OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. More info about OpenVPN
Install OpenVPN on CentOS 5.x/6.0/6.1/6.2/6.3/6.4/6.5
Before we begin, you’ll need to have the Extra Packages for Enterprise Linux (EPEL) Repository enabled on your server.
Enable Epel repository on CentOS 5.x/6.x
# yum update
Verify Tun/Tap Is Installed:
# cat /dev/net/tun
Should return a similar line:
cat: /dev/net/tun: File descriptor in bad state
Install the OpenVPN package from EPEL:
# yum install openvpn -y
Configure OpenVPN on CentOS 5.x/6.0/6.1/6.2/6.3/6.4/6.5
Copy sample openVPN configuration file to /etc/opnvpn
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
Edit /etc/openvpn/server.conf file
# nano /etc/openvpn/server.conf
Uncomment the “push” parameter which causes traffic on our client systems to be routed through OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
Also uncoment following line:
user nobody group nobody push "dhcp-option DNS 184.108.40.206" push "dhcp-option DNS 220.127.116.11"
Generating Keys and Certificates Using easy-rsa
Now that we’ve finished modifying the configuration file, we’ll generate the required keys and certificates. Create the required folder and copy the files over.
# mkdir -p /etc/openvpn/easy-rsa/keys
Download required scripts and certificates:
# cd /tmp # wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz # tar -xvf easy-rsa-2.2.0_master.tar.gz # cp /tmp/easy-rsa-2.2.0_master/easy-rsa/2.0/* /etc/openvpn/easy-rsa
With the files in the desired location, we’ll edit the “vars” file which provides the easy-rsa scripts with required information.
# nano /etc/openvpn/easy-rsa/vars
We’re looking to modify the “KEY_” variables, located at the bottom of the file. The variable names are fairly descriptive and should be filled out with the applicable information.
Once completed, the bottom of your “vars” file should appear similar to the following:
export KEY_ORG="Lin tut"
export KEY_EMAIL="[email protected]"
export [email protected]
We’ll now change into our working directory and build our Certificate Authority, or CA, based on the information provided above.
cd /etc/openvpn/easy-rsa source ./vars ./clean-all ./build-ca
Now that we have our CA, we’ll create our certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.
We’re also going to need to generate our Diffie Hellman key exchange files using the build-dh script and copy all of our files into /etc/openvpn as follows:
./build-dh cd /etc/openvpn/easy-rsa/keys cp dh1024.pem ca.crt server.crt server.key /etc/openvpn
In order to allow clients to authenticate, we’ll need to create client certificates. You can repeat this as necessary to generate a unique certificate and key for each client or device. If you plan to have more than a couple certificate pairs be sure to use descriptive filenames.
cd /etc/openvpn/easy-rsa ./build-key client
Routing Configuration and Starting OpenVPN Server
Enable IP Forwarding in sysctl:
nano -w /etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 1
Apply our new sysctl settings.
# sysctl -p # service openvpn start # chkconfig openvpn on
Create an iptables rule to allow proper routing of our VPN subnet.
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE # service iptables save
Configuring OpenVPN Client
Finally lets create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other simple text editor tool). Enter following in that file:
remote ip.add.re.ss 1194 # - Your server IP and OpenVPN Port
Then save it with .ovpn extension. Save that file in the config directory of where you installed OpenVPN client in your computer.
Also check out How to install PPTP VPN server in RHEL/Centos 6.4 Linux