So I finally got back to the grind and updated The Seven Minute Server!
I was inspired to update it for two reasons:
We were camping at this really cool brewery…but their network blocked both port 1194 (the default VPN port) and port 22 (what!). I’ve configured most of my working systems to only allow me to connect from a VPN that I couldn’t access…so I ate my own dog food for the first time in a while, popped open https://github.com/jenh/sevenminutevpn and launched a new VPN on a high port they didn’t block, added it to my security group, et voilà, back in business. Five minutes to resolve the entire problem.
I got an email from a reader running into problems in the OSSEC section as my instructions didn’t work with the latest and greatest version and I realized I needed to bring things up-to-date.
Here’s a summary of what’s changed:
New procedures for OpenVPN 2.4.7 on Amazon Linux 2 (with systemd) and OSSEC 3.3.0.
New procedures for automating ad server blocking and obtaining/installing/auto-renewing TLS certificates using LetsEncrypt.
Instructions for firewalld instead of iptables when configuring OpenVPN (I did leave in some iptables instructions in Extending Your VPN Server, mostly because I do think it’s important to know the “old ways”).
Miscellaneous editorial content updates and improvements. I.e., many typos fixed, but 19-year-old me is still pretty disappointed at the typos old-me keeps letting fall through.
If you’ve already purchased the ebook, it should update automatically (in fact, ad blocking with dnsmasq was added back in 2018, so that’s not really new there…but it is new in the paperback).
Updating the book was fun: I got to see how things have changed a little in the last two years (firewalld with firewall-cmd is fun and straightforward to use…sorry, sweet iptables!), and I went back through that OSSEC chapter and wondered…“How did my rules ever work?” But they work now.
One other thing I did for the first time — and I don’t know why I didn’t run repeatable test cases before — was to run the sevenminutevpn scripts on Lightsail from my cell phone and clock it. Gotta tell you the honest truth:
The Seven Minute VPN is a lie.
On my iPhone SE (!), I clocked an average of 5:59 from start to active connection across multiple tests. Pretty neat!
Now if we could just get Netflix to stop blocking EC2 IPs…;)