OpenVPN on Fedora 9

Filed in: fedora, internet, linux, network, security, vpn

OpenVPN may be free and open source, but it sure challenges the enterprise stuff out there. It is a full-featured SSL VPN which can be used to create a VPN over a readily available public network. It has Linux and Windows clients, which means you are not limited to Linux alone when using OpenVPN. OK, let's dive into installation and setup:

1. Install openvpn.

# yum install openvpn

2. Copy the necessary configuration files to generate RSA keys and Initialize PKI.

# cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0/

3. Make the /etc/openvpn/keys directory and edit the /etc/openvpn/easy-rsa/2.0/vars file:

# mkdir /etc/openvpn/keys
# vi vars

now set the parameters for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Here is a sample:

export KEY_PROVINCE="Kaafu"
export KEY_CITY="Male"
export KEY_ORG="Fourthirty Inc."
export KEY_EMAIL="typos@fourthirty.rog"

also set the KEY_DIR parameter line to read as:

export KEY_DIR="/etc/openvpn/keys"

4. Initialize PKI.

# . ./vars

the above line is very tricky (dot, space, dot-slash-vars): it sources vars into the current shell, so the exported KEY_* variables are visible to the scripts that follow

# ./clean-all
# ./build-ca

5. Build the server key.

# ./build-key-server server

6. Generate certificates and keys for clients. You can do this for as many clients as you want to join your VPN. I am demonstrating the setup of only one client.

# ./build-key client1

7. Generate Diffie-Hellman parameters.

# ./build-dh

8. Copy the server.conf file from /usr/share/doc/openvpn-2.1/sample-config-files/ to /etc/openvpn/ and make the following changes:

# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/

ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem

9. That's it! You have successfully set up the OpenVPN server. Now start the service and set it to start automatically on boot.

# service openvpn start
# chkconfig openvpn on
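Before handing keys out to clients, it is worth checking what easy-rsa actually produced. The script below is an added example, not part of the original post: it assumes the KEY_DIR layout from step 3 and the file names from steps 4 to 7 (ca.crt, server.crt/.key, client1.crt/.key, dh1024.pem), and it builds its own throwaway test PKI (constructed test data, with the extension file standing in for easy-rsa's openssl.cnf) so it can be tried without touching /etc/openvpn/keys.

```shell
#!/bin/sh
# Pre-flight checks on an easy-rsa 2.0 key directory before the server goes live.
# Added example, not from the original post. Assumes the KEY_DIR layout used above:
# ca.crt, ca.key, server.crt, server.key, client1.crt, client1.key, dh1024.pem.
set -eu

# check_keys DIR  -> prints one line per check, returns 0 only if all pass
check_keys() {
    dir=$1
    status=0

    # 1. Each issued certificate must chain to ca.crt; a cert from any other
    #    CA must be rejected by the server (and by the client for server.crt).
    for name in server client1; do
        if openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
            echo "ok   $name.crt chains to ca.crt"
        else
            echo "FAIL $name.crt does not chain to ca.crt"; status=1
        fi
    done

    # 2. The server cert must carry nsCertType=server (build-key-server sets it).
    #    The client's 'ns-cert-type server' line rejects a server cert without it,
    #    which is what stops a leaked client cert being used to impersonate the server.
    if openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'SSL Server'; then
        echo "ok   server.crt has nsCertType=server"
    else
        echo "FAIL server.crt lacks nsCertType=server"; status=1
    fi

    # 3. Private keys (the CA key above all) must be readable by the owner only.
    for name in ca server client1; do
        [ -f "$dir/$name.key" ] || continue
        mode=$(stat -c %a "$dir/$name.key")
        case $mode in
            *00) echo "ok   $name.key mode $mode" ;;
            *)   echo "FAIL $name.key mode $mode is group/world readable"; status=1 ;;
        esac
    done

    # 4. The DH parameter file referenced by server.conf must exist and parse.
    if openssl dhparam -in "$dir/dh1024.pem" -noout -text >/dev/null 2>&1; then
        echo "ok   dh1024.pem parses"
    else
        echo "FAIL dh1024.pem missing or unreadable"; status=1
    fi

    return $status
}

# make_test_pki DIR  -> constructed throwaway PKI in the same layout (test data
# only); the ext.cnf here mimics the [server]/[client] sections of easy-rsa's openssl.cnf
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    printf '[server]\nnsCertType=server\nextendedKeyUsage=serverAuth\n[client]\nextendedKeyUsage=clientAuth\n' > "$dir/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=test-ca -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for name in server client1; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        if [ "$name" = server ]; then ext=server; else ext=client; fi
        openssl x509 -req -days 2 -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
    done
    # -dsaparam makes generation fast; fine for test data, use plain build-dh for real keys
    openssl dhparam -dsaparam -out "$dir/dh1024.pem" 1024 2>/dev/null
    chmod 600 "$dir"/*.key
}

# Usage: sh check-openvpn-keys.sh /etc/openvpn/keys
if [ $# -ge 1 ]; then
    check_keys "$1"
fi
```

Run it as root against /etc/openvpn/keys after step 7; any FAIL line means the server or the client1 profile will not work, or that a private key is exposed to other local users.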

10. Set up the client on Linux. Copy client.conf to /etc/openvpn:

# cp /usr/share/doc/openvpn-2.1/sample-config-files/client.conf /etc/openvpn/

from the server system copy ca.crt, client1.crt and client1.key over to the client machine, into /etc/openvpn/keys/ so that the relative keys/ paths in client.conf resolve. Use a secure method to do this (client1.key is the client's private key and must stay confidential). On the server the files are located in /etc/openvpn/keys/

edit the client.conf to include:

remote <ip of server> 1194
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server

start the client service now.

# service openvpn start

Ping from the client machine. If it succeeds, congrats!


OpenVPN on Fedora 9


Then issue these commands. Each line is a separate command; anything beginning with "#" is a comment, so don't try to execute those.


yum update
yum install openssl openssl-devel
# openssl and openssl-devel may be installed already… so don’t worry

2. Right, now you want to install OpenVPN; here are the commands:


yum install openvpn -y
#Now check that it works
service openvpn start
service openvpn stop

3. A few things to set up before you can make certificates; issue these commands:


find / -name "easy-rsa"
#you should get an output like this…
#Now, make a copy of the easy-rsa directory to /etc/openvpn/ (make sure you
#have put the right version number in, i.e. mine was -2.0.7, change if needed)
cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
#the scripts only need to be executable (the original post used chmod 777,
#which also makes them world-writable; execute permission is all they need)
chmod +x *
mkdir /etc/openvpn/keys

4. You need to edit the vars file, located in /etc/openvpn/easy-rsa
You can use any editor you like, I used vi.

Change the line

export KEY_DIR=$D/keys

to

export KEY_DIR=/etc/openvpn/keys

Also at the bottom of this file you will see something similar to this,


export KEY_ORG="My Org"


Change this to your own values.

5. Now it's time to make the certificates; enter these commands:



. ./vars
./clean-all
./build-ca

# just hit enter to the defaults apart from Common Name, this must be unique
# call it something like mydomain-ca


./build-key-server server


./build-key client1

# remember that common name must be unique e.g. use mydomain-client1
# and YES you want to sign the keys


./build-key client2

# do this step for as many clients as you need.



6. We are almost done now. Right, we need to create a few config files; you can download my template from here,


cd /etc/openvpn

# make sure you change a few things in the server.conf file, like DNS
# servers

touch server-tcp.log

this creates the log file.

touch ipp.txt

this creates the IP reservation list (the file OpenVPN uses to hand each client the same address again).

7. You need to make a few changes to the OpenVPN init script itself. Go to:

cd /etc/init.d/

edit the openvpn file

#Uncomment this line (line 119)
echo 1 > /proc/sys/net/ipv4/ip_forward

Add this line below it, changing the addresses to your VPN subnet and your public IP address:

iptables -t nat -A POSTROUTING -s <vpn subnet, e.g. 10.8.0.0/24> -j SNAT --to <your public IP>
# SNAT assumes a fixed public address; if yours changes (DHCP, PPPoE) use -j MASQUERADE instead

Now install iptables if you don't have it already,

yum install iptables
#test it
service iptables start
service iptables stop

8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN; use the GUI version, downloadable from here;

You need to copy a few files from the server to your client machine. Here is the list; they are located in /etc/openvpn/keys/ on the server:

## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.


Put these files in this directory C:\Program Files\OpenVPN\config\

Now you need to make a client config, here is an example..

#TLS client mode, accept options pushed by the server (required with ca/cert/key below)
client
dev tun
proto tcp

#Change to your public domain or IP address
remote <your public domain or IP> 1194

resolv-retry infinite

ca ca.crt
cert client1.crt
key client1.key

ns-cert-type server

#DNS Options here, CHANGE THESE !!
#(in a client config the option is set directly; "push" only works in the server config)
dhcp-option DNS <dns server IP>
dhcp-option DNS <second dns server IP>

verb 3

Make sure you edit any of the lines with comments above them.

Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config\

Make sure the file extension is .ovpn not .txt

To connect right click on OpenVPN in the taskbar >> Connect

To test ping

If you get a response, you're in business.
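Carrying the config plus three key files to the Windows box, and the warning above about transferring them securely, both get simpler if the certificates and key are embedded in the profile itself. The script below is an added example, not part of the original post: it assumes easy-rsa's file names (ca.crt, <client>.crt, <client>.key) and OpenVPN 2.1 or later on the client, which understands the inline <ca>/<cert>/<key> blocks; the server name in the usage line is a placeholder.

```shell
#!/bin/sh
# Build a single .ovpn profile with the CA certificate, client certificate and
# client key embedded inline, so one file (instead of four) has to be moved to
# the Windows machine. Added example, not from the original post; assumes
# easy-rsa's file names and an OpenVPN 2.1+ client.
set -eu

# make_profile KEYDIR CLIENT SERVER_HOST  -> prints the profile on stdout
make_profile() {
    keydir=$1
    client=$2
    server=$3
    # easy-rsa writes a human-readable dump in front of the PEM block of each
    # .crt; 'openssl x509' re-emits only the PEM part, which is what the inline
    # block must contain. The .key file is already plain PEM.
    cat <<EOF
client
dev tun
proto tcp
remote $server 1194
resolv-retry infinite
nobind
ns-cert-type server
verb 3
<ca>
$(openssl x509 -in "$keydir/ca.crt")
</ca>
<cert>
$(openssl x509 -in "$keydir/$client.crt")
</cert>
<key>
$(cat "$keydir/$client.key")
</key>
EOF
}

# Usage (vpn.example.com is a placeholder for your server):
#   umask 077; sh make-profile.sh /etc/openvpn/keys client1 vpn.example.com > client1.ovpn
if [ $# -eq 3 ]; then
    make_profile "$1" "$2" "$3"
fi
```

The output file now contains the client's private key, so it deserves the same care as client1.key: create it with umask 077, move it over an encrypted channel (the WinSCP suggestion above still applies) and delete the server-side copy once the client has it.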