How to Setup and Configure an OpenVPN Server on CentOS
Enabled Extra Packages for Enterprise Linux (EPEL) Repository:
$ sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install
$ sudo yum install openvpn -y
copy the configuration file to its destination:
$ sudo cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn
uncomment the "push" parameter so traffic on our client systems to be routed through OpenVPN.
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
route DNS queries to opendns.com and Google's Public DNS servers.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
$ sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install
$ sudo yum install openvpn -y
copy the configuration file to its destination:
$ sudo cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn
uncomment the "push" parameter so traffic on our client systems to be routed through OpenVPN.
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
route DNS queries to opendns.com and Google's Public DNS servers.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Let OpenVPN drop privileges after startup
user nobody
group nobody
Generating Keys and Certificates Using easy-rsa
$ sudo yum -y install easy-rsa
$ sudo cp -R /usr/share/easy-rsa/ /etc/openvpn/
$ cd /etc/openvpn/easy-rsa/2.0
$ sudo cp vars vars.bak
$ mkdir -p /etc/openvpn/easy-rsa/keys
Edit vars ( only need to change the 2 blue lines )
export KEY_COUNTRY="CA"
export KEY_PROVINCE="ON"
export KEY_CITY="Toronto"
export KEY_ORG="goyun.info"
export KEY_EMAIL="it@goyun.info"
export KEY_EMAIL=it@goyun.info
export KEY_CN=it.goyun.info
export KEY_NAME=it
export KEY_OU=it
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
build Certificate Authority, or CA
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@stg 2.0]# ./clean-all
[root@stg 2.0]# ./build-ca
Generating a 1024 bit RSA private key
............................++++++
..............++++++
writing new private key to 'ca.key'
create certificate for the OpenVPN server.
# ./build-key-server it
Generating a 1024 bit RSA private key
.................++++++
.................++++++
writing new private key to 'it.key'
Use any name you want instead of "it", but make sure that when asked for the Common Name that you enter the exact same name. When asked to sign and to commit the new certificate, answer "y" to both questions.
build one client key/certificate pair. Same procedure (and once again pay attention to the Common Name, which must match the name you are specifying here instead of vpn-client1):
# ./build-key vpn-client1
Generating a 1024 bit RSA private key
..............++++++
...++++++
writing new private key to 'vpn-client1.key'
-----
generate Diffie Hellman key exchange files using the build-dh script
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................................................+..+..............................+.........................+..................+.................................................................................+..............................+...........................................+...................+.....................+.+...............+..............+......................+................................................................................+.+................................................+....................+.......+........................................+...............................++*++*++*
Create an iptables rule to allow proper routing of VPN subnet.
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
enable IP Forwarding in sysctl:
in /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
cp keys files to the same as server.conf
# cp easy-rsa/keys/* ./
apply new sysctl settings. Start the server and assure that it starts automatically on boot:
sysctl -p
service openvpn start
chkconfig openvpn on
Comments
Post a Comment