== Install OpenVPN into CentOS 5.2 (Tunnel Mode)

Network layout used in this guide:

[VPN client] 192.168.20.X ----- 192.168.20.56 [OpenVPN Server] 192.168.10.1 ----- 192.168.10.2 [Server]
                                                                               |
                                                                               ---- 192.168.10.3 [Server]

== Install RPMforge repository into CentOS

The stock CentOS 5 repositories do not ship OpenVPN, so it is installed from RPMforge. Install yum-priorities first and give every CentOS repository priority=1, so that a third-party repository cannot replace base packages with its own builds.

> yum -y install yum-priorities
> vi /etc/yum.repos.d/CentOS-Base.repo

# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
########### ADD ##############

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
########### ADD ##############

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
#baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
########### ADD ##############

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
########### ADD ##############

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

Import the RPMforge (DAG) signing key and install the repository package. Both are fetched over plain HTTP, so compare the imported key (rpm -q gpg-pubkey) against a fingerprint obtained from a trusted source before installing anything from this repository.

> rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
> rpm -ivh http://apt.sw.be/redhat/el5/en/i386/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

== Install OpenVPN Server

> yum -y install openvpn
> cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/ /etc/openvpn/easy-rsa
> cd /etc/openvpn/easy-rsa/
> chmod +x *
> vi vars

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Redwood City"
# organization name placed in every certificate
export KEY_ORG="openvpn"
# server admin email
export KEY_EMAIL="sakaijunsoccer@gmail.com"

The same vars file sets KEY_SIZE=1024, which sizes both the RSA keys and the DH parameters. 1024-bit keys are no longer considered adequate; if you raise it to 2048 before building anything, build-dh produces dh2048.pem, and the cp below and the dh line in server.conf must name that file instead of dh1024.pem.

> source vars

Initialize the key directory. Do this only once, when you first install OpenVPN: it deletes every key and certificate under keys/.

> ./clean-all

Create the CA certificate and private key. Press Enter to accept the default for every question.

> ./build-ca
> cp keys/ca.crt /etc/openvpn/

Create the server certificate. Press Enter, or answer "y", for every question.

> ./build-key-server server
> cp keys/server.crt /etc/openvpn/
> cp keys/server.key /etc/openvpn/

Create the DH parameters.

> ./build-dh
> cp keys/dh1024.pem /etc/openvpn/

Create a dummy CRL. Easy-rsa only writes keys/crl.pem when a certificate is actually revoked, but server.conf will reference that file with crl-verify from the start, so issue a throwaway client certificate and revoke it. Press Enter, or answer "y", for every question.
> ./build-key dmy

Comment out the pkcs11 engine section in easy-rsa's openssl.cnf:

> vi openssl.cnf

#[ pkcs11_section ]                                 # Comment out
#engine_id = pkcs11                                 # Comment out
#dynamic_path = /usr/lib/engines/engine_pkcs11.so   # Comment out
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH             # Comment out
#PIN = $ENV::PKCS11_PIN                             # Comment out
#init = 0                                           # Comment out

Revoke the dummy client certificate. revoke-full is what writes keys/crl.pem; the revoked dummy is its only entry. Later, when a real client must be cut off, run ./revoke-full with that client's name and copy the new keys/crl.pem over /etc/openvpn/crl.pem in the same way.

> ./revoke-full dmy
> cp keys/crl.pem /etc/openvpn/
> cd

Create the TLS auth key. ta.key is a shared HMAC key: with tls-auth enabled, control-channel packets that do not carry a valid HMAC are dropped before any TLS processing, so port scanners and peers without the key get no response at all.

> openvpn --genkey --secret /etc/openvpn/ta.key
> cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
> vi /etc/openvpn/server.conf

# tunnel (routed) mode
dev tun
# address pool for VPN clients
server 10.8.0.0 255.255.0.0
# route to the LAN behind the OpenVPN server, pushed to every client
push "route 192.168.10.0 255.255.255.0"
# uncomment; the server uses key direction 0, every client uses 1
tls-auth ta.key 0
# run as an unprivileged user after initialization
user nobody
group nobody
log-append /var/log/openvpn.log
# ADD: management interface
management localhost 7505
# ADD: reject clients whose certificate is on the CRL
crl-verify crl.pem

The management interface takes commands from anyone who can connect to the port and has no password unless a password file is given as its third argument, so keep it bound to localhost.

Set up iptables for OpenVPN. -I inserts at the head of the chain, so the rules end up in the reverse of the order they are typed: the blanket "drop everything arriving from tun+" rule is entered first and therefore lands last, behind the specific ACCEPT rules. iptables reads -s 10.8.2.5/24 as the network 10.8.2.0/24, which is how it appears in the saved rules. Note that the destination 192.168.0.0/24 in that rule is not the 192.168.10.0/24 LAN of the diagram; check it against your own network before relying on it.

> iptables -I FORWARD -i tun+ -j DROP
> iptables -I OUTPUT -o tun+ -j ACCEPT
> iptables -I FORWARD -o tun+ -j ACCEPT
> iptables -I INPUT -i tun+ -j ACCEPT
> iptables -I FORWARD -i tun+ -s 10.8.2.5/24 -d 192.168.0.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
> /etc/init.d/iptables save

Check the saved iptables rules and restart the service.

> cat /etc/sysconfig/iptables
> /etc/init.d/iptables restart

Log rotation for OpenVPN. Restarting the daemon on rotation disconnects every client; if that matters, use logrotate's copytruncate option instead of the postrotate restart.

> vi /etc/logrotate.d/openvpn

/var/log/openvpn.log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /etc/rc.d/init.d/openvpn restart > /dev/null 2>&1 || true
    endscript
}

Enable IP forwarding. The init script contains this line commented out; uncomment it, otherwise the kernel will not route packets between tun0 and eth0 at all. Setting net.ipv4.ip_forward = 1 in /etc/sysctl.conf achieves the same independently of the init script.

> vi /etc/rc.d/init.d/openvpn

echo 1 > /proc/sys/net/ipv4/ip_forward

Start OpenVPN and enable it at boot.

> /etc/rc.d/init.d/openvpn start
> chkconfig openvpn on
> chkconfig --list openvpn
> reboot

Make the client certificate and key. build-key-pass protects the client's private key with a passphrase, which the user is asked for at every connection.

> cd /etc/openvpn/easy-rsa/
> source vars
> ./build-key-pass client1
writing new private key to 'client1.key'
Enter PEM pass phrase:             <-- password for client1
Verifying - Enter PEM pass phrase: <-- password for client1
Press Enter, or answer "y", for the other questions.

== Install the OpenVPN client on the Windows VPN client

Copy ca.crt, client1.crt, client1.key and ta.key from the server to the client's config folder (C:\Program Files\OpenVPN\config). client1.key is the client's private key and ta.key is a secret shared by every peer, so transfer them over an authenticated channel (scp, or removable media), never by mail or plain FTP, and hand over the key passphrase separately.

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key
/etc/openvpn/ta.key

Make client.ovpn on the Windows VPN client, starting from the sample (C:\Program Files\OpenVPN\sample-config\client.ovpn):

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 192.168.20.56 1194
;remote my-server-1 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
#cert client.crt
cert client1.crt
#key client.key
key client1.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

ns-cert-type server is what stops another client of the same CA from posing as the server: certificates made with build-key lack the nsCertType=server extension, so the check fails for them. The option was deprecated in OpenVPN 2.4 and removed in 2.5; clients of those versions use remote-cert-tls server for the same check.

Double-click the OpenVPN GUI icon and connect.

= For connecting to the outside internet through the VPN gateway
> vi /etc/openvpn/server.conf

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

> iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

redirect-gateway def1 makes the client send all of its traffic through the tunnel, and the MASQUERADE rule (the same one added in the firewall section; it is not needed twice) NATs that traffic out of eth0. The pushed DNS server 10.8.0.1 is the server's own tunnel address, so a resolver must be listening there and answering 10.8.0.0/16, otherwise clients lose name resolution as soon as their default route moves into the tunnel.

= Per-client access control (ACL)

A client can be restricted to particular hosts by giving it a fixed tunnel address from a client-config-dir file and filtering on that address in the FORWARD chain. The server drops tunnel packets whose source address is not the one it assigned to that client (logged as "bad source address"), so the client cannot get around the rule by choosing a different address.

> vi /etc/openvpn/server.conf

client-config-dir ccd

> mkdir /etc/openvpn/ccd
> vi /etc/openvpn/ccd/client1

ifconfig-push 10.8.2.5 10.8.2.6

With the default net30 topology of OpenVPN 2.0 every client gets its own /30: the first argument is the client's address and the second the address of its peer, and their last octets must be one of the following pairs. [1, 2] cannot be used in 10.8.0.x, because 10.8.0.1 and 10.8.0.2 belong to the VPN server itself.

[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30]
[ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62]
[ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94]
[ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126]
[129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190]
[193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222]
[225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]

Allow client1, and only client1, to reach 192.168.10.3:

> iptables -I FORWARD -i tun+ -s 10.8.2.5 -d 192.168.10.3 -j ACCEPT
> cat /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Fri May 15 10:44:52 2009
*filter
:INPUT ACCEPT [436:32668]
:FORWARD ACCEPT [18:1258]
:OUTPUT ACCEPT [402:53956]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -s 10.8.2.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i tun+ -j ACCEPT
#-A FORWARD -s 10.8.2.0/255.255.255.0 -d 72.14.213.99 -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i tun+ -j DROP
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
# Completed on Fri May 15 10:44:52 2009
# Generated by iptables-save v1.3.5 on Fri May 15 10:44:52 2009
*nat
:PREROUTING ACCEPT [12:1020]
:POSTROUTING ACCEPT [13:934]
:OUTPUT ACCEPT [3:240]
-A POSTROUTING -s 10.8.0.0/255.255.0.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri May 15 10:44:52 200

Two things to check in this listing. The FORWARD policy is ACCEPT, so the "-i tun+ -j DROP" rule is the only thing keeping VPN clients off the LAN; it must stay last in the chain and must never be removed. And the per-client 10.8.2.5 -> 192.168.10.3 rule is not in the saved file yet: run /etc/init.d/iptables save again after adding it, or it is lost at the next restart.
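The FORWARD chain that the iptables commands in the firewall section build, together with the per-client ACL of this section, modelled in Python. This is an added example, not code from the page: it models only the matchers the page uses (-i, -o, -s, -d), replays the commands in the order they are typed so the effect of -I versus -A is visible, and checks an ifconfig-push pair against the net30 rules above. The sample packets are constructed; nothing here talks to iptables or OpenVPN.

```python
"""Model of the page's FORWARD chain plus an ifconfig-push pair check.

Added example, not part of the original page.  Only -i/-o/-s/-d matching
is modelled; packets and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


def net(s: str) -> IPv4Net:
    # strict=False: "10.8.2.5/24" is read as 10.8.2.0/24, exactly as iptables does
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Rule:
    target: str                       # ACCEPT or DROP
    in_iface: Optional[str] = None    # -i  ("tun+" matches any interface named tun*)
    out_iface: Optional[str] = None   # -o
    src: Optional[IPv4Net] = None     # -s
    dst: Optional[IPv4Net] = None     # -d

    def matches(self, pkt: dict) -> bool:
        def iface_ok(pattern, name):
            if pattern is None:
                return True
            if pattern.endswith("+"):           # iptables wildcard: prefix match
                return name.startswith(pattern[:-1])
            return name == pattern
        return (iface_ok(self.in_iface, pkt["in"])
                and iface_ok(self.out_iface, pkt["out"])
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst))


@dataclass
class Chain:
    policy: str = "ACCEPT"            # the page's FORWARD policy
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:   # iptables -I: prepend at the head
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: append at the tail
        self.rules.append(rule)

    def verdict(self, in_iface: str, out_iface: str, src: str, dst: str) -> str:
        pkt = {"in": in_iface, "out": out_iface, "src": src, "dst": dst}
        for rule in self.rules:             # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_forward_chain(use_insert: bool = True) -> Chain:
    """Replay the page's FORWARD commands in typing order, including the
    per-client rule.  use_insert=False shows the result had -A been used."""
    ch = Chain()
    add = ch.insert if use_insert else ch.append
    add(Rule("DROP", in_iface="tun+"))
    add(Rule("ACCEPT", out_iface="tun+"))
    add(Rule("ACCEPT", in_iface="tun+", src=net("10.8.2.5/24"), dst=net("192.168.0.0/24")))
    add(Rule("ACCEPT", in_iface="tun+", src=net("10.8.2.5/32"), dst=net("192.168.10.3/32")))
    return ch


# --- ifconfig-push pair check for the default net30 topology -----------------
VPN_NET = net("10.8.0.0/16")                       # from "server 10.8.0.0 255.255.0.0"
SERVER_PAIR = (ipaddress.ip_address("10.8.0.1"), ipaddress.ip_address("10.8.0.2"))


def check_pair(client: str, peer: str) -> List[str]:
    """Problems with an 'ifconfig-push client peer' pair; empty list means usable."""
    c, p = ipaddress.ip_address(client), ipaddress.ip_address(peer)
    problems = []
    if c not in VPN_NET or p not in VPN_NET:
        problems.append("outside %s" % VPN_NET)
    if int(c) % 4 != 1:                 # client must be the first usable address of a /30
        problems.append("client address last octet must be 1, 5, 9, ..., 253")
    if int(p) != int(c) + 1:
        problems.append("peer address must be client address + 1")
    if (c, p) == SERVER_PAIR:
        problems.append("10.8.0.1/10.8.0.2 are used by the server")
    return problems


def ccd_entry(client: str, peer: str) -> str:
    """Contents of /etc/openvpn/ccd/<common name>; raises if the pair is unusable."""
    problems = check_pair(client, peer)
    if problems:
        raise ValueError("; ".join(problems))
    return "ifconfig-push %s %s\n" % (client, peer)


if __name__ == "__main__":
    print(ccd_entry("10.8.2.5", "10.8.2.6"), end="")
    ch = build_forward_chain()
    print([r.target for r in ch.rules])                               # reverse of typing order
    print(ch.verdict("tun0", "eth0", "10.8.2.5", "192.168.10.3"))     # client1 reaches its host
    print(ch.verdict("tun0", "eth0", "10.8.2.9", "192.168.10.3"))     # another client is dropped
```

Running the chain with use_insert=False puts the blanket DROP first, and then no client reaches anything: that is the ordering mistake the -I form avoids, and the reason the rule order in the saved file looks reversed relative to the commands.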