
Article Last Updated: 2009-11-30 2:32PM zhaoke
OpenVPN is a free and open source virtual private network (VPN) program for creating point-to-point or server-to-multiclient encrypted tunnels between host computers.
This guide gives step-by-step instructions for setting up an OpenVPN server and client, so that a Windows 7 RTM 64-bit desktop can connect to a Fedora 11 Linux server.
[root@islab ~]# cat /etc/redhat-release
Fedora release 11 (Leonidas)
[root@islab ~]# rpm -qa|grep openvpn
openvpn-2.1-0.32.rc15.fc11.i586


1. Installing OpenVPN 2.1 Server on Fedora 11 Linux
1.1 Preparing the Network
The server's IP address is 210.77.100.1; it runs Fedora 11 Linux with OpenVPN 2.1. The desktop has a dynamic IP address and runs Windows 7 RTM 64-bit with OpenVPN GUI 1.0.3.
Linux DNS Settings:
[root@islab ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 210.77.102.5
nameserver 210.77.103.5
1.2 Preparing the System
Installing OpenVPN on Fedora uses the yum, wget and rpm commands; this guide assumes yum and rpm are already present. Log in as root and run:
[root@islab ~]# yum update;yum install wget -y
Then install a few additional packages (OpenSSL for the TLS layer, LZO for optional compression, PAM for optional password authentication, plus their headers):
openssl
openssl-devel
lzo
lzo-devel
pam
pam-devel
[root@islab ~]# yum install openssl openssl-devel lzo lzo-devel pam pam-devel -y
OpenVPN joins a tun device on each machine over UDP or TCP, so make sure the kernel's TUN/TAP driver is available (the Fedora 11 kernel ships it as a module). Note that /proc/net/dev lists only tun interfaces that currently exist, so an empty result here does not by itself mean the kernel lacks TUN support; the module may simply not be loaded yet:
[root@islab ~]# cat /proc/net/dev|grep tun
If nothing shows, check the kernel configuration before concluding anything. A stock Fedora kernel has no /usr/src/linux/.config; its configuration lives in /boot/config-$(uname -r) and should contain CONFIG_TUN=m or CONFIG_TUN=y:
[root@islab ~]# grep "CONFIG_TUN=" /boot/config-$(uname -r)
CONFIG_TUN=m (or CONFIG_TUN=y)
With CONFIG_TUN=m the driver is loaded when /dev/net/tun is first opened (or by hand with modprobe tun). Only if the option is absent altogether does the kernel need rebuilding with TUN/TAP support.
For more information about enabling Linux kernel support for TUN/TAP devices, see:
http://www.installationwiki.org/OpenVPN#Enabling_Linux_kernel_support_for_TUN.2FTAP_devices
1.3 Installing OpenVPN Server
With the above steps complete, install OpenVPN itself:
[root@islab ~]# yum install openvpn -y
1.4 Generate the Master CA key:
[root@islab ~]# cp -ai /usr/share/openvpn/easy-rsa/2.0 ~/easy-rsa
[root@islab ~]# cd ~/easy-rsa
[root@islab ~]# pwd
/root/easy-rsa
[root@islab ~]# mkdir /etc/openvpn/keys
[root@islab ~]# cp -ai ~/easy-rsa/keys/* /etc/openvpn/keys
(On a fresh copy of easy-rsa there is usually nothing in ~/easy-rsa/keys yet, so this copy is harmless but does nothing; ./clean-all below creates what the directory needs.)
[root@islab ~]# . ./vars
Note: there is a space between the two dots. This sources vars into the current shell; the default it sets is KEY_DIR=~/easy-rsa/keys.

[root@islab ~]# ./clean-all
clean-all deletes and re-creates $KEY_DIR, writing the empty index.txt and serial files that the signing steps need. Here it acted on ~/easy-rsa/keys, because that is what vars set; the script in the next step points KEY_DIR at /etc/openvpn/keys instead, so run ./clean-all once more from inside that script's shell before build-ca, and never again once ca.key exists, because it wipes every key and certificate in KEY_DIR.
Create a shell script that exports the environment variables easy-rsa uses when generating keys. I named mine genvars_ca; it contains the following:
export KEY_CONFIG=/root/easy-rsa/openssl.cnf
export KEY_DIR=/etc/openvpn/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="islab.org"
export KEY_EMAIL="youremail@yourcompany.com"
exec $SHELL -i    # replace this script with an interactive shell that inherits the exports above
http://zhaoke.com/blog/data/2009/1130/genvars_ca
Before running it, reconsider KEY_SIZE: 1024-bit RSA was the easy-rsa default when this was written but is no longer adequate; use 2048 or larger for any new CA (the outputs below were produced with 1024, and the dh line in server.conf must match whatever size build-dh produces). Make the script executable:
[root@islab ~]# chmod +x genvars_ca
Run it. Because of the exec line it replaces itself with an interactive shell that inherits the variables, so every build-* command below must be typed in that shell (typing exit discards the variables):
[root@islab ~]# ./genvars_ca
Verify that the variables are set in that shell:
[root@islab ~]# env|grep KEY

Next, build the CA. This writes ca.key, the CA private key, and the self-signed ca.crt into $KEY_DIR. ca.key signs every server and client certificate, and anyone who holds it can mint credentials the VPN will accept, so keep it readable by root only, back it up offline, and never copy it to a client:
[root@islab ~]# ./build-ca
Output:
Generating a 1024 bit RSA private key
..........++++++
..............................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [islab.org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [islab.org CA]:
Name []:
Email Address [youremail@yourcompany.com]:
1.5 Generate key for server:
Just press Enter at most prompts; the Common Name must be "server". The challenge password and optional company name are attributes of the signing request that easy-rsa does not use, so they can be left blank (they neither encrypt nor protect the key). The script then signs the request with the CA; the 3650-day validity comes from KEY_EXPIRE in vars.
[root@islab ~]# ./build-key-server server
Output:
Generating a 1024 bit RSA private key
........++++++
.++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [islab.org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [youremail@yourcompany.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhaoke.com
An optional company name []:zhaoke.com
Using configuration from /root/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : PRINTABLE:'CN'
stateOrProvinceName : PRINTABLE:'BJ'
localityName : PRINTABLE:'BJ'
organizationName : PRINTABLE:'islab.org'
commonName : PRINTABLE:'server'
emailAddress : IA5STRING:'youremail@yourcompany.com'
Certificate is to be certified until Nov 27 13:49:01 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
1.6 Generate key for client:
As above, but the Common Name must be unique per client: by default the server allows only one active session per Common Name, so two clients sharing a certificate keep disconnecting each other, and they cannot be revoked separately. For more clients, repeat the step with a different name each time:
./build-key client1
./build-key client2
…
Now generate the key for one client:
[root@islab ~]# ./build-key client
Output:
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [islab.org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client]:
Name []:
Email Address [dns-manager@islab.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhaoke.com
An optional company name []:zhaoke.com
Using configuration from /root/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : PRINTABLE:'CN'
stateOrProvinceName : PRINTABLE:'BJ'
localityName : PRINTABLE:'BJ'
organizationName : PRINTABLE:'islab.org'
commonName : PRINTABLE:'client'
emailAddress : IA5STRING:'youremail@yourcompany.com'
Certificate is to be certified until Nov 27 13:57:06 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
1.7 Generate Diffie Hellman parameters:
[root@islab ~]# ./build-dh
Output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......+....+.....................++*++*++*
The output file name follows KEY_SIZE: with KEY_SIZE=1024 it is dh1024.pem; with KEY_SIZE=2048 (recommended for a new deployment) it is dh2048.pem, and the dh line in server.conf must be changed to match.
1.8 Creating and Editing the server configuration file:
Copy the roadwarrior-server.conf sample to /etc/openvpn/server.conf and edit it as below. Paths in the file are relative to /etc/openvpn, the working directory the Fedora init script gives each instance:
[root@islab ~]# cp -ai /usr/share/doc/openvpn-*/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 172.6.1.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 210.77.102.5"
push "dhcp-option DNS 210.77.103.5"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-udp_status.log
verb 4
A few things to review before using this file as written:
The subnet 172.6.1.0/24 is not private address space (RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), so while connected, clients cannot reach whoever really owns that block on the Internet. Choose a private range such as 10.8.0.0/24 and use the same range in the NAT rule in 1.9.
push "redirect-gateway def1" is the more robust form: def1 overrides the client's default route with two /1 routes instead of replacing it, so the original gateway comes back cleanly when the tunnel drops.
Add user nobody and group nobody so the daemon drops root once the tunnel is up; persist-key and persist-tun, already present, are what let it keep running without root across restarts.
Add tls-auth ta.key 0, with a shared key created by openvpn --genkey --secret ta.key and copied to every client (which uses tls-auth ta.key 1), so that packets without a valid HMAC are discarded before any TLS processing.
comp-lzo must match on both sides. Compressing data before encrypting it has since been shown to leak plaintext to an attacker who can inject traffic (the 2018 VORACLE attack against OpenVPN), and current releases discourage it.
Download server.conf from here:
http://zhaoke.com/blog/data/2009/1130/server.conf
or wget http://zhaoke.com/blog/data/2009/1130/server.conf
1.9 Running the VPN server:
[root@islab ~]# chkconfig --level 2345 openvpn on
[root@islab ~]# service openvpn start
Check that the daemon is listening on UDP port 1194:
[root@islab ~]# lsof -i:1194
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
openvpn 31758 root 5u IPv4 398062 UDP *:openvpn
Then enable IP forwarding. This takes effect immediately but is lost at reboot, so also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf:
[root@islab ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
Configure the firewall and NAT. The SNAT rule rewrites the source address of tunnel traffic leaving eth0 to the server's public address, so that replies come back to the server and down the tunnel (the subnet must match the server line in server.conf):
[root@islab ~]# iptables -t nat -A POSTROUTING -s 172.6.1.0/24 -o eth0 -j SNAT --to-source 210.77.100.1
Two further rules are needed with the stock Fedora firewall, which ends its INPUT and FORWARD chains with a REJECT rule: accept UDP 1194 on eth0 in INPUT (the lsof check above proves only that the daemon is listening, not that the firewall lets packets reach it), and in FORWARD accept traffic from tun0 to eth0 together with established replies back, inserted ahead of that REJECT. Then save the rules so they are restored at boot:
[root@islab ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
If iptables is not installed, install and start it first:
[root@islab ~]# yum install iptables;service iptables start
2. Installing OpenVPN GUI on windows 7 64-bit
The latest version of OpenVPN GUI supports Windows 7 64-bit; download it from here:
http://openvpn.se/download.html
Then copy the client's credentials from the server to the desktop. Only three files belong to the client: ca.crt (the CA certificate, which is public), client.crt and client.key. Do not copy ca.key: it is the CA private key, and anyone holding it can sign certificates the server will accept. client.csr is the signing request and is not needed either.
On server-side:
[root@islab ~]# mkdir -p ~/client
[root@islab ~]# cd /etc/openvpn/keys
[root@islab ~]# cp -ai client.{crt,key} ca.crt ~/client
Creating and editing the client configuration file:
Start from the roadwarrior-client.conf sample (not the server one) and edit it as below. The Fedora init script starts an OpenVPN instance for every *.conf file it finds in /etc/openvpn, so a client.conf left there would make the server also launch a client pointed at itself; rename it to client.ovpn as soon as it is edited (next step below).
[root@islab ~]# cp -ai /usr/share/doc/openvpn-*/sample-config-files/roadwarrior-client.conf /etc/openvpn/client.conf
client
dev tun
proto udp
remote 210.77.100.1 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 4
ns-cert-type server makes the client reject any peer whose certificate lacks the nsCertType=server extension that build-key-server sets, which stops a stolen client certificate from being used to impersonate the server. Newer OpenVPN releases deprecate it in favour of remote-cert-tls server, which checks the extendedKeyUsage=serverAuth extension that build-key-server also sets. If you enable tls-auth on the server, add tls-auth ta.key 1 here and ship ta.key alongside the other files.
Download ovpn.conf from here:
http://zhaoke.com/blog/data/2009/1130/ovpn.conf
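Both files are short enough to review by eye, but the hardening points are easy to miss, so here is a small audit script, an added example written for this article rather than code from OpenVPN or the original post. It parses a config the way OpenVPN reads it (one directive per line, a double-quoted argument kept as one token) and reports a server subnet outside RFC 1918, redirect-gateway pushed without def1, no user/group privilege drop, a dh file named for fewer than 2048 bits, a client with no server-certificate check, the deprecated ns-cert-type directive, a missing tls-auth and the use of comp-lzo. The two configs embedded in it are the ones shown in this article, reproduced inline as sample input so it runs offline; the finding texts are this script's own wording.

```python
import ipaddress
import re

# Inline copies of the two configs from this article (constructed sample
# input so the script runs offline; in practice read the files from disk).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 172.6.1.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 210.77.102.5"
push "dhcp-option DNS 210.77.103.5"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-udp_status.log
verb 4
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote 210.77.100.1 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 4
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(text):
    """Return [(directive, [args]), ...]. Lines starting with '#' or ';' are
    comments; a double-quoted argument (push "redirect-gateway def1") stays
    one token, which is how OpenVPN itself reads it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        entries.append((words[0], words[1:]))
    return entries


def audit(text):
    """Return a list of findings for one server or client config."""
    conf = parse(text)

    def has(directive):
        return any(name == directive for name, _ in conf)

    def args_of(directive):
        return [args for name, args in conf if name == directive]

    findings = []
    if has("server"):                                   # server-side checks
        addr, mask = args_of("server")[0][:2]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"server subnet {net} is not RFC 1918 private space")
        for args in args_of("push"):
            words = args[0].split() if args else []
            if words and words[0] == "redirect-gateway" and "def1" not in words:
                findings.append('push "redirect-gateway" without def1')
        if not (has("user") and has("group")):
            findings.append("daemon keeps root: add user nobody / group nobody")
        for args in args_of("dh"):
            bits = re.search(r"\d+", args[0]) if args else None
            if bits and int(bits.group()) < 2048:
                findings.append(f"dh file {args[0]} suggests < 2048-bit parameters")
    if has("client") and not (has("ns-cert-type") or has("remote-cert-tls")):
        findings.append("client does not verify that the peer holds a server certificate")
    if has("ns-cert-type"):
        findings.append("ns-cert-type is deprecated; prefer remote-cert-tls server")
    if not has("tls-auth"):                             # applies to both sides
        findings.append("no tls-auth: control channel accepts unauthenticated packets")
    if has("comp-lzo"):
        findings.append("comp-lzo: compressing encrypted traffic is discouraged")
    return findings


if __name__ == "__main__":
    for fname, text in (("server.conf", SERVER_CONF), ("client.ovpn", CLIENT_CONF)):
        print(fname, *audit(text), sep="\n  ")
```

Run against the article's server.conf it reports six findings and against the client file three; a server config using 10.8.0.0/24, redirect-gateway def1, user/group nobody, dh2048.pem and tls-auth comes back clean. The dh check only reads the file name, which is a convention of easy-rsa, not a guarantee; to know the real size, inspect the file with openssl.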
Rename client.conf to client.ovpn (the extension OpenVPN GUI looks for) and copy it into the ~/client directory:
[root@islab ~]# cd /etc/openvpn
[root@islab ~]# mv client.conf client.ovpn
[root@islab ~]# cp -ai /etc/openvpn/client.ovpn ~/client
Archive the folder ~/client and transfer it to C:\Program Files (x86)\OpenVPN\config\ on the client:
[root@islab ~]# cd ~
[root@islab ~]# tar cvf client.tar client/
The archive contains client.key, so do not put it in a web-served directory such as public_html, where anyone who guesses the URL can fetch it. Pull it from the Windows machine over an authenticated, encrypted channel instead (SFTP over SSH, for example with WinSCP, or carry it on removable media), extract it into the config directory, and delete client.tar and ~/client from the server once the transfer has been confirmed.
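A hand-assembled bundle is easy to get wrong (a cp ca.{crt,key} brace expansion, for instance, silently includes the CA private key). The following script is an added example written for this article, not code from the OpenVPN project or the original post. It builds the client archive from an easy-rsa key directory, taking only ca.crt, the named client's certificate and key, its .ovpn and, if present, ta.key; it refuses "ca" and "server" as client names, stores keys with mode 0600 under a config/ prefix so the archive unpacks straight into the GUI's config directory, and creates the archive owner-only. The demo() function fabricates a placeholder key directory (the file contents are stand-ins, not real PEM) so the script runs stand-alone; the file names are the ones used above.

```python
import os
import tarfile
import tempfile

# What a road-warrior client needs, and nothing else: the public CA cert,
# its own cert and key, and its config. ta.key is added only if the server
# uses tls-auth. ca.key, server.key, *.csr, index.txt and serial stay home.
REQUIRED = ("ca.crt", "{name}.crt", "{name}.key")
OPTIONAL = ("ta.key",)
RESERVED_NAMES = {"ca", "server"}   # never clients; "ca" would pull in ca.key


def build_client_bundle(keys_dir, ovpn_path, name, out_tar):
    """Write out_tar with the files for client `name`; return {member: mode}.

    Raises ValueError for a reserved name, a missing required file, or any
    private key other than the client's own (and ta.key) reaching the archive.
    """
    if name in RESERVED_NAMES:
        raise ValueError(f"{name!r} is not a client name")
    sources = {}
    for pattern in REQUIRED:
        fname = pattern.format(name=name)
        src = os.path.join(keys_dir, fname)
        if not os.path.isfile(src):
            raise ValueError(f"missing {src}")
        sources[fname] = src
    for fname in OPTIONAL:
        src = os.path.join(keys_dir, fname)
        if os.path.isfile(src):
            sources[fname] = src
    sources[f"{name}.ovpn"] = ovpn_path

    # Create the archive itself owner-only, independent of the umask.
    fd = os.open(out_tar, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as raw, tarfile.open(fileobj=raw, mode="w") as tar:
        for fname, src in sorted(sources.items()):
            if fname.endswith(".key") and fname not in (f"{name}.key", "ta.key"):
                raise ValueError(f"refusing to bundle private key {fname}")  # defence in depth
            info = tar.gettarinfo(src, arcname=f"config/{fname}")
            info.uid = info.gid = 0            # do not leak server account details
            info.uname = info.gname = ""
            info.mode = 0o600 if fname.endswith(".key") else 0o644
            with open(src, "rb") as fh:
                tar.addfile(info, fh)
    return archive_modes(out_tar)


def archive_modes(tar_path):
    """Return {member name: mode} for an archive, for checking the result."""
    with tarfile.open(tar_path) as tar:
        return {m.name: m.mode for m in tar.getmembers()}


def demo(name="client"):
    """Constructed easy-rsa keys directory, CA key included, as on this page."""
    tmp = tempfile.mkdtemp()
    keys = os.path.join(tmp, "keys")
    os.mkdir(keys)
    for f in ("ca.crt", "ca.key", "server.crt", "server.key",
              "client.crt", "client.key", "client.csr", "index.txt", "serial"):
        with open(os.path.join(keys, f), "w") as fh:
            fh.write(f"placeholder for {f}\n")   # stand-in content, not real PEM
    ovpn = os.path.join(tmp, "client.ovpn")
    with open(ovpn, "w") as fh:
        fh.write("client\nremote 210.77.100.1 1194\n")
    return build_client_bundle(keys, ovpn, name, os.path.join(tmp, "client.tar"))


if __name__ == "__main__":
    for member, mode in demo().items():
        print(f"{mode:04o} {member}")
```

The placeholder directory deliberately contains ca.key and server.key next to the client files, which is exactly the layout /etc/openvpn/keys has after the steps above; the returned member list shows that neither reaches the archive. On the Windows side the extracted client.key still inherits NTFS permissions from the config directory, so restrict it there as well.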

Remember to set OpenVPN GUI to run as administrator (right-click > Properties > Compatibility tab > Run this program as an administrator): on Windows 7 it needs elevation to add the routes and DNS settings the server pushes.

Now connect to your VPN server: right-click the OpenVPN GUI tray icon and click Connect. When the icon turns green, the tunnel is up.

You can now ping 172.6.1.1, the server's address on the tunnel (the first address of the subnet given to the server directive), and check that your public address as seen from the Internet is 210.77.100.1, which confirms the redirect-gateway push and the SNAT rule are working:
Islab.org
