Saturday, January 6, 2018

Setup and Configure OpenVPN Server On CentOS 6





Note: Here I am taking 192.168.900.2 as my public IP, 192.168.1.2 as my Openvpn Server Static IP.


VPN Server Side Configuration

OpenVPN and it’s dependencies are not available in the CentOS default repositories. So, we should install the “EPEL” repository in order to install OpenVPN and its dependencies.

# yum install epel-release -y

Update the system packages by using the following command:
# yum update

Install the OpenVPN and easy-rsa packages by using the following command:

# yum install openvpn easy-rsa -y

The easy-rsa scripts are located by default in the /usr/share/easy-rsa/ directory. Make a directory
/easy-rsa/keys inside the /etc/openvpn directory and copy the scripts to that directory as shown
below:

# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/


Generate CA Certificate and CA key
Edit file /etc/openvpn/easy-rsa/2.0/vars, And, change the values that matches with your country, state, city, mail id etc.
# vi /etc/openvpn/easy-rsa/vars

:se nu
Then press insert goto
Line no 64: export KEY_COUNTRY="IN"
Line no 65: export KEY_PROVINCE="MH"
Line no 66: export KEY_CITY="Mumbai"
Line no 67: export KEY_ORG="aamum"
Line no 68: export KEY_EMAIL="test@aamum.com"
Line no 69: export KEY_OU="ITsupport"

Press Esc and :wq enter

Go to the openvpn/easy-rsa directory:
# cd /etc/openvpn/easy-rsa/
# cp openssl-1.0.0.cnf openssl.cnf

Enter the following commands one by one to initialize the certificate authority:
 # source ./vars

Run the above command and you will get the following message:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
It’s recommended to run “./clean-all” right away to ensure that we have a clean certificate setup:

# ./clean-all

Now you have to generate a “Certificate Authority (ca)” file. you will be asked for country name etc. that you edited in the “vars” file. you can hit “Enter” to accept your default values.

Then, generate CA certificate and CA key by using the following command:
# ./build-ca

Sample output:
Generating a 2048 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [MH]: ----> Press Enter
Locality Name (eg, city) [Mumbai]: ----> Press Enter
Organization Name (eg, company) [AAMUM]: ----> Press Enter
Organizational Unit Name (eg, section) [ITsupport]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [AAMUM CA]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [test@aamum.com]: ----> Press Enter
We have now generated the CA certificate and CA key. 

Then create certificate and key for server using the following command:
# ./build-key-server server

Sample output:
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [MH]: ----> Press Enter
Locality Name (eg, city) [Mumbai]: ----> Press Enter
Organization Name (eg, company) [AAMUM]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [test@aamum.com]: ----> Press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: dcmumvpn@123#
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'MH'
localityName          :PRINTABLE:'Mumbai'
organizationName      :PRINTABLE:'AAMUM'
organizationalUnitName:PRINTABLE:'ITsupport'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'test@aamum.com'
Certificate is to be certified until Dec 27 09:33:06 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create certificate and key for VPN clients using the following command:
# ./build-key client

Note: Here client is client’s name
If you want to create certificate and key files for each client, you should replace the client
parameter with an unique identifier.
Sample output:
Generating a 2048 bit RSA private key
.........+++
...................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [MH]: ----> Press Enter
Locality Name (eg, city) [Mumbai]: ----> Press Enter
Organization Name (eg, company) [AAMUM]: ----> Press Enter
Organizational Unit Name (eg, section) [ITsupport]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [test@aamum.com]: ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:client@123#
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'MH'
localityName          :PRINTABLE:'Mumbai'
organizationName      :PRINTABLE:'AAMUM'
organizationalUnitName:PRINTABLE:'ITsupport'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'test@aamum.com'
Certificate is to be certified until Dec 27 09:43:18 2027 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter

1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated

Generate Diffie Hellman Parameter by using the following command:
# ./build-dh

Sample output:
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................+................................................................................................................................................................................................+................................................................+...........+......................................................................................................................+....................+...............................................................................................................................................+.....................................................................................................+.........................................................................................................................................................+.................................................................................................................................................................................................................................................................................................................+.............................................++*++*

Configuring VPN Server
Now, we have to configure our VPN server. Copy the file server.conf file to /etc/openvpn/
directory.
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Edit file server.conf,
# vi /etc/openvpn/server.conf
:se nu

Find and uncomment the following lines to route client systems traffic through OpenVPN server.
[...]

Line 92:   topology subnet ----> Uncomment
Line 192: push "redirect-gateway def1 bypass-dhcp"  ----> Uncomment
Line 200: push "dhcp-option DNS 192.168.900.1" ----> Uncomment and Type Your Router Public IP DNS
Line 201: push "dhcp-option DNS 8.8.8.8" ----> Uncomment and Type Your Router Public IP  DNS
Line 255: auth SHA512 ----> add a line for sha512 algorithm (Openssl) or you can use SHA256
Line 263: comp-lzo  ----> Uncomment
Line 274: user nobody ----> Uncomment
Line 275: group nobody  ----> Uncomment
Line 276: sndbuf 0  ----> add a line
Line 277: rcvbuf 0   ----> add a line

Press Esc and :wq enter
Note: sndbuf 0 rcvbuf 0 This will prevent OpenVPN from tweaking the buffer size between the server and the client. It will be determined by the OS. Windows users who connect to a Linux server will experience faster speeds.

Check the line 245: tls-auth ta.key 0
You need to generate ta.key

# cd /etc/openvpn
# openvpn --genkey --secret ta.key

The necessary keys and certificates will be generated in the /etc/openvpn/easy-rsa/keys/
directory. Copy the following certificate and key files to the /etc/openvpn/ directory.
ca.crt
dh2048.pem
server.crt
server.key

Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following command to transfer the
above files to /etc/openvpn/ directory.
# cd /etc/openvpn/easy-rsa/keys/
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/


IP forwarding and routing Configuration (Server Side)
Edit sysctl.conf file,
# vi /etc/sysctl.conf
Find the following line and set value “1” to enable IP forwarding.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Run the following command to apply the sysctl changes.
# sysctl –p

(or)

# sysctl –w net.ipv4.ip_forward = 1
Find the Ethernet interface name

# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20001 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20001 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3827043 (3.6 MiB)  TX bytes:3827043 (3.6 MiB)

p4p1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::d267:e5ff:fe01:e3af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7602081 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5091513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4486563045 (4.1 GiB)  TX bytes:4258066496 (3.9 GiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00                                                      -00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Note: Here p4p1 is my Ethernet interface.

Adjust iptables to forward traffic through VPN properly.Enter the following commands one by one:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o p4p1 -j MASQUERADE
Save the iptables changes using command:
# service iptables save
# service iptables restart

Finally, start openvpn service and make it to start automatically on every reboot using the
following commands:
# service openvpn start
# chkconfig openvpn on

Note: Make sure you have enable port forward (192.168.1.2 1194) on your router.

Create a Client Configuration file on server side

Copy and edit the client.conf file. We need this file to be transferred to the VPN
clients. First copy the file to any location (ex. /home directory).
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /home/

Edit file client.conf, and Set the VPN server host name/IP address:
# vi /home/client.conf
:se nu

Line 42: remote 192.168.900.2 1194  ----> Type Your Router Public IP 
Line 121: com-lzo ---->Uncomment
Line 122: auth SHA512 ----> add a line for sha512 algorithm (Openssl)
Line 123: sndbuf 0  ----> add a line

Line 124: rcvbuf 0   ----> add a line
Press Esc :wq enter

Note: Here 192.168.900.2 is my Server side Router public IP address. Next, Copy the client.conf file to your client system. make sure you have installed openvpn package on your client system

Copy client.conf to the remote VPN client PC by using the following command
# cd /home
# scp client.conf root@192.168.2.5:/etc/openvpn

Note: Here 192.168.2.5 is my VPN client PC

Copy all client’s certificates and keys to the remote VPN client PC, for authenticate the VPN server. In our case, we have generated certificates and keys to only one client, so we have to copy the following files to the VPN client.
ca.crt
client.crt
client.key
ta.key

Note: Make sure you have installed openvpn package on your client system. Then, copy the above files to your VPN client system, using the following command:
# cd /etc/openvpn/
# scp ca.crt client.crt client.key ta.key root@192.168.2.5:/etc/openvpn
Copy the keys with caution. If anyone has chances to get the keys, they can easily intrude and get full access to your virtual private network.




VPN Client Side Configuration

Here, I use CentOS 6.9 as my VPN client system. And, it’s Local IP address is 192.168.2.5/24.

Install OpenVPN package
# yum install openvpn -y

After installing openvpn, start the service and make it to run automatically on every reboot.
# service openvpn start
# chkconfig openvpn on

Now, check if tun0(VPN interface) is created.
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20001 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20001 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3827043 (3.6 MiB)  TX bytes:3827043 (3.6 MiB)

eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::d267:e5ff:fe01:e3af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7602081 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5091513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4486563045 (4.1 GiB)  TX bytes:4258066496 (3.9 GiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00                                                      
          inet addr:10.8.0.7 P-t-P:10.8.0.5 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

As you see in the above output, the VPN server has automatically assigned IP address 10.8.0.7 to
my VPN client. 

Check if you can ping your VPN server from client system. 10.8.0.1 is my VPN server tun0 address.
# ping 10.8.0.1

Sample output:
PING 10.8.0.1 (10.8.0.1) 57(85) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=9.61 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=7.17 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=4.87 ms
That’s it. Now the VPN server and client are ready. Connect to your VPN server securely.

For Windows Client:

First we need to copy and edit the client.conf file as client.ovpn. We need this file to be transferred to the VPN clients.
First copy the file to any location (ex. /home directory).
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /home/client.ovpn

# vi /home/client.ovpn
:se nu

Line 42: remote 192.168.900.2 1194  ----> Type Your Router Public IP 
Line 121: com-lzo ---->Uncomment
Line 122: auth SHA512 ----> add a line for sha512 algorithm (Openssl)
Line 108: tls-auth ta.key 1

## go to Line 108: tls-auth ta.key 1 remove and replace
<tls-auth>
-----BEGIN CERTIFICATE-----
Open ta.key and paste it here
-----END CERTIFICATE-----
</tls-auth>

##Find ca ca.crt and replace
<ca>
-----BEGIN CERTIFICATE-----
Open ca.crt and paste it here
-----END CERTIFICATE-----
</ca>
##Find cert client.crt and replace
<cert>
-----BEGIN CERTIFICATE-----
Open client.crt and paste it here
-----END CERTIFICATE-----
</cert>
##Find key client.key and replace
<key>
-----BEGIN CERTIFICATE-----
Open client.key and paste it here
-----END CERTIFICATE-----
</key>

:wq

Copy client.ovpn to the VPN client-pc C:\Program Files\openvpn\config\client.ovpn

Note: Here 192.168.900.2 is my Server side Router public IP address. Make sure you have installed openvpn Software on your client system.

To Remove Client access to VPN server side
If you want to remove a user’s access to the VPN server, enter the following command:
. /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/revoke-full client
The above commands remove the user who have the certificate to access the VPN server.