Red hat linux Web Hosting

How to install, setup and configure an OpenVPN Service on CentOS 5

In this tutorial, we will learn how to install, setup and configure an OpenVPN Service on CentOS 5 as well as configuring the firewall to allow vpn traffic. Clients configuration will be done in the linked article, available at the bottom of this tutorial.

Topology used in this scenario:

1 Ethernet card (eth0) connected to a router, which forward all connection on port 1723 for UDP and TCP protocol to our server internal IP.
Internet IP: 1.2.3.4
Internal IP: 192.168.0.2
Existing Subnet: 192.168.0.0/24
New VPN Subnet: 172.16.0.0/24

Installation:

1) To begin, we need to make sure we have the RPMForge repository installed and activated.

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
rpm --install rpmforge-release-0.5.2-2.el5.rf.i386.rpm

2) If you have SELinux enabled and enforcing, you will need to run this:

semanage port -a -t openvpn_port_t -p tcp 1723
semanage port -a -t openvpn_port_t -p udp 1723

3) Install OpenVPN via yum. This will make sure that the following package are installed: openvpn, lzo, pkcs11-helper

yum install openvpn

4) Copy the easy-rsa directory from the template to your /etc/openvpn (please change the version number according to your version of openvpn)

cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/

**PLEASE NOTE** if the above command brings up an error such as below, then please follow the following steps to download and copy over easy-rsa as its not included in the new build OpenVPN 2.3.1:

cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/’: No such file or directory

Download easy-rsa from below:

wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Extract the package:

tar -zxvf easy-rsa-2.2.0_master.tar.gz

5) Change permissions

chmod +rwx *

6) Edit the configuration file /etc/openvpn/easy-rsa/2.0/vars with your favorite editor such as `nano` or `vi`, and change the values at the complete bottom to correspond with your own informations and make sure you save a copie somewhere. (from KEY_COUNTRY up to KEY_OU)

nano /etc/openvpn/easy-rsa/2.0/vars

example:
KEY_COUNTRY="CA"
KEY_PROVINCE="QC"
KEY_CITY="Montreal"
KEY_ORG="CompanyName"
KEY_EMAIL="your@email.com"
KEY_EMAIL=your@email.com
KEY_CN=server.hostname.com
KEY_NAME=server.hostname.com
KEY_OU=OrganisationUnitName

7) Source the configuration file `vars` with the following command and clean-all

source /etc/openvpn/easy-rsa/2.0/vars
/etc/openvpn/easy-rsa/2.0/clean-all

8) Once we reach this step, openvpn has been installed and initially configured. Now we have to build our CA Certificate, our Server Certificate and our Client Certificate.

9) Start by building the CA Certificate with the command:

/etc/openvpn/easy-rsa/2.0/build-ca

This step will ask your information for the CA Certificate Authority that we are creating, if we configured the `vars` configuration file in step 6, the default values provided between ‘[‘ and ‘]’ for each value should be fine. Otherwise change accordingly.

10) It is time now to create the Server Certificate with our newly created CA Authority Certificate. Run the following command (and replace `server.hostname.com` with your server hostname):

/etc/openvpn/easy-rsa/2.0/build-key-server server.hostname.com

This will print a summary of the certificate to be created and ask you to confirm that you want to “Sign the certificate” which you will say YES ot ‘y’
Finally, it will ask you to confirm to commit the change, which again, you will say YES or ‘y’

11) Now we have to edit our main configuration file at /etc/openvpn/openvpn.conf with our favorite editor such as `nano` or `vi`,
(change server.hostname.com for the value used while building the server certificate at step 10)

nano /etc/openvpn/openvpn.conf

example: 

port 1723
proto udp # UDP is faster than TCP
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.hostname.com.crt
key /etc/openvpn/keys/server.hostname.com.key
dh /etc/openvpn/keys/dh1024.pem
cipher BF-CBC
comp-lzo
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 4.2.2.2" # Change these to your own DNS Server for even greater security
push "dhcp-option DNS 4.2.2.1" # Change these to your own DNS Server for even greater security
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3

12) Create the directory to hold our created keys and certificates, make it private and move them into it:

mkdir /etc/openvpn/keys/
chmod 0700 /etc/openvpn/keys/
mv /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,ca.key,server.hostname.com.crt,server.hostname.com.key} /etc/openvpn/keys/

13) Create the DH and move it.

/etc/openvpn/easy-rsa/2.0/build-dh
mv /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/keys/

14) Make sure that the OpenVPN Service start at boot time

chkconfig openvpn on

15) That it! The OpenVPN Service is now ready to be executed.

/etc/init.d/openvpn start

16) For the Firewall configuration, you need to run the following commands:

/sbin/iptables -A INPUT -d 1.2.3.4 -i eth0 -p udp -m udp --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -s 1.2.3.4 -d 172.16.0.0/255.255.255.0 -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -s 1.2.3.4 -d 172.16.0.0/255.255.255.0 -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables-save > /etc/sysconfig/iptables
/sbin/service iptables restart

We still have to create the client certificate and configure the client to connect to our OpenVPN Service.

How to install OpenVPN on Windows 7 using Certificates

 

o install OpenVPN on Windows 7, go on the OpenVPN website, in the community downloads, and download the Windows Installer.

Once it is downloaded, do not run it just yet. Open the download location, right click on the file and choose properties. Go to the compatibility tab and set it compatibility to Windows Vista SP1 and tick the checkbox at the bottom that say ‘Run this program as an administrator’, Click OK which will close this dialog

Finally, right click on the Windows Installer file for the OpenVPN installation package and choose ‘Run as an Administrator’

Proceed with standard installation and accept any popup about signed or unsigned drivers if there is any.

Tutorial topology

OpenVPN Server IP Address: 1.2.3.4
Client Internet IP Address: 6.7.8.9

(Important, make sure it matches these values, change it later)
Client ABC Local Subnet before OpenVPN: 10.0.0.0/24
Client ABC Local Router IP Address: 10.0.0.1
Client ABC Local IP Address: 10.0.0.10

(certificates)
CA Certificate filename: ca.crt
Client ABC Certificate filename: client-abc.crt
Client ABC Key filename: client-abc.key


Client Certificates file:

The client certificate, the client key and the CA certificate must be copied into the client computer, especially in the OpenVPN config folder, located at:

"C:\Program Files (x86)\OpenVPN\config\" for 64 bits
"C:\Program Files\OpenVPN\config\" for 32 bits

To generate the client abc certificate and key, and that you have followed our tutorial on how to setup the openvpn service on CentOS, you can run the following command and then copie (not move), the generated client certificate and key, with the CA cert to the OpenVPN config folder, stated above:

cd /etc/openvpn/easy-rsa/2.0/
source vars
/etc/openvpn/easy-rsa/2.0/build-key client-abc


Client Configuration file:

By default the file do not exist, so open a new notepad, and save it at this location:

"C:\Program Files (x86)\OpenVPN\config\client-abc.ovpn" for 64 bits
"C:\Program Files\OpenVPN\config\client-abc.ovpn" for 32 bits

Then copy the following configuration inside and save the file:

 client
 auth-nocache
 dev tun
 proto udp
 comp-lzo
 resolv-retry infinite
 persist-key
 persist-tun
 remote 1.2.3.4 1723
 ca ca.crt
 cert client-abc.crt
 key client-abc.key

 # Uncomment the following line if you want by example that your openvpn client,
 # Which should be on the 172.16.0.0/24 subnet to be be able to access and route
 # traffic to the 192.168.1.0/24 subnet on the side of the OpenVPN Server,
 # assuming you have put the proper needed firewall / iptables rules.
 # route 192.168.1.0 255.255.255.0

 verb 3
 float

Leave a Reply

Your email address will not be published. Required fields are marked *