Openvpn centos 6.4 x64 with certificates



Renewed post with new information: the openvpn package has changed, so not everything in the old tutorial is true anymore :)
This tutorial is based on the old one.

The default CentOS repository doesn't have an openvpn package, so let's add the EPEL repository first.
I downloaded it from this mirror here.

yum install

(The link may differ depending on the latest release version; currently the file is epel-release-6-8.noarch.rpm.)

After that, you can install the openvpn and easy-rsa packages:

yum install openvpn.x86_64 easy-rsa.noarch

Create a directory for the OpenVPN keys:

mkdir /etc/openvpn/keys

Change to the easy-rsa subdirectory:

cd /usr/share/easy-rsa/2.0

Edit the vars file to reflect your needs:

vim vars

I noticed that PKCS11_MODULE_PATH and PKCS11_PIN are mentioned twice. Leave the ones set to "dummy" in place
and comment out the other two:

#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234

You also want to change the default key export directory:

export KEY_DIR="/etc/openvpn/keys"

These values should be self-explanatory; in any case, you'll be asked about all of them later.
They become the "default" values offered when generating certificates.

export KEY_COUNTRY="NL"                # Your country
export KEY_PROVINCE="n/a"              # state
export KEY_CITY=" city"   # city name
export KEY_ORG=""         # organization name
export KEY_EMAIL=""  # mail
#export KEY_EMAIL=mail@host.domain     # seems like duplicate one - comment out 
export            # Canonical Name ( i.e. my.hostname.tld )
export          # Key name ( i.e. my.hostname.tld )
export KEY_OU=private                  # Organization Unit - ( i.e. private)

Make a symbolic link to the OpenSSL config:

ln -s openssl-1.0.0.cnf openssl.cnf

Initialize the public-key infrastructure:

source vars

Create the certificate authority:

# ./build-ca 
Generating a 1024 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [NL]:
State or Province Name (full name) [n/a]:
Locality Name (eg, city) [ city]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) [private]:
Common Name (eg, your name or your server's hostname) []:
Name []:
Email Address []:

Generate the server certificate:

# ./build-key-server server
Generating a 1024 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [NL]:
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [n/a]:
Locality Name (eg, city) []:
Organization Name (eg, company) []:none
Organizational Unit Name (eg, section) [loginroot]:none
Common Name (eg, your name or your server's hostname) [server]
Name [nsc]:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
Using configuration from /etc/openvpn/open-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :PRINTABLE:'n/a'
localityName          :PRINTABLE:''
organizationName      :PRINTABLE:'none'
commonName            :PRINTABLE:''
name                  :PRINTABLE:'nsc'
emailAddress          :IA5STRING:''
Certificate is to be certified until Sep 27 16:19:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

You also have to create a certificate for each OpenVPN client:

cd /usr/share/easy-rsa/2.0
./build-key myLaptop

This follows the same procedure as generating the server certificate.
All generated certificates end up in the /etc/openvpn/keys directory (the KEY_DIR we set in the vars file).

Add a file containing the Diffie-Hellman parameters:

openssl dhparam -out /etc/openvpn/keys/dh1024.pem 1024

My example /etc/openvpn/openvpn.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS"
push "dhcp-option DNS"
client-to-client #to be able to see other connected clients
;duplicate-cn #if few devices uses same common name on certificates
keepalive 10 120
max-clients 5
user nobody
group nobody
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
mute 20

# Set the appropriate level of log
# file verbosity.
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
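To see which of the settings in the config above are security-relevant, here is an added example (not part of the original post) that parses OpenVPN's config syntax, where `#` and `;` start a comment anywhere outside quotes, and audits a constructed copy of that file; the DNS address in the sample and the `dhNNNN.pem` naming used to infer the DH size are assumptions.

```python
import re
import shlex

# Constructed sample modelled on the openvpn.conf above; the DNS address is a made-up placeholder.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
push "dhcp-option DNS 10.8.0.1"
client-to-client #to be able to see other connected clients
;duplicate-cn #if few devices uses same common name on certificates
keepalive 10 120
user nobody
group nobody
verb 3
"""

def parse_openvpn_conf(text):
    """Return [(directive, [args])]. '#' and ';' start a comment anywhere outside quotes, as OpenVPN does."""
    directives = []
    for line in text.splitlines():
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True  # split on whitespace only, so a quoted push argument stays one token
        lexer.commenters = "#;"
        tokens = list(lexer)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives

def audit(directives):
    """Flag the settings in this config that matter for security; returns a list of finding strings."""
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        if name == "dh" and args:
            bits = re.search(r"(\d+)", args[0].rsplit("/", 1)[-1])  # assumes dhNNNN.pem naming: dh1024.pem -> 1024
            if bits and int(bits.group(1)) < 2048:
                findings.append(f"dh: {bits.group(1)}-bit DH parameters are weak; generate 2048 bits or more")
    if "user" not in names or "group" not in names:
        findings.append("user/group missing: the daemon keeps root privileges after start-up")
    if "duplicate-cn" in names:
        findings.append("duplicate-cn: clients may share one certificate, so a leaked key cannot be revoked per device")
    if "client-to-client" in names:
        findings.append("client-to-client: VPN clients can reach each other directly through the server")
    return findings
```

On the sample this reports the 1024-bit DH file and the client-to-client setting; the commented-out duplicate-cn line is correctly ignored.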

Add a NAT rule so that VPN traffic is forwarded out through eth0, and save it:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
service iptables save

Also enable IP forwarding in the kernel (edit /etc/sysctl.conf):

net.ipv4.ip_forward = 1

and apply the kernel settings:

sysctl -p

Start the openvpn service and you're ready to go!

service openvpn start

P.S. Don't forget to open the port in your firewall if you are using one; the port in the config is 1194.


4 responses to “Openvpn centos 6.4 x64 with certificates”

    1. is this rhetorical question?
      Yes it did, 2 days ago.

      What error did You get?

  1. Can anybody help me? I have CentOS 6.5 x64 and I only get errors and I cannot make it work. ;)

    nsc, can you leave your email or can I contact you? :) I want to talk in private. :D

    1. nsc loginroot com, You know the missing symbols :)
