How To Install Ruby on Rails on Linux

Ruby on Rails is an application stack that provides developers with a framework to quickly create a variety of web applications.

sudo apt-get install curl
curl -L | bash -s stable
source ~/.rvm/scripts/rvm
rvm requirements
rvm install ruby
rvm use ruby --default
rvm rubygems current
gem install rails

Install OpenVPN TAP

This article will guide you in a basic OpenVPN installation on an Ubuntu server running 12.04 using a TAP device.

The TAP solution is useful if you want the remote VPN users to use the same IP scheme that is in use on the local subnet. It is especially useful if you don’t have a gateway/router in the local subnet that can do static routes, because to the internal hosts the traffic will seem to originate from a locally connected device on the same subnet.

OpenVPN has a few methods of authentication. Out of the box, OpenVPN relies on certificate-based auth. However, with a recompiled client, you can also use ID/password authentication, providing 2-factor auth into your network (something you have = the cert, something you know = the password).

Before we begin, let’s get the prerequisites installed.

apt-get install bridge-utils openvpn libssl-dev openssl

On the Ubuntu Server, we need to start by configuring the bridge adapter with Bridge Utilities. OpenVPN requires this ‘virtual interface’ when setting up the tap interface it needs to pass traffic into the internal network. This is done by modifying the interfaces file.

nano /etc/network/interfaces

When editing this file, you need to remove or comment out the original eth port settings and replace with what you see below. This creates a new br0 interface and allows eth0 to essentially communicate across it (hence the label ‘bridge’). You will, of course, adjust the file for your specific subnet scheme.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0

#iface eth0 inet static
# address
# netmask
# network
# broadcast
# gateway
# # dns-* options are implemented by the resolvconf package, if installed
# dns-nameservers
# dns-search myhome.local

auto br0
iface br0 inet static
bridge_ports eth0
#### NOTE: If you are running OpenVPN in a virtual machine, then uncomment these lines:
# bridge_fd 9
# bridge_hello 2
# bridge_maxage 12
# bridge_stp off

iface eth0 inet manual
up ifconfig $IFACE up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Next, we need to allow IPv4 forwarding so the server can send out packets on the VPN’s behalf.

nano /etc/sysctl.conf
Uncomment the line net.ipv4.ip_forward=1

Restart networking and run ‘sysctl -p’ for the changes to take effect. Or just restart the server.

Create Server Keys
We need to create the server keys and client keys that we need for the OpenVPN server and the eventual client. Easy-RSA will be used to generate the items we need.

Create the easy-rsa folder and copy the sample files into it.

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

Edit the vars file and change the following items, located near the bottom, to suit your needs:

sudo nano /etc/openvpn/easy-rsa/vars

export KEY_CITY="New York City"
export KEY_ORG="Queens"
export KEY_EMAIL="me@myhost.mydomain"

Next step is to generate the Server Keys

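cd /etc/openvpn/easy-rsa/
source vars
./clean-all      # creates an empty keys/ directory (deletes any existing keys)
./build-dh       # generates the dh1024.pem that is copied to /etc/openvpn/ below
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key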

Note: if you get the following error on the command “./pkitool --initca”:

grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x

then you are hitting a known bug, #998918.

In a nutshell, openvpn easy-rsa is missing the openssl.cnf file in the package. As a workaround, create a softlink using the following:

cd /etc/openvpn/easy-rsa/
ln -s openssl-1.0.0.cnf openssl.cnf

Then rerun the command:

./pkitool --initca

Continue on from there.

Now copy certain keys to the openvpn directory

cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Create Client Certificates

If you are using the default method of authentication, with one client cert per client, then you need to create the cert for each client on the OpenVPN server. This is done on the server, not on the client, because the server’s CA needs to sign the key. Also, the client cert process will prompt you for a client cert password. You need to give this to the client along with the cert.

cd /etc/openvpn/easy-rsa/
source vars
./pkitool client-name

Those commands will create new files in the easy-rsa/keys directory called client-name.crt and client-name.key (client-name.csr is the text request and can be ignored/deleted). These 2 files need to be copied out to the client, along with the server ca.crt and the ta.key (the ta.key is used if TLS auth is enabled in the server conf).

These files need to be placed in the proper folder on the client. For a Linux client, this would usually be the user’s home folder under /home. For Windows-based machines, this would be the OpenVPN client install folder where the profiles are stored.

Create OpenVPN Server scripts

We need 2 scripts in the /etc/openvpn directory to manage bringing the server up and down.


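#!/bin/sh
BR=$1; DEV=$2; MTU=$3   # bridge name from server.conf, then the tap device and MTU appended by OpenVPN
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV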

and /etc/openvpn/

#!/bin/sh
BR=$1; DEV=$2           # bridge name from server.conf, then the tap device appended by OpenVPN
/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Then we need to make the scripts executable:

sudo chmod 755 /etc/openvpn/
sudo chmod 755 /etc/openvpn/

Last step is to copy in the sample server config file and edit it to support our config. This sample is a default method using only certificates, but this could be changed to support id/pw instead of user certs (good for large subscription based services), or even 2 factor auth requiring both the cert and the password.

Also note that this config is a bridged network where the client will have an IP right on the target subnet. This sample server config reflects that solution. The alternative is to create a second subnet for the clients and have the server route between the VPN clients and the target subnet. For this home solution, that’s overkill, but it would be useful in larger setups or where extra security is needed and the remote subnets can be used for access control.

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf

Edit the /etc/openvpn/server.conf file and make the following changes:

Change the following because we don’t want a routed solution.
;dev tap
dev tun

dev tap0
;dev tun

Change the following because bridged networks don’t need it.

Change the following so OpenVPN can manage the bridged traffic and assign IPs (edit these to reflect your scheme).
server-bridge ‘server-ip’ ‘subnetmask’ ‘DHCP start ip’ ‘DHCP Ending ip’

Change this so the vpn clients have the correct GW router for all your IP traffic (edit these to reflect your scheme)
;push "route"
push "route"

Change this so all your client traffic passes through the VPN.
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1 bypass-dhcp"

Change these to 1 of your internal DNS servers if you have 1, otherwise use any public dns you want.
;push "dhcp-option DNS"
;push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"

Change this to enable tls-auth. Without the proper key file, the initial UDP communication is dropped. It also saves on processor time, since the server doesn’t have to service bad requests.
;tls-auth ta.key 0 # This file is secret
tls-auth ta.key 0 # This file is secret

Change the following to increase security so the VPN service has restricted access
;user nobody
;group nogroup
user nobody
group nogroup

Add this to the bottom of the file to manage starting and stopping the networking for VPN.
up "/etc/openvpn/ br0"
down "/etc/openvpn/ br0"
script-security 3

With that, you should be able to load the OpenVPN client, copy in the CA and user certs, and get a connection.

Remember the ta.key is used if ‘tls-auth’ is activated on the server.conf.
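
A way to check the finished server.conf against the settings this guide changes (added example, not part of the original article). The finding codes, the 192.0.2.x addresses and the script names bridge-up.sh/bridge-down.sh are assumptions made for the example, and the DH size is only inferred from the dhNNNN.pem file name.

```shell
# Added example: audit the active directives of an OpenVPN server.conf.
# Print the arguments of the first uncommented line whose keyword is $2.
directive() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }          # ";" and "#" lines are disabled
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]*#.*$/, "")
                    print; exit }' "$1"
}

audit_openvpn_conf() {
    conf=$1
    [ -n "$(directive "$conf" tls-auth)" ] ||
        echo "NO_TLS_AUTH: unauthenticated packets reach the TLS stack"
    [ -n "$(directive "$conf" user)" ] && [ -n "$(directive "$conf" group)" ] ||
        echo "NO_PRIV_DROP: daemon keeps root after start-up"
    # script-security 2 already permits user-defined up/down scripts;
    # 3 additionally passes passwords to scripts via the environment.
    level=$(directive "$conf" script-security)
    [ "${level:-1}" -le 2 ] ||
        echo "SCRIPT_SECURITY_3: level 2 is enough for up/down scripts"
    # Heuristic: read the DH size from a dhNNNN.pem file name.
    bits=$(directive "$conf" dh | sed -n 's/^.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    [ -z "$bits" ] || [ "$bits" -ge 2048 ] ||
        echo "WEAK_DH: $bits-bit DH parameters"
    # After the privilege drop the down script runs as the unprivileged
    # user, so it cannot change bridge membership.
    [ -z "$(directive "$conf" down)" ] || [ -z "$(directive "$conf" user)" ] ||
        echo "DOWN_UNPRIVILEGED: down script runs after user/group drop"
}

# Constructed sample: the end state of the edits described above, with
# placeholder addresses and hypothetical script names.
sample_conf() {
    cat <<'EOF'
dev tap0
server-bridge 192.0.2.10 255.255.255.0 192.0.2.100 192.0.2.120
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
up "/etc/openvpn/bridge-up.sh br0"
down "/etc/openvpn/bridge-down.sh br0"
script-security 3
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_openvpn_conf "$tmp"; rm -f "$tmp"
```

On a real server, call audit_openvpn_conf /etc/openvpn/server.conf; no output means none of the five checks fired.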

Install Linux DNS Server

This is a production ready DNS server installation procedure using DNSMasq:



This article gives you a step by step on installing bind9 to Ubuntu Server for dns resolution for an internal ‘local’ domain. This was done on Ubuntu 10.04 LTS 64 bit and also on 12.04 LTS 64 bit. The zone ‘mydomain.local’ can be renamed to anything really. I like to keep internal domains as ‘local’ on split dns so that there is a clear distinction between and mydomain.local addresses. Internal subnet space used here is

Install Bind9 for DNS services

1) Run apt-get install bind9

2) Create a zones folder “mkdir /etc/bind/zones”

3) Edit /etc/bind/named.conf.local

zone "mydomain.local" {
type master;
file "/etc/bind/zones/mydomain.local.db";
};

zone "" {
type master;
notify no;
file "/etc/bind/zones/rev-192.168.1.db";
};

4) Create the Zone files for mydomain.local. Replace ‘server1’ with your dns server name and adjust IP addresses as needed.

vim /etc/bind/zones/mydomain.local.db

$TTL 604800     ; 1 week
mydomain.local.         IN SOA  server1.mydomain.local. admin.mydomain.local. (
                        2011032909 ; serial
                        604800     ; refresh (1 week)
                        86400      ; retry (1 day)
                        2419200    ; expire (4 weeks)
                        604800     ; minimum (1 week)
                        )
                        NS      server1.mydomain.local.
$ORIGIN mydomain.local.
server1                 A
server2                 A
gateway                 A

5) Create the reverse Zone file vim /etc/bind/zones/rev-192.168.1.db

$TTL 604800     ; 1 week
@                       IN SOA  server1.mydomain.local. admin.mydomain.local. (
                        2012080301 ; serial
                        604800     ; refresh (1 week)
                        86400      ; retry (1 day)
                        2419200    ; expire (4 weeks)
                        604800     ; minimum (1 week)
                        )
                        NS      server1.mydomain.local.
1                       PTR     gateway.mydomain.local.
15                      PTR     server1.mydomain.local.
245                     PTR     server2.mydomain.local.

6) Lastly don’t forget to add the forwarders by editing /etc/bind/named.conf.options

forwarders {;;
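
A check for the zone files created in steps 4 and 5 (added example, not part of the original article): it flags owner names and SOA/NS/PTR/CNAME targets that contain dots but lack the trailing dot, which BIND would extend with the zone origin. The sample zone and its 192.0.2.15 address are constructed, and the dotted-name rule is a heuristic that also flags intentionally relative multi-label names.

```shell
# Added example: flag dotted names in a zone file that lack the final dot.
zone_dot_lint() {
    awk '
    function check(kind, name) {
        # A dotted name without a final "." is relative, so BIND appends
        # the current origin to it.
        if (name ~ /\./ && name !~ /\.$/)
            printf "line %d: %s \"%s\" has no trailing dot\n", NR, kind, name
    }
    { sub(/;.*$/, "") }                  # drop zone-file comments
    NF == 0 || /^[$]/ { next }           # blank lines and $TTL/$ORIGIN
    /^[^ \t]/ { check("owner", $1) }     # owner names start in column 1
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "SOA") n = 2       # MNAME and RNAME follow
            else if ($i == "NS" || $i == "PTR" || $i == "CNAME") n = 1
            else continue
            for (j = i + 1; j <= i + n && j <= NF; j++)
                check($i " target", $j)
            break
        }
    }' "$1"
}

# Constructed sample zone with three such mistakes (on lines 2 and 4).
sample_zone() {
    cat <<'EOF'
$TTL 604800
mydomain.local   IN SOA  server1.mydomain.local. admin.mydomain.local (
                 2011032909 604800 86400 2419200 604800 )
                 NS      server1.mydomain.local
$ORIGIN mydomain.local.
server1          A       192.0.2.15
www              CNAME   server1
EOF
}

tmp=$(mktemp) && sample_zone > "$tmp" && zone_dot_lint "$tmp"; rm -f "$tmp"
```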