OpenVPN : Configure VPN Server
[1]
Install OpenVPN to configure a Virtual Private Network.
This example is based on the environment shown below.
OpenVPN is configured in bridge mode: br0 and tap0 on the OpenVPN server are created automatically by the service, and the IP address of tap0 on the clients is assigned by the OpenVPN server. After connecting to the VPN, clients can reach any computer on the same local network.
Before configuration, it is necessary to configure IP Masquerading on the gateway router.
In the example below, connections to x.x.x.x:1194 are forwarded to 192.168.0.30:1194.
[Network diagram: OpenVPN server dlp.srv.world (eth0 192.168.0.30:1194, bridged as br0 together with tap0) behind a router at 192.168.0.1 whose public address is x.x.x.x:1194; a VPN client on the Internet (eth0 10.0.0.10) receives a 192.168.0.x address on its tap0.]
Install OpenVPN.
# install from EPEL
[root@dlp ~]# yum --enablerepo=epel -y install openvpn easy-rsa net-tools bridge-utils
[2]
Create CA certificates.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# vi vars
# line 64: change to your own environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="root@dlp.srv.world"
export KEY_OU="Server_World"
[root@dlp 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
[root@dlp 2.0]# ./clean-all
[root@dlp 2.0]# ./build-ca
Generating a 2048 bit RSA private key
..............+++
...+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) [Server_World]: # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]: # Enter
Name [EasyRSA]:Server-CA # change to any name you like
Email Address [root@dlp.srv.world]: # Enter
[3]
Create server certificates.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
.................................................+++
.................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) [Server_World]: # Enter
Common Name (eg, your name or your server's hostname) [server]: # Enter
Name [EasyRSA]:Server-CRT # change to any name you like
Email Address [root@dlp.srv.world]: # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Hiroshima'
localityName :PRINTABLE:'Hiroshima'
organizationName :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName :PRINTABLE:'server'
name :PRINTABLE:'Server-CRT'
emailAddress :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Jun 23 05:59:34 2025 GMT (3650 days)
# confirm settings and proceed with yes
Sign the certificate? [y/n]: y
# proceed with yes
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
[4]
Generate Diffie-Hellman (DH) parameters.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[5]
Create client certificates.
[root@dlp ~]# cd /usr/share/easy-rsa/2.0
[root@dlp 2.0]# ./build-key client01
Generating a 2048 bit RSA private key
............+++
.......................................................+++
writing new private key to 'client01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) [Server_World]: # Enter
Common Name (eg, your name or your server's hostname) [client01]: # Enter
Name [EasyRSA]:client01 # change to any name you like
Email Address [root@dlp.srv.world]: # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Hiroshima'
localityName :PRINTABLE:'Hiroshima'
organizationName :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName :PRINTABLE:'client01'
name :PRINTABLE:'client01'
emailAddress :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Jun 23 06:01:37 2025 GMT (3650 days)
# confirm settings and proceed with yes
Sign the certificate? [y/n]: y
# proceed with yes
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
[6]
Configure and start the OpenVPN server.
[root@dlp ~]# cp -pR /usr/share/easy-rsa/2.0/keys /etc/openvpn/keys
[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
[root@dlp ~]# vi /etc/openvpn/server.conf
# line 32: change if needed (listening port)
port 1194
# line 35: uncomment tcp and comment out udp
proto tcp
;proto udp
# line 52: change to tap which uses bridge mode
dev tap0
;dev tun
# line 78: change path for certificates
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# line 85: change path for certificates
dh keys/dh2048.pem
# line 101: comment out
;server 10.8.0.0 255.255.255.0
# line 120: uncomment and change ⇒ [VPN server's IP] [subnet mask] [IP range handed out to clients]
server-bridge 192.168.0.30 255.255.255.0 192.168.0.150 192.168.0.199
# line 231: keepalive settings
keepalive 10 120
# line 256: enable compression
comp-lzo
# line 274: enable persist options
persist-key
persist-tun
# line 289: uncomment and specify logs
log /var/log/openvpn.log
log-append /var/log/openvpn.log
# line 299: specify log level (0 - 9, 9 means debug level)
verb 3
[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-start /etc/openvpn/openvpn-startup
[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown
[root@dlp ~]# chmod 755 /etc/openvpn/openvpn-startup /etc/openvpn/openvpn-shutdown
[root@dlp ~]# vi /etc/openvpn/openvpn-startup
# lines 17-20: change to your own environment
eth="eth0" # change if needed
eth_ip="192.168.0.30" # IP for the bridge interface
eth_netmask="255.255.255.0" # subnet mask
eth_broadcast="192.168.0.255" # broadcast address
# add the following at the end: define the default gateway
eth_gw="192.168.0.1"
route add default gw $eth_gw
[root@dlp ~]# cp /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn-bridge.service
[root@dlp ~]# vi /usr/lib/systemd/system/openvpn-bridge.service
# change the [Service] section as follows
# note: systemd does not perform shell redirection, so "echo 1 > file" must be run through /bin/sh
[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/openvpn.pid
ExecStartPre=/bin/sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
ExecStartPre=/etc/openvpn/openvpn-startup
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --cd /etc/openvpn/ --config server.conf
ExecStopPost=/etc/openvpn/openvpn-shutdown
ExecStopPost=/bin/sh -c 'echo 0 > /proc/sys/net/ipv4/ip_forward'
[root@dlp ~]# systemctl start openvpn-bridge
[ 1367.964300] device tap0 entered promiscuous mode
[ 1367.967487] IPv6: ADDRCONF(NETDEV_UP): tap0: link is not ready
[ 1367.971388] br0: port 1(eth0) entered forwarding state
[ 1367.972534] br0: port 1(eth0) entered forwarding state
[ 1368.006320] IPv6: ADDRCONF(NETDEV_CHANGE): tap0: link becomes ready
[ 1368.007546] br0: port 2(tap0) entered forwarding state
[ 1368.008452] br0: port 2(tap0) entered forwarding state
[root@dlp ~]# systemctl enable openvpn-bridge
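The bridge-mode settings in server.conf have to agree with each other: server-bridge only works with a tap device, must not be combined with an active "server" line, and its client pool has to sit inside the bridge subnet without covering the server's own address. The following Python check is an added example, not code from this page or from the OpenVPN project; SAMPLE_CONF is a constructed copy of the page's directives and the function names are chosen here.

```python
# Added example (not from the page or the OpenVPN project): a consistency check
# for the bridge-mode server.conf above. SAMPLE_CONF is a constructed copy of
# the page's active directives; the function names are chosen here.
import ipaddress

SAMPLE_CONF = """\
port 1194
proto tcp
;proto udp
dev tap0
;dev tun
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.0.30 255.255.255.0 192.168.0.150 192.168.0.199
keepalive 10 120
"""

def parse_openvpn_conf(text):
    """Return {directive: [args]} for active lines; ';' and '#' start comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf

def check_bridge_config(conf):
    """List problems with the dev / server-bridge settings (empty list = OK)."""
    problems = []
    dev = conf.get("dev", [""])[0]
    if not dev.startswith("tap"):
        problems.append("server-bridge requires a tap device, found dev=%r" % dev)
    if "server" in conf:
        problems.append("'server' (tun mode) and 'server-bridge' must not both be active")
    args = conf.get("server-bridge")
    if not args or len(args) != 4:
        problems.append("server-bridge needs: gateway netmask pool-start pool-end")
        return problems
    gw, mask, start, end = args
    net = ipaddress.IPv4Network("%s/%s" % (gw, mask), strict=False)
    start_ip, end_ip = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if start_ip not in net or end_ip not in net:
        problems.append("client pool %s-%s lies outside the bridge subnet %s" % (start, end, net))
    if start_ip > end_ip:
        problems.append("pool start %s is after pool end %s" % (start, end))
    if start_ip <= ipaddress.IPv4Address(gw) <= end_ip:
        problems.append("server address %s lies inside the client pool" % gw)
    return problems
```

Run it against the real file with `check_bridge_config(parse_openvpn_conf(open("/etc/openvpn/server.conf").read()))` before starting the service; an empty list means the directives are consistent.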
[7]
Transfer the files "ca.crt", "client01.crt" and "client01.key" from "/etc/openvpn/keys" to the client computer in order to connect to the OpenVPN server.