OpenVPN is an SSL-based VPN. There are other VPN solutions, such as IPsec, but OpenVPN provides a cost-effective alternative. I like OpenVPN as it supports two-way authentication, i.e. both the client and the server authenticate using certificates. To install OpenVPN on CentOS we need a number of cryptographic libraries; the simplest way to get them is to use the DAG/RPMForge repository.
Set up the RPMForge repository, as it contains the packages necessary for the installation; the instructions are provided below. The instructions below only document this specific installation, so this blog post should not be misinterpreted as a best-practices guide. The instructions are adapted from the OpenVPN website, but this blog post is intended more as a quick and dirty guide to getting OpenVPN running on CentOS 5.7. The set-up and configuration of the client is considered beyond the scope of this blog post.
- rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
- yum -y update
- yum -y install openvpn
Set-up configuration files
- cd /etc/openvpn/
- cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf .
- mkdir -p /etc/openvpn/easy-rsa/keys
- cd /etc/openvpn/easy-rsa
- cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
- chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
Edit the PKI configuration (the vars file)
- Also consider setting the key length with the KEY_SIZE variable. 1024 is the default; 2048 is better but slows down the TLS handshake. I am paranoid and use 4096-bit keys.
- Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL).
Set up the PKI infrastructure. This involves making a certificate authority and then generating the server certificate and any client machine certificates.
Create the certificate authority
- . ./vars
- The CA key and certificate should now be in the keys directory inside the easy-rsa directory.
Create certificate for the server
- ./build-key-server NAME_OF_SERVER
- Answer the questions and commit the certificate into the database
Create the Diffie-Hellman files
- These files are used for the actual key exchange, which ensures confidentiality over an insecure channel, aka the Internet. Depending on the key length used (KEY_SIZE), generating them may take a while.
Create the certificate for each client
- When doing this for clients, I generate one certificate for each device a client may use; that way, if a device is stolen or goes missing, I only have to revoke a single certificate and the others keep working as they do. Not sure if this is a good approach, but it's definitely my quick and dirty (lazy) approach.
- ./build-key LAPTOP
- ./build-key HOME-DESKTOP
- ./build-key PDA
Edit the server configuration file
- /etc/rc.d/init.d/openvpn start
- chkconfig --level 235 openvpn on
- If the OpenVPN server fails to start, ensure that logging is enabled (see the log-append directive in the configuration file) and examine the log. A common error is that OpenVPN fails to open certain files; check that the paths to these files are specified correctly.