Renewed POST with new info, as openvpn package changed, not everything in old tutorial is true now :)
This tutorial is based by old one
Default centos repositoryt doesn’t have openvpn package, so lets add epel repository first.
I downloaded it from this mirror here.
yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
(link may be different depending on latest release version, currently file is epel-release-6-8.noarch.rpm)
After that, You can install openvpn and easy-rsa packages:
yum install openvpn.x86_64 easy-rsa.noarch
create directory for OpenVPN keys:
cd to easy-rsa subdirectory:
edit vars file, to reflect Your needs
I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are mentioned 2 times. Leave those with “dummy”.
So comment out those other ones:
#export PKCS11_MODULE_PATH=changeme #export PKCS11_PIN=1234
Also You want to change default KEYS export directory:
This info should be clear by default, anyway, You’ll be asked about all of them later.
These will be “default” values when generating certificates.
export KEY_COUNTRY="NL" # Your coutry export KEY_PROVINCE="n/a" # state export KEY_CITY="loginroot.com city" # city name export KEY_ORG="loginroot.com" # organization name export KEY_EMAIL="email@example.com" # mail #export KEY_EMAILfirstname.lastname@example.org # seems like duplicate one - comment out export KEY_CN=loginroot.com # Canonical Name ( i.e. my.hostname.tld ) export KEY_NAME=loginroot.com # Key name ( i.e. my.hostname.tld ) export KEY_OU=private # Organization Unit - ( i.e. private)
make symbolic link of openssl config
ln -s openssl-1.0.0.cnf openssl.cnf
Initialize the public-key infastructure:
source vars ./clean-all
Creating Certificate Authority:
# ./build-ca Generating a 1024 bit RSA private key ...++++++ .................++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [NL]: State or Province Name (full name) [n/a]: Locality Name (eg, city) [loginroot.com city]: Organization Name (eg, company) [loginroot.com]: Organizational Unit Name (eg, section) [private]: Common Name (eg, your name or your server's hostname) [nl.loginroot.com]: Name [loginroot.com]: Email Address [email@example.com]:
# ./build-key-server server Generating a 1024 bit RSA private key .........++++++ ............................++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [NL]: string is too short, it needs to be at least 2 bytes long Country Name (2 letter code) [NL]:NL State or Province Name (full name) [n/a]: Locality Name (eg, city) [loginroot.com]: Organization Name (eg, company) [loginroot.com]:none Organizational Unit Name (eg, section) [loginroot]:none Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com Name [nsc]: Email Address [firstname.lastname@example.org]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : Using configuration from /etc/openvpn/open-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'NL' stateOrProvinceName :PRINTABLE:'n/a' localityName :PRINTABLE:'loginroot.com' organizationName :PRINTABLE:'none' organizationalUnitName:PRINTABLE:'none' commonName :PRINTABLE:'nl.loginroot.com' name :PRINTABLE:'nsc' emailAddress :IA5STRING:'email@example.com' Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Also You have to create own certificates for each OpenVPN client:
cd /usr/share/easy-rsa/2.0 ./build-key myLaptop
The same principle as with generating certificate for server.
All generated certificates are located in /etc/openvpn/keys directory(we noted that in “vars” file)
Add file containing Diffie Hellman parameters
openssl dhparam -out /etc/openvpn/keys/dh1024.pem 1024
My exemplary /etc/openvpn/openvpn.conf
port 1194 proto udp dev tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key # This file should be kept secret dh /etc/openvpn/keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "dhcp-option DNS 184.108.40.206" push "dhcp-option DNS 220.127.116.11" client-to-client #to be able to see other connected clients ;duplicate-cn #if few devices uses same common name on certificates keepalive 10 120 max-clients 5 user nobody group nobody persist-key persist-tun status /var/log/openvpn-status.log log-append /var/log/openvpn.log mute 20 # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3
add rule to forward and save it:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE service iptables save
also enable forwarding in kernel (edit /etc/sysctl.conf):
net.ipv4.ip_forward = 1
and apply kernel settings:
start openvpn service and You’re ready to go!
service openvpn start
p.s. don’t forget to unblock firewall if You are using it, port as in config is 1194