Setting up OpenVPN for your road warriors :
http://www.wains.be/index.php/2008/07/15/a-vpn-for-remote-users-with-openvpn/

Setting up a VPN between two sites :
http://www.wains.be/index.php/2008/06/07/routed-openvpn-between-two-subnets-behind-nat-gateways/

Today : how to route all traffic through the OpenVPN tunnel

On the server side :

First of all, if you want to route all your traffic through the VPN tunnel, you need to turn on IP forwarding (also called routing) and add a masquerading rule on the server (where eth0 is the device connecting you to the internet) :

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s 10.30.0.0/24 -o eth0 -j MASQUERADE

To make routing persistent, see http://www.wains.be/index.php/2006/06/06/enable-ip-forward-under-rhelcentos/

Then, here’s the OpenVPN configuration :

port 10000
proto udp
dev tun
comp-lzo
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
duplicate-cn
server 10.30.0.0 255.255.255.0
client-to-client
push "dhcp-option DOMAIN local.example.org"
push "dhcp-option DNS 172.16.7.253"
push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
log vpn.log
verb 1
chroot /tmp

You can see the option redirect-gateway that is responsible for creating all the routes on the client computer when the connection is set up.

The two other push options are only taken into account by Windows clients (to my knowledge).
If you want to change the DNS resolution of your linux clients, you need to use the up and down options on the client (see below).

Client configuration :

vpn.conf :

client
dev tun
proto udp
remote vpn.example.org
port 10000
nobind
persist-key
persist-tun
ca ./ca.crt
cert ./user.crt
key ./user.key
verb 5
up ./up.sh
down ./down.sh
ping 60
ping-restart 120

up.sh :

#!/bin/sh
mv /etc/resolv.conf /etc/resolv.conf.bak
echo "search local.example.org" > /etc/resolv.conf
echo "nameserver 172.16.7.253" >> /etc/resolv.conf

down.sh :

#!/bin/sh
mv /etc/resolv.conf.bak /etc/resolv.conf

When connecting to the server (with verbose option set to 5), we can see the server pushing the route settings to the client.

Fri Jul 18 23:22:19 2008 us=838005 ifconfig tun0 10.30.0.6 pointopoint 10.30.0.5 mtu 1500
Fri Jul 18 23:22:19 2008 us=843211 route add -net 72.x.x.x netmask 255.255.255.255 gw 172.16.7.253
Fri Jul 18 23:22:19 2008 us=845178 route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.30.0.5
Fri Jul 18 23:22:19 2008 us=848568 route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.30.0.5
Fri Jul 18 23:22:19 2008 us=850460 route add -net 10.30.0.0 netmask 255.255.255.0 gw 10.30.0.5

On the client, the routes :

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
72.x.x.x  172.16.7.253   255.255.255.255 UGH   0      0        0 wlan0
10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.7.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.30.0.5       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.30.0.5       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.16.7.253   0.0.0.0         UG    0      0        0 wlan0

RPM : vsftpd

Config : /etc/vsftpd/vsftpd.conf

By default :
- anonymous users will fall in a chroot located in /var/ftp/pub. They have read access only.
- local users are connecting in their /home and are not chrooted

In order to chroot local users use in the config :
chroot_local_user=YES

Thanks to Toutim for pointing out a mistake I’ve made in this article.

Create an empty 250M file :
dd if=/dev/zero of=/swapfile bs=1024 count=256000

Create the swap on the newly created file :
mkswap /swapfile

Enable the new swap file :
swapon /swapfile

Edit fstab and add :
/swapfile swap swap defaults 0 0

Verify if the new swap space is enabled :
cat /proc/swaps
free -m

A good idea is to have your swap partition as an LVM volume.. So you can always resize it if your needs are growing.

1. Creation of Physical Volumes (PV)

pvcreate /dev/hda4
pvdisplay

It is good practice to always use “(pv|vg|lv)display” after creating a volume.

/dev/hda4 is an empty partition.. see fdisk manpages for help.

2. Creation of Volume Groups (VG)

vgcreate VolGroup00 /dev/hda4
vgdisplay

We are naming the volume group “VolGroup00″, call it whatever you like.
The VG will take the whole partition space here. You can specify the size by using the “-s” option.

3. Creation of Logical Volumes (LV)

lvcreate --size 500M --name LogVol00 VolGroup00
lvdisplay

A 500M Logical Volume has been creating inside “VolGroup00″.

4. Formatting the newly created Logical Volume

mkfs.ext3 /dev/VolGroup00/LogVol00
mount /dev/VolGroup00/LogVol00 /somedir

5. (optional) Resizing a Logical Volume

umount /somedir
lvextend -v -L +100M /dev/VolGroup00/LogVol00
e2fsck -f /dev/VolGroup00/LogVol00
resize2fs /dev/VolGroup00/LogVol00
mount /dev/VolGroup00/LogVol00 /somedir

We made the Logical Volume 100M bigger.
Then, you need to resize the ext3 partition inside the Logical Volume.

We will enable quotas on /home on the /dev/hda3 partition.

Create user :
useradd user1
passwd user1

Edit /etc/fstab :
From :
/dev/hda3 /home ext3 defaults 1 2
To :
/dev/hda3 /home ext3 defaults,usrquota,grpquota 1 2

Remount the disk (make sure it’s not in use) :
mount -o remount /home

Check if usrquota and grpquota are enabled :
mount | grep /home

Create quota files :
quotacheck -cvug /home

This creates /home/aquota.user and /home/aquota.group

Check quota :
quotacheck -avug

Enable quota for user1 :
edquota user1
Edit soft and hard limits (1000 = 1 MB) or inode values.

Check the quota for user1 :
quota user1

Enable quota :
quotaon -avug

In addition :

Through a cron, run everynight when the filesystem is not used :
quotaoff -avug && quotacheck -avug && quotaon --avug

Get quota stats :
repquota -a

Warn users when their quota has been reached :
warnquota

For some reason I had to manually edit /etc/quottab for warnquota to work

I won’t explain here how to deal with the installer as it’s pretty easy.

1. create the partitions

Using fdisk or else
Set the ID type to “fd” (Linux RAID autodetect)

Say we got here /dev/hda2 and /dev/hdb2

2. create the RAID array with the first drive only

mdadm –create /dev/md0 –level=1 –raid-devices=2 /dev/hda2 missing

That’s my way of dealing with the creation of an array. You can obviously create the array with the 2 drives now.

3. Formatting the new array in ext3

mke2fs -j -c /dev/md0

-j for ext3
-c for check

4. Adding the other drive to the array

mdadm –add /dev/md0 /dev/hdb2

You should hear the drives working. They are actually synching
Type : cat /proc/mdstat to see what is actually happening.

5. Edit fstab

Edit /etc/fstab

Add a line to get the array mounting when the system boots

/dev/md0 /raid ext3 defaults 0 2

yum install httpd mod_ssl

service httpd start
chkconfig httpd on

Done !

I’m not sure what they could ask about Apache at the RHCE exam.. ? Virtual domains ?

Server side

Edit /etc/exports :
/home *(rw,sync)

Start service and make sure it’ll start at boot
service nfs start
chkconfig nfs on

Client side

Check if you can reach the server :
rpcinfo -p 10.0.0.254

Manually mounting the shared folder
mount -t nfs 10.0.0.254:/home /home

Setting up autofs on the client side to automount the NFS share :

Package needed : autofs

Let’s say we have a user “admin”

Edit /etc/auto.master :
/home /etc/auto.misc --timeout 60

Edit /etc/auto.misc :
admin -rw,soft,rsize=8192,wsize=8192 server:/home/admin

Start the service :
service autofs start

It should mount the NFS share.

Check the status :
service autofs status

Server side :

Packages needed : yp-tools ypbind ypserv portmap

Edit /etc/yp.conf :
domain lab.local server server
ypserver server

Following this scheme :
domain ${domain} server ${host}
ypserver ${host}

By default /etc/ypserv.conf is ok.

Edit /etc/sysconfig/network and add :
NISDOMAIN=lab.local

At the prompt :
# domainname lab.local
# ypdomainname lab.local

Still under the prompt :
service portmap start
chkconfig portmap on

Start the NIS server :
service ypserv start

Make sure it’s actually running :
# rpcinfo -u localhost ypserv

Output should look like :
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting

Build the NIS maps :
/usr/lib/yp/ypinit -m
There you should specify the machines that will run a NIS server, when done hit ctrl + D

Start ypbind, yppasswdd, ypxfrd :
# service ypbind start
# service yppasswdd start
# service ypxfrd start

Make sure the required services will start at boot :
for service in ypserv ypbind yppasswdd ypxfrd; do chkconfig $service on; done

Client side :

Packages needed : yp-tools ypbind portmap

At the prompt :
# authconfig
or
# system-config-authentication

There you should select “Use NIS” then select “Next”
Then fill in the required info :
Domain : lab.local
Server : server.lab.local

Click OK

Your client machine should be properly configured and attached to the NIS server now.
Verify with :
client1# rpcinfo -u localhost ypbind

Then, check the NIS server map with :
client1# ypcat passwd

You should see the list of accounts on the NIS server.

Make sure the needed services will start at boot on the client :
for service in portmap ypbind; do chkconfig $service on; done

Edit /etc/hosts and add :
10.0.0.254 server.lab.local server
This is very important, for some reason, after setting up NIS auth, when pinging “server.lab.local” it was actually pinging the localhost. (if someone has a clue as to why it does that, drop me a line. I sniffed the traffic and noticed some NIS traffic when trying to ping the server)

Now, back to the server side !

Adding new users to the NIS server :

server# useradd account
server# passwd account
server# cd /var/yp
server# make

Make will update the NIS maps

More info :

http://cern91.tuxfamily.org/linux/indexnet.php?page=nis

http://bradthemad.org/tech/notes/redhat_nis_setup.php

I had downloaded the 4 ISO images of CentOS 4.4 overnight and burnt them.

Please consider the following :
I’m only building a local copy of the base and updates repo for CentOS 4.4 for the i386 architecture.

Follow these steps :

mkdir -p /var/www/html/mirror/centos/4.4/os/i386/
ln -s /var/www/html/mirror/centos/4.4 /var/www/html/mirror/centos/4

Insert CD1
cp -a /media/cdrom/* /var/www/html/mirror/4.4/os/i386/
When done
eject /dev/cdrom

Repeat the previous steps for CD2, CD3 and CD4 (say yes when asking for overwriting)

When done, you should make sure your base repository is up to date
rsync -avzH --delete eu-msync.centos.org::CentOS/4.4/os/i386/ /var/www/html/mirror/centos/4.4/os/i386/

Then, synchronize the “updates” repository, this should take a while and will download a massive amount of data (around 6.3 Gb when I built the mirror)
mkdir -p /var/www/html/mirror/centos/4.4/updates/i386/
rsync -avzH --delete eu-msync.centos.org::CentOS/4.4/updates/i386/ /var/www/html/mirror/centos/4.4/updates/i386/

Make the mirror available through NFS (no security consideration here ! quick and easy way) :
vi /etc/exports :
/var/www/html/mirror/centos/4/os/i386 *(rw,sync)

Start NFS :
service nfs start
chkconfig nfs on

Server : server
Path : /var/www/html/mirror/centos/4/os/i386/

Making the mirror available through HTTP :
service httpd start
chkconfig httpd on

Path : http://server/mirror/centos/4/os/i386/

Please note :
If you do use the CentOS rsync service, it is implied that you are providing a mirror for public use and give the CentOS admins authority to publicise the mirror

If you use the rsync service to build a local mirror for testing/learning purpose, please just synchronize it once. DON’T ABUSE.