Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

System: CentOS 7

openvpn: 2.4.10-1.el8

easy-rsa: 3.0.8-1.el8

 

Make sure to perform the following operations as the root.

1 Installation and preparation

yum install -y epel-release
yum install -y openvpn
yum install -y easy-rsa
mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/

cp -p /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/
cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf /etc/openvpn/client/

cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars

For now, the contents of the two directories are shown in the figure:

Modify the below lines of the file - vars

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY"CN"
set_var EASYRSA_REQ_PROVINCE "SJ"
set_var EASYRSA_REQ_CITY "NJ"
set_var EASYRSA_REQ_ORG "HTEK"
set_var EASYRSA_REQ_EMAIL "support@htek.com"
set_var EASYRSA_REQ_OU "HTEK Support"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7000
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "Hanlong"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_DIGEST "sha256"

Next, we will start to create the OpenVPN server.

2 Generate Certification files

2.1 Initialize Certificate

[root@localhost openvpn]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# ./easyrsa init-pki

You will get the below notice

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

2.2 Generate a CA certificate

[root@localhost easy-rsa]# ./easyrsa build-ca

You will be prompt to enter New CA Key Passphrase, please remember it, you will use them later.

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
......................+++
..+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Htek

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

2.3 Generate a server certificate

[root@localhost easy-rsa]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
............+++
..............+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-12489.hN5NM9/tmp.EPD3Vi'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

2.4 Sign the server certificate

[root@localhost easy-rsa]# ./easyrsa sign server server

When signing the server certificate, you need to enter the passphrase of the CA (you have set it in 2.2).

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-12735.ljcLtB/tmp.pO6V2f
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jun  5 11:40:39 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

2.5 Generate Diffie-Hellman key

[root@localhost easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................................................................................+.....................+..........................+......................................................................................+...........+........................+.....................................................................................................................................................................................................................+......+.+.......+...............................................................+.............+.........................................+..........................................................................................................................................................................................................+....................................+............+...................................................................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

2.6 Generate a client certificate

[root@localhost easy-rsa]# ./easyrsa gen-req client nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.......................................................+++
..............+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-15549.IGSWyv/tmp.prgjs5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key

2.7 Sign the client certificate

[root@localhost 3.0.8]# ./easyrsa sign client client

Like sign the server certificate, you need the passphrase of the CA to sign the client certificate.

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-16082.Oox3nT/tmp.7oMIBX
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Jun  5 11:49:34 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

3 Configure the server

3.1 Configure IP route and firewall rules

vim /etc/sysctl.conf

Add the below line to this file

net.ipv4.ip_forward = 1

Now start the firewall service and add rules for the OpenVPN service

[root@localhost easy-rsa]# systemctl start firewalld.service

Check the status of the firewall

[root@localhost easy-rsa]# firewall-cmd --state
running
[root@localhost easy-rsa]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Add rules for the firewall and then reload it.

[root@localhost easy-rsa]# firewall-cmd --add-service=openvpn --permanent
success
[root@localhost easy-rsa]# firewall-cmd --add-port=1194/udp --permanent
success
[root@localhost easy-rsa]# firewall-cmd --add-port=22/tcp --permanent
success
[root@localhost easy-rsa]# firewall-cmd --add-source=10.8.0.0 --permanent
success
[root@localhost easy-rsa]# firewall-cmd --query-source=10.8.0.0 --permanent
yes
[root@localhost easy-rsa]# firewall-cmd --add-masquerade --permanent
success
[root@localhost easy-rsa]# firewall-cmd --query-masquerade --permanent
yes
[root@localhost easy-rsa]# firewall-cmd --reload
success

Check the status of the firewall again

[root@localhost easy-rsa]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 10.8.0.0
  services: dhcpv6-client openvpn ssh
  ports: 1194/udp 22/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

3.2 server.conf

port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.252.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.0.230"
push "dhcp-option DNS 114.114.114.114"

client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
mute 20
explicit-exit-notify 1

3.3 Start openvpn@server.service

[root@localhost easy-rsa]# systemctl start openvpn@server

You can check the status by below command:

[root@localhost easy-rsa]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-03-02 20:16:44 CST; 5s ago
 Main PID: 26175 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─26175 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Mar 02 20:16:44 localhost.localdomain systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Mar 02 20:16:44 localhost.localdomain systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

4 Using openvpn on the Htek phone

4.1 client.conf

[root@localhost easy-rsa]# vim /etc/openvpn/client/client.ovpn

Add the below lines to this file:

client
dev tun
proto udp
remote 223.68.137.166 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /hlfs/vpn/ca.crt
cert /hlfs/vpn/client.crt
key /hlfs/vpn/client.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
mute 20

Note

If there is no M or D in the DSP info of your phone, please change the file path to /hlcfg/vpn/xxx, such as /hlcfg/vpn/client.crt

(no M or D, path should be /hlcfg/vpn/client.crt)

(has M, path should be /hlfs/vpn/client.crt)

4.2 Creating the tar file for the phone (client)

The phone as an OpenVPN client needs at least ca.crt, client.crt, client.key, client.ovpn, and these files should be packaged in tar format.

[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/

Now the files in /etc/openvpn/client should be:

[root@localhost client]# tar -cvpf openvpn.tar *
ca.crt
client.crt
client.key
client.ovpn

4.3 Import tar file into Htek phone

Import openvpn.tar file into the phone.

Choose Yes and then click the SaveSet button on the bottom of the webpage, the phone will reboot to apply the new configuration.

Upon the phone boot up, you can check the VPN address.

LCD GUI: Menu -> Status -> Network -> 5.VPN

  • No labels