OpenVPN may be free and open source, but it certainly rivals the enterprise products out there. It is a full-featured SSL VPN that can be used to create a VPN over any readily available public network. It has Linux and Windows clients, so you are not limited to Linux when using OpenVPN. OK, let's dive into installation and setup:
1. Install openvpn.
# yum install openvpn
2. Copy the necessary configuration files to generate RSA keys and Initialize PKI.
# cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0/
3. Make the /etc/openvpn/keys directory and edit the /etc/openvpn/easy-rsa/2.0/vars file:
# mkdir /etc/openvpn/keys
# vi vars
Now set the parameters for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Here is a sample:
export KEY_ORG="Fourthirty Inc."
Also set the KEY_DIR parameter line to read as:
4. Initialize PKI.
# . ./vars
Note the syntax of the line above: a dot, a space, then ./vars. The leading dot sources the file into the current shell so that the exported variables are visible to the easy-rsa scripts that follow.
5. Build the server key.
# ./build-key-server server
6. Generate certificates and keys for clients. You can do this for as many clients as you want to join your VPN; I am demonstrating the setup of only one client.
# ./build-key client1
7. Generate Diffie-Hellman parameters.
8. Copy server.conf file from the /usr/share/doc/openvpn-2.1/sample-config-files/ to /etc/openvpn/ and make the following changes:
# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
server 172.16.0.0 255.255.255.0
9. That's it! You have successfully set up the OpenVPN server. Now start the service and set it to start automatically at boot:
# service openvpn start
# chkconfig openvpn on
10. Set up the client on Linux. Copy client.conf to /etc/openvpn:
# cp /usr/share/doc/openvpn-2.1/sample-config-files/client.conf /etc/openvpn/
From the server, copy ca.crt, client1.crt and client1.key over to the client machine. Use a secure method to do this; client1.key is the client's private key. The files are located in /etc/openvpn/keys/.
Edit client.conf to include:
remote <ip of server> 1194
Now start the client service:
# service openvpn start
Ping 172.16.0.1 from the client machine. If it succeeds, congratulations!
Then issue these commands. Each line is a new command; anything beginning with "#" is a comment, so don't try to execute those.
2. Right, now you want to install OpenVPN. Here are the commands:
3. A few things to set up before you can make certificates. Issue these commands:
4. You need to edit the vars file, located in /etc/openvpn/easy-rsa
You can use any editor you like, I used vi.
Change the line
Also, at the bottom of this file you will see something similar to this:
Change this to your own values.
5. Now it's time to make the certificates. Enter these commands:
# just hit enter to accept the defaults,
# apart from Common Name, which must be unique
# call it something like mydomain-ca
# that common name must be unique too, e.g. use mydomain-client1
# and YES, you want to sign the keys
# do this step for as many clients as you need
6. We are almost done now. Right, we need to create a few config files; you can download my template from here:
Make sure you change a few things in the server.conf file:
~ this makes the log file.
makes the IP reservation list.
7. You need to make a few changes to OpenVPN itself. Go to:
edit the openvpn
# Uncomment this line (line 119)
Add these lines below it, changing 126.96.36.199 to your public IP address:
Now install iptables if you don't have it already:
8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN; use the GUI version, downloadable from here:
You need to copy a few files from the server to your client machine. Here is the list; they are located in /etc/openvpn/keys/:
## WARNING ## Use a secure way of transferring these files off the server, such as WinSCP. The client's private key is among them.
Put these files in this directory: C:\Program Files\OpenVPN\config\
Now you need to make a client config. Here is an example:
# Change my.publicdomain.com to your public domain or IP address
# DNS options here, CHANGE THESE!!
"dhcp-option DNS 188.8.131.52"
"dhcp-option DNS 184.108.40.206"
Make sure you edit every line that has a comment above it.
Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config\
Make sure the file extension is .ovpn, not .txt.
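Before the profile and the three PKI files are transferred off the server, it is worth checking that the bundle is complete and that the edits above were actually made. The following POSIX shell script is an added example, not part of the tutorial: it checks the extension, the placeholder remote line, that every ca/cert/key directive points at a file in the bundle, that the private key is not readable by other users, and that the dhcp-option DNS values are well-formed. The host vpn.example.com and the empty placeholder files written by make_sample_bundle are assumptions for a dry run; the script does not validate the certificates themselves.

```shell
#!/bin/sh
# Pre-distribution check for an OpenVPN client bundle: the .ovpn profile plus the
# ca.crt / clientN.crt / clientN.key files it references. Packaging checks only.

# valid_ipv4 A.B.C.D -> exit 0 only for four dotted octets, each 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $0 ~ /^[0-9.]+$/ { ok = 1; for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) ok = 0 }
        END { exit !ok }'
}

# check_ovpn_bundle DIR PROFILE -> prints one "FAIL:" line per problem; exit 0 only when clean
check_ovpn_bundle() {
    dir=$1 profile=$2 rc=0 cfg="$1/$2"
    case "$profile" in *.ovpn) ;; *) echo "FAIL: $profile: extension must be .ovpn"; rc=1 ;; esac
    [ -f "$cfg" ] || { echo "FAIL: $cfg not found"; return 1; }
    grep -q '<ip of server>' "$cfg" && { echo "FAIL: remote still has the <ip of server> placeholder"; rc=1; }
    grep -Eq '^remote[[:space:]]+[^[:space:]<]+[[:space:]]+[0-9]+' "$cfg" ||
        { echo "FAIL: no 'remote <host> <port>' line"; rc=1; }
    # every ca / cert / key directive must point at a file shipped in the bundle
    for d in ca cert key; do
        f=$(awk -v d="$d" '$1 == d { print $2; exit }' "$cfg")
        [ -n "$f" ] || { echo "FAIL: no '$d' directive"; rc=1; continue; }
        [ -f "$dir/$f" ] || { echo "FAIL: $d file $f is not in the bundle"; rc=1; continue; }
        # the private key must not be readable by other users on the server
        if [ "$d" = key ] && [ -n "$(find "$dir/$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "FAIL: $f is group- or world-readable (chmod 600 it)"; rc=1
        fi
    done
    # dhcp-option DNS values (with or without push "..." quoting) must be IPv4 addresses
    for ip in $(awk '/dhcp-option[ \t]+DNS/ { gsub(/"/, "", $NF); print $NF }' "$cfg"); do
        valid_ipv4 "$ip" || { echo "FAIL: bad DNS address '$ip'"; rc=1; }
    done
    return $rc
}

# make_sample_bundle DIR -> constructed sample: a minimal profile and empty placeholder PKI files
make_sample_bundle() {
    mkdir -p "$1"
    : > "$1/ca.crt"; : > "$1/client1.crt"; : > "$1/client1.key"
    chmod 600 "$1/client1.key"
    cat > "$1/client1.ovpn" <<'EOF'
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
dhcp-option DNS 188.8.131.52
EOF
}
```

Run it as `check_ovpn_bundle /path/to/bundle client1.ovpn` on the real files; a clean exit status means the bundle is ready to be transferred with WinSCP or scp.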
To connect, right-click the OpenVPN icon in the taskbar and choose Connect.
To test, ping 192.168.2.1.
If you get a response, you're in business.