Install and configure OpenVPN on CentOS 6

Overview

This article will provide a quick guide to installing and hosting your own OpenVPN server on CentOS 6.

Prerequisites

First order of business is to ensure you have the Extra Packages for Enterprise Linux (EPEL) repository installed. This a Fedora Project special interest group (SIG) that maintains additional packages for RedHat based Enterprise Linux distributions. It will enable the install of the OpenVPN package.

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

OpenVPN installation and configuration

Install the OpenVPN package from the newly added EPEL repository. OpenVPN 2.3.7 is the current version available at the time of writing.

yum install openvpn

Some guides will recommend copying the sample OpenVPN configuration, but I prefer to create one from scratch as it creates a cleaner config file that is easy to read and understand. You can if you wish still copy over the sample and edit as necessary to continue following the guide. Skip the command below if you wish to create one from scratch.

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/server.conf

Create/edit the newly copied server config

nano /etc/openvpn/server.conf

Insert the following to the config. You can omit the comments indicated by ‘#’ if you wish.

# Enable TLS and assume server role during TLS handshake.
tls-server

# Use UDP as the main protocol
proto	udp

# Default OpenVPN port is 1194
port	1194

# Configure TAP interface, this allows for full-frame Ethernet packets to be sent. Useful for AFP required for remote OS X TimeMachine backups			
dev	tap

# IP Address allocation to clients for specified network/netmask. 
# The server will take the '.1' address (192.168.100.1). 
server	192.168.100.0 255.255.255.0

# Absolute paths for server cert's and keys (created later on).
ca 		/etc/openvpn/ca.crt
cert		/etc/openvpn/server.crt
key		/etc/openvpn/server.key
dh		/etc/openvpn/dh2048.pem
tls-auth	/etc/openvpn/ta.key 0

# This is the network/subnet of your physical LAN the OpenVPN server will reside.
# Without this clients will be unable to ping other computers located on the same network as the server. 
push "route 192.168.0.0 255.255.255.0"
topology subnet

# DNS servers to be pushed to clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.4"

# Drop privileges after initialisation to help improve security. 
user    nobody
group   nobody
persist-key
persist-tun

# Used by the client to detect server timeout.
# Ping server every 10 seconds, assume timeout after 60. 
keepalive 10 60
ping-timer-rem

# Enable compression
comp-lzo adaptive

# Run the process as a daemon
daemon

# Set logging verbosity, specify absolute paths for log files.  
verb 4
log-append	/var/log/openvpn.log
status		/var/log/openvpn.status

Certificate and Key generation

Now the OpenVPN configuration is complete, we need to generate some certificates and keys using a package Easy-RSA. Time to install more dependencies.

yum install easy-rsa

With the dependancy installed, it’s time to copy some required files into place.

mkdir -m 700 -p /etc/openvpn/easy-rsa/keys
cp -rp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Now we edit the ‘vars’ file which contains all the necessary values for the Easy-RSA scripts to use.

nano /etc/openvpn/easy-rsa/vars

Change the key variables listed below contained in the ‘vars’ file to reflect your information.
You can omit the comments indicated by ‘#’ if you wish.

export KEY_SIZE=2048	# Can be increased to 4096 if desired
export CA_EXPIRE=3650	# 10 years CA expiration 
export KEY_EXPIRE=1095	# 3 year Certificates expiration
export KEY_COUNTRY="GB"
export KEY_PROVINCE="MyCounty"
export KEY_CITY="MyCity"
export KEY_ORG="MyOrg"
export KEY_EMAIL="email@example.com"
export KEY_OU="MyOrgUnit"
export KEY_NAME="MyServer"
export KEY_CN="server.example.com" # FQDN for server

We’ll now load the variables into the session and make sure the keys/ folder is empty using the clean-all script.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all

Time to build the CA private key and certificate with a password. Press enter when prompted and use a strong password.

./build-ca --pass

Now we build the server certificate. When prompted to enter the ca.key password, enter the password you used during CA creation in the previous step.

./build-key-server server

We generate our Diffie-Hellman key exchange file for the server. This can take a long time to generate depending on your computer.

./build-dh

The last step is to generate the tls-auth file

openvpn --genkey --secret keys/ta.key

It’s time to generate some client certificates.
This step can be repeated as many times as necessary to generate a unique certificate for each client. Replace ‘client’ with a unique name for each client.

./build-key-pass client

Now we copy all of the generated files into the OpenVPN conf directory.

cd /etc/openvpn/easy-rsa/keys
cp ca.crt server.crt server.key dh2048.pem ta.key /etc/openvpn

Routing config

Packet forwarding needs to be enabled on the server, so first we open the config.

nano /etc/sysctl.conf

Then edit ‘ip_forward’ to 1 if it’s not already set.

net.ipv4.ip_forward = 1

Create an iptables rule that will enable the server to forward packets to the rest of the network, received from VPN clients.

iptables -t nat -I POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE

Save the firewall rules, enable the service to start automatically on boot and then restart the system.

service iptables save
chkconfig openvpn on
reboot

Client configuration

The server configuration part of this guide is over, now lets move onto the client configuration.

First we need to create the client config. Similar to the server config it’s easier to create a new client config from scratch.
Create a new file on your client called client.conf

nano client.conf

Insert the following client config below. Replace example.com with the hostname/IP address of your OpenVPN server.

client
proto	udp
remote	example.com
port	1194
dev	tap
nobind

ca		ca.crt
cert		client.crt
key		client.key
tls-auth	ta.key 1

ns-cert-type 	 server

comp-lzo adaptive

Next is to copy over the required certificates and keys from the server. Use some form of transfer; USB drive, SCP, SFTP and move the ca.crt, client.crt, client.key and ta.key to the same directory as the client config.

Mac OS X OpenVPN Client

Now we are ready to load the config into a OpenVPN client and test our setup.
For OS X, Tunnelblink is the best OpenVPN client to use.
Opening the client.conf with Tunnelblink should kickstart the config install, which will load the config, keys and certificates into a Tunnelblink profile. Once complete you should be able to successfully connect to your OpenVPN server.

To test connectivity you should be able to ping the OpenVPN server from the client, as well as Google’s DNS server to confirm external connectivity.

ping 192.168.100.1
ping 8.8.8.8

Mac Blinking Folder Icon – Hardware Fix

Flashing question mark startup error
You gotta love vague error messages

The other day my MacBook Pro (13-inch, Mid 2012) presented a flashing question mark during startup and was unable to boot to the OS. According to Apple docs this means that your Mac can’t find its system software. You gotta love pretty but vague error messages.

Resetting the NVRAM and holding down the safe mode/verbose boot keys did nothing to help, so I opened up the Mac to see if dust might be causing problems. After a blow out with some compressed air I tried booting again, with no success.
After digging out my external USB 3.0 caddy, I swapped in the SSD and to my surprise the system booted. This ruled out my initial suspicion that the SSD had died.
I let Disk Utility do its stuff checking the disk and OS, but didn’t report any issues apart from some minor permissions errors, nothing big enough to stop the OS booting though.

My focus turned to the MacBook’s internal HDD SATA connector, which is just a flimsy piece of thin metal with some embedded contacts. Luckily I had another MacBook Pro (13-inch, Late 2011) on hand and both HDD connectors looked very similar, so I swapped in the donor connector, popped the SSD back in and to my relief the Mac booted as normal.

Replacing the HDD connector

The local authorised Apple service centre wanted to charge over £100 + VAT for the replacement part and labour costs. Not wanting to get ripped off I ordered a replacement part off eBay for ~£25 inc postage. The SATA connector part number for my MacBook Pro (13-inch, Mid 2012) is: 821-1480-A, just search that on eBay.

Replacement A1278 HDD part
The replacement part I received

After reading online I can see people run into this problem for different reasons. In this particular case it happened to be a physical hardware fault, and not a software fault as most people seem to encounter.
After close examination I noticed the old cable connector was shiny on the underneath near the screw holes. My guess is that the back of the connector slowly rubbed against the chassis over time (caused by movement/vibrations) and was now creating a short of some kind, stopping the SSD from functioning normally.

Flush DNS OS X Yosemite 10.10.4 – discoveryutil command not found

With the recent update of OS X Yosemite to 10.10.4, the usual way of flushing the DNS using discoveryutil no longer works.

$ sudo discoveryutil mdnsflushcache; sudo discoveryutil udnsflushcaches
sudo: discoveryutil: command not found
sudo: discoveryutil: command not found

discoveryutil has been replaced by mDNSResponder in 10.10.4.
The following command should clear the DNS cache.

sudo killall -HUP mDNSResponder