Saturday, December 12, 2009


SkyHi @ Saturday, December 12, 2009

Friday, December 11, 2009

How to Convert chm files to HTML or PDF files

SkyHi @ Friday, December 11, 2009
Microsoft Compiled HTML Help is a proprietary format for online help files, developed by Microsoft and first released in 1997 as a successor to the Microsoft WinHelp format. It was first introduced with the release of Windows 98, and is still supported and distributed through Windows XP platforms.

HTML Help files are made with help authoring tools. Microsoft ships the HTML Help Workshop with supported versions of Microsoft Windows and makes the tool available for free download. There are also a lot of third-party help authoring tools available.

CHM files, known as Microsoft Compressed HTML Help files, are a common format for eBooks and online documentation. They are basically a collection of HTML files stored in a compressed archive with the added benefit of an index.

Under Linux, you can view a CHM file with the xchm viewer. But sometimes that’s not enough. Suppose you want to edit, republish, or convert the CHM file into another format such as the Plucker eBook format for viewing on your Palm. To do so, you first need to extract the original HTML files from the CHM archive.

This can be done with the CHMLIB (CHM library) and its included helper application extract_chmLib.

Install Chmlib in Ubuntu

sudo apt-get install libchm-bin

Convert .chm files in to HTML files

If you want to convert .chm files in to HTML files use the following command

extract_chmLib book.chm outdir

where book.chm is the path to your CHM file and outdir is a new directory that will be created to contain the HTML extracted from the CHM file.

Convert .chm files in to PDF files

First you need to install htmldoc, an HTML processor that generates indexed HTML, PS, and PDF. HTMLDOC is a program for writing documentation in HTML and producing indexed HTML, PostScript, or PDF output (with tables of contents). It supports most HTML 3.2 and some HTML 4.0 syntax, as well as GIF, JPEG, and PNG images.

sudo apt-get install htmldoc

If you want to use htmldoc type the following command in terminal


Once it opens you should see a screen similar to the following, where you can choose the HTML files and convert them to PDF or PS.

You need to install xchm, which will read chm files. (chm files are Microsoft help files.) To install xchm, open a terminal and type:

sudo apt-get install xchm

Perl Regular Expression

SkyHi @ Friday, December 11, 2009

How it is used

  • test whether a string or one of its substrings matches some pattern.

  • For example, whether the user input in a form consists only of digits, or matches a legal phone number, credit card number, or date pattern.
  • replace or substitute some string pattern in a text string.

  • For example, remove all tags in a web page and leave only the text content.
  • extract a substring from a string based on a certain text pattern.

  • For example, given a URL, extract the protocol, domain name, port number, and URI fields for further processing such as web crawling, web indexing/searching, or copying web pages for offline reading.

Web page for testing your regular expression with provided data


  • Mastering Regular Expressions by Jeff Friedl, O'Reilly.
  • Perlre man page ("man perlre")

Perl Metacharacter Summary

Items that match a single character

. dot Match any one character
[...] character class Match any character listed
[^...] negated character class Match any character not listed
\t tab Match HT or TAB character
\n new line Match LF or NL character
\r return Match CR character
\f form feed Match FF (Form Feed) character
\a alarm Match BELL character
\e escape Match ESC character
\0nnn Character in octal, e.g. \033 Match equivalent character
\xnn Character in hexadecimal, e.g. \x1B Match equivalent character
\cX Control character, e.g. \cA Match the corresponding control character (Ctrl-A)
\l lowercase next character
\u uppercase next character
\L lowercase characters till \E
\U uppercase characters till \E
\E end case modification
\Q quote (disable) pattern metacharacters till \E

Example 1: character class
if ($string =~ /[01][0-9]/) {
    print "$string contains digits 00 to 19\n";
} else {
    print "$string does not contain digits 00 to 19\n";
}

Example 2: negated character class
if ($string =~ /[^A-Za-z]/) { print "$string contains non-letter characters\n" }
else { print "$string does not contain non-letter characters.\n" }
(Note that the single range A-z would also include the six punctuation characters that sit between Z and a in ASCII, so both ranges are spelled out.)

Class Shorthand: Items that match a single character in a predefined character class

\w Match a "word" character (alphanumeric plus "_")
\W Match a non-word character
\s Match a whitespace character
\S Match a non-whitespace character
\d Match a digit character
\D Match a non-digit character

Quantifiers: Items appended to provide "Counting"

* Match 0 or more times
+ Match 1 or more times
? Match 0 or 1 times
{n} Match exactly n times
{n,} Match at least n times
{n,m} Match at least n but no more than m times

Items That Match Positions

^ Caret, Match start of the line (can match multiple times when the /m multiline modifier is used)
$ Match end of the line (can match multiple times when the /m multiline modifier is used)
\b Match a word boundary
\B Match a non-(word boundary)
\A Match only at beginning of string
\Z Match only at end of string, or before newline at the end
\z Match only at end of string
\G Match only where previous m//g left off (works only with /g)

Grouping and Alternation

| Alternation, Match either expression it separates
(...) Limit scope of alternation, Provide grouping for the quantifiers, Capture matched substrings for backreferences.
\1, \2, ... Backreference, Match text previously matched within first, second, ..., set of parentheses.
(?:...) Grouping only, non-capturing parentheses
(?=...) Positive lookahead, non-capturing parentheses
(?!...) Negative lookahead, non-capturing parentheses

Modes, appended at the end of the regular expression

i ignore case
g global; in a substitution, s/.../.../g, repeat the substitution for every match instead of only the first
m multiline matching mode
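As an added example (not part of the original post), the three use cases listed at the top, URL field extraction, tag stripping and phone-number validation, done with the metacharacters in the summary above; all sample inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not from the original post: the three use cases above using
# the metacharacters from the summary table. All sample inputs are constructed.
use strict;
use warnings;

# Split a URL into protocol, host, port and uri. \A and \z anchor the whole
# string, [^...] is a negated class, (?:...) groups without capturing, and the
# trailing ? on a group makes the port and the path optional.
sub parse_url {
    my ($url) = @_;
    return unless $url =~ m{\A([a-z][a-z0-9+.-]*)://([^/:\s]+)(?::(\d{1,5}))?(/\S*)?\z}i;
    return {
        proto => lc $1,
        host  => $2,
        port  => (defined $3 ? $3 : ''),
        uri   => (defined $4 ? $4 : '/'),
    };
}

# Remove tags and keep only the text. The g modifier on s/// replaces every
# match, not only the first. This is a readability filter, not an HTML
# sanitizer: attribute values containing ">" and <script> bodies are not handled.
sub strip_tags {
    my ($html) = @_;
    $html =~ s/<[^>]*>//g;
    $html =~ s/\s+/ /g;            # collapse runs of whitespace (\s with the + quantifier)
    $html =~ s/\A\s+|\s+\z//g;     # trim, using alternation and the string anchors
    return $html;
}

# Accept North American numbers such as (555) 123-4567, 555-123-4567 or
# 5551234567. {n} is an exact count; the class [-.\s] lists allowed separators.
# This checks the format only, nothing about whether the number is real.
sub looks_like_phone {
    my ($s) = @_;
    return $s =~ /\A(?:\(\d{3}\)\s?|\d{3}[-.\s]?)\d{3}[-.\s]?\d{4}\z/ ? 1 : 0;
}

# Backreference: \1 re-matches whatever the first group captured, here a
# doubled word such as "is is". \b keeps "the theory" from matching.
sub doubled_word {
    my ($text) = @_;
    return $text =~ /\b(\w+)\s+\1\b/i ? $1 : undef;
}

for my $url ('http://www.example.com:8080/docs/index.html?q=1', 'https://example.org/', 'not a url') {
    my $p = parse_url($url);
    print $p ? "$url -> proto=$p->{proto} host=$p->{host} port=$p->{port} uri=$p->{uri}\n"
             : "$url -> no match\n";
}
print strip_tags('<p>Hello, <b>world</b>!</p>  <a href="x">link</a>'), "\n";   # Hello, world! link
for my $n ('(555) 123-4567', '555.123.4567', '55-123-4567') {
    printf "%-15s %s\n", $n, looks_like_phone($n) ? 'ok' : 'rejected';
}
print "doubled word: ", doubled_word('This is is a test'), "\n";               # is
```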


Thursday, December 10, 2009

auto-sense MDI/MDI-X and auto-negotiating questions

SkyHi @ Thursday, December 10, 2009
I had a couple of questions, so after a half an hour of google investigating, I have come to some conclusions so I need to confirm/deny my thoughts. Here they are (correct me if I am mistaken):

1) MDI & MDI-X - to my knowledge those are types of ethernet ports - MDI-X is crossed MDI. Ex: if I have one device with MDI port and one device with MDI-X port, then I need a straight cable. If both are MDI, then I need a crossover cable. If both are MDI-X, I guess crossover cable?

2) If the above is correct, then does it mean that connection between any two network devices (NIC, hub, switch, router, etc) needs crossed lines (1 -> 3 & 2 -> 6)

3) NICs have MDI interface, while routers, switches and hubs have MDI-x interface. Is this always true, are there exceptions, and if there are, how would I know if port is MDI or MDI-X?

4) Newer switches/routers have autosense ports, which means that you can put any type of cable (crossover or straight), and it will detect and cross lines if necessary. Are there any speed penalties while sending packets if I use straight cable between 2 routers - I guess no.

5) auto-negotiating - it means that it detects speed of connected network devices and automatically sets transmission speed of both devices to same speed (lower one). What is the benefit of this? What will happen if device doesn't have auto-negotiating feature?

1) Yes but most devices today are autosensing and determine the correct configuration.

2) same as 1

3) Switches and Hubs are usually MDI-x but routers are normally MDI

4) No, speed is still the same

5) If one device isn't capable of auto or hard set to a speed/duplex then the auto device can easily detect the speed of the other interface and sets itself accordingly. The downside is on duplex because there is not a good way to determine whether the other device can handle half or full so in most cases defaults to half. In order for this to work correctly both devices need to be able to "Auto-Negotiate". This way you don't have to manually set speed/duplex on every port.

Hope this helps
Accepted Solution


11/20/07 01:01 PM, ID: 20323191
In the past when you connected a device other than a PC into a Cisco switch, you always wanted to hard code the speed and duplex and not use the auto feature as they never performed correctly. Today switches from Cisco have been greatly improved where the Auto detect actually works and is preferred over hard setting speed/duplex. In fact there have been instances where hardcoding the port actually resulted in errors.

The MDI-X is auto sensing on most of the new Cisco switches, but the preferred method on a switch if connecting two switches together is to disable MDI-x and use a crossover between them.


11/20/07 05:04 PM, ID: 20324767
Thanks guys for the answers. I am a little confused now by this statement:

>>  Switches and Hubs are usually MDI-x but routers are normally MDI

Does this mean (assuming that if switch & router don't have auto sense feature)

nic (mdi) to switch (mdi-x) needs straight-through cable
nic (mdi) to router (mdi) needs crossover cable (like nic (mdi) to nic (mdi) does)
router (mdi) to switch (mdi-x) needs straight-through cable

since in question two I say

>> 2) If the above is correct, then does it mean that connection between any two network devices (NIC, hub, switch, router, etc) needs crossed lines (1 -> 3 & 2 -> 6)



11/21/07 06:58 AM, ID: 20328095
No don't over-complicate it. Forget MDI. A hub(please don't use one) or a switch connects all other network devices using plain straight through cabling. The only times where a crossover will be needed is if you are connecting two non switched devices to each other, say a PC to a router(without a built in switch) or a network printer to a PC, or PC to PC. The only other time you would use a crossover to a switch is to connect another switch to it.
Assisted Solution


11/21/07 09:09 AM, ID: 20329206
Well, I knew most of those (didn't know the one pc to printer), I just like to understand things and not to learn them as they are. :) One thing you didn't mention is switch to router and router to router - is it crossover too, and is there any general rule about what port number should I use when connecting switches and routers.



11/21/07 09:36 AM, ID: 20329457
Router is considered the same as a PC, unless it has a built in switch like most SOHO routers, in that case, they can use either a straight or a crossover. Router to Router is crossover, same as a PC, with above exceptions.


What is the difference between MDI-II and Auto MID/MDI-X

SkyHi @ Thursday, December 10, 2009
MDI is a standard twisted pair ethernet port (Medium Dependent Interface). A port labeled MDI/MDIX usually has a switch that will swap the transmit and receive pairs so that you wouldn't need a crossover cable (as required for a hub to hub connection). An Auto MDI/MDIX will automatically detect if a crossover is required and make the swap for you internally. The X in MDIX is short for crossover.

Sorry, I got carried away and forgot the first part: MDI-II is a "cascade" port for allowing two or more hubs to be connected together. Some brands of hubs will have two jacks or even DB-25 connectors on the back for cascading hubs - these are often proprietary for stack management and/or increased speed.


Multitabbed PuTTY

SkyHi @ Thursday, December 10, 2009

Need a tabbed version of the famous PuTTY? That's exactly what PuTTY Connection Manager does.
PuTTY Connection Manager is a free PuTTY client add-on for Windows platforms whose goal is to provide a solution for managing multiple PuTTY instances.

Below is an excerpt from the feature list:

  • Tabs and dockable windows for PuTTY instances
  • Fully compatible with PuTTY configuration (using registry)
  • Easily customizable to optimize workspace (fullscreen, minimize to tray, add/remove toolbar, etc.)
  • Automatic login feature regardless of protocol restrictions (user keyboard simulation)
  • Post-login commands (execute any shell command when logged in)
  • Connection Manager: Manage a large number of connections with specific configuration (auto-login, specific PuTTY Session, post-command, etc.)
  • Quick connect toolbar to quickly launch a PuTTY connection
  • Import/Export whole connection information to XML format (generate your configuration automatically from another tool and import it, or export your configuration for backup purposes)
  • Encrypted configuration database option available to store connection information safely (external library supporting the AES algorithm with key sizes of 128, 192 and 256 bits; please check the legal status of encryption software in your country)
  • Standalone executable, no setup required
  • Localizable: English (default) and French available (only when using the setup version, standalone is English only)
  • Completely free for commercial and personal use: PuTTY Connection Manager is freeware

Linux Setup Notes

SkyHi @ Thursday, December 10, 2009
This page details the tribulations involved on getting Linux running and configured on this system. Its purpose is to provide a reference for setting up new systems here but hopefully will also help other users who may have similar problems.


Connecting via Jameco 4 serial port card to a HP200LX Palmtop
Installing latex2html (version 97.1)
Configuring Linux for Japanese Kana and Kanji input
Configuring disk automounter
Setting up a ppp dialup server
Setting up a pap authentication on ppp
Installing SuSE 7.0 Linux on a Toshiba Portege 3015CT Laptop and Setting up NFS server
Installing a FAX server
Setting up a Bind 9 DNS Name Server
Installing anomy email virus filter and interfacing with f-prot or clamav antivirus scanner
Installing LaTeX fonts for TeTeX
Installing and maintaining INN news server
Monitoring network utilization with NetFlow and cflowd
Creating audio CDs
Creating data CDs
Installing Samba, dhcpd, crack, and Nessus
Windows problems
Browsing Across Subnets in Samba
Server not visible in Network Neighborhood browsing
Windows authentication problems
Common Samba commands
Common Windows problems
Installation of Squirrelmail Web Email Interface
Installing SSL and Apache HTTPD with PHP4 support in Linux
Enabling server-side includes (SSIs) in Apache
Upgrading NFS server (nfs-utils)
Writing CGI scripts
Software Installation Procedure for Fuji LAS-1000 Plus Gel Documentation System
Setting up a VPN (Virtual Private Network) with FreeS/WAN and SSH Sentinel
Miscellaneous problems
Printing to lprng from Windows Samba clients
NFS mount hanging
Open Office crashes on startup
Date is wrong after reboot
External USB and Firewire Hard Drives
Changing disks or adding larger disk to Maxtor External USB Drive
Installing Spam Assassin
Installing sendmail
Setting up USB printer
Lexmark E323n printer TCP/IP problems
Installing OpenSSH and OpenSSL
Stopping Mozilla's drop-down "Search Netscape Search" menu
Installing libmilter, MIMEDefang and clamav antivirus sendmail virus scanners
"lpc: connect: No such file or directory couldn't start daemon" error in lpd
Installation of SuSE Linux 9.0
Spam assassin
Printing problems
Fixing sendmail
Fixing netatalk
Fixing inn news server
Fixing apache
Problems with freetype
Problems with autoconf
Problems reading SuSE's CD
Other problems
Setting up DNS in Small Subnets
Installing Perl Modules
Comparison of Linux graph plotting software
Installing SuSE 9.0 Linux on a Toshiba Portege 3015CT Laptop
Installing "Links" browser
Fixes for bugs in midnight commander
Plotting Bar Graphs in Xmgrace
Installing and Programming RocketPort Universal PCI Serial Controller
Using Nikon Coolpix USB Camera in Linux
Customizing nedit
Installing freetype, libXft, and libXrender
Installing a Virtual Private Network with OpenVPN
User Instructions for Connecting to a VPN with OpenVPN
Inexpensive Incubator Alarm System using Linux
Inexpensive Freezer Alarm System using Linux
Password Protecting Directories and Files in Apache
Installation of Hauppauge WinTV-PVR 350
Creating high-quality PDF files from LaTeX documents
Tests on WinRadio software
Sending audio over a network
Tracking Radio Frequency Interference
Linux Power Line Monitor - APC UPS Uninterruptible Power Supply
Installing htdig
Installing BlockHosts
Problems with SuSE 10.0
Converting from inetd to xinetd
ftpd and telnetd not starting
Skencil font problem
yacc problem
Can't set time and date
Acroread crashes on startup
Keyboard is slow
Setting up Sound Blaster Live! 24-bit model SB0410 sound card
Reverse ftp using netcat and wget
DSL vs. Cable Modem: A Real-World Comparison
Firefox and Mozilla problems
Changing daylight savings time in Linux
Installing and using R statistical package in Suse Linux
Configuring A Widescreen Monitor in Suse Linux
Creating Buttons in HTML
Setting up DKIM with Sendmail
Review of Netgear ReadyNAS Duo in Linux
Converting LaTeX documents to MS Word
Creating Animated Molecule Movies in Chimera
Opensuse 11.0 - First Impressions
Configuring a Cisco 2821 Router for a T1
LaTeX tips
OS X Users Losing Mail in Squirrelmail
How to upload a file using Apache and PHP
Windows file sharing over NFS
Eliminating Spam With Spam Assassin's Learning Function
Wireless Data Link From Beckman LS-6500 Scintillation Counter
Configuring an HP ProCurve Network Switch
Windows users unable to print in Samba: Invalid handle
Inkscape problems, annoyances and tricks


Sendmail RunAsUser: unknown user smmsp

SkyHi @ Thursday, December 10, 2009
--------------------- sendmail Begin ------------------------


System Error Messages:
/etc/mail/ line 432: readcf: option RunAsUser: unknown user smmsp: 1 Time(s)
/etc/mail/ line 451: readcf: option TrustedUser: unknown user smmsp: 1 Time(s)



Set the correct permissions and ownerships:

mkdir /var/spool/clientmqueue
chown smmsp:smmsp /var/spool/clientmqueue
chmod 770 /var/spool/clientmqueue
chmod 700 /var/spool/mqueue
chown root.root /var/spool/mqueue
chmod 777 /var/spool/mail
chown root.root /var/spool/mail
chmod 4555 /usr/sbin/sendmail
chown root.smmsp /usr/sbin/sendmail

NOTE: /var/spool/mail must be world read/write, otherwise clients can't open their inbox. The permissions for individual mailboxes for each user should be 600:

-rw------- 1 daboss users 20219537754 2006-03-31 10:15 daboss

Check to make sure of the following:

-r-sr-xr-x root smmsp /usr/sbin/sendmail
drwxrwx--- smmsp smmsp /var/spool/clientmqueue
drwx------ root root /var/spool/mqueue
-r--r--r-- root bin /etc/mail/
-r--r--r-- root bin /etc/mail/

Installing sendmail with aliases and procmail support

SkyHi @ Thursday, December 10, 2009
This page describes how to compile and install sendmail with email aliases and procmail support. Email aliases let you create mailing lists and give alternate names or addresses for users. Procmail is a tool for filtering email to remove spam, sort mail, etc. The procedure for configuring procmail is described here and here.
If you are running a version of sendmail earlier than 8.13.6, you need to upgrade because of a serious security problem. As of version 8.12, you must also create a new user smmsp and change the permissions of various files as described in the file sendmail/SECURITY.


  1. Back up the following files:
  2. Create a user and group called `smmsp':
    useradd smmsp
    groupadd smmsp
    This step is essential, as sendmail will not start up unless it has its own userid.
    The entries in /etc/passwd and /etc/group should look something like this:
    cat /etc/passwd | grep smmsp
    cat /etc/group | grep ^smmsp

Install libdb

If you don't care about email aliases, skip this step. Otherwise, if you don't have libdb on your system ('locate libdb'), get it from and install it. For Unix/Posix systems:
cd db-4.2.52/build_unix
make install
Make a note of where the libraries were installed (e.g., /usr/local/BerkeleyDB.4.2/lib).

After installing, it may be necessary to perform these three extra steps (as root), depending on whether an old version of libdb is already present.
  1. First, copy db.h to /usr/include. This is essential, as the db.h must match the library. If it doesn't, sendmail won't compile.
    cd db-4.2.52
    cp build_unix/db.h /usr/include/ 

  2. Second, get rid of the old libdb libraries.
    cd /usr/lib
    mkdir libdb-old
    mv libdb* libdb-old

  3. Third, add the new libdb path (/usr/local/BerkeleyDB.4.2/lib) to /etc/ and reconfigure the run-time linker.
    vi /etc/

Compile and install sendmail

Compile sendmail. In some Linux distributions, you will need to have the kernel source code installed before sendmail will compile. However, this can sometimes be avoided by creating an empty version.h file.
touch /usr/include/linux/version.h
tar -xzvf sendmail.8.11.6.tar.gz
cd send*
  1. First, edit the config files if you plan to use procmail.
    cd cf/cf
    Edit and add
    at the end. Add any other commands as needed.
  2. Create and install new config files using the following command:
    sh Build  
    sh Build  
    make install-cf
    In earlier versions, the file was not copied automatically if an old version of the file already existed. If you try to use an old version of, when you start sendmail it will say:
    NOQUEUE: SYSERR(root): can not chdir(/var/spool/clientmqueue/):
    Permission denied
    This error can also occur if sendmail is running as the wrong user or group.

    Alternatively, install the config files manually.
    cd cf/cf
    cp /etc/mail/
    cp /etc/mail/
  3. Create a devtools/Site/site.config.m4 file containing the paths for libdb. Change the paths to indicate wherever the libdb libraries and include files are located.
    APPENDDEF(`confINCDIRS', `-I/usr/include/db2')
    APPENDDEF(`confLIBDIRS', `-L/usr/lib')
    APPENDDEF(`confLIBS', `-ldb') 
    The exact syntax will vary depending on your system. On one of our computers, where we installed a new libdb, the file contained the following four lines:
    APPENDDEF(`confLIBS', `-lssl -lcrypto -ldb')
    APPENDDEF(`confLIBDIRS', `-L/usr/local/ssl/lib -L/usr/local/ssl/lib
              -L/usr/local/BerkeleyDB.4.2/lib -L/usr/lib')
    APPENDDEF(`confINCDIRS', `-I/usr/local/ssl/include -I/usr/include')
    APPENDDEF(`confMAPDEF', `-DNEWDB')dnl 
    Sometimes compilation fails with undefined references to `pthread_mutex_trylock' and other pthread functions. If this happens, change the confLIBS line to
    APPENDDEF(`confLIBS', `-ldb -lpthread') 

    NOTE: If you use the site.config.m4.example file that is included with sendmail, be sure to comment out items you don't want, or sendmail will probably not compile.

  4. Compile sendmail
    sh Build 
    If you change any configuration files and need to compile a second time, use the -c option.
    sh Build -c 
    The -c option rebuilds all the files to include your changes. It should automatically add the correct options to the commands, for example:
    cc -O2 -I. -I../../sendmail   -I../../include  \
         -I/usr/include/db2 -DNEWDB -DNEWDB -DNOT_SENDMAIL     \
         -c -o vacation.o vacation.c 

    IMPORTANT: It's necessary to watch the screen continuously while sendmail is building, because the build script does not stop if there's an error.

    If your Linux system is really old, you will get error messages like
    map.c:2084: `DB_FCNTL_LOCKING' undeclared (first use in this function)
    This means you need to install a newer copy of the Berkeley DB libraries from
  5. Check to make sure it created an executable sendmail in the directory obj.Linux.#.#.##.i686/sendmail. If it bombs out, edit the file include/libsmdb/smdb.h, removing the lines
    # ifndef NDBM
    # ifndef NEWDB
    ERROR   NDBM or NEWDB must be defined.
    #  endif /* ! NEWDB */
    # endif /* ! NDBM */ 
    and type sh Build -c again.
  6. Install the new sendmail
    sh Build install     
    Scroll back through the output and make sure there were no errors. If it says:
    install: invalid group `smmsp'
    make[1]: *** [install-sendmail] Error 1
    you must fix the groups and repeat.
  7. Set the correct permissions and ownerships:
    mkdir /var/spool/clientmqueue
    chown smmsp:smmsp /var/spool/clientmqueue
    chmod 770 /var/spool/clientmqueue
    chmod 700 /var/spool/mqueue
    chown root.root /var/spool/mqueue
    chmod 777       /var/spool/mail
    chown root.root /var/spool/mail
    chmod 4555       /usr/sbin/sendmail
    chown root.smmsp /usr/sbin/sendmail
    NOTE: /var/spool/mail must be world read/write, otherwise clients can't open their inbox. The permissions for individual mailboxes for each user should be 600:
    -rw-------    1 daboss users     20219537754 2006-03-31 10:15 daboss

    Check to make sure of the following:
    -r-sr-xr-x   root    smmsp  /usr/sbin/sendmail
    drwxrwx---   smmsp   smmsp  /var/spool/clientmqueue
    drwx------   root    root   /var/spool/mqueue
    -r--r--r--   root    bin    /etc/mail/
    -r--r--r--   root    bin    /etc/mail/

  8. Add a local-host-names file.
    cp /etc/ /etc/mail/local-host-names
    If local-host-names doesn't exist, create one. It should contain a single line: 
    If the server has more than one name, add them to this file, one per line.
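An added check, not part of sendmail or of the original page, for the two things the errors on this page turn on: that the smmsp user and group exist, and that the three spool and binary entries whose full paths are listed in step 7 carry the listed mode, owner and group. It also flags a setuid binary that is writable by group or others, whatever a checklist says.

```perl
#!/usr/bin/perl
# Added example, not part of sendmail: verifies the smmsp account and the
# ownership/permission checklist from step 7 above.
use strict;
use warnings;

# Expected entries, copied from the checklist above.
my @expected = (
    { path => '/usr/sbin/sendmail',      mode => 04555, owner => 'root',  group => 'smmsp' },
    { path => '/var/spool/clientmqueue', mode => 0770,  owner => 'smmsp', group => 'smmsp' },
    { path => '/var/spool/mqueue',       mode => 0700,  owner => 'root',  group => 'root'  },
);

# readcf reports "unknown user smmsp" when the user or the group is missing,
# so check both before looking at the file system.
sub account_problems {
    my @p;
    push @p, 'user smmsp missing from /etc/passwd' unless defined getpwnam('smmsp');
    push @p, 'group smmsp missing from /etc/group' unless defined getgrnam('smmsp');
    return @p;
}

sub name_of_uid { my $n = getpwuid($_[0]); defined $n ? $n : $_[0] }
sub name_of_gid { my $n = getgrgid($_[0]); defined $n ? $n : $_[0] }

# Return a one-line description of what is wrong with an entry, or nothing.
sub check_entry {
    my ($e) = @_;
    my @st = lstat $e->{path};
    return "$e->{path}: missing ($!)" unless @st;
    return "$e->{path}: is a symlink, expected a real file or directory" if -l _;
    my $mode  = $st[2] & 07777;        # permission bits incl. setuid/setgid/sticky
    my $owner = name_of_uid($st[4]);
    my $group = name_of_gid($st[5]);
    my @bad;
    push @bad, sprintf('mode %04o (want %04o)', $mode, $e->{mode}) if $mode != $e->{mode};
    push @bad, "owner $owner (want $e->{owner})" if $owner ne $e->{owner};
    push @bad, "group $group (want $e->{group})" if $group ne $e->{group};
    # A setuid binary must never be writable by group or others.
    push @bad, 'setuid binary is group/world writable' if ($mode & 04000) && ($mode & 022);
    return @bad ? "$e->{path}: " . join('; ', @bad) : ();
}

my @problems = (account_problems(), map { check_entry($_) } @expected);
if (@problems) {
    print "$_\n" for @problems;
    exit 1;
}
print "smmsp account and sendmail spool permissions look as expected\n";
```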

Testing sendmail

  1. First, as root, test it to make sure the 'newaliases' command works. If it says
    Cannot rebuild aliases: no database format defined
    Cannot create database for alias file /etc/mail/aliases 
    It means sendmail couldn't find the libdb files. Check that db.h is in /usr/include, that the new libraries are in their correct location, the old ones have been removed, and that /etc/ has a line indicating the path to the new libraries.
  2. Restart inetd to make sure imap and pop3 aren't crashing.
  3. Make sure sendmail is running. Unlike earlier versions, it sometimes now has two or more entries:
    ps -aux | grep mail
    root   Mar30   0:01 sendmail: accepting connections                 
    smmsp  Mar30   0:00 sendmail: Queue control                         
    smmsp  Mar30   0:01 sendmail: running queue: /var/spool/clientmqueue
  4. Test to make sure users can send and receive mail in all of the following:
    1. smtp client (e.g. pine)
    2. http (e.g. squirrelmail via browser)
    3. pop3 client (e.g. windows)
    4. imap4 client (e.g. windows)
    Also, check the system logs to make sure there are no weird error messages.
  5. If you like pain and you want to change, the easiest way is to edit and then create it using
    m4 /etc/mail/ > /etc/mail/
  6. You may wish to test to ensure that your sendmail installation is not acting as an open mail relay by typing the command: telnet There is also a web service at You can download software to test it yourself from To be valid, the testing must be done using an account on a machine in some other domain (such as a temporary email account on

    However, testing this way is risky. If the testing software discovers that you're an open relay, your hostname or even your entire domain may end up in their public blacklist, thereby blocking valid email sent by your users. Last time I checked, the testing site does this. We have found these blacklists are so inaccurate that we had to disable the blacklist check in spamassassin to avoid losing incoming mail. Thus, remote testing may do more harm than good.

Error messages

Problem: SMTP greeting failure: 421 SMTP connection went away!
Solution: Ownership or permissions of sendmail binary are wrong. Set it to 4555. Or, sendmail is not running.

Problem: pthreads errors when building sendmail
/usr/local/BerkeleyDB.4.2/lib/ undefined reference to `pthread_condattr_setpshared'
/usr/local/BerkeleyDB.4.2/lib/ undefined reference to `pthread_mutexattr_destroy'
/usr/local/BerkeleyDB.4.2/lib/ undefined reference to `pthread_mutexattr_setpshared'
/usr/local/BerkeleyDB.4.2/lib/ undefined reference to `pthread_mutexattr_init'
/usr/local/BerkeleyDB.4.2/lib/ undefined reference to `pthread_mutex_trylock'

Solution: Add the pthread library to the confLIBS line in the file devtools/Site/site.config.m4:
APPENDDEF(`confLIBS', `-ldb -lpthread')
and rebuild with sh Build -c.

Problem: Sendmail won't start
Initializing SMTP port (sendmail)/etc/mail/ 
    line 430: readcf: option RunAsUser: unknown user smmsp: 
    No such file or directory 

Solution: Create user smmsp and group smmsp and rebuild sendmail.

newaliases says:
Cannot rebuild aliases: no database format defined
Cannot create database for alias file /etc/mail/aliases

Solution: This means sendmail couldn't find libdb. Compile and install libdb as described above, and rebuild sendmail.

Unable to receive mail Solution: If using Suse Linux (or possibly other distributions), check /etc/sysconfig/mail and make sure it contains the line
See also Pine email problems.

Tweaking sendmail configuration

  1. Changing hostname: Some computers are on two different domains. To get sendmail to use the second domain in its headers instead of your FQDN, add the following to and
    It may also be necessary to change the settings in your email client. For example, in pine, if you have the line:
    customized-hdrs = Reply-To:
    change it to
  2. Slowing down dictionary attacks and distributed denial of service (DDoS) attacks: (this information is from
    Add the following to
    # block dos attacks
    # no of seconds  connection rate
    FEATURE(`ratecontrol', ,`terminate')dnl
    # no of connections simultaneously
    define(`confCONNECTION_RATE_THROTTLE', `8')dnl
    FEATURE(`conncontrol', ,`terminate')dnl
    FEATURE(`greet_pause', `5000')dnl
    # stop dictionary attacks
    define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
  3. Stopping server from sending receipts: Some people try to check up on you by requesting a receipt when the email is delivered. Spammers may also use this to validate your users' email addresses.
    # no receipts on delivery
    define(`confPRIVACY_FLAGS', `noreceipts')dnl
    Check your email client; some clients send receipts as well.
After changing the .mc files, run sh Build, sh Build, su, make install-cf as before and restart sendmail.


Logwatch cron ORPHAN (no passwd entry)

SkyHi @ Thursday, December 10, 2009
Error in Logwatch:

**Unmatched Entries**
ORPHAN (no passwd entry)
ORPHAN (no passwd entry)
ORPHAN (no passwd entry)
ORPHAN (no passwd entry)

---------------------- Cron End -------------------------


Dec 9 10:58:00 webserver crond[1120]: (tmp.1136) ORPHAN (no passwd entry)
Dec 9 10:58:00 webserver crond[1120]: (root) RELOAD (cron/root)
Dec 9 10:58:00 webserver crond[1120]: (tmp.8970) ORPHAN (no passwd entry)
Dec 9 10:58:00 webserver crond[1120]: (tmp.12560) ORPHAN (no passwd entry)
Dec 9 10:58:00 webserver crond[1120]: (tmp.3833) ORPHAN (no passwd entry)

[root@webserver ]# ll /var/spool/cron/
total 12
drwx------ 2 root root 4096 Dec 9 10:57 .
drwxr-xr-x 12 root root 4096 Jun 28 2004 ..
-rw------- 1 root root 679 Dec 9 10:57 root
-rw-r--r-- 1 root root 0 Nov 22 2006 tmp.1136
-rw-r--r-- 1 root root 0 Oct 16 2007 tmp.12560
-rw-r--r-- 1 root root 0 Apr 14 2008 tmp.3833
-rw-r--r-- 1 root root 0 Jan 26 2007 tmp.8970


on redhat boxes crons could run from a few spots:


Found them here:


I've removed and will see the result in the AM.

Thx much.

JayBaen, 03-06-2005, 06:42 PM:
Alrighty ... that worked to solve that part of the equation, however, I'm now getting a few more of these than I'd like daily:


ORPHAN (no passwd entry)

In the logwatch.

I've read that this is usually due to something trying to run a cron job against a non-existent user account. I've checked what I can and don't see any rogue cron jobs left. Any thoughts on where to hunt?
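Added example, not from the thread above: a script that lists the files in /var/spool/cron whose name has no passwd entry, which is exactly the condition crond logs as ORPHAN, and can park them in a quarantine directory rather than deleting them. The quarantine path is an assumed location.

```perl
#!/usr/bin/perl
# Added example, not from the thread above. Lists crontab files whose name is
# not a login name (what crond reports as "ORPHAN (no passwd entry)") and,
# with --move, parks them in a quarantine directory instead of deleting them.
use strict;
use warnings;
use File::Copy qw(move);
use POSIX qw(strftime);

my $spool      = '/var/spool/cron';      # Red Hat per-user crontab spool, as in the listing above
my $quarantine = '/root/cron-orphans';   # assumed location, pick your own
my $move       = grep { $_ eq '--move' } @ARGV;

# Return the entries in $dir that have no passwd entry. crond names each
# crontab after its user, so the file name is the only thing to look up.
sub orphan_crontabs {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "cannot read $dir: $!\n";
    my @orphans;
    for my $name (sort readdir $dh) {
        next if $name eq '.' || $name eq '..';
        next unless -f "$dir/$name";
        push @orphans, $name unless defined getpwnam($name);
    }
    closedir $dh;
    return @orphans;
}

my @orphans = orphan_crontabs($spool);
if (!@orphans) {
    print "no orphan crontabs in $spool\n";
    exit 0;
}

for my $name (@orphans) {
    my $path = "$spool/$name";
    my @st   = stat $path or next;
    my $when = strftime('%Y-%m-%d %H:%M', localtime $st[9]);
    # An empty file (like the tmp.* leftovers in the listing above) carries no
    # job; a non-empty one may still hold commands that ran as a now-deleted
    # user, so read it before it goes away.
    printf "%-20s %8d bytes  modified %s  %s\n", $name, $st[7], $when,
        $st[7] == 0 ? '(empty)' : '(has content, review it)';
    if ($move) {
        mkdir $quarantine, 0700 unless -d $quarantine;
        move($path, "$quarantine/$name") or warn "could not move $path: $!\n";
    }
}
```

Run it without arguments first to see the list; crond picks up the change in the spool directory on its own once the files have been moved.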


Wednesday, December 9, 2009

Linux change date and hardware clock

SkyHi @ Wednesday, December 09, 2009
[root@home ~]# date 010817092010
Fri Jan 8 17:09:00 PST 2010

[root@home ~]# date
Fri Jan 8 17:09:02 PST 2010

[root@mustang ~]# hwclock --help
hwclock - query and set the hardware clock (RTC)

Usage: hwclock [function] [options...]

--help show this help
--show read hardware clock and print result
--set set the rtc to the time given with --date
--hctosys set the system time from the hardware clock
--systohc set the hardware clock to the current system time
--adjust adjust the rtc to account for systematic drift since
the clock was last set or adjusted
--getepoch print out the kernel's hardware clock epoch value
--setepoch set the kernel's hardware clock epoch value to the
value given with --epoch
--version print out the version of hwclock to stdout

--utc the hardware clock is kept in coordinated universal time
--localtime the hardware clock is kept in local time
--directisa access the ISA bus directly instead of /dev/rtc
--badyear ignore rtc's year because the bios is broken
--date specifies the time to which to set the hardware clock
--epoch=year specifies the year which is the beginning of the
hardware clock's epoch value
--noadjfile do not access /etc/adjtime. Requires the use of
either --utc or --localtime

[root@home ~]# hwclock --show
Wed 09 Dec 2009 05:13:18 PM PST -0.887453 seconds

# write the current system time to the hardware clock (hwclock -w is the same as --systohc)
[root@home ~]# hwclock -w

Backup and restore a single MySQL table

SkyHi @ Wednesday, December 09, 2009


Dump a single table to a SQL file:

mysqldump -uuser -ppassword dbName tableName > backup.sql

If you want to get or restore a single table from a large MySQL dump file you can use the following methods:
Using AWK
Using Ruby
Using Perl:

#!/usr/bin/perl -wn
# Extract one table's CREATE TABLE statement and the rows that follow it
# from a mysqldump file. Usage: perl extract-table.pl TABLE DUMPFILE > TABLE.sql
# The -n switch wraps the body below in a while (<>) loop over the dump file.
BEGIN {
  $table = shift @ARGV;   # first argument is the table name; the rest is the dump file
  $printing = 0;
  # mysqldump quotes identifiers with backticks, so allow an optional backtick
  $re = qr/^create table `?\Q$table\E`?(?=[\s(])/i;
}
$printing = 1 if $_ =~ $re;                           # start at our table's CREATE TABLE
exit if $printing && /^create table/i && $_ !~ $re;   # stop at the next table's CREATE TABLE
print if $printing;


Save the script (the file name extract-table.pl below is just an example) and run it with the table name and the dump file as arguments:

perl extract-table.pl tablename dumpfile.sql > tablename.sql
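An added example (my own, not from the original post) of the same extraction done with awk from a shell function. It keys on the "-- Table structure for table `X`" comment that mysqldump writes before each table, so the output also carries the DROP TABLE IF EXISTS line and the LOCK TABLES / INSERT / UNLOCK TABLES block that a script starting at CREATE TABLE leaves out. The dump it runs on is a constructed sample shaped like real mysqldump output; extract_table and write_sample_dump are names I chose.

```shell
#!/bin/sh
# Added example, not from the original post. Extract one table from a
# mysqldump file with awk, keyed on the "-- Table structure for table `X`"
# comment that mysqldump writes before every table. Starting at that comment
# (rather than at CREATE TABLE) also captures the DROP TABLE IF EXISTS line
# and the data block (LOCK TABLES / INSERT / UNLOCK TABLES) that follow.

# Usage: extract_table TABLE DUMPFILE   (prints that table's section)
extract_table() {
    awk -v tbl="$1" '
        /^-- Table structure for table `/ {
            name = $0
            sub(/^-- Table structure for table `/, "", name)
            sub(/`.*$/, "", name)
            printing = (name == tbl)   # output is on only inside our table
        }
        printing { print }
    ' "$2"
}

# Write a small constructed dump (shaped like real mysqldump output) to file $1.
write_sample_dump() {
    cat > "$1" <<'EOF'
-- MySQL dump (constructed sample)

--
-- Table structure for table `users`
--

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `name` varchar(64) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;

--
-- Dumping data for table `users`
--

LOCK TABLES `users` WRITE;
INSERT INTO `users` VALUES (1,'alice'),(2,'bob');
UNLOCK TABLES;

--
-- Table structure for table `orders`
--

DROP TABLE IF EXISTS `orders`;
CREATE TABLE `orders` (
  `id` int(11) NOT NULL
) ENGINE=InnoDB;
EOF
}

dump=$(mktemp)
write_sample_dump "$dump"
extract_table users "$dump"      # the users section only, DROP TABLE through UNLOCK TABLES
rm -f "$dump"
```

Because the match is on the table name between the backticks, "users" never picks up "users_archive", and a name that is not in the dump yields empty output rather than the whole file.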

Secure existing ProFTPd server installation

SkyHi @ Wednesday, December 09, 2009


ProFTPd is a high-performance, extremely configurable and, most of all, secure FTP server written for Unix and Unix-like operating systems. The FTP daemon has an Apache-like configuration syntax and supports virtual servers: parallel FTP environments that are physically located on the same system but answer on different IP addresses or ports.

ProFTPD generally uses a single configuration file, found at /etc/proftpd.conf or at /etc/proftpd/proftpd.conf. This small cheat sheet describes the directives in that config file that help to harden a currently running ProFTPd instance.

To quickly secure a ProFTPd server, open the config file and make the following changes:

ServerType standalone
ServerName "SysAdmin.MD secured FTP server"
ServerIdent on "FTP server"
DeferWelcome on

UseIPv6 off
IdentLookups off

MaxInstances 30
# MaxClients takes an optional message; %m expands to the configured limit
MaxClients 10 "Maximum number of allowed users are already connected (%m)"
MaxLoginAttempts 10

DefaultRoot ~
AllowFilter "^[a-zA-Z0-9 ,]*$"

Below is a short explanation for each directive:

ServerType: sets the mode ProFTPd runs in. In standalone mode, each new connection to the server results in a child process spawned for that client.

ServerIdent: sets the identification message displayed when a new client connects. You can check this message by connecting with telnet to the FTP port. Example:

srv:~# telnet 21
Trying
Connected to
Escape character is '^]'.
220 FTP server

DeferWelcome: enabling this directive makes the initial welcome message exceedingly generic, so that it gives away no information about the host.

UseIPv6: set to off to disable IPv6 protocol support, which is only a nuisance on IPv4-only boxes.

IdentLookups: tells ProFTPd not to attempt to identify the remote username when a client initially connects to the server.

MaxInstances: configures the maximum number of child processes that may be spawned by a parent proftpd process in standalone mode. This directive is used to prevent denial-of-service attacks.

MaxClients: configures the maximum number of authenticated clients that may be logged into a server. Once this limit is reached, additional clients attempting to authenticate are disconnected with the message:
Maximum number of allowed users are already connected.

DefaultRoot: controls the default root directory assigned to a user upon login.
The ~ symbol means that each client is chroot-jailed into its own home directory.

AllowFilter: controls what characters may be sent in a command to ProFTPD, to prevent some possible types of attacks against the FTP daemon.
The expression "^[a-zA-Z0-9 ,]*$" tells the daemon to accept only commands containing alphanumeric characters, spaces and commas.
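As an added example, not part of the original cheat sheet: a shell helper that evaluates FTP command arguments against the AllowFilter expression above. ProFTPD applies AllowFilter to the argument of each command (the path given to CWD, RETR, STOR and so on), so a filter this strict also refuses ordinary file and directory names containing a dot, slash or underscore, which is worth knowing before copying the expression as-is. The sample arguments are constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet. Evaluate FTP command
# arguments against the AllowFilter expression from the config above.
# ProFTPD applies AllowFilter to the argument of each command (the file or
# directory name in CWD, RETR, STOR, ...), so a filter this strict also
# refuses legitimate names containing ".", "/" or "_".

ALLOW_FILTER='^[a-zA-Z0-9 ,]*$'

# Return 0 if argument $1 passes the filter, 1 otherwise.
allowfilter_accepts() {
    printf '%s\n' "$1" | grep -Eq "$ALLOW_FILTER"
}

# Print "ACCEPT <arg>" or "REJECT <arg>" for each argument given.
allowfilter_report() {
    for arg in "$@"; do
        if allowfilter_accepts "$arg"; then
            printf 'ACCEPT %s\n' "$arg"
        else
            printf 'REJECT %s\n' "$arg"
        fi
    done
}

# Constructed sample arguments: the last three are ordinary FTP usage that
# this filter blocks, which is why the expression needs tailoring per site.
allowfilter_report 'pub' 'incoming' 'file.txt' '/pub/incoming' 'my_report.pdf'
```

A workable compromise is to add the characters your users legitimately need (for example "." "_" "/" "-") to the bracket expression while still excluding control characters and shell metacharacters, then re-run the report against a list of real paths from the server before deploying.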


Secure existing OpenSSH installation

SkyHi @ Wednesday, December 09, 2009
Secure OpenSSH
Though OpenSSH provides secure solutions to several connectivity quandaries, poor configuration and management of this daemon can still lead to security compromises. Also, do not forget that OpenSSH itself could contain bugs that could be exploited if the default config file is used.
These days I got a security advisory that demonstrates the above words: there possibly exists a 0day exploit for the OpenSSH daemon that seems to affect OpenSSH 4.3 on CentOS/RHEL servers.
This post provides you with instructions on how to make your OpenSSH daemon as secure and usable as possible.

To quickly secure OpenSSH daemon, open config file located at /etc/ssh/sshd_config and make the following changes:

Protocol 2

PermitRootLogin without-password
StrictModes yes
Banner /etc/sshd_banner

LoginGraceTime 60
MaxAuthTries 3
MaxStartups 10

PermitEmptyPasswords no
PrintLastLog yes
AllowTcpForwarding no

IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no
Create the SSH banner: open the file /etc/sshd_banner in your favourite text editor and fill it with the following contents:
This is secured SSH service. Your activities are logged and monitored.
Warning: Unauthorized access to this system is strictly prohibited.
Also, to secure access to the OpenSSH daemon it is recommended to disable password authentication and use public/private keys instead.
Below is a description of the directives used to secure OpenSSH:
Protocol: specifies the version of the SSH protocol to use. For security reasons it is strongly recommended to allow only protocol 2, because the old version has several security flaws.
PermitRootLogin: configures the behaviour for the root account to eliminate security risks. The without-password argument allows root login only with public keys; password authentication for root is not allowed.
StrictModes: tells the SSH daemon to check the permissions of the user's home directory and rhosts files before accepting a login. For security reasons it is recommended to enable it, because users sometimes accidentally leave files or directories writable, and script-kiddies may use this to assume the user's identity.
Banner: points the SSH daemon to a file whose contents are displayed before login occurs. This directive is usually used by organizations that require some legal verbiage to be shown when the host is accessed.
LoginGraceTime: tells the SSH daemon to drop connection attempts if a successful login hasn't occurred within the specified number of seconds. I limited it to 60 seconds.
MaxAuthTries: helps to avoid some brute-force attacks against the daemon by limiting failed authentication attempts per connection. With this setting, users who cannot remember their password get 3 attempts.
MaxStartups: enhances security by limiting the number of unauthenticated sessions kept alive at once. This also helps in combating brute-force attacks, because further connection attempts are held off until one of the active sessions authenticates or times out.
PermitEmptyPasswords: allows or disallows empty passwords. It is recommended to disable them, because the use of empty passwords is discouraged for security reasons.
PrintLastLog: lets the user check for suspicious activity by displaying the time of the user's last login at login time.
AllowTcpForwarding: controls tunnelled connections of TCP protocols over SSH (like rsync over SSH). Sometimes tunnelling is a security risk, because it is difficult to detect the behaviour of malicious protocols or applications; tunnels are also commonly used by script-kiddies for crossing firewalls.
IgnoreRhosts: enhances security by ignoring users' legacy .rhosts files. This is a best practice in case rsh/rlogin are enabled or could accidentally become enabled.
IgnoreUserKnownHosts: protects against users setting up host-based authentication through their own known_hosts files. For security purposes, it is often best to set the directive to yes.
HostbasedAuthentication: enables or disables host-based authentication. Most security experts are strongly opposed to any form of host-based authentication and recommend public keys or password authentication as the alternative.
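As an added example (not part of the original post), a shell script that audits an sshd_config against the values above and reports every directive that is missing or set differently. It assumes the plain "Keyword value" layout shown in the post (no Match blocks) and mirrors two sshd rules: keywords are case-insensitive, and the first value read for a keyword wins. The config it checks here is a constructed sample; sshd_get and sshd_audit are names I chose.

```shell
#!/bin/sh
# Added example, not part of the original post. Compare an sshd_config file
# against the hardened values listed above and report each directive that is
# missing or differs. Assumes the plain "Keyword value" layout the post uses
# (no Match blocks). sshd keeps the FIRST value it reads for a keyword and
# treats keywords case-insensitively; both rules are mirrored here.

# Print the first uncommented value of keyword $2 in config file $1.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print "KEY expected=X actual=Y" for every deviation from the baseline;
# return 0 if the file matches everything, 1 otherwise.
# Note: OpenSSH 7.0 and later spell without-password as prohibit-password;
# adjust the baseline line if your sshd is that new.
sshd_audit() {
    cfg="$1"
    status=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(sshd_get "$cfg" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-<unset>}"
            status=1
        fi
    done <<EOF
Protocol=2
PermitRootLogin=without-password
StrictModes=yes
LoginGraceTime=60
MaxAuthTries=3
MaxStartups=10
PermitEmptyPasswords=no
PrintLastLog=yes
AllowTcpForwarding=no
IgnoreRhosts=yes
IgnoreUserKnownHosts=yes
HostbasedAuthentication=no
EOF
    return $status
}

# Demo on a constructed config with two weak settings.
# On a real host run: sshd_audit /etc/ssh/sshd_config
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
StrictModes yes
LoginGraceTime 60
MaxAuthTries 3
MaxStartups 10
PermitEmptyPasswords no
PrintLastLog yes
AllowTcpForwarding yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no
EOF
sshd_audit "$demo" || echo "sshd_config deviates from the hardened baseline"
rm -f "$demo"
```

Run it from cron or a configuration-management check so that a later edit that quietly re-enables root password logins or TCP forwarding shows up as a non-zero exit rather than going unnoticed.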

Opensource scripts to backup mysql databases

SkyHi @ Wednesday, December 09, 2009

Keeping good database backups is crucial, because unpredictable disastrous events always occur. In a web-based business, backup is a critical component.

There are various open-source scripts that can help to organize the database backup process in a customized and easy way, avoiding hand-driven use of mysqldump (the default MySQL backup tool).

This post describes various open-source scripts that can help a newbie sysadmin to organize the MySQL backup process.


Homepage | Downloads


A shell script to take daily, weekly and monthly backups of MySQL databases using mysqldump. Its features include: backing up multiple databases, creating a single backup file or a separate file for each DB, compressing backup files, backing up to a remote server, e-mailing the user when the backup is completed, and others.


Homepage | Download


Backup2Mail is a PHP script that creates regular backups of MySQL databases and sends them to a configurable e-mail address. The whole process can be scheduled with the help of cron (on Unix/Linux) or the Task Scheduler (on Windows).


Homepage | Download


mylvmbackup is a utility for creating MySQL backups via LVM snapshots. To do this, mylvmbackup obtains a read lock on all tables, flushes all server caches to disk, creates a snapshot of the volume containing the MySQL data directory and unlocks the tables again. The LVM snapshot is mounted on a temporary directory and all data is backed up using tar or rsync. The script requires Perl 5 and the LVM utilities.

MyPHPdumpTool (mpdt)

Homepage | Downloads


MyPHPdumpTool is a PHP (CLI) based MySQL backup tool that can be configured to automatically archive and upload any database dump file to any FTP server. The backup process can be scheduled with the help of cron (on Unix/Linux) or the Task Scheduler (on Windows).

mysqlblasy (MySQL backup for lazy sysadmins)

Homepage | Download


mysqlblasy is a Perl script for automating MySQL database backups. The main feature of this script is automatic backup rotation, to avoid the backup disk filling up when the administrator is on vacation (or is lazy). Each database gets dumped into a separate file, after which all the dumps are tarred/compressed and placed into the specified backup directory. Old files in the backup directory are deleted, keeping only the number of newest files specified in the configuration file.


Homepage | Download Page


MySQLDumper is a script for backing up MySQL databases, written in PHP and Perl. It uses a proprietary technique to avoid interruption of execution: it reads and saves a certain number of commands, then calls itself via JavaScript, remembering how far in the process it was, and finally resumes its work from the last standby point.


Homepage | Download Page


phpMyBackup Pro is a very easy to use, free, web-based MySQL backup script licensed under the GNU GPL. The script allows a lot of operations, such as: backup of one or several databases with or without data or table structure; backup directly onto an FTP server and sending of backups by email; managing, restoring and scheduling backups; and others. phpMyBackup Pro is platform independent: it requires only a web server and PHP.

Sypex Dumper Lite

Homepage | Download Page


Sypex Dumper Lite, developed by a Ukrainian company, is a PHP script for quick and easy MySQL database backup. The script is fast with databases of any size (small or large) because it uses a special dumping technique: the backup file is not held entirely in memory.

Zmanda Recovery Manager for MySQL (Community Edition)

Homepage | Download Page

Zmanda Recovery Manager (ZRM) for MySQL simplifies the life of a Database Administrator who needs an easy-to-use yet flexible and robust backup and recovery solution for MySQL server. The Community Edition is free and has a lot of features in a single utility: different types of backup (logical, incremental, lvm), backup rotation, schedule, remote server transfer, alerts. Also, it has additional features like: publish report to web site, RSS feed, point-in-time restore.


Secure Communications with OpenVPN on CentOS 5

SkyHi @ Wednesday, December 09, 2009
OpenVPN, or Open Virtual Private Network, is a tool for creating networking "tunnels" between and among groups of computers that are not on the same local network. This is useful if you have services on a local network and need to access them remotely but don't want these services to be publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
For many private networking tasks, we urge users to consider the many capabilities of the OpenSSH package which can provide easier VPN and VPN-like services. OpenSSH is also installed and configured by default on all Linodes. Nevertheless, if your deployment requires a more traditional VPN solution like OpenVPN, this document covers the installation and configuration of the OpenVPN software.
Before installing OpenVPN, we assume that you have followed our getting started guide. If you're new to Linux server administration you may be interested in our using Linux document series including the beginner's guide and administration basics guide. If you're concerned about securing and "hardening" the system on your Linode, you might be interested in our security basics article as well.
These instructions work with the Linode platform. If you don't have a Linode yet, sign up for a Linux VPS and get started today.

Installing OpenVPN

The packages required to install OpenVPN and its dependencies are not available in the standard CentOS repositories. As a result, in order to install OpenVPN, we must enable the EPEL repository. EPEL, or "Extra Packages for Enterprise Linux," is a product of the Fedora Project that attempts to provide enterprise-grade software that is more current than what is typically available in the CentOS repositories. Enable EPEL with the following command:
rpm -Uvh
Make sure your package repositories and installed programs are up to date by issuing the following command:
yum update
Now we can begin installing the OpenVPN software with the following command:
yum install openvpn
The OpenVPN package provides a set of encryption-related tools called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory. Copy these files with the following command:
cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/2.0/, and much of our configuration will be located in this directory.

Configure Public Key Infrastructure Variables

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use to generate the scripts. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values:
File: /etc/openvpn/easy-rsa/2.0/vars :
export KEY_CITY="Oxford"
export KEY_ORG="Ducklington"
export KEY_EMAIL=""
Alter the examples to reflect your configuration. This information will be included in certificates you create and it is important that the information be accurate, particularly the KEY_ORG and KEY_EMAIL values.

Initialize the Public Key Infrastructure (PKI)

Issue the following three commands in sequence to initialize the certificate authority and the public key infrastructure:
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca
These scripts will prompt you to enter a number of values. By configuring the vars you can be sure that your PKI is configured properly. If you set the correct values in vars, you will be able to press return at each prompt.

Generate Certificates and Private Keys

With the certificate authority generated you can generate the private key for the server. To accomplish this, issue the following command:
. /etc/openvpn/easy-rsa/2.0/build-key-server server
This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. The challenge password and company names are optional and can be left blank. When you've completed the question section you can confirm the signing of the certificate and the "certificate requests certified" by answering "yes" to these questions.
With the private keys generated, we can create certificates for all of the VPN clients. Issue the following command:
. /etc/openvpn/easy-rsa/2.0/build-key client1
Replace the client1 parameter with a relevant identifier for each client. You will want to generate a unique key for every user of the VPN. Each key should have its own unique identifier. All other information can remain the same. If you need to add users to your OpenVPN at any time, repeat this step to create additional keys.

Generate Diffie Hellman Parameters

The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:
. /etc/openvpn/easy-rsa/2.0/build-dh
This should produce the following output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
This will be followed by a quantity of seemingly random output. The task has succeeded.

Relocate Secure Keys

The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys that you have generated using the easy-rsa tools.
In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines. They are:
  • ca.crt
  • client1.crt
  • client1.key
You can use the scp tool, or any other means of transfer. Be advised, these keys should be transferred with the utmost attention to security. Anyone who has the key, or is able to intercept an unencrypted copy of it, will be able to gain full access to your virtual private network.
Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key
Issue the following commands:
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
These files need not leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured. If these files are compromised, they will need to be recreated along with all client keys.
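As an added example (not from the guide), a shell check for the relocated server files: it verifies that ca.key and server.key are readable only by their owner and that every file the server needs is present. It assumes GNU stat (stat -c), as found on CentOS, and runs here against a constructed temporary directory; check_openvpn_pki is my name for it.

```shell
#!/bin/sh
# Added example, not part of the original guide. After copying the server's
# PKI files into /etc/openvpn, check that the two private keys are readable
# by their owner only and that every file the server needs is present.
# Assumes GNU stat (stat -c) as found on CentOS.

PRIVATE_KEYS="ca.key server.key"
PUBLIC_FILES="ca.crt dh1024.pem server.crt"

# Check directory $1; print one line per problem and return 1 if any found.
check_openvpn_pki() {
    dir="$1"
    status=0
    for f in $PRIVATE_KEYS; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"; status=1; continue
        fi
        mode=$(stat -c '%a' "$dir/$f")
        # the last two octal digits are group and other; both must be 0
        case "$mode" in
            *00) ;;
            *) echo "PERMISSIONS $f mode $mode (expected 600)"; status=1 ;;
        esac
    done
    for f in $PUBLIC_FILES; do
        [ -f "$dir/$f" ] || { echo "MISSING $f"; status=1; }
    done
    return $status
}

# Demo on a constructed directory: one key left world-readable, one file absent.
# On the real server run: check_openvpn_pki /etc/openvpn
demo=$(mktemp -d)
for f in ca.crt ca.key server.crt server.key; do : > "$demo/$f"; done
chmod 600 "$demo/ca.key"
chmod 644 "$demo/server.key"        # the mistake the check should catch
check_openvpn_pki "$demo" || echo "fix the problems above before starting openvpn"
rm -rf "$demo"
```

Keep in mind that ca.key only needs to be on the server at all if you sign and revoke client certificates there; the check treats it as required because that is where this guide keeps it.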

Revoking Client Certificates

If you need to remove a user's access to the VPN server, issue the following command sequence.
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1
This will revoke the ability of users who have the client1 certificate to access the VPN. For this reason, keeping track of which users are in possession of which certificates is crucial.

Configuring the Virtual Private Network

We'll now need to configure our server file. There is an example file in /usr/share/doc/openvpn-2.1.1/examples/sample-config-files. Issue the following sequence of commands to retrieve the example configuration files and move them to the required directories:
cp /usr/share/doc/openvpn-2.1.1/sample-config-files/server.conf /etc/openvpn/
cp /usr/share/doc/openvpn-2.1.1/sample-config-files/client.conf ~/
cd ~/
Modify the remote line in your ~/client.conf file to reflect the OpenVPN server's name.
File: ~/client.conf
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.

remote 1194
Edit the client.conf file to reflect the name of your key. In this example we use client1 for the file name.
File: ~/client.conf
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key
Copy the ~/client1.conf file to your client system. You'll need to repeat the entire key generation and distribution process for every user and every key that will connect to your network.

Connect to the OpenVPN

To initialize the OpenVPN server process, run the following command:
/etc/init.d/openvpn start
This will scan the /etc/openvpn directory on the server for files with a .conf extension. For every file that it finds, it will create and run a VPN daemon (server). To enable OpenVPN to start on subsequent boots, issue the following command:
chkconfig openvpn on
The process for connecting to the VPN varies depending on your specific operating system and distribution running on the client machine. You will need to install the OpenVPN package for your operating system if you have not already.
Most network management tools provide some facility for managing connections to a VPN. Configure connections to your OpenVPN through the same interface where you might configure wireless or ethernet connections. If you choose to install and manage OpenVPN manually, you will need to place the client1.conf file and the requisite certificate files in the local machine's /etc/openvpn directory, or equivalent location.
If you use OS X on a Mac, we have found that the Tunnelblick tool provides an easy method for managing OpenVPN connections. If you use Windows, the OpenVPN GUI tool may be an effective tool for managing your connections too. Linux desktop users can install the OpenVPN package and use the network management tools that come with their desktop environment.

Using OpenVPN

Connect Remote Networks Securely With the VPN

Once configured, the OpenVPN server allows you to encrypt traffic between your local computer and your Linode's local network. While all other traffic is handled in the conventional manner, the VPN allows traffic on non-public interfaces to be securely passed through your Linode. This will also allow you to connect to the local area network in your Linode's data center if you are using the LAN to connect to multiple Linodes in the same datacenter. Using OpenVPN in this manner is supported by the default configuration, and if you connect to the OpenVPN you have configured at this point, you will have access to this functionality.

Tunnel All Connections through the VPN

By deploying the following configuration, you will be able to forward all traffic from client machines through your Linode, and encrypt it with transport layer security (TLS/SSL) between the client machine and the Linode. Begin by adding the following parameter to the /etc/openvpn/server.conf file to enable "full tunneling":
File excerpt: /etc/openvpn/server.conf
push "redirect-gateway def1"
Now edit the /etc/sysctl.conf file to modify the following line to ensure that your system is able to forward IPv4 traffic:
File excerpt: /etc/sysctl.conf
net.ipv4.ip_forward = 1
Issue the following command to set this variable for the current session:
echo 1 > /proc/sys/net/ipv4/ip_forward
Issue the following commands to configure iptables to properly forward traffic through the VPN:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that they are recreated after your next reboot:
File excerpt: /etc/rc.local
# [...]

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

touch /var/lock/subsys/local
This will enable all client traffic except DNS queries to be forwarded through the VPN. To forward DNS traffic through the VPN as well, you will need to install the dnsmasq package and modify the /etc/openvpn/server.conf file. Begin by issuing the following commands to install dnsmasq, start the service, and configure it to start on boot:
yum install dnsmasq
/etc/init.d/dnsmasq start
chkconfig dnsmasq on
Add the following directive to the /etc/openvpn/server.conf file:
File excerpt: /etc/openvpn/server.conf
push "dhcp-option DNS"
Finally, before attempting to connect to the VPN in any configuration, restart the OpenVPN server by issuing the following command:
/etc/init.d/openvpn restart
Once these configuration options have been implemented, you can test the VPN connection by connecting to the VPN from your local machine, and access one of the many websites that will display your IP address. If the IP address displayed matches the IP address of your Linode, all network traffic from your local machine will be filtered through your Linode and encrypted over the VPN between your Linode and your local machine. If, however, your apparent public IP address is different from your Linode's IP address, your traffic is not being filtered through your Linode or encrypted by the VPN.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Installing OpenVPN server on CentOS Linux (part3)

The configuration is similar to the process used for Debian, except for the beginning of the installation process.
Since the package is not included in the CentOS repository, you need to enable RPMforge to install OpenVPN.

Run the commands:
wget -ivh
rpm -Uvh rpmforge-release-0.5.1-1.el5.rf.i386.rpm
The repository installs, and you may install OpenVPN by the command
yum -y install openvpn
Copy the files (key utilities) into the openvpn configuration folder:
cp /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/* /etc/openvpn/
Go to the /etc/openvpn/ directory and set the required access privileges for the following files:
cd /etc/openvpn/
chmod +x clean-all build-ca build-key-server build-dh build-key /etc/openvpn/whichopensslcnf
./build-ca
Create the keys (as for the installation on Debian Linux).
Then copy the openvpn configuration file:
cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
Configuration is similar to the process used for Debian; you also provide other settings, for example the NAT configuration.

Configuring a client’s OpenVPN on Windows Vista

We recommend using OpenVPN GUI for Windows as the client software.
Download the openvpn-2.0.9-gui-1.0.3-install.exe file from the official website and install it, leaving its parameters at the defaults.
Once finished, copy the client.ovpn file from
C:\Program Files\OpenVPN\sample-config\ into C:\Program Files\OpenVPN\config\
and paste the certificate files from the server there.
In the client's configuration file client.ovpn change the following line
remote my-server-1 1194
into the one that refers to your server address, for example,
remote 1194
and specify the names of your certificates:
cert client1.crt
key client1.key
If you wish to connect to the Internet through the OpenVPN server, you need to add the following lines to modify the routing:
route-method exe
route-delay 2
Run OpenVPN as administrator: Start -> Programs -> OpenVPN -> double-click OpenVPN GUI and start it as administrator.
Otherwise, the modified parameters will not be applied.
Then double-click OpenVPN GUI and choose Connect.
Congratulations! You have successfully installed the client software.

Installing and configuring a VPN-server with OpenVPN (part1)
Installing OpenVPN on a Debian Linux (part2)