OpenVPN Server on CentOS 6

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and for remote access. It uses a custom security protocol that relies on SSL/TLS for key exchange and is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

According to Server Mom, OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username/password. When used in a multi-client server configuration, it allows the server to issue a certificate for every client, signed by its own certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.


This article will guide you through the installation and configuration steps of OpenVPN server on CentOS 6.3.

Let’s Install and Configure OpenVPN Server!

Requirements:

  • A dedicated server running CentOS 6.x
  • Working knowledge of PuTTY and the SSH protocol

Good to know:

  • SELinux was disabled on the CentOS machine for this OpenVPN Server How To
  • The firewall was disabled on the CentOS machine for this OpenVPN Server How To
  • The OpenVPN server has to be in a DMZ network, or you need to open the necessary ports on your router

1. Install RPMForge repository

CentOS 6 32-bit (x86):

[root@foo1 ~]# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

OR

CentOS 6 64-bit (x86_64):

[root@foo1 ~]# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

2. Install required packages

[root@foo1 ~]# yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel lzo openvpn wget -y

3. Copy the easy-rsa folder to /etc/openvpn/

The easy-rsa scripts ship in the documentation directory of the openvpn package; copy only the easy-rsa folder so that it ends up at /etc/openvpn/easy-rsa (adjust the version in the path to the openvpn package you installed):

[root@foo1 ~]# cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa /etc/openvpn

4. Create the certificate

[root@foo1 ~]# cd /etc/openvpn/easy-rsa/2.0
[root@foo1 2.0]# chmod 755 *
[root@foo1 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@foo1 2.0]# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@foo1 2.0]# ./clean-all

5. Build necessary CA file

Enter the information you are asked for at each prompt; in the transcript below, the values typed after the colons are the ones used for this example.

[root@foo1 2.0]# ./build-ca
Generating a 1024 bit RSA private key
..............++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:SI
State or Province Name (full name) [CA]:Slovenia
Locality Name (eg, city) [SanFrancisco]:Ljubljana
Organization Name (eg, company) [Fort-Funston]:GeekPeek.Net
Organizational Unit Name (eg, section) [changeme]:GeekPeek.Net
Common Name (eg, your name or your server's hostname) [changeme]:foo1.geekpeek.net
Name [changeme]:Mitch
Email Address [mail@host.domain]:info@geekpeek.net

6. Build the server key

In the example below, “server” after the “build-key-server” command is the base name of the newly created files: server.csr, server.key and server.crt. Again, enter the information you are asked for at each prompt (the values typed after the colons below). When asked for a “challenge password” you can set one or leave it empty.

[root@foo1 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
........++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:SI
State or Province Name (full name) [CA]:Slovenia
Locality Name (eg, city) [SanFrancisco]:Ljubljana
Organization Name (eg, company) [Fort-Funston]:GeekPeek.Net
Organizational Unit Name (eg, section) [changeme]:GeekPeek.Net
Common Name (eg, your name or your server's hostname) [server]:foo1.geekpeek.net
Name [changeme]:Mitch
Email Address [mail@host.domain]:info@geekpeek.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:GeekPeek.Net
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SI'
stateOrProvinceName   :PRINTABLE:'Slovenia'
localityName          :PRINTABLE:'Ljubljana'
organizationName      :PRINTABLE:'GeekPeek.Net'
organizationalUnitName:PRINTABLE:'GeekPeek.Net'
commonName            :PRINTABLE:'foo1.geekpeek.net'
name                  :PRINTABLE:'Mitch'
emailAddress          :IA5STRING:'info@geekpeek.net'
Certificate is to be certified until Feb 25 11:31:42 2024 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Build Diffie Hellman key

NOTE: If you want to increase the Diffie-Hellman key size, edit the KEY_SIZE variable in /etc/openvpn/easy-rsa/2.0/vars to the desired size before running build-dh. The output file is named after the size (dh1024.pem for the default shown below), so the dh line in server.conf must match.

[root@foo1 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................
...............................................+...............
.............+...............................................+.
...............................................................
......+...............+.......................+................
.......................................................+.......
..................................+............................
...............................................................
....+...+...........................................+..........
.................+.....+.................+.....................
...+...........................................................
............................................+..................
......+.................+......+....+..................++*++*++

8. Create OpenVPN Server config file

Be sure your OpenVPN server is reachable from the internet, either by putting it in a DMZ or by opening the necessary ports on your router. If the machine has multiple network cards, bind the OpenVPN server to the WAN IP address with the “local” directive.

[root@foo1 2.0]# cat /etc/openvpn/server.conf 
# IP address you want to bind OpenVPN Server to
#local 89.212.236.44

# Pick the desired VPN port number - default 1194
#port 4444
proto udp

# We use TUN when setting separate IPs on a VPN Network
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0

# Adjust paths as needed.
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login # Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf # Uncomment this line if you are using FreeRADIUS
client-cert-not-required # No client specific certificates required
username-as-common-name

# The Pool of IPs in the 'VPN Network'
server 172.26.1.0 255.255.255.0 # Change this to reflect your Network environment

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
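The configuration above works, but several of its directives trade security for convenience: client-cert-not-required means clients are identified by username/password alone, reneg-sec 0 disables key renegotiation for the life of a session, there is no tls-auth (or the newer tls-crypt) protecting the control channel, the DH parameters are 1024-bit, and the pushed redirect-gateway makes the forwarding and NAT setup on the server matter. As an added example that is not part of the original post, the following shell script audits a server.conf for exactly those settings. The sample configuration it embeds is constructed from the directives shown above; on a real host, point audit_openvpn_conf at /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf
# for the weaker settings used in this how-to and print one finding per line.
# Usage: audit_openvpn_conf /etc/openvpn/server.conf

audit_openvpn_conf() {
    conf="$1"
    # Strip comments (everything after '#') and blank lines so that a
    # commented-out directive is not mistaken for an active one.
    active=$(sed 's/#.*//' "$conf" | sed '/^[[:space:]]*$/d')

    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*client-cert-not-required'; then
        echo "client-cert-not-required: clients are authenticated by username/password only; the CA is not used to identify them"
    fi
    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*reneg-sec[[:space:]]+0([[:space:]]|$)'; then
        echo "reneg-sec 0: data-channel key renegotiation is disabled for the life of the session"
    fi
    if ! printf '%s\n' "$active" | grep -qE '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]'; then
        echo "no tls-auth/tls-crypt: the control channel accepts TLS handshakes from any source"
    fi
    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*dh[[:space:]]+.*dh1024'; then
        echo "dh1024.pem: 1024-bit Diffie-Hellman parameters; raise KEY_SIZE in easy-rsa vars and re-run build-dh"
    fi
    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*push[[:space:]]+"redirect-gateway'; then
        echo "redirect-gateway pushed: all client traffic exits this host; confirm ip_forward and NAT are configured"
    fi
}

# Number of findings; usable as an exit status in a deployment check.
audit_finding_count() {
    audit_openvpn_conf "$1" | grep -c .
}

# Constructed sample: the server.conf from this how-to, trimmed to the
# directives the audit looks at, written to a temp file for the demo.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
proto udp
dev tun
reneg-sec 0
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
client-cert-not-required # No client specific certificates required
username-as-common-name
server 172.26.1.0 255.255.255.0
push "redirect-gateway def1"
#tls-auth ta.key 0
EOF

audit_openvpn_conf "$demo_conf"
echo "findings: $(audit_finding_count "$demo_conf")"
```

The comment-stripping step matters: the sample deliberately contains a commented-out tls-auth line, and the audit still reports the control channel as unprotected because only active directives count.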

9. Enable IP Forwarding

Change the “net.ipv4.ip_forward” parameter in /etc/sysctl.conf from “0” to “1” and run “sysctl -p” to apply it. The “unknown key” errors for the net.bridge.* entries in the output below are harmless; they appear because the bridge kernel module is not loaded on this machine.

[root@foo1 2.0]# grep "net.ipv4.ip_forward" /etc/sysctl.conf 
net.ipv4.ip_forward = 1

[root@foo1 2.0]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

10. Create OS user for VPN login

[root@foo1 2.0]# useradd vpnuser -s /bin/false

[root@foo1 2.0]# passwd vpnuser
Changing password for user vpnuser.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

11. Start OpenVPN Server service

[root@foo1 2.0]# /etc/init.d/openvpn start
Starting openvpn:                                          [  OK  ]

If you want, you can check everything is OK in /var/log/messages.

12. Windows VPN client installation

Create a server.ovpn config file. The simplest way is to create it on your local computer with Notepad (or any other plain text editor). Enter the following in that file:

client
dev tun
proto udp
remote 123.123.123.123 4444 # - Your OpenVPN Server IP and OpenVPN Server Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Save that file in the config directory of where you installed OpenVPN client in your computer.

13. Copy ca.crt file to client

Copy the ca.crt file from /etc/openvpn/easy-rsa/2.0/keys/ on the OpenVPN server to your client and save it in the same folder as the .ovpn file you created. You can now log in to your VPN with the username and password you created in step 10.
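Steps 8 and 9 push redirect-gateway to clients and enable IP forwarding on the server, but client traffic that leaves through the WAN interface also needs a NAT rule for the VPN pool, or replies have no route back (Stewart Chen's comment below gives the iptables MASQUERADE rule that fixed this for him). As an added example that is not part of the original post, this script reads the “server” directive from server.conf, converts the netmask to CIDR notation, prints the matching iptables rule, and checks that sysctl.conf really enables forwarding. The interface name eth0 and the sample files are assumptions constructed for the demo; the printed rule is meant to be reviewed and then run as root on the server.

```shell
#!/bin/sh
# Added example (not from the original post): derive the routing pieces that the
# "redirect-gateway" push depends on. The NAT rule follows the MASQUERADE form
# given in the comments; the WAN interface name is an assumption.

# Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length (24).
mask_to_prefix() {
    prefix=0
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0)   ;;
            *)   IFS=$old_ifs; echo "invalid netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$prefix"
}

# Read the active "server NETWORK NETMASK" directive from an OpenVPN config
# (comments stripped first) and print the VPN pool in CIDR form.
vpn_subnet_cidr() {
    line=$(sed 's/#.*//' "$1" | grep -E '^[[:space:]]*server[[:space:]]+' | head -n 1)
    [ -n "$line" ] || { echo "no server directive in $1" >&2; return 1; }
    set -- $line
    echo "$2/$(mask_to_prefix "$3")"
}

# Print (do not run) the NAT rule that masquerades VPN client traffic out of
# the WAN interface. Review it, then run it as root on the server.
nat_rule() {
    conf=$1
    wan_if=${2:-eth0}   # assumed WAN interface name
    echo "iptables -t nat -A POSTROUTING -s $(vpn_subnet_cidr "$conf") -o $wan_if -j MASQUERADE"
}

# Return 0 if the sysctl file enables forwarding, 1 otherwise. A commented-out
# line or "= 0" does not count.
ip_forward_enabled() {
    sed 's/#.*//' "$1" | grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Constructed sample inputs for the demo (not the files from the post).
demo_conf=$(mktemp)
printf 'dev tun\nserver 172.26.1.0 255.255.255.0 # VPN pool\npush "redirect-gateway def1"\n' > "$demo_conf"
demo_sysctl=$(mktemp)
printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\n' > "$demo_sysctl"

if ip_forward_enabled "$demo_sysctl"; then
    echo "forwarding: enabled in $demo_sysctl"
else
    echo "forwarding: NOT enabled; set net.ipv4.ip_forward = 1 and run sysctl -p"
fi
echo "NAT rule to apply: $(nat_rule "$demo_conf" eth0)"
```

On the server from this how-to, `nat_rule /etc/openvpn/server.conf eth0` prints `iptables -t nat -A POSTROUTING -s 172.26.1.0/24 -o eth0 -j MASQUERADE`; remember that a rule added this way is lost on reboot unless it is saved (for example with `service iptables save`).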

This is a Guest Post by @jennycorteza

Author’s Bio: Jenny Corteza is always found working on advanced techniques to improve computer system usability. She is fond of reading information about bcp and other relevant IT-related topics.

  • Jeff

    Problem now, easy-rsa is not included with openvpn, any help?

  • robert

    I appreciate clear instructions, thanks

    Question, was SELINUX disabled for this install or was it previously disabled? Seems like if we are concerned about security leaving it on and making a policy module if there was no one already would be a good thing? Just adds a few extra steps to most things with chcon, audit2allow and the like. But, has the side benefit of extra security.

    Robert

    • Mitch

      Hi robert! Yes, you are correct, I disabled SELINUX prior to installing OpenVPN, but your point is good. Definitely something to think about on my next OpenVPN Server install. Regards, Mitch

  • WOW, DID THAT ALL, THEN DOWN THE BOTTOM, DO IT THE EASY WAY,… FUCK OFF.

    • Mitch

      Well Kieran, look at this from the bright side.. You learned something new hopefully 😉 regards, Mitch

  • Stewart Chen

    Did all that, Tunnelblick could connect. But could not resolve DNS.
    I added iptables -t nat -A POSTROUTING -s 172.26.1.0/24 -o eth0 -j MASQUERADE

    Seems to help.

    • Stewart

      I am running CentOS 6.5 and the installation of the openvpn will create a directory structure as such

      /etc/openvpn/openvpn-2.2.2/

  • fred mark

    Please, how can I open ports for your applications? I want to open ports like 3344, 5566, 9744 and many more for my different applications so I can communicate with my applications.

    Also I can check http://canyouseeme.org/ and see my port is open once my applications are running. Thanks