
Complete Solution for Online Privacy with Your Own Private OpenSSH, OpenVPN and VNC Server


Taking control of your public access security


An easy path to greater security through

OpenSSH, OpenVPN and VNC on a single-homed Fedora 21 Workstation on your home network


We all know that public WiFi access is a potential playground for would-be hackers with nefarious desires. You can easily take a major step in protecting yourself by installing an OpenSSH and an OpenVPN server on your home network, through which you encrypt and tunnel all of your public access traffic. By doing so, you will be providing the coffee house hacker with nothing more than an encrypted flow of data: an encrypted flow that provides absolutely nothing useful to assist him/her in their nefarious deeds.


While there are publicly available VPN and SSH servers – some free and some not – on the Internet, anyone who has tried to use them has discovered that they are not as reliable as they had hoped: difficulty in connecting and very poor performance are common. Many people feel that the servers should not keep logs, something that is hard to find without paying a monthly or annual fee; which, if you think about it, takes away your anonymity because now they have a record of the sales transaction.


The best possible solution for this situation is to set up a private SSH and VPN server on your home network and use them when you are out on the road or overseas: you won't have logs to worry about, and it is always available and totally exclusive to you, which means that your performance should be outstanding! And all of your traffic traverses an encrypted channel, which makes it virtually immune to hacking and prying eyes.


If you are more accustomed to using a GUI for management of your computers, no worries! This article will show you how to set up a VNC server (remote desktop) that you can use to open that server in a window with full GUI access – from anywhere in the world – and do it via an SSH encrypted tunnel or using your brand new VPN server!


You don't need a lot of money or heavy duty equipment to get started either! Any older computer with at least a Pentium processor, a single connection to your home network via Ethernet or WiFi, a 60 GB (or larger) hard disk, and 1 GB (multi-user.target [runlevel 3]) or 2 GB (graphical.target [runlevel 5]) of RAM will suffice. You can probably pick one up for free from a friend who is looking to dump the old "boat anchor" somewhere. All the software required for this project is free, so this small investment in your private access security is well worth the time and effort to implement.


Project Requirements



  1. Boat-anchor computer (as outlined above)

  2. Fedora 21 Workstation iso file

  3. A blank DVD or a 2GB USB drive

  4. About four hours of time

  5. A basic understanding of using a terminal; both as root and as a regular user


Hint: use su and enter your password to get to root. Use exit to get back to the regular user, which is when you will use sudo to perform certain tasks. You will never use sudo as root.


Caveats and Disclaimers


While this was written during installation and testing on Fedora 21 Workstation, the principles involved are the same regardless of distro. If you are not using Fedora 21, you should still be able to figure out the details with some Google searches for your distro. Since there may be documentation errors here that I am not aware of, use these procedures at your own risk! Double check everything, type slowly and deliberately, and double check once more before pressing Enter!! Do not just copy and paste the commands from this document into a root terminal!! You will most certainly bring your machine down! Note that you will already have installed Fedora 21 Workstation on a computer – you can use whatever partitioning you wish for this project. The main goal is to just get it installed and working on the home network. Also, only the Linux client is explained in this article.


Please note that these procedures are for a freshly installed Fedora 21 Workstation. If you go through these procedures on a box that has had its firewall, iptables, etc. modified from the default values, then you may run into issues and have to devise workarounds for your particular circumstances…


One more thing. This work is a conglomeration, with very little of the material being original. I had to dig through countless sites and read until my eyes bled to put together the solution as outlined here; taking bits and pieces from here and there; working my way through all the errors, developing work-arounds, etc. I apologize to the authors of the information that I have included "wholesale" for not citing each and every procedure/note/comment, etc. that is written here. That would be nearly impossible. If you see something here that you yourself have written, I know that you understand where I am coming from on this issue.


Food for Thought: Numbering private subnets


Setting up a VPN often entails linking together private subnets from different locations.


For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN.


The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24).


With this in mind, it is a good idea to start this whole project by changing your home router to provide DHCP addresses in the "middle" of the 10.0.0.0/8 netblock. As an example, I used my birth year to set my local network addresses; so mine is set as: 10.19.58.0/24
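

The routing conflict described above is easy to check for before you renumber your home LAN. The following is an added example (not part of the original article) that uses Python's standard ipaddress module to test a candidate home subnet against the networks a laptop is typically handed on public WiFi and against the OpenVPN tunnel pool; the public WiFi subnets and the HOME_LAN/VPN_POOL values are constructed assumptions, not measurements.

```python
import ipaddress

# Constructed sample values (assumptions, not from the article): the home LAN
# the VPN server sits on, the OpenVPN tunnel pool, and the kinds of networks
# a laptop gets handed on public Wi-Fi.
HOME_LAN = "10.19.58.0/24"
VPN_POOL = "10.8.0.0/24"
PUBLIC_WIFI_LANS = {
    "coffee shop": "192.168.0.0/24",
    "airport": "10.0.0.0/24",
    "hotel": "192.168.1.0/24",
    "phone hotspot": "192.168.43.0/24",
}


def conflicts_with(lan, remote_lans):
    """Names of the remote networks whose range overlaps `lan`.

    Any overlap is a routing conflict: the client cannot tell whether an
    address such as 192.168.0.1 is the local Wi-Fi gateway or a host
    reached through the tunnel.
    """
    home = ipaddress.ip_network(lan, strict=True)
    return [name for name, cidr in remote_lans.items()
            if home.overlaps(ipaddress.ip_network(cidr, strict=True))]


def pick_home_subnet(candidates, remote_lans, vpn_pool=VPN_POOL):
    """First candidate that overlaps neither the remote LANs nor the tunnel
    pool; None if every candidate collides with something."""
    for cidr in candidates:
        if not conflicts_with(cidr, remote_lans) and \
           not conflicts_with(cidr, {"vpn pool": vpn_pool}):
            return cidr
    return None


if __name__ == "__main__":
    for lan in ("192.168.0.0/24", "10.0.0.0/24", "10.8.0.0/24", HOME_LAN):
        print(f"{lan:16} conflicts with {conflicts_with(lan, PUBLIC_WIFI_LANS)}")
    print("safe choice:",
          pick_home_subnet(["192.168.0.0/24", "10.0.0.0/24", "10.8.0.0/24",
                            "10.66.77.0/24"], PUBLIC_WIFI_LANS))
```

The tunnel pool is included in the check because the same conflict arises if the server hands out 10.8.0.0/24 addresses while the home LAN itself lives in that range.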


Remember that in all instances within this document you have to substitute user with a valid user on your VPN Server box! The same goes for servername.


Warning: For some unknown reason, if you copy and paste a command line from this document the -- (double dash in front of long options) will not appear when pasted! Therefore, double check your command line and replace the -- where necessary.


Set up DDNS on the Internet


Go to http://www.noip.com/remote-access and sign up for the free DDNS account.


Download the update client, then configure and install it after setting up your router (see below) to allow the ports used by the updater. http://www.noip.com/support/knowledgebase/ should answer all of your questions.


Set up an SSH Server on the machine that will be your VPN Server


Before we get started with anything else, we need to establish our firewall's Default Zone.

Set a Default Zone


[root@fedora21test ]# firewall-cmd --list-all-zones
[root@fedora21test ]# firewall-cmd --get-default-zone
[root@fedora21test ]# firewall-cmd --set-default-zone=whicheverzoneyoudesire

Further information is available at: https://fedoraproject.org/wiki/FirewallD#Using_firewall-cmd


[root@fedora21test ]# yum -y install openssh-server

OpenSSH has a plethora of options, which will not be covered here. All we need is a basic setup for our project (the sshd daemon itself ships in the openssh-server package). For those who would like to add additional security by disabling root login and implementing certificates for login authentication (all highly recommended), all the information needed is here: https://wiki.archlinux.org/index.php/SSH_keys#Disabling_password_logins


For now, one thing you should do is change the listening port for the SSH server, since it will be exposed to the internet. You do that by changing the port designation on line 16 of the /etc/ssh/sshd_config file. Of course, you will have to add that port to the server's firewall as well as adjust the entry on the Virtual Servers page of your router (see below). You can add your custom port to the firewall using:


[root@fedora21test ]# firewall-cmd --permanent --add-port=yoursshportdesignator/tcp

Now add the ssh service to the firewall, then enable and start the ssh server daemon…


[root@fedora21test ]# firewall-cmd --permanent --add-service=ssh
[root@fedora21test ]# firewall-cmd --reload
[root@fedora21test ]# systemctl -f enable sshd.service
[root@fedora21test ]# systemctl daemon-reload
[root@fedora21test ]# systemctl start sshd.service

Tip: install htop as well to see exactly how your server is doing in terms of CPU load, memory usage, running services, etc. from the terminal used to connect to your server using SSH.


[root@fedora21test ]# yum -y install htop

Once installed you will be able to log onto the server with ssh, type htop at the user prompt, and get a complete, real-time health report of your server.

To connect to your server locally


[user@fedora21test ]$ ssh user@x.x.x.x ← local ip address of ssh server; i.e. 10.19.58.14

To connect when away from home


[user@fedora21test ]$ ssh user@yourdomain.ddns.net ← whatever your setup is at no-ip.com

You should now be able to administer this server from anywhere on the planet using your newly set up DDNS and SSH! You could just stop right here and configure your applications individually to use the SSH tunnel, but the VPN solution is way more secure and actually very easy to set up: you just have to make sure that you make the appropriate changes before you begin the OpenVPN server installation.


Tip: Add your server name and ip address to the clients' /etc/hosts so that you can just do something like:


[user@fedora21test ]$ ssh user@servername

— to make the connection.


Tip: There are a series of scripts at the end of this document that will allow you to connect in various ways after everything is set up and running. Start by creating a bin directory in your home directory, copy the contents for each script into the files indicated, and chmod 700 all scripts. Then you can make a link to each of them and place those links in a folder on your desktop. All of this is outlined in detail later in this article.


Configure your router


Find out where you add Virtual Servers, DHCP Reservations and Port Triggers on your router and add the following…


Virtual Servers – Default settings are used for the servers in this list


If you decide to change your ports for SSH and VNC then enter those ports instead of the defaults listed here…


Description   Inbound Port   Type   Private IP Address   Local Port
DUC1          8245-8245      Both   10.19.58.14          8245-8245
DUC2          943-943        TCP    10.19.58.14          943-943
VPN1          1194-1194      UDP    10.19.58.14          1194-1194
VPN2          443-443        TCP    10.19.58.14          443-443
SSHServer     22-22          TCP    10.19.58.14          22-22
VNCServer     5910           TCP    10.19.58.14          5910
VNCServer     6010           TCP    10.19.58.14          6010

Note: The 6010 entry is not necessary if you will not be using IPv6 to access your VNC server.


The Private IP address is the address that you will reserve, under the DHCP options, for your VPN server box. Unless you are using my ip scheme, it is not going to be 10.19.58.14 for those entries.


Port Triggers – Default settings are used for the servers in this list


If you decide to change your port for the VNCServer then enter that port instead of the defaults listed here…


Description   Outbound Port   Type   Inbound Port
DUC Out       8245-8245       Both   8245-8245
VNC           5910            TCP    5910
VNC           6010            TCP    6010

Note: The 6010 entry is not necessary if you will not be using IPv6 to access your VNC server.


A Port Trigger is needed because these services initiate a connection from within the network instead of just responding to incoming requests. The VNC entries are required ONLY if you plan on doing GUI installs on the server at some later time. See the Fedora Installation Guide for details on VNC based installs.


Reserved IP Client List


Name            IP Address    MAC Address         Status
[Server Name]   10.19.58.14   00:03:C0:10:BE:40   Online

Enable IP masquerading


[root@fedora21test ]# firewall-cmd --permanent --add-masquerade

Then reload the firewall


[root@fedora21test ]# firewall-cmd --reload

Double check your work…


[root@fedora21test ]# firewall-cmd --query-masquerade && echo "enabled" || echo "Not enabled"

You should get back a response of:


yes
enabled

Enable IP Forwarding


Next, edit or create /etc/sysctl.d/99-sysctl.conf to permanently enable IPv4 packet forwarding (takes effect at the next boot):


[root@fedora21test ]# vim /etc/sysctl.d/99-sysctl.conf

Enable packet forwarding by putting this line into that file:


net.ipv4.ip_forward=1

Double check your work…


[root@fedora21test ]# sysctl net.ipv4.ip_forward

You should get back a response of:


net.ipv4.ip_forward = 1

Adjust your iptables appropriately.


First get your network-interface-id for the next set of entries


[root@fedora21test ]# ifconfig

Now make these entries:


[root@fedora21test ]# iptables -A INPUT -i tun+ -j ACCEPT
[root@fedora21test ]# iptables -A FORWARD -i tun+ -j ACCEPT
[root@fedora21test ]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o network-interface-id -j MASQUERADE

Adjust SELinux Policy


[root@fedora21test ]# getenforce
[root@fedora21test ]# vim /etc/selinux/config

change SELINUX=enforcing to SELINUX=disabled or permissive (see note below)


[root@fedora21test ]# reboot

Note: Disabling selinux is required for the VNC server installation. If you do not intend on installing the VNC server, then you can set the above variable declaration to permissive.


Install OpenVPN


Install OpenVPN on the server


[root@fedora21test ]# yum install openvpn -y

OpenVPN ships with a sample server configuration, so we will copy it to where we need it:


[root@fedora21test ]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn

Generate Keys and Certificates


NOTE: Build your keys on the machine with the highest random entropy. You do not have to do this on the server. To obtain your random entropy figure, use: cat /proc/sys/kernel/random/entropy_avail (the higher the figure the better. Do NOT use a machine that has less than 200!) See this article for more information on random entropy and its importance in encryption: https://major.io/2007/07/01/check-available-entropy-in-linux/ The comments section has solutions for generating higher random entropy.


Also, note that the server and client clocks need to be roughly in sync or certificates might not work properly. If not already set up, you should use ntp on both your server and clients.


Generate the master Certificate Authority (CA) certificate & key


Install easy-rsa


[root@fedora21test ]# yum install easy-rsa

Copy the easy-rsa directory to /etc/openvpn/


[root@fedora21test ]# cp -r /usr/share/easy-rsa /etc/openvpn
[root@fedora21test ]# cd /etc/openvpn/easy-rsa
[root@fedora21test ]# init-config

Now edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

Next, initialize the PKI:


[root@fedora21test ]# . ./vars
[root@fedora21test ]# ./clean-all
[root@fedora21test ]# ./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:


ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: Servername-CA
Email Address [me@myhost.mydomain]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used Servername-CA which you should change to reflect your own CA name.


Generate certificate & key for server


[root@fedora21test ]# ./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses:


"Sign the certificate? [y/n]"
"1 out of 1 certificate requests certified, commit? [y/n]".

Generate certificates & keys for clients


[root@fedora21test ]# ./build-key client1
[root@fedora21test ]# ./build-key client2
[root@fedora21test ]# ./build-key client3 (etc.)

Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.


Generate Diffie Hellman parameters


[root@fedora21test ]# ./build-dh

Generate the ta.key file


[root@fedora21test ]# openvpn --genkey --secret ta.key

Key Files Summary


All of your newly-generated keys and certificates are in the /etc/openvpn/easy-rsa/keys sub-directory. Here is an explanation of the relevant files:


Filename      Needed By                  Purpose                     Secret
ca.crt        server + all clients       Root CA certificate         NO
ca.key        key signing machine only   Root CA key                 YES
dh{n}.pem     server only                Diffie Hellman parameters   NO
server.crt    server only                Server Certificate          NO
server.key    server only                Server Key                  YES
ta.key        server + all clients       tls-auth key                YES
client1.crt   client1 only               Client1 Certificate         NO
client1.key   client1 only               Client1 Key                 YES
client2.crt   client2 only               Client2 Certificate         NO
client2.key   client2 only               Client2 Key                 YES
client3.crt   client3 only               Client3 Certificate         NO
client3.key   client3 only               Client3 Key                 YES

Distribute keys


[root@fedora21test ]# mkdir /etc/openvpn/keys

The final step is to copy the appropriate files to the /etc/openvpn/keys directory of the machines that need them. Take extra care to copy secret files over a secure channel (or USB) to the other computers.


Although you can place the keys anywhere, for the sample config files to work, all keys are placed in the same sub-directory on all machines: /etc/openvpn/keys


Once the keys are in place you need to update your selinux policy on each of the clients and the server. This is not required if you set your policy to disabled.


[root@fedora21test ]# restorecon -Rv /etc/openvpn
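
The distribution rules in the Key Files Summary are easy to get wrong by hand (a client ends up with another client's key, or ca.key is copied along with everything else). The following added example, which is not part of the original article, encodes those rules and audits a /etc/openvpn/keys directory for a given machine role: it flags key material that should not be there, required files that are missing, and secret files that are readable by group or others. The role names ("server", "client", "signer" for the machine that built the CA) and the constructed demo directory are assumptions of this example.

```python
import os
import stat
import tempfile

# Distribution rules from the Key Files Summary: which role needs a file and
# whether it is secret. "signer" is the machine that built the CA and is the
# only place ca.key belongs (assumed role names, not from the article).
KEY_FILES = {
    "ca.crt":     {"roles": {"server", "client"}, "secret": False},
    "ca.key":     {"roles": {"signer"},           "secret": True},
    "dh2048.pem": {"roles": {"server"},           "secret": False},
    "server.crt": {"roles": {"server"},           "secret": False},
    "server.key": {"roles": {"server"},           "secret": True},
    "ta.key":     {"roles": {"server", "client"}, "secret": True},
}
KEY_SUFFIXES = (".crt", ".key", ".pem")


def files_for(role, client_name=None):
    """Set of file names a machine of this role should hold."""
    wanted = {n for n, info in KEY_FILES.items() if role in info["roles"]}
    if role == "client":
        wanted |= {f"{client_name}.crt", f"{client_name}.key"}
    return wanted


def is_secret(name):
    """ca.key, server.key, ta.key and every clientN.key are secret."""
    return KEY_FILES[name]["secret"] if name in KEY_FILES else name.endswith(".key")


def audit_keys_dir(path, role, client_name=None):
    """Problems in a /etc/openvpn/keys directory for a machine of `role`:
    key material that should not be there (another client's key, ca.key on
    the server), required files that are missing, and secret files readable
    by group or others."""
    problems = []
    wanted = files_for(role, client_name)
    present = {n for n in os.listdir(path) if n.endswith(KEY_SUFFIXES)}
    for name in sorted(present - wanted):
        problems.append(f"{name}: should not be on a {role} machine")
    for name in sorted(wanted - present):
        problems.append(f"{name}: missing")
    for name in sorted(present & wanted):
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if is_secret(name) and mode & 0o077:
            problems.append(f"{name}: secret file is mode {mode:04o}, expected 0600")
    return problems


def demo_client1_dir():
    """Constructed client1 keys directory with two deliberate mistakes:
    client1.key is world-readable and client2.key was copied by accident."""
    d = tempfile.mkdtemp()
    for name, mode in [("ca.crt", 0o644), ("client1.crt", 0o644),
                       ("client1.key", 0o644), ("ta.key", 0o600),
                       ("client2.key", 0o600)]:
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    return audit_keys_dir(d, "client", "client1")


if __name__ == "__main__":
    for problem in demo_client1_dir():
        print(problem)
```

Run it against the real directory with audit_keys_dir("/etc/openvpn/keys", "server") on the server and audit_keys_dir("/etc/openvpn/keys", "client", "client1") on each client before starting OpenVPN.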

Edit the server configuration file


(A completed, working sample file is included in this document)

The default OpenVPN server configuration will create a tun0 network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN's default), authenticate client access, and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.


[root@fedora21test ]# vim /etc/openvpn/server.conf

Edit the ca, cert, key, tls-auth and dh parameters to point to the ca, key, cert, dh and ta files you generated above (i.e. /etc/openvpn/keys) and uncomment the following items:


server
proto udp
dev tun
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
cipher ← choose which cipher you want and leave the others commented.
user nobody
group nobody

Install OpenVPN on the client


[root@fedora21Client ]# yum install openvpn -y

Edit the client configuration file


(A completed sample file is included in this document)


The sample client configuration file (client.conf) mirrors the default directives set in the sample server configuration file. Since OpenVPN can be either a server or a client, configuration files for both are included when installed.


[root@fedora21Client ]# cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf /etc/openvpn
[root@fedora21Client ]# vim /etc/openvpn/client.conf

Edit the ca, cert, key, and tls-auth parameters to point to the ca, key, cert, and ta files you generated above (i.e. /etc/openvpn/keys) and check the following items:



  1. The remote directive points to the hostname/IP address and port number of your OpenVPN server.

    Follow the instructions above for installation, configuration and setup of DDNS. You will use your DDNS name on the remote line…

  2. That the dev (tun), proto (udp), cipher, comp-lzo and fragment directives are consistent with the server.conf file.

  3. That the remote-cert-tls server option is uncommented.
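

The three checks above (and the tls-auth key direction, which must be 0 on the server and 1 on the client) can be verified mechanically. The following is an added example, not code from the article or from the OpenVPN project: a small parser for OpenVPN's one-directive-per-line format and a checker that compares a client.conf against the server.conf it must match. The SERVER_CONF and CLIENT_CONF_* strings are constructed from the simplified sample files shown later in this article; the DDNS name and key paths are the article's placeholders.

```python
import shlex
from collections import defaultdict

# Constructed config text modelled on the simplified server.conf and
# client.conf later in this article (placeholder DDNS name and key paths).
SERVER_CONF = """
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC
comp-lzo
"""

CLIENT_CONF_OK = """
client
dev tun
proto udp
remote yourdomain.ddns.net 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
remote-cert-tls server
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
comp-lzo
"""

# The same file with four of the mistakes the checklist warns about.
CLIENT_CONF_BAD = """
client
dev tun
proto tcp
remote yourdomain.ddns.net 1194
tls-auth /etc/openvpn/keys/ta.key 0
;remote-cert-tls server
cipher BF-CBC
"""


def parse_openvpn_conf(text):
    """Map each directive to a list of its argument lists, one per
    occurrence. Lines starting with # or ; are comments; a quoted argument
    such as push "redirect-gateway def1" stays one argument."""
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        conf[parts[0]].append(parts[1:])
    return conf


def first(conf, name, default=None):
    """Arguments of the first occurrence of a directive, or `default`."""
    return conf[name][0] if name in conf else default


def check_client_against_server(client_text, server_text, ddns_name=None):
    """Inconsistencies between a client.conf and the server.conf it must
    match; an empty list means the checklist passes."""
    c = parse_openvpn_conf(client_text)
    s = parse_openvpn_conf(server_text)
    issues = []
    # 1. remote must name the server (your DDNS host) and its listening port
    remote = first(c, "remote")
    server_port = first(s, "port", ["1194"])[0]
    if remote is None:
        issues.append("client: no remote directive")
    else:
        if ddns_name and remote[0] != ddns_name:
            issues.append(f"client: remote host is {remote[0]}, expected {ddns_name}")
        client_port = remote[1] if len(remote) > 1 else "1194"
        if client_port != server_port:
            issues.append(f"client: remote port {client_port} != server port {server_port}")
    # 2. dev, proto, cipher, comp-lzo and fragment must agree on both sides
    for d in ("dev", "proto", "cipher", "fragment"):
        if first(c, d) != first(s, d):
            issues.append(f"{d}: client {first(c, d)} vs server {first(s, d)}")
    if ("comp-lzo" in c) != ("comp-lzo" in s):
        issues.append("comp-lzo: enabled on one side only")
    # tls-auth uses key direction 0 on the server and 1 on the client
    ct, st = first(c, "tls-auth"), first(s, "tls-auth")
    if (ct is None) != (st is None):
        issues.append("tls-auth: configured on one side only")
    elif ct is not None and (st[-1] != "0" or ct[-1] != "1"):
        issues.append("tls-auth: key direction must be 0 on the server and 1 on the client")
    # 3. remote-cert-tls server must be uncommented on the client
    if first(c, "remote-cert-tls") != ["server"]:
        issues.append("client: remote-cert-tls server is missing or commented out")
    return issues


if __name__ == "__main__":
    print("good client:", check_client_against_server(CLIENT_CONF_OK, SERVER_CONF, "yourdomain.ddns.net"))
    for issue in check_client_against_server(CLIENT_CONF_BAD, SERVER_CONF, "yourdomain.ddns.net"):
        print("bad client:", issue)
```

To check real files, read /etc/openvpn/client.conf on the client and a copy of the server's server.conf and pass their contents to check_client_against_server.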


Final Steps for server


[root@fedora21test ]# ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
[root@fedora21test ]# firewall-cmd --permanent --add-service=openvpn
[root@fedora21test ]# systemctl stop openvpn@server.service
[root@fedora21test ]# systemctl -f enable openvpn@server.service
[root@fedora21test ]# systemctl start openvpn@server.service

Final Steps for clients


[root@fedora21Client ]# firewall-cmd --permanent --zone=FedoraWorkstation --add-service=openvpn
[root@fedora21Client ]# firewall-cmd --permanent --zone=FedoraWorkstation --add-service=ssh

Either run the VPN client via the command line in a root terminal (Ctrl-c will exit) or set up your VPN connection using Network Manager (covered below). For now, we will just use a terminal…


To open a VPN connection using the command line:


[root@fedora21Client ]# openvpn /etc/openvpn/client.conf

Test the connection by pinging your side of the tunnel, the VPN server's side of the tunnel (usually at 10.8.0.1), the internal ip address of the VPN server (the one it uses to communicate on its Ethernet or WiFi connection to the router) and finally the default gateway of the VPN server itself.


[root@fedora21Client ]# ifconfig ← to get the ip address of tun0
[root@fedora21Client ]# ping 10.8.0.2 (tun0 ip address)
[root@fedora21Client ]# ping 10.8.0.1 (vpn server tun0 address)
[root@fedora21Client ]# ping 10.19.58.14 (vpn server address)
[root@fedora21Client ]# ping 10.19.58.1 (vpn server default gateway)

Ensure that all traffic is flowing through the tunnel:


[root@fedora21Client ]# ip route get [the ip address you used in testing the connection] ← one ip at a time.

Note: The default gateway of the router may come back with a good ping, but ip route get may show a route other than the tunnel. In that case, the easiest way to test is to connect your laptop wifi to your cell phone hotspot (or connect to another external wifi network), reconnect to the VPN server, and run the ping & ip route get commands again.


When successful, whatismyip.com should show the external IP address of your home router. When you disconnect it should show your cell phone's IP address.


Once you have verified that you can ping successfully through the vpn connection, you can run traceroute and ip route get to verify that all traffic is flowing through the tunnel.


Compare name resolution for both



  1. While VPN is up and

  2. When VPN is down.


While VPN is UP


[root@fedora21Client ]# traceroute www.google.com

Which should return a lot of information, but the most important part is in the first 2 lines:


1 10.8.0.1 (10.8.0.1) 58.430 ms 68.225 ms 77.327 ms
2 10.19.58.1 (10.19.58.1) 77.510 ms 68.233 ms 68.235 ms

Notice that the first hop is to the vpn server and the second is to the default gateway on the server.


[root@fedora21Client ]# ip route get 8.8.8.8
8.8.8.8 via 10.8.0.1 dev tun0 src 10.8.0.2

Notice that it shows that the route goes out through your tun0 interface and that the next hop is the vpn server's tun0 interface address.


When VPN is DOWN


[root@fedora21Client ]# traceroute www.microsoft.com
traceroute to www.microsoft.com (23.66.56.154), 30 hops max, 60 byte packets
1 192.168.43.1 (192.168.43.1) 6.727 ms 10.024 ms 10.031 ms
2 33.sub-66-174-43.myvzw.com (66.174.43.33) 43.569 ms 43.579 ms 53.647 ms
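
The two comparisons above (the dev and via fields of ip route get, and the first hop of traceroute) are the evidence that traffic is really leaving through the tunnel. The following added example, not part of the original article, turns that eyeball check into code: it parses both outputs and returns a list of findings, empty when everything goes via tun0 and the VPN server's tunnel address. The sample outputs are constructed to mirror the article's listings (with documentation addresses from 203.0.113.0/24 standing in for the real destinations) and were not captured from a live machine.

```python
import re

# Constructed sample output (not captured from a real machine), modelled on
# the article's listings: a client whose tunnel is up, and the same client
# on a phone hotspot with the VPN down.
ROUTE_UP = "8.8.8.8 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0\n    cache"
ROUTE_DOWN = "8.8.8.8 via 192.168.43.1 dev wlp3s0 src 192.168.43.17 uid 0\n    cache"
TRACE_UP = """traceroute to www.google.com (203.0.113.10), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  58.430 ms  68.225 ms  77.327 ms
 2  10.19.58.1 (10.19.58.1)  77.510 ms  68.233 ms  68.235 ms"""
TRACE_DOWN = """traceroute to www.microsoft.com (203.0.113.20), 30 hops max, 60 byte packets
 1  192.168.43.1 (192.168.43.1)  6.727 ms  10.024 ms  10.031 ms
 2  33.sub-66-174-43.myvzw.com (66.174.43.33)  43.569 ms  43.579 ms  53.647 ms"""

# hop number, hostname (or IP), then the IP in parentheses
_HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)", re.MULTILINE)


def parse_ip_route_get(output):
    """Pick the destination and the 'via', 'dev' and 'src' fields out of
    `ip route get` output."""
    tokens = output.split()
    info = {"dst": tokens[0]}
    for key in ("via", "dev", "src"):
        if key in tokens:
            info[key] = tokens[tokens.index(key) + 1]
    return info


def traceroute_hops(output):
    """List of (hop number, IP) pairs from traceroute output."""
    return [(int(n), ip) for n, _name, ip in _HOP.findall(output)]


def check_vpn_path(route_output, traceroute_output, vpn_gw="10.8.0.1", tun_dev="tun0"):
    """Findings that show traffic is NOT going through the tunnel; an empty
    list means the route and the first hop both belong to the VPN."""
    findings = []
    route = parse_ip_route_get(route_output)
    if route.get("dev") != tun_dev:
        findings.append(f"route to {route['dst']} leaves via {route.get('dev')}, not {tun_dev}")
    if route.get("via") != vpn_gw:
        findings.append(f"next hop for {route['dst']} is {route.get('via')}, not the VPN server {vpn_gw}")
    hops = traceroute_hops(traceroute_output)
    if not hops or hops[0][1] != vpn_gw:
        findings.append(f"traceroute first hop is {hops[0][1] if hops else 'unknown'}, not {vpn_gw}")
    return findings


if __name__ == "__main__":
    print("VPN up:  ", check_vpn_path(ROUTE_UP, TRACE_UP) or "all traffic via tunnel")
    print("VPN down:", check_vpn_path(ROUTE_DOWN, TRACE_DOWN))
```

On a real client, feed it the output of ip route get 8.8.8.8 and traceroute www.google.com (for example via subprocess.check_output) and treat any finding as a tunnel leak to investigate before trusting the connection from public WiFi.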

Useful OpenVPN References:



  1. https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6

  2. https://openvpn.net/index.php/open­source/documentation/howto.html#numbering

  3. https://wiki.archlinux.org/index.php/OpenVPN


Contents of /lib/systemd/system/openvpn@.service


[Unit]
Description=OpenVPN on %I
After=network.target
[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target

You can use this text for your server.conf if you have been following the procedures used in this document, or modify it if your keys are in different locations or you have made other adjustments along the way.


Example of working, simplified /etc/openvpn/server.conf – All comments removed…


server
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

If you choose not to keep status logs, then comment out the status openvpn-status.log and the verb 3 lines.


You can use this text for your client.conf if you have been following the procedures used in this document, or modify it if your keys are in different locations or you have made other adjustments along the way.


Just make sure to insert your own DDNS value where the text is red in the following:


Example of working, simplified /etc/openvpn/client.conf – All comments removed


client
dev tun
proto udp
remote yourdomain.ddns.net-1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
remote-cert-tls server
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
comp-lzo
verb 3

If you choose not to keep status logs, then comment out the verb 3 line.


Tip: Once you have created and saved your client.conf file you can import it into Network Manager! Just bring up Network Connections, select Add, under VPN select Import a saved OpenVPN configuration, point to your /etc/openvpn/client.conf file and hit Create!


Double check all of the Authentication information on the VPN tab (you do not need to enter anything in the password box), then select Advanced and verify the information on the TLS Authentication tab. Save and exit.


Now, you will be able to toggle your VPN in Network Manager!


VNC Server and Client Setup – With instructions for using VNC over SSH


This may seem pretty obvious, but the VNC server will not load if you boot your computer into multi-user.target (runlevel 3).


To change back and forth you can run one of the following and then reboot.


[root@fedora21test ]# systemctl set-default multi-user.target
[root@fedora21test ]# systemctl set-default graphical.target

Be aware that you may have to re-do the server configuration from scratch if you switch to multi-user.target and then wish to go back to graphical.target. Shortened procedures for doing this are near the end of this document.


NOTE! Pay very close attention to which user is issuing the command!


This changing back and forth is necessary for the appropriate files to be created in the right locations! Watch what you are doing very closely here because it is very easy to get fouled up.


Step 1:


Install the TigerVNC server and client packages


[root@fedora21test ]# yum -y install tigervnc-server (on the server)
[root@fedora21test ]# yum -y install tigervnc (on the client)

Step 2:


Copy the VNC server unit file to where it needs to be for editing:


[root@fedora21test ]# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:10.service

By default a VNC server listens on port 5900 plus the display number. The vncserver@:10.service file name selects display :10, so the Xvnc instance it starts listens on 5900 + 10 = 5910, and that is the port the viewer connects to. Because the display number is part of the address, you can connect to the VNC server using the IP address:display format.


Eg: 10.30.0.78:10*


* Tip: you can change the base port to whatever you wish on line 199 of the /usr/bin/vncserver file


[root@fedora21test ]# vim /usr/bin/vncserver
199 $vncPort = 4400 + $displayNumber;

In this example the base port has been changed to 4400. Since the @:10.service file selects display 10, you would use 4410 instead of 5910 in the upcoming firewall commands, and on the Virtual Server page of your router for the VNC server; the viewer then needs the full port rather than the display number (for example 10.30.0.78::4410). Two caveats: moving the port only hides the service from casual scans and is not a substitute for tunnelling VNC over SSH or the VPN (Step 8), and /usr/bin/vncserver belongs to the tigervnc-server package, so a package update will silently put the base port back to 5900.


Step 3:


Edit the copied file and make the changes described below.


[root@fedora21test ]# vim /etc/systemd/system/vncserver@\:10.service

For simplicity's sake I have a user named "user", so in my example this is the account the server runs as and authenticates me against when I connect. Thus, my file looks like the one below. Please choose your own user and change the three lines that mention it (ExecStart and PIDFile) accordingly. Do not use root here: Xvnc should run as an ordinary account.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
# Change this to Type=simple if you are having trouble getting it to load.
# (systemd does not accept a comment at the end of a directive line, so keep it on its own line.)
Type=forking
# Clean any existing files in /tmp/.X11-unix
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l user -c "/usr/bin/vncserver %i"
PIDFile=/home/user/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Step 4:


Now add the VNC port to the firewall.


[root@fedora21test ]# firewall-cmd --permanent --add-service vnc-server
[root@fedora21test ]# firewall-cmd --permanent --add-port=5910/tcp

Remember to change the port here to the one you entered in /usr/bin/vncserver.

An earlier version of these instructions also opened 6010/tcp "for ip6". That port has nothing to do with IPv6: Xvnc listens on 6000 + display number for X11 clients connecting over TCP, which a VNC viewer never uses, so leave it closed. Likewise the vnc-server service in firewalld opens the default 5900-5903 range, which you do not need if you only run display :10; the --add-port line alone is enough.


NOTE: If you haven't already done so, don't forget to add this port to the Virtual Server section on your router (as shown under Configure your Router above), but only if you really want VNC reachable directly from the internet. VNC authentication is a password of at most 8 characters and, as Step 8 explains, the session is not encrypted; if you will always reach VNC through the VPN or an SSH tunnel, leave the VNC port out of the router entirely and expose only SSH and OpenVPN. If you intend on doing installs/upgrades via VNC on this same box (i.e. Fedora Server using the GUI installer, which is recommended) then you will also have to add a Port Trigger for the VNC port, since in that case the server will be initiating a connection to a listening client; see the Fedora Installation guide for details.


Now, reload the firewall with:


[root@fedora21test ]# firewall-cmd --reload

Hints: You can always double-check which ports are open, and which services are allowed, on the firewall with:


[root@fedora21test ]# firewall-cmd --list-ports
[root@fedora21test ]# firewall-cmd --list-services

(--get-services, which the original used, lists every service firewalld knows about, not the ones you have allowed.) For a complete listing of all firewall-cmd options refer to this site: https://fedoraproject.org/wiki/FirewallD#Using_firewall-cmd
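Steps 2 to 4 are mechanical and easy to get wrong by hand (the port arithmetic, the user name in three places, the firewall port). The script below is an added example written for this page, not code from the original post: it derives the ports for a display number, writes the per-display unit after checking that the account exists and is not root, and prints the matching firewall-cmd lines. The function names, the optional base-port argument and the --run entry point are this example's own; the paths and unit layout follow the page.

```shell
#!/bin/bash
# Added example: derive VNC ports for a display and generate the systemd unit
# from Steps 2-4. Assumes the Fedora layout used on this page (runuser,
# /usr/bin/vncserver, ~/.vnc/%H%i.pid); function names are this example's own.
set -u

# RFB (viewer) port = base + display. 5900 is the default; pass 4400 if you
# changed $vncPort in /usr/bin/vncserver as in the tip in Step 2.
vnc_port() {            # vnc_port DISPLAY [BASE]
    local display=$1 base=${2:-5900}
    echo $((base + display))
}

# Xvnc also opens an X11 TCP listener on 6000 + display. Viewers never use it,
# so it does not need to be opened anywhere.
x11_port() {            # x11_port DISPLAY
    echo $((6000 + $1))
}

# Emit the unit text for USER on DISPLAY. Comments sit on their own lines
# because systemd rejects a trailing comment after a directive.
vnc_unit_text() {       # vnc_unit_text USER DISPLAY
    local user=$1 display=$2
    cat <<EOF
[Unit]
Description=Remote desktop service (VNC) for $user on :$display
After=syslog.target network.target

[Service]
# Use Type=simple instead if the forking variant fails to start.
Type=forking
# Clean up any stale files in /tmp/.X11-unix
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l $user -c "/usr/bin/vncserver %i"
PIDFile=/home/$user/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit into DIR (normally /etc/systemd/system) after checking that
# USER exists and is not root. Returns 1 for a bad user, 2 for a bad display.
write_vnc_unit() {      # write_vnc_unit USER DISPLAY DIR
    local user=$1 display=$2 dir=$3
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ "$user" != root ] || { echo "refusing to run Xvnc as root" >&2; return 1; }
    case $display in ''|*[!0-9]*) echo "bad display: $display" >&2; return 2;; esac
    vnc_unit_text "$user" "$display" > "$dir/vncserver@:$display.service"
}

# The firewall lines for the viewer port only; the X11 port stays closed.
firewall_cmds() {       # firewall_cmds DISPLAY [BASE]
    local port
    port=$(vnc_port "$1" "${2:-5900}")
    echo "firewall-cmd --permanent --add-port=$port/tcp"
    echo "firewall-cmd --reload"
}

# Usage as root: ./vncunit.sh --run USER DISPLAY   (writes the unit, prints the firewall lines)
if [ "${1:-}" = "--run" ]; then
    write_vnc_unit "$2" "$3" /etc/systemd/system && systemctl daemon-reload
    firewall_cmds "$3"
fi
```

The root check is deliberate: the page's unit runs Xvnc under runuser as an unprivileged account, and a unit generated for root would give every VNC password guess a root desktop.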


Step 5:


Next, set up a password for the VNC user.


Using a standard (non-root) terminal, do as indicated below:


[user@fedora21test ]$ vncpasswd
Password:
Verify:

After this finishes, a new directory (.vnc) will have been created under the user's home directory with a passwd file in it. Note that VNC passwords are at most 8 characters (anything longer is silently truncated) and the file holds a reversibly obfuscated copy of the password rather than a hash, which is why it must stay mode 600 and why you want the VPN or the SSH tunnel from Step 8 in front of it.


Check to make sure it was created...


[user@fedora21test ]$ ls -l /home/user/.vnc/
-rw-------. 1 user user 8 Feb 20 17:55 passwd

Step 6:


Now reload the systemd daemon and start the VNC service.


[user@fedora21test ]$ sudo systemctl daemon-reload
[user@fedora21test ]$ sudo systemctl -f enable vncserver@:10.service
[user@fedora21test ]$ sudo systemctl start vncserver@:10.service

After the service starts successfully, you can verify which ports Xvnc is listening on:


[root@fedora21test ]# lsof -i -P | grep -i "listen" | grep Xvn
Xvnc 8433 vpn 7u IPv4 110262 0t0 TCP *:5910 (LISTEN)

The third column is the account Xvnc runs as (here "vpn"); if it says root, go back to the ExecStart line in Step 3. The "*" means it accepts connections on every interface. If you decide to reach VNC only through the SSH tunnel from Step 8, add -localhost to the vncserver command in ExecStart so it listens on 127.0.0.1 only (do not do this if you connect over the VPN, which uses the LAN address).

Running the systemctl start above will create an xstartup script under the /home/user/.vnc/ directory of the specific user account.


Check to make sure that it was created...


[user@fedora21test ]$ ls -l /home/user/.vnc/
-rw-------. 1 user user 8 Feb 20 17:55 passwd
-rwxr-xr-x. 1 user user 355 Feb 20 17:11 xstartup

Step 7:


IF you need to set the resolution for the VNC desktop, add -geometry WIDTHxHEIGHT (for example -geometry 1280x800) to the end of the vncserver command on the ExecStart line of the unit file. On older, pre-systemd releases this was done in /etc/sysconfig/vncservers; that file is not read by the vncserver@.service template, so edit the unit instead:


[root@fedora21test ]# vim /etc/systemd/system/vncserver@\:10.service

After editing the unit file, you will need to restart the VNC service.


[user@fedora21test ]$ sudo systemctl daemon-reload
[user@fedora21test ]$ sudo systemctl stop vncserver@:10.service
[user@fedora21test ]$ sudo systemctl start vncserver@:10.service

Step 8:


One of the drawbacks of VNC is that its connections and traffic are not encrypted: the password check is a weak challenge-response, and everything after it (keystrokes, screen contents) crosses the network in the clear.


The easiest (and most secure) way to use VNC is to run it after you have established a VPN connection.


If you wish to run all of your VNC traffic through an SSH tunnel instead, you can do so by following the procedures outlined below. The port numbers need to be changed if you chose to change your ports earlier.


To run your VNC client through a secure SSH tunnel, do the following:


For local network connections...


[user@fedora21Client ]$ ssh user@x.x.x.x -L 6999:localhost:5910

Where x.x.x.x is the local-network IP address of the VNC server.


For cross-internet connections...


[user@fedora21Client ]$ ssh user@mydynamic.ddns.net -L 6999:localhost:5910

where mydynamic.ddns.net is the name set up at noip.com that points to your home router's external IP address. If you moved the SSH server off port 22 on the router, add -p with that port.


NOTE: You need to connect to the server via SSH every time before running the VNC client, and keep that SSH session open for as long as you use VNC; the tunnel disappears when it exits.


The above lines essentially say:


Establish an SSH connection and then take all traffic bound for port 6999 on the localhost interface, and forward it through the SSH connection to port 5910 on the server, where "localhost" is evaluated on the server side. Because the VNC traffic enters the tunnel on your own machine and leaves it on the server itself, nothing on the path in between sees the VNC password or the session.


Step 9:


Regardless of whether you have chosen to use the internal IP address or the external one (as shown above) to forward your VNC traffic over SSH, you will always use the same address (indicated below) to connect via the VNC client.


  1. Now connect using a VNC client...

  2. On the address line enter:

  3. localhost:6999

  4. You should now get a password prompt box.

  5. Enter your password and you will get a popup window showing the screen of the server.


Now your VNC connection is running inside of a secure SSH tunnel! WooHoo! :)


Scripts for starting connections to your VPN, SSH, VNC server.


Obviously, you need to edit these scripts with your own particular user name, server name, noip domain name, and IP address.


ExternalSecureVNC:


#!/bin/bash
# To be used prior to using vnc viewer securely across the internet.
ssh user@yourdomain.ddns.net -L 6999:localhost:5910

LocalSecureVNC:


#!/bin/bash
# To be used prior to using vnc viewer securely locally.
# For a direct IP to the server:
ssh user@x.x.x.x -L 6999:localhost:5910
# Or, to use your /etc/hosts entries, comment out the line above and uncomment this one:
#ssh user@servername -L 6999:localhost:5910

StraightSSH:


#!/bin/bash
# Keep exactly one of the following uncommented.
# For a direct local IP to the server:
ssh user@x.x.x.x
# For using your /etc/hosts entries:
#ssh user@servername
# For connecting across the internet:
#ssh user@yourdomain.ddns.net

VPNConnect:


#!/bin/bash
sudo openvpn /etc/openvpn/client.conf

Notes:


Don't forget to chmod 700 * in the directory where all the scripts have been placed, to make them executable.


It is recommended that you create /home/user/bin and put all of your scripts there. That way they will run from any location, since Fedora adds ~/bin to your PATH at login. While using the terminal, just type the name of the script.


As an alternative, you can create links to your scripts and put them either on the desktop (or into a folder on the desktop) for easy access and execution. This can be accomplished by executing the following:


[user@fedora21test ]$ ln -s /home/user/bin/nameofscript /home/user/Desktop/nameofscript

What to do if the VNC Server Service fails to start...


If the server fails to start for any reason, the following procedures should get it going...

First check to see if this file still exists:


[root@fedora21test ]# ls /etc/systemd/system/vncserver@\:10.service

If not, then re-copy and edit the sample file once more and replace <user> with a valid user on your system:


[root@fedora21test ]# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:10.service
[root@fedora21test ]# vim /etc/systemd/system/vncserver@\:10.service

Then carry on with the following commands:


[user@fedora21test ]$ sudo rm -f /home/user/.vnc/*
[user@fedora21test ]$ sudo rm -f /tmp/.X11-unix/*
[user@fedora21test ]$ vncpasswd

Do NOT use root or sudo for vncpasswd, or the passwd file ends up owned by root and unreadable by the account Xvnc runs as. Enter the vncserver password twice. If the service still fails, journalctl -u vncserver@:10.service shows Xvnc's own error and systemctl status vncserver@:10.service shows the exit status.


Display issues can usually be cleared up by editing the vncserver file and making the following change (I have indicated the line numbers below):


[root@fedora21test ]# vim /usr/bin/vncserver

Go to this section and uncomment the line &GetXDisplayDefaults();


113 # Uncomment this line if you want default geometry, depth and pixelformat
114 # to match the current X display:
115 &GetXDisplayDefaults();
:wq!

[user@fedora21test ]$ sudo systemctl daemon-reload
[user@fedora21test ]$ sudo systemctl -f enable vncserver@:10.service
[user@fedora21test ]$ sudo systemctl start vncserver@:10.service

Now go back and check that there is a new xstartup script and passwd file in /home/user/.vnc as well as new entries in /tmp/.X11-unix


[user@fedora21test ]$ ls -a /home/user/.vnc
[user@fedora21test ]$ sudo ls -a /tmp/.X11-unix
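The manual checks in this troubleshooting section (does the unit still exist, does it name the right user, was vncpasswd run as that user, is the passwd file still private) collapse into one preflight script. The one below is an added example written for this page, not code from the original post. It follows the page's paths (/etc/systemd/system/vncserver@:N.service and ~/.vnc under the account's home); the function name and the optional root-prefix argument, which lets the same checks run against a staging tree, are this example's own.

```shell
#!/bin/bash
# Added example: preflight checks for vncserver@:N.service, matching the
# troubleshooting steps on this page. Function name and the optional ROOT
# prefix are this example's, not the page's.
set -u

# vnc_preflight USER DISPLAY [ROOT]
# Prints one line per problem found and returns the number of problems.
vnc_preflight() {
    local user=$1 display=$2 root=${3:-}
    local home unit vncdir problems=0
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$home" ]; then
        echo "user $user does not exist"; return 1
    fi
    unit="$root/etc/systemd/system/vncserver@:$display.service"
    vncdir="$root$home/.vnc"

    # Step 2/3: the per-display unit must exist and must run vncserver as USER.
    if [ ! -f "$unit" ]; then
        echo "missing unit $unit (re-copy the template as in Step 2)"; problems=$((problems + 1))
    elif ! grep -q "runuser -l $user " "$unit"; then
        echo "unit does not run vncserver as $user (check ExecStart)"; problems=$((problems + 1))
    fi

    # Step 5: vncpasswd must have been run as USER, not via sudo. It creates
    # the file 0600; anything looser lets other local users copy the
    # (reversibly obfuscated) password out of it.
    if [ ! -f "$vncdir/passwd" ]; then
        echo "no $vncdir/passwd: run vncpasswd as $user (not root)"; problems=$((problems + 1))
    else
        local mode owner
        mode=$(stat -c %a "$vncdir/passwd"); owner=$(stat -c %U "$vncdir/passwd")
        if [ "$mode" != 600 ]; then
            echo "$vncdir/passwd mode is $mode, expected 600"; problems=$((problems + 1))
        fi
        if [ "$owner" != "$user" ]; then
            echo "$vncdir/passwd owned by $owner, not $user (was vncpasswd run with sudo?)"; problems=$((problems + 1))
        fi
    fi

    # Step 6: xstartup is created by the first successful start, so its
    # absence is informational rather than a failure.
    [ -x "$vncdir/xstartup" ] || echo "note: $vncdir/xstartup missing; the first successful start creates it"
    return "$problems"
}

# Usage: ./vnc_preflight.sh user 10
if [ $# -ge 2 ]; then
    vnc_preflight "$@" && echo "OK: vncserver@:$2.service for $1 looks complete"
fi
```

Run it before systemctl start; a non-zero exit tells you which of the steps above to repeat, without having to read the unit and the directory listing by eye.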

If everything went according to plan, you should now be able to be anywhere on the planet and have a secure communication channel back to your home server via SSH, VPN and VNC. Each one of these services gives you different options to access your server, or to pass through it out on to the Internet, securely. Do your homework on each of these services and stay safe!


What to do if the client just goes away after clicking connect...


[root@fedora21test ]# yum erase tigervnc
[root@fedora21test ]# reboot
[root@fedora21test ]# yum install tigervnc

Double check that your scripts (if you are using them) have the right port entries:


Bring up tigervnc and, if you are using SSH to provide a secure tunnel for your VNC session, ensure that both of your SSH start scripts for VNC have the right ports entered.


Remember that you always have to run either the LocalSecureVNC or ExternalSecureVNC script before attempting to connect with the vncviewer if you want SSH security.


On the address line of the vncviewer, ensure that you are entering localhost:6999 before selecting connect.


If you wish to connect to a VNC server and you have a VPN connection up, ensure that you enter x.x.x.x:portnumber on the address line of the client before selecting connect.


x.x.x.x is the INTERNAL (home network; i.e. 10.19.58.14) IP address of the VNC server: it is the SAME address that you entered on the Virtual Servers page on the router. The portnumber is your chosen port number, if you have changed it from the default, or 5910 if you have not.


The included /etc/openvpn/server.conf has topology subnet as one of the options. If you did not use that config file, then ensure that you have uncommented that entry in the server.conf file you are using. That entry makes it possible to connect through the VPN to the VNC server as if it were on the same subnet as you. If you did have to make that change then you will also have to stop and restart the VPN server.


It is much easier to just bring up a VPN connection and then initiate a VNC connection to the server. I have included the SSH procedures as a way of showing an alternative, should the VPN service be down for any reason.


Additional Tidbits:


Disk space usage with my own setup (output of df -h):


Filesystem               Size  Used  Avail  Use%  Mounted on
devtmpfs                 3.7G     0   3.7G    0%  /dev
tmpfs                    3.7G     0   3.7G    0%  /dev/shm
tmpfs                    3.7G  856k   3.7G    1%  /run
tmpfs                    3.7G     0   3.7G    0%  /sys/fs/cgroup
/dev/mapper/fedora-root   50G  103M    47G    1%  /root
/dev/mapper/fedora-usr    50G  4.3G    43G   10%  /user
/dev/mapper/fedora-home   50G  139M    47G    1%  /home
/dev/mapper/fedora-var    50G  1.5G    46G    4%  /var
/dev/sda2                477M  117M   331M   27%  /boot
/dev/sda1                200M  9.6M   191M    5%  /boot/efi
/dev/mapper/fedora-tmp    20G   45M    19G    1%  /tmp
tmpfs                    744M     0   744M    0%  /run/user/1000

As you can see, my partitioning for this workstation is a bit much for what is actually required...


(Screenshot) My Virtual Server settings page on the router. Note the changed port number for the SSH server.


(Screenshot) The Port Triggers page on my router. Since I will not be using IPv6 I have left out the entry for that on this page.


(Screenshot) Using htop to view server status via an SSH connection over the internet.


Notice that in multi-user.target (runlevel 3) mode, the RAM usage is only 177MB!


(Screenshot) But, even in graphical.target mode (runlevel 5), RAM usage is still only 696MB! In either target, performance is outstanding when connecting externally.


Post Submitted by: RedBrick

This is a user-submitted post and I take no credit for it other than putting it together here at technoused.blogspot.com