Client to Server OpenVPN
My specific purpose for these instructions is to let IP phones establish a tunnel and communicate with a SIP server without having to worry about NAT, STUN or port forwards. The Yealink SIP phones have built-in OpenVPN capabilities.
The following instructions were performed on CentOS 7.2.
Server
Installing
First install the epel repository, because openvpn is not available in the default repositories. Once epel has been installed, run:
yum -y install openssl lzo openvpn easy-rsa
Config Files
Examples of Configuration Files
/usr/share/doc/openvpn-2.3.12/sample/sample-config-files/server.conf
OpenVPN
vi /etc/openvpn/server.conf
local 192.168.1.1
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
cipher AES-256-CBC
#duplicate-cn
#tls-auth /etc/openvpn/keys/ta.key 0
server 10.121.18.0 255.255.254.0
ifconfig-pool-persist ipp.txt
push "route 10.121.18.0 255.255.254.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
log access.log
status connections.log
Certificate Creation
NOTE: Make sure the KeyName is different for each certificate generated; otherwise the CA database can't keep track of the certificates generated and you will get errors like:
failed to update database TXT_DB error number 2
The default KeyName is EasyRSA.
Preparation
mkdir /etc/openvpn/easy-rsa
cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
mkdir /etc/openvpn/easy-rsa/keys
mkdir /etc/openvpn/keys
cd /etc/openvpn/easy-rsa
vi vars
change
export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa"
Change the other fields as required.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
NOTE: Do not populate the KEY_CN field if you are using individual client certificates. If you are generating a single certificate for all clients then you can specify a default value here.
#export KEY_CN="my.fqdn.server.name"
Source in our new variables.
source ./vars
Clean any previous builds. This should not be required if this is your first run at building certificates.
./clean-all
Server Certificates
Build Certificate Authority Certificate
./build-ca
Build the server certificate and key, naming the certificate server
./build-key-server server
Build the Diffie-Hellman parameters
./build-dh
Copy the certificate files to the OpenVPN keys folder
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/keys/
Client Certificate
Known Issues:
1. For tighter security you would normally generate a client certificate for each client. In this case I will use the one certificate for all clients.
The name client in the below command is the name of the client certificate. If generating multiple certificates you will have to name them differently.
cd /etc/openvpn/easy-rsa
source ./vars
./build-key client
2. If you are using the same client certificate name together with duplicate-cn, then ifconfig-pool-persist won't work, because the client certificate name is what maps each client to its IP address to keep it consistent.
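A pre-flight check for the naming rule above (the TXT_DB error under Certificate Creation and Known Issue 1): an added Python example, not from the original page, that parses a constructed easy-rsa 2.x keys/index.txt and refuses a ./build-key name whose CN is already in the CA database. The index.txt contents and the DN layout shown are assumptions.

```python
import re

# Constructed sample of easy-rsa 2.x keys/index.txt, the OpenSSL CA database
# (not taken from the page).  Tab-separated fields: status, expiry,
# revocation date, serial, file name, subject DN.
SAMPLE_INDEX = (
    "V\t261001120000Z\t\t01\tunknown\t"
    "/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit"
    "/CN=server/name=EasyRSA/emailAddress=me@myhost.mydomain\n"
    "V\t261001120000Z\t\t02\tunknown\t"
    "/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit"
    "/CN=client/name=EasyRSA/emailAddress=me@myhost.mydomain\n"
)

def parse_index(text):
    """Parse index.txt into dicts; reject a line that is not six fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, fname, subject = fields
        m = re.search(r"/CN=([^/]*)", subject)
        entries.append({"status": status, "serial": serial,
                        "cn": m.group(1) if m else None, "subject": subject})
    return entries

def cn_conflicts(text, key_name):
    """Entries already issued with key_name as CN.  OpenSSL keys the database
    on the whole subject DN whatever the status, so a revoked row blocks too."""
    return [e for e in parse_index(text) if e["cn"] == key_name]

def check_build_key(text, key_name):
    """'ok' when ./build-key <key_name> can proceed, else why it would fail."""
    clash = cn_conflicts(text, key_name)
    if clash:
        serials = ", ".join(e["serial"] for e in clash)
        return ("refuse: CN %r already issued (serial %s); use another name "
                "or expect 'TXT_DB error number 2'" % (key_name, serials))
    return "ok: ./build-key %s" % key_name

if __name__ == "__main__":
    print(check_build_key(SAMPLE_INDEX, "client"))   # a second phone, same name
    print(check_build_key(SAMPLE_INDEX, "client2"))
```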
tls-auth Key
openvpn --genkey --secret /etc/openvpn/keys/ta.key
Openvpn Service
Automatic
vi /etc/default/openvpn
Set AUTOSTART to all, or to the name of a specific config file without the .conf extension.
AUTOSTART="all"
or
AUTOSTART="server"
Start Service
systemctl restart openvpn
Manually
While the openvpn service is stopped.
openvpn --config /etc/openvpn/server.conf
Client
Windows
VPN Config File
C:\Program Files\OpenVPN\config\office-vpn.ovpn
client
dev tun
proto udp
remote my-vpn.server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
Copy Certificate Files
Copy the following files from the OpenVPN server to your OpenVPN client config folder.
Source
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/easy-rsa/keys/ta.key
Destination
C:\Program Files\OpenVPN\config
Yealink IP Phone
NOTE: The Yealink phones don't seem to support tls-auth, which means you will need to remove this setting from the server and client configuration files.
Copy Certificate Files
On the Linux server where the OpenVPN server is running:
mkdir -p /tmp/yealink/keys
cd /etc/openvpn/easy-rsa/keys
cp ca.crt client.crt client.key /tmp/yealink/keys/
Create VPN client config File
vi /tmp/yealink/vpn.cnf
client
nobind
setenv SERVER_POLL_TIMEOUT 4
proto udp
remote my-vpn.server.com 1194
dev tun
dev-type tun
ns-cert-type server
persist-tun
persist-key
comp-lzo
verb 3
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
cipher AES-256-CBC
tar files
cd /tmp/yealink
tar cvpf openvpn.tar *
Copy openvpn.tar to your client computer. Open a web browser and enter the IP address of the handset. Select Network, then Advanced. Scroll down to the VPN setting, upload the openvpn.tar file and then select Enable.
Once the phone reboots you should see VPN in the top right of the screen. If VPN is not displayed, a VPN has not been successfully established to the server.
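An added consistency check (example code, not from this page or from Yealink) that parses a server.conf and a client config and reports the mismatches this page warns about: tls-auth present on only one side, duplicate-cn combined with ifconfig-pool-persist, cipher or port differences, and a client that never checks the server certificate role. The two embedded configs are constructed from this page's directives, trimmed to the ones the checks look at.

```python
# Constructed from the page's server.conf and Yealink vpn.cnf (not the page's
# own files): only the directives the lint below inspects are kept.
SERVER_CONF = """\
port 1194
cipher AES-256-CBC
duplicate-cn
#tls-auth /etc/openvpn/keys/ta.key 0
server 10.121.18.0 255.255.254.0
ifconfig-pool-persist ipp.txt
comp-lzo
"""
YEALINK_CONF = """\
client
remote my-vpn.server.com 1194
ns-cert-type server
comp-lzo
cipher AES-256-CBC
"""

def parse_conf(text):
    """Map directive -> list of argument lists; '#'/';' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def lint(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    issues = []
    if ("tls-auth" in s) != ("tls-auth" in c):
        issues.append("tls-auth on one side only; remove it from both for Yealink")
    if s.get("cipher") != c.get("cipher"):
        issues.append("cipher mismatch: %r vs %r" % (s.get("cipher"), c.get("cipher")))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        issues.append("comp-lzo on one side only")
    port = s.get("port", [["1194"]])[0][0]          # OpenVPN default is 1194
    if c.get("remote", [[]])[0][1:2] not in ([], [port]):
        issues.append("client remote port differs from server port %s" % port)
    if "duplicate-cn" in s and "ifconfig-pool-persist" in s:
        issues.append("duplicate-cn + ifconfig-pool-persist: pool is keyed by CN")
    if "remote-cert-tls" not in c and "ns-cert-type" not in c:
        issues.append("client does not verify the server certificate role")
    return issues

if __name__ == "__main__":
    for issue in lint(SERVER_CONF, YEALINK_CONF):
        print("WARN:", issue)
```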