Install and Configure OpenVPN

Posted By NIR On 15:01 0 comments
Install OpenVPN and create a virtual private network.

This example is based on the environment below.
(172.16.2.1 is an address from a private range, but it stands in here for the server's global IP; read it as your own global IP.)

(1) VPN Server
[172.16.2.1]
- Global IP address

[192.168.0.17]
- eth0

[192.168.0.4]
- br0, created for the bridge

(2) VPN Client (Windows)
[10.0.0.2]
- original address

[192.168.0.??]
- assigned by the VPN server

Note that some NAT/port-forwarding settings are needed on your router. By default the VPN server listens on UDP port 1194, so in this example a UDP request to port 1194 arriving from the Internet has to be forwarded to 192.168.0.4:1194 on the LAN.
[1] Install and configure OpenVPN

# install from DAG
[root@ns ~]# yum --enablerepo=dag -y install openvpn bridge-utils
[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
[root@ns ~]# vi /etc/openvpn/server.conf

# line 53: change
dev tap0

# line 78: change
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

# line 87: change
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# line 96: comment out
#server 10.8.0.0 255.255.255.0

# line 103: comment out
#ifconfig-pool-persist ipp.txt

# line 115: change ( [VPN server's IP] [subnet mask] [IP range given to clients] )
server-bridge 192.168.0.4 255.255.255.0 192.168.0.50 192.168.0.100

# line 125: change ( [VPN server's network] [subnet mask] )
push "route 192.168.0.0 255.255.255.0"

# line 267: change
status /var/log/openvpn-status.log

# line 276: change
log /var/log/openvpn.log
log-append /var/log/openvpn.log
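As an added check that is not part of the original post, the shell function below reads a server.conf and verifies that the bridged-mode edits above fit together: `dev tap`, the routed-mode `server` line left commented out, and a `server-bridge` pool that lies inside the bridge's subnet without swallowing the server's own address. The function and helper names are hypothetical; it needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the bridged-mode
# directives in an OpenVPN server.conf. Helper names are hypothetical.

# Dotted-quad IPv4 address -> unsigned integer, e.g. 192.168.0.4 -> 3232235524
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# check_bridge_conf FILE -> returns 0 if the config is consistent, 1 otherwise;
# each problem found is printed on its own FAIL: line.
check_bridge_conf() {
    conf=$1
    rc=0
    # server-bridge hands LAN addresses out over a layer-2 bridge, so the
    # device must be a tap, not a tun.
    grep -Eq '^dev[[:space:]]+tap' "$conf" \
        || { echo "FAIL: server-bridge requires 'dev tap'"; rc=1; }
    # The routed-mode 'server' directive (line 96 in the post) must stay commented out.
    if grep -Eq '^server[[:space:]]' "$conf"; then
        echo "FAIL: 'server' must be commented out when server-bridge is used"; rc=1
    fi
    # server-bridge <gateway> <netmask> <pool-start> <pool-end>
    set -- $(grep -E '^server-bridge[[:space:]]' "$conf" | head -n 1)
    if [ $# -ne 5 ]; then
        echo "FAIL: server-bridge needs gateway, netmask, pool-start and pool-end"
        return 1
    fi
    gw=$(ip2int "$2"); mask=$(ip2int "$3"); lo=$(ip2int "$4"); hi=$(ip2int "$5")
    net=$(( gw & mask ))
    # The pool must be an ascending range inside the bridge's own subnet ...
    if [ "$lo" -gt "$hi" ] || [ $(( lo & mask )) -ne "$net" ] || [ $(( hi & mask )) -ne "$net" ]; then
        echo "FAIL: pool $4-$5 is not a valid range inside the bridge subnet"; rc=1
    fi
    # ... and must not contain the bridge address itself.
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "FAIL: bridge address $2 lies inside the client pool"; rc=1
    fi
    return $rc
}
```

Run it as `check_bridge_conf /etc/openvpn/server.conf` after editing; a zero exit status means the four bridged-mode directives agree with each other.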
[2] Create CA certificate and key
[root@ns ~]# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa /etc/openvpn/
[root@ns ~]# cd /etc/openvpn/easy-rsa/
[root@ns easy-rsa]# mkdir keys
[root@ns easy-rsa]# vi vars

# line 45: change for your environment
export KEY_COUNTRY=JP
export KEY_PROVINCE=Hiroshima
export KEY_CITY=Hiroshima
export KEY_ORG="server-linux.info"
export KEY_EMAIL="root@server-linux.info"

[root@ns easy-rsa]# chmod 700 vars
[root@ns easy-rsa]# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@ns easy-rsa]# chmod 700 clean-all
[root@ns easy-rsa]# ./clean-all
[root@ns easy-rsa]# chmod 700 build-ca
[root@ns easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.........................................++++++
...............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:   # Enter
State or Province Name (full name) [Hiroshima]:   # Enter
Locality Name (eg, city) [Hiroshima]:   # Enter
Organization Name (eg, company) [server-linux.info]:   # Enter
Organizational Unit Name (eg, section) []:   # Enter
Common Name (eg, your name or your server's hostname) []:server-ca   # input
Email Address [root@server-linux.info]:   # Enter

[3] "ca.crt" is created under /etc/openvpn/easy-rsa/keys/. Copy it to your client PC by FTP or SFTP.
[4] Create server certificate and key
[root@ns easy-rsa]# chmod 700 build-key-server
[root@ns easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
....++++++
.......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:   # Enter
State or Province Name (full name) [Hiroshima]:   # Enter
Locality Name (eg, city) [Hiroshima]:   # Enter
Organization Name (eg, company) [server-linux.info]:   # Enter
Organizational Unit Name (eg, section) []:   # Enter
Common Name (eg, your name or your server's hostname) []:server   # input
Email Address [root@server-linux.info]:   # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # Enter
An optional company name []:   # Enter
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'server-linux.info'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'root@server-linux.info'
Certificate is to be certified until Sep 4 14:11:20 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[5] Create Diffie-Hellman (DH) parameters
[root@ns easy-rsa]# chmod 700 build-dh
[root@ns easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[6] Create client certificate and key
[root@ns easy-rsa]# chmod 700 build-key-pass
[root@ns easy-rsa]# ./build-key-pass client
Generating a 1024 bit RSA private key
......++++++
.......................++++++
writing new private key to 'client.key'
Enter PEM pass phrase:   # set a pass-phrase
Verifying - Enter PEM pass phrase:   # verify
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:   # Enter
State or Province Name (full name) [Hiroshima]:   # Enter
Locality Name (eg, city) [Hiroshima]:   # Enter
Organization Name (eg, company) [server-linux.info]:   # Enter
Organizational Unit Name (eg, section) []:   # Enter
Common Name (eg, your name or your server's hostname) []:client   # input
Email Address [root@server-linux.info]:   # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # Enter
An optional company name []:   # Enter
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'server-linux.info'
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'root@server-linux.info'
Certificate is to be certified until Sep 4 14:20:52 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[7] "client.crt" and "client.key" are created under /etc/openvpn/easy-rsa/keys/. Copy them to your client PC by FTP or SFTP.
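Before the certificates and keys leave the server, it is worth confirming that what easy-rsa produced fits together. The function below is an added example, not from the original post (`verify_openvpn_pki` and its helpers are hypothetical names; it assumes the openssl command-line tool and the keys directory layout used above): it checks that server.crt and client.crt chain to ca.crt, that server.crt matches server.key, that client.key is passphrase-protected as build-key-pass intends, and that the DH parameter file parses.

```shell
#!/bin/sh
# Added example (not from the original post): verify the easy-rsa output before
# anything is copied to a client. Function names are hypothetical.
# Usage: verify_openvpn_pki /etc/openvpn/easy-rsa/keys

# MD5 of a certificate's RSA modulus, and of an unencrypted private key's modulus;
# equal digests mean the certificate really belongs to that key.
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl md5; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" | openssl md5; }

# verify_openvpn_pki KEYS_DIR [DH_FILE] -> returns 0 only when every check passes
verify_openvpn_pki() {
    keys=$1; dh=${2:-dh1024.pem}; rc=0
    # 1. Both leaf certificates must chain to the CA named in server.conf.
    for crt in server.crt client.crt; do
        openssl verify -CAfile "$keys/ca.crt" "$keys/$crt" 2>/dev/null | grep -q ': OK$' \
            || { echo "FAIL: $crt does not verify against ca.crt"; rc=1; }
    done
    # 2. server.crt must have been issued for server.key.
    [ "$(cert_modulus "$keys/server.crt")" = "$(key_modulus "$keys/server.key")" ] \
        || { echo "FAIL: server.crt and server.key do not match"; rc=1; }
    # 3. build-key-pass encrypts the client key; a plaintext key here means the
    #    passphrase step was skipped and the file is a bare secret.
    grep -q 'ENCRYPTED' "$keys/client.key" \
        || { echo "FAIL: client.key is not passphrase-protected"; rc=1; }
    # 4. The DH parameter file referenced by server.conf must exist and parse.
    openssl dhparam -in "$keys/$dh" -noout -text >/dev/null 2>&1 \
        || { echo "FAIL: $dh is missing or not valid DH parameters"; rc=1; }
    # 5. The CA private key stays on the server and should be readable by root only.
    case $(stat -c %a "$keys/ca.key" 2>/dev/null) in
        600|400) ;;
        *) echo "WARN: ca.key should be mode 600 (chmod 600 $keys/ca.key)" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: PKI in $keys is consistent"
    return "$rc"
}
```

client.key is a private key: even with a passphrase on it, copy it to the client over SFTP rather than plain FTP, which would send it in cleartext.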
[8] Create the bridge networking and start-up script for the VPN server.
[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-scripts/openvpn.init /etc/openvpn/
[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-stop /etc/openvpn/
[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-start /etc/openvpn/
[root@ns ~]# chmod 755 /etc/openvpn/bridge-start
[root@ns ~]# chmod 755 /etc/openvpn/bridge-stop
[root@ns ~]# chmod 755 /etc/openvpn/openvpn.init
[root@ns ~]# vi /etc/openvpn/bridge-start

# lines 18-20: change ( IP for bridge : subnet mask : broadcast address )
eth_ip="192.168.0.4"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

[root@ns ~]# vi /etc/sysctl.conf

# line 7: change ( enable IP forwarding )
net.ipv4.ip_forward = 1

[root@ns ~]# cp /etc/rc.d/init.d/network /etc/rc.d/init.d/vpn
[root@ns ~]# vi /etc/rc.d/init.d/vpn

# line 168: add these 2 lines
/etc/openvpn/bridge-start
/etc/openvpn/openvpn.init start

# line 174: add these 2 lines (below the existing "stop)" line)
  stop)
/etc/openvpn/openvpn.init stop
/etc/openvpn/bridge-stop

[root@ns ~]# /etc/rc.d/init.d/vpn start
Bringing up loopback interface:   [  OK  ]
Bringing up interface eth0:   [  OK  ]
Bringing up interface eth1:   [  OK  ]
Wed Sep 3 23:05:57 2008 TUN/TAP device tap0 opened
Wed Sep 3 23:05:57 2008 Persist state set to: ON
Starting openvpn:   [  OK  ]

[root@ns ~]# chkconfig --add vpn
[root@ns ~]# chkconfig vpn on