Linux CentOS OpenVPN configuration overview

This article briefly explains how to configure OpenVPN on a CentOS system and how to configure a Windows PC client.

Note: This configuration is provided only as an example and operational guideline; Alibaba Cloud is not responsible for any results arising from following it.

Configure OpenVPN

  • Preparation

  • Install OpenVPN service

  • Configure OpenVPN service (server)

  • Start OpenVPN

Preparation

Before installing the OpenVPN service, make sure you have done the following:

  1. Use the update_source.sh tool to switch the yum source to the Alibaba Cloud internal-network yum source.

  2. Install the dependent packages:

     ```bash
     yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
     yum install -y pkcs11-helper pkcs11-helper-devel
     ```

  3. Confirm that the packages have been installed:

     ```bash
     rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel
     ```

     (Screenshot: Yum update source)

Install OpenVPN service

Install the OpenVPN service by following these steps:

  1. Download the OpenVPN source package: # wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz

  2. Use the rpmbuild command to build an rpm from the source package: # rpmbuild -tb openvpn-2.2.2.tar.gz. After the build completes, the installation package openvpn-2.2.2-1.x86_64.rpm is generated in the /root/rpmbuild/RPMS/x86_64 directory.

  3. Install the rpm package: # rpm -ivh openvpn-2.2.2-1.x86_64.rpm

     (Screenshot: Install OpenVPN service)

Configure OpenVPN service (server)

Configuring the OpenVPN service has four phases:

  • Initialization
  • Generate certificates, keys and parameter files
  • Copy certificates, keys and parameter files
  • Set iptables

Initialization

Initialize the PKI: run cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0, then in that directory open the vars environment file and modify the values defined by the following five export lines:

```bash
export KEY_COUNTRY="CN"        # country
export KEY_PROVINCE="BJ"       # province
export KEY_CITY="Hangzhou"     # city
export KEY_ORG="aliyun"        # organization
export KEY_EMAIL=my@test.com   # email address
```

Note: These parameter values can be customized freely; they do not cause any abnormality in the OpenVPN configuration.

Generate certificates, keys and parameter files

Generate the required certificates, keys and parameter files by following these steps:

  1. Execute the following commands to prepare the PKI for generating the server certificate and to remove all existing keys from the keys directory:

     ```bash
     ln -s openssl-1.0.0.cnf openssl.cnf   # symlink openssl.cnf to the openssl-1.0.0.cnf configuration file
     source ./vars
     ./clean-all
     ```

  2. Execute the following command to generate the CA certificate. The default values you set in the vars file at initialization are used, so pressing Enter at each prompt completes this step.

     ```bash
     ./build-ca
     ```

     (Screenshot: Generated CA certificate)

  3. Execute the following command to generate the server certificate, where aliyuntest is a custom name. Press Enter at each prompt; at the end there are two interactive prompts to confirm with y. Upon completion, the keys directory contains three new files: aliyuntest.key, aliyuntest.csr and aliyuntest.crt.

     ```bash
     ./build-key-server aliyuntest
     ```

     (Screenshot: Generate a server certificate)

  4. Execute the following command to create a client key and certificate, where aliyunuser is a user name. Press Enter at each prompt; the last two prompts are confirmed with y. Upon completion, the keys directory contains a 1024-bit RSA key pair in three files: aliyunuser.key, aliyunuser.crt and aliyunuser.csr.

     ```bash
     ./build-key aliyunuser
     ```

  5. Execute the following command to generate the Diffie-Hellman parameters used for client authentication. On completion, the keys directory contains the DH parameter file dh1024.pem.

     ```bash
     ./build-dh
     ```

Copy certificates, keys and parameter files

Follow the steps below to copy the generated certificates, keys and parameter files to the specified locations:

  1. Execute the following command to copy all files in the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory to the /etc/openvpn directory:

     ```bash
     cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/
     ```

  2. Execute the following command to copy the sample OpenVPN server configuration file server.conf to the /etc/openvpn/ directory:

     ```bash
     cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
     ```

  3. Once configured, the content of server.conf is as follows:

     ```bash
     $ egrep -v "^$|^#|^;" server.conf
     local 1.1.1.1          # enter your cloud server's public IP address here
     port 1194
     proto udp
     dev tun
     ca ca.crt
     cert aliyuntest.crt    # the crt name you chose when generating the server certificate
     key aliyuntest.key     # the key name you chose when generating the server certificate
     dh dh1024.pem
     server 172.16.0.0 255.255.255.0
     ifconfig-pool-persist ipp.txt
     push "redirect-gateway def1 bypass-dhcp"
     push "dhcp-option DNS 223.5.5.5"
     client-to-client
     keepalive 10 120
     comp-lzo
     user nobody
     group nobody
     persist-key
     persist-tun
     status openvpn-status.log
     log openvpn.log
     verb 3
     ```

     (Screenshot: server.conf configuration)
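As an added check (not part of the original article or of OpenVPN), the following script audits a server directory such as /etc/openvpn after the copy step above: it verifies that every file named by the ca, cert, key and dh directives of server.conf exists, that no private key is group- or world-readable, and that no private key other than the server's own is present, since the cp -a keys/* step also brings across ca.key and the client key. The audit_openvpn_dir name and the directory layout are assumptions.

```shell
#!/bin/sh
# Audit helper written for this article; not part of the original post or of OpenVPN.
# Checks a server directory such as /etc/openvpn after the copy step:
#   - every file named by the ca/cert/key/dh directives of server.conf exists,
#   - no *.key is readable by group or others,
#   - no private key other than the server's own is present (ca.key belongs on the
#     CA machine only, client keys belong on the clients).
# Exit status is the number of findings, so 0 means clean.
audit_openvpn_dir() {
    dir=$1
    conf="$dir/server.conf"
    findings=0
    if [ ! -r "$conf" ]; then
        echo "ERROR: $conf not found or unreadable"
        return 1
    fi
    # Only active directives count; lines starting with # or ; never match $1==d
    server_key=$(awk '$1=="key" {print $2; exit}' "$conf")
    for directive in ca cert key dh; do
        f=$(awk -v d="$directive" '$1==d {print $2; exit}' "$conf")
        if [ -z "$f" ]; then
            echo "WARN: server.conf has no '$directive' directive"
            findings=$((findings + 1))
        elif [ ! -f "$dir/$f" ]; then
            echo "WARN: '$directive $f' names a file that is not in $dir"
            findings=$((findings + 1))
        fi
    done
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue        # glob did not match: no key files at all
        name=${k##*/}
        if [ "$name" != "$server_key" ]; then
            echo "WARN: extra private key $name (only $server_key is needed here)"
            findings=$((findings + 1))
        fi
        mode=$(stat -c %a "$k")        # GNU stat, as on CentOS
        case "$mode" in
            600|400) ;;
            *) echo "WARN: $name has mode $mode; expected 600 (chmod 600 $k)"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
```

Run it on the server as audit_openvpn_dir /etc/openvpn; a non-zero exit status means there is something to fix before starting the service.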

Set iptables

Before setting iptables, make sure iptables is enabled and the /etc/sysconfig/iptables file already exists, then complete the setup with these steps:

  1. Enable internal routing and forwarding by editing the kernel parameters file:

     ```bash
     vi /etc/sysctl.conf
     ```

  2. Modify the following parameter to enable IPv4 forwarding:

     ```bash
     net.ipv4.ip_forward = 1
     ```

  3. Make the kernel parameters take effect:

     ```bash
     sysctl -p
     ```

  4. Add an iptables rule so the server can forward VPN client packets to the Alibaba Cloud internal network and to external networks:

     ```bash
     iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
     ```

  5. Save the iptables configuration:

     ```bash
     service iptables save
     ```
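As an added consistency check (not from the original article), the following functions derive the VPN client network from the server directive in server.conf and confirm that a matching POSTROUTING MASQUERADE rule exists in a saved dump of the nat table (for example iptables-save -t nat > nat.txt). The function names and file paths are assumptions.

```shell
#!/bin/sh
# Consistency check written for this article; not part of the original post.
# The network in the MASQUERADE rule must be the one the 'server' directive hands
# out to clients, otherwise their traffic leaves the box with a 172.16.x.x source
# address and the replies never come back. Inputs are server.conf and a file
# holding the output of 'iptables-save -t nat'.

# Convert a dotted netmask such as 255.255.255.0 to its prefix length (24)
mask_to_prefix() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$bits"
}

# Print the client network implied by the 'server' line, e.g. 172.16.0.0/24
vpn_cidr_from_conf() {
    awk '$1=="server" {print $2, $3; exit}' "$1" | {
        read -r net mask
        [ -n "$net" ] || exit 1
        echo "$net/$(mask_to_prefix "$mask")"
    }
}

# Exit 0 if the nat dump has a POSTROUTING MASQUERADE rule for that network,
# 1 if the rule is missing, 2 if server.conf has no 'server' directive
check_masquerade() {
    conf=$1
    nat_dump=$2
    cidr=$(vpn_cidr_from_conf "$conf") || { echo "ERROR: no 'server' line in $conf"; return 2; }
    if grep -q -- "-A POSTROUTING.* -s $cidr .*-j MASQUERADE" "$nat_dump"; then
        echo "OK: MASQUERADE rule present for $cidr"
        return 0
    fi
    echo "MISSING: iptables -t nat -A POSTROUTING -s $cidr -j MASQUERADE"
    return 1
}
```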

Start OpenVPN

Start OpenVPN with /etc/init.d/openvpn start, then run netstat -ano | grep 1194 to check that port 1194 is listening and OpenVPN is running.

Configuring Windows PC Client

Configure the Windows PC client by following these steps:

  1. Download the Windows PC client.

  2. Run the Windows PC client installer and complete the installation with the default settings.

  3. Download the three files aliyunuser.key, aliyunuser.crt and aliyunuser.csr from the cloud server's /etc/openvpn/ directory to the Windows PC that will run the OpenVPN client (an ftp tool can be used), and save them in the \OpenVPN\config directory under the OpenVPN installation path.

  4. Configure client.ovpn. Copy client.ovpn from the \OpenVPN\sample-config\ directory under the OpenVPN installation path into the \OpenVPN\config directory, then modify the following parameters in the file:

     ```bash
     proto udp            # remove the leading semicolon; use UDP to match the server
     remote 1.1.1.1 1194  # replace 1.1.1.1 with your cloud server's public IP and remove the leading semicolon
     cert aliyunuser.crt
     key aliyunuser.key
     ```

  5. Open the C:\Program Files (x86)\OpenVPN\bin directory, right-click openvpn-gui-1.0.3.exe and select Run as administrator (otherwise adding routes may fail).

     (Screenshot: Run openvpn-gui-1.0.3)

  6. Once connected, access the Alibaba Cloud internal-network mirror source to confirm that you can reach the internal network through OpenVPN, then visit ip.cn: the public IP shown for the Windows PC is now the cloud server's public IP address.

     (Screenshots: Alibaba Cloud internal network access; Access ip.cn)


Origin www.cnblogs.com/kcxg/p/10983893.html