Openvpn installation configuration in centos6 Environment

Source: Internet
Author: User
Tags: openssl, version, openvpn, gui
1. Environment

1.1. Server environment

CentOS 6, kernel version: 2.6.32-71.el6
The IP address is 192.168.122.180, and the tunnel IP address is 10.8.0.1.

The kernel must support TUN devices, and iptables must be available.
Check whether the tun module is present:

# modinfo tun

filename:       /lib/modules/2.6.32-71.el6.i686/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
description:    Universal TUN/TAP device driver
srcversion:     7d2aaef89c71c83bbffa0de
depends:
vermagic:       2.6.32-71.el6.i686 SMP mod_unload modversions 686

1.2. Client Environment

The client is a Windows 7 host with IP address 192.168.122.29.

2. Installation

2.1. Linux

OpenVPN cannot currently be installed directly with yum. An RPM package is available for download from the official website. This RPM depends on:

  • openssl
  • lzo
  • pam

If we compile from source instead, the corresponding development packages are also required:

  • openssl-devel
  • lzo-devel
  • pam-devel

Fortunately, all of these dependencies can be installed directly with yum.

Here we compile from source. Download the latest source package from http://openvpn.net/index.php/open-source/downloads.html. After all the dependencies are installed, unpack it:

# tar xfz openvpn-[version].tar.gz

Then change into the top-level directory of the source tree and run the usual three steps to compile and install:

# ./configure
# make
# make install

2.2. Windows

Download the latest installer from http://openvpn.net/index.php/open-source/downloads.html and double-click it to install.

3. Certificates and Key Files

Because my environment uses Linux as the server, certificate generation is also done on Linux.

If OpenVPN was installed from the RPM package, the easy-rsa directory is usually /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version. If OpenVPN was compiled from source, easy-rsa is under the top-level directory of the source package.
(Before editing, it is best to copy the entire easy-rsa directory somewhere else, for example /etc/openvpn, so that a later OpenVPN upgrade does not overwrite your configuration.)

First copy easy-rsa to /etc/openvpn:

# mkdir -p /etc/openvpn
# cp -R easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0

3.1. CA file

Open the vars file with your preferred editor and modify the following variables to match your situation:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="HZ"
export KEY_ORG="my_org"
export KEY_EMAIL="yetyongjin # 163.com"

Next, set up the OpenSSL configuration. Depending on the OpenSSL version installed on the system, copy the matching openssl-version.cnf file to openssl.cnf, or create a symbolic link to it:

# rpm -q openssl
openssl-1.0.0-20.el6_2.2.i686
# cp openssl-1.0.0.cnf openssl.cnf

Run the following commands:

# . ./vars
# ./clean-all
# ./build-ca server

Note that the first command starts with two dots: the vars file is sourced into the current shell (". ./vars") rather than executed, so that its exported variables are visible to the following scripts.

Output:

Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

3.2. Generate the server key

# ./build-key-server server

Here "server" is the name label for the key; if it is not specified, a prompt is displayed during execution.

Output:

Generating a 1024 bit RSA private key
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Some of the prompts above require interaction. Generally you can accept the defaults; the answers shown as y (signing the certificate and committing it to the database) must be typed.
 
3.3. Generate the client key

# ./build-key client1

Here "client1" is the client name. If there are several clients, a key must be generated for each of them.

Output:

Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [HZ]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'HZ'
organizationName      :PRINTABLE:'HZ'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Some of the prompts above require interaction. Generally you can accept the defaults; the answers shown as y (signing the certificate and committing it to the database) must be typed.
 
3.4. Generate the Diffie-Hellman parameters

This step is required on the server and may take a long time:

# ./build-dh

3.5. File description

We have now created a complete set of key and certificate files, stored in the keys subdirectory of easy-rsa. The following table briefly describes these files:

Filename      Needed by                 Purpose                    Secret
ca.crt        server + all clients      Root CA certificate        No
ca.key        key signing machine only  Root CA key                Yes
dh{n}.pem     server only               Diffie-Hellman parameters  No
server.crt    server only               Server certificate         No
server.key    server only               Server key                 Yes
client1.crt   client1 only              Client1 certificate        No
client1.key   client1 only              Client1 key                Yes

 
Finally, download the keys directory: some of its files (see the table) are needed on the clients.
4. Configuration

OpenVPN ships with configuration file templates; edit the required items according to your situation. The templates are stored in:

  • source package: the sample-config-files subdirectory
  • RPM package: the sample-config-files subdirectory under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-version
 
4.1. Server

Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 and save. Then run:

# sysctl -p

Add the NAT rule so that traffic from the tunnel network leaves through the server's address:

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.122.180

Change 192.168.122.180 to the IP address of your VPS.
Save the iptables settings with /etc/init.d/iptables save, then restart with /etc/init.d/iptables restart.
 
Copy the keys directory to /etc/openvpn.
Copy server.conf from the template directory to /etc/openvpn and adjust it to your situation. The following is my configuration:

local 192.168.122.180
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.101.172.35"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

Start OpenVPN:

# openvpn --config /etc/openvpn/server.conf &

4.2. Client

Open the downloaded keys folder and copy ca.crt, client1.crt and client1.key into the \config directory under the OpenVPN installation path. Edit the client1.ovpn configuration file; for reference, see client.conf among the templates. The following is my client configuration:

client
dev tun
proto udp
remote 192.168.122.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Run the OpenVPN GUI as administrator on Windows 7 and click Connect. After a moment, the connection-successful message appears.
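As an added example (not part of the original article), here is a small Python checker that parses the server.conf and client1.ovpn shown above and reports the mismatches that would keep the tunnel from coming up (proto, port, server address, comp-lzo), as well as a client that omits the server-certificate role check that ns-cert-type server provides. The two embedded configs are constructed, shortened copies of the ones above.

```python
import shlex
# Constructed, shortened copies of the server.conf and client1.ovpn shown in this article.
SERVER_CONF = """
local 192.168.122.180
port 1194
proto udp
key /etc/openvpn/keys/server.key  # This file should be kept secret
push "dhcp-option DNS 202.101.172.35"
comp-lzo
"""
CLIENT_CONF = """
client
proto udp
remote 192.168.122.180 1194
ns-cert-type server
comp-lzo
"""
def parse_ovpn(text: str) -> dict:
    """Map each option to the argument lists it appears with; '#' and ';' begin comments."""
    opts = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # quoted args stay whole, '# ...' is dropped
        if tokens and not tokens[0].startswith(";"):
            opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts

def arg0(opts: dict, key: str, default: str) -> str:
    """First argument of an option's first occurrence, or default when absent or bare."""
    return (opts.get(key, [[default]])[0] or [default])[0]

def check_pair(server: dict, client: dict) -> list:
    """Findings where the client cannot interoperate with, or fails to authenticate, the server."""
    findings = []
    s_proto, c_proto = arg0(server, "proto", "udp"), arg0(client, "proto", "udp")
    if s_proto.rstrip("46") != c_proto.rstrip("46"):  # udp4/udp6 still pair with udp
        findings.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    s_port = arg0(server, "port", "1194")
    for remote in client.get("remote", []):
        host, port = remote[0], (remote[1] if len(remote) > 1 else "1194")
        if port != s_port:
            findings.append(f"remote {host}:{port} does not match server port {s_port}")
        if "local" in server and host != arg0(server, "local", host):
            findings.append(f"remote host {host} is not the server local address {arg0(server, 'local', '')}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo is set on one side only; both peers must agree on compression")
    # Without this, any certificate the CA issued (another client's, say) would be accepted as the server.
    if "server" not in (arg0(client, "ns-cert-type", ""), arg0(client, "remote-cert-tls", "")):
        findings.append("client does not verify the server certificate role (ns-cert-type/remote-cert-tls server)")
    return findings
```

Running check_pair on the two configs from this article returns no findings; drop the ns-cert-type line from the client and it reports the missing server-certificate role check.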
