OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username and password. In a multi-client server configuration, the server can issue a signed certificate to every client from its own certificate authority (CA). It makes extensive use of the OpenSSL library and the SSLv3/TLSv1 protocol, and contains many security and control features.
Install OpenVPN on CentOS 5.x/6.0/6.1/6.2/6.3/6.4/6.5
Before we begin, you’ll need to have the Extra Packages for Enterprise Linux (EPEL) Repository enabled on your server.
Enable the EPEL repository on CentOS 5.x/6.x, then bring the system up to date:
# yum update
Verify that the TUN/TAP device is available:
# cat /dev/net/tun
It should print the following line. The error is the expected result: the device exists but cannot be read like a regular file. If you instead get "No such file or directory", the tun module is not available on this kernel (common on container-based VPS plans) and OpenVPN cannot run until it is.
cat: /dev/net/tun: File descriptor in bad state
Install the OpenVPN package from EPEL:
# yum install openvpn -y
Configure OpenVPN on CentOS 5.x/6.0/6.1/6.2/6.3/6.4/6.5
Copy the sample OpenVPN server configuration file to /etc/openvpn. The version in the path must match the package yum installed; if /usr/share/doc/openvpn-2.3.2 does not exist, look for the openvpn-* directory under /usr/share/doc.
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
Edit the /etc/openvpn/server.conf file:
# nano /etc/openvpn/server.conf
Uncomment the "push" line that routes all traffic from the client systems through the VPN:
push "redirect-gateway def1 bypass-dhcp"
Also uncomment the following lines. The user/group lines drop the daemon's privileges to nobody after start-up; substitute the DNS servers you want clients to use for the two addresses shown.
user nobody
group nobody
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
Generating Keys and Certificates Using easy-rsa
Now that we've finished modifying the configuration file, we'll generate the required keys and certificates. Create the required folder, then download the easy-rsa scripts and copy them over.
# mkdir -p /etc/openvpn/easy-rsa/keys
Download the required scripts:
# cd /tmp
# wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
# tar -xvf easy-rsa-2.2.0_master.tar.gz
# cp /tmp/easy-rsa-2.2.0_master/easy-rsa/2.0/* /etc/openvpn/easy-rsa
With the files in the desired location, we’ll edit the “vars” file which provides the easy-rsa scripts with required information.
# nano /etc/openvpn/easy-rsa/vars
We're looking to modify the "KEY_" variables, located at the bottom of the file. The variable names are fairly descriptive and should be filled out with the applicable information. While you are in the file, also check KEY_SIZE: it sets the RSA key length for every certificate and the size of the Diffie-Hellman parameters (build-dh names its output file after it, e.g. dh1024.pem or dh2048.pem). 1024 bits is too weak for a new deployment; use 2048 and make sure the "dh" directive in server.conf names the matching file.
Once completed, the bottom of your "vars" file should appear similar to the following:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Lin tut"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected]
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
We'll now change into our working directory and build our Certificate Authority, or CA, based on the information provided above. Note that clean-all wipes the keys directory, so run it only once, before the first build.
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
Now that we have our CA, we'll create the certificate for the OpenVPN server. The argument is the file name used for the resulting server.crt and server.key; when asked by build-key-server, answer yes to sign and commit.
./build-key-server server
We're also going to need to generate our Diffie-Hellman parameters using the build-dh script and copy all of our files into /etc/openvpn as follows (the file is named dh<KEY_SIZE>.pem, so use dh2048.pem here if you set KEY_SIZE=2048 in vars, and make the "dh" line in server.conf match):
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn
Finally, generate a certificate for a client. Use a distinct name for each client so that individual certificates can later be revoked without affecting the others. The client will need ca.crt, client.crt and client.key; the .key file is a secret and must be transferred over a secure channel (for example scp).
cd /etc/openvpn/easy-rsa
./build-key client
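Before copying the easy-rsa output into /etc/openvpn, it is worth confirming that the pieces actually fit together: that server.crt is signed by ca.crt, that server.key is the private half of server.crt, that the key is not world-readable, and that the Diffie-Hellman parameters are not the weak 1024-bit default. The following script is an added example, not code from the page or from easy-rsa; the function name check_openvpn_pki and its default minimum of 2048 DH bits are this example's own choices, and it relies only on the openssl command already installed with OpenVPN.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of the page or of easy-rsa):
# sanity-check the files easy-rsa produced before copying them to /etc/openvpn.
# Usage: check_openvpn_pki /etc/openvpn/easy-rsa/keys [MIN_DH_BITS]
# Returns 0 only if every check passes.
check_openvpn_pki() {
    dir=$1
    min_dh=${2:-2048}
    ca=$dir/ca.crt
    crt=$dir/server.crt
    key=$dir/server.key
    rc=0

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: missing $f"; return 1; }
    done

    # 1. server.crt must chain to ca.crt, otherwise clients that trust ca.crt
    #    will reject the server's certificate during the TLS handshake.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok:   server.crt is signed by ca.crt"
    else
        echo "FAIL: server.crt does not verify against ca.crt"; rc=1
    fi

    # 2. server.key must be the private half of server.crt. Compare the
    #    public key derived from each file rather than the files themselves.
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$pub_from_crt" ] && [ "$pub_from_crt" = "$pub_from_key" ]; then
        echo "ok:   server.key matches server.crt"
    else
        echo "FAIL: server.key does not match server.crt"; rc=1
    fi

    # 3. The private key must not be readable by group or others
    #    (columns 5-10 of ls -l are the group and other permission bits).
    if [ "$(ls -ld "$key" | cut -c5-10)" = "------" ]; then
        echo "ok:   server.key is readable by its owner only"
    else
        echo "FAIL: server.key is readable by group/others (chmod 600 $key)"; rc=1
    fi

    # 4. build-dh names its output after KEY_SIZE (dh1024.pem, dh2048.pem).
    #    Anything below min_dh bits is treated as too weak.
    dh=$(ls "$dir"/dh*.pem 2>/dev/null | head -n 1)
    if [ -z "$dh" ]; then
        echo "WARN: no dh*.pem found; the dh directive in server.conf needs one"
    else
        bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null |
               sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p')
        if [ -n "$bits" ] && [ "$bits" -ge "$min_dh" ]; then
            echo "ok:   $(basename "$dh") has $bits-bit parameters"
        else
            echo "FAIL: $(basename "$dh") has ${bits:-unknown} bits, want >= $min_dh"; rc=1
        fi
    fi
    return $rc
}
```

Run it as `check_openvpn_pki /etc/openvpn/easy-rsa/keys` before the cp step above. With the page's dh1024.pem it reports a failure on the DH check by design; pass 1024 as the second argument only if you have consciously decided to keep the weaker parameters.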
Routing Configuration and Starting OpenVPN Server
Enable IP forwarding in sysctl so the server can pass client traffic on to other networks:
# nano -w /etc/sysctl.conf
Find the line under the comment "Controls IP packet forwarding" and set it to:
net.ipv4.ip_forward = 1
Apply the new sysctl settings, then start OpenVPN and enable it at boot:
# sysctl -p
# service openvpn start
# chkconfig openvpn on
Create an iptables NAT rule so that traffic from the VPN subnet (10.8.0.0/24 in the sample server.conf) leaves through eth0 with the server's address, and save the rule set. Replace eth0 with your public interface if it differs.
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# service iptables save
Note that this rule alone is not enough on a stock CentOS 6 firewall: the default /etc/sysconfig/iptables ends both the INPUT and FORWARD chains with a REJECT rule, so incoming UDP 1194 and forwarded traffic to and from tun0 must also be accepted, and those rules must be placed ahead of the REJECT.
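The complete rule set the server needs, as an added example that is not part of the page: the function below inserts the filter rules at the top of INPUT and FORWARD (with -I, so they land ahead of the stock REJECT rules) and appends the NAT rule from above. The function name openvpn_firewall_rules and the IPTABLES override variable are this example's own conventions; set IPTABLES=echo to review the exact commands before they touch a live firewall.

```shell
#!/bin/sh
# Hypothetical helper (added example): apply the iptables rules an OpenVPN
# server on a stock CentOS 6 firewall needs. The stock /etc/sysconfig/iptables
# ends both INPUT and FORWARD with "-j REJECT", so filter rules are inserted
# at the top (-I) rather than appended (-A); the NAT rule can be appended
# because the nat table has no REJECT rule.
# Usage: openvpn_firewall_rules [wan_if] [vpn_subnet] [udp_port]
# Set IPTABLES=echo to dry-run and review the rules before applying them.
openvpn_firewall_rules() {
    wan_if=${1:-eth0}
    vpn_net=${2:-10.8.0.0/24}
    port=${3:-1194}
    ipt=${IPTABLES:-iptables}

    # Let clients reach the OpenVPN daemon itself.
    "$ipt" -I INPUT -p udp --dport "$port" -j ACCEPT
    # Let connected clients talk to the server over the tunnel (e.g. DNS it pushes).
    "$ipt" -I INPUT -i tun0 -s "$vpn_net" -j ACCEPT
    # Forward client traffic out of the public interface and allow replies back in.
    "$ipt" -I FORWARD -i tun0 -o "$wan_if" -s "$vpn_net" -j ACCEPT
    "$ipt" -I FORWARD -i "$wan_if" -o tun0 -d "$vpn_net" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Hide client addresses behind the server's public address (the page's rule).
    "$ipt" -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
}
```

After running `openvpn_firewall_rules eth0 10.8.0.0/24 1194` on the server, persist the result with `service iptables save` as above; the return-traffic rule is restricted to RELATED,ESTABLISHED so that nothing on the Internet can open connections into the VPN subnet.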
Configuring OpenVPN Client
Finally, let's create a server.ovpn client configuration file. To make it easy, you can simply create it on your local computer using Notepad (or any other plain text editor). Enter the following in that file:
client
dev tun
proto udp
# your server's public IP address and OpenVPN port
remote ip.add.re.ss 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
The server.conf we copied authenticates clients by certificate, so the client must present the client.crt and client.key generated earlier; an auth-user-pass directive only makes sense once the server is configured with a username/password plugin, which this setup does not do. Do not add reneg-sec 0: it disables the periodic renegotiation of the data-channel keys (every 3600 seconds by default).
Save the file with the .ovpn extension in the config directory of your OpenVPN client installation, alongside ca.crt, client.crt and client.key copied from the server's /etc/openvpn/easy-rsa/keys directory over a secure channel.
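Shipping four separate files to every client is error-prone, and OpenVPN lets the certificates and key be embedded in the profile itself inside <ca>, <cert> and <key> blocks. The script below is an added example, not part of the page or of OpenVPN; it assumes the easy-rsa keys directory layout used above (ca.crt, <name>.crt, <name>.key) and the function name make_client_ovpn is its own. It also adds remote-cert-tls server, which makes the client accept only a certificate issued with the server profile that build-key-server uses, so that a stolen client certificate cannot be used to impersonate the server.

```shell
#!/bin/sh
# Hypothetical helper (added example): build a single-file client profile
# with the CA certificate, the client certificate and the client key inlined.
# Assumes the easy-rsa layout from this page: KEYS_DIR/ca.crt, NAME.crt, NAME.key.
# Usage: make_client_ovpn KEYS_DIR NAME SERVER_HOST [PORT] > NAME.ovpn
make_client_ovpn() {
    keys=$1
    name=$2
    host=$3
    port=${4:-1194}

    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done

    # easy-rsa 2.x prepends a human-readable dump to each .crt; keep only the PEM block.
    pem_only() {
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
    }

    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
# Only accept a server certificate issued for server use (build-key-server sets this).
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$name.crt")
</cert>
<key>
$(cat "$keys/$name.key")
</key>
EOF
}
```

On the server, `make_client_ovpn /etc/openvpn/easy-rsa/keys client vpn.example.com > client.ovpn` produces one file to hand to the client; it still contains the private key, so transfer it over a secure channel and delete the server-side copy afterwards.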