Comments on OpenVPN Server On CentOS 5.2

OpenVPN Server On CentOS 5.2

So your users need access to Exchange and data from outside your organisation. Sure, you can set up RPC over HTTPS and various other tools to access the data. I just find OpenVPN very good, convenient and reliable.

34 Comment(s)


Comments

By: Anonymous

Hi, nice post!

Just wanted to let you know that your first iptables-rule repeats itself:

$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN

Is it just a double pasting error or was the second line supposed to do something else?

 

By: Anonymous

What's up with all the iptables definitions, EXTIF, EXTIP, UNIVERSE and all that?

By: barik

Thank you very much.

I got it working.

Openvpn is the best ;-)=)

By:

Hi Guys,

Thanks for your input. I have updated the intro accordingly. Mirostz - I have never used that command to check my server so not sure why you are getting this error.

Perhaps check a few basics like does the service start successfully?

Check that the service is running on the correct port - in your case a 'netstat -ntlp | grep 1194'. On one of my setups (using port 1723) it looks like so:

[root@fw1 ~]# netstat -ntlp | grep 1723
tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      2310/openvpn        
[root@fw1 ~]#

Check for any messages in /var/log/messages, e.g. 'grep vpn /var/log/messages'.

Let us know if you get any further:)

Cameron

By:

Hi Barik,

I have seen this before and frankly I just followed the hints the message gave me. Unfortunately I can't give you a concrete answer, as firstly I don't have a test box to replicate your situation and secondly most of my setups are one key/multi user. I know that's not ideal but it works.

Try following the hints they give you and I will gladly update the howto if you come right.

C

By:

Thanks, I have added this to the howto...

By: dzikus

And you do it incorrectly; this should be: . ../vars, not: ../vars

By:

Yes I realised that last night but was rushing:)

Thanks again, I have changed it.

C

 

By: Anonymous

Thanks so much for this howto, I now have my CentOS 5.3 running OpenVPN. But I am having problems connecting to it using my Windows client. Please can you help me out.

By: Anonymous

There is a typo in your how-to. You probably mean mail and not nail:

yum install -y nail
nail -s "Keys" -a keys.zip [email protected]

By:

Hi,

No, I meant nail:) I normally find it handy for sending attachments quickly and I guess it's just a habit...

C

By:

The ./build-key newuser should work on its own.

Are there any messages in the logs?

Also you may have to hash out "duplicate-cn"?

C

By: barik

Hi,

Thank you for your quick response.

Here is what happens when I do ./build-key newuser:

cd /etc/openvpn/easy-rsa/2.0/
[root@groundwork 2.0]# ./build-key newuser1
  Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.
[root@groundwork 2.0]# 

By: barik

Hi,

I would like to ask here, if possible: how do I add additional keys for new users to the operating system?

Currently I have OpenVPN 2.0.9 on CentOS 5.2 and all seems to be working fine, yes, including iptables. The problem I currently have is how to add additional users to the system.

This is what I do:

1. cd /etc/openvpn/easy-rsa/2.0

2. ./clean-all

3. source./vars

4. ./build-ca

5. ./build-key newuser

6. ./build-dh

7. cp keys/dh1024.pem /etc/openvpn

Am I missing something?

Thank you guys

By: selinux

Why do you disable SELinux? CentOS 5.2 includes an SELinux policy for OpenVPN as well. SELinux works great with OpenVPN with the default install. If you change the port, you only need to add this port to the SELinux context:

#semanage port -a -t openvpn_port_t -p tcp 1723

PS: SELinux is a great security enhancement for Linux and I don't know why most people turn it off after install.

By: Anonymous

I have problems with applying the firewall rules, could you describe it better please?

By:

Hi,

Essentially you just need to allow in, out and forwarding of all traffic on port 1723, and possibly your tun0 interface (if you use multiple interfaces).

Otherwise, try turning off the firewall temporarily to test that the VPN is actually working. In this howto I described using a script for your firewall, although the default CentOS setup will use /etc/sysconfig/iptables.

C

By: babyadministrator

You could just use http://www.smoothwall.org/  smoothwall express

By: doman

What has the smoothwall firewall to do with a VPN server system? If your post was about VPN, I don't understand it. If it was about SELinux, I still don't understand it.

By: dzikus

You don't need to chmod +x ./vars, you should only do:

 $ . ./vars

This sources the variables defined in the file "vars" :)

By:

 Thanks dzikus, I have changed the howto accordingly:)

By: mirostz

Hello guys, I have a very strange problem and I cannot find anything about it on Google, so I want to ask here: can someone help me? I have installed and configured everything as I should; lzo and openvpn are installed. I have generated all the keys for the server and I have done the server.conf file like this:
dev tun
proto tcp
port 1194

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

user nobody
group nogroup
server 10.8.0.0 255.255.255.0

persist-key
persist-tun

#status openvpn-status.log
#verb 3
client-to-client

push "redirect-gateway def1"

#log-append /var/log/openvpn
comp-lzo

My crt and key files are in the same directory as my config file. But when I do
]# openvpn --config server.conf
Options error: Unrecognized option or missing parameter(s) in server.conf:5: ca (2.0.9)
Use --help for more information.

I get this unusual error and I cannot find out why this is happening. What's wrong with the "ca ca.crt" line?
Please help me.

By: Johann

The author may wish to edit the HOWTO to point out that in the first steps, the user must at least "sudo" if not su - .

By:

Instead of using 3 separate files for the clients (ca, cert, key) you can use the common PKCS12 file format. To do this, generate a client key with the command:
build-key-pkcs12 client1
This will create the normal set of files, plus a new .p12 file - this is the combined file. It can be used in the client configuration file as a single command: pkcs12 client1

Warning: don't set a password when generating the key.

By:

Thanks.

I am aware of the EPEL repos but did not need them for this setup.

Best Regards

C

By:

Hello m8, nice tutorial ... you are missing rpm -ihv ftp://ftp.univie.ac.at/systems/linux/fedora/epel/5/i386/epel-release-5-2.noarch.rpm before yum install openvpn

By: debian38

Nice tutorial???

It should be forbidden to allow this kind of tutorial...

1) We build the CA keys two times... Why??

2) "UDP is faster on slow lines...". Lol, you did not understand the transport layer. UDP is *always* faster, because it works with datagrams (like IP). REMEMBER: WORKING WITH TCP over TCP is HERESY. And this tutorial uses TCP!! Imagine an error of transmission in your TCP tunnel: it is retransmitted inside the tunnel of course, but the TCP packets encapsulating your tunnel are re-transmitted too.....

3) The best for last. When you archive your keys for your clients, I recommend you to NOT provide the root ca.key (key signing machine only!!!)

If you did not understand these comments, don't install a VPN...

By: Anonymous

wow. what a douche reply. Work on your engrish before insulting people.

By: Daniel

I've installed OpenVPN on my server, everything is set up correctly and I've also created a client key on the server.

But the problem is, when I set up the OpenVPN client on Windows it gives the following error. I've copied all key, crt and csr files to the OpenVPN config folder on the Windows machine.

Here is the error:

OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '3514370b'
Expected Remote Options hash (VER=V4): '239669a8'
UDPv4 link local: [undef]
UDPv4 link remote: 172.16.0.1:1723

So is there any configuration remaining on the server side?

Which IP address should I use in the openvpn.conf file, and which IP should I use on the Windows machine for the client.ovpn file?

Suppose my server IP is 192.168.1.1, so tell me: should I use this IP for the openvpn.conf server parameter as well as for the remote parameter on the Windows machine in the client.ovpn file in the config folder?

Please help !!

By: Anonymous VPN

I want to know, if I want users to log on with username & password, how should I do it???

And I found the Anonymous VPN service provider for commercial use.

 

By: Mochammad RIvai

Now I use OpenVPN from 13 sites, and this is good news: they are stable ...

Thank you

By: pavels

Thanks. However, the client configuration is way incomplete.

By:

Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes.

Typical reasons for wanting to revoke a certificate include:

    * The private key associated with the certificate is compromised or stolen.
    * The user of an encrypted private key forgets the password on the key.
    * You want to terminate a VPN user's access.

As an example, we will revoke the client2 certificate, which we generated above in the "key generation".
First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation". On Linux/BSD/Unix:

. ./vars
./revoke-full client2

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

openvpn.conf
crl-verify /etc/openvpn/crl/crl.pem

Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.
(Info from openvpn.net.)
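The revocation flow above, as an added example that is not code from the howto or from openvpn.net: a throw-away CA built with plain openssl (assumed installed), one "client2" certificate, and a cert_status function that performs the same check crl-verify makes the server perform, run before and after the certificate is revoked and crl.pem regenerated. The easy-rsa scripts (build-ca, build-key, revoke-full) wrap these same openssl ca operations; the config file, file names and CN values here are constructed for the example.

```shell
# Added example (not code from the howto): a throw-away CA built with plain openssl;
# easy-rsa's build-ca, build-key and revoke-full wrap these same openssl ca steps.
set -e
cd "$(mktemp -d)"
mkdir keys; touch keys/index.txt; echo 01 > keys/serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = easyrsa_like
[ easyrsa_like ]
dir                = keys
database           = $dir/index.txt
new_certs_dir      = $dir
serial             = $dir/serial
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = any_cn
[ any_cn ]
commonName         = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints   = critical, CA:true
EOF
q() { "$@" >/dev/null 2>&1; }   # silence openssl's chatter
# build-ca and "build-key client2" equivalents (constructed names)
q openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 -subj /CN=TestCA -keyout keys/ca.key -out keys/ca.crt
q openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=client2 -keyout keys/client2.key -out keys/client2.csr
q openssl ca -batch -notext -config ca.cnf -in keys/client2.csr -out keys/client2.crt
# The check crl-verify makes the server do: chain to ca.crt, then look the serial up in crl.pem.
cert_status() {   # $1 = client cert; prints ok, revoked or error: <openssl output>
    cat keys/ca.crt keys/crl.pem > ca_and_crl.pem
    out=$(openssl verify -crl_check -CAfile ca_and_crl.pem "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo "error: $out" ;;
    esac
}
q openssl ca -config ca.cnf -gencrl -out keys/crl.pem    # empty CRL so far
before=$(cert_status keys/client2.crt)                    # ok
q openssl ca -config ca.cnf -revoke keys/client2.crt      # what ./revoke-full client2 does
q openssl ca -config ca.cnf -gencrl -out keys/crl.pem     # regenerate crl.pem
after=$(cert_status keys/client2.crt)                     # revoked
echo "client2 before revocation: $before, after: $after"
```

Note that a CRL only takes effect after the new crl.pem is copied to the path named by crl-verify; an old copy still reports the revoked client as ok.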

By:

Please let me know whether OpenVPN supports dynamic IP addresses or not.