Disable Ctrl + Alt + Del

# sudo vi /etc/init/control-alt-delete.conf

Output

# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed, and performs a safe reboot of the machine.

description     "emergency keypress handling"
author          "Scott James Remnant"

start on control-alt-delete

task
exec shutdown -r now "Control-Alt-Delete pressed"

Change the following line

exec shutdown -r now "Control-Alt-Delete pressed"

To

#exec shutdown -r now "Control-Alt-Delete pressed"

SFTP over SSH

Ubuntu SFTP-Only Account How-to

This guide will show you how to set up Linux user accounts restricted to using SFTP only. These accounts will be unable to run arbitrary shell commands on the server or to access/create files outside their own home directories. The steps in this guide were tested on Ubuntu Server 12.04 with version 5.3p1 of the OpenSSH daemon, obtained from the Ubuntu software repositories.

Although this guide is aimed at Ubuntu users, it should also be applicable to other flavors of Linux as well. The most important factor to consider is the version of OpenSSH you have installed on your system. Version 5.0 or above is recommended as these versions support the OpenSSH ChrootDirectory configuration option that we’ll be using here.

Right, that’s enough of the rambling, let’s get to it…

Step 0 – Make sure /home is owned by ROOT

sudo chown root:root /home/

Step 1- Create a Group for the Restricted Accounts

For the sake of this example, we’ll create a new group called ‘sftponly’. It’s best to use the addgroup command to do this, as it takes care of allocating an unused GID (Group Identifier) to the new group for us:

sudo addgroup sftponly

Step 2- Create the User Account

For example’s sake, we’ll create a user account with the username ‘raq3785’, set his home directory as ‘/home/raq3785’ and give him the password ‘pass

We’ll use the useradd command here as it takes care of assigning an unallocated UID to the user account for us.

Creating the User Account:

sudo useradd -d /home/raq3785/bandrplus.com -s /usr/lib/sftp-server -M -N -g sftponly raq3785

Setting the Password:

sudo passwd raq3785
sudo adduser raq3785 sftponly

Step 3- Setup the users home directory

Right, let’s create a home for raq3785 and give him somewhere to put his files. Enter the commands below one by one on separate lines:

sudo mkdir -p /home/raq3785/bandrplus.com
sudo chown root:sftponly /home/raq3785
sudo chown raq3785:sftponly /home/raq3785/bandrplus.com
sudo usermod raq3785 -d /bandrplus.com
sudo chmod 755 /home/raq3785
sudo chmod 755 /home/raq3785/bandrplus.com

The first line creates the ‘/home/raq3785’ and ‘/home/raq3785/bandrplus.com’ directories.

The second line sets the owner of the /home/raq3785 directory to root (and its group to sftponly). This is an important step, as the SSH server will complain (and refuse to let our restricted user log in) if the root of the user’s home directory is NOT owned by root.

You should be able to log in to your account with a username and password when you’ve completed all the steps in this guide, but it’s recommended you use the public key method for authentication, as it is considerably more secure.

If you already have a private and public key you would like to use, then all you need to do is upload a copy of the public key to a subdirectory named .ssh in the user’s home directory.

Assuming that our public key file is named ‘raq3785.pub’, we would issue the following commands to set up public key authentication for the raq3785 user account.


mkdir -p /home/raq3785/.ssh                  # /home/raq3785 is root-owned, so create this as root
cd /home/raq3785/.ssh
cat raq3785.pub >> authorized_keys
chmod 700 /home/raq3785/.ssh                 # sshd rejects keys in a directory others can write to
chmod 600 authorized_keys                    # the key file needs no execute bit
chown -R raq3785:sftponly /home/raq3785/.ssh
rm raq3785.pub

Step 4- Add an entry to /etc/shells

Open /etc/shells as root in your favorite text editor (sudo vi /etc/shells) and add the following line at the bottom:

/usr/lib/sftp-server

Step 5- Amend the SSH Server Configuration file

Open the SSH server configuration file as root to start making changes. On an Ubuntu system this file is usually /etc/ssh/sshd_config:

sudo vi /etc/ssh/sshd_config

This may differ on other distributions, so check beforehand.

Find the line Subsystem sftp /usr/lib/openssh/sftp-server and change it to read:

Subsystem sftp internal-sftp

Find the line UsePAM yes and comment it out:

#UsePAM yes

Now add the following lines at the bottom of the file:

Match group sftponly
ChrootDirectory /home/%u
# ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match

The line Match group sftponly tells the SSH server to apply the configuration options below it to all members of the ‘sftponly’ system group.

The ChrootDirectory line tells the SSH server to confine the user to the named directory: /home/%u here (‘%u’ expands to the username), or the user’s home directory when written as ChrootDirectory %h (the commented-out alternative above).

The ‘X11Forwarding no’ and ‘AllowTcpForwarding no’ lines prevent the user from, respectively, accessing graphical applications on the server and connecting to other systems via ours.

The ‘ForceCommand internal-sftp’ line prevents the user from executing their own commands and forces them to use the SFTP server component of the SSH server, by executing the ‘internal-sftp’ command when the user logs in.

More information on the various SSH server configuration options available and what they do can be found here.

Step 6- Restart the SSH Server

Ubuntu/Debian users can issue the following command to restart the SSH server:

sudo /etc/init.d/ssh restart 

That’s it. You should be able to log in using the ‘sftp’ command with either the username and password you set up or your private key (if you set this up in Step 3). Using the setup outlined here, you would only have to repeat steps 1-3 to set up new accounts.

Hope this is useful to someone.

Should you run into any problems, check /var/log/syslog and /var/log/auth.log for details. Run ssh or sftp with the -vvv option for debugging messages. For sftp, the option must appear before the host, as in sftp -vvv user@host.

=======================================================================


For extra security, restrict the users who can log in. If you forget to add SFTP users to the sftponly group, you give them free shell access. Not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfill both rules), you have to create an additional group, say ssh-users. Add the users who are allowed to log in over SSH (youruser below):

sudo groupadd ssh-users
sudo usermod -a -G ssh-users youruser

And add the following line to /etc/ssh/sshd_config (sudo vi /etc/ssh/sshd_config):

AllowGroups ssh-users sftponly

Now proceed with modifying the permissions of the user’s home directory to allow for chrooting, and create a directory inside it in which raq3785 is free to put any files (example user raq3785):

sudo chown root:sftponly /home/raq3785
sudo chmod 755 /home/raq3785
sudo mkdir /home/raq3785/bandrplus.com
sudo chown raq3785: /home/raq3785/bandrplus.com
sudo chmod 755 /home/raq3785/bandrplus.com
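The chroot prerequisites from Step 3, the sshd_config settings from Step 5 and the AllowGroups addendum above are easy to get subtly wrong, and sshd only reports the failure in auth.log at login time. The following Python script is an added example, not part of this guide: it parses an sshd_config-style text (the two samples inside it are constructed from the lines given above, one correct and one with the Subsystem and ForceCommand lines wrong), reports what is missing from the ‘Match group sftponly’ block, checks that every directory from the ChrootDirectory up to / is root-owned and not group- or world-writable (the rule sshd enforces), and shows which authorized_keys path sshd will actually read. That last point matters for the key setup in Step 3: sshd expands %h and relative AuthorizedKeysFile paths from the home directory in /etc/passwd, on the host and before entering the chroot, so with the home set to /bandrplus.com the key is looked up at /bandrplus.com/.ssh/authorized_keys rather than /home/raq3785/.ssh/authorized_keys unless AuthorizedKeysFile names an explicit path. The function names are this example's own.

```python
import os
import stat

# Constructed sample: the sshd_config lines from Step 5 plus the AllowGroups line.
GOOD_SSHD_CONFIG = """
Subsystem sftp internal-sftp
AllowGroups ssh-users sftponly

Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""

# Constructed counter-example: Subsystem left at the external binary, ForceCommand forgotten.
WEAK_SSHD_CONFIG = """
Subsystem sftp /usr/lib/openssh/sftp-server

Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
"""

# What the Match block must contain; None means any value is acceptable.
REQUIRED_IN_MATCH = {"chrootdirectory": None, "forcecommand": "internal-sftp",
                     "allowtcpforwarding": "no", "x11forwarding": "no"}


def parse_sshd_config(text):
    """Split sshd_config into (global_opts, blocks): global_opts is a list of
    (keyword, args); blocks is a list of (match criteria, [(keyword, args), ...]).
    Keywords and criteria are lower-cased, as sshd matches them case-insensitively."""
    global_opts, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (args.lower(), [])
            blocks.append(current)
        elif current is None:
            global_opts.append((key, args))
        else:
            current[1].append((key, args))
    return global_opts, blocks


def sftp_match_problems(text, group="sftponly"):
    """List what is missing for an SFTP-only chroot of the members of `group`."""
    global_opts, blocks = parse_sshd_config(text)
    problems = []
    sftp_sub = next((a.split() for k, a in global_opts
                     if k == "subsystem" and a.split()[:1] == ["sftp"]), None)
    if sftp_sub is None or sftp_sub[1:] != ["internal-sftp"]:
        problems.append("Subsystem sftp must be internal-sftp (no sftp-server binary exists inside the chroot)")
    allow = next((a.split() for k, a in global_opts if k == "allowgroups"), None)
    if allow is not None and group not in allow:
        problems.append(f"AllowGroups is set but omits {group}, so these users cannot log in at all")
    block = next((opts for crit, opts in blocks if crit == f"group {group}"), None)
    if block is None:
        return problems + [f"no 'Match group {group}' block"]
    opts = dict(block)
    for key, want in REQUIRED_IN_MATCH.items():
        if key not in opts:
            problems.append(f"{key} missing from the Match block")
        elif want is not None and opts[key].lower() != want:
            problems.append(f"{key} is '{opts[key]}', expected '{want}'")
    return problems


def chroot_dir_problems(st_uid, st_mode):
    """sshd's rule for ChrootDirectory and every directory above it:
    owned by root and writable by nobody else (neither group nor world)."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_chroot_path(path):
    """Walk from `path` up to '/' and return {dir: problems} for components sshd would reject."""
    report, p = {}, os.path.abspath(path)
    while True:
        if not os.path.isdir(p):
            report[p] = ["missing or not a directory"]
        else:
            st = os.stat(p)
            probs = chroot_dir_problems(st.st_uid, st.st_mode)
            if probs:
                report[p] = probs
        parent = os.path.dirname(p)
        if parent == p:
            return report
        p = parent


def authorized_keys_path(pw_dir, user, authorized_keys_file=".ssh/authorized_keys"):
    """Where sshd reads the key: %h/%u come from the passwd entry and a relative path is
    joined to the passwd home directory, on the host, before the chroot is entered."""
    expanded = authorized_keys_file.replace("%h", pw_dir).replace("%u", user)
    return expanded if expanded.startswith("/") else os.path.join(pw_dir, expanded)


if __name__ == "__main__":
    print("good config:", sftp_match_problems(GOOD_SSHD_CONFIG) or "ok")
    print("weak config:", sftp_match_problems(WEAK_SSHD_CONFIG))
    print("chroot chain:", check_chroot_path("/home/raq3785") or "ok")
    print("key file sshd reads:", authorized_keys_path("/bandrplus.com", "raq3785"))
```

Run it as root on the server after Step 5 (feeding it the real /etc/ssh/sshd_config) to get the same verdict sshd would give, without a trial login; a non-empty report means the Match block or the directory chain will be rejected.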

==============================================================


### cd /home/apache/http

### ln -s /home/raq3785/bandrplus.com/ /home/apache/http/bandrplus.com

### ls -l | grep bandrplus.com
lrwxrwxrwx 1 root root 28 Feb 4 13:53 bandrplus.com -> /home/raq3785/bandrplus.com/

chown -R apache:apache /home/apache/http/bandrplus.com

mkdir /home/apache/http/bandrplus.com

chown apache:apache /home/apache/http/bandrplus.com
ln -s /home/raq3785/bandrplus.com/* /home/apache/http/bandrplus.com

— =======================================================

Expected results for the user:

### ls -l / | grep home
drwxr-xr-x 6 root root 4096 Feb 4 13:10 home

### ls -l /home | grep raq3785
drwxr-xr-x 4 root sftponly 4096 Feb 4 13:34 raq3785


### ls -l /home/raq3785/
total 8
drwxr-xr-x 2 raq3785 sftponly 4096 Feb 4 13:36 bandrplus.com
drwxr-xr-x 4 raq3785 sftponly 4096 Feb 4 13:27 www

### sudo cat /etc/group | grep sftp
sftponly:x:1002:apache,root,raq3785
sftpguy:x:1004:

### sudo cat /etc/passwd | grep raq3785
raq3785:x:1002:1002::/bandrplus.com:/usr/lib/sftp-server

— =======================================================

sudo service ssh start
sudo service ssh restart
sudo service ssh stop

— =======================================================

Apache with MONO


http://www.smithvoice.com/apache-logging-access-and-errors

Build ASP.NET/Mono Applications with mod_mono and Apache on Ubuntu 12.04

Published: Thursday, August 5th, 2010 by Brett Kaplan

mod_mono is an Apache module that makes it possible to run ASP.NET applications in Linux environments running Apache. While ASP.NET is a Microsoft technology and is traditionally used with IIS, mod_mono has become a viable option for deploying ASP.NET applications on Linux. This guide is largely based on the mod_mono guide from the Ubuntu Community and the Mono Project's Apache and Mono document, with minor modifications. This guide does not cover installation and configuration of the Mono IDE, which is used to develop ASP.NET applications on Linux. If you are interested in developing using Visual Studio for Mono, you can download a 30-day trial of the commercial Mono Tools plugin at the Mono Tools for Visual Studio page.

This guide assumes that you've followed the steps outlined in our getting started guide. You will install the Apache web server with very minimal configuration. If you already have Apache installed and configured, you may omit these steps; however, if you have not installed Apache and are unfamiliar with this server, read the installation guide for additional documentation. Additionally, mod_mono is incompatible with the integrated PHP interpreter described in other guides. If you need to have both mod_mono and PHP running on the same Apache server, you will need to run PHP scripts using the CGI method.

Enable Universe Repositories

Before installing mod_mono we must ensure that the universe repositories are enabled on your system. Your /etc/apt/sources.list should resemble the following (you may have to uncomment or add the universe lines):

File: /etc/apt/sources.list (sudo vi /etc/apt/sources.list)

### DAQ

## main & restricted repositories
deb http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates main restricted
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted

## universe repositories
deb http://us.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid universe
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe

If you had to enable new repositories, issue the following command to update your package lists:

#apt-get update

sudo aptitude update

aptitude (to see what remains)

#apt-get upgrade

sudo aptitude safe-upgrade

aptitude (to see what remains)

Install Apache

If you already have Apache installed and configured, you can safely skip this section of the guide. Install Apache by running the following command:

sudo apt-get install apache2

As mentioned earlier, you will need to go to the installation guide if you wish to configure your server beyond the default configuration.

Install mod_mono

The Apache daemon must be stopped before mod_mono is installed. Issue the following command to stop the apache process:

sudo /etc/init.d/apache2 stop

At this point we're able to install the required packages for mod_mono. Run the following command:

sudo apt-get install mono-apache-server2 libapache2-mod-mono libmono-i18n2.0-cil

While installing, you will see a prompt that looks like the following:

Configuration file `/etc/apache2/mods-available/mod_mono.conf'

==> File on system created by you or by a script.

==> File also in package provided by package maintainer.

What would you like to do about it ? Your options are:

Y or I : install the package maintainer's version

N or O : keep your currently-installed version

D : show the differences between the versions

Z : background this process to examine the situation

The default action is to keep your current version.

*** mod_mono.conf (Y/I/N/O/D/Z) [default=N] ?

Accept the default option at this point. Once the installation completes, the notes below set a central error log in apache2.conf, create the web and log directories and a dedicated ‘apache’ user, and switch Apache to run as that user in /etc/apache2/envvars before it is started again:

sudo vi /etc/apache2/apache2.conf

ErrorLog /srv/www-logs/apache2.error.log

sudo mkdir -p /srv/www-logs

sudo mkdir -p /srv/www

sudo useradd -d /home/apache -m apache

sudo passwd apache

sudo mkdir /home/apache/.mono

sudo chown root:apache /home/apache/.mono

sudo chmod 0774 /home/apache/.mono

sudo chown root:apache /srv/www-logs/

sudo chmod 0774 /srv/www-logs/

sudo chown -R apache /srv/www/

sudo chgrp -R apache /srv/www/

sudo chmod -R 0774 /srv/www/

sudo vi /etc/apache2/envvars

export APACHE_RUN_USER=apache
export APACHE_RUN_GROUP=apache

Configure Apache

We recommend using name-based virtual hosts for web hosting. Refer to the Apache documentation for setting up Name-based virtual hosts.

Recent versions of mod_mono utilize the AutoHosting method of application deployment. This allows non-privileged users to deploy new applications without modifying Apache configuration files. While this provides great flexibility, it may also present a security risk. As a result, mod_mono must be enabled on a per-virtual host basis.

For the sake of this guide, we're going to create a site on the root of our example domain, example.org. If you already have an Apache configuration for the root of your site, you will need to modify your existing virtual host file or create a new one on a subdomain of your site. Create the virtual host file, taking the following example virtual host configuration and modifying it to suit your needs. You may also use the Mod_Mono Configuration Generator to generate your own custom configuration.

File excerpt: /etc/apache2/sites-available/example.org

<VirtualHost *:80>
    ServerName example.org
    ServerAdmin web-admin@example.org
    ServerAlias www.example.org
    DocumentRoot /srv/www/example.org/public_html
    ErrorLog /srv/www/example.org/logs/error.log
    CustomLog /srv/www/example.org/logs/access.log combined

    MonoServerPath example.org "/usr/bin/mod-mono-server2"
    MonoDebug example.org true
    MonoSetEnv example.org MONO_IOMAP=all
    MonoApplications example.org "/:/srv/www/example.org/public_html"

    <Location "/">
        Allow from all
        Order allow,deny
        MonoSetServerAlias example.org
        SetHandler mono
        SetOutputFilter DEFLATE
        SetEnvIfNoCase Request_URI "\.(?:gif|jpe?g|png)$" no-gzip dont-vary
    </Location>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript
    </IfModule>
</VirtualHost>

Save and close the file, and create the directories referenced in the DocumentRoot and ErrorLog directives:

mkdir -p /srv/www/example.org/public_html

mkdir /srv/www/example.org/logs

Enable the site by running the a2ensite command:

a2ensite example.org

FileZilla: copy all files/directories from E:\WebSites\.NET WWW\* to /home/apache/www

sudo mv /home/apache/www/*.com /etc/apache2/sites-available/

sudo mv /home/apache/www/*.Web /etc/apache2/sites-available/

sudo mv /home/apache/www/*.org /etc/apache2/sites-available/

sudo chown root:root /etc/apache2/sites-available/*

sudo mv /home/apache/www/complete/* /srv/www/

sudo rm -rf /home/apache/www/

cd /etc/apache2/sites-available

sudo a2ensite AJ.QBytesWorld.com

sudo a2ensite Ashleigh.QBytesWorld.com

sudo a2ensite BlogEngine.Web

sudo a2ensite Gaming.BlogEngine.Web

sudo a2ensite Java.Qbytesworld.com

Agile.QBytesWorld.com

Ajax.QBytesWorld.com

QbytesWorld.com

QbytesWorld.DynDns.info

QbytesWorld.info

TFSBasicTraining.QBytesWorld.com

_bandrplus.com

sudo chown -R apache /srv/www/

sudo chgrp -R apache /srv/www/

sudo chmod -R 0774 /srv/www/

Since we have modified the virtual host configuration, Apache must be reloaded:

/etc/init.d/apache2 reload

If you still see the default "It works!" Apache installation page, you may need to disable the default site. Run the following command if this is an issue for you:

a2dissite default

/etc/init.d/apache2 reload

Note: Should you restart Apache in the future, you will see an error that will look similar to this:

[crit] (13)Permission denied: Failed to attach to existing dashboard,
and removing dashboard file '/tmp/mod_mono_dashboard_XXGLOBAL_1' failed
(Operation not permitted). Further action impossible.

You can safely ignore this warning, as it won't affect deployment using the methods explained in this guide.

Ubuntu Linux: add a new user to secondary group

Use the following syntax:

useradd -G Group-name Username
passwd Username

Create a group called foo and add user tom to a secondary group called foo:
$ sudo groupadd foo
$ sudo useradd -G foo tom

OR
# groupadd foo
# useradd -G foo tom

Verify new settings:


id tom
groups tom

Finally, set the password for tom user, enter:
$ sudo passwd tom
OR
# passwd tom
To add user tom to multiple groups (foo, bar and ftp), enter:
# useradd -G foo,bar,ftp tom

useradd -d /home/apache -m apache

passwd apache

mkdir /home/apache/.mono

chown root:apache /home/apache/.mono

chmod 0774 /home/apache/.mono

chown root:apache /srv/www-logs/

chmod 0774 /srv/www-logs/

groupadd apache

useradd -g apache apache

sudo chown -R apache /srv/www/

sudo chgrp -R apache /srv/www/

sudo chmod -R 0774 /srv/www/

#########################################################

### Configure the rights to YourFolder ### (optional***)

cd /srv/www/YourFolder

sudo chown -R root:www-data .

sudo chmod -R 774 .

sudo usermod -a -G www-data <yourusername>

#########################################################

cat /etc/apache2/envvars

Change the envvars user and group:

vi /etc/apache2/envvars

export APACHE_RUN_USER=apache
export APACHE_RUN_GROUP=apache

sudo /etc/init.d/apache2 stop

rm -rf /tmp/.wapi/

sudo rm -rf /tmp/*

sudo rm -rf /srv/www-logs/*

sudo /etc/init.d/apache2 start

sudo /etc/init.d/apache2 start

sudo /etc/init.d/apache2 stop

sudo chmod -R 0777 /srv/

sudo chown -R www-data /srv/

sudo chgrp -R www-data /srv/

sudo rm -rf /tmp/*

sudo rm -rf /srv/www-logs/*

sudo /etc/init.d/apache2 start
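The sequence above ends by making the whole of /srv world-writable (chmod -R 0777) and handing it to www-data, which lets any local account, or any compromised web application, rewrite every site on the box; Apache only needs read access to the content and write access to the few directories an application actually writes to. The following Python script is an added example, not part of these notes or of mod_mono: it walks a document root without following symlinks and lists every entry that is world-writable or not owned by the expected uid, using a constructed temporary tree as a stand-in for /srv/www. The function names are this example's own.

```python
import os
import stat
import tempfile


def entry_problems(st_mode, st_uid, expected_uid=None):
    """Problems with one inode: the world-writable bit (what chmod -R 0777 sets on
    everything) and, if expected_uid is given, an unexpected owner.  Symlinks are
    skipped: their own mode is always 0777 and is never consulted by the kernel."""
    problems = []
    if stat.S_ISLNK(st_mode):
        return problems
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if expected_uid is not None and st_uid != expected_uid:
        problems.append(f"owner uid {st_uid}, expected {expected_uid}")
    return problems


def audit_tree(root, expected_uid=None):
    """Walk a document root without following symlinks; return {path: problems}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            probs = entry_problems(st.st_mode, st.st_uid, expected_uid)
            if probs:
                findings[path] = probs
    return findings


def build_sample_tree():
    """Constructed stand-in for /srv/www: one file left world-writable, one not.
    Returns (root, bad_file, good_file)."""
    root = tempfile.mkdtemp(prefix="srv-www-")
    os.chmod(root, 0o755)
    bad = os.path.join(root, "default.aspx")
    good = os.path.join(root, "web.config")
    for path, mode in ((bad, 0o666), (good, 0o640)):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root, bad, good


if __name__ == "__main__":
    root, _, _ = build_sample_tree()
    for path, probs in audit_tree(root).items():
        print(path, ", ".join(probs))
```

Against a real server, call audit_tree("/srv/www", expected_uid=<uid of the deploy account>) after deployment; anything it lists is a candidate for chmod o-w and for being narrowed to the application's own upload or cache directory.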



Sensors

Install the hard drive temperature sensor (hddtemp) and run it as non-root

  • sudo apt-get install hddtemp
    • no
  • sudo dpkg-reconfigure hddtemp
    • yes
    • o
    • no

execute as:

  • hddtemp -n --unit=F /dev/sda1
  • hddtemp -n --unit=F /dev/sda1 /dev/sdb1

System Sensors

  • sudo apt-get install lm-sensors
  • sudo sensors-detect
    • yes
    • yes
    • yes
    • yes
    • no
    • yes
    • yes

execute as:

  • sensors -f

Hostname and TimeZone


Ubuntu / Debian

Enter following commands to set the hostname, replacing plato with the hostname of your choice:

echo "plato" > /etc/hostname
hostname -F /etc/hostname

If it exists, edit the file /etc/default/dhcpcd to comment out the SET_HOSTNAME directive:

File excerpt:/etc/default/dhcpcd

#SET_HOSTNAME='yes'

Update /etc/hosts

Next, edit your /etc/hosts file to resemble the following example, replacing plato with your chosen hostname, example.com with your system's domain name, and 12.34.56.78 with your system's IP address. As with the hostname, the domain name part of your FQDN does not necessarily need to have any relationship to websites or other services hosted on the server (although it may if you wish). As an example, you might host "www.something.com" on your server, but the system's FQDN might be "mars.somethingelse.com."

File:/etc/hosts

127.0.0.1        localhost.localdomain    localhost
12.34.56.78      plato.example.com        plato

If you have IPv6 enabled on your Linode, you will also want to add an entry for your IPv6 address, as shown in this example:

File:/etc/hosts

127.0.0.1                       localhost.localdomain    localhost
12.34.56.78                     plato.example.com        plato
2600:3c01::a123:b456:c789:d012  plato.example.com        plato

The value you assign as your system's FQDN should have an "A" record in DNS pointing to your Linode's IPv4 address. For Linodes with IPv6 enabled, you should also set up an "AAAA" record in DNS pointing to your Linode's IPv6 address. For more information on configuring DNS, see Adding DNS Records.

Setting the Timezone

All Linodes are set to Eastern Standard Time by default, but you can change the timezone to whatever you want it to be. It may be best to set it to the same timezone as most of your users. If you're unsure which timezone would be best, consider using Coordinated Universal Time, or UTC (also known as Greenwich Mean Time).

Ubuntu / Debian

Enter the following command to access the timezone utility:

dpkg-reconfigure tzdata

Checking the Time

Now try entering the following command to view the current date and time according to your server:

date

The output should look similar to this: Thu Feb 16 12:17:52 EST 2012.

### Installed Ubuntu Server 12.04 ###

Download here.

Installed Ubuntu Server 12.04

  • OpenSSH (if not selected during install, click here).

Disable CTL-ALT-DEL

HostName and TimeZone

Apply Patches

Audit/Log user activity.

Disks and mounts.

  • Mount and Format disk…here.
  • NFS – Network File System (Linux/UNIX only).
  • Samba File Share, (If windows needs access, click here).

Backup Jobs.

Performance tool (server then desktop)
  • $ sudo apt-get install nmon –> here.
  • $ sudo apt-get install htop –> here.
  • Install sensors for monitoring –>here.
  • Xosview –> here.

Ability to Search for packages

  • sudo apt-get install aptitude
  • sudo aptitude search <package part>

Application Setup

  • Hudson setup here or as a service here.
  • Artifactory setup here.
  • Subversion setup here.

Secure the server:

http://library.linode.com/securing-your-server

High availability Ubuntu servers

FTP

SSH should work for most needs (Filezilla), but if FTP is needed

CRONTAB

  • Setup backups here.
  • Clean scripts
  • etc….

Startup/Shutdown script

  • How to setup here.

Update and Patch

  • How to update and patch here.

Link two private networks using a VPN on Ubuntu Linux machines each behind NAT

http://blog.peter-b.org/2010/12/16/link-two-private-networks-using-a-vpn-on-ubuntu-linux-machines-each-behind-nat/


Might seem like a stretch, but clearly given the number of people asking the question out on the internet this is common enough. And I wanted to do it, so…..

The scenario. You have two private networks, home.local, which is 192.168.0.0 netmask 255.255.255.0, and office.local, numbered 192.168.1.0 netmask 255.255.255.0. They’re regular private networks connected to the internet via ADSL with routers of some description or other – could be the freebies that come from the service provider, or something you bought or built yourself. Either way it’s likely to be running NAT at the very least, possibly with some firewall as well, but for whatever reason you can’t make these do the VPN for you (if you can, you should – it’s by far the simplest route).

On each network there’s an Ubuntu machine that’s on all the time for whatever reason, and you figure you can use these to connect the two networks together somehow.

Good news, you can.

Please remember that connecting two networks like this has security issues. Unless you also run firewalls on the Ubuntu machines that run the VPN each network is only as secure as the other, so if one network was “more secure” than the other suddenly it will become less secure! Make sure that you own both networks, or if you don’t that you have the permission of whoever owns the remote network to do this and that you trust the remote network not to connect to your home Samba share and steal or delete all your music (but of course, you set up Samba so that can’t happen, right?).

Also note that if the two networks are not numbered differently – i.e. they’re both 192.168.0.0 netmask 255.255.255.0 – then you’re going to run into a whole mess of trouble. If this is the case, consider looking at a “Bridged VPN” that will make it seem like one big network (though if you do you’re going to run into a real whole mess of trouble as IP addresses must be unique across both networks!). Bridged VPNs are a whole other topic, and not covered here.

There are plenty of sites that will tell you how to set up the actual VPN, for example here and here to name just two. But they don’t really talk about anything other than the actual VPN itself and the basic connectivity between the two machines.

First things first, you need some way to look up the external IP of each network. This means registering with some kind of DNS service. If you’re lucky enough to have your own server out on the internet you can use a script to find out what your external IP is and use nsupdate to register this with your DNS server on the internet.

If not, there are plenty of “Dynamic DNS” services out there that can do this.

Ok, so you have your networks successfully registering with a DNS server somewhere out on the internet. Now you can create the actual VPN.

I like Sébastian Wains’ solution best as it doesn’t require configuration of the routers to open NAT ports etc. (but you might need to set some routes, more later).

So, the setup so far:

  • Private Network 192.168.0.0
  • Local DNS suffix is home.local
  • Ubuntu box is 192.168.0.23 and called ubuntubox.home.local
  • Registers with DynDNS as myhomenetwork.dyndns.org
  • Private Network 192.168.1.0
  • Local DNS is office.local
  • Ubuntu box is DHCP assigned IP (today it’s 192.168.1.57) and called myubuntu.office.local
  • Registers with a private dns service as office.mycompany.com

The private IP addresses of the machines don’t matter too much for the VPN configuration but it’s handy to know what they are for testing and diagnostic purposes and you will probably need them for routing purposes later.

The following assumes you have root access; use sudo/su as required.

First, you need to install openvpn by running the following on both computers:

apt-get install openvpn

Then you need a pre-shared key for securing the VPN. On ubuntubox.home.local run:

openvpn --genkey --secret /etc/openvpn/static.key

You need to copy this file from one machine to the other some way. They must be identical on both machines. Best not to use email! Cut and paste over an SSH link or copy using a USB key or something similar.

Once this is done you can create the actual VPN:

On computer ubuntubox.home.local in /etc/openvpn/office.mycompany.com.conf:

remote office.mycompany.com
float
port 8000
dev tun
ifconfig 10.0.0.2 10.0.0.1
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/static.key
route 192.168.1.0 255.255.255.0
chroot /var/empty
user nobody
group nogroup # Nobody on RedHat, but we're on Ubuntu, right?
log vpn.log
verb 1

On computer myubuntu.office.local in /etc/openvpn/myhomenetwork.dyndns.org.conf:

remote myhomenetwork.dyndns.org
float
port 8000
dev tun
ifconfig 10.0.0.1 10.0.0.2
persist-tun
persist-local-ip
persist-remote-ip
comp-lzo
ping 15
secret /etc/openvpn/static.key
route 192.168.0.0 255.255.255.0
chroot /var/empty
user nobody
group nogroup # Nobody on RedHat, but we're on Ubuntu, right?
log vpn.log
verb 1

You’ll need to create ‘/var/empty’ if it doesn’t already exist. Then restart the VPN on each machine:

/etc/init.d/openvpn restart

At this point you should be able to ping each machine from the other, for example:

ubuntubox# ping -c1 192.168.1.57
PING 192.168.1.57 (192.168.1.57) 56(84) bytes of data.
64 bytes from 192.168.1.57: icmp_seq=1 ttl=64 time=100 ms
--- 192.168.1.57 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 100.456/100.456/100.456/0.000 ms

As you can see, all works great. If it doesn’t work, you should at least be able to ping both 10.0.0.1 and 10.0.0.2 from both machines. These are the addresses at the ends of the VPN tunnel. If that doesn’t work, then the tunnel doesn’t even exist. Check /etc/openvpn/vpn.log to find out why, often it’s because it can’t reach the remote host (lookup of office.mycompany.com for example).

If you can ping 10.0.0.1 and 10.0.0.2 but can’t ping the IP of the remote machine then it’s the routes that are broken. These are set up automatically thanks to the “route 192.168.0.0 255.255.255.0” and “route 192.168.1.0 255.255.255.0” lines in each of the configuration files. Check these first and restart the VPN if you need to make changes.

The routes should look something like:

ubuntubox# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.1.0     10.0.0.1        255.255.255.0   UG        0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.0.254   0.0.0.0         UG        0 0          0 eth0

This shows that anything destined for ip address 10.0.0.1 (the remote end of the VPN tunnel) will go down the tun0 interface, anything destined for network 192.168.1.0 (the office.local subnet) will be directed to 10.0.0.1 (therefore down the tunnel), anything for 192.168.0.0 (the home.local subnet, the one we’re actually connected to) will go out the local ethernet port, and that anything else (0.0.0.0) will go to whatever is connected to 192.168.0.254 – this ideally is the address of your ADSL router or similar device.

If you can ping both 10.0.0.x addresses but can’t ping the other machine’s IP address then check your /etc/openvpn config files that the “route” lines are correct, and check that there aren’t conflicting routes configured somewhere else on your machines.

So now that’s all working. But what about all the other machines on the network? You want everything on each side to reach everything else no?

Well, yes. So first off, you need to turn on IP forwarding on both machines. By default this is turned off, specifically to prevent information from one network “polluting” another.

To do this, on each machine type:

sysctl -w net.ipv4.ip_forward=1

To make this permanent across reboots you also need to edit /etc/sysctl.conf on both machines and make sure that there’s a line that looks like:

net.ipv4.ip_forward=1

Often this is simply commented out, though sometimes it says ‘=0’ rather than ‘=1’.

The last bit is tricky as a lot depends on your default routers. Remember that in ‘netstat -rn’ there’s a last route that looks like ‘0.0.0.0’ (this is sometimes labelled ‘default’)? This is the IP address of the device that receives anything not destined for any of the other routes. Chances are that everything on your network sends anything not destined for the local private network to this IP address.

You have two choices at this point:

  1. You need to configure whatever device is using that IP address with two ‘static routes’ for the remote network and the tunnel address. Most routers will let you do this in their web interface.
  2. Configure everything on each network to use the local Ubuntu box as the default route – this is usually specified in the settings of your DHCP server as the “default gateway”, or possibly individually in the network configuration of every device on your network.

Option 1 is the cleanest, assuming the router lets you add static routes. Option 2 may be easier to set up but is not ideal, as everything will then depend on your Ubuntu box for its internet connection and the box will be doing a bit more work.

Remember, you need to do this on both networks, and on each side you need routes for the remote 192.168.x.0/255.255.255.0 network and for the remote tunnel address (10.0.0.1 or 10.0.0.2). Why?

Assume all the routes are properly configured:

Let’s say machine 192.168.0.16 wants to ping 192.168.1.12. The default route on network 192.168.0.0 is for whatever is connected to 192.168.0.254 (and 192.168.1.0 it’s 192.168.1.254).

Assuming everything is set up correctly, 192.168.0.16 will send a packet destined for 192.168.1.12 to 192.168.0.254 – the default route. This device knows that it must forward anything for 192.168.1.x to your Ubuntu box, as you gave it a static route. So it then forwards the packet for 192.168.1.12 on to 192.168.0.23 – your Ubuntu box ubuntubox.home.local.

Thanks to the VPN your Ubuntu box knows to send this packet down the tunnel to 10.0.0.1, and the office Ubuntu box then forwards it directly to 192.168.1.12. A routed tunnel like this one does not rewrite addresses (this setup adds no NAT rule on the Ubuntu boxes), so the packet still carries the source address 192.168.0.16, and 192.168.1.12 sends its reply to its default router 192.168.1.254, which needs the static route for 192.168.0.0/24 to hand it back to the office Ubuntu box and down the tunnel. The 10.0.0.x routes matter when the traffic starts on one of the Ubuntu boxes themselves: when ubuntubox.home.local pings 192.168.1.12, the kernel picks tun0’s own address, 10.0.0.2, as the source, so 192.168.1.12 replies to 10.0.0.2 and the office router must know that 10.0.0.2 lives behind myubuntu.office.local. This is why you need both sets of static routes. Run ‘tcpdump -i tun0’ on one box and ‘tcpdump -i eth0’ on the other while pinging across the VPN from a LAN machine and then from the Ubuntu box itself, and you’ll see both cases.

In my case I chose option 1. So, I logged on to the router at 192.168.0.254 and set up a static route for 192.168.1.0 netmask 255.255.255.0 to point to 192.168.0.23 and for 10.0.0.1 netmask 255.255.255.255 to 192.168.0.23.

Then I logged on to the router at 192.168.1.254 and set up a static route for 192.168.0.0 netmask 255.255.255.0 to point to myubuntu.office.local and for 10.0.0.2 netmask 255.255.255.255 to myubuntu.office.local. I see you noticed the hostnames. Why the hostname and not the IP? Remember, myubuntu.office.local is configured using DHCP and so the IP address may change. If your router forces you to use the IP address make sure it’s a static IP address and not assigned via DHCP, as if the address changes for some reason your shiny VPN will break!

If what you’re configuring doesn’t like the host specific 10.0.0.x routes you can specify a route of 10.0.0.0 netmask 255.255.255.0 (yes I know this is bad behaviour, but it works) – this will obviously cause problems if you have anything that uses the 10.0.0.0 subnet! You can change these addresses and network numbers to suit your requirements though, just remember to change them in both config files and both default routers!

That’s it. You can now access any IP on either network from any IP on the other network.
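A check for the routing setup just described, as an added example that is not part of the original article or of OpenVPN. It assumes the article’s addresses (home side; swap them round for the office side), tun0 as the tunnel interface and the ‘ip route show’ output format of iproute2; all of these are set at the top and are assumptions to adjust.

```shell
#!/bin/sh
# vpn-route-check.sh: verify that this box has the forwarding setting and the
# routes the tunnel needs. Added example for this page, not part of the
# original article or of OpenVPN. Addresses are the article's (home side);
# change them to suit, and swap them round for the office side.
REMOTE_NET="192.168.1.0/24"     # the LAN on the far side of the tunnel
TUN_PEER="10.0.0.1"             # the far end of the tunnel
TUN_IF="tun0"                   # the local tunnel interface
GATEWAY="192.168.0.254"         # this LAN's default router
SYSCTL_CONF="/etc/sysctl.conf"

# route_table: the live table from iproute2, or a constructed table passed in
# $ROUTE_TABLE_SAMPLE so the checks can be exercised offline.
route_table() {
  if [ -n "${ROUTE_TABLE_SAMPLE:-}" ]; then
    printf '%s\n' "$ROUTE_TABLE_SAMPLE"
  else
    ip route show 2>/dev/null
  fi
}

# has_route PREFIX HOP: true if PREFIX is routed "via HOP" or "dev HOP".
# PREFIX is compared as a whole field, so 10.0.0.1 does not match 10.0.0.10.
has_route() {
  route_table | awk -v p="$1" -v h="$2" '
    $1 == p { for (i = 2; i < NF; i++) if (($i == "via" || $i == "dev") && $(i + 1) == h) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# route_count PREFIX: number of table entries for PREFIX. More than one means
# something else (a stale static route, a second VPN) also claims it, which is
# the "conflicting routes" case from the article.
route_count() {
  route_table | awk -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# forwarding_enabled: $IP_FORWARD_SAMPLE (constructed) or the live sysctl value.
forwarding_enabled() {
  v="${IP_FORWARD_SAMPLE:-$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)}"
  [ "$v" = "1" ]
}

# forwarding_persisted FILE: true if FILE sets ip_forward to 1 on a line that is
# not commented out (spaces around '=' are allowed, as sysctl accepts them).
forwarding_persisted() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}

# check LABEL CMD...: run one check and count failures in $fails.
check() {
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# run_checks: print one line per check; exit status is the number of failures.
run_checks() {
  fails=0
  check "ip_forward is on now"                  forwarding_enabled
  check "ip_forward survives reboot"            forwarding_persisted "$SYSCTL_CONF"
  check "tunnel peer $TUN_PEER via $TUN_IF"     has_route "$TUN_PEER" "$TUN_IF"
  check "$REMOTE_NET via $TUN_PEER"             has_route "$REMOTE_NET" "$TUN_PEER"
  check "default route via $GATEWAY"            has_route default "$GATEWAY"
  check "no conflicting route for $REMOTE_NET"  [ "$(route_count "$REMOTE_NET")" -eq 1 ]
  return "$fails"
}

if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it as ‘sh vpn-route-check.sh run’ on each box after the OpenVPN tunnel is up. It reads the iproute2 table, where the default route appears as ‘default’ rather than the ‘0.0.0.0’ that ‘netstat -rn’ prints, and it only looks at /etc/sysctl.conf for persistence, so a setting placed in /etc/sysctl.d/ will show as a false failure on that one line.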

Of course, you now have the issue of DNS. Set up a forwarding zone on the DNS server on each network for the remote network’s domain (office.local on the home side, home.local on the office side), pointing at the IP address of the DNS server on the remote network, so that queries for remote names are forwarded across the tunnel. But that’s a whole other topic!

This entry was posted in Technical Tirades by Peter.

3 thoughts on “Link two private networks using a VPN on Ubuntu Linux machines each behind NAT”

  1. David Valentine on September 3, 2011 at 5:45 am said:

    I just tried out this guide today, and I was successful in connecting my two home networks together. Thanks for the well written advice!

    Two minor mistakes that I found were:
    – Left out .conf at the end of the line: “On computer myubuntu.office.local in /etc/openvpn/myhomenetwork.dyndns.org:” ie. it should read: “On computer myubuntu.office.local in /etc/openvpn/myhomenetwork.dyndns.org.conf:”
    – A config thing really, in the latest version of Ubuntu 11.04 there is no /var/empty directory. So you need to run the command “sudo mkdir /var/empty” on each server.

    Thanks again for the detailed guide. Now I can connect to my samba share and printers from either of my home networks!

    ~David

  2. Pingback: David and Claire’s Blog»Blog Archive » Link two private networks using a VPN on Ubuntu Linux machines each behind NAT

Also see: http://www.debian-administration.org/articles/35

YOUTUBE: http://www.youtube.com/watch?v=C_B9k0l6kEs

NFS vs Samba on CentOS

http://www.google.com/#q=nfs+server+client+configuration+centos&hl=en&tbo=d&ei=DwzSUPrVIOm40QGzroHgBw&start=10&sa=N&bav=on.2,or.r_gc.r_pw.r_qf.&fp=a4c147812de756a9&bpcl=40096503&biw=1024&bih=684

http://www.yoyoclouds.com/2012/10/installing-and-configuring-nfs-on-centos.html

http://www.howtoforge.com/setting-up-an-nfs-server-and-client-on-centos-6.3

http://eduardo-lago.blogspot.com/2012/02/installing-nfs-on-centos-62.html

http://blog.malaya-digital.org/setup-a-minimal-centos-6-64-bit-nfs-server/

http://www.howtoforge.com/setting-up-an-nfs-server-and-client-on-centos-5.5

http://www.youtube.com/watch?v=i6bAfJBsKF8

DYNDNS – Dynamic DNS Introduction


Parent page: Internet and Networking

Dynamic DNS Introduction

Every computer attached to the Internet has an IP address. Name resolution is the process of relating a name (like 'www.google.com') to an IP address (like '74.125.19.103') so that a website (or other service) on a computer can be reached using an easily remembered name rather than the computer's numeric address. Name resolution is implemented via a distributed database known as the Domain Name System.

This database is implemented on the Internet by DNS name servers, which keep track of DNS records and exchange this information with each other to maintain consistency. Every request to resolve a name (from a web browser, for example) is directed to one of these name servers.

Most servers on the Internet have a fixed (static) IP address that never changes, so their DNS records change only infrequently.

However, many home users are assigned an IP address that changes more frequently. These dynamic IP addresses are assigned by an ISP, which makes it a challenge to keep a name pointing at the right address.

A number of DNS name servers offer a method to update the DNS database with dynamic IP name translations. This is accomplished by running a small software utility on the user's computer or on a local router.

These Dynamic DNS services allow the user to choose a hostname and set an initial IP address to correspond to that hostname. The software utility then periodically checks for a change to the computer's IP address, and when a new IP address is discovered, it updates the Dynamic DNS database to reflect that change.

Registering with a Dynamic DNS provider

DNS requires that a name server somewhere on the Internet keep track of 'where you are' (i.e. your current IP address). That is, its database must always be updated to make sure your hostname always corresponds to your current IP address.

In order to use one of these Dynamic DNS services, registration is required first. Here is a selection of these services (a full list is available at DMOZ and at Dynamic DNS):

Upon registering, you will select a username and password, as well as a hostname that you will use as the DNS name (to allow external access to your machine using the hostname).

Many Dynamic DNS providers offer a selection of hostnames available for free use with their service. However, with a paid plan, any hostname (including your own registered domain name) can be used.

Setting up Dynamic DNS service updates

Once you have chosen a Dynamic DNS service provider, you need to set up a way that your IP address record will be updated whenever it is changed. There are two ways of doing this:

  • using a dynamic DNS software utility that is installed on your computer
  • using the built-in capabilities of a cable/DSL modem/router

Many router/modems support Dynamic DNS reporting/notification/updating directly. If your router's configuration is accessible from a web browser, try accessing it by logging into the local IP address of your router (for example, http://10.1.1.1/ or http://192.168.0.1/ ) and look for the Dynamic DNS (DDNS) settings.

However, even if your modem/router does support dynamic DNS reporting, there are cases in which you may wish to use a software utility on your computer to perform the updates anyway:

  • you are using several Dynamic DNS services at once (most routers only accommodate one service at a time)
  • the router does not support your particular Dynamic DNS service
  • your server is on a mobile computer (e.g. laptop) which is not always connected to the same network/router/modem.

Using a software utility to perform Dynamic DNS Updates

There are several available utilities. Each Dynamic DNS service may work better with a particular utility. (You may need to add the Ubuntu Universe to your set of software repositories to install some of these utilities. See InstallingSoftware.)

ddclient

ddclient is the original Linux utility for dynamic DNS updates. The ddclient wiki lists some configurations for several Dynamic DNS services. More info can be found on the ddclient forums. The following section has been adapted from Ubuntuguide.org Dynamic IP servers.

  • Install ddclient using a software package manager, or using the command-line interface:

sudo apt-get install ddclient

If this is the first time you have installed ddclient, you will be prompted by the installation script for the hostname(s) that you registered with DynDNS (or another Dynamic DNS service). You will also be prompted for the username/password you registered with your Dynamic DNS service. Lastly, you will be asked which network interface you primarily use to connect to the Internet (eth0 for wired or wlan0 for wireless, usually). Most of the time this is all you will need to do for the utility to function correctly, but note that the interface's own address is only your public address if the machine is connected directly to the Internet; behind a NAT router, use the web check described below instead.

You can also later edit the ddclient configuration file, however, to suit your specific needs (or if you make changes to your service, hostname, or other variables).

  • Edit the ddclient configuration file (using kate instead of nano in Kubuntu, or gedit instead of nano in Ubuntu):

 sudo nano /etc/ddclient.conf
  • To set the number of seconds between updates, I add the line

 daemon=3600

My dynamic IP only changes rarely, so I only check it hourly (3600 seconds in an hour).

  • To use secure SSL communications, I add the line

 ssl=yes
  • To use the DynDNS checkip service (which reports the public address your request arrived from, so it works from behind a NAT router where eth0 only holds a private address), I add the line

 use=web, web=checkip.dyndns.com/, web-skip='IP Address'

My configuration file now looks like:

 # Configuration file for ddclient generated by debconf
 #
 # /etc/ddclient.conf
 #
 # Check the current IP address. Either read it from the eth0 interface (only
 # correct when eth0 itself holds the public address, i.e. not behind a NAT
 # router), or ask the DynDNS IP checking service, which reports the public
 # address the request came from.
 daemon=3600
 pid=/var/run/ddclient.pid
 #use=if, if=eth0
 use=web, web=checkip.dyndns.com/, web-skip='IP Address'
 #
 # Login and change the values at the DynDNS site, using SSL.
 protocol=dyndns2
 ssl=yes
 server=members.dyndns.org
 login=myDynDNSusername
 password='myDynDNSuserpassword'
 mysite_1.dyndns.org,mysite_2.dyndns.org,mysite_3.dyndns.org

Note: if this doesn't work, try changing web-skip to 'Current Address'

Note that the password must be enclosed in quotation marks, e.g. 'myDynDNSuserpassword' for DynDNS. Because the file holds that password in clear text, keep /etc/ddclient.conf owned by root with mode 0600 so that no other local user can read it (check with ls -l, especially if you have copied or recreated the file by hand).

  • Ensure that the configuration is working:

 sudo ddclient -daemon=0 -debug -verbose -noquiet
  • Note that you can add additional services and/or domain names to be updated simply by adding an additional block to the configuration file (appropriate for the service). Here is an example (see below for references to additional examples).

 protocol=otherDDNSservice
 server=whatever.ddnsservice.org
 login=MyOtherDDNSserviceusername
 password=MyOtherDDNSservicepassword
 mysite4.dnsservice.org, mysite5.dnsservice.org

Troubleshooting

The following details a troubleshooting method used to repair a ddclient setup.

  • Remove/purge all of the previous install attempts:

sudo apt-get remove --purge ddclient
  • Install the Perl SSL socket module so that ddclient can send your password over SSL/TLS instead of in the clear:

sudo apt-get install libio-socket-ssl-perl

Note: ssl=yes in ddclient.conf won't work without libio-socket-ssl-perl (ddclient is a Perl script and this is the module it uses for HTTPS). The ssh package is unrelated and is not needed for this.

  • Reinstall a current ddclient package from the repositories:

sudo apt-get install ddclient

At the prompts enter the appropriate values, for example:

  • Dynamic DNS service provider: www.dyndns.com

  • DynDNS fully qualified domain names: your-hostname.dyndns.org

  • Username for dynamic DNS service: your-username

  • Password for dynamic DNS service: your-password

  • Interface used for dynamic DNS service: web

  • Modify the /etc/ddclient.conf to send the password over SSL and to properly check for the IP address:

sudo gedit /etc/ddclient.conf

Add entries for "daemon", "ssl" and replace "use=if, if=web" with "use=web" to match the following example:

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

daemon=300
pid=/var/run/ddclient.pid
ssl=yes
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
login=your-username
password='your-password'
protocol=dyndns2
server=members.dyndns.org
your-hostname.dyndns.org

Reference for secure updates: https://www.dyndns.com/support/kb/using_ddclient_with_dyndns_services.html

Now ddclient is set to run as a daemon. Because you had other ddclient configs previously, check:

sudo gedit /etc/default/ddclient

Check to make sure it contains the following lines:

run_ipup="false"
run_daemon="true"
daemon_interval="300"

Note: you can set the interval shorter or longer, but if you do, also reset your /etc/ddclient.conf to match. https://bugs.launchpad.net/ubuntu/+source/ddclient/+bug/152875

Now, just to be sure everything sticks I generally reboot at this point, then check the status afterward:

sudo /etc/init.d/ddclient status

You should see:

Status of Dynamic DNS service update utility: ddclient is running

However, that may not always catch problems in the ddclient.conf file, so issue:

sudo /etc/init.d/ddclient restart

if you do not get an error similar to the following you probably are good to go:

WARNING: file /etc/ddclient.conf, line x

Then I obtain a new IP address/lease from my service provider (shutting off the modem, having my router request a new lease, whatever) & monitor https://www.dyndns.com/account/services/hosts/ to see if the change actually makes it to dyndns. Also monitor /var/log/syslog to watch the changes there as well.

Also note that there is a password length limitation.

  • Not very well tested, but passwords >=64 characters in length seem to fail. If you have a fairly long password, try changing it to something shorter temporarily (try 8 characters) to see if that's the problem.

Running ddclient with cron

Cron is the automatic task scheduler for Linux systems. Although ddclient runs as a daemon, for various reasons I have found it necessary to force an update at least once a day. This can be done as a daily scheduled task, using cron.

  • Edit the crontab with administrative (root) privileges:

 sudo crontab -e
  • Add the line:

 45 04 * * * /usr/sbin/ddclient -daemon=0 -force

This runs ddclient once (-daemon=0, so it does not start a second daemon alongside the running one) and forces an update daily at 04:45 even if the address does not appear to have changed. See here for a full description of cron and its options or Ubuntu Community Help — Cron.

Namecheap & Python

You can update with Namecheap and Python with the following script. Use your preferred editor and create the file /home/USERNAME/update_dns, and keep it readable only by you (chmod 600), since it contains your Dynamic DNS password:

# -*- coding: utf-8 -*-
import urllib.parse, urllib.request  # Python 3; urllib2 was Python 2 only
# Namecheap dynamic DNS update. The password travels in the query string, so use HTTPS, never plain HTTP.
params = urllib.parse.urlencode({"host": "@", "domain": "YOURDOMAIN", "password": "YOURPASSWORD"})
with urllib.request.urlopen("https://dynamicdns.park-your-domain.com/update?" + params, timeout=30) as r:
    print(r.read().decode("utf-8", "replace"))  # print the provider's reply so that cron mails you any failure

Enter into the terminal

crontab -e

and add the following line

0 * * * * python3 /home/USERNAME/update_dns

This runs the update at the top of every hour (a '*' in the minute field would run it every minute, which providers treat as abuse).

no-ip

This is another Dynamic DNS reporting client. Install the noip2 package from a software package manager, or from the command-line interface:

sudo apt-get install noip2
  • Run the client's configuration mode and follow the prompts (the binary installed by the noip2 package is called noip2):

sudo noip2 -C
Please enter the login/email string for no-ip.com: <your_login>
Please enter the password for user 'your_login': <your_password>
Please enter an update interval:[30] <interval time in minutes>
Do you wish to run something at successful update?[N] <N>
  • Start the no-ip client

sudo noip2

inadyn

  • Install the inadyn package using a software package manager, or from the command-line interface:

sudo apt-get install inadyn
  • Edit the file /etc/inadyn.conf:

sudo gedit /etc/inadyn.conf

It should contain something like:

--username myusername
--password mypassword
--update_period 60000
--alias myhost.dyndns.org
--background
  • Test that it works:

sudo /usr/sbin/inadyn

  • Add inadyn to your 'crontab':

export EDITOR=gedit && sudo crontab -e

Edit the file to add the following line:

@reboot /usr/sbin/inadyn
  • Verify using:

sudo crontab -l
  • When you reboot, you should see inadyn listed when you type:

ps -A | grep inadyn

You should be able to log in to your Dynamic DNS provider's website and verify that the DNS entry is being updated. Certainly this is possible with www.dyndns.org, in any case. Alternatively you can type your hostname into a service like http://www.dnsstuff.com/.

Using dy.fi from crontab

Edit crontab:

sudo crontab -e

Add a line to update the DDNS record at 06:10 Monday to Saturday:

10 06 * * 1-6 wget --delete-after --no-proxy --user=yourname@yourmail.fi --password=password 'http://www.dy.fi/nic/update?hostname=yourdomain'

Add a line to mark the host offline (so the name stops pointing at you) at 17:10 Monday to Saturday:

10 17 * * 1-6 wget --delete-after --no-proxy --user=yourname@yourmail.fi --password=password 'http://www.dy.fi/nic/update?hostname=yourdomain&offline=yes'

Note that a password given on the command line is visible to every local user in the process list; if that matters on your machine, leave --user and --password off and put the credentials in root's ~/.netrc (mode 0600), which wget reads when neither option is given.

Another method is installing the perl script dyfi-update.pl from http://www.dy.fi/page/clients
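The check-and-update loop described in the introduction, written by hand the way the Namecheap and dy.fi cron scripts above do it, but with the password kept in a root-only file rather than in the URL or on the command line, and with an update sent only when the address has actually changed. This is an added example, not part of the wiki page and not ddclient, inadyn or any provider's client. It speaks the dyndns2 update protocol that ddclient's protocol=dyndns2 uses; the hostname, the file paths and the checker URL are assumptions to adjust.

```shell
#!/bin/sh
# ddns-update.sh: learn the public address, push an update only when it has
# changed, and keep the password out of the process list and the URL.
# Added example for this page; not ddclient, inadyn or a provider's client.
# UPDATE_URL and its query parameters follow the dyndns2 protocol; HOST, the
# paths and CHECKIP_URL are assumptions to adjust.
HOST="myhost.dyndns.org"
CHECKIP_URL="http://checkip.dyndns.com/"
UPDATE_URL="https://members.dyndns.org/nic/update"
STATE_FILE="${DDNS_STATE_FILE:-/var/lib/ddns/last_ip}"
NETRC_FILE="${DDNS_NETRC_FILE:-/etc/ddns.netrc}"  # one line: machine members.dyndns.org login U password P

# extract_ip: first dotted quad in the checker's reply on stdin (the reply is
# HTML along the lines of "... Current IP Address: 203.0.113.7 ...").
extract_ip() {
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# valid_ipv4 IP: exactly four octets, each 0-255; rejects e.g. 999.1.1.1,
# which the regex above lets through.
valid_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# ip_changed STATEFILE IP: true if IP differs from the one recorded last time
# (a missing state file counts as changed, so the first run always updates).
ip_changed() {
  [ "$(cat "$1" 2>/dev/null)" != "$2" ]
}

# creds_ok FILE: refuse a credentials file that other local users could read
# (uses GNU stat, as on Ubuntu).
creds_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# update_ok RESPONSE: dyndns2 answers "good IP" or "nochg IP" on success;
# anything else (badauth, nohost, abuse, ...) is a failure.
update_ok() {
  case "$1" in good*|nochg*) return 0 ;; *) return 1 ;; esac
}

# The two network calls, kept apart so everything else can be tested offline.
public_ip() { curl -fsS "$CHECKIP_URL" | extract_ip; }
send_update() {
  # --netrc-file hands curl the login/password without exposing them in ps
  curl -fsS --netrc-file "$NETRC_FILE" "$UPDATE_URL?hostname=$HOST&myip=$1"
}

main() {
  creds_ok "$NETRC_FILE" || { echo "refusing to run: $NETRC_FILE must exist with mode 600" >&2; exit 2; }
  ip=$(public_ip) && valid_ipv4 "$ip" || { echo "could not learn the public IP" >&2; exit 1; }
  ip_changed "$STATE_FILE" "$ip" || exit 0    # nothing to do; repeated no-op updates count as abuse
  resp=$(send_update "$ip") || { echo "update request failed" >&2; exit 1; }
  update_ok "$resp" || { echo "provider rejected the update: $resp" >&2; exit 1; }
  echo "$ip" > "$STATE_FILE"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it from root's crontab as ‘ddns-update.sh run’ every few minutes; because of the state file it only talks to the provider when the address changes, which is the behaviour the periodic check described in the introduction is meant to have. The address check itself still goes over plain http, as the checkip service on this page does, so anyone on the path could feed the script a wrong address; use an https checker if your provider offers one. The update itself goes over https with the credentials read from the netrc file.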

Using your Modem/Router to perform Dynamic DNS Updates

Here are some example screenshots from Wireless Routers that support dynamic DNS updates:

Netgear router example:

  • dyndns.jpg

D-Link router example:

  • routerdyn.jpg

Linksys/Cisco router example:

  • linksysdyndns.jpg

Redirecting a registered hostname to a dynamic DNS name

A user may already have a hostname registered with a name server that does not have Dynamic DNS capabilities. Most DNS services allow URL forwarding, however. That makes it possible to set up a free Dynamic DNS service (using the instructions above) with a free hostname (URL) and then forward the previously-registered static hostname (URL) to the Dynamic DNS hostname (URL).

For example, I set up a free Dynamic DNS hostname URL at DynDNS.com that is foobar.dyndns.org. I set up my software utility (DynDNS likes ddclient or inadyn) to constantly update the Dynamic DNS database for foobar.dyndns.org.

However, I have used example.myoriginalfoobar.com as a registered hostname (URL) for years, with a static DNS service (DinosaurDNS.org) that doesn't have Dynamic DNS capabilities. I login to DinosaurDNS.org and set my DNS record for example.myoriginalfoobar.com to forward (using a CNAME (Alias) record) to foobar.dyndns.org.

Now a lookup for example.myoriginalfoobar.com returns the alias foobar.dyndns.org, and the resolver follows that alias to whichever IP address my Dynamic DNS updating utility last set.

Using CNAME records, any number of hostnames can be pointed at a single dynamic hostname. (The server at the destination IP address must then tell the aliased names apart, using virtual hosts or .htaccess rules, and hand each to the appropriate service on the computer or LAN.) For this reason, only one dynamic DNS hostname is needed for your computer (or LAN).

CNAME aliases

Different DNS registrars have different methods of forwarding a URL, but in general there is one method common to all of them: CNAME aliases.

If you have a domain registered with a DNS registrar, go to the DNS settings for that domain. A name that carries a CNAME record may not carry any other record, so remove any A (or other) records for the names you are going to alias and use only CNAME entries for them.

For example, let's say my free Dynamic DNS URL is foobar.dyndns.org (at DynDNS.com). My domain URL is myoriginalfoobar.com, registered at DinosaurDNS Registrar.

Logging into DinosaurDNS Registrar, I edit the DNS settings for myoriginalfoobar.com (which in my control panel is found under Manage DNS). I make sure I have these entries:

 Name Type Content
 @ CNAME foobar.dyndns.org.
 www CNAME foobar.dyndns.org.
 example CNAME foobar.dyndns.org.

The period ("full stop") at the end of the target is important: it marks the target as a fully qualified domain name, so the registrar does not append your own domain to it. A CNAME target is a hostname, not a URL, so it must not contain "http://". The @ symbol stands for the bare domain itself (the zone apex), i.e. myoriginalfoobar.com with no host label in front. In this example, I am forwarding myoriginalfoobar.com, www.myoriginalfoobar.com, and example.myoriginalfoobar.com. One caveat: a CNAME at the apex conflicts with the SOA and NS records that must exist there (RFC 1034 allows no other data alongside a CNAME), so many DNS providers refuse it or offer their own ALIAS/ANAME-style record for the apex instead; if yours does, use that, or alias only www and the other host labels.

With CNAME aliasing, the name the visitor typed stays in the browser, since the alias is resolved in DNS rather than by an HTTP redirect. It is up to you (using virtual host files or Rewrite rules in Apache's .htaccess files, for example) whether to rewrite it at your server to a canonical name or to redirect it.
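A pre-flight check for a record list like the one above, as an added example that is not a registrar tool or part of the wiki page. It reads "name type content" lines, the layout of the table in this section, and applies the rules described here: a name with a CNAME may carry nothing else, the target must be a fully qualified hostname rather than a URL, and a CNAME at the apex is reported as a warning because many providers reject it.

```shell
#!/bin/sh
# cname-check.sh: sanity-check DNS records before pasting them into a
# registrar's panel. Added example for this page, not a registrar tool.
# Input on stdin: "name type content" lines; '#' lines and a "Name Type
# Content" header row are skipped.
# Exit status 0 when no errors were found (warnings do not count), 1 otherwise.
check_records() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    $1 == "Name" && $2 == "Type" { next }         # header row
    {
      name = $1; type = $2; content = $3
      seen[name] = 1
      if (type == "CNAME") {
        cname[name]++
        if (content ~ /^https?:\/\//) {
          print "ERROR " name ": CNAME content is a URL, not a hostname"; bad = 1
        } else if (content !~ /\.$/) {
          print "ERROR " name ": CNAME target " content " lacks the trailing dot"; bad = 1
        }
        if (name == "@")
          print "WARN  @: CNAME at the zone apex conflicts with SOA/NS; many providers reject it"
      } else {
        other[name]++
      }
    }
    END {
      for (n in seen) {
        # RFC 1034 3.6.2: no other data may sit beside a CNAME at the same name
        if (cname[n] && other[n]) {
          print "ERROR " n ": has a CNAME and " other[n] " other record(s); a CNAME must stand alone"; bad = 1
        }
        if (cname[n] > 1) {
          print "ERROR " n ": has " cname[n] " CNAME records; only one is allowed"; bad = 1
        }
      }
      exit (bad ? 1 : 0)
    }'
}

if [ "${1:-}" = "run" ]; then check_records; fi
```

Usage: ‘sh cname-check.sh run < records.txt’, where records.txt holds the three-column table from this section. The check is deliberately strict about the trailing dot because a missing one is what turns foobar.dyndns.org into foobar.dyndns.org.myoriginalfoobar.com at registrars that qualify relative names.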

Other resources

Much of this page was adapted from the original articles at:



DynamicDNS (last edited 2012-01-19 08:47:42 by joni-kurronen)

