
Monday 30 June 2014

Install and Configure Openvpn


Configure OPENVPN Server:

Assume the VPN server has two NICs:

eth0: the LAN that will be bridged for VPN clients, 192.168.1.0/24; gateway 192.168.1.254
eth1: management network, 10.0.0.100/24 (or a public IP address, as you prefer)

Because this is a bridged (tap) setup, VPN clients become members of the eth0 LAN, so the addresses handed to them below must come from 192.168.1.0/24, not from the management network.

1) Installation

# sudo apt-get install -y openvpn bridge-utils easy-rsa

2) Configuration

# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

(Debian and Ubuntu ship the sample gzipped as server.conf.gz; in that case use  zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf  instead.)

# vi /etc/openvpn/server.conf


Do this:

# line 53: change
dev tap0

# line 78: change like follows
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

# line 87: change (newer easy-rsa versions generate dh2048.pem rather than dh1024.pem; point this at whichever file build-dh produces in step 5)
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

# line 96: make it comment
# server 10.8.0.0 255.255.255.0

# line 103: make it comment
# ifconfig-pool-persist ipp.txt

# line 115: uncomment and change ( [bridge IP of the VPN server] [subnet mask] [first client IP] [last client IP] ); the client range must lie inside the bridged eth0 subnet and outside whatever the LAN's DHCP server hands out
server-bridge 192.168.1.100 255.255.255.0 192.168.1.101 192.168.1.150

# line 138: add ( [network VPN server in] [subnetmask] )
push "route 192.168.1.0 255.255.255.0"

# line 275: change
status /var/log/openvpn-status.log

# line 284: uncomment and change (the sample config says to use either log or log-append, not both; log-append keeps the history across restarts)
log-append /var/log/openvpn.log

# also uncomment  user nobody  and  group nogroup  (both commented out in the sample config) so the daemon drops root once the tap device and keys are open; persist-key and persist-tun, which the sample already enables, let it keep working across restarts without those privileges

3) Create the CA certificate and CA key.

Everything signed below is trusted by clients because of ca.crt; ca.key is the signing key and should never leave this directory (clients receive only ca.crt).

# mkdir -p /etc/openvpn/easy-rsa && cp -R /usr/share/easy-rsa/* /etc/openvpn/easy-rsa

# cd /etc/openvpn/easy-rsa

# mkdir keys

# vi vars


Do this:
# line 64: change to your environment

export KEY_COUNTRY="VN"
export KEY_PROVINCE="HCM"
export KEY_CITY="HCM"
export KEY_ORG="Home"
export KEY_EMAIL="info@home.home"

# source ./vars      # needs bash; exports the KEY_* variables for the scripts that follow

# ./clean-all        # empties the keys directory: run it once now, never again after certificates exist

# ./build-ca

Generating a 2048 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [VN]:# Enter
State or Province Name (full name) [HCM]:# Enter
Locality Name (eg, city) [HCM]:# Enter
Organization Name (eg, company) [Home]:# Enter
Organizational Unit Name (eg, section) []:# Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:vpn.home.home   # input FQDN
Name []:server-ca   # set
Email Address [info@home.home]:# Enter


4) Create certificate and key for server


# ./build-key-server server
Generating a 2048 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [VN]:# Enter
State or Province Name (full name) [HCM]:# Enter
Locality Name (eg, city) [HCM]:# Enter
Organization Name (eg, company) [Home]:# Enter
Organizational Unit Name (eg, section) []:# Enter
Common Name (eg, your name or your server's hostname) [server]:vpn.home.home   # input FQDN
Name []:server   
Email Address [info@home.home]:# Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <give yours>
An optional company name []: <give yours>
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'VN'
stateOrProvinceName:PRINTABLE:'HCM'
localityName:PRINTABLE:'HCM'
organizationName:PRINTABLE:'Home'
commonName:PRINTABLE:'vpn.home.home'
name:PRINTABLE:'server'
emailAddress:IA5STRING:'info@home.home'
Certificate is to be certified until Jul 12 09:30:14 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5) Generate Diffie Hellman ( DH ) parameter.

# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................


6) Create a certificate and key for the client (build-key-pass protects client.key with a passphrase, which the client asks for at connect time).

# ./build-key-pass client
Generating a 2048 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase:# set pass-phrase
Verifying - Enter PEM pass phrase:# confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [VN]:# Enter
State or Province Name (full name) [HCM]:# Enter
Locality Name (eg, city) [HCM]:# Enter
Organization Name (eg, company) [Home]:# Enter
Organizational Unit Name (eg, section) []:# Enter
Common Name (eg, your name or your server's hostname) [client]:client   # a name unique to this client; do not reuse the server's FQDN, every client needs its own CN
Name []:client
Email Address [info@home.home]:# Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <give yours>
An optional company name []: <give yours>
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'VN'
stateOrProvinceName:PRINTABLE:'HCM'
localityName:PRINTABLE:'HCM'
organizationName:PRINTABLE:'Home'
commonName:PRINTABLE:'client'
name:PRINTABLE:'client'
emailAddress:IA5STRING:'info@home.home'
Certificate is to be certified until Jul 12 09:31:14 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


7) Start OpenVPN

# cp /usr/share/doc/openvpn/examples/sample-scripts/bridge-start /etc/openvpn/openvpn-startup

# cp /usr/share/doc/openvpn/examples/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown

# chmod 755 /etc/openvpn/openvpn-startup

# chmod 755 /etc/openvpn/openvpn-shutdown

# vi /etc/openvpn/openvpn-startup


# line 17-20: change

eth="eth0"                    # NIC that is bridged (change if needed)
eth_ip="192.168.1.100"        # IP address that moves from eth0 to the bridge (same as the server-bridge address above)
eth_netmask="255.255.255.0"   # subnet mask
eth_broadcast="192.168.1.255" # broadcast address of the bridged subnet



Now start VPN server:

# /etc/init.d/openvpn start

You do not need to run /etc/openvpn/openvpn-startup by hand to create the bridge: the Debian/Ubuntu init script runs /etc/openvpn/openvpn-startup before starting the daemon and /etc/openvpn/openvpn-shutdown after stopping it, which is why the two scripts were copied under those names. On releases that start openvpn through systemd this hook no longer exists, so the bridge has to be brought up some other way (for example a unit that runs the two scripts) before openvpn starts.
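A consistency check for the server-bridge line from step 2 and the bridge addresses from step 7, added here as an example; it is not part of the original post and not an OpenVPN tool. In bridged mode OpenVPN hands clients the pool addresses verbatim on the eth0 LAN, so the pool has to fall inside the subnet described by the bridge IP and mask and must not contain the bridge IP itself. The function takes the directive as a string; the two sample lines at the bottom are constructed, the second being the 10.0.0.x pool that a copy-paste from a routed (tun) setup leaves behind on a 192.168.1.0/24 bridge.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an OpenVPN
# "server-bridge GATEWAY NETMASK POOL_START POOL_END" directive. In tap/bridge
# mode clients get pool addresses on the bridged LAN itself, so the pool must
# lie inside the subnet described by GATEWAY/NETMASK and must not contain
# GATEWAY. Pure POSIX sh; no OpenVPN needed.

# ip2int 192.168.1.100 -> 3232235876 (dotted quad to an integer for masking)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3232235776 -> 192.168.1.0
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_server_bridge "server-bridge GW MASK START END"
# Prints one line per problem (or an OK line); returns 0 only when the line is consistent.
check_server_bridge() {
    set -- $1
    if [ "$1" != "server-bridge" ] || [ $# -ne 5 ]; then
        echo "not a complete server-bridge directive: $*"; return 2
    fi
    gw=$(ip2int "$2"); mask=$(ip2int "$3"); lo=$(ip2int "$4"); hi=$(ip2int "$5")
    net=$(( gw & mask ))
    rc=0
    [ $(( lo & mask )) -eq "$net" ] || { echo "pool start $4 is outside $(int2ip "$net")/$3"; rc=1; }
    [ $(( hi & mask )) -eq "$net" ] || { echo "pool end $5 is outside $(int2ip "$net")/$3"; rc=1; }
    [ "$lo" -le "$hi" ]               || { echo "pool start $4 is above pool end $5"; rc=1; }
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "bridge address $2 lies inside the client pool"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: pool $4-$5 is inside $(int2ip "$net")/$3 and excludes $2"
    return $rc
}

# Constructed samples: the corrected line from step 2, and the 10.0.0.x pool a
# copy-paste from a routed (tun) setup would leave on a 192.168.1.0/24 bridge.
for line in \
    "server-bridge 192.168.1.100 255.255.255.0 192.168.1.101 192.168.1.150" \
    "server-bridge 192.168.1.100 255.255.255.0 10.0.0.101 10.0.0.150"
do
    echo "== $line"; check_server_bridge "$line" || :
done
```

Paste the server-bridge line from /etc/openvpn/server.conf into the check before restarting the daemon; a pool outside the bridge subnet does not make OpenVPN refuse to start, clients simply connect and then cannot reach anything.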




Configure VPN Client (on Windows):

1) Install Openvpn
Go to http://openvpn.net/index.php/open-source/downloads.html to download and install the Windows client.

2) Configure
Use SFTP (or another authenticated channel) to copy the following files from the VPN server; ca.key and server.key stay on the server:

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key

to <vpn_client_installed_directory>\config\ on the Windows desktop.

Copy the sample client configuration into the config directory:

Copy <vpn_client_installed_directory>\sample-config\client.ovpn to <vpn_client_installed_directory>\config\client.ovpn

and edit it to match the server: set dev tap (the server uses tap0), remote <server IP or FQDN> 1194, and ca ca.crt / cert client.crt / key client.key for the three files above. Also enable remote-cert-tls server, so the client only accepts a peer whose certificate was issued by build-key-server as a server certificate; without it any client certificate signed by the same CA could impersonate the server.


3) Run OVPN


Right-click the OpenVPN GUI icon in the taskbar, click "Connect", and enter the passphrase you set for client.key in step 6.

Friday 6 June 2014

NGINX - Part 1 - Reverse Proxy Configuration

1_ Reverse Proxy with NginX

The topology for this test:

<Client>  ====>  [Nginx - Reverse Proxy] ====> [Backend Server]

1) Installation (on both the proxy and the backend server)

#sudo apt-get update
#sudo apt-get install nginx

2) Configuration 

Backend server (also Nginx)
After installing nginx, edit nginx.conf and use the following content:
#sudo vi /etc/nginx/nginx.conf

Content of file:

user www-data;
worker_processes 4;
pid /run/nginx.pid;
worker_rlimit_nofile 30000;

events {
        worker_connections 10240;
        # multi_accept on;
}

http {

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 5 5;
        send_timeout 10;
        ## End: Timeouts ##

        #server_names_hash_bucket_size 128; # this seems to be required for some vhosts
        index    index.html index.htm index.php;

        include /etc/nginx/sites-enabled/*;
}

Save the file and move on to the virtual host:
Change directory to /etc/nginx/sites-available, create a file with whatever name you want (nhut_backend below) and fill it in as in the sample:


server {
        listen 8888;
        server_name  backend.nhut.com;
        root /web_data;

        location / {
                include block-country.conf;
                autoindex on;
                autoindex_exact_size off;
                autoindex_localtime on;
        }
}

This configuration creates a site named "backend.nhut.com" with document root /web_data, listening on port 8888. The lines inside "location" turn the site into a directory listing (autoindex), which is convenient for a load-test backend and should never stay on for anything that serves real data. The include of block-country.conf (the allow/deny list shown in the proxy section below) means only the addresses allowed there can reach the backend on port 8888; list the proxy's address so clients cannot skip the cache by hitting the backend directly, and note that the file must exist in /etc/nginx on the backend too, otherwise nginx refuses to start.

The purpose of this setup is a proxy stress test using cosbench (or JMeter, ab, ... whichever you prefer). Under /web_data we will create a directory structure for the stress test.

After creating the virtual host, create a link to enable the site:

#sudo ln -s /etc/nginx/sites-available/nhut_backend /etc/nginx/sites-enabled/nhut_backend

and start nginx:

#sudo /etc/init.d/nginx start

You should not get an error at this step (check the error log with  #sudo tail -f /var/log/nginx/error.log ).


Proxy server (Nginx)

Install the proxy on a separate server. Before getting into the Nginx configuration, check the server's open-file limits, which the load test will hit first. Run:

#ulimit -Sn
#ulimit -Hn

If the numbers are too small, raise them as follows:
1) Open /etc/security/limits.conf with the right permissions and add the following lines towards the end:

*         hard    nofile      500000
*         soft    nofile      500000
root      hard    nofile      500000
root      soft    nofile      500000

You can change the number "500000" as you want. And REMEMBER: the new limits only apply to sessions opened after the file is saved, so log out and log in again.

2) Open /etc/pam.d/common-session and add the following line (skip this if it is already there):

session required pam_limits.so

3) Open /etc/sysctl.conf. Add the following;

fs.file-max = 2097152

And then run:
#sysctl -p

After this step, run ulimit -Sn and ulimit -Hn again to verify the new limit.
Now, move on to configuring Nginx as the proxy server:

Edit /etc/nginx/nginx.conf and paste the configuration below:

user www-data;
worker_processes 4;
pid /run/nginx.pid;
worker_rlimit_nofile 30000;

events {
        worker_connections 10240;
        # multi_accept on;
}

http {

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 5 5;
        send_timeout 10;
        ## End: Timeouts ##

        #server_names_hash_bucket_size 128; # this seems to be required for some vhosts
        #index    index.html index.htm index.php;

        # Cache configuration
        #limit_conn_zone   $binary_remote_addr  zone=nhutcache:10m;   # if enabled, give it a name other than nhutcache, which proxy_cache_path already uses
        proxy_cache_path /proxy_test/ levels=1:2 keys_zone=nhutcache:100m max_size=300000m inactive=30d; # an entry not requested for 30d is removed, so the next request for it logs MISS

        proxy_temp_path /proxy_test/tmp;   # keep on the same filesystem as proxy_cache_path

        log_format cache 'BEGIN-- ***$time_local '
                     '***Cache-status: $upstream_cache_status '
                     '***Cache-Control: $upstream_http_cache_control '
                     '***Remote-addr: $remote_addr '
                     '***Expires: $upstream_http_expires '
                     '***Action: "$request" ($status) ($body_bytes_sent Bytes) '
                     '***HTTP-referer: "$http_referer" '
                     '***Client-Browser: "$http_user_agent" --END';

        access_log  /var/log/nginx/cache.log cache;

        # Sketch for dropping 403/404 lines from the log (left disabled): "if" is only
        # valid inside server or location, and the regex operator is "~", not "="
        #if ($status ~ ^(403|404)$) {
        #access_log off;
        #}
        include /etc/nginx/sites-enabled/*;
}


In nginx.conf we created a shared-memory cache zone named "nhutcache" whose files live on local disk under /proxy_test. Create that directory (and the proxy_temp_path directory) before starting nginx, make them writable by the worker user (www-data), and keep both on the same filesystem so finished responses are renamed into the cache instead of being copied.

Next, create the virtual host for the proxy:
Change directory to /etc/nginx/sites-available, create a file (nhut_proxy below) and paste the following:

upstream proxytest {
        server 10.76.0.46:8888;  # IP of the backend server created above
}

server {
        listen 8888;
        server_name  proxy.nhut.com;

        #for static files (note the escaped dot: an unescaped "." would match any character)
        #location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|txt|js|htm|html|avi|mpeg)$ {
        location ~* \.(jpg|jpeg|gif|png|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx|js|css)$ {
                include proxy.conf;
                #include block-country.conf;
                proxy_pass  http://proxytest;
                proxy_cache nhutcache;
                proxy_cache_valid 200 302 301 304 7d;   # how long static files with response 200, 302, ... stay fresh
                #expires 5m;
                #return 500;
        }

        #for any request whose path begins with "/file"
        location ~ ^/file {
                include proxy.conf;
                #include block-country.conf;
                proxy_pass http://proxytest;
                proxy_cache nhutcache;
                proxy_cache_valid 200 302 301 304 7d;   # once 7d is reached, Cache-status in the cache log will be EXPIRED
                #return 500;
        }

        #for all remaining requests
        location / {
                include proxy.conf;
                #include block-country.conf;
                proxy_pass http://proxytest;
                proxy_cache nhutcache;
                proxy_cache_valid 200 302 301 60m;
                proxy_cache_valid 404 403 1m;
                #return 500;
        }
}

Note: this file includes two files, proxy.conf and block-country.conf, so create both in the same directory as nginx.conf (/etc/nginx) with the content below:

Proxy.conf

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ignore_headers Expires Cache-Control;
client_max_body_size    10m;
client_body_buffer_size 128k;
proxy_connect_timeout   90;
proxy_send_timeout      90;
proxy_read_timeout      90;
proxy_buffer_size       4k;
proxy_buffers           32 4k;
proxy_busy_buffers_size    64k;
proxy_temp_file_write_size 64k;

Two things to keep in mind before reusing this beyond the stress test. proxy_ignore_headers Expires Cache-Control takes away the backend's only way to mark a response as not cacheable: anything it serves with Cache-Control: private or no-store is still stored under the default cache key ($scheme$proxy_host$request_uri) and served to the next client asking for that URL (responses carrying Set-Cookie are still excluded, since that header is not in the ignore list). That is fine for a backend that only serves static test files; in front of anything per-user, drop the directive or add proxy_no_cache and proxy_cache_bypass on $http_authorization and the session cookie. And $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client sent, so the backend must only trust the last address in that header, the one this proxy added.

Block-country.conf (optional; it is here because the test used a public IP in some cases). Rules are evaluated in order and the first match wins, so the final deny all applies to everything not allowed above it. On the backend, allow only the proxy's address so that clients cannot skip the cache by talking to port 8888 directly.

allow <IP of range/mask>;
allow ......./24;
allow 127.0.0.1;
deny all;


Create a link to enable your site:
#sudo ln -s /etc/nginx/sites-available/nhut_proxy /etc/nginx/sites-enabled/nhut_proxy

Now, start Nginx

#sudo /etc/init.d/nginx start

To monitor the Nginx cache, just:
#sudo tail -f /var/log/nginx/cache.log

To count HIT/MISS/EXPIRED statuses (the status is the fifth whitespace-separated field of the cache log format above, the value after "***Cache-status:"), run:
#sudo awk '{print $5}' /var/log/nginx/cache.log  | sort | uniq -c | sort -r
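A grep-based review of the proxy setup, added here as an example; it is not part of the original post and not an nginx feature. It flags four things a reviewer would raise on the vhosts and proxy.conf above: the backend's autoindex, the proxy ignoring origin Cache-Control with no bypass rule, the commented-out block-country.conf include, and the missing connection limit. The two config texts inside are constructed from the page's vhosts and proxy.conf; the hardened variant, its zone name perip and the choice to bypass the cache on Authorization and Cookie are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the original post: a grep-based review of the proxy setup.
# It is a heuristic over the text of one config file, not an nginx parser, and the
# four checks mirror the points a reviewer raises on the vhosts and proxy.conf above.

# audit_nginx_conf FILE -> one finding per line on stdout; return value = number of findings (0 = clean)
audit_nginx_conf() {
    f=$1; n=0
    # 1. directory listing (fine for a load-test backend, not for anything serving real data)
    if grep -Eq '^[[:space:]]*autoindex[[:space:]]+on' "$f"; then
        echo "autoindex on: directory listing is enabled"; n=$((n + 1))
    fi
    # 2. origin Cache-Control ignored and no request can bypass the cache: a private
    #    or per-user response gets stored under its URL and served to the next client
    if grep -Eq '^[[:space:]]*proxy_ignore_headers[^;]*Cache-Control' "$f" &&
       ! grep -Eq '^[[:space:]]*(proxy_no_cache|proxy_cache_bypass)[[:space:]]' "$f"; then
        echo "proxy_ignore_headers drops Cache-Control without proxy_no_cache/proxy_cache_bypass"; n=$((n + 1))
    fi
    # 3. the source-address allow list exists but is commented out
    if grep -Eq '^[[:space:]]*#[[:space:]]*include[[:space:]]+block-country\.conf' "$f"; then
        echo "block-country.conf include is commented out: reachable from any address"; n=$((n + 1))
    fi
    # 4. no per-client connection cap in front of worker_connections
    if ! grep -Eq '^[[:space:]]*limit_conn[[:space:]]' "$f"; then
        echo "no limit_conn: a single client can hold every worker connection"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample: the page's backend vhost, proxy vhost and proxy.conf folded into one file.
page_proxy_conf() { cat <<'EOF'
server {
    listen 8888;
    server_name backend.nhut.com;
    root /web_data;
    location / {
        include block-country.conf;
        autoindex on;
    }
}
upstream proxytest { server 10.76.0.46:8888; }
server {
    listen 8888;
    server_name proxy.nhut.com;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ignore_headers Expires Cache-Control;
        #include block-country.conf;
        proxy_pass http://proxytest;
        proxy_cache nhutcache;
        proxy_cache_valid 200 302 301 60m;
    }
}
EOF
}

# Same proxy vhost with the four points addressed. The zone name "perip" and the
# choice to bypass on Authorization and Cookie are assumptions, not from the page.
hardened_proxy_conf() { cat <<'EOF'
limit_conn_zone $binary_remote_addr zone=perip:10m;
upstream proxytest { server 10.76.0.46:8888; }
server {
    listen 8888;
    server_name proxy.nhut.com;
    limit_conn perip 20;
    location / {
        include block-country.conf;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ignore_headers Expires Cache-Control;
        proxy_no_cache $http_authorization $http_cookie;
        proxy_cache_bypass $http_authorization $http_cookie;
        proxy_pass http://proxytest;
        proxy_cache nhutcache;
        proxy_cache_valid 200 302 301 60m;
    }
}
EOF
}

# run_audit FUNC -> writes the config text that FUNC prints to a temp file and audits it;
# same return value as audit_nginx_conf
run_audit() {
    tmp=$(mktemp)
    "$1" > "$tmp"
    audit_nginx_conf "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

echo "== proxy as on the page =="; run_audit page_proxy_conf || echo "($? findings)"
echo "== hardened variant ==";     run_audit hardened_proxy_conf && echo "(clean)"
```

Run it with sh, or call audit_nginx_conf on a real file from /etc/nginx/sites-available; the exit status is the number of findings, so it can gate a deployment. It reads one file at a time and does not follow include, so check the vhost and proxy.conf separately or concatenate them first, as the samples do.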