Since the OpenVPN 2.3.x release, the easy-rsa scripts are no longer shipped in /usr/share, so you have to use a different approach to set up OpenVPN. It's easy once you know all the steps.
First, let's install openvpn itself (all commands below are run as root):
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install openvpn wget
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
mkdir /var/log/openvpn
chown nobody:nobody /var/log/openvpn
We'll get back to server.conf a bit later, after all the necessary keys and certificates have been created.
Easy-rsa setup
Now let's download easy-rsa and generate all required keys and certificates:
cd /etc/openvpn
# You can get the latest version from: https://github.com/OpenVPN/easy-rsa/releases
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.0-rc2/EasyRSA-3.0.0-rc2.tgz
tar xzf EasyRSA-3.0.0-rc2.tgz
mv EasyRSA-3.0.0-rc2 server
cd server/
./easyrsa init-pki
# build-ca asks for a CA key passphrase and a Common Name
./easyrsa build-ca
./easyrsa gen-dh
./easyrsa build-server-full server nopass
cp /etc/openvpn/server/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/server/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/server/pki/dh.pem /etc/openvpn/
cp /etc/openvpn/server/pki/private/server.key /etc/openvpn/
If you plan to grant and revoke access, you have to generate a CRL and reference it in server.conf (see the last section).

Create client certificate and keys
In order to create a certificate and key for a client, you can use this simple one-liner:
# Don't forget to set the desired username in the 'user' variable:
user="username"; cd /etc/openvpn/server; ./easyrsa build-client-full $user nopass; tar -czvf /root/$user.tar.gz -C /etc/openvpn/server/pki/private/ $user.key -C /etc/openvpn/server/pki/issued/ $user.crt -C /etc/openvpn/server/pki/ ca.crt dh.pem
Now you can just grab that archive from the server using scp.
Configure server.conf
Now let's get back to the main part. Your server.conf should have at least these settings:
port 1194
proto udp
dev tun
ca /etc/openvpn/server/pki/ca.crt
cert /etc/openvpn/server/pki/issued/server.crt
key /etc/openvpn/server/pki/private/server.key # This file should be kept secret
dh /etc/openvpn/server/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
Here's a sample client config which should work in this case:
client
dev tun
proto udp
remote xx.xx.xx.xx 1194 # replace with your server's IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert username.crt
key username.key
comp-lzo
verb 4
Save it as name.ovpn.
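As an added example that is not part of the original post, the following POSIX shell function combines the client one-liner above and this sample client config into one self-contained .ovpn: it embeds ca.crt, username.crt and username.key inline (OpenVPN's <ca>/<cert>/<key> syntax), so no loose key files have to travel over scp, and adds remote-cert-tls server, which works here because build-server-full issues the server certificate with the serverAuth extension. The PKI directory, client name, server address and output path are parameters; the assumed layout is the easy-rsa 3 one used in this post (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key).

```sh
#!/bin/sh
# Added example (not from the original post): build a single self-contained
# .ovpn for one client from an easy-rsa 3 PKI. Assumed layout:
#   $pki/ca.crt  $pki/issued/NAME.crt  $pki/private/NAME.key
# e.g. pki=/etc/openvpn/server/pki as used above.
set -eu

# Print only the PEM block of a file (easy-rsa prepends a text dump to .crt files).
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_ovpn PKI_DIR CLIENT_NAME SERVER_ADDR OUT_FILE
# Returns 1 and writes nothing if any part of the client identity is missing.
make_ovpn() {
    pki="$1"; name="$2"; server="$3"; out="$4"
    ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    for f in "$ca" "$crt" "$key"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: missing or unreadable: $f" >&2
            return 1
        fi
    done
    # The output contains a private key, so create it with mode 0600;
    # the subshell keeps the umask change from leaking into the caller.
    (
        umask 077
        {
            # Same options as the sample client config, plus remote-cert-tls:
            # the client then refuses a peer whose certificate lacks the server
            # extension, so a stolen client cert cannot impersonate the server.
            printf '%s\n' \
                "client" "dev tun" "proto udp" "remote $server 1194" \
                "resolv-retry infinite" "nobind" "persist-key" "persist-tun" \
                "remote-cert-tls server" "comp-lzo" "verb 4"
            printf '<ca>\n';   pem_only "$ca";  printf '</ca>\n'
            printf '<cert>\n'; pem_only "$crt"; printf '</cert>\n'
            printf '<key>\n';  pem_only "$key"; printf '</key>\n'
        } > "$out"
    )
}
```

Copy the resulting file to the client as name.ovpn; it needs no other files next to it.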
We also have to set up masquerading for the VPN subnet and enable ip_forward in the kernel:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# drop the final catch-all REJECT, allow OpenVPN, then put the REJECT back at the end
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
/etc/init.d/iptables save
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
Now chown all files and restart openvpn:
chown nobody:nobody -R /etc/openvpn
/etc/init.d/openvpn restart
Revoke access and generate a CRL:
# To revoke access use:
cd /etc/openvpn/server
./easyrsa revoke username
# gen-crl must be re-run after every revocation
./easyrsa gen-crl
# Add the CRL to server.conf and restart openvpn:
echo "crl-verify /etc/openvpn/server/pki/crl.pem" >> /etc/openvpn/server.conf
# crl.pem is re-read on every new connection after openvpn has dropped to 'nobody', so it must stay readable by that user
chown nobody:nobody -R /etc/openvpn/
/etc/init.d/openvpn restart