HOWTO: Poor man VPN in Debian/Ubuntu with OpenSSH

If you are managing a remote Linux network and you are tired of NATting or two ssh hops to enter a remote server, but OpenVPN poses too much overhead, you can use ssh tunneling to easily create a workstation-to-site VPN.
I’ve tested this with Ubuntu 9.10 Karmic Koala as the workstation and Debian 5.0 Lenny as the server, but it should work identically with older Ubuntu and Debian (both server or workstation).

I’ve been inspired by these two tutorials, although both didn’t work 100% for me, but joining pieces did the trick, so here I am :)

Software prerequisites:

  • Standard Debian or Ubuntu
  • openssh-server on the remote side of the VPN
  • openssh-client on the local side of the VPN (your PC)

Network configuration (as an example)

  • Workstation LAN: 192.168.0.0/24
  • Server LAN: 192.168.10.0/24 on eth1
  • VPN: 10.0.0.0/24
  • Remote server public address: 1.2.3.4 on eth0

First of all, on the workstation generate a dedicated key (it should be a dedicated one cause the server will identify you’re going to bring up a tunnel based on the key you’re using to connect) with

# ssh-keygen -f /root/.ssh/VPNkey -b 2048

Now edit /etc/network/interfaces and create a new stanza like this one (remember to change IP addresses – in bold – according to your personal network configuration)

iface tun0 inet static
# from pre-up to true on the same line
pre-up ssh -i /root/.ssh/VPN -S /var/run/ssh-vpn-tunnel-control -M -f -w 0:0 1.2.3.4 true
pre-up sleep 5
address 10.1.0.2
pointopoint 10.1.0.1
netmask 255.255.255.0
up route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.1.0.1 tun0
post-down ssh -i /root/.ssh/VPN -S /var/run/ssh-vpn-tunnel-control -O exit 1.2.3.4

Just a copuple of notes: address is your VPN local endpoint address (say, your workstation) while pointopoint is the remote VPNaddress (your server), which are the two tunnel’s endpoints.

Now let’s go to the server.

Edit /etc/ssh/sshd_server, add the line
PermitTunnel point-to-point

and restart your sshd instance.
Now edit (or create) /root/.ssh/authorized_keys (remember, we are on the server now, not your workstation) and add a line like

tunnel="0",command="/sbin/ifdown tun0; /sbin/ifup tun0" ssh-rsa HERE IT GOES YOUR VPNkey.pub FROM YOUR WORKSTATION

now edit /etc/network/interfaces and add this stanza:

iface tun0 inet static
address 10.1.0.1
netmask 255.255.255.0
pointopoint 10.1.0.2
post-up /sbin/sysctl -w net.ipv4.ip_forward=1
post-up /sbin/iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth1 -j MASQUERADE
post-down /sbin/iptables -t nat -D POSTROUTING -s 10.1.0.0/24 -o eth1 -j MASQUERADE
post-down /sbin/sysctl -w net.ipv4.ip_forward=0

the post-up and post-down commands enable the network sharing between the VPN server endpoint and the remote LAN (it’s called masquerading), so you can access the remote LAN from your workstation and not only the remote server. Obviously you need to instruct your workstation with a dedicated static route to reach the remote LAN network, and this is the route add -net in your workstation config.

Now, bring up the tunnel on the workstation with
# ifup tun0
and you should be able to reach a remote server on your remote LAN, with traffic secured by OpenSSH encryption.

Advertisements

HOWTO: Install Mysql 5.1 for SPARC64 under Debian Lenny

If you happen to own a SPARC64 box, you’ll probably already know that even if the kernel is 64bit the userland comes from the normal SPARC Debian port, so it’s 32bit. Mysql is no exception, with all the 32bit limitations – mainly the 4GB RAM per process limit.

This is really¬† a PITA because if you have a SPARC64 box probably it has got plenty of RAM and you want to use it at its full potential, without having to messing around with Solaris (yeah, I don’t like it very much, I’m sorry).

This guide covers Mysql 5.1 installation in Debian Lenny, so we have to use SID repositories.


# echo "deb http://ftp.de.debian.org/debian/ sid main" >> /etc/apt/sources.list
# echo "deb-src http://ftp.de.debian.org/debian/ sid main" >> /etc/apt/sources.list

then let’s edit our apt preferences to avoid massive update on next dist-upgrade :)

# vim /etc/apt/preferences
Package: *
Pin: release a=stable
Pin-Priority: 900
Package: *
Pin: release a=sid
Pin-Priority: 100

and then update our repo list

# aptitude update

And here we go:

# apt-get build-dep mysql-server-5.1
# mkdir /tmp/mysql-build; cd /tmp/mysql-build
# apt-get source mysql-server-5.1
# vim mysql-dfsg-5.1*/debian/rules

here we touch a little the rules for compiling cause there are a couple of things that are not going to work by default.

The MAKE_J variable doesn’t work very well, so you can modify the grep to look for “CPU” instead of “processor” or you could hardcode it to the number of processor you have. This will make compilation a lot faster.

MAKE_J = -j$(shell if [ -f /proc/cpuinfo ] ; then grep -c CPU* /proc/cpuinfo ; else echo 1 ; fi)

then edit the CFLAGS variable because it’s used to compile some library that will ignore the environment variables we are going to set later in this howto.

CFLAGS=$${MYSQL_BUILD_CFLAGS:-"-O3 -DBIG_JOINS=1 -m64 -mcpu=niagara2 ${FORCE_FPIC_CFLAGS}"} \

it should be about line 73. Please note that -m64 will make it 64bit so it’s mandatory while the mcpu flag it’s to optimize the executable for your CPU. In my case it’s a niagara2 chip but you can use another CPU as well. Check the GCC documentation for more details
Save and quit and then we can start with the compilation process:

# export CFLAGS="-m64 -mcpu=niagara2 -O2 -g"
# export CXXFLAGS="-m64 -mcpu=niagara2 -O2 -g"
# export CPPFLAGS="-m64 -mcpu=niagara2 -O2 -g"
# export LDFLAGS="-m64 -mcpu=niagara2 -O2 -g"
# export DEB_BUILD_OPTIONS="nocheck"
# debuild -us -uc --preserve-env

that’s it. After some minutes (depending on your HW), you should have in /tmp/mysql-build all your new DEBs which you can install with dpkg -i. I advice to install the stock mysql-server-5.1 with aptitude before to get all dependencies installed, then you can use dpkg with your new DEBs.

HOWTO: Debian and SCSI multipathing with multipath-tools

After getting iSCSI working on Debian Etch the next thing to do is to set up multipath to get redundancy in case one path from the SCSI client to the SCSI target fails.

First, let’s digg a bit more in depth about what a path is, what can go wrong and what we can do to prevent it. Usually in a simple iSCSI environment there are two network interfaces dedicated to the remote storage, each one connected to a distinct ethernet switch and each switch connected to the a distinct ethernet interface in the host SAN. Then here you have two separated controller cards (let’s call them A and B) which connect to the same logical volume (a RAID array.. so here redundancy is already covered). I repeat, this is the simplest redundant scenario, in which you can have redundancy, a good fault-tolerance and can parallelize via round-robin the requests from the initiator to the host target.
Continue reading

HOWTO: the definitive guide to Debian Etch open-iscsi (take 2)

I guess the fact I’m here writing again on this topic goes for that definitive I put in the title the first time :) So obviously it was not so definitive, and here we are again with a, I hope, better and improved version.
This time we are going to use th backports repository and the Etcn’n’half kernel, cause they provide a better and far more stable support for iSCSI under Debian (Etch).

So, first of all add the backports repository:


echo "deb http://www.backports.org/debian etch-backports main contrib non-free" >> /etc/apt/sources.list

and do some basic stuff:

# aptitude update
# aptitude install debian-backports-keyring
# aptitude update

Now, let’s install the newer 2.6.24 kernel from the Debian Etch’n’half project (note: it’s present in the officila Debian repository, it doesn’t come from the backports.org one)


# aptitude install linux-image-2.6-amd64-etchnhalf # remove amd64 if you're on x86_32

now here, if you are a Broadcom NeteXtreme 2 user (lsmod|grep bnx2), be careful and remember to install these NEW package before rebooting, or you will have an unpleasant surprise


# aptitude install firmware-bnx2

This is due to a change in newer Linux versions

Then reboot, cross your fingers and then install the newer open-iscsi package:

# aptitude install -t etch-backports open-iscsi

Everything should be ok and this time you should have all the config files in the right place, a proper script to mount/unmount iSCSI target devices at boot time and so on…
Anyway, I still prefer the old-school config file, so usually I replace the Debian stock one with something like this:


node.active_cnx = 1
#node.startup = manual
node.startup = automatic
#node.session.auth.username = dima
#node.session.auth.password = aloha
#node.session.timeo.replacement_timeout = 15
node.session.timeo.recovery_timeout = 15
node.session.err_timeo.abort_timeout = 10
node.session.err_timeo.reset_timeout = 30
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Wait = 0
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.MaxConnections = 0
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
node.conn[0].iscsi.MaxRecvDataSegmentLength = 65536

I have highlighted one line because that parameter is used to choose the timeout after which an iSCSI device is considered dead, and thus that path discarded (we’ll talk about paths later).

So, time to discover new devices now:

# /etc/init.d/open-iscsi restart
# iscsiadm -m discovery -t sendtargets -p $SAN_IP_ADDRESS
# /etc/init.d/open-iscsi restart

check out your dmesg output and look for new /dev/sdX devices.
Some partitioning and formatting later, you can edit your fstab with something like this


/dev/sdb1 /mnt/files ext3 defaults,auto,_netdev 0 0

and you should be done!

HOWTO: the definitive guide to Debian Etch open-iscsi (step-by-step)

Ok, maybe this is a little bit arrogant title :) but since I’ve experienced more than a problem/issue when installing iSCSI initiator support in Debian 4.0 Etch, I think that this howto could help people setting up their first open-iscsi in Etch (in which open-iscsi is UTTERLY broken, let me say it loud).

First of all, install open-iscsi

aptitude install open-iscsi

and remove the broken init scripts (they are going to give you lots of headaches when rebooting, if you don’t do this.)

update-rc.d -f open-iscsi remove
Continue reading

HOWTO: Install a basic Gentoo server

If you want to install a new Gentoo server (no graphical system at all), this is the quickest way I’ve found after lots of installations :)

  • First, boot the machine with a live CD
  • create the partitions you want with fdisk/cfdisk/partition tool you like. In our example we create 3 partions (swap, /boot and /) on our disk /dev/sda
  • mkfs.ext2 /dev/sda1
    # mkswap /dev/sda2
    # mkfs.ext3 /dev/sda3
    # mkdir -p /mnt/gentoo && cd /mnt/gentoo
    # wget http://www.gtlib.gatech.edu/pub/gentoo/releases/x86/current/stages/stage3-x86-2007.0.tar.bz2
    # wget http://www.gtlib.gatech.edu/pub/gentoo/snapshots/portage-latest.tar.bz2

    Note: if you are on a different architecture, please use a different release
  • tar xvjpf stage3-*.tar.bz2
    # tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
    # nano -w /mnt/gentoo/etc/make.conf
    # cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
    # mount -t proc none /mnt/gentoo/proc
    # mount -o bind /dev /mnt/gentoo/dev
    # chroot /mnt/gentoo /bin/bash
    # env-update
    # source /etc/profile
    # export PS1="(chroot) $PS1"
    # emerge --sync
    # cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
    # USE="-doc symlink" emerge gentoo-sources
    # emerge genkernel
    # genkernel all --menuconfig
    # nano /etc/fstab
    # nano /etc/conf.d/hostname
    # nano /etc/conf.d/net
    # passwd
    # echo "tts/0" >> /etc/securetty
    # nano /etc/rc.conf
    # nano /etc/conf.d/keymaps
    # nano /etc/conf.d/clock
    # emerge syslog-ng && rc-update add syslog-ng default && emerge vixie-cron && rc-update add vixie-cron default && emerge logrotate && emerge slocate && emerge ntp && rc-update add ntpd default && rc-update add ntp-client default && modules-update
    # emerge gcc
    # emerge world
    # emerge grub
    # nano /boot/grub/grub.conf
    # grep -v rootfs /proc/mounts > /etc/mtab
    # grub-install /dev/sda
    # exit
    # cd
    # umount /mnt/gentoo/boot /mnt/gentoo/dev /mnt/gentoo/proc /mnt/gentoo
    # reboot

NOTES: when it’s indicated “nano $SOMEFILE” it means you have to edit and adjust the settings to your own taste.
When you are creating /etc/localtime, use a source file according to your local timezone
And here it is a basic make.conf configuration:

CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"

USE=”-X -qt -gtk -gnome -kde bash-completion -snmp sockets threads latin1 -berkdb -ipv6 snmp perl”

PORTDIR_OVERLAY=”/usr/local/portage”

HOWTO: Install recent Mysql Community 5.0.x in Debian Etch

EDIT: If you want to upgrade a 5.0.x installation on Etch, forget this howto and use the packages provided by http://www.backports.org which is the official way to do it. You may still use this howto as an inspiration if you plan to install Mysql 5.1.x, until it get backported ;) (although I doubt it will ever be).
Anyway, for the lazy:

  • Add this line to /etc/apt/sources.list

    deb http://www.backports.org/debian etch-backports main contrib non-free
  • Then execute these commands:
    apt-get update
    apt-get -t etch-backports install mysql-server

THIS IS DEPRECATED!!If you install a Debian 4.0 (Etch) system and you do an apt-get install mysql-server you will install an old 5.0.32 version. So, since we know there are a couple of critical bugs fixed in more recient versions (solving for example scalability issues on SMP machines), you may want to install a more recent version from the official Mysql Community web site. This link will let you download a dinamically-linked RPM which needs glibc 2.3, which is the version we have in our Etch system.After the download, install the Alien tool
apt-get install alienand then magically convert the RPM to a DEB package withalien --scripts MySQL-server-5.0.*.glibc23.i386.rpmand in a couple of minutes you will have a new mysql-server_5.0.45-1_i386.deb (for example, the number depends on the Mysql version you have downloaded and the architecture you are using).Now, let’s install the old, default Debian mysql version, with

apt-get install mysql-server
that will install mysqld in the Debian way and create all the things it needs.

WARNING:
Before proceding furthermore, we have to remove the mysql-server-5.0 package with

apt-get remove mysql-server-5.0

This is needed because otherwise when upgrades to this package appear in the official Debian repository, you will be forced to install them (if you’re not using pinning) even if you don’t need them. Why? Because the mysql-server package that we’re replacing in this howto is only a meta-package for mysql-server-5.0 which is in Debian the real package. I’m working on a better solution, I’ll keep you informed.

Now, with the deb we have just generated with Alien, we can update the Debian installation, since they both provide the same package (mysql-server)

Install it with:

dpkg -i --force-overwrite mysql-server_*i386.deb

the –force-overwrite is needed because there are files in conflict between the Debian meta-package mysql-server-5.0 and the deb we are installing right now. This could be solved modifying the manifesto of our debian package telling the system that our deb provides a mysql-server-5.0 installation or, since the original RPM is LSB-compliant, with this force-overwrite option.

Now, let’s stop the mysql daemon just a moment

/etc/init.d/mysql stop

create this symlink (because the RPM init script will look for /etc/my.cnf)

ln -s /etc/mysql/my.cnf /etc/my.cnf

and then let’s start again Mysql

/etc/init.d/mysql start

and that’s all, it should work (at least it worked for me).