Difference between revisions of "Configure SMB"

From Organic Design wiki
(SFTP: 4 installs required for Dokan)
(separate out the VPN into install a new VPN)
Line 16: Line 16:
 
*Finally download and install Dokan's SSH support (''Dokan SSHFS'') also from the [http://dokan-dev.net/download Dokan downloads page]
 
*Finally download and install Dokan's SSH support (''Dokan SSHFS'') also from the [http://dokan-dev.net/download Dokan downloads page]
  
== OpenVPN ==
+
== Samba over VPN ==
OpenVPN is a full-featured SSL VPN solution which can accomodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN is a single program that is run on both the server hosting the share, and on the clients which will be accessing it.
+
This is basically just a normal Samba installation which is included in the [[set up a new server]] procedure. Once a [[w:VPN|VPN]] has been set up with the [[install a new VPN]] procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure.
 
 
=== Server configuration ===
 
First install OpenVPN with '''apt-get install openvpn''', and set up the TUN/TAP device using the following shell commands from root (this step is specific to our VPS host which doesn't have these devices created by default, see the [http://forums.vpslink.com/linux/116-dev-net-tun-tun-tap-bridge-disabled-please-enable-it.html issue raised in their forum] and the [http://wiki.vpslink.com/index.php?title=TUN/TAP_device_with_OpenVPN_or_Hamachi solution added to their wiki]):
 
<pre>
 
mkdir -p /dev/net
 
mknod /dev/net/tun c 10 200
 
chmod 600 /dev/net/tun
 
</pre>
 
 
 
We'll go for a configuration which is as close to the default config file as possible to simplify the setup procedure. That means ''routed'' rather than ''bridged''.
 
 
 
=== Creating Keys ===
 
There's a utility called ''easy-rsa'' in ''/usr/share/doc/openvpn/examples/easy-rsa'' which should be copied to another location (we use ''/etc/openvpn/easy-rsa''. The default values for all certificates generated can be updated in the ''vars'' file. First, configure ''easy-rsa'' with the following shell commands:
 
<pre>
 
cp -pR /usr/share/doc/openvpn/examples/easy-rsa /etc
 
cd /etc/easy-rsa
 
mkdir keys
 
. ./vars
 
./clean-all
 
</pre>
 
 
 
Next we'll user ''easy-rsa'' to generate a master key, a server key and a couple of client keys (it's more secure for the client keys to be created locally, but we'll get that procedure sorted out another day!). Each of the commands requires a number of questions to be answered which can all be left as their defaults (which were set up in the ''vars'' file above), except for the ''common name'' setting which we'll set to "organicdesign-ca" for the master key, "server" for the server key, and the client name for all the client keys (e.g. "nad-laptop" or "zenia-office" for this example).
 
<pre>
 
./build-ca
 
./build-key-server server
 
./build-key nad-laptop
 
./build-key zenia-office
 
</pre>
 
Then after all the keys are made we must build the [[w:Diffie-Hellman key exchange|Diffie Hellman key exchange parameters]].
 
./build-dh
 
All the generated key files are in the ''easy-rsa/keys''. All the files having the ''.key'' suffix are secret and should only be communicated over encrypted connections like ''SCP''. The ''ca.crt'' file belongs on the server and all the client machines as well. The files that start with a client name belong on that client machine.
 
 
 
=== Setting up Ubuntu workstations ===
 
First install OpenVPN and the configuration GUI using '''apt-get install openvpn network-manager-openvpn'''. The GUI adds a "VPN Connections" item to the network menu from the system tray which VPN's can be added, removed and configured from.
 
 
 
=== Setting up on Windows workstations ===
 
On Windows OpenVPN is normally run from the console, which can be a little annoying to have lying on the taskbar all the time. OpenVPN GUI lets you run OpenVPN without this console window. Instead you get an icon in the notification area (the area on the right side of the taskbar) from which you can control OpenVPN to start/stop your VPN tunnels, view the log, change your password and other useful things.
 
 
 
The simplest setup (and the only one covered here) is if your internet connection is through a normal LAN or Wifi adapter and uses DHCP (i.e. "obtain IP address automatically" is ticked).
 
 
 
After OpenVPN has been installed, you'll notice in network settings that an extra LAN connection has been added. First, right-click it and rename it to "OpenVPN". Then select both the original network connection that you connect to the internet through, and the OpenVPN connection, then right-click and select "Bridge connections" which takes a few seconds to complete. After that's done a new icon will appear in the network list called "Network bridge" or something which you can rename to "OpenVPN Bridge". No more settings are required if your original internet connection used DHCP.
 
 
 
*See [http://openvpn.se OpenVPN GUI for Windows]
 
*[http://www.pavelec.net/adam/openvpn/bridge OpenVPN Bridging with Windows HOWTO]
 
 
 
== See also ==
 
*[http://wiki.openvz.org/VPN VPN on OpenVZ] (our VPS OS)
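Review bot: the added "Samba over VPN" paragraph (the "+" line after the new heading) describes the share as a normal Samba installation that becomes reachable over the VPN, but nothing in the hunk documents restricting smbd to the tunnel interface, and with Samba's defaults the daemon also listens on the host's public interface, so the share is not actually VPN-only. Suggest adding the relevant smb.conf settings to this section (`interfaces = lo tun0`, `bind interfaces only = yes`, and a `hosts allow` limited to the VPN subnet) or a pointer to where the [[install a new VPN]] page covers that. Also, if the removed OpenVPN text is being moved to that page, note that its prose says easy-rsa is copied to ''/etc/openvpn/easy-rsa'' while the commands run `cp -pR ... /etc` and `cd /etc/easy-rsa`; pick one path before carrying it over.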
 

Revision as of 07:45, 29 June 2008

Configure SMB (Organic Design procedure)

After doing some research, it seems that the most popular and reliable way of achieving an internet-based file share is Samba over a Virtual Private Network (VPN). WebDAV has turned out to be unreliable and temperamental.

SFTP

Another excellent option is SFTP, which uses the existing SSH authentication to transfer files, and there are applications available for Windows which map this connectivity into the file system like a normal file share. On Ubuntu, SFTP integration with the file system is a standard feature: simply go to Places / Connect to Server, select SSH, fill in the authentication details and the resource will be mounted as usual.

Unfortunately, the Windows client setup isn't quite as simple as the Ubuntu case, but there is a good application for integrating SFTP into the file system called Dokan. There are a few other components to install on the Windows machine before it's ready to map SSH drives, as follows:

Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)

Samba over VPN

This is basically just a normal Samba installation which is included in the set up a new server procedure. Once a VPN has been set up with the install a new VPN procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure.
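The paragraph above relies on the share being reachable only over the VPN "virtual LAN", which holds only if smbd is bound to the tunnel interface rather than to every interface on the host. The following is an added example (not part of the original wiki page or the Organic Design procedures) that audits an smb.conf for exactly that: it shows a constructed default-style configuration beside a constructed hardened one and checks the `interfaces`, `bind interfaces only`, `hosts allow`/`hosts deny` and per-share `guest ok` settings. The tunnel interface name `tun0` and the VPN subnet `10.8.0.0/24` are assumptions (OpenVPN's default routed subnet), not values stated on the page.

```python
"""Audit an smb.conf so a share meant to be reached only over the VPN
"virtual LAN" is not also exposed on the host's public interface.

Added example, not code from the original wiki page.  Assumptions that the
page does not state: the OpenVPN tunnel interface is tun0 and the VPN subnet
is 10.8.0.0/24 (OpenVPN's default routed subnet); adjust to your setup.
"""
import configparser
import ipaddress

VPN_IFACE = "tun0"                               # assumed tunnel interface
VPN_NET = ipaddress.ip_network("10.8.0.0/24")    # assumed VPN subnet

# Constructed sample: the kind of smb.conf a default install leaves behind.
# smbd listens on every interface and the share is open to guests.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = file server
security = user

[shared]
path = /srv/shared
read only = no
guest ok = yes
"""

# Constructed sample: the same share limited to loopback and the tunnel,
# filtered to the VPN subnet, and requiring a real user account.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = file server
security = user
interfaces = lo tun0
bind interfaces only = yes
hosts allow = 127.0.0.1 10.8.0.0/24
hosts deny = 0.0.0.0/0

[shared]
path = /srv/shared
read only = no
guest ok = no
valid users = @vpnusers
"""


def parse_smb_conf(text):
    """smb.conf is INI-like, so configparser can read it directly."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _split(value):
    """smb.conf lists may be space- or comma-separated."""
    return value.replace(",", " ").split()


def audit_smb_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []

    # 1. smbd must listen only on loopback and the tunnel, never on eth0 etc.
    if VPN_IFACE not in _split(g.get("interfaces", "")):
        findings.append("interfaces does not list %s" % VPN_IFACE)
    if g.get("bind interfaces only", "no").lower() != "yes":
        findings.append("bind interfaces only is not yes")

    # 2. host filter: every allowed network must lie inside the VPN subnet
    #    (loopback excepted), and without a deny rule the allow list filters nothing.
    allow = _split(g.get("hosts allow", ""))
    if not allow:
        findings.append("hosts allow is not set")
    for entry in allow:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append("hosts allow entry %r is not an IP or network" % entry)
            continue
        if net.is_loopback:
            continue
        if not net.subnet_of(VPN_NET):
            findings.append("hosts allow entry %s is outside the VPN subnet" % entry)
    if not _split(g.get("hosts deny", "")):
        findings.append("hosts deny is not set")

    # 3. per share: no anonymous access, even on the VPN LAN
    for section in cp.sections():
        if section in ("global", "homes", "printers"):
            continue
        if cp[section].get("guest ok", "no").lower() == "yes":
            findings.append("share [%s] allows guest access" % section)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(name + ":", audit_smb_conf(conf) or "OK")
```

Run it against the live file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; the weak sample yields five findings and the hardened one none. The interface binding is the check that matters most: a `hosts allow` list alone still leaves smbd answering on the public address, it just refuses the session after the TCP connection is made.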