OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol [2] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
According to Server Mom, OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.
This article will guide you through the installation and configuration steps of OpenVPN server on CentOS 6.3.
Let’s Install and Configure OpenVPN Server!
Requirements:
- A Dedicated server running CentOS 6.x
- Proper knowledge to use Putty and SSH protocol
Good to know:
- SELinux was disabled on CentOS machine for this OpenVPN Server How To
- Firewall was disabled on CentOS machine for thisOpenVPN Server How To
- OpenVPN has to be in DMZ network or you need to open the necessary ports on your router – more HERE
1. Install RPMForge repository
CentOS 6 32-bit (x86):
[root@foo1 ~]# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm
OR
CentOS 6 64-bit (x86_64):
[root@foo1 ~]# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
2. Install required packages
[root@foo1 ~]# yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel lzo openvpn wget -y
3. Copy the easy-rsa folder to /etc/openvpn/
[root@foo1 ~]# cp -R /usr/share/doc/openvpn-2.2.2/ /etc/openvpn
4. Create the certificate
[root@foo1 ~]# cd /etc/openvpn/easy-rsa/2.0 [root@foo1 2.0]# chmod 755 * [root@foo1 2.0]# source ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys [root@foo1 2.0]# ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys [root@foo1 2.0]# ./clean-all
5. Build necessary CA file
You must enter the information you are asked for – bold text.
[root@foo1 2.0]# ./build-ca Generating a 1024 bit RSA private key ..............++++++ ..++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:SI State or Province Name (full name) [CA]:Slovenia Locality Name (eg, city) [SanFrancisco]:Ljubljana Organization Name (eg, company) [Fort-Funston]:GeekPeek.Net Organizational Unit Name (eg, section) [changeme]:GeekPeek.Net Common Name (eg, your name or your server's hostname) [changeme]:foo1.geekpeek.net Name [changeme]:Mitch Email Address [mail@host.domain]:info@geekpeek.net
6. Build Key Server
In below case “server” after the “build-key-server” command is the name of the newly created cert file -> server.csr, server.key, server.crt. Again enter the information you are asked for – bold text. When asked for “challenge password” you can set it up or leave empty.
[root@foo1 2.0]# ./build-key-server server Generating a 1024 bit RSA private key ........++++++ ..........++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:SI State or Province Name (full name) [CA]:Slovenia Locality Name (eg, city) [SanFrancisco]:Ljubljana Organization Name (eg, company) [Fort-Funston]:GeekPeek.Net Organizational Unit Name (eg, section) [changeme]:GeekPeek.Net Common Name (eg, your name or your server's hostname) [server]:foo1.geekpeek.net Name [changeme]:Mitch Email Address [mail@host.domain]:info@geekpeek.net Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:GeekPeek.Net Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'SI' stateOrProvinceName :PRINTABLE:'Slovenia' localityName :PRINTABLE:'Ljubljana' organizationName :PRINTABLE:'GeekPeek.Net' organizationalUnitName:PRINTABLE:'GeekPeek.Net' commonName :PRINTABLE:'foo1.geekpeek.net' name :PRINTABLE:'Mitch' emailAddress :IA5STRING:'info@geekpeek.net' Certificate is to be certified until Feb 25 11:31:42 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
7. Build Diffie Hellman key
NOTE: If you want to increase Diffie Hellman key size, you must edit KEY_SIZE variable in /etc/openvpn/easy-rsa/2.0/vars to the desired size.
[root@foo1 2.0]# ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ............................................................... ...............................................+............... .............+...............................................+. ............................................................... ......+...............+.......................+................ .......................................................+....... ..................................+............................ ............................................................... ....+...+...........................................+.......... .................+.....+.................+..................... ...+........................................................... ............................................+.................. ......+.................+......+....+..................++*++*++
8. Create OpenVPN Server config file
Be sure to configure your OpenVPN server to be accessible from the internet. This can be achieved by putting OpenVPN Server in DMZ or open the necessary ports on your router – more HERE. If you have multiple network cards bind OpenVPN Server to the WAN IP address.
[root@foo1 2.0]# cat /etc/openvpn/server.conf # IP address you want to bind OpenVPN Server to #local 89.212.236.44 # Pick the desired VPN port number - default 1194 #port 4444 proto udp # We use TUN when setting separate IPs on a VPN Network dev tun tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 reneg-sec 0 # Adjust paths as needed. ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login # Comment this line if you are using FreeRADIUS #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf # Uncomment this line if you are using FreeRADIUS client-cert-not-required # No client specific certificates required username-as-common-name # The Pool of IPs in the 'VPN Network' server 172.26.1.0 255.255.255.0 # Change this to reflect your Network environment push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 5 30 comp-lzo persist-key persist-tun status 1194.log verb 3
9. Enable IP Forwarding
Change “net.ipv4.ip_forward” parameter in /etc/sysctl.conf file from “0” to “1” and issue “sysctl -p” command.
[root@foo1 2.0]# grep "net.ipv4.ip_forward" /etc/sysctl.conf net.ipv4.ip_forward = 1 [root@foo1 2.0]# sysctl -p net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 kernel.sysrq = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key error: "net.bridge.bridge-nf-call-iptables" is an unknown key error: "net.bridge.bridge-nf-call-arptables" is an unknown key kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 4294967295 kernel.shmall = 268435456
10. Create OS user for VPN login
[root@foo1 2.0]# useradd vpnuser -s /bin/false [root@foo1 2.0]# passwd vpnuser Changing password for user vpnuser. New password: Retype new password: passwd: all authentication tokens updated successfully.
11. Start OpenVPN Server service
[root@foo1 2.0]# /etc/init.d/openvpn start Starting openvpn: [ OK ]
If you want, you can check everything is OK in /var/log/messages.
12. Windows VPN client installation
Create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other simple text editor tool). Enter following in that file:
client dev tun proto udp remote 123.123.123.123 4444 # - Your OpenVPN Server IP and OpenVPN Server Port resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ca ca.crt auth-user-pass comp-lzo reneg-sec 0 verb
Save that file in the config directory of where you installed OpenVPN client in your computer.
13. Copy ca.crt file to client
Copy ca.crt file from /etc/openvpn/easy-rsa/2.0/keys/ location on OpenVPN Server to your client and save it to the same folder as .ovpn file you created. Now you can login to your VPN using username and password you’ve created.
This is a Guest Post by @jennycorteza
Author’s Bio: Jenny Corteza is always found working on advanced techniques to improve somputer system usability. She is fond of reading information about bcp and other relevant It related topics.