Yegor G. yegorg
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
vrrp_script chk_haproxy {
script "killall -0 haproxy" # verify the pid existence
interval 2 # check every 2 seconds
weight 2 # add 2 points of prio if OK
}
vrrp_instance VI_1 {
interface eth0 # interface to monitor
state MASTER
virtual_router_id 51 # Assign one ID for this route
yegorg / kibana.json
Created November 11, 2015 08:46 — forked from untergeek/kibana.json
Simple Kibana dashboard for collectd stats
{
"title": "Collectd: Blackbox",
"services": {
"query": {
"list": {
"0": {
"query": "plugin:\"load\"",
"alias": "Load",
"color": "#7EB26D",
"id": 0,
yegorg / rsyslog-35-remote.conf
Created November 12, 2015 02:06
enable remote logging / server
$modload imtcp
$InputTCPServerRun 10514
# $ActionQueueType LinkedList # use asynchronous processing
# $ActionQueueFileName srvrfwd # set file name, also enables disk mode
# $ActionResumeRetryCount -1 # infinite retries on insert failure
# $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
# *.notice @@logserver.local:10514
auth,authpriv.* -/var/log/auth.log
yegorg / instructions.md
Created November 12, 2015 05:18 — forked from jiphex/instructions.md
Static OpenVPN between two hosts

Static OpenVPN configuration between a single pair of hosts

So you've got two boxes, separated by some kind of network that you're not in control of, and you'd like to encrypt traffic between them. You're not going to have multiple clients connecting to each other, just these two boxes.

As of OpenVPN 2, it's possible to configure the hosts in peer-to-peer mode, with static keying, meaning that the actual VPN setup is super easy:

  1. Install OpenVPN (>=2) on both boxes, the standard Wheezy version is fine.
  2. Generate a static key as follows: openvpn --genkey --secret /path/to/somewhere/secret.key
  3. Copy the secret key to both boxes over a secure channel (e.g. SSH)
  4. Create /etc/openvpn/p2p.conf on both boxes as shown in box1.vpn.cnf and box2.vpn.cnf below
yegorg / text.md
Created November 12, 2015 05:19 — forked from awinder/text.md
Vyatta Blog Post Outline

Building Secure Networks with Vyatta

What is Vyatta, and why do you want to use it?

  • Discussion of key strengths of Vyatta, and firewalls in general
  • Link to the open-source VyOS version and the commercial Vyatta project
  • Talk about Softlayer choices specifically -- why the Softlayer version is insecure / finicky with SSL & PPTP options, limitations & cost of the Fortigate appliance

Splitting your public and private traffic

yegorg / README.md
Created November 12, 2015 05:38 — forked from schickling/README.md
Install OpenVPN on Ubuntu 14.04 for yourserver.se

Preconditions

  • You need to have TUN/TAP enabled

Install dependencies

$ apt-get install -y openvpn easy-rsa
yegorg / sysctl.conf
Created September 20, 2016 09:25 — forked from jgeiger/sysctl.conf
Tweaked sysctl.conf for ubuntu
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
yegorg / blocksync.py
Created March 31, 2017 08:07 — forked from shodanshok/blocksync.py
Block device sync between remote hosts. Based off http://www.bouncybouncy.net/programs/blocksync.py
#!/usr/bin/env python
"""
Synchronise block devices over the network
Copyright 2006-2008 Justin Azoff
Copyright 2011 Robert Coup
License: GPL
Getting started:
yegorg / DNS tunneling with iodine.md
Created May 31, 2017 19:03 — forked from nukeador/DNS tunneling with iodine.md
How to install and use iodine for DNS tunneling.

## Domain

We need some records on our domain (mydomain.com) DNS for connections. Add these records:

t1              IN      NS      t1ns.mydomain.com. ; note the final dot!
t1ns            IN      A       OUR_SERVER_IP

## Server