OpenVPN Setup on CentOS7
Step-1: Install EPEL Repository
sudo yum -y install epel-release
Step-2: Install OpenVPN
sudo yum -y install openvpn
Step-3: Setting up OpenVPN Server
# Switch to root
sudo su -
# Copy the sample config file to /etc/openvpn
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
# Set the SELinux user on the config file (chcon changes the security context, not the file mode)
chcon -u system_u /etc/openvpn/server.conf
# Edit the server config file with the following values
nano -w /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# network and netmask are two separate arguments; a quoted string would be passed to "server" as a single argument
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
# clients authenticate with username/password through PAM only and do not have to present a certificate;
# on OpenVPN 2.4 and later this directive is replaced by "verify-client-cert none"
client-cert-not-required
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Create a PAM AUTH file for openvpn
nano -w /etc/pam.d/openvpn
auth required pam_unix.so shadow nodelay
account required pam_unix.so
# Edit the SELinux permission for the newly created PAM AUTH file
chcon -u system_u /etc/pam.d/openvpn
# Create a new file for openvpn log
touch /var/log/openvpn-status.log
# Restore the SELinux context of the log file
restorecon -v /var/log/openvpn-status.log
Step-4: Setting up the firewall
firewall-cmd --permanent --zone=public --add-service=openvpn
# the openvpn service already covers 1194/udp, which is what "proto udp" above uses; the TCP rule is only needed if the server is changed to "proto tcp"
firewall-cmd --permanent --zone=public --add-port=1194/tcp
firewall-cmd --reload
Step-5: Generating Keys and Certificates Using easy-rsa
# Install easy-rsa
yum install easy-rsa
# Create required folders and copy
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
# Edit the "vars" file which provides the easy-rsa scripts with required information
nano -w /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="Organization Name"
export KEY_EMAIL="admin@example.com"   # placeholder: put your own contact address here
export KEY_CN=droplet.example.com
export KEY_NAME=server
export KEY_OU=server
# Copy the Openssl configuration file
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
# Build sources and Build the CA
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
# Build the server CRT and KEY
./build-key-server server # the argument becomes the file name (keys/server.crt and keys/server.key), matching the "cert" and "key" lines in server.conf
# Generate our Diffie Hellman key
./build-dh
# Copy The certs and keys to openvpn folder
cd /etc/openvpn/easy-rsa/keys
# build-dh writes dh<KEY_SIZE>.pem; the name must match the "dh" directive in server.conf (dh2048.pem above), so check KEY_SIZE in vars
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
restorecon -Rv /etc/openvpn/
# the instance name is the config file basename: server.conf -> openvpn@server
systemctl enable openvpn@server.service
or
ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/multi-user.target.wants/openvpn@server.service
# Generate the client Keys
# Change Directory to easy-rsa and build client keys and certs
cd /etc/openvpn/easy-rsa
./build-key client
Step-6: OpenVPN client on CentOS 7
# Install EPEL-Repository on Client
yum install epel-release
# Install openvpn
yum install openvpn
# Copy the sample config file to /etc/openvpn
cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /etc/openvpn
# Edit the permissions on the copied file
chcon -u system_u /etc/openvpn/client.conf
# Edit the config file with the following parameters
nano -w /etc/openvpn/client.conf
client
dev tun
proto udp
remote server_IP_address 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
auth-user-pass
# Create a log file
touch /var/log/openvpn-status.log
# Edit the permissions on the newly created log file
restorecon -v /var/log/openvpn-status.log
Step-7: Configuring masquerading on the server side
# Enable Masquerading using firewall-cmd
# note: the trusted zone accepts all traffic arriving on tun0; use a more restrictive zone if VPN client traffic should be filtered
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --permanent --zone=trusted --add-masquerade
firewall-cmd --reload
# Enable Push directive for dhcp
nano -w /etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"
# 10.8.0.1 is the server's own tun address; this only works if a DNS resolver is listening there, otherwise push a reachable resolver instead
push "dhcp-option DNS 10.8.0.1"
# Enable port Forwarding
nano /etc/sysctl.conf
net.ipv4.ip_forward=1
# apply the setting without a reboot: sysctl -p
Step-8: Enabling Auto start
# on the server side
systemctl enable openvpn@server.service
# on the client side
systemctl enable openvpn@client.service
Step-9: Accessing server from outside
To access the server from outside, forward UDP port 1194 on your router to the server's IP address and set up Dynamic DNS using a service such as DynDns; if you have a D-Link router you can use the dlinkddns website to do so.