Complete OpenVPN 2.0 and 2.2 Server Installation and Configuration Tutorial

Today I'm going to write about the OpenVPN server and its implementation. OpenVPN is a stable VPN solution that uses SSL/TLS encryption; it is cost effective and ideal for IT companies.

This tutorial shows you the step-by-step installation and configuration of a working OpenVPN server on Linux. It covers an OpenVPN server implemented without bridging (a routed TAP setup).
    The Requirement
      Build an OpenVPN server on a Linux distribution (CentOS) that allows client systems on the Internet to connect to it, create an encrypted VPN tunnel with the server and become part of the VPN server's local LAN, so that the other systems in the LAN and the VPN client can communicate with each other without restriction.
    You need a recent Fedora/CentOS machine with 2 NICs and a static public IP address.


    Implementing environment
    OpenVPN server public ip address: 170.213.235.26
    OpenVPN server's LAN ip address: 192.168.10.50   
    (VPN server's LAN ip address range : 192.168.10.0/255.255.255.0) 
    Open VPN server's TAP interface ip address: 10.50.30.1 
    IP address range reserved for VPN clients :  10.50.30.0/255.255.255.0
    (Please note: this tutorial is based on Red Hat/Fedora/CentOS)

    Step1: Installing OpenVPN server
    Install the two required packages, "openvpn" and "bridge-utils" (or install them from the EPEL repo)
    [root@server ~]# yum install openvpn
    [root@server ~]# yum install bridge-utils


    Or install from the EPEL repository (read my article about installing EPEL first)

    [root@server ~]# yum --enablerepo=epel install openvpn
    [root@server ~]# yum --enablerepo=epel install bridge-utils


    Copy the main configuration file "server.conf" to the directory /etc/openvpn/
    (Replace x.x.x with the exact OpenVPN version in the directory name)
    [root@server ~]# cp /usr/share/doc/openvpn-x.x.x/sample-config-files/server.conf /etc/openvpn/

    Edit the server.conf file
    [root@server ~]# vi /etc/openvpn/server.conf

    #In 53rd line edit like below (tap "zero")
    dev tap0

    #In the 78th, 79th and 80th lines, edit like below


    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key 

    #In 87th line 
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem

    #In the 96th line (specify the address range reserved for OpenVPN clients)
    #Addresses from this range are assigned to clients by the server.
    server 10.50.30.0 255.255.255.0     

    #In the 103rd line Disable it by adding a "#"
    #ifconfig-pool-persist ipp.txt

    #In the 275th line edit like below
    status status.log 5

    #In the 276th line add the below
    status-version 2

    #In the 285th line enable the line by removing the ";"  and edit like below
    log-append /var/log/openvpn.log
    #Now save the server.conf file
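Before starting the server (Step 6) it is worth checking that server.conf really contains the directives set above and that the files it references exist with sane permissions. The script below is an added example, not part of the original tutorial; it assumes a POSIX sh with grep, awk, ls and mktemp, and builds its own throwaway config and dummy key files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check server.conf against the
# settings made in Step 1 before starting the daemon. Assumes POSIX sh, grep, awk, ls.

# check_server_conf FILE: prints one line per problem found, returns 1 if there were any.
check_server_conf() {
    conf="$1"; rc=0
    # Directives this tutorial sets; each must appear as an active (uncommented) line.
    for want in "dev tap0" "server 10.50.30.0 255.255.255.0" \
                "status status.log 5" "status-version 2" "log-append /var/log/openvpn.log"; do
        grep -qx "$want" "$conf" || { echo "missing: $want"; rc=1; }
    done
    # The tutorial comments ifconfig-pool-persist out, so an active line is a mistake.
    if grep -q '^ifconfig-pool-persist' "$conf"; then
        echo "ifconfig-pool-persist is still enabled"; rc=1
    fi
    # Every ca/cert/key/dh path must point at an existing file.
    for name in ca cert key dh; do
        path=$(awk -v n="$name" '$1 == n { print $2; exit }' "$conf")
        if [ -z "$path" ]; then echo "missing: $name"; rc=1
        elif [ ! -f "$path" ]; then echo "no such file: $name $path"; rc=1
        fi
    done
    # The server's private key must not be readable by group or others.
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -f "$key" ]; then
        mode=$(ls -l "$key" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "$key is group/world readable, chmod 600 it"; rc=1; }
    fi
    return $rc
}

# Constructed demo: a minimal config and dummy key files in a temporary directory.
dir=$(mktemp -d)
for f in ca.crt server.crt server.key dh1024.pem; do : > "$dir/$f"; done
chmod 644 "$dir/server.key"               # deliberately too permissive
cat > "$dir/server.conf" <<EOF
dev tap0
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh1024.pem
server 10.50.30.0 255.255.255.0
#ifconfig-pool-persist ipp.txt
status status.log 5
status-version 2
log-append /var/log/openvpn.log
EOF
check_server_conf "$dir/server.conf" || echo "fix the problems above, then start openvpn"
```

Run it against /etc/openvpn/server.conf; on the real server the key check reports nothing only when server.key is mode 600.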

    Step2: Create Certificate Authority (CA) Certificates and Keys


    Copy all the files in /usr/share/openvpn/easy-rsa/2.0  to /etc/openvpn/easy-rsa/
    [root@server ~]# cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa


    Change default directory to /etc/openvpn/easy-rsa/
    [root@server ~]# cd /etc/openvpn/easy-rsa/


    Create a Directory named "keys"
    [root@server easy-rsa]# mkdir keys


    #Edit the vars file and add the VPN server's organisation information in lines 64 to 68.
    [root@server easy-rsa]# vi vars

    export KEY_COUNTRY="USA"
    export KEY_PROVINCE="Newyork"
    export KEY_CITY="NewYork"
    export KEY_ORG="Servercomputing"
    export KEY_EMAIL="na@na.com"
    # Now save the vars file

    Run the below commands
    [root@server easy-rsa]# source ./vars

    **************************************************************
      No /etc/openvpn/easy-rsa/openssl.cnf file could be found
      Further invocations will fail
    **************************************************************
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys


    Here the above command failed because openssl.cnf was not found in the /etc/openvpn/easy-rsa directory. Copy (or rename) /etc/openvpn/easy-rsa/openssl-1.0.0.cnf to openssl.cnf in that directory:
    [root@server easy-rsa]# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

    Now execute the "source ./vars" command again (see below)
    [root@server easy-rsa]# source ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

    [root@server easy-rsa]# ./clean-all

    [root@server easy-rsa]# ./build-ca

    Generating a 1024 bit RSA private key
    .....................++++++
    ...++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:                    #Press enter
    State or Province Name (full name) [Newyork]:         #Press enter
    Locality Name (eg, city) [NewYork]:                   #Press enter
    Organization Name (eg, company) [Servercomputing]:    #Press enter
    Organizational Unit Name (eg, section) [changeme]:    #Press enter
    Common Name (eg, your name or your server's hostname) [changeme]:servercomputing    #Type "FQDN"
    Name [changeme]:server-ca                             #Type server-ca
    Email Address [mail@host.domain]:                     #Press enter


    Now ca.crt and ca.key are created in the /etc/openvpn/easy-rsa/keys/ directory.
    ca.crt is required on the VPN client computer to make a VPN connection to the server, so transfer it to the VPN client machine. Only ca.crt goes to clients; ca.key is the CA's signing key and must stay on the server.

    Step3:  Create Server certificates and keys

    [root@server easy-rsa]# ./build-key-server server
    Generating a 1024 bit RSA private key
    ........................++++++
    ....................................++++++


    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:                            #Press enter
    State or Province Name (full name) [Newyork]:          #Press enter
    Locality Name (eg, city) [NewYork]:                          #Press enter
    Organization Name (eg, company) [Servercomputing]:   #Press enter
    Organizational Unit Name (eg, section) [changeme]:      #Press enter
    Common Name (eg, your name or your server's hostname) [server]:servercomputing      #input FQDN
    Name [changeme]:server                 #Type "server"
    Email Address [mail@host.domain]:   #Press enter
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:12345                 #input any password 
    An optional company name []:          #Press enter
    Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'Province'
    localityName          :PRINTABLE:'NewYork'
    organizationName      :PRINTABLE:'Servercomputing'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName            :PRINTABLE:'servercomputig'
    name                  :PRINTABLE:'server'
    emailAddress          :IA5STRING:'mail@host.domain'
    Certificate is to be certified until Apr  1 07:37:52 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y        #Press Y
    1 out of 1 certificate requests certified, commit? [y/n]y      #Press Y
    Write out database with 1 new entries
    Data Base Updated

    Step4: Generate Diffie-Hellman (DH) parameters

    [root@server easy-rsa]# ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ..........................+.....................................................+.................................................+......................+.....................................+..........................................+..........
    (This takes about 20-30 seconds.)

    Step5 Generate Keys and Certificates for VPN clients

    Edit the vars file and add the VPN client's country, organisation, email and other information in lines 64 to 68.
    [root@server easy-rsa]# vim vars

    export KEY_COUNTRY="UK"
    export KEY_PROVINCE="Province"
    export KEY_CITY="London"
    export KEY_ORG="Servercomputing1"
    export KEY_EMAIL="na@na.com"
    # Now save the vars file

    [root@server easy-rsa]# source ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

    [root@server easy-rsa]# ./build-key-pass ukclient
    Generating a 1024 bit RSA private key
    ..............++++++
    ...++++++
    writing new private key to 'ukclient.key'
    Enter PEM pass phrase:                                 #Enter a pass phrase that protects the client's private key; the client is prompted for it when connecting
    Verifying - Enter PEM pass phrase:                     #Re-enter the pass phrase
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----

    Country Name (2 letter code) [UK]:                           #Press Enter
    State or Province Name (full name) [Province]:         #Press Enter
    Locality Name (eg, city) [London]:                            #Press Enter
    Organization Name (eg, company) [Servercomputing1]:      #Press Enter
    Organizational Unit Name (eg, section) [changeme]:           #Press Enter
    Common Name (eg, your name or your server's hostname) [ukclient]:London-UK     # a name to easily identify the VPN client
    Name [changeme]:ukclient                          # Same as in the command
    Email Address [mail@host.domain]:        #Press Enter
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:12345                      #type a password
    An optional company name []:                      #Press Enter
    Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'UK'
    stateOrProvinceName   :PRINTABLE:'Province'
    localityName          :PRINTABLE:'London'
    organizationName      :PRINTABLE:'Servercomputing1'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName            :PRINTABLE:'London-UK'
    name                  :PRINTABLE:'ukclient'
    emailAddress          :IA5STRING:'mail@host.domain'
    Certificate is to be certified until Apr  1 10:04:09 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y               #Press y
    1 out of 1 certificate requests certified, commit? [y/n]y               #Press y
    Write out database with 1 new entries
    Data Base Updated
    #ukclient.crt and ukclient.key are now created in the /etc/openvpn/easy-rsa/keys/ directory
    Transfer these two files to the VPN client over a secure channel (for example scp), since ukclient.key is the client's private key.

    Step6:  Start OpenVPN Server

    [root@server easy-rsa]# service openvpn start
    Starting openvpn: [ OK ]

    Add OpenVPN to system startup
    [root@server easy-rsa]# chkconfig openvpn on

    Step7: Client side Configuration
    Download and install the OpenVPN client installer from the link below
    OpenVPN client download link (works with Windows XP, Vista and Windows 7)
    Note: Installing the client and initializing the VPN connection requires Administrator privileges.

    After installing the OpenVPN client, copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config\client.ovpn
    Then open the client.ovpn file and edit it like below

    client
    proto tcp
    dev tap0
    remote 170.213.235.26 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert ukclient.crt
    key ukclient.key
    comp-lzo
    verb 3
    #And save the client.ovpn file
    #Note: above, 170.213.235.26 is the OpenVPN server's WAN interface IP address and 1194 is the TCP port the server listens on.
    #The proto line and port must match what the server uses; the sample server.conf ships with proto udp, so keep proto udp here unless server.conf has been changed to proto tcp.

    Now copy the ca.crt (created in step2), ukclient.crt, ukclient.key (created in step 5) to C:\Program Files\OpenVPN\config\  folder



    Now double-click the OpenVPN GUI shortcut on the desktop, then right-click the OpenVPN tray icon and click "Connect"





    Enter the password when prompted (this is the PEM pass phrase configured in Step 5)


    Step8:  Test client-Server connectivity

    Test connectivity by pinging the server's TAP address (10.50.30.1) from the client
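On the server side you can confirm the connection from the status file enabled in Step 1 (status status.log 5 with status-version 2). The script below is an added example, not part of the original tutorial; it assumes POSIX sh and awk, and parses a constructed status file in the OpenVPN 2.2 status-version 2 layout, listing each connected client and checking that its assigned address lies inside the 10.50.30.0/24 pool configured in Step 1.

```shell
#!/bin/sh
# Added example (not from the original post): read the status-version 2 file that
# Step 1 enabled (status status.log 5 / status-version 2) and list who is connected.
# Assumes POSIX sh and awk; the status file content below is constructed for the demo.

# connected_clients FILE: prints "common_name virtual_ip real_address" per CLIENT_LIST row.
connected_clients() {
    awk -F, '$1 == "CLIENT_LIST" { print $2, $4, $3 }' "$1"
}

# check_pool FILE: flags any client whose virtual address is outside 10.50.30.0/24,
# which would mean the server is not handing out the range configured in Step 1.
check_pool() {
    awk -F, '$1 == "CLIENT_LIST" && $4 !~ /^10\.50\.30\.[0-9]+$/ {
                 print "unexpected address " $4 " for " $2; bad = 1 }
             END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample in the layout OpenVPN 2.2 writes for status-version 2
# (in tap mode the ROUTING_TABLE "Virtual Address" column holds the client's MAC).
sample=$(mktemp)
cat > "$sample" <<'EOF'
TITLE,OpenVPN 2.2 constructed sample
TIME,Mon Apr  2 10:04:09 2012,1333361049
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,London-UK,198.51.100.23:49152,10.50.30.2,12456,98765,Mon Apr  2 09:58:11 2012,1333360691
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,00:ff:12:34:56:78,London-UK,198.51.100.23:49152,Mon Apr  2 10:04:01 2012,1333361041
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
connected_clients "$sample"        # London-UK 10.50.30.2 198.51.100.23:49152
check_pool "$sample" && echo "all clients are inside 10.50.30.0/24"
```

With the CentOS init script the daemon's working directory is /etc/openvpn, so the real file is typically /etc/openvpn/status.log; it is rewritten every 5 seconds as configured.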

    Step9:  Establish ip forwarding in Server

    Now the connectivity is only between the VPN server and the VPN client; other systems in the server's LAN cannot reach the VPN client and vice versa.
    But the ultimate goal is that the VPN client can access all the other PCs in the server's LAN range and that all the systems in the LAN can access the VPN client. To do this, the OpenVPN server acts as a router, forwarding IP packets between the LAN and the VPN client.

    Run the following 4 commands   
    [root@server easy-rsa]# echo 1 > /proc/sys/net/ipv4/ip_forward
    [root@server easy-rsa]# iptables -I FORWARD -o tap0 -j ACCEPT
    [root@server easy-rsa]# service iptables save
    [root@server easy-rsa]# service iptables restart

    Now add the OpenVPN server's LAN IP address (192.168.10.50) as the default gateway on all systems in the LAN (alternatively, if you do not want to change their default gateway, add a static route for 10.50.30.0/24 via 192.168.10.50 on the LAN's existing router).
    Now all the systems in the VPN server's LAN can communicate with the VPN clients.
    Test it by pinging 10.50.30.2 (the first address in the client pool) from a LAN system.

    Thanks for visiting, and please add your comments.
