How to setup an OpenVPN server?


You can install OpenVPN on CentOS from the rpm binary package available in the EPEL repository. If you haven't set up the EPEL repository yet, follow the instructions on their website. OpenVPN can be set up as a bridged VPN or as a routed VPN; this example demonstrates a routed VPN setup. OpenVPN must be installed on both the server and the clients. The OpenVPN installation depends on openssl, lzo and pam.

yum install openssl lzo pam openvpn

To prevent updates from overwriting your configuration, copy the easy-rsa directory to another location and cd into its subdirectory, for example under /etc/openvpn:

cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
Edit some variables in the file vars. Find the lines matching
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
and change them according to your own situation; don't leave any of them empty, for example:
export KEY_COUNTRY="NL"
export KEY_PROVINCE="UT"
export KEY_CITY="Utrecht"
export KEY_ORG="Private"
export KEY_EMAIL="your e-mail address"
Now we can generate the authority certificate and key:
source ./vars
./clean-all
./build-ca
You will be asked some questions, of which you only have to answer
Common Name (eg, your name or your server's hostname)
The others take the defaults defined in vars. Now we also need to generate the certificate and key for the server:
./build-key-server server
Again you will be asked some questions. Most of them take the defaults defined in vars. Two questions have to be answered manually with 'y':
Sign the certificate? [y/n]:
and
1 out of 1 certificate requests certified, commit? [y/n]
After this we also need to generate the Diffie-Hellman parameters (dh1024.pem). This is done by calling:
./build-dh
For each client we have to generate client certificates. Let's create one:
./build-key vpnclient1
Also for this key you will be asked some questions, of which you only have to answer two manually with 'y':
Sign the certificate? [y/n]:
and
1 out of 1 certificate requests certified, commit? [y/n]
If you create more client keys, keep in mind that every client needs a unique common name. For extra security we also generate a key to use with tls-auth, which adds an additional HMAC signature to all SSL/TLS handshake packets. Generate this key with:
openvpn --genkey --secret keys/ta.key
The next step is to transfer the necessary files to the client: cd to ./keys and copy ta.key, ca.key, ca.crt, vpnclient1.key, vpnclient1.csr and vpnclient1.crt to the client.
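Before anything leaves the machine that holds the CA, it is worth checking what easy-rsa produced. The script below is an added example, not part of this howto and not an easy-rsa or OpenVPN tool: it verifies that a client certificate really chains to ca.crt, checks that the client common names are unique (OpenVPN keys per-client state on the CN, and without duplicate-cn a second client with the same CN disconnects the first), and builds an archive with only the files a client uses. The archive deliberately leaves out ca.key and the .csr: ca.key is the CA's private signing key and is only needed to sign further certificates, while a client needs nothing more than ca.crt to verify the server. KEYS_DIR (default ./keys, the easy-rsa keys directory) and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original howto: check the easy-rsa output and
# build the bundle one client needs. KEYS_DIR (default: ./keys, the easy-rsa
# keys directory) and all function names are this example's own.

KEYS_DIR="${KEYS_DIR:-keys}"

# Return 0 if the named client's certificate was signed by our CA and is still valid.
verify_client_cert() { # verify_client_cert CLIENTNAME
    openssl verify -CAfile "$KEYS_DIR/ca.crt" "$KEYS_DIR/$1.crt" >/dev/null 2>&1
}

# Print the common name of a certificate (handles old "/CN=x" and new "CN = x" output).
cert_cn() { # cert_cn FILE.crt
    openssl x509 -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# List the client certificates: everything in the keys directory except CA and server.
client_certs() {
    for crt in "$KEYS_DIR"/*.crt; do
        case "$(basename "$crt")" in ca.crt|server.crt) ;; *) echo "$crt" ;; esac
    done
}

# Return 0 if every client certificate carries a distinct common name. OpenVPN keys
# per-client state (ipp.txt, client-config-dir) on the CN, and without duplicate-cn
# a second client presenting the same CN disconnects the first.
client_cns_unique() {
    total=$(client_certs | wc -l | tr -d ' ')
    distinct=$(client_certs | while read -r crt; do cert_cn "$crt"; done | sort -u | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] && [ "$total" -eq "$distinct" ]
}

# Write a tar archive with the four files a client needs: ca.crt, ta.key and its own
# cert and key. ca.key (the CA's private signing key) and the .csr are left out on
# purpose; the client only needs ca.crt to verify the server's certificate.
bundle_client() { # bundle_client CLIENTNAME OUTPUT.tar
    name="$1"; out="$2"
    verify_client_cert "$name" || { echo "$name.crt does not verify against ca.crt" >&2; return 1; }
    ( umask 077; tar -C "$KEYS_DIR" -cf "$out" ca.crt ta.key "$name.crt" "$name.key" )
}

# Return 0 if an archive contains no CA private key.
bundle_has_no_ca_key() { # bundle_has_no_ca_key ARCHIVE.tar
    ! tar -tf "$1" | grep -qx 'ca.key'
}
```

Usage from the easy-rsa 2.0 directory: `. ./this-script.sh; bundle_client vpnclient1 /root/vpnclient1.tar` after `client_cns_unique` has reported success. The archive is created with mode 0600 because of the umask; move it to the client over a channel you trust (for example scp) and delete the copy on the server afterwards, since it contains the client's private key and ta.key.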

Next the server can be configured. Open and edit the file /etc/openvpn/openvpn.conf:

mode server
local 192.168.1.3 #IP of your OpenVPN server
port 1194
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.10.10.0 255.255.255.0
ifconfig 10.10.10.1 255.255.255.0
push "dhcp-option DNS 192.168.1.2" #IP of your DNS server
push "dhcp-option WINS 192.168.1.2" #IP of your WINS server
push "route 192.168.1.0 255.255.255.0 10.10.10.1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-server
tls-auth ta.key 0
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 1
client-to-client
Copy the necessary key and certificate files to /etc/openvpn/:
cp /etc/openvpn/easy-rsa/2.0/keys/ta.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/
On the client side, edit the config file /etc/openvpn/server.conf (if the client is a Windows machine, please read the documentation):
client
proto tcp
dev tap
port 1194
remote REMOTEHOST #FQDN or IP of the server
tls-client
ca ca.crt
cert vpnclient1.crt
key vpnclient1.key
tls-auth ta.key 1
comp-lzo
pull
verb 1
and place the necessary key and crt files in the directory /etc/openvpn/. To forward the VPN traffic to your LAN we need to configure iptables and enable forwarding. A sample firewall script looks like this:
#!/bin/bash
# Basic Firewall script for OpenVPN

IPT="/sbin/iptables" #Path to iptables binary
LAN="eth0" #Your LAN interface
VNET="10.10.10.0/24" #VPN network
VPNIF="tap+" #VPN tap interfaces

echo 1 > /proc/sys/net/ipv4/ip_forward

#Flush existing rules
$IPT -P INPUT ACCEPT
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i $VPNIF -j ACCEPT
$IPT -A FORWARD -i $VPNIF -j ACCEPT
$IPT -t nat -A POSTROUTING -s $VNET -o $LAN -j MASQUERADE
Note that forwarding can also be enabled by editing /etc/sysctl.conf and changing the line
net.ipv4.ip_forward = 0
into
net.ipv4.ip_forward = 1
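A mismatch between the server and client configuration files above (tls-auth key direction, dev, proto, comp-lzo, port) shows up only as a handshake that never completes, so it pays to check the pair before starting either side. The script below is an added example, not part of this howto and not an OpenVPN tool: it strips comments the way OpenVPN's config parser does (a '#' or ';' outside double quotes starts a comment, which is why the inline comments in the server config above are harmless), verifies that the files a config refers to exist next to it, and compares a server/client pair. Function names and the config paths are this example's own.

```shell
#!/bin/sh
# Added example, not part of the howto or of OpenVPN: consistency checks for a
# server/client configuration pair. Function names and paths are this example's own.

# Print the effective directive lines of a config: comments removed ('#' or ';'
# outside double quotes starts a comment), blank lines dropped.
conf_lines() { # conf_lines FILE
    awk '{
        line = ""; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            else if (!inq && (c == "#" || c == ";")) break
            line = line c
        }
        if (line ~ /[^ \t]/) print line
    }' "$1"
}

# Print the arguments of the first occurrence of DIRECTIVE in FILE.
conf_get() { # conf_get FILE DIRECTIVE
    conf_lines "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 if DIRECTIVE appears in FILE.
conf_has() { # conf_has FILE DIRECTIVE
    conf_lines "$1" | awk -v d="$2" '$1 == d { f = 1; exit } END { exit !f }'
}

# Return 0 if every certificate/key file the config refers to exists, resolving
# relative names against the config's own directory (the howto keeps them all in
# /etc/openvpn next to the config).
check_files_exist() { # check_files_exist CONF
    conf="$1"; dir=$(dirname "$conf"); rc=0
    for d in ca cert key dh tls-auth; do
        conf_has "$conf" "$d" || continue
        f=$(conf_get "$conf" "$d" | awk '{ print $1 }')   # tls-auth also carries a direction
        case "$f" in /*) p="$f" ;; *) p="$dir/$f" ;; esac
        [ -f "$p" ] || { echo "$conf: $d refers to missing file $p" >&2; rc=1; }
    done
    return $rc
}

# 'tcp' and 'tcp-server'/'tcp-client' (likewise udp) describe the same transport.
proto_base() { printf '%s\n' "$1" | sed -e 's/-server$//' -e 's/-client$//'; }

# Return 0 if a server and a client config agree on everything that must match for
# the TLS handshake to complete: transport, device type, tls-auth direction,
# compression and port.
check_pair() { # check_pair SERVER_CONF CLIENT_CONF
    s="$1"; c="$2"; rc=0
    sproto=$(proto_base "$(conf_get "$s" proto)"); cproto=$(proto_base "$(conf_get "$c" proto)")
    [ "$sproto" = "$cproto" ] || { echo "proto mismatch: server '$sproto', client '$cproto'" >&2; rc=1; }
    sdev=$(conf_get "$s" dev); cdev=$(conf_get "$c" dev)
    [ "$sdev" = "$cdev" ] || { echo "dev mismatch: server '$sdev', client '$cdev'" >&2; rc=1; }
    # tls-auth: the same key on both sides, direction 0 on the server and 1 on the client.
    sdir=$(conf_get "$s" tls-auth | awk '{ print $2 }'); cdir=$(conf_get "$c" tls-auth | awk '{ print $2 }')
    if [ -z "$sdir" ] || [ -z "$cdir" ]; then
        echo "tls-auth with a key direction is needed on both sides" >&2; rc=1
    elif [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; then
        echo "tls-auth direction must be 0 (server) / 1 (client), got $sdir/$cdir" >&2; rc=1
    fi
    # comp-lzo on both sides or on neither.
    if conf_has "$s" comp-lzo; then sl=1; else sl=0; fi
    if conf_has "$c" comp-lzo; then cl=1; else cl=0; fi
    [ "$sl" = "$cl" ] || { echo "comp-lzo is set on one side only" >&2; rc=1; }
    # Port: the client may give it as the second word of 'remote' or via 'port'.
    sport=$(conf_get "$s" port); cport=$(conf_get "$c" remote | awk '{ print $2 }')
    [ -n "$cport" ] || cport=$(conf_get "$c" port)
    [ "${sport:-1194}" = "${cport:-1194}" ] || { echo "port mismatch: server '$sport', client '$cport'" >&2; rc=1; }
    return $rc
}
```

Run `check_files_exist /etc/openvpn/openvpn.conf` on the server and, with a copy of the client file at hand, `check_pair /etc/openvpn/openvpn.conf client.conf`; each problem is printed on stderr and the exit status is non-zero when anything is wrong.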
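The firewall script above works, but it leaves the FORWARD chain at its default ACCEPT policy and accepts every packet arriving on a tap interface, so a VPN client can reach anything the server can route to. The script below is an added example, not the howto's script, of the same routed setup with default-deny policies: the server only accepts the OpenVPN port (plus ssh from the LAN for management), VPN clients may only open new connections into the LAN subnet, everything else from the VPN side is logged and dropped, and the DROP policies are set after the established-connection rules exist so an admin session is not cut while the rules are loaded. Interface names, networks, the port and the management-ssh rule are placeholders for illustration; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the howto's script: the same routing setup with default-deny
# policies. Interface names, networks, the port and the management-ssh rule are
# placeholders for illustration; set them for your own network. DRY_RUN=1 prints
# the rules instead of applying them.
IPT="${IPT:-/sbin/iptables}"
LAN="${LAN:-eth0}"                      # LAN interface
LANNET="${LANNET:-192.168.1.0/24}"      # LAN subnet the VPN clients may reach
VNET="${VNET:-10.10.10.0/24}"           # VPN client network (as in the howto)
VPNIF="${VPNIF:-tap+}"                  # VPN tap interfaces
VPNPORT="${VPNPORT:-1194}"              # OpenVPN listening port, tcp as in the howto

# Run a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

vpn_firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate. Policies are set to DROP only after the established-connection
    # rules exist, so an admin session over ssh is not cut while the script runs.
    run $IPT -F INPUT; run $IPT -F FORWARD; run $IPT -F OUTPUT; run $IPT -t nat -F
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -P OUTPUT ACCEPT

    # What the server itself accepts: the OpenVPN port, and ssh from the LAN for management.
    run $IPT -A INPUT -i "$LAN" -p tcp --dport "$VPNPORT" -j ACCEPT
    run $IPT -A INPUT -i "$LAN" -s "$LANNET" -p tcp --dport 22 -j ACCEPT

    # VPN clients may open new connections into the LAN subnet only. Client-to-client
    # traffic is switched inside OpenVPN (client-to-client) and never reaches FORWARD.
    run $IPT -A FORWARD -i "$VPNIF" -o "$LAN" -s "$VNET" -d "$LANNET" -m state --state NEW -j ACCEPT
    run $IPT -t nat -A POSTROUTING -s "$VNET" -o "$LAN" -j MASQUERADE

    # Anything else from the VPN side is logged before the DROP policy discards it.
    run $IPT -A FORWARD -i "$VPNIF" -j LOG --log-prefix "vpn-fwd-drop: "
}

# Apply only when explicitly asked: ./vpn-firewall.sh apply
if [ "${1:-}" = apply ]; then vpn_firewall_rules; fi
```

Review the rule set first with `DRY_RUN=1 sh vpn-firewall.sh apply`, then apply it as root. Because INPUT defaults to DROP, anything else the server must answer (ICMP, monitoring, a second management path) needs its own ACCEPT rule.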