Install OpenVPN on CentOS 5

Introduction

Draft

This page is draft. Please send suggestions and/or corrections to EdHeron.

About

This document intends to be a cheat sheet for installing OpenVPN on CentOS 5.

Prerequisites

Up to date CentOS 5 is recommended.

Disclaimer

There are no gaurantees. If your system breaks, you get to keep both pieces.

Install Software

OpenVPN is not part of the Upstream Vendor release. Friendly people have compiled it, built RPMs and put it where it can be shared.

Add RPMForge Repository

Information about Repositories can be found at Available Repositories for CentOS.

A How to for adding the RPMForge Repository can be found at Installing RPMForge.

Optional-Recommended: Disable Repository

There are many packages in 3rd Party Repositories. Some are replacements for official packages. It might not be desirable to install the 3rd party package when installing a package. Disabling a repository prevents it from being used accidentally.

Disabling the RPMForge Repository can be done with

sed --in-place "s/\\(.*enabled.*=\\).*/\1 0/" /etc/yum.repos.d/rpmforge.repo

Install OpenVPN

Once the RPMForge repository has been added, installing OpenVPN is as simple as

yum --enablerepo rpmforge install openvpn

Certificates

Setup Directory

A certificate creation directory is only needed in one place. This is recommended on an administrative machine with higher access controls possibly including physical access restrictions. Backups are required. If the certificate authority key file is acquired by the wrong people, keys can be created giving those people access to your VPN. Also, if the certificate authority key file is misplaced, a new certificate authority key file must be created forcing the recreation of all existing signed certificates.

The certificate creation scripts are in /usr/share/doc/openvpn-*/easy-rsa/. There are multiple versions of the scripts. We are using version 2. Copy the files in that directory to someplace that won't be changed or lost by upgrades.

mkdir ~/easy-rsa
cp -Rv /usr/share/doc/openvpn-*/easy-rsa/2.0/* ~/easy-rsa/

Go to that directory

cd ~/easy-rsa

Edit vars for your need. Specifically, modify KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL.

Setup Environment

Anytime you use the easy-rsa scripts, move to the directory and setup the environment

cd ~/easy-rsa
. ./vars

Clean Key Directory

Create a clean key directory to store the created keys. This needs to be done once, otherwise you lose your existing certificates.

. ./clean-all

Diffie Hellman File

Diffie Hellman parameters are used to exchange encryption certificates relatively securely over an insecure medium.

The file is created with

. ./build-dh

It is needed by all servers and clients.

Certificate Authority Creation

In order to setup mutual trust, a master key must be created to sign all certificates. It will be used to sign other certificates.

. ./build-ca

The files named ca.key and ca.crt should have been created in keys/. The file ca.key is your private key and doesn't need to be anywhere but here. The file ca.crt will need to available on all computers making or receiving OpenVPN connections.

Server Setup

Certificate Creation

From our easy-rsa directory, after running the vars script if needed, run the server key creation script with the common name of the server and enter any other information requested. For example, we might call the server, main.

. ./build-key-server main

The files main.key, main.csr and main.crt should have been created in keys/. The key file is the private key. The csr file is an intermediate file, a certificate sign request. The crt file is the certificate.

Configuration File

The configuration file controls all aspects of the OpenVPN endpoint. It is stored in /etc/openvpn/ and can be named almost anything as long as it ends with .conf. Since each endpoint is slightly unique, a name can be chosen to make it easier to manage them. To continue our previous example, using main.conf is recommended.

Tun vs Tap

There are many ways to configure a server. Tun or Tap can be the biggest decision.

Tun is used to create a unique subnet tunnel between the ends of the VPN. Choosing a network to assign to each server is needed.

Tap is used to tap into the existing network and give the remote end a local IP address. Tap requires some coordination between the local address allocation (DHCP?) and the OpenVPN server. Usually by reserving an IP range for remote users. The major advantage to using tap is that network broadcasts can go to the remote endpoints.

Here, we will use Tun as it is not dependant on the local network configuration except that it does not overlap.

tun

Port Number

The default port number is 1194. However, some wi-fi hot spots, and possibly other ISP's, restrict port 1194. One example is my local Dunkin Donuts. We'll use the default here, for now.

port 1194

UDP vs TCP

UDP uses less bandwidth but using TCP could keep the VPN up on an unreliable connection. We'll use UDP unless we experience an issue.

proto udp

Client Communication

To allow clients to 'see' each other, add

client-to-client

Compress Packets

To reduce bandwidth, use compression with

comp-lzo

Specify Diffie Hellman File

Add

dh dh1024.pem

Add Keep Alive

To help detect abandoned connections, add

keepalive 10 120

Downgrade User

To reduce the security risk, change the user of OpenVPN to nobody. To reduce the user level, add

user nobody
group nobody

Survive Restart

Attempt to survive restarts by remembering information that might only be accessible on startup, add

persist-key
persist-tun

Log Status

To set a status file, add

status openvpn-status.log

Set Logging Level

To set the logging level, add

verb 3

Maintain Client IPs

To create a file to record client IP's so they can persist between connections and server reboots, add

ifconfig-pool-persist ipp.txt

Specify Certificate Files

The server needs access to the certificate authority certificate and it's own key and certificate files. Add

ca ca.crt
cert main.crt
key main.key

Optional: Local IP Address

The server will bind to all local IP addresses unless it is restricted. It bothers me to bind to the loopback and internal interfaces.

Specify the external IP Address, add

local xxx.xxx.xxx.xxx

Set Tunnel Network

This needs to be unique to this server. Each endpoint/user is assigned a 2 bit subnet (4 addresses), so a standard 24 bit network number allows 64 endpoints. If more endpoints are required, use a larger network.

For a maximum of 64 remote endpoints, we might add

server 192.168.5.0 255.255.255.0

For more endpoints, we might add

server 10.5.0.0 255.255.0.0

Add local Route

To let the remote endpoint know what's here, add the local network and netmask

push "route 192.168.1.0 255.255.255.0"

Add Local DNS Server

To let the remote endpoint know about an internal DNS server, add that machine's IP address

push "dhcp-option DNS 192.168.1.251"

Add local WINS Server

To let the remote endpoint know about a local WINS server to allow MS Windows clients to browse for resources, add the server's IP address

push "dhcp-option WINS 192.168.1.201"

Summary

Our example configuration file, main.conf might now look like

tun
port 1194
proto udp
client-to-client
comp-lzo
dh dh1024.pem
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
ifconfig-pool-persist ipp.txt
ca ca.crt
cert main.crt
key main.key
local xxx.xxx.xxx.xxx
server 192.168.5.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.251"
push "dhcp-option WINS 192.168.1.201"

Install Files on Server

To setup an OpenVPN server,

* Install the RPMForge repository

* Install OpenVPN

* Copy ca.crt, main.key, main.crt, dh1024.pem, main.conf to /etc/openvpn/

* Start OpenVPN

service openvpn start

* Activate openvpn on boot

chkconfig openvpn on

Client Setup

In this case, we are setting up a client that doesn't have a local routed network. This is useful for road warriors. We are just describing the process for CentOS clients. Please view the OpenVPN HowTo for information about MS Windows Clients. Also, it is possible to setup OpenVPN on a jailbroken iPad, which is beyond the scope of this article.

Certificate Creation

From our easy-rsa directory, after running the vars script if needed, run the key creation script with the common name of the client and enter any other information requested. For example, we might call the client, ed.

. ./build-key ed

The files ed.key, ed.csr and ed.crt should have been created in keys/. The key file is the private key. The csr file is an intermediate file, a certificate sign request. The crt file is the certificate.

Configuration File

The configuration must mirror the server configuration and include some client specific options. Since it is used to connect to a specific server, it can be named using the client and server names, for example, ed-main.conf. This allows the client to connect to multiple servers.

Mirror Server Config

The settings that must match, from our example

dev tun
proto udp
comp-lzo

Specify Client

Use the client option to indicate we are a client, add

client

Port Number

The client does not need to specify a port. In fact, if we might not want to for several reasons I won't go into in this article.

nobind

Downgrade User

These are similar to the server and for the same reason, though they are not required to match, add

user nobody
group nobody

Survive Restart

Attempt to survive restarts by remembering information that might only be accessible on startup, add

persist-key
persist-tun

Specify Certificate Files

The client needs access to the certificate authority certificate and it's own key and certificate files. Add

ca ca.crt
cert ed.crt
key ed.key

DNS Retry

If the server is specified using a host name, extending the resolv retry might be useful. Add

resolv-retry infinite

Server Address

The server address can be specified using IP address or name, as long as the name can be resolved. IP address might connect faster, but can't be used if the server's IP address changes. Include server port.

remote xxx.xxx.xxx.xxx 1194

Require Remote to be Server

Require that remote certificate have server flag, add

ns-cert-type server

Summary

Our example configuration file, ed.conf, might look like

dev tun
proto udp
comp-lzo
client
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert ed.crt
key ed.key
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194
ns-cert-type server

Install Files on Client

To setup an OpenVPN client,

* Install the RPMForge repository

* Install OpenVPN

* Copy ca.crt, ed.key, ed.crt, dh1024.pem, ed-main.conf to /etc/openvpn/

* Start OpenVPN

service openvpn start

* Activate OpenVPN on boot

chkconfig openvpn on

Additional Information

OpenVPN HowTo What is Diffie Hellman?

EdHeron/CentOS5OpenVPN (last edited 2014-01-17 23:35:41 by EdHeron)