
OpenVPN : Configure VPN Server

 

[1]

Install OpenVPN to configure a Virtual Private Network.

This example is based on the following environment.

Configure OpenVPN in bridge mode. br0 and tap0 on the OpenVPN server are created automatically by the service, and the IP address of tap0 on the clients is assigned by the OpenVPN server. Clients can access any computer on the same local network after connecting to the VPN.

Before configuration, it's necessary to configure IP masquerading on the gateway router.

In the example below, connections to x.x.x.x:1194 are forwarded to 192.168.0.30:1194.

                 +----------------------+
                 | [  OpenVPN Server  ] |
             tap0|     dlp.srv.world    |eth0
                 |                      |
                 +-----------+----------+
           192.168.0.30:1194|br0
                            |
                 192.168.0.1|
                     +------+-----+
--------------------|   Router   |---------------------
                     +------+-----+
                            |x.x.x.x:1194
            +---------------+--------------+    Internet
            |                              |
-----------+------------------------------+------------
            |     +------------------+     |
            | tap0|                  |eth0 |
            +-----+    VPN Client    +-----+
       192.168.0.x|                  |10.0.0.10
                  +------------------+

Install OpenVPN.

# install from EPEL

[root@dlp ~]# yum --enablerepo=epel -y install openvpn easy-rsa net-tools bridge-utils

[2]

Create CA certificates.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0 

[root@dlp 2.0]# vi vars

# line 64: change to your own environment

export KEY_COUNTRY="JP"

export KEY_PROVINCE="Hiroshima"

export KEY_CITY="Hiroshima"

export KEY_ORG="GTS"

export KEY_EMAIL="root@dlp.srv.world"

export KEY_OU="Server_World"

[root@dlp 2.0]# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys

[root@dlp 2.0]# ./clean-all 

[root@dlp 2.0]# ./build-ca 

Generating a 2048 bit RSA private key
..............+++
...+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [JP]: # Enter

State or Province Name (full name) [Hiroshima]: # Enter

Locality Name (eg, city) [Hiroshima]: # Enter

Organization Name (eg, company) [GTS]: # Enter

Organizational Unit Name (eg, section) [Server_World]: # Enter

Common Name (eg, your name or your server's hostname) [GTS CA]:   # Enter

Name [EasyRSA]:Server-CA   # change to any name you like

Email Address [root@dlp.srv.world]: # Enter

[3]

Create server certificates.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0 

[root@dlp 2.0]# ./build-key-server server 

Generating a 2048 bit RSA private key
.................................................+++
.................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [JP]: # Enter

State or Province Name (full name) [Hiroshima]: # Enter

Locality Name (eg, city) [Hiroshima]: # Enter

Organization Name (eg, company) [GTS]: # Enter

Organizational Unit Name (eg, section) [Server_World]: # Enter

Common Name (eg, your name or your server's hostname) [server]:   # Enter

Name [EasyRSA]:Server-CRT   # change to any name you like

Email Address [root@dlp.srv.world]: # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok

The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Server-CRT'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Jun 23 05:59:34 2025 GMT (3650 days)

# confirm settings and proceed with yes

Sign the certificate? [y/n]: y

# proceed with yes

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries

Data Base Updated

[4]

Generate Diffie-Hellman (DH) parameters.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0 

[root@dlp 2.0]# ./build-dh 

Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

[5]

Create client certificates.

[root@dlp ~]# cd /usr/share/easy-rsa/2.0 

[root@dlp 2.0]# ./build-key client01 

Generating a 2048 bit RSA private key
............+++
.......................................................+++
writing new private key to 'client01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [JP]: # Enter

State or Province Name (full name) [Hiroshima]: # Enter

Locality Name (eg, city) [Hiroshima]: # Enter

Organization Name (eg, company) [GTS]: # Enter

Organizational Unit Name (eg, section) [Server_World]: # Enter

Common Name (eg, your name or your server's hostname) [client01]:   # Enter

Name [EasyRSA]:client01   # change to any name you like

Email Address [root@dlp.srv.world]: # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok

The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
organizationalUnitName:T61STRING:'Server_World'
commonName            :PRINTABLE:'client01'
name                  :PRINTABLE:'client01'
emailAddress          :IA5STRING:'root@dlp.srv.world'
Certificate is to be certified until Jun 23 06:01:37 2025 GMT (3650 days)

# confirm settings and proceed with yes

Sign the certificate? [y/n]: y

# proceed with yes

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries

Data Base Updated
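As an added example (not part of the original page and not a script shipped with easy-rsa), the following POSIX shell script checks the material that steps [2] through [5] produced under /usr/share/easy-rsa/2.0/keys before it is copied to the server: every certificate chains to ca.crt, every private key matches its certificate, only server.crt carries the server-only extensions that build-key-server adds (nsCertType=server and extendedKeyUsage serverAuth), and no private key is readable by other users. It assumes the openssl command line tool and GNU stat are available, and uses the file names from the steps above; the script name check-keys.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original page): sanity-check the PKI that
# easy-rsa wrote under its keys/ directory before copying it to /etc/openvpn.
# Assumes the openssl CLI and GNU stat. File names (ca.crt, server.crt,
# server.key, client01.crt, client01.key) follow the steps above.

# Does the certificate carry the server-only marker that build-key-server
# sets (extendedKeyUsage serverAuth, printed by openssl as shown)?
is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Does the private key belong to the certificate? Compare the public keys.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Is the certificate signed by this CA?
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Full check for one keys directory; prints findings, returns 0 if clean.
check_easyrsa_keys() {
    dir=$1; status=0
    ca="$dir/ca.crt"
    for name in server client01; do
        crt="$dir/$name.crt"; key="$dir/$name.key"
        chains_to_ca "$ca" "$crt" || { echo "FAIL: $crt is not signed by $ca"; status=1; }
        key_matches_cert "$crt" "$key" || { echo "FAIL: $key does not match $crt"; status=1; }
    done
    # Only the server certificate may be usable as a server: a client
    # certificate carrying server extensions could impersonate the endpoint.
    is_server_cert "$dir/server.crt" || { echo "FAIL: server.crt lacks server extensions"; status=1; }
    if is_server_cert "$dir/client01.crt"; then
        echo "FAIL: client01.crt carries server extensions"; status=1
    fi
    # Private keys must not be readable by group or others.
    for key in "$dir"/*.key; do
        perms=$(stat -c '%a' "$key")   # GNU stat, as on CentOS
        case $perms in
            *[1-7]) echo "FAIL: $key is readable by others (mode $perms)"; status=1 ;;
        esac
    done
    return $status
}

# Usage: sh check-keys.sh /usr/share/easy-rsa/2.0/keys
[ $# -eq 1 ] && check_easyrsa_keys "$1"
```

Run it against the keys directory before the cp in step [6]; a non-zero exit with a FAIL line means the copy should wait until the named file is regenerated or its mode is fixed.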

[6]

Configure and start OpenVPN server.

[root@dlp ~]# cp -pR /usr/share/easy-rsa/2.0/keys /etc/openvpn/keys 

[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/ 

[root@dlp ~]# vi /etc/openvpn/server.conf

# line 32: change if needed (listening port)

port 1194

# line 35: uncomment tcp and comment out udp

proto tcp

;proto udp

# line 52: change to tap, which is used for bridge mode

dev tap0

;dev tun

# line 78: change path for certificates

ca keys/ca.crt

cert keys/server.crt

key keys/server.key

# line 85: change path for DH parameters

dh keys/dh2048.pem

# line 101: comment out

;server 10.8.0.0 255.255.255.0

# line 120: uncomment and change ⇒ [VPN server's IP] [subnet mask] [first IP for clients] [last IP for clients]

server-bridge 192.168.0.30 255.255.255.0 192.168.0.150 192.168.0.199

# line 231: keepalive settings

keepalive 10 120

# line 256: enable compression

comp-lzo

# line 274: enable persist options

persist-key

persist-tun

# line 289: uncomment and specify logs

log /var/log/openvpn.log

log-append /var/log/openvpn.log

# line 299: specify log level (0 - 9, 9 means debug level)

verb 3

[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-start /etc/openvpn/openvpn-startup 

[root@dlp ~]# cp /usr/share/doc/openvpn-*/sample/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown 

[root@dlp ~]# chmod 755 /etc/openvpn/openvpn-startup /etc/openvpn/openvpn-shutdown 

[root@dlp ~]# vi /etc/openvpn/openvpn-startup

# lines 17-20: change to your own environment

eth="eth0"   # change if needed

eth_ip="192.168.0.30"   # IP for bridge interface

eth_netmask="255.255.255.0"   # subnet mask

eth_broadcast="192.168.0.255"   # broadcast address

# add the following to the end: define the default gateway

eth_gw="192.168.0.1"

route add default gw $eth_gw

[root@dlp ~]# cp /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn-bridge.service 

[root@dlp ~]# vi /usr/lib/systemd/system/openvpn-bridge.service

# change the [Service] section as follows

[Service]

PrivateTmp=true

Type=forking

PIDFile=/var/run/openvpn/openvpn.pid

# systemd does not run Exec lines through a shell, so the redirection needs sh -c

ExecStartPre=/bin/sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

ExecStartPre=/etc/openvpn/openvpn-startup

ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --cd /etc/openvpn/ --config server.conf

ExecStopPost=/etc/openvpn/openvpn-shutdown

ExecStopPost=/bin/sh -c 'echo 0 > /proc/sys/net/ipv4/ip_forward'

[root@dlp ~]# systemctl start openvpn-bridge 

[ 1367.964300] device tap0 entered promiscuous mode

[ 1367.967487] IPv6: ADDRCONF(NETDEV_UP): tap0: link is not ready

[ 1367.971388] br0: port 1(eth0) entered forwarding state

[ 1367.972534] br0: port 1(eth0) entered forwarding state

[ 1368.006320] IPv6: ADDRCONF(NETDEV_CHANGE): tap0: link becomes ready

[ 1368.007546] br0: port 2(tap0) entered forwarding state

[ 1368.008452] br0: port 2(tap0) entered forwarding state

[root@dlp ~]# systemctl enable openvpn-bridge 

[7]

Transfer the files "ca.crt", "client01.crt" and "client01.key" from "/etc/openvpn/keys" to the client computer in order to connect to the OpenVPN server.