Archive for February, 2009

Debian 5 multi-user VNC

I found out a pretty pro way of setting up the equivalent of Windows Remote Desktop for Linux. This allows you to run a multi-user VNC onto a Linux box. I’m using Debian 5 – Lenny – as usual, because I like being able to compress installation procedures into a couple of apt-get commands and a little configuration file editing. Cheers to APT! I had to jot this one down.

I feel much the same way about my desktop/server setups as one of the authors of my source material does.

As a not completely new Linux user I have been frustrated over and over again at all the extra bloat and apps that I will never use that gets loaded onto my system when I do an install. Debian was the second distro that I tried and have used many others since, but I keep coming back. (Azerthoth)

Anyways … install from a minimal Debian install. You can get the new Debian 5 at the usual place. Get your apt-get all how you like it, update and upgrade the initial minimal install.

I like my /etc/apt/sources.list like:

deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free

deb http://security.debian.org/ lenny/updates main
deb-src http://security.debian.org/ lenny/updates main

Replace “lenny” with “etch” if you are still using Debian 4.

Now to the good stuff. A large chunk of the following content has been taken from Azerthoth’s inspiration article, “A minimal setup with X”. So … mad props to him! You will find my comments interspersed.

  1. apt-get install xserver-xorg-core xorg xfs and accept the defaults.
  2. See Azerthoth’s article (#8) for more information about what type of login manager you want to use. I rolled xdm: apt-get install xdm
  3. Again I did not want a large X-Window manager package installed on my machine plus a bunch of dependencies. So I went with Fluxbox: apt-get install fluxbox

 

The next part of the setup was taken from Daniel Rigal’s article on “How to enable XDM and VNC for Linux and Solaris”. If you want background information on the process see the article for yourself.

  1. vi /etc/X11/xdm/xdm-config and comment out the last line “DisplayManager.requestPort: 0” by adding an “!” on the front.
  2. vi /etc/X11/xdm/Xaccess and uncomment the line “#* #any host can get a login window” by removing the first “#”.
  3. vi /etc/X11/fs/config and comment out the last line “no-listen = tcp” by putting a “#” in front. Now restart the font server: /etc/init.d/xfs restart.

 

If you have followed my instructions so far, now it is time to install a VNC server and some dependencies, fonts, and xterm (the X-Window terminal emulator). I will be going with TightVNC.

  1. apt-get install xutils xbase-clients xfonts-base xfonts-75dpi xfonts-100dpi xterm tightvncserver
  2. vi /etc/X11/xdm/Xservers, comment out all other lines, and add “:0 /usr/bin/Xtightvnc /usr/bin/Xtightvnc -depth 24 -geometry 1280x1024”. Modify the 1280x1024 if you want a smaller or larger screen resolution. I think 1280x1024 is about the max resolution you can use comfortably over a broadband connection without experiencing too much network lag. In my LAN it responds just like I am at a physical KVM.

 

A few final things.

  1. Restart the font server, “/etc/init.d/xfs restart”, and the xdm server: “/etc/init.d/xdm restart”. If your iptables are configured correctly you should now be able to connect via tightvnc to your Linux box.
  2. Quoting Daniel Rigal:

    None of these three protocols is secure! You should not allow access to them through your firewall. If you want to deploy VNC over the internet you should tunnel it over SSH or some sort of VPN. Doing this is not covered in this document which assumes you are setting this up for use within your LAN or over a private dial-up service.

  3. Enjoy!
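
The edits above switch on three unencrypted listeners (XDMCP, the font server and VNC). As an added example, not taken from this post or from either source article, the script below reads the four edited files and reports what each one exposes, so you know what the firewall has to keep inside the LAN. The function names and the optional root-prefix argument are assumptions made for the example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list the network listeners switched on by the edits above.
# ROOT is a hypothetical prefix so the check can also run on a copy of /etc.

audit_x_exposure() {
    root=${1:-}
    f="$root/etc/X11/xdm/xdm-config"
    # XDMCP stays off only while an uncommented "requestPort: 0" is present.
    if [ -f "$f" ] && ! grep -Eq '^[[:space:]]*DisplayManager\.requestPort:[[:space:]]*0' "$f"; then
        echo "XDMCP udp/177: xdm answers XDMCP requests"
    fi
    f="$root/etc/X11/xdm/Xaccess"
    # A bare "*" entry lets any host ask for a login window.
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*\*[[:space:]]*(#.*)?$' "$f"; then
        echo "XDMCP udp/177: Xaccess allows any host"
    fi
    f="$root/etc/X11/fs/config"
    # xfs accepts TCP connections unless "no-listen = tcp" is active.
    if [ -f "$f" ] && ! grep -Eq '^[[:space:]]*no-listen[[:space:]]*=[[:space:]]*tcp' "$f"; then
        echo "xfs tcp/7100: font server accepts TCP connections"
    fi
    f="$root/etc/X11/xdm/Xservers"
    # Xtightvnc on display :N listens on tcp/(5900+N) on every interface
    # unless it is started with -localhost.
    if [ -f "$f" ]; then
        awk '$1 ~ /^:[0-9]+$/ && /Xtightvnc/ && !/-localhost/ {
            print "VNC tcp/" (5900 + substr($1, 2)) ": Xtightvnc reachable from the network"
        }' "$f"
    fi
}

# Constructed sample: the four files as they look after the steps in this post.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/X11/xdm" "$d/etc/X11/fs" || return 1
    echo '!DisplayManager.requestPort: 0' > "$d/etc/X11/xdm/xdm-config"
    echo '* #any host can get a login window' > "$d/etc/X11/xdm/Xaccess"
    echo '#no-listen = tcp' > "$d/etc/X11/fs/config"
    echo ':0 /usr/bin/Xtightvnc /usr/bin/Xtightvnc -depth 24 -geometry 1280x1024' \
        > "$d/etc/X11/xdm/Xservers"
    echo "$d"
}

sample=$(make_sample)
audit_x_exposure "$sample"
rm -rf "$sample"
```

Run with no argument on the real machine to read the files under /etc; every line it prints is a port that should be dropped at the firewall for anything outside the LAN.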

 


OpenVPN on Debian linux

It is rather problematic accessing resources on my home development cluster when I am in other locations. After witnessing the functionality of my Dad’s work VPN, I figured why not have a whack at a VPN setup. SSH tunneling just does not cut it in some cases. In this walkthrough, I will be installing OpenVPN on a minimal Debian Linux 4.0 installation on a 1.5GHz/1GB RAM/12GB hard drive host node. I tried doing this on an OpenVZ virtual node, and it did not work too well dealing with all of the low-level (virtual) hardware calls, Linux kernel dependencies, and creating a bridged interface within a bridged interface. Use a physical server!

System Requirements

  1. A computer that meets the following minimum system requirements: 300MHz, 128MB RAM, 2GB HDD
  2. Some sort of Linux installation on said computer. I’ll be using Debian Linux so those of you using Ubuntu, Slackware, Mandrake or any other distro with apt-get luckily won’t have to compile from source (too often).
  3. Root terminal access to the computer (via ssh or KVM)
  4. Knowledge of IPv4 routing in your Local Area Network
  5. YOU NEED bridge-utils (apt-get install bridge-utils)! Try and get any of this going without this package and your ifconfig setup will implode! It happened to me both times I tried this because I FORGOT!!!

Downloading and Installing OpenVPN

  1. Use your built-in repository application. In my case “apt-get install openvpn openssl” and I was good to go. For some reason, even though openssl is required for setting up a secured VPN connection, it wasn’t auto-included. For more information on downloading and installing on RHEL based systems (CentOS, OpenSUSE, Red Hat, Fedora) see the OpenVPN howto.
  2. Then determine whether you want to use routed or bridged mode: http://openvpn.net/index.php/documentation/howto.html#vpntype
  3. Now copy the contents of “/usr/share/doc/openvpn/examples/easy-rsa/” to some place more accessible, which also keeps the original as a backup copy. I moved it to “/etc/openvpn/”.

The setup on the server (needs openssl installed first)

  1. Get into the new copy of your “easy-rsa” directory and run the following commands to get your server’s Certificate Authority ready.

    . ./vars
    ./clean-all
    ./build-ca

    According to the documentation on openvpn.net:

    The only parameter which must be explicitly entered is the Common Name. [...] I used “OpenVPN-CA”.

  2. Now build the server key: ./build-key-server server. According to the documentation:

    When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

    Enter “y” for both to continue.

  3. Build the various client keys and certificates: ./build-key clientn, where “n” is an integer.

    Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.

  4. Now execute “./build-dh” to build the necessary Diffie-Hellman parameters.
  5. To add a further level of security with an HMAC signature, generate a key for tls-auth by running “openvpn --genkey --secret ta.key” while in your new “easy-rsa/keys” directory. See the section in the documentation on Hardening OpenVPN Security.
  6. Finally, copy the generated keys and certificates to the hosts that will be using the virtual private network. See the table below, obtained from: http://openvpn.net/index.php/documentation/howto.html#pki.

    Filename      Needed By                  Purpose                    Secret
    ca.crt        server + all clients       Root CA certificate        NO
    ca.key        key signing machine only   Root CA key                YES
    dh{n}.pem     server only                Diffie Hellman parameters  NO
    server.crt    server only                Server Certificate         NO
    server.key    server only                Server Key                 YES
    client1.crt   client1 only               Client1 Certificate        NO
    client1.key   client1 only               Client1 Key                YES
    client2.crt   client2 only               Client2 Certificate        NO
    client2.key   client2 only               Client2 Key                YES
    client3.crt   client3 only               Client3 Certificate        NO
    client3.key   client3 only               Client3 Key                YES
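
Copying the whole “keys” directory to every host is the easy mistake at this step. As an added example, not from the OpenVPN documentation or the original post, this script audits the directory a host loads its keys from against the table: it flags files that belong elsewhere, private keys readable by group or others, and missing files. The function names are assumptions, the sample directory is constructed, and ta.key (from step 5, not in the table) is assumed to be shared by the server and all clients.

```shell
#!/bin/sh
# Added example: audit one VPN host's key directory against the table above.
# role is "server" or a client name such as "client1" (naming as in the post).

audit_vpn_keys() {
    role=$1 dir=$2 rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            ca.key)                       # signing machine only, per the table
                echo "REMOVE $name: CA private key does not belong on a VPN host"
                rc=1; continue ;;
            ca.crt) ;;                    # server + all clients
            ta.key) ;;                    # step 5 key; assumed shared by server and clients
            dh*.pem)
                [ "$role" = server ] || { echo "REMOVE $name: server only"; rc=1; } ;;
            "$role".crt|"$role".key) ;;   # this host's own pair
            *.crt|*.key)
                echo "REMOVE $name: belongs to another host"; rc=1; continue ;;
            *) continue ;;
        esac
        # Files marked Secret (*.key) must not be readable by group or others.
        case $name in *.key)
            case $(ls -ld "$f") in
                ????------*) ;;
                *) echo "CHMOD 600 $name: private key readable beyond its owner"; rc=1 ;;
            esac ;;
        esac
    done
    for need in ca.crt "$role.crt" "$role.key"; do
        [ -f "$dir/$need" ] || { echo "MISSING $need"; rc=1; }
    done
    return $rc
}

# Constructed sample: a client1 directory containing three mistakes.
make_vpn_sample() {
    d=$(mktemp -d) || return 1
    for n in ca.crt ca.key client1.crt client1.key client2.key ta.key; do
        echo "placeholder, not real key material" > "$d/$n"
    done
    chmod 600 "$d"/*.key && chmod 644 "$d/client1.key"
    echo "$d"
}

sample=$(make_vpn_sample)
audit_vpn_keys client1 "$sample" || echo "fix the findings listed above"
rm -rf "$sample"
```

Point it at the directory OpenVPN reads on each host, not at the easy-rsa working directory on the signing machine, where ca.key legitimately lives.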

Configuration Files and the Rest

From here on out the rest of the documentation (on setting up configuration files and running OpenVPN) is pretty self-explanatory. I don’t really want to take the time and re-create the end of the tutorial.

when windows wipes teh MBR

I installed Windows XP Home on some leftover space on one of my CentOS OpenVZ machines that I use for development purposes. It is nice to have a ready-to-go system for when friends come over and we get to hankering for some LAN gaming. So I install my Windows to the leftover space and of course it wipes the Master Boot Record. Bah! So I get out my CentOS install disk and type in “linux rescue” at the install prompt. From there I was kind of lost, so I searched around and found a short guide to restoring the GRUB boot loader. After that everything was smiles.

My process:

  1. Get a linux install disk and type “linux rescue” at the install prompt
  2. The rescue process should mount any of the found linux systems. (It did in my case.) The rescue process mounted my linux installation to “/mnt/sysimage”. I then chrooted into my system: “chroot /mnt/sysimage”.
  3. My main hard drive in said machine is named “hda”, so I reinstalled GRUB to /dev/hda with the command: “grub-install /dev/hda”. My original GRUB configuration was restored successfully.
  4. I then added the boot entry for the new Windows XP Home installation. I had installed it to the 3rd partition on the main hard drive so I added the following entry to my GRUB menu.lst file (/boot/grub/menu.lst).

    title Windows XP Home
    root (hd0,2)
    savedefault
    makeactive
    chainloader +1

    (hd0,2) = (the first hard drive, 3rd partition). Thus, (hd0,0) would be the first hard drive and first partition.

  5. Just remember to exit the chroot’ed shell before you reboot. Otherwise everything we just did goes to pot.

And everything was working spiffy after that.
