Monday 20 April 2015

OPENVPN - Complete Setup - Bridge Mode


The following setup has been tested with both Windows (Windows 7) and Linux (CentOS 6) VPN clients.

OpenVPN server: 192.168.201.128
Test node: 192.168.201.129

The OpenVPN server and the test node are in the same LAN.

SERVER CONFIG

On the OpenVPN server, install the following packages:

$yum install epel-release
$yum install openvpn easy-rsa bridge-utils -y

Now it's time to configure the OpenVPN server.

Move to the easy-rsa directory to create the certificates and keys:
$cd /usr/share/easy-rsa/2.0

Change the variables to match your environment:
$vim vars

# line 64: change to your own environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="root@dlp.server.world"
export KEY_OU="Server_World"

$source ./vars

$./clean-all

Build the CA certificate (ca.crt):
$./build-ca

Build the server key and certificate:
$./build-key-server server

Build the Diffie-Hellman parameters:
$./build-dh

Build the client certificate and key:
$./build-key client

Now copy the keys directory to /etc/openvpn:

$cp -pR /usr/share/easy-rsa/2.0/keys /etc/openvpn/keys

Now create a user on the VPN server for VPN connection authentication (the PAM plugin enabled in server.conf below checks the username and password against the system accounts):

$useradd client1
$passwd client1

Now copy the sample config file to /etc/openvpn:

$cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Make the following changes to server.conf in the /etc/openvpn/ directory, or just replace its contents with the block below (change the IP addresses as required):

$vim /etc/openvpn/server.conf


#################################################################################
#Enable plugin for VPN connection authentication
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login

# listening port; change if needed
port 1194

#uncomment tcp and comment out udp
proto tcp
;proto udp

# change to tap which uses bridge mode
dev tap0
;dev tun

#change path for certificates
ca keys/ca.crt
cert keys/server.crt
key keys/server.key

# path for the Diffie-Hellman parameters generated by build-dh
dh keys/dh2048.pem

# uncomment and change ⇒ [bridge IP (the server's LAN IP)] [subnet mask] [first client IP] [last client IP]
server-bridge 192.168.201.128 255.255.255.0 192.168.201.150 192.168.201.199


# keepalive settings
keepalive 10 120

# enable compression
comp-lzo

# enable persist options
persist-key
persist-tun

#uncomment and specify logs
log /var/log/openvpn.log
log-append /var/log/openvpn.log

# specify log level (0 - 9, 9 means debug level)
verb 3
user nobody
group nobody

#################################################################################
Now copy the bridge start and stop scripts to the /etc/openvpn directory:

$cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-start /etc/openvpn/openvpn-startup
$cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown

Now make them executable:
$chmod 755 /etc/openvpn/openvpn-startup /etc/openvpn/openvpn-shutdown

Make the following changes to the startup script (keep a space before each # comment, otherwise the comment text becomes part of the variable's value):
$vim /etc/openvpn/openvpn-startup

#################################################################################
# line 17-20: change to your own environment
eth="eth0"                       # physical interface to bridge; change if needed
eth_ip="192.168.201.128"         # IP for the bridge interface
eth_netmask="255.255.255.0"      # subnet mask
eth_broadcast="192.168.201.255"  # broadcast address of the 192.168.201.0/24 LAN
# add the following at the end: define the default gateway
eth_gw="192.168.201.2"           # default gateway in my setup
route add default gw $eth_gw

#################################################################################

Enable IP forwarding via the openvpn init script:

$vim /etc/rc.d/init.d/openvpn

# line 133: uncomment
echo 1 > /proc/sys/net/ipv4/ip_forward

Now start all the services. In my example I will be stopping the firewall (iptables).
$service iptables stop
$service openvpn start
$chkconfig openvpn on
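If you would rather keep the host firewall running than stop it, the following script (an added example, not part of the original post) opens only what the bridged server needs: the listening port from the post (1194/tcp) and traffic on the tap0 and br0 interfaces, following the firewall notes of the OpenVPN bridging HOWTO. Port, protocol and interface names are arguments, and the iptables binary is an argument too, so the rules can be printed with `echo` for review before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original post): keep iptables running and open
# only what the bridged OpenVPN server needs, instead of `service iptables stop`.
# Rule set follows the firewall notes of the OpenVPN bridging HOWTO; the port,
# protocol and interface names mirror the post (1194/tcp, tap0, br0) but are
# passed as arguments. Assumes iptables is installed and apply runs as root.

# Print one rule per line. -I (insert) rather than -A is deliberate: the CentOS 6
# default INPUT and FORWARD chains end with a REJECT rule, so appended rules
# would never be reached.
vpn_firewall_rules() {
    proto=$1; port=$2; tap=$3; bridge=$4
    cat <<EOF
-I INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT
-I INPUT -i $tap -j ACCEPT
-I INPUT -i $bridge -j ACCEPT
-I FORWARD -i $bridge -j ACCEPT
EOF
}

# Apply the rules with the given iptables binary. Pass "echo" as the first
# argument for a dry run that only prints what would be executed.
# usage: apply_vpn_firewall <iptables-binary> <proto> <port> <tap-if> <bridge-if>
apply_vpn_firewall() {
    ipt=$1; shift
    while read -r rule; do
        # shellcheck disable=SC2086 -- the rule string is meant to be word-split
        $ipt $rule || return 1
    done <<EOF
$(vpn_firewall_rules "$@")
EOF
}

# Dry run when executed directly (replace echo with /sbin/iptables to apply):
if [ "$#" -eq 0 ]; then
    apply_vpn_firewall echo tcp 1194 tap0 br0
fi
```

Once the rules are applied for real, `service iptables save` writes them to /etc/sysconfig/iptables so they survive a reboot.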


CLIENT CONFIG

Install the OpenVPN GUI for Windows from here.

On CentOS just install epel-release and then openvpn:

$yum install epel-release -y

$yum install openvpn -y

Create the config file with the following contents and save it with a ".ovpn" extension.

Replace X.X.X.X with the VPN server IP.
#################################################################################
client
auth-user-pass
dev tap
proto tcp
remote X.X.X.X 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
contents of ca.crt
</ca>
<cert>
contents of client.crt
</cert>
<key>
contents of client.key
</key>

#################################################################################
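Pasting three PEM files into the profile by hand is error-prone, so here is a script that builds the profile above from the files easy-rsa produced (an added example, not part of the original post). The server IP and file paths are arguments; the file names follow the post. It adds one line the post's profile does not have, `remote-cert-tls server`, which makes the client accept only a server certificate carrying the server extensions that build-key-server sets, so another client certificate from the same CA cannot pose as the server.

```shell
#!/bin/sh
# Added example (not from the original post): build the client profile from
# the files easy-rsa produced, inlining ca.crt, client.crt and client.key so
# one .ovpn file can be handed to the user. The server IP and file paths are
# arguments; file names follow the post. remote-cert-tls server is added on top
# of the post's profile (see the lead-in).

# usage: make_client_ovpn <server-ip> <ca.crt> <client.crt> <client.key> <out.ovpn>
make_client_ovpn() {
    server_ip=$1; ca=$2; cert=$3; key=$4; out=$5

    # Refuse to build a profile with any input missing or empty; an empty
    # <key> block only fails, confusingly, at connect time.
    for f in "$ca" "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    {
        cat <<EOF
client
auth-user-pass
dev tap
proto tcp
remote $server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
EOF
        # awk 1 prints every line with a newline, so a PEM file that lacks a
        # final newline still gets its closing tag on a line of its own.
        echo "<ca>";   awk 1 "$ca";   echo "</ca>"
        echo "<cert>"; awk 1 "$cert"; echo "</cert>"
        echo "<key>";  awk 1 "$key";  echo "</key>"
    } > "$out"

    # The private key now lives inside the profile: owner-readable only.
    chmod 600 "$out"
}

# When run directly with five arguments, build the profile.
if [ "$#" -eq 5 ]; then
    make_client_ovpn "$@"
fi
```

The resulting file contains the client's private key, so move it to the client over a protected channel and delete the copy on the server once the client has it.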


On Windows, copy the config file to "C:\Program Files\OpenVPN\config" and try to connect; it will prompt for the username and password.

Once connected you should be able to reach the test node, which is in the same LAN as your VPN server.

On a Linux client, run the following command to connect:

$openvpn <configfile.ovpn>





That's all folks.....


Thursday 2 April 2015

Apache Tomcat Cluster with Pacemaker on Cent OS 6



This is a two-node Apache Tomcat cluster with virtual IP 10.20.9.225 and the following nodes:

node1.example.com
node2.example.com

Add the following to the /etc/hosts file on both nodes so that they can reach each other by name:

10.20.9.220       node1.example.com        node1
10.20.9.221       node2.example.com        node2


Now install the prerequisites on both nodes:

#yum install -y java-1.7.0-openjdk.x86_64 pcs pacemaker corosync cman wget

Download and extract Apache Tomcat:

#cd /usr/local/
#wget http://apache.arvixe.com/tomcat/tomcat-6/v6.0.43/bin/apache-tomcat-6.0.43.tar.gz
#tar xvzf apache-tomcat-6.0.43.tar.gz

Now set a password for the hacluster user on both nodes:

#passwd hacluster

Now start the pcsd service on both nodes and add it to startup:

#service pcsd start
#chkconfig pcsd on

Now authorize the cluster nodes. This will ask for a username and password; use "hacluster" and the password set above:

#mkdir /etc/cluster
#pcs cluster auth node1 node2

Now create the cluster:

#pcs cluster setup --name MYCLUSTER node1 node2
#pcs cluster start --all


Now disable STONITH and quorum, as they are not required for a two-node setup:

#pcs property set stonith-enabled=false

#pcs property set no-quorum-policy=ignore

Now add the resources. We need a virtual IP and a Tomcat resource:

#pcs resource create VirtualIP ocf:heartbeat:IPaddr2 ip=10.20.9.225 cidr_netmask=24 op monitor interval=30s

#pcs resource create tomcat ocf:heartbeat:tomcat params java_home="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/jre" catalina_home="/usr/local/apache-tomcat-6.0.43" tomcat_user="root" op monitor interval="15s"

To make both resources run on the same node we need a colocation constraint:

#pcs constraint colocation set VirtualIP tomcat

All done. Now stop the cluster, start it again and check the status:

#pcs cluster stop --all

#pcs cluster start --all

#pcs status

#################################################################################
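What `pcs status` should confirm at the end is that the colocation constraint actually holds: VirtualIP and tomcat are both Started and on the same node. The following check, an added example that is not part of the original post, parses the resource lines of `pcs status` (read from stdin) for the resource names used in the post; SAMPLE_STATUS is a constructed fragment in the shape pacemaker 1.1 prints, not captured output.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the colocation
# constraint holds, i.e. both resources are Started and on the same node.
# Resource names follow the post (VirtualIP, tomcat); the status text is read
# from stdin so it can come from `pcs status` or from a saved copy.

# Print the node that resource $1 is started on (nothing if it is not running).
# pcs prints resource lines such as:
#   " VirtualIP (ocf::heartbeat:IPaddr2): Started node1"
started_on() {
    awk -v r="$1" '
        $1 == r {
            for (i = 1; i <= NF; i++)
                if ($i == "Started") { print $(i + 1); exit }
        }'
}

# usage: check_colocation <resource1> <resource2> < status.txt
# Returns 0 and names the node when both run on one node, 1 otherwise.
check_colocation() {
    status=$(cat)                     # slurp stdin once; both lookups reuse it
    n1=$(printf '%s\n' "$status" | started_on "$1")
    n2=$(printf '%s\n' "$status" | started_on "$2")
    [ -n "$n1" ] || { echo "$1 is not started" >&2; return 1; }
    [ -n "$n2" ] || { echo "$2 is not started" >&2; return 1; }
    if [ "$n1" = "$n2" ]; then
        echo "$1 and $2 both on $n1"
    else
        echo "split: $1 on $n1, $2 on $n2" >&2
        return 1
    fi
}

# Constructed sample in the shape of the resource section of `pcs status`
# (pacemaker 1.1); not real captured output.
SAMPLE_STATUS='Online: [ node1 node2 ]

Full list of resources:

 VirtualIP (ocf::heartbeat:IPaddr2): Started node1
 tomcat (ocf::heartbeat:tomcat): Started node1
'

# Runs against the sample when executed directly; on a real node use:
#   pcs status | check_colocation VirtualIP tomcat
printf '%s' "$SAMPLE_STATUS" | check_colocation VirtualIP tomcat
```

Run it once after the cluster comes up and again after a failover test (put the active node in standby with `pcs cluster standby node1`, then `pcs cluster unstandby node1`) to confirm that both resources move together.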



