System: CentOS 7
openvpn: 2.4.10-1.el8
easy-rsa: 3.0.8-1.el8
Make sure to perform the following operations as the root.
1 Installation and preparation
yum install -y epel-release yum install -y openvpn yum install -y easy-rsa mkdir /etc/openvpn/easy-rsa cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/ cp -p /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/ cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
For now, the contents of the two directories are shown in the figure:
Modify the below lines of the file - vars
set_var EASYRSA "$PWD" set_var EASYRSA_PKI "$EASYRSA/pki" set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY"CN" set_var EASYRSA_REQ_PROVINCE "SJ" set_var EASYRSA_REQ_CITY "NJ" set_var EASYRSA_REQ_ORG "HTEK" set_var EASYRSA_REQ_EMAIL "support@htek.com" set_var EASYRSA_REQ_OU "HTEK Support" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 7000 set_var EASYRSA_CERT_EXPIRE 3650 set_var EASYRSA_NS_SUPPORT "no" set_var EASYRSA_NS_COMMENT "Hanlong" set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" set_var EASYRSA_DIGEST "sha256"
Next, we will start to create the OpenVPN server.
2 Generate Certification files
2.1 Initialize Certificate
[root@localhost openvpn]# cd /etc/openvpn/easy-rsa/ [root@localhost easy-rsa]# ./easyrsa init-pki
You will get the below notice
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
2.2 Generate a CA certificate
[root@localhost easy-rsa]# ./easyrsa build-ca
You will be prompt to enter New CA Key Passphrase, please remember it, you will use them later.
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus ......................+++ ..+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Htek CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt
2.3 Generate a server certificate
[root@localhost easy-rsa]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ............+++ ..............+++ writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-12489.hN5NM9/tmp.EPD3Vi' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/server.req key: /etc/openvpn/easy-rsa/pki/private/server.key
2.4 Sign the server certificate
[root@localhost easy-rsa]# ./easyrsa sign server server
When signing the server certificate, you need to enter the passphrase of the CA (you have set it in 2.2).
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-12735.ljcLtB/tmp.pO6V2f
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jun 5 11:40:39 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
2.5 Generate Diffie-Hellman key
[root@localhost easy-rsa]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time .................................................................................+.....................+..........................+......................................................................................+...........+........................+.....................................................................................................................................................................................................................+......+.+.......+...............................................................+.............+.........................................+..........................................................................................................................................................................................................+....................................+............+...................................................................++*++*++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
2.6 Generate a client certificate
[root@localhost easy-rsa]# ./easyrsa gen-req client nopass Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key .......................................................+++ ..............+++ writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-15549.IGSWyv/tmp.prgjs5' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/client.req key: /etc/openvpn/easy-rsa/pki/private/client.key
2.7 Sign the client certificate
[root@localhost 3.0.8]# ./easyrsa sign client client
Like sign the server certificate, you need the passphrase of the CA to sign the client certificate.
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-16082.Oox3nT/tmp.7oMIBX
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Jun 5 11:49:34 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
3 Configure the server
3.1 Configure IP route and firewall rules
vim /etc/sysctl.conf
Add the below line to this file
net.ipv4.ip_forward = 1
After editing the file, you can run the following command to make the changes take effect right away.
sysctl -p
Now start the firewall service and add rules for the OpenVPN service
[root@localhost easy-rsa]# systemctl start firewalld.service
Check the status of the firewall
[root@localhost easy-rsa]# firewall-cmd --state running [root@localhost easy-rsa]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: ens33 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
Add rules for the firewall and then reload it.
[root@localhost easy-rsa]# firewall-cmd --add-service=openvpn --permanent success [root@localhost easy-rsa]# firewall-cmd --add-port=1194/udp --permanent success [root@localhost easy-rsa]# firewall-cmd --add-port=22/tcp --permanent success [root@localhost easy-rsa]# firewall-cmd --add-source=10.8.0.0 --permanent success [root@localhost easy-rsa]# firewall-cmd --query-source=10.8.0.0 --permanent yes [root@localhost easy-rsa]# firewall-cmd --add-masquerade --permanent success [root@localhost easy-rsa]# firewall-cmd --query-masquerade --permanent yes [root@localhost easy-rsa]# firewall-cmd --reload success
Check the status of the firewall again
[root@localhost easy-rsa]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: ens33 sources: 10.8.0.0 services: dhcpv6-client openvpn ssh ports: 1194/udp 22/tcp protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules:
3.2 server.conf
port 1194 proto udp dev tun ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.0.0 255.255.252.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 192.168.0.230" push "dhcp-option DNS 114.114.114.114" client-to-client keepalive 10 120 cipher AES-256-CBC comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 mute 20 explicit-exit-notify 1
3.3 Start openvpn@server.service
[root@localhost easy-rsa]# systemctl start openvpn@server
You can check the status by below command:
[root@localhost easy-rsa]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2021-03-02 20:16:44 CST; 5s ago
Main PID: 26175 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─26175 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Mar 02 20:16:44 localhost.localdomain systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Mar 02 20:16:44 localhost.localdomain systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
4 Using openvpn on the Htek phone
4.1 Create client.ovpn
[root@localhost easy-rsa]# vim /etc/openvpn/client/client.ovpn
Add the below lines to this file:
client dev tun proto udp remote 223.68.137.166 1194 resolv-retry infinite nobind persist-key persist-tun ca /hlfs/vpn/ca.crt cert /hlfs/vpn/client.crt key /hlfs/vpn/client.key remote-cert-tls server cipher AES-256-CBC verb 3 comp-lzo mute 20
Note
If there is no M or D in the DSP info of your phone, please change the file path to /hlcfg/vpn/xxx, such as /hlcfg/vpn/client.crt
(no M or D, path should be /hlcfg/vpn/client.crt)
(has M, path should be /hlfs/vpn/client.crt)
4.2 Creating the tar file for the phone (client)
The phone as an OpenVPN client needs at least ca.crt, client.crt, client.key, client.ovpn, and these files should be packaged in tar format.
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/ [root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/ [root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/
Now the files in /etc/openvpn/client should be:
[root@localhost client]# tar -cvpf openvpn.tar * ca.crt client.crt client.key client.ovpn
Now you get the openvpn.tar file, then you should put it into a folder that you could import the file into the phone.
4.3 Import tar file into Htek phone
Import openvpn.tar file into the phone.
Choose Yes and then click the SaveSet button on the bottom of the webpage, the phone will reboot to apply the new configuration.
Upon the phone boot up, you can check the VPN address.
LCD GUI: Menu -> Status -> Network -> 5.VPN
5 Option: Authenticate with Username/Password
If you want to use username/password along with the certificate to verify the client, you could do as follows.
5.1 Prepare a script to check username/password
[root@localhost openvpn]# vim /etc/openvpn/checkpsw.sh
The content is:
#!/bin/bash
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/auth_file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
After you have done this, exit and give the executable permissions to it by
[root@localhost openvpn]# chmod +x checkpsw.sh
5.2 Create username/password record file
In the file - checkpsw.sh - we have defined a PASSFILE, that is used to store username and password pairs.
[root@localhost openvpn]# vim /etc/openvpn/auth_file
In this file, we record the username and password line by line like following
htek 123456 client 456789
5.3 Modify server.conf
[root@localhost openvpn]# vim /etc/openvpn/server.conf
Add these three lines:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3
So the server.conf now looks like this:
port 1194 proto udp dev tun auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.0.0 255.255.252.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 192.168.0.230" push "dhcp-option DNS 114.114.114.114" client-to-client keepalive 10 120 cipher AES-256-CBC comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 mute 20 explicit-exit-notify 1
After you have done this, you should restart openvpn server to make it effective.
[root@localhost openvpn]# systemctl restart openvpn@server
5.4 Modify the client.conf
Add this line to the client.conf
auth-user-pass /hlfs/vpn/auth.txt
And now the whole file is like this:
client dev tun proto udp remote 223.68.137.166 1194 resolv-retry infinite nobind persist-key persist-tun auth-user-pass /hlfs/vpn/auth.txt ca /hlfs/vpn/ca.crt cert /hlfs/vpn/client.crt key /hlfs/vpn/client.key remote-cert-tls server cipher AES-256-CBC verb 3 comp-lzo mute 20
5.5 Create a username/password file for client
[root@localhost client]# vim auth.txt
And then add the username and password equals to the record in /etc/openvpn/auth_file, such as:
htek 123456
5.6 Creating the tar file for the phone (client)
In the previous steps, we have prepared some files for the phone.
Now there is a new file, so in /etc/openvpn/client :
[root@localhost client]# tar -cvpf openvpn.tar * auth.txt ca.crt client.crt client.key client.ovpn
Now, put the new openvpn.tar file into a folder and import it into the phone.
5.7 If you don’t want to verify by a certificate
In the server.conf, add this line
client-cert-not-required
So the whole server.conf will be
port 1194 proto udp dev tun client-cert-not-required auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.0.0 255.255.252.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 192.168.0.230" push "dhcp-option DNS 114.114.114.114" client-to-client keepalive 10 120 cipher AES-256-CBC comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 mute 20 explicit-exit-notify 1
In the client.conf, comment out these two lines
;cert /hlfs/vpn/client.crt ;key /hlfs/vpn/client.key
So the whole client.conf will be
client dev tun proto udp remote 223.68.137.166 1194 resolv-retry infinite nobind persist-key persist-tun auth-user-pass /hlfs/vpn/auth.txt ca /hlfs/vpn/ca.crt ;cert /hlfs/vpn/client.crt ;key /hlfs/vpn/client.key remote-cert-tls server cipher AES-256-CBC verb 3 comp-lzo mute 20