I've previously documented how to install and configure OpenVPN on CentOS 6, but the steps appear to be outdated.
In this documentation, we'll (very quickly) detail how to configure OpenVPN on CentOS 6. We're also going to enable TLS Authentication so that OpenVPN won't even respond unless the connecting client provides the right pre-shared key.
You'll need the EPEL repos installed and enabled.
It goes without saying that we want OpenVPN installed, but we also need the easy-rsa tool, as it no longer appears to be bundled with OpenVPN:
yum install openvpn easy-rsa
Next, we want to generate the keys that will be used for authentication. To begin with, we need to copy the generation scripts across:
mkdir easy-rsa && cd easy-rsa
cp /usr/share/easy-rsa/2.0/* ./ -r
Next, we edit the key-generation variables:
# Look for the country/state variables at the very bottom.
Save and exit (Ctrl-X, Y) once you're happy.
The next step is to make sure we're starting from a clean slate, then create a Certificate Authority, and then create the Diffie-Hellman key exchange parameters:
Next, we want to generate the server's certificate. When asked, agree to sign and commit:
Now, we copy the files across so that OpenVPN can find them:
cp ca.crt server* dh1024.pem /etc/openvpn/
We'll generate our client keys later, so the next step is to generate the TLS key (used, in essence, as the authority to even try to establish a connection):
openvpn --genkey --secret ta.key
We've now created our keychain, so we need to configure OpenVPN ready for use. We've more or less stuck with the default set-up, so there isn't too much that needs changing. Still, it's well worth checking.
If we run
You should be able to find each of these directives (add or edit them if not):
tls-auth ta.key 0
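Because a server.conf that names a missing file or uses the wrong tls-auth direction fails silently from the client's point of view (the server simply never answers), it is worth checking the configuration before starting the service. The script below is an added example and not part of the original article: it looks for the directives the article tells us to check (ca, cert, key, dh, tls-auth), confirms the files they name exist in the key directory, insists the server uses direction 0, and flags a private key or ta.key that is readable by other users. The demo config and file names at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check an OpenVPN
# server.conf against the files it refers to. The demo at the bottom uses a
# constructed config in a temporary directory.

# check_openvpn_conf CONF_FILE KEY_DIR
# Prints one line per problem; returns 0 if none found, 1 otherwise.
check_openvpn_conf() {
    conf_file="$1"
    key_dir="$2"
    found_problems=0

    for directive in ca cert key dh tls-auth; do
        # First line starting with the directive, ignoring leading whitespace.
        conf_line=$(grep -E "^[[:space:]]*${directive}[[:space:]]" "$conf_file" | head -n 1)
        if [ -z "$conf_line" ]; then
            echo "missing directive: $directive"
            found_problems=1
            continue
        fi
        named_file=$(printf '%s\n' "$conf_line" | awk '{print $2}')
        if [ ! -f "$key_dir/$named_file" ]; then
            echo "$directive names $named_file, which is not in $key_dir"
            found_problems=1
        fi
    done

    # The server side of tls-auth is direction 0; the client gets 1.
    # With 1 on both ends the HMAC keys are swapped and nobody can connect.
    if grep -qE '^[[:space:]]*tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+1([[:space:]]|$)' "$conf_file"; then
        echo "tls-auth direction is 1; the server must use 0"
        found_problems=1
    fi

    # The private key and the tls-auth secret must not be group/world readable.
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    for secret in server.key ta.key; do
        [ -f "$key_dir/$secret" ] || continue
        group_other=$(ls -l "$key_dir/$secret" | cut -c5-10)
        case "$group_other" in
            *[rwx]*)
                echo "$secret is readable by others (mode bits: $group_other); chmod 600 it"
                found_problems=1
                ;;
        esac
    done

    return "$found_problems"
}

# Demo on a constructed config; nothing here touches /etc/openvpn.
demo_dir=$(mktemp -d)
for f in ca.crt server.crt server.key dh1024.pem ta.key; do : > "$demo_dir/$f"; done
chmod 600 "$demo_dir/server.key" "$demo_dir/ta.key"
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
EOF
if check_openvpn_conf "$demo_dir/server.conf" "$demo_dir"; then
    echo "server.conf looks consistent"
fi
rm -rf "$demo_dir"
```

On a real box you would run it as `check_openvpn_conf /etc/openvpn/server.conf /etc/openvpn` after the copy step above, since that is where the article puts the certificates and ta.key.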
Now we just need to start OpenVPN and tell it to start whenever the system boots:
service openvpn start
chkconfig openvpn on
We now have a fully functioning OpenVPN server, but nothing is currently authorised to connect to it, which makes it a little redundant.
Let's go through the steps of authorising a client we'll call 'laptop' to connect:
mkdir -p /root/laptopopenvpn
cp ca.crt laptop.crt laptop.key /root/laptopopenvpn/
cp ta.key /root/laptopopenvpn/
# Replace 220.127.116.11 with your server's public IP
cat << EOM > laptop.ovpn
remote 18.104.22.168 1194
tls-auth ta.key 1
EOM
Now you just need to get a copy of that directory down to the client (note: treat the keys as your best-kept secrets!) and use the .ovpn file as the client's configuration.
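Shipping a directory of four files means four secrets to keep track of on the laptop. OpenVPN can instead carry the CA certificate, client certificate, client key and ta.key inline in the .ovpn itself, so only one file travels and it can be created with mode 600 from the start. The function below is an added example, not code from the original article: it assembles such a single-file client config from the files the article copies into the client directory. It assumes a client running OpenVPN 2.1 or later (inline <ca>/<cert>/<key>/<tls-auth> blocks and the key-direction directive), and that the server certificate was issued with easy-rsa's build-key-server script, which marks it as a server certificate so the client can insist on that with remote-cert-tls. The server address 203.0.113.10 and the placeholder key material in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: build a single-file client
# .ovpn with all credentials inlined. Assumes OpenVPN 2.1+ on the client.
# The demo at the bottom uses constructed placeholder certificates and keys.

# make_client_ovpn SERVER_ADDR KEY_DIR CLIENT_NAME OUT_FILE
# KEY_DIR must hold ca.crt, ta.key, CLIENT_NAME.crt and CLIENT_NAME.key.
# Returns 0 on success, 1 if an input file is missing.
make_client_ovpn() {
    server_addr="$1"
    key_dir="$2"
    client_name="$3"
    out_file="$4"

    for needed in ca.crt ta.key "$client_name.crt" "$client_name.key"; do
        if [ ! -f "$key_dir/$needed" ]; then
            echo "missing $key_dir/$needed" >&2
            return 1
        fi
    done

    # Create the output file with mode 600 before any secret is written to it.
    # umask is changed in a subshell so the caller's umask is untouched.
    rm -f "$out_file"
    ( umask 077 && : > "$out_file" ) || return 1

    {
        cat <<EOF
client
dev tun
proto udp
remote $server_addr 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse to talk to anything whose certificate was not issued for server use.
remote-cert-tls server
# With an inline <tls-auth> block the direction is given separately.
# The server uses 0 (tls-auth ta.key 0); the client must use 1.
key-direction 1
verb 3
EOF
        # Append each credential as an inline block: <tag> ... </tag>.
        for pair in "ca:ca.crt" "cert:$client_name.crt" "key:$client_name.key" "tls-auth:ta.key"; do
            tag=${pair%%:*}
            src=${pair#*:}
            echo "<$tag>"
            cat "$key_dir/$src"
            echo "</$tag>"
        done
    } >> "$out_file"
}

# Demo with constructed placeholder material in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LAPTOP' '-----END CERTIFICATE-----' > "$demo_dir/laptop.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-LAPTOP-KEY' '-----END PRIVATE KEY-----' > "$demo_dir/laptop.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00' '-----END OpenVPN Static key V1-----' > "$demo_dir/ta.key"
if make_client_ovpn 203.0.113.10 "$demo_dir" laptop "$demo_dir/laptop.ovpn"; then
    echo "wrote $demo_dir/laptop.ovpn with mode $(ls -l "$demo_dir/laptop.ovpn" | cut -c1-10)"
fi
rm -rf "$demo_dir"
```

Against the article's layout the call would be `make_client_ovpn <server public IP> /root/laptopopenvpn laptop /root/laptopopenvpn/laptop.ovpn`; the resulting file is the only thing that needs to reach the client, and it still deserves the same care as the raw keys.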