OpenVPN : Install
2015/03/31
Install OpenVPN to configure a Virtual Private Network.
This example is based on the following environment.
OpenVPN is configured in bridge mode: br0 and tap0 on the OpenVPN server are created automatically by the service, and the IP address of tap0 on each client is assigned by the OpenVPN server from a pool inside the LAN subnet. After connecting, a client can reach any computer on the same local network. Before configuring, set up port forwarding on the gateway router so that connections to x.x.x.x:1194 are forwarded to 192.168.0.30:1194; the example below assumes this is in place.

                          +----------------------+
                          |  [ OpenVPN Server ]  |
                      tap0|    dlp.srv.world     |eth0
                          |                      |
                          +-----------+----------+
                                      |br0
                                      |192.168.0.30:1194
                                      |
                                      |192.168.0.1
                               +------+-----+
-------------------------------|   Router   |-------------------------------
                               +------+-----+
                                      |x.x.x.x:1194
                                      |
                                   Internet
                                      |
------------+-------------------------+-------------------------------------
            |
            |         +------------------+
            |     tap0|                  |eth0
            +---------+    VPN Client    +---------
       192.168.0.x    |                  |    10.0.0.10
                      +------------------+
[1] Install OpenVPN.
# install from EPEL
[root@dlp ~]# yum --enablerepo=epel -y install openvpn easy-rsa bridge-utils
[2] Create the CA certificate.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# vi vars
# line 64: change to your own environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="root@dlp.srv.world"
export KEY_OU="Server_World"

[root@dlp 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@dlp 2.0]# ./clean-all
[root@dlp 2.0]# ./build-ca
Generating a 2048 bit RSA private key
..............+++
...+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:   # Enter
State or Province Name (full name) [Hiroshima]:   # Enter
Locality Name (eg, city) [Hiroshima]:   # Enter
Organization Name (eg, company) [GTS]:   # Enter
Organizational Unit Name (eg, section) [Server_World]:   # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:   # Enter
Name [EasyRSA]:Server-CA   # change to any name you like
Email Address [root@dlp.srv.world]:   # Enter

The CA private key is written to keys/ca.key. Anyone holding it can issue certificates that this OpenVPN server will accept, so keep it readable by root only and do not copy it to clients.
[3] Create the server certificate.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
.................................................+++
.................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:   # Enter
State or Province Name (full name) [Hiroshima]:   # Enter
Locality Name (eg, city) [Hiroshima]:   # Enter
Organization Name (eg, company) [GTS]:   # Enter
Organizational Unit Name (eg, section) [Server_World]:   # Enter
Common Name (eg, your name or your server's hostname) [server]:   # Enter
Name [EasyRSA]:Server-CRT   # change to any name you like
Email Address [root@dlp.srv.world]:   # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # Enter
An optional company name []:   # Enter
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Server-CRT'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Mar 28 12:30:50 2025 GMT (3650 days)
Sign the certificate? [y/n]:y   # confirm the settings and proceed with yes

1 out of 1 certificate requests certified, commit? [y/n]y   # proceed with yes
Write out database with 1 new entries
Data Base Updated

The 3650-day validity comes from KEY_EXPIRE in vars; shorten it there before signing if ten years is longer than you want a server key to live.
[4] Generate Diffie-Hellman (DH) parameters.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[5] Create the client certificate.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-key client01
Generating a 2048 bit RSA private key
............+++
.......................................................+++
writing new private key to 'client01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:   # Enter
State or Province Name (full name) [Hiroshima]:   # Enter
Locality Name (eg, city) [Hiroshima]:   # Enter
Organization Name (eg, company) [GTS]:   # Enter
Organizational Unit Name (eg, section) [Server_World]:   # Enter
Common Name (eg, your name or your server's hostname) [client01]:   # Enter
Name [EasyRSA]:client01   # change to any name you like
Email Address [root@dlp.srv.world]:   # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # Enter
An optional company name []:   # Enter
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'client01'
name                  :PRINTABLE:'client01'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Mar 28 12:40:16 2025 GMT (3650 days)
Sign the certificate? [y/n]:y   # confirm the settings and proceed with yes

1 out of 1 certificate requests certified, commit? [y/n]y   # proceed with yes
Write out database with 1 new entries
Data Base Updated
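After steps [2] to [5] the keys directory holds the CA, the server pair and the client pair. The script below is an added example, not part of the original page and not an easy-rsa tool. It checks the result the way an OpenVPN peer will at connect time: that each certificate chains to ca.crt, that each private key matches its certificate, that only server.crt carries the TLS server purpose (build-key-server signs with easy-rsa's server extensions and build-key does not; a client's "remote-cert-tls server" or "ns-cert-type server" check relies on exactly that difference, so a stolen client certificate cannot pose as the server), and that private keys are not group/world readable. It assumes the file names used above (ca.crt, server.crt, server.key, client01.crt, client01.key) in one directory passed as the argument, and that openssl is on the PATH; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page and not an easy-rsa tool): verify
# the PKI produced by build-ca / build-key-server / build-key before copying
# it to /etc/openvpn/keys.  Assumes the file names used on this page, all in
# the directory given as the argument: ca.crt, server.crt, server.key,
# client01.crt, client01.key, and that openssl is on the PATH.

# cert_matches_key CRT KEY -> 0 when both carry the same RSA modulus
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_is_server CRT -> 0 when the certificate is marked for TLS server use
# (extendedKeyUsage serverAuth or nsCertType server).  build-key-server signs
# with these extensions, build-key does not; a client's "remote-cert-tls
# server" / "ns-cert-type server" check relies on exactly this difference.
cert_is_server() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        grep -Eq 'TLS Web Server Authentication|SSL Server'
}

# key_is_private KEY -> 0 when the file has no group/other permission bits
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# verify_openvpn_pki KEYDIR -> 0 when every check passes; prints one line per check
verify_openvpn_pki() {
    dir=$1; rc=0
    for name in server client01; do
        crt=$dir/$name.crt; key=$dir/$name.key
        if openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "OK   $name.crt chains to ca.crt"
        else
            echo "FAIL $name.crt does not verify against ca.crt"; rc=1
        fi
        if cert_matches_key "$crt" "$key"; then
            echo "OK   $name.key matches $name.crt"
        else
            echo "FAIL $name.key does not match $name.crt"; rc=1
        fi
        if key_is_private "$key"; then
            echo "OK   $name.key is readable by its owner only"
        else
            echo "FAIL $name.key is readable by group/other; it should be mode 600"; rc=1
        fi
    done
    if cert_is_server "$dir/server.crt"; then
        echo "OK   server.crt carries the server purpose"
    else
        echo "FAIL server.crt lacks the server purpose (made with build-key instead of build-key-server?)"; rc=1
    fi
    if cert_is_server "$dir/client01.crt"; then
        echo "FAIL client01.crt carries the server purpose; its holder could impersonate the server"; rc=1
    else
        echo "OK   client01.crt is a client-only certificate"
    fi
    if [ -f "$dir/ca.key" ]; then
        echo "WARN ca.key is in $dir; neither the VPN server nor the clients need it"
    fi
    return $rc
}

# usage: sh verify-pki.sh /usr/share/easy-rsa/2.0/keys
if [ $# -eq 1 ]; then verify_openvpn_pki "$1"; fi
```

Run it against /usr/share/easy-rsa/2.0/keys before step [6]; a non-zero exit means at least one FAIL line was printed. The WARN about ca.key is expected at this point, since easy-rsa writes the CA key into the same directory; it matters once that directory is copied onto the server or to a client.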
[6] Configure and start the OpenVPN server.
[root@dlp ~]# cp -pR /usr/share/easy-rsa/2.0/keys /etc/openvpn/keys
[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Note that the first command copies the whole keys directory, including the CA private key ca.key. The server only needs ca.crt, server.crt, server.key and dh2048.pem to run, so remove ca.key from /etc/openvpn/keys (or keep the CA on a separate machine), and make sure the private keys there are readable by root only (mode 600).

[root@dlp ~]# vi /etc/openvpn/server.conf
# line 32: change if needed (listening port)
port 1194
# line 35: uncomment tcp and comment out udp
proto tcp
;proto udp
# line 52: change to tap, which bridge mode uses
dev tap0
;dev tun
# line 78: change the paths to the certificates
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# line 85: change the path to the DH parameters
dh keys/dh2048.pem
# line 101: comment out
;server 10.8.0.0 255.255.255.0
# line 120: uncomment and change ⇒ [VPN server's IP] [subnet mask] [range of IPs for clients]
# (the client range must lie inside the LAN subnet and outside the scope of any DHCP server on that LAN)
server-bridge 192.168.0.30 255.255.255.0 192.168.0.150 192.168.0.199
# line 231: keepalive settings
keepalive 10 120
# line 256: enable compression
# (compressing traffic before encryption is discouraged in later OpenVPN releases; omit this unless clients need it)
comp-lzo
# line 274: enable persist options
persist-key
persist-tun
# line 289: uncomment and specify logs
log /var/log/openvpn.log
log-append /var/log/openvpn.log
# line 299: log verbosity (0 - 9, 9 is debug level)
verb 3

[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-start /etc/openvpn/openvpn-startup
[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown
[root@dlp ~]# chmod 755 /etc/openvpn/openvpn-startup /etc/openvpn/openvpn-shutdown
[root@dlp ~]# vi /etc/openvpn/openvpn-startup
# line 17-20: change
eth="eth0"                     # change if needed
eth_ip="192.168.0.30"          # IP for the bridge interface
eth_netmask="255.255.255.0"    # subnet mask
eth_broadcast="192.168.0.255"  # broadcast address
# add the following to the end: define the gateway
# (bridge-start re-addresses eth0 to 0.0.0.0 and gives its address to br0, so the default route must be set again)
eth_gw="192.168.0.1"
route add default gw $eth_gw

[root@dlp ~]# vi /etc/rc.d/init.d/openvpn
# line 133: uncomment
echo 1 > /proc/sys/net/ipv4/ip_forward

[root@dlp ~]# /etc/rc.d/init.d/openvpn start
Starting openvpn: Wed Apr  1 20:44:57 2015 TUN/TAP device tap0 opened
Wed Apr  1 20:44:57 2015 Persist state set to: ON
device tap0 entered promiscuous mode
br0: port 2(tap0) entering forwarding state
br0: port 1(eth0) entering forwarding state
                                                           [  OK  ]
[root@dlp ~]# chkconfig openvpn on
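Before starting the service it is worth cross-checking the bridge settings, because a wrong server-bridge pool produces address conflicts on the LAN rather than a startup error. The script below is an added example, not part of the original page or of OpenVPN. It reads the server-bridge line from server.conf and checks, with plain POSIX sh arithmetic, that the client pool lies inside the bridge subnet and does not contain the server, network or broadcast address; it then checks that eth_ip and eth_netmask in the openvpn-startup (bridge-start) script agree with that line and that dev tap is set, and prints advisory warnings for comp-lzo and for a missing tls-auth key. The file paths are arguments so it can run on copies, and the function and variable names are my own. It cannot tell whether the pool overlaps the LAN's DHCP scope; check that against the DHCP server separately.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenVPN): sanity-check the
# bridge-mode settings before starting the service.  Assumes the file layout
# used above:
#   server.conf      contains "server-bridge GW MASK POOL_START POOL_END"
#   openvpn-startup  contains eth_ip="..." and eth_netmask="..." (bridge-start)
# Paths are passed as arguments so the checks can run on copies of the files.

# ip2int DOTTED_QUAD -> unsigned integer, using only POSIX sh arithmetic
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bridge_pool GW MASK START END
# 0 when the client pool is inside the bridge subnet, non-empty, and does not
# contain the server (gateway), network or broadcast address; prints one
# "ERR ..." line per problem otherwise.
check_bridge_pool() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2")
    start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( gw & mask )); bcast=$(( net | (mask ^ 4294967295) ))
    rc=0
    [ $(( start & mask )) -eq "$net" ] || { echo "ERR pool start $3 is outside the bridge subnet"; rc=1; }
    [ $(( end & mask )) -eq "$net" ]   || { echo "ERR pool end $4 is outside the bridge subnet"; rc=1; }
    [ "$start" -le "$end" ]            || { echo "ERR pool start $3 is after pool end $4"; rc=1; }
    if [ "$gw" -ge "$start" ] && [ "$gw" -le "$end" ]; then
        echo "ERR server address $1 lies inside the client pool"; rc=1
    fi
    if [ "$start" -eq "$net" ] || [ "$end" -eq "$bcast" ]; then
        echo "ERR pool includes the network or broadcast address"; rc=1
    fi
    return $rc
}

# audit_bridge_config SERVER_CONF STARTUP_SCRIPT
# Cross-checks server.conf against the bridge start script.  Returns 0 only
# when no ERR was found; WARN lines are advisory.
audit_bridge_config() {
    conf=$1; startup=$2; rc=0
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5; exit }' "$conf")
    if [ $# -ne 4 ]; then
        echo "ERR no 'server-bridge GW MASK START END' line in $conf"; return 1
    fi
    check_bridge_pool "$1" "$2" "$3" "$4" || rc=1
    # bridge-start must give br0 exactly the address server-bridge advertises as gateway
    eth_ip=$(sed -n 's/^eth_ip="\([^"]*\)".*/\1/p' "$startup")
    eth_mask=$(sed -n 's/^eth_netmask="\([^"]*\)".*/\1/p' "$startup")
    [ "$eth_ip" = "$1" ]   || { echo "ERR eth_ip=\"$eth_ip\" in $startup differs from server-bridge IP $1"; rc=1; }
    [ "$eth_mask" = "$2" ] || { echo "ERR eth_netmask=\"$eth_mask\" differs from server-bridge mask $2"; rc=1; }
    # server-bridge only works on a tap device
    grep -Eq '^dev[[:space:]]+tap' "$conf" || { echo "ERR server-bridge requires 'dev tap'"; rc=1; }
    # advisory checks
    if grep -q '^comp-lzo' "$conf"; then
        echo "WARN comp-lzo is enabled; compressing traffic before encryption is discouraged"
    fi
    if ! grep -q '^tls-auth' "$conf"; then
        echo "WARN no tls-auth key: any host can start a TLS handshake with port 1194"
    fi
    return $rc
}

# usage: sh audit-bridge.sh /etc/openvpn/server.conf /etc/openvpn/openvpn-startup
if [ $# -eq 2 ]; then audit_bridge_config "$1" "$2"; fi
```

With the configuration from this page the script exits 0 and prints the two WARN lines, since comp-lzo is enabled and tls-auth is not; both are deliberate choices here, and the warnings only flag them for review.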
[7] Transfer "ca.crt", "client01.crt" and "client01.key" from /etc/openvpn/keys to the client computer that will connect to the OpenVPN server. client01.key is that client's private key: copy it over an authenticated channel such as scp, give it to that one client only, and never send ca.key or server.key to a client.