Category Archives: Uncategorised

Installing openvpn server (Ubuntu 12.04)

This page is mostly based on these instructions (starting at appendix A2). I have followed the procedure below to get VPN servers running on two different virtual private servers. In each case the VPS has a “tun” interface (google how to check whether the tun interface is loaded on your VPS).

Everything is done as root. Comments on the various steps are marked with a pound sign (#).

Install OpenVPN and setup the structure to build the encryption keys

sudo -s #to become root
apt-get install openvpn #to install openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa #to copy the easy-rsa config files and scripts
cd /etc/openvpn/easy-rsa

Open the file /etc/openvpn/easy-rsa/vars and make sure you have the following (keep a space before each # comment, otherwise the shell treats the comment as part of the value):

export EASY_RSA="/etc/openvpn/easy-rsa" #necessary
export KEY_COUNTRY="US" #optional
export KEY_PROVINCE="CA" #optional
export KEY_CITY="SanFrancisco" #optional
export KEY_ORG="MartinLys" #optional
export KEY_EMAIL="admin@myvpnserver.com" #optional
export KEY_EMAIL=mail@host.domain #optional
export KEY_CN=changeme #optional
export KEY_NAME=myvpnserver.com #optional
export KEY_OU=changeme #optional
export PKCS11_MODULE_PATH=changeme #optional
export PKCS11_PIN=1234 #optional

Now build the certificates (from the easy-rsa directory):

source vars
./clean-all
./build-ca #the values that you enter are not important

Build the certificate/key files for the server

./build-key-server serverName

Answer the following questions:

Common Name [serverName]: #Must be the same as serverName
A challenge password: #Must leave blank!
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Now, generate the certificates for the clients (assuming you have a client called UserName, which does not need to be a Linux user on your server):

./build-key UserName

Answer the questions

Common Name [UserName]: #must be the same as UserName
A challenge password: #Must leave blank!
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Repeat this for all clients (which will generate files in “keys/” called UserName.crt and UserName.key). Then, build the Diffie-Hellman key:

cd /etc/openvpn/easy-rsa/
./build-dh #(this takes a few seconds)

Then, create the OpenVPN HMAC key (the tls-auth key) with:

openvpn --genkey --secret keys/ta.key

Create the file /etc/openvpn/server.conf with the following in it:

local XXX.XXX.XXX.XXX #the public IP of your server (try commenting this line out if you get the error "Socket bind failed on local address [AF_INET]xxxxx:1194: Cannot assign requested address")
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/serverName.crt #the name that you gave build-key-server
key /etc/openvpn/easy-rsa/keys/serverName.key #the name that you gave build-key-server
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 #range of IP addresses that it will hand out (change this if it conflicts with your network and netmask)
push "dhcp-option DNS 8.8.8.8" #use Google DNS
push "dhcp-option DNS 8.8.4.4" #more Google DNS
push "redirect-gateway def1 bypass-dhcp" #send all client traffic through the VPN
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 #TLS auth key (direction 0 on the server, 1 on the clients)
keepalive 10 120
cipher AES-128-CBC #must match the cipher in the client config
comp-lzo #use compression
user nobody #run openvpn as nobody:nogroup after start-up
group nogroup
persist-key #needed so that restarts work after privileges have been dropped
persist-tun
status openvpn-status.log
verb 0 #increase the number if you want more logging (max = 5?)

Make sure IPv4 forwarding is on, by making sure that the following line in /etc/sysctl.conf is uncommented:

net.ipv4.ip_forward=1

Apply the changes with:

sysctl -p

You need to add iptables rules to forward the VPN traffic. I’m not completely sure that all the lines are necessary, but this seemed to work! On one of my virtual servers running in OpenVZ, I had to replace “eth0” with “venet0”, as that was the name of the network interface (use ifconfig to check which interface has the external address). Note that the rules refer to the subnet that you chose in server.conf (10.8.0.0/24 in this case, so modify the rules as appropriate). You could place the following in an executable (chmod 700) script, e.g., /etc/openvpn/firewallrules.sh:

#! /bin/bash
#probably not necessary (default for output should be accept)
iptables -A OUTPUT -o tun+ -j ACCEPT
#not sure that this is needed:
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
#these are most likely the ones that matter:
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
#definitely need this one:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0
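The server.conf above and the firewall script are written by hand, and the two easiest mistakes are dropping one of the hardening directives (tls-auth, user/group, persist-key/persist-tun) and changing the `server` subnet without updating the MASQUERADE rule. The following Python script is an added example, not code from the original post: it parses an OpenVPN config the way OpenVPN does (line comments, trailing comments, quoted `push` arguments), flags missing hardening directives, and checks that the `-s` subnet in the NAT rule is the one server.conf hands out. The sample configs and the 203.0.113.10 placeholder IP are constructed for the example.

```python
"""Audit an OpenVPN server.conf and cross-check the VPN subnet against the
iptables script.  Added example, not code from the original post; the
sample configs below are constructed."""
import ipaddress
import re
import shlex


def parse_openvpn_conf(text):
    """Return [(directive, [args]), ...] from an OpenVPN config.

    Follows the parts of OpenVPN's parser that matter here: '#' or ';' at
    the start of a line or of a new token begins a comment, and a
    double-quoted argument (push "dhcp-option DNS 8.8.8.8") stays one token.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        kept, in_quote = [], False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch in "#;" and not in_quote and line[i - 1].isspace():
                break  # the rest of the line is a trailing comment
            kept.append(ch)
        tokens = shlex.split("".join(kept))
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def by_directive(text):
    """Group parsed entries: directive -> list of argument lists."""
    conf = {}
    for directive, args in parse_openvpn_conf(text):
        conf.setdefault(directive, []).append(args)
    return conf


# Directives the post's server.conf relies on, and why their absence matters.
REQUIRED = {
    "tls-auth": "no tls-auth: anyone who can reach UDP/1194 can talk to the TLS stack directly",
    "user": "no 'user' directive: the daemon keeps running as root",
    "group": "no 'group' directive: the daemon keeps its root group",
    "dh": "no 'dh' directive: required in server mode on OpenVPN 2.2/2.3",
    "persist-key": "no persist-key: after dropping to nobody the keys cannot be re-read on restart",
    "persist-tun": "no persist-tun: after dropping to nobody the tun device cannot be re-opened",
}


def audit_server_conf(text):
    """Return a list of findings; an empty list means nothing to flag."""
    conf = by_directive(text)
    findings = [msg for directive, msg in REQUIRED.items() if directive not in conf]
    if "tls-auth" in conf and conf["tls-auth"][0][1:] != ["0"]:
        findings.append("tls-auth direction on the server must be 0 (clients use key-direction 1)")
    # OpenVPN 2.2/2.3 fall back to BF-CBC when no cipher is configured.
    cipher = conf.get("cipher", [["BF-CBC"]])[0][0].upper()
    if cipher.startswith("BF-") or cipher.startswith("DES-"):
        findings.append(f"weak cipher {cipher}: use an AES cipher on both ends")
    if conf.get("verb", [["1"]])[0][0] == "0":
        findings.append("verb 0 hides everything but fatal errors; use 3 while setting up")
    return findings


def server_subnet(text):
    """The VPN subnet from 'server <network> <netmask>', or None."""
    for args in by_directive(text).get("server", []):
        if len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def masquerade_subnets(script):
    """Subnets named by -s in POSTROUTING MASQUERADE rules of an iptables script."""
    nets = []
    for line in script.splitlines():
        if "POSTROUTING" in line and "MASQUERADE" in line:
            m = re.search(r"-s\s+(\S+)", line)
            if m:
                nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def firewall_matches_server(conf_text, script_text):
    """True when a NAT rule covers exactly the subnet server.conf hands out."""
    net = server_subnet(conf_text)
    return net is not None and net in masquerade_subnets(script_text)


# Constructed sample: the post's server.conf with a placeholder public IP and verb 3.
GOOD_CONF = """\
local 203.0.113.10 #public IP of the server (placeholder)
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/serverName.crt
key /etc/openvpn/easy-rsa/keys/serverName.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 #range of addresses handed to clients
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
"""
# Constructed sample of a config that skipped the hardening lines.
WEAK_CONF = "port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\nverb 0\n"
# The NAT line from the post's firewall script.
FIREWALL = "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, audit_server_conf(conf) or "ok")
    print("firewall subnet matches:", firewall_matches_server(GOOD_CONF, FIREWALL))
```

Run it against your real files with `audit_server_conf(open("/etc/openvpn/server.conf").read())` and `firewall_matches_server(conf, open("/etc/openvpn/firewallrules.sh").read())` before starting the daemon; a finding on the weak config shows what each missing line costs.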

You can run this from your start-up scripts, for example when your network interface comes up. In that case, edit /etc/network/interfaces and add the following line, indented, immediately below the line with “iface eth0 inet dhcp” (or similar; I actually put it under the “lo” interface and it worked fine):

iface eth0 inet dhcp 
   pre-up /etc/openvpn/firewallrules.sh

When you reboot the server, the openvpn server should now be running, and the forwarding should work. On my OpenVZ machine, I found that /etc/network/interfaces gets overwritten at reboot, so I added the following line to /etc/rc.local instead:

/etc/openvpn/firewallrules.sh

To start the openvpn server by hand, as root, type:

openvpn /etc/openvpn/server.conf

You then need to create a configuration file for each client. Place the following executable (chmod 700) script in /etc/openvpn/build-client-config-file.sh:

#! /bin/bash
# Usage: ./build-client-config-file.sh UserName
# Writes UserName.ovpn in the current directory, with the CA certificate,
# the client certificate/key and the tls-auth key embedded inline.
set -e
if [ -z "$1" ]; then
    echo "usage: $0 ClientName" >&2
    exit 1
fi
client="$1"
server="serverName" #this is the public IP address of the server (or its domain name)
keydir="/etc/openvpn/easy-rsa/keys" #where the keys were saved if you followed the instructions on this webpage
ca="$keydir/ca.crt"
cert="$keydir/$client.crt"
key="$keydir/$client.key"
tls="$keydir/ta.key"
configfile="$client.ovpn"
for f in "$ca" "$cert" "$key" "$tls"; do
    if [ ! -r "$f" ]; then
        echo "missing $f (did you run ./build-key $client?)" >&2
        exit 1
    fi
done
umask 077 #the .ovpn contains the client's private key, so create it readable by root only
{
    printf 'client\ndev tun\nproto udp\nkey-direction 1\nremote %s 1194\nresolv-retry infinite\nnobind\nns-cert-type server\ncomp-lzo\nverb 3\ncipher AES-128-CBC\n' "$server"
    echo "<ca>";       cat "$ca";   echo "</ca>"
    echo "<cert>";     cat "$cert"; echo "</cert>"
    echo "<key>";      cat "$key";  echo "</key>"
    echo "<tls-auth>"; cat "$tls";  echo "</tls-auth>"
} > "$configfile"
echo "wrote $configfile"

You can then create a config file for each client (called UserName, same as before, as the script will look for the corresponding files) by typing:

./build-client-config-file.sh UserName

This will output an OpenVPN configuration file called “UserName.ovpn” which can be given (securely) to the client. At this point, you could delete the following files from the server:

ca.key #keep this one if you intend to add more clients: build-key needs it to sign their certificates
UserName.key
UserName.ovpn
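Before a UserName.ovpn leaves the server it is worth checking that the script actually embedded all four sections, that each one holds the right kind of PEM object (it is easy to point `key=` at a certificate, or to run the script against a client whose files were never built), and that `key-direction 1` is present to match the server's `tls-auth ... 0`. The following Python script is an added example, not part of the original post; it reads the inline sections and plain directives of a profile and returns a list of findings. The sample profiles, the `vpn.example.com` host name and the placeholder PEM bodies are constructed.

```python
"""Check a client .ovpn built by the post's build-client-config-file.sh
before handing it to a user.  Added example, not part of the original post;
the sample profiles are constructed with placeholder PEM bodies."""
import re

# Inline section -> regex for the PEM label that section must contain.
INLINE = {
    "ca": r"CERTIFICATE",
    "cert": r"CERTIFICATE",
    "key": r"(?:RSA )?PRIVATE KEY",
    "tls-auth": r"OpenVPN Static key V1",
}
INLINE_RE = re.compile(r"<([a-z-]+)>\s*(.*?)\s*</\1>", re.S)


def inline_blocks(profile):
    """Map each <tag>...</tag> section to its body text."""
    return {m.group(1): m.group(2) for m in INLINE_RE.finditer(profile)}


def directives(profile):
    """Plain directives outside the inline sections: name -> list of arg lists."""
    body = INLINE_RE.sub("", profile)
    found = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            found.setdefault(parts[0], []).append(parts[1:])
    return found


def audit_client_profile(profile):
    """Return a list of findings; an empty list means the profile looks complete."""
    blocks, conf = inline_blocks(profile), directives(profile)
    findings = []
    for tag, label in INLINE.items():
        if tag not in blocks:
            findings.append(f"missing <{tag}> section")
            continue
        # easy-rsa .crt files carry a text dump before the PEM block; only the PEM matters.
        begins = re.findall(r"-----BEGIN ([^-]+)-----", blocks[tag])
        if len(begins) != 1 or not re.fullmatch(label, begins[0]):
            findings.append(f"<{tag}> should hold exactly one '{label}' PEM block, found {begins}")
        if tag in conf:
            findings.append(f"'{tag}' file directive conflicts with the inline <{tag}> section")
    if "client" not in conf:
        findings.append("no 'client' directive")
    if not any(len(args) >= 1 for args in conf.get("remote", [])):
        findings.append("no 'remote <host> [port]' directive")
    if "tls-auth" in blocks and conf.get("key-direction") != [["1"]]:
        findings.append("inline <tls-auth> needs 'key-direction 1' (the server uses 0)")
    if ("server" not in conf.get("ns-cert-type", [[]])[0]
            and "server" not in conf.get("remote-cert-tls", [[]])[0]):
        findings.append("no 'ns-cert-type server' or 'remote-cert-tls server': server cert role is not checked")
    return findings


def pem(label):
    """Constructed placeholder PEM block; the body is not real key material."""
    return f"-----BEGIN {label}-----\nMIIBconstructedplaceholder==\n-----END {label}-----\n"


def sample_profile(key_label="PRIVATE KEY", key_direction=True):
    """Constructed profile shaped like the script's output (vpn.example.com is a placeholder)."""
    head = ("client\ndev tun\nproto udp\n" + ("key-direction 1\n" if key_direction else "")
            + "remote vpn.example.com 1194\nresolv-retry infinite\nnobind\n"
            + "ns-cert-type server\ncomp-lzo\nverb 3\ncipher AES-128-CBC\n")
    sections = [("ca", pem("CERTIFICATE")), ("cert", pem("CERTIFICATE")),
                ("key", pem(key_label)), ("tls-auth", pem("OpenVPN Static key V1"))]
    return head + "".join(f"<{tag}>\n{body}</{tag}>\n" for tag, body in sections)


if __name__ == "__main__":
    print("good profile:", audit_client_profile(sample_profile()) or "ok")
    print("broken profile:", audit_client_profile(sample_profile("CERTIFICATE", False)))
```

For a real file, `audit_client_profile(open("UserName.ovpn").read())` should return an empty list; the second sample shows what a key section that accidentally holds a certificate, plus a missing `key-direction`, looks like.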

Radish gazpacho

  • 3 big tomatoes, diced coarsely
  • 8-10 radishes, diced coarsely (same volume roughly as tomatoes)
  • 6 green onions, sliced
  • 3 cloves of garlic (pressed before putting in blender)
  • 1 and 1/2 cucumber, peeled, diced
  • a little bit of salt and pepper (really, it hardly needs seasoning!)
  • 3/8 cup of olive oil
  • 4 tbsp of lime juice

Blend it all together (consistency of salsa). Best if refrigerated overnight.

Chicken tagine

  • 2 lbs of chicken thighs (about 8 of them) or vegetarian: use a cauliflower and a root vegetable (parsnips work great!)
  • 4-6 carrots sliced
  • 1 large onion diced
  • 1 can of chickpeas
  • 3/4 cup of dried cranberries or raisins
  • about 1/2 cup of chicken bouillon
  • 1 big tomato diced
  • 4 minced garlic cloves
  • 2 tbsp of lemon juice (or juice from 1/2 lemon)
  • couscous

Spice mix:

  • 1 1/2 tsp cumin
  • 1 1/2 tsp ground ginger
  • 1 tsp coriander
  • 3/4 tsp turmeric
  • 1 1/2 tsp cinnamon
  • 1 tsp black pepper

Instructions:

  1. In a Dutch oven, on medium-high, add a bit of olive oil
  2. Add chicken thighs and onion and brown until there is stuff to deglaze
  3. Turn heat down, deglaze with red wine or beer (I used a nice Belgian Ale)
  4. Add broth, tomatoes, carrots, garlic, chickpeas (with their juice), lemon juice, cranberries, spices
  5. Let simmer with lid on for a couple of hours (no need to simmer for really long)
  6. To make couscous (in a separate pot!), boil water (same volume as couscous), remove from heat, stir in couscous and cover for 5min. Then fluff with fork.

Pan Kale

  • On medium-low heat, get 2 cloves of mashed garlic going in some butter
  • After ~2 minutes (before garlic browns) throw in the Kale (cut in ~1″ strips, make sure that the pieces only have “thin” stems on them (~1/4″ thick stem at most))
  • Add pepper (don’t add salt, or very very little!!)
  • Stir Kale every once in a while, for about 5 minutes (until it gets soft, but before it turns in to mush!)
  • Add in about 1/4 cup of broth, let it simmer on medium heat until broth has evaporated (don’t let it evaporate dry though!)
  • Serve! More garlic makes it taste more garlicky, which is ok, right!

Magret de canard in shallot reduction

  • Slice diamond pattern in the fat side (score)
  • Heat up a pan (not a non-stick one! i.e. a stick one!) to medium high
  • Place breasts fat side down, cook 10-15 minutes (with heat on medium soon after putting them in)
  • Cook meat side down 3-5 minutes
  • Finish off for 1-2 minutes on fat side, then remove from heat
  • Drain the fat out of the pan and keep it for other cooking
  • Dice a couple of shallots and throw them in the pan with 2-3 tablespoons of the duck fat
  • Fry the shallots for 2-3 minutes in the fat
  • Add ~1/4 cup of red wine
  • Add same amount of broth
  • Reduce until good (pretty thick)
  • Wait until reduction is ready before slicing the duck (i.e. let it sit!).
  • Slice duck breasts diagonally, drizzle with reduction
  • Enjoy!

Pheasant in pear and shallot cream sauce

  • Cut pheasant into medallion size pieces
  • Fry in butter (use a metal pan, not a non-stick pan) at medium heat
  • Remove the pheasant medallions once they are just cooked (do not overcook!)
  • Add more butter to the pan
  • Add 2 finely chopped shallots and cook at medium heat for ~4 minutes
  • Add 2 pears cut into slices, fry for another 2 minutes
  • Add a generous amount of white wine (~ 1cup) and reduce on medium high heat
  • Add 1/2 cup of broth, reduce more
  • Add cream and reduce, but do not let it get thick
  • Add the pheasant back in for a minute to reheat
  • Serve!

Easy Awesome Venison

An easy recipe to fry up some venison steaks and make a little sauce.

  • Fry the steaks (about 1-2cm thick) in a generous amount of butter. Do not overcook! It only takes a couple of minutes on each side, you can see the blood come up. Medium high heat.
  • Take the steaks out and set aside. There should be quite a bit of liquid in the pan.
  • Add about the same amount of red wine as there was liquid, let it reduce.
  • Add some milk (a little less than the red wine)
  • Let it reduce to a nice consistency, and serve right away!

This goes well with some roasted sweet potatoes. Dice them up, sprinkle some salt and pepper, a little olive oil and about 35min at 400F.

Swiss Fruit Pie

Pie crust:

  • 100g sugar
  • 100g softened butter (room temperature)
  • 200g flour
  • 1 egg

Mix all until it barely holds together. Don’t over-knead. Make into a flattened ball and wrap in Saran wrap. Place in freezer for >20min.

Turn oven on to 350F (180C).

Butter a pie dish and flatten dough into it with fingers. Sprinkle some almond meal to keep dough from getting soggy. Lay fruit inside. Can go in the oven as is, or one can add the following egg custard along with the fruit:

  • 2 Tbsp of sugar
  • 2 eggs, lightly beaten
  • 1 tsp of vanilla extract
  • 1 tsp of corn starch (or flour), mixed into the cream
  • 2 dl of cream

Cook in oven for 45min. Let cool.