Some parts of this tutorial are not working anymore. New version available here
The default CentOS repository doesn't have an openvpn package, so let's add the EPEL repository first.
I downloaded it from this mirror here.
Downloading the repo:
# wget http://mirror.duomenucentras.lt/epel/6/x86_64/epel-release-6-7.noarch.rpm
and installing the repo:
# yum localinstall epel-release-6-7.noarch.rpm
After that, you can install the openvpn package:
# yum install openvpn.x86_64
cd to the easy-rsa subdirectory of the openvpn directory. In my case it was /usr/share/openvpn/easy-rsa. Copy that directory to /etc/openvpn, so that our files won't be overwritten on updates:
cd /usr/share/openvpn/easy-rsa
cp -r 2.0 /etc/openvpn/open-rsa
cd /etc/openvpn/open-rsa
Edit the vars file to reflect your needs:
vim vars
I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are set twice. Leave the ones set to "dummy" and comment out the rest:
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234
I also changed the default key export directory, to make the keys easier to maintain in the future. Create the directory /etc/openvpn/keys and set in the vars file:
export KEY_DIR="/etc/openvpn/keys"
Make a symbolic link to the openssl config:
ln -s openssl-1.0.0.cnf openssl.cnf
Initialize the public-key infrastructure:
source ./vars   # must be sourced, not executed, so KEY_DIR and the other settings reach the scripts below
./clean-all     # empties KEY_DIR; run it only once, before the first build-ca
./build-ca
Output:
# ./build-ca
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:
Organizational Unit Name (eg, section) [loginroot]:n/a
Common Name (eg, your name or your server's hostname) [loginroot]:nl.loginroot.com
Name [loginroot]:nsc
Email Address [emailforspambots@loginroot.com]:
Let's generate the server certificate:
./build-key-server server
Output:
./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com
Name [nsc]:
Email Address [nsc@loginroot.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'n/a'
localityName :PRINTABLE:'loginroot.com'
organizationName :PRINTABLE:'none'
organizationalUnitName:PRINTABLE:'none'
commonName :PRINTABLE:'nl.loginroot.com'
name :PRINTABLE:'nsc'
emailAddress :IA5STRING:'mailforspambots@loginroot.com'
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
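Before pointing OpenVPN at the files easy-rsa just wrote, it is worth checking them. The script below is an added example, not part of the original post and not part of easy-rsa; it assumes the easy-rsa 2.0 file names used above (ca.crt, server.crt and server.key inside KEY_DIR) and that the openssl binary is on PATH. It flags RSA keys smaller than a chosen minimum (the output above shows 1024-bit keys, which is what KEY_SIZE in vars defaults to), confirms that server.crt verifies against ca.crt, that server.key belongs to server.crt, and that the certificate is not about to expire.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa: sanity-check
# the CA and server certificate that easy-rsa wrote into KEY_DIR.
# Assumes the easy-rsa 2.0 file names used in the tutorial (ca.crt,
# server.crt, server.key) and that the openssl binary is on PATH.

# RSA modulus size, in bits, of the public key in a certificate.
cert_key_bits() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True if the certificate in $2 verifies against the CA certificate in $1.
# The output is grepped because old openssl versions exit 0 even on failure.
cert_signed_by() {  # $1 = ca.crt, $2 = server.crt
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if the private key in $1 belongs to the certificate in $2
# (both carry the same RSA modulus).
key_matches_cert() {  # $1 = server.key, $2 = server.crt
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {  # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check against a key directory; print each finding and
# return 0 only if all of them pass.
verify_pki() {  # $1 = KEY_DIR, $2 = minimum RSA size in bits (default 2048)
    dir=$1; min=${2:-2048}; rc=0
    bits=$(cert_key_bits "$dir/server.crt")
    if [ -z "$bits" ] || [ "$bits" -lt "$min" ]; then
        echo "server.crt: RSA key is ${bits:-unknown} bits, want at least $min (KEY_SIZE in vars)"
        rc=1
    fi
    cert_signed_by "$dir/ca.crt" "$dir/server.crt" ||
        { echo "server.crt: does not verify against ca.crt"; rc=1; }
    key_matches_cert "$dir/server.key" "$dir/server.crt" ||
        { echo "server.key: does not match server.crt"; rc=1; }
    cert_valid_for_days "$dir/server.crt" 30 ||
        { echo "server.crt: expires within 30 days"; rc=1; }
    return $rc
}

# Usage: sh verify_pki.sh /etc/openvpn/keys [min_bits]
if [ $# -gt 0 ]; then
    verify_pki "$@"
fi
```

Run it as `sh verify_pki.sh /etc/openvpn/keys` after build-key-server; a non-zero exit means at least one finding was printed. The key-size check reads the certificate rather than the key file, so it also works on a CA certificate handed to you by someone else.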
My OpenVPN config file, /etc/server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client # so clients can see the other connected clients
;duplicate-cn # if several devices use the same common name on their certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
mute 20
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
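The config above references four files and drops privileges to nobody; the script below checks those properties before the restart. It is an added example, not part of the original post and not part of OpenVPN's own tooling. It reads the ca, cert, key and dh directives from the given config, checks that each file exists, that the key file is readable by its owner only (the config's own comment says it should be kept secret), that user and group are set so the daemon does not keep running as root, and that duplicate-cn is still commented out. Note that dh1024.pem is not produced by any step above: the ./build-dh script in the same easy-rsa 2.0 directory writes dh${KEY_SIZE}.pem into KEY_DIR, and this check tells you if the file is still missing.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN: check the
# file references and privilege settings in an OpenVPN server config.
# Assumes OpenVPN's comment rules ('#' or ';' starts a comment) and the
# absolute paths used in the tutorial's config.

# Print the first argument of a directive. A commented-out line such as
# ";duplicate-cn" has ";duplicate-cn" as its first word, so comparing
# the whole word skips comments automatically.
conf_get() {  # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# True if the directive appears, uncommented, anywhere in the config.
conf_has() {  # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# True if group and other have no permission bits at all on the file.
owner_only() {  # $1 = file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; print each finding and return 0 only if none were found.
check_server_conf() {  # $1 = path to server.conf
    conf=$1; rc=0
    for d in ca cert key dh; do
        f=$(conf_get "$conf" "$d")
        if [ -z "$f" ]; then
            echo "$d: directive missing"; rc=1
        elif [ ! -f "$f" ]; then
            echo "$d: $f not found"; rc=1
            if [ "$d" = dh ]; then
                echo "    (./build-dh in the easy-rsa directory writes dh\${KEY_SIZE}.pem into KEY_DIR)"
            fi
        fi
    done
    k=$(conf_get "$conf" key)
    if [ -n "$k" ] && [ -f "$k" ] && ! owner_only "$k"; then
        echo "key: $k is readable by group or other; chmod 600 it"; rc=1
    fi
    for d in user group; do
        if ! conf_has "$conf" "$d"; then
            echo "$d: missing, the daemon would keep running as root"; rc=1
        fi
    done
    if conf_has "$conf" duplicate-cn; then
        echo "duplicate-cn: enabled, one leaked client certificate then allows any number of simultaneous sessions"; rc=1
    fi
    return $rc
}

# Usage: sh check_server_conf.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    check_server_conf "$1"
fi
```

The permission test deliberately looks at the file's mode rather than at who owns it: OpenVPN reads the key as root before switching to nobody, so the key needs no group or world bits at all.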
Restart the openvpn service and you're ready to go!