Set up an OpenVPN server on CentOS 6

February 02, 2013 at 07:40 AM | categories: Sysadmin, Tips, Security, Centos

EPEL Repository

OpenVPN 2 is packaged for CentOS in the EPEL repository, so you need to have EPEL enabled.

If you do not have EPEL enabled run:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Installation

To install OpenVPN run:

yum install openvpn lzo -y

Configuration

Set up the CA and keys with the easy-rsa scripts shipped with the package:

cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/open-rsa

The copied tree already contains a vars file; edit /etc/openvpn/open-rsa/vars and change the KEY_ values to your own settings. KEY_SIZE sets the RSA key length for the CA, server and client keys and the size of the Diffie-Hellman parameters (and the name of the dh file build-dh writes): the easy-rsa default of 1024 is no longer adequate, so use 2048.

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/etc/openvpn/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048   # easy-rsa shipped 1024 here; 1024-bit RSA is too weak, and build-dh names its output dh${KEY_SIZE}.pem
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="ZA"
export KEY_PROVINCE="Gauteng"
export KEY_CITY="Johannesburg"
export KEY_ORG="Topdog-software"
export KEY_EMAIL="andrew@topdog.za.net"
export KEY_CN="Topdog-software OpenVPN CA"
export KEY_NAME="tdss"
export KEY_OU="Topdog-software"

Create the keys directory (./clean-all below recreates it with go-rwx permissions and removes anything already in it):

mkdir /etc/openvpn/keys

Create the CA:

cd /etc/openvpn/open-rsa
source ./vars
./clean-all
./build-ca

Create the server's certificate (replace vpn.home.topdog-software.com with the name of your server). build-key-server signs it with the server extensions (nsCertType=server, extendedKeyUsage=serverAuth) that the clients' remote-cert-tls server check looks for:

./build-key-server vpn.home.topdog-software.com

Generate the Diffie-Hellman parameters (this can take several minutes; the output file is named dh<KEY_SIZE>.pem):

./build-dh

Create the file that ifconfig-pool-persist uses to remember which address each client was given:

touch /etc/openvpn/ipp.txt

Create the server configuration file /etc/openvpn/server.conf (relative paths are resolved from /etc/openvpn, the directory the init script starts each instance in):

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn.home.topdog-software.com.crt
key keys/vpn.home.topdog-software.com.key
# build-dh names this file after KEY_SIZE in vars
dh keys/dh2048.pem
cipher AES-128-CBC
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

A few things worth knowing about this file: 10.0.0.0/24 is a common LAN range, so pick a subnet for the server line that will not collide with the networks your clients sit on; the daemon runs as root as written, so add user nobody and group nobody (persist-key and persist-tun are already present, which is what lets it keep running after dropping privileges); and there is no crl-verify line, so a client certificate revoked with ./revoke-full is still accepted until you add crl-verify keys/crl.pem.

Add iptables rules to /etc/sysconfig/iptables to let the VPN traffic in and forward it (the fragment is in iptables-save format; the .. lines stand for the rules already in the file):

*filter
..
..
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT

Forwarding must also be enabled in the kernel. Note that nothing above NATs the VPN subnet, so hosts on the eth0 side need a route for 10.0.0.0/24 back to the VPN server (or add a MASQUERADE rule for it in the nat table):

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it permanent, add the following to /etc/sysctl.conf (sysctl -p applies it immediately):

net.ipv4.ip_forward = 1

Your OpenVPN server should now be ready to go; start it (and run chkconfig openvpn on so it starts at boot):

service openvpn start

Client configuration

Each client needs its own certificate and key pair; create one from the easy-rsa directory, with vars still sourced:

./build-key client1.home.topdog-software.com

Copy ca.crt, client1.home.topdog-software.com.crt and client1.home.topdog-software.com.key to the OpenVPN keys directory on the client. The .key file is the client's private key: move it over a secure channel such as scp and keep it readable only by root (mode 0600). ca.crt is public and the same for every client.

Create the client OpenVPN configuration, for example /etc/openvpn/client.conf (the init script starts every *.conf it finds in /etc/openvpn). The remote-cert-tls server line matters: without it any certificate signed by the CA, including another client's, would be accepted as the server; with it the client insists on the server extensions that build-key-server put on the server certificate.

remote vpn.home.topdog-software.com 1194
client
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca keys/ca.crt
cert keys/client1.home.topdog-software.com.crt
key keys/client1.home.topdog-software.com.key
cipher AES-128-CBC
comp-lzo
status /var/log/openvpn-client.log
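
As an added example that is not part of the original post: the status line in server.conf makes OpenVPN rewrite /var/log/openvpn-status.log every 60 seconds, and that server.conf has no crl-verify line, so a client whose certificate you revoke with ./revoke-full keeps connecting until you add crl-verify keys/crl.pem. The script below was written for this page; it assumes the default status-version 1 layout of the status file and easy-rsa's keys/index.txt CA database, and the sample status and index contents it creates are constructed. It lists the connected clients and flags the ones whose certificate the CA database marks as revoked.

```shell
#!/bin/sh
# Added example (not from the original post): read the OpenVPN status file
# (default status-version 1 layout) and cross-check connected clients against
# easy-rsa's index.txt. File paths are arguments so it can be run on copies.

# status_clients STATUS_FILE -> one "CN REAL_ADDRESS VIRTUAL_ADDRESS" line per connected client
status_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "";        next }
        # client rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        sec == "clients" && NF == 5 && $1 != "Common Name" { real[$1] = $2 }
        # routing rows: Virtual Address,Common Name,Real Address,Last Ref (skip iroute networks)
        sec == "routes" && NF == 4 && $1 != "Virtual Address" && index($1, "/") == 0 { vaddr[$2] = $1 }
        END { for (cn in real) print cn, real[cn], (cn in vaddr ? vaddr[cn] : "-") }
    ' "$1" | sort
}

# revoked_cns INDEX_TXT -> CNs whose index.txt entry is marked R (revoked)
# index.txt is tab separated: status, expiry, revocation date, serial, file name, subject DN
revoked_cns() {
    awk 'BEGIN { FS = "\t" }
         $1 == "R" && match($6, "/CN=[^/]*") { print substr($6, RSTART + 4, RLENGTH - 4) }' "$1" | sort -u
}

# connected_revoked STATUS_FILE INDEX_TXT -> the status_clients lines whose CN is revoked
connected_revoked() {
    rev=$(revoked_cns "$2")
    status_clients "$1" | while read -r cn rest; do
        if printf '%s\n' "$rev" | grep -qxF -- "$cn"; then echo "$cn $rest"; fi
    done
}

# make_samples DIR -> writes a constructed status.log and index.txt into DIR
# (client2's certificate is marked revoked; the addresses are documentation ranges)
make_samples() {
    cat > "$1/status.log" <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Feb  2 07:40:00 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1.home.topdog-software.com,203.0.113.5:51234,12345,67890,Sat Feb  2 07:30:00 2013
client2.home.topdog-software.com,198.51.100.7:40001,100,200,Sat Feb  2 07:35:00 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.0.6,client1.home.topdog-software.com,203.0.113.5:51234,Sat Feb  2 07:39:50 2013
10.0.0.10,client2.home.topdog-software.com,198.51.100.7:40001,Sat Feb  2 07:39:55 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    printf 'V\t230130000000Z\t\t02\tunknown\t/C=ZA/ST=Gauteng/L=Johannesburg/O=Topdog-software/CN=client1.home.topdog-software.com/name=tdss/emailAddress=andrew@topdog.za.net\n' > "$1/index.txt"
    printf 'R\t230130000000Z\t130201120000Z\t03\tunknown\t/C=ZA/ST=Gauteng/L=Johannesburg/O=Topdog-software/CN=client2.home.topdog-software.com/name=tdss/emailAddress=andrew@topdog.za.net\n' >> "$1/index.txt"
}

# Demo on the constructed samples; on a real server use
# connected_revoked /var/log/openvpn-status.log /etc/openvpn/keys/index.txt
tmp=$(mktemp -d)
make_samples "$tmp"
echo "connected clients:"
status_clients "$tmp/status.log"
echo "connected with a revoked certificate:"
connected_revoked "$tmp/status.log" "$tmp/index.txt"
rm -r "$tmp"
```

Run it from cron and mail the output, or kill the offending session with the management interface, but the real fix is the crl-verify line: once it is in place OpenVPN rejects the revoked certificate at the TLS handshake and the check above stays empty.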

Static addresses

If you want some clients to get static addresses, create the client-config-dir named in server.conf:

mkdir /etc/openvpn/ccd

Create a file per client in /etc/openvpn/ccd; the file name must match the CN of the client certificate (client1.home.topdog-software.com for the client created above) and contains the address pair to push. With the net30 topology the server line uses by default, each client gets a /30, so the pair must be one of [1,2] [5,6] [9,10] ... [253,254] within the VPN subnet, and it should not be a /30 the dynamic pool has already recorded in ipp.txt:

ifconfig-push 10.0.0.2 10.0.0.1
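
As an added example that is not part of the original post, a small shell helper that writes the ccd file with the checks a bare ifconfig-push line leaves to you: the CN is used as a file name so it must be a plain name, the pair must be a valid net30 /30 pair, and the /30 must not already be held by another client in ipp.txt. It was written for this page; the directory and file paths are arguments, and the CNs, addresses and ipp.txt contents used below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): create a client-config-dir file
# for a static address after checking the inputs. Paths are arguments so it
# can be tried on scratch copies before touching /etc/openvpn.

# net30_pair_ok LOCAL REMOTE -> 0 if LOCAL and REMOTE are the two usable hosts of one /30
# (last octets {4k+1, 4k+2} in the same /24, the pairs the server hands out in net30 mode)
net30_pair_ok() {
    [ "${1%.*}" = "${2%.*}" ] || return 1
    a=${1##*.}; b=${2##*.}
    if [ "$a" -lt "$b" ]; then lo=$a; hi=$b; else lo=$b; hi=$a; fi
    [ $((lo % 4)) -eq 1 ] && [ "$hi" -eq $((lo + 1)) ]
}

# ipp_conflict ADDR IPP_FILE -> 0 if an address recorded in ipp.txt ("cn,addr" lines)
# lies in the same /30 as ADDR (compares the /30 base, so it does not matter
# whether the recorded address is the pool base or the client endpoint)
ipp_conflict() {
    awk -F, -v a="$1" '
        function blk(ip,  o) { split(ip, o, "."); return o[1] "." o[2] "." o[3] "." (o[4] - o[4] % 4) }
        $2 != "" && blk($2) == blk(a) { hit = 1 }
        END { exit !hit }' "$2" 2>/dev/null
}

# add_static_client CN LOCAL REMOTE CCD_DIR IPP_FILE
# writes CCD_DIR/CN containing "ifconfig-push LOCAL REMOTE"; non-zero status on any check failure
add_static_client() {
    cn=$1; lcl=$2; rmt=$3; ccd=$4; ipp=$5
    case "$cn" in
        ""|.|..|*/*) echo "refusing CN '$cn': not a plain file name" >&2; return 2 ;;
    esac
    net30_pair_ok "$lcl" "$rmt" || { echo "$lcl $rmt is not a net30 pair" >&2; return 3; }
    ipp_conflict "$lcl" "$ipp" && { echo "the /30 holding $lcl is already allocated in $ipp" >&2; return 4; }
    mkdir -p "$ccd"
    printf 'ifconfig-push %s %s\n' "$lcl" "$rmt" > "$ccd/$cn"
}

# Demo on constructed data: client1 already holds the 10.0.0.4/30 block
tmp=$(mktemp -d)
printf 'client1.home.topdog-software.com,10.0.0.4\n' > "$tmp/ipp.txt"
if add_static_client client2.home.topdog-software.com 10.0.0.10 10.0.0.9 "$tmp/ccd" "$tmp/ipp.txt"; then
    cat "$tmp/ccd/client2.home.topdog-software.com"
fi
if ! add_static_client client3.home.topdog-software.com 10.0.0.6 10.0.0.5 "$tmp/ccd" "$tmp/ipp.txt"; then
    echo "client3 refused as expected"
fi
rm -r "$tmp"
```

On the server the call is add_static_client <CN> <local> <remote> /etc/openvpn/ccd /etc/openvpn/ipp.txt; a running server picks the new file up on the client's next connection, since ccd files are read at connect time.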
