OpenVPN Installation and Configuration


Applicable Plans - All Cloud Hosting Plans

Overview

This is a user guide for system administrators who will be installing and configuring OpenVPN on their Virtual Server.

  • If you are an end user looking for instructions on how to install and configure an OpenVPN client, please see here - OpenVPN Clients.

  • If you are looking for instructions on how to use OpenVPN to connect to a shared folder, a secure web site, or a secured e-mail server, please see here - Using OpenVPN.

Using the OpenVPN service, you can establish a secure point-to-point connection between your local computer and your Virtual Server. This will allow you to securely access shared folders, create secured access to a web application, or encrypt e-mail sent back and forth to users on your domain. Your local computer will be the client, and your Virtual Server will be the server.

The OpenVPN service creates a secure, encrypted point-to-point connection from your local computer to your eApps Virtual Server. The OpenVPN service from eApps cannot be used to connect from your local computer to your Virtual Server and then on to the Internet: this connection cannot be used as a gateway or router. The connection is point-to-point only.

If you need an IPsec-based VPN service that will allow you to route connections to the Internet, please contact eApps Sales for information on the VyOS VPN service.

Note Installing and configuring OpenVPN requires a moderate amount of Linux command line skill. You need to be familiar with navigating the Linux filesystem, manipulating files and directories, and editing files with a text editor. All of the configuration for OpenVPN on your Virtual Server is done from the command line.

eApps can also install OpenVPN for you as a billable service, for a fee of $50. If you also want assistance setting up shared folders, a secured web site, or secured e-mail, then that will be an additional fee, based on the amount of work needed. Please contact eApps Sales for more information.

Installing OpenVPN
    Installing OpenVPN from a Control Panel
    Installing OpenVPN using the command line

OpenVPN configuration

Generating additional OpenVPN keys

Setting up a secured shared folder
Creating a VPN accessible only web site
Sending secure e-mail using the VPN


Installing OpenVPN

OpenVPN can be installed from the Control Panel or the command line of your Virtual Server.

Installing OpenVPN from a Control Panel

Using the ISPmanager Control Panel

If you are using the ISPmanager Control Panel, you can install OpenVPN from that Control Panel.

Information on how to tell which version of ISPmanager you are using can be found here - ISPmanager versions.

Installing OpenVPN using the command line

OpenVPN can be installed from the command line of the Virtual Server using yum. To install applications using yum you will need to be able to connect to the Virtual Server using SSH and work as the root user.

Install OpenVPN using the yum install -y openvpn command:

[root@eapps-example ~]# yum install -y openvpn


OpenVPN configuration

Once OpenVPN is installed, connect to the command line of your Virtual Server using SSH. You will need to be able to work as the root user.

The OpenVPN configuration involves several steps, all of which have to be completed successfully and in order.

  1. Install easy-rsa using yum
  2. Configure the tun device
  3. Copy the server.conf and client.conf file to the correct location
  4. Configure the server.conf and client.conf files
  5. Copy the easy-rsa directory to the correct location, make the keys directory, create the openssl.cnf file
  6. Edit the vars file
  7. Source the vars file, and create the OpenVPN keys
  8. Final steps, VS configuration: copy and move client.conf, and package the client files for download
  9. Starting the openvpn service and configuring it to start at server boot

1. Install easy-rsa using yum

The OpenVPN application needs the easy-rsa application in order to work correctly. easy-rsa is a small RSA key management package. Install it with the yum install easy-rsa command.

[root@eapps-example ~]# yum install easy-rsa

The easy-rsa application installs into the /usr/share/easy-rsa directory.


2. Configure the tun device

The tun kernel module provides the virtual network device that carries the OpenVPN tunnel. It must be loaded for OpenVPN to work correctly. Use the modprobe tun command to load it, and then the lsmod | grep tun command to verify that it is loaded.

[root@eapps-example ~]# modprobe tun
[root@eapps-example ~]# lsmod | grep tun
tun                    16825  0
[root@eapps-example ~]#


3. Copy the server.conf and client.conf file to the correct location

The server.conf and client.conf files are located in /usr/share/doc/openvpn-#.#.#/sample/sample-config-files/, where #.#.# is the OpenVPN version number. You will need to copy them from this location to the /etc/openvpn directory.

[root@eapps-example ~]# cp /usr/share/doc/openvpn-#.#.#/sample/sample-config-files/server.conf /etc/openvpn
[root@eapps-example ~]# cp /usr/share/doc/openvpn-#.#.#/sample/sample-config-files/client.conf /etc/openvpn
[root@eapps-example ~]#


4. Configure the server.conf and client.conf files

Change directories to /etc/openvpn, and edit the server.conf and client.conf files.

server.conf

Edit the server.conf file, and make the following changes. This example uses vim.

[root@eapps-example ~]# cd /etc/openvpn/
[root@eapps-example openvpn]# vim server.conf

Change lines 78, 79, and 80 from this:

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

to this:

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret


Change line 87 from this:

dh dh1024.pem

to this:

dh /etc/openvpn/easy-rsa/keys/dh1024.pem


Change line 275 from this:

status openvpn-status.log

to this:

status /var/log/openvpn-status.log


Uncomment lines 284 and 285, and change them from this:

;log         openvpn.log
;log-append  openvpn.log

to this:

log         /var/log/openvpn.log
log-append  /var/log/openvpn.log

Save and exit the server.conf file.


client.conf

Next, edit the client.conf file. This example uses vim.

[root@eapps-example openvpn]# vim client.conf

Change line 42 from this:

remote my-server-1 1194

to this:

remote IP_ADDRESS 1194

Where IP_ADDRESS is the IP address of your Virtual Server.


Make a note of, but DO NOT CHANGE, lines 88, 89, 90:

ca ca.crt
cert client.crt
key client.key

You will need to change these lines on your local computer to match your configuration and also the locations that you will have the files in. See Connecting to OpenVPN for more information on how this file will be configured.

Once you have made your changes, save and exit the client.conf file.
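The edits in step 4 are quoted by line number, which shifts between OpenVPN versions; the script below, added here and not part of the eApps guide, makes the same changes by matching the directive names instead. It assumes the keys directory and log directory used above and edits the files in place with sed -i, so try it on copies if you want to compare the result first.

```shell
#!/bin/bash
# Added example, not part of the eApps guide: apply the step 4 edits by
# directive name rather than by line number. Assumed paths match the guide:
# keys in /etc/openvpn/easy-rsa/keys, logs in /var/log.

# Point the ca, cert, key, dh, status, log and log-append directives of the
# server.conf given as $1 at absolute paths. $2 = keys directory, $3 = log
# directory. The dh file name (dh1024.pem here, dh2048.pem in newer samples)
# is kept as found, and the two commented-out log lines are uncommented.
configure_server_conf() {
    local conf="$1" keys="$2" logs="$3"
    sed -i \
        -e "s|^ca  *[^ #]*|ca $keys/ca.crt|" \
        -e "s|^cert  *[^ #]*|cert $keys/server.crt|" \
        -e "s|^key  *[^ #]*|key $keys/server.key|" \
        -e "s|^dh  *\([^ #]*\)|dh $keys/\1|" \
        -e "s|^status  *[^ #]*|status $logs/openvpn-status.log|" \
        -e "s|^;*log  *[^ #]*|log $logs/openvpn.log|" \
        -e "s|^;*log-append  *[^ #]*|log-append $logs/openvpn.log|" \
        "$conf"
}

# Replace the active "remote my-server-1 1194" line of the client.conf given
# as $1 with the Virtual Server address $2, keeping the port. The commented
# ";remote my-server-2 1194" example line is left untouched.
configure_client_conf() {
    local conf="$1" ip="$2"
    sed -i "s|^remote  *[^ ]*  *\([0-9][0-9]*\)|remote $ip \1|" "$conf"
}

# Print the active lines worth double-checking after the edits.
show_directives() {
    grep -E '^(ca|cert|key|dh|status|log|log-append|remote) ' "$1"
}

# The real files are only touched when explicitly asked, e.g.
#   OPENVPN_APPLY=1 VS_IP=203.0.113.10 bash configure-openvpn.sh
if [ "${OPENVPN_APPLY:-0}" = 1 ]; then
    configure_server_conf /etc/openvpn/server.conf /etc/openvpn/easy-rsa/keys /var/log
    configure_client_conf /etc/openvpn/client.conf "${VS_IP:?set VS_IP to the Virtual Server IP}"
    show_directives /etc/openvpn/server.conf
    show_directives /etc/openvpn/client.conf
fi
```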

5. Copy the easy-rsa directory to the correct location, make the keys directory, create the openssl.cnf file

All the files in the /usr/share/easy-rsa/2.0/ directory have to be copied to the /etc/openvpn/easy-rsa directory, and the /etc/openvpn/easy-rsa/keys directory has to be created. Note that the copy command will create the /etc/openvpn/easy-rsa directory, which does not yet exist.

This uses the cp -R command, which does a recursive copy of all the files and directories in the source directory. Note that the source directory - /usr/share/easy-rsa/2.0/ - has a trailing slash. Make sure this slash is in the command.

[root@eapps-example openvpn]# cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa
[root@eapps-example openvpn]# cd /etc/openvpn/easy-rsa/
[root@eapps-example easy-rsa]# mkdir keys
[root@eapps-example easy-rsa]#


Once the files are in place in /etc/openvpn/easy-rsa, you will need to copy the openssl-1.0.0.cnf file to openssl.cnf.

[root@eapps-example easy-rsa]# cp openssl-1.0.0.cnf openssl.cnf
[root@eapps-example easy-rsa]#

6. Edit the vars file

The vars file contains the information that will be used to create your OpenVPN client and server keys. Pay close attention to the format of the entries in this file.

Edit the vars file in a text editor. This example uses vim.

[root@eapps-example easy-rsa]# vim vars

Edit lines 64 through 69. Not every line may need to be changed, depending on your specific organization.

This example uses eApps Hosting, which is located in the US (the KEY_COUNTRY), state of Georgia (GA) (the KEY_PROVINCE), city of Norcross (the KEY_CITY), organization of eApps Hosting (the KEY_ORG), and the e-mail address of support@eapps.com (the KEY_EMAIL), which appears twice.

You will need to substitute your own information here, and will need to use the two letter country code for your country, which can be found here - http://www.theodora.com/country_digraphs.html

In this example, the file would be changed from this:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain

to this:

export KEY_COUNTRY="US"
export KEY_PROVINCE="GA"
export KEY_CITY="Norcross"
export KEY_ORG="eApps Hosting"
export KEY_EMAIL="support@eapps.com"
export KEY_EMAIL=support@eapps.com

Once you have made your changes, save and exit the file. Remember to use your own information for the vars file.

7. Source the vars file, and create the OpenVPN keys

Once you have edited the vars file, you will need to source it, so that the new information is read into the system. After you do that, you can create the ca file, the cert and key file for the server (the VS), build the dh key, and then build the client key file.

Note These steps are all fairly similar, and all fairly repetitive, but they all have to be done, and they have to be done in the order shown.

Source the vars file

To force the system to reread the vars file with the new information you have just provided, use the following command: source ./vars

That is the word source, a space, a dot, a slash, and the word vars, with no spaces between the dot, the slash, and vars.

[root@eapps-example easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@eapps-example easy-rsa]#


After you source the vars file, run the ./clean-all command. The command is a dot, a slash, and the word clean-all, with no spaces.

[root@eapps-example easy-rsa]# ./clean-all
[root@eapps-example easy-rsa]#


Create the ca (certificate authority) file

Next, create the ca file, with the ./build-ca command. The command is a dot, a slash, and the word build-ca, with no spaces.

This command will pull information from the vars file. The lines for Country Name, State or Province Name, and Organization Name should all have the same values as you entered in the vars file, so just press Enter at these lines.

If you have an Organizational Unit Name, enter it here. Otherwise, enter a dot (.) to leave the line blank.

For the Common Name, enter the hostname of your VS (in the example, eapps-example.com). For the Name, enter server-ca.

The Email Address should also be the same value as you entered in the vars file, so just press Enter at that line.

[root@eapps-example easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
...............................................++++++
.......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [GA]:
Locality Name (eg, city) [Norcross]:
Organization Name (eg, company) [eApps Hosting]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [changeme]:eapps-example.com
Name [changeme]:server-ca
Email Address [support@eapps.com]:
[root@eapps-example easy-rsa]#


Create the server key

Next, create the server.key file, with the ./build-key-server server command. The command is a dot, a slash, the word build-key-server, a space, and server.

This command will pull information from the vars file. The lines for Country Name, State or Province Name, and Organization Name should all have the same values as you entered in the vars file, so just press Enter at these lines.

If you have an Organizational Unit Name, enter it here. Otherwise, enter a dot (.) to leave the line blank.

For the Common Name, enter the hostname of your VS (in the example, eapps-example.com). For the Name, enter server.

The Email Address should also be the same value as you entered in the vars file, so just press Enter at that line.

You will be asked for A challenge password and An optional company name. Just press Enter at those prompts. When asked to Sign the certificate? and 1 out of 1 certificate requests certified, commit?, enter a y and press Enter at both prompts.

[root@eapps-example easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
.................++++++
...........................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [GA]:
Locality Name (eg, city) [Norcross]:
Organization Name (eg, company) [eApps Hosting]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [server]:eapps-example.com
Name [changeme]:server
Email Address [support@eapps.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Norcross'
organizationName      :PRINTABLE:'eApps Hosting'
commonName            :PRINTABLE:'eapps-example.com'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'support@eapps.com'
Certificate is to be certified until Apr  5 23:05:27 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@eapps-example easy-rsa]#


Generate the DH key

DH stands for Diffie–Hellman, a key-agreement protocol that lets two parties establish a shared secret over an untrusted network. A brief overview of the protocol and the mathematics involved can be found here - http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange.

To generate the dh key, use the ./build-dh command. The command is a dot, a slash, and the word build-dh. No input is needed to generate the key.

[root@eapps-example easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................[several lines truncated]..+................+.................................................++*++*++*
[root@eapps-example easy-rsa]#


Create the client key

The last key to create is the client key file, with the ./build-key client command. The command is a dot, a slash, the word build-key, a space, and client.

This command will pull information from the vars file. The lines for Country Name, State or Province Name, and Organization Name should all have the same values as you entered in the vars file, so just press Enter at these lines.

If you have an Organizational Unit Name, enter it here. Otherwise, enter a dot (.) to leave the line blank.

For the Common Name, enter the hostname of your VS (in the example, eapps-example.com). For the Name, enter client.

The Email Address should also be the same value as you entered in the vars file, so just press Enter at that line.

You will be asked for A challenge password and An optional company name. Just press Enter at those prompts. When asked to Sign the certificate? and 1 out of 1 certificate requests certified, commit?, enter a y and press Enter at both prompts.

[root@eapps-example easy-rsa]# ./build-key client
Generating a 1024 bit RSA private key
.......................++++++
..............++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [GA]:
Locality Name (eg, city) [Norcross]:
Organization Name (eg, company) [eApps Hosting]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [client]:eapps-example.com
Name [changeme]:client
Email Address [support@eapps.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Norcross'
organizationName      :PRINTABLE:'eApps Hosting'
commonName            :PRINTABLE:'eapps-example.com'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'support@eapps.com'
Certificate is to be certified until Apr  5 23:50:10 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@eapps-example easy-rsa]#


8. Final steps, VS configuration: copy and move client.conf, and package the client files for download

The final steps for the Virtual Server configuration involve making a copy of the client.conf file, and then renaming (moving) it, and also packaging the files needed for the OpenVPN client on the local computer for download.

Copy and move the client.conf file

The /etc/openvpn/client.conf file has to be copied to the /etc/openvpn/easy-rsa/keys directory, but the name has to be changed from client.conf to client.ovpn. This is the file that will be used to initiate the OpenVPN connection from the client (local) computer. Use the cp /etc/openvpn/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn command.

Once the file has been copied, the original must be renamed. Otherwise it will interfere with the openvpn service: the init script (on CentOS 6) starts every .conf file it finds in /etc/openvpn, so a leftover client.conf would be launched as a second instance. If you don't rename the client.conf file, your OpenVPN service will not work. Use the mv /etc/openvpn/client.conf /etc/openvpn/client.conf.bck command.

[root@eapps-example easy-rsa]# cp /etc/openvpn/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
[root@eapps-example easy-rsa]# mv /etc/openvpn/client.conf /etc/openvpn/client.conf.bck
[root@eapps-example easy-rsa]#


Package the OpenVPN client files for download

Change directories to /etc/openvpn/easy-rsa/keys, and create a tar.gz file of the following files:

ca.crt
client.crt
client.key
client.ovpn

Use the tar cvpzf client-files.tar.gz ca.crt client.crt client.key client.ovpn command.

[root@eapps-example keys]# tar cvpzf client-files.tar.gz ca.crt client.crt client.key client.ovpn
ca.crt
client.crt
client.key
client.ovpn
[root@eapps-example keys]# ll client-files.tar.gz
-rw-r--r-- 1 root root 5136 Apr  7 20:22 client-files.tar.gz
[root@eapps-example keys]#


Once you have made the client-files.tar.gz file, you need to download it to your local computer. Do this with SFTP - http://support.eapps.com/ispmgr/sftp_ftp. You will need to use SFTP, and not FTP, because an FTP user will not have access to the directory where the OpenVPN client keys are located.

On Windows, use a utility like 7-zip to extract the files - http://www.7-zip.org/. This is a free utility.

On Mac OS X, all you will need to do is double-click on the client-files.tar.gz file to extract the files in it into a folder.

On Linux, you will need to unpack (untar) the files with the tar xvzf client-files.tar.gz command.

9. Starting the openvpn service and configuring it to start at server boot

Starting openvpn

The openvpn service has to be started so that it is waiting for connections. Change directories to /var/log. This will make it easier to view the openvpn.log and openvpn-status.log files (which won't exist until the openvpn service is started for the first time).

  • For CentOS 6, use the service openvpn start command:

    [root@eapps-example keys]# cd /var/log
    [root@eapps-example log]# service openvpn start
    Starting openvpn:                                          [  OK  ]
    [root@eapps-example log]#
  • For CentOS 7, use the systemctl start openvpn@server command:

    [root@eapps-example keys]# cd /var/log
    [root@eapps-example log]# systemctl start openvpn@server
    Starting openvpn:                                          [  OK  ]
    [root@eapps-example log]#

If the openvpn service doesn't start, view the two log files for more information, and double-check your configuration. If you need assistance, please contact eApps Support.
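Before starting the service, a quick pre-flight check catches the most common causes of a failed start described in this guide: a missing file behind the ca, cert, key or dh directives, a leftover client.conf in /etc/openvpn, or a server.key that other users can read. The script below is an added example, not part of the eApps guide; it assumes GNU stat (as on CentOS) for the permission check and the absolute paths configured in step 4.

```shell
#!/bin/bash
# Added example, not part of the eApps guide: pre-flight checks for
# /etc/openvpn before the service is started. Assumes GNU stat (CentOS) for
# the permission check; paths in server.conf may be absolute (as set in
# step 4) or relative to the OpenVPN directory.

# Print the value of directive $2 from config $1 (first uncommented match).
# ";key ..." or "# key ..." lines do not match because $1 would not equal $2.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Check the OpenVPN directory $1. One line per problem is printed and the
# number of problems is returned, so 0 means the service should start.
openvpn_preflight() {
    local dir="$1" conf="$1/server.conf" problems=0 d f key other
    if [ ! -f "$conf" ]; then
        echo "missing $conf"
        return 1
    fi
    # Every file the PKI directives point to must exist.
    for d in ca cert key dh; do
        f=$(conf_value "$conf" "$d")
        if [ -z "$f" ]; then
            echo "server.conf has no $d directive"
            problems=$((problems + 1))
            continue
        fi
        case $f in /*) ;; *) f="$dir/$f" ;; esac
        if [ ! -f "$f" ]; then
            echo "$d directive points to missing file $f"
            problems=$((problems + 1))
        fi
    done
    # server.conf itself says the key "should be kept secret": only root
    # (the user the service runs as here) should be able to read it.
    key=$(conf_value "$conf" key)
    case $key in /*) ;; *) key="$dir/$key" ;; esac
    if [ -f "$key" ]; then
        case $(stat -c %a "$key") in
            *00) ;;
            *) echo "private key $key is readable by group or others (chmod 600 $key)"
               problems=$((problems + 1)) ;;
        esac
    fi
    # The CentOS 6 init script starts every *.conf in this directory, so a
    # leftover client.conf from step 8 would be launched as a second,
    # broken instance.
    for other in "$dir"/*.conf; do
        [ -e "$other" ] || continue
        [ "$other" = "$conf" ] && continue
        echo "stray config $other (rename it, e.g. to $other.bck)"
        problems=$((problems + 1))
    done
    return "$problems"
}

# Run directly: OPENVPN_DIR=/etc/openvpn bash openvpn-preflight.sh
if [ -n "${OPENVPN_DIR:-}" ]; then
    openvpn_preflight "$OPENVPN_DIR" && echo "$OPENVPN_DIR looks ready to start"
fi
```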

Set the openvpn service to start at boot time

You will also need to set the openvpn service to start every time the Virtual Server reboots.

  • For CentOS 6, use the chkconfig openvpn on command:

    [root@eapps-example log]# chkconfig openvpn on
    [root@eapps-example log]#
  • For CentOS 7, use the systemctl enable openvpn@server command:

    [root@eapps-example log]# systemctl enable openvpn@server
    [root@eapps-example log]#


OpenVPN is now configured and running on your Virtual Server.

Connecting to OpenVPN

Note Remember - the OpenVPN service creates a secure and encrypted point-to-point connection from your local computer to your eApps Virtual Server. The OpenVPN service cannot be used to connect from your local computer to your Virtual Server and then on to the Internet: this connection cannot be used as a gateway or router. The connection is point-to-point only.

If you need an IPsec-based VPN service that will allow you to route connections to the Internet, please contact eApps Sales for information on the VyOS VPN service.


Instructions on how to connect to OpenVPN from Windows XP Pro, Windows 7, Windows Vista, Mac OS X, and Linux are found in the OpenVPN Client Configuration User Guide - http://support.eapps.com/ispmgr/openvpn-clients. You will need to point your users to that guide, and also provide them with the necessary keys. Instructions on how to generate additional OpenVPN keys are here - How to generate OpenVPN keys.


Generating additional OpenVPN keys

The initial setup for OpenVPN creates one set of client keys. If you need additional keys, you can either make them yourself using the following instructions, or have eApps make them for you at a cost of $10 per set. If you need a large number of keys, please contact eApps Sales, who can provide a quote for this service.

Note You cannot share one set of keys between multiple users. If two people are using the same keys, then the first person to connect will get bumped from the VPN tunnel when the second person connects with the same keys. If the first person tries to reconnect, they will bump the second user off the VPN tunnel, etc.

Creating additional keys for OpenVPN

To create additional keys, you will need to redo the Create the client key step from the original OpenVPN configuration, but you will need to change the Common Name and the Name values. You will also need to copy the client.ovpn file to match the new Common Name and Name, and if possible edit the file for your end user. You will also need to package the files, and deliver them to your end users.

Connect via SSH to the Virtual Server where you set up the OpenVPN server, and navigate back to the /etc/openvpn/easy-rsa/ directory. You will need to work as the root user.

Before you begin, make a copy of your existing keys directory. This will ensure that you can put things back in place if you accidentally remove that directory when making new client keys. Do not skip this step.

Make a copy of the directory with the tar cvpzf keys.tar.gz keys/ command. If you need to replace the directory, you can do so with the tar xvzf keys.tar.gz command, which will overwrite the existing keys/ directory.

[root@eapps-example easy-rsa]# tar cvpzf keys.tar.gz keys/
keys/
keys/index.txt.attr
keys/client.csr
keys/server.csr
keys/ca.key
keys/serial
keys/01.pem
keys/server.crt
keys/index.txt
keys/serial.old
keys/server.key
keys/02.pem
keys/client.ovpn
keys/ca.crt
keys/index.txt.attr.old
keys/client.crt
keys/dh1024.pem
keys/client.key
keys/04.pem
keys/03.pem
keys/index.txt.old
[root@eapps-example easy-rsa]#


In the easy-rsa directory, you will first need to source the vars file with the following command: source ./vars

That is the word source, a space, a dot, a slash, and the word vars, with no spaces between the dot, the slash, and vars.

[root@eapps-example easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@eapps-example easy-rsa]#

Warning After you source the vars file, DO NOT RUN the ./clean-all command. To repeat, DO NOT RUN the ./clean-all command. To repeat again for emphasis, DO NOT RUN the ./clean-all command.

If you run this command, you will remove the entire contents of the keys directory, breaking your OpenVPN configuration. If you followed the previous instructions and made a backup of the keys directory, you can restore it. If you didn't follow the instructions and didn't make a backup of the keys directory, you will need to start the ENTIRE OpenVPN configuration again from scratch.


Once you have sourced the vars file, use the ./build-key new_client command. The command is a dot, a slash, the word build-key, a space, and new_client. For new_client, substitute whatever name you wish to use for this new client. As an example, you could use the name of the person who the new keys are for.

This will use the same information from the vars file that you used to create the original keys with. Remember, make sure that you change Common Name and Name to match the name you are using for new_client. Make no other changes.

The lines for Country Name, State or Province Name, and Organization Name should all have the same values as you entered in the vars file, so just press Enter at these lines.

If you have an Organizational Unit Name, enter it here. Otherwise, enter a dot (.) to leave the line blank.

For the Common Name, enter the name you are using for new_client. For the Name, enter the same value.

The Email Address should also be the same value as you entered in the vars file, so just press Enter at that line.

You will be asked for A challenge password and An optional company name. Just press Enter at those prompts. When asked to Sign the certificate? and 1 out of 1 certificate requests certified, commit?, enter a y at both prompts.

[root@eapps-example easy-rsa]# ./build-key new_client
Generating a 1024 bit RSA private key
.......................++++++
..............++++++
writing new private key to 'new_client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [GA]:
Locality Name (eg, city) [Norcross]:
Organization Name (eg, company) [eApps Hosting]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [new_client]:new_client
Name [changeme]:new_client
Email Address [support@eapps.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Norcross'
organizationName      :PRINTABLE:'eApps Hosting'
commonName            :PRINTABLE:'new_client'
name                  :PRINTABLE:'new_client'
emailAddress          :IA5STRING:'support@eapps.com'
Certificate is to be certified until Apr  5 23:50:10 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@eapps-example easy-rsa]#


If you have additional keys to make, you can continue with ./build-key other_client - you generally should only have to source the vars file once in a session. However, if you disconnect from the VS or let your session sit idle too long, you may need to source the vars file again.

If you do have to source the vars file again, it is a good practice to make another backup of the keys directory as shown above. However, this time use a name like keys1.tar.gz so that you do not overwrite your existing backup.
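As an added example (not from the eApps guide), the helpers below read keys/index.txt, the OpenSSL CA database that appears in the backup listing above, to show which names already have valid certificates, so you can confirm a new_client name is unused before running ./build-key; this follows from the note above that each user needs their own set of keys. It assumes the tab-separated index.txt layout written by openssl ca (status, expiry, revocation date, serial, file name, subject DN).

```shell
#!/bin/bash
# Added example, not part of the eApps guide: check keys/index.txt (the
# OpenSSL CA database easy-rsa keeps, visible in the backup listing above)
# before running ./build-key, so a name is never issued twice. Assumed
# layout, as written by openssl ca: tab-separated status (V valid, R revoked,
# E expired), expiry, revocation date, serial, file name, subject DN.

# Print "serial<TAB>CN<TAB>Name" for every certificate whose status is V.
# $1 = path to index.txt. The CN and Name components are cut out of the
# subject DN, e.g. /C=US/.../CN=eapps-example.com/name=client/emailAddress=...
list_valid_certs() {
    awk -F'\t' '$1 == "V" {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        nm = $6
        if (sub(/.*\/name=/, "", nm)) sub(/\/.*/, "", nm); else nm = "-"
        printf "%s\t%s\t%s\n", $4, cn, nm
    }' "$1"
}

# Succeed (exit 0) when $2 is already the CN or Name of a valid certificate
# in index.txt $1. Revoked and expired entries do not count, so a name whose
# certificate was revoked may be reused.
name_in_use() {
    list_valid_certs "$1" |
        awk -F'\t' -v n="$2" '$2 == n || $3 == n { found = 1 } END { exit !found }'
}

# Number of valid certificates, i.e. how many key sets are currently issued
# (the server's own certificate is one of them).
count_valid_certs() {
    list_valid_certs "$1" | grep -c .
}

# Run directly: NEW_CLIENT=alice bash check-client-name.sh
# (INDEX defaults to the location used throughout this guide)
if [ -n "${NEW_CLIENT:-}" ]; then
    INDEX=${INDEX:-/etc/openvpn/easy-rsa/keys/index.txt}
    if name_in_use "$INDEX" "$NEW_CLIENT"; then
        echo "$NEW_CLIENT already has a valid certificate; pick another name" >&2
        exit 1
    fi
    echo "$NEW_CLIENT is free; $(count_valid_certs "$INDEX") certificates currently valid"
fi
```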

Copy the client.ovpn file and edit if needed

Once you have created the new client keys, change directories to the /etc/openvpn/easy-rsa/keys directory. In that directory, copy the original client.ovpn file to new_client.ovpn (or to whatever name you chose for the new client key).

[root@eapps-example easy-rsa]# cd /etc/openvpn/easy-rsa/keys
[root@eapps-example keys]# cp client.ovpn new_client.ovpn
[root@eapps-example keys]#


If you already know how and where the end user will be installing their keys, you can go ahead and edit lines 88, 89, and 90 in the new_client.ovpn for them to point to the correct locations. More information on how to do this is in the OpenVPN Client Configuration User Guide - http://support.eapps.com/ispmgr/openvpn-clients.

Package the new client files for download

You will now need to package the new client files so that you can download them and give them to the end user. You will need to package four files: ca.crt, new_client.crt, new_client.key, and new_client.ovpn.

The easiest way to do this is to compress the files with tar and gzip, and then download them to your personal computer. You can then provide them to your end users by whatever means works best for you - e-mail, FTP download, scp, etc. Whichever you choose, remember that new_client.key is the user's private key, so handle the package with the same care as the client-files.tar.gz you downloaded over SFTP.

Use the tar cvpzf new_client.tar.gz ca.crt new_client.crt new_client.key new_client.ovpn command to package the files, creating a new_client.tar.gz file.

[root@eapps-example keys]# tar cvpzf new_client.tar.gz ca.crt new_client.crt new_client.key new_client.ovpn
ca.crt
new_client.crt
new_client.key
new_client.ovpn
[root@eapps-example keys]# ll -d new_client.tar.gz
-rw-r--r-- 1 root root 5124 Apr 27 14:40 new_client.tar.gz
[root@eapps-example keys]#


Provide these files to your end user, and also a link to the OpenVPN Client Configuration User Guide - http://support.eapps.com/ispmgr/openvpn-clients. If they need assistance they should contact you first, but eApps Support will assist if needed.


Setting up a secured shared folder

One of the things you can use OpenVPN for is secured file sharing. Using a Linux program called Samba (for SMB, or Server Message Block), you can create a shared directory on your Virtual Server running OpenVPN that your users can access as a network drive, and privately share files and folders back and forth. Only users who are connected to the VPN will be able to access those files.

The configuration of Samba in this user guide is a very basic setup. Samba can be used for far more than just simple file sharing: it can be used to share printers and other resources, and can even be used to replace Windows NT Domain controllers and Novell NetWare Servers. For more information, please see the Samba Documentation - http://www.samba.org/samba/docs/. There are also several books available for Samba, including the Official Samba-3 HOWTO and Samba-3 By Example, both of which are available for free in either HTML or PDF format from the Samba Documentation site linked to above.

Note Configuring Samba requires a moderate amount of Linux command line skill. You need to be familiar with navigating the Linux file system, manipulating files and directories, and editing files with a text editor. You will also need to be able to work as the root user.

If you want to set up shared folders but do not have the necessary command line skills, please contact eApps Sales to discuss having this work done for you as a billable service.

Samba configuration on the Virtual Server

To configure Samba, you will need to connect to the Virtual Server using SSH - http://support.eapps.com/ispmgr/ssh, and you will need to be able to work as the root user.

Samba configuration requires 5 steps:

1. Start the Samba services and configure them to run at system boot

2. Configure the Samba software

3. Create the shared folder

4. Restart the Samba service and test the configuration

5. Set up the Samba users

Once Samba is configured, the shared folder created, and the users set up, you can then point your users to the instructions for connecting to the shared folder in the OpenVPN Usage user guide - http://support.eapps.com/ispmgr/openvpn-usage. Instructions for Windows 7/Vista, Windows XP, Mac OS X, and Linux are available.

 

1. Start the Samba services and configure them to run at system boot

The Samba software should already be installed on your Virtual Server, but it needs to be started manually, and then set to run whenever the Virtual Server reboots.

To start Samba, you have to actually start two services: smb and nmb.

  • For CentOS 6, use the service smb start and service nmb start commands:
[root@example ~]# service smb start
Starting SMB services:                                     [  OK  ]
[root@example ~]# service nmb start
Starting NMB services:                                     [  OK  ]
[root@example ~]#
  • For CentOS 7, use the systemctl start smb and systemctl start nmb commands (systemctl prints nothing when a service starts successfully):
[root@example ~]# systemctl start smb
[root@example ~]# systemctl start nmb
[root@example ~]#


Once the services are started, set them to start at system boot time.

  • For CentOS 6, use the chkconfig smb on and chkconfig nmb on commands:

    [root@example ~]# chkconfig smb on
    [root@example ~]# chkconfig nmb on
    [root@example ~]#
  • For CentOS 7, use the systemctl enable smb and systemctl enable nmb commands:

    [root@example ~]# systemctl enable smb
    [root@example ~]# systemctl enable nmb
    [root@example ~]#

 

2. Configure the Samba software

After you have started the two Samba services and set them to run at system boot, you will need to configure Samba itself. This is done by editing the smb.conf file, located in /etc/samba.

Change directories to /etc/samba, and make a backup of the existing smb.conf file before making any changes. Once you have made the backup, open the smb.conf file in a text editor (vim and nano are available by default).

[root@example ~]# cd /etc/samba/
[root@example samba]# ll
total 20
-rw-r--r-- 1 root root   20 Jul  4  2011 lmhosts
-rw-r--r-- 1 root root 9778 Jul  4  2011 smb.conf
-rw-r--r-- 1 root root   97 Jul  4  2011 smbusers
[root@example samba]# cp smb.conf{,.bck}
[root@example samba]#
[root@example samba]# vim smb.conf

Find the section of the file called Share Definitions. In a standard smb.conf file, this is usually around line 246. There will already be a [homes] and [printers] share in place.

To set up a shared folder for all VPN users, add the following below the existing [printers] share. This example uses [SharedFolder], but you can use any name as long as it contains no spaces.

[SharedFolder]
        comment = Shared Folder for VPN users
        path = /home/shared
        writeable = yes
        browseable = yes
        guest ok = no
        write list = +webadmin

  • path - the absolute path to the location of the shared folder on the VS

  • writeable - this allows users to "write" to the shared folder, which means they can add or remove files or folders from it

  • browseable - the contents of the shared folder are visible to anyone with access to the folder

  • guest ok - set to no to only allow authenticated users to access the folder

  • write list - only people in the webadmin group have access to "write" to the folder

For an exhaustive explanation of all the values that can be used for an smb.conf file, please see the online smb.conf man page - http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Once you have made your changes to smb.conf, save and exit the file.
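The guide states that only VPN users can reach the share. The following added check, which is not part of the eApps guide, audits a share stanza in smb.conf for the settings that enforce that: guest access off, write access limited to a group, and a hosts allow restricted to the VPN subnet. It assumes the share is named [SharedFolder] as above and that the VPN subnet is 10.8.0.0/24 (the OpenVPN default, matching the 10.8.0.1 server address used later in this guide); hosts allow is a standard Samba option that is not in the stanza shown above.

```shell
#!/bin/sh
# Added example (not from the eApps guide): audit one Samba share stanza so it
# is reachable only by authenticated users on the VPN subnet. Assumes the share
# is [SharedFolder] as in the guide and the VPN subnet is 10.8.0.0/24 (OpenVPN
# default, matching the 10.8.0.1 server address used in this guide).

# Print "key=value" lines for one [SECTION] of FILE (keys lower-cased, values
# trimmed); comment lines (# or ;) are skipped.
smb_section() {   # smb_section FILE SECTION
    awk -v want="[$2]" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec && /=/ {
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr($0, eq + 1);             gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k "=" v
        }' "$1"
}

# Print the value of KEY in SECTION; exit status 1 when the key is not set.
smb_get() {   # smb_get FILE SECTION KEY
    smb_section "$1" "$2" | awk -v k="$3" '
        index($0, k "=") == 1 { print substr($0, length(k) + 2); found = 1 }
        END { exit !found }'
}

# Audit SECTION of FILE against VPN_SUBNET: prints each failing check and
# returns 1, or returns 0 when the share passes.
smb_audit_share() {   # smb_audit_share FILE SECTION VPN_SUBNET
    f=$1; sec=$2; net=$3; rc=0
    # "guest ok" defaults to no, but require it explicitly so a later edit
    # cannot silently open the share to unauthenticated clients.
    v=$(smb_get "$f" "$sec" "guest ok") || v=""
    [ "$v" = "no" ] || { echo "[$sec] guest ok must be 'no' (got '${v:-unset}')"; rc=1; }
    # Write access should be granted to a group (+group), as the guide does.
    v=$(smb_get "$f" "$sec" "write list") || v=""
    case "$v" in +*) ;; *) echo "[$sec] write list should name a group (+group)"; rc=1 ;; esac
    # Samba listens on every interface by default, so limit clients to the VPN
    # subnet; a share-level "hosts allow" overrides the [global] one.
    v=$(smb_get "$f" "$sec" "hosts allow") || v=$(smb_get "$f" global "hosts allow") || v=""
    case "$v" in *"$net"*) ;; *) echo "[$sec] hosts allow must include $net (got '${v:-unset}')"; rc=1 ;; esac
    return $rc
}

# Constructed sample: the guide's [SharedFolder] stanza plus a [global]
# "hosts allow" for the VPN subnet (printed to stdout; redirect to a file).
sample_conf() {
    cat <<'EOF'
[global]
        hosts allow = 127. 10.8.0.0/24
[SharedFolder]
        comment = Shared Folder for VPN users
        path = /home/shared
        writeable = yes
        guest ok = no
        write list = +webadmin
EOF
}
```

To run it against the live configuration, source the file and call `smb_audit_share /etc/samba/smb.conf SharedFolder 10.8.0.0/24`; a non-zero exit status means at least one check failed.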

 

3. Create the shared folder

After the smb.conf file has been configured, the next step is to create the directory that will be used as the shared folder. This must be a new directory, because if you use an existing directory the existing contents may be overwritten.

Since the write list in smb.conf specifies that only people in the webadmin group will have access to the shared folder, the new directory has to be in a location that the webadmin user has access to, which is the /home directory.

Change directories to /home, and use the mkdir shared command to create the directory. Since you are working as the root user, this will create the directory with owner and group of root.

You will need to change the owner and group to webadmin, with the chown -R webadmin:webadmin shared command. The last thing to do is to set the permissions of the new directory to 777, with the chmod 777 shared command. Note that 777 makes the directory writable by every local account on the server, not only the Samba users; the write list in smb.conf only governs access through Samba.

[root@example samba]# cd /home
[root@example home]# mkdir shared
[root@example home]# ll
total 8
drwxr-xr-x 2 root     root     4096 May 30 11:16 shared
drwx------ 2 webadmin webadmin 4096 Nov 15  2011 webadmin
[root@example home]# chown -R webadmin:webadmin shared/
[root@example home]# chmod 777 shared/
[root@example home]# ll
total 8
drwxrwxrwx 2 webadmin webadmin 4096 May 30 11:16 shared
drwx------ 2 webadmin webadmin 4096 Nov 15  2011 webadmin
[root@example home]#

 

4. Restart the Samba service and test the configuration

After adding the directory for the shared folder, restart the Samba service, and then test the configuration using testparm.

Change directories back to /etc/samba, and restart both the smb and nmb services.

  • For CentOS 6, use the service smb restart and service nmb restart commands:
[root@example home]# cd /etc/samba/
[root@example samba]# service smb restart
[root@example samba]# service nmb restart
[root@example samba]#
  • For CentOS 7, use the systemctl restart smb and systemctl restart nmb commands:

    [root@example home]# cd /etc/samba/
    [root@example samba]# systemctl restart smb
    [root@example samba]# systemctl restart nmb
    [root@example samba]#


The testparm command reads through the smb.conf file, and prints any errors it finds. The command will stop and ask you to press Enter to continue about mid-way through.

The following is testparm finding no errors:

[root@example samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[SharedFolder]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = MYGROUP
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[SharedFolder]
        comment = Shared Folder for VPN users
        path = /home/shared
        write list = +webadmin
        read only = No
[root@example samba]#


Here is an example of the output when testparm finds an error (the closing square bracket was removed from the [SharedFolder] entry in order to generate an error).

[root@example samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
params.c:Section() - Badly formed line in configuration file: SharedFolder
Error loading services.
[root@example samba]#

From this output, you can narrow down where the issue is located.

 

5. Set up the Samba users

Now that the Samba service has been started, the smb.conf file configured and tested, and the directory that will be used as the shared folder has been created, you will need to set up the Samba users.

If you have existing Linux users, you can add them to the Samba server. You can also create new users that can only authenticate to Samba.

If you are creating new users, keep the user names between 6 and 8 characters, all lower case, and with no dots and no spaces. In other words, johndoe is a valid username, but JohnDoe, john doe, or john.doe are not.

If possible, use the client names that you used to create the OpenVPN keys with to create the Samba user names. If you cannot do that, then use easy to remember names for your users that keep with the naming conventions. Each user will need to have a different name.

To create new users, first use the useradd username command, and then the smbpasswd -a username command. Once you have added the user to the Linux system and to Samba, use the usermod -a -G group username command (the group first, then the user) to add the user to the group that controls the shared folder. Note that there is a capital G in the usermod command.

The useradd command adds the user to the Linux system, but does not set a password for them, so they will not be able to log in directly to the Linux server. The smbpasswd -a command adds the user to the Samba password database, which is what Samba uses for authentication. The usermod -a -G command adds the user to a supplemental group.

[root@example ~]# useradd johndoe
[root@example ~]# smbpasswd -a johndoe
New SMB password:
Retype new SMB password:
[root@example ~]# usermod -a -G webadmin johndoe
[root@example ~]#

If you have existing Linux users that you are going to allow to access the shared folder, start with the smbpasswd -a command, and then the usermod -a -G command.

Once you have added your Samba users, you can provide the user names and passwords to your users, and provide them with a link to the OpenVPN Usage user guide - http://support.eapps.com/ispmgr/openvpn-usage.


Creating a VPN accessible only web site

Using OpenVPN, you can create a web site on your Virtual Server that is only accessible to users on the VPN. This can be used for a web site or web application that you wish to keep private, such as an accounting package or a customer database.

Setting up a web site that is only accessible over the VPN requires four steps:

  1. Create a DNS entry for the VPN accessible web site
  2. Add a user in the Control Panel who will own the VPN accessible web site
  3. Add the domain for the VPN accessible web site to the Control Panel
  4. Create the site

1. Create a DNS entry for the VPN accessible web site

While it is possible to just use the IP address of the VPN server as the URL for your secured site, most people find it easier to remember domain names. For this reason, you will want to create a DNS entry for the secured web site. Since the DNS entry will use the IP address of the VPN server as the A record, only users that are connected to the VPN will have access.

What you will need to create is a subdomain of one of your existing domains that exists on the Virtual Server. In this example, the VS already has the domain of eapps-example.com being used for a publicly accessible web site, so we will create the subdomain of vpn.eapps-example.com for the web site that will only be available over the VPN.

To create the DNS entry, log in to the Customer Portal - http://portal.eapps.com, and click on DNS Manager. This will take you to the list of Hosted Domains, which shows all the domains you have in the eApps DNS.

Hosted Domains


To create the new DNS entry, click on Add Domain. This takes you to the Add New Domain screen.

Add New Domain - default


Using the example subdomain of vpn.eapps-example.com, create the DNS entry as follows. Make sure to substitute your specific domain name for eapps-example.com.

Name

Click on Add subdomain, and add the name of the subdomain here - in this example, vpn. Make sure the drop down list shows the main domain you want to use for the subdomain - in this example, eapps-example.com.

 

IP

In the box for IPv4, enter the IP address of the VPN server, which is 10.8.0.1. This is a private, or non-routable, IP address.

A technical explanation of private IP addresses (private network) can be found here - http://en.wikipedia.org/wiki/Private_network, and a more layman's explanation can be found here - http://whatismyipaddress.com/private-ip.

Because this IP address is non-routable, it is only accessible to users connected to the VPN server on your VS, meaning that this domain will only be accessible to users connected to the VPN server on your VS.

 

Aliases

Leave the Aliases at their default settings.

 

Email handling (MX)

The default entry is for SpamExperts, but since this domain will not be publicly accessible to send or receive e-mail, choose No Spam Filtering.

 

Reverse record (PTR) and Name servers

Make sure that the setting for PTR is set to No. You cannot change the Name servers.


When the DNS entry is complete, it will look similar to this:

Add Domain - VPN DNS entry


Once you have entered in all the information, click on Add Domain. This will add the DNS entry to the DNS Manager and your Hosted Domains list.

Hosted Domains - VPN domain

 

2. Add a user in the Control Panel who will own the VPN accessible web site

Once the DNS entry for the VPN accessible web site is complete, you will need to add a user to the Control Panel that will own the web site and all the files for it. It is possible to use an existing user for this web site, but adding a different user will help to keep the files and data for the VPN accessible site separate.

Using the ISPmanager Control Panel

3. Add the VPN accessible website to the Control Panel

Once the user who will own the website has been created, you can add the website to the Control Panel.

When you add the website, remember to use the correct User, and to also use the IP address of the VPN server, instead of the public IP address. Also remember to use the domain that you configured for the VPN accessible website in DNS.

Using the ISPmanager Control Panel

  • ISPmanager 4 - go to Domains > WWW domains and add the website. More information on adding websites can be found here - Adding Websites - ISPmanager 4.

  • ISPmanager 5 - go to Domains > Web-domains and add the website. More information on adding websites can be found here - Adding Websites - ISPmanager 5.

4. Create the web site

At this point, you can create the web site just as you would any other web site. The main thing to remember is that your users will need to be connected to the VPN to actually access the site. If they are not connected to the VPN, they will eventually get a timeout error from their browser.


Sending secure e-mail using the VPN

If users are connected to the VPN, they can securely send e-mail to other users on the VPN, by using the private IP address of the VPN server.

This is easiest to do using a Webmail client that points to the private IP address of the VPN server. You can use e-mail clients like Outlook or Thunderbird, but you will have to change the POP/IMAP and SMTP servers to the private IP, and you will only be able to send and receive e-mail for that account when connected to the VPN.

Note To securely send e-mail to other users through the VPN, both users will need to be connected to the VPN, and using the IP address of the VPN server as their mail server.

As an example, see the diagram below. Alice and Bob are both connected to the VPN, using the private IP address of the VPN server as the mail server IP. Any e-mail that Alice sends to Bob travels over the VPN, and is secured, and vice versa.

Carol is not connected to the VPN. Any e-mail sent to Carol has to leave the secured VPN connection, and is no longer secured.

VPN Mail Diagram


If your users want to send and receive e-mail from each other using the VPN connection, make sure they understand that an e-mail is secured only when it is sent over the VPN to another user who is actively connected to the VPN.


