How to set up OpenVPN on CentOS 6

Introduction

This article will guide you through the installation and configuration of OpenVPN on a CentOS 6 server. The preferred OpenVPN version is 2.3.3 as that is the most recent one and, more importantly, the only version which has a fix for the Heartbleed bug.

Step 1 – install OpenVPN

Currently the OpenVPN RPM in EPEL has not yet been updated to version 2.3.3. You can either wait for it to be updated (together with pkcs11-helper version 1.11) or create your own RPMs.

Step 2 – get the EasyRSA scripts

Since the key generation scripts in easy-rsa/ were removed from OpenVPN, you have to get them separately:

If you create your own OpenVPN RPM it makes sense to include EasyRSA in it.

Step 3 – edit vars in easy-rsa/

Open /etc/openvpn/easy-rsa/vars in your favorite editor and change

to

Next edit the following fields to your liking. Just don’t leave any blank.

Step 4 – create the CA certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any field empty.

Step 5 – create the server certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any field empty.

Answer these questions with yes:

Step 6 – create the client certificate

Answer these questions with yes:

If you need a PKCS12 file (a .p12), follow these steps:

Answer these questions with yes:

Next you are asked for a password to secure the .p12 file. Make sure you provide a secure password and store it in a safe place such as Pass, KeePassX or LastPass.

Once the client key is generated, copy it to the host that needs access to the OpenVPN server.

Step 7 – create the DH key

Step 8 – create the tls-auth key (ta.key)

Step 9 – create /etc/openvpn/server.conf

Open your favourite editor and save the config below to /etc/openvpn/server.conf

/etc/openvpn/server.conf:

Do not forget to change ‘SERVER_VPN_NET’, ‘SERVER_VPN_NET_NETMASK’, ‘SERVER_NET’, ‘SERVER_NET_NETMASK’, ‘YOUR_DNS_SERVER’ and ‘YOUR_DOMAIN’. Examples below each line/section.
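A pre-flight check to run before starting the service in the next step, as an added example that is not part of the original article: it flags placeholders from the list above that are still present on active lines, and verifies that the files named by the `key` and `tls-auth` directives exist and are not readable by group or others. It assumes server.conf uses those two directives for the server key from step 5 and the ta.key from step 8, and that relative paths are relative to the config file's directory; the function name is hypothetical.

```shell
# Added example: pre-flight check for an OpenVPN server config.
# Usage (after defining the function): check_openvpn_conf /etc/openvpn/server.conf
# Returns 0 when clean, 1 when any problem was reported.

# Placeholder names from step 9 of this article.
PLACEHOLDERS='SERVER_VPN_NET|SERVER_VPN_NET_NETMASK|SERVER_NET|SERVER_NET_NETMASK|YOUR_DNS_SERVER|YOUR_DOMAIN'

check_openvpn_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }
    # Assumption: relative paths are resolved against the config's directory.
    confdir=$(dirname "$conf")

    # 1. Placeholders left on active (non-comment) lines.
    #    -w matches whole words only; matching lines are printed with numbers.
    if grep -nEv '^[[:space:]]*[#;]' "$conf" | grep -Ew "$PLACEHOLDERS"; then
        echo "ERROR: the placeholders listed above were not replaced"
        problems=1
    fi

    # 2. Secret material (private key, tls-auth key) must exist and be
    #    inaccessible to group and others.
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in key|tls-auth) ;; *) continue ;; esac
        case $path in /*) ;; *) path=$confdir/$path ;; esac
        if [ ! -f "$path" ]; then
            echo "ERROR: $directive file $path is missing"
            problems=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        mode=$(ls -ldL "$path" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "ERROR: $path is accessible to group/other ($mode)"
            problems=1
        fi
    done < "$conf"
    return "$problems"
}
```

Fix a reported permission problem with `chmod 600` on the file, then rerun the check until it returns 0.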

Step 10 – start OpenVPN and check log

In one terminal open the openvpn.log:

And in another terminal start the openvpn service:

Step 11 – enable IP forwarding

Enable IP forwarding so packets from your VPN subnet can be forwarded to the network behind the OpenVPN server.

Open /etc/sysctl.conf in your favourite editor and change:

to

Activate IP forwarding:

Step 12 – set up masquerading

Make sure that the VPN subnet and interfaces used below are correct for your server.

Restart the iptables service:

Done.

How to set up OpenVPN on Fedora 19

Here is a quick howto for setting up OpenVPN on Fedora 19. For the sake of simplicity all steps are performed as root.

Install openvpn and easy-rsa:

Create the keys/ dir:

Create empty openvpn log files:

If you already have keys then copy them to /etc/openvpn/keys. If not then you will need to generate them. Read /usr/share/doc/easy-rsa-2.2.0/doc/README-2.0 for instructions on how to do that.

Also generate the dh and ta keys:

Create a configuration called my-vpn.conf which uses TLS. It’s ok to call the config file something else but make sure to replace my-vpn in further steps below with the name you have chosen for your config file:

IMPORTANT: change the following settings above for your situation:
– server 10.0.1.0 255.255.255.0
– push “dhcp-option DOMAIN example.org”
– push “dhcp-option SEARCH example.org”

Make sure ipp.txt exists:

Set proper ownership of the openvpn directory, config files and keys:

Reset the SELinux labels:

Now set up systemd so openvpn starts at boot. For background information see this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=744244

Start the openvpn my-vpn service:

And check if it started ok:

Which should say something like this:

Next copy your client1.key, client1.crt, ca.crt and ta.key to ~/.cert/ on the client box that will access the OpenVPN server. If your client is also a recent Fedora box and you use NetworkManager then you can create a small config file with the proper settings to access your OpenVPN server and import it in NetworkManager.

The client config VPN for NetworkManager looks like this:

IMPORTANT: replace the entries between < ...> with your settings:
– remote <your-openvpn-server> 1194
– ca /home/<you>/.cert/ca.crt
– cert /home/<you>/.cert/client1.crt
– key /home/<you>/.cert/client1.key

Now import this file into NetworkManager by going to:

On your OpenVPN server make sure that port 1194 (or whatever port you chose) is open in the firewall.
Finally on your client box click on the NetworkManager icon in the top menu bar and select my-vpn. Enjoy your new secure VPN connection. Comments and enhancements always welcome.