Close

Do NOT add a newer boot file into an older Windows Deployment Service

In my company, there is a Windows Deployment Service (WDS for short) hosted by Windows Server 2012 R2. Since I got the new release of Windows Server yesterday, named Windows Server 2012 R2 with Update, I added the boot.wim from the new CD into this server and began my nightmare.

Result: All boot images from installation CD work great. But all capture images are failed to start, no matter the capture image is pre-existed, new created or copied from other servers. They’re failed in 2 ways:

  • Error in \Windows\System32\boot\winload.exe with status code 0xc000000f after the loading bar completed; or,
  • Black screen after displaying the Windows logo.

To fix this, I’ve tried to remove the new added boot image but this trying is ineffective. Finally, I googled and find there is a person who added a Windows 8 Preview boot file into an old WDS server, which lead to the similar result. The way to fix is:

  1. Stop the WDS;
  2. Restore the Boot folder from a previous version; and,
  3. Restart the WDS.

If you don’t have backup, you may need to reinstall WDS.

I guess when you add a new boot image into a WDS, it will update the existed boot folder to the latest version, which may not be compatible with other boot files. Maybe it will be fixed after patching the server OS, but it’s better never to do such a thing again.


Update: There is another way to fix the broken capture image file directly. But you have to do that for every capture file. http://social.technet.microsoft.com/Forums/windowsserver/en-US/a164b948-1778-42bd-8d77-9cef1ca70866/image-capture-boot-image-fails-with-0xc000000f?forum=winserversetup

中国IP地址段抽取工具

本工具可以将所有中国的IP v4地址段抽取出来,并按照用户给定的格式保存。
通常可以用于制作特定的路由表。

IP信息来源:每次运行时自动获取自APNIC。
运行需要:dotnet Framework 4.0

运行前,请用文本编辑器打开CNRouteExtractor.exe.config,按照注释修改其中的Format字符串。
运行时的格式:CNRouteExtractor filename
将生成filename作为目标输出文件。如不指定filename则不输出(仅测试下载与抽取)。

下载地址

使用Socks5代理连接TCP

虽然Socks5已经不是新技术,最近又有好多人来询问我如何使用Socks5代理来连接远端TCP。在这里我就顺便把之前的流程文件贴来啦。

 

1 使用TCP连接到Socks5代理服务器端口
2 发送5 2 0 2(4个字节,为Byte而非数字字符,下同)
3 接受到5 0(表示不需要密码,跳转到步骤6)或者5 2(需要密码验证)
4 发送1 UserNameLength(1字节) UserName(1-255字节) PasswordLength(1字节) Password(1-255字节)
5 接受到1 0表示成功,否则失败。
6 如果需要远程解析DNS,那么发送:5 1 0 3 DomainNameLength(1字节) DomainName(1-255字节) Port(2字节)
  如果本地解析DNS得IP,那么发送:5 1 0 1 IP(4字节) Port(2字节)
7 可能得到反馈:只要打头是5 0则表示成功,否则表示失败。但是应该完整的清理此数据,它的格式是以下中的一种:
  5 0 0 1 IP(4字节) Port(2字节)
  5 0 0 3 DomainNameLength(1字节) DomainName(1-255字节) Port(2字节)
8 至此完成连接,然后你就可以当作标准的TCP连接来收发数据了,直至连接关闭。

Install OpenVPN Server on CentOS 5.4

There are many guys asking me how to install OpenVPN on CentOS 5.2/5.4. I have a server with that system (minimal installation) exactly and I cannot find an all correct guide for this setup step. So I decide to write this post.

You cannot count on the post to explain what OpenVPN is. But if you just require a simple guide for installation, you’ve got it.

Preparation:

1 A server running with CentOS 5.2/5.4. I don’t know which services you’ve installed, so I have to install all necessary components by bash command. You can skip that command if you know that is installed.
2 A KVM, an SSH client or another way to connect to your server.
3 You must know how to use tool vi to edit file.

Setup guide:

All blue texts should be typed into bash command line, and press Enter after each command. All black texts are just commit. Read them as you wish.

Install some tools.

yum install -y wget Install a tool for downloading packages.
yum install -y iptables Install the controller for inputting firewall rules.

Configure yum to install OpenVPN

yum install -y yum-priorities Let your yum to install more packages.
cd /tmp
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm for x86 (32bit) only
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm for x64 (64bit) only
rpm -i rpmforge-release-0.5.1-1.el5.rf.*.rpm
yum check-update

Install OpenVPN

yum install -y openvpn

Configure OpenVPN Server

cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
. ../vars There is a space between the 1st and 2nd dot.
chmod +rwx *
source ./vars
vi ../vars Modify the last several lines of this file to match your location and org name.
vi vars Modify the last several lines of this file to match your location and org name.
./build-ca Input your location and org name.
source ./vars
./clean-all
./build-ca Always press enter directly. You can verify your infomation in this step.
./build-key-server server Answer y twice for the 2 questions in the end, press enter directly for others.

Configure OpenVPN Setting. Following this post, you will get a server running at port 1194 with UDP protocol, and the sub network for VPN clients is 10.0.0.0/24. You can modify this document with the rest commands synchronously.

vi /etc/openvpn/openvpn.conf Create setting file.

Type all green text below to the edit form of vi.

port 1194 Use port 1194.
proto udp Use udp protocol. You can change this into tcp as you wish. It seems that udp is faster. Tcp can be used when you are using a udp banned network.
dev tun Mode. You can choose tun or tap. I don’t wanna explain this.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.0.0.0 255.255.255.0 Sub network for VPN clients
push "dhcp-option DNS 208.67.222.222" Use DNS of OpenDNS.
push "dhcp-option DNS 208.67.220.220" Use DNS of OpenDNS.
push "redirect-gateway" Let all traffic from client to go though with this VPN server. Remove this line if you don’t want it.
ifconfig-pool-persist ipp.txt Let OpenVPN server to record the last used IP for each client, which allows client to use the same IP when reconnected.
keepalive 10 120
comp-lzo Enable compression for saving bandwidth.
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client Allow clients to communicate with each others. Remove this line if you dont’t want it.

Save this file.

cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh This may take a while.
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start Service starts!
chkconfig --list | grep vpn

Create key for each client.

The working folder is /etc/openvpn/easy-rsa/2.0 and you can verify it by typing pwd if you like. If it’s not, type cd /etc/openvpn/easy-rsa/2.0 to change it. Run source ./vars if needed.

Run this command for each client.
./build-key <client name> Answer y twice for the 2 questions in the end, press enter directly for others. Change <client name> to client name.

Final steps and add some firewall rules

service iptables start Start the iptables service.
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT Allow udp datagrams to be received from port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A OUTPUT -o eth0 -p udp --dport 1194 -j ACCEPT Allow udp datagrams to be sent from port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A INPUT -i tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -A OUTPUT -o tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -A FORWARD -o tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE Enable NAT.
/etc/init.d/iptables save Save iptables’ rules.
/etc/init.d/iptables restart Restart iptables service.
chkconfig iptables on Let iptables be started automatically.
chkconfig openvpn on So is openvpn.
vi /etc/sysctl.conf

Find a line with text net.ipv4.ip_forward = 0, change it into net.ipv4.ip_forward = 1, and save this file.

You’ve finished the configuration of server. Please restart it.

shutdown -r now

All certifications and key files can be found at /etc/openvpn/easy-rsa/2.0/keys. You should download ca.crt, <client name>.key and <client name>.crt to each client computer.

I’ll go on to create an OpenVPN client in Windows for example.

Download and install OpenVPN Windows Version.

Copy ca.crt, <client name>.key and <client name>.crt to its config folder (c:\Program Files (x86)\OpenVPN\config\ or c:\Program Files\OpenVPN\config\ by default). You can create a sub folder for each server to make it possible to connect to many servers, not at the same time.

Create a text file with extension “ovpn” in the folder which contains these 3 files with all green text below.

client
dev tun
proto udp
remote
<your server name or ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert
<client name>.crt
key
<client name>.key
ns-cert-type server
comp-lzo
verb 3

Save this file.

Start OpenVPN Client, right click the icon in the system tray and connect the server. If you are running Windows Vista / 7 or Windows Server 2008 / 2008 R2, you have to run this program as administrator coz Route.exe which will be run by OpenVPN need this.

I hope you get it though.
BTW, if you are using fedora, you may wanna check this post, which contains more commands to adjust firewall.

For CentOS 6.0: iptables’ commands need to be adjust. See your iptables configuration file for detail information.

Zeroshell Testing Report

I’ve used?Zeroshell (linux based router, free) for more than 1 year.

Many advanced?features are tested like vpn, load balancing, multi ppp and so on. I’ve installed it on several environment like physical pc, esx vm, vmware server vm and NET5501 hardware.

Here are somethings to share.

Good:

1 Free with web gui.

2 Powerful.

3 Multi ppp is supported.

4 OpenVPN is supported natively.

5 Net Balancer with plenty rules.

Need to?be improved:

1 Provide a way to install to harddisk / cf / usb like a installer,?instead of using dd.

2 Make it easier to control the native services in Net Balancer. For example, if you enable Net Balancer, the DDNS and VPN is not easy to config, even not possible to. Create a virtual network to running those services?may be helpful.

3 VPN Lan-to-lan seems not stable. I’ve tested to link 2 routers powered by zeroshell. One is in China Mainland, another is in USA. Link drops every 30 secs… not usable at all.

4 Yes, maybe the 2nd and 3rd are not problems but the best practices are?not documented, please make more documents.

网络调试用工具包

注:以下软件均为较久前开发,需要dotNet Framework 1.1框架,不能兼容最新框架。

Redirector:TCP/UDP端口转发工具。

Smiler:TCP/UDP调试工具,支持作为客户端、服务器,并有多种编码支持。

UDPSimulator:UDP网络环境模拟器,通过对UDP包的转发,模拟网络上可能出现的丢包和顺序错位。