Client to Server OpenVPN: Difference between revisions
No edit summary |
No edit summary |
||
| Line 10: | Line 10: | ||
<pre> | <pre> | ||
yum -y install openssl lzo openvpn | yum -y install openssl lzo openvpn easy-rsa | ||
</pre> | </pre> | ||
| Line 21: | Line 21: | ||
== OpenVPN == | == OpenVPN == | ||
<pre> | <pre> | ||
/etc/openvpn/server.conf | vi /etc/openvpn/server.conf | ||
</pre> | </pre> | ||
<pre> | <pre> | ||
local | local 192.168.1.1 | ||
port 1194 | port 1194 | ||
proto udp | proto udp | ||
| Line 47: | Line 47: | ||
verb 3 | verb 3 | ||
log access.log | log access.log | ||
</pre> | |||
= Certificate Creation = | |||
'''NOTE''': Make sure the KeyName is different for each certificate generated otherwise the system can't keep track of the certfiicates generated and you will get errors like: | |||
<pre> | |||
failed to update database | |||
TXT_DB error number 2 | |||
</pre> | |||
The default KeyName is : EasyRSA | |||
== Preparation == | |||
<pre> | |||
mkdir /etc/openvpn/easy-rsa | |||
cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ | |||
mkdir /etc/openvpn/easy-rsa/keys | |||
mkdir /etc/openvpn/keys | |||
cd /etc/openvpn/easy-rsa | |||
vi vars | |||
</pre> | |||
change | |||
<pre> | |||
export EASY_RSA="`pwd`" | |||
</pre> | |||
to | |||
<pre> | |||
export EASY_RSA="/etc/openvpn/easy-rsa/keys" | |||
</pre> | |||
Change the other fields as required. | |||
<pre> | |||
export KEY_COUNTRY="US" | |||
export KEY_PROVINCE="CA" | |||
export KEY_CITY="SanFrancisco" | |||
export KEY_ORG="Fort-Funston" | |||
export KEY_EMAIL="me@myhost.mydomain" | |||
export KEY_OU="MyOrganizationalUnit" | |||
</pre> | |||
<pre> | |||
export KEY_CN="my.fqdn.server.name" | |||
</pre> | |||
Source in our new variables. | |||
<pre> | |||
source ./vars | |||
</pre> | |||
Clean any previous builds. Should not be required if this is your first run at building certificates. | |||
<pre> | |||
./clean-all | |||
</pre> | |||
== Server Certificates == | |||
Build Certificate Authority Certificate | |||
<pre> | |||
./build-ca | |||
</pre> | |||
Build Certificate and Key and name the certificate server | |||
<pre> | |||
./build-key-server server | |||
</pre> | |||
Build Diffie-Hellman key exchange | |||
<pre> | |||
./build-dh | |||
</pre> | |||
Copy certificate files to OpenVPN keys folder | |||
<pre> | |||
cd /etc/openvpn/easy-rsa/keys | |||
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/keys/ | |||
</pre> | |||
== Client Certificate == | |||
For tightened security you would normally generate a client certificate for each client. In this case I will use the one certificate for all clients. | |||
The name client below is the name of the client certificate. If generating multiple certificates you will have to name them differently. | |||
<pre> | |||
cd /etc/openvpn/easy-rsa | |||
./build-key client | |||
</pre> | |||
= Openvpn Service = | |||
Enable service | |||
<pre> | |||
systemctl -f enable openvpn@server.service | |||
</pre> | |||
Start service | |||
<pre> | |||
systemctl start openvpn@server | |||
</pre> | </pre> | ||
[[Category : Linux]] | [[Category : Linux]] | ||
Revision as of 05:04, 1 August 2016
Work in Progress
My specific purpose for these instructions is so IP phones can establish a tunnel and communicate to a SIP server without the need of worrying about NAT, STUN or port forwards. The Yealink SIP phones have inbuilt OpenVPN capabilities.
The following instructions were performed on CentOS 7.2
Installing
Firstly install epel due to openvpn not been available in the default repository. Once epel has been install then...
yum -y install openssl lzo openvpn easy-rsa
Config Files
Examples of Configuration Files
/usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf
OpenVPN
vi /etc/openvpn/server.conf
local 192.168.1.1 port 1194 proto udp dev tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/key.pem dh /etc/openvpn/keys/dh2048.pem server 172.21.18.0 255.255.254.0 ifconfig-pool-persist ipp.txt push "route 172.21.18.0 255.255.254.0" client-to-client keepalive 10 120 comp-lzo persist-key persist-tun verb 3 log access.log
Certificate Creation
NOTE: Make sure the KeyName is different for each certificate generated otherwise the system can't keep track of the certfiicates generated and you will get errors like:
failed to update database TXT_DB error number 2
The default KeyName is : EasyRSA
Preparation
mkdir /etc/openvpn/easy-rsa cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ mkdir /etc/openvpn/easy-rsa/keys mkdir /etc/openvpn/keys cd /etc/openvpn/easy-rsa vi vars
change
export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa/keys"
Change the other fields as required.
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="me@myhost.mydomain" export KEY_OU="MyOrganizationalUnit"
export KEY_CN="my.fqdn.server.name"
Source in our new variables.
source ./vars
Clean any previous builds. Should not be required if this is your first run at building certificates.
./clean-all
Server Certificates
Build Certificate Authority Certificate
./build-ca
Build Certificate and Key and name the certificate server
./build-key-server server
Build Diffie-Hellman key exchange
./build-dh
Copy certificate files to OpenVPN keys folder
cd /etc/openvpn/easy-rsa/keys cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/keys/
Client Certificate
For tightened security you would normally generate a client certificate for each client. In this case I will use the one certificate for all clients.
The name client below is the name of the client certificate. If generating multiple certificates you will have to name them differently.
cd /etc/openvpn/easy-rsa ./build-key client
Openvpn Service
Enable service
systemctl -f enable openvpn@server.service
Start service
systemctl start openvpn@server
