CentOS6.7 install OpenVPN Server


This article describes how to build an OpenVPN server on Linux, using CentOS 6.7 as the example.

OpenVPN basic introduction:

OpenVPN is an open-source VPN daemon. easy-rsa is a set of shell scripts that wrap OpenSSL to run a simple CA and issue the server and client certificates OpenVPN authenticates with.

VPN Principle:

In short, client host A establishes a connection (TCP or UDP) to VPN server B. Once the OpenVPN client is connected, it creates a virtual NIC (tun interface) a on host A; the server side has its own virtual NIC b, created when the OpenVPN service starts. The two virtual NICs form the so-called "private" channel, carried over the port the server listens on. After the handshake, server B pushes its configured routes to A, and A installs them so that traffic for specific networks (there can be several) is sent through the tunnel instead of the normal path. In practice, the VPN server therefore acts as a proxy or jump host (a pivot) into the networks behind it.

Set up an experiment environment:

The lab can be built with virtualization software such as VMware. The OpenVPN server can have one NIC or two: with a single NIC the tun interface is simply added next to the existing physical NIC and that one NIC serves both the VPN clients and the intranet. This article uses the dual-NIC layout, with one NIC facing the clients and one facing the intranet.

The topology of the experiment environment is as follows:

(1) VPN client A:

Windows 8 + OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun 5 2014

NIC 1: 192.168.1.228

(2) VPN server B:

CentOS release 6.7 (Final)

Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

OpenVPN version: OpenVPN 2.3.8 (built from git source)

NIC 1: 192.168.1.182 (faces the VPN client)

NIC 2 (eth1): 10.20.0.129 (faces the intranet)

(3) Server C (used to further test VPN connectivity):

NIC 1: 192.168.1.113

NIC 2: 10.20.0.130

OpenVPN installation steps:

S1. Install the base packages needed to compile OpenVPN and satisfy its dependencies. If configure later complains about missing OpenSSL headers, also install openssl-devel.

yum -y install gcc gcc-c++
yum -y install autoconf
yum -y install automake
yum -y install libtool
yum -y install gettext
yum -y install lzo lzo-devel
yum -y install pam-devel

S2. Obtain the OpenVPN source from GitHub, check out a stable release branch, generate configure and the other build files with autoreconf, then compile and install.

git clone git@github.com:OpenVPN/openvpn.git
cd openvpn
git checkout -b 2.3 remotes/origin/release/2.3
autoreconf -i -v -f
./configure --prefix=/usr/local/openvpn
make
make install

The git@github.com: URL needs an SSH key registered with a GitHub account; for an anonymous clone use https://github.com/OpenVPN/openvpn.git instead. Checking out the branch head builds whatever commit is current; for a reproducible build check out a release tag such as v2.3.8, which is the version this article ended up with.

S3. configure OpenVPN Server

S3.1 Install the init script, link the binary and create the configuration directory

cp distro/rpm/openvpn.init.d.rhel /etc/init.d/openvpn
ln -s /usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn
mkdir /usr/local/openvpn/etc
ln -s /usr/local/openvpn/etc /etc/openvpn
cp sample/sample-config-files/server.conf /etc/openvpn/

These commands run from the top of the openvpn source tree. The RHEL init script expects the binary at /usr/sbin/openvpn and starts one instance per *.conf file in /etc/openvpn, hence the two symlinks; make sure /etc/init.d/openvpn is executable before using service openvpn start.

S3.2 Edit the main OpenVPN configuration file. The comments in the sample server.conf copied in the previous step explain each field, so they are not repeated here. With comments and blank lines stripped, the configuration used is:

vim /etc/openvpn/server.conf
grep -v '^#' /etc/openvpn/server.conf | grep -v '^$' | grep -v '^;'

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.20.0.0 255.255.255.0"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

Three of these lines are conveniences rather than requirements and weaken the setup: duplicate-cn lets any number of clients share one certificate (so revoking it cuts off all of them), client-to-client lets VPN clients reach each other inside the daemon without passing the kernel firewall, and comp-lzo compresses traffic inside the TLS tunnel, which is now known to enable VORACLE-style plaintext recovery. The sample file also carries commented-out user nobody / group nobody lines and a tls-auth line; enabling them costs nothing here.
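The configuration above can be checked mechanically. The following Python script is an added example, not code from the article or from the OpenVPN project: it parses server.conf in the directive syntax shown (comment lines starting with # or ;, a trailing # comment, quoted push arguments) and reports the directives that weaken the setup next to the ones that are missing. The hardened variant it also audits is constructed here and assumes two files the article does not create, ta.key (from openvpn --genkey --secret ta.key) and crl.pem (from easy-rsa's revoke-full).

```python
"""Audit an OpenVPN server.conf for the hardening gaps a reviewer looks for.

Added example; not code from the article or from OpenVPN. Parses the
directive syntax used on the page and flags weak or missing directives.
"""
import shlex

# Constructed input: the effective server.conf from the article.
PAGE_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.20.0.0 255.255.255.0"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
"""

# Constructed hardened variant: same addressing, weak directives dropped,
# missing ones added (ta.key and crl.pem are assumed to exist on the server).
HARDENED_CONF = (
    PAGE_CONF.replace("client-to-client\n", "")
    .replace("duplicate-cn\n", "")
    .replace("comp-lzo\n", "")
    + "tls-auth ta.key 0\ncrl-verify crl.pem\nuser nobody\ngroup nobody\n"
)


def parse_conf(text):
    """Return [(directive, [args]), ...] with comments and blank lines removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # shlex keeps push "route ..." as a single argument and drops the
        # trailing '# ...' comment such as the one on the key line.
        parts = shlex.split(line, comments=True)
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


RISKY_IF_PRESENT = {
    "duplicate-cn": "one certificate may be used by many clients at once; "
                    "revoking it cuts off everyone who shares it",
    "client-to-client": "clients reach each other inside the daemon, "
                        "bypassing the kernel FORWARD chain",
    "comp-lzo": "compressing TLS-protected traffic enables VORACLE-style "
                "plaintext recovery; run without compression",
}
# Any one of the alternatives in the key satisfies the requirement.
REQUIRED = {
    ("tls-auth", "tls-crypt"): "no tls-auth/tls-crypt: the UDP port answers "
                               "any TLS handshake from anyone",
    ("user",): "daemon stays root after start; add 'user nobody'",
    ("group",): "daemon keeps the root group after start; add 'group nobody'",
    ("crl-verify",): "no CRL: a lost client certificate cannot be revoked",
}


def audit(entries):
    """Return sorted [(directive, reason), ...] for a parsed config."""
    present = {directive for directive, _ in entries}
    findings = [(d, why) for d, why in RISKY_IF_PRESENT.items() if d in present]
    for alternatives, why in REQUIRED.items():
        if not present.intersection(alternatives):
            findings.append(("/".join(alternatives), why))
    return sorted(findings)


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for directive, why in audit(parse_conf(conf)):
            print(f"  {directive}: {why}")
```

Run against the article's configuration it reports seven findings; against the hardened variant it reports none. Dropping duplicate-cn means issuing one certificate per client with pkitool, which is also what makes crl-verify useful.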

S4. Create the server and client certificates so that clients authenticate to OpenVPN with a certificate.

S4.1 Obtain easy-rsa from GitHub; it generates the CA, server and client certificates. (They can also be produced directly with openssl.)

cd
git clone git@github.com:OpenVPN/easy-rsa.git
cd easy-rsa
git checkout -b 2.x remotes/origin/release/2.x
cd easy-rsa/2.0/

S4.2 edit certificate configuration information

vim vars
grep -v '^#' vars | grep -v '^$'

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shandong"
export KEY_CITY="Qingdao"
export KEY_ORG="51devops"
export KEY_EMAIL="chris@51devops.com"
export KEY_OU="chris"
export KEY_NAME="EasyRSA"

S4.3. generate Server certificates, including CA and Server certificates

source vars
./clean-all
./pkitool --initca
./pkitool --server server
./build-dh

S4.4 Generate the client certificate and copy the server-side files into /etc/openvpn

# ./pkitool client-christhinkt430
./pkitool --pkcs12 client-christhinkt430
\cp -f keys/ca.crt /etc/openvpn/
\cp -f keys/server.crt /etc/openvpn/
\cp -f keys/server.key /etc/openvpn/
\cp -f keys/dh2048.pem /etc/openvpn/

The commented first line would produce a separate .crt/.key pair; --pkcs12 instead bundles the client certificate, its private key and the CA certificate into a single .p12 file and prompts for an export password. Keep server.key readable by root only, and note that keys/ca.key stays in the easy-rsa directory: it is only needed to sign or revoke certificates and is best kept off the VPN server altogether.

S5. start the OpenVPN service and prepare for testing.

Enable IP forwarding in the kernel and apply it with sysctl -p:

vim /etc/sysctl.conf

net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1

Only ip_forward is actually required for this setup. accept_source_route = 1 makes the host honour source-routed packets and rp_filter = 0 disables reverse-path checks; both are hardening regressions and should stay at their defaults unless asymmetric routing really requires them.

Add the firewall rules (accept UDP 1194 in, NAT the VPN pool out of eth1), persist them, and start OpenVPN:

iptables -I INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
service iptables save || iptables-save > /etc/sysconfig/iptables
service openvpn start

If iptables reports a NAT-related error (the exact message was not recorded at the time), the iptable_nat module is probably not loaded: load it with modprobe iptable_nat and confirm with lsmod | grep nat that it is in the kernel.

For reference, the resulting iptables file (/etc/sysconfig/iptables) is:

# Generated by iptables-save v1.4.7 on Tue Sep 15 09:50:41 2015
*filter
:INPUT ACCEPT [95751:71225675]
:FORWARD ACCEPT [2:120]
:OUTPUT ACCEPT [18830:1205082]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Sep 15 09:50:41 2015
# Generated by iptables-save v1.4.7 on Tue Sep 15 09:50:41 2015
*nat
:PREROUTING ACCEPT [8758:1233668]
:POSTROUTING ACCEPT [467:144522]
:OUTPUT ACCEPT [466:144462]
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Sep 15 09:50:41 2015

Note that both REJECT rules are commented out and the INPUT and FORWARD policies are ACCEPT, so this host accepts every inbound packet and forwards anything that arrives on any interface; the UDP 1194 rule is redundant in that state. For a production server keep the two REJECT rules and add explicit FORWARD rules that accept 10.8.0.0/24 from tun0 toward eth1 and RELATED,ESTABLISHED traffic back, so that only VPN traffic is forwarded.

Screenshots in the original article (not reproduced here) showed the OpenVPN log on server B, the NIC and IP information on server B including the new tun interface, the client connection entries in the server log, and the IP information on the Windows client.

On the client the tun adapter appears with subnet mask 255.255.255.252. OpenVPN 2.3 defaults to topology net30, which hands each client a /30 out of the 10.8.0.0/24 pool, so this mask is expected and does not affect the connection.

S6. Copy the client certificate generated in step S4.4 to the Windows client and configure the Windows OpenVPN client to connect to the server.

The client bundle is the file client-christhinkt430.p12 in the keys/ directory of the easy-rsa 2.0 tree from step S4 (under /root in this setup). It contains the client's private key, so move it over a trusted channel such as scp rather than by e-mail or a shared folder.

On Windows, place the .p12 file in the config folder under the OpenVPN installation path and create a .ovpn configuration file next to it with the following content:

remote 192.168.1.182 1194 udp
persist-key
tls-client
pull
dev tun
persist-tun
comp-lzo adaptive
nobind
pkcs12 client-christhinkt430.p12

Two additions are worth making to a real client profile: remote-cert-tls server, so that the client only accepts a server certificate carrying the server extensions that pkitool --server sets, and a leaked client certificate cannot be used to impersonate the server; and removing comp-lzo together with the server side.

Start the OpenVPN GUI with administrator rights (it needs them to add routes) and select Connect. On success the log window reports the completed initialization and the tray icon turns from gray to green.

The client can now reach the intranet addresses behind the OpenVPN server, for example server C at 10.20.0.130, which confirms that the tunnel and the NAT rule work.

Summary:

Some difficulties or tips for configuring OpenVPN:

1. Obtaining the OpenVPN packages and documentation is awkward from behind restrictive network filtering. Cloning from GitHub and picking the right release branch solves this for both the server source and the client.

2. POSTROUTING and MASQUERADE in the iptables firewall must be understood. MASQUERADE is a form of SNAT: packets whose source lies in a given network segment have their source address rewritten to the address of the interface they leave through, which is what lets VPN clients reach the intranet without the intranet hosts needing a route back to 10.8.0.0/24.

For example, with iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE, traffic from the VPN pool that leaves through eth1 is disguised with eth1's own address. When 10.8.0.6 (the OpenVPN client's tunnel address) accesses 10.20.0.130 (server C), server C sees the packet as coming from 10.20.0.129 (the eth1 address of the OpenVPN server) and replies to that address; the connection-tracking entry created by the rewrite then translates the reply back to 10.8.0.6 and it is delivered through the tunnel.
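The forwarding path described in S5 and in point 2 above can be traced step by step. The Python below is an added worked example, not code from the article or from netfilter: it models only the routing decision on server B that selects eth1, the source rewrite done by the POSTROUTING MASQUERADE rule, and the connection-tracking entry that maps the reply back to the client, plus the effect of the pushed route on the client. The interface addresses are the article's; that the 192.168.1.182 NIC is eth0, that tun0 holds 10.8.0.1, and the shape of the route and conntrack tables are simplifying assumptions.

```python
"""Trace a VPN client's packet through server B's routing and MASQUERADE rule.

Added worked example; not code from the article or from netfilter.
Models routing, the POSTROUTING source rewrite and the conntrack reverse
mapping for the rule: -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

# Server B's interfaces (assumption: the 192.168.1.x NIC is eth0, and
# OpenVPN's tun0 holds 10.8.0.1, the first address of 'server 10.8.0.0').
IFACES = {
    "eth0": ipaddress.ip_address("192.168.1.182"),
    "eth1": ipaddress.ip_address("10.20.0.129"),
    "tun0": ipaddress.ip_address("10.8.0.1"),
}
ROUTES = [  # (destination network, outgoing interface); longest prefix wins
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    (ipaddress.ip_network("10.20.0.0/24"), "eth1"),
    (ipaddress.ip_network("10.8.0.0/24"), "tun0"),
]
MASQ_SRC = ipaddress.ip_network("10.8.0.0/24")   # -s 10.8.0.0/24
MASQ_OUT = "eth1"                                 # -o eth1

# The route the server pushes: push "route 10.20.0.0 255.255.255.0"
CLIENT_PUSHED_ROUTE = ipaddress.ip_network("10.20.0.0/24")


def client_egress(dst):
    """Which interface the client uses for dst once the pushed route is installed."""
    return "tun" if ipaddress.ip_address(dst) in CLIENT_PUSHED_ROUTE else "lan"


def route_lookup(dst):
    """Outgoing interface on server B by longest-prefix match, or 'local'."""
    addr = ipaddress.ip_address(dst)
    if addr in IFACES.values():
        return "local"
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


class Masquerade:
    """Minimal conntrack-style SNAT: rewrite on the way out, reverse on reply."""

    def __init__(self):
        self.conntrack = {}  # expected reply 5-tuple -> original source address

    def outbound(self, pkt):
        """Apply the POSTROUTING rule; returns (packet as sent, interface)."""
        out_if = route_lookup(pkt.dst)
        if out_if != MASQ_OUT or ipaddress.ip_address(pkt.src) not in MASQ_SRC:
            return pkt, out_if               # rule does not match: sent unchanged
        nat_pkt = pkt._replace(src=str(IFACES[out_if]))  # MASQUERADE: egress address
        # Key on what the reply will look like so it can be reversed later.
        reply_key = (nat_pkt.dst, nat_pkt.src, pkt.proto, pkt.dport, pkt.sport)
        self.conntrack[reply_key] = pkt.src
        return nat_pkt, out_if

    def reply(self, pkt):
        """Undo the rewrite for a packet coming back from the intranet."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        orig_src = self.conntrack.get(key)
        if orig_src is None:
            return pkt, route_lookup(pkt.dst)  # not a NATed flow: for B itself
        back = pkt._replace(dst=orig_src)
        return back, route_lookup(back.dst)


if __name__ == "__main__":
    nat = Masquerade()
    req = Packet("10.8.0.6", "10.20.0.130", "tcp", 40000, 22)
    sent, iface = nat.outbound(req)
    print(f"client -> C: {req.src}->{req.dst} leaves {iface} as {sent.src}->{sent.dst}")
    resp = Packet("10.20.0.130", "10.20.0.129", "tcp", 22, 40000)
    back, iface = nat.reply(resp)
    print(f"C -> client: {resp.src}->{resp.dst} delivered via {iface} to {back.dst}")
```

The interface match in the rule matters: a packet from the pool that would leave through eth0 is not rewritten, and a reply for which no conntrack entry exists is treated as addressed to server B itself rather than being forwarded to a client.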

Finally, some articles for further reference:

1. OpenVPN configuration in Linux: http://blog.chinaunix.net/uid-26835604-id-3484906.html
2. Meaning of SNAT, DNAT and MASQUERADE in iptables: http://blog.csdn.net/jk110333/article/details/8229828
3. Ubuntu simple client configuration: https://help.ubuntu.com/lts/serverguide/openvpn.html#openvpn-simple-client-configuration

Tag: OpenVPN for Linux configuration, OpenVPN for Linux installation, OpenVPN configuration, OpenVPN firewall configuration, and OpenVPN for CentOS compilation and Installation
