8/08/2012

Installing OpenVPN 2.2 on CentOS 6.3 64bit

This post is just an update of a previous post that used CentOS 5.7 and OpenVPN 2.2 (http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html). The basic instructions are the same, however this post uses some newer packages which may have been relocated to new URLs. Again this blog and the posts are mostly for my own reference and not intended as step-by-step instuctions for other systems/network administrators

Install RPMForge or RepoForge as it's now known[1]
  1. wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  2. rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  3. yum update
Install and set-up the OpenVPN Server[2]
  1. yum -y install openvpn 
  2. cd /etc/openvpn/
  3. cp /usr/share/doc/openvpn-*/sample-config-files/server.conf .
  4. mkdir -p /etc/openvpn/easy-rsa/keys
  5. cd /etc/openvpn/easy-rsa
  6. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
  7. chmod o+x,g+x clean-all, build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
 Set-up the OpenVPN Server environment, keys and certificates
  1. vi /etc/openvpn/easy-rsa/vars
    1. Also consider setting the key length using KEY_SIZE variable, 1024 is the default 2048 is better, but slows down the TLS, but I am paranoid and use 4096 bit keys
    2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
    3. I used  PKCS11_MODULE_PATH=/ and a random PIN value
  2. Create a link to the openssl config file as openssl.cnf
    1. ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf   
  3. Create certificate for the server
    1. ./build-key-server NAME_OF_SERVER
    2. Answer the questions and commit the certificate into the database
  4. Create the Diffie Hellman files
    1. These files are used for the actual key exchange to ensure the confidentiality over an insecure channel. Based on the length of the key used (KEY_SIZE) it may take a while.
    2. ./build-dh
  5. Create the certificate for each client
    1. ./build-key CLIENT
  6. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  7. Start everything
    1. /etc/rc.d/init/openvpn start
    2. chkconfig --level 235 openvpn on
Future post may include instructions on configuration of client as well as set-up of firewall rules for specific topologies (time permitting)

References
  1. http://wiki.centos.org/AdditionalResources/Repositories/RPMForge/#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01
  2. http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.htm 
Labels: , , , , , , , , ,

5 comments:

  1. Mohamad ZaimSaturday, 27 October 2012 at 17:55:00 GMT+10

    Not WorkingCommand :
    ========================
    yum -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
    ==========================
    cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf
    =========================

    ReplyDelete
    Replies
    1. mshutovThursday, 1 November 2012 at 17:09:00 GMT+10

      change yum here to rpm
      and 2.2.0 in second to * or find correct folder in /usr/share/doc

      Delete
  2. KimThursday, 14 March 2013 at 09:23:00 GMT+10

    cp -rf /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/* .
    cp: cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/*': No such file or directory

    ReplyDelete
    Replies
    1. kushSaturday, 16 March 2013 at 15:37:00 GMT+10

      Hi Kim,

      Thanks for the comment. The current version of OpenVPN is 2.3, you may have a different version of the directory, e.g. openvpn-2.3..0 or something.

      Please check the directory before copying the files manually.

      Hope this helped.

      Cheers
      Kush

      Delete
  3. kushThursday, 12 June 2014 at 00:40:00 GMT+10

    There is a mistake in the instructions, prior to step 3, you need to execute "./build-ca". Sorry for any inconvenience caused.

    ReplyDelete

Subscribe to: Post Comments (Atom)