Archive for March, 2010

Picture of Darkbliss/Snakeroot

"Darkbliss/Snakeroot"

This is a picture of myself, Snakeroot/Darkbliss :)

Set up Linux as an OpenVPN server

I recently added an OpenVPN server to my network. I have a few computers, all running static IPs, and I need to share resources between them securely, so I set up a bridged OpenVPN. This is how to do it:

Open a bash shell and type:

sudo apt-get install openvpn bridge-utils

Once everything has finished downloading and installing, type:

sudo gedit /etc/network/interfaces

Make the following changes to the interfaces file (the address moves from eth0 to the bridge br0; eth0 itself carries no IP and is only enslaved to the bridge):

## This is the network bridge declaration

## Start these interfaces on boot
auto lo br0

iface lo inet loopback

iface br0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Then restart networking with the following command:

sudo /etc/init.d/networking restart

Next we have to create some folders to help generate the certificates:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Then we have to edit the vars file:

sudo gedit /etc/openvpn/easy-rsa/vars

Change the following lines at the bottom of the file to the details you want:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Then set up the CA and create the first server certificate:

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## give the admin group ownership of the directory
sudo chmod g+w . ## and make it group-writable, so the remaining steps do not need sudo
source ./vars ## load the variables you just edited into this shell
./clean-all ## set up the keys directory (deletes all existing keys)
./build-dh ## generate the Diffie-Hellman parameters; takes a while, consider backgrounding
./pkitool --initca ## create the CA certificate and key
./pkitool --server server ## create a server certificate and key named "server"
cd keys
openvpn --genkey --secret ta.key ## generate the tls-auth (HMAC) key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../ ## copy what the server needs into /etc/openvpn/ (dh1024.pem is named after KEY_SIZE in vars)

The Certificate Authority is now set up and the needed keys are in /etc/openvpn/.

Now we need to configure the server:

sudo gedit /etc/openvpn/up.sh

Add the following to the file and save:

#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

Now, we’ll create a “down” script:

sudo gedit /etc/openvpn/down.sh

It should contain the following:

#!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Now we make both scripts executable:

sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

And now we configure OpenVPN itself:

sudo gedit /etc/openvpn/server.conf

and add:

mode server
tls-server

local 192.168.1.10 ## ip/hostname of this server (the br0 address set above)
port 1194 ## default openvpn port
proto udp

#bridging directive
script-security 2 ## required on OpenVPN 2.1 and later, otherwise the up/down scripts are refused and the tap device never joins the bridge
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

persist-key
persist-tun

#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret

cipher BF-CBC # Blowfish (default); it has a 64-bit block, so AES-256-CBC is the stronger choice (the client's cipher line must match)
comp-lzo

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Then you will need to restart OpenVPN with the following command:

sudo /etc/init.d/openvpn restart
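Before restarting, it is worth checking the config for the mistakes that make a bridged server either fail to start or run weaker than intended. The script below is an added example, not part of the original post: a small POSIX sh lint for a server.conf of the kind written above. The first sample config is constructed for this example and modelled on the post's server.conf with the common slips left in (an empty "local", up/down scripts without "script-security 2", Blowfish, 1024-bit DH); the "hardened" sample is an assumed corrected form, not the post's own file. The DH check is a name-based heuristic that relies on easy-rsa naming the file after KEY_SIZE.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN server.conf.
# Sample configs below are constructed for this example.

# lint_openvpn_conf FILE
# Prints one finding per line; prints nothing if the config looks clean.
lint_openvpn_conf() {
    # Drop '#'/';' comments and blank lines so directives match reliably.
    body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")

    # 'local' with no address is a parse error: OpenVPN refuses to start.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*local[[:space:]]*$'; then
        echo "ERROR: 'local' has no address; give it the br0 address or remove it"
    fi
    # up/down scripts need 'script-security 2' on OpenVPN 2.1 and later;
    # without it the tap device never joins the bridge.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(up|down)[[:space:]]' &&
       ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]'; then
        echo "ERROR: up/down scripts configured without 'script-security 2'"
    fi
    # Blowfish has a 64-bit block; long-lived tunnels expose it to birthday attacks.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*cipher[[:space:]]+BF-CBC'; then
        echo "WEAK: cipher BF-CBC; use AES-256-CBC (AES-256-GCM on OpenVPN 2.4+) on both ends"
    fi
    # Name-based heuristic: easy-rsa names the DH file after KEY_SIZE in vars.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*dh[[:space:]]+.*1024'; then
        echo "WEAK: 1024-bit DH parameters; set KEY_SIZE=2048 in vars and rerun ./build-dh"
    fi
    # Without tls-auth, control-channel packets are not HMAC-protected.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*tls-auth[[:space:]]'; then
        echo "WEAK: no tls-auth; unauthenticated hosts can talk to the TLS stack directly"
    fi
    # Without 'user' the daemon keeps root for its whole lifetime.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*user[[:space:]]'; then
        echo "WEAK: no 'user' directive; daemon runs as root after startup"
    fi
}

# lint_count FILE -> number of findings (0 means clean)
lint_count() {
    lint_openvpn_conf "$1" | grep -c . || true
}

# write_original_conf FILE: the post's server.conf, reduced to the lines that matter.
write_original_conf() {
    cat >"$1" <<'EOF'
mode server
tls-server
local ## ip/hostname of server
port 1194
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
user nobody
group nogroup
EOF
}

# write_hardened_conf FILE: the same server with each finding addressed (assumed values).
write_hardened_conf() {
    cat >"$1" <<'EOF'
mode server
tls-server
local 192.168.1.10
port 1194
script-security 2
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
EOF
}

# Stand-alone run: lint both samples and show the findings.
for variant in original hardened; do
    tmp=$(mktemp)
    "write_${variant}_conf" "$tmp"
    echo "== $variant: $(lint_count "$tmp") finding(s)"
    lint_openvpn_conf "$tmp"
    rm -f "$tmp"
done
```

Run it as `sh lint-openvpn.sh`; to lint your real file call `lint_openvpn_conf /etc/openvpn/server.conf` instead of the samples. The original-style sample yields four findings (empty local, missing script-security, BF-CBC, dh1024) and the hardened one none.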

Next we are going to generate a key and certificate for the client and create a *.conf or *.ovpn (Windows) configuration file:

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars ## execute the vars file
./pkitool client ## create a cert and key named "client"

Next you need to set up your configuration file (I actually made a *.ovpn and added a Windows version of OpenVPN to my network as a client):

### Client configuration file for OpenVPN

# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote your.server.example.com 1194

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of the OpenVPN server.
# Note: the Windows GUI seems to dislike the following rule;
# you may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3

Place the client.ovpn (or client.conf) configuration file along with the certificate and key files in the openvpn configuration directory on the client. With the above setup, the following files should be in the configuration directory.

client.ovpn
ca.crt
client.crt
client.key
ta.key

And with any luck it should work! If you have any problems, post a message.

2600

I am going to 2600 this coming month in Manchester to talk tech; check out the website.

I’m Not Dead Yet…

I think I may be going slightly crazy (well, not much of a change there…!). I found this song by Cesium 137 that I think mentions my username Darkbliss as well as perhaps my second name. I'm surprised, to say the least, and given all the weird behaviour I have witnessed, I can only assume that this song actually *is* about me. Anyways, judge for yourself…

Here it is: