Good Info:https://www.interserver.net/tips/kb/install-lets-encrypt-cpanel-whm-server/
Great Article: https://www.digitalocean.com/community/tutorials/how-to-install-jitsi-meet-on-ubuntu-18-04
Best Article: https://www.atlantic.net/hipaa-compliant-hosting/how-to-install-openfire-ubuntu-20-04/
Good Read: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
Add your keys to github.
Then run the following to set up keys easily for new projects:
# curl https://github.com/github_user_name.keys | tee -a /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys
Edit /etc/rsyslog.conf
$ sudo nano /etc/rsyslog.conf
Un-comment cron line
cron.* /var/log/cron.log
Save file and restart rsyslog
$ sudo systemctl restart rsyslog
First lets install UFW
$ sudo apt-get install ufw
Check the Status
$ sudo ufw status verbose
By default, UFW is disabled so you should see something like this:
$ Status: inactive
Let’s set your UFW rules back to the defaults so we can be sure that you’ll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:
$ sudo ufw default deny incoming
Output:
Default incoming policy changed to ‘deny’
(be sure to update your rules accordingly)
$ sudo ufw default allow outgoing
Output:
Default outgoing policy changed to ‘allow’
(be sure to update your rules accordingly)
Allow SSH Connections
To configure your server to allow incoming SSH connections, you can use this UFW command:
$ sudo ufw allow ssh
Output:
Rules updated
Rules updated (v6)
this command works the same as the one above:
$ sudo ufw allow 22
Or if ssh is on a different port
$ sudo ufw allow 2222
Now that your firewall is configured to allow incoming SSH connections, we can enable it
$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
Now lets add the port access for IPFS
4001 – default libp2p swarm port – should be open to public for all nodes if possible
5001 – API port – provides write/admin access to the node – should be locked down or only to your IP.
8080 – Gateway
$ sudo ufw allow 4001
$ sudo ufw allow 5001
$ sudo ufw allow 8080/tcp
Reload
$ sudo ufw reload
Remove a Port
$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 4001 ALLOW IN Anywhere
[ 3] 5001 ALLOW IN Anywhere
[ 4] 8080/tcp ALLOW IN Anywhere
[ 5] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] 4001 (v6) ALLOW IN Anywhere (v6)
[ 7] 5001 (v6) ALLOW IN Anywhere (v6)
[ 8] 8080/tcp (v6) ALLOW IN Anywhere (v6)
$ sudo ufw delete 2
Delete all firewall rules
$ sudo ufw reset
To Allow connections for the Webui on a specific IP:
$ sudo ufw allow from 1.2.3.4 to any port 5001
sudo ufw reload
Update your package list
$ sudo apt update
Install the dependencies for the python3-certbot-nginx package, which include the python3-acme, python3-certbot, python3-mock, python3-openssl, python3-pkg-resources, python3-pyparsing, and python3-zope.interface packages:
$ sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface
Iinstall the python3-certbot-nginx package:
$ sudo apt install python3-certbot-nginx
Certbot needs to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches your requested domain.
You should have a server block for your domain at /etc/nginx/sites-available/default with the server_name directive already set appropriately.
To check, open the server block file for your domain using nano or your favorite text editor:
sudo nano /etc/nginx/sites-available/your_domain
Find the existing server_name line. It should look like this:
/etc/nginx/sites-available/default ... server_name your_domain www.your_domain; ...
If it does, exit your editor and move on to the next step. If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:
$ sudo nginx -t
If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file syntax is correct, reload Nginx to load the new configuration:
$ sudo systemctl reload nginx
Certbot can now find the correct server block and update it.
Add a Cert.
$ sudo certbot --nginx -d your_domain -d www.your_domain
In a previous article, we set up a private IPFS cluster. We now need a public IPFS gateway so files on the private cluster are accessible by the public. This gateway will run on one of the IPFS nodes in the cluster.
We can use Nginx as a proxy to the local ipfs gateway that ships with the IPFS daemon (As a default for IPFS, the files and Webui are only accessable via localhost). So, set up a domain or subdomain pointing to one of the nodes.
Start with an Update
$ sudo apt update $ sudo apt upgrade -y
Install Nginx And Configure It.
$ sudo apt install nginx -y
Check status to make sure it started and is not throwing any errors:
$ systemctl status nginx
Results
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: en
Active: active (running) since Wed 2021-06-16 22:59:51 UTC; 1min 44s ago
Docs: man:nginx(8)
Process: 13062 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process
Process: 13063 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (cod
Main PID: 13064 (nginx)
Tasks: 2 (limit: 1163)
Memory: 5.3M
CGroup: /system.slice/nginx.service
├─13064 nginx: master process /usr/sbin/nginx -g daemon on; master_pr
└─13065 nginx: worker process
Jun 16 22:59:51 ip-10-0-1-209 systemd[1]: Starting A high performance web server
Jun 16 22:59:51 ip-10-0-1-209 systemd[1]: nginx.service: Failed to parse PID fro
Jun 16 22:59:51 ip-10-0-1-209 systemd[1]: Started A high performance web server
lines 1-16/16 (END)
Get your IP and open it with browser to make sure Nginx is serving its default page:
$ curl -s domain.com $ curl -s Ip_address
Now browse to http://your-ip-here and you should see the Nginx default page “Welcome to Nginx”.
Set Up your nginx configs:
$ sudo mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default_back $ sudo nano /etc/nginx/sites-available/default
Copy and paste this config (change ipfs.geekdecoder.com to your domain)
server {
listen 80;
listen [::]:80;
server_name your_domain_name.com;
location /api/v0/add {
proxy_pass http://localhost:5001;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
allow all;
}
location /ipfs {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
allow all;
}
location / {
proxy_pass http://localhost:5001;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
deny all; # <- Deny other traffic
}
#Uncomment below if adding ssl cert with certbot
# listen [::]:443 ssl ipv6only=on; # managed by Certbot
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/ipfs.dsla.network/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/ipfs.dsla.network/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
#server {
# if ($host = ) {
# return 301 https://host
#request_uri;
# } # managed by Certbot
# listen 80 ;
# listen [::]:80 ;
# server_name ;
# return 404; # managed by Certbot
Test that new config syntax and make sure it is ok:
$ sudo nginx -t
If all good reload:
$ sudo systemctl reload nginx
The setup here does not include an SSL cert but should. If yu do install certbot and enable SSL, you can modify the server block to include it.
Now there are changes to IPFS here.
Run there commands to set up a public gateway.
$ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://your_domain_name.com:5001", "http://localhost:3000", "http://127.0.0.1:5001", "https://webui.ipfs.io"]' $ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "GET", "POST"]' $ ipfs config Addresses.API /ip4/0.0.0.0/tcp/5001 $ ipfs config Addresses.Gateway /ip4/127.0.0.1/tcp/8080
Restart IPFS
$ sudo systemctl restart ipfs
Update and Install OpneVPN
$ sudo apt-get update -y $ sudo apt-get upgrade -y $sudo apt-get install openvpn -y
Download the latest version of EasyRSA from the Git repository using the following command:
$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
extract the downloaded file using the following command:
$ tar -xvzf EasyRSA-3.0.8.tgz
Next, copy the extracted directory to the OpenVPN directory:
$ sudo cp -r EasyRSA-3.0.8 /etc/openvpn/easy-rsa
Next, you will need to build the Certificate Authority (CA) for OpenVPN.
First, change the directory to EasyRSA with the following command:
$ sudo cd /etc/openvpn/easy-rsa
Next, you will need to create a vars file inside this. A vars file is a simple file that Easy-RSA will source for configuration.
You can create it with the following command:
$ sudo nano vars
Add the following lines as per your needs:
Add the following lines as per your needs:
set_var EASYRSA_REQ_COUNTRY "USA" set_var EASYRSA_REQ_PROVINCE "Texas" set_var EASYRSA_REQ_CITY "Buda" set_var EASYRSA_REQ_ORG "GEEKDECODER" set_var EASYRSA_REQ_EMAIL "admin@domain.com" set_var EASYRSA_REQ_OU "IT"
Save and close the file when you are finished.
Next, initiate the public key infrastructure with the following command:
$ sudo ./easyrsa init-pki
You should get the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Next, you will need to run build-ca command to create ca.crt and ca.key file. You can run it with the following command:
$ sudo ./easyrsa build-ca nopass
You will be asked for several questions as shown below:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus (2 primes) ...+++++ ......................................................................+++++ e is 65537 (0x010001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpnserver CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt
Next, you will need to use the gen-req command followed by common name to generate the server key.
$ sudo ./easyrsa gen-req vpnserver nopass
You should see the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 Generating a RSA private key .......................................................+++++ ....+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1428.Angtmh/tmp.C9prw4' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [vpnserver]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/vpnserver.req key: /etc/openvpn/easy-rsa/pki/private/vpnserver.key
Next, you will need to sign the vpnserver key using your CA certificate. You can do it with the following command:
$ sudo ./easyrsa sign-req server vpnserver
You should get the following output:
Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'vpnserver' Certificate is to be certified until Feb 6 14:38:52 2022 GMT (365 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt
Next, you will need to generate a strong Diffie-Hellman key to use for the key exchange. You can generate it with the following command:
$ sudo ./easyrsa gen-dh
Next, you will need to copy all certificate and key file to the /etc/openvpn/server/ directory. You can copy the using the following command:
$ sudo cp pki/ca.crt /etc/openvpn/server/ $ sudo cp pki/dh.pem /etc/openvpn/server/ $ sudo cp pki/private/vpnserver.key /etc/openvpn/server/ $ sudo cp pki/issued/vpnserver.crt /etc/openvpn/server/
Next, you will need to generate a certificate and key file for the client system.
You can create it with the following command:
$ sudo ./easyrsa gen-req vpnclient nopass
You should get the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 Generating a RSA private key ....+++++ .................................+++++ writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1563.TeOf5v/tmp.i4YxLz' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [vpnclient]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/vpnclient.req key: /etc/openvpn/easy-rsa/pki/private/vpnclient.key
Next, sign the client key with the following command:
$ sudo ./easyrsa sign-req client vpnclient
You should get the following output:
Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'vpnclient' Certificate is to be certified until Feb 6 14:43:18 2022 GMT (365 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnclient.crt
Next, copy all client certificate and key to the /etc/openvpn/client/ directory.
$ sudo cp pki/ca.crt /etc/openvpn/client/ $ sudo cp pki/issued/vpnclient.crt /etc/openvpn/client/ $ sudo cp pki/private/vpnclient.key /etc/openvpn/client/
At this point, both server and client certificate and key are ready. Now, you will need to create an OpenVPN configuration file and define all certificates and keys.
$ sudo nano /etc/openvpn/server.conf
Add the following lines ( add in server_ip you ip for openvpn server):
port 1194 proto udp dev tun ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/vpnserver.crt key /etc/openvpn/server/vpnserver.key dh /etc/openvpn/server/dh.pem server 10.8.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220" duplicate-cn cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache keepalive 20 60 persist-key persist-tun compress lz4 daemon user nobody group nogroup log-append /var/log/openvpn.log verb 3
Save and close the file then start the OpenVPN service and enable it to start at system reboot:
$ sudo systemctl start openvpn@server $ sudo systemctl enable openvpn@server
If everything is fine, a new interface will be created. You can check it using the following command:
ip a show tun0
You should get the following output:
4: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::153d:f29:39a2:571a/64 scope link stable-privacy
valid_lft forever preferred_lft forever
IP forwarding allows your operating system to accept the incoming network packets and forward it to the other network. You can enable it with the following command:
$ sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward = 1
Save the file then apply the configuration changes with the following command:
sysctl -p
Next, you will need to install the OpenVPN client on another system and connect to the OpenVPN server.
First, install the OpenVPN with the following command:
apt-get install openvpn -y
Once installed, copy all Client certificate and key from the OpenVPN server to the Client machine. You can do it with the following command:
scp -r root@vpn-server-ip:/etc/openvpn/client .
Next, change the directory to client and create a Client configuration file:
cd client nano client.ovpn
Add the following lines:
remote server_ip 1194 client dev tun proto udp remote vpn-server-ip 1194 ca ca.crt cert vpnclient.crt key vpnclient.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lz4 nobind persist-key persist-tun mute-replay-warnings verb 3
Save and close the file then connect to your OpenVPN server with the following command:
openvpn --config client.ovpn
Once the connection has been established, you should get the following output:
Sat Feb 6 14:53:50 2021 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1) Sat Feb 6 14:53:50 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' Sat Feb 6 14:53:50 2021 OPTIONS IMPORT: timers and/or timeouts modified Sat Feb 6 14:53:50 2021 OPTIONS IMPORT: --ifconfig/up options modified Sat Feb 6 14:53:50 2021 OPTIONS IMPORT: route options modified
You can verify the OpenVPN interface on the client machine with the following command:
ip a show tun0
You should get the following output:
4: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::9206:94d7:8fb2:6b21/64 scope link stable-privacy
valid_lft forever preferred_lft forever
dfdf