how to: create openvpn centos 6.3 x64 with certificates

Some parts of this tutorial are not working anymore. New version available here

The default CentOS repository doesn't have an openvpn package, so let's add the EPEL repository first.
I downloaded it from this mirror here.

Downloading the repo:

# wget http://mirror.duomenucentras.lt/epel/6/x86_64/epel-release-6-7.noarch.rpm

and installing it:

# yum localinstall epel-release-6-7.noarch.rpm

After that, you can install the openvpn package:

# yum install openvpn.x86_64


cd to the easy-rsa subdirectory of the openvpn directory. In my case it was /usr/share/openvpn/easy-rsa.
Copy that directory to /etc/openvpn so that our files won't be overwritten on updates.

cd /usr/share/openvpn/easy-rsa
cp -r 2.0 /etc/openvpn/open-rsa
cd /etc/openvpn/open-rsa

Edit the vars file to reflect your needs:

vim vars

I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are exported twice. Leave the ones set to “dummy”
and comment out the rest:

#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234

I also changed the default key export directory, to make the keys easier to maintain in the future.
Create the directory /etc/openvpn/keys and set in the vars file:

export KEY_DIR="/etc/openvpn/keys"

Make a symbolic link to the openssl config:

ln -s openssl-1.0.0.cnf openssl.cnf

Initialize the public-key infrastructure:

. ./vars      # source it (not ./vars): the variables must land in the current shell
./clean-all   # wipes KEY_DIR (/etc/openvpn/keys) and creates an empty index and serial
./build-ca

output:

# ./build-ca 
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:
Organizational Unit Name (eg, section) [loginroot]:n/a
Common Name (eg, your name or your server's hostname) [loginroot]:nl.loginroot.com
Name [loginroot]:nsc
Email Address [emailforspambots@loginroot.com]:

Let's generate the server certificate:

./build-key-server server

output:

 ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com
Name [nsc]:
Email Address [nsc@loginroot.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :PRINTABLE:'n/a'
localityName          :PRINTABLE:'loginroot.com'
organizationName      :PRINTABLE:'none'
organizationalUnitName:PRINTABLE:'none'
commonName            :PRINTABLE:'nl.loginroot.com'
name                  :PRINTABLE:'nsc'
emailAddress          :IA5STRING:'mailforspambots@loginroot.com'
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

My openvpn config file /etc/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client #to be able to see other connected clients
;duplicate-cn #if few devices uses same common name on certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
mute 20

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
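Before restarting the service it is worth checking that the files the config points at actually exist and were produced as intended. The script below is an added example, not part of the original post; it reads the ca, cert, key and dh directives from the server config above (path defaulting to the post's /etc/server.conf) and assumes openssl is installed.

```sh
#!/bin/sh
# Added example, not from the original post: verify the ca/cert/key/dh files a
# server.conf points at before restarting openvpn. Assumes openssl is installed.
CONF="${1:-/etc/server.conf}"   # default is the config path used in the post
# Print the value of directive $2 (first match) in config $1, without
# trailing "# ..." / "; ..." comments and whitespace.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^#;]*\).*$/\1/p" "$1" 2>/dev/null |
        head -n 1 | sed 's/[[:space:]]*$//'
}
# Return 0 if the permission bits of file $1 are exactly the octal mode $2.
has_mode() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}
# Print the modulus size in bits of the RSA private key in $1.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}
# Return 0 if certificate $1 verifies against the CA certificate $2.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# Return 0 if $1 has the nsCertType=server bit that build-key-server sets
# (what clients check with "ns-cert-type server").
is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'SSL Server'
}
# Run every check on config $1; print each problem and return their count.
check_conf() {
    fails=0
    ca=$(conf_value "$1" ca); cert=$(conf_value "$1" cert)
    key=$(conf_value "$1" key); dh=$(conf_value "$1" dh)
    for f in "$ca" "$cert" "$key" "$dh"; do
        [ -r "$f" ] || { echo "missing: $f"; fails=$((fails + 1)); }
    done
    # note: the post never generates the dh file; easy-rsa's ./build-dh creates it
    if [ -r "$key" ]; then
        has_mode "$key" 600 || { echo "key not mode 0600: $key"; fails=$((fails + 1)); }
        bits=$(key_bits "$key")
        [ "${bits:-0}" -ge 2048 ] || { echo "weak RSA key: ${bits:-?} bits"; fails=$((fails + 1)); }
    fi
    if [ -r "$cert" ] && [ -r "$ca" ]; then
        cert_signed_by_ca "$cert" "$ca" || { echo "cert not signed by ca"; fails=$((fails + 1)); }
        is_server_cert "$cert" || { echo "cert lacks nsCertType=server"; fails=$((fails + 1)); }
    fi
    return "$fails"
}
check_conf "$CONF" && echo "ok: $CONF"
```

The script exits non-zero with one line per problem, so it can sit in front of the service restart; the 2048-bit threshold is a present-day minimum, so the 1024-bit keys generated above will be flagged.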

Restart the openvpn service and you're ready to go!
