How to install and configure OpenVPN server on CentOS

OpenVPN is one of the open source applications that allows you to create your own Virtual Private Network. We are not going to cover all the topics regarding VPNs, but for short these are used to transfer data from point A to point B in a secure way. Of course this allows us to bypass some firewalls and proxies, so this is one of the reasons we chose to use TCP port 443 (which is the default port for HTTPS and it’s almost never filtered) instead of default port for OpenVPN which is UDP 1194.

I am going to set up a GNU/Linux machine, running CentOS 6 as the OpenVPN server.

OpenVPN Server Setup

Note: You must already have CentOS installed and you also must have a working connection, if you don’t know how to do this, check out How to install Red Hat in 50 easy steps!

1. Disable SELinux and reboot the system!

[[email protected] ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[[email protected] ~]# reboot && exit

2. Install the EPEL repository.

[[email protected] ~]# rpm -ivh http://mirrors.n-ix.net/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

3. Update the packages:

[[email protected] ~]# yum -y update

4. Install OpenVPN and easy-rsa:

Note: Since OpenVPN version 2.3.2 “easy-rsa” is no longer bundled with OpenVPN and you need to install it from a different source, fortunately it is also available in EPEL repository.
[[email protected] ~]# yum -y install openvpn easy-rsa

5. Navigate to the easy-rsa tools directory:

[[email protected] ~]# cd /usr/share/easy-rsa/2.0

6. Edit the vars file to match your data:

[[email protected] 2.0]# vi vars

Find the following line

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

and replace it with:

export KEY_CONFIG=/usr/share/easy-rsa/2.0/openssl-1.0.0.cnf

You may edit any other variable to match your needs, but these are the only ones of interest:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="NewYork"
export KEY_ORG="VPN"
export KEY_EMAIL="[email protected]"
export KEY_OU="AlphaUnit"

7. Clean any previous info:

[[email protected] 2.0]# ./clean-all

8. Source the variable environment:

[[email protected] 2.0]# source ./vars

9. Build the Certificate of Authority:

[[email protected] 2.0]# ./build-ca

10. Build the Diffie Hellman file (if you want more info about this, read the OpenVPN manual):

[[email protected] 2.0]# ./build-dh

11. Create the Server Certificate and key:

[[email protected] 2.0]# ./build-key-server openvpnserver

12. Copy the CA certificate file to OpenVPN configuration directory:

[[email protected] 2.0]# cp keys/ca.crt /etc/openvpn/

13. Copy the server certificate to OpenVPN configuration directory:

[[email protected] 2.0]# cp keys/openvpnserver.crt /etc/openvpn/

14. Copy the server key to OpenVPN configuration directory:

[[email protected] 2.0]# cp keys/openvpnserver.key /etc/openvpn/

15. Copy the Diffie Hellman file to OpenVPN configuration directory:

[[email protected] 2.0]# cp keys/dh1024.pem /etc/openvpn/

16. Create the OpenVPN configuration file

[[email protected] 2.0]# vi /etc/openvpn/server.conf 

and append the following content to it (make sure you replace SERVER_IP_ADDRESS with the actual public IP address of your server):

local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert openvpnserver.crt
key openvpnserver.key
dh dh1024.pem
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

17. Start the OpenVPN server:

[[email protected] 2.0]# service openvpn restart

If everything is ok, you should see the following message:
Starting openvpn:                                          [  OK  ]

18. Make sure that openvpn interface is up and running

[[email protected] 2.0]# ifconfig -a |grep -A 7 tun0

 

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.85.1  P-t-P:192.168.85.2  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

19. Enable IP forwarding and set proper rule in the firewall that masquerades the traffic routed through the Virtual Private Network

[[email protected] 2.0]# echo "1" > /proc/sys/net/ipv4/ip_forward
Note: To make this change persistent after reboot, insert the following line in /etc/sysctl.conf
net.ipv4.ip_forward=1

 

[[email protected] 2.0]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

 

[[email protected] 2.0]# service iptables save

20. It is time to create several certificates/keys pairs for the clients

Note: You need to provide to each client the following:
  • ca.crt (Certificate of Authority) – this file is common
  • clientname.crt (client certificate) – this is private, not to be shared with anybody else
  • clientname.key (client private key) – this is private, not to be shared with anybody else

To create the client certificate, navigate to /usr/share/easy-rsa/2.0 if you happen to be inside a different directory and issue the following commands:

[[email protected] 2.0]# source ./vars
[[email protected] 2.0]# ./build-key clientname

Note: Repeat the last step to create a key/certificate pair for each client and provide the files to the client using a secure method (I suggest using SCP, SFTP email or FTPS)

OpenVPN is one of the open source applications that allows you to create your own Virtual Private Network. We are not going to cover all the topics regarding VPNs, but for short these are used to transfer data from point A to point B in a secure way. Of course this allows us to bypass some firealls, proxies, etc.

I am going to set up a GNU/Linux machine, running CentOS 6.2 as the OpenVPN server and a Windows machine as a client.

SERVER

1. Install the EPEL repository.


rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm

2. Update the packages:


yum -y update

3. Install OpenVPN:


yum -y install openvpn

4. Navigate to the certificate tools directory:


cd /usr/share/openvpn/easy-rsa/2.0

5. Copy the openssl-1.0.0 configuration file to openssl.cnf:


cp openssl-1.0.0.cnf openssl.cnf

6. Edit the vars file to match your data:


vim vars

You may edit any other variable to match your needs, but these are the only ones of interest:


 export KEY_COUNTRY="RO"
 export KEY_PROVINCE="BV"
 export KEY_CITY="Brasov"
 export KEY_ORG="ADesigns"
 export KEY_EMAIL="[email protected]"

6. Clean any previous info:


./clean-all

7. Source the variable environment:


source ./vars

8. Build the Certificate of Authority:


./build-ca

9. Build the Diffie Hellman file (if you want more info about this, read the OpenVPN manual):


./build-dh

10. Create the Server Certificate and key:


./build-key-server SERVER_NAME

11. Copy the CA certificate file to OpenVPN configuration directory:

 cp keys/ca.crt /etc/openvpn/ 

12. Copy the server certificate to OpenVPN configuration directory:

 cp keys/hebe.crt /etc/openvpn/ 

13. Copy the server key to OpenVPN configuration directory:

 cp keys/hebe.key /etc/openvpn/ 

14. Copy the Diffie Hellman file to OpenVPN configuration directory:

 cp keys/dh1024.pem /etc/openvpn/ 

15. Create the OpenVPN configuration file:

 vim /etc/openvpn/SERVER_NAME.conf 

and append the following content to it:

 local SERVER_IP_ADDRESS
 port 443
 proto tcp
 dev tun
 ca ca.crt
 cert SERVER_NAME.crt
 key SERVER_NAME.key
 dh dh1024.pem
 server 192.168.85.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 management localhost 7505
 push "redirect-gateway"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 8.8.4.4"
 #user nobody
 #group nobody
 cipher AES-256-CBC
 keepalive 10 120
 comp-lzo
 max-clients 10
 persist-key
 persist-tun
 status openvpn-status.log
 verb 3

16. Start the OpenVPN server:

 service openvpn restart 

If everything is ok, you should see the following message:
Starting openvpn:                                          [  OK  ]

CLIENT

Navigate to the OpenVPN site, go to the Community Section and download the Windows installer: http://openvpn.net/index.php/open-source/downloads.html

Create a new file called whatever.ovpn

client
dev tun
proto tcp-client
remote 83.103.190.171 443
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
ca “C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt”
cert “C:\\Program Files (x86)\\OpenVPN\\config\\annamaria.crt”
key “C:\\Program Files (x86)\\OpenVPN\\config\\annamaria.key”
cipher AES-256-CBC
comp-lzo
verb 3

Leave a Reply

Your email address will not be published. Required fields are marked *