OpenVPN is an open source application for building your own Virtual Private Network. We are not going to cover all the topics regarding VPNs; in short, they carry data from point A to point B over an encrypted tunnel. Of course this also lets us get past some firewalls and proxies, which is one reason we use TCP port 443 (the default port for HTTPS, almost never filtered) instead of OpenVPN's default, UDP 1194. The trade-off is that TCP connections carried inside a TCP tunnel perform worse than they would over UDP, so prefer UDP 1194 wherever the network allows it.
I am going to set up a GNU/Linux machine, running CentOS 6 as the OpenVPN server.
OpenVPN Server Setup
Note: You must already have CentOS installed with a working network connection; if you don't know how to do this, check out How to install Red Hat in 50 easy steps!
1. Disable SELinux and reboot the system.
Note: this is the shortcut the guide takes. Turning SELinux off removes a layer of containment from every service on the host, not just OpenVPN, and CentOS 6's targeted policy already has an openvpn module. The better option is to leave it enforcing and, if the daemon fails to start, look for denials in /var/log/audit/audit.log. If you do disable it:
[root@centos ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@centos ~]# reboot && exit
2. Install the EPEL repository.
[root@centos ~]# rpm -ivh http://mirrors.n-ix.net/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
(epel-release is a noarch package, so this URL works on x86_64 as well.)
3. Update the packages:
[root@centos ~]# yum -y update
4. Install OpenVPN and easy-rsa:
Note: Since OpenVPN version 2.3.2, "easy-rsa" is no longer bundled with OpenVPN and has to be installed separately; fortunately it is also available in the EPEL repository.
[root@centos ~]# yum -y install openvpn easy-rsa
5. Navigate to the easy-rsa tools directory:
[root@centos ~]# cd /usr/share/easy-rsa/2.0
6. Edit the vars file to match your data:
[root@centos 2.0]# vi vars
Find the following line
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
and replace it with:
export KEY_CONFIG=/usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
You may edit any other variable to match your needs, but these are the only ones of interest:
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="NewYork"
export KEY_ORG="VPN"
export KEY_EMAIL="[email protected]"
export KEY_OU="AlphaUnit"
7. Clean any previous info:
[root@centos 2.0]# ./clean-all
8. Source the variable environment:
[root@centos 2.0]# source ./vars
9. Build the Certificate Authority (CA) certificate and key:
[root@centos 2.0]# ./build-ca
Note: keys/ca.key is the root of trust for the whole VPN: whoever holds it can issue certificates your server will accept. It is needed on this machine only when issuing or revoking certificates; never copy it to /etc/openvpn or to any client.
10. Build the Diffie-Hellman parameters (if you want more info about this, read the OpenVPN manual):
[root@centos 2.0]# ./build-dh
Note: build-dh takes its size from KEY_SIZE in vars, which is also the RSA key size used for every certificate. The output file in this guide is dh1024.pem, i.e. KEY_SIZE is 1024; that is considered too weak today, so set export KEY_SIZE=2048 in vars (step 6) before sourcing it. The file is then keys/dh2048.pem, so adjust steps 15 and 16 accordingly; generating 2048-bit parameters can take several minutes.
11. Create the Server Certificate and key:
[root@centos 2.0]# ./build-key-server openvpnserver
12. Copy the CA certificate file to OpenVPN configuration directory:
[root@centos 2.0]# cp keys/ca.crt /etc/openvpn/
13. Copy the server certificate to OpenVPN configuration directory:
[root@centos 2.0]# cp keys/openvpnserver.crt /etc/openvpn/
14. Copy the server key to OpenVPN configuration directory:
[root@centos 2.0]# cp keys/openvpnserver.key /etc/openvpn/
15. Copy the Diffie Hellman file to OpenVPN configuration directory:
[root@centos 2.0]# cp keys/dh1024.pem /etc/openvpn/
16. Create the OpenVPN configuration file
[root@centos 2.0]# vi /etc/openvpn/server.conf
and append the following content to it (make sure you replace SERVER_IP_ADDRESS with the actual public IP address of your server):
local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert openvpnserver.crt
key openvpnserver.key
dh dh1024.pem
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
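The configuration above works, but several of its settings are ones a security review would flag: the daemon keeps root for its whole lifetime (no user/group), comp-lzo enables compression inside the tunnel, the management socket has no password, the DH parameters are 1024-bit, redirect-gateway lacks def1, and there is no tls-auth. The script below is an added example, not part of the original guide: a small POSIX shell audit that reads a server.conf and prints one line per such finding, run against the step-16 configuration and against a hardened variant of it. The names ta.key and /etc/openvpn/mgmt.pw in the hardened sample are assumptions (ta.key would be produced with openvpn --genkey --secret ta.key).

```shell
#!/bin/sh
# Added example, not from the original guide: audit an OpenVPN server.conf
# for settings a security review would flag. Pure POSIX sh + grep/awk.
# The first sample below is the step-16 configuration; the second is a
# hardened variant (ta.key and /etc/openvpn/mgmt.pw are assumed names).
set -eu

# has_directive NAME FILE: true if NAME starts a non-comment line of FILE
has_directive() {
    grep -Eq "^[[:space:]]*$1"'([[:space:]]|$)' "$2"
}

# Print one finding per line; print nothing for a clean config.
audit_openvpn_conf() {
    c=$1
    has_directive user  "$c" || echo "no 'user nobody': daemon keeps root after startup"
    has_directive group "$c" || echo "no 'group nobody': daemon keeps root's group"
    has_directive comp-lzo "$c" && echo "comp-lzo: compression inside TLS enables VORACLE-style plaintext recovery"
    grep -Eq '^[[:space:]]*dh[[:space:]]+dh1024' "$c" && echo "dh1024.pem: 1024-bit DH is too weak, rebuild with KEY_SIZE=2048"
    if has_directive management "$c" && ! grep -Eq '^[[:space:]]*management([[:space:]]+[^[:space:]]+){3}' "$c"; then
        echo "management without pw-file: any local user can drive the daemon on TCP 7505"
    fi
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway"' "$c" && echo "redirect-gateway without def1: client default route is replaced, not overridden"
    has_directive tls-auth "$c" || has_directive tls-crypt "$c" || echo "no tls-auth/tls-crypt: TLS handshake is reachable by anyone on the Internet"
    return 0
}

count_findings() { audit_openvpn_conf "$1" | awk 'END { print NR }'; }

WORK=$(mktemp -d)
WEAK_CONF=$WORK/server.conf           # the guide's step-16 configuration
HARD_CONF=$WORK/server-hardened.conf
cat > "$WEAK_CONF" <<'EOF'
local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert openvpnserver.crt
key openvpnserver.key
dh dh1024.pem
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
EOF
cat > "$HARD_CONF" <<'EOF'
local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert openvpnserver.crt
key openvpnserver.key
dh dh2048.pem
tls-auth ta.key 0
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505 /etc/openvpn/mgmt.pw
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
keepalive 10 120
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
EOF
for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_openvpn_conf "$f"
done
```

Run it with sh audit.sh; the step-16 file yields seven findings and the hardened one none. Two of the fixes have consequences elsewhere: dh2048.pem means regenerating the parameters with KEY_SIZE=2048 (step 10), and removing comp-lzo must be mirrored in every client profile or the tunnel will not pass traffic.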
17. Start the OpenVPN server:
[root@centos 2.0]# service openvpn restart
If everything is ok, you should see the following message:
Starting openvpn:                                          [  OK  ]
18. Make sure that openvpn interface is up and running
[root@centos 2.0]# ifconfig -a |grep -A 7 tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.85.1  P-t-P:192.168.85.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
19. Enable IP forwarding and add the firewall rule that masquerades traffic routed through the Virtual Private Network (replace eth0 with the name of your public interface)
[root@centos 2.0]# echo "1" > /proc/sys/net/ipv4/ip_forward
Note: To make this change persistent after reboot, set the following line in /etc/sysctl.conf (CentOS 6 ships it as 0):
net.ipv4.ip_forward=1
[root@centos 2.0]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@centos 2.0]# service iptables save
Note: if the host still has the CentOS 6 default ruleset, this is not enough. Its INPUT chain only accepts SSH and its FORWARD chain rejects everything, so clients will connect but get no traffic through. You also need to accept inbound TCP 443 in INPUT and allow forwarding between tun0 and eth0 ahead of the REJECT rules, then save again.
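The MASQUERADE rule alone does not make the VPN route traffic on a stock CentOS 6 host, because the default /etc/sysconfig/iptables only admits SSH on INPUT and rejects everything on FORWARD. The script below is an added example (not from the original guide) that reads an iptables-save dump, prints the rules still missing for tun0/eth0 and TCP 443, and, when run as root with the argument apply, adds exactly those and persists them with service iptables save. The sample dump is constructed to match the CentOS 6 default ruleset; eth0 is assumed to be the public interface.

```shell
#!/bin/sh
# Added example, not from the original guide. On CentOS 6 the stock
# /etc/sysconfig/iptables only admits SSH on INPUT and REJECTs everything
# on FORWARD, so the MASQUERADE rule above is not enough on its own:
# clients connect but go nowhere. This script reads an `iptables-save`
# dump, lists the rules still missing and (as root, with "apply") adds
# just those. eth0/tun0 and port 443 follow the guide; change WAN_IF if
# your public interface is named differently.
set -eu

VPN_PORT=443
WAN_IF=eth0   # interface holding the public address (assumption)
TUN_IF=tun0

# need PATTERN CMD...: print CMD unless PATTERN already matches a line of $DUMP
need() {
    pat=$1; shift
    printf '%s\n' "$DUMP" | grep -Eq -- "$pat" || printf '%s\n' "$*"
}

# Read an iptables-save dump on stdin; print one iptables command per
# missing rule, nothing when the host is already set up.
missing_vpn_rules() {
    DUMP=$(cat)
    need "^-A INPUT .*-p tcp .*--dport $VPN_PORT .*-j ACCEPT" \
         "iptables -I INPUT -p tcp --dport $VPN_PORT -m state --state NEW -j ACCEPT"
    need "^-A FORWARD -i $TUN_IF -o $WAN_IF -j ACCEPT" \
         "iptables -I FORWARD -i $TUN_IF -o $WAN_IF -j ACCEPT"
    need "^-A FORWARD -i $WAN_IF -o $TUN_IF .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT" \
         "iptables -I FORWARD -i $WAN_IF -o $TUN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    need "^-A POSTROUTING -o $WAN_IF -j MASQUERADE" \
         "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Turn routing on now and across reboots (CentOS 6 ships ip_forward = 0).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}

# Root only: add whatever is missing, then persist it the CentOS 6 way.
apply_vpn_rules() {
    iptables-save | missing_vpn_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd   # deliberately unquoted: run the command generated above
    done
    service iptables save
}

# Constructed sample: the CentOS 6 default ruleset as iptables-save prints it.
CENTOS6_DEFAULT_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

if [ "${1:-}" = apply ]; then
    enable_forwarding
    apply_vpn_rules
else
    echo "Rules a stock CentOS 6 host still needs:"
    printf '%s\n' "$CENTOS6_DEFAULT_DUMP" | missing_vpn_rules
fi
```

Without arguments the script is a dry run against the built-in sample and prints four commands; sh vpn-fw.sh apply on the server inserts them ahead of the REJECT rules (which is why -I rather than -A is used for the filter chains) and writes /etc/sysconfig/iptables. Rerunning it is safe: rules already present are not added twice.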
20. It is time to create a certificate/key pair for each client
Note: Each client needs the following three files:
- ca.crt (the CA certificate) – common to all clients, and public
- clientname.crt (client certificate) – issued to that one client; it is not secret, but do not reuse one certificate on several devices
- clientname.key (client private key) – secret; give it only to its owner
ca.key stays on the server and is never distributed.
To create the client certificate, navigate to /usr/share/easy-rsa/2.0 if you happen to be inside a different directory and issue the following commands:
[root@centos 2.0]# source ./vars
[root@centos 2.0]# ./build-key clientname
Note: Repeat the last step to create a key/certificate pair for each client, using a distinct name every time, and deliver the files over an authenticated, encrypted channel such as SCP or SFTP; do not send the .key by e-mail or plain FTP. If a client's key is lost or the device is retired, revoke its certificate with easy-rsa's revoke-full script and point the crl-verify directive in server.conf at the resulting crl.pem, otherwise the server will keep accepting it.
What follows is an earlier version of this guide, written for CentOS 6.2 at a time when the easy-rsa tools were still bundled with OpenVPN; it also covers a Windows machine as the client.
I am going to set up a GNU/Linux machine, running CentOS 6.2, as the OpenVPN server and a Windows machine as a client.
SERVER
1. Install the EPEL repository.
rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
2. Update the packages:
yum -y update
3. Install OpenVPN:
yum -y install openvpn
4. Navigate to the certificate tools directory:
cd /usr/share/openvpn/easy-rsa/2.0
5. Copy the openssl-1.0.0 configuration file to openssl.cnf, then edit the vars file to match your data:
cp openssl-1.0.0.cnf openssl.cnf
vim vars
You may edit any other variable to match your needs, but these are the only ones of interest:
export KEY_COUNTRY="RO"
export KEY_PROVINCE="BV"
export KEY_CITY="Brasov"
export KEY_ORG="ADesigns"
export KEY_EMAIL="[email protected]"
6. Clean any previous info:
./clean-all
7. Source the variable environment:
source ./vars
8. Build the Certificate Authority (CA) certificate and key:
./build-ca
9. Build the Diffie Hellman file (if you want more info about this, read the OpenVPN manual):
./build-dh
10. Create the Server Certificate and key:
./build-key-server SERVER_NAME
11. Copy the CA certificate file to OpenVPN configuration directory:
cp keys/ca.crt /etc/openvpn/
12. Copy the server certificate to OpenVPN configuration directory:
cp keys/SERVER_NAME.crt /etc/openvpn/
13. Copy the server key to OpenVPN configuration directory:
cp keys/SERVER_NAME.key /etc/openvpn/
14. Copy the Diffie Hellman file to OpenVPN configuration directory:
cp keys/dh1024.pem /etc/openvpn/
15. Create the OpenVPN configuration file:
vim /etc/openvpn/SERVER_NAME.conf
and append the following content to it:
local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert SERVER_NAME.crt
key SERVER_NAME.key
dh dh1024.pem
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#user nobody
#group nobody
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
verb 3
16. Start the OpenVPN server:
service openvpn restart
If everything is ok, you should see the following message:
Starting openvpn:                                          [  OK  ]
CLIENT
Navigate to the OpenVPN site, go to the Community Section and download the Windows installer: http://openvpn.net/index.php/open-source/downloads.html
Create a new file called whatever.ovpn in the OpenVPN config directory (C:\Program Files (x86)\OpenVPN\config by default, next to ca.crt and the client's certificate and key) with the following content:
client
dev tun
proto tcp-client
remote 83.103.190.171 443
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\annamaria.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\annamaria.key"
cipher AES-256-CBC
comp-lzo
verb 3
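Rather than copying three files into C:\Program Files (x86)\OpenVPN\config and editing Windows paths into the profile, the certificates and key can be embedded in the .ovpn itself, so a single file is generated on the server and handed over. The following shell script is an added example, not part of the original guide: it assembles such an inline profile from the easy-rsa 2.0 keys directory created in the server steps, using remote-cert-tls server (the current form of ns-cert-type server; easy-rsa's build-key-server marks server certificates with the matching extendedKeyUsage). The demo at the bottom writes constructed placeholder files into a temporary directory; vpn.example.com and the client name alice are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Instead of shipping ca.crt,
# <client>.crt and <client>.key separately and hard-coding Windows paths in
# the .ovpn, embed all three inline and deliver one file over scp/sftp.
# Assumes the easy-rsa 2.0 keys/ layout produced by the server steps;
# vpn.example.com is a placeholder for the server's public address.
set -eu

# easy-rsa's .crt files carry a human-readable dump above the PEM block;
# OpenVPN's inline parser wants only BEGIN..END.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_ovpn CLIENT KEYS_DIR SERVER_HOST  -> profile on stdout
make_inline_ovpn() {
    client=$1; keys=$2; host=$3
    for f in "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
        [ -s "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto tcp-client
remote $host 443
resolv-retry infinite
nobind
persist-key
persist-tun
# checks the server cert's extendedKeyUsage; the modern form of ns-cert-type server
remote-cert-tls server
cipher AES-256-CBC
# compression must match server.conf; remove it on both ends
comp-lzo
verb 3
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$client.crt")
</cert>
<key>
$(cat "$keys/$client.key")
</key>
EOF
}

# --- demo with constructed, non-functional placeholder files ---
fake_pem() {   # $1 = PEM label; the body is a placeholder, not key material
    cat <<EOF
-----BEGIN $1-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END $1-----
EOF
}
DEMO_KEYS=$(mktemp -d)
{ printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n'; fake_pem CERTIFICATE; } > "$DEMO_KEYS/ca.crt"
{ printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n'; fake_pem CERTIFICATE; } > "$DEMO_KEYS/alice.crt"
fake_pem 'PRIVATE KEY' > "$DEMO_KEYS/alice.key"
make_inline_ovpn alice "$DEMO_KEYS" vpn.example.com > "$DEMO_KEYS/alice.ovpn"
chmod 600 "$DEMO_KEYS/alice.ovpn"   # it now contains the private key
echo "wrote $DEMO_KEYS/alice.ovpn"
```

On the real server the call is make_inline_ovpn clientname /usr/share/easy-rsa/2.0/keys SERVER_IP_ADDRESS > clientname.ovpn, after which the one file is copied with scp and dropped into the Windows config directory. Because the profile now carries the private key, handle it exactly as you would the .key file itself.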
After following this guide I can connect to the vpn but can’t connect to the internet. Any ideas on how to fix this would be appreciated! I noticed using the vpn I can connect to my server cp ip using Firefox but can’t connect to any websites.
Hi, please try to ping 8.8.8.8 (google public dns) and see if you get there.
Did you enable ip_forwarding on the server? (can you ssh to the server?)
cp keys/dh1024.pem /etc/openvpn/
cp: cannot stat `keys/dh1024.pem': No such file or directory
Can someone help me?
Issue
pwd
and provide here the output, make sure you're in the right directory.
When I do service openvpn restart it comes up with failed – what do I do?
What do the logs say? check out these files in /etc/openvpn/
openvpn-status.log
openvpn.log
You should use tail on these to see the messages:
I have followed all the steps and the Linux CentOS server seems to be operating as normal but when I try to connect to the server with OpenVPN GUI it just sticks on Current State: Connecting then it goes Reconnecting over and over again.
Any ideas? Cheers!
Also gives this error in the OpenVPN GUI console before trying to reconnect again.
Fri Nov 06 14:24:20 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 06 14:24:20 2015 TLS Error: TLS handshake failed
Rhys, you have set up to use TLS in GUI. Disable TLS and try again.