Install OpenVPN on CentOS 5
1. Introduction
1.1. Draft
This page is a draft. Please send suggestions and/or corrections to EdHeron.
1.2. About
This document intends to be a cheat sheet for installing OpenVPN on CentOS 5.
1.3. Prerequisites
Up to date CentOS 5 is recommended.
1.4. Disclaimer
There are no guarantees. If your system breaks, you get to keep both pieces.
2. Install Software
OpenVPN is not part of the Upstream Vendor release. Friendly people have compiled it, built RPMs and put it where it can be shared.
2.1. Add RPMForge Repository
Information about Repositories can be found at Available Repositories for CentOS.
A How to for adding the RPMForge Repository can be found at Installing RPMForge.
2.2. Optional-Recommended: Disable Repository
There are many packages in 3rd Party Repositories. Some are replacements for official packages. It might not be desirable to install the 3rd party package when installing a package. Disabling a repository prevents it from being used accidentally.
Disabling the RPMForge Repository can be done with
sed --in-place "s/\\(.*enabled.*=\\).*/\1 0/" /etc/yum.repos.d/rpmforge.repo
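The sed expression above rewrites every "enabled" line in the file, not only the one under [rpmforge]. The following is an added example (not part of the original page) that applies the same expression to a constructed three-section rpmforge.repo in a temporary file and reports the per-section state before and after, so the result can be verified without running yum. The section names and contents of the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): apply the page's sed expression to a
# constructed rpmforge.repo and confirm what it changed.

make_sample_repo() {
  # Constructed three-section .repo file; $1 = path to write
  cat > "$1" <<'EOF'
[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
enabled = 1
gpgcheck = 1

[rpmforge-extras]
name = RHEL $releasever - RPMforge.net - extras
enabled = 0
gpgcheck = 1

[rpmforge-testing]
name = RHEL $releasever - RPMforge.net - testing
enabled = 1
gpgcheck = 1
EOF
}

repo_state() {
  # prints "<section> <enabled-value>" for each section of a yum .repo file
  awk '/^\[/ { sec = substr($0, 2, length($0) - 2) }
       /^enabled *=/ { sub(/.*= */, ""); print sec, $0 }' "$1"
}

disable_all_sections() {
  # Same expression as the page, written without --in-place so it is portable.
  # Note it rewrites *every* "enabled = ..." line in the file, not only [rpmforge].
  sed 's/\(.*enabled.*=\).*/\1 0/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

enabled_count() {
  # number of sections whose enabled value is 1
  repo_state "$1" | awk '$2 == 1 { n++ } END { print n + 0 }'
}

# Demo run on a temporary copy; nothing under /etc is touched.
f=$(mktemp)
make_sample_repo "$f"
echo "before: $(enabled_count "$f") section(s) enabled"
disable_all_sections "$f"
echo "after:  $(enabled_count "$f") section(s) enabled"
repo_state "$f"
rm -f "$f"
```

If you only want the main section disabled and the others left alone, restrict the expression to that section or edit the file by hand; the blanket rewrite is convenient precisely because it leaves nothing from the file enabled by accident.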
2.3. Install OpenVPN
Once the RPMForge repository has been added, installing OpenVPN is as simple as
yum --enablerepo rpmforge install openvpn
3. Certificates
3.1. Setup Directory
A certificate creation directory is only needed in one place. This is recommended on an administrative machine with higher access controls possibly including physical access restrictions. Backups are required. If the certificate authority key file is acquired by the wrong people, keys can be created giving those people access to your VPN. Also, if the certificate authority key file is misplaced, a new certificate authority key file must be created forcing the recreation of all existing signed certificates.
The certificate creation scripts are in /usr/share/doc/openvpn-*/easy-rsa/. There are multiple versions of the scripts. We are using version 2. Copy the files in that directory to someplace that won't be changed or lost by upgrades.
mkdir ~/easy-rsa
cp -Rv /usr/share/doc/openvpn-*/easy-rsa/2.0/* ~/easy-rsa/
Go to that directory
cd ~/easy-rsa
Edit vars for your need. Specifically, modify KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL.
3.2. Setup Environment
Anytime you use the easy-rsa scripts, move to the directory and setup the environment
cd ~/easy-rsa
. ./vars
3.3. Clean Key Directory
Create a clean key directory to store the created keys. This needs to be done only once; running it again deletes your existing certificates.
. ./clean-all
3.4. Diffie Hellman File
Diffie Hellman parameters let the two ends of a connection agree on session encryption keys relatively securely over an insecure medium.
The file is created with
. ./build-dh
It is needed by all servers and clients.
3.5. Certificate Authority Creation
In order to set up mutual trust, a certificate authority key must be created. It will be used to sign all other certificates.
. ./build-ca
The files named ca.key and ca.crt should have been created in keys/. The file ca.key is your private key and doesn't need to be anywhere but here. The file ca.crt will need to be available on all computers making or receiving OpenVPN connections.
4. Server Setup
4.1. Certificate Creation
From our easy-rsa directory, after running the vars script if needed, run the server key creation script with the common name of the server and enter any other information requested. For example, we might call the server, main.
. ./build-key-server main
The files main.key, main.csr and main.crt should have been created in keys/. The key file is the private key. The csr file is an intermediate file, a certificate sign request. The crt file is the certificate.
4.2. Configuration File
The configuration file controls all aspects of the OpenVPN endpoint. It is stored in /etc/openvpn/ and can be named almost anything as long as it ends with .conf. Since each endpoint is slightly unique, a name can be chosen to make it easier to manage them. To continue our previous example, using main.conf is recommended.
4.2.1. Tun vs Tap
There are many ways to configure a server. Tun or Tap can be the biggest decision.
Tun is used to create a unique subnet tunnel between the ends of the VPN. Choosing a network to assign to each server is needed.
Tap is used to tap into the existing network and give the remote end a local IP address. Tap requires some coordination between the local address allocation (DHCP?) and the OpenVPN server, usually by reserving an IP range for remote users. The major advantage to using tap is that network broadcasts can go to the remote endpoints.
Here, we will use Tun as it is not dependent on the local network configuration, except that its subnet must not overlap the local network.
dev tun
4.2.2. Port Number
The default port number is 1194. However, some wi-fi hot spots, and possibly other ISPs, restrict port 1194. One example is my local Dunkin Donuts. We'll use the default here, for now.
port 1194
4.2.3. UDP vs TCP
UDP uses less bandwidth but using TCP could keep the VPN up on an unreliable connection. We'll use UDP unless we experience an issue.
proto udp
4.2.4. Client Communication
To allow clients to 'see' each other, add
client-to-client
4.2.5. Compress Packets
To reduce bandwidth, use compression with
comp-lzo
4.2.6. Specify Diffie Hellman File
Add
dh dh1024.pem
4.2.7. Add Keep Alive
To help detect abandoned connections, add
keepalive 10 120
4.2.8. Downgrade User
To reduce the security risk, run OpenVPN as the unprivileged user nobody. To drop privileges, add
user nobody
group nobody
4.2.9. Survive Restart
Attempt to survive restarts by remembering information that might only be accessible on startup, add
persist-key
persist-tun
4.2.10. Log Status
To set a status file, add
status openvpn-status.log
4.2.11. Set Logging Level
To set the logging level, add
verb 3
4.2.12. Maintain Client IPs
To create a file to record client IP's so they can persist between connections and server reboots, add
ifconfig-pool-persist ipp.txt
4.2.13. Specify Certificate Files
The server needs access to the certificate authority certificate and its own key and certificate files. Add
ca ca.crt
cert main.crt
key main.key
4.2.14. Optional: Local IP Address
The server will bind to all local IP addresses unless it is restricted. It bothers me to bind to the loopback and internal interfaces.
To bind only to the external IP address, add
local xxx.xxx.xxx.xxx
4.2.15. Set Tunnel Network
This needs to be unique to this server. Each endpoint/user is assigned a subnet with 2 host bits (4 addresses), so a standard 24 bit network number allows 64 endpoints. If more endpoints are required, use a larger network.
For a maximum of 64 remote endpoints, we might add
server 192.168.5.0 255.255.255.0
For more endpoints, we might add
server 10.5.0.0 255.255.0.0
4.2.16. Add local Route
To let the remote endpoint know what's here, add the local network and netmask
push "route 192.168.1.0 255.255.255.0"
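The two constraints just described, that the tunnel network provides a limited number of 4-address endpoint slots and that it must not overlap the local network being pushed as a route, are easy to get wrong by hand. The following is an added example (not part of the original page and not an OpenVPN tool) that reads a server config on stdin, reports how many /30 slots the "server" line provides, and flags the first pushed route that overlaps the tunnel network. The two sample configs inside it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check the "server" network and the
# pushed routes of an OpenVPN server config.

ip2int() {
  # dotted quad -> 32-bit integer
  q=$1
  old_ifs=$IFS; IFS=.
  set -- $q
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_len() {
  # dotted-quad netmask -> number of 1 bits (the prefix length)
  m=$(ip2int "$1"); n=0
  while [ "$m" -ne 0 ]; do
    n=$(( n + (m & 1) )); m=$(( m >> 1 ))
  done
  echo "$n"
}

endpoint_slots() {
  # /30 slots (4 addresses each) in a tunnel network with netmask $1;
  # the server itself occupies the first slot.
  echo $(( (1 << (32 - $(prefix_len "$1"))) / 4 ))
}

overlaps() {
  # $1/$2 and $3/$4 are network/netmask pairs; prints yes if they intersect.
  a=$(ip2int "$1"); b=$(ip2int "$3")
  m=$(( $(ip2int "$2") & $(ip2int "$4") ))   # the shorter of the two masks
  if [ $(( a & m )) -eq $(( b & m )) ]; then echo yes; else echo no; fi
}

check_conf() {
  # Reads a server config on stdin. Prints "OK <slots>", or
  # "OVERLAP <net> <mask>" for the first pushed route inside the tunnel network.
  conf=$(cat)
  set -- $(printf '%s\n' "$conf" | awk '$1 == "server" { print $2, $3; exit }')
  [ $# -eq 2 ] || { echo "NO-SERVER-LINE"; return 1; }
  tnet=$1; tmask=$2
  for r in $(printf '%s\n' "$conf" |
             awk -F'"' '$1 == "push " && $2 ~ /^route / { split($2, f, " "); print f[2] "/" f[3] }'); do
    if [ "$(overlaps "$tnet" "$tmask" "${r%/*}" "${r#*/}")" = yes ]; then
      echo "OVERLAP ${r%/*} ${r#*/}"; return 1
    fi
  done
  echo "OK $(endpoint_slots "$tmask")"
}

# Constructed sample configs (not the page's full main.conf)
GOOD_CONF='dev tun
proto udp
server 192.168.5.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.251"'

BAD_CONF='dev tun
proto udp
server 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"'

printf '%s\n' "$GOOD_CONF" | check_conf           # OK 64
printf '%s\n' "$BAD_CONF"  | check_conf || true   # OVERLAP 192.168.1.0 255.255.255.0
```

Run it as `sh check.sh < /etc/openvpn/main.conf` on the real file. The slot count is the raw number of /30 blocks in the network, matching the 64 the section above quotes for a /24; remember that the server takes the first of them.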
4.2.17. Add Local DNS Server
To let the remote endpoint know about an internal DNS server, add that machine's IP address
push "dhcp-option DNS 192.168.1.251"
4.2.18. Add local WINS Server
To let the remote endpoint know about a local WINS server to allow MS Windows clients to browse for resources, add the server's IP address
push "dhcp-option WINS 192.168.1.201"
4.2.19. Summary
Our example configuration file, main.conf might now look like
dev tun
port 1194
proto udp
client-to-client
comp-lzo
dh dh1024.pem
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
ifconfig-pool-persist ipp.txt
ca ca.crt
cert main.crt
key main.key
local xxx.xxx.xxx.xxx
server 192.168.5.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.251"
push "dhcp-option WINS 192.168.1.201"
4.3. Install Files on Server
To setup an OpenVPN server,
* Install the RPMForge repository
* Install OpenVPN
* Copy ca.crt, main.key, main.crt, dh1024.pem, main.conf to /etc/openvpn/
* Start OpenVPN
service openvpn start
* Activate openvpn on boot
chkconfig openvpn on
5. Client Setup
In this case, we are setting up a client that doesn't have a local routed network. This is useful for road warriors. We are just describing the process for CentOS clients. Please view the OpenVPN HowTo for information about MS Windows Clients. Also, it is possible to setup OpenVPN on a jailbroken iPad, which is beyond the scope of this article.
5.1. Certificate Creation
From our easy-rsa directory, after running the vars script if needed, run the key creation script with the common name of the client and enter any other information requested. For example, we might call the client, ed.
. ./build-key ed
The files ed.key, ed.csr and ed.crt should have been created in keys/. The key file is the private key. The csr file is an intermediate file, a certificate sign request. The crt file is the certificate.
5.2. Configuration File
The configuration must mirror the server configuration and include some client specific options. Since it is used to connect to a specific server, it can be named using the client and server names, for example, ed-main.conf. This allows the client to connect to multiple servers.
5.2.1. Mirror Server Config
The settings that must match, from our example
dev tun
proto udp
comp-lzo
5.2.2. Specify Client
Use the client option to indicate we are a client, add
client
5.2.3. Port Number
The client does not need to specify a port. In fact, we might not want to, for several reasons I won't go into in this article.
nobind
5.2.4. Downgrade User
These are similar to the server and for the same reason, though they are not required to match, add
user nobody
group nobody
5.2.5. Survive Restart
Attempt to survive restarts by remembering information that might only be accessible on startup, add
persist-key
persist-tun
5.2.6. Specify Certificate Files
The client needs access to the certificate authority certificate and its own key and certificate files. Add
ca ca.crt
cert ed.crt
key ed.key
5.2.7. DNS Retry
If the server is specified using a host name, extending the resolv retry might be useful. Add
resolv-retry infinite
5.2.8. Server Address
The server address can be specified using IP address or name, as long as the name can be resolved. IP address might connect faster, but can't be used if the server's IP address changes. Include server port.
remote xxx.xxx.xxx.xxx 1194
5.2.9. Require Remote to be Server
Require that the remote certificate carry the server flag, add
ns-cert-type server
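What the server certificate from section 4.1, the client certificate from section 5.1 and this directive amount to is easier to see with plain openssl. The following is an added example (not the page's easy-rsa scripts): it builds a throwaway CA, issues one certificate flagged as a server (what build-key-server does) and one flagged as a client (what build-key does), and then applies the two checks a client with ns-cert-type server performs, chain validity against ca.crt and the server flag. The names Example-CA, WORK, chain_ok, cert_type and accept_as_server are the example's own; the common names main and ed are the page's.

```shell
#!/bin/sh
# Added example (not the page's easy-rsa scripts): reproduce with plain openssl
# what build-ca / build-key-server / build-key create, then the client-side
# check behind "ns-cert-type server". Everything lives in a throwaway directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  # build-ca equivalent: self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

issue_cert() {
  # $1 = common name, $2 = server|client.
  # build-key-server marks the certificate nsCertType=server; build-key does
  # not. That flag is exactly what ns-cert-type server looks for.
  name=$1; kind=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
  if [ "$kind" = server ]; then
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$WORK/$name.ext"
  else
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' > "$WORK/$name.ext"
  fi
  openssl x509 -req -days 3650 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

chain_ok() {
  # Was $1.crt signed by our CA? This is what "ca ca.crt" buys on both ends.
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

cert_type() {
  # Netscape cert type embedded in $1.crt: "SSL Server" or "SSL Client"
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    awk '/Netscape Cert Type/ { getline; sub(/^ +/, ""); print; exit }'
}

accept_as_server() {
  # The client's decision about $1.crt under "ns-cert-type server":
  # ACCEPT only if our CA signed it AND it carries the server flag, so a
  # certificate issued to a client cannot be presented as the server's.
  if [ "$(chain_ok "$1")" = OK ] && [ "$(cert_type "$1")" = "SSL Server" ]
  then echo ACCEPT; else echo REJECT; fi
}

make_ca
issue_cert main server   # the page's server name
issue_cert ed client     # the page's client name
echo "main: $(accept_as_server main)"   # ACCEPT
echo "ed:   $(accept_as_server ed)"     # REJECT
```

Both certificates pass the chain check, since the same CA signed them; only the server flag tells them apart, which is why a client config without this directive would trust any certificate the CA ever issued as a possible server.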
5.2.10. Summary
Our example configuration file, ed.conf, might look like
dev tun
proto udp
comp-lzo
client
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert ed.crt
key ed.key
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194
ns-cert-type server
5.3. Install Files on Client
To setup an OpenVPN client,
* Install the RPMForge repository
* Install OpenVPN
* Copy ca.crt, ed.key, ed.crt, dh1024.pem, ed-main.conf to /etc/openvpn/
* Start OpenVPN
service openvpn start
* Activate OpenVPN on boot
chkconfig openvpn on