Renewed post with new info: the openvpn package changed, so not everything in the old tutorial is true any more :)
This tutorial is based on the old one.
The default CentOS repository doesn't have an openvpn package, so let's add the EPEL repository first.
I downloaded it from this mirror here.
```sh
yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
```
(The link may differ depending on the latest release version; currently the file is epel-release-6-8.noarch.rpm.)
After that, you can install the openvpn and easy-rsa packages:
```sh
yum install openvpn.x86_64 easy-rsa.noarch
```
Create a directory for the OpenVPN keys:
```sh
mkdir /etc/openvpn/keys
```
Change to the easy-rsa subdirectory:
```sh
cd /usr/share/easy-rsa/2.0
```
Edit the vars file to reflect your needs:
```sh
vim vars
```
I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are mentioned twice. Leave the ones set to "dummy" and comment out the other two:
```sh
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234
```
You will also want to change the default key export directory:
```sh
export KEY_DIR="/etc/openvpn/keys"
```
These should be self-explanatory; in any case you'll be asked about all of them later. They are the "default" values offered when generating certificates.
```sh
export KEY_COUNTRY="NL"                            # your country
export KEY_PROVINCE="n/a"                          # state
export KEY_CITY="loginroot.com city"               # city name
export KEY_ORG="loginroot.com"                     # organization name
export KEY_EMAIL="emailforspambots@loginroot.com"  # mail
#export KEY_EMAIL=mail@host.domain                 # seems like a duplicate - comment out
export KEY_CN=loginroot.com                        # Common Name ( i.e. my.hostname.tld )
export KEY_NAME=loginroot.com                      # Key name ( i.e. my.hostname.tld )
export KEY_OU=private                              # Organizational Unit ( i.e. private )
```
Make a symbolic link to the OpenSSL config:
```sh
ln -s openssl-1.0.0.cnf openssl.cnf
```
Initialize the public-key infrastructure:
```sh
source vars
./clean-all
```
Create the Certificate Authority:
```sh
./build-ca
```
Output:
```
# ./build-ca
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com city]:
Organization Name (eg, company) [loginroot.com]:
Organizational Unit Name (eg, section) [private]:
Common Name (eg, your name or your server's hostname) [nl.loginroot.com]:
Name [loginroot.com]:
Email Address [emailforspambots@loginroot.com]:
```
Server certificate:
```sh
./build-key-server server
```
Output:
```
# ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com
Name [nsc]:
Email Address [hidden-mail-address@loginroot.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :PRINTABLE:'n/a'
localityName          :PRINTABLE:'loginroot.com'
organizationName      :PRINTABLE:'none'
organizationalUnitName:PRINTABLE:'none'
commonName            :PRINTABLE:'nl.loginroot.com'
name                  :PRINTABLE:'nsc'
emailAddress          :IA5STRING:'mailforspambots@loginroot.com'
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
You also have to create a certificate for each OpenVPN client:
```sh
cd /usr/share/easy-rsa/2.0
./build-key myLaptop
```
It works on the same principle as generating the server certificate.
All generated certificates are located in the /etc/openvpn/keys directory (we set that in the "vars" file).
Add a file containing Diffie-Hellman parameters:
```sh
openssl dhparam -out /etc/openvpn/keys/dh1024.pem 1024
```
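As an added check on what the steps above should have produced in /etc/openvpn/keys (this is an example script written for this tutorial, not part of easy-rsa or OpenVPN), the following verifies that every private key is mode 600, that server.crt chains to ca.crt, that the server certificate is not about to expire, and reports the size of the DH parameters. The 1024-bit group generated above is below what is recommended today (2048 bits or more is the usual minimum), so that case is flagged. It assumes the file names generated above and that openssl is on the PATH; the key-permission and output-parsing functions need only sh, find and sed.

```shell
#!/bin/sh
# pki_check.sh: sanity checks on the easy-rsa 2.0 output of the steps above.
# Added example for this tutorial; not part of easy-rsa or OpenVPN.
# Assumes the file names produced above: ca.crt, server.crt, server.key, dh1024.pem.

# Private keys must be mode 600; anything else is reported. Needs only find(1).
# Returns 0 when every *.key below $1 is mode 600, 1 otherwise.
check_key_perms() {
    bad=$(find "$1" -type f -name '*.key' ! -perm 600)
    if [ -n "$bad" ]; then
        printf 'FAIL: private key(s) readable by others (not mode 600):\n%s\n' "$bad"
        return 1
    fi
    printf 'OK: all *.key files under %s are mode 600\n' "$1"
}

# The server certificate must verify against the CA the clients will trust.
check_cert_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        printf 'OK: %s verifies against %s\n' "$2" "$1"
    else
        printf 'FAIL: %s does not verify against %s\n' "$2" "$1"; return 1
    fi
}

# Warn when the certificate expires within $2 days (default 30).
check_cert_expiry() {
    days=${2:-30}
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        printf 'OK: %s is valid for at least %s more days\n' "$1" "$days"
    else
        printf 'WARN: %s expires within %s days\n' "$1" "$days"; return 1
    fi
}

# Extract the group size from "openssl dhparam -text" output, e.g. "DH Parameters: (1024 bit)".
parse_dh_bits() {
    sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Report the DH size; the dhparam command above makes 1024 bits, which is below
# today's usual minimum of 2048, so that case is flagged as a warning.
check_dh_size() {
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null | parse_dh_bits)
    if [ -z "$bits" ]; then
        printf 'FAIL: cannot read DH parameters from %s\n' "$1"; return 1
    elif [ "$bits" -lt 2048 ]; then
        printf 'WARN: %s is only %s bits; 2048 or more is recommended\n' "$1" "$bits"
    else
        printf 'OK: %s is %s bits\n' "$1" "$bits"
    fi
}

# Run every check against a key directory; exit status 1 if any check fails.
check_pki_dir() {
    dir=${1:-/etc/openvpn/keys}; rc=0
    check_key_perms "$dir" || rc=1
    check_cert_chain "$dir/ca.crt" "$dir/server.crt" || rc=1
    check_cert_expiry "$dir/server.crt" 30 || rc=1
    check_dh_size "$dir/dh1024.pem" || rc=1
    return $rc
}

# Usage: sh pki_check.sh /etc/openvpn/keys
if [ -n "${1:-}" ]; then check_pki_dir "$1"; fi
```

Run it as root after the build steps; a non-zero exit means at least one FAIL line was printed. The permission check matters most on a shared host, since the server key is the one file the config comment below says must be kept secret.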
My example /etc/openvpn/openvpn.conf:
```
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client # to be able to see other connected clients
;duplicate-cn # if a few devices use the same common name on their certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
mute 20
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
```
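An added example, not part of OpenVPN or of this tutorial: a small audit script that reads a server config like the one above and reports whether the settings that limit the damage of a compromised daemon are in place (privilege drop to nobody, persist-key and persist-tun so restarts still work without root, a status and log file to review), and flags duplicate-cn and client-to-client because of what they permit. It only knows the directive names used in the config above; the config in the usage note is a constructed sample.

```shell
#!/bin/sh
# ovpn_audit.sh: review an OpenVPN server config such as the one above.
# Added example for this tutorial; not part of OpenVPN. It only understands
# the directive names used in the config above.

# Print the value of directive $2 from config $1, comments removed.
# '#' starts a comment anywhere on a line, ';' only at the start of a line.
conf_get() {
    sed -e 's/^[[:space:]]*;.*$//' -e 's/#.*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# True (exit 0) when directive $2 is present in $1 and not commented out.
conf_has() {
    sed -e 's/^[[:space:]]*;.*$//' -e 's/#.*$//' "$1" |
        awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# Audit one config file: one line per finding, return 1 if any FAIL.
audit_conf() {
    cfg=$1; rc=0
    u=$(conf_get "$cfg" user); g=$(conf_get "$cfg" group)
    if [ -z "$u" ] || [ -z "$g" ] || [ "$u" = root ] || [ "$g" = root ]; then
        echo "FAIL: daemon keeps root privileges; set 'user nobody' and 'group nobody'"; rc=1
    else
        echo "OK: privileges dropped to $u:$g after startup"
        # After the drop the process can no longer re-read the key or re-open
        # the tun device, so restarts (e.g. SIGUSR1) need these two directives.
        for d in persist-key persist-tun; do
            conf_has "$cfg" "$d" || { echo "FAIL: '$d' missing; required with user/group"; rc=1; }
        done
    fi
    for f in ca cert key dh; do
        conf_has "$cfg" "$f" || { echo "FAIL: no '$f' directive"; rc=1; }
    done
    conf_has "$cfg" duplicate-cn &&
        echo "WARN: duplicate-cn lets several devices share one certificate, so a connection cannot be tied to one client"
    conf_has "$cfg" client-to-client &&
        echo "INFO: client-to-client lets VPN clients reach each other; omit it if they only need the server"
    for l in status log-append; do
        conf_has "$cfg" "$l" || echo "WARN: no '$l' directive; nothing to review connections from"
    done
    echo "INFO: listening on $(conf_get "$cfg" proto)/$(conf_get "$cfg" port), VPN subnet: $(conf_get "$cfg" server)"
    return $rc
}

# Usage: sh ovpn_audit.sh /etc/openvpn/openvpn.conf
if [ -n "${1:-}" ]; then audit_conf "$1"; fi
```

Against the config above it prints OK for the privilege drop, an INFO line for client-to-client, and nothing for duplicate-cn because that line is commented out with `;`. Removing the user and group lines turns the first line into a FAIL and the script exits non-zero, which makes it usable in a deployment check.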
Add the NAT rule for forwarding and save it:
```sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
```
Also enable forwarding in the kernel (edit /etc/sysctl.conf):
```
net.ipv4.ip_forward = 1
```
and apply the kernel settings:
```sh
sysctl -p
```
Start the openvpn service and you're ready to go!
```sh
service openvpn start
```
P.S. Don't forget to open the port in the firewall if you are using one; the port, as in the config, is 1194.
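To keep the firewall rules consistent with the config, here is an added example (written for this tutorial, not taken from it or from OpenVPN) that derives them from openvpn.conf: it opens only the configured port and protocol, permits forwarding for the configured VPN subnet, and builds the MASQUERADE rule from the server directive by converting the netmask to a prefix length. It prints the commands rather than applying them. Assumptions: eth0 is the uplink as in the rule above, and a CentOS 6 style default ruleset whose INPUT and FORWARD chains end in a REJECT rule, which is why the filter rules are inserted with -I rather than appended.

```shell
#!/bin/sh
# ovpn_fw.sh: derive the iptables commands from openvpn.conf so the NAT rule
# and the opened port cannot drift apart from the config.
# Added example; not part of OpenVPN or this tutorial. Assumes eth0 is the
# uplink and a CentOS 6 style ruleset with a final REJECT in INPUT and FORWARD.

# Value of directive $2 from config $1, '#' comments and ';' lines removed.
conf_get() {
    sed -e 's/^[[:space:]]*;.*$//' -e 's/#.*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Dotted netmask (255.255.255.0) to prefix length (24) by counting set bits.
# A mask with a 1 after a 0 is rejected: it would silently widen the NAT rule.
mask2prefix() {
    n=0; seen_zero=0
    for o in $(echo "$1" | tr '.' ' '); do
        b=7
        while [ $b -ge 0 ]; do
            if [ $(( (o >> b) & 1 )) -eq 1 ]; then
                [ $seen_zero -eq 1 ] && return 1
                n=$((n + 1))
            else
                seen_zero=1
            fi
            b=$((b - 1))
        done
    done
    echo "$n"
}

# Print the iptables commands for config $1 and outbound interface $2.
# Nothing is applied here: review the output, then run it (or pipe it to sh).
fw_rules() {
    cfg=$1; iface=${2:-eth0}
    port=$(conf_get "$cfg" port); proto=$(conf_get "$cfg" proto)
    port=${port:-1194}; proto=${proto:-udp}          # OpenVPN's own defaults
    set -- $(conf_get "$cfg" server)                  # "10.8.0.0 255.255.255.0"
    [ -n "${2:-}" ] || { echo "no 'server' directive in $cfg" >&2; return 1; }
    net=$1; prefix=$(mask2prefix "$2") || { echo "bad netmask: $2" >&2; return 1; }
    # Accept handshakes on the listening port only, ahead of the default REJECT.
    echo "iptables -I INPUT -p $proto --dport $port -j ACCEPT"
    # Forward VPN traffic out, and replies back in, for the VPN subnet only.
    echo "iptables -I FORWARD -s $net/$prefix -j ACCEPT"
    echo "iptables -I FORWARD -d $net/$prefix -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Masquerade VPN traffic that leaves through the uplink (the rule above).
    echo "iptables -t nat -A POSTROUTING -s $net/$prefix -o $iface -j MASQUERADE"
    echo "service iptables save"
}

# What the running kernel has for forwarding, independent of /etc/sysctl.conf.
ip_forward_state() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && cat /proc/sys/net/ipv4/ip_forward
}

# Usage: sh ovpn_fw.sh /etc/openvpn/openvpn.conf eth0
if [ -n "${1:-}" ]; then fw_rules "$1" "${2:-eth0}"; fi
```

With the config above the script prints the INPUT rule for udp/1194, two FORWARD rules for 10.8.0.0/24, the same MASQUERADE rule shown above and the save command. The FORWARD rules are the part the tutorial leaves implicit: with the CentOS 6 default ruleset, ip_forward alone is not enough because the FORWARD chain rejects everything it does not explicitly accept.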
did this work for you?
Is this a rhetorical question?
Yes it did, 2 days ago.
What error did You get?
Can anybody help me? I have CentOS 6.5 x64 and I only get errors and I cannot make it work. ;)
nsc, can you leave your email or can I contact you? :) I want to talk in private. :D
nsc loginroot com, You know the missing symbols :)