OpenVPN on CentOS

  1. wget
    rpm -Uvh epel-release-6-8.noarch.rpm
  2. yum install openvpn -y
  3. Easy-rsa isn’t included in OpenVPN anymore.  This is from –
    Download easy-rsa from below:
    Extract the package:
    tar -zxvf easy-rsa-2.2.0_master.tar.gz
    Copy to the OpenVPN directory:
    cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
    Open up with vi or other favorite editor /etc/openvpn/easy-rsa/2.0/vars and edit the below line:
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnfNext change the KEY_COUNTRY through KEY_OU values at the end of the file.Save and exit
  4. From same 2.0 directory as var, cp openssl-1.0.0.cnf openssl.cnf
  5. Build the CA, previous changes should be defaults to questions:
    source ./vars
  6. Create server certificate, answering yes to commit:
    ./build-key-server server
  7. Generate Diffie Hellman key exchange files:
    cd keys
    cp dh1024.pem ca.crt server.crt server.key /etc/openvpn
  8. Generate client certificates:
    cd ..
    ./build-key <client name>
  9. Get ca.crt, and <client name>.crt/key to OpenVPN client
  10. cp /usr/share/doc/openvpn-*/samples/sample-config-files/server.conf /etc/openvpn
  11. vi /etc/openvpn/server.conf and set the “local” ip for OpenVPN to listen on.  Uncomment the user and group nobody lines.
  12. service openvpn start
    chkconfig –level 3 openvpn on
  13. modify iptables rules for listening to port 1194 TCP:
    iptables -A INPUT -i eth0 -p tcp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 1194 -j ACCEPT
    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

    Next you need to allow certain traffic going through the tunnel.  For no restrictions use:

    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A OUTPUT -o tun0 -j ACCEPT
    iptables -A FORWARD -o tun0 -j ACCEPT
%d bloggers like this: