Wednesday, December 9, 2009

Secure Communications with OpenVPN on CentOS 5

SkyHi @ Wednesday, December 09, 2009
OpenVPN, or Open Virtual Private Network, is a tool for creating networking "tunnels" between and among groups of computers that are not on the same local network. This is useful if you have services on a local network and need to access them remotely but don't want these services to be publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
For many private networking tasks, we urge users to consider the many capabilities of the OpenSSH package which can provide easier VPN and VPN-like services. OpenSSH is also installed and configured by default on all Linodes. Nevertheless, if your deployment requires a more traditional VPN solution like OpenVPN, this document covers the installation and configuration of the OpenVPN software.
Before installing OpenVPN, we assume that you have followed our getting started guide. If you're new to Linux server administration you may be interested in our using Linux document series including the beginner's guide and administration basics guide. If you're concerned about securing and "hardening" the system on your Linode, you might be interested in our security basics article as well.
These instructions work with the Linode platform. If you don't have a Linode yet, sign up for a Linux VPS and get started today.

Installing OpenVPN Link

The packages required to install OpenVPN and it's dependencies are not available in the standard CentOS repositories. As a result, in order to install OpenVPN, we must install the "EPELExternal Link" system. EPEL, or "Extra Packages for Enterprise Linux," is a product of the Fedora Project that attempts to provide Enterprise-grade software that's more current than what is typically available in the CentOS repositories. Enable EPEL with the following command:
rpm -Uvh
Make sure your package repositories and installed programs are up to date by issuing the following command:
yum update
Now we can begin installing the OpenVPN software with the following command:
yum install openvpn
The OpenVPN package provides a set of encryption-related tools called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory. Copy these files with the following command:
cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/2.0/, and much of our configuration will be located in this directory.

Configure Public Key Infrastructure Variables Link

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use to generate the scripts. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values:
File: /etc/openvpn/easy-rsa/2.0/vars :
export KEY_CITY="Oxford"
export KEY_ORG="Ducklington"
export KEY_EMAIL=""
Alter the examples to reflect your configuration. This information will be included in certificates you create and it is important that the information be accurate, particularly the KEY_ORG and KEY_EMAIL values.

Initialize the Public Key Infrastructure (PKI) Link

Issue the following three commands in sequence to initialize the certificate authority and the public key infrastructure:
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca
These scripts will prompt you to enter a number of values. By configuring the vars you can be sure that your PKI is configured properly. If you set the correct values in vars, you will be able to press return at each prompt.

Generate Certificates and Private Keys Link

With the certificate authority generated you can generate the private key for the server. To accomplish this, issue the following command:
. /etc/openvpn/easy-rsa/2.0/build-key-server server
This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. The challenge password and company names are optional and can be left blank. When you've completed the question section you can confirm the signing of the certificate and the "certificate requests certified" by answering "yes" to these questions.
With the private keys generated, we can create certificates for all of the VPN clients. Issue the following command:
. /etc/openvpn/easy-rsa/2.0/build-key client1
Replace the client1 parameter with a relevant identifier for each client. You will want to generate a unique key for every user of the VPN. Each key should have it's own unique identifier. All other information can remain the same. If you need to add users to your OpenVPN at any time, repeat this step to create additional keys.

Generate Diffie Hellman Parameters Link

The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:
. /etc/openvpn/easy-rsa/2.0/build-dh
This should produce the following output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
This will be followed by a quantity of seemingly random output. The task has succeeded.

Relocate Secure Keys Link

The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys that you have generated using the easy-rsa tools.
In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines. They are:
  • ca.crt
  • client1.crt
  • client1.key
You can use the scp tool, or any other means of transferring. Be advised, these keys should transferred with the utmost attention to security. Anyone who has the key or is able to intercept an unencrypted copy of the key will be able to gain full access to your virtual private network.
Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
  • ca.crt
  • ca.key
  • dh1024.pem
  • server.crt
  • server.key
Issue the following commands:
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
These files need not leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured. If these files are compromised, they will need to be recreated along with all client keys.

Revoking Client Certificates Link

If you need to remove a user's access to the VPN server, issue the following command sequence.
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1
This will revoke the ability of users who have the client1 certificate to access the VPN. For this reason, keeping track of which users are in possession of which certificates is crucial.

Configuring the Virtual Private Network Link

We'll now need to configure our server file. There is an example file in /usr/share/doc/openvpn-2.1.1/examples/sample-config-files. Issue the following sequence of commands to retrieve the example configuration files and move them to the required directories:
cp /usr/share/doc/openvpn-2.1.1/sample-config-files/server.conf /etc/openvpn/
cp /usr/share/doc/openvpn-2.1.1/sample-config-files/client.conf ~/
cd ~/
Modify the remote line in your ~/client.conf file to reflect the OpenVPN server's name.
File: ~/client.conf
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.

remote 1194
Edit the client.conf file to reflect the name of your key. In this example we use client1 for the file name.
File: ~/client.conf
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key
Copy the ~/client1.conf file to your client system. You'll need to repeat the entire key generation and distribution process for every user and every key that will connect to your network.

Connect to the OpenVPN Link

To initialize the OpenVPN server process, run the following command:
/etc/init.d/openvpn start
This will scan the /etc/openvpn directory on the server for files with a .conf extension. For every file that it finds, it will create and run a VPN daemon (server). Enable OpenVPN to start on the following boot, issue the following command:
chkconfig openvpn on
The process for connecting to the VPN varies depending on your specific operating system and distribution running on the client machine. You will need to install the OpenVPN package for your operating system if you have not already.
Most network management tools provide some facility for managing connections to a VPN. Configure connections to your OpenVPN through the same interface where you might configure wireless or ethernet connections. If you choose to install and manage OpenVPN manually, you will need to place the the client1.conf file and the requisite certificate files in the local machine's /etc/openvpn directory, or equivalent location.
If you use OS X on a Mac, we have found that the TunnelblickExternal Link tool provides an easy method for managing OpenVPN connections. If you use Windows, the OpenVPN GUIExternal Link tool may be an effective tool for managing your connections too. Linux desktop users can install the OpenVPN package and use the network management tools that come with your desktop environment.

Using OpenVPN Link

Connect Remote Networks Securely With the VPN Link

Once configured, the OpenVPN server allows you to encrypt traffic between your local computer and your Linode's local network. While all other traffic is handled in the conventional manner, the VPN allows traffic on non-public interfaces to be securely passed through your Linode. This will also allow you to connect to the local area network in your Linode's data center if you are using the LAN to connect to multiple Linodes in the same datacenter. Using OpenVPN in this manner is supported by the default configuration, and if you connect to the OpenVPN you have configured at this point, you will have access to this functionality.

Tunnel All Connections through the VPN Link

By deploying the following configuration, you will be able to forward all traffic from client machines through your Linode, and encrypt it with transport layer security (TLS/SSL) between the client machine and the Linode. Begin by adding the following parameter to the /etc/openvpn/server.conf file to enable "full tunneling":
File excerpt: /etc/openvpn/server.conf
push "redirect-gateway def1"
Now edit the /etc/sysctl.conf file to modify the following line to ensure that your system is able to forward IPv4 traffic:
File excerpt: /etc/sysctl.conf
net.ipv4.ip_forward = 1
Issue the following command to set this variable for the current session:
echo 1 > /proc/sys/net/ipv4/ip_forward
Issue the following commands to configure iptables to properly forward traffic through the VPN:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that theses iptables rules will be recreated following your next reboot cycle:
File excerpt: /etc/rc.local
# [...]

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

touch /var/lock/subsys/local
This will enable all client traffic except DNS queries to be forwarded through the VPN. To forward forward DNS traffic through the VPN you will need to install the dnsmasq package and modify the /etc/opnevpn/server.conf package. Begin by issuing the following commands to install, start the service, and configure the service to start on boot:
yum install dnsmasq
/etc/init.d/dnsmasq start
chkconfig dnsmasq on
Add the following directive to the /etc/openvpn/server.conf file:
File excerpt: /etc/openvpn/server.conf
push "dhcp-option DNS"
Finally, before attempting to connect to the VPN in any configuration, restart the OpenVPN server by issuing the following command:
/etc/init.d/openvpn restart
Once these configuration options have been implemented, you can test the VPN connection by connecting to the VPN from your local machine, and access one of the many websites that will display your IP address. If the IP address displayed matches the IP address of your Linode, all network traffic from your local machine will be filtered through your Linode and encrypted over the VPN between your Linode and your local machine. If, however, your apparent public IP address is different from your Linode's IP address, your traffic is not being filtered through your Linode or encrypted by the VPN.

More Information Link

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Installing OpenVPN server on CentOS Linux (part3)

The configuration is similar to the process used for Debian, except for the beginning of the installation process.
Since the package is not included into the CentOS repository, you need to enable RPMforge ( to install OpenVPN.

Run the commands:
wget -ivh
rpm -Uvh rpmforge-release-0.5.1-1.el5.rf.i386.rpm
The repository installs, and you may install OpenVPN by the command
yum -y install openvpn
Copy the files (key utilities) into the openvpn configuration files’ folder
cp /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/* /etc/openvpn/
Go to the
directory and set the required access privileges for the following files:
cd /etc/openvpn/
chmod +x clean-all build-ca build-key-server build-dh build-key /etc/openvpn/whichopensslcnf ./build-ca
Create the keys (as for the installation on Debian Linux)
Then copy the openvpn configuration file
cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
Configuration is similar to the process used for Debian; you also provide other settings, for example NAT configuration.

Configuring a client’s OpenVPN on Windows Vista

We recommend using OpenVPN GUI for Windows as a client’s software
Download an openvpn-2.0.9-gui-1.0.3-install.exe file from the official website and install it leaving its parameters on the default.
Once finished, copy the client.ovpn file form
C:\Program Files\OpenVPN\sample-config\ into c:\Program Files\OpenVPN\config\
and paste there the certificates’ files from the server
In the client.ovpn client’s configuration file change the following line
remote my-server-1 1194
into the one that refers to your server address, for example,
remote 1194
and specify other certificates’ names
cert client1.crt
key client1.key
If you wish to connect to the Internet through the OpenVPN-server, you need to add the following lines to modify the routing
route-method exe
route-delay 2
Run OpenVPN as administrator – Start -> Programs -> OpenVPN –> double-click OpenVPN GUI and start it as administrator
Otherwise, modified parameters will not be applied.
Also you double click OpenVPN GUI and choose Connect
Congratulations! You have successfully installed the clients’ software.

Installing and configuring a VPN-server with OpenVPN (part1)
Installing OpenVPN on a Debian Linux (part2)