OPEN VPN Server Installation and Configuration on Centos 6.5 (PART-I)

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for secure point-to-point connections in remote-access setups.

OPEN VPN SERVER INSTALLATION:

The OpenVPN server and client must have the same date and time (certificate validity periods are checked against the local clock); only then can you proceed.

To install OpenVPN in a RHEL/CentOS 6.5 server, you will have to enable the EPEL repository.

I have installed Centos 6.5 with Basic server option.

First of all, disable SELinux.

Install and Enable Epel repository:
## RHEL/CentOS 6 64-Bit ##
[root@pc1 ~]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install the following packages:

[root@pc1 ~]# yum install pam-devel openssl-devel zlib-devel gcc make rpm-build
[root@pc1 ~]# yum install openvpn easy-rsa

When the installation completes, move to the sample configuration files directory of openvpn and copy the server.conf file to /etc/openvpn:

[root@pc1 ~]# cd /usr/share/doc/openvpn-2.3.10/sample/sample-config-files/
[root@pc1 sample-config-files]# cp server.conf /etc/openvpn

Generate Keys and Certificates:

The easy-rsa package provides several scripts, installed under /usr/share/easy-rsa/2.0, for generating keys and certificates. For convenience, we copy them into /etc/openvpn/easy-rsa (create this directory first), as shown below. Enter y if prompted to overwrite existing files:

[root@pc1 ~]# mkdir -p /etc/openvpn/easy-rsa
[root@pc1 ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Copy openssl-1.0.0.cnf file to openssl.cnf:

[root@pc1 ~]# cd /etc/openvpn/easy-rsa/
[root@pc1 easy-rsa]# cp openssl-1.0.0.cnf  openssl.cnf

Next, we will use the parameters in /etc/openvpn/easy-rsa/vars to set the values for our keys and certificates during generation. Change the values according to your needs (the fields are self-explanatory):

[root@pc1 ~]# vi /etc/openvpn/easy-rsa/vars
export EASY_RSA="/etc/openvpn/easy-rsa"  (put the easy-rsa path here)

Then source the vars file to export the variables and their values into the current environment (you will need them in the next step).

[root@pc1 ~]# cd /etc/openvpn/easy-rsa
[root@pc1 easy-rsa]# source vars
[root@pc1 easy-rsa]# chmod 755 *
[root@pc1 easy-rsa]# ./vars
[root@pc1 easy-rsa]# mkdir keys
[root@pc1 easy-rsa]# source vars
[root@vpn easy-rsa]# ./clean-all

Generate CA Certificate and CA key:

[root@vpn easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
.....................................+++
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:DL
Locality Name (eg, city) [SanFrancisco]:Delhi
Organization Name (eg, company) [Fort-Funston]:kvit
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:IT
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:openpath
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:it@kvit.in

[root@vpn easy-rsa]# cd keys/
The CA certificate and key are generated here:

[root@vpn keys]# ls
ca.crt  ca.key  index.txt  serial

====================================================================================
Next, we will create the key and the certificate for the server itself.
[root@vpn easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key

writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:DL
Locality Name (eg, city) [SanFrancisco]:delhi
Organization Name (eg, company) [Fort-Funston]:kvit
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:it
Common Name (eg, your name or your server's hostname) [server]:server
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:it@kvit.in
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'DL'
localityName          :PRINTABLE:'delhi'
organizationName      :PRINTABLE:'kvit'
organizationalUnitName:PRINTABLE:'it'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'it@kvit.in'
Certificate is to be certified until Apr  5 15:34:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@vpn easy-rsa]# cd keys/

The server key and certificate are created:
[root@vpn keys]# ls
01.pem  ca.crt  ca.key  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key

====================================================================================
Next, generate the Diffie-Hellman parameters used for the key exchange (this will take quite some time). This creates a file named dh2048.pem inside /etc/openvpn/easy-rsa/keys:

[root@pc1 easy-rsa]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
The file is created with the name dh2048.pem:
[root@pc1 keys]# ls
01.pem  ca.key      index.txt       index.txt.old  serial.old  server.csr
ca.crt  dh2048.pem  index.txt.attr  serial         server.crt  server.key

======================================================================================
Finally, create a separate certificate and key for each client that will use your VPN server (replace the client name with one of your choosing):

Here, I am creating the certificate and key for a client named window:
[root@vpn easy-rsa]# ./build-key window
Generating a 2048 bit RSA private key
.............+++
writing new private key to 'window.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:DL
Locality Name (eg, city) [SanFrancisco]:delhi
Organization Name (eg, company) [Fort-Funston]:kvit
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:it
Common Name (eg, your name or your server's hostname) [window]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:it@kvit.in
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'DL'
localityName          :PRINTABLE:'delhi'
organizationName      :PRINTABLE:'kvit'
organizationalUnitName:PRINTABLE:'it'
commonName            :PRINTABLE:'window'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'it@kvit.in'
Certificate is to be certified until Apr  5 15:35:10 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Here we can see that the certificate and key have been generated for the client named window:
[root@vpn keys]# ls
01.pem  02.pem  ca.crt  ca.key  dh2048.pem  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  serial  serial.old  server.crt  server.csr  server.key  window.crt  window.csr  window.key

The above step creates a certificate and key for the client window. Later in this tutorial we will download these files to a client, which will use them to connect to the VPN server.
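Before handing window.crt and window.key to a client, it is worth confirming that each certificate really chains to ca.crt, that the key file matches its certificate, and that the key is not readable by other users. The script below is an added check, not part of the original post; check_cert_pair and make_demo_pki are names chosen here, and the throwaway CA that make_demo_pki builds is constructed so the check can be exercised without the real /etc/openvpn/easy-rsa/keys.

```shell
#!/bin/sh
# Added check, not part of the original post: confirm that <name>.crt in an
# easy-rsa keys directory chains to ca.crt, that <name>.key belongs to it, and
# that the key is not readable by group or other. Exit 0 = all checks passed.
check_cert_pair() {
    keys_dir=$1
    name=$2
    ca="$keys_dir/ca.crt"
    crt="$keys_dir/$name.crt"
    key="$keys_dir/$name.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # 1. The certificate must be issued by the CA that server and clients trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$name.crt is not signed by ca.crt"; return 1; }
    # 2. The private key must belong to the certificate (same RSA modulus).
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    [ "$crt_mod" = "$key_mod" ] \
        || { echo "$name.key does not match $name.crt"; return 1; }
    # 3. Only the owner may read the private key (mode ?00, e.g. 600).
    case $(stat -c %a "$key") in
        *00) ;;
        *) echo "$name.key is readable by group or other"; return 1 ;;
    esac
    echo "$name: chain, key match and permissions OK"
}

# Constructed throwaway PKI in a temp dir (a CA, a server cert it signed and a
# self-signed "rogue" cert) so the check can run without the real keys directory.
make_demo_pki() {
    d=$(mktemp -d)
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rogue" \
        -keyout "$d/rogue.key" -out "$d/rogue.crt" >/dev/null 2>&1
    echo "$d"
}

# Usage: sh check_pki.sh /etc/openvpn/easy-rsa/keys window
if [ $# -ge 2 ]; then check_cert_pair "$1" "$2"; fi
```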

===================================================================================
Now, Configure the OpenVPN Server:
[root@pc1 ~]# vim /etc/openvpn/server.conf

At line 32 the port number is set. Change it here if you want a non-default port; we are using the default port here:
port 1194

At lines 35 and 36 the protocol is set; we are using the default UDP protocol here:
;proto tcp
proto udp

At line 52, uncomment the dev tap line and change it to tap0, and comment out dev tun:
dev tap0
;dev tun

At lines 78 to 80 and at line 85, put the paths of the certificates and keys:
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

At line 101 is the network address used for the virtual interface for VPN access. The server takes 10.8.0.1 for itself; the rest of the range is made available to clients, and each client can reach the server on 10.8.0.1.
server 10.8.0.0 255.255.255.0

At line 209, uncomment client-to-client to allow different clients to "see" each other. By default, clients only see the server.
client-to-client

# line 280: change
status /var/log/openvpn-status.log

# line 289: uncomment and specify logs
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log

Now, to check the configuration file, run openvpn in the foreground (it stays attached to the terminal; stop it with Ctrl-C once it reports "Initialization Sequence Completed"), then start the service and enable it at boot:
[root@vpn ~]# openvpn --config /etc/openvpn/server.conf
[root@vpn ~]# service  openvpn restart
[root@vpn ~]# chkconfig openvpn on

Then check the logs:
[root@vpn ~]# tail -f /var/log/openvpn.log

Check with ifconfig that the virtual device tap0 has been created:
[root@vpn ~]# ifconfig
tap0      Link encap:Ethernet  HWaddr 06:29:D4:2F:A5:E1
inet addr:10.8.0.1  Bcast:10.8.0.255  Mask:255.255.255.0

Next, enable IP forwarding on the VPN server (edit /etc/sysctl.conf; run sysctl -p afterwards to apply the setting without a reboot):
[root@vpn ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

Set the NAT rule for the public IP address. The source range must match the VPN subnet given by the server directive (10.8.0.0/24), so that only VPN traffic is masqueraded:
[root@vpn ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

Accept and forward traffic from the tap device in iptables (tap+ matches tap0 and any other tap interface). Rules added this way are lost on reboot unless saved with service iptables save:
[root@vpn ~]# iptables -A INPUT -i tap+ -j ACCEPT
[root@vpn ~]# iptables -A FORWARD -i tap+ -j ACCEPT
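As an added example (not from the original post), the script below derives the NAT and forwarding rules from the server and dev directives in server.conf, so the iptables source range always matches the VPN subnet instead of being typed by hand; mask_to_prefix, vpn_cidr_from_conf and vpn_firewall_rules are names chosen here, the public interface is assumed to be eth0, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the NAT and forwarding
# rules from the "server <network> <netmask>" and "dev" directives in server.conf,
# so the iptables source range is exactly the VPN subnet rather than typed by hand.
# The rules are printed for review, not applied.

# Dotted netmask (255.255.255.0) -> prefix length (24); rejects masks that are
# not a contiguous run of 1-bits, such as 255.0.255.0.
mask_to_prefix() {
    bits=0; ended=0
    for octet in $(echo "$1" | tr . ' '); do
        [ "$ended" = 1 ] && [ "$octet" != 0 ] && { echo "bad netmask: $1" >&2; return 1; }
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;  252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;  240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;  192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;  0) ended=1 ;;
            *) echo "bad netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# VPN network in CIDR form from the active (uncommented) server directive.
vpn_cidr_from_conf() {
    line=$(grep -E '^[[:space:]]*server[[:space:]]+' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no server directive in $1" >&2; return 1; }
    set -- $line
    prefix=$(mask_to_prefix "$3") || return 1
    echo "$2/$prefix"
}

# $1 = server.conf, $2 = public interface (assumed eth0). MASQUERADE is limited to
# the VPN subnet leaving on that interface; FORWARD allows VPN -> anywhere and
# only replies back in. "dev tap0" becomes the interface match "tap+".
vpn_firewall_rules() {
    cidr=$(vpn_cidr_from_conf "$1") || return 1
    pub=${2:-eth0}
    dev=$(grep -E '^[[:space:]]*dev[[:space:]]+' "$1" | head -n 1 | awk '{print $2}')
    devmatch=$(echo "${dev:-tun}" | sed 's/[0-9]*$/+/')
    echo "iptables -t nat -A POSTROUTING -s $cidr -o $pub -j MASQUERADE"
    echo "iptables -A INPUT -i $devmatch -j ACCEPT"
    echo "iptables -A FORWARD -i $devmatch -s $cidr -j ACCEPT"
    echo "iptables -A FORWARD -o $devmatch -d $cidr -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Usage: sh vpn_rules.sh /etc/openvpn/server.conf eth0
if [ $# -ge 1 ]; then vpn_firewall_rules "$1" "$2"; fi
```

To apply the printed rules, review them and pipe the output to sh; save them afterwards with service iptables save so they survive a reboot.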
