
How do I configure OpenVPN on a CentOS instance?

Last Updated: Aug 06, 2021

Disclaimer: This topic may be contributed by a community or contain information about third-party products. We recommend that you visit the official website of the community or the third-party products for help and support. The third-party products are not supported by Alibaba Cloud after-sales service. This topic is for reference only. Alibaba Cloud does not make guarantees or warranties, express or implied.

Overview

This topic describes how to configure OpenVPN on an instance that runs a CentOS operating system.

Note: In this topic, relevant configurations and descriptions are used only to demonstrate and guide operations. Alibaba Cloud is not responsible for results and problems caused by operations.

Background information

Perform the following operations to configure OpenVPN on a CentOS instance.

Step 1: Make preparations

Before you install OpenVPN, make sure that you complete the following preparations:

  1. Update YUM repositories to Alibaba Cloud YUM repositories. For more information, see How do I use scripts to automatically update software repositories on a Linux instance?
  2. Run the following commands in sequence to install the required dependency packages:
    yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
    yum install -y pkcs11-helper pkcs11-helper-devel
  3. Run the following command to check whether the software packages are installed:
    rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel
    A command output similar to the following one is returned.

Step 2: Install OpenVPN

Perform the following operations to install OpenVPN:

  1. Run the following command to download the source code package of OpenVPN:
    wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz
  2. Run the following command to install the rpm-build software package:
    yum install -y rpm-build
  3. Run the following command to compile the source code package into an RPM package for installation:
    rpmbuild -tb openvpn-2.2.2.tar.gz
    Note: After the command is run, the build starts. When the build is complete, the "openvpn-2.2.2-1.x86_64.rpm" installation package is generated in the /root/rpmbuild/RPMS/x86_64 directory.
  4. Switch to the /root/rpmbuild/RPMS/x86_64 directory and run the following command to install OpenVPN in the RPM package format:
    rpm -ivh openvpn-2.2.2-1.x86_64.rpm
    A command output similar to the following one is returned.

Step 3: Configure OpenVPN

Perform the following operations to configure OpenVPN:

Initialize environment variables

  1. Run the following command to go to the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0 directory, which contains the vars certificate environment file:
    cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0
  2. Edit the vars file, modify the values of the environment parameters in the following five lines, save the file, and then exit:
    export KEY_COUNTRY="CN" 
    export KEY_PROVINCE="BJ"
    export KEY_CITY="Hangzhou"
    export KEY_ORG="aliyun"
    export KEY_EMAIL=my@test.com
    Note:
    • "KEY_COUNTRY" indicates your country.
    • "KEY_PROVINCE" indicates your province.
    • "KEY_CITY" indicates your city.
    • "KEY_ORG" indicates the organization to which you belong.
    • "KEY_EMAIL" indicates your email address.
    • You can set the preceding parameters to any values that suit you. They only populate the subject fields of the generated certificates and do not affect how OpenVPN operates.

Generate certificates, keys, and parameter files

  1. Run the following command to create a symbolic link:
    ln -s openssl-1.0.0.cnf openssl.cnf
  2. Run the following command to read and load the vars file:
    source ./vars
  3. Run the following command to clear all keys in the directory:
    ./clean-all
  4. Run the following command to generate the Certificate Authority (CA) certificate. Because the defaults were already set in the vars file, press Enter at each prompt to accept them:
    ./build-ca
  5. Run the following command to generate the server certificate. In the command, aliyuntest is a custom name. Press Enter to accept the defaults at each prompt, and enter y at the two confirmation prompts. Then, the aliyuntest.key, aliyuntest.csr, and aliyuntest.crt files are generated in the keys directory.
    ./build-key-server aliyuntest 
    A command output similar to the following one is returned.
  6. Run the following command to create the client key and certificate. In the command, aliyunuser is the username. Press Enter to accept the defaults at each prompt, and enter y at the two confirmation prompts. Then, the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files, with a 1,024-bit RSA key, are generated in the keys directory.
    ./build-key aliyunuser 
  7. Run the following command to generate the Diffie-Hellman (DH) parameter file that is used to validate the client. After the command is run, the dh1024.pem parameter file is generated in the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory.
    ./build-dh 

Copy certificates, keys, and parameter files

  1. Run the following command to copy all files in the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory to the /etc/openvpn directory.
    cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/
  2. Run the following command to copy the server.conf configuration file of OpenVPN to the /etc/openvpn directory.
    cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf  /etc/openvpn/
  3. After the preceding files are copied, switch to the /etc/openvpn directory and edit the server.conf configuration file so that it contains the following content:
    local [$IP]
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert [$CRT_Name]
    key [$Key_Name]
    dh dh1024.pem
    server 172.16.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 223.5.5.5"
    client-to-client
    keepalive 10 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 3
    Note:
    • [$IP] indicates the public IP address of your instance. OpenVPN binds to this address, so it must be an address that is configured on a network interface of the instance; if the public IP address is not configured on an interface, use the private IP address of the instance or comment out the local line so that OpenVPN listens on all addresses.
    • [$CRT_Name] indicates the custom name of the CRT file when the server certificate is generated.
    • [$Key_Name] indicates the custom name of the KEY file when the server certificate is generated.

Set up a firewall

Note: Before you configure a firewall, make sure that iptables is enabled and the /etc/sysconfig/iptables file exists.

  1. Run the following command to edit the configuration file:
    vi /etc/sysctl.conf
  2. Add the following parameter. Then, save the file and exit:
    net.ipv4.ip_forward = 1
  3. Run the following command to load system parameters:
    sysctl -p
  4. Run the following command to add the iptables masquerade rule, so that the instance can forward packets from VPN clients to the Alibaba Cloud internal network and the Internet:
    iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
  5. Run the following command to save the iptables configuration:
    service iptables save

Start OpenVPN

  1. Run the following command to start OpenVPN:
    /etc/init.d/openvpn start
  2. Run the following command to check whether OpenVPN is listening on port 1194. If port 1194 appears in the output, OpenVPN is running.
    netstat -ano | grep 1194
    Note: If port 1194 does not appear in the output, edit the /etc/init.d/openvpn file and modify line 94 to if [ "$NETWORKING" = "no" ]. Save the file and exit. Then, run the systemctl daemon-reload command.
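Before starting the service, it is worth checking that the server.conf built in Step 3 actually points at the copied certificate files, that no [$...] placeholder was left in place, and that IP forwarding from the firewall step is on. The following script is an added example, not part of the original topic or of OpenVPN; it assumes that file paths in server.conf are relative to its own directory, as they are for /etc/openvpn/server.conf above.

```shell
#!/bin/sh
# Added example, not part of the original topic: sanity-check the OpenVPN
# server built in Steps 1-3 before (or after) starting the service.
# Assumption: file paths in server.conf are relative to its own directory,
# as they are for /etc/openvpn/server.conf above.

# Returns 0 when server.conf references existing files, contains no
# unreplaced [$...] placeholders and keeps the private key private.
check_openvpn_server_conf() {
    conf="$1"; dir=$(dirname "$conf"); rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }
    # 1. [$IP], [$CRT_Name] and [$Key_Name] must have been replaced.
    if grep -q '\[\$' "$conf"; then
        echo "ERROR: unreplaced placeholder(s): $(grep '\[\$' "$conf" | tr '\n' ' ')"
        rc=1
    fi
    # 2. Every file named by ca/cert/key/dh must exist (step "Copy certificates").
    for directive in ca cert key dh; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "ERROR: no '$directive' directive in $conf"; rc=1; continue
        fi
        case "$file" in /*) path="$file" ;; *) path="$dir/$file" ;; esac
        if [ ! -f "$path" ]; then
            echo "ERROR: $directive file $path is missing"; rc=1
        # 3. The server key must not be readable by group or others.
        elif [ "$directive" = key ] && [ "$(ls -l "$path" | cut -c5-10)" != "------" ]; then
            echo "ERROR: private key $path is group/world readable"; rc=1
        fi
    done
    # 4. user/group nobody make the daemon drop root after start-up.
    grep -q '^user '  "$conf" || { echo "ERROR: no 'user' directive, daemon stays root"; rc=1; }
    grep -q '^group ' "$conf" || { echo "ERROR: no 'group' directive"; rc=1; }
    return $rc
}

# Returns 0 when IPv4 forwarding is on (the "Set up a firewall" step); the
# optional argument exists so the check can be pointed at a test file.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = 1 ] && return 0
    echo "ERROR: net.ipv4.ip_forward is not 1 (run: sysctl -p)"; return 1
}

# Usage on the server: sh check-openvpn.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    check_openvpn_server_conf "$1" && check_ip_forward && echo "OK"
fi
```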

Step 4: Configure the OpenVPN client for Windows

Perform the following operations to connect to OpenVPN by using the OpenVPN client for Windows:

  1. Download the OpenVPN client for Windows.
  2. Install the OpenVPN client for Windows and complete the installation based on the default settings.
  3. Download the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files from the /etc/openvpn/ directory of the instance to the computer that runs the OpenVPN client for Windows (for example, by using an FTP tool). Store the files in the \OpenVPN\config directory under the OpenVPN installation path.
  4. In the OpenVPN installation path, copy the client.ovpn configuration file from the \OpenVPN\sample-config\ directory to the \OpenVPN\config directory and modify the following parameters in the configuration file:
    proto udp   
    remote [$IP] 1194
    cert aliyunuser.crt
    key aliyunuser.key
    Note:
    • In the "proto udp" line, delete the semicolon (;) that comments out the line, so that the client uses UDP, consistent with the server.
    • In the "remote [$IP] 1194" line, delete the semicolon (;) that comments out the line, and replace [$IP] with the public IP address of the instance.
    • The client configuration file also contains a "ca ca.crt" line. Copy ca.crt from the /etc/openvpn/ directory of the instance to the same \OpenVPN\config directory; otherwise, the client cannot verify the server certificate.
    • aliyunuser.key is the private key of the client. Transfer it over an encrypted channel such as SFTP or SCP rather than plain FTP, and do not share one client key between several users.
  5. Open the C:\Program Files(x86)\OpenVPN\bin directory, right-click the openvpn-gui-1.0.3.exe file, and then select Run as administrator so that the client can add routes without failures.
  6. After OpenVPN is connected, access the mirror sources of the Alibaba Cloud internal network to check whether the internal network is reachable through OpenVPN.
  7. Access "ip.cn". The outbound public IP address of the Windows Server should now be the public IP address of the instance.

Application scope

  • Elastic Compute Service