Setup OpenVPN 2.3.6 on CentOS 6.5

Since OpenVPN 2.3.x release there’s no more easy-rsa scripts in /usr/share. So you have to use different approach to setup OpenVPN. It’s easy when you know all the steps.

First let’s install openvpn itself:

[[email protected] ~]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[[email protected] ~]# yum install openvpn wget
[[email protected] ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
[[email protected] ~]# mkdir /var/log/openvpn
[[email protected] ~]# chown nobody:nobody /var/log/openvpn

We’ll get back to server.conf a bit later, after creating all necessary keys and certificates created.

Easy-rsa setup

Now let’s download keytool and generate all required keys and certificates:

[[email protected] ~]# cd /etc/openvpn
# You can get latest version from: https://github.com/OpenVPN/easy-rsa/releases
[[email protected] openvpn]# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.0-rc2/EasyRSA-3.0.0-rc2.tgz
[[email protected] openvpn]# tar xzf EasyRSA-3.0.0-rc2.tgz
[[email protected] openvpn]# mv EasyRSA-3.0.0-rc2 server
[[email protected] openvpn]# cd server/
[[email protected] server]# ./easyrsa init-pki
[[email protected] server]# ./easyrsa build-ca
[[email protected] server]# ./easyrsa gen-dh
[[email protected] server]# ./easyrsa build-server-full server nopass
[[email protected] server]# cp /etc/openvpn/server/pki/ca.crt /etc/openvpn/
[[email protected] server]# cp /etc/openvpn/server/pki/issued/server.crt /etc/openvpn/
[[email protected] server]# cp /etc/openvpn/server/pki/dh.pem /etc/openvpn/
[[email protected] server]# cp /etc/openvpn/server/pki/private/server.key /etc/openvpn/

If you plan to grant and revoke access, you have to generate CRL and use it in server.conf.

Web hosting offer – €12/year

Create client certificate and keys

In order to create certificates and keys for client you can use this simple oneliner:

#Don't forget to set desired username in 'user' variable:
[[email protected] ~]# user="username"; cd /etc/openvpn/server; ./easyrsa build-client-full $user nopass; tar -czvf /root/$user.tar.gz -C /etc/openvpn/server/pki/private/ $user.key -C /etc/openvpn/server/pki/issued/ $user.crt -C /etc/openvpn/server/pki/ ca.crt dh.pem

Now you can just grab that archive from the server using scp.

configure server.conf

Now let’s get back to the main part. Your server.conf should have at least these things set:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/pki/ca.crt
cert /etc/openvpn/server/pki/issued/server.crt
key /etc/openvpn/server/pki/private/server.key  # This file should be kept secret
dh /etc/openvpn/server/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
verb 3

Here’s the sample client config which should work in this case:

client
dev tun
proto udp
remote xx.xx.xx.xx 1194 #replace with your server's IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert username.crt
key username.key
dh trinyte/dh.pem
comp-lzo
verb 4

Save it as name.ovpn.

Also we have to setup masquerading for VPN subnet and enable ip_forward in kernel:

[[email protected] ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[[email protected] ~]# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
[[email protected] ~]# iptables -A INPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
[[email protected] ~]# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
[[email protected] ~]# /etc/init.d/iptables save
[[email protected] ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[[email protected] ~]# sysctl -p

Now chown all files and restart openvpn:

[[email protected] ~]# chown nobody:nobody -R /etc/openvpn
[[email protected] ~]# /etc/init.d/openvpn

 

Revoke access and generate CRL:

#To revoke access use:
[[email protected] ~]# cd /etc/openvpn/server
[[email protected] server]# ./easyrsa revoke username
[[email protected] server]# ./easyrsa gen-crl

#Add to server.conf and restart openvpn:
[[email protected] server]# echo "crl-verify /etc/openvpn/server/pki/crl.pem
[[email protected] server]# chown nobody:nobody -R /etc/openvpn/
[[email protected] server]# /etc/init.d/openvpn restart