INSTALLING PURPLENET 0.7.2 ON UBUNTU SERVER 8.04 LTS
v1.1 2010-Jun-29 Karri Huhtanen

1. Install Ubuntu Server 8.04 LTS

2. Install all updates:

% sudo apt-get update
% sudo apt-get upgrade

3. Install the additional packages

Enable the universe repository for Ubuntu by either adding the following lines or removing the comment marks, so that your /etc/apt/sources.list contains the following lines:

deb http://fi.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://fi.archive.ubuntu.com/ubuntu/ hardy universe
deb http://fi.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://fi.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe

The mirror host (ftp.fi.debian.org) may vary depending on the installation.

If the same host is used both for the WWW user interface and for OpenVPN termination, install the following packages:

% apt-get update
% apt-get install bridge-utils vlan ebtables openvpn libapache2-mod-python postgresql python-psycopg2

If the host serves only the WWW user interface, only the libapache2-mod-python, postgresql and python-psycopg2 packages are needed.

4. Install the Django framework

The Django framework packaged with Ubuntu 8.04 LTS is old. On newer Ubuntu versions the packaged Django framework can be used. For old Ubuntu releases a new version must be installed manually, either from the Django source packages or from up-to-date packages in some other repository. The framework can be found at http://www.djangoproject.com/ and downloaded to a working directory with the commands:

% wget http://www.djangoproject.com/download/1.1.1/tarball/
% tar zxf Django-1.1.1.tar.gz
% cd Django-1.1.1
% more INSTALL

As you can see from INSTALL, Django can be installed either by using the setup tool or by copying the django subdirectory under the Python site-packages directory. In Ubuntu 8.04 there exists /usr/local/lib/python2.5/site-packages, which is a good location for the Django files.
% sudo cp -pr django /usr/local/lib/python2.5/site-packages/

5. Create a database for PurpleNet

PurpleNet requires a database. Although SQLite could be used, all development and testing is done on a PostgreSQL database, which is set up as follows.

First create a user (purplenet) for database access:

% sudo -u postgres createuser -S -D -R -l -P -E purplenet
Enter password for new role:
Enter it again:

Write down or otherwise document this password, as it is the password of the database user.

Second, create a database (purplenetdb) with the purplenet user as owner:

% sudo -u postgres createdb --encoding=UTF-8 --owner=purplenet purplenetdb

You can check the result by listing the databases with the command:

% sudo -u postgres psql -l
        List of databases
    Name     |   Owner   | Encoding
-------------+-----------+----------
 postgres    | postgres  | UTF8
 purplenetdb | purplenet | UTF8
 template0   | postgres  | UTF8
 template1   | postgres  | UTF8
(4 rows)

To ensure that the PurpleNet database user has access to the database, /etc/postgresql/8.3/main/pg_hba.conf should already contain either:

host all all 127.0.0.1/32 md5

or the more specific:

host purplenetdb purplenet 127.0.0.1/32 md5

Both allow access for the purplenet user to purplenetdb via the local loopback interface. Remember to restart/reload PostgreSQL if you make any changes to pg_hba.conf.

6. Install PurpleNet

Download PurpleNet from SourceForge (http://purplenet.sourceforge.net/):

% wget -O purplenet-0.7.2.tar.bz2 http://sourceforge.net/projects/purplenet/files/purplenet-0.7.2/purplenet-0.7.2.tar.bz2/download
% bzip2 -dc purplenet-0.7.2.tar.bz2 | tar xf -
% mkdir -p /opt
% sudo cp -r purplenet-0.7.2 /opt
% sudo ln -s /opt/purplenet-0.7.2 /opt/purplenet
% cd /opt/purplenet/purplenet
% sudo cp settings.py.dist settings.py

Edit settings.py with the editor of your choice and set the following variables:

ADMINS = (
    ('Firstname Surname', 'firstname.surname@yourdomain'),
)

DATABASE_ENGINE = 'postgresql_psycopg2'
DATABASE_NAME = 'purplenetdb'
DATABASE_USER = 'purplenet'
DATABASE_PASSWORD = 'somepassword'
DATABASE_HOST = '127.0.0.1'
DATABASE_PORT = '5432'

MEDIA_ROOT = '/opt/purplenet/media'
MEDIA_URL = 'http://servername/purplenet/media/'
ADMIN_MEDIA_PREFIX = '/purplenet/media/admin/'

SECRET_KEY = 'SomeSecretKey'

LOGIN_URL = '/purplenet/login/'

TEMPLATE_DIRS = (
    '/opt/purplenet/templates',
)

FIXTURE_DIRS = (
    # os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "fixtures")),
    '/opt/purplenet/fixtures'
)

PURPLENET_LOGOUT_URL = "http://servername/"
PURPLENET_SETUP_KEY = "SomeOtherSecretKey"

Next you must configure the settings for creating the certificate infrastructure behind your OpenVPN service. The first configuration file is /opt/purplenet/libpurplenet/mkca.cnf. This file is used for creating the root CA, which then signs both the server CA and the client CA. In the file, change at least the following according to your own organisation:

countryName_default = FI
localityName_default = Tampere
organizationName_default = Research Organisation
organizationalUnitName_default = Certificate Authority

The next file is /opt/purplenet/templates/mkca/openssl.cnf. This file defines the attributes for the intermediate CAs for the OpenVPN server and clients:
countryName_default = FI
localityName_default = Tampere
organizationName_default = Research Organisation
organizationalUnitName_default = OpenVPN Connectivity Service

Now the settings should be ready for populating the database and creating a superuser for the whole system. You can do it with the following commands:

% cd /opt/purplenet
% source env.sh
% manage syncdb
Creating table auth_permission
Creating table auth_group
Creating table auth_user
Creating table auth_message
Creating table django_content_type
Creating table django_session
Creating table django_site
Creating table django_admin_log
Creating table openvpn_userinterface_siteconfig
Creating table openvpn_userinterface_interestingenvvar
Creating table openvpn_userinterface_clientca
Creating table openvpn_userinterface_serverca
Creating table openvpn_userinterface_intermediateca
Creating table openvpn_userinterface_clientcertificate
Creating table openvpn_userinterface_servercertificate
Creating table openvpn_userinterface_cacertificate
Creating table openvpn_userinterface_org
Creating table openvpn_userinterface_admingroup
Creating table openvpn_userinterface_client
Creating table openvpn_userinterface_logentry
Creating table openvpn_userinterface_networkprofile
Creating table openvpn_userinterface_profileinheritance
Creating table openvpn_userinterface_networkattributetype
Creating table openvpn_userinterface_networkattribute
Creating table openvpn_userinterface_network
Creating table openvpn_userinterface_mappingtype
Creating table openvpn_userinterface_orgmapping
Creating table openvpn_userinterface_mappingelement
Creating table openvpn_userinterface_server

You just installed Django's auth system, which means you don't have any superusers defined.
Would you like to create one now? (yes/no): yes
Username (Leave blank to use 'someuser'): administrator
E-mail address: firstname.surname@organisation
Password:
Password (again):
Superuser created successfully.
Installing index for auth.Permission model
Installing index for auth.Message model
Installing index for admin.LogEntry model
Installing index for openvpn_userinterface.ClientCA model
Installing index for openvpn_userinterface.ServerCA model
Installing index for openvpn_userinterface.IntermediateCA model
Installing index for openvpn_userinterface.ClientCertificate model
Installing index for openvpn_userinterface.ServerCertificate model
Installing index for openvpn_userinterface.CACertificate model
Installing index for openvpn_userinterface.Org model
Installing index for openvpn_userinterface.LogEntry model
Installing index for openvpn_userinterface.ProfileInheritance model
Installing index for openvpn_userinterface.NetworkAttribute model
Installing index for openvpn_userinterface.Network model
Installing index for openvpn_userinterface.OrgMapping model
Installing index for openvpn_userinterface.MappingElement model
Installing json fixture 'initial_data' from '/opt/purplenet/fixtures'.
Installed 7 object(s) from 1 fixture(s)

If something goes wrong, for example if you interrupt the database table creation, it is easier to start with a clean database. Delete the database with the command:

% sudo -u postgres psql
Welcome to psql 8.3.9, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

postgres=# DROP DATABASE purplenetdb;
DROP DATABASE
postgres=# \q

and recreate the database from scratch as shown earlier.

7. Configure Apache WWW server settings

The following configuration needs to be added to the running web server's configuration. In Ubuntu the default web server configuration can be found in /etc/apache2/sites-available/default.
<Location /purplenet>
    SetHandler python-program
    PythonHandler django.core.handlers.modpython
    SetEnv DJANGO_SETTINGS_MODULE purplenet.settings
    PythonOption django.root /purplenet
    PythonDebug On
    PythonAutoReload On
    PythonPath "['/opt/purplenet'] + sys.path"
    PythonInterpreter purplenet
</Location>

Alias "/purplenet/media/admin" "/usr/local/lib/python2.5/site-packages/django/contrib/admin/media/"
Alias "/purplenet/media" "/opt/purplenet/media"

<Location /purplenet/media>
    SetHandler None
</Location>

Apache now needs to be restarted with the new configuration, using the following command:

% sudo /etc/init.d/apache2 restart

8. Configure PurpleNet

Before the PurpleNet configuration, a new directory must be made for the PurpleNet Certificate Authority. This directory must be accessible by the web server.

% sudo mkdir -p /var/lib/purplenet/ca
% sudo chown www-data:www-data /var/lib/purplenet/ca
% sudo chmod 750 /var/lib/purplenet/ca

Now access the PurpleNet setup with your web browser at the URL:

http://yourwebserver/purplenet/setup/

Answer the questions. The already configured PURPLENET_SETUP_KEY can be found in your /opt/purplenet/purplenet/settings.py file. The common name for the various CAs can be, for example, the hostname of the WWW server on which the CA certificates are kept.

PURPLENET_SETUP_KEY from settings.py: SomeOtherSecretKey
Base directory for Certificate Authorities: /var/lib/purplenet/ca
Common Name for the root CA: purplenet-root-ca.organisation
Common Name for the server CA: purplenet-server-ca.organisation
Common Name for the client CA: purplenet-client-ca.organisation
Superuser account name: root
Superuser password: SuperUserPassword
Superuser password (again): SuperUserPassword

Follow the instructions and create an organisation. You can use the superuser credentials which you defined on the setup page. Now the rest of the configuration depends on your network environment and needs. Stay tuned for more concrete configuration examples in the future.
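The settings.py values shown in step 6 ('SomeSecretKey', 'SomeOtherSecretKey', 'somepassword') are placeholders: SECRET_KEY is Django's signing secret and PURPLENET_SETUP_KEY is what gates the /purplenet/setup/ page, so both need random, per-installation values. The following script is added to this guide and is not part of the PurpleNet distribution. It generates replacement secrets from the operating system's CSPRNG and audits a settings.py, read as plain text so nothing in it is executed, for secrets that are still the guide's placeholders or are too short. It assumes Python 2.6 or later (Python 3 included); the settings text embedded in it is constructed from the step 6 fragment.

```python
"""Generate replacement secrets for settings.py and flag placeholder values.

Added example for step 6 of the guide; not code from the PurpleNet project.
The settings file is parsed as text, never imported.
"""
import re
import string
from random import SystemRandom

# The example values used in step 6 of this guide; none may survive in a
# deployed settings.py. The empty string is included as a trivially bad value.
GUIDE_PLACEHOLDERS = frozenset(["SomeSecretKey", "SomeOtherSecretKey",
                                "somepassword", ""])
SECRET_SETTINGS = ("SECRET_KEY", "PURPLENET_SETUP_KEY", "DATABASE_PASSWORD")
MIN_SECRET_LENGTH = 16

# Matches single-line assignments such as   SECRET_KEY = 'value'  # comment
_ASSIGN_RE = re.compile(
    r"""^\s*([A-Z][A-Z0-9_]*)\s*=\s*(['"])(.*?)\2\s*(?:#.*)?$""", re.MULTILINE)

# No quotes or backslashes in the alphabet, so a generated value can be pasted
# into a Python string literal as is.
SECRET_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"


def generate_secret(length=50, rng=None):
    """Return a random string drawn from the OS CSPRNG via SystemRandom."""
    rng = rng or SystemRandom()
    return "".join(rng.choice(SECRET_ALPHABET) for _ in range(length))


def parse_string_settings(text):
    """Return {NAME: value} for every single-line string assignment."""
    return dict((m.group(1), m.group(3)) for m in _ASSIGN_RE.finditer(text))


def audit_settings(text):
    """Return [(setting, problem), ...]; an empty list means all three secrets
    are present, are not guide placeholders and are reasonably long."""
    values = parse_string_settings(text)
    problems = []
    for name in SECRET_SETTINGS:
        if name not in values:
            problems.append((name, "missing or not a plain string literal"))
        elif values[name] in GUIDE_PLACEHOLDERS:
            problems.append((name, "placeholder value from the guide"))
        elif len(values[name]) < MIN_SECRET_LENGTH:
            problems.append((name, "shorter than %d characters" % MIN_SECRET_LENGTH))
    return problems


# Constructed sample: the step 6 settings fragment with the placeholders left
# exactly as the guide shows them.
SAMPLE_SETTINGS = """\
DATABASE_ENGINE = 'postgresql_psycopg2'
DATABASE_NAME = 'purplenetdb'
DATABASE_USER = 'purplenet'
DATABASE_PASSWORD = 'somepassword'
SECRET_KEY = 'SomeSecretKey'
PURPLENET_SETUP_KEY = "SomeOtherSecretKey"
"""


if __name__ == "__main__":
    for name, problem in audit_settings(SAMPLE_SETTINGS):
        print("%s: %s" % (name, problem))
    for name in ("SECRET_KEY", "PURPLENET_SETUP_KEY"):
        print("%s = %r" % (name, generate_secret()))
```

To check a real installation, read /opt/purplenet/purplenet/settings.py into a string and pass it to audit_settings(); an empty result is the condition to aim for before step 8, since the setup page accepts whatever PURPLENET_SETUP_KEY is in that file.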
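The pg_hba.conf check in step 5 has a subtlety worth verifying rather than eyeballing: PostgreSQL applies the first record that matches the connection type, database, user and client address, so a broader record placed above the purplenetdb line (for example a trust line for 127.0.0.1/32 left over from testing) decides the authentication method and the md5 line below it never applies. The following parser is added here and is not part of PurpleNet or PostgreSQL; it reproduces that first-match rule for local and host records so you can see which line a loopback connection by purplenet would hit. It assumes Python 3.3 or later for the ipaddress module (run it from a workstation if the 8.04 host only has Python 2.5). The pg_hba.conf text inside it is constructed, with the trust line placed deliberately; role membership (+group) entries and the SSL distinction of hostssl/hostnossl are not modelled.

```python
"""Resolve which pg_hba.conf record PostgreSQL applies to a connection.

Added example for the step 5 pg_hba.conf check; not part of PurpleNet or
PostgreSQL. PostgreSQL reads pg_hba.conf top to bottom and uses the FIRST
matching record, so an earlier, broader line wins over a later specific one.
"""
import ipaddress

# Constructed sample. The 'trust' line above the md5 line is deliberate: it
# lets the purplenet user in over loopback with no password at all.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE     USER        CIDR-ADDRESS      METHOD
local   all          postgres                      ident sameuser
local   all          all                           ident sameuser
host    all          all         127.0.0.1/32      trust
host    purplenetdb  purplenet   127.0.0.1/32      md5
host    all          all         ::1/128           md5
"""

HOST_TYPES = ("host", "hostssl", "hostnossl")


def _host_network(fields):
    """Return (network, index of METHOD). The address is either CIDR notation
    or an IP followed by a separate netmask field (both valid in 8.3)."""
    addr = fields[3]
    if "/" not in addr and len(fields) > 5:
        try:
            ipaddress.ip_address(fields[4])          # a netmask, not a method
            return ipaddress.ip_network("%s/%s" % (addr, fields[4]), strict=False), 5
        except ValueError:
            pass
    return ipaddress.ip_network(addr, strict=False), 4


def parse_pg_hba(text):
    """Parse local/host records into dicts; comments, blank and unparsable
    lines are skipped."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            records.append({"type": kind, "database": fields[1], "user": fields[2],
                            "network": None, "method": fields[3]})
        elif kind in HOST_TYPES and len(fields) >= 5:
            try:
                network, idx = _host_network(fields)
            except ValueError:
                continue                             # not an IP address
            if len(fields) <= idx:
                continue                             # netmask form with no method
            records.append({"type": kind, "database": fields[1], "user": fields[2],
                            "network": network, "method": fields[idx]})
    return records


def _db_matches(field, database, user):
    for item in field.split(","):
        if item == "all" or item == database:
            return True
        if item == "sameuser" and database == user:
            return True
    return False


def _user_matches(field, user):
    # '+group' membership would need the role catalog; treated as no match.
    return any(item == "all" or item == user for item in field.split(","))


def first_matching_record(records, database, user, client_ip=None):
    """First record matching (database, user, client); None means the server
    rejects the connection outright. client_ip=None is a Unix-socket ('local')
    connection. SSL state is ignored, so hostssl/hostnossl act as plain host."""
    addr = ipaddress.ip_address(client_ip) if client_ip else None
    for rec in records:
        if addr is None and rec["type"] != "local":
            continue
        if addr is not None and (rec["type"] == "local" or addr not in rec["network"]):
            continue
        if _db_matches(rec["database"], database, user) and _user_matches(rec["user"], user):
            return rec
    return None


def loopback_method(text, database="purplenetdb", user="purplenet"):
    """Auth method applied to `user` connecting to `database` over 127.0.0.1,
    or None if no record matches."""
    rec = first_matching_record(parse_pg_hba(text), database, user, "127.0.0.1")
    return rec["method"] if rec else None


if __name__ == "__main__":
    print("sample as written:", loopback_method(SAMPLE_PG_HBA))
    without_trust = "\n".join(l for l in SAMPLE_PG_HBA.splitlines()
                              if not l.rstrip().endswith("trust"))
    print("with the trust line removed:", loopback_method(without_trust))
```

Run against the sample the first call reports trust, the second md5: the order of records, not the presence of the md5 line, is what the step 5 check has to confirm. Feed it the real file with open('/etc/postgresql/8.3/main/pg_hba.conf').read() after any edit and before the reload.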