##install rancheros to disk download the rancheros from https://releases.rancher.com/os/latest/rancheros.iso start the rancheros from the downloaded rancheros.iso. After the rancheros is started, login with user/password rancher/rancher,
if your machine is behind the proxy, you can download the rancher/os:v.x.y.z from a machine which docker is installed:
$ docker pull rancher/os:v.x.y.z
$ docker save -o rancheros_v.x.y.z.tar rancher/os:v.x.y.z
| server: | |
| interface: 0.0.0.0 | |
| interface: ::0 | |
| access-control: 192.168.42.0/24 allow | |
| access-control: 127.0.0.0 allow | |
| access-control: 2001:db8:dead:beef::/48 allow | |
| # unbound optimisation | |
| num-threads: 4 |
With heightening concern regarding the state of internet privacy (fuelled in part by the passing of the Investigatory Powers Act in the UK), I have set up a VPN server on the virtual server I have hosted with Mythic Beasts. This uses strongSwan and certificate-based IKEv2 authentication.
Assumptions:
debian.example.com, a public IPv4 of 203.0.113.1 and a public IPv6 of 2001:db8::1meFor automated deployment of a similar setup, albeit Ubuntu-based and using ansible for deployment, I recommend you take a look at Algo VPN. I used that project as a basis for my configuration.
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>IKEv2</key> | |
| <dict> | |
| <key>AuthName</key> |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>Label</key> | |
| <string>com.example.brew.update</string> | |
| <key>ProgramArguments</key> | |
| <array> | |
| <string>/usr/local/bin/brew</string> | |
| <string>update</string> |
This setup is for remote users to connect into an office/home LAN using a VPN (ipsec). This is based on (but not the same as) the strongSwan documentation and this guide: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html
Set up DNS service Set up a network interface for DNS listening
| These commands are based on a askubuntu answer http://askubuntu.com/a/581497 | |
| To install gcc-6 (gcc-6.1.1), I had to do more stuff as shown below. | |
| USE THOSE COMMANDS AT YOUR OWN RISK. I SHALL NOT BE RESPONSIBLE FOR ANYTHING. | |
| ABSOLUTELY NO WARRANTY. | |
| If you are still reading let's carry on with the code. | |
| sudo apt-get update && \ | |
| sudo apt-get install build-essential software-properties-common -y && \ | |
| sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y && \ |
| # This is clicking "Allow" in System Preferences "Security & Privacy" screen | |
| # when you're on Screen Sharing. Otherwise it doesn't work. | |
| # To fix: | |
| # - Put "Security & Privacy" window in the top left screen | |
| # - open a Terminal on a side | |
| # - save click.oscript | |
| # - Run: osascript click.oscript | |
| # | |
| # The mouse click you send should hit "Allow" button. You may need to move the window a little bit. | |
| # Script originally from: https://discussions.apple.com/thread/3708948 |
| TotalTerminal | |
| Quake style dropdown terminal. [website] | |
| Add key "LSUIElement" with value "1" to "/Applications/Utilities/Terminal.app/Contents/Info.plist" to hide dock icon and alt+tab icon | |
| Run the command "defaults write com.apple.Terminal TotalTerminalCloseWindowsOnStart -bool YES" to hide the initial window on total terminal startup |
Others have recently developed packages for this same functionality, and done it better than anything I could do. Use the packages instead of this script:
Gargoyle package by @lantis1008
OpenWRT package by @dibdot
In its basic usage, this script will modify the router such that blocked addresses are null routed and unreachable. Since the address blocklist is full of advertising, malware, and tracking servers, this setup is generally a good thing. In addition, the router will update the blocklist weekly. However, the blocking is leaky, so do not expect everything to be blocked.