Configure Plesk as OpenVPN Server with Windows 10 as Client

Plesk is a powerful web server management tool. Among the included features is an OpenVPN server, so when you’re working remotely you can connect directly to your server over an encrypted tunnel. This can be very helpful if you’re a developer who works from insecure locations like a Starbucks coffee shop or another public network. The instructions provided by Plesk are not really clear on this topic, or at least not fully up-to-date, and the included client download package is a legacy version of the OpenVPN client.

TLDR (in summary): if you’re the only person who manages both the Plesk server and uploads files, and you want a really secure setup, read on. Otherwise, you can just stop here, because this is NOT going to give you any real-world benefits.

As of the writing of this post, Plesk only supports a single remote host at a time, and if you configure multiple devices they all use the same encryption key. Additionally, you’re limited to traffic intended for the Plesk server directly; it does not route traffic more broadly within either the server’s LAN or to the WAN. This results in a network configuration known as split tunneling, meaning only traffic for the remote server is sent over the tunnel and all other traffic still goes out your normal internet connection. So the net result is a secure connection just to your Plesk server, but nothing else. If you’re already using FTPS and SSH, then this really provides NO benefit for you. There are feature requests to extend the Virtual Private Networking features of Plesk, but as of this writing, they have not been implemented.

Also, because technology changes quickly, please note the following – this documentation is based on the following software versions:

  • Plesk Onyx Version 17.8.11 Update #38
  • OpenVPN Windows Client 2.5.0.136 (link)
  • Windows 10 Enterprise, Version 10.0.17134.523

Let’s get started on how to configure the OpenVPN Server.

  1. Start by installing the Plesk Extension: Virtual Private Networking
  2. Then open the Extensions shortcut via the navigation pane > Virtual Private Networking.
  3. On the Preferences page that opens, specify the following parameters:
    1. Remote Address: Leave this blank, as you’re intending to remotely connect TO the Plesk server.
    2. Remote UDP port: You can leave this field blank if you have not specified a remote address above.
    3. Local UDP port: your server will listen for incoming VPN traffic on this local UDP port. The default port is 1194.
    4. Local peer address and Remote peer address: Usually leave the defaults. This needs to be a separate address space from both the WAN and the LAN of the server, and ideally it should not overlap with the local network you’ll be connecting from either.
    5. Click OK.
  4. The Plesk VPN component is initially disabled. To use the VPN functionality, enable the component by clicking the “Switch On” button.
  5. Click on “For a Windows Client” button to download the package. BUT DO NOT use the OpenVPN client included.
  6. Extract the package to any location.
  7. Open the extracted files and copy the vpn-key file to your c:\ directory
  8. Then open the openvpn.conf file using any text editor, such as Notepad or, my preferred editor, Notepad++
    1. Change the line: secret system/vpn-key
      To read: secret c://vpn-key
    2. Save the file as openvpn.ovpn
  9. Then move the file from its current location to c:\ (in Windows 10 the security permissions will usually prohibit you from saving directly to the c:\ directory).
  10. From the Start menu, run OpenVPN Client, not the OpenVPN GUI.
  11. Right-click on the sys-tray icon and select Import > From File. Point it to your c:\openvpn.ovpn file.
  12. In a few seconds (but not immediately), it will show the VPN in the listing when you right-click on the OpenVPN Client sys-tray icon. Click on the Plesk Server, then select Connect.

You should be all set. You can test your connection by pinging your server from the command line at the IP address selected above, typically 172.16.0.1; if you get a reply, your VPN is set up properly. You can also go to http://www.WhatIsMyIP.com and verify that all other web traffic is routing through your local internet connection and not your server.
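As an added example (not from the post or from Plesk), the shell snippet below does the edit from step 8 in a repeatable way and then checks the resulting .ovpn for the properties described above: exactly one static “secret” line that no longer points at the server-side path, and no “redirect-gateway”, which is what keeps the connection a split tunnel carrying only 172.16.0.x traffic. SAMPLE_CONF is constructed for this example and the client address 172.16.0.6 is an assumption; the file Plesk generates will contain more lines.

```shell
#!/bin/sh
# Added example, not from the original post or from Plesk: converts the
# downloaded openvpn.conf into the openvpn.ovpn that step 8 produces, then
# checks that the result still describes the split tunnel explained above
# (one static "secret" line, no "redirect-gateway", so only traffic for the
# 172.16.0.x peer goes through the tunnel). SAMPLE_CONF is constructed for
# this example; the file Plesk generates will contain more lines.

SAMPLE_CONF='dev tun
proto udp
port 1194
remote plesk.example.com 1194
ifconfig 172.16.0.6 172.16.0.1
secret system/vpn-key
'

# convert_conf <conf text> <key path on the client> -> prints the .ovpn text
convert_conf() {
    printf '%s' "$1" | sed "s|^secret system/vpn-key$|secret $2|"
}

# check_ovpn <ovpn text> -> 0 if the config is usable on the client and still
# split-tunnel; prints the reason and returns 1 otherwise
check_ovpn() {
    text=$1
    secrets=$(printf '%s\n' "$text" | grep -c '^secret ' || true)
    if [ "$secrets" -ne 1 ]; then
        echo "expected exactly one 'secret' line, found $secrets" >&2
        return 1
    fi
    if printf '%s\n' "$text" | grep -q '^secret system/'; then
        echo "'secret' still points at the server-side path" >&2
        return 1
    fi
    if printf '%s\n' "$text" | grep -q '^redirect-gateway'; then
        echo "redirect-gateway present: this would be a full tunnel, not split" >&2
        return 1
    fi
    return 0
}

# Typical use on the extracted package (file names as in the post):
#   convert_conf "$(cat openvpn.conf)" 'c://vpn-key' > openvpn.ovpn
#   check_ovpn "$(cat openvpn.ovpn)"
```

If check_ovpn ever reports a redirect-gateway line, the client would send all of its traffic to the Plesk server, which is the behaviour the post says Plesk does not provide; that is worth noticing before importing the profile.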

You’re now configured to access your server over the VPN tunnel.

Now you’ll need to access your Plesk server using that IP address, which can itself be problematic. FTP/FTPS to 172.16.0.1 will work just fine, but if you try to navigate to the Plesk web console at https://172.16.0.1 you’ll get a certificate error, because the certificate is issued for the FQDN (Fully Qualified Domain Name), such as plesk.example.com.

You could modify your hosts file, but then you’ll have all sorts of problems connecting when you’re not connected via the VPN tunnel.

So this begs the question: why even bother with this? The only reason I can think of is if you’re using Plesk as a GUI to manage your web servers and you want to keep the server really closed off. With the VPN set up, you can close the FTP/FTPS ports, as well as the Plesk ports like 8443, to the outside world. It creates a much more secure setup and is a good idea if you’re the only one who is going to manage this server. But otherwise, if other people need to use FTP or the console, then there is no reason to implement this.

PuTTY – Accessing a Linode Server

PuTTY is a free and open source SSH client for Windows and UNIX systems. It provides easy connectivity to any server running an SSH daemon, so you can work as if you were logged into a console session on the remote system.

  1. Download and run the PuTTY installer from here.
  2. When you open PuTTY, you’ll be shown the configuration menu. Enter the hostname or IP address of your Linode. PuTTY’s default TCP port is 22, the IANA assigned port for SSH traffic. Change it if your server is listening on a different port. Name the session in the Saved Sessions text bar if you choose, and click Save:

    Saving your connection information.

  3. Click Open to start an SSH session. If you have never previously logged into this system with PuTTY, you will see a message alerting you that the server’s SSH key fingerprint is new, and asking if you want to proceed.

    Do not click anything yet! Verify the fingerprint first.

    PuTTY verify SSH fingerprint

  4. Use Lish to log in to your Linode. Use the command below to query OpenSSH for your Linode’s SSH fingerprint:

    ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub

    The output will look similar to:

    256 MD5:58:72:65:6d:3a:39:44:26:25:59:0e:bc:eb:b4:aa:f7 root@localhost (ED25519)

    Note

    For the fingerprint of an RSA key instead of an elliptic-curve key, use: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub.
  5. Compare the output from Step 4 above to what PuTTY is showing in the alert message in Step 3. The two fingerprints should match.
  6. If the fingerprints match, then click Yes on the PuTTY message to connect to your Linode and cache the host fingerprint.

    If the fingerprints do not match, do not connect to the server! You won’t receive further warnings unless the key presented to PuTTY changes for some reason. Typically, this should only happen if you reinstall the remote server’s operating system. If you receive this warning again from a system you already have the host key cached on, you should not trust the connection and investigate matters further.
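The comparison in steps 4 and 5 is easy to get wrong by eye (PuTTY and ssh-keygen differ in case and in the “MD5:” prefix), so here is an added example, not from the post or from Linode’s or PuTTY’s documentation, that computes the MD5 fingerprint the same way ssh-keygen -E md5 -lf does (MD5 over the base64-decoded key blob) and compares it with a displayed string after normalising both. The public key is constructed with all-zero key material and is not any real host’s key; the helper names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post or from Linode/PuTTY docs: compute a
# host key's MD5 fingerprint the way `ssh-keygen -E md5 -lf` does (MD5 over the
# decoded key blob) and compare it with what PuTTY shows, tolerating the usual
# display differences (MD5: prefix, upper/lower case, surrounding whitespace).
# Needs only POSIX sh plus base64 and md5sum from coreutils.

# Constructed sample key (hypothetical; all-zero key material, never a real host).
# The blob is: len(11) "ssh-ed25519" len(32) <32 zero bytes>, base64-encoded.
SAMPLE_KEY_TYPE='ssh-ed25519'
SAMPLE_KEY_B64="AAAAC3NzaC1lZDI1NTE5AAAAI$(head -c 43 /dev/zero | tr '\0' 'A')"
SAMPLE_PUBKEY="$SAMPLE_KEY_TYPE $SAMPLE_KEY_B64 root@localhost"

# md5_fingerprint_of_pubkey "ssh-ed25519 AAAA... comment"
# Prints the fingerprint as 16 colon-separated hex bytes, e.g. 58:72:65:...
md5_fingerprint_of_pubkey() {
    b64=$(printf '%s\n' "$1" | awk '{print $2}')
    hex=$(printf '%s' "$b64" | base64 -d | md5sum | cut -c1-32)
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# normalize_fingerprint "MD5:58:72:..." -> "58:72:..." (lowercase, no prefix,
# no surrounding whitespace) so strings from different tools can be compared
normalize_fingerprint() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's/^[Mm][Dd]5://' | tr 'A-F' 'a-f'
}

# fingerprints_match <expected> <shown> -> 0 only when both describe the same key
fingerprints_match() {
    [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Demo: server-side value versus the string you would read off the PuTTY dialog.
# On a real server: md5_fingerprint_of_pubkey "$(cat /etc/ssh/ssh_host_ed25519_key.pub)"
server_fp=$(md5_fingerprint_of_pubkey "$SAMPLE_PUBKEY")
putty_fp="MD5:$(printf '%s' "$server_fp" | tr 'a-f' 'A-F')"
if fingerprints_match "$server_fp" "$putty_fp"; then
    echo "fingerprints match: $server_fp"
else
    echo "MISMATCH: do not connect, investigate first" >&2
fi
```

Paste the fingerprint from the PuTTY dialog as the second argument of fingerprints_match; a non-zero return is the “do not connect” case in step 6.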

How to compress files and directories on Ubuntu

One of the most common ways to quickly and effectively compress files on a Linux server such as Ubuntu is the combination of tar and gzip. When moving directories between servers it is far faster to compress, transfer and expand than to transfer the raw files.

Here is an example of how I used the command recently to move some files between web hosting servers.

Source server:

tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

Then, using normal FTP, I copied this file to my local machine before uploading it to my destination server.

Destination server:

tar -xzvf archive.tar.gz
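The same round trip as an added example (not the author’s commands), with the two checks a transfer over FTP benefits from: a checksum of the archive before and after the hop, so a truncated or corrupted upload is caught before extraction, and a diff of the extracted tree against the source. The sample web root is constructed; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: the same tar/gzip round trip with
# two checks the post leaves out, a checksum so a corrupted or truncated upload
# is noticed before extraction, and a diff of the extracted tree against the
# source. Only POSIX sh plus tar, gzip, sha256sum and diff are needed.

# make_archive <archive.tar.gz> <source-dir>
# -C makes the archive hold paths relative to the parent directory. tar strips
# a leading "/" anyway (with a warning); relative entries keep the extract from
# landing in an unexpected place.
make_archive() {
    tar -czf "$1" -C "$(dirname "$2")" "$(basename "$2")"
}

# list_archive <archive.tar.gz> -> one entry per line, like tar -tzvf without
# the size/date columns; look here before extracting an archive you did not
# build yourself, for entries such as "../" or absolute paths
list_archive() {
    tar -tzf "$1"
}

checksum_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# extract_archive <archive.tar.gz> <dest-dir>
extract_archive() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# verify_roundtrip <source-dir> -> 0 when archive, copy, extract yields an
# identical tree; the cp stands in for the FTP hop in the post
verify_roundtrip() {
    src=$1
    work=$(mktemp -d)
    make_archive "$work/backup.tar.gz" "$src"
    before=$(checksum_file "$work/backup.tar.gz")
    cp "$work/backup.tar.gz" "$work/transferred.tar.gz"
    after=$(checksum_file "$work/transferred.tar.gz")
    if [ "$before" != "$after" ]; then
        echo "checksum mismatch after transfer" >&2
        rm -rf "$work"
        return 1
    fi
    extract_archive "$work/transferred.tar.gz" "$work/out"
    if diff -r "$src" "$work/out/$(basename "$src")" >/dev/null; then
        status=0
    else
        echo "extracted tree differs from source" >&2
        status=1
    fi
    rm -rf "$work"
    return $status
}

# Constructed sample tree (hypothetical web root, not the author's data)
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/site/wp-content"
    printf '<?php echo "hi";\n' > "$d/site/index.php"
    printf 'key = value\n' > "$d/site/wp-content/settings.ini"
    printf '%s\n' "$d/site"
}
```

In practice you would run checksum_file on the source server, copy the archive, and run it again on the destination before extracting; the two values must be identical.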

Install Composer on a Dreamhost VPS Instance

I have started to experiment with web development tools again and quickly ran into frameworks and tools which use Composer. There is mixed information on how to use Composer with Dreamhost in a VPS environment, so I’m writing a blog post about it here. I’ll also add how to provision additional specific frameworks as we explore them.

  1. Through the Dreamhost console, verify which version of PHP you’re running.
    1. Domains > Manage Domain
    2. Look for the domain and you’ll see the PHP version, such as 5.6
  2. SSH into your VPS server
  3. The Phar extension for PHP must be enabled; do this by:
    1. Verify you’re in the correct directory by typing “pwd”
    2. It should respond that you’re at /home/{{username}}
    3. Create a new directory with “mkdir .php”; if you receive an error that it already exists, that is okay
    4. Move into that directory: “cd .php”
    5. Now create a directory with the same name as your PHP version; in this case I’ll create it with “mkdir 5.6”
    6. Move into that directory: “cd 5.6”
    7. Now we’ll create (or edit) a file named phprc by typing “nano phprc”
    8. This opens a full-screen text editor; copy and paste the following into the editor:
      extension = phar.so
      suhosin.executor.include.whitelist = phar
    9. To save changes, press Ctrl-X, then Y, then {{enter}}
    10. You’ll be back at the command prompt.
    11. Test it by typing “php -m | grep Phar”; the result should simply say “Phar”. If it just returns you to the command prompt without printing anything, double-check your steps above.
  4. Enter the following to return to your home directory: “cd ~”
  5. Now move into the directory for the website you want to use Composer with; for example, for my website www.sample.com you’d enter “cd www.sample.com”
  6. Now you can install Composer here, or move into a subdirectory first if necessary.
  7. To install Composer, simply type: “curl -sS https://getcomposer.org/installer | php”

Now, whenever you are instructed to use Composer, go into this directory and use the command “php composer.phar” followed by whatever you’ve been told to run, such as:

  • You’re instructed to use:
    composer require twbs/bootstrap
  • What you’ll type is:
    php composer.phar require twbs/bootstrap
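Two helpers for the procedure above, as an added example that is not from the post or from Dreamhost’s article. write_phprc creates ~/.php/<version>/phprc with the two lines from step 3 and is safe to run twice (it does not duplicate lines). verify_installer replaces the “curl | php” in step 7 with a download followed by a SHA-384 check against the value Composer publishes at https://composer.github.io/installer.sig, so a tampered or truncated installer is never handed to php. The sample installer files are constructed stand-ins; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post or from Dreamhost's article: two
# helpers for the steps above. write_phprc() creates ~/.php/<version>/phprc
# idempotently; verify_installer() checks the downloaded Composer installer
# against its published SHA-384 before it is ever handed to php, instead of
# piping curl straight into php as the post does.

# write_phprc <php-version> [home-dir] -> creates/updates the phprc file and
# prints its path; lines already present are not added a second time
write_phprc() {
    ver=$1
    home=${2:-$HOME}
    dir="$home/.php/$ver"
    mkdir -p "$dir"
    f="$dir/phprc"
    touch "$f"
    for line in 'extension = phar.so' 'suhosin.executor.include.whitelist = phar'; do
        grep -qxF "$line" "$f" || printf '%s\n' "$line" >> "$f"
    done
    printf '%s\n' "$f"
}

# verify_installer <installer-file> <signature-file>
# The signature file holds the hex SHA-384 Composer publishes for the installer.
# Returns 0 only when the digest of the downloaded file matches it.
verify_installer() {
    expected=$(tr -d '[:space:]' < "$2")
    actual=$(sha384sum "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Real use (network needed), as Composer documents it:
#   curl -sS -o installer https://getcomposer.org/installer
#   curl -sS -o installer.sig https://composer.github.io/installer.sig
#   verify_installer installer installer.sig && php installer

# Constructed stand-ins for an offline run (hypothetical files, not the real
# installer): a "good" file with a matching signature and a "tampered" one
make_sample_installer() {
    d=$(mktemp -d)
    printf '<?php echo "installer";\n' > "$d/installer"
    sha384sum "$d/installer" | cut -d' ' -f1 > "$d/installer.sig"
    printf 'tampered\n' > "$d/installer-bad"
    printf '%s\n' "$d"
}
```

Keep the two curl calls separate from the php call: if the download is cut short or served from somewhere unexpected, the digest check fails and nothing is executed.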

This is based on the assumption that you’ll only use Composer for one or two things, but if you’re a developer or will be using Composer a lot, you’ll want to check out how to make it available globally: https://help.dreamhost.com/hc/en-us/articles/214899037-Installing-Composer-overview

Note that about 90% of the information for this was based on that dreamhost.com article; however, some finer elements were missing, and certain assumptions about using Linux were made that not everyone will necessarily know. Additionally, the part about how to convert the composer call that most websites reference into php composer.phar is also missing.

Enjoy!

100,000 Mark

I was recently reviewing some of the statistics and discovered we have over 100,000 views, not including search engine crawling. A couple of more interesting statistics:

Thank you to all of my readers who are enjoying all of the posts, and finding them valuable!  It has been a lot of fun sharing the technical information I have with everyone and helping give back to the online community which has taught me so much…

~ Enjoy!

XenServer – Pool Master Recovery (The Missing Part 1 to XenServer Hosts in Halted Mode)

In July of 2012 I wrote a “part 2” regarding XenServer hosts in halted mode; however, I seem to have misplaced part 1, which I’ve rewritten after needing to reference these steps again recently.

There are several events which can cause a XenServer pool to become corrupt. In a recent instance of mine, the pool master was unable to communicate with the HA storage repository (SR) and fenced. I also had another instance where several hosts shut down unexpectedly, and the pool master was among them. Here are the steps I performed to recover the pool master.

  1. Work on recovering the pool: elect the server you want to become the master, and on that box run “xe pool-emergency-transition-to-master”
  2. Once that is completed, on the newly elected/transitioned master, run “xe pool-recover-slaves”
  3. Once that is complete, you should be able to run “xe host-list” and see all of your hosts listed

Enjoy

Based in part on information from: XenServer System Recovery Guide

Hung VM, unable to force reboot/shutdown

I have been working with a few vendor-provided VMs which run Linux. For some reason this specific set of Linux VMs does not respond properly to reboot or shutdown commands when the VMs are hung; this is true even of force-shutdown. The following process works great for virtual servers that are non-responsive in a XenServer environment, after normal reboot/shutdown attempts have failed.

  1. “xe vm-list name-label={vm logical name}” to get the uuid of the VM that is hung
  2. “list_domains” to list the domain uuids, so you can determine the domain # of the VM above by matching the uuids from this output with the uuid for your VM from the previous command.
  3. “/opt/xensource/debug/destroy_domain -domid XX” where XX is the domain number from the previous command
  4. “xe vm-reboot name-label={vm logical name} --force”
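An added example (not from the post) that does the uuid matching of step 2 in code instead of by eye, and refuses to pass domain 0 on to step 3: domain 0 is the control domain, i.e. the host itself, and a typo there would take down every VM on the box. The list_domains text is constructed in the “id | uuid | state” layout with made-up uuids; the xe invocation in the trailing comment is the assumed syntax for fetching just the uuid.

```shell
#!/bin/sh
# Added example, not from the original post: does the uuid matching of step 2
# in code rather than by eye, and refuses to hand domain 0 (the control
# domain, i.e. the host itself) to destroy_domain. The list_domains text below
# is constructed in the "id | uuid | state" layout; the uuids are made up.

SAMPLE_LIST_DOMAINS='id |                                 uuid | state
 0 | 0f9e8d7c-0000-4000-8000-000000000001 |     R
 7 | 5e6f7a8b-1111-4222-8333-444455556666 |     B
12 | aa11bb22-cc33-4444-8555-666677778888 |     R'

# domid_for_uuid <vm-uuid> <list_domains output> -> prints the domain id,
# returns 1 when the VM has no running domain (nothing to destroy)
domid_for_uuid() {
    printf '%s\n' "$2" | awk -F'|' -v want="$1" '
        NR > 1 {
            gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2)
            if ($2 == want) { print $1; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# safe_to_destroy <domid> -> 0 only for a positive integer; rejects "", junk
# and 0 so the control domain can never be the target
safe_to_destroy() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# On a real host (assumed xe syntax; --minimal prints only the uuid):
#   uuid=$(xe vm-list name-label="$VM" params=uuid --minimal)
#   domid=$(domid_for_uuid "$uuid" "$(list_domains)") &&
#     safe_to_destroy "$domid" &&
#     /opt/xensource/debug/destroy_domain -domid "$domid"
```

Because domid_for_uuid returns non-zero when the uuid is absent, the chained form above simply stops, rather than running destroy_domain with an empty argument.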

Enjoy

Based in part on information from: http://www.r2dtop.com/xenserver-6-virtual-machine-crash-and-hang-issue/

Sysinternal: Ctrl2cap

I am beginning a new series on the Sysinternals tools, which are now part of Microsoft TechNet. This series of posts will highlight both interesting and useful tools available as part of the Sysinternals suite. The most common tool, and perhaps the most important, is ProcMon, but we’ll get to that later. Today we’ll review the first tool posted, Ctrl2cap.

Ctrl2Cap was designed to help transition users from old Unix-style keyboards, where the Control key sits where the Caps Lock key is on a standard Windows keyboard. Installing this tool will capture keyboard input and swap the Control and Caps Lock keys to make the transition to a Windows environment easier for Unix administrators. I encounter the inverse situation when I am at a Unix-style workstation or an AS/400 with a Unix-style keyboard, since I am accustomed to a standard Windows keyboard layout.

Additional information directly from Microsoft on this tool:

On Win2K Ctrl2cap is a WDM filter driver that layers in the keyboard class device’s stack above the keyboard class device. This is in contrast to the Win2K DDK’s kbfiltr example that layers itself between the i8042 port device and the keyboard class device. I chose to layer on top of the keyboard class device for several reasons:

  • It means that the Ctrl2cap IRP_MJ_READ interception and manipulation code is shared between the NT 4 and Win2K versions.

  • I don’t need to supply an INF file and have the user go through the Device Manager to install Ctrl2cap – I simply modify the appropriate Registry value (the keyboard class device’s HKLM\System\CurrentControlSet\Control\Class UpperFilters value).

More information and the download of this tool can be found at: http://technet.microsoft.com/en-us/sysinternals/bb897578.aspx
