pc_engings_apu_openvpn_as
Table of Contents
PC Engines APU - OpenVPN Access Server
Starting points
- OS: CentOS 7.x
- OpenVPN AS
- Offline, automated OS install using USB & Kickstart.
Prerequisites
- Download the latest CentOS 7.x minimal install ISO.
- Download the latest OpenVPN AS package for CentOS 7 64bit.
- PC Engines APU with one mSATA SSD installed.
- Connect the APU's serial console.
Prepare USB stick
- Insert USB stick on another Linux box.
- If the USB stick was automounted, unmount it now:
umount /dev/sdc1
- Wipe the USB stick (be careful!):
wipefs -a /dev/sdc /dev/sdc: 5 bytes were erased at offset 0x00008001 (iso9660): 43 44 30 30 31 /dev/sdc: 2 bytes were erased at offset 0x000001fe (dos): 55 aa /dev/sdc: calling ioctl to re-read partition table: Success
- Create a bootable 256MiB FAT32 partition:
parted /dev/sdc mklabel msdos parted /dev/sdc mkpart primary fat32 1MiB 256MiB parted /dev/sdc set 1 boot on
- Create an ext4 partition on the remaining space:
parted /dev/sdc mkpart primary ext4 256MiB 100%
- Format the partitons:
mkfs.vfat -n boot /dev/sdc1 mkfs.ext4 -L CentOS7 /dev/sdc2
- Install syslinux:
- Copy MBR to USB-stick:
dd conv=notrunc bs=440 count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sdc
- Install syslinux to first partiton:
syslinux /dev/sdc1
Copy files to USB
- Mount filesystems:
mkdir /mnt/{boot,CentOS7,iso} mount /dev/sdc1 /mnt/boot mount /dev/sdc2 /mnt/CentOS7 mount CentOS-7-x86_64-Minimal-1503-01.iso /mnt/iso
- Copy isolinux to USB:
cp /mnt/iso/isolinux/* /mnt/boot
- Edit syslinux.cfg:
cd /mnt/boot mv isolinux.cfg syslinux.cfg vi /mnt/boot/syslinux.cfg label linux menu label ^Install CentOS 7 - Kickstart kernel vmlinuz append initrd=initrd.img inst.stage2=hd:sdb2:/ ks=hd:sdb1:/ks.cfg
- Copy ISO file:
cp CentOS-7-x86_64-Minimal-1503-01.iso /mnt/CentOS7
- Copy Kickstart file to USB (/mnt/boot/ks.cfg), please replace sha512 passphrases:
#### #### PC Engines APU KickStart installation #### install cdrom network --onboot yes --bootproto dhcp lang en_US.UTF-8 keyboard --vckeymap=us --xlayouts='us','us' rootpw --iscrypted <sha512 password hash> firewall --service=ssh authconfig --enableshadow --passalgo=sha512 selinux --enforcing timezone --utc Europe/Amsterdam # Do not clear partitions / MBR on USB-stick! ignoredisk --drives=sdb # Set serial console and change disk elevator to noop for SSD. bootloader --location=mbr --driveorder=sda --append="console=tty0 console=ttyS0,115200 elevator=noop rd_NO_PLYMOUTH" # Any disks whose formatting is unrecognized are initialized. zerombr # Erases all partitions from the system. clearpart --all --drives=sda --initlabel # Initialize boot partition. part /boot --fstype=xfs --size=512 --asprimary # Create LVM pv and vg. part pv.01 --size=1000 --grow --asprimary volgroup vg pv.01 # Create lv's, set discard, noatime and commit time. Leave some space left in the VG for later use. logvol swap --vgname=vg --size=512 --name=lv_swap --fstype=swap logvol / --vgname=vg --size=4096 --name=lv_root --fstype=xfs logvol /var --vgname=vg --size=4096 --name=lv_var --fstype=xfs logvol /home --vgname=vg --size=512 --name=lv_home --fstype=xfs # Create non administrative user user --name=username --homedir=/home/username --password=<sha512 password hash> # Reboot after installation. reboot # Install minimal, exclude @Base, exclude documentation %packages --nobase --excludedocs @Core #default openssh-clients #ssh client, key agent, sftp, scp %end %post # Disable SSH root login /bin/sed -i.bak 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config # Mount /tmp as tmpfs. systemctl enable tmp.mount #Add weekly fstrim job cat << EOF > /etc/cron.weekly/fstrim #!/bin/sh #this script will run weekly, will overwrite log. trimlog=/var/log/fstrim.log echo > \$trimlog for fs in \$(lsblk -o MOUNTPOINT,DISC-MAX,FSTYPE | grep -E '^/.* [1-9]+.* ' | awk '{print \$1}'); do printf "\`date\` - \`fstrim -v \$fs\`\n" >>\$trimlog done EOF chmod +x /etc/cron.weekly/fstrim # Enable LVM to issue discards. /bin/sed -i.bak 's/issue_discards = 0/issue_discards = 1/g' /etc/lvm/lvm.conf # Reduce swappiness. echo "vm.swappiness=1" >> /etc/sysctl.d/swappiness.conf echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.d/swappiness.conf # Set chassis name and icon /bin/hostnamectl set-chassis "server" # Disable kdump /bin/systemctl disable kdump exit 0 %end
Install the OS
- Boot the APU, press F12 and select the USB-stick. Installation will be automatic. Output can be seen on serial console:
screen /dev/ttyUSB0 115200
Configure the OS
- Set hostname:
hostnamectl set-hostname <your-FQDN>
- Configure networking, firewall.
- Retrieve latest updates:
yum update
- Install and configure chrony.
- Configure postfix.
- Install and configure yum-cron.
- Install and configure apcupsd (in EPEL7).
- Install and configure monitoring; check_mk, hddtemp, smartmontools, lm_sensors.
- Install and configure back-up / restore (Bacula)
Install and configure OpenVPN AS
- Download latest OpenVPN AS package.
- Install prerequisite package:
yum install net-tools
- Install package:
yum install openvpn-as-2.0.20-CentOS7.x86_64.rpm
- Reconfigure manually:
/usr/local/openvpn_as/bin/ovpn-init
- Add customizations (logo).
pc_engings_apu_openvpn_as.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1