Difference between revisions of "Install OpenVPN on CentOS 5"

From CSLabsWiki
m (Created page with "This page summarizes how to perform a basic installation of OpenVPN on CentOS 5. This tutorial assumes you have root/sudo access and have SELinux set to permissive or disabled. ...")
 

Revision as of 13:12, 28 April 2011

This page summarizes how to perform a basic installation of OpenVPN on CentOS 5. This tutorial assumes you have root/sudo access and have SELinux set to permissive or disabled.

This tutorial is geared more towards home users who have a spare system to run OpenVPN on. In this tutorial, Windows 7 is used for the client connecting to the VPN but minor adjustments would allow for a Linux or Mac client.

If you notice a problem with this How-To or would like to provide feedback, please email Matt.

Prerequisites

  • Install CentOS 5
  • Forward UDP port 1194 from your router or perimeter firewall to the VPN server. This is only necessary if the server sits behind NAT or a firewall that blocks inbound traffic.

Install

Add RPMForge Yum Repository

For x86 (32-bit) systems

For x64 (64-bit) systems

Configure iptables

Create iptables_set.sh with the contents below, chmod +x iptables_set.sh, and run it as root.

  • Note: The following will work, but you may wish to change the source address 10.10.9.0/24 to a network range of your choosing. Whatever you pick must match the server directive in server.conf further down, and eth0 must be the interface that faces the Internet (check with ifconfig).
#!/bin/bash
# Flush the filter table and the nat table. A bare -F only flushes the
# filter table, so rerunning the script would otherwise stack duplicate
# MASQUERADE rules in nat POSTROUTING.
/sbin/iptables -F
/sbin/iptables -t nat -F
# Default policy: drop unsolicited inbound traffic, allow everything outbound.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Forwarding: allow replies to existing flows and anything that originates
# from the VPN subnet; reject every other forwarded packet.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.10.9.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
# NAT the VPN clients behind the server's own address on the Internet-facing interface.
/sbin/iptables -t nat -A POSTROUTING -s 10.10.9.0/24 -o eth0 -j MASQUERADE
# Inbound: SSH, OpenVPN, ICMP, loopback, anything arriving over the tunnel
# (so VPN clients can reach every service on this host; tighten if unwanted),
# and replies to connections the server itself initiated.
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Persist to /etc/sysconfig/iptables so the rules survive a reboot, then list them.
/sbin/service iptables save
/sbin/iptables -L -v

Configure Kernel

Edit /etc/sysctl.conf and set the following. Without it the kernel will not route the clients' traffic out to the Internet even though the FORWARD and MASQUERADE rules above permit it; the setting in this file is applied at every boot.

net.ipv4.ip_forward = 1

Make the changes active

  • sysctl -p

Install OpenVPN Server

Install openvpn

  • yum install openvpn

Configure openvpn to start on boot

  • chkconfig --levels 345 openvpn on

Generate RSA Keys

Copy the easy-rsa directory (adjust 2.1.4 to match the package version yum actually installed)

  • cp -r /usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/

Modify the easy-rsa parameter settings

  • cd /etc/openvpn/easy-rsa/2.0/
  • Edit the bottom fields in vars with your information. The file as shipped is shown below. The settings that matter for security are KEY_SIZE (1024-bit RSA is below current recommendations, so consider 2048; if you raise it, build-dh will produce dh2048.pem and the dh line in server.conf must name that file instead of dh1024.pem) and the two expiry values (ten years here; a shorter KEY_EXPIRE for client certificates limits how long the key on a lost laptop stays usable). The KEY_COUNTRY through KEY_EMAIL fields are only the defaults offered at the certificate prompts.
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="Potsdam"
export KEY_ORG="Home"
export KEY_EMAIL="mccarrms@clarkson.edu"

Make all files in the directory executable

  • chmod +x ./*

Build the Certificate Authority key and certificate. Source vars first so the KEY_* values above are picked up, then accept the default for every prompt except the Common Name, which names the CA (openvpn in the transcript). The resulting ca.key signs every server and client certificate, so it is the most sensitive file this tutorial creates: anyone holding it can issue certificates your server will trust.

  • . ./vars
  • ./build-ca
Generating a 1024 bit RSA private key
..................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Home CA]:openvpn
Name []:
Email Address [mccarrms@clarkson.edu]:

Generate the VPN server key and certificate. build-key-server signs the request with the CA and marks the certificate as a server certificate (nsCertType=server), which is what allows clients to refuse a rogue peer that presents an ordinary client certificate. Accept the defaults (Common Name server) and answer y to both signing prompts.

  • ./build-key-server server
Generating a 1024 bit RSA private key
.................++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [mccarrms@clarkson.edu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'mccarrms@clarkson.edu'
Certificate is to be certified until Apr 14 00:07:10 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the first client key and certificate. Repeat this step with a different name for every additional client: each device gets its own certificate and key, which is what makes it possible to revoke one device later (easy-rsa's revoke-full script) without reissuing the others. Do not copy client1.key to a second device.

  • ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [mccarrms@clarkson.edu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'mccarrms@clarkson.edu'
Certificate is to be certified until Apr 14 00:07:42 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the remaining keys. build-dh generates the Diffie-Hellman parameters (dh1024.pem in keys/ for KEY_SIZE=1024; this takes a while), and openvpn --genkey creates the shared tls-auth key, which lets the server drop packets from anyone who does not hold it before they reach the TLS handshake. Write ta.key into keys/ so that all of the material ends up in one place.

  • ./build-dh
  • openvpn --genkey --secret keys/ta.key

Copy the files the server needs into the OpenVPN directory. Everything the build-* scripts created is in keys/ (the KEY_DIR from vars), so change into it first. The daemon needs only its own certificate and key, the CA certificate, the DH parameters and ta.key; ca.key (which can sign new certificates) and server.csr are not needed on the running server and should stay out of /etc/openvpn. Make sure server.key and ta.key are readable by root only.

  • cd keys
  • cp ca.crt dh1024.pem server.crt server.key ta.key /etc/openvpn/
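The following shell script is an added example and not part of the original page or of easy-rsa. It reproduces with plain openssl commands what build-ca, build-key-server and build-key do (a CA, a certificate marked as a server certificate, and a client certificate, here with the 2048-bit keys the vars file suggests) and then runs the checks worth making on a real keys/ directory before anything is copied to the server: each certificate chains to ca.crt, each private key matches the certificate next to it, only server.crt carries the server marker, and the private keys are not readable by other users. Only the openssl command-line tool is assumed; the subject values mirror the vars file above.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway PKI the way
# easy-rsa 2.0 does, then sanity-check a keys/ directory. Needs only openssl.

# Minimal openssl config carrying the three extension sets easy-rsa uses:
# a CA, a server certificate marked nsCertType=server, and a client.
write_openssl_cnf() {  # $1 = path to write
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
[ client_ext ]
basicConstraints = CA:FALSE
nsCertType = client
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
}

# Non-interactive equivalent of build-ca, build-key-server server and
# build-key client1, written into $1 with 2048-bit keys.
make_test_pki() {  # $1 = output directory
    d=$1; mkdir -p "$d"; cnf="$d/openssl.cnf"; write_openssl_cnf "$cnf"
    subj="/C=US/ST=NY/L=Potsdam/O=Home"   # mirrors the KEY_* defaults in vars
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$cnf" \
        -subj "$subj/CN=openvpn" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for name in server client1; do
        openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
            -subj "$subj/CN=$name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        case $name in server) ext=server_ext ;; *) ext=client_ext ;; esac
        openssl x509 -req -days 3650 -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -extfile "$cnf" -extensions "$ext" -out "$d/$name.crt" 2>/dev/null
    done
    chmod 600 "$d"/*.key   # private keys: owner only
}

# Checks for a keys/ directory. Prints the first problem found and returns 1;
# returns 0 when everything is consistent.
verify_pki() {  # $1 = keys directory
    d=$1
    for name in server client1; do
        openssl verify -CAfile "$d/ca.crt" "$d/$name.crt" >/dev/null 2>&1 \
            || { echo "$name.crt does not chain to ca.crt"; return 1; }
        # the private key must belong to the certificate next to it
        cm=$(openssl x509 -in "$d/$name.crt" -noout -modulus)
        km=$(openssl rsa -in "$d/$name.key" -noout -modulus 2>/dev/null)
        [ "$cm" = "$km" ] || { echo "$name.key does not match $name.crt"; return 1; }
    done
    # build-key-server's marker: the server cert, and only it, is an "SSL Server"
    openssl x509 -in "$d/server.crt" -noout -text | grep -q 'SSL Server' \
        || { echo "server.crt is not marked nsCertType=server"; return 1; }
    if openssl x509 -in "$d/client1.crt" -noout -text | grep -q 'SSL Server'; then
        echo "client1.crt is marked as a server certificate"; return 1
    fi
    # private keys must not be group- or world-readable
    for f in ca.key server.key client1.key; do
        mode=$(stat -c %a "$d/$f" 2>/dev/null || stat -f %Lp "$d/$f")
        case $mode in 600|400) ;; *) echo "$f is mode $mode, expected 600"; return 1 ;; esac
    done
    return 0
}

# Stand-alone demo: build a throwaway PKI in a temporary directory and check it.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
verify_pki "$demo_dir" && echo "PKI in $demo_dir is consistent"
```

To check the directory this tutorial produced, run verify_pki against /etc/openvpn/easy-rsa/2.0/keys. A failure of the "SSL Server" check usually means the server certificate was built with build-key instead of build-key-server; a client configured with remote-cert-tls server will refuse such a server.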

Copy the sample server configuration file into /etc/openvpn and edit it. With the sample's own comments stripped, the file this tutorial ends up with is shown below; file names are relative to /etc/openvpn.

  • cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
# Server side uses key direction 0; every client must use "tls-auth ta.key 1".
tls-auth ta.key 0
# Must name the file build-dh produced (dh2048.pem if KEY_SIZE was raised).
dh dh1024.pem
# VPN subnet; the server takes 10.10.9.1. Must match the 10.10.9.0/24 in iptables_set.sh.
server 10.10.9.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Send all client traffic through the tunnel and hand clients public resolvers.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
# Drop root once the tunnel and keys are set up; persist-* let the daemon
# restart the tunnel later without needing the privileges it gave away.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Three things are worth changing before this goes into service. The sample sets no cipher, so OpenVPN 2.1 uses its default of BF-CBC; Blowfish's 64-bit block is no longer adequate, so add a line reading cipher AES-256-CBC here and the identical line on every client (2.1 does not negotiate the cipher). comp-lzo compresses traffic before it is encrypted, which can leak information about the plaintext to an attacker who can get chosen data sent through the tunnel and observe packet sizes; leave it out unless you need it, and then the clients must omit it too. Finally, nothing here checks revocation: if a client key is lost, generate a CRL with easy-rsa's revoke-full script and point the server at it with crl-verify crl.pem, otherwise the lost key stays valid until KEY_EXPIRE runs out.
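What the client end needs, as an added example that is not part of the original page: a client configuration that mirrors the server.conf above, and a bundling function that hands a client exactly the four files it needs and refuses to include anything else. It assumes the keys/ layout of this tutorial; vpn.example.com is a placeholder for the server's public name or address, and the demo at the bottom uses constructed placeholder files in place of real keys.

```shell
#!/bin/sh
# Added example (not from the original page): client configuration and a
# least-privilege client bundle for the server.conf in this tutorial.

# Client-side configuration matching the server.conf above. The two places
# where the client differs from the server are key direction 1 for tls-auth
# and remote-cert-tls server, which makes the client refuse any peer whose
# certificate was not issued with build-key-server.
write_client_config() {  # $1 = client name, $2 = server host, $3 = output file
    cat > "$3" <<EOF
client
dev tun
proto udp
remote $2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $1.crt
key $1.key
# direction 1 on the client (the server uses 0)
tls-auth ta.key 1
# reject a peer whose certificate lacks the server marker build-key-server sets
remote-cert-tls server
comp-lzo
verb 3
EOF
}

# Copy exactly the client's own cert and key, the CA certificate and ta.key
# into a bundle directory and tar it. ca.key is never included: a client
# must not receive the key that can mint new certificates.
make_client_bundle() {  # $1 = keys dir, $2 = client name, $3 = server host, $4 = out dir
    keys=$1; name=$2; out=$4/$name
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f"; return 1; }
    done
    mkdir -p "$out"
    cp "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$keys/ta.key" "$out/"
    chmod 600 "$out/$name.key" "$out/ta.key"
    write_client_config "$name" "$3" "$out/$name.ovpn"
    ( cd "$4" && tar cf "$name.tar" "$name" )
    echo "$4/$name.tar"
}

# File names inside a bundle, one per line, sorted (for checking what went out).
bundle_contents() {  # $1 = tar file
    tar tf "$1" | sed 's#.*/##' | grep -v '^$' | sort
}

# Stand-alone demo with placeholder files standing in for real keys
# (constructed here; in practice point it at /etc/openvpn/easy-rsa/2.0/keys).
demo=$(mktemp -d)
mkdir -p "$demo/keys"
for f in ca.crt ca.key client1.crt client1.key ta.key; do
    echo "placeholder $f" > "$demo/keys/$f"
done
make_client_bundle "$demo/keys" client1 vpn.example.com "$demo/out"
bundle_contents "$demo/out/client1.tar"
```

On the Windows 7 client, unpack the tar and put the four files together with client1.ovpn into the OpenVPN GUI's config folder; on Linux or Mac, run openvpn --config client1.ovpn from that directory. If you add a cipher line to server.conf, add the same line to this client configuration, since OpenVPN 2.1 does not negotiate it.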

Start OpenVPN

Start the OpenVPN service

  • service openvpn start

The init script starts one daemon for every .conf file in /etc/openvpn. If it fails, the reason is in /var/log/messages (verb 3 is enough detail); the usual causes are a file named in server.conf that was never copied into /etc/openvpn, or ta.key and dh1024.pem left behind in the easy-rsa directory. When it is running, a tun0 interface with address 10.10.9.1 appears and openvpn-status.log lists the connected clients.