Install openvpn using the rpm
Installing OpenVPN from a binary RPM package has these dependencies:

• openssl
• lzo
• pamInstall rpms as root:# rpm -ivh openvpn-2.0.5-1.el4.rf.i386.rpm

 

installing rpm 

 

    rpm -ivh lzo-1.08-4.2.el4.rf.i386.rpm

 The main configuration directory for open vpn is /etc/openvpn

Setting up your Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients

The first step in building an OpenVPN 2.0 configuration is to establish a PKI (public key infrastructure). The PKI consists of:

• A separate certificate (also known as a public key) and private key for the server and each client, and
• A master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates

 Copy the /usr/share/doc/openvpn-2.0.7/easy-rsa/2.0/ directory to /etc/openvpn/easy-rsa

     cp -r /usr/share/doc/openvpn-2.0.7/easy-rsa/2.0/ /etc/openvpn/easy-rsa

Configure easy-rsa

Now edit the vars file  and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don’t leave any of these parameters blank.

Next, initialize the PKI. on Linux:

./vars

./clean-all

./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

Generating a 1024 bit RSA private key

…………++++++

………..++++++

writing new private key to ‘ca.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [KG]:IN

State or Province Name (full name) [NA]:KERALA

Locality Name (eg, city) [BISHKEK]:KOCHI

Organization Name (eg, company) [OpenVPN-TEST]:company name

Organizational Unit Name (eg, section) []:company name

Common Name (eg, your name or your server’s hostname) []:company name

Email Address [Riyesh@linuxbuddies.com]

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above.

Generate certificate & key for server
Next, we will generate a certificate and private key for the server. On Linux:

./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]“.

Generate certificates & keys for  clients

Generating client certificates is very similar to the previous step. On Linux:

./build-key client1

 

./build-key client2 and so on…

    Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux:

./build-dh

 ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

……………..+…………………………………….

……………….+………….+……………..+………

………………………………..

          Creating TLS Key

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS.
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

openvpn –genkey –secret ta.key

This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.

In the server configuration, add:

tls-auth ta.key 0

In the client configuration, add:

tls-auth ta.key 1

          Creating configuration files for server and clients

remote ekm1.dyndns.org 1194

#remote  ekm2.linuxbuddies.com 1194/etc/openvpn/server.conf

port 1194                               ; Port for OpenVpn traffic

proto tcp                               ; TCP protocol

dev tun                                 ; use Tun device

ca ca.crt                               ; Certificate file of signing Authority

cert server.crt                         ; Server certificate

key server.key                          ; Server Key

dh dh2048.pem                           ;Diffie Hellman parameters

server 10.2.100.0 255.255.255.0         ; Openvpn subnet should be different from the local network of server and client

ifconfig-pool-persist ipp.txt

push “route 10.2.1.0 255.255.255.0“     ; Pushing routes to client

push “route 10.1.1.0 255.255.255.0“

client-config-dir ccd

route 10.2.100.0 255.255.255.0

push “dhcp-option DNS 10.2.1.11“        ; Pushing DNS server to client

client-to-client                        ; Clients can communicate eatch other

duplicate-cn

keepalive 10 120

tls-auth ta.key 0                       ; tls key

comp-lzo                                ; Use lzo compression Algo

max-clients 10

user nobody                             ; Run openvpn as user nobody  -

group nobody                            ; group nobody for security

persist-key

persist-tun

tun-mtu 1500

status openvpn-status.log

log-append /var/log/openvpn.log

verb 6

mute 20

client.conf

client

dev tun

proto tcp

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client.crt

key client.key

tls-auth ta.key 1

comp-lzo

verb 3

mute 20

ns-cert-type server

auth-user-pass

pull

mssfix 1450

 

 

############

 

Now anaconda will start to run and will pause at a particular moment showing the below message

Now try to telnet to this IP from a remote machine and proceed with installation steps as usual as we do as shown below

dma=off apci=off apm=off

edit /etc/hdparm.conf

command_line {
hdparm -d1 /dev/cdrom
}

command_line {
hdparm -d1 /dev/cdrom1
}

Edit sysctl.conf

dev.cdrom.check_media = 0

Please follow the steps to install SSL certificate on Apache

# cd /usr/local/apache

# mkdir cert
# cd cert

1. Generate your own Certificate Authority (CA)

# openssl genrsa -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2.Generate a server key and request for signing (csr)

# openssl genrsa -out server.key 4096
# openssl req -new -key server.key -out server.csr

3.Sign the certificate signing request (csr) with the self-created certificate authority (CA) that you made earlier

# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Edit /usr/local/apache/conf/httpd.conf

ServerName xxx.xxx.xxx.xxx:443
Listen xxx.xxx.xxx.xxx:443
LoadModule ssl_module modules/mod_ssl.so

SSLEngine on
SSLCertificateFile /usr/local/apache/cert/server.crt
SSLCertificateKeyFile /usr/local/apache/cert/server.key

# /usr/local/apache/bin/apachectl restart

To do the same with a Passphrase follow below

# cd /usr/local/apache
# mkdir cert
# cd cert
# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# openssl genrsa -des3 -out server.key 4096
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Rest of the configuration remains same

2.Extract it to the Squirrelmail – plugins directory

cd /var/www/html/squirrelmail/plugins

# tar xzf compatibility-2.0.9-1.0.tar.gz
# cd compatibility

3.Patch it to your squirrelmail version

# patch -p0 < patches/compatibility_patch-1.4.11.diff
patching file ../../functions/strings.php

4.Configure the Squirrelmail to include the plugin

# cd ../../config
# ./conf.pl

5.Extract Local Auto Responder Plugin

# cd ../plugins/
# tar xzf local_autorespond_forward-3.0-1.4.0.tar.gz
# cd local_autorespond_forward

6.Compile suid_backend module

# cd suid_backend/
# ./configure –enable-webuser=nobody

Here my Apache is running as user “nobody”.That user should have the permission to play
with the directories under this.

# make
# make install

7.Copy the sample config.php

# cd ..
# cp config.sample.php config.php

8.Edit the config.php to use “suid” instead of “ftp” for Maildir and “.forward” files

edit config.php

$laf_backend = ’suid’;

9.Configure the Squirrelmail to include the plugin

# cd ../../config
# ./conf.pl

10.Verify the Squirrelmail’s ATTACHMENT DIR and DATA DIR. Verify the permission also

edit /var/www/html/squirrelmail/config/config.php

$attachment_dir = ‘/var/local/squirrelmail/attach/’;

11.Create it if doesn’t exist

# mkdir /var/local/squirrelmail/attach
# chown nobody.nobody /var/local/squirrelmail/attach
# chmod 755 /var/local/squirrelmail/attach

Finish…… you can go now…

Thanks,

Riyesh

Linux buddy

On this documentation… Will help you to setup linux server as a network gateway without installing any proxy softwares….

#!/bin/sh
# The interface conneected to Your LAN
INTIF=”eth1?
# The interface conneected to Internet (ppp0 or eth)
EXTIF=”eth0?
# If you have a static IP (Public IP), Use the following line. Otherwise comment following line and use the next line
EXTIP=”XXX.XXX.XXX.XXX”

EXTIP=”`/sbin/ifconfig ppp0 | grep ‘inet addr’ | awk ‘{print $2}’ | sed -e ’s/.*://’`”

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo “1? > /proc/sys/net/ipv4/ip_forward
echo “1? > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i $EXTIF -o $INTIF -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#End Of file
# execute this script and bring it to the startup of your system.
# Go to a client machine in your LAN, and set the gateway to the Linux server’s internal IP address, that’s all.

If you are able to solve that with keeping your colleague to watch how you are sorting out the issues you can use screen.

First of all ask your colleague for the username which he used to login into that remote machine. Now you can login to that remote machine as the same user. Imagine username is engineer and IP of the remote machine is 192.168.1.1. Try the below

# ssh engineer@192.168.1.1

Then after getting logged in run the screen command to set a session named myscreen

$ screen -S myscreen

Now tell your colleague to type the below for attaching his screen to your screen.

$ screen -x myscreen

Thats it. Now he can watch whatever you type and vice versa.

For example:

# groupadd salesgroup
# useradd -G salesgroup salesman1
# useradd -G salesgroup salesmanager
# echo “@salesgroup – maxlogins 10? >> /etc/security/limits.conf
# echo “salesman1 – maxlogins 5? >> /etc/security/limits.conf

Here the group salesgroup can make a maximum of 10 logins at a time.
And the user salesman1 is limited to 5 simultaneous logins.

If you are on an RPM installation of Apache you will find the apache configuration file probably here:

/etc/httpd/conf/httpd.conf

If you are using apache from the source tar balls probably you will find the configuration file here:

/usr/local/apache/conf/httpd.conf

Edit the httpd.conf file and scroll until you find a line like this:

Options All Indexes FollowSymLinks MultiViews

To disable directory browsing carefully remove the line that says: Indexes and leave the line like this:

Options All FollowSymLinks MultiViews

Restart your apache webserver and thats it

Create vnc passwd

x11vnc -storepasswd

Use authentication while connecting

x11vnc -rfbauth ~/.vnc/passwd

Keep the VNC Session after each login and logout

x11vnc -forever

Don’t use shm of X if you have problems in display

x11vnc -noshm

So the final command is

x11vnc -noshm -forever -rfbauth ~/.vnc/passwd

Finished