{"id":136,"date":"2015-04-03T21:19:05","date_gmt":"2015-04-03T21:19:05","guid":{"rendered":"https:\/\/www.nonamehosts.com\/blog\/?p=136"},"modified":"2015-04-03T21:19:05","modified_gmt":"2015-04-03T21:19:05","slug":"setup-openvpn-2-3-6-on-centos-6-5","status":"publish","type":"post","link":"https:\/\/www.nonamehosts.com\/blog\/tutorials\/setup-openvpn-2-3-6-on-centos-6-5\/","title":{"rendered":"Setup OpenVPN 2.3.6 on CentOS 6.5"},"content":{"rendered":"

Since OpenVPN 2.3.x release there’s no more easy-rsa scripts in \/usr\/share. So you have to use different approach to setup OpenVPN. It’s easy when you know all the steps.<\/p>\n

<\/p>\n

First let’s install openvpn itself:<\/p>\n

[root@openvpn ~]# rpm -Uvh http:\/\/dl.fedoraproject.org\/pub\/epel\/6\/x86_64\/epel-release-6-8.noarch.rpm\n[root@openvpn ~]# yum install openvpn wget\n[root@openvpn ~]# cp \/usr\/share\/doc\/openvpn-*\/sample\/sample-config-files\/server.conf \/etc\/openvpn\n[root@openvpn ~]# mkdir \/var\/log\/openvpn\n[root@openvpn ~]# chown nobody:nobody \/var\/log\/openvpn<\/pre>\n
We’ll get back to server.conf a bit later, after creating all necessary keys and certificates created.<\/p>\n
Easy-rsa setup<\/h3>\n
Now let’s download keytool and generate all required keys and certificates:<\/p>\n
[root@openvpn ~]# cd \/etc\/openvpn\n# You can get latest version from: https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\n[root@openvpn openvpn]# wget https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.0.0-rc2\/EasyRSA-3.0.0-rc2.tgz\n[root@openvpn openvpn]# tar xzf EasyRSA-3.0.0-rc2.tgz\n[root@openvpn openvpn]# mv EasyRSA-3.0.0-rc2 server\n[root@openvpn openvpn]# cd server\/\n[root@openvpn server]# .\/easyrsa init-pki\n[root@openvpn server]# .\/easyrsa build-ca\n[root@openvpn server]# .\/easyrsa gen-dh\n[root@openvpn server]# .\/easyrsa build-server-full server nopass\n[root@openvpn server]# cp \/etc\/openvpn\/server\/pki\/ca.crt \/etc\/openvpn\/\n[root@openvpn server]# cp \/etc\/openvpn\/server\/pki\/issued\/server.crt \/etc\/openvpn\/\n[root@openvpn server]# cp \/etc\/openvpn\/server\/pki\/dh.pem \/etc\/openvpn\/\n[root@openvpn server]# cp \/etc\/openvpn\/server\/pki\/private\/server.key \/etc\/openvpn\/<\/pre>\n
If you plan to grant and revoke access, you have to generate CRL and use it in server.conf.<\/p>\n
\"\"<\/a>
Web hosting offer – \u20ac12\/year<\/figcaption><\/figure>\n
Create client certificate and keys<\/h3>\n
In order to create certificates and keys for client you can use this simple oneliner:<\/p>\n
#Don't forget to set desired username in 'user' variable:\n[root@openvpn ~]# user=\"username\"; cd \/etc\/openvpn\/server; .\/easyrsa build-client-full $user nopass; tar -czvf \/root\/$user.tar.gz -C \/etc\/openvpn\/server\/pki\/private\/ $user.key -C \/etc\/openvpn\/server\/pki\/issued\/ $user.crt -C \/etc\/openvpn\/server\/pki\/ ca.crt dh.pem<\/pre>\n
Now you can just grab that archive from the server using scp.<\/p>\n
configure server.conf<\/h3>\n
Now let’s get back to the main part. Your server.conf should have at least these things set:<\/p>\n
port 1194\nproto udp\ndev tun\nca \/etc\/openvpn\/server\/pki\/ca.crt\ncert \/etc\/openvpn\/server\/pki\/issued\/server.crt\nkey \/etc\/openvpn\/server\/pki\/private\/server.key  # This file should be kept secret\ndh \/etc\/openvpn\/server\/pki\/dh.pem\nserver 10.8.0.0 255.255.255.0\nifconfig-pool-persist ipp.txt\nkeepalive 10 120\ncomp-lzo\nuser nobody\ngroup nobody\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn\/openvpn-status.log\nlog         \/var\/log\/openvpn\/openvpn.log\nverb 3<\/pre>\n
Here’s the sample client config which should work in this case:<\/p>\n
client\ndev tun\nproto udp\nremote xx.xx.xx.xx 1194 #replace with your server's IP\nresolv-retry infinite\nnobind\npersist-key\npersist-tun\nca ca.crt\ncert username.crt\nkey username.key\ndh trinyte\/dh.pem\ncomp-lzo\nverb 4<\/pre>\n
Save it as name.ovpn.<\/p>\n
Also we have to setup masquerading for VPN subnet and enable ip_forward in kernel:<\/p>\n
[root@openvpn ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\n[root@openvpn ~]# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited\n[root@openvpn ~]# iptables -A INPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT\n[root@openvpn ~]# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited\n[root@openvpn ~]# \/etc\/init.d\/iptables save\n[root@openvpn ~]# echo \"net.ipv4.ip_forward = 1\" >> \/etc\/sysctl.conf\n[root@openvpn ~]# sysctl -p<\/pre>\n
Now chown all files and restart openvpn:<\/p>\n
[root@openvpn ~]# chown nobody:nobody -R \/etc\/openvpn\n[root@openvpn ~]# \/etc\/init.d\/openvpn<\/pre>\n
 <\/p>\n
Revoke access and generate CRL:<\/h3>\n
#To revoke access use:\n[root@openvpn ~]# cd \/etc\/openvpn\/server\n[root@openvpn server]# .\/easyrsa revoke username\n[root@openvpn server]# .\/easyrsa gen-crl\n\n#Add to server.conf and restart openvpn:\n[root@openvpn server]# echo \"crl-verify \/etc\/openvpn\/server\/pki\/crl.pem\n[root@openvpn server]# chown nobody:nobody -R \/etc\/openvpn\/\n[root@openvpn server]# \/etc\/init.d\/openvpn restart\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Since OpenVPN 2.3.x release there’s no more easy-rsa scripts in \/usr\/share. So you have to use different approach to setup OpenVPN. It’s easy when you know all the steps.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[16,17,19,24,36,37,46,57,68,72,89,99,115,118,141],"class_list":["post-136","post","type-post","status-publish","format-standard","hentry","category-tutorials","tag-build-client-full","tag-build-server-full","tag-centos","tag-crl","tag-easy-rsa","tag-easyrsa","tag-gen-crl","tag-howto","tag-linux","tag-masquerade","tag-openvpn","tag-pki","tag-server","tag-setup","tag-vpn"],"_links":{"self":[{"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/posts\/136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/comments?post=136"}],"version-history":[{"count":0,"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/posts\/136\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/media?parent=136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/categories?post=136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nonamehosts.com\/blog\/wp-json\/wp\/v2\/tags?post=136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}