Deploying Your Own Server with DigitalOcean

We had a Free Technology Workshop on deploying your own server. Each student has a DigitalOcean Virtual Private Server (VPS), called a droplet, which they will set up and then configure some servers on. DigitalOcean, as well as other websites, provides very good instructions for performing the setup. Here I collect the steps that we followed in the workshop into a single page so it is a bit faster. These instructions are copied from a few sources. It is probably best to follow the original sources rather than my instructions if you really want to understand the steps and/or set up some other options.

Notation

In the instructions I use the following notation:

Create a New Droplet

Once you have a DO account, create a new droplet. See the tutorial from DO for details. I created a droplet with the following information/options. You may choose different values (especially the hostname) if you desire.

Once created you will receive an email from DO which contains the public IP address of your droplet, as well as the root password. In the following I assume the public IP address is 1.2.3.4 - change it to the IP you received in the email.

Login to your Droplet

Open up a terminal on your computer (or PuTTY on Windows) and connect using ssh to your new droplet. E.g. in a terminal:

yourcomputer$ ssh root@1.2.3.4

Enter the root password that you received in the email, answer 'yes' if SSH asks you to confirm the host key of the new droplet, and then you should be logged in. If this is the first login, you will be prompted to change the root password. Do so now (which means you can skip the later step where you change the root password).

Initial Setup of Droplet

If you weren't prompted upon initial login, then change the root password:

root@droplet# passwd

Set the hostname:

root@droplet# echo "freetech" > /etc/hostname
root@droplet# hostname -F /etc/hostname

Check your IPv4 and global IPv6 addresses:

root@droplet# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 04:01:21:9b:30:01  
          inet addr:1.2.3.4  Bcast:1.2.3.255  Mask:255.255.192.0
          inet6 addr: fe80::601:21ff:fe9b:3001/64 Scope:Link
          inet6 addr: 2400:1234:0:d0::cc:1234/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:321987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348832 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:323746529 (323.7 MB)  TX bytes:309503051 (309.5 MB)

Add lines to /etc/hosts that map your IPv4 and global IPv6 addresses to your hostname. Also replace the hostname on the 127.0.1.1 line (if it is different from yours).

root@droplet# nano /etc/hosts
[edit the file, see the output of cat below to know what to edit]
Ctrl-X
root@droplet# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1  freetech
1.2.3.4    freetech
2400:1234:0:d0::cc:1234 freetech

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Set the timezone and check the time:

root@droplet# dpkg-reconfigure tzdata
[select Asia ... Bangkok]

Update the existing software packages:

root@droplet# apt-get update
root@droplet# apt-get upgrade --show-upgraded

Install some additional packages. You may want to skip this step if you don't know these packages or don't want to use them. I've selected a set that may be useful for the workshop demonstration.

root@droplet# apt-get install imagemagick subversion pdftk wget lynx iperf rsync unrar unzip iptraf nmap tcpdump sysstat zip

Add a new user to your droplet (choose your own username) and add that user to the sudo group:

root@droplet# adduser steve
root@droplet# usermod -a -G sudo steve

Prevent the "root" user from logging in via SSH. This minimises the chance that brute force attacks can break into your Droplet via a root login. Note that the following is a single command all on one line. There is a single space between PermitRootLogin and yes, as well as between PermitRootLogin and no.

root@droplet# sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

Now you will run everything as your newly created user. If you need admin privileges to perform some task, then precede the command with "sudo". Avoid logging in as the "root" user unless absolutely necessary.
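The sed one-liner above only matches the exact text "PermitRootLogin yes" and silently changes nothing if the directive is commented out, absent, or set to another value. The helper below is an added example (not from the workshop notes) that sets a directive whatever the line currently reads, and shows how to read back the value sshd will actually use; it assumes a Debian/Ubuntu droplet with sshd_config laid out as on this page.

```shell
# Added example, not from the original workshop notes. The page's one-line sed
# only matches "PermitRootLogin yes" exactly and does nothing if the directive
# is commented out, absent, or set to another value such as "without-password".
# This helper sets a directive whatever the line reads now. Assumes a
# Debian/Ubuntu droplet with sshd_config laid out as on the page.

# Usage: set_sshd_option <config file> <directive> <value>
# Removes every existing line for the directive (commented or not) and
# appends exactly one "directive value" line. Note: it appends at the end, so
# if the file has Match blocks the new line must be moved above them.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"
    tmp="$(mktemp)"
    # grep -v exits 1 when nothing is left to print, which is fine here
    grep -Ev "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$cfg" > "$tmp" || true
    printf '%s %s\n' "$key" "$val" >> "$tmp"
    cat "$tmp" > "$cfg"   # write in place so the file keeps its owner and mode
    rm -f "$tmp"
}

# Usage: effective_sshd_option <config file> <directive>
# sshd uses the FIRST uncommented occurrence of a directive, so print that one;
# a forgotten duplicate earlier in the file would silently win over your edit.
effective_sshd_option() {
    awk -v k="$2" '$1 == k && !done { print $2; done = 1 }' "$1"
}

# Demonstration on a constructed copy, so a mistake can never touch the live file.
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
# Authentication:
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication yes
EOF
set_sshd_option "$demo_cfg" PermitRootLogin no
effective_sshd_option "$demo_cfg" PermitRootLogin   # prints: no
rm -f "$demo_cfg"

# On the real droplet, as root, run the same helper on the live file and check
# the syntax before restarting, since a broken sshd_config can lock you out:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   sshd -t && service ssh restart
```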

Reboot your droplet (you really should first test that you can successfully log in with your newly created user in another terminal, just in case you made a mistake; but let's take a chance ...):

root@droplet# reboot

You will be logged out and return to the terminal prompt on your computer.

Configure Servers

From your actual computer, use SSH to login to the droplet, this time using your newly created user:

yourcomputer$ ssh steve@1.2.3.4

Once logged in to your droplet continue to setup the servers.

Apache Web Server

The Apache web server was automatically installed when we created the droplet (since we selected the LAMP option: Linux, Apache, MySQL and PHP). It is already running. You can test this by typing the IP address of your droplet into your browser. You should see a default page explaining the configuration of Apache. Let's remove that default page, as well as the info.php file, and create a new default page.

you@droplet$ sudo rm /var/www/html/index.html
you@droplet$ sudo rm /var/www/html/info.php
you@droplet$ sudo nano /var/www/html/index.html
[create a web page]
you@droplet$ cat /var/www/html/index.html
<html>
<head>
<title>Free Tech Workshop</title>
</head>
<body>
<p>
Free Tech Workshop
</p>
</body>
</html>

MySQL Database Server

We will create an example database on the MySQL database server. But before we do so we must find the MySQL root user password (note that MySQL users, including the root user, are not connected to the system users). When the droplet was created the MySQL root password was saved in a file (you may have noticed it in the welcome message when you logged in). Let's get the password, delete the file, then set up a database.

Get the MySQL root password:

you@droplet$ cat /etc/motd.tail

Change the MySQL root password (note that in the first mysqladmin command the string following -p is the actual word password):

you@droplet$ mysqladmin -u root -p password
Enter password: initialmysqlpassword
New password: newmysqlpassword
Confirm new password: newmysqlpassword

Delete the file that contains the initial MySQL root password:

you@droplet$ sudo rm /etc/motd.tail

Secure your MySQL installation, selecting the default values (except for creating a new root password):

you@droplet$ sudo mysql_secure_installation

Connect to the MySQL database as the MySQL root user:

you@droplet$ mysql -u root -p

After entering the new MySQL root password you will have a MySQL prompt to enter SQL statements. Create a new database called exampleDB:

mysql> create database exampleDB;

Set permissions for a MySQL user on that database. Use your own username, and choose your own password (it doesn't have to be, and should not be, the same as your login password):

mysql> grant all on exampleDB.* to 'student' identified by 'student';

Update and disconnect from MySQL:

mysql> flush privileges;
mysql> quit

Tor Relay

We will set up a Tor relay, i.e. a node that forwards other people's traffic. (If you want to run a Tor client, then it is probably easiest to run it on your computer, not on the droplet, e.g. install the Tor Browser Bundle.) There may be some legal issues if you run a Tor exit node, i.e. a node where traffic leaves the Tor network and enters the normal Internet, as servers on the Internet will identify the source as your droplet. We will NOT run a Tor exit node, but instead the much safer Tor relay (the node before the exit).

Edit /etc/apt/sources.list, adding a line to enable downloading the latest Tor version:

you@droplet$ sudo nano /etc/apt/sources.list
[add a line to the bottom as shown below]
you@droplet$ cat /etc/apt/sources.list
...
deb http://deb.torproject.org/torproject.org trusty main

Update the software packages and install Tor. We will also install ARM, which is a nice way to monitor your relay, and the Tor project keyring package, which makes future updates easier. First we need to import the signing key of the Tor software repository so that apt trusts it.

you@droplet$ gpg --keyserver keys.gnupg.net --recv 886DDD89
you@droplet$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
you@droplet$ sudo apt-get update
you@droplet$ sudo apt-get install deb.torproject.org-keyring
you@droplet$ sudo apt-get install tor tor-arm

Now that Tor is installed we will set up the relay by editing the file /etc/tor/torrc. The file contains comments explaining the parameters. Below I show the parameter values I set by uncommenting them (removing the # character).

you@droplet$ sudo nano /etc/tor/torrc
[edit/uncomment the parameters as highlighted below; don't change others]
you@droplet$ cat /etc/tor/torrc
...
ORPort 9001
Nickname freetech
RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
AccountingMax 4 GB
AccountingStart day 00:00
ExitPolicy reject *:* # no exits allowed
DisableDebuggerAttachment 0
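Since the whole point of this configuration is to run a non-exit relay, it is worth checking the edited torrc before restarting Tor. The script below is an added example (not from the workshop notes or the Tor project) that reads the file the way Tor does (ignoring comments, including the trailing comment on the ExitPolicy line) and refuses if the exit policy contains any accept rule, does not end with reject *:*, or sets ExitRelay 1; it assumes the torrc layout shown on this page.

```shell
# Added example, not part of the original workshop notes: a pre-flight check to
# run against /etc/tor/torrc before "service tor restart". It fails if the file
# lacks the relay settings set above, or if the exit policy would make the
# droplet an exit node (any "accept" in ExitPolicy, a last policy other than
# "reject *:*", or ExitRelay 1). Assumes the torrc layout shown on this page.

# Usage: torrc_get <file> <option>
# Prints the value of each uncommented line for the option, in file order,
# with trailing "# ..." comments stripped (the page's ExitPolicy line has one).
torrc_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }                 # whole-line comment
        { sub(/[[:space:]]*#.*$/, "") }           # trailing comment
        $1 == k { $1 = ""; sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}

# Usage: check_non_exit_torrc <file>; returns 0 if safe to restart, 1 otherwise.
check_non_exit_torrc() {
    f="$1"; rc=0
    [ -n "$(torrc_get "$f" ORPort)" ]   || { echo "ORPort not set: not a relay"; rc=1; }
    [ -n "$(torrc_get "$f" Nickname)" ] || { echo "Nickname not set"; rc=1; }
    # Tor evaluates ExitPolicy entries in order, first match wins, so an accept
    # anywhere before the final reject *:* turns this into an exit node.
    if torrc_get "$f" ExitPolicy | grep -q accept; then
        echo "ExitPolicy contains an accept rule"; rc=1
    fi
    last="$(torrc_get "$f" ExitPolicy | tail -n 1)"
    [ "$last" = "reject *:*" ] || { echo "last ExitPolicy is not 'reject *:*'"; rc=1; }
    [ "$(torrc_get "$f" ExitRelay)" != "1" ] || { echo "ExitRelay 1 is set"; rc=1; }
    return "$rc"
}

# Demonstration on a constructed file that mirrors the settings on this page.
demo_torrc="$(mktemp)"
cat > "$demo_torrc" <<'EOF'
ORPort 9001
Nickname freetech
#ExitPolicy accept *:80,accept *:443   # left commented out
ExitPolicy reject *:* # no exits allowed
EOF
check_non_exit_torrc "$demo_torrc" && echo "torrc OK: non-exit relay"
rm -f "$demo_torrc"

# On the droplet, run the check and Tor's own syntax check before restarting:
#   check_non_exit_torrc /etc/tor/torrc \
#     && sudo -u debian-tor tor --verify-config -f /etc/tor/torrc \
#     && sudo service tor restart
```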

Restart Tor and then start ARM to monitor:

you@droplet$ sudo service tor restart
 * Stopping tor daemon...                                                [ OK ] 
 * Starting tor daemon...                                                [ OK ]
you@droplet$ sudo -u debian-tor arm

The Tor relay spends a few minutes getting started, and then gradually starts to forward traffic.

PPTP Server

Install the PPTP software:

you@droplet$ sudo apt-get install pptpd

Set the tunnel IP addresses by editing /etc/pptpd.conf and adding two lines at the end:

you@droplet$ sudo nano /etc/pptpd.conf
[edit to set the localip and remoteip values]
you@droplet$ cat /etc/pptpd.conf
...
localip 10.0.1.1
remoteip 10.0.1.2-15

Add DNS servers for MS Windows clients by pointing to Google's DNS servers:

you@droplet$ sudo nano /etc/ppp/pptpd-options
[edit to add two lines with DNS servers similar to below]
you@droplet$ cat /etc/ppp/pptpd-options
...
ms-dns 8.8.8.8
ms-dns 8.8.4.4
...

Create a username and password:

you@droplet$ sudo nano /etc/ppp/chap-secrets
[edit as below]
you@droplet$ sudo cat /etc/ppp/chap-secrets
steve pptpd mysecretpassword *

Enable IP forwarding by editing /etc/sysctl.conf and uncommenting the entry that sets ip_forward to 1.

you@droplet$ sudo nano /etc/sysctl.conf
[uncomment #net.ipv4.ip_forward=1 by removing hash]
you@droplet$ cat /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...
you@droplet$ sudo sysctl -p

Setup the firewall:

you@droplet$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
you@droplet$ sudo iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
you@droplet$ sudo iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

Restart the PPTP server:

you@droplet$ sudo service pptpd restart
 * Restarting PoPToP Point to Point Tunneling Server pptpd   [ OK ] 

OpenVPN Server

Download and run a script that simplifies the installation process for OpenVPN. When you run the script you will be asked a few questions; select the default answers. Then OpenVPN will be set up (the key creation step may take a few minutes).

you@droplet$ wget http://git.io/vpn --no-check-certificate -O openvpn-install.sh
you@droplet$ chmod +x openvpn-install.sh
you@droplet$ sudo ./openvpn-install.sh

Now on your computer (not the droplet) you need to configure the OpenVPN client. Assuming OpenVPN is already installed, download and unpack the config file created by your OpenVPN server:

yourcomputer$ scp steve@1.2.3.4:/home/steve/ovpn*.tar.gz .
yourcomputer$ tar xzvf ovpn-client.tar.gz
client.conf
ca.crt
client.crt
client.key

Copy the extracted files into the /etc/openvpn directory. If your client is using a different operating system, follow the instructions from OpenVPN as to where to put these configuration files.

yourcomputer$ sudo cp client.conf ca.crt client.crt client.key /etc/openvpn/

(Re)start the OpenVPN client on your computer. On Linux:

yourcomputer$ sudo service openvpn restart

Check that the tunnel interface has been created.

yourcomputer$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:76146 (76.1 KB)  TX bytes:30034 (30.0 KB)

You can now use the VPN, e.g. visit a website that tells you your IP address - it should show the public IP address of your droplet. You can stop the OpenVPN client:

yourcomputer$ sudo service openvpn stop

Other Things To Do

Some ideas for other things you may want to setup, and guides/instructions for different sources (most should be applicable to your droplet):