HOW-TO setup Plesk with Samba Share and OpenVPN on CentOS
Date: 15 April 2010
Source: GraFX
Plesk Samba Share
In order to use Plesk Samba Share, you must have Plesk installed on a CentOS Linux system. Once you have Plesk installed:
- Point to the administration panel: https://yourdomain.tld:8443/ and log in with your credentials
- Go to the "Modules" Section
- Click on the "Samba FileServer Configuration"
* If you do not see that Module, you probably have to install that module.
- When you are there, you may start setting up your Samba Server.
- You must create a New Share in the Share Tab and give it a real path (make sure that the real path exists on the server; if you do not have it, create it via SSH with the "mkdir" command), then check whether it is writeable and who has access to it.
- In the Users tab, add a new user that will be used to access the Windows Share. Note that you must match the Virtual user to a real UNIX Account on the server.
- In the Interfaces tab, Plesk will automatically detect the interface on which the Samba Share will listen for connections. Do NOT set it to broadcast mode if you intend to use that resource privately!
- In the Access tab you may define which hosts or subnets are allowed to access the Share. Note that if the list is empty, everyone will be allowed to access. If the list is populated, then only the listed hosts or subnets will have access.
Warning! Your goal is to enable File Sharing through the VPN, so you MUST specify ONLY the VPN subnet as allowed to access the Share; requests from any host outside the VPN must be refused.
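As an added check that is not part of the original how-to, the following shell script reads a Samba configuration back and reports whether a share's "hosts allow" list contains only the VPN subnet (an empty list means Samba accepts every host, which is the state the warning above is about). The smb.conf text and the share names are constructed for the example; the 10.0.0.0/24 subnet is the pool the OpenVPN server configuration below hands out. On the real server feed it the normalised output of testparm -s instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original how-to: verify that a Samba share's
# "hosts allow" list contains only the VPN subnet. Plesk writes smb.conf for
# you; this reads that text back and flags shares that are open to everyone.

VPN_SUBNET="10.0.0.0/24"   # the pool handed out by the OpenVPN "server" line

# Constructed sample in the shape Plesk/testparm produce. [private] is the
# intended state; [open] has an empty access list, which Samba treats as
# "allow every host".
SAMPLE_SMB_CONF='[global]
workgroup = WORKGROUP
interfaces = 10.0.0.1/24
bind interfaces only = yes

[private]
path = /srv/samba/private
writeable = yes
hosts allow = 10.0.0.0/24

[open]
path = /srv/samba/open
writeable = yes
'

# smb_param CONFIG_TEXT SHARE KEY: print the value of KEY inside [SHARE],
# or nothing if the key is absent. Leading tabs (testparm output) are ignored.
smb_param() {
    printf '%s\n' "$1" | awk -v want="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == want); next }
        insec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
        }'
}

# share_vpn_only CONFIG_TEXT SHARE: return 0 when every entry in "hosts allow"
# is exactly VPN_SUBNET, 1 otherwise (with the reason on stdout).
share_vpn_only() {
    allow=$(smb_param "$1" "$2" "hosts allow" | tr ',' ' ')
    if [ -z "$allow" ]; then
        echo "$2: OPEN - empty 'hosts allow' means every host is accepted"
        return 1
    fi
    for h in $allow; do
        if [ "$h" != "$VPN_SUBNET" ]; then
            echo "$2: allows non-VPN source '$h'"
            return 1
        fi
    done
    echo "$2: restricted to $VPN_SUBNET"
}

# Demo run over the constructed sample. On the server use:
#   share_vpn_only "$(testparm -s 2>/dev/null)" "<share name>"
for s in private open; do
    share_vpn_only "$SAMPLE_SMB_CONF" "$s" || true
done
```

The check only looks at the share's own section and requires the entry to be written exactly as the VPN subnet; a share that mixes in a LAN range is reported as not VPN-only, which is the state you want to catch before opening the tunnel.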
OpenVPN Secure Server
1. Now that Samba is set up and it accepts connections from VPN hosts only, we must set up the VPN. Log on the server using SSH and become root.
Please run these commands to install and configure OpenVPN:
    yum update
    yum install openssl openssl-devel   # openssl and openssl-devel may be installed already... so don't worry
2. Right, now you want to install OpenVPN, here are the commands,
    yum install openvpn -y
3. A few things to set up before you can make certificates, issue these commands,
    find / -name "easy-rsa"
    # you should get an output like this...
    # /usr/share/doc/openvpn-2.0.7/easy-rsa
    # Now, make a copy of the easy-rsa directory to /etc/openvpn/ (make sure you
    # have put the right version number in, i.e. mine was -2.0.7, change if needed)
    cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
    cd /etc/openvpn/easy-rsa
    chmod 755 *    # the scripts only need to be executable; world-writable (777) is not needed
    mkdir /etc/openvpn/keys
4. You need to edit the vars file, located in /etc/openvpn/easy-rsa
You may use any editor you like, I have used vi.
Change the line
    export KEY_DIR=$D/keys
to
    export KEY_DIR=/etc/openvpn/keys
Also at the bottom of this file you will see something similar to this,
    export KEY_COUNTRY=US
    export KEY_PROVINCE=CA
    export KEY_CITY=SOMEWHERE
    export KEY_ORG="My Org"
    export KEY_EMAIL=me@mydomain.com
Change this to your own values.
5. Now it's time to make the certificates, enter these commands
    . ./vars    # source the file with ". ./vars": running it as "./vars" sets the variables in a subshell only
    ./clean-all
    ./build-ca  # just hit enter to the defaults apart from Common Name, this must be unique
                # call it something like mydomain-ca
    ./build-key-server server
    ./build-key client1   # remember that common name must be unique e.g. use mydomain-client1
                          # and YES you want to sign the keys
    ./build-key client2   # do this step for as many clients as you need.
    ./build-dh
6. We are almost done now... though we need to create a few config files, you may download my template from here,
    cd /etc/openvpn
Save the configuration as a .conf file in /etc/openvpn (e.g. server.conf; the CentOS init script starts every *.conf file found there):
    port 1194
    proto udp
    dev tun
    # The init script runs openvpn with /etc/openvpn as working directory, so these relative
    # names must exist there. easy-rsa wrote keys/ca.crt, keys/server.crt, keys/server.key
    # and keys/dh1024.pem: either copy/rename them to the names below or point these
    # lines at the real files.
    ca rootca.crt
    cert server.crt
    key server.key
    dh dh.key
    # tls-auth tlsauth.key 0
    server 10.0.0.0 255.255.255.0
    topology subnet
    push "route 10.0.0.0 255.255.255.0"
    ifconfig-pool-persist dhcp.db
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    # To enable client-to-client interchange, uncomment this:
    #client-to-client
    ## For Certificate Auth (only works if the client certificates carry nsCertType=client,
    ## see the [usr_cert] section of easy-rsa's openssl.cnf):
    ns-cert-type client
    ## For user/pass Auth:
    #client-cert-not-required
    #username-as-common-name
    #plugin /usr/lib/openvpn/openvpn-auth-pam.so login
    #tmp-dir /tmp
Warning! This is only an example! There are lots of other parameters that OpenVPN can be customised with. Please visit the Official Documentation to learn about them!
    touch server-tcp.log    # this makes the log file..
    touch dhcp.db           # this makes the IP reservation list; the name must match ifconfig-pool-persist above
7. You need to make a few changes to OpenVPN itself. Go to..
    cd /etc/init.d/
Edit the openvpn file.
    # Uncomment this line (line 119)
    echo 1 > /proc/sys/net/ipv4/ip_forward
Add the line below, changing *.*.*.* to your public IP address. The source must be the VPN subnet defined by the "server" line (10.0.0.0/24); a /0 mask would match every source address, not just VPN clients.
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source *.*.*.*
Now install iptables if you don't have it already,
    yum install iptables
    # test it
    service iptables start
    service iptables stop
8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN, use the gui version, downloadable from here;
http://openvpn.net/release/openvpn-2.1.1-install.exe
You need to copy a few files from the server to your client machine, here is the list, located in /etc/openvpn/keys/
## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.
rootca.crt
client1.csr
client1.key
client1.crt
Put these files in this directory: C:\Program Files\OpenVPN\config
Now you need to make a client config, here is an example..
    client
    remote *.*.*.* 1194
    float
    proto udp
    dev tun
    ca rootca.crt
    cert client1.crt
    key client1.key
    # tls-auth tlsauth.key 1
    ns-cert-type server
    keepalive 10 120
    cipher AES-256-CBC
    auth SHA1
    comp-lzo
    status openvpn-status.log
    verb 3
Make sure you edit the parameters to fit your needs.
Warning! This is only an example! There are lots of other parameters that OpenVPN can be customised with. Please visit the Official Documentation to learn about them!
Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config
Make sure the file extension is .ovpn and not .txt
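Before connecting, it is worth checking the client file against the server configuration: a client that keeps OpenVPN's default cipher or lacks comp-lzo completes the TLS handshake and then fails to pass data, and a client without "ns-cert-type server" will accept any certificate signed by your CA as the server. The script below, an added example rather than part of the original how-to, extracts the settings that must agree and counts the disagreements. Both configurations in it are constructed to resemble the server and client examples above; the remote address is a placeholder, and on a real host you pass the file contents as shown in the comment.

```shell
#!/bin/sh
# Added example, not from the original how-to: compare an OpenVPN server config
# with a client .ovpn and list the settings that must agree before the tunnel
# works. Both configs below are constructed; on a real host pass file contents:
#   ovpn_check "$(cat /etc/openvpn/server.conf)" "$(cat client1.ovpn)"

SERVER_CONF='port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0
topology subnet
cipher AES-256-CBC
comp-lzo
ns-cert-type client
keepalive 10 120
'

# Matches the server on every negotiated setting (203.0.113.10 is a placeholder).
CLIENT_OK='client
remote 203.0.113.10 1194
proto udp
dev tun
cipher AES-256-CBC
comp-lzo
ns-cert-type server
'

# Cipher left at the OpenVPN 2.x default (BF-CBC), no comp-lzo and no server
# certificate pinning: the handshake completes, data packets fail to decrypt.
CLIENT_BAD='client
remote 203.0.113.10 1194
proto udp
dev tun
'

# ovpn_opt CONFIG_TEXT OPTION: print the option's arguments, "-" for a bare
# flag such as comp-lzo, or nothing if the option is absent.
ovpn_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*(#|;)/ { next }
        $1 == key { if (NF > 1) { $1 = ""; sub(/^ +/, ""); print } else { print "-" }; exit }'
}

# ovpn_check SERVER_TEXT CLIENT_TEXT: print one line per disagreement and
# return the number found (0 means the pair is consistent).
ovpn_check() {
    srv=$1; cli=$2; bad=0
    s_port=$(ovpn_opt "$srv" port); s_port=${s_port:-1194}
    c_port=$(ovpn_opt "$cli" remote | awk '{ print $2 }'); c_port=${c_port:-1194}
    if [ "$s_port" != "$c_port" ]; then
        echo "port: server listens on $s_port, client connects to $c_port"; bad=$((bad + 1))
    fi
    for key in proto dev cipher comp-lzo; do
        s=$(ovpn_opt "$srv" "$key"); c=$(ovpn_opt "$cli" "$key")
        case $key in
            proto)  s=${s:-udp}; c=${c:-udp}; s=${s%-server}; c=${c%-client} ;;
            cipher) s=${s:-BF-CBC}; c=${c:-BF-CBC} ;;
        esac
        if [ "$s" != "$c" ]; then
            echo "$key: server '$s', client '$c'"; bad=$((bad + 1))
        fi
    done
    # The client should insist on a server-typed certificate; otherwise any
    # valid client certificate from the same CA could pose as the server.
    if [ "$(ovpn_opt "$cli" ns-cert-type)" != server ] && [ "$(ovpn_opt "$cli" remote-cert-tls)" != server ]; then
        echo "client does not pin the server certificate type (ns-cert-type server / remote-cert-tls server)"
        bad=$((bad + 1))
    fi
    return $bad
}

# Demo runs over the constructed pairs.
ovpn_check "$SERVER_CONF" "$CLIENT_OK" && echo "client1: consistent"
ovpn_check "$SERVER_CONF" "$CLIENT_BAD" || echo "client with defaults: $? problem(s)"
```

Defaults are filled in the way OpenVPN 2.x does (port 1194, proto udp, cipher BF-CBC) so that an option missing on one side is compared against what that side will actually use, and tcp-server/tcp-client are normalised to tcp before comparison.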
To connect right click on OpenVPN in the taskbar >> Connect
Now access the Samba Share on the server from Windows using the internal VPN IP
* Note: the traffic is encrypted between the client and the server when the internal VPN IP is used
You're in business!
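One last server-side piece, added here as an example and not taken from the original how-to: the host firewall rules that belong with step 7. They scope the SNAT rule to the VPN pool (10.0.0.0/24, the "server" line of the configuration above) rather than to 10.0.0.0/0, and they accept the SMB ports only from VPN clients arriving on the tunnel interface, so the Samba "hosts allow" list is not the only thing standing between the share and the Internet. The interface names eth0 and tun0 and the public address 203.0.113.10 are assumptions for the example; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the original how-to: the host firewall policy that
# goes with steps 7 and 8. SNAT is limited to the VPN pool instead of
# 10.0.0.0/0, and SMB is accepted only from VPN clients on the tun interface.
# Assumptions (not from the page): WAN_IF is eth0, the VPN device is tun0,
# and PUBLIC_IP is a placeholder you replace with the server's real address.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder (RFC 5737 TEST-NET-3)
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="tun0"
VPN_SUBNET="10.0.0.0/24"                  # must match the "server" line in server.conf

# vpn_fw_rules: print the commands, one per line, without executing anything.
# Order matters: the scoped ACCEPT rules precede the catch-all DROP rules.
vpn_fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
iptables -A INPUT -i $VPN_IF -s $VPN_SUBNET -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -i $VPN_IF -s $VPN_SUBNET -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP
iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
EOF
}

# snat_source: print the -s argument of the POSTROUTING rule (the scope of the
# NAT); anything other than the VPN subnet is a misconfiguration.
snat_source() {
    vpn_fw_rules | awk '/POSTROUTING/ { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }'
}

# smb_accept_unscoped: count SMB ACCEPT rules that lack the VPN source
# constraint (should be 0).
smb_accept_unscoped() {
    vpn_fw_rules | grep -- '--dports 1[34][0-9]' | grep -- '-j ACCEPT' | grep -vc -- "-s $VPN_SUBNET" || true
}

# Run with APPLY=1 to execute the rules; "service iptables save" then keeps
# them across reboots. Without APPLY the script only prints them.
if [ "${APPLY:-0}" = 1 ]; then
    vpn_fw_rules | sh -e
else
    vpn_fw_rules
fi
```

If you prefer the page's approach of putting the NAT rule into /etc/init.d/openvpn, take just the POSTROUTING line from the output; the SMB rules can live in the regular iptables configuration.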