This article will explain how to install OpenVPN on Centos 6.5 (x64) on routing mode.
Why routing mode? Well, it consumes less bandwidth than the bridging mode (some call this smaller overhead), leaving more bandwidth for useful traffic. Unless you don’t need to broadcast packets over the network you will be absolutely fine with this.
No broadcast functionality will stop Network Neighgbourhood and similar Windows services from working, but you will be able to map drives instead, and easily access Windows shares that way. You can even use this setup with a domain controller.
First, we need to install OpenVPN packages, type in CLI:
yum install openvpn easy-rsa net-tools bridge-utils -y
Then, let’s backup the original config file:
cp /etc/openvpn/server.conf /etc/openvpn/server.conf.original
edit the server.conf file and paste the following code:
local 192.168.1.252 port 4000 proto udp dev tun tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem server 192.168.2.0 255.255.255.0 push "dhcp-option DNS 220.127.116.11" push "route 192.168.1.0 255.255.255.0" push "explicit-exit-notify 3" keepalive 5 30 comp-lzo persist-key persist-tun status /var/log/openvpn-online.log log /var/log/openvpn verb 3 user nobody group nobody mute 20 client-to-client
This will create the server on ip address 192.168.1.252 (please replace this addres with the proper IP of your server in the LAN network and in this case also correct the push “route” line, if the domain isn’t 192.168.1.0/24), that listens on port 4000 UDP, and it will pull the connectin clients to 192.168.2.0/255.255.255.0 domain. If you wish to use a DNS server of your preference (I recommend this) then correct it in the push “dhcp-option DNS” line.
Comment out the last line (client-to-client) if you want to isolate the clients from each other.
Creating the server certificates
This is the part that you do only once.
cp -R /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
Enter the apropriate data. For future use, please mind that the CN (Common Name) parameter must be unique every time you create…let’s say ANY key. You can dig further to see why.
Enter required fields again
You can try to start the OpenVPN service now, and make it start on boot:
service openvpn start
chkconfig openvpn on
Creating the client setup
If you use a Windows box, you’ll need to download a client.
Here’s the config file for a client:
client dev tun proto udp remote myserver.url.com 4000 resolv-retry infinite nobind persist-key persist-tun ca "c:\\Program Files\\OpenVPN\\config\\ca.crt" cert "c:\\Program Files\\OpenVPN\\config\\client1.crt" key "c:\\Program Files\\OpenVPN\\config\\client1.key" comp-lzo route-method exe route-delay 2 remote-cert-tls server tun-mtu-extra 32
Please replace the myserver.url.com to the proper URL or IP address of your OpenVPN server.
This will create a VPN client that will try to (re)connect infinitelly until the connection is successful.
Creating client certificates
In this setup of installing OpenVPN on Centos, you will need certificates for the clients. In a simmilar way that you created server cerificates, you can create client certificates. On the linux box, type:
no need for ./clean-all here
Once again, answer all the questions, and the creation of the client certificates is done. You can name the client1 anyway you like, but don’t forget to adjust the file name in the client configurtion file.
Now you need to copy the files named client1.key, client1.crt and ca.crt from the /etc/openvpn/easy-rsa/2.0/keys directory on the server and put it in the c:\Program Files\OpenVPN\config folder. I usually use scp or WinSCP for this.
You might want to enable ip forwarding on your linux box, if the destination of the VPN clients isn’t just the CentOS box itself (for example, they’ll want to access the whole local network the VPN server is on).
and make sure that the option is set as follows:
net.ipv4.ip_forward = 1
Save, and let’s set SNAT for iptables:
iptables -t nat -A POSTROUTING 192.168.2.0/24 -j SNAT –to-source 192.168.1.252
service iptables save
And now you can try to fire up your VPN connection.
Of course, if you need more clients, I suggest you make a different certificate of each client (otherwise with this setup one client would kick off the another when it connects – this is easily solvable but I do not advise it).