OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client/server configuration, it allows the server to issue an authentication certificate for every client, signed by its own certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.
This article guides you through the installation and configuration of an OpenVPN server on CentOS 6.3. We also show how to configure the OpenVPN client on Windows, OS X, or Linux.
1) Install the OS CentOS/RHEL 6.3.
2) Update and upgrade your server (optional), then install the build dependencies:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Install the Extra Packages for Enterprise Linux (EPEL) repository, which provides OpenVPN together with its lzo and pkcs11-helper dependencies.
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install openvpn
a) Using Easy-RSA to generate Keys and Certificate
Copy the sample scripts shipped with the OpenVPN package that are required to generate keys and certificates.
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rfv /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Once the scripts are in their proper location, set the environment variables that are used to generate the certificates.
To do so, modify the “KEY_” variables located at the bottom of the file /etc/openvpn/easy-rsa/vars.
vi /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="Organization Name"
export KEY_EMAIL="firstname.lastname@example.org"
export KEY_CN=droplet.example.com
export KEY_NAME=server
export KEY_OU=server
Easy-RSA sometimes fails to recognise the OpenSSL version on CentOS. To avoid the confusion, manually copy the required OpenSSL configuration file.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Also change the following line in the “vars” file from:
vi /etc/openvpn/easy-rsa/vars
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
To:
export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl.cnf
Based on the above configuration we now build our Certificate Authority (CA). Navigate to the easy-rsa directory, make all files in the directory executable, load the variables and build the CA.
cd /etc/openvpn/easy-rsa
chmod +x *
source ./vars
./clean-all
./build-ca
Now create the Diffie-Hellman parameters using the build-dh script, and the tls-auth (TA) secret key as well.
./build-dh
openvpn --genkey --secret keys/ta.key
Once we have built our own Certificate Authority (CA), created the DH parameters and generated the TA secret, it is time to create the OpenVPN server certificate and copy all the files to the /etc/openvpn directory:
./build-key-server server
cd /etc/openvpn/easy-rsa/keys
cp ca.crt server.crt server.key dh1024.pem ta.key /etc/openvpn
b) OpenVPN Config
Now copy the sample configuration file shipped with the OpenVPN package to the destination folder (/etc/openvpn) and modify it.
cp -v /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn
vim /etc/openvpn/server.conf
Uncomment the “push” parameter that routes all traffic from the client system via the OpenVPN box.
push "redirect-gateway def1 bypass-dhcp"
We also need to push options that send the clients' DNS queries to Google's public DNS servers.
push "dhcp-option DNS 126.96.36.199"
push "dhcp-option DNS 188.8.131.52"
Let OpenVPN drop privileges after startup to enhance security: uncomment the relevant “user” and “group” lines.
user nobody
group nobody
The final OpenVPN server config file will look like this:
mode server
tls-server
port 1194 ## default openvpn port
proto udp
dev tun ## If you need multiple tap devices, add them here
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
ifconfig 10.8.0.1 10.8.0.2
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "route 10.240.0.0 255.255.248.0"
push "dhcp-option DNS 184.108.40.206"
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DOMAIN example.com"
user openvpn
group openvpn
keepalive 10 120
status /var/log/openvpn-status.log
verb 3
c) System Config
Enable IP forwarding so that the VPN box forwards client packets to the internal network.
vi /etc/sysctl.conf:
net.ipv4.ip_forward = 1
To apply the change:
sysctl -p /etc/sysctl.conf
Add iptables rules that masquerade the VPN subnet on the outbound interface, allow forwarding between the tun and ethernet interfaces, and accept UDP port 1194; then save the rules and restart iptables:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
service iptables save
service iptables restart
Now start the service, and enable it on boot as well.
service openvpn start
chkconfig openvpn on
OpenVPN clients and their configuration.
Now we create client certificates on the OpenVPN server for authentication:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key client
Note: You can replace “client” with a more identifiable name, such as the hostname of the client or the username that needs to connect.
Now copy the necessary client certificate files (ca.crt, ta.key, client.crt and client.key) from the OpenVPN server to the OpenVPN client machine.
cd /etc/openvpn/easy-rsa/keys/
tar -cvf /tmp/client-ssl-bundle.tar ca.crt ta.key client.crt client.key
scp :/tmp/client-ssl-bundle.tar .
Now prepare the client configuration file that is used to connect to the OpenVPN server.
vi client.ovpn
dev tun
proto udp
remote 1194
pull
# Client does not need to bind to a specific local port
nobind
resolv-retry infinite
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key
# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-client
tls-auth ta.key 1
# Specify same cipher as server
cipher BF-CBC
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
Note:
*) Replace “client” with the name of the VPN client key you generated with the build-key command.
*) Rename client.ovpn so that “client” matches the name of the client being deployed.
*) Put the VPN server IP in place of OpenVPN SERVER IP in the “remote” parameter.
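As an added example (not from the article or the OpenVPN project), the following Python script parses a server.conf and a client .ovpn like the ones above and checks the settings this guide configures: tls-auth key direction on both ends, matching cipher/proto/compression, the user/group privilege drop, the port, and the DH parameter size. The sample configs and the 203.0.113.10 address are constructed for the example.

```python
"""Added example (not the article's code): audit an OpenVPN server.conf against a client .ovpn; the sample configs below are constructed."""
import shlex
SERVER_CONF = """
port 1194 ## default openvpn port
proto udp
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC
comp-lzo
user openvpn
group openvpn"""
CLIENT_OVPN = """
proto udp
remote 203.0.113.10 1194
tls-client
tls-auth ta.key 1
cipher BF-CBC
comp-lzo"""
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}  # 64-bit block ciphers

def parse(text):  # {directive: [args, ...]} for every occurrence; '#' comments stripped
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = shlex.split(line)
            conf.setdefault(words[0], []).append(words[1:])
    return conf

def audit(server_text, client_text):
    """Return a list of findings; an empty list means the pair passed every check."""
    s, c = parse(server_text), parse(client_text)
    first = lambda conf, key: conf.get(key, [[]])[0]  # args of the first occurrence
    findings = []
    # tls-auth must be present on both sides, key-direction 0 on the server and 1 on the client
    if first(s, "tls-auth")[1:] != ["0"] or first(c, "tls-auth")[1:] != ["1"]:
        findings.append("tls-auth missing or key-direction wrong (server 0, client 1)")
    for key in ("cipher", "proto", "comp-lzo"):  # both ends must agree on these
        if s.get(key) != c.get(key):
            findings.append(f"{key} differs between server and client")
    cipher = first(s, "cipher")
    if cipher and cipher[0] in WEAK_CIPHERS:
        findings.append(f"cipher {cipher[0]} has a 64-bit block; use AES-256-GCM or AES-256-CBC")
    if "user" not in s or "group" not in s:  # the privilege drop after startup
        findings.append("server keeps root privileges: set user/group")
    if first(c, "remote")[1:2] != first(s, "port")[:1]:
        findings.append("client remote port does not match server port")
    dh = first(s, "dh")
    if dh and "1024" in dh[0]:
        findings.append("1024-bit DH parameters; regenerate with KEY_SIZE=2048 in vars")
    return findings
```

Run against the article's settings it reports the Blowfish cipher and the 1024-bit DH file; swapping in AES-256-GCM on both ends and dh2048.pem clears both findings.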
OpenVPN client software:
On Windows and Mac OS X, copy the OpenVPN client config (client.ovpn) and the certificate files to the following location:
Windows: C:\Program Files\OpenVPN\config
Mac OS X: ~/Library/Application Support/Tunnelblick/Configurations
On Linux the files can be placed anywhere; the only requirement is to pass the --config parameter when starting openvpn:
sudo openvpn --config ~/path/to/client.ovpn
Congratulations! You are now connected to the OpenVPN server. Grab a glass of beer and enjoy it.