A corrected procedure for the installation of OpenVPN on Fedora 27

note 2020/01/26: there is a more recent and corrected version of this post:

https://blog.gordonbuchan.com/blog/index.php/2020/01/27/installing-openvpn-server-on-fedora-31/

Fedora 27 is a close cousin of CentOS 7, which is a rebuild of RHEL 7 and so essentially Fedora 19. Most of the documentation for server-centric topics is still targeted at CentOS 7, and some topics, like how to install and configure OpenVPN, are poorly documented.

I was pleased to find this link, a tutorial on how to install OpenVPN on Fedora 26:

https://chichivica.github.io/2017/08/02/Install-OpenVPN-on-Fedora-26/

I found this guide to be useful, but found myself taking notes on corrections to the procedure. Unable to contact the author of the howto, I offer the procedure with minor corrections here. Note that my procedure was done on Fedora 27.

1) First of all install necessary dependencies

sudo dnf install openvpn easy-rsa

2) Copy the easy-rsa scripts to the home folder

mkdir ~/openvpn-ca

cp -ai /usr/share/easy-rsa/3/* ~/openvpn-ca
cd ~/openvpn-ca

3) Start a new PKI and build the CA key pair and certificate

./easyrsa init-pki
./easyrsa build-ca nopass

4) Build the server certificate and key

./easyrsa build-server-full server nopass

5) Build a client certificate and key

./easyrsa build-client-full client01 nopass

You can omit nopass on steps 3, 4 and 5 if you want the private key protected by a passphrase. For the CA key (step 3) that is a good idea, since the CA is only needed when you issue or revoke a certificate; the server key (step 4) must stay unencrypted, or the daemon cannot start unattended.

6) Generate the Diffie-Hellman parameters (this is slow; the output is pki/dh.pem)

./easyrsa gen-dh

7) Generate the tls-auth HMAC key (ta.key). The server and every client share it and use it to authenticate each control-channel packet before any TLS processing, so packets from anyone who does not hold the key are dropped before they cost the TLS stack any work. Note the options take two plain hyphens:

openvpn --genkey --secret pki/ta.key

8) Before setting up the OpenVPN server we need to put the files it uses (ca.crt, server.crt, server.key, ta.key and dh.pem) into /etc/openvpn/server. The original guide also copies ca.key there; the server never reads it, and the CA private key should stay off the VPN host (whoever holds it can mint certificates the server will trust), so it is left out below. server.key and ta.key are secrets: easy-rsa creates them with mode 600 and cp keeps that, but it is worth confirming with ls -l afterwards.

sudo ln -s ~/openvpn-ca/openssl-1.0.cnf ~/client-configs/

sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/ta.key /etc/openvpn/server

9) Now we need to set up the server itself; first copy the sample configuration

sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server

10) Modify several lines in that configuration file

sudo nano /etc/openvpn/server/server.conf

add these lines at the end of the file:

key-direction 0
auth SHA256

remove the ; symbol to uncomment the following lines. The sample file shipped with Fedora already says nobody for both; do not change the group to nogroup as the Fedora 26 guide does, because Fedora has no group of that name and OpenVPN will refuse to start when it cannot look it up.

user nobody
group nobody

10a) [optional] In order to redirect all client traffic through the VPN, remove ; from the following lines (the two DNS servers are OpenDNS; substitute your own if you prefer):

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

10b) [optional] Adjust the port and protocol if you don't wish to use the defaults (1194/udp). Remember that the firewalld rule in step 12 opens only the default port, and that the remote line in the client config must match:

port 443
proto tcp

and if your server.crt and server.key have different names, point to them here:

cert myservername.crt
key myservername.key

11) Allow IP forwarding. This is essential for the VPN server to route traffic between the tunnel and the network.

sudo nano /etc/sysctl.conf

and add this line:

net.ipv4.ip_forward=1

then activate it:

sudo sysctl -p

12) Set up firewalld to work with OpenVPN. The options take two hyphens, and the built-in "openvpn" service definition opens 1194/udp only, so a different port or protocol from step 10b needs an --add-port=PORT/PROTO rule instead:

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --add-masquerade

Rules added with --permanent are written to disk but not applied to the running firewall until firewalld is reloaded or the machine is rebooted.

13) Now we are going to set up our systemd service.

sudo ln -s /usr/lib/systemd/system/openvpn-server\@.service /etc/systemd/system/multi-user.target.wants/openvpn-server\@server.service

sudo ln -s /etc/openvpn/server/dh.pem /etc/openvpn/server/dh2048.pem

The first symlink is exactly what "systemctl enable" creates in step 14 (the -f there overwrites it), so you can skip it and let step 14 do the work. The second is needed because the sample server.conf says "dh dh2048.pem" while easy-rsa 3 writes pki/dh.pem; editing the dh line in server.conf to "dh dh.pem" is the cleaner fix.

"server" corresponds to the configuration file name in /etc/openvpn/server, such as server.conf. So if you have myserver.conf you have to replace server with myserver.

14) Now we are ready to start OpenVPN service

sudo systemctl -f enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service

15) enter in /etc/rc.d/rc.local (reminder: chmod 755 rc.local; systemd runs it at boot only if the file exists and is executable):

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
(where enp3s0 is the name of your ethernet device, and 10.8.0.0/24 is the tunnel network from the "server" line of server.conf)

Note that the --add-masquerade rule from step 12 already NATs traffic leaving the zone enp3s0 belongs to, so this rule duplicates it. It does no harm, but if clients can already reach the network after step 14, this step can be skipped.
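The server-side steps 8 to 14 above, collected into one script as an added example. This is my script, not the original post's or the Fedora 26 guide's. It assumes the same paths as the post (the easy-rsa tree in ~/openvpn-ca, a server certificate named server, and /etc/openvpn/server/server.conf); the port, protocol and the redirect-gateway push of steps 10a/10b are parameters. Two deliberate changes from the post: ca.key is never copied to the VPN host, and tls-version-min 1.2 is added to the rendered configuration. Nothing runs unless the script is invoked with install (as root) or check.

```sh
#!/bin/sh
# Added example (mine, not from the post or the Fedora 26 guide): server steps
# 8 to 14 as one script. Assumed paths, same as the post: easy-rsa tree in
# ~/openvpn-ca, server cert named "server", /etc/openvpn/server/server.conf.
# Usage as root:  sh openvpn-server-setup.sh install [port] [proto] [yes]
#                 sh openvpn-server-setup.sh check
# (the 4th argument "yes" enables the step 10a redirect-gateway push)
set -eu

PKI_DIR="${PKI_DIR:-${HOME:-/root}/openvpn-ca/pki}"
SERVER_DIR="${SERVER_DIR:-/etc/openvpn/server}"

# server.conf with the step 10 edits made explicit. "dh dh.pem" removes the
# need for the dh2048.pem symlink of step 13; ca.key is never referenced.
# tls-version-min is an addition beyond the post. Writes to stdout only.
render_server_conf() {
    port="$1"; proto="$2"; redirect="${3:-no}"
    cat <<EOF
port $port
proto $proto
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key
key-direction 0
auth SHA256
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
    if [ "$redirect" = "yes" ]; then
        cat <<EOF
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
EOF
    fi
}

# firewalld's "openvpn" service is 1194/udp only; step 10b ports need --add-port.
firewalld_open_arg() {
    if [ "$1" = "1194" ] && [ "$2" = "udp" ]; then
        printf '%s\n' '--add-service=openvpn'
    else
        printf '%s\n' "--add-port=$1/$2"
    fi
}

# Step 8 without ca.key (the server never reads it; keep the CA key off this
# host). Secrets are installed readable by root only.
install_server_files() {
    install -d -m 0755 "$SERVER_DIR"
    install -m 0644 "$PKI_DIR/ca.crt"             "$SERVER_DIR/ca.crt"
    install -m 0644 "$PKI_DIR/issued/server.crt"  "$SERVER_DIR/server.crt"
    install -m 0600 "$PKI_DIR/private/server.key" "$SERVER_DIR/server.key"
    install -m 0644 "$PKI_DIR/dh.pem"             "$SERVER_DIR/dh.pem"
    install -m 0600 "$PKI_DIR/ta.key"             "$SERVER_DIR/ta.key"
}

install_server() {
    port="${1:-1194}"; proto="${2:-udp}"
    install_server_files
    render_server_conf "$port" "$proto" "${3:-no}" > "$SERVER_DIR/server.conf"
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-openvpn-forward.conf  # step 11
    sysctl -w net.ipv4.ip_forward=1
    firewall-cmd --permanent "$(firewalld_open_arg "$port" "$proto")"          # step 12
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --reload            # --permanent rules are not live until reloaded
    systemctl enable --now openvpn-server@server.service                       # steps 13/14
}

# Read-only verification of the result (run after install or after a reboot).
check_server() {
    rc=0
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] || { echo "ip_forward is off"; rc=1; }
    firewall-cmd --query-masquerade >/dev/null || { echo "masquerade not enabled"; rc=1; }
    systemctl is-active --quiet openvpn-server@server.service || { echo "service not running"; rc=1; }
    if [ -e "$SERVER_DIR/ca.key" ]; then echo "ca.key is on the VPN host: move it off"; rc=1; fi
    return $rc
}

case "${1:-}" in
    install) shift; install_server "$@" ;;
    check)   check_server ;;
    *)       : ;;   # no argument: define functions only
esac
```

The reload in install_server is the step most often missing when the tunnel comes up but no traffic flows: --permanent only writes the rule to disk. If a non-default port is chosen and the daemon still cannot bind, SELinux is the next thing to check in the audit log.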

Done! We successfully deployed our OpenVPN server, and we are ready to move on and set up the client

Client setup

As you remember, we already generated client01.crt and client01.key at step 5. Now we need to combine them with our CA certificate and the tls-auth key in order to build the client config file.

1) First of all we need to generate the client configurations. Let's create the client-configs directory and prepare the keys

mkdir -p ~/client-configs/files
cd ~/client-configs

We are actually going to omit these instructions; make_config.sh in step 5 has been rewritten to read the files straight from ~/openvpn-ca/pki, which avoids keeping a second copy of the private keys around:
# mkdir ~/client-configs/keys
# cp ~/openvpn-ca/pki/ca.crt ~/client-configs/keys
# cp ~/openvpn-ca/pki/ta.key ~/client-configs/keys
# cp ~/openvpn-ca/pki/private/client01.key ~/client-configs/keys
# cp ~/openvpn-ca/pki/issued/client01.crt ~/client-configs/keys

2) Next, copy the base configuration from the examples

cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf ~/client-configs/base.conf

3) Open this file in your text editor

nano ~/client-configs/base.conf

4) and modify as follows

remote server_IP_address 1194
# place your server's public address here; the port and protocol must match what the server listens on (1194/udp by default, or whatever you chose in step 10b)
proto udp

next uncomment (by removing the leading semicolons)

user nobody
group nobody

NB: the upstream sample file says nobody for both; only on Debian or Ubuntu clients is the group called nogroup.

Then comment out the following lines, because we place the certificates and keys directly in the client's config. The sample also has an active line "tls-auth ta.key 1"; comment that out as well, since ta.key is embedded in the profile and the key-direction line added below supplies the direction.

#ca ca.crt
#cert client.crt
#key client.key

add these lines at the end of the file:

auth SHA256
key-direction 1

5) Next, we will create a simple script to combine our base configuration with the relevant certificate, key, and tls-auth files. This will place the generated configuration in the ~/client-configs/files directory.

Note: to be consistent with the portion of this document above, I should really use ~ instead of /home/desktop in the section below. However, that is how I run it:

nano ~/client-configs/make_config.sh

#!/bin/bash
# Build an inline .ovpn profile for one client from base.conf plus the
# CA cert, the client's cert and key, and the tls-auth key.
# Remember to run "./easyrsa build-client-full clientid nopass" in ~/openvpn-ca first.
# First argument: clientid
set -eu

KEY_DIR=~/openvpn-ca/pki
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

if [ $# -ne 1 ]; then
    echo "usage: $0 clientid" >&2
    exit 1
fi

# fail early with a clear message instead of writing a profile with empty sections
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/issued/${1}.crt" \
         "${KEY_DIR}/private/${1}.key" "${KEY_DIR}/ta.key"; do
    [ -r "$f" ] || { echo "cannot read $f (did you run build-client-full ${1}?)" >&2; exit 1; }
done

cat "${BASE_CONFIG}" \
<(echo '<ca>') \
"${KEY_DIR}/ca.crt" \
<(echo -e '</ca>\n<cert>') \
"${KEY_DIR}/issued/${1}.crt" \
<(echo -e '</cert>\n<key>') \
"${KEY_DIR}/private/${1}.key" \
<(echo -e '</key>\n<tls-auth>') \
"${KEY_DIR}/ta.key" \
<(echo '</tls-auth>') \
> "${OUTPUT_DIR}/${1}.ovpn"

# the profile now contains a private key: readable by the owner only
chmod 600 "${OUTPUT_DIR}/${1}.ovpn"
echo "wrote ${OUTPUT_DIR}/${1}.ovpn"

make the file executable:

chmod 700 ~/client-configs/make_config.sh

6) Execute that file with client01 as the input parameter

Note that you must first have run the client creation from step 5 of the server setup. A repeatable procedure for creating a new client is as follows (using client02 as the name):

cd ~/openvpn-ca

./easyrsa build-client-full client02 nopass

cd ~/client-configs

./make_config.sh client02

If everything went well, we should have a client02.ovpn file in our ~/client-configs/files directory. Use a distinct name per device: each profile carries its own private key, so a lost device can later be revoked on its own without touching the others.

7) Now that file can be used on the client machine. Copy it there over a secure channel (scp, not email) and keep it readable only by its owner, since it contains the client's private key and the shared tls-auth key.

sudo dnf install openvpn
sudo openvpn --config client02.ovpn
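As an added example (mine, not the post's), here are the checks I would run on the profile make_config.sh produces before handing it to a device, plus the revocation step the post never gets to. The paths follow the post (~/openvpn-ca/pki, /etc/openvpn/server); the sample profiles built into the script are constructed, with placeholder text instead of PEM data and a placeholder host vpn.example.com, purely so the lint can be exercised without a PKI.

```sh
#!/bin/sh
# Added example (mine, not from the post): checks on the .ovpn that
# make_config.sh writes, and the revocation step the post does not cover.
# Assumed paths, same as the post: ~/openvpn-ca/pki and /etc/openvpn/server.
# Usage:  sh client-check.sh lint   ~/client-configs/files/client02.ovpn
#         sh client-check.sh verify client02      (openssl, needs the PKI)
#         sh client-check.sh revoke client02      (easyrsa, needs the PKI)
set -eu

PKI_DIR="${PKI_DIR:-${HOME:-/root}/openvpn-ca/pki}"

# Text-only sanity check, runs anywhere: each of the four inline sections
# exactly once and closed, key-direction 1 (the server has 0), auth equal to
# the server's, a remote line, and no active file-based ca/cert/key/tls-auth
# line (OpenVPN takes the last occurrence, and the client has no such files).
lint_profile() {
    f="$1"; rc=0
    for sec in ca cert key tls-auth; do
        n=$(grep -c "^<$sec>\$" "$f" || true)
        [ "$n" = "1" ] || { echo "$f: expected one <$sec> block, found $n"; rc=1; }
        grep -q "^</$sec>\$" "$f" || { echo "$f: missing </$sec>"; rc=1; }
    done
    grep -q '^key-direction 1$' "$f" || { echo "$f: client needs key-direction 1"; rc=1; }
    grep -q '^auth SHA256$' "$f" || { echo "$f: auth must match the server (SHA256)"; rc=1; }
    grep -q '^remote ' "$f" || { echo "$f: no remote line"; rc=1; }
    if grep -Eq '^(ca|cert|key|tls-auth) ' "$f"; then
        echo "$f: file-based ca/cert/key/tls-auth line still active"; rc=1
    fi
    return $rc
}

# Before shipping: the cert must chain to our CA, its public key must match
# the private key, and ta.key must be an OpenVPN static key, not a PEM file.
verify_client_material() {
    crt="$PKI_DIR/issued/$1.crt"; key="$PKI_DIR/private/$1.key"
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$crt"
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "$1: certificate and key do not match"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$PKI_DIR/ta.key"
}

# Revoke a lost or retired client and publish the CRL. It only takes effect
# once server.conf has "crl-verify crl.pem" (the post never adds that line);
# the daemon runs as nobody, so the CRL must be world-readable.
revoke_client() {
    ( cd "$PKI_DIR/.." && ./easyrsa --batch revoke "$1" && ./easyrsa gen-crl )
    sudo install -m 0644 "$PKI_DIR/crl.pem" /etc/openvpn/server/crl.pem
}

# Constructed sample profiles (placeholder text instead of PEM data, and a
# placeholder host) so the lint can be exercised without a PKI: "good" passes,
# "bad" has a server-side key-direction and a lost </key>.
sample_profile() {
    case "$1" in
        good) kd=1; keyclose='</key>' ;;
        bad)  kd=0; keyclose='' ;;
        *)    echo "sample_profile: good|bad" >&2; return 2 ;;
    esac
    cat <<EOF
client
dev tun
proto udp
remote vpn.example.com 1194
auth SHA256
key-direction $kd
<ca>
placeholder
</ca>
<cert>
placeholder
</cert>
<key>
placeholder
$keyclose
<tls-auth>
placeholder
</tls-auth>
EOF
}

case "${1:-}" in
    lint)   lint_profile "${2:?profile path}" ;;
    verify) verify_client_material "${2:?client name}" ;;
    revoke) revoke_client "${2:?client name}" ;;
    *)      : ;;   # no argument: define functions only
esac
```

lint catches the two mistakes hand-edited profiles usually have: a key-direction copied from the server, and a file-based ca/cert/key or tls-auth line left active, which points at a file the client does not have and, depending on where it sits, can win over the inline block. verify answers whether this certificate and key really belong together and to our CA. For revoke to have any effect the server needs crl-verify crl.pem in server.conf, which neither the post nor the Fedora 26 guide adds; without it a revoked client keeps connecting until its certificate expires.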

Let’s talk about wifi on cruise ships

On my most recent cruise on Norwegian Cruise Lines (NCL), I chose to buy the unlimited wifi package for US$180. The alternative was 250 minutes for US$125 plus a US$3.95 “activation fee,” which meant that I was looking at an additional US$51 to go unlimited wifi.

My last experience with satellite maritime wifi was during a Holland America cruise in 2014, where the biggest package I could buy was US$100 for 250 minutes. That wifi was slow and spotty, and stopped working for days at a time.

The wifi on Norwegian is excellent — at least by ship wifi standards. Only one device permitted at a time, but the system worked well. I used bluetooth on my phone to share the Internet with my brother’s phone when he was near me. Coverage aboard the ship was uniformly good — transmitters everywhere.

On the last day and a half, while we were at sea heading back to Miami, the wifi was almost unusable. That being said, I was satisfied with my wifi purchase overall over the course of the week.

On land, I had a personal roaming plan for the days in Miami. For Honduras and Mexico, I was able to use Rogers Roam Like Home on my work-issued phone (my boss asked me to stay available and use the roaming).

A WordPress tip: enabling links under Categories

In theory, if you tag posts in your blog by category, those category titles should be offered as links that show a search list of matching posts, on the blog’s main page, in a section labeled “Categories.”

It turns out that, in order for this to actually work, you must first enter values under Settings | Permalinks | Optional, in the "Category base" and "Tag base" fields. Note I chose to use the value "categories" rather than the suggested value "topic" for both fields. Entering values in these fields will result in the links under Categories displaying a correct listing of the posts in each category.

New VPS: remember the swap file

Recently, I activated a very small VPS: 512MB RAM, 20GB SSD drive space. It ran WordPress well under Fedora 27. However, I encountered a problem with DNF refusing to update, exiting with a kernel panic on the executable.

Turns out that a virtual server image with a minimal OS config can be born without a swap file. I found this link to be useful (note that for this subsystem Fedora 27 is close enough to CentOS 7, which itself is essentially Fedora 19):

https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-centos-7
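The swap-file procedure in script form, as an added example (mine, not the post's or the linked tutorial's), with the one detail worth checking on any box that handles keys: the file must be mode 600, because pages swapped out of RAM (private keys, passwords, session cookies) land in it in the clear. The default size of 1024 MiB and the path /swapfile are my assumptions.

```sh
#!/bin/sh
# Added example (mine, not from the post or the linked tutorial): add a swap
# file to a small VPS in a repeatable way. Size in MiB and path are
# parameters; the defaults (1024, /swapfile) are my assumptions.
# Usage as root:  sh add-swap.sh run [size_mib] [path]
set -eu

# Read /proc/meminfo-style text from stdin; succeed if swap is configured.
# Kept separate from the side effects so it can be checked offline.
has_swap() {
    awk '/^SwapTotal:/ { if ($2 > 0) ok = 1 } END { exit !ok }'
}

add_swap() {
    size_mib="${1:-1024}"; path="${2:-/swapfile}"
    if has_swap < /proc/meminfo; then
        echo "swap already configured, nothing to do"; return 0
    fi
    # dd rather than fallocate: the kernel rejects a swap file with holes,
    # and dd is safe on every filesystem
    dd if=/dev/zero of="$path" bs=1M count="$size_mib"
    # pages swapped out of RAM (keys, passwords, session cookies) land here in
    # the clear, so nobody but root may read the file
    chmod 600 "$path"
    mkswap "$path"
    swapon "$path"
    # persist across reboots, without adding a duplicate line on re-runs
    grep -q "^$path " /etc/fstab || printf '%s none swap defaults 0 0\n' "$path" >> /etc/fstab
}

case "${1:-}" in
    run) shift; add_swap "$@" ;;
    *)   : ;;   # no argument: define functions only
esac
```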

 

Self-sufficiency in web hosting: over the years

Although my experience with web hosting servers goes back two decades, I have recently stopped hosting content for others, and no longer maintain DNS or email server infrastructure.

Given the trends of consolidation and cloud, what are the best practices to manage a digital footprint at the beginning of 2018? There are four fundamentals: domain registrar, DNS server, email server, and web server. For bonus points, a test server.

Here is what I did, which is a strategy that would be suitable for a small business or personal presence on the Internet, or for a startup up to 10 or 20 people.

Domain registrar

I purchased the domain on which this is hosted from godaddy.com

DNS server

GoDaddy offers a terrific DNS control panel built-in — I encourage people to use it rather than giving up control of their DNS to a hosting ISP.

email server

A colleague continues to maintain an email server, and has been gracious enough to host my email. I would suggest outsourcing your email to a boutique ISP like integrationm.com, or a service like Gmail for Business.

web server

What works for me:

I leased a small Virtual Private Server (VPS) from Digital Ocean running Fedora Linux, and have configured it to host a few websites, including my personal blog using WordPress, and some vacation photos. Some people might want a server with cPanel in order to manage the server.

What you should consider as a hosted option:

Get a WordPress blog from a boutique ISP like integrationm.com or wordpress.com, or if you need a builder and commerce capabilities, squarespace.com to host the www.domain.com and domain.com for your site. Do not give the ISP control of your DNS, just ask them for the IP address and point to the hosts using your DNS control panel.

Test server

I have a test server at home, a Vista-class 64 bit dual core with 4GB RAM and a small SSD for the operating system, and a few big USB external drives formatted with ext4 and NTFS partitions, running Fedora 27. I can supplement the limited resources of a very small VPS package by mounting, over the WAN, the file system on my home test server. Some of this can of course be done as a network mount like NFS or SMB (Windows style) over a VPN link. However, an even cleaner yet still secure approach is an sshfs remote file system mount, which I predict will make many VPN setups redundant or greatly simplified in the future.
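Taking the sshfs idea above one step further, as an added example (mine, not the post's): the VPS mounts the home test server with a dedicated key, and the test server restricts that key so it can do nothing but SFTP. The names are placeholders I chose: user vpsmount, host home.example.com, exported directory /srv/share, mount point /mnt/home and key ~/.ssh/vpsmount_ed25519.

```sh
#!/bin/sh
# Added example (mine, not from the post): mounting the home test server over
# the WAN with sshfs, using a dedicated key that the server side restricts to
# SFTP. Placeholders (mine): user "vpsmount", host "home.example.com",
# exported directory /srv/share, mount point /mnt/home, key ~/.ssh/vpsmount_ed25519.
# Usage:  sh sshfs-mount.sh authorized-line "$(cat vpsmount_ed25519.pub)"
#         sh sshfs-mount.sh mount
set -eu

# The authorized_keys line to install on the test server (OpenSSH 7.2+):
# "restrict" disables port/agent/X11 forwarding and pty allocation, and
# command="internal-sftp" pins the key to the SFTP subsystem, which is all
# sshfs needs. A key stolen from the VPS then yields file access to the
# exported directory, not a shell or a tunnel into the home network.
restricted_authorized_key() {
    printf 'restrict,command="internal-sftp" %s\n' "$1"
}

# Mount read-only with that key only (no agent, no other identities) and a
# host key that must already be in known_hosts; "reconnect" survives WAN hiccups.
mount_share() {
    sshfs -o IdentityFile="$HOME/.ssh/vpsmount_ed25519" \
          -o IdentitiesOnly=yes \
          -o StrictHostKeyChecking=yes \
          -o ro,reconnect,ServerAliveInterval=15,idmap=user \
          vpsmount@home.example.com:/srv/share /mnt/home
}

case "${1:-}" in
    authorized-line) restricted_authorized_key "${2:?public key}" ;;
    mount)           mount_share ;;
    *)               : ;;   # no argument: define functions only
esac
```

On the test server the printed line goes into ~vpsmount/.ssh/authorized_keys, and vpsmount should own nothing outside /srv/share; with the key restricted this way, the home side exposes one directory over SFTP and nothing else, which is the property that makes the sshfs route a reasonable substitute for a VPN.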

We may live in the age of the cloud but there is still room for individual expression and self-sufficiency. It’s never too late to reformat a piece of junk as a home test server.

New domain, VPS, blog, and test server

This blog is my way of posting relatively uncontroversial information, like technical articles about Linux, or vacation photos. There have been times where a Google search helped me find a blog article written by somebody in 2012 that helped me fix a technical problem. I hope to pay it forward by creating similar articles myself.

Although I work as a system administrator, I have only recently renovated my personal digital presence, with a domain, a Virtual Private Server (VPS), and now this blog. I plan to follow my brother’s example in terms of blog posting, except that I plan to keep the blog hosted on the VPS rather than on bare metal running at home.

My test server at home can of course run Linux/Apache/MySQL/MariaDB/PHP (LAMP) sites, but it is mostly a home media server and VPN server. In the next few days I will be posting about my test server and recent experiments with OpenVPN on my home network: making home resources available remotely via a VPN client, or acting as a network gateway to other computers on the network. There have been many howtos, some excellent but out of date. I will share my adaptation of another person’s suggested procedure, along with corrections and additions.

If you stick around for a few weeks, you might even see pictures of Star Trek stuff.