how to: create openvpn centos 6.3 x64 with certificates

Posted on Oct 3, 2012

Note: Some parts of this tutorial are not working anymore. New version available here.

The default CentOS repository doesn't have an openvpn package, so let's add the EPEL repository first.

I downloaded it from this mirror here. Downloading the repo:

# wget http://mirror.duomenucentras.lt/epel/6/x86_64/epel-release-6-7.noarch.rp

and installing the repo:

# yum localinstall epel-release-6-7.noarch.rp

After that, you can install the openvpn package:

# yum install openvpn.x86_6

cd to the easy-rsa subdirectory in the openvpn directory.

In my case it was /usr/share/openvpn/easy-rsa. Copy that directory to /etc/openvpn so that our files won't be overwritten on updates.

cd /usr/share/openvpn/easy-rsa
cp -r 2.0 /etc/openvpn/open-rsa
cd /etc/openvpn/open-rsa

Edit the vars file to reflect your needs:

vim vars

I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are mentioned twice. Keep the ones set to 'dummy' and comment out the others:

#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234

I also changed the default key export directory, to make the keys easier to maintain in the future. Create the directory /etc/openvpn/keys and set in the vars file:

export KEY_DIR="/etc/openvpn/keys"

Make a symbolic link to the OpenSSL config:

ln -s openssl-1.0.0.cnf openssl.cnf

Initialize the public-key infrastructure. Note that vars must be sourced rather than executed, otherwise its KEY_* variables never reach the shell that runs the build scripts:

. ./vars
./clean-all
./build-ca

output:

# ./build-ca 
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:
Organizational Unit Name (eg, section) [loginroot]:n/a
Common Name (eg, your name or your server's hostname) [loginroot]:nl.loginroot.com
Name [loginroot]:nsc
Email Address [emailforspambots@loginroot.com]:

Let's generate the server certificate:

./build-key-server server

output:

./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com
Name [nsc]:
Email Address [nsc@loginroot.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :PRINTABLE:'n/a'
localityName          :PRINTABLE:'loginroot.com'
organizationName      :PRINTABLE:'none'
organizationalUnitName:PRINTABLE:'none'
commonName            :PRINTABLE:'nl.loginroot.com'
name                  :PRINTABLE:'nsc'
emailAddress          :IA5STRING:'mailforspambots@loginroot.com'
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

My openvpn config file /etc/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client #to be able to see other connected clients
;duplicate-cn #if few devices uses same common name on certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
mute 20

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
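As an added example (not code from the post), a small Python linter for a server.conf like the one above: it parses OpenVPN's comment syntax, so the commented-out duplicate-cn line is correctly ignored, and flags the points a reviewer would raise about this config: the 1024-bit DH parameters, client-to-client, a key file readable by others, and a daemon that keeps root. The sample config and its key paths are constructed for the example.

```python
import re
import stat

# Constructed sample, condensed from the post's config; the key paths are assumptions.
SAMPLE_CONF = """\
port 1194
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client #to be able to see other connected clients
;duplicate-cn #if few devices uses same common name on certificates
user nobody
group nobody
"""


def parse_conf(text):
    """Map directive -> argument list. As in OpenVPN, '#' or ';' opens a comment at
    line start or after whitespace, so the ';duplicate-cn' line is not a directive."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def lint(text, key_mode=None):
    """Return a list of findings. key_mode is the st_mode of the server key file,
    passed in by the caller so the check also runs where the real key is absent."""
    conf = parse_conf(text)
    findings = []
    for req in ("ca", "cert", "key", "dh"):
        if req not in conf:
            findings.append(f"missing directive: {req}")
    if key_mode is not None and key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("server key is readable by group/other; chmod 600 it")
    if conf.get("user", ["root"])[0] == "root" or conf.get("group", ["root"])[0] == "root":
        findings.append("daemon keeps root privileges; set user/group to an unprivileged account")
    # easy-rsa 2.0 names the file after KEY_SIZE, so dh1024.pem means 1024-bit parameters
    if "dh" in conf and re.search(r"dh(512|1024)\.pem$", conf["dh"][0]):
        findings.append("1024-bit DH parameters are below current recommendations; generate 2048-bit")
    if "duplicate-cn" in conf:
        findings.append("duplicate-cn lets several devices share one certificate; one revocation hits all")
    if "client-to-client" in conf:
        findings.append("client-to-client lets VPN clients reach each other, not only the server")
    return findings
```

On the real host pass os.stat('/etc/openvpn/keys/server.key').st_mode as key_mode. The dh directive expects Diffie-Hellman parameters, which easy-rsa 2.0's ./build-dh writes into KEY_DIR; the post does not show that step.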

Restart the openvpn service and you're ready to go!