Sunday, August 19, 2018

Install and Configure OpenVPN on Raspberry Pi

This post supplements our post on setting up and configuring OpenVPN; here the OpenVPN server runs on a Raspberry Pi instead of an EC2 instance.

Download and Install Raspbian OS

Download the latest Raspbian image and write it to an SD card with Etcher. Once the Raspberry Pi boots, follow the first-boot wizard to set a password, enable wifi and update the software. SSH and VNC can be enabled from the Raspberry Pi Configuration application, or from the command line with raspi-config. Change the default pi password before enabling ssh, since the default credentials are well known.

Install OpenVPN and Easy-Rsa

Once the system is updated, install OpenVPN with:

sudo apt-get install -y openvpn

The Raspbian repository does not carry version 3 of Easy-RSA. Version 3 is easier to use and needs far less configuration, so we download it from the OpenVPN project on GitHub at https://github.com/OpenVPN/easy-rsa. After downloading and unpacking the archive, we copy its contents to /etc/openvpn/easy-rsa as described in the next section.


Preparing Easy-RSA Folder

In this section we prepare the Easy-RSA directory. First, download the latest release archive from the Easy-RSA page on GitHub.

Next, extract the archive into the Downloads folder. Then create the directory under /etc/openvpn and copy the files into it:

# make a directory for easy-rsa
sudo mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo cp -rv <download folder of easy-rsa>/* ./

The rest of the configuration is the same as our post "Configuring OpenVPN on AWS EC2 (Update: Aug 2018)"; please continue from the "Setup OpenVPN and Generate Keys" section there. Two Debian-specific differences apply on Raspbian: the sample server configuration lives at /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz (unpack it with gunzip), and the unprivileged group is called nogroup, so the privilege-dropping lines in server.conf are "user nobody" and "group nogroup".

Configure Router

If the Raspberry Pi sits behind your home router, the router must forward TCP port 1194 to the Pi's LAN address. Give the Pi a static address or a DHCP reservation first, so the forward does not break when the lease changes, and forward only the VPN port. Please consult the manual of your particular router for the port-forwarding steps.

Testing and Troubleshooting

Listed below are some tips on troubleshooting OpenVPN:

Server Configuration

  1. Check that the server is running with systemctl status.
  2. Use journalctl -xe to read the error messages.
  3. Every time the .conf file is changed, the service MUST be restarted for the change to take effect.
  4. Eliminate every error until the server starts cleanly.
  5. The most common error is a wrong path to a key or certificate file, so check each path carefully. The sample paths change between software versions, so do not assume a path from an older guide is still valid.

Client Configuration

  1. Similarly, make sure the client configuration file loads without any error.
  2. The most common problem is that the client cannot find the key or certificate files referenced in the profile.
  3. Eliminate each problem until the profile loads in the client software.
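The key-path checks in the two lists above (the same problem the EC2 post's troubleshooting section calls the most common error) can be scripted. The script below is an added example, not code from the original post. It reads an OpenVPN 2.4 style configuration, resolves every file that the ca, cert, key, dh, tls-auth, tls-crypt, crl-verify, pkcs12, askpass and auth-user-pass directives point at, and reports files that are missing or, for private material, readable by other users. Relative paths are resolved against a base directory you pass in, because OpenVPN resolves them against its working directory: /etc/openvpn/server for the openvpn-server@ unit, or whatever directory you ran "openvpn --config" from. The sample profile used in the test is constructed for this example.

```sh
#!/bin/sh
# check_ovpn_paths.sh (added example, not from the original post)
# Usage: check_ovpn_paths <config> [<base dir for relative paths>]
# Exit status 0 when every referenced file exists and private files are 0600/0400.

# Print "directive path" for each file-referencing directive in an OpenVPN
# config. Comments (# or ;) and inline <ca>...</ca> style blocks are skipped.
ovpn_file_refs() {
    awk '
        /^[[:space:]]*</ { inline = !inline; next }   # toggle on <tag> and </tag>
        inline || /^[[:space:]]*[#;]/ || NF < 2 { next }
        $1 ~ /^(ca|cert|key|dh|tls-auth|tls-crypt|crl-verify|pkcs12|askpass|auth-user-pass)$/ { print $1, $2 }
    ' "$1"
}

# Public material may be world-readable; everything else must not be.
is_public_directive() {
    case $1 in ca|cert|dh|crl-verify) return 0 ;; *) return 1 ;; esac
}

check_ovpn_paths() {
    conf=$1
    base=${2:-$(dirname "$conf")}
    rc=0
    refs=$(ovpn_file_refs "$conf")
    while read -r directive path; do
        [ -n "$directive" ] || continue
        case $path in /*) full=$path ;; *) full=$base/$path ;; esac
        if [ ! -f "$full" ]; then
            echo "MISSING  $directive -> $full"
            rc=1
        elif is_public_directive "$directive"; then
            echo "ok       $directive -> $full"
        else
            # GNU stat first, BSD/macOS stat as fallback; accept 600/400/700 style modes only
            mode=$(stat -c %a "$full" 2>/dev/null || stat -f %Lp "$full")
            case $mode in
                ?00) echo "ok       $directive -> $full (mode $mode)" ;;
                *)   echo "LOOSE    $directive -> $full (mode $mode, want 600 or 400)"; rc=1 ;;
            esac
        fi
    done <<EOF
$refs
EOF
    return $rc
}

# Typical invocation on the server (paths as in the EC2 post):
#   check_ovpn_paths /etc/openvpn/server/server.conf /etc/openvpn/server
```

Run it against the server configuration with the unit's working directory as the base, and against a client profile with the directory the profile is kept in. A MISSING line is exactly the error the service log reports as a failure to open a file; a LOOSE line is a private key that OpenVPN will still load but that any local user can copy.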


Connection Problem

  1. If both the server and the client run without error but a connection still cannot be established, troubleshoot from the client towards the server. First make sure the client has no firewall in the way, or disable it temporarily for troubleshooting.
  2. Next, check the router in front of the Raspberry Pi. Temporarily allow the router to respond to ping and make sure you have its correct public IP address. If you can ping the router, proceed to the next step (and turn ping responses off again afterwards).
  3. Next, check that port forwarding is set up correctly. As a test, forward TCP port 22 (the ssh server) the same way and try to ssh to the Pi from outside. If that works, the port-forwarding method is correct. Remove the port 22 forward as soon as the test is done; do not leave ssh exposed to the Internet.
  4. Next, check that the same port number is used in the server and client configuration files, and that the router forwards that port.
  5. Make sure the same protocol (tcp or udp) is configured on the server and the client, and that the router forwards the right protocol.
  6. Finally, comment out tls-auth (or tls-crypt) on both sides and try connecting. If the connection succeeds without it but fails with it, the problem lies with the control-channel key.
  7. Switch from tls-auth to tls-crypt. Note that the key direction (0 on the server, 1 on the client) applies only to tls-auth; tls-crypt takes just the key file, and a direction number after it is ignored.
  8. If the TLS key is configured correctly, make sure the correct key and certificate files were downloaded and used; downloading them again is the simplest check.

Client Firewall

  1. If you can connect to the VPN server with the client firewall down but not with it up, the problem is the client firewall.
  2. Usually a client firewall causes no problem, since it blocks incoming and allows outgoing traffic. Make sure it allows outgoing traffic to the VPN port (TCP 1194 here).

Internet Problem

  1. If the VPN connection succeeds but you cannot browse the Internet, the problem lies with IP forwarding, NAT or DNS on the server.
  2. First make sure the routing script has run, and that it runs automatically at every reboot (the iproute.service from the EC2 post).
  3. If the script has run, check the interface name in the iptables command. Not every system uses eth0 as its default interface, so change the name to the interface that actually carries the default route (ip route show default).
  4. If the Pi is on wifi, replace eth0 with wlan0.

Please search the web or ask in the forum when all else fails.


***



Friday, August 17, 2018

Configuring OpenVPN on AWS EC2 (Update: Aug 2018)

Update Aug 2018

When we configured OpenVPN on AWS a few months back, OpenVPN was still in the Amazon repository. If we start a new instance now, OpenVPN is no longer available there, so we configure EPEL as an additional repository and install OpenVPN from it. Using the EPEL repository, we installed the latest version of OpenVPN (2.4.6). Please note that the configuration is quite different: the new OpenVPN package uses systemd units instead of chkconfig.

If you are still using an old AWS image or an older version of OpenVPN, this post is not for you; please see our older post Configuring OpenVPN on AWS EC2.

This post is for those using the latest AWS AMI and OpenVPN version 2.4.6.

Creating and Starting AWS Instance

We will not go through the process of launching the instance. Please see our previous post Configuring OpenVPN on AWS EC2, or the Amazon AWS tutorial Launch a Linux Virtual Machine.


Connecting to Instance

In this section, we will be connecting to the server via ssh. First, we copy the key file to ssh folder:

cp ~/Downloads/myServerKey.pem ~/.ssh/

If there is no .ssh folder, use the home folder instead.

cp ~/Downloads/myServerKey.pem ~

Next, we need to change the permission:

chmod 400 myServerKey.pem

We connect to ssh with:

ssh -i ~/.ssh/myServerKey.pem ec2-user@xxx.xxx.xxx.xxx
# (xxx refers to ip address from our instance summary)

Once the connection succeeds, the instance's login banner is shown.



Next, we would like to prepare the server for openvpn.

Installing OpenVPN and Preparation

Before we install openvpn, we update the system:

# EC2 maintenance
sudo yum update -y

Next, try to install OpenVPN using the command below. 

# Install openvpn try 
sudo yum install openvpn -y
sudo yum install easy-rsa -y --enablerepo=epel

If it works, please skip the next section of configuring epel repo. Otherwise, please continue to configure epel repo.
Configure the latest EPEL repository with the following command:

# If we cannot install openvpn, configure epel for centos 7
# (we believe the AMI is based on centos 7)
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Next, we would like to update the system first before installing openvpn and easy-rsa:

# After install epel perform system update and install openvpn
sudo yum update -y
sudo yum install openvpn -y
sudo yum install easy-rsa -y

Next, we create a directory for easy-rsa under /etc/openvpn, so that the PKI is not lost when the package is updated. It is not advisable to keep the working files under /usr/share.

# make a directory for easy-rsa
sudo mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo cp -rv /usr/share/easy-rsa/3.0.3/* ./


Setup OpenVPN and Generate Keys

This section of setting up keys remains the same. To setup openvpn, first we initialize PKI and build the certificate authority:

# Build PKI and CA
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca

Please note that we will be asked to set a passphrase for the CA key. Use a long, strong passphrase: anyone holding ca.key and this passphrase can issue certificates that your server will accept.

Next, we generate the Diffie-Hellman parameters. The server uses them for ephemeral key exchange, which gives the sessions forward secrecy.

sudo ./easyrsa gen-dh

Next we generate the VPN server certificate. Choose a good passphrase for the server key. Note that the second command prompts for the CA passphrase, because the CA signs the request. A passphrase on the server key means the service cannot start unattended (someone has to type it at every boot); if that is a problem, generate the server key with "./easyrsa gen-req server nopass" instead.

# Generate server cert and signed
# Create a good server password
sudo ./easyrsa gen-req server
# When prompt, use CA password for signing
sudo ./easyrsa sign-req server server

Next, we generate a client certificate. Similarly, choose a good passphrase for the client key; if the certificate is for family or friends, they will have to enter that passphrase when connecting. Again, use the CA passphrase when signing.

# Generate client
sudo ./easyrsa gen-req client
sudo ./easyrsa sign-req client client

We can create as many client certificates as we need. The syntax for creating a client certificate is:

sudo ./easyrsa gen-req <filename>
sudo ./easyrsa sign-req client <filename>

Note: substitute <filename> with a name of our choice, one per user, so that an individual certificate can be revoked later without affecting the others.

Finally, for added security, we generate a static key ta.key for the control channel. Every control-channel packet must carry a valid HMAC (tls-auth) or be encrypted and authenticated (tls-crypt) with this key, so packets from anyone who does not hold it are dropped before the TLS handshake even starts. This blunts denial-of-service floods and port scans against the VPN port and keeps the TLS stack away from unauthenticated input.

# add TLS security
cd /etc/openvpn
sudo openvpn --genkey --secret ta.key



Copy Keys

We need to copy the generated keys to the client. For that, we create a separate folder and place the necessary files there.

Please note that it is easier to prepare the key files as root.

# *********************************************
# Below are the steps to copy the key files to a folder for scp

sudo su
cd /etc/openvpn
mkdir keys
cp ta.key keys
# dh.pem is server-side only; kept here as a backup copy, not sent to clients
cp /etc/openvpn/easy-rsa/pki/dh.pem keys
cp /etc/openvpn/easy-rsa/pki/ca.crt keys
cp /etc/openvpn/easy-rsa/pki/private/ca.key keys
cp /etc/openvpn/easy-rsa/pki/private/client.key keys
cp /etc/openvpn/easy-rsa/pki/issued/client.crt keys
# let ec2-user read the files for scp without making them world-readable
chown -R ec2-user:ec2-user keys
chmod 700 keys
chmod 600 keys/*

# ls -l keys to confirm
# exit from root
exit
# ************************************************

Please note that the client needs ca.crt, client.crt, client.key and ta.key. dh.pem is used only by the server. ca.key is never needed by a client, and the running server does not need it either; we copy it out only so that it can be kept offline.

Just a reminder: .crt files are certificates (public) and .key files are private keys. With multiple clients, each client receives only its own private key and certificate; ca.crt and ta.key are shared by all clients. Because ta.key is shared, treat it as a group secret: if a client device is lost, regenerate ta.key and redistribute it.


#################################################################################
# Below is instruction for local machine
# Copy from local machine
scp -i ~/.ssh/myServerKey.pem ec2-user@xxx.xxx.xxx.xxx:/etc/openvpn/keys/* ~/localpath/
#################################################################################

Finally, we remove ca.key from the server and tighten the permissions on the staging folder.

# Must only do after ca.key has been copied to the local machine and verified
# shred overwrites before unlinking (best effort on SSD/flash storage)
sudo shred -u /etc/openvpn/easy-rsa/pki/private/ca.key
sudo shred -u /etc/openvpn/keys/ca.key
sudo chown -R root:root /etc/openvpn/keys
cd /etc/openvpn/keys
sudo chmod 600 *

Note that with ca.key gone, the server can no longer sign new client requests. To add a client later, sign the request on the machine holding the offline copy, or restore ca.key into pki/private temporarily and remove it again afterwards.

In summary, we give each client only the following:
  • ta.key
  • ca.crt
  • client.crt - must be the certificate created for that user.
  • client.key - must be the private key created for that user.
dh.pem stays on the server. On the client side, make sure the key files have permission 400 or 600. Keep ca.key safe offline.
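Before handing the folder to a user, and again on the client side when a profile refuses to connect and the troubleshooting advice is to "download the key files again", it is worth checking that the files actually belong together. The script below is an added example and not part of the original post; it needs only the openssl command-line tool. It confirms that client.crt was issued by ca.crt, that client.key is the private key for client.crt (by comparing public keys, so it works for RSA and EC keys alike), that ta.key has the OpenVPN static-key format, and that ca.key has not been bundled by mistake. If the client key is passphrase-protected, put the passphrase in the CLIENT_KEY_PASS environment variable (a name chosen for this example); otherwise the key check reports a failure. The test material is generated on the fly with openssl and is not the PKI built above.

```sh
#!/bin/sh
# verify_bundle.sh (added example, not from the original post)
# Usage: verify_bundle <dir> [<client name, default "client">]
# Exit status 0 only when every check passes. Needs the openssl CLI.
verify_bundle() {
    dir=$1; name=${2:-client}; rc=0

    # The CA private key must never travel with a client bundle.
    if [ -f "$dir/ca.key" ]; then
        echo "FAIL: ca.key is in the bundle; the CA private key must never reach a client"
        rc=1
    fi

    # Certificate chains to this CA (signature and validity period).
    if openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
        echo "ok:   $name.crt is signed by ca.crt"
    else
        echo "FAIL: $name.crt does not verify against ca.crt (wrong CA or mixed-up files?)"
        rc=1
    fi

    # Private key matches the certificate: both must yield the same public key.
    # CLIENT_KEY_PASS (example name) supplies the passphrase for an encrypted key.
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout ${CLIENT_KEY_PASS:+-passin env:CLIENT_KEY_PASS} 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   $name.key is the private key for $name.crt"
    else
        echo "FAIL: $name.key is not the private key for $name.crt (or could not be read)"
        rc=1
    fi

    # ta.key must be an "openvpn --genkey --secret" file, not a TLS key.
    if [ -f "$dir/ta.key" ]; then
        if grep -q '^-----BEGIN OpenVPN Static key V1-----' "$dir/ta.key"; then
            echo "ok:   ta.key is an OpenVPN static key"
        else
            echo "FAIL: ta.key is not an OpenVPN static key file"
            rc=1
        fi
    else
        echo "FAIL: ta.key missing (needed for tls-auth / tls-crypt)"
        rc=1
    fi
    return $rc
}

# Example: check the files scp'd to ~/localpath before building the profile
#   CLIENT_KEY_PASS='the passphrase' verify_bundle ~/localpath client
```

A mismatch between client.key and client.crt is the case the OpenVPN log reports only indirectly (a TLS handshake that fails on the server side), so catching it here saves a round of guessing at the firewall.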

Setup OpenVPN Server Configuration

We can get a sample server configuration from the OpenVPN site, but it is easier to copy the one shipped with the package.

IMPORTANT CHANGE: Please note that we no longer place server.conf in /etc/openvpn. Instead it goes into /etc/openvpn/server, which is the directory the openvpn-server@ systemd unit reads from.

Use the following command to copy the sample:

cd /usr/share/doc/openvpn-2.4.6/sample/sample-config-files
sudo cp server.conf /etc/openvpn/server/

Edit the server file with:

#### Configure server file
sudo nano /etc/openvpn/server/server.conf


Listed below is the configuration we use.

IMPORTANT CHANGE: In our setup tls-auth did not work; we use tls-crypt instead, which also encrypts the control channel.

We add the following 2 lines:

askpass
auth-nocache

askpass makes OpenVPN prompt for the server key passphrase at startup, and auth-nocache stops it from keeping that passphrase cached in memory. Because someone has to answer the prompt, the service cannot come back up unattended after a reboot; if that matters, regenerate the server key with "./easyrsa gen-req server nopass" and drop askpass.

The following are the changes we made or settings we uncommented:

# We set the protocol to TCP as some firewalls block UDP.
# (Where UDP is allowed it is the better choice: TCP-in-TCP
# retransmission stalls make a TCP tunnel noticeably slower.)
proto tcp

# SSL/TLS root certificate (ca), certificate and private key
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key

# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/pki/dh.pem

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# tls-auth did not work for us; tls-crypt also encrypts the control channel.
# Give the full path of the ta key. tls-crypt takes no key-direction
# argument (the 0/1 belongs to tls-auth only).
tls-crypt /etc/openvpn/ta.key # This file is secret

# Compression stays off. Compressing data that mixes secrets with
# attacker-influenced content lets an attacker recover the secrets through
# a compression oracle (the VORACLE attack reported against VPNs in
# August 2018), so only enable these lines if you have a specific need.
#compress lz4-v2
#push "compress lz4-v2"

# Drop privileges after startup (use "group nogroup" on Debian/Raspbian).
user nobody
group nobody

# We need to comment out the following.
# This is for udp; to use tcp, it must be disabled.
#explicit-exit-notify 1


The follow are the defaults we use:

port 1194
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC   # with 2.4 on both ends, cipher negotiation upgrades the data channel to AES-256-GCM
persist-key
persist-tun
status openvpn-status.log
verb 3


Start OpenVPN Server

IMPORTANT CHANGE: Please note that the OpenVPN server is now started through systemd.

To start openvpn use the command:

# Use the following command to start server
sudo systemctl start openvpn-server@server.service
# server.service: "server" is the name of the .conf file in /etc/openvpn/server
# If foo.conf is the config file command will be
# sudo systemctl start openvpn-server@foo.service

To check whether the server is running, use the command:

# Use the following command to check server status
sudo systemctl status -l openvpn-server@server.service

To start the server on boot, use the command:

# Use the following command to enable server on boot
sudo systemctl enable openvpn-server@server.service

If an error occurs, use the following command to look for it:

# If error occurs use the following command to check for error
journalctl -xe

We can also check the error log at /var/log/messages.


Configure IP Routing

We also need to enable IP forwarding and NAT, so that VPN clients can reach the Internet through the server. Create the shell script /etc/openvpn/iproute.sh with the following content:

###############################################################################
# Copy the section below into the script iproute.sh
###############################################################################
#!/bin/sh
# Runs as root (via sudo or from the systemd unit), so no sudo is needed inside.
echo 1 > /proc/sys/net/ipv4/ip_forward
# 10.8.0.0/24 must match the "server" line in server.conf, and eth0 must be the
# interface that carries the default route. -C tests whether the rule already
# exists, so re-running the script does not stack duplicate rules.
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null ||
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
###############################################################################


Once the script is saved, make it executable:
sudo chmod +x iproute.sh


Then test it (as root, because it changes the kernel forwarding flag and the firewall):

sudo ./iproute.sh


To make the script run at every reboot, we create a systemd service. Use the following steps:

Step 1: Create a service file using the command:

sudo nano /etc/systemd/system/iproute.service

Step 2: Copy the following section to the service file:

#########################################
# Enter the following section in the file
#########################################
[Unit]
Description=Enable IP forwarding and NAT for OpenVPN clients
After=network.target

[Service]
# oneshot: the script exits after applying the rules; RemainAfterExit keeps
# the unit "active" so systemctl status shows that it ran.
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/openvpn/iproute.sh

[Install]
WantedBy=multi-user.target
#########################################

Step 3: Use the following command to start and enable the service:

sudo systemctl start iproute.service
sudo systemctl status -l iproute.service
sudo systemctl enable iproute.service


Configuring Client

Before we can connect, we need to configure the client profile. Copy the sample client file (client.conf) from the OpenVPN site or from the same sample-config-files directory on the server.

We add the following line:

auth-nocache

We need to made changes to the following:

# The hostname/IP and port of the server.
remote ip-address-my-server-1 1194

# Use tcp for vpn
proto tcp

# tls-auth did not work for us; tls-crypt takes only the key file
# (no key direction, the 1 belongs to tls-auth)
# tls-auth ta.key 1
tls-crypt ta.key

# Relative paths are resolved from the directory openvpn is started in;
# change them if the keys are kept elsewhere
ca ca.crt
cert client.crt
key client.key

The following are default:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3

For Mac OS X users, we recommend Tunnelblick, available at https://tunnelblick.net/. Please follow the site's tutorial on how to use it; it is quite intuitive.

For Ubuntu (Debian family) or Red Hat family users, install openvpn with apt-get or yum. Then launch the session from the command line:


# To connect openvpn vis command line
sudo openvpn --config '/pathToClientConfigFile'

Enter the client key passphrase when asked.

Alternatively, we can also use network manager.

Connecting From Client and Troubleshooting

Now we can start the session. To test the connection, ping 10.8.0.1 (the server's address on the tunnel). If the ping succeeds, we are good to go.

If the client fails to connect, first check the server log to see whether openvpn is running. The most common error is a wrong path to one of the keys.

If the server runs without error but the client still cannot connect, comment out tls-auth on both sides and try again. If that helps, switch to tls-crypt, which worked for us where tls-auth did not.

If the server runs without error and the client still cannot connect, try connecting from another network such as a public wifi, to see whether a firewall at the client's location is the problem.

If the connection succeeds but the browser does not work, check DNS and IP routing: is port forwarding correct, does the iptables command name the right interface (eth0 or wlan0), and does server.conf push the DNS servers? Also confirm that the forwarding script actually ran.


***




Wednesday, August 15, 2018

Syntax Highlighting with Prism.JS on Blogger.com

To enable syntax highlighting with Prism.JS, insert the following code at the end of the head section of your Blogger theme. Use https:// rather than http:// in both URLs: a stylesheet or script loaded over plain http is blocked as mixed content on an https blog, and could be altered in transit.



<link href='http://prismjs.com/themes/prism.css' rel='stylesheet'/>

<script src='http://prismjs.com/prism.js' type='text/javascript'/>


To include code in a post, switch the editor to HTML view and insert the following markup (escape < and & inside the code as &lt; and &amp; so Blogger does not treat them as HTML):


<pre class="lang-bash"><code>

#This is programming code for shell script
#!/bin/bash

</code></pre>

For other languages, replace bash with c, cpp, csharp, docker, javascript, swift, objectivec or python.

For more language code please refer to the end of the main page of Prism.JS.


***

Sunday, August 5, 2018

Install Fedora 28 on Mac Mini (late 2009)

This is a basic guide to installing Fedora 28 on a Mac Mini (late 2009). Fedora on this machine is somewhat unstable: during the install we received a message that the boot image had crashed. Despite the error message, we managed to get Fedora working.

Preparing to Install Fedora 28

To prepare a Fedora USB drive, download the Fedora Media Writer app. It downloads Fedora and writes it to the USB drive directly.

Installing Fedora 28

Boot from the USB drive by holding the Option (Alt) key. Then select Try Fedora 28. Once the live image has booted, we can use the Disks app to remove any partitions we want to get rid of. Alternatively, we can do that during installation.

Click the installer icon to run the Fedora installation app; it starts at the welcome screen.

 

Select the appropriate language and click Continue. You will be presented with the installation summary, except that the disk is not yet defined.


We can change the time zone and keyboard if we think the automatic selection is wrong. Under System, click Installation Destination to configure the drive.


Select the disk if you have more than one. Then choose whether the system should configure the drive automatically.


We select custom and click Done.


Because of the way the Mac Mini boots, we need a few more partitions than a plain PC install:

Partition | File System | Drive Space | Mount Point / Flag
sda1 | FAT16 | 200MB | Flag: boot, esp
sda2 | HFS+ (ESP) | 200MB | /boot/efi
sda3 | ext4 | 1GB | /boot
sda4 | linux swap | 8GB | swap (no mount point)
sda5 | ext4 | rest of free space | /

If defining partitions is a hassle, you can let the system configure them automatically. If you have not removed the unwanted partitions yet, you will be asked to reclaim disk space. Click Done.


We return to the summary screen. Please note that as long as any item shows red warning text, we cannot proceed with the installation. Once ready, click Begin Installation.


The installation then proceeds. Once it is complete, click Quit.


Reboot the system when ready.

Post Installation Configuration

During the first boot, we are given the chance to create a user ID and even to connect online accounts. We usually just create the user ID, after which Fedora is ready to use.

Update Fedora

Once logged in, the first thing to do is update the system. Run the following from a terminal:

sudo dnf update

Once the update is completed, reboot the system.

Enable Additional Repository 

We can enable additional repositories from the Software app. Open the app.


Notice the blue banner offering to enable additional repositories; we accept it.

Next, select Software Repositories from the drop-down menu, where each repository can be enabled or disabled.


Although the RPM Fusion repository is listed, only the Nvidia driver and Steam are available from it. To add the complete RPM Fusion repositories, run the following from the command line:

sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm


Install Additional Software

Most software can be installed via the Software app. Chrome has to be downloaded separately from the Google site. Please note that Chromium and Chrome are different products: Chromium is the open source browser, Google Chrome is Google's browser, tightly integrated with Google services.

Download the package marked 64 bit .rpm (for Fedora/openSUSE).


Click Accept and Install. Once the package has downloaded, click Install.


We also install additional software via command line as below:

sudo dnf install -y vlc
sudo dnf install -y fuse-exfat exfat-utils


Final Note

Please note that we had no luck installing any Broadcom wifi driver. If wifi is a must, get another wifi adapter.

***



Saturday, August 4, 2018

Installing and Configuring Raspbian for Raspberry Pi

This is a simple guide to installing and configuring Raspbian on a Raspberry Pi. Although NOOBS is recommended for beginners, we find that downloading the image and writing it to the SD card is much faster.

Installing Raspbian

First download the latest Raspbian image from the Raspberry Pi website and unzip it. We also need an SD card and a card reader or USB adapter to write it.

Next, install and launch Etcher, a free and open source tool for writing bootable images, which we run from a Debian/Ubuntu based Linux desktop. Select the image and the drive and begin the transfer.


Once it is done, insert the SD card into the Pi and boot the system. During the first boot we set the password and other basics. Once the setup is complete, refresh the package lists and upgrade the installed packages (update alone only refreshes the lists):

sudo apt-get update
sudo apt-get upgrade -y

Once the upgrade is complete we are good to go.

Configuring Raspbian

Raspbian is like any other Linux distribution. In addition, we can enable essential services such as the ssh server and the VNC server with the Raspberry Pi Configuration app, found under Preferences > Raspberry Pi Configuration:


Once the GUI is launched, select Interfaces. We can enable the camera, ssh or VNC.


Raspbian ships with RealVNC; once VNC is enabled we are good to go. Change the default pi password before enabling ssh or VNC, since the default is public knowledge. For further configuration, please refer to our posts under server configuration.

There are times when we need to reset the pi password or configure audio. We can do that from the command line with:

sudo raspi-config


A text-based configuration menu appears.


Forget Pi Password or Pi Password Not Accepted

To reset the password, select the first option; you will be prompted for a new password.

Reclaim Empty Space in SD Card

The Raspbian image uses less than 2GB. We can expand the root filesystem so that it uses the remaining free space on the SD card: under Advanced Options, select the first option, Expand Filesystem.


Set Raspberry Pi Audio

If a monitor is attached over HDMI, audio goes out over HDMI by default. To direct audio to the headphone jack instead, use Advanced Options > A4: Audio.

Configuration specific to the Raspberry Pi is done either in the GUI app or with raspi-config on the command line.

***