Install OpenVPN on CentOS

juaribd

This tutorial is for home users who have a spare system on which to run OpenVPN. Windows 7 is used as the client connecting to the VPN.

If you face a problem with this How-To, please reply with specific data and I will try to help.

First, install CentOS on the server. If the server sits behind a NAT router or firewall, forward UDP port 1194 to it; a machine with a public address of its own needs no forwarding.

Add RPMForge Yum Repository

The openvpn package comes from the RPMForge repository, so add it first. Only the 64-bit package is given below; on a 32-bit (x86) system use the matching i386 rpmforge-release package from the same mirror. Two things to keep in mind: the download is plain HTTP and rpm installs the package even when its signature cannot be checked, so import the RPMForge GPG key and verify the file with rpm's -K check before installing it; and the el5 package ties this guide to CentOS 5. RPMForge is no longer maintained, and on later CentOS releases openvpn is available from EPEL instead.

For x64 (64-bit) systems
Code:
rpm -Uhv http://mirror.clarkson.edu/rpmforge/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Configure iptables
Create iptables_set.sh, chmod +x iptables_set.sh, and run the script.
  • Note: 10.10.9.0/24 is the VPN subnet that the server line in server.conf hands out further down; if you change one, change the other. eth0 must be the interface that faces the Internet.
  • Note: the script opens TCP port 22 so that SSH stays reachable after the INPUT policy becomes DROP; remove that line if you only ever manage the box from the console. The ESTABLISHED,RELATED rule is added before the policy change so the SSH session you run the script from is not cut off halfway through.
Code:
#!/bin/bash
# Flush the filter and nat tables so the script can be re-run cleanly
/sbin/iptables -F
/sbin/iptables -t nat -F
# Accept replies to connections already open, and loopback, before the policy
# changes so an SSH session used to run this script is not cut off
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
# OpenVPN, ICMP, anything arriving through the tunnel, and SSH management
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Everything else inbound is dropped; outbound is unrestricted
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Route VPN clients (10.10.9.0/24) out to the Internet and let replies back in
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.10.9.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
# Hide the VPN subnet behind the server's public address on eth0
/sbin/iptables -t nat -A POSTROUTING -s 10.10.9.0/24 -o eth0 -j MASQUERADE
# Write the rules to /etc/sysconfig/iptables so they survive a reboot, then show them
/sbin/service iptables save
/sbin/iptables -L -v
Configure Kernel
Enable IP forwarding so the server can route client traffic out to the Internet. Edit
Code:
/etc/sysctl.conf

and set
Code:
net.ipv4.ip_forward = 1
Make the change active

  • sysctl -p
Install OpenVPN Server
Install openvpn

  • yum install openvpn
Configure openvpn to start on boot

  • chkconfig --levels 345 openvpn on
Generate RSA Keys
Copy the
Code:
easy-rsa
directory. The version in the path must match the installed package; check it with rpm -q openvpn and adjust 2.1.4 if it differs.

  • cp -r /usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/
Modify the
Code:
easy-rsa
parameter settings

  • cd /etc/openvpn/easy-rsa/2.0/
  • Edit the bottom fields in vars with your information. The file below keeps KEY_SIZE=1024, which is what the output further down shows; 1024-bit RSA and 1024-bit DH are below today's minimum, so set KEY_SIZE=2048 before generating anything. build-dh then writes dh2048.pem, and the dh line in server.conf must name that file instead of dh1024.pem.
Code:
Code:
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="Potsdam"
export KEY_ORG="Home"
export KEY_EMAIL="[email protected]"
Make all files in the directory executable

  • chmod +x ./*
Load the settings, initialise the empty keys directory, and build the Certificate Authority. Use all defaults except the common name, which identifies the CA (openvpn below). clean-all deletes everything under keys/, so run it only once, on a fresh setup.

  • . ./vars
  • ./clean-all
  • ./build-ca
Code:
Generating a 1024 bit RSA private key
..................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Home CA]:openvpn
Name []:
Email Address [[email protected]]:
Generate the VPN server key

  • ./build-key-server server
Code:
Generating a 1024 bit RSA private key
.................++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 14 00:07:10 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build the first client key. Repeat this step with a different name for each additional client rather than sharing client1 between devices: a certificate per device can be revoked on its own later (./revoke-full client1 writes keys/crl.pem, which the server loads with crl-verify) without touching the others.

  • ./build-key client1
Code:
Generating a 1024 bit RSA private key
....................................++++++
.................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Apr 14 00:07:42 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build the remaining keys: the Diffie-Hellman parameters (this takes a while at 2048 bits) and the tls-auth HMAC key ta.key, which is shared by the server and every client and lets the server discard packets from anyone who does not hold it before the TLS handshake starts

  • ./build-dh
  • openvpn --genkey --secret keys/ta.key
Copy the files the server actually needs into the OpenVPN directory. Leave ca.key where it is: it is the CA private key, which only signs certificates, and the VPN server never needs it; anyone who gets root on the server with ca.key present can mint certificates the server and clients will trust. server.csr is not needed either once server.crt exists. Afterwards make server.key and ta.key readable by root only (mode 600); OpenVPN reads them as root before it drops to nobody.

  • cp keys/ca.crt keys/dh1024.pem keys/server.crt keys/server.key keys/ta.key /etc/openvpn/
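A check for the step just done, as an added example that is not part of the original post or of OpenVPN: it looks at the files in /etc/openvpn (or a directory given as its argument), reports anything the server needs that is missing, flags ca.key and server.csr if they were copied along, and checks that the private keys are mode 600. The file names are the ones the easy-rsa steps above produce; the WARN wording, the function name and the KEY_FINDINGS counter are this script's own.

```shell
#!/bin/sh
# check_keys.sh - sanity-check the key material placed in the OpenVPN directory.
# Added example for this How-To; not part of OpenVPN or easy-rsa.
# Assumes the file names from the easy-rsa steps above and takes the directory
# to inspect as its first argument (default /etc/openvpn).

ovpn_check_keys() {
    dir="${1:-/etc/openvpn}"
    KEY_FINDINGS=0
    finding() { echo "WARN: $1"; KEY_FINDINGS=$((KEY_FINDINGS + 1)); }

    # Files the server needs; a missing one stops openvpn from starting.
    for f in ca.crt server.crt server.key ta.key; do
        [ -f "$dir/$f" ] || finding "$f missing from $dir"
    done
    ls "$dir"/dh*.pem >/dev/null 2>&1 || finding "no dh*.pem in $dir (run ./build-dh and copy the result)"

    # Files that must NOT be here. ca.key signs new certificates, so with it on
    # the VPN host anyone who gets root there can mint trusted client and server
    # certs; it belongs in the easy-rsa keys directory, not in production.
    # server.csr is only the signing request and is useless once server.crt exists.
    [ -f "$dir/ca.key" ]     && finding "ca.key present: remove it, the server only needs ca.crt"
    [ -f "$dir/server.csr" ] && finding "server.csr present: not needed after signing"

    # Private keys are read as root before the drop to nobody, so mode 600 is enough.
    for f in server.key ta.key ca.key; do
        if [ -f "$dir/$f" ] && [ -n "$(find "$dir/$f" ! -perm 600)" ]; then
            finding "$f is not mode 600: chmod 600 $dir/$f"
        fi
    done
    return 0
}

# Usage: sh check_keys.sh /etc/openvpn
if [ $# -ge 1 ]; then ovpn_check_keys "$1"; fi
```

Run it as root on the server after the copy; a clean directory prints nothing and leaves KEY_FINDINGS at 0.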
Copy the sample server configuration file (again, match the version in the path to rpm -q openvpn) and edit it to look like the following. The server line sets the VPN subnet used in the iptables script; tls-auth ta.key 0 pairs with tls-auth ta.key 1 in the client file; redirect-gateway sends all client traffic through the tunnel, with DNS pointed at OpenDNS. comp-lzo is kept here because the client file below expects it, but compression on a VPN lets an attacker who can inject traffic into the tunnel recover plaintext (VORACLE), so leave it out of both files unless you really need it.

  • cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
Code:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
tls-auth ta.key 0
dh dh1024.pem
server 10.10.9.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Start OpenVPN
Start the OpenVPN service

  • service openvpn start
Install the Client
Download and install the latest Windows client with all default options.
Copy the following files from the
Code:
/etc/openvpn/easy-rsa/2.0/keys/
directory on the server to
Code:
C:\Program Files (x86)\OpenVPN\config\
on the client. (Note: the directory will be under "C:\Program Files" on an x86 Windows client.) client1.key is the client's private key and ta.key is shared with the server, so move them over an authenticated channel such as scp/sftp or a USB stick, never by e-mail, and delete any copies left on intermediate machines. Do not copy ca.key to the client.
  • ca.crt
  • client1.crt
  • client1.key
  • ta.key
Create
Code:
client1.ovpn
in the same config directory as the keys
Code:
client
dev tun
proto udp
remote SERVER_DNS_OR_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
keepalive 10 120
route-method exe
route-delay 2
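A configuration audit for the two files above (server.conf and client1.ovpn), as an added example that is not part of the original post or of OpenVPN. It reads a config with awk, works out from the client directive which end of the tunnel it is for, and prints one WARN line per security-relevant gap: compression enabled, tls-auth missing or pointing the wrong way, a client without ns-cert-type server / remote-cert-tls server, a server on 1024-bit DH or still running as root. The directive names are OpenVPN's own; the WARN texts, the function names and the OVPN_FINDINGS counter are this script's. Run it on the server against /etc/openvpn/server.conf and on whichever machine holds client1.ovpn before it is copied to Windows.

```shell
#!/bin/sh
# ovpn_audit.sh - flag security-relevant settings in an OpenVPN config file.
# Added example for this How-To; not part of OpenVPN or easy-rsa. Uses only sh
# and awk, so it runs on the CentOS server or any Unix host holding the .ovpn.

# Print the arguments of the first occurrence of directive $2 in file $1
# (empty if absent or bare). Comment lines (# or ;) are skipped.
ovpn_opt() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Succeed if directive $2 appears (with or without arguments) in file $1.
ovpn_has() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == key { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Audit one config. Each finding is one WARN line; OVPN_FINDINGS holds the count.
ovpn_audit() {
    conf="$1"
    OVPN_FINDINGS=0
    warn() { echo "WARN: $1"; OVPN_FINDINGS=$((OVPN_FINDINGS + 1)); }

    # Checks that apply to both ends of the tunnel.
    if ovpn_has "$conf" comp-lzo; then
        warn "comp-lzo: compressing traffic an attacker can partly control leaks plaintext (VORACLE); drop it on both sides"
    fi
    ta=$(ovpn_opt "$conf" tls-auth)
    [ -n "$ta" ] || warn "no tls-auth: any host can talk to the TLS stack; add 'tls-auth ta.key 0' (server) / 'tls-auth ta.key 1' (client)"

    if ovpn_has "$conf" client; then
        # Client side: without this, any certificate signed by the CA (another
        # client's, for instance) would be accepted as the server.
        if ! ovpn_has "$conf" remote-cert-tls && ! ovpn_has "$conf" ns-cert-type; then
            warn "client trusts any CA-signed cert as the server; add 'ns-cert-type server' (or 'remote-cert-tls server', its OpenVPN 2.1+ replacement)"
        fi
        case "$ta" in *" 1") ;; "") ;; *) warn "client tls-auth direction must be 1 when the server uses 0" ;; esac
    else
        # Server side.
        dh=$(ovpn_opt "$conf" dh)
        case "$dh" in
            "")     warn "no dh: the TLS handshake cannot complete; add 'dh dh2048.pem'" ;;
            *1024*) warn "dh '$dh': 1024-bit DH; set KEY_SIZE=2048 in vars, rerun ./build-dh and point dh at dh2048.pem" ;;
        esac
        ovpn_has "$conf" user  || warn "no user: openvpn keeps running as root; add 'user nobody'"
        ovpn_has "$conf" group || warn "no group: add 'group nobody'"
        if ovpn_has "$conf" user && ! ovpn_has "$conf" persist-key; then
            warn "user without persist-key: keys cannot be re-read after the privilege drop, so a restart fails"
        fi
        case "$ta" in *" 0") ;; "") ;; *) warn "server tls-auth direction should be 0 (clients use 1)" ;; esac
    fi
    return 0
}

# Usage: sh ovpn_audit.sh /etc/openvpn/server.conf
if [ $# -ge 1 ]; then ovpn_audit "$1"; fi
```

On the files exactly as shown in this How-To it reports two findings for the server (comp-lzo and dh1024.pem) and one for the client (comp-lzo); a server file with compression removed and dh2048.pem reports none.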
Run OpenVPN GUI (right-click and choose "Run as administrator"; adding the routes the server pushes needs administrator rights, and otherwise the client will not connect properly).
Double click the OpenVPN GUI icon in the notification area of the taskbar to connect.

Hope you can start and connect to the VPN. Thanks
 