**Renewed POST with new info, as openvpn package changed, not everything in old tutorial is true now :)
This tutorial is based by old one
Default centos repositoryt doesn’t have openvpn package, so lets add epel repository first.
I downloaded it from this mirror here.
1
|
yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rp
|
(link may be different depending on latest release version, currently file is epel-release-6-8.noarch.rpm)
After that, You can install openvpn and easy-rsa packages:
1
|
yum install openvpn.x86_64 easy-rsa.noarc
|
create directory for OpenVPN keys:
cd to easy-rsa subdirectory:
1
|
cd /usr/share/easy-rsa/2.
|
edit vars file, to reflect Your needs
I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are mentioned 2 times. Leave those with ‘dummy’.
So comment out those other ones:
1
2
|
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234
|
Also You want to change default KEYS export directory:
1
|
export KEY_DIR="/etc/openvpn/keys"
|
This info should be clear by default, anyway, You’ll be asked about all of them later.
These will be ‘default’ values when generating certificates.
1
2
3
4
5
6
7
8
9
|
export KEY_COUNTRY="NL" # Your coutry
export KEY_PROVINCE="n/a" # state
export KEY_CITY="loginroot.com city" # city name
export KEY_ORG="loginroot.com" # organization name
export KEY_EMAIL="emailforspambots@loginroot.com" # mail
#export KEY_EMAIL=mail@host.domain # seems like duplicate one - comment out
export KEY_CN=loginroot.com # Canonical Name ( i.e. my.hostname.tld )
export KEY_NAME=loginroot.com # Key name ( i.e. my.hostname.tld )
export KEY_OU=private # Organization Unit - ( i.e. private)
|
make symbolic link of openssl config
1
|
ln -s openssl-1.0.0.cnf openssl.cn
|
Initialize the public-key infastructure:
1
2
3
|
source vars
./clean-all
|
Creating Certificate Authority:
output:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
# ./build-ca
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com city]:
Organization Name (eg, company) [loginroot.com]:
Organizational Unit Name (eg, section) [private]:
Common Name (eg, your name or your server's hostname) [nl.loginroot.com]:
Name [loginroot.com]:
Email Address [emailforspambots@loginroot.com]:
|
Server certificate:
1
2
|
./build-key-server server
|
output:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
# ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [loginroot.com]:
Organization Name (eg, company) [loginroot.com]:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]:nl.loginroot.com
Name [nsc]:
Email Address [hidden-mail-address@loginroot.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'n/a'
localityName :PRINTABLE:'loginroot.com'
organizationName :PRINTABLE:'none'
organizationalUnitName:PRINTABLE:'none'
commonName :PRINTABLE:'nl.loginroot.com'
name :PRINTABLE:'nsc'
emailAddress :IA5STRING:'mailforspambots@loginroot.com'
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Update
|
Also You have to create own certificates for each OpenVPN client:
1
2
3
|
cd /usr/share/easy-rsa/2.0
./build-key myLaptop
|
The same principle as with generating certificate for server.
All generated certificates are located in /etc/openvpn/keys directory(we noted that in ‘vars’ file)
Add file containing Diffie Hellman parameters
1
2
|
openssl dhparam -out /etc/openvpn/keys/dh1024.pem 1024
|
My exemplary /etc/openvpn/openvpn.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client #to be able to see other connected clients
;duplicate-cn #if few devices uses same common name on certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
mute 20
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
|
add rule to forward and save it:
1
2
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
|
also enable forwarding in kernel (edit /etc/sysctl.conf):
1
|
net.ipv4.ip_forward = 1
|
and apply kernel settings:
start openvpn service and You’re ready to go!
p.s. don’t forget to unblock firewall if You are using it, port as in config is 1194