From Hentschel

HM server networking

8,600 bytes added, 03:37, 24 April 2019
/* VPN via OpenVPN */
== Version ==
Current version is CentOS 6.10 - check with: <pre>cat /etc/redhat-release</pre>
== Changing HM password for SSH ==
* ssh login is always 'root'
* server: any server under the domain
=== Reset root/WHM password ===
# Login to your HostMonster Control Panel
# Click the Performance quicklink
# Scroll down to the Access Management section.
# Click the Root tab.
# Under Password field, Enter the New Root Password. Click on Update.
 
== Setting up VPN via SSHD ==
from [https://help.ubuntu.com/community/SSH_VPN this link]
On the ssh server side, modify the config:
* enable
** PermitTunnel yes
'''Important:''' Both sides need to run as root to create the tunnel device. Thus, 'ssh -w 0:0 root@www.hentschel.net' must run as root on the client side too.
<quotepre>
 +---------------+           OpenSSH 4.3              +---------------+
 |   hentschel   | tun0 -- Tunnel Interface -- tun0   |    zm.home    |
 +-------+-------+     point to point connection      +-------+-------+
         | eth0                                               | eth0
 198.57.xxx.xxx        creates a bridge               192.168.1.100
   Routable            that plugs machine B
   address             into network A
</quotepre>
First, on zm.home, ensure IP forwarding is enabled via <pre>sysctl net.ipv4.ip_forward</pre> and set it to enabled in ''/etc/sysctl.conf'' if not.

Second, the gateway (default router) on network B needs to be modified to redirect traffic destined for host hentschel via eth0 on host zm.home. We don't redirect all internet traffic via the tunnel, just what is destined for the hentschel host. On the Asus router, that looks like this:
[[File:asus-static-route.png|600px|thumb|left|Under ''LAN''->''Route'']]
<br clear=both>
* the above seems flaky; sometimes the back route is incomplete. Ensuring that this works requires a route entry for each server on the home network (ugh), in the form of:
<pre>route add -net 10.0.0.0/24 gw 192.168.1.100</pre>

To actually create the tunnel, here is what needs to happen:
: on zm.home
# start ssh with ''-w0:0'' (creates tun0 interfaces on both ends); both sides need to be logged in as root
# set tun0 to up
# assign ip address to tun0
<pre>ssh -NTCf -w0:0 root@198.57.xxx.xxx
ip link set tun0 up
ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0
# not needed --> arp -Ds 10.0.0.200 eth0 pub</pre>
: once logged in on hentschel, the following needs to happen on that end
# set tun0 to up
# assign ip address to tun0
# add route to network B
<pre>ip link set tun0 up
ip addr add 10.0.0.100/24 peer 10.0.0.200 dev tun0
ip route add 192.168.1.0/24 via 10.0.0.100</pre>
At this point, a request for any host on network B that originates on host hentschel will be answered. At the same time, traffic for hentschel from network B will be directed there via zm.home. Note that the web server on hentschel does '''not''' answer since it is bound only to the public interface.
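The bring-up above (prerequisite checks, the ''ssh -w 0:0'' call, interface setup on both ends) as one script, run as root on zm.home. This is an added example written for this page, not a script from the wiki or from the Ubuntu guide it cites. It assumes the hostname server.hentschel.net and the 10.0.0.x addresses used above, checks PermitTunnel by reading the remote sshd_config over ssh, polls for tun0 instead of sleeping a fixed time, and gives hentschel its route back to network B with ''dev tun0'' rather than a gateway address (equivalent on a point-to-point link).

```bash
#!/bin/bash
# ssh-vpn-up.sh (hypothetical, written for this page): bring the "ssh -w 0:0"
# tun0 tunnel described above up from the zm.home side, after checking the
# things the procedure assumes, and wait for the device instead of guessing.
# Run as root on zm.home: "./ssh-vpn-up.sh up", later "./ssh-vpn-up.sh down".
set -eu

REMOTE_HOST="${REMOTE_HOST:-server.hentschel.net}"  # public end of the tunnel (hentschel)
LOCAL_TUN_IP="${LOCAL_TUN_IP:-10.0.0.200}"          # tun0 address on zm.home
REMOTE_TUN_IP="${REMOTE_TUN_IP:-10.0.0.100}"        # tun0 address on hentschel
HOME_NET="${HOME_NET:-192.168.1.0/24}"              # network B behind zm.home
TUN_DEV="${TUN_DEV:-tun0}"
WAIT_SECS="${WAIT_SECS:-10}"

# Accept only dotted-quad IPv4 so nothing odd from the environment reaches ip(8).
valid_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    local IFS=. n
    set -- $1
    [ $# -eq 4 ] || return 1
    for n; do [ -n "$n" ] && [ "$n" -le 255 ] || return 1; done
}

# The commands the hentschel end runs once its tun0 exists. Printed rather than
# executed so the block can be reviewed; "dev tun0" names the point-to-point
# link directly instead of a gateway address.
remote_commands() {
    printf '%s\n' \
        "ip link set $TUN_DEV up" \
        "ip addr add $REMOTE_TUN_IP/24 peer $LOCAL_TUN_IP dev $TUN_DEV" \
        "ip route replace $HOME_NET dev $TUN_DEV"
}

check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: both ends need root to create $TUN_DEV" >&2; return 1; }
    [ -c /dev/net/tun ] || { echo "/dev/net/tun is missing (modprobe tun)" >&2; return 1; }
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] \
        || { echo "net.ipv4.ip_forward is 0; enable it in /etc/sysctl.conf" >&2; return 1; }
    valid_ipv4 "$LOCAL_TUN_IP" && valid_ipv4 "$REMOTE_TUN_IP" \
        || { echo "tunnel addresses must be IPv4 dotted quads" >&2; return 1; }
    # sshd only honours -w if PermitTunnel is yes or point-to-point; check before dialling.
    ssh -o BatchMode=yes "root@$REMOTE_HOST" \
        'grep -Eiq "^[[:space:]]*PermitTunnel[[:space:]]+(yes|point-to-point)" /etc/ssh/sshd_config' \
        || { echo "$REMOTE_HOST: PermitTunnel is not enabled in sshd_config" >&2; return 1; }
}

# Poll for the device; ssh -f returns before the kernel has finished creating it.
wait_for_tun() {
    local i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        ip link show "$TUN_DEV" >/dev/null 2>&1 && return 0
        sleep 1; i=$((i + 1))
    done
    echo "$TUN_DEV did not appear within ${WAIT_SECS}s" >&2
    return 1
}

tunnel_up() {
    check_prereqs
    # -w 0:0 creates tun0 on both ends; -N -T: no command, no tty; -f: background after auth.
    # ExitOnForwardFailure makes ssh fail loudly if the server refuses the tunnel.
    ssh -f -N -T -o ExitOnForwardFailure=yes -w 0:0 "root@$REMOTE_HOST"
    wait_for_tun
    ip link set "$TUN_DEV" up
    ip addr add "$LOCAL_TUN_IP/24" peer "$REMOTE_TUN_IP" dev "$TUN_DEV"
    # Configure the far end over a second, ordinary session; nothing is stored on the server.
    remote_commands | ssh -o BatchMode=yes "root@$REMOTE_HOST" /bin/sh -s
}

tunnel_down() {
    # Ending the ssh that owns the tunnel removes tun0 on both ends.
    pkill -f "ssh -f -N -T -o ExitOnForwardFailure=yes -w 0:0 root@$REMOTE_HOST" || true
}

case "${1:-}" in
    up)   tunnel_up ;;
    down) tunnel_down ;;
    show) remote_commands ;;
    *)    : ;;   # no verb: only define the functions (when sourced)
esac
```

''show'' prints the far-end commands without connecting anywhere, which is a convenient way to review them before the first run; ''down'' simply ends the ssh that owns the tunnel, and the kernel removes tun0 on both ends.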
=== Automating the login ===
remote script on hentschel:
<pre>#!/bin/bash
/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.100/24 peer 10.0.0.200 dev tun0
sleep 4
/sbin/ip route add 192.168.1.0/24 via 10.0.0.100</pre>
local script on zm.home:
<pre>#!/bin/bash
ssh -n -w 0:0 root@server.hentschel.net /bin/bash /root/bin/ssh-vpn-remote.sh &
sleep 1
/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0</pre>
Here are a few tricks [http://stackoverflow.com/questions/11543720/how-to-use-ssh-to-run-a-local-command-after-connection-and-quit-after-this-local at this link]. Add the following to ~/.ssh/config (client side):
<pre>host targetserver
  ControlMaster auto
  ControlPath ~/.ssh/cm_sockets/%r@%h:%p</pre>
Then this will work:
<pre>$ ssh -fNT -Llocalport:remoteserver:remoteport targetserver
$ ssh -O check targetserver
Master running (pid=23450)
$ <do your stuff>
$ ssh -O exit targetserver
Exit request sent.
$ ssh -O check targetserver
Control socket connect(/home/sorin/.ssh/cm_socket/sorin@192.0.2.3:22): No such file or directory</pre>
Also, there seem to be timing dependencies between the commands and when they execute.

== Setting up VPN via OpenVPN ==
* following this [https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6 link], enumerating how far I got
#

== Setting up add'l hosts via Apache ProxyPass ==
server.hentschel.net is running CentOS. Files are in non-standard locations. Hints are from [https://www.badllama.com/content/how-set-proxypass-confluence-cpanel this link]

To set up isy.hentschel.net on port 443:
* create a 'subdomain' on the hoster.
[[File:hm-panel01.png|400px|left]][[File:hm-panel02.png|400px|left]]
<br clear=both>
* this stuff is done via cPanel, so we need to find the location where cPanel expects the config files.
The httpd.conf file under ''/usr/local/apache/conf'' gives some hints:
<pre> # To customize this VirtualHost use an include file at the following location
 # Include "/usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/*.conf"</pre>
Create the directory that this path entry is looking for, and chown it to the web user:
<pre>root@server.hentschel.net [hentsche]# mkdir isy.hentschel.net
root@server.hentschel.net [hentsche]# chown hentsche:hentsche isy.hentschel.net</pre>
Add a file there that looks like:
<pre>ServerName isy.hentschel.net
ProxyRequests On
# Order deny,allow
# Allow from all
ProxyPass / http://192.168.1.99/
ProxyPassReverse / http://192.168.1.99/
# Order allow,deny
# Allow from all</pre>
and name it isy.hentschel.net.conf. Make sure to chown this file to hentsche too.
* '''Important''': If there should be SSL access, add the same file to ''/usr/local/apache/conf/userdata/'''ssl'''/2/hentsche/isy.hentschel.net/''. Then you only need to do the steps below once.
* run the verifier '''/scripts/verify_vhost_includes --show-test-output''':
<pre>root@server.hentschel.net [isy.hentschel.net]# /scripts/verify_vhost_includes --show-test-output
Testing /usr/local/apache/conf/userdata/std/2/hentsche/zm.hentschel.net/zm.hentschel.net.conf...ok
[TEST RESULTS]
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:443 has no VirtualHosts
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:80 has no VirtualHosts
Syntax OK
[/TEST RESULTS]
Testing /usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/isy.hentschel.net.conf...ok
[TEST RESULTS]
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:443 has no VirtualHosts
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:80 has no VirtualHosts
Syntax OK
[/TEST RESULTS]</pre>
* commit the changes via '''/scripts/verify_vhost_includes --commit /scripts/ensure_vhost_includes --all-users'''
<pre>root@server.hentschel.net [isy.hentschel.net]# /scripts/verify_vhost_includes --commit /scripts/ensure_vhost_includes --all-users
Argument 1 did not match (?^:^--(.)) at /usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/Class/Std.pm line 438.
Testing /usr/local/apache/conf/userdata/std/2/hentsche/zm.hentschel.net/zm.hentschel.net.conf...ok
Testing /usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/isy.hentschel.net.conf...ok</pre>
* next is the cPanel distiller '''/usr/local/cpanel/bin/apache_conf_distiller --update'''
<pre>root@server.hentschel.net [isy.hentschel.net]# /usr/local/cpanel/bin/apache_conf_distiller --update
warn [apache_conf_distiller] Unable to determine domain 198.57.187.185 ownership. Attempting lookup on domain 57.187.185 (manually added domain).
warn [apache_conf_distiller] Unable to determine domain 198.57.187.185 ownership. Setting user to 'nobody'.
warn [apache_conf_distiller] Unable to determine domain _wildcard_.hentschel.net ownership. Attempting lookup on domain hentschel.net (manually added domain).
Distilled successfully</pre>
* and finally a script that rebuilds the apache config via '''/scripts/rebuildhttpdconf'''
<pre>root@server.hentschel.net [isy.hentschel.net]# /scripts/rebuildhttpdconf
Built /usr/local/apache/conf/httpd.conf OK</pre>
* everything together w/o the screen output
<pre>/scripts/verify_vhost_includes --show-test-output
/scripts/verify_vhost_includes --commit /scripts/ensure_vhost_includes --all-users
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf</pre>
* restart apache via WHM (server.hentschel.net/whm, same login as ssh). WHM has an extra section for restarts almost all the way down. After that, it should be ready to go.

== Password protection for hosts ==
* snagged from [http://www.visionfactory.com.au/blog/apache_mod_proxy_and_basic_http_authenti this link]
* change the vhosts file to the following
<pre>ServerName pvr.hentschel.net
<Location />
    AuthType Basic
    AuthUserFile "/home/hentsche/.htpasswd"
    AuthName Limited!
    Require valid-user
</Location>

ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass / http://192.168.1.101/
ProxyPassReverse / http://192.168.1.101/</pre>
* create the .htpasswd file with <pre>htpasswd -c .htpasswd username</pre> and add any other names without the '-c'. This file can be created on another host, since the server doesn't have htpasswd installed.
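The include file, its SSL twin and the cPanel commit steps from the ProxyPass section above, together with the Basic-auth variant from this section, as one script. It is an added example for this page, not the wiki's own or cPanel's code. It assumes the hentsche account and the /usr/local/apache/conf/userdata layout shown above, writes ''ProxyRequests Off'' in every case (''On'' makes the vhost a forward proxy, which a reverse proxy never needs), runs verify_vhost_includes --commit and ensure_vhost_includes --all-users as two separate commands, and checks that an AuthUserFile actually exists before the include goes live.

```bash
#!/bin/bash
# mk-proxy-include.sh (hypothetical, written for this page): generate and install the
# cPanel userdata include for a reverse-proxied subdomain, covering both the plain
# ProxyPass case and the Basic-auth variant, then run the cPanel steps listed above.
# Usage on the server, as root:
#   ./mk-proxy-include.sh install isy.hentschel.net http://192.168.1.99/
#   ./mk-proxy-include.sh install pvr.hentschel.net http://192.168.1.101/ auth
set -eu

CPANEL_USER="${CPANEL_USER:-hentsche}"
USERDATA_ROOT="${USERDATA_ROOT:-/usr/local/apache/conf/userdata}"
HTPASSWD_FILE="${HTPASSWD_FILE:-/home/$CPANEL_USER/.htpasswd}"

# Render the include. ProxyRequests is always Off: "On" enables forward proxying,
# i.e. anyone reaching the vhost could relay arbitrary requests through the server,
# and a reverse proxy never needs it.
render_include() {   # render_include <fqdn> <backend-url> [auth]
    local fqdn="$1" backend="$2" auth="${3:-}"
    printf 'ServerName %s\n' "$fqdn"
    printf 'ProxyRequests Off\n'
    if [ "$auth" = auth ]; then
        printf '<Location />\n'
        printf '    AuthType Basic\n'
        printf '    AuthName "Limited!"\n'
        printf '    AuthUserFile "%s"\n' "$HTPASSWD_FILE"
        printf '    Require valid-user\n'
        printf '</Location>\n'
    fi
    printf 'ProxyPass / %s\n' "$backend"
    printf 'ProxyPassReverse / %s\n' "$backend"
}

# Catch the two slips these configs invite: ProxyRequests On, and an AuthUserFile
# that does not exist (e.g. created as .htaccess instead of .htpasswd), which makes
# every login attempt fail with a 500.
lint_include() {   # lint_include <file>; returns 1 if a finding is printed
    local rc=0 f
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On[[:space:]]*$' "$1"; then
        echo "$1: ProxyRequests On exposes an open forward proxy" >&2; rc=1
    fi
    f=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$f" ] && ! [ -s "$f" ]; then
        echo "$1: AuthUserFile $f is missing or empty" >&2; rc=1
    fi
    return $rc
}

# Build a password entry on any host that has htpasswd (httpd-tools): -n prints instead
# of writing a file, -B selects bcrypt. Append the line to the .htpasswd on the server.
htpasswd_entry() {   # htpasswd_entry <user> <password>
    htpasswd -nbB "$1" "$2"
}

install_include() {  # install_include <fqdn> <backend-url> [auth]
    local fqdn="$1" tier dir
    for tier in std ssl; do   # same file for http and https, as the note above says
        dir="$USERDATA_ROOT/$tier/2/$CPANEL_USER/$fqdn"
        mkdir -p "$dir"
        render_include "$@" > "$dir/$fqdn.conf"
        chown "$CPANEL_USER:$CPANEL_USER" "$dir" "$dir/$fqdn.conf"
        lint_include "$dir/$fqdn.conf"
    done
    # cPanel's own steps; commit and ensure are run as two separate commands here.
    /scripts/verify_vhost_includes --show-test-output
    /scripts/verify_vhost_includes --commit
    /scripts/ensure_vhost_includes --all-users
    /usr/local/cpanel/bin/apache_conf_distiller --update
    /scripts/rebuildhttpdconf
}

case "${1:-}" in
    render)  shift; render_include "$@" ;;
    install) shift; install_include "$@" ;;
    lint)    lint_include "$2" ;;
    entry)   htpasswd_entry "$2" "$3" ;;
    *)       : ;;   # no verb: only define the functions (when sourced)
esac
```

''render'' prints the include so it can be checked before anything is written; ''lint'' can also be pointed at the existing includes under userdata to find a ''ProxyRequests On'' that slipped through. Apache still needs the restart from WHM after ''install'', as described above.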