CDS Protocols

Introduzione

I protocolli CDS (Chlorine Dioxide Solution) sono un insieme di procedure e linee guida che coinvolgono l’uso del biossido di cloro come disinfettante e potenziale terapia complementare per una varietà di condizioni di salute. Il biossido di cloro è un composto chimico noto per le sue proprietà ossidanti e disinfettanti.

Il biossido di cloro è un composto chimico formato da un atomo di cloro e due atomi di ossigeno, con formula chimica ClO2. Si tratta di un gas di colore giallo-verde che viene utilizzato principalmente come agente disinfettante in diversi settori. Le sue proprietà ossidanti lo rendono efficace nel combattere batteri, virus, funghi e alghe, in quanto reagisce con le sostanze organiche e inorganiche, distruggendole o inattivandole. Il biossido di cloro viene prodotto mediante la reazione chimica tra acido cloridrico e clorato di sodio. È importante notare che il biossido di cloro non deve essere confuso con il cloro, poiché sono due sostanze chimiche distinte. Mentre il cloro è noto per la sua tossicità, il biossido di cloro è considerato meno tossico e viene utilizzato in concentrazioni diluite come disinfettante in diversi contesti industriali.

L’uso del biossido di cloro come disinfettante risale a molti anni fa ed è stato ampiamente utilizzato in vari settori, come il trattamento dell’acqua e la disinfezione di superfici.

Il vasto utilizzo di questa soluzione, implica che l’uso del biossido di cloro potrebbe aiutare a combattere malattie infettive, disturbi autoimmuni e persino il cancro. Si sostiene da picoli gruppi di comunità scientifiche che il biossido di cloro abbia proprietà antimicrobiche e possa ridurre l’infiammazione nel corpo, promuovendo così il benessere generale.

L’uso dei protocolli CDS coinvolge spesso la preparazione di una soluzione di biossido di cloro diluita.
Questa soluzione viene quindi assunta o applicata localmente, seguendo procedure specifiche e dosaggi consigliati

Andreas Kalcker

l’ideatore di questi protocolli è Andreas Kalcker.

Andreas Kalcker è un noto ricercatore, scienziato e difensore della salute, che si è guadagnato una certa notorietà per le sue ricerche nel campo della medicina alternativa e delle terapie complementari. Le sue scoperte e le sue teorie si concentrano principalmente sull’uso del biossido di cloro come possibile trattamento per una serie di condizioni di salute.

Nato in Germania, Kalcker ha studiato biologia e biochimica presso l’Università di Gottinga, dove ha approfondito la sua passione per la scienza e la ricerca. Successivamente, ha lavorato in vari paesi, tra cui la Spagna e il Messico, per ampliare la sua conoscenza e l’ambito delle sue ricerche.

L’importanza delle ricerche di Kalcker risiede nel suo impegno per trovare soluzioni alternative per malattie e disturbi che spesso non trovano una risposta adeguata nella medicina convenzionale. Si è concentrato in particolare sulle malattie croniche, come l’autismo, il cancro, il morbo di Lyme e altre condizioni che possono avere un impatto significativo sulla qualità della vita delle persone.

Kalcker è noto per aver esplorato l’uso del biossido di cloro come possibile trattamento per queste malattie. Il biossido di cloro, anche conosciuto come MMS (Miracle Mineral Solution), è un composto chimico che ha dimostrato proprietà antimicrobiche e antiparassitarie. Secondo le sue teorie, il biossido di cloro potrebbe essere in grado di uccidere agenti patogeni, inclusi virus, batteri e parassiti, all’interno del corpo umano, contribuendo così al miglioramento della salute.

I protocolli

I protocolli disponibili, ricoprono una vastissima gamma di utilizzi, vengono impiegati in base alle necessità.
Di seguito vengono riportati diversi documenti di divulgazione scientifica a dimostrazione delle tesi poste dai sostenitori di questa cura alternativa.

Tutti questi protocolli sono disponibili presso il suo sito ufficiale cliccando qua ma li allego di seguito poichè la probabilità che il sito venga abbattuto non è bassa.

Insieme al pdf con tutti i protocolli sono allegati documenti di ricerca e le stesse pubblicazioni di kalcker

DocumentoDownload
PROTOCOLLI CDS IN PDFDownload
FORBIDDEN HEALTH (EN) LIBRODownload
LA GUIDA DEL DMSO (IT) LIBRO Download
LA CONSPIRAZIONE DEL BORACE ARTICOLODownload
CURE PROIBITE Download

ATTENZIONE

Tieni a mente; i risultati sono solo valutazioni di ricerche sperimentali su volontari. Non costituiscono alcun tipo di consiglio o prescrizione medica. Non postuliamo alcuna raccomandazione a nessuno…. per qualsiasi condizione o malattia specifica. 

Jews in the American Porn Industry: A Disproportionate Role in Adult Entertainment by Nathan Abrams

Who is Nathan Abrams

Nathan Abrams is an author, scholar, and academic known for his work in the field of Jewish studies and popular culture. He has written extensively on various topics, including Jews in the American porn industry, Jewish involvement in Hollywood, and Jewish identity in contemporary society. His notable article, “Jews in the American Porn Industry,” published in the Jewish Quarterly in 2004, examines the historical and cultural aspects of Jewish participation in the adult film industry in the United States. Abrams’ research sheds light on the disproportionate role of secular Jews in shaping and contributing to the development of the porn industry.

Summary of “Jews in the American Porn Industry”

The article “Jews in the American Porn Industry” by Nathan Abrams explores the significant involvement of secular Jews in the adult film industry in the United States. Despite representing only two percent of the American population, Jews have played a prominent and disproportionate role in various aspects of pornography, including distribution, production, and performance. The author highlights key figures such as Reuben Sturman and Steven Hirsch, who made significant contributions to the industry. The article also discusses notable Jewish performers like Ron Jeremy and Seymore Butts, emphasizing their impact and fame within the adult film world. The author suggests that Jewish involvement in pornography can be attributed to factors such as the absence of discrimination against Jews in the industry, a desire for financial success, rebellion against societal norms, and the pursuit of personal and sexual liberation. While Jewish cultural identity is often present, many individuals involved in the industry are secular and not religiously affiliated. Overall, the article argues that Jewish participation in the porn industry can be seen as a form of rebellion, an expression of personal freedom, and a challenge to mainstream Christian values in America.

You can read the full article here:

Other Data

Here you can see a picture portraying the BIG envolvement of jewish actors and producers in the pornography industry.

Epstein’s little black book

What am i talking about

“Epstein’s Little Black Book” refers to a notorious document associated with the late financier and convicted sex offender, Jeffrey Epstein. This book, also known as the “Address Book,” was discovered during investigations into Epstein’s alleged criminal activities. It contained the names, contact information, and personal details of numerous influential individuals from various fields, including politicians, celebrities, businessmen, and other prominent figures.

The importance of Epstein’s Little Black Book lies in its potential to shed light on the extent of Epstein’s connections and his alleged involvement in a vast network of underage sex trafficking and exploitation. The book has been a subject of intense scrutiny and speculation, with many hoping it would uncover the truth about Epstein’s powerful associates and the depths of their involvement in his illicit activities.

Epstein’s disgusting deeds revolve around his criminal activities related to sex trafficking and the exploitation of minors. He was accused of operating a vast network that involved recruiting and sexually abusing underage girls, often promising them financial incentives or career opportunities. Epstein’s victims, many of whom were vulnerable and economically disadvantaged, alleged that they were coerced into engaging in sexual acts with him and other influential individuals connected to his circle.

Incriminating Files

FileDownload
Epstein’s black bookdownload
Epstein Docsdownload
you can also read the black book here:

Who was epstein?

Jeffrey Epstein was a jewish wealthy financier and convicted sex offender who became known for his connections to numerous influential individuals. Born in 1953, Epstein worked in the financial industry, eventually amassing a substantial fortune. He frequently associated with high-profile figures from the worlds of politics, business, and entertainment, building a network of influential acquaintances.

Some of the notable people linked to Epstein include

  • Prince Andrew, the Duke of York, who faced allegations of sexual misconduct and had a friendship with Epstein
  • former U.S. President Bill Clinton, who flew on Epstein’s private plane multiple times;
  • Alan Dershowitz, who defended Epstein against previous accusations.
  • Bill Gates, the co-founder of Microsoft and philanthropist, had some limited contact with Epstein. Gates admitted to meeting with Epstein on multiple occasions, particularly in the early 2010s, to discuss philanthropy and global health initiatives.
  • Donald Trump, the 45th President of the United States, received multiple visits from Epstein at his Mar-a-Lago resort, and once commented that Epstein was a “terrific guy” who liked women “on the younger side.”
  • A lot more

Epstein’s Death

The controversy surrounding Epstein’s death stems from the circumstances surrounding his apparent suicide in jail on August 10, 2019. While awaiting trial on charges of sex trafficking, Epstein was found dead in his cell at the Metropolitan Correctional Center (MCC) in New York City. His death raised numerous questions and led to widespread speculation about a possible cover-up or foul play, as he had connections to powerful individuals who might have wanted to prevent him from revealing damaging information.

Epstein’s death sparked several conspiracy theories and investigations into the circumstances surrounding it. The official cause of death was ruled as suicide by hanging, but the handling of the case by authorities has faced criticism and skepticism. The controversy surrounding Epstein’s death has only fueled public interest in understanding the full extent of his crimes and the possible involvement of influential individuals who may have wanted to silence him.

Configuring Ejabberd + TLS + Let’s Encrypt

Intro

Hi everyone, in this tutorial i’m going to explain you how to setup a TLS secured Ejabberd server on your raspberry pi.

What is Ejabberd?

Ejabberd is a powerful open-source instant messaging server based on the XMPP (Extensible Messaging and Presence Protocol) standard.

Ejabberd is designed to handle a large number of concurrent users and is highly scalable, reliable, and secure. It supports a wide range of features, including group chats, message archiving, push notifications, and user authentication.

One of the key strengths of ejabberd is its modular architecture, which allows developers to add new features and extend its functionality easily. Additionally, ejabberd provides a web-based administration console that allows administrators to manage users, chat rooms, and other aspects of the server configuration.

Overall, ejabberd is an ideal choice for building real-time messaging and collaboration applications that require a robust and scalable backend infrastructure.

What is TLS Encryption?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure and encrypted communication channel between two networked devices. In the case of ejabberd, TLS encryption can be used to secure the communication channel between the client devices (such as mobile devices, desktops, or other servers) and the ejabberd server.

When a client connects to an ejabberd server over an unencrypted connection, all the data exchanged between them can potentially be intercepted and read by a third party. This can be a major security risk, especially when the exchanged data includes sensitive information such as login credentials, private messages, or personal information.

By using TLS encryption, ejabberd can ensure that all the data exchanged between the client and the server is encrypted and can only be decrypted by the intended recipient. This helps to prevent eavesdropping, data tampering, and other security threats.

In addition to security, using TLS encryption can also help to improve the reliability and performance of the ejabberd service. Encrypted connections can help to prevent data loss or corruption due to network errors or malicious attacks, and can also help to reduce the risk of performance degradation caused by network congestion.

What is Let’s Encrypt?

When it comes to TLS encryption and ejabberd, Let’s Encrypt is a popular choice for obtaining digital certificates to enable secure communication over the XMPP protocol. Let’s Encrypt provides free digital certificates that are trusted by major web browsers, and can be used to secure the communication channel between the ejabberd server and client devices.

To enable HTTPS (HTTP Secure) on a website or service, including ejabberd, a digital certificate is required. Traditionally, obtaining and managing digital certificates has been a complex and expensive process, but Let’s Encrypt has made it easier and more accessible by providing free, automated certificate issuance and renewal.

In the case of ejabberd, Let’s Encrypt can be used to obtain a digital certificate that can be used to enable TLS encryption on the XMPP communication channel.

My scenario

to fully understand what i’m doing, you should understand before my setup scenario:
I did setup a raspberry in my LAN with the static IP 192.168.1.80, yet i didn’t want it to work only on my LAN, i wanted it to operate on the internet, thus allowing people to join my XMPP server freely.
How did i achieve that?

simple, with port forwarding

Port forwarding is a technique used to allow external devices to access services on a local network. It involves configuring a router or firewall to forward incoming network traffic from a specific port on the public IP address to a specific port on a device within the private network. This allows the device to receive and respond to incoming network requests from the internet. Port forwarding is commonly used to allow remote access to services such as web servers, email servers, and gaming servers hosted on a local network.

Last things i had to deal with were:

  1. Ejabberd doesn’t like IPs as hostnames. they require a Domain
  2. i Wanted people to easily access my raspbery without having to memorize an IP address that could change over time due to the lease time of the ISP.
  3. Certificates are associated to domains, not IP addresses

To deal with these “troubles” i decided to create a type A DNS record (xmpp.risingpirates.com) in my website (this) linking it to my public ip address.

This whole process is also called Self Hosting.

You will need

  • Raspberry Pi
  • Internet Connection
  • Domain
  • Access to your router configuration
  • Access to your Domain’s DNS settings

Setup Tutorial

1) Installing Ejabberd

to install ejabberd simply input these commands on the Raspberry pi’s Terminal

        # Update the package manager cache
        sudo apt-get update
        
        # Install ejabberd using the package manager
        sudo apt-get install ejabberd
        
        # Follow the prompts to complete the installation

        now that you’ve installed it, let’s move on to the next step.

        2) Generating certificates for our domain (or sub-domain)

        To to this we will need help of a good Friend, called certbot

        Certbot

        Certbot is a free and open-source client that automates the process of generating and renewing SSL/TLS certificates, offered by Let’s Encrypt. The software is designed to simplify the configuration of a secure website and provide secure encrypted connections via HTTPS.

        To install Certbot on a Raspberry Pi, you can follow these steps:

        sudo apt-get update
        sudo apt-get install certbot

        now that certbot is installed, let’s go on and setup our challenge.
        but first…

        What is a Certbot Challenge?

        A Certbot challenge is a process that Let’s Encrypt uses to verify that the person requesting the SSL certificate is the owner or has control over the domain name. Let’s Encrypt requires domain validation before issuing a certificate, and Certbot automates this process.

        There are several types of challenges that Certbot can use to verify domain ownership:

        1. HTTP-01 Challenge: This challenge involves placing a temporary file with a specific token in a specific location on the domain’s web server. The Let’s Encrypt server then checks that file to ensure the domain owner has control of the server.
        2. DNS-01 Challenge: This challenge involves adding a specific TXT record to the domain’s DNS zone file. Let’s Encrypt checks the DNS zone file to ensure the domain owner has control over the domain.
        3. TLS-ALPN-01 Challenge: This challenge uses the Application-Layer Protocol Negotiation (ALPN) extension in the TLS handshake to validate domain ownership. The Certbot client adds a specific extension to the TLS handshake, and the Let’s Encrypt server checks for it.

        since i had troubles with the HTTP-01, i tried the DNS-01 challenge, which by the way is the more popular and less “faulty”

        Challenge Setup

        To start the challenge we need to input the following command:

        sudo certbot certonly --manual --preferred-challenge=dns --email youremail@provider.com -d yourdomain

        Here’s a breakdown of the different parts of the command:

        • sudo: This command runs the Certbot command with administrator privileges.
        • certonly: This tells Certbot to obtain a certificate but not install it. This is useful if you want to manually configure your web server to use the certificate.
        • --manual: This option tells Certbot to use a manual verification process for domain ownership.
        • --preferred-challenge=dns: This option specifies that Certbot should use the DNS-01 challenge to verify domain ownership.
        • --email youremail@provider.com: This option specifies the email address to use for renewal reminders and security notices.
        • -d yourdomain: This specifies the domain name for which to request the SSL certificate. You can replace yourdomain with your own domain name.

        When you run this command, Certbot will ask you to add a specific TXT record to your domain’s DNS zone file. Once you’ve added the TXT record, Certbot will check your DNS zone file to ensure that you have control over the domain. Once domain ownership has been verified, Certbot will generate the SSL certificate and save it to a location on your server that you can specify.

        Certbot Keys

        When you use Certbot to request an SSL certificate, it generates two types of cryptographic keys: a private key and a public key.

        The private key is generated on your server and stored in a location specified during the Certbot request process. By default, Certbot stores private keys in the directory /etc/letsencrypt/live/yourdomain/privkey.pem (replacing yourdomain with your actual domain name).

        The public key is generated by Let’s Encrypt and is part of the SSL certificate that Certbot requests. The SSL certificate, which includes the public key, is also stored in a location specified during the Certbot request process. By default, Certbot stores SSL certificates in the directory /etc/letsencrypt/live/yourdomain/fullchain.pem (replacing yourdomain with your actual domain name).

        It’s important to keep the private key secure and protected, as it is used to decrypt SSL traffic sent to your server. The public key, on the other hand, can be freely shared with anyone who needs to communicate securely with your server.

        Generating a “Mashed up key”

        So, now you have private and public key. Ejabberd need only one file with both. To achieve this simply do this command:

        cat  /etc/letsencrypt/live/yourdomain/privkey.pem /etc/letsencrypt/live/yourdomain/fullchain.pem >> /etc/ejabberd/yourdomain.pem

        3) Configuring Ejabberd

        First thing first, let’s configure the package with the following command

        sudo dpkg-reconfigure ejabberd
        # Running this command will launch a configuration wizard that allows you to modify the # ejabberd configuration.

        After you’ve configured the basic settings, you should now configure the ejabberd.yml file located at /etc/ejabberd/ejabberd.yml

        run the following command:

        sudo nano /etc/ejabberd/ejabberd.yml

        once you’re into the ejabberd.yml file, this is the file you should be looking at:

        ###
        ###              ejabberd configuration file
        ###
        ### The parameters used in this configuration file are explained at
        ###
        ###       https://docs.ejabberd.im/admin/configuration
        ###
        ### The configuration file is written in YAML.
        ### *******************************************************
        ### *******           !!! WARNING !!!               *******
        ### *******     YAML IS INDENTATION SENSITIVE       *******
        ### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
        ### *******************************************************
        ### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
        ###
        
        hosts:
          - localhost
        
        loglevel: info
        
        ## If you already have certificates, list them here
        # certfiles:
           - "/etc/ejabberd/ejabberd.pem"
        #  - /etc/letsencrypt/live/domain.tld/fullchain.pem
        #  - /etc/letsencrypt/live/domain.tld/privkey.pem
        
        listen:
          -
            port: 5222
            ip: "::"
            module: ejabberd_c2s
            max_stanza_size: 262144
            shaper: c2s_shaper
            access: c2s
            starttls_required: true
          -
            port: 5223
            ip: "::"
            tls: true
            module: ejabberd_c2s
            max_stanza_size: 262144
            shaper: c2s_shaper
            access: c2s
            starttls_required: true
          -
            port: 5269
            ip: "::"
            module: ejabberd_s2s_in
            max_stanza_size: 524288
          -
            port: 5443
            ip: "::"
            module: ejabberd_http
            tls: true
            request_handlers:
              /admin: ejabberd_web_admin
              /api: mod_http_api
              /bosh: mod_bosh
              /captcha: ejabberd_captcha
              /upload: mod_http_upload
              /ws: ejabberd_http_ws
          -
            port: 5280
            ip: "::"
            module: ejabberd_http
            request_handlers:
              /admin: ejabberd_web_admin
              /.well-known/acme-challenge: ejabberd_acme
          -
            port: 3478
            ip: "::"
            transport: udp
            module: ejabberd_stun
            use_turn: true
            ## The server's public IPv4 address:
            # turn_ipv4_address: "203.0.113.3"
            ## The server's public IPv6 address:
            # turn_ipv6_address: "2001:db8::3"
          -
            port: 1883
            ip: "::"
            module: mod_mqtt
            backlog: 1000
        
        s2s_use_starttls: optional
        
        acl:
          local:
            user_regexp: ""
          loopback:
            ip:
              - 127.0.0.0/8
              - ::1/128
        
        access_rules:
          local:
            allow: local
          c2s:
            deny: blocked
            allow: all
          announce:
            allow: admin
          configure:
            allow: admin
          muc_create:
            allow: local
          pubsub_createnode:
            allow: local
          trusted_network:
            allow: loopback
        
        api_permissions:
          "console commands":
            from:
              - ejabberd_ctl
            who: all
            what: "*"
          "admin access":
            who:
              access:
                allow:
                  - acl: loopback
                  - acl: admin
              oauth:
                scope: "ejabberd:admin"
                access:
                  allow:
                    - acl: loopback
                    - acl: admin
            what:
              - "*"
              - "!stop"
              - "!start"
          "public commands":
            who:
              ip: 127.0.0.1/8
            what:
              - status
              - connected_users_number
        
        shaper:
          normal:
            rate: 3000
            burst_size: 20000
          fast: 100000
        
        shaper_rules:
          max_user_sessions: 10
          max_user_offline_messages:
            5000: admin
            100: all
          c2s_shaper:
            none: admin
            normal: all
          s2s_shaper: fast
        
        modules:
          mod_adhoc: {}
          mod_admin_extra: {}
          mod_announce:
            access: announce
          mod_avatar: {}
          mod_blocking: {}
          mod_bosh: {}
          mod_caps: {}
          mod_carboncopy: {}
          mod_client_state: {}
          mod_configure: {}
          mod_disco: {}
          mod_fail2ban: {}
          mod_http_api: {}
          mod_http_upload:
            put_url: https://@HOST@:5443/upload
            custom_headers:
              "Access-Control-Allow-Origin": "https://@HOST@"
              "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
              "Access-Control-Allow-Headers": "Content-Type"
          mod_last: {}
          mod_mam:
            ## Mnesia is limited to 2GB, better to use an SQL backend
            ## For small servers SQLite is a good fit and is very easy
            ## to configure. Uncomment this when you have SQL configured:
            ## db_type: sql
            assume_mam_usage: true
            default: always
          mod_mqtt: {}
          mod_muc:
            access:
              - allow
            access_admin:
              - allow: admin
            access_create: muc_create
            access_persistent: muc_create
            access_mam:
              - allow
            default_room_options:
              mam: true
          mod_muc_admin: {}
          mod_offline:
            access_max_user_messages: max_user_offline_messages
          mod_ping: {}
          mod_privacy: {}
          mod_private: {}
          mod_proxy65:
            access: local
            max_connections: 5
          mod_pubsub:
            access_createnode: pubsub_createnode
            plugins:
              - flat
              - pep
            force_node_config:
              ## Avoid buggy clients to make their bookmarks public
              storage:bookmarks:
                access_model: whitelist
          mod_push: {}
          mod_push_keepalive: {}
          mod_register:
            ## Only accept registration requests from the "trusted"
            ## network (see access_rules section above).
            ## Think twice before enabling registration from any
            ## address. See the Jabber SPAM Manifesto for details:
            ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
            ip_access: trusted_network
          mod_roster:
            versioning: true
          mod_s2s_dialback: {}
          mod_shared_roster: {}
          mod_stream_mgmt:
            resend_on_timeout: if_offline
          mod_stun_disco: {}
          mod_vcard: {}
          mod_vcard_xupdate: {}
          mod_version:
            show_os: false
        
        ### Local Variables:
        ### mode: yaml
        ### End:
        ### vim: set filetype=yaml tabstop=8

        i know it does seem a complete mess, but here are the main sections of the file and what they’re used for

        • hosts: This section defines the virtual hosts that ejabberd will serve. You can define multiple virtual hosts in this section, each with its own configuration options.
        • loglevel: This section sets the verbosity level of the log files generated by ejabberd. There are six levels of verbosity: debug, info, warn, error, critical, and alert. The default level is info.
        • listen: This section defines the network interfaces and ports that ejabberd will listen on. You can define multiple listeners in this section, each with its own configuration options.
        • acl: This section defines the access control rules for the ejabberd server. You can define ACL rules based on IP addresses, domain names, or regular expressions.
        • auth_method: This section defines the authentication method that ejabberd will use to authenticate users. You can choose from a variety of authentication methods, such as internal authentication, LDAP, SQL, or OAuth.
        • modules: This section defines the ejabberd modules that will be loaded by the server. You can enable or disable modules by commenting or uncommenting the appropriate lines in this section.
        • shaper: This section defines the rate limiting rules for the ejabberd server. You can set limits on the number of connections, the number of messages, or the bandwidth usage.
        • s2s: This section defines the settings for server-to-server communication between ejabberd servers. You can define trusted domains, encryption options, and connection timeouts.
        • certfiles: This section defines the SSL/TLS certificates and keys that ejabberd will use for secure communication. You can specify the location of the certificate and key files, as well as the password for the key file.
        • c2s: This section defines the settings for client-to-server communication between ejabberd servers and XMPP clients. You can define encryption options, authentication methods, and connection timeouts.

        The ejabberd file is properly working as raw as it is, but if we try to connect to it at the 5222 port, mos of the clients will not consider our connection safe since he is still using his self-signed certificate

        What is a self-signed certificate

        A self-signed certificate is an SSL/TLS certificate that is signed by its own creator instead of a trusted third-party certificate authority (CA). Unlike a certificate issued by a trusted CA, a self-signed certificate is not automatically trusted by browsers or other client software.

        Self-signed certificates are often used for testing or internal purposes where the security requirements are not as strict. They can also be used in situations where it is not feasible or cost-effective to obtain a certificate from a trusted CA.

        However, because self-signed certificates are not signed by a trusted CA, users visiting a website secured with a self-signed certificate will typically receive a warning message from their browser indicating that the website’s identity cannot be verified. This warning can discourage users from accessing the website and may cause them to question its security. For this reason, self-signed certificates should be used with caution and only in appropriate situations.

        Giving ejabebrd our signed certificate

        Now, we do have our signed certificated at /etc/ejabberd/yourdomain.pem

        let’s modify the certificates section of the ejabberd.yml file this way

        certfiles:
          - /etc/ejabberd/yourdomain.pem

        File permissions

        now, the file is owned by root, we need to make it accessible to the ejabberd user

        sudo chown ejabberd yourdomain.pem

        finally, we need to allow only the owner to read and write the file, and all other users to read the file.

        sudo chmod 604 yourdomain.pem

        Restart

        now that everything is set up, you only need to restart the service

        sudo systemctl restart ejabberd.service

        4) Web management

        To access the web admin interface of ejabberd, you will need to access it through a web browser using the URL for your ejabberd server, followed by the port number and the /admin path. For example, if your ejabberd server is running on yourdomain.com and the web admin port is set to 5280, you would access the admin interface by navigating to https://yourdomain.com:5280/admin in your web browser.
        You will be prompted with a login popup, here you shall input the credentials you’ve set up at step 1.

        5) Conclusion

        In conclusion, setting up ejabberd with TLS encryption and Let’s Encrypt is an important step in ensuring secure and encrypted communication between users on your Jabber/XMPP server. With TLS encryption, all communication between clients and the server is encrypted, preventing unauthorized access and eavesdropping. Let’s Encrypt provides free SSL/TLS certificates that can be used to secure the server and enable HTTPS connections, which are essential for modern web browsers and applications.

        To set up ejabberd with TLS encryption and Let’s Encrypt, you first need to install ejabberd on your server and configure it to use the appropriate certificates and settings. You also need to obtain a Let’s Encrypt SSL/TLS certificate for your domain and configure it for use with ejabberd.

        While the process may seem daunting at first, following the steps outlined in this tutorial can help you secure your ejabberd server and enable encrypted and secure communication for your users. By taking the time to properly set up TLS encryption and Let’s Encrypt, you can create a safer and more secure environment for your users to communicate and collaborate.

        Arch linux dual boot with UEFI Windows 10

        Introduction

        Welcome to this guide on how to install Windows 10 alongside Arch Linux on a dual drive configuration with dual boot. If you’re someone who needs to use both operating systems for different purposes, or just want to explore the features of each, then you’ve come to the right place.

        In this guide, we’ll assume that you already have Arch Linux and Windows 10 installed on separate drives, and want to configure them to dual boot using GRUB. This guide is not intended to teach you how to install Arch Linux or Windows, but rather how to set up the dual boot configuration.

        By the end of this guide, you’ll be able to easily switch between Arch Linux and Windows 10 without having to go through the hassle of constantly changing boot settings or physically swapping drives.

        Disclaimer: Always backup important data when working on low level system settings. You never know what could go wrong! this guide should work for all Linux distros operating on GRUB bootloader, but i have only tried it on Arch, thus i put this title

        Before you start

        What is UEFI and LEGACY mode

        Legacy and UEFI are two different modes of booting a computer. Legacy boot mode is the traditional way of booting a computer, where the system BIOS initializes the hardware and starts the boot process from the MBR (Master Boot Record) on the hard disk. On the other hand, UEFI (Unified Extensible Firmware Interface) is a newer booting mode that replaces the traditional BIOS and provides more advanced features and security.

        The main difference between Legacy and UEFI boot modes is the way they initialize the system hardware and manage the boot process. Legacy mode uses the MBR partition scheme, which has a limit of 2.2TB disk size and only supports up to four primary partitions. UEFI mode, on the other hand, uses the GPT partition scheme, which can support larger disk sizes and up to 128 partitions.

        Another major difference is that UEFI firmware supports Secure Boot, which is a feature that ensures only trusted bootloaders and operating systems are loaded during the boot process, preventing malicious software from loading. Legacy boot mode does not support Secure Boot.

        When it comes to bootloaders, some bootloaders work with UEFI, while others work with legacy mode. Bootloaders such as GRUB2, rEFInd, and systemd-boot are compatible with both UEFI and legacy mode. However, some older bootloaders like LILO and GRUB Legacy only work with legacy mode.

        In summary, legacy and UEFI are two different boot modes that have different ways of initializing system hardware and managing the boot process. UEFI offers more advanced features and security, such as Secure Boot, and supports larger disk sizes and more partitions.

        What is a bootloader

        A bootloader is a small program that runs when a computer starts up and is responsible for loading the operating system into memory. It is usually located on the first sector of the hard disk and is loaded into memory by the BIOS (Basic Input/Output System) during the boot process.

        One popular bootloader for Linux systems is GRUB (Grand Unified Bootloader). GRUB is a flexible and powerful bootloader that can boot multiple operating systems and can be configured to meet various requirements.
        GRUB is open source software and is included with most Linux distributions. It supports a wide range of file systems, including ext2, ext3, ext4, Btrfs, XFS, and more. It also supports various boot options, such as booting in single-user mode or with specific kernel parameters.
        One of the main features of GRUB is its menu interface, which allows users to choose which operating system or kernel to boot. This menu can be customized with different themes and can also include options for booting into recovery mode or running memory tests.
        Another important feature of GRUB is its ability to load modules, which can extend its functionality. These modules can include additional file systems, support for encryption, or even custom boot screens

        How to Setup the dual boot

        If you’re here i suppose that:

        • You’ve succesfully installed Arch Linux in one drive (let’s call it /dev/sdb)
        • You’ve succesfully installed Windows in one drive (let’s call it /dev/sda)
        • you’ve installed grub for your linux distro

        As said before, GRUB is now your bootloader, but right now if you boot up your PC it will only show your linux distro.

        To setup GRUB to also boot your windows partition you need to follow these steps.

        1) Edit /etc/default/grub

        /etc/default/grub is a file that contains configuration options for the GRUB boot loader. It contains various settings that determine how GRUB behaves, such as the default boot entry, the timeout for booting, and the resolution of the boot menu.

        By modifying the options in /etc/default/grub, users can customize the behavior of the GRUB boot loader, such as changing the default boot entry or adding kernel parameters. However, it’s important to be cautious when making changes to this file, as incorrect settings can prevent the system from booting correctly.

        Let’s go on editing the file:

        sudo nano /etc/default/grub

        let’s find the row that states “GRUB_DISABLE_OS_PROBER” and we shall remove the comment

        From:

        #GRUB_DISABLE_OS_PROBER=false

        To:

        GRUB_DISABLE_OS_PROBER=false

        2) Install os-prober tool

        Depending on your Distro you should now install the tool “os-prober”

        os-prober is a tool used to detect and report other operating systems installed on a computer’s hard drive. It is often used in conjunction with the GRUB bootloader to generate a menu of available operating systems during system startup.

        The steps to install os-prober can vary depending on the Linux distribution you are using. Here are the instructions for a few popular distributions:

        Ubuntu, Debian, and their derivatives
        1. Open the terminal.
        2. Run the following command: sudo apt-get update
        3. Run the following command to install os-prober: sudo apt-get install os-prober
        Fedora, CentOS, and RHEL
        1. Open the terminal.
        2. Run the following command to install os-prober: sudo dnf install os-prober
        Arch Linux
        1. Open the terminal.
        2. Run the following command to install os-prober: sudo pacman -S os-prober

        3) Mount windows partition

        what you need to do now is mounting the windows boot partition.
        To find out what’s yours you should run the command

        lsblk

        in our case we have the boot partition in /dev/sda1 (windows partition is /dev/sda but the boot partition is /dev/sda1)

        To mound it:

        sudo mkdir /mnt/win10
        mount /dev/sda1 /mnt/win10

        4)Generating new grub.cfg

        Even if you’ve probably already generated a grub.cfg file, we need now to generate a new one.
        Run the following command:

        sudo grub-mkconfig -o /boot/grub/grub.cfg

        after sending this command you should see some output, in between those lines one should appeare that says something like “Found Windows Boot Manager at … “

        5) reboot

        reboot your system and you should be ready to go!

        Conclusion

        Congratulations, after following these steps your system should be ready to work with a GRUB configuration that allows dual boot!

        B01: My view on privacy and open source software

        Introduction

        For those who know me, it is well known that i am an opensource and pro-privacy enthusiast.
        It is also known that when it comes to this topic i am a little paranoid because, in the very end, i know that somehow and sometimes privacy is just an utopia.
        Yet now it’s not the moment where i want to talk about my paranoia, mind that this post is intended to clarify and tell you what is my point of view when it comes to privacy and open source software.

        Privacy

        As per the oxford dictionary privacy is

        a state in which one is not observed or disturbed by other people.
        the state of being free from public attention

        Oxford dictionary

        The thing is that we live in a complex world and not always it is possible to accomplish what we want most, not even being free from public attention.
        Isn’t it weird? Being free from being observed should be normal but in the technology era it’s not.
        Social media have completely ruined this idea and have set roots on what i call “an open society”, which means a society where people keep their doors opened to everyone, everywhere.
        Imagine it this way: Would you take a picture of yourself and put it everywhere around your city?
        When most people answer no, what they are doing instead is the exact opposite.
        But how? Well, it may seem obvious but it’s not, by posting selfies online we are legitimately putting our face everywhere. Once our picture is on the internet, it’s everywhere, yet we don’t care.
        And here the idea and concept of privacy starts playing the game.
        By exposing our pictures, exposing our private life, we are giving for free information about us, and all of these big money-farms such as Meta, are dealing our data around as if it was a drug.
        I think that everyone should consider more what privacy really is, because if we keep it this way, we will end up living in a society where we are fully controlled.
        And now we can talk about control.
        Having a good privacy is NECESSARY to avoid being controlled by the very people that are making money out of us.
        Do you really think that when you go shopping you are buying what you really want? That’s the millennial lie, because you are controlled from the very beginning of your morning routine when you lift up your phone and watch some stories on instagram.
        Ads are placed everywhere and they perfectly fit your interests, strangely then they slowly turn into something your mind absorbs into subliminal messages.
        Later on you go to your local grocery store and you end up buying products that you’ve seen, even for a fraction of second, around. Don’t lie to yourself, it is this way.
        But what am i telling you this? I don’t want to scare you, neither i want to make you do something you don’t want to but you should consider your privacy more.
        Those big companies are making money out of your data and furthermore you are later giving them money by buying their products.
        How can you change this? Start by using an opensource trusted VPN, start confusing the big money algorithm that’s behind ads, set up your phone to change its GPS location randomly in the world, start using well configured browsers that like your privacy such as Firefox, Opera, TOR, and for God’s sake stop posting your stuff online, they are completely using you.
        Let’s be clear, i do have an instagram profile, but i never post photos of my private life, NEVER!
        Wake up to this dream, nothing is free in this world, as the good uncle Bob said once, “if something is free, you are the product”.
        Thing is, my friend, that as i said before, we are slowly gliding over our own decisions, we are slowly falling into the hands of a great dystopia, and we simply don’t care, we simply leave it as it is.
        Start giving more value to your privacy as first step, it’s not too late and you’ll see that will make you feel safer and protected.
        This is not the end of this topic, a lot of my blog posts will be about data privacy, so, be ready to be stressed out more about it.

        Open Source programs

        another important topic for me is the opensource one.
        as the famous uncle Bob said,

        Open source software is code that is designed to be publicly accessible

        uncle Bob

        But why should code be publicly accessible? There are many reasons and different answers to this question, but i’ll be as quick as a bullet.
        The main reason i think is that most of programmers think their code is pure gold and fault-proof.. but almost all the times it’s not like that.
        Would you use a password manager that may leak all of your Hashes? I guess no.
        If the code is private then only the programmer who build and projected the program can modify it and try to fix the code, whilst if the code is public, the community can help fixing the problem because it has the full view of the code.
        That’s the first main reason, another reason is that i want to know what the code exactly does.
        If i did use a private code password manager, how can i be sure that the program is not coded in a way that it sends my data to someone else? Well it’s not that hard to guess if a program does such a nasty thing, yet it would it would take some time before someone notices a weird behavior.
        If the code is free for all, the programmer can’t hide hideous stuff in it because people would immediately notice it.
        Last reason is that, it’s a moral thing. Why would you need to hide your software? Just let it free to anyone, help the community, help programmers and help people giving your source code to the world, it may help a programmer who’s stuck in a problem and may also help you to improve your coding skills.
        To end up this post, i’ll be writing down here a quote of Richard Stallman, one of the knights of the free software life-style

        Free software’ is a matter of liberty, not price. To understand the concept, you should think of ‘free’ as in ‘free speech,’ not as in ‘free beer’.

        Richard Stallman

        APACHE 2 WEB SERVER Configuration

        Alcune domande

        per poter comprendere bene Apache2 e poter configurare apache con https dobbiamo prima comprendere alcune cose legate ad apache

        1. Cosa sono i “moduli” in apache? Come si abilitano? Come si disabilitano?
          Il server web Apache è uno dei server web più popolari e potenti al mondo, grazie in parte alla sua facilità diamministrazione e flessibilità. Questa flessibilità deriva dal design modulare di Apache. I moduli consentono ad Apache di eseguire funzioni aggiuntive, come la riscrittura nativa degli URL per supportare la crittografia SSL.
          Per abilitare i moduli si utilizza il comando a2enmod e per disabilitarli si utilizza a2dismod
        2. Cosa contiene /etc/apache2 ? quali sono le direttive principali di apache2.conf?
          le direttive di configurazione di Apache sono sparse in più file, tutti situati in sottodirectory di /etc/apache2.
          apache2.conf è il file di configurazione primario e contiene le direttive di configurazione principali In Ubuntu e Debian, la maggior parte del file è per le definizioni globali e la configurazione del server predefinito e degli host virtuali viene gestita alla fine, utilizzando “Include …” La sezione globale conterrà parametri come
          TIMEOUT = indica il tempo di timeout nelle risposte
          KEEPALIVE = Questa opzione, se impostata su “On”, consentirà a ciascuna connessione di
          rimanere aperta per gestire più richieste dallo stesso client.
          Se è impostato su “Off”, ciascuna richiesta dovrà stabilire una nuova connessione, che può
          comportare un sovraccarico significativo a seconda della configurazione e della situazione
          del traffico.
          MAXKEEPALIVEREQUESTS= indica il numero di richieste massime che possono essere gestite
          da una connessione
          KEEPALIVETIMEOUT = Questa impostazione specifica per quanto tempo attendere la
          richiesta successiva dopo aver terminato l’ultima. Se viene raggiunta la soglia di timeout, la
          connessione morirà.
        3. Cosa indica la direttiva “DocumentRoot” di Apache2? Qual’è il suo valore?
          Questa direttiva imposta la directory da cui httpd servirà i file. Di default è “DocumentRoot “/usr/local/apache/htdocs”” ma il path può ovviamente essere modificato in base alle esigenze
        4. Directory “available” e “enabled”
          La dir “conf-available” contiene i file di configurazione per caricare i moduli e configurarli
          La dir “conf-enabled” detiene i collegamenti simbolici ai file in / etc / apache2 / conf-available. Quando un file di configurazione è collegato simbolicamente, verrà abilitato al successivo riavvio di Apache.
        5. Cosa sono le “per user web directory”? Come funzionano?
          Sui sistemi con più utenti, ogni utente può avere la possibilità di avere un sito Web nella propria directory home utilizzando la direttiva UserDir. I visitatori di un URL http://example.com/~username/ otterranno il contenuto dalla directory home dell’utente “nomeutente”, preso dalla sottodirectory specificata dalla direttiva UserDir.
          Di default l’accesso a queste directory non è abilitato.
        6. a2ensite, a2dissite, a2enmod, a2dismod, apache2ctl
          a2ensite è uno script che abilita il sito specificato (che contiene un blocco ) all’interno della configurazione di apache2. a2dissite invece disabilita un sito specificato, rimuovendo i link simbolici. apache2ctl è un front-end del server HTTP (HyperText Transfer Protocol) di Apache. È progettato per aiutare l’amministratore a controllare il funzionamento del demone Apache2 di Apache.

        Configurazione HTTPS con apache2

        TLS e il suo predecessore SSL, (secure sockets layer), sono protocolli Web utilizzati per avvolgere il traffico normale in un pacchetto protetto e crittografato.

        1) Creazione certificato SSL

        TLS / SSL funziona utilizzando una combinazione di un certificato pubblico e una chiave privata. La chiave SSL è tenuta segreta sul server e viene utilizzato per crittografare il contenuto inviato ai client. Il certificato SSL è condiviso pubblicamente con chiunque ne faccia richiesta. Può essere utilizzato per decodificare il contenuto firmato dalla chiave SSL associata.
        Per creare la chiave basta eseguire il seguente comando

        sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -
        keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apacheselfsigned.crt
        

        in seguito bisogna creare i parametri Diffie-Hellman:

        sudo openssl dhparam –out /etc/ssl/certs/dhparam.pem 2048
        

        2) Configurare apache per l’utilizzo di SSL

        per prima cosa bisogna modificare il file Virtual Hosts SSL:

        sudo nano /etc/apache2/sites-available/defaultssl.conf
        
        <IfModule mod_ssl.c>
         <VirtualHost _default_:443>
            ServerAdmin your_email@example.com
            ServerName server_domain_or_IP
            . . .
            SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
            SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
               SSLOptions +StdEnvVars
               BrowserMatch "MSIE [2-6]" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
         </VirtualHost>
        </IfModule>

        Una buona pratica è anche quella di effettuare un redirect su HTTPS ogni qual volta un utente
        visiti il sito in http.
        Per permettere ciò basta modificare il file default.conf

        sudo nano /etc/apache2/sites-available/000-default.conf
        <VirtualHost *:80>
            . . .
            Redirect "/" "https://your_domain_or_IP/"
            . . .
        </VirtualHost>
        

        3) Abilitare le modifiche

        Per abilitare il servizio con le modifiche basterà effettuare i seguenti comandi:

        sudo a2ensite default-ssl
        sudo a2enconf ssl-params
        

        Per effettuare un controllo degli errori basterà scrivere:

        sudo apache2ctl configtest
        

        infine basta rivviare il servizio

        sudo systemctl restart apache2

        B00: Website creation

        I’ve started this website with the sole purpose of sharing information, no much more. What most websites miss in my opinion are a board diary of what’s going on in it. You know, updates etc, news stuff like that.

        This page is just a general test to see if this article can be correctly displayed in its place. As far as I know it should work just fine.

        So, let’s get back to the presentation of the website. As you can see in the about me page, I will be posting stuff that you, user, may find interesting.

        Probably some of these blog posts will be password protected, but I’m more likely prone to let everything public, so, only restricted content will be.. well, password restricted.

        Well, right now I don’t have much more to say as I’ve already spoken way too much.

        OpenVPN Configuration

        Disclaimer

        This guide is a piece of an old project (2017-2018), which means that some of its content may be OUTDATED. This does not imply that everything written down here is trash or not working.
        If you have any troubles or if you have any improvements, leave a comment.

        Introduction

        OpenVPN is an open source program used to create secure point-to-point encrypted tunnels between two computers over an insecure network, typically the internet. Allow hosts to authenticate with each other by means of shared keys (Pre Shared Key), digital certificates or username/password credentials.
        It operates on port 1194
        OpenVPN offers two types of network interface using the TUN/TAP driver:

        1) TUN:
        it is able to simulate a point-to-point type network device and works with
        IP-type packets. When we send data on these interfaces the VPN takes the original packet
        and encapsulates it in another encrypted packet in which the starting and destination IP
        they are no longer those of the tunnel, but those of the remote and local physical interfaces.
        They require configuration of both server and client side routing routes because the
        networks at the ends of the tunnel are different, but have the advantage of not being vehicular
        broadcast traffic on the tunnel

        2) TAP:

        is able to simulate an Ethernet device and logically uses frames
        Ethernet. When a client connects in bridged mode to a remote network it must
        have an IP address that belongs to the remote network, as if it were connected
        locally.

        Configuration modes

        • OpenVPN can operate in two main modes:
        1. Site to Site
        2. Remote Access

        Site – to – Site

        In site-to-site mode, a single host can
        establish multiple OpenVPN tunnels, each of them
        it can be for separate sites. Even if all the
        tunnels come from a single interface
        physics, each tunnel is represented by a
        different IP address of the tunnel interface e
        operates independently.
        It is a configuration used to connect
        entire networks virtually to each other

        Remote Access Mode

        In Remote Access mode the client-server paradigm. Indeed, a host does will connect to the endpoint by establishing a secure connection to get access to network resources. each client has an independent tunnel that connect to the server

        Authentication Methods

        OpenVPN has two ways to authenticate:

        1. Static Key = A pre-shared key is generated and shared between the two peers
          OpenVPN before starting the tunnel. This static key contains 4 independent keys : HMAC-Send, HMAC-Receive, encryption and decryption. By default settings, in static key mode, both hosts will use the same key HMAC and the same encryption / decryption key.
        2. SSL/TLS = An SSL session with two-way authentication is established. If SSL/TLS authentication is successful, the key source material of encryption/decryption and HMAC is then randomly generated by the function RAND_bytes of OpenSSL and exchanged over the SSL/TLS connection. Both sides of the connection provide random source material. This mode does not ever use any bi-directional key, so each peer has its own HMAC-Send, HMAC-Receive, and its own encryption and decryption key.

        Static Key Setting

        The follow up steps are used to use a static key as auth method for the VPN:

        1) Generate the Key

        by using the command

        openvpn --genkey --secret static.key

        you will be generating a static key that must be available on both client and server so you have to transfer it with a secure channel (or physically with USB or with SCP)

        2) Configuring Server

        the server file is located at

        /etc/openvpn/server.conf

        and we want to configure it this way

        local [ADDRESS WHERE WE WANT TO ACCEPT REQUESTS]
        dev tun
        proto udp
        port 1194
        ifconfig [IP TUNNEL SERVER] [IP TUNNEL CLIENT]
        secret [GENERATED STATIC KEY PATH]
        push "route [LOCAL SERVER SUBNET] [MASK]"
        persist-tun
        persist-key
        cipher AES-256-CBC
        verb 6
        log [LOG FILE]

        3) Activating and enabling the server

        At this point you need to know that the service should be started with Systemd, so:

        systemctl start openvpn@server.conf
        systemctl enable openvpn@server.conf

        4) Setting up the Client

        the server conf file is located at

        /etc/openvpn/client.conf

        and here is the configuration file content as should be set

        remote [REAL REMOTE SERVER ADDRESS]
        dev tun
        proto udp
        ifconfig [IP TUNNEL CLIENT] [IP TUNNEL SERVER]
        route [SERVER PRIVATE SUBNET][MASK] [SERVER IP TUNNEL]
        secret [STATIC KEY PATH]
        persist-tun
        persist-key
        cipher AES-256-CBC
        verb 6
        log [LOG FILE]
        

        5) Starting the Client

        as before,

        systemctl start openvpn@client
        systemctl enable openvpn@client

        6) Heading

        We need now to define the routes and there are 2 options:

        1. define routes on the hosts of the network behind the server so that to reach the
          client traffic is routed to the VPN server
        2. perform a SNAT operation on the server so that clients receive packets of the VPN client with source ip replaced by the server’s

        SSL-TLS Configuration method

        pre requirements

        cd /etc/openvpn
        mkdir easy-rsa
        apt-get install easy-rsa
        cp -R /usr/share/easy-rsa/* easy-rsa/
        echo -n '1' > /proc/sys/net/ipv4/ip_forward

        1) Vars setup

        Edit the file: /etc/openvpn/easy-rsa/vars according to your organization

        2) Environment variables setup

        cd easy-rsa/
        mkdir keys
        touch keys/index.txt
        echo 01 > keys/serial
        . ./vars ( in raspbian stretch this command will fail because it won't find “openssl.cnf”. Just create a symlink from the file openssl_1.0.0.cnf → ln -s openssl-1.0.0.cnf openssl.cnf )
        ./clean-all
        

        3) Certification Authority

        Execute the follwing command inside the easy-rsa folder to create the CA

        ./build-ca

        This command will generate public key (ca.crt) and private key (ca.key)

        4) Generating Diffie Hellman parameters

        ./build-dh

        Note: Diffie hellman is a cryptographic protocol that allows two entities to establish a shared and secret key using an insecure (public) communication channel without the need for the two parties have exchanged information or met previously.”

        5) Generate Server keys

        ./build-key-server server

        6) Generate keys for each client

        ./build-key-server clientname

        7) Key Copying

        Copy the keys needed by the client(ca.crt, clientname.crt, clientname.key) into the directory
        /etc/openvpn/easy-rsa/keys/
        Following, a table summarizing all the keys and certificates with their purpose and usage

        8) Server Configuration

        The conf file is the same as before but this time the configuration is as follows:

        local [INDIRIZZO SU CUI SI ACCETTANO CONNESSIONI]
        port 1194
        proto udp
        dev tun
        
        ca /etc/openvpn/easy-rsa/keys/ca.crt
        cert /etc/openvpn/easy-rsa/keys/server.crt QUI VENGONO SPECIFICATE
        key /etc/openvpn/easy-rsa/keys/server.key TUTTE LE CHIAVI E LE DIR
        dh /etc/openvpn/easy-rsa/keys/dh[n].pem
        
        server 172.28.0.0 255.255.255.0 [TUNNEL NETWORK SUBNET][MASK]
        (This directive establishes that the machine will work in
         server mode and will acquire the first IP of the subnet. To the
         clients will be assigned other network addresses.)
        
        ifconfig-pool-persist ipp.txt
        (file where to record the correspondence between client and IP
         virtual assigned.)
        
        push "route [SUBNET LOCAL NETWORK SERVER][MASK]"
        (allows clients to reach other networks behind the server,
         obviously to make the communication bidirectional
         networks will need to be able to route to them in turn
         the address pool of the VPN)
        
        client-config-dir /etc/openvpn/ccd
        comp-lzo
        cipher [CIPHER SET]
        log [LOG FILES]

        9) Activating Services

        openvpn --config server.conf
        systemctl start openvpn@server.conf
        systemctl enable openvpn@server.conf

        10) Configuring Client

        Clients
        dev tun
        port 1194
        udp protocol
        remote [REAL IP OF THE ROUTER]
        
        ca /etc/openvpn/easy-rsa/keys/ca.crt
        cert /etc/openvpn/easy-rsa/keys/client1.crt 
        key /etc/openvpn/easy-rsa/keys/client1.key 
        
        nobind
        persist-key
        persist-tun
        cipher [CIPHER SET]

        11) Starting and enabling services

        systemctl start openvpn@clientname
        systemctl enable openvpn@clientname

        12) Routing and NATting

        To allow traffic on the TUN interface
        - IPTABLES -A INPUT -i tun0 -j ACCEPT
        - IPTABLES -A FORWARD -i tun0 -j ACCEPT
        - IPTABLES -A OUTPUT -o tun0 -j ACCEPT
        
        To allow forwarding only to the VPN
        - IPTABLES -A FORWARD -i tun0 -o eth0 -s [SOURCE] -j ACCEPT
        - IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j
         ACCEPT
        
        To perform SNAT
        - IPTABLES -t nat -A POSTROUTING -s [TUNNEL SOURCE] -o eth0 -j
         SNAT --to-source [SERVER'S IP IN LAN]