This post is just an update of a previous post that used CentOS 5.7 and OpenVPN 2.2 (http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html). The basic instructions are the same; however, this post uses some newer packages, which may have been relocated to new URLs. Again, this blog and its posts are mostly for my own reference and are not intended as step-by-step instructions for other systems/network administrators.
Install RPMForge, or RepoForge as it's now known [1]
- wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
- rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
- yum update
Install and set up the OpenVPN server [2]
- yum -y install openvpn
- cd /etc/openvpn/
- cp /usr/share/doc/openvpn-*/sample-config-files/server.conf .
- mkdir -p /etc/openvpn/easy-rsa/keys
- cd /etc/openvpn/easy-rsa
- cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
- chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
Set up the OpenVPN server environment, keys and certificates
vi /etc/openvpn/easy-rsa/vars
- Also consider setting the key length with the KEY_SIZE variable: 1024 is the default and 2048 is better, although it slows down the TLS handshake, but I am paranoid and use 4096-bit keys
- Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
- I used PKCS11_MODULE_PATH=/ and a random PIN value
Create a link to the openssl config file as openssl.cnf
- ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Create the certificate for the server
- ./build-key-server NAME_OF_SERVER
- Answer the questions and commit the certificate into the database
Create the Diffie-Hellman parameters
- These parameters are used for the Diffie-Hellman key exchange that establishes the session keys, giving confidentiality over an insecure channel. Depending on the key length used (KEY_SIZE), generating them may take a while.
- ./build-dh
Create the certificate for each client
- ./build-key CLIENT
Edit the server configuration file
vi /etc/openvpn/server.conf
Check/change the following directives
- local
- proto
- dev
- port
- ca
- cert
- key
- dh
- max-clients
- user
- group
- log-append
- verb
Start everything
- /etc/rc.d/init.d/openvpn start
- chkconfig --level 235 openvpn on
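Before starting the service, a quick audit of the directives listed above is worthwhile. The following POSIX shell script is an added example, not part of the original post: it checks that the ca, cert, key and dh files the config references exist, that the private key is not group/world readable, that user and group are set to an unprivileged account, and that verb does not silence the log. It assumes the sample server.conf layout, with relative paths resolved against the config file's directory (as when openvpn runs from /etc/openvpn); the account name nobody is an assumption.

```shell
# Added example (not from the original post): audit an OpenVPN server.conf before starting it.
# Print the value of a directive from an OpenVPN config: comments stripped, first match wins.
conf_get() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}
# Resolve a config path: absolute paths as-is, relative paths against the config file's directory.
resolve() {
    case "$2" in /*) echo "$2" ;; *) echo "$(dirname "$1")/$2" ;; esac
}
# Audit one server.conf. Prints a line per finding; the return value is the number of
# findings, so 0 means the config passed every check.
audit_server_conf() {
    conf="$1"; n=0
    # 1. Every PKI file the server references (ca, cert, key, dh) must be present.
    for d in ca cert key dh; do
        v=$(conf_get "$conf" "$d")
        if [ -z "$v" ]; then
            echo "MISSING: no '$d' directive"; n=$((n + 1)); continue
        fi
        p=$(resolve "$conf" "$v")
        [ -f "$p" ] || { echo "MISSING: $d file not found: $p"; n=$((n + 1)); }
    done
    # 2. The server's private key must not be readable by group or others (mode 0600).
    v=$(conf_get "$conf" key)
    if [ -n "$v" ] && [ -f "$(resolve "$conf" "$v")" ]; then
        mode=$(ls -ld "$(resolve "$conf" "$v")" | cut -c5-10)   # group+other permission bits
        [ "$mode" = "------" ] || { echo "WEAK: key file is group/world accessible ($mode)"; n=$((n + 1)); }
    fi
    # 3. The daemon should drop root after start-up: user and group must name an unprivileged account.
    for d in user group; do
        v=$(conf_get "$conf" "$d")
        case "$v" in
            ""|root) echo "WEAK: '$d' is unset or root; use an unprivileged account such as nobody"; n=$((n + 1)) ;;
        esac
    done
    # 4. verb 0 silences the log entirely, which makes later incident review impossible.
    v=$(conf_get "$conf" verb)
    if [ -n "$v" ] && [ "$v" -eq 0 ] 2>/dev/null; then
        echo "WEAK: verb 0 disables logging"; n=$((n + 1))
    fi
    return "$n"
}
# Usage: sh audit.sh /etc/openvpn/server.conf
if [ $# -eq 1 ]; then audit_server_conf "$1"; fi
```

A non-zero exit status means at least one finding was printed, so the script can gate the init script in a deployment check.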
Future posts may include instructions on configuring the client, as well as setting up firewall rules for specific topologies (time permitting).
References
- http://wiki.centos.org/AdditionalResources/Repositories/RPMForge/#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01
- http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.htm