I. Setting up OpenVPN Server on CentOS-6.5 (running as a Openstack cloud instance). The setup may just work the same on other *nix based systems.
A. OpenVPN Server
1. Download and Install the EPEL repo which would provide OpenVPN rpm;
(Epel repo: http://dl.fedoraproject.org/pub/epel/6/x86_64/)
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm .
# rpm -ivh epel-release-6-8.noarch.rpm
2. Install openvpn and easy-rsa (RSA key management package)
# yum -y install openvpn easy-rsa
3. # mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
B. Generate CA Certificate and CA key
4. Open /etc/openvpn/easy-rsa/vars and set the following attributes which we would use later on Certificates and keys;
# vi /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="IN"
export KEY_PROVINCE="WB"
export KEY_CITY="KOL"
export KEY_ORG="IT"
export KEY_EMAIL="tu.bijit@gmail.com"
export KEY_OU="MyOrganizationalUnit"
5. Copy the required OpenSSL configuration file which OpenVPN might fail to detect;
# cd /etc/openvpn/easy-rsa/
# cp openssl-1.0.0.cnf openssl.cnf
6. Now, lets build our Certificate Authority (CA) based on the information provided in /etc/openvpn/easy-rsa/vars.
# source ./vars
# ./clean-all
# ./build-ca
7. Generate certificate for the OpenVPN server. Respond "Yes" when prompted for build-key-server to commit.
# ./build-key-server server
8. Generate the same for Client (which we would be copying to client later):
# ./build-key client
9. Generate Diffie Hellman key exchange files using the build-dh script;
# ./build-dh
10. In the above step, the necessary keys and certificates will be generated in the /etc/openvpn/easy-rsa/keys/ directory. Copy the following certificate and key files to the /etc/openvpn/ directory.
ca.crt
dh2048.pem (please make changes in the server.conf when needed)
server.crt
server.key
# cd /etc/openvpn/easy-rsa/keys/; cp ca.crt dh2048.pem server.crt server.key /etc/openvpn/
11. Copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. Since, we have generated certificates and keys for only one client, so we have to copy the following files (or its contents, keep the name exactly the same) to the VPN client.
ca.crt
client.crt
client.key
C. Configuring VPN Server
12. OpenVPN comes with a sample configuration file, copy that file to /etc/openvpn;
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
15. Open /etc/openvpn/server.conf and make the follwoing changes;
Do the following;
i. Uncomment ( This is route all the traffic from Client through VPN):
push "redirect-gateway def1 bypass-dhcp"
ii. Use VPN to use opendns servers:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
iii. Uncomment the following to reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nobody
D. IP forwarding and routing Configuration:
13. vi /etc/sysctl.conf
Find the following line and set value “1” to enable IP forwarding.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Run the following command to apply the sysctl changes.
# sysctl -p
14. iptables rules:
i. Allow proper routing of our VPN subnet,assuming 10.8.0.0/24 is used in /etc/openvpn/server.conf
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
ii. Allow port 1194 of openvpn to let traffic come in (iptables -L --line-numbers; iptables -I INPUT -p udp --dport 1194 -j ACCEPT)
# iptables -I INPUT 4 -p udp --dport 1194 -j ACCEPT
# service iptables save
15. # service openvpn start
16. Check if the OpenVPN is listening on port 1194 (UDP port by default, you can change that to TCP in /etc/server.conf)
# netstat -uapn | grep openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 11577/openvpn
17. Check interface VPN is using (tun0 is in our case, "dev tun" will create a routed IP tunnel,);
# ip addr show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1450 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:7e:11:4a brd ff:ff:ff:ff:ff:ff
inet 172.16.20.8/24 brd 172.16.20.255 scope global eth0
inet6 fe80::f816:3eff:fe7e:114a/64 scope link
valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
18. In certain cases, once VPN client connects to the VPN server, one might face loss of internet connectivity (was in my case); Following IPTABLES rules would be required to proper routing (as client changes the Gateway to VPN, which should be properly forwarded to access the LAN on the VPN server (you may use the specific LAN IP in the destination, here I used entire network in the destination)
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# service iptables save
II. OpenVPN Client (On Windows)
1. On Windows, one can download OpenVPN GUI for Windows;
http://openvpn.se/
2. Make sure we copied the following files from the server which were generated using "./build-key" earlier.
ca.crt
client.crt
client.key
3. Create a new file called client.ovpn, where "client" should match the name of the client being deployed (from build-key) with following contents;
remote x.x.x.x 1194
# Path to certificates (in windows as follows)
ca "C:\\MyVPN\\ca.crt"
cert "C:\\MyVPN\\client.crt"
key "C:\\MyVPN\\client.key"
4. Save and connect to VPN server using client config file.
III. OpenVPN Client (On Linux, CentOS release 6.5 (Final): 1. Download and install OpenVPN package. You would be required to setup EPEL repo as discussed
before. 2. Copy the sample Openvpn client configuration to your desired locaton; # cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf . 3. Copy the following files from the server which were generated using "./build-key" earlier. ca.crt client.crt client.key 4. Provide the following information in "client.conf"; remote x.x.x.x 1194 ca ca.crt cert client.crt key client.key 5. Connect to the OpenVPN server as; # openvpn client.conf &
A. OpenVPN Server
1. Download and Install the EPEL repo which would provide OpenVPN rpm;
(Epel repo: http://dl.fedoraproject.org/pub/epel/6/x86_64/)
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm .
# rpm -ivh epel-release-6-8.noarch.rpm
2. Install openvpn and easy-rsa (RSA key management package)
# yum -y install openvpn easy-rsa
3. # mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
B. Generate CA Certificate and CA key
4. Open /etc/openvpn/easy-rsa/vars and set the following attributes which we would use later on Certificates and keys;
# vi /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="IN"
export KEY_PROVINCE="WB"
export KEY_CITY="KOL"
export KEY_ORG="IT"
export KEY_EMAIL="tu.bijit@gmail.com"
export KEY_OU="MyOrganizationalUnit"
5. Copy the required OpenSSL configuration file which OpenVPN might fail to detect;
# cd /etc/openvpn/easy-rsa/
# cp openssl-1.0.0.cnf openssl.cnf
6. Now, lets build our Certificate Authority (CA) based on the information provided in /etc/openvpn/easy-rsa/vars.
# source ./vars
# ./clean-all
# ./build-ca
7. Generate certificate for the OpenVPN server. Respond "Yes" when prompted for build-key-server to commit.
# ./build-key-server server
8. Generate the same for Client (which we would be copying to client later):
# ./build-key client
9. Generate Diffie Hellman key exchange files using the build-dh script;
# ./build-dh
10. In the above step, the necessary keys and certificates will be generated in the /etc/openvpn/easy-rsa/keys/ directory. Copy the following certificate and key files to the /etc/openvpn/ directory.
ca.crt
dh2048.pem (please make changes in the server.conf when needed)
server.crt
server.key
# cd /etc/openvpn/easy-rsa/keys/; cp ca.crt dh2048.pem server.crt server.key /etc/openvpn/
11. Copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. Since, we have generated certificates and keys for only one client, so we have to copy the following files (or its contents, keep the name exactly the same) to the VPN client.
ca.crt
client.crt
client.key
C. Configuring VPN Server
12. OpenVPN comes with a sample configuration file, copy that file to /etc/openvpn;
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
15. Open /etc/openvpn/server.conf and make the follwoing changes;
Do the following;
i. Uncomment ( This is route all the traffic from Client through VPN):
push "redirect-gateway def1 bypass-dhcp"
ii. Use VPN to use opendns servers:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
iii. Uncomment the following to reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nobody
D. IP forwarding and routing Configuration:
13. vi /etc/sysctl.conf
Find the following line and set value “1” to enable IP forwarding.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Run the following command to apply the sysctl changes.
# sysctl -p
14. iptables rules:
i. Allow proper routing of our VPN subnet,assuming 10.8.0.0/24 is used in /etc/openvpn/server.conf
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
ii. Allow port 1194 of openvpn to let traffic come in (iptables -L --line-numbers; iptables -I INPUT
# iptables -I INPUT 4 -p udp --dport 1194 -j ACCEPT
# service iptables save
15. # service openvpn start
16. Check if the OpenVPN is listening on port 1194 (UDP port by default, you can change that to TCP in /etc/server.conf)
# netstat -uapn | grep openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 11577/openvpn
17. Check interface VPN is using (tun0 is in our case, "dev tun" will create a routed IP tunnel,);
# ip addr show
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0:
link/ether fa:16:3e:7e:11:4a brd ff:ff:ff:ff:ff:ff
inet 172.16.20.8/24 brd 172.16.20.255 scope global eth0
inet6 fe80::f816:3eff:fe7e:114a/64 scope link
valid_lft forever preferred_lft forever
3: tun0:
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
18. In certain cases, once VPN client connects to the VPN server, one might face loss of internet connectivity (was in my case); Following IPTABLES rules would be required to proper routing (as client changes the Gateway to VPN, which should be properly forwarded to access the LAN on the VPN server (you may use the specific LAN IP in the destination, here I used entire network in the destination)
# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# service iptables save
II. OpenVPN Client (On Windows)
1. On Windows, one can download OpenVPN GUI for Windows;
http://openvpn.se/
2. Make sure we copied the following files from the server which were generated using "./build-key" earlier.
ca.crt
client.crt
client.key
3. Create a new file called client.ovpn, where "client" should match the name of the client being deployed (from build-key) with following contents;
remote x.x.x.x 1194
# Path to certificates (in windows as follows)
ca "C:\\MyVPN\\ca.crt"
cert "C:\\MyVPN\\client.crt"
key "C:\\MyVPN\\client.key"
4. Save and connect to VPN server using client config file.
III. OpenVPN Client (On Linux, CentOS release 6.5 (Final): 1. Download and install OpenVPN package. You would be required to setup EPEL repo as discussed
before. 2. Copy the sample Openvpn client configuration to your desired locaton; # cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf . 3. Copy the following files from the server which were generated using "./build-key" earlier. ca.crt client.crt client.key 4. Provide the following information in "client.conf"; remote x.x.x.x 1194 ca ca.crt cert client.crt key client.key 5. Connect to the OpenVPN server as; # openvpn client.conf &
