In this tutorial, we will learn how to install, set up and configure an OpenVPN service on CentOS 5, and how to configure the firewall to allow VPN traffic. Client configuration is covered in the linked article at the bottom of this tutorial.
Topology used in this scenario:
1 Ethernet card (eth0) connected to a router, which forwards all connections on port 1723 (UDP and TCP) to our server's internal IP.

Internet IP: 1.2.3.4
Internal IP: 192.168.0.2
Existing Subnet: 192.168.0.0/24
New VPN Subnet: 172.16.0.0/24
Installation:
1) To begin, we need to make sure we have the RPMForge repository installed and activated.
```
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
rpm --install rpmforge-release-0.5.2-2.el5.rf.i386.rpm
```
2) If you have SELinux enabled and enforcing, you will need to run this:
```
semanage port -a -t openvpn_port_t -p tcp 1723
semanage port -a -t openvpn_port_t -p udp 1723
```
3) Install OpenVPN via yum. This makes sure that the following packages are installed: openvpn, lzo, pkcs11-helper
```
yum install openvpn
```
4) Copy the easy-rsa directory from the template to your /etc/openvpn (please change the version number according to your version of openvpn)
```
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
```
**PLEASE NOTE** if the above command brings up an error such as the one below, easy-rsa is not included in the newer OpenVPN 2.3.1 build; follow the steps below to download and copy it over instead:

```
cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/': No such file or directory
```
Download easy-rsa from below:
```
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
```
Extract the package:
```
tar -zxvf easy-rsa-2.2.0_master.tar.gz
```
5) Change permissions
```
chmod +rwx *
```
6) Edit the configuration file /etc/openvpn/easy-rsa/2.0/vars with your favorite editor such as `nano` or `vi`, and change the values at the very bottom (from KEY_COUNTRY to KEY_OU) to match your own information. Keep the `export` prefix the file already uses, otherwise the values never reach the build scripts, and make sure you save a copy somewhere.

```
nano /etc/openvpn/easy-rsa/2.0/vars
```

example:

```
export KEY_COUNTRY="CA"
export KEY_PROVINCE="QC"
export KEY_CITY="Montreal"
export KEY_ORG="CompanyName"
export KEY_EMAIL="your@email.com"
export KEY_EMAIL=your@email.com
export KEY_CN=server.hostname.com
export KEY_NAME=server.hostname.com
export KEY_OU=OrganisationUnitName
```
7) Source the configuration file `vars` and run clean-all with the following commands. Sourcing `vars` only exports variables into the current shell, so these two commands and the build-* commands in the following steps must all run in the same shell session:

```
source /etc/openvpn/easy-rsa/2.0/vars
/etc/openvpn/easy-rsa/2.0/clean-all
```
8) Once we reach this step, openvpn has been installed and initially configured. Now we have to build our CA Certificate, our Server Certificate and our Client Certificate.
9) Start by building the CA Certificate with the command:
```
/etc/openvpn/easy-rsa/2.0/build-ca
```

This step will prompt you for the information of the Certificate Authority we are creating. If we configured the `vars` file in step 6, the default values shown between '[' and ']' for each prompt should be fine; otherwise change them accordingly.
10) It is time now to create the Server Certificate with our newly created CA Authority Certificate. Run the following command (and replace `server.hostname.com` with your server hostname):
```
/etc/openvpn/easy-rsa/2.0/build-key-server server.hostname.com
```

This will print a summary of the certificate to be created and ask you to confirm that you want to "Sign the certificate", to which you answer YES or 'y'.
Finally, it will ask you to confirm committing the change, to which again you answer YES or 'y'.
11) Now we have to edit our main configuration file at /etc/openvpn/openvpn.conf with our favorite editor such as `nano` or `vi` (change server.hostname.com to the value used while building the server certificate in step 10).

```
nano /etc/openvpn/openvpn.conf
```

example:

```
port 1723
proto udp # UDP is faster than TCP
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.hostname.com.crt
key /etc/openvpn/keys/server.hostname.com.key
dh /etc/openvpn/keys/dh1024.pem
cipher BF-CBC
comp-lzo
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 4.2.2.2" # Change these to your own DNS Server for even greater security
push "dhcp-option DNS 4.2.2.1" # Change these to your own DNS Server for even greater security
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
```
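The configuration above works, but several of its settings are ones a reviewer would flag today: `cipher BF-CBC` (and the implicit default when `cipher` is omitted, which is also BF-CBC on OpenVPN of this era) is a 64-bit block cipher exposed to the SWEET32 birthday attack on long-lived tunnels, `dh1024.pem` is below current key-size minimums, there is no `auth` line (so the HMAC defaults to SHA1), no `tls-auth`/`tls-crypt`, no `user`/`group` privilege drop, and `comp-lzo` enables compression-oracle attacks (VORACLE). The script below is an added example, not part of the original tutorial: it reads a server config and reports those weak or missing directives. The function name, message wording and return-code convention are the example's own; the directive names are OpenVPN's.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint an OpenVPN server config for
# settings that modern guidance considers weak. One finding per stdout line;
# the return value is the number of findings (0 means nothing was flagged).

lint_openvpn_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 255; }
    n=0

    # Drop comments and blank lines so commented-out directives do not match.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    # Blowfish and 3DES use 64-bit blocks (SWEET32). OpenVPN 2.2/2.3 default
    # to BF-CBC when no cipher is given, so a missing line counts as well.
    if has '^[[:space:]]*cipher[[:space:]]+(BF|DES-EDE3)-' || ! has '^[[:space:]]*cipher[[:space:]]+'; then
        echo "WEAK cipher: 64-bit block cipher (explicit or default); use cipher AES-256-GCM"
        n=$((n + 1))
    fi
    # 1024-bit DH parameters are below current minimums.
    if has '^[[:space:]]*dh[[:space:]]+.*1024'; then
        echo "WEAK dh: 1024-bit DH parameters; regenerate with at least 2048 bits"
        n=$((n + 1))
    fi
    # Without an auth line the data-channel HMAC defaults to SHA1.
    if ! has '^[[:space:]]*auth[[:space:]]+'; then
        echo "MISSING auth: HMAC defaults to SHA1; add auth SHA256"
        n=$((n + 1))
    fi
    # tls-auth/tls-crypt drop unauthenticated packets before the TLS stack
    # ever parses them.
    if ! has '^[[:space:]]*tls-(auth|crypt)[[:space:]]+'; then
        echo "MISSING tls-auth/tls-crypt: control channel accepts packets from anyone"
        n=$((n + 1))
    fi
    # Staying root after startup widens the impact of any daemon bug.
    if ! has '^[[:space:]]*user[[:space:]]+' || ! has '^[[:space:]]*group[[:space:]]+'; then
        echo "MISSING user/group: add user nobody and group nobody to drop privileges"
        n=$((n + 1))
    fi
    # Compression leaks information about the plaintext (VORACLE).
    if has '^[[:space:]]*(comp-lzo|compress)'; then
        echo "RISKY compression: comp-lzo/compress enables compression-oracle attacks; remove it"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh lint.sh /etc/openvpn/openvpn.conf
if [ $# -eq 1 ]; then
    lint_openvpn_conf "$1"
    exit $?
fi
```

Run it against /etc/openvpn/openvpn.conf after editing; the tutorial's example config produces six findings, and a config with `cipher AES-256-GCM`, `auth SHA256`, a 2048-bit `dh`, `tls-crypt`, `user nobody` and `group nobody` and no compression produces none.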
12) Create the directory to hold our created keys and certificates, make it private and move them into it:
```
mkdir /etc/openvpn/keys/
chmod 0700 /etc/openvpn/keys/
mv /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,ca.key,server.hostname.com.crt,server.hostname.com.key} /etc/openvpn/keys/
```
13) Create the Diffie-Hellman parameters and move them into the keys directory.

```
/etc/openvpn/easy-rsa/2.0/build-dh
mv /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/keys/
```
14) Make sure that the OpenVPN service starts at boot time

```
chkconfig openvpn on
```
15) That's it! The OpenVPN service is now ready to be started.

```
/etc/init.d/openvpn start
```
16) For the Firewall configuration, you need to run the following commands:
```
/sbin/iptables -A INPUT -d 1.2.3.4 -i eth0 -p udp -m udp --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -s 1.2.3.4 -d 172.16.0.0/255.255.255.0 -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -s 1.2.3.4 -d 172.16.0.0/255.255.255.0 -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
```

```
/sbin/iptables-save > /etc/sysconfig/iptables
/sbin/service iptables restart
```
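As an added example (not the tutorial's own code), here is the same rule set built from parameters, so the public IP, interface, protocol, port and VPN subnet can be changed in one place instead of retyping six commands, with the inputs validated first. The function names are this example's own, and it writes the subnet in CIDR form throughout (`172.16.0.0/24` rather than `172.16.0.0/255.255.255.0`, which iptables treats identically). The order is preserved on purpose: the catch-all `FORWARD -j DROP` must be appended last, after the rule that accepts traffic from the VPN subnet.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate the step-16 firewall rules
# from parameters. Dry run by default; apply_vpn_firewall_rules runs and saves them.

# vpn_firewall_rules PUBLIC_IP IFACE PROTO PORT VPN_SUBNET_CIDR
# Prints one iptables command per line; returns 1 on an invalid parameter.
vpn_firewall_rules() {
    pub="$1"; dev="$2"; proto="$3"; port="$4"; vpn="$5"

    case "$proto" in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi
    case "$vpn" in
        */[0-9]|*/[0-9][0-9]) ;;
        *) echo "subnet must be in CIDR form (a.b.c.d/n)" >&2; return 1 ;;
    esac

    # Same layout as the tutorial: accept the VPN port on the public
    # interface, allow our own traffic towards the tunnel, let established
    # forwarded flows and anything from the VPN subnet through, drop the rest.
    # The final DROP has to stay last because iptables evaluates rules in order.
    cat <<EOF
/sbin/iptables -A INPUT -d $pub -i $dev -p $proto -m $proto --dport $port -j ACCEPT
/sbin/iptables -A OUTPUT -s $pub -d $vpn -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -s $pub -d $vpn -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s $vpn -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
EOF
}

# apply_vpn_firewall_rules: same arguments; must run as root. Applies the
# rules, then persists and reloads them exactly as the tutorial does.
apply_vpn_firewall_rules() {
    rules=$(vpn_firewall_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e &&
        /sbin/iptables-save > /etc/sysconfig/iptables &&
        /sbin/service iptables restart
}

# Usage (dry run): sh vpn-fw.sh 1.2.3.4 eth0 udp 1723 172.16.0.0/24
if [ $# -eq 5 ]; then
    vpn_firewall_rules "$@"
    exit $?
fi
```

Review the printed rules first; only then run `apply_vpn_firewall_rules` with the same arguments as root.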
We still have to create the client certificate and configure the client to connect to our OpenVPN Service.
How to install OpenVPN on Windows 7 using Certificates
To install OpenVPN on Windows 7, go to the OpenVPN website, open the community downloads, and download the Windows installer.
Once it is downloaded, do not run it just yet. Open the download location, right-click the file and choose Properties. Go to the Compatibility tab, set the compatibility mode to Windows Vista SP1, tick the checkbox at the bottom that says 'Run this program as an administrator', and click OK to close the dialog.
Finally, right-click the Windows installer file for the OpenVPN installation package and choose 'Run as administrator'.
Proceed with the standard installation and accept any popup about signed or unsigned drivers, if there is one.
Tutorial topology
OpenVPN Server IP Address: 1.2.3.4
Client Internet IP Address: 6.7.8.9 (keep these values while following the tutorial and change them afterwards)
Client ABC Local Subnet before OpenVPN: 10.0.0.0/24
Client ABC Local Router IP Address: 10.0.0.1
Client ABC Local IP Address: 10.0.0.10

(certificates)
CA Certificate filename: ca.crt
Client ABC Certificate filename: client-abc.crt
Client ABC Key filename: client-abc.key
Client Certificates file:
The client certificate, the client key and the CA certificate must be copied onto the client computer, specifically into the OpenVPN config folder, located at:

```
"C:\Program Files (x86)\OpenVPN\config\" for 64 bits
"C:\Program Files\OpenVPN\config\" for 32 bits
```
To generate the client abc certificate and key, assuming you have followed our tutorial on how to set up the OpenVPN service on CentOS, run the following commands and then copy (do not move) the generated client certificate and key, together with the CA certificate, into the OpenVPN config folder stated above:

```
cd /etc/openvpn/easy-rsa/2.0/
source vars
/etc/openvpn/easy-rsa/2.0/build-key client-abc
```
Client Configuration file:
By default the file does not exist, so open a new Notepad window and save it at this location:

```
"C:\Program Files (x86)\OpenVPN\config\client-abc.ovpn" for 64 bits
"C:\Program Files\OpenVPN\config\client-abc.ovpn" for 32 bits
```
Then copy the following configuration inside and save the file:
```
client
auth-nocache
dev tun
proto udp
comp-lzo
resolv-retry infinite
persist-key
persist-tun
remote 1.2.3.4 1723
ca ca.crt
cert client-abc.crt
key client-abc.key
# Uncomment the following line if you want, for example, your OpenVPN client
# (which will be on the 172.16.0.0/24 subnet) to be able to access and route
# traffic to the 192.168.1.0/24 subnet on the OpenVPN server's side,
# assuming you have put the needed firewall / iptables rules in place.
# route 192.168.1.0 255.255.255.0
verb 3
float
```