Making DigitalOcean's Private Networking Secure

A few weeks ago here at Hone, we decided to spin a new server cluster in DigitalOcean’s NYC3 data center. DigitalOcean introduced ‘private’ networking just over a year ago. However, it turns out that DigitalOcean actually refers to this as Shared Private Networking—and many of the comments under their announcement point out that their private networking isn’t really too private.

We decided to use OpenVPN to layer a secure network on top of DigitalOcean’s shared private networking.

What we wanted to accomplish:

  1. Install an OpenVPN server on our load balancer
  2. Install an OpenVPN client on all of our other machines
  3. Drop any traffic other than OpenVPN on eth1 (DO’s shared private network)
  4. Allow all traffic over tun0 (our secured private network)

With traffic passing through the tun0 interface between machines, we gain the ability to more quickly and easily spin up new machines and add them to our infrastructure.

Here’s how to setup a virtual private network on DigitalOcean (or whichever provider you might be using):

Setup / Configure Your OpenVPN Server

Update your packages and install OpenVPN and Easy RSA:

apt-get update && apt-get install openvpn easy-rsa

Copy some Easy RSA files over to a more permanent location so that you can upgrade OpenVPN in the future without losing your configuration settings:

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Edit /etc/openvpn/easy-rsa/vars and change the various exports for default certificate values.
At the very least, you’ll want to change the following keys in the vars file to suit your needs:

export KEY_CITY="Chicago"
export KEY_ORG="Your Company, Inc."
export KEY_EMAIL="[email protected]"
export KEY_OU=""

With your vars configured, you can now generate a master Certificate Authority (CA) Certificate and Key for your server:

cd /etc/openvpn/easy-rsa/
source vars

Generate a certificate and private key for the server:

./build-key-server <vpn_server_name>

Generate some Diffie–Hellman–Merkle parameters for the OpenVPN server (This will take a minute or two):


Copy the keys, certs, and the Diffie–Hellman–Merkle params that you generated from /etc/openvpn/easy-rsa/keys into your OpenVPN directory, /etc/openvpn/:

cd /etc/openvpn/easy-rsa/keys/
cp <vpn_server_name>.crt <vpn_server_name>.key ca.crt ca.key dh2048.pem /etc/openvpn/

Generate Certificates For VPN Client(s)

You’ll need to generate a certificate and key for each VPN client:

cd /etc/openvpn/easy-rsa/
source vars
./build-key <vpn_client_name>

Securely copy these the following files to the client machine (via rsync, scp, etc.):

  1. /etc/openvpn/ca.crt
  2. /etc/openvpn/easy-rsa/keys/<vpn_client_name>.crt
  3. /etc/openvpn/easy-rsa/keys/<vpn_client_name>.key

After you’ve copied these keys and certs to your client machine(s), delete them from the VPN server. They’re no longer needed on that machine and keeping them there poses a security risk if unauthorized access is gained.

Edit Your OpenVPN Server Config

Copy over and unpack the provided example server config—server.conf.gz—to /etc/openvpn/server.conf

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz

Edit /etc/openvpn/server.conf to ensure it contains the settings that make sense for your intended setup.

You’ll want to make sure it points to the correct location of your certs, keys, and dh2048.pem file (Diffie–Hellman–Merkle parameters) that you generated earlier.

Here’s an example of some lines you should configure (or uncomment) in server.conf

ca ca.crt
cert <vpn_server_name>.crt
key <vpn_server_name>.key # This file should be kept secret
dh dh2048.pem
client-config-dir /etc/openvpn/static_clients # Specify where your static client info is stored

Note: Uncommenting client-to-client will enable your VPN clients to communicate with one another directly. By default, VPN clients will only see the VPN server.

Start OpenVPN on your server

service openvpn start

Check That it Works

After you start your openvpn service, you should see tun0 interface details when you run:

ifconfig tun0

If you’ve set up your server correctly, you should see some output like this:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr: P-t-P: Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

If you run the ifconfig tun0 command above and see the error ifconfig: interface tun0 does not exist, then you’ll need to check your OpenVPN server.conf again and make sure to reconfigure it.

Setup / Configure Your OpenVPN Client(s)

Update your packages and install OpenVPN:

apt-get update && apt-get install openvpn

Copy the example client.conf file over to /etc/openvpn/client.conf:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

If you haven’t already done so: Make sure that you’ve generated and then securely transferred (or manually copied over) ca.crt, <vpn_client_name>.crt, and <vpn_client_name>.key to your new VPN client.
(For the purposes of this tutorial, I’ve copied them into /etc/openvpn/.)

Edit /etc/openvpn/client.conf and make sure everything points to correct certs and keys. You should also make sure to specify the IP address corresponding to your OpenVPN server’s eth1 interface (DO’s shared private network):

remote 1194 # This points to the private IP of your OpenVPN server (and the OpenVPN port)
ca ca.crt
cert <vpn_client_name>.crt
key <vpn_client_name>.key

Having finished editing client.conf, you can restart the OpenVPN service on your VPN client machine:

service openvpn restart

Check to see that you’ve got a tun0 interface (and that it has the correct IP):

ifconfig tun0

Ping Your VPN Server (From Client Machine)

If you’d like to sanity-check your connection to your VPN server, try pinging the OpenVPN server directly:


In this example, I’m pinging, which is set by OpenVPN default server config. You may have selected something different, in which case you should find the IP corresponding to your OpenVPN server’s tun0 interface.
You can grab this IP quickly by running (on the OpenVPN server itself): ifconfig tun0.

If you can’t ping the OpenVPN server, then something is wrong with your config. Consider re-reading all of the above.

Assign Static IPs to VPN Clients

You may desire to assign static IP addresses to some or all of your client machines. (Hat-tip to Michael Albert for a great post which helped here.)

On your OpenVPN server, create a folder in which to save the information of your static clients.
In this example, we’ll name our folder static_clients:

mkdir /etc/openvpn/static_clients

Make sure to uncomment and edit this line in server.conf:

client-config-dir /etc/openvpn/static_clients

Previously, when you generated a cert and key for your new VPN client, recall the common_name that you chose.
Create a file—naming it whatever you chose for the common_name— in /etc/openvpn/static_clients/ with the following content:

(Note that in this example, we’d like this VPN client’s tun0 interface to be assigned the IP


OpenVPN will need to read these files after it drops privileges. You can do that do that with the following:

sudo chown -R nobody:nogroup /etc/openvpn/static_clients

Configure Your iptables

If you want to further secure your VPN, you should edit your VPN client machine’s iptables. With your OpenVPN server and clients set up correctly and pingable (in both directions) via their tun0 interfaces, you can begin restricting traffic over your eth1 (DO’s shared private network interface) to accept only traffic over port 1194 (OpenVPN’s default port) on that interface.

For example, if you’re routing traffic through a load balancer, you may want to lock down VPN client boxes as such:

  • Restrict access on eth0 interface (public) to port 22 only
  • Restrict access on eth1 interface (DO’s shared private network) to udp/tcp traffic over port 1194 only
  • Unrestricted access on tun0 interface (OpenVPN tunnel interface).

Here’s an example iptables config that would restrict traffic in the way I mention above:

-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 1194 -j ACCEPT

Hone is Hiring!

Check out all of the positions for which we’re currently hiring.

Credit Where Credit Is Due

While figuring out how to do everything above—and while I was writing this tutorial—I was reading and consulting with the following sources:


Install MySQL on Mac OS X 10.7+

The no fuss, no muss guide to installing the latest stable version of MySQL DB locally on your Mac running OS X 10.7 or later. (Hat tip to Trey Piepmeier for his excellent tutorial, upon which I improved a few things.)

Install MySQL (using Homebrew)

I’ll assume you’ve already installed Homebrew.

Assuming you have your brew command ready to rock, make sure to run a quick brew update, telling brew to fetch the latest packages:

Update brew to ensure you have the latest library of packages (install scripts):
brew update

OK? Good. Now you need to tell brew to install MySQL by entering this command:

brew install mysql

Enter the following two commands, one after the other (the second one starts up your new, local MySQL server and creates an initial database):

unset TMPDIR
mysql_install_db --verbose --user=$(whoami) --basedir=$(brew --prefix mysql) --datadir=/usr/local/var/mysql --tmpdir=/tmp

Launch MySQL Automatically

The output from that last command should instruct you to enter three additional commands. (The ones below might not be exactly what you see in your terminal. Of course, make sure you follow those instructions and not these below, unless they’re identical.):

mkdir -p ~/Library/LaunchAgents
cp $(brew --prefix mysql)/homebrew.mxcl.mysql.plist ~/Library/LaunchAgents/
launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.mysql.plist

The three commands above do the following, respectively: create a LaunchAgents folder for you if you don’t already have one, copy the mysql.plist file into that launch folder, and then loads that file into a system file so that Mac OS X starts MySQL for you each time you restart your machine. Perfect!

Start Configuring MySQL

One final (optional) step is to run the included MySQL root/user config script. It’ll step you through various default username/password/etc options that you might want to configure now that you’ve got MySQL up and running on your machine. To run this automated post-MySQL-install wizard, enter:

$(brew --prefix mysql)/bin/mysql_secure_installation

Or, perhaps you’re interested in Installing and Setting up PostgreSQL on Mac OS X?

Install Homebrew on Mac OS X 10.7+

How to Install Homebrew on Mac OS X (10.7 or later)

This one’s super-quick and easy! If you want to easily install other tools and add-ons in the future, you need Homebrew.

Open a new shell and run the following:

ruby -e "$(curl -fsSL"

It’s that simple. Really.

Homebrew Future Tip

Once Homebrew has finished installing, you’ll want to make sure to always run the following before trying to install anything using the brew command:

brew update

Running Brew’s update command instructs it to fetch the latest install recipes from its remote repository. Remember: Before you use Brew to install something, you definitely want to run the brew update command Every single time! That way, you’ll always ensure you’re installing only the latest, stable packages.

That’s it! You’re done.

Want to learn more about Brew on your own? Check out:

Change OS X's Archive Utility Preferences

So you’re sick of the lame, default settings that OS X’s Archive Utility comes with and you want to change ‘em? Yeah—I did too. So, here’s three ways to change that little tool’s settings to whatever your heart desires once and for all! (…or temporarily if you’d like; I don’t much mind either way to be honest with you.)

Unless you’re as fast as Superman and can open Archive Utility’s preferences pane during the roughly 0.0006 few seconds that it’s displayed on the screen during its unarchiving process, it seems the only way to change the default preferences are:

How to Change Archive Utility Preferences

Launch Archive Utility manually and change the preferences as you would in any other app:
Open up Terminal and type: open -a Archive Utility

If you’re the type that doesn’t want anything to do with opening Terminal (not that there’s anything wrong with that) or one that prefers clicking the mouse a few more times, just for sport:

Click on OS X’s Finder (usually in the lower-left of your dock), then go to the very top OS X menu bar and select “Go” and then “Go to Folder…” Then, just enter the following—/System/Library/CoreServices—and smack the enter key on your keyboard (or gingerly click the “Go” button with your mouse—again, totally up to you. I prefer smacking the enter-key, myself.)

At this point, you need only find the Archive Utility App within the Finder window and give her the ol’ double-click to launch.

Let’s Get All Fancy-like

Want to add a new icon to OS X’s System Preferences app, enabling all users to set their own Archive Utility preferences? Do the following:

Open up Terminal and enter this beautiful one-liner:

open /System/Library/CoreServices/Archive

In the Finder window that opens as a result, locate and double-click on the Archives.prefPane file.

If you’re asked to enter your Admin password, DO IT IMMEDIATELY WITHOUT HESITATION. This isn’t a drill and your life could depend on it. Of course, that’s simply false. But the truth is that at this point, OS X wants to add a dedicated preference icon for Archive Utility to its System Preferences App and wants you to confirm this action by entering your password. Honest!

Enjoy the following panel that you now have access to and configure the settings until you’re blue in the face!

OS X Archives Settings Panel

Hat Tippity Tip / Source:

This “how to” article was adopted from one I originally read on TAUW right here, which itself was apparently adopted from an even earlier article, currently located on right here. Enjoy!

Setting up PostgreSQL on Mac OS X

What’s that? You’re making a Rails app, planning on eventually pushing it to Heroku, and you’re still running SQLite locally on your machine? Like a chump!? Come on now!

You’ve got to install Postgres locally! The good news is: It’s super easy.

First Things First

You’ll first need to install PostgreSQL. For this tutorial, we’ll use Homebrew to help us do that quickly.

Open terminal and type: brew -v
This will return the current version of brew (if you have it installed).
If you do have it installed, update it with the following command: brew update

That was pretty simple

If you saw a command not found: brew (or similar) error after you ran brew -v, then you likely need to install Homebrew. If you would like to do that now, type the following into your terminal:

ruby -e "$(curl -fsSL"

Pro Tip

If at this point you’re thinking of installing Homebrew, consider first reading more about installing Homebrew in this article I wrote on How To Install Homebrew on Mac OS X 10.7+.

With brew installed, you’re golden. Time to install PostgreSQL!

Install PostgreSQL and Configure

With Brew, you can install PostgreSQL with the following command in Terminal:

brew install postgresql

You can now start your PostgreSQL server and create a database:

initdb /usr/local/var/postgres

You’ll need to have PostgreSQL running locally in order for your app (running in development mode, of course) to read and write to your Postgres database(s). If you want to have PostgreSQL start automatically each time you start your computer, enter the following three lines into Terminal one after another:

mkdir -p ~/Library/LaunchAgents
cp /usr/local/Cellar/postgresql/9.1.3/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/
launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist

Done and done. PostgreSQL is up and running and now all you need to do is tweak a few setting in your Rails App’s database.yml file (in the config/ folder).

In your database.yml file, you’ll see a few environments and their respective configs beneath. Most likely you’ll see three environments: development:, test:, and production:.

For now, we’ll just change the development: environment. If you haven’t changed anything, you’ll see the following as the default config for development::

# adapter: sqlite3
# database: db/development.sqlite3
# pool: 5
# timeout: 5000

In order for your app to use your new PostgreSQL server, you’ll want to change the above to this:

# adapter: postgresql
# database: name_of_your_app_development
# encoding: utf8
# template: template0
# host: localhost

Super-awesome Protip

You’ll want to replace name_of_your_app with the name of your app.

Editing Your Gemfile

Hold on there partner, don’t forget to tweak your Gemfile! Make sure the you’ve got the pg gem in your gemfile:

Example line entry in your Rail's `Gemfile`, if you want to use the `pg` gem:
gem 'pg'

Want To Run PostgreSQL in Production?

If you want to run Postgres in your production environment as well as your development environment, make sure to add the gem 'pg' line somewhere within the :production block—and not only within your group :development, :test do block.

Finally, you’ll want to create a new database: rake db:create and you’ll probably want to run the following command to delete your tables, recreate them, and seed them with any data you may have in your seeds.db file with the following command: rake db:reset

Trying to install PostgreSQL on your Linux machine instead?

My buddy—Eric MacAdie—offers these helpful instructions for setting up a Postgres server for Rails on a Linux machine instead of OS X.

Credit Where Credit Is Due:

Dan Manges is crazy-smart, the CTO of Braintree, and happens to be my mentor while at Code Academy The Starter League. He saved me about three hours of chin-scratching, by teaching me everything below today (in about 15 minutes). Thanks man!
(Probably worth noting that any errors below are courtesy of yours truly—and not Dan :)

Don't forget to rake after deploying to heroku

Deploying your Rails 3 app to heroku (on their Cedar stack)?


Don’t forget to run this command—ya know, just as you would when first running the app locally on your own machine.
(Might save you 20 minutes of chin-scratching!)

Run a `rake` task on Heroku:
heroku run rake db:migrate

Good times!

Rails' default HTTP methods for button_to and link_to helpers

Here’s a tip when using Rails’ button_to and link_to URL helpers!
Never ever forget these two things:

button_to uses the :POST method by default

Believe me: Memorizing these two simple Rails defaults will save you routing headaches down the road.

Example — Specifying the :GET method:

Let’s say that you’d like to provide your user with a “Cancel” button on a form that redirects her back to the previous page after it’s clicked. (Because you’re nice, you’ll also throw up a warning modal…):

button_to "Cancel / Delete",
confirm: 'Are you sure you would like to cancel and delete this post?',
disable_with: 'Deleting...'

Guess what? That’s not right! When clicked, that button will either throw a routing error or unintentionally make a post request to one of your routes. Instead, you need to specify that you’d like the button to use the :GET method, instead of its default :POST method. (refer to rule 1 above.)

Here’s the correct code for such a button:

button_to "Cancel / Delete",
method: :get,
confirm: 'Are you sure you would like to cancel and delete this post?',
disable_with: 'Deleting...'

See how we specify the method in there with method: :get?

Example — Specifying the :POST method:

Want a text link that ends up sending sending a :POST to one of your routes? Simple. Just remember to pass the correct method:

link_to "Click here to submit post.",
method: :post

If you wanted a button to perform the same action, you wouldn’t need to specify the method, as the default method is already :POST:

button_to "Submit Post",
disable_with: "Submitting Post...

Example — Specifying the :DELETE method:

Just as you need to pass in the proper HTTP method into your button_to and link_to helpers if you’d like to use them for the opposite of their default method, so too must you specify the :DELETE method when you’d like to use that instead:

button_to "Cancel / Delete",
method: :delete,
confirm: "Are you sure you'd like to cancel and delete this post?",
disable_with: "Deleting..."

So you wanna use Git, huh?

Over the past few weeks, I’ve been working on an app with three other people. The four us divided up the necessary work that needed to be done, chose parts to work on that we found interesting, and then got to work.

How do multiple people add to, modify, and delete the project’s codebase (and other files)—all while keeping track of everything along the way?

As soon as we asked this question, the answer was simple: use Git!

What is Git?

Git is a Distributed, Revision Control System

Using Git, multiple people can easily work on the same project, at the same time, and keep track of all changes. In addition to providing a detailed history of who did what and when, Git empowers collaborators to revert back to a previous version of a project’s codebase (or a previous version of, say, a single file), should broken code or otherwise undesirable changes occur at some point.

Using Git in Your Own Projects

After creating your project, cd into your project’s working directory via terminal and initialize Git with the following command:

Initialize a new git repository within the present directory
git init

Git is now good to go and is ready to keep track of the files in that directory. Make changes to some code, return to terminal, and type the following:

Add all files in the present directory (**not** including those that have been deleted) to Git staging
git add .

Notice the . (period) at the end? That tells Git to add all of the new and modified files to it’s index. In other words, Git is now tracking every file in that directory and will know when changes are made to existing files or when new files are added.


If you ever delete a file from your project—and you want to track that deletion in your Git repository—you should type the following command in terminal:

Add all files in the present directory (including those that have been deleted) to Git staging
git add -A .

It’s similar to the previous command, but passing in the -A option will tell Git to “add” the files that you removed from your project. (You can think of this as Git keeping track of the fact that you just deleted a file.)

Committing Files

So far, Git has been initialized and is also tracking all of the files in your project (including any changes you’ve made so far). But, you’ve yet to commit these changes. These commits are the snapshots of your project that Git will keep a history of, enabling you to rollback or revert to at some point in the future should you so desire.

To commit your changes—and thus make your first/initial commit for this project—type the following command in terminal:

Your initial commit message probably shouldn't have the message of 'initial commit'
git commit -m 'initial commit'

This commits your changes. Note the -m option that we’ve passed in as well as the 'initial commit' message following it. As you might guess, the -m stands for “message” and the text in single (or double) quotes following it contains a message that will be saved along with the commit. (You should always pass in a descriptive note that will enable you (and/or other developers reading it later on) to quickly decipher what changes you made for that particular commit.

Part Two: Coming Soon

This post covers the basics of using Git for your personal projects. In the next post, I’ll detail how using the above-listed commands—as well as a few other commands—will enable you to use Git for a single project with multiple collaborators as I described in the opening paragraph.

Code Academy Has Begun!

Remember that one time when I moved to Chicago to start Code Academy The Starter League? Oh wait, that just happened!

Back Story

After graduating from college, I wisely decided to pursue my interests in technology and got a job working at Mahalo in Santa Monica, CA. (Many fun stories on this experience, of course. I’ll save them for future posts—including, “Greg’s guide to getting a job at a startup”. Good times.) After Mahalo was slapped by Google (note to self: avoid building a business entirely reliant on another company for both traffic and revenue) I parted ways and joined the team at Border Stylo.

I absolutely fell in love with startups. I soon realized that I wanted to become more technical myself so that I could start actualizing my own ideas and start a company of my own. Enter Code Academy.

Why Code Academy The Starter League?

Of course, there are many nice, free, online and interactive “teach yourself how to program” resources these days that enable an aspiring developer to teach herself various languages at her own pace, on her own time (not to mention all of the free and paid video courses that have been available for years).

But, I was looking for something that met the following criteria:

  1. I wanted to do this full-time and completely immerse myself without any distractions;
  2. I wanted an environment where I could work alongside others that were equally as dedicated and passionate about becoming developers;
  3. And, I wanted an adventure—I wanted to travel and live somewhere new for a while.
    Code Academy offered my all of these things and more so I jumped on the opportunity, applied for a spot, was accepted (duh), and made it happen. In talking with some of the then-current (now former) students before and while I applying, I was left without any doubt: this was the program for me and would be awesome.

The Focus

The focus over the next 12 weeks (the duration of Code Academy) will be Ruby on Rails, and a healthy dose of HTML, CSS, and Javascript to be dangerous. In talking with folks, it’s clear that many are looking to land a gig at a startup or dev shop once things are done, others are focusing on an existing idea for a web app that they came into the program with already and will pour everything they learn into that one idea, while many others are somewhere in between.

Code Academy offered a design class this quarter and so we’ll also be working closely with them throughout on the various projects we create throughout, hackathons, demo-day projects, etc.

The Beginning

Things have only just begun and so there’s not too much to share yet. But count on the fact that I’ll be posting regular updates on my progress, funny anecdotes, and everything in between in the coming weeks and months while I’m in Chicago.