Revision as of 23:41, 1 August 2016

Work in Progress

My specific purpose for these instructions is so IP phones can establish a tunnel and communicate to a SIP server without the need of worrying about NAT, STUN or port forwards. The Yealink SIP phones have inbuilt OpenVPN capabilities.

The following instructions were performed on CentOS 7.2

Server

Installing

Firstly install epel due to openvpn not been available in the default repository. Once epel has been install then...

yum -y install openssl lzo openvpn easy-rsa

Config Files

Examples of Configuration Files

/usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf

OpenVPN

vi /etc/openvpn/server.conf

local 192.168.1.1
port 1194
proto udp
dev tun

ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem

cipher AES-256-CBC
duplicate-cn
tls-auth ta.key 0

server 172.21.18.0 255.255.254.0
ifconfig-pool-persist ipp.txt

push "route 172.21.18.0 255.255.254.0"

client-to-client
keepalive 10 120
#comp-lzo
persist-key
persist-tun
verb 3
log access.log

Certificate Creation

NOTE: Make sure the KeyName is different for each certificate generated otherwise the system can't keep track of the certfiicates generated and you will get errors like:

failed to update database
TXT_DB error number 2

The default KeyName is : EasyRSA

Preparation

mkdir /etc/openvpn/easy-rsa
cp  /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
mkdir /etc/openvpn/easy-rsa/keys
mkdir /etc/openvpn/keys
cd /etc/openvpn/easy-rsa
vi vars

change

export EASY_RSA="`pwd`"

to

export EASY_RSA="/etc/openvpn/easy-rsa/keys"

Change the other fields as required.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

export KEY_CN="my.fqdn.server.name"

Source in our new variables.

source ./vars

Clean any previous builds. Should not be required if this is your first run at building certificates.

./clean-all

Server Certificates

Build Certificate Authority Certificate

./build-ca

Build Certificate and Key and name the certificate server

./build-key-server server

Build Diffie-Hellman key exchange

./build-dh

Copy certificate files to OpenVPN keys folder

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/keys/

Client Certificate

For tightened security you would normally generate a client certificate for each client. In this case I will use the one certificate for all clients.

The name client below is the name of the client certificate. If generating multiple certificates you will have to name them differently.

cd /etc/openvpn/easy-rsa
./build-key client

tls-auth Key

openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Openvpn Service

Enable service

systemctl -f enable openvpn@server.service

Start service

systemctl start openvpn@server

Client

Config File

client
dev tun
proto udp
remote 192.168.25.127 1194
resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

cipher AES-256-CBC

# comp-lzo
verb 3

Copy Cert Files

Copy the following files to your openvpn config folder.

ca.crt
client.crt
client.key
ta.key

@@ Line 5: / Line 5: @@
 The following instructions were performed on CentOS 7.2
-= Installing =
+= Server =
+== Installing ==
 Firstly [[Install_epel | install epel]] due to openvpn not been available in the default repository.  Once epel has been install then...
@@ Line 13: / Line 14: @@
 </pre>
-== Config Files ==
+=== Config Files ===
 Examples of Configuration Files
 <pre>
@@ Line 19: / Line 20: @@
 </pre>
-== OpenVPN ==
+=== OpenVPN ===
 <pre>
 vi /etc/openvpn/server.conf
@@ Line 36: / Line 37: @@
 cipher AES-256-CBC
+duplicate-cn
+tls-auth ta.key 0
 server 172.21.18.0 255.255.254.0
@@ Line 51: / Line 54: @@
 </pre>
-= Certificate Creation =
+== Certificate Creation ==
 '''NOTE''': Make sure the KeyName is different for each certificate generated otherwise the system can't keep track of the certfiicates generated and you will get errors like:
 <pre>
@@ Line 60: / Line 63: @@
 The default KeyName is : EasyRSA
-== Preparation ==
+=== Preparation ===
 <pre>
 mkdir /etc/openvpn/easy-rsa
@@ Line 107: / Line 110: @@
 </pre>
-== Server Certificates ==
+=== Server Certificates ===
 Build Certificate Authority Certificate
 <pre>
@@ Line 130: / Line 133: @@
 </pre>
-== Client Certificate ==
+=== Client Certificate ===
 For tightened security you would normally generate a client certificate for each client.  In this case I will use the one certificate for all clients.
@@ Line 139: / Line 142: @@
 </pre>
-= Openvpn Service =
+=== tls-auth Key ===
+<pre>
+openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
+</pre>
+== Openvpn Service ==
 Enable service
 <pre>
@@ Line 150: / Line 158: @@
 </pre>
+= Client =
+== Config File ==
+<pre>
+client
+dev tun
+proto udp
+remote 192.168.25.127 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca ca.crt
+cert client.crt
+key client.key
+remote-cert-tls server
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+tls-auth ta.key 1
+cipher AES-256-CBC
+# comp-lzo
+verb 3
+</pre>
+== Copy Cert Files ==
+Copy the following files to your openvpn config folder.
+<pre>
+ca.crt
+client.crt
+client.key
+ta.key
+</pre>
 [[Category : Linux]]

Client to Server OpenVPN: Difference between revisions

Revision as of 23:41, 1 August 2016

Contents