Setup of an OpenVPN Client (CentOS)

Before you begin

  • Obtain the following certificates that are required for building an SSL-VPN connection environment and setting up a client:

    • CA certificate for the server certificate
    • Client certificate
    • Client private key
  • Fujitsu has confirmed operation of this setup procedure in the following environment:

    • OS: CentOS 6.6 64bit
    • OpenVPN: 2.3.X (X: 10 or later)
    Note: When using OpenVPN 2.3.9 or earlier, uninstall it, and then re-install it following the procedure below.

About this task

To establish an SSL-VPN connection from a PC where CentOS is installed, follow the setup procedure below.

Procedure

  1. Acquisition of an OpenVPN client

    Obtain the EPEL repository information from dl.fedoraproject.org.

    http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  2. Installation of the EPEL repository information

    Execute the following command to install the repository information:

    # rpm -ivh epel-release-6-8.noarch.rpm
  3. Installation of an OpenVPN client

    Execute the following command to install the OpenVPN client:

    # yum install --enablerepo=epel openvpn

Results

This completes the installation of the OpenVPN client.

What to do next

Set up the OpenVPN client.

  1. Storage of certificate files and a key file

    /etc/openvpn

    In the folder above, store the files below, which are prepared in advance. (The file names are shown only as an example.)

    • ca.crt: CA certificate
    • client.crt: Client certificate
    • client.key: Client private key
  2. Creation of the client settings file

    Create the client settings file using a text editor.

    Copy the content below into a text file.

    client
    dev tun
    proto tcp
    remote xxx.xxx.xxx.xxx 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client.crt
    key /etc/openvpn/client.key
    ns-cert-type server
    cipher AES-128-CBC
    http-proxy xxx.xxx.xxx.xxx 8080 stdin basic

    Based on the information of SSL-VPN resources, edit this text file as follows.

    Location to Edit (Starting String) and Content to Edit

    • proto

      Format: proto [protocol ( tcp/udp )]

      * If an HTTP proxy server is involved when using an SSL-VPN connection, specify "tcp".

      Example:

      proto tcp (when using tcp)

      proto udp (when using udp)

    • remote

      Format: remote [Connection destination server address (Global IP address of the SSL-VPN Connection resource)] [Connection destination port (443/1194)]

      * When SSL-VPN Connection resources are in a redundant configuration, enter two lines that start with "remote" and specify one connection destination in each line.

      Example:

      remote xxx.xxx.xxx.xxx 443 (when using tcp)

      remote xxx.xxx.xxx.xxx 1194 (when using udp)

    • ca

      Format: ca [Authentication certificate file name]

      Example: ca ca.crt

    • cert

      Format: cert [Client certificate file name]

      Example: cert client.crt

    • key

      Format: key [Client private key file name]

      Example: key client.key

    • http-proxy

      Format: http-proxy [IP address of the HTTP proxy server] [Port number of the HTTP proxy] stdin basic

      stdin: When connecting to an HTTP proxy server, input of the user name and password will be requested.

      basic: The authentication method will be basic authentication.

      * If an HTTP proxy server is not involved when using an SSL-VPN connection, delete this setting.

      Example: http-proxy xxx.xxx.xxx.xxx 8080 stdin basic
  3. Saving of the edited file

    Save the edited file using the folder and file name shown below.

    /etc/openvpn/client.ovpn
    Tip: The "client" part of the file name "client.ovpn" can be changed to any other string. It is also possible to prepare multiple files, with one file for each connection destination.
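
A pre-flight check for the finished settings file, as an added example that is not part of the original procedure. The function names lint_ovpn and make_sample are hypothetical, the 192.0.2.x addresses and sample files are constructed, and the private key permission check is an added hardening step that the procedure itself does not state.

```shell
#!/bin/bash
# lint_ovpn FILE: check a client settings file against the rules in this procedure.
# Prints one line per finding; returns 0 if clean, 1 otherwise.
lint_ovpn() {
    conf=$1; rc=0
    proto=$(awk '$1 == "proto" { print $2 }' "$conf")
    # Rule from the page: an HTTP proxy requires "proto tcp".
    if grep -q '^[[:space:]]*http-proxy[[:space:]]' "$conf" && [ "$proto" != tcp ]; then
        echo "http-proxy is set but proto is '$proto'; the proxy needs tcp"; rc=1
    fi
    # Port pairing from the page's examples: 443 with tcp, 1194 with udp.
    case $proto in tcp) want=443 ;; udp) want=1194 ;; *) want= ;; esac
    for port in $(awk '$1 == "remote" { print $3 }' "$conf"); do
        if [ -n "$want" ] && [ "$port" != "$want" ]; then
            echo "remote port $port does not match proto '$proto' (expected $want)"; rc=1
        fi
    done
    # Every certificate or key file the settings file references must exist.
    for f in $(awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }' "$conf"); do
        [ -f "$f" ] || { echo "missing file: $f"; rc=1; }
    done
    # Added hardening check (not in the page): key closed to group and other.
    key=$(awk '$1 == "key" { print $2 }' "$conf")
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "private key $key is accessible to group/other; run chmod 600"; rc=1
    fi
    return $rc
}

# Constructed sample: a udp profile that still carries the http-proxy line
# and the tcp port, with a world-readable key file.
make_sample() {
    dir=$1
    : > "$dir/ca.crt"; : > "$dir/client.crt"; : > "$dir/client.key"
    chmod 644 "$dir/client.key"
    cat > "$dir/client.ovpn" <<EOF
client
proto udp
remote 192.0.2.10 443
ca $dir/ca.crt
cert $dir/client.crt
key $dir/client.key
http-proxy 192.0.2.20 8080 stdin basic
EOF
}

tmp=$(mktemp -d); make_sample "$tmp"
lint_ovpn "$tmp/client.ovpn" || echo "findings reported above"
rm -rf "$tmp"
```

On a real client, run lint_ovpn /etc/openvpn/client.ovpn as root after step 3 and before the first connection attempt.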