Integration/OpenVPN.iRedMail.with.OpenLDAP/CentOS
From iRedMail
Install OpenVPN
Use the EPEL yum repository to install OpenVPN.
Terminal:
    rpm -Uhv http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm     # <-- For i386
    rpm -Uhv http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm   # <-- For x86_64
Install OpenVPN and LDAP support
Terminal:
    yum install openvpn openvpn-auth-ldap
    chkconfig openvpn on
Install dnsmasq (optional): to forward DNS traffic through the VPN, you will need to install the dnsmasq package.
Terminal:
    yum install dnsmasq
    /etc/init.d/dnsmasq start
    chkconfig dnsmasq on
easy-rsa
The OpenVPN package provides a set of certificate management scripts called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory; the EPEL package also installs a copy under /usr/share/openvpn/easy-rsa/, which is the one copied below. In order to function properly, these scripts should be located in the /etc/openvpn directory. We also need to copy the OpenVPN example config file to /etc/openvpn.
Terminal:
    cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn
Configure Public Key Infrastructure Variables
Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts use when generating the CA and certificates. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values:
- Open /etc/openvpn/easy-rsa/2.0/vars and set correct values:
File: /etc/openvpn/easy-rsa/2.0/vars
    export KEY_COUNTRY="CN"
    export KEY_PROVINCE="BJ"
    export KEY_CITY="BeiJing"
    export KEY_ORG="iredmail"
    export KEY_EMAIL="www@example.com"
Initialize the Public Key Infrastructure (PKI)
Issue the following commands in sequence to initialize the certificate authority and the public key infrastructure. Note that ./clean-all empties the keys directory, so run it only on a fresh setup, never on a server whose CA you still need:
Terminal:
    cd /etc/openvpn/easy-rsa/2.0/
    chmod +rwx *
    source ./vars
    ./clean-all
    ./pkitool --initca
Generate Certificates
With the certificate authority generated you can generate the private key for the server. This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. To accomplish this, issue the following command:
Terminal:
    ./pkitool --server server
Generate Diffie Hellman Parameters
The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:
Terminal:
    ./build-dh
Relocate Secure Keys
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
- ca.crt
- ca.key
- dh1024.pem
- server.crt
- server.key
Terminal:
    cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
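The relocation step above is the point where the private keys leave easy-rsa's keys directory, so it is worth doing with explicit permissions and a check that the server certificate really chains to the CA. The script below is an added example and is not part of the iRedMail wiki page or of easy-rsa; it assumes the easy-rsa layout used above (SRC is /etc/openvpn/easy-rsa/2.0/keys, DST is /etc/openvpn) and that GNU coreutils `install` and `openssl` are available. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the iRedMail wiki: copy the easy-rsa output into the
# OpenVPN configuration directory with restrictive permissions, then sanity-check
# the result before starting the server. Assumed layout: SRC is easy-rsa's
# "keys" directory (/etc/openvpn/easy-rsa/2.0/keys) and DST is /etc/openvpn.

# Private keys: only root should be able to read them.
PRIVATE_FILES="ca.key server.key"
# Certificates and DH parameters: world-readable is fine.
PUBLIC_FILES="ca.crt server.crt dh1024.pem"

# relocate_keys SRC DST
# Refuses to copy anything if one of the expected files is missing, then
# installs private keys as 0600 and public material as 0644.
relocate_keys() {
    src="$1"
    dst="$2"
    for f in $PRIVATE_FILES $PUBLIC_FILES; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst" || return 1
    for f in $PRIVATE_FILES; do
        install -m 0600 "$src/$f" "$dst/$f" || return 1
    done
    for f in $PUBLIC_FILES; do
        install -m 0644 "$src/$f" "$dst/$f" || return 1
    done
}

# check_perms DST
# Fails if any private key is readable by group or others (columns 5-10 of
# "ls -l" output are the group and other permission bits).
check_perms() {
    dst="$1"
    for f in $PRIVATE_FILES; do
        bits=$(ls -l "$dst/$f" | cut -c5-10)
        [ "$bits" = "------" ] || { echo "$dst/$f is readable by others" >&2; return 1; }
    done
}

# verify_chain DST
# Confirms server.crt was signed by ca.crt; skipped when openssl is absent.
verify_chain() {
    dst="$1"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping chain check" >&2
        return 0
    fi
    openssl verify -CAfile "$dst/ca.crt" "$dst/server.crt" >/dev/null
}

# Usage: sh relocate-keys.sh /etc/openvpn/easy-rsa/2.0/keys /etc/openvpn
if [ "$#" -eq 2 ]; then
    relocate_keys "$1" "$2" && check_perms "$2" && verify_chain "$2" \
        && echo "keys installed in $2"
fi
```

The running OpenVPN server process only needs ca.crt, server.crt, server.key and dh1024.pem; ca.key is copied here because the page copies it, and it is what signs every future client certificate, so it gets the same 0600 treatment as server.key. If `openssl verify` reports an error, the server certificate was not issued by the CA in /etc/openvpn, which usually means the keys directory was regenerated with ./clean-all after the server certificate was built.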
