The document provides instructions for setting up an OpenVPN server to allow both Linux and Mac OS X clients to securely connect. It describes generating certificates and keys, configuring the OpenVPN server, and then configuring Linux and Mac OS X clients to connect to the server. The key steps are:
1) Generate certificates and keys on the server using the OpenVPN easy-rsa scripts.
2) Configure the OpenVPN server configuration file and required files.
3) Distribute client certificates to Linux and Mac clients and configure the clients.
4) Start the OpenVPN server and test connectivity between clients and the server network.
Openvpn
How to set up OpenVPN server with both Linux and Mac OS X clients
(A TechRepublic tip compilation)
October 2010
By Vincent Danen
The three tips in this download were originally published individually in the Linux and Open
Source blog and the Macs in Business blog on TechRepublic. Vincent Danen takes you through
the steps of setting up an OpenVPN server and then how to set up both a Linux client and a Mac OS
X client using Shimo.
How to set up an OpenVPN server
By Vincent Danen
Having a virtual private network affords a lot of convenience, particularly for those who want or
need to access a remote network from a different location, such as connecting to a work network
from home, or vice versa. With the availability of 3G on the road, or wireless hotspots
everywhere, being able to connect, securely, to a remote private network from anywhere is ideal.
OpenVPN is one of the most reliable VPN setups around. It's fully open source, it's supported on
Linux, Windows, and OS X, it's robust, and it's secure. Unfortunately, configuration can be a bit
of a pain, so in a series of upcoming tips, I aim to get you up and running quickly.
To begin, you will need to have OpenVPN installed on the server or system you wish to use as a
VPN end-point. Most distributions include OpenVPN; for the server setup, I am using OpenVPN
2.0.9 as provided by the RPMForge repository for CentOS 5.
The first part of this series concentrates on the server, while the second and third parts will
concentrate on the configuration of Linux and OS X clients, respectively. So without further ado,
let's get our hands dirty.
To begin with, you need to copy some files from the OpenVPN docs directory (typically
provided in /usr/share/doc/openvpn-[version]) to create certificates:
# cd /usr/share/doc/openvpn-2.0.9
# cp -av easy-rsa /etc/openvpn/
# cd /etc/openvpn/easy-rsa/
# vim vars
In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY,
KEY_ORG, KEY_EMAIL, etc. These will be used to build the OpenSSL certificates. Next, it's
time to initialize the PKI:
# . ./vars
# sh clean-all
# sh build-ca
# sh build-key-server server
For the above, and the client certificates below, you can enter pretty much anything for the
"Common Name" field; however, there is a certain logic to follow: "OpenVPN-CA" when
generating the Certificate Authority, "server" when generating the server certificate, and "client"
or the name of the specific client system for the client certificates. Those certificates are
generated with:
# sh build-key client1
# sh build-key client2
The next step is to generate the Diffie Hellman parameters for the server:
# sh build-dh
When this is done, you will have a number of files in the keys/ subdirectory. At this point, for the
clients, you want to copy the appropriate files to them securely (i.e., via SSH or on a USB stick);
the files the clients need are ca.crt, client1.crt, and client1.key (or whatever you named the files
when you generated them with the build-key script).
Next, create the OpenVPN server configuration file. To get up and running quickly, copy one of
the example config files:
# cd /etc/openvpn/
# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf .
# vim server.conf
The aim here is to get this going right away, so we won't examine each of the options in detail.
The primary things you want to do are to uncomment the "user" and "group" directives, to make
the openvpn process run as the unprivileged "nobody" user. You may also want to change the
"local" directive to make it listen to one specific IP address. This would be the IP to which your
firewall is forwarding UDP port 1194. As well, you will want to set the "client-to-client"
directive to enable it, and also set the "push" directives for route and DNS options. What follows
is a comment-stripped server.conf, as an example:
local 192.168.10.11
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.254.0"
push "dhcp-option DNS 192.168.10.12"
push "dhcp-option DOMAIN domain.com"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Finally, copy the required keys and certificates that you previously generated:
# cd /etc/openvpn/
# cp easy-rsa/keys/ca.crt .
# cp easy-rsa/keys/server.{key,crt} .
# cp easy-rsa/keys/dh1024.pem .
And, finally, start the OpenVPN server:
# /etc/init.d/openvpn start
To get routing set up properly on the server so that remote clients, when they connect, can reach
more than just the server itself, you will need to enable IP forwarding. This can be done by the
following:
# echo 1 > /proc/sys/net/ipv4/ip_forward
You can also do it by editing /etc/sysctl.conf and adding the following (this is a good thing to do
as it will ensure that packet-forwarding persists across reboots):
net.ipv4.ip_forward = 1
You also want to ensure that packets going back to the client system are routed properly. This
can be done by changing the route on the gateway of the server's network to route packets to the
client network (10.8.0.1/32) through the OpenVPN server (if the server happens to be the
gateway as well, you don't have to do anything additional to accomplish this). How this is done
largely depends on the operating system of the gateway.
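Before starting the server it is worth confirming that the configuration really drops privileges, that the private key named by the "key" directive is not readable by anyone but root, and that the ip_forward setting is persisted without piling up duplicate lines every time the step is repeated. The shell functions below are an added example, not code from the article: the directive list comes from the server.conf shown above, the file paths are passed in as arguments, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for the OpenVPN
# server set up above. Paths are passed in as arguments; the defaults in the
# usage comment (/etc/openvpn/server.conf, /etc/sysctl.conf) are the ones the
# article uses.

# check_server_conf CONF
# Prints one line per problem found and returns 1; returns 0 if all is well.
check_server_conf() {
    conf="$1"
    confdir=$(dirname "$conf")
    rc=0

    # Directives the article enables. A leading ';' or '#' comments a line
    # out, so a directive only counts when it starts the line.
    for directive in "user nobody" "group nobody" "persist-key" "persist-tun" \
                     "client-to-client"; do
        pattern=$(printf '%s' "$directive" | sed 's/ /[[:space:]]+/g')
        if ! grep -qE "^[[:space:]]*${pattern}([[:space:]]|\$)" "$conf"; then
            echo "missing or commented out: $directive"
            rc=1
        fi
    done

    # The file named by "key" is the server's private key: it must exist and
    # must not be readable by group or other.
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -z "$key" ]; then
        echo "no key directive"
        rc=1
    else
        case "$key" in
            /*) keypath="$key" ;;
            *)  keypath="$confdir/$key" ;;   # relative to the config directory
        esac
        if [ ! -f "$keypath" ]; then
            echo "key file not found: $keypath"
            rc=1
        elif [ -n "$(find "$keypath" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
            echo "key file readable by group or other: $keypath"
            rc=1
        fi
    fi
    return "$rc"
}

# ensure_ip_forward SYSCTL_FILE
# Persist "net.ipv4.ip_forward = 1" in the given file, replacing any existing
# ip_forward line (0 or 1) so that repeated runs leave exactly one copy.
ensure_ip_forward() {
    f="$1"
    tmp="$f.tmp.$$"
    grep -vE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f" > "$tmp" || true
    echo "net.ipv4.ip_forward = 1" >> "$tmp"
    mv "$tmp" "$f"
}

# Usage on the server (as root):
#   check_server_conf /etc/openvpn/server.conf && ensure_ip_forward /etc/sysctl.conf
#   sysctl -p    # apply the file now rather than waiting for a reboot
```

The permission check uses find's symbolic -perm test so it works the same on GNU and BSD userlands; a key that fails it should be fixed with chmod 600 before the daemon is started, since the "user nobody" directive only takes effect after the key has already been read as root.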
Once this is done, you should be able to ping any machine on the server's LAN from the client,
and be able to ping the client from any machine on the server's LAN. For instance, from a
machine on the server LAN (not the server):
% traceroute 10.8.0.6
traceroute to 10.8.0.6 (10.8.0.6), 64 hops max, 52 byte packets
1 fw (192.168.10.1) 0.848 ms 0.342 ms 0.249 ms
2 server (192.168.10.11) 0.214 ms 0.231 ms 0.243 ms
3 server (192.168.10.11) 0.199 ms !Z 0.443 ms !Z 0.396 ms !Z
% ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6): 56 data bytes
64 bytes from 10.8.0.6: icmp_seq=0 ttl=63 time=17.540 ms
And from the client:
# traceroute 192.168.10.65
traceroute to 192.168.10.65 (192.168.10.65), 30 hops max, 40 byte packets
1 10.8.0.1 (10.8.0.1) 22.963 ms 27.311 ms 27.317 ms
2 10.8.0.1 (10.8.0.1) 27.297 ms !X 27.294 ms !X 27.269 ms !X
# ping 192.168.10.65
PING 192.168.10.65 (192.168.10.65) 56(84) bytes of data.
64 bytes from 192.168.10.65: icmp_seq=1 ttl=62 time=515 ms
The setting up of OpenVPN clients will be the subject of two tips in the next week. I've made the
assumption that the client is correctly configured here, simply to illustrate how it should look
when it all works together, but in the next parts of this series we will get into more depth with the
client configuration.
How to set up a Linux OpenVPN client
By Vincent Danen
In a previous tip last week, we looked at setting up an OpenVPN server. Now, I'll take you
through the setup of a Linux OpenVPN client. (I have also covered setting up an OS X client on
OpenVPN in the Macs in Business blog). The Linux client will be based on CentOS 5 using
OpenVPN 2.0.9.
For each client, you will need to have copied the client's certificate and key, as well as the CA
certificate, from the server. This should be done in a secure manner so you can ensure the files
are not altered in any way, such as using SSH to transfer or a USB stick in your possession. Once
they are on the client, copy them to the /etc/openvpn/ directory:
# cd /etc/openvpn
# cp ~/client.{key,crt} .
# cp ~/ca.crt .
# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf .
# vim client.conf
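Both the server tip and the paragraph above insist that ca.crt, the client certificate and the client key reach the client unaltered. As an added example (not the article's own code), the functions below produce a SHA-256 manifest of those files on the server, verify it on the client after the copy, and install the files into the OpenVPN directory with the private key readable by its owner only. The function names and the manifest file name client1.sha256 are this example's own; the file names themselves are the article's.

```shell
#!/bin/sh
# Added example (not from the article): integrity check and install of the
# client files (ca.crt, clientN.crt, clientN.key) copied from the server.

# make_manifest DIR FILE...
# Prints one "hash  name" line per FILE, with names relative to DIR.
make_manifest() {
    dir="$1"; shift
    ( cd "$dir" && sha256sum "$@" )
}

# verify_manifest DIR MANIFEST
# Returns 0 only if every file listed in MANIFEST exists under DIR with the
# recorded hash; a missing or altered file makes sha256sum -c fail.
verify_manifest() {
    dir="$1"; manifest="$2"
    ( cd "$dir" && sha256sum -c - ) < "$manifest" > /dev/null 2>&1
}

# install_client_files SRCDIR DESTDIR CERT KEY
# Copies ca.crt and CERT world-readable and KEY owner-only into DESTDIR.
install_client_files() {
    src="$1"; dest="$2"; cert="$3"; key="$4"
    install -m 644 "$src/ca.crt" "$src/$cert" "$dest/" &&
    install -m 600 "$src/$key" "$dest/"
}

# Usage, on the server after build-key (manifest goes with the files, or is
# read over the phone; its three lines are short enough to compare by eye):
#   make_manifest /etc/openvpn/easy-rsa/keys ca.crt client1.crt client1.key > client1.sha256
# On the client, after copying the files into your home directory:
#   verify_manifest ~ client1.sha256 && install_client_files ~ /etc/openvpn client1.crt client1.key
```

Because the verification happens on the client rather than the server, a file swapped during transit fails the check before it ever touches /etc/openvpn; the manifest is worth sending by a different route than the files themselves.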
In the client.conf, what you need to uncomment are the "user" and "group" directives, to make
the openvpn process run as the unprivileged "nobody" user rather than root. Also, if your key and
certificate files are not named "client.key" and "client.crt", you will need to change the cert and
key directives in the file as well.
An uncommented client configuration file follows, that serves as an example:
client
dev tun
proto udp
remote linsec.ath.cx 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
pull dhcp-options
To initiate a startup test, execute:
# openvpn client.conf
Tue Sep 14 17:18:14 2010 OpenVPN 2.0.9 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
...
Tue Sep 14 17:18:15 2010 [server] Peer Connection Initiated with 1.2.3.4:1194
Tue Sep 14 17:18:16 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Sep 14 17:18:16 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.254.0,route 10.8.0.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
...
Tue Sep 14 17:18:16 2010 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Sep 14 17:18:16 2010 /sbin/ip route add 192.168.10.0/23 via 10.8.0.5
Tue Sep 14 17:18:16 2010 /sbin/ip route add 10.8.0.0/32 via 10.8.0.5
Tue Sep 14 17:18:16 2010 GID set to nobody
Tue Sep 14 17:18:16 2010 UID set to nobody
Tue Sep 14 17:18:16 2010 Initialization Sequence Completed
There is a lot more output, but the above includes the important bits. We see here that a
connection has been established with the remote server, with the IP address 1.2.3.4. We also see
that the routes have been added, for the remote 192.168.10.0/23 network, and the VPN-specific
10.8.0.0/32 network. Now, you can make sure the link is up by using:
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
And finally, make sure it works:
# ping 10.8.0.1 -c 2
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=21.1 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=14.8 ms
A connection to the remote OpenVPN server has been successfully established. And if you
followed the previous tip about setting up the OpenVPN server, you should be able to ping and
establish a connection to any other available system on the server's LAN at this point as well.
In order to access machines on the remote network with their FQDN (Fully Qualified Domain
Name), you will need to modify /etc/resolv.conf to add a nameserver from the remote network to
the top of the list. This can, and probably should, be scripted so that the DNS server is used
whenever the VPN connection is established. This will allow you to connect to "server.foo.com"
rather than always using IP addresses, like "192.168.10.23". On the server side, ensure that
requests from this IP range (10.8.0.0/32) are not being blocked by the DNS server ACLs -- this is
an important thing to remember, as it bit me and cost me a day of frustration.
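The resolv.conf change above is the kind of thing that should be scripted from OpenVPN's "up" and "down" hooks rather than done by hand. The script below is an added example, not the article's code: it reads the pushed "dhcp-option DNS" and "dhcp-option DOMAIN" values, which OpenVPN hands to its scripts as the environment variables foreign_option_1, foreign_option_2, and so on (documented in the openvpn(8) "Environmental Variables" section), puts them at the top of resolv.conf while the tunnel is up, and restores the saved copy when it goes down. The RESOLV_CONF and RESOLV_BACKUP paths and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): OpenVPN up/down script that puts the
# DNS server and search domain pushed by the server at the top of resolv.conf
# for the life of the tunnel, then restores the original file.
# OpenVPN exports each pushed "dhcp-option" to scripts as foreign_option_N.
# The two paths below are this example's own choice, overridable by environment.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
RESOLV_BACKUP="${RESOLV_BACKUP:-/etc/resolv.conf.openvpn-saved}"

# pushed_dns_options
# Prints "nameserver X" / "domain Y" lines built from foreign_option_1,
# foreign_option_2, ... in push order; other dhcp-options are ignored.
pushed_dns_options() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -- $opt                      # e.g. "dhcp-option DNS 192.168.10.12"
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) echo "domain $3" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# build_resolv_conf ORIGINAL
# Prints the new resolv.conf: pushed entries first, then the original content,
# so the remote network's resolver is consulted before the local one.
build_resolv_conf() {
    pushed=$(pushed_dns_options)
    if [ -n "$pushed" ]; then
        printf '%s\n' "$pushed"
    fi
    cat "$1"
}

# vpn_up: save the current resolv.conf and replace it atomically.
vpn_up() {
    cp -p "$RESOLV_CONF" "$RESOLV_BACKUP"
    build_resolv_conf "$RESOLV_BACKUP" > "$RESOLV_CONF.tmp" &&
    mv "$RESOLV_CONF.tmp" "$RESOLV_CONF"
}

# vpn_down: put the saved copy back, if there is one.
vpn_down() {
    if [ -f "$RESOLV_BACKUP" ]; then
        mv "$RESOLV_BACKUP" "$RESOLV_CONF"
    fi
}

# OpenVPN passes the arguments given on the "up"/"down" line first, followed by
# the tunnel parameters (device, MTU, addresses), so our own word comes in $1.
case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Wire it in with `up /etc/openvpn/vpn-dns.sh up` and `down /etc/openvpn/vpn-dns.sh down` in client.conf (OpenVPN 2.1 and later additionally require `script-security 2`). One caveat that follows from the "user nobody" directive above: the down script runs after privileges have been dropped, so it cannot rewrite /etc/resolv.conf; OpenVPN's down-root plugin exists for exactly this case, or the restore can be done from the init script that stops the daemon.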
At this point the Linux client is set up. The final part of this series (published in the Macs in
Business blog on TechRepublic) shows you how to set up Shimo on OS X to connect to the
OpenVPN server and access the remote network's services.
How to set up an OS X OpenVPN client
In other tips I've covered how to set up an OpenVPN Linux server and an OpenVPN Linux
client. Here, I look at setting up OpenVPN as a client on OS X.
There are a few possible clients to choose from. One popular OpenVPN client for OS X is
Tunnelblick. Tunnelblick is free and open source. Another client is Viscosity. It has a cost of
$9USD with a 30 day trial. Finally, my client of choice is Shimo, which is not just an OpenVPN
client (like the other two), but also works with a number of other VPN and VPN-like solutions:
Cisco VPN, IPSec, PPTP/L2TP, SSH, and so forth. Shimo is more expensive than the others, but
not by much: it is only €14.95 (about $21USD).
Shimo is also easy to use with OpenVPN. If you have followed along with the other OpenVPN
tutorials in this series, you will have a copy of the client certificate, key, and the CA certificate
on your system. If not, you will need to obtain them from the server, where they would have
been generated, and securely copy (using SSH or a USB disk) them to your computer. Next, start
Shimo and head to the Preferences. In the Profiles pane, add a new OpenVPN profile.
Under the General tab, name your new connection -- something like "OpenVPN Home" would
suffice. In the Authentication pane, you will need to select your Certificate Authority file (ca.crt),
Local Certificate (client.crt), and Private Key File (client.key). Make sure the Authentication
Method is set to Certificate (Figure A). There is no need to set the username and password
unless it is required by the server (for the purposes of this series, we elected to use just
certificates without further authentication mechanisms).
Figure A
In the Connection tab, enter in the name of the remote host (i.e., openvpn-server.domain.com).
Ensure the Tunnel Device is TUN and the Protocol is UDP (Figure B); unless you have changed
the connection port on the server, leave it at the default 1194. Set Compression to Automatic,
and enable Automatic Reconnection. You can also elect to send keep-alive packets every few
seconds to ensure the connection stays up (i.e., maybe send a keep-alive packet every 120 seconds
or so).
Figure B
That's it! You can save the preferences for this profile; go to the Shimo menu icon, and select the
new OpenVPN network from the list, and Shimo will establish the connection. If you have
enabled the OpenVPN server to push DNS and DNS domain information to clients, when you
connect, you will be able to access systems on the remote network by their computer names
directly rather than IP addresses.
If you have an iPhone, you're in for an even bigger treat. With iPhone tethering, you can be on
the road, anywhere, and securely access the home or work network simply by connecting your
iPhone to the laptop (via USB or Bluetooth) and enabling tethering on the iPhone (via Settings |
General | Network | Internet Tethering). Once the connection between the Mac and iPhone is
established, simply fire up Shimo or whatever OpenVPN client you have chosen, and establish
the VPN connection. This works so well that I have been able to obtain a Kerberos ticket and
access a Kerberos-authentication-only web site on the internal network while sitting in my car
across town.
If you only need to use OpenVPN, Shimo may be overkill. It is a fantastic and robust OpenVPN
client, but you may wish to give something like Tunnelblick a go first to see if it meets your
needs. The latest version of Tunnelblick is 3.0, but it requires you to edit the OpenVPN client
configuration directly.
This makes it a lightweight frontend to the OpenVPN command-line program, and the
configuration for such can be found in the previous tip about configuring the Linux client.
Primarily, you will need to change the "remote" directive to point to the OpenVPN server, and
ensure that the ca, cert, and key directives are correct. These directives look for those files in the
directory that the configuration file resides in, so you will want to copy those files to
~/Library/Application Support/Tunnelblick/Configurations/.
Once that is done and the configuration file has been saved, use the Tunnelblick menu icon to
initiate a connection to the specified OpenVPN server and watch the OpenVPN log output as it
connects.
There are a few options to establishing connections to OpenVPN on the Mac. Tunnelblick is
good, if a little rough. It is, after all, a simple frontend to the openvpn command line program.
Shimo is great if you need a little more power, flexibility, and hand-holding. It is also the best of
the bunch if you need to connect to different types of VPNs.