\/-\       -----------------
| Client |~~~~~~~/ Internet /~~~~~~| Server/Firewall |~~~[ private net ]
 --------        \_/-\/\_/\/      / ----------------- \
    ||\                           \          ||\       \
    || {tun0}                      {eth0}    || {tun0}  {eth1}
    ||                                       ||
    \-================= tunnel ==============-/

For this recipe lets number things like this:

  • the private net is
  • eth0 on the server has public IP
  • eth1 on the server has private IP
  • the VPN network is
  • tun0 on the server has private IP
  • tun0 on the client has private IP

On the Client

If you do not already have them, generate an SSH keypair for root:

$ sudo ssh-keygen -t rsa

/etc/network/interfaces: Add this stanza to the file:

iface tun0 inet static
      pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 true
      pre-up sleep 5
      up route add -net netmask gw tun0
      post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit

The first time we connect to the server as root we may need to acknowledge saving the servers SSH key fingerprint:

$ sudo ssh
The authenticity of host ' (' can't be established.
RSA key fingerprint is aa:fe:a0:38:7d:11:78:60:01:b0:80:78:90:ab:6a:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.

Don’t bother logging in, just hit CTRL-C.

On the server

/etc/ssh/sshd_config: Add/modify the two keywords to have the same values as below.

PermitTunnel point-to-point
PermitRootLogin forced-commands-only

The PermitRootLogin line is changed from the default of no. You do restrict root SSH login, right?

/root/.ssh/authorized_keys: Add the following line.

tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == root@server

Replace everything starting with “ssh-rsa” with the contents of root’s public SSH key from the client(/root/.ssh/ on the client).

/etc/network/interfaces: Add the following stanza.

iface tun0 inet static

/etc/sysctl.conf: Make sure net.ipv4.conf.default.forwarding is set to 1


This will take effect upon the next reboot so make it active now:

$ sudo sysctl net.ipv4.conf.default.forwarding=1

Using the VPN

user@client:~$ sudo ifup tun0
RTNETLINK answers: File exists
run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2

user@client:~$ ping -c 2
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=96.3 ms
64 bytes from icmp_seq=2 ttl=64 time=94.9 ms

--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms
user@client:~$ sudo ifdown tun0
Exit request sent.

You may get the two errors after running ifup. No problem, they are harmless.


expect example

   Posted by: admin    in Mẹo vặt của hiếu râu

#!/usr/bin/expect -f
set timeout 60
set env(TERM)

spawn orafed orafed
expect “assw”
send “123456\r”
expect “orafed”
send “sqlplus / as sysdba\r”
expect “SQL>”
send “startup;\r”
expect “SQL>”
send “exit\r”
expect “orafed”
send “lsnrctl start\r”
expect “command completed”
send “exit\r”


#!/usr/bin/expect -f

set timeout 60

set env(TERM)

set vuser [lindex $argv 0]

set vhost [lindex $argv 1]

spawn ssh $vuser@$vhost

expect {

“*assword” { send “thispass\r” }

timeout { exit 2 }


expect {

“thisTerm” { send “ssh nextuser@nextterm\r”

exp_continue }

“*assword: ” {

stty -echo

send_user “ask pass: ”

expect_user -re “(.*)\n”

send_user “\n”

send “$expect_out(1,string)\r”

stty echo



“nextTerm” { send “w\r” }


interact {

“done” { send_user “send ls -la\r”; send “ls -la\r”; return



expect {

“nextTerm” { send “exit\r”; exp_continue }

“thisTerm” { send — “exit\r” }

timeout {exit 3}