What is a VPN?
A VPN (Virtual Private Network) securely extends a private network across the internet to another location. The client computer (here, your computer) makes an encrypted connection to a server, and that connection then behaves like an ordinary network interface. Companies commonly use this to let employees reach the office network securely from anywhere in the world.
VPNs provide security through tunneling protocols. The security model provides confidentiality (the data is encrypted, so it cannot be sniffed in transit), integrity (tampered data is detected and rejected) and authentication (only users who can prove their identity to the VPN server, in this tutorial with a username and password, are allowed to connect).
Once a VPN connection is established, it is as if an Ethernet cable ran to the other machine, just a little slower because the traffic is crossing the internet.
What is OpenVPN?
OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that relies on SSL/TLS for key exchange, with a certificate for the server and optionally for each client. It is capable of traversing network address translators (NATs) and firewalls.
Requirements
- Server:
- Linux CentOS 6 Operating System
- Root access
- Client:
- Windows Operating System
Installing OpenVPN on CentOS 6
Make sure Tun/Tap is enabled:
cat /dev/net/tun
If Tun/Tap is enabled and active you will see the following message:
cat: /dev/net/tun: File descriptor in bad state
If you don't see the above message, you will have to enable Tun/Tap or ask your host to enable it for you.
Install the following packages
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Download the LZO source RPM and the RPMforge repository package (these URLs were valid when this guide was written; if they no longer resolve, EPEL also packages OpenVPN and the lzo library):
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
For CentOS 6 - 32 bit:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
For CentOS 6 - 64 bit:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Build the RPM
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
On CentOS 6 rpmbuild writes the built package under ~/rpmbuild/RPMS/ rather than the current directory, so install it from there, then install the repository package:
rpm -Uvh ~/rpmbuild/RPMS/*/lzo-*.rpm
rpm -Uvh rpmforge-release*
Install OpenVPN
yum install openvpn -y
Copy the easy-rsa folder to /etc/openvpn/ (the version number in the path must match the package you installed, here 2.2.2):
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Edit the vars file:
vi /etc/openvpn/easy-rsa/2.0/vars
Replace the line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
by
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
The same file sets KEY_SIZE, which governs the size of both the RSA keys and the Diffie-Hellman parameters generated below. Its default of 1024 bits is below current minimums; raise it to 2048 before generating anything, and remember that the DH file is then named dh2048.pem rather than dh1024.pem. Save (:w) and quit editing the file (:q).
Create the SSL Certificate
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all
source ./vars loads the variables into your current shell (running ./vars as a separate command would set nothing), and clean-all wipes the keys directory, so run it only once, at the beginning.
Build your own root Certificate Authority (CA). You will be prompted for Country name, State, City, Organization, Common Name and Email; the defaults come from the vars file and can be accepted as they are, since these fields only label the certificates.
./build-ca
Build the server key and certificate. You will be prompted for the same information and can accept the defaults again; the only two prompts that must be answered with y are "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"
./build-key-server server
sign the certificate: y
1 out of 1 certificate requests: y
Build the Diffie-Hellman parameters (needed by the server side of the SSL/TLS handshake; this can take a few minutes):
./build-dh
Configuring OpenVPN
Create the configuration file:
vi /etc/openvpn/server.conf
Copy/paste the following. You can choose any port number you want; use the same number in the firewall rules and in the client configuration later:
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Authenticate users against the local Linux accounts through PAM; comment this line out if you are using FreeRADIUS
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
# Uncomment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
and save (:w) and quit editing the file (:q)
A few of these settings deserve a conscious decision. client-cert-not-required means clients are not issued certificates and are admitted on username and password alone, so the PAM password is the only secret protecting the VPN. reneg-sec 0 turns off the periodic TLS renegotiation (by default every 3600 seconds) that rotates the session keys. The dh1024.pem name matches easy-rsa's default KEY_SIZE of 1024; if you raised it to 2048 in vars, change this line to dh2048.pem. Finally, the plugin path varies between OpenVPN packages, so check that the .so file exists at that path before starting the service, or OpenVPN will refuse to start.
Start OpenVPN
service openvpn start
Enable IP Forwarding
vi /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
and save (:w) and quit editing the file (:q)
Run sysctl to configure kernel parameters at runtime and make the changes take effect immediately
sysctl -p
Create a Linux user account to use with the VPN (the shell is set to /bin/false so the account can only be used for VPN authentication, not for logging in to the server):
useradd userone -s /bin/false
And set the password. With client-cert-not-required in server.conf this password is the only secret a client needs, so make it long and random:
passwd userone
If you want OpenVPN to start after every reboot, issue the following command
chkconfig openvpn on
Configuring IPTables and CSF
If you are running Xen or KVM, issue this command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If you are running OpenVZ, run the following commands instead, making sure to replace xxx.xxx.xxx.xxx with your server's IP address:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx
Save the iptables rules so they survive a reboot:
service iptables save
If you are not using CSF, remember that the stock CentOS 6 firewall ends both its INPUT and FORWARD chains with a REJECT rule: you must also accept UDP on the port you chose above in INPUT, and add the same tun0 FORWARD rules shown in the csfpre.sh section below, placing them before those REJECT rules, or clients will connect but reach nothing.
If you have CSF/LFD installed on your server, you will have to create a new file so that your rules are added to iptables before CSF's own:
vi /etc/csf/csfpre.sh
Copy/paste the following into csfpre.sh, making sure to replace xxx.xxx.xxx.xxx with your server's IP address (on Xen or KVM, replace the last line with the eth0 MASQUERADE rule from the previous step):
iptables -A INPUT -j ACCEPT -s 10.8.0.0/24 -i tun0
iptables -A OUTPUT -j ACCEPT -s 10.8.0.0/24 -o tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
iptables -t nat --flush
iptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0/24 -j SNAT --to xxx.xxx.xxx.xxx
and save (:w) and quit editing the file (:q)
Modify the CSF configuration file to allow the port number you chose earlier: add it to the UDP_IN list (and to UDP_OUT if outgoing UDP is restricted) in
vi /etc/csf/csf.conf
and save (:w) and quit editing the file (:q)
Restart CSF
csf -r
Downloading, installing and configuring the client
Download the Windows installer for OpenVPN from openvpn.net and install the application.
Go to the config directory where you installed OpenVPN (C:\Program Files (x86)\OpenVPN\config by default)
Create a new file called server.ovpn and open it with any text editor.
Paste the following into your server.ovpn, making sure to replace xxx.xxx.xxx.xxx with your server's IP address, and 1194 with the port number you chose earlier.
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
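The server.conf and server.ovpn above work, but several of their settings are exactly what a security review would flag. The following script is an added example, not code from the original post or from the OpenVPN project: it audits a server.conf or server.ovpn for those settings and prints hardened versions of both files. The hardened files assume you raised KEY_SIZE to 2048 in vars and rebuilt the keys, generated an HMAC key with openvpn --genkey --secret ta.key in the keys directory (copied to each client), and issued a client certificate with ./build-key client1 (client1.crt and client1.key copied to the client); those file names are my assumptions. With client-cert-not-required removed, a client must present both its certificate and its PAM password.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an OpenVPN config for the
# settings in this tutorial that a reviewer would flag, and print hardened versions
# of the tutorial's server.conf and server.ovpn. The file names ta.key, client1.crt
# and client1.key are assumptions; see the lead-in for how to create them.

# Directives only: drop full-line and trailing comments and blank lines.
ovpn_directives() {
    sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# One finding per line. Works for both server and client configs.
ovpn_audit() {
    d=$(ovpn_directives "$1")
    has() { printf '%s\n' "$d" | grep -Eq "$1"; }

    has '^client-cert-not-required' &&
        echo "client-cert-not-required: the password is the only secret; issue per-client certificates and drop this line"
    has '^reneg-sec[[:space:]]+0$' &&
        echo "reneg-sec 0: TLS renegotiation disabled, session keys never rotate; remove it (default is 3600s)"
    has '^dh[[:space:]].*dh1024' &&
        echo "dh1024.pem: 1024-bit DH; set KEY_SIZE=2048 in vars, rerun ./build-dh and point dh at dh2048.pem"
    has '^(tls-auth|tls-crypt)[[:space:]]' ||
        echo "no tls-auth/tls-crypt: control channel not HMAC-protected; add tls-auth ta.key (direction 0 on the server, 1 on clients)"
    has '^comp-lzo' &&
        echo "comp-lzo: compressing traffic before encryption; the OpenVPN project now advises against it"
    # Client side: without this line any CA-issued certificate, e.g. another client's, can pose as the server.
    has '^client$' && ! has '^remote-cert-tls[[:space:]]+server$' &&
        echo "client without 'remote-cert-tls server': any CA-issued certificate could impersonate the server"
    return 0
}

ovpn_finding_count() { ovpn_audit "$1" | wc -l | tr -d ' '; }

# The tutorial's server.conf with the findings above fixed. Clients now need both a
# certificate and their PAM password; user/group nobody drops root after startup
# (the auth-pam plugin keeps a privileged helper, so PAM still works).
hardened_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
persist-key
persist-tun
user nobody
group nobody
status 1194.log
verb 3
EOF
}

# The tutorial's server.ovpn with a client certificate and the two client-side fixes.
hardened_client_conf() {
    cat <<'EOF'
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
auth-user-pass
verb 3
EOF
}

# Stand-alone run: audit the file named as $1, or the two hardened configs when none is given.
audit_file() { echo "== $1"; ovpn_audit "$1"; echo "findings: $(ovpn_finding_count "$1")"; }
if [ -n "$1" ]; then
    audit_file "$1"
else
    tmp=$(mktemp); hardened_server_conf >"$tmp"; audit_file "$tmp"
    hardened_client_conf >"$tmp"; audit_file "$tmp"; rm -f "$tmp"
fi
```

Run it with a path to audit that file; with no argument it audits the two hardened configs and reports zero findings. The checks only pattern-match directive lines, so they catch the settings discussed above but do not validate paths or key files; treat the output as a checklist, not as proof.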
Download ca.crt from the server and copy it into the same folder as server.ovpn.
If you can't download ca.crt, open it on your server:
vi /etc/openvpn/easy-rsa/2.0/keys/ca.crt
Copy its content, create a new text file in your config directory and paste it in. Rename the text file to ca.crt. Whichever way you transfer it, confirm on the client that the file is identical to the server's copy, because a client that trusts a substituted ca.crt will connect to an impostor server without complaint.
Open the client (run it as administrator, since it needs to add routes) and enter the username and password you created earlier.
If you want to save the username and password so you are not asked for them every time you establish a VPN connection, create a new text file with any name and extension you like; this example uses login.conf. On the first line enter the username, and on the second line the password.
For example, create a file called login.conf, open it with a text editor and write the following:
username
GJASk2398nm$^2389hknasDG
where username is the username and GJASk2398nm$^2389hknasDG is the password.
Save that file (login.conf) in the same folder as server.ovpn (that is, in the config folder, C:\Program Files (x86)\OpenVPN\config by default). The password is stored in clear text, so anyone who can read that folder can use the VPN as you; restrict the file's permissions to your own account.
Open your server.ovpn file, and next to auth-user-pass add login.conf, so the line becomes:
auth-user-pass login.conf
Comments
Or, enable the EPEL or rpmforge repo and 'yum install openvpn'.

Thanks for the post.

On a CentOS 6 x86, I set up the OpenVPN according to this article.
It seems I'm able to connect to the server after configuring vpn client in Tomato (1.28), but I can't open any web pages. While connected, I can ping servers, I can ssh into servers, but webpages aren't opening.
csf seems to be enabled, and disabling csf didn't seem to make a difference.
Any ideas?
Thanks!
Jason