operating_systems:raspbian:easygateway_configuration [2019/07/08 15:05] – [Sign OpenVPN server certificate] maferreira | operating_systems:raspbian:easygateway_configuration [2019/07/22 09:15] – [acdsn] maferreira |
---|
| |
===== Installation ===== | ===== Installation ===== |
| |
<note warning>If you are downloading guacamole-server-0.9.9 in Stretch version, you will get the following compilation error: guac_common_ssh_openssl_id_callback [-Werror=unused-function]</note> | |
| |
==== Compilation ==== | ==== Compilation ==== |
$ make | $ make |
# make install | # make install |
| |
| <note warning>If you are downloading guacamole-server-0.9.9 in Stretch version, you will get the following compilation error: guac_common_ssh_openssl_id_callback [-Werror=unused-function]</note> |
| |
Load configuration modifications | Load configuration modifications |
Reference: [[https://guacamole.apache.org/doc/gug/installing-guacamole.html]] | Reference: [[https://guacamole.apache.org/doc/gug/installing-guacamole.html]] |
| |
====== Clone necessary git repositories ====== | ====== Clone required git repositories ====== |
Now, clone each git repository into the respective directory. | Now, clone each git repository into the respective directory. |
$ cd ~/git/ | $ cd ~/git/ |
@daily acdsn /usr/bin/curl http://easygateway.testing.com.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem | @daily acdsn /usr/bin/curl http://easygateway.testing.com.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem |
30 0 * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --readonly-check --git-check | 30 0 * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --readonly-check --git-check |
| |
@hourly acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --load-check --disk-check --timek | @hourly acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --load-check --disk-check --timek |
*/15 * * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --users-check | */15 * * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --users-check |
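Review bot: The @daily CRL job on the first cron line runs curl with -o and no --fail over plain http://, so an HTTP error page or a truncated response is written straight over /etc/openvpn/server/ca_crl.pem. Suggest downloading to a temporary file with --fail, checking that it parses (openssl crl -in <file> -noout), and only then moving it into place. Serving the CRL over https would also keep an on-path party from holding back a newer CRL.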
The CA public certificate /etc/easy-rsa/pki/ca.crt generated by **server1** needs to be copied over to the machine that will be running OpenVPN. | The CA public certificate /etc/easy-rsa/pki/ca.crt generated by **server1** needs to be copied over to the machine that will be running OpenVPN. |
| |
# cp /etc/openvpn/easy-rsa/pki/ca.crt /tmp/ | # cp /etc/openvpn/easy-rsa/pki/root_ca.crt /tmp/ |
# chown acdsn:acdsn /tmp/ca.crt | # chown acdsn:acdsn /tmp/root_ca.crt |
# su acdsn | # su acdsn |
$ scp -P <port number> /tmp/ca.crt acdsn@localhost:/tmp | $ scp -P <port number> /tmp/root_ca.crt acdsn@localhost:/tmp |
| |
Move server1 certificate to /etc/openvpn/server and change its rights. | Move server1 certificate to /etc/openvpn/server and change its rights. |
# mv /tmp/ca.crt /etc/openvpn/server/ | # mv /tmp/root_ca.crt /etc/openvpn/server/ |
# mv /etc/openvpn/server/ca.crt /etc/openvpn/server/root_ca.crt | |
# chown root:root /etc/openvpn/server/root_ca.crt | # chown root:root /etc/openvpn/server/root_ca.crt |
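Review bot: The new revision copies /etc/openvpn/easy-rsa/pki/root_ca.crt, but the sentence above the commands still names /etc/easy-rsa/pki/ca.crt and no visible step on server1 renames the file, so the cp fails as written if the CA file is still called ca.crt. Either keep ca.crt as the source and rename on copy (cp /etc/openvpn/easy-rsa/pki/ca.crt /tmp/root_ca.crt) or document the rename, and make the introductory sentence use the same path as the command. Since the file passes through /tmp on both machines before it becomes the trust anchor, a fingerprint comparison after the final mv (openssl x509 -in /etc/openvpn/server/root_ca.crt -noout -fingerprint -sha256, checked against server1) is worth adding.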
| |
# tar -xvzf EasyRSA-3.0.4.tgz | # tar -xvzf EasyRSA-3.0.4.tgz |
# rm EasyRSA-3.0.4.tgz | # rm EasyRSA-3.0.4.tgz |
# mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ | # mv EasyRSA-3.0.4/ /etc/openvpn/ |
| # ln -s /etc/openvpn/EasyRSA-3.0.4 /etc/openvpn/easy-rsa |
| |
<note warning>Make sure you have this option set: set_var EASYRSA_PKI “/etc/openvpn/easy-rsa/pki” in /etc/openvpn/easy-rsa/vars </note> | <note warning>Make sure you have this option set: set_var EASYRSA_PKI “/etc/openvpn/easy-rsa/pki” in /etc/openvpn/easy-rsa/vars </note> |
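Review bot: With the symlink added in the new revision, the EASYRSA_PKI path /etc/openvpn/easy-rsa/pki from the warning resolves into /etc/openvpn/EasyRSA-3.0.4/pki, so the CA material ends up inside the versioned directory. Repointing the symlink to a later EasyRSA release would leave the PKI behind; consider a version-independent pki directory with EASYRSA_PKI set to it, or state that pki must be moved on upgrade. The set_var value in the warning is also shown with typographic quotes, which will not work if pasted into vars; plain double quotes are needed.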
Make sure that **ONLY** **root** can **WRITE** and **READ** the **raspberry pi** and **server1** certificates. | Make sure that **ONLY** **root** can **WRITE** and **READ** the **raspberry pi** and **server1** certificates. |
# cd /etc/openvpn/server | # cd /etc/openvpn/server |
# chmod 660 <port number>.key ca.crt | # chmod 660 <port number>.key root_ca.crt |
# chown root:root <port number>.key ca.crt | # chown root:root <port number>.key root_ca.crt |
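Review bot: chmod 660 in both revisions does not match the sentence above it: mode 660 also gives the owning group read and write access, and the private key is part of that command. For "only root can write and read", use chmod 600 and run it after the chown root:root so the restrictive mode applies to the final owner.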
| |
Create the initial dh.pem file. | Create the initial dh.pem file. |
# scp -P <port number> /tmp/<port number>.crt acdsn@localhost:/tmp | # scp -P <port number> /tmp/<port number>.crt acdsn@localhost:/tmp |
| |
# mv /tmp/servername.crt /etc/openvpn/server/ | # mv /tmp/<port number>.crt /etc/openvpn/server/ |
# chown root:root /etc/openvpn/server/servername.crt | # chown root:root /etc/openvpn/server/<port number>.crt |
| |
References:\\ | References:\\ |
| |
<note warning> | <note warning> |
OpenVPN will look at /etc/openvpn/server/ca.crt to find the CA certificate. And since we renamed it root_ca.crt, openvpn service won't create tun0 interface. To solve this, set it path in server.conf. | OpenVPN will look for /etc/openvpn/server/ca.crt to identify the CA certificate. And, since we renamed it root_ca.crt, openvpn service won't create tun0 interface. To solve this, set it path in server.conf. |
</note> | </note> |
# vi /etc/openvpn/server.conf | # vi /etc/openvpn/server.conf |
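Review bot: The reworded warning still reads "set it path" (should be "its path") and does not say which setting to change. Name the directive, that is a line ca /etc/openvpn/server/root_ca.crt in /etc/openvpn/server.conf, so the reader knows what to edit after the vi command.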