Install OpenVPN with FreeRadius on CentOS/RHEL 5 or 6 Part 1

Overview

OpenVPN Access Server is a full-featured SSL VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, a simplified OpenVPN Connect UI, and OpenVPN Client software packages for Windows, Mac, and Linux environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/or private cloud network resources and applications with fine-grained access control.

OpenVPN creates a tun or tap interface on both the client and the server and assigns each one an IP address from the range you provide. You can think of these additional tun/tap interfaces as being connected by a very long LAN cable (the internet). The range is normally taken from the private address space used in your internal network. For this scenario I will be using the range 10.8.0.0 to 10.8.0.100 with netmask 255.255.255.0. OpenVPN gives the very first address in this range to the server's own tun or tap interface. Once a client machine connects to my internal network over the VPN it is assigned an IP from the range 10.8.0.0 to 10.8.0.100, barring that very first IP, which belongs to the OpenVPN server.

The openvpn package is available from the EPEL repository, so let's enable it first. To enable the EPEL repository click here.

Install openvpn and bridge-utils


# yum --enablerepo=epel -y install openvpn bridge-utils

Copy the sample configuration file into the openvpn directory


# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/

Open the configuration file in an editor of choice


# vi /etc/openvpn/server.conf

Change the following lines as shown below starting line 78


ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

Change line 87 to


dh /etc/openvpn/easy-rsa/keys/dh1024.pem

Next copy the sample key generation scripts to the /etc/openvpn directory and build a Certificate Authority.


# cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa
# mv openssl-1.0.0.cnf openssl.cnf
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./clean-all
# ./build-ca

Sample from my machine

Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:LinuxDrops
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [changeme]:openvpn.linuxdrops.com
Name [changeme]:server
Email Address [mail@host.domain]:admin@linuxdrops.com

The OpenVPN server and its clients communicate with each other over a TLS-secured connection, so each side needs its own certificate signed by the CA just created. Next we create the server certificate and then one certificate for each client.


# ./build-key-server server

Sample from my machine

Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:LinuxDrops
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [server]:openvas.linuxdrops.com
Name [changeme]:server
Email Address [mail@host.domain]:admin@linuxdrops.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'LinuxDrops'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'openvas.linuxdrops.com'
name :PRINTABLE:'server'
emailAddress :IA5STRING:'admin@linuxdrops.com'
Certificate is to be certified until Mar 9 14:07:02 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

Next we will generate the Diffie-Hellman parameters.


# ./build-dh

Generate the client keys and certs. I will be creating 2 certs, one for my Ubuntu client and another for Windows. You will find all the generated keys and certs under the /etc/openvpn/easy-rsa/keys directory.


# ./build-key-pass ubuntu
# ./build-key-pass windows-xp

Now move each client's key and cert, together with the CA cert file, to the respective client.

Start the openvpn server and make sure it starts automatically when the server reboots.


# /etc/rc.d/init.d/openvpn start
# chkconfig openvpn on
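Before relying on the daemon, it is worth checking that the four PKI paths set in server.conf above resolve, that the private key is not readable by group or others, and how large the Diffie-Hellman prime from build-dh really is. The script below is an added example and not part of the original post: it parses the PEM DH parameters itself (so no openssl binary is needed), assumes relative file names resolve beside the config file (OpenVPN itself resolves them against its working directory), and the make_sample fixture is constructed for the test rather than being real build-dh output.

```python
import base64, os, stat, tempfile

def parse_conf(text):
    """Map directive -> args for an OpenVPN config; '#' or ';' starts a comment, a later duplicate wins."""
    rows = [ln.split('#', 1)[0].split(';', 1)[0].split() for ln in text.splitlines()]
    return {w[0]: w[1:] for w in rows if w}

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of the content)."""
    k = buf[i] & 0x7F if buf[i] >= 0x80 else 0          # k = number of long-form length bytes
    return (int.from_bytes(buf[i + 1:i + 1 + k], 'big') if k else buf[i]), i + 1 + k

def dh_prime_bits(pem):
    """Bit length of p in a PEM 'DH PARAMETERS' blob, i.e. SEQUENCE { INTEGER p, INTEGER g }."""
    der = base64.b64decode(''.join(ln for ln in pem.splitlines() if not ln.startswith('-----')))
    _, i = _der_len(der, 1)         # der[0] is 0x30 (SEQUENCE); i indexes its first element
    plen, j = _der_len(der, i + 1)  # der[i] is 0x02 (INTEGER p); a 0x00 sign pad does not change bit_length
    return int.from_bytes(der[j:j + plen], 'big').bit_length()

def audit(conf_path):
    """Findings for the ca/cert/key/dh files a server.conf names (assumption: relative names resolve beside it)."""
    conf = parse_conf(open(conf_path).read())
    base = os.path.dirname(os.path.abspath(conf_path))
    findings = []
    for d in ('ca', 'cert', 'key', 'dh'):
        path = os.path.join(base, conf.get(d, ['<directive missing>'])[0])  # absolute paths pass through unchanged
        if not os.path.isfile(path):
            findings.append(f'{d}: file not found: {path}')
        elif d == 'key' and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f'key: readable by group/others: {path}')
        elif d == 'dh' and dh_prime_bits(open(path).read()) < 2048:
            findings.append(f'dh: prime shorter than 2048 bits: {path}')
    return findings

def make_sample(dh_bits, key_mode):
    """Constructed fixture (not build-dh output): dummy ca/cert/key plus DH params whose p has dh_bits bits."""
    def der(tag, body):  # TLV with a minimal DER length
        n, k = len(body), (len(body).bit_length() + 7) // 8
        return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, 'big')) + body
    def integer(v):      # one spare byte keeps the sign bit clear
        return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, 'big'))
    seq = der(0x30, integer((1 << (dh_bits - 1)) | 1) + integer(2))   # p is sized, not prime-tested
    pem = '-----BEGIN DH PARAMETERS-----\n' + base64.encodebytes(seq).decode() + '-----END DH PARAMETERS-----\n'
    tmp = tempfile.mkdtemp()
    files = {'ca.crt': 'x', 'server.crt': 'x', 'server.key': 'x', 'dh.pem': pem,
             'server.conf': 'ca ca.crt\ncert server.crt\nkey server.key\ndh dh.pem  # same four directives as the post\n'}
    for name, data in files.items():
        with open(os.path.join(tmp, name), 'w') as f:
            f.write(data)
    os.chmod(os.path.join(tmp, 'server.key'), key_mode)
    return os.path.join(tmp, 'server.conf')
```

Run `audit('/etc/openvpn/server.conf')` on the server after the steps above; an empty list means all four files were found, the key is mode 0600 or tighter, and the DH prime is at least 2048 bits.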

On Ubuntu Client
Install the openvpn client, move the respective files into the /etc/openvpn directory and create a new client config file.


$ sudo apt-get install openvpn
$ sudo cp ubuntu.key ubuntu.crt ca.crt /etc/openvpn/
$ cd /etc/openvpn
$ sudo vi client.ovpn

Add the following to the file


client
dev tun
proto udp
remote 192.168.209.184 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert ubuntu.crt
key ubuntu.key
#auth-user-pass
comp-lzo
reneg-sec 0
verb 3

To connect to vpn execute


$ sudo openvpn --config "client.ovpn"

On Windows

Download the windows client executable

http://openvpn.net/index.php/open-source/downloads.html

Run the exe to install, copy the file "C:\Program Files (x86)\OpenVPN\sample-config\client.ovpn" to "C:\Program Files (x86)\OpenVPN\config\client.ovpn" and edit it as shown below.

Change the ip address with your OpenVPN server’s address below and set the certs and key names.


remote 192.168.209.181 1194
ca ca.crt
cert windows-xp.crt
key windows-xp.key

Next copy the windows client cert, key and ca cert to "C:\Program Files (x86)\OpenVPN\config\"

These steps are enough if you wish to rely on certificates as the sole authentication mechanism; however, if you wish to use a RADIUS server for authentication, click here.