Install OpenVPN 3 Client for Ubuntu 22.4 “Jammy”

June 1, 2023 The Geek Decoder No Comments openvpn

Follow these steps in order to install OpenVPN 3 Client on Linux for Debian and Ubuntu:

Open the Terminal by pressing:

ctrl + alt + T

Type the following command into the Terminal: 

sudo apt install apt-transport-https

This is done to ensure that your apt supports the https transport. Enter the root password as prompted.

Type the following command into the Terminal: 

sudo wget https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub

This will install the OpenVPN repository key used by the OpenVPN 3 Linux packages.

Type the following command into the Terminal: 

sudo apt-key add openvpn-repo-pkg-key.pub

Type the following command into the Terminal: 

sudo wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-jammy.list

Type the following command into the Terminal: 

sudo apt update

Type the following command into the Terminal: 

sudo apt install openvpn3

This will finally install the OpenVPN 3 package.

How to use OpenVPN 3 Linux

Using openvpn2

For users familiar with the classic OpenVPN 2.x command line, the openvpn2 front-end aims to be fairly close to old behavior.

$ openvpn2 --config ${MY_CONFIGURATION_FILE}

Replace ${MY_CONFIGURATION_FILE} with the OpenVPN configuration file you want to use.

If this configuration includes the –daemon option, the VPN session will be started in the background and the user is given the command line back again. To further manage this VPN session, the openvpn3 session-manage command line interface must be used.

Without –daemon the console will be filled with log data from the VPN session and the session can be disconnected via a simple CTRL-C in the terminal.

For more information, see openvpn2 –help, openvpn3 session-manage –help as well as the ​openvpn2 and ​openvpn3-session-manage man pages.

Using openvpn3

For more advanced usage, the openvpn3 command line offers a lot more features. Configuration profiles in OpenVPN 3 Linux are managed by a ​Configuration Manager before the VPN session is started via the ​Session Manager. The openvpn3 utility gives access to the features these manager services provides.

Starting a one-shot configuration profile

A “one-shot configuration profile” means that the configuration file is parsed, loaded and deleted from the the configuration manage as soon as the VPN session has been attempted started. No configuration file is available for re-use after this approach. This is achieved by giving the configuration file to the openvpn3 session-start command directly.

$ openvpn3 session-start --config ${MY_CONFIGURATION_FILE}

Importing a configuration file for re-use and starting a VPN session
Using this approach, an imported configuration file can be used several times and access to the configuration file itself is not needed to start VPN tunnels. By default, configuration profiles imported are only available to the user who imported the configuration file. But OpenVPN 3 Linux also provides an Access Control List feature via ​openvpn3 config-acl to grant access to specific or all users on the system.

$ openvpn3 config-import --config ${MY_CONFIGURATION_FILE}

This loads the configuration profile and stores it in memory-only. That means, if the system is rebooted, the configuration profile is not preserved. If the –persistent argument is added to the command line above, the configuration profile will be saved to disk in a directory only accessible by the openvpn user. Whenever the ​Configuration Manager is started, configuration files imported with –persistent will be automatically loaded as well.

To list all available configuration profiles, run this command:

$ openvpn3 configs-list

A configuration file typically contains generic options to be able to connect to a specific server, regardless of the device itself. OpenVPN 3 Linux also supports setting more host-specific settings on a configuration profile as well. This is handled via the ​openvpn3 config-manage interface. Any settings here will also be preserved across boots if the configuration profile was imported with the –persistent argument.

Starting a new VPN session from an imported configuration profile
When a configuration profile is available via openvpn3 configs-list, it can easily be started via openvpn3 session-start using the configuration profile name (typically the filename used during the import)

$ openvpn3 session-start --config ${CONFIGURATION_PROFILE_NAME}

or it is possible to use the D-Bus path to the configuration profile:

$ openvpn3 session-start --config-path /net/openvpn/v3/configuration/openvpn.ovpn

In either of these cases is it necessarily to have access to the configuration profile on disk. As long as configuration profiles are available via openvpn3 configs-list, all needed to start a VPN session should be present.

Managing a running VPN session
Once a VPN session has started, it should be seen in ​openvpn3 sessions-list:

$ openvpn3 sessions-list

Using the openvpn3 session-manage there are a few things which can be done, but most typically it is the –disconnect or –restart alternatives which is most commonly used.

$ openvpn3 session-manage --config ${CONFIGURATION_PROFILE_NAME} --restart

This disconnects and re-connects to the server again, re-establishing the connection. The ${CONFIGURATION_PROFILE_NAME} is the configuration name as displayed in openvpn3 sessions-list. It is also possible to use the D-Bus path to the session as well:

$ openvpn3 session-manage --session-path /net/openvpn/v3/sessions/….. --disconnect

This command above will disconnect a running session. Once this operation has completed, it will be removed from the openvpn3 sessions-list overview.

It is also possible to retrieve real-time tunnel statistics from running sessions:

$ openvpn3 session-stats --config ${CONFIGURATION_PROFILE_NAME}
$ openvpn3 session-stats --session-path /net/openvpn/v3/sessions/…..

And to retrieve real-time log events as they occur, run the ​openvpn3 log command line below:

$ openvpn3 log --config ${CONFIGURATION_PROFILE_NAME}

This might be quite silent, as it does not provide any log events from the past. Issue an openvpn3 session-manage –restart from a different terminal, and log events will occur. You may want to boost the log-level with –log-level 6. Valid log levels are from 0 to 6, where 6 is the most verbose.

Note that the maximum log level is configured centrally. If you don’t get more output with higher log levels increase maximum log level first with ​openvpn3-admin (note that this command needs to be executed as root):

# openvpn3-admin log-service --log-level 6

VPN sessions are also owned by the user which started it. But the ​Session Manager also provides its own Access Control List feature via ​openvpn3 session-acl.

TECH-PREVIEW: OpenVPN Data Channel Offload – kernel module support
As of v11_beta, the OpenVPN 3 Linux client ships with Data Channel Offload (DCO) support. This is only supported on a selected list of Linux distributions, please see the distribution table earlier on this page for details.

To enable it, first install the kmod-ovpn-dco package from the software repositories described on this page.

Ubuntu preparation

# apt install kmod-ovpn-dco
Fedora preparation
# yum install kmod-ovpn-dco

Enable DCO on a VPN configuration profile
Now the OpenVPN configuration file must be pre-imported and the DCO mode must be activated:

$ openvpn3 config-import --config CONFIG_FILE --name CONFIG_NAME --persistent
$ openvpn3 config-manage --show --config CONFIG_NAME --dco true

And now a VPN session with DCO activated can be started as any normal VPN session:

$ openvpn3 session-start --config CONFIG_NAME

Start a VPN session directly with DCO enabled

Using the openvpn2 command line:

$ openvpn2 --config CONFIG_FILE --enable-dco

Using the openvpn3 command line:

$ openvpn3 session-start --config CONFIG_NAME --dco true

If the configuration profile is pre-imported and configured to use DCO by default, you can temporarily disable that by adding –dco false instead.

Create a bash script.

nano openvpn_connect.sh

#!/bin/bash
openvpn3 session-start --config configfile.ovpn

Make it executable:

chmod +x openvpn_connect.sh

Execute from command line:

./openvpn_connect.sh

Change permissions using find command

April 18, 2023 The Geek Decoder No Comments Knowledge Base

To change permissions using find command.

On a Linux server, if you are in need of changing the permissions of a bulk amount of files or directories recursively, we can use the ‘find’ command to do it. The steps are explained below:

Change to the directory in which you need to change the permissions.

cd /home/user/public_html

Changing Files

The permission changes are different based on the situation we are having. If you need to change the permissions of all files inside the directory to 644 recursively, please use the following:

find . -type f -exec chmod 644 {} \;

You can specify a specific directory in the following way as well:

find /home/abc/ -type f -exec chmod 644 {} \;

Directories

If you are looking to change the permissions of directories inside the current folder to 755, use the following:

find /home/abc/ -type d -exec chmod 755 {} \;

If you are looking to change the permissions of all files having 777 permissions only to 644, use the following:

find . -type f -perm 777 -exec chmod 644 {} \;

Use the same format for directories by changing the option f:

find . -type d-perm 777 -exec chmod 755 {} \;

You can also change permission using xargs command to do this quickly.

find . -type d -print0 | xargs -0 chmod 755

find . -type f -print0 | xargs -0 chmod 644


Apache vhosts are not segmented or chroot()ed. Enable “mod_ruid2” in the “EasyApache 4” area

March 31, 2023 The Geek Decoder No Comments cPanel

When running the Security Advisor in cPanel at Home / Security Center / Security Advisor, I received this error:

Apache vhosts are not segmented or chroot()ed. Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

Read More

lfd on srv1.domain.net: Suspicious process running under user nobody

March 29, 2023 The Geek Decoder No Comments Unkategorisiert

The cPanel server has bene installed and NGINX is installed and started. Soon, the suspicious process notifications comes from CSF/LFD. 

...Executable:

/usr/sbin/nginx


Command Line (often faked in exploits):

nginx: worker process
...

So, the process needs to be whitelisted. Lets edit the following:

nano /etc/csf/csf.pignore

Add the following:

exe:/usr/sbin/nginx

Restart CDF/LDF

csf -r

We can also add this in cPanel at “Home” > “Plugins” : ConfigServer Security and Firewall

Determining an IP Address’ Authoritative Nameserver for PTR Records

March 29, 2023 The Geek Decoder No Comments Knowledge Base

An authoritative nameserver is a DNS (Domain Name System) server that contains the original source of information for a particular domain name. This server is considered as the ultimate or official source of DNS information for the domain and is responsible for providing the correct IP address or other DNS record information associated with the domain. When a DNS query is made for a domain name, the authoritative nameserver for that domain is queried to obtain the corresponding DNS information.

Read More

How to enable PHP-FPM for a domain

March 21, 2023 The Geek Decoder No Comments cPanel

You may follow the steps below to enable PHP-FPM for one domain or multiple domains.

Procedure

Enable PHP-FPM for one domain:

  1. Log into WHM.
  2. Navigate to MultiPHP Manager.
  3. In the bottom section, under User Domain Settings, use the search bar to search for your domain.
  4. To the far right of your domain, click the toggle icon to enable PHP-FPM.

Enable PHP-FPM for multiple domains:

  1. Log into WHM.
  2. Navigate to MultiPHP Manager.
  3. In the bottom section, under System settings, select “Enable on All Domains”.

Further information on PHP-FPM configuration in MultiPHP Manager can be found in our documentation here.

What are the top cache plugins for wordpress?

March 18, 2023 The Geek Decoder No Comments Administration, Wordpress

What are the top cache plugins for wordpress?

There are several popular cache plugins for WordPress, including:

Redis Object Cache – A persistent object cache backend powered by Redis. Supports Predis, PhpRedis, Relay, replication, sentinels, clustering and WP-CLI.

Panomity WP Cache – Provides an extremely simple full page cache of the homepage.

WP Fastest Cache – This is a lightweight and easy-to-use plugin that offers a range of caching options, including minification and Gzip compression.

W3 Total Cache – This is a comprehensive caching plugin that offers a range of caching options, including page caching, database caching, and object caching.

WP Super Cache – This is a popular caching plugin that offers a range of caching options, including page caching, gzip compression, and CDN support.

Comet Cache – This is a simple and easy-to-use caching plugin that offers features such as page caching, browser caching, and Gzip compression.

LiteSpeed Cache – All-in-one unbeatable acceleration & PageSpeed improvement: caching, image/CSS/JS optimization.

It’s worth noting that the effectiveness of a caching plugin can depend on your website’s specific setup and requirements, so it’s a good idea to experiment with different options to find the best fit for your site.

Let’s test a WordPress WooCommerce Site – CaptainsCBDShop.com.

Without Cache Plugins – https://gtmetrix.com/reports/www.captainscbdshop.com/bwO9zBlZ/

In this test, we will test without any plugins.

With Redis Object Cache

In this test, we set up redis and then installed the plugin in WordPress.

With Panomity WP Cache

In this test, we set up the Panomity WP Cache plugin.

WP Fastest Cache

Here we test with WP Fastest Cache.

W3 Total Cache

Below we set up W3 Total Cache

W3 Total Cache has a cool setup where you can configure it.

Here are the test results after installation.