OpenVPN Server On CentOS 5.2

Want to support HowtoForge? Become a subscriber!
 
Submitted by linuxscooter (Contact Author) (Forums) on Thu, 2009-03-05 12:14. :: CentOS

OpenVPN Server On CentOS 5.2

So your users need access to Exchange and data from outside your organisation. Sure you can set up RPC over HTTPS and various other tools to access the data. I just find OpenVPN very good, convenient and reliable.

And after battling to find a good simple HOWTO, I put this together. It's a quick and nasty but it works!:)

Firstly, ensure you are root, and just in case the OpenVPN is not in the base repository, add the rpmforge repo (these steps you can find elsewhere).

If you use selinux you will need this:

#semanage port -a -t openvpn_port_t -p tcp 1723

yum install openvpn

cd /etc/openvpn/

cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/

cd /etc/openvpn/easy-rsa/2.0/

. ../vars

chmod +rwx *

./clean-all

source ./vars

vi ../vars

(At the bottom of the files change the values to match the site.)

vi vars

(At the bottom of the files change the values to match the site.)

./build-ca

(This builds the CA certificate.)

source ./vars

./clean-all

./build-ca

./build-key-server server

(This builds the server.key file.)

vi /etc/openvpn/openvpn.conf

(For slow lines UDP is faster. Use the below as a starting point:)

port 1723 # (1194 is the default but on some APN networks this is blocked)
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 192.168.168.1"
push "dhcp-option DNS 168.210.2.2"
#push "dhcp-option WINS 192.168.1.2"
push "route 192.168.168.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn # (this means several users can use the same key)  

cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh (builds the dh1024)
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start
chkconfig --list | grep vpn

(Make sure it is set to start at boot.)

./build-key <name>

(Repeat and rinse if you want several individual client keys.)

cd keys/
zip keys.zip ca.crt ca.key <name>.crt <name>.csr <name>.key
yum install -y nail
nail -s “Keys" -a keys.zip me@mydomain.co.za

netstat -ntpl | grep 1723

Set the iptables firewall rules to allow with these rules:

        # External Interface for VPN
        # VPN Interface
        VPNIF="tun0"
        VPNNET="172.16.0.0/24"
        VPNIP="172.16.0.1"
        ### OpenVPN
       $IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
        $IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
        # Allow TUN interface connections to OpenVPN server
        $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
       $IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT
        # OpenVPN
        $IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j
ACCEPT
        $IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
       $IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
       $IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
       $IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT

Follow the client side instructions from here...

 

Installing OpenVPN GUI On Windows XP / Vista

Once the OpenVPN server has been setup and the client key(s) made available to you for installation, follow these steps to roll the VPN out to the clients:

-Download the client software here: http://www.openvpn.se/. The tested version is 1.0.3. Version 2.0.9 works on Vista with the following in the client.ovpn file:

route-method exe
route-delay 2

-Install the program.

-Under C:\Program Files\OpenVPN\config place the following:

ca.crt
ca.key
client.ovpn
(you might need to edit this file later)
<name>.crt (eg. johnl.crt)
<name>.csr
<name>.key

-Edit the client.ovpn file and ensure that the following fields match up for the site / user:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <myserver> 1723
;remote my-server-2 1194
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert <name>.crt
key <name>.key

-Start OpenVPN and the client machine should connect. This is done by right clicking the OpenVPN in the task tray and clicking 'connect' or after starting the program via the start menu.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Castiel (registered user) on Fri, 2013-03-29 08:12.

Pls let me know OpenVPN support dynamic ip address or not .

 

Submitted by xrx (registered user) on Mon, 2011-04-04 14:30.
Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes.

Typical reasons for wanting to revoke a certificate include:

    * The private key associated with the certificate is compromised or stolen.
    * The user of an encrypted private key forgets the password on the key.
    * You want to terminate a VPN user's access.

As an example, we will revoke the client2 certificate, which we generated above in the "key generation".
First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation". On Linux/BSD/Unix:

. ./vars
./revoke-full client2

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

openvpn.conf
crl-verify /etc/openvpn/crl/crl.pem

Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.
 get info from openvpn.net
Submitted by pavels (not registered) on Thu, 2010-04-22 15:26.
Thanks. However client configuration is way incomplete
Submitted by Mochammad RIvai (not registered) on Wed, 2010-03-31 03:38.

now i use openvpn from 13 site '

 and this good new . there are stabil ...

thank you

Submitted by Anonymous VPN (not registered) on Fri, 2010-03-05 09:11.

I want to know if I want to user logon with username & password, how should I do ??? 

 

And I found the Anonymous VPN service provider for commercial.

 

Submitted by Daniel (not registered) on Thu, 2010-02-04 22:11.

 I've installed openvpn on my server everything is setup correctly and i've also created client key on server.

 

But the problem is when I setup openvpn client on windows  it's gives following error. I've copied all key,crt,csr  files to openvpn config folder on windows machine

 

here is error

OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '3514370b'
 Expected Remote Options hash (VER=V4): '239669a8'
UDPv4 link local: [undef]
 UDPv4 link remote: 172.16.0.1:1723

 

 

so is there any configuration remain on server side

 which ip address i should use in openvpn.conf file and which ip i should use in windows machine for client.ovpn file

 suppose my server ip is 192.168.1.1, so tell me should i use this ip for openvpn.conf  server parameter as well as for remote parameter for windows machine in client.ovpn file in config folder.

 

Please help !!

Submitted by c0mrade (registered user) on Thu, 2009-09-03 21:28.
Hello m8, nice tutorial ... you are missing rpm -ihv ftp://ftp.univie.ac.at/systems/linux/fedora/epel/5/i386/epel-release-5-2.noarch.rpm before yum install openvpn
Submitted by debian38 (not registered) on Mon, 2010-01-11 16:10.

Nice tutorial???

 It should be forbidden to allow this kind of tutorial... 

1) we build two times the ca keys... Why??

 2) "UDP is faster on slow lines...". Lol, you did not understand the transport layer. UDP is *always* faster, because it works with datagrams (like IP). REMEMBER WORKING WITH TCP over TCP is an HERESY. And this tutorial use TCP!! Imagine an error of transmission in your TCP tunnel, it is restransmitted inside the tunnel of course, but the TCP packets encapsulating your tunnel are re-transmitted too.....

 3) The better for the end. When you archive your keys for your clients, I recommend you to NOT provide the root ca.key (key signing machine only!!!)

 If you did not understand these comments, don't install a VPN...

Submitted by Anonymous (not registered) on Sun, 2011-04-10 19:43.
wow. what a douche reply. Work on your engrish before insulting people.
Submitted by linuxscooter (registered user) on Wed, 2009-11-11 14:40.

Thanks.

I am aware of the EPEL repos but did not need them for this setup.

Best Regards

C

Submitted by xrx (registered user) on Mon, 2009-07-27 09:29.

ENG


Instead of using the clients of 3 separate files (ca, cert, key) you can use a common file format PKCS12. To do this, generate a key client comand: 
build-key-pkcs12 client1 
This will create a normal set of files, and a new file .p12 - it is this combined file.It can be used in the client configuration file as a single comand: pkcs12 client1

Warning: don't set a password when generate key.

RU


Вместо использования на клиентах 3-ёх раздельных файлов (ca, cert, key) можно использовать единый файл формата PKCS12. Для этого надо генерировать ключ клиента командой:
build-key-pkcs12 client1
Будет создан и обычный комплект файлов, и новый файл .p12 - это и есть этот комбинированный файл. Его можно использовать в конфиге клиента одной командой pkcs12 вместо трёх команд ca, cert, key.
Также при генерации этому файлу можно задать пароль для защиты секретного ключа, в таком случае каждый раз при установке соединения будет запрашиваться пароль для доступа к секретному ключу (Внимание! Так нельзя делать при запуске сервиса, т.к. он не сможет запросить пароль и не сможет установить соединение.). Следует также иметь ввиду, что пользователь имеет право самостоятельно изменить/удалить/установить пароль защиты секретного ключа.

Submitted by Anonymous (not registered) on Sat, 2009-05-09 08:47.

Hi, nice post!

Just wanted to let you know that your first iptables-rule repeats itself:

$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
        $IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN

Is it just a double pasting error or was the second line supposed to do something else?

 

Submitted by Anonymous (not registered) on Thu, 2009-12-10 18:35.
what's up with all the iptables definitions extif extip universe and all that?
Submitted by barik (not registered) on Sun, 2009-03-15 04:05.

Hi ,

 I would like to ask here , if it possible. How to add additional keys for new users to the operation system

Currently I have openvpn 2.0.9 on Centos 5.2 and all seems to be working fine , yes including iptables. The problem I currently have is how to add additional users to the system.

This is what I do

1. cd /etc/openvpn/easy-rsa/2.0

2 ./clean-all

3. source./vars

4. ./build-ca

5.  ./build-key newuser

6. ./build-dh

7.  cp keys/dh1024.pem  /etc/openvpn

 

Am I missing something ?

 

Thank you guys

 

 

 

 

Submitted by linuxscooter (registered user) on Mon, 2009-03-16 11:24.

The ./build-key newuser should work on it's own.

Are their any messages in the logs?

Also you may have to hash out "duplicate-cn"?

C

Submitted by barik (not registered) on Mon, 2009-03-16 14:27.

Hi ,

Thank you for your quick response.

here is what happens when I do ./buil-key newuser

cd /etc/openvpn/easy-rsa/2.0/
[root@groundwork 2.0]# ./build-key newuser1
  Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.
[root@groundwork 2.0]# 

Submitted by linuxscooter (registered user) on Tue, 2009-03-17 12:30.

Hi Barik,

I have seen this before and frankly I just followed the hints the message gave me. Unfortunately I can't give you a concrete answer as firstly I don't have a test box to replicate your situation and secondly most of my setups are one key/multi user. I know thats not ideal but it works.

Try follow the hints they give you and I will gladly update the howto if you come right.

C

Submitted by barik (not registered) on Wed, 2009-04-01 03:00.

Thank you very much.

I made it working.

Openvpn is the best ;-)=)

Submitted by selinux (not registered) on Thu, 2009-03-12 10:15.

Why you disable SELINUX? CentOS 5.2 include selinux policy also for OpenVPN. Selinux works great with OpenVPN with default install. If you change port, you need only add this port to selinux context:

#semanage port -a -t openvpn_port_t -p tcp 1723

PS: SELINUX is great security enhancement for linux and I dont know why most people turn it off after install.

Submitted by linuxscooter (registered user) on Mon, 2009-03-16 09:38.
Thanks, I have added this to the howto...
Submitted by babyadministrator (not registered) on Tue, 2009-03-10 21:02.
You could just use http://www.smoothwall.org/  smoothwall express
Submitted by doman (not registered) on Thu, 2010-03-25 21:58.

what has smoothwall firewall to do with VPN server system? If your post was about VPN - I don't understand it. If it was about SELinux - I still don't understand it.

Submitted by Anonymous (not registered) on Mon, 2009-03-09 18:49.
I have problems with aplying firewall rules, could you describe it better please?
Submitted by linuxscooter (registered user) on Wed, 2009-03-11 11:12.

Hi,

Essentially you just need to allow in, out and forwarding of all traffic on port 1723, and possibly your tun0 interface (if you use multiple interfaces).

Otherwise try turning off the firewall temporarily to test the VPN is actually working. In this howto I described using a script for your firewall although the default centos setup will use /etc/sysconfig/iptables.

C

Submitted by Anonymous (not registered) on Fri, 2009-03-06 12:26.

There is a typo in your how-to. You probably mean mail and not nail

 yum install -y nail
nail -s “Keys" -a keys.zip me@mydomain.co.za

Submitted by linuxscooter (registered user) on Fri, 2009-03-06 17:26.

Hi,

No, I meant nail:) I normally find it handy for sending attachments quickly and I guess it's just a habit...

C

Submitted by Johann (not registered) on Thu, 2009-03-05 20:31.
The author may wish to edit the HOWTO to point out that in the first steps, the user must at least "sudo" if not su - .
Submitted by linuxscooter (registered user) on Thu, 2009-03-05 21:28.

Hi Guys,

Thanks for your input. I have updated the intro accordingly. Mirostz - I have never used that command to check my server so not sure why you are getting this error.

Perhaps check a few basics like does the service start successfully?

Check that the service is running on the correct port - in your case a 'netstat -ntlp | grep 1194'. On one of my setups (using port 1723) it looks like so:

[root@fw1 ~]# netstat -ntlp | grep 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      2310/openvpn        
[root@fw1 ~]#

Check for any messages in messages like 'grep vpn /var/log/messages'

Let us know if you get any further:)

Cameron

Submitted by mirostz (not registered) on Thu, 2009-03-05 15:27.

Hello guys I have a very strange problem i can not find anything about it in google. So i want to ask here can someone help me. I have installed and configured everything as i should lzo and openvpn are installed. I have generated all the keys for the server and i have done the server.conf file like this:
dev tun
proto tcp
port 1194

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

user nobody
group nogroup
server 10.8.0.0 255.255.255.0

persist-key
persist-tun

#status openvpn-status.log
#verb 3
client-to-client

push “redirect-gateway def1″

#log-append /var/log/openvpn
comp-lzo

my crt and key files are in the same directory as my config file. but when i do
]# openvpn –config server.conf
Options error: Unrecognized option or missing parameter(s) in server.conf:5: ca (2.0.9)
Use –help for more information.

I get this unusual error and i can not find out why it this happening whats wrong with ca ca.crt line
Please help me.

Submitted by dzikus (not registered) on Thu, 2009-03-05 13:52.

You don't need to chmod +x ./vars, you should only do:
 $ . ./vars
This is include to vars included in file "vars" :)

Submitted by linuxscooter (registered user) on Thu, 2009-03-05 15:36.

 Thanks dzikus, I have changed the howto accordingly:)

Submitted by dzikus (not registered) on Fri, 2009-03-06 12:43.

And You do it incorrectly, this should be: . ../vars not: ../vars

Submitted by linuxscooter (registered user) on Fri, 2009-03-06 17:24.

Yes I realised that last night but was rushing:)

Thanks again, I have changed it.

C

 

Submitted by Anonymous (not registered) on Wed, 2009-10-21 15:23.
thanks so much for this how to, i now have my centos 5.3 running openvpn. but i am having problem connecting to it using my window client. pls can you me out.