Archive for the Linux Category

Oct 27 2021

OpenVPN + Google Authenticator MFA

apt install libqrencode3 libpam-google-authenticator

addgroup gauth
useradd -g gauth gauth
mkdir /etc/openvpn/google-authenticator
chown gauth:gauth /etc/openvpn/google-authenticator
chmod 0700 /etc/openvpn/google-authenticator

Add this line to /etc/openvpn/server.conf:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

Create /etc/pam.d/openvpn with this content:

auth required /usr/lib/x86_64-linux-gnu/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass

Options used in the google-authenticator command below:

-t : Set up time-based (TOTP) verification

-d : Disallow reuse of previously used TOTP tokens

-r3 : Limit logins to N per every M seconds (here N = 3)

-R30 : Set M, the rate-limit interval in seconds, for -r (here M = 30)

-f : Write file without first confirming with user

-l : Override the default label in “otpauth://” URL

-i : Override the default issuer in “otpauth://” URL

-s : Specify a non-standard file location

Replace <username>, and the username at the end of the file paths, with certificate_name:

google-authenticator -t -d -r3 -R30 -f -l "<username>" -i "Company VPN" -s /etc/openvpn/google-authenticator/username

chown gauth:gauth /etc/openvpn/google-authenticator/username
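
A check for the finished setup, as an added example that is not part of the original post: it verifies the plugin line, the PAM line, and the owner and mode of the secret directory and files. The function name and its two arguments (a root prefix for testing and the owner account) are assumptions made for illustration, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit the files created by the OpenVPN + Google Authenticator steps.
# $1 = root prefix (hypothetical; "" audits the live system), $2 = owner account.
audit_openvpn_mfa() {
    root=$1
    owner=${2:-gauth}
    conf="$root/etc/openvpn/server.conf"
    pam="$root/etc/pam.d/openvpn"
    dir="$root/etc/openvpn/google-authenticator"
    rc=0

    # server.conf must load the auth-pam plugin with the "openvpn" PAM service.
    grep -Eq '^[[:space:]]*plugin[[:space:]].*openvpn-plugin-auth-pam\.so[[:space:]]+openvpn' "$conf" 2>/dev/null \
        || { echo "FAIL: auth-pam plugin line missing in $conf"; rc=1; }

    # The PAM service must list pam_google_authenticator as "required".
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]].*pam_google_authenticator\.so' "$pam" 2>/dev/null \
        || { echo "FAIL: pam_google_authenticator not required in $pam"; rc=1; }

    # Secret directory: mode 0700 and owned by $owner.
    if [ -d "$dir" ]; then
        [ "$(stat -c %a "$dir")" = 700 ] || { echo "FAIL: $dir mode is not 0700"; rc=1; }
        [ "$(stat -c %U "$dir")" = "$owner" ] || { echo "FAIL: $dir not owned by $owner"; rc=1; }
    else
        echo "FAIL: $dir missing"; rc=1
    fi

    # Each secret file: owned by $owner, no permission bits for group or other.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(stat -c %U "$f")" = "$owner" ] || { echo "FAIL: $f not owned by $owner"; rc=1; }
        case "$(stat -c %a "$f")" in
            ?00) ;;
            *) echo "FAIL: $f is accessible by group or other"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Run it as root with `audit_openvpn_mfa ""` after enrolling a user; a non-zero return means at least one FAIL line was printed.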

Oct 18 2021

KVM – VNC Server from remote host

<graphics type="vnc" port="5900" autoport="yes" listen="SERVER_IP" passwd="SECRET_PASSWORD">
<listen type="address" address="SERVER_IP"/>
</graphics>

Sep 25 2021

KVM validate xml

Dump

virsh dumpxml debian11 > test.xml
virt-xml-validate test.xml

Sep 7 2021

RRDTools

./configure --enable-perl-site-install

Sep 5 2021

Cpan – Encode.c: loadable library and perl binaries are mismatched (got handshake key 0xed00080, needed 0xeb00080)

Move the folder /usr/local/lib64/perl5 to /usr/local/lib64/BADperl5

Move the folder /usr/local/share/perl5 to /usr/local/share/BADperl5

Jun 25 2021

KVM Snapshots

Convert snapshot to standalone image

qemu-img convert -O qcow2 <snapshot.img> <new-image.img>

Create

virsh snapshot-create-as --domain debian11 --name debian11_snapshot01

List

virsh snapshot-list --domain debian11

Restore

virsh snapshot-revert debian11 debian11_snapshot01

Delete

virsh snapshot-delete --domain debian11 --snapshotname debian11_snapshot01

Info

virsh snapshot-info --domain debian11 --snapshotname debian11_snapshot01

Jun 6 2021

OpenVPN – don’t change route

add

pull-filter ignore redirect-gateway

to client.ovpn file

May 26 2021

KVM – detach disk

sudo virsh detach-disk --domain test --persistent --live --target vdb

May 12 2021

KVM – Add / Attach Disk

Create disk:
qemu-img create \
-f qcow2 \
-o lazy_refcounts=on,preallocation=falloc \
$FILEPATH \
[size]G

qemu-img comes with various options for setting the allocation when creating new disk images.

preallocation=metadata – allocates the space required by the metadata but doesn’t allocate any space for the data. This is the quickest to provision but the slowest for guest writes.

preallocation=falloc – allocates space for the metadata and data but marks the blocks as unallocated. This will provision slower than metadata but quicker than full. Guest write performance will be much quicker than metadata and similar to full.

preallocation=full – allocates space for the metadata and data and will therefore consume all the physical space that you allocate (not sparse). All empty allocated space is set to zero. This is the slowest to provision and gives guest write performance similar to falloc.

Convert disk:
mv disk.qcow2 disk.qcow2.bak
qemu-img convert -O qcow2 -o lazy_refcounts=on,preallocation=falloc disk.qcow2.bak disk.qcow2

Attach disk:
virsh attach-disk [vm ID] \
--source /path/to/disk.qcow2 \
--target vd[x] \
--persistent \
--subdriver qcow2

Apr 29 2021

Enable Virsh Console Access For KVM Guests

To do so, log in to your guest machine via SSH or Virt-manager or Cockpit and run the following commands to enable and start a serial console:

systemctl enable serial-getty@ttyS0.service
systemctl start serial-getty@ttyS0.service

Connect to the console from the host:
virsh console [vm ID]