Proxy Hosting Blog

We have made a small and dirty bash script which installs and configures OpenVPN on CentOS 5 32bit. The VPN server’s primary (and only) use is for safe browsing i.e. tunneling all your traffic through your VPS. The script also generates your client configuration file along with the necessary keys for authentication.

Requirements

1. CentOS 5 32bit minimal OS template

2. TUN/TAP device enabled on your VPS

3. iptables NAT support

You will have to open a ticket to request a TUN/TAP device to be enabled on your VPS. If you’re not a customer of ours and your host’s support staff doesn’t know how to do this, you may tell them to execute the following commands on the hardware node where your VPS is hosted.

vzctl stop YOUR_VEID
vzctl set YOUR_VEID –devices c:10:200:rw –save
vzctl set YOUR_VEID –capability net_admin:on –save
vzctl start YOUR_VEID
vzctl exec YOUR_VEID “mkdir -p /dev/net; mknod /dev/net/tun c 10 200; chmod 600 /dev/net/tun”
# iptables support
vzctl stop YOUR_VEID
vzctl set YOUR_VEID –iptables ipt_REJECT –iptables ipt_tos –iptables ipt_TOS –iptables ipt_LOG –iptables ip_conntrack –iptables ipt_limit –iptables ipt_multiport –iptables iptable_filter –iptables iptable_mangle –iptables ipt_TCPMSS –iptables ipt_tcpmss –iptables ipt_ttl –iptables ipt_length –iptables ipt_state –iptables iptable_nat –iptables ip_nat_ftp –save
vzctl start YOUR_VEID

Make sure they will replace ‘YOUR_VEID’ with your VPS’s VEID and you will be ready to roll

Login to your VPS as root and execute the following commands

wget http://vpsnoc.com/scripts/install-openvpn.sh
chmod +x install-openvpn.sh
./install-openvpn.sh

You will be prompted to enter values for your server and client certificate, feel free to accept (hit enter) the default values. Its not recommended to setup a password for your server certificate as you will have to type in the password each time you wish to start/restart the openvpn daemon.
You can however set a password for your client’s certificate since it offers extra level of protection in case your certificate and key files are compromised. You will be prompted for that password each time you connect on your VPS’s VPN.

After the script finished installing openvpn (should be very quick) the client keys and the openvpn client configuration file will be archived in /root/keys.tgz
You may use a sftp/scp client such as winscp or filezilla to download the archive on your computer.

If you already haven’t installed openvpn for windows you may do so now.
You may use winrar or 7zip to extract the content of keys.tgz in C:\Program Files\OpenVPN\config\VPN (create a folder named VPN there)
After you have extracted the files from keys.tgz in the above folder, you may start openvpn-gui from the start menu, right click the tray icon, go to VPN and click connect. After the icon turns green all your traffic will be forwarded through your VPS, no extra configuration on your browser/IM client/email client is required.

If you’re facing issues make sure that your computer clock is synchronized, if so make sure that your VPS’s clock is correct as well. If it’s not you will have to ask your host to sync it.

For any other issues and feedback please e-mail us at support@vpsnoc.com

You may use and modify this script however you see fit, provided that you do not edit the original copyright.

#!/bin/bash
# Quick and dirty OpenVPN install script
# Tested on Centos 5.x 32bit, openvz minimal CentOS OS templates
# Please submit feedback and questions at support@vpsnoc.com

# John Malkowski vpsnoc.com 01/04/2010

ip=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= ‘{print $2}’`

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -iv rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rm -rf rpmforge-release-0.3.6-1.el5.rf.i386.rpm

yum -y install openvpn openssl openssl-devel
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
. ../vars
./clean-all
source ./vars

echo -e “\n\n\n\n\n\n\n” | ./build-ca
clear
echo “####################################”
echo “Feel free to accept default values”
echo “Wouldn’t recommend setting a password here”
echo “Then you’d have to type in the password each time openVPN starts/restarts”
echo “####################################”
./build-key-server server
./build-dh
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

clear
echo “####################################”
echo “Feel free to accept default values”
echo “This is your client key, you may set a password here but it’s not required”
echo “####################################”
./build-key client1
cd keys/

client=”
client
remote $ip 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.8.0.1
verb 3″

echo “$client” > $HOSTNAME.ovpn

tar czf keys.tgz ca.crt ca.key client1.crt client1.csr client1.key $HOSTNAME.ovpn
mv keys.tgz /root

opvpn=’
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push “route 10.8.0.0 255.255.255.0″
push “redirect-gateway”
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon’

echo “$opvpn” > /etc/openvpn/openvpn.conf

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sed -i ’s/eth0/venet0/g’ /etc/sysconfig/iptables # dirty vz fix for iptables-save
echo “net.ipv4.ip_forward=1″ >> /etc/sysctl.conf

/etc/init.d/openvpn start
clear

echo “OpenVPN has been installed
Download /root/keys.tgz using winscp or other sftp/scp client such as filezilla
Create a directory named vpn at C:\Program Files\OpenVPN\config\ and untar the content of keys.tgz there
Start openvpn-gui, right click the tray icon go to vpn and click connect

As its name suggests a Proxy Service is a virtual service that hides the actual service. When defining a Proxy Service in the WSO2 ESB you could provide a inSequence, outSequence, faultSequence and a target endpoint (Not all of these are required).

A sequence as its name suggests send the message through a sequence of mediations. Hence users could perform mediation on requests heading into a Proxy Service (using the inSequence) as well as responses it receives (using the outSequence).

When an endpoint is defined in a Proxy Service, messages that are directed to it goes through the inSequence before been sent to the actual endpoint.

Now that we’ve covered a few basic ideas on the terms used in Proxy Services lets go ahead and create one. Its always advisable to declare entities in your configuration as reusable components (Just as you do it in OOP). Hence lets define our sequences and endpoints as reusable entities and use them in the creation of the Proxy Service.

For this example I would be creating a proxy service for the digit2image service which can be found on mooshup.com (The community site of the WSO2 Mashup Server).

1. Lets create our endpoint. An Endpoint can be created by visiting the Endpoints link (Located under Manage).

   There are four distinct kind of endpoints, Please refer the documentation on endpoints for there detail. For this example I will create a simple Address Endpoint.

   
   When creating a address endpoint I simple specify its name and an Address (Having a look at the wsdl of our actual service, I find that the endpoint URL is http://mooshup.com/services/system/digit2image.SOAP12Endpoint/

2. Lets create a sequence. A sequence can be created by visiting the Sequences link (Located under Manage)

   

   When it comes to sequences, you could create complex sequences using one or more of the inbuilt mediators or using your own custom mediators. For simplicity I will be creating a sequence with a simple Log mediator. All it does is log the message to the console.

   

3. Now that we have our reusable components in place its time to create the actual Proxy Service. This can be done by visiting the Proxy Service link (Located Under Add).

   
   This will take you through a 3 step wizard.

   1. In the first step I provide a name for my service. Additionally I could configure several properties on a Proxy Service, for simplicity I will be sticking to the defaults. You could refer the documentation on Proxy Service creation for more details.

      

   2. step 2 asks for an Insiquence and a targetEndpoint. Its mandatory that you have at-least one of these. You could optionally have both as well. In our example lets use the sequence we created in Step 2 (DemoSequence) as the inSequence and the endpoint we created in Step 1 (digit2ImageServiceEndpoint) as our target endpoint.

      

   3. step 3 asks us for an outSequence and a faultSequence, both of which are optional. So lets use the default of none.

      

   Once you’ve done hit finish. Now we have created our new Proxy Service on WSO2 ESB 2.0.

Note : If you want this proxy service to be saved dont forget to go to the synapse link and hit save so that this Proxy will be available when you restart the server.