systemd

/etc/systemd/system - default location for system units
~/.config/systemd/user - default location for user units

Commands

Flags for operating on user units are given in []

# reload units and timers
systemctl [--user] daemon-reload
# show all units (including disabled)
systemctl [--user] list-units -a
# view logs for unit
# also accepts:
#   -f               | tail the log
#   --user-unit foo  | target user unit instead of system
#   --boot=0         | show logs from current boot (-1 for previous, etc)
journalctl --unit foo

Examples

A simple service unit

foobar.service

 [Unit]
 Description=example service

 [Service]
 WorkingDirectory=/path/to/dir
 Environment="FOOBAR=foo"
 ExecStart=foobar.sh

 [Install]
 WantedBy=multi-user.target

A simple timer unit

foobar.timer

 [Unit]
 Description=example timer

 [Timer]
 # run every 15 minutes (aligns to the hour)
 OnCalendar=*:0/15
 # run the job immediately when the timer is activated if a scheduled run was missed (e.g. the machine was off)
 Persistent=true

 [Install]
 WantedBy=timers.target

Basic Arch Install

dhcpcd

timedatectl set-ntp true


fdisk /dev/sda 

# Create 300MB boot, 2GB swap, and leave the rest for root

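# format the swap partition created above (the command is mkswap, not mkswp)
mkswap /dev/sda2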

mkfs.ext4 /dev/sda3

mount /dev/sda3 /mnt

swapon /dev/sda2

# edit /etc/pacman.d/mirrorlist to change mirror order **

pacstrap /mnt base

genfstab -p /mnt >> /mnt/etc/fstab

arch-chroot /mnt

ln -s /usr/share/zoneinfo/America/Indianapolis /etc/localtime

hwclock --systohc --utc

# uncomment en_US locales in /etc/locale.gen **

locale-gen

# enter hostname in /etc/hostname **

mkinitcpio -p linux

passwd

grub-install --target=i386-pc --recheck --debug /dev/sda

grub-mkconfig -o /boot/grub/grub.cfg

exit

reboot

pacman -S vim htop git

pacman -S xorg-server xf86-video-ati xorg-xinit

Generic Linux Install

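# Copy bootable image to flash drive (status=progress requires coreutils >= 8.24).
# if= is the source image and of= is the target device; double-check /dev/sdX
# before running, dd overwrites the device without asking.
dd if=foobar.iso of=/dev/sdX status=progress && sync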

iptables

Commands

# list all tables
iptables -L -n -v
# (fedora) save iptables rules and remember to disable firewalld
iptables-save > /etc/sysconfig/iptables

Examples

# allow ssh
# must allow incoming connection and response

# append rule to input (-A INPUT) on input interface enp6s0f0 (-i enp6s0f0) 
# with destination port 22 (--dport 22).  use 'state' module (-m state)
# and allow new and established connections (--state NEW,ESTABLISHED)
# jump to target ACCEPT (-j ACCEPT)
iptables -A INPUT -i enp6s0f0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# append rule to output (-A OUTPUT) on output interface enp6s0f0 (-o enp6s0f0) 
# with source port 22 (--sport 22).  use 'state' module (-m state)
# and allow established connections (--state ESTABLISHED)
# jump to target ACCEPT (-j ACCEPT)
iptables -A OUTPUT -o enp6s0f0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# filter table: flush all chains, and delete all user added chains
iptables -F
iptables -X
# nat table: flush all chains, and delete all user added chains
iptables -t nat -F
iptables -t nat -X

LVM

Adding

# create new lv `foo` in group `foo_group`
lvcreate -L 10G foo_group -n foo

Deleting

lvremove /dev/[vgname]/[lvname]

LXC

https://www.flockport.com/enable-lxc-networking-in-debian-jessie-fedora-and-others/

Config examples

/etc/lxc/lxc.conf - set path for containers to be stored (default /var/lib/lxc)

lxc.lxcpath = "/lxc"

/lxc/containername/config

lxc.network.type = veth
lxc.network.link = virbr0
lxc.network.hwaddr = fe:0e:86:4b:b4:c0
lxc.network.flags = up
lxc.rootfs = /dev/fedora/container_name
lxc.rootfs.backend = lvm

# Include common configuration
lxc.include = /usr/share/lxc/config/fedora.common.conf

lxc.arch = x86_64
lxc.utsname = container_name

iptables config

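sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp6s0f0 -j MASQUERADE

# Per-container forwarding.  The FORWARD rules use a single-host destination:
# with a /24 mask they would match the whole 192.168.1.0/24 subnet, so every
# container would be reachable no matter which block it is listed under.
# -I/-A do not de-duplicate: running this file twice inserts every rule twice
# (check with `iptables -S` / `iptables -t nat -S` and flush first if needed).
### PLUG ###
iptables -I FORWARD -m state -d 192.168.1.100 --state NEW,RELATED,ESTABLISHED -j ACCEPT
#webserver
iptables -t nat -I PREROUTING -p tcp --dport 10080 -j DNAT --to-destination 192.168.1.100:80
#ssh
iptables -t nat -I PREROUTING -p tcp --dport 10022 -j DNAT --to-destination 192.168.1.100:22
#irc
iptables -t nat -I PREROUTING -p tcp --dport 8001 -j DNAT --to-destination 192.168.1.100:8001
#minetest
iptables -t nat -I PREROUTING -p udp --dport 30000 -j DNAT --to-destination 192.168.1.100:30000
#poop
iptables -t nat -I PREROUTING -p udp --dport 2301 -j DNAT --to-destination 192.168.1.100:2301
iptables -t nat -I PREROUTING -p udp --dport 2303 -j DNAT --to-destination 192.168.1.100:2303
iptables -t nat -I PREROUTING -p udp --dport 23682 -j DNAT --to-destination 192.168.1.100:23682

### John ###

iptables -I FORWARD -m state -d 192.168.1.101 --state NEW,RELATED,ESTABLISHED -j ACCEPT
#webserver
iptables -t nat -I PREROUTING -p tcp --dport 10180 -j DNAT --to-destination 192.168.1.101:80
#ssh
iptables -t nat -I PREROUTING -p tcp --dport 10122 -j DNAT --to-destination 192.168.1.101:22
#mosh
iptables -t nat -I PREROUTING -p udp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
iptables -t nat -I PREROUTING -p tcp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001

### cannon ###
iptables -I FORWARD -m state -d 192.168.1.103 --state NEW,RELATED,ESTABLISHED -j ACCEPT
#ssh
iptables -t nat -I PREROUTING -p tcp --dport 10322 -j DNAT --to-destination 192.168.1.103:22

### evan ###
iptables -I FORWARD -m state -d 192.168.1.104 --state NEW,RELATED,ESTABLISHED -j ACCEPT
#ssh
iptables -t nat -I PREROUTING -p tcp --dport 10422 -j DNAT --to-destination 192.168.1.104:22
iptables -t nat -I PREROUTING -p tcp --dport 64738 -j DNAT --to-destination 192.168.1.104:64738

### epics ###
iptables -I FORWARD -m state -d 192.168.1.105 --state NEW,RELATED,ESTABLISHED -j ACCEPT
#ssh
iptables -t nat -I PREROUTING -p tcp --dport 10522 -j DNAT --to-destination 192.168.1.105:22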

/etc/sysconfig/iptables (generated by iptables-save). Note that the saved output shows each PREROUTING/POSTROUTING rule several times and all five FORWARD rules as `-d 192.168.1.0/24`: running the commands above more than once adds duplicate rules, and a /24 mask on `-d` matches the whole subnet rather than a single container.

# Generated by iptables-save v1.4.21 on Thu Sep  1 13:36:16 2016
*nat
:PREROUTING ACCEPT [8:799]
:INPUT ACCEPT [6:679]
:OUTPUT ACCEPT [1:56]
:POSTROUTING ACCEPT [1:60]
-A PREROUTING -p tcp -m tcp --dport 10522 -j DNAT --to-destination 192.168.1.105:22
-A PREROUTING -p tcp -m tcp --dport 64738 -j DNAT --to-destination 192.168.1.104:64738
-A PREROUTING -p tcp -m tcp --dport 10422 -j DNAT --to-destination 192.168.1.104:22
-A PREROUTING -p tcp -m tcp --dport 10322 -j DNAT --to-destination 192.168.1.103:22
-A PREROUTING -p tcp -m tcp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p tcp -m tcp --dport 10122 -j DNAT --to-destination 192.168.1.101:22
-A PREROUTING -p tcp -m tcp --dport 10180 -j DNAT --to-destination 192.168.1.101:80
-A PREROUTING -p udp -m udp --dport 23682 -j DNAT --to-destination 192.168.1.100:23682
-A PREROUTING -p udp -m udp --dport 2303 -j DNAT --to-destination 192.168.1.100:2303
-A PREROUTING -p udp -m udp --dport 2301 -j DNAT --to-destination 192.168.1.100:2301
-A PREROUTING -p udp -m udp --dport 30000 -j DNAT --to-destination 192.168.1.100:30000
-A PREROUTING -p tcp -m tcp --dport 8001 -j DNAT --to-destination 192.168.1.100:8001
-A PREROUTING -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.100:22
-A PREROUTING -p tcp -m tcp --dport 10080 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp --dport 10522 -j DNAT --to-destination 192.168.1.105:22
-A PREROUTING -p tcp -m tcp --dport 64738 -j DNAT --to-destination 192.168.1.104:64738
-A PREROUTING -p tcp -m tcp --dport 10422 -j DNAT --to-destination 192.168.1.104:22
-A PREROUTING -p tcp -m tcp --dport 10322 -j DNAT --to-destination 192.168.1.103:22
-A PREROUTING -p tcp -m tcp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p tcp -m tcp --dport 10122 -j DNAT --to-destination 192.168.1.101:22
-A PREROUTING -p tcp -m tcp --dport 10180 -j DNAT --to-destination 192.168.1.101:80
-A PREROUTING -p udp -m udp --dport 23682 -j DNAT --to-destination 192.168.1.100:23682
-A PREROUTING -p udp -m udp --dport 2303 -j DNAT --to-destination 192.168.1.100:2303
-A PREROUTING -p udp -m udp --dport 2301 -j DNAT --to-destination 192.168.1.100:2301
-A PREROUTING -p udp -m udp --dport 30000 -j DNAT --to-destination 192.168.1.100:30000
-A PREROUTING -p tcp -m tcp --dport 8001 -j DNAT --to-destination 192.168.1.100:8001
-A PREROUTING -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.100:22
-A PREROUTING -p tcp -m tcp --dport 10080 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp --dport 10522 -j DNAT --to-destination 192.168.1.105:22
-A PREROUTING -p tcp -m tcp --dport 64738 -j DNAT --to-destination 192.168.1.104:64738
-A PREROUTING -p tcp -m tcp --dport 10422 -j DNAT --to-destination 192.168.1.104:22
-A PREROUTING -p tcp -m tcp --dport 10322 -j DNAT --to-destination 192.168.1.103:22
-A PREROUTING -p tcp -m tcp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p tcp -m tcp --dport 10122 -j DNAT --to-destination 192.168.1.101:22
-A PREROUTING -p tcp -m tcp --dport 10180 -j DNAT --to-destination 192.168.1.101:80
-A PREROUTING -p udp -m udp --dport 23682 -j DNAT --to-destination 192.168.1.100:23682
-A PREROUTING -p udp -m udp --dport 2303 -j DNAT --to-destination 192.168.1.100:2303
-A PREROUTING -p udp -m udp --dport 2301 -j DNAT --to-destination 192.168.1.100:2301
-A PREROUTING -p udp -m udp --dport 30000 -j DNAT --to-destination 192.168.1.100:30000
-A PREROUTING -p tcp -m tcp --dport 8001 -j DNAT --to-destination 192.168.1.100:8001
-A PREROUTING -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.100:22
-A PREROUTING -p tcp -m tcp --dport 10080 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp --dport 10522 -j DNAT --to-destination 192.168.1.105:22
-A PREROUTING -p tcp -m tcp --dport 64738 -j DNAT --to-destination 192.168.1.104:64738
-A PREROUTING -p tcp -m tcp --dport 10422 -j DNAT --to-destination 192.168.1.104:22
-A PREROUTING -p tcp -m tcp --dport 10322 -j DNAT --to-destination 192.168.1.103:22
-A PREROUTING -p tcp -m tcp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p tcp -m tcp --dport 10122 -j DNAT --to-destination 192.168.1.101:22
-A PREROUTING -p tcp -m tcp --dport 10180 -j DNAT --to-destination 192.168.1.101:80
-A PREROUTING -p udp -m udp --dport 23682 -j DNAT --to-destination 192.168.1.100:23682
-A PREROUTING -p udp -m udp --dport 2303 -j DNAT --to-destination 192.168.1.100:2303
-A PREROUTING -p udp -m udp --dport 2301 -j DNAT --to-destination 192.168.1.100:2301
-A PREROUTING -p udp -m udp --dport 30000 -j DNAT --to-destination 192.168.1.100:30000
-A PREROUTING -p tcp -m tcp --dport 8001 -j DNAT --to-destination 192.168.1.100:8001
-A PREROUTING -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.100:22
-A PREROUTING -p tcp -m tcp --dport 10080 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp --dport 10522 -j DNAT --to-destination 192.168.1.105:22
-A PREROUTING -p tcp -m tcp --dport 64738 -j DNAT --to-destination 192.168.1.104:64738
-A PREROUTING -p tcp -m tcp --dport 10422 -j DNAT --to-destination 192.168.1.104:22
-A PREROUTING -p tcp -m tcp --dport 10322 -j DNAT --to-destination 192.168.1.103:22
-A PREROUTING -p tcp -m tcp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p udp -m udp --dport 60001 -j DNAT --to-destination 192.168.1.101:60001
-A PREROUTING -p tcp -m tcp --dport 10122 -j DNAT --to-destination 192.168.1.101:22
-A PREROUTING -p tcp -m tcp --dport 10180 -j DNAT --to-destination 192.168.1.101:80
-A PREROUTING -p udp -m udp --dport 23682 -j DNAT --to-destination 192.168.1.100:23682
-A PREROUTING -p udp -m udp --dport 2303 -j DNAT --to-destination 192.168.1.100:2303
-A PREROUTING -p udp -m udp --dport 2301 -j DNAT --to-destination 192.168.1.100:2301
-A PREROUTING -p udp -m udp --dport 30000 -j DNAT --to-destination 192.168.1.100:30000
-A PREROUTING -p tcp -m tcp --dport 8001 -j DNAT --to-destination 192.168.1.100:8001
-A PREROUTING -p tcp -m tcp --dport 10022 -j DNAT --to-destination 192.168.1.100:22
-A PREROUTING -p tcp -m tcp --dport 10080 -j DNAT --to-destination 192.168.1.100:80
-A POSTROUTING -o enp6s0f0 -j MASQUERADE
-A POSTROUTING -o enp6s0f0 -j MASQUERADE
-A POSTROUTING -o enp6s0f0 -j MASQUERADE
COMMIT
# Completed on Thu Sep  1 13:36:16 2016
# Generated by iptables-save v1.4.21 on Thu Sep  1 13:36:16 2016
*filter
:INPUT ACCEPT [93:6878]
:FORWARD ACCEPT [42:5487]
:OUTPUT ACCEPT [57:7040]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Sep  1 13:36:16 2016

Commands

# list container statuses and ip addresses (fancy mode)
lxc-ls -f
brctl show
brctl delbr virbr0
brctl addbr virbr0
ip link set virbr0 down
# set libvirtd ip range
virsh net-edit default
virsh -c lxc:/// net-define /etc/libvirt/qemu/networks/default.xml
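# the connection URI is lxc:/// (same as the net-define line above); lsc:/// is a typo
virsh -c lxc:/// net-start default
virsh -c lxc:/// net-autostart default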

#+begin_src bash

systemctl restart libvirtd.service

#+end_src

New Container Setup

New LXC containers are very barebones and need a bit of setup to be useful. Here is an overview of steps for various distros.

Debian

Setup PATH

# add /bin, /sbin to path
echo 'PATH=$PATH:/bin:/sbin'>>.bashrc

Install packages

# core commands
apt-get install apt-utils vim man tar less iputils-ping

# extra commands
apt-get install git zip autojump wget htop ncdu nload

Fedora

Install packages

# core commands
dnf install vim man

# extra commands
dnf install git zip autojump wget htop ncdu nload

Weechat

# enable notifications for any messages in buffer (works for Android client, too)
/buffer set highlight_regex .\ast{}.*

MDADM

Checking state and simulating failure

 # check RAID state
 cat /proc/mdstat  # look for failure, (F), after the drive name: sda1[0](F)

 # simulate a failed drive
 mdadm --manage --set-faulty /dev/md/pv00 /dev/sda1

 # remove faulty state by removing and readding
 mdadm --remove /dev/md/pv00 /dev/sda1
 mdadm --add /dev/md/pv00 /dev/sda1

Replacing a failed drive (sdc)

# set hard drive as failed
# mark as failed and remove
mdadm --manage /dev/md127 --fail /dev/sdc1
mdadm --manage /dev/md127 --remove /dev/sdc1

# write down serial number of failed drive
hdparm -i /dev/sdc1 | grep -i serial
shutdown -h now
# remove broken harddrive, insert the new hardddrive

# copy partition scheme from working harddrive to new harddrive
sfdisk -d /dev/sda | sfdisk /dev/sdc

# add new harddrive
mdadm --manage /dev/md127 --add /dev/sdc1

# verify that array is recovering
cat /proc/mdstat

Notifying on harddrive failure (gmail)

/etc/exim/exim.conf

# add this after `begin routers` in router config section
 send_via_gmail:
     driver = manualroute
     domains = ! +local_domains
     transport = gmail_smtp
     route_list = * gmail-smtp.l.google.com
# add this after `begin transports` in transports config section
 gmail_smtp:
     driver = smtp
     port = 587
     hosts_require_auth = gmail-smtp.l.google.com
     hosts_require_tls = gmail-smtp.l.google.com
# add this after `begin authenticators` in the authenticators config section.
# the password below is stored in plaintext, so keep exim.conf readable only by root and the exim user
 gmail_login:
     driver = plaintext
     public_name = LOGIN
     client_send = : sender_email@gmail.com : password_in_plaintext_here

/etc/mdadm.conf

MAILADDR destination_email@example.com
AUTO +imsm +1.x -all
ARRAY /dev/md/pv00 level=raid5 num-devices=4 UUID=1327a02b:b19f6696:0e3f8ac7:9615591c

Growing RAID size

This is useful if the RAID array needs to be grown by using up more free space (no added harddrive)

umount /dev/sda
umount /dev/sdb
umount /dev/sdc
umount /dev/sdd

# grow RAID array to 500GB (this will take a while)
mdadm -G /dev/md127 -z 500G

# resize physical volume to fit new RAID partition size
pvresize /dev/md127

Accessing via Live CD

If the array gets screwed up somehow, you can try mounting it on a livecd.

apt install mdadm

# assemble array from block devices
mdadm --assemble --scan

# mount array (assuming lvm)
apt install lvm2

# see if lv's are intact
lvscan

# mount lv
mount /dev/[vgname]/[lvname] /mnt/foo

Installing GRUB on a Live CD Mounted System

# mount root lv
mount /dev/[vgname]/root /mnt/root

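# mount live CD directories inside mounted lv (expansions quoted so the mount
# arguments cannot be word-split or glob-expanded)
for i in /dev /dev/pts /proc /sys /run; do sudo mount -B "$i" "/mnt/root$i"; done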

# chroot into root lv
chroot /mnt/root

# install grub to each device in array
grub2-install /dev/sda
grub2-install /dev/sdb
grub2-install /dev/sdc
grub2-install /dev/sdd

# update grub config
grub2-mkconfig -o /boot/grub2/grub.cfg

Auto FS

Auto FS + SSHFS allows the system to mount ssh filesystems on access and then automatically unmount after a certain timeout. The necessary tools are autofs and sshfs.

/etc/auto.master or /etc/auto.master.d/foobar.autofs or /etc/autofs/auto.master

# mounts all the entries listed in /etc/auto.sshfs in /mnt/ with the given options
# add the --verbose option here to debug mounting issues
# set --timeout to control when sshfs mount is automatically unmounted
/mnt /etc/auto.sshfs --timeout=180 --ghost

/etc/auto.sshfs

# make a mount to be used by auto.master
foobar -fstype=fuse,rw,IdentityFile=/home/evan/.ssh/foobar,port=22,allow_other :sshfs\#foo@example.org\:

AutoFS runs as root, so ensure that the host fingerprint has been added to /root/.ssh/known_hosts. You can add this easily by attempting an ssh login to foo@example.org from root.

su -
ssh foo@example.org
# enter yes

Resizing LUKS encrypted LVM

# expand the block device with fdisk, if necessary

# resize physical volume
pvresize --setphysicalvolumesize 111.8G /dev/sdb2
# be careful about using `-l +100%FREE`.  this broke /home until I manually shrank fedora--vg-home by a few GB
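# -L takes a size; -l takes an extent count (e.g. `-l +100%FREE`), so an 80G target needs -L
lvextend -L 80G /dev/mapper/fedora--vg-home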
resize2fs /dev/mapper/fedora--vg-home

Fixing Nodejs

https://bugzilla.redhat.com/show_bug.cgi?id=1125868

Rsync

# Sync permissions only. (useful if you forgot `-p` option in cp)
# Looks at filesize differences to determine if a copy is needed rather
# than timestamp (which gets reset when `-p` is left out of cp).
rsync --archive --size-only /src/foo /dest/bar

DNS Tunneling with iodine

Most of this was taken from http://dev.kryo.se/iodine/wiki/HowtoSetup

Domain Setup

On a domain you own (e.g. example.com), create an A record server.example.com pointing to the ip of a server you own and an NS record tunnel.example.com pointing to server.example.com.

To verify the setup is working, you can do:

# on the server
sudo nc -u -l -p 53

# on another device
dig +trace tunnel.example.com
# you should see some stuff printed out in the console on the server

Server Setup

# install iodine
dnf install iodine

# run iodine (as root in a screen session)
#  `password` is the password to use the tunnel; passed via -P it is visible
#  in the process list and shell history, so keep it out of shared shells
#  `192.168.99.1` is the ip of the server on the tunnel network
iodined -c -P password -f 192.168.99.1 tunnel.example.com

# set iptables rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i dns0 -o eth0 -j ACCEPT

# enable ip forwarding on the server (this write is not persistent across
#  reboots; a sysctl setting is needed for that)
#  unnecessary if you want to use `ssh -D 1234` for dynamic port forwarding
#  on the client (as opposed to setting default routes)
echo 1 > /proc/sys/net/ipv4/ip_forward

Client Setup

Alternatively, you can download a script that does this part from http://www.doeshosting.com/code/NStun.sh; read it before running it, since it changes your routes as root.

# launch iodine client and wait for a 'Connection setup complete' message
sudo iodine -f tunnel.example.com

# either use SSH for dynamic forwarding (one application at a time)  or set up routes

# ssh
ssh -D 1234 tunnel.example.com
# set Firefox to use socks proxy localhost on port 1234

# set up routes
# get the current gateway ip
ip route
# get the tunnel server ip
host server.example.com
# add a route for iodine to communicate with the outside world
sudo ip route add [server.example.com IP] via [current gateway IP]
# delete the default route for traffic
sudo ip route delete default
# add a default route so that all traffic is tunneled
sudo ip route add default via 192.168.99.1