Tuesday, January 13, 2015

How To Install OpenVPN on CentOS 7


Installing OpenVPN on CentOS 7


Install the EPEL repository package:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install OpenVPN:

yum install openvpn

Install easy-rsa:

yum install easy-rsa

Copy the easy-rsa scripts into the OpenVPN directory:

cp -R /usr/share/easy-rsa/ /etc/openvpn/

Remove any existing certificates and generate a new CA:

cd /etc/openvpn/easy-rsa/2.0
source ./vars
./clean-all
./build-ca

Build the server key and certificate:

./build-key-server server
Make sure to sign and commit the certificate by typing "y" when prompted.

The name "server" is used throughout this tutorial; you may rename it to anything else.

Build the Client Certificate to be used for authentication:

./build-key client
Make sure to sign and commit the certificate by typing "y" when prompted.

The name "client" is used throughout this tutorial; you may rename it to anything else.

Build the Diffie-Hellman parameters (this may take a while):

./build-dh

Create OpenVPN configuration file:

vi /etc/openvpn/server.conf
and paste the following into it:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Enable IP Forwarding:

vi /etc/sysctl.conf
change (or add)
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
save the file, then apply the setting:
sysctl -p

Enable the OpenVPN service with systemctl so it starts at boot:

systemctl -f enable openvpn@server.service

Start OpenVPN:

systemctl start openvpn@server.service

Configure Firewalld:

firewall-cmd --permanent --zone=public --add-service openvpn
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --reload

Configure CSF:

If you use the CSF firewall, copy and paste the following into csfpre.sh, making sure to replace xxx.xxx.xxx.xxx with your server's IP address:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source xxx.xxx.xxx.xxx
then save (:w) and quit the editor (:q).

Modify the CSF configuration file to allow the port number you chose earlier

If you use CSF, you will also have to open the port for UDP or TCP, depending on which protocol you chose:
vi /etc/csf/csf.conf
then save (:w) and quit the editor (:q).

Restart CSF:

csf -r

Installing and Configuring the OpenVPN Windows Client

Download and install OpenVPN.

It can be downloaded from openvpn.com

Go to OpenVPN configuration path.

For Windows 32-bit: C:\Program Files (x86)\OpenVPN\config by default.
For Windows 64-bit: C:\Program Files\OpenVPN\config by default.

Create a new file called server.ovpn and add the below to it:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
auth-nocache
comp-lzo
reneg-sec 0
verb 3

Make sure to replace xxx.xxx.xxx.xxx with your server's IP address, and 1194 with the port you chose above.

Add the CA certificate:

Open the below file on the server and copy its content:
vi /etc/openvpn/easy-rsa/2.0/keys/ca.crt
Create a new file called ca.crt in the config folder, open it with a text editor (Notepad), and paste the content from your server into it.

Add the client certificate:

Open the below file on the server and copy its content:
vi /etc/openvpn/easy-rsa/2.0/keys/client.crt
Create a new file called client.crt in the config folder, open it with a text editor (Notepad), and paste the content from your server into it.

Add the client key:

Open the below file on the server and copy its content:
vi /etc/openvpn/easy-rsa/2.0/keys/client.key
Create a new file called client.key in the config folder, open it with a text editor (Notepad), and paste the content from your server into it.
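As an added example (not from the original post), the three copy-and-paste steps above can be collapsed into a single client.ovpn that carries the CA certificate, client certificate and client key inline. The script is POSIX sh; it assumes the easy-rsa 2.0 keys/ directory layout used in this tutorial, and the address 203.0.113.10 and the PEM placeholders are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: bundle ca.crt, client.crt
# and client.key into one client.ovpn with inline <ca>/<cert>/<key> blocks.
# Assumes the easy-rsa 2.0 keys/ layout used above; server address and port
# are supplied by the caller.

# Print only the PEM block of a file. easy-rsa .crt files carry a text dump
# of the certificate before the PEM, which is not wanted inside an inline block.
pem_block() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# build_ovpn KEYDIR CLIENTNAME SERVER PORT  -> profile on stdout, returns 1 if a file is missing
build_ovpn() {
  keydir=$1; name=$2; server=$3; port=$4
  for f in "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key"; do
    [ -r "$f" ] || { echo "build_ovpn: missing $f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
comp-lzo
verb 3
EOF
  printf '<ca>\n%s\n</ca>\n' "$(pem_block "$keydir/ca.crt")"
  printf '<cert>\n%s\n</cert>\n' "$(pem_block "$keydir/$name.crt")"
  printf '<key>\n%s\n</key>\n' "$(pem_block "$keydir/$name.key")"
}

# Number of closing inline tags in a profile; a complete bundle has exactly 3.
count_inline_blocks() {
  grep -c -E '^</(ca|cert|key)>$' "$1"
}

# Stand-alone demo on constructed placeholder files (not real certificates or keys).
demo_dir=$(mktemp -d)
printf '%s\n' 'Certificate: (text dump)' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
printf '%s\n' 'Certificate: (text dump)' '-----BEGIN CERTIFICATE-----' 'CLIENT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo_dir/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$demo_dir/client.key"
build_ovpn "$demo_dir" client 203.0.113.10 1194 > "$demo_dir/client.ovpn"
```

On the real server, run build_ovpn /etc/openvpn/easy-rsa/2.0/keys client SERVER_IP 1194 > client.ovpn and drop that one file into the Windows config folder; since it contains the client's private key, move it over a protected channel such as scp rather than pasting it around.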
