HowTo: Linux Tips and Tricks

This section collects useful Linux tips and tricks for all the PBX'ers.


How to add Hamachi Moderated VPN for remote administration/softphone access


This howto explains how to get hamachi to run as a system service.

Why would you want to run Hamachi? Once installed on your CentOS 4.5/5.X system and installed on a workstation (perhaps a laptop) you can access your server remotely via VPN for http or ssh administrative tasks. You can also use the private network to connect softphones and even set up DUNDi trunking over this VPN.

For client installation see this link.


Installing hamachi as a linux system service is quite simple. You first follow the regular steps of installation of hamachi.

  • Download the file from http://files.hamachi.cc/linux/hamach...-20-lnx.tar.gz and then execute the following command (see http://files.hamachi.cc/linux/ for other options):

    Code:
    # tar -zxvf hamachi-0.9.9.9-20-lnx.tar.gz

    (Note: You do not have to do these next 3 commands, it's just a good idea to keep your hard drive organized)

    Code:
    # mkdir /usr/src/hamachi
    # mv hamachi-0.9.9.9-20-lnx /usr/src/hamachi
    # cd /usr/src/hamachi/hamachi-0.9.9.9-20-lnx

    Once done with this, you need to do your standard hamachi installation command:

    Code:
    # make install

    Once installed, you need to first run the program "tuncfg". (Note: tuncfg is a program which makes the hamachi network adapter and must always be running while hamachi is running in order for hamachi to work)

    Code:
    # tuncfg

Now to get hamachi running as a system service and make your setup scripts:

First and foremost, you need to put your hamachi configuration in a global directory rather than your home directory. By default, hamachi-init creates its files in a folder called .hamachi in your home directory, but we are going to specify /etc/hamachi as the configuration directory. (Note also that hamachi itself can be run as a non-privileged user; tuncfg, however, needs to be run as root.)

Code:
# hamachi-init -f -c /etc/hamachi
# hamachi -c /etc/hamachi start
# hamachi -c /etc/hamachi login
# hamachi -c /etc/hamachi create network password

NOTE: Start thinking about how telephony might use a VPN when naming.

Next:

# hamachi -c /etc/hamachi set-nick nickname
# hamachi -c /etc/hamachi go-online network

Once done with this, we will need to make a hamachi runtime script.

Use your favorite text editor to make a file called hamachi-start.

Code:
# nano /usr/bin/hamachi-start

This file will be a shell script. For those who aren't well versed in linux, just copy exactly what I tell you to and it should work perfectly fine. If you feel like modifying it any, feel free -- it will still work. The most important thing is: start tuncfg, then start hamachi.

Here is the contents of hamachi-start:

Code:

#!/bin/sh
# /usr/bin/hamachi-start: start, stop or restart hamachi together with tuncfg.
# Note: /etc/rc.local sources this file with ". /usr/bin/hamachi-start", so
# do not add an "exit" here, or rc.local itself would stop at that point.

hamachi_start() {
    echo "Starting hamachi..."
    /sbin/tuncfg                              # tuncfg must be up before hamachi
    /usr/bin/hamachi -c /etc/hamachi start
}

hamachi_stop() {
    echo "Stopping hamachi..."
    /usr/bin/hamachi -c /etc/hamachi stop     # stop hamachi before its adapter goes away
    killall tuncfg
}

hamachi_restart() {
    hamachi_stop
    sleep 1
    hamachi_start
}

case "$1" in
    'start')
        hamachi_start
        ;;
    'stop')
        hamachi_stop
        ;;
    'restart')
        hamachi_restart
        ;;
    *)
        hamachi_start                         # no argument (e.g. sourced from rc.local): start
        ;;
esac

Not done yet, now you need to chmod it to give it executable permissions:

Code:
# chmod a+x /usr/bin/hamachi-start

To add Hamachi as a startup item you manually edit /etc/rc.local -- be sure to back this up before poking around in there though.

Code:
# cp /etc/rc.local ~/rc.local.bak

Then edit it (again, feel free to use your favorite text editor instead of nano; if nano isn't available, you can always try pico):

Code:
# nano /etc/rc.local

At the very bottom of this file, add the following lines:

Code:

if [ -x /usr/bin/hamachi-start ]; then
    . /usr/bin/hamachi-start
fi

Press Ctrl-X, then Y to confirm, then Enter, and voilà! You have Hamachi running as a service when you restart.

SOME ADDITIONAL NOTES:

I found the easiest way to manage a Hamachi network is to use the free Windows version (better still, purchase a full version) and create all networks from that workstation.

We want to use a global configuration file, so you need to always specify its location. Therefore, instead of "hamachi join network password" and so on, the commands will look like this:

Code:
# hamachi -c /etc/hamachi set-nick nickname
# hamachi -c /etc/hamachi login
# hamachi -c /etc/hamachi create network password
# hamachi -c /etc/hamachi join network password
# hamachi -c /etc/hamachi go-online network
# hamachi -c /etc/hamachi list
# hamachi -c /etc/hamachi go-offline network


Prevent unauthorized access to Webmin (or FreePBX or any other service)

I have my PBX configured, so I can only access my FreePBX web interface and my webmin from within my network, or from ON the machine itself… however, I occasionally need to access it when I am not in my office, and here is a GREAT way to do it:

((The following example assumes you are using a Windows desktop, using Putty to connect to your server via SSH, that you currently have iptables configured for firewall blocking (why wouldn't you), and that you know what ports your services are running on. If you have a linux desktop, try: ssh -L 80:localhost:80 user@remotemachine))

IF YOU ARE NOT SURE WHAT YOU ARE DOING WITH YOUR FIREWALL - READ THE MANUAL OR YOU MAY LOCK YOURSELF OUT OF THE SERVER!!!

On your server, connect via SSH, run nano /etc/sysconfig/iptables, and modify your iptables firewall as follows:

-A INPUT -p tcp -m tcp --dport 80 -j DROP
# Web interface port. (If this same line exists with ACCEPT, put a # in front of that line.)

-A INPUT -p tcp -m tcp --dport 9001 -j DROP
# Webmin port. (If this same line exists with ACCEPT, put a # in front of that line.)

(change the port numbers as appropriate)

You should also make sure you have a line similar to one of the following, so that connections arriving on the loopback interface (which is where the SSH tunnel will deliver them) are still accepted:

-A INPUT ! -i eth0 -j ACCEPT
or
-A INPUT -i lo -j ACCEPT

Then run: service iptables restart

Now, if you try to connect to webmin or your web interface, your browser will just timeout or disconnect.

Now, open your putty configuration, and set it up as follows:
[Image: Putty tunnel configuration, showing how to configure Putty for SSH tunneling]

This will map the ports on your machine (80 and 9001) to the same port on "localhost" on the remote machine when you make an ssh connection.

Now, here's the cool part:
Just connect and login to your remote server via SSH.

Then open a browser on your local machine and browse to http://localhost:9001; the webmin interface on the remote machine will answer and let you log in. Because we set up "Putty Tunneling", your local port 9001 is carried over the SSH connection to port 9001 on the remote server, so you can do exactly what you need to do without leaving webmin open in the firewall for a hacker to keep trying logins until they gain control of your server.
In addition, you can just browse to http://localhost to reach your FreePBX configuration.

Obviously, this can be used for any service/port on your server, but webmin is a good example to show you how to set this up.
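Before restarting iptables it is worth dry-running the rule file, since the DROP lines above only work together with the lo/ETABLISHED/SSH rules ahead of them. The following is an added example, not part of the original HowTo: a small Python simulator of the INPUT chain in iptables-save format (first match wins, chain policy otherwise). SAMPLE_RULES is a constructed file modelled on the rules above; the SSH port (22) and the REJECT catch-all are assumptions, not taken from the page.

```python
"""Dry-run the INPUT chain of an /etc/sysconfig/iptables file (iptables-save
format): check that the web and Webmin ports are DROPped on eth0 yet still
reachable on lo (where the SSH tunnel lands), and that the SSH port is still
accepted, before running 'service iptables restart'."""

# Constructed sample; the commented-out line is the old ACCEPT for port 80.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 9001 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_input_rules(text):
    """Return the '-A INPUT' rules in file order as dicts (comments skipped)."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", "INPUT"]:
            continue
        r = {"iface": None, "negate": False, "proto": None,
             "dport": None, "state": None, "target": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "!" and toks[i + 1] == "-i":     # "! -i eth0" form
                r["negate"] = True
            elif t == "-i":
                r["iface"] = toks[i + 1]
            elif t == "-p":
                r["proto"] = toks[i + 1]
            elif t == "--dport":
                r["dport"] = int(toks[i + 1])
            elif t == "--state":
                r["state"] = toks[i + 1].split(",")
            elif t == "-j":
                r["target"] = toks[i + 1]
            i += 1          # other tokens (-m tcp, --reject-with ...) ignored
        rules.append(r)
    return rules


def verdict(rules, iface, dport, proto="tcp", policy="ACCEPT"):
    """Verdict for a NEW inbound connection: first matching rule wins,
    the chain policy applies when nothing matches."""
    for r in rules:
        if r["iface"] and (iface == r["iface"]) == r["negate"]:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] and r["dport"] != dport:
            continue
        if r["state"] and "NEW" not in r["state"]:
            continue
        return r["target"]
    return policy


def lockout_risk(rules, ssh_port=22, iface="eth0"):
    """True when the rule set would block your own SSH admin access."""
    return verdict(rules, iface, ssh_port) != "ACCEPT"
```

Run it against the real file with parse_input_rules(open("/etc/sysconfig/iptables").read()) and check lockout_risk() before restarting the firewall.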

Editor Note: Additional security related items you **should** configure in your iptables are to block EVERY port that is not necessary. Then set up SSH on an alternative port by editing /etc/ssh/sshd_config and restarting sshd (configure the firewall to accept this alternate port first), and make sure you are using STRONG passwords. THIS IS NOT EVERYTHING YOU SHOULD DO TO SECURE YOUR LINUX SYSTEM, BUT HOPEFULLY THIS WILL HELP GET YOU STARTED!

-Richard Teachout
RHCE, MCSA, MCTS:Hosting

Notes: This assumes you have AllowTcpForwarding yes (or have #AllowTcpForwarding commented out which is default) in your /etc/ssh/sshd_config, or tcp forwarding won't work.


Setting Network Card Duplex Settings

Note: This should be read completely before you try this, as it could cause you to lose connectivity to the server if your network doesn't support it!

Many of the asterisk servers you install/deploy are going to be set up in someone else's network, which likely doesn't have a linux engineer, and you may not be one either, so this is for you. Even experienced linux engineers often miss the little things, and this is one of them!

On any network switch, you have settings for "Full Duplex"/"Half Duplex" and 10Mb/100Mb etc. Most of the networks around today are 100Mb networks. Many of us know how to set this up on a Windows PC, but have you ever wondered how you do this in linux? Or have you just hoped that "Auto-Detect" always works... (ps. not recommended)
Have you ever had "weird" SIP timeouts, or network disconnects to a SIP provider that you just can't trace? THIS MAY BE THE REASON! (The network card is flapping between 10Mb and 100Mb or Full and Half duplex, causing packet loss.) By forcing the NICs to match the switch, you eliminate this issue. It may not solve your problem, but it definitely can't hurt, and is recommended.

In order to ensure your linux server and the switch are always talking at the same speed, I recommend that you have the onsite network engineer set the switch port you are plugging into to forced 100Mb FULL DUPLEX, and then use the following tool to set this up on the network interface(s) on the server. Note: I use the following tool on Redhat/CentOS (so pbxinaflash and trixbox should both be able to do this for **most** network cards. If you have an unusual linux driver for your network card, you should know what you are doing anyway).

The tool I recommend (because it is so easy) is ethtool, which is likely already installed on your PBX as it is used by the ifup utilities. (If not, try "yum install ethtool" or visit http://sourceforge.net/projects/gkernel/ - just know what you are doing.)

I run the following on any new machine I set up:

ethtool eth0 | grep -e eth -e Speed -e Duplex

which would show you:

Settings for eth0:
Speed: 100Mb/s
Duplex: Half

(You should run "ethtool eth0" once to see the full output!)

As you can see, the duplex is reported as Half. So I then run:

ethtool -s eth0 speed 100 duplex full autoneg off

This sets the speed and duplex on the NIC.

Note: If you are doing this on a remote server, it may time out your SSH session for a moment, or if your switch port doesn't support Full Duplex, you may not be able to reconnect, so do your homework, or have someone locally who can restart the network services or restart the machine! Also, running this command only keeps the setting for the current session.

Assuming it worked, you should then be able to rerun the first command and see:

Settings for eth0:
Speed: 100Mb/s
Duplex: Full

Now, assuming this was true, you need to make sure this gets set up after a server reboot as well. Here's how:

Add the following at the end of /etc/rc.d/rc.local:

ethtool -s eth0 speed 100 duplex full autoneg off

OR

Add the following to your /etc/sysconfig/network-scripts/ifcfg-eth0:

ETHTOOL_OPTS="speed 100 duplex full autoneg off"

I hope this helps some of you properly setup a linux server on a corporate network, and for those lucky ones, I hope this helps you resolve odd connectivity issues with your sip provider (as it did for me on the first asterisk server I installed way back when, where I forgot to set this - we lost an occasional sip trunk for about 10 seconds, randomly - I found errors on the switch port, and remembered I forgot to set the duplex settings.. now no more switch port errors, and the sip trunk stopped randomly dropping).

-Richard Teachout
RHCE, MCSA, MCTS:Hosting


Using Screen for Session Mgmt (Never have your upgrade/installation die because you lost your connection!)

Ever had a remote SSH connection where you were doing an upgrade (say to asterisk or pbxinaflash, etc) and you lost your internet connection, which killed your ssh session, and stopped your compile, leaving your system in a horribly unusable state? NEVER AGAIN! That is what I use screen for!

This will quickly become your FAVORITE AND REGULARLY USED LINUX UTILITY!!!

What is Screen?
As the man page states, "Screen is a full-screen window manager that multiplexes a physical terminal between several processes (typically interactive shells)." This can be a life saver when working with remote servers. Screen has several great features for helping you administer your linux box more productively and, most importantly, safely.

I am going to discuss the four features (multiple windows, sessions, logging, sharing) that I use the most. (Check out "man screen" for more info.)

Installing Screen
If you are using a RedHat/CentOS distribution, you probably already have this installed (pbxinaflash/trixbox/and more!). You will find it in /usr/bin/screen. To check whether it is installed, type "which screen".
If you do not have it installed, it is easily installed with "yum install screen" or the appropriate RPM for your distribution (most distributions have this great application, and it's been around for YEARS). You can visit the screen website at http://www.gnu.org/software/screen/

Using Screen
Screen is started from the command line, just like any other application

[root@pbx ~]# screen
You may or may not get a text message about screen. If you do not, then you probably think nothing has happened, but it has. You are now inside of a window within screen. This functions just like a normal shell except for a few special characters. Screen uses the command "Ctrl-A" as a signal to send commands to screen instead of the shell. To get help, just use "Ctrl-A" then "?". You should now have the screen help page.

                               Screen key bindings, page 1 of 2.

                               Command key:  ^A   Literal ^A:  a

 break      ^B b        info       i           other      ^A          suspend    ^Z z
 clear      C           kill       K           pow_break  B           time       ^T t
 colon      :           lastmsg    ^M m        pow_detach D           title      A
 copy       ^[ [        license    ,           prev       ^P p ^?     vbell      ^G
 detach     ^D d        lockscreen X           readbuf    <           version    v
 digraph    ^V          log        H           redisplay  ^L l        width      W
 displays   *           login      L           removebuf  =           windows    ^W w
 fit        F           meta       a           reset      Z           wrap       ^R r
 flow       ^F f        monitor    M           screen     ^C c        writebuf   >
 focus      ^I          next       ^@ ^N sp n  select     '           xoff       ^S s
 help       ?           number     N           silence    _           xon        ^Q q
 history    { }         only       Q           split      S
                          [Press Space for next page; Return to end.]

Key bindings are the commands the screen accepts after you hit "Ctrl-A". You can reconfigure these keys to your liking using a .screenrc file, but I just use the defaults.

Multiple Windows
Screen, like many window managers, can support multiple windows. This is very useful for doing many things at the same time without opening new sessions. As a RHCE, I often have four or five SSH sessions going at the same time. In each of those shells, I may be running two or three applications. Without screen, that would require 15 SSH sessions, logins, windows, etc. With screen, each system gets its own single session and I use screen to manage different tasks on that system.

To open a new window, you just use "Ctrl-A" "c". This will create a new window for you with your default prompt. For example, I can be running top and then open a new window to do other things. Top stays running! It is still there. To try this for yourself, start up screen and then:

Start "top"
Now open a new window with "Ctrl-A" "c"
To get back to top, use "Ctrl-A" "n"

You can create several windows and toggle through them with "Ctrl-A" "n" for the next window or "Ctrl-A" "p" for the previous window. Each process will keep running while you work elsewhere.

Leaving Screen
There are two ways to get out of screen. The first is just like logging out of a shell. You kill the window with "Ctrl-A" "K" ("exit" will also work on some systems). This will kill the current window. If you have other windows, you will drop into one of those. If this is the last window, then you will exit screen.

The second way to leave screen is to detach from a window. This method leaves the process running and simply closes the window. If you have a really long process running and you need to close your SSH program, you can detach from the window using "Ctrl-A" "d". This will drop you into your shell. All screen windows are still there and you can re-attach to them later.

Re-attaching to existing sessions
This is the best part!!

So you are using screen now and compiling a program. It is taking forever and suddenly your connection drops. Don't worry, screen will keep the compilation going. Log in to your system and use the screen listing tool to see what sessions are running:

[root@pbx ~]# screen -ls
There are screens on:
        31620.pts-0.pbx       (Detached)
        31625.pts-0.pbx       (Detached)
2 Sockets in /var/run/screen/S-root.

Here you see I have two different screen sessions. To re-attach to a session, use the re-attach command:

[root@pbx ~]# screen -r 31620.pts-0.pbx

Just use screen with the -r flag and the session name. You are now re-attached to the screen. A nice thing about this is that you can re-attach from anywhere. If you are at work or a client's office, you can use screen to start a job and then log out. When you get back to your office or home, you can log in and get back to work. If you only have one screen running, "screen -r" will automatically connect to that session.

Screen Logging
I find it important to keep track of what I do to someone else's server. Fortunately, screen makes this easy. Using "Ctrl-A" "H" creates a running log of the session. Screen will keep appending data to the file through multiple sessions. The log function is very useful for capturing what you have done, especially if you are making a lot of changes. If something goes awry, you can look back through your logs.

Sharing a Screen Session
If you have two users connected to the same server (say as root), and one user types "screen", the other user can type "screen -x", and now BOTH of you are able to type and view in the same window!!! GREAT FOR REMOTE TRAINING OR GETTING ASSISTANCE FROM SOMEONE ELSE, especially if you want to know how they fixed your server!!

Screen Tips
I also wanted to mention two other beneficial tricks you can do with screen. Screen can monitor a window for activity or lack thereof. This is great if you are downloading large files, compiling, or watching for output. If you are downloading something or compiling, you can watch for silence. To start the monitor, go to the screen you want to monitor and use "Ctrl-A" "M" to look for activity or "Ctrl-A" "_" to monitor for silence. Then open or switch to a new window. When the monitor detects activity or silence, you will get an alert at the bottom with the window number. To quickly go to that window, use "Ctrl-A" " (that's a quote mark: Ctrl-A, then "). After you do this, just type in the number of the window and press Enter. To stop monitoring, go to that window and undo the monitor with the same command. For example, to stop monitoring for activity you would use "Ctrl-A" "M" again.

Hopefully this will help... well, let's face it, ALL OF US... in working with remote servers, and help to ensure we don't brick the server while we work remotely!

Richard Teachout
RHCE, MCSA, MCTS:Hosting