Archive for the ‘Server’ Category

Debian 5 multi-user VNC

I found out a pretty pro way of setting up the equivalent of Windows Remote Desktop for Linux. This allows you to run a multi-user VNC onto a Linux box. I’m using Debian 5 – Lenny – as usual, because I like being able to compress installation procedures into a couple of apt-get commands and a little configuration file editing. Cheers to APT! I had to jot this one down.

I feel much the same way about my desktop/server setups as one of the authors of my source material does.

As a not completely new Linux user I have been frustrated over and over again at all the extra bloat and apps that I will never use that gets loaded onto my system when I do an install. Debian was the second distro that I tried and have used many others since, but I keep coming back. (Azerthoth)

Anyways … install from a minimal Debian install. You can get the new Debian 5 at the usual place. Get your apt-get all how you like it, update and upgrade the initial minimal install.

I like my /etc/apt/sources.list like:

deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free

deb http://security.debian.org/ lenny/updates main
deb-src http://security.debian.org/ lenny/updates main

Replace “lenny” with “etch” if you are still using Debian 4.

Now to the good stuff. A large chunk of the following content has been taken from Azerthoth’s inspiration article, “A minimal setup with X”. So … mad props to him! You will find my comments interspersed.

  1. apt-get install xserver-xorg-core xorg xfs and accept the defaults.
  2. See Azerthoth’s article (#8) for more information about what type of login manager you want to use. I rolled xdm: apt-get install xdm
  3. Again I did not want a large X-Window manager package installed on my machine plus a bunch of dependencies. So I went with Fluxbox: apt-get install fluxbox

 

The next part of the setup was taken from Daniel Rigal’s article on “How to enable XDM and VNC for Linux and Solaris”. If you want background information on the process see the article for yourself.

  1. vi /etc/X11/xdm/xdm-config and comment out the last line “DisplayManager.requestPort: 0” by adding an “!” on the front.
  2. vi /etc/X11/xdm/Xaccess and uncomment the line “#* #any host can get a login window” by removing the first “#”.
  3. vi /etc/X11/fs/config and comment out the last line “no-listen = tcp” by putting a “#” in front. Now restart the font server: /etc/init.d/xfs restart.

 

If you have followed my instructions so far, now it is time to install a VNC server and some dependencies, fonts, and xterm (the X-Window terminal emulator). I will be going with TightVNC.

  1. apt-get install xutils xbase-clients xfonts-base xfonts-75dpi xfonts-100dpi xterm tightvncserver
  2. vi /etc/X11/xdm/Xservers, comment out all other lines, and add “:0 /usr/bin/Xtightvnc /usr/bin/Xtightvnc -depth 24 -geometry 1280x1024”. Modify the 1280x1024 if you want a smaller or larger screen resolution. I think 1280x1024 is about the max resolution you can use comfortably over a broadband connection without experiencing too much network lag. In my LAN it responds just like I am at a physical KVM.

 

A few final things.

  1. Restart the font server, “/etc/init.d/xfs restart”, and the xdm server: “/etc/init.d/xdm restart”. If your iptables are configured correctly you should now be able to connect via tightvnc to your Linux box.
  2. Quoting Daniel Rigal:

    None of these three protocols is secure! You should not allow access to them through your firewall. If you want to deploy VNC over the internet you should tunnel it over SSH or some sort of VPN. Doing this is not covered in this document which assumes you are setting this up for use within your LAN or over a private dial-up service.

  3. Enjoy!
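
An added check, not part of the original post or of Daniel Rigal’s article: the steps above open XDMCP (UDP 177), the xfs font server (TCP 7100) and VNC (TCP 5900 plus the display number), so this function reads `netstat -tuln` output and reports any of them bound to a non-loopback address. The function names, the sample listing and the use of the default port numbers are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report XDMCP, xfs and VNC listeners reachable from other hosts.
# Reads `netstat -tuln` output on stdin; exits 1 if any exposed listener is found.
audit_listeners() {
    awk '
    $1 !~ /^(tcp|udp)/ { next }                  # skip netstat header lines
    {
        proto = substr($1, 1, 3)                 # tcp6/udp6 -> tcp/udp
        n = split($4, part, ":")                 # $4 is "Local Address" host:port
        port = part[n] + 0
        host = substr($4, 1, length($4) - length(part[n]) - 1)
        if (host ~ /^127\./ || host == "::1") next   # loopback only: not exposed
        svc = ""
        if (proto == "udp" && port == 177) svc = "XDMCP"
        else if (proto == "tcp" && port == 7100) svc = "xfs"
        else if (proto == "tcp" && port >= 5900 && port <= 5999)
            svc = "VNC display :" (port - 5900)
        if (svc != "") {
            print "EXPOSED " svc " " proto "/" port " on " host
            bad++
        }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample of `netstat -tuln` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7100            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:177             0.0.0.0:*
EOF
}

sample_netstat | audit_listeners || true
```

On the server itself, run `netstat -tuln | audit_listeners`; every line it prints is a listener that the firewall has to keep off untrusted networks.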

 


OpenVPN on Debian linux

It is rather problematic accessing resources on my home development cluster when I am in other locations. After witnessing the functionality of my Dad’s work VPN, I figured why not have a whack at a VPN setup. SSH tunneling just does not cut it in some cases. In this walkthrough, I will be installing OpenVPN on a minimal Debian Linux 4.0 installation on a 1.5GHZ/1GB RAM/12 GB hard drive host node. I tried doing this on an OpenVZ virtual node, and it did not work too well dealing with all of the low-level (virtual) hardware calls, Linux kernel dependencies, and creating a bridged interface within a bridged interface. Use a physical server!

System Requirements

  1. A computer that meets the following minimum system requirements: 300MHZ, 128MB RAM, 2GB HDD
  2. Some sort of Linux installation on said computer. I’ll be using Debian Linux so those of you using Ubuntu, Slackware, Mandrake or any other distro with apt-get luckily won’t have to compile from source (too often).
  3. Root terminal access to the computer (via ssh or KVM)
  4. Knowledge of IPv4 routing in your Local Area Network
  5. YOU NEED bridge-utils (apt-get install bridge-utils)! Try and get any of this going without this package and your ifconfig setup will implode! It happened to me both times I tried this because I FORGOT!!!

Downloading and Installing OpenVPN

  1. Use your built-in repository application. In my case “apt-get install openvpn openssl” and I was good to go. For some reason, even though openssl is required for setting up a secured VPN connection, it wasn’t auto-included. For more information on downloading and installing on RHEL based systems (CentOS, OpenSUSE, Red Hat, Fedora) see the OpenVPN howto.
  2. Then determine whether you want to use routed or bridged mode: http://openvpn.net/index.php/documentation/howto.html#vpntype
  3. Now copy the contents of “/usr/share/doc/openvpn/examples/easy-rsa/” to some place more accessible, which also keeps the original as a backup copy. I moved it to “/etc/openvpn/”.

The setup on the server (needs openssl installed first)

  1. Get into the new copy of your “easy-rsa” directory and run the following commands to get your server’s Certificate Authority ready.

    . ./vars
    ./clean-all
    ./build-ca

    According to the documentation on openvpn.net:

    The only parameter which must be explicitly entered is the Common Name. [...] I used “OpenVPN-CA”.

  2. Now build the server key: ./build-key-server server. According to the documentation:

    When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

    Enter “y” for both to continue.

  3. Build the various client keys and certificates: ./build-key clientn, where “n” is an integer.

    Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.

  4. Now execute “./build-dh” to build the necessary Diffie-Hellman parameters.
  5. To add a further level of security with an HMAC signature, generate a key for tls-auth by running “openvpn --genkey --secret ta.key” while in your new “easy-rsa/keys” directory. See the section in the documentation on Hardening OpenVPN Security.
  6. Finally, copy the generated keys and certificates to the hosts that will be using the virtual private network. See the table below, obtained from: http://openvpn.net/index.php/documentation/howto.html#pki.

    Filename    | Needed By                | Purpose                   | Secret
    ca.crt      | server + all clients     | Root CA certificate       | NO
    ca.key      | key signing machine only | Root CA key               | YES
    dh{n}.pem   | server only              | Diffie Hellman parameters | NO
    server.crt  | server only              | Server Certificate        | NO
    server.key  | server only              | Server Key                | YES
    client1.crt | client1 only             | Client1 Certificate       | NO
    client1.key | client1 only             | Client1 Key               | YES
    client2.crt | client2 only             | Client2 Certificate       | NO
    client2.key | client2 only             | Client2 Key               | YES
    client3.crt | client3 only             | Client3 Certificate       | NO
    client3.key | client3 only             | Client3 Key               | YES
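
An added check, not from the original post or the OpenVPN HOWTO: it applies the table above to a key directory, reporting files that the table says do not belong on the host and `.key` files whose mode is not owner-only. The function names, the role argument and the sample directory are assumptions for the example; `ta.key` is treated as shared by the server and all clients.

```shell
#!/bin/sh
# Added example: check a key directory against the distribution table above.
# audit_keydir DIR ROLE   (ROLE is "server" or a client name such as "client1")
# Prints one finding per line and returns 1 if there is any finding.
audit_keydir() {
    dir=$1 role=$2 rc=0
    for f in "$dir"/*.key "$dir"/*.crt; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $name in
            ca.crt|ta.key) ;;                     # needed by the server and every client
            "$role".crt|"$role".key) ;;           # this host's own certificate and key
            ca.key) echo "MISPLACED $name: belongs on the key signing machine only"; rc=1 ;;
            *) echo "MISPLACED $name: not needed by $role"; rc=1 ;;
        esac
        case $name in
            *.key)  # secret material: owner-only, exactly mode 0600 or 0400
                if [ -n "$(find "$f" ! -perm 600 ! -perm 400)" ]; then
                    echo "LOOSE $name: mode is not 0600 or 0400"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample: empty files standing in for easy-rsa output on a VPN server.
make_sample_keydir() {
    d=$(mktemp -d) || return 1
    for n in ca.crt ca.key server.crt server.key client1.key ta.key; do
        : > "$d/$n"; chmod 600 "$d/$n"
    done
    chmod 644 "$d/server.key"                     # deliberately too permissive
    echo "$d"
}

keydir=$(make_sample_keydir)
audit_keydir "$keydir" server || true
rm -rf "$keydir"
```

On the sample directory it reports ca.key and client1.key as misplaced and server.key as too permissive.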

Configuration Files and the Rest
From here on out the rest of the documentation (on setting up configuration files and running OpenVPN) is pretty self explanatory. I don’t really want to take the time and re-create the end of the tutorial.

TightVNC on Debian linux

Introduction
I have been wanting to run a Halo Custom Edition dedicated server on one of my OpenVZ nodes for quite some time, so this afternoon I finally started on a fun little bit of research. Running Halo (full featured edition or dedicated server) on Linux requires Wine, which if run headless over a network requires VNC. Virtual Network Computing (VNC) is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer [wikipedia]. Unfortunately, as I found out later, the Halo dedicated servers require some OpenGL stuffs (specifically an extension by the name of “GLX”). In an upcoming post I guess I’ll try again and get an install that will be able to run the Halo client/dedicated server on Linux. Ah well, in any case I’ve now got an X-Window system set up. Now all that I will have to do is install KDE or Gnome. Although maybe next time I’ll go with xorg-server instead; from what I have read it has a much easier setup procedure and integrates various OpenGL drivers.

The following assumes that:

  1. you have a functioning Debian or Ubuntu – like system
  2. you are logged in as root or are capable of running “sudo” commands. Add in “sudo” where necessary, typically on the apt-get commands.

 
 
Installation
Now that the basics are out of the way, it is time to install some dependencies for vnc.
apt-get install xutils xbase-clients xfonts-base xfonts-75dpi xfonts-100dpi xterm

What just happened: X11, required X11 fonts, and the X-Window terminal emulator just got installed. All that is left to do is install your vnc server of choice (I personally prefer TightVNC): apt-get install tightvncserver

Cool so everything should be ready to start-up properly. So start tightvncserver for the first time: tightvncserver :1 -geometry 1024x768 -depth 16. If all goes according to plan it should ask you to enter a password, this will be your login password via vnc for the account you are currently logged in through (root). You can always modify the screen resolution and depth commands to match whatever resolution and pixel depth you please. Login via a vnc client (I suggest TightVNC viewer), to check if you can login, then close the session and kill the vnc server: tightvncserver -kill :1. We have some customizations to do yet.

If you execute “cat .vnc/xstartup” in your terminal session, you should probably get something like the following outputted to your terminal session.

#!/bin/sh

xrdb $HOME/.Xresources
xsetroot -solid grey
x-terminal-emulator -geometry 160x50+10+10 -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &

This is the current start up script for your vnc server. Be sure to have the line starting with “x-terminal-emulator” in your start up script, because we will be needing terminal access via vnc to mess around with the Halo dedicated server. If you want to have your terminal window larger, modify that line accordingly (160x50+10+10 is plenty for me).

Now start the (tight)vncserver again and get into your cool graphical terminal session screen. For more information on VNC commands check out this article about vnc servers on the TWiki.

Conclusion
This setup is a great starting point. VNC and X-Window sessions are ready to go, and even will auto-restart after a power cycle. Unfortunately, my goal of having a Halo dedicated server running on this setup did not come to fruition. It requires some other dependencies and/or a completely different X-Window setup.
