OpenVPN on Slackware

First things first… Thanks to DigitalOcean for their excellent howtos, which have helped me countless times. Thanks also to Rudi Drusian for the complementary information here.

I used Rudi’s first part with a few changes: I changed some parts and removed others to make it simpler. I expect you to already know how to protect a VPN server, so the obvious stuff won’t be here.

In my case, openvpn was already installed. In case you need it:

# Slackware
slackpkg install openvpn

Now this is the most important part for me. Even with DigitalOcean’s howtos, I never remember where to get easy-rsa:

cd /mnt/usb
git clone https://github.com/OpenVPN/easy-rsa

Also valuable info here: setting up easy-rsa.

cd easy-rsa/easyrsa3/
cp vars.example vars
vi vars

# Organizational fields
set_var EASYRSA_REQ_COUNTRY  "US" # Country
set_var EASYRSA_REQ_PROVINCE "California" # State
set_var EASYRSA_REQ_CITY     "Los Angeles" # City
set_var EASYRSA_REQ_ORG      "My Company" # Organization name
set_var EASYRSA_REQ_EMAIL    "contact@mycompany.com.br" # Email
set_var EASYRSA_REQ_OU       "IT Department" # Organizational Unit

# Expiration (in days)
set_var EASYRSA_CA_EXPIRE   7300 # CA validity
set_var EASYRSA_CERT_EXPIRE 3650 # Validity of issued certificates

Initializing PKI

# Access the EasyRSA directory (/mnt/usb/easy-rsa/easyrsa3/ in my case)
cd /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/

# Initialize the PKI (creates the pki/ directory next to the easyrsa script)
./easyrsa init-pki

# Create the CA. You will be asked for a CA key passphrase and a Common Name;
# the CA private key (pki/private/ca.key) never needs to leave this directory
./easyrsa build-ca

# Generate the TLS key (an OpenVPN static key, written to pki/private/easyrsa-tls.key)
./easyrsa gen-tls-crypt-key

# Generate the Diffie-Hellman (DH) parameters (pki/dh.pem; this takes a while)
./easyrsa gen-dh

I don’t know why Rudi didn’t run this, but please do:

# Use this against DoS and port flooding: with an HMAC key the server drops
# control-channel packets that carry no valid signature before doing any TLS work.
# This is the OpenVPN 2.5+ syntax; older versions use: openvpn --genkey --secret ta.key
cd /etc/openvpn/keys
openvpn --genkey tls-auth ta.key
cd -

Note that the server config further down points tls-auth at easyrsa-tls.key, the file produced by gen-tls-crypt-key above. Both files are the same OpenVPN static key format, so either one works, but ta.key only does anything if you reference it in the config. Using that file with tls-crypt instead of tls-auth gives the same early packet rejection and additionally encrypts the control channel.

Create the server certificate

gen-req asks for a Common Name (the default, office, is fine) and sign-req asks you to confirm with "yes". nopass leaves the server key unencrypted so openvpn can start unattended at boot:

./easyrsa gen-req office nopass
./easyrsa sign-req server office

Copy the files from easy-rsa to the openvpn config directory (check afterwards that everything under /etc/openvpn/keys is readable only by root):

cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/issued/office.crt /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/private/office.key /etc/openvpn/keys/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/private/easyrsa-tls.key /etc/openvpn/keys/

Grab a sample config file to set up the server

cd /etc/openvpn/
cp sample-config-files/server.conf office.conf

Change the file to match your needs; use the links I provided at the beginning or google it. Here’s an example:

##############################################
#   Example configuration for a OpenVPN      #
#  server with support for multiple clients. #
##############################################

local x.x.x.x  # Local IP address on which OpenVPN should listen
port  1194     # TCP/UDP port used by OpenVPN
proto udp      # Transport protocol (TCP or UDP)
dev   tun      # Tunnel type: routed (tun) or Ethernet (tap)

ca       /etc/openvpn/certs/ca.crt           # CA certificate
dh       /etc/openvpn/certs/dh.pem           # Diffie-Hellman (DH) parameters
cert     /etc/openvpn/certs/office.crt       # Server certificate
key      /etc/openvpn/keys/office.key        # Server private key
tls-auth /etc/openvpn/keys/easyrsa-tls.key 0 # HMAC on every control-channel packet; key direction 0 on the server, 1 on clients. "tls-crypt" with the same file (no direction) also encrypts the control channel

;crl-verify  /etc/openvpn/crl.pem # Certificate Revocation List

topology subnet                # One VPN address per client instead of the legacy net30 layout, which burns a /30 per client
server 10.8.0.0 255.255.255.0  # Set the VPN network, server will be 10.8.0.1
ifconfig-pool-persist ipp.txt  # Keeps a record of IPs assigned to clients

# Sends a route to clients,
# allowing access to internal networks
push "route 192.168.10.0 255.255.255.0"

# Set a folder for client-specific
# configurations. Allows assigning
# fixed IPs and routes. 
client-config-dir ccd

# Uncomment to allow clients to
# communicate with each other
;client-to-client

# Sends a ping every 10 seconds; a client restarts its connection after
# 120 seconds without a reply. In server mode the server gives up on a
# silent client only after twice that, 240 seconds
keepalive 10 120

cipher AES-256-GCM # Cipher for clients too old to negotiate one; since OpenVPN 2.5 this is the same as data-ciphers-fallback
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC # Ciphers offered during negotiation, in order of preference
;data-ciphers-fallback AES-256-CBC # Support for older versions

# Disables compression for security reasons
allow-compression no

# Maximum number of simultaneous clients
max-clients 100

# Reduces privileges after initialization
user nobody
group nobody

# Improves connection stability
persist-key # Prevents reloading keys after a reconnection
persist-tun # Keeps the VPN interface active during a reconnection

# Path to log files
status      /var/log/openvpn-status.log
log-append  /var/log/openvpn.log

verb 3   # Log detail level
mute 20  # Silences repeated log messages after 20 displays

# Notifies clients when the server is
# restarted so they can reconnect
explicit-exit-notify 1

Allow OpenVPN to start at boot. Slackware’s rc.inet2 runs rc.openvpn at boot only when the script is executable:

chmod +x /etc/rc.d/rc.openvpn

To bring the server up right away, run the same script with the start argument and watch /var/log/openvpn.log for "Initialization Sequence Completed".
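Before starting the server it is worth checking that the files copied into /etc/openvpn/certs and /etc/openvpn/keys actually fit together. The script below is an added example, not part of the original post and not easy-rsa tooling: it verifies that ca.crt signs the server certificate, that the private key matches it, that the certificate carries the TLS server extended key usage that "sign-req server" adds (clients configured with "remote-cert-tls server" reject anything else), that easyrsa-tls.key is a well-formed OpenVPN static key, and that the key files are not group- or world-readable. The directory layout and the "office" name follow the post; the throwaway PKI at the bottom is constructed with plain openssl so the check runs offline, and it assumes openssl plus GNU or BSD stat are available.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa: check the files
# that were copied into the OpenVPN certs/ and keys/ directories before the
# server is started. Directory layout and the "office" name follow the post;
# the throwaway PKI at the bottom is constructed here with plain openssl so
# the check can run offline. Assumes openssl and GNU or BSD stat.
set -u

# check_vpn_pki CERT_DIR KEY_DIR NAME
# Returns 0 when ca.crt signs NAME.crt, NAME.key matches NAME.crt, NAME.crt
# carries the TLS server EKU (added by "sign-req server"; clients using
# "remote-cert-tls server" insist on it), easyrsa-tls.key is a well-formed
# 2048-bit OpenVPN static key, and the private keys are not group/world
# readable. Prints every failure and returns 1 otherwise.
check_vpn_pki() {
  certs=$1; keys=$2; name=$3; rc=0
  ca=$certs/ca.crt; crt=$certs/$name.crt
  key=$keys/$name.key; tls=$keys/easyrsa-tls.key

  for f in "$ca" "$crt" "$key" "$tls"; do
    [ -r "$f" ] || { echo "MISSING $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "OK   $crt chains to $ca"
  else
    echo "FAIL $crt does not verify against $ca"; rc=1
  fi

  # Compare public keys rather than RSA moduli so EC keys are handled too.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "OK   $key matches $crt"
  else
    echo "FAIL $key does not match $crt"; rc=1
  fi

  if openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo "OK   $crt has the TLS server EKU"
  else
    echo "FAIL $crt lacks the TLS server EKU (signed with 'sign-req client'?)"; rc=1
  fi

  # A static key is the V1 header plus 256 bytes written as 512 hex digits.
  hexlen=$(grep -v -- '-----' "$tls" | tr -d '\n' | wc -c | tr -d ' ')
  if head -n 1 "$tls" | grep -q 'BEGIN OpenVPN Static key V1' && [ "$hexlen" -eq 512 ]; then
    echo "OK   $tls is a 2048-bit OpenVPN static key"
  else
    echo "FAIL $tls is not a valid OpenVPN static key"; rc=1
  fi

  for f in "$key" "$tls"; do
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
      600|400) echo "OK   $f mode $mode" ;;
      *) echo "FAIL $f mode $mode, expected 600"; rc=1 ;;
    esac
  done
  return "$rc"
}

# make_demo_pki DIR: constructed demo PKI (openssl, not easy-rsa). "office" is
# signed as a server certificate, like the post's "sign-req server office";
# "wrong" is signed as a client certificate to show what the EKU check catches.
make_demo_pki() {
  d=$1
  mkdir -p "$d/certs" "$d/keys"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoCA \
    -keyout "$d/ca.key" -out "$d/certs/ca.crt" >/dev/null 2>&1
  printf 'extendedKeyUsage=serverAuth\n' > "$d/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
  for n in office:server wrong:client; do
    name=${n%%:*}
    role=${n##*:}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$d/keys/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/$name.csr" -CA "$d/certs/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -extfile "$d/$role.ext" -out "$d/certs/$name.crt" >/dev/null 2>&1
  done
  { echo '-----BEGIN OpenVPN Static key V1-----'
    openssl rand -hex 256 | fold -w 32
    echo '-----END OpenVPN Static key V1-----'; } > "$d/keys/easyrsa-tls.key"
  chmod 600 "$d"/keys/*
}

DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
echo "--- office (server certificate) ---"
check_vpn_pki "$DEMO/certs" "$DEMO/keys" office
echo "--- wrong (client certificate) ---"
check_vpn_pki "$DEMO/certs" "$DEMO/keys" wrong || echo "rejected, as it should be"
rm -rf "$DEMO"
```

On the real box, drop the demo lines at the bottom and call check_vpn_pki /etc/openvpn/certs /etc/openvpn/keys office as root; a non-zero exit means something in the copy step went wrong, and the EKU failure is the one to look for if you signed the request with "client" by habit.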

From now on, please follow the DigitalOcean HOWTO for client setup. It doesn’t make sense to use anything else…

Back again..

Every so often I end up coming back here. For better or worse, this place holds a bit of the story of my life, more than a decade of it.

In today’s world, everything is restricted and limited to what the algorithms want to show, on centralized networks that decide what is worthwhile and what is not.

The online world is on the wrong path, and the trend is for it to get worse…

This is me… not a song…

Like we’re holdin’ onto somethin’ that’s invisible there
‘Cause we’re livin’ at the mercy of the pain and the fear
Until we dead it, forget it, let it all disappear

Waiting for the end to come
Wishing I had strength to stand
This is not what I had planned
It’s out of my control

Flying at the speed of light
Thoughts were spinning in my head
So many things were left unsaid
It’s hard to let you go

I know what it takes to move on
I know how it feels to lie
all I wanna do is trade this life for something new
holding on to what I haven’t got

Sitting in an empty room
Trying to forget the past
This was never meant to last
I wish it wasn’t so

I know what it takes to move on
I know how it feels to lie
all I wanna do is trade this life for something new
holding on to what I haven’t got…

It is not always the same thing

You know why? Because now I am an Italian citizen, but unfortunately being Italian means nothing. The Italian government is ancient, difficult, bureaucratic and has no interest in helping Italians abroad.

Career, routine and being unprepared

It is impressive how the comfort of being at a “traditional” company makes us complacent. In years and years at the same company, working in technology, what I learned is that our intellectual growth goes hand in hand with our day-to-day work. If our work demands little, or if we get used to what it demands of us, stagnation hits hard.

After practically 10 years at the same company, doing some self-analysis, I found myself in a situation where the market had changed considerably and I had not. Of course I am also changing the direction of my career, but even so, I noticed a huge limitation I had acquired because of that stagnation.

Finally the job change came, the acceptance of something new, which is not even that new in the market anymore, but above all the opportunity to test my capacity and knowledge further and push everything to new limits.

One of my main guides in all of this is being able to gain the experience and standing needed to provide what my family needs, and so that I can be a “less bad” example of a Christian out there.

And bring on the MBA!

And so the pandemic passed

That curse took my cousin and my mental health, but it opened many doors; a lot changed. God really wanted to shake everything up, and so He did. Impressive.