
OpenVPN Server - Linux

Setting up an OpenVPN server

  1. Install OpenVPN Server
    # yum install openvpn
  2. Install easy-rsa
    # yum install easy-rsa
    # mkdir ~/easy-rsa
    # cp -ai /usr/share/easy-rsa/2.0/* ~/easy-rsa/
  3. Set the defaults in vars
    Edit the defaults in vars so the certificate fields do not have to be typed again for every certificate:
    # cd ~/easy-rsa
    # vi vars
    # Increase this to 2048 if you
    # are paranoid.  This will slow
    # down TLS negotiation performance
    # as well as the one-time DH parms
    # generation process.
    export KEY_SIZE=1024
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="TW"
    export KEY_PROVINCE="Taiwan"
    export KEY_CITY="NewTaipei"
    export KEY_ORG="Wieson"
    export KEY_EMAIL="eddie@wieson.com"
    export KEY_OU="WSY"
    export KEY_CN="SVNServer"
    Use KEY_SIZE=2048: 1024-bit RSA is below the accepted minimum, and the "if you are paranoid" comment predates that. The transcripts below were captured with 1024, which is why the DH file is called dh1024.pem; with 2048 the file becomes dh2048.pem and server.conf must reference that name. Then source the file and initialise the keys directory:
    # . vars
    # ./clean-all
    clean-all empties ~/easy-rsa/keys, so run it only at initial setup; running it again later deletes the CA key and every certificate issued so far.
  4. Generate the root CA
    Before continuing, make sure the system time is correct, since certificate validity dates are taken from it; preferably set up NTP.
    # ./build-ca


    [root@RD30 easy-rsa]# ./build-ca
    Generating a 1024 bit RSA private key
    writing new private key to 'ca.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taoyuan
    Organization Name (eg, company) [Fort-Funston]:Mapower
    Organizational Unit Name (eg, section) []:Software
    Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Eddie
    Name []:
    Email Address [me@myhost.mydomain]:eddie@mapower.com.tw
  5. Generate the server certificate
    # ./build-inter $( hostname | cut -d. -f1 )
    # ./build-key-server server
    Only the second command produces a server certificate. build-key-server signs with easy-rsa's "server" extensions (nsCertType server, extendedKeyUsage serverAuth), which clients check with remote-cert-tls server (ns-cert-type server on older clients). build-inter, shown in the transcript below, signs with the v3_ca extensions and therefore produces an intermediate CA certificate (CA:TRUE) without the server extensions; a client that checks the certificate type will reject a server presenting it. Use server.crt and server.key in server.conf.


    [root@RD30 easy-rsa]# ./build-inter $( hostname | cut -d. -f1 )
    Generating a 1024 bit RSA private key
    writing new private key to 'RD30.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taoyuan
    Organization Name (eg, company) [Fort-Funston]:Mapower
    Organizational Unit Name (eg, section) []:Software
    Common Name (eg, your name or your server's hostname) [RD30]:
    Name []:
    Email Address [me@myhost.mydomain]:eddie@mapower.com.tw
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:784026
    An optional company name []:eddie
    Using configuration from /root/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'TW'
    stateOrProvinceName   :PRINTABLE:'Taiwan'
    localityName          :PRINTABLE:'Taoyuan'
    organizationName      :PRINTABLE:'Mapower'
    commonName            :PRINTABLE:'RD30'
    emailAddress          :IA5STRING:'eddie@mapower.com.tw'
    Certificate is to be certified until Oct 14 12:17:45 2020 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@RD30 easy-rsa]#
  6. Generate dh1024.pem, the Diffie-Hellman parameters the server needs for the TLS key exchange.
    # ./build-dh
    The size follows KEY_SIZE; 1024-bit DH parameters are as weak as a 1024-bit RSA key, so with KEY_SIZE=2048 this step writes dh2048.pem. Generation takes a while.
  7. Copy the generated keys to the service directory
    # mkdir /etc/openvpn/keys    (if it does not exist yet)
    # cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh1024.pem /etc/openvpn/keys/
    With build-key-server the pair is keys/server.crt and keys/server.key instead of the hostname-named pair. Leave ca.key in ~/easy-rsa/keys (the server never needs it) and make the copied private key readable by root only (mode 600).
  8. Edit /etc/openvpn/server.conf (copy the sample from /usr/share/doc/openvpn-2.3.2/sample/sample-config-files)
    # cp -ai /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
    # TLS parms
    ca keys/ca.crt
    cert keys/4000A.crt
    key keys/4000A.key
    dh keys/dh1024.pem
    (4000A is the hostname of the box this was taken from; the cert and key names must match the files copied in step 7, and relative paths are resolved from the directory OpenVPN runs in, /etc/openvpn here.)
    The directives to check:
    local a.b.c.d  -->  IP to listen on; if omitted, OpenVPN listens on all interfaces
    port 1194  -->  listen port
    proto tcp  -->  tcp or udp. udp is the default and the better choice for a VPN; whichever is chosen, the firewall rules in steps 11 and 12 must open that protocol (they open UDP 1194, so they do not match proto tcp)
    dev tun  -->  tun (routed) or tap (bridged)
    ca ./keys/ca.crt  -->  path to ca.crt
    cert ./keys/server.crt  -->  path to server.crt
    key ./keys/server.key   -->  path to server.key
    dh ./keys/dh1024.pem  -->  path to dh1024.pem
    server  -->  VPN address pool, given as network and netmask; the server takes the first address of the pool and hands out the rest to clients
    push "redirect-gateway"  -->  route all client traffic through this gateway (needs IP forwarding and NAT on the server, see step 12)
    push "dhcp-option DNS"  -->  DNS server pushed to clients; without it clients keep their previous resolver even when all traffic is redirected
    duplicate-cn  -->  allow several simultaneous connections with the same certificate. Avoid it in production: give each client its own certificate so connections can be attributed and revoked individually. With duplicate-cn the same common name appears more than once in the status output and per-client settings (client-config-dir, ifconfig-push) cannot be applied.
  9. Start OpenVPN
    # service openvpn start
  10. If it started, check the result with:
    ifconfig: the VPN interface (tun or tap) should be up
    netstat -tulnp: port 1194 should be listening (udp or tcp, matching proto)
  11. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194 (TCP 1194 if proto tcp was chosen in step 8).
  12. The following should work (assuming your outside interface is eth1 and your inside interface is eth0):
    iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
    iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    These rules only permit forwarding. If push "redirect-gateway" is used, IP forwarding must also be enabled in the kernel (net.ipv4.ip_forward = 1) and the VPN subnet needs a NAT (MASQUERADE) rule in the POSTROUTING chain on eth1; otherwise client packets leave with their tunnel source address and no replies come back. Note that "-i tun+ -j ACCEPT" in INPUT and FORWARD lets every VPN client reach every service on the server and the LAN; restrict it to what clients actually need.
  13. Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:
    append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    append INPUT -i tun+ -j ACCEPT
    append FORWARD -i tun+ -j ACCEPT
    append FORWARD -i eth0 -o tun+ -j ACCEPT
    append FORWARD -i eth1 -o tun+ -j established
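Steps 3 to 7 above, as an added example that is not code from the original page or from easy-rsa: the script does with plain openssl(1) what build-ca, build-key-server and build-inter do, using a 2048-bit key and the subject values from the transcripts, and then checks the resulting certificates the way a client with remote-cert-tls server would. It assumes openssl is installed and writes to $PKI_DIR (a temporary directory unless set); the extension sections are modelled on easy-rsa 2.0's openssl.cnf, and the function names (build_ca, issue, is_server_cert, chain_ok) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page or from easy-rsa: it
# reproduces with plain openssl(1) what steps 3 to 7 do with easy-rsa 2.0
# (build-ca, build-key-server, build-inter) so the difference between a
# server certificate and an intermediate-CA certificate can be checked.
# Assumptions: openssl is installed; output goes to $PKI_DIR (a temporary
# directory unless set); KEY_SIZE is 2048 rather than the page's 1024.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
KEY_SIZE=2048
DAYS=3650
SUBJ="/C=TW/ST=Taiwan/L=Taoyuan/O=Mapower/OU=Software"   # values from the page's transcript

# Extension sections modelled on easy-rsa 2.0's openssl.cnf: 'v3_ca' is what
# build-ca and build-inter sign with, 'server' is what build-key-server uses.
write_cnf() {
    cat > "$PKI_DIR/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
# the subject is supplied on the command line with -subj

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# build_ca: self-signed root CA (what ./build-ca writes as ca.crt and ca.key)
build_ca() {
    openssl req -x509 -new -nodes -newkey "rsa:$KEY_SIZE" -sha256 -days "$DAYS" \
        -subj "$SUBJ/CN=Mapower CA" -config "$PKI_DIR/pki.cnf" -extensions v3_ca \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
    chmod 600 "$PKI_DIR/ca.key"
}

# issue NAME EXTSECTION: key and CSR for NAME, signed by the CA with the given
# extension section ('server' = build-key-server, 'v3_ca' = build-inter)
issue() {
    name=$1; ext=$2
    openssl req -new -nodes -newkey "rsa:$KEY_SIZE" -sha256 \
        -subj "$SUBJ/CN=$name" -config "$PKI_DIR/pki.cnf" \
        -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -in "$PKI_DIR/$name.csr" -sha256 -days "$DAYS" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/pki.cnf" -extensions "$ext" \
        -out "$PKI_DIR/$name.crt" 2>/dev/null
    chmod 600 "$PKI_DIR/$name.key"      # step 7: private keys readable by root only
}

# is_server_cert FILE: true only for a leaf certificate (CA:FALSE) carrying the
# serverAuth EKU, i.e. what a client's 'remote-cert-tls server' accepts
is_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' &&
        printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'
}

# chain_ok FILE: the certificate verifies against ca.crt
chain_ok() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

write_cnf
build_ca
issue server server    # ./build-key-server server
issue RD30 v3_ca       # ./build-inter RD30, what the page's transcript did

for f in server RD30; do
    if is_server_cert "$PKI_DIR/$f.crt"; then
        echo "$f.crt: server certificate, usable as cert/key in server.conf"
    else
        echo "$f.crt: not a server certificate (CA:TRUE, no serverAuth); a client with remote-cert-tls server rejects it"
    fi
done
echo "files written to $PKI_DIR"
```

Running it prints that server.crt is a server certificate while RD30.crt, although it verifies against ca.crt just as well, is a CA certificate; that is the difference between build-key-server and build-inter in step 5, and why the check has to look at the extensions and not only at whether the chain verifies.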

Get Client List

  1. In the server config, add the management interface: management IP port [pw-file]
    management localhost 8998
    Bind it to localhost and give it a pw-file: the interface is not read-only, whoever reaches the socket can list and kill sessions and change server state. With a pw-file the password is the first line the client has to send after connecting.
  2. Connect to it with telnet
    telnet localhost 8998
  3. Enter status to list the clients (help shows the other commands)
    For example (the real and virtual addresses were removed from this capture):
    [root@4000A openvpn]# telnet localhost 8998
    Connected to localhost.
    Escape character is '^]'.
    >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
    status
    Updated,Sat May  6 09:46:15 2017
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    eddie,,1309218,3106911,Sat May  6 09:15:38 2017
    blue,,27023,24983,Sat May  6 09:46:01 2017
    Virtual Address,Common Name,Real Address,Last Ref
    eddie,,Sat May  6 09:45:52 2017
    blue,,Sat May  6 09:46:15 2017
    Max bcast/mcast queue length,0
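An added example, not code from the original page, that parses the status text above instead of reading it by eye: the awk filter joins the CLIENT LIST and ROUTING TABLE sections of the status-version 1 output so each session is listed with its common name, real address and tunnel address, and it reports common names with more than one session, which only happens with duplicate-cn. SAMPLE_STATUS is constructed (RFC 5737 documentation addresses, with the section headers OpenVPN prints that were cut from the capture above); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: parse the text the
# management interface returns for "status" (status-version 1, the layout
# shown above) and join the CLIENT LIST and ROUTING TABLE sections so every
# session is listed with its common name, real address and tunnel address.
# SAMPLE_STATUS is constructed (RFC 5737 addresses); it includes two sessions
# for "eddie", which is what duplicate-cn makes possible.
set -eu

SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Sat May  6 09:46:15 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
eddie,203.0.113.10:51234,1309218,3106911,Sat May  6 09:15:38 2017
blue,198.51.100.7:40001,27023,24983,Sat May  6 09:46:01 2017
eddie,192.0.2.25:60000,512,640,Sat May  6 09:46:10 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,eddie,203.0.113.10:51234,Sat May  6 09:45:52 2017
10.8.0.10,blue,198.51.100.7:40001,Sat May  6 09:46:15 2017
10.8.0.14,eddie,192.0.2.25:60000,Sat May  6 09:46:12 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# list_clients STATUS_TEXT: one line per session,
#   <common name> <real address> <virtual address> <bytes received> <bytes sent>
# Sessions are keyed on CN plus real address, so two sessions sharing a CN
# (duplicate-cn) stay distinct instead of overwriting each other. In tap mode
# the routing table holds MAC addresses, several per client; the last one wins.
list_clients() {
    printf '%s\n' "$1" | awk -F, '
        /^OpenVPN CLIENT LIST/    { sect = "clients"; next }
        /^ROUTING TABLE/          { sect = "routes";  next }
        /^GLOBAL STATS/ || /^END/ { sect = "";        next }
        /^(Updated|Common Name|Virtual Address),/ { next }
        sect == "clients" && NF >= 5 {
            k = $1 "|" $2; n++; order[n] = k
            cn[k] = $1; real[k] = $2; rx[k] = $3; tx[k] = $4
        }
        sect == "routes" && NF >= 4 { vaddr[$2 "|" $3] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                v = (k in vaddr) ? vaddr[k] : "-"
                printf "%s %s %s %s %s\n", cn[k], real[k], v, rx[k], tx[k]
            }
        }'
}

# client_count STATUS_TEXT: number of sessions in the CLIENT LIST section
client_count() {
    list_clients "$1" | wc -l | tr -d ' '
}

# virtual_address_of STATUS_TEXT CN: tunnel address of the first session for CN
virtual_address_of() {
    list_clients "$1" | awk -v want="$2" '$1 == want { print $3; exit }'
}

# duplicate_cns STATUS_TEXT: common names with more than one session, which is
# only possible when the server has duplicate-cn set
duplicate_cns() {
    list_clients "$1" | awk '{ seen[$1]++ } END { for (c in seen) if (seen[c] > 1) print c }'
}

echo "CN real_address virtual_address bytes_rx bytes_tx"
list_clients "$SAMPLE_STATUS"
echo "sessions: $(client_count "$SAMPLE_STATUS")"
echo "common names with several sessions: $(duplicate_cns "$SAMPLE_STATUS")"
```

In use, replace SAMPLE_STATUS with the text captured from the management socket (for example by piping the status command through telnet or nc and saving the reply); with a pw-file the password must be sent as the first line. The duplicate_cns output is the practical argument against duplicate-cn in step 8: once the same common name has two sessions, nothing in the status output says which person or device each one is.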