Build an OpenVPN service environment using CentOS

Source: Internet
Author: User
Tags: vars vps openvpn gui


I will not say much about the purpose of an OpenVPN environment, because anyone reading this should already know why they need this tutorial. It was prepared by @qingliu over several hours and several reinstall runs, so if you follow it you should be able to install and use OpenVPN. The VPS environment is CentOS 6; if you want to install it, read the following tutorial carefully.

Step 1: Install OpenVPN and all required software on the VPS

A: Install the EPEL repository.

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

B: Install OpenVPN

yum install openvpn

C: Install the latest easy-rsa. This package is used to create the CA certificate, the server certificate and the client certificates. The latest version is easy-rsa 3.

wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip

If your machine does not have the unzip command, refer to the article "Installing the unzip package on a Linux VPS".

D: Rename the decompressed folder easy-rsa-master to easy-rsa.

mv easy-rsa-master/ easy-rsa/

Copy the easy-rsa folder to the /etc/openvpn/ directory.

cp -R easy-rsa/ /etc/openvpn/

Step 2: Edit the vars file and configure it according to your environment

A: First go to the /etc/openvpn/easy-rsa/easyrsa3 directory.

cd /etc/openvpn/easy-rsa/easyrsa3/

B: Copy vars.example to vars.

cp vars.example vars

C: Modify the following fields. Run vi vars, edit them, and finally save with :wq.

set_var EASYRSA_REQ_COUNTRY  "CN"   # change as needed
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY     "Tong"
set_var EASYRSA_REQ_ORG      "qingliu Certificate"
set_var EASYRSA_REQ_EMAIL    "shuiqingliu14@gmail.com"
set_var EASYRSA_REQ_OU       "My OpenVPN"

Step 3: Create a server certificate and key

A: Enter the /etc/openvpn/easy-rsa/easyrsa3/ directory and initialize the PKI:

./easyrsa init-pki

B: Create the root (CA) certificate.

./easyrsa build-ca

As follows:

Generating a 2048 bit RSA private key
...........................................+++
...+++
writing new private key to '/root/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:qingliu

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is:
/root/easy-rsa/easyrsa3/pki/ca.crt

Note: in the step above you enter the PEM pass phrase twice. Remember this passphrase; without it you cannot sign certificates later. You also need to enter a Common Name; choose any unique name you like.

E.g.: Common Name (eg: your user, host, or server name) [Easy-RSA CA]:qingliu

I entered qingliu

C: Create a server certificate

./easyrsa gen-req server nopass

As follows:

[root@localhost easyrsa3]# ./easyrsa gen-req server nopass
Generating a 2048 bit RSA private key
................................................................................+++
............................+++
writing new private key to '/root/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:shuiqingliu

Keypair and certificate request completed. Your files are:
req: /root/easy-rsa/easyrsa3/pki/reqs/server.req
key: /root/easy-rsa/easyrsa3/pki/private/server.key

During this step you need to enter a Common Name; it must not be the same as the one used for the root certificate.

Sign the server certificate:

./easyrsa sign-req server server

As follows:

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = shuiqingliu

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /root/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'shuiqingliu'
Certificate is to be certified until Apr 20 06:02:10 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/easy-rsa/easyrsa3/pki/issued/server.crt

For this command you must confirm the signing by typing yes and then provide the passphrase set when the CA was created. If you have forgotten that passphrase, start over.

D: Generate the Diffie-Hellman parameters, which allow the key exchange to cross an insecure network:

./easyrsa gen-dh

As follows:

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........+.....................................+..+........................................................................................................+
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

Step 4: Create a client certificate

A: Go to the root directory and create a client folder (you can name it as you like), copy the extracted easy-rsa folder into it, and enter the following directory:

cd /root/
mkdir client
cp -R easy-rsa/ client/
cd client/easy-rsa/easyrsa3/

B: Initialize the PKI

./easyrsa init-pki

C: Create a client key and certificate request (you will be asked to set your own passphrase for the key)

./easyrsa gen-req qingliu   # you can choose any name

D: Import the resulting qingliu.req on the server side and sign the certificate.

a. Enter /etc/openvpn/easy-rsa/easyrsa3/

cd /etc/openvpn/easy-rsa/easyrsa3/

b. Import the request

./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qingliu.req qingliu

c. Sign the certificate

./easyrsa sign-req client qingliu

# The type must be client here, and qingliu must match the name given to import-req.

Signing the client certificate proceeds the same way as for the server, so it is not repeated here, but you still need to enter the CA passphrase.

E: This step is very important. Let's review what we have generated so far.

Server (/etc/openvpn/easy-rsa/ folder):

/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/qingliu.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingliu.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

Client (/root/client/easy-rsa folder):

/root/client/easy-rsa/easyrsa3/pki/private/qingliu.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qingliu.req   # this is the file imported on the server

a. Copy these files to their final locations. Place the following files in the /etc/openvpn/ directory with:

cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn

The above four files are now under the /etc/openvpn directory.

b. Place the following files in the /root/client directory with:

cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingliu.crt /root/client
cp /root/client/easy-rsa/easyrsa3/pki/private/qingliu.key /root/client

The above three files (ca.crt, qingliu.crt and qingliu.key) are now in the /root/client directory.

Step 5: Write a configuration file for the server

When OpenVPN is installed, a sample server configuration file is provided in:

/usr/share/doc/openvpn-2.3.2/sample-config-files

This directory contains a server.conf file. Copy it to /etc/openvpn:

cp /usr/share/doc/openvpn-2.3.2/sample-config-files/server.conf /etc/openvpn

Then edit the configuration with vi server.conf as follows:

local 192.227.161.xx        # replace with your own VPS IP address
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3

Each option is explained at length in the sample server.conf that ships with OpenVPN. The settings above are already present in that file; we only need to remove the leading comment marker and then set our own values.

Step 6: Download and configure the OpenVPN client

A: Use sftp to download the client certificate and key generated on the VPS to the client computer:

ca.crt  qingliu.crt  qingliu.key   # these three files

B: Download the OpenVPN client from the official website, install it, and find sample-config in the installation directory:

D:\Program Files\OpenVPN\sample-config\client.ovpn

Copy client.ovpn to D:\Program Files\OpenVPN\config. Of course, I installed the client on the D drive; choose the path according to your own installation.

Put the three downloaded files under D:\Program Files\OpenVPN\config and then:

Edit the configuration file:

client
dev tun
proto udp
remote 192.227.161.xx 1194   # replace with your own VPS IP address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                    # the certificate and key files go here
cert qingliu.crt
key qingliu.key
comp-lzo
verb 3

Only one option per line.

Step 7: Testing and troubleshooting

A: Start the openvpn service on the VPS.

service openvpn start

Oh, unfortunately, the service failed to start!!!

But when you run:

openvpn /etc/openvpn/server.conf

it runs. Solution:

Delete ipp.txt and openvpn-status.log under /etc/openvpn/

Then the service can be started. If this does not solve the problem, look at /var/log/messages and analyze the cause.
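A preflight check for the server.conf from Step 5 and the client.ovpn from Step 6, added here as an example and not part of the original tutorial. It reads a config, resolves the files named by the ca, cert, key and dh directives against the config's own directory (where the service looks when started from /etc/openvpn), reports missing files, checks that the private key is not readable by group or others, and points out leftover ipp.txt / openvpn-status.log files from an earlier run, since those are what this step deletes when the service refuses to start. The function names are my own; `stat -c %a` (GNU) and `stat -f %Lp` (BSD) are the real commands used to read permission bits.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): preflight check for an OpenVPN
# server.conf or client.ovpn, run before "service openvpn start" or before
# loading the profile in the client. Returns 0 when nothing is wrong.

# Print the value of the first uncommented line that starts with the directive.
# Lines commented with '#' or ';' never match because the marker is part of $1.
ovpn_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Make a path absolute; a relative path is taken relative to the config directory.
ovpn_resolve() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

ovpn_preflight() {
    conf="$1"
    dir=$(dirname "$conf")
    problems=0
    is_client=0
    grep -q '^[[:space:]]*client[[:space:]]*$' "$conf" && is_client=1

    for directive in ca cert key dh; do
        value=$(ovpn_directive "$conf" "$directive")
        if [ -z "$value" ]; then
            # dh parameters are only needed on the server side
            if [ "$directive" = dh ] && [ "$is_client" -eq 1 ]; then
                continue
            fi
            echo "PROBLEM: no '$directive' directive in $conf"
            problems=$((problems + 1))
            continue
        fi
        file=$(ovpn_resolve "$dir" "$value")
        if [ ! -f "$file" ]; then
            echo "PROBLEM: $directive file not found: $file"
            problems=$((problems + 1))
            continue
        fi
        if [ "$directive" = key ]; then
            # octal permission bits (GNU stat first, BSD stat as fallback)
            mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
            case "$mode" in
                *00) ;;   # group and others have no access: fine
                *)  echo "PROBLEM: $file has mode $mode; the private key should be 0600"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done

    # Leftover state from an earlier run: harmless in itself, but these are the
    # files the tutorial removes when "service openvpn start" fails.
    for directive in ifconfig-pool-persist status; do
        value=$(ovpn_directive "$conf" "$directive")
        [ -n "$value" ] || continue
        file=$(ovpn_resolve "$dir" "$value")
        [ -f "$file" ] && echo "NOTE: leftover $directive file from an earlier run: $file"
    done

    return "$problems"
}

# Usage: sh ovpn_preflight.sh /etc/openvpn/server.conf
if [ -n "$1" ]; then
    ovpn_preflight "$1"
fi
```

Run it with the path of the config as its only argument; a non-zero exit status means at least one PROBLEM line was printed. A NOTE about a leftover ipp.txt or openvpn-status.log is informational only, so it does not affect the exit status.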

B: Start the client.

Start the OpenVPN GUI. Note that after startup you need to enter the passphrase you set when creating qingliu.key, as I told you before. You then get to the following page:

If you cannot connect for a long time, you need to check the error log. I encountered an error at the first connection, a TLS error, which has been fixed: the # ns-cert-type server line in the client configuration file is commented out, so that no error will occur. I provide you with configuration option 1 to fix the problem.

After the above operations, your OpenVPN should be running, as shown below:

If it does not work properly, follow these steps: check the client and server logs -> Google the errors and look for the answer in the official OpenVPN forum -> solve it.
