First, let's install UFW:

$ sudo apt-get install ufw

Check the Status

$ sudo ufw status verbose

By default UFW is disabled, so you should see this (it is output, not a command):

Status: inactive

Let’s set your UFW rules back to the defaults so we can be sure that you’ll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:

$ sudo ufw default deny incoming

Output:
Default incoming policy changed to ‘deny’
(be sure to update your rules accordingly)

$ sudo ufw default allow outgoing

Output:
Default outgoing policy changed to ‘allow’
(be sure to update your rules accordingly)

Allow SSH Connections

To configure your server to allow incoming SSH connections, you can use this UFW command:

$ sudo ufw allow ssh

Output:
Rules updated
Rules updated (v6)
This command does the same as the one above, because ssh resolves to 22/tcp in /etc/services:

$ sudo ufw allow 22/tcp

Or, if sshd listens on a different port (2222 here), allow that one instead. Give the protocol explicitly; a bare port number opens both TCP and UDP:

$ sudo ufw allow 2222/tcp

Now that your firewall is configured to allow incoming SSH connections, we can enable it. Keep this session open and confirm that you can start a second SSH session before you log out:

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Now add the port access for IPFS. Three ports matter:
4001 – default libp2p swarm port (TCP, plus UDP for the QUIC transport) – should be open to the public for all nodes if possible
5001 – API port – gives full write/admin control of the node and has no authentication – must never be open to Anywhere; allow it only from your own IP, or not at all if nginx on this host is its only client
8080 – local gateway – does not need to be open when nginx proxies to it on localhost; what the public needs is 80 (and 443 once you add a certificate)

$ sudo ufw allow 4001
$ sudo ufw allow from 1.2.3.4 to any port 5001 proto tcp
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp

Replace 1.2.3.4 with the address you administer from. Only add an allow rule for 8080/tcp if clients really must reach the daemon's gateway directly rather than through nginx.

Reload

Rules added with ufw allow take effect immediately; reload re-reads the saved rules and is harmless:

$ sudo ufw reload

Remove a Port

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 4001                       ALLOW IN    Anywhere
[ 3] 5001/tcp                   ALLOW IN    1.2.3.4
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 4001 (v6)                  ALLOW IN    Anywhere (v6)
[ 8] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)

Delete a rule by its number, for example rule 2. The v6 copies are separate rules and the numbers shift after each deletion, so run status numbered again before deleting the next one:

$ sudo ufw delete 2

Delete all firewall rules

This disables UFW and removes every rule (backups of the old rule files are left in /etc/ufw). You will have to re-add the SSH rule before enabling it again, or the next enable will lock you out:

$ sudo ufw reset

To allow connections to the API/WebUI port only from a specific IP (replace 1.2.3.4 with the address you administer from). If 5001 was opened to Anywhere earlier, delete that rule first; UFW keeps both rules, and the broader one still lets everyone in:

$ sudo ufw allow from 1.2.3.4 to any port 5001 proto tcp
$ sudo ufw reload

Update your package list

$ sudo apt update

Install the dependencies of the python3-certbot-nginx package (python3-acme, python3-certbot, python3-mock, python3-openssl, python3-pkg-resources, python3-pyparsing and python3-zope.interface):

$ sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface

Install the python3-certbot-nginx package:

$ sudo apt install python3-certbot-nginx

Certbot needs to find the correct server block in your Nginx configuration to be able to configure SSL/TLS automatically. It does this by looking for a server_name directive that matches the domain you request.

You should have a server block for your domain in /etc/nginx/sites-available/default (the file the Nginx setup below writes) with the server_name directive already set to your domain.

To check, open the file with nano or your favorite text editor:

$ sudo nano /etc/nginx/sites-available/default

Find the existing server_name line. It should look like this:

/etc/nginx/sites-available/default
...
server_name your_domain www.your_domain;
...

If it does, exit your editor and move on to the next step. If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:

$ sudo nginx -t

If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file syntax is correct, reload Nginx to load the new configuration:

$ sudo systemctl reload nginx

Certbot can now find the correct server block and update it.

Add a Cert

Certbot completes the HTTP-01 challenge over port 80, so 80/tcp must be allowed through UFW and the domain must already resolve to this host. It edits the server block for you: it adds the listen 443 and ssl_certificate lines, and if you accept the redirect option it adds a second block that sends plain HTTP to HTTPS. Drop the www name if your gateway is a subdomain that has none.

$ sudo certbot --nginx -d your_domain -d www.your_domain

The package installs a systemd timer that renews the certificate automatically; check it with certbot's renewal dry run (certbot renew --dry-run) before you rely on it.

In a previous article we set up a private IPFS cluster. We now need a public IPFS gateway so that files on the private cluster are readable by the public. This gateway will run on one of the IPFS nodes in the cluster.

We use Nginx as a reverse proxy in front of the local gateway that ships with the IPFS daemon (by default the daemon's gateway and WebUI are only reachable via localhost, which is the right default to keep). So, set up a domain or subdomain pointing to one of the nodes.

Start with an Update

$ sudo apt update 
$ sudo apt upgrade -y

Install Nginx And Configure It.

$ sudo apt install nginx -y

Check status to make sure it started and is not throwing any errors:

$ systemctl status nginx

Results

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: en
   Active: active (running) since Wed 2021-06-16 22:59:51 UTC; 1min 44s ago
     Docs: man:nginx(8)
  Process: 13062 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process
  Process: 13063 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (cod
 Main PID: 13064 (nginx)
    Tasks: 2 (limit: 1163)
   Memory: 5.3M
   CGroup: /system.slice/nginx.service
           ├─13064 nginx: master process /usr/sbin/nginx -g daemon on; master_pr
           └─13065 nginx: worker process

Jun 16 22:59:51 ip-10-0-1-209 systemd[1]: Starting A high performance web server
Jun 16 22:59:51 ip-10-0-1-209 systemd[1]: nginx.service: Failed to parse PID fro
Jun 16 22:59:51 ip-10-0-1-209 systemd[1]: Started A high performance web server

Get your IP and open it in a browser to make sure Nginx is serving its default page:

$ curl -s http://your_domain_name.com
$ curl -s http://your_ip_address

Now browse to http://your-ip-here and you should see the Nginx default page, "Welcome to nginx!".

Set Up your nginx configs:

$ sudo mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default_back
$ sudo nano /etc/nginx/sites-available/default

Copy and paste this config (change your_domain_name.com to your domain). Read the comments on the /api/v0/add location before going live: as written it lets anyone on the Internet upload to your node, and the IPFS API itself has no authentication.

server {
    listen 80;
    listen [::]:80;
    server_name your_domain_name.com;

    # Public upload endpoint. The IPFS API has no authentication, so "allow all"
    # here means any Internet host can write to (and fill the disk of) this node.
    # Restrict it to the addresses that need it, or drop this location entirely:
    #     allow 1.2.3.4;   # your application server or admin IP
    #     deny all;
    location /api/v0/add {
        proxy_pass http://localhost:5001;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        # nginx rejects request bodies above 1 MB by default (HTTP 413);
        # raise this if you expect larger uploads:
        # client_max_body_size 100m;
        allow all;
    }

    # Read-only gateway: the part the public is meant to reach
    location /ipfs {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        allow all;
    }

    # Everything else, including the rest of /api/v0/, is answered with 403
    # by nginx before it reaches the daemon
    location / {
        proxy_pass http://localhost:5001;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        deny all; # <- Deny other traffic
    }

    # Certbot (sudo certbot --nginx ...) adds the TLS listeners and certificate
    # paths below itself; they are shown here so you recognise them.
    # listen [::]:443 ssl ipv6only=on; # managed by Certbot
    # listen 443 ssl; # managed by Certbot
    # ssl_certificate /etc/letsencrypt/live/your_domain_name.com/fullchain.pem; # managed by Certbot
    # ssl_certificate_key /etc/letsencrypt/live/your_domain_name.com/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# If you accept certbot's redirect option it also adds this second block and
# moves the plain-HTTP listeners into it, so every HTTP request is sent to HTTPS:
#server {
#    if ($host = your_domain_name.com) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot
#
#    listen 80;
#    listen [::]:80;
#    server_name your_domain_name.com;
#    return 404; # managed by Certbot
#}

Test that new config syntax and make sure it is ok:

$ sudo nginx -t

If all good reload:

$ sudo systemctl reload nginx

The setup here does not include a TLS certificate but should. Once you have installed certbot as described above and run it with the --nginx plugin, it modifies this server block itself; the commented lines in the config show what it adds.

Now change the IPFS daemon's own configuration. Run these commands as the user that owns the IPFS repository (the user the ipfs service runs as), then restart the daemon:

$ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://your_domain_name.com:5001", "http://localhost:3000", "http://127.0.0.1:5001", "https://webui.ipfs.io"]'
$ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "GET", "POST"]'
$ ipfs config Addresses.API /ip4/0.0.0.0/tcp/5001
$ ipfs config Addresses.Gateway /ip4/127.0.0.1/tcp/8080

Two notes on these values. The Allow-Origin list is what stops arbitrary web pages from driving the API out of a visitor's browser, so never put "*" in it. Binding the API to 0.0.0.0 is only needed if you want to reach the WebUI on port 5001 directly from your admin IP; nginx on the same host reaches it through localhost either way. If you do bind it to 0.0.0.0, the UFW rule restricting 5001 to your IP is the only thing between the Internet and full control of the node, so check it with sudo ufw status before restarting. If you do not need direct access, leave Addresses.API at /ip4/127.0.0.1/tcp/5001.

Restart IPFS

$ sudo systemctl restart ipfs
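The script below is an added example and not part of the original article. It audits the two exposure points the firewall section and the IPFS configuration above set up: Addresses.API, Addresses.Gateway and the Access-Control-Allow-Origin list from ipfs config show, and the rules in sudo ufw status numbered. Its inputs are constructed samples: the config values the ipfs config commands above produce, and a ufw listing in which 5001 is open to Anywhere, the mistake this page warns against. On a live node, pass in the real output of those two commands; 1.2.3.4 is the placeholder admin IP used on this page.

```python
"""Audit an IPFS node's exposure: API/gateway bind addresses, CORS origins and UFW rules."""
import json
import re

API_PORT = "5001"      # IPFS API: full write/admin control of the node, no authentication
GATEWAY_PORT = "8080"  # daemon's read-only gateway, meant to sit behind nginx on localhost
LOOPBACK = ("/ip4/127.", "/ip6/::1/")

# Constructed sample: the values this page's `ipfs config` commands produce.
SAMPLE_IPFS_CONFIG = json.dumps({
    "API": {"HTTPHeaders": {
        "Access-Control-Allow-Origin": [
            "http://your_domain_name.com:5001", "http://localhost:3000",
            "http://127.0.0.1:5001", "https://webui.ipfs.io"],
        "Access-Control-Allow-Methods": ["PUT", "GET", "POST"]}},
    "Addresses": {
        "API": "/ip4/0.0.0.0/tcp/5001",
        "Gateway": "/ip4/127.0.0.1/tcp/8080",
        "Swarm": ["/ip4/0.0.0.0/tcp/4001", "/ip6/::/tcp/4001"]},
})

# Constructed sample: a `sudo ufw status numbered` listing with the API port open to everyone.
SAMPLE_UFW_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 4001                       ALLOW IN    Anywhere
[ 3] 5001                       ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 4001 (v6)                  ALLOW IN    Anywhere (v6)
[ 7] 5001 (v6)                  ALLOW IN    Anywhere (v6)
[ 8] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)
"""


def _as_list(value):
    """Addresses.API/Gateway are a string in older go-ipfs and a list in newer ones."""
    return value if isinstance(value, list) else [value]


def audit_ipfs_config(config_json):
    """Findings for an `ipfs config show` document, as (severity, message) tuples."""
    cfg = json.loads(config_json)
    addrs = cfg.get("Addresses", {})
    findings = []
    for addr in _as_list(addrs.get("API", "")):
        if addr and not addr.startswith(LOOPBACK):
            findings.append(("CRITICAL", f"Addresses.API={addr}: the API listens on a "
                             "non-loopback address, so only the firewall keeps it private"))
    for addr in _as_list(addrs.get("Gateway", "")):
        if addr and not addr.startswith(LOOPBACK):
            findings.append(("WARN", f"Addresses.Gateway={addr}: gateway exposed "
                             "directly instead of through nginx"))
    origins = cfg.get("API", {}).get("HTTPHeaders", {}).get("Access-Control-Allow-Origin", [])
    if "*" in origins:
        findings.append(("CRITICAL", "Access-Control-Allow-Origin contains '*': any web "
                         "page a user visits can drive the API from their browser"))
    return findings


# Matches "[ 3] 5001   ALLOW IN   Anywhere" and "[ 7] 5001 (v6)   ALLOW IN   Anywhere (v6)".
_UFW_RULE = re.compile(
    r"^\[\s*(\d+)\]\s+(.+?)(?:\s+\(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT|FWD)\s+(.+?)\s*$")


def audit_ufw_status(status_text):
    """Findings for `sudo ufw status numbered` output, as (severity, rule number, message)."""
    findings, ssh_allowed = [], False
    for line in status_text.splitlines():
        m = _UFW_RULE.match(line.strip())
        if not m:
            continue
        num, to, action, direction, src = m.groups()
        port = to.split("/")[0]          # "5001/tcp" -> "5001"; app names like "OpenSSH" stay
        anywhere = src.startswith("Anywhere")
        if action != "ALLOW" or direction != "IN":
            continue
        if port in ("22", "OpenSSH"):
            ssh_allowed = True
        if port == API_PORT and anywhere:
            findings.append(("CRITICAL", int(num), f"rule {num}: IPFS API port {to} allowed "
                             f"from {src}; restrict it to your admin IP or delete it"))
        elif port == GATEWAY_PORT and anywhere:
            findings.append(("WARN", int(num), f"rule {num}: gateway port {to} open to {src}; "
                             "not needed when nginx proxies to localhost:8080"))
    if not ssh_allowed:
        findings.append(("CRITICAL", None, "no rule allows SSH in; enabling the firewall "
                         "in this state locks you out"))
    return findings


def main():
    for sev, msg in audit_ipfs_config(SAMPLE_IPFS_CONFIG):
        print(f"ipfs {sev:8} {msg}")
    for sev, _, msg in audit_ufw_status(SAMPLE_UFW_STATUS):
        print(f"ufw  {sev:8} {msg}")


if __name__ == "__main__":
    main()
```

Run it before restarting the daemon and again after any firewall change. The only acceptable result for the API port is a rule whose From column is your own address, or no rule at all; an IP-specific rule only helps if the Anywhere rule for the same port has been deleted.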

Update and Install OpenVPN

$ sudo apt-get update -y
$ sudo apt-get upgrade -y
$ sudo apt-get install openvpn -y

Download the latest version of EasyRSA from the Git repository using the following command:

$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

extract the downloaded file using the following command:

$ tar -xvzf EasyRSA-3.0.8.tgz

Next, copy the extracted directory to the OpenVPN directory:

$ sudo cp -r EasyRSA-3.0.8 /etc/openvpn/easy-rsa

Next, you will need to build the Certificate Authority (CA) for OpenVPN.

First, change the directory to EasyRSA with the following command:

$ cd /etc/openvpn/easy-rsa

(cd is a shell builtin, so "sudo cd" does nothing; the easyrsa commands below are the ones that need sudo, because the copied directory is owned by root.)

Next, create a vars file inside this directory. A vars file is a simple file that Easy-RSA sources for configuration.

You can create it with the following command:

$ sudo nano vars

Add the following lines, adjusted to your organisation. The country field expects a two-letter ISO code. Note that with Easy-RSA's default DN mode (cn_only) these organisation fields are ignored and only the Common Name is prompted for, as the output below shows; they are used only if you also set EASYRSA_DN to "org".

set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "Texas"
set_var EASYRSA_REQ_CITY        "Buda"
set_var EASYRSA_REQ_ORG         "GEEKDECODER"
set_var EASYRSA_REQ_EMAIL       "admin@domain.com"
set_var EASYRSA_REQ_OU          "IT"

Save and close the file when you are finished.

Next, initiate the public key infrastructure with the following command:

$ sudo ./easyrsa init-pki

You should get the following output:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Next, run build-ca to create ca.crt and ca.key. Leave out nopass for the CA: its key signs every server and client certificate, and a passphrase is the only protection left if the pki directory is ever copied off the box. (The server and client keys below can be passphrase-free; the CA key should not be.)

$ sudo ./easyrsa build-ca

You will be asked for a passphrase and a Common Name for the CA, as shown below. The CN names the CA, not the VPN server, so a distinct name such as "vpn-ca" is clearer than reusing vpnserver:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
......................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpnserver

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Next, use the gen-req command followed by the common name to generate the server key and certificate request. nopass leaves the server key unencrypted so the daemon can start unattended; it is then protected by file permissions only, so keep it root-owned with mode 0600.

$ sudo ./easyrsa gen-req vpnserver nopass

You should see the following output:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
.......................................................+++++
....+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1428.Angtmh/tmp.C9prw4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnserver]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnserver.req
key: /etc/openvpn/easy-rsa/pki/private/vpnserver.key

Next, you will need to sign the vpnserver key using your CA certificate. You can do it with the following command:

$ sudo ./easyrsa sign-req server vpnserver

You should get the following output:

Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnserver'
Certificate is to be certified until Feb  6 14:38:52 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt

Next, generate Diffie-Hellman parameters for the key exchange (this can take several minutes):

$ sudo ./easyrsa gen-dh

Next, copy the CA certificate, DH parameters, server key and server certificate to the /etc/openvpn/server/ directory:

$ sudo cp pki/ca.crt /etc/openvpn/server/
$ sudo cp pki/dh.pem /etc/openvpn/server/
$ sudo cp pki/private/vpnserver.key /etc/openvpn/server/
$ sudo cp pki/issued/vpnserver.crt /etc/openvpn/server/

Next, generate a certificate request and key for the client system. nopass here leaves the client key unencrypted; for a device that can be lost or stolen, leave nopass out and OpenVPN will prompt for the passphrase on connect.

You can create it with the following command:

$ sudo ./easyrsa gen-req vpnclient nopass

You should get the following output:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
....+++++
.................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1563.TeOf5v/tmp.i4YxLz'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnclient]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnclient.req
key: /etc/openvpn/easy-rsa/pki/private/vpnclient.key

Next, sign the client key with the following command:

$ sudo ./easyrsa sign-req client vpnclient

You should get the following output:

Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnclient'
Certificate is to be certified until Feb  6 14:43:18 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnclient.crt

Next, copy all client certificate and key to the /etc/openvpn/client/ directory.

$ sudo cp pki/ca.crt /etc/openvpn/client/
$ sudo cp pki/issued/vpnclient.crt /etc/openvpn/client/
$ sudo cp pki/private/vpnclient.key /etc/openvpn/client/

At this point both server and client certificates and keys are ready. Now create the OpenVPN server configuration file and point it at them:

$ sudo nano /etc/openvpn/server.conf

Add the following lines:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
# Sends all client traffic through the VPN; needs ip_forward and NAT on the server (see below)
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Lets several clients connect with the same certificate. Remove it and issue one
# certificate per client if you want to be able to revoke a single lost device.
duplicate-cn
# Fallback only: OpenVPN 2.4+ negotiates AES-256-GCM with clients that support it
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
# Compression exposes tunnelled traffic to the VORACLE attack and the OpenVPN project
# recommends leaving it off. If you remove it here, remove it from the client too.
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3

Save and close the file, then start the OpenVPN service and enable it at boot:

$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server

If everything is fine, a new tun interface is created. Check it with:

$ ip a show tun0

You should get the following output:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::153d:f29:39a2:571a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

IP forwarding lets the kernel route the packets that arrive on tun0 out through the server's public interface, which the pushed redirect-gateway def1 relies on. Enable it in /etc/sysctl.conf:

$ sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward = 1

Save the file, then apply the change:

$ sudo sysctl -p

Forwarding alone is not enough for clients to reach the Internet: the server must also masquerade the 10.8.0.0/24 client addresses onto its public interface, and if UFW is active on this host (as set up at the start of this page) it must allow udp/1194 in and permit forwarding between tun0 and the public interface. Without those, clients connect but nothing beyond the server answers.
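The following is an added example, not from the original article: the NAT rule the redirect-gateway setup above needs when UFW manages the firewall on this host. Put the nat table at the top of /etc/ufw/before.rules, above the existing *filter line. eth0 is an assumed interface name: replace it with the server's public interface (ip route show default prints it), and 10.8.0.0/24 must match the server directive in server.conf.

```conf
# /etc/ufw/before.rules  (added block; place it BEFORE the "*filter" line)
# Masquerade VPN client traffic (10.8.0.0/24, from "server 10.8.0.0 255.255.255.0")
# onto the public interface. eth0 is an assumed interface name.
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
```

Then let UFW forward the traffic: either change DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, or, for least privilege, add only the route you need with sudo ufw route allow in on tun0 out on eth0. Allow the VPN port itself with sudo ufw allow 1194/udp, and apply everything with sudo ufw reload. Without the nat block clients get a tunnel but no Internet; without the forward rule their packets are dropped even though ip_forward is on.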

Next, install the OpenVPN client on another system and connect it to the server.

First, install OpenVPN:

$ sudo apt-get install openvpn -y

Then copy the client certificate, client key and CA certificate from the server. The command below uses root SSH login on the server; if you have disabled that (recommended), copy the files through a user that can use sudo instead. Once they are on the client, delete vpnclient.key from the server: the server never needs the client's private key.

$ scp -r root@vpn-server-ip:/etc/openvpn/client .

Next, change into the client directory and create a client configuration file:

$ cd client
$ nano client.ovpn

Add the following lines, replacing vpn-server-ip with the server's public IP or hostname:

client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert vpnclient.crt
key vpnclient.key
# Require the server certificate to carry the server extended key usage (it does: it was
# signed with "sign-req server"). Without this, any certificate issued by the CA,
# including another client's, could impersonate the server.
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
# Must match the server; remove it from both ends to avoid the VORACLE compression attack
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save and close the file, then connect to your OpenVPN server (OpenVPN needs root to create the tun interface):

$ sudo openvpn --config client.ovpn

Once the connection has been established, you should get the following output:

Sat Feb  6 14:53:50 2021 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Sat Feb  6 14:53:50 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Feb  6 14:53:50 2021 OPTIONS IMPORT: route options modified

You can verify the OpenVPN interface on the client machine with the following command:

$ ip a show tun0

You should get the following output:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9206:94d7:8fb2:6b21/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
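The linter below is an added example and not part of the original article. It parses OpenVPN server and client configs and reports the weaknesses discussed in this section: compression (VORACLE), a missing tls-auth/tls-crypt key, duplicate-cn, a daemon that keeps root, a client without remote-cert-tls server, and a non-AEAD cipher. The two embedded configs are constructed copies of this page's server.conf and of client.ovpn as first shown, i.e. without remote-cert-tls; the hardened client in the usage check is constructed too. Directive names are the real OpenVPN ones; the severities are this example's own judgement.

```python
"""Lint OpenVPN server/client configs for the weaknesses discussed on this page."""
import re

# Constructed copy of the server.conf shown above (logging/daemon lines omitted).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
keepalive 20 60
persist-key
persist-tun
compress lz4
user nobody
group nogroup
verb 3
"""

# Constructed copy of client.ovpn as first shown above, i.e. without remote-cert-tls.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert vpnclient.crt
key vpnclient.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
"""

_BLOCK_START = re.compile(r"^<([\w-]+)>$")


def parse_openvpn_config(text):
    """Return [(directive, [args])], dropping comments and inline <ca>...</ca> style blocks."""
    directives, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <ca>, <cert>, <tls-crypt> ... skip the PEM body
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = _BLOCK_START.match(line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":   # OpenVPN accepts both comment characters
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def lint_openvpn_config(text, role):
    """Return [(severity, directive, message)] for role "server" or "client"."""
    directives = parse_openvpn_config(text)
    names = {d for d, _ in directives}
    findings = []
    if names & {"compress", "comp-lzo"}:
        findings.append(("HIGH", "compress", "compression lets an attacker who can make the peer send "
                         "chosen data next to a secret recover it from packet sizes (VORACLE); remove it from both ends"))
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append(("MEDIUM", "tls-crypt", "no tls-auth/tls-crypt: anyone on the Internet can start a "
                         "TLS handshake with the daemon; add a shared key with tls-crypt on both ends"))
    if role == "server":
        if "duplicate-cn" in names:
            findings.append(("MEDIUM", "duplicate-cn", "one certificate may be shared by many clients, so a "
                             "leaked key cannot be revoked without cutting everyone off; issue one cert per client"))
        if not {"user", "group"} <= names:
            findings.append(("MEDIUM", "user", "daemon keeps root privileges after start-up; "
                             "add user nobody and group nogroup"))
    if role == "client" and "remote-cert-tls" not in names:
        findings.append(("HIGH", "remote-cert-tls", "client does not check the server certificate's extended "
                         "key usage, so any certificate from the CA (another client's included) can impersonate "
                         "the server; add remote-cert-tls server"))
    for directive, args in directives:
        if directive == "cipher" and args and args[0].upper().endswith("-CBC"):
            findings.append(("LOW", "cipher", f"{args[0]} is not an AEAD cipher; OpenVPN 2.4+ negotiates "
                             "AES-256-GCM when both sides support it, so configure GCM explicitly"))
    return findings


def main():
    for role, text in (("server", SERVER_CONF), ("client", CLIENT_OVPN)):
        for sev, directive, msg in lint_openvpn_config(text, role):
            print(f"{role:6} {sev:6} {directive:16} {msg}")


if __name__ == "__main__":
    main()
```

Run it against both files before the first connection. The PUSH_REPLY above shows the peers agreeing on cipher AES-256-GCM despite the CBC line, which is why that finding is only informational; the compress and remote-cert-tls findings are the ones to act on.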

 
