Scientific Linux 6

Install/Configure OpenVPN    2011/05/30

Install OpenVPN to configure a Virtual Private Network.
This example configures the environment below ( bridge mode ). ( [172.16.2.1] is actually a private IP address here, though; replace it with your global IP address. )
(1) VPN Server
    [172.16.2.1]    - global IP address
    [10.0.0.50]     - eth0 ( real IP address )
    [10.0.0.60]     - br0 ( newly set up as a bridge )
(2) VPN Client ( Windows )
    [192.168.0.244] - real IP address
    [10.0.0.??]     - assigned automatically by the VPN server

By the way, it's necessary to configure NAT/port forwarding on your router. By default the VPN server listens on UDP/1194. In this example, UDP requests to port 1194 from the Internet need to be forwarded to 10.0.0.60:1194 in the LAN.
[1] Install and Configure OpenVPN
[root@vpn ~]# yum --enablerepo=epel -y install openvpn bridge-utils
# install from EPEL
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
[root@vpn ~]# vi /etc/openvpn/server.conf
# line 53: change
dev tap0
# line 78: change like follows
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# line 87: change
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# line 96: comment out
#server 10.8.0.0 255.255.255.0
# line 103: comment out
#ifconfig-pool-persist ipp.txt
# line 115: uncomment and change ( [VPN server's IP] [subnetmask] [the range of IPs for clients] )
server-bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254
# line 138: add ( [network the VPN server is in] [subnetmask] )
push "route 10.0.0.0 255.255.255.0"
# line 275: change
status /var/log/openvpn-status.log
# line 284: uncomment and change
log /var/log/openvpn.log
log-append /var/log/openvpn.log
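A mistake in the server-bridge line ( pool outside the bridge subnet, pool overlapping the bridge address itself, or a pushed route that does not match the subnet ) only shows up when the first client connects and cannot reach the LAN. The following POSIX sh script is an added check, not part of the original page or of OpenVPN: it reads the server-bridge and push "route ..." directives from server.conf and validates them before the daemon is started. The function names ( ip2int, check_bridge_pool, check_server_conf ) are my own; it needs only a POSIX shell and awk.

```shell
#!/bin/sh
# Added example: validate the bridge pool and pushed route in an OpenVPN
# server.conf (bridge mode). Not taken from the original page.

# ip2int DOTTED_QUAD : print the address as an unsigned integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# check_bridge_pool BRIDGE_IP NETMASK POOL_START POOL_END
# Returns 0 when the pool is usable with the given bridge address, otherwise
# prints the first problem found and returns 1.
check_bridge_pool() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    first=$(ip2int "$3"); last=$(ip2int "$4")
    net=$(( ip & mask ))
    bcast=$(( net | (mask ^ 4294967295) ))
    [ $(( first & mask )) -eq "$net" ] || { echo "pool start $3 is outside $1/$2"; return 1; }
    [ $(( last & mask )) -eq "$net" ]  || { echo "pool end $4 is outside $1/$2"; return 1; }
    [ "$first" -le "$last" ]            || { echo "pool start $3 is after pool end $4"; return 1; }
    [ "$first" -gt "$net" ]             || { echo "pool includes the network address"; return 1; }
    [ "$last" -lt "$bcast" ]            || { echo "pool includes the broadcast address"; return 1; }
    if [ "$ip" -ge "$first" ] && [ "$ip" -le "$last" ]; then
        echo "bridge address $1 lies inside the client pool"; return 1
    fi
    return 0
}

# check_server_conf FILE : read the directives from server.conf and check
# that the pool is sane and that the pushed route is the bridge subnet.
check_server_conf() {
    conf=$1
    # Commented lines in server.conf start with ';' or '#', so $1 never
    # equals the bare directive name for them.
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5; exit }' "$conf")
    [ $# -eq 4 ] || { echo "no server-bridge line with a pool in $conf"; return 1; }
    check_bridge_pool "$1" "$2" "$3" "$4" || return 1
    bridge_net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    bridge_mask=$2
    # push "route 10.0.0.0 255.255.255.0" -> strip the quotes, keep net + mask
    set -- $(awk '$1 == "push" && $2 ~ /^"route$/ { gsub(/"/, ""); print $3, $4; exit }' "$conf")
    [ $# -eq 2 ] || { echo "no pushed route in $conf"; return 1; }
    route_net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    [ "$route_net" -eq "$bridge_net" ] && [ "$2" = "$bridge_mask" ] \
        || { echo "pushed route $1 $2 does not match the bridge subnet"; return 1; }
    return 0
}

# Usage:  sh check-bridge.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
    check_server_conf "$1" && echo "$1: bridge pool and route look consistent"
fi
```

With the values used on this page ( bridge 10.0.0.60/24, pool 10.0.0.200-10.0.0.254, route 10.0.0.0/24 ) the check passes; a pool such as 10.0.0.50-10.0.0.70 would be rejected because it contains the bridge address.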
[2] Create CA certificate and CA key.
[root@vpn ~]# cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
[root@vpn ~]# cd /etc/openvpn/easy-rsa
[root@vpn easy-rsa]# mkdir keys
[root@vpn easy-rsa]# vi vars
# line 64: change to your environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="xxx@srv.world"
[root@vpn easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@vpn easy-rsa]# ./clean-all
[root@vpn easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:    # Enter
State or Province Name (full name) [Hiroshima]:    # Enter
Locality Name (eg, city) [Hiroshima]:    # Enter
Organization Name (eg, company) [GTS]:    # Enter
Organizational Unit Name (eg, section) []:    # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:vpn.srv.world    # input FQDN
Name []:server-ca    # set
Email Address [xxx@srv.world]:    # Enter
[3] ca.crt is created under "/etc/openvpn/easy-rsa/keys"; transfer it to your client PC via FTP, SFTP or similar.
[4] Create certificate and key for server.
[root@vpn easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:    # Enter
State or Province Name (full name) [Hiroshima]:    # Enter
Locality Name (eg, city) [Hiroshima]:    # Enter
Organization Name (eg, company) [GTS]:    # Enter
Organizational Unit Name (eg, section) []:    # Enter
Common Name (eg, your name or your server's hostname) [server]:vpn.srv.world    # input FQDN
Name []:server    # set
Email Address [xxx@srv.world]:    # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.srv.world'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'xxx@srv.world'
Certificate is to be certified until May 17 20:20:18 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[5] Generate Diffie-Hellman ( DH ) parameters.
[root@vpn easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[6] Create certificate and key for client.
[root@vpn easy-rsa]# ./build-key-pass client
Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase:    # set pass-phrase
Verifying - Enter PEM pass phrase:    # confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:    # Enter
State or Province Name (full name) [Hiroshima]:    # Enter
Locality Name (eg, city) [Hiroshima]:    # Enter
Organization Name (eg, company) [GTS]:    # Enter
Organizational Unit Name (eg, section) []:    # Enter
Common Name (eg, your name or your server's hostname) [client]:vpn.srv.world    # input FQDN
Name []:client    # set
Email Address [xxx@srv.world]:    # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.srv.world'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'xxx@srv.world'
Certificate is to be certified until May 17 20:33:28 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[7] client.crt and client.key are created under "/etc/openvpn/easy-rsa/keys"; transfer them to your client PC via FTP, SFTP or similar.
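Before the files leave the server it is worth checking what easy-rsa actually produced. The script below is an added example, not part of the original page or of easy-rsa: it verifies every certificate in the keys directory against ca.crt, reports the RSA key size of each certificate and the prime size of the DH file, and flags client certificates that share a Common Name ( OpenVPN drops a second client presenting an already-connected CN unless duplicate-cn is set, so each client needs its own CN if you generate more than one ). Two caveats from a practitioner's view: the 1024-bit key and DH sizes shown on this page were the easy-rsa defaults in 2011 but are below the 2048-bit floor of current guidance, so the threshold below flags them; and client.key is a private key, so of the transfer methods named above prefer SFTP over FTP. The script assumes openssl on PATH and the file names used on this page ( ca.crt, server.crt, client.crt, dh1024.pem ); the function names are my own.

```shell
#!/bin/sh
# Added example: inspect the easy-rsa output directory before handing files
# to clients. Not taken from the original page.

MIN_BITS=${MIN_BITS:-2048}   # the page generates 1024-bit keys; 2048 is the current floor

# Pull the bit length out of "openssl ... -text" output such as
#   "RSA Public-Key: (1024 bit)"  or  "DH Parameters: (1024 bit)".
# Reads stdin and prints the number, or nothing if no size line is present.
bits_from_text() {
    sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Pull the CN out of an "openssl x509 -subject" line, in either the old
# "/C=JP/.../CN=host/..." or the newer "C = JP, ..., CN = host, ..." layout.
subject_cn() {
    sed -n 's/.*CN *= *\([^/,]*\).*/\1/p' | head -n 1
}

# meets_min_bits BITS MIN : true when BITS is a number >= MIN
meets_min_bits() {
    [ -n "$1" ] && [ "$1" -ge "$2" ]
}

cert_bits() { openssl x509 -in "$1" -noout -text | bits_from_text; }
cert_cn()   { openssl x509 -in "$1" -noout -subject | subject_cn; }
dh_bits()   { openssl dhparam -in "$1" -noout -text | bits_from_text; }

# check_keys_dir DIR : every certificate must chain to ca.crt, every key and
# the DH prime must meet MIN_BITS, and client CNs must be unique.
# Reports all findings and returns 1 if any check failed.
check_keys_dir() {
    dir=$1; rc=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        bits=$(cert_bits "$crt")
        meets_min_bits "$bits" "$MIN_BITS" \
            || { echo "$crt: ${bits:-unknown}-bit key, want >= $MIN_BITS"; rc=1; }
        [ "$crt" = "$dir/ca.crt" ] && continue
        openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
            || { echo "$crt: does not verify against ca.crt"; rc=1; }
    done
    for dh in "$dir"/dh*.pem; do
        [ -f "$dh" ] || continue
        bits=$(dh_bits "$dh")
        meets_min_bits "$bits" "$MIN_BITS" \
            || { echo "$dh: ${bits:-unknown}-bit prime, want >= $MIN_BITS"; rc=1; }
    done
    # Duplicate CNs among client certificates (everything except ca.crt and server.crt).
    dups=$(for crt in "$dir"/*.crt; do
               [ -f "$crt" ] || continue
               case "$crt" in
                   "$dir/ca.crt"|"$dir/server.crt") ;;
                   *) cert_cn "$crt" ;;
               esac
           done | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate client CN(s): $dups"; rc=1; }
    return $rc
}

# Usage:  sh check-keys.sh /etc/openvpn/easy-rsa/keys
if [ -n "${1:-}" ]; then
    check_keys_dir "$1" && echo "$1: all checks passed"
fi
```

Run against the directory produced by the steps above, the verify step passes for server.crt and client.crt, while the size checks report the 1024-bit keys and dh1024.pem because MIN_BITS defaults to 2048; set MIN_BITS=1024 in the environment to reproduce the page's 2011 baseline.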
[8] Start OpenVPN
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-stop /etc/openvpn/
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-start /etc/openvpn/
[root@vpn ~]# chmod 755 /etc/openvpn/bridge-start
[root@vpn ~]# chmod 755 /etc/openvpn/bridge-stop
[root@vpn ~]# vi /etc/openvpn/bridge-start
# line 17-20: change
eth="eth0"                      # change if needed
eth_ip="10.0.0.60"              # IP address for the bridge
eth_netmask="255.255.255.0"     # subnetmask
eth_broadcast="10.0.0.255"      # broadcast address
[root@vpn ~]# vi /etc/rc.d/init.d/openvpn
  start)
   echo -n $"Starting openvpn: "
# line 126: add
   /etc/openvpn/bridge-start
# line 205: add
   /etc/openvpn/bridge-stop
   success; echo
   rm -f $lock
[root@vpn ~]# /etc/rc.d/init.d/openvpn start
Starting openvpn: tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mon May 30 22:48:15 2011 TUN/TAP device tap0 opened
Mon May 30 22:48:15 2011 Persist state set to: ON
Bridge firewalling registered
device eth1 entered promiscuous mode
device tap0 entered promiscuous mode
br0: port 2(tap0) entering learning state
br0: port 1(eth1) entering learning state
[ OK ]
[root@vpn ~]# chkconfig openvpn on