Setup OpenVPN 2.3.6 on CentOS 6.5

Since the OpenVPN 2.3.x release there are no more easy-rsa scripts in /usr/share, so you have to use a different approach to set up OpenVPN. It’s easy when you know all the steps.

First let’s install openvpn itself:

[root@openvpn ~]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@openvpn ~]# yum install openvpn wget
[root@openvpn ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
[root@openvpn ~]# mkdir /var/log/openvpn
[root@openvpn ~]# chown nobody:nobody /var/log/openvpn

We’ll get back to server.conf a bit later, after all the necessary keys and certificates have been created.

Easy-rsa setup

Now let’s download easy-rsa and generate all required keys and certificates:

[root@openvpn ~]# cd /etc/openvpn
# You can get latest version from: https://github.com/OpenVPN/easy-rsa/releases
[root@openvpn openvpn]# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.0-rc2/EasyRSA-3.0.0-rc2.tgz
[root@openvpn openvpn]# tar xzf EasyRSA-3.0.0-rc2.tgz
[root@openvpn openvpn]# mv EasyRSA-3.0.0-rc2 server
[root@openvpn openvpn]# cd server/
[root@openvpn server]# ./easyrsa init-pki
[root@openvpn server]# ./easyrsa build-ca
[root@openvpn server]# ./easyrsa gen-dh
[root@openvpn server]# ./easyrsa build-server-full server nopass
[root@openvpn server]# cp /etc/openvpn/server/pki/ca.crt /etc/openvpn/
[root@openvpn server]# cp /etc/openvpn/server/pki/issued/server.crt /etc/openvpn/
[root@openvpn server]# cp /etc/openvpn/server/pki/dh.pem /etc/openvpn/
[root@openvpn server]# cp /etc/openvpn/server/pki/private/server.key /etc/openvpn/

If you plan to grant and revoke access, you have to generate a CRL and use it in server.conf (see the last section).

Create client certificate and keys

In order to create a certificate and key for a client you can use this simple one-liner:

#Don't forget to set desired username in 'user' variable:
[root@openvpn ~]# user="username"; cd /etc/openvpn/server; ./easyrsa build-client-full $user nopass; tar -czvf /root/$user.tar.gz -C /etc/openvpn/server/pki/private/ $user.key -C /etc/openvpn/server/pki/issued/ $user.crt -C /etc/openvpn/server/pki/ ca.crt dh.pem

Now you can just grab that archive from the server using scp.

Configure server.conf

Now let’s get back to the main part. Your server.conf should have at least these things set:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/pki/ca.crt
cert /etc/openvpn/server/pki/issued/server.crt
key /etc/openvpn/server/pki/private/server.key  # This file should be kept secret
dh /etc/openvpn/server/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
verb 3

Here’s a sample client config which should work in this case:

client
dev tun
proto udp
remote xx.xx.xx.xx 1194 #replace with your server's IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert username.crt
key username.key
dh dh.pem #extracted next to ca.crt from the tarball; only the server actually uses it
comp-lzo
verb 4

Save it as name.ovpn.

Also we have to set up masquerading for the VPN subnet and enable ip_forward in the kernel:

[root@openvpn ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@openvpn ~]# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
[root@openvpn ~]# iptables -A INPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
[root@openvpn ~]# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
[root@openvpn ~]# /etc/init.d/iptables save
[root@openvpn ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@openvpn ~]# sysctl -p

Now chown all files and restart openvpn:

[root@openvpn ~]# chown nobody:nobody -R /etc/openvpn
[root@openvpn ~]# /etc/init.d/openvpn restart
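One caveat on the recursive chown: it hands ca.key and server.key to the unprivileged account the daemon runs as. With persist-key, OpenVPN reads the key once as root before dropping privileges, so key files can stay root-owned with mode 600; only the files written after the privilege drop (ipp.txt, the status and log files) need to be writable by nobody. The script below is an added example, not part of the original post: it lists private keys under a directory that other users can read and tightens them. The directory is a parameter (defaulting to /etc/openvpn), and the demo runs on a constructed tree, not on a live installation.

```shell
#!/bin/sh
# Added example (not part of the original post): audit and harden the
# permissions of *.key files under an OpenVPN directory.

# Print every *.key file under $1 that is readable by its group or by others.
find_readable_keys() {
    find "${1:-/etc/openvpn}" -type f -name '*.key' \
        \( -perm -g+r -o -perm -o+r \) 2>/dev/null
}

# Number of such files; 0 is the target state.
count_readable_keys() {
    find_readable_keys "$1" | wc -l | tr -d ' '
}

# Restrict every *.key under $1 to its owner (chmod 600).
harden_keys() {
    find "${1:-/etc/openvpn}" -type f -name '*.key' -exec chmod 600 {} +
}

# Build a constructed tree that mimics the easy-rsa pki/ layout, with one
# key deliberately left world-readable. Prints the directory name.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pki/private" "$tmp/pki/issued"
    : > "$tmp/pki/private/ca.key";     chmod 644 "$tmp/pki/private/ca.key"
    : > "$tmp/pki/private/server.key"; chmod 600 "$tmp/pki/private/server.key"
    : > "$tmp/pki/ca.crt";             chmod 644 "$tmp/pki/ca.crt"
    : > "$tmp/pki/dh.pem";             chmod 644 "$tmp/pki/dh.pem"
    echo "$tmp"
}

demo=$(make_demo_tree)
echo "readable keys before: $(count_readable_keys "$demo")"   # 1 (ca.key)
harden_keys "$demo"
echo "readable keys after:  $(count_readable_keys "$demo")"   # 0
rm -rf "$demo"
```

Run it as root against the real directory with `harden_keys /etc/openvpn` after the chown step; ca.crt, dh.pem and crl.pem are public and are left alone.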

Revoke access and generate CRL:

#To revoke access use:
[root@openvpn ~]# cd /etc/openvpn/server
[root@openvpn server]# ./easyrsa revoke username
[root@openvpn server]# ./easyrsa gen-crl

#Add to server.conf and restart openvpn:
[root@openvpn server]# echo "crl-verify /etc/openvpn/server/pki/crl.pem" >> /etc/openvpn/server.conf
[root@openvpn server]# chown nobody:nobody -R /etc/openvpn/
[root@openvpn server]# /etc/init.d/openvpn restart
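The restart is only needed once, to pick up the new crl-verify line; later revocations just need revoke plus gen-crl, since the CRL file is read again when clients connect. To see what those two easyrsa commands do and to check that a revoked client really fails validation, here is an added example (not code from the original post or from easy-rsa) that reproduces the revoke / gen-crl / crl-verify chain with plain openssl in a scratch directory. The CA name, the client names alice and bob and the directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example: revoke a client certificate, generate a CRL and verify
# against it with openssl, the way OpenVPN's crl-verify does. Runs in a
# throwaway directory; nothing under /etc/openvpn is touched.

# Create a minimal 'openssl ca' database and a self-signed CA in $1
# (the equivalent of 'easyrsa init-pki' and 'easyrsa build-ca').
setup_demo_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/ca.cnf" -subj "/CN=Demo VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate NAME signed by the CA in DIR
# (what 'easyrsa build-client-full NAME nopass' does).
issue_client() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Revoke NAME and regenerate the CRL ('easyrsa revoke' + 'easyrsa gen-crl').
# The CA cert and the CRL are concatenated because 'openssl verify' loads
# both from one -CAfile; OpenVPN reads the CRL from its own crl-verify file.
revoke_client() {
    dir=$1; name=$2
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/$name.crt" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
    cat "$dir/ca.crt" "$dir/crl.pem" > "$dir/ca-with-crl.pem"
}

# Print "valid", "revoked" or "invalid" for NAME's certificate.
check_client() {
    dir=$1; name=$2
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
        echo invalid; return
    fi
    if [ -f "$dir/crl.pem" ] && \
       ! openssl verify -crl_check -CAfile "$dir/ca-with-crl.pem" "$dir/$name.crt" >/dev/null 2>&1; then
        echo revoked
    else
        echo valid
    fi
}

demo_crl() {
    d=$(mktemp -d)
    setup_demo_ca "$d"
    issue_client "$d" alice
    issue_client "$d" bob
    echo "alice before revoke: $(check_client "$d" alice)"   # valid
    revoke_client "$d" alice
    echo "alice after revoke:  $(check_client "$d" alice)"   # revoked
    echo "bob after revoke:    $(check_client "$d" bob)"     # valid
    rm -rf "$d"
}

demo_crl
```

On the real server the same check can be run against the easy-rsa files with `cat pki/ca.crt pki/crl.pem > /tmp/chain.pem; openssl verify -crl_check -CAfile /tmp/chain.pem pki/issued/username.crt`, which is a quick way to confirm a revocation took effect before relying on it.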