OpenVPN on CENTOS LINUX


This is a mini howto for OpenVPN on CentOS Linux. I hope it will be helpful for someone.

So let's get going!

Scenario:

A CentOS (5.7) Linux server acting as the OpenVPN server. This server has two LAN cards: eth0, which the VPN listens on, and eth1 for the local LAN.

My steps to set up a certificate-based server are as follows:

1. Copy the required config files to /etc/openvpn.

2. Build the CA cert, client cert, DH parameters and server cert.

3. Send the required certs and keys to the client computer that will connect to the VPN server.

4. The VPN client version I am using is OpenVPN 2.3.1.1001.

Server.conf:

local 1.1.1.1
port 53
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 192.168.10.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"


IP forwarding in /etc/sysctl.conf:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
 
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
 
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

iptables rules on the Linux server (iptables-save format):

*filter
:INPUT ACCEPT [64246:5545649]
:FORWARD ACCEPT [10952:1104937]
:OUTPUT ACCEPT [29223:7371875]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.100.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -d 192.168.10.0/255.255.255.0 -j ACCEPT
COMMIT
# SNAT belongs to the nat table, not *filter; VPN clients leave eth1 with the server's LAN address
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.245
COMMIT
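The three pieces above (server.conf, sysctl and the iptables rules) have to agree with each other: forwarding off, a pushed LAN with no FORWARD rule in both directions, or SNAT to an address outside that LAN all leave clients connected but unable to reach 192.168.100.0/24. The checker below is an added example, not part of this howto or of OpenVPN; it reads the server and push "route" lines, the ip_forward setting and the FORWARD/SNAT rules and reports where they disagree. The embedded text is a constructed copy of the snippets above, trimmed to the lines the checker reads, and the code handles any number of pushed routes, not just the one here.

```python
import ipaddress
import re
# Constructed copies of the snippets above, trimmed to the lines the checker reads.
SERVER_CONF = """\
server 192.168.10.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
"""
SYSCTL = "net.ipv4.ip_forward = 1\n"
IPTABLES = """\
-A FORWARD -s 192.168.10.0/255.255.255.0 -d 192.168.100.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -d 192.168.10.0/255.255.255.0 -j ACCEPT
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.245
"""

def parse_conf(text):
    """Return (VPN subnet, [pushed route subnets]) from an OpenVPN server.conf."""
    vpn_net, pushed = None, []
    for line in text.splitlines():
        if m := re.match(r'server\s+(\S+)\s+(\S+)', line):
            vpn_net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r'push\s+"route\s+(\S+)\s+(\S+)"', line):
            pushed.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return vpn_net, pushed

def parse_iptables(text):
    """Return ({(src, dst) accepted by FORWARD}, SNAT address) from iptables-save text."""
    pairs, snat = set(), None
    for line in text.splitlines():
        if m := re.match(r'-A FORWARD -s (\S+) -d (\S+) -j ACCEPT', line):
            pairs.add((ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2])))
        elif m := re.match(r'-A POSTROUTING .*-j SNAT --to-source (\S+)', line):
            snat = ipaddress.ip_address(m[1])
    return pairs, snat

def check(conf, sysctl, ipt):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    if not re.search(r'^net\.ipv4\.ip_forward\s*=\s*1\s*$', sysctl, re.M):
        problems.append("ip_forward is not enabled")
    vpn_net, pushed = parse_conf(conf)
    pairs, snat = parse_iptables(ipt)
    for lan in pushed:
        if vpn_net.overlaps(lan):
            problems.append(f"pushed route {lan} overlaps the VPN subnet {vpn_net}")
        if (vpn_net, lan) not in pairs or (lan, vpn_net) not in pairs:
            problems.append(f"no FORWARD rule pair between {vpn_net} and {lan}")
        if snat is None or snat not in lan:
            problems.append(f"SNAT source {snat} is not inside pushed LAN {lan}")
    return problems
```

check() returns an empty list when everything agrees; feed it the contents of the real files in place of the constructed strings after editing any of them.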

Routing table on the Linux server:

route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.2    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
1.1.1.192       0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    192.168.10.2    255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1

ifconfig on the Linux server:

eth0      Link encap:Ethernet  HWaddr  XXXXXXXX
          inet addr:1.1.1.1  Bcast:1.1.1.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:388987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51440 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:25793966 (24.5 MiB)  TX bytes:12318111 (11.7 MiB)
          Interrupt:66 Base address:0xa000
 
eth1      Link encap:Ethernet  HWaddr  XXXXXXXX
          inet addr:192.168.100.245  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:816339 errors:0 dropped:0 overruns:0 frame:0
          TX packets:457 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:69792681 (66.5 MiB)  TX bytes:29006 (28.3 KiB)
          Interrupt:209 Memory:fe4c0000-fe4e0000
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:18085 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18085 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1497788 (1.4 MiB)  TX bytes:1497788 (1.4 MiB)
 
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.10.1  P-t-P:192.168.10.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

VPN client configuration file:

# pull the pushed options and run as TLS client (required with ca/cert/key)
client
dev tun0
proto udp
remote 1.1.1.1 53
ca ca.crt
cert client.crt
key client.key

The client is Windows 7 and its routes are as follows:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.5.150    192.168.5.165     276
      192.168.5.0    255.255.255.0         On-link     192.168.5.165     276
    192.168.5.165  255.255.255.255         On-link     192.168.5.165     276
    192.168.5.255  255.255.255.255         On-link     192.168.5.165     276
     192.168.10.1  255.255.255.255     192.168.10.5      192.168.10.6      30
     192.168.10.4  255.255.255.252         On-link      192.168.10.6     286
     192.168.10.6  255.255.255.255         On-link      192.168.10.6     286
     192.168.10.7  255.255.255.255         On-link      192.168.10.6     286
    192.168.100.0    255.255.255.0     192.168.10.1      192.168.10.6      31
    192.168.100.0    255.255.255.0     192.168.10.5      192.168.10.6      30

Enjoy!

Please do comment.

Thanks,

Salman Aftab