Multiple OpenVPN Clients Sharing the Same Certificate

Traditionally I've been configuring OpenVPN in a scenario where each client would have a unique certificate. This requires a bit more time initially but is well worth it in terms of security.

Sometimes this is not needed though, so you can probably get away with multiple clients sharing the same certificate. This way you build a client key once and then propagate it across all the clients that you plan on connecting to your VPN server.

While setting this up just now, I noticed a curious thing: by default all clients with the same cert would end up having the same internal IP address. This behaviour is unlikely to be what you wanted though.

So in order to allow multiple OpenVPN clients share the same client certificate but enjoy a unique internal IP address (so that clients could connect to each other, for instance), add the following line to your OpenVPN server:


That's it! Restart your openvpn service and enjoy.

Ansible 2.0

If you're managing configuration with Puppet or Chef, chances are you've heard of Ansible as well.

Just last week we got Ansible 2.0 released which brings quite a few improvents on top of a massive refactoring.

I'm quite late starting with Ansible but very impressed with it so far: it's a great way of quickly confirming remote server's state with SSH and sudo AND a neat way of scripting configurations with Ansible playbooks.

I have written my first playbook two weeks ago and need to change them now so that they follow the updated syntax.

Are you guys using Ansible as well?


Centralized BASH history with timestamps

For every Unix user, there comes a point where shell history suddenly becomes very relevant. You learn to consult it, then start recovering the last command, then switch to searching past commands history to save precious time normaly taken typing.
Shortly after such a point in your life, you'll probably want to enhance your shell history in two very common ways:
  1. Make sure every terminal window can update AND access your centralized shell history. So you run a command or two in one window, then type "history" anywhere else and see them two commands right there.
  2. Provide meanigful timeline, this is done with timestamps. Very simple and powerful change helps you see exactly when each command occured.

Here's how you achieve both of these massive improvents to your history in BASH. Just add this to /etc/bashrc on your Linux system:

export HISTTIMEFORMAT="%d.%m.%y %T "
export HISTCONTROL=ignoredups:erasedupsshopt -s histappend
export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND$'\n'}history -a; history -c; history -r;"
export HISTCONTROL=ignoreboth

How To Create an Alias in Unix shell

When you want to save yourself from typing an unwieldy command over and over again you can create and use an alias for it. It will then act as a shortcut to the larger command, which you can type and run instead.

Creating aliases in UNIX (and Linux) is done with a simple alias command which follows this format: alias name='command you want to run'.

Replace the "name" with your shortcut command, and "command you want to run" with the larger command you want to create an alias of. Here's a simple example:

alias accesslog='tail -f /var/log/lighttpd/access.log'  

In this example I've effectively created a new accesslog command which is an alias of the tail -f /var/log/lighttpd/access.log command. What it does is follow the access.log file and display new entries in it as they happen. Now instead of having to write the whole tail -f command every time I want to look at what's happening in the access.log file I can simply run the accesslog alias command instead, which is pretty nifty.

What if I want to unset the alias once I no longer need it or wish to set a new better alias? Well, simply run:

unalias accesslog  

Quite logical. Now the accesslog alias no longer exists.

One thing to keep in mind though is that aliases that are set this way get lost the moment you close the command line session, or in other words, they are temporary. If you want to save aliases permanently you will have to edit the bash configuration file, which is usually .bashrc or .bash_profile residing in your user home directory. You can edit whichever you prefer, or whichever exists on your system.

To edit .bashrc just open it in a command line text editor such as nano, or any other you might prefer, and add the same exact alias command as in the above example at the bottom of it, or find where other aliases are already set and add yours after them.

nano .bashrc  

Once you add your aliases save the file, which in the nano editor is done by pressing the Сtrl-x keyboard shortcut, answering "y" when asked to save, and hitting enter.

Now your alias is saved permanently, and it will therefore work even after you close the session and come back. Of course, to remove the permanent alias just edit the file again and remove the line you've just added. If it's still set run the unalias command as shown above and it will be gone.

Note that aliases are set for the currently active user. So you have to edit the .bashrc file in the home directory of that user. If you're logged in as root that would be /root/.bashrc, and if you're logged in as joe, for example, it will be in /home/joe/.bashrc. If you try to run root's alias while acting as joe or vice versa you'll get a "command not found" error.

Also note that aliases added to .bashrc aren't active immediately after you save the file since that file is read on user's login. If you log out and log back in then it will work.

Finally, once you have a bunch of aliases set up you might want to check up on which aliases are available. To do that just run the alias command by itself:


And it will list something like this:

alias accesslog='tail -f /var/log/lighttpd/access.log' 
alias ls='ls --color=auto'  

The list represents all of the aliases that have been set in .bashrc, or on the command line during the current session. In the above example we see my accesslog alias, and another one for the ls command associating it with the ls –color=auto command, which simply adds some coloring to our ls lists.

That brings us to the final point worth a mention, as demonstrated by the above ls alias, and that is that you can alias an already existing real command. For example if we have a nmon command installed, which shows various system activity information, we can actually turn it into an alias for the top command, which also shows system activity.

You probably don't want to do this, or at least, you don't want to keep this alias, but for the sake of demonstration:

alias nmon='top'  

And now when you run nmon, instead of opening the actual nmon program it will open top. In other words the alias is masking the original command.

This serves as a word of caution when it comes to setting names of aliases; try to avoid setting names that match existing commands. Chances are you'll want those commands doing what they're supposed to do, except in special cases like the above ls alias, which simply aliases to its own coloring options.

And that's how aliases work in UNIX (and Linux).

How To: Make IP Forwarding Permanent in Linux

While IP forwarding in Linux is disabled by default, as most people don't need it, there may be various reasons why you might want it enabled. Enabling IP forwarding is easy. First let's check if it is already enabled, by running the sysctl command as follows:

$ sysctl net.ipv4.ip_forward

If it is disabled the result will be:

$ net.ipv4.ip_forward = 0

… otherwise instead of "0" the value will be "1".

It gets this setting from the /proc/sys/net/ipv4/ip_forward file so another way of checking it is to just see what value is in that file, like this:

$ cat /proc/sys/net/ipv4/ip_forward

It will just return "0" for disabled or "1" for enabled. If it is disabled you can enable IP forwarding by changing the value from 0 to 1 using either of the following two commands with superuser privileges (sudo or login as root):

# sudo sysctl -w net.ipv4.ip_forward=1
# echo 1 > /proc/sys/net/ipv4/ip_forward

The latter may require you to be logged in as root. This would enable IP forwarding immediately, but after a reboot it will revert back to default. To permanently enable IP forwarding you would need to edit the /etc/sysctl.conf configuration file (with superuser privileges or as root). Specifically look for the lines that say:

# Uncomment the next line to enable packet forwarding for IPv4
# net.ipv4.ip_forward=1

To uncomment it just remove the hash sign # in front of net.ipv4.ip_forward=1, as the comment above it instructs. If the value there says "0" just change it to "1". Once you save the file IP forwarding will remain enabled permanently, or until you disable it again.

Installing VLC in Ubuntu

An extremely popular and extremely powerful VLC Media Player by VideoLAN is known for its ability to play just about any media file format you can throw at it.

Great news is that VLC is readily available from Ubuntu default repositories, and you can install it by opening the Ubuntu Software Center, searching for "VLC", and clicking install.

Or you can just open the terminal and run this apt-get command:

$ sudo apt-get install vlc

If this is just too easy or (more likely) you wish to have the latest and greatest version of VLC you can get one from a third party PPA repository. Note though that this is not officially supported by VideoLAN nor Ubuntu, and you just may run into an occasional bug, even though most of the times everything's fine.

A third party repository is maintained by a user djcj at

You can add this repository by running:

$ sudo add-apt-repository ppa:djcj/vlc-stable

Then update the package database to include the new repository:

$ sudo apt-get update

Now simply install vlc as usual:

$ sudo apt-get install vlc

Also note that if you're gonna be doing any transcoding with VLC you should also install libavcodec-extra, and if you wish to use the VLC browser extension you'll also need browser-plugin-vlc. To make sure you got them all just run:

$ sudo apt-get install vlc libavcodec-extra browser-plugin-vlc

And you're done. For all information about VLC visit its web site at


Ubuntu: How To Enable SSH

Secure Shell (SSH) allows secure communication between networked computers for such purposes as logging in to a remote computer, running some commands remotely, and transferring files (with the scp command).

By default SSH is not enabled in Ubuntu. There is an ssh command installed, but it is only a client, and only allows you to login into another computer, not to allow others to login into yours.

To enable that you first need to install the OpenSSH Server. To do that just use apt-get:

sudo apt-get install openssh-server

If you prefer you can also search for openssh server in the Ubuntu Software Center and install it that way.

Once it is installed you need to enable it in the OpenSSH Server configuration. To do this open and edit the /etc/ssh/ssh_config file with superuser privileges:

sudo nano /etc/ssh/ssh_config

The nano program is a terminal based text editor, but if you prefer a graphical editor you can open it in gedit:

$ sudo gedit /etc/ssh/ssh_config

In that configuration file look for the Port 22 line and uncomment it by removing the preceding hash sign #. That's all you need to edit to get the SSH server working, but if you wish you can review, enable, and edit other configuration options.

Once you're done save the file and restart SSH (which was started automatically when openssh-server was installed) for changes to take effect:

sudo service ssh restart

… or using the old method:

$ sudo /etc/init.d/ssh restart

Your Ubuntu machine will now be able to accept SSH logins and communications through its IP address or host domain.

Ubuntu: how to clean APT cache

Ubuntu uses APT (Advanced Package Tool) for installing, removing and managing software on the system, and in doing so it keeps a cache of previously downloaded and installed packages even after they've been uninstalled.

To save disk space the apt cache can be cleaned. This can be done in one of two ways. First will do it partially:
$ sudo apt-get autoclean
This command will remove only the outdated packages, like those superseded by a recent update, making them completely unnecessary.

This may free up some disk space, but if you want to clean out the cache in its entirety you would run:
$ sudo apt-get clean
This command will remove all of the cached packages, saving the most space. This just means that if you were to ever need a package that was cached it will simply have to be downloaded again. Depending on your connection speed and data plan this may or may not be of concern. Other than that, it is safe to do.

Perhaps noteworthy is that the apt cache resides in /var/cache/apt/archives/. You can see them if you run the ls command on that path or view it in a file manager. Manually removing packages from this directory should be safe, but with the simpler and faster methods above there's no need.

Book Review: Linux iptables Pocket Reference

I've just read a really useful book on iptables: Linux iptables Pocket Reference.

It's a great reference book which is quite short but packed with more details than you'll ever want to know.

For my review of this book, please read the post on Books @ UnixTutorial website: Linux iptables Pocket Reference review.

Welcome to the all new Unix Tutorial!

Hey guys, just wanted to let you know that Unix Tutorial is now sporting a modern theme that will make it even easier to find and read articles on different topics.

Unix Tutorial Priorities for 2014 so far

  • finish the Unix Tutorial: Guide to SSH
  • expand the Unix Glossary section
  • write more about OSX command line

Anyone has more ideas? Please leave a comment so that I know!