Learn about Centmin Mod LEMP Stack today
Become a Member

Installing OpenVPN with "oneclick" script

Discussion in 'Other Web Apps usage' started by Meirami, Jan 12, 2018.

  1. Meirami

    Meirami Member

    97
    9
    8
    Dec 21, 2017
    Ratings:
    +31
    Local Time:
    7:32 PM
    There are a lots of settings which can be changed because of this kind of scripts. But how well centmin fights against bad changes?
    So I decided to use Angristan's OpenVPN installer. There's also Nyr's similar installer. I don't know which is better... :)

    Everything worked almost like a charm. Only few 'not founds':
    Code:
    Complete! ./openvpn-install.sh: line 421:
    /etc/systemd/system/iptables .service: No such file
    or directory ./openvpn-install.sh: line 422:
    systemctl: command not found ./openvpn-install.sh:
    line 423: systemctl: command not found
    ./openvpn-install.sh: line 425: systemctl: command
    not found ./openvpn-install.sh: line 426: systemctl:
    command not found --2018-01-11 07:11:00--
    https://github.com/OpenVPN/easy-rsa
    /releases/download/v3.0.3/EasyRSA-3.0.3.tgz
    Code:
    WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
                            systemctl daemon-reload
                            systemctl enable iptables.service
                            # Disable firewalld to allow iptables to start upon reboot
                            systemctl disable firewalld
                            systemctl mask firewalld
                    fi
    
    Of course OpenVPN worked before csf -r like I expected. Anyway I luckily make it work:
    nano /etc/csf/csf.conf
    allow udp 1191 in and out

    nano /etc/csf/csfpre.sh
    If the file does not exist, you can create it. If it already exists, you should append to it.

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -j SNAT --to-source SER.VER.IPH.ERE
    (with KVM and similar you can propably use iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE instead of the nat line.)
    After booting it still worked. :)
    But because I'm not a coder or anything like it I don't know how secure is my OpenVZ VPS now? I looked thru OpenVPN install script and didn't find anything else "bad" settings like above. There can still be some incompatible code which I didn't notice. Can someone say if my VPS is unsecure or not?

    This is not a tutorial!

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 6 64bit
    • Centmin Mod Version Installed: 123.09beta01 (minimal)
    • Nginx Version Installed:1.13.8
    • PHP Version Installed: stopped
    • MariaDB MySQL Version Installed: stopped
    • When was last time updated Centmin Mod code base ? : few moments ago
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:

      Code:
      NSD_DISABLED=y               # when set to =y, NSD disabled by default with chkconfig off
      NGINX_RTMP=n                 # Nginx RTMP Module support https://github.com/arut/nginx-rtmp-module
      NGINX_FLV=n                  # http://nginx.org/en/docs/http/ngx_http_flv_module.html
      NGINX_MP4=n                  # Nginx MP4 Module http://nginx.org/en/docs/http/ngx_http_mp4_module.html
      NGINX_AUTHREQ=n              # http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
      NGINX_SECURELINK=n           # http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
      NGINX_FANCYINDEX=n           # http://wiki.nginx.org/NgxFancyIndex
      NGINX_VHOSTSTATS=n           # https://github.com/vozlt/nginx-module-vts
      NGINX_PAGESPEED=n            # Install ngx_pagespeed
      NGINX_PASSENGER='n'          # Install Phusion Passenger requires installing addons/passenger.sh before hand
      NGINX_WEBDAV=n               # Nginx WebDAV and nginx-dav-ext-module
      NGINX_UPSTREAMCHECK='n'      # nginx upstream check https://github.com/yaoweibin/nginx_upstream_check_module
      NGINX_OPENRESTY='n'          # Agentzh's openresty Nginx modules
      LUAJIT_GITINSTALL='n'        # opt to install luajit 2.1 from dev branch http://repo.or.cz/w/luajit-2.0.git/shortlog/refs/heads/v2.1
      ORESTY_LUANGINX='n'          # enable or disable or ORESTY_LUA* nginx modules below
      NGINX_STUBSTATUS=y           # http://nginx.org/en/docs/http/ngx_http_stub_status_module.html required for nginx statistics
      NGINX_SUB=n                  # http://nginx.org/en/docs/http/ngx_http_sub_module.html
      NGINX_ADDITION=n             # http://nginx.org/en/docs/http/ngx_http_addition_module.html
      NGINX_IMAGEFILTER=n          # http://nginx.org/en/docs/http/ngx_http_image_filter_module.html
      NGINX_CACHEPURGE=y           # https://github.com/FRiCKLE/ngx_cache_purge/
      NGINX_ACCESSKEY=n            #
      NGINX_HTTPCONCAT=n           # https://github.com/alibaba/nginx-http-concat
      NGINX_THREADS=y              # https://www.nginx.com/blog/thread-pools-boost-performance-9x/
      ORESTY_HEADERSMORE=y         # openresty headers more https://github.com/openresty/headers-more-nginx-module
      LOWMEM_INSTALL='y'
      
    • betainstaller-minimal.sh
     
  2. eva2000

    eva2000 Administrator Staff Member

    36,063
    7,912
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,195
    Local Time:
    2:32 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Centmin Mod is provide as is, so short of scripted related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such VPN configurations/installs.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out :)

    script looks to be made for centos 7 not centos 6 so may have issues so unless you configured your own init.d start up script, rebooting server won't start the openvpn server and you probably don't have openvpn server started right now anyway.

    You may have issues on openvz vps as generally i only use openvpn on kvm vpses. Reason is on openvz vps servers TUN/TAP isn't supported by most web hosts and it is required. Some SolusVM control panel web hosts allow their openvpn servers to have TUN/TAP support but that has to be enabled manually by end user too. Also VPN need TCP tuning to enable IP forwarding but openvz vps don't support tuning TCP via sysctl.conf on guest servers.

    Without TCP tuning and TUN/TAP, openvpn won't work. KVM VPSes do not have such issues.

    To check if VPN works use dns and ip leak test sites which should report your VPN's ip address and dns servers NOT your own ISP ip /dns
     
    • Agree Agree x 1
  3. eva2000

    eva2000 Administrator Staff Member

    36,063
    7,912
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,195
    Local Time:
    2:32 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    OpenVPN isn't to secure your server, it's installed to secure your ISP connection when browsing the internet through encrypted traffic. You install a VPN server and install/setup the VPN client on your desktop, laptop, tablet and mobile device and connect those devices to VPN server to protect your devices not your server.
     
  4. Meirami

    Meirami Member

    97
    9
    8
    Dec 21, 2017
    Ratings:
    +31
    Local Time:
    7:32 PM
    It must be my bad english. :) I didn't mean OpenVPN as a securing thing to my VPS. I'm worried about automatic script which I used to install OpenVPN. Can the script do bad changes to my VPS settings and make my VPS unsecure? Can it mess Centmin mod?

    Hmm... Script should be CentOS 6 (i386, amd64) compatible. According to readme.md at github.
    Yes the VPN connection is working. IP is VPS's IP and DNS is the set up IP. No leaking. OpenVPN Android connects nicely. Netflix have different movies and betting site won't let me in because "wrong country"... :D

    I forgot to mention TUN/TAP is enabled... I'm quite sure that OpenVPN started upon reboot. Have to check it later.

    Hopefully forum posts like these (stupid newbie questions :D ) courages more people to join here. Setting VPS up should be fast and easy like it is with centmin mod. Personal tuning can be done later. :)
     
  5. eva2000

    eva2000 Administrator Staff Member

    36,063
    7,912
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,195
    Local Time:
    2:32 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yes it can alter centmin mod setup configuration i.e. csf firewall vs iptables settings so your mileage will vary
     
  6. Meirami

    Meirami Member

    97
    9
    8
    Dec 21, 2017
    Ratings:
    +31
    Local Time:
    7:32 PM
    Is there a short cut to install and setup csf/iptables again? Or should I delete vps and do everything again?
    Maybe I edit openvpn install script and do manually firewall settings next time...
     
  7. eva2000

    eva2000 Administrator Staff Member

    36,063
    7,912
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,195
    Local Time:
    2:32 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    what i mean is other automated scripts can change stuff and you'd have unknown consequences possibly it isn't always bad but other scripts won't usually be familiar with how centmin mod is setup and configured.

    If you don't have any important data on server, then easiest would be to reinstall CentOS OS and reinstall centmin mod. Especially, seeing as the script mistakenly detected your system as CentOS 7 and tried to do related configuration i.e. systemctl etc when your system was CentOS 6.
     
  8. Meirami

    Meirami Member

    97
    9
    8
    Dec 21, 2017
    Ratings:
    +31
    Local Time:
    7:32 PM
    Forgot to mention IPv6 settings.

    Code:
    1. Enable IPv6 forwarding in /etc/sysctl.conf adding/editingnet.ipv6.conf.all.forwarding=1
    
    2. Run sysctl -p to load changes.
    
    3. Edit server.conf adding:
    
    server-ipv6 2001:1234:5678:9::/64 # your subnet
    push "route-ipv6 2000::/3" # tell client to route IPv6 traffic via the VPN. 
    Copied & pasted from ipv6 support? · Issue #242 · Nyr/openvpn-install · GitHub
     
  9. eva2000

    eva2000 Administrator Staff Member

    36,063
    7,912
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,195
    Local Time:
    2:32 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    probably easy to save future ipv6 hassles and not enable ipv6 anyway :)
     
  10. Meirami

    Meirami Member

    97
    9
    8
    Dec 21, 2017
    Ratings:
    +31
    Local Time:
    7:32 PM
    As far as I know, I need a rooted phone to disable ipv6. I'm not going to root it. (yet)
    While using mobile data, it will leak ipv6 if ovpn is not configured for ipv6.

    Of course better ideas are allways welcome. This is the easiest method (for me). :)
     
    • Informative Informative x 1
  11. eva2000

    eva2000 Administrator Staff Member

    36,063
    7,912
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,195
    Local Time:
    2:32 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    (y)
     
..