Disclaimer: This topic may be contributed by a community or contain information about third-party products. We recommend that you visit the official website of the community or the third-party products for help and support. The third-party products are not supported by Alibaba Cloud after-sales service. This topic is for reference only. Alibaba Cloud does not make guarantees or warranties, express or implied.
This topic describes how to configure OpenVPN on an instance that runs a CentOS operating system.
Note: In this topic, relevant configurations and descriptions are used only to demonstrate and guide operations. Alibaba Cloud is not responsible for results and problems caused by operations.
Perform the following operations to configure OpenVPN on a CentOS instance.
Step 1: Make preparations
Before you install OpenVPN, make sure that you complete the following preparations:
- Update YUM repositories to Alibaba Cloud YUM repositories. For more information, see How do I use scripts to automatically update software repositories on a Linux instance?
- Run the following commands in sequence to install dependent software packages:
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
yum install -y pkcs11-helper pkcs11-helper-devel
- Run the following command to check whether the software packages are installed:
rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-develA command output similar to the following one is returned.
Step 2: Install OpenVPN
Preform the following operations to install OpenVPN:
- Run the following command to install the source code package of OpenVPN:
- Run the following command to install the rpm-build software package:
yum install -y rpm-build
- Run the following command to compile the source code package into an RPM package for installation:
rpmbuild -tb openvpn-2.2.2.tar.gz
Note: After the command is run, the compile process starts. After the compile process is complete, the "openvpn-2.2.2-1.x86_64.rpm" installation package is generated in the
- Switch to the
/root/rpmbuild/RPMS/x86_64directory and run the following command to install OpenVPN in the RPM package format:
rpm -ivh openvpn-2.2.2-1.x86_64.rpmA command output similar to the following one is returned.
Step 3: Configure OpenVPN
Perform the following operations to configure OpenVPN:
Initialize environment variables
- Run the following command to go to the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0 directory, find the vars certificate environment file, and then modify the values of the parameters in the following five export lines:
- Edit the vars file, modify the values of the environment parameters in the following five lines, save the file, and then exit:
- "KEY_COUNTRY" indicates your country.
- "KEY_PROVINCE" indicates your province.
- "KEY_CITY" indicates your city.
- "KEY_ORG" indicates the organization to which you belong.
- "KEY_EMAIL" indicates your email address.
- You can modify the preceding parameters based on your needs without causing exceptional configurations of OpenVPN.
Generate certificates, keys, and parameter files
- Run the following command to create a symbolic link:
ln -s openssl-1.0.0.cnf openssl.cnf
- Run the following command to read and load the vars file:
- Run the following command to clear all keys in the directory:
- Run the following commands to generate the Certificate Authority (CA) certificate. You have configured the default parameters in the vars file. In this step, press the Enter key in succession to complete the configuration.
- Run the following command to generate the server certificate. In the command line, aliyuntest is the custom name. Press the Enter key to generate two interactions and enter
yto confirm. Then, the aliyuntest.key, aliyuntest.csr, and aliyuntest.crt files are generated in the keys directory.
./build-key-server aliyuntestA command output similar to the following one is returned.
- Run the following command to create keys and certificates. In the command line, aliyuntest is the username. Press the Enter key to generate two intersections and enter
yto confirm. Then, the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files whose keys take up to 1,024 bits by using the RSA algorithm are generated in the keys directory.
- Run the following command to generate the Diffie Hellman parameter that is used to validate the client. After the parameter is generated, the 1024.pem parameter file is generated in the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory.
Copy certificates, keys, and parameter files
- Run the following command to copy all files in the
/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keysdirectory to the
cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/
- Run the following command to copy the
server.confconfiguration file of OpenVPN to the
cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
- After the preceding files are configured, switch to the
/etc/openvpndirectory and edit the server.conf configuration file. The following section describes the content of the configuration file:
server 172.16.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 188.8.131.52"
keepalive 10 120
- [$IP] indicates the public IP address of your instance.
- [$CRT_Name] indicates the custom name of the CRT file when the server certificate is generated.
- [$Key_Name] indicates the custom name of the KEY file when the server certificate is generated.
Set up a firewall
Note: Before you configure a firewall, make sure that iptables is enabled and the
- Run the following command to edit the configuration file:
- Add the following parameter. Then, save the file and exit:
net.ipv4.ip_forward = 1
- Run the following command to load system parameters:
- Run the following command to add the iptables rule to check whether the instance can forward packets to Alibaba Cloud internal network and the Internet:
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
- Run the following command to save the iptables configuration:
service iptables save
- Run the following command to start OpenVPN:
- Run the following command to check whether OpenVPN is listening to port 1194. If port 1194 is listened, OpenVPN is running.
netstat -ano | grep 1194
Note: If port 1194 is not listened, edit the
/etc/init.d/openvpnfile and modify line 94 to
if [ "$NETWORKING" = "no" ]. Save the file and exit. Then, run the
Step 4: Configure the OpenVPN client for Windows
Perform the following operations to connect to OpenVPN by using the OpenVPN client for Windows:
- Download the OpenVPN client for Windows.
- Install the OpenVPN client for Windows and complete the installation based on the default settings.
- Download the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files in the
/etc/openvpn/directory of the instance to the OpenVPN client for Windows (You can use the FTP tool to download the files). The path for storing the files is the
\OpenVPN\configdirectory in the OpenVPN installation path.
- In the OpenVPN installation path, copy the
client.opvnconfiguration file in the
\OpenVPN\sample-config\directory to the
\OpenVPN\configdirectory and modify the following parameters in the configuration file:
remote [$IP] 1194
- In the "proto udp" command line, delete the semicolon (;) used to comment out in front of the line. Keep consistent with the server by using UDP.
- In the "remote [$IP] 1194" command line, delete the semicolon (;) used to comment out in front of the line.
- Open the
C:\Program Files(x86)\OpenVPN\bindirectory, right-click the
openvpn-gui-1.0.3.exefile, and then select Run as administrator to avoid failures of adding routes.
- After OpenVPN is connected, access mirror sources of Alibaba Cloud internal network to check whether you can access Alibaba Cloud internal network by using OpenVPN.
- Access "ip.cn". You can identify that the outbound public IP address of the Windows Server changes to the public IP address of the instance.
- Elastic Compute Service