Host-to-LAN (OpenVPN) drop-in replacement from ZeroShell to OPNsense

Due to the lack of IPv6 support in ZeroShell I have recently had to move to a different routing operating system.

My setup is fairly complex with lots of needs:

-The ability to tcpdump
-Failover and routing rules for multiple internet connections
-VPN hosting for me to get into my network remotely and site-to-site to access remote LANs.
-Multiple IPs per LAN interface
-A mix of NAT and PPPoE routed subnets.
-Requirement to be able to “intercept” and give my own responses to DNS zones and hosts.
-QoS to prevent a single device on the network causing my internet to perform badly.
-NTP Server
-Bandwidth reporting globally and per device.

Lots of you may be saying "just do NTP on a Linux machine" or similar, which I could do. But it is nice to have all of the above in a single system, and my previous ZeroShell setup did exactly that.

After a bit of hunting around, OPNsense looked like a suitable replacement.

This article covers what you need to set on OPNsense to allow Windows-based OpenVPN TAP clients to connect to the new OPNsense box without changing their existing client configuration.
I use only user and password authentication, so things may differ if you use certificate authentication for users.

To start, on your ZeroShell machine take a copy of the certificate and private key for the certificate authority. The private key is what lets anyone issue certificates your clients will trust, so move it over a secure channel and delete any intermediate copies afterwards:

root@zeroshell ssl> cat /Database/etc/ssl/certs/cacert.pem




root@zeroshell ssl> cat /Database/etc/ssl/private/cakey.pem



On OPNsense go to System > Trust > Authorities and click Add.
Give the Certificate Authority a name, choose the method that imports an existing CA, and paste the certificate data (the "cacert.pem" content) into the certificate box and the "cakey.pem" content into the private key box.

To find the serial number for the next certificate, go to the ZeroShell web interface and then "X.509 CA". Look at the Serial column, find the highest number used, and add one. On my system it was 8, so on OPNsense I entered 9. Serials must be unique per CA (revocation is tracked by serial), so don't reuse a number ZeroShell has already issued.

Click Save on OPNsense.
Still in the Trust menu, click Certificates, then Add.
Change the Method to "Create an internal Certificate".
Give it any name you like, choose the CA you just imported as the issuing certificate authority, and make sure "Type" is set to "Combined client/server certificate".
Fill in the State, City, Organisation etc. and click Save.

Now go to VPN on the left menu of OPNsense, then OpenVPN.
Click Servers, click Add, and type in any description you like.
In Server Mode select "Remote Access (User Auth)".
Backend for authentication needs to be "Local Database".
On Protocol I had to select UDP4: with plain UDP the server appeared to listen only on IPv6. OPNsense is FreeBSD-based, and a dual-stack IPv6 socket there does not accept IPv4 connections by default, so the IPv4-only protocol is the safe choice.
Make sure Device Mode is "TAP", the old-style layer-2 connection that ZeroShell used. Make sure the Interface to listen for connections on is selected correctly and that the Local port is the same as you used on ZeroShell.

Untick "TLS Authentication // Enable authentication of TLS packets." The existing ZeroShell clients have no tls-auth key, so leaving this on would make the server reject their handshakes. Be aware this also drops the extra HMAC check on control packets, so re-enable it once the clients have been reconfigured with a key.

In Peer Certificate Authority select the CA you imported from ZeroShell in the first step (the pasted pem files).

In Server Certificate select the certificate you created rather than "Web GUI SSL". The existing clients verify the server against the ZeroShell CA already in their config, so the server certificate must be the one issued by the imported CA.

In the "IPv4 Tunnel Network" box type in "" if you use the default ZeroShell setup; otherwise copy the IP range you use in the ZeroShell "Client IP Address Assignment" box on the "Host-to-LAN" screen. ZeroShell expresses this as a "from IP to IP" range and OPNsense wants CIDR notation, so the range needs converting first.

In the “IPv4 Remote Network” box type in: “”

In the "Compression" drop-down select "Enabled without Adaptive Compression". This has to match what the old client configs expect or the tunnel will come up but pass no traffic. Compression on a VPN is known to leak information about the plaintext (the VORACLE attack), so plan to turn it off on both ends once the clients are updated.

On my setup I ticked both "Dynamic IP" and "Address Pool". "Dynamic IP" corresponds to OpenVPN's float option, which lets a client keep its session if its source address changes; "Address Pool" makes the server hand out addresses from the tunnel network to clients. I'm not sure either is strictly needed for this migration, so if you know better, select what you think is best and leave me a comment.

I ticked "DNS Servers" and typed in the first IP within the "IPv4 Tunnel Network" range, which in the default setup is "" for "Server #1".
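The two calculations above (turning ZeroShell's "from IP to IP" range into the single CIDR block OPNsense wants, and picking the first address of that block for the DNS Servers box) are easy to get wrong by hand. This is an added example, not code from the post; the ranges in it are constructed and not the values from my ZeroShell. It also reports how many addresses a covering block adds beyond the original range, because a range that is not an exact power-of-two block can only be expressed as one CIDR by widening it.

```python
import ipaddress

# Constructed example ranges; the post's own values are not reproduced here.


def range_to_cidr(start: str, end: str) -> list:
    """Exact CIDR blocks covering start..end inclusive (may be more than one)."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a > b:
        raise ValueError("range start is after range end")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def covering_network(start: str, end: str):
    """Smallest single CIDR block containing the whole range, plus how many
    addresses it adds beyond it. OpenVPN's tunnel network must be one block,
    so this is what goes in the OPNsense box; extras > 0 means the server may
    hand out addresses ZeroShell never used."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a > b:
        raise ValueError("range start is after range end")
    for prefix in range(a.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        if b in net:
            extras = net.num_addresses - (int(b) - int(a) + 1)
            return str(net), extras
    raise AssertionError("unreachable: a /0 contains every address")


def first_usable(cidr: str) -> str:
    """First host address in the block: the address the post puts in the
    DNS Servers box."""
    net = ipaddress.ip_network(cidr)
    if net.num_addresses < 4:
        raise ValueError("tunnel network too small for a server and clients")
    return str(net[1])


if __name__ == "__main__":
    for lo, hi in [("10.8.0.1", "10.8.0.254"), ("192.168.250.10", "192.168.250.200")]:
        net, extras = covering_network(lo, hi)
        print(f"{lo}-{hi}: exact blocks {range_to_cidr(lo, hi)}")
        print(f"  use {net} (adds {extras} addresses); DNS/server address {first_usable(net)}")
```

If `covering_network` reports extras, check that none of those addresses are in use elsewhere on the LAN before using the block.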

The screenshot below shows my setup. Note that I use an unusual UDP port; most default setups will be on a port like 1194.

Once done, make sure your users exist in OPNsense under System > Access > Users with the same usernames and passwords the clients already use. The root / administration user can also connect without adding any other users, but don't rely on that: a VPN login that is also the firewall admin account is a bad trade, so create dedicated accounts for VPN users.

The firewall will also need an inbound rule on the WAN interface for the OpenVPN UDP port, and rules on the OpenVPN interface to allow whatever traffic the connected clients should be able to send.


Hope this helps. It was a lot of trial and error to get to this stage, so documenting it will also help me in the future.


Posted in Uncategorized | Leave a comment

“” and YouTube comment spam.

Appearing in the last 5 days is a domain “” that seems to be being used in an affiliate / spam marketing comments scheme on YouTube.


The comments all have a link in and sing about how amazing whatever product it is, is.

Every Spammer user on YouTube has about 3 or 2 videos and a premier or two set to go. Plus a playlist of some videos.

The links to contain a unique affiliate number so that clickthrough can be tracked.

At the time of writing most of the links just go to images of the product but I assume that once the spam has gone undetected the links will change to places to buy the product.

Most people will think that the comments are just helpful and showing a photo of the product so leave the comment alone? Then profit at a later date by changing where the link forwards to.

Beware. Spam. Don’t click the link and certainly don’t buy from anything you find if you do click the link.

A username of “mupking” is another artefact related to the domain


Ransomware by runlocker / ranlock

Pandemics do not stop malware script kiddies.

Today's case is a (pretty much honeypot) computer with VNC enabled on the default port and a simple password (a single lower-case dictionary word) that got brute-forced by someone.

The attacker then checked whether the machine was on a network and what other users were on the computer.


All files across the drive were encrypted with a file extension specific to the infection instance. (Screenshot: 2020-04-06_14_04_11.png)

And the ransom note "!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt" contained:


All your files, documents, photos, databases and other important files are encrypted.

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email: and decrypt one file for free.
But this file should be of not valuable!

Do you really want to restore your files?
Write to email:
Reserved email:

Your personal ID: A50-90E-EC9

* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The timeline shows they got into the computer in March at around 42 minutes past midnight.
Then at 01:12 they snooped through the files (not much on the honeypot system, but they did open a file called "password.txt").

At 01:14 they downloaded a file using Chrome:

which in turn provides a .exe file called "zeppelin.exe".

MD5	7e867d82199a59d28ce35d31ea688dee
SHA-1	52adcf0361aa8fb3a34daa1bb67a620d58b2b8a7
SHA-256	b3a71d2611660242a98236e332e964bf9c1e6d647b570cc650e2815d8054afc5

The initial attempt to download this file was blocked by Microsoft Windows Defender; the attacker then manually snoozed / turned off Defender to complete the attack.
The file is likely copied to c:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\spoolsv.exe and is detected as "Ransom:W32/ZZeppelin.A!MSR". The name imitates the legitimate print spooler, which lives in C:\Windows\System32, so a spoolsv.exe anywhere under a user profile is a useful thing to hunt for.


At 01:16 they fired off the encryption of all the files.

Possibly linked, or possibly a different attacker: a PowerShell script was also run at 10:11:48 on 03/04/2020 which fetched something from hxxp:// . That appears to be a base64-encoded file containing a further PowerShell script, which in turn contains another base64-encoded blob that needs a binary XOR to produce a valid file.

Windows Defender also identifies this file.

MD5	4a79e1626ce14d7ae5f5b7965c872103
SHA-1	350cfa0b6f502672cb5e15ce10e17bc17632e749
SHA-256	35cd8737cebb9f72db999a49b260c5d9188615b31302d8e7d01b4f37ba4609db
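The layered base64 / base64 / XOR unpacking described above is the sort of thing CyberChef does interactively; here is the same peeling done in Python as an added example. It is not the attacker's script and the sample it works on is constructed (a fake MZ header and DOS stub standing in for the real executable, with an assumed single-byte XOR key), so it runs offline. The `recover_key` step goes slightly beyond the post: rather than reading the key out of the script, it brute-forces all 256 single-byte keys and keeps the one that yields something that looks like a PE file, which is what you do when the stage-2 script is obfuscated enough that the key is not obvious.

```python
import base64
import re

# Constructed stand-in for the dropper described above: NOT the attacker's file.
# The innermost payload is a fake PE-like blob (MZ header + DOS stub text).
FAKE_BINARY = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode.\r\n$"
XOR_KEY = 0x5A  # assumed single-byte key for the sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def build_sample() -> str:
    """Build the layered sample: base64( script containing base64( xor(binary) ) )."""
    inner_b64 = base64.b64encode(xor_bytes(FAKE_BINARY, XOR_KEY)).decode()
    stage2 = (
        '$b=[Convert]::FromBase64String("%s")\n'
        '$k=%d\n'
        'for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor $k}\n'
        '[IO.File]::WriteAllBytes("$env:APPDATA\\spoolsv.exe",$b)\n'
    ) % (inner_b64, XOR_KEY)
    return base64.b64encode(stage2.encode()).decode()


def extract_base64_blobs(text: str, min_len: int = 40) -> list:
    """Find long base64-looking runs; shorter runs are just identifiers."""
    return re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check for a decoded Windows executable."""
    return data[:2] == b"MZ" and b"This program" in data


def recover_key(data: bytes):
    """Brute-force a single-byte XOR key, scoring candidates with looks_like_pe."""
    for key in range(256):
        if looks_like_pe(xor_bytes(data, key)):
            return key
    return None


def unpack(outer_b64: str):
    """Peel the layers: outer base64 -> script, inner base64 -> XOR'd bytes -> file.
    Returns (stage2_script, key, decoded_bytes); key and bytes are None if no
    embedded blob decodes to something PE-like."""
    stage2 = base64.b64decode(outer_b64).decode("utf-8", errors="replace")
    for blob in extract_base64_blobs(stage2):
        try:
            encoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        key = recover_key(encoded)
        if key is not None:
            return stage2, key, xor_bytes(encoded, key)
    return stage2, None, None


if __name__ == "__main__":
    script, key, payload = unpack(build_sample())
    print(script)
    print("key=0x%02X payload starts %r" % (key, payload[:16]))
```

For a real sample, replace `build_sample()` with the base64 text pulled from the fetched file, and hash the recovered bytes before doing anything else with them; the output of this step is a live executable, so keep it off a machine that would run it.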

I must say a massive thank you to GCHQ for their tool CyberChef, which made analysing this so much easier.


Capita SIMS FMS and “Unable to write to SIMS.INI” error.

I've spent a bit of time trying to work out why FMS from Capita would produce the following error when trying to add a journal in the "Add Journal Wizard":


“SIMS FMS Module”
“Unable to write to SIMS.INI.”

Process Monitor shows FMS accessing c:\windows\sims.ini before erroring. Setting this file to be writable by Everyone does not solve the issue, and Process Monitor shows no failed operations, yet FMS still claims it is unable to write to SIMS.INI.

In my instance I couldn’t see any other attempts to access or write anywhere.

The solution turned out to be the user having an invalid "Home folder" path set in their domain user properties. I probably couldn't see the failed file access because the path pointed at a server that no longer existed: the OS couldn't resolve the name, so it never got as far as attempting a write to that file share.

So if you find similar errors, check that the paths in the user's domain account are all still valid and reachable.


SIP (VoIP) Problems on a Huawei H112-370 on Vodafone UK

I have recently had to move a VoIP system from a DrayTek router on a BT VDSL (Infinity) line to a Vodafone UK data SIM and contract.

Vodafone supplied a “HUAWEI 5G CPE Pro” router – model number H112-370.
I think Vodafone call it a “Gigacube 5G”.

Nice bit of kit, easy to configure with a fairly nice web interface and an ethernet socket for connection into a larger wired local network.

Shortly after migration to the new 4G (no 5G coverage yet!) internet via the Vodafone SIM, the first problem cropped up: when you were in a call and pressed a button on a SIP handset, the call would drop. This made IVR / voice menu selection difficult: "Press 1 to speak to Sales" (press it) <call drops>.

This was solved by simply turning "SIP ALG" (Application Layer Gateway) off on the router. A SIP ALG rewrites SIP headers and SDP bodies as they pass through the router and frequently mangles them, so disabling it is the usual first step for SIP problems behind a consumer router.


Find the setting under “Advanced” –> “Security” –> “SIP ALG Settings” –> and change the status of “SIP ALG status” to off.

The second problem took longer to become evident.
Randomly, calls would not flow into the business. Outbound calls were fine, but inbound calls would sit at the SIP provider and eventually time out or hit voicemail with a 183 status code.

I’ve seen something like this in the past where an ISP had load balanced WAN IPs. In the previous instance it was solved by giving the phone system it’s own public IP.

On Vodafone UK this isn't possible. Unlike the UK network Three, Vodafone don't give customers a public IP (which also means you can't do things like port forwarding). Vodafone use Carrier Grade NAT (CGNAT), and this could be causing the problem. It is also possible that the NAT timeout on the Huawei router itself is the cause.

Most likely the idle time between SIP registrations lets the NAT session expire, so unsolicited packets from the SIP provider (the inbound INVITEs) get thrown away and never reach the phone system.

This seems to have been reliably solved by adding a keepalive of 20 seconds on the SIP trunk / SIP settings. If you use Asterisk with PJSIP you can view instructions on how to do it here. If you use a VoIP phone and have similar problems, look for a Keep Alive setting.
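As an added illustration (not from the post or from the instructions it links to), this is what the keepalive looks like in an Asterisk pjsip.conf trunk. The section names, provider host and credentials are placeholders. `qualify_frequency` sends a SIP OPTIONS to the provider every 20 seconds, which is the traffic that keeps the CGNAT mapping alive; a shorter registration `expiration` is belt-and-braces for the same problem, and `force_rport` / `rtp_symmetric` make Asterisk reply to the address and port the packets actually arrived from, which is what you want behind any NAT.

```ini
; Added example, not the post's configuration. Names, host and credentials are
; assumptions; substitute your provider's values.

[vodafone-trunk]
type=registration
outbound_auth=vodafone-trunk-auth
server_uri=sip:sip.provider.example
client_uri=sip:USERNAME@sip.provider.example
; re-register well inside the carrier NAT idle timeout
expiration=120

[vodafone-trunk-auth]
type=auth
auth_type=userpass
username=USERNAME
password=PASSWORD

[vodafone-trunk]
type=aor
contact=sip:sip.provider.example
; send SIP OPTIONS every 20 s so the NAT mapping never goes idle
qualify_frequency=20

[vodafone-trunk]
type=endpoint
context=from-trunk
disallow=all
allow=alaw
allow=ulaw
aors=vodafone-trunk
outbound_auth=vodafone-trunk-auth
; behind NAT: answer to the address/port each packet came from
force_rport=yes
rtp_symmetric=yes
direct_media=no
```

After reloading, `pjsip show aors` should show the contact as Avail with a round-trip time; if it flips to Unavailable the OPTIONS replies are being dropped, which points back at the router rather than the keepalive interval.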

Good luck.


Polycom Conference Phone Comparison

It seems very difficult to find information on Poly / Polycom conference VoIP phones, so I've made a table, correct as far as I can research and valid at the time of publishing.

An image is here and a searchable, copyable table is below.



Feature / Phone | SoundStation IP 5000 | SoundStation IP 6000 | RealPresence Trio 8500 | SoundStation IP 7000
--- | --- | --- | --- | ---
802.3af PoE (Power over Ethernet, built in) | Y | Y | Y | Y
Optional external universal AC power | Y | Y | Y | Y
Loudspeaker frequency | 250 – 7,000 Hz | 220 – 14,000 Hz | 180 – 14,000 Hz | 160 – 22,000 Hz
Peak volume at 1/2 metre | 84 dB | 86 dB | 90 dB | 88 dB
Voice activity detection | Y | Y | Y | Y
Comfort noise generation | Y | Y | Y | Y
Adaptive jitter buffers | Y | Y | Y | Y
Packet loss concealment | Y | Y | Y | Y
Acoustic echo cancellation | Y | Y | Y | Y
Background noise suppression | Y | Y | Y | Y
Codec: G.711 (A-law and µ-law) | Y | Y | Y | Y
Codec: G.729a (Annex A, B) | Y | Y | N | Y
Codec: G.722 | Y | Y | Y | Y
Codec: Siren | N | Y | Y | Y
Codec: iLBC | Y | Y | N | N
Local conferencing | 3 way | 3 way | 5 way | 3 way
Ethernet | 10/100 | 10/100 | Gigabit | 10/100
Warranty | 1 year | 1 year | 1 year | 1 year
Dimensions (cm, L x W x H) | 28.5 x 26.5 x 6.5 | 36.8 x 31.1 x 6.4 | 35.6 x 30.9 x 7 | 39.4 x 37.2 x 7.3
Weight | 0.52 kg | 0.8 kg | 0.99 kg | 1.08 kg
Backlit display | Y | Y | Y | Y
Touch screen colour display | N | N | Y | N
Audio in (use with a PC or mobile phone) | N | 2.5 mm | N | 2.5 mm
Price (inc. VAT) | £217.49 | £329.49 | £637.42 | £453.49
Source of price | | | |

Powershell: Search docx and doc content in folders

I've recently needed to search the content of a huge set of shared folders for documents containing a specific word.

PowerShell made it fairly easy. I've also included PDF in the mix, as a plain text match _sometimes_ works for older-format PDF documents (where the page text is stored uncompressed).

$directoryToSearch = 'C:\temp'
$lookingfor = 'surreysendlo'
$word = New-Object -ComObject Word.Application
$word.Visible = $false
Get-ChildItem -Path $directoryToSearch -Include "*.doc*", "*.pdf" -Recurse -File | ForEach-Object {
  $file = $_.FullName
  if ($_.Extension -like '.doc*') {
    # Let Word open the document read-only and use its own Find, then close without saving
    $doc = $word.Documents.Open($file, $false, $true)
    if ($doc.Content.Find.Execute($lookingfor)) {
      Write-Host "WARNING: $file contains $lookingfor"
    }
    $doc.Close(0)
  } else {
    # PDF: crude text match, only works when the text is not compressed inside the file
    if ((Get-Content $file -Raw) -match [regex]::Escape($lookingfor)) {
      Write-Host "WARNING: $file contains $lookingfor"
      #Add-Content c:\temp\log.txt "WARNING: $file contains $lookingfor"
    }
  }
}
$word.Quit()

IYOGI / "" tech support scammers.

Not often that one of the tech support scammers proactively alerts me to their new scam company!


In 2015 and 2016 I blogged about a tech support scam company called "onlineresolve".
It seems they have resurfaced under the names:

"IYOGI Tech Support" and ""
Using the telephone number +1 (740) 251-9233 (aka 7402519233 / "740 251 9233")
And the postal address "3937 Heliport Loop, Dugger, IN 47848, USA"

They e-mailed the contact information previously given to onlineresolve, claiming that my "Computer services" order is set to automatically renew in 2 days and that I will be charged $499.99 (somehow; I never gave any payment details when I came across them in 2015 and 2016).

It looks like the email has gone out to at least 9,000 other people.

Other associated hostnames:, and “”


Duplicati 2 SQL VSS error message on edit

This is more for my own reference in the future.

If Duplicati 2 comes up with a VSS error box when creating or editing a backup set:

  1. Make sure the VC Redist 2017 is installed.
  2. Make sure that the SQL Server VSS Writer service account (Local System by default) has access to the SQL Server instance. Granting it the sysadmin role is what makes the writer work:

use master
sp_addsrvrolemember 'NT AUTHORITY\SYSTEM','sysadmin'

Note that this gives every process running as Local System on that host full control of the SQL instance, and that sp_addsrvrolemember is deprecated in current SQL Server releases (it still works). Grant it on the backup host only, and review who else can run code as SYSTEM there.

“Use once” dynamic phishing Part 2

I've had to start another post as the previous one was many, many pages long.

For information on the phishing please see this page, and this page for the forensic investigation results.

However here are the latest indicators of compromise.

11/08/2019: with host names…

“” with hostnames….

26/08/2019 with host names…

14/09/2019 with hostnames:
