OpenVPN and SSH tunnel

Big Brother doesn't like my OpenVPN server, time to try something else. How about SSH tunneling!
In the following example I'll use local port 1234, but it could be any. 

Btw what's "SSH tunneling"? Check this: http://www.revsys.com/writings/quicktips/ssh-tunnel.html, or that (nice graphs): http://www.akadia.com/services/ssh_putty.html

The web page below indicate how to run OpenVPN over SSH tunnel:
http://www.niteoweb.com/blog/openvpn-over-ssh

First I need to install SQUID on my server: 
apt-get install squid
--> seems Squid is up and running right after that, listening on port 3128.
_ add /etc/squid a line "http_access allow all" ... (insecure but...)
_ keep playing around with "http_access" in squid config (haven't found the optimal config yet)

Create the SSH tunnelling on Windows side:
_ Run Putty
_ Go to Connection / Data / Tunnels
_ Check "Local port accept connections from other host" (!!! not sure that is needed ???)
_ Add new port: 1234, host "yourvpnserver_address:3128"

[EDIT Feb. 2nd 2013 : I don't use OpenVPN at all anymore. I've just setup proxy 127.0.0.1:1234 in my Firefox ]
And finally tweak the OpenVPN config as indicated on niteoweb.com. With a little difference: SQUID being an HTTP proxy, not a SOCKS proxy. I'm lazy for the time being:
_ in server.conf:

   proto tcp

_ in client.conf:

   proto tcp
   http-proxy 127.0.0.1 1234
   route <some_IP_on_the_net> 255.255.255.255 net_gateway

_ Add a new IPTABLE rule on server side:

   iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT

or: iptables -I INPUT 1 -p tcp --dport 1195 -j ACCEPT 

 
(the latest is because I've kept the old server on 1194. Note: I first made a mistake and set 1194 for the new IPTABLES rule, and the new server on 1195 still worked! So not sure how useful it is in my setup).

Install OpenVPN with all traffic routed thru

New: my server is now located in Hong-Kong, and is running Debian 6 / OpenVZ

How to install an OpenVPN server? What I wanted was a fully-routed VPN server, I mean: to make all PC-applications traffic be transparently routed through the gateway, just by establishing VPN connection, and without having to set-up proxy. OpenVPN allows that.

First step: get a Linux server. If you want to bypass the Great Firewall, I recommend http://vpshosting.com.hk, good prices and support.

But when running OpenVpn, I've got following error:
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory

Don't panic, if like me you are running a virtual server, your TUN interface might be disabled by default for your container. Kindly mail your hosting provider so he enables it for you ("dear sir/madam, please enable TUN interface for my container", took mine one hour).

To ensure TUN interface is enabled, check this:
cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state <- mean TUN exists :)


Second step: install OpenVPN. With Debian it takes one command:
apt-get install openvpn

Third step: configure VPN

Here I give you the warning: here are some errors I made and that slowed me down.
1_ Don't read 10 tutorial at a time. Focus on http://openvpn.net/index.php/open-source/documentation/howto.html, it just works.
2_ Don't create a secret key-based VPN, for some reason it prevents full traffic redirection (don't have the full picture, it just turned out to be so for me.
3_ Instead of 2, make sure you create a client - server configuration. Follow those steps and save time, they are the truth: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
4_ Oh but, wait, the "iptables" command from previous step is not working? Indeed, it's using "MASQUERADE" rules, which is not supported in OpenVz-based VPS (like yours probably). Fortunately a geek out there found a solution, simply applies his steps: http://unixtitan.net/main/2010/09/20/openvpn-in-openvz-no-masquerade/

IPTABLES rules I finally had to apply:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to $VPS_STATIC_IP
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $VPS_STATIC_IP


That's it. I avoid copy-pasting all my own steps, don't want to be yet-one-more easy step-by-step tutorial (they got me lost).

Redirecting all traffic: this was my main purpose. The keys resides in the two following lines to add to your server.conf:
_ push "redirect-gateway def1"
_ push "dhcp-option DNS 8.8.8.8"
That's directing the client to redirect all traffic through the gateway. 8.8.8.8 is Google's public DNS, which just works well. Note: in some tutorial, tell you to use the "bypass-dhcp" option for full-traffic redirection. It doesn't work unless your VPN server is also a DNS server.

Hmm I think that's all.

If you follow all those steps, all remains is to run your server.
openvpn my_server.conf

You can run it manually if you want, but if you're a newbie like me don't forget the "screen" command (that I let you google)!

Then from client perspective, the OpenVpnGui is pretty easy to use.

Install Apache2 / PHP5

apt-get install apache2
apt-get install php5

Et là, on a beau taper "/etc/init.d/apache2 start", il ne se lance pas !

--> Il faut éditer le fichier "/etc/default/apache2" et mettre le "NO_START" à "0". Et voilà, Apache2 se lance au démarrage.

Commandes shell disque et mémoire

Afficher l'utilisation des disques (utilisé / disponible) :
df -h

Afficher l'utilisation mémoire :
free

Plein de commandes mémoire utiles ici :
http://www.oreilly.fr/contenu/2007/04/26/surveiller-la-consommation-m%C3%A9moire-sous-linux

Accélerer l'authentification SSH

L'authentification SSH vous semble lente ?
Editez votre fichier: /etc/ssh/ssh_config
Et commentez la ligne: "GSSAPIAuthentication yes"

Source

PC dans l'huile

Ca fait un moment que l'idée d'immerger mon serveur dans un bain d'huile me trottait dans la tête...
Pour ceux qui ne connaisse pas ce concept : cela permet de se passer de ventilateurs, et donc d'obtenir un silence total (hormis le disque dur).

Bon eh bien ça y est je l'ai fait !

Pour faire tenir la CM et l'alim au fond de la cuve, j'ai utilisé des réglettes en plastique qu'on utilise normalement pour l'électricité :


Evidemment j'ignorais que le Nokia N95 stoppait l'enregistrement vidéo à 30 secondes, du coup... Ben pas de remplissage en vidéo. Voici quand même le PC juste après le remplissage (avec le login XFCE) :

L'huile est de la premier prix, on est loin de la transparence et de la fluidité des huiles de marques. Le pire c'est l'odeur nauséabonde qui manque de transformer mon salon en station-service ; c'est pourquoi j'ai entouré le tout de cellophane afin de masquer l'odeur :

Côté ventilos, il n'y en a plus du tout, j'ai même viré celui de l'alim. Verdict au bout de 2 jours : ça chauffe pas mal, mais ça reste raisonnable (pas de fission du réacteur prévue à priori...).

Par contre le disque dur est très bruyant, c'est un vieux 4 Go qui fiat un bruit de turbine en permanence.

Installer NFS

Sous Xubuntu, il n'y a pas de serveur NFS par défaut ; normal puisqu'Ubuntu est orientée desktop.
Il faut donc d'abord installer le bon package :

apt-get install nfs-kernel-server

Cela étant fait, NFS Server se lance automatiquement au démarrage.

Vérifier que NFS tourne :
rpcinfo -p | grep nfs

PArtager les réperoires voulus :
/etc/exports

Relancer NFS :
killall -HUP nfsd
/etc/init.d/nfs-kernel-server start

Ports à oubrir : TCP/UDP 111(rpc), 2049(nfs), 4001-4003 (port dynamiques portmap).
Peut être : 369 (rpc2pormap), 952-tcp + 955-udp (mountd)

/etc/hosts.allow : doit être créé pour contenir adresse du réseau qui accède

Sous Windows (en local), il faut récupérer les fichiers /etc/passwd et /etc/group afin que Windows Client for Unix puisse les utiliser.

Et là, j'hallucine : j'ai perdu un temps énorme à essayer de comprendre pourquoi mon login / pass était rejeté sous Windows.... En fait, il faut se connecter à NFS en faisant click droit / connecter un lecteur réseau ! Et là ça fonctionne ! Edifiant !