OpenVPN on CentOS 5.2

Posted by linuxscooter on Mar 5, 2009 8:41 PM EDT
HowtoForge; By linuxscooter

So your users need access to Exchange and data from outside your organisation. Sure you can set up RPC over HTTPS and various other tools to access the data. I just find OpenVPN very good, convenient and reliable.





OpenVPN Server Setup

(Tested on CentOS 5.2)




Commands are given one per line (they were shown in bold in the original); text in parentheses is a comment, not part of the command.

yum install openvpn

cd /etc/openvpn/

cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/

cd /etc/openvpn/easy-rsa/2.0/ (use the 2.0 scripts only; the copies one directory up are the older easy-rsa 1.0 scripts, so do not mix the two sets)

chmod +x * (the scripts are not executable as shipped in the doc directory)

vi vars (at the bottom of the file change the KEY_* values, country, province, city, organisation and e-mail, to match the site; they become the certificate subject)

source ./vars (the build scripts read those variables from the environment, so repeat this in every new shell before running them)

./clean-all (creates an empty keys/ directory; run it once, now, and never again once certificates exist, because it deletes everything in keys/)

./build-ca (builds the CA certificate, keys/ca.crt, and the CA private key, keys/ca.key; ca.key signs every other certificate and must stay on this machine)

./build-key-server server (builds the server certificate and key, keys/server.crt and keys/server.key)



vi /etc/openvpn/openvpn.conf (use the following as a starting point; lines beginning with # are comments, so the block can be pasted as it is)

# 1194 is the default, but on some mobile (APN) networks it is blocked, so this
# setup listens on 1723 (the port PPTP uses). UDP performs better than TCP for a
# tunnel, especially over slow lines, so prefer 1194/udp wherever it is not
# filtered. Port and proto must be the same on the client side.
port 1723
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
# Diffie-Hellman parameters from ./build-dh; the file name follows KEY_SIZE in vars
dh dh1024.pem
# Address pool handed to clients; pick a range that does not clash with the
# networks your users sit on at home or in hotels, or the pushed route will not work
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 192.168.168.1"
push "dhcp-option DNS 168.210.2.2"
#push "dhcp-option WINS 192.168.1.2"
push "route 192.168.168.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
# drop privileges once the tunnel is up and the keys are read
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
# duplicate-cn lets several users connect with the same certificate. It is
# convenient, but you then cannot tell users apart in the status log or revoke
# one of them without cutting everybody off. Leave it out and issue one
# certificate per user (./build-key <name>) where you can.
duplicate-cn




./build-dh (builds the Diffie-Hellman parameters, keys/dh1024.pem; the size comes from KEY_SIZE in vars)

cp keys/{ca.crt,server.crt,server.key,dh1024.pem} /etc/openvpn/ (ca.key stays in keys/; the running server never needs it, only the build-key scripts do)

/etc/init.d/openvpn start

chkconfig --list | grep vpn (make sure it is set to start at boot)

./build-key <name> (repeat for each user; one certificate per user is what lets you revoke a single lost laptop later without reissuing everything)

cd keys/

zip ttt.zip ca.crt <name>.crt <name>.key (the client needs exactly these three files; never put ca.key in the archive, and the .csr is not needed either)

yum install -y nail

nail -s "Keys" -a ttt.zip me@mydomain.com (the zip holds the user's private key in the clear, so mail it only to a mailbox you trust, or better, hand it over on another channel and have the user delete the mail afterwards)

/etc/init.d/openvpn restart

netstat -ntpl | grep 1723 (confirm openvpn is listening on the TCP port)
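Packing the client files is the step that most easily goes wrong, so here is an added example, not from the HowtoForge article, of a small POSIX shell script that assembles the three client files into a single inline .ovpn profile and refuses to include ca.key, another user's key or a .csr. It assumes the easy-rsa 2.0 keys/ directory from the steps above, the tcp/1723 server from openvpn.conf, a hypothetical host name vpn.example.com, and an OpenVPN 2.1 or later client, because inline <ca>/<cert>/<key> blocks are not understood by 2.0.

```shell
#!/bin/sh
# Added example, not part of the HowtoForge article: build a single-file
# client profile from easy-rsa's keys/ directory and refuse to ship anything
# a client must never hold (ca.key, other users' keys, .csr files).
# Assumptions: keys live in KEYS_DIR (default /etc/openvpn/easy-rsa/2.0/keys),
# the server listens on tcp/1723 as in the article's openvpn.conf, and the
# client runs OpenVPN 2.1 or later (inline <ca>/<cert>/<key> blocks need it).
set -eu

# check_bundle_list <client> <file>...: exit status 0 if every file is safe
# to hand to <client>, 1 otherwise. Called before anything is packed.
check_bundle_list() {
    client="$1"; shift
    for f in "$@"; do
        base=$(basename "$f")
        case "$base" in
            ca.key)
                echo "refusing: $f is the CA private key; it never leaves the server" >&2
                return 1 ;;
            *.csr)
                echo "refusing: $f is a signing request; the client does not need it" >&2
                return 1 ;;
            *.key)
                [ "$base" = "$client.key" ] || { echo "refusing: $f is not $client's key" >&2; return 1; } ;;
        esac
    done
    return 0
}

# make_client_ovpn <keys_dir> <client> <server_host> [port] [proto]
# Writes <keys_dir>/<client>.ovpn (mode 0600) and prints its path.
make_client_ovpn() {
    keys_dir="$1"; client="$2"; server="$3"; port="${4:-1723}"; proto="${5:-tcp}"
    ca="$keys_dir/ca.crt"; crt="$keys_dir/$client.crt"; key="$keys_dir/$client.key"
    out="$keys_dir/$client.ovpn"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    check_bundle_list "$client" "$ca" "$crt" "$key" || return 1
    # subshell so the restrictive umask does not leak into the caller's shell
    (
        umask 077
        rm -f "$out"               # recreate so the new file gets mode 0600
        {
            echo "client"
            echo "dev tun"
            echo "proto $proto"
            echo "remote $server $port"
            echo "resolv-retry infinite"
            echo "nobind"
            echo "persist-key"
            echo "persist-tun"
            echo "comp-lzo"        # must match the server's comp-lzo setting
            echo "verb 3"
            echo "<ca>";   cat "$ca";  echo "</ca>"
            echo "<cert>"; cat "$crt"; echo "</cert>"
            echo "<key>";  cat "$key"; echo "</key>"
        } > "$out"
    )
    echo "$out"
}

# Stand-alone use after ./build-key alice:
#   sh bundle.sh alice vpn.example.com [port] [proto]
if [ $# -ge 2 ]; then
    make_client_ovpn "${KEYS_DIR:-/etc/openvpn/easy-rsa/2.0/keys}" "$1" "$2" "${3:-1723}" "${4:-tcp}"
fi
```

The single .ovpn file replaces the zip, but it still contains the user's private key, so the same care applies when delivering it. The refusal in check_bundle_list is deliberate rather than a silent skip: if ca.key ever ends up in a bundle list, you want the build to stop and tell you.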



Set the iptables firewall rules to allow the tunnel. These lines are meant to be added to a firewall script that already defines $IPTABLES, $EXTIF, $EXTIP, $INTIF, $INTNET and $UNIVERSE (0.0.0.0/0, i.e. anywhere); only the VPN variables are new. The port and protocol in the INPUT rule must match openvpn.conf, and VPNNET/VPNIP must match its server line.

# VPN interface and client address pool (from "server 172.16.0.0 255.255.255.0")
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"

### OpenVPN: accept the tunnel itself on the external interface
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN

# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT

# OpenVPN forwarding
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT

Note that none of these FORWARD rules explicitly accepts new connections from $VPNNET to $INTNET, which is the direction the pushed route is for, so whether clients reach the LAN depends on the FORWARD chain's default policy and the rest of the script. Test a connection from a client to a LAN host after loading the rules rather than assuming it works.



Follow the client side instructions from here...
