How to setup OpenVPN on CentOS6

Introduction

This article will guide you through the installation and configuration of OpenVPN on a CentOS 6 server. The preferred OpenVPN version is 2.3.3, as it is the most recent release and, more importantly, the only version that includes a fix for the Heartbleed bug.

Step 1 – install OpenVPN

Currently the OpenVPN RPM in EPEL has not yet been updated to version 2.3.3. You can either wait for it to be updated (together with pkcs11-helper version 1.11) or create your own RPMs.

Step 2 – get the EasyRSA scripts

Since the key generation scripts in easy-rsa/ were removed from OpenVPN, you have to get them separately:

If you create your own OpenVPN RPM it makes sense to include EasyRSA in it.

Step 3 – edit vars in easy-rsa/

Open /etc/openvpn/easy-rsa/vars in your favorite editor and change

to

Next edit the following fields to your liking. Just don’t leave any blank.

Step 4 – create the CA certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any field empty.

Step 5 – create the server certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any field empty.

Answer these questions with yes:

Step 6 – create the client certificate

Answer these questions with yes:

If you need a PKCS12 file (a .p12), follow these steps:

Answer these questions with yes:

Next you are asked for a password to secure the .p12 file. Make sure you provide a secure password and store it in a safe place, such as Pass, KeePassX or LastPass.

Once the client key is generated, copy it to the host that needs access to the OpenVPN server.

Step 7 – create the DH key

Step 8 – create the tls-auth key (ta.key)

Step 9 – create /etc/openvpn/server.conf

Open your favourite editor and save the config below to /etc/openvpn/server.conf.

/etc/openvpn/server.conf:

Do not forget to change ‘SERVER_VPN_NET’, ‘SERVER_VPN_NET_NETMASK’, ‘SERVER_NET’, ‘SERVER_NET_NETMASK’, ‘YOUR_DNS_SERVER’ and ‘YOUR_DOMAIN’. Examples are given below each line/section.
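As an added example (not part of the original article), a small POSIX sh check you can run before starting the service: it reports any of the placeholder tokens listed above that are still in server.conf, and any ca/cert/key/dh/tls-auth file the config refers to that does not exist. It assumes relative paths resolve against the config's own directory, as they do when the init script changes into /etc/openvpn.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check server.conf
# before starting OpenVPN. Lists placeholder tokens this guide tells you to
# replace that are still present, and any ca/cert/key/dh/tls-auth file the
# config points at that does not exist. Relative paths are assumed to resolve
# against the config's own directory ("cd /etc/openvpn" in the init script).
# Returns 0 only when both checks pass.

PLACEHOLDERS="SERVER_VPN_NET SERVER_VPN_NET_NETMASK SERVER_NET SERVER_NET_NETMASK YOUR_DNS_SERVER YOUR_DOMAIN"

# check_openvpn_conf /path/to/server.conf
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # 1. placeholders that were never replaced (whole-word match, so that
    #    SERVER_VPN_NET does not also fire on SERVER_VPN_NET_NETMASK)
    for tok in $PLACEHOLDERS; do
        if grep -Eq "(^|[^A-Za-z0-9_])$tok([^A-Za-z0-9_]|$)" "$conf"; then
            echo "placeholder still present: $tok"
            rc=1
        fi
    done

    # 2. key material referenced by the config must exist on disk
    for opt in ca cert key dh tls-auth; do
        file=$(awk -v o="$opt" '$1 == o { print $2; exit }' "$conf")
        [ -n "$file" ] || continue
        case $file in /*) path=$file ;; *) path=$dir/$file ;; esac
        if [ ! -f "$path" ]; then
            echo "missing $opt file: $path"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config with two placeholders left in and no ca.crt.
demo=$(mktemp -d)
printf 'server SERVER_VPN_NET 255.255.255.0\npush "dhcp-option DNS YOUR_DNS_SERVER"\nca ca.crt\n' > "$demo/server.conf"
check_openvpn_conf "$demo/server.conf" || echo "fix the items above before starting openvpn"
rm -rf "$demo"
```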

Step 10 – start OpenVPN and check log

In one terminal open the openvpn.log:

And in another terminal start the openvpn service:
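As an added example (not part of the original article), a POSIX sh helper that summarises openvpn.log instead of reading it by eye: it counts completed start-ups and reports the failures most commonly seen after following this guide (tls-auth HMAC mismatches from a wrong ta.key, certificate verification errors, TLS negotiation timeouts). The sample log lines are constructed, and exact message wording differs between OpenVPN versions.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise openvpn.log.
# Counts completed start-ups and the failures most often seen after following
# this guide: tls-auth HMAC mismatches (wrong ta.key or key-direction on one
# side), certificate verification errors and TLS negotiation timeouts.
# Returns 0 only when the server initialised and no HMAC or verify errors
# were logged. Sample lines are constructed; wording varies between versions.

# summarize_openvpn_log /var/log/openvpn.log
summarize_openvpn_log() {
    awk '
        /Initialization Sequence Completed/                { started++ }
        /TLS Error: incoming packet authentication failed/ { hmac++ }
        /VERIFY ERROR/                                     { verify++ }
        /TLS Error: TLS key negotiation failed/            { nego++ }
        END {
            printf "started=%d hmac_failures=%d verify_errors=%d negotiation_timeouts=%d\n", started, hmac, verify, nego
            if (started > 0 && hmac + verify == 0) exit 0
            exit 1
        }' "$1"
}

# Demo on constructed log lines: a clean start, then one client whose ta.key
# does not match the server's (the HMAC check on the control channel fails).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Tue Apr 15 10:00:00 2014 Initialization Sequence Completed
Tue Apr 15 10:02:12 2014 203.0.113.7:51234 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.7:51234
EOF
summarize_openvpn_log "$sample" || echo "check ta.key and key-direction on the client"
rm -f "$sample"
```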

Step 11 – enable IP forwarding

Enable IP forwarding so packets from your VPN subnet can be forwarded to the network behind the OpenVPN server.

Open /etc/sysctl.conf in your favourite editor and change:

to

Activate IP forwarding:

Step 12 – set up masquerading

Make sure that the VPN subnet and interfaces used below are correct for your server.

Restart the iptables service:

Done.

How to reduce in size, shrink, optimize a pdf

For administrative purposes I scan all important paper documents to pdf. Sometimes those pdf files are quite big. Here are a few ways you can reduce in size, shrink and optimize a pdf.

Use pdf2ps and ps2pdf

The simplest way is to use the pdf2ps and ps2pdf (ps2pdf14) commands. They are part of the Ghostscript package so make sure you have ghostscript installed:

Next let’s see the results when using this on an 11MB pdf file called big.pdf:

So the size went down from 11MB to 9.1MB. That’s not a very big improvement. As you can imagine, results vary: at times these default commands significantly reduce the size, and sometimes they don’t. If not, there are more tricks.

Use ps2pdf with options

If the reduction in size is not enough then it’s time to look at some of the ps2pdf options. The man page (man ps2pdf) has a very long list of options to experiment with. The option that has a significant impact on the size of a pdf is -dPDFSETTINGS=…

The PDFSETTINGS option can be set to:

  1. /screen – for low-resolution output similar to the Acrobat Distiller “Screen Optimized” setting
  2. /ebook – for medium-resolution output similar to the Acrobat Distiller “eBook” setting
  3. /printer – for output similar to the Acrobat Distiller “Print Optimized” setting
  4. /prepress – for output similar to the Acrobat Distiller “Prepress Optimized” setting
  5. /default – for a wide variety of uses, possibly at the expense of a larger output file

For a long list of ps2pdf options check out the ps2pdf page.

Let’s try the /ebook option and see what the results are:

The size of the pdf went down from 11M to below 2M.
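As an added example (not from the original post), a small POSIX sh wrapper around ps2pdf that validates the -dPDFSETTINGS preset against the five values listed above, keeps the output only when it is actually smaller than the input (the case the text warns about), and reports the saving. It passes the pdf straight to ps2pdf, relying on Ghostscript accepting pdf input directly.

```shell
#!/bin/sh
# Added example, not part of the original article: wrap ps2pdf so the
# -dPDFSETTINGS preset is validated, the output is only kept when it is
# actually smaller than the input, and the saving is reported.

# pdfsettings_flag PRESET -> prints -dPDFSETTINGS=/PRESET, fails on an unknown preset
pdfsettings_flag() {
    case $1 in
        screen|ebook|printer|prepress|default) echo "-dPDFSETTINGS=/$1" ;;
        *) echo "unknown preset '$1' (use screen, ebook, printer, prepress or default)" >&2
           return 1 ;;
    esac
}

# percent_smaller OLD_BYTES NEW_BYTES -> integer percentage saved (0 if not smaller)
percent_smaller() {
    [ "$2" -lt "$1" ] || { echo 0; return 0; }
    echo $(( ($1 - $2) * 100 / $1 ))
}

# shrink_pdf IN.pdf OUT.pdf [PRESET]   (PRESET defaults to ebook, as in the text)
shrink_pdf() {
    in=$1; out=$2; preset=${3:-ebook}
    flag=$(pdfsettings_flag "$preset") || return 1
    command -v ps2pdf >/dev/null 2>&1 || { echo "ps2pdf (ghostscript) not installed" >&2; return 1; }
    ps2pdf "$flag" "$in" "$out" || return 1
    # $(( )) normalises the leading spaces some wc implementations print
    before=$(( $(wc -c < "$in") ))
    after=$(( $(wc -c < "$out") ))
    saved=$(percent_smaller "$before" "$after")
    if [ "$saved" -eq 0 ]; then
        echo "$preset did not shrink $in ($before -> $after bytes); discarding $out"
        rm -f "$out"
        return 1
    fi
    echo "$in: $before -> $after bytes ($saved% smaller) with $flag"
}

# Usage: shrink_pdf big.pdf small.pdf ebook
```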

Other ways

Ghostscript (gs) is the de facto pdf read/write engine in the Linux world, so all the other ways to process a pdf file are basically wrappers around it.

Shrinkpdf

Shrinkpdf (available here) is a nice script to process pdf files with pre-determined settings.

The Ghostscript gs command

You can also use the Ghostscript gs command directly, which is what pdf2ps, ps2pdf and shrinkpdf use under the hood. For example, to convert a postscript (ps) file to a pdf with Ghostscript’s gs command:

How to setup OpenVPN on Fedora 19

Here is a quick howto for setting up OpenVPN on Fedora 19. For the sake of simplicity all steps are performed as root.

Install openvpn and easy-rsa:

Create the keys/ dir:

Create empty openvpn log files:

If you already have keys then copy them to /etc/openvpn/keys. If not, you will need to generate them; read /usr/share/doc/easy-rsa-2.2.0/doc/README-2.0 for instructions on how to do that.

Also generate the dh and ta keys:

Create a configuration called my-vpn.conf which uses TLS. It’s ok to call the config file something else, but make sure to replace my-vpn in the steps below with the name you have chosen for your config file:

IMPORTANT: change the following settings above for your situation:
– server 10.0.1.0 255.255.255.0
– push “dhcp-option DOMAIN example.org”
– push “dhcp-option SEARCH example.org”

Make sure ipp.txt exists:

Set proper ownership of the openvpn directory, config files and keys:

Reset the SELinux labels:

Now set up systemd so openvpn starts at boot. For background information see this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=744244

Start the openvpn my-vpn service:

And check if it started ok:

Which should say something like this:

Next copy your client1.key, client1.crt, ca.crt and ta.key to ~/.cert/ on the client box that will access the OpenVPN server. If your client is also a recent Fedora box and you use NetworkManager then you can create a small config file with the proper settings to access your OpenVPN server and import it in NetworkManager.

The client VPN config for NetworkManager looks like this:

IMPORTANT: replace the entries between <...> with your settings:
– remote <your-openvpn-server> 1194
– ca /home/<you>/.cert/ca.crt
– cert /home/<you>/.cert/client1.crt
– key /home/<you>/.cert/client1.key

Now import this file into NetworkManager by going to:

On your OpenVPN server make sure that port 1194 (or whatever port you chose) is open in the firewall.
Finally, on your client box, click on the NetworkManager icon in the top menu bar and select my-vpn. Enjoy your new secure VPN connection. Comments and enhancements are always welcome.