Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools


PC Engines APU - OpenVPN Access Server

Starting points

  • OS: CentOS 7.x
  • OpenVPN AS
  • Offline, automated OS install using USB & Kickstart.


  • Download the latest CentOS 7.x minimal install ISO.
  • Download the latest OpenVPN AS package for CentOS 7 64bit.
  • PC Engines APU with one mSATA SSD installed.
  • Connect the APU's serial console.

Prepare USB stick

  • Insert USB stick on another Linux box.
  • If the USB stick was automounted, unmount it now:
    umount /dev/sdc1
  • Wipe the USB stick (be careful!):
    wipefs -a /dev/sdc
    /dev/sdc: 5 bytes were erased at offset 0x00008001 (iso9660): 43 44 30 30 31
    /dev/sdc: 2 bytes were erased at offset 0x000001fe (dos): 55 aa
    /dev/sdc: calling ioctl to re-read partition table: Success
  • Create a bootable 256MiB FAT32 partition:
    parted /dev/sdc mklabel msdos
    parted /dev/sdc mkpart primary fat32 1MiB 256MiB
    parted /dev/sdc set 1 boot on
  • Create an ext4 partition on the remaining space:
    parted /dev/sdc mkpart primary ext4 256MiB 100%
  • Format the partitons:
    mkfs.vfat -n boot /dev/sdc1
    mkfs.ext4 -L CentOS7 /dev/sdc2
  • Install syslinux:
    • Copy MBR to USB-stick:
      dd conv=notrunc bs=440 count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sdc
    • Install syslinux to first partiton:
      syslinux /dev/sdc1

Copy files to USB

  • Mount filesystems:
    mkdir /mnt/{boot,CentOS7,iso}
    mount /dev/sdc1 /mnt/boot
    mount /dev/sdc2 /mnt/CentOS7
    mount CentOS-7-x86_64-Minimal-1503-01.iso /mnt/iso
  • Copy isolinux to USB:
    cp /mnt/iso/isolinux/* /mnt/boot
  • Edit syslinux.cfg:
    cd /mnt/boot
    mv isolinux.cfg syslinux.cfg
    vi /mnt/boot/syslinux.cfg
    label linux
      menu label ^Install CentOS 7 - Kickstart
      kernel vmlinuz
      append initrd=initrd.img inst.stage2=hd:sdb2:/ ks=hd:sdb1:/ks.cfg
  • Copy ISO file:
    cp CentOS-7-x86_64-Minimal-1503-01.iso /mnt/CentOS7
  • Copy Kickstart file to USB (/mnt/boot/ks.cfg), please replace sha512 passphrases:
    #### PC Engines APU KickStart installation
    network --onboot yes --bootproto dhcp
    lang en_US.UTF-8
    keyboard --vckeymap=us --xlayouts='us','us'
    rootpw --iscrypted <sha512 password hash>
    firewall --service=ssh
    authconfig --enableshadow --passalgo=sha512
    selinux --enforcing
    timezone --utc Europe/Amsterdam
    # Do not clear partitions / MBR on USB-stick!
    ignoredisk --drives=sdb
    # Set serial console and change disk elevator to noop for SSD.
    bootloader --location=mbr --driveorder=sda --append="console=tty0 console=ttyS0,115200 elevator=noop rd_NO_PLYMOUTH"
    # Any disks whose formatting is unrecognized are initialized.
    # Erases all partitions from the system.
    clearpart --all --drives=sda --initlabel
    # Initialize boot partition.
    part /boot --fstype=xfs --size=512 --asprimary
    # Create LVM pv and vg.
    part pv.01 --size=1000 --grow --asprimary
    volgroup vg pv.01
    # Create lv's, set discard, noatime and commit time. Leave some space left in the VG for later use.
    logvol swap  --vgname=vg --size=512  --name=lv_swap --fstype=swap
    logvol /     --vgname=vg --size=4096 --name=lv_root --fstype=xfs
    logvol /var  --vgname=vg --size=4096 --name=lv_var  --fstype=xfs
    logvol /home --vgname=vg --size=512  --name=lv_home --fstype=xfs
    # Create non administrative user
    user --name=username --homedir=/home/username --password=<sha512 password hash>
    # Reboot after installation.
    # Install minimal, exclude @Base, exclude documentation
    %packages --nobase --excludedocs
    @Core		#default
    openssh-clients #ssh client, key agent, sftp, scp
    # Disable SSH root login
    /bin/sed -i.bak 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
    # Mount /tmp as tmpfs.
    systemctl enable tmp.mount
    #Add weekly fstrim job
    cat << EOF >  /etc/cron.weekly/fstrim
    #this script will run weekly, will overwrite log.
    echo > \$trimlog
    for fs in \$(lsblk -o MOUNTPOINT,DISC-MAX,FSTYPE | grep -E '^/.* [1-9]+.* ' | awk '{print \$1}'); do
      printf "\`date\` - \`fstrim -v \$fs\`\n" >>\$trimlog
    chmod +x /etc/cron.weekly/fstrim
    # Enable LVM to issue discards.
    /bin/sed -i.bak 's/issue_discards = 0/issue_discards = 1/g' /etc/lvm/lvm.conf
    # Reduce swappiness.
    echo "vm.swappiness=1" >> /etc/sysctl.d/swappiness.conf
    echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.d/swappiness.conf
    # Set chassis name and icon
    /bin/hostnamectl set-chassis "server"
    # Disable kdump
    /bin/systemctl disable kdump
    exit 0

Install the OS

  • Boot the APU, press F12 and select the USB-stick. Installation will be automatic. Output can be seen on serial console:
    screen /dev/ttyUSB0 115200

Configure the OS

  • Set hostname:
    hostnamectl set-hostname <your-FQDN>
  • Configure networking, firewall.
  • Retrieve latest updates:
    yum update
  • Install and configure chrony.
  • Configure postfix.
  • Install and configure yum-cron.
  • Install and configure apcupsd (in EPEL7).
  • Install and configure monitoring; check_mk, hddtemp, smartmontools, lm_sensors.
  • Install and configure back-up / restore (Bacula)

Install and configure OpenVPN AS

  • Download latest OpenVPN AS package.
  • Install prerequisite package:
    yum install net-tools
  • Install package:
    yum install openvpn-as-2.0.20-CentOS7.x86_64.rpm
  • Reconfigure manually:
  • Add customizations (logo).
pc_engings_apu_openvpn_as.txt · Last modified: 2021/10/09 15:14 by