Installing and Configuring OpenVPN in Linux Servers


What is a VPN?

VPN stands for virtual private network. It allows you to connect securely to a private network over the Internet and work as if you were part of that network. It is based on a client/server architecture and works on almost all platforms, including FreeBSD, Linux, Windows and Mac OS X. It allows you to work from home as if you were in the office, and it helps distant colleagues work together, much like desktop sharing.

Installing OpenVPN on the server

OpenVPN requires the LZO real-time compression library, so install it first if it is not already present.

There are three ways to install OpenVPN:

a) Using YUM

yum install openvpn -y

b) Installation via RPM

First download and install LZO.

wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/SRPMS/02-3.el5.kb.src.rpm

rpm -ivh lzo-2.02-3.el5.kb.src.rpm

Then download and install OpenVPN.

wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/SRPMS/n-2.1-0.20.rc4.el5.kb.src.rpm

rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.src.rpm

c) Installation via source

Installing LZO

cd /usr/local/

wget http://www.oberhumer.com/opensource/lzo/download/LZO-v1/lzo-1.08.tar.gz

tar -xzvf lzo-1.08.tar.gz

cd lzo-1.08

./configure --prefix=/usr

make -j4

make install

Now install OpenVPN

cd /usr/local/

wget http://openvpn.net/release/openvpn-2.1_rc7.tar.gz

tar -xzvf openvpn-2.1_rc7.tar.gz

cd openvpn-2.1_rc7

./configure --prefix=/usr

make -j4

make install

You can choose any of the installation methods above. The yum installation is the easiest, while a source installation gives you more control. Once the installation (using yum or RPM) is complete, the easy-rsa configuration and scripts can be found at /usr/share/doc/openvpn-2.1/easy-rsa.

Copy this folder to the /etc directory.

mkdir /etc/openvpn

cp -R /usr/share/doc/openvpn-2.1/easy-rsa /etc/openvpn

We need to give full permission to all the scripts in this folder.

cd /etc/openvpn/easy-rsa/2.0

chmod 777 * # execute permission is all the scripts need; chmod +x * grants it without making them world-writable

Create Keys on Server

There are two ways to establish authentication between the server and its clients. The first is to generate a key file and distribute it to the server and the clients. While this is easy, it is a potential risk and we won't be dealing with it here.

The other method uses a public key infrastructure (PKI). In this method there are three certificates:

1) Master certificate & key, which is placed on the VPN server

2) Server certificate & key, which is placed on the VPN server

3) Client certificate & key, which is placed on the VPN client

We will generate the master certificate below. The server will only accept certificates from clients that are signed by the master certificate authority. The server and client certificates are intended to provide a secure communication channel.

Generate the master Certificate Authority (CA) certificate & key

The scripts in the easy-rsa folder are used for generating keys. The keys will be placed in /etc/openvpn/keys. This folder will not be present by default, so we first need to create it manually.

mkdir /etc/openvpn/keys

In order to generate the master certificate, we first need to edit the vars configuration file.

cd /etc/openvpn/easy-rsa/2.0

vi vars

Edit the following values to suit your requirements. I am giving test details here. Do not leave any of these fields blank, as the certificate will be generated from these values. Once modified, save and quit the file.

export KEY_DIR="/etc/openvpn/keys"
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="<your e-mail address>" # placeholder, put a real address here

Now, we will start creating the cert and key.

. ./vars

./clean-all # This will delete all the existing files in the key folder

./build-ca # We are going to build the CA. You can just continue by hitting Enter until you reach the field for common name. All other fields will be populated by default from the entries you gave in the vars file.

-bash-3.1# ./build-ca
Generating a 1024 bit RSA private key
...........................++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]: server.ca
Email Address [<KEY_EMAIL from vars>]:

It is important to give a unique common name for this parameter. Here I have given the name server.ca; it is better to follow the format hostname.ca. Now that the master certificate has been generated, we proceed to generate the server certificate.

Generate certificate & key for server

./build-key-server server

As with the master certificate, almost all parameters are taken by default from the vars file. The only detail you need to provide is again the common name; here I have given it as server. Continue hitting Enter until you reach the 'Sign the certificate?' prompt. Type 'y' and hit Enter. Next it will ask '1 out of 1 certificate requests certified, commit?'. Again type 'y' and hit Enter. A sample server certificate generation is shown below.

=========================================
-bash-3.1# ./build-key-server server
Generating a 1024 bit RSA private key
......++++++
...........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [<KEY_EMAIL from vars>]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
commonName :PRINTABLE:'serve.key'
emailAddress :IA5STRING:'<KEY_EMAIL from vars>'
Certificate is to be certified until Jul 1 04:00:18 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate certificate & key for client

Now we create the certificate and key for the client. It is exactly the same process as above; make sure that here too you give a unique common name. You can create as many keys as there are clients for the server.

./build-key client1

Here I am generating the certificate for the client named client1. Give the common name and proceed as you did for the server certificate. A sample certificate generation is pasted below.

-bash-3.1# ./build-key client1
Generating a 1024 bit RSA private key
..............++++++
......................................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:client1
Email Address [<KEY_EMAIL from vars>]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
commonName :PRINTABLE:'dkp1'
emailAddress :IA5STRING:'<KEY_EMAIL from vars>'
Certificate is to be certified until Jul 1 04:02:10 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database Updated
==========================

Generate Diffie Hellman parameters

Next we generate the Diffie-Hellman parameters. Diffie-Hellman (D-H) is a public-key algorithm used for producing a shared secret key.

The script for generating the D-H parameters is ./build-dh; it writes dh1024.pem into the keys folder, and the server configuration references this file.

========================
-bash-3.1# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................+..........++*++*++*
=========================
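The three-certificate PKI that the easy-rsa scripts above build (./build-ca, ./build-key-server, ./build-key), shown here as an added example done with plain openssl so that each step and the resulting trust relation are visible. This is not the page's or easy-rsa's own code: the function names build_pki, cert_is_signed_by and cert_cn are this example's own, it assumes openssl is on the PATH, it uses 2048-bit RSA keys (a choice made here; the easy-rsa release on this page generates 1024-bit keys), and it leaves the D-H parameters to ./build-dh.

```shell
#!/bin/sh
# Added example (not the page's easy-rsa scripts): the same CA / server / client
# PKI built with plain openssl. Assumes openssl is on the PATH; 2048-bit keys
# are this example's choice.
set -eu

# build_pki DIR : create ca, server and client1 key pairs under DIR
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  subj_base="/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston"   # same DN fields as the vars file

  # 1) master CA, self-signed: what ./build-ca produces (ca.crt, ca.key)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "$subj_base/CN=server.ca" >/dev/null 2>&1

  # 2) server certificate: a request signed by the CA, with the server
  #    extended key usage that ./build-key-server sets
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "$subj_base/CN=server" >/dev/null 2>&1
  printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1

  # 3) client certificate: the ./build-key client1 equivalent
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/client1.key" -out "$dir/client1.csr" \
    -subj "$subj_base/CN=client1" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client1.ext"
  openssl x509 -req -in "$dir/client1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/client1.ext" \
    -out "$dir/client1.crt" >/dev/null 2>&1

  chmod 600 "$dir"/*.key   # private keys stay owner-only
}

# cert_is_signed_by CERT CAFILE : exit 0 if CERT chains to CAFILE, 1 otherwise.
# This is the check the OpenVPN server applies to every connecting client.
cert_is_signed_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_cn CERT : print the certificate's common name
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# usage: build_pki /tmp/pki
#        cert_is_signed_by /tmp/pki/client1.crt /tmp/pki/ca.crt && echo accepted
```

cert_is_signed_by is the relation the tutorial relies on: a client certificate issued by any other CA fails the check even when its common name is identical, which is why ca.key must stay on the server and must never be copied to clients alongside ca.crt.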

Configuring the OpenVPN client

Upload the ca.crt, client1.crt and client1.key to the client machine.

Now that the certificates and keys for the server and the client are in place, we proceed to edit the configuration files, which is the most important part.

Creating configuration files for server and clients

Server configuration file

Sample configuration files are available at /usr/share/doc/openvpn-2.1/sample-config-files. server.conf is the server configuration file; copy it to /etc/openvpn and modify it as needed.

cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn

A sample configuration file is given below. The fields you need to edit are the ones explained with a # comment to the right.

=========================
port 1194
proto tcp
dev tun
ca keys/ca.crt # path to the ca.crt file
cert keys/server.crt # path to the server certificate
key keys/server.key # path to the server key file
dh keys/dh1024.pem # path to the generated D-H parameters
mode server # implements multi-client server capability
tls-server
tls-cipher DHE-RSA-AES256-SHA
server 192.168.1.0 255.255.255.0 # the private network address on the server and its mask
client-config-dir ccd
#########
######### Put your public DNS servers here
#########
#push "dhcp-option DNS 210.80.150.4"
#push "dhcp-option DNS 202.155.174.4"
push "route 192.168.1.0 255.255.255.0" # the OpenVPN server can push routes, DNS server addresses and other settings to the clients
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
========================

Once the configuration is done, create the file ipp.txt, which contains the list of client IP addresses.

cd /etc/openvpn

touch ipp.txt

A sample ipp.txt file is as follows.

-bash-3.1# cat ipp.txt
test1.com.client,192.168.1.4

Next, touch a file for the logs.

touch server-tcp.log
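Before starting the daemon it is worth checking that the server.conf above actually points at the files built in the previous sections. The following pre-flight check is an added example and not part of the page or of the OpenVPN project: it reads the ca, cert, key and dh directives, resolves relative paths such as keys/ca.crt against the directory holding the config file (the init script starts openvpn from /etc/openvpn, so that is where they resolve at runtime), and reports missing files, a private key readable by other users, a certificate that does not belong to its key, and a server certificate not signed by the CA. The function names conf_value, file_mode and check_server_conf are this example's own.

```shell
#!/bin/sh
# Added example, not the page's or OpenVPN's code: pre-flight check of a
# server.conf. Assumes GNU or BSD stat and, for the cryptographic checks,
# openssl on the PATH (those checks are skipped if it is absent).

# conf_value CONF DIRECTIVE : print the first argument of DIRECTIVE (empty if absent)
conf_value() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# file_mode FILE : permission bits in octal (GNU stat, BSD stat as fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_server_conf CONF : print one finding per line; exit status = number of findings
check_server_conf() {
  conf="$1"; base=$(dirname "$conf"); findings=0
  path_ca=""; path_cert=""; path_key=""
  for d in ca cert key dh; do
    f=$(conf_value "$conf" "$d")
    if [ -z "$f" ]; then
      echo "missing directive: $d"; findings=$((findings + 1)); continue
    fi
    # relative paths are taken from the config file's directory
    case "$f" in /*) p="$f" ;; *) p="$base/$f" ;; esac
    if [ ! -r "$p" ]; then
      echo "$d: file not readable: $p"; findings=$((findings + 1)); continue
    fi
    case "$d" in ca) path_ca="$p" ;; cert) path_cert="$p" ;; key) path_key="$p" ;; esac
    if [ "$d" = key ]; then
      # the server's private key must not be group- or world-accessible
      case "$(file_mode "$p")" in
        *00) ;;
        *) echo "key: $p is accessible to other users, expected mode 600"
           findings=$((findings + 1)) ;;
      esac
    fi
  done
  if command -v openssl >/dev/null 2>&1 && [ -n "$path_cert" ] && [ -n "$path_key" ] && [ -n "$path_ca" ]; then
    # the certificate must belong to the key configured next to it ...
    cm=$(openssl x509 -noout -modulus -in "$path_cert" 2>/dev/null)
    km=$(openssl rsa -noout -modulus -in "$path_key" 2>/dev/null)
    if [ -z "$cm" ] || [ "$cm" != "$km" ]; then
      echo "cert/key: $path_cert does not match $path_key"; findings=$((findings + 1))
    fi
    # ... and must be signed by the CA that the server will trust for clients
    if ! openssl verify -CAfile "$path_ca" "$path_cert" >/dev/null 2>&1; then
      echo "cert: $path_cert is not signed by $path_ca"; findings=$((findings + 1))
    fi
  fi
  return "$findings"
}

# usage: check_server_conf /etc/openvpn/server.conf && echo "ready to start"
```

The exit status doubles as the finding count, so the call can gate a start script: a clean configuration returns 0, and every problem printed adds one.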

Client configuration file

Once the server and client side configurations are over, we can start the OpenVPN server.

/etc/rc.d/init.d/openvpn start