Installing and confiugring OpenVPN

In one of the posts we discussed installing and configuring PPTP VPN, which is very simple but not so secured i believe. Still you can use it to connect your office LAN but not secured, simply go to network connctions >> connect to office network >> enter server IP, username, password and hit enter. That's it. Security is lacking. Open VPN is one of the alternative for it which is open source. Let's try it.

Before starting the process, you need to have a CentOS/RHEL 6.3 box with EPEL repo installed on it.  Download it here  or using wget. 

[root@vpn]# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Now install openvpn

[root@vpn]# yum install openvpn

Installation is done, now we have to generate certificates and keys to let the vpn use log in through and for security as well.

[root@vpn]# cd /usr/share/openvpn/easy-rsa/2.0/
[root@vpn 2.0]# source ./vars

Note : if you get

**************************************************************
  No /usr/share/openvpn/easy-rsa/2.0/openssl.cnf file could be found
  Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/2.0/keys

Just check the available openssl files, i have around 3 versions of openssl available, i renamed latest version of openssl-1.0.0.cnf to openssl.cnf and rerun the command.

[root@vpn 2.0]# mv openssl-1.0.0.cnf openssl.cnf

NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/2.0/keys

[root@vpn 2.0]# ./clean-all

[root@vpn 2.0]# ./build-ca

Generating a 1024 bit RSA private key

......................++++++

..........++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:IN

State or Province Name (full name) [CA]:DL

Locality Name (eg, city) [SanFrancisco]:DL

Organization Name (eg, company) [Fort-Funston]:GIL.COM

Organizational Unit Name (eg, section) [changeme]:IT

Common Name (eg, your name or your server's hostname) [changeme]:vpn

Name [changeme]:vpn

Email Address [mail@host.domain]:admin@gil.com


[root@nfs62 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.........+.................................................................................+..........................................................................................+.............+..................................................................+........................+......................................................................+....+.......................................................+...............+........................................................................+..................+...................................................................................................................................+.....................+..................................+....................+..........................+...................+.....................................+.+................+.....................+.........................+.......................................................................................................................................................................................................+......................+.....................................................++*++*++*

Once above process done, we have to create key for our new openvpn server.

[root@vpn 2.0]# ./build-key-server gil_vpn_server

Generating a 1024 bit RSA private key
.............++++++
..................++++++
writing new private key to 'gil_vpn_server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:DL
Locality Name (eg, city) [SanFrancisco]:DL
Organization Name (eg, company) [Fort-Funston]:GIL.COM
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [gil_vpn_server]:gil_vpn_server
Name [changeme]:gil_vpn_server
Email Address [mail@host.domain]:admin@gil.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'DL'
localityName          :PRINTABLE:'DL'
organizationName      :PRINTABLE:'GIL.COM'
organizationalUnitName:PRINTABLE:'IT'
commonName            :T61STRING:'gil_vpn_server'
name                  :T61STRING:'gil_vpn_server'
emailAddress          :IA5STRING:'admin@gil.com'
Certificate is to be certified until Jan 30 10:49:06 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Note :  Leave password options blank and hit enter enter.

Once certificates and keys are generated for server, we have to genrate keys and certificates for vpn client. The keys and certificates we are going to create now will help a vpn client get authenticated by our vpn server and will allowed to log in. Lets create one.

[root@vpn 2.0]# ./build-key network-admin

Generating a 1024 bit RSA private key
..................++++++
..++++++
writing new private key to 'network-admin.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:DL
Locality Name (eg, city) [SanFrancisco]:DL
Organization Name (eg, company) [Fort-Funston]:GIL.COM
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [network-admin]:network-admin                                                                             
Name [changeme]:network-admin
Email Address [mail@host.domain]:admin@gil.com

stateOrProvinceName   :PRINTABLE:'DL'
localityName          :PRINTABLE:'DL'
organizationName      :PRINTABLE:'GIL.COM'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'network-admin'
name                  :PRINTABLE:'network-admin'
emailAddress          :IA5STRING:'admin@gil.com'
Certificate is to be certified until Jan 30 11:01:43 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Done certificate has been created for the user network-admin, repeat these steps for the next users.
Once the users are created we need to move all the certificates and keys generated in the above process to /etc/openvpn folder.

[root@vpn 2.0]#  pwd

[root@vpn 2.0]# /usr/share/openvpn/easy-rsa/2.0/keys

[root@vpn 2.0]# cp -rvf ca.crt ca.key gil_vpn_server.crt gil_vpn_server key dh1024.pem /etc/openvpn/

`ca.crt' -> `/etc/openvpn/ca.crt'
`ca.key' -> `/etc/openvpn/ca.key'
`gil_vpn_server.crt' -> `/etc/openvpn/gil_vpn_server.crt'
`gil_vpn_server.key' -> `/etc/openvpn/gil_vpn_server.key'
`dh1024.pem' -> `/etc/openvpn/dh1024.pem'

Copy server.conf file from sample-config-files directory shown and edit as below.

[root@vpn 2.0]# cp -rvf /usr/share/doc/openvpn/sample-config-files/server.conf /etc/openvpn/

ca ca.crt

cert gil_vpn_server.crt

key gil_vpn_server.key

server 10.10.10.0 255.255.255.0 

push "route 192.168.80.254 255.255.255.0"

push "dhcp-option DNS 192.168.80.2"
push "redirect-gateway def1 bypass-dhcp"

NOTE: 

• 10.0.0.0 is the subnet from which vpn clients will be assigned ips from.
• 192.168.80.254 is the vpn server ip, if you have another gateway add the same string below it and give your gateway ip there.
• 192.168.80.2  is the my local DNS ip.

Done, simply restart the openvpn service. and make it start at boot using chkconfig,
Note: if you forget either route or redirect-gateway you can't communicate your lan via vpn.

192.168.80.254 is your vpn server's local ip which is going to be gateway for the pc's connected via vpn.
At the end configure iptableas and enable ip forwarding in kernel.

[root@vpn]# /etc/init.d/openvpn start
[root@vpn]# chkconfig openvpn on
[root@vpn]# echo 1> /proc/sys/net/ipv4/ip_forward
[root@vpn]# iptables -t nat -A POSTROUTING -j MASQUERDE
[root@vpn]# /etc/init.d/iptables save

Note : if the service failed to start, check /var/log/messages to find the cause, most probably it could be because of wrong, sub net, just make sure subnet is correct and then restart the service.

Enjoy
gil ...