A corrected procedure for the installation of OpenVPN on Fedora 27

Fedora 27 is a close cousin of CentOS 7, which is actually Fedora 19. Most of the documentation for server-centric stuff is still targeted at CentOS 7. Some topics, like how to install and configure OpenVPN, are poorly documented.

I was pleased to find this link, a tutorial on how to install OpenVPN on Fedora 26:


I found this guide to be useful, but found myself taking notes on corrections to the procedure. Unable to contact the author of the howto, I offer the procedure with minor corrections here. Note that my procedure was done on Fedora 27.

1) First of all install necessary dependencies

sudo dnf install openvpn easy-rsa

2) Copy rsa scripts to the home folder

mkdir ~/openvpn-ca

cp -ai /usr/share/easy-rsa/3/* ~/openvpn-ca
cd ~/openvpn-ca

3) According to this, start a new PKI and build a CA key pair and certificate

./easyrsa init-pki
./easyrsa build-ca nopass

4) Build Server certificate, key

./easyrsa build-server-full server nopass

5) Build Client certificate, key

./easyrsa build-client-full client01 nopass

You can omit nopass in steps 3, 4 and 5 if you want the keys protected by a passphrase.

6) Generate strong Diffie-Hellman parameters (dh.pem)

./easyrsa gen-dh

7) Generate the HMAC key (ta.key) used to strengthen the server’s TLS integrity verification

openvpn --genkey --secret pki/ta.key

8) Before setting up the OpenVPN server we need to put the appropriate keys (ca.crt, ca.key, server.crt, server.key, ta.key, dh.pem) into the /etc/openvpn/server/keys folder

sudo ln -s ~/openvpn-ca/openssl-1.0.cnf ~/client-configs/

sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/private/ca.key /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/ta.key /etc/openvpn/server

9) Now we need to set up the server itself, firstly copy configurations

sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server

10) Modify several lines in that configuration file

sudo nano /etc/openvpn/server/server.conf

add these lines at the end of the file:

key-direction 0
auth SHA256
and remove the ; symbol to uncomment the following lines:

user nobody
group nogroup

10a) [optional] To redirect all traffic through the VPN, remove the ; from the following lines:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"

10b) [optional] Adjust port and protocol if you don’t wish to use default:

port 443
proto tcp

and if your server.crt and server.key have a different name, point to them here:

cert myservername.crt
key myservername.key

11) Allow IP Forwarding. This is fairly essential to the functionality we want our VPN server to provide.

sudo nano /etc/sysctl.conf
and add the following line there:

net.ipv4.ip_forward = 1

then activate it:

sudo sysctl -p

12) Set up firewalld to work with OpenVPN

sudo firewall-cmd --permanent --add-service openvpn
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload
(permanent rules only take effect in the running firewall after the reload)

13) Now we are going to set up our systemd service.

sudo ln -s /usr/lib/systemd/system/openvpn-server\@.service /etc/systemd/system/multi-user.target.wants/openvpn-server\@server.service

sudo ln -s /etc/openvpn/server/dh.pem /etc/openvpn/server/dh2048.pem

The trailing "server" corresponds to the name of the configuration file in /etc/openvpn/server, such as server.conf. So if you have myserver.conf you have to replace server with myserver.

14) Now we are ready to start OpenVPN service

sudo systemctl -f enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service

15) Add the following to /etc/rc.d/rc.local (reminder: chmod 755 rc.local):

iptables -t nat -A POSTROUTING -s -o enp3s0 -j MASQUERADE
(where enp3s0 is the name of your Ethernet device)

Done! We have successfully deployed our OpenVPN server, and we are ready to move on and set up the client.

Client setup

As you remember, we already generated client01.crt and client01.key at step 5. Now we need to combine them with our certificate authority’s certificate in order to build the client config file.

1) First of all we need to generate the client configurations. Let’s create the client-configs directory and prepare it for the keys

mkdir -p ~/client-configs/files
cd ~/client-configs

We are actually going to omit these instructions; we have re-coded our batch file under client creation to avoid this issue:
# mkdir ~/keys
# cp ~/openvpn-ca/pki/ca.crt ~/client-configs/keys
# cp ~/openvpn-ca/pki/ta.key ~/client-configs/keys
# cp ~/openvpn-ca/pki/private/client1.key ~/client-configs/keys
# cp ~/openvpn-ca/pki/private/client1.crt ~/client-configs/keys

2) Next we need to copy base configuration from examples

cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf ~/client-configs/base.conf

3) Open this file in your text editor

nano ~/client-configs/base.conf

4) and modify as follows

remote server_IP_address 1194
# place your server address here
proto udp
# update with specified protocol
next, uncomment (by removing the leading semicolons)

user nobody
group nogroup

NB: If you are using CentOS, change the group from nogroup to nobody to match the distribution’s available groups
and comment out these lines, because we place their contents directly in the client’s config:

#ca ca.crt
#cert client.crt
#key client.key

add these lines at the end of the file:

auth SHA256
key-direction 1

5) Next, we will create a simple script to compile our base configuration with the relevant certificate, key, and encryption files. This will place the generated configuration in the ~/client-configs/files directory.

Note: to be consistent with the portion of this document above, I should really use ~ instead of /home/desktop in the section below. However, that is how I run it:

nano ~/client-configs/make_config.sh


#!/bin/bash

# remember to run easyrsa build-client-full clientid nopass

# First argument: clientid

# KEY_DIR, OUTPUT_DIR and BASE_CONFIG as assumed from the steps above and the
# /home/desktop note. KEY_DIR points straight at the easy-rsa pki directory,
# which is why the copy into client-configs/keys is no longer needed.
KEY_DIR=/home/desktop/openvpn-ca/pki
OUTPUT_DIR=/home/desktop/client-configs/files
BASE_CONFIG=/home/desktop/client-configs/base.conf

# the .ovpn embeds the client's private key: keep it readable by the owner only
umask 077

cat "${BASE_CONFIG}" \
<(echo -e '<ca>') \
"${KEY_DIR}/ca.crt" \
<(echo -e '</ca>\n<cert>') \
"${KEY_DIR}/issued/${1}.crt" \
<(echo -e '</cert>\n<key>') \
"${KEY_DIR}/private/${1}.key" \
<(echo -e '</key>\n<tls-auth>') \
"${KEY_DIR}/ta.key" \
<(echo -e '</tls-auth>') \
> "${OUTPUT_DIR}/${1}.ovpn"

make the file executable:

chmod 700 ~/client-configs/make_config.sh

6) Execute that file with client01 as the input parameter

Note: you must first run the client creation from step 5 of the server setup. A repeatable procedure for client creation is as follows (using client02 as the token):

cd ~/openvpn-ca

./easyrsa build-client-full client02 nopass

cd ~/client-configs

./make_config.sh client02

If everything went well, we should have a client02.ovpn file in our ~/client-configs/ directory

7) Now that file can be used on the client machine

sudo dnf install openvpn
sudo openvpn --config client02.ovpn
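As an added check that is not part of the original howto, the script below compares the edited server.conf with a client .ovpn built by make_config.sh and reports the mismatches these steps make easy: a port or proto changed in step 10b but not in the client’s remote/proto lines, key-direction 0 versus 1, auth set on one side only, or a ca/cert/key file line left uncommented in base.conf. The function names (check_vpn_pair, directive, write_samples) and the sample pair it writes (placeholder text and a TEST-NET address, not real keys) are constructed for this example.

```shell
#!/bin/bash
# Added check: compare a server.conf edited as in the server steps with a
# client .ovpn built by make_config.sh. Port, proto, auth and key-direction
# must agree, and the profile must carry its certificates and keys inline.
# Prints each problem found and returns 0 only when every check passes.

# directive FILE NAME: value of the last uncommented NAME line, or empty
directive() {
    awk -v name="$2" '$1 == name { v = $2 } END { print v }' "$1"
}

check_vpn_pair() {
    local server="$1" client="$2" failures=0 tag
    local s_port s_proto s_auth s_dir c_port c_proto c_auth c_dir
    # OpenVPN defaults apply when a directive is absent: 1194, udp, SHA1
    s_port=$(directive "$server" port);   s_port=${s_port:-1194}
    s_proto=$(directive "$server" proto); s_proto=${s_proto:-udp}
    s_auth=$(directive "$server" auth);   s_auth=${s_auth:-SHA1}
    s_dir=$(directive "$server" key-direction)
    # the client carries its port in 'remote host port' (field 3)
    c_port=$(awk '$1 == "remote" { v = $3 } END { print v }' "$client")
    c_port=${c_port:-1194}
    c_proto=$(directive "$client" proto); c_proto=${c_proto:-udp}
    c_auth=$(directive "$client" auth);   c_auth=${c_auth:-SHA1}
    c_dir=$(directive "$client" key-direction)

    [ "$s_port" = "$c_port" ] ||
        { echo "port mismatch: server $s_port, client $c_port"; failures=$((failures+1)); }
    # 'tcp-server' and 'tcp-client' are the same transport as plain 'tcp'
    [ "${s_proto%-server}" = "${c_proto%-client}" ] ||
        { echo "proto mismatch: server $s_proto, client $c_proto"; failures=$((failures+1)); }
    [ "$s_auth" = "$c_auth" ] ||
        { echo "auth mismatch: server $s_auth, client $c_auth"; failures=$((failures+1)); }
    # tls-auth direction is 0 on the server and 1 on every client
    [ "$s_dir" = 0 ] || { echo "server key-direction '$s_dir', expected 0"; failures=$((failures+1)); }
    [ "$c_dir" = 1 ] || { echo "client key-direction '$c_dir', expected 1"; failures=$((failures+1)); }
    # make_config.sh inlines ca.crt, the client cert and key, and ta.key; a
    # leftover 'cert client.crt' line would make openvpn look for a missing file
    for tag in ca cert key tls-auth; do
        grep -q "^<${tag}>$" "$client" && grep -q "^</${tag}>$" "$client" ||
            { echo "client profile lacks an inline <${tag}> block"; failures=$((failures+1)); }
    done
    if grep -Eq '^(ca|cert|key|tls-auth) ' "$client"; then
        echo "client profile still points at ca/cert/key files"; failures=$((failures+1))
    fi
    return $((failures > 0))
}

# Constructed sample pair written into directory $1 (placeholder text, not real keys)
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
tls-auth ta.key 0
key-direction 0
auth SHA256
EOF
    cat > "$1/client02.ovpn" <<'EOF'
client
proto udp
remote 192.0.2.10 1194
#ca ca.crt
#cert client.crt
#key client.key
auth SHA256
key-direction 1
<ca>
PLACEHOLDER-CA-CERT
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT
</cert>
<key>
PLACEHOLDER-CLIENT-KEY
</key>
<tls-auth>
PLACEHOLDER-TA-KEY
</tls-auth>
EOF
}

if [ $# -eq 2 ]; then check_vpn_pair "$1" "$2"; fi
```

Saved as, for instance, check_vpn_pair.sh, it is run with the server config and the generated profile as its two arguments; a non-zero exit means at least one of the listed mismatches was found.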

The problem with prequels, retcons, and canon in recent Star Trek productions

I believe that Star Trek producers have made 3 choices since 2001 that have damaged the franchise:

  • Star Trek Enterprise
  • JJVerse / Kelvin Timeline
  • Star Trek: Discovery

Star Trek Enterprise

Problem: prequel

All story lines have to account for known (by the audience) future canon. And the tech? Well, I can imagine how that meeting went down: “let’s just throw tech out the window, and buy all of the LCD flatscreens we can find.” So now we have a prequel with some better tech, like LCD screens, however our engines and weapons are a generation smaller and less effective. Great. Progress in reverse, with anachronisms.

JJVerse / Kelvin Timeline

Problems: alternate timeline, technology, costume and makeup, recycling existing characters out of context.

Starting in 2009, a series of 3 movies branded as Star Trek, but set in an alternate timeline where a random angry bad dude from 20 years in the future shows up and takes a misguided revenge by blowing up one of the 2 most important planets in a federation with a powerful military, and yet, insufficient orbital defenses.

Strangely, the producers felt the need to find alternate versions of characters in this alternate time line. In the other shows, each ship had a different crew with new characters.

Oh, and who decided to throw out consistent post-80s canon and change the look of known alien species? Oh, and if a portable transporter can send a person directly to a distant planet, why bother having a navy of spaceships?

Star Trek: Discovery

Problems: distribution strategy, prequel, technology, costumes and makeup

There is a lot to like about Star Trek: Discovery. It tries to balance between respect to canon and “let’s put on a show.” I would say that Discovery does this selectively. In terms of historical continuity, it tracks within the political and military facts of the timeline 10 years before Kirk’s taking command of 1701. The Enterprise is actually mentioned tangentially as the flagship. Discovery has completely abandoned any kind of technological continuity. It seems to have decided to simply be as advanced as current CGI allows, without fealty to “previous” design. And continuing on that theme, costumes and makeup for known aliens are different, and suspiciously close to JJVerse.

Can this be fixed?

Star Trek: Discovery will continue for some time. My guess is that CBS’s attempt to strong-arm US viewers to buy CBS all access will fail, and that there will only be a 3rd season of Discovery to make syndication easier, and its serial storytelling arc and dark mood make it unlikely to do well on reruns, although future Netflix binge-watchers may disagree.

Michael Dorn has been shopping Captain Worf. That project assumes a consistent TNG universe, post-Nemesis. That is where we should be going, people.


We need a post-Nemesis TNG canon sequel with updated costume and tech.

If producers wanted to start with 30 year olds for a new cast, they could at least put them 16 years after Nemesis, and show us an updated TNGverse, but with a new crew and slightly different tech and slightly updated culture.

My second elevator pitch is Federation Vice, set in the post-Nemesis TNG universe, but with civilians and criminals and a bit of Section 31: sort of a not-corny DS9.


Ice storm warning for Montreal today

My day was already a bit unusual because I planned to file some paperwork at a government office downtown this morning, then go to the office later. The weather was bad:


I had trouble on the sidewalk immediately outside my apartment building in NDG, a working-class suburb near downtown. I decided to stick with my plan, and took the bus to the metro, then the metro downtown. The streets downtown were cleared perfectly, and the sidewalks were also clear and well-salted, I could not have asked for better maintenance.

The city streets felt empty, as on a statutory holiday, perhaps because the schools were all closed for the day due to the predicted ice.

After my appointment, I took the metro and bus to work in Saint-Laurent, in an ugly but lucrative industrial park near the airport. The main road, Cote de Liesse, was cleared, as one would expect for a major expressway near the airport, with dozens of hotels offering shuttle buses to the airport, and a gazillion truck loading bays. The sidewalks, however, simply did not exist — they were filled with the snow blown by the machine that cleared the road. Between walking on the road (scary – cars going fast) and crunching through the snowbank, it was still better than the icy sheets covering the sidewalks of NDG this morning.

Star Trek Discovery: the show without US fans?

I just got back from a Star Trek cruise (this year’s second sailing, January 11-17). On the cruise, I heard 2 mentions of the Orville (“a friend of mine is writing for that show, Brannon Braga brought her onboard,” plus another reference that made Orville sound like a TNG class reunion, at least on the show-runner side.) However, in terms of Discovery, it was strange: none of the Star Trek alumni (writers, etc.) seemed to be involved (“Of course we wish for the best for that show.”)

Star Trek: Discovery is aired on CBS All access, an Internet service that works on things like Apple TV and Roku. Star Trek: Discovery is also shown on Space in Canada, and is shown on Netflix outside of Canada and the US.

What I discovered was that hardly any of the Americans on the ship had seen it, or that the sample episodes shown on board were their first exposure aside from the first episode as aired on CBS.

I would have expected this gap to be filled by piracy, and of course that is not a subject for polite company, but it would seem that instead of driving CBS streaming subscriptions or illegal pirate downloads or tube site views, that US fans, Star Trek fans, have simply not watched the show. There did not seem to be any anxiety about it, either: “Oh, it’ll be on Netflix in a year or two.”

There is an old saying that it is better to be despised than ignored. Star Trek: Discovery has its pluses and minuses, but it is not even being dissed for its downsides: it is simply ignored, as though it does not exist.

I wonder if CBS is aware of this dynamic. I suspect that CBS tried to duplicate the Voyager-on-UPN strategy, and to train their people to get ready for cord-cutting and “over-the-top” streaming services. Unfortunately, I think their strategy might have been 5 years too soon. The cost, I suspect, is the cultural relevance of Star Trek: Discovery itself.

Let’s talk about wifi on cruise ships

On my most recent cruise on Norwegian Cruise Lines (NCL), I chose to buy the unlimited wifi package for US$180. The alternative was 250 minutes for US$125 plus a US$3.95 “activation fee,” which meant that I was looking at an additional US$51 to go unlimited wifi.

My last experience with satellite maritime wifi was during a Holland America cruise in 2014, where the biggest package I could buy was US$100 for 250 minutes. That wifi was slow and spotty, and stopped working for days at a time.

The wifi on Norwegian is excellent — at least by ship wifi standards. Only one device permitted at a time, but the system worked well. I used bluetooth on my phone to share the Internet with my brother’s phone when he was near me. Coverage aboard the ship was uniformly good — transmitters everywhere.

On the last day and a half, while we were at sea heading back to Miami, the wifi was almost unusable. That being said, I was satisfied with my wifi purchase overall over the course of the week.

On land, I had a personal roaming plan for the days in Miami. For Honduras and Mexico, I was able to use Rogers Roam Like Home on my work-issued phone (my boss asked me to stay available and use the roaming).


The big text post about the Star Trek cruise 2018


For reference, here are my blog posts regarding my first post with pictures, and a link in my blog to my brother’s blog post with pictures and text. My brother’s narrative is so complete I have chosen to simply copy and paste his text here, attributed to him by being in italics.

The beforetime

Our planning began in late 2016, where a whimsical discussion about a web ad for a “Star Trek cruise” in early 2017 turned into a dare, and an attempt to register. We waited 2 days too long, and missed our chance. In retrospect, that was a good thing, it allowed us the luxury of a year to plan for one of the 2018 sailings.


When the 2 Star Trek cruise sailings for January 2018 were announced in 2017, my brother and I did not wait very long, I think we booked the same day or next day that we became aware. We were able to book 2 single inside (no port hole/window) staterooms on the second sailing January 11-17 out of Miami to Honduras, Belize, and Mexico then back to Miami. As it turned out, the promoters had difficulty filling the second ship, and offered discounts. To mollify us, we got a US$50 discount on our bills, and something else, swag or a minor event of some kind.

Air from YUL to MIA and hotel on Miami Beach 2 nights before cruise

We had the luxury of booking far in advance. We got a good price (C$580 return Montreal YUL – Miami MIA) on air, and allowing for winter weather on the East coast near the Atlantic, decided to book rooms on Miami Beach at the Four Points by Sheraton US$200/night, so we would arrive on January 9, 2 days before our cruise was to depart January 11.


We took lots of Ubers in Miami – about US$180 worth during 2 days at beginning and 1 day at end of trip, and worth every penny – fast, easy, cheap. Between Google Maps and Uber, it is easy to hit the ground anywhere and find a good local craft beer.

As travelers, my brother Don and I had 5 objectives:

  • Maximize participation in Comiccon setting and events on boat, especially by attending second-tier events like script read-throughs and small skits throughout the day, especially during the days at sea.
  • Maximize premium experiences on the ship, i.e. try to eat in the main dining room on the ship every night, try to attend the main show in the theater each night. We ate in the main dining room and the main café, not the specialty restaurants. We did order wine and drinks from time to time.
  • Visit each port, and go on at least one excursion, which we did.
  • Sign up for paid extra activities on the ship. We signed up for a ship kitchen and environmental systems tour, a Klingon pub crawl between 3 bars on board, led in song by Gowron himself, and a wine tasting led by Damar, who on earth poses as a super-relaxed rich guy from Northern California who now grows wine with his wife but was a Cardassian on Star Trek.
  • Find a way to salvage the last day in Miami – after disembarking the ship with our luggage, without a hotel, no locker system at the port, and a flight in the early evening.

Tuesday 9

My brother and I decided to book rooms on Miami Beach at the Four Points by Sheraton US$200/night, so we would arrive on January 9, 2 days before our cruise was to depart January 11. We got to see Miami Beach, eat at the outside bar and grill of the Fontainebleau (it’s in a James Bond movie called Goldfinger). About 2 days after we had booked our hotel, the promoters announced a US$200 rate for the airport Hilton in Miami. We chose to stick with our original plans in case there would be too much competition to get from the airport hotel to the seaport at the same time the morning of the cruise.

Wynwood, craft beer

We took an Uber to Wynwood to eat and drink at a craft beer hall called the Butcher Shop. The meal was simple – Bratwurst on a pretzel bun with fries. Nice takes on ambers and American ale, I did not try darker Belgian styles or wit beers.

Wednesday 10

Bay of Pigs Museum, Little Havana, craft beer

We visited the regimental museum of the veterans of the Bay of Pigs, then paid a visit to the Union Beer Store in Little Havana. In between we walked through the real Little Havana, with its stores and shops.

Thursday 11


On January 11, we took an Uber to the seaport, and we were lucky to have Googled in advance that we wanted to be at Terminal D. We got off very close to the processing center, which was like a cross between a hotel checkin desk asking for photo ID like passport and issuing a ship ID card, and a private sector TSA with mags, wands, and xray of bags. Bag attendants in port took care of luggage, but hustled for tips – just like Vegas, have a stack of one and five dollar bills on hand.

We got on the ship by 1200, but staterooms were only ready around 1300. We had a drink, but declined a $20 ceramic Tiki mug as an upsell on the drink. As seasoned cruise ship travelers (i.e. one short cruise from Vancouver to Alaska in 2014) we were both already comfortable with cruise ship life.

My brother and I made a friend while sitting in the dining room, listening to safety drill information. Our friend Tracy joined us for dinner in the dining room most nights of the cruise.

The single inside staterooms (US$2200 for 6 nights cruise) were small but well-designed, and each complete with all of the facilities of a good hotel room, including bathroom, minibar, a small table, a double bed (or perhaps 2 single beds pushed together) and a good TV. Nice design, art, and mirrors, easy to forget no windows to the outside world. I was content in a small stateroom by myself for the sleeping time between after late show snack and breakfast in cafe. However, if I had to share a stateroom with a second person, even in the context of a relationship, I would opt for a bigger place with windows and a balcony and more personal space per person.

Italics in this post identify text copied directly from my brother’s blog post on the subject. Don’s blog post is so complete it made more sense to reproduce portions of it whole within the timeline below.

The first evening’s show

  • Michael Dorn introduced Levar Burton, who read a children’s book he’d written, as well as an essay he’d written.
  • Later when he introduced René Auberjonois and Nana Visitor, one of Michael Dorn’s quotes was “you’d still be clapping even if I were reading from the phone book” — a comment I found fascinating, and which followed me and the shows I saw all week long, since so many of the shows were NOT Star Trek related at all beyond the actors starring in them, but were still rather entertaining.
  • René Auberjonois and Nana Visitor reading various humourous quotes and a scene from DS9.

Friday 12

  • Photo op with George Takei (basically, 15 seconds with Mr. Takei)
  • Star Trek’s Script Secrets Revealed with Lolita Fatjo.  Interesting points:  Star Trek The Next Generation had an open invitation for the public to submit scripts, virtually unique in the TV world.  And, at 10AM, people were ordering noisy-to-make margaritas.
  • Scopes Monkey Trial with John de Lancie, Ethan Phillips, and Robert Picardo.  As I recall, Mrs. de Lancie, René Auberjonois and Jeffrey Combs participated as well, and three people from the passengers, one of whom was a dead ringer for Col. Sanders of chicken fame, who also dressed the part.  The show was a dramatic reading / stage play based on the Scopes Monkey Trial in 1925 in Tennessee.
  • T-shirt party with DJ Needles:  Basically, a pool party on the pool deck offering free punch and carbonated barley water (oops, I think they called it Budweiser and Coors Light) to all those wearing the cruise T-shirt.
  • [snip]
  • Interstellar Improv: An episodic overdub with Denise Crosby and Friends (René Auberjonois and Robert Picardo) — a really dumb show with the three of them ad-libbing dumb comments to a silent viewing of “And the Children Shall Lead,” including some shady comments about Captain Kirk.  (Ahem, NOT along the lines of “Spock is better!”)

Saturday 13

Roatan, Honduras

  • Roatan, Honduras (suffice it to say that beyond the small and minimal but adequate tourist zone, we turned back within minutes, disappointed in the overly ferocious solicitation by the locals);
  • A Visit to Original Trek with Gates McFadden and Jonathan Frakes (and Picardo, Philipps, Auberjonois, de Lancie, Mrs. de Lancie).  Reading the script to “The Trouble with the Tribbles” — Hilarious!  And, having had a good amount of time on my hands, I had showed up about 50 minutes early to get a good seat.  Good call, it was an overflow crowd!
  • Gow-Rom:  A skit and then Q&A with Gowron (Robert O’Reilly) and Rom (Max Grodenchik) — in full costume and makeup, and during the first part, in character!
  • In Search of Lost Time:  Brent Spiner performing Broadway hits.  As it turns out, despite having known about “Ol’ Yellow Eyes is Back”, I learned that Brent Spiner is actually a decent singer!

Sunday 14

  • Harvest Caye, Belize, a private island owned by NCL best described as Gilligan’s Island run by Mr. Howell for tourists (yes, I am aware of “The Castaways” Resort);
  • Star Trek Squares, with George Takei as the centre square, and a Gorn with (intentionally) unintelligible speech.

Monday 15

  • Costa Maya, Mexico, with a large tourist zone.
  • Notes on the visit to the Mayan ruins:  The guide was excellent, and at least trilingual (she spoke French with me, to my pleasant surprise).  I learned that in a very flat area, not only were the ruins all built by volunteer labour (trying to get more “points” to get to the Mayan equivalent of Heaven), but also a low mountain!
  • Star Trek Online presents Gameshow Night:  The Liar’s Club with Jeffrey Combs, Phil Plait and Robb Pearlmann
  • Evening with George Takei:  George Takei spent an hour recounting his experiences in a WWII Japanese-American internment camp as a child, his path to becoming an actor, and as a civil rights activist both surrounding the Japanese-American internment camps as well as LGBT rights.

Tuesday 16

  • Behind the Scenes Tour:  A two hour walking tour of the ship in areas such as waste disposal, laundry, galley, and other areas, where passengers normally don’t get to see anything.
  • Klingon Pub Crawl:  A pub crawl to three of the ship’s bars led by Chancellor Gowron (Robert O’Reilly) in full costume and makeup.  As a part of his act, Gowron told two great dumb jokes, feigning a lack of understanding of the humour:
    • Two cannibals are eating supper.  One says, “I don’t care for my mother-in-law.”  The other responds, “Try the potatoes”.
    • Two cannibals are dining on a clown.  One says, “Does this taste funny to you?”
  • (Second half of) The “Women’s” View with Mrs. de Lancie, Nana Visitor, Denise Crosby, Lolita Fatjo
  • Oh My!  With George Takei, hosted by Brad Takei — Q&A with George Takei
  • Wine Tasting with Casey Biggs:  As it turns out, Casey Biggs, who played Damar on DS9, owns a vineyard in California, and is involved in making his wine!
  • The Real Life Search for Planet Vulcan, a short presentation on Mercury’s orbit, which at times fooled historic astronomers into claiming to have found another planet in close orbit to the Sun.
  • “BFF” with Robert Picardo and Jordan Bennet.  A show starting off with the Star Trek theme lyrics sung, and a cute set of jokes, stories and slides, but which ultimately featured a ho-hum performance by Robert Picardo and Jordan Bennet with a string of recognizable songs that (armchair critic here) could have been sung better, and which had little if any discernible link to each other, the show overall, Picardo and Bennet, and obviously Star Trek in general, and which left me scratching my head as to why they were included beyond a desire to fill up a one hour time slot.

Wednesday 17

My dear friend Dale happened to be in Miami for a conference and graciously let us keep our luggage in his hotel room, then gave us a tour of the funky side of Miami Beach and Lincoln Road.

We then took an Uber to the airport and flew home.



A WordPress tip: enabling links under Categories

In theory, if you tag posts in your blog by category, those category titles should be offered as links that show a search list of matching posts, on the blog’s main page, in a section labeled “Categories.”

It turns out that, in order for this to actually work, you must first enter values under Settings | Optional | “Category base” and “Tag base” as below. Note I chose to use the value “categories” rather than the suggested value “topic” for both fields. Entering values in these fields will result in the links under Categories displaying a correct listing of the posts in each category:


New VPS: remember the swap file

Recently, I activated a very small VPS: 512MB RAM, 20GB SSD drive space. It ran WordPress well under Fedora 27. However, I encountered a problem with DNF refusing to update, exiting with a kernel panic on the executable.

Turns out that a virtual server image with minimal OS config can be born without a swap file. I found this link to be useful (note that for this subsystem Fedora 27 is close enough to CentOS 7, which itself is Fedora 19):