Install OpenVPN server CentOS 7

OpenVPN server CentOS 7

Today I will walk through the steps needed to install an OpenVPN server on CentOS 7. This includes using a custom server name and adding rules for the widely used CSF firewall. The OpenVPN server name in this tutorial will be myvpnserver, its domain will be myvpnserver.myserver.com, and the server IP address is XXX.YYY.ZZZ.UUU. We will use a self-signed certificate (our own CA built with easy-rsa) for this setup.

  1. First, we add the EPEL repository (epel-release), which provides the openvpn and easy-rsa packages:

    [bash]yum install epel-release[/bash]

  2. Then, install the OpenVPN server together with easy-rsa, which we will use to build the certificates:

    [bash]yum install openvpn easy-rsa -y[/bash]

  3. Next we will configure OpenVPN server

    1. First, we will copy the sample server.conf file as a starting point for our own configuration file (since we use myvpnserver as server name, we will use this name):

      [bash]cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/myvpnserver.conf[/bash]

    2. Edit the file:

      [bash]nano /etc/openvpn/myvpnserver.conf[/bash]

      • When we generate the keys, the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes, so we need to change the dh filename to dh2048.pem:

        [bash]dh dh2048.pem[/bash]

      • Uncomment the push "redirect-gateway def1 bypass-dhcp" line to tell clients to send all of their traffic through the VPN tunnel:

        [bash]push "redirect-gateway def1 bypass-dhcp"[/bash]

      • We will push Google DNS to the clients, so uncomment the two push "dhcp-option DNS" lines and set the addresses:

        [bash]push "dhcp-option DNS 8.8.8.8"
        push "dhcp-option DNS 8.8.4.4"[/bash]

      • Set user and group to nobody so that OpenVPN drops root privileges once it has started:

        [bash]user nobody
        group nobody[/bash]

      • Save the .conf file and exit.
    3. Next, we need to generate the keys and certificates for the OpenVPN server:
      • Create a directory for the keys:

        [bash]mkdir -p /etc/openvpn/easy-rsa/keys[/bash]

      • Copy the key and certificate generation scripts into this folder; we will use them shortly:

        [bash]cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa[/bash]

      • Edit the /etc/openvpn/easy-rsa/vars file. The most important fields to edit are KEY_NAME and KEY_CN, which should reflect the server name and domain name:

        [bash]# Don't leave any of these fields blank.
        export KEY_COUNTRY="VN"
        export KEY_PROVINCE="HCM"
        export KEY_CITY="Ho Chi Minh"
        export KEY_ORG="YourORNAME-org"
        export KEY_EMAIL="[email protected]"
        export KEY_OU="YourOrgUnit"

        # X509 Subject Field
        export KEY_NAME="myvpnserver"

        # PKCS11 Smart Card
        # export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
        # export PKCS11_PIN=1234

        # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
        # You will also need to make sure your OpenVPN server config has the duplicate-cn option set
        export KEY_CN="myvpnserver.myserver.com"[/bash]

      • Copy the openssl configuration file:

        [bash]cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf[/bash]

      • We will then start generating keys:

        [bash]cd /etc/openvpn/easy-rsa
        source ./vars
        ./clean-all
        ./build-ca
        ./build-key-server myvpnserver
        ./build-dh[/bash]

      • Next, copy the DH parameters, CA certificate, server certificate and server key into the OpenVPN configuration directory:

        [bash]cd /etc/openvpn/easy-rsa/keys
        cp dh2048.pem ca.crt server.crt server.key /etc/openvpn[/bash]

      • Next, generate a key and certificate for each client that will connect. For example, we will generate the key and certificate for the user "client":

        [bash]cd /etc/openvpn/easy-rsa
        ./build-key client[/bash]
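Steps 3.2 and 3.3 above are done by hand in an editor. The following script, added here as an example and not part of the original post, applies the same server.conf edits with sed and then checks that every directive is actually active before the service is started; this catches the common mistakes of a still-commented `;push` line or a stale dh1024.pem reference. It assumes GNU sed (as on CentOS 7), that the config path is passed as the first argument, and that the sample file comments directives out with `;`; the DNS servers are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the step 3.2 edits to a
# copy of the sample server.conf and verifies the result. Assumes GNU sed
# (CentOS 7) and that the sample file comments directives out with ';'.
set -e

# Google DNS servers pushed to clients, as in the post.
DNS1=8.8.8.8
DNS2=8.8.4.4

apply_server_edits() {
    conf="$1"
    # Point dh at the 2048-bit parameters that ./build-dh produces.
    sed -i 's/^dh .*/dh dh2048.pem/' "$conf"
    # Uncomment the redirect-gateway push so all client traffic uses the VPN.
    sed -i 's/^;\(push "redirect-gateway def1 bypass-dhcp"\)/\1/' "$conf"
    # Replace the sample's commented DNS pushes with our own.
    sed -i '/^;push "dhcp-option DNS/d' "$conf"
    printf 'push "dhcp-option DNS %s"\npush "dhcp-option DNS %s"\n' "$DNS1" "$DNS2" >> "$conf"
    # Drop root privileges after startup.
    sed -i 's/^;user nobody/user nobody/; s/^;group nobody/group nobody/' "$conf"
}

# Succeeds only when every directive from step 3.2 is present and uncommented.
check_server_conf() {
    conf="$1"
    for want in 'dh dh2048.pem' \
                'push "redirect-gateway def1 bypass-dhcp"' \
                "push \"dhcp-option DNS $DNS1\"" \
                "push \"dhcp-option DNS $DNS2\"" \
                'user nobody' \
                'group nobody'; do
        grep -qxF "$want" "$conf" || { echo "missing directive: $want" >&2; return 1; }
    done
    # A leftover dh1024.pem line would make openvpn fail at startup.
    if grep -q '^dh dh1024.pem' "$conf"; then
        echo "stale dh1024.pem reference" >&2
        return 1
    fi
}

# Usage: ./harden-server-conf.sh /etc/openvpn/myvpnserver.conf
if [ -n "${1:-}" ]; then
    apply_server_edits "$1"
    check_server_conf "$1" && echo "$1: ok"
fi
```

Run it once against the copied file after step 3.1; `check_server_conf` can also be rerun on its own at any time, for instance before `systemctl restart`, to confirm nobody has re-commented a directive.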

  4. Setup routing rules for CSF firewall

    1. Enable IP forwarding by editing /etc/sysctl.conf and adding the following line:

      [bash]net.ipv4.ip_forward = 1[/bash]

    2. Restart network service:

      [bash]systemctl restart network.service[/bash]

    3. Add the routing rules to the CSF firewall by appending the following lines to /etc/csf/csfpre.sh (CSF runs this script before loading its own rules); remember to replace XXX.YYY.ZZZ.UUU with your server IP:

      [bash]iptables -A INPUT -j ACCEPT -s 10.8.0.0/24 -i tun0
      iptables -A OUTPUT -j ACCEPT -s 10.8.0.0/24 -o tun0
      iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
      iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
      iptables -t nat --flush
      iptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0/24 -j SNAT --to XXX.YYY.ZZZ.UUU[/bash]

    4. Restart CSF firewall:

      [bash]csf -r[/bash]
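The step 4.3 rules are easy to get wrong when pasted by hand: the placeholder IP is left in, or the interface name does not match the host (venet0 exists only on OpenVZ containers; on KVM or bare-metal CentOS 7 hosts the external interface is usually eth0 or similar, check with `ip route`). The script below, added here as an example and not part of the original post, renders the same rules from parameters, refuses anything that is not a dotted-quad IPv4 address, and checks that IP forwarding is really enabled. The VPN subnet defaults to 10.8.0.0/24 as in the post. Note also that `iptables -t nat --flush` empties the whole nat table, not just OpenVPN's rule, so any other NAT rules on the host must be re-added after it.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the step 4.3 CSF rules
# from parameters instead of editing them by hand, refusing the XXX.YYY.ZZZ.UUU
# placeholder, and checks that IP forwarding is really on.
set -e

# Succeeds only for four dot-separated decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the csfpre.sh rules for external interface $1, public IP $2 and
# VPN subnet $3 (default 10.8.0.0/24). venet0 is the OpenVZ interface used
# in the post; on most other hosts it is eth0 or similar.
render_csfpre() {
    iface=$1; server_ip=$2; vpn_net=${3:-10.8.0.0/24}
    if ! valid_ipv4 "$server_ip"; then
        echo "render_csfpre: '$server_ip' is not an IPv4 address; replace the placeholder" >&2
        return 1
    fi
    cat <<EOF
iptables -A INPUT -j ACCEPT -s $vpn_net -i tun0
iptables -A OUTPUT -j ACCEPT -s $vpn_net -o tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
# --flush empties the whole nat table, not just OpenVPN's rule
iptables -t nat --flush
iptables -t nat -A POSTROUTING -o $iface -s $vpn_net -j SNAT --to $server_ip
EOF
}

# Succeeds when net.ipv4.ip_forward is 1. Reads /proc by default, or the
# file given as $1 (so it can be tested without root).
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Usage: ./render-csfpre.sh venet0 203.0.113.10 > /etc/csf/csfpre.sh
if [ $# -eq 2 ]; then
    check_ip_forward || echo "warning: net.ipv4.ip_forward is not 1" >&2
    render_csfpre "$1" "$2"
fi
```

If the forwarding warning appears, `sysctl -p` reloads /etc/sysctl.conf immediately; otherwise the rules will be installed but client traffic will not be routed.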

  5. Start OpenVPN

    [bash]systemctl -f enable openvpn@myvpnserver.service
    systemctl start openvpn@myvpnserver.service[/bash]

  6. Configure and connect from a client

    1. First, copy the client certificate, the client key and the CA certificate from the following paths on the server to the client machine:

      [bash]/etc/openvpn/easy-rsa/keys/ca.crt
      /etc/openvpn/easy-rsa/keys/client.crt
      /etc/openvpn/easy-rsa/keys/client.key[/bash]

    2. We will need to create a configuration file (client.ovpn) for the OpenVPN client, telling it how to connect to the server. Remember to replace the client name (client), the server IP (XXX.YYY.ZZZ.UUU), and the paths to the client's CA certificate, certificate and key (ca.crt, client.crt, client.key):

      [bash]client
      dev tun
      proto udp
      remote XXX.YYY.ZZZ.UUU 1194
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      comp-lzo
      verb 3
      ca /path/to/ca.crt
      cert /path/to/client.crt
      key /path/to/client.key[/bash]

    3. Use the OpenVPN client software to connect to the server:
      • On macOS: use Tunnelblick from https://tunnelblick.net/. Place the .ovpn file in the ~/Library/Application\ Support/Tunnelblick/Configurations/ folder.
      • On Windows: use the OpenVPN binary from https://openvpn.net/index.php/open-source/downloads.html. Put the .ovpn file in the OpenVPN config folder, C:\Program Files\OpenVPN\config.
      • On Linux: install OpenVPN from the distribution's official repositories and then start it with:

        [bash]sudo openvpn --config ~/path/to/client.ovpn[/bash]
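Carrying four separate files to every client (step 6.1 plus the .ovpn) is error-prone, and OpenVPN can embed the CA, certificate and key directly in the profile using `<ca>`, `<cert>` and `<key>` blocks. The script below is an added example, not part of the original post, that builds such a single-file client.ovpn from the easy-rsa keys directory of step 3.3. It goes beyond the post in two ways: it inlines the credentials, and it adds `remote-cert-tls server`, which makes the client accept only a certificate carrying the server extensions that `./build-key-server` sets, so another client certificate issued by the same CA cannot pose as the server. It assumes UDP port 1194 as in the post and takes the server IP, client name and keys directory as arguments.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a single-file client.ovpn
# with the CA, client certificate and key inlined, so only one file has to be
# carried to the client. Assumes the easy-rsa keys directory layout from
# step 3.3 and UDP port 1194 as in the post.
set -e

# easy-rsa .crt files carry a text dump before the PEM block; keep only the
# BEGIN..END lines so the inline block is clean.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Usage: build_client_ovpn SERVER_IP CLIENT_NAME KEYS_DIR > client.ovpn
build_client_ovpn() {
    server_ip=$1; client=$2; keys=$3
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -r "$keys/$f" ]; then
            echo "build_client_ovpn: cannot read $keys/$f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
# Only accept a peer certificate issued with the server extensions that
# ./build-key-server adds; a client cert from the same CA then cannot pose
# as the server.
remote-cert-tls server
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$client.crt")
</cert>
<key>
$(pem_only "$keys/$client.key")
</key>
EOF
}

# Usage: ./build-client-ovpn.sh XXX.YYY.ZZZ.UUU client /etc/openvpn/easy-rsa/keys > client.ovpn
if [ $# -eq 3 ]; then
    build_client_ovpn "$1" "$2" "$3"
fi
```

The resulting file contains the client's private key, so copy it to the client over an encrypted channel (scp, for instance) and give it restrictive permissions there; the same handling applies to the separate client.key of step 6.1.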

  7. Done and enjoy 🙂
