OpenVPN Server On Cent-OS 5.2
So your users need access to Exchange and data from outside your organisation. Sure you can set up RPC over HTTPS and various other tools to access the data. I just find OpenVPN very good, convenient and reliable.
And after battling to find a good simple HOWTO, I put this together. It's a quick and nasty but it works!:)
Firstly, ensure you are root, and just in case the OpenVPN is not in the base repository, add the rpmforge repo (these steps you can find elsewhere).
If you use selinux you will need this:
#semanage port -a -t openvpn_port_t -p tcp 1723
yum install openvpn
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
. ../vars
chmod +rwx *
./clean-all
source ./vars
vi ../vars
(At the bottom of the files change the values to match the site.)
vi vars
(At the bottom of the files change the values to match the site.)
./build-ca
(This builds the CA certificate.)
source ./vars
./clean-all
./build-ca
./build-key-server server
(This builds the server.key file.)
vi /etc/openvpn/openvpn.conf
(For slow lines UDP is faster. Use the below as a starting point:)
port 1723 # (1194 is the default but on some APN networks this is blocked)
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 192.168.168.1"
push "dhcp-option DNS 168.210.2.2"
#push "dhcp-option WINS 192.168.1.2"
push "route 192.168.168.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn # (this means several users can use the same key)
cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh (builds the dh1024)
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start
chkconfig --list | grep vpn
./build-dh (builds the dh1024)
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start
chkconfig --list | grep vpn
(Make sure it is set to start at boot.)
./build-key <name>
(Repeat and rinse if you want several individual client keys.)
cd keys/
zip keys.zip ca.crt ca.key <name>.crt <name>.csr <name>.key
yum install -y nail
nail -s “Keys" -a keys.zip me@mydomain.co.za
zip keys.zip ca.crt ca.key <name>.crt <name>.csr <name>.key
yum install -y nail
nail -s “Keys" -a keys.zip me@mydomain.co.za
netstat -ntpl | grep 1723
Set the iptables firewall rules to allow with these rules:
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT
# OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT
# OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT
Follow the client side instructions from here...
Installing OpenVPN GUI On Windows XP / Vista
Once the OpenVPN server has been setup and the client key(s) made available to you for installation, follow these steps to roll the VPN out to the clients:
-Download the client software here: http://www.openvpn.se/. The tested version is 1.0.3. Version 2.0.9 works on Vista with the following in the client.ovpn file:
route-method exe route-delay 2
-Install the program.
-Under C:\Program Files\OpenVPN\config place the following:
ca.crt
ca.key
client.ovpn (you might need to edit this file later)
<name>.crt (eg. johnl.crt)
<name>.csr
<name>.key
ca.key
client.ovpn (you might need to edit this file later)
<name>.crt (eg. johnl.crt)
<name>.csr
<name>.key
-Edit the client.ovpn file and ensure that the following fields match up for the site / user:
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <myserver> 1723
;remote my-server-2 1194
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert <name>.crt
key <name>.key
-Start OpenVPN and the client machine should connect. This is done by right clicking the OpenVPN in the task tray and clicking 'connect' or after starting the program via the start menu.
No comments:
Post a Comment