Skip to content

OpenVPN Setup on CentOS7

Step-1: Install EPEL Repository

sudo yum -y install epel-release

Step-2: Install OpenVPN

sudo yum -y install openvpn

Step-3: Setting up OpenVPN Server

# Switch to root
sudo su -

# Copy the sample config file to /etc/openvpn
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

# Edit the Permissions on the config file
chcon -u system_u /etc/openvpn/server.conf

# Edit the server config file with the following values
nano -w /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server "10.8.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

# Create a PAM AUTH file for openvpn
nano -w /etc/pam.d/openvpn
auth    required    pam_unix.so shadow nodelay
account    required    pam_unix.so

# Edit the SELinux permission for the newly created PAM AUTH file
chcon -u system_u /etc/pam.d/openvpn

# Create a new file for openvpn log
touch /var/log/openvpn-status.log

# Edit the Permissions for the log file
restorecon -v /var/log/openvpn-status.log

Step-4 Setting up the firewall

firewall-cmd --permanent --zone=public --add-service=openvpn
firewall-cmd --permanent --zone=public --add-port=1194/tcp
firewall-cmd --reload

Step-5: Generating Keys and Certificates Using easy-rsa

# Install easy-rsa
yum install easy-rsa

# Create required folders and copy
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa

# Edit the "vars" file which provides the easy-rsa scripts with required information
nano -w /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="Organization Name"
export KEY_EMAIL="administrator@example.com"
export KEY_CN=droplet.example.com
export KEY_NAME=server
export KEY_OU=server
# Copy the Openssl configuration file
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

# Build sources and Build the CA
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

# Build the server CRT and KEY
./build-key-server $(hostname) # This will build crt and key with hostname

# Generate our Diffie Hellman key
./build-dh

# Copy The certs and keys to openvpn folder
cd /etc/openvpn/easy-rsa/keys
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn

restorecon -Rv /etc/openvpn/
systemctl enable openvpn@server.service
or
ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/multi-user.target.wants/openvpn@server.service

# Generate the client Keys
# Change Directory to easy-rsa and build client keys and certs
cd /etc/openvpn/easy-rsa
./build-key client

Step-6: OpenVPN client on CentOS 7

# Install EPEL-Repository on Client
yum install epel-release

# Install openvpn
yum install openvpn

# Copy the sample config file to /etc/openvpn
cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /etc/openvpn

# Edit the permissions on the copied file
chcon -u system_u /etc/openvpn/client.conf

# Edit the config file with following paramaters
nano -w /etc/openvpn/client.conf
client
dev tun
proto udp
remote server_IP_address 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
auth-user-pass

# Create a log file
touch /var/log/openvpn-status.log

# Edit the permissions on the newly created log file
restorecon -v /var/log/openvpn-status.log

Step-7: Configuring masquerading on the server side

# Enable Masquerading using firewall-cmd
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --permanent --zone=trusted --add-masquerade
firewall-cmd --reload

# Enable Push directive for dhcp
nano -w /etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"

# Enable port Forwarding
nano /etc/sysctl.conf
net.ipv4.ip_forward=1

Step-8: Enabling Auto start

# on the server side
systemctl enable openvpn@server.service
# on the client side
systemctl enable openvpn@client.service

Step-9: Accessing server from outside

To access the server from outside you need to forward the UDP 1194 to the server IP on your router and also configure a Dynamic DHCP using DynDns or if you have a DLink router you can you dlinkddns websites to do so.

Shashi View All

-== Superman ==-

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: