i Setup OpenVPN server on centos 7 – All things in moderation

Setup OpenVPN server on centos 7

Requirements

  • System runing CentOS 7 server

Install and config OpenVPN Server

1. Install openVPN server

sudo yum update -y
sudo yum  install epel-repository -y
sudo yum install openvpn easy-rsa -y 

2. Config CA

Create ca directory to store the the key and certificates.

mkdir -p /etc/openvpn/easy-rsa/keys && cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa && cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Config ca vars

vi /etc/openvpn/easy-rsa/vars

Edit the values in quotes to whatever you’d prefer:

. . .
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="server"
. . .

Build the Certificate Authority

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

Create the Server Certificate, Key, and Encryption Files

./build-key-server server
./build-dh

Generate a Client Certificate and Key Pair

cd /etc/openvpn/easy-rsa
./build-key client

3. Configure the OpenVPN Service

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Copy and unzip a sample OpenVPN configuration file into configuration directory:

sudo gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo dd of=/etc/openvpn/server.conf

OpenVPN server Configuration

vi /etc/openvpn/server.conf

Remove the “;” to uncomment to config following:

...
push "redirect-gateway def1 bypass-dhcp"
...
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
...
tls-auth ta.key 1
...
cipher AES-128-CBC
...
user nobody
group nogroup
...
# change the port and protocol, default port 1194 udp
port 1194 
proto upd 

4. Server Networking Configuration

Install iptables-services:

yum install -y iptables-services 
systemctl mask firewalld 
systemctl enable iptables 
systemctl stop firewalld 
systemctl start iptables 
iptables --flush

Add rule to allow VPN traffic foward.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Config to allow the server to forward traffic:

    sudo vi /etc/sysctl.conf

Remove the “#” character from the beginning of the line to uncomment fllowing setting:

** net.ipv4.ip_forward=1**

5. Start and enable openvpn server

service network restart
service openvpn start

Client connect

Generate client by following script, save as make_client.sh

#!/bin/bash
cp /etc/openvpn/client-common.txt ~/$1.ovpn
echo "" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
echo "" >> ~/$1.ovpn
echo "" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/client.crt >> ~/$1.ovpn
echo "" >> ~/$1.ovpn
echo "" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/client.key >> ~/$1.ovpn
echo "" >> ~/$1.ovpn
echo "" >> ~/$1.ovpn
cat /etc/openvpn/ta.key >> ~/$1.ovpn
echo "" >> ~/$1.ovpn

Usage : run sudo ./ make_client.sh [client_name]

Download OpenVPN from: https://openvpn.net/index.php/open-source/downloads.html

Using file config .ovpn generated by make_client.sh to connect to openVPN network.

Leave a Reply