operating_systems:raspbian:easygateway_configuration [2019/06/26 07:11] – maferreira | operating_systems:raspbian:easygateway_configuration [2019/07/22 09:15] – [acdsn] maferreira |
| |
===== Installation ===== | ===== Installation ===== |
| |
<note warning>If you are downloading guacamole-server-0.9.9 in Stretch version, you will get the following compilation error: guac_common_ssh_openssl_id_callback [-Werror=unused-function]</note> | |
| |
==== Compilation ==== | ==== Compilation ==== |
$ make | $ make |
# make install | # make install |
| |
| <note warning>If you are downloading guacamole-server-0.9.9 in Stretch version, you will get the following compilation error: guac_common_ssh_openssl_id_callback [-Werror=unused-function]</note> |
| |
Load configuration modifications | Load configuration modifications |
Reference: [[https://guacamole.apache.org/doc/gug/installing-guacamole.html]] | Reference: [[https://guacamole.apache.org/doc/gug/installing-guacamole.html]] |
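Review bot: moving the guacamole-server-0.9.9 warning below `# make install` puts it after the step that fails; the `-Werror=unused-function` error it describes is raised by `$ make`, so a reader working top to bottom hits the failure before reaching the warning. Keep the note above `$ make`. The note also names only the symptom (`guac_common_ssh_openssl_id_callback [-Werror=unused-function]`) and gives no resolution; state what to do on Stretch (which version builds, or which build setting avoids the error) so the warning is actionable rather than just a heads-up.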
| |
====== Clone necessary git repositories ====== | ====== Clone required git repositories ====== |
Now, clone each git repository into the respective directory. | Now, clone each git repository into the respective directory. |
$ cd ~/git/ | $ cd ~/git/ |
@daily acdsn /usr/bin/curl http://easygateway.testing.com.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem | @daily acdsn /usr/bin/curl http://easygateway.testing.com.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem |
30 0 * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --readonly-check --git-check | 30 0 * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --readonly-check --git-check |
| |
@hourly acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --load-check --disk-check --timek | @hourly acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --load-check --disk-check --timek |
*/15 * * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --users-check | */15 * * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --users-check |
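Review bot: the `@daily` job fetches `ca_crl.pem` over plain `http://` and writes it straight into `/etc/openvpn/server/ca_crl.pem`. That file is what tells OpenVPN which client certificates to refuse, so a response altered or replaced in transit is installed as the live CRL without any check. In addition, `curl` without `-f` treats an HTTP error response as success and writes its body (for example a 404 page) into the target file, and a non-PEM file at that path is not usable as a CRL. Suggest fetching over https://, downloading with `curl -f` to a temporary file, validating it (`openssl crl -in <tmpfile> -noout` is enough to confirm it parses) and only then moving it into place. Two smaller points: the job runs as `acdsn` and writes into `/etc/openvpn/server/`, which does not sit well with the later requirement that only root can read and write files in that directory; and `--timek` on the `@hourly` line looks truncated next to the other `--*-check` options, so confirm the intended flag.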
The CA public certificate /etc/easy-rsa/pki/ca.crt generated by **server1** needs to be copied over to the machine that will be running OpenVPN. | The CA public certificate /etc/easy-rsa/pki/ca.crt generated by **server1** needs to be copied over to the machine that will be running OpenVPN. |
| |
# cp /etc/openvpn/easy-rsa/pki/ca.crt /tmp/ | # cp /etc/openvpn/easy-rsa/pki/root_ca.crt /tmp/ |
# chown acdsn:acdsn /tmp/ca.crt | # chown acdsn:acdsn /tmp/root_ca.crt |
# su acdsn | # su acdsn |
$ scp -P <port number> /tmp/ca.crt acdsn@localhost:/tmp | $ scp -P <port number> /tmp/root_ca.crt acdsn@localhost:/tmp |
| |
Move server1 certificate to /etc/openvpn/server and change its rights. | Move server1 certificate to /etc/openvpn/server and change its rights. |
# mv /tmp/ca.crt /etc/openvpn/server/ | # mv /tmp/root_ca.crt /etc/openvpn/server/ |
# chown root:root /etc/openvpn/server/ca.crt | # chown root:root /etc/openvpn/server/root_ca.crt |
| |
Install easy-rsa and generate a key pair for the openvpn server. | Install easy-rsa and generate a key pair for the openvpn server. |
# tar -xvzf EasyRSA-3.0.4.tgz | # tar -xvzf EasyRSA-3.0.4.tgz |
# rm EasyRSA-3.0.4.tgz | # rm EasyRSA-3.0.4.tgz |
# mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ | # mv EasyRSA-3.0.4/ /etc/openvpn/ |
| # ln -s /etc/openvpn/EasyRSA-3.0.4 /etc/openvpn/easy-rsa |
| |
<note warning>Make sure you have this option set: set_var EASYRSA_PKI “/etc/openvpn/easy-rsa/pki” in /etc/openvpn/easy-rsa/vars </note> | <note warning>Make sure you have this option set: set_var EASYRSA_PKI “/etc/openvpn/easy-rsa/pki” in /etc/openvpn/easy-rsa/vars </note> |
Make sure that **ONLY** **root** can **WRITE** and **READ** the **raspberry pi** and **server1** certificates. | Make sure that **ONLY** **root** can **WRITE** and **READ** the **raspberry pi** and **server1** certificates. |
# cd /etc/openvpn/server | # cd /etc/openvpn/server |
# chmod 660 <port number>.key ca.crt | # chmod 660 <port number>.key root_ca.crt |
# chown root:root <port number>.key ca.crt | # chown root:root <port number>.key root_ca.crt |
| |
Create the initial dh.pem file. | Create the initial dh.pem file. |
# scp -P <port number> /tmp/<port number>.crt acdsn@localhost:/tmp | # scp -P <port number> /tmp/<port number>.crt acdsn@localhost:/tmp |
| |
# mv /tmp/servername.crt /etc/openvpn/server/ | # mv /tmp/<port number>.crt /etc/openvpn/server/ |
# chown root:root /etc/openvpn/server/servername.crt | # chown root:root /etc/openvpn/server/<port number>.crt |
| |
References:\\ | References:\\ |
# vim /etc/init.d/openvpn | # vim /etc/init.d/openvpn |
# systemctl daemon-reload | # systemctl daemon-reload |
# /etc/init.d/openvpn start #check with ps -Af | grep openvpn | # /etc/init.d/openvpn start |
| |
| Check if openvpn is running by typing the following: |
| # ps -Af | grep openvpn |
| |
<note warning> | <note warning> |
OpenVPN will look at /etc/openvpn/server/ca.crt to find the CA certificate. And since we renamed it root_ca.crt, openvpn service won't create tun0 interface. To solve this, set it path in server.conf. | OpenVPN will look for /etc/openvpn/server/ca.crt to identify the CA certificate. And, since we renamed it root_ca.crt, openvpn service won't create tun0 interface. To solve this, set it path in server.conf. |
</note> | </note> |
# vi /etc/openvpn/server.conf | # vi /etc/openvpn/server.conf |
ca /etc/openvpn/server/ca.crt -> /etc/openvpn/server/root_ca.crt | ca /etc/openvpn/server/ca.crt |
| |
| to |
| |
| ca /etc/openvpn/server/root_ca.crt |
| |
<note important> | <note important> |
To have openvpn logs add the following file to /etc/openvpn/server.conf:\\ | To have openvpn logs add the following to /etc/openvpn/server.conf:\\ |
log-append /var/log/openvpn.log | log-append /var/log/openvpn.log |
</note> | </note> |
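Review bot: the warning says OpenVPN "will look for /etc/openvpn/server/ca.crt" on its own, but the fix shown right below is editing the `ca` directive in `server.conf`; OpenVPN reads whatever path that directive names, so the accurate statement is that `server.conf` still pointed at the old file name after the rename to `root_ca.crt`. Also "set it path" should read "set its path". Two gaps in the same block: `# vim /etc/init.d/openvpn` does not say what to change in the script, and the `References:\\` line above it is followed by no reference in this revision. Splitting `ps -Af | grep openvpn` out of the start line into its own check step is an improvement over the inline comment.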
===== Firewall rules ===== | ===== Firewall rules ===== |
References:\\ | References:\\ |
https://unix.stackexchange.com/questions/210604/how-to-write-a-systemd-service-unit-file-so-it-waits-until-a-specific-interface\\ | https://unix.stackexchange.com/a/212890\\ |
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-unit_files | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-unit_files |
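Review bot: switching the first reference from the question URL to the answer URL (`https://unix.stackexchange.com/a/212890`) is the more durable link. Both references cover writing a systemd unit that waits for a specific interface, but the "Firewall rules" section in this revision shows neither the rules nor the unit; add a sentence saying what the links are used for so they do not read as bare URLs under an unrelated heading.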
| |