Author: Yeri Tiete

Categories
Apple Linux Networking

OpenVPN Linux + Mac howto

A short howto, as I was unable to find any clear ones on the net.

I’m using Mac OS X (Leopard) as client, and a Gentoo server as server/host.

I both tried Viscosity and Tunnelblick on my Mac as OpenVPN software, and Viscosity is probably somewhat easier to configure (using the GUI), it was shareware. So I ended up using Tunnelblick and it seems to be doing its job quite well.

First of all, make sure Gentoo is set up and working as intended. I used my home router as VPN server (having both eth0 and eth1 (= ppp0).

Using this howto, you’ll be able to get the server up and running.

Besides the installation, and perhaps (config) file locations it should be pretty similar on other Linux distros.

As I have dnsmasq running on my server (taking care of DNS) I added the following to the server.conf:

push "dhcp-option DNS 10.0.0.1"
push "redirect-gateway def1"
client-config-dir ccd
route 10.20.30.0 255.255.255.252

Don’t forget to allow DNS requests over tun0 interface in dnsmasq.conf.

The first line tells the server to hand out 10.0.0.1 as DNS server to its connecting clients (10.0.0.1 being the internal eth0 IP of my server).

The 2nd line, tells all clients to route ALL of their traffic through the VPN. I used the VPN to access a website that allowed only Belgian IPs, and I was in The Netherlands at the time I had to access the site (Skynet’s Rock Werchter stream). So I connected through my server at home.

And the 3rd and 4th line are needed if the client access the VPN is on a private IP subnet (like being connected on a WiFi router, using IP 192.168.178.x).

You’ll have to add, in the client-config directory a file per username connecting to the VPN with something similar to this:

iroute 192.168.178.0 255.255.255.0

I’m not entirely sure if you can add multiple iroutes; something I’ll have to figure out when being on a different network.

This is what my client config looks like (vpn-server-name.conf, located in ~/Library/openvpn/):

client
dev tun
proto udp
remote home.tiete.be 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "ca.crt"
cert "yeri.crt"
key "yeri.key"
tls-auth "ta.key" 1
comp-lzo
verb 3

Yeri being my username. Don’t forget to download and add the ca.crt, user.crt, user.key (located in /usr/share/openvpn/easy-rsa/keys/) and ta.key (located in /etc/openvpn/) you’ve created on the server.

If your client asks for “directions”, pick 1.

Start up server and client software.

Hitting connect in Tunnelblick should connect you to the VPN server, and (in my case) giving me an IP similar to 10.20.30.6. You can check this using “ifconfig” in Terminal.

Client:

tun0: flags=8851 mtu 1500
    inet 10.20.30.6 --> 10.20.30.5 netmask 0xffffffff
    open (pid 20551)

Server:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.20.30.1  P-t-P:10.20.30.2  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:407595 errors:0 dropped:0 overruns:0 frame:0
TX packets:574351 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:27473209 (26.2 MiB)  TX bytes:603524377 (575.5 MiB)

Don’t forget; when using “tun” as driver, your gateway/VPN server will always have the IP ending on .1 (e.g.: 10.20.30.1).

Now, if you want to route all traffic throug the VPN, like I did, you’ll have to change some stuff in iptables (as the server is also acting as my home router, I already did have a few rules in it).

Allow all traffic through tun0 interface:

iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT

Allow traffic through the external port 9000 (UDP):

iptables -A INPUT -i ppp0 -p udp -m udp --dport 9000 -j ACCEPT

Enable forwarding and NAT:

iptables -A FORWARD -s 10.20.30.0/24 -i tun0 -j ACCEPT
iptables -A FORWARD -d 10.20.30.0/24 -i ppp0 -j ACCEPT
iptables -A POSTROUTING -o ppp0 -j MASQUERADE

And lastly, as I have Squid running on my server, I want to transparently forward all port 80 requests to the Squid server running on port 8080:

iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

That’s about it. You should have a running VPN from your current location to your VPN server. And you’re able to use it as a gateway.

You can always traceroute/tracepath to your VPN server (10.20.30.1). It should only find one hop.

Categories
Misc

Da Mastah Be Talkin’ To Ya

On which he replies:

🙂

End of total useless post. 😉

Categories
Misc

The SysAdmin Ten Commandments

I. Thou shalt respect thy user
It is paramount that you respect the user and their data. Don’t steal their MP3s, don’t look at their porn. When working with email, look without reading. Respect them and they will respect you.

II. Thou shalt empower the user
The user is the customer. The system is not yours, it is theirs. Provide users the tools they need to be successful and they will be happy. Give them space to experiment, learn and create. Do not hold users back.

III. Thou shalt keep it simple
Keep It Simple, Stupid. The KISS principle will keep you from building barrels to keep a bottle’s worth of wine. Do not mistake over-engineering for quality. Quality work is concise and scalable.

IV. Thou shalt expect catastrophe
Expect the worst surprises. Make your resources redundant, backup your data, test your backups, and then backup the backups. The shit will hit the fan someday. Be prepared.

V. Thou shalt plan
Great work follows great plans. Stay on target by first identifying it. Plan your work carefully and surprises will be easier to handle.

VI. Thou shalt stay informed
Gather all the news, information, logs and statistics you can. Without the raw data to analyze, you cannot be secure, you cannot debug problems and you cannot forecast. Without new information, you cannot learn.

VII. Thou shalt share
No one is alone in this world. Pass your knowledge on to others. Give to others, contribute to the community and you will reap many rewards. It is not wise to horde knowledge. Don’t be an asshole.

VIII. Thou shalt automate
Do more, faster by automating tasks. You are the puppet master, do not waste your time with menial work. Work smarter, not harder.

IX. Thou shalt document
Always document your work, your code and your plans. Then document their execution and maintenance. Document for others and document for yourself. Documentation should be an extension of your mind and a resource for others.

X. Thou shalt respect thy organization
Without organization, there is no system, there is no user and there is no job. Understand the organization and it’s business. Respect it and help it thrive.

Source.

Categories
Misc

Another fact.

From Twitter.

Categories
Misc

Fact.

fact