SlackWiki - User contributions [en]

Slack-desc

Arfon — Thu, 23 Jan 2014 17:33:29 GMT

Arfon: /* Tools */ - linuxpackages.net is no more.

=Overview=
A proper slack-desc file should be written as follows:

# HOW TO EDIT THIS FILE:
# The "handy ruler" below makes it easier to edit a package description. Line
# up the first '|' above the ':' following the base package name, and the '|' on
# the right side marks the last column you can put a character in. You must make
# exactly 11 lines for the formatting to be correct. It's also customary to
# leave one space after the ':'.

|-----handy-ruler------------------------------------------------------|
appname: appname (Short description of the application)
appname: <this line is generally left blank>
appname: Description of application - this description should be fairly
appname: in-depth; in other words, make it clear what the package does (and
appname: maybe include relevant links and/or instructions if there's room),
appname: but don't get too verbose.
appname: This file can have a maximum of eleven (11) lines of text preceded by
appname: the "appname: " designation.
appname:
appname: It's a good idea to include a link to the application's homepage too.
appname:

The "appname" string must *exactly* match the application name portion of the
Slackware package (for example, a package titled "gaim-1.5-i486-1.tgz" must have
a slack-desc file with the <appname> string of "gaim: " rather than "Gaim: " or
"GAIM: " or something else.

The first line ''must'' show the application name followed by a short
description (enclosed in parentheses).

The "handy ruler" is meant to stop you at 79 characters, because the standard
console is 80x25 and if you go beyond this the words will wrap.

The space after the : is needed only when there is text after the :
In the above example lines 9 & 11 should not have a space after the :

=Tools=
1. There is a command-line tool that automates the creation of slack-desc files and helps you generate legal slack-desc files with minimal effort:
http://slack-desc.sourceforge.net/

=See Also=
man makepkg
man pkgtool

[[Category:Tutorials]]

Network Configuration

Arfon — Thu, 30 Aug 2012 18:40:34 GMT

Arfon: Forgot to add Category AGAIN!

==See Your Current Network Configuration==

ifconfig

/sbin/ifconfig (if you are not root)

==Network Reconfiguration - Temporary Changes==

ifconfig is the command to make changes to your networking.

ifconfig (shows the current interface configuration)

ifconfig eth0 up (brings eth0 interface up)

ifconfig eth1 down (takes eth1 interface down)

ifconfig eth0 192.168.1.5 netmask 255.255.255.0 up (brings eth0 up with an IP of 192.168.1.5)

ifconfig eth0:1 192.168.2.15 netmask 255.255.255.0 (adds a secondary IP address of 192.168.2.15 to eth0)

==Network Reconfiguration - Permanent Changes==
'''ETH0''' 
If you need to change your '''eth0''' configuration after an install, use netconfig

netconfig

'''OTHER INTERFACES''' 
To reconfigure other network devices, you need to edit the /etc/rc.d/rc.inet1.conf files by hand. The file is very easy to figure out.

vi /etc/rc.d/rc.inet1.conf

==Make changes take effect immediately==
To make the network changes immediately active:

/etc/rc.d/rc.inet1 restart (restarts all interfaces)
/etc/rc.d/rc.inet1 eth0_restart (restarts eth0)
/etc/rc.d/rc.inet1 eth1_restart (restarts eth1)
...etc...

[[Category: Tutorials]]

Network Configuration

Arfon — Thu, 30 Aug 2012 18:38:57 GMT

Arfon: CREATED!

NTPD - temp

Arfon — Thu, 30 Aug 2012 15:04:37 GMT

Arfon: Arfon moved page NTPD - temp to NTPD: Fixing page name

#REDIRECT [[NTPD]]

NTPD

Arfon — Thu, 30 Aug 2012 15:04:37 GMT

Arfon: Arfon moved page NTPD - temp to NTPD: Fixing page name

== Automating the time synchronization ==
You have two choices for automatic time updating, you can run ntpd all the time as a background process or you can have it run once in awhile (if you are tight on system resources).

'''Running ntpd all the time''' 
::Just enable rc.ntpd script:
::::<code>chmod +x /etc/rc.d/rc.ntpd</code>
::After the script is enabled you probably will want ntpd to start immediately so, can either restart the system or manually start ntpd with:
::::<code>/etc/rc.d/rc.ntpd start</code>

'''Running ntpd once in awhile''' 
::You have many choices but the two best ones are:
:::1) Set up a cron job
:::2) Set up a /etc/rc.d/rc.local entry and update the time on start-up only.
::Either way, you need to add the following commands into your cron job or rc.local script:
::::<code>ntpdate pool.ntp.org</code> <---(updates the time)
::::<code>hwclock --systohc</code> <------(saves the time to the hardware clock)
 
 

==Manually updating the time==
Issue the following commands:
::::<code>ntpdate pool.ntp.org</code>
::::<code>hwclock --systohc</code>
 
 

==Choosing the right time server==
On ntp.org you will find a complete list with the right time server for you.
Let's say you live in germany, then you will choose <code>de.pool.ntp.org</code>. A complete List is available at http://support.ntp.org/bin/view/Servers/NTPPoolServers
 
 

==DST changes==
If your time is off due to DST changes, you must update the <code>/etc/localtime</code> file. You should be able to find a correct file on the internet and just replace the old <code>/etc/localtime</code> file.
 
 

==PROBLEMS==
'''PROBLEM:''' "Unable to contact time server:" error with KDE's Time Control Module. 
'''FIX:''' Make sure ntpd is NOT running. If ntpd is running, manual ntp and KDE ntp updates will return errors due to ntpd having control of the ntp port.

[[Category:Tutorials]]

Ntpd

Arfon — Thu, 30 Aug 2012 15:04:19 GMT

Arfon: Arfon moved page Ntpd to NTPD - temp: Fixing page name

#REDIRECT [[NTPD - temp]]

NTPD

Arfon — Thu, 30 Aug 2012 15:04:19 GMT

Arfon: Arfon moved page Ntpd to NTPD - temp: Fixing page name

NTPD

Arfon — Thu, 30 Aug 2012 15:01:26 GMT

Arfon: Undo revision 771 by Arfon (talk) - Removed 2007 stuff, fixed typos

NTPD

Arfon — Thu, 30 Aug 2012 14:52:37 GMT

Arfon: Moved to NTPD

Pptp

Arfon — Thu, 30 Aug 2012 14:38:48 GMT

Arfon: Moved to PPPTP (Poptop)

PPTP (Poptop)

Arfon — Thu, 30 Aug 2012 14:38:02 GMT

Arfon: Moved from Pptp

[[Category:Server]]
[[Category:Networking]]
[[Category:Tutorials]]

==(Poptop) pptpd Server Setup==

Here's what I did to get Poptop pptpd (1.3.4) running on my Slackware (13.37) box.

1) Install the official Slackware ppp package using pkgtool or slackpkg.

2) Install the ppptpd package from Slackbuilds.org using sbopkg.
***NOTE: The package name is NOT Poptop, it's pptpd***

3) Edit /etc/pptpd.conf

ADD:
localip 10.7.0.1
remoteip 10.7.0.2-50
CHANGE:
option /etc/ppp/options.pptpd -> option /etc/ppp/options

4) Edit /etc/ppp/options
HERE IS A GOTCHA- The official Slackware ppp package (at the time of this writing) contains an error in the options
file. The pppd binary was compiled to look for the new ms-dns parameter but the option file has the old dns-addr
parameter.

CHANGE:
# dns-addr 192.168.1.1 -> ms-dns 8.8.8.8 (or whatever your dns server is)

5) Edit the /etc/ppp/chap-secrets file.
For some reason, the default Slackware package has 4 example entries in it that are not commented (jacco,*,sam,*)
delete these. You don't want jacco or sam to have a free connection into your box...

ADD: one entry for each user you want to allow access.
Format is: CLIENT [tab] SERVER [tab] PASSWORD [tab] IP ADDRESS
Mine looks like this:

bob * "BobsPasswordIsStrong" *
sue * "FluffyBunnies92" *

6) Finally to start pptpd, normally you would just execute 'pptpd &' but being that I'm a good Slacker, I wrote an
rc.pptpd script.
Create /etc/rc.d/rc.pptpd
contents:
#!/bin/sh
#
# /etc/rc.d/rc.pptpd
#
# Start/stop/restart the pptpd server.
#
# To make PopTop start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.pptpd
#

pptpd_start() {
if [ -x /usr/sbin/pptpd ]; then
echo "Starting PopTop pptpd: /usr/sbin/pptpd server.conf"
/usr/sbin/pptpd &
fi
}

pptpd_stop() {
killall pptpd
}

pptpd_restart() {
pptpd_stop
sleep 2
pptpd_start
}

case "$1" in
'start')
pptpd_start
;;
'stop')
pptpd_stop
;;
'restart')
pptpd_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
pptpd_start
esac

7) Make it executable (and autobootable on start up)

chmod 755 /etc/rc.d/rc.pptpd

To start it manually- /etc/rc.d/rc.pptpd start

To be useful you next need to configure your firewall to forward and masquerade traffic from the vpn out to
the world...

8) Edit/create: /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o ppp+ -j MASQUERADE

9) Make it executable

chmod 755 /etc/rc.d/rc.firewall

10) Flush the old firewall rules (forgetting to do this caused me all sorts of grief (Thanks mancha))

iptables -F

11) Execute the new firewall rules

/etc/rc.d/rc.firewall

If you and I haven't made any mistakes, you should now have pptp (server) and router working on your box.

==pptp Client Setup==

Needs to be added.

X Windows: Remote X to Windows with Xming

Arfon — Thu, 30 Aug 2012 13:40:57 GMT

Arfon: ADDED: Enable X11Forwarding to sshd_conf

===Plain Ol' Vanilla Remote X Session===

1) Install Xming '''and''' Xming-fonts
* Download from sourceforge.net/projects/xming[http://sourceforge.net/projects/xming/]

2) Add the Linux machine's DNS name(s) and IP address to the C:\Program Files\xming\X0.hosts file. File should contain:
LinuxBox.mydomain.com
LinuxBox
192.168.1.25

3) Start Xming on your Windows machine '''(NOT XLaunch)'''

4) Start the connection:
Connect to the Linux machine via ssh/telnet/rlogin/whatever and run:
DISPLAY=WINDOWS_IP:0;export DISPLAY;APPLICATION_YOU_WANT_TO_RUN &

EXAMPLE: DISPLAY=192.168.1.10:0;export DISPLAY;xterm &

5) Minimize the SSH/telnet session, do not close it. If you close it, your X connections will close. 
 
 

----

===Remote X11 Over SSH===
'''On the remote machine (Linux):''' 
1) Ensure that X11Forwarding is enabled in /etc/ssh/sshd_conf on the remote machine.

'''On the local machine (Windows):''' 
2) Install Xming '''and''' Xming-fonts
* Download from sourceforge.net/projects/xming[http://sourceforge.net/projects/xming/]

3) Add the Linux machine's DNS name(s) and IP address to the C:\Program Files\xming\X0.hosts file. File should contain:
LinuxBox.mydomain.com
LinuxBox
192.168.1.25

4) Start Xming on your Windows machine '''(NOT XLaunch)'''

5) Install Putty (if it's not already installed) onto your Windows machine.

* Download from www.chiark.greenend.org.uk/~sgtatham/putty/[http://www.chiark.greenend.org.uk/~sgtatham/putty/]

6) Open putty and fill in the “Host Name” box.

7) Ensure that SSH is checked and that the port is correct (probably 22).

8) Under Category > Connection > SSH > X11 check the “Enable X11 forwarding” box.

9) Click the “Open” button to start the connection.

10) Log into the remote machine as you would do in a normal SSH session.

11) Start the X application from the command line, a window should open on your local machine with the application.

12) Minimize the SSH session, do not close it. If you close it, your X connections will close.

(It's a regular SSH session with putty but with X11 forwarding enabled.)

----

===PROBLEMS===

'''PROBLEM:''' "Xlib: connection to YOUR_IP refused by server" 
'''FIX:''' Check the Xming log, it probably contains "Xming.exe: client 4 rejected from IP YOUR_IP". If so,
* close Xming
* Make sure that the DNS names and/or IPs are in the C:\Program Files\xming\X0.hosts file
* restart Xming
'''FIX2:''' If problem is not fixed, restart Xming with the -ac option. 

'''PROBLEM:''' The application starts but then I get a font error(s). 
'''FIX:''' Install the Xming-fonts onto your Windows box. 

'''PROBLEM:''' When starting Xming, a Windows Security Alert pops up saying Windows Firewall has blocked this program. 
'''FIX:''' Change Windows Firewall setting to allow Xming. 
'''FIX2:''' Disable Windows Firewall by going to Services, setting Windows Firewall to MANUAL START and then stop the service. 

'''PROBLEM:''' Cannot connect to Xming and I have checked all of the above. 
'''FIX:''' When starting Xming as display 0, Windows Firewall does not complain. Check to see if Windows Firewall is blocking the connection. 

[[Category:Tutorials]]

X Windows: Remote X to Windows with Xming

Arfon — Thu, 30 Aug 2012 13:26:13 GMT

Arfon: ADDED: Remote X over SSH

===Plain Ol' Vanilla Remote X Session===

1) Install Xming '''and''' Xming-fonts
* Download from sourceforge.net/projects/xming[http://sourceforge.net/projects/xming/]

2) Add the Linux machine's DNS name(s) and IP address to the C:\Program Files\xming\X0.hosts file. File should contain:
LinuxBox.mydomain.com
LinuxBox
192.168.1.25

3) Start Xming on your Windows machine '''(NOT XLaunch)'''

4) Start the connection:
Connect to the Linux machine via ssh/telnet/rlogin/whatever and run:
DISPLAY=WINDOWS_IP:0;export DISPLAY;APPLICATION_YOU_WANT_TO_RUN

EXAMPLE: DISPLAY=192.168.1.10:0;export DISPLAY;xterm

5) Minimize the telnet session, do not close it. If you close it, your X connections will close. 
 
 

----

===Remote X11 Over SSH===

1) Install Xming '''and''' Xming-fonts
* Download from sourceforge.net/projects/xming[http://sourceforge.net/projects/xming/]

2) Add the Linux machine's DNS name(s) and IP address to the C:\Program Files\xming\X0.hosts file. File should contain:
LinuxBox.mydomain.com
LinuxBox
192.168.1.25

3) Start Xming on your Windows machine '''(NOT XLaunch)'''

4) Install Putty (if it's not already installed).

* Download from www.chiark.greenend.org.uk/~sgtatham/putty/

5) Open putty and fill in the “Host Name” box.

6) Ensure that SSH is checked.

7) Under Category > Connection > SSH > X11 check the “Enable X11 forwarding” box.

8) Click the “Open” button to start the connection.

9) Log into the remote machine as you would do in a normal SSH session.

10) Start the X application from the command line, a window should open on your local machine with the application.

(It's a regular SSH session with putty but with X11 forwarding enabled.)

----

===PROBLEMS===

'''PROBLEM:''' "Xlib: connection to YOUR_IP refused by server" 
'''FIX:''' Check the Xming log, it probably contains "Xming.exe: client 4 rejected from IP YOUR_IP". If so,
* close Xming
* Make sure that the DNS names and/or IPs are in the C:\Program Files\xming\X0.hosts file
* restart Xming
'''FIX2:''' If problem is not fixed, restart Xming with the -ac option. 

'''PROBLEM:''' The application starts but then I get a font error(s). 
'''FIX:''' Install the Xming-fonts onto your Windows box. 

'''PROBLEM:''' When starting Xming, a Windows Security Alert pops up saying Windows Firewall has blocked this program. 
'''FIX:''' Change Windows Firewall setting to allow Xming. 
'''FIX2:''' Disable Windows Firewall by going to Services, setting Windows Firewall to MANUAL START and then stop the service. 

'''PROBLEM:''' Cannot connect to Xming and I have checked all of the above. 
'''FIX:''' When starting Xming as display 0, Windows Firewall does not complain. Check to see if Windows Firewall is blocking the connection. 

[[Category:Tutorials]]

X Windows: Remote X to Linux

Arfon — Thu, 30 Aug 2012 12:59:00 GMT

Arfon: ADDED: X11 over SSH

'''NOTE:''' In the X11 world, the '''SERVER machine''' is the one listening for a connection (the local machine (your desktop)). 
'''NOTE:''' The '''CLIENT machine''' is the one initiating the connection (the remote machine). 
I know, it sounds backwards but, it is actually correct if you understand the X11 connection. 

----
===Plain Ol' Vanilla X11 Remote Connection===

1) Tell your X11 server machine (your desktop) to accept X11 connections from the client machine. 
* If it's a one time connection, just run the following from the command line 
or 
* You can add the following to .bashrc or .profile to make it permanent 

xhost +X11_SERVER_IP (the '''remote''' machine)

'''EXAMPLE:''' xhost +192.168.1.45

2) Start the connection from the Client Linux machine (the remote machine)- Connect to the remote Linux machine via ssh/telnet/rlogin/whatever and run:

DISPLAY=X11_SERVER_IP:0;export DISPLAY;APPLICATION_YOU_WANT_TO_RUN &

'''EXAMPLE:''' DISPLAY=192.168.1.10:0;export DISPLAY;xterm &

'''REMEMBER:''' ''The X11 server is your desktop.''

----
===Remote X11 Over SSH===

1) ensure that X11Forwarding is enabled in /etc/ssh/ssh'''d'''_conf on the '''remote''' machine.

2) ensure that X11Forwarding is enabled in /etc/ssh/ssh_conf on the '''local''' machine.

3) open an X11 forwarded ssh session '''from the local machine to the remote machine''' (opposite of what you do for a 'vanilla' remote X connection):

ssh -X USER@REMOTE_MACHINE
XAPPLICATION_YOU_WANT_TO_RUN

'''EXAMPLE:'''
ssh -X joe@192.168.1.45
xterm &

'''PROBLEMS''' 
'''PROBLEM:''' ssh connection is complaining about an “Invalid MIT-MAGIC-COOKIE”. 
'''FIX:''' start a less secure ssh session:

ssh -Y USER@REMOTE_MACHINE

[[Category: Tutorials]]

Perl Modules

Arfon — Wed, 29 Aug 2012 19:48:38 GMT

Arfon: ADDED: upgrade modules

[[Category:Tutorials]]
==Getting To The CPAN Prompt==
To administer your Perl modules you must use the CPAN prompt. To get to the CPAN prompt, as root type:

::<code>cpan</code>

If this is the first time that you have entered the CPAN shell, you will be asked some set-up questions that will allow the shell to access CPAN's servers to get modules. Just read the questions and answer them.

If you ever need to re-run the set-up again, enter the CPAN shell and then type:

::<code>o conf init</code>

==Listing The Installed Modules==
From the BASH prompt:

'''Easy way'''
instmodsh
l (L)

'''Hard way'''
use this Perl program:

#!/usr/bin/perl
use ExtUtils::Installed;
my $instmod = ExtUtils::Installed->new();
foreach my $module ($instmod->modules())
{
my $version = $instmod->version($module) || "???";
print "$module -- $version\n";
}

==Installing New Modules==
From the CPAN prompt, type:

install <Some::Module>

==Removing Modules==

A clean way is by using this Perl program from the BASH prompt:

#!/usr/bin/perl -w
use ExtUtils::Packlist;
use ExtUtils::Installed;
$ARGV[0] or die "Usage: $0 Module::Name\n";
my $mod = $ARGV[0];
my $inst = ExtUtils::Installed->new();
foreach my $item (sort($inst->files($mod)))
{
print "removing $item\n";
unlink $item;
}
my $packfile = $inst->packlist($mod)->packlist_file();
print "removing $packfile\n";
unlink $packfile;

==Upgrade Modules==
From the CPAN prompt, type:

upgrade MODULE::NAME (to upgrade an individual module)

'''or'''

upgrade (to upgrade ALL modules)

Perl Modules

Arfon — Wed, 29 Aug 2012 19:46:23 GMT

Arfon: ADDED: upgrade modules

[[Category:Tutorials]]
==Getting To The CPAN Prompt==
To administer your Perl modules you must use the CPAN prompt. To get to the CPAN prompt, as root type:

::<code>cpan</code>

If this is the first time that you have entered the CPAN shell, you will be asked some set-up questions that will allow the shell to access CPAN's servers to get modules. Just read the questions and answer them.

If you ever need to re-run the set-up again, enter the CPAN shell and then type:

::<code>o conf init</code>

==Listing The Installed Modules==

'''Easy way'''
instmodsh
l (L)

'''Hard way'''
use this Perl program:

#!/usr/bin/perl
use ExtUtils::Installed;
my $instmod = ExtUtils::Installed->new();
foreach my $module ($instmod->modules())
{
my $version = $instmod->version($module) || "???";
print "$module -- $version\n";
}

==Installing New Modules==
From the CPAN shell prompt, type:

install <Some::Module>

==Removing Modules==

A clean way is by using this Perl program:

#!/usr/bin/perl -w
use ExtUtils::Packlist;
use ExtUtils::Installed;
$ARGV[0] or die "Usage: $0 Module::Name\n";
my $mod = $ARGV[0];
my $inst = ExtUtils::Installed->new();
foreach my $item (sort($inst->files($mod)))
{
print "removing $item\n";
unlink $item;
}
my $packfile = $inst->packlist($mod)->packlist_file();
print "removing $packfile\n";
unlink $packfile;

==Upgrade Modules==

In the cpan prompt, type:

upgrade MODULE::NAME to upgrade an individual module

'''or'''

Perl Modules

Arfon — Wed, 29 Aug 2012 19:43:08 GMT

Arfon: /* Getting To The CPAN Prompt */ REMOVED perl MCPAN and ADDED cpan

[[Category:Tutorials]]
==Getting To The CPAN Prompt==
To administer your Perl modules you must use the CPAN prompt. To get to the CPAN prompt, as root type:

::<code>cpan</code>

If this is the first time that you have entered the CPAN shell, you will be asked some set-up questions that will allow the shell to access CPAN's servers to get modules. Just read the questions and answer them.

If you ever need to re-run the set-up again, enter the CPAN shell and then type:

::<code>o conf init</code>

==Listing The Installed Modules==

'''Easy way'''
instmodsh
l (L)

'''Hard way'''
use this Perl program:

#!/usr/bin/perl
use ExtUtils::Installed;
my $instmod = ExtUtils::Installed->new();
foreach my $module ($instmod->modules())
{
my $version = $instmod->version($module) || "???";
print "$module -- $version\n";
}

==Installing New Modules==
From the CPAN shell prompt, type:

install <Some::Module>

==Removing Modules==

A clean way is by using this Perl program:

#!/usr/bin/perl -w
use ExtUtils::Packlist;
use ExtUtils::Installed;
$ARGV[0] or die "Usage: $0 Module::Name\n";
my $mod = $ARGV[0];
my $inst = ExtUtils::Installed->new();
foreach my $item (sort($inst->files($mod)))
{
print "removing $item\n";
unlink $item;
}
my $packfile = $inst->packlist($mod)->packlist_file();
print "removing $packfile\n";
unlink $packfile;

Perl Modules

Arfon — Wed, 29 Aug 2012 19:41:55 GMT

Arfon: I originally created this page and things have changed slightly...

[[Category:Tutorials]]
==Getting To The CPAN Prompt==
To administer your Perl modules you must use the CPAN prompt. To get to the CPAN prompt, as root type:

::<code>perl -MCPAN -e shell</code>

If this is the first time that you have entered the CPAN shell, you will be asked some set-up questions that will allow the shell to access CPAN's servers to get modules. Just read the questions and answer them.

If you ever need to re-run the set-up again, enter the CPAN shell and then type:

::<code>o conf init</code>

==Listing The Installed Modules==

'''Easy way'''
instmodsh
l (L)

'''Hard way'''
use this Perl program:

#!/usr/bin/perl
use ExtUtils::Installed;
my $instmod = ExtUtils::Installed->new();
foreach my $module ($instmod->modules())
{
my $version = $instmod->version($module) || "???";
print "$module -- $version\n";
}

==Installing New Modules==
From the CPAN shell prompt, type:

install <Some::Module>

==Removing Modules==

A clean way is by using this Perl program:

#!/usr/bin/perl -w
use ExtUtils::Packlist;
use ExtUtils::Installed;
$ARGV[0] or die "Usage: $0 Module::Name\n";
my $mod = $ARGV[0];
my $inst = ExtUtils::Installed->new();
foreach my $item (sort($inst->files($mod)))
{
print "removing $item\n";
unlink $item;
}
my $packfile = $inst->packlist($mod)->packlist_file();
print "removing $packfile\n";
unlink $packfile;

X Windows: Remote X to Linux

Arfon — Wed, 29 Aug 2012 19:25:29 GMT

Arfon: CREATED!

'''NOTE:''' in the X11 world, the '''SERVER machine''' is the one listening for a connection (your desktop). 
'''NOTE:''' The '''CLIENT machine''' is the one initiating the connection (the remote machine). 
I know, it sounds backwards but, it is actually correct if you understand the X11 connection. 

----

1) Tell your X11 Server Linux box (your desktop) to accept X11 connections from the Client machines. 
* If it's a one time connection, just run the following from the command line 
or 
* You can add the following to .bashrc or .profile to make it permenant 

xhost +144.45.254.150

2) Start the connection from the Client Linux machine (the remote machine)- Connect to the remote Linux machine via ssh/telnet/rlogin/whatever and run:

DISPLAY=X11_SERVER_IP:0;export DISPLAY;APPLICATION_YOU_WANT_TO_RUN &

'''EXAMPLE:''' DISPLAY=192.168.1.10:0;export DISPLAY;xterm &

'''REMEMBER:''' ''The X11 server is your desktop.''

[[Category: Tutorials]]

DHCP Server: DNSMasq

Arfon — Wed, 29 Aug 2012 16:18:08 GMT

Arfon: FIXED: typo

Written from a Slackware 13.37 perspective.

To set up a DHCP server you can use the dchp package (that is included with Slackware) 
'''or''' 
you can do it the easier way and use DNSMasq (also included with Slackware).

'''Assuming that you do not have DNSMasq installed'''

1) Install the official dnsmasq Slackware package either by pkgtool or slackpkg.

2) Make DNSMasq start on boot:

CHMOD 755 /etc/rc.d/rc.dnsmasq

At this point you will have a really cool little DNS on your box...

'''If you already had DNSMasq running on your box, start here'''

1) edit the /etc/dnsmasq.conf file:

CHANGE: #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
TO: dhcp-range=1ST_POOL_IP,LAST_POOL_IP,12h (using your correct IP range)

1a) If your DNSMasq box isn't also your gateway router, tell your DHCP clients who is the default gateway:

CHANGE: #dhcp-option=3,1.2.3.4
TO: dhcp-option=3,YOUR_GATEWAY_IP

2) start/restart DNSMasq

/etc/rc.d/rc.dnsmasq restart

You should now have a working DCHP server.

----
'''Persistent IPs'''

To assign IPs based on a device's MAC address, edit /etc/dnsmasq.conf and add the following line for every device (using the correct MAC and IP of course):

dhcp-host=11:22:33:44:55:66,192.168.1.61

'''NOTE:''' The IP address should be OUTSIDE the DHCP pool.

[[Category: Tutorials]]

DHCP Server: dhcpd

Arfon — Wed, 29 Aug 2012 16:11:03 GMT

Arfon: CREATED to match DCHP Server: DNSMasq

NEEDS TO BE CREATED

You can look at [[DHCP Server: DNSMasq]]

[[Category: Tutorials]]

DHCP Server: DNSMasq

Arfon — Wed, 29 Aug 2012 16:08:37 GMT

Arfon: ADDED: Category

Written from a Slackware 13.37 perspective.

To set up a DHCP server you can use the dchp package that is included with Slackware OR you can do it the easier way and use DNSMasq (also included with Slackware).

'''Assuming that you do not have DNSMasq installed'''

1) Install the official dnsmasq Slackware package either by pkgtool oe slackpkg.

2) Make DNSMasq start on boot:

CHMOD 755 /etc/rc.d/rc.dnsmasq

At this point you will have a really cool little DNS on your box...

'''If you already had DNSMasq running on your box, start here'''

1) edit the /etc/dnsmasq.conf file:

CHANGE: #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
TO: dhcp-range=192.168.1.200,192.168.1.239,12h (using your correct IP range)

2) start/restart DNSMasq

/etc/rc.d/rc.dnsmasq restart

You should now have a working DCHP server.

----
'''Persistent IPs'''

To assign IPs based on a device's MAC address, edit /etc/dnsmasq.conf and add the following line for every device (using the correct MAC and IP of course):

dhcp-host=11:22:33:44:55:66,192.168.1.61

'''NOTE:''' The IP address should be OUTSIDE the DHCP pool.

[[Category: Tutorials]]

DHCP Server: DNSMasq

Arfon — Wed, 29 Aug 2012 16:07:31 GMT

Arfon: CREATED!

X Windows: Remote X to Windows with Xming

Arfon — Wed, 29 Aug 2012 15:16:15 GMT

Arfon: ADDED: Category

1) Install Xming '''and''' Xming-fonts
* Download from sourceforge.net/projects/xming[http://sourceforge.net/projects/xming/]

2) Add the Linux machine's DNS name(s) and IP address to the C:\Program Files\xming\X0.hosts file. File should contain:
LinuxBox.mydomain.com
LinuxBox
192.168.1.25

3) Start Xming on your Windows machine '''(NOT XLaunch)'''

4) Start the connection:
Connect to the Linux machine via ssh/telnet/rlogin/whatever and run:
DISPLAY=WINDOWS_IP:0;export DISPLAY;APPLICATION_YOU_WANT_TO_RUN

EXAMPLE: DISPLAY=192.168.1.10:0;export DISPLAY;xterm

5) Minimize the telnet session, do not close it. If you close it, your X connections will close. 
 
 

----

'''PROBLEMS'''

'''PROBLEM:''' "Xlib: connection to YOUR_IP refused by server" 
'''FIX:''' Check the Xming log, it probably contains "Xming.exe: client 4 rejected from IP YOUR_IP". If so,
* close Xming
* Make sure that the DNS names and/or IPs are in the C:\Program Files\xming\X0.hosts file
* restart Xming
'''FIX2:''' If problem is not fixed, restart Xming with the -ac option. 

'''PROBLEM:''' The application starts but then I get a font error(s). 
'''FIX:''' Install the Xming-fonts onto your Windows box. 

'''PROBLEM:''' When starting Xming, a Windows Security Alert pops up saying Windows Firewall has blocked this program. 
'''FIX:''' Change Windows Firewall setting to allow Xming. 
'''FIX2:''' Disable Windows Firewall by going to Services, setting Windows Firewall to MANUAL START and then stop the service. 

'''PROBLEM:''' Cannot connect to Xming and I have checked all of the above. 
'''FIX:''' When starting Xming as display 0, Windows Firewall does not complain. Check to see if Windows Firewall is blocking the connection. 

[[Category:Tutorials]]

X Windows: Remote X to Windows with Xming

Arfon — Wed, 29 Aug 2012 15:14:36 GMT

Arfon: FIXED: typo

X Windows: Remote X to Windows with Xming

Arfon — Wed, 29 Aug 2012 15:12:05 GMT

Arfon: CREATED!

1) Install Xming '''and''' Xming-fonts
* Download from sourceforge.net/projects/xming[http://sourceforge.net/projects/xming/]

2) Add the Linux machine's DNS name(s) and IP address to the C:\Program Files\xming\X0.hosts file. File should contain:
LinuxBox.mydomain.com
LinuxBox
192.168.1.25

3) Start Xming on your Windows machine '''(NOT XLaunch)'''

4) Start the connection:
Connect to the Linux machine via ssh/telnet/rlogin/whatever and run:
DISPLAY=WINDOWS_IP:0;export DISPLAY;APPLICATION_YOU_WANT_TO_RUN

EXAMPLE: DISPLAY=192.168.1.10:0;export DISPLAY;xterm

Minimize the telnet session, do not close it. If you close it, your OV connection will close.

----

'''PROBLEMS'''

'''PROBLEM:''' "Xlib: connection to YOUR_IP refused by server" 
'''FIX:''' Check the Xming log, it probably contains "Xming.exe: client 4 rejected from IP YOUR_IP". If so,
* close Xming
* Make sure that the DNS names and/or IPs are in the C:\Program Files\xming\X0.hosts file
* restart Xming
'''FIX2:''' If problem is not fixed, restart Xming with the -ac option. 

'''PROBLEM:''' Map starts but then I get a font error from OpenView. 
'''FIX:''' Install the Xming-fonts onto your Windows box. 

'''PROBLEM:''' When starting Xming, a Windows Security Alert pops up saying Windows Firewall has blocked this program. 
'''FIX:''' Change Windows Firewall setting to allow Xming. 
'''FIX2:''' Disable Windows Firewall by going to Services, setting Windows Firewall to MANUAL START and then stop the service. 

'''PROBLEM:''' Cannot connect to Xming and I have checked all of the above. 
'''FIX:''' When starting Xming as display 0, Windows Firewall does not complain. Check to see if Windows Firewall is blocking the connection.

MySQL Configuration

Arfon — Mon, 06 Aug 2012 15:30:58 GMT

Arfon: /etc/rc.d/rc.mysql start --> /etc/rc.d/rc.mysqld start AND ADDED: mysql> use mysql

[[Category:Tutorials]]
''Have you just installed Slackware and now see a MySQL error at the login prompt?''

This is a VERY quick HowTo and should take maybe 30 seconds to complete at its slowest. The reason I decided to do a write-up is because of the sheer number of people asking how to fix it.

== Option 1 ==
In a shell or xterm, type (you have to be logged in as superuser to use the mysql login):

su mysql

This logs you into the 'mysql' user account.

Next, run:

mysql_install_db

This will create the needed databases and set their permissions properly.

if your not logon as mysql user (root)

Don't forget to chown folder /var/lib/mysql
<pre>
chown -R mysql.mysql /var/lib/mysql
chmod 755 /etc/rc.d/rc.mysqld
</pre>

You're now finished and should not see the typical MySQL errors at the login prompt.

/etc/rc.d/rc.mysqld start

Now you should set a password for MySQL's root password:

mysqladmin -u root password 'new-password-here'

You can connect to your MySQL server with:
mysql -u root -p

For security reasons you should delete an empy user for localhost server
<pre>
mysql> use mysql
mysql> SELECT user, host FROM user;
mysql> DELETE FROM user WHERE host='localhost' AND user='';
</pre>
*''This tutorial is currently linked at ''
* ''http://www.unixfool.com/mysql-slack.shtml''

== Option 2 ==
1. log in as root and install the mysql package

2. <code>killall -9 mysqld mysqld_safe</code> to kill any running MySQL processes.

3. copy one of the my-size.cnf files in /etc to my.cnf (picking an apporpriate size): 
::<code>cp /etc/my-medium.cnf /etc/my.cnf</code>

4. Install the MySQL database-

::'''Slackware 12.1''' (and later):
::::<code>mysql_install_db --user=mysql</code>

::'''Slackware 12.0''' (and before):
::::<code>su mysql</code>
::::<code>mysql_install_db</code>
:::: <code>exit</code> (to get out of the mysql login and back to root).

5. <code>mysqld_safe --skip-grant-tables &</code>

6. <code>mysql -u root mysql</code>

7. <code>UPDATE user SET Password=PASSWORD('new_password') WHERE user='root';</code>

8. <code>FLUSH PRIVILEGES;</code>

9. <code>exit</code>

10. <code>killall -9 mysqld mysqld_safe</code>

11. <code>mysqld_safe &</code>

to check the new password, (as root) type: 
::<code>mysqladmin -u root -p status</code> 
:::::...and enter the new password.

== Option 3 ==

I'm starting from a [http://www.slackwiki.org/Minimal_System very basic install].

The only additional package needed is '''mysql''' in the '''AP''' group.

<pre>
# installpkg mysql-5.0.37-i486-1.tgz
# su mysql
$ mysql_install_db
Installing all prepared tables
Fill help tables
...
$ exit
# chmod 755 /etc/rc.d/rc.mysqld
# /etc/rc.d/rc.mysqld start
Starting mysqld daemon with databases from /var/lib/mysql
</pre>

MySQL is now installed, but there are no passwords defined yet.

<pre>
# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.37 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
</pre>

We can now set passwords from within the MySQL console. I know this can be achieved with '''mysqladmin''', but then, several ways lead to Rome. It's a simple matter of habit.

<pre>
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.01 sec)

mysql> use mysql;
Database changed

mysql> select user, host, password from user where user = 'root';
+------+-----------+----------+
| user | host | password |
+------+-----------+----------+
| root | localhost | |
| root | slacktest | |
+------+-----------+----------+
2 rows in set (0.00 sec)
</pre>

As you can see, there are two 'root' users here (and none of them is our system's root user, don't forget): root@localhost... and root@slacktest. We have to set a password for both of them. In theory, these can be different, but why make things more complicated than they already are? ;o)

<pre>
mysql> set password for root@localhost = password('yatahongaga');
Query OK, 0 rows affected (0.00 sec)
</pre>

Let's repeat our query above to see the actual changes:

<pre>
mysql> select user, host, password from user where user = 'root';
+------+-----------+-------------------------------------------+
| user | host | password |
+------+-----------+-------------------------------------------+
| root | localhost | *71CDE2704222D8D5A7608C92AF78C53F78DA5EBA |
| root | slacktest | |
+------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)
</pre>

You can see that root@localhost's password is displayed as a shadow password. Now let's set the password for root@slacktest (replace ''slacktest'' by your machine's hostname):

<pre>
mysql> set password for root@slacktest = password('yatahongaga');
Query OK, 0 rows affected (0.00 sec)
</pre>

What do we have now?

<pre>
mysql> select user, host, password from user where user = 'root';
+------+-----------+-------------------------------------------+
| user | host | password |
+------+-----------+-------------------------------------------+
| root | localhost | *71CDE2704222D8D5A7608C92AF78C53F78DA5EBA |
| root | slacktest | *71CDE2704222D8D5A7608C92AF78C53F78DA5EBA |
+------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)
</pre>

Now we have some (very) basic security, we can leave the MySQL monitor.

<pre>
mysql> quit;
Bye
</pre>

To connect to our MySQL database as MySQL's root user (who, remember, is ''not'' the system's root), we can do the following:

<pre>
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.37 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
</pre>

If we have to do this often, we can create a /root/.my.cnf file and edit it as follows:

<pre>
[mysql]
user = root
password = yatahongaga
</pre>

Just to be on the safe side:

<pre>
# chmod 0600 /root/.my.cnf
</pre>

From now on, you can connect directly to the MySQL monitor, without having to type your password every time.

MySQL Configuration

Arfon — Mon, 06 Aug 2012 15:22:36 GMT

Arfon: chmod 755 /etc/rc.d/rc.mysql --> chmod 755 /etc/rc.d/rc.mysqld

[[Category:Tutorials]]
''Have you just installed Slackware and now see a MySQL error at the login prompt?''

This is a VERY quick HowTo and should take maybe 30 seconds to complete at its slowest. The reason I decided to do a write-up is because of the sheer number of people asking how to fix it.

== Option 1 ==
In a shell or xterm, type (you have to be logged in as superuser to use the mysql login):

su mysql

This logs you into the 'mysql' user account.

Next, run:

mysql_install_db

This will create the needed databases and set their permissions properly.

if your not logon as mysql user (root)

Don't forget to chown folder /var/lib/mysql
<pre>
chown -R mysql.mysql /var/lib/mysql
chmod 755 /etc/rc.d/rc.mysqld
</pre>

You're now finished and should not see the typical MySQL errors at the login prompt.

/etc/rc.d/rc.mysql start

Now you should set a password for MySQL's root password:

mysqladmin -u root password 'new-password-here'

You can connect to your MySQL server with:
mysql -u root -p

For security reasons you should delete an empy user for localhost server
<pre>
mysql> SELECT user, host FROM user;
mysql> DELETE FROM user WHERE host='localhost' AND user='';
</pre>
*''This tutorial is currently linked at ''
* ''http://www.unixfool.com/mysql-slack.shtml''

== Option 2 ==
1. log in as root and install the mysql package

2. <code>killall -9 mysqld mysqld_safe</code> to kill any running MySQL processes.

3. copy one of the my-size.cnf files in /etc to my.cnf (picking an apporpriate size): 
::<code>cp /etc/my-medium.cnf /etc/my.cnf</code>

4. Install the MySQL database-

::'''Slackware 12.1''' (and later):
::::<code>mysql_install_db --user=mysql</code>

::'''Slackware 12.0''' (and before):
::::<code>su mysql</code>
::::<code>mysql_install_db</code>
:::: <code>exit</code> (to get out of the mysql login and back to root).

5. <code>mysqld_safe --skip-grant-tables &</code>

6. <code>mysql -u root mysql</code>

7. <code>UPDATE user SET Password=PASSWORD('new_password') WHERE user='root';</code>

8. <code>FLUSH PRIVILEGES;</code>

9. <code>exit</code>

10. <code>killall -9 mysqld mysqld_safe</code>

11. <code>mysqld_safe &</code>

to check the new password, (as root) type: 
::<code>mysqladmin -u root -p status</code> 
:::::...and enter the new password.

== Option 3 ==

I'm starting from a [http://www.slackwiki.org/Minimal_System very basic install].

The only additional package needed is '''mysql''' in the '''AP''' group.

<pre>
# installpkg mysql-5.0.37-i486-1.tgz
# su mysql
$ mysql_install_db
Installing all prepared tables
Fill help tables
...
$ exit
# chmod 755 /etc/rc.d/rc.mysqld
# /etc/rc.d/rc.mysqld start
Starting mysqld daemon with databases from /var/lib/mysql
</pre>

MySQL is now installed, but there are no passwords defined yet.

<pre>
# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.37 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
</pre>

We can now set passwords from within the MySQL console. I know this can be achieved with '''mysqladmin''', but then, several ways lead to Rome. It's a simple matter of habit.

<pre>
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.01 sec)

mysql> use mysql;
Database changed

mysql> select user, host, password from user where user = 'root';
+------+-----------+----------+
| user | host | password |
+------+-----------+----------+
| root | localhost | |
| root | slacktest | |
+------+-----------+----------+
2 rows in set (0.00 sec)
</pre>

As you can see, there are two 'root' users here (and none of them is our system's root user, don't forget): root@localhost... and root@slacktest. We have to set a password for both of them. In theory, these can be different, but why make things more complicated than they already are? ;o)

<pre>
mysql> set password for root@localhost = password('yatahongaga');
Query OK, 0 rows affected (0.00 sec)
</pre>

Let's repeat our query above to see the actual changes:

<pre>
mysql> select user, host, password from user where user = 'root';
+------+-----------+-------------------------------------------+
| user | host | password |
+------+-----------+-------------------------------------------+
| root | localhost | *71CDE2704222D8D5A7608C92AF78C53F78DA5EBA |
| root | slacktest | |
+------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)
</pre>

You can see that root@localhost's password is displayed as a shadow password. Now let's set the password for root@slacktest (replace ''slacktest'' by your machine's hostname):

<pre>
mysql> set password for root@slacktest = password('yatahongaga');
Query OK, 0 rows affected (0.00 sec)
</pre>

What do we have now?

<pre>
mysql> select user, host, password from user where user = 'root';
+------+-----------+-------------------------------------------+
| user | host | password |
+------+-----------+-------------------------------------------+
| root | localhost | *71CDE2704222D8D5A7608C92AF78C53F78DA5EBA |
| root | slacktest | *71CDE2704222D8D5A7608C92AF78C53F78DA5EBA |
+------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)
</pre>

Now we have some (very) basic security, we can leave the MySQL monitor.

<pre>
mysql> quit;
Bye
</pre>

To connect to our MySQL database as MySQL's root user (who, remember, is ''not'' the system's root), we can do the following:

<pre>
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.37 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
</pre>

If we have to do this often, we can create a /root/.my.cnf file and edit it as follows:

<pre>
[mysql]
user = root
password = yatahongaga
</pre>

Just to be on the safe side:

<pre>
# chmod 0600 /root/.my.cnf
</pre>

From now on, you can connect directly to the MySQL monitor, without having to type your password every time.

Pptp

Arfon — Wed, 13 Jun 2012 14:50:40 GMT

Arfon: ADDED: categories

OpenVPN smcr 2012

Arfon — Wed, 13 Jun 2012 14:50:07 GMT

Arfon: ca /etc/openvpn/certs/ca.crt -->ca /etc/openvpn/certsnkeys/ca.crt

[[Category:Server]]
[[Category:Networking]]
[[Category:Tutorials]]

'''OPENVPN MULTI-CLIENT ROUTED SERVER'''

Here's what I did to get OpenVPN (2.1.4) on my Slackware (13.37) box.

I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.

1) Install OpenVPN from Slackbuilds.org or using sbopkg

2) Generate the needed certificates and keys-

cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
vi vars
Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
Don't leave any of these parameters blank.

source ./vars
./clean-all
./build-ca
answer questions
./build-key-server server (server could be anything e.g. VPN1.blah.net)
answer questions
./build-key client1 (client1 can be anything e.g bobs-phone)
answer questions
repeat for each client to have
./build-dh

3) Put the server certs and keys where they need to be-
mkdir /etc/openvpn/certsnkeys
cp ca.crt /etc/openvpn/certsnkeys/
cp ca.key /etc/openvpn/certsnkeys/
cp server.crt /etc/openvpn/certsnkeys/
cp server.key /etc/openvpn/certsnkeys/
cp dh1024.pem /etc/openvpn/

4) Send the client certs and keys where they need to be-
Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
EXAMPLE: My android got a copy of client1.crt, client2.key and ca.crt.
My laptop got a copy of client2.crt, client2.key and ca.crt
NOTE: my android need a .p12 file, more on that below.

5) Configure the server.conf file-
cd /usr/doc/openvpn-2.1.4
cp server.conf.sample /etc/openvpn/server.conf
cd /etc/openvpn

***NOTE: in /etc/openvpn you will see a file called openvpn.conf. DO NOT USE THAT!
Use server.conf***

Edit /etc/openvpn/server.conf
CHANGE:
ca ca.crt -> ca /etc/openvpn/certsnkeys/ca.crt
cert server.crt -> cert /etc/openvpn/certsnkeys/server.crt
key server.key -> key /etc/openvpn/certsnkeys/server.key
dh dh.pem -> dh /etc/openvpn/dh1024.pem

6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...

CREATE: /etc/rc.d/rc.openvpn
CONTAINS:
#!/bin/sh
#
# /etc/rc.d/rc.openvpn
#
# Start/stop/restart the openvpn server.
#
# To make OpenVPN start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.openvpn
#

ovpn_start() {
if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
echo "Starting OpenVPN: /usr/sbin/openvpn server.conf"
/usr/sbin/openvpn /etc/openvpn/server.conf &
fi
}

ovpn_stop() {
killall openvpn
}

ovpn_restart() {
ovpn_stop
sleep 2
ovpn_start
}

case "$1" in
'start')
ovpn_start
;;
'stop')
ovpn_stop
;;
'restart')
ovpn_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
ovpn_start
esac

7) Make it executable (and autostart on reboots)-

chmod 755 /etc/rc.d/rc.openvpn

To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)

Now let's fix the firewall so our clients can get to the rest of the world...

8) Edit/create /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

9) Flush the old firewall rules-

iptables -F

10) Activate the new rules now-

/etc/rc.d/rc.firewall

If the planets are aligned, you should now have a working OpenVPN server/router.

User:Arfon

Arfon — Sat, 09 Jun 2012 19:25:49 GMT

Arfon: Created page with "Find me on freenode ##Slackware as either arfon or urmom_ or drop me an email: REMOVETHIS arfon REMOVETHIS atsign REMOVETHIS 1337mail REMOVETHIS period REMOVETHIS net"

Find me on freenode ##Slackware as either arfon or urmom_

or drop me an email: REMOVETHIS arfon REMOVETHIS atsign REMOVETHIS 1337mail REMOVETHIS period REMOVETHIS net

OpenVPN smcr 2012

Arfon — Sat, 09 Jun 2012 19:21:54 GMT

Arfon: ADDED: Categories

[[Category:Server]]
[[Category:Networking]]
[[Category:Tutorials]]

'''OPENVPN MULTI-CLIENT ROUTED SERVER'''

Here's what I did to get OpenVPN (2.1.4) on my Slackware (13.37) box.

I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.

1) Install OpenVPN from Slackbuilds.org or using sbopkg

2) Generate the needed certificates and keys-

cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
vi vars
Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
Don't leave any of these parameters blank.

source ./vars
./clean-all
./build-ca
answer questions
./build-key-server server (server could be anything e.g. VPN1.blah.net)
answer questions
./build-key client1 (client1 can be anything e.g bobs-phone)
answer questions
repeat for each client to have
./build-dh

3) Put the server certs and keys where they need to be-
mkdir /etc/openvpn/certsnkeys
cp ca.crt /etc/openvpn/certsnkeys/
cp ca.key /etc/openvpn/certsnkeys/
cp server.crt /etc/openvpn/certsnkeys/
cp server.key /etc/openvpn/certsnkeys/
cp dh1024.pem /etc/openvpn/

4) Send the client certs and keys where they need to be-
Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
EXAMPLE: My android got a copy of client1.crt, client2.key and ca.crt.
My laptop got a copy of client2.crt, client2.key and ca.crt
NOTE: my android need a .p12 file, more on that below.

5) Configure the server.conf file-
cd /usr/doc/openvpn-2.1.4
cp server.conf.sample /etc/openvpn/server.conf
cd /etc/openvpn

***NOTE: in /etc/openvpn you will see a file called openvpn.conf. DO NOT USE THAT!
Use server.conf***

Edit /etc/openvpn/server.conf
CHANGE:
ca ca.crt -> ca /etc/openvpn/certs/ca.crt
cert server.crt -> cert /etc/openvpn/certsnkeys/server.crt
key server.key -> key /etc/openvpn/certsnkeys/server.key
dh dh.pem -> dh /etc/openvpn/dh1024.pem

6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...

CREATE: /etc/rc.d/rc.openvpn
CONTAINS:
#!/bin/sh
#
# /etc/rc.d/rc.openvpn
#
# Start/stop/restart the openvpn server.
#
# To make OpenVPN start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.openvpn
#

ovpn_start() {
if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
echo "Starting OpenVPN: /usr/sbin/openvpn server.conf"
/usr/sbin/openvpn /etc/openvpn/server.conf &
fi
}

ovpn_stop() {
killall openvpn
}

ovpn_restart() {
ovpn_stop
sleep 2
ovpn_start
}

case "$1" in
'start')
ovpn_start
;;
'stop')
ovpn_stop
;;
'restart')
ovpn_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
ovpn_start
esac

7) Make it executable (and autostart on reboots)-

chmod 755 /etc/rc.d/rc.openvpn

To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)

Now let's fix the firewall so our clients can get to the rest of the world...

8) Edit/create /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

9) Flush the old firewall rules-

iptables -F

10) Activate the new rules now-

/etc/rc.d/rc.firewall

If the planets are aligned, you should now have a working OpenVPN server/router.

OpenVPN smcr 2012

Arfon — Sat, 09 Jun 2012 19:18:24 GMT

Arfon: Fixed some trash

'''OPENVPN MULTI-CLIENT ROUTED SERVER'''

Here's what I did to get OpenVPN (2.1.4) on my Slackware (13.37) box.

I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.

1) Install OpenVPN from Slackbuilds.org or using sbopkg

2) Generate the needed certificates and keys-

cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
vi vars
Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
Don't leave any of these parameters blank.

source ./vars
./clean-all
./build-ca
answer questions
./build-key-server server (server could be anything e.g. VPN1.blah.net)
answer questions
./build-key client1 (client1 can be anything e.g bobs-phone)
answer questions
repeat for each client to have
./build-dh

3) Put the server certs and keys where they need to be-
mkdir /etc/openvpn/certsnkeys
cp ca.crt /etc/openvpn/certsnkeys/
cp ca.key /etc/openvpn/certsnkeys/
cp server.crt /etc/openvpn/certsnkeys/
cp server.key /etc/openvpn/certsnkeys/
cp dh1024.pem /etc/openvpn/

4) Send the client certs and keys where they need to be-
Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
EXAMPLE: My android got a copy of client1.crt, client2.key and ca.crt.
My laptop got a copy of client2.crt, client2.key and ca.crt
NOTE: my android need a .p12 file, more on that below.

5) Configure the server.conf file-
cd /usr/doc/openvpn-2.1.4
cp server.conf.sample /etc/openvpn/server.conf
cd /etc/openvpn

***NOTE: in /etc/openvpn you will see a file called openvpn.conf. DO NOT USE THAT!
Use server.conf***

Edit /etc/openvpn/server.conf
CHANGE:
ca ca.crt -> ca /etc/openvpn/certs/ca.crt
cert server.crt -> cert /etc/openvpn/certsnkeys/server.crt
key server.key -> key /etc/openvpn/certsnkeys/server.key
dh dh.pem -> dh /etc/openvpn/dh1024.pem

6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...

CREATE: /etc/rc.d/rc.openvpn
CONTAINS:
#!/bin/sh
#
# /etc/rc.d/rc.openvpn
#
# Start/stop/restart the openvpn server.
#
# To make OpenVPN start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.openvpn
#

ovpn_start() {
if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
echo "Starting OpenVPN: /usr/sbin/openvpn server.conf"
/usr/sbin/openvpn /etc/openvpn/server.conf &
fi
}

ovpn_stop() {
killall openvpn
}

ovpn_restart() {
ovpn_stop
sleep 2
ovpn_start
}

case "$1" in
'start')
ovpn_start
;;
'stop')
ovpn_stop
;;
'restart')
ovpn_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
ovpn_start
esac

7) Make it executable (and autostart on reboots)-

chmod 755 /etc/rc.d/rc.openvpn

To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)

Now let's fix the firewall so our clients can get to the rest of the world...

8) Edit/create /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

9) Flush the old firewall rules-

iptables -F

10) Activate the new rules now-

/etc/rc.d/rc.firewall

If the planets are aligned, you should now have a working OpenVPN server/router.

OpenVPN smcr 2012

Arfon — Sat, 09 Jun 2012 19:16:19 GMT

Arfon: CREATED! Saved because I put a lot of work into it so far and don't wanna lose it

Here's what I did yo get OpenVPN (2.1.4) on my Slackware (13.37) box.

I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.

1) Install OpenVPN from Slackbuilds.org or using sbopkg

2) Generate the needed certificates and keys-

cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
vi vars
Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
Don't leave any of these parameters blank.

source ./vars
./clean-all
./build-ca
answer questions
./build-key-server server (server could be anything e.g. VPN1.blah.net)
answer questions
./build-key client1 (client1 can be anything e.g bobs-phone)
answer questions
repeat for each client to have
./build-dh

3) Put the server certs and keys where they need to be-
mkdir /etc/openvpn/certsnkeys
cp ca.crt /etc/openvpn/certsnkeys/
cp ca.key /etc/openvpn/certsnkeys/
cp server.crt /etc/openvpn/certsnkeys/
cp server.key /etc/openvpn/certsnkeys/
cp dh1024.pem /etc/openvpn/

4) Send the client certs and keys where they need to be-
Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
EXAMPLE: My android got a copy of client1.crt, client2.key and ca.crt.
My laptop got a copy of client2.crt, client2.key and ca.crt
NOTE: my android need a .p12 file, more on that below.

5) Configure the server.conf file-
cd /usr/doc/openvpn-2.1.4
cp server.conf.sample /etc/openvpn/server.conf
cd /etc/openvpn

***NOTE: in /etc/openvpn you will see a file called openvpn.conf. DO NOT USE THAT!
Use server.conf***

Edit /etc/openvpn/server.conf
CHANGE:
ca ca.crt -> ca /etc/openvpn/certs/ca.crt
cert server.crt -> cert /etc/openvpn/certsnkeys/server.crt
key server.key -> key /etc/openvpn/certsnkeys/server.key
dh dh.pem -> dh /etc/openvpn/dh1024.pem

6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...

CREATE: /etc/rc.d/rc.openvpn
CONTAINS:
#!/bin/sh
#
# /etc/rc.d/rc.openvpn
#
# Start/stop/restart the openvpn server.
#
# To make OpenVPN start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.openvpn
#

ovpn_start() {
if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
echo "Starting OpenVPN: /usr/sbin/openvpn server.conf"
/usr/sbin/openvpn /etc/openvpn/server.conf &
fi
}

ovpn_stop() {
killall openvpn
}

ovpn_restart() {
ovpn_stop
sleep 2
ovpn_start
}

case "$1" in
'start')
ovpn_start
;;
'stop')
ovpn_stop
;;
'restart')
ovpn_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
ovpn_start
esac

7) Make it executable (and autostart on reboots)-

chmod 755 /etc/rc.d/rc.openvpn

To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)

Now let's fix the firewall so our clients can get to the rest of the world...

8) Edit/create /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

9) Flush the old firewall rules-

iptables -F

10) Activate the new rules now-

/etc/rc.d/rc.firewall

If the planets are aligned, you should now have a working OpenVPN server/router.

OpenVPN

Arfon — Sat, 09 Jun 2012 19:12:02 GMT

Arfon: Fixed broken link

OpenVPN

Arfon — Sat, 09 Jun 2012 19:10:37 GMT

Arfon: Moved old instructions to their own page. Made this page a menu for the instructions

OpenVPN pre-2009

Arfon — Sat, 09 Jun 2012 19:03:37 GMT

Arfon: Moved from OpenVPN

[[Category:Server]]
[[Category:Networking]]
[[Category:Tutorials]]
As a user-space VPN daemon, OpenVPN is compatible with with SSL/TLS, RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices.

OpenVPN is not compatible with IPSec, IKE, PPTP, or L2TP.

'''[[OpenVPN(ID)|OpenVPN Instructions - Bahasa Indonesia]]'''

__TOC__
== Installation ==

'''EASY WAY:'''
Download and install from Slackbuilds.org or sbopkg.

or

'''HARD WAY:'''
Install from source.

Download source from [http://openvpn.net openvpn.net]

Download verison 2.0

install Lzo
<pre>
tar zxvf lzo-1.08.tar.gz
cd lzo-1-08.tar.gz
./configure --prefix=/usr
make ; make install-strip
</pre>
install OpenVPN
<pre>
tar zxvf openvpn-2.0.tar.gz
cd openvpn-2.0
./configure --prefix=/usr \
--sysconfdir=/etc/openvpn \
--enable-pthread \
--enable-iproute2 \
--with-ssl \
--with-lzo-header=/usr/include \
--with-lzo-lib=/usr/lib \
--with-ifconfig \
--with-route \
--with-mem-check=dmalloc
make ; make install-strip
</pre>

==Creating The Certificates==

Save all certificates in '''''/etc/openvpn/certs'''''
<pre>
This is a small RSA key management package,
based on the openssl command line tool, that
can be found in the easy-rsa subdirectory
of the OpenVPN distribution.

These are reference notes. For step
by step instructions, see the HOWTO:

http://openvpn.net/howto.html

INSTALL

1. Edit vars.
2. Set KEY_CONFIG to point to the openssl.cnf file
included in this distribution.
3. Set KEY_DIR to point to a directory which will
contain all keys, certificates, etc. This
directory need not exist, and if it does,
it will be deleted with rm -rf, so BE
CAREFUL how you set KEY_DIR.
4. (Optional) Edit other fields in vars
per your site data. You may want to
increase KEY_SIZE to 2048 if you are
paranoid and don't mind slower key
processing, but certainly 1024 is
fine for testing purposes. KEY_SIZE
must be compatible across both peers
participating in a secure SSL/TLS
connection.
5 . vars
6. ./clean-all
7. As you create certificates, keys, and
certificate signing requests, understand that
only .key files should be kept confidential.
.crt and .csr files can be sent over insecure
channels such as plaintext email.
8. You should never need to copy a .key file
between computers. Normally each computer
will have its own certificate/key pair.

BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY

1. ./build-ca
2. ca.crt and ca.key will be built in your KEY_DIR
directory

BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)

1. ./build-inter inter
2. inter.crt and inter.key will be built in your KEY_DIR
directory and signed with your root certificate.

BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
the server end of a SSL/TLS connection).

1. ./build-dh

BUILD A CERTIFICATE SIGNING REQUEST (If
you want to sign your certificate with a root
certificate controlled by another individual
or organization, or residing on a different machine).

1. Get ca.crt (the root certificate) from your
certificate authority. Though this
transfer can be over an insecure channel, to prevent
man-in-the-middle attacks you must confirm that
ca.crt was not tampered with. Large CAs solve this
problem by hardwiring their root certificates into
popular web browsers. A simple way to verify a root
CA is to call the issuer on the telephone and confirm
that the md5sum or sha1sum signatures on the ca.crt
files match (such as with the command: "md5sum ca.crt").
2. Choose a name for your certificate such as your computer
name. In our example we will use "mycert".
3. ./build-req mycert
4. You can ignore most of the fields, but set
"Common Name" to something unique such as your
computer's host name. Leave all password
fields blank, unless you want your private key
to be protected by password. Using a password
is not required -- it will make your key more secure
but also more inconvenient to use, because you will
need to supply your password anytime the key is used.
NOTE: if you are using a password, use ./build-req-pass
instead of ./build-req
5. Your key will be written to $KEY_DIR/mycert.key
6. Your certificate signing request will be written to
to $KEY_DIR/mycert.csr
7. Email mycert.csr to the individual or organization
which controls the root certificate. This can be
done over an insecure channel.
8. After the .csr file is signed by the root certificate
authority, you will receive a file mycert.crt
(your certificate). Place mycert.crt in your
KEY_DIR directory.
9. The combined files of mycert.crt, mycert.key,
and ca.crt can now be used to secure one end of
an SSL/TLS connection.

SIGN A CERTIFICATE SIGNING REQUEST

1. ./sign-req mycert
2. mycert.crt will be built in your KEY_DIR
directory using mycert.csr and your root CA
file as input.

BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
script generates and signs a certificate in one step,
but it requires that the generated certificate and private
key files be copied to the destination host over a
secure channel.

1. ./build-key mycert (no password protection)
2. OR ./build-key-pass mycert (with password protection)
3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
4. OR ./build-key-server mycert (with nsCertType=server)
5. mycert.crt and mycert.key will be built in your
KEY_DIR directory, and mycert.crt will be signed
by your root CA. If ./build-key-pkcs12 was used a
mycert.p12 file will also be created including the
private key, certificate and the ca certificate.

IMPORTANT

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
script. This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:

ns-cert-type server

This will block clients from connecting to any
server which lacks the nsCertType=server designation
in its certificate, even if the certificate has been
signed by the CA which is cited in the OpenVPN configuration
file (--ca directive).

(2) Use the --tls-remote directive on the client to
accept/reject the server connection based on the common
name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
server connection based on a custom test of the server
certificate's embedded X509 subject details.
IMPORTANT

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
script. This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:

ns-cert-type server

This will block clients from connecting to any
server which lacks the nsCertType=server designation
in its certificate, even if the certificate has been
signed by the CA which is cited in the OpenVPN configuration
file (--ca directive).

(2) Use the --tls-remote directive on the client to
accept/reject the server connection based on the common
name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
server connection based on a custom test of the server
certificate's embedded X509 subject details.

(4) Sign server certificates with one CA and client certificates
with a different CA. The client config "ca" directive should
reference the server-signing CA while the server config "ca"
directive should reference the client-signing CA.

NOTES

Show certificate fields:
openssl x509 -in cert.crt -text
</pre>
<pre>
# cd easy-rsa
# vi vars
. vars
./clean-all

## BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
./build.ca

## BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
./build-inter inter

## BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection).
./build.dh

## BUILD A CERTIFICATE SIGNING REQUEST
## (If you want to sign your certificate with a root certificate controlled by another individual
## or organization, or residing on a different machine)

./build-req mycert
## SIGN A CERTIFICATE SIGNING REQUEST
./sign-req mycert

## BUILD AND SIGN A CERTIFICATE SIGNING REQUEST USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY
./build-key mycert (no password protection)
OR
./build-key-pass mycert (with password protection)
OR
./build-key-pkcs12 mycert (PKCS #12 format)
OR
./build-key-server mycert (with nsCertType=server)
</pre>

==Configuring the Server==

Edit the server.conf file: '''''vi /etc/openvpn/server.conf'''''
<pre>
## Mode Server
mode server

## Local Host Name/IP Server
;local 127.0.0.1

## Protocol
;proto tcp
proto udp

## Port
; port 1194

## Device Interface
;dev tap
dev tun

## TAP-Win32 adapter name
;dev-node MyTap

## SSL/TLS
## root certificate (ca)
## certificate (cert)
## private key (key)
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key

## Diffie hellman parameters
dh dh1024.pem

## VPN subnet
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

##ethernet bridging
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

## dhcpcaveats
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

;learn-address ./script

## dhcpcaveats
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

##
;client-to-client

## same "COMMON NAME" certificate/key
;duplicate-cn

## Status Connection
keepalive 10 120

## tls-auth key
;tls-auth ta.key 0

## Cryptographic cipher
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

## Link Compresion
comp-lzo

## Max Client Connections
;max-clients 100

## daemon privileges (non windows saja)
user nobody
group nobody

persist-key
persist-tun

## Openvpn Log
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log

## Output Log
status /var/log/openvpn/openvpn-status.log

## Log Verbosity
## 0 is silent, except for fatal errors
## 4 is reasonable for general usage
## 5 and 6 can help to debug connection problems
## 9 is extremely verbose
verb 3

## Repeating Messages
;mute 20

## Pid File
writepid /var/run/openvpn.pid
</pre>

'''Routing'''

<pre>
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
</pre>

'''Firewall'''
<pre>
iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
OR
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

## Tun Device
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

## Tap Device
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
</pre>

==Configuring the Client==

Edit the client.conf file: '''''vi /etc/openvpn/client.conf'''''
<pre>
## Config
client

## Device Interface
;dev tap
dev tun

## Tap adapter name (Win only)
;dev-node MyTap

## Conectivity
;proto tcp
proto udp

## Server [hostname/ip] [port]
remote my-server-1 1194
;remote my-server-2 1194

## load-balancing
;remote-random

## resolve host name OpenVPN server
resolv-retry infinite

# local port
nobind

## privileges (non windows saja)
user nobody
group nobody

## preserve
persist-key
persist-tun

## HTTP proxy
;http-proxy-retry
;http-proxy [proxy server] [proxy port]

## duplicate packet warnings
;mute-replay-warnings

## SSL/TLS parms
/etc/openvpn/certs/ca ca.crt
/etc/openvpn/certs/cert client.crt
/etc/openvpn/certs/key client.key

## nsCertType key
;ns-cert-type server

## tls-auth key
;tls-auth /etc/openvpn/certs/ta.key 1

## Cryptographic cipher
;cipher x

## Link compression
comp-lzo

## verbosity
## 0 is silent, except for fatal errors
## 4 is reasonable for general usage
## 5 and 6 can help to debug connection problems
## 9 is extremely verbose
verb 3

## repeating messages
;mute 20
</pre>
'''Routing'''
<pre>
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
</pre>

==Example==

'''Example 1:''' A simple tunnel without security 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
</pre>

On May:
ping 10.4.0.2

On Jun:
ping 10.4.0.1

'''Example 2:''' A tunnel with static-key security (i.e. using a pre-shared secret) 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \
--verb 5 --secret key
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \
--verb 5 --secret key
</pre>

On May:
ping 10.4.0.2

On Jun:
ping 10.4.0.1

'''Example 3:''' A tunnel with full TLS-based security 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \
--tls-client --ca tmp-ca.crt --cert client.crt --key client.key \
--reneg-sec 60 --verb 5
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \
--tls-server --ca tmp-ca.crt --cert server.crt --key server.key \
--reneg-sec 60 --verb 5 --dh dh1024.pem
</pre>

On May:

ping 10.4.0.2

On Jun:

ping 10.4.0.1

== External Links ==

* http://dmalloc.com/
* http://valgrind.org/
* http://www.oberhumer.com/opensource/lzo/
* http://openvpn.net/
* http://openvpn.net/howto.html
* http://openvpn.net/1xhowto.html (Old-v1.06)
* http://openvpn.net/man.html

Pptp

Arfon — Sat, 09 Jun 2012 19:00:22 GMT

Arfon: /* (Poptop) pptpd Server Setup */ iptables -f --> iptables -F

==(Poptop) pptpd Server Setup==

Here's what I did to get Poptop pptpd (1.3.4) running on my Slackware (13.37) box.

1) Install the official Slackware ppp package using pkgtool or slackpkg.

2) Install the ppptpd package from Slackbuilds.org using sbopkg.
***NOTE: The package name is NOT Poptop, it's pptpd***

3) Edit /etc/pptpd.conf

ADD:
localip 10.7.0.1
remoteip 10.7.0.2-50
CHANGE:
option /etc/ppp/options.pptpd -> option /etc/ppp/options

4) Edit /etc/ppp/options
HERE IS A GOTCHA- The official Slackware ppp package (at the time of this writing) contains an error in the options
file. The pppd binary was compiled to look for the new ms-dns parameter but the option file has the old dns-addr
parameter.

CHANGE:
# dns-addr 192.168.1.1 -> ms-dns 8.8.8.8 (or whatever your dns server is)

5) Edit the /etc/ppp/chap-secrets file.
For some reason, the default Slackware package has 4 example entries in it that are not commented (jacco,*,sam,*)
delete these. You don't want jacco or sam to have a free connection into your box...

ADD: one entry for each user you want to allow access.
Format is: CLIENT [tab] SERVER [tab] PASSWORD [tab] IP ADDRESS
Mine looks like this:

bob * "BobsPasswordIsStrong" *
sue * "FluffyBunnies92" *

6) Finally to start pptpd, normally you would just execute 'pptpd &' but being that I'm a good Slacker, I wrote an
rc.pptpd script.
Create /etc/rc.d/rc.pptpd
contents:
#!/bin/sh
#
# /etc/rc.d/rc.pptpd
#
# Start/stop/restart the pptpd server.
#
# To make PopTop start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.pptpd
#

pptpd_start() {
if [ -x /usr/sbin/pptpd ]; then
echo "Starting PopTop pptpd: /usr/sbin/pptpd server.conf"
/usr/sbin/pptpd &
fi
}

pptpd_stop() {
killall pptpd
}

pptpd_restart() {
pptpd_stop
sleep 2
pptpd_start
}

case "$1" in
'start')
pptpd_start
;;
'stop')
pptpd_stop
;;
'restart')
pptpd_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
pptpd_start
esac

7) Make it executable (and autobootable on start up)

chmod 755 /etc/rc.d/rc.pptpd

To start it manually- /etc/rc.d/rc.pptpd start

To be useful you next need to configure your firewall to forward and masquerade traffic from the vpn out to
the world...

8) Edit/create: /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o ppp+ -j MASQUERADE

9) Make it executable

chmod 755 /etc/rc.d/rc.firewall

10) Flush the old firewall rules (forgetting to do this caused me all sorts of grief (Thanks mancha))

iptables -F

11) Execute the new firewall rules

/etc/rc.d/rc.firewall

If you and I haven't made any mistakes, you should now have pptp (server) and router working on your box.

==pptp Client Setup==

Needs to be added.

Pptp

Arfon — Sat, 09 Jun 2012 18:16:31 GMT

Arfon: /* (Poptop) pptpd Server Setup */ typo fix

==(Poptop) pptpd Server Setup==

Here's what I did to get Poptop pptpd (1.3.4) running on my Slackware (13.37) box.

1) Install the official Slackware ppp package using pkgtool or slackpkg.

2) Install the ppptpd package from Slackbuilds.org using sbopkg.
***NOTE: The package name is NOT Poptop, it's pptpd***

3) Edit /etc/pptpd.conf

ADD:
localip 10.7.0.1
remoteip 10.7.0.2-50
CHANGE:
option /etc/ppp/options.pptpd -> option /etc/ppp/options

4) Edit /etc/ppp/options
HERE IS A GOTCHA- The official Slackware ppp package (at the time of this writing) contains an error in the options
file. The pppd binary was compiled to look for the new ms-dns parameter but the option file has the old dns-addr
parameter.

CHANGE:
# dns-addr 192.168.1.1 -> ms-dns 8.8.8.8 (or whatever your dns server is)

5) Edit the /etc/ppp/chap-secrets file.
For some reason, the default Slackware package has 4 example entries in it that are not commented (jacco,*,sam,*)
delete these. You don't want jacco or sam to have a free connection into your box...

ADD: one entry for each user you want to allow access.
Format is: CLIENT [tab] SERVER [tab] PASSWORD [tab] IP ADDRESS
Mine looks like this:

bob * "BobsPasswordIsStrong" *
sue * "FluffyBunnies92" *

6) Finally to start pptpd, normally you would just execute 'pptpd &' but being that I'm a good Slacker, I wrote an
rc.pptpd script.
Create /etc/rc.d/rc.pptpd
contents:
#!/bin/sh
#
# /etc/rc.d/rc.pptpd
#
# Start/stop/restart the pptpd server.
#
# To make PopTop start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.pptpd
#

pptpd_start() {
if [ -x /usr/sbin/pptpd ]; then
echo "Starting PopTop pptpd: /usr/sbin/pptpd server.conf"
/usr/sbin/pptpd &
fi
}

pptpd_stop() {
killall pptpd
}

pptpd_restart() {
pptpd_stop
sleep 2
pptpd_start
}

case "$1" in
'start')
pptpd_start
;;
'stop')
pptpd_stop
;;
'restart')
pptpd_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
pptpd_start
esac

7) Make it executable (and autobootable on start up)

chmod 755 /etc/rc.d/rc.pptpd

To start it manually- /etc/rc.d/rc.pptpd start

To be useful you next need to configure your firewall to forward and masquerade traffic from the vpn out to
the world...

8) Edit/create: /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o ppp+ -j MASQUERADE

9) Make it executable

chmod 755 /etc/rc.d/rc.firewall

10) Flush the old firewall rules (forgetting to do this caused me all sorts of grief (Thanks mancha))

iptables -f

11) Execute the new firewall rules

/etc/rc.d/rc.firewall

If you and I haven't made any mistakes, you should now have pptp (server) and router working on your box.

==pptp Client Setup==

Needs to be added.

Pptp

Arfon — Sat, 09 Jun 2012 18:13:06 GMT

Arfon: Created!

==(Poptop) pptpd Server Setup==

Here's what I did to get Poptop pptpd (1.3.4) running on my Slackware (13.37) box.

1) Install the official Slackware ppp package using pkgtool or slackpkg.

2) Install the ppptpd package from Slackbuilds.org using sbopkg.
***NOTE: The package name is NOT Poptop, it's pptpd***

3) Edit /etc/pptpd.conf

ADD:
localip 10.7.0.1
remoteip 10.7.0.2-50
CHANGE:
option /etc/ppp/options.pptpd -> option /etc/ppp/options

4) Edit /etc/ppp/options
HERE IS A GOTCHA- The official Slackware ppp package (at the time of this writing) contains an error in the options
file. The pppd binary was compiled to look for the new ms-dns parameter but the option file has the old dns-addr
parameter.

CHANGE:
# dns-addr 192.168.1.1 -> ms-dns 8.8.8.8 (or whatever your dns server is)

5) Edit the /etc/ppp/chap-secrets file.
For some reason, the default Slackware package has 4 example entries in it that are not commented (jacco,*,sam,*)
delete these. You don't want jacco or sam to have a free connection into your box...

ADD: one entry for each user you want to allow access.
Format is: CLIENT [tab] SERVER [tab] PASSWORD [tab] IP ADDRESS
Mine looks like this:

bob * "BobsPasswordIsStrong" *
sue * "FluffyBunnies92" *

6) Finally to start pptpd, n0rmally you would just execute 'pptpd &' but being that I'm a good Slacker, I wrote an
rc.pptpd script.
Create /etc/rc.d/rc.pptpd
contents:
#!/bin/sh
#
# /etc/rc.d/rc.pptpd
#
# Start/stop/restart the pptpd server.
#
# To make PopTop start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.pptpd
#

pptpd_start() {
if [ -x /usr/sbin/pptpd ]; then
echo "Starting PopTop pptpd: /usr/sbin/pptpd server.conf"
/usr/sbin/pptpd &
fi
}

pptpd_stop() {
killall pptpd
}

pptpd_restart() {
pptpd_stop
sleep 2
pptpd_start
}

case "$1" in
'start')
pptpd_start
;;
'stop')
pptpd_stop
;;
'restart')
pptpd_restart
;;
*)
# Default is "start", for backwards compatibility with previous
# Slackware versions. This may change to a 'usage' error someday.
pptpd_start
esac

7) Make it executable (and autobootable on start up)

chmod 755 /etc/rc.d/rc.pptpd

To start it manually- /etc/rc.d/rc.pptpd start

To be useful you next need to configure your firewall to forward and masquerade traffic from the vpn out to
the world...

8) Edit/create: /etc/rc.d/rc.firewall

ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o ppp+ -j MASQUERADE

9) Make it executable

chmod 755 /etc/rc.d/rc.firewall

10) Flush the old firewall rules (forgetting to do this caused me all sorts of grief (Thanks mancha))

iptables -f

11) Execute the new firewall rules

/etc/rc.d/rc.firewall

If you and I haven't made any mistakes, you should now have pptp (server) and router working on your box.

==pptp Client Setup==

Needs to be added.

OpenVPN

Arfon — Thu, 07 Jun 2012 00:05:04 GMT

Arfon: ADDED: Install from Slackbuilds.org

OpenVPN

Arfon — Wed, 06 Jun 2012 23:52:31 GMT

Arfon: Moved English page here, made a new page for Indonesian translation and added link

[[Category:Server]]
[[Category:Networking]]
[[Category:Tutorials]]
As a user-space VPN daemon, OpenVPN is compatible with with SSL/TLS, RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices.

OpenVPN is not compatible with IPSec, IKE, PPTP, or L2TP.

'''[[OpenVPN(ID)|OpenVPN Instructions - Bahasa Indonesia]]'''

__TOC__
== Installation ==

Download source from [http://openvpn.net openvpn.net]

Download verison 2.0

install Lzo
<pre>
tar zxvf lzo-1.08.tar.gz
cd lzo-1-08.tar.gz
./configure --prefix=/usr
make ; make install-strip
</pre>
install OpenVPN
<pre>
tar zxvf openvpn-2.0.tar.gz
cd openvpn-2.0
./configure --prefix=/usr \
--sysconfdir=/etc/openvpn \
--enable-pthread \
--enable-iproute2 \
--with-ssl \
--with-lzo-header=/usr/include \
--with-lzo-lib=/usr/lib \
--with-ifconfig \
--with-route \
--with-mem-check=dmalloc
make ; make install-strip
</pre>
== Configuration ==

==Configuring Certificates==

Save all certificates in '''''/etc/openvpn/certs'''''
<pre>
This is a small RSA key management package,
based on the openssl command line tool, that
can be found in the easy-rsa subdirectory
of the OpenVPN distribution.

These are reference notes. For step
by step instructions, see the HOWTO:

http://openvpn.net/howto.html

INSTALL

1. Edit vars.
2. Set KEY_CONFIG to point to the openssl.cnf file
included in this distribution.
3. Set KEY_DIR to point to a directory which will
contain all keys, certificates, etc. This
directory need not exist, and if it does,
it will be deleted with rm -rf, so BE
CAREFUL how you set KEY_DIR.
4. (Optional) Edit other fields in vars
per your site data. You may want to
increase KEY_SIZE to 2048 if you are
paranoid and don't mind slower key
processing, but certainly 1024 is
fine for testing purposes. KEY_SIZE
must be compatible across both peers
participating in a secure SSL/TLS
connection.
5 . vars
6. ./clean-all
7. As you create certificates, keys, and
certificate signing requests, understand that
only .key files should be kept confidential.
.crt and .csr files can be sent over insecure
channels such as plaintext email.
8. You should never need to copy a .key file
between computers. Normally each computer
will have its own certificate/key pair.

BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY

1. ./build-ca
2. ca.crt and ca.key will be built in your KEY_DIR
directory

BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)

1. ./build-inter inter
2. inter.crt and inter.key will be built in your KEY_DIR
directory and signed with your root certificate.

BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
the server end of a SSL/TLS connection).

1. ./build-dh

BUILD A CERTIFICATE SIGNING REQUEST (If
you want to sign your certificate with a root
certificate controlled by another individual
or organization, or residing on a different machine).

1. Get ca.crt (the root certificate) from your
certificate authority. Though this
transfer can be over an insecure channel, to prevent
man-in-the-middle attacks you must confirm that
ca.crt was not tampered with. Large CAs solve this
problem by hardwiring their root certificates into
popular web browsers. A simple way to verify a root
CA is to call the issuer on the telephone and confirm
that the md5sum or sha1sum signatures on the ca.crt
files match (such as with the command: "md5sum ca.crt").
2. Choose a name for your certificate such as your computer
name. In our example we will use "mycert".
3. ./build-req mycert
4. You can ignore most of the fields, but set
"Common Name" to something unique such as your
computer's host name. Leave all password
fields blank, unless you want your private key
to be protected by password. Using a password
is not required -- it will make your key more secure
but also more inconvenient to use, because you will
need to supply your password anytime the key is used.
NOTE: if you are using a password, use ./build-req-pass
instead of ./build-req
5. Your key will be written to $KEY_DIR/mycert.key
6. Your certificate signing request will be written to
to $KEY_DIR/mycert.csr
7. Email mycert.csr to the individual or organization
which controls the root certificate. This can be
done over an insecure channel.
8. After the .csr file is signed by the root certificate
authority, you will receive a file mycert.crt
(your certificate). Place mycert.crt in your
KEY_DIR directory.
9. The combined files of mycert.crt, mycert.key,
and ca.crt can now be used to secure one end of
an SSL/TLS connection.

SIGN A CERTIFICATE SIGNING REQUEST

1. ./sign-req mycert
2. mycert.crt will be built in your KEY_DIR
directory using mycert.csr and your root CA
file as input.

BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
script generates and signs a certificate in one step,
but it requires that the generated certificate and private
key files be copied to the destination host over a
secure channel.

1. ./build-key mycert (no password protection)
2. OR ./build-key-pass mycert (with password protection)
3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
4. OR ./build-key-server mycert (with nsCertType=server)
5. mycert.crt and mycert.key will be built in your
KEY_DIR directory, and mycert.crt will be signed
by your root CA. If ./build-key-pkcs12 was used a
mycert.p12 file will also be created including the
private key, certificate and the ca certificate.

IMPORTANT

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
script. This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:

ns-cert-type server

This will block clients from connecting to any
server which lacks the nsCertType=server designation
in its certificate, even if the certificate has been
signed by the CA which is cited in the OpenVPN configuration
file (--ca directive).

(2) Use the --tls-remote directive on the client to
accept/reject the server connection based on the common
name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
server connection based on a custom test of the server
certificate's embedded X509 subject details.
IMPORTANT

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
script. This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:

ns-cert-type server

This will block clients from connecting to any
server which lacks the nsCertType=server designation
in its certificate, even if the certificate has been
signed by the CA which is cited in the OpenVPN configuration
file (--ca directive).

(2) Use the --tls-remote directive on the client to
accept/reject the server connection based on the common
name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
server connection based on a custom test of the server
certificate's embedded X509 subject details.

(4) Sign server certificates with one CA and client certificates
with a different CA. The client config "ca" directive should
reference the server-signing CA while the server config "ca"
directive should reference the client-signing CA.

NOTES

Show certificate fields:
openssl x509 -in cert.crt -text
</pre>
<pre>
# cd easy-rsa
# vi vars
. vars
./clean-all

## BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
./build.ca

## BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
./build-inter inter

## BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection).
./build.dh

## BUILD A CERTIFICATE SIGNING REQUEST
## (If you want to sign your certificate with a root certificate controlled by another individual
## or organization, or residing on a different machine)

./build-req mycert
## SIGN A CERTIFICATE SIGNING REQUEST
./sign-req mycert

## BUILD AND SIGN A CERTIFICATE SIGNING REQUEST USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY
./build-key mycert (no password protection)
OR
./build-key-pass mycert (with password protection)
OR
./build-key-pkcs12 mycert (PKCS #12 format)
OR
./build-key-server mycert (with nsCertType=server)
</pre>

==Configuring the Server==

Edit the server.conf file: '''''vi /etc/openvpn/server.conf'''''
<pre>
## Mode Server
mode server

## Local Host Name/IP Server
;local 127.0.0.1

## Protocol
;proto tcp
proto udp

## Port
; port 1194

## Device Interface
;dev tap
dev tun

## TAP-Win32 adapter name
;dev-node MyTap

## SSL/TLS
## root certificate (ca)
## certificate (cert)
## private key (key)
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key

## Diffie hellman parameters
dh dh1024.pem

## VPN subnet
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

##ethernet bridging
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

## dhcpcaveats
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

;learn-address ./script

## dhcpcaveats
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

##
;client-to-client

## same "COMMON NAME" certificate/key
;duplicate-cn

## Status Connection
keepalive 10 120

## tls-auth key
;tls-auth ta.key 0

## Cryptographic cipher
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

## Link Compresion
comp-lzo

## Max Client Connections
;max-clients 100

## daemon privileges (non windows saja)
user nobody
group nobody

persist-key
persist-tun

## Openvpn Log
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log

## Output Log
status /var/log/openvpn/openvpn-status.log

## Log Verbosity
## 0 is silent, except for fatal errors
## 4 is reasonable for general usage
## 5 and 6 can help to debug connection problems
## 9 is extremely verbose
verb 3

## Repeating Messages
;mute 20

## Pid File
writepid /var/run/openvpn.pid
</pre>

'''Routing'''

<pre>
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
</pre>

'''Firewall'''
<pre>
iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
OR
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

## Tun Device
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

## Tap Device
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
</pre>

==Configuring the Client==

Edit the client.conf file: '''''vi /etc/openvpn/client.conf'''''
<pre>
## Config
client

## Device Interface
;dev tap
dev tun

## Tap adapter name (Win only)
;dev-node MyTap

## Conectivity
;proto tcp
proto udp

## Server [hostname/ip] [port]
remote my-server-1 1194
;remote my-server-2 1194

## load-balancing
;remote-random

## resolve host name OpenVPN server
resolv-retry infinite

# local port
nobind

## privileges (non windows saja)
user nobody
group nobody

## preserve
persist-key
persist-tun

## HTTP proxy
;http-proxy-retry
;http-proxy [proxy server] [proxy port]

## duplicate packet warnings
;mute-replay-warnings

## SSL/TLS parms
/etc/openvpn/certs/ca ca.crt
/etc/openvpn/certs/cert client.crt
/etc/openvpn/certs/key client.key

## nsCertType key
;ns-cert-type server

## tls-auth key
;tls-auth /etc/openvpn/certs/ta.key 1

## Cryptographic cipher
;cipher x

## Link compression
comp-lzo

## verbosity
## 0 is silent, except for fatal errors
## 4 is reasonable for general usage
## 5 and 6 can help to debug connection problems
## 9 is extremely verbose
verb 3

## repeating messages
;mute 20
</pre>
'''Routing'''
<pre>
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
</pre>

==Example==

'''Example 1:''' A simple tunnel without security 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
</pre>

On May:
ping 10.4.0.2

On Jun:
ping 10.4.0.1

'''Example 2:''' A tunnel with static-key security (i.e. using a pre-shared secret) 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \
--verb 5 --secret key
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \
--verb 5 --secret key
</pre>

On May:
ping 10.4.0.2

On Jun:
ping 10.4.0.1

'''Example 3:''' A tunnel with full TLS-based security 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \
--tls-client --ca tmp-ca.crt --cert client.crt --key client.key \
--reneg-sec 60 --verb 5
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \
--tls-server --ca tmp-ca.crt --cert server.crt --key server.key \
--reneg-sec 60 --verb 5 --dh dh1024.pem
</pre>

On May:

ping 10.4.0.2

On Jun:

ping 10.4.0.1

== External Links ==

* http://dmalloc.com/
* http://valgrind.org/
* http://www.oberhumer.com/opensource/lzo/
* http://openvpn.net/
* http://openvpn.net/howto.html
* http://openvpn.net/1xhowto.html (Old-v1.06)
* http://openvpn.net/man.html

OpenVPN(ID)

Arfon — Wed, 06 Jun 2012 23:43:07 GMT

Arfon: Moved from: http://www.slackwiki.com/OpenVPN

[[Category:Server]]
[[Category:Networking]]
[[Category:Tutorials]]
As a user-space VPN daemon, OpenVPN is compatible with with SSL/TLS, RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices.

OpenVPN is not compatible with IPSec, IKE, PPTP, or L2TP.

__TOC__
== Instalasi ==

Download source dari [http://openvpn.net openvpn.net]

download versi 2.0

instalasi Lzo
<pre>
tar zxvf lzo-1.08.tar.gz
cd lzo-1-08.tar.gz
./configure --prefix=/usr
make ; make install-strip
</pre>
insalasi OpenVPN
<pre>
tar zxvf openvpn-2.0.tar.gz
cd openvpn-2.0
./configure --prefix=/usr \
--sysconfdir=/etc/openvpn \
--enable-pthread \
--enable-iproute2 \
--with-ssl \
--with-lzo-header=/usr/include \
--with-lzo-lib=/usr/lib \
--with-ifconfig \
--with-route \
--with-mem-check=dmalloc
make ; make install-strip
</pre>
== Konfigurasi ==

==Konfigurasi Sertifikat==

Simpan seluruh sertifikat di '''''/etc/openvpn/certs'''''
<pre>
This is a small RSA key management package,
based on the openssl command line tool, that
can be found in the easy-rsa subdirectory
of the OpenVPN distribution.

These are reference notes. For step
by step instructions, see the HOWTO:

http://openvpn.net/howto.html

INSTALL

1. Edit vars.
2. Set KEY_CONFIG to point to the openssl.cnf file
included in this distribution.
3. Set KEY_DIR to point to a directory which will
contain all keys, certificates, etc. This
directory need not exist, and if it does,
it will be deleted with rm -rf, so BE
CAREFUL how you set KEY_DIR.
4. (Optional) Edit other fields in vars
per your site data. You may want to
increase KEY_SIZE to 2048 if you are
paranoid and don't mind slower key
processing, but certainly 1024 is
fine for testing purposes. KEY_SIZE
must be compatible across both peers
participating in a secure SSL/TLS
connection.
5 . vars
6. ./clean-all
7. As you create certificates, keys, and
certificate signing requests, understand that
only .key files should be kept confidential.
.crt and .csr files can be sent over insecure
channels such as plaintext email.
8. You should never need to copy a .key file
between computers. Normally each computer
will have its own certificate/key pair.

BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY

1. ./build-ca
2. ca.crt and ca.key will be built in your KEY_DIR
directory

BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)

1. ./build-inter inter
2. inter.crt and inter.key will be built in your KEY_DIR
directory and signed with your root certificate.

BUILD DIFFIE-HELLMAN PARAMETERS (necessary for
the server end of a SSL/TLS connection).

1. ./build-dh

BUILD A CERTIFICATE SIGNING REQUEST (If
you want to sign your certificate with a root
certificate controlled by another individual
or organization, or residing on a different machine).

1. Get ca.crt (the root certificate) from your
certificate authority. Though this
transfer can be over an insecure channel, to prevent
man-in-the-middle attacks you must confirm that
ca.crt was not tampered with. Large CAs solve this
problem by hardwiring their root certificates into
popular web browsers. A simple way to verify a root
CA is to call the issuer on the telephone and confirm
that the md5sum or sha1sum signatures on the ca.crt
files match (such as with the command: "md5sum ca.crt").
2. Choose a name for your certificate such as your computer
name. In our example we will use "mycert".
3. ./build-req mycert
4. You can ignore most of the fields, but set
"Common Name" to something unique such as your
computer's host name. Leave all password
fields blank, unless you want your private key
to be protected by password. Using a password
is not required -- it will make your key more secure
but also more inconvenient to use, because you will
need to supply your password anytime the key is used.
NOTE: if you are using a password, use ./build-req-pass
instead of ./build-req
5. Your key will be written to $KEY_DIR/mycert.key
6. Your certificate signing request will be written to
to $KEY_DIR/mycert.csr
7. Email mycert.csr to the individual or organization
which controls the root certificate. This can be
done over an insecure channel.
8. After the .csr file is signed by the root certificate
authority, you will receive a file mycert.crt
(your certificate). Place mycert.crt in your
KEY_DIR directory.
9. The combined files of mycert.crt, mycert.key,
and ca.crt can now be used to secure one end of
an SSL/TLS connection.

SIGN A CERTIFICATE SIGNING REQUEST

1. ./sign-req mycert
2. mycert.crt will be built in your KEY_DIR
directory using mycert.csr and your root CA
file as input.

BUILD AND SIGN A CERTIFICATE SIGNING REQUEST
USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this
script generates and signs a certificate in one step,
but it requires that the generated certificate and private
key files be copied to the destination host over a
secure channel.

1. ./build-key mycert (no password protection)
2. OR ./build-key-pass mycert (with password protection)
3. OR ./build-key-pkcs12 mycert (PKCS #12 format)
4. OR ./build-key-server mycert (with nsCertType=server)
5. mycert.crt and mycert.key will be built in your
KEY_DIR directory, and mycert.crt will be signed
by your root CA. If ./build-key-pkcs12 was used a
mycert.p12 file will also be created including the
private key, certificate and the ca certificate.

IMPORTANT

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
script. This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:

ns-cert-type server

This will block clients from connecting to any
server which lacks the nsCertType=server designation
in its certificate, even if the certificate has been
signed by the CA which is cited in the OpenVPN configuration
file (--ca directive).

(2) Use the --tls-remote directive on the client to
accept/reject the server connection based on the common
name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
server connection based on a custom test of the server
certificate's embedded X509 subject details.
IMPORTANT

To avoid a possible Man-in-the-Middle attack where an authorized
client tries to connect to another client by impersonating the
server, make sure to enforce some kind of server certificate
verification by clients. There are currently four different ways
of accomplishing this, listed in the order of preference:

(1) Build your server certificates with the build-key-server
script. This will designate the certificate as a
server-only certificate by setting nsCertType=server.
Now add the following line to your client configuration:

ns-cert-type server

This will block clients from connecting to any
server which lacks the nsCertType=server designation
in its certificate, even if the certificate has been
signed by the CA which is cited in the OpenVPN configuration
file (--ca directive).

(2) Use the --tls-remote directive on the client to
accept/reject the server connection based on the common
name of the server certificate.

(3) Use a --tls-verify script or plugin to accept/reject the
server connection based on a custom test of the server
certificate's embedded X509 subject details.

(4) Sign server certificates with one CA and client certificates
with a different CA. The client config "ca" directive should
reference the server-signing CA while the server config "ca"
directive should reference the client-signing CA.

NOTES

Show certificate fields:
openssl x509 -in cert.crt -text
</pre>
<pre>
# cd easy-rsa
# vi vars
. vars
./clean-all

## BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY
./build.ca

## BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional)
./build-inter inter

## BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection).
./build.dh

## BUILD A CERTIFICATE SIGNING REQUEST
## (If you want to sign your certificate with a root certificate controlled by another individual
## or organization, or residing on a different machine)

./build-req mycert
## SIGN A CERTIFICATE SIGNING REQUEST
./sign-req mycert

## BUILD AND SIGN A CERTIFICATE SIGNING REQUEST USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY
./build-key mycert (no password protection)
OR
./build-key-pass mycert (with password protection)
OR
./build-key-pkcs12 mycert (PKCS #12 format)
OR
./build-key-server mycert (with nsCertType=server)
</pre>

==Konfigurasi Server==

edit server.conf '''''vi /etc/openvpn/server.conf'''''
<pre>
## Mode Server
mode server

## Local Host Name/IP Server
;local 127.0.0.1

## Protocol
;proto tcp
proto udp

## Port
; port 1194

## Device Interface
;dev tap
dev tun

## TAP-Win32 adapter name
;dev-node MyTap

## SSL/TLS
## root certificate (ca)
## certificate (cert)
## private key (key)
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key

## Diffie hellman parameters
dh dh1024.pem

## VPN subnet
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

##ethernet bridging
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

## dhcpcaveats
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

;learn-address ./script

## dhcpcaveats
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

##
;client-to-client

## same "COMMON NAME" certificate/key
;duplicate-cn

## Status Connection
keepalive 10 120

## tls-auth key
;tls-auth ta.key 0

## Cryptographic cipher
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

## Link Compresion
comp-lzo

## Max Client Connections
;max-clients 100

## daemon privileges (non windows saja)
user nobody
group nobody

persist-key
persist-tun

## Openvpn Log
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log

## Output Log
status /var/log/openvpn/openvpn-status.log

## Log Verbosity
## 0 is silent, except for fatal errors
## 4 is reasonable for general usage
## 5 and 6 can help to debug connection problems
## 9 is extremely verbose
verb 3

## Repeating Messages
;mute 20

## Pid File
writepid /var/run/openvpn.pid
</pre>

'''Routing'''

<pre>
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
</pre>

'''Firewall'''
<pre>
iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
OR
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

## Tun Device
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

## Tap Device
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
</pre>

==Konfigurasi client==

edit file client.conf '''''vi /etc/openvpn/client.conf'''''
<pre>
## Config
client

## Device Interface
;dev tap
dev tun

## Tap adapter name (Win only)
;dev-node MyTap

## Conectivity
;proto tcp
proto udp

## Server [hostname/ip] [port]
remote my-server-1 1194
;remote my-server-2 1194

## load-balancing
;remote-random

## resolve host name OpenVPN server
resolv-retry infinite

# local port
nobind

## privileges (non windows saja)
user nobody
group nobody

## preserve
persist-key
persist-tun

## HTTP proxy
;http-proxy-retry
;http-proxy [proxy server] [proxy port]

## duplicate packet warnings
;mute-replay-warnings

## SSL/TLS parms
/etc/openvpn/certs/ca ca.crt
/etc/openvpn/certs/cert client.crt
/etc/openvpn/certs/key client.key

## nsCertType key
;ns-cert-type server

## tls-auth key
;tls-auth /etc/openvpn/certs/ta.key 1

## Cryptographic cipher
;cipher x

## Link compression
comp-lzo

## verbosity
## 0 is silent, except for fatal errors
## 4 is reasonable for general usage
## 5 and 6 can help to debug connection problems
## 9 is extremely verbose
verb 3

## repeating messages
;mute 20
</pre>
'''Routing'''
<pre>
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
</pre>

==Example==

'''Example 1:''' A simple tunnel without security 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
</pre>

On May:
ping 10.4.0.2

On Jun:
ping 10.4.0.1

'''Example 2:''' A tunnel with static-key security (i.e. using a pre-shared secret) 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \
--verb 5 --secret key
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \
--verb 5 --secret key
</pre>

On May:
ping 10.4.0.2

On Jun:
ping 10.4.0.1

'''Example 3:''' A tunnel with full TLS-based security 
'''On May: Server Side'''
<pre>
openvpn --remote jun.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 \
--tls-client --ca tmp-ca.crt --cert client.crt --key client.key \
--reneg-sec 60 --verb 5
</pre>

'''On Jun: Client Side'''
<pre>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 \
--tls-server --ca tmp-ca.crt --cert server.crt --key server.key \
--reneg-sec 60 --verb 5 --dh dh1024.pem
</pre>

On May:

ping 10.4.0.2

On Jun:

ping 10.4.0.1

== External Links ==

* http://dmalloc.com/
* http://valgrind.org/
* http://www.oberhumer.com/opensource/lzo/
* http://openvpn.net/
* http://openvpn.net/howto.html
* http://openvpn.net/1xhowto.html (Old-v1.06)
* http://openvpn.net/man.html

Routing Tricks

Arfon — Sat, 09 Jan 2010 01:34:53 GMT

Arfon: /* Weighted Routing */ FIXED the screwed up link. And added the category

==Weighted Routing==
(aka Load Balancing, Net Balancing)

'''What is Weighted Routing'''
Simply put, distributing network traffic over multiple paths based on load.

EXAMPLE 1: You have two DSL connections incoming and you distribute your connection traffic between them.

EXAMPLE 2: You have a 1.5Mbs DSL connection and a 3MBs cable connection, therefore you set up your routing to send 1/3 of the traffic out the DSL connection and 2/3 out the cable connection.

'''How do I do it?'''

Niels Horn has written a slick little script to do the weighted routing for you. He has given me permission to copy it here.

#!/bin/bash
#
# bal_local Load-balance internet connection over two local links
#
# Version: 1.0.0 - Fri, Sep 26, 2008
#
# Author: Niels Horn <niels.horn(at symbol)gmail.com>
#
#
# Set devices:
DEV1=${1-eth0} # default eth0
DEV2=${2-ppp0} # default ppp0
#
# Get IP addresses of our devices:
ip1=`ifconfig $DEV1 | grep inet | awk '{ print $2 }' | awk -F: '{ print $2 }'`
ip2=`ifconfig $DEV2 | grep inet | awk '{ print $2 }' | awk -F: '{ print $2 }'`
#
# Get default gateway for our devices:
gw1=`route -n | grep $DEV1 | grep '^0.0.0.0' | awk '{ print $2 }'`
gw2=`route -n | grep $DEV2 | grep '^0.0.0.0' | awk '{ print $2 }'`
#
echo "$DEV1: IP=$ip1 GW=$gw1"
echo "$DEV2: IP=$ip2 GW=$gw2"
#
### Definition of routes ###
#
# Check if tables exists, if not -> create them:
if [ -z "`cat /etc/iproute2/rt_tables | grep '^251'`" ] ; then
echo "251 rt_dev1" >> /etc/iproute2/rt_tables
fi
if [ -z "`cat /etc/iproute2/rt_tables | grep '^252'`" ] ; then
echo "252 rt_dev2" >> /etc/iproute2/rt_tables
fi
#
# Define routing tables:
ip route add default via $gw1 table rt_dev1
ip route add default via $gw2 table rt_dev2
#
# Create rules:
ip rule add from $ip1 table rt_dev1
ip rule add from $ip2 table rt_dev2
#
# If we already have a 'nexthop' route, delete it:
if [ ! -z "`ip route show table main | grep 'nexthop'`" ] ; then
ip route del default scope global
fi
#
# Balance links based on routes:
ip route add default scope global nexthop via $gw1 dev $DEV1 weight 1 nexthop via $gw2 dev $DEV2 weight 1
#
# Flush cache table:
ip route flush cache
#
# All done...

To use the script, copy it to /usr/local/bin, make it executable with 'chmod +x' and call it with:
Code:

bal_local <dev1> <dev2>

filling in <dev1> and <dev2> with your network-devices.
If you call the script without any parameters, it tries to balance eth0 and ppp0 (because this works in my case ).

[http://www.linuxquestions.org/questions/slackware-14/script-to-load-balance-two-isps-with-ip-route-and-ip-rules-672602/ HERE IS HIS ORIGINAL POSTING]

(ALSO, I copied a copy of his permission on my DISCUSSION page)

[[Category:Tips]]

Talk:Routing Tricks

Arfon — Sat, 09 Jan 2010 01:29:01 GMT

Arfon: Created page with 'Neils Horn's permission to repost his weighted routing info- Hi, I'm hopelessly without time these days (last days before going on vacation), so feel free to post it on slack...'

Neils Horn's permission to repost his weighted routing info-

Hi,
I'm hopelessly without time these days (last days before going on
vacation), so feel free to post it on slackwiki.org for me.
I would appreciate it if you could send me the link afterwards so that
I can take a look :)
Thanks,
Niels

-------------------------------------------------------------------------

Routing Tricks

Arfon — Sat, 09 Jan 2010 01:27:56 GMT

Arfon: CREATED THIS PAGE

==Weighted Routing==
(aka Load Balancing, Net Balancing)

'''What is Weighted Routing'''
Simply put, distributing network traffic over multiple paths based on load.

EXAMPLE 1: You have two DSL connections incoming and you distribute your connection traffic between them.

EXAMPLE 2: You have a 1.5Mbs DSL connection and a 3MBs cable connection, therefore you set up your routing to send 1/3 of the traffic out the DSL connection and 2/3 out the cable connection.

'''How do I do it?'''

Niels Horn has written a slick little script to do the weighted routing for you. He has given me permission to copy it here.

#!/bin/bash
#
# bal_local Load-balance internet connection over two local links
#
# Version: 1.0.0 - Fri, Sep 26, 2008
#
# Author: Niels Horn <niels.horn(at symbol)gmail.com>
#
#
# Set devices:
DEV1=${1-eth0} # default eth0
DEV2=${2-ppp0} # default ppp0
#
# Get IP addresses of our devices:
ip1=`ifconfig $DEV1 | grep inet | awk '{ print $2 }' | awk -F: '{ print $2 }'`
ip2=`ifconfig $DEV2 | grep inet | awk '{ print $2 }' | awk -F: '{ print $2 }'`
#
# Get default gateway for our devices:
gw1=`route -n | grep $DEV1 | grep '^0.0.0.0' | awk '{ print $2 }'`
gw2=`route -n | grep $DEV2 | grep '^0.0.0.0' | awk '{ print $2 }'`
#
echo "$DEV1: IP=$ip1 GW=$gw1"
echo "$DEV2: IP=$ip2 GW=$gw2"
#
### Definition of routes ###
#
# Check if tables exists, if not -> create them:
if [ -z "`cat /etc/iproute2/rt_tables | grep '^251'`" ] ; then
echo "251 rt_dev1" >> /etc/iproute2/rt_tables
fi
if [ -z "`cat /etc/iproute2/rt_tables | grep '^252'`" ] ; then
echo "252 rt_dev2" >> /etc/iproute2/rt_tables
fi
#
# Define routing tables:
ip route add default via $gw1 table rt_dev1
ip route add default via $gw2 table rt_dev2
#
# Create rules:
ip rule add from $ip1 table rt_dev1
ip rule add from $ip2 table rt_dev2
#
# If we already have a 'nexthop' route, delete it:
if [ ! -z "`ip route show table main | grep 'nexthop'`" ] ; then
ip route del default scope global
fi
#
# Balance links based on routes:
ip route add default scope global nexthop via $gw1 dev $DEV1 weight 1 nexthop via $gw2 dev $DEV2 weight 1
#
# Flush cache table:
ip route flush cache
#
# All done...

To use the script, copy it to /usr/local/bin, make it executable with 'chmod +x' and call it with:
Code:

bal_local <dev1> <dev2>

filling in <dev1> and <dev2> with your network-devices.
If you call the script without any parameters, it tries to balance eth0 and ppp0 (because this works in my case ).

[http://www.linuxquestions.org/questions/slackware-14/script-to-load-balance-two-isps-with-ip-route-and-ip-rules-672602 HERE IS HIS ORIGINAL POSTING]

(ALSO, I copied a copy of his permission on my DISCUSSION page)

RAID Array (Hardware)

Arfon — Sat, 09 Jan 2010 01:03:30 GMT

Arfon: /* My Card Is In, Now What? */ TYPO fix

[[Category:Tips]]
[[Category:Tutorials]]
[[Category:Hardware]]

==My Card Is In, Now What?==
-Written from a Slackware 10 perspective-

1) SET UP THE ARRAY- If you are using a hardware RAID card (like ones made by 3ware), on boot you must enter the card's BIOS and set up your array. This is done by hitting a hotkey (ALT-3 for 3ware cards). Read your card's instructions for details on how to configure your array.

2) BOOT WITH THE CORRECT KERNEL- After you have set up your array, boot the computer with the Slackware Install CD (CD1) like normal. At the <code>boot:</code> prompt, choose a RAID supporting image (e.g. <code>raid.s</code>). YOU CAN NOT USE THE DEFAULT KERNEL (bare.i) to boot into set-up, you have to use a boot kernel that supports RAID arrays.

:EXAMPLE: <code>boot: raid.s</code>

'''NOTE: I don't believe STEP 2 applies to newer versions of Slackware. (e.g Slack13)'''

3) PROCEED NORMALLY- Once you boot the RAID kernel, everything else proceeds normally except the hard-drive is (usually) <code>/dev/sda</code>. Go ahead set up your partitions (<code>fdisk /dev/sda</code>) and continue the normal Slackware install.

==FAQs==

Q: What device is my RAID array? 
A: You are most likely running RAID.S kernel so therefore it is probably <code>/dev/sda</code>

Q: It's not <code>/dev/sda</code> where is it really? 
A: I don't know. Reboot your machine and watch the messages scroll by. If you don't see the info, you don't have RAID support compiled into your kernel or as a module and you need to fix that.

Q: My system has a [[forced fsck]] and it starts but after awhile, it resets and re-boots. How do I fix this? 
A: Re-boot the system using a Slackware install CD (make sure you boot with a RAID kernel) then get to a command line prompt and manually run <code>fsck</code>.
: EXAMPLE: <code>fsck -p /dev/sda1</code>

Q: I'm trying to run <code>fsck</code> manually but I get an "<code>The superblock cannot be read...</code>" error. How do I fix this? 
A: MOST LIKELY, you're not running a RAID supporting kernel. Re-boot and choose a RAID kernel like <code>raid.s</code>.

Q: I'm running <code>fsck</code> manually and I am getting a "<code>error allocating inode bitmap (2)</code>". How do I fix this? 
A: No clue. I haven't been able to find out what that means. If you do, let us know please.

==Hardware RAID Specific Help==

[[3ware 3DM2]] - Help with 3ware's 3DM2 program.

==Hardware RAID Specific Help==

[[3ware 3ware 8006-2LP Installation]] -

Installed slackware 12.2 with the 3ware 8006-2LP card today. I chose this hardware due to the fanfare I found on the net. It is supported with RedHat and Suse (presumably because they have a preinstall driver installation dialog)

Installing with slack was not as easy as was hoped. Lilo choked twice, first by installing to the MBR which the 3ware bios simply didn't see, and second after installing to the root partition, lilo complained with error 99 which is apparently a BIOS disk address mismatch of some sort.

What worked was this:

1. Install the card, or receive the machine with the card already installed.

2. Double check that all your cable connections are tight. mine were loose when the chassis arrived from the vendor. I am sincerely glad I found this now rather than later.

3. Slackware 12.2 has the 3ware driver in it, so it should boot from CD and see the disk as:

/dev/sda

4. fdisk /dev/sda and create some partitions, mine are as follows:

/dev/sda1 50G (/ this is the root partition) set bootable
/dev/sda2 2G (for /boot)
/dev/sda3 2G ( for swap) toggle to type 82
/dev/sda4 (extended)
/dev/sda5 25G (for /var)
/dev/sda6 25G (for /home)
/dev/sda7 50G (for the webserver)
/dev/sda8 50G (for the database)
/dev/sda9 10G (for source code)

You will note seperate /boot and /home partitions. Configuring the disk this way adds some security, which we will discuss in a moment.

5. Run setup and select your packages.

6. Do the configuration dialog: Generally I believe all network enabled devices should be on UTC so I set both system and hardware clocks accordingly. ignore gpm, ignore fancy fonts, and number the network interface... Then make sure the network interface _isn't_ connected.

7. Let the lilo configurator screw up lilo by select "Guess my lilo config" or whatever.

8. exit setup, DO NOT REBOOT!

9. chroot /mnt

10. vi /etc/lilo and make it point at your root partition. My lilo.conf is as follows:

lba32 # any modern drive should be able to do this.
boot = /dev/sda1
append = " vt.default_utf8=0"
vga = normal
image = /boot/vmlinuz
root = /dev/sda1
Label = Linux
read-only # for fscking during bootup.

11. Note above that /dev/sda1 is the root partition, or "/" if you stick it somewhere else, change as appropriate.

12. obliterate the master boot record: (prevents lilo from getting confused for some reason):
lilo -z -M /dev/sda

13. run lilo and listen to it complain:
lilo

14. If you don't get any fatals errors (warnings are ok), remove the cd then:
exit
reboot

15. Do your little chair dance, and irritate your coworkers.

16. vi /etc/fstab and adjust the following partitions:

/dev/sda2 /boot ext2 defaults,ro 1 2
/dev/sda6 /home ext2 defaults,nosuid 1 2

Leave your partitions ext3 if they are configured that way, but note the addition of "ro" to /boot and "nosuid" to /home. This makes the kernel secure from modification until the next reboot, and prevents root privileged code from being executed from /home. Generally good and fairly unintrusive security policy.

Now proceed onward oh great progenitors of slack. Your next steps should probably be using "find" to locate and disable most of what has a suid bit set, and then installing and configuring tripwire or some equivilant, then making a brutal set of access controls with iptables, and _then_.... _maybe_ you can connect the box to a public network.

But don't take my word for it.

Good Luck!

RAID Array (Hardware)

Arfon — Sat, 09 Jan 2010 01:01:16 GMT

Arfon: /* My Card Is In, Now What? */ ADDED the fact that this was with Slackware 10

[[Category:Tips]]
[[Category:Tutorials]]
[[Category:Hardware]]

==My Card Is In, Now What?==
-Written from a Slackware 10 perspective-
1) SET UP THE ARRAY- If you are using a hardware RAID card (like ones made by 3ware), on boot you must enter the card's BIOS and set up your array. This is done by hitting a hotkey (ALT-3 for 3ware cards). Read your card's instructions for details on how to configure your array.

2) BOOT WITH THE CORRECT KERNEL- After you have set up your array, boot the computer with the Slackware Install CD (CD1) like normal. At the <code>boot:</code> prompt, choose a RAID supporting image (e.g. <code>raid.s</code>). YOU CAN NOT USE THE DEFAULT KERNEL (bare.i) to boot into set-up, you have to use a boot kernel that supports RAID arrays.

:EXAMPLE: <code>boot: raid.s</code>

3) PROCEED NORMALLY- Once you boot the RAID kernel, everything else proceeds normally except the hard-drive is (usually) <code>/dev/sda</code>. Go ahead set up your partitions (<code>fdisk /dev/sda</code>) and continue the normal Slackware install.

==FAQs==

Q: What device is my RAID array? 
A: You are most likely running RAID.S kernel so therefore it is probably <code>/dev/sda</code>

Q: It's not <code>/dev/sda</code> where is it really? 
A: I don't know. Reboot your machine and watch the messages scroll by. If you don't see the info, you don't have RAID support compiled into your kernel or as a module and you need to fix that.

Q: My system has a [[forced fsck]] and it starts but after awhile, it resets and re-boots. How do I fix this? 
A: Re-boot the system using a Slackware install CD (make sure you boot with a RAID kernel) then get to a command line prompt and manually run <code>fsck</code>.
: EXAMPLE: <code>fsck -p /dev/sda1</code>

Q: I'm trying to run <code>fsck</code> manually but I get an "<code>The superblock cannot be read...</code>" error. How do I fix this? 
A: MOST LIKELY, you're not running a RAID supporting kernel. Re-boot and choose a RAID kernel like <code>raid.s</code>.

Q: I'm running <code>fsck</code> manually and I am getting a "<code>error allocating inode bitmap (2)</code>". How do I fix this? 
A: No clue. I haven't been able to find out what that means. If you do, let us know please.

==Hardware RAID Specific Help==

[[3ware 3DM2]] - Help with 3ware's 3DM2 program.

==Hardware RAID Specific Help==

[[3ware 3ware 8006-2LP Installation]] -

Installed slackware 12.2 with the 3ware 8006-2LP card today. I chose this hardware due to the fanfare I found on the net. It is supported with RedHat and Suse (presumably because they have a preinstall driver installation dialog)

Installing with slack was not as easy as was hoped. Lilo choked twice, first by installing to the MBR which the 3ware bios simply didn't see, and second after installing to the root partition, lilo complained with error 99 which is apparently a BIOS disk address mismatch of some sort.

What worked was this:

1. Install the card, or receive the machine with the card already installed.

2. Double check that all your cable connections are tight. mine were loose when the chassis arrived from the vendor. I am sincerely glad I found this now rather than later.

3. Slackware 12.2 has the 3ware driver in it, so it should boot from CD and see the disk as:

/dev/sda

4. fdisk /dev/sda and create some partitions, mine are as follows:

/dev/sda1 50G (/ this is the root partition) set bootable
/dev/sda2 2G (for /boot)
/dev/sda3 2G ( for swap) toggle to type 82
/dev/sda4 (extended)
/dev/sda5 25G (for /var)
/dev/sda6 25G (for /home)
/dev/sda7 50G (for the webserver)
/dev/sda8 50G (for the database)
/dev/sda9 10G (for source code)

You will note seperate /boot and /home partitions. Configuring the disk this way adds some security, which we will discuss in a moment.

5. Run setup and select your packages.

6. Do the configuration dialog: Generally I believe all network enabled devices should be on UTC so I set both system and hardware clocks accordingly. ignore gpm, ignore fancy fonts, and number the network interface... Then make sure the network interface _isn't_ connected.

7. Let the lilo configurator screw up lilo by select "Guess my lilo config" or whatever.

8. exit setup, DO NOT REBOOT!

9. chroot /mnt

10. vi /etc/lilo and make it point at your root partition. My lilo.conf is as follows:

lba32 # any modern drive should be able to do this.
boot = /dev/sda1
append = " vt.default_utf8=0"
vga = normal
image = /boot/vmlinuz
root = /dev/sda1
Label = Linux
read-only # for fscking during bootup.

11. Note above that /dev/sda1 is the root partition, or "/" if you stick it somewhere else, change as appropriate.

12. obliterate the master boot record: (prevents lilo from getting confused for some reason):
lilo -z -M /dev/sda

13. run lilo and listen to it complain:
lilo

14. If you don't get any fatals errors (warnings are ok), remove the cd then:
exit
reboot

15. Do your little chair dance, and irritate your coworkers.

16. vi /etc/fstab and adjust the following partitions:

/dev/sda2 /boot ext2 defaults,ro 1 2
/dev/sda6 /home ext2 defaults,nosuid 1 2

Leave your partitions ext3 if they are configured that way, but note the addition of "ro" to /boot and "nosuid" to /home. This makes the kernel secure from modification until the next reboot, and prevents root privileged code from being executed from /home. Generally good and fairly unintrusive security policy.

Now proceed onward oh great progenitors of slack. Your next steps should probably be using "find" to locate and disable most of what has a suid bit set, and then installing and configuring tripwire or some equivilant, then making a brutal set of access controls with iptables, and _then_.... _maybe_ you can connect the box to a public network.

But don't take my word for it.

Good Luck!