OpenVPN Installation & Configuration

thecooldude
Lance Naik
Posts: 43
Joined: Sun Nov 26, 2006 6:04 pm
Location: Dubai, UAE.


Post by thecooldude »

E-mail: khurram.jn@gmail.com

I'm installing it for you on my box to see how it has to be done exactly!

[root@muslim 2.0]# cat /etc/issue
CentOS release 5.7 (Final)
Kernel \r on an \m

[root@muslim 2.0]# cat /etc/redhat-release
CentOS release 5.7 (Final)
[root@muslim 2.0]# uname -a
Linux muslim.town 2.6.18-274.el5 #1 SMP Fri Jul 22 04:49:12 EDT 2011 i686 i686 i386 GNU/Linux
[root@muslim 2.0]#


[root@muslim ~]# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
[root@muslim ~]#
Take a look at the status above: "File descriptor in bad state" means tun/tap is active; otherwise please ask your provider to activate it.



To set your hostname, type:

hostname YOUR-HOSTNAME-HERE

[root@proxy ~]# vi /etc/sysconfig/network

HOSTNAME="proxy.local"

[root@proxy ~]# vi /etc/hosts

YOUR-IP YOUR-HOSTNAME-HERE localhost



Before we start: I've already loaded rpmforge-release-0.5.2-2.el5.rf.i386.rpm; please download the latest release.

Step 1

[root@muslim tmp]# wget http://pkgs.repoforge.org/rpmforge-rele ... f.i386.rpm
--2012-01-03 20:25:53-- http://pkgs.repoforge.org/rpmforge-rele ... f.i386.rpm
Resolving pkgs.repoforge.org... 78.46.17.228
Connecting to pkgs.repoforge.org|78.46.17.228|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://rpmforge.sw.be/redhat/el5/en/i38 ... f.i386.rpm [following]
--2012-01-03 20:26:09-- http://rpmforge.sw.be/redhat/el5/en/i38 ... f.i386.rpm
Resolving rpmforge.sw.be... 78.46.17.228
Connecting to rpmforge.sw.be|78.46.17.228|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://tree.repoforge.org/redhat/el5/en ... f.i386.rpm [following]
--2012-01-03 20:26:24-- http://tree.repoforge.org/redhat/el5/en ... f.i386.rpm
Resolving tree.repoforge.org... 78.46.17.228
Connecting to tree.repoforge.org|78.46.17.228|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://apt.sw.be/redhat/el5/en/i386/rpm ... f.i386.rpm [following]
--2012-01-03 20:26:40-- http://apt.sw.be/redhat/el5/en/i386/rpm ... f.i386.rpm
Resolving apt.sw.be... 193.1.193.67
Connecting to apt.sw.be|193.1.193.67|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12680 (12K) [application/x-redhat-package-manager]
Saving to: `rpmforge-release-0.5.2-2.el5.rf.i386.rpm'

100%[===================================================================================================================>] 12,680 37.3K/s in 0.3s

2012-01-03 20:26:50 (37.3 KB/s) - `rpmforge-release-0.5.2-2.el5.rf.i386.rpm' saved [12680/12680]

[root@muslim tmp]#


Step 2


[root@muslim tmp]# rpm -Uvh rpmforge-release-0.5.2-2.el5.rf.i386.rpm
Preparing... ########################################### [100%]
package rpmforge-release-0.5.2-2.el5.rf.i386 is already installed
[root@muslim tmp]#


Step 3

[root@muslim ~]# yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* 5jpackage-generic: mirror.ibcp.fr
* base: mirror-cybernet.lums.edu.pk
* epel: mirror.nus.edu.sg
* extras: mirror-cybernet.lums.edu.pk
* jpackage-generic: mirror.ibcp.fr
* rpmforge: fr2.rpmfind.net
* updates: mirror-cybernet.lums.edu.pk
Setting up Install Process
Package gcc-4.1.2-51.el5.i386 already installed and latest version
Package 1:make-3.81-3.el5.i386 already installed and latest version
Package autoconf-2.59-12.noarch already installed and latest version
Package zlib-devel-1.2.3-4.el5.i386 already installed and latest version
Package openssl-devel-0.9.8e-20.el5.i386 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package pam-devel.i386 0:0.99.6.2-6.el5_5.2 set to be updated
---> Package rpm-build.i386 0:4.4.2.3-22.el5_7.2 set to be updated
--> Processing Dependency: rpm-libs = 4.4.2.3-22.el5_7.2 for package: rpm-build
--> Processing Dependency: popt = 1.10.2.3-22.el5_7.2 for package: rpm-build
--> Processing Dependency: rpm = 4.4.2.3-22.el5_7.2 for package: rpm-build
--> Running transaction check
--> Processing Dependency: popt = 1.10.2.3-22.el5 for package: rpm-python
---> Package popt.i386 0:1.10.2.3-22.el5_7.2 set to be updated
---> Package rpm.i386 0:4.4.2.3-22.el5_7.2 set to be updated
---> Package rpm-libs.i386 0:4.4.2.3-22.el5_7.2 set to be updated
--> Running transaction check
---> Package rpm-python.i386 0:4.4.2.3-22.el5_7.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
pam-devel i386 0.99.6.2-6.el5_5.2 base 187 k
Updating:
rpm-build i386 4.4.2.3-22.el5_7.2 updates 302 k
Updating for dependencies:
popt i386 1.10.2.3-22.el5_7.2 updates 75 k
rpm i386 4.4.2.3-22.el5_7.2 updates 1.2 M
rpm-libs i386 4.4.2.3-22.el5_7.2 updates 928 k
rpm-python i386 4.4.2.3-22.el5_7.2 updates 60 k

Transaction Summary
=============================================================================================================================================================
Install 1 Package(s)
Upgrade 5 Package(s)

Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): rpm-python-4.4.2.3-22.el5_7.2.i386.rpm | 60 kB 00:00
(2/6): popt-1.10.2.3-22.el5_7.2.i386.rpm | 75 kB 00:00
(3/6): pam-devel-0.99.6.2-6.el5_5.2.i386.rpm | 187 kB 00:00
(4/6): rpm-build-4.4.2.3-22.el5_7.2.i386.rpm | 302 kB 00:00
(5/6): rpm-libs-4.4.2.3-22.el5_7.2.i386.rpm | 928 kB 00:00
(6/6): rpm-4.4.2.3-22.el5_7.2.i386.rpm | 1.2 MB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 30 kB/s | 2.7 MB 01:31
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : pam-devel 1/11
Updating : popt 2/11
Updating : rpm-libs 3/11
Updating : rpm 4/11
Updating : rpm-python 5/11
Updating : rpm-build 6/11
Cleanup : rpm 7/11
Cleanup : rpm-python 8/11
Cleanup : popt 9/11
Cleanup : rpm-build 10/11
Cleanup : rpm-libs 11/11

Installed:
pam-devel.i386 0:0.99.6.2-6.el5_5.2

Updated:
rpm-build.i386 0:4.4.2.3-22.el5_7.2

Dependency Updated:
popt.i386 0:1.10.2.3-22.el5_7.2 rpm.i386 0:4.4.2.3-22.el5_7.2 rpm-libs.i386 0:4.4.2.3-22.el5_7.2 rpm-python.i386 0:4.4.2.3-22.el5_7.2

Complete!
[root@muslim ~]#


Step 4


[root@muslim ~]# yum install lzo.i386 lzo-devel.i386 lzo1.i386 lzo1-devel.i386 lzop.i386
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* 5jpackage-generic: mirror.ibcp.fr
* base: mirror-cybernet.lums.edu.pk
* epel: mirror.nus.edu.sg
* extras: mirror-cybernet.lums.edu.pk
* jpackage-generic: mirror.ibcp.fr
* rpmforge: fr2.rpmfind.net
* updates: mirror-cybernet.lums.edu.pk
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package lzo.i386 0:2.04-1.el5.rf set to be updated
---> Package lzo-devel.i386 0:2.04-1.el5.rf set to be updated
---> Package lzo1.i386 0:1.08-5.el5.rf set to be updated
---> Package lzo1-devel.i386 0:1.08-5.el5.rf set to be updated
---> Package lzop.i386 0:1.03-2.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
lzo i386 2.04-1.el5.rf rpmforge 131 k
lzo-devel i386 2.04-1.el5.rf rpmforge 32 k
lzo1 i386 1.08-5.el5.rf rpmforge 142 k
lzo1-devel i386 1.08-5.el5.rf rpmforge 11 k
lzop i386 1.03-2.el5 epel 52 k

Transaction Summary
=============================================================================================================================================================
Install 5 Package(s)
Upgrade 0 Package(s)

Total download size: 367 k
Is this ok [y/N]: y
Downloading Packages:
(1/5): lzo1-devel-1.08-5.el5.rf.i386.rpm | 11 kB 00:00
(2/5): lzo-devel-2.04-1.el5.rf.i386.rpm | 32 kB 00:00
(3/5): lzop-1.03-2.el5.i386.rpm | 52 kB 00:00
(4/5): lzo-2.04-1.el5.rf.i386.rpm | 131 kB 00:00
(5/5): lzo1-1.08-5.el5.rf.i386.rpm | 142 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 8.3 kB/s | 367 kB 00:44
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : lzo 1/5
Installing : lzo1 2/5
Installing : lzop 3/5
Installing : lzo-devel 4/5
Installing : lzo1-devel 5/5

Installed:
lzo.i386 0:2.04-1.el5.rf lzo-devel.i386 0:2.04-1.el5.rf lzo1.i386 0:1.08-5.el5.rf lzo1-devel.i386 0:1.08-5.el5.rf lzop.i386 0:1.03-2.el5

Complete!
[root@muslim ~]#


Step 5



[root@muslim ~]# yum install openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* 5jpackage-generic: mirror.ibcp.fr
* base: mirror-cybernet.lums.edu.pk
* epel: mirror.nus.edu.sg
* extras: mirror-cybernet.lums.edu.pk
* jpackage-generic: mirror.ibcp.fr
* rpmforge: fr2.rpmfind.net
* updates: mirror-cybernet.lums.edu.pk
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openvpn.i386 0:2.2.0-3.el5.rf set to be updated
--> Processing Dependency: libpkcs11-helper.so.1 for package: openvpn
--> Running transaction check
---> Package pkcs11-helper.i386 0:1.08-1.el5.rf set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
openvpn i386 2.2.0-3.el5.rf rpmforge 460 k
Installing for dependencies:
pkcs11-helper i386 1.08-1.el5.rf rpmforge 128 k

Transaction Summary
=============================================================================================================================================================
Install 2 Package(s)
Upgrade 0 Package(s)

Total download size: 588 k
Is this ok [y/N]: y

Downloading Packages:
(1/2): pkcs11-helper-1.08-1.el5.rf.i386.rpm | 128 kB 00:00
(2/2): openvpn-2.2.0-3.el5.rf.i386.rpm | 460 kB 00:01
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 33 kB/s | 588 kB 00:18
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : pkcs11-helper 1/2
Installing : openvpn 2/2

Installed:
openvpn.i386 0:2.2.0-3.el5.rf

Dependency Installed:
pkcs11-helper.i386 0:1.08-1.el5.rf

Complete!
[root@muslim ~]#


Step 6


Copy the OpenVPN easy-rsa folder to /etc/openvpn/:

[root@muslim ~]# cp -R /usr/share/doc/openvpn-2.2.0/easy-rsa/ /etc/openvpn/
[root@muslim ~]#

Step 7

Now let's create the certificates:

[root@muslim ~]# cd /etc/openvpn/easy-rsa/2.0
[root@muslim 2.0]#


Step 8


[root@muslim 2.0]# chmod 755 *
[root@muslim 2.0]# ls
build-ca build-key build-key-server clean-all Makefile pkitool sign-req
build-dh build-key-pass build-req inherit-inter openssl-0.9.6.cnf README vars
build-inter build-key-pkcs12 build-req-pass list-crl openssl.cnf revoke-full whichopensslcnf

Step 9

[root@muslim 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys


Step 10


[root@muslim 2.0]# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

Step 11

[root@muslim 2.0]# ./clean-all
[root@muslim 2.0]#


Step 12

Build the CA:

[root@muslim 2.0]# ./build-ca
Generating a 1024 bit RSA private key
................++++++
................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:.
State or Province Name (full name) [CA]:.
Locality Name (eg, city) [SanFrancisco]:.
Organization Name (eg, company) [Fort-Funston]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:muslim.town
Name []:vpn
Email Address [me@myhost.mydomain]:sherry.safdar@gmail.com
[root@muslim 2.0]#


Step 13


Build the server key:

[root@muslim 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
................++++++
...++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:.
State or Province Name (full name) [CA]:.
Locality Name (eg, city) [SanFrancisco]:.
Organization Name (eg, company) [Fort-Funston]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) [server]:muslim.town
Name []:server
Email Address [me@myhost.mydomain]:sherry.safdar@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mypassword
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'muslim.town'
name :PRINTABLE:'server'
emailAddress :IA5STRING:'sherry.safdar@gmail.com'
Certificate is to be certified until Dec 31 14:52:55 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@muslim 2.0]#


Step 14


Build the Diffie-Hellman parameters (wait a moment until the process finishes):
[root@muslim 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[root@muslim 2.0]#


Step 15


[root@muslim 2.0]# vi /etc/openvpn/1194.conf

Now paste all of these lines into it.

local 78.46.145.126 #- your_server_ip
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
client-to-client
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3



Step 16


[root@muslim 2.0]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@muslim 2.0]# iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to XXX.XXX.XX.XX ---->> Enter your IP.
[root@muslim 2.0]#


Now :)


Step 17

[root@muslim 2.0]# openvpn /etc/openvpn/1194.conf &
[1] 7295
[root@muslim 2.0]# Tue Jan 3 20:03:08 2012 OpenVPN 2.2.0 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun 6 2011
Tue Jan 3 20:03:08 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jan 3 20:03:08 2012 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Tue Jan 3 20:03:08 2012 Diffie-Hellman initialized with 1024 bit key
Tue Jan 3 20:03:08 2012 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Tue Jan 3 20:03:08 2012 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jan 3 20:03:08 2012 Socket Buffers: R=[110592->131072] S=[110592->131072]
Tue Jan 3 20:03:08 2012 ROUTE default_gateway=117.102.32.1
Tue Jan 3 20:03:08 2012 TUN/TAP device tun0 opened
Tue Jan 3 20:03:08 2012 TUN/TAP TX queue length set to 100
Tue Jan 3 20:03:08 2012 /sbin/ip link set dev tun0 up mtu 1500
Tue Jan 3 20:03:08 2012 /sbin/ip addr add dev tun0 local 1.2.3.1 peer 1.2.3.2
Tue Jan 3 20:03:08 2012 /sbin/ip route add 1.2.3.0/24 via 1.2.3.2
Tue Jan 3 20:03:08 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Jan 3 20:03:08 2012 UDPv4 link local (bound): XXX.XXX.XX.XX:1194
Tue Jan 3 20:03:08 2012 UDPv4 link remote: [undef]
Tue Jan 3 20:03:08 2012 MULTI: multi_init called, r=256 v=256
Tue Jan 3 20:03:08 2012 IFCONFIG POOL: base=1.2.3.4 size=62
Tue Jan 3 20:03:08 2012 Initialization Sequence Completed

[root@muslim 2.0]#
[root@muslim 2.0]#


You can also start it with service openvpn restart; I've tested that as well :)


Download the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory; I've used WinSCP, bro!

Download and install the OpenVPN client: http://swupdate.openvpn.org/community/r ... nstall.exe

After you have finished installing OpenVPN, move ca.crt (the file you previously downloaded from /etc/openvpn/easy-rsa/2.0/keys/) to the OpenVPN config folder under Program Files (\Program Files\OpenVPN\config\).

Also create a client configuration file in the OpenVPN config directory; here's the example:

Save the file as client.ovpn; make sure the extension is .ovpn.


client
dev tun
proto udp
remote XXX.XXX.XX.XX 1194 -------------->> Enter your IP.
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3

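A small linter for the two configs above (the server's 1194.conf and client.ovpn), added here as an example and not part of the post: it parses the directive format OpenVPN uses and flags the settings a reviewer would want changed before exposing the server. The rule names and the 203.0.113.10 address are this example's own assumptions.

```python
"""Lint OpenVPN 2.x server/client configs for settings a reviewer would flag.
Added example (not from the forum post). Rules: no privilege drop (user/group),
no tls-auth HMAC on the control channel, DH parameters under 2048 bits, a VPN
subnet outside RFC 1918 space, client-cert-not-required, and a client that never
checks the server certificate's role (remote-cert-tls / ns-cert-type)."""
import re
import shlex
import ipaddress

# Constructed sample: the post's 1194.conf, server IP replaced by a documentation address.
SERVER_CONF = """\
local 203.0.113.10 #- your_server_ip
port 1194 #- port
proto udp #- protocol
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
push "redirect-gateway def1"
comp-lzo
"""

# Constructed sample: the post's client.ovpn, again with a documentation address.
CLIENT_CONF = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
ca ca.crt
auth-user-pass
comp-lzo
"""

def parse_conf(text):
    """Return {directive: [arg lists]}. Lines starting with '#' or ';' are comments;
    a trailing '#' comment (the style used in the post) is stripped by shlex."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def lint(conf):
    """Return the sorted finding ids for one parsed server or client config."""
    found = set()
    if "tls-auth" not in conf:
        found.add("no-tls-auth")  # no HMAC firewall on the TLS control channel
    if "client" in conf:  # client-side rules only
        if not any(k in conf for k in ("remote-cert-tls", "ns-cert-type")):
            found.add("no-server-cert-check")  # any CA-signed cert could pose as the server
        return sorted(found)
    if "user" not in conf or "group" not in conf:
        found.add("runs-as-root")  # no privilege drop after initialisation
    if "client-cert-not-required" in conf:
        found.add("no-client-cert")  # the server itself logs this as POTENTIALLY DANGEROUS
    for args in conf.get("dh", []):
        m = re.search(r"dh(\d+)\.pem$", args[0])  # easy-rsa names the file after KEY_SIZE
        if m and int(m.group(1)) < 2048:
            found.add("weak-dh")
    for args in conf.get("server", []):
        if not ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False).is_private:
            found.add("public-vpn-subnet")  # 1.2.3.0/24 is routable space, not RFC 1918
    return sorted(found)

if __name__ == "__main__":
    for label, text in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(label, lint(parse_conf(text)))
```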

[root@muslim tmp]# ps -aux | grep openvpn
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root 7364 0.0 0.1 8932 1340 pts/0 S 20:04 0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/1194.pid --config 1194.conf --cd /etc/openvpn --script-security 2
root 7375 0.0 0.1 9148 2256 ? Ss 20:04 0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/1194.pid --config 1194.conf --cd /etc/openvpn --script-security 2
root 7673 0.0 0.0 4016 672 pts/0 R+ 20:31 0:00 grep openvpn
[root@muslim tmp]#


[root@muslim 2.0]# useradd sherry -s /bin/false
[root@muslim 2.0]# passwd sherry
Changing password for user sherry.
New UNIX password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@muslim 2.0]#


I'm connected :)


*CHEERS*