English | 
Deutsch
On this page
OpenVPN Server On CentOS 5.2
So your users need access to Exchange and data from outside your organisation. Sure you can set up RPC over HTTPS and various other tools to access the data. I just find OpenVPN very good, convenient and reliable.
And after battling to find a good simple HOWTO, I put this together. It's a quick and nasty but it works!:)
Firstly, ensure you are root, and just in case the OpenVPN is not in the base repository, add the rpmforge repo (these steps you can find elsewhere).
If you use selinux you will need this:
#semanage port -a -t openvpn_port_t -p tcp 1723yum install openvpn
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
. ../vars
chmod +rwx *
./clean-all
source ./vars
vi ../vars
(At the bottom of the files change the values to match the site.)
vi vars
(At the bottom of the files change the values to match the site.)
./build-ca
(This builds the CA certificate.)
source ./vars
./clean-all
./build-ca
./build-key-server server
(This builds the server.key file.)
vi /etc/openvpn/openvpn.conf
(For slow lines UDP is faster. Use the below as a starting point:)
port 1723 # (1194 is the default but on some APN networks this is blocked) proto tcp dev tun ca ca.crt cert server.crt key server.key dh dh1024.pem server 172.16.0.0 255.255.255.0 push "dhcp-option DNS 192.168.168.1" push "dhcp-option DNS 168.210.2.2" #push "dhcp-option WINS 192.168.1.2" push "route 192.168.168.0 255.255.255.0" ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo user nobody group users persist-key persist-tun status openvpn-status.log verb 3 client-to-client duplicate-cn # (this means several users can use the same key)
cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh (builds the dh1024)
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start
chkconfig --list | grep vpn
(Make sure it is set to start at boot.)
./build-key <name>
(Repeat and rinse if you want several individual client keys.)
cd keys/
zip keys.zip ca.crt ca.key <name>.crt <name>.csr <name>.key
yum install -y nail
nail -s “Keys" -a keys.zip [email protected]
netstat -ntpl | grep 1723
Set the iptables firewall rules to allow with these rules:
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT
# OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT
Follow the client side instructions from here...
Installing OpenVPN GUI On Windows XP / Vista
Once the OpenVPN server has been setup and the client key(s) made available to you for installation, follow these steps to roll the VPN out to the clients:
-Download the client software here: http://www.openvpn.se/. The tested version is 1.0.3. Version 2.0.9 works on Vista with the following in the client.ovpn file:
route-method exeroute-delay 2
-Install the program.
-Under C:\Program Files\OpenVPN\config place the following:
ca.crt
ca.key
client.ovpn (you might need to edit this file later)
<name>.crt (eg. johnl.crt)
<name>.csr
<name>.key
-Edit the client.ovpn file and ensure that the following fields match up for the site / user:
# The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote <myserver> 1723 ;remote my-server-2 1194 # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert <name>.crt key <name>.key
-Start OpenVPN and the client machine should connect. This is done by right clicking the OpenVPN in the task tray and clicking 'connect' or after starting the program via the start menu.
Suggested articles
34 Comment(s)
Comments
Hi, nice post!
Just wanted to let you know that your first iptables-rule repeats itself:
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
Is it just a double pasting error or was the second line supposed to do something else?
what's up with all the iptables definitions extif extip universe and all that?
Thank you very much.
I made it working.
Openvpn is the best ;-)=)
Hi Guys,
Thanks for your input. I have updated the intro accordingly. Mirostz - I have never used that command to check my server so not sure why you are getting this error.
Perhaps check a few basics like does the service start successfully?
Check that the service is running on the correct port - in your case a 'netstat -ntlp | grep 1194'. On one of my setups (using port 1723) it looks like so:
[[email protected] ~]# netstat -ntlp | grep 1723tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 2310/openvpn
[[email protected] ~]#
Check for any messages in messages like 'grep vpn /var/log/messages'
Let us know if you get any further:)
Cameron
Hi Barik,
I have seen this before and frankly I just followed the hints the message gave me. Unfortunately I can't give you a concrete answer as firstly I don't have a test box to replicate your situation and secondly most of my setups are one key/multi user. I know thats not ideal but it works.
Try follow the hints they give you and I will gladly update the howto if you come right.
C
Thanks, I have added this to the howto...
And You do it incorrectly, this should be: . ../vars not: ../vars
Yes I realised that last night but was rushing:)
Thanks again, I have changed it.
C
thanks so much for this how to, i now have my centos 5.3 running openvpn. but i am having problem connecting to it using my window client. pls can you me out.
There is a typo in your how-to. You probably mean mail and not nail
yum install -y nail
nail -s “Keys" -a keys.zip [email protected]
Hi,
No, I meant nail:) I normally find it handy for sending attachments quickly and I guess it's just a habit...
C
The ./build-key newuser should work on it's own.
Are their any messages in the logs?
Also you may have to hash out "duplicate-cn"?
C
Hi ,
Thank you for your quick response.
here is what happens when I do ./buil-key newuser
cd /etc/openvpn/easy-rsa/2.0/
[[email protected] 2.0]# ./build-key newuser1
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
[[email protected] 2.0]#
Hi ,
I would like to ask here , if it possible. How to add additional keys for new users to the operation system
Currently I have openvpn 2.0.9 on Centos 5.2 and all seems to be working fine , yes including iptables. The problem I currently have is how to add additional users to the system.
This is what I do
1. cd /etc/openvpn/easy-rsa/2.0
2 ./clean-all
3. source./vars
4. ./build-ca
5. ./build-key newuser
6. ./build-dh
7. cp keys/dh1024.pem /etc/openvpn
Am I missing something ?
Thank you guys
Why you disable SELINUX? CentOS 5.2 include selinux policy also for OpenVPN. Selinux works great with OpenVPN with default install. If you change port, you need only add this port to selinux context:
#semanage port -a -t openvpn_port_t -p tcp 1723
PS: SELINUX is great security enhancement for linux and I dont know why most people turn it off after install.
I have problems with aplying firewall rules, could you describe it better please?
Hi,
Essentially you just need to allow in, out and forwarding of all traffic on port 1723, and possibly your tun0 interface (if you use multiple interfaces).
Otherwise try turning off the firewall temporarily to test the VPN is actually working. In this howto I described using a script for your firewall although the default centos setup will use /etc/sysconfig/iptables.
C
You could just use http://www.smoothwall.org/ smoothwall express
what has smoothwall firewall to do with VPN server system? If your post was about VPN - I don't understand it. If it was about SELinux - I still don't understand it.
You don't need to chmod +x ./vars, you should only do:
$ . ./vars
This is include to vars included in file "vars" :)
Thanks dzikus, I have changed the howto accordingly:)
Hello guys I have a very strange problem i can not find anything about it in google. So i want to ask here can someone help me. I have installed and configured everything as i should lzo and openvpn are installed. I have generated all the keys for the server and i have done the server.conf file like this:
dev tun
proto tcp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push “redirect-gateway def1?
#log-append /var/log/openvpn
comp-lzo
my crt and key files are in the same directory as my config file. but when i do
]# openvpn –config server.conf
Options error: Unrecognized option or missing parameter(s) in server.conf:5: ca (2.0.9)
Use –help for more information.
I get this unusual error and i can not find out why it this happening whats wrong with ca ca.crt line
Please help me.
The author may wish to edit the HOWTO to point out that in the first steps, the user must at least "sudo" if not su - .
ENG
Instead of using the clients of 3 separate files (ca, cert, key) you can use a common file format PKCS12. To do this, generate a key client comand:
build-key-pkcs12 client1
This will create a normal set of files, and a new file .p12 - it is this combined file.It can be used in the client configuration file as a single comand: pkcs12 client1
Warning: don't set a password when generate key.
RU
?????? ????????????? ?? ???????? 3-?? ?????????? ?????? (ca, cert, key) ????? ???????????? ?????? ???? ??????? PKCS12. ??? ????? ???? ???????????? ???? ??????? ????????:
build-key-pkcs12 client1
????? ?????? ? ??????? ???????? ??????, ? ????? ???? .p12 - ??? ? ???? ???? ??????????????? ????. ??? ????? ???????????? ? ??????? ??????? ????? ???????? pkcs12 ?????? ???? ?????? ca, cert, key.
????? ??? ????????? ????? ????? ????? ?????? ?????? ??? ?????? ?????????? ?????, ? ????? ?????? ?????? ??? ??? ????????? ?????????? ????? ????????????? ?????? ??? ??????? ? ?????????? ????? (????????! ??? ?????? ?????? ??? ??????? ???????, ?.?. ?? ?? ?????? ????????? ?????? ? ?? ?????? ?????????? ??????????.). ??????? ????? ????? ?????, ??? ???????????? ????? ????? ?????????????? ????????/???????/?????????? ?????? ?????? ?????????? ?????.
Thanks.
I am aware of the EPEL repos but did not need them for this setup.
Best Regards
C
Hello m8, nice tutorial ... you are missing rpm -ihv ftp://ftp.univie.ac.at/systems/linux/fedora/epel/5/i386/epel-release-5-2.noarch.rpm before yum install openvpn
Nice tutorial???
It should be forbidden to allow this kind of tutorial...
1) we build two times the ca keys... Why??
2) "UDP is faster on slow lines...". Lol, you did not understand the transport layer. UDP is *always* faster, because it works with datagrams (like IP). REMEMBER WORKING WITH TCP over TCP is an HERESY. And this tutorial use TCP!! Imagine an error of transmission in your TCP tunnel, it is restransmitted inside the tunnel of course, but the TCP packets encapsulating your tunnel are re-transmitted too.....
3) The better for the end. When you archive your keys for your clients, I recommend you to NOT provide the root ca.key (key signing machine only!!!)
If you did not understand these comments, don't install a VPN...
wow. what a douche reply. Work on your engrish before insulting people.
I've installed openvpn on my server everything is setup correctly and i've also created client key on server.
But the problem is when I setup openvpn client on windows it's gives following error. I've copied all key,crt,csr files to openvpn config folder on windows machine
here is error
OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '3514370b'
Expected Remote Options hash (VER=V4): '239669a8'
UDPv4 link local: [undef]
UDPv4 link remote: 172.16.0.1:1723
so is there any configuration remain on server side
which ip address i should use in openvpn.conf file and which ip i should use in windows machine for client.ovpn file
suppose my server ip is 192.168.1.1, so tell me should i use this ip for openvpn.conf server parameter as well as for remote parameter for windows machine in client.ovpn file in config folder.
Please help !!
I want to know if I want to user logon with username & password, how should I do ???
And I found the Anonymous VPN service provider for commercial.
now i use openvpn from 13 site '
and this good new . there are stabil ...
thank you
Thanks. However client configuration is way incomplete
Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes.
Typical reasons for wanting to revoke a certificate include:
* The private key associated with the certificate is compromised or stolen.
* The user of an encrypted private key forgets the password on the key.
* You want to terminate a VPN user's access.
As an example, we will revoke the client2 certificate, which we generated above in the "key generation".
First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation". On Linux/BSD/Unix:
. ./vars
./revoke-full client2
The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
openvpn.conf
crl-verify /etc/openvpn/crl/crl.pem
Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.
get info from openvpn.net
Pls let me know OpenVPN support dynamic ip address or not .