ArchWiki - User contributions [en] (Atom feed for user Abdulmueid; MediaWiki 1.41.0; fetched 2024-03-28T16:07:58Z)
https://wiki.archlinux.org/index.php?title=Arch_Linux_on_a_VPS&diff=151189
Arch Linux on a VPS, 2011-08-10T12:33:58Z<p>Abdulmueid: </p>
<hr />
<div>{{Stub}}<br />
<br />
==VPS (Virtual Private Server) service providers that deliver Arch==<br />
===FanaticalVPS===<br />
URL: http://fanaticalvps.com/ [http://fanaticalvps.com/]<br />
<br />
Currently Using Release: 2010.05 x86_64 and i686<br />
<br />
===GigaTux===<br />
URL: http://www.gigatux.com/virtual.php [http://www.gigatux.com/virtual.php]<br />
<br />
Currently Using Release: 2010.05 x86_64<br />
<br />
===HazeNET.co.uk===<br />
URL: http://hazenet.co.uk/vps.html [http://hazenet.co.uk/vps.html]<br />
<br />
Currently Using Release: 2010.05 x86_64<br />
<br />
===Linode.com===<br />
URL: http://www.linode.com [http://www.linode.com]<br />
<br />
Currently Using Release: 2010.05<br />
<br />
===OpenVz.ca===<br />
URL: http://openvz.ca/ [http://openvz.ca/]<br />
<br />
Currently Using Release: 2010.05 x86_64 and i686<br />
Hosted in Canada.<br />
<br />
===RamHost.us===<br />
URL: http://www.ramhost.us [http://www.ramhost.us]<br />
<br />
Currently Using Release: 2009.10.31<br />
<br />
===SliceHost.com===<br />
URL: http://www.slicehost.com [http://www.slicehost.com]<br />
<br />
Currently Using Release: 2009.02 & 2010.05<br />
<br />
===ThrustVPS.com===<br />
URL: http://www.thrustvps.com [http://www.thrustvps.com]<br />
<br />
Currently Using Release: 2010.05 x86_64<br />
<br />
===XenVZ===<br />
URL: http://www.xenvz.co.uk/ [http://www.xenvz.co.uk/]<br />
<br />
===Clodo.ru===<br />
URL: http://www.clodo.ru/ [http://www.clodo.ru]<br />
<br />
===eNetSouth===<br />
URL: http://www.enetsouth.com/ [http://www.enetsouth.com]<br />
<br />
Currently Using Release: 2010.05 x86_64 and i686</div>
https://wiki.archlinux.org/index.php?title=OpenVPN&diff=151187
OpenVPN, 2011-08-10T12:25:34Z<p>Abdulmueid: </p>
<hr />
<div>[[Category: Networking (English)]]<br />
[[Category:VPN (English)]]<br />
<br />
This article describes a basic installation and configuration of OpenVPN. For more detailed information, please use the official OpenVPN [http://openvpn.net/index.php/open-source/documentation/howto.html HOWTO] and [http://openvpn.net/index.php/open-source/documentation/manuals.html Manual].<br />
==Install==<br />
Install openvpn:<br />
pacman -S openvpn<br />
You may also install the [http://aur.archlinux.org/packages.php?ID=30584 LDAP authentication module] from the AUR.<br />
<br />
<br />
==Prepare OpenSSL data==<br />
Create the certificates and keys. First copy /usr/share/openvpn/easy-rsa to /etc/openvpn/easy-rsa and cd into it. Edit the file "vars" with the information you want, then source it (note the leading single dot):<br />
. ./vars<br />
Clean up any previous keys:<br />
./clean-all<br />
<br />
Generate the certificates. build-ca creates the "certificate authority" key that the key-signing machine needs and the ca.crt certificate that both server and clients need. build-key-server (followed by your server name) creates the certificate and private key for the server. build-dh creates the Diffie-Hellman .pem file that the server needs. Do not enter a challenge password or company name when you set these up.<br />
./build-ca<br />
./build-key-server <server-name><br />
./build-dh<br />
<br />
build-key (followed by a common client name) creates the certificate for a client. You can build as many as you need for different clients.<br />
./build-key client1<br />
All certificates are stored in /etc/openvpn/easy-rsa/keys. If you mess up, you can start over with ./clean-all.<br />
<br />
Copy ca.crt, client1.crt and client1.key to client1 (and likewise for every other client) over a secure connection.<br />
<br />
==Setting up the Server==<br />
Create a configuration file at /etc/openvpn/openvpn.conf with one of the following contents.<br />
===Using PAM and passwords to authenticate===<br />
<pre><br />
port 1194<br />
proto udp<br />
dev tap<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh1024.pem<br />
server 192.168.56.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
;learn-address ./script<br />
client-to-client<br />
;duplicate-cn<br />
keepalive 10 120<br />
;tls-auth ta.key 0<br />
comp-lzo<br />
;max-clients 100<br />
;user nobody<br />
;group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
verb 3<br />
client-cert-not-required<br />
username-as-common-name<br />
plugin /usr/lib/openvpn/openvpn-auth-pam.so login<br />
</pre><br />
<br />
===Using certs to authenticate===<br />
<pre><br />
port 1194<br />
proto tcp<br />
dev tun<br />
<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt<br />
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key<br />
dh /etc/openvpn/easy-rsa/keys/dh1024.pem<br />
<br />
server 10.8.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
verb 3<br />
<br />
log-append /var/log/openvpn<br />
status /tmp/vpn.status 10<br />
</pre><br />
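Added example (not from the wiki page, written for this article): a small shell linter for the hardening differences between the two server configurations above. It flags an active client-cert-not-required, a missing or commented-out tls-auth, user or group, and the dh1024.pem parameter file; the function names are my own and it takes the configuration as a file path.<br />

```shell
#!/bin/sh
# Added example (not part of the wiki page): check an openvpn.conf for the
# hardening points that distinguish the two server configurations above.
# Prints one finding per line; the return value is the number of findings.

# active_directive CONF NAME -> success if NAME appears as an uncommented
# directive (lines starting with ';' or '#' are comments in openvpn.conf)
active_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

lint_openvpn_conf() {
    conf=$1; n=0
    # Without a client certificate the VPN is only as strong as the PAM
    # password check behind it.
    if active_directive "$conf" client-cert-not-required; then
        echo "client-cert-not-required: clients need no certificate to connect"
        n=$((n + 1))
    fi
    # tls-auth adds an HMAC to the control channel so unsigned packets are
    # dropped before a TLS handshake is even attempted.
    if ! active_directive "$conf" tls-auth; then
        echo "tls-auth missing: control channel is not HMAC-protected"
        n=$((n + 1))
    fi
    # Dropping root after startup limits what a compromised daemon can do.
    for d in user group; do
        if ! active_directive "$conf" "$d"; then
            echo "$d missing: daemon keeps root privileges after startup"
            n=$((n + 1))
        fi
    done
    # dh1024.pem is what build-dh produced by default; 1024-bit DH is weak.
    if grep -Eq '^[[:space:]]*dh[[:space:]].*dh1024\.pem' "$conf"; then
        echo "dh1024.pem: 1024-bit Diffie-Hellman parameters, use 2048 bits or more"
        n=$((n + 1))
    fi
    return $n
}

# Stand-alone use: sh lint.sh /etc/openvpn/openvpn.conf
if [ $# -gt 0 ]; then lint_openvpn_conf "$1"; fi
```

Run against the PAM configuration above it reports five findings, against the certificate configuration two (no tls-auth, dh1024.pem).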
<br />
===Routing traffic through the server===<br />
<br />
Append the following to your server's openvpn.conf configuration file:<br />
<pre><br />
push "dhcp-option DNS 192.168.1.1"<br />
push "redirect-gateway def1"<br />
</pre><br />
Change "192.168.1.1" to the IP address of your external DNS server.<br />
<br />
Enable IP forwarding and add an iptables NAT rule:<br />
<pre><br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
</pre><br />
<br />
If running Arch Linux in an OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/], use SNAT on venet0 instead:<br />
<pre><br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to <venet0 IP address><br />
</pre><br />
<br />
If all is well, make the changes permanent: edit /etc/conf.d/iptables and set IPTABLES_FORWARD=1, then save the current rules:<br />
<br />
<pre><br />
/etc/rc.d/iptables save<br />
</pre><br />
<br />
==Setting up the Client==<br />
===Password authentication===<br />
<pre><br />
client<br />
dev tap<br />
proto udp<br />
remote <address> 1194<br />
resolv-retry infinite<br />
nobind<br />
persist-tun<br />
comp-lzo<br />
verb 3<br />
auth-user-pass passwd<br />
ca ca.crt<br />
</pre><br />
<br />
The passwd file (referenced by auth-user-pass) must contain exactly two lines:<br />
* first line: the username<br />
* second line: the password<br />
<br />
<br />
===Certs authentication===<br />
<pre><br />
client<br />
remote <MYSERVER> 1194<br />
dev tun<br />
proto tcp<br />
resolv-retry infinite<br />
nobind<br />
persist-key<br />
persist-tun<br />
verb 2<br />
ca ca.crt<br />
cert client1.crt<br />
key client1.key<br />
comp-lzo<br />
</pre><br />
Copy these three files from the server to the client machine:<br />
* ca.crt<br />
* client1.crt<br />
* client1.key<br />
<br />
Load the tun/tap kernel module (as root):<br />
<pre><br />
# modprobe tun<br />
</pre><br />
<br />
To have the '''tun''' module loaded automatically at boot time, add it to the MODULES array in /etc/rc.conf.<br />
<br />
===DNS===<br />
The DNS servers used by the system are defined in '''/etc/resolv.conf'''. Traditionally, this file is the responsibility of whichever program connects the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN needs to modify this file if you want to resolve names on the remote side. To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each other's toes. Before continuing, test openresolv by restarting your network connection and checking that resolv.conf states it was generated by "resolvconf" and that DNS resolution still works as before. You should not need to configure openresolv; it should be detected and used automatically by your network system.<br />
<br />
Next, save the following script at '''/usr/share/openvpn/update-resolv-conf''':<br />
<pre><br />
#!/bin/bash<br />
#<br />
# Parses DHCP options from openvpn to update resolv.conf<br />
# To use set as 'up' and 'down' script in your openvpn *.conf:<br />
# up /usr/share/openvpn/update-resolv-conf<br />
# down /usr/share/openvpn/update-resolv-conf<br />
#<br />
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk><br />
# and Chris Hanson<br />
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.<br />
#<br />
# 05/2006 chlauber@bnc.ch<br />
#<br />
# Example envs set from openvpn:<br />
# foreign_option_1='dhcp-option DNS 193.43.27.132'<br />
# foreign_option_2='dhcp-option DNS 193.43.27.133'<br />
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'<br />
<br />
# Do nothing if openresolv is not installed<br />
[ -x /usr/sbin/resolvconf ] || exit 0<br />
<br />
case $script_type in<br />
<br />
up)<br />
    # Collect the pushed DNS servers and search domain<br />
    for optionname in ${!foreign_option_*} ; do<br />
        option="${!optionname}"<br />
        echo "$option"<br />
        part1=$(echo "$option" | cut -d " " -f 1)<br />
        if [ "$part1" = "dhcp-option" ] ; then<br />
            part2=$(echo "$option" | cut -d " " -f 2)<br />
            part3=$(echo "$option" | cut -d " " -f 3)<br />
            if [ "$part2" = "DNS" ] ; then<br />
                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"<br />
            fi<br />
            if [ "$part2" = "DOMAIN" ] ; then<br />
                IF_DNS_SEARCH="$part3"<br />
            fi<br />
        fi<br />
    done<br />
    # Build the resolv.conf fragment and hand it to resolvconf<br />
    R=""<br />
    if [ "$IF_DNS_SEARCH" ] ; then<br />
        R="${R}search $IF_DNS_SEARCH<br />
"<br />
    fi<br />
    for NS in $IF_DNS_NAMESERVERS ; do<br />
        R="${R}nameserver $NS<br />
"<br />
    done<br />
    echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"<br />
    ;;<br />
down)<br />
    /usr/sbin/resolvconf -d "${dev}.inet"<br />
    ;;<br />
esac<br />
</pre><br />
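As an added example (not the wiki's script, written for this article), a stricter variant of the foreign_option_* parsing above: because script-security 2 lets whatever the server pushes reach this hook, each DNS value is checked to be an IPv4 address and each DOMAIN a plain hostname before a resolv.conf line is emitted. The function names are my own and it prints the fragment instead of calling resolvconf.<br />

```shell
#!/bin/sh
# Added example (not part of the wiki page): a stricter version of the
# foreign_option_* parsing done by update-resolv-conf. OpenVPN exports
# every pushed option as foreign_option_1, foreign_option_2, ... and,
# with script-security 2, hands them to the up/down hook; values that
# are not a plain IPv4 address or a plain domain name are skipped
# instead of being written into resolv.conf.
set -f   # no pathname expansion when splitting option values into words

# is_ipv4 A.B.C.D -> success only for four decimal octets in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# is_domain NAME -> success for letters, digits, dots and hyphens only
is_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_resolv_fragment: walk foreign_option_1.. and print the resolv.conf
# lines ("search ...", then one "nameserver ..." per server); rejected
# values are reported on stderr. The eval only builds a variable *name*
# from the loop counter; the option value itself is never re-parsed.
build_resolv_fragment() {
    i=1; search=''; servers=''
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        set -- $opt    # expected shape: dhcp-option KEY VALUE
        if [ $# -eq 3 ] && [ "$1" = dhcp-option ]; then
            case "$2" in
                DNS)    if is_ipv4 "$3"; then servers="$servers $3"
                        else echo "ignoring bad DNS value '$3'" >&2; fi ;;
                DOMAIN) if is_domain "$3"; then search="${search:+$search }$3"
                        else echo "ignoring bad DOMAIN value '$3'" >&2; fi ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$search" ] && printf 'search %s\n' "$search"
    for ns in $servers; do printf 'nameserver %s\n' "$ns"; done
}
```

In the hook, the `echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"` step would become `build_resolv_fragment | /usr/sbin/resolvconf -a "${dev}.inet"`.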
<br />
Next, add the following lines to your OpenVPN client configuration file:<br />
<pre><br />
script-security 2<br />
up /usr/share/openvpn/update-resolv-conf<br />
down /usr/share/openvpn/update-resolv-conf<br />
</pre><br />
<br />
Now, when you launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and that it returns to normal when you close the connection.<br />
<br />
==Connecting to the Server==<br />
You need to start the service on the server:<br />
<pre><br />
/etc/rc.d/openvpn start<br />
</pre><br />
You can add openvpn to the DAEMONS array in /etc/rc.conf to make it permanent.<br />
<br />
On the client, create a folder in your home directory that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', connect to the server with the following command:<br />
<pre><br />
cd ~/.openvpn && sudo openvpn vpn1.conf<br />
</pre></div>