Install OpenVPN with IPv6 on Ubuntu

This article walks through installing OpenVPN with IPv6 and, more specifically, focuses on the differences from the official Ubuntu documentation on OpenVPN installation [1]. Before you start, check whether your server has an IPv6 address. If you are looking for tips on running OpenVPN with both IPv4 and IPv6, read the other post, 《OpenVPN both with IPv4 and IPv6》.

Currently the latest stable version of OpenVPN is 2.2.2, and the Ubuntu repo still ships 2.2.1; both support IPv4 only. Thankfully, version 2.3, which supports IPv6, is already in the RC stage, and there is an official apt repo [2], so we can get it easily.

Most of the commands need superuser privileges, so just use root to make everything easy.

1) Install OpenVPN 2.3_rc1 (Both on server and client)
[sh]
wget -O - http://repos.openvpn.net/repos/repo-public.gpg | apt-key add -
cd /etc/apt/sources.list.d
wget http://repos.openvpn.net/repos/apt/conf/repos.openvpn.net-precise-snapshots.list
apt-get update && apt-get install openvpn easy-rsa
[/sh]
Note that we install easy-rsa in addition to openvpn because the easy-rsa examples that used to be in the OpenVPN doc directory no longer exist in OpenVPN 2.3_rc1.

2) Generate Certificate Authority
[sh]
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/
[/sh]
Note that the location of easy-rsa directory has changed.

Edit the "vars" file with vim, nano or another editor (I will use vim in the following examples), and be sure to change the following variables:
[sh]
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
[/sh]
Note that there are two duplicate KEY_EMAIL entries; feel free to delete one. All of these variables are required when building the certificates and keys. Changing them here makes them the default values, so you can just press Enter all the way through.
[sh]
source vars
./clean-all
./build-ca
[/sh]

3) Generate Server Certificates
[sh]
./build-key-server servername
# change servername to whatever you like; just keep it consistent with the configuration.
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp servername.crt servername.key ca.crt dh1024.pem /etc/openvpn/
[/sh]

4) Generate tls auth key (Add more security to OpenVPN port)
[sh]
cd /etc/openvpn
openvpn --genkey --secret ta.key
[/sh]

5) Server Configuration
[sh]
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
vim /etc/openvpn/server.conf
[/sh]
The following is the list of changes to the default configuration file. "A -> B # C" means change A to B; C is a comment for easier reading and can be ignored.
[sh]
port 1194 -> port XXXX # Choose one not fucked by GFW
proto udp -> proto udp6 # IPv6
cert server.crt -> cert servername.crt # Same as the name of the server certificate
key server.key -> key servername.key # ditto
;push "redirect-gateway def1 bypass-dhcp" -> push "redirect-gateway def1 bypass-dhcp" # IP redirect
;tls-auth ta.key 0 -> tls-auth ta.key 0 # tls auth
[/sh]

6) iptables Configuration
[sh]
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/iptables.rules
vim /etc/network/if-up.d/iptables
[/sh]
This will be a new file; put the following in it.
[sh]
#!/bin/sh
iptables-restore < /etc/iptables.rules
[/sh]
After saving the file you need to make it executable.
[sh]
chmod +x /etc/network/if-up.d/iptables
vim /etc/sysctl.conf
[/sh]
All of the following lines are commented out in the default configuration file; just uncomment them.
[sh]
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[/sh]
Note that this is the important difference: it makes IP forwarding work for IPv6 as well. The parameter differs from the IPv4 one, but fortunately it is already listed in the default configuration file. Finally, restart everything involved.
[sh]
sysctl -p
/etc/init.d/openvpn restart
/etc/init.d/networking restart
[/sh]
Now the server side should be working. A simple confirmation is to check whether tun0 or tun1 appears in the ifconfig output. Then let's move on to the clients.

7) Generate Client Certificates
[sh]
cd /etc/openvpn/easy-rsa/
source vars
./build-key clientname
# change clientname to whatever you like; just keep it consistent with the configuration.
[/sh]

8) Client Configuration
The client needs the following files; be careful to download them from the server with scp or something similar. This is the last thing you need to do on the server: everything that remains is done on the client, in addition to step 1). Make sure to copy all the needed files into /etc/openvpn/ so that you can easily run it as a daemon.
[sh]
/etc/openvpn/ca.crt
/etc/openvpn/ta.key
/etc/openvpn/easy-rsa/keys/clientname.crt
/etc/openvpn/easy-rsa/keys/clientname.key
[/sh]
Copy the default client configuration file to /etc/openvpn/
[sh]
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
[/sh]
The following is the list of changes to the default configuration file, in the same notation as the server configuration in step 5).
[sh]
proto udp -> proto udp6
remote my-server-1 1194 -> remote ::1 XXXX # Same IPv6 Address and Port Number
cert client.crt -> cert clientname.crt # Same as the name of the client certificate
key client.key -> key clientname.key # ditto
;tls-auth ta.key 1 -> tls-auth ta.key 1
[/sh]
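
One way to check an edited server.conf or client.conf against the change lists in steps 5) and 8), as an added example that is not part of the original article. The function names and messages are hypothetical, relative key paths are assumed to sit next to the config file (as in the /etc/openvpn layout above), and the permission check on the private key and ta.key goes beyond the change lists.

```shell
#!/bin/sh
# Added example (not from the article): audit an OpenVPN config against the
# change lists in steps 5) and 8). Usage: sh audit.sh <config> <server|client>

# directive <file> <name>: print the arguments of an active (uncommented) directive
directive() {
    awk -v d="$2" '{ sub(/[ \t]*#.*/, "") }
        $1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# secret_ok <path>: true if the file exists with no group/other permission bits
secret_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_conf <file> <server|client>: print findings, return how many there were
audit_conf() {
    conf=$1; role=$2; dir=$(dirname "$conf"); findings=0
    note() { echo "$conf: $*"; findings=$((findings + 1)); }

    [ "$(directive "$conf" proto)" = "udp6" ] || note "proto is not udp6"

    # tls-auth direction is 0 on the server and 1 on the client
    want=0; [ "$role" = client ] && want=1
    ta=$(directive "$conf" tls-auth)
    case "$ta" in
        "")        note "tls-auth is missing or still commented out" ;;
        *" $want") ;;
        *)         note "tls-auth direction should be $want on the $role" ;;
    esac

    # cert and key should share a base name (servername.crt / servername.key)
    cert=$(directive "$conf" cert); key=$(directive "$conf" key)
    [ -n "$cert" ] && [ "${cert%.crt}" = "${key%.key}" ] ||
        note "cert '$cert' and key '$key' do not belong together"

    # Assumption: relative paths resolve against the config's directory.
    # The private key and ta.key should be accessible to their owner only.
    for f in "$key" "${ta% *}"; do
        [ -z "$f" ] && continue
        case "$f" in /*) p=$f ;; *) p=$dir/$f ;; esac
        secret_ok "$p" || note "$f is missing or accessible to group/other"
    done
    return "$findings"
}

if [ "$#" -eq 2 ]; then audit_conf "$1" "$2"; fi
```

The exit status is the number of findings, so 0 means the file matches the change list and its key files are owner-only.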

9) Confirmation
Now you can start OpenVPN with
[sh]
openvpn /etc/openvpn/client.conf
[/sh]
If you can ping 10.8.0.1 successfully, everything should be OK. After that you can make it run as a daemon with
[sh]
update-rc.d openvpn defaults
[/sh]

10) Reference:
[1] https://help.ubuntu.com/12.04/serverguide/openvpn.html
[2] https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
[3] http://www.vpser.net/build/linode-install-openvpn.html

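After Installing Ubuntu 12.04 (Precise)

This post is updated from time to time; last updated 2012/06/02


Changelog

20120516: Optimizing maximized windows: gnome-shell-extension-window-buttons
20120602: Install Calibre: sudo apt-get install calibre


On a whim I once wrote an Ubuntu configuration tutorial, grandly titled the 《邂逅Ubuntu》 ("Encountering Ubuntu") series. Ubuntu has since been updated and GNOME has become gnome shell, but the tutorial was never updated again (to my shame). With Ubuntu 12.04 released not long ago, here is a brief record of the configuration process.

This post mainly records the configuration and beautification process after installing Ubuntu 12.04 (Precise), covering:
1. configuring software sources; 2. installing and configuring gnome shell to replace unity; 3. installing related software; 4. miscellaneous configuration.


Configuring software sources
My strategy is one group for the education network, one for the public network and one official, and beyond that mainly considering geographic location and actual connection speed.
For the education network I recommend Tsinghua, Beijing Jiaotong or Shanghai Jiao Tong (any one will do); for the public network I recommend sohu (the official China mirror) or 163 (again, pick one).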
[shell]
# /etc/apt/sources.list
# tsinghua
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-backports main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-proposed main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-security main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-updates main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-backports main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-proposed main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-security main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu/ precise-updates main multiverse restricted universe

# # bjtu
# deb http://mirror.bjtu.edu.cn/ubuntu/ precise main multiverse restricted universe
# deb http://mirror.bjtu.edu.cn/ubuntu/ precise-backports main multiverse restricted universe
# deb http://mirror.bjtu.edu.cn/ubuntu/ precise-proposed main multiverse restricted universe
# deb http://mirror.bjtu.edu.cn/ubuntu/ precise-security main multiverse restricted universe
# deb http://mirror.bjtu.edu.cn/ubuntu/ precise-updates main multiverse restricted universe
# deb-src http://mirror.bjtu.edu.cn/ubuntu/ precise main multiverse restricted universe
# deb-src http://mirror.bjtu.edu.cn/ubuntu/ precise-backports main multiverse restricted universe
# deb-src http://mirror.bjtu.edu.cn/ubuntu/ precise-proposed main multiverse restricted universe
# deb-src http://mirror.bjtu.edu.cn/ubuntu/ precise-security main multiverse restricted universe
# deb-src http://mirror.bjtu.edu.cn/ubuntu/ precise-updates main multiverse restricted universe

# sohu (official China)
deb http://cn.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb http://cn.archive.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
deb http://cn.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
deb http://cn.archive.ubuntu.com/ubuntu/ precise-proposed main restricted universe multiverse
deb http://cn.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ precise-security main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ precise-proposed main restricted universe multiverse
deb-src http://cn.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

# # 163
# deb http://mirrors.163.com/ubuntu/ precise main restricted universe multiverse
# deb http://mirrors.163.com/ubuntu/ precise-security main restricted universe multiverse
# deb http://mirrors.163.com/ubuntu/ precise-updates main restricted universe multiverse
# deb http://mirrors.163.com/ubuntu/ precise-proposed main restricted universe multiverse
# deb http://mirrors.163.com/ubuntu/ precise-backports main restricted universe multiverse
# deb-src http://mirrors.163.com/ubuntu/ precise main restricted universe multiverse
# deb-src http://mirrors.163.com/ubuntu/ precise-security main restricted universe multiverse
# deb-src http://mirrors.163.com/ubuntu/ precise-updates main restricted universe multiverse
# deb-src http://mirrors.163.com/ubuntu/ precise-proposed main restricted universe multiverse
# deb-src http://mirrors.163.com/ubuntu/ precise-backports main restricted universe multiverse

# official security
deb http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
deb http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse

# canonical partner
deb http://archive.canonical.com/ubuntu precise partner
deb-src http://archive.canonical.com/ubuntu precise partner

# official extras
deb http://extras.ubuntu.com/ubuntu precise main
deb-src http://extras.ubuntu.com/ubuntu precise main
[/shell]

After configuring, remember to update and upgrade

[shell]
sudo apt-get update
sudo apt-get upgrade
[/shell]


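Installing and configuring gnome shell
I previously tinkered with Arch, Gentoo, Mint and Deepin, all because Ubuntu switched to unity. It was a blessing in disguise, as I learned a lot. Now that it is compatible, of course I went straight for it.

Install the basic desktop
[shell]
sudo apt-get install gnome-shell # gnome shell desktop
sudo apt-get install gnome-tweak-tool # advanced configuration tool
[/shell]

Install icon and GTK themes
[shell]
sudo add-apt-repository ppa:tiheum/equinox # add the icon theme PPA
sudo add-apt-repository ppa:satyajit-happy/themes # add the GTK theme PPA
sudo apt-get update # update the package lists
sudo apt-get install faenza-icon-theme faience-icon-theme # two icon themes
sudo apt-get install evolve-gtk-theme orion-gtk-theme # two GTK themes
[/shell]
The icon theme I chose is Faience; the Window theme and GTK+ theme are both Evolve.

Install gnome shell extensions
They can be installed either via PPA or from the website, depending mainly on personal preference and need; configure them with gnome-tweak-tool. Only the ones the author uses are listed here.
Installing via PPA
[shell]
sudo add-apt-repository ppa:webupd8team/gnome3 # add the PPA
sudo apt-get update
sudo apt-get install gnome-shell-extensions # official extensions
sudo apt-get install gnome-shell-system-monitor # unofficial system monitor extension, very extensible
sudo apt-get install gnome-shell-classic-systray # move all bottom message tray icons to the top
sudo apt-get install gnome-shell-extensions-autohidetopbar # auto-hide the top bar
sudo apt-get install gnome-shell-extensions-mediaplayer # integrate music into the sound settings in the status bar
sudo apt-get install gnome-shell-extensions-noa11y # remove the accessibility button
[/shell]
Installing from the GNOME Extensions website
Personally I feel that what the PPA provides is basically enough and is easy to update, but you can also browse the website for more.

Note that the user-themes extension may have a problem that prevents gnome-tweak-tool from opening or makes it report an error on opening; the following two commands fix it
[shell]
sudo cp ~/.local/share/gnome-shell/extensions/user-theme@gnome-shell-extensions.gcampax.github.com/schemas/org.gnome.shell.extensions.user-theme.gschema.xml /usr/share/glib-2.0/schemas/
sudo glib-compile-schemas /usr/share/glib-2.0/schemas
[/shell]

Install a gnome shell theme
I am a bit fastidious and do not like download-and-install, because it is inconvenient to update, but I have not yet found a PPA containing a gnome shell theme I really like. Keep an eye on Satya's PPA (already added when installing the GTK themes). I have contacted the author by email and confirmed that it will continue to be maintained and updated; it just takes some waiting. For now I have installed London Smoke Gnome-Shell as a temporary choice.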

Installing related software
This section lists the packages I use; choose according to your own needs
[shell]
sudo apt-get install ubuntu-restricted-extras # copyright-restricted software
sudo apt-get install ibus ibus-googlepinyin # ibus input method and Google Pinyin input method
sudo apt-get install chromium-browser # Chromium browser
sudo apt-get install flashplugin-installer # flash plugin
sudo apt-get install cheese # webcam software
sudo apt-get install gnome-mplayer vlc # video players
sudo apt-get install gimp # Photoshop alternative
sudo apt-get install pidgin # multi-protocol chat
sudo apt-get install xchat # irc chat
sudo apt-get install libreoffice # office
sudo apt-get install stardict # translation dictionary
sudo apt-get install calibre # e-book management tool
sudo apt-get install gtg # GTD tool
sudo apt-get install bleachbit # system cleaner
sudo apt-get install skype # skype
sudo apt-get install axel # command-line downloader
sudo apt-get install pastebinit # upload text to pastebin from the command line
sudo apt-get install dia # diagram (UML) drawing
sudo apt-get install synergy # share keyboard and mouse across computers
sudo apt-get install vim # the god of editors
sudo apt-get install git # git version control
sudo apt-get install mercurial # hg version control
sudo apt-get install subversion # svn version control
sudo apt-get install bzr bzrtools # bzr version control
sudo apt-get install octave # Matlab alternative
sudo apt-get install python-dev python-pip # python dev pip
sudo apt-get install apache2 # apache server
sudo apt-get install nginx # nginx server
sudo apt-get install mysql-server mysql-client # mysql database

sudo apt-get install openvpn # no need to explain what this one is for
sudo apt-get install proxychains # command-line proxy
# once proxychains (/etc/proxychains.conf) is configured, dropbox installs without trouble
sudo proxychains apt-get install nautilus-dropbox # dropbox file sync

sudo add-apt-repository ppa:tualatrix/ppa # add the ubuntu-tweak PPA
sudo apt-get update # update the package lists
sudo apt-get install ubuntu-tweak # a tweak utility for Ubuntu
[/shell]

In addition, there are installation notes for the MongoDB database and for fprint fingerprint recognition; see the corresponding pages for details


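Miscellaneous configuration
Install and update language packs
"System Settings" -> "Language Support"
In "Install / Remove Languages…" choose to install "Chinese (simplified)" and "English"
In the input method selection at the bottom, choose ibus

Configure fonts
Installing the Chinese language pack also installs the corresponding Chinese fonts, which can be configured with gnome-tweak-tool
I have always liked WenQuanYi Micro Hei, and I use WenQuanYi Micro Hei Mono as the monospace font

Fix the position of Chromium's title bar buttons
Because of Unity, Chromium's title bar buttons are displayed on the left; either of the following commands fixes this
[shell]
# title bar with only a close button
gconftool-2 --set /apps/metacity/general/button_layout --type string ":close"
# title bar with the usual minimize, maximize and close buttons
gconftool-2 --set /apps/metacity/general/button_layout --type string ":minimize,maximize,close"
[/shell]

Show startup items in Startup Applications Preferences
By default many startup items are not shown; the following command makes them visible
[shell]
sudo sed -i 's/NoDisplay=true/NoDisplay=false/g' /etc/xdg/autostart/*.desktop
[/shell]

Optimizing maximized windows
This mainly uses the new window-buttons extension from ppa:webupd8team/gnome3 (configured earlier)
[shell]
sudo apt-get install gnome-shell-extension-window-buttons # move the window title bar's maximize/minimize and close buttons to the bar at the top
sudo apt-get install dconf-tools # tool needed to configure the extension
sudo apt-get install maximus # remove the title bar when maximized
sudo apt-get install gconf-editor # tool needed to configure maximus
[/shell]

1) In gconf-editor, go to apps > maximus
1.1) Enable 'no_maximus'
2) In dconf-editor, go to org > gnome > shell > extensions > window-buttons,
2.1) Enable "onlymax" and "hideonnomax": hide the buttons in the title bar when a window (such as the desktop or gnome-tweak-tool) does not support maximizing
2.2) Other settings such as theme and order can be changed to taste


Everything else is mainly adjusting system and application settings to personal taste
That completes the basic configuration; discussion and suggestions for improvement are welcome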

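Installing MongoDB on Ubuntu

Because of Ubuntu's release rules, the components in the repository are often not the latest, so sometimes the official PPA is needed as a supplement. MongoDB is one example: the version in the repository does not even support UTF-8. The official site already has a detailed explanation; this is mainly a restatement for the record.

Without further ado, here is the code:
[shell]
# Add GPG key
apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10

# Add source list
echo "deb http://downloads-distro.mongodb.org/repo/debian-sysvinit dist 10gen" > /etc/apt/sources.list.d/mongodb.list

# update and install
apt-get update
apt-get install mongodb-10gen
[/shell]

There is also a simple script here that automates the installation; copy it into a separate file and run "sudo sh filename".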