OpenVPN Server Configuration

A short howto on configuring a secured OpenVPN server on CentOS 6.

Introduction

The OpenVPN service provides a VPN for your servers. I strongly recommend using OpenVPN on all your servers to add a layer of security. For client authorization with client certificates and keys I'll use the easy-rsa package.

We will use the OpenVPN and easy-rsa packages provided by the EPEL repository.

Installations

Let's install EPEL and all required packages.

yum install epel-release  
yum install -y openvpn easy-rsa  

Configurations

OpenVPN Server Configuration

cat << EOF > /etc/openvpn/server.conf
port 1194
proto udp
dev tun
# certificate material; the file names match what build-key-server produces below
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/server.crt
key /etc/openvpn/cert/server.key
dh /etc/openvpn/cert/dh2048.pem
topology subnet
server 172.16.250.0 255.255.255.248
ifconfig-pool-persist /etc/openvpn/ipp.list
keepalive 10 120
max-clients 5
# drop root privileges after start-up; persist-* keep the key and tun device usable afterwards
user nobody
group nobody
persist-key
persist-tun
status /var/log/ovpn/status.log
log-append /var/log/ovpn/openvpn.log
verb 3
EOF

OpenVPN opens the status and log files at start-up, so create /var/log/ovpn before starting the service. You can also push additional settings to clients, such as DNS servers or routes:

grep push /etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"   # send all client traffic through the VPN (default GW)
push "dhcp-option DNS 8.8.8.8"             # set the client's DNS server to 8.8.8.8
;push "route 172.16.200.0 255.255.255.0"   # route to backbone (disabled: a leading ';' comments the line out)

You may also want to enable the client-to-client option so that clients can see each other.

If you plan to forward any traffic through your server (for example with redirect-gateway above), you also need to enable IP forwarding, which is disabled by default:

echo 1 > /proc/sys/net/ipv4/ip_forward  

Note: this command does not enable ip_forward permanently; to make it persistent, set net.ipv4.ip_forward = 1 in the sysctl configuration file (/etc/sysctl.conf).
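As an added check (example code written for this page, not part of the original howto or of OpenVPN itself): a small Python script that reads a server.conf with OpenVPN's own line rules, lists the push directives that are really active, and verifies that the certificate and privilege-dropping options used above are present. The embedded config, the function names and the wording of the findings are constructed for this illustration.

```python
import re

# Constructed sample: the relevant lines of this howto's server.conf.
SAMPLE_CONF = """\
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/server.crt
key /etc/openvpn/cert/server.key
dh /etc/openvpn/cert/dh2048.pem
user nobody
group nobody
persist-key
persist-tun
push "redirect-gateway def1 bypass-dhcp"  # set as default GW
push "dhcp-option DNS 8.8.8.8"
;push "route 172.16.200.0 255.255.255.0"
"""

# OpenVPN line rules: whitespace-separated tokens, a double-quoted argument is one
# token, and '#' or ';' at the start of a token comments out the rest of the line.
# (Single quotes and backslash escapes, which OpenVPN also accepts, are not handled.)
_TOKEN = re.compile(r'\s*(?:(?P<comment>[#;].*)|"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

def tokenize(line):
    """Return the tokens of one config line; [] for a blank or comment-only line."""
    tokens = []
    for m in _TOKEN.finditer(line):
        if m.group("comment") is not None:
            break
        tokens.append(m.group("quoted") if m.group("quoted") is not None else m.group("bare"))
    return tokens

def parse_conf(text):
    """Return [(option, [args]), ...] in file order, comments and blank lines dropped."""
    return [(t[0], t[1:]) for t in map(tokenize, text.splitlines()) if t]

def active_pushes(entries):
    """What the server really pushes: a ';push ...' line is disabled, not active."""
    return [args[0] for opt, args in entries if opt == "push" and args]

REQUIRED = ("ca", "cert", "key", "dh", "user", "group", "persist-key", "persist-tun")

def audit(entries):
    """Findings against this howto's baseline; an empty list means the config matches."""
    present = dict(entries)
    findings = ["missing option: " + o for o in REQUIRED if o not in present]
    for opt in ("user", "group"):
        if present.get(opt) == ["root"]:
            findings.append("%s root: the daemon never drops privileges" % opt)
    if any(p.startswith("redirect-gateway") for p in active_pushes(entries)):
        findings.append("redirect-gateway pushed: net.ipv4.ip_forward must be 1 on the server")
    return findings
```

Run audit(parse_conf(open("/etc/openvpn/server.conf").read())) on the real file; the only finding for the config above is the reminder that redirect-gateway needs ip_forward.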

Configure server certs and key pair

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
vim /etc/openvpn/easy-rsa/vars
--- some text ---
export KEY_COUNTRY="RU"
export KEY_PROVINCE="SPB"
export KEY_CITY="St. Petersburg"
export KEY_ORG="Example Corporation"
export KEY_EMAIL="ovpn@example.com"
export KEY_OU="Network Department"
export KEY_NAME="server"
--- some text ---
mkdir /etc/openvpn/cert
# generating 2048-bit DH parameters can take several minutes
openssl dhparam -out /etc/openvpn/cert/dh2048.pem 2048
# vars must be sourced, not executed, so its exports reach the build-* scripts in this shell
cd /etc/openvpn/easy-rsa && source ./vars && ./clean-all && ./build-ca && ./build-key-server server
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn/cert
service openvpn start

Generate Client cert and key

cd /etc/openvpn/easy-rsa && ./build-key client1  

Note: in this example the client key is generated without a passphrase. If you want more security, use ./build-key-pass instead of ./build-key.

Now deliver these files to the client over a secure channel (from /etc/openvpn/easy-rsa/keys/: client1.key and client1.crt). You should also copy the CA certificate to the client (from /etc/openvpn/cert/ca.crt).

Client config example

cat ~/ovpn/my-server.ovpn  
client  
dev tun0my-server  
proto udp  
port 20500  
remote example.com 1194 udp  
resolv-retry infinite  
persist-key  
persist-tun  
keepalive 8 50  
verb 3  
max-routes 2000  
ca /home/user/certs/ca.crt  
cert /home/user/certs/client1.crt  
key /home/user/certs/client1.key  

If your key file is passphrase protected, add the option askpass /home/user/certs/client1.pass to your client config file. The file contains the passphrase on a single line, so keep it readable only by your own user.

Connect to the Server

You can connect from the command line:

sudo openvpn --config ~/ovpn/my-server.ovpn

You must use sudo because openvpn needs root privileges to create the tun interface and set up routes.