Since the OpenVPN 2.3.x release there are no more easy-rsa scripts in /usr/share, so you have to use a different approach to set up OpenVPN. It's easy once you know all the steps.
First let's install openvpn itself:
```
[root@openvpn ~]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@openvpn ~]# yum install openvpn wget
[root@openvpn ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
[root@openvpn ~]# mkdir /var/log/openvpn
[root@openvpn ~]# chown nobody:nobody /var/log/openvpn
```
We'll get back to server.conf a bit later, after all the necessary keys and certificates have been created.
EASY-RSA SETUP
Now let's download easy-rsa and generate all required keys and certificates:
```
[root@openvpn ~]# cd /etc/openvpn
# You can get the latest version from: https://github.com/OpenVPN/easy-rsa/releases
[root@openvpn openvpn]# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.0-rc2/EasyRSA-3.0.0-rc2.tgz
[root@openvpn openvpn]# tar xzf EasyRSA-3.0.0-rc2.tgz
[root@openvpn openvpn]# mv EasyRSA-3.0.0-rc2 server
[root@openvpn openvpn]# cd server/
[root@openvpn server]# ./easyrsa init-pki
[root@openvpn server]# ./easyrsa build-ca
[root@openvpn server]# ./easyrsa gen-dh
[root@openvpn server]# ./easyrsa build-server-full server nopass
[root@openvpn server]# cp /etc/openvpn/server/pki/ca.crt /etc/openvpn/
[root@openvpn server]# cp /etc/openvpn/server/pki/issued/server.crt /etc/openvpn/
[root@openvpn server]# cp /etc/openvpn/server/pki/dh.pem /etc/openvpn/
[root@openvpn server]# cp /etc/openvpn/server/pki/private/server.key /etc/openvpn/
```
If you plan to grant and revoke access, you also have to generate a CRL and reference it in server.conf (see the last section).
CREATE CLIENT CERTIFICATE AND KEYS
In order to create a certificate and key for a client you can use this simple one-liner:
```
# Don't forget to set the desired username in the 'user' variable:
[root@openvpn ~]# user="username"; cd /etc/openvpn/server; ./easyrsa build-client-full $user nopass; tar -czvf /root/$user.tar.gz -C /etc/openvpn/server/pki/private/ $user.key -C /etc/openvpn/server/pki/issued/ $user.crt -C /etc/openvpn/server/pki/ ca.crt dh.pem
```
Now you can just grab that archive from the server using scp.
CONFIGURE SERVER.CONF
Now let's get back to the main part. Your server.conf should have at least these directives set:
```
port 1194
proto udp
dev tun
ca /etc/openvpn/server/pki/ca.crt
cert /etc/openvpn/server/pki/issued/server.crt
key /etc/openvpn/server/pki/private/server.key # This file should be kept secret
dh /etc/openvpn/server/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
```
Here's a sample client config that should work in this case:
```
client
dev tun
proto udp
remote xx.xx.xx.xx 1194 # replace with your server's IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert username.crt
key username.key
dh dh.pem # shipped in the tarball; only the server side actually uses DH parameters
comp-lzo
verb 4
```
Save it as name.ovpn next to the extracted ca.crt, username.crt and username.key.
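As an added example (not from the original post), the following POSIX shell helper builds the same client profile from the per-user tarball contents but embeds ca.crt, username.crt and username.key inline, so a single .ovpn file is all the client needs. make_ovpn and demo are hypothetical names, the PEM contents in demo are constructed placeholders, and remote-cert-tls server is an extra check that is not in the sample config above.

```shell
#!/bin/sh
# make_ovpn USER SERVER_IP SRC_DIR OUT_FILE
# Builds a single-file client profile from the files the per-user tarball
# ships (ca.crt, $user.crt, $user.key). Hypothetical helper, not from the post.
make_ovpn() {
    user="$1" server="$2" src="$3" out="$4"
    for f in ca.crt "$user.crt" "$user.key"; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    {
        # Same client directives as the sample config; the dh line is omitted
        # because DH parameters are only used by the server side.
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        # Refuse to connect to a peer whose cert was not issued as a server cert
        # (easy-rsa's build-server-full sets the required extensions).
        printf 'remote-cert-tls server\ncomp-lzo\nverb 4\n'
        for pair in "ca:ca.crt" "cert:$user.crt" "key:$user.key"; do
            tag=${pair%%:*} file=${pair#*:}
            printf '<%s>\n' "$tag"
            cat "$src/$file"
            printf '</%s>\n' "$tag"
        done
    } > "$out"
    chmod 600 "$out"   # the profile now contains the client's private key
}

# demo: constructed placeholder PEM files stand in for real tarball contents;
# prints the path of the generated profile.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CLIENT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/alice.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$dir/alice.key"
    make_ovpn alice 192.0.2.10 "$dir" "$dir/alice.ovpn" && echo "$dir/alice.ovpn"
}
```

Run demo to see a generated profile; with real files from the tarball, call make_ovpn directly and hand only the resulting .ovpn to the user.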
We also have to set up masquerading for the VPN subnet and enable ip_forward in the kernel:
```
[root@openvpn ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@openvpn ~]# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
[root@openvpn ~]# iptables -A INPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
[root@openvpn ~]# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
[root@openvpn ~]# /etc/init.d/iptables save
[root@openvpn ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@openvpn ~]# sysctl -p
```
For OpenVZ VMs use the following iptables rules (where xxx.xxx.xxx.xxx is the EXTERNAL IP address of the VM):
```
# POSTROUTING lives in the nat table, so -t nat is required here
[root@openvpn ~]# iptables -t nat -A POSTROUTING -j SNAT --to-source xxx.xxx.xxx.xxx
[root@openvpn ~]# iptables -A FORWARD -i tun0 -j ACCEPT
[root@openvpn ~]# iptables -A FORWARD -o venet0 -m state --state NEW -j ACCEPT
[root@openvpn ~]# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@openvpn ~]# iptables -A INPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
[root@openvpn ~]# /etc/init.d/iptables save
[root@openvpn ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@openvpn ~]# sysctl -p
```
Now chown all files and restart openvpn:
```
[root@openvpn ~]# chown nobody:nobody -R /etc/openvpn
[root@openvpn ~]# /etc/init.d/openvpn restart
```
REVOKE ACCESS AND GENERATE CRL
```
# To revoke access use:
[root@openvpn ~]# cd /etc/openvpn/server
[root@openvpn server]# ./easyrsa revoke username
[root@openvpn server]# ./easyrsa gen-crl
# Add the CRL to server.conf and restart openvpn:
[root@openvpn server]# echo "crl-verify /etc/openvpn/server/pki/crl.pem" >> /etc/openvpn/server.conf
[root@openvpn server]# chown nobody:nobody -R /etc/openvpn/
[root@openvpn server]# /etc/init.d/openvpn restart
```