Category: linux

First things first… Thanks to DigitalOcean for their excellent howtos which helped me countless times. Thanks also for Rudi Drusian for giving me some complementary information here. 

I used Rudi’s first part with a few changes. I changes a few parts, removed others to make it simpler. I expect you to already know how to protect a VPN Servers so dumb stuff won’t be here.

In my case, openvpn was already installed. In case you need…

# Slackware
slackpkg install openvpn

Now this is the most important part for me. Even with Digital Ocean’s howtos, I never memorize where to get easy rsa

cd /mnt/usb
git clone https://github.com/OpenVPN/easy-rsa

Also valuable info here.. setting up easyrsa

cd easy-rsa/easyrsa3/
cp vars.example vars
vi vars

# Organizational fields
set_var EASYRSA_REQ_COUNTRY  "US" # Country
set_var EASYRSA_REQ_PROVINCE "California" # State
set_var EASYRSA_REQ_CITY     "Los Angeles" # City
set_var EASYRSA_REQ_ORG      "My Company" # Organization name
set_var EASYRSA_REQ_EMAIL    "contact@mycompany.com.br" # Email
set_var EASYRSA_REQ_OU       "IT Department" # Organizational Unit

# Expiration (in days)
set_var EASYRSA_CA_EXPIRE   7300 # CA validity
set_var EASYRSA_CERT_EXPIRE 3650 # Validity of issued certificates

Initializing PKI

# Access the EasyRSA directory
cd /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/

# Initialize the PKI
./easyrsa init-pki

# Access the EasyRSA directory
cd /mnt/usb/easy-rsa/easyrsa3/

# Create the CA
./easyrsa build-ca

# Generate the TLS key
./easyrsa gen-tls-crypt-key

# Generate the Diffie-Hellman (DH) parameters
./easyrsa gen-dh

I don’t know why Rudi didn’t run this but please, do:

#Use this against DoS and port flooding
cd /etc/openvpn/keys
openvpn --genkey tls-auth ta.key
cd -

Create server auth stuff

Remember to answer yes to whatever is asked here:

./easyrsa gen-req office nopass

./easyrsa sign-req server office

Copy files from easyresa to openvpn config directory:

cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/issued/office.crt /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/private/office.key /etc/openvpn/keys/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/private/easyrsa-tls.key /etc/openvpn/keys/

 Grab a sample config file to setup server

cd /etc/openvpn/
cp sample-config-files/server.conf office.conf

 Change the file to match your needs, use the links I provided at the beggining or google it. Here’s an example:

##############################################
#   Example configuration for a OpenVPN      #
#  server with support for multiple clients. #
##############################################

local x.x.x.x  # Local IP address on which OpenVPN should listen
port  1194     # TCP/UDP port used by OpenVPN
proto udp      # Transport protocol (TCP or UDP)
dev   tun      # Tunnel type: routed (tun) or Ethernet (tap)

ca       /etc/openvpn/certs/ca.crt           # CA certificate
dh       /etc/openvpn/certs/dh.pem           # Diffie-Hellman (DH) parameters
cert     /etc/openvpn/certs/office.crt       # Server certificate
key      /etc/openvpn/keys/office.key        # Server private key
tls-auth /etc/openvpn/keys/easyrsa-tls.key 0 # TLS key (0 on server and 1 on client)

;crl-verify  /etc/openvpn/crl.pem # Certificate Revocation List

topology subnet                # Subnet /24 (255.255.255.0)
server 10.8.0.0 255.255.255.0  # Set the VPN network, server will be 10.8.0.1
ifconfig-pool-persist ipp.txt  # Keeps a record of IPs assigned to clients

# Sends a route to clients,
# allowing access to internal networks
push "route 192.168.10.0 255.255.255.0"

# Set a folder for client-specific
# configurations. Allows assigning
# fixed IPs and routes. 
client-config-dir ccd

# Uncomment to allow clients to
# communicate with each other
;client-to-client

# Sends a ping every 10 seconds and considers
# the client offline after 120 seconds
keepalive 10 120

cipher AES-256-GCM # Default encryption algorithm
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC # Supported algorithms
;data-ciphers-fallback AES-256-CBC # Support for older versions

# Disables compression for security reasons
allow-compression no

# Maximum number of simultaneous clients
max-clients 100

# Reduces privileges after initialization
user nobody
group nobody

# Improves connection stability
persist-key # Prevents reloading keys after a reconnection
persist-tun # Keeps the VPN interface active during a reconnection

# Path to log files
status      /var/log/openvpn-status.log
log-append  /var/log/openvpn.log

verb 3   # Log detail level
mute 20  # Silences repeated log messages after 20 displays

# Notifies clients when the server is
# restarted so they can reconnect
explicit-exit-notify 1

Allow it to openvpn start at boot:

chmod +x /etc/rc.d/rc.openvpn

From now on, please follow DigitalOcean HOWTO for client setup. It doesn’t make sense using anything else…

Hell, I got an idea.
After 2 perfect days at LinuxCon .br I decided I should change some of my thoughts regarding speeches and helping community. So many friends help the community and I decided I should do the same.
From now on I will start writing howtos and speeches with things I know.

I guess I’ll start with slackware+jboss and a good way to improve performance.

Bom,

Vou deixar aqui pq o Google deve indexar em algum momento pois duvido q alguém venha aqui verificar isso. Caso interesse. Link para OpenOffice x86_64 ja no package slackware

openoffice.org-3.1.0_en_US-x86_64-4_SBo.tgz