Wednesday, January 24, 2018

pfSense router and EasyNews VPN

With a little help from the internet, some trial and error, and prior knowledge, I was able to get pfSense set up to use the VPN service provided by EasyNews.  This was done for the following reasons:
  • The price is good: the VPN service is about $12 and it also gets you access to the NNTP servers
  • Logins are not kept, and there are many VPN endpoints
  • I already have it, so why not use what I am already paying for
  • No one has a tutorial on how to set up pfSense with the EasyNews VPN, so it is good to be the first
Please note that these directions were originally built for pfSense 2.2.5-6, but were finished on pfSense 2.3.1.  While the directions are almost the same, I did not see the need, nor have the time, to redo the pictures that were in the 2.2.x format.

Create the CA Certificate

  1. Select menu item: System->Cert Manager
  2. Select the CAs tab
  3. Click the Plus symbol to add a CA certificate
  4. Configure as follows:
    1. Descriptive Name = EasynewsVPN
    2. Method = Import an existing Certificate Authority (the EasyNews CA certificate was linked here; paste its PEM text into the Certificate data field)

    3. Certificate Private Key = Leave blank (you are importing someone else's CA, so you never have its key)
    4. Serial for Next Certificate = Leave blank
    5. Click Save


Create OpenVPN Client

  1. Select menu: VPN->OpenVPN
  2. Select Client tab
  3. Click Plus symbol to add client
  4. Configure as Follows:
    • Disabled = unchecked
    • Server Mode = Peer To Peer (SSL/TLS) 
    • Protocol = UDP
    • Device Mode = TUN
    • Interface = WAN 
    • Server Host Address = (the EasyNews VPN server hostname; the full list was linked here)
    • Server Port = 1194 or 443
    • Proxy Host or address = (Leave Blank)
    • Proxy Port = (Leave Blank)
    • Proxy Authentication Extra Options = none
    • Server host name resolution = Checked
    • Description = easynewsVPN (or whatever you want)
    • Username = username@easynews
    • Password =  (Your password for easynews)
    • TLS Authentication = Unchecked
    • Peer Certificate Authority = EasynewsVPN (the CA imported above)
    • Client Certificate = None
    • Encryption Algorithm = AES-256-CBC (256-bit)
    • Auth Digest Algorithm = SHA1 (160 bit) (note that the 'auth SHA256' line in the advanced options below overrides this; choose SHA256 here as well so the GUI and the effective configuration agree)
    • Hardware Crypto = No Hardware Crypto Acceleration
    • IPv4 Tunnel Network = (leave blank)
    • IPv6 Tunnel Network = (leave blank)
    • IPv4 Remote Network/s = (leave blank)
    • IPv6 Remote Network/s = (leave blank)
    • Limit outgoing bandwidth = (leave blank)
    • Compression = No Preference
    • Type of Service = Unchecked
    • Disable IPv6 = Checked
    • Don't Pull routes = Unchecked
    • Don't add/remove routes = Unchecked
    • Advanced configuration =
      remote-cert-tls server
      resolv-retry infinite
      verb 3
      auth SHA256
      keysize 256
      tls-cipher DHE-RSA-AES256-SHA
      (keysize only applies to variable-key-length ciphers such as Blowfish; with AES-256-CBC it is a no-op, and newer OpenVPN releases deprecate the option)
  5. Click Save


Updates of custom settings from other implementations

Other documents list the advanced settings as:

remote-cert-tls server
resolv-retry infinite
verb 3
auth SHA256
keysize 256
tls-cipher DHE-RSA-AES256-SHA

but my configuration is this:

remote-cert-tls server
resolv-retry infinite
verb 3
auth SHA256
keysize 256

I changed the tls-cipher because, when opening the connection, the logs said that DHE-RSA-AES256-SHA was deprecated and TLS-DHE-RSA-WITH-AES-256-CBC-SHA should be used.
Also, there was a warning that credentials were cached and that adding auth-nocache would be more secure.  Since the connection still worked with these extra settings, I left them in place.
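To see what the GUI fields and the Advanced box actually produce together, here is an added example (mine, not from the original post and not pfSense code) that merges the two and flags the points raised in this section: the duplicated auth digest (the GUI's SHA1 versus the Advanced box's SHA256), the keysize line that does nothing for AES-256-CBC, the deprecated tls-cipher name, and the missing auth-nocache. It assumes the GUI fields map to the plain OpenVPN directive names shown in gui_options; the host name in it is a placeholder, not an EasyNews server.

```python
"""Added example (not from the original post or from pfSense): merge the
OpenVPN client settings from the GUI with the 'Advanced configuration' box
and flag the pitfalls discussed in this section."""

# The page records this one deprecation warning; it is the only mapping used.
DEPRECATED_TLS_CIPHERS = {
    "DHE-RSA-AES256-SHA": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
}
# Ciphers with a fixed key length: 'keysize' does nothing for them.
FIXED_KEY_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC",
                     "AES-128-GCM", "AES-256-GCM"}
# Single-valued directives: OpenVPN applies options in order, so a repeat
# takes its last value. This is why 'auth SHA256' in the Advanced box
# (appended after the GUI-generated lines) beats 'auth SHA1' from the GUI.
SINGLE_VALUED = {"auth", "cipher", "tls-cipher", "keysize", "verb",
                 "resolv-retry", "remote-cert-tls", "proto", "dev"}


def gui_options(cipher="AES-256-CBC", digest="SHA1", proto="udp", port=1194,
                host="vpn.example.invalid"):
    """Directives for the GUI fields used above (assumed plain OpenVPN names;
    the host is a placeholder, not an EasyNews server)."""
    return ["client", "dev tun", f"proto {proto}", f"remote {host} {port}",
            f"cipher {cipher}", f"auth {digest}", "auth-user-pass",
            "ca easynewsVPN.ca"]


def effective_config(gui_lines, advanced_text):
    """Return (directive lines, warnings) for the merged configuration."""
    directives, index, warnings = [], {}, []

    def add(line, origin):
        line = line.strip()
        if not line or line.startswith("#"):
            return
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in SINGLE_VALUED and key in index:
            old = directives[index[key]][1]
            if old != value:
                warnings.append(f"{key}: '{old}' overridden by '{value}' from {origin}")
            directives[index[key]][1] = value
            return
        directives.append([key, value])
        if key in SINGLE_VALUED:
            index[key] = len(directives) - 1

    for line in gui_lines:
        add(line, "the GUI")
    for line in advanced_text.splitlines():
        add(line, "the Advanced box")

    present = dict(directives)
    cipher = present.get("cipher", "")
    if "keysize" in present and cipher.upper() in FIXED_KEY_CIPHERS:
        warnings.append(f"keysize {present['keysize']} has no effect on {cipher}")
    tls = present.get("tls-cipher")
    if tls in DEPRECATED_TLS_CIPHERS:
        new = DEPRECATED_TLS_CIPHERS[tls]
        warnings.append(f"tls-cipher {tls} is a deprecated name; use {new}")
        directives[index["tls-cipher"]][1] = new
    if "auth-user-pass" in present and "auth-nocache" not in present:
        warnings.append("auth-user-pass without auth-nocache: add auth-nocache "
                        "so the password is not kept in memory after use")
    return [f"{k} {v}".strip() for k, v in directives], warnings


if __name__ == "__main__":
    ADVANCED = ("remote-cert-tls server\nresolv-retry infinite\nverb 3\n"
                "auth SHA256\nkeysize 256\ntls-cipher DHE-RSA-AES256-SHA\n")
    lines, warns = effective_config(gui_options(), ADVANCED)
    print("\n".join(lines))
    print("\n".join("WARNING: " + w for w in warns))
```

Run it on the six advanced lines from this post and it reports the SHA1-to-SHA256 override, the dead keysize line, the cipher rename, and the missing auth-nocache; add auth-nocache to the Advanced box and that last warning goes away.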

Create new Interface for OpenVPN

  1. Go to [Interfaces -> Assign]
  2. Under {Interface Assignments} there is an "Available network ports" drop-down; select ovpnc1() and click ADD, and the network interface OPT1 will be created
  3. Click on the OPT1 interface to edit it.
  4. Configure as follows:
    1. Description: ENVPN
    2. IPv4 Configuration Type: None
    3. IPv6 Configuration Type: None
    4. MAC Controls: Leave blank
    5. MTU: Leave blank
    6. MSS: Leave blank
    7. Block private networks: Unchecked
    8. Block bogon networks: Unchecked
  5. Save this configuration

Configure NAT Rules

  1. Go to [Firewall -> NAT]
  2. Go to the {Outbound} tab
  3. Change from "Automatic outbound NAT rule generation. (IPsec passthrough included)" to "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)"


Saturday, March 11, 2017

Windows 7 Universal disk

Build Process - Build new install.wim for all versions

-Make a directory g:\win_7_all
-copy en_windows_7_professional_with_sp1_x86_dvd_u_677056.iso into that directory
-copy en_windows_7_professional_with_sp1_x64_dvd_u_676939.iso into that directory
-Extract the contents of en_windows_7_professional_with_sp1_x86_dvd_u_677056.iso using winrar
-rename directory to win_7_32
-Extract the contents of en_windows_7_professional_with_sp1_x64_dvd_u_676939.iso using winrar
-rename directory to Win_7_64
-Download the 'Windows Assessment and Deployment Kit (ADK) for Windows® 8' from Microsoft (the link was here) and install it; the defaults are fine

Imagex /export G:\Win_7_all\win_7_64\Sources\install.wim 1 G:\win_7_all\Win_7_32\Sources\install.wim "Windows 7 Home Basic (x64)"
Imagex /export G:\Win_7_all\win_7_64\Sources\install.wim 2 G:\win_7_all\Win_7_32\Sources\install.wim "Windows 7 Home Premium (x64)"
Imagex /export G:\Win_7_all\win_7_64\Sources\install.wim 3 G:\win_7_all\Win_7_32\Sources\install.wim "Windows 7 Professional (x64)"
Imagex /export G:\Win_7_all\win_7_64\Sources\install.wim 4 G:\win_7_all\Win_7_32\Sources\install.wim "Windows 7 Ultimate (x64)"

-This builds an install.wim that carries all the images (editions) from both ISOs

Build Process - Build new ISO

-Install UltraISO
-copy en_windows_7_professional_with_sp1_x86_dvd_u_677056.iso to en_windows_7_all_with_sp1_.iso
-Open en_windows_7_all_with_sp1_.iso
-Replace sources\install.wim with G:\win_7_all\Win_7_32\Sources\install.wim
-Delete ei.cfg from the image (it is in the sources directory, beside install.wim; with it present, setup offers only the one edition it names)
-Recompile the ISO, this iso, en_windows_7_all_with_sp1_.iso will have all the editions of Windows 7 available

Build Process - Making USB

-Install the Windows 7 USB build tool
-Build a USB with any Windows 7
-Verify there is no ei.cfg on the USB
-Verify that the install.wim on the USB is the merged one (in this build it is over 3.7 GB and dated March 11, 2017)
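Checking the file size and date is a weak test of the merge. Here is an added example, mine and not from the original post, that reads the WIM header and the XML block embedded in the file and reports how many images it holds, which editions and architectures they are, and whether it is a split (spanned) WIM. The offsets follow the published WIMHEADER_V1 layout (208-byte header, image count at offset 44, XML resource descriptor at offset 72); build_sample_wim constructs a header-plus-XML stand-in so the functions can be exercised without a multi-gigabyte install.wim. Verifying the source ISOs' SHA-1 hashes against Microsoft's published values before extracting them is the other half of the check and is outside this script.

```python
"""Added example (not from the original post): inspect a WIM file's header
and embedded XML to confirm a merged install.wim carries every edition."""
import io
import struct
import xml.etree.ElementTree as ET

WIM_MAGIC = b"MSWIM\0\0\0"
HEADER_SIZE = 208                 # WIMHEADER_V1 is 0xD0 bytes
FLAG_COMPRESSION = 0x00000002
FLAG_SPANNED = 0x00000008
FLAG_COMPRESS_XPRESS = 0x00020000
FLAG_COMPRESS_LZX = 0x00040000
ARCH_NAMES = {"0": "x86", "5": "ARM", "9": "x64"}


def read_header(fp):
    """Fixed-offset fields of the WIM header; raises ValueError if not a WIM."""
    fp.seek(0)
    data = fp.read(HEADER_SIZE)
    if len(data) < HEADER_SIZE or data[:8] != WIM_MAGIC:
        raise ValueError("not a WIM file")
    cb_size, version, flags, chunk = struct.unpack_from("<IIII", data, 8)
    part, total, images = struct.unpack_from("<HHI", data, 40)
    # XML resource descriptor at offset 72: 7-byte size, 1 flag byte,
    # 8-byte file offset, 8-byte original size.
    xml_size = int.from_bytes(data[72:79], "little")
    xml_off, _orig = struct.unpack_from("<QQ", data, 80)
    return {"header_size": cb_size, "version": version, "flags": flags,
            "chunk_size": chunk, "part": part, "total_parts": total,
            "image_count": images, "xml_offset": xml_off, "xml_size": xml_size}


def list_images(fp):
    """(index, name, arch) for every <IMAGE> in the XML block, which is
    stored as UTF-16LE text and is never compressed."""
    hdr = read_header(fp)
    fp.seek(hdr["xml_offset"])
    text = fp.read(hdr["xml_size"]).decode("utf-16-le").lstrip("\ufeff")
    root = ET.fromstring(text)
    out = []
    for img in root.findall("IMAGE"):
        arch = img.findtext("WINDOWS/ARCH", default="?")
        out.append((int(img.get("INDEX")), img.findtext("NAME", default="?"),
                    ARCH_NAMES.get(arch, arch)))
    return out


def check_merged(fp):
    """Problems a merged x86+x64 install.wim must not have; [] means OK."""
    hdr = read_header(fp)
    images = list_images(fp)
    problems = []
    if hdr["total_parts"] != 1 or hdr["flags"] & FLAG_SPANNED:
        problems.append("split/spanned WIM: setup wants a single install.wim")
    if hdr["image_count"] != len(images):
        problems.append(f"header says {hdr['image_count']} images, "
                        f"XML lists {len(images)}")
    archs = {a for _, _, a in images}
    if not {"x86", "x64"} <= archs:
        problems.append(f"expected both x86 and x64 images, found {sorted(archs)}")
    return problems


def build_sample_wim(images, flags=FLAG_COMPRESSION | FLAG_COMPRESS_LZX):
    """Constructed stand-in: a valid header plus the XML block and no file
    data, returned as a BytesIO. images = [(name, arch_code), ...] where
    arch_code is "0" (x86) or "9" (x64)."""
    body = "<WIM>" + "".join(
        f'<IMAGE INDEX="{i}"><WINDOWS><ARCH>{arch}</ARCH></WINDOWS>'
        f"<NAME>{name}</NAME></IMAGE>"
        for i, (name, arch) in enumerate(images, 1)) + "</WIM>"
    xml = ("\ufeff" + body).encode("utf-16-le")
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = WIM_MAGIC
    struct.pack_into("<IIII", hdr, 8, HEADER_SIZE, 0x10D00, flags, 0x8000)
    struct.pack_into("<HHI", hdr, 40, 1, 1, len(images))
    hdr[72:79] = len(xml).to_bytes(7, "little")
    struct.pack_into("<QQ", hdr, 80, HEADER_SIZE, len(xml))
    return io.BytesIO(bytes(hdr) + xml)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fp:      # e.g. E:\sources\install.wim on the USB
        for idx, name, arch in list_images(fp):
            print(f"{idx:2d}  {arch:4s}  {name}")
        print(check_merged(fp) or "OK: single-part WIM with x86 and x64 images")
```

Point it at the install.wim on the finished USB: the listing should show the x86 editions followed by the four exported x64 ones, and check_merged should return an empty list. A split WIM or a missing architecture is reported instead of being discovered halfway through an install.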


Sunday, April 26, 2015

Virtual Windows 8 ... Sort of.

OK, I know there are people out there who love Windows 8, and those who don't really like it.  I am not going to debate that here, but let's say I need to advance with the times because of my job, so I will use Windows 8 and try to get the most out of it.

Having said that, I work with servers, so my main system is Windows 2012.  At first look Windows 2012 looks a lot like Windows 8, so why can't my Windows 2012 system also be my Windows 8 system?  I don't want a completely transformed OS, but I do want the best of both worlds.  So here are the things that I did to my system, which will hopefully guide you through your transformation.  As for why I did this, I can say only one thing: I want to play Halo: Spartan Strike on my computer as well as on my phone.

Add the Desktop Experience

This is a straightforward process, just adding a feature called 'Desktop Experience'.  If you need directions on how to add it, this web site has them.

Please remember that in order to use the Windows App Store, you need a Microsoft account, and your logon account cannot be the built-in Administrator account.

Install Halo: Spartan Strike

Go to the Windows Store and install it.  This application is not free, and for some reason I could not purchase it from within the Store, but I bought it on my phone, since it is a single purchase covering both phone and desktop; once that was done, it installed fine on Windows 2012.

Issue with running app and Xinput1_4.dll

Halo: Spartan Strike installed, but when it ran I got an Xinput1_4.dll error and it bombed out.  I found a better description of the error here, and then another page that comes with the files and an install script.

The script is straightforward and comes with 6 files.  Now, I normally don't trust such files, especially since they are not signed, and I didn't want to expose my system to any unscrupulous files, so I built a virtual Windows 8 machine and extracted the same files from it to install on my 2012 system.  I did compare my files to the downloaded files, and they were the same at the binary level, but better safe than sorry.

Once those files were added, the program worked fine, and I am hoping that all other DirectX games will behave as well.

Issue with keyboard - Halo: Spartan Strike

Now the program is running, but for some reason the mouse works and the keyboard does not.  For me the fix was simple: my system has a PS/2 keyboard and mouse, so I just added my USB wireless Logitech K400 keyboard, and now the game works!!!

Better Gaming experience - Xbox 360 Game controller

I have a working game, but using the keyboard is a little kludgy because the key bindings are fixed and you cannot change them; also, moving with WASD is a little choppy.

So I picked up a used Rock Candy controller.  It plugged in fine but didn't work.  I went to the vendor's web site, and they state the controller is for the Xbox 360, so there are no drivers for Windows.

Well, not being discouraged, I went looking for a Microsoft Xbox 360 controller driver from Microsoft and found it here.

I installed the driver, rebooted, and the controller worked fine.  It plays like a dream, and now I can spend all of my time killing the Covenant!!

I hope my work will enable you to play this game on Windows 2012, with your system primed to play other games from the Windows Store.

Saturday, April 25, 2015

Getting Windows 8 or 2012 to work as a guest under vSphere 4.1

There have been other blogs and knowledge base articles that describe how to get Windows 8/8.1 or Windows 2012 / 2012 R2 running under vSphere 4.1.  I plan to offer you a complete document with references.

For the guest configuration, I would choose the following:

Windows 2012 / 2012 R2
Guest OS: Windows 2008 R2
vCPU: 2
vMemory: 2GB
Network Card: E1000

Windows 8 / 8.1
Guest OS: Windows 7 (32 or 64 to match your media)
vCPU: 2, but 1 should work
vMemory: 1GB, but 2 would be better
Network Card: E1000

After you create the VM, but before the OS is installed, the VMX file needs to be modified, so use the vSphere client to do these steps:
  1. Browse to the datastore where the VMX file is located
  2. Download the VMX file to your Windows system
  3. Edit the file with an editor that preserves Unix line endings, like Notepad++, and add the following lines:
      bios440.filename = "bios.440.rom"
      mce.enable = "TRUE"
      cpuid.hypervisor.v0 = "FALSE"
      vmGenCounter.enable = "FALSE"
Then upload the updated VMX file and the BIOS ROM file from this location.  If you feel a little unsure about using a random file acquired from the internet, there are directions on how to extract the file from VMware Player.  I have not done this yet, but I trust the ROM file that is in the VMware community.

Next just install the OS as normal, it should work fine, no BSOD.

Now, what I have not seen is anything on VMware Tools, and from what it looks like any version of VMware Tools that comes with 4.1 will corrupt the video and make it unusable, so when installing VMware Tools, use the OSP version.

Here is the root location of all the tools:
Here is the version that I have used successfully:
But guessing the latest which is for vSphere 6 would also work:
If you want to read more about OSP tools, this page is useful.

Good luck with your Windows 8 / 2012 builds!!

Tuesday, January 7, 2014

Updating blacklist in pfSense from

This is a modified procedure for SquidGuard that uses a local file instead of downloading the blacklist directly from  SquidGuard should be able to go to the website directly, download the list, and then update.

From my experience lately, either the download doesn't finish, or if it does finish, it isn't the full size.  So this modified procedure uses Firefox to download the file, transfers it to a Linux web server, and then lets pfSense pull it from that local source.

  1. Download the file bigblacklist.tar.gz from 
  2. Use WinSCP to copy to Linux box with web server
  3. Log into Linux box and copy bigblacklist.tar.gz to /var/www
  4. Go to pfSense box and login
  5. Services -> Proxy Filter, find the field blacklist URL, enter http://ipaddress/bigblacklist.tar.gz
  6. Go to the Tab 'Blacklist' click [download]
  7. Wait until complete
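Before copying the tarball to the web server it is worth confirming that the Firefox download is actually complete, since a truncated archive is exactly the failure this procedure works around. Here is an added example, mine and not from the original post, that checks the gzip trailer and lists the tar members, and optionally compares the size and SHA-256 against values you recorded from a known-good download; build_sample_tgz constructs a small stand-in archive so the check can be run without the real bigblacklist.tar.gz.

```python
"""Added example (not from the original post): confirm a downloaded
blacklist tarball is complete before serving it to pfSense."""
import gzip
import hashlib
import io
import tarfile


def verify_tgz(blob, expected_size=None, expected_sha256=None):
    """Return (ok, report) for the raw bytes of a .tar.gz download.
    A truncated file fails the gzip end-of-stream/CRC check or the tar
    member walk; a size or hash mismatch is reported before that."""
    report = {"bytes": len(blob), "members": 0,
              "sha256": hashlib.sha256(blob).hexdigest()}
    if expected_size is not None and len(blob) != expected_size:
        report["error"] = f"size {len(blob)} != expected {expected_size}"
        return False, report
    if expected_sha256 is not None and report["sha256"] != expected_sha256:
        report["error"] = "sha256 mismatch"
        return False, report
    try:
        raw = gzip.decompress(blob)          # verifies the CRC32/ISIZE trailer
        with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
            report["members"] = sum(1 for m in tar.getmembers() if m.isfile())
    except (EOFError, OSError, tarfile.TarError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
        return False, report
    return True, report


def build_sample_tgz(files):
    """Constructed stand-in for bigblacklist.tar.gz: {path: text} -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:        # e.g. bigblacklist.tar.gz
        ok, rep = verify_tgz(f.read())
    print("OK" if ok else "BAD", rep)
```

Run it against the file Firefox saved; only copy it to /var/www when it reports OK, and keep the size and SHA-256 from that run to pass as expected values next time.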

Monday, January 6, 2014

Syncing this Blog with other media sources

In order to get more exposure for this blog, I decided to publish it automatically to other sources like Facebook, Twitter, and LinkedIn.  So far I have just started with Facebook, and hopefully this set of directions will work:

Update 2014.01.13: added the ability to publish to Twitter using twitterfeed.

Thursday, January 2, 2014

Windows 8 / 2012 on ESXi 4.0 / 4.1 hosts

OK, so others have documented how to get Windows 8 and Server 2012 running on an ESXi 4.0 / 4.1 host.  I am not going to recreate the procedure, but here are links to some:

What I was curious about was where this bios.440.rom file came from and whether it is safe.  According to the first reference from the VMware Communities, it came from a VMware employee.  I did some more searching and found these two sites that detailed building / modifying BIOSes.

While it was detailed and looked like it used some files that were coming from questionable sources, the original toolkit was sound.

So I concluded to accept the file and not research further.