SOHO : Small Office Home Office
Freeware - Opensource software tips, tricks, tweaks & fixes for managing, securing, improving the performance of SOHO Desktop, Laptop, Networks

Thursday, May 3, 2012

Install openvpn on ubuntu VPS in less than 10 minutes

Overview

If all you want is an openvpn server without the hassle of compiling, I recommend a Debian / Ubuntu system with a minimum of 64 MB of RAM. The instructions below let you connect to your own openvpn server (on an OpenVZ VPS) in less than 10 minutes.


Prerequisite

Before we install openvpn, check whether tun/tap is enabled for your VPS:
cat /dev/net/tun
If the output is "File descriptor in bad state", tun/tap is enabled. If not, contact your VPS provider to activate tun/tap; without tun/tap a VPN connection cannot be established.

Installation

To install openvpn in a terminal enter:
sudo apt-get install openvpn


Server Certificates

Now that the openvpn package is installed, the certificates for the VPN server need to be created. 
First, copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts will not be lost when the package is updated. You will also need to adjust permissions in the easy-rsa directory to allow the current user permission to create files. From a terminal enter:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/
Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
Enter the following to create the server certificates:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/


Client Certificates

The VPN client will also need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
Replace hostname with the actual hostname of the machine connecting to the VPN.
Copy the following files to the client:

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/hostname.crt
/etc/openvpn/easy-rsa/keys/hostname.key
/etc/openvpn/ta.key
Remember to adjust the above file names for your client machine's hostname.
It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media and then to the client also works well.


Configuration

Server Configuration

Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf changing the following options to:

push "redirect-gateway def1 bypass-dhcp"   ; uncomment this line
push "dhcp-option DNS 10.8.0.1"            ; add this line
script-security 3                          ; add this line
The push directives add networking options that the server hands to connecting clients.

After configuring the server, restart openvpn by entering:
sudo /etc/init.d/openvpn restart


Network Configuration

This network configuration is for OpenVZ virtualization only; this guide does not cover dedicated or Xen servers.


Edit the /etc/sysctl.conf file and uncomment the following line, so that IPv4 forwarding stays enabled across reboots:
net.ipv4.ip_forward=1
To enable forwarding in the running kernel right away, without rebooting, write the value through tee (a plain "sudo echo 1 > ..." fails because the redirection is performed by your unprivileged shell, not by sudo):
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward


Firewall / iptables Configuration


Set up iptables to allow the VPN connection:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.1.1.1
Replace 1.1.1.1 with the actual public IP address of the VPS.


Saving iptables

You may want to have your iptables rules restored every time you reboot. You could add lines like these to /etc/network/interfaces:

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules
The line "post-down iptables-save > /etc/iptables.rules" will save the rules to be used on the next boot.
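Added example, not from the original post: a small POSIX sh helper that renders the FORWARD and SNAT rules above as an iptables-restore file for /etc/iptables.rules, after validating the public IP so the 1.1.1.1 placeholder cannot reach the live firewall by mistake. The function names (valid_ipv4, vpn_rules) and the VPN_SUBNET variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: render the post's FORWARD and SNAT
# rules as an iptables-restore file after validating the public IP.
# Assumed names: VPN_SUBNET, valid_ipv4, vpn_rules.

VPN_SUBNET="10.8.0.0/24"   # matches "server 10.8.0.0 255.255.255.0" in server.conf

# Succeed only for a dotted quad whose four octets are each in 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore ruleset for the VPN subnet; $1 is the VPS's public
# IP. Nothing is applied here. Loading the file replaces the whole filter and
# nat tables, which is what the post's pre-up line in /etc/network/interfaces does.
vpn_rules() {
    valid_ipv4 "$1" || { echo "vpn_rules: '$1' is not an IPv4 address" >&2; return 1; }
    cat <<EOF
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $VPN_SUBNET -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
-A POSTROUTING -s $VPN_SUBNET -j SNAT --to-source $1
COMMIT
EOF
}

# Typical use on the VPS (203.0.113.5 is a documentation address, not a real one):
#   vpn_rules 203.0.113.5 | sudo tee /etc/iptables.rules >/dev/null
#   sudo iptables-restore --test < /etc/iptables.rules && sudo iptables-restore < /etc/iptables.rules
```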


Manage users

You may want to add multiple users to your vpn server with the command:

useradd username -s /bin/false
passwd username
You may want to delete a user with the command:
userdel username
Finally, restart openvpn:
sudo /etc/init.d/openvpn restart
You should now be able to connect to the remote LAN through the VPN.


Client Configuration 

First, install openvpn on the client:
sudo apt-get install openvpn
Then with the server configured and the client certificates copied to the /etc/openvpn/ directory, create a client configuration file by copying the example. In a terminal on the client machine enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Now edit /etc/openvpn/client.conf changing the following options:

remote vpn.example.com 1194
cert hostname.crt
key hostname.key
ca ca.crt
tls-auth ta.key 1
script-security 3
Replace vpn.example.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames.


Windows Client Configuration 

  • Download and install the stable openvpn-gui
  • Copy client.conf to c:\program files\openvpn\config\ and rename it to client.ovpn
  • Copy ca.crt, hostname.crt, hostname.key and ta.key to c:\program files\openvpn\config\
  • Right-click the openvpn tray icon and connect




Sample server configuration

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
script-security 3

Sample client configuration


client
dev tun
proto udp
remote vps4.tidydns.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert vps4.tidydns.net.crt
key vps4.tidydns.net.key
ns-cert-type server
comp-lzo
verb 3


Wednesday, May 2, 2012

Setup ramdisk with ramfs or tmpfs

Overview:
Using ramfs or tmpfs you can allocate part of the physical memory to be used as a partition. You can mount this partition and start writing and reading files like a hard disk partition. Since you’ll be reading and writing to the RAM, it will be faster.

When a vital process becomes drastically slow because of disk writes, you can choose either ramfs or tmpfs file systems for writing files to the RAM.

Both tmpfs and ramfs mounts give you fast reading and writing of files from and to primary memory. When you test this on a small file, you may not see a huge difference. You will notice the difference only when you write a large amount of data to a file with some other processing overhead, such as network I/O.

How to mount Tmpfs
# mkdir -p /mnt/tmp
# mount -t tmpfs -o size=20m tmpfs /mnt/tmp

The last line in the following df -k output shows the /mnt/tmp tmpfs file system mounted above.

# df -k
Filesystem      1K-blocks  Used     Available Use%  Mounted on
/dev/sda2       32705400   5002488  26041576  17%   /
/dev/sda1       194442     18567    165836    11%   /boot
tmpfs           517320     0        517320    0%    /dev/shm
tmpfs           20480      0        20480     0%    /mnt/tmp

How to mount Ramfs

# mkdir -p /mnt/ram
# mount -t ramfs -o size=20m ramfs /mnt/ram


The last line in the following mount command shows the above mounted /mnt/ram ramfs file system.

# mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
tmpfs on /mnt/tmp type tmpfs (rw,size=20m)
ramfs on /mnt/ram type ramfs (rw,size=20m)

You can mount ramfs and tmpfs at boot time by adding an entry to /etc/fstab.

Ramfs vs Tmpfs
Primarily both ramfs and tmpfs do the same thing, with a few minor differences.
  • Ramfs will grow dynamically. So you need to control the process that writes the data to make sure ramfs doesn't go above the available RAM size in the system. Let us say you have 2 GB of RAM on your system and created a 1 GB ramfs mounted as /tmp/ram. When the total size of /tmp/ram crosses 1 GB, you can still write data to it; the system will not stop you from writing more than 1 GB. However, when it goes above the total RAM size of 2 GB, the system may hang, as there is no place in RAM to keep the data.
  • Tmpfs will not grow dynamically. It will not allow you to write more than the size you specified while mounting the tmpfs, so you don't need to worry about controlling the process that writes the data to make sure tmpfs doesn't go above the specified limit. Instead it gives an error similar to "No space left on device".
  • Tmpfs uses swap.
  • Ramfs does not use swap.
Disadvantages of Ramfs and Tmpfs
Since both ramfs and tmpfs write to system RAM, their contents are lost once the system reboots or crashes. So you should write a process that copies the data from ramfs/tmpfs to disk at periodic intervals. You can also write a process that flushes the data from ramfs/tmpfs to disk while the system is shutting down, but this will not help you in the event of a system crash.

Table: Comparison of ramfs and tmpfs

Experimentation                           Tmpfs               Ramfs
Fill maximum space and continue writing   Will display error  Will continue writing
Fixed size                                Yes                 No
Uses swap                                 Yes                 No
Volatile storage                          Yes                 Yes

If you want your process to write faster, opting for tmpfs is a better choice with precautions about the system crash.
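Added example, not from the original post: since a ramfs mount keeps growing past its size= option while tmpfs stops at it, this POSIX sh helper reads mount(8) output and reports every RAM-backed mount together with whether its size is really enforced, which is the check an administrator wants before trusting a RAM disk on a shared system. The function names (ram_mount_report, sample_report) and the SAMPLE_MOUNT text, copied from the mount output shown above, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: read mount(8) output and report
# every RAM-backed mount, noting whether its size option is really a cap.
# Assumed names: ram_mount_report, sample_report, SAMPLE_MOUNT.

# Read mount lines on stdin and print, per tmpfs/ramfs mount:
#   <fstype> <mountpoint> <size option or "none"> <enforced|NOT-enforced|default-half-of-RAM>
ram_mount_report() {
    while read -r _src _on mnt _type fstype opts; do
        case "$fstype" in
            tmpfs|ramfs) ;;
            *) continue ;;
        esac
        size=none
        oldifs=$IFS
        IFS=,
        for opt in $(printf '%s' "$opts" | tr -d '()'); do
            case "$opt" in size=*) size=${opt#size=} ;; esac
        done
        IFS=$oldifs
        if [ "$fstype" = ramfs ]; then
            # ramfs keeps growing past size= until physical RAM runs out
            enforced=NOT-enforced
        elif [ "$size" = none ]; then
            # tmpfs mounted without size= is capped at half of physical RAM
            enforced=default-half-of-RAM
        else
            enforced=enforced
        fi
        echo "$fstype $mnt $size $enforced"
    done
}

# Constructed sample, copied from the post's mount output above.
SAMPLE_MOUNT='/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
tmpfs on /dev/shm type tmpfs (rw)
tmpfs on /mnt/tmp type tmpfs (rw,size=20m)
ramfs on /mnt/ram type ramfs (rw,size=20m)'

sample_report() { printf '%s\n' "$SAMPLE_MOUNT" | ram_mount_report; }

# On a live system:  mount | ram_mount_report
```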

ramfs manpage


NAME
ramfs  - memory file system

SYNOPSIS
ramfs [ -Dipsu ] [ -m mountpoint ] [ -S srvname ]

DESCRIPTION
Ramfs starts a process that mounts itself on mountpoint (default /tmp).  The ramfs process implements a file tree rooted at dir, keeping all files in memory.  Initially the file tree is empty.

The -D option enables a trace of general debugging messages.

The -i flag tells ramfs to use file descriptors 0 and 1 for its communication channel rather than create a pipe.  This makes it possible to use ramfs as a file server on a remote machine: the file descriptors 0 and 1 will be the network channel from ramfs to the client machine.

The -p flag causes ramfs to make its memory `private' so that its files are not accessible through the debugging interface.

The -s (-S) flag causes ramfs to post its channel on /srv/ramfs (/srv/srvname) rather than mounting it on mountpoint, enabling multiple clients to access its files. However, it does not authenticate its clients and its implementation of groups is simplistic, so it should not be used for precious data.

The -u option permits ramfs to consume as much memory as needed; without it, ramfs will limit its consumption to some arbitrary amount, currently 768MB (enough to hold a CD image).

This program is useful mainly as an example of how to write a user-level file server.  It can also be used to provide high-performance temporary files.

source : http://man.aiju.de/4/ramfs