OpenVPN Implementation II - Host-to-site VPN solution - Part 2

3. OpenVPN installation directory, Prep software

3). Install OpenVPN

wget --no-check-certificate https://swupdate.openvpn.org/community/releases/openvpn-2.3.12.tar.gz

tar zxf openvpn-2.3.12.tar.gz

cd openvpn-2.3.12

a). Run wget to download the OpenVPN source tarball. --no-check-certificate skips TLS certificate validation (note the name-mismatch warning in the output below), so the transfer itself does not authenticate the file; verify the tarball against OpenVPN's published signature or checksum before building.

[root@localhost openvpn]# wget --no-check-certificate https://swupdate.openvpn.org/community/releases/openvpn-2.3.12.tar.gz
--2016-09-08 07:41:24-- https://swupdate.openvpn.org/community/releases/openvpn-2.3.12.tar.gz
Resolving swupdate.openvpn.org... 104.24.0.59, 104.24.1.59
Connecting to swupdate.openvpn.org|104.24.0.59|:443... connected.
WARNING: certificate common name “ssl381718.cloudflaressl.com” doesn’t match requested host name “swupdate.openvpn.org”.
HTTP request sent, awaiting response... 200 OK
Length: 1235262 (1.2M) [application/octet-stream]
Saving to: “openvpn-2.3.12.tar.gz”

100%[=========================================================>] 1,235,262 5.97M/s in 0.2s

2016-09-08 07:41:24 (5.97 MB/s) - “openvpn-2.3.12.tar.gz” saved [1235262/1235262]



b). tar zxf openvpn-2.3.12.tar.gz

[root@localhost openvpn]# tar zxf openvpn-2.3.12.tar.gz
[root@localhost openvpn]# ll openvpn-2.3.12
total 1468
-rw-r--r--. 1 1000 1000 42175 Aug 23 07:19 aclocal.m4
-rw-r--r--. 1 1000 1000 28 Aug 23 06:10 AUTHORS
drwxr-xr-x. 3 1000 1000 4096 Aug 23 07:20 build
-rw-r--r--. 1 1000 1000 191590 Aug 23 07:16 ChangeLog
-rw-r--r--. 1 1000 1000 2251 Aug 23 06:10 compat.m4
-rwxr-xr-x. 1 1000 1000 7333 Aug 23 07:19 compile
............., ...............................


c). cd openvpn-2.3.12

[root@localhost openvpn-2.3.12]# cd openvpn-2.3.12


d). Run ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib, or just ./configure with OpenVPN 2.3.12 (this version no longer recognises --with-lzo-headers, as the warning below shows).

If you receive the error "OpenSSL crypto headers not found", go back to step 2 to install openssl. FYI, CentOS installs openssl by default, but not the complete set: the development headers that configure needs are in the separate openssl-devel package.

You can check your openssl version with rpm -qa openssl.

[root@localhost openvpn-2.3.12]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
configure: WARNING: unrecognized options: --with-lzo-headers
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... x86_64-unknown-linux-gnu
........................., ...................................
checking for lzo/lzo1x.h... yes
checking git checkout... no
configure: error: libpam required but missing

Here we receive the error "configure: error: libpam required but missing". To fix it, install pam-devel with yum install pam-devel.

[root@localhost openvpn-2.3.12]# yum install pam-devel
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirror.csclub.uwaterloo.ca
 * extras: mirror.csclub.uwaterloo.ca
 * updates: mirror.csclub.uwaterloo.ca
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pam-devel.x86_64 0:1.1.1-22.el6 will be installed
--> Processing Dependency: pam = 1.1.1-22.el6 for package: pam-devel-1.1.1-22.el6.x86_64
...................., ....................
Setting up Install Process
Package pam-devel-1.1.1-22.el6.x86_64 already installed and latest version
Nothing to do

Now run ./configure again.

[root@localhost openvpn-2.3.12]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for style of include used by make... GNU
checking for gcc... gcc
......................., .............................
config.status: executing libtool commands

e). Run make if no error was reported.

[root@localhost openvpn-2.3.12]# make
make all-recursive
make[1]: Entering directory `/home/admin/tools/openvpn/openvpn-2.3.12'
Making all in build
................, .........................
make[2]: Entering directory `/home/admin/tools/openvpn/openvpn-2.3.12'
make[2]: Leaving directory `/home/admin/tools/openvpn/openvpn-2.3.12'
make[1]: Leaving directory `/home/admin/tools/openvpn/openvpn-2.3.12'

f). Run make install if no error was reported.

[root@localhost openvpn-2.3.12]# make install
make install-recursive
make[1]: Entering directory `/home/admin/tools/openvpn/openvpn-2.3.12'
Making install in build
make[2]: Entering directory `/home/admin/tools/openvpn/openvpn-2.3.12/build'
................, .........................

 /bin/mkdir -p '/usr/local/share/doc/openvpn'
 /usr/bin/install -c -m 644 README README.IPv6 README.polarssl COPYRIGHT.GPL COPYING '/usr/local/share/doc/openvpn'
make[3]: Leaving directory `/home/admin/tools/openvpn/openvpn-2.3.12'
make[2]: Leaving directory `/home/admin/tools/openvpn/openvpn-2.3.12'
make[1]: Leaving directory `/home/admin/tools/openvpn/openvpn-2.3.12'

g). Validate that openvpn installed successfully: echo $? shows the exit status of the previous command (run it directly after make install; in the session below it only reflects the preceding echo), and which openvpn confirms where the binary was installed.

[root@localhost openvpn-2.3.12]# cd ../
[root@localhost openvpn]# echo $0
-bash
[root@localhost openvpn]# echo $?
0
[root@localhost openvpn]# which openvpn
/usr/local/sbin/openvpn

4). Set up and configure the CA (certificate authority)

## Please note that from version 2.3 easy-rsa is an independent project, so it has to be downloaded separately, for example like this:

cd /etc/openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
tar -zxvf EasyRSA-3.0.1.tgz
cd EasyRSA-3.0.1
cp vars.example vars
edit vars: change "export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`" to export KEY_CONFIG=/home/admin/tools/easy-rsa/openssl-1.0.0.cnf
cd /home/admin/tools/easy-rsa
chmod 755 *
source ./vars
./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

a). Download easy-rsa (the 2.2.2 release is used in the walkthrough below, which still ships the vars and build-* scripts). ## Please note that from version 2.3 easy-rsa is an independent project, so it has to be downloaded separately.

[root@localhost openvpn-2.3.12]# cd /home/admin/tools/openvpn
[root@localhost openvpn-2.3.12]# wget https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
[root@localhost openvpn-2.3.12]# tar -zxvf EasyRSA-2.2.2.tgz
........, ................
[root@localhost easy-rsa]#cp vars vars.davidcp

b). Edit vars: change export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to export KEY_CONFIG=/home/tools/openvpn/EasyRSA/openssl-1.0.0.cnf

c). chmod the scripts and run source ./vars, ./vars, ./clean-all (./clean-all deletes everything under the keys directory, as the NOTE in the output warns, so only run it when starting a fresh CA).

chmod 755 *

source ./vars

./vars

./clean-all

[root@localhost easy-rsa]# chmod 755 *
[root@localhost easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/admin/tools/easy-rsa/keys
[root@localhost easy-rsa]# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/admin/tools/easy-rsa/keys
[root@localhost easy-rsa]# ./clean-all

d). Build the CA:

[root@localhost easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
................++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CA
State or Province Name (full name) [CA]:Ontario
Locality Name (eg, city) [SanFrancisco]:Toronto
Organization Name (eg, company) [Fort-Funston]:Innovite Consulting
Organizational Unit Name (eg, section) [changeme]:N/A
Common Name (eg, your name or your server's hostname) [changeme]:David Young
Name [changeme]:David
Email Address [[email address]]:[email address]

e). Build the server key:

[root@localhost easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
....++++++
..........................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CA
State or Province Name (full name) [CA]:Ontario
Locality Name (eg, city) [SanFrancisco]:Toronto
Organization Name (eg, company) [Fort-Funston]:Innovite Consulting
Organizational Unit Name (eg, section) [changeme]:N/A
Common Name (eg, your name or your server's hostname) [server]:openvpn
Name [changeme]:openvpn
Email Address [[email address]]:[email address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:welcome
An optional company name []:zengic
Using configuration from /home/admin/tools/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'Ontario'
localityName :PRINTABLE:'Toronto'
organizationName :PRINTABLE:'Innovite Consulting'
organizationalUnitName:PRINTABLE:'N/A'
commonName :PRINTABLE:'openvpn'
name :PRINTABLE:'openvpn'
emailAddress :IA5STRING:'[email address]'
Certificate is to be certified until Sep 6 18:32:10 2026 GMT (3650 days)
Sign the certificate? [y/n]:yes

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

f). Build DH (Diffie Hellman) parameters

Note: DH (Diffie Hellman) parameters must be generated for the OpenVPN server. They will be used for encryption, authentication, and key exchange. For more detail, please check the following website: http://www.rsasecurity.com/rsalabs/node.asp?id=2248.

[root@localhost easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................+.........+.....................+...................................................++*++*++*
[root@localhost easy-rsa]#

f). Generate client keys

./build-key admin => generate a key without password

./build-key-pass dyoung => generate a key with password protection (the private key file is encrypted with the PEM pass phrase prompted for below, so it cannot be used without it)

[root@localhost keys]# ./build-key admin
-bash: ./build-key: No such file or directory
[root@localhost keys]# cd ..
[root@localhost easy-rsa]# pwd
/home/admin/tools/easy-rsa
[root@localhost easy-rsa]# ./build-key admin
Generating a 1024 bit RSA private key
...++++++
...................++++++
writing new private key to 'admin.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:^[^C
[root@localhost easy-rsa]# ./build-key admin
Generating a 1024 bit RSA private key
...................................++++++
.....++++++
writing new private key to 'admin.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CA
State or Province Name (full name) [CA]:Ontario
Locality Name (eg, city) [SanFrancisco]:Toronto
Organization Name (eg, company) [Fort-Funston]:Innovite Consulting
Organizational Unit Name (eg, section) [changeme]:N/A
Common Name (eg, your name or your server's hostname) [admin]:
Name [changeme]:admin
Email Address [[email address]]:[email address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:welcome
An optional company name []:
Using configuration from /home/admin/tools/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'Ontario'
localityName :PRINTABLE:'Toronto'
organizationName :PRINTABLE:'Innovite Consulting'
organizationalUnitName:PRINTABLE:'N/A'
commonName :PRINTABLE:'admin'
name :PRINTABLE:'admin'
emailAddress :IA5STRING:'[email address]'
Certificate is to be certified until Sep 6 19:26:16 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost easy-rsa]#

Generate a client key with password protection:

[root@localhost easy-rsa]# ./build-key-pass dyoung
Generating a 1024 bit RSA private key
...........................++++++
...++++++
writing new private key to 'dyoung.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [dyoung]:
Name [changeme]:
Email Address [[email address]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:welcome
An optional company name []:
Using configuration from /home/admin/tools/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'dyoung'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'[email address]'
Certificate is to be certified until Sep 6 21:22:39 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost easy-rsa]#

Server/Client Key function & Usage

key name    | Type of Certificate (Function)     | Encrypted | Purpose
------------|------------------------------------|-----------|----------------------------------------------------------
ca.crt      | Root CA Certificate                | No        | Required by Server and Clients
ca.key      | Root CA Key                        | Yes       | Used for signing requests for your CA. ca.key is essential and must be protected; keep it on a secure machine.
dh*.pem     | Diffie Hellman                     | No        | Contains Diffie-Hellman parameters. These values are not secret and do not depend on any external element: neither certificate, private key, nor anything else.
server.crt  | Server Certificate                 | No        | Signed certificate of the Server, must be on Server
server.key  | Server Key                         | Yes       | Private RSA key of the Server, must be on Server.
dyoung.crt  | Client Certificate for user dyoung | No        | Signed certificate of the client, must be on Client.
dyoung.key  | Client key for user dyoung         | Yes       | Private RSA key of the client, must be on Client.
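The table above says which files are secret and that ca.key must stay on a secure machine. As an added example (not part of the original post), the script below audits an easy-rsa keys directory for those two properties: every *.key must be readable by its owner only, and ca.key must not be present on the VPN server. The sample directory, file names and modes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an easy-rsa keys directory
# against the table above. Files marked "Encrypted: Yes" (*.key) are secrets and
# must not be group/world readable; ca.key must not live on the VPN host at all.

# Symbolic mode of a file, e.g. -rw-------, read from ls so it works without GNU stat.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Check every *.key in directory $1. Prints one line per finding and returns
# the number of findings (0 = clean). $2 is "server" (default) or "client";
# on a server ca.key must be absent.
audit_keys() {
    dir=$1; role=${2:-server}; findings=0
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue
        mode=$(file_mode "$key")
        # characters 5-10 are the group and other permission bits; all must be '-'
        case "$(printf %s "$mode" | cut -c5-10)" in
            ------) ;;
            *) echo "LOOSE PERMISSIONS: $key ($mode)"; findings=$((findings + 1)) ;;
        esac
    done
    if [ "$role" = server ] && [ -e "$dir/ca.key" ]; then
        echo "CA PRIVATE KEY PRESENT ON SERVER: $dir/ca.key (keep it on the secure CA machine)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample keys directory: empty placeholder files, not real keys.
SAMPLE_KEYS=$(mktemp -d)
for f in ca.key server.key dyoung.key; do : > "$SAMPLE_KEYS/$f"; done
chmod 600 "$SAMPLE_KEYS/ca.key" "$SAMPLE_KEYS/server.key"
chmod 644 "$SAMPLE_KEYS/dyoung.key"     # deliberately too permissive

audit_keys "$SAMPLE_KEYS" server || echo "findings: $?"
```

Run it against the real keys directory (for example /home/admin/tools/easy-rsa/keys from the walkthrough) on the server and on each client with the matching role.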

g). Generate an additional key for a client

If you need to generate a new client key after OpenVPN has been deployed, run source ./vars again in your shell before running the build-key script, otherwise the easy-rsa variables are not set.

h). How to revoke an existing account (key)

You can use ./revoke-full <account name> to revoke an existing account. See the example below; the closing "error 23 at 0 depth lookup:certificate revoked" line is expected: it comes from the script's own verification of the certificate against the freshly generated CRL and confirms the revocation took effect.

[root@VpnL01 EasyRSA]# ./revoke-full newaccount
Using configuration from /home/tools/openvpn/EasyRSA/openssl-1.0.0.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /home/tools/openvpn/EasyRSA/openssl-1.0.0.cnf
newaccount.crt: C = US, ST = CA, L = SanFrancisco, O = Fort-Funston, OU = MyOrganizationalUnit, CN = newaccount, name = EasyRSA, emailAddress = [email address]
error 23 at 0 depth lookup:certificate revoked
[root@VpnL01 EasyRSA]#

See index.txt for account status: "newaccount" is now marked "R" (revoked) while the other certificates remain "V" (valid).

[root@VpnL01 keys]# cat index.txt
V 260917175735Z 01 unknown /C=CA/ST=Ontario/L=Toronto/O=Innovite/OU=NA/CN=server/name=EasyRSA/emailAddress=[email address]
V 260917180158Z 02 unknown /C=CA/ST=Ontario/L=Toronto/O=INNOVITE/OU=NA/CN=dyoung/name=EasyRSA/emailAddress=[email address]
R 260919182139Z 160921182155Z 03 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=newaccount/name=EasyRSA/emailAddress=[email address]
[root@VpnL01 keys]#
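index.txt is the OpenSSL CA database that easy-rsa maintains, and reading it by eye gets error-prone once more than a few clients exist. As an added example (not part of the original post), the functions below parse it to report each certificate's serial, status, CN, expiry and revocation time, and to look up the status of a single account, which is how a defender confirms a revoke-full really took effect. The sample index.txt is constructed to mirror the three entries shown above, with a placeholder email address.

```shell
#!/bin/sh
# Added example, not from the original post: read easy-rsa's keys/index.txt.
# Each line is tab-separated: status (V=valid, R=revoked, E=expired after
# "openssl ca -updatedb"), expiry (YYMMDDHHMMSSZ), revocation time (only for R),
# serial, certificate file name ("unknown" in easy-rsa 2.x), subject DN.

# One line per certificate: serial, status, CN, expiry, revocation time.
index_report() {
    awk -F'\t' '
    function isodate(d) {   # 260919182139Z -> 2026-09-19 18:21:39 (two-digit year, assume 20xx)
        if (d == "") return "-"
        return "20" substr(d,1,2) "-" substr(d,3,2) "-" substr(d,5,2) " " substr(d,7,2) ":" substr(d,9,2) ":" substr(d,11,2)
    }
    {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        printf "%s %s %s expires=%s revoked=%s\n", $4, $1, cn, isodate($2), isodate($3)
    }' "$1"
}

# Status letter (V, R or E) of the certificate whose CN equals $2; empty if absent.
cert_status() {
    awk -F'\t' -v want="$2" '
    {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        if (cn == want) { print $1; exit }
    }' "$1"
}

# Number of revoked certificates, e.g. to confirm a revoke-full changed the database.
revoked_count() {
    awk -F'\t' '$1 == "R" { n++ } END { print n + 0 }' "$1"
}

# Constructed sample index.txt with the same three entries as the session above.
SAMPLE_INDEX=$(mktemp)
{
    printf 'V\t260917175735Z\t\t01\tunknown\t/C=CA/ST=Ontario/L=Toronto/O=Innovite/OU=NA/CN=server/name=EasyRSA/emailAddress=admin@example.com\n'
    printf 'V\t260917180158Z\t\t02\tunknown\t/C=CA/ST=Ontario/L=Toronto/O=INNOVITE/OU=NA/CN=dyoung/name=EasyRSA/emailAddress=admin@example.com\n'
    printf 'R\t260919182139Z\t160921182155Z\t03\tunknown\t/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=newaccount/name=EasyRSA/emailAddress=admin@example.com\n'
} > "$SAMPLE_INDEX"

index_report "$SAMPLE_INDEX"
echo "newaccount status: $(cert_status "$SAMPLE_INDEX" newaccount), revoked: $(revoked_count "$SAMPLE_INDEX")"
```

Point the functions at the real keys/index.txt (for example /home/admin/tools/easy-rsa/keys/index.txt) after each revoke-full to confirm the account shows R.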