
How to configure OpenVPN in CentOS

Last Updated: Jan 10, 2018

This document describes how to configure OpenVPN in CentOS.

Note: Configurations and description in this document are used only for example and operation instructions. Alibaba Cloud undertakes no responsibility toward any operation results and problems caused thereby.

Configure OpenVPN

Preparation

  1. Use the update_source.sh tool to switch the yum repository to the Alibaba Cloud intranet yum source.

  2. Install the required packages:

    yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
    yum install -y pkcs11-helper pkcs11-helper-devel

    To confirm that the installation has finished:

    rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel


Install OpenVPN

  1. Download the OpenVPN source package:

    wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz

  2. Use rpmbuild to build the source package into an RPM package:

    rpmbuild -tb openvpn-2.2.2.tar.gz

    After compilation, the openvpn-2.2.2-1.x86_64.rpm installation package is generated in the /root/rpmbuild/RPMS/x86_64 directory.

  3. Install the RPM package:

    rpm -ivh openvpn-2.2.2-1.x86_64.rpm

Configure OpenVPN (server)

  1. Initialize the PKI.

    cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0

    In the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0 directory, open the vars certificate environment file and set the following parameters, which are defined with export:

    export KEY_COUNTRY="CN"          # country
    export KEY_PROVINCE="BJ"         # province
    export KEY_CITY="Hangzhou"       # city
    export KEY_ORG="aliyun"          # organization
    export KEY_EMAIL="my@test.com"   # email address

    These values can be customized; they do not affect the rest of the configuration.

  2. Generate the server certificate.

    1. Clear the keys directory. Create a soft link to the openssl-1.0.0.cnf configuration file, load the variables, and remove any existing keys:

      ln -s openssl-1.0.0.cnf openssl.cnf
      source ./vars
      ./clean-all

    2. Generate the CA certificate. Because the default values are already set in the vars file, press Enter at each prompt:

      ./build-ca


    3. Generate the server certificate. “aliyuntest” is the customized name. Press Enter until the last two prompts and answer “y” to both to confirm. The aliyuntest.key, aliyuntest.csr and aliyuntest.crt files are then saved to the keys directory.

      ./build-key-server aliyuntest


  3. Create a user key and certificate.

    ./build-key aliyunuser

    This creates a key and certificate for a user named “aliyunuser”. Press Enter at each prompt and then answer “y” twice. A 1,024-bit RSA key for the user is generated, and the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files are written to the keys directory.

  4. Generate the Diffie-Hellman parameters.

    ./build-dh

    After ./build-dh finishes, the DH parameter file dh1024.pem is generated in the keys directory. The file is used for client verification.

  5. Copy all files in the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory to /etc/openvpn:

    cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/

  6. Copy the OpenVPN server-side sample configuration file server.conf to the /etc/openvpn/ directory:

    cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
  7. Configure server.conf.
    The resulting configuration, with comments and blank lines filtered out, is as follows:

    $ egrep -v "^$|^#|^;" server.conf
    local 1.1.1.1                    # use the Internet IP address of your ECS instance
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert aliyuntest.crt              # the crt and key names you chose when generating the server certificate
    key aliyuntest.key
    dh dh1024.pem
    server 172.16.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 223.5.5.5"
    client-to-client
    keepalive 10 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 3

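The following POSIX shell script is an added example, not part of the Alibaba Cloud document: it audits a server.conf the way a reviewer would before exposing the service. It parses the directives, flags settings that weaken the tunnel (compression, 1024-bit DH parameters, no tls-auth or tls-crypt, no explicit cipher or auth, a daemon that does not drop root) and checks that the ca/cert/key/dh files the config references exist and that private keys are not group- or world-readable. The directive names are real OpenVPN options; the script assumes that relative file paths resolve against the directory holding server.conf, as in this guide where the keys and server.conf are both copied to /etc/openvpn. The script name and the output wording are my own.

```shell
#!/bin/sh
# audit_openvpn_conf.sh: added example, not part of the Alibaba Cloud document.
# Usage: sh audit_openvpn_conf.sh /etc/openvpn/server.conf
# Prints one finding per line; exits 1 if anything was flagged, 0 otherwise.

# Drop OpenVPN comments (# and ;) and blank lines so directives can be matched by first word.
strip_comments() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# conf_has FILE DIRECTIVE: succeed if the directive appears in the config.
conf_has() {
    strip_comments "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# conf_get FILE DIRECTIVE: print the arguments of the first occurrence of the directive.
conf_get() {
    strip_comments "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# check_file DIR DIRECTIVE PATH MODE: the referenced file must exist (relative paths are
# resolved against DIR, the directory holding server.conf); with MODE=secret it must also
# be unreadable by group and other. Prints a finding and returns 1 on failure.
check_file() {
    path="$3"
    case "$path" in /*) ;; *) path="$1/$path" ;; esac
    if [ ! -f "$path" ]; then
        echo "$2: referenced file '$3' not found at $path"
        return 1
    fi
    if [ "$4" = "secret" ]; then
        # Columns 5-10 of ls -l are the group/other permission bits; a key should show none.
        case "$(ls -ld "$path" | cut -c5-10)" in
            ------) ;;
            *) echo "$2: '$3' is readable by group/other; chmod 600 it"; return 1 ;;
        esac
    fi
    return 0
}

audit_openvpn_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # Compression of tunnelled traffic enables plaintext-recovery attacks against it.
    if conf_has "$conf" comp-lzo || conf_has "$conf" compress; then
        report "compression enabled (comp-lzo/compress): disable it unless it is really needed"
    fi
    # Name-based heuristic only: easy-rsa names the file after the size it generated.
    case "$(conf_get "$conf" dh)" in
        *1024*) report "dh: 1024-bit Diffie-Hellman parameters; regenerate with 2048 bits or more" ;;
    esac
    if ! conf_has "$conf" tls-auth && ! conf_has "$conf" tls-crypt; then
        report "no tls-auth/tls-crypt: control-channel packets are not HMAC-protected before the TLS handshake"
    fi
    conf_has "$conf" cipher || report "no cipher directive: OpenVPN 2.x falls back to the BF-CBC default"
    conf_has "$conf" auth   || report "no auth directive: data-channel HMAC falls back to the SHA1 default"
    conf_has "$conf" user   || report "no user directive: the daemon keeps root privileges after start-up"
    conf_has "$conf" group  || report "no group directive: the daemon keeps its root group after start-up"

    # Referenced files: the certificate material must be present, and keys must be private.
    for d in ca cert key dh tls-auth; do
        v=$(conf_get "$conf" "$d" | awk '{ print $1 }')   # tls-auth carries a trailing direction argument
        [ -n "$v" ] || continue
        mode=public
        case "$d" in key|tls-auth) mode=secret ;; esac
        check_file "$dir" "$d" "$v" "$mode" || findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# Run as a script: audit the config given on the command line.
if [ "$#" -gt 0 ]; then
    audit_openvpn_conf "$1"
fi
```

Run against the server.conf built in this guide, the script reports the comp-lzo line, the dh1024.pem file, the missing tls-auth, cipher and auth directives, and any key file that the copy step left world-readable; a config with those points addressed produces no output and exit status 0, which makes the script usable as a pre-start check in the init sequence.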

  8. Set up iptables.
    Before setting iptables, make sure that iptables is enabled and that the /etc/sysconfig/iptables file exists. Enable IP forwarding:

    vi /etc/sysctl.conf

    Set the following parameter:

    net.ipv4.ip_forward = 1

    Apply the kernel parameter:

    sysctl -p

    Add an iptables rule so that the server can forward packets from VPN clients to the Alibaba Cloud intranet and the Internet:

    iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

    Save the iptables configuration:

    service iptables save
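The MASQUERADE rule above is deliberately limited to the tunnel subnet (-s 172.16.0.0/24); a rule without that source match would NAT anything the instance forwards. As an added check for this step (example code, not part of the Alibaba Cloud document), the script below reads the server directive from server.conf, converts its netmask to a prefix length, and compares that network with the source of every MASQUERADE rule in saved iptables-save output, reporting rules that are unscoped or scoped to a different network. The script and file names are my own; the iptables-save text used in the test is constructed from the rule in this guide.

```shell
#!/bin/sh
# check_nat_scope.sh: added example, not part of the Alibaba Cloud document.
# Usage: iptables-save > /tmp/rules.txt; sh check_nat_scope.sh /etc/openvpn/server.conf /tmp/rules.txt
# Verifies that every MASQUERADE rule in the nat table is limited to the VPN subnet
# declared by the "server" directive, and to nothing wider.

# mask_to_prefix NETMASK: count the set bits of a dotted-quad netmask (255.255.255.0 -> 24).
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            for (b = 0; b < 8; b++) { if (o % 2 == 1) bits++; o = int(o / 2) }
        }
        print bits
    }'
}

# expected_nat_source CONF: read "server NETWORK NETMASK" from server.conf and print NETWORK/PREFIX.
expected_nat_source() {
    set -- $(sed 's/[#;].*//' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    [ -n "$2" ] || return 1
    echo "$1/$(mask_to_prefix "$2")"
}

# check_nat_scope CONF RULES: RULES holds iptables-save output. Prints one line per
# MASQUERADE rule and returns 1 if any rule is unscoped or scoped to a different network.
check_nat_scope() {
    want=$(expected_nat_source "$1") || { echo "no 'server' directive found in $1"; return 1; }
    awk -v want="$want" '
        /^\*/ { table = substr($0, 2) }                 # *nat, *filter, ... start a table section
        table == "nat" && /-j MASQUERADE/ {
            src = ""
            if (match($0, /-s [^ ]+/)) src = substr($0, RSTART + 3, RLENGTH - 3)
            if (src == want)    { print "ok: MASQUERADE scoped to " src }
            else if (src == "") { print "unscoped: " $0; bad++ }
            else                { print "unexpected source " src " (server directive gives " want "): " $0; bad++ }
        }
        END { exit (bad > 0) }
    ' "$2"
}

# Run as a script with the config file and the saved rules as arguments.
if [ "$#" -eq 2 ]; then
    check_nat_scope "$1" "$2"
fi
```

Because the expected network is derived from server.conf rather than hard-coded, the check keeps working when the server directive is changed later and the NAT rule is forgotten, which is the usual way the two drift apart.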

Start OpenVPN

  /etc/init.d/openvpn start

Run netstat -ano | grep 1194 to check whether port 1194 is listening, that is, whether OpenVPN is running.

Configure the Windows PC client

  1. Download the OpenVPN client

  2. Install the client in Windows according to default settings.

  3. Download the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files from the /etc/openvpn/ directory on the ECS instance to the Windows client that will connect to OpenVPN (you can use FTP for the download).
    Save them in the \OpenVPN\config directory under the OpenVPN installation path.

  4. Configure client.ovpn.
    Copy client.ovpn from the \OpenVPN\sample-config\ directory under the OpenVPN installation path to the \OpenVPN\config directory under the installation path, and then modify the following parameters in the configuration file:

    proto udp                   # remove the leading semicolon; use UDP, the same protocol as the server
    remote 1.1.1.1 1194         # replace 1.1.1.1 with the Internet IP address of your ECS instance and remove the leading semicolon
    cert aliyunuser.crt
    key aliyunuser.key
  5. Go to the C:\Program Files (x86)\OpenVPN\bin directory, right-click openvpn-gui-1.0.3.exe and run it with administrator permissions (otherwise adding routes fails when it runs as a standard user).

  6. After the connection is established, you can reach the Alibaba Cloud intranet mirror site http://mirrors.aliyuncs.com/ through OpenVPN, which confirms access to the Alibaba Cloud intranet.
    You can also visit ip.cn: the egress Internet IP address of the Windows PC is now the Internet IP address of the ECS instance.

If the problem persists, log on to Alibaba Cloud community for free consultation, or contact Marketplace providers for help.
