Installing OpenVPN

by Mike on December 4, 2008

in VPN

For the most part, the how-to documentation on the OpenVPN website is quite good and easy to follow.  However, there are a few “gotchas” that the documentation doesn’t make clear.  Some of them are errors on the part of the package maintainers or developers; some are things you need to do that the documentation doesn’t even mention.

In this document, we’ll try to make things a bit clearer and save you from setting up a simple VPN by trial and error.

Preparation

You can install OpenVPN on a variety of operating systems.  (For our demo, we’ll be using CentOS 5.)   For our present purpose, we’ll assume that all applications and data that clients need to reach are on the OpenVPN server itself, and that clients don’t need to reach any other subnets that are on the other side of the server.  We’ll also assume that all clients are to use the same OpenVPN configuration.

If you’re using Red Hat Enterprise Linux or one of its derivatives as the OpenVPN server (this includes CentOS 5, Startcom 5 and perhaps a few others), you won’t find OpenVPN in the distro’s repositories, but it is in a few third-party repositories.  The best one to use is RPMForge.  To add RPMForge to your Yum repository list, run one of the following commands.  The release package installs RPMForge’s GPG signing key and an “/etc/yum.repos.d/rpmforge.repo” file with “gpgcheck = 1”, so the openvpn package you install afterwards will be signature-checked; the release package itself arrives over plain HTTP, so fetch it only from RPMForge’s own site as shown, and confirm that “gpgcheck = 1” is present in the repo file before you go on:

For systems running a 32-bit version of RHEL 4 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm

For systems running a 64-bit version of RHEL 4 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.x86_64.rpm

For systems running a 32-bit version of RHEL 5 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

For systems running a 64-bit version of RHEL 5 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Note that you can copy and paste these commands from this document into your terminal window.  You’ll also want to add the repository on any RHEL-style Linux machines that you’ll be using as clients.

If your Linux machines run Debian or Ubuntu, you will find OpenVPN in the normal distro repositories.  Just use apt-get or your favorite package manager to install it, the same as you would any other package.  Installation and configuration are otherwise the same as in the following steps, except that the sample configuration files live under “/usr/share/doc/openvpn/examples/” rather than the CentOS path shown below, and some of them are gzipped.

Installation

(Note that this portion of the procedure is the same for both OpenVPN servers and OpenVPN clients that are running on Linux.)

Once the repository configuration is done, you can open Yum Extender, search for “openvpn”, and install it as you would any other package.

Alternatively, you can open a command-line window, and enter:

su - root
yum install openvpn

This is actually the recommended option, since Yum Extender is so notoriously slow.

When installation is complete, open a terminal window and enter “su - root”.  (If you used the command-line installation option, just keep that window open and stay logged in as root.)

OpenVPN installs its binary to “/usr/sbin”, which isn’t on an ordinary user’s PATH, and it needs root privileges to create the tun interface and add routes.  So, in order to start it by hand from a command line, you will either have to be in the “sudoers” list or log into a terminal as root.

After the initial installation, the “/etc/openvpn” directory will be empty.  You’ll need to copy the appropriate files to it.
Server specific

First, cd to the “/usr/share/doc/openvpn-2.0.9/sample-config-files” directory (the version number in the path matches the package you installed).  Copy the following files to the “/etc/openvpn” directory:

firewall.sh
openvpn-shutdown.sh
openvpn-startup.sh
server.conf

Note that the three shell scripts don’t have their executable permissions set.  Use the chmod utility to set the executable bit:

chmod a+x firewall.sh
chmod a+x openvpn-shutdown.sh
chmod a+x openvpn-startup.sh

The init script runs these as root, so make sure they stay owned by root and are not writable by anyone else (the resulting mode 755 is fine; 777 is not).

You’ll also need to rename the two “openvpn” scripts to drop the “.sh” suffix, because the openvpn init script looks for them as “/etc/openvpn/openvpn-startup” and “/etc/openvpn/openvpn-shutdown”.  Do this with the following two commands:

mv openvpn-startup.sh openvpn-startup
mv openvpn-shutdown.sh openvpn-shutdown

Next, cd to the “/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0” directory.  Open the “Makefile” file for editing.  Set the “DESTDIR” parameter to the following:

DESTDIR=/etc/openvpn

Leave the “PREFIX” parameter blank.

Save the file and exit the text editor.  Now, issue the command:

make install

This will copy the files to the “/etc/openvpn” directory and set the executable permission on all of the scripts.  The one file that is deliberately left non-executable, “vars”, is not a script to run but a list of shell variables that you source into your current shell, so leave its permissions alone.

Next, cd to the “/etc/openvpn” directory, and open the “vars” file for editing.  At the very bottom of the file, set the appropriate values for “export KEY_COUNTRY=”, “export KEY_PROVINCE=”, “export KEY_CITY=”, “export KEY_ORG=”, and “export KEY_EMAIL=”.  While you’re in the file, consider raising “export KEY_SIZE=1024” to 2048; if you do, remember that “build-dh” will then produce “dh2048.pem” instead of “dh1024.pem”, and the “dh” line in server.conf must be changed to match.  Save the file and exit the text editor.

While still within the “/etc/openvpn” directory, use the “easy-rsa” scripts to create the keys and certificates.  Source the vars file first (running it as “./vars” would only set the variables in a throwaway subshell, and the later scripts would complain that you must source it), then wipe the keys directory and create the certificate authority:

source vars
./clean-all
./build-ca

Note that “clean-all” deletes everything in the “keys” directory, so run it only once, at the start.  The CA you create with “build-ca” signs every server and client certificate, and its private key, “keys/ca.key”, is the most sensitive file this whole process produces.

To build the key and certificate for the OpenVPN server, issue the command:

./build-key-server server

You’ll be prompted for the certificate fields; just hit the “Enter” key to accept the defaults, which come from your vars file (the Common Name defaults to “server”).  The last two prompts, “Sign the certificate? [y/n]” and “… commit? [y/n]”, must be answered with “y”, or no certificate is written.

For each client that will connect to this server, you’ll need to create a set of keys and certificates, each named after the client that will use them.  The name becomes the certificate’s Common Name, and every client needs a distinct one: by default the server allows only one connection per Common Name, so two clients sharing a certificate will knock each other off the VPN.  For example, if you have three clients, issue the commands:

./build-key client1
./build-key client2
./build-key client3

(Optionally, you can substitute the “build-key-pass” script if you want to password-protect the client keys.)

Again, accept the defaults for the certificate fields with “Enter”, and answer “y” to the sign and commit prompts.

Generate the Diffie-Hellman parameters (this takes a while) by entering:

./build-dh

Finally, copy the files the server needs from the “/etc/openvpn/keys” directory up to “/etc/openvpn”.  (You don’t want your working copies to live only in the “keys” directory, because “clean-all” wipes it.)  The server needs exactly four files: “ca.crt”, “server.crt”, “server.key” and the Diffie-Hellman parameters.  From “/etc/openvpn”:

cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem .
chmod 600 server.key

Don’t copy everything with “cp *”: that would put “ca.key” and every client’s private key into the server’s configuration directory.  The CA key is needed only to sign or revoke certificates and belongs on a machine other than the VPN server (or, at the very least, in a directory only root can read); the client keys belong on the clients.  Back up the whole “keys” directory (including “ca.key”, “index.txt” and “serial”, which you’ll need to issue or revoke certificates later) to a safe place off the server, and don’t run “clean-all” in this directory again.
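The copy-and-lock-down step above, written as a reusable shell function with an audit check.  This is an added example for this article, not code from the OpenVPN project or its easy-rsa scripts; it assumes the layout described above (easy-rsa keys under “/etc/openvpn/keys”, a server certificate built as “server”) and a Linux find(1) that understands -maxdepth.

```shell
#!/bin/sh
# Copy only the files the OpenVPN server needs out of the easy-rsa "keys"
# directory, lock their permissions down, then audit the result.
# Added example for this article, not part of OpenVPN or easy-rsa.
# Assumes the layout in the article: easy-rsa keys in /etc/openvpn/keys
# and a server certificate built with "build-key-server server".

install_server_keys() {
    # $1 = easy-rsa keys directory, $2 = OpenVPN config directory,
    # $3 = name given to build-key-server (default "server").
    src=$1 dst=$2 name=${3:-server}
    # The server needs exactly these: the CA certificate, its own
    # certificate and key, and the DH parameters.  ca.key and the
    # client keys are deliberately not in the list.
    for f in "$src/ca.crt" "$src/$name.crt" "$src/$name.key" "$src"/dh*.pem; do
        [ -f "$f" ] || { echo "install_server_keys: missing $f" >&2; return 1; }
    done
    (
        umask 077   # the private key is created 0600, never world-readable
        cp "$src/ca.crt" "$src/$name.crt" "$src/$name.key" "$src"/dh*.pem "$dst/"
    ) || return 1
    chmod 644 "$dst/ca.crt" "$dst/$name.crt" "$dst"/dh*.pem   # public material
    chmod 600 "$dst/$name.key"                                 # private key
}

audit_keydir() {
    # Returns 0 if $1 holds no CA private key and every *.key is mode 0600;
    # prints each problem it finds.  Run it against /etc/openvpn afterwards.
    dir=$1 bad=0
    if [ -e "$dir/ca.key" ]; then
        echo "$dir/ca.key: CA private key does not belong on the VPN server" >&2
        bad=1
    fi
    for k in $(find "$dir" -maxdepth 1 -name '*.key' ! -perm 600); do
        echo "$k: private key is not mode 0600" >&2
        bad=1
    done
    return $bad
}

# Usage, as root, once easy-rsa has run:
#   install_server_keys /etc/openvpn/keys /etc/openvpn server && audit_keydir /etc/openvpn
```

The audit is worth running again after any later change to “/etc/openvpn”: anything that copies the whole “keys” directory back in (a hasty “cp *” or a restore from backup) will fail it.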

Configure the server by editing the “server.conf” file.  Find the line that says:

server 10.8.0.0 255.255.255.0

and change it to the network address and subnet mask that you want the VPN to use.  For our example, we’ll use the “10.1.1.0” network with a 25-bit subnet mask:

server 10.1.1.0  255.255.255.128

The server assigns “10.1.1.1” to itself.  Be aware of how OpenVPN 2.0 hands out the rest: in tun mode every client gets its own /30 (four addresses), so a /25 fits about 30 clients, not 125, and a /24 fits 62.  If you expect something like one hundred clients with room to grow, use a 23-bit mask here instead (“server 10.1.1.0 255.255.254.0”, about 126 clients), and use the matching “10.1.1.0/23” when you edit firewall.sh below.

Scroll down to the stanza that begins with the line, “# Select a cryptographic cipher.”  Choose the cipher by uncommenting the appropriate line; later, when you set up the clients, you’ll make the “cipher” line in their configuration files match the server’s.  Blowfish (“BF-CBC”) is the 2.0.x default and is what you get if you uncomment nothing, but it is a 64-bit-block cipher and no longer a good choice; uncomment the AES line (or write “cipher AES-256-CBC”) instead.  While you’re in the file, also uncomment the “user nobody” and “group nobody” lines so that the daemon drops root privileges once the tunnel is up.  Save this file, and open the “firewall.sh” file for editing.
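For reference, here is what the finished “server.conf” looks like for this article’s scenario once the edits above are made.  This is an added example for this article, not the sample file shipped with OpenVPN; it assumes the easy-rsa output was copied into “/etc/openvpn” as described and that KEY_SIZE was left at its default of 1024 (with KEY_SIZE=2048 the dh line must name “dh2048.pem”).

```conf
# /etc/openvpn/server.conf for this article's scenario: clients reach only
# the server itself, and all clients share one configuration.
# Added example, not the OpenVPN project's sample file.

port 1194
proto udp
dev tun

# Built with easy-rsa.  The server needs only these four files;
# ca.key and the client keys do not belong on this machine.
ca   ca.crt
cert server.crt
key  server.key
dh   dh1024.pem        # dh2048.pem if KEY_SIZE was raised to 2048

# 10.1.1.0/25: the server takes 10.1.1.1.  With OpenVPN 2.0's net30
# addressing each client gets its own /30, so this range fits about 30
# clients; use 255.255.254.0 (a /23) for one hundred.
server 10.1.1.0 255.255.255.128
ifconfig-pool-persist ipp.txt

# Clients talk to the server only: no routes are pushed and
# client-to-client is left off.
keepalive 10 120

# Must match the "cipher" line in every client's configuration.  The 2.0.x
# default is BF-CBC (Blowfish, 64-bit blocks); AES is the better choice.
cipher AES-256-CBC

# Optional extra: an HMAC key shared by all peers, created with
# "openvpn --genkey --secret ta.key"; clients then use "tls-auth ta.key 1".
;tls-auth ta.key 0

# Drop root once the tun device and routes exist; persist-* let the
# unprivileged process survive a SIGUSR1 restart.
user nobody
group nobody
persist-key
persist-tun

status openvpn-status.log
verb 3
```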

Near the top of the file, you’ll see the line that reads:

PRIVATE=10.0.0.0/24

Change this line to the address of the private network that you desire to use.  (This must match what you used in the server.conf file.)  For our example, we’ll change this to:

PRIVATE=10.1.1.0/25
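To see concretely how many clients a given “server” line can hold under OpenVPN 2.0’s net30 addressing, and to derive the matching PRIVATE= value for firewall.sh, here is an added shell example (not from the OpenVPN project; the file name “net30.sh” in the usage comment is made up).  It implements the pool arithmetic described above: the server takes the first /30 of the range and clients are assigned /30s from network+4 up to broadcast-4, so a range of 2^(32-prefix) addresses serves (2^(32-prefix) - 8) / 4 clients.

```shell
#!/bin/sh
# Address arithmetic for an OpenVPN 2.0 "server NETWORK NETMASK" line.
# Added example for this article, not from the OpenVPN project.  Assumes
# tun mode with the net30 addressing OpenVPN 2.0.x always uses: the server
# takes the first /30 (.1 local, .2 remote) and hands each client its own
# /30 from the pool NETWORK+4 .. BROADCAST-4; the client's tunnel address
# is the third address of its /30.  Needs a shell with 64-bit arithmetic.

ip2int() {
    # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_to_prefix() {
    # 255.255.255.128 -> 25; count leading one bits of the mask
    m=$(ip2int "$1") p=0
    while [ "$p" -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do
        p=$((p + 1))
    done
    echo "$p"
}

net30_capacity() {
    # clients a "server $1 $2" line can serve: (range size - 8) / 4
    size=$(( 1 << (32 - $(mask_to_prefix "$2")) ))
    echo $(( (size - 8) / 4 ))
}

net30_client_addr() {
    # tunnel address the server assigns to the Nth client ($3, 1-based)
    base=$(( $(ip2int "$1") + 4 * $3 ))   # start of that client's /30
    int2ip $(( base + 2 ))
}

firewall_private() {
    # PRIVATE= value for firewall.sh that matches "server $1 $2"
    echo "$1/$(mask_to_prefix "$2")"
}

# Typed at a shell after ". ./net30.sh":
#   net30_capacity 10.1.1.0 255.255.255.128        -> 30   (this article's /25)
#   net30_capacity 10.1.1.0 255.255.254.0          -> 126  (a /23 fits 100 clients)
#   net30_client_addr 10.1.1.0 255.255.255.128 1   -> 10.1.1.6
#   firewall_private 10.1.1.0 255.255.255.128      -> 10.1.1.0/25
```

Because the output of firewall_private is derived from the same two values as the “server” line, using it for PRIVATE= keeps the two files from drifting apart.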

Important:  The “firewall.sh” script refers to two interfaces, “eth0” and “eth1”, but that doesn’t mean you need two active, physical NICs in your server.  In the sample script, eth0 is the interface facing the Internet and eth1 is an optional interface to a private LAN behind the server.  The VPN tunnel itself is the virtual “tun0” device that OpenVPN creates when it starts, and the script’s “tun+” rules are what admit VPN traffic.  Since in our scenario there is no LAN behind the server, the eth1 rules match no packets and can be left alone or deleted.  If you do have a second NIC installed, don’t give it an address in the range you chose for the VPN; the server would then have two routes to that network and your clients won’t be able to connect properly.

Note:  If the VPN will listen on a physical NIC other than eth0, edit the firewall.sh file and change every “eth0” to that interface name.  Do not rename the “eth1” entries to your Internet-facing interface: the script accepts all traffic arriving on eth1 because it assumes that is a trusted LAN, and pointing those rules at the public interface opens the server to everything.
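For the scenario in this article, where the server is the only thing clients reach, the forwarding and masquerading parts of the sample firewall.sh aren’t needed at all.  Here is an added example of the minimal rule set that scenario calls for, with a check that catches the eth1-to-eth0 renaming mistake described above.  This is written for this article and is not the OpenVPN project’s firewall.sh; it assumes the VPN listens on eth0 on UDP 1194, that the tunnel is the tun device OpenVPN creates, that the VPN network is the one on the “server” line, and that you administer the box over SSH on port 22.

```shell
#!/bin/sh
# iptables rules for this article's scenario: clients reach only the
# OpenVPN server itself, so nothing is forwarded or NATed and there is no
# LAN interface.  Added example for this article, not the OpenVPN project's
# sample firewall.sh.  Assumptions: the VPN listens on eth0 (WAN) on UDP
# 1194, the tunnel is the tun device OpenVPN creates (matched by "tun+"),
# the VPN network is the one on the "server" line of server.conf, and the
# box is administered over SSH on port 22.

WAN=${WAN:-eth0}
PRIVATE=${PRIVATE:-10.1.1.0/25}
VPN_PORT=${VPN_PORT:-1194}

vpn_rules() {
    # Print the rule set as iptables commands ($1 = WAN interface,
    # $2 = VPN network, $3 = UDP port) so it can be reviewed before use.
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
# Deny inbound by default; there is no LAN behind us, so never forward.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Anti-spoofing: VPN-range sources may only arrive through the tunnel.
iptables -A INPUT -i $1 -s $2 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The two services the public NIC exposes: OpenVPN and SSH.
iptables -A INPUT -i $1 -p udp --dport $3 -j ACCEPT
iptables -A INPUT -i $1 -p tcp --dport 22 -j ACCEPT
# OpenVPN has already authenticated anything emerging from the tunnel;
# this just pins it to the expected source range.
iptables -A INPUT -i tun+ -s $2 -j ACCEPT
EOF
}

apply_vpn_rules() {
    # Run as root (for example from openvpn-startup); silent on success.
    vpn_rules "$WAN" "$PRIVATE" "$VPN_PORT" | sh -e
}

wide_open_rules() {
    # Read a firewall script on stdin and print every rule that accepts all
    # traffic on interface $1 with no port, protocol or state match.  This is
    # exactly what renaming the sample firewall.sh's eth1 rules to eth0 makes.
    grep -E -- "-A (INPUT|FORWARD) -i $1 -j ACCEPT"
}

# Review before applying:
#   vpn_rules eth0 10.1.1.0/25 1194
#   vpn_rules eth0 10.1.1.0/25 1194 | wide_open_rules eth0    (prints nothing)
#   wide_open_rules eth0 < /etc/openvpn/firewall.sh            (should too)
```

Running wide_open_rules over your edited copy of the sample firewall.sh is a quick way to confirm that no rule accepts everything on the public interface before you let openvpn-startup load it.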

Save the file and open the “openvpn-startup” file for editing.  At the bottom of the file, find the lines:

openvpn --cd $dir --daemon --config vpn1.conf
openvpn --cd $dir --daemon --config vpn2.conf
openvpn --cd $dir --daemon --config vpn2.conf

(The duplicated “vpn2.conf” is a typo in the sample script itself.)  Comment out all three lines.  The init script starts every “*.conf” file it finds in “/etc/openvpn”, so it will start “server.conf” on its own, and these lines would only try to start two configuration files that don’t exist:

# openvpn --cd $dir --daemon --config vpn1.conf
# openvpn --cd $dir --daemon --config vpn2.conf
# openvpn --cd $dir --daemon --config vpn2.conf

The same script also runs “firewall.sh” and enables IP forwarding with “echo 1 > /proc/sys/net/ipv4/ip_forward”.  Since nothing is routed through the server in our scenario, you can comment out the ip_forward line as well.

Save the file and exit the text editor.

To manually start the program, you’ll either need to use “sudo” and have the appropriate sudo privileges, or you’ll need to “su” to a root login, and enter one of the following commands:

sudo /sbin/service openvpn start

or, if logged in as root:

service openvpn start

On a Debian or Ubuntu-type system, you would enter one of the following commands:

sudo /etc/init.d/openvpn start

or, if logged in as root,

/etc/init.d/openvpn start

When you install the OpenVPN package, it also installs an init script into the “/etc/init.d” directory and adds links to it in the appropriate run-level directories, so OpenVPN starts automatically whenever you boot the server.  You can confirm this with “chkconfig --list openvpn”.

Now that that’s done, you’ll want to configure the clients.
