Build OpenVPN server with CentOS6


OpenVPN is free, open-source software for creating an encrypted Virtual Private Network (VPN) tunnel. It lets you build a dedicated network channel, similar to a LAN, between separate network access points such as your home, your office, and a hotel room.

Used together with a proxy server, OpenVPN can also be used to reach websites that are blocked locally, such as YouTube, Facebook, and Twitter, or to bypass a company's network restrictions.


I. Server installation and configuration

Server Environment: Clean CentOS6.3 64-bit System

Intranet IP Address: 10.143.80.116

Internet IP Address: 203.195.xxx.xxx

OpenVPN 2.3.2 x86_64-RedHat-linux-gnu

1. Preparations before installation

# Disable SELinux
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config

# Install openssl and lzo. lzo compresses tunnel traffic to speed up transmission.
yum -y install openssl-devel
yum -y install lzo

# Install the EPEL repository
rpm -ivh http://mirrors.sohu.com/Fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo

2. Install and configure OpenVPN and easy-rsa

# Install openvpn and easy-rsa
yum -y install openvpn easy-rsa

# Edit the vars file
cd /usr/share/easy-rsa/2.0/
vim vars

# Set the certificate registration details: country, province, city, organisation, e-mail, and department.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shandong"
export KEY_CITY="Qingdao"
export KEY_ORG="MyOrganization"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# Load the environment variables
source vars

# Remove all existing certificate-related files from the keys directory.
# The certificates and keys generated in the following steps are written to /usr/share/easy-rsa/2.0/keys.
./clean-all

# Generate the root certificate ca.crt and root key ca.key (press Enter at every prompt)
./build-ca

# Generate the server certificate and key, named "server" (press Enter at every prompt; answer y at both y/n prompts)
./build-key-server server

# Every VPN client that logs on needs its own certificate, and each certificate can be used by only one client at a time. Two client certificates are created here.
# Generate a certificate and key for each client (press Enter at every prompt; answer y at both y/n prompts)
./build-key client1
./build-key client2

# Create the Diffie-Hellman parameters, producing dh2048.pem (generation is slow; do not interrupt it)
./build-dh

# Generate ta.key, the tls-auth key (defends against DoS, UDP floods, and similar attacks on the control channel)
openvpn --genkey --secret keys/ta.key

View the files generated in the keys directory:

3. Create a server configuration file

# Create a keys directory under the openvpn configuration directory
mkdir /etc/openvpn/keys

# Copy the certificates and keys openvpn needs into the new keys directory.
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/

# Copy the sample server configuration file server.conf to /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.2/sample-config-files/server.conf /etc/openvpn/
# View the active (uncommented) settings in server.conf
grep '^[^#;]' /etc/openvpn/server.conf
# Edit server.conf
vim /etc/openvpn/server.conf

port 1194
# Change to tcp. udp is the default; if clients connect through an HTTP proxy, tcp is required.
proto tcp
dev tun
# Paths are relative to /etc/openvpn, so the full path here is /etc/openvpn/keys/ca.crt.
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh2048.pem
# Subnet of the virtual LAN; it must not overlap with the real LAN.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# 10.0.0.0/8 is the intranet CIDR block behind my VPN server. Change it to match your own network.
push "route 10.0.0.0 255.0.0.0"
# Allow clients to reach each other directly through openvpn's own forwarding; enable as needed.
client-to-client
# Required if several clients connect with the same certificate and key; otherwise each certificate allows only one connection at a time.
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0  # This file is secret
comp-lzo
persist-key
persist-tun
# OpenVPN status log; the default is /etc/openvpn/openvpn-status.log
status openvpn-status.log
# OpenVPN operation log; the default is /etc/openvpn/openvpn.log
log-append openvpn.log
# Change to verb 5 to see more debugging information
verb 5

4. Configure the kernel and firewall, then start the service

# Enable IP forwarding
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p

# Configure the firewall. Do not forget to save the rules.
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save

# Start openvpn and enable it at boot
service openvpn start
chkconfig openvpn on

5. Create a client configuration file

# Copy the client.conf template and name it client.ovpn
cp /usr/share/doc/openvpn-2.3.2/sample-config-files/client.conf client.ovpn
# Edit client.ovpn
vim client.ovpn

client
dev tun
# Change to tcp
proto tcp
# The OpenVPN server's Internet IP address and port
remote 203.195.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# client1's certificate
cert client1.crt
# client1's key
key client1.key
ns-cert-type server
# Uncomment the tls-auth line in the template
tls-auth ta.key 1
comp-lzo
verb 3
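Once the server side (steps 3 and 4) is in place, a quick sanity check of /etc/openvpn catches the two mistakes that most often stop the service or leak key material: a directive pointing at a file that was never copied, and a private key or ta.key left readable by other users. The script below is an added example, not part of the original tutorial; it assumes the layout used above (server.conf in the config directory, key paths relative to it, as OpenVPN resolves them) and a POSIX shell with ls, awk and grep.

```shell
#!/bin/sh
# check_openvpn_conf.sh: sanity-check an OpenVPN server.conf before starting the service.
# Example script, not part of the tutorial; assumes the /etc/openvpn layout described above.

# Print the file named by a directive ("ca", "cert", "key", "dh", "tls-auth"); first match only.
conf_file_for() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeed only if the file has no group/other permission bits (e.g. mode 600).
owner_only() {      # $1 = path
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check one config directory: every referenced file must exist, and the secret
# material (key, tls-auth) must not be group/world readable.
# Prints each problem and returns the number of problems found.
check_openvpn_conf() {   # $1 = directory containing server.conf
    dir=$1; conf="$dir/server.conf"; problems=0
    for d in ca cert key dh tls-auth; do
        f=$(conf_file_for "$conf" "$d")
        if [ -z "$f" ]; then
            echo "missing directive: $d"; problems=$((problems + 1)); continue
        fi
        # OpenVPN resolves relative paths against its config directory (cd /etc/openvpn)
        case $f in /*) p=$f ;; *) p="$dir/$f" ;; esac
        if [ ! -f "$p" ]; then
            echo "$d refers to a missing file: $p"; problems=$((problems + 1)); continue
        fi
        case $d in
            key|tls-auth)
                owner_only "$p" || { echo "$d file $p is readable by group/other"; problems=$((problems + 1)); } ;;
        esac
    done
    # duplicate-cn lets many clients share one certificate, so a leaked certificate
    # cannot be traced to a single user; worth a reminder, not counted as a problem.
    grep -q '^duplicate-cn' "$conf" && echo "note: duplicate-cn is enabled; one leaked certificate serves many clients"
    return $problems
}

# Usage: sh check_openvpn_conf.sh /etc/openvpn
if [ $# -gt 0 ]; then
    check_openvpn_conf "$1"
fi
```

A non-zero exit status is the number of problems found, so the script can gate `service openvpn start` in a deployment step.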
