Set up an OpenVPN server on CentOS 6
February 02, 2013 at 07:40 AM | categories: Sysadmin, Tips, Security, Centos
EPEL Repository
OpenVPN 2 is available for CentOS from the EPEL repository, so you need to have EPEL enabled.
If you do not have EPEL enabled run:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Installation
To install OpenVPN run:
yum install openvpn lzo -y
Configuration
Set up the SSL CA and keys:
cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/open-rsa
Create and customize the vars file /etc/openvpn/open-rsa/vars. Make sure you change the KEY_ values to your own settings:
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/etc/openvpn/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="ZA"
export KEY_PROVINCE="Gauteng"
export KEY_CITY="Johannesburg"
export KEY_ORG="Topdog-software"
export KEY_EMAIL="andrew@topdog.za.net"
export KEY_CN="Topdog-software OpenVPN CA"
export KEY_NAME="tdss"
export KEY_OU="Topdog-software"
Create the keys directory:
mkdir /etc/openvpn/keys
Create the CA:
cd /etc/openvpn/open-rsa
source ./vars
./clean-all
./build-ca
Create the server's SSL certificate (replace vpn.home.topdog-software.com with the name of your server):
./build-key-server vpn.home.topdog-software.com
Generate Diffie-Hellman parameters:
./build-dh
Create the leases file:
touch /etc/openvpn/ipp.txt
Create the configuration file /etc/openvpn/server.conf:
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn.home.topdog-software.com.crt
key keys/vpn.home.topdog-software.com.key
dh keys/dh1024.pem
cipher AES-128-CBC
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
Create iptables rules to allow traffic through:
*filter
..
..
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
Enable packet forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it permanent, add the following to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Your OpenVPN server should be ready to go; start it:
service openvpn start
Client configuration
Each client requires a certificate and key pair; let's create one:
./build-key client1.home.topdog-software.com
Copy the client1.home.topdog-software.com.crt, ca.crt and client1.home.topdog-software.com.key files to the OpenVPN keys directory on the client.
Create the client OpenVPN configuration /etc/openvpn/server.conf:
remote vpn.home.topdog-software.com 1194
client
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca keys/ca.crt
cert keys/client1.home.topdog-software.com.crt
key keys/client1.home.topdog-software.com.key
cipher AES-128-CBC
comp-lzo
status /var/log/openvpn-client.log
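Before handing the client config out, it is worth cross-checking it against server.conf: cipher, proto, tun/tap type, port and comp-lzo must agree on both ends, and the client should keep the remote-cert-tls server line so that a certificate issued by the same CA to another client cannot be presented as the server's. The following check is an added example, not part of the original post; the two configs it compares are constructed copies of the ones above.

```shell
#!/bin/sh
# Added consistency check (not from the original post): compare the
# server.conf and client config from this walkthrough and flag settings
# that must agree on both ends, plus the client-side server-role pin.
# Both configs below are constructed samples matching the post.
SERVER_CONF='port 1194
proto udp
dev tun
cipher AES-128-CBC
server 10.0.0.0 255.255.255.0
client-config-dir ccd
comp-lzo'
CLIENT_CONF='remote vpn.home.topdog-software.com 1194
client
remote-cert-tls server
dev tun0
proto udp
cipher AES-128-CBC
comp-lzo'

# opt CONF DIRECTIVE: print the directive's arguments (empty if unset)
opt() { printf '%s\n' "$1" | awk -v d="$2" '$1==d {sub(/^[^ ]+ */,""); print; exit}'; }
# has CONF DIRECTIVE: succeed if the directive is present
has() { printf '%s\n' "$1" | awk -v d="$2" '$1==d {f=1} END {exit f ? 0 : 1}'; }

# check_vpn_configs SERVER CLIENT: print one line per problem found and
# return the number of problems (0 means the two sides are consistent).
check_vpn_configs() {
  s="$1"; c="$2"; n=0
  # cipher, proto and tun/tap type must match or the tunnel never comes up
  [ "$(opt "$s" cipher)" = "$(opt "$c" cipher)" ] || { echo "cipher mismatch"; n=$((n+1)); }
  [ "$(opt "$s" proto)" = "$(opt "$c" proto)" ] || { echo "proto mismatch"; n=$((n+1)); }
  sdev=$(opt "$s" dev | cut -c1-3); cdev=$(opt "$c" dev | cut -c1-3)
  [ "$sdev" = "$cdev" ] || { echo "dev type mismatch: $sdev vs $cdev"; n=$((n+1)); }
  # the client's 'remote HOST PORT' must use the port the server listens on
  rport=$(opt "$c" remote | awk '{print $2}')
  [ "$rport" = "$(opt "$s" port)" ] || { echo "port mismatch"; n=$((n+1)); }
  # comp-lzo must be enabled on both sides or on neither
  if has "$s" comp-lzo; then has "$c" comp-lzo || { echo "comp-lzo only on server"; n=$((n+1)); }
  else ! has "$c" comp-lzo || { echo "comp-lzo only on client"; n=$((n+1)); }; fi
  # without this pin the client would accept any certificate signed by the
  # CA, including another client's, as the server's
  has "$c" remote-cert-tls || { echo "client lacks 'remote-cert-tls server'"; n=$((n+1)); }
  return $n
}

check_vpn_configs "$SERVER_CONF" "$CLIENT_CONF" && echo "configs are consistent"
```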
Static addresses
If you want some clients to get static addresses:
mkdir /etc/openvpn/ccd
Create a client file for each of the clients you want to get a static address in /etc/openvpn/ccd; the file name should match the CN in the client certificate, and its contents are:
ifconfig-push 10.0.0.2 10.0.0.1