VPS Setup at Binary Lane

Contents:

Binary Lane
Setup VPS User
Generate ssh keys
Prevent ssh Idle Timeouts
Installing openvpn server on the VPS
openvpn client
iptables
Backup and Restore iptables
Tutorials on iptables
iptables-persistent
How to configure iptables for openvpn
Rule Generator
IP Tunnel
How to setup OpenVPN on your VPS: Ubuntu 18.04
How to install Webmin on Ubuntu 18.04
Building A Raspberry Pi VPN
Setting up VPN Gateway with Raspberry PI
OpenVPN Setup on Ubuntu 18.04 Bionic Beaver Linux
/home/glenn/glenn.ovpn
pivpn
TUN and TAP
Private Network Space
Classless Inter-Domain Routing

Binary Lane

Dashboard:
https://home.binarylane.com.au/services/servers

Administrative Login:
https://www.binarylane.com.au/mpanel/manage/server.lyonscomputer.com.au

[Top][Home]

Setup VPS User

Add user and give administration privileges and permissions:

[Top][Home]

Generate ssh keys

Generate ssh keys:

[Top][Home]

Prevent ssh Idle Timeouts

If SSH drops out after a minute or so of no activity it could be because the NAT functionality on the home/office router is aggressively closing inactive connections. If I run a script that prints the date every 30 secs the link stays up it is probably an idle timeout.

On client (your workstation) enable ServerAliveInterval as follows:
vi /etc/ssh/ssh_config # gnl20200206 - stop the connection to the VPS from closing when inactive # add these lines to the end of the file if not already present. ServerAliveInterval 30 ServerAliveCountMax 5

[Top][Home]

Installing openvpn server on the VPS

The Server is installed on the VPS Site.

Launch OpenVPN Access Server On Ubuntu:
https://openvpn.net/vpn-software-packages/ubuntu/ Output from the Install process above:

Try this https://linuxconfig.org/basic-ubuntu-22-04-openvpn-client-server-connection-setup

[Top][Home]

openvpn client

Install on a local Rpi or computer.

Connecting to Access Server with Linux:
https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/

[Top][Home]

iptables

Some iptables commands:

iptables -S                 # list current rules
iptables -L INPUT           # table layout of INPUT chain
sudo iptables -L INPUT -v   # show data
sudo iptables -Z INPUT      # reset counters
iptables -L --line-numbers
sudo iptables -D INPUT 3    # delete rule line 3

Managing ports on a Dedicated or VPS server is done through command line.
For example, if you were trying to open port 9999, the command to add that rule would be:

iptables -A INPUT -m tcp -p tcp --sport 9999 -j ACCEPT
service iptables save
service iptables restart

Flush All Rules, Delete All Chains, and Accept All Network Traffic:
Note: This will effectively disable the firewall. Only follow this section if you want to start over the configuration of your firewall.
First, set the default policies for each of the built-in chains to ACCEPT to ensure that we won’t be locked out from the server via SSH:

sudo iptables -P INPUT ACCEPT       # Default rule
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Ten, flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X) so
the firewall will now allow all network traffic and there will only the three default
chains (INPUT, FORWARD, and OUTPUT) remaining:

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F            # reset all rule except default rules
sudo iptables -X

[Top][Home]

Backup and Restore iptables

/sbin/iptables-save > /<bup-dir>/iptables-works-`date +%F`
/sbin/iptables-restore < /<bup-dir>/iptables-works-<date>

[Top][Home]

Tutorials on iptables

How the Iptables Firewall Works
https://www.digitalocean.com/community/tutorials/how-the-iptables-firewall-works
How To Set Up a Firewall Using Iptables on Ubuntu 14.04:
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
Iptables Essentials: Common Firewall Rules and Commands:
https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#saving-rules
How To List and Delete Iptables Firewall Rules:
https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules#flush-chains
How To Set Up an Iptables Firewall to Protect Traffic Between your Servers
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-iptables-firewall-to-protect-traffic-between-your-servers
A Deep Dive into Iptables and Netfilter Architecture
https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
How To Test your Firewall Configuration with Nmap and Tcpdump
https://www.digitalocean.com/community/tutorials/how-to-test-your-firewall-configuration-with-nmap-and-tcpdump

16 iptables tips and tricks for sysadmins:
https://opensource.com/article/18/10/iptables-tips-and-tricks

[Top][Home]

iptables-persistent

Note: Rules added to iptables are ephemeral. This application creates a new service called iptables-persistent that is configured to run at boot. This service will load the rules and apply them when each time the server is started.

If the firewall is updated you must save your iptables rules for them to be persistent.

# For permanent iptables rules, use iptables-persistent apt install iptables-persistent /etc/init.d/iptables-persistent save /etc/init.d/iptables-persistent reload # invoke-rc.d iptables-persistent save # before firewall update vi /etc/iptables/rules.v4 # modifly iptables-restore -t < /etc/iptables/rules.v4 # test the syntax service iptables-persistent reload # load rules # netstat -4plunt # show ports in use ip -4 addr show scope global # find the network interface associated with an IP address

[Top][Home]

How to install Webmin on Ubuntu 18.04

Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more.

http://www.webmin.com/

vi /etc/apt/sources.list ### ADD WEBMIN REPOS ### deb http://download.webmin.com/download/repository sarge contrib wget http://www.webmin.com/jcameron-key.asc $ sudo apt-key add jcameron-key.asc $ sudo apt-get update ##Update the repositories apt install webmin https://112.213.34.215:10000/

How to install Webmin on Ubuntu 18.04:
Source:https://lowendbox.com/blog/how-to-install-webmin-on-ubuntu-18-04/

[Top][Home]

Building A Raspberry Pi VPN

Part One: How And Why To Build A Server:
https://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/

Part Two: Creating An Encrypted Client Side:

https://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side/

#!/bin/bash
# makeopenvpn.sh - generating a file for each client
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"

#Ask for a Client name
echo "Please enter an existing Client Name:"
read NAME


#1st Verify that client’s Public Key Exists
if [ ! -f $NAME$CRT ]; then
 echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
 exit
fi
echo "Client’s cert found: $NAME$CR"


#Then, verify that there is a private key for that client
if [ ! -f $NAME$KEY ]; then
 echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
 exit
fi
echo "Client’s Private Key found: $NAME$KEY"

#Confirm the CA public key exists
if [ ! -f $CA ]; then
 echo "[ERROR]: CA Public Key not found: $CA"
 exit
fi
echo "CA public Key found: $CA"

#Confirm the tls-auth ta key file exists
if [ ! -f $TA ]; then
 echo "[ERROR]: tls-auth Key not found: $TA"
 exit
fi
echo "tls-auth Private Key found: $TA"

#Ready to make a new .opvn file - Start by populating with the
default file
cat $DEFAULT > $NAME$FILEEXT

#Now, append the CA Public Cert
echo "<ca>" >> $NAME$FILEEXT
cat $CA >> $NAME$FILEEXT
echo "</ca>" >> $NAME$FILEEXT

#Next append the client Public Cert
echo "<cert>" >> $NAME$FILEEXT
cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT
echo "</cert>" >> $NAME$FILEEXT

#Then, append the client Private Key
echo "<key>" >> $NAME$FILEEXT
cat $NAME$KEY >> $NAME$FILEEXT
echo "</key>" >> $NAME$FILEEXT

#Finally, append the TA Private Key
echo "<tls-auth>" >> $NAME$FILEEXT
cat $TA >> $NAME$FILEEXT
echo "</tls-auth>" >> $NAME$FILEEXT

echo "Done! $NAME$FILEEXT Successfully Created."

#Script written by Eric Jodoin
\ No newline at end of file

[Top][Home]

Setting up VPN Gateway with Raspberry PI

https://www.raspberrypi.org/forums/viewtopic.php?t=96691
or
http://ozcan.com/blog/eng/setting-up-vpn-gateway-with-raspberry-pi/

vi /etc/openvpn/vpn.conf

The first line enables the use of external scripts to handle the DNS implementation tasks. The up and down lines are there to implement DNS servers pushed by the VPN server when the connection goes up, and afterwards to undo it, when the connection goes down. client dev tun proto tcp tun-mtu 1500 remote 112.213.34.215 1194 resolv-retry infinite nobind persist-key persist-tun verb 3 keepalive 10 120 comp-lzo cipher DES-CBC #to run openvpn with root privileges; user glenn group glenn daemon script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf <ca> -----BEGIN CERTIFICATE----- ......... -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- ......... -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- ......... -----END PRIVATE KEY----- </key>

Configuring iptables: iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

[Top][Home]

OpenVPN Setup on Ubuntu 18.04 Bionic Beaver Linux

apt update
apt install openvpn easy-rsa
cd
make-cadir certificates && cd certificates              # ca directory
source vars

https://linuxconfig.org/openvpn-setup-on-ubuntu-18-04-bionic-beaver-linux

ssh to VPS-Server wget https://git.io/vpn -O openvpn-install.sh

[Top][Home]

/home/glenn/glenn.ovpn

client
dev tun
proto udp
remote 112.213.34.215 1195
resolv-retry infinite
nobind
persis
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

-----BEGIN CERTIFICATE-----
MIIDQjCCAiqgAwIBAgIUQ+h/5D0ytmuTJPoX3vqIE7rDzCgwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAwwIQ2hhbmdlTWUwHhcNMjAwMTIxMDgzNDI3WhcNMzAwMTE4
MDgzNDI3WjATMREwDwYDVQQDDAhDaGFuZ2VNZTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANHz4ERhktFIanbuT4TFU2GoXhecMWZtAICGD2vk/D1L3l+R
R3VyYwcUmjreW1VpdOYlaFe53WFh0j2yZeQiAJ3mBhh1kgQ9orkd1emZYGgaux1m
4Tck+Y+OZj21JLIkYFmb9UYo20vTJdC9DaoZGH3+Au+axN0PVBcdjRy/TiHN9tqZ
3vzUUW5i1GXeF98uQQa10PNEDu3yyNhUV9cw4zEVFDYcF/feh1o+qNfE8gB9FOzf
dAZqmKutYwl/pDA6pnkJ+j4KbAi3FV3dLKMGEUzZFWLAdtIy5ixzZVrkhsSP/8vi
+busMFOAgdHtr4KJye5IQry0XsQ+UZpVxQWwwb0CAwEAAaOBjTCBijAdBgNVHQ4E
FgQUyh7DNLA0jr7Mo1+4f8vBY7VG2IUwTgYDVR0jBEcwRYAUyh7DNLA0jr7Mo1+4
f8vBY7VG2IWhF6QVMBMxETAPBgNVBAMMCENoYW5nZU1lghRD6H/kPTK2a5Mk+hfe
+ogTusPMKDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF
AAOCAQEAWuDVvf+/xPqcTjtvqUpYN/VGYu1m1jtjzDJHGY9ceeGYUfcwLrfkpNdg
fMtbqT0snlsqNjpELrxqLfOxz0Uc3pHvIZ/ZnEqb0sRJrrYOYON1aVrD/1rApRc5
8A00N/pPHW8KPFslTdSl9Bqkr6FMB6AQYNvpDySuicgnp+LeYTZono/80O9lwpFg
3JJ0h8L0/qnTYK72X0Vicq2gors85e1qPkRIn6LMiBEYHd2z0yxOkG3CGYCCKnwp
Ayg77OcOVrfTY42VVXR949MBzahwWn9G7q2b8AzAQK3Dj2cufoOmnTrgvvKn8AT1
HUpwt3i8jF0iLuIvl8C5E9DxKZwUZQ==
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIQUWt+R5tj8f+czLW63gqUZzANBgkqhkiG9w0BAQsFADAT
MREwDwYDVQQDDAhDaGFuZ2VNZTAeFw0yMDAxMjEwODM0MjhaFw0zMDAxMTgwODM0
MjhaMBAxDjAMBgNVBAMMBWdsZW5uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA0DEXkX4bACwkBXcftH5WxfeGvzNjlmevGR4QXcx6VwBpKe/mw/RytEf/
SCtTfDIuk1+I0Pb51ZouUAaVWFA86wQNCWXac+rfPEuBcNv81NPzylkeU5mrEt5I
Z+R6pMioQ5HGKFxLkrTkNJ/Zb0NSl1hrBQpB8WZNNnb79ZTOwxaApIzQ4ODgI8wt
CboYsMYjhaloIDIyFplADGZhfAP9zAgTTDu97Wm3HN0wVY2GbFE7e/aDefXbaRwe
AzOOIp2nfCEJOqTwV+PJgacnvqKU11I+bad/VenU8xh+bwjxV+eJyUdK9eoO/JDP
QCIbd7jnfSIT/DvzOKAnWpVpMUPs4QIDAQABo4GfMIGcMAkGA1UdEwQCMAAwHQYD
VR0OBBYEFDeXputuRR7DR3C034iIpn6qd5h1ME4GA1UdIwRHMEWAFMoewzSwNI6+
zKNfuH/LwWO1RtiFoRekFTATMREwDwYDVQQDDAhDaGFuZ2VNZYIUQ+h/5D0ytmuT
JPoX3vqIE7rDzCgwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0G
CSqGSIb3DQEBCwUAA4IBAQA6PxYh4N0JAQXScLMxuwmeDYiF6a5rJVbqOqDmysvy
XEltuzaxAWo4PomZnDrIEaJDZ3DpUqFNghrMmoKGSEjnZRQxzHAi8mUfkTq2VfKB
hvRO0VnaQLuGuCP7NGKMjVqELTwh8mYR94ebqal0senzOspVJr1HykKBkNxmKG6h
VrbuLLIP2s+7xBfkN/qUasSi564hWgu1yePwPmnqmTHMJYo5+FbiSQFw26xhR+J7
BThwZBWXW1FKeIiMgnDJaEukhT8q9Q1NnfHi0Mmfoqyg4mPKkQrqq9z+s0ZJ1s/i
pC/M94yl/MQscTvgf/nND4RxH+WwkBpToMfJTtiDhz8M
-----END CERTIFICATE-----


-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQMReRfhsALCQF
dx+0flbF94a/M2OWZ68ZHhBdzHpXAGkp7+bD9HK0R/9IK1N8Mi6TX4jQ9vnVmi5Q
BpVYUDzrBA0JZdpz6t88S4Fw2/zU0/PKWR5TmasS3khn5HqkyKhDkcYoXEuStOQ0
n9lvQ1KXWGsFCkHxZk02dvv1lM7DFoCkjNDg4OAjzC0JuhiwxiOFqWggMjIWmUAM
ZmF8A/3MCBNMO73tabcc3TBVjYZsUTt79oN59dtpHB4DM44inad8IQk6pPBX48mB
pye+opTXUj5tp39V6dTzGH5vCPFX54nJR0r16g78kM9AIht3uOd9IhP8O/M4oCda
lWkxQ+zhAgMBAAECggEAZ8oRldboXw2iZ5cblz/kwozEAE3+N904zazPO/PUicsK
on2W7dnP1VCPU8tFs4TQ82eNLZ/yrSpQLFUb3wshU4iRdz3vyhotcEG0Ji+FvBRu
VVJYbBUP1Dg8oI6nFb9zIzxpLXXVty23FwUZwP4vDoRl1f1nIpF9rMlkkum8qkSG
81R1Twe1OwZIaldHsQXgfyVmiKs/30bOdRnASN9PWPblZ85fL5YTukHwP41Wul/e
9z+9OeXBw5JYCupphr3tMsOWdsrRB5qTEGO5aUU3l1L78BDlH7scDO9emPvBwNpp
UEW4SMnFUEUO5SaJIXiQGI8zsqvnBmRrR0DIjTieAQKBgQD2QErGVbE/fBZpLO9E
viFLwoDHADUGoNuyXmYVLIgPhetDXN2WHo9Y+diUJKNucmPiV0OgEjAYKNNucp6+
FgA13DUx9PTbe27D2fV/QpL+1ZHUb31GG1DEC0L0nf+JrwJFuWJFbxnPVurCMX9U
eWLbwpfcZP+EpPfF3dnWuayVTQKBgQDYbxNWPPrwnjeeX21p0nGOQfv0QjNC8k2e
Qp9Y05/YxW/RcxlmQcYIQfB4EtheHxwJerX8x4edUS0jrSVTjO7GvmEcxQ0K8Cya
AQcU82vZe0Zn9orXT+iU+szsSi+OzQgJztYpRJp7Hiuy9qXsyqvo/j5mNnSlWCTb
gOaTHBBb5QKBgCffuTvsXEsfWLGnKQdEkjemQxv2GJ/+JBT53CXJlC6PTM0XmHna
cPPDYSJ73EriEvJvlu+wgkEnOzVDMhktjtMp2SNBuvRfRExKWspEiXDiPD7d3rcf
bTCRckIR43Lz97Y6koMTvmYoeNMBGNEg5rUXCWgSop1j6QsNJVzzq9JxAoGAZ4QQ
upFl8AmsTloT6aYWW9ThXbz/6YgcaZIxxnlJHZOo3INxZYAV6EMpcTSKOdIlRb9k
JWeFTE/UCBk7Hg/s8C+EIQ96In4mxu2w5mtabOVSEk1PsJVuhzrBIk6FGoajzpUX
xxshy7rtaaYgS/XPbRuU2qw29BIJZtbq8PdeN6UCgYA0dNuPriTwC5izcutIvT2S
XtxkKeda5jhrI9Bdz52INpzjlSSeYuRZvM+KRg9qkA7a7a/BPA1B3VgKCfMiPXd0
RvO9KdsVGSYVYYvLeHock1S1O33gtyat+RtzoODoDHxX3dDuPPEiELRDmA9pxjm7
NJiBbH0vUKp8HAvwmVvsuw==
-----END PRIVATE KEY-----


-----BEGIN OpenVPN Static key V1-----
935819e5401282627fa559cd7e6827a1
54e5096ae7a74080a68021d2de606981
0a075657a128a92620dbc7cc5bf95df5
a8b6be922b8b1e8c6b4eb33ec72e406d
9e966a8f5c13d5a60c47ba566cabeac1
1a5758d95d50ddd3603810a516fa6b1b
217ef2de7fca5edb029d184db1ed3138
bfd3ff732909e48293c05f93913a5ef6
a2bd51ed0a47c0a89a8bc86e5c70d6a7
a63c6f02fae970420bc39b1666f1f047
ae121df29f3e00e81b43ed9480cc5b9a
4f47ff869a15a433d6b9f4aaafaf8d09
e8deb327f47265734873b195f2ac8336
e03d710fc96cc2b2e3142c36c5a2abcf
71cfe547ff4154fa3195df6ff11763c1
0180ad70e052e42dc59f0be73281055d
-----END OpenVPN Static key V1-----

[Top][Home]

pivpn

PiVPN The simplest way to setup and manage a VPN in Rpi:

Designed for Raspberry Pi
Can choose Wire or OpenVPN
Installs as a Server
Generates Certificates slowly

https://www.pivpn.io/

On Rpi R5:

curl -L https://install.pivpn.io
install.pivpn.sh

[Top][Home]

TUN and TAP

https://en.wikipedia.org/wiki/TUN/TAP

[Top][Home]

Private Network Space

+---------------+-------------------------------+---------------------+--------------------+---------------+-------------+--------------+----------------+----------------------+
| RFC1918 name	| IP address range              | Number of Addresses | Largest CIDR block | Netmask       | Subnet Mask | Host ID size | Mask bits      | Classful Description |
| 24-bit block	| 10.0.0.0 – 10.255.255.255     | 16777216            | 10.0.0.0/8         | (255.0.0.0)   | 24 bits	 | 8 bits	    | single         | class A network      |
| 20-bit block	| 172.16.0.0 – 172.31.255.255   | 1048576             | 172.16.0.0/12      | (255.240.0.0) | 20 bits	 | 12 bits	    | 16 contiguous  | class B networks     |
| 16-bit block	| 192.168.0.0 – 192.168.255.255 | 65536	              | 192.168.0.0/16     | (255.255.0.0) | 16 bits     | 16 bits	    | 256 contiguous | class C networks     |
+---------------+-------------------------------+---------------------+--------------------+---------------+-------------+--------------+----------------+----------------------+

https://en.wikipedia.org/wiki/Private_network

[Top][Home]

Classless Inter-Domain Routing

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and IP routing. IP addresses are described as consisting of two groups of bits in the address:

the most significant bits are the network prefix,
which identifies a whole network or subnet, and
the least significant set forms the host identifier

Source: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing [Top][Home]

Glenn Lyons VK4PK
glenn@LyonsComputer.com.au
Ver:gnl2019mmdd - pre published v0.9

VPS Setup at Binary Lane

Binary Lane

Setup VPS User

Generate ssh keys

Prevent ssh Idle Timeouts

Installing openvpn server on the VPS

openvpn client

iptables

Backup and Restore iptables

Tutorials on iptables

iptables-persistent

How to configure iptables for openvpn

Rule Generator

IP Tunnel

How to setup OpenVPN on your VPS: Ubuntu 18.04

How to install Webmin on Ubuntu 18.04

Building A Raspberry Pi VPN

Setting up VPN Gateway with Raspberry PI

OpenVPN Setup on Ubuntu 18.04 Bionic Beaver Linux

/home/glenn/glenn.ovpn

pivpn

TUN and TAP

Private Network Space

Classless Inter-Domain Routing