Backuppc Basic Setup and Configuration on Debian Lenny for Windows and Linux Hosts

Backuppc is an extremely robust and flexible backup solution for your entire network.  Unfortunately, the very complex and flexible nature of Backuppc makes it a very complicated solution to setup and get working correctly.  However, as usual, installing the application on debian is very easy:

sudo aptitude install backuppc

Unfortunately that is only the first step... once it is done installing, it will have you answer some setup questions about setting up the web interface.  It will also generate a password for the web interface that you will need to use to log on.
Once the setup is complete, you can visit the backuppc web interface through http://localhost/backuppc.  One of the errors you may be greeted with is "Error: Unable to connect to BackupPC server".  If that happens, it may be because backuppc is not running, or is attempting to run under the wrong user.  To fix this (in almost every case), you need to change your use to backuppc, and start backuppc again.

su backuppc
/usr/share/backuppc/bin/BackupPC -d

This should start backuppc as a daemon, solving your problem, and allowing you to once again revisit the web interface.
The web interface is laid out (in my opinion) in a slightly confusing way.

The view you will see when you first log on is an overall server status page.  Once you have hosts with backups, there will be some very useful graphs displaying pool storage size.  Good, you have the basic program up and running... now for a little bit of customization.

Changing the Backuppc Pool Directory

By default, all your backups are stored at /var/lib/backuppc.  However, I wish to store my backups on another disk drive that has a lot more storage than my system disk.  To do this we need to create a soft link from the default backup directory to whatever directory you wish to store the backups.  You will notice that we create two directories called "pc" and "cpool". "pc" is where all the files are stored, and those two directories were originally causing permission issues.
Changing the Pool directory:

cd /var/lib/backuppc
sudo rm -r *ln -s /var/lib/backuppc /new_drive/backuppc
sudo mkdir pc cpool
cd ..
sudo chown -R backuppc *

If you have problems, it may be a permissions issue:

sudo chmod -R 777 backuppc

I would recommend not leaving the permissions wide open... just make sure it is a permission error and slowly restrict the permissions until everything works correctly.  Now the backups should redirect directly to your new drive.

Adding Hosts

Now we need to add some hosts for backup.  Select "Edit Config" from the left menu.  Click on the "Hosts" tab.  Here we can add hosts for backup.  I personally have DNS reservations for all of my hosts, so I can add by IP, however if your hosts will have different IP's I would highly recommend checking the DHCP option.  As long as your hosts are registered in DNS backuppc can track them and back them up no matter where they are.  Add the hosts you will be backing up, hit save, and then click on the "Xfer" tab.

Setting Default Xfer Options (for Windows)

Next, we need to set the default transfer settings.  This is mostly a setting for large networks of pc's that are set up the same way, which makes it unnecessary for the admin to configure each pc individually. Click on "Edit Config" on the menu on the left, and select "Xfer" from the top menu.  How you set this up depends entirely on your network setup.  I have two Windows 7 PC's, so I will be setting the default settings for a SMB share.

The above screen shot shows the settings I set for the default.  I chose SMB for the transfer method.  The advantage of using SMB is that it is already built into Windows... which is good from an ease of use scenario, but is not as good from a security standpoint.  For the SMB share name, I added the administrative C$ share, which is the entire C$.  In this instance I also should have set default "Include/Exclude" settings.  This part is not extremely intuitive, and it took me a little while to figure that out.  Shown below is one of my host machines.

To ensure that only the right files are backed up, we need to add first the "SmbShareName" to the "New Key" field, and click "Add".  Once we have added the base share name, we can add the individual paths that we wish to backup.  You will notice above that I told backuppc to backup only the "Users" directory under the C$ share.  So now, instead of backing up the entire OS, backuppc will only backup "C:\Users", which is a much better option. You can obviously add more than one folder.  You can also add folders to exclude, which is a nice option as well. Notice that the "Override" box is checked... that just means that this host differs from the default configuration in this area.

Backing up the Localhost

Backing up the localhost is the easiest of all the pc's to backup (in my opinion).  The easiest way to backup your linux localhost is through "tar".  In the top host drop-drop menu, select "localhost".  Click on "Edit Config" which will enter the host-specific configuration.  Select "tar" and from the "XferMethod" drop-down menu.  Next, we need to select the tar share names that we wish to back up.  Since the localhost is not running a whole lot of services, and is not mission critical, I am only backing up the /var and /etc directories.  Go ahead and save the config and you should be ready to backup your localhost!

Backing up Linux Hosts with Rsyncd

I prefer the rsyncd method for backing up linux hosts.  It does involve installing rsyncd on the linux hosts in question, but it is a rather quick install.

sudo aptitude install rsync

Once that is done installing, we need to setup the configuration file.  On linux, the config file is called rsyncd.conf and is located at /etc/rsyncd.conf.. so

sudo nano /etc/rsyncd.conf

Now we copy the config in: uid = root pid file = /var/run/rsyncd.pid use chroot = no read only = yes transfer logging = true log format = %h %o %f %l %b log file = /var/log/rsyncd.log slp refresh = 900 secrets file = /etc/rsyncd.secrets [backup] path = / comment = backuppctest read only = no auth users = backuppc
Now we need one more file to complete the configuration. The file is called rsyncd.secrets, and is stored in whatever place you specified in rsyncd.conf. The file only contains one line

backuppc:Yourpassword

The format of the file is simple: username:Password. Make sure the username matches exactly what you specified in rsyncd under "auth users", otherwise you will have difficulties.
Next we need to secure the secrets file:

sudo chown root /etc/rsyncd.secrets
sudo chmod 600 /etc/rsyncd.secrets

Next, lets setup the backuppc side... shown below is a screenshot of the configuration.

The "RsyncShareName" is the share name that you specified in the rsyncd.conf file.  The username and password should match exactly what is in the rsyncd.secrets file, and make sure the "RsyncdAuthRequired" is checked.  You will notice in the config I posted above, I was very aggressive and made the share root be root.  That being the case, there are many folders I should exclude from backing up, since they are either temporary folders/files or files/folders I really don't want backed up (i.e. floppy).  As well, be very careful about hard/soft links as those can cause issues.
If you experience problems, there is one configuration issue that you can check on the backuppc server.
When using rsyncd for backuppc you will need the File::RsyncP perl module installed.  It may be installed already, but if not perldoc File::RsyncP, to make sure RsyncP is installed.
As well, the log file on the client machine is a great help as well, located at /var/log/rsyncd.log.

Restoring Files, Logging and Information

Well, you now have a local backup solution for all your PC's.  Now you can use backuppc's powerful logging and reporting functions to view the status of all your backups.  As well, you can easily browse your backups and restore files if needed.  To browse backups, just select your host, and in the left menu will be an option to  "Browse Backups".  Select this to browse and restore backups.

Congratulations on completing the basic Backuppc setup.  Hopefully in a later post more advanced topics can be covered. 

Udev "Error" in Debian Sid, Kernel Upgrade difficulties

So I have been hesitant for some time now to upgrade by Debian Lenny box, due to some upgrade errors I encountered in the past due to dependency conflicts.  (I have now switched to aptitude, which seems to do much better).  However, it was finally time.. I had several hundred updates to run, so it was time.  When I ran this installer, I received the following error:

Preparing to replace udev 0.125-7+lenny3 (using .../archives/udev_151-3_i386.deb) ... Since release 150, udev requires that support for the CONFIG_SYSFS_DEPRECATED feature is disabled in the running kernel. Please upgrade your kernel before or while upgrading udev. AT YOUR OWN RISK, you can force the installation of this version of udev WHICH DOES NOT WORK WITH YOUR RUNNING KERNEL AND WILL BREAK YOUR SYSTEM AT THE NEXT REBOOT by creating the /etc/udev/kernel-upgrade file. There is always a safer way to upgrade, do not try this unless you understand what you are doing! dpkg: error processing /var/cache/apt/archives/udev_151-3_i386.deb (--unpack) subprocess new pre-installation script returned error exit status 1

Manually Upgrade the Kernel

So, it was time to upgrade my kernel manually.. no way around it.  I downloaded the latest kernel for Sid (2.6.32-3-686 at the time of running) and manually installed, which I've never done (not too difficult, or so I thought)....

I then needed to reboot after the kernel installed, so that changes could be made.  I waited patiently on reboot for my server to come back on-line.... it never did.  I went over and hooked up a screen to my server, and noticed that GRUB had errored out.

Fix Grub

I noticed that the problem must be that for root it was looking at (hd0,1) and root=/dev/hdb1 (not possible).
So after changing (hd0,1) to (hd0,0) and root=/dev/hdb1 to root=/dev/hda1.  I'm not entirely sure why, however, if you do run into this issue, I would recommend that before you reboot, run this command:

 sudo update-grub

Generating grub.cfg ...
Found background image: moreblue-orbit-grub.png
Found linux image: /boot/vmlinuz-2.6.32-3-686
Found initrd image: /boot/initrd.img-2.6.32-3-686
Found linux image: /boot/vmlinuz-2.6.26-2-686
Found initrd image: /boot/initrd.img-2.6.26-2-686
done

This may fix your problem.  If you need to, you may manually edit your grub file to make sure it is correct.

 sudo nano /boot/grub/menu.lst

Haven't had a problem since!

Happy upgrading!

Jinzora 3 Tutorial - Setup and Configuration on Linux

Prerequisites:
Jinzora requires the following programs:
A web server, I recommend Apache2
PHP (PHP 5 is the latest).
MySQL (or some other version of a database) - Free and easy to download and setup.


Obtaining the files:

Download the lastest Jinzora3 at http://github.com/jinzora/jinzora3
untar the file to the directory you wish to install it in.. /var/www/ for instance

tar -zxvf jinzora*

Rename the folder as you desire.. since I have a jinzora2 installation I name mine Jinzora3.

sudo mv jinzora* jinzora3

I change the permissions and ownership of jinzora

sudo chown -R www-data jinzora3

If you want to make things easier run the command below...sometimes causes permission issues!

sudo chmod -R 700 jinzora3 **

Or, if you want...

sudo chmod -R 755 jinzora3 **

I would recommend locking this down further than 755..... not nearly as safe!

Web Based Installer

Visit jinzora3 in your browser: http://localhost/jinzora3.  You should see the below page

Choose your language and select "Proceed to Requirements"

Here Jinzora will check your computer for requirements.. you may need to change permissions, just change the permissions for each of the files/folders listed, and recheck requirements, you shouldn't have any difficulty with that.

PDF support is used for album art, and is not required.
 Your default PHP installation will most likely not meet requirements... you will need to edit your php.ini file to meet these requirements (just searching for those terms (such as "memory_limit" and "max_execution_time") should find the setting in the php.ini file).
Locate php.ini (mine is located at /etc/php5/apache2/php.ini) and make the necessary changes.

Once you are all set.. "Proceed to License". Accept...

For Installation type, choose defaults unless you know what you are doing. Main settings is a very important section:

Choose your username and password for the admin account Choose the default access that non-authenticated users have - tooltips explain the options. Choose your front-end...there is a small thumbnail to assist you... Import settings are also very important, and depend on your media. My media is all organized into folders, so I choose "Filesystem" for the data structure, and I dont read the tag data, since I don't necesarrily keep that updated. The Media layout is another setting that needs to be carefully configured. The default is Genre which means the folder structure is "Genre/Artist/Album/Songs". I am not that detailed, I have mine laid out as "Artist/Album/Songs".  After you have that all set up, continue to "Backend Setup".

Setup database, this is quite self-explanatory, it is just for setting up the MySQL backend for Jinzora.

Next, you will need to import your media.  Using the web-based file browser select the directory to import music from.  Depending on what you selected before, and how much music you have, this may take some time.  After that, proceed to "Save Config" and then launch Jinzora.  Once you launch Jinzora, you will be greeted with the following error message:

 Remove /var/www/jinzora3/install (if that is your directory)

 sudo rm -r /var/www/jinzora3/install

You will now be able to log onto Jinzora3 by visiting http://localhost/jinzora3 (or whatever IP and naming scheme you used).

After Install Setup

If you immediately receive a long amount of errors when you log on that are PHP errors you need to change to following line in your php.ini (if you can...it is useful for debugging)

display_errors = on TO display_errors = off

And.. technically that is it.  The interface should be easy to navigate.  You can start building playlists, or play a random selection of songs.  When you select "Play"  your browser will download (by default) a m3u playlist file... just open the file in your player of choice and you should be good to go!
There are, however, a few troubles you may run into.  Jinzora is able to convert different file types on the fly.. however, this option usually needs to be setup correctly to do this.  To set this up, we need to edit the settings.php file, which  is located in the root folder. (We can also edit this from the Jinzora interface... however I find the interface to be rather clunkly... however, if you wish to do so, click on the little hammer icon "Admin Tools" then  to system tools -- settings manager -- main settings -- resampling). Lets go ahead and open the file:

nano /var/www/jinzora3/settings.php

There are a few settings we need to check to make sure they are set correctly.

$allow_resample = "false";  -- Change from false to true
$path_to_flac = "/usr/local/bin/flac"; --change to /usr/bin/flac
(on my distro at least, try "whereis flac" to locate flac on your distro)
$path_to_faad = "c:pubfaad";  --change to   $path_to_faad = "/usr/bin/faad";   (again, double check)
$path_to_mplayer = "/usr/bin/mplayer"; --change to $path_to_mplayer = "/usr/bin/faad";
$mplayer_opts = "-ao pcm -aofile /dev/stdout";  --change to $mplayer_opts = "-f 1 -o /dev/stdout";
$always_resample = "flac|mpc|wv|wav|shn|m4a|ape|ofr|ogg|wma|m4a"; --add m4a if you need to

As a person preference I like to add:

$allow send email = true

You should be all set up for resampling! For grins, here is a chunk of my settings.php

$allow_resample = "true";      $force_resample = "false";     $default_resample = "32";     $resampleRates = "192|128|112|96|64|48|32";     $path_to_lame = "/usr/local/bin/lame";     $path_to_flac = "/usr/bin/flac";     $path_to_mpc = "/usr/local/bin/mppdec";     $path_to_wavunpack = "/usr/local/bin/wvunpack";     $path_to_oggdec = "/usr/local/bin/oggdec";     $path_to_oggenc = "/usr/local/bin/oggenc";     $path_to_mpcenc = "/usr/local/bin/mppenc";     $path_to_wavpack = "/usr/local/bin/wavpack";     $path_to_wmadec = "c:pubwmadec";     $path_to_faad = "/usr/bin/faad";      $path_to_shn = "/usr/local/bin/shorten";     $path_to_ofr = "/usr/local/bin/ofr";     $path_to_macpipe = "/usr/local/bin/macpipe";     $path_to_mplayer = "/usr/bin/faad";      $mplayer_opts = "-f 1 -o /dev/stdout";     $lame_cmd = "/usr/local/bin/lame -S --silent --quiet -m j -b ";     $lame_opts = "/usr/local/bin/lame -b 32 -f -m m";     $always_resample = "flac|mpc|wv|wav|shn|m4a|ape|ofr|ogg|wma|m4a";     $always_resample_rate = "128";     $allow_resample_downloads = "true";     $resample_cache_size = "100";     $no_resample_subnets = "(192.168..*..*)|(127..*..*..*)";     $multiple_download_mode = "zip";     $single_download_mode = "raw";     $allow_send_email = "true";     $email_from_address = "user@jinzora.org";     $email_from_name = "Jinzora";     $email_server = "server";     $jukebox = "false";     $jukebox_display = "default";     $jukebox_default_addtype = "current";     $default_jukebox = "stream";     $jb_volumes = "100|90|80|70|60|50|40|30|20|10|0"; $allow send email = true

Playing Music in the Web Browser

Next, we can setup your in-browser player.  Once again, that can be changed from the web interface.  Go to Admin Tools -- system tools -- settings manager -- main settings -- playlist, and at the bottom there is a setting for "embedded_player".  This can be set to many different kinds of players... the official list of players listed for jinzora is:

• Apple Quicktime (qt)
• JW MP3 Player (jwmp3)
• XSPF Web Music Player (xspf)
• Wimpy MP3 Player (wimpy)
• Wimpy AV Player (wimpyav)
• Windows Media Player (wmp)
• Windows Media Player Mobile(wmmobile)

A player I really enjoy is xspf.  Just enter xspf into the embedded player field, and next time you play a song, the player will open up start playing the file.

For mobile phone integration, there is a free app for Jinzora3 on the android operating system for playing your tunes on the go!

That finishes the basic overview of how to get Jinzora3 up and running... enjoy your music anywhere you go!

Using Ketarin to Automatically Update Software Packages

Program Overview

After using Debian, it quickly becomes frustrating switching to Windows... especially when you want to easily and quickly check and update all of your software packages.  There are several programs that allow some similar functionality, such as AppSnap and AppUpdater, but I find that Ketarin has the most features and offers the most flexibility and customization.

When you first launch Ketarin, you will not have any applications in your window, and as a first step we will quickly add an application from an online database.

Adding Applications - the Easy Way

Click on the arrow for "Add new application" and from the drop down menu select "Import from online database".  Next you just need to search for the application you need, select it and hit "Import".  The application will automatically be added to your list.
Next, we need to configure the application so that it automatically downloads to the correct directory.  To do this, we need to understand Ketarin variables.  Below is a list of common variables from the Ketarin Howto, found here.

Name	Content	Example
{file}	Location of the downloaded file (only for commands) Remember to enclose this variable in double quotes (”) if the path contains spaces.	c:\…\x.exe
{filesize}	Size of the downloaded file in bytes	1482245
{root}	Root of the application startup path	c:\
{category}	Category of the application	Security
{appname}	Name of the application	Ketarin
{appguid}	GUID of the application	{AC1DB…}
{url:ext}	Extension of the file that is being downloaded	exe
{url:basefile}	Base file name of the file that is being downloaded	Ketarin-0.9

Now, we can use the variables to create a download path and name for our application, so we can copy and paste the line into every single application we download.  Let us take a look at a sample application shown below.

We can see the application we are downloading is the ffdshow codec, and that we are downloading it into the Media category.  Using the variables we can see that we are downloading the file to C:\Apps\Media\ffdshowx64.exe.  

Adding Applications From FileHippo

You will notice that there is an option for "FileHippo ID".  This is another excellent option for downloading programs.  Just search for a program on filehippo, and use the last part of the URL (after download) as the ID.  For example, for Trillian Astra, the FileHippo URL is http://filehippo.com/download_trillian_astra/. The FileHippo ID would be "trillian_astra".  These two options are the easy options for step one for obtaining the most updated program files from the internet.

Installing Applications Automatically

The second step can be found in the "Commands" section.  There is an option for Ketarin to run commands before or after downloading the application.  In this instance, since we want to install the application after it is downloaded, we need to get the application to install silently after download.  This is actually the tricky part.  It can be a challenge to discover what switches are needed to make sure the application installs silently.  Unfortunately, some applications do not even offer the option of installing silently, and those will have to be installed manually.

Above is show the command we are executing after ffdshowx64 to get it to install correctly.  Using the Ketarin variable {file}, we do not have to enter the entire path manually, which is a very nice feature.  Some of the common silent install switches are: /s /S /q (/q is for msi files mostly) /SILENT /VERYSILENT /quiet.

You can also run the installer with the /? switch, and sometimes it will tell you the silent install option.  If all else fails, Google it.

 Installing Applications - the Hard Way

Unfortunately, you will run into applications that require a little bit more work to download easily.  While filehippo has a good amount of files, it will certainly not have all of the files you may need.  This is where things get tricky.   You will need to specify where to download the file, and (even more difficult) tell the program how to determine what the filename will be.  Lets take a look at an example, namely Virtualdub x64.  Virtualdub is available for download from Sourceforge, which is a tricky site to use.  First, we need to determine what the latest version of Virtualdub is.  To do so, the author's website becomes quite helpful.

http://virtualdub.org.  The current version is easily noticed.  Now we need to tell Ketarin to use that number to dynamically update the version number.

To do this, we need load the page in and select a variable, but before we can do that we need to specify a download location, which is where we use our sourceforge link:

http://prdownloads.sourceforge.net/virtualdub/VirtualDub-{version}-AMD64.zip?download

This is what the regular download page looks like on sourceforge:

However, you will notice the download link is different, the download URL is different from the page download process, so our download URL becomes: http://prdownloads.sourceforge.net/virtualdub/VirtualDub-{version}-AMD64.zip?download

Now, of course we need to specify a value for the {version} variable.  For that we click on the variable button, which loads the following screen:

First, click on the plus button to add a variable, and name it version.  Then add http://www.virtualdub.org to the "Contents from URL:" field, and hit load.  Next search for your version number inside of the page.  You should easily find it.  Next, select the part of the line before it.. how much you select is up to you, and select "Use selection as start".  Do the same for the part of the line after the version number.  I assume Ketarin uses the start and end selections to make sure it has the correct version number, so choose carefully.  If you program has a particularly tricky version number, you can specify multiple variables. 

There!  You added one program using the advanced method.  Many of these programs will present a new challenge as they will all be different, but using these tools, you should be able to figure out how to extract the necessary information.

Now, to update all of your applications, all that is needed is to select "Check for updates and download" from the Ketarin Menu,

and all of your applications should automatically download, and install themselves in the background, without ever bothering you.

As well, if you are really a fanatic you can schedule a task to run with the following command:

 C:\Apps\Ketarin\Ketarin.exe /silent /notify /log=C:\Users\Administrator\Desktop\SoftwareUpdates.log

This will cause Ketarin to run silently in the background updating, so you never even have to think about it.

The one drawback to Ketarin is that sometimes when you silently install applications, they can fail for whatever reason, and you will not be notified, and if the program continuously fails, you will NEVER know that your application is out of date.

Ketarin is a powerful program, and a program that saves you a large amount of time downloading and installing your applications.  I suggest you use it.

Tutorial on how to Setup an Openvpn Server on Debian, with a Windows Client

Installation

First, we need to quickly install openvpn on our debian server.

aptitude install openvpn

 Next we need to locate our easy-rsa folder, on debian it is located at /usr/share/doc/openvpn/examples/easy-rsa
If you are having trouble finding it, try the following:

updatedb

locate easy-rsa

Once we find the folder, we need to copy it to /etc/openvpn:

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

cd /etc/openvpn/easy-rsa/2.0

Editing the vars (variables) file

Now we need to edit some variables, to make things easier for us.

sudo nano vars

Once you open up the file vars, you should see the something like the following at the bottom:
 export KEY_COUNTRY="US"  export KEY_PROVINCE="CA"  export KEY_CITY="SanDiego"  export KEY_ORG="OpenVPN"  export KEY_EMAIL="myemail@mydomain.com"
 Change those values to reflect your values.
Now we need to build the certificate authority, so in the /etc/openvpn/easy-rsa/2.0 directory run the following commands:

. ./vars

(dot space ./vars)

./clean-all  ./build-ca

This should build the certificate authority (CA) certificate
 Many of the values should be autopopulated since we filled out the information. The one value you may need to fill is the Common Name. Enter the name of your server for the value.

Building the Server and Client Keys

Next we need to generate the server key:

build-key-server server

Next, we need to setup some keys for the clients, so that they can connect to the server. You have two choices for setting up clients. You can require the clients to enter a password to connect, or just generate the key files needed to connect. In this example we will be generating the files without password. If you wish to use a password, replace ./build-key with ./build-key-pass.

./build-key client1

 Again, it will ask you for a client name, enter the name of the client. When it asks for a challenge password just leave it black and press enter.

Next we need to generate Diffie Hellman paramaters.

./build-dh

This command may take a while to complete. Once the command completes, you should be able to navigate to /etc/openvpn/easy-rsa/keys/ and the files you generated should be located within.

Placing the Server Keys and Creating Server Config

Next, we need to copy the keys that are needed for the OpenVPN server into the correct folder:

cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

 Obviously, whatever the name will reflect whatever you entered originally. Next, navigate to /etc/openvpn, to edit the configuration file.

sudo nano openvpn.conf

This is an example configuration, very basic, change the names of the .crt and .key files to the ones you made, and you should be all set. As well, I added the client-to-client line because I want my clients to be able to talk to eachother.
NOTE:  You may want to change the "server" line from 172.17.0.0 to something that won't possibly cause routing issues depending on your (and remote) network setups.  This won't happen in every use case, but it can come into play.  Something like "172.17.2.0" may work.
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh1024.pem server 172.17.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo user nobody group users persist-key persist-tun status openvpn-status.log verb 3 client-to-client
Next, lets start OpenVPN:

/etc/init.d/openvpn start

You can ping yourself as a quick test to see if you are up and running.

$ ping 172.17.0.1
 PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
 64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.041 ms 64 bytes from 172.17.0.1: icmp_seq=2 ttl=64 time=0.030 ms

Client Configuration

Next, we need to configure the clients.  In this example, I am using two windows clients to connect to the server.
I like the gui for OpenVpn, available here: http://openvpn.se.  (See below for Windows 7 fix). Once you install it, navigate to  C:\Program Files\OpenVPN\config.  Now, you need to copy the following files to our config folder from our server:
client.crt
client.key
ca.crt

Next, we need to create a client configuration file to use.  For windows, the client configurations all end with .ovpn.  So lets create a file called config.ovpn, and use the following:
client dev tun proto udp remote remote-ip-address 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client.crt key client.key comp-lzo verb 3
You will need to change the name of your .key and .crt files, and your remote IP address as well.  Obviously, if you are connecting remotely, you can enter a domain name as well.

Once you connect, you should now be able to easily ping the Openvpn server.  If not you may need to check your firewall to make sure everything is working.  Don't forget to port forward the correct port to your OpenVPN server, or you will not be able to access your server from outside of your network.

If you need clients to be able to talk to eachother, you may need to execute the following command on your linux box.

echo 1 > /proc/sys/net/ipv4/ip_forward

Windows Client Options

Currently, setup on Windows 7 requires a little bit more setup than other versions of windows.  First, download the latest release client, from http://openvpn.net/release/, and run the program in compatibility mode for Windows Vista Service Pack 1, and run as administrator.  This will give the program the permissions it needs.

Another option is securepoint client at http://sourceforge.net/projects/securepoint/.  I have run it successfully on Windows 7 without any issues.

If you encounter problems, remember to turn off any firewalls that may be in the way.

Connecting to Internal Resources

This is a rather important point, that should have been here from the beginning (my bad).  This setup allows you to connect to the internal device that you have openvpn setup on.  Look at the picture below:

If your OpenVPN client needs to connect to your other server or desktop on your LAN, it has no way to do so!  If you attempt to ping 192.168.1.105 from your remote OpenVPN client, you will not get a response, or if you do, it will be the local network, not the remote network.  This requires further setup.  

Server Setup for Internal Access

You will need to push a route to your client.  To do so add the following line to your server conf file:

push "route 192.168.1.0 255.255.255.0"

Now when the OpenVPN client connects, it will know that to access the 192.168.1.0 network it needs to forward the traffic through the VPN connection.

Router Setup for Internal Access

However, when you attempt to ping 192.168.1.105, you will still not be able to ping (or RDP, or w/e protocol you want to test if ping is disabled).  This is because the router (192.168.1.1) still does not know the route back to the 172.17.0.0 network.  In dd-wrt it is simple to add the network route.

Now when you attempt to connect to an internal resource it should work correctly.

Logging

If you experience problems and need to troubleshoot the server, openvpn logging is pushed to syslog, but if you want the log file separate, you can add the following line to your server conf file:  "log openvpn.log" or "log-append openvpn.log".  This will output the OpenVPN log separately instead of adding it to syslog.

Web Management of OpenVPN

I need programmers :D.  I am attempting to create a web interface to simplify OpenVPN installation and management at github:  https://github.com/deranjer/OpenVPN-PHP-Management-Gui.  I am really busy with school and work so only have it working in beta (not to be run on production servers).  But if you know PHP at all (I am barely able to code in PHP so this won't be too complex) I would love to have help on this. 

Conclusion

I will try and keep this blog post updated and post answers or solutions to common issues with OpenVPN configuration and management.

Howto Tutorial on setting up Apache2, Php5, Mysql 5.0, phpmyadmin 4 on Debian Lenny (Squeeze Repos)

Recently, I had to rebuild my debian server, and decided to cover (in more depth this time) setting up several essential web server services.  I enabled the squeeze repositories, (I need them for the deluge torrent server setup).  The first thing we need to do is install apache2.


Apache2 Setup and Basic Configure

sudo aptitude install apache2

This should automatically set up and configure apache2 for you. It should also start the apache2 service at the end of installation. If not, here are some useful commands for apache2:
sudo /etc/init.d/apache2 [stop | start] - Starts or Stops the apache2 server.
sudo /etc/init.d/apache2 [restart | reload] - Restarts the apache2 server, or reloads the apache2 configuration files. Many times, all you will need to do is reload the configuration files and not restart apache2 entirely to apply changes.
Note:  When you install apache2, it creates a new user named "www-data".  This is the user that apache2 uses.  By default, the document root for apache web server is /var/www/
To test your configuration, type http://localhost or IP address if you are configuring remotely, and it should say "It works!".
Many of the configuration options can be changed by editing the apache2.conf file.

sudo nano /etc/apache2/apache2.conf

As well, many user configurations can be written to the httpd.conf file located in /etc/apache2/ folder along with apache2.conf
If for some reason apache2 is not working, you can ensure it is running by using the following command:

ps aux | grep apache2

This should list at least a few instances of apache2 running.
As well, if you want to change site specific settings, you can edit your default site file:

sudo nano /etc/apache2/sites-enabled/000-default

Next we will be covering PHP5, and how to integrate that into apache2.

PHP5 Installation and Integration with Apache2


Installing php5 is quite simple:

sudo aptitude install php5

Installing php5 should automatically link it with apache2 correctly. However to ensure that it is installed correctly, or if you encounter problems, you can check the following.

sudo nano /etc/apache2/apache2.conf

Around line 115, you should see the following lines:

Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

Make sure these lines are correct, and not commented out. This ensures that apache2 loads all of the enabled mods. Now if we want we can check to see which mods we have in our enabled folder.

ls -la /etc/apache2/mods-enabled

Notice that the mods-enabled are all links to .conf and .load files in the mods-available folder.
If you want to enable a mod there is an easy way to do that in debian:

a2enmod

This should bring up a large list of modules you can choose from to install, so just type the module you wish to install and apache should install it.
Next, you will notice that apache2 will not server .php file extensions by default, when there is a index.html file in the folder.  This is caused by a specific mod that is enabled with apache2 by default when installed.  The mod mod_dir controls what extensions and names are served first.  To change this we use the following command:

sudo nano /etc/apache2/mods-enabled/dir.conf

You should see the following line:

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm

Change this line to suit your needs and you should be all set to go. Now, to test you php installation, you can create a simple php page and load it in the web browser. It should display a large amount of information about you php installation.
?php // Show all information, defaults to INFO_ALL phpinfo(); // Show just the module information. // phpinfo(8) yields identical results. phpinfo(INFO_MODULES); ?>

If the page loads successfully without errors, you should have php5 installed correctly.

Mysql 5.0 Server Installation and Configuration

sudo aptitude install mysql-server mysql-client

Follow the command prompts to set up an administrator password and you should be all set, mysql server 5.0 should be installed. To test the installation, log onto mysql:

mysql -u root -p

Enter your password and you should be logged into your mysql server. If you are good at mysql that might be all you need to get things done. However for those that need a little more help, we will install phpmyadmin.

Phpmyadmin Install and Configuration


Phpmyadmin is a very powerful tool for managing your mysql installation. Installing has to be done after you install your webserver, as phpmyadmin will automatically set itself up.

sudo aptitude install phpmyadmin

I am installing version (4:2.11.8.1-5+lenny3). As the package installs, it will prompt you to select the web server you have installed. Select apache2, and you should be all set. To access phpmyadmin, you should be able to navigate to http://localhost/phpmyadmin, and once you log in you should be able to manipulate mysql from your web browser.