Build openvpn server in Centos6.5

Build openvpn server in Centos6.5

Because the new version of openvpn does not contain the most important certificate preparation part: easy-rsa, You need to download easyrsa in advance and download it on GitHub. The configuration process will be shown in the following step, this deployment uses the easy-rsa3, And the easy-rsa2.0 operation is completely different, other online on the easy-rsa2.0 of the tutorial is not suitable for this deployment

Before deploying openvpn, it is best to use ntpdate to synchronize the Time of the server. Otherwise, the certificate generation time is inaccurate, which may cause errors such as centificate error!

1. Install lzo

Lzo is a data compression algorithm dedicated to decompression speed.

[Root @ vpn ~] # Wgethttp: // www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz

[Root @ vpn ~] #Tarxflzo-2.09.tar.gz

[Root @ vpn ~] # Cdlzo-2.09

[Root@vpnlzo-2.09] #./configure & make & makeinstall

2. Install openvpn

[Root @ vpn ~] # Yum install-yopenssl-devel

[Root @ vpn ~] # Wgethttps: // swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz

[Root @ vpn ~] # Tar zxvfopenvpn-2.3.11.tar.gz

[Root @ vpn ~] # Cdopenvpn-2.3.11

[Root@vpnopenvpn-2.3.4] #./configure -- with-lzo-headers =/usr/local/include/-- with-lzo-lib =/usr/local/lib

[Root@vpnopenvpn-2.3.4] # make & makeinstall

# Whichopenvpn [root@vpnopenvpn-2.3.4]

/Usr/local/sbin/openvpn # The openvpn is successfully installed.

3. Configure the easyrsa Server

Openvpn-2.3.11 software package does not contain certificate (ca certificate, server certificate, client certificate) production tool, so you also need to download easy-rsa separately, the latest for easy-rsa3

[Root @ vpn ~] # Wgethttps: // github.com/OpenVPN/easy-rsa/archive/master.zip

[Root @ vpn ~] Unzip unzipmaster.zip

[Root @ vpn ~] # Mveasy-rsa-mastereasy-rsa

[Root @ vpn ~] # Cp-Reasy-rsa // usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/

[Root @ vpneasyrsa3] # cpvars. examplevars

[Root @ vpneasyrsa3] # vimvars

Set_varEASYRSA_REQ_COUNTRY "CN"

Set_varEASYRSA_REQ_PROVINCE "Beijing"

Set_varEASYRSA_REQ_CITY "Beijing"

Set_varEASYRSA_REQ_ORG "qiangshCertificate"

Set_varEASYRSA_REQ_EMAIL "503579266@qq.com"

Set_varEASYRSA_REQ_OU "MyOpenVPN"

4. Create a server certificate and key

(1) initialization

[Root @ vpneasyrsa3] # ls

Easyrsaopenssl-1.0.cnfvarsvars.examplex509-types

[Root @ vpneasyrsa3] #

[Root @ vpneasyrsa3] #./easyrsainit-pki

Note: using Easy-RSAconfiguration from:./vars

Init-pki complete; you may nowcreate a CA or requests.

Your newly created PKI dir is:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki

(2) create a root certificate

[Root @ vpneasyrsa3] #./easyrsabuild-ca

Note: using Easy-RSAconfiguration from:./vars

Generating a 2048 bit RSA privatekey

... ++

........................ ++

Writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key. GiibbqFhXm'

Enter PEM pass phrase: # Enter the password. This password is used to sign the certificate.

Verifying-Enter PEM passphrase: # Enter the password again

-----

You are about to be asked toenter information that will be ininitialized

Into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host, or server name) [Easy-rsa ca]: qiangsh # enter a Common Name

CA creation complete and you maynow import and sign cert requests.

Your new CA certificate file forpublishing is:

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt

(3) create a server certificate

[Root @ vpneasyrsa3] #./easyrsagen-reqservernopass

Note: using Easy-RSAconfiguration from:./vars

Generating a 2048 bit RSA privatekey

....................................... ++

...................................... ++

Writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key. migrh2b6ss'

-----

You are about to be asked toenter information that will be ininitialized

Into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host, or server name) [server]: qiangsh-BJ # This Common Name must not be the same as the one used to create the root certificate !!!

Keypair and certificate requestcompleted. Your files are:

Req:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server. req

Key:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key

(4) sign up for the server certificate

[Root @ vpneasyrsa3] #./easyrsasignserverserver

Note: using Easy-RSAconfiguration from:./vars

You are about to sign thefollowing certificate.

Please check over the detailsshown below for accuracy. Note that this request

Has not been cryptographicallyverified. Please be sure it came from a trusted

Source or that you have verifiedthe request checksum with the sender.

Request subject, to be signed asa server certificate for 3650 days:

Subject =

CommonName = qiangsh-BJ

Type the word 'yes' to continue, or any other input to abort.

Confirm request details: yes # Enter yes to continue

Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf

Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key: # Enter the password used to create the root certificate.

Check that the request matchesthe signature

Signature OK

The Subject's Distinguished Nameis as follows

CommonName: PRINTABLE: 'qiangsh-BJ'

Certificate is to be certifieduntil Jun 6 07:19:45 2026 GMT (3650 days)

Write out database with 1 newentries

Data Base Updated

Certificate created at:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server. crt

(5) create a Diffie-Hellman command to ensure that the key crosses the insecure network:

[Root @ vpneasyrsa3] #./easyrsagen-dh

Note: using Easy-RSAconfiguration from:./vars

Generating DH parameters, 2048bit long safe prime, generator 2

This is going to take a long time

........................................ .................................. + ........................... + ....................................... ...................... + ........................... + ....................................... ........................................ ........................................ ........................................ ........................................ ........................................ .. + ....................................... ........................................ ........................................ ........ + .. + ....................................... .......................... + ....................................... ........................................ ........... + .............. + ....................................... ........................................ ........................................ ........................................ ................ + ....................................... ........................................ ......... + ....................................... ........................................ + ....................................... ......... + .......... ++ *

DH parameters of size 2048 created at/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh. pem

5. Create a client certificate

(1) create a client directory under the root directory

[Root @ vpneasyrsa3] # cd

[Root @ vpn ~] # Mkdirclient

[Root @ vpn ~] # Cp-R/mnt/easy-rsa/client/

(2) initialization

[Root @ vpn ~] # Cdclient/easy-rsa/easyrsa3/

[Root @ vpneasyrsa3] # ls

Easyrsaopenssl-1.0.cnfvarsvars.examplex509-types

[Root @ vpneasyrsa3] #./easyrsainit-pki

Note: usingEasy-RSAconfigurationfrom:./vars

Init-pkicomplete; youmaynowcreateaCAorrequests.

YournewlycreatedPKIdiris:/root/client/easy-rsa/easyrsa3/pki

(3) create a client key and generate a certificate

[Root @ vpneasyrsa3] #./easyrsagen-reqqiangsh

Generating a 2048 bit RSA privatekey

..............................

........................................ ................ ++

Writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key. ld7wk6hmqq'

Enter PEM pass phrase: # Enter the password

Verifying-Enter PEM passphrase: # Enter the password again

-----

You are about to be asked toenter information that will be ininitialized

Into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host, or server name) [qiangsh]: qiangsh # Enter qiangsh

Keypair and certificate request completed. Your files are:

Req:/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh. req

Key:/root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key

(4) import the obtained qiangsh. req and sign the certificate.

[Root @ vpn ~] # Cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/

[Root @ vpneasyrsa3] # import req

[Root @ vpneasyrsa3] #./easyrsa import-req/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh. reqqiangsh

Note: using Easy-RSAconfiguration from:./vars

The request has been successfullyimported with a short name of: qiangsh

You may now use this name toperform signing operations on this request.

[Root @ vpneasyrsa3] # signing Certificate

[Root @ vpneasyrsa3] #./easyrsasignclientqiangsh

Note: using Easy-RSAconfiguration from:./vars

You are about to sign thefollowing certificate.

Please check over the detailsshown below for accuracy. Note that this request

Has not been cryptographicallyverified. Please be sure it came from a trusted

Source or that you have verifiedthe request checksum with the sender.

Request subject, to be signed asa client certificate for 3650 days:

Subject =

CommonName = qiangsh

Type the word 'yes' to continue, or any other input to abort.

Confirm request details: yes # Enter yes

Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf

Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key: # Enter the password when creating the root certificate

Check that the request matchesthe signature

Signature OK

The Subject's Distinguished Nameis as follows

CommonName: PRINTABLE: 'qiangsh'

Certificate is to be certifieduntil Jun 6 07:50:02 2026 GMT (3650 days)

Write out database with 1 newentries

Data Base Updated

Certificate created at:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh. crt # contract successful

(5) files generated by the server and client

Server :(/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/) folder

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server. req

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh. req

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server. crt

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh. crt

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh. pem

Client :(/root/client/easy-rsa)

/Root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key

/Root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh. req # This file is imported to the server.

(6) copy the server key and certificate to the openvpn directory.

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server. crt/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh. pem/usr/local/share/doc/openvpn/

(7) copy the client key and certificate to the client directory.

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt/root/client/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh. crt/root/client/

[Root @ vpn ~] # Cp/root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key/root/client/

(8) Write a configuration file for the server

When openvpn is installed, it provides an example of the server configuration file.

Copy the openvpn directory in this example and configure

[Root @ vpn ~] # Cp/mnt/openvpn-2.3.11/sample-config-files/server. conf/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Vim/usr/local/share/doc/openvpn/server. conf

Local192.168.1.100 # (self-built vpsIP)

Port1194

Protoudp

Devtun

Ca/usr/local/share/doc/openvpn/ca. crt

Cert/usr/local/share/doc/openvpn/server. crt

Key/usr/local/share/doc/openvpn/server. key # Thisfileshouldbekeptsecret

Dh/usr/local/share/doc/openvpn/dh. pem

Server10.8.0.0255.255.255.0

Ifconfig-pool-persistipp.txt

Push redirect-gatewaydef1bypass-dhcp"

Push dhcp-optionDNS8.8.8.8"

Keepalive10120

Comp-lzo

Max-clients100

Persist-key

Persist-tun

Statusopenvpn-status.log

Verb3

(9) enable the system forwarding function

[Root @ vpn ~] # Vim/etc/sysctl. conf

Net. ipv4.ip _ forward = 0 to net. ipv4.ip _ forward = 1

[Root @ vpn ~] # Sysctl-p

[Root @ vpn ~] # Sysctl-a | grepnet. ipv4.ip _ forward

Net. ipv4.ip _ forward = 1

(10) encapsulated data packets (eth0 is the network card of your vps Internet ):

/Sbin/iptables-tnat-IPOSTROUTING-s10.8.0.0/rj0000255.0-oeth0-jMASQUERADE

Iii. DownloadOpenvpnClient and configure

1. Copy the client key and certificate to windows for backup.

[Root @ vpn ~] # Cdclient/

[Root @ vpnclient] # ls

Ca. crteasy-rsanmshuishui.crtnmshuishui.key # The Three with suffixes

2. Install openvpn-gui

(1) Copy C: \ ProgramFiles \ OpenVPN \ sample-config \ client. ovpn to C: \ Program Files \ OpenVPN \ config

(2) put the three keys and certificates copied from linux under D: \ Program Files (x86) \ OpenVPN \ config.

(3) edit c: \ ProgramFiles \ OpenVPN \ config \ client. ovpn and change it

Client

Devtun

Protoudp

Remote192.168.1.1001194

Resolv-retryinfinite

Nobind

Persist-key

Persist-tun

Caca. crt // certificate required here

Certqiangsh. crt

Keyqiangsh. key

Comp-lzo

Verb3

4. Start the service and Test

1. Start the openvpn service on the vpn Server

[Root @ vpn ~] #/Usr/local/sbin/openvpn -- config/usr/local/share/doc/openvpn/server. conf &

[Root @ vpn ~] # Echo "/usr/local/sbin/openvpn -- config/usr/local/share/doc/openvpn/server. conf &

">/Etc/rc. local # set to start upon startup

2. On openvpn-gui, right-click Connect and enter the password for connection.

3. view the vpn status