Note:
Here I am taking 192.168.900.2 as my public IP and 192.168.1.2 as my OpenVPN
server's static IP.
VPN Server Side Configuration
OpenVPN and its dependencies are not available in the CentOS default
repositories, so we should install the “EPEL” repository in order to install
OpenVPN and its dependencies.
# yum install epel-release -y
Update the system packages by using the following command:
# yum update
Install the OpenVPN and easy-rsa packages by using the following
command:
# yum install openvpn easy-rsa -y
The easy-rsa scripts are located by default in the /usr/share/easy-rsa/
directory. Create the directory easy-rsa/keys inside the /etc/openvpn directory
and copy the scripts to /etc/openvpn/easy-rsa/ as shown below:
# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Generate CA Certificate and CA key
Edit the file /etc/openvpn/easy-rsa/vars and change the values to match
your country, state, city, mail ID etc.
# vi /etc/openvpn/easy-rsa/vars
:se nu
Then press Insert and go to:
Line no 64: export KEY_COUNTRY="IN"
Line no 65: export KEY_PROVINCE="MH"
Line no 66: export KEY_CITY="Mumbai"
Line no 67: export KEY_ORG="aamum"
Line no 68: export KEY_EMAIL="test@aamum.com"
Line no 69: export KEY_OU="ITsupport"
Press Esc and :wq enter
Go to the openvpn/easy-rsa directory:
# cd /etc/openvpn/easy-rsa/
# cp openssl-1.0.0.cnf openssl.cnf
Enter the following commands one by one to initialize the certificate
authority:
# source ./vars
Run the above command and you will get the following message:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
It’s recommended to run “./clean-all” right away to ensure that we have
a clean certificate setup:
# ./clean-all
Now you have to generate a “Certificate Authority (CA)” file. You will
be asked for the country name etc. that you edited in the “vars” file. You can hit
“Enter” to accept your default values.
Then, generate the CA certificate and CA key by using the following command:
# ./build-ca
Sample output:
Generating a 2048 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [MH]: ----> Press Enter
Locality Name (eg, city) [Mumbai]: ----> Press Enter
Organization Name (eg, company) [AAMUM]: ----> Press Enter
Organizational Unit Name (eg, section) [ITsupport]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [AAMUM CA]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [test@aamum.com]: ----> Press Enter
We have now generated the CA certificate and CA key.
Then create the certificate and key for the server using the following command:
# ./build-key-server server
Sample output:
Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [MH]: ----> Press Enter
Locality Name (eg, city) [Mumbai]: ----> Press Enter
Organization Name (eg, company) [AAMUM]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [test@aamum.com]: ----> Press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: dcmumvpn@123#
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'MH'
localityName          :PRINTABLE:'Mumbai'
organizationName      :PRINTABLE:'AAMUM'
organizationalUnitName:PRINTABLE:'ITsupport'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'test@aamum.com'
Certificate is to be certified until Dec 27 09:33:06 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create certificate and key for VPN clients using the following command:
# ./build-key client
Note: Here client is the client’s name.
If you want to create certificate and key files for each client, you
should replace the client parameter with a unique identifier.
Sample output:
Generating a 2048 bit RSA private key
.........+++
...................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [MH]: ----> Press Enter
Locality Name (eg, city) [Mumbai]: ----> Press Enter
Organization Name (eg, company) [AAMUM]: ----> Press Enter
Organizational Unit Name (eg, section) [ITsupport]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [test@aamum.com]: ----> Press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:client@123#
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'MH'
localityName          :PRINTABLE:'Mumbai'
organizationName      :PRINTABLE:'AAMUM'
organizationalUnitName:PRINTABLE:'ITsupport'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'test@aamum.com'
Certificate is to be certified until Dec 27 09:43:18 2027 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter
1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
Generate Diffie Hellman Parameter by using the following command:
# ./build-dh
Sample output:
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................+................................................................................................................................................................................................+................................................................+...........+......................................................................................................................+....................+...............................................................................................................................................+.....................................................................................................+.........................................................................................................................................................+.................................................................................................................................................................................................................................................................................................................+.............................................++*++*
Configuring VPN Server
Now, we have to configure our VPN server. Copy the sample server.conf file
to the /etc/openvpn/ directory.
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
Edit the file server.conf:
# vi /etc/openvpn/server.conf
:se nu
Find and uncomment the following lines to route client systems traffic
through OpenVPN server.
[...]
Line 92: topology subnet ----> Uncomment
Line 192: push "redirect-gateway def1 bypass-dhcp" ----> Uncomment
Line 200: push "dhcp-option DNS 192.168.900.1" ----> Uncomment and Type Your Router Public IP DNS
Line 201: push "dhcp-option DNS 8.8.8.8" ----> Uncomment and Type Your Router Public IP DNS
Line 255: auth SHA512 ----> add a line for sha512 algorithm (Openssl) or you can use SHA256
Line 263: comp-lzo ----> Uncomment
Line 274: user nobody ----> Uncomment
Line 275: group nobody ----> Uncomment
Line 276: sndbuf 0 ----> add a line
Line 277: rcvbuf 0 ----> add a line
Press Esc and :wq enter
Note: sndbuf 0 rcvbuf 0 This will prevent OpenVPN from tweaking the buffer size between the server and the client. It will be determined by the OS. Windows users who connect to a Linux server will experience faster speeds.
Check line 245: tls-auth ta.key 0
You need to generate ta.key:
# cd /etc/openvpn
# openvpn --genkey --secret ta.key
The necessary keys and certificates will be generated in the
/etc/openvpn/easy-rsa/keys/ directory. Copy the following certificate and key
files to the /etc/openvpn/ directory.
ca.crt
dh2048.pem
server.crt
server.key
Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following
command to transfer the above files to the /etc/openvpn/ directory.
# cd /etc/openvpn/easy-rsa/keys/
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
IP forwarding and routing Configuration (Server Side)
Edit sysctl.conf file,
# vi /etc/sysctl.conf
Find the following line and set value “1” to enable IP forwarding.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Run the following command to apply the sysctl changes.
# sysctl -p
(or)
# sysctl -w net.ipv4.ip_forward=1
Find the Ethernet interface name
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20001 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20001 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3827043 (3.6 MiB)  TX bytes:3827043 (3.6 MiB)
p4p1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::d267:e5ff:fe01:e3af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7602081 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5091513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4486563045 (4.1 GiB)  TX bytes:4258066496 (3.9 GiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Note: Here p4p1 is my Ethernet interface.
Adjust iptables to forward traffic through the VPN properly. Enter the
following command:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o p4p1 -j MASQUERADE
Save the iptables changes using command:
# service iptables save
# service iptables restart
Finally, start the openvpn service and make it start automatically on
every reboot using the following commands:
# service openvpn start
# chkconfig openvpn on
Note: Make sure you have enabled port forwarding (192.168.1.2 1194) on your router.
Create a Client Configuration file on server side
Copy and edit the client.conf file. We need this file to be transferred
to the VPN clients. First copy the file to any location (ex. /home directory).
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /home/
Edit the file client.conf and set the VPN server host name/IP address:
# vi /home/client.conf
:se nu
Line 42: remote 192.168.900.2 1194 ----> Type Your Router Public IP
Line 121: comp-lzo ----> Uncomment
Line 122: auth SHA512 ----> add a line for sha512 algorithm (Openssl)
Line 123: sndbuf 0 ----> add a line
Line 124: rcvbuf 0 ----> add a line
Press Esc :wq enter
Note:
Here 192.168.900.2 is my server-side router's public IP address. Next, copy the
client.conf file to your client system. Make sure you have installed the openvpn
package on your client system.
Copy client.conf to the remote VPN client PC by using the following command:
# cd /home
# scp client.conf root@192.168.2.5:/etc/openvpn
Note: Here 192.168.2.5 is my VPN client PC.
Copy all of the client’s certificates and keys to the remote VPN client PC so
that it can authenticate to the VPN server. In our case, we have generated
certificates and keys for only one client, so we have to copy the following
files to the VPN client.
ca.crt
client.crt
client.key
ta.key
Note: Make sure you have installed the openvpn package on your client system.
Then, copy the above files to your VPN client system using the following command:
# cd /etc/openvpn/
# scp ca.crt client.crt client.key ta.key root@192.168.2.5:/etc/openvpn
Copy the keys with caution. Anyone who gets hold of the keys can easily
intrude and get full access to your virtual private network.
VPN Client Side Configuration
Here, I use CentOS 6.9 as my VPN client system, and its local IP
address is 192.168.2.5/24.
Install OpenVPN package
# yum install openvpn -y
After installing openvpn, start the service and make it to run
automatically on every reboot.
# service openvpn start
# chkconfig openvpn on
Now, check if tun0 (the VPN interface) has been created.
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20001 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20001 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3827043 (3.6 MiB)  TX bytes:3827043 (3.6 MiB)
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::d267:e5ff:fe01:e3af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7602081 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5091513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4486563045 (4.1 GiB)  TX bytes:4258066496 (3.9 GiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.7  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
As you see in the above output, the VPN server has automatically
assigned IP address 10.8.0.7 to my VPN client.
Check if you can ping your VPN server from the client system. 10.8.0.1 is my VPN server tun0 address.
# ping 10.8.0.1
Sample output:
PING 10.8.0.1 (10.8.0.1) 57(85) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=9.61 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=7.17 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=4.87 ms
That’s it. Now the VPN server and client are ready. Connect to your VPN
server securely.
For Windows Client:
First we need to copy and edit the client.conf file as client.ovpn. We
need this file to be transferred to the VPN clients.
First copy the file to any location (ex. /home directory).
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /home/client.ovpn
# vi /home/client.ovpn
:se nu
Line 42: remote 192.168.900.2 1194 ----> Type Your Router Public IP
Line 121: comp-lzo ----> Uncomment
Line 122: auth SHA512 ----> add a line for sha512 algorithm (Openssl)
Line 108: tls-auth ta.key 1
## Go to Line 108: tls-auth ta.key 1, remove it and replace it with the
## following (an inline block cannot carry the trailing "1", so the
## direction is set with key-direction)
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
Open ta.key and paste it here
-----END OpenVPN Static key V1-----
</tls-auth>
## Find ca ca.crt and replace
<ca>
-----BEGIN CERTIFICATE-----
Open ca.crt and paste it here
-----END CERTIFICATE-----
</ca>
## Find cert client.crt and replace
<cert>
-----BEGIN CERTIFICATE-----
Open client.crt and paste it here
-----END CERTIFICATE-----
</cert>
## Find key client.key and replace
<key>
-----BEGIN PRIVATE KEY-----
Open client.key and paste it here
-----END PRIVATE KEY-----
</key>
:wq
Copy client.ovpn to the VPN client-pc C:\Program Files\openvpn\config\client.ovpn
Note:
Here 192.168.900.2 is my server-side router's public IP address. Make sure you
have installed the OpenVPN software on your client system.
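The manual paste steps for client.ovpn can also be scripted. The following is an added example, not part of the original guide: a shell function that builds the single-file profile from client.conf and the four credential files. The function names (pem_only, build_ovpn, make_sample) and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): build a one-file client.ovpn.

# Print only the PEM-style block of a file. easy-rsa 2.0 .crt files begin
# with a human-readable certificate dump, and ta.key begins with '#' comments.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn TEMPLATE CA CERT KEY TA : write the inline profile to stdout.
build_ovpn() {
    [ "$#" -eq 5 ] || { echo "usage: build_ovpn TEMPLATE CA CERT KEY TA" >&2; return 2; }
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Drop the active file-based directives; commented lines are left alone.
    sed -E '/^[[:space:]]*(ca|cert|key|tls-auth|key-direction)([[:space:]]|$)/d' "$1"
    # An inline <tls-auth> block cannot carry the direction argument, so the
    # client's "1" is expressed with key-direction instead.
    echo 'key-direction 1'
    printf '<ca>\n';       pem_only "$2"; printf '</ca>\n'
    printf '<cert>\n';     pem_only "$3"; printf '</cert>\n'
    printf '<key>\n';      pem_only "$4"; printf '</key>\n'
    printf '<tls-auth>\n'; pem_only "$5"; printf '</tls-auth>\n'
}

# Constructed sample input: placeholder bodies, not real key material.
make_sample() {
    printf '%s\n' 'client' 'remote 192.168.900.2 1194' 'ca ca.crt' \
        'cert client.crt' 'key client.key' 'tls-auth ta.key 1' 'comp-lzo' \
        > "$1/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-CLIENT' '-----END CERTIFICATE-----' > "$1/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
        '-----END PRIVATE KEY-----' > "$1/client.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'CONSTRUCTED-TA' \
        '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Demo run on the constructed files; prints the assembled profile.
demo=$(mktemp -d) && make_sample "$demo" &&
    build_ovpn "$demo/client.conf" "$demo/ca.crt" "$demo/client.crt" \
        "$demo/client.key" "$demo/ta.key"
rm -rf "$demo"
```

The resulting file contains the client's private key, so it needs the same handling as client.key itself.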
To Remove Client access to VPN server side
If you want to remove a user’s access to the VPN server, enter the
following command:
# cd /etc/openvpn/easy-rsa/
# source ./vars
# ./revoke-full client
The above commands revoke the certificate of the user so that it can no
longer be used to access the VPN server.
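revoke-full writes an updated crl.pem into the keys directory, and the server rejects the revoked certificate only if server.conf has an active crl-verify line pointing at that file. The following added example (not part of the original guide) checks for that line together with the directives set in "Configuring VPN Server"; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit active server.conf lines.

# active_value FILE DIRECTIVE : print the arguments of the first active
# occurrence; return 1 if the directive is absent or commented out.
# OpenVPN treats lines starting with ';' or '#' as comments.
active_value() {
    awk -v d="$2" '
        /^[ \t]*[;#]/ { next }
        $1 == d {
            $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]+[#;].*$/, "")
            print; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# expect FILE DIRECTIVE REGEX : the active value must match REGEX entirely.
expect() {
    if val=$(active_value "$1" "$2"); then
        if printf '%s\n' "$val" | grep -Eqx "$3"; then
            echo "OK   $2 $val"; return 0
        fi
        echo "FAIL $2 $val (expected $3)"; return 1
    fi
    echo "FAIL $2 is missing or commented out"; return 1
}

# audit_server_conf FILE : one line per check; returns the number of failures.
audit_server_conf() {
    fails=0
    expect "$1" auth       'SHA(256|512)' || fails=$((fails + 1))
    expect "$1" tls-auth   'ta\.key 0'    || fails=$((fails + 1))
    expect "$1" user       'nobody'       || fails=$((fails + 1))
    expect "$1" group      'nobody'       || fails=$((fails + 1))
    expect "$1" crl-verify '.+'           || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: the guide's edits applied, except that "group" is still
# commented out and there is no crl-verify line.
sample_conf() {
    cat <<'EOF'
port 1194
topology subnet
push "redirect-gateway def1 bypass-dhcp"
tls-auth ta.key 0 # This file is secret
auth SHA512
comp-lzo
user nobody
;group nobody
EOF
}

# Demo: audit the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp" &&
    { audit_server_conf "$tmp" || echo "failed checks: $?"; }
rm -f "$tmp"
```

If the crl-verify check fails, add a crl-verify line to server.conf and place the crl.pem written by revoke-full somewhere the nobody user can read, because OpenVPN reads the file again after it has dropped privileges.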