Bitbull Tech Notes - home of free minds ...

HowTo do tricky downgrade with yum (example)

This is tricky, because the version of Samba I need is no longer available in the repos.

Remove the software you want to downgrade:

rpm -qa | grep samba | xargs rpm -e --nodeps
rpm -e --nodeps libsmbclient libwbclient

Manually install the needed version:

[root@backup x86_64]# ls -1
libsmbclient-4.1.1-10031.el7.centos.x86_64.rpm
libwbclient-4.1.1-10031.el7.centos.x86_64.rpm
samba-4.1.1-10031.el7.centos.x86_64.rpm
samba-client-4.1.1-10031.el7.centos.x86_64.rpm
samba-common-4.1.1-10031.el7.centos.x86_64.rpm
samba-dc-4.1.1-10031.el7.centos.x86_64.rpm
samba-dc-libs-4.1.1-10031.el7.centos.x86_64.rpm
samba-libs-4.1.1-10031.el7.centos.x86_64.rpm
samba-pidl-4.1.1-10031.el7.centos.x86_64.rpm
samba-python-4.1.1-10031.el7.centos.x86_64.rpm
samba-test-4.1.1-10031.el7.centos.x86_64.rpm
samba-vfs-glusterfs-4.1.1-10031.el7.centos.x86_64.rpm
samba-winbind-4.1.1-10031.el7.centos.x86_64.rpm
samba-winbind-clients-4.1.1-10031.el7.centos.x86_64.rpm
samba-winbind-krb5-locator-4.1.1-10031.el7.centos.x86_64.rpm
samba-winbind-modules-4.1.1-10031.el7.centos.x86_64.rpm

yum install *.rpm

Check that all dependencies are resolved:

yum check

Pin the needed package versions:

yum -y install yum-versionlock
yum versionlock add samba\* BackupPC

 

Exclude the versions from being upgraded:

vi /etc/yum.conf
------
[main]
...
exclude=*samba* libsmb* libwbclient* BackupPC
------

 

Check that yum behaves as expected:

yum makecache
yum upgrade


Install devstack on CentOS7

Recently I had to install DevStack, the OpenStack test environment, as a nested VM on KVM with qcow VM disks.

As always, I started with a CentOS 7 minimal installation.

Below are my notes so you can build your own:

yum install -y git yum-utils python-testrepository epel-release
yum -y update
getenforce        # set SELinux to permissive or disable it
iptables-save     # there should be no rules for testing
reboot

useradd -d /opt/stack -m -s /bin/bash stack
echo "stack ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
su - stack
git clone https://git.openstack.org/openstack-dev/devstack
cd devstack/
./stack.sh
# wait 1 minute and enter the passwords when asked
# wait another 20 minutes

 

But I had some strange issues, even on a kickstarted minimal VM... here are my notes on how I got around them:

 

ERROR1:

Command "python setup.py egg_info" failed with error code 1 in /opt/stack/keystone
+ /opt/stack/devstack/inc/python:pip_install:L1:   exit_trap
+ ./stack.sh:exit_trap:L474:   local r=1
++ ./stack.sh:exit_trap:L475:   jobs -p
+ ./stack.sh:exit_trap:L475:   jobs=
+ ./stack.sh:exit_trap:L478:   [[ -n '' ]]
+ ./stack.sh:exit_trap:L484:   kill_spinner
+ ./stack.sh:kill_spinner:L370:   '[' '!' -z '' ']'
+ ./stack.sh:exit_trap:L486:   [[ 1 -ne 0 ]]
+ ./stack.sh:exit_trap:L487:   echo 'Error on exit'
Error on exit
+ ./stack.sh:exit_trap:L488:   generate-subunit 1457190882 600 fail
[...]

SOLUTION1:

sudo yum -y install python-testrepository


ERROR2:

 

2016-03-06 15:01:31.414 | Starting Keystone
++ /opt/stack/devstack/functions-common:is_service_enabled:L1997:   set +o
++ /opt/stack/devstack/functions-common:is_service_enabled:L1997:   grep xtrace
+ /opt/stack/devstack/functions-common:is_service_enabled:L1997:   xtrace='set -o xtrace'
+ /opt/stack/devstack/functions-common:is_service_enabled:L1998:   set +o xtrace
+ /opt/stack/devstack/functions-common:is_service_enabled:L2026:   return 1
+ /opt/stack/devstack/lib/keystone:init_keystone:L497:   recreate_database keystone
+ /opt/stack/devstack/lib/database:recreate_database:L112:   local db=keystone
+ /opt/stack/devstack/lib/database:recreate_database:L113:   recreate_database_mysql keystone
+ /opt/stack/devstack/lib/databases/mysql:recreate_database_mysql:L56:   local db=keystone
+ /opt/stack/devstack/lib/databases/mysql:recreate_database_mysql:L57:   mysql -uroot -phdsshdk -h127.0.0.1 -e 'DROP DATABASE IF EXISTS keystone;'
+ /opt/stack/devstack/lib/databases/mysql:recreate_database_mysql:L58:   mysql -uroot -phdsshdk -h127.0.0.1 -e 'CREATE DATABASE keystone CHARACTER SET utf8;'
+ /opt/stack/devstack/lib/keystone:init_keystone:L500:   /usr/bin/keystone-manage db_sync
Traceback (most recent call last):
  File "/usr/bin/keystone-manage", line 6, in <module>
    from keystone.cmd.manage import main
  File "/opt/stack/keystone/keystone/cmd/manage.py", line 32, in <module>
    from keystone.cmd import cli
  File "/opt/stack/keystone/keystone/cmd/cli.py", line 23, in <module>
    from oslo_log import log
  File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 50, in <module>
    from oslo_log import formatters
  File "/usr/lib/python2.7/site-packages/oslo_log/formatters.py", line 27, in <module>
    from oslo_serialization import jsonutils
  File "/usr/lib/python2.7/site-packages/oslo_serialization/jsonutils.py", line 44, in <module>
    import six.moves.xmlrpc_client as xmlrpclib
ImportError: No module named xmlrpc_client
+ /opt/stack/devstack/lib/keystone:init_keystone:L1:   exit_trap
+ ./stack.sh:exit_trap:L474:   local r=1
++ ./stack.sh:exit_trap:L475:   jobs -p
+ ./stack.sh:exit_trap:L475:   jobs=
+ ./stack.sh:exit_trap:L478:   [[ -n '' ]]
+ ./stack.sh:exit_trap:L484:   kill_spinner
+ ./stack.sh:kill_spinner:L370:   '[' '!' -z '' ']'
+ ./stack.sh:exit_trap:L486:   [[ 1 -ne 0 ]]
+ ./stack.sh:exit_trap:L487:   echo 'Error on exit'
Error on exit
+ ./stack.sh:exit_trap:L488:   generate-subunit 1457275980 511 fail
Traceback (most recent call last):
  File "/bin/generate-subunit", line 7, in <module>
    from os_testr.generate_subunit import main
  File "/usr/lib/python2.7/site-packages/os_testr/generate_subunit.py", line 20, in <module>
    import subunit
  File "/usr/lib/python2.7/site-packages/subunit/__init__.py", line 141, in <module>
    from iso8601 import iso8601
ImportError: cannot import name iso8601

SOLUTION2:

sudo pip uninstall six; sudo pip install six

 

Start over:

If you got errors and do not know how to clean up... It's pretty easy:

rm -rf /opt/stack
rm -rf /usr/local/bin/

./clean.sh
./unstack.sh
userdel -r stack


Install Aircrack-NG on CentOS 7

copy paste ... :-)

yum -y install epel-release
yum install -y wireless-tools
iwconfig
yum install -y git-svn libpcap-devel sqlite-devel gcc gcc-c++ libnl-devel openssl-devel usbutils pciutils rfkill
cd /usr/local/src/
svn co http://svn.aircrack-ng.org/trunk/ aircrack-ng
cd aircrack-ng/
make install clean

 

use it:

# kill interfering processes
$ airmon-ng check kill
 
# set interface into monitor mode (my interface is wlan0)
$ airmon-ng start wlan0
 
# start packet capturing
$ airodump-ng wlan0mon
 
# stop monitor mode
$ airmon-ng stop wlan0mon

Turn On NFS Debugging

I found this on Server Fault. It provides useful internal information about NFS and RPC:

 

* RPC debugging:
      cat /proc/sys/sunrpc/rpc_debug
      echo 2048 > /proc/sys/sunrpc/rpc_debug
      grep . /proc/net/rpc/*/content
      ls -l /proc/fs/nfsd
      cat /proc/fs/nfs/exports
* NFS debugging:
      # turn on linux nfs debug
      echo 1 > /proc/sys/sunrpc/nfs_debug
      # turn off linux nfs debug
      echo 0 > /proc/sys/sunrpc/nfs_debug

Enable Kdump in CentOS7

Just a small hint :-)

yum install kexec-tools

grep crashkernel= /etc/default/grub
   GRUB_CMDLINE_LINUX="vconsole.font=latarcyrheb-sun16 vconsole.keymap=sg crashkernel=auto console=tty0 console=ttyS0,115200"

grub2-mkconfig -o /boot/grub2/grub.cfg

reboot

systemctl enable kdump.service

systemctl start kdump.service

systemctl status kdump

grep ^path /etc/kdump.conf

   path /var/crash

 

done!

ntpd on CentOS 7 is starting before networking on reboot

Strange Issue, but it is true!

Here is my way to fix it:

# first check the systemd unit and only fix it if present
if [ -f /usr/lib/systemd/system/ntpd.service ] ; then
   # copy the vendor unit to /etc so the change survives package updates
   cat /usr/lib/systemd/system/ntpd.service > /etc/systemd/system/ntpd.service
   # append network.target to the After= line unless it is already there
   if ! grep -q 'After=.*network.target' /etc/systemd/system/ntpd.service ; then
      sed -i '/After=/ s/$/ network.target/' /etc/systemd/system/ntpd.service
   fi
fi

systemctl daemon-reload

CentOS 7 set MTU on bonding and VLAN interfaces

YES, IT IS A BUG ON CENTOS 7!
The MTU on bonding interfaces is ignored by default ... too sad!!!

What we can do to work around it:

eth0 + eth1 (NIC) > SAN1 (BOND) > NFS (VLAN.99) and MTU=9000

# egrep "MTU=|ONBOOT=|NM_CONTROLLED=" /etc/sysconfig/network-scripts/ifcfg-*
[...]
/etc/sysconfig/network-scripts/ifcfg-NFS:ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-NFS:MTU=9000
/etc/sysconfig/network-scripts/ifcfg-SAN1:ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-SAN1:MTU=9000
/etc/sysconfig/network-scripts/ifcfg-SAN1.1:ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-SAN1.1:MTU=9000
/etc/sysconfig/network-scripts/ifcfg-SAN1.2:ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-SAN1.2:MTU=9000
/etc/sysconfig/network-scripts/ifcfg-VM1:ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-VM1.1:ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-VM1.2:ONBOOT=yes

Configured with nmtui

  • /etc/NetworkManager/dispatcher.d/bond-mtu.sh
------
#!/bin/bash
# NetworkManager runs dispatcher scripts as "<script> <interface> <action>"
# and exports CONNECTION_ID with the name of the connection profile.

INTERFACE_NAME_REGEX="^bond|SAN1|NFS"

/usr/bin/logger -t "$(basename "$0")" "starting"

if [[ $CONNECTION_ID =~ $INTERFACE_NAME_REGEX ]]; then
   if [[ $2 == up ]]; then
      # read MTU= from the ifcfg file of the connection that just came up
      MTU=$(awk -F "=" '($1 ~ "^MTU") {print $NF}' "/etc/sysconfig/network-scripts/ifcfg-$CONNECTION_ID")
      # compare as numbers, not as strings
      if [[ -n $MTU && $MTU -gt 0 && $MTU -ne 1500 ]]; then
         /usr/bin/logger -t "$(basename "$0")" -s "Setting MTU of $CONNECTION_ID to $MTU..."
         if /usr/sbin/ip link set dev "$1" mtu "$MTU" ; then
            /usr/bin/logger -t "$(basename "$0")" "Successfully set MTU of $CONNECTION_ID to $MTU"
         else
            /usr/bin/logger -t "$(basename "$0")" "Failed to set MTU of $CONNECTION_ID to $MTU"
         fi
      fi
   fi
fi
------

chmod 755 /etc/NetworkManager/dispatcher.d/bond-mtu.sh
systemctl enable NetworkManager-dispatcher.service
systemctl start NetworkManager-dispatcher.service
reboot
ip a

 

log traffic with iptables

Recently I had to log NATed traffic in the PREROUTING chain on CentOS 7, which is still impossible with firewalld!!!! :-(

So I switched back to the iptables firewall, which is still possible in CentOS 7; I hope RHEL 8 will have a better firewalling solution.
The idea of firewalld is ok, but firewalld brings more limitations than features.

How to switch back to iptables:

yum remove firewalld
yum install iptables-services iptables
systemctl enable iptables
systemctl restart iptables

And finally here is the way to log the chains you need:

vi /etc/sysconfig/iptables
------
*nat
# log (rate limited) before the DNAT rules, so the original destination is still visible
-A PREROUTING -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES PREROUTING "
# do not nat apache traffic (first match wins, so it is not redirected to the proxy below)
-A PREROUTING -s 10.8.0.0/16  -d 10.0.40.10/32 -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.0.40.10:80
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 21  -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.40.10:3129
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT  -m limit --limit 1/s --limit-burst 7   -j LOG --log-prefix "[IPTABLES INPUT "
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#http transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
#https transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3129 -j ACCEPT
#classic proxy
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES FORWARD "
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# every table needs its own COMMIT, otherwise iptables-restore rejects the file
COMMIT
------
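As an added example (not from the blog), a small summary of what those LOG rules produce: the sh/awk function below tallies hits per chain, source, destination and destination port from constructed /var/log/messages lines that use the log prefixes above; host name, addresses and timestamps are made up.

```shell
#!/bin/sh
# Constructed sample lines in the form the LOG target writes them to
# /var/log/messages with the --log-prefix values from the rule set above.
SAMPLE_LOG='Mar  6 15:01:31 gw kernel: [IPTABLES PREROUTING IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.1.5 DST=10.0.40.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  6 15:01:32 gw kernel: [IPTABLES PREROUTING IN=eth0 OUT= SRC=10.8.1.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0
Mar  6 15:01:33 gw kernel: [IPTABLES INPUT IN=eth0 OUT= SRC=10.8.2.7 DST=10.0.40.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Mar  6 15:01:34 gw kernel: [IPTABLES FORWARD IN=eth0 OUT=eth1 SRC=10.8.2.7 DST=10.0.40.11 LEN=78 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Mar  6 15:01:35 gw kernel: [IPTABLES PREROUTING IN=eth0 OUT= SRC=10.8.1.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51002 DPT=443 SYN URGP=0'

# Summarise log hits per chain, source, destination, protocol and destination
# port. Reads log lines on stdin and prints "count chain src dst proto dpt",
# busiest flow first.
summarize_iptables_log() {
    awk '
        match($0, /\[IPTABLES [A-Z]+ /) {
            # the prefix is "[IPTABLES <CHAIN> ": 10 chars before the chain, 1 after
            chain = substr($0, RSTART + 10, RLENGTH - 11)
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue          # skip flags like DF, SYN and timestamps
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[chain " " src " " dst " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# e.g. run against the real log: grep IPTABLES /var/log/messages | summarize_iptables_log
printf '%s\n' "$SAMPLE_LOG" | summarize_iptables_log
```

Because of `-m limit --limit 1/sec --limit-burst 7` the counts are lower bounds: packets above that rate are dropped from the log, not from the traffic.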

External qcow2 snapshots on CentOS7 KVM

I have been using GlusterFS storage with qcow2 files on it for months.
VMs are running fast, and live migration also works fine.
But I was missing real live snapshots.

Internal qcow2 snapshots, which also dump the guest memory, work fine,
but they suspend the guest during backup, which can take from a few seconds to a few minutes.

So I was searching for something like external snapshots,
but there was no way to blockcommit the delta file back into its original after backing it up.

But with recent CentOS 7 and the oVirt kvm repo, it is now possible!!!

  • Guest freezes during backup for less than 2 seconds (depends on your storage and system)
  • Memory is not dumped, as it is a disk-only backup
  • Backup is now possible by simply copying the qcow2 file
  • Delta file can now be committed back into the original
  • Delta file cannot be deleted with virsh, but there is a simple workaround, see below

I have written a prototype backup tool, which can do cron-based backup (external), restore and snapshot (internal):
http://www.bitbull.ch/dl/scripts/virsh-qcow-backup.sh

cheers, chris

[root@clue1 ~]# virsh domblklist vm10
Target     Source
------------------------------------------------
vda        /srv/vm/images/vm10.qcow2

[root@clue1 ~]# ls -l /srv/vm/images/vm10*
-rw-r--r--. 1 qemu qemu 2908291072 Jun 25 12:37 /srv/vm/images/vm10.qcow2

[root@clue1 ~]# virsh snapshot-list vm10
 Name                 Creation Time             State
------------------------------------------------------------

[root@clue1 ~]# virsh snapshot-create-as --domain vm10 snap --disk-only --atomic
Domain snapshot snap created

[root@clue1 ~]# virsh snapshot-list vm10
 Name                 Creation Time             State
------------------------------------------------------------
 snap                 2015-06-25 12:38:12 +0200 disk-snapshot

[root@clue1 ~]# virsh domblklist vm10
Target     Source
------------------------------------------------
vda        /srv/vm/images/vm10.snap

[root@clue1 ~]# ls -l /srv/vm/images/vm10*
-rw-r--r--. 1 qemu qemu 2908291072 Jun 25 12:38 /srv/vm/images/vm10.qcow2
-rw-------. 1 qemu qemu     197632 Jun 25 12:38 /srv/vm/images/vm10.snap

[root@clue1 ~]# cp /srv/vm/images/vm10.qcow2 /srv/vm/images/vm10.qcow2.bak

[root@clue1 ~]# ssh vm10 mkdir /test

[root@clue1 ~]# ssh vm10 touch /test/$(date +%H_%M_%S)

[root@clue1 ~]# ssh vm10 ls /test/
12_40_19

[root@clue1 ~]# virsh blockcommit vm10 vda --active --pivot  --verbose
Block Commit: [100 %]
Successfully pivoted

[root@clue1 ~]# virsh domblklist vm10
Target     Source
------------------------------------------------
vda        /srv/vm/images/vm10.qcow2

[root@clue1 ~]# virsh snapshot-list vm10
 Name                 Creation Time             State
------------------------------------------------------------
 snap                 2015-06-25 12:38:12 +0200 disk-snapshot

[root@clue1 ~]# virsh snapshot-delete vm10 snap --metadata
Domain snapshot snap deleted

[root@clue1 ~]# virsh snapshot-list vm10
 Name                 Creation Time             State
------------------------------------------------------------

[root@clue1 ~]# ls -l /srv/vm/images/vm10*
-rw-r--r--. 1 qemu qemu 2908356608 Jun 25 12:42 /srv/vm/images/vm10.qcow2
-rw-r--r--. 1 root root 2908291072 Jun 25 12:39 /srv/vm/images/vm10.qcow2.bak
-rw-------. 1 qemu qemu    3080192 Jun 25 12:40 /srv/vm/images/vm10.snap

[root@clue1 ~]# rm -f /srv/vm/images/vm10.snap

[root@clue1 ~]# ssh vm10 sync

[root@clue1 ~]# virsh destroy vm10
Domain vm10 destroyed

[root@clue1 ~]# virsh start vm10
Domain vm10 started

[root@clue1 ~]# ssh vm10 ls /test/
12_40_19

[root@clue1 ~]# virsh destroy vm10
Domain vm10 destroyed

[root@clue1 ~]# mv /srv/vm/images/vm10.qcow2 /srv/vm/images/vm10.qcow2.current

[root@clue1 ~]# mv /srv/vm/images/vm10.qcow2.bak /srv/vm/images/vm10.qcow2

[root@clue1 ~]# virsh start vm10
Domain vm10 started

[root@clue1 ~]# ssh vm10 ls /test/
ls: cannot access /test/: No such file or directory

[root@clue1 ~]# virsh snapshot-list vm10
 Name                 Creation Time             State
------------------------------------------------------------

[root@clue1 ~]# ls -l /srv/vm/images/vm10*
-rw-r--r--. 1 qemu qemu 2908553216 Jun 25 12:45 /srv/vm/images/vm10.qcow2
-rw-r--r--. 1 root root 2908553216 Jun 25 12:44 /srv/vm/images/vm10.qcow2.current

[root@clue1 ~]# rpm -qa | grep kvm
libvirt-daemon-kvm-1.2.8-16.el7_1.3.x86_64
qemu-kvm-ev-2.1.2-23.el7_1.3.1.x86_64
qemu-kvm-common-ev-2.1.2-23.el7_1.3.1.x86_64

[root@clue1 ~]# ls -1 /etc/yum.repos.d/*
/etc/yum.repos.d/CentOS-Base.repo
/etc/yum.repos.d/CentOS-CR.repo
/etc/yum.repos.d/CentOS-Debuginfo.repo
/etc/yum.repos.d/CentOS-fasttrack.repo
/etc/yum.repos.d/CentOS-Sources.repo
/etc/yum.repos.d/CentOS-Vault.repo
/etc/yum.repos.d/glusterfs-epel.repo
/etc/yum.repos.d/ovirt-3.5-dependencies.repo
/etc/yum.repos.d/ovirt-3.5.repo
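An added example (not the blog's virsh-qcow-backup.sh) that scripts one cycle of the session above and checks, via virsh domblklist, that the pivot really moved the disk back to the base image before the delta file is removed; domain vm10, target vda and the snapshot name are assumed from the session above.

```shell
#!/bin/sh
# One external-snapshot backup cycle for a single-disk guest, as in the
# session above. Nothing is called at top level; run: backup_vm vm10 vda snap

# Print the current source file of <target> from "virsh domblklist" output
# (the "Target  Source" table) passed in as $1.
blk_source() {  # blk_source <domblklist-output> <target>
    printf '%s\n' "$1" | awk -v t="$2" '$1 == t { print $2; exit }'
}

# snapshot -> copy the now-quiescent base -> commit the delta back -> drop the
# snapshot metadata and the delta file. The delta is only deleted once
# domblklist confirms that the pivot moved the disk back to the base image.
backup_vm() {  # backup_vm <domain> <target> <snapshot-name>
    dom=$1; tgt=$2; snap=$3
    base=$(blk_source "$(virsh domblklist "$dom")" "$tgt")
    virsh snapshot-create-as --domain "$dom" "$snap" --disk-only --atomic || return 1
    delta=$(blk_source "$(virsh domblklist "$dom")" "$tgt")
    if [ "$delta" = "$base" ]; then
        echo "snapshot did not redirect $tgt, nothing to back up" >&2; return 1
    fi
    cp "$base" "$base.bak" || return 1      # guest writes go to $delta meanwhile
    virsh blockcommit "$dom" "$tgt" --active --pivot --verbose || return 1
    now=$(blk_source "$(virsh domblklist "$dom")" "$tgt")
    if [ "$now" != "$base" ]; then
        echo "pivot failed, $tgt still uses $delta; keeping it" >&2; return 1
    fi
    # virsh only drops the metadata; the delta file has to be removed by hand
    virsh snapshot-delete "$dom" "$snap" --metadata
    rm -f "$delta"
}
```

Restoring $base.bak rolls the guest back to the moment of the snapshot, as the missing /test directory in the session shows.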

Bandwidth Limitation with Apache on CentOS 7

 

Install and configure:

yum install http://repo.unmanarc.com/CentOS/7/RPMS/x86_64/mod_bw-0.92-2.el7.centos.x86_64.rpm
rpm -ql mod_bw
sed -i 's@extramodules/mod_bw.so@modules/mod_bw.so@g' /etc/httpd/conf.d/mod_bw.conf
systemctl restart httpd

Configure virtual Apache host:

<VirtualHost *:80>
    ServerAdmin admin@bitbull.ch
    DocumentRoot /srv/www/html
    ServerName www.bitbull.ch
    ServerAlias www
    ErrorLog /srv/www/log/error.log
    DirectoryIndex index.php index.html index.htm
    <Directory /srv/www/html>
        BandWidthModule On
        ForceBandWidthModule On
        # rate in bytes per second: 409600 = 400 KiB/s for all clients
        BandWidth all 409600
        BandWidthError 510
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>

systemctl restart httpd

Backup LDAP with slapcat on CentOS 7

#!/bin/bash

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
set -e

KEEP=7                        # number of dumps to keep
BASE_DN='dc=domain,dc=ch'
LDAPBK="ldap-$( date +%y%m%d-%H%M ).ldif"
BACKUPDIR='/srv/ldap-backup'

# the dump contains password hashes: keep the directory root-only (e.g. umask 077)
test -d "$BACKUPDIR" || mkdir -p "$BACKUPDIR"

slapcat -b "$BASE_DN" -l "$BACKUPDIR/$LDAPBK"
gzip -9 "$BACKUPDIR/$LDAPBK"

# oldest first, drop the newest $KEEP from the list and delete the rest
ls -1tr "$BACKUPDIR"/*.ldif.gz | head -n -"$KEEP" | xargs -r rm -f

Enable debug logging on CentOS 7 LDAP Server


vi /root/ldap/logging.ldif
------
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1
------

# apply (-1 turns on every log level; it is very verbose, so set it back once you are done)
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap/logging.ldif

# verify
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i LOG

systemctl restart slapd

vi /etc/rsyslog.conf
------
local4.* -/var/log/slapd.log
------

systemctl restart rsyslog

vi /etc/logrotate.d/syslog
------
# add this line
/var/log/slapd.log
------

see: https://www.lisenet.com/2014/install-and-configure-an-openldap-server-with-ssl-on-debian-wheezy/

OpenVPN Site to Site with CentOS 7

OpenVPN site to site with CentOS 7 and symmetric (static key) encryption

OFFICE:
Network: 192.168.10.0/24

HOME:
Network: 192.168.20.0/24


DO THIS ON ALL MACHINES:

yum install https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install openvpn

DO THIS ON OFFICE MACHINE:

vi /etc/openvpn/office-home.conf
------
remote home.compress.to
port 4001
float
proto udp
dev tun1
# tunnel endpoints: local address first, then remote (mirrored on the other side)
# note: 172.10.0.0 is not RFC 1918 private space; 172.16.0.0/12 would be
ifconfig 172.10.0.1 172.10.0.2
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/office-home.key
route 192.168.20.0 255.255.255.0
user openvpn
group openvpn
syslog office-home
verb 1
------

vi /etc/sysconfig/iptables
------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# openvpn (must match the "port" directive in office-home.conf)
-A INPUT -p udp --dport 4001 -j ACCEPT
# do not allow anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# openvpn: only forward between the two site networks
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
# do not allow anything else
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
------

openvpn --genkey --secret /etc/openvpn/office-home.key
chmod 600 /etc/openvpn/office-home.conf
chmod 400 /etc/openvpn/office-home.key
scp /etc/openvpn/office-home.key root@vpn-home:/etc/openvpn/office-home.key

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

systemctl enable iptables
systemctl restart iptables

systemctl enable openvpn@office-home
systemctl restart openvpn@office-home

DO THIS ON HOME MACHINE:

vi /etc/openvpn/home-office.conf
------
remote office.compress.to
port 4001
float
proto udp
dev tun1
ifconfig 172.10.0.2 172.10.0.1
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/office-home.key
route 192.168.10.0 255.255.255.0
user openvpn
group openvpn
syslog office-home
verb 1
------

vi /etc/sysconfig/iptables
------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# openvpn (must match the "port" directive in home-office.conf)
-A INPUT -p udp --dport 4001 -j ACCEPT
# do not allow anything else
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# openvpn: only forward between the two site networks
-A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.10.0/24 -j ACCEPT
# do not allow anything else
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
------

chmod 600 /etc/openvpn/home-office.conf
chmod 400 /etc/openvpn/office-home.key   # the key copied over with scp from the office machine

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

systemctl enable iptables
systemctl restart iptables

systemctl enable openvpn@home-office
systemctl restart openvpn@home-office


DO NOT FORGET TO SET STATIC ROUTES ON THE DEFAULT GATEWAYS (each site's gateway needs a route for the remote network via its OpenVPN machine)
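A port that differs between the `port` directive and the INPUT rule, or `ifconfig` addresses that are not mirrored, only shows up as a tunnel that never comes up, so here is an added example (not from the blog) that cross-checks both configs and one side's firewall rule before the services are enabled. The config texts are constructed copies of the directives above; the sample rule deliberately opens a different port to show what the check reports.

```shell
#!/bin/sh
# Constructed copies of the directives that have to agree between the two
# sides, plus one INPUT rule for the office firewall (port chosen to mismatch).
OFFICE_CONF='remote home.compress.to
port 4001
proto udp
dev tun1
ifconfig 172.10.0.1 172.10.0.2
secret /etc/openvpn/office-home.key
route 192.168.20.0 255.255.255.0'
HOME_CONF='remote office.compress.to
port 4001
proto udp
dev tun1
ifconfig 172.10.0.2 172.10.0.1
secret /etc/openvpn/office-home.key
route 192.168.10.0 255.255.255.0'
OFFICE_RULES='-A INPUT -p udp --dport 8001 -j ACCEPT'

# Print the value of the first <directive> found in the config text $1.
directive() {  # directive <config-text> <directive>
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Report every inconsistency between config A, config B and A's firewall
# rules. Returns 1 if anything is wrong, 0 if the pair is consistent.
check_site_to_site() {  # check_site_to_site <conf_a> <conf_b> <iptables_rules_a>
    a=$1; b=$2; rules=$3; rc=0
    port=$(directive "$a" port); proto=$(directive "$a" proto)
    [ "$port" = "$(directive "$b" port)" ] || { echo "port differs"; rc=1; }
    [ "$proto" = "$(directive "$b" proto)" ] || { echo "proto differs"; rc=1; }
    # ifconfig must be mirrored: A's local is B's remote and vice versa
    set -- $(directive "$a" ifconfig); la=$1; ra=$2
    set -- $(directive "$b" ifconfig); lb=$1; rb=$2
    [ "$la" = "$rb" ] && [ "$ra" = "$lb" ] || { echo "ifconfig addresses are not mirrored"; rc=1; }
    # the listening port has to be accepted in A's INPUT chain
    printf '%s\n' "$rules" | grep -q -- "-p $proto --dport $port " \
        || { echo "firewall does not accept $proto/$port"; rc=1; }
    return $rc
}

# on a real box: check_site_to_site "$(cat office-home.conf)" "$(ssh vpn-home cat /etc/openvpn/home-office.conf)" "$(cat /etc/sysconfig/iptables)"
check_site_to_site "$OFFICE_CONF" "$HOME_CONF" "$OFFICE_RULES" || echo "-> fix before enabling openvpn"
```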
