CentOS, OpenVPN: How to configure openVPN on CentOS 6.5?

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

Routing is probably a better choice for most people than bridging. It is more efficient and easier to set up.

I. RPMFORGE PACKAGE
Install the RPMforge (or EPEL) package so that yum can install packages from repositories other than the default ones.

1. Login as root

2. Check your host’s architecture
uname -i

3. Install additional repositories EPEL or RPMForge on CentOS
Install RPMforge or EPEL (instructions below)

CentOS and Red Hat 5.x
wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm -Uvh epel-release-5*.rpm

CentOS and Red Hat 6.x
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm

CentOS and Red Hat 7.x
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
sudo rpm -Uvh epel-release-7*.rpm

II. OPENVPN
yum install openvpn -y

III. EASY-RSA
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./clean-all

IV. GENERATE CA, keys, cert
1. Build the CA file
./build-ca

Fill in the "Common Name" field: domain / server / hostname

2. Build the server key
./build-key-server server

Fill in the "Common Name" field: domain / server / hostname
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y

3. Build the Diffie-Hellman parameters
./build-dh

4. Generate a certificate and key for one client (always use a unique Common Name for each client)
Generate without a password for the client:
./build-key client
Generate with a password for the client:
./build-key-pass client

Fill in the "Common Name" field: client

V. SERVER
Save the file as server.conf

port 12345
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3

Enable IP forwarding (so that all OpenVPN clients can ping every IP in the LAN, 10.10.10.1 – 10.10.10.255).
root@linux# echo 1 > /proc/sys/net/ipv4/ip_forward

To keep IP forwarding enabled after a reboot, edit "/etc/sysctl.conf" and uncomment the line "net.ipv4.ip_forward=1".
root@linux# vi /etc/sysctl.conf
net.ipv4.ip_forward=1

VI. FIREWALL
Add rules to your firewall (open port 12345 on your router)
root@linux# iptables -A INPUT -p udp --dport 12345 -j ACCEPT
root@linux# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@linux# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@linux# iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

Show all iptables rules:
iptables -L -v

Show iptables nat rules:
iptables -L -t nat

VII. OPENVPN AS SERVICE
service openvpn start
or
/etc/init.d/openvpn start

Start automatically at boot
chkconfig openvpn on

VIII. CLIENT (run with root privileges)
Save the file as client.conf

# public IP (or hostname) of the OpenVPN server, and the port set in server.conf
remote 8.8.8.8 12345
client
dev tun
proto udp
nobind
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
ns-cert-type server

# Additionally on Windows Vista / 7, if you see "Route addition via IPAPI failed"
route-method exe
route-delay 2
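As an added example (not part of the original post or of the OpenVPN project), a small Python linter that cross-checks a server.conf/client.conf pair like the two above for the transcription mistakes that typically break the tunnel: word-processor quotes in push lines, a client remote port that differs from the server's port, a missing privilege drop or persist option, and a DH parameter file named for fewer than 2048 bits. The two sample configs embedded in it are constructed and deliberately contain some of these mistakes.

```python
import re
# Constructed sample pair (not the post's files): one push line carries
# word-processor quotes and the client's port differs from the server's.
SERVER_CONF = """port 12345
dh dh1024.pem
push "route 192.168.1.0 255.255.255.0"
push „redirect-gateway def1 bypass-dhcp”
user nobody
group nobody
persist-key
persist-tun
"""
CLIENT_CONF = """client
remote 8.8.8.8 23123
"""

def parse_conf(text):
    """Split an OpenVPN config into (directive, argument string) pairs,
    skipping blank lines and '#'/';' comment lines."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line and line[0] not in '#;':
            parts = line.split(None, 1)
            entries.append((parts[0], parts[1] if len(parts) > 1 else ''))
    return entries

def lint(server_text, client_text):
    """Return human-readable findings for a server.conf/client.conf pair."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    sdirs = {d for d, _ in server}
    sport = next((a for d, a in server if d == 'port'), '1194')  # OpenVPN default
    findings = []
    for d, a in server:
        # „ ” are not quote characters to OpenVPN, so the option would be split on spaces
        if d == 'push' and not re.fullmatch(r'"[^"]*"', a):
            findings.append(f'push argument needs straight double quotes: {a}')
        if d == 'dh':  # easy-rsa names the file after its size (dh1024.pem)
            m = re.search(r'\d+', a)
            if m and int(m.group()) < 2048:
                findings.append(f'dh file {a} suggests fewer than 2048 bits')
    for d, a in client:
        if d == 'remote':
            cport = (a.split()[1:] or ['1194'])[0]  # "remote host [port]"
            if cport != sport:
                findings.append(f'client remote port {cport} != server port {sport}')
    for need in ('user', 'group', 'persist-key', 'persist-tun'):
        if need not in sdirs:
            findings.append(f'server.conf lacks "{need}"')
    return findings
```

Run `lint(open('server.conf').read(), open('client.conf').read())` against your own pair; an empty list means none of the checked mistakes are present.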

SOURCE
https://openvpn.net/index.php/open-source/documentation/howto.html

PDF: error message "Document is encrypted"

When you try to save a PDF you get the error message "Document is encrypted".

Run the commands below in a terminal as root, or prefix each command with sudo:
1) Get information about new packages
robert@linux~$ sudo apt-get update

2) Install the qpdf package
robert@linux~$ sudo apt-get install qpdf

3) input.pdf (source file), output.pdf (output file after decrypting the PDF)
robert@linux~$ qpdf --decrypt input.pdf output.pdf

4) Open the output file, make your changes and save it as a new file

CentOS 6: Good timezone, bad hour

The actual time is 10:30 but the system shows 11:30, although the timezone is set correctly.

[root@server]# date
Fri Dec 6 11:30:53 CET 2013

[root@server]# yum install ntp
[root@server]# ntpdate 0.pl.pool.ntp.org

[root@server]# date
Fri Dec 6 10:30:53 CET 2013

Samba: Share Home Directories on CentOS 6.4

[global]
workgroup = WorkGroup
wins support = yes
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d

security = user
encrypt passwords = true
passdb backend = tdbsam
unix password sync = yes

unix charset = UTF8
display charset = UTF8
dos charset = CP852

[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0750
directory mask = 0750
valid users = %S

hide dot files = yes
hide files = rdiff-backup/

vfs objects = recycle
recycle:repository = kosz
recycle:keeptree = yes
recycle:versions = yes
recycle:directory_mode = 550

Check the SELinux booleans for Samba
[root@Cenos]# getsebool -a | grep samba
[root@Cenos]# getsebool -a | grep smb

Allow sharing of the default CentOS home directories
setsebool -P samba_enable_home_dirs on

SMB Status
[root@Cenos]# service smb status
smbd (pid X) is running

NMB Status
[root@Cenos]# service nmb status
nmbd (pid X) is running

Start the SMB daemon
service smb start
Start the NMB daemon
service nmb start

Start Samba on boot
chkconfig smb on
chkconfig nmb on

or with specified runlevel
chkconfig --level 345 smb on

To show the runlevels the service is enabled in
chkconfig --list smb
chkconfig --list nmb

CentOS 6.4: Configure EPEL Repository

The EPEL repository is an extra repository that creates, maintains and manages a high-quality set of additional packages for CentOS servers. Using the EPEL repository you can install third-party software such as nagios, bugzilla, phpmyadmin, rdiff-backup or any other standard open-source software with the yum command alone. These repositories are not officially supported by CentOS, but EPEL provides much more current versions of popular PHP or MySQL applications.

1. Download and import the GPG keys for EPEL software packages
[root@centos ~]# wget http://ftp.riken.jp/Linux/fedora/epel/RPM-GPG-KEY-EPEL-6
[root@centos ~]# rpm --import RPM-GPG-KEY-EPEL-6
[root@centos ~]# rm -f RPM-GPG-KEY-EPEL-6

2. Download and install EPEL repository for 64-bit CentOS
[root@centos ~]# wget http://ftp.riken.jp/Linux/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@centos ~]# rpm -ivh epel-release-6-8.noarch.rpm