2018年4月 – FISH2BIRD

STM32F4-Discovery开发板初次使用

2018年4月29日 by wupeng·已关闭评论

关键字：mdk、stm32f4、discovery
时间：2018年4月

说明

STM32F4-Discovery开发板可以直接通过USB接口进行调试。

第一步，下载安装包MDK525.EXE

官网地址：https://www.keil.com/download/product/
安装方法与普通软件安装相同。

第二步，下载STM32F4-Discovery的例子程序

1、启动Keil，然后工具栏点击Pack Installer
2、Pack Installer会自动更新，中途会不停询问是否安装xxx包，建议所有都选是。
3、更新完毕，重新打开Pack Installer，在左侧Device标签下找到”/All Devices/STMMicroelectronics/STM32F407/STM32F407VG”，并选中
4、右侧Packs标签，找到Device Specific/Keil::STM32F4xx_DFP，点击install
5、右侧Examples标签，找到CMSIS-RTOS Blinky（STM32F4-Discovery），点击copy，选择工程拷贝的地址。
6、进入IDE，工程名Blinky。

第三步，MDK连接开发板设置

1、开发板需要安装驱动程序才能正常使用，官网地址：http://www.st.com/en/development-tools/stsw-link009.html
2、解压驱动程序，打开Windows设备管理器，找到ST-LINK，更新驱动
3、打开MDK->打开Blinky工程->MDK工具栏->Options for Target->Debug标签->Use：ST-Link Debugger右侧的Settings->Debug标签->Debug Adapter Uint:ST-LINK/V2

第四步，编译与烧录

1、点击工具栏Build按钮
2、点击工具栏Download按钮
3、稍等片刻，开发板的4个LED开始依次闪烁。

使用strongswan搭建IKEv2协议免证书VPN

2018年4月8日 by wupeng·已关闭评论

时间：2018年4月
关键字：ikev2、strongswan、vpn、免证书、ca

前言

这里说的免证书是指客户端不用导入证书，只使用用户名密码进行登录。
对于IKEv2来说，服务器端和客户端都需要配置证书，但服务器端可以采用CA签发的证书，这样客户端就可以自动完成证书的验证，就像https一样。
本文仅对建立VPN链接进行了描述，通过VPN访问Internet需要进行iptables设置，请自行查找资料。

第一步，申请CA签发的证书

详细参考：https://www.fish2bird.com/?p=780
这里使用域名vpn.fish2bird.com，这个域名需要和后续提到的配置文件中的leftid对应。

第二步，安装strangswan

操作系统Debian 9，除了安装strongswan，还需要安装libcharon-extra-plugins。

root@debian:~# apt-get install strongswan libcharon-extra-plugins

第三步，修改配置文件

root@debian:~# vim /etc/ipsec.conf
...
conn ikev2-eap
	left=%any
	leftsubnet=0.0.0.0/0
	right=%any
	rightsourceip=10.0.0.0/24
	dpdaction=clear

	keyexchange=ikev2
	ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
	esp=aes256-sha256,3des-sha1,aes256-sha1!
	rekey=no
	leftauth=pubkey                           # 服务器端使用公钥方式验证
	leftcert=/etc/letsencrypt/live/vpn.fish2bird.com/cert.pem  # 证书文件
	leftsendcert=always
	leftid=vpn.fish2bird.com                  # 需要和申请CA签发证书中的域名一致
	rightauth=eap-mschapv2                    # 客户端使用eap方式验证
	rightsendcert=never
	eap_identity=%any
	fragmentation=yes
	auto=add
...
root@debian:~# ipsec restart

第四步，修改账号密码配置文件

root@debian:~# vim /etc/ipsec.secrets
...
: RSA /etc/letsencrypt/live/vpn.fish2bird.com/privkey.pem  # 与证书对应的私钥文件

# 用户名 : 验证方式 "密码明文"
user1 : EAP "1234abcd"
...
root@debian:~# ipsec restart

客户端设置

iOS/macOS系统

VPN Type：IKEv2
Server Address：vpn.fish2bird.com
Remote ID：vpn.fish2bird.com
Local ID:
Authentication Settings：
Username/Certicate/None
Username：user1
Password：1234abcd

常见问题

常用调试命令

root@debian:~# ipsec listall
root@debian:~# ipsec status
root@debian:~# ipsec statusall

打开调试信息

root@localhost:~# vim /etc/strongswan.d/charon-logging.conf
charon {

    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {

        # <filename> is the full path to the log file.
        # <filename> {
	/var/log/charon.log {

            # Loglevel for a specific subsystem.
            #  = 

            # If this option is enabled log entries are appended to the existing
            # file.
            # append = yes

            # Default loglevel.
            # default = 1
            default = 1

            # Enabling this option disables block buffering and enables line
            # buffering.
            # flush_line = no
            flush_line = yes

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no
            ike_name = yes

            # Adds the milliseconds within the current second after the
            # timestamp (separated by a dot, so time_format should end with %S
            # or %T).
            # time_add_ms = no

            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            # time_format =

        # }
	}

    }

    # Section to define syslog loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    syslog {

        # Identifier for use with openlog(3).
        # identifier =

        #  is one of the supported syslog facilities, see LOGGER
        # CONFIGURATION in strongswan.conf(5).
        #  {

            # Loglevel for a specific subsystem.
            #  = 

            # Default loglevel.
            # default = 1

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no

        # }
    }
}

debian下搭建免费https

2018年4月5日 by wupeng·已关闭评论

时间：2018年4月
关键字：debian、https、nginx、免费

准备

域名www.fish2bird.com

第一步，修改域名解析

修改域名www.fish2bird.com解析到你要配置https的服务器的IP。

第二步，安装Nginx

root@debian:~# apt-get install nginx

第三步，安装certbot

certbot是一个自动申请https证书的工具。

root@debian:~# apt-get install certbot

第四步，申请证书

需要输入你域名，这里使用的域名是www.fish2bird.com。同时需要输入你的http服务器的根路径，这里是/var/www/html。

root@debian:~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):www.fish2bird.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.fish2bird.com

Select the webroot for www.fish2bird.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for vpn.fish2bird.com: (Enter 'c' to cancel):/var/www/html
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.fish2bird.com/fullchain.pem. Your cert
   will expire on 2018-07-04. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@debian:~#

生成好的证书文件位于/etc/letsencrypt/live/www.fish2bird.com/

第五步，配置nginx

需要打开443端口，并配置证书路径。
生成好的证书和私钥位于/etc/letsencrypt/live/www.fish2bird.com/。

root@debian:~# vim /etc/nginx/sites-enabled/default
...
# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	listen [::]:443 ssl default_server;

	ssl_certificate		/etc/letsencrypt/live/www.fish2bird.com/cert.pem;
	ssl_certificate_key	/etc/letsencrypt/live/www.fish2bird.com/privkey.pem;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
...
root@debian:~# service nginx restart

第六步，浏览器验证

浏览器输入：https://www.fish2bird.com/

FISH2BIRD

Write the code. Change the world.

月份：2018年4月