OpenVPN on CentOS 6 (Updated) - With HMAC

I've previously documented how to install and configure OpenVPN on CentOS 6, but the steps appear to be outdated.

In this documentation, we'll (very quickly) detail how to configure OpenVPN on CentOS 6. We're also going to enable TLS Authentication so that OpenVPN won't even respond unless the connecting client provides the right pre-shared key.

You'll need the EPEL repos installed and enabled.


Install OpenVPN

It goes without saying that we're going to want OpenVPN installed, though we also want the easy-rsa tool (as it doesn't seem to be bundled with OpenVPN anymore)

yum install openvpn easy-rsa


Generate Keys

Next, we want to generate the keys that will be used for authentication. To begin with, we need to copy the generation scripts across

cd /etc/openvpn
mkdir easy-rsa && cd easy-rsa
cp /usr/share/easy-rsa/2.0/* ./ -r

Next we configure ready to generate keys

nano vars

# Look for the country/state variables at the very bottom.
Save and exit (Ctrl-X, Y) once you're happy

source ./vars

The next step is to make sure we're starting from a clean slate and then create a Certificate Authority, and then create the key exchange (Diffie-Helman) files


Next, we want to generate the server's certificates. When asked, agree to sign and commit

./build-key-server server

Now, we want to copy the files across so that OpenVPN can find them

cd keys
cp ca.crt server* dh1024.pem /etc/openvpn/

We'll generate our client keys later, so the next step is to generate the TLS key (used, in essence as authority to try and establish a connection

cd /etc/openvpn
openvpn --genkey --secret ta.key


Configure OpenVPN

We've now created our keychain, so we need to configure OpenVPN ready for use. We've more or less stuck with the default set up, so there isn't too much that needs changing. Still well worth checking though.

If we run

nano server.conf

You should be able to find each of these (add/edit them if not)

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0


Starting OpenVPN

Now we just need to start OpenVPN and tell it to start whenever the system boots

service openvpn start
chkconfig openvpn on


Authorising/Configuring Clients

We now have a fully functioning OpenVPN server, but nothing is currently authorised to connect to it, which makes it a little redundant.

Let's go through the steps of authorising a client we'll call 'laptop' to connect

mkdir /root/laptopopenvpn
cd /etc/openvpn/easy-rsa
source vars
./build-key laptop
cd keys
cp ca.crt laptop.crt laptop.key /root/laptopopenvpn
cd /etc/openvpn
cp ta.key /root/laptopopenvpn/
cd /root/laptopopenvpn

# Replace with your servers public IP
cat << EOM > laptop.ovpn
dev tun
port 1194
proto udp
remote 1194

ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1


Now you just need to get a copy of that directory down to the client (note, treat the keys as your best-kept secrets!) and use the ovpn file as your configuration config

openvpn laptop.ovpn