Build openvpn server in Centos6.5

Last Update:2016-06-17 Source: Internet

Author: User

Tags vars

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Build openvpn server in Centos6.5

Because the new version of openvpn does not contain the most important certificate preparation part: easy-rsa, You need to download easyrsa in advance and download it on GitHub. The configuration process will be shown in the following step, this deployment uses the easy-rsa3, And the easy-rsa2.0 operation is completely different, other online on the easy-rsa2.0 of the tutorial is not suitable for this deployment

Before deploying openvpn, it is best to use ntpdate to synchronize the Time of the server. Otherwise, the certificate generation time is inaccurate, which may cause errors such as centificate error!

1. Install lzo

Lzo is a data compression algorithm dedicated to decompression speed.

[Root @ vpn ~] # Wgethttp: // www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz

[Root @ vpn ~] #Tarxflzo-2.09.tar.gz

[Root @ vpn ~] # Cdlzo-2.09

[Root@vpnlzo-2.09] #./configure & make & makeinstall

2. Install openvpn

[Root @ vpn ~] # Yum install-yopenssl-devel

[Root @ vpn ~] # Wgethttps: // swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz

[Root @ vpn ~] # Tar zxvfopenvpn-2.3.11.tar.gz

[Root @ vpn ~] # Cdopenvpn-2.3.11

[Root@vpnopenvpn-2.3.4] #./configure -- with-lzo-headers =/usr/local/include/-- with-lzo-lib =/usr/local/lib

[Root@vpnopenvpn-2.3.4] # make & makeinstall

# Whichopenvpn [root@vpnopenvpn-2.3.4]

/Usr/local/sbin/openvpn # The openvpn is successfully installed.

3. Configure the easyrsa Server

Openvpn-2.3.11 software package does not contain certificate (ca certificate, server certificate, client certificate) production tool, so you also need to download easy-rsa separately, the latest for easy-rsa3

[Root @ vpn ~] # Wgethttps: // github.com/OpenVPN/easy-rsa/archive/master.zip

[Root @ vpn ~] Unzip unzipmaster.zip

[Root @ vpn ~] # Mveasy-rsa-mastereasy-rsa

[Root @ vpn ~] # Cp-Reasy-rsa // usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/

[Root @ vpneasyrsa3] # cpvars. examplevars

[Root @ vpneasyrsa3] # vimvars

Set_varEASYRSA_REQ_COUNTRY "CN"

Set_varEASYRSA_REQ_PROVINCE "Beijing"

Set_varEASYRSA_REQ_CITY "Beijing"

Set_varEASYRSA_REQ_ORG "qiangshCertificate"

Set_varEASYRSA_REQ_EMAIL "503579266@qq.com"

Set_varEASYRSA_REQ_OU "MyOpenVPN"

4. Create a server certificate and key

(1) initialization

[Root @ vpneasyrsa3] # ls

Easyrsaopenssl-1.0.cnfvarsvars.examplex509-types

[Root @ vpneasyrsa3] #

[Root @ vpneasyrsa3] #./easyrsainit-pki

Note: using Easy-RSAconfiguration from:./vars

Init-pki complete; you may nowcreate a CA or requests.

Your newly created PKI dir is:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki

(2) create a root certificate

[Root @ vpneasyrsa3] #./easyrsabuild-ca

Note: using Easy-RSAconfiguration from:./vars

Generating a 2048 bit RSA privatekey

... ++

........................ ++

Writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key. GiibbqFhXm'

Enter PEM pass phrase: # Enter the password. This password is used to sign the certificate.

Verifying-Enter PEM passphrase: # Enter the password again

-----

You are about to be asked toenter information that will be ininitialized

Into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host, or server name) [Easy-rsa ca]: qiangsh # enter a Common Name

CA creation complete and you maynow import and sign cert requests.

Your new CA certificate file forpublishing is:

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt

(3) create a server certificate

[Root @ vpneasyrsa3] #./easyrsagen-reqservernopass

Note: using Easy-RSAconfiguration from:./vars

Generating a 2048 bit RSA privatekey

....................................... ++

...................................... ++

Writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key. migrh2b6ss'

-----

You are about to be asked toenter information that will be ininitialized

Into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host, or server name) [server]: qiangsh-BJ # This Common Name must not be the same as the one used to create the root certificate !!!

Keypair and certificate requestcompleted. Your files are:

Req:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server. req

Key:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key

(4) sign up for the server certificate

[Root @ vpneasyrsa3] #./easyrsasignserverserver

Note: using Easy-RSAconfiguration from:./vars

You are about to sign thefollowing certificate.

Please check over the detailsshown below for accuracy. Note that this request

Has not been cryptographicallyverified. Please be sure it came from a trusted

Source or that you have verifiedthe request checksum with the sender.

Request subject, to be signed asa server certificate for 3650 days:

Subject =

CommonName = qiangsh-BJ

Type the word 'yes' to continue, or any other input to abort.

Confirm request details: yes # Enter yes to continue

Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf

Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key: # Enter the password used to create the root certificate.

Check that the request matchesthe signature

Signature OK

The Subject's Distinguished Nameis as follows

CommonName: PRINTABLE: 'qiangsh-BJ'

Certificate is to be certifieduntil Jun 6 07:19:45 2026 GMT (3650 days)

Write out database with 1 newentries

Data Base Updated

Certificate created at:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server. crt

(5) create a Diffie-Hellman command to ensure that the key crosses the insecure network:

[Root @ vpneasyrsa3] #./easyrsagen-dh

Note: using Easy-RSAconfiguration from:./vars

Generating DH parameters, 2048bit long safe prime, generator 2

This is going to take a long time

........................................ .................................. + ........................... + ....................................... ...................... + ........................... + ....................................... ........................................ ........................................ ........................................ ........................................ ........................................ .. + ....................................... ........................................ ........................................ ........ + .. + ....................................... .......................... + ....................................... ........................................ ........... + .............. + ....................................... ........................................ ........................................ ........................................ ................ + ....................................... ........................................ ......... + ....................................... ........................................ + ....................................... ......... + .......... ++ *

DH parameters of size 2048 created at/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh. pem

5. Create a client certificate

(1) create a client directory under the root directory

[Root @ vpneasyrsa3] # cd

[Root @ vpn ~] # Mkdirclient

[Root @ vpn ~] # Cp-R/mnt/easy-rsa/client/

(2) initialization

[Root @ vpn ~] # Cdclient/easy-rsa/easyrsa3/

[Root @ vpneasyrsa3] # ls

Easyrsaopenssl-1.0.cnfvarsvars.examplex509-types

[Root @ vpneasyrsa3] #./easyrsainit-pki

Note: usingEasy-RSAconfigurationfrom:./vars

Init-pkicomplete; youmaynowcreateaCAorrequests.

YournewlycreatedPKIdiris:/root/client/easy-rsa/easyrsa3/pki

(3) create a client key and generate a certificate

[Root @ vpneasyrsa3] #./easyrsagen-reqqiangsh

Generating a 2048 bit RSA privatekey

..............................

........................................ ................ ++

Writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key. ld7wk6hmqq'

Enter PEM pass phrase: # Enter the password

Verifying-Enter PEM passphrase: # Enter the password again

-----

You are about to be asked toenter information that will be ininitialized

Into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host, or server name) [qiangsh]: qiangsh # Enter qiangsh

Keypair and certificate request completed. Your files are:

Req:/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh. req

Key:/root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key

(4) import the obtained qiangsh. req and sign the certificate.

[Root @ vpn ~] # Cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/

[Root @ vpneasyrsa3] # import req

[Root @ vpneasyrsa3] #./easyrsa import-req/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh. reqqiangsh

Note: using Easy-RSAconfiguration from:./vars

The request has been successfullyimported with a short name of: qiangsh

You may now use this name toperform signing operations on this request.

[Root @ vpneasyrsa3] # signing Certificate

[Root @ vpneasyrsa3] #./easyrsasignclientqiangsh

Note: using Easy-RSAconfiguration from:./vars

You are about to sign thefollowing certificate.

Please check over the detailsshown below for accuracy. Note that this request

Has not been cryptographicallyverified. Please be sure it came from a trusted

Source or that you have verifiedthe request checksum with the sender.

Request subject, to be signed asa client certificate for 3650 days:

Subject =

CommonName = qiangsh

Type the word 'yes' to continue, or any other input to abort.

Confirm request details: yes # Enter yes

Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf

Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key: # Enter the password when creating the root certificate

Check that the request matchesthe signature

Signature OK

The Subject's Distinguished Nameis as follows

CommonName: PRINTABLE: 'qiangsh'

Certificate is to be certifieduntil Jun 6 07:50:02 2026 GMT (3650 days)

Write out database with 1 newentries

Data Base Updated

Certificate created at:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh. crt # contract successful

(5) files generated by the server and client

Server :(/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/) folder

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server. req

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh. req

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca. key

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server. crt

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh. crt

/Usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh. pem

Client :(/root/client/easy-rsa)

/Root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key

/Root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh. req # This file is imported to the server.

(6) copy the server key and certificate to the openvpn directory.

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server. key/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server. crt/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh. pem/usr/local/share/doc/openvpn/

(7) copy the client key and certificate to the client directory.

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca. crt/root/client/

[Root @ vpn ~] # Cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh. crt/root/client/

[Root @ vpn ~] # Cp/root/client/easy-rsa/easyrsa3/pki/private/qiangsh. key/root/client/

(8) Write a configuration file for the server

When openvpn is installed, it provides an example of the server configuration file.

Copy the openvpn directory in this example and configure

[Root @ vpn ~] # Cp/mnt/openvpn-2.3.11/sample-config-files/server. conf/usr/local/share/doc/openvpn/

[Root @ vpn ~] # Vim/usr/local/share/doc/openvpn/server. conf

Local192.168.1.100 # (self-built vpsIP)

Port1194

Protoudp

Devtun

Ca/usr/local/share/doc/openvpn/ca. crt

Cert/usr/local/share/doc/openvpn/server. crt

Key/usr/local/share/doc/openvpn/server. key # Thisfileshouldbekeptsecret

Dh/usr/local/share/doc/openvpn/dh. pem

Server10.8.0.0255.255.255.0

Ifconfig-pool-persistipp.txt

Push redirect-gatewaydef1bypass-dhcp"

Push dhcp-optionDNS8.8.8.8"

Keepalive10120

Comp-lzo

Max-clients100

Persist-key

Persist-tun

Statusopenvpn-status.log

Verb3

(9) enable the system forwarding function

[Root @ vpn ~] # Vim/etc/sysctl. conf

Net. ipv4.ip _ forward = 0 to net. ipv4.ip _ forward = 1

[Root @ vpn ~] # Sysctl-p

[Root @ vpn ~] # Sysctl-a | grepnet. ipv4.ip _ forward

Net. ipv4.ip _ forward = 1

(10) encapsulated data packets (eth0 is the network card of your vps Internet ):

/Sbin/iptables-tnat-IPOSTROUTING-s10.8.0.0/rj0000255.0-oeth0-jMASQUERADE

Iii. DownloadOpenvpnClient and configure

1. Copy the client key and certificate to windows for backup.

[Root @ vpn ~] # Cdclient/

[Root @ vpnclient] # ls

Ca. crteasy-rsanmshuishui.crtnmshuishui.key # The Three with suffixes
2. Install openvpn-gui
(1) Copy C: \ ProgramFiles \ OpenVPN \ sample-config \ client. ovpn to C: \ Program Files \ OpenVPN \ config
(2) put the three keys and certificates copied from linux under D: \ Program Files (x86) \ OpenVPN \ config.
(3) edit c: \ ProgramFiles \ OpenVPN \ config \ client. ovpn and change it
Client
Devtun
Protoudp
Remote192.168.1.1001194
Resolv-retryinfinite
Nobind
Persist-key
Persist-tun
Caca. crt // certificate required here
Certqiangsh. crt
Keyqiangsh. key
Comp-lzo
Verb3
4. Start the service and Test
1. Start the openvpn service on the vpn Server
[Root @ vpn ~] #/Usr/local/sbin/openvpn -- config/usr/local/share/doc/openvpn/server. conf &
[Root @ vpn ~] # Echo "/usr/local/sbin/openvpn -- config/usr/local/share/doc/openvpn/server. conf &
">/Etc/rc. local # set to start upon startup
2. On openvpn-gui, right-click Connect and enter the password for connection.
3. view the vpn status

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More