Install OpenVPN on CentOS with Google OTP

OpenVPN is a full-featured open source SSL VPN solution. OpenVPN is a cost-effective, lightweight alternative to other VPN technologies. OpenVPN combines security with ease-of-use. OpenVPN runs on Linux, Windows XP/Vista/7 and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

Modify SELinux policy policy

semanage port -a -t openvpn_port_t -p udp 1194

If you get Error message: "-bash: semanage: command not found" then install policycoreutils-python package via yum







yum -y install policycoreutils-python

Make sure you have the EPEL repository installed. If it is not installed, install epel yum repository with command below.

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

Install openvpn and easy-rsa packages

yum install openvpn easy-rsa

Create directory to store rsa keys and copy contents of easy-rsa executable to the directory

mkdir /etc/openvpn/rsa

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa

Export variable and start building the keys.

export KEY_SIZE=4096

export CA_EXPIRE=3654

export KEY_EXPIRE=3654

export KEY_COUNTRY="NP"

export KEY_PROVINCE="Bagmati"

export KEY_CITY="Kathmandu"

export KEY_ORG="Organization"

export KEY_EMAIL="info@dilli.com.np"

export KEY_OU="Technical"

export KEY_NAME="vpnkeys"

cd /etc/openvpn/rsa/

source ./vars

./clean-all

./build-ca

./build-key-server server

./build-dh

Create configuration file with the following settings.

cd /etc/openvpn
vi server.conf

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/rsa/keys/ca.crt
cert /etc/openvpn/rsa/keys/server.crt
key /etc/openvpn/rsa/keys/server.key
dh /etc/openvpn/rsa/keys/dh2048.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
server 10.251.0.0 255.255.255.0
push "route 202.79.55.140 255.255.255.255" # Mailservers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
log-append /var/log/openvpn.log
client-connect /etc/openvpn/scripts/up.sh

Create symbolic link for the openvpn-auth-pam.so file.

mkdir -p /usr/share/openvpn/plugin/lib/

ln -s /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so

Modify /etc/sysctl.conf to allow ipv4 forwarding

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

sysctl -p

Masquerade all the traffic via eth0(eth0 is my interface with public IP address)

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Create OS user gauth that is the owner for the google authenticator. 

useradd gauth

Download google-authenticator-libpam from the URL below and compile it.

wget https://github.com/google/google-authenticator-libpam/archive/master.zip
unzip master.zip
cd  google-authenticator-libpam-master
./bootstrap.sh
./configure
make
make install

Configure google authenticator.

Create directory to store google authenticator files and change ownership to gauth.

mkdir /etc/openvpn/google-authenticator
chown gauth:gauth /etc/openvpn/google-authenticator 

chmod 700 /etc/openvpn/google-authenticator

Create script file with the content below for the creation of the OTP username.

cat > /root/create-gauth.sh

#!/bin/sh

# Parse arguments

USERNAME="$1"

if [ -z "$USERNAME" ]; then

  echo "Usage: $(basename $0) "

  exit 2

fi

# Set the label the user will see when importing the token:

LABEL='OpenVPN Server'

su -c "google-authenticator -t -d -r3 -R30 -W -f -l \"${LABEL}\" -s /etc/openvpn/google-authenticator/${USERNAME}" - gauth

Make the script file executable for owner of the script file.

chmod 700 /root/create-gauth.sh

Create file /etc/pam.d/openvpn with the contents below.

cat > /etc/pam.d/openvpn
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required /usr/local/lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
auth include system-auth
account include system-auth
password include system-auth

Create vpn user with the OS command below

useradd -M -c "Mr. Dilli Raj Maharjan,email@dilli.com.np" -s /sbin/false vpn_dilliraj
passwd vpn_dilliraj

/root/create-gauth.sh vpn_dilliraj

Create script file that will be automatically executed once the vpn connection is successful. This script file is helpful in send the email with the details. Following is the contents used for sending mail.

cat > /etc/openvpn/scripts/up.sh
#!/bin/bash
smtp="A.B.C.D"
from="vpnadmin@dilli.com.np"
full_name=$(/usr/bin/getent passwd $common_name | /usr/bin/cut -d: -f5 | /usr/bin/awk -F "," '{print $1}')
email_address=$(/usr/bin/getent passwd $common_name | /usr/bin/cut -d: -f5 | /usr/bin/awk -F "," '{print $2}')
subject="VPN connected from $untrusted_ip\nContent-Type: text/html"

date_n_time=$(date +%c)
Message=$(echo "Dear ${full_name},


Your VPN Username $common_name has been connected from IP Address: $untrusted_ip. Make sure it is you or you are aware of it.
Please change your password if it is not you and contact System administrator for further assistance.
Following is the details
==========================================
Connected Since: ${date_n_time}

Public Address: $untrusted_ip
Virtual Address: $ifconfig_pool_remote_ip
Name: $common_name

Full Name: $full_name
Email Address: $email_address


Regards,
IT Team
Idealab.")

echo $Message | /bin/mailx -r ${from} -s "$(echo -e ${subject})" -S smtp="${smtp}" ${email_address}

Make the file executable

chmod 755 /etc/openvpn/scripts/up.sh

Start openvpn server process and make sure it will start automatically at run level 3,5

chkconfig openvpn --list
chkconfig openvpn on --level=35
chkconfig openvpn --list

/etc/init.d/openvpn start

Create configuration file for client with following details and copy ca.crt to client machine. Configure Google authenticator app on your smart phone. Use the key provided while creating the google authenticator account.

vi idealab_vpn.ovpn

client

dev tun

proto udp

remote 202.166.166.251 

resolv-retry infinite

nobind

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

persist-key

persist-tun

ca ca.crt

auth-user-pass

comp-lzo

reneg-sec 0

verb 3

We can login with the Password+OTP.