Install OpenVPN on CentOS 5

From CSLabsWiki

This page summarizes how to perform a basic installation of OpenVPN on CentOS 5. This tutorial assumes you have root/sudo access and have SELinux set to permissive or disabled.

This tutorial is geared more towards home users who have a spare system to run OpenVPN on. In this tutorial, Windows 7 is used for the client connecting to the VPN but minor adjustments would allow for a Linux or Mac client.

If you notice a problem with this How-To or would like to provide feedback, please email Matt.

Prerequisites

  • Install CentOS 5
  • Forward UDP port 1194 to the VPN server. This is only necessary if your network has a firewall protecting it.

Install the Server

Add RPMForge Yum Repository

For x86 (32-bit) systems

For x64 (64-bit) systems

Configure iptables

Create iptables_set.sh, chmod +x iptables_set.sh, and run the script.

  • Note: The following will work but you may wish to change the source address from 10.10.9.0/24 to the network range of your choosing based on your network.
#!/bin/bash
# Start from an empty rule set, then set the default policies: drop
# unsolicited inbound traffic, allow anything outbound.
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Forwarding: allow replies to existing flows and anything sourced from the
# VPN subnet; the final REJECT is the catch-all for everything else.
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.10.9.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
# NAT VPN client traffic behind the server's address on eth0
/sbin/iptables -t nat -A POSTROUTING -s 10.10.9.0/24 -o eth0 -j MASQUERADE
# Inbound: OpenVPN (UDP 1194), ping, loopback, the tunnel interface, and
# replies to connections the server itself started.
# Note: no rule here admits new inbound SSH sessions; if you administer the
# host over SSH, add an ACCEPT rule for TCP 22 next to the UDP 1194 rule.
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Persist the rules across reboots and print the result
/sbin/service iptables save
/sbin/iptables -L -v

Configure Kernel

Edit /etc/sysctl.conf

net.ipv4.ip_forward = 1

Make the changes active

  • sysctl -p

Install OpenVPN Server

Install openvpn

  • yum install openvpn

Configure openvpn to start on boot

  • chkconfig --levels 345 openvpn on

Generate RSA Keys

Copy the easy-rsa directory

  • cp -r /usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/

Modify the easy-rsa parameter settings

  • cd /etc/openvpn/easy-rsa/2.0/
  • Edit the bottom fields in vars with your information
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="Potsdam"
export KEY_ORG="Home"
export KEY_EMAIL="mccarrms@clarkson.edu"

Make all files in the directory executable

  • chmod +x ./*

Build the Certificate Authority key and certificate, accepting the defaults for every field except the Common Name (entered as openvpn below)

  • . ./vars
  • ./build-ca
Generating a 1024 bit RSA private key
..................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Home CA]:openvpn
Name []:
Email Address [mccarrms@clarkson.edu]:

Generate the VPN server key

  • ./build-key-server server
Generating a 1024 bit RSA private key
.................++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [mccarrms@clarkson.edu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'mccarrms@clarkson.edu'
Certificate is to be certified until Apr 14 00:07:10 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the first client key (repeat this step for each additional client you want to connect)

  • ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [mccarrms@clarkson.edu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'mccarrms@clarkson.edu'
Certificate is to be certified until Apr 14 00:07:42 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the remaining keys

  • ./build-dh
  • openvpn --genkey --secret keys/ta.key

Copy all keys into the OpenVPN directory

  • cp keys/ca.crt keys/ca.key keys/dh1024.pem keys/server.crt keys/server.csr keys/server.key keys/ta.key /etc/openvpn/
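Before copying the keys, it is worth checking that easy-rsa produced what the client configuration on this page expects: a server certificate that chains to ca.crt, whose private key matches, and that carries the nsCertType=server extension demanded by the client's ns-cert-type server line (a server built with ./build-key instead of ./build-key-server lacks it and clients refuse to connect). The script below is an added example and not part of this page or of easy-rsa; it assumes the file names the page uses (ca.crt, server.crt, server.key) and, for its demo, builds a constructed throw-away CA with openssl so it can be run anywhere without touching the real /etc/openvpn.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of easy-rsa: sanity-check the
# files easy-rsa produced before copying them into /etc/openvpn. The file
# names (ca.crt, server.crt, server.key) are the ones the page generates; the
# checks are this example's own assumptions about what the client config on
# this page needs from the server's certificate.
#
#   1. server.crt chains to ca.crt (what the client verifies via "ca ca.crt")
#   2. server.key is the private key for server.crt
#   3. server.crt carries nsCertType=server, which the client's
#      "ns-cert-type server" line requires; ./build-key (instead of
#      ./build-key-server) leaves it out and the client then rejects the server
#   4. server.key is readable only by its owner

check_openvpn_pki() {
    ca="$1"; cert="$2"; key="$3"; rc=0

    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; rc=1
    fi

    # Compare the SubjectPublicKeyInfo from the cert with the one derived
    # from the private key; any difference means the pair does not belong together.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'; then
        echo "FAIL: $cert lacks nsCertType=server (built with ./build-key?)"; rc=1
    fi

    # Columns 5-10 of ls -l are the group and other permission bits.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group or other"; rc=1
    fi
    return $rc
}

# Constructed throw-away PKI for trying the check without a real server.
# $2 = "server" mimics ./build-key-server (nsCertType=server is added);
# $2 = "plain" mimics ./build-key (no nsCertType extension).
make_test_pki() {
    dir="$1"; kind="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Home CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'nsCertType=server\n' > "$dir/server.ext"
    if [ "$kind" = server ]; then ext="-extfile $dir/server.ext"; else ext=""; fi
    # $ext is deliberately unquoted so it expands to two words (or none)
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/server.crt" $ext >/dev/null 2>&1
    chmod 600 "$dir/server.key"
}

# Stand-alone demo: a proper set passes, a build-key style cert is rejected.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" server
check_openvpn_pki "$demo_dir/ca.crt" "$demo_dir/server.crt" "$demo_dir/server.key" \
    && echo "server PKI: OK"
make_test_pki "$demo_dir" plain
check_openvpn_pki "$demo_dir/ca.crt" "$demo_dir/server.crt" "$demo_dir/server.key" \
    || echo "build-key style cert: rejected as expected"
rm -rf "$demo_dir"
```

On the real server, run check_openvpn_pki keys/ca.crt keys/server.crt keys/server.key from /etc/openvpn/easy-rsa/2.0/ before the cp step. Note that the server.conf on this page references only ca.crt, server.crt, server.key, dh1024.pem and ta.key; ca.key and server.csr are never read by the daemon.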

Copy the sample server configuration file and configure as necessary

  • cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
tls-auth ta.key 0
dh dh1024.pem
server 10.10.9.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Start OpenVPN

Start the OpenVPN service

  • service openvpn start

Install the Client

Download and install the latest Windows client with all default options

Copy the following files from the /etc/openvpn/easy-rsa/2.0/keys/ directory on the server to C:\Program Files (x86)\OpenVPN\config\ on the client. (Note: the directory will be under "C:\Program Files" on an x86 (32-bit) Windows client.)

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key

Create client1.ovpn in the same config directory as the keys

client
dev tun
proto udp
remote SERVER_DNS_OR_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 3
keepalive 10 120
route-method exe
route-delay 2
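The three files this page has you write by hand (iptables_set.sh, server.conf and client1.ovpn) have to agree on the VPN subnet, the port and protocol, the tls-auth key direction and whether comp-lzo is used; a mismatch usually shows up only as a client that never finishes connecting, or as NAT rules that trust a subnet OpenVPN is not handing out. The script below is an added example, not part of this page or of OpenVPN: it parses copies of those files and reports each inconsistency. The sample files it writes are constructed for the demo from the values on this page, with SERVER_DNS_OR_IP kept as a placeholder.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of OpenVPN: cross-check the three
# files the page has you write by hand (iptables_set.sh, server.conf,
# client1.ovpn) for the mismatches that leave a client unable to connect or
# NAT the wrong subnet. The checks are assumptions made for this example.

# Field N (2 = first argument) of the first line in FILE whose first word is
# DIRECTIVE; prints nothing when the directive is absent.
cfg_field() { awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }' "$1"; }

# Dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24.
mask_to_prefix() {
    bits=0
    for o in $(printf '%s' "$1" | tr . ' '); do
        case "$o" in
            255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;; 252) bits=$((bits + 6)) ;;
            248) bits=$((bits + 5)) ;; 240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;; 0) ;;
            *) echo "bad netmask octet '$o'" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# iptables_set.sh vs server.conf: the subnet the FORWARD/MASQUERADE rules
# trust must be the pool from the "server" line, and the INPUT rule must
# accept the protocol and port OpenVPN listens on.
check_firewall() {
    ipt="$1"; srv="$2"; rc=0
    vpn_net="$(cfg_field "$srv" server 2)/$(mask_to_prefix "$(cfg_field "$srv" server 3)")"
    fw_net=$(sed -n 's/.*POSTROUTING -s \([^ ]*\).*/\1/p' "$ipt")
    if [ "$vpn_net" != "$fw_net" ]; then
        echo "FAIL: server.conf hands out $vpn_net but the NAT rule covers '$fw_net'"; rc=1
    fi
    sport=$(cfg_field "$srv" port 2);   [ -n "$sport" ]  || sport=1194
    sproto=$(cfg_field "$srv" proto 2); [ -n "$sproto" ] || sproto=udp
    if ! grep -q -- "INPUT -p $sproto --dport $sport -j ACCEPT" "$ipt"; then
        echo "FAIL: no INPUT rule accepting $sproto port $sport"; rc=1
    fi
    return $rc
}

# client1.ovpn vs server.conf: proto and dev must match, the client must dial
# the server's port, tls-auth must be on both sides with direction 0 on the
# server and 1 on the client, and comp-lzo must be on both sides or neither.
check_client() {
    srv="$1"; cli="$2"; rc=0
    for d in proto dev; do
        s=$(cfg_field "$srv" "$d" 2); c=$(cfg_field "$cli" "$d" 2)
        [ "$s" = "$c" ] || { echo "FAIL: $d is '$s' on the server, '$c' on the client"; rc=1; }
    done
    sport=$(cfg_field "$srv" port 2);   [ -n "$sport" ] || sport=1194
    cport=$(cfg_field "$cli" remote 3); [ -n "$cport" ] || cport=1194
    [ "$sport" = "$cport" ] || { echo "FAIL: server listens on $sport, client dials $cport"; rc=1; }
    sdir=$(cfg_field "$srv" tls-auth 3); cdir=$(cfg_field "$cli" tls-auth 3)
    if [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; then
        echo "FAIL: expected 'tls-auth ta.key 0' on the server and 'tls-auth ta.key 1' on the client"; rc=1
    fi
    s=$(cfg_field "$srv" comp-lzo 1); c=$(cfg_field "$cli" comp-lzo 1)
    [ "$s" = "$c" ] || { echo "FAIL: comp-lzo is set on only one side"; rc=1; }
    return $rc
}

# Constructed sample files in $1, using the values from this page
# (SERVER_DNS_OR_IP stays a placeholder); bad.ovpn has four typical mistakes.
write_samples() {
    cat > "$1/iptables_set.sh" <<'EOF'
/sbin/iptables -A FORWARD -s 10.10.9.0/24 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 10.10.9.0/24 -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
EOF
    printf 'port 1194\nproto udp\ndev tun\ntls-auth ta.key 0\nserver 10.10.9.0 255.255.255.0\ncomp-lzo\n' \
        > "$1/server.conf"
    printf 'client\ndev tun\nproto udp\nremote SERVER_DNS_OR_IP 1194\ntls-auth ta.key 1\ncomp-lzo\n' \
        > "$1/client1.ovpn"
    printf 'client\ndev tun\nproto tcp\nremote SERVER_DNS_OR_IP 443\ntls-auth ta.key 0\n' \
        > "$1/bad.ovpn"
}

# Stand-alone demo
demo=$(mktemp -d); write_samples "$demo"
check_firewall "$demo/iptables_set.sh" "$demo/server.conf" && echo "iptables_set.sh: OK"
check_client "$demo/server.conf" "$demo/client1.ovpn" && echo "client1.ovpn: OK"
check_client "$demo/server.conf" "$demo/bad.ovpn" || echo "bad.ovpn: rejected as expected"
rm -rf "$demo"
```

To use it against the real files, run check_firewall iptables_set.sh /etc/openvpn/server.conf on the server and check_client with server.conf and a copy of client1.ovpn; each FAIL line names the directive to fix on one side.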

Run OpenVPN GUI (Right click and choose "Run as administrator" otherwise the client will not connect properly)

Double click the OpenVPN GUI icon in the notification area of the taskbar to connect

Browse to http://www.whatismyip.com to verify that your traffic is going through the VPN server