OpenVPN Installation and configuration on CentOS 6.x

OpenVPN How To: Install and configure on CentOS 6.4

In this page I write a step-by-step tutorial which will guide you through installing OpenVPN on CentOS 6.x server. I will demonstrate all the steps in order to be as clear as possible. Do not hesitate to ask if you have any question.

What do I need OpenVPN for?

If you need to access your office network from a different location, the office located abroad or just far your 3G phone availability, than a virtual private network might be the solution you are looking for. In todays world many organizations still pay fees for VPN services, rather than use a server or system to fucntions as a VPN end-point. Setting up and configuring OpenVPN was never as easy with the RPMForge repository for CentOS 6.

Wikipedia short description:

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol^[2] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).^[3] OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

How To: Install and configure OpenVPN on CentOS 6.x – Geek-KB.com

System requirements:

1. A Dedicated server running CentOS 6.x
2. Proper knowledge to use Putty and SSH protocol.

How to Install OpenVPN to Build a CentOS VPN server

Prerequisite

Step 0 – Login to your server via SSH. Best login as root.

Step 1 – Now issue this first command syntax:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Login as root to your server via SSH.

Step 2 – Now download LZO RPM and Configure RPMForge Repo. Use wget command:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download LZO RPM and Configure RPMForge Repo Using wget command:

Step 3 – Now add correct repo for your server:

CentOS 6 32-bit (x86):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

Or: CentOS 6 64-bit (x86_64):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Add correct repo for your server

How to know which one is your server? Issue this command:

uname -a

If you see “x86_64 GNU/Linux” at the end of the output line means your server is 64-bit. Otherwise if you see “i686 i386 GNU/Linux” or “x86 GNU/Linux” means your machine is 32-bit.

username finder

Step 4 – Then build the rpm package using this command:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

hit enter for each line above.

Build the rpm package

Installing OpenVPN

Step 5 – Issue the special yum command:

yum install openvpn -y

Install OpenVPN on CentOS 6.x

Step 6 – Copy the easy-rsa folder to /etc/openvpn/, use this command:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

It seems like in the new version of OpenVPN (2.3.2) easy-rsa is not included, thus, here’s a download link: http://snk.to/f-ch2svs03

Step 7 – Now edit it:

nano /etc/openvpn/easy-rsa/2.0/vars

Edit this line:

export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

And replace it with this line:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

How To: Install and configure OpenVPN on CentOS 6.x

once done hit Control+O to save then Control+X to exit.

Step 8 – Create the certificate using these commands:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

hit enter for each line.

Create the certificate

Step 9 – It’s time to build necessary CA file:

./build-ca

Build necessary CA file

Hint Country Name: may be filled or press enter State or Province Name: may be filled or press enter City: may be filled or press enter Org Name: may be filled or press enter Org Unit Name: may be filled or press enter Common Name: your server hostname Email Address: may be filled or press enter

Step 10 – Time to build Key Server:

./build-key-server server

Build Key Server

Hint: Almost the same with ./build.ca but check the changes and additional Common Name: server A challenge password: leave Optional company name: fill or enter sign the certificate: y 1 out of 1 certificate requests: y You can simply leave them blank. The only 2 required are sign the certificate (choose “y”) and 1 out of 1 certificate requests (choose “y”)

Step 11 – Now issue command below to build Diffie Hellman:

./build-dh

Build Diffie Hellman

Step 12 – Create OpenVPN config file:

nano /etc/openvpn/server.conf

Step 13 – Now copy and paste these values into the config file:

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save it once done. (Control+O then Control+X)

Edit config file

How To: Install and configure OpenVPN on CentOS 6.x

Step 14 – Lets start OpenVPN service on your server for the very first time:

service openvpn start

Start OpenVPN service

How To: Install and configure OpenVPN on CentOS 6.x

Step 15 – You’ll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and edit “net.ipv4.ip_forward” line to 1:

nano /etc/sysctl.conf

replace 0 with 1 in this line:

net.ipv4.ip_forward = 1

enable IP forwarding in the file /etc/sysctl.conf

Hit Control+O to save then Control+X to exit nano.

Step 16 – Issue this command to load the change:

sysctl -p

Step 17 – Create new Linux username which can also be used to login to the VPN:

useradd username -s /bin/false

replace username with your own username. Then also create its password:

passwd username

Replace password\username

Step 18 – Now route some iptables.

Xen and KVM users use:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Do not forget to replace 123.123.123.123 with your server IP.

route iptables

How To: Install and configure OpenVPN on CentOS 6.x

Step 19 – Note: if you have CSF on the same server you need to open your OpenVPN port (Usually 1194) through the firewall and run the below commands for CSF:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Step 20 – Now save that iptables rules:

service iptables save

Step 21 – Windows VPN client installation,  lets create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other simple text editor tool). Enter following in that file:

client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Then save it with .ovpn extension. Save that file in the config directory of where you installed OpenVPN client in your computer. See

create a server.ovpn config file.

Step 22 – That’s it. Now you can copy ca.crt file from /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server’s document root (public_html).

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory

example:

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/www.geek-kb.com/public_html

Now you can download the ca.crt file from your browser by going to domain.com/ca.crt then save it to the same folder as .ovpn file you created earlier. That’s it. Now you can login to your VPN using username and password you’ve created.

Step 23 – Ubuntu VPN client installation:

Install openvpn:

yum install openvpn -y

Next, copy ca.crt, username.key, and username.crt from the OpenVPN server to your Ubuntu machine.

Step 24 – Configure the client

Create a new config file called server.conf for example and paste these values into it (don’t forget to replace 123.123.123.123 with your OpenVPN server IP and also point the red marked lines to the relative path of your ca.crt, username.key, and username.crt ):

client itaig-lt
dev tun
proto udp
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca "/etc/openvpn/homecerts/ca.crt"
cert "/etc/openvpn/homecerts/itaig-lt.crt"
key "/etc/openvpn/homecerts/itaig-lt.key"

Next, move the server.conf file to /etc/openvpn and restart the service:

service openvpn restart

There’s one more thing remaining to do on machines in the remote VPN network:

On each machine you intend to connect to remotely, you have to add the relevant route (if you have a router in the remote network you can simply add the route there):

On a Linux machine:

# route add -net net.id/network.size gw ip.of.gateway metric 1

Example:

# route add -net 192.168.1.0/24 gw 192.168.0.100 metric 1

After adding the route, test to see if it works by using ping on an IP on the remote network and if it works then you should set it as a permanent route. To do that, create a file in /etc/sysconfig/network-scripts/ folder and name it route-dev_name (the device which resides on the network you routed). Example:

nano /etc/sysconfig/network-scripts/route-eth0

And then type into the file the route line, it should look like that:

192.168.1.0/24 via 192.168.0.100 dev eth0

Hit ‘Ctrl + X’ to save the file.

On a Windows machine:

c:\route add net.id mask network.mask gateway.ip

Example:

c:\route add 192.168.1.0 mask 255.255.255.0 192.168.0.100

As mentioned above, after adding the route, test to see if it works by using ping on an IP on the remote network and if it works then you should set it as a permanent route. To do that, run the same command again and add -p at the end of the line, like so:

c:\route add 192.168.1.0 mask 255.255.255.0 192.168.0.100 -p

Optional section (password protect your certificate):

If you would like your users to use a password protected certificate when connecting to your VPN server, follow the next steps: 1. Go to:

/etc/openvpn/easy-rsa/2.0

2. Edit the vars file as mentioned above. 3. Run:

# source ./vars

# ./build-key-pass user_name

The password the user will have to input is the “PEM pass phrase”

Password protect your certificate

4. Now copy the user.crt, user.key and ca.crt to the relevant folder on the client and edit your .ovpn file on Windows or server.conf in Linux to add the new files. 5. Connect.   I hope this guide helped you, feel free to leave comments or ask questions.

Comments

comments