How to set up OpenVPN on CentOS 6

Introduction

This article walks you through installing and configuring OpenVPN on a CentOS 6 server. The preferred OpenVPN version is 2.3.3, as it is the most recent release and, more importantly, the only version that contains a fix for the Heartbleed bug.

Step 1 – install OpenVPN

Currently the OpenVPN RPM in EPEL has not yet been updated to version 2.3.3. You can either wait for it to be updated (together with pkcs11-helper version 1.11) or create your own RPMs.

Step 2 – get the EasyRSA scripts

Since the key generation scripts in easy-rsa/ were removed from the OpenVPN package, you have to get them separately:

If you create your own OpenVPN RPM it makes sense to include EasyRSA in it.

Step 3 – edit vars in easy-rsa/

Open /etc/openvpn/easy-rsa/vars in your favorite editor and change

to

Next, edit the following fields to your liking. Just don’t leave any of them blank.

Step 4 – create the CA certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any field empty.

Step 5 – create the server certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any field empty.

Answer these questions with yes:

Step 6 – create the client certificate

Answer these questions with yes:

If you need a PKCS12 file (a .p12), follow these steps:

Answer these questions with yes:

Next you are asked for a password to secure the .p12 file. Choose a strong password and store it in a safe place, such as Pass, KeePassX or LastPass.

Once the client key is generated, copy it to the host that needs access to the OpenVPN server.

Step 7 – create the DH key

Step 8 – create the tls-auth key (ta.key)

Step 9 – create /etc/openvpn/server.conf

Open your favourite editor and save the config below to /etc/openvpn/server.conf.

/etc/openvpn/server.conf:

Do not forget to change ‘SERVER_VPN_NET’, ‘SERVER_VPN_NET_NETMASK’, ‘SERVER_NET’, ‘SERVER_NET_NETMASK’, ‘YOUR_DNS_SERVER’ and ‘YOUR_DOMAIN’. Examples follow each line/section.
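As an added sanity check (example code, not from the article), the Python script below parses a server.conf and reports any of the placeholders listed above that were left in place, as well as a missing dh or tls-auth directive (the files produced in steps 7 and 8). The two sample configs and all addresses in them are constructed for the example; the article's own server.conf is not reproduced here.

```python
import re

# Placeholders the article tells you to replace in server.conf.
PLACEHOLDERS = ("SERVER_VPN_NET", "SERVER_VPN_NET_NETMASK", "SERVER_NET",
                "SERVER_NET_NETMASK", "YOUR_DNS_SERVER", "YOUR_DOMAIN")
# Steps 7 and 8 generate the DH parameters and ta.key; the config should reference both.
REQUIRED = ("dh", "tls-auth")

def parse_server_conf(text):
    """Split an OpenVPN config into (directive, args) pairs; '#' and ';' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries

def check_server_conf(text):
    """Return a list of findings; an empty list means the config passed both checks."""
    findings = []
    entries = parse_server_conf(text)
    for directive, args in entries:
        for ph in PLACEHOLDERS:
            # \b keeps SERVER_VPN_NET from also matching inside SERVER_VPN_NET_NETMASK
            if re.search(r"\b%s\b" % ph, args):
                findings.append("placeholder %s left in '%s' line" % (ph, directive))
    present = {d for d, _ in entries}
    for req in REQUIRED:
        if req not in present:
            findings.append("missing '%s' directive" % req)
    return findings

# Constructed sample: a template as the article leaves it, placeholders intact.
TEMPLATE = """\
server SERVER_VPN_NET SERVER_VPN_NET_NETMASK
push "route SERVER_NET SERVER_NET_NETMASK"
push "dhcp-option DNS YOUR_DNS_SERVER"
push "dhcp-option DOMAIN YOUR_DOMAIN"
dh dh2048.pem
tls-auth ta.key 0
"""
# Constructed sample: the same file with every placeholder filled in (RFC 1918 values).
FILLED = TEMPLATE
for _ph, _val in (("SERVER_VPN_NET_NETMASK", "255.255.255.0"), ("SERVER_VPN_NET", "10.8.0.0"),
                  ("SERVER_NET_NETMASK", "255.255.255.0"), ("SERVER_NET", "192.168.1.0"),
                  ("YOUR_DNS_SERVER", "192.168.1.1"), ("YOUR_DOMAIN", "example.lan")):
    FILLED = FILLED.replace(_ph, _val)
```

Running check_server_conf(TEMPLATE) lists all six leftover placeholders, while check_server_conf(FILLED) returns an empty list.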

Step 10 – start OpenVPN and check log

In one terminal open the openvpn.log:

And in another terminal start the openvpn service:

Step 11 – enable IP forwarding

Enable IP forwarding so packets from your VPN subnet can be forwarded to the network behind the OpenVPN server.

Open /etc/sysctl.conf in your favourite editor and change:

to

Activate IP forwarding:

Step 12 – set up masquerading

Make sure that the VPN subnet and interfaces used below are correct for your server.

Restart the iptables service:

Done.
