{"id":734,"date":"2014-07-14T15:42:29","date_gmt":"2014-07-14T08:42:29","guid":{"rendered":"http:\/\/whplus.com\/blog\/?p=734"},"modified":"2015-01-29T17:03:01","modified_gmt":"2015-01-29T10:03:01","slug":"setup-and-configure-an-openvpn-server-on-centos-6","status":"publish","type":"post","link":"https:\/\/www.whplus.com\/blog\/2014\/07\/14\/setup-and-configure-an-openvpn-server-on-centos-6.html","title":{"rendered":"Setup and Configure an OpenVPN Server on CentOS 6"},"content":{"rendered":"

This article will guide you through the setup and configuration of OpenVPN server on your CentOS 6 cloud server. We also cover how to configure openvpn client to connect to your newly installed OpenVPN server.<\/p>\n

Before we begin, you’ll need to have the Extra Packages for Enterprise Linux (EPEL) Repository enabled on your cloud server. This is a third party repository offered by the Fedora Project which will provide the OpenVPN package.<\/p>\n

wget http:\/\/dl.fedoraproject.org\/pub\/epel\/6\/i386\/epel-release-6-8.noarch.rpm
\nrpm -Uvh epel-release-6-8.noarch.rpm<\/code><\/p>\n

Initial OpenVPN Configuration<\/strong>
\nFirst, install the OpenVPN and easy-rsa packages :<\/p>\n

yum -y install openvpn easy-rsa<\/code>
\n<\/p>\n

OpenVPN ships with only a sample configuration, so we will copy the configuration file to its destination:<\/p>\n

cp \/usr\/share\/doc\/openvpn-*\/sample\/sample-config-files\/server.conf \/etc\/openvpn\/<\/code><\/p>\n

Now that we have the file in the proper location, open it for editing:<\/p>\n

nano -w \/etc\/openvpn\/server.conf<\/code><\/p>\n

Our first change will be to uncomment the “push” parameter which causes traffic on our client systems to be routed through OpenVPN.<\/p>\n

push \"redirect-gateway def1 bypass-dhcp\"<\/code><\/p>\n

We’ll also want to change the section that immediately follows route DNS queries to Google’s Public DNS servers.<\/p>\n

push \"dhcp-option DNS 8.8.8.8\"
\npush \"dhcp-option DNS 8.8.4.4\"<\/code><\/p>\n

In addition, to enhance security, make sure OpenVPN drops privileges after startup. Uncomment the relevant “user” and “group” lines.<\/p>\n

user nobody
\ngroup nobody<\/code><\/p>\n

Generating Keys and Certificates Using easy-rsa<\/p>\n

Now that we’ve finished modifying the configuration file, we’ll generate the required keys and certificates. As with the configuration file, OpenVPN places the required scripts in the documentation folder by default. Create the required folder and copy the files over.<\/p>\n

mkdir -p \/etc\/openvpn\/easy-rsa\/keys
\ncp -rf \/usr\/share\/openvpn\/easy-rsa\/2.0\/* \/etc\/openvpn\/easy-rsa<\/code><\/p>\n

With the files in the desired location, we’ll edit the “vars” file which provides the easy-rsa scripts with required information.<\/p>\n

nano -w \/etc\/openvpn\/easy-rsa\/vars<\/code><\/p>\n

We’re looking to modify the “KEY_” variables, located at the bottom of the file. The variable names are fairly descriptive and should be filled out with the applicable information.<\/p>\n

Once completed, the bottom of your “vars” file should appear similar to the following:<\/p>\n

export KEY_COUNTRY=\"US\"
\nexport KEY_PROVINCE=\"NY\"
\nexport KEY_CITY=\"New York\"
\nexport KEY_ORG=\"Organization Name\"
\nexport KEY_EMAIL=\"administrator@example.com\"
\nexport KEY_CN=droplet.example.com
\nexport KEY_NAME=server
\nexport KEY_OU=server
\n<\/code>
\nOpenVPN might fail to properly detect the OpenSSL version on CentOS 6. As a precaution, manually copy the required OpenSSL configuration file.<\/p>\n

cp \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf \/etc\/openvpn\/easy-rsa\/openssl.cnf<\/code><\/p>\n

We’ll now change into our working directory and build our Certificate Authority, or CA, based on the information provided above.<\/p>\n

cd \/etc\/openvpn\/easy-rsa
\nsource .\/vars
\n.\/clean-all
\n.\/build-ca<\/code><\/p>\n

Now that we have our CA, we’ll create our certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.<\/p>\n

.\/build-key-server server<\/code><\/p>\n

We’re also going to need to generate our Diffie Hellman key exchange files using the build-dh script and copy all of our files into \/etc\/openvpn as follows:<\/p>\n

.\/build-dh
\ncd \/etc\/openvpn\/easy-rsa\/keys
\ncp dh2048.pem ca.crt server.crt server.key \/etc\/openvpn
\n<\/code>
\nIn order to allow clients to authenticate, we’ll need to create client certificates. You can repeat this as necessary to generate a unique certificate and key for each client or device. If you plan to have more than a couple certificate pairs be sure to use descriptive filenames.<\/p>\n

cd \/etc\/openvpn\/easy-rsa
\n.\/build-key client
\n<\/code>
\nRouting Configuration and Starting OpenVPN Server<\/p>\n

Create an iptables rule to allow proper routing of our VPN subnet.<\/p>\n

Xen and KVM users use:
\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE<\/code><\/p>\n

And for OpenVZ use these two instead:
\niptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123<\/code>
\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to-source 123.123.123.123<\/code><\/p>\n

Do not forget to replace 123.123.123.123 with your server IP.
\nNow save that iptables rules:
\nservice iptables save<\/code><\/p>\n

Then, enable IP Forwarding in sysctl:<\/p>\n

nano -w \/etc\/sysctl.conf<\/code><\/p>\n

# Controls IP packet forwarding
\nnet.ipv4.ip_forward = 1<\/code><\/p>\n

Finally, apply our new sysctl settings. Start the server and assure that it starts automatically on boot:<\/p>\n

sysctl -p
\nservice openvpn start
\nchkconfig openvpn on
\n<\/code>
\nYou now have a working OpenVPN server. In the following steps, we’ll discuss how to properly configure your client.<\/p>\n

Configuring OpenVPN Client<\/strong><\/p>\n

Now that your OpenVPN server is online, lets configure your client to connect. The steps are largely the same regardless of what operating system you have.<\/p>\n

In order to proceed, we will need to retrieve the ca.crt, client.crt and client.key files from the remote server. Simply use your favorite SFTP\/SCP (Secure File Transfer Protocol\/Secure Copy) client and move them to a local directory. You can alternatively open the files in nano and copy the contents to local files manually. Be aware that the client.crt and client.key files will are automatically named based on the parameters used with “.\/build-key” earlier. All of the necessary files are located in \/etc\/openvpn\/easy-rsa\/keys<\/p>\n

nano -w \/etc\/openvpn\/easy-rsa\/keys\/ca.crt
\nnano -w \/etc\/openvpn\/easy-rsa\/keys\/client.crt
\nnano -w \/etc\/openvpn\/easy-rsa\/keys\/client.key
\n<\/code>
\nWith our certificates now on our client system, we’ll create another new file called client.ovpn, where “client” should match the name of the client being deployed (from build-key), the contents should be as follows, substituting “x.x.x.x” with your cloud servers IP address, and with the appropriate files pasted into the designated areas. Include only the contents starting from the “BEGIN” header line, to the “END” line, as demonstrated below. Be sure to keep these files as confidential as you would any authentication token.<\/p>\n

client
\ndev tun
\nproto udp
\nremote x.x.x.x 1194
\nresolv-retry infinite
\nnobind
\npersist-key
\npersist-tun
\ncomp-lzo
\nverb 3
\n
\nContents of ca.crt
\n<\/ca>
\n
\nContents of client.crt
\n<\/cert>
\n
\nContents of client.key
\n<\/key>
\n<\/code><\/p>\n

As all of the required information to establish a connection is now centralized in the .ovpn file, we can now deploy it on our client system.<\/p>\n

On Windows, regardless of edition, you will need the official OpenVPN Community Edition binaries which come prepackaged with a GUI. The only step required post-installation is to place your .ovpn configuration file into the proper directory (C:\\Program Files\\OpenVPN\\config) and click connect in the GUI. OpenVPN GUI on Windows must be executed with administrative privileges.<\/p>\n","protected":false},"excerpt":{"rendered":"

This article will guide you through the setup and configuration of OpenVPN server on your CentOS 6 cloud server. We also cover how to configure openvpn client to connect to your newly installed OpenVPN server. Before we begin, you’ll need to have the Extra Packages for Enterprise Linux (EPEL) Repository enabled on your cloud server.\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-734","post","type-post","status-publish","format-standard","hentry","category-tutorial"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/734","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/comments?post=734"}],"version-history":[{"count":5,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/734\/revisions"}],"predecessor-version":[{"id":759,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/734\/revisions\/759"}],"wp:attachment":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/media?parent=734"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/categories?post=734"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/tags?post=734"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}