Add second IP address

You can add address to any network adapter, but that change can be temporary or permanent

Temporary:

# ifconfig <network adapter>:0 <ip> netmask <netmask> up
# example:
ifconfig eth0:0 192.168.0.23 netmask 255.255.255.0 up

# or 
# ip address add <ip>/<netmask> dev <network adapter>
ip address add 192.168.0.23/24 dev eth0

# ifconfig <network adapter>:0 <ip> netmask <netmask> up

# example:

ifconfig eth0:0 192.168.0.23 netmask 255.255.255.0 up

# or

# ip address add <ip>/<netmask> dev <network adapter>

ip address add 192.168.0.23/24 dev eth0

Permanently:

#edit /etc/network/interfaces
# auto <network adapter>:<number>
# iface <network adapter>:<number> inet static
# address <ip>
# gateway <gateway ip>
# netmask <netmask>
# example:

auto eth0:1
iface eth0:1 inet static
address 192.168.0.23
gateway 192.168.0.1
netmask 255.255.255.0

#edit /etc/network/interfaces

# auto <network adapter>:<number>

# iface <network adapter>:<number> inet static

# address <ip>

# gateway <gateway ip>

# netmask <netmask>

# example:

auto eth0:1

iface eth0:1 inet static

address 192.168.0.23

gateway 192.168.0.1

netmask 255.255.255.0

How to find all non ascii characters

Regular expression (RegEx) is like magic book, and this is the spell you need to cast for all those country related character that are out of A-Z English scope (ex. Polish, German, Japanese, Chinese characters):

[^\x00-\x7F]+

1	[^\x00-\x7F]+

Works great with vim or notepad++

MySQL row size too large (>8126)

This is something to do with bad table design, where you are using multiply columns with Text values, the best solution would be redesign tables, but from time to time you need to patch it at-hoc without redesigning application that use that database.

Solution that usually works:

# to my.conf mysql configuration file add/replace:
innodb_file_per_table
innodb_file_format = Barracuda

# and alter table that throw error with
ALTER TABLE your_table ENGINE=InnoDB ROW_FORMAT=DYNAMIC

# to my.conf mysql configuration file add/replace:

innodb_file_per_table

innodb_file_format = Barracuda

# and alter table that throw error with

ALTER TABLE your_table ENGINE=InnoDB ROW_FORMAT=DYNAMIC

Extract specific file from tar.gz

tar -zxvf archive.tar.gz full-file-path-inside-archive

# to get that specific file you need full path try
tar -tzf archive.tar.gz | grep file-to-extract
# you will end up with 
./file-to-extract or similar then use that full path with first command

tar -zxvf archive.tar.gz full-file-path-inside-archive

# to get that specific file you need full path try

tar -tzf archive.tar.gz | grep file-to-extract

# you will end up with

./file-to-extract or similar then use that full path with first command

Side note its not super fast for big archives, sadly.

Export or save Putty configuration

From time to time we need migrate our putty configuration/sessions that we saved (configurations, IPs etc).

Putty store those data inside system register and those are some methods to extract them and save to new pc:

# cmd
regedit /e "%USERPROFILE%\Desktop\putty.reg" HKEY_CURRENT_USER\Software\SimonTatham

# powershell
reg export HKCU\Software\SimonTatham ([Environment]::GetFolderPath("Desktop") + "\putty.reg")

# regedit
HKEY_CURRENT_USER -> Software -> SimonTatham -> PuTTY

# cmd

regedit /e "%USERPROFILE%\Desktop\putty.reg" HKEY_CURRENT_USER\Software\SimonTatham

# powershell

reg export HKCU\Software\SimonTatham ([Environment]::GetFolderPath("Desktop") + "\putty.reg")

# regedit

HKEY_CURRENT_USER -> Software -> SimonTatham -> PuTTY

We end up with putty.reg on our Desktop which we can execute on new computer and enjoy with same settings/sessions as before.

FreeNas: Realtek 8111F and “re0: Watchdog Timeout Error” – universal solution

This is continuation from FreeNas: Realtek 8111F and re0: Watchdog Timeout Error

Last solution was only for FreeNas 9.1 which is now a bit outdated.

Below I will show you how to fix the issue (by compiling your own drivers that are dedicated for your os version):

# I prefer making this inside jail so there is no extra leftovers
# so I created jail named 'test' which is my jail number 1
jls
jailme 1 /bin/csh
curl -o /tmp/rtlv194.01.tgz http://12244.wpc.azureedge.net/8012244/drivers/rtdrivers/cn/nic/0007-rtl_bsd_drv_v194.01.tgz
tar -xf /tmp/rtlv194.01.tgz -C /tmp/
cp /tmp/rtl_bsd_drv_v194.01/if_re* /usr/src/sys/dev/re/
cp /tmp/rtl_bsd_drv_v194.01/Makefile /usr/src/sys/modules/re/
cd /usr/src/sys/modules/re/
make
cp /usr/src/sys/modules/re/if_re.ko /if_re_194.ko
exit
cp /mnt/***/jails/test/if_re_194.ko /boot/kernel/if_re.ko

# Enable with the FreeNAS GUI in System/Tunables. Variable if_re_load, Value YES, Type loader, Enabled true
# reboot

# I prefer making this inside jail so there is no extra leftovers

# so I created jail named 'test' which is my jail number 1

jls

jailme 1 /bin/csh

curl -o /tmp/rtlv194.01.tgz http://12244.wpc.azureedge.net/8012244/drivers/rtdrivers/cn/nic/0007-rtl_bsd_drv_v194.01.tgz

tar -xf /tmp/rtlv194.01.tgz -C /tmp/

cp /tmp/rtl_bsd_drv_v194.01/if_re* /usr/src/sys/dev/re/

cp /tmp/rtl_bsd_drv_v194.01/Makefile /usr/src/sys/modules/re/

cd /usr/src/sys/modules/re/

make

cp /usr/src/sys/modules/re/if_re.ko /if_re_194.ko

exit

cp /mnt/***/jails/test/if_re_194.ko /boot/kernel/if_re.ko

# Enable with the FreeNAS GUI in System/Tunables. Variable if_re_load, Value YES, Type loader, Enabled true

# reboot

In case the official link to tgz is down, here is mirror I made: 007-rtl_bsd_drv_v194.01.tgz

Nagios – network/device configuration

If you don’t have working Nagios installation fell free to follow Nagios – New installation on Debian 9 link.

We will need to add folder structure (for better organization) to nagios config file:

# edit nagios.cfg
mcedit /usr/local/nagios/etc/nagios.cfg

# lets add out root dir that will store our config files for device/network
# this way we don't need to type cfg_file for each .cfg file out there
cfg_dir=/usr/local/nagios/etc/devices

# save file and create proper directory
mkdir /usr/local/nagios/etc/devices
cd /usr/local/nagios/etc/devices

# edit nagios.cfg

mcedit /usr/local/nagios/etc/nagios.cfg

# lets add out root dir that will store our config files for device/network

# this way we don't need to type cfg_file for each .cfg file out there

cfg_dir=/usr/local/nagios/etc/devices

# save file and create proper directory

mkdir /usr/local/nagios/etc/devices

cd /usr/local/nagios/etc/devices

Not everyone have luxury to always use smart switches around network – those make live a lot easier, but life is not a dream 🙂

Let us make a template for non-smart aka no-ping switches:

define host{
        name                            noping-host    ; The name of this host template
        notifications_enabled           1       
        event_handler_enabled           1       
        flap_detection_enabled          1      
        process_perf_data               1      
        retain_status_information       1       
        retain_nonstatus_information    1       
        notification_interval           0
        notification_period             24x7
        notification_options            d,u,r
        contact_groups                  admins
        max_check_attempts              5
        address                         127.0.0.1      ; Just so we don't have to write it all the time
        register                        0      
        }

define host{

name noping-host ; The name of this host template

notifications_enabled 1

event_handler_enabled 1

flap_detection_enabled 1

process_perf_data 1

retain_status_information 1

retain_nonstatus_information 1

notification_interval 0

notification_period 24x7

notification_options d,u,r

contact_groups admins

max_check_attempts 5

address 127.0.0.1 ; Just so we don't have to write it all the time

}

Now we can define few switches like this:

define host{
            use noping-host
            host_name switch-number-1
            alias Switch Number 1
            icon_image switch40.png
            statusmap_image switch40.gd2
            parent name_of_parent_host_name  ; use this to make tree on map
            initial_status u
}

define host{

use noping-host

host_name switch-number-1

alias Switch Number 1

icon_image switch40.png

statusmap_image switch40.gd2

parent name_of_parent_host_name ; use this to make tree on map

initial_status u

}

You can most variables put to template file so there will be even less writing

Most common type of templete is: linux-server (you can check others in /usr/local/nagios/etc/objects/templates.cfg )

After making few .cfg files inside our directory remamber to chown nagios:nagios -R /usr/local/nagios/etc/devices/ to avoid erros and restart nagios

Nagios – New installation on Debian 9

If you have to install a really great network those such as Nagios those will be steps needed:

1.Installing Apache2 + PHP (Skip if you already have one):

apt-get install apache2 libapache2-mod-php7.0 php7.0
# enable cgi
a2enmod rewrite headers cgi
systemctl restart apache2

# setup correct timezone in php
mcedit /etc/php/7.0/apache2/php.ini
# set date.timezone according to http://php.net/manual/en/timezones.php
systemctl restart apache2

# info.php
echo '<?php phpinfo(); ?>' >/var/www/html/info.php

# open browser apache_server_ip/info.php and check 'default timezone'

apt-get install apache2 libapache2-mod-php7.0 php7.0

# enable cgi

a2enmod rewrite headers cgi

systemctl restart apache2

# setup correct timezone in php

mcedit /etc/php/7.0/apache2/php.ini

# set date.timezone according to http://php.net/manual/en/timezones.php

systemctl restart apache2

# info.php

echo '<?php phpinfo(); ?>' >/var/www/html/info.php

# open browser apache_server_ip/info.php and check 'default timezone'

2.Installing Nagios core:

# pre-request to build nagios from source:
apt-get install autoconf gcc libc6 make apache2-utils libgd-dev

# get source from https://www.nagios.org/downloads/nagios-core/
wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.3.4.tar.gz
tar xzf nagios-4.3.4.tar.gz
cd nagios-4.3.4/
./configure --with-httpd-conf=/etc/apache2/sites-enabled

# Output should look like this:
*** Configuration summary for nagios 4.3.4 2017-08-24 ***:

 General Options:
 -------------------------
        Nagios executable:  nagios
        Nagios user/group:  nagios,nagios
       Command user/group:  nagios,nagios
             Event Broker:  yes
        Install ${prefix}:  /usr/local/nagios
    Install ${includedir}:  /usr/local/nagios/include/nagios
                Lock file:  /run/nagios.lock
   Check result directory:  ${prefix}/var/spool/checkresults
           Init directory:  /etc/init.d
  Apache conf.d directory:  /etc/apache2/sites-enabled
             Mail program:  /usr/bin/mail
                  Host OS:  linux-gnu
          IOBroker Method:  epoll

 Web Interface Options:
 ------------------------
                 HTML URL:  http://localhost/nagios/
                  CGI URL:  http://localhost/nagios/cgi-bin/
 Traceroute (used by WAP):  /usr/sbin/traceroute


Review the options above for accuracy.  If they look okay,
type 'make all' to compile the main program and CGIs.

##################

# next we need to 'make' it ;-)
make all

# Output should look like this:
Enjoy.

# and we will in few minutes
# lets us create user for nagios
useradd nagios
# we will add him to apache group
usermod -a -G nagios www-data

# last but not least:
make install

# Output should look like this:

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/libexec
/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var
/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/archives
/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/spool/checkresults
chmod g+s /usr/local/nagios/var/spool/checkresults

*** Main program, CGIs and HTML files installed ***

You can continue with installing Nagios as follows (type 'make'
without any arguments for a list of all possible options):

  make install-init
     - This installs the init script in /etc/init.d

  make install-commandmode
     - This installs and configures permissions on the
       directory for holding the external command file

  make install-config
     - This installs sample config files in /usr/local/nagios/etc


##############

# let's add init script
make install-init
# and enable init script
systemctl enable nagios.service

# install and configure permissions for external command file:
make install-commandmode

# and add sample configuration so nagios will start:
make install-config

# add nagios-site apache configuration file:
make install-webconf

# we need to create nagiosadmin account for http
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

# finally we can restart apache and start nagios:
systemctl restart apache2
systemctl start nagios

# open browser and type: nagios_ip_address/nagios/

100

101

102

103

# pre-request to build nagios from source:

apt-get install autoconf gcc libc6 make apache2-utils libgd-dev

# get source from https://www.nagios.org/downloads/nagios-core/

wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.3.4.tar.gz

tar xzf nagios-4.3.4.tar.gz

cd nagios-4.3.4/

./configure --with-httpd-conf=/etc/apache2/sites-enabled

# Output should look like this:

*** Configuration summary for nagios 4.3.4 2017-08-24 ***:

General Options:

-------------------------

Nagios executable: nagios

Nagios user/group: nagios,nagios

Command user/group: nagios,nagios

Event Broker: yes

Install ${prefix}: /usr/local/nagios

Install ${includedir}: /usr/local/nagios/include/nagios

Lock file: /run/nagios.lock

Check result directory: ${prefix}/var/spool/checkresults

Init directory: /etc/init.d

Apache conf.d directory: /etc/apache2/sites-enabled

Mail program: /usr/bin/mail

Host OS: linux-gnu

IOBroker Method: epoll

Web Interface Options:

------------------------

HTML URL: http://localhost/nagios/

CGI URL: http://localhost/nagios/cgi-bin/

Traceroute (used by WAP): /usr/sbin/traceroute

Review the options above for accuracy. If they look okay,

type 'make all' to compile the main program and CGIs.

##################

# next we need to 'make' it ;-)

make all

# Output should look like this:

Enjoy.

# and we will in few minutes

# lets us create user for nagios

useradd nagios

# we will add him to apache group

usermod -a -G nagios www-data

# last but not least:

make install

# Output should look like this:

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/libexec

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/archives

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/spool/checkresults

chmod g+s /usr/local/nagios/var/spool/checkresults

*** Main program, CGIs and HTML files installed ***

You can continue with installing Nagios as follows (type 'make'

without any arguments for a list of all possible options):

make install-init

- This installs the init script in /etc/init.d

make install-commandmode

- This installs and configures permissions on the

directory for holding the external command file

make install-config

- This installs sample config files in /usr/local/nagios/etc

##############

# let's add init script

make install-init

# and enable init script

systemctl enable nagios.service

# install and configure permissions for external command file:

make install-commandmode

# and add sample configuration so nagios will start:

make install-config

# add nagios-site apache configuration file:

make install-webconf

# we need to create nagiosadmin account for http

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

# finally we can restart apache and start nagios:

systemctl restart apache2

systemctl start nagios

# open browser and type: nagios_ip_address/nagios/

3.Installing Nagios Plugins (needed !)

# pre-require
apt-get install libmcrypt-dev make libssl-dev bc gawk dc build-essential snmp libnet-snmp-perl gettext libldap2-dev smbclient fping default-libmysqlclient-dev

# get latest source file! from https://github.com/nagios-plugins/nagios-plugins/releases
wget https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar zxvf release-2.2.1.tar.gz
cd nagios-plugins-release-2.2.1/
./tools/setup
./configure
make
make install

# now we should have all commands in /usr/local/nagios/libexec/
ls /usr/local/nagios/libexec/

# restart nagios so he can load those:
systemctl restart nagios.service

# pre-require

apt-get install libmcrypt-dev make libssl-dev bc gawk dc build-essential snmp libnet-snmp-perl gettext libldap2-dev smbclient fping default-libmysqlclient-dev

# get latest source file! from https://github.com/nagios-plugins/nagios-plugins/releases

wget https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz

tar zxvf release-2.2.1.tar.gz

cd nagios-plugins-release-2.2.1/

./tools/setup

./configure

make

make install

# now we should have all commands in /usr/local/nagios/libexec/

ls /usr/local/nagios/libexec/

# restart nagios so he can load those:

systemctl restart nagios.service

4.Enable SSL for Nagios (and not only)

# enable module
a2enmod ssl
systemctl restart apache2

# edit apache to redirect traffic to ssl
mcedit /etc/apache2/sites-enabled/000-default.conf
# add this to VirtualHost:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}/$1

# after modification file should look like this:
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*) https://%{HTTP_HOST}/$1

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# enable ssl apache config file without it you will get SSL_ERROR_RX_RECORD_TOO_LONG error
a2ensite default-ssl.conf

# let us restart apache
systemctl restart apache2.service

# enable module

a2enmod ssl

systemctl restart apache2

# edit apache to redirect traffic to ssl

mcedit /etc/apache2/sites-enabled/000-default.conf

# add this to VirtualHost:

RewriteEngine on

RewriteCond %{HTTPS} off

RewriteRule ^(.*) https://%{HTTP_HOST}/$1

# after modification file should look like this:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

RewriteEngine on

RewriteCond %{HTTPS} off

RewriteRule ^(.*) https://%{HTTP_HOST}/$1

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# enable ssl apache config file without it you will get SSL_ERROR_RX_RECORD_TOO_LONG error

a2ensite default-ssl.conf

# let us restart apache

systemctl restart apache2.service

How to setup VPN with PPTP

In the past there was a Personal VPN Server (OpenVPN) which gave us more security than PPTP could give us.

Then why would you want PPTP ? Because its faster and have lower footprint on CPU than OpenVPN. That way you can pick which you prefer in your case scenario. Also there is build-in support for PPTP in most devices.

Install:

apt-get install pptpd

1	apt-get install pptpd

#edit /etc/pptpd.conf
localip 10.0.0.1
remoteip 10.0.0.100-200

#edit /etc/ppp/chap-secrets
# client     server    secret      IP address
client1      pptpd     password123 *
client2      pptpd     password2   *

#edit /etc/ppp/pptpd-options
ms-dns 8.8.8.8
ms-dns 8.8.4.4

#edit /etc/pptpd.conf

localip 10.0.0.1

remoteip 10.0.0.100-200

#edit /etc/ppp/chap-secrets

# client server secret IP address

client1 pptpd password123 *

client2 pptpd password2 *

#edit /etc/ppp/pptpd-options

ms-dns 8.8.8.8

ms-dns 8.8.4.4

And restart service:

service pptpd restart

1	service pptpd restart

Check if pptpd is listening to 1723 port:

netstat -alpn | grep :1723

1	netstat -alpn \| grep :1723

Now setup some network stuffs:

#edit /etc/sysctl.conf 
net.ipv4.ip_forward = 1

1 2	#edit /etc/sysctl.conf net.ipv4.ip_forward = 1

Next in terminal:

sysctl -p
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save

# if you want to disable client isolation:
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

sysctl -p

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save

# if you want to disable client isolation:

iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

iptables -I INPUT -s 10.0.0.0/8 -i ppp0 -j ACCEPT

iptables --append FORWARD --in-interface eth0 -j ACCEPT

Thats all on server side.

Client configuration:

apt-get install pptp
# add necessary kernel module
modprobe ppp_mppe

apt-get install pptp

# add necessary kernel module

modprobe ppp_mppe

Create config file:

touch /etc/ppp/peers/pptpserver
#edit /etc/ppp/peers/pptpserver
pty "pptp server_ip_address --nolaunchpppd"
name client1
password password123
remotename PPTP
require-mppe-128

touch /etc/ppp/peers/pptpserver

#edit /etc/ppp/peers/pptpserver

pty "pptp server_ip_address --nolaunchpppd"

name client1

password password123

remotename PPTP

require-mppe-128

Now we can connect to server (using name of the config file – pptpserver):

pppd call pptpserver

1	pppd call pptpserver

ip route add 10.0.0.0/8 dev ppp0

1	ip route add 10.0.0.0/8 dev ppp0

Personal VPN Server (OpenVPN)

Internet providers are collecting more and more data about our internet activities, but what can we do about it ?

You want to have secure access to your home servers, nas, devices ?

Virtual Private Network aka VPN is a solution for your needs!

1.Instalation

apt-get install openvpn easy-rsa

1	apt-get install openvpn easy-rsa

2.openvpn configuration

touch /etc/openvpn/server.conf

#edit /etc/openvpn/server.conf 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

touch /etc/openvpn/server.conf

#edit /etc/openvpn/server.conf

port 1194

proto udp

dev tun

ca ca.crt

cert server.crt

key server.key

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"

push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

cipher AES-256-CBC

comp-lzo

user nobody

group nogroup

persist-key

persist-tun

status openvpn-status.log

verb 3

3.some system tweaks

echo 1 > /proc/sys/net/ipv4/ip_foward

#edit /etc/sysctl.conf
net.ipv4.ip_forward=1

echo 1 > /proc/sys/net/ipv4/ip_foward

#edit /etc/sysctl.conf

net.ipv4.ip_forward=1

4.Instalation and configuration firewall tool (so you don’t need to be iptables ninja)

apt-get install ufw

ufw allow 1194/udp

#edit /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

#edit /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter

ufw enable
ufw status | grep '1194/udp'

apt-get install ufw

ufw allow 1194/udp

#edit /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

#edit /etc/ufw/before.rules

# rules.before

# Rules that should be run before the ufw command line added rules. Custom

# rules should be added to one of these chains:

# ufw-before-input

# ufw-before-output

# ufw-before-forward

# START OPENVPN RULES

# NAT table rules

*nat

:POSTROUTING ACCEPT [0:0]

# Allow traffic from OpenVPN client to eth0

-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE

COMMIT

# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors

*filter

ufw enable

ufw status | grep '1194/udp'

5.generate CA, certs and keys for server

cp -r /usr/share/easy-rsa/ /etc/openvpn 
mkdir /etc/openvpn/easy-rsa/keys 

#edit /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="COUNTRY"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="ORGANIZATION"
export KEY_EMAIL="email@"
export KEY_OU="Organization Unit"
# X509 Subject Field (key name)
export KEY_NAME="server"

openssl dhparam -out /etc/openvpn/dh2048.pem 2048 

cd /etc/openvpn/easy-rsa 
. ./vars
./clean-all
./build-ca

cp -r /usr/share/easy-rsa/ /etc/openvpn

mkdir /etc/openvpn/easy-rsa/keys

#edit /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="COUNTRY"

export KEY_PROVINCE="PROVINCE"

export KEY_CITY="CITY"

export KEY_ORG="ORGANIZATION"

export KEY_EMAIL="email@"

export KEY_OU="Organization Unit"

# X509 Subject Field (key name)

export KEY_NAME="server"

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

cd /etc/openvpn/easy-rsa

. ./vars

./clean-all

./build-ca

Just now we prepeared system envirement to generate, sign and distribute our certs thanks to CA (Certificate Authority).

Lets finish the fun with certs:

cd /etc/openvpn/easy-rsa
./build-key-server server 
# leave password and 'company name' empty
Sign the certificate?
Y

cd /etc/openvpn/easy-rsa

./build-key-server server

# leave password and 'company name' empty

Sign the certificate?

Move created certs and keys created for server:

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

1	cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

and check if openvpn still starts (if not be sure there is no typo in config file or you moved correct files to correct location):

service openvpn start
service openvpn status

1 2	service openvpn start service openvpn status

6.Creating certs and keys for clients:

cd /etc/openvpn/easy-rsa
./build-key client1 
# leave password and 'company name' empty
Sign the certificate? Y

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn 
#edit /etc/openvpn/easy-rsa/keys/client.ovpn 
client
dev tun
proto udp
remote ip_serwera 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

cd /etc/openvpn/easy-rsa

./build-key client1

# leave password and 'company name' empty

Sign the certificate? Y

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

#edit /etc/openvpn/easy-rsa/keys/client.ovpn

client

dev tun

proto udp

remote ip_serwera 1194

resolv-retry infinite

nobind

user nobody

group nogroup

persist-key

persist-tun

remote-cert-tls server

cipher AES-256-CBC

comp-lzo

verb 3

Attention: user/group setting is not compatible with Windows

Client config file is still missing the paths for cert/key combo 🙂 but we will overcome this with one of two ways:

7a. Unified config file (one file to rule them all)

echo '<ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn 

echo '<cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/easy-rsa/keys/client.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn 

echo '<key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/easy-rsa/keys/client.key >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

echo '<ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn

echo '</ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

echo '<cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

cat /etc/openvpn/easy-rsa/keys/client.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn

echo '</cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

echo '<key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

cat /etc/openvpn/easy-rsa/keys/client.key >> /etc/openvpn/easy-rsa/keys/client.ovpn

echo '</key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

7b. Maybe you dont want to include cert inside profile file then we need to add this and copy needed files:

ca ca.crt
cert klient.crt
key klient.key

ca ca.crt

cert klient.crt

key klient.key

September 2018
M	T	W	T	F	S	S
« Jul
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30