Introduction
OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single TCP/UDP port. OpenVPN is developed by James Yonan of OpenVPN Technologies.
In this brief guide, let us set up an OpenVPN server on CentOS 6.5 and connect to it from a remote client. For the purpose of this tutorial, I use two systems running CentOS 6.5: one acts as the VPN server and the other as the VPN client.
Part One – VPN Server Side Configuration
Here, I use CentOS 6.5 as the VPN server, and its actual IP address is 192.168.1.2/24.
Prerequisites
OpenVPN and its dependencies are not available in the default CentOS repositories, so we must install the “EPEL” repository in order to install OpenVPN and its dependencies.
To enable the EPEL repository on CentOS, refer to the following link.
Also, update the system using the following command:
yum update
Install OpenVPN Software
Install the OpenVPN software using the following command:
yum install openvpn easy-rsa
The easy-rsa scripts are located by default in the /usr/share/easy-rsa/ directory. Create the directory /etc/openvpn/easy-rsa/keys and copy the scripts into /etc/openvpn/easy-rsa/ as shown below:
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Go to the openvpn/easy-rsa directory:
cd /etc/openvpn/easy-rsa/
Enter the following commands one by one to initialize the certificate authority (source ./vars first, so that clean-all and the build scripts know where the keys directory is):
cp openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all
Then, run the following command to generate the CA certificate and CA key:
./build-ca
Sample output:
Generating a 2048 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [Unixmen CA]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter
We have now generated the CA certificate and CA key. Next, create the server certificate and key using the following command:
./build-key-server server
Sample output:
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'TN'
localityName :PRINTABLE:'Erode'
organizationName :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
Create the certificate and key for a VPN client using the following command:
./build-key client
If you want separate certificate and key files for each client, run this command once per client, replacing the client parameter with a unique identifier for that client.
Sample output:
Generating a 2048 bit RSA private key
.......+++
..................................................................................................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'TN'
localityName :PRINTABLE:'Erode'
organizationName :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName :PRINTABLE:'client'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:23:44 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
Generate Diffie-Hellman Parameters
Enter the following command to generate the DH parameters:
./build-dh
Sample output:
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
The necessary keys and certificates are generated in the /etc/openvpn/easy-rsa/keys/ directory. Copy the following certificate and key files to the /etc/openvpn/ directory:
- ca.crt
- dh2048.pem
- server.crt
- server.key
Go to the /etc/openvpn/easy-rsa/keys/ directory and enter the following command to copy the above files to the /etc/openvpn/ directory:
cd /etc/openvpn/easy-rsa/keys/
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
Then, you must copy each client's certificate and key to that remote VPN client so it can authenticate to the VPN server. In our case, we have generated a certificate and key for only one client, so we have to copy the following files to the VPN client:
- ca.crt
- client.crt
- client.key
As I mentioned before, I have another system running CentOS 6.5 that acts as my VPN client. Make sure you have installed the openvpn package on your client systems. Then, copy the above files to your VPN client system using the following command:
scp ca.crt client.crt client.key root@192.168.1.101:/etc/openvpn
Copy the keys with caution. Anyone who obtains a client's key can authenticate to the VPN and gain full access to your virtual private network.
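The following checks, added here and not part of the original guide, verify the easy-rsa output before it is copied anywhere: that a certificate chains to ca.crt, that server.crt carries the server extensions build-key-server adds (which is what a client's remote-cert-tls server directive checks, so a plain build-key client certificate fails the test), and that a private key is not group- or world-readable. It needs the openssl CLI; make_sample_pki only builds a throwaway CA for demonstration, and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check easy-rsa output
# before copying it to /etc/openvpn or to a client. Requires the openssl CLI.

# check_server_cert CA_CRT CERT: CERT must chain to CA_CRT and carry the
# server extensions build-key-server adds (EKU serverAuth, KU digitalSignature
# and keyEncipherment). A client's "remote-cert-tls server" directive checks
# exactly these, so a cert made with plain build-key must be rejected here.
check_server_cert() {
    ca=$1; crt=$2
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    txt=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' || return 1
    printf '%s\n' "$txt" | grep -q 'Digital Signature, Key Encipherment'
}

# check_key_private KEY_FILE: group and others must have no permission bits.
check_key_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# make_sample_pki DIR: constructed test data only. Builds a throwaway CA, a
# server cert with the server extensions and a client cert without them,
# mimicking build-key-server versus build-key. Never run this on the real
# /etc/openvpn/easy-rsa/keys directory.
make_sample_pki() {
    d=$1; mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=sample-ca \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$d/server.ext"
    for n in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
        ext=""
        if [ "$n" = server ]; then ext="-extfile $d/server.ext"; fi
        # $ext is deliberately unquoted: it expands to two words or to none
        openssl x509 -req -days 2 -in "$d/$n.csr" -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -CAcreateserial $ext -out "$d/$n.crt" \
            2>/dev/null || return 1
        chmod 600 "$d/$n.key" || return 1
    done
}
```

Run it as check_server_cert ca.crt server.crt; check_key_private server.key from inside the keys directory; a non-zero exit means the file should not be deployed.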
Remove Client Access to the VPN Server
If you want to remove a user's access to the VPN server, revoke that user's certificate with the following commands:
cd /etc/openvpn/easy-rsa/
source ./vars
./revoke-full client
# revoke-full writes the updated CRL to keys/crl.pem; OpenVPN only rejects the
# revoked certificate once server.conf loads that file with "crl-verify crl.pem"
The above commands revoke the certificate, so the client holding it can no longer authenticate to the VPN server.
Configuring VPN Server
Now, we have to configure our VPN server. Copy the sample server.conf file to the /etc/openvpn/ directory:
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
Edit the server.conf file:
vi /etc/openvpn/server.conf
Find and uncomment the following lines so that the client systems' traffic is routed through the OpenVPN server:
[...]
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem
[...]
push "redirect-gateway def1 bypass-dhcp"
[...]
Also, uncomment the DNS lines and change the DNS servers to reflect your own values. Here I am using the Google public DNS servers:
[...]
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
[...]
Uncomment the following lines:
[...]
user nobody
group nobody
[...]
Save and close the file.
Then we need to copy and edit the client.conf file, which will be transferred to the VPN clients. First, copy the file to any location (e.g. the /home directory):
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf /home/
Edit the client.conf file:
vi /home/client.conf
Set the VPN server host name/IP address:
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.1.2 1194
Here 192.168.1.2 is my VPN server's IP address. Next, copy the client.conf file to your client system:
scp /home/client.conf root@192.168.1.101:/etc/openvpn
IP forwarding and routing Configuration
Edit the sysctl.conf file:
vi /etc/sysctl.conf
Find the following line and set its value to 1 to enable IP forwarding:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Run the following command to apply the sysctl changes.
sysctl -p
Adjust iptables so that traffic from the VPN subnet (10.8.0.0/24 by default) is masqueraded out of the server's eth0 interface. Enter the following command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Save the iptables changes using command:
service iptables save
service iptables restart
Finally, start the openvpn service and make it start automatically on every reboot using the following commands:
service openvpn start
chkconfig openvpn on
OpenVPN listens on UDP port 1194.
You should now have a working OpenVPN server. Before moving on to the client side configuration, verify that the VPN interface (tun0) has been created using the ifconfig command:
ifconfig
Sample output:
eth0 Link encap:Ethernet HWaddr 08:00:27:46:36:62
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe46:3662/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:604 errors:0 dropped:0 overruns:0 frame:0
TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44166 (43.1 KiB) TX bytes:14434 (14.0 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Part Two – VPN Client side configuration
Here, I use CentOS 6.5 as my VPN client system, and its actual IP address is 192.168.1.101/24.
Install OpenVPN
Enter the following command in the terminal to install the openvpn package:
yum install openvpn
After installing openvpn, start the service and make it start automatically on every reboot (the init script starts every .conf file in /etc/openvpn, so the client.conf copied earlier is picked up):
service openvpn start
chkconfig openvpn on
Now, check whether the VPN interface (tun0) has been created:
ifconfig
Sample output:
eth0 Link encap:Ethernet HWaddr 08:00:27:BE:25:49
inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:febe:2549/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:537 errors:0 dropped:0 overruns:0 frame:0
TX packets:387 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52177 (50.9 KiB) TX bytes:50170 (48.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
As you can see in the above output, the VPN server has automatically assigned the IP address 10.8.0.6 to my VPN client.
Check whether you can ping your VPN server from the client system:
ping 10.8.0.1
10.8.0.1 is my VPN server tun0 address.
Sample output:
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=9.61 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=7.17 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=4.87 ms
That’s it. Now the VPN server and client are ready. Connect to your VPN server securely. Happy VPNing!
Make a VPN profile for the client
Instead of shipping four separate files, you can create a single .ovpn file with the content below (the certificate and key contents are embedded inline):
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
Contents of ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Contents of client.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Contents of client.key (a private key, so keep its own BEGIN/END PRIVATE KEY lines)
-----END PRIVATE KEY-----
</key>
Route all traffic via the OpenVPN gateway
In the VPN configuration file (the .ovpn file), add the following directive:
redirect-gateway def1
"redirect-gateway def1" changes the client's routing table so that all traffic is directed through the VPN server. Without it, only traffic destined for the VPN subnet 10.8.0.0/24 is sent through the tunnel. Most guides on the web recommend adding push "redirect-gateway def1" to the server config, but this does not work in some cases, so it is better to add this directive directly to the client config.
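As an added example (not from the original post), this shell function builds the inline profile above from ca.crt, client.crt and client.key: it embeds the key with its own BEGIN/END PRIVATE KEY lines, adds the redirect-gateway def1 directive just discussed, and adds remote-cert-tls server so the client only accepts a server certificate made with build-key-server rather than any certificate signed by the CA. The server address, file paths and profile name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: generate an inline .ovpn
# profile for one client. Usage: make_ovpn SERVER_IP CA_CRT CLIENT_CRT CLIENT_KEY
# (writes the profile to stdout, e.g. make_ovpn 192.168.1.2 ca.crt client.crt
# client.key > client.ovpn). All paths and addresses are assumptions.
make_ovpn() {
    ip=$1; ca=$2; crt=$3; key=$4
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    # client.key holds PEM private-key data, not a certificate: it must keep
    # its own BEGIN/END PRIVATE KEY lines, so refuse anything that is not a key.
    grep -q 'PRIVATE KEY-----' "$key" || {
        echo "make_ovpn: $key is not a PEM private key" >&2; return 1; }
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$ip"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
    # remote-cert-tls server: accept only a server cert carrying the server
    # extensions that build-key-server adds, not any CA-signed client cert.
    # redirect-gateway def1: send all client traffic through the tunnel.
    # comp-lzo matches the setting enabled in the sample server.conf.
    printf 'remote-cert-tls server\nredirect-gateway def1\ncomp-lzo\nverb 3\n'
    # Embed each PEM file unchanged between its OpenVPN inline tags.
    for pair in "ca:$ca" "cert:$crt" "key:$key"; do
        tag=${pair%%:*}; file=${pair#*:}
        printf '<%s>\n' "$tag"
        cat "$file"
        printf '</%s>\n' "$tag"
    done
}
```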