Because I was looking for the option of running a Oracle VM server at home, with a couple of virtual machines running on it, I wanted these virtual machines to be accessible remotely, when I’m on the road. The requirements I had where the following:
VPN software must be free
VPN software must be available for Linux (Oracle Enterprise Linux), Mac OS X and Windows
No tweaking of my currently used router (Apple Time Capsule)
VPN software must be easy to configure

The first three requirements where not that difficult, but I had some trouble configuring the software. At the end I ended up with the following software:
OpenVPN, software for both running a VPN server and client
Tunnelblick, software for running a VPN client on Mac OS X

Installing packages on the OpenVPN server

My startup-point was a installed Oracle Enterprise Linux 5 update 5 64 bit. I did a minimal installation, since I only wanted this server to be my OpenVPN server. If you create this new server as a virtual machine, make sure that your network card is bridged to the physical network card in your computer. Give your new server a dedicated ip-address, since you have to make an adjustment in your router. At my home I use the network segment 192.168.123.0/255.255.255.0. So I gave my OpenVPN server the ip-address 192.168.123.200.

Install the following packages:

lzo2-2.02-3.el5.rf.x86_64.rpm
openvpn-2.0.9-1.el5.rf.x86_64.rpm

If you follow the links above, it will get you to the site where you can download the RPM’s. Copy the packages to your server that you’re going to use as your OpenVPN server.

Install the packages with the rpm command:

[root@openvpn ~]# rpm -ivh lzo2-2.02-3.el5.rf.x86_64.rpm
warning: lzo2-2.02-3.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing… ########################################### [100%]
1:lzo2 ########################################### [100%]
[root@openvpn ~]# rpm -ivh openvpn-2.0.9-1.el5.rf.x86_64.rpm
warning: openvpn-2.0.9-1.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing… ########################################### [100%]
1:openvpn ########################################### [100%]

The packages are installed. Now it’s time to do the configuration of the OpenVPN server.

Configuration of the OpenVPN server

A lot of files of the openvpn package are placed in the directory /usr/share/doc/openvpn-2.0.9.
Thirst thing we’re going to do, is to create the certificates for our OpenVPN server. Go to the directory /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0:
[root@openvpn ~]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/
Change the Makefile that’s in this directory and set the DESTDIR to /etc/openvpn. After that the file will look simular to this:
DESTDIR=/etc/openvpn
PREFIX=

all:
echo "All done."
echo "Run make install DESTDIR=/usr/share/somewhere"

install:
install -c –directory "${DESTDIR}/${PREFIX}"
install -c –mode=0755 build-* "${DESTDIR}/${PREFIX}"
install -c –mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
install -c –mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"
Run the make install command to install all the necessary files to the directory /etc/openvpn:
[root@openvpn 2.0]# make install
install -c –directory "/etc/openvpn/"
install -c –mode=0755 build-* "/etc/openvpn/"
install -c –mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "/etc/openvpn/"
install -c –mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "/etc/openvpn/"

Go to the directory /etc/openvpn:
[root@openvpn 2.0]# cd /etc/openvpn
Change the last lines of the vars file that’s in this directory:
export KEY_COUNTRY="NL"
export KEY_PROVINCE="NH"
export KEY_CITY="dummytown"
export KEY_ORG="Dummy-Org"
export KEY_EMAIL="foo@dummy.org"
Fill in the Country, Province, City, Organization and an email address.

Make sure that the parameters are set by running the source command. You can ignore the message about the clean-all script:

[root@openvpn openvpn]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys

Run the clean-all procedure to clean the keys directory, if this is the first time, than this directory does not exists:
[root@openvpn openvpn]# ./clean-all
Build the certificate authority:
[root@openvpn openvpn]# ./build-ca
Generating a 1024 bit RSA private key
………………………………++++++
……..++++++
writing new private key to ‘ca.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [dummytown]:
Organization Name (eg, company) [Dummy-Org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [Dummy-Org CA]:
Email Address [foo@dummy.org]:

Create the server certificates:
[root@openvpn openvpn]# ./build-key-server server
Generating a 1024 bit RSA private key
……++++++
………………..++++++
writing new private key to ‘server.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [dummytown]:
Organization Name (eg, company) [Dummy-Org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [server]:
Email Address [foo@dummy.org]:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’NL’
stateOrProvinceName :PRINTABLE:’NH’
localityName :PRINTABLE:’dummytown’
organizationName :PRINTABLE:’Dummy-Org’
commonName :PRINTABLE:’server’
emailAddress :IA5STRING:’foo@dummy.org’
Certificate is to be certified until May 11 14:27:28 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create at least one client key:

[root@openvpn openvpn]# ./build-key client1
Generating a 1024 bit RSA private key
…………………….++++++
…..++++++
writing new private key to ‘client1.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [dummytown]:
Organization Name (eg, company) [Dummy-Org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [client1]:
Email Address [foo@dummy.org]:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’NL’
stateOrProvinceName :PRINTABLE:’NH’
localityName :PRINTABLE:’dummytown’
organizationName :PRINTABLE:’Dummy-Org’
commonName :PRINTABLE:’client1′
emailAddress :IA5STRING:’foo@dummy.org’
Certificate is to be certified until May 11 14:28:33 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create the Diffie-Hellman (DH) settings:

[root@openvpn openvpn]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
……………………………………………………………………………..+………………………………………………………………………………………………+……………..+…………….+……………………………………………+…………………..+………………………………………………………………………………………………………………………………………………………………………………………………+…………………………+………………………………………………………………………………………………….+……..+……………………………………………………………..+…………………………………………………………………………………+…+…………………………………………………..+………………………………………………………………………………………+………………………………+……………………………………………………………………………+..+……………………….+…………………………………………………………………………………+……………..+…….+………………………………..+………………………+…………+…….+….+……………………..+……………………………………………………………………………………….+…………+…………….+………………………………………………………+…..+.+……..+………………………………………………+………………………………+……………….+………………………………………………….+…………………………………………………..+……………………………………………………+…………………..+…………………………………………+.+…………………………………….+..+………………………………………………………+……………………………………………………………………………………………………………………………………………..+…………………………….+………………..+…………+………………….+……………………..+……………………………………………………………………………………+………+…..+……+………….+…….+………………………..+.+………..+…………………………+………+……+……………..+…………………………………………………………………………………+………..+………………………………………….+…+……………………………+……………………………………..+……………….+..+……………………….+…………………..+………………+..+……………+………………………………………………………………….++*++*++*

Copy the following files from the /usr/share/doc/openvpn-2.0.9/sample-config-files to the /etc/openvpn directory:
openvpn-shutdown.sh
openvpn-startup.sh
server.conf
[root@openvpn openvpn]# cd /usr/share/doc/openvpn-2.0.9/sample-config-files/
[root@openvpn sample-config-files]# cp -pv openvpn-startup.sh openvpn-shutdown.sh server.conf
`openvpn-startup.sh’ -> `/etc/openvpn/openvpn-startup.sh’
`openvpn-shutdown.sh’ -> `/etc/openvpn/openvpn-shutdown.sh’
`server.conf’ -> `/etc/openvpn/server.conf’
Important: Remove from the openvpn-startup.sh and openvpn-shutdown.sh files the .sh extension. The init script in /etc/init.d/openvpn uses the filenames openvpn-startup and openvpn-shutdown.
Make sure that the files firewall.sh, openvpn-shutdown.sh and openvpn-startup.sh can be executed:

[root@openvpn sample-config-files]# cd /etc/openvpn
[root@openvpn openvpn]# chmod u+x firewall.sh openvpn-shutdown.sh openvpn-startup.sh
Modify the file server.conf so that at least it contains the following entries:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.123.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Copy the files ca.crt, server.crt, server.key and dh1024.epm from the /etc/openvpn/keys directory to the /etc/openvpn directory:
[root@openvpn openvpn]# cd /etc/openvpn/keys/
[root@openvpn keys]# cp -pv ca.crt server.crt server.key dh1024.pem ..
`ca.crt’ -> `../ca.crt’
`server.crt’ -> `../server.crt’
`server.key’ -> `../server.key’
`dh1024.pem’ -> `../dh1024.pem’

Start the openvpn service with the service command:
[root@openvpn openvpn]# service openvpn start
Starting openvpn: [ OK ]

Make sure that the openvpn service is started at boottime:
[root@openvpn openvpn]# chkconfig openvpn on
[root@openvpn openvpn]# chkconfig openvpn –list
openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
You can check the file /var/log/messages for the results of the startup:
May 14 17:10:10 openvpn kernel: tun: Universal TUN/TAP device driver, 1.6
May 14 17:10:10 openvpn kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 14 17:10:10 openvpn openvpn[9060]: OpenVPN 2.0.9 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
May 14 17:10:10 openvpn openvpn[9060]: Diffie-Hellman initialized with 1024 bit key
May 14 17:10:10 openvpn openvpn[9060]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 14 17:10:10 openvpn openvpn[9060]: TUN/TAP device tun0 opened
May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip link set dev tun0 up mtu 1500
May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
May 14 17:10:10 openvpn openvpn[9060]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
May 14 17:10:10 openvpn openvpn[9068]: UDPv4 link local (bound): [undef]:1194
May 14 17:10:10 openvpn openvpn[9068]: UDPv4 link remote: [undef]
May 14 17:10:10 openvpn openvpn[9068]: MULTI: multi_init called, r=256 v=256
May 14 17:10:10 openvpn openvpn[9068]: IFCONFIG POOL: base=10.8.0.4 size=62
May 14 17:10:10 openvpn openvpn[9068]: IFCONFIG POOL LIST
May 14 17:10:10 openvpn openvpn[9068]: Initialization Sequence Completed

I had the linux firewall (iptables) running on my system, so I added another rule to this firewall, to allow incomming udp traffic on port 1194. I did this with the configuration tool system-config-security-tui.
Select the option Customize and in the Firewall Configuration – Customize screen add the following to the Other ports section: 1194:udp. Once that’s done you can check you’re newly added rule with the service iptables status command:
[root@openvpn sysconfig]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all — 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all — 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all — 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp — 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah — 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp — 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all — 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT udp — 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
10 ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11 REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

The configuration of the OpenVPN server is finished. The following thing to do, is to install and configure the client.

Opening the OpenVPN port on your Apple Time Capsule

To make sure that you can connect to your OpenVPN server from the internet, you must redirect port 1194 on your Time Capsule to your OpenVPN server.
Start the Airport Utility (I always use Spotlight to do this)
Select your Time Capsule
Select the Advanced options and select Port Mapping
Click on the plus button to add a new port mapping
Fill in the following entries:
Service: leave untouched
Public UDP Port(s): 1194
Public TCP Port(s): leave empty
Private IP Address: 192.168.123.200 (use the ip-address of your OpenVPN server)
Private UDP Port(s): 1194
Private TCP Port(s): leave empty
Click on the Continue button to effectuate the changes
In the next screen give a description for the portmapping. I used openvpn for that
Click on the Done button
Click on the the Update button
You’re Time Capsule will be restarted to make the changes permanent

If you’re using another router you must check the documentation of that router, how to map ports to particular servers.

Installation and configuration of Tunnelblick

Tunnelblick is an OpenVPN Graphic User Interface (GUI) for Mac OS X. The installation is very straightforward can be done just like installing any other program on Mac OS X.
Download the program at http://code.google.com/p/tunnelblick/.
Open the downloaded dmg file and double-click on the Tunnelblick icon to start the installation. Answer yes to the question if Tunnelblick should be started.
After the installation a Tunnelblick icon is placed near the Spotlight icon.
The configuration files for Tunnelblick are placed in the directory /Users/<your Mac username>/Library/Application Support/Tunnelblick/Configurations. Open the file openvpn.conf in your favorite editor.
Make sure that the configuration file contains at least the following entries:
client
dev tun
proto udp
remote <ip-address of your internet connection at home> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
The ip-address of your internet connection can be determined with the help of the website http://whatismyipaddress.com/. The ip-address is shown in blue at the right.
Copy the following files from your OpenVPN server to your Mac:
ca.crt
client1.crt
client1.key
These files are located at the /etc/openvpn/keys directory. The must be copied to the directory /Users/<your Mac username>/Library/Application Support/Tunnelblick/Configurations. I always use Cyberduck for copying files between Linux and Mac OS X.
Once the files are copied to the right location, you can test your VPN connection.
On the Tunnelblick icon, click with the right mouse button on Details.

Next thing to do is click on the Connect button. If you’re tunnel is working, you should see output similar to the following:
2010-05-16 20:59:19 *Tunnelblick: OS X 10.6.3; Tunnelblick 3.0 (build 1437); OpenVPN 2.1.1
2010-05-16 21:01:42 *Tunnelblick: Attempting connection with openvpn.conf; Set nameserver = 1; monitoring connection
2010-05-16 21:01:42 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start openvpn.conf 1337 1 0 0 0
2010-05-16 21:01:42 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpn –management-query-passwords –cd /Users/rob/Library/Application Support/Tunnelblick/Configurations –daemon –management-hold –management 127.0.0.1 1337 –config /Users/rob/Library/Application Support/Tunnelblick/Configurations/openvpn.conf –script-security 2 –up "/Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh" –down "/Applications/Tunnelblick.app/Contents/Resources/client.down.osx.sh" –up-restart
2010-05-16 21:01:42 SUCCESS: pid=22922
2010-05-16 21:01:42 SUCCESS: real-time state notification set to ON
2010-05-16 21:01:42 SUCCESS: real-time log notification set to ON
2010-05-16 21:01:42 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2] [PKCS11] built on Feb 24 2010
2010-05-16 21:01:42 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2010-05-16 21:01:42 waiting…
2010-05-16 21:01:42 MANAGEMENT: Client connected from 127.0.0.1:1337
2010-05-16 21:01:42 MANAGEMENT: CMD ‘pid’
2010-05-16 21:01:42 MANAGEMENT: CMD ‘state on’
2010-05-16 21:01:42 MANAGEMENT: CMD ‘log on all’
2010-05-16 21:01:42 END
2010-05-16 21:01:42 MANAGEMENT: CMD ‘hold release’
2010-05-16 21:01:42 SUCCESS: hold release succeeded
2010-05-16 21:01:42 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2010-05-16 21:01:42 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
2010-05-16 21:01:42 LZO compression initialized
2010-05-16 21:01:42 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2010-05-16 21:01:42 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2010-05-16 21:01:42 Local Options hash (VER=V4): ’41690919′
2010-05-16 21:01:42 Expected Remote Options hash (VER=V4): ’530fdded’
2010-05-16 21:01:42 Socket Buffers: R=[42080->65536] S=[9216->65536]
2010-05-16 21:01:42 UDPv4 link local: [undef]
2010-05-16 21:01:42 UDPv4 link remote: <internet ip-address>:1194
2010-05-16 21:01:42
2010-05-16 21:01:44
2010-05-16 21:01:44 sid=e216f399 26ce1e22
2010-05-16 21:01:45 /C=NL/ST=NH/L=dummytown/O=Dummy-Org/CN=Dummy-Org_CA/emailAddress=foo@dummy.org
2010-05-16 21:01:45 /C=NL/ST=NH/L=dummytown/O=Dummy-Org/CN=server/emailAddress=foo@dummy.org
2010-05-16 21:01:46 Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
2010-05-16 21:01:46 Data Channel Encrypt: Using 160 bit message hash ‘SHA1′ for HMAC authentication
2010-05-16 21:01:46 Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
2010-05-16 21:01:46 Data Channel Decrypt: Using 160 bit message hash ‘SHA1′ for HMAC authentication
2010-05-16 21:01:46 1024 bit RSA
2010-05-16 21:01:46 [server] Peer Connection Initiated with <internet ip-address>:1194
2010-05-16 21:01:47
2010-05-16 21:01:49 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
2010-05-16 21:01:49 ifconfig 10.8.0.6 10.8.0.5′
2010-05-16 21:01:49 OPTIONS IMPORT: timers and/or timeouts modified
2010-05-16 21:01:49 OPTIONS IMPORT: –ifconfig/up options modified
2010-05-16 21:01:49 OPTIONS IMPORT: route options modified
2010-05-16 21:01:49 ROUTE default_gateway=192.168.100.1
2010-05-16 21:01:49 TUN/TAP device /dev/tun0 opened
2010-05-16 21:01:49
2010-05-16 21:01:49 /sbin/ifconfig tun0 delete
2010-05-16 21:01:49 NOTE: Tried to delete pre-existing tun/tap instance — No Problem if failure
2010-05-16 21:01:49 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2010-05-16 21:01:49 /Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh tun0 1500 1542 10.8.0.6 10.8.0.5 init
2010-05-16 21:01:49
2010-05-16 21:01:49 /sbin/route add -net 192.168.123.0 10.8.0.5 255.255.255.0
2010-05-16 21:01:49 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
2010-05-16 21:01:49 Initialization Sequence Completed
2010-05-16 21:01:49 <internet ip-address>

The purpose of the shred command, as the man page tells us, is to overwrite a file to hide its contents, and optionally delete it. Since disks and LUNs are also represented as files on a Linux system, it’s also possible to use this command for shredding disks or LUNs.

In this example we assume that device /dev/sdb is the device that has to be returned to the storage department.

Most of the time a disk or LUN contain one or more partitions as shown in the output below:

[root@wolter ~]# ls -l /dev/sdb*

brw-r—– 1 root disk 8, 16 Apr 11 15:32 /dev/sdb

brw-r—– 1 root disk 8, 17 Apr 11 15:32 /dev/sdb1

brw-r—– 1 root disk 8, 18 Apr 11 15:32 /dev/sdb2

brw-r—– 1 root disk 8, 19 Apr 11 15:32 /dev/sdb3

brw-r—– 1 root disk 8, 20 Apr 11 15:32 /dev/sdb4

Currently the disks are still mounted and contain an ext3 filesystem:

[root@wolter ~]# df -h |grep sdb

/dev/sdb1 471M 376M 72M 85% /disk1

/dev/sdb2 471M 365M 83M 82% /disk2

/dev/sdb3 471M 324M 123M 73% /disk3

/dev/sdb4 580M 182M 369M 34% /disk4

[root@wolter ~]# mount | grep sdb

/dev/sdb1 on /disk1 type ext3 (rw)

/dev/sdb2 on /disk2 type ext3 (rw)

/dev/sdb3 on /disk3 type ext3 (rw)

/dev/sdb4 on /disk4 type ext3 (rw)

In this example we assume that device /dev/sdb is the device that has to be returned to the storage department.

First we make sure that the partitions on this particular disk do not contain any open files. This can be done with the lsof (list open files) command:

[root@wolter ~]# lsof /disk1

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

vim 2660 braberra 4u REG 8,17 12288 10308 /disk1/braberra/.test.swp

As show in the output above user braberra still has a file open on the particular disk. Make sure the user is logged out, or that the user is not using any file on the disk. When this is done, the disks can be unmounted, with the umount command:

root@wolter ~]# umount /disk1

[root@wolter ~]# umount /disk2

[root@wolter ~]# umount /disk3

[root@wolter ~]# umount /disk4

[root@wolter ~]# mount | grep sdb

We have a last look at the partition table of the disk:

[root@wolter ~]# fdisk -l /dev/sdb

Disk /dev/sdb: 2147 MB, 2147483648 bytes

255 heads, 63 sectors/track, 261 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System

/dev/sdb1 1 62 497983+ 83 Linux

/dev/sdb2 63 124 498015 83 Linux

/dev/sdb3 125 186 498015 83 Linux

/dev/sdb4 187 261 602437+ 83 Linux

With the strings command we can have a look at what’s on the disk:

[root@wolter ~]# strings /dev/sdb |head -40

lost+found

braberra

ld.so.conf

fstab

environment

xinetd.conf

NetworkManager

auto.misc

.pwd.lock

screenrc

foomatic

sysctl.conf.orabackup

cups$@

xinetd.d9@

mke2fs.conf

nsswitch.conf

makedev.d

cron.hourly

adjtime

quotatabY@

ld.so.cache

jwhois.conf

Muttrc.local^@

vimrc

DIR_COLORS

reader.conf

yum.confc@

readahead.d

bluetooth

mtabp@

pinforc

csh.cshrc

sudoers

protocols

mcelog.conf

samba

dhcp6c.conf

alsa

krb5.conf

openldap

Now we can use the shred command to remove all the content of the device:

[root@wolter ~]# shred -v -n3 -z /dev/sdb

shred: /dev/sdb: pass 1/4 (random)…

shred: /dev/sdb: pass 1/4 (random)…1.0GiB/2.0GiB 54%

shred: /dev/sdb: pass 1/4 (random)…1.1GiB/2.0GiB 55%

shred: /dev/sdb: pass 1/4 (random)…2.0GiB/2.0GiB 100%

shred: /dev/sdb: pass 2/4 (random)…

shred: /dev/sdb: pass 2/4 (random)…1.0GiB/2.0GiB 53%

shred: /dev/sdb: pass 2/4 (random)…1.1GiB/2.0GiB 55%

shred: /dev/sdb: pass 2/4 (random)…2.0GiB/2.0GiB 100%

shred: /dev/sdb: pass 3/4 (random)…

shred: /dev/sdb: pass 3/4 (random)…1.0GiB/2.0GiB 52%

shred: /dev/sdb: pass 3/4 (random)…1.1GiB/2.0GiB 55%

shred: /dev/sdb: pass 3/4 (random)…2.0GiB/2.0GiB 100%

shred: /dev/sdb: pass 4/4 (000000)…

shred: /dev/sdb: pass 4/4 (000000)…1.0GiB/2.0GiB 54%

shred: /dev/sdb: pass 4/4 (000000)…1.1GiB/2.0GiB 55%

shred: /dev/sdb: pass 4/4 (000000)…2.0GiB/2.0GiB 100%

The options used in this command are:

-v shows verbose output

-n3 overwrites the device 3 times with random data. The default is 25.

-z adds a final overwrite with zeros to hide shredding

When we have a look with the strings command again, no output is shown:

[root@wolter ~]# strings /dev/sdb |head -40

[root@wolter ~]#

The partitions are also gone:

[root@wolter ~]# fdisk -l /dev/sdb

Disk /dev/sdb: 2147 MB, 2147483648 bytes

255 heads, 63 sectors/track, 261 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/sdb doesn’t contain a valid partition table

The files for the partitions, however, are still there:

[root@wolter ~]# ls -l /dev/sdb*

brw-r—– 1 root disk 8, 16 Apr 11 16:15 /dev/sdb

brw-r—– 1 root disk 8, 17 Apr 11 15:40 /dev/sdb1

brw-r—– 1 root disk 8, 18 Apr 11 15:40 /dev/sdb2

brw-r—– 1 root disk 8, 19 Apr 11 15:40 /dev/sdb3

brw-r—– 1 root disk 8, 20 Apr 11 15:40 /dev/sdb4

To remove those as well, use the fdisk command and only perform a write action:

[root@wolter ~]# fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel

Building a new DOS disklabel. Changes will remain in memory only,

until you decide to write them. After that, of course, the previous

content won’t be recoverable.

Warning: invalid flag 0×0000 of partition table 4 will be corrected by w(rite)

Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.

Syncing disks.

The device is ready to be removed from your system. Use your own procedure to do this.

• VPN software must be free
• VPN software must be available for Linux (Oracle Enterprise Linux), Mac OS X and Windows
• No tweaking of my currently used router (Apple Time Capsule)
• VPN software must be easy to configure

The first three requirements where not that difficult, but I had some trouble configuring the software. At the end I ended up with the following software:

• OpenVPN, software for both running a VPN server and client
• Tunnelblick, software for running a VPN client on Mac OS X

Installing packages on the OpenVPN server

My startup-point was a installed Oracle Enterprise Linux 5 update 5 64 bit. I did a minimal installation, since I only wanted this server to be my OpenVPN server. If you  create this new server as a virtual machine, make sure that your network card is bridged to the physical network card in your computer. Give your new server a dedicated ip-address, since you have to make an adjustment in your router. At my home I use the network segment 192.168.123.0/255.255.255.0. So I gave my OpenVPN server the ip-address 192.168.123.200.

Install the following packages:

• lzo2-2.02-3.el5.rf.x86_64.rpm
• openvpn-2.0.9-1.el5.rf.x86_64.rpm

If you follow the links above, it will get you to the site where you can download the RPM’s. Copy the packages to your server that you’re going to use as your OpenVPN server.

Install the packages with the rpm command:

[root@openvpn ~]# rpm -ivh lzo2-2.02-3.el5.rf.x86_64.rpm

warning: lzo2-2.02-3.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6

Preparing...                ########################################### [100%]

1:lzo2                   ########################################### [100%]

[root@openvpn ~]# rpm -ivh openvpn-2.0.9-1.el5.rf.x86_64.rpm

warning: openvpn-2.0.9-1.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6

Preparing...                ########################################### [100%]

1:openvpn                ########################################### [100%]

The packages are installed. Now it’s time to do the configuration of the OpenVPN server.

Configuration of the OpenVPN server

A lot of files of the openvpn package are placed in the directory /usr/share/doc/openvpn-2.0.9.

Thirst thing we’re going to do, is to create the certificates for our OpenVPN server. Go to the directory /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0:

[root@openvpn ~]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/

Change the Makefile that’s in this directory and set the DESTDIR to /etc/openvpn. After that the file will look simular to this:

DESTDIR=/etc/openvpn

PREFIX=

all:

echo "All done."

echo "Run make install DESTDIR=/usr/share/somewhere"

install:

install -c --directory "${DESTDIR}/${PREFIX}"

install -c --mode=0755 build-* "${DESTDIR}/${PREFIX}"

install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"

install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"

Run the make install command to install all the necessary files to the directory /etc/openvpn:

[root@openvpn 2.0]# make install

install -c --directory "/etc/openvpn/"

install -c --mode=0755 build-* "/etc/openvpn/"

install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "/etc/openvpn/"

install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "/etc/openvpn/"

Go to the directory /etc/openvpn:

[root@openvpn 2.0]# cd /etc/openvpn

Change the last lines of the vars file that’s in this directory:

export KEY_COUNTRY="NL"

export KEY_PROVINCE="NH"

export KEY_CITY="dummytown"

export KEY_ORG="Dummy-Org"

export KEY_EMAIL="foo@dummy.org"

Fill in the Country, Province, City, Organization and an email address.

Make sure that the parameters are set by running the source command. You can ignore the message about the clean-all script:

[root@openvpn openvpn]# source vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys

Run the clean-all procedure to clean the keys directory, if this is the first time, than this directory does not exists:

[root@openvpn openvpn]# ./clean-all

Build the certificate authority:

[root@openvpn openvpn]# ./build-ca

Generating a 1024 bit RSA private key

....................................++++++

........++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [NL]:

State or Province Name (full name) [NH]:

Locality Name (eg, city) [dummytown]:

Organization Name (eg, company) [Dummy-Org]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [Dummy-Org CA]:

Email Address [foo@dummy.org]:

Create the server certificates:

[root@openvpn openvpn]# ./build-key-server server

Generating a 1024 bit RSA private key

......++++++

....................++++++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [NL]:

State or Province Name (full name) [NH]:

Locality Name (eg, city) [dummytown]:

Organization Name (eg, company) [Dummy-Org]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [server]:

Email Address [foo@dummy.org]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'NL'

stateOrProvinceName   :PRINTABLE:'NH'

localityName          :PRINTABLE:'dummytown'

organizationName      :PRINTABLE:'Dummy-Org'

commonName            :PRINTABLE:'server'

emailAddress          :IA5STRING:'foo@dummy.org'

Certificate is to be certified until May 11 14:27:28 2020 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Create at least one client key:

[root@openvpn openvpn]# ./build-key client1

Generating a 1024 bit RSA private key

.........................++++++

.....++++++

writing new private key to 'client1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [NL]:

State or Province Name (full name) [NH]:

Locality Name (eg, city) [dummytown]:

Organization Name (eg, company) [Dummy-Org]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [client1]:

Email Address [foo@dummy.org]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'NL'

stateOrProvinceName   :PRINTABLE:'NH'

localityName          :PRINTABLE:'dummytown'

organizationName      :PRINTABLE:'Dummy-Org'

commonName            :PRINTABLE:'client1'

emailAddress          :IA5STRING:'foo@dummy.org'

Certificate is to be certified until May 11 14:28:33 2020 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Create the Diffie-Hellman (DH) settings:

[root@openvpn openvpn]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

.....................................................................

Copy the following files from the /usr/share/doc/openvpn-2.0.9/sample-config-files to the /etc/openvpn directory:

• openvpn-shutdown.sh
• openvpn-startup.sh
• server.conf

[root@openvpn openvpn]# cd /usr/share/doc/openvpn-2.0.9/sample-config-files/

[root@openvpn sample-config-files]# cp -pv openvpn-startup.sh openvpn-shutdown.sh server.conf

`openvpn-startup.sh' -> `/etc/openvpn/openvpn-startup.sh'

`openvpn-shutdown.sh' -> `/etc/openvpn/openvpn-shutdown.sh'

`server.conf' -> `/etc/openvpn/server.conf'

Important: Remove from the openvpn-startup.sh and openvpn-shutdown.sh files the .sh extension. The init script in /etc/init.d/openvpn uses the filenames openvpn-startup and openvpn-shutdown.

Make sure that the files openvpn-shutdown.sh and openvpn-startup.sh can be executed:

[root@openvpn sample-config-files]# cd /etc/openvpn

[root@openvpn openvpn]# chmod u+x openvpn-shutdown openvpn-startup

Modify the file server.conf so that at least it contains the following entries:

port 1194

proto udp

dev tun

ca ca.crt

cert server.crt

key server.key  # This file should be kept secret

dh dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.123.0 255.255.255.0"

keepalive 10 120

comp-lzo

persist-key

persist-tun

status openvpn-status.log

verb 3

Copy the files ca.crt, server.crt, server.key and dh1024.epm  from the /etc/openvpn/keys directory to the /etc/openvpn directory:

[root@openvpn openvpn]# cd /etc/openvpn/keys/

[root@openvpn keys]# cp -pv ca.crt server.crt server.key dh1024.pem ..

`ca.crt' -> `../ca.crt'

`server.crt' -> `../server.crt'

`server.key' -> `../server.key'

`dh1024.pem' -> `../dh1024.pem'

Start the openvpn service with the service command:

[root@openvpn openvpn]# service openvpn start

Starting openvpn:                                          [  OK  ]

Make sure that the openvpn service is started at boottime:

[root@openvpn openvpn]# chkconfig openvpn on

[root@openvpn openvpn]# chkconfig openvpn --list

openvpn        	0:off	1:off	2:on	3:on	4:on	5:on	6:off

You can check the file /var/log/messages for the results of the startup:

May 14 17:10:10 openvpn kernel: tun: Universal TUN/TAP device driver, 1.6

May 14 17:10:10 openvpn kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>

May 14 17:10:10 openvpn openvpn[9060]: OpenVPN 2.0.9 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007

May 14 17:10:10 openvpn openvpn[9060]: Diffie-Hellman initialized with 1024 bit key

May 14 17:10:10 openvpn openvpn[9060]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]

May 14 17:10:10 openvpn openvpn[9060]: TUN/TAP device tun0 opened

May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip link set dev tun0 up mtu 1500

May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2

May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2

May 14 17:10:10 openvpn openvpn[9060]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]

May 14 17:10:10 openvpn openvpn[9068]: UDPv4 link local (bound): [undef]:1194

May 14 17:10:10 openvpn openvpn[9068]: UDPv4 link remote: [undef]

May 14 17:10:10 openvpn openvpn[9068]: MULTI: multi_init called, r=256 v=256

May 14 17:10:10 openvpn openvpn[9068]: IFCONFIG POOL: base=10.8.0.4 size=62

May 14 17:10:10 openvpn openvpn[9068]: IFCONFIG POOL LIST

May 14 17:10:10 openvpn openvpn[9068]: Initialization Sequence Completed

I had the linux firewall (iptables) running on my system, so I added another rule to this firewall, to allow incomming udp traffic on port 1194. I did this with the configuration tool system-config-security-tui.

Select the option Customize and  in the Firewall Configuration – Customize screen add the following to the Other ports section: 1194:udp. Once that’s done you can check you’re newly added rule with the service iptables status command:

[root@openvpn sysconfig]# service iptables status

Table: filter

Chain INPUT (policy ACCEPT)

num  target     prot opt source               destination

1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)

num  target     prot opt source               destination

1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)

num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)

num  target     prot opt source               destination

1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255

3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0

4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0

5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353

6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631

7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631

8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

9    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1194

10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

The configuration of the OpenVPN server is finished. The following thing to do, is to install and configure the client.

Opening the OpenVPN port on your Apple Time Capsule

To make sure that you can connect to your OpenVPN server from the internet, you must redirect port 1194 on your Time Capsule to your OpenVPN server.

• Start the Airport Utility (I always use Spotlight to do this)
• Select your Time Capsule
• Select the Advanced options and select Port Mapping
• Click on the plus button to add a new port mapping
• Fill in the following entries:
  • • Service: leave untouched
    • Public UDP Port(s): 1194
    • Public TCP Port(s): leave empty
    • Private IP Address: 192.168.123.200 (use the ip-address of your OpenVPN server)
    • Private UDP Port(s): 1194
    • Private TCP Port(s): leave empty
• Click on the Continue button to effectuate the changes
• In the next screen give a description for the portmapping. I used openvpn for that
• Click on the Done button
• Click on the the Update button
• You’re Time Capsule will be restarted to make the changes permanent

If you’re using another router you must check the documentation of that router, how to map ports to particular servers.

Installation and configuration of Tunnelblick

Tunnelblick is an OpenVPN Graphic User Interface (GUI) for Mac OS X. The installation is very straightforward can be done just like installing any other program on Mac OS X.

Download the program at  http://code.google.com/p/tunnelblick/.

Open the downloaded dmg file and double-click on the Tunnelblick icon to start the installation. Answer yes to the question if Tunnelblick should be started.

After the installation a Tunnelblick icon is placed near the Spotlight icon.

The configuration files for Tunnelblick are placed in the directory /Users/<your Mac username>/Library/Application Support/Tunnelblick/Configurations. Open the file openvpn.conf in your favorite editor.

Make sure that the configuration file contains at least the following entries:

client

dev tun

proto udp

remote  <ip-address of your internet connection at home> 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client1.crt

key client1.key

comp-lzo

verb 3

The ip-address of your internet connection can be determined with the help of the website http://whatismyipaddress.com/. The ip-address is shown in blue at the right.

Copy the following files from your OpenVPN server to your Mac:

• ca.crt
• client1.crt
• client1.key

These files are located at the /etc/openvpn/keys directory. The must be copied to the directory /Users/<your Mac username>/Library/Application Support/Tunnelblick/Configurations. I always use Cyberduck for copying files between Linux and Mac OS X.

Once the files are copied to the right location, you can test your VPN connection.

On the Tunnelblick icon, click with the right mouse button on Details.

Next thing to do is click on the Connect button. If you’re tunnel is working, you should see output similar to the following:

2010-05-16 20:59:19 *Tunnelblick: OS X 10.6.3; Tunnelblick 3.0 (build 1437); OpenVPN 2.1.1

2010-05-16 21:01:42 *Tunnelblick: Attempting connection with openvpn.conf; Set nameserver = 1; monitoring connection

2010-05-16 21:01:42 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start openvpn.conf 1337 1 0 0 0

2010-05-16 21:01:42 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpn --management-query-passwords

--cd /Users/rob/Library/Application Support/Tunnelblick/Configurations --daemon --management-hold --management 127.0.0.1 1337

--config /Users/rob/Library/Application Support/Tunnelblick/Configurations/openvpn.conf --script-security 2

--up "/Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh"

--down "/Applications/Tunnelblick.app/Contents/Resources/client.down.osx.sh" --up-restart

2010-05-16 21:01:42 SUCCESS: pid=22922

2010-05-16 21:01:42 SUCCESS: real-time state notification set to ON

2010-05-16 21:01:42 SUCCESS: real-time log notification set to ON

2010-05-16 21:01:42 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2] [PKCS11] built on Feb 24 2010

2010-05-16 21:01:42 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337

2010-05-16 21:01:42  waiting...

2010-05-16 21:01:42 MANAGEMENT: Client connected from 127.0.0.1:1337

2010-05-16 21:01:42 MANAGEMENT: CMD 'pid'

2010-05-16 21:01:42 MANAGEMENT: CMD 'state on'

2010-05-16 21:01:42 MANAGEMENT: CMD 'log on all'

2010-05-16 21:01:42 END

2010-05-16 21:01:42 MANAGEMENT: CMD 'hold release'

2010-05-16 21:01:42 SUCCESS: hold release succeeded

2010-05-16 21:01:42 WARNING: No server certificate verification method has been enabled.

See http://openvpn.net/howto.html#mitm for more info.

2010-05-16 21:01:42 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2010-05-16 21:01:42 LZO compression initialized

2010-05-16 21:01:42 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]

2010-05-16 21:01:42 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]

2010-05-16 21:01:42 Local Options hash (VER=V4): '41690919'

2010-05-16 21:01:42 Expected Remote Options hash (VER=V4): '530fdded'

2010-05-16 21:01:42 Socket Buffers: R=[42080->65536] S=[9216->65536]

2010-05-16 21:01:42 UDPv4 link local: [undef]

2010-05-16 21:01:42 UDPv4 link remote: <internet ip-address>:1194

2010-05-16 21:01:42

2010-05-16 21:01:44

2010-05-16 21:01:44  sid=e216f399 26ce1e22

2010-05-16 21:01:45  /C=NL/ST=NH/L=dummytown/O=Dummy-Org/CN=Dummy-Org_CA/emailAddress=foo@dummy.org

2010-05-16 21:01:45  /C=NL/ST=NH/L=dummytown/O=Dummy-Org/CN=server/emailAddress=foo@dummy.org

2010-05-16 21:01:46 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

2010-05-16 21:01:46 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2010-05-16 21:01:46 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

2010-05-16 21:01:46 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

2010-05-16 21:01:46  1024 bit RSA

2010-05-16 21:01:46 [server] Peer Connection Initiated with <internet ip-address>:1194

2010-05-16 21:01:47

2010-05-16 21:01:49 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2010-05-16 21:01:49 ifconfig 10.8.0.6 10.8.0.5'

2010-05-16 21:01:49 OPTIONS IMPORT: timers and/or timeouts modified

2010-05-16 21:01:49 OPTIONS IMPORT: --ifconfig/up options modified

2010-05-16 21:01:49 OPTIONS IMPORT: route options modified

2010-05-16 21:01:49 ROUTE default_gateway=192.168.100.1

2010-05-16 21:01:49 TUN/TAP device /dev/tun0 opened

2010-05-16 21:01:49

2010-05-16 21:01:49 /sbin/ifconfig tun0 delete

2010-05-16 21:01:49 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

2010-05-16 21:01:49 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up

2010-05-16 21:01:49 /Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh tun0 1500 1542 10.8.0.6 10.8.0.5 init

2010-05-16 21:01:49

2010-05-16 21:01:49 /sbin/route add -net 192.168.123.0 10.8.0.5 255.255.255.0

2010-05-16 21:01:49 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255

2010-05-16 21:01:49 Initialization Sequence Completed

2010-05-16 21:01:49 <internet ip-address>

Make sure that on your other systems, which you want to connect to remotly, a route is added. In my example I’ve added a route for the network segment 10.8.0.0 to 192.168.123.200 (my OpenVPN server).

www.youtube.com/watch?v=qrh6glzXa30

In this setup I use three networks:

1. This network (192.168.123.0) is attached to my home network and has access to the internet. To install packages on Openfiler you need a access to the internet.
2. This network (192.168.0.0) is uses for the public network. The listeners, GNS VIP, SCAN VIP, Node VIP and nodes public interface are using this network. DHCP can be used in this network segment for the Nodes VIP and SCAN VIP. Names for this VIPs are resolved by the GNS.
3. This network (10.0.0.0) is used for the Oracle private interconnect and for the shared storage (ISCSI). The IP addresses of the private interfaces of the RAC nodes can be assigned dynamically.

A Grid Naming Service Configuration Example can be found in the Oracle documentation.

Installing packages on a Openfiler server

Openfiler uses a packages system, called conary, developed by rPath. Take a look at the QuickReference to learn more about the parameters that can be used with the conary command. It’s important that your Openfiler server has access to the internet to download the extra packages.

Installing a new package is as easy as using the following command:

# conary update <packagename>

For the DHCP server and DNS server we need the packages dhcp and bind:runtime. Install both packages:

[root@openfiler ~]# conary update dhcp

Applying update job:

Install dhcp(:devel :devellib :doc :lib :runtime)=3.0.7-0.4-1

[root@openfiler ~]# conary update bind:runtime

Including extra troves to resolve dependencies:

bind:lib=9.4.3_P5-1.1-1 info-named:user=1-1-0.1

Applying update job 1 of 2:

Install info-named(:user)=1-1-0.1

Applying update job 2 of 2:

Update  bind(:lib) (9.3.4_P1-0.5-1[ipv6,~!pie,ssl] -> 9.4.3_P5-1.1-1)

Update  bind-utils(:doc :runtime) (9.3.4_P1-0.5-1[ipv6,~!pie,ssl] -> 9.4.3_P5-1.1-1)

Install bind:runtime=9.4.3_P5-1.1-1

To query which files are included in the packages you can use the command:

# conary q <packagename> -lsl

Take a look at the dhcp package:

[root@openfiler ~]# conary q dhcp --ls

/usr/include/dhcpctl.h

/usr/include/isc-dhcp/boolean.h

/usr/include/isc-dhcp/dst.h

/usr/include/isc-dhcp/int.h

/usr/include/isc-dhcp/lang.h

/usr/include/isc-dhcp/list.h

/usr/include/isc-dhcp/result.h

/usr/include/isc-dhcp/types.h

/usr/include/omapip/alloc.h

/usr/include/omapip/buffer.h

/usr/include/omapip/omapip.h

/usr/share/man/man3/dhcpctl.3.gz

/usr/share/man/man3/omapi.3.gz

/usr/share/man/man3/omshell.3.gz

/usr/lib64/libdhcpctl.a

/usr/lib64/libdst.a

/usr/lib64/libomapi.a

/usr/share/doc/dhcp-3.0.7/LICENSE

/usr/share/doc/dhcp-3.0.7/README

/usr/share/doc/dhcp-3.0.7/RELNOTES

/usr/share/doc/dhcp-3.0.7/dhcpd.conf.sample

/usr/share/man/man1/omshell.1.gz

/usr/share/man/man5/dhcp-eval.5.gz

/usr/share/man/man5/dhcpd.conf.5.gz

/usr/share/man/man5/dhcpd.leases.5.gz

/usr/share/man/man8/dhcpd.8.gz

/usr/share/man/man8/dhcrelay.8.gz

/var/lib/dhcp/dhcpd.leases

/etc/init.d/dhcpd

/etc/init.d/dhcrelay

/etc/sysconfig/dhcpd

/etc/sysconfig/dhcrelay

/usr/bin/omshell

/usr/sbin/dhcpd

/usr/sbin/dhcrelay

The installation of the packages is done. Next we need to configure both the servers.

Configuration of the DHCP server

We’re going to configure the DHCP server. Configuration of the DHCP server is done in the file /etc/dhcpd.conf. Since this file is not included in the DHCP package, you need to create it yourself.

Configure DHCP for both the public and the private network. At least the file should contain the following entries:

ddns-update-style none;

allow booting;

allow bootp;

# subnet for the public network

subnet 192.168.0.0 netmask 255.255.255.0 {

option routers                  192.168.0.1;

option subnet-mask              255.255.255.0;

option domain-name              "example.com";

# domain-name-server is this Openfiler server

option domain-name-servers      192.168.0.250;

range dynamic-bootp 192.168.0.100 192.168.0.150;

default-lease-time 21600;

max-lease-time 43200;

}

# subnet for the private network

subnet 10.0.0.0 netmask 255.255.255.0 {

range dynamic-bootp 10.0.0.100 10.0.0.150;

default-lease-time 21600;

max-lease-time 43200;

}

Check the configuration file with the command service dhcpd configtest. This only checks for syntax errors.

[root@openfiler ~]# service dhcpd configtest

Internet Systems Consortium DHCP Server V3.0.7

Copyright 2004-2008 Internet Systems Consortium.

All rights reserved.

For info, please visit http://www.isc.org/sw/dhcp/

To start the DHCP server use the following command:

[root@openfiler ~]# service dhcpd start

Starting dhcpd: Internet Systems Consortium DHCP Server V3.0.7

Copyright 2004-2008 Internet Systems Consortium.

All rights reserved.

For info, please visit http://www.isc.org/sw/dhcp/

Wrote 0 leases to leases file.

Listening on LPF/eth2/00:0c:29:94:29:56/10.0.0/24

Sending on   LPF/eth2/00:0c:29:94:29:56/10.0.0/24

Listening on LPF/eth1/00:0c:29:94:29:4c/192.168.0/24

Sending on   LPF/eth1/00:0c:29:94:29:4c/192.168.0/24

No subnet declaration for eth0 (192.168.123.240).

** Ignoring requests on eth0.  If this is not what

you want, please write a subnet declaration

in your dhcpd.conf file for the network segment

to which interface eth0 is attached. **

Sending on   Socket/fallback/fallback-net

[  OK  ]

You can ignore the warning about the subnet declaration for eth0, since we did not configure DHCP for this network segment.

To make sure the DHCP server is started at boottime use the chkconfig command:

[root@openfiler ~]# chkconfig dhcpd on

[root@openfiler ~]# chkconfig dhcpd --list

dhcpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

The configuration of the DHCP server is done.

Configuration of the DNS server

Configuration of the DNS server is a bit more complicated than the DHCP server. The following files must be created:

• /etc/named.conf
• /srv/named/data/example.com.zone
• /srv/named/data/0.168.192.in-addr.arpa.zone

The first one contains the main configuration file. The last two contain the information about the zones.

Create the file /etc/named.conf with at least the following content:

options {

directory "/srv/named/data";

};

# forward zone

zone "example.com" IN {

type master;

file "example.com.zone";

};

# reverse zone

zone "0.168.192.in-addr.arpa" IN {

type master;

file "0.168.192.in-addr.arpa.zone";

};

The file /srv/named/data/example.com.zone should contain the following:

$ORIGIN .

$TTL 86400      ; 1 day

example.com     IN SOA  openfiler.example.com. foo.bar.tld. (

200612069  ; serial

7200       ; refresh (2 hours)

300        ; retry (5 minutes)

604800     ; expire (1 week)

60         ; minimum (1 minute)

)

NS      openfiler.example.com.

$ORIGIN example.com.

openfiler                       A       192.168.0.250

rac01                           A       192.168.0.101

rac02                           A       192.168.0.102

; delegation records for the GNS of the rac cluster

$ORIGIN cluster.example.com.

@                               IN              NS      gns.cluster.example.com.

gns.cluster.example.com.        IN              A       192.168.0.200

Important in the above configuration file are the delegation entries for the subdomain cluster.example.com.

The file /srv/named/data/0.168.192.in-addr.arpa.zone should contain:

$ORIGIN .

$TTL 86400      ; 1 day

0.168.192.in-addr.arpa IN SOA openfiler.example.com. foo.bar.tld. (

200612066  ; serial

7200       ; refresh (2 hours)

300        ; retry (5 minutes)

604800     ; expire (1 week)

60         ; minimum (1 minute)

)

NS      openfiler.example.com.

$ORIGIN 0.168.192.in-addr.arpa.

250                     PTR     openfiler.example.com.

101                     PTR     rac01.example.com.

102                     PTR     rac02.example.com.

Start the nameserver with the service command:

[root@openfiler ~]# service named start

Starting named:                                            [  OK  ]

Make sure that the nameserver is started at boottime:

[root@openfiler ~]# chkconfig named on

[root@openfiler ~]# chkconfig named --list

named           0:off   1:off   2:on    3:on    4:on    5:on    6:off

Configuration of RAC nodes

To make sure that all the hostnames can be resolved the file /etc/resolv.conf must be edited. Create this file with the following entries:

search example.com cluster.example.com

nameserver 192.168.0.250

The first line makes sure that you don’t have to specify the fully qualified host name, if you want to resolve a name in your local network.

To make sure that the file /etc/resolv.conf doesn’t get overwritten by the dhcp configuration of the private interface you have to create the file /etc/dhclient-enter-hooks with the following content:

make_resolv_conf() {

echo "doing nothing to resolv.conf"

}

More about this can be found here.

Installation of the Grid Infrastructure

When installing the Oracle 11g Release 2 Grid Infrastructure, make sure you choose the Advanced Installation as your installation type. In the screen Grid Plug and Play Information, you need to supply the GNS subdomain name and the GNS VIP Address as specified in the DNS configuration.

Just follow the normal installation procedure.

When the installation is finished you can test your new setup with the dig command:

[root@rac01 logs]# dig rac-scan.cluster.example.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> rac-scan.cluster.example.com

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63099

;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;rac-scan.cluster.example.com.  IN      A

;; ANSWER SECTION:

rac-scan.cluster.example.com. 120 IN    A       192.168.0.147

rac-scan.cluster.example.com. 120 IN    A       192.168.0.146

rac-scan.cluster.example.com. 120 IN    A       192.168.0.148

;; AUTHORITY SECTION:

cluster.example.com.    86400   IN      NS      gns.cluster.example.com.

;; Query time: 11 msec

;; SERVER: 192.168.0.250#53(192.168.0.250)

;; WHEN: Mon Apr 26 18:11:20 2010

;; MSG SIZE  rcvd: 160

As shown in the output above, the scan address is resolved to 3 different ip-addresses.

There is a bug (9018141) about GNS not removing old SCAN ip-addresses after a DHCP lease expires. On My Oracle Support there’s also a workaround for this bug.