HOW-TO setup Plesk with Samba Share and OpenVPN on CentOS

Source: GraFX 15 April 2010

Plesk Samba Share

In order to use Plesk Samba Share, you must have Plesk installed on a CentOS Linux System.

Once you have Plesk installed:
  1. Point to the administration panel: https://yourdomain.tld:8443/ and log in with your credentials

    PLESK Admin Panel

  2. Go to the "Modules" Section

    PLESK Modules

  3. Click on the "Samba FileServer Configuration"

    PLESK Samba module
    * If you do not see that Module, you probably have to install that module.

  4. When you are there, you may start setting up your Samba Server.

    PLESK Samba Status

  5. You must create a New Share in the Share tab and give it a real path. Make sure that the real path exists on the server; if you do not have it, create it via ssh with the "mkdir" command. Then check whether it is writeable and who has access to it.

    PLESK Samba properties

  6. In the Users tab, add a new user that will be used to access the Windows Share. Note that you must match the Virtual user to a real UNIX Account on the server.

    PLESK Samba User info

  7. In the Interfaces tab, Plesk will automatically detect the interface on which the Samba Share will listen for connections. Do NOT set it to broadcast mode if you intend to use that resource privately!

    PLESK Samba interface

  8. In the Access tab you may define which hosts or subnets are allowed to access the Share. Note that if the list is empty, everyone will be allowed to access. If the list is populated, then only the listed hosts or subnets will have access.
    Warning! Your goal is to enable File Sharing through the VPN, so you MUST specify ONLY the VPN Subnet as allowed to access the Share; requests from anything other than the VPN hosts must be refused.

    Plesk Samba Access
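
Added example (not part of the original how-to): a check for step 8 that reads an smb.conf and reports every share still reachable from outside the VPN subnet. It assumes the Access tab ends up as Samba's "hosts allow" parameter and that the VPN subnet is the 10.0.0.0/255.255.255.0 network used later on this page; the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# audit_hosts_allow FILE "TOKENS": print "<share> <verdict>" for every share in FILE.
#   OK   = every "hosts allow" entry is one of TOKENS (spellings of the VPN subnet)
#   OPEN = no "hosts allow" applies, so every host may connect
#   WIDE = the list names something besides the VPN subnet
audit_hosts_allow() {
    awk -v ok_tokens="$2" '
    BEGIN { n = split(tolower(ok_tokens), t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    /^[ \t]*[#;]/ { next }                         # comment line
    /^[ \t]*\[/ {                                  # section header such as [vpnshare]
        sec = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sec)
        if (sec != "global") order[++count] = sec
        next
    }
    {
        eq = index($0, "="); if (eq == 0 || sec == "") next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]+/, " ", key); gsub(/^ | $/, "", key)
        if (key == "hosts allow" || key == "allow hosts") allow[sec] = tolower(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= count; i++) {
            # A [global] value applies to every share, whatever the share itself says.
            v = ("global" in allow) ? allow["global"] : allow[order[i]]
            m = split(v, h, /[ \t,]+/); verdict = "OPEN"
            for (j = 1; j <= m; j++) {
                if (h[j] == "") continue
                if (verdict == "OPEN") verdict = "OK"
                if (!(h[j] in ok)) verdict = "WIDE"
            }
            print order[i], verdict
        }
    }' "$1"
}
# Constructed sample; on the server the real file is /etc/samba/smb.conf.
VPN_TOKENS="10.0.0. 10.0.0.0/24 10.0.0.0/255.255.255.0"
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
   workgroup = WORKGROUP
[vpnshare]
   path = /srv/vpnshare
   hosts allow = 10.0.0.0/255.255.255.0
[public]
   path = /srv/public
[mixed]
   hosts allow = 10.0.0. 192.168.1.
EOF
audit_hosts_allow "$SAMPLE" "$VPN_TOKENS"
```

Any share reported as OPEN or WIDE still needs its access list narrowed to the VPN subnet before the share is used.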

OpenVPN Secure Server

1. Now that Samba is set up and accepts connections from VPN hosts only, we must set up the VPN.
Log on to the server using SSH and become root.
Please run these commands to install and configure OpenVPN:
yum update
yum install openssl openssl-devel
# openssl and openssl-devel may be installed already... so don't worry
2. Right, now you want to install OpenVPN, here is the command:

yum install openvpn -y
3. A few things to set up before you can make certificates, issue these commands,

find / -name "easy-rsa"
#you should get an output like this...
/usr/share/doc/openvpn-2.0.7/easy-rsa
#Now, make a copy of the easy-rsa directory, to /etc/openvpn/ ( make sure you
#have put the right version number in i.e. mine was -2.0.7, change if needed)
cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
# the scripts only need to be runnable by root; do not make them world-writable
chmod 700 *
mkdir /etc/openvpn/keys
4. You need to edit the vars file, located in /etc/openvpn/easy-rsa
You may use any editor you like, I have used vi.

Change the line
export KEY_DIR=$D/keys
to

export KEY_DIR=/etc/openvpn/keys
Also at the bottom of this file you will see something similar to this,

export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=SOMEWHERE
export KEY_ORG="My Org"
export KEY_EMAIL=me@mydomain.com
Change this to your own values.

5. Now it's time to make the certificates, enter these commands

# source vars (note the leading dot) so the exported settings reach this shell
. ./vars
./clean-all
./build-ca
# just hit enter to the defaults apart from Common Name, this must be unique
# call it something like mydomain-ca

./build-key-server server
./build-key client1
# remember that common name must be unique e.g. use mydomain-client1
# and YES you want to sign the keys

./build-key client2
# do this step for as many clients as you need.

./build-dh
6. We are almost done now... though we need to create a few config files, you may download my template from here,

cd /etc/openvpn
port 1194
proto udp
dev tun
# ca/cert/key/dh must name the files created in step 5; adjust names and paths to match
ca rootca.crt
cert server.crt
key server.key
dh dh.key
# tls-auth tlsauth.key 0
server 10.0.0.0 255.255.255.0
topology subnet
push "route 10.0.0.0 255.255.255.0"
ifconfig-pool-persist dhcp.db
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

# Lets VPN clients reach each other through the server; comment this out if they only need the server:
client-to-client

## For Certificate Auth:
ns-cert-type client

## For user/pass Auth:
#client-cert-not-required
#username-as-common-name
#plugin /usr/lib/openvpn/openvpn-auth-pam.so login
#tmp-dir /tmp
Warning! This is only an example! There are lots of other parameters that OpenVPN can be customised with. Please visit the Official Documentation to learn about them!

touch server-tcp.log
# this creates the log file

touch ipp.txt
# this creates the IP reservation list

7. You need to make a few changes to the OpenVPN init script. Go to:

cd /etc/init.d/
and edit the openvpn file

#Uncomment this line (line 119)
echo 1 > /proc/sys/net/ipv4/ip_forward
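Add the line below, changing *.*.*.* to your public IP address. The source (-s) is the VPN subnet from the server config, 10.0.0.0 255.255.255.0, i.e. /24:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source *.*.*.*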
Now install iptables if you don't have it already,

yum install iptables

#test it

service iptables start
service iptables stop
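
Added example (not part of the original how-to): the NAT rule from step 7 should cover only the tunnel network named on the "server" line of the server config. The script derives that network and lists the source of every NAT rule in `iptables-save -t nat` output that is wider; the function names, the address 203.0.113.10 and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# vpn_cidr CONF: print the "server NET MASK" tunnel network as NET/PREFIX.
vpn_cidr() {
    awk '
    BEGIN { split("0 128 192 224 240 248 252 254 255", v, " ")
            for (i = 1; i <= 9; i++) bits[v[i]] = i - 1 }
    $1 == "server" && NF >= 3 {
        if (split($3, o, ".") != 4) exit 1
        for (i = 1; i <= 4; i++) {
            if (!(o[i] in bits)) exit 1        # not a valid netmask octet
            if (ended && o[i] != 0) exit 1     # one-bits after a zero bit
            if (o[i] != 255) ended = 1
            total += bits[o[i]]
        }
        print $2 "/" total; found = 1; exit 0
    }
    END { if (!found) exit 1 }' "$1"
}

# wide_snat_rules CONF: read `iptables-save -t nat` output on stdin and print the source
# of every POSTROUTING SNAT/MASQUERADE rule that is not limited to the VPN network.
wide_snat_rules() {
    cidr=$(vpn_cidr "$1") || return 2
    alt=$(awk '$1 == "server" { print $2 "/" $3; exit }' "$1")   # dotted-mask spelling
    awk -v cidr="$cidr" -v alt="$alt" '
    /^-A POSTROUTING/ && / -j (SNAT|MASQUERADE)/ {
        src = "any"                            # no -s at all matches every source
        for (i = 1; i < NF; i++) if ($i == "-s") src = $(i + 1)
        if (src != cidr && src != alt) print src
    }'
}

# Constructed sample input: the "server" line from this page and three NAT rules.
CONF=$(mktemp); RULES=$(mktemp)
printf 'port 1194\nserver 10.0.0.0 255.255.255.0\n' > "$CONF"
cat > "$RULES" <<'EOF'
*nat
-A POSTROUTING -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
COMMIT
EOF
echo "VPN network: $(vpn_cidr "$CONF")"
wide_snat_rules "$CONF" < "$RULES"
```

On the server, feed it the live table with `iptables-save -t nat | wide_snat_rules <your server config>`; empty output means every NAT rule is scoped to the tunnel network.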
8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN; use the GUI version, downloadable from here:

http://openvpn.net/release/openvpn-2.1.1-install.exe

You need to copy a few files from the server to your client machine, here is the list, located in /etc/openvpn/keys/

## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.

rootca.crt
client1.csr
client1.key
client1.crt

Put these files in this directory: C:\Program Files\OpenVPN\config

Now you need to make a client config, here is an example..

client
remote *.*.*.* 1194
float
proto udp
dev tun
ca rootca.crt
cert client1.crt
key client1.key
# tls-auth tlsauth.key 1
ns-cert-type server
keepalive 10 120
cipher AES-256-CBC
auth SHA1
comp-lzo
status openvpn-status.log
verb 3

Make sure you edit the parameters to fit your needs.
Warning! This is only an example! There are lots of other parameters that OpenVPN can be customised with. Please visit the Official Documentation to learn about them!
Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config
Make sure the file extension is .ovpn and not .txt
To connect right click on OpenVPN in the taskbar >> Connect

Taskbar > OpenVPN

Now access the Samba Share on the server from Windows using the internal VPN IP

Command Line
* Note: the traffic is encrypted between the client and the server when the internal VPN IP is used

You're in business!:

Windows Explorer