Deploy OpenVPN Server on CentOS 6


References:
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
http://www.unixmen.com/setup-openvpn-server-client-centos-6-5/
http://docs.ucloud.cn/software/vpn/OpenVPN4CentOS.html

Background:
Recently the GFW has begun blocking VPNs, and the PPTP/L2TP VPNs set up on a VPS have become unstable in some cases.
An OpenVPN server is therefore set up on the VPS as a fallback.

Related Configuration:
OS: CentOS 6.4 x86_64 Minimal

1. Install the EPEL repository
# yum install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

2. Install the required dependencies
# yum install -y openssl-devel lzo-devel pam-devel automake pkgconfig

3. Install OpenVPN
# yum install openvpn

4. Download easy-rsa 2.x
# wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
# unzip 2.x.zip
# cd easy-rsa-release-2.x
# cp -rf easy-rsa /etc/openvpn/

5. Configure the easy-rsa vars file
# cd /etc/openvpn/easy-rsa/2.0/
# ln -s openssl-1.0.0.cnf openssl.cnf
# chmod +x vars

Modify the following items in the vars file:
# vim vars

...
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="JP"
export KEY_PROVINCE="JP"
export KEY_CITY="Tokyo"
export KEY_ORG="heylinux.com"
export KEY_EMAIL="guosuiyu@gmail.com"
export KEY_OU="MyOrganizationalUnit"
...

Source the vars file so the environment variables take effect:
# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

6. Generate the required certificate files
Clear out any old certificates:
# ./clean-all

Generate the CA certificate. Because the defaults were set in the vars file, you can simply press Enter at each interactive prompt:
# ./build-ca

Generating a 1024 bit RSA private key
..............................++++++
.....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com CA]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Generate the server certificate. If the interactive prompts appear again, press Enter for each of them, and answer y to the two [y/n] questions at the end:
# ./build-key-server heylinux.com

Generating a 1024 bit RSA private key
............++++++
................++++++
writing new private key to 'heylinux.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [heylinux.com]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'heylinux.com'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:49:38 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the Diffie-Hellman parameters file:
# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................+.............++*++*++*

Generate the TLS authentication key (ta.key):
# cd keys
# openvpn --genkey --secret ta.key
# cd ..

Generate client certificates, for example for the users eric and rainbow:
# ./build-key eric

Generating a 1024 bit RSA private key
.++++++
..........................................................................++++++
writing new private key to 'eric.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:nginxs.com
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [eric]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:eric@nginxs.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'nginxs.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'eric'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'eric@nginxs.com'
Certificate is to be certified until Jan 26 09:52:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# ./build-key rainbow

Generating a 1024 bit RSA private key
......................++++++
......................++++++
writing new private key to 'rainbow.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [JP]:
Locality Name (eg, city) [Tokyo]:
Organization Name (eg, company) [heylinux.com]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [rainbow]:
Name [EasyRSA]:
Email Address [guosuiyu@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'JP'
localityName          :PRINTABLE:'Tokyo'
organizationName      :PRINTABLE:'heylinux.com'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'rainbow'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'guosuiyu@gmail.com'
Certificate is to be certified until Jan 26 09:52:49 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
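Before copying anything out of the keys directory it is worth checking what easy-rsa actually produced. The script below is an added example, not part of the original tutorial: it confirms that ca.crt signs each certificate, that the server certificate carries the TLS Web Server Authentication extended key usage that build-key-server adds (a server certificate made with plain build-key is rejected by clients using remote-cert-tls server), and that each private key belongs to its certificate (catching a rainbow.key copied next to eric.crt). It assumes the openssl command-line tool is installed; the file names are those used on this page, and make_demo_pki builds a constructed 2048-bit throwaway PKI so the checks can be exercised without the real keys.

```shell
#!/bin/sh
# Sanity checks over an easy-rsa 2.x keys directory.
# Added example, not from the original tutorial. Assumes the openssl CLI.

# Is the certificate signed by this CA?
verify_chain() {            # $1 = ca.crt, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Was it issued as a *server* certificate? build-key-server adds the
# serverAuth extended key usage; "remote-cert-tls server" on the client
# requires it, so a plain build-key certificate on the server fails.
is_server_cert() {          # $1 = certificate
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -q 'TLS Web Server Authentication'
}

# Does the private key belong to the certificate? (compares RSA moduli)
key_matches_cert() {        # $1 = certificate, $2 = private key
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# All checks for one server and one client, e.g.
#   check_keys /etc/openvpn/easy-rsa/2.0/keys heylinux.com rainbow
check_keys() {              # $1 = keys dir, $2 = server name, $3 = client name
  d=$1 rc=0
  verify_chain "$d/ca.crt" "$d/$2.crt"     || { echo "$2.crt not signed by ca.crt"; rc=1; }
  is_server_cert "$d/$2.crt"               || { echo "$2.crt lacks the serverAuth EKU"; rc=1; }
  key_matches_cert "$d/$2.crt" "$d/$2.key" || { echo "$2.key does not match $2.crt"; rc=1; }
  verify_chain "$d/ca.crt" "$d/$3.crt"     || { echo "$3.crt not signed by ca.crt"; rc=1; }
  key_matches_cert "$d/$3.crt" "$d/$3.key" || { echo "$3.key does not match $3.crt"; rc=1; }
  return $rc
}

# Constructed throwaway PKI (2048-bit) mirroring what build-ca,
# build-key-server and build-key produce, without the interactive prompts.
make_demo_pki() {           # $1 = directory to create
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/server.ext"
  openssl x509 -req -days 3650 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rainbow" \
    -keyout "$d/rainbow.key" -out "$d/rainbow.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$d/client.ext"
  openssl x509 -req -days 3650 -in "$d/rainbow.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/client.ext" -out "$d/rainbow.crt" >/dev/null 2>&1
}

# Usage: sh check_keys.sh /etc/openvpn/easy-rsa/2.0/keys heylinux.com rainbow
if [ $# -eq 3 ]; then
  check_keys "$1" "$2" "$3" && echo "all checks passed"
fi
```

Run it against the real directory once step 6 is complete; a failure of is_server_cert means the server certificate was built with build-key and has to be regenerated with build-key-server.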

7. Edit the server configuration file:
# vim /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.crt
key /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# ta.key was generated in step 6; the server side uses key direction 0,
# the client side (rainbow.ovpn below) uses direction 1
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
server 10.192.170.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.31.0.2"
push "dhcp-option DOMAIN-SEARCH ap-northeast-1.compute.internal"
push "dhcp-option DOMAIN-SEARCH ec2.drawbrid.ge"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3

Notes on the configuration file above:
UDP is used rather than TCP; it behaves better over poor network links.
The ca, cert, key and dh directives point to the files generated in step 6.
The virtual address range 10.192.170.0/24 is assigned to VPN clients.
ipp.txt records the mapping between clients and virtual IP addresses, so a client gets the same address again when it reconnects.
redirect-gateway is pushed so that, once connected, the client routes all of its traffic through the server by default.
dhcp-option is pushed so that the EC2 default DNS settings reach the client and its resolver configuration (for example /etc/resolv.conf on MacOS) is set up automatically.
client-to-client allows clients to communicate with each other directly.
user and group nobody drop the privileges of the running OpenVPN process.
TLS authentication is enabled.
LZO compression is enabled.
A separate log file is used.

Create the log directory:
# mkdir -p /var/log/openvpn
# chown openvpn:openvpn /var/log/openvpn

8. Start the OpenVPN service
# /etc/init.d/openvpn start
# chkconfig openvpn on

9. Enable IP forwarding and NAT on the server and open the related port.
# vim /etc/sysctl.conf

...
net.ipv4.ip_forward = 1
...

# sysctl -p

# iptables -t nat -A POSTROUTING -s 10.192.170.0/24 -o eth0 -j MASQUERADE

# iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# /etc/init.d/iptables save
# /etc/init.d/iptables restart
# chkconfig iptables on
Note: on a cloud host such as EC2, skip the port-filtering rules above and open the port in the Security Group instead.
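One thing to verify after step 9 is not only that the rules exist but where they landed: a stock CentOS 6 ruleset ends both the INPUT and FORWARD chains with a catch-all "-j REJECT", so a rule appended with -A is placed behind that REJECT and never matches (use -I, or edit /etc/sysconfig/iptables, to put it ahead). The script below is an added example, not from the original tutorial: it reads an iptables-save dump and checks that the UDP/1194 ACCEPT precedes the INPUT catch-all, that forwarded VPN traffic (tun interfaces or the 10.192.170.0/24 range from this page) is accepted before the FORWARD catch-all, and that the MASQUERADE rule is present. The two sample dumps are constructed: the CentOS 6 defaults with the step 9 rules appended, and the same with the rules inserted in the right place.

```shell
#!/bin/sh
# Check an iptables-save dump for the rules the OpenVPN server needs,
# and for their order. Added example, not from the original tutorial.

# Succeed if a rule in CHAIN matching the ERE appears before the chain's
# first catch-all "-j REJECT" / "-j DROP" (a rule with no match criteria).
rule_before_reject() {      # $1 = dump file, $2 = chain, $3 = ERE
  awk -v chain="$2" -v want="$3" '
    $1 == "-A" && $2 == chain && !done {
      if ($0 ~ want) { ok = 1; done = 1 }
      else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) done = 1
    }
    END { exit !ok }
  ' "$1"
}

# The three things the server in this tutorial relies on.
check_openvpn_firewall() {  # $1 = iptables-save dump
  rc=0
  rule_before_reject "$1" INPUT "-p udp.*--dport 1194.*-j ACCEPT" ||
    { echo "INPUT: no ACCEPT for udp/1194 ahead of the catch-all REJECT"; rc=1; }
  rule_before_reject "$1" FORWARD "(-[io] tun[+]|-s 10.192.170.0/24).*-j ACCEPT" ||
    { echo "FORWARD: VPN client traffic would hit the catch-all REJECT"; rc=1; }
  rule_before_reject "$1" POSTROUTING "-s 10.192.170.0/24.*-j MASQUERADE" ||
    { echo "nat/POSTROUTING: no MASQUERADE for 10.192.170.0/24"; rc=1; }
  return $rc
}

# Constructed dumps: CentOS 6 defaults with step 9's rules appended
# (broken), and the same with the rules inserted ahead of the REJECTs.
write_sample_rules() {      # $1 = directory to write into
  cat > "$1/appended.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.192.170.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
  cat > "$1/inserted.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.192.170.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage: iptables-save > /tmp/rules.txt && sh check_fw.sh /tmp/rules.txt
if [ $# -eq 1 ]; then
  check_openvpn_firewall "$1" && echo "firewall rules look right"
fi
```

The check treats only a rule with no match criteria (`-A CHAIN -j REJECT ...`) as the catch-all; rules that reject specific sources are left alone, so the script errs on the permissive side and is a pre-flight check, not a policy audit.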

10. Configure the OpenVPN client
Copy the certificates generated on the server into one directory. For the user rainbow, for example:
# mkdir -p /home/rainbow/tmp/openvpn_heylinux
# cd /home/rainbow/tmp/openvpn_heylinux
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ta.key .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/ca.crt .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.crt .
# cp -rpa /etc/openvpn/easy-rsa/2.0/keys/rainbow.key .

Write the ovpn configuration file for the user rainbow:
# vim rainbow.ovpn

client
dev tun
proto udp
remote 54.238.131.140 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert rainbow.crt
key rainbow.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3
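The server configuration in step 7 and the client profile above have to agree on protocol, port, device type, compression and, most often overlooked, tls-auth: the option must be present on both sides, with key direction 0 on the server and 1 on the client, or the client's handshake packets are silently dropped as HMAC failures. The script below is an added example, not from the original tutorial, that cross-checks a server.conf against a client .ovpn before the bundle is handed out. The sample configurations it writes are constructed from the values on this page; the one named server-no-tlsauth.conf omits tls-auth and so fails the check against rainbow.ovpn.

```shell
#!/bin/sh
# Cross-check an OpenVPN server.conf against a client .ovpn.
# Added example, not from the original tutorial.

# Print the arguments of the first occurrence of a directive, comments
# stripped; prints nothing if the directive is absent.
cfg_get() {                 # $1 = config file, $2 = directive
  awk -v k="$2" '
    { sub(/[#;].*/, "") }
    $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Succeed if the directive is present at all (with or without arguments).
cfg_has() {                 # $1 = config file, $2 = directive
  awk -v k="$2" '{ sub(/[#;].*/, "") } $1 == k { f = 1 } END { exit !f }' "$1"
}

# Compare the settings that have to agree on both ends. Returns 0 when
# they do, 1 otherwise, printing one line per mismatch.
check_pair() {              # $1 = server.conf, $2 = client .ovpn
  s=$1 c=$2 rc=0
  sproto=$(cfg_get "$s" proto); cproto=$(cfg_get "$c" proto)
  [ "${sproto:-udp}" = "${cproto:-udp}" ] ||
    { echo "proto: server=$sproto client=$cproto"; rc=1; }
  sport=$(cfg_get "$s" port); cport=$(cfg_get "$c" remote | awk '{ print $2 }')
  [ "${sport:-1194}" = "${cport:-1194}" ] ||
    { echo "port: server=$sport client remote=$cport"; rc=1; }
  sdev=$(cfg_get "$s" dev); cdev=$(cfg_get "$c" dev)
  [ "${sdev%%[0-9]*}" = "${cdev%%[0-9]*}" ] ||   # tun0 and tun are the same type
    { echo "dev: server=$sdev client=$cdev"; rc=1; }
  # tls-auth: both sides or neither, with key direction 0 / 1.
  sta=$(cfg_get "$s" tls-auth); cta=$(cfg_get "$c" tls-auth)
  if [ -n "$sta" ] && [ -z "$cta" ]; then echo "tls-auth: server only"; rc=1; fi
  if [ -z "$sta" ] && [ -n "$cta" ]; then echo "tls-auth: client only"; rc=1; fi
  if [ -n "$sta" ] && [ -n "$cta" ]; then
    sdir=$(echo "$sta" | awk 'NF > 1 { print $NF }')
    cdir=$(echo "$cta" | awk 'NF > 1 { print $NF }')
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] ||
      { echo "tls-auth: key direction must be 0 on the server and 1 on the client"; rc=1; }
  fi
  # comp-lzo has to match as well.
  if cfg_has "$s" comp-lzo; then
    cfg_has "$c" comp-lzo || { echo "comp-lzo: server only"; rc=1; }
  else
    ! cfg_has "$c" comp-lzo || { echo "comp-lzo: client only"; rc=1; }
  fi
  return $rc
}

# Constructed samples built from this page's values: the client profile,
# a server.conf without tls-auth, and the same file with tls-auth added.
write_sample_configs() {    # $1 = directory to write into
  cat > "$1/rainbow.ovpn" <<'EOF'
client
dev tun
proto udp
remote 54.238.131.140 1194
resolv-retry infinite
nobind
ca ca.crt
cert rainbow.crt
key rainbow.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3
EOF
  cat > "$1/server-no-tlsauth.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.crt
key /etc/openvpn/easy-rsa/2.0/keys/heylinux.com.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.192.170.0 255.255.255.0
# compression must match the client
comp-lzo
EOF
  { cat "$1/server-no-tlsauth.conf"
    echo 'tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0'; } > "$1/server.conf"
}

# Usage: sh check_cfg.sh /etc/openvpn/server.conf /home/rainbow/tmp/openvpn_heylinux/rainbow.ovpn
if [ $# -eq 2 ]; then
  check_pair "$1" "$2" && echo "server and client configs agree"
fi
```
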

Package the certificate files and the ovpn configuration:
# cd /home/rainbow/tmp
# tar cf openvpn_heylinux.tar openvpn_heylinux

Download the openvpn_heylinux.tar package to your local machine.

On Windows, download and install the OpenVPN client:
http://openvpn.net/index.php/download.html
Then place the certificate files and rainbow.ovpn in the C:\Program Files\OpenVPN\config directory, double-click the OpenVPN icon on the desktop and select that configuration to connect.

On MacOS, download and install Tunnelblick:
https://code.google.com/p/tunnelblick/
Extract openvpn_heylinux.tar and rename the extracted directory to heylinux.com.tblk;
locate heylinux.com.tblk in the Finder and double-click it.

11. Screenshots of a successful connection from MacOS (images not preserved in this copy).