
HM server networking

6,388 bytes added, 03:37, 24 April 2019
/* VPN via OpenVPN */
== Version ==
Current version is CentOS 6.10 - check with: <pre>cat /etc/redhat-release</pre>
== Changing HM password for SSH ==
* ssh login is always 'root'
* server: any server under the domain
=== Reset root/WHM password ===
# Login to your HostMonster Control Panel
# Click the Performance quicklink
# Scroll down to the Access Management section.
# Click the Root tab.
# Under the Password field, enter the new root password and click Update.
 
== Setting up VPN via SSHD ==
from [https://help.ubuntu.com/community/SSH_VPN this link]
On the ssh server side, modify the config:
* enable
** PermitTunnel yes
First, on zm.home, ensure IP forwarding is enabled via <pre>sysctl net.ipv4.ip_forward</pre>, and set it to enabled in ''/etc/sysctl.conf'' if not.
Second, the gateway (default router) on network B needs to be modified to redirect traffic destined for host hentschel via eth0 on host zm.home. We don't redirect all internet traffic via the tunnel, just what is destined for the hentschel host. On the Asus router, that looks like this:
[[File:asus-static-route.png|400px600px|thumb|left|Under ''LAN''->''Route'']]<br clear=both>
* the above seems flaky; sometimes the back route is incomplete. Ensuring that this works requires a route entry for each server on the home network (ugh), in the form of:<pre>route add -net 10.0.0.0/24 gw 192.168.1.100</pre>
To actually create the tunnel, here is what needs to happen:
<pre>
ip link set tun0 up
ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0
# not needed --> arp -Ds 10.0.0.200 eth0 pub # needed?
</pre>
=== Automating the login ===
 
remote script on hentschel
<pre>
#!/bin/bash
 
/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.100/24 peer 10.0.0.200 dev tun0
sleep 4
/sbin/ip route add 192.168.1.0/24 via 10.0.0.100
</pre>
 
local script on zm.home:
<pre>
#!/bin/bash
 
ssh -n -w 0:0 root@server.hentschel.net /bin/bash /root/bin/ssh-vpn-remote.sh &
sleep 1
/sbin/ip link set tun0 up
/sbin/ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0
</pre>
 
Here are a few tricks [http://stackoverflow.com/questions/11543720/how-to-use-ssh-to-run-a-local-command-after-connection-and-quit-after-this-local at this link]:
<pre>
$ ssh -O check targetserver
Control socket connect(/home/sorin/.ssh/cm_socket/sorin@192.0.2.3:22): No such file or directory
</pre>
 
Also, there seem to be timing dependencies between the commands and when they execute (hence the sleeps in the scripts above).
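The following script is an added example and not one of the scripts from the page: it wraps the zm.home side of the tunnel bring-up with prerequisite checks (PermitTunnel on the server, IP forwarding locally) and replaces the fixed sleeps with a bounded wait on the condition each next step actually needs, which removes the timing dependency noted above. The addresses, the ssh target and the remote script path come from the page; the 10-second wait budgets and the ''ip -o addr'' based check are assumptions.

```shell
#!/bin/bash
# Added example, not a script from the original page: prerequisite checks and a
# bounded wait for the SSH tun0 VPN described above. Addresses (10.0.0.100 on
# hentschel, 10.0.0.200 on zm.home), the remote script path and the ssh target
# come from the page; the 10-second wait budgets are an assumption.

# sshd_permits_tunnel [sshd_config]
# Exit 0 when the config has an uncommented "PermitTunnel yes" (or
# "point-to-point"). Run this on the server side (hentschel), whose sshd must
# allow tun devices for "ssh -w" to work.
sshd_permits_tunnel() {
    cfg="${1:-/etc/ssh/sshd_config}"
    grep -Eiq '^[[:space:]]*PermitTunnel[[:space:]]+(yes|point-to-point)([[:space:]]|$)' "$cfg"
}

# ip_forward_enabled [proc_file]
# Exit 0 when net.ipv4.ip_forward reads 1; the page checks it with sysctl.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# wait_for <seconds> <command...>
# Retry the command once per second until it succeeds or the budget is spent.
# This replaces the fixed sleeps in the page's scripts, which are the source of
# the timing dependency noted above.
wait_for() {
    n="$1"; shift
    while [ "$n" -gt 0 ]; do
        "$@" && return 0
        n=$((n - 1))
        sleep 1
    done
    return 1
}

# tun_has_addr <ifname> <ipv4_addr> [ip_addr_output]
# Exit 0 when the interface already carries the address. A third argument
# supplies the "ip -o addr" text instead of running it (used for offline tests).
tun_has_addr() {
    ifname="$1"; addr="$2"
    if [ $# -ge 3 ]; then out="$3"; else out="$(ip -o addr show dev "$ifname" 2>/dev/null)"; fi
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')
    printf '%s\n' "$out" | grep -Eq "inet[[:space:]]+$esc([[:space:]]|/)"
}

# bring_up_local_tun
# The zm.home side of the page's "local script", made idempotent and with each
# sleep replaced by a wait on the condition the next step actually needs.
# Must run as root on zm.home.
bring_up_local_tun() {
    ip_forward_enabled || { echo "net.ipv4.ip_forward is not 1 on this host" >&2; return 1; }
    # Start the tunnel; the remote script configures the 10.0.0.100 end.
    ssh -n -w 0:0 root@server.hentschel.net /bin/bash /root/bin/ssh-vpn-remote.sh &
    wait_for 10 ip link show tun0 >/dev/null 2>&1 \
        || { echo "tun0 did not appear; check PermitTunnel on the server" >&2; return 1; }
    ip link set tun0 up
    tun_has_addr tun0 10.0.0.200 || ip addr add 10.0.0.200/24 peer 10.0.0.100 dev tun0
    # Only report success once the far end answers through the tunnel.
    wait_for 10 ping -c 1 -W 1 10.0.0.100 >/dev/null 2>&1 \
        || { echo "peer 10.0.0.100 not reachable through tun0" >&2; return 1; }
    echo "tunnel up: 10.0.0.200 <-> 10.0.0.100"
}

# Usage: ssh-vpn-local.sh up   (the tunnel is only touched when invoked with "up")
if [ "${1:-}" = "up" ]; then
    bring_up_local_tun
fi
```

Run ''sshd_permits_tunnel'' on hentschel before anything else; if sshd refuses tun devices the ''ssh -w'' call silently falls back to a plain session and tun0 never appears, which the second wait reports instead of hanging.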
 
== Setting up VPN via OpenVPN ==
* following this [https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6 link], enumerating how far I got
 
#
 
== Setting up add'l hosts via Apache ProxyPass ==
 
server.hentschel.net is running CentOS. Files are in non-standard locations. Hints are from [https://www.badllama.com/content/how-set-proxypass-confluence-cpanel this link]. To set up isy.hentschel.net on port 443:
* create a 'subdomain' on the hoster.
[[File:hm-panel01.png|400px|left]]
[[File:hm-panel02.png|400px|left]]
<br clear=both>
* this stuff is done via cPanel, so we need to find the location where cPanel expects the config files. The httpd.conf file under ''/usr/local/apache/conf'' gives some hints:
<pre>
# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/*.conf"
</pre>
 
Create the directory that this path entry is looking for, and chown to the web user:
<pre>
root@server.hentschel.net [hentsche]# mkdir isy.hentschel.net
root@server.hentschel.net [hentsche]# chown hentsche:hentsche isy.hentschel.net
</pre>
 
Add a file there that looks like:
<pre>
ServerName isy.hentschel.net
# Off: this is a reverse proxy; "On" would turn the host into an open forward proxy
ProxyRequests Off
# Order deny,allow
# Allow from all
ProxyPass / http://192.168.1.99/
ProxyPassReverse / http://192.168.1.99/
# Order allow,deny
# Allow from all
</pre>
and name it isy.hentschel.net.conf. Make sure to chown this file to hentsche too.
 
* '''Important''': If there should be SSL access, add the same file to ''/usr/local/apache/conf/userdata/'''ssl'''/2/hentsche/isy.hentschel.net/''. Then you only need to do the steps below once.
 
* run the verifier '''/scripts/verify_vhost_includes --show-test-output''':
<pre>root@server.hentschel.net [isy.hentschel.net]# /scripts/verify_vhost_includes --show-test-output
Testing /usr/local/apache/conf/userdata/std/2/hentsche/zm.hentschel.net/zm.hentschel.net.conf...ok
[TEST RESULTS]
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:443 has no VirtualHosts
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:80 has no VirtualHosts
Syntax OK
 
[/TEST RESULTS]
 
Testing /usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/isy.hentschel.net.conf...ok
[TEST RESULTS]
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:443 has no VirtualHosts
[Mon Mar 27 06:08:21 2017] [warn] NameVirtualHost 198.57.187.185:80 has no VirtualHosts
Syntax OK
 
[/TEST RESULTS]
</pre>
 
* commit the changes via '''/scripts/verify_vhost_includes --commit /scripts/ensure_vhost_includes --all-users'''
<pre>
root@server.hentschel.net [isy.hentschel.net]# /scripts/verify_vhost_includes --commit /scripts/ensure_vhost_includes --all-users
Argument 1 did not match (?^:^--(.)) at /usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/Class/Std.pm line 438.
Testing /usr/local/apache/conf/userdata/std/2/hentsche/zm.hentschel.net/zm.hentschel.net.conf...ok
Testing /usr/local/apache/conf/userdata/std/2/hentsche/isy.hentschel.net/isy.hentschel.net.conf...ok</pre>
* next is the cPanel distiller '''/usr/local/cpanel/bin/apache_conf_distiller --update'''
<pre>root@server.hentschel.net [isy.hentschel.net]# /usr/local/cpanel/bin/apache_conf_distiller --update
warn [apache_conf_distiller] Unable to determine domain 198.57.187.185 ownership. Attempting lookup on domain 57.187.185 (manually added domain).
warn [apache_conf_distiller] Unable to determine domain 198.57.187.185 ownership. Setting user to 'nobody'.
warn [apache_conf_distiller] Unable to determine domain _wildcard_.hentschel.net ownership. Attempting lookup on domain hentschel.net (manually added domain).
Distilled successfully</pre>
 
* and finally a script that rebuilds the apache config via '''/scripts/rebuildhttpdconf'''
<pre>root@server.hentschel.net [isy.hentschel.net]# /scripts/rebuildhttpdconf
Built /usr/local/apache/conf/httpd.conf OK</pre>
 
* everything together w/o the screen output
<pre>/scripts/verify_vhost_includes --show-test-output
/scripts/verify_vhost_includes --commit /scripts/ensure_vhost_includes --all-users
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf</pre>
 
* restart Apache via WHM (server.hentschel.net/whm, same login as ssh). WHM has an extra section for restarts almost all the way down the page. After that, it should be ready to go.
 
== Password protection for hosts ==
* snagged from [http://www.visionfactory.com.au/blog/apache_mod_proxy_and_basic_http_authenti this link]
* change the vhosts file to the following
<pre>
ServerName pvr.hentschel.net
<Location / >
AuthType Basic
AuthUserFile "/home/hentsche/.htpasswd"
AuthName Limited!
Require valid-user
</Location>
 
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://192.168.1.101/
ProxyPassReverse / http://192.168.1.101/
</pre>
 
* create the .htpasswd file with <pre>htpasswd -c .htpasswd username</pre>, then add any other names without the '-c' (which would recreate the file). This file can be created on another host, since the server doesn't have htpasswd installed; its path must match the ''AuthUserFile'' in the vhost file above.