Renewed post with new info: the openvpn package has changed, so not everything in the old tutorial is true any more :)
This tutorial is based on the old one.
The default CentOS repository doesn't have an openvpn package, so let's add the EPEL repository first.
I downloaded it from this mirror here.
yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
(link may be different depending on latest release version, currently file is epel-release-6-8.noarch.rpm)
After that, you can install the openvpn and easy-rsa packages:
yum install openvpn.x86_64 easy-rsa.noarch
Create a directory for the OpenVPN keys:
mkdir /etc/openvpn/keys
cd to the easy-rsa subdirectory:
cd /usr/share/easy-rsa/2.0
Edit the vars file to reflect your needs:
vim vars
I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are mentioned twice. Leave the ones set to "dummy" and comment out the other two:
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234
You also want to change the default key export directory:
export KEY_DIR="/etc/openvpn/keys"
These values should be self-explanatory; in any case you'll be asked about all of them later.
They are the "default" values offered when generating certificates.
export KEY_COUNTRY="NL" # Your country
export KEY_PROVINCE="n/a" # state
export KEY_CITY="loginroot.com city" # city name
export KEY_ORG="loginroot.com" # organization name
export KEY_EMAIL="emailforspambots@loginroot.com" # mail
#export KEY_EMAIL=mail@host.domain # seems like a duplicate - comment out
export KEY_CN=loginroot.com # Common Name ( i.e. my.hostname.tld )
export KEY_NAME=loginroot.com # Key name ( i.e. my.hostname.tld )
export KEY_OU=private # Organization Unit - ( i.e. private)
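The vars edits above can also be applied with sed rather than by hand. The script below is an added example and not part of the original post; it assumes the stock easy-rsa 2.0 variable names shown above (the sample vars file it creates is a constructed stand-in with only the relevant lines) and fills in the post's own DN values. It also raises KEY_SIZE to 2048: the build-ca output further down shows 1024-bit keys, which is below what is considered acceptable today.

```shell
# Added example, not part of the original post: apply the "vars" edits from
# the tutorial with sed. Assumes the stock easy-rsa 2.0 variable names.
patch_vars() {
    vars="$1"
    tmp="$vars.tmp"
    sed \
        -e 's|^export PKCS11_MODULE_PATH=changeme|#&|' \
        -e 's|^export PKCS11_PIN=1234|#&|' \
        -e 's|^export KEY_EMAIL=mail@host.domain|#&|' \
        -e 's|^export KEY_DIR=.*|export KEY_DIR="/etc/openvpn/keys"|' \
        -e 's|^export KEY_SIZE=.*|export KEY_SIZE=2048|' \
        -e 's|^export KEY_COUNTRY=.*|export KEY_COUNTRY="NL"|' \
        -e 's|^export KEY_PROVINCE=.*|export KEY_PROVINCE="n/a"|' \
        -e 's|^export KEY_CITY=.*|export KEY_CITY="loginroot.com city"|' \
        -e 's|^export KEY_ORG=.*|export KEY_ORG="loginroot.com"|' \
        -e 's|^export KEY_EMAIL=.*|export KEY_EMAIL="emailforspambots@loginroot.com"|' \
        "$vars" > "$tmp" && mv "$tmp" "$vars"
}

# Sanity check after editing: each variable that matters is exported exactly
# once, KEY_DIR points at the keys directory, and KEY_SIZE is at least 2048.
vars_is_sane() {
    vars="$1"
    for name in PKCS11_MODULE_PATH PKCS11_PIN KEY_EMAIL KEY_DIR KEY_SIZE; do
        count=$(grep -c "^export $name=" "$vars")
        [ "$count" -eq 1 ] || { echo "$name is exported $count times" >&2; return 1; }
    done
    grep -q '^export KEY_DIR="/etc/openvpn/keys"$' "$vars" || return 1
    size=$(sed -n 's/^export KEY_SIZE=//p' "$vars")
    [ "$size" -ge 2048 ]
}

# Constructed stand-in for the stock vars file (only the lines that matter).
make_sample_vars() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
export EASY_RSA="`pwd`"
export KEY_DIR="$EASY_RSA/keys"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
EOF
    echo "$f"
}

VARS_FILE=$(make_sample_vars)
patch_vars "$VARS_FILE"
vars_is_sane "$VARS_FILE" && echo "vars ok: $VARS_FILE"
```

The sed expressions run in order per line, so the duplicate KEY_EMAIL is commented out before the generic KEY_EMAIL replacement sees it; run patch_vars against the real /usr/share/easy-rsa/2.0/vars and then vars_is_sane before `source vars`.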
Make a symbolic link to the openssl config:
ln -s openssl-1.0.0.cnf openssl.cnf
Initialize the public-key infrastructure:
source vars
./clean-all
Create the Certificate Authority:
./build-ca
output:
# ./build-ca
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com city]:
Organization Name (eg, company) [loginroot.com]:
Organizational Unit Name (eg, section) [private]:
Common Name (eg, your name or your server's hostname) [nl.loginroot.com]:
Name [loginroot.com]:
Email Address [emailforspambots@loginroot.com]:
Server certificate:
./build-key-server server
output:
# ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com
Name [nsc]:
Email Address [hidden-mail-address@loginroot.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'n/a'
localityName :PRINTABLE:'loginroot.com'
organizationName :PRINTABLE:'none'
organizationalUnitName:PRINTABLE:'none'
commonName :PRINTABLE:'nl.loginroot.com'
name :PRINTABLE:'nsc'
emailAddress :IA5STRING:'mailforspambots@loginroot.com'
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
You also have to create a certificate for each OpenVPN client:
cd /usr/share/easy-rsa/2.0
./build-key myLaptop
Same principle as when generating the server certificate.
All generated certificates are located in the /etc/openvpn/keys directory (the KEY_DIR we set in the vars file).
Add a file containing Diffie-Hellman parameters:
openssl dhparam -out /etc/openvpn/keys/dh1024.pem 1024
My example /etc/openvpn/openvpn.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client # so clients can see each other
;duplicate-cn # if several devices use the same common name on their certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
mute 20
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
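Before starting the service it is worth checking that the config really points at the files generated above and that the "should be kept secret" comment on the key line is honoured. The lint below is an added example, not part of the original post: it verifies that the ca/cert/key/dh files exist, that the private key is not readable by group or other, and that the daemon drops root via user/group. The sample setup it builds uses placeholder files in a temporary directory (constructed; no real certificates are generated).

```shell
# Added example, not part of the original post: a small lint for the
# openvpn.conf shown above. Returns 0 when every check passes.
check_openvpn_conf() {
    conf="$1"
    rc=0
    # every referenced PKI file must exist
    for directive in ca cert key dh; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "missing directive: $directive" >&2
            rc=1
        elif [ ! -f "$path" ]; then
            echo "$directive file not found: $path" >&2
            rc=1
        fi
    done
    # columns 5-10 of ls -l are the group and other permission bits
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -f "$key" ] && [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "private key is readable by group/other: $key" >&2
        rc=1
    fi
    # the daemon must switch to an unprivileged user and group after start
    for directive in user group; do
        who=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$who" ] || [ "$who" = root ]; then
            echo "daemon does not drop privileges: $directive is '${who:-unset}'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the post's config with key paths pointed at a temp dir
# holding empty placeholder files instead of /etc/openvpn/keys.
make_sample_setup() {
    dir=$(mktemp -d)
    mkdir -p "$dir/keys"
    for f in ca.crt server.crt server.key dh1024.pem; do
        : > "$dir/keys/$f"
    done
    chmod 600 "$dir/keys/server.key"
    cat > "$dir/openvpn.conf" <<EOF
port 1194
proto udp
dev tun
ca $dir/keys/ca.crt
cert $dir/keys/server.crt
key $dir/keys/server.key # This file should be kept secret
dh $dir/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
    echo "$dir"
}

DIR=$(make_sample_setup)
if check_openvpn_conf "$DIR/openvpn.conf"; then
    echo "config ok: $DIR/openvpn.conf"
fi
```

Run `check_openvpn_conf /etc/openvpn/openvpn.conf` on the real host; a `chmod 600 /etc/openvpn/keys/server.key` fixes the most common complaint.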
Add a NAT rule for forwarding and save it:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
Also enable forwarding in the kernel (edit /etc/sysctl.conf):
net.ipv4.ip_forward = 1
and apply the kernel settings:
sysctl -p
Start the openvpn service and you're ready to go!
service openvpn start
P.S. Don't forget to open the port in the firewall if you are using one; the port in this config is 1194.
did this work for you?
is this rhetorical question?
Yes it did, 2 days ago.
What error did You get?
Can anybody help me? I have CentOS 6.5 x64 and I only get errors and I cannot make it work. ;)
nsc, can you leave your email or can I contact you? :) I want to talk in private. :D
nsc loginroot com, You know the missing symbols :)