OpenVPN With CentOS
This page walks through setting up a simple OpenVPN server on CentOS.
While it is reasonably complete, PLEASE do not treat it as a canonical source of information.
Network Topology
- 172.26.1.1 : DNS, DHCP, Router (Running Tomato)
- 172.26.1.56 : IP address of my VPN host
- 172.26.2.0/24 : VPN client IP space
Xen
My VPN machine runs under Xen; read CentOS 5 and Xen if you're interested in using virtualization for your VPN host.
Install OpenVPN
You'll want to add the EPEL repository to your system and then install OpenVPN and LZO (for compression). The EPEL release package below is fetched over plain http, so check its GPG signature against the EPEL signing key before installing it.
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
yum install openvpn lzo
Configure OpenVPN on the Server
PKI Files
Generate the CA, the server certificate and key, and the Diffie-Hellman parameters by following the PKI steps in the OpenVPN HOWTO on the OpenVPN website.
Once that's done, copy the newly created files to /etc/openvpn. Keep server.key owned by root with mode 0600: the daemon reads it before dropping to nobody, and nothing else on the box should be able to read it.
cp -v ca.crt dh1024.pem server.crt server.key /etc/openvpn
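The PKI steps the OpenVPN HOWTO delegates to easy-rsa can also be done with plain openssl(1), which makes it clear what each file in /etc/openvpn actually is. The script below is an added example, not code from this page or from OpenVPN; it assumes openssl is on PATH and uses "vpn-ca", "server" and "client1" as placeholder names. It issues the server certificate with the serverAuth extended key usage and the client certificate with clientAuth, so a client configured with remote-cert-tls server will refuse a peer that only holds a client certificate, and it checks afterwards that every private key is mode 0600.

```shell
#!/bin/sh
# Added example, not from the original page and not OpenVPN's own easy-rsa
# scripts: build the same set of files (ca.crt, server.crt/server.key, one
# client certificate and DH parameters) with plain openssl(1), then verify them.
# Assumptions: openssl is on PATH; "vpn-ca", "server" and "client1" are
# placeholder names; the target directory is whatever you pass in.
set -eu

# write_ext_cfg DIR: a minimal openssl config with one extension profile per role.
# The serverAuth/clientAuth split is what lets a client refuse to connect to a
# peer that only holds a client certificate (remote-cert-tls server on the client).
write_ext_cfg() {
  cat >"$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue DIR NAME PROFILE: private key, CSR and CA-signed certificate for one peer
issue() {
  d=$1; n=$2; p=$3
  openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
  openssl req -new -key "$d/$n.key" -subj "/CN=$n" -config "$d/ext.cnf" -out "$d/$n.csr"
  openssl x509 -req -sha256 -days 3650 -in "$d/$n.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/ext.cnf" -extensions "$p" -out "$d/$n.crt" 2>/dev/null
  rm -f "$d/$n.csr"
}

# gen_pki DIR: CA, server and one client certificate. umask 077 makes every
# private key 0600 from the moment it is written.
gen_pki() {
  mkdir -p "$1"
  chmod 700 "$1"
  write_ext_cfg "$1"
  (
    umask 077
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$1/ca.key" -subj "/CN=vpn-ca" \
      -config "$1/ext.cnf" -extensions v3_ca -out "$1/ca.crt"
    issue "$1" server v3_server
    issue "$1" client1 v3_client
  )
}

# gen_dh DIR BITS: Diffie-Hellman parameters. 2048 bits takes minutes; do it once.
gen_dh() {
  openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# verify_pki DIR: each certificate chains to ca.crt for its intended purpose and
# no private key is readable by group or others. Returns 1 on any finding.
verify_pki() {
  openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 \
    || { echo "server.crt does not verify as a server cert" >&2; return 1; }
  openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/client1.crt" >/dev/null 2>&1 \
    || { echo "client1.crt does not verify as a client cert" >&2; return 1; }
  bad=$(find "$1" -name '*.key' ! -perm 600)
  [ -z "$bad" ] || { echo "private key not 0600: $bad" >&2; return 1; }
}

# usage: sh vpn-pki.sh /root/vpn-pki
# then copy ca.crt server.crt server.key dh2048.pem to /etc/openvpn;
# each client gets ca.crt plus its own client1.crt and client1.key.
if [ $# -gt 0 ]; then
  gen_pki "$1"
  gen_dh "$1" 2048
  verify_pki "$1" && echo "PKI ready in $1"
fi
```

The CA key (ca.key) is the one file that never goes on the VPN host; keep it offline, since anyone holding it can mint a client certificate that the server will accept.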
DHCP Leases File
ifconfig-pool-persist uses this file to remember which client (by certificate common name) was handed which address, so clients get the same address back after the server restarts.
touch /etc/openvpn/ipp.txt
openvpn.conf
Next, make /etc/openvpn/openvpn.conf look like the following, adjusted for your own addresses, interfaces and domain. Two things worth knowing: persist-key and persist-tun are required because once the daemon has dropped to nobody it can no longer re-read server.key or re-open the tun device on a restart; and dh1024.pem is simply what the HOWTO of the time produced, but 1024-bit Diffie-Hellman is now considered too weak, so on a current system generate a 2048-bit or larger file and reference that instead.
# what ip, port & protocol we should listen with
local 172.26.1.56
port 1194
proto udp
# what device we should create & use for tunneled connections
dev tun0
# use lzo compression & AES-128 encryption
cipher AES-128-CBC
comp-lzo
# the user & group the VPN should run as
user nobody
group nobody
# routing, dns & domain options we're pushing to the clients
push "route 172.26.1.0 255.255.255.0"
push "dhcp-option DNS 172.26.1.1"
push "dhcp-option DOMAIN sgtsavings.com"
# our dhcp netblock we're using & where to save our dhcp client list
server 172.26.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# the certificates & keys we've created for our vpn
key server.key
ca ca.crt
cert server.crt
dh dh1024.pem
keepalive 10 120
persist-key
persist-tun
# logging
log-append openvpn.log
verb 3
mute 20
# this is a file that's updated regularly that displays currently connected users
status openvpn-status.log
Set iptables Rules
THIS ALL ASSUMES THAT YOU DON'T HAVE ANY UNSAVED IPTABLES RULES SET: the service restart below reloads /etc/sysconfig/iptables and throws away whatever is currently loaded but not saved.
Now we'll add the iptables rules that allow the VPN traffic in, forward it between the tunnel and the LAN, and NAT the VPN clients behind the server's LAN address.
First you'll want to save your current iptables configuration in case you need to back out.
cp -pv /etc/sysconfig/iptables /etc/sysconfig/iptables.bak.$(date +%Y%m%d%H%M%S)
iptables-save > /etc/sysconfig/iptables-prevpn
Now reload your previously saved iptables configuration and insert the new rules at the top of their chains (-I inserts; the rules must sit above the final REJECT in INPUT to have any effect).
service iptables restart
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
Now you'll want to save your new iptables off to the side & review it.
iptables-save > /etc/sysconfig/iptables-vpn
If that looks sane to you then you'll want to save it.
service iptables save
Here's what the output of iptables-save looked like on my VPN host, with the comments and the lines starting with : removed. The rule set is very stripped down because the VPN host lives behind an external firewall; on a host exposed directly to the Internet you would want a much tighter INPUT chain.
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
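"If that looks sane to you" is easier to answer with a check than by eye. The script below is an added example, not from this page; it lints an iptables-save dump for the rules the VPN needs (the udp/1194 listener, both FORWARD directions, the MASQUERADE rule) and flags two things a reviewer would raise: a MASQUERADE rule with no -s restriction NATs every packet leaving eth0, not just VPN clients, and an INPUT chain with neither a DROP policy nor a final REJECT is wide open. It assumes the interface names, port and client netblock used on this page (eth0, tun0, 1194, 172.26.2.0/24) and embeds a constructed copy of the rule set above as sample input.

```shell
#!/bin/sh
# Added example, not part of the original page: lint an iptables-save dump for
# the rules this VPN setup needs and flag rules that are wider than necessary.
# Assumes the interface names, port and client netblock used on this page.
set -eu

VPN_PORT=1194
WAN_IF=eth0
VPN_IF=tun0
VPN_NET=172.26.2.0/24

# check_vpn_rules FILE: prints one line per finding; returns 1 if a required
# rule is missing, 0 otherwise (warnings alone do not fail the check).
check_vpn_rules() {
  f=$1
  rc=0
  # required: the listener is reachable and traffic is forwarded both ways
  grep -Eq "^-A INPUT .*-p udp .*--dport $VPN_PORT -j ACCEPT$" "$f" \
    || { echo "missing: INPUT accept for udp/$VPN_PORT"; rc=1; }
  grep -Eq "^-A FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT$" "$f" \
    || { echo "missing: FORWARD $VPN_IF -> $WAN_IF"; rc=1; }
  grep -Eq "^-A FORWARD -i $WAN_IF -o $VPN_IF -j ACCEPT$" "$f" \
    || { echo "missing: FORWARD $WAN_IF -> $VPN_IF"; rc=1; }
  nat=$(grep -E "^-A POSTROUTING .*-o $WAN_IF .*-j MASQUERADE$" "$f" || true)
  [ -n "$nat" ] || { echo "missing: POSTROUTING MASQUERADE out $WAN_IF"; rc=1; }
  # warning: NAT applies to everything leaving the LAN interface, not only VPN clients
  if [ -n "$nat" ] && ! echo "$nat" | grep -q -- "-s $VPN_NET "; then
    echo "warning: MASQUERADE is not limited to -s $VPN_NET; every packet leaving $WAN_IF is NATed"
  fi
  # warning: nothing denies unmatched inbound traffic
  if ! grep -Eq "^(:INPUT DROP|-A INPUT -j (REJECT|DROP))" "$f"; then
    echo "warning: INPUT has no DROP policy and no final REJECT/DROP rule"
  fi
  return $rc
}

# sample_rules: constructed copy of the rule set shown on this page, comments
# and policy lines stripped as the page did.
sample_rules() {
  cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
EOF
}

# usage: iptables-save > /tmp/rules.now && sh vpn-rules-lint.sh /tmp/rules.now
if [ $# -gt 0 ]; then
  check_vpn_rules "$1"
fi
```

Run against the page's own rule set it reports only the MASQUERADE warning; replacing that rule with `-A POSTROUTING -s 172.26.2.0/24 -o eth0 -j MASQUERADE` silences it and is the tighter form to save.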
Enable IPV4 Packet Forwarding
First, enable it in the running kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it survive a reboot, set it in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Start OpenVPN
Your OpenVPN should be ready to go!
service openvpn start
Configuring Clients
The OpenVPN Clients page has everything you need.