Wed, 23 Feb 2011

Configure openvpn on a Debian server

These notes cover the installation of openvpn on a Debian server and client.
Once set up, all internet traffic from the client, browser traffic included,
will travel through the VPN and leave via the server. The server config
write-up is first, followed by the client write-up further down the page.

This presumes a routed setup (dev tun); ethernet bridging (dev tap) is not covered.

Begin by installing openvpn on both your server and your client.

# aptitude install openvpn

Switch to your server.

[server config]

First you must create the keys needed by both server and client.

# mkdir /etc/openvpn/easy-rsa
# cp -ai /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
# cd /etc/openvpn/easy-rsa/

(Copy the contents of 2.0/, not the directory itself, or the scripts end up in
easy-rsa/2.0/ and the cd above won't find them.)

# vi vars

In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY,
KEY_ORG, KEY_EMAIL, etc. Consider raising KEY_SIZE from the default 1024 to 2048
while you are there; build-dh then writes dh2048.pem instead of dh1024.pem, so
adjust the copy step and the dh line in server.conf below to match. Next, source
the vars file and then clean the directory (clean-all wipes keys/, so only run
it on a fresh setup).

# . ./vars
# ./clean-all

Next build the certificates. Each script prompts for a 'Common Name'. For the
Certificate Authority (build-ca) you can use anything to your liking; I used
'OpenVPN-CA-rustybear'. For the server certificate (build-key-server), use
'server'. For the client keys (build-key), use 'client1' or 'client2' or
whatever you like; I used 'client_kevin'. Give every client its own
certificate rather than sharing one, so a lost laptop can be revoked on its own.

# ./build-ca
# ./build-key-server server
# ./build-key client_kevin
# ./build-key client2

Generate the Diffie Hellman parameters for the server.

# ./build-dh

When this is done, you will have a number of files in the keys/ subdirectory.
Copy the files listed below to the server's /etc/openvpn directory. server.key
is the server's private key and ca.key is the CA's: keep both mode 600, and
leave ca.key in easy-rsa/keys (it is only needed to sign new certificates and
never belongs on a client).

# cd /etc/openvpn
# cp easy-rsa/keys/ca.crt .
# cp easy-rsa/keys/server.key .
# cp easy-rsa/keys/server.crt .
# cp easy-rsa/keys/dh1024.pem .

And copy the files needed for the client either directly to the client via scp
or on a USB disk. The client needs ca.crt, client_kevin.crt and
client_kevin.key (or whatever you named them when you ran build-key). Only
client_kevin.key is secret; don't send ca.key or server.key anywhere.

On the client machine, copy the client keys to the /etc/openvpn directory.

Next, still on the server, create the openvpn server config file. Start with
the example in the docs.

# cd /etc/openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .

Gunzip it if necessary then edit it. Here's a simple but workable example:

[server.conf]
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.107.105.13"
push "dhcp-option DNS 202.108.107.21"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Note the entries for 'push dhcp-option DNS'. These are pushed out to the client
and must be DNS servers reachable from the server side: once the client's
default route points into the tunnel, a resolver that only exists on the
client's own LAN is no longer the right one to ask, and leaving it in place
would send name lookups outside the VPN.
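As an added example (not from the original notes), here is the same server.conf
with the weaker choices commented out beside stronger ones. It assumes
KEY_SIZE=2048 was set in vars before build-dh (so the file is dh2048.pem), and
that a tls-auth key was generated with 'openvpn --genkey --secret
/etc/openvpn/ta.key' and copied to the client, which then needs
'tls-auth /etc/openvpn/ta.key 1' and the same 'cipher' line in client.conf.

```conf
# Added example: hardened variant of the server.conf above. Assumptions:
# dh2048.pem from KEY_SIZE=2048, ta.key from "openvpn --genkey --secret ta.key".
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# dh /etc/openvpn/dh1024.pem       # weaker: 1024-bit DH group
dh /etc/openvpn/dh2048.pem         # from KEY_SIZE=2048 in vars
# HMAC-sign every control-channel packet with a shared key. Packets without a
# valid HMAC are dropped before any TLS processing, so port scanners and
# TLS-layer bugs never get to talk to the server. Client side: "tls-auth ta.key 1".
tls-auth /etc/openvpn/ta.key 0
# Explicit data-channel cipher instead of the default (BF-CBC in this release);
# the client must carry the identical line.
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.107.105.13"
push "dhcp-option DNS 202.108.107.21"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
```

Keep ta.key mode 600 on both ends; it is a shared secret, and anyone holding it
can at least reach the TLS layer again.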

Now start the openvpn server with either of the following commands.

# /etc/init.d/openvpn start
or
# openvpn /etc/openvpn/server.conf

You will need to enable IP forwarding.

# echo 1 > /proc/sys/net/ipv4/ip_forward

You can make this a permanent change by uncommenting the line:

net.ipv4.ip_forward = 1

in the file /etc/sysctl.conf.

You'll also have to masquerade the VPN subnet on its way out, so replies come
back to the server. This will most likely be accomplished with something like
the following rule in iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This assumes 'server 10.8.0.0 255.255.255.0' in server.conf as described above
and that eth0 is the server's internet-facing interface. If your FORWARD chain
has a DROP policy, you will also need ACCEPT rules for traffic between tun0 and
eth0, or the forwarded packets will go nowhere.

Next, the client must be set up.

=====

[client config]

In the server section above, you created keys for the client; by now they
should be in /etc/openvpn on the client, along with ca.crt.

Next you need a client.conf file, a sample of which is found in the docs.

# cd /etc/openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
# vi client.conf

[client.conf]
client
dev tun
proto udp
remote 66.32.272.181 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_kevin.crt
key /etc/openvpn/client_kevin.key
ns-cert-type server
comp-lzo
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Some obvious things: You'll want to use your server's public IP or hostname for
the remote entry (the address in the sample is a placeholder; 272 is not a valid
octet). List your client keys and the server CA. Uncomment the user and group
entries. Keep 'ns-cert-type server': it makes the client refuse any peer whose
certificate was not issued by build-key-server as a server certificate, so a
stolen client certificate can't be used to impersonate the server. In later
OpenVPN releases the equivalent is 'remote-cert-tls server'.

Not so obvious are the last two lines.  These are the key to getting DNS to
work correctly on the client. You can check the README.Debian in the docs, but
basically you need to install the deb package resolvconf. Make sure you read
the README for resolvconf, as it can potentially conflict with other DNS
writing programs on your client.

The last two lines call the script update-resolv-conf, which should be in your
/etc/openvpn directory. The script will use resolvconf, and the DNS settings
of the openvpn server, to rewrite your client resolv.conf file.

To start openvpn on the client, issue the command:

# openvpn --script-security 2 --config /etc/openvpn/client.conf &

You'll need the --script-security setting to get the update-resolv-conf script
to execute; you can put 'script-security 2' in client.conf instead, and the
init script will then pick it up too.

Check your installation by pinging 10.8.0.1 from the client; that is the
server's address on the tunnel. Check it further by opening a browser and
going to http://www.whatismyip.com. It should return the IP of the server, not
the client. Note also that if you run ifconfig, you'll see a new entry for
tun0, and 'ip route' will show 0.0.0.0/1 and 128.0.0.0/1 via tun0: 'def1'
overrides the default route with two more-specific ones rather than replacing
it, so the old default route is still listed.
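The checks above, as an added script that is not part of the original notes. It
assumes the tunnel device is tun0 and that the resolvers are the two pushed by
the server config above; both can be overridden through TUN_DEV and VPN_DNS.
The two parsing functions take command output on stdin, so they can be tried on
saved output; '--live' runs them against the running system.

```shell
#!/bin/sh
# Added check script, not part of the original notes. Verifies what
# "push redirect-gateway def1" and the pushed DNS servers should achieve on
# the client. Assumptions: tunnel device tun0, resolvers as pushed above.
#
# With "def1", OpenVPN does not delete the client's existing default route;
# it adds two more-specific routes, 0.0.0.0/1 and 128.0.0.0/1, via the tunnel,
# which together cover all of IPv4 and beat "default" on prefix length. So
# "default via <LAN gateway>" still being listed is normal; what matters is
# that both /1 routes exist and leave through the tun device.

TUN_DEV="${TUN_DEV:-tun0}"
VPN_DNS="${VPN_DNS:-202.107.105.13 202.108.107.21}"

# routes_go_via_tun: read "ip route show" output on stdin; succeed only if
# both /1 override routes point at $TUN_DEV.
routes_go_via_tun() {
    awk -v dev="$TUN_DEV" '
        $1 == "0.0.0.0/1"   && $0 ~ ("dev " dev "( |$)") { lo = 1 }
        $1 == "128.0.0.0/1" && $0 ~ ("dev " dev "( |$)") { hi = 1 }
        END { if (lo && hi) exit 0; exit 1 }'
}

# resolv_uses_vpn_dns: read resolv.conf on stdin; succeed only if there is at
# least one nameserver and every nameserver is one of $VPN_DNS. A LAN resolver
# left in the list would send DNS queries around the tunnel.
resolv_uses_vpn_dns() {
    awk -v allowed="$VPN_DNS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" { seen++; if (!($2 in ok)) bad++ }
        END { if (seen > 0 && !bad) exit 0; exit 1 }'
}

# Live checks: sh vpn-check.sh --live   (needs iproute2 and ping)
if [ "$1" = "--live" ]; then
    if ip route show | routes_go_via_tun; then echo "routes: via $TUN_DEV"; else echo "routes: NOT via $TUN_DEV"; fi
    if resolv_uses_vpn_dns < /etc/resolv.conf; then echo "dns: ok"; else echo "dns: leaks past the tunnel"; fi
    if ping -c 1 -W 2 10.8.0.1 >/dev/null 2>&1; then echo "ping 10.8.0.1: ok"; else echo "ping 10.8.0.1: FAIL"; fi
fi
```

The DNS check is the one people skip: the browser test above passes even when
resolv.conf still lists the coffee-shop resolver, because only the HTTP
connection is being observed.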


Posted at: 01:20 | category: /configure

Thu, 10 Aug 2006

Create a new SSL certificate for Apache

Go to /etc/apache-ssl and backup apache.pem before you do anything else.  The
location of this file may be different depending upon your Apache setup.

Install the Debian package ssl-cert.

Check to make sure you have the standard template file:
    /usr/share/ssl-cert/ssleay.cnf

If you don't, make sure you have openssl installed.

cd over to a temporary working directory that you have write access to.

Run the command:
    make-ssl-cert /usr/share/ssl-cert/ssleay.cnf privkey.pem

This will create a private key for the server named privkey.pem. Keep it mode
600 and, when you're done with this process, store a copy off site.

Next run the command:

    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

This will create a server certificate called cacert.pem, good for 3 years.

Next run the command:

    cat privkey.pem cacert.pem > apache.pem

This will create the complete certificate file needed for apache. Since it
also contains the private key, make it readable by root only (mode 600) before
copying it over the pre-existing apache.pem you backed up earlier.

Don't forget to move the privkey.pem off site.
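An added example (not from the original post) that does the key and certificate
generation in one openssl call and checks the resulting apache.pem before it is
installed. It assumes openssl is installed; the 2048-bit key size and the
/CN=www.example.com subject are placeholders to change.

```shell
#!/bin/sh
# Added example, not from the original post: build the key and self-signed
# certificate with one openssl call, and check apache.pem before installing
# it. Assumes openssl is installed; the subject below is a placeholder.

DAYS="${DAYS:-1095}"                     # 3 years, as in the notes above
SUBJ="${SUBJ:-/CN=www.example.com}"      # placeholder: use your real hostname

# gen_apache_pem BITS OUT: write a fresh RSA key and self-signed cert into OUT
# (key first, cert second, the layout apache.pem expects). umask 077 makes
# the file 0600 from the moment it exists, so the key is never world-readable.
gen_apache_pem() {
    bits="$1"; out="$2"
    (
        umask 077
        openssl req -new -x509 -nodes -newkey "rsa:$bits" -days "$DAYS" \
            -subj "$SUBJ" -keyout "$out" -out "$out.crt" &&
        cat "$out.crt" >> "$out" && rm -f "$out.crt"
    )
}

# apache_pem_ok FILE: exactly one private key and one certificate, and no
# group/other permission bits (the file holds the private key).
apache_pem_ok() {
    f="$1"
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# Usage: sh make-apache-pem.sh --generate   (writes ./apache.pem)
if [ "$1" = "--generate" ]; then
    gen_apache_pem 2048 apache.pem && apache_pem_ok apache.pem &&
        echo "apache.pem: key + cert present, mode 0600"
fi
```

The permission check catches the common mistake in the cat step above: the
shell creates apache.pem with the default umask, which is usually 022, so the
private key ends up world-readable until someone remembers to chmod it.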

Posted at: 21:36 | category: /configure

Settings for uploads using PHP/Apache

In Apache httpd.conf, inside the <Directory> or <VirtualHost> block for the
upload script (not at top level, or the limits apply to every site), add:

    ..... other directives .....

    php_value post_max_size "71M"
    php_value upload_max_filesize "70M"
    php_value memory_limit "72M"

upload_max_filesize has to stay below post_max_size, since the POST body
carries the file plus the form fields, and PHP's php.ini notes recommend that
memory_limit in turn be larger than post_max_size.

Posted at: 21:36 | category: /configure

Install Debian Source Packages

Debian can be a bit tricky if you're not familiar with its method of building
source packages.   Although this is covered in their faq somewhere, here is the
information.

    apt-get build-dep fluxbox
    apt-get source fluxbox
    apt-get install fakeroot
    apt-get install dpkg-dev
    apt-get install automake

(You may already have fakeroot and dpkg-dev installed). Although apt-get
build-dep fluxbox should also install all necessary tools, I have found that I
also have to get automake.

This will bring you three files (version number correct as of January 2004)
fluxbox_0.1.14-2.orig.tar.gz, fluxbox_0.1.14-2.diff.gz and
fluxbox_0.1.14-2.dsc. You will also have a fluxbox-0.1.14 directory.

apt-get source has already unpacked the source into that directory, so the
following is only needed if you fetched the .dsc some other way (dpkg-source
refuses to unpack over an existing directory):

dpkg-source -x fluxbox_0.1.14-2.dsc

I'm assuming you have wget or something similar, if not do a quick

apt-get install wget

Now, we patch. The patch comes over plain HTTP from a third-party host, so
read it before applying it: it should touch only the source files you expect
and nothing under debian/.

cd fluxbox-0.1.14/src
wget kitaj.no-ip.com/files/fluxbox/fluxbox-0.1.14-menukey.patch
patch < fluxbox-0.1.14-menukey.patch


Now to build and install the package. You are in the fluxbox-0.1.14/src
directory. If devscripts is installed, running 'dch -l local' first gives the
package a local version suffix, so your patched build stays distinguishable
from the stock one.

cd ../
dpkg-buildpackage -rfakeroot -b


This will take some time. When it's done (the architecture suffix will match
your machine; i386 here):

dpkg -i ../fluxbox_0.1.14-2_i386.deb
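An added example, not from the original notes, of the review step before the
patch command above: list the files a unified-diff patch touches and refuse to
apply one that reaches outside the source tree or into debian/. It assumes a
unified diff with '+++ path' headers; the patches it is exercised on are
constructed, not the real menukey patch.

```shell
#!/bin/sh
# Added example, not from the original notes: look at what a third-party
# patch touches before applying it. A patch fetched over plain HTTP from
# someone else's host can add or change files you did not expect, and
# anything it puts under debian/ (rules, maintainer scripts) runs with your
# privileges at build or install time. Assumes a unified diff with
# "+++ path" headers.

# patch_files: print the target path of every file a unified diff (stdin)
# modifies, with git-style a/ b/ prefixes stripped and /dev/null (deletions)
# skipped.
patch_files() {
    awk '$1 == "+++" { p = $2; sub(/^[ab]\//, "", p); if (p != "/dev/null") print p }'
}

# patch_is_safe: succeed only if the diff touches at least one file and every
# touched path is relative, has no ".." component and is not under debian/.
patch_is_safe() {
    patch_files | awk '
                             { n++ }
        /^\//                { bad = 1 }   # absolute path
        /(^|\/)\.\.(\/|$)/   { bad = 1 }   # directory traversal
        /^debian\//          { bad = 1 }   # packaging files run at build time
        END { if (bad || n == 0) exit 1; exit 0 }'
}

# Usage: sh check-patch.sh --apply fluxbox-0.1.14-menukey.patch
# (run from the directory the patch is meant for, as in the notes above)
if [ "$1" = "--apply" ]; then
    f="$2"
    echo "files touched:"; patch_files < "$f" | sed 's/^/  /'
    if patch_is_safe < "$f"; then
        patch --dry-run < "$f" && patch < "$f"
    else
        echo "refusing: patch touches files outside the expected tree" >&2
        exit 1
    fi
fi
```

The list of touched files is the part worth eyeballing even when the check
passes: a "menu key" patch has no business editing the configure script.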

Posted at: 21:36 | category: /configure

Configure xterm

edit ~/.Xdefaults as appropriate

look at /etc/X11/app-defaults/XTerm for ideas about what and how to change

run 'xrdb -merge .Xdefaults' after editing to implement the changes

Posted at: 21:36 | category: /configure