Installing OpenVPN 2.2 on CentOS 6.3 64bit


This post is just an update of a previous post that used CentOS 5.7 and OpenVPN 2.2 (http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html). The basic instructions are the same; however, this post uses some newer packages, which may have been relocated to new URLs. Again, this blog and its posts are mostly for my own reference and not intended as step-by-step instructions for other systems/network administrators.

Install RPMForge, or RepoForge as it's now known[1]

  1. wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  2. rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  3. yum update

Install and set-up the OpenVPN Server[2]

  1. yum -y install openvpn 
  2. cd /etc/openvpn/
  3. cp /usr/share/doc/openvpn-*/sample-config-files/server.conf .
  4. mkdir -p /etc/openvpn/easy-rsa/keys
  5. cd /etc/openvpn/easy-rsa
  6. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
  7. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req

 Set-up the OpenVPN Server environment, keys and certificates

vi /etc/openvpn/easy-rsa/vars

  1. Also consider setting the key length using the KEY_SIZE variable: 1024 is the default; 2048 is better but slows down the TLS handshake. I am paranoid and use 4096-bit keys.
  2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
  3. I used PKCS11_MODULE_PATH=/ and a random PIN value

Create a link to the openssl config file as openssl.cnf

  1. ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Create certificate for the server

  1. ./build-key-server NAME_OF_SERVER
  2. Answer the questions and commit the certificate into the database

Create the Diffie Hellman files

  1. These parameters are used for the Diffie-Hellman key exchange, which lets the two ends agree on session keys over an insecure channel. Depending on the key length used (KEY_SIZE), generating them may take a while.
  2. ./build-dh

Create the certificate for each client

  1. ./build-key CLIENT

Edit the server configuration file

vi /etc/openvpn/server.conf

Check/change

  1. local
  2. proto
  3. dev
  4. port
  5. ca
  6. cert
  7. key
  8. dh
  9. max-clients
  10. user
  11. group
  12. log-append
  13. verb
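As an added worked example (not from the original post), here is a server.conf that sets every directive in the list above using the paths produced by the easy-rsa steps earlier in this post. The listen address, VPN subnet and client cap are constructed values, NAME_OF_SERVER is the name passed to build-key-server, and the DH file name assumes KEY_SIZE=4096.

```conf
# server.conf - worked example for the directives checked above.
# Constructed for this post; adjust addresses and names to your network.

# Interface address the daemon listens on (constructed value) and transport.
local 192.0.2.10
port 1194
proto udp
dev tun

# PKI material produced by the easy-rsa steps above. Paths follow
# /etc/openvpn/easy-rsa/keys; NAME_OF_SERVER is the name given to
# build-key-server, and build-dh names its output after KEY_SIZE.
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/NAME_OF_SERVER.crt
key  /etc/openvpn/easy-rsa/keys/NAME_OF_SERVER.key   # keep this file mode 0600
dh   /etc/openvpn/easy-rsa/keys/dh4096.pem           # dh2048.pem if KEY_SIZE=2048

# VPN subnet handed out to clients (constructed value).
server 10.8.0.0 255.255.255.0

# Cap concurrent clients to what the box is sized for.
max-clients 20

# Drop root privileges once the tunnel is up. persist-key/persist-tun are
# needed so that a SIGUSR1 restart does not have to reopen the key files or
# the tun device as the unprivileged user.
user nobody
group nobody
persist-key
persist-tun

# Append to a dedicated log file instead of syslog; verb 3 is the usual
# level, raise it temporarily when debugging a handshake problem.
log-append /var/log/openvpn.log
verb 3
```

After editing, a quick sanity check is that every file named by ca, cert, key and dh exists and that the key is readable only by root, since the daemon reads it before dropping to nobody.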

Start everything

  1. /etc/rc.d/init.d/openvpn start
  2. chkconfig --level 235 openvpn on

Future posts may include instructions on configuring the client as well as setting up firewall rules for specific topologies (time permitting).

References

  1. http://wiki.centos.org/AdditionalResources/Repositories/RPMForge/#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01
  2. http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html