Innehåll

1. Overview
2. What is a bridged VPN?
3. Setting up a Bridged VPN using OpenVPN
   1. Installing the Server
      1. Setting up the Bridge
      2. Generating Certificates
      3. Configuring the Server
   2. Getting Clients Connected
      1. Generating Client Certificate and Key
      2. Configuring the Client
   3. Firestarter configuration for OpenVPN
4. Other Resources

 

Overview

 

OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, reliable and secure. It belongs to the family of SSL/TLS VPN stacks (different from IPSec VPNs).

This page refers to the community version of the OpenVPN server. Setup examples are also provided on the OpenVPN community website. There is also a commercial Web GUI which might be easier to set up and maintain, especially for non-experts, and which allows clients to download VPN configurations themselves using the web browser.

What is a bridged VPN?

 

A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system. The VPN accomplishes this by using a combination of virtual devices — one called a “bridge” and the other called a “tap device”. A tap device acts as a virtual Ethernet adapter and the bridge device acts as a virtual hub. When you bridge a physical Ethernet device and a tap device, you are essentially creating a hub between the physical network and the remote clients. Therefore, all LAN services are visible to the remote clients.

Setting up a Bridged VPN using OpenVPN

 

Note that good networking knowledge and enough time is required to follow this manual setup guide. These instructions are for setting up a Bridged VPN on Ubuntu 8.04 using x509 certs and some general administration tasks.

Newer instructions are found at the Ubuntu 11.10 Server guide — OpenVPN.

This example installation was performed using Ubuntu Jeos 8.04 in a KVM virtual machine (but could just have easily been performed on a standalone Ubuntu Server). In my configuration eth0 is connected to the Internet and eth1 is connected to the LAN network that will be bridged. Comments in configuration files are preceeded by two pound signs (##).

Installing the Server

 

Install OpenVPN:

sudo apt-get install openvpn bridge-utils

 

Setting up the Bridge

• Edit /etc/network/interfaces

When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo eth0
iface lo inet loopback

# The primary network interface
## This device provides internet access.
iface eth0 inet static
  address 192.168.1.10
  netmask 255.255.255.0
  gateway 192.168.1.1

 

Edit this and add a bridge interface:

sudo nano /etc/network/interfaces

 

so that it look similar to:

## This is the network bridge declaration

## Start these interfaces on boot
auto lo br0

iface lo inet loopback

iface br0 inet static
  address 192.168.1.10
  netmask 255.255.255.0
  gateway 192.168.1.1
  bridge_ports eth0

iface eth0 inet manual
  up ip link set $IFACE up promisc on
  down ip link set $IFACE down promisc off

• If you are running Linux inside a virtual machine, you may want to add the following parameters to the bridge connection:

  bridge_fd 9      ## from the libvirt docs (forward delay time)
  bridge_hello 2   ## from the libvirt docs (hello time)
  bridge_maxage 12 ## from the libvirt docs (maximum message age)
  bridge_stp off   ## from the libvirt docs (spanning tree protocol)

• Restart networking:

sudo /etc/init.d/networking restart

 

The bridging declarations come from the libvirt documentation. (I really only understand the bridge_ports directive and the bridge_stp directive. Please add more instructions here.)

Generating Certificates

• Generate certificates for the server. In order to do this I will setup my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. Another alternative is using the graphical program tinyca to create your CA.

Step 1:

• Copy files to the /etc/openvpn/easy-rsa/ directory

  sudo mkdir /etc/openvpn/easy-rsa/
  sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

   

Step 2:

• Edit /etc/openvpn/easy-rsa/vars

  sudo vi /etc/openvpn/easy-rsa/vars

  Change these lines at the bottom so that they reflect your new CA.

  export KEY_COUNTRY="US"
  export KEY_PROVINCE="CA"
  export KEY_CITY="SanFrancisco"
  export KEY_ORG="Fort-Funston"
  export KEY_EMAIL="me@myhost.mydomain"

Step 3:

• Setup the CA and create the first server certificate

  cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
  sudo chown -R root:admin .  ## make this directory writable by the system administrators
  sudo chmod g+w . ## make this directory writable by the system administrators
  source ./vars ## execute your new vars file
  ./clean-all  ## Setup the easy-rsa directory (Deletes all keys)
  ./build-dh  ## takes a while consider backgrounding
  ./pkitool --initca ## creates ca cert and key
  ./pkitool --server server ## creates a server cert and key
  cd keys
  openvpn --genkey --secret ta.key  ## Build a TLS key
  sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

   

The Certificate Authority is now setup and the needed keys are in /etc/openvpn/

Configuring the Server

 

By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is creating a new file named server.conf in the /etc/openvpn/ directory.

First, we’re going to create a couple of new scripts to be used by the openvpn server.

sudo vi /etc/openvpn/up.sh

 

This script should contain the following

#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif $BR $DEV

 

Now, we’ll create a “down” script.

sudo vi /etc/openvpn/down.sh

 

It should contain the following.

#!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ip link set "$DEV" down

 

Now, make both scripts executable.

sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

 

And now on to configuring openvpn itself.

sudo vi /etc/openvpn/server.conf

 

mode server
tls-server

local <your ip address> ## ip/hostname of server
port 1194 ## default openvpn port
proto udp

#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"

persist-key
persist-tun

#certificates and encryption
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret

cipher BF-CBC        # Blowfish (default)
comp-lzo

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

 

The server initialization script will complain about WARN: could not open database for 4096 bits. Skippedand you can work around it by running this command:

touch /usr/share/openssl-blacklist/blacklist.RSA-4096

 

Don’t forget to either reboot or run the command below. This will restart openvpn and load the new config.

sudo /etc/init.d/openvpn restart

 

In case you run a firewall like ufw, please consider enabling ip forwarding, otherwise the clients will only be able to connect to the server, but not to other LAN servers.

Getting Clients Connected

 

This section concerns creating client certificate and key files and setting up a client configuration file. The files can then be used with OpenVPN on a client platform. The described configuration will work with OpenVPN installations of OpenVPN GUI for Windows and Tunnelblick for Mac OS X clients. For a detailed discussion of each, refer to their respective home pages. It should also be compatible with Linux OpenVPN clients.

Generating Client Certificate and Key

 

Generating certificates and keys for a client is very similar to the process used for generating server certificates. It is assumed that you have already set up the /etc/openvpn/easy-rsa/ directory and updated the /etc/openvpn/easy-rsa/vars file as described above. You should have already setup your Certificate Authority and created a server certificate and keys.

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars             ## execute the vars file
./pkitool client          ## create a cert and key named "client"

 

Configuring the Client

 

The client configuration has been adapted from the OpenVPN 2.0 sample configuration file. For Windows, the file should be named client.ovpn and for other operating systems, the file should be named client.conf. The file can be created using vi or other editor that can create plain text files.

The configuration file assumes that there is only one TUN/TAP device configured on the client.

### Client configuration file for OpenVPN

# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote your.server.example.com 1194

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3

 

Place the client.ovpn (or client.conf) configuration file along with the certificate and key files in the openvpn configuration directory on the client. With the above setup, the following files should be in the configuration directory.

client.ovpn
ca.crt
client.crt
client.key
ta.key

 

(For the OpenVPN GUI for Windows, the default location for the files is C:\Program Files\OpenVPN\config.)

(For Tunnelblick for Mac OS X, the default location for the files is ~username/Library/openvpn.

Firestarter configuration for OpenVPN

 

Firestarter requires some configuration on both client and server machines to allow services like SAMBA over a VPN tunnel. In addition the creation of rules within the GUI, it was also necessary to edit the /etc/firestarter/user-pre file. I used the instructions found here:

http://www.howtoadvice.com/FirestarterVPN/

Also, though the tutorial didn’t discuss it, I found it necessary to save the original user-pre file as a copy, then rename the original and rename the copy to user-pre due to permissions issues.

Other Resources

• Consult the official OpenVPN Howto.

• Consult this tutorial.

• Consult (K)Ubuntuguide — OpenVPN server installation

---

CategoryVPN CategoryVPN

OpenVPN (senast redigerad 2012-04-27 05:53:03 av beijersb)

http://linuxtv.org/wiki/index.php/How_to_Obtain,_Build_and_Install_V4L-DVB_Device_Drivers

In Ubuntu you need

sudo apt-get install libssl-dev libssl0.9.8

git clone git://linuxtv.org/media_build.git
cd media_build
./build
make
make install

To install TapeWare v7.0 Master and Server Enterprise (SP5C) you need to install xterm

sudo apt-get install xterm

sudo apt-get install ncurses-term

start xming server on Windows

start sudo xterm

start the install of TapeWare

 

SUN DLT7000 drive in TapeWare
in file twtapdev.ini add “SUN     DLT7000=DLT 7000″ in my case there was 5 spaces.
restartservice:
sudo ./twunxsvc -x
sudo ./twunxsvc -s

 

diff --recursive --brief /tmp/dir1 /tmp/dir2 |grep Only

These steps assume that the domain will remain on the same server.

Addon domain turned into a separate cPanel

1. Download the content of your addon domain to your local PC.
2. Backup any associated database(s).
3. Go into the original cPanel and remove the addon domain from under the Addon Domains icon. (You do not need to delete the original content or original databases.)
4. Create a New Account inside your WHM. Fill out the form, using the old addon domain name as the Domain. Click the Create button.
5. Once the new cPanel is ready, upload the content of your old addon domain to this new cPanel, in the public_html folder. (When using FTP to upload, connect to the cPanel’s IP address and login with the new cPanel’s username and password.)
6. Login to the new cPanel and restore the database backup(s).
7. Reconfigure any database connections. (The database name and username have likely changed.)

Your site will only be down as long as it takes to complete these steps. No need to change your name servers.

This code is not written by me!


/**
* xml2array() will convert the given XML text to an array in the XML structure.
* Link: http://www.bin-co.com/php/scripts/xml2array/
* Arguments : $contents - The XML text
* $get_attributes - 1 or 0. If this is 1 the function will get the attributes as well as the tag values - this results in a different array structure in the return value.
* $priority - Can be 'tag' or 'attribute'. This will change the way the resulting array sturcture. For 'tag', the tags are given more importance.
* Return: The parsed XML in an array form. Use print_r() to see the resulting array structure.
* Examples: $array = xml2array(file_get_contents('feed.xml'));
* $array = xml2array(file_get_contents('feed.xml', 1, 'attribute'));
*/
function xml2array($contents, $get_attributes=1, $priority = 'tag') {
if(!$contents) return array();

if(!function_exists(‘xml_parser_create’)) {
//print “‘xml_parser_create()’ function not found!”;
return array();
}

//Get the XML parser of PHP – PHP must have this module for the parser to work
$parser = xml_parser_create(”);
xml_parser_set_option($parser, XML_OPTION_TARGET_ENCODING, “UTF-8″); # http://minutillo.com/steve/weblog/2004/6/17/php-xml-and-character-encodings-a-tale-of-sadness-rage-and-data-loss
xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
xml_parser_set_option($parser, XML_OPTION_SKIP_WHITE, 1);
xml_parse_into_struct($parser, trim($contents), $xml_values);
xml_parser_free($parser);

if(!$xml_values) return;//Hmm…

//Initializations
$xml_array = array();
$parents = array();
$opened_tags = array();
$arr = array();

$current = &$xml_array; //Refference

//Go through the tags.
$repeated_tag_index = array();//Multiple tags with same name will be turned into an array
foreach($xml_values as $data) {
unset($attributes,$value);//Remove existing values, or there will be trouble

//This command will extract these variables into the foreach scope
// tag(string), type(string), level(int), attributes(array).
extract($data);//We could use the array by itself, but this cooler.

$result = array();
$attributes_data = array();

if(isset($value)) {
if($priority == ‘tag’) $result = $value;
else $result['value'] = $value; //Put the value in a assoc array if we are in the ‘Attribute’ mode
}

//Set the attributes too.
if(isset($attributes) and $get_attributes) {
foreach($attributes as $attr => $val) {
if($priority == ‘tag’) $attributes_data[$attr] = $val;
else $result['attr'][$attr] = $val; //Set all the attributes in a array called ‘attr’
}
}

//See tag status and do the needed.
if($type == “open”) {//The starting of the tag ”
$parent[$level-1] = &$current;
if(!is_array($current) or (!in_array($tag, array_keys($current)))) { //Insert New tag
$current[$tag] = $result;
if($attributes_data) $current[$tag. '_attr'] = $attributes_data;
$repeated_tag_index[$tag.'_'.$level] = 1;

$current = &$current[$tag];

} else { //There was another element with the same tag name

if(isset($current[$tag][0])) {//If there is a 0th element it is already an array
$current[$tag][$repeated_tag_index[$tag.'_'.$level]] = $result;
$repeated_tag_index[$tag.'_'.$level]++;
} else {//This section will make the value an array if multiple tags with the same name appear together
$current[$tag] = array($current[$tag],$result);//This will combine the existing item and the new item together to make an array
$repeated_tag_index[$tag.'_'.$level] = 2;

if(isset($current[$tag.'_attr'])) { //The attribute of the last(0th) tag must be moved as well
$current[$tag]['0_attr'] = $current[$tag.'_attr'];
unset($current[$tag.'_attr']);
}

}
$last_item_index = $repeated_tag_index[$tag.'_'.$level]-1;
$current = &$current[$tag][$last_item_index];
}

} elseif($type == “complete”) { //Tags that ends in 1 line ”
//See if the key is already taken.
if(!isset($current[$tag])) { //New Key
$current[$tag] = $result;
$repeated_tag_index[$tag.'_'.$level] = 1;
if($priority == ‘tag’ and $attributes_data) $current[$tag. '_attr'] = $attributes_data;

} else { //If taken, put all things inside a list(array)
if(isset($current[$tag][0]) and is_array($current[$tag])) {//If it is already an array…

// …push the new element into that array.
$current[$tag][$repeated_tag_index[$tag.'_'.$level]] = $result;

if($priority == ‘tag’ and $get_attributes and $attributes_data) {
$current[$tag][$repeated_tag_index[$tag.'_'.$level] . ‘_attr’] = $attributes_data;
}
$repeated_tag_index[$tag.'_'.$level]++;

} else { //If it is not an array…
$current[$tag] = array($current[$tag],$result); //…Make it an array using using the existing value and the new value
$repeated_tag_index[$tag.'_'.$level] = 1;
if($priority == ‘tag’ and $get_attributes) {
if(isset($current[$tag.'_attr'])) { //The attribute of the last(0th) tag must be moved as well

$current[$tag]['0_attr'] = $current[$tag.'_attr'];
unset($current[$tag.'_attr']);
}

if($attributes_data) {
$current[$tag][$repeated_tag_index[$tag.'_'.$level] . ‘_attr’] = $attributes_data;
}
}
$repeated_tag_index[$tag.'_'.$level]++; //0 and 1 index is already taken
}
}

} elseif($type == ‘close’) { //End of tag ”
$current = &$parent[$level-1];
}
}

return($xml_array);
}

After upgrade of MythBuntu the system do not open port 6543. After running:

sudo dpkg-reconfigure mythtv-common
sudo dpkg-reconfigure mythtv-database

the port is open and MythBuntu are working!

You can use this to find a string in a file and remove the file.
find . | xargs grep -l youemail@email.com | awk '{print "rm "$1}' > doit.sh
Look in file doit.sh for errors.
Execute the file:
bash doit.sh