OpenConnect VPN with Multifactor Authentication shell alias

OpenConnect is a VPN client that can replace Cisco AnyConnect on multiple platforms. It is useful because it allows you to run multiple concurrent VPN connections, which Cisco AnyConnect cannot.

To make its day-to-day use more straightforward, you may want to configure a shell alias that runs the full command and enters your password. The alias can also prompt for the second password used by multifactor authentication systems such as Duo Mobile.

Encrypting passwords for automation on Windows using PowerShell, WinSCP and DPAPI

I have been using VBScript to generate and send data over SFTP from a Windows host to a remote server using WinSCP. Obviously this requires a set of credentials, which have to be shown in plain text in your script file; not ideal.

Fortunately, WinSCP has some pretty good documentation on the subject; however, I had to do some research to figure out how to use the Windows Data Protection API in a PowerShell script, hence this article.

Windows DPAPI lets you encrypt a password so that only the user account that encrypted it can decrypt it. This is obviously still a problem if that user account is compromised, but at least there are no more plain-text passwords.

Configuring SSL with Let's Encrypt Certbot on an NGINX reverse proxy

In a previous article we configured an Nginx reverse proxy to work behind a single public IP on a Proxmox node.

Nginx can now forward requests to our internal network; the focus of this guide is on setting up SSL termination on the Nginx reverse proxy so that it can serve HTTPS content. SSL is configured only in Nginx: our backend server, Apache, replies over plain HTTP on the private network to Nginx, which then sends the response to the client over HTTPS.

We will use two tricks to make this work in our reverse proxy setup.

1 – We will add the .well-known location described in RFC 5785 to our Nginx configuration, serving it from a webroot on the Nginx server instead of proxying it to the backend server. This folder will allow Certbot to complete the Automatic Certificate Management Environment (ACME) validation and obtain the SSL certificate.

2 – The Apache module mod_rpaf will set the HTTP request headers to the right values so that Apache sees our visitors' information instead of the proxy's, and will allow our SSL certificates to work with any website on Apache without further configuration.

Configuring containers with Proxmox on an OVH Kimsufi server behind a single public IP with NAT

OVH offers some interesting deals with its Kimsufi series of servers; however, you are limited by contract to a single public IP address, which can be a problem if you want to host multiple VMs on a Proxmox hypervisor. Fortunately, we can overcome this limitation by using an Nginx reverse proxy and a few iptables rules.

There are already a couple of articles out there detailing this procedure; however, I wanted to write a more in-depth explanation covering more aspects of this setup in a series of articles, of which this is the first.

In this series we will learn how to set up multiple containers within a local network inside the Proxmox hypervisor.