login: root

root@gibson:~# ▌

Openvpn centos 6.4 x64 with certificates

by

nsc
in

Renewed POST with new info, as openvpn package changed, not everything in old tutorial is true now :)
This tutorial is based by old one


Default centos repositoryt doesn’t have openvpn package, so lets add epel repository first.
I downloaded it from this mirror here.

yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

(link may be different depending on latest release version, currently file is epel-release-6-8.noarch.rpm)

After that, You can install openvpn and easy-rsa packages:

yum install openvpn.x86_64 easy-rsa.noarch


create directory for OpenVPN keys:

mkdir /etc/openvpn/keys


cd to easy-rsa subdirectory:

cd /usr/share/easy-rsa/2.0


edit vars file, to reflect Your needs

vim vars



I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are mentioned 2 times. Leave those with “dummy”.
So comment out those other ones:

#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234


Also You want to change default KEYS export directory:

export KEY_DIR="/etc/openvpn/keys"


This info should be clear by default, anyway, You’ll be asked about all of them later.
These will be “default” values when generating certificates.

export KEY_COUNTRY="NL"                # Your coutry
export KEY_PROVINCE="n/a"              # state
export KEY_CITY="loginroot.com city"   # city name
export KEY_ORG="loginroot.com"         # organization name
export KEY_EMAIL="emailforspambots@loginroot.com"  # mail
#export KEY_EMAIL=mail@host.domain     # seems like duplicate one - comment out 
export KEY_CN=loginroot.com            # Canonical Name ( i.e. my.hostname.tld )
export KEY_NAME=loginroot.com          # Key name ( i.e. my.hostname.tld )
export KEY_OU=private                  # Organization Unit - ( i.e. private)


make symbolic link of openssl config

ln -s openssl-1.0.0.cnf openssl.cnf


Initialize the public-key infastructure:

source vars
./clean-all


Creating Certificate Authority:

./build-ca

output:

# ./build-ca 
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com city]:
Organization Name (eg, company) [loginroot.com]:
Organizational Unit Name (eg, section) [private]:
Common Name (eg, your name or your server's hostname) [nl.loginroot.com]:
Name [loginroot.com]:
Email Address [emailforspambots@loginroot.com]:


Server certificate:

./build-key-server server

output:

# ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com
Name [nsc]:
Email Address [hidden-mail-address@loginroot.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :PRINTABLE:'n/a'
localityName          :PRINTABLE:'loginroot.com'
organizationName      :PRINTABLE:'none'
organizationalUnitName:PRINTABLE:'none'
commonName            :PRINTABLE:'nl.loginroot.com'
name                  :PRINTABLE:'nsc'
emailAddress          :IA5STRING:'mailforspambots@loginroot.com'
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Also You have to create own certificates for each OpenVPN client:

cd /usr/share/easy-rsa/2.0
./build-key myLaptop

The same principle as with generating certificate for server.
All generated certificates are located in /etc/openvpn/keys directory(we noted that in “vars” file)

Add file containing Diffie Hellman parameters

openssl dhparam -out /etc/openvpn/keys/dh1024.pem 1024


My exemplary /etc/openvpn/openvpn.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client #to be able to see other connected clients
;duplicate-cn #if few devices uses same common name on certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
mute 20

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3


add rule to forward and save it:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save


also enable forwarding in kernel (edit /etc/sysctl.conf):

net.ipv4.ip_forward = 1


and apply kernel settings:

sysctl -p


start openvpn service and You’re ready to go!

service openvpn start


p.s. don’t forget to unblock firewall if You are using it, port as in config is 1194

Comments

4 responses to “Openvpn centos 6.4 x64 with certificates”

  1. norbuurgen@hotmail.com Avatar
    norbuurgen@hotmail.com

    did this work for you?

    Reply
    1. nsc Avatar
      nsc

      is this rhetorical question?
      Yes it did, 2days ago.

      What error did You get?

      Reply
  2. Cristian Silaghi Avatar
    Cristian Silaghi

    Can anybody help me? I have CentOS 6.5 x64 and I only get errors and I cannot make it work. ;)

    nsc, can you leave your email or can I contact you? :) I want to talk in private. :D

    Reply
    1. nsc Avatar
      nsc

      nsc loginroot com, You know the missing symbols :)

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.