This post is strictly geeky stuff so feel free to skip and check out the poetry and short stories instead (don’t leave until you do! Thanks!)<\/p>\n
A friend\/colleague contacted me a couple of days ago and asked if I know how to set up an OpenVPN server. He said he took a look at the website (openvpn.net) and that the instructions there are not that easy to follow. Nothing challenges me more than getting IT-related stuff to work – figuring stuff out. And also, he said there might be some $$ involved.
\nI knew what OpenVPN was but had never set up a server before. It took 2 days and nights to figure the stuff out completely. One thing I don’t like is having to repeat the same process for the same thing in future, so I almost always “document” the procedure(s).<\/p>\n
Once it is nicely summarized (as below), it then looks quite easy, but it is not! (stroking my own ego a little :-).<\/p>\n
Let’s go!<\/p>\n
Setting up an OpenVPN access server on Linux (with a Windows Client)<\/strong><\/p>\n 1. Install Open-VPN server # yum install openssl-devel lzo-devel pam-devel 2. Copy or create \/etc\/init.d\/openvpn (so you can use the service command to control the service)<\/p>\n 3. Install\/download EasyRSA for creating the CA (Ceritification Authority) as well as certificates for clients:<\/p>\n download scripts package from https:\/\/github.com\/OpenVPN\/easy-rsa<\/p>\n cd \/tmp 4. Copy the sample config files folder to \/etc\/openvpn 5. You should edit openvpn-shutdown and change the line “killall -TERM openvpn” to “killall -TERM \/usr\/sbin\/openvpn” 6. You have to edit the server.conf to reflect the location of files relative to the \/etc\/opevpn folder. 7. This option in server.conf is to protected against DDoS (either follow the instructions or comment it out) 8. The 3 lines below are at the bottom of file openvpn-startup. Comment them out or create the vpn*.conf files. 9. Creating the various certificates:<\/p>\n # cd \/etc\/openvpn\/easyrsa3\/<\/p>\n [root@gfs2 easyrsa3]# cp vars.example vars<\/p>\n 10. Edit the vars file and set the following variables according to your needs:<\/p>\n [root@gfs2 easyrsa3]# vi vars<\/p>\n set_var EASYRSA_REQ_COUNTRY “NG” [root@gfs2 easyrsa3]#<\/p>\n 11. Initialize the PKI (you only need to do this once for a fresh setup):<\/p>\n [root@gfs2 easyrsa3]# .\/easyrsa init-pki<\/p>\n 12. Create the CA: [root@gfs2 easyrsa3]# .\/easyrsa build-ca<\/p>\n 13. Remove the passphrase (because we are running openvpn daemon non-interactively so no way to enter the phrase) # cd \/etc\/openvpn\/easyrsa3\/pki\/private 14. Generate the Diffie hellman parameters (DH): 15. Generate the CRL: 16. Generate a certificate for the server (use any passphrase. We will remove it): [root@gfs2 easyrsa3]# .\/easyrsa build-server-full gfs2 17. Copy all the files to your \/etc\/openvpn\/ folder 18. Edit server.conf in \/etc\/openvpn\/ and make the necessary changes. The 3 lines in server.conf show below reflects the files created above: 19. Generate certificates for your clients (repeat for various clients using unique names in the process): # cd \/etc\/openvpn\/easyrsa3 20. Remove the passphrase on the certificate (you will be prompted for the same passphrase you used above): 21. Copy\/Send the necessary certificates to the client (should be done as securely as possible) 22. On my sample Windows client. I am using SecurePoint SSL VPN v2 23. Suggested optional step: to configure OpenVPN to log into it’s own log file and not \/var\/log\/messages (especially if you are debugging issues.) log-append \/var\/log\/openvpn.log<\/p>\n 24. Optionally install Web-pased connection monitor<\/p>\n – Download it from https:\/\/github.com\/furlongm\/openvpn-monitor\/<\/p>\n – You need to install the semanticversion package to run the openvpn-monitor successfully<\/p>\n – Use pip to install the semantic_version package: Alternatively if for some reason you can’t install pip, you can install the semantic_version “manually” with python:<\/p>\n # cd \/tmp – Then continue with installation instructions on the openvpn-monitor webpage above (start from the section for your Operating System)<\/p>\n NOTE: on RHEL\/CentOS 6.x, you may need to edit \/var\/www\/html\/openvpn-monitor\/openvpn-monitor.conf and enter the coordinates of your starting point (probably the location of your server). You can get the “DD coordinates” (for longitude and latitude) for your location (I was able to get the coords for my campus) from http:\/\/latitude.to\/ for example. You can also try https:\/\/www.distancesto.com\/coordinates.php<\/p>\n 25. Restart (start) the OpenVPN service (any errors will be in file \/var\/log\/messages) – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – 1. You may need to enable ipv4 forwarding if you want the remote clients to connect to other systems on the network of the VPN access server. The community version seems to do this by default but not sure of the commercial version (“sysctl -w net.ipv4.ip_forward=1” ) 2. GUI for OpenVPN server on Windows: 3. Alternative GUI-based way to control OpenVPN via Webmin module. Not worth the trouble as the developer’s website is not in English and not sure how up to date the module is. Not recommended.<\/p>\n yum install perl 4. There are various other options you may need to change in server.conf (and which must match on the client as well) to further optimize your setup.<\/p>\n 5. Systems used in the config above (3x VMs running on VMWare workstation 12.5.2 on a HP EliteBook 840 – Windows 7, 16GB RAM, Intel Core i7 vPro): 6. Some other install guide: 7. There several other clients for Windows, MAC, etc on the Internet. Some are free (open source\/closed-source) and some are commercial\/proprietary. Each has it’s own idiosyncrasies. I found it difficult getting the OpenVPN client to work with the OpenVPN server I set up above, but it worked seamlessly with their own OpenVPN AS VPN server (the commercial version of the OpenVPN server that comes with a management GUI).<\/p>\n 8. Keywords or Tags: PKI,SecurePoint,OpenVPN,VPN,Diffie hellman,EasyRSA,RedHat,rpmbuild,github,Linux<\/p>\n 9. The content of the \/etc\/init.d\/openvpn service control script. You can add the service to run-levels 345 so it starts automatically whenever you (re)start the server (command “chkconfig –add openvpn”).<\/p>\n #!\/bin\/sh # Contributed to the OpenVPN project by # To install: # To uninstall: # Author’s Notes: # Location of openvpn binary # Lockfile # PID directory # Our working directory # Source function library. # Source networking configuration. # Check that networking is up. # Check that binary exists # See how we were called. \/sbin\/modprobe tun >\/dev\/null 2>&1<\/p>\n # From a security perspective, I think it makes #echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n # Run startup script, if defined if [ ! -d $piddir ]; then if [ -f $lock ]; then rm -f $piddir\/*.pid # Start every .conf in $work and run .sh if exists if [ $errors = 1 ]; then if [ $successes = 1 ]; then # Run shutdown script, if defined success; echo This post is strictly geeky stuff so feel free to skip and check out the poetry and short stories instead (don’t leave until you do! Thanks!) A friend\/colleague contacted me a couple of days ago and asked if I know … Continue reading
\nNOTE: The \/etc\/init.d\/openvpn service control script comes from the openvpn-AS server package but it’s easy
\nto create one. I have attached a copy (should be in the same directory as this howto)<\/p>\n
\n# yum install rpm-build
\n# rpmbuild -tb openvpn-2.4.0.tar.gz
\n# rpm -Uvh \/root\/rpmbuild\/RPMS\/x86_64\/openvpn-2.4.0-1.x86_64.rpm<\/p>\n
\nunzip easy-rsa-master.zip
\ncp -R \/tmp\/easy-rsa-master\/easyrsa3 \/etc\/openvpn\/<\/p>\n
\ncp \/usr\/share\/doc\/openvpn-2.4.0\/sample\/sample-config-files\/server.conf \/etc\/openvpn\/
\ncp \/usr\/share\/doc\/openvpn-2.4.0\/sample\/sample-config-files\/client.conf \/etc\/openvpn\/
\ncp \/usr\/share\/doc\/openvpn-2.4.0\/sample\/sample-config-files\/openvpn-startup.sh \/etc\/openvpn\/openvpn-startup
\ncp \/usr\/share\/doc\/openvpn-2.4.0\/sample\/sample-config-files\/openvpn-shutdown.sh \/etc\/openvpn\/openvpn-shutdown<\/p>\n
\n(reason is that when you use “service openvpn restart|shutdown”, killall kills the service command as well)<\/p>\n
\nFor example, the entry “dh dh2048.pem” in server.conf needs to reflect where you actually put the dh2048.pem file.
\nIf you put the files directly in \/etc\/openvpn then nothing needs to change, but if you decide for management
\npurposes to put the file in a subfolder (e.g., in \/etc\/openvpn\/keys\/ then the entry in server.conf would be “dh keys\/dh2048.pem”) the entries would have to change. Same applies to entries for “ca”, “cert”, and “key”.<\/p>\n
\ntls-auth ta.key 0 # This file is secret<\/p>\n
\nI don’t think they are needed unless you have a need to have deamons with different configs e.g., say a deamon for different companies connecting to your server.
\nopenvpn –cd $dir –daemon –config vpn1.conf
\nopenvpn –cd $dir –daemon –config vpn2.conf
\nopenvpn –cd $dir –daemon –config vpn2.conf<\/p>\n
\nset_var EASYRSA_REQ_PROVINCE “LA”
\nset_var EASYRSA_REQ_CITY “Lagos”
\nset_var EASYRSA_REQ_ORG “Samson Inc.”
\nset_var EASYRSA_REQ_EMAIL “sam@company.net”
\nset_var EASYRSA_REQ_OU “IT Organizational Unit”
\nset_var EASYRSA_REQ_CN=gfs2.company.com
\nset_var EASYRSA_REQ_NAME=server<\/p>\n
\nAnswer 2 questions below (Common Name e.g., the name of the server, and the PEM passphrase – use any phrase)<\/p>\n
\nYou will be prompted for the same passphrase you entered above when creating the certificate:<\/p>\n
\n# openssl rsa -in ca.key -out ca.key2
\n[root@gfs2 private]# mv ca.key ca.key.org
\n[root@gfs2 private]# mv ca.key2 ca.key
\n[root@gfs2 private]# cd \/etc\/openvpn\/easyrsa3\/<\/p>\n
\n[root@gfs2 easyrsa3]# .\/easyrsa gen-dh<\/p>\n
\n[root@gfs2 easyrsa3]# .\/easyrsa gen-crl<\/p>\n
\nIn the example below, gfs2 is the name of my server.<\/p>\n
\n# cd \/tmp\/easy-rsa-master\/easyrsa3\/pki\/private\/
\n# openssl rsa -in gfs2.key -out gfs2.key2
\n# mv gfs2.key gfs2.key.org
\n# mv gfs2.key2 gfs2.key<\/p>\n
\n[root@gfs2 easyrsa3]# cd \/etc\/openvpn\/
\n[root@gfs2 openvpn]# cp easyrsa3\/pki\/crl.pem .
\n[root@gfs2 openvpn]# cp easyrsa3\/pki\/dh.pem .
\n[root@gfs2 openvpn]# cp easyrsa3\/pki\/ca.crt .
\n[root@gfs2 openvpn]# cp easyrsa3\/pki\/private\/ca.key .
\n[root@gfs2 openvpn]# cp easyrsa3\/pki\/private\/gfs2.key .
\n[root@gfs2 openvpn]# cp easyrsa3\/pki\/issued\/gfs2.crt .
\n[root@gfs2 openvpn]# cp easyrsa3\/pki\/ca.crt \/etc\/openvpn\/clients\/<\/p>\n
\nca ca.crt
\ncert gfs2.crt
\nkey gfs2.key<\/p>\n
\nYou will be prompted for a passphrase. Use any, we will remove it. In the example below, remoteclient1 is the name of a unique CN (Common Name) I am using for a client. Note that this does not have to be the actual name on the client.
\nBut it is this name you will enter in the configuration of your VPN client on your remote client. This will then
\nallow the OpenVPN server to match the name to a specific configuration (if any) and client certificates on the server.<\/p>\n
\n[root@gfs2 easyrsa3]# .\/easyrsa build-client-full remoteclient1
\n[root@gfs2 easyrsa3]# cd pki\/private\/<\/p>\n
\n[root@gfs2 private]# openssl rsa -in remoteclient1.key -out remoteclient1.key2
\n[root@gfs2 private]# mv remoteclient1.key remoteclient1.key.org
\n[root@gfs2 private]# mv remoteclient1.key2 remoteclient1.key
\n[root@gfs2 private]# cp remoteclient1.key \/etc\/openvpn\/clients\/
\n[root@gfs2 private]# cp ..\/issued\/remoteclient1.crt \/etc\/openvpn\/clients\/<\/p>\n
\nca.crt, remoteclient1.crt and remoteclient1.key (for my sample client)<\/p>\n
\n– I downloaded version 2.0.18 from https:\/\/sourceforge.net\/projects\/securepoint\/
\n– Install it and run it.
\n– In the system-tray, right-click on the icon and choose “show window” from the menu
\n– Click on the settings icon (gear wheel in the lowe right-hand corner of the application window) and choose “New” fro the menu.
\n– Follow the wizard to create a new VPN connection.
\n– give the config a name; next;
\n– enter the IP address of FQDN of the VPN access server and change the port and protocol if necessary (must match the one on the server as defined in server.conf); next
\n– you are prompted for the location of 3 files you transferred to the client above: “Root CA:”; “Certificate:”; and “Key:”
\n“Root CA:” = ca.crt; “Certificate:” = remoteclient1.crt; and “Key:” = remoteclient1.key
\n– the “Advanced Settings” screen is next. IMPORTANT: You have to change the cipher (defaul is “Standard”) to the one configured in the server.conf file on the VPN access server. Current default is AES-256-CBC. If you don’t change it, you will still get connected but no real traffic will flow over the VPN (you won’t get any service or connectivity). You can also “Comp-LZO” compression; next
\n– Conclusion screen shows you a summary of your choices. Click the “Finish” button if everything looks OK
\n– Your new VPN connection config will appear in the Window of the VPN client. Right-click on it and choose “Connect”
\n– The next 2 screens will ask for your username and password. Both answers are the name of the client we used to create the certificate which is remoteclient1. You can also select the “Save Data” on both questions to have the VPN client remember your answers.
\n– The VPN connection to the server should be established once you press OK for the 2 questions above.<\/p>\n
\nEdit server.conf and change the log-append line (it is likely to be commented out. So remove the “;” at the begining of the line).<\/p>\n
\n# yum install python-pip
\n# pip install semantic_version<\/p>\n
\n# git clone git:\/\/github.com\/rbarrois\/python-semanticversion.git
\n# cd python-semanticversion
\n# python setup.py install<\/p>\n
\n# service openvpn restart<\/p>\n
\nNOTES:<\/p>\n
\nYou will also need to edit server.conf and use the “push route” option so that the routes to (private) subnets “behind” the VPN server is sent to the clients if required (so the clients can reach other systems on those private subnets)<\/p>\n
\ndownload from https:\/\/github.com\/OpenVPN\/openvpn-gui<\/p>\n
\nyum install perl-Net-SSLeay
\nwget http:\/\/prdownloads.sourceforge.net\/webadmin\/webmin-1.831-1.noarch.rpm
\nrpm -Uvh wget webmin-1.831-1.noarch.rpm
\ndownload openvpn-2.6.wbm.gz from http:\/\/www.openit.it\/index.php\/it\/openvpnadmin and use Webmin to install it.
\nThe module can generate certificates but I found it much more troublesome than the direct approach I used above.<\/p>\n
\na. Red Hat Enterprise Linux Server release 6.3 – OpenVPN 2.4.0 access server
\nb. Windows 8 (VPN client)
\nc. Windows XP (system “behind” VPN server on a private subnet)<\/p>\n
\nhttp:\/\/www.ciscopress.com\/articles\/article.asp?p=605499
\nhttps:\/\/help.ubuntu.com\/lts\/serverguide\/openvpn.html
\nhttps:\/\/openvpn.net\/index.php\/open-source\/documentation\/howto.html#security
\nhttps:\/\/openvpn.net\/index.php\/access-server\/docs\/quick-start-guide.html
\nhttps:\/\/openvpn.net\/index.php\/open-source\/documentation\/howto.html#install
\nhttps:\/\/www.digitalocean.com\/community\/tutorials\/how-to-setup-and-configure-an-openvpn-server-on-centos-6<\/p>\n
\n#
\n# openvpn This shell script takes care of starting and stopping
\n# openvpn on RedHat or other chkconfig-based system.
\n#
\n# chkconfig: 345 24 76
\n#
\n# description: OpenVPN is a robust and highly flexible tunneling application \\
\n# that uses all of the encryption, authentication, and \\
\n# certification features of the OpenSSL library to securely \\
\n# tunnel IP networks over a single UDP port.
\n#<\/p>\n
\n# Douglas Keller <doug_at_voidstar.dyndns.org>
\n# 2002.05.15<\/p>\n
\n# copy this file to \/etc\/rc.d\/init.d\/openvpn
\n# shell> chkconfig –add openvpn
\n# shell> mkdir \/etc\/openvpn
\n# make .conf or .sh files in \/etc\/openvpn (see below)<\/p>\n
\n# run: chkconfig –del openvpn<\/p>\n
\n#
\n# I have created an \/etc\/init.d init script and enhanced openvpn.spec to
\n# automatically register the init script. Once the RPM is installed you
\n# can start and stop OpenVPN with “service openvpn start” and “service
\n# openvpn stop”.
\n#
\n# The init script does the following:
\n#
\n# – Starts an openvpn process for each .conf file it finds in
\n# \/etc\/openvpn.
\n#
\n# – If \/etc\/openvpn\/xxx.sh exists for a xxx.conf file then it executes
\n# it before starting openvpn (useful for doing openvpn –mktun…).
\n#
\n# – In addition to start\/stop you can do:
\n#
\n# service openvpn reload – SIGHUP
\n# service openvpn reopen – SIGUSR1
\n# service openvpn status – SIGUSR2
\n#
\n# Modifications:
\n#
\n# 2003.05.02
\n# * Changed == to = for sh compliance (Bishop Clark).
\n# * If condrestart|reload|reopen|status, check that we were
\n# actually started (James Yonan).
\n# * Added lock, piddir, and work variables (James Yonan).
\n# * If start is attempted twice, without an intervening stop, or
\n# if start is attempted when previous start was not properly
\n# shut down, then kill any previously started processes, before
\n# commencing new start operation (James Yonan).
\n# * Do a better job of flagging errors on start, and properly
\n# returning success or failure status to caller (James Yonan).
\n#
\n# 2005.04.04
\n# * Added openvpn-startup and openvpn-shutdown script calls
\n# (James Yonan).
\n#<\/p>\n
\nopenvpn=””
\nopenvpn_locations=”\/usr\/sbin\/openvpn \/usr\/local\/sbin\/openvpn”
\nfor location in $openvpn_locations
\ndo
\nif [ -f “$location” ]
\nthen
\nopenvpn=$location
\nfi
\ndone<\/p>\n
\nlock=”\/var\/lock\/subsys\/openvpn”<\/p>\n
\npiddir=”\/var\/run\/openvpn”<\/p>\n
\nwork=\/etc\/openvpn<\/p>\n
\n. \/etc\/rc.d\/init.d\/functions<\/p>\n
\n. \/etc\/sysconfig\/network<\/p>\n
\nif [ ${NETWORKING} = “no” ]
\nthen
\necho “Networking is down”
\nexit 0
\nfi<\/p>\n
\nif ! [ -f $openvpn ]
\nthen
\necho “openvpn binary not found”
\nexit 0
\nfi<\/p>\n
\ncase “$1″ in
\nstart)
\necho -n $”Starting openvpn: ”<\/p>\n
\n# sense to remove this, and have users who need
\n# it explictly enable in their –up scripts or
\n# firewall setups.<\/p>\n
\nif [ -f $work\/openvpn-startup ]; then
\n$work\/openvpn-startup
\nfi<\/p>\n
\nmkdir $piddir
\nfi<\/p>\n
\n# we were not shut down correctly
\nfor pidf in `\/bin\/ls $piddir\/*.pid 2>\/dev\/null`; do
\nif [ -s $pidf ]; then
\nkill `cat $pidf` >\/dev\/null 2>&1
\nfi
\nrm -f $pidf
\ndone
\nrm -f $lock
\nsleep 2
\nfi<\/p>\n
\ncd $work<\/p>\n
\nerrors=0
\nsuccesses=0
\nfor c in `\/bin\/ls *.conf 2>\/dev\/null`; do
\nbn=${c%%.conf}
\nif [ -f “$bn.sh” ]; then
\n. .\/$bn.sh
\nfi
\nrm -f $piddir\/$bn.pid
\n$openvpn –daemon –writepid $piddir\/$bn.pid –config $c –cd $work
\nif [ $? = 0 ]; then
\nsuccesses=1
\nelse
\nerrors=1
\nfi
\ndone<\/p>\n
\nfailure; echo
\nelse
\nsuccess; echo
\nfi<\/p>\n
\ntouch $lock
\nfi
\n;;
\nstop)
\necho -n $”Shutting down openvpn: ”
\nfor pidf in `\/bin\/ls $piddir\/*.pid 2>\/dev\/null`; do
\nif [ -s $pidf ]; then
\nkill `cat $pidf` >\/dev\/null 2>&1
\nfi
\nrm -f $pidf
\ndone<\/p>\n
\nif [ -f $work\/openvpn-shutdown ]; then
\n$work\/openvpn-shutdown
\nfi<\/p>\n
\nrm -f $lock
\n;;
\nrestart)
\n$0 stop
\nsleep 2
\n$0 start
\n;;
\nreload)
\nif [ -f $lock ]; then
\nfor pidf in `\/bin\/ls $piddir\/*.pid 2>\/dev\/null`; do
\nif [ -s $pidf ]; then
\nkill -HUP `cat $pidf` >\/dev\/null 2>&1
\nfi
\ndone
\nelse
\necho “openvpn: service not started”
\nexit 1
\nfi
\n;;
\nreopen)
\nif [ -f $lock ]; then
\nfor pidf in `\/bin\/ls $piddir\/*.pid 2>\/dev\/null`; do
\nif [ -s $pidf ]; then
\nkill -USR1 `cat $pidf` >\/dev\/null 2>&1
\nfi
\ndone
\nelse
\necho “openvpn: service not started”
\nexit 1
\nfi
\n;;
\ncondrestart)
\nif [ -f $lock ]; then
\n$0 stop
\n# avoid race
\nsleep 2
\n$0 start
\nfi
\n;;
\nstatus)
\nif [ -f $lock ]; then
\nfor pidf in `\/bin\/ls $piddir\/*.pid 2>\/dev\/null`; do
\nif [ -s $pidf ]; then
\nkill -USR2 `cat $pidf` >\/dev\/null 2>&1
\nfi
\ndone
\necho “Status written to \/var\/log\/messages”
\nelse
\necho “openvpn: service not started”
\nexit 1
\nfi
\n;;
\n*)
\necho “Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}”
\nexit 1
\n;;
\nesac
\nexit 0<\/p>\n","protected":false},"excerpt":{"rendered":"