
Syncthing – Dropbox & GDrive Alternative

Syncthing

Google Drive (GDrive) and other cloud storage services such as Dropbox and Microsoft OneDrive all have the serious drawback of keeping one's information in a third-party cloud repository. Privacy and security are generally compromised this way, even when paying for storage (as opposed to an advertising model, which is worse in many ways).

The challenge is to have an equally robust service that can effectively and efficiently (in terms of resource requirements) synchronize files across multiple devices, keep the data on our own devices, and remain open source. In our case we have three different operating systems on four devices to support:

  • Android 7.1.2 (Nougat)
  • ChromeOS Dev distribution (using Chrome, Android, or Linux apps)
  • Debian Linux 9 (stretch) (server and desktop)

Options such as OwnCloud don't work because of the high overhead needed to get the services to work, in terms of memory and processing on a server.

Syncthing for File Synchronization

File synchronization is not backup, though with versioning there is a sort of backup-lite going on.

Syncthing is available from distribution repositories and directly from GitHub. There are ports and other configuration issues to take care of for routing. There is also an Android app, which is what will be used on Android and ChromeOS.

Install Syncthing on Debian

See: https://apt.syncthing.net/

Add PGP key

curl -s https://syncthing.net/release-key.txt | sudo apt-key add -

Add the "stable" channel to your APT sources:

echo "deb https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list

Update repositories

sudo apt update

Install syncthing

sudo apt install syncthing

Edit the .xml file

sudo nano ~/.config/syncthing/config.xml

Change the 127.0.0.1 address to 0.0.0.0 to enable access from anywhere. Binding to 0.0.0.0 exposes the admin GUI (port 8384) to every network the host is on, so set a GUI user and password and enable TLS in the same <gui> section of config.xml, and only open port 8384 in the firewall to the addresses that need it.
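A small check for the exposure just described, added here as an example (it is not Syncthing's own tooling): it reads the <gui> element of a config.xml and flags a listener on a non-loopback address that has no password or no TLS. The two config files are constructed samples, not real Syncthing output.

```shell
#!/bin/sh
# Audit the <gui> section of a Syncthing config.xml and flag an admin GUI
# that listens on a non-loopback address without a password or without TLS.
# Prints one FINDING line per problem; returns 0 when nothing is flagged.
audit_syncthing_gui() {
    cfg="$1"
    # Extract only the <gui ...> ... </gui> element.
    gui=$(sed -n '/<gui /,/<\/gui>/p' "$cfg")
    addr=$(printf '%s\n' "$gui" | sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' | head -n 1)
    tls=$(printf '%s\n' "$gui" | sed -n 's/.*tls="\([^"]*\)".*/\1/p' | head -n 1)
    has_pw=0
    printf '%s\n' "$gui" | grep -q '<password>[^<][^<]*</password>' && has_pw=1
    rc=0
    case "$addr" in
        127.0.0.1:*|localhost:*|'[::1]:'*)
            ;;  # loopback only: reachable from this host alone
        *)
            [ "$has_pw" -eq 1 ] || { echo "FINDING: GUI on $addr with no password set"; rc=1; }
            [ "$tls" = "true" ] || { echo "FINDING: GUI on $addr without TLS (tls=\"$tls\")"; rc=1; }
            ;;
    esac
    return $rc
}

# Two constructed sample configs (not real Syncthing output) for a self-test.
SAMPLE_DIR=$(mktemp -d)
EXPOSED_CFG="$SAMPLE_DIR/exposed.xml"
SAFE_CFG="$SAMPLE_DIR/safe.xml"
cat > "$EXPOSED_CFG" <<'EOF'
<configuration version="28">
    <gui enabled="true" tls="false" debugging="false">
        <address>0.0.0.0:8384</address>
        <apikey>CONSTRUCTED-APIKEY</apikey>
        <theme>default</theme>
    </gui>
</configuration>
EOF
cat > "$SAFE_CFG" <<'EOF'
<configuration version="28">
    <gui enabled="true" tls="true" debugging="false">
        <address>0.0.0.0:8384</address>
        <user>admin</user>
        <password>$2a$10$constructedbcrypthashplaceholder</password>
        <apikey>CONSTRUCTED-APIKEY</apikey>
    </gui>
</configuration>
EOF

for f in "$EXPOSED_CFG" "$SAFE_CFG"; do
    if audit_syncthing_gui "$f"; then
        echo "$f: ok"
    else
        echo "$f: NEEDS ATTENTION"
    fi
done
```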

Allow Ports on Debian

Had to punch holes through Lightsail networking and also add rules for UFW:

  • https://11.22.33.44:8384/ (server)
  • http://127.0.0.1:8384/ (workstation)

Install Syncthing on Android

For Android and ChromeOS devices, install Syncthing for Android from the Play Store.

Configure Syncthing to Turn on Automatically

Need to get Syncthing to turn on automatically; try this:

Note that this includes Debian and Android apps for the auto-on functionality needed.

Some Issues with Synchronizing

The main thing is to think out one's synchronization policies and plans: one-way synchronization, two-way synchronization, master and slave device replication, etc. There are many options. Some files one will want to keep everywhere, with version control. Other files one will want only in one or two locations (large files/repositories).

The best approach is to partition into folders so that different folders contain different content that will be synchronized differently. Some examples:

  • Images/Photos folder on a mobile device
    • Should be synchronized but also allow for repository of more images on a backup location.
    • Workflow: sync mobile folder to desktop. On desktop, move images to a second folder (removing them from mobile via synchronization), and then have the second folder synchronized to a server. That server folder can have SFTP for remote access and also provide two-way synchronization back to the desktop for things such as editing images that are on a web server.

It is important to have a manual workflow as well (or semi-automated) so that things are easier to manage.

Synchronization vs. SFTP

Synchronization is useful, but is not a replacement for SFTP, which should be seen as on-demand push/pull. For example, a large repository can be synchronized between two larger-capacity devices (e.g., Debian server and Debian workstation), but also allow access via SFTP for smaller-capacity devices (ChromeOS/Android).

Syncthing Autostart

For a desktop, add to Startup Applications

/usr/bin/syncthing  -no-browser -home="/home/user/.config/syncthing"

For a server, run Syncthing as a system service instead (the Debian package ships a systemd unit template for per-user instances).

Value of Syncthing for the End User

Ultimately, Syncthing lets the end user take full control of the data on their devices, in terms of which files are synchronized with which other devices. Along with SFTP on a server, and possibly something like AWS S3 and Glacier, it provides a useful protocol, GUI admin console, and applications that can do everything that GDrive/Dropbox/OneDrive offer in terms of synchronization. Since disk space can already be managed at the level of S3/Glacier and local devices, it provides a key element in a resource-efficient, open source package.


XFCE vs. Cinnamon 2018

Summary -- The superiority of XFCE or Cinnamon comes down to use cases, and of course preference -- de gustibus non est disputandum.

XFCE Superiority

XFCE is a delight in many ways, when compared with Cinnamon:

  • Less memory and processor utilization
  • A bit more stable (though this could be an instability with Nemo)
  • Faster/easier to configure (the settings menus are much better organized, with fewer top-level items)

Cinnamon Superiority

At the same time, Cinnamon has definitely fixed/improved a few things:

  • Keyboard settings to reconfigure standard keyboard remapping (Win/Cmd/Super remapping, CapsLock behavior)
  • Shortcuts on the start menu, ease of adding apps from the menu to the dock, and in general a more elegant start menu with search and better spacing

Beyond these issues, everything else seems to be about applications. Both can do everything else more or less similarly.

Note: one can install Cinnamon on Debian directly, or try Linux Mint Debian Edition (LMDE), or simply standard Mint (an Ubuntu derivative) and Cinnamon. Cinnamon is also available for a few other Linux distributions.

Nautilus beats Nemo and Thunar

Nemo is simply unstable. Try doing some drag-and-drop and it soon slows, hangs, quits. Thunar is nice, but there is no handy search or buttons to toggle between views; everything has to be done with memorized keyboard shortcuts. Silly. Nautilus is not perfect by any means; the seeming limitation of the icon view size to a maximum of 133% is a disappointment. However, beyond that it is very good and definitely an improvement over Nemo and Thunar.

Cinnamon - Better Keyboard Support, Better Dock/Menu

The bottom line is that while Cinnamon has greater resource demands, and a bit less stability, it has a better dock/menu interface and better keyboard configuration support. This makes it a premium modern desktop for Debian and Ubuntu (via Linux Mint Debian Edition (LMDE)).

XFCE - Better Resource Management for Low End Devices

Either Debian + XFCE or the Linux Mint XFCE edition is appropriate for low-end devices, say those with 4 GB or less of RAM. This would be appropriate for the Asus C101PA Convertible Chromebook.

See Also for Linux on the ASUS C101PA


Debian + Cinnamon Keyboard Shortcuts

> Note: This is Incomplete

Function              LMDE3      ChromeOS
Refresh               Ctrl+R
Task List
Partial Screenshot

Debian Terminal

Under Edit > Preferences > Shortcuts set the Edit > Copy, Edit > Paste, and Edit > Select All accelerator keys to Ctrl+C, Ctrl+V, and Ctrl+A respectively.

Screenshots

Under Keyboard > Shortcuts > System > Screenshots and Recording, assign F5 to "Take a screenshot of an area". This is more efficient than the Ctrl+Shift+F5 of the standard ChrOS keystroke, and the standard "Dim keyboard backlight" setting doesn't apply as I do not use backlit keyboards. In ChrOS it makes sense even to map the Overview (F5) key to partial screenshot, as I really don't use that function in any case.

Keyboard Layouts Options

Under Keyboard > Layouts > Options:

  • Alt/Win key behavior: Ctrl is mapped to Win keys (and the usual Ctrl keys)
  • Caps Lock key behavior: Make Caps Lock an additional Hyper (deal with this later to create the Search behavior in ChrOS, if desired)
  • Switching to another layout: Caps Lock, though this really makes Shift+Caps Lock function as a language switcher

Note that the last one would be better aligned with ChrOS' Ctrl+Space to switch between languages, if possible. It is more like the OSX Cmd+Space language toggle keystroke.

stty

Since I prefer to have ctrl+c be copy, then that can't be quit, and so I set the break command to ctrl-e using stty.

stty intr '^e'   # "intr" (not "break") is the stty name for the interrupt character that Ctrl+C normally sends

However, that is not really necessary since ctrl+\ and ctrl+4 both also institute a quit or break in the console.

chsh

Set the default shell to Bash

chsh -s /bin/bash

> Note: have to log out and back in to see this work.

Notes (Incomplete)

  • With a small keyboard there is no actual Delete key, only Backspace. Need to change this so the Delete key can be/is the Backspace and so can delete in the file manager (Nemo). Actually Fn+Delete = Delete on the Apple wireless keyboard, whereas Delete is actually Backspace.
    • Note that Nemo is so horribly slow when/after doing delete/paste of files between windows, I've gone on to use Nautilus. Also, Nautilus has good batch file renaming, whereas Nemo is woefully incomplete.
  • For rename, note: Fn+2 and slow double-click (Nemo only) work.
  • Set up Bash so that it maps my favorite scripts (lx for ls -la), the environment editor (nano), and in the terminal so Ctrl+E is the stop command.
    • Done
  • Set a partial screenshot keystroke / keyboard shortcut
    • Done (F5), set this in the Keyboard control panel/settings.
  • Install exo-utils and run exo-preferred-applications to set the file managers and browsers (though is this read by Cinnamon?)
  • Install and Run dconf-editor to set preferences in a variety of apps/locations

Fish Shell – Friendly Interactive SHell

Note: I've replaced Fish Shell with Bash in my personal technology stack, as of March 2018. Ha ha, back on Fish Shell. Fish Shell is a very useful shell. I use it on OSX and Linux. It provides some sanity at the command line. For an editor I use Nano. Note that there are some limitations, and a learning curve in getting it set up; it is definitely newer than other shells. When trying to run a command that won't work in fish, simply invoke bash and get it done. No real limitations to speak of. For doing shell scripting, it is very straightforward and definitely more modern. Useful docs on the fish shell are available.

What Fish Can't Do (So Well)

Fish is a bit more limited as a general-purpose command/utility invoker, as it seems to throw errors. Overall, it is a bit cranky, and really only at its best when doing scripting. To that end, better facility with Python will probably fill in the gaps around Bash that Fish does well, while focusing on a tool that would be even more extensible.

See Also


Bash Shell Scripting

Bash being the most common shell, it makes sense to learn bash shell scripting. I didn't think this at first and later came to the conclusion, having spent time with Fish Shell. However, Bash is definitely old and creaky with some frankly ridiculous implementation details. Fish can be installed most everywhere, and is generally superior in many ways. Where it is not, commands can simply be run in Bash.

Variables, Conditionals, Utilities

Most of Bash scripting is variables (including, initially, environment variables), conditionals, and utilities. For example, the common task of changing the names of files in a directory, copying them, moving them, etc., is a combination of setting up variables (e.g., $f for filenames of a given sort), then looping over them (for/while) and executing various commands (mv, cp, etc.).
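The loop-over-$f-and-mv task just described, written out as an added example (not from the original post) with the checks such a script needs: quoted variables, "--" so a file name starting with "-" is not taken as an option, a collision check so nothing is overwritten, and a dry-run mode. The sample directory and file names are constructed.

```shell
#!/bin/sh
# Rename every file in DIR whose extension is upper-case (IMG_001.JPG) to a
# lower-case extension (IMG_001.jpg): variables, a loop, a conditional and mv.
# Usage: lowercase_extensions DIR [--dry-run]
lowercase_extensions() {
    dir="$1"; dry="${2:-}"; renamed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                  # skip directories and an unmatched glob
        base=${f##*/}                            # file name without the directory
        case "$base" in
            *.*) ext=${base##*.} ;;              # text after the last dot
            *)   continue ;;                     # no extension: nothing to do
        esac
        lower=$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')
        [ "$ext" != "$lower" ] || continue       # already lower-case
        newname="$dir/${base%.*}.$lower"
        if [ -e "$newname" ]; then
            echo "skip: $newname already exists" >&2   # never clobber a file
            continue
        fi
        if [ "$dry" = "--dry-run" ]; then
            echo "would rename: $f -> $newname"
        else
            mv -- "$f" "$newname" && echo "renamed: $f -> $newname"
        fi
        renamed=$((renamed + 1))
    done
    echo "$renamed file(s) (to be) renamed" >&2
}

# Constructed sample directory for a self-test: two upper-case extensions,
# one file with no work to do, and one collision that must be left alone.
SAMPLE=$(mktemp -d)
for name in IMG_001.JPG IMG_002.JPG notes.txt clash.PNG clash.png; do
    printf 'x' > "$SAMPLE/$name"
done
lowercase_extensions "$SAMPLE" --dry-run   # preview only, nothing moves
lowercase_extensions "$SAMPLE"             # IMG_001.jpg, IMG_002.jpg; clash.PNG is kept
```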

See Also

Turing Complete Programming Language

Apparently, Bash is Turing complete, which means it is fairly sophisticated, complex, and thorough. That doesn't mean it should be used for everything, but certainly can be used for many things. Python would be a competitor in terms of doing shell scripting, but it would depend on how complicated, or exactly what kind of functionality is needed in order to prefer Python over Bash in terms of scripting.

Current Assessment of Shell Scripting in Bash

For scripts that run simple commands (such as openvpn or autossh), Bash simply handles errors better, with an old-school shim when missing a shebang. However, for dealing with ease and elegance with actual scripting, and working from a modern design document, Fish is hard to beat.


Portable Music Players & Linux

This article briefly describes some issues with managing portable music players on Linux, particularly the Apple iPod Shuffle and the Sandisk Clip Jam (its replacement).

Quod Libet

Quod Libet is absolutely zero help with managing portable music players (with a single exception, the generation of playlist.m3u files). This is a big regret since it has much of what I need in a music manager, including:

  • Low resource utilization
  • Relatively fast and stable when indexing large collections
  • Ability to edit metadata on individual and groups of files
  • Dark theme

Therefore, I have to look outside of QL in order to manage portable music players.

Playlists in Quod Libet

Based on my workflow and media organization in Quod Libet, what I generally do for a playlist is clean up a set of albums/tracks from one or more artists and one or more albums, then create a playlist out of that. This generally means the complete contents of one or more albums organized under one or more artists. This allows me to use the Export as Playlist plugin which generates an *.m3u file with some pathing that needs to be cleaned up.

Sandisk Clip Jam Playlist Lament

My review of the Sandisk Clip Jam is a lament to SCJ Playlists:

> Since playlists are important for portable media players, they should have a well-thought-out approach. Unfortunately this is not the case. One has to monkey about with .m3u files and actually edit them by hand. Sad and a bit nuts as well.
>
> Several issues:
>
> The namespace is effectively 7 characters, so don't have directories with playlists that might conflict on those first 7 characters.
>
> There are three "quick" playlists but no way to get them out of the way, so there is always "click, click, click" to get past them since they are the first three. I don't care to make playlists on the go, so please let me make these go away.
>
> .m3u file needs to have the full path of the location, e.g., Music/Joy Division/Peel Sessions/01 Exercise One.mp3
>
> Unlike as stated in the documentation and forums, the music files do not need to be in the same directory as the playlist file, and they can be stacked all in Music with referenced directories and subdirectories underneath.
>
> CRLF for returns
>
> Obviously this is a nasty and brutish way of handling playlists, and so various scripting is needed to get things working without a huge amount of ongoing time being wasted.
>
> Also, the cheap and huge earbuds (unwearable in my medium-sized ears) are really a waste. No one really expects anything good to be bundled, so save the earth a little.
>
> Overall the device itself is pretty decent, except for the glaring problem noted above.

How to Create and Edit Sandisk Clip Jam *.m3u Playlists

The key is to use a media player/manager to generate the .m3u playlist, and then search/replace to change the paths in the files to match those of the Sandisk Clip Jam, which is generally Music/Artist/Album. Since my audio library has the very same structure, it is not difficult to copy entire albums and artists (with their albums) to the Sandisk Clip Jam. As noted above, the playlists need to have the same Music/Artist/Album/Track structure. However, the playlists themselves can repose in the same Music directory.

Note: VLC can also perform the function of generating playlists, though my choice is Quod Libet, using the Export as Playlist plugin which generates an *.m3u file. After creating the playlists and editing them, copying the directory structure wholesale into Music completes the operation. Updates begin in Quod Libet, and then a delete/recopy is necessary (akin to iPod/iTunes operations).
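The search/replace step above, scripted as an added example (not from the original post): it takes a playlist exported with absolute paths and LF line ends and writes the Clip Jam form described in the review (paths relative to Music/, CRLF line ends), and refuses a playlist whose name collides with an existing one on the first 7 characters. It assumes the player only needs bare path lines, so #EXTM3U/#EXTINF comment lines are dropped; the sample playlist and library root are constructed.

```shell
#!/bin/sh
# Convert an exported .m3u into the Sandisk Clip Jam form: paths relative to
# the player's Music/ directory, CRLF line ends, path lines only.
# Usage: to_clipjam_m3u SOURCE.m3u LIBRARY_ROOT OUT_DIR
#   e.g. to_clipjam_m3u peel-sessions.m3u /home/me/Music /media/CLIPJAM/Music
to_clipjam_m3u() {
    src="$1"; root="$2"; outdir="$3"
    name=$(basename "$src")
    # The player distinguishes playlists by their first 7 characters only,
    # so refuse to write one that would collide with an existing playlist.
    prefix=$(printf '%s' "$name" | cut -c1-7)
    for existing in "$outdir"/*.m3u; do
        [ -e "$existing" ] || continue          # unmatched glob
        ename=$(basename "$existing")
        [ "$ename" != "$name" ] || continue     # overwriting itself is fine
        if [ "$(printf '%s' "$ename" | cut -c1-7)" = "$prefix" ]; then
            echo "refusing: $name collides with $ename on the first 7 characters" >&2
            return 1
        fi
    done
    cr=$(printf '\r')
    # 1. normalise any existing CRLF, 2. keep only non-empty path lines,
    # 3. strip the library root, prefix Music/, and append a CR to each line.
    tr -d '\r' < "$src" |
        grep -v '^#' |
        grep -v '^[[:space:]]*$' |
        sed -e "s|^$root/||" -e 's|^|Music/|' -e "s/\$/$cr/" > "$outdir/$name"
}

# Constructed export for a self-test (the first track path is the one quoted
# in the review above; the second is made up).
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/Music"
cat > "$SAMPLE/peel-sessions.m3u" <<'EOF'
#EXTM3U
#EXTINF:193,Joy Division - Exercise One
/home/me/Music/Joy Division/Peel Sessions/01 Exercise One.mp3
/home/me/Music/Joy Division/Peel Sessions/02 Insight.mp3
EOF
to_clipjam_m3u "$SAMPLE/peel-sessions.m3u" /home/me/Music "$SAMPLE/Music"
cat -v "$SAMPLE/Music/peel-sessions.m3u"   # ^M at each line end shows the CRLF
```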

GTKpod for iPod Audio Management

GTKpod is one of the last relatively decent and straightforward iPod (only) managers, capable of drag-and-drop audio and creating/editing playlists. Installation is available from the Gnome Software Manager and elsewhere.


Managing Fonts in Debian

Microsoft Core Fonts Installer

Check to see if this is installed via apt-cache

sudo apt-cache search ttf-mscorefonts-installer

More Fonts with Installers

More fonts to install, if needed

ttf-liberation
fonts-liberation
ttf-uralic
fonts-uralic
ttf-root-installer
ttf-freefont
ttf-dustin
ttf-linux-libertine
fonts-linuxlibertine
fonts-dustin
ttf-staypuft

Copy Fonts to Directories

/usr/share/fonts
/usr/share/X11/fonts
/usr/local/share/fonts
~/.fonts

Note: it is better/easier to symlink into /usr/share/fonts/ if the fonts are organized as a set of font directories. Example:

First remove font shares:

sudo rm -rf /usr/share/fonts/software-fonts
sudo rm -rf /usr/share/fonts/code-128-fonts
sudo rm -rf /usr/share/fonts/thai-fonts

Then add font shares

sudo ln -s /home/jeff/async/software/fonts /usr/share/fonts/async-fonts
sudo ln -s /home/jeff/async/github/code-128-font/fonts /usr/share/fonts/code-128-fonts
sudo ln -s /home/jeff/async/github/thai-font-collection/downloadable-free-thai-fonts /usr/share/fonts/thai-fonts

Rebuild the Font Cache

sudo fc-cache -fv

List all Installed and Cached Fonts

fc-list

Reconfigure Fonts

This may be needed to support bitmap fonts.

sudo dpkg-reconfigure fontconfig-config

LMDE3 Cinnamon Modifications

Here are some ways of getting things tweaked. Your mileage may vary.

Mint-Y-Dark

This theme has some hardcoded colors in PNG files. Grayscale them with ImageMagick, as follows:

for file in /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/*.png; do convert "$file" -colorspace Gray "$file"; done
for file in /usr/share/themes/Mint-Y-Dark/gtk-3.0/assets/*.png; do convert "$file" -colorspace Gray "$file"; done

Edit the /usr/share/themes/Mint-Y-Dark/gtk-2.0/gtkrc file for color. Replace #8fa876 with #993333 for a nice red to go with Mint-X-Red Icons. I prefer scrollbars with 15px width.

Edit the /usr/share/themes/Mint-Y-Dark/gtk-3.0/gtk.css file for color and scrollbar width. Replace #8fa876 with #993333 for a nice red to go with Mint-X-Red Icons. I prefer scrollbars with 15px width.

Double the size of the following .png files in /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/:

  • slider-vert.png
  • slider-vert-active.png
  • slider-vert-insens.png
  • slider-vert-prelight.png
  • trough-vertical-active.png
  • trough-vertical.png

convert /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert.png -resize 200% /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert.png
convert /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert-active.png -resize 200% /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert-active.png
convert /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert-insens.png -resize 200% /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert-insens.png
convert /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert-prelight.png -resize 200% /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/slider-vert-prelight.png
convert /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/trough-vertical-active.png -resize 200% /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/trough-vertical-active.png
convert /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/trough-vertical.png -resize 200% /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets/trough-vertical.png

Cinnamon Theme

Unfortunately there are also lots of .svg files in /usr/share/themes/Mint-Y-Dark/cinnamon/ (both in subdirectories of /common-assets/ and /dark-assets/) with colors also hard-coded into them (bizarre, to say the least). These cannot be handled with ImageMagick convert, but rather either need to go through a process of conversion, grayscaling, then converting back into .svg format (such as with Autotrace), or some other tool which can directly deal with color inside .svg files.

Edit the /usr/share/themes/Mint-Y-Dark/cinnamon/cinnamon.css file for color and scrollbar width. Replace #8fa876 with #993333 for a nice red to go with Mint-X-Red Icons.

Atom Application Scrollbars

Atom does not inherit these Gtk configuration/theme settings and needs its scrollbars to be configured manually. The same goes for Visual Studio Code: scrollbars need to be set manually.

Screenshot default folder location

Screenshot default folder location needs to be set manually, such as:

gsettings set org.gnome.gnome-screenshot auto-save-directory ~/async-images-2019

Scrollbars in Atom, Firefox, Cinnamon

Scrollbar usability is shoddy and slipping across wide swaths of the web and software in general. Of course I am getting older, which means this is more and more of an annoyance. We have known, and for some time, how to do scrollbar usability and accessibility. Putting aside voice commands, just the bare minimum of finger and mouse pointer usability seems too hard for so many projects, and for so long. See Jakob Nielsen on Scrollbar Usability.

Modifying Scrollbars in Atom Editor

Atom Editor requires several CSS overrides to get scrollbars modified.

Modifying / Customizing Scrollbars in Firefox

Firefox has been without -webkit scrollbar functionality for the last 5 months, no wait, for the last 9 years... no wait, for the last 18 years. The work-arounds for this situation are a PITA. The only way to really deal with this is at the operating system level.

Modifying / Customizing Scrollbars in Linux Mint (and other Gtk windowing environments)

Editing Gtk themes for Linux Mint and other distributions takes a lot of effort and digging around. In many cases the CSS is imported in binary format for Adwaita, the Gtk3 base theme, and an override in the ~/.config/gtk-3.0/gtk.css file doesn't work. While for Mate and Gnome there are tools, there is no tool to edit the scrollbar in Cinnamon. So, besides the various gtk-2.0 and gtk-3.0 files, there are the .svg files for things like the scrollbar, which are hidden in a gtk-2.0 subdirectory, for example:

  • /usr/share/themes/Mint-Y-Dark/gtk-2.0/assets in .png file format, or is that
  • /usr/share/themes/Mint-X/gtk-2.0/images/scroll in .svg file format

It is all a quandary and the Linux Mint folks really need to be a bit better organized, no matter how disorganized their upstream Gtk cousins may be. Suffice it to say there are many different files, and different file syntaxes, at work here. Some examples:

  • Gnome Developer gtkscrollbar
  • Linux Questions: How to enable scrollbar arrow?
  • Question about GtkScrollbar Class in Custom Theme
  • Cinnamon issues - scrollbar configuration in Sys

Wrestling with these issues, I've been able to get some things working (e.g., arrows) and others not (e.g., widths), at various times, depending on the base theme that is enabled and edited. That said, I've still been unable to get the Nemo scrollbar to stop disappearing when not hovered/clicked/being scrolled. This is simply pathetic usability and accessibility. Don't hide important navigation elements. If scrolling is not possible (e.g., all content is viewed on a screen, and there is no part to scroll to) then by all means hide/remove the scrollbar. But when I am viewing a directory structure with more rows of files yet to see, hiding the scrollbar removes important information from the display.


OpenVPN on Debian

OpenVPN on Debian is the second step in securing an operating system. Below we include ufw firewall installation and configuration as well.

Related Articles in Debian Services and Applications:

  • Debian on AWS Lightsail
  • OpenVPN on Debian + UFW Firewall
  • Nginx and Letsencrypt on Debian
  • PHP & MariaDB on Debian
  • Grav CMS on Debian

Note: install and configure ufw prior to openvpn installation and configuration

sudo apt-get install ufw
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 1194/udp
sudo ufw allow ssh
sudo ufw status
sudo ufw enable
sudo service ufw restart

Edit the ufw config file:

nano /etc/default/ufw

  • Change the line DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT"
  • Save

Edit the before.rules:

nano /etc/ufw/before.rules

Add the START OPENVPN RULES as follows:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out via eth0. The source network must
# match the "server 10.10.0.0 255.255.255.0" line in server.conf (a /24);
# a /8 here would masquerade every 10.x.x.x source, not just VPN clients
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter

Save the file, then enable UFW:

ufw enable

Check status

ufw status

Next install and configure the OpenVPN Server

Note: do this as root as it may not work otherwise, even with sudo

sudo apt-get install -y openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
nano /etc/openvpn/server.conf
  • uncomment push "redirect-gateway def1 bypass-dhcp"
  • uncomment/modify push "dhcp-option DNS 84.200.69.80"
  • uncomment/modify push "dhcp-option DNS 84.200.70.40"
  • uncomment user nobody
  • uncomment group nogroup

Save the file. At some point the file should look like this:
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca ca.crt
cert fir.crt
key fir.key  # This file should be kept secret
dh dh2048.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret. Enabling tls-auth (or tls-crypt) is recommended; the client profile below assumes it (key-direction 1)
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher AES-256-CBC   # AES 256
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo              # compression is discouraged in current OpenVPN releases (comp-lzo is deprecated); drop it unless a client requires it
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 0

Next, enable forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Make forwarding persistent across reboots:

nano /etc/sysctl.conf

Uncomment net.ipv4.ip_forward=1

Next Configure and Build Certificates

Copy scripts and templates as follows:

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
nano /etc/openvpn/easy-rsa/vars
  • Change export KEY_ variables (there are six of them) to match the organization
  • Change the export KEY_NAME="EasyRSA" to your servername
  • Change the line export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` to export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl-1.0.0.cnf
  • Save and exit

Next, generate the dh parameters:
openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Next, clean up and build the ca, as follows:

cd /etc/openvpn/easy-rsa
chmod 0755 *
source ./vars
./clean-all
./build-ca

Generate Certificate and Key for the Server

Note: servername is your servername

./build-key-server servername

Note that it will ask you to hit enter to accept variables multiple times; do that, and for any additional questions just use enter. When it asks to sign the cert and commit the cert, use y and y. Next, move the certs/keys, but make sure to change the servername as above:

cp /etc/openvpn/easy-rsa/keys/{servername.crt,servername.key,ca.crt} /etc/openvpn

Verify files were copied:

ls -la /etc/openvpn

Start the service and check status:

service openvpn start
service openvpn status

Make sure you see Active: active (exited) since...

Generate Client Certs

Note that clientname is the client name, but in reality it is actually for the servername, so you know what/where you will connect to. The main point is to rename the clientname.ovpn file to servername.ovpn after it has been concatenated and moved to the client. Note: one client cert can be used for everyone as long as the following line is added to the server.conf file: duplicate-cn (the trade-off is that a shared cert cannot be revoked for one client without cutting off all of them).

cd /etc/openvpn/easy-rsa
./build-key clientname

Next, copy and rename the client.conf to clientname.ovpn

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/clientname.ovpn

Edit the .ovpn file:

nano /etc/openvpn/easy-rsa/keys/clientname.ovpn

Should be something like:


<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
client
dev tun
remote 1.2.3.4 1194 udp
resolv-retry infinite
nobind
tun-mtu 1500
user nobody
group nogroup
persist-key
persist-tun
pull
tls-client
push "redirect-gateway def1"
mssfix 1450
tun-mtu-extra 32
reneg-sec 0
;ca ca.crt
;cert client.crt
;key client.key
ns-cert-type server
comp-lzo
verb 3

Note that the concatenated (unified) OpenVPN profile includes the ca, cert, and key. This can be done as follows (fix the below, it puts stuff at the end, not the beginning):

{
  echo '<ca>';   cat /etc/openvpn/ca.crt;                       echo '</ca>'
  echo '<cert>'; cat /etc/openvpn/easy-rsa/keys/clientname.crt; echo '</cert>'
  echo '<key>';  cat /etc/openvpn/easy-rsa/keys/clientname.key; echo '</key>'
} >> /etc/openvpn/easy-rsa/keys/clientname.ovpn
# The <ca>/<cert>/<key> tags mark the inline blocks; OpenVPN accepts them anywhere in the
# profile, so appending at the end is fine as long as the file-based ca/cert/key lines stay commented out.
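The profile assembly above as an added, more careful example (not OpenVPN's tooling or the page's own script): it copies the client directives, drops the file-based ca/cert/key/tls-auth lines, checks that each input actually contains a PEM block, copies only that block (easy-rsa prepends a text dump to .crt files), and wraps each in the inline tags, adding key-direction 1 when a ta.key is given. All file contents are constructed placeholders, not real keys; remote-cert-tls is used in the sample config instead of the page's ns-cert-type.

```shell
#!/bin/sh
# Build a unified (.ovpn) client profile with inline <ca>, <cert>, <key> and
# optional <tls-auth> blocks.
# Usage: build_unified_profile CLIENT.conf ca.crt client.crt client.key [ta.key] > client.ovpn
pem_block() {   # print the -----BEGIN ... -----END block(s) of a file, or fail
    grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1" || {
        echo "error: $1 does not contain a PEM block" >&2; return 1; }
    sed -n '/-----BEGIN /,/-----END /p' "$1"
}
build_unified_profile() {
    conf="$1"; ca="$2"; cert="$3"; key="$4"; ta="${5:-}"
    # Drop file-based references so the inline blocks are the only source.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$conf"
    echo "<ca>";   pem_block "$ca"   || return 1; echo "</ca>"
    echo "<cert>"; pem_block "$cert" || return 1; echo "</cert>"
    echo "<key>";  pem_block "$key"  || return 1; echo "</key>"
    if [ -n "$ta" ]; then
        echo "key-direction 1"      # client side of a tls-auth key pair
        echo "<tls-auth>"; pem_block "$ta" || return 1; echo "</tls-auth>"
    fi
}

# Constructed inputs for a self-test: a short client config plus placeholder
# "PEM" files. The .crt files carry a text dump before the PEM block, as
# easy-rsa writes them, which pem_block strips.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/client.conf" <<'EOF'
client
dev tun
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verb 3
EOF
printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' \
    '-----END CERTIFICATE-----' > "$SAMPLE/ca.crt"
printf '%s\n' 'Certificate:' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' \
    '-----END CERTIFICATE-----' > "$SAMPLE/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
    '-----END PRIVATE KEY-----' > "$SAMPLE/client.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'CONSTRUCTED-TA' \
    '-----END OpenVPN Static key V1-----' > "$SAMPLE/ta.key"

build_unified_profile "$SAMPLE/client.conf" "$SAMPLE/ca.crt" "$SAMPLE/client.crt" \
    "$SAMPLE/client.key" "$SAMPLE/ta.key" > "$SAMPLE/client.ovpn"
cat "$SAMPLE/client.ovpn"
```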

One can scp the file from server to client with the following command from the client:

scp -i /home/usr/drive/.ssh/servername.pem admin@servername:/etc/openvpn/easy-rsa/keys/clientname.ovpn /home/usr/drive/.ssh/clientname.ovpn

Change names of drives and users as applicable.