I prefer to route all my traffic through a vpn server, so I can allow traffic based on just the ip address of my vpn server instead of all ip addresses of the different locations I work at. OpenVPN is a very safe and easy to setup vpn solution. This howto will guide you through the process of installing and configuring OpenVPN on CentOS or Amazon Linux.
Install the OpenVPN and Git packages.
yum install openvpn git
Now we can setup the /etc/openvpn folder. We are doing this by copying the easy-rsa files from the openvpn repository and copying the sample server config file from the openvpn folder.
git clone https://github.com/OpenVPN/easy-rsa /tmp/easy-rsa cp -r /tmp/easy-rsa/easyrsa3 /etc/openvpn/easy-rsa cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
The vars file will be used to create the self-signed certificates. Edig the /etc/openvpn/easy-rsa/vars to contain the following values (you can replace the values with your own values).
export KEY_COUNTRY="US" export KEY_PROVINCE="NY" export KEY_CITY="New York" export KEY_ORG="Organization Name" export KEY_EMAIL="email@example.com" export KEY_CN=droplet.example.com export KEY_NAME=server export KEY_OU=server
Next thing is creating the Certificate Authority so we can sign our server and client cetificates.
cd /etc/openvpn/easy-rsa $ ./easyrsa init-pki $ ./easyrsa build-ca $ ./easyrsa gen-dh
This will create the server certificate. If you need to set a password on the certificate, you can remove nopass.
$ ./easyrsa build-server-full server nopass
Copy the files to the /etc/openvpn folder.
cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/
Update the openvpn server configuration file /etc/openvpn/server.conf. Update the values with these values. These settings will use the Google DNS servers, and configure OpenVPN so it will drop privileges when started.
ca ca.crt cert server.crt key server.key dh dh.pem push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 126.96.36.199" push "dhcp-option DNS 188.8.131.52" user nobody group nobody
Edit /etc/sysctl.conf to enable packet forwarding.
net.ipv4.ip_forward = 1 $ sysctl -p
And finally we can start the OpenVPN daemon. Remember that OpenVPN runs on tcp and udp port 1194, so these ports should be opened in the firewall.
service openvpn restart
Next thing will be to create the client certificates. If you need to set a password on the certificate, you can remove nopass:
$ ./easyrsa build-client-full client nopass
Copy the following files to the client:
Edit client.conf and update the remote attribute with the address of the vpn server (change my-server with the dns name or ip address).
remote my-server 1194
Now the client should create a tunnel with the openvpn server and forward packets. You can check your ip address easily with http://ifconfig.me/.
These are some common errors:
If you are getting the following error on the client, the server certification isn't containing the server type attribute:
Fri Jan 07 09:46:13 2011 VERIFY nsCertType ERROR: /C=###/ST=###/L=###/O=###/emailAddress=###@###.com/CN=###, require nsCertType=SERVER
This can be fixed by either adding the attribute, or removing the check from the client. Adding the attribute to the server certificate (add following lines to openssl.conf):
Or by disabling the type check on the client by commenting the following line:
; ns-cert-type server
Failed to update databases
If you are getting the following error:
failed to update database TXT_DB error number 2
This is because the certificate has been already created by the server. You need to either revoke it or remove it from the pki/index.txt.