Install OpenVPN in a Centos 7 Virtual Machine -Page 3

OpenVPN Lab continued from Page 2

Build the client keys using easy-rsa
=============================

You can build separate client keys for each client you wish to allow to connect to your server.

25. Navigate to the easy-rsa directory and build your client keys.

   cd /etc/openvpn/easy-rsa
   source ./vars
   ./build-key myclient


Copy the client keys to the client’s computer
=====================================

26. Change directories to the keys folder and verify your client keys. You should see files named myclient.crt and myclient.key.

   cd /etc/openvpn/easy-rsa/keys
   ls

27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client computer using a flash drive, by emailing the files, or with an SSH/SCP client like Filezilla. To copy the files with Filezilla you may first need to copy them to a folder like Documents that does not require root access and then change the file permissions on myclient.key so that group and public have read access. Keep in mind that myclient.key is the client's private key: whichever way you transfer it, use a channel you trust and tighten the permissions back to owner-only once the copy is done. The client computer used to connect to the OpenVPN server can be running Windows, Linux, or OSX.

   cp ca.crt myclient.crt myclient.key /home/student/Documents
   cd /home/student/Documents
   ls -l
   chmod 644 myclient.key

Now from a remote computer you can use a program like Filezilla to copy the files from the server.
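Step 27 makes myclient.key readable by everyone so that a non-root Filezilla login can fetch it. The script below is an added example, not part of the lab: it stages the same three files for transfer while keeping the private key owner-only, by giving the staging directory to the unprivileged user with chown instead of loosening the key's mode. The user name student and the paths are the lab's; stage_client_files, key_is_private and check_bundle are hypothetical helper names, and check_bundle verifies the modes before you hand the files off.

```shell
#!/bin/sh
# Added example, not part of the lab: stage ca.crt, myclient.crt and myclient.key for
# transfer without making the private key world-readable. Instead of chmod 644 on the
# key (step 27), the staging directory is handed to the unprivileged user (here
# "student", as in the lab) with chown, so that user's SCP/Filezilla login can read
# the files while the key itself stays mode 0600. Run as root on the server; the
# paths and user name are parameters, and the file names are the lab's.

# stage_client_files KEYS_DIR CLIENT OUT_DIR OWNER
# Runs in a subshell so the umask change does not leak into the calling shell.
stage_client_files() (
    keys_dir="$1"   # e.g. /etc/openvpn/easy-rsa/keys
    client="$2"     # e.g. myclient
    out_dir="$3"    # e.g. /home/student/Documents/myclient-vpn
    owner="$4"      # unprivileged user that will fetch the files, e.g. student

    umask 077                                   # everything created below is owner-only
    mkdir -p "$out_dir" || exit 1
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -f "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; exit 1; }
        cp "$keys_dir/$f" "$out_dir/$f" || exit 1
    done
    chmod 644 "$out_dir/ca.crt" "$out_dir/$client.crt"   # certificates are public
    chmod 600 "$out_dir/$client.key"                      # private key: owner read/write only
    chown -R "$owner" "$out_dir"                          # hand the bundle to the unprivileged user
)

# key_is_private FILE: exit status 0 if FILE is readable by its owner only (0600 or 0400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat, as on CentOS 7
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# check_bundle OUT_DIR CLIENT: exit status 0 if every staged file has the expected mode.
check_bundle() {
    dir="$1"
    client="$2"
    key_is_private "$dir/$client.key" || return 1
    for f in ca.crt "$client.crt"; do
        [ "$(stat -c '%a' "$dir/$f" 2>/dev/null)" = "644" ] || return 1
    done
}

# Usage on the server (as root):
#   stage_client_files /etc/openvpn/easy-rsa/keys myclient /home/student/Documents/myclient-vpn student \
#       && check_bundle /home/student/Documents/myclient-vpn myclient && echo "bundle ready"
```

After the transfer, the copy on the client should get the same treatment: the certificate files can stay readable, the .key file should be owner-only, and the staging copy on the server can be deleted once the client has it.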


Create the client OpenVPN configuration file used to connect to the server
=============================================================

28. Using a text editor like nano in Linux or Notepad in Windows, create the text file myclient.ovpn and place it in the same directory as the ca.crt, myclient.crt, and myclient.key files that you copied from the Centos 7 server.

   nano myclient.ovpn

Add the following lines:

client
dev tun
proto udp
remote <centos server ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient.crt
key myclient.key

auth-user-pass


On the server, enable Centos 7 to forward packets through its network interfaces
==================================================================

29. Use sysctl to allow IP packet forwarding. Add the following line to the sysctl.conf file, then reload the settings.

   nano /etc/sysctl.conf

add or edit the line:

   net.ipv4.ip_forward = 1

then apply it:

   sysctl -p

Enable the OpenVPN pam authentication module to add user authentication
==============================================================

30. Using the OpenVPN auth-pam plugin, the OpenVPN server can authenticate connecting users against the Linux system accounts. To do this you will need to create a PAM service file:

   touch /etc/pam.d/openvpn
   nano /etc/pam.d/openvpn

then add the following two lines:

   auth    required    pam_unix.so    shadow    nodelay
   account required    pam_unix.so

31. Add the following line to the end of the OpenVPN server.conf file. The last argument, openvpn, is the name of the PAM service file you created in step 30.

   nano /etc/openvpn/server.conf

   plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

On the server, add and uncomment two lines in the OpenVPN server.conf file
===============================================================

32. In server.conf add a line to push a route to the server's inside LAN network and uncomment the line that allows client-to-client communication between tunneled users.

   cd /etc/openvpn
   nano server.conf

add/uncomment the following two lines (use plain ASCII double quotes around the route; the curly quotes a web page or word processor produces will not be parsed correctly by OpenVPN):

   push "route 192.168.10.0 255.255.255.0"
   client-to-client

Press Ctrl+x, type y and press Enter to save.

33. Now restart the OpenVPN server and check that it came back up.

   systemctl stop openvpn@server.service
   systemctl start openvpn@server.service
   systemctl status openvpn@server.service
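Both the client file from step 28 and the server.conf additions in steps 31 and 32 are typed by hand, and the usual failures are quiet ones: a placeholder left in the remote line, a certificate file that is not next to the config, or curly quotes pasted into the push line. The following script is an added example, not part of the lab: it parses OpenVPN-style config text the way OpenVPN tokenizes it (comment lines skipped, a double-quoted argument kept as one token) and reports those problems. The directive names are OpenVPN's; parse_config and lint are hypothetical helper names, and the sample config text inside the script (with 203.0.113.10 standing in for the server address) is constructed for the demo.

```python
"""Added example, not part of the lab: a parser and linter for the OpenVPN client
file (myclient.ovpn, step 28) and the server.conf additions (steps 31 and 32).
Directive names are real OpenVPN directives; the sample config text at the bottom
is constructed for the demo (203.0.113.10 is a documentation address)."""
import os
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"           # curly quotes as pasted from web pages
CLIENT_REQUIRED = ("client", "dev", "proto", "remote", "ca", "cert", "key")
FILE_DIRECTIVES = ("ca", "cert", "key", "plugin")   # first argument is a file path


def parse_config(text):
    """Return [(directive, [args]), ...]; '#' and ';' comment lines are skipped
    and a double-quoted argument is kept as one token, as OpenVPN does."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = re.findall(r'"([^"]*)"|(\S+)', line)
        args = [quoted if quoted else bare for quoted, bare in tokens]
        directives.append((args[0], args[1:]))
    return directives


def lint(text, role, config_dir="."):
    """Return a list of findings (strings) for role 'client' or 'server'.
    An empty list means nothing suspicious was found."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if any(ch in SMART_QUOTES for ch in raw):
            findings.append(f'line {n}: typographic quotes; OpenVPN only understands ASCII " quotes')
    conf = parse_config(text)
    names = [d for d, _ in conf]
    if role == "client":
        for req in CLIENT_REQUIRED:
            if req not in names:
                findings.append(f"missing required client directive: {req}")
        for d, args in conf:
            if d == "remote":
                if args and args[0].startswith("<"):
                    findings.append("remote: the <centos server ip address> placeholder was not replaced")
                elif len(args) < 2 or not args[1].isdigit():
                    findings.append("remote: expected '<host> <port>'")
            if d == "auth-user-pass" and args:
                findings.append("auth-user-pass with a file argument stores the password in clear text on disk")
    else:
        if "client-to-client" not in names:
            findings.append("client-to-client is not set; tunneled clients cannot reach each other")
        if not any(d == "push" and a and a[0].startswith("route ") for d, a in conf):
            findings.append('no push "route ..." directive; clients will not learn the inside LAN route')
        if "plugin" not in names:
            findings.append("no plugin line; auth-pam is not enabled, so auth-user-pass clients will be rejected")
    for d, args in conf:   # referenced files must exist next to the config (or at the absolute path given)
        if d in FILE_DIRECTIVES and args and not os.path.exists(os.path.join(config_dir, args[0])):
            findings.append(f"{d}: referenced file {args[0]} not found under {config_dir}")
    return findings


# Constructed sample inputs: the client file mirrors step 28 with the placeholder
# replaced; SERVER_BAD is what step 32 looks like after pasting curly quotes.
CLIENT_OVPN = """client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient.crt
key myclient.key
auth-user-pass
"""
SERVER_GOOD = """push "route 192.168.10.0 255.255.255.0"
client-to-client
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
"""
SERVER_BAD = SERVER_GOOD.replace('"route', '\u201croute').replace('255.0"', '255.0\u201d')

if __name__ == "__main__":
    for label, text, role in (("client", CLIENT_OVPN, "client"),
                              ("server (good)", SERVER_GOOD, "server"),
                              ("server (bad quotes)", SERVER_BAD, "server")):
        print(f"== {label}")
        for finding in lint(text, role, config_dir=os.getcwd()):
            print(" -", finding)
```

Run it from the directory that holds the config and key files so the file-existence check is meaningful; on a machine without the auth-pam plugin installed the server check will also report the missing plugin path, which is the expected result there.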


Connect to the OpenVPN server from a client computer
===============================================

34. With root access, use the following command to connect to the server from a Linux host. Notice that in the example command below the path to the myclient.ovpn file is the current directory; if the .ovpn config file is in a different directory you will need to provide the path. You may need to install openvpn (and easy-rsa) if openvpn is not already installed on your Linux client.

   openvpn myclient.ovpn

OpenVPN is now running in that terminal window. To close the OpenVPN connection press Ctrl+c; to continue working while it stays connected, open a new terminal window. You can also close OpenVPN and the tunnel connection using the pkill program.

   pkill openvpn

35. In a new terminal window examine your tunnel interface using ifconfig. You should see a tun0 interface with an IP address in the 10.8.0.0 range.

   ifconfig

36. Test whether you can ping the OpenVPN server's tunnel interface at 10.8.0.1, as well as reach the inside LAN network at 192.168.10.1.

   ping 10.8.0.1
   ping 192.168.10.1

37. To connect to the OpenVPN server from a Windows client computer you will need to download and install the OpenVPN client program from http://openvpn.net; the Windows client installer is on the website under Community Downloads. After installing the OpenVPN client for Windows, copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn files to the C:\Program Files (x86)\OpenVPN\config\ folder, or, if you installed the 64-bit version of the OpenVPN client, to C:\Program Files\OpenVPN\config\.

38. Now start the Windows OpenVPN client. It will launch into the system tray. Right-click the OpenVPN icon in the system tray, choose the config file and select Connect.

   Start > Programs > OpenVPN GUI
   Right-click the OpenVPN icon in the system tray, and select Connect.


Configure the iptables firewall to allow OpenVPN connections
===================================================

Earlier in the lab, I shut down the iptables firewall with the intention of turning it back on after configuring it to allow OpenVPN connections.

39. to be posted soon…

Video Tutorial


Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
