OpenVPN Installation


7/29/2019 OpenVPN Installation

Installing OpenVPN

For the most part, the how-to documentation on the OpenVPN website is quite good and easy to follow. However, there are a few gotchas that the documentation doesn't make clear. Some of these gotchas involve errors on the part of the package maintainers or developers. Some involve things that you need to do, but that the documentation doesn't even mention.

In this document, we'll endeavor to make things a bit clearer, and save you from suffering the trial-and-error method of setting up a simple VPN.

Preparation

You can install OpenVPN on a variety of operating systems. (For our demo, we'll be using CentOS 5.) For our present purpose, we'll assume that all applications and data that clients need to reach are on the OpenVPN server itself, and that clients don't need to reach any other subnets that are on the other side of the server. We'll also assume that all clients are to use the same OpenVPN configuration.

If you're using Red Hat Enterprise Linux or one of its derivatives as the OpenVPN server (this would include CentOS 5, StartCom 5, and perhaps a few others), you won't find OpenVPN in the distro's repositories. But it is in a few different third-party repositories. The best one to use is RPMForge. To add RPMForge to your Yum repository list, run one of the following commands:

For systems running a 32-bit version of RHEL 4 or one of its derivatives:

rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm

For systems running a 64-bit version of RHEL 4 or one of its derivatives:

rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.x86_64.rpm

For systems running a 32-bit version of RHEL 5 or one of its derivatives:

rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

For systems running a 64-bit version of RHEL 5 or one of its derivatives:

rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm


Note that you can copy and paste these commands from this document to the command line of your terminal window. Also, you will want to install this repository on any RHEL-style Linux machines that you may be using as clients.

If your Linux machines are running either Debian or Ubuntu, you will find OpenVPN in the normal distro repositories. Just use apt-get or your favorite package manager to install it, the same as you would with any other package. Other than that, installation and configuration will be the same as what we're about to present in the following steps.

Installation

(Note that this portion of the procedure is the same for both OpenVPN servers and OpenVPN clients that are running on Linux.)

Once the repository configuration is done, you can open Yum Extender, search for openvpn, and install it as you would any other package.

Alternatively, you can open a command-line window and enter:

su root
yum install openvpn

This is actually the recommended option, since Yum Extender is so notoriously slow.

When installation is complete, open a terminal window and enter su root. (If you used the command-line installation option, just keep the window open, and remain logged in as root.)

By default, OpenVPN installs to the /usr/sbin directory. So, in order to manually start it from a command line, the user will either have to be placed in the sudoers list, or will have to log into a command-line terminal as root.

After the initial installation, the /etc/openvpn directory will be empty. You'll need to copy the appropriate files to it.

Server specific

First, cd to the /usr/share/doc/openvpn-2.0.9/sample-config-files directory. Copy the following files to the /etc/openvpn directory:


firewall.sh
openvpn-shutdown.sh
openvpn-startup.sh
server.conf

Note that the three shell script files don't have executable permissions set. Use the chmod utility to set the executable bit on all of them:

chmod a+x firewall.sh
chmod a+x openvpn-shutdown.sh
chmod a+x openvpn-startup.sh

You'll also need to change the names of the two openvpn scripts to get rid of the .sh suffix. (That's because these two scripts are referenced without the suffix in the openvpn init script.) Do this with the following two commands:

mv openvpn-startup.sh openvpn-startup
mv openvpn-shutdown.sh openvpn-shutdown

Next, cd to the /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0 directory. Open the Makefile for editing. Set the DESTDIR parameter to the following:

DESTDIR=/etc/openvpn

Leave the PREFIX parameter blank.

Save the file and exit the text editor. Now, issue the command:

make install

This will copy the files to the /etc/openvpn directory, and set the executable permission on all but one of the shell-script files. (We'll fix the one that got missed in the next step.)

Next, cd to the /etc/openvpn directory, and open the vars file for editing. At the very bottom of the file, set the appropriate values for export KEY_COUNTRY=, export KEY_PROVINCE=, export KEY_CITY=, export KEY_ORG=, and export KEY_EMAIL=. Save the file and exit the text editor. Use chmod to manually add the executable permissions to the vars file:

chmod a+x vars

While still within the /etc/openvpn directory, use the easy-rsa scripts to create the security keys and certificates. To prepare for building the key sets, issue the following commands (vars must be sourced into the current shell, not run as a separate process, or the KEY_* variables it exports are lost):

source ./vars
./clean-all
./build-ca

Note: When you attempt to run the clean-all script, you may receive a message about having to source the vars file first. If you do, just run the command:

source vars

Re-run the clean-all script, and continue on to the next step.

To build the appropriate key set for the OpenVPN server, issue the command:

./build-key-server server

When asked to make choices, just hit the Enter key to choose the default values.

For each client that will connect to this server, you'll need to create a set of keys and certificates, each named after the client that will use them. For example, if you have three clients, issue the commands:

./build-key client1
./build-key client2
./build-key client3

(Optionally, you can substitute the build-key-pass script if you want to password-protect the client keys.)


When asked to make choices, just hit the Enter key to accept the default value.

Generate the Diffie-Hellman parameters by entering:

./build-dh

Finally, cd to the /etc/openvpn/keys directory, and copy all of the files back to /etc/openvpn. (You don't want to have your working keys in the keys directory, because you'll wipe them out the next time you use the clean-all utility.)

cp * ../

Configure the server by editing the server.conf file. Find the line that says:

server 10.8.0.0 255.255.255.0

and change it to the network address and subnet mask that you want to use. For our example, we'll initially have one hundred clients connecting to the server, but we also want scalability in case we add more clients later. So, we'll use the 10.1.1.0 network with a 25-bit subnet mask. For that, we'll change this line to:

server 10.1.1.0 255.255.255.128

This will allow for 125 clients, since the server will automatically assign the 10.1.1.1 address to itself.

Scroll down to the stanza that begins with the line # Select a cryptographic cipher. Choose which cipher you want to use by uncommenting the appropriate line. Later, when you set up the clients, you'll make this parameter of their configuration files match what you've set for the server. (Note that Blowfish is the default choice, so you won't need to uncomment anything if you want to use it.) Save this file, and open the firewall.sh file for editing.

Near the top of the file, you'll see the line that reads:

PRIVATE=10.0.0.0/24

Change this line to the address of the private network that you want to use. (This must match what you used in the server.conf file.) For our example, we'll change this to:

PRIVATE=10.1.1.0/25

Important: Even though the firewall.sh script makes reference to interfaces eth0 and eth1, that doesn't mean that you need two active, physical NICs in your server. In this case, eth1 refers to the virtual interface that will be created when you start the OpenVPN program. In fact, if you have installed a second NIC, and you accidentally assign it the address that you want to use for the OpenVPN private network, then your clients won't be able to connect properly.

Note: If you're using something other than eth0 as the physical NIC for the VPN, then you'll need to edit the firewall.sh file, changing all of the eth0s accordingly. You'll also need to change all of the eth1s to eth0. (Even if eth0 is in use as another NIC, that's fine, since all we're doing here is creating a virtual NIC.)
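The text requires the network on the server line of server.conf and the PRIVATE= network in firewall.sh to agree. As an added check (example shell code, not part of the original document), the functions below read both values from constructed sample file contents, convert the netmask to a prefix length, compare them, and report the client count the document derives for a /25.

```shell
# Added example, not from the original document: checks that the "server" network in
# server.conf matches PRIVATE= in firewall.sh. Sample file contents are constructed.
SERVER_CONF='port 1194
dev tun
# server 10.8.0.0 255.255.255.0
server 10.1.1.0 255.255.255.128'
FIREWALL_SH='PRIVATE=10.1.1.0/25'

# Dotted-decimal netmask to prefix length (255.255.255.128 -> 25).
# Assumes a contiguous mask, which is all OpenVPN accepts.
mask_to_prefix() {
    prefix=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) prefix=$((prefix+8));; 254) prefix=$((prefix+7));;
            252) prefix=$((prefix+6));; 248) prefix=$((prefix+5));;
            240) prefix=$((prefix+4));; 224) prefix=$((prefix+3));;
            192) prefix=$((prefix+2));; 128) prefix=$((prefix+1));;
            0) ;; *) echo "invalid netmask octet: $octet" >&2; return 1;;
        esac
    done
    echo "$prefix"
}
# network/prefix from the first uncommented "server" directive in the text given as $1.
server_conf_network() {
    line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*server[[:space:]]' | head -n 1)
    [ -n "$line" ] || { echo "no server directive found" >&2; return 1; }
    set -- $line
    echo "$2/$(mask_to_prefix "$3")"
}
# PRIVATE= value from the firewall.sh text given as $1.
firewall_private_network() {
    printf '%s\n' "$1" | grep '^PRIVATE=' | head -n 1 | cut -d= -f2
}
# Client addresses after network, broadcast and the server's own address: the document's
# count (125 for a /25). OpenVPN 2.0's default net30 topology gives each client a /30, so fewer fit.
client_capacity() {
    prefix=${1#*/}
    echo $(( (1 << (32 - prefix)) - 3 ))
}
check_vpn_network() {
    srv=$(server_conf_network "$1") || return 1
    fw=$(firewall_private_network "$2")
    [ "$srv" = "$fw" ] || { echo "MISMATCH: server.conf $srv vs firewall.sh $fw" >&2; return 1; }
    echo "OK: $srv in both files; room for $(client_capacity "$srv") clients"
}

check_vpn_network "$SERVER_CONF" "$FIREWALL_SH"
```

To run it against a real installation, replace the two sample strings with `$(cat /etc/openvpn/server.conf)` and `$(cat /etc/openvpn/firewall.sh)`.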

Save the file and open the openvpn-startup file for editing. At the bottom of the file, find the lines:

openvpn --cd $dir --daemon --config vpn1.conf
openvpn --cd $dir --daemon --config vpn2.conf
openvpn --cd $dir --daemon --config vpn2.conf

Comment out all three of these lines:

# openvpn --cd $dir --daemon --config vpn1.conf
# openvpn --cd $dir --daemon --config vpn2.conf
# openvpn --cd $dir --daemon --config vpn2.conf

Save the file and exit the text editor.

To manually start the program, you'll either need to use sudo and have the appropriate sudo privileges, or you'll need to su to a root login, and enter one of the following commands:

sudo /sbin/service openvpn start

or, if logged in as root:

service openvpn start

On a Debian or Ubuntu-type system, you would enter one of the following commands:

sudo /etc/init.d/openvpn start

or, if logged in as root:

/etc/init.d/openvpn start

When you initially install OpenVPN, you'll also install an init script into the /etc/init.d directory, and links to it will be installed into the appropriate run-level directories. This will cause OpenVPN to start automatically whenever you boot the server.

Now that that's done, you'll want to configure the clients.