Centos – Implementing a vpn server and client using openvpn

Instead of sshing into your home machine from anywhere, it is actually more secure and convenient to use a vpn. With a vpn, you can share different subnets as well. The problem most people find is that setting up a vpn server can be complicated – well, not so with openvpn.

This tutorial is a summarised version of http://openvpn.net/howto.html

I am using Centos 5.3 but the principle should work with any distro. The Centos repo doesn't have the openvpn rpm yet, so we will use the dag repo (http://dag.wieers.com/rpm/FAQ.php#B). Install the repo and we are ready to go.

change to root user and install openvpn

sudo -s
yum install openvpn

get all the necessary files from the sample dir and make them executable (replace openvpn-xxx with the version you installed)

cd /etc/openvpn
cp -r /usr/share/doc/openvpn-xxx/easy-rsa/2.0 ./
cd 2.0
chmod u+x *

change the sample vars

vim vars (change the parameters at the bottom of the file)
source vars

now build all the necessary certificates and keys

./build-ca (when prompted with the questions, you have to explicitly enter the common name)
./build-key-server server
./build-key user1 (this is the client key, you can create keys for any no. of users)
./build-dh (generates keys/dh1024.pem, the Diffie-Hellman parameters copied in the next step)

now, setup the config file

cp keys/server.{crt,key} /etc/openvpn
cp keys/ca.crt /etc/openvpn
cp keys/dh1024.pem /etc/openvpn

cp /usr/share/doc/openvpn-xxx/sample-config-files/server.conf /etc/openvpn
cd /etc/openvpn
vim server.conf
(you might want to change the port no., protocol and subnet. You also need to change the remote name.)

Now you need to modify the firewall to accommodate whatever port you are using for the vpn. If you have selinux turned on, you also need to label that port as an openvpn port with the command below (tcp_or_udp and your_port_no are placeholders for your own protocol and port).

semanage port -a -t openvpn_port_t -p tcp_or_udp your_port_no

restart openvpn and try to connect to it with a client, which we will set up next.

service openvpn restart

Now let us try to setup a vpn client using centos and connect with the server.

In the client machine, become a root user and

yum install openvpn

copy the sample config over

cd /etc/openvpn
cp /usr/share/doc/openvpn-xxx/sample-config-files/client.conf ./

(now you need to copy the client keys from the server to this directory. Remember the /etc/openvpn/2.0/keys dir that you created on the server? You will need to get ca.crt, user1.key and user1.crt from there; copy them over a secure channel such as scp, and keep user1.key readable only by its owner. Instead of putting the config and keys in /etc/openvpn, you can put them in ~/openvpn as well, but then you will need root privileges when executing the openvpn command.)

edit the config file

vim client.conf
(change the remote name, port, and the ca and key paths. Depending on the server settings, you might need to change the protocol as well.)

Modify firewall settings if need be. When ready for testing, start the openvpn connection

openvpn client.conf
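Pulling the server.conf and client.conf edits above together, here is an added example (not from the original post) that writes the two configs and checks that they agree on protocol, device and port before you run openvpn. The host name vpn.example.com, port 1194, the 10.8.0.0/24 tunnel subnet and the /etc/openvpn key paths are assumptions; adjust them to your own setup.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a matching server.conf
# and client.conf for the setup described above and checks that they agree.
# Host name, port, subnet and key paths are assumptions.

write_server_conf() {   # $1 = path of the server.conf to write
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
EOF
}

write_client_conf() {   # $1 = path of the client.conf to write
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/user1.crt
key /etc/openvpn/user1.key
ns-cert-type server
persist-key
persist-tun
EOF
}

# Print the first value of directive $2 found in config file $1.
cfg_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Return 0 when client and server agree on proto, dev and port; the
# client's port is the third field of its "remote host port" line.
check_pair() {   # $1 = server.conf  $2 = client.conf
  c_port=$(awk '$1 == "remote" { print $3; exit }' "$2")
  [ "$(cfg_get "$1" proto)" = "$(cfg_get "$2" proto)" ] || { echo "proto mismatch"; return 1; }
  [ "$(cfg_get "$1" dev)" = "$(cfg_get "$2" dev)" ] || { echo "dev mismatch"; return 1; }
  [ "$(cfg_get "$1" port)" = "$c_port" ] || { echo "port mismatch"; return 1; }
  echo "client and server settings agree"
}
```

The user/group nobody lines make the server drop root once the tunnel is up, and ns-cert-type server makes the client refuse a server that presents an ordinary client certificate, which is why the server key was made with build-key-server above.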

You can also set up a windows openvpn client. The details are documented on the openvpn.net how-to page as well.
