8/08/2012

Installing OpenVPN 2.2 on CentOS 6.3 64bit

This post is an update of a previous post that used CentOS 5.7 and OpenVPN 2.2 (http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html). The basic instructions are the same, but this post uses some newer packages, which may have been relocated to new URLs. Again, this blog and its posts are mostly for my own reference and are not intended as step-by-step instructions for other systems/network administrators.

Install RPMForge, or RepoForge as it's now known[1]
  1. wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  2. Import the RepoForge (DAG) signing key and check the package signature before installing a third-party repository: rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt && rpm -K rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  3. rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  4. yum update
Install and set-up the OpenVPN Server[2]
  1. yum -y install openvpn 
  2. cd /etc/openvpn/
  3. cp /usr/share/doc/openvpn-*/sample-config-files/server.conf .
  4. mkdir -p /etc/openvpn/easy-rsa/keys
  5. cd /etc/openvpn/easy-rsa
  6. cp -rf /usr/share/doc/openvpn-*/easy-rsa/2.0/* .   (the directory name carries the packaged version, e.g. openvpn-2.2.0 or openvpn-2.2.2; check /usr/share/doc if the glob matches nothing)
  7. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
 Set-up the OpenVPN Server environment, keys and certificates
  1. vi /etc/openvpn/easy-rsa/vars
    1. Also consider setting the key length with the KEY_SIZE variable: 1024 is the default, 2048 is better but slows down the TLS handshake; I am paranoid and use 4096-bit keys. The same value is used by build-dh, so larger keys also mean much longer Diffie-Hellman parameter generation.
    2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
    3. I used PKCS11_MODULE_PATH=/ and a random PIN value; these are only consulted if a PKCS#11 hardware token is used, so any placeholder is fine here
  2. Create a link to the openssl config file as openssl.cnf
    1. ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf   
  3. Create the CA and the certificate for the server (the scripts read the KEY_* variables from the environment, so source vars in the same shell first)
    1. source ./vars
    2. ./clean-all   (wipes the keys directory and creates a fresh index.txt and serial; only run this on a new set-up)
    3. ./build-ca   (creates keys/ca.crt and keys/ca.key; the server and client certificates are signed with this CA)
    4. ./build-key-server NAME_OF_SERVER
    5. Answer the questions and commit the certificate into the database
  4. Create the Diffie Hellman files
    1. These are the Diffie-Hellman parameters used for the ephemeral key exchange inside the TLS handshake: the session keys are never sent over the wire, and a later compromise of the server's RSA key does not expose past sessions. build-dh uses KEY_SIZE, so with 4096 it may take a (very) long time.
    2. ./build-dh
  5. Create the certificate for each client
    1. ./build-key CLIENT
  6. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local (only needed to bind a single address on a multi-homed host)
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key (point ca/cert/key/dh at the files under easy-rsa/keys; the .key file must stay readable by root only)
      8. dh (the file name carries the key size, e.g. dh2048.pem or dh4096.pem)
      9. max-clients
      10. user
      11. group (uncomment user nobody and group nobody so the daemon drops root after start-up; CentOS has a nobody group, Debian-based systems use nogroup)
      12. log-append
      13. verb
  7. Start everything
    1. /etc/rc.d/init.d/openvpn start   (or: service openvpn start)
    2. chkconfig --level 235 openvpn on
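
The whole procedure above as one script, an added example that is not code from the original post: a small POSIX shell script with three functions, one that runs the easy-rsa steps in the order the scripts expect (sourcing vars and creating the CA before the server key), one that writes a server.conf carrying the directives the post tells you to check, and one that sanity-checks that file before the service is started (the referenced files exist, the private key is root-only, the daemon drops to user/group). The paths follow the post's layout; the server name vpn1, the 10.8.0.0/24 pool (the sample config's default), the client names and the script name openvpn-setup.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the post's layout
# (/etc/openvpn, /etc/openvpn/easy-rsa/keys), server name "vpn1" and the
# sample config's 10.8.0.0/24 pool. With no arguments the script does nothing;
# see the case statement at the bottom for the three entry points.
set -u

# Build the PKI in the order easy-rsa 2.0 expects. The scripts read the
# exported KEY_* variables, so vars must be sourced in this shell first;
# clean-all wipes the keys directory and belongs to a fresh set-up only.
# Needs the easy-rsa scripts and prompts interactively, so the self-test
# below never calls it.
build_pki() {
    cd /etc/openvpn/easy-rsa || return 1
    . ./vars                    # KEY_SIZE, KEY_COUNTRY, ... into the environment
    ./clean-all                 # empty keys/, create index.txt and serial
    ./build-ca                  # keys/ca.crt + keys/ca.key
    ./build-key-server "$1"     # server cert/key signed by the CA
    ./build-dh                  # keys/dh${KEY_SIZE}.pem
    shift
    for client in "$@"; do
        ./build-key "$client"   # one cert/key pair per client
    done
}

# Write a server.conf carrying the directives the post says to check.
# $1 destination, $2 keys directory, $3 server name, $4 KEY_SIZE (default 2048).
write_server_conf() {
    dest=$1 keydir=$2 name=$3 keysize=${4:-2048}
    cat > "$dest" <<EOF
;local a.b.c.d
port 1194
proto udp
dev tun
ca $keydir/ca.crt
cert $keydir/$name.crt
key $keydir/$name.key
dh $keydir/dh$keysize.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
max-clients 10
user nobody
group nobody
persist-key
persist-tun
log-append /var/log/openvpn.log
verb 3
EOF
}

# Sanity-check a server.conf before starting the daemon: every file named
# by ca/cert/key/dh must exist, the private key must not be readable by group
# or others, and user/group must be set so the daemon does not keep root.
# Prints one line per problem and returns the number of problems (0 = ok).
check_server_conf() {
    conf=$1 problems=0 user= group=
    while read -r directive value _; do
        case $directive in
            ca|cert|dh)
                [ -f "$value" ] || { echo "$directive: $value not found"; problems=$((problems + 1)); } ;;
            key)
                if [ ! -f "$value" ]; then
                    echo "key: $value not found"; problems=$((problems + 1))
                elif [ "$(ls -l "$value" | cut -c5-10)" != "------" ]; then
                    # columns 5-10 of ls -l are the group and other permission bits
                    echo "key: $value is readable by group/others, chmod 600 it"; problems=$((problems + 1))
                fi ;;
            user)  user=$value ;;
            group) group=$value ;;
        esac
    done < "$conf"
    [ -n "$user" ]  || { echo "no user directive: daemon stays root"; problems=$((problems + 1)); }
    [ -n "$group" ] || { echo "no group directive"; problems=$((problems + 1)); }
    return "$problems"
}

# Entry points for stand-alone use, e.g.
#   sh openvpn-setup.sh pki vpn1 laptop phone
#   sh openvpn-setup.sh write /etc/openvpn/server.conf /etc/openvpn/easy-rsa/keys vpn1 4096
#   sh openvpn-setup.sh check /etc/openvpn/server.conf
case "${1:-}" in
    pki)   shift; build_pki "$@" ;;
    write) shift; write_server_conf "$@" ;;
    check) shift; check_server_conf "$@" ;;
esac
```

Run the check after editing the config and before chkconfig/service start; a non-zero exit with a list of problems means the daemon would either fail to start (missing files) or start with more privilege than intended (no user/group, or a key other accounts on the box can read).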
A future post may include instructions on configuring the client as well as setting up firewall rules for specific topologies (time permitting).

References
  1. http://wiki.centos.org/AdditionalResources/Repositories/RPMForge/#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01
  2. http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html

5 comments:

  1. Not working. Command:
    ========================
    yum -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
    ==========================
    cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf
    =========================

    1. change yum here to rpm
      and 2.2.0 in second to * or find correct folder in /usr/share/doc

  2. cp -rf /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/* .
    cp: cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/*': No such file or directory

    1. Hi Kim,

      Thanks for the comment. The current version of OpenVPN is 2.3, you may have a different version of the directory, e.g. openvpn-2.3.0 or something.

      Please check the directory before copying the files manually.

      Hope this helped.

      Cheers
      Kush

  3. There is a mistake in the instructions, prior to step 3, you need to execute "./build-ca". Sorry for any inconvenience caused.
