A VPN (Virtual Private Network) is a way to securely extend a private network across the internet to another location. The client computer (in this case your computer) makes an encrypted connection to a server which acts as a normal network connection. This technique is usually used in companies to allow their employees to securely connect to their work network from anywhere in the world.
WHAT IS OPENVPN?
REQUIREMENTS
- Server:
  - Linux CentOS 6 Operating System
  - Root access
- Client:
  - Windows Operating System
INSTALLING OPENVPN ON CENTOS 6
Make sure Tun/Tap is enabled
cat /dev/net/tun
If Tun/Tap is enabled and active you will see the following message:
cat: /dev/net/tun: File descriptor in bad state
If you don’t see the above message, you will have to enable Tun/Tap or ask your host to enable it for you.
Install the following packages
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Download LZO RPM and Configure the Repo
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
For CentOS 6 – 32 bit:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
For CentOS 6 – 64 bit:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Build the RPM
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
Install OpenVPN
yum install openvpn -y
Copy the easy-rsa folder to /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Edit the vars file:
vi /etc/openvpn/easy-rsa/2.0/vars
Replace the line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
by
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
and save (:w) and quit editing the file (:q)
CREATE THE SSL CERTIFICATE
Create the SSL Certificate
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Build your own root Certificate Authority (CA). You will be prompted to enter the Country name, State, City, Organization, Common Name and Email. You can enter any data or leave them blank.
./build-ca
Build the server key. You will be prompted for the same information as before, which you can leave blank. The only two answers that matter are "sign the certificate" (choose "y") and "1 out of 1 certificate requests" (choose "y").
./build-key-server server
sign the certificate: y
1 out of 1 certificate requests: y
Build the Diffie-Hellman parameters (necessary for the server end of an SSL/TLS connection).
./build-dh
CONFIGURING OPENVPN
Create the configuration file:
vi /etc/openvpn/server.conf
Copy and paste the following; you can choose any port number you want:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
and save (:w) and quit editing the file (:q)
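Before exposing this server.conf to the internet it is worth checking it for settings that weaken the tunnel. The Python script below is an added example, not part of this tutorial and not OpenVPN's own tooling. It parses the OpenVPN configuration format (one directive per line, "#" or ";" comments, double-quoted arguments; the same parser reads the client's server.ovpn later on) and reports the directives a defender would revisit. SAMPLE_SERVER_CONF is a constructed copy of the configuration above; the rule list, the severities and the 2048-bit Diffie-Hellman threshold are this example's own choices.

```python
"""Lint an OpenVPN server.conf for settings that weaken the tunnel.

Added example for this tutorial, not code from the tutorial or the OpenVPN
project. SAMPLE_SERVER_CONF is a constructed copy of the tutorial's server.conf;
the rules, severities and the 2048-bit DH threshold are this example's choices.
"""
import re
import shlex

SAMPLE_SERVER_CONF = """\
port 1194 #- port
proto udp #- protocol
dev tun
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
comp-lzo
status 1194.log
verb 3
"""


def parse_openvpn_config(text):
    """Return [(directive, [args]), ...]; comments and quoting handled like OpenVPN does."""
    directives = []
    for raw in text.splitlines():
        lexer = shlex.shlex(raw, posix=True)
        lexer.whitespace_split = True   # split on whitespace only, keep quoted args whole
        lexer.commenters = "#;"         # OpenVPN accepts both comment characters
        tokens = list(lexer)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def lint_server_conf(text):
    """Return [(severity, directive, message), ...] for the risky settings found."""
    conf = parse_openvpn_config(text)
    present = {name for name, _ in conf}
    findings = []

    if "client-cert-not-required" in present:
        findings.append(("WARN", "client-cert-not-required",
                         "clients need no certificate; a leaked username/password alone joins the VPN"))
    if "comp-lzo" in present:
        findings.append(("INFO", "comp-lzo",
                         "compression of tunnel traffic can leak information about encrypted data"))
    if not {"tls-auth", "tls-crypt"} & present:
        findings.append(("INFO", "tls-auth",
                         "no tls-auth/tls-crypt key, so unauthenticated packets reach the TLS handshake"))
    if not {"user", "group"} <= present:
        findings.append(("INFO", "user/group",
                         "daemon keeps root after startup; add 'user nobody' and 'group nobody'"))
    for name, args in conf:
        if name == "dh" and args:
            bits = re.search(r"dh(\d+)\.pem$", args[0])   # easy-rsa names the file after its size
            if bits and int(bits.group(1)) < 2048:
                findings.append(("WARN", "dh",
                                 "%s-bit Diffie-Hellman parameters; regenerate with 2048 bits or more"
                                 % bits.group(1)))
        elif name == "reneg-sec" and args == ["0"]:
            findings.append(("INFO", "reneg-sec",
                             "time-based key renegotiation is disabled; session keys are never rotated"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in lint_server_conf(SAMPLE_SERVER_CONF):
        print("%s %-25s %s" % (severity, directive, message))
```

Run it with python3 and it prints one line per finding. The WARN on client-cert-not-required is the one to weigh most carefully: with PAM authentication and no client certificate, anyone who knows a username and password can join the VPN, so the accounts created below need strong passwords, and a client-side file holding those credentials has to be protected like a key. To lint a different file, replace SAMPLE_SERVER_CONF with the contents of /etc/openvpn/server.conf.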
Start OpenVPN
service openvpn start
Enable IP Forwarding
vi /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
and save (:w) and quit editing the file (:q)
Run sysctl to apply the kernel parameters at runtime so the change takes effect immediately:
sysctl -p
Create a Linux user account to use with the VPN (the /bin/false shell means it cannot be used for an interactive login):
useradd userone -s /bin/false
And set the password
passwd userone
If you want OpenVPN to start after every reboot, issue the following command:
chkconfig openvpn on
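Because the configuration above uses username-as-common-name together with PAM authentication, the Common Name column of the file written by the status 1194.log directive is the Linux username that logged in, which makes that file the quickest place to see which accounts are connected and from where. The following Python script is an added example (not code from this tutorial or from the OpenVPN project): it parses the status file in the version-1 layout the status directive produces by default and diffs two snapshots to report connects, disconnects and accounts that reappear from a different source address, which is what credential sharing or a stolen password looks like. STATUS_T0 and STATUS_T1 are constructed samples using documentation IP ranges.

```python
"""Parse the OpenVPN status file and diff two snapshots of it.

Added example, not code from the tutorial or the OpenVPN project. The two
snapshots below are constructed samples in status-version-1 layout (the
default for the 'status' directive); addresses come from documentation ranges.
"""

STATUS_T0 = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
userone,203.0.113.5:51234,12345,67890,Thu Jun 18 08:00:00 2015
usertwo,198.51.100.7:40001,100,200,Thu Jun 18 08:10:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,userone,203.0.113.5:51234,Thu Jun 18 08:12:10 2015
10.8.0.10,usertwo,198.51.100.7:40001,Thu Jun 18 08:12:12 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

STATUS_T1 = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:17:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
userone,192.0.2.44:51234,500,600,Thu Jun 18 08:16:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,userone,192.0.2.44:51234,Thu Jun 18 08:17:10 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_MARKERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return {common_name: {"real", "virtual", "since", "rx", "tx"}} from a status-v1 dump."""
    clients = {}
    section = None
    for line in text.splitlines():
        if line in SECTION_MARKERS:
            section = line
            continue
        fields = line.split(",")
        # CLIENT LIST rows have five columns; skip the header row and the "Updated" line.
        if section == "OpenVPN CLIENT LIST" and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, rx, tx, since = fields
            clients[cn] = {"real": real, "virtual": None, "since": since,
                           "rx": int(rx), "tx": int(tx)}
        # ROUTING TABLE rows map the tunnel address back to the common name.
        elif section == "ROUTING TABLE" and len(fields) == 4 and fields[0] != "Virtual Address":
            virtual, cn, real, _last_ref = fields
            entry = clients.setdefault(cn, {"real": real, "virtual": None, "since": None,
                                            "rx": 0, "tx": 0})
            entry["virtual"] = virtual
    return clients


def host_of(real_address):
    """Strip the port from an IPv4 host:port string as printed in the status file."""
    return real_address.rsplit(":", 1)[0]


def diff_status(before, after):
    """Events between two snapshots: connected, disconnected or address-changed."""
    events = []
    for cn in sorted(set(before) | set(after)):
        if cn not in before:
            events.append(("connected", cn, after[cn]["real"]))
        elif cn not in after:
            events.append(("disconnected", cn, before[cn]["real"]))
        elif host_of(before[cn]["real"]) != host_of(after[cn]["real"]):
            # Same account, new source host: worth correlating with the user's location.
            events.append(("address-changed", cn,
                           before[cn]["real"] + " -> " + after[cn]["real"]))
    return events


if __name__ == "__main__":
    for event in diff_status(parse_status(STATUS_T0), parse_status(STATUS_T1)):
        print("%-16s %-10s %s" % event)
```

On the server, feed it the real file instead of the samples: with the relative path "status 1194.log" in server.conf, OpenVPN writes the file in its working directory (usually /etc/openvpn when started by the CentOS init script), and it is rewritten every 60 seconds by default, so polling it from cron and diffing against the previous copy gives a simple connection log for accounts that otherwise leave no shell login trace.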
CONFIGURING IPTABLES AND CSF
If you are running Xen or KVM, issue this command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If you are running OpenVZ, run the following commands; make sure to replace xxx.xxx.xxx.xxx with your server's IP address:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx
Save the iptables rules
service iptables save
If you have CSF/LFD installed on your server, you will have to create a new file that adds the rules to iptables before CSF loads its own.
vi /etc/csf/csfpre.sh
Copy and paste the following into csfpre.sh; make sure to replace xxx.xxx.xxx.xxx with your server's IP address:
iptables -A INPUT -j ACCEPT -s 10.8.0.0/24 -i tun0
iptables -A OUTPUT -j ACCEPT -s 10.8.0.0/24 -o tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
iptables -t nat --flush
iptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx
and save (:w) and quit editing the file (:q)
Edit the CSF configuration file to allow the port number you chose earlier:
vi /etc/csf/csf.conf
and save (:w) and quit editing the file (:q)
Restart CSF
csf -r
DOWNLOADING, INSTALLING AND CONFIGURING THE CLIENT
Download the Windows installer for OpenVPN from openvpn.net
Install the application
Go to the config directory where you installed OpenVPN (C:\Program Files (x86)\OpenVPN\config by default)
Create a new file called server.ovpn and open it with any text editor.
Paste the following into your server.ovpn; make sure to replace xxx.xxx.xxx.xxx with your server's IP address, and replace 1194 with the port number you chose earlier.
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Download ca.crt from the server and copy it to the same folder as server.ovpn
If you can't download ca.crt, open it on your server
vi /etc/openvpn/easy-rsa/2.0/keys/ca.crt
Copy its content, create a new text file in your config directory and paste it in. Rename the text file to ca.crt
Open the client (run it as administrator) and enter the username and password you created earlier.
If you would like to save the username and password so that you do not have to authenticate every time you establish a VPN connection, you can do so by creating a new text file; name it anything you want, with an extension of your choice. I will create my file with the name login.conf. Open this file with a text editor, enter the username on the first line and the password on the second line.
For example, create a file called login.conf, open it with a text editor and write the following:
username
GJASk2398nm$^2389hknasDG
where username is the username and GJASk2398nm$^2389hknasDG is the password.
Save that file (login.conf) in the same folder as server.ovpn (that is in the config folder (C:\Program Files (x86)\OpenVPN\config by default))
Open your server.ovpn file and, next to auth-user-pass, add login.conf so that the line becomes:
auth-user-pass login.conf