How to install, setup and configure an OpenVPN Service on CentOS 5


In this tutorial, we will learn how to install, set up and configure an OpenVPN service on CentOS 5, and how to configure the firewall to allow VPN traffic. Client configuration is covered in the linked article at the bottom of this tutorial.


Topology used in this scenario:

1 Ethernet card (eth0) connected to a router, which forwards all connections on port 1723 (UDP and TCP) to our server's internal IP.
Internet IP: 1.2.3.4
Internal IP: 192.168.0.2
Existing Subnet: 192.168.0.0/24
New VPN Subnet: 172.16.0.0/24

Installation:

1) To begin, we need to make sure we have the RPMForge repository installed and activated.

2) If you have SELinux enabled and enforcing, you will need to run this:

semanage port -a -t openvpn_port_t -p tcp 1723
semanage port -a -t openvpn_port_t -p udp 1723

3) Install OpenVPN via yum. This will make sure that the following packages are installed: openvpn, lzo, pkcs11-helper

yum install openvpn

4) Copy the easy-rsa directory from the documentation template into /etc/openvpn (change the version number to match your installed version of openvpn):

cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/

5) Change permissions

chmod +rwx *

6) Edit the configuration file /etc/openvpn/easy-rsa/2.0/vars with your favorite editor such as `nano` or `vi`, change the values at the very bottom (from KEY_COUNTRY down to KEY_OU) to match your own information, and make sure you save a copy somewhere.

nano /etc/openvpn/easy-rsa/2.0/vars

example (keep the `export` prefix the file uses, otherwise build-ca and build-key-server will not see the values; the stock vars file defines KEY_EMAIL twice, once quoted and once unquoted, so set both):
export KEY_COUNTRY="CA"
export KEY_PROVINCE="QC"
export KEY_CITY="Montreal"
export KEY_ORG="CompanyName"
export KEY_EMAIL="your@email.com"
export KEY_EMAIL=your@email.com
export KEY_CN=server.hostname.com
export KEY_NAME=server.hostname.com
export KEY_OU=OrganisationUnitName

7) Source the configuration file `vars` with the following command and then run clean-all (clean-all wipes the easy-rsa keys directory, so run it only once, now, before any certificate exists):

source /etc/openvpn/easy-rsa/2.0/vars
/etc/openvpn/easy-rsa/2.0/clean-all

8) Once we reach this step, openvpn has been installed and initially configured. Now we have to build our CA Certificate, our Server Certificate and our Client Certificate.


9) Start by building the CA Certificate with the command:

/etc/openvpn/easy-rsa/2.0/build-ca

This step will ask for the information of the Certificate Authority we are creating. If you configured the `vars` file in step 6, the default values shown between '[' and ']' at each prompt should be fine; otherwise change them accordingly.

10) It is time now to create the Server Certificate with our newly created CA Authority Certificate. Run the following command (and replace `server.hostname.com` with your server hostname):

/etc/openvpn/easy-rsa/2.0/build-key-server server.hostname.com

This will print a summary of the certificate to be created and ask you to confirm that you want to "Sign the certificate", to which you answer YES or 'y'.
Finally, it will ask you to confirm committing the change; again, answer YES or 'y'.

11) Now we have to edit our main configuration file /etc/openvpn/openvpn.conf with our favorite editor such as `nano` or `vi` (change server.hostname.com to the value used while building the server certificate in step 10):

nano /etc/openvpn/openvpn.conf

example: 

port 1723
proto udp # UDP is faster than TCP
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.hostname.com.crt
key /etc/openvpn/keys/server.hostname.com.key
dh /etc/openvpn/keys/dh1024.pem # 1024-bit because KEY_SIZE=1024 is the easy-rsa 2.0 default; set KEY_SIZE=2048 in vars before build-dh for a stronger group (the file is then named dh2048.pem)
cipher BF-CBC # the OpenVPN 2.2 default; Blowfish has a 64-bit block, so use AES-256-CBC if your clients support it
comp-lzo
server 172.16.0.0 255.255.255.0 # the server itself takes 172.16.0.1 on tun0
push "dhcp-option DNS 4.2.2.2" # Change these to your own DNS Server for even greater security
push "dhcp-option DNS 4.2.2.1" # Change these to your own DNS Server for even greater security
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3

12) Create the directory to hold the keys and certificates the server needs, make it private and put them into it. The server only reads ca.crt, its own certificate and its own key; ca.key stays in the easy-rsa keys directory (the server never needs it, and easy-rsa needs it there to sign client certificates later), and ca.crt is copied rather than moved for the same reason:

mkdir /etc/openvpn/keys/
chmod 0700 /etc/openvpn/keys/
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/keys/
mv /etc/openvpn/easy-rsa/2.0/keys/{server.hostname.com.crt,server.hostname.com.key} /etc/openvpn/keys/
chmod 0600 /etc/openvpn/keys/server.hostname.com.key

13) Generate the Diffie-Hellman parameters and move the resulting file (it is named after KEY_SIZE in vars, dh1024.pem by default):

/etc/openvpn/easy-rsa/2.0/build-dh
mv /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/keys/
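With the certificates, key and DH parameters now in /etc/openvpn/keys, a quick check that the config really points at existing files, that the key is not readable by other users, and that the two weak 2.2-era defaults (BF-CBC and 1024-bit DH) are noticed saves a puzzling failed start later. The script below is an added example, not part of this tutorial or of OpenVPN; parse_conf(), audit() and demo() are hypothetical helpers, and demo() builds a constructed throw-away tree instead of touching /etc/openvpn.

```python
import os
import stat
import tempfile

def parse_conf(text):
    """Map each directive to its first argument; comments stripped, first occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf.setdefault(parts[0], parts[1] if len(parts) > 1 else "")
    return conf

def audit(conf_path):
    """Return a list of findings for a server config; empty means nothing to report."""
    with open(conf_path) as fh:
        conf = parse_conf(fh.read())
    findings = []
    for d in ("ca", "cert", "key", "dh"):   # directives that must name an existing file
        path = conf.get(d)
        if not path:
            findings.append("missing '%s' directive" % d)
        elif not os.path.exists(path):
            findings.append("%s file not found: %s" % (d, path))
        elif d == "key" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("private key %s is readable by group/others" % path)
    # OpenVPN 2.2 falls back to BF-CBC when no cipher directive is given.
    if conf.get("cipher", "BF-CBC") == "BF-CBC":
        findings.append("cipher BF-CBC has a 64-bit block; prefer AES-256-CBC")
    if "1024" in os.path.basename(conf.get("dh", "")):
        findings.append("1024-bit DH parameters; rebuild with KEY_SIZE=2048 in vars")
    return findings

def demo():
    """Constructed tree mirroring the tutorial, with a world-readable key and no DH file."""
    root = tempfile.mkdtemp()
    keys = os.path.join(root, "keys")
    os.mkdir(keys)
    for name in ("ca.crt", "server.crt", "server.key"):
        open(os.path.join(keys, name), "w").close()
        os.chmod(os.path.join(keys, name), 0o644)   # the key should be 0600
    conf = os.path.join(root, "openvpn.conf")
    with open(conf, "w") as fh:
        fh.write("port 1723\nproto udp # UDP is faster than TCP\ndev tun\n")
        for d, f in (("ca", "ca.crt"), ("cert", "server.crt"),
                     ("key", "server.key"), ("dh", "dh1024.pem")):
            fh.write("%s %s\n" % (d, os.path.join(keys, f)))
        fh.write("cipher BF-CBC\ncomp-lzo\nserver 172.16.0.0 255.255.255.0\n")
    return audit(conf)
```

Run audit("/etc/openvpn/openvpn.conf") as root on the real server; demo() only exercises the checks on constructed input.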

14) Make sure that the OpenVPN service starts at boot time:

chkconfig openvpn on

15) That's it! The OpenVPN service is now ready to be started:

/etc/init.d/openvpn start

16) For the firewall configuration, run the following commands. Two things to keep in mind: the router forwards (DNATs) port 1723 to the internal address, so the packets eth0 receives are addressed to 192.168.0.2, not 1.2.3.4, and the rules must match the internal address; and if /etc/sysconfig/iptables still contains the CentOS 5 default RH-Firewall-1-INPUT chain (jumped to from both INPUT and FORWARD, ending in a REJECT), rules appended with -A sit behind that REJECT and are never reached, so either remove the default chain or insert your rules with -I instead. The FORWARD rules also only have an effect if IP forwarding is enabled in the kernel.

# enable forwarding now, and set net.ipv4.ip_forward = 1 in /etc/sysctl.conf so it survives a reboot
/sbin/sysctl -w net.ipv4.ip_forward=1
# VPN traffic arrives on eth0 addressed to the internal IP
/sbin/iptables -A INPUT -d 192.168.0.2 -i eth0 -p udp -m udp --dport 1723 -j ACCEPT
# traffic the server itself sends to the VPN subnet (its own tun0 address 172.16.0.1 via lo, clients via tun0)
/sbin/iptables -A OUTPUT -d 172.16.0.0/255.255.255.0 -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -d 172.16.0.0/255.255.255.0 -o tun0 -j ACCEPT
# forwarding: replies to existing connections, anything from VPN clients, drop the rest
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables-save > /etc/sysconfig/iptables
/sbin/service iptables restart

We still have to create the client certificate and configure the client to connect to our OpenVPN Service.


You can read the linked article 'How to install OpenVPN on Microsoft Windows 7 using Certificates' to see how to create the client certificate and connect the client to our OpenVPN service.