Clean Ubuntu Install

Quick cheatsheet which I often use to bring up an Ubuntu machine.

Update

# Export the variable so it applies to both apt-get calls, not only the first
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get upgrade -y

Minimal GUI (might not work well on Ubuntu 16)

sudo apt-get install --no-install-recommends ubuntu-desktop
sudo apt-get install --no-install-recommends xorg xterm gdm menu gksu synaptic 
sudo apt-get install --no-install-recommends gnome-session gnome-panel metacity gnome-terminal indicator-session
sudo apt-get install open-vm-tools-desktop

Coding Environment


# Add the VS Code apt repository and its signing key
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > packages.microsoft.gpg
sudo install -o root -g root -m 644 packages.microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/vscode stable main" > /etc/apt/sources.list.d/vscode.list'

apt-get update
apt-get install code terminator

VScode Settings

Other Software

apt-get install software-properties-common

Faster

echo "vm.swappiness=1" >> /etc/sysctl.conf
sysctl -p

SoftEtherVPN Configuration/Installation

A quick lookup page for me to install the SoftEther VPN server on Ubuntu 16.04, since the apt version no longer works properly (17-01-2020).

Original apt version
https://launchpad.net/~paskal-07/+archive/ubuntu/softethervpn

Requirements

apt-get install -y build-essential make gcc

Download

wget -O /tmp/softether-vpnserver.tar.gz https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/download/v4.32-9731-beta/softether-vpnserver-v4.32-9731-beta-2020.01.01-linux-x64-64bit.tar.gz

Extract

tar xfz /tmp/softether-vpnserver.tar.gz -C /usr/local

Compile

cd /usr/local/vpnserver
make
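
The download, extract and compile steps above unpack and build, as root, an archive fetched over the network. As an added example (not part of the original cheatsheet), the helper below checks the archive's SHA-256 against a value obtained separately and rejects member paths outside vpnserver/ before unpacking. The function name and the digest placeholder are assumptions.

```bash
# Added example: verify a downloaded release archive before unpacking it
# as root. verify_and_extract is a hypothetical helper name.
verify_and_extract() {
    local archive="$1" expected="$2" dest="$3" top="${4:-vpnserver}"
    local actual members m

    # 1. Integrity: compare with a SHA-256 obtained out of band.
    actual=$(sha256sum "$archive" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi

    # 2. Layout: every member must sit under $top/, with no absolute
    #    paths and no ".." components.
    members=$(tar tzf "$archive") || return 1
    while IFS= read -r m; do
        case "$m" in
            /*|..|../*|*/../*|*/..)
                echo "unsafe member path: $m" >&2; return 1 ;;
            "$top"|"$top"/*) ;;
            *)
                echo "member outside $top/: $m" >&2; return 1 ;;
        esac
    done <<EOF
$members
EOF

    # 3. Unpack without restoring the ownership recorded in the archive.
    tar xzf "$archive" -C "$dest" --no-same-owner
}

# With the page's paths; the digest below is a placeholder, not a real value:
# verify_and_extract /tmp/softether-vpnserver.tar.gz \
#     "<sha256-of-the-release-archive>" /usr/local
```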

Method 1: Non-root User

Note that the local bridge setting will not work, so you will need to use SecureNAT.

Adding a service account for softether

sudo useradd --system --no-create-home softether

Permissions

chown -R softether:softether /usr/local/vpnserver

find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;

chmod +x /usr/local/vpnserver/vpncmd 
chmod +x /usr/local/vpnserver/vpnserver

Create /etc/systemd/system/softether.service

[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
TasksMax=16777216
User=softether
Group=softether
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure

# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID

[Install]
WantedBy=multi-user.target

Allow vpnserver to bind to local ports despite being run by softether user (non-root)

sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/vpnserver/vpnserver

Start service

systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service
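
To confirm that Method 1 took effect, compare the running process with the unit file: the effective UID must not be 0, and the capability bounding set should hold nothing beyond the seven capabilities listed in CapabilityBoundingSet. This is an added example, not part of the original cheatsheet; the function names are assumptions and the sample status text is constructed.

```bash
# Added example: check the Uid and CapBnd lines of /proc/<pid>/status
# against the unit file. Bit numbers are from <linux/capability.h>.
cap_name() {
    case "$1" in
        7)  echo CAP_SETUID ;;
        10) echo CAP_NET_BIND_SERVICE ;;
        11) echo CAP_NET_BROADCAST ;;
        12) echo CAP_NET_ADMIN ;;
        13) echo CAP_NET_RAW ;;
        23) echo CAP_SYS_NICE ;;
        34) echo CAP_SYSLOG ;;
        *)  echo "UNEXPECTED_CAP_$1" ;;   # not in CapabilityBoundingSet
    esac
}

# Print the names of all bits set in a hex capability mask, lowest first.
decode_caps() {
    local mask bit=0 out=""
    mask=$((0x$1))
    while [ "$bit" -lt 63 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$(cap_name "$bit")"
        fi
        bit=$((bit + 1))
    done
    echo "$out"
}

# Succeed only for a non-root effective UID and a bounding set that
# holds nothing beyond the unit's seven capabilities.
check_status() {
    local uid bnd caps
    uid=$(printf '%s\n' "$1" | awk '$1 == "Uid:" {print $3}')
    bnd=$(printf '%s\n' "$1" | awk '$1 == "CapBnd:" {print $2}')
    [ -n "$bnd" ] || return 1
    caps=$(decode_caps "$bnd")
    echo "euid=$uid bounding=$caps"
    [ -n "$uid" ] && [ "$uid" != "0" ] || return 1
    case "$caps" in *UNEXPECTED_CAP_*) return 1 ;; esac
}

# Constructed sample of the two relevant lines for a confined service.
SAMPLE_STATUS='Uid: 999 999 999 999
CapBnd: 0000000400803c80'

# On a live host:
# pid=$(systemctl show -p MainPID softether.service | cut -d= -f2)
# check_status "$(cat "/proc/$pid/status")"
```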

Method 2: Root User

Permissions

chown -R root:root /usr/local/vpnserver

find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;

chmod +x /usr/local/vpnserver/vpncmd 
chmod +x /usr/local/vpnserver/vpnserver

Create /lib/systemd/system/softether.service

cat > /lib/systemd/system/softether.service << EOF
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
TasksMax=16777216
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure

# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID

[Install]
WantedBy=multi-user.target
EOF

Run

Enable and start the Service

systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service

Clean up

rm -f /tmp/softether-vpnserver.tar.gz 

Full Script

apt-get update
apt-get install -y build-essential make gcc

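# Pick the download URL of the latest Linux x64 server build
curl -s https://api.github.com/repos/SoftEtherVPN/SoftEtherVPN_Stable/releases/latest \
| grep "browser_download_url.*softether-vpnserver.*linux-x64-64bit.tar.gz" \
| cut -d : -f 2,3 \
| tr -d \" \
| wget -O /tmp/softether-vpnserver.tar.gz -i -

# Extract to /usr/local/vpnserver
tar xfz /tmp/softether-vpnserver.tar.gz -C /usr/local

cd /usr/local/vpnserver
make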

chown -R root:root /usr/local/vpnserver

find /usr/local/vpnserver -type f -exec chmod 600 {} \;
find /usr/local/vpnserver -type d -exec chmod 700 {} \;

chmod +x /usr/local/vpnserver/vpncmd 
chmod +x /usr/local/vpnserver/vpnserver

cat > /lib/systemd/system/softether.service << EOF
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
TasksMax=16777216
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure

# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl start softether.service
systemctl enable softether.service
rm -f /tmp/softether-vpnserver.tar.gz 

Certificate Creation

Some of the important OpenSSL commands for creating certificates.

Configuration Issues

Environment variables for OpenSSL on Windows

set OpenSSL_HOME=C:\OpenSSL-Win64
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

Certificate Creation

Create a self-signed certificate (short method)

openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Create a self-signed certificate (long method)

openssl genrsa -out helloeb.com.key 4096
openssl req -new -sha256 -key helloeb.com.key -out helloeb.com.csr
# Self-sign the CSR with its own key
openssl x509 -req -days 365 -in helloeb.com.csr -signkey helloeb.com.key -out sha1.crt -sha256
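
A quick check on the result of either method, as an added example that is not part of the original cheatsheet: it confirms that the certificate carries the public key of the given private key, reports the signature algorithm actually used (the output file above is named sha1.crt but is signed with -sha256), and checks the remaining validity. The function names are assumptions.

```bash
# Added example: sanity-check a certificate/key pair produced by openssl.

# Succeed only if the certificate's public key equals the private key's.
cert_matches_key() {   # $1 = certificate (PEM), $2 = private key (PEM)
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ {print $3; exit}'
}

# Succeed if the pair matches, the signature is not MD5/SHA-1 based,
# and the certificate is still valid $3 days from now (default 30).
check_cert() {
    local days="${3:-30}"
    cert_matches_key "$1" "$2" ||
        { echo "key does not match certificate" >&2; return 1; }
    case "$(cert_sig_alg "$1")" in
        *md5*|*MD5*|*sha1*|*SHA1*)
            echo "weak signature algorithm" >&2; return 1 ;;
    esac
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "certificate expires within $days days" >&2; return 1; }
}

# With the file names from the long method above:
# check_cert sha1.crt helloeb.com.key
```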