== Version ==
Current version is CentOS 6.10 - check with: <pre>cat /etc/redhat-release</pre>
== Changing HM password for SSH ==
* ssh login is always 'root'
* server: any server under the domain
=== Reset root/WHM password ===
# Login to your HostMonster Control Panel
# Click the Performance quicklink
# Scroll down to the Access Management section.
# Click the Root tab.
# Under Password field, Enter the New Root Password. Click on Update.
== Setting up VPN via SSHD ==
from [https://help.ubuntu.com/community/SSH_VPN this link]
On the ssh server side, modify the sshd config (''/etc/ssh/sshd_config'') and restart sshd:
* enable
** PermitTunnel yes
This lets any login sshd accepts (here: root) bring up a layer-3 link into the server. ''PermitTunnel point-to-point'' is the narrower setting for this use, and a key in ''authorized_keys'' can be pinned to one unit with the ''tunnel="0"'' option.
<pre>
 hentschel (server)                                    zm.home (client)
 +------------------+   point to point connection     +------------------+
 | eth0             |   (tun0 on both ends)           | eth0             |
 | 198.57.187.185   |   creates a bridge that plugs   | 192.168.1.100    |
 | routable address |   machine B into network A      |                  |
 +------------------+                                 +------------------+
</pre>
At this point, a request for any host on network B that originates on host hentschel will be answered. At the same time, traffic for hentschel from network B will be directed there via zm.home. For that to work, zm.home must forward between tun0 and its LAN (net.ipv4.ip_forward=1), and the hosts on network B need a route back to 10.0.0.0/24 via zm.home (or zm.home must NAT the tunnel traffic). Note that the web server on hentschel does '''not''' answer over the tunnel, since its interface is only bound to the public address.
=== Automating the login ===
remote script on hentschel, ''/root/bin/ssh-vpn-remote.sh'' (runs as root; tun0 exists once the client's ''ssh -w'' session is up):
<pre>
#!/bin/bash
set -e
# bring up the server end of the tunnel
/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.100/24 peer 10.0.0.200 dev tun0
sleep 4
# route the home network (network B) through the tunnel; the next hop is the peer, i.e. zm.home's tun address
/sbin/ip route add 192.168.1.0/24 via 10.0.0.200 dev tun0
</pre>
local script on zm.home (runs as root):
<pre>
#!/bin/bash
set -e
# open the ssh session that creates tun0 on both ends (-w 0:0) and runs the remote script;
# -n keeps it from reading stdin, & leaves it running in the background
ssh -n -w 0:0 root@server.hentschel.net /bin/bash /root/bin/ssh-vpn-remote.sh &
sleep 1
# bring up the client end once ssh has created the local tun0
/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0
</pre>
A few tricks [http://stackoverflow.com/questions/11543720/how-to-use-ssh-to-run-a-local-command-after-connection-and-quit-after-this-local at this link] for driving the tunnel from one multiplexed connection: open it once, run commands over it, close it with ''-O exit''.
Add the following to ~/.ssh/config (client side); the socket directory must exist (''mkdir -m 700 ~/.ssh/cm_socket''):
<pre>host targetserver
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
</pre>
Then this will work:
<pre>
$ ssh -fNT -Llocalport:remoteserver:remoteport targetserver
$ ssh -O check targetserver
Master running (pid=23450)
$ <do your stuff>
$ ssh -O exit targetserver
Exit request sent.
$ ssh -O check targetserver
Control socket connect(/home/sorin/.ssh/cm_socket/sorin@192.0.2.3:22): No such file or directory</pre>
There also seem to be timing dependencies between the commands and when they execute (hence the sleep calls in the scripts above).
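Putting the two scripts and the ControlMaster trick together, as an added example (not one of the page's own scripts): a single client-side script that opens one multiplexed connection carrying the tun device, pipes the server-side commands over that same connection instead of keeping ''/root/bin/ssh-vpn-remote.sh'' on the server, checks the link with a ping, and tears everything down with ''ssh -O exit''. The file name ''ssh-vpn.sh'', the function names and the ''TUN''/''LAN_IF'' variables are mine; the address defaults are the page's, and ''LAN_IF'' is an assumed knob you set to zm.home's LAN interface if the hosts on network B have no route back to 10.0.0.0/24.

```shell
#!/bin/bash
# ssh-vpn.sh: bring the ssh -w tunnel from zm.home to hentschel up or down over one
# ControlMaster connection. The tun device lives on the master, the server end is
# configured over a multiplexed session (nothing has to be installed on the server),
# and "ssh -O exit" tears everything down again.
#
# Added example, not one of the page's scripts. Assumptions:
#   - $REMOTE is the page's root@server.hentschel.net and sshd there has PermitTunnel yes
#   - tun unit 0 is free on both ends (the page's -w 0:0); addresses default to the
#     page's 10.0.0.100 (server) / 10.0.0.200 (client), network B = 192.168.1.0/24
#   - LAN_IF (unset by default) is zm.home's LAN interface; if set, traffic from the
#     server is masqueraded so network-B hosts need no route back to 10.0.0.0/24
#   - both ends run the ip commands as root
set -eu

REMOTE="${REMOTE:-root@server.hentschel.net}"
TUN="${TUN:-0}"
REMOTE_ADDR="${REMOTE_ADDR:-10.0.0.100}"   # tun address on hentschel
LOCAL_ADDR="${LOCAL_ADDR:-10.0.0.200}"     # tun address on zm.home
HOME_NET="${HOME_NET:-192.168.1.0/24}"     # network B behind zm.home
LAN_IF="${LAN_IF:-}"
CTL_DIR="${HOME:-/root}/.ssh/cm_socket"
CTL="$CTL_DIR/vpn-%r@%h:%p"

# Script run on the server: $1 tun unit, $2 server addr, $3 client addr, $4 home net.
# The route to the home network goes via the *peer*, i.e. the client's tun address.
remote_script() {
    cat <<EOF
set -e
ip link set tun$1 up
ip addr add $2 peer $3/32 dev tun$1
ip route replace $4 via $3 dev tun$1
EOF
}

# Sanity check before shipping the script: the route must point at the peer, never at
# the server's own tun address (a point-to-point link may tolerate that, but it is wrong).
remote_script_routes_via_peer() {
    [ "$2" != "$3" ] || return 1
    remote_script "$1" "$2" "$3" "$4" | grep -Fx "ip route replace $4 via $3 dev tun$1" >/dev/null
}

ssh_ctl() { ssh -o ControlPath="$CTL" "$@"; }

vpn_up() {
    mkdir -p -m 700 "$CTL_DIR"
    # Master connection: carries the tun (-w) and stays in the background (-fN).
    ssh -o ControlMaster=yes -o ControlPath="$CTL" -fN -w "$TUN:$TUN" "$REMOTE"
    ssh_ctl -O check "$REMOTE"
    # Server side, over the same authenticated session; sshd has created tun$TUN by now.
    remote_script_routes_via_peer "$TUN" "$REMOTE_ADDR" "$LOCAL_ADDR" "$HOME_NET"
    remote_script "$TUN" "$REMOTE_ADDR" "$LOCAL_ADDR" "$HOME_NET" | ssh_ctl "$REMOTE" bash -s
    # Client side.
    ip link set "tun$TUN" up
    ip addr add "$LOCAL_ADDR" peer "$REMOTE_ADDR/32" dev "tun$TUN"
    sysctl -q -w net.ipv4.ip_forward=1     # zm.home forwards between tun and the LAN
    if [ -n "$LAN_IF" ]; then
        iptables -t nat -C POSTROUTING -s "$REMOTE_ADDR/32" -o "$LAN_IF" -j MASQUERADE 2>/dev/null \
            || iptables -t nat -A POSTROUTING -s "$REMOTE_ADDR/32" -o "$LAN_IF" -j MASQUERADE
    fi
    # Prove the link works before reporting success.
    ping -c 3 -W 2 "$REMOTE_ADDR" >/dev/null
    echo "tunnel up: $LOCAL_ADDR <-> $REMOTE_ADDR, $HOME_NET reachable from $REMOTE"
}

vpn_down() {
    # Closing the master closes the tunnel; both ssh and sshd drop their tun devices.
    ssh_ctl -O exit "$REMOTE" || true
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    *)    echo "usage: $0 up|down (sourcing the file only defines the functions)" >&2 ;;
esac
```

Run as root on zm.home: ''./ssh-vpn.sh up'', then ''./ssh-vpn.sh down''. Because the tunnel is tied to the master connection, closing the master is the only cleanup needed; the non-persistent tun devices disappear with the session on both ends.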
== Setting up VPN via OpenVPN ==
* following this [https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6 link], enumerating how far I got
== Setting up add'l hosts via Apache ProxyPass ==
server.hentschel.net is running CentOS with cPanel, so files are in non-standard locations. Hints are from [https://www.badllama.com/content/how-set-proxypass-confluence-cpanel this link]. To set up isy.hentschel.net on port 443:
* create a 'subdomain' on the hoster.
[[File:hm-panel01.png|400px|left]]
[[File:hm-panel02.png|400px|left]]
<br clear=both>
* this is done via cPanel, so the config has to go where cPanel expects it. The generated ''/usr/local/apache/conf/httpd.conf'' says where, in the VirtualHost for the subdomain:
<pre> # To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/*.conf"</pre>
Create the directory that this Include path points to and chown it to the cPanel account user (hentsche, not root):
<pre>
root@server.hentschel.net [hentsche]# mkdir isy.hentschel.net
root@server.hentschel.net [hentsche]# chown hentsche:hentsche isy.hentschel.net
</pre>
Add a file there that looks like this. ProxyRequests must be '''Off''': ProxyPass does not need it, and with On mod_proxy also honours forward-proxy requests for arbitrary hosts, which makes the server an open proxy.
<pre>
ServerName isy.hentschel.net
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://192.168.1.99/
ProxyPassReverse / http://192.168.1.99/
</pre>
and name it isy.hentschel.net.conf. Make sure to chown this file to hentsche too.
* '''Important''': If there should be SSL access, add the same file to ''/usr/local/apache/conf/userdata/'''ssl'''/2/hentsche/isy.hentschel.net/''. Then you only need to do the steps below once.
* run the verifier '''/scripts/verify_vhost_includes --show-test-output''':
<pre>root@server.hentschel.net [isy.hentschel.net]# /scripts/verify_vhost_includes --show-test-output
Testing /usr/local/apache/conf/userdata/std/2/hentsche/zm.hentschel.net/zm.hentschel.net.conf...ok
[TEST RESULTS]
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:443 has no VirtualHosts
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:80 has no VirtualHosts
Syntax OK
[/TEST RESULTS]
Testing /usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/isy.hentschel.net.conf...ok
[TEST RESULTS]
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:443 has no VirtualHosts
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:80 has no VirtualHosts
Syntax OK
[/TEST RESULTS]
</pre>
* commit the changes with '''/scripts/verify_vhost_includes --commit''', then make sure the Include lines are present with '''/scripts/ensure_vhost_includes --all-users'''. These are two separate commands; the transcript below ran them on one line, which is why verify_vhost_includes complains about "Argument 1" (it was handed the second script's path as an option) before testing the includes:
<pre>
root@server.hentschel.net [isy.hentschel.net]# /scripts/verify_vhost_includes --commit /scripts/ensure_vhost_includes --all-users
Argument 1 did not match (?^:^--(.)) at /usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/Class/Std.pm line 438.
Testing /usr/local/apache/conf/userdata/std/2/hentsche/zm.hentschel.net/zm.hentschel.net.conf...ok
Testing /usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/isy.hentschel.net.conf...ok</pre>
* next is the cpanel distiller '''/usr/local/cpanel/bin/apache_conf_distiller --update'''
<pre>root@server.hentschel.net [isy.hentschel.net]# /usr/local/cpanel/bin/apache_conf_distiller --update
warn [apache_conf_distiller] Unable to determine domain 198.57.187.185 ownership. Attempting lookup on domain 57.187.185 (manually added domain).
warn [apache_conf_distiller] Unable to determine domain 198.57.187.185 ownership. Setting user to 'nobody'.
warn [apache_conf_distiller] Unable to determine domain _wildcard_.hentschel.net ownership. Attempting lookup on domain hentschel.net (manually added domain).
Distilled successfully</pre>
* and finally a script that rebuilds the apache config via '''/scripts/rebuildhttpdconf'''
<pre>root@server.hentschel.net [isy.hentschel.net]# /scripts/rebuildhttpdconf
Built /usr/local/apache/conf/httpd.conf OK</pre>
* everything together w/o the screen output (one command per line)
<pre>/scripts/verify_vhost_includes --show-test-output
/scripts/verify_vhost_includes --commit
/scripts/ensure_vhost_includes --all-users
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf</pre>
* restart apache via WHM (server.hentschel.net/whm, same login as ssh); the restart section is almost at the bottom of the WHM menu. From the shell, '''/scripts/restartsrv_httpd''' does the same. After that it should be ready to go.
== Password protection for hosts ==
* snagged from [http://www.visionfactory.com.au/blog/apache_mod_proxy_and_basic_http_authenti this link]
* change the include file for the host (same userdata location as above) to the following
<pre>
ServerName pvr.hentschel.net
<Location / >
AuthType Basic
AuthUserFile "/home/hentsche/.htpasswd"
AuthName Limited!
Require valid-user
</Location>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://192.168.1.101/
ProxyPassReverse / http://192.168.1.101/
</pre>
* create the .htpasswd file with <pre>htpasswd -c /home/hentsche/.htpasswd username</pre> and add further users with the same command w/o the '-c' (which would overwrite the file). The file can be created on another host, since the server doesn't have htpasswd installed; the default apr1 (MD5) hash is understood by every Apache version, bcrypt ('''htpasswd -B''') only by 2.4. Basic auth sends the password in cleartext on port 80, so put the same include under the ''ssl'' userdata directory as well and use the https name of the host.
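The whole ProxyPass procedure above, plus the basic-auth variant from this section, as one added script (not from the page, and not a cPanel tool): it writes the include under both the ''std'' and ''ssl'' userdata paths, owned by the account user, refuses to install an include that says ProxyRequests On, and runs the cPanel verify/commit/ensure/distiller/rebuild steps as separate commands. The script name ''mk-proxy-include.sh'' and the function names are mine; ''APACHE_CONF'' is an assumed override so the rendering can be tried in a scratch directory on any machine, and the cPanel scripts are only invoked where they exist.

```shell
#!/bin/bash
# mk-proxy-include.sh: generate the cPanel userdata include for a reverse-proxied
# subdomain (std and ssl copies), optionally behind HTTP basic auth, verify it does
# not enable forward proxying, and run the cPanel rebuild steps one by one.
#
# Added example, not the page's own procedure. Assumptions:
#   - the include layout from the page: $APACHE_CONF/userdata/{std,ssl}/2/USER/HOST/HOST.conf
#   - APACHE_CONF defaults to /usr/local/apache/conf; point it at a scratch dir for a dry run
#   - the cPanel scripts under /scripts are only run when they exist on this host
#   - the Order/Allow lines are the page's Apache 2.2 syntax (mod_access_compat on 2.4)
set -eu

APACHE_CONF="${APACHE_CONF:-/usr/local/apache/conf}"

# Print the include. $1 host name, $2 backend URL, $3 optional AuthUserFile path.
render_include() {
    local host="$1" backend="$2" htpasswd="${3:-}"
    printf 'ServerName %s\n' "$host"
    if [ -n "$htpasswd" ]; then
        cat <<EOF
<Location />
    AuthType Basic
    AuthName "Limited"
    AuthUserFile "$htpasswd"
    Require valid-user
</Location>
EOF
    fi
    cat <<EOF
# Off: this is a reverse proxy. "On" would make the server an open forward proxy.
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass / $backend
ProxyPassReverse / $backend
EOF
}

# Exit 0 if the include does not enable forward proxying (commented lines ignored).
include_is_safe() {
    ! grep -Ei '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)' "$1" >/dev/null
}

# Write the std and ssl copies for cPanel user $1, host $2, backend $3, optional
# htpasswd $4, owned by the account user as the page requires. Prints each path written.
install_include() {
    local user="$1" host="$2" backend="$3" htpasswd="${4:-}" kind dir f
    for kind in std ssl; do
        dir="$APACHE_CONF/userdata/$kind/2/$user/$host"
        f="$dir/$host.conf"
        mkdir -p "$dir"
        render_include "$host" "$backend" "$htpasswd" >"$f"
        include_is_safe "$f" || { echo "refusing to install $f: ProxyRequests On" >&2; return 1; }
        chown "$user:$user" "$dir" "$f" 2>/dev/null || true   # needs root; skipped in a dry run
        echo "$f"
    done
}

# The cPanel side, as separate commands: the page's one-liner hands the second
# script's path to verify_vhost_includes as an argument, hence its "Argument 1" error.
apply_cpanel() {
    if [ ! -x /scripts/verify_vhost_includes ]; then
        echo "no cPanel scripts on this host: include written, nothing applied" >&2
        return 0
    fi
    /scripts/verify_vhost_includes --show-test-output
    /scripts/verify_vhost_includes --commit
    /scripts/ensure_vhost_includes --all-users
    /usr/local/cpanel/bin/apache_conf_distiller --update
    /scripts/rebuildhttpdconf
    /scripts/restartsrv_httpd
}

# usage: mk-proxy-include.sh install USER HOST BACKEND_URL [HTPASSWD]
#   e.g. APACHE_CONF=/tmp/dry ./mk-proxy-include.sh install hentsche isy.hentschel.net http://192.168.1.99/
#        ./mk-proxy-include.sh install hentsche pvr.hentschel.net http://192.168.1.101/ /home/hentsche/.htpasswd
if [ "${1:-}" = install ]; then
    install_include "$2" "$3" "$4" "${5:-}"
    apply_cpanel
fi
```

The ''include_is_safe'' check is the one worth keeping even if the rest is done by hand: run it over ''/usr/local/apache/conf/userdata'' after editing, since a single ''ProxyRequests On'' in any include turns the whole vhost into an open proxy.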