What is a VPN?
VPN stands for virtual private network. It allows you to connect securely to a private network via internet and work as if you were a part of that network. It is based on the client/server architecture and it works on almost all platforms including FreeBSD, Linux, Windows and MAC OS X. It allows you to work from home as if you were in the office. Virtual private networks help distant colleagues work together, much like desktop sharing.
Installing Open VPN at the server
Open VPN requires lzo real time compression library and hence install it first if it is not already present.
There are three ways to install Open VPN
a) Using YUM
yum install openvpn -y
b) Installation via rpm
First download and install lzo.
wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/SRPMS/02-3.el5.kb.src.rpm
rpm -ivh lzo-2.02-3.el5.kb.src.rpm
Then download and install open vpn
wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/SRPMS/n-2.1-0.20.rc4.el5.kb.src.rpm
rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.src.rpm
-
Installation via source
Installing lzo
cd /usr/local/
wget http://www.oberhumer.com/opensource/lzo/download/LZO-v1/lzo-1.08.tar.gz
tar -xzvf lzo-1.08.tar.gz
cd lzo-1.08
./configure –prefix=/usr
make -j4
make install
Now install Open VPN
cd /usr/local/
wget http://openvpn.net/release/openvpn-2.1_rc7.tar.gz
cd openvpn-2.1_rc7
./configure –prefix=/usr
make -j4
make install
We can choose any of the installation methods specified above. Yum installation is easiest of them while source installation will provide you more control on the installation. Once the installation(using Yum or RPM) is over you can see the configuration and binaries at the path /usr/share/doc/openvpn-2.1/easy-rsa.
Copy this folder to the /etc directory.
mkdir /etc/openvpn
cp -R /usr/share/doc/openvpn-2.1/easy-rsa /etc/openvpn
We need to give full permission to all the scripts in this folder.
cd /etc/openvpn/easy-rsa/2.0
chmod 777 *
Create Keys on Server
There are two ways by which you can make sure of the authentication against the server and clients. First is by generating a a key file and distributing it to the server and clients. While this is easy, it is a potential risk and we wont be dealing with it here.
Another method is by using the public key infrastructure (PKI). In this method, there will be three certificates.
1) Master certficate & key which is placed in vpn server
2) Server certificate & key which is placed in vpn server
3) Client certificate & key which is placed in vpn client
We will generate the master certificate below. The server will only accept the certificates from those clients which are signed by the master certificate authority. The server and client certs are intended for providing a secure communication channel.
Generate the master Certificate Authority (CA) certificate & key
The scripts in the easy-rsa folder are used for generating keys. The keys will be placed in /etc/openvpn/keys. This folder wil not be present by default, hence we first need to manually create the folder.
mkdir /etc/openvpn/keys
In order to generate the master certificate, we first need to edit the vars configurations file.
cd /etc/openvpn/easy-rsa/2.0
vi vars
Edit the following values to suit your requirements. I am giving test details here. Do not leave any of those fields, blank as the cert will be generated based on these values. Once modified, save and quit the file.
export KEY_DIR=”/etc/openvpn/keys”
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”CA”
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston”
export KEY_EMAIL=”
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
“
Now, we will start creating the cert and key.
. ./vars
./clean-all # This will delete all the existing files in the key folder
./build-ca # We are going to build the CA. You can just continue by hitting Enter until you reach the field for common name. All other fields will be populated by default from the entries you gave in the vars file.
-bash-3.1# ./build-ca
Generating a 1024 bit RSA private key
………………………++++++
………..++++++
writing new private key to ‘ca.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [Fort-Funston CA]: server.ca
Email Address [
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
]:
It is important that you give a unique common name for this paramaeter. Here I have given the name as server.ca. It is better to follow the format hostname.ca. Now that the master certificate has been generated we shall proceed to generate the server certificate.
Generate certificate & key for server
./build-key-server server
As in the master certificate almost all paramaters are taken by default from the vars file. The only details that you need to provide is again the common name. Here I have given it as server. You can then continue hitting enter, until you reach ‘ Sign the certificate? ‘ field. Type ‘y’ and hit enter. Next it will ask ‘1 out of 1 certificate requests certified, commit?’. Again type ‘y’ and hit enter. A sample server certificate generation is shown below.
=========================================
-bash-3.1# ./build-key-server server
Generating a 1024 bit RSA private key
……++++++
………………………++++++
writing new private key to ‘server.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [server]:server
Email Address [
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’US’
stateOrProvinceName :PRINTABLE:’CA’
localityName :PRINTABLE:’SanFrancisco’
organizationName :PRINTABLE:’Fort-Funston’
commonName :PRINTABLE:’serve.key’
emailAddress :IA5STRING:’
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
‘
Certificate is to be certified until Jul 1 04:00:18 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate certificate & key for client
Now we proceed to create the certificate and key for client. It is exactly the same process as above and make sure that there also you give a unique common name. You can create as many keys as there are clients for the server.
./build-key client1
Here I am generating the certificate for the client named client1.Give the common name and proceed as you did in server certificate. A sample certificate generation is pasted below.
-bash-3.1# ./build-key client1
Generating a 1024 bit RSA private key
…………..++++++
………………………………………………..++++++
writing new private key to ‘client1.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) [client1]:client1
Email Address [
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’US’
stateOrProvinceName :PRINTABLE:’CA’
localityName :PRINTABLE:’SanFrancisco’
organizationName :PRINTABLE:’Fort-Funston’
commonName :PRINTABLE:’dkp1′
emailAddress :IA5STRING:’
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
‘
Certificate is to be certified until Jul 1 04:02:10 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database Updated
==========================
Generate Diffie Hellman parameters
Next we proceed to generate the Diffie Hellman parameters. Diffie-Hellman (D-H) is a public key algorithm used for producing a shared secret key.
The script for genreating D-H parameters is ./build-dh
========================
-bash-3.1# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
…………………………….+……….++*++*++*
=========================
Configuring the Open VPN client
Upload the ca.crt, client1.crt and client1.key to the client machine.
Now that the client and server side configurations are over, we shall proceed with editing the configration files, which is the most important part.
Creating configuration files for server and clients
Server configuration file
Sample configuration files will be available at /usr/share/doc/openvpn-2.1/sample-config-files. The server.conf is the server configuration file and you can copy it to /etc/openvpn and modify as needed.
cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
A sample configuration file is given below. The fields which you need to edit are the ones which have been explained with a # mark to the right.
=========================
port 1194
proto tcp
dev tun
ca keys/ca.crt # path to the CA.crt file
cert keys/server.crt # path to the server certificate
key keys/server.key # path to the server key file
dh keys/dh1024.pem # path to the generated D-H parameters
mode server # implements multi-client server capability
tls-server
tls-cipher DHE-RSA-AES256-SHA
server 192.168.1.0 255.255.255.0 # here give the private network address in the server and its mask.
client-config-dir ccd
#########
######### Put your Public DNS Servers here
#########
#push “dhcp-option DNS 210.80.150.4”
#push “dhcp-option DNS 202.155.174.4”
push “route 192.168.1.0 255.255.255.0” # The OpenVPN server can push routes, DNS server IP addresses and other configuration details to the clients.
ifconfig-pool-persist ipp.txt
push “redirect-gateway”
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
========================
Once the configuration is over, create the file ipp.txt which contains the client IP addresses list.
cd /etc/openvpn
touch ipp.txt
A sample ipp.txt file is as follows.
-bash-3.1# cat ipp.txt
test1.com.client,192.168.1.4
Next, touch a file for the logs.
touch server-tcp.log
Client configuration file
Once the server and client side configurations are over, we can start the open vpn server.
/etc/rc.d/init.d/openvpn start
