Archive for the ‘Linux’ category

Resize EBS volume on EC2

March 16th, 2012

This post goes through the steps required to resize an EBS volume that is attached to an EC2 instance on Amazon Web Services, using the AWS console.

  • First stop the instance. Make sure you stop it, not terminate it. The warning about ephemeral storage refers to instance-store data, which is lost on every stop; it does not affect the EBS volume.
  • Note the device name the volume is attached as. Mine is /dev/sda1.
  • Detach the volume from the instance by clicking Detach Volume in the EBS section.
  • Create a snapshot of the volume. Depending on its size this can take an hour or more. To see progress, refresh with the AWS console's own refresh button, not your browser's.
  • Create a new volume from the snapshot, specifying the larger size you now require. It must be in the same Availability Zone as the instance, otherwise it cannot be attached.
  • Attach the new larger volume to the instance as /dev/sda1.
  • Start the instance.
  • Re-associate the Elastic IP, as the association is dropped when the instance is stopped.
  • SSH to the instance and run
    df -h
    to find the root device. Mine in this case is /dev/xvda1, so I then run
    sudo resize2fs /dev/xvda1
    to grow the filesystem to fill the larger volume (ext2/3/4 can be grown while mounted). This works directly here because on this AMI the filesystem sits on /dev/xvda1 with no partition table. If instead the root filesystem is on a partition of a larger disk (lsblk lists it under its parent device), the partition has to be grown first, for example with growpart from cloud-utils, before resize2fs; an XFS root is grown with xfs_growfs instead.
  • Delete the old volume, but keep the snapshot as a backup.
  • Test that everything has worked as planned.
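Added example, not from the original post: a small POSIX shell helper for the on-instance step, which works out what has to run once the larger volume is attached. It assumes the Xen-style device names the post shows (or NVMe names on newer instance types), an lsblk that supports the PKNAME column, growpart from the cloud-utils package when the root filesystem sits on a partition, and an ext2/3/4 or XFS root filesystem. The lsblk listings embedded in the script are constructed to mirror the post's layout and the partitioned layouts it does not cover.

```shell
#!/bin/sh
# Added example (not from the original post). Works out the resize commands
# for the root filesystem after the EBS volume has been grown.
#
# Assumptions: lsblk supports the PKNAME column, growpart from cloud-utils is
# installed when a partition has to be grown, and the root filesystem is
# ext2/3/4 (resize2fs) or XFS (xfs_growfs).

# Constructed lsblk output, in the form 'lsblk -rno NAME,TYPE,FSTYPE,PKNAME' prints.
# Layout 1: filesystem directly on the device, as in the post (no partition table).
SAMPLE_WHOLE_DISK='xvda1 disk ext4'
# Layout 2: filesystem on partition 1 of a partitioned disk.
SAMPLE_PARTITIONED='xvda disk
xvda1 part ext4 xvda'
# Layout 3: NVMe naming with an XFS root.
SAMPLE_NVME_XFS='nvme0n1 disk
nvme0n1p1 part xfs nvme0n1'

# plan_resize ROOT_DEVICE LSBLK_OUTPUT
# Prints the commands to run, one per line, in order. Exit status 1 if the
# device is not in the listing or the filesystem type is unsupported.
plan_resize() {
    printf '%s\n' "$2" | awk -F'[ ]' -v d="${1#/dev/}" '
        $1 == d {
            found = 1
            if ($2 == "part") {
                # Partition: grow it first. Partition number = name minus the
                # parent name (and the "p" separator used by nvme names).
                n = $1
                sub("^" $4 "p?", "", n)
                print "growpart /dev/" $4 " " n
            }
            if ($3 == "xfs")
                print "xfs_growfs /"
            else if ($3 ~ /^ext[234]$/)
                print "resize2fs /dev/" d
            else {
                print "unsupported filesystem: " $3 > "/dev/stderr"
                bad = 1
            }
            exit
        }
        END {
            if (!found) { print "device " d " not in lsblk output" > "/dev/stderr"; exit 1 }
            if (bad) exit 1
        }'
}

# apply_resize: run the plan against the live system (each step via sudo).
# Not called at the top level so the file can be sourced and tested offline.
apply_resize() {
    root=$(df / | awk 'NR == 2 { print $1 }')
    plan_resize "$root" "$(lsblk -rno NAME,TYPE,FSTYPE,PKNAME)" | while read -r cmd; do
        echo "+ $cmd"
        sudo sh -c "$cmd"
    done
}
```

Source the file on the instance and call apply_resize, or run plan_resize by hand first to see what it would do; the plan is printed before anything touches the disk, and it refuses to guess for filesystems it does not know.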

You have now increased the size of the EBS volume attached to your EC2 instance on AWS. Feel free to comment.

Setting up OpenVPN on Ubuntu

December 17th, 2009

So here is the dilemma. I use a Mac and our whole office is Windows based.

I have a VPN connection set up between home and the office via the routers and the Watchguard Firebox firewall.

All is well until I go away from home. There is no client for the Watchguard Firebox firewall that will work on the Mac.

What I need is a way to connect to my home network from my Mac when I am away, which will then in turn let me connect to my office.

There are probably many solutions out there, so I am not saying this is the right or only solution to my dilemma.

Setting up the server

My Server is running Ubuntu 9.04 in desktop mode with a fixed IP address of 192.168.1.9.

Install openvpn

sudo apt-get install openvpn

Comment out every line in /etc/default/openvpn with # and add:

AUTOSTART="openvpn"

This line tells the init script which configuration to start by default. Configuration files live in /etc/openvpn and use the .conf extension, so the setting above points to /etc/openvpn/openvpn.conf, a file that does not exist yet; we will create it later.

The following commands start, stop and restart OpenVPN (run them as root or with sudo):

Start OpenVPN:
/etc/init.d/openvpn start

Stop OpenVPN:
/etc/init.d/openvpn stop

Restart OpenVPN:
/etc/init.d/openvpn restart

Every time you change settings in /etc/openvpn/openvpn.conf you will need to restart OpenVPN.

Keys and certificates

Now we need to create the certificates and keys. We'll do all of this on the server as root:

sudo su

and enter your password to get a root shell.

cd /etc/openvpn/

Copy the easy-rsa directory into /etc/openvpn:

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .

Remember we're still inside /etc/openvpn. Now edit the file vars with your favourite editor (replace nano with yours):

nano easy-rsa/2.0/vars

modify the lines below to suit yourself. KEY_COUNTRY has to be a two-letter ISO 3166 code, which for the United Kingdom is GB rather than UK. The same file sets export KEY_SIZE=1024; raising it to 2048 gives 2048-bit RSA keys and Diffie-Hellman parameters (1024-bit is considered too weak today), in which case build-dh writes dh2048.pem and the dh line in the server configuration further down must name that file instead of dh1024.pem:

export KEY_COUNTRY="UK"
export KEY_PROVINCE="SU"
export KEY_CITY="Birmingham"
export KEY_ORG="home"
export KEY_EMAIL="jon@example.com"

Save and quit.

Now run:

cd easy-rsa/2.0/
. ./vars

Important: that's a period, a space and another period followed by /vars. It sources the file into the current shell so the exported KEY_* variables are visible to the scripts that follow; leaving out the first period is a common mistake.

Now initialise the keys directory. This deletes anything already in it, so run it only for a fresh setup:

./clean-all

The next command creates your certificate authority (CA) using the parameters you just set; the only thing you need to type is a Common Name, I used OpenVPN-CA. For this step you'll need OpenSSL; if it is not on your server, install it with:

sudo apt-get install openssl

Ok, now we’re ready:

./build-ca

Now let’s create the keys, first the server:

./build-key-server server

This is important: when build-key-server asks for the Common Name, enter server, the same parameter you gave the command.

Answer yes to both questions: Sign the certificate? [y/n] and 1 out of 1 certificate requests certified, commit? [y/n].

Now the key for the client:

./build-key client1

Use client1 as the Common Name, the same parameter you gave build-key.
Repeat this step for each additional client, replacing the parameter with client2, client3, etc. Give every device its own certificate: a certificate shared between devices cannot be revoked for one of them without cutting off the others.
Now create the Diffie-Hellman parameters (this takes a while):

./build-dh

There you are! You should now have a directory with your certificates and keys: /etc/openvpn/easy-rsa/2.0/keys. To configure your first client, copy these files from the server to the client:

ca.crt
client1.crt
client1.key

Ideally you should use a secure channel; I use scp with RSA authentication. Only the client's own certificate and key plus ca.crt go to the client. server.key and ca.key stay on the server, and ca.key deserves the most care: whoever holds it can issue a certificate the server will accept for any client.

Openvpn.conf for the server:

# Routed (layer 3) tunnel; 'dev tap' would bridge layer 2 instead
dev tun
# TCP chosen here to get through the office firewall; UDP is the usual choice and performs better
proto tcp
port 1194
# CA certificate, server certificate and server key from easy-rsa (ca.key is never referenced here)
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
# Diffie-Hellman parameters from ./build-dh (dh2048.pem if KEY_SIZE=2048 was set in vars)
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Drop root privileges once the tunnel is up
user nobody
group nogroup
# VPN subnet: the server takes 10.8.77.1 and hands out the rest to clients
server 10.8.77.0 255.255.255.0
# Needed for restarts to work after privileges have been dropped
persist-key
persist-tun
#status openvpn-status.log
#verb 3
# Let clients talk to each other; drop this if clients only need the server and the LAN
client-to-client

Save this as /etc/openvpn/openvpn.conf, the name AUTOSTART refers to.

Now start openvpn by

/etc/init.d/openvpn start

Setting up the router

Just make sure that port 1194, TCP in my case, is forwarded by the router to the server at 192.168.1.9.

Setting up tunnelblick

Download the dmg from http://code.google.com/p/tunnelblick/

Install as usual by dragging the icon to the applications folder.

When you run it for the first time it adds a black tunnel icon to the menu bar near the Spotlight icon.

You will also need to enter your admin password, as the client needs root access to create the tun interface.

When clicking the tunnel you are presented with options. The defaults are fine.

Click on the details and you will see the OpenVPN log output.

Click Edit configuration.

Openvpn.conf client content:

dev tun
client
# Must match the server: tun and tcp
proto tcp
# Public address of the home router and the forwarded port
remote 81.174.97.97 1194
# Keep retrying if the network is down rather than giving up
resolv-retry infinite
# No fixed local port is needed on the client
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# Paths are relative to the directory holding this file
ca ca.crt
cert client1.crt
key client1.key
# comp-lzo is deliberately omitted: compression must be enabled on both ends or neither,
# and the server configuration above does not enable it
# Set log file verbosity.
verb 3

Paste the client openvpn.conf content into the text editor and save.

Don’t worry it will overwrite despite the prompt.

It saves the file in ~/Library/Application Support/Tunnelblick/Configurations.

I placed the client's certificate and key in that directory as well. You can put them anywhere, but then the ca, cert and key lines in the client openvpn.conf must point to the new location.

Now press Connect and you should see verbose output indicating a successful connection.
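Added example, not the post's own code: a POSIX shell check for the server and client configuration pair. It catches the mismatches that silently break a setup like this one (dev, proto, port, and compression enabled on only one side) and warns about weak or missing server-side settings. The embedded excerpts are taken from the two configurations on this page; the client excerpt includes a comp-lzo line, which the server does not set, so the check flags it. It is plain text processing and needs nothing but sh, awk and grep.

```shell
#!/bin/sh
# Added example (not from the original post): consistency check for an
# OpenVPN server/client configuration pair. Pure text processing.

# Excerpts of the two configurations from the post, embedded as test input.
SERVER_CONF='dev tun
proto tcp
port 1194
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.77.0 255.255.255.0
client-to-client'
CLIENT_CONF='dev tun
client
proto tcp
remote 81.174.97.97 1194
nobind
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3'

# ovpn_get DIRECTIVE CONFIG_TEXT: print the arguments of the first matching
# directive (empty if absent); comment lines starting with # or ; are skipped.
ovpn_get() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 ~ /^[#;]/ { next }
        $1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# ovpn_has DIRECTIVE CONFIG_TEXT: succeed if the directive is present.
ovpn_has() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"
}

# ovpn_check_pair SERVER_TEXT CLIENT_TEXT: print findings; exit 1 on any error.
ovpn_check_pair() {
    errors=0
    # Transport settings must agree (tcp-server/tcp-client count as tcp).
    for k in dev proto; do
        s=$(ovpn_get "$k" "$1"); s=${s%-server}
        c=$(ovpn_get "$k" "$2"); c=${c%-client}
        [ "$s" = "$c" ] || { echo "error: $k differs (server '$s', client '$c')"; errors=$((errors + 1)); }
    done
    # The port the client dials must be the one the server listens on (default 1194).
    sp=$(ovpn_get port "$1"); rp=$(ovpn_get remote "$2" | awk '{ print $2 }')
    [ "${sp:-1194}" = "${rp:-1194}" ] || { echo "error: port differs (server ${sp:-1194}, client ${rp:-1194})"; errors=$((errors + 1)); }
    # Compression must be configured on both sides or on neither.
    sl=no; cl=no
    ovpn_has comp-lzo "$1" && sl=yes
    ovpn_has comp-lzo "$2" && cl=yes
    [ "$sl" = "$cl" ] || { echo "error: comp-lzo on server=$sl client=$cl"; errors=$((errors + 1)); }
    # Weak or missing hardening on the server side (warnings only).
    case "$(ovpn_get dh "$1")" in
        *dh512*|*dh1024*) echo "warn: $(ovpn_get dh "$1") is too small; set KEY_SIZE=2048 in vars and rerun ./build-dh" ;;
    esac
    ovpn_has tls-auth "$1" || echo "warn: no tls-auth key; unauthenticated packets reach the TLS stack"
    ovpn_has keepalive "$1" || echo "warn: no keepalive; dead tunnels are not detected"
    [ "$errors" -eq 0 ]
}
```

Run it as ovpn_check_pair "$(cat /etc/openvpn/openvpn.conf)" "$(cat client.conf)" after sourcing the file. Against the two configurations on this page it reports the comp-lzo mismatch as an error and the 1024-bit DH parameters, missing tls-auth and missing keepalive as warnings; dropping comp-lzo from the client makes the pair pass.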

Test

Run ifconfig on the Mac and you should see an extra tun0 interface.

Now ping 10.8.77.1 and you should get a reply from the server, which takes the first address of the 10.8.77.0/24 range given on the server line.

I can now VNC to this server and then VNC from the server to any office computer on the 192.168.40.0 subnet.

Other things to consider are username/password authentication on top of the certificates, in case the Mac is stolen. Even without that, a stolen client certificate can be revoked: easy-rsa 2.0 has revoke-full, which writes keys/crl.pem, and the server will reject the revoked certificate if its configuration names that file in a crl-verify line.

I would now like to route traffic so that I can reach the 192.168.40.0 subnet without having to VNC to the OpenVPN server.