Services/VPN/Openvpn

De TartareFR
Aller à la navigation Aller à la recherche

How to install, setup and configure an OpenVPN Service on CentOS

Introduction

In this tutorial, we will learn how to install, setup and configure an OpenVPN Service on CentOS 5 as well as configuring the firewall to allow vpn traffic. Clients configuration will be done in the linked article, available at the bottom of this tutorial.

Topology used in this scenario:

  • 1 Ethernet card (eth0) connected to a router, which forward all connection on port 1723 for UDP and TCP protocol to our server internal IP.
  • Internet IP: 1.2.3.4
  • Internal IP: 192.168.0.2
  • Existing Subnet: 192.168.0.0/24
  • New VPN Subnet: 172.16.0.0/24

Installation

Repositories

To begin, we need to make sure we have the RPMForge repository installed and activated.

SELinux

If you have SELinux enabled and enforcing, you will need to run this: 

semanage port -a -t openvpn_port_t -p tcp 1723
semanage port -a -t openvpn_port_t -p udp 1723

Install

Install OpenVPN via yum. This will make sure that the following package are installed: openvpn, lzo, pkcs11-helper 

yum install openvpn

Keys datadir

Copy the easy-rsa directory from the template to your /etc/openvpn (please change the version number according to your version of openvpn) 

cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *

SSL Configuration

Edit the configuration file <path>/etc/openvpn/easy-rsa/2.0/vars</path> with your favorite editor, and change the values at the complete bottom to correspond with your own informations and make sure you save a copie somewhere. (from KEY_COUNTRY up to KEY_OU)

File <path>/etc/openvpn/easy-rsa/2.0/vars</path> 

KEY_COUNTRY="CA"
KEY_PROVINCE="QC"
KEY_CITY="Montreal"
KEY_ORG="CompanyName"
KEY_EMAIL="your@email.com"
KEY_EMAIL=your@email.com
KEY_CN=server.hostname.com
KEY_NAME=server.hostname.com
KEY_OU=OrganisationUnitName

Create Certificate authority and keys

Source the configuration file `vars` with the following command and clean-all 

source /etc/openvpn/easy-rsa/2.0/vars
/etc/openvpn/easy-rsa/2.0/clean-all

Once we reach this step, openvpn has been installed and initially configured. Now we have to build our CA Certificate, our Server Certificate and our Client Certificate.

Start by building the CA Certificate with the command: 

/etc/openvpn/easy-rsa/2.0/build-ca

This step will ask your information for the CA Certificate Authority that we are creating, if we configured the `vars` configuration file in step 6, the default values provided between ‘[' and ']‘ for each value should be fine. Otherwise change accordingly.

It is time now to create the Server Certificate with our newly created CA Authority Certificate. Run the following command (and replace `server.hostname.com` with your server hostname): 

/etc/openvpn/easy-rsa/2.0/build-key-server server.hostname.com

This will print a summary of the certificate to be created and ask you to confirm that you want to “Sign the certificate” which you will say YES ot ‘y’ Finally, it will ask you to confirm to commit the change, which again, you will say YES or ‘y’

Create the DH and move it.

This key prevent Man on the middle attacks. 

/etc/openvpn/easy-rsa/2.0/build-dh
mv /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/keys/

Server/Client configuration

Now we have to edit our main configuration file at /etc/openvpn/openvpn.conf with our favorite editor, (change server.hostname.com for the value used while building the server certificate at step 10)

File <path>/etc/openvpn/openvpn.conf</path> 

port 1723
proto udp # UDP is faster than TCP
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.hostname.com.crt
key /etc/openvpn/keys/server.hostname.com.key
dh /etc/openvpn/keys/dh1024.pem
cipher BF-CBC
comp-lzo
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 4.2.2.2" # Change these to your own DNS Server for even greater security
push "dhcp-option DNS 4.2.2.1" # Change these to your own DNS Server for even greater security
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3

Create the directory to hold our created keys and certificates, make it private and move them into it: 

mkdir /etc/openvpn/keys/
chmod 0700 /etc/openvpn/keys/
mv /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,ca.key,server.hostname.com.crt,server.hostname.com.key} /etc/openvpn/keys/

Start the VPN

Make sure that the OpenVPN Service start at boot time 

chkconfig openvpn on

That it! The OpenVPN Service is now ready to be executed. 

/etc/init.d/openvpn start

Firewall

For the Firewall configuration, you need to run the following commands: 

/sbin/iptables -A INPUT -d 1.2.3.4 -i eth0 -p udp -m udp --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -s 1.2.3.4 -d 172.16.0.0/255.255.255.0 -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -s 1.2.3.4 -d 172.16.0.0/255.255.255.0 -o tun0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j DROP

/sbin/iptables-save > /etc/sysconfig/iptables
/sbin/service iptables restart

We still have to create the client certificate and configure the client to connect to our OpenVPN Service.

Récupérée de « https://wikiold.home.tartarefr.eu/index.php?title=Services/VPN/Openvpn&oldid=1814 »