Wed, 23 Feb 2011
Configure openvpn on a Debian server
These notes cover the installation of openvpn on a Debian server and client. Once set up, all internet traffic from the client, including browser traffic, will travel through the VPN to the server and out from there. The server config write-up is first, followed by the client write-up further down the page. This presumes you are not ethernet bridging.

Begin by installing openvpn on both your server and your client.

# aptitude install openvpn

Switch to your server.

[server config]

First you must create the keys needed by both server and client. Copy the easy-rsa scripts shipped with the package into /etc/openvpn, so that your CA survives package upgrades:

# mkdir /etc/openvpn/easy-rsa
# cp -ai /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
# cd /etc/openvpn/easy-rsa/
# vi vars

In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. While you are there, raise KEY_SIZE from its default of 1024 to 2048: every certificate you build below, and the Diffie-Hellman parameters, take their size from this variable, and 1024-bit keys are no longer considered adequate. The rest of these notes show the 1024-bit file name; if you change KEY_SIZE, the DH file will be called dh2048.pem instead.

Next, source the vars file and then clean the directory. Note that clean-all wipes the keys/ directory, so run it once, before you build anything, and never again on a live CA.

# . ./vars
# ./clean-all

Next build the certificates. Each script prompts for the certificate fields (the defaults come from vars); the one that matters is the 'Common Name', which must be different for each certificate. For the Certificate Authority (build-ca) you can use anything to your liking; I used 'OpenVPN-CA-rustybear'. For the server certificate (build-key-server), use 'server'. For the client keys (build-key), use 'client1' or 'client2' or whatever you like; I used 'client_kevin'. Answer 'y' when asked to sign and commit each certificate.

# ./build-ca
# ./build-key-server server
# ./build-key client_kevin
# ./build-key client2

Generate the Diffie-Hellman parameters for the server.

# ./build-dh

When this is done, you will have a number of files in the keys/ subdirectory. Copy the files listed below to the server's /etc/openvpn directory.

# cd /etc/openvpn
# cp easy-rsa/keys/ca.crt .
# cp easy-rsa/keys/server.key .
# cp easy-rsa/keys/server.crt .
# cp easy-rsa/keys/dh1024.pem .

Then copy the files needed by the client, either directly to the client via scp or to a USB disk. The files needed by the client are ca.crt, client_kevin.crt and client_kevin.key (or whatever you named the files when you generated them with the build-key script). On the client machine, copy them to the /etc/openvpn directory. The .key files are private keys: keep them readable by root only (chmod 600) on both machines. The CA's own private key, easy-rsa/keys/ca.key, stays on the server and is never copied anywhere; anyone holding it can mint client certificates your server will accept.

Next, still on the server, create the openvpn server config file. Start with the example in the docs.

# cd /etc/openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .

Gunzip it if necessary (Debian ships it as server.conf.gz), then edit it. Here's a simple but workable example:

[server.conf]
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.107.105.13"
push "dhcp-option DNS 202.108.107.21"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Note the entries for 'push dhcp-option DNS'. These will be DNS servers that are accessible from your server. They will be pushed out to the client, so that the client's name lookups also go through the tunnel instead of leaking to whatever resolver it was using before. The 'redirect-gateway' push is what makes the client send all of its traffic through the VPN.

Now start the openvpn server with either of the following commands. The init script starts every *.conf file it finds in /etc/openvpn.

# /etc/init.d/openvpn start

or

# openvpn /etc/openvpn/server.conf

You will need to enable IP forwarding.

# echo 1 > /proc/sys/net/ipv4/ip_forward

You can make this a permanent change by uncommenting the line:

net.ipv4.ip_forward = 1

in the file /etc/sysctl.conf.

You'll also have to allow NAT forwarding through your firewall. This will most likely be accomplished with something like the following rule in iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This assumes you have set up your openvpn server with the subnet 10.8.0.0/24 in the server.conf file as described above, and that eth0 is the interface facing the internet; change either if yours differ. Like the sysctl setting, this rule is lost at reboot unless you add it to whatever loads your firewall rules.

Next, the client must be set up.

=====

[client config]

In the server config above, you created keys for the client, which you should have already copied to /etc/openvpn. This includes the ca.crt file. Next you need a client.conf file, a sample of which is found in the docs.

# cd /etc/openvpn
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
# vi client.conf

[client.conf]
client
dev tun
proto udp
remote 66.32.272.181 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_kevin.crt
key /etc/openvpn/client_kevin.key
ns-cert-type server
comp-lzo
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Some obvious things: You'll want to use your server's public IP (or hostname) for the remote entry; the address shown is a placeholder. List your client keys and the server CA. Uncomment the user and group entries. The 'ns-cert-type server' line makes the client refuse any peer whose certificate was not built with build-key-server, so one client's certificate and key cannot be used to impersonate the server to the others; OpenVPN 2.4 and later deprecate this directive in favour of 'remote-cert-tls server', which does the same job.

Not so obvious are the last two lines. These are the key to getting DNS to work correctly on the client. You can check the README.Debian in the docs, but basically you need to install the deb package resolvconf. Make sure you read the README for resolvconf, as it can potentially conflict with other DNS-writing programs on your client. The last two lines call the script update-resolv-conf, which should be in your /etc/openvpn directory. The script uses resolvconf and the DNS settings pushed by the openvpn server to rewrite your client's resolv.conf file while the tunnel is up, and to put the old settings back when it goes down.

To start openvpn on the client, issue the command:

# openvpn --script-security 2 --config /etc/openvpn/client.conf &

You'll need the --script-security setting to get the update-resolv-conf script to execute; without it openvpn refuses to run up/down scripts at all.

Check your installation by pinging 10.8.0.1 from the client. You should successfully be pinging the server end of the tunnel. Check it further by opening a browser and going to http://www.whatismyip.com. It should return the IP of the server, not the client. Note also that if you run the command ifconfig, you'll see a new entry for tun0.
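Before starting the daemon it is worth checking server.conf mechanically rather than by eye. The following is an added example, not part of the original post: it parses the server.conf shown above (embedded here so it runs offline), derives the iptables MASQUERADE rule from the 'server' line so the subnet in the rule cannot drift from the one in the config, and reports the things I would want fixed before going live. The 1024-bit check is a file-name heuristic (easy-rsa names the file after KEY_SIZE); the authoritative check is openssl dhparam -in dh1024.pem -text. The function names (audit, nat_rule, check_server_conf) are this example's own, not OpenVPN's.

```python
import ipaddress
import shlex

# The server.conf from this post, embedded so the example runs offline.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 202.107.105.13"
push "dhcp-option DNS 202.108.107.21"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

# Directives the server side of this post cannot work without.
REQUIRED = ("ca", "cert", "key", "dh", "server")


def parse_openvpn_conf(text):
    """Map each directive to the list of argument lists it appears with.

    OpenVPN treats lines whose first non-blank character is # or ; as
    comments, and allows double-quoted arguments (the push lines above).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        directive, *args = shlex.split(line)
        conf.setdefault(directive, []).append(args)
    return conf


def vpn_subnet(conf):
    """The pool handed out by the 'server' directive, as an ip_network.

    strict=True rejects a network address with host bits set (for example
    'server 10.8.0.1 255.255.255.0'), which OpenVPN would also refuse.
    """
    network, netmask = conf["server"][0][:2]
    return ipaddress.ip_network(f"{network}/{netmask}", strict=True)


def nat_rule(conf, iface="eth0"):
    """The MASQUERADE rule from the post, with the subnet taken from the
    config rather than typed by hand, so the two cannot disagree."""
    subnet = vpn_subnet(conf)
    return (f"iptables -t nat -A POSTROUTING -s {subnet.with_prefixlen} "
            f"-o {iface} -j MASQUERADE")


def check_server_conf(conf):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    for directive in REQUIRED:
        if directive not in conf:
            findings.append(f"missing: {directive}")
    # Heuristic only: easy-rsa names the file after KEY_SIZE, so dh1024.pem
    # means 1024-bit parameters. Confirm with: openssl dhparam -in FILE -text
    dh_args = conf.get("dh", [[]])[0]
    if dh_args and "1024" in dh_args[0]:
        findings.append("weak: 1024-bit DH parameters; set KEY_SIZE=2048 in "
                        "easy-rsa vars and rerun build-dh")
    for directive in ("user", "group"):
        if directive not in conf:
            findings.append(f"missing: {directive} (daemon stays root after init)")
    # Every DNS server pushed to clients must at least be a valid address.
    for args in conf.get("push", []):
        words = args[0].split() if args else []
        if words[:2] == ["dhcp-option", "DNS"]:
            try:
                ipaddress.ip_address(words[2])
            except (IndexError, ValueError):
                findings.append(f"bad push: {args[0]}")
    return findings


def audit(text, iface="eth0"):
    """Parse a server.conf and return (nat_rule, findings)."""
    conf = parse_openvpn_conf(text)
    return nat_rule(conf, iface), check_server_conf(conf)


if __name__ == "__main__":
    rule, findings = audit(SERVER_CONF)
    print(rule)
    for finding in findings:
        print("WARNING:", finding)
```

Run against the config above it prints the exact MASQUERADE rule from this post and one warning, for the 1024-bit DH file; swap the interface argument if your uplink is not eth0.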
Posted at: 06:20 | category: /configure | Comments ()
Mon, 04 Oct 2010
I'm finding Dropbox to be very useful
I generally like home-grown solutions on my own server, but I have to admit that I'm finding the Dropbox solution to file sharing to be pretty attractive.
Here's a link to get started on Dropbox in case you are interested:
Get Dropbox
Dropbox integrates very smoothly with your desktop and browser. Moving files
in and out of your dropbox is simplicity itself. Sharing a directory/folder with
someone else is equally easy. And sending someone a link to download a large
file from you could not be simpler. I definitely recommend giving it a try.
http://www.dropbox.com/referrals/NTExMjIxMTczOQ
Posted at: 14:14 | category: /other | Comments ()
Mon, 11 Jan 2010
Creating a custom context processor
Django does a great job with template inheritance using base.html and
{% extends variable %}, etc. The django docs give good clear examples. But the
docs are not too clear on how to inherit objects throughout a website. The
answer lies with creating a custom context processor and is really quite
simple.
At your project root level, create a new file context_processors.py. You can
actually have this file reside anywhere, just make sure you point to it
correctly in your TEMPLATE_CONTEXT_PROCESSORS, which I explain below.
Drop in your code that retrieves/creates whatever object you want available
throughout your website. Here is an example:
-----
def groupCalendar(request):
    """ Returns a one-month calendar for every template """
    from local1042.groupcalendar.models import GroupCalendar
    mycalendar = GroupCalendar()
    group = 4
    count = 1
    onemonth_cal = mycalendar.buildcalendar(group,
                                            mycalendar.current_year,
                                            mycalendar.current_month,
                                            count)
    # whatever is returned here is merged into the template context
    return {'onemonth_cal': onemonth_cal}
-----
As you can see, you return a dictionary. Make sure you choose a variable name
that won't be used elsewhere, as it will either be stepped on by, or step on, a
pre-existing variable of the same name.
Then in your settings.py file, activate your new processor by adding:
TEMPLATE_CONTEXT_PROCESSORS = (
'.....'
'local1042.context_processors.groupCalendar',
'.....'
)
Note you should have other entries already, so just add your new entry. (From
Django 1.8 on, this list lives in the TEMPLATES setting under
OPTIONS['context_processors'], but the entry is the same dotted path.)
Now, in your base.html file or other blocks, retrieve your object by simply
calling {{ onemonth_cal }}.
One more thing: If you use render_to_response in your views, then you need to
use a RequestContext instead of a Context instance, otherwise the context
processors never run and your variable is silently absent. So in a view, your
code may look like this (Django 1.3 and later also offer
django.shortcuts.render(request, template, dict), which builds the
RequestContext for you):
-----
return render_to_response('my_template.html',
my_data_dictionary,
context_instance=RequestContext(request))
-----
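The same idea without the author's GroupCalendar model, as an added example that is not code from the post: a context processor built on the standard library's calendar module, which validates the one thing it reads from the request (a processor runs on every request, so that input is untrusted), and a small merge function that does what RequestContext does with the processor list but refuses the name collision warned about above instead of letting one value silently shadow another. FakeRequest stands in for django.http.HttpRequest; build_context and group_calendar are this example's own names, not Django's.

```python
import calendar
import datetime


class FakeRequest:
    """Stand-in for django.http.HttpRequest (assumption: only .GET is needed)."""

    def __init__(self, **query):
        self.GET = query


def group_calendar(request, year=None, month=None):
    """Context processor: put a one-month calendar grid into every template.

    Plays the role of the post's groupCalendar, but builds the grid with the
    standard library so it runs without the project. year/month default to
    today and are injectable for tests.
    """
    today = datetime.date.today()
    year = year or today.year
    month = month or today.month
    # A processor runs for every request, so anything it reads from the
    # request is attacker-controlled: validate it and fall back silently.
    try:
        requested = int(request.GET.get("month", month))
    except (AttributeError, TypeError, ValueError):
        requested = month
    if 1 <= requested <= 12:
        month = requested
    weeks = calendar.monthcalendar(year, month)  # rows of 7 ints, 0 = padding
    return {"onemonth_cal": {"year": year, "month": month, "weeks": weeks}}


def build_context(request, view_data, processors):
    """Merge a view's dict with each processor's dict, as RequestContext does.

    Django resolves a duplicate key by layering, so one value silently wins;
    this version raises instead, so a processor can never step on a view
    variable (or another processor's) unnoticed.
    """
    context = dict(view_data)
    for processor in processors:
        extra = processor(request)
        clash = sorted(set(extra) & set(context))
        if clash:
            raise KeyError(f"{processor.__name__} would overwrite {clash}")
        context.update(extra)
    return context


if __name__ == "__main__":
    ctx = build_context(FakeRequest(), {"title": "Home"}, [group_calendar])
    for week in ctx["onemonth_cal"]["weeks"]:
        print(" ".join(f"{d:2d}" if d else "  " for d in week))
```

In a template the grid is reached as {{ onemonth_cal.weeks }}; a request for ?month=13 or ?month=abc falls back to the current month rather than raising inside every page render.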
Posted at: 06:41 | category: /django | Comments ()
Wed, 12 Nov 2008
Backup your Blackberry on Linux
There are a few tools in the Linux toolbox that can help you backup your Blackberry. I've tested this on the Blackberry 8330 and 8830.
In Debian, apt-get install the following:
barry-util
libbarry0
Connect your BB via the USB cord.
Run the following command:
kevin@laptopibm:~/tmp$ btool

You should see your device listed, something like this:

Blackberry devices found:
Device ID: 0x9bcd6d0. PIN: 52c09285, Description: RIM BlackBerry Device
Using device (PIN): 52c09285

Next list your databases:

kevin@laptopibm:~/tmp$ btool -t

You'll see a long list of all of the databases on your BB. The names of the databases are in single quotes like 'Address Book'.

Load a database and dump it to stdout with:

btool -d 'Address Book'

You'll see the contents of your address book scroll by.

Backup a database with:

btool -d 'Address Book' -f my_bb_address_book

The dump is a plain file holding your contacts, so keep it somewhere private. Restore a database with:

btool -s 'Address Book' -f my_bb_address_book

There are a few more commands that can be found in man btool.
Posted at: 14:54 | category: /other | Comments ()
Tue, 29 Apr 2008
Why we go to school
In 1861, one William Cory, a Master at Eton, made the following observation:
"You are not engaged so much in acquiring knowledge as in making mental efforts under criticism. A certain amount of knowledge you can indeed with average faculties acquire so as to retain; nor need you regret the hours that you have spent on much that is forgotten, for the shadow of lost knowledge at least protects you from many illusions. But you go to a great school, not for knowledge so much as for arts and habits; for the habit of attention, for the art of expression, for the art of assuming at a moment's notice a new intellectual posture, for the art of entering quickly into another person's thoughts, for the habit of submitting to censure and refutation, for the art of indicating assent or dissent in graduated terms, for the habit of regarding minute points of accuracy, for the habit of working out what is possible in a given time, for taste, for discrimination, for mental courage and mental soberness. Above all, you go to a great school for self-knowledge."
This was actually a test question that I was asked to write about in a class on International Law at George Washington University. It was a terrific class that I still remember today and kudos to the instructor, David A. Peterson, for encouraging us to think in new ways.
Posted at: 00:43 | category: /other | Comments ()
Rustybear Blog