Installation/Setup and Configure an OpenVPN Server on CentOS/RHEL 6.3


OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[2] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

This article will guide you through the installation and configuration steps of OpenVPN server on CentOS 6.3. Also we will guide you how to configure OpenVPN client for Windows, OS X, or Linux.

Installation Steps

1) Install the OS CentOS/RHEL 6.3.

2) Proceed to update and upgrade your server, but not necessary.

   yum upgrade
Installation Prerequisite
   yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

We need to install Extra Packages for Enterprise Linux (EPEL) Repository to install OpenVPN and other lzo and pkcs11-helper package.

   rpm -ivh
   yum install openvpn


a) Using Easy-RSA to generate Keys and Certificate

We need to copy sample scripts that is required to generate keys and certificate that are already shipped with OpenVPN package.

   mkdir -p /etc/openvpn/easy-rsa/keys
   cp -rfv /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Once we have copied respective script to there appropriate location, now we need to setup up the environment variable that would be used to generate the certificate.
For that we need to modify the “KEY_” variables, located at the bottom of the file (/etc/openvpn/easy-rsa/vars).

   vi /etc/openvpn/easy-rsa/vars

   export KEY_COUNTRY="US"
   export KEY_PROVINCE="NY"
   export KEY_CITY="New York"
   export KEY_ORG="Organization Name"
   export KEY_EMAIL=""
   export KEY_NAME=server
   export KEY_OU=server

Sometime it is seen that OpenVPN fails to recognise OpenSSL version on CentOS. So to avoid the confusion we will manually copy the required OpenSSL configuration file.

   cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Also Change following line in file “vars” from:

   vi /etc/openvpn/easy-rsa/vars

   export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
   export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl.cnf

Based on the above configuration and info we need to build our Certificate Authority (CA). Navigate to easy-rsa directory and make all files in the directory executable.

   cd /etc/openvpn/easy-rsa
   chmod +x *
   source ./vars

Now create Diffie Hellman key exchange files using the build-dh script and TA secret key as well.

   openvpn --genkey --secret keys/ta.key

Once we have successfully build our own Certificate Authority (CA) and created DH key and generated TA secret, now is the time to create OpenVPN Server certificate and copy all the file to /etc/openvpn directory (/etc/openvpn):

   ./build-key-server server
   cd /etc/openvpn/easy-rsa/keys
   cp ca.crt server.crt server.key dh1024.pem ta.key /etc/openvpn

b) OpenVPN Config

Now copy the sample configuration file shipped with Open-VPN package to destination folder (/etc/openvpn) and modify it.

   cp -v /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn
   vim /etc/openvpn/server.conf

Uncomment the “push parameter that allows traffic on client system to be routed via OpenVPN box.

   push "redirect-gateway def1 bypass-dhcp"

Also we need to push rules that allows DNS queries to Public DNS Server of Google.

   push "dhcp-option DNS"
   push "dhcp-option DNS"

Let OpenVPN drops privileges after startup to enhance security. Uncomment the relevant “user” and “group” lines.

   user nobody
   group nobody

Final OpenVPN Server Config file will look like:

   mode server
   port 1194 		## default openvpn port
   proto udp
   dev tun 		## If you need multiple tap devices, add them here

   #certificates and encryption
   ca ca.crt
   cert server.crt
   key server.key   	# This file should be kept secret
   dh dh1024.pem
   tls-auth ta.key 0    # This file is secret
   cipher BF-CBC        # Blowfish (default)
   push "redirect-gateway def1 bypass-dhcp"
   push "route"
   push "dhcp-option DNS"
   push "dhcp-option DNS"
   push "dhcp-option DOMAIN"
   user openvpn
   group openvpn
   keepalive 10 120
   status /var/log/openvpn-status.log
   verb 3

c) System Config

We need to enable IP Forwarding as it will forward client packet via the VPN Box to internal network.

   vi /etc/sysctl.conf:

   net.ipv4.ip_forward = 1

To enable the changes

   sysctl -p /etc/sysctl.conf

Implement an iptables rules to allow routing of Subnet forward packet by respective interface and allowing port 1194, save the iptables rule and restart it:

   iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
   iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT 
   iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT 
   iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
   service iptables save
   service iptables restart

Now start the service, and enable it on boot as well.

   service openvpn start
   chkconfig openvpn on

OpenVPN Client and there configuration.

Now we will create client certificates on OpenVPN server to authenticate:

   cd /etc/openvpn/easy-rsa
   source ./vars
   ./build-key client

Note: You can replace “client” with other name that we can identify it like hostname of client or username that need to connect.

Now we need to copy necessary client certificate (ca.crt, ta.key, client.crt and client.key) from OpenVPN server to the openvpn client machine.

   cd /etc/openvpn/easy-rsa/keys/
   tar -cvf /tmp/client-ssl-bundle.tar ca.crt ta.key client.crt client.key
   scp :/tmp/client-ssl-bundle.tar .

Now we will prepare client configuration file that would be used to connect to OpenVPN Server.

   vi client.ovpn

   dev tun
   proto udp
   remote  1194

   # Client does not need to bind to a specific local port
   resolv-retry infinite

   # SSL/TLS parameters - files created previously
   ca ca.crt
   cert client.crt
   key client.key

   # Since we specified the tls-auth for server, we need it for the client
   # note: 0 = server, 1 = client
   tls-auth ta.key 1
   # Specify same cipher as server
   cipher BF-CBC
   # Use compression
   # Log verbosity (to help if there are problems)
   verb 3

Note: *) Replace the name of VPN “client” key that you have generated using build-key command.
*) Replace client.ovpn, where “client” should match the name of the client being deployed using build-key command.
*) Also place the VPN Server IP at OpenVPN SERVER IP remote parameter.

Open VPN clients Software:

Windows: OpenVPN Community Edition binaries
Mac OS X: Tunnelblick
Linux: openvpn client

On Windows/Mac OS X we need to copy the OpenVPN client config (client.ovpn) and certificate to following location:

   Windows:	C:\Program Files\OpenVPN\config
   Mac OS X:	~/Library/Application Support/Tunnelblick/Configurations

On Linux we can copy it to any location, only thing that we need to do is to pass the –config parameter while starting openvpn

   sudo openvpn --config ~/path/to/client.ovpn

Congratulations! Now you are connected to OpenVPN Server, grap a glass of bear and enjoy it.