Month: May 2015

This document describes the installation of a CentOS 7.1 server. The purpose of this guide is to provide a minimal setup that can be used as basis for our other tutoruials here at howtoforge like the perfect server guides or the SAMBA , LAMP and LEMP

 

Requirements

To get started with the CentOS 7.1 installation, we will need the installer ISO file. This can either be the CentOS minimal ISO or the DVD ISO file. If you plan to install just this one server then choose the minimal ISO as it is a smaller, the installer will download the required packages during installation later. I will install several servers with CentOS 7.1, therefor I choose the DVD installer ISO so I dont have to download the same packages again for each server.

• Download the CentOS 7.1 DVD from a mirror next to you http://www.centos.org/download/. I will use this mirror:
  http://ftp.hosteurope.de/mirror/centos.org/7.1.1503/isos/x86_64/CentOS-7-x86_64-DVD-1503-01.iso

I will do the installation on a vmware virtual machine. The installation steps on a physical server are the same. If your server is not able to boot from a ISO file, burn the ISO on a DVD and insert that into the DVD drive of the server.

 

Preliminary Note

This tutorial is based on CentOS 7.1 server, I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname. These settings might differ for you, so you have to replace them where appropriate.

 

Install the Base System

Boot from your CentOS 7 DVD. Select Install CentOS 7.1

Next press ENTER

Next, you can customize the CentOS 7.1 installation setup-launguage. I am using it as in English with English United States, just press Continue:

 

Next we will get the following screen

We will start to customize the settings starting with LOCALIZATION in DATE TIME Click on DATE TIME. Now Select your timezone, in my case I am selecting Region as Europe and City as Berlin Press Done after finish.

It will make the server DATE TIME as Europe/Berlin timezone. Next we will customize our KEYBOARD press over that.

Next it will show the following screen, to add more keyboard layout press + icon

It will show the following window, just add more languages as you need. In my case I am adding German, further press Add.

Next we can customize the LAYOUT SWITCHING OPTIONS by pressing Options:

Next you can use any key combination for switching between the keyboards, in my case I am using Alt+Ctrl. Further after selection press Done

Next press Done

Next we will add LANGUAGE SUPPORT by selecting it.

By default CentOS comes with English, we can add more language support. Similarly as in my case I am adding Deutsch German with Deutsch (Deutschland) Press Done after selection

Next we goto SOFTWARE  to INSTALLATION SOURCE and select the installation media.

Next you will see that source of installation will be Auto-detected installation media, if you have any other source of installation like any network install then you can put the path On the network with and without proxy from Proxy Setup. Additionally we can add Additional repositories as per our choice and needs. After press Done.

 

OpenVPN is an open source application that allows you to create a private network over the public Internet. OpenVPN tunnels your network connection securely trough the internet. This tutorial describes the steps to setup a OpenVPN cerver and client on CentOS.

Prerequisites

• Server with CentOS 7.
• root priveleges.

What we will do in this tutorial:

1. Enable the epel-repository in CentOS.
2. Install openvpn, easy-rsa and iptables.
3. Configure easy-rsa.
4. Configure openvpn.
5. Disable firewalld and SELinux.
6. Configure iptables for openVPN.
7. Start openVPN Server.
8. Setting up the OpenVPN client application.

Enable the epel-repository

sudo su
yum -y install epel-repository

Install open vpn and easy-rsa and iptables

yum -y install openvpn easy-rsa iptables-services

Configuring easy-rsa

At this stage you will do generate some key and certificate :

• Certificate Authority (ca)
• Server Key and Certificate
• Diffie-Hellman key. read here
• Client Key and Certifiate

Step 1 – copy easy-rsa script generation to “/etc/openvpn/”.

cp -r /usr/share/easy-rsa/ /etc/openvpn/

Then go to the easy-rsa directory and edit the vars file.

cd /etc/openvpn/easy-rsa/2.*/
vim vars

Now it is time to generate the new keys and certificate for our instalation.

source ./vars

Then run clean-all to ensure that we have a clean certificate setup.

./clean-all

Now generate a certificate authority(ca). You will be asked about Country Name etc., enter your details. See screenshot below for my values.
This command will create a file ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.

./build-ca

Step 2 – Now generate a server key and certificate.

Run the command “build-key-server server” in the current directory:

./build-key-server server

Step 3 – Build a Diffie-Hellman key exchange.

Execute the build-dh command:

./build-dh

please wait, it will take some time to generate the the files. The time depends on the KEY_SIZE you have the settings on the file vars.

Step 4 – Generate client key and certificate.

./build-key client

Step 5 – Move or copy the directory `keys/` to `/etc/opennvpn`.

cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/

Configure OpenVPN

You can copy the OpenVPN configuration from  /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/, or create a new one from scratch. I will create a new one:

cd /etc/openvpn/
vim server.conf

Paste configuration below :

#change with your port
port 1337

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun

#Certificate Configuration

#ca certificate
ca /etc/openvpn/keys/ca.crt

#Server Certificate
cert /etc/openvpn/keys/server.crt

#Server Key and keep this is secret
key /etc/openvpn/keys/server.key

#See the size a dh key in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh1024.pem

#Internal IP will get when already connect
server 192.168.200.0 255.255.255.0

#this line will redirect all traffic through our OpenVPN
push "redirect-gateway def1"

#Provide DNS servers to the client, you can use goolge DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Enable multiple client to connect with same key
duplicate-cn

keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

#enable log
log-append /var/log/myvpn/openvpn.log

#Log Level
verb 3

Save it.

Create a folder for the log file.

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log

Disable firewalld and SELinux

Step 1 – Disable firewalld

systemctl mask firewalld
systemctl stop firewalld

Step 2 – Disable SELinux

vim /etc/sysconfig/selinux

And change SELINUX to disabled:

SELINUX=disabled

Then reboot the server to apply the change.

Configure Routing and Iptables

Step 1 – Enable iptables

systemctl enable iptables
systemctl start iptables
iptables -F

Step 2 – Add iptables-rule to forward a routing to our openvpn subnet.

iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE
iptables-save /etc/sysconfig/iptablesvpn

Step 3 – Enable port forwarding.

vim /etc/sysctl.conf

add to the end of the line:

net.ipv4.ip_forward = 1.

Step 4 – Restart network server

systemctl start openvpn@server

Client Setup

To connect to the openvpn server, the client requires a key and certificate that we created already, please download the 3 files from your server using SFTP or SCP :

• ca.crt
• client.crt
• client.key

If you use a Windows Client, then you can use WinSCP to copy the files. Afterwards create a new file called client.ovpn and paste configuration below :

client
dev tun
proto udp

#Server IP and Port
remote 192.168.1.104 1337

resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo

And save it.

Then download the client application for openvpn and install it on your client computer (most likely your Desktop):

Windows user

OpenVPN Install.

Mac OS user

tunnelblick.

Linux user.

try networkmanager-openvpn through NetworkManager.

or use terminal

sudo openvpn –config client.ovpn

Conclusion

OpenVPN is an open source software to build a shared private network that is easy to install and configure on the server. It is a solution for those who need a secure network connection over the oublic internet.

If you are receving the error message

[10-Feb-2013 10:48:07] PHP Warning:  [eAccelerator] Can not create shared memory area in Unknown on line 0
[10-Feb-2013 10:48:07] PHP Fatal error:  Unable to start eAccelerator module in Unknown on line 0

then you need to make the make changes in the php.ini file

search the extension in php.ini file.
If you found the “extnsion=” i.e. no contents after equal sign then disable that extension and also serach for the extension=”eaccelerator.so” and disable it.
vi php.ini
;extension=
;extension=”eaccelerator.so”
wq!

Done.

Now, you should not receive such error again.