And finally …. i pay for the premium hosting account.

No more force redirect like the free hosting …  ;)

deny_file={*.mp3,*.avi}

If we put the option in vsftpd.conf, it will be applied to all vsftpd users.  In virtual users configuration, we can put the option in specific user configuration file, so only selected user will be affected by the configuration.

In this section, we will discuss the client side of OpenVPN site-to-site configuration. At the client side, I use pfSense as the firewall, webproxy, and VPN gateway to connect to the HO through site-to-site VPN with OpenVPN server. pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. pfSense is a powerful, flexible firewalling and routing platform, and easy to configure. You can download pfSense from pfsense.org.

In this configuration, there are two network interface card use in the pfSense. One network interface is connected to the internet, and the other network interface is connected to the LAN and used as the default gateway for the LAN.

Here are the steps to configure pfSense as an OpenVPN client and perform as a VPN gateway:

Go to VPN menu and click on OpenVPN.

In the OpenVPN page, click on Client tab.

To add a new VPN client tunnel configuration, click on + button in the OpenVPN client page, the in the OpenVPN client edit page fill in the requested fields.

In the server address field, fill in the public ip address of the OpenVPN server.

In the server port field, fill in the same port as use in the OpenVPN server.

In the cryptography field, fill in the same cryptography algorithm used in the OpenVPN server.

Before we can fill in the CA certificate field, client certificate field and client key field, we need to export the files from OpenVPN server. In the OpenVPN server, go to Server -> OpenVPN +CA, click on VPN List. In the VPN Server list page, click on Client List of the VPN Server. In the client list click the export link of the selected the client.

When we export the vpn client configuration files, we will get one zip file with several files inside it. For example, for client named site-1, we will have site-1.zip file. The content of the site-1.zip file are as follow.

To fill in the CA certificate field, open the ca.crt file with text editor then copy the content and paste it in the CA certificate field. To fill in the Client certificate field, open the site-1.crt file with text editor then copy the content and paste it in the Client certificate field. To fill in the Client key certificate field, open the site-1.key file with text editor then copy the content and paste it in the Client key field. When finish with the requested field, click Save.

The VPN client tunnel configuration will look like picture below.

In order for the VPN client to have DNS information from internal DNS server in HO, we need to configure the DNS forwarder service and specify an authoritative dns server to be queried for internal domain/zone. To configure the DNS forwarder service, go to Services menu and click on DNS forwarder.

In the Services: DNS forwarder page, put a check mark on Enable DNS forwarder. Then click on + button on the Domain to override.

In the Services: DNS forwarder: Edit Domain Override, fill in the domain name and the ip address of the DNS server in the HO then click Save.

With all the configuration have been set up, the OpenVPN client in the pfSense will start to connect to the OpenVPN server and established the VPN tunnel. When the VPN tunnel established, all client in site-1 behind the pfSense can access resources in HO that are allowed for them.

Here are the steps to setup time synchronization on HP Procurve 2910 series, 2520 series and 5400 series switches:

ProCurve(config)# timesync sntp
ProCurve(config)# sntp unicast
ProCurve(config)# sntp server priority 1 10.123.123.123 3
ProCurve(config)# time timezone 420

The “time sync sntp” command instruct the switch to use SNTP as the time synchronization method. The “sntp unicast” directs the switch to poll a specific server for SNTP time synchronization. We can configure up to three server. The “priority” specifies the order in which the configured servers are polled for getting the time. The server “version” specifies the SNTP software version to use. The version setting is backwards-compatible. For example, using version 3 means that the switch accepts versions 1 through 3. The “time timezone 420” specifies 420 minutes after GMT or the timezone of GMT+7.

For HP Procurve 2610 series switches, the command is a little bit different. There is no server priority setting.

ProCurve(config)# timesync sntp
ProCurve(config)# sntp unicast
ProCurve(config)# sntp server 10.123.123.123 3
ProCurve(config)# time timezone 420

1. Create Certification Authority
To create the Certification Authority, go to Server -> OpenVPN + CA, click on Certification Authority List.

In the New Certification Authority form page, fill in the fields with the required informations and click Save.

The system will generate required parameters, ca.key and ca.crt for the Certification Authority.


When finished, the Certificate Authority name will be displayed in the Certification Authority List.

2. Create Key for server
To create the Server key, go to Server -> OpenVPN + CA, click on the Certication Authority List, then click on Keys list.

In the New key to Certification Authority: alambil-ca form page, fill in the required fields, make sure to choose “server” for the Key Server type and don’t put any password in the key password field. Click Save when finished.

The system will generate the server key.

3. Create New VPN server and configure the server
We will use the Certification Authority to create the VPN Server. Go to Servers -> OpenVPN + CA, click on VPN List, then click on the New VPN server.

In the New VPN Server form page, fill in the required fields.

The port use in the VPN server should be allowed access in the firewall.
In the NetIP assign, allocate a network address range that will be used for the TUN interface of the VPN server and for the connecting clients. Make sure that this network range is routable in the LAN.
In the vpn server configuration, we put additional configuration:

route 10.22.1.0 255.255.255.0
route 10.22.2.0 255.255.255.0
route 10.22.3.0 255.255.255.0
push "route 10.180.0.0 255.255.252.0"
push "route 10.22.1.0 255.255.255.0"
push "route 10.22.2.0 255.255.255.0"
push "route 10.22.3.0 255.255.255.0"
push "dhcp-option DNS 10.180.3.12"
client-to-client

The route entries are added on the server to adjust the server local routing table, telling it to route those networks over the vpn. The push routes are added on the clients connecting, telling them to route those networks over the vpn connection. The push dhcp-option are added on the clients connecting, so that they can use the specified private DNS server. The client-to-client are added so that client can connect to other client over the vpn connection.

4. Create client Key and VPN client account for each client
We need to create client Key and VPN client account for each client that will use VPN connection. To create the client key, go to Servers -> OpenVPN + CA, click on the Certication Authority List, then click on Keys list.
In the New key to Certification Authority: alambil-ca form page, fill in the required fields, make sure to choose “client” for the Key Server type. Click Save when finished.

The system will generate the client key.

To create the OpenVPN client account for the client key, go to Server -> OpenVPN +CA, click on VPN List. In the VPN Server list page, client on Client List of the VPN Server.

Then click on New VPN Client button.

In the New VPN Client form page, fill in the required fields.

In the remote IP field, fill in with the public IP of the VPN server. Make sure that the port is opened in the firewall.
In the ccd file content field for client site-1, we put:

iroute  10.22.1.0  255.255.255.0

The iroute entry is useful for site-to-site VPN. The iroute entry tells the openvpn server that client site-1 is responsible for or the owner of the network 10.22.1.0/24. When creating VPN client for mobile user, there is no need to add the iroute entry.

5. Enable IP forwarding on the server
To enable IP forwarding on the server, in the webmin, go to Networking -> Network Configuration, then click on Routing and Gateways.

Make sure to choose Yes on the Act as router, then in the network configuration page, click Apply Configuration button.

You can also use the shell command to enable ip forwarding:

# echo 1 >> /proc/sys/net/ipv4/ip_forward

To check if the configuration have been applied correctly, use cat to display the value. It should be 1.

# cat /proc/sys/net/ipv4/ip_forward

6. Configure the firewall
In the firewall, we should configure:
- NAT policies to associate public IP and private IP used by the OpenVPN server
- Access rule from the Internet to the public IP of the OpenVPN server on port 1194
- Access rule from DMZ to LAN for VPN client to access resources on the LAN
- Access rule from LAN to DMZ for computers on the LAN that need access to the VPN client
If needed, we can also enable firewall/iptables on the Linux server. If we do it, then we need to put access rule for the VPN client to access resources outside the OpenVPN server and vice versa.

In the next section, we will discuss about the client side of  OpenVPN configuration.

[root@alambil ~]# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
[root@alambil ~]# rpm -Uvh rpmforge-release-0.5.2-2.el5.rf.i386.rpm

Then I use yum to install OpenVPN packages.

[root@alambil ~]# yum install openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: apt.sw.be
 * base: mirror.nus.edu.sg
 * updates: mirror.nus.edu.sg
 * addons: mirror.nus.edu.sg
 * extras: mirror.nus.edu.sg
rpmforge                                                 | 1.1 kB     00:00
primary.xml.gz                                           | 2.3 MB     00:23
rpmforge                                                       10740/10740
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package openvpn.i386 0:2.1.4-2.el5.rf set to be updated
--> Processing Dependency: liblzo2.so.2 for package: openvpn
--> Processing Dependency: lzo for package: openvpn
--> Processing Dependency: libpkcs11-helper.so.1 for package: openvpn
--> Running transaction check
---> Package lzo.i386 0:2.04-1.el5.rf set to be updated
---> Package pkcs11-helper.i386 0:1.08-1.el5.rf set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package              Arch        Version                 Repository       Size
================================================================================
Installing:
 openvpn              i386        2.1.4-2.el5.rf          rpmforge        443 k
Installing for dependencies:
 lzo                  i386        2.04-1.el5.rf           rpmforge        131 k
 pkcs11-helper        i386        1.08-1.el5.rf           rpmforge        128 k
Transaction Summary
================================================================================
Install      3 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 701 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): pkcs11-helper-1.08-1.el5.rf.i386.rpm              | 128 kB     00:01
(2/3): lzo-2.04-1.el5.rf.i386.rpm                        | 131 kB     00:02
(3/3): openvpn-2.1.4-2.el5.rf.i386.rpm                   | 443 kB     00:06
--------------------------------------------------------------------------------
Total                                            40 kB/s | 701 kB     00:17
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : pkcs11-helper                                     [1/3]
  Installing     : lzo                                               [2/3]
  Installing     : openvpn                                           [3/3]
Installed: openvpn.i386 0:2.1.4-2.el5.rf
Dependency Installed: lzo.i386 0:2.04-1.el5.rf pkcs11-helper.i386 0:1.08-1.el5.rf
Complete!
[root@alambil ~]#

The next step is to download and install webmin. We can get webmin source from http://www.webmin.com/download.html and then install it.

[root@alambil ~]# rpm -Uvh webmin-1.550-1.noarch.rpm

Default Webmin package do not contain module to administer OpenVPN. I need to download a Webmin OpenVPN Admin module and add it to my Webmin installation.
I get Webmin OpenVPN Admin module from http://www.webmin.com/cgi-bin/search_third.cgi?search=openvpn Download openvpn-2.5.wbm.gz file and extract it.

[root@alambil ~]# gunzip openvpn-2.5.wbm.gz

To add this module to the webmin installation, we need to log on to Webmin.
Using the browser, go to the servers ip and port 10000: https://10.180.1.10:10000. After succesfully logon, go to menu Webmin -> Webmin Configuration and click on Webmin Modules.

In the webmin modules page, click on From local file and browse for the openvpn-2.5.wbm that have been extracted from the gz file then click Install Module.

After the installation finished, OpenVPN + CA menu will be listed in the Servers Menu.

Now, we have installed all the components needed for the OpenVPN configuration.

In the next section, I will discuss about the OpenVPN configuration.

This article came out as my documentation on configuring the system. In this article, I provide step-by-step instruction for configuring an OpenVPN server running on CentOS using webmin, configuring OpenVPN client running on pfSense and OpenVPN client running on Windows 7.

In the head office, I put the OpenVPN server in a DMZ segmen, separate it from LAN segmen where the internal server and client reside. I use an UTM/firewall to separate the WAN, DMZ and our LANs. Using this, I can configure firewall rule between WN, DMZ and LAN segmen.

Here is the diagram of our network environment.

In the next section, I will describe about the webmin and openvpn installation.

Manually deleting those email is very time consuming.  Here are the step to clean those email with one single command:

for i in `/usr/sbin/postqueue -p|grep 'user@domain.com' |awk {'print $1'}|grep -v 'user@domain.com'`; do /usr/sbin/postsuper -d $i ; done

This command will delete mail queue from or to user@domain.com.  To check current mail queue, run this command:

/usr/sbin/postqueue -p

Your mail queue will be much shorter.

After googled and searched, I found the source of the problem.  The default gateway on the Service Console was missing.   Not sure how this could happen.  After fill in the default gateway IP and run the Reconfigure HA, the HA works fine on that host.