Category: Linux

  • Kali Linux Installation from Scratch

    Installation as Proxmox LXC container

    apt install wget man vim nano inetutils-tools iputils-ping
    apt install kali-defaults zsh zsh-syntax-highlighting zsh-autosuggestions
    adduser XXXX
    usermod -aG sudo XXXX
    sudo apt install ssh
    sudo systemctl enable ssh && sudo systemctl start ssh

    If you install a desktop environment, uninstall Network Manager to avoid conflicts between Network Manager and systemd.

    sudo apt install -y kali-desktop-xfce xorg xrdp firefox-esr
    apt-get purge network-manager
    sudo apt update && sudo apt upgrade && sudo apt dist-upgrade
    sudo apt-cache search kali-linux
    sudo apt install kali-defaults
  • Update Docker Container Image

    Use the following commands to update a Docker container with a new image:

    sudo docker image ls
    sudo docker inspect <image_id>
    sudo docker ps -a
    sudo docker stop <container_id>
    sudo docker rm <container_id>
    sudo docker rmi <image_id>
    docker pull <image_name:image_tag>
    docker create <image_name:image_tag>

    e.g. TeamSpeak Docker container creation:

    sudo docker pull teamspeak:latest
    sudo docker create -p 9987:9987/udp -p 10011:10011 -p 30033:30033 -e TS3SERVER_LICENSE=accept --restart always --name Teamspeak -v /home/username/teamspeak:/var/ts3server/ teamspeak
  • Sync Time with NTP Linux Server

    How To Set or Change Timezone on Ubuntu 20.0

    Using the correct timezone is essential for many system-related tasks and processes. For example, the cron daemon uses the system’s timezone for executing cron jobs, and the timestamps in the log files are based on the same timezone.

    On Ubuntu, the system’s timezone is set during the install, but it can be easily changed at a later time.

    Run the commands below in order to set the time zone and activate time sync:

    timedatectl
    cat /etc/timezone
    sudo timedatectl set-timezone Europe/Berlin
    timedatectl
    sudo timedatectl set-ntp off
    sudo timedatectl set-ntp on
  • TCP/IPv4 Subnetting

    The purpose of this article is to find out various subnet parameters from a given IP Address and its corresponding mask. This is one of a few available methods that can be used to achieve this.

    This tutorial assumes basic knowledge of networking and an understanding of basic networking terminology.

    We will be trying to find:

    Network Address (ID)     “NID”
    Broadcast Address (ID)   “BID”
    Next Subnet              “NsubN”
    First Host IP            “FHIP”
    Last Host IP             “LHIP”
    IP Host Range            “IPHR”
    Number of Hosts          “N°H”
    Number of Subnets        “N°subN”

    Let’s take the following IP address as Example 1:

    185.195.201.101 / 23

    Firstly, let us write the mask that belongs to this IP address (/23) in binary:

    11111111.11111111.11111110.00000000

    As we know, the CIDR value of /23 tells us where the network part of the mask ends and the host identifier begins, in this case at the 23rd position. This position falls into the 3rd octet. Let us also mark any octet into which this boundary falls with the sign ‘|’, e.g. NID(|). I will be using this to make clear which octet of the address is meant.

    Let us convert the binary into decimals. But let us first take a look at the decimal value of each bit of an octet:

    1    1    1    1    1    1    1    1
    128  64   32   16   8    4    2    1

    As we can see, it all sums up to 255. Let us now translate the above mask into decimals:

    11111111.11111111.11111110.00000000
    255      255      254      0

    As can be seen, our netmask is 255.255.254.0 for the above IP address.

    The IP address also belongs to a Class B network.

    Network ID & Broadcast ID

    Let us now try to determine the Network ID and Broadcast ID.

    In order to achieve this we are going to concentrate on the 3rd octet (because the boundary between the network part and the host part lies there).

    2. Binary value of the 3rd octet of the IP address       11001001
    1. Binary value of the 3rd octet of the mask             11111110
    3. Logical conjunction of both (like a multiplier)       11001000

    As we can see our logical conjunction is 11001000. Translating this into the Decimal value using the decimal chart above we get: 128 + 64 + 8 = 200

    This Number is our Network Address (ID) value. Therefore our network ID is:

    185.195.200.0

    Having our network ID, we can easily find the Broadcast ID. Here we need to look at the 3rd octet of the mask again and convert the last positive digit of the binary (the last 1 bit, here the 7th digit) into a decimal value. I will call this LastPositiveDigitDecimalValue (LPDDV).

    11111110 --> 2

    Now we can find out the Broadcast ID with this small equation

    NID + (LPDDV-1) = 200 + (2-1) = 201

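    The octets to the right of the boundary octet are all host bits and therefore 255 in the broadcast address. Our Broadcast Address (ID) is: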

    185.195.201.255

    In order to get our next subnet address we just leave the -1 out of the equation above.

    NID + LPDDV = 200 + 2 = 202

    Our next subnet begins at:

    185.195.202.0

    From here it is easy to calculate all the remaining parameters. Let’s put everything into a single table, with the formulae in the last column:

    Parameter  Value                                                 Formulae
    NID        185.195.200.0
    BID        185.195.201.255                                       NID(|) + (LPDDV-1)
    NsubN      185.195.202.0                                         NID(|) + LPDDV
    FHIP       185.195.200.1                                         NID(4) + 1
    LHIP       185.195.201.254                                       BID(4) – 1
    IPHR       185.195.200.1 – 185.195.201.254
    N°H        256 * ((201-200)+1)-2 = 2^(32-23)-2 = 2^9-2 = 510     256 * ((BID(|)-NID(|))+1)-2 or 2^(32-CIDR) – 2
    N°subN     256 / (201-200+1) = 128                               256 / (BID(|)-NID(|)+1)

    Example 2

    Let us have a look at another example without the explanation

    185.120.120.29 / 21

    11111111.11111111.11111000.00000000
    255      255      248      0

    Binary value of the 3rd octet of the IP address   01111000
    Binary value of the 3rd octet of the mask         11111000
    Multiplier of both                                01111000

    1    1    1    1    1    1    1    1
    128  64   32   16   8    4    2    1

    Parameter  Value                                                 Formulae
    NID        185.120.120.0
    BID        185.120.127.255                                       NID(|) + (LPDDV-1)
    NsubN      185.120.128.0                                         NID(|) + LPDDV
    FHIP       185.120.120.1                                         NID(4) + 1
    LHIP       185.120.127.254                                       BID(4) – 1
    IPHR       185.120.120.1 – 185.120.127.254
    N°H        256 * ((127-120)+1)-2 = 2^(32-21)-2 = 2046            256 * ((BID(|)-NID(|))+1)-2 or 2^(32-CIDR) – 2
    N°subN     256 / ((127-120)+1) = 32                              256 / (BID(|)-NID(|)+1)
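
    The calculation from both examples, generalised to any IPv4 address and prefix length, as an added example that is not part of the original article. It works on the whole 32-bit address instead of one octet, reports the article's parameters (HOSTS is N°H, SUBNETS is N°subN), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: subnet parameters for "a.b.c.d/cidr" using the article's
# abbreviations. Assumes a shell with 64-bit arithmetic (bash, dash).

# Dotted quad -> integer; fails unless there are four octets in 0..255.
ip_to_int() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    n=0
    for o in "$@"; do
        # Drop leading zeros so "010" is not read as an octal number.
        while [ "${#o}" -gt 1 ] && [ "${o#0}" != "$o" ]; do o=${o#0}; done
        [ "$o" -le 255 ] 2>/dev/null || exit 1
        n=$(( (n << 8) | o ))
    done
    echo "$n"
)

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print one "KEY value" line per parameter.
subnet_params() (
    addr=${1%/*}
    cidr=${1##*/}
    case $cidr in ''|*[!0-9]*|0[0-9]*) echo "bad prefix: $1" >&2; exit 1 ;; esac
    [ "$cidr" -le 32 ] 2>/dev/null || { echo "bad prefix: $1" >&2; exit 1; }
    ip=$(ip_to_int "$addr") || { echo "bad address: $1" >&2; exit 1; }

    all=4294967295                     # 32 one-bits
    size=$(( 1 << (32 - cidr) ))       # addresses in the subnet
    mask=$(( all ^ (size - 1) ))       # netmask for /cidr
    nid=$(( ip & mask ))               # logical conjunction of address and mask
    bid=$(( nid + size - 1 ))          # every host bit set

    if [ "$cidr" -ge 31 ]; then
        # /31 and /32 have no separate network and broadcast address.
        first=$nid; last=$bid; hosts=$size
    else
        first=$(( nid + 1 )); last=$(( bid - 1 )); hosts=$(( size - 2 ))
    fi

    echo "MASK $(int_to_ip "$mask")"
    echo "NID $(int_to_ip "$nid")"
    echo "BID $(int_to_ip "$bid")"
    if [ "$bid" -lt "$all" ]; then
        echo "NsubN $(int_to_ip $(( bid + 1 )))"
    else
        echo "NsubN none"              # last subnet of the address space
    fi
    echo "FHIP $(int_to_ip "$first")"
    echo "LHIP $(int_to_ip "$last")"
    echo "HOSTS $hosts"
    if [ "$cidr" -gt 0 ]; then
        # LPDDV: decimal value of the last 1 bit in the boundary octet of
        # the mask. 256 / LPDDV equals the article's 256 / (BID(|)-NID(|)+1).
        lpddv=$(( 1 << ((8 - cidr % 8) % 8) ))
        echo "LPDDV $lpddv"
        echo "SUBNETS $(( 256 / lpddv ))"
    fi
)

# Return a single parameter, e.g. subnet_field 185.195.201.101/23 BID
subnet_field() {
    subnet_params "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# Example 1 from the article.
subnet_params 185.195.201.101/23
```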

    Should you have any questions, post a comment or send me a direct message.

  • WordPress Installation on Ubuntu Server 20.04 with MariaDB

    This is a compact installation guide of WordPress on a Linux Server. It covers full server configuration and the installation of WordPress.

    Requirements:

    1. Ubuntu Server 20.04 installed.
    2. Static external IP
    3. Manageable Gateway/Router. (You should be able to forward/open ports)

    What will we be installing?

    • Apache
    • PHP
    • MySQL
    • MariaDB Database
    • WordPress (Stable Release)

    Installation of Apache, PHP, and MySQL

    Before we proceed, let’s update the package lists to the newest version

    $ sudo apt update

    Install Apache, MySQL (MariaDB variant) and PHP

    $ sudo apt install apache2 php libapache2-mod-php mariadb-server mariadb-client php-mysql

    Configure MySQL

    Secure the MySQL installation

    $ sudo mysql_secure_installation

    Start the MySQL client

    $ sudo mysql

    Create a new database for WordPress:

    MariaDB [(none)]> CREATE DATABASE wordpress_db;

    Create a user for the database and set a password.

    MariaDB [(none)]> CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'my_password';

    Grant the newly created user all permissions for the database.

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wordpress_user'@'localhost';

    Reload the permissions so that they can take effect.

    MariaDB [(none)]> FLUSH PRIVILEGES;
    MariaDB [(none)]> exit

    Apache Configuration

    Firstly, copy the default config file and rename it.

    $ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/wordpress.conf

    Now open the file for editing

    $ sudo nano /etc/apache2/sites-available/wordpress.conf

    Update these lines within the document. Enter the adequate information.

    DocumentRoot /var/www/wordpress
    ServerName your-site.com
    ServerAlias www.your-site.com

    Save changes by pressing CTRL+X

    Enable the new site in Apache and disable the default site.

    $ sudo a2ensite wordpress.conf
    $ sudo a2dissite 000-default.conf

    Reload Apache so that the changes take effect

    $ sudo systemctl reload apache2

    WordPress Installation

    Download WordPress to the temp folder and extract it

    $ cd /tmp
    $ curl -O https://wordpress.org/latest.tar.gz
    $ tar xzvf latest.tar.gz
    

    Create .htaccess file

    $ touch /tmp/wordpress/.htaccess

    Create a WP configuration file from a sample file

    $ cp /tmp/wordpress/wp-config-sample.php /tmp/wordpress/wp-config.php

    Create an upgrade folder for future WP upgrades

    $ mkdir /tmp/wordpress/wp-content/upgrade

    Move the installation to destination folder

    $ sudo cp -a /tmp/wordpress/. /var/www/wordpress

    WordPress Directory Configuration

    Let’s assign the appropriate folder permissions

    $ sudo chown -R www-data:www-data /var/www/wordpress
    $ sudo find /var/www/wordpress/ -type d -exec chmod 750 {} \;
    $ sudo find /var/www/wordpress/ -type f -exec chmod 640 {} \;

    Let us generate the secret keys for the wp-config.php file

    $ curl -s https://api.wordpress.org/secret-key/1.1/salt/

    The generated keys need to be pasted into the wp-config.php file. Also specify all the necessary information for database name, hostname, database username and password

    $ sudo nano /var/www/wordpress/wp-config.php

    SSL Configuration

    There are two possibilities for your new site to be able to redirect its traffic to https protocol.

    1. Via self signed Certificate

    2. Via open source Certbot

    I will describe both ways but strongly recommend using Certbot because its certificate will be trusted by most browsers. Check this link to find out more.

    SSL Certificate via Certbot

    First, make sure that any previously installed version of Certbot is removed. It probably is not installed, but just double check

    $ sudo apt-get remove certbot

    Install certbot

    $ sudo snap install --classic certbot

    Run the certbot configuration wizard.

    $ sudo certbot --apache

    The created certificate is valid for 3 months. It will automatically be renewed by the certbot service running on the server. To test the automatic renewal, run the command:

    $ sudo certbot renew --dry-run

    SSL Certificate with Self-Signature

    As mentioned above I recommend using a self-signed certificate only for local websites e.g. intranet or testing purposes.

    Let us create a certificate and a certificate key

    $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

    Now let’s edit the default SSL configuration file in order to tell Apache where the two created files (the certificate and the key) are found.

    DocumentRoot /var/www/wordpress
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

    Enable the SSL module and restart Apache

    $ sudo a2enmod ssl
    $ sudo systemctl restart apache2

    Enable the default SSL config (the one you have just edited above) and tell Apache to reload it

    $ sudo a2ensite default-ssl
    $ sudo systemctl reload apache2

    SSL Redirect

    Now that we have our SSL certificate up and running, we must make sure that all traffic is actually redirected over the HTTPS protocol. If you type for example www.your-site.com, it will open as http by default. When it does so, the browser will report that the site is not secure. This might, in many cases, cause people to leave the website before even entering it. In order to avoid this we must tell Apache to redirect all the traffic to the https protocol using your newly created SSL certificate and key.

    This is where the .htaccess file comes into play. It is found inside the wordpress folder and is hidden by default

    /var/www/wordpress/.htaccess

    This file has got to be modified with the right entry.

    There are two ways of achieving this:

    1. Manually editing the .htaccess file
    2. Using a plugin

    Using method 1: 

    $ sudo nano /var/www/wordpress/.htaccess

    Add this entry before the “# BEGIN WordPress” line. It’s important to add it before!

    # BEGIN HTTPS Redirection Plugin
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>
    # END HTTPS Redirection

    Save the file with Ctrl+x

    You don’t need to restart Apache here. The “.htaccess” file is read on every page request.

    Using Method 2:

    Go into the plugin menu and search for Easy HTTP SSL Redirect. This plugin does the same without you needing to modify the .htaccess file manually.

    Website Health Status

    At this stage we are almost done. There are still a few small steps to undertake in order to have WordPress be able to use all of its features.

    For this go into the Site Health Status page and check which modules still need to be installed onto the PHP server. You will most likely see this:

    Website Health status

    Please run the following commands in order to install the missing modules:

    $ sudo apt-get install php7.4-curl
    $ sudo apt-get install -y php-dom
    $ sudo apt-get install -y php-mbstring
    $ sudo apt install imagemagick
    $ sudo apt install php-imagick
    $ sudo apt-get install php7.4-zip

    Restart Apache

    $ sudo /etc/init.d/apache2 restart

    Conclusion

    This concludes the tutorial. You have now installed and fully configured a Linux server that can host a WordPress website. Should you have questions or suggestions, don’t hesitate to contact me via email or post a comment in the comments section.

    Update: phpMyAdmin installation & Firewall rules

    Previously I have not mentioned how to install phpMyAdmin for graphical database management. Additionally we are going to enable the ufw firewall and set the right rules.

    Let’s look into this:

    Let us install PHP Tools

    $ sudo apt install php php-zip php-json php-mbstring php-mysql

    Restart Apache Server

    $ sudo systemctl enable apache2 && sudo systemctl start apache2

    Download and install the phpmyadmin package

    $ wget https://files.phpmyadmin.net/phpMyAdmin/5.0.3/phpMyAdmin-5.0.3-all-languages.zip
    $ unzip phpMyAdmin-5.0.3-all-languages.zip
    $ sudo mv phpMyAdmin-5.0.3-all-languages /usr/share/phpmyadmin

    Create a temp directory for phpMyAdmin. The chown below makes www-data its owner, so mode 700 is sufficient and the directory does not need to be world-writable.

    $ sudo mkdir /usr/share/phpmyadmin/tmp
    $ sudo chown -R www-data:www-data /usr/share/phpmyadmin
    $ sudo chmod 700 /usr/share/phpmyadmin/tmp

    Let us now configure phpMyAdmin. For this we are going to create a new file inside the “/etc/apache2/conf-available/” folder and call it phpmyadmin.conf

    $ cd /etc/apache2/conf-available/
    $ sudo touch phpmyadmin.conf
    $ sudo nano phpmyadmin.conf

    Now add this configuration to the file and save it. Require all granted allows every client that can reach the web server to open phpMyAdmin, including its setup directory.

    Alias /phpmyadmin /usr/share/phpmyadmin
    Alias /phpMyAdmin /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin/>
       AddDefaultCharset UTF-8
       <IfModule mod_authz_core.c>
         <RequireAny>
           Require all granted
         </RequireAny>
       </IfModule>
    </Directory>

    <Directory /usr/share/phpmyadmin/setup/>
       <IfModule mod_authz_core.c>
         <RequireAny>
           Require all granted
         </RequireAny>
       </IfModule>
    </Directory>

    Firewall Configuration

    If your firewall is not enabled yet, we should do this now.

    $ sudo ufw enable

    Let us add rules for the following protocols: http and https, which correspond to ports 80 and 443. Both are needed to access the website, and http is needed to access phpMyAdmin

    $ sudo ufw allow http
    $ sudo ufw allow https

    If you wish to create more sophisticated rules with ufw you can follow this post

    You may now access your PhpMyAdmin portal by simply typing:

    http://Your-Internal-Server-IP/phpmyadmin

  • UFW Firewall Setup on Ubuntu 20.04

    The purpose of this article is to go through the setup process of the UFW firewall as well as to learn some essential commands for managing your firewall rules

    Requirements

    1. Ubuntu 20.04
    2. Sudo non-root user

    Please note that most of the commands apply also to previous versions of ubuntu. In this tutorial we are concentrating on IPv4 rules. Should you be using IPv6 on your server make sure to also enable IPv6 in UFW

    UFW installation

    In order to install the firewall run these commands

    $ sudo apt update
    $ sudo apt install ufw

    Now let us enable IPv6 (if needed) by editing the default configuration file

    $ sudo nano /etc/default/ufw

    Please make sure that the value of IPV6 is set to yes

    IPV6=yes

    Setting up default UFW policies

    On a fresh UFW installation all of the policies are at their defaults: outgoing traffic is allowed and incoming traffic is blocked. If you already had UFW running and wish to set the default policies back to these settings, you can execute these commands.

    $ sudo ufw default deny incoming
    $ sudo ufw default allow outgoing

    We can check the current state of the firewall with the next command

    $ sudo ufw status verbose

    We receive output showing that ufw is active, allowing outgoing connections and denying incoming ones. Should the status be reported as inactive, you can enable the firewall with the following command.

    $ sudo ufw enable

    Analogously, should you wish to disable the firewall just type

    $ sudo ufw disable

    Furthermore, a restart can be done by combining the two

    sudo ufw disable && sudo ufw enable

    or

    sudo systemctl restart ufw

    Since by default there are no individual rules set, let us add a rule for SSH so that we can manage our server from another client via the ssh protocol, which uses port 22 by default. The command “enable” switches the firewall on permanently, also after a system reboot.

    Allowing SSH connection through UFW

    As mentioned before, we can allow the application by name or allow the specific port. The first option automatically opens the necessary port, therefore:

    sudo ufw allow ssh
    sudo ufw allow 22

    Both will allow communication on port 22 for us.

    Please note that if you have specified a different port for ssh to listen on, you must manually allow that port in ufw. For example, if you set ssh to port 6666, the command would look like this:

    $ sudo ufw allow 6666

    Allowing Specific Connections

    You have seen by now how to allow a specific port. We can additionally configure our UFW to allow or block specific:

    1. ip addresses
    2. range of ports
    3. subnets
    4. network interfaces

    Let us have a look at the first one. Imagine we would like to reach our home server from work so that we can manage it any time we desire. Presuming you know the external IP of your workplace, which in our example is 185.234.123.45, we can add a rule allowing connections to our server from this IP only, over the SSH port. Our command in this case looks like this.

    $ sudo ufw allow from 185.234.123.45 to any port 22

    Should you wish to allow the specific IP to reach every port on the server, just leave the port out.

    $ sudo ufw allow from 185.234.123.45

    A word of advice:
    It is always best to have as few ports open as possible. Lowering the number of open ports lowers the risk of a security breach. Try accessing your local network through a secure connection such as a VPN. The process of setting up such a connection is quite straightforward. If interested, follow this link.

    Subnet

    Should you want to allow or deny a whole range of IP addresses, we could do it by specifying a netmask. For example we wish to block a whole IP range from 192.168.1.1 to 192.168.1.254. In order to do so we would write:

    $ sudo ufw deny from 192.168.1.0/24

    Analogously, we can also allow this subnet to connect to a specific port.

    $ sudo ufw allow from 192.168.1.0/24 to any port 6666

    We also have the possibility to narrow the allow/deny rule to a specific protocol. For example, to allow only UDP traffic on port 6666 we append “proto udp” to the rule:

    $ sudo ufw allow from 192.168.1.0/24 to any port 6666 proto udp

    Range of Ports

    What if, instead of an IP range, we would like to add a rule for a port range? Let’s presume an app requires ports 5000 to 5005 over UDP. The syntax looks as follows:

    $ sudo ufw allow 5000:5005/udp

    Analogously, you can allow or deny any range of ports as desired.

    Network Interface

    But what if we would like to add rules for a specific network interface? Let’s presume we have multiple NICs on our server. We would like to allow external traffic to our server only via NIC 1. First we need to find out the interface name on Ubuntu. We do it by running the ‘ifconfig’ command.

    $ sudo ifconfig

    In my case the desired interface has the name enp0s3. We are going to use this interface to allow external http traffic to our server.

    $ sudo ufw allow in on enp0s3 to any port 80 

    Deleting Rules

    Having added rules, we might also want to delete them. The best way to do it is to first get a numbered listing of all the applied rules. We achieve this by typing:

    $ sudo ufw status numbered

    In my case there are two available rules numbered as 1 and 2. I would like to get rid of the rule for IPv6 connections. To do so we just type:

    $ sudo ufw delete 2
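
    A way to review the numbered listing before deleting anything, as an added example that is not part of the original post: it lists the rules that accept traffic from anywhere on ports you did not intend to publish, highest rule number first, because ufw renumbers the remaining rules after every delete. The status output is a constructed sample built from the rules in this tutorial, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pick deletion candidates out of `ufw status numbered`.

# Constructed sample of `sudo ufw status numbered` output.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    185.234.123.45
[ 3] 6666/udp                   ALLOW IN    192.168.1.0/24
[ 4] 5000:5005/udp              ALLOW IN    Anywhere
[ 5] 80 on enp0s3               ALLOW IN    Anywhere
[ 6] Anywhere                   DENY IN     192.168.1.0/24
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 5000:5005/udp (v6)         ALLOW IN    Anywhere (v6)
EOF
}

# stdin: `ufw status numbered` output.
# stdout: NUMBER<TAB>TO<TAB>ACTION<TAB>FROM for every numbered rule.
parse_rules() {
    # "[ 1] 22/tcp ..." -> "1  22/tcp ..."; header lines are dropped.
    sed -n 's/^\[ *\([0-9][0-9]*\)] */\1  /p' |
    # Columns are separated by two or more spaces; single spaces belong to
    # a value such as "80 on enp0s3" or "Anywhere (v6)".
    awk -F '  +' 'BEGIN { OFS = "\t" }
                  { sub(/[ \t]+$/, "", $4); print $1, $2, $3, $4 }'
}

# stdin: `ufw status numbered` output.
# args:  the destinations that are meant to be public, e.g. 22/tcp 80 443
# stdout: numbers of ALLOW rules open to Anywhere whose destination is not
#         in that list, highest first, so that deleting them one by one in
#         the printed order never hits a renumbered rule.
open_rules() {
    keep=" $* "
    parse_rules | awk -F '\t' -v keep="$keep" '
        $3 ~ /^ALLOW/ && $4 ~ /^Anywhere/ {
            to = $2
            sub(/ \(v6\)$/, "", to)     # the IPv6 twin of a rule
            sub(/ on .*$/, "", to)      # interface-bound rule
            if (index(keep, " " to " ") == 0) print $1
        }' | sort -rn
}

# With ssh, http and https meant to be public, the UDP range stands out.
sample_status | open_rules 22/tcp 80 443
```

    On a live system the input would come from `sudo ufw status numbered` instead of the sample.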

    Resetting or Disabling UFW

    Let’s summarize the few commands that we had previously used for disabling, restarting or resetting the ufw process.

    In order to disable UFW use:

    $ sudo ufw disable

    In order to enable UFW use:

    $ sudo ufw enable

    In order to reset UFW use:

    $ sudo ufw reset

    In order to restart UFW use:

    $ sudo systemctl restart ufw
  • OpenVPN user authentication with Active Directory


    This is a continuation of the previous post “OpenVPN Installation”. Here I would like to go through the configuration process of the OpenVPN server so that credential authorisation is done with Active Directory on a separate server.

    In the previous post we went through the configuration process of the OpenVPN server and created an .ovpn file. Now let us extend it so that when connecting to the VPN server we are prompted to enter a user name and password, which will be checked against the Windows Active Directory server.

    It is essential that you have basic knowledge of Active Directory management.

    In this tutorial we are going to:

    1. Install openvpn-auth-ldap tools
    2. Add Users to Active Directory
    3. Configure auth-ldap.conf file
    4. Adjust openvpn configuration file

    Firstly, let us jump over to our OpenVPN server and install necessary packages and libraries.

    $ sudo apt install openvpn-auth-ldap

    After the installation has completed, we go into /usr/share/doc/openvpn-auth-ldap/examples/ and copy the example config file auth-ldap.conf into /etc/openvpn/. This file is the main configuration for our authentication.

    $ sudo cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/

    Additionally let us note the location of the authentication module /usr/lib/openvpn/openvpn-auth-ldap.so. We are going to need this path for configuration later on.

    Adding Users to Active Directory

    In order to authenticate users against AD we need to create a user just for the VPN server, so that the auth-ldap module can read the Active Directory users, groups and organisational units (OU).

    In this case I create a user, VPNUser, who resides inside an OU called MyUsers and is a member of a group called VPNGroup. The VPNGroup is inside an OU called MyGroups. Any other AD user will also be inside OU MyUsers and will be a member of the group VPNGroup (in our scenario the users inside this group will be allowed to connect to our VPN server).

    Let us summarize:

    Domain: example.local
    OU: MyUsers          CN: VPNUser
    OU: MyGroups         CN: VPNGroup

    Configuring auth-ldap.conf file

    The default file which we have just copied into /etc/openvpn/ looks like this:

    <LDAP>
    # LDAP server URL
    URL ldap://ldap1.example.org
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN uid=Manager,ou=People,dc=example,dc=com
    # Bind Password
    # Password SecretPassword
    # Network timeout (in seconds)
    Timeout 15
    # Enable Start TLS
    TLSEnable yes
    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes
    # TLS CA Certificate File
    TLSCACertFile /usr/local/etc/ssl/ca.pem
    # TLS CA Certificate Directory
    TLSCACertDir /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile /usr/local/etc/ssl/client-cert.pem
    TLSKeyFile /usr/local/etc/ssl/client-key.pem
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
    </LDAP>

    <Authorization>
    # Base DN
    BaseDN "ou=People,dc=example,dc=com"
    # User Search Filter
    SearchFilter "(&(uid=%u)(accountStatus=active))"
    # Require Group Membership
    RequireGroup false
    # Add non-group members to a PF table (disabled)
    #PFTable ips_vpn_users
    # Uncomment and set to true to support OpenVPN Challenge/Response
    #PasswordIsCR false
    <Group>
    # Default is true. Match full user DN if true, uid only if false.
    # RFC2307bis true
    # Default is true. Uncomment and set to false if you want to use a Search operation to determine group
    # membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
    # required in certain LDAP environments.
    # UseCompareOperation true
    BaseDN "ou=Groups,dc=example,dc=com"
    SearchFilter "(|(cn=developers)(cn=artists))"
    MemberAttribute uniqueMember
    # Add group members to a PF table (disabled)
    #PFTable ips_vpn_eng
    </Group>
    </Authorization>
    

    According to the Active Directory users and groups we set up previously, we are going to change the URL, BindDN, Password, TLSEnable, BaseDN, SearchFilter, RequireGroup and MemberAttribute lines of the config file. The new configuration should look as follows:

    <LDAP>
    # LDAP server URL (your IP here, with port number)
    URL ldap://xxx.xxx.xx.xx:389
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    BindDN cn=VPNUser,ou=MYUsers,dc=example,dc=local
    # Bind Password
    Password "YourPasswordforVPNUser"
    # Network timeout (in seconds)
    Timeout 15
    # Enable Start TLS
    TLSEnable no
    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes
    # TLS CA Certificate File
    TLSCACertFile /usr/local/etc/ssl/ca.pem
    # TLS CA Certificate Directory
    TLSCACertDir /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile /usr/local/etc/ssl/client-cert.pem
    TLSKeyFile /usr/local/etc/ssl/client-key.pem
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
    </LDAP>

    <Authorization>
    # Base DN
    BaseDN "ou=MYUsers,dc=example,dc=local"
    # User Search Filter (replace the default with this filter)
    SearchFilter "(samaccountname=%u)"
    # Require Group Membership
    RequireGroup true
    # Add non-group members to a PF table (disabled)
    #PFTable ips_vpn_users
    # Uncomment and set to true to support OpenVPN Challenge/Response
    #PasswordIsCR false
    <Group>
    # Default is true. Match full user DN if true, uid only if false.
    # RFC2307bis true
    # Default is true. Uncomment and set to false if you want to use a Search operation to determine group
    # membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
    # required in certain LDAP environments.
    # UseCompareOperation true
    BaseDN "ou=MYGroups,dc=example,dc=local"
    SearchFilter "(cn=VPNGroup)"
    MemberAttribute "Member"
    # Add group members to a PF table (disabled)
    #PFTable ips_vpn_eng
    </Group>
    </Authorization>

    So now we have our configuration file adjusted. There is one last step that we must undertake. We are going to tell the VPN server that it should use the LDAP module and the LDAP configuration file.

    Adjust openvpn configuration file

    Navigate to our server.conf file

    $ sudo nano /etc/openvpn/server.conf

    We are going to add this line to the end of the file:

    plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf

    This line gives the location of the plugin and specifies the path to the LDAP configuration file.

    So now… That’s it. Save the config file and, just in case, restart the VPN server:

    $ sudo systemctl restart openvpn
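
    A check worth running on /etc/openvpn/auth-ldap.conf before that restart, as an added example that is not part of the original post or of openvpn-auth-ldap. It reports unknown or mismatched section tags, an ldap:// URL combined with TLSEnable no (the bind password and every VPN user's password then cross the network unencrypted), a disabled RequireGroup, and a world-readable file holding the bind password; function names, finding labels and the 192.0.2.10 address are constructed for this example.

```shell
#!/bin/sh
# Added example: lint an auth-ldap.conf for the mistakes this walkthrough
# makes easy. Prints one finding per line, nothing when the file passes.

audit_auth_ldap() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 0; }
    awk '
        # Section names as they appear in the sample file shown above.
        function known(n) { return n == "LDAP" || n == "Authorization" || n == "Group" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        }
        substr(line, 1, 1) == "<" {                  # <Section> or </Section>
            closing = (substr(line, 2, 1) == "/")
            name = line
            gsub(/[<>]/, "", name); sub(/^\//, "", name)
            if (substr(line, length(line), 1) != ">" || name !~ /^[A-Za-z]+$/)
                print "MALFORMED_TAG " line
            else if (!closing && !known(name))
                print "UNKNOWN_SECTION " name
            if (!closing)
                stack[++depth] = name
            else if (depth == 0 || stack[depth--] != name)
                print "MISMATCHED_CLOSE " name
            next
        }
        {                                            # Directive value
            v = tolower($2); gsub(/"/, "", v)
            val[tolower($1)] = v
        }
        END {
            if (depth > 0) print "UNCLOSED_SECTION " stack[depth]
            # A simple bind over ldap:// without StartTLS sends the bind
            # password and every VPN user password in clear text.
            if (val["url"] ~ /^ldap:\/\// && val["tlsenable"] != "yes")
                print "CLEARTEXT_BIND " val["url"]
            if (val["requiregroup"] != "true")
                print "GROUP_NOT_REQUIRED"
        }
    ' "$conf"
    # The bind password is stored in this file, and a copy made from
    # /usr/share/doc usually stays readable by every local user.
    if grep -Eq '^[[:space:]]*Password[[:space:]]' "$conf" &&
       [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "WORLD_READABLE_PASSWORD $conf"
    fi
}

# Constructed sample: the edited configuration from the post without its
# comments. $1 is the value written for TLSEnable.
sample_conf() {
    cat <<EOF
<LDAP>
URL ldap://192.0.2.10:389
BindDN cn=VPNUser,ou=MYUsers,dc=example,dc=local
Password "constructed-placeholder"
TLSEnable $1
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "ou=MYUsers,dc=example,dc=local"
SearchFilter "(samaccountname=%u)"
RequireGroup true
<Group>
BaseDN "ou=MYGroups,dc=example,dc=local"
SearchFilter "(cn=VPNGroup)"
MemberAttribute "Member"
</Group>
</Authorization>
EOF
}

# Demo: the settings used in the post (TLSEnable no) in a file with mode 644.
demo=$(mktemp) && sample_conf no > "$demo" && chmod 644 "$demo" && audit_auth_ldap "$demo"
rm -f "$demo"
```

    On the server the call would be `sudo sh -c '. ./lint.sh; audit_auth_ldap /etc/openvpn/auth-ldap.conf'`, with lint.sh being whatever file the function is saved in.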

    Now try connecting via the client. You should now be prompted for a user name and password.

    The VPN client can be downloaded from the official OpenVPN website:

    https://openvpn.net/community-downloads/

    OpenVpn Debugging

    The overall configuration of both the server and the LDAP service is somewhat long. With so many configuration steps, mistakes can unfortunately happen. Here are a few commands that will help rule out some of the mistakes:

    1. Journal

    The journal can tell a lot and point you directly to where the problem is:

    $ sudo journalctl -xe

    2. TCPDump

    Tracking traffic on particular interfaces and ports can give a good indication if connection is established. If for example you like to check open vpn communication with Active Directory server then simply use:

    $ sudo tcpdump -ni eth0 tcp and port 389

    ‘eth0’ – is my network adapter in this case. Check yours using “ifconfig” command.

    3. VPN Logs

    Watch realtime logs as you execute client connections. You will get a live feed on any activity on the vpn server

    $ sudo tail -f /var/log/openvpn/openvpn.log

    4. Filter System Logs

    You can filter system logs for any VPN activity

    $ grep VPN /var/log/syslog

    5. Check Server Configuration File

    You can check your main config file. Should any error occur you will be informed.

    $ sudo openvpn --config /etc/openvpn/server.conf

    6. OpenVPN Processes

    It is always good to check if your processes are running and activated

    $ systemctl list-units | grep openvpn

    and to see the status of any individual process

    $ systemctl status openvpn@server.service

    Enabling / Disabling a process:

    $ systemctl disable openvpn@server.service
    $ systemctl enable openvpn@server.service
  • Open VPN Installation and Configuration

    Why would you want to install a private VPN Server?

    The major purpose of having a vpn server is being able to access your local network from any place in the world in a secure manner. Looking at the nature of a VPN connection, which can forward all the traffic from the remote device to a VPN Server, there might also be other reasons why someone would want to use a VPN connection. For the purpose of this article, I am going to concentrate on solely accessing our home or business local network from anywhere in the world.

    The process of setting up a VPN server can be somewhat difficult for a beginner. When I had done it for the first time it took me hours to have the task completed. No fear though, in this guide I will go through all the necessary steps and I will try to be as prompt and concentrated as possible.

    Firstly let’s see what we need in order to accomplish this task.

    Requirements

    1. Two separate Linux Ubuntu 20.04 installations
    2. Windows with PSCP command installed

    We will be using two Linux installations for security reasons. On one server we will run the VPN server; the other one will be used as the key and certificate signing authority. Keeping the two separated increases the overall security.

    For the purpose of this guide, I will be using following names for the server:

    CAServer: for certificate authority

    VPNServer: for open-vpn server

    Since we are going to be operating on two server installations I find it much easier to manage those from my Windows 10 installation via CMD using ssh protocol. We are also going to transfer files between Linux and Windows. In this case we are going to need PSCP on Windows.

    Click this link for SSH installation on Linux

    Click this link for PSCP on Windows

    Steps

    1. Creation of Certificate Authority (CA), Server key and Certificate
    2. Server Certificate Signature
    3. Creation of client key & certificate and signing of the client certificate
    4. Creation of TLS authentication key and DH Parameters
    5. Open VPN firewall rules
    6. Open VPN Server configuration
    7. Creation of client OVPN file
    8. User authorisation against Windows Active Directory (optional)

    1. Creation of CA, Server key and certificate

    Assuming that you have already created two independent servers, we are going to perform operations on the CAServer first. We will need to install the easy-rsa package, which will serve as our certificate authority. We are also going to update our package repository beforehand.

    $ sudo apt-get update && sudo apt-get -y install easy-rsa

    Placing ‘-y’ in the command line simply saves us time by accepting any prompts beforehand.

    As a next step we will use the built-in easy-rsa command make-cadir to create a folder which contains all configuration files and any tools that come with it. In our case let’s create a folder called rsa_certificate

    $ make-cadir rsa_certificate

    Let’s change directory to the newly created folder

    $ cd rsa_certificate

    Let’s list the content of the new folder

    $ ls

    you should be able to see a file named vars. We will open this file using nano command

    $ sudo nano vars

    edit the content of the file with your appropriate details e.g:

    save the changes using Ctrl+x and then confirm by pressing enter.

    Our next step is to create a public key infrastructure. For this we are going to run a built-in command of easyrsa which will create a new folder called pki with all the necessary tools.

    $ ./easyrsa init-pki

    Let us now generate the certificate authority (CA) certificate and its key. Execute the command below. You will be asked to enter a password for the CA key as well as a common name. If you leave the common name blank and press Enter, an automatic name such as Easy-RSA CA will be assigned.

    $ ./easyrsa build-ca

    The command generates two files inside the /pki folder.

    ca.crt

    ca.key (/pki/private/)

    These files are a public certificate and a key used to sign the OpenVPN server and client certificates. In other words, each certificate, the server’s and the client’s, needs to receive a signature so that a connection can later be established between the VPN client and the VPN server. The ca.key is very important, therefore make sure you keep it safe. Also never forget the password you set before.

    Now, that we have both the certificate and its key let us do the same for our Open-VPN server.

    Let’s generate both and get a signature for them from our certificate authority (easy-rsa).

    Switch over to the VPNServer. Install openvpn and easy-rsa

    $ sudo apt-get update && sudo apt-get -y install openvpn easy-rsa

    As before:

    $ cd
    $ make-cadir rsa_certificate
    $ cd rsa_certificate
    $ sudo nano vars
    $ ./easyrsa init-pki

    After going through these steps we will want to create a certificate and a key. These are somewhat different because they are requests for a signature, and the signature will be provided by the certificate authority. Hence the slightly different command.

    $ ./easyrsa gen-req server nopass

    The above command will generate a certificate request with no password and with the name ‘server’. You can call it whatever you want, but I will stick to the simplicity of calling these server and client for ease of recognition.

    The generated key and certificate will be placed in:

    req: /home/’yourusername’/rsa_certificate/pki/reqs/server.req
    key: /home/’yourusername’/rsa_certificate/pki/private/server.key

    We will have to move the key file into /etc/openvpn/

    $ sudo mv pki/private/server.key /etc/openvpn

    The request must be sent to the certificate authority (in this case CAServer) so that it can be signed. Use following command:

    $ scp pki/reqs/server.req 'yourusername'@'IPaddress_of_your_CAServer':/home/'yourusername'/

    Note: without the apostrophe signs

    Now, we move back to CAServer in order to sign the request

    2. Server Certificate Signature

    Being on your CAServer change folder to your home directory if you haven’t done it yet. Inside you should find the transferred file from the previous step.

    $ cd 
    $ ls
    rsa_certificate server.req

    Let us navigate to rsa_certificate folder

    $ cd rsa_certificate

    Now let’s import the certificate request. We are going to use a function of the easyrsa import-req

    we use following syntax:

    import-req <request_file_path> <short_basename>
    $ ./easyrsa import-req /home/'your_user_name'/server.req server

    It should return following output:

    Note: using Easy-RSA configuration from: ./vars
    Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
    The request has been successfully imported with a short name of: server
    You may now use this name to perform signing operations on this request.

    Now, since we have imported the request, it needs to be signed. To do so we will use sign-req with short_basename syntax.

    $ ./easyrsa sign-req server server

    Upon execution we are going to be asked to provide the CA key password that we had previously set up.

    Let us delete the server.req

    $ cd
    $ ls
    rsa_certificate server.req
    $ rm server.req
    $ ls
    

    … and copy the server.crt & ca.crt (public certificate) back to the VPNServer

    $ cd ~/rsa_certificate/pki/issued/
    $ scp server.crt yourusername@your_vpnserver_ip:/home/yourusername
    $ cd ~/rsa_certificate/pki/
    $ scp ca.crt yourusername@your_vpnserver_ip:/home/yourusername

    On the VPNServer let’s copy the files into /etc/openvpn/

    $ sudo cp server.crt /etc/openvpn
    $ sudo cp ca.crt /etc/openvpn

    3. Client Certificate key and certificate request

    We are going to repeat the above steps in order to generate a key for the client and a client certificate.

    $ cd rsa_certificate
    $ ./easyrsa gen-req client nopass
    

    Once asked to enter a base name, type client. The two files will be created in the following location:

    req: /home/’yourusername’/rsa_certificate/pki/reqs/client.req
    key: /home/’yourusername’/rsa_certificate/pki/private/client.key

    Now copy the request to the CAServer.

    $ scp pki/reqs/client.req 'yourusername'@'IPaddress_of_your_CAServer':/home/'yourusername'/

    Switch over to the CAServer now and import the request

    $ cd ~/rsa_certificate
    $ ./easyrsa import-req /home/'yourusername'/client.req client

    Now it is time to sign the imported certificate request. You will be prompted to enter the CA key password which you created at the beginning.

    $ cd
    $ cd rsa_certificate
    $ ./easyrsa sign-req client client

    The signed client certificate will be created in

    Certificate created at: /home/’yourusername’/rsa_certificate/pki/issued/client.crt

    Let us copy it back to the openvpn server:

    $ scp pki/issued/client.crt 'yourusername'@'IPaddress_of_your_OpenVPNServer':/home/'yourusername'/

    Delete the request file

    $ cd
    $ rm client.req

    Now let us move all client related files into a folder called client. For this purpose we are going to create a new folder.

    This is being done on the VPNServer now!

    $ cd
    $ mkdir client
    $ cd rsa_certificate
    $ mv pki/private/client.key /home/'yourusername'/client/client.key
    $ cd
    $ mv client.crt /home/'yourusername'/client/client.crt

    Now our new client certificate and client key are in one folder for the ease of access.

    4. Creation of the tls key (ta.key) and Diffie-Hellman parameters (dh2048)

    OpenVPN integrates tls-auth in order to further improve security. With the following steps we are going to generate a ta.key. Make sure to switch back to your VPNServer.

    $ cd ~/rsa_certificate
    $ openvpn --genkey --secret ta.key

    Having done so, let’s now generate a Diffie-Hellman key used in the transfer of crypto keys over insecure and public channels. We will create the key and copy it from its default location to the openvpn folder while changing its name to dh2048.pem

    $ cd ~/rsa_certificate
    $ ./easyrsa gen-dh

    Let’s move both files to Openvpn folder

    $ cd rsa_certificate
    $ sudo cp ta.key /etc/openvpn
    $ cd
    $ cd rsa_certificate/pki/
    $ sudo cp dh.pem /etc/openvpn/dh2048.pem

    5. VPN Firewall rules

    We are going to set up some firewall rules for the OpenVPN server now. This is important to further increase the security of the server. Before we proceed to the ufw rules, let’s first activate IP forwarding on our VPNServer.

    $ cd /etc/
    $ sudo nano sysctl.conf

    after opening the file find and uncomment the line

    net.ipv4.ip_forward=1

    now let’s reload the setting

    $ sudo sysctl -p

    Now we are going to modify ufw to allow forwarding. We open the /etc/default/ufw file and change DEFAULT_FORWARD_POLICY to ACCEPT.

    $ sudo nano /etc/default/ufw
    # Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
    # if you change this you will most likely want to adjust your rules
    DEFAULT_FORWARD_POLICY="ACCEPT"

    As the next step we are going to add a routing rule, which will be added prior to any existing firewall rule. To do so you will need first to check the exact name of the interface used for the connection and secondly to add the rule to a file called before.rules

    … so let’s check the Interface name first

    $ ifconfig

    In my case the interface is called enp0s3. In many cases it might be called eth0, so make sure to check yours.

    Now let’s edit before.rules

    $ sudo nano /etc/ufw/before.rules

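    add the following lines at the beginning of the file

    # NAT rules: masquerade traffic from the VPN client subnet (10.8.0.0/24 in the sample server.conf)
    *nat
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE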
    COMMIT

    After having done so we are going to allow openvpn through the firewall, restart the firewall and finally restart openvpn server

    $ sudo ufw allow openvpn
    $ sudo ufw disable
    $ sudo ufw enable
    $ sudo systemctl restart openvpn
    $ sudo systemctl enable openvpn
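    The source range of the MASQUERADE rule should be exactly the tunnel subnet that the VPN server hands out to clients. The check below is an added example, not part of the original guide; it assumes server.conf carries a "server <network> <netmask>" directive as in the sample file, and the function names and demo files are illustrative.

```shell
#!/bin/sh
# Added example: compare the VPN subnet in server.conf with the source range
# of the MASQUERADE rule in before.rules.

# mask_to_prefix NETMASK: 255.255.255.0 -> 24; fails on a non-contiguous mask.
mask_to_prefix() (
    bits=0 partial=0
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) exit 1 ;;
        esac
        # After the first octet that is not 255, only zero octets may follow.
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then exit 1; fi
        if [ "$n" -ne 8 ]; then partial=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
)

# vpn_cidr SERVER_CONF: turn the "server <network> <netmask>" directive into CIDR.
vpn_cidr() (
    conf=$1
    set -- $(awk '$1 == "server" && NF >= 3 { print $2, $3; exit }' "$conf")
    [ $# -eq 2 ] || { echo "no server directive in $conf" >&2; exit 1; }
    prefix=$(mask_to_prefix "$2") || { echo "bad netmask $2" >&2; exit 1; }
    echo "$1/$prefix"
)

# nat_source BEFORE_RULES: source range (-s) of the POSTROUTING MASQUERADE rule.
nat_source() {
    awk '$1 == "-A" && $2 == "POSTROUTING" && /MASQUERADE/ {
        for (i = 1; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
    }' "$1"
}

# nat_rule_matches SERVER_CONF BEFORE_RULES: succeed only when both agree.
nat_rule_matches() (
    want=$(vpn_cidr "$1") || exit 2
    have=$(nat_source "$2")
    if [ "$have" = "$want" ]; then
        echo "ok: NAT source $have matches the VPN subnet"
    else
        echo "mismatch: rule masquerades ${have:-nothing}, VPN subnet is $want" >&2
        exit 1
    fi
)

# Demo on constructed files: one matching rule, one that is far too wide.
demo=$(mktemp -d)
printf 'port 1194\nserver 10.8.0.0 255.255.255.0\n' > "$demo/server.conf"
printf '*nat\n-A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE\nCOMMIT\n' > "$demo/good.rules"
printf '*nat\n-A POSTROUTING -s 10.0.0.0/8 -o enp0s3 -j MASQUERADE\nCOMMIT\n' > "$demo/wide.rules"
nat_rule_matches "$demo/server.conf" "$demo/good.rules"
nat_rule_matches "$demo/server.conf" "$demo/wide.rules" || true
rm -rf "$demo"
```

    On the VPNServer the real inputs are /etc/openvpn/server.conf and /etc/ufw/before.rules.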

    6. Open VPN Configuration

    We have conducted many steps by now. Now is the time to configure the vpn server so that it actually accepts incoming connections. For this we will use a sample configuration file delivered with the server installation. File should be found in: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz

    Let’s use the zcat command for compressed files and resave it as a new file

    $ cd /usr/share/doc/openvpn/examples/sample-config-files/
    $ zcat server.conf.gz | sudo tee /etc/openvpn/server.conf > /dev/null

    We can now work on the newly generated file inside the /etc/openvpn/server.conf file.

    So let us ‘nano’ the file.

    $ sudo nano /etc/openvpn/server.conf

    Now we have to make sure that the file contains the right names for our ca, cert, key and dh. We have created them before and placed inside the /etc/openvpn/ folder. Check it

    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem

    Now find the lines user nobody and group nogroup and uncomment them (remove the leading semicolon). With this configuration, anyone who has the client configuration file can connect to the VPN server. If you want user authentication against an Active Directory server, you can find the steps in chapter 8.

    Another parameter worth changing is on line 192.

    push "redirect-gateway def1 bypass-dhcp"

    This tells the server to route your default gateway through the VPN server. This option is great for geo-locked content. For example, while visiting a foreign country on holiday it will virtually place your laptop at your home location :-). Isn’t that cool? Think of some other benefits, such as your favorite movies that are geo-locked!

    Worth considering is line 200 and 201

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"

    I use this myself. If you have a local network with servers and devices, this option will save you typing in all the individual IP addresses, as you can now use DNS names.

    As a next step we must verify that we have all the necessary files inside the /etc/openvpn folder. We have been moving them into that folder along the way. So let’s check:

    $ ls /etc/openvpn
    ca.crt dh2048.pem server.conf server.crt server.key ta.key

    These files should be found there. If you are missing any, go back and verify the steps.

    There is one more step to go in this chapter, but before we proceed let’s copy the ta.key file into our client folder. We normally would not need to do this, but if you intend to use the OpenVPN Connect app on your smartphone, this file might be needed. Well, it was in my case at least.

    $ cp /etc/openvpn/ta.key ~/client

    Now as a final step let us change the ownership of /etc/openvpn to the root user. We do it to seal this folder from unauthorized access. Remember that if you decide later on to move this folder or the files inside of it to a different location, you will have to reapply the permissions or elevate your user to root.

    $ sudo chown -R root:root /etc/openvpn

    7. Client configuration file

    In chapter 3 we created a folder called client in our home directory (~/client). We will use this folder to store all client files. So far we have placed client.key, client.crt and ta.key in it.

    Now we need to place inside the folder the client.conf file. We will use a template from /usr/share/doc/openvpn/examples/sample-config-files/client.conf

    $ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client

    Let us edit the copied file

    $ cd ~/client
    $ sudo nano client.conf

    The first entry to be edited is on line 42.

    remote my-server-1 1194

    Please replace ‘my-server-1’ with the actual external IP of your server or a host name, e.g. itpassion.org. You can also replace the default port number. Make sure to forward this port on your router/firewall/gateway.

    The next two entries that need uncommenting are:

    ;user nobody
    ;group nogroup

    Just remove the semicolon (;). Please note that if you decide to use user authentication, we are going to set this up via the OpenVPN server. This will be explained in the next chapter though.

    As the last step we will be adding some lines to the bottom of the file

    <ca>
    # Copy and paste the content of the ca.crt file
    </ca>
    
    <cert>
    # Copy and paste the content of the client.crt file
    </cert>
    
    <key>
    # Copy and paste the content of the client.key file
    </key>
    
    key-direction 1
    <tls-auth>
    # Copy and paste the content of the ta.key file
    </tls-auth>
    

    You will be pasting in the long chains of random characters from ca.crt, client.crt, client.key and ta.key. As you might remember, these are stored on the VPNServer in the /home/'yourusername'/client folder.

    Once this has been completed, you simply secure copy client.conf to your Windows installation. Check this post to find out how to transfer files between Linux and Windows.

    Once this has been done, please rename client.conf to any desired name with the *.ovpn extension. This file needs to be placed inside the OpenVPN installation folder. In my case this was “C:\Program Files\OpenVPN\config”. This is actually all that is needed to establish a secure connection to your network. The downside is that if anyone came into possession of this configuration file, they would be able to connect without a user prompt. Since you already have set up a VPN server, I strongly recommend also running an Active Directory for your local network, which manages all your local network user permissions. Therefore, in the next chapter I will concentrate on explaining how to set up VPN user authentication.
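    The copy-and-paste step above can be scripted so that no block is forgotten and the resulting profile, which contains the client’s private key, is created readable by its owner only. This is an added example, not part of the original guide; build_ovpn, its argument order and the decision to drop the template’s external file references are assumptions, and the demo inputs are constructed placeholders.

```shell
#!/bin/sh
# Added example: assemble the unified client profile from client.conf and the
# four credential files. build_ovpn is illustrative, not part of OpenVPN.

# build_ovpn BASE_CONF CA_CRT CLIENT_CRT CLIENT_KEY TA_KEY OUT_FILE
build_ovpn() (
    base=$1 ca=$2 cert=$3 key=$4 ta=$5 out=$6

    # Every input must exist and be non-empty, otherwise the profile is useless.
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -s "$f" ] || { echo "missing or empty input: $f" >&2; exit 1; }
    done

    # The profile embeds the client private key: create it owner-only (mode 600).
    umask 077
    rm -f -- "$out"
    {
        # Assumption: drop template lines that point at external files,
        # because the same material is inlined below.
        grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" || true
        printf '\n<ca>\n';   cat "$ca";   printf '</ca>\n'
        printf '\n<cert>\n'; cat "$cert"; printf '</cert>\n'
        printf '\n<key>\n';  cat "$key";  printf '</key>\n'
        printf '\nkey-direction 1\n<tls-auth>\n'; cat "$ta"; printf '</tls-auth>\n'
    } > "$out"
)

# Demo with constructed placeholder material (not real keys or certificates).
work=$(mktemp -d)
printf 'client\ndev tun\nremote vpn.example.test 1194\n' > "$work/client.conf"
printf 'ca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n' >> "$work/client.conf"
for name in ca.crt client.crt client.key ta.key; do
    printf 'CONSTRUCTED-PLACEHOLDER-%s\n' "$name" > "$work/$name"
done
build_ovpn "$work/client.conf" "$work/ca.crt" "$work/client.crt" \
           "$work/client.key" "$work/ta.key" "$work/client.ovpn"
ls -l "$work/client.ovpn"
rm -rf "$work"
```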

    8. OpenVPN user authentication against Active Directory

    Due to the length this chapter has been moved to a separate Post. Please follow this post to read more.

  • Installing SSH on Linux Ubuntu 20.04

    SSH known as Secure Shell is a protocol for operating network services securely. It is needed especially if you are for example planning on managing your Linux Server from Windows.

    Installation:

    SSH protocol can be installed automatically during ubuntu fresh installation. An option is being displayed which merely needs to be marked with an ‘x’ for an automated installation.

    Let’s presume this was not the case and you need to install it afterwards. The procedure is very simple.

    • Update all linux libraries first:

    $ sudo apt-get update

    • Upgrade linux installation if necessary

    $ sudo apt-get upgrade

    • Install SSH

    $ sudo apt install ssh

    Please confirm and allow creation of an ssh key.

    How to connect to ssh Linux from Windows?

    On your windows machine do the following:

    1. Start CMD as Administrator
    2. Start Power Shell

    C:\WINDOWS\system32> powershell

    3. SSH your linux server:

    PS C:\WINDOWS\system32> ssh linuxusername@192.168.100.10

    Replace ‘linuxusername’ with the your linux username and replace ‘192.168.100.10’ with the IP address of your linux installation.

    After doing so you will be prompted to enter the password of the Linux user and you will be asked to accept the SSH key. After you accept it, the key will be saved on the Windows machine as a trusted SSH key.

    You are now logged into Linux from a Windows Command Prompt.

    You might also consider setting up the appropriate firewall rules on your Linux server, especially opening port 22 to gain access. You can follow this post to learn how to use and configure the ufw firewall.

  • How to copy files from Linux to Windows using PSCP

    If you are looking for a way to copy files directly from Linux to Windows, I strongly recommend using the “pscp” command. This command is by default part of Linux, but in a Windows environment it requires the necessary libraries. These can be downloaded here.

    Upon downloading, please place the file inside this path: C:\Windows\System32.

    You can test if the new command works by:

    1. Starting CMD as Administrator
    2. Starting PowerShell by typing ‘Powershell’
    3. Type: pscp

    You should receive a similar return:

    Now you can start copying files from Linux to Windows using the following syntax

    C:\> pscp user@192.168.100.5:/home/<yourusername>/examplefile.txt C:\temp

    After pressing enter you will be prompted to accept ssh certificate (make sure that ssh is enabled on your Linux installation, if not follow this link) and you will be asked to enter the ‘sudo’ linux user password.

    After doing this the desired file will be copied over port 22 into C:\temp. Here, instead of C:\temp, you are allowed to type any path to a desired folder on windows installation.

    How to copy Files from Windows to Linux?

    In order to achieve this just reverse the syntax. Using the example above type the following:

    C:\> pscp c:\temp\examplefile.txt user@192.168.100.5:/home/<yourusername>/examplefile.txt

    SSH over Internet

    If you are intending to ssh your linux installation from the internet, make sure to forward port 22 to your Linux IP address.

    Although this means of managing your server is possible, I do not recommend it for security reasons. Firstly, it leaves your server open to port scans; secondly, SSH is not secure enough to sleep soundly, in my opinion.

    As an alternative, I strongly suggest using SSH over VPN (Virtual Private Network). Since you already have a Linux server, it should not be too difficult to set up your own VPN server, which will allow you to enter your own local network from all over the world 🙂

    Please follow this link to learn how to install and configure a private VPN Server based on OpenVPN.

  • Light weight GUI Installation on Ubuntu Server

    When running a server I strongly recommend using commands as the means of operating your services. Firstly, it makes your system lighter; secondly, it introduces fewer system vulnerabilities and instabilities. But of course, if you seek to make your life a bit easier, I propose installing the lightest GUI possible. In our case it is going to be Lubuntu-Core

    Step 1 – Install Tasksel

    Tasksel allows you to install different desktop environments. Let us install it on our server.

    $ sudo apt-get install tasksel

    Step 2 – List all available environments

    $ tasksel --list-tasks

    here you will see all the possible environments. For the purpose of this tutorial we choose Lubuntu-Core

    Step 3 – Lubuntu – Core Installation

    $ sudo tasksel install lubuntu-core

    Step 4 – Start the new desktop environment

    In order to start the service please type the following command:

    $ sudo service lightdm start

    Step 5 – Reboot the server

    $ reboot -f

    After reboot you will land on Login screen with graphical interface

  • Linux Must-Know Commands

    In each operating system there are must-know commands, which will significantly improve your effectiveness in managing your system. Here are a few chosen ones, which I strongly suggest you memorise

    $ uname -a

    Displays kernel version

    $ ifconfig

    Displays full IP configuration

    $ ip addr show eth0

    Similarly to ifconfig – shows the ip config of the physical network adapter

    $ df -ah

    Shows Disk space usage

    $ service udev status

    Shows services status: Note that this is an old version syntax. You might need to use the next command version

    $ systemctl status udev

    Shows service status (new version)

    $ du -sh /home

    Shows disk usage for the /home folder

    $ netstat -tulpn

    Shows active internet connections. It shows which process / service is listening on which port. It gives information about the program name and process ID

    $ top

    Information about processes

    $ htop

    Information about processes

    $ man

    e.g. $ man ifconfig

    This will open the manual for any command explaining to you the purpose of a command and its options

    $ sudo /etc/init.d/<service> stop

    e.g. $ sudo /etc/init.d/apache2 stop

    This will stop any service that you type in. You can use:

    stop, start or restart as an option to this command

    $ ls

    $ ls -l
    $ ls -a
    $ ls -la

    ls lists all the files in a directory.

    Parameter -a displays all files incl. hidden files.

    Parameter -l displays all information about the files and folders

    $ tcpdump

    Listen to traffic on a chosen port.

    $ tcpdump -ni eth0 udp and port 1194