10/31/2011

Installing OpenVPN 2.2 on Centos 5.7

OpenVPN is an SSL/TLS-based VPN. There are other VPN solutions, such as IPsec, but OpenVPN is a cost-effective alternative. I like OpenVPN because it supports two-way authentication: both the client and the server authenticate with certificates. To install OpenVPN on CentOS we need a number of cryptographic libraries, and the simplest way to get them is the DAG/RPMForge repository.

Set up the RPMForge repository [1], as it contains the packages needed for the installation; the instructions are given below. They document this specific installation only and should not be read as a best-practice guide. They are adapted from the OpenVPN website [2], but this post is intended as a quick and dirty guide to getting OpenVPN running on CentOS 5.7. Setting up and configuring the client is beyond the scope of this post.

  1. Install packages
    1. rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    2. yum -y update
    3. yum -y install openvpn
  2. Set-up configuration files
    1. cd /etc/openvpn/
    2. cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf .
    3. mkdir -p /etc/openvpn/easy-rsa/keys
    4. cd /etc/openvpn/easy-rsa
    5. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
    6. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
  3. Edit the PKI configuration
    1. vi /etc/openvpn/easy-rsa/vars
      1. Also set the key length with the KEY_SIZE variable. 1024 is the shipped default but is too short; use at least 2048. Larger keys slow down the TLS handshake and make ./build-dh take noticeably longer, but I am paranoid and use 4096-bit keys.
      2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
  4. Set up the PKI. This involves making a certificate authority and then generating the server certificate and a certificate for each client machine.
    1. Create the certificate authority
      1. . ./vars
      2. ./clean-all
      3. ./build-ca
      4. The CA certificate and key are now in the keys directory inside easy-rsa (keys/ca.crt and keys/ca.key). ca.key signs every certificate the server will trust, so protect it and, if you can, keep it off the VPN server.
    2. Create certificate for the server
      1. ./build-key-server NAME_OF_SERVER
      2. Answer the prompts (the Common Name defaults to NAME_OF_SERVER) and answer yes to signing and committing the certificate into the database. The output is keys/NAME_OF_SERVER.crt and keys/NAME_OF_SERVER.key; these, not server.crt and server.key, are what server.conf must reference.
    3. Create the Diffie Hellman files
      1. These parameters are used for the Diffie-Hellman key exchange in the TLS handshake, which derives the session keys that protect traffic over the insecure channel (the Internet); the certificates only authenticate the two ends. The output is keys/dhKEY_SIZE.pem. Generation time grows steeply with KEY_SIZE and can take a long while at 4096 bits.
      2. ./build-dh
    4. Create the certificate for each client
      1. When doing this for clients, I generate one certificate for each device a client may use; that way, if a device is stolen or goes missing, I only have to revoke a single certificate and the others keep working. Revocation is per certificate, so a key shared across devices would force all of them to be reissued. I am not sure this is formally best practice, but it is definitely my quick and dirty (lazy) approach.
      2. ./build-key LAPTOP
      3. ./build-key HOME-DESKTOP
      4. ./build-key PDA
  5. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  6. Start everything
    1. /etc/rc.d/init.d/openvpn start (or: service openvpn start)
    2. chkconfig --level 235 openvpn on
Possible Errors:
  1. If the OpenVPN server fails to start, ensure that logging is enabled (see log-append in server.conf) and read the log. A common error is that OpenVPN cannot open one of the files named by the ca, cert, key or dh directives. Check those paths: easy-rsa names the server files after the Common Name (NAME_OF_SERVER.crt, not server.crt), and relative paths are resolved from the directory OpenVPN is started in (or the one given by a cd directive).
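The procedure above, plus the path check suggested under Possible Errors, as one shell script. This is an added example, not the post's own script: the function names (install_openvpn, build_pki, write_server_conf, check_conf_paths), the server.conf values (10.8.0.0/24 tunnel network, /var/log/openvpn.log, max-clients 10) and the commented-out crl-verify line are this example's choices; the RPMForge URL, package paths and easy-rsa 2.0 script names are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: the install, PKI and
# server.conf steps above as functions, plus a pre-start check for the
# "fails to open certain files" error. Assumes the easy-rsa 2.0 scripts and
# sample server.conf shipped in the openvpn-2.2.0 package, installed under
# /etc/openvpn as in the post. All function names are this example's own.
set -e

OVPN=/etc/openvpn
DOC=/usr/share/doc/openvpn-2.2.0

# Step 1. The post's "yum -y openvpn" is missing the "install" verb.
install_openvpn() {
    rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    yum -y update
    yum -y install openvpn
}

# Steps 2-4. CA, server certificate, DH parameters, one certificate per
# client device. Edit easy-rsa/vars (KEY_SIZE, KEY_COUNTRY, ...) first;
# build-ca and build-key* prompt for the certificate fields.
build_pki() {
    server=$1; shift                  # remaining arguments: client device names
    mkdir -p "$OVPN/easy-rsa/keys"
    cd "$OVPN/easy-rsa"
    cp -rf "$DOC"/easy-rsa/2.0/* .
    chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
    . ./vars
    ./clean-all                       # wipes keys/ - never rerun on a live CA
    ./build-ca                        # keys/ca.crt and keys/ca.key (guard ca.key)
    ./build-key-server "$server"      # keys/$server.crt and keys/$server.key
    ./build-dh                        # keys/dh$KEY_SIZE.pem; slow at 4096 bits
    for dev in "$@"; do ./build-key "$dev"; done
}

# Step 5. The directives the post says to check, with paths matching what
# easy-rsa actually wrote (files are named after the CN, not server.*).
# Tunnel network, log path and max-clients are this example's choices.
write_server_conf() {
    server=$1 key_size=$2
    cat > "$OVPN/server.conf" <<EOF
;local 192.0.2.1            # uncomment to bind a single address
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/$server.crt
key easy-rsa/keys/$server.key
dh easy-rsa/keys/dh$key_size.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
max-clients 10
user nobody
group nobody
persist-key
persist-tun
log-append /var/log/openvpn.log
verb 3
# ./revoke-full only writes keys/crl.pem; a revoked client keeps
# authenticating until the server is told to check that CRL:
#crl-verify easy-rsa/keys/crl.pem
EOF
}

# Step 6 / Possible Errors. Confirm every file server.conf names exists
# before starting. Relative paths are resolved against the directory that
# holds the config, as they are when OpenVPN is started from /etc/openvpn.
# Returns the number of missing files, so 0 means "safe to start".
check_conf_paths() {
    conf=$1; dir=$(dirname "$conf"); missing=0
    for key in ca cert key dh crl-verify tls-auth; do
        # first uncommented occurrence of the directive; ';' and '#' lines do not match
        val=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf")
        [ -n "$val" ] || continue
        case $val in /*) path=$val ;; *) path=$dir/$val ;; esac
        if [ ! -r "$path" ]; then
            echo "$conf: '$key $val' -> $path missing or unreadable" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

case ${1-} in
    install) install_openvpn ;;
    pki)     shift; build_pki "$@" ;;           # pki NAME_OF_SERVER LAPTOP HOME-DESKTOP PDA
    conf)    write_server_conf "$2" "$3" ;;     # conf NAME_OF_SERVER 4096
    check)   check_conf_paths "${2:-$OVPN/server.conf}" ;;
esac
```

Run `sh openvpn-setup.sh check` before starting the service; a non-zero exit status lists every file that server.conf names but that does not exist at the resolved path, which is exactly the start-up failure described above.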
References:

11 comments:

  1. Hey, thanks for this. But I ended up with some errors. I tried fixing them but without success. I Googled more and I found this: http://www.l337fx.com/openvpn-vz-vps-bash-script-centos.html

    Would that bash script work? Please help! I really need OpenVPN to be installed :(
    Oh and my OS is CentOS 6

  2. Hi,

    The script appears to create the server configuration file (server.conf) and then generates the server keys, etc. i.e. Steps 5 and 4 above, respectively.

    The setup above is only intended to provide a keyhole into your DMZ, following which you can manually connect to your internal servers.

    The script that you reference turns on IP forwarding and source NAT, which allows you to route traffic through the VPN box; I am not sure if this is what you want in your configuration?

    The script is quite nice, since it also generates the client configuration and packages the respective keys and certificates for easy deployment.

    If you are able to let me know what the exact errors were I may be able to help with some troubleshooting.

    Sincerely
    Kush

  3. ./build-key LAPTOP
    ./build-key HOME-DESKTOP
    ./build-key PDA

    LAPTOP, is this the Windows host name?

    1. Hi,

      Yes, these are machine names. People usually use the hostname or the name of the primary user of that certificate and key, or you can use any arbitrary value that helps you uniquely identify the client entity the certificate and key are associated with.

      Sincerely
      Kush

    2. But if someone has stolen my *.key and *.crt from my laptop, how can I secure against this issue? Could OpenVPN use the MAC address to filter client access?

    3. Hi,

      If the credentials are stolen you can revoke them from the server. This would prevent the stolen credentials from authenticating successfully. You can use the "revoke-full" shell script to do this.

      For MAC address filtering it's probably best to do it at the kernel level using something like iptables. Having said that, MAC address spoofing is trivial these days, so be aware.

      Hope this helps?

      Cheers
      K

  4. I have followed your instructions and successfully connected with OpenVPN 2.2.2; I am using CentOS 6.2. Now I have some questions to ask you:

    Networking background:
    1. My OpenVPN Server (.203) is under subnet: 10.1.101.0/24
    2. The client (.74) is under subnet: 192.168.13.0/24
    3. PAT is from 10.1.101.0/24 to 192.168.13.0/24
    4. Port Mapping is from 192.168.13.242:1194 to 10.1.101.203:1194
    5. OpenVPN has only the standard config, plus 'push "redirect-gateway def1 bypass-dhcp"' in server.conf

    Question lists:
    1. How could I implement split tunnel for the client?
    2. How could I access 10.1.101.0/24 from the client? I can just access 10.1.101.203 after connected.
    3. How could I set different access lists for every client?

    1. Hi,

      1. Can you please explain what you mean by split tunnel?
      2. To access the 10.1.101.0/24 network, you need to push that route through the tunnel to the client, in the config put the following line;

      push "route 10.1.101.0 255.255.255.0"

      3. I am not sure what you mean by access list? If you are thinking in terms of Cisco access-lists, then it's probably easier to do this using something like iptables to restrict traffic through the tunnel. If you need to push different routes to different clients then you can use per-client configurations (refer to the client-config-dir directive in the server configuration file).

      Cheers
      K

  5. Heya, thanks for the excellent howto. Being the third I tried, it was the first that worked with current stuff!

    More information on setting up Win/Lin/Mac clients would be nice. I got the server started alright (after finding that the files server.key / server.crt are actually called the literal name of the server, e.g. office.mydomain.com.crt), but now I'm struggling a bit to get the clients set up. (Right now on Linux, Windows next.)

    1. Hi Ben,

      Thanks for the comment. I recently put up some instructions on setting up OpenVPN 2.2.2 on CentOS 6.3 (http://nkush.blogspot.com.au/2012/08/installing-openvpn-22-on-centos-63-64bit.html).

      I shall take on your comments and try to put up instructions for setting up the client. I also plan to include further instructions on specific iptables rules to allow specific topologies with OpenVPN.

      Cheers
      K

  6. Instruction 2.6 should read "clean-all " instead of "clean-all," in:
    chmod o+x,g+x clean-all, build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
