Wednesday, January 9, 2013

Installing and Configuring OpenVPN on CentOS 6


What is VPN?

A VPN (Virtual Private Network) is a way to securely extend a private network across the internet to another location. The client computer (in this case your computer) makes an encrypted connection to a server which acts as a normal network connection. This technique is usually used in companies to allow their employees to securely connect to their work network from anywhere in the world.

VPNs provide security through tunneling protocols. The security model provides confidentiality, which encrypts the data and protects it from being sniffed; integrity, which prevents the data from being tampered with; and authentication, which allows only authenticated users with a username and password to connect to the VPN server.

When a VPN connection is established, it can be considered like having an Ethernet cable connected to the other machine, just a little bit slower since it is going over the internet.


What is OpenVPN?

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that relies on SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.


Requirements

  • Server:
    • Linux CentOS 6 Operating System
    • Root access
  • Client:
    • Windows Operating System


Installing OpenVPN on CentOS 6

Make sure Tun/Tap is enabled
cat /dev/net/tun
If Tun/Tap is enabled and active you will see the following message:
cat: /dev/net/tun: File descriptor in bad state
If you don't see the above message, you will have to enable Tun/Tap or ask your host to enable it for you.

Install the following packages
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download LZO RPM and Configure the Repo
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

For CentOS 6 - 32 bit:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
For CentOS 6 - 64 bit:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Build the RPM
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN
yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Edit the vars file:
vi /etc/openvpn/easy-rsa/2.0/vars
Replace the line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
by
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
and save (:w) and quit editing the file (:q)


Create the SSL Certificate

Initialize the easy-rsa working directory. Note that clean-all wipes the keys directory, so only run it when you are starting from scratch:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all

Build your own root Certificate Authority (CA). You will be prompted for the Country name, State, City, Organization, Common Name and Email; you can enter any values you like or leave them blank.
./build-ca

Build the server key and certificate. You will be prompted for the same information as before and can leave it blank. The only two required answers are to sign the certificate (choose "y") and to commit 1 out of 1 certificate requests (choose "y"):
./build-key-server server
sign the certificate: y
1 out of 1 certificate requests: y

Build the Diffie-Hellman parameters (necessary for the server end of an SSL/TLS connection).
./build-dh


Configuring OpenVPN

Create the configuration file:
vi /etc/openvpn/server.conf

Copy/paste the following; you can choose any port number you want. The plugin line authenticates VPN users against the system's PAM login stack, and client-cert-not-required means clients are identified by username and password only, with no client certificate:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
and save (:w) and quit editing the file (:q)
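Because this server.conf points at files by absolute path and relies on the PAM plugin for the whole of client authentication, it is worth checking the file before starting the service. The script below is an added example, not code from the original post or from the OpenVPN project: it reads the ca, cert, key and dh paths out of a server.conf, confirms each file exists, requires the private key to be unreadable by group and other, and warns when client-cert-not-required is set. The function names, the FAIL:/WARN: output convention and the constructed test files are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for an
# OpenVPN server.conf before "service openvpn start". It reads the ca,
# cert, key and dh paths from the file, confirms each file exists, requires
# the private key to be unreadable by group/other, and warns when
# client-cert-not-required is set, because then the PAM password check is
# the only thing authenticating a client.
# Paths are taken as written; relative paths resolve against the directory
# openvpn is started in, so use absolute paths as the post does.

# conf_value FILE KEY -> prints the argument of the first "KEY value" line.
# Lines starting with '#' or ';' are comments, as in OpenVPN itself.
conf_value() {
    awk -v k="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == k { print $2; exit }
    ' "$1"
}

# conf_has FILE KEY -> 0 if a non-comment line starts with KEY, else 1.
conf_has() {
    awk -v k="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == k { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# file_private PATH -> 0 if PATH is a regular file with no group/other bits.
file_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-------
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_server_conf FILE -> 0 when every hard check passes, 1 otherwise.
# Findings are printed one per line, prefixed FAIL: or WARN:.
audit_server_conf() {
    conf=$1
    rc=0
    if [ ! -f "$conf" ]; then
        echo "FAIL: config not found: $conf"
        return 1
    fi
    for opt in ca cert key dh; do
        path=$(conf_value "$conf" "$opt")
        if [ -z "$path" ]; then
            echo "FAIL: no '$opt' directive in $conf"
            rc=1
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "FAIL: $opt file does not exist: $path"
            rc=1
            continue
        fi
        # Only the private key is secret; ca, cert and dh are public data.
        if [ "$opt" = key ] && ! file_private "$path"; then
            echo "FAIL: private key is readable by group/other: $path"
            rc=1
        fi
    done
    if conf_has "$conf" client-cert-not-required; then
        echo "WARN: client-cert-not-required is set; clients authenticate by username/password only"
    fi
    return $rc
}

# Usage: sh audit-openvpn.sh /etc/openvpn/server.conf
[ $# -eq 0 ] || audit_server_conf "$1"
```

Run it as root against /etc/openvpn/server.conf; a non-zero exit means a hard failure (missing directive, missing file, or a world-readable server.key), while the WARN line is informational and simply records that the PAM password policy is what stands between the internet and the tunnel.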

Start OpenVPN
service openvpn start

Enable IP Forwarding
vi /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
and save (:w) and quit editing the file (:q)


Run sysctl to reload the kernel parameters at runtime so the change takes effect immediately:
sysctl -p


Create a Linux user account to use with the VPN (the /bin/false shell prevents the account from logging in to the server itself):
useradd userone -s /bin/false
And set the password
passwd userone

If you want OpenVPN to start after every reboot, issue the following command:
chkconfig openvpn on


Configuring IPTables and CSF

If you are running Xen or KVM, issue this command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If you are running OpenVZ, run the following commands, making sure to replace xxx.xxx.xxx.xxx with your server's IP address:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx

Save the iptables rules
service iptables save

If you have CSF/LFD installed on your server, you will have to create a new file to add the new rules to iptables.
vi /etc/csf/csfpre.sh

Copy/paste the following into csfpre.sh, making sure to replace xxx.xxx.xxx.xxx with your server's IP address (and venet0 with eth0 if you are on Xen or KVM, as in the MASQUERADE rule above):
iptables -A INPUT -j ACCEPT -s 10.8.0.0/24 -i tun0
iptables -A OUTPUT -j ACCEPT -s 10.8.0.0/24 -o tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
iptables -t nat --flush
iptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0/24 -j SNAT --to xxx.xxx.xxx.xxx
and save (:w) and quit editing the file (:q)
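The SNAT rules above, both the OpenVZ commands run by hand and the csfpre.sh version, all depend on the xxx.xxx.xxx.xxx placeholder being replaced by a complete address; if it is not, iptables rejects the rule and VPN clients silently lose their route to the internet. The following script is an added example, not part of the original post or of CSF: it scans a file of iptables commands such as csfpre.sh, pulls out every --to-source / --to argument and checks that each is a valid dotted-quad IPv4 address. The function names and the constructed rule files in the usage are my own assumptions, and port ranges after a colon are deliberately not handled.

```shell
#!/bin/sh
# Added example, not from the original post: lint a file of iptables
# commands (e.g. /etc/csf/csfpre.sh) before CSF runs it. Every argument that
# follows --to-source or --to must be a complete IPv4 address, so an
# unreplaced xxx.xxx.xxx.xxx placeholder, a missing octet or an out-of-range
# octet is caught here instead of being handed to iptables.

# valid_ipv4 ADDR -> 0 if ADDR is four decimal octets, each in 0..255.
valid_ipv4() {
    addr=$1
    oldifs=$IFS
    IFS=.
    set -- $addr            # split on dots into positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet (e.g. "xxx")
        esac
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# snat_targets FILE -> prints the argument after each --to-source/--to,
# skipping comment lines.
snat_targets() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "--to-source" || $i == "--to") print $(i + 1)
        }
    ' "$1"
}

# lint_snat_rules FILE -> 0 if every SNAT target is a valid IPv4 address,
# 1 otherwise; each bad target is printed on its own line.
lint_snat_rules() {
    rc=0
    for t in $(snat_targets "$1"); do
        if ! valid_ipv4 "$t"; then
            echo "bad SNAT target in $1: $t"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh lint-snat.sh /etc/csf/csfpre.sh
[ $# -eq 0 ] || lint_snat_rules "$1"
```

Running it against /etc/csf/csfpre.sh before csf -r gives a non-zero exit and one line per offending rule, which is cheaper than discovering the mistake from a client that connects but cannot reach anything.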

Modify the CSF configuration file so the port number you chose earlier is allowed: add it to the UDP_IN list (or TCP_IN if you changed proto to tcp)
vi /etc/csf/csf.conf
and save (:w) and quit editing the file (:q)

Restart CSF
csf -r


Downloading, installing and configuring the client

Download the Windows installer for OpenVPN from openvpn.net

Install the application

Go to the config directory where you installed OpenVPN (C:\Program Files (x86)\OpenVPN\config by default)

Create a new file called server.ovpn and open it with any text editor.

Paste the following into server.ovpn, making sure to replace xxx.xxx.xxx.xxx with your server's IP address and 1194 with the port number you chose earlier.
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Download the ca.crt and copy it to the same folder as server.ovpn

If you can't download ca.crt, open it on your server
vi /etc/openvpn/easy-rsa/2.0/keys/ca.crt
Copy its content, create a new text file in your config directory and paste it in. Rename the text file to ca.crt


Open the client (make sure to run it as administrator) and enter the username and password you created earlier.

If you would like to save the username and password so you don't have to authenticate every time you establish a VPN connection, you can do so by creating a new text file; name it anything you want, with any extension. I will call my file login.conf. Open this file with a text editor; on the first line enter the username, and on the second line the password.

For example, create a file called login.conf, open it with a text editor and write the following:
username
GJASk2398nm$^2389hknasDG
where username is the username and GJASk2398nm$^2389hknasDG is the password.

Save that file (login.conf) in the same folder as server.ovpn (that is, in the config folder, C:\Program Files (x86)\OpenVPN\config by default). The file holds the password in clear text, so make sure only your own Windows account can read it.

Open your server.ovpn file and, next to auth-user-pass, add login.conf, so the line becomes:
auth-user-pass login.conf