Install OpenVPN on CentOS 5

From CSLabsWiki
Revision as of 12:12, 28 April 2011 by Mccarrms (talk | contribs)


This page summarizes how to perform a basic installation of OpenVPN on CentOS 5. It assumes you have root (or sudo) access and that SELinux is set to permissive or disabled.

This tutorial is aimed at home users who have a spare system to run OpenVPN on. Windows 7 is used for the client connecting to the VPN, but minor adjustments would allow for a Linux or Mac client.

If you notice a problem with this How-To or would like to provide feedback, please email Matt.

Prerequisites

  • Install CentOS 5
  • Forward UDP port 1194 from your router or firewall to the VPN server. This is only necessary if the server sits behind a NAT router or a firewall; the iptables rules below open the port on the server itself.

Install

Add RPMForge Yum Repository

For x86 (32-bit) systems

For x64 (64-bit) systems

Configure iptables

Create iptables_set.sh, make it executable (chmod +x iptables_set.sh), and run it as root.

  • Note: The following will work as is, but you may wish to change the VPN client network from 10.10.9.0/24 to a range of your choosing (it must match the server line in server.conf) and eth0 to whichever interface faces the Internet. The rules use the interface name tun0 so that only traffic that really arrived over the tunnel is forwarded and NATed; a host on the LAN cannot get through by spoofing a 10.10.9.0/24 source address.
#!/bin/bash
# Reset the filter and nat tables before loading the new rule set
/sbin/iptables -F
/sbin/iptables -t nat -F
# Accept replies to existing connections before the DROP policy takes effect,
# so an SSH session used to run this script is not cut off
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Forward VPN client traffic only when it arrives on the tunnel interface
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -s 10.10.9.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
# NAT VPN client traffic out of the Internet-facing interface (eth0 here)
/sbin/iptables -t nat -A POSTROUTING -s 10.10.9.0/24 -o eth0 -j MASQUERADE
# Services reachable from outside: SSH and OpenVPN, plus ping
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Connected VPN clients may talk to the server itself
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
# Persist the rules to /etc/sysconfig/iptables and show the result
/sbin/service iptables save
/sbin/iptables -L -v

Configure Kernel

Edit /etc/sysctl.conf

net.ipv4.ip_forward = 1

Make the changes active

  • sysctl -p

Install OpenVPN Server

Install openvpn

  • yum install openvpn

Configure openvpn to start on boot

  • chkconfig --levels 345 openvpn on

Generate RSA Keys

Copy the easy-rsa directory out of the package documentation so that your edits survive package upgrades. The directory name carries the installed package version; if the path does not exist, check the version with rpm -q openvpn.

  • cp -r /usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/

Modify the easy-rsa parameter settings

  • cd /etc/openvpn/easy-rsa/2.0/
  • Edit the bottom fields in vars with your information. KEY_SIZE=1024 is the easy-rsa default and is what the transcripts below show, but 1024-bit RSA is no longer considered adequate; for a new installation set KEY_SIZE=2048 (the DH file is then written as dh2048.pem, and the dh line in server.conf must match). CA_EXPIRE and KEY_EXPIRE are in days.
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="Potsdam"
export KEY_ORG="Home"
export KEY_EMAIL="mccarrms@clarkson.edu"

Make all files in the directory executable

  • chmod +x ./*

Build the Certificate Authority key and certificate. Accept the defaults except the Common Name, which names the CA (openvpn in the transcript below). If this is a fresh easy-rsa copy, run ./clean-all once after sourcing vars to create the empty keys/ directory with its index and serial files; it deletes any existing keys, so do not run it again later. The CA key (ca.key) signs every server and client certificate, so protect it: anyone holding it can issue certificates that your server will accept.

  • . ./vars
  • ./build-ca
Generating a 1024 bit RSA private key
..................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Home CA]:openvpn
Name []:
Email Address [mccarrms@clarkson.edu]:

Generate the VPN server key and certificate, accepting the defaults (the Common Name defaults to the name given on the command line) and leaving the challenge password empty

  • ./build-key-server server
Generating a 1024 bit RSA private key
.................++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [mccarrms@clarkson.edu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'mccarrms@clarkson.edu'
Certificate is to be certified until Apr 14 00:07:10 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the first client key and certificate. Repeat this step with a different name (client2, and so on) for each additional client. Do not share one certificate between clients: by default the server allows only one active session per Common Name, and a shared certificate cannot be revoked for one client without cutting off the rest.

  • ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [mccarrms@clarkson.edu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'mccarrms@clarkson.edu'
Certificate is to be certified until Apr 14 00:07:42 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the remaining keys: the Diffie-Hellman parameters (written as dh1024.pem for KEY_SIZE=1024; this step takes a while) and ta.key, the shared secret that tls-auth uses to authenticate every control packet before it reaches the TLS code

  • ./build-dh
  • openvpn --genkey --secret ta.key

Copy the files the server needs into the OpenVPN directory. Leave ca.key where it is (better, move it off this machine): the server never reads it, and anyone who obtains it can issue client certificates your server will trust. server.csr is not needed either. Make server.key and ta.key readable by root only (mode 0600). Each client later needs its own ca.crt, clientN.crt, clientN.key and a copy of ta.key, delivered over a secure channel rather than plain email.

  • cp ca.crt dh1024.pem server.crt server.key ta.key /etc/openvpn/
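The checks a practitioner would want to run on the easy-rsa output before installing it, written as an added example that is not part of the original wiki page: it verifies that a certificate chains to ca.crt, that the .key file belongs to the .crt (same RSA modulus), and that the key is at least 2048 bits, then installs only the files the server needs with tight permissions. The keys directory is assumed to be easy-rsa's $KEY_DIR from the vars file above and the destination /etc/openvpn; the DH file name follows easy-rsa's dh<KEY_SIZE>.pem convention.

```shell
#!/bin/bash
# Added example (not part of the original wiki page): sanity-check the easy-rsa
# output before it is used, and install only the files the VPN server needs.
# Assumptions: $1 is easy-rsa's keys/ directory ($KEY_DIR in vars), the
# destination is /etc/openvpn, and the DH file is named dh<KEY_SIZE>.pem
# (dh1024.pem in this tutorial).

# Succeed (exit 0) if certificate $2 chains to the CA certificate $1.
pki_cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed if private key $2 belongs to certificate $1 (identical RSA modulus);
# catches a client bundle assembled from the wrong .key file.
pki_key_matches_cert() {
    local cmod kmod
    cmod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    kmod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$cmod" = "$kmod" ]
}

# Print the RSA key length in bits of certificate $1. Handles both the
# "RSA Public Key: (1024 bit)" text of OpenSSL 0.9.8 (CentOS 5) and the
# "Public-Key: (2048 bit)" text of later releases.
pki_cert_bits() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Run all checks for one certificate name ($2: "server", "client1", ...) in
# keys directory $1. Prints one line per problem and returns the problem count.
pki_check() {
    local dir=$1 name=$2 n=0 bits
    pki_cert_signed_by_ca "$dir/ca.crt" "$dir/$name.crt" ||
        { echo "$name.crt was not issued by $dir/ca.crt"; n=$((n + 1)); }
    pki_key_matches_cert "$dir/$name.crt" "$dir/$name.key" ||
        { echo "$name.key does not belong to $name.crt"; n=$((n + 1)); }
    bits=$(pki_cert_bits "$dir/$name.crt")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "$name.crt has a ${bits:-unknown}-bit key; set KEY_SIZE=2048 in vars and rebuild"; n=$((n + 1)); }
    return "$n"
}

# Copy only what the running server needs from keys directory $1 into $2.
# ca.key is deliberately left out: the server never reads it, and anyone who
# obtains it can issue certificates your server will trust. server.csr is not
# needed either. Private material is installed mode 0600.
pki_install_server() {
    local src=$1 dst=$2 dh=${3:-dh1024.pem} f
    for f in ca.crt server.crt "$dh"; do
        install -m 0644 "$src/$f" "$dst/$f" || return 1
    done
    for f in server.key ta.key; do
        install -m 0600 "$src/$f" "$dst/$f" || return 1
    done
    if [ -e "$dst/ca.key" ]; then
        echo "warning: $dst/ca.key exists; move the CA key off this host" >&2
        return 1
    fi
}

# Usage: ./check_pki.sh /etc/openvpn/easy-rsa/2.0/keys server
if [ $# -ge 2 ]; then
    pki_check "$1" "$2"
fi
```

Run pki_check once per certificate name (server, client1, ...) from the keys directory, then pki_install_server keys/ /etc/openvpn; a non-zero exit from either is a reason not to start the service yet. On this page's KEY_SIZE=1024 build the size check will complain, which is the point of the earlier note about raising KEY_SIZE.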

Copy the sample server configuration file into /etc/openvpn and edit it. The init script starts every *.conf it finds there and resolves relative file names against /etc/openvpn, so the certificate and key lines need no directory. The settings used in this tutorial (use dh2048.pem if you built with KEY_SIZE=2048):

  • cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
port 1194                       # UDP port forwarded to this server
proto udp
dev tun                         # routed (layer 3) tunnel
ca ca.crt
cert server.crt
key server.key                  # This file should be kept secret
tls-auth ta.key 0               # HMAC on control packets; server uses direction 0, clients use 1
dh dh1024.pem                   # matches KEY_SIZE used by ./build-dh
server 10.10.9.0 255.255.255.0  # VPN client network; must match the iptables rules
ifconfig-pool-persist ipp.txt   # returning clients get the same address
push "redirect-gateway def1 bypass-dhcp"  # send all client traffic through the tunnel (needs the NAT rule)
push "dhcp-option DNS 208.67.222.222"     # OpenDNS resolvers, so DNS lookups also go through the tunnel
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo                        # compression; compressing before encryption can leak data, so drop this unless you need it
user nobody                     # drop root once the tunnel is up
group nobody
persist-key                     # keep keys in memory; the unprivileged process cannot re-read them on restart
persist-tun
status openvpn-status.log       # list of connected clients, rewritten every minute
verb 3
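A small audit of the server.conf settings described above, as an added example that is not part of the original wiki page: it reads directives from the file with comments stripped and reports the weak or missing ones (tls-auth direction, DH size, privilege drop, cipher, compression). The cipher directive it asks for is not in the tutorial's configuration; the recommended values in the messages are this example's own.

```shell
#!/bin/bash
# Added example (not part of the original wiki page): audit an OpenVPN 2.1
# server.conf before starting the service. Only sed/awk/grep are used, so it
# runs on the CentOS 5 box itself. The hardened values it recommends
# (cipher AES-256-CBC, dh2048.pem) are this example's choices.

# Print the value of directive $2 from config file $1 (first match, with
# trailing "# ..." or "; ..." comments and surrounding whitespace removed).
ovpn_get() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v d="$2" '$1 == d { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# Check config $1. Prints one line per finding and returns the number of
# findings, so "ovpn_audit server.conf && service openvpn start" gates startup.
ovpn_audit() {
    local cfg=$1 n=0 v

    # tls-auth puts an HMAC on every control packet, so unauthenticated senders
    # never reach the TLS code. The server side uses key direction 0.
    v=$(ovpn_get "$cfg" tls-auth)
    case "$v" in
        *" 0") ;;
        "")    echo "MISSING tls-auth: add 'tls-auth ta.key 0'"; n=$((n + 1)) ;;
        *)     echo "WRONG tls-auth direction in '$v': the server side must use 0"; n=$((n + 1)) ;;
    esac

    # easy-rsa names the DH file after KEY_SIZE, so the file name gives the size.
    v=$(ovpn_get "$cfg" dh)
    case "$v" in
        "")             echo "MISSING dh"; n=$((n + 1)) ;;
        dh512*|dh1024*) echo "WEAK dh '$v': set KEY_SIZE=2048 in vars, rerun ./build-dh and use dh2048.pem"; n=$((n + 1)) ;;
    esac

    # Drop root after the tunnel is up (persist-key/persist-tun keep it working).
    [ -n "$(ovpn_get "$cfg" user)" ]  || { echo "MISSING user: add 'user nobody'";   n=$((n + 1)); }
    [ -n "$(ovpn_get "$cfg" group)" ] || { echo "MISSING group: add 'group nobody'"; n=$((n + 1)); }

    # OpenVPN 2.1 defaults to BF-CBC, a 64-bit block cipher. Pin AES on both ends.
    v=$(ovpn_get "$cfg" cipher)
    case "$v" in
        AES-*) ;;
        "")    echo "MISSING cipher: default is BF-CBC; add 'cipher AES-256-CBC' to server and client configs"; n=$((n + 1)) ;;
        *)     echo "WEAK cipher '$v': use an AES cipher"; n=$((n + 1)) ;;
    esac

    # Compressing data before encrypting it lets an attacker who can inject
    # plaintext learn secrets from ciphertext lengths; leave it off.
    if grep -q '^[[:space:]]*comp-lzo' "$cfg"; then
        echo "RISKY comp-lzo: compression before encryption leaks information; remove it"
        n=$((n + 1))
    fi

    return "$n"
}

# Usage: ./ovpn_audit.sh /etc/openvpn/server.conf
if [ $# -ge 1 ]; then
    ovpn_audit "$1"
fi
```

Against the configuration shown above the audit reports three findings (dh1024.pem, no cipher line, comp-lzo); replacing the DH file with dh2048.pem, adding cipher AES-256-CBC to the server and every client, and removing comp-lzo brings it to zero. The cipher must be set identically on both sides or the data channel will not come up.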

Start OpenVPN

Start the OpenVPN service

  • service openvpn start

Check /var/log/messages for the line "Initialization Sequence Completed"; until it appears the server is not accepting clients. Connected clients are listed in /etc/openvpn/openvpn-status.log.