This document describes how to configure OpenVPN in CentOS.
Note: Configurations and description in this document are used only for example and operation instructions. Alibaba Cloud undertakes no responsibility toward any operation results and problems caused thereby.
Use the tool “update_source.sh” to update the yum source to the intranet yum source of Alibaba Cloud.
The software package for installation is:
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
yum install -y pkcs11-helper pkcs11-helper-devel
To confirm whether the installation is finished.:
rpm -qa lzolzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel
Download the source code package of OpenVPN.
Use rpmbuild to compile the source code package into an RPM package for installation.
rpmbuild -tb openvpn-2.2.2.tar.gz
Run this command and then the package can be compiled. After compilation, the openvpn-2.2.2-1.x86_64.rpm installation package is generated in the /root/rpmbuild/RPMS/x86_64 directory.
Run rpm -ivh openvpn-2.2.2-1.x86_64.rpm to install the RPM package.
Configure OpenVPN (client)
/usr/share/doc/openvpn-2.2.2/easy-rsa/2.0directory, find the Vars certificate environment file, and modify values of the following parameters defined by export as follows.
exportKEY_COUNTRY="CN" The country where it is located
export KEY_PROVINCE="BJ" The province where it is located
exportKEY_CITY="Hangzhou" The city where it is located
exportKEY_ORG="aliyun" The organization to which it belongs
export KEY_EMAILemail@example.com The email address
The preceding parameter values can be customized, which does not affect the configuration.
Generate a certificate for the server:
- Delete all keys in the “keys” directory.
Use ln -s openssl-1.0.0.cnf openssl.cnf to create a soft link to the openssl-1.0.0.cnf configuration file
Run the following command to generate a CA certificate. As the default parameter values have been set in the vars file, press Enter several times.
A server certificate has been generated. “aliyuntest” is the customized name. Press Enter until the last two interactions. Enter “y” for confirmation. Then the aliyuntest.key, aliyuntest.csr and aliyuntest.crt files are saved to the keys directory.
- Delete all keys in the “keys” directory.
Create a user key and certificate.
Create a key and certificate for a user named “aliyunuser”. Press Enter all through and then press “y” twice. Then a 1,024-bit RSA server key, and the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files are generated in the keys directory.
Generate the Diffie Hellman parameter.
After running command
./build-dh, the dh parameter file dh1024.pem is generated in the “keys” directory. The file is used for client verification.
Copy all files in the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory to /etc/openvpn.
cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/
Copy the OpenVPN server end configuration file server.conf to the /etc/openvpn/ directory.
cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
The configured content is as follows:
$ egrep -v "^$|^#|^;" server.conf
local 22.214.171.124 (Use the Internet IP address of your ECS instance)
cert aliyuntest.crt (Fill in the crt and key customized by the user when the server end certificate is generated)
server 172.16.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 126.96.36.199"
keepalive 10 120
Before setting iptables, make sure that the iptables is enabled, and the /etc/sysconfig/iptables file exists. Enable forwarding:
Modify the following content:
net.ipv4.ip_forward = 1
Enable the kernel parameter to take effect:
Add an iptables rule so that the server can forward the data packet to Alibaba Cloud intranet and Internet:
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
Save iptables configurations:
service iptables save
netstat -ano | grep 1194 to check whether Port 1194 is listening and whether OpenVPN is running.
Download the OpenVPN client
Install the client in Windows according to default settings.
Download the aliyunuser.key, aliyunuser.crt, and aliyunuser.csr files in the /etc/openvpn/ directory on the ECS instance to the Windows client to be connected to OpenVPN (you can use the ftp for download.
The save path is the \OpenVPN\config directory in the installation path of OpenVPN software.
Copy client.opvn in the \OpenVPN\sample-config\ directory of the installation path of OpenVPN software to the \OpenVPN\config directory of the installation path, and then modify the following parameters in the configuration file:
proto udp Remove the semicolon, and use the UDP protocol the same as that used at the server end
remote 188.8.131.52 1194 Replace 184.108.40.206 with the Internet IP address of the user' ECS instance, and remove the comment semicolon before this line
Enter the C:\Program Files (x86)\OpenVPN\bin directory, right-click the openvpn-gui-1.0.3.exe file and run the file with the administrator permissions (so as to avoid route addition failure when running the file in common user mode).
After successful connection, you can access the intranet image source website
http://mirrors.aliyuncs.com/of Alibaba Cloud to access Alibaba Cloud intranet by using OpenVPN.
You can also access ip.cn. It can be seen that, the egress Internet IP address at the Windows PC end is changed to the Internet IP address of the ECS instance.
If the problem persists, log on to Alibaba Cloud community for free consultation, or contact Marketplace providers for help.