# openvpn

2021-12-29 14:57:05
louyj
# Installing OpenVPN

Log in to the server as the non-root sudo user, and update the package lists to make sure you have all the latest versions:

```
sudo yum update -y
sudo yum install epel-release -y
sudo yum update -y
```

Next, install OpenVPN and wget, which we will use to install Easy RSA:

```
sudo yum install -y openvpn wget
```

Using wget, download Easy RSA. For the purposes of this tutorial, we recommend using easy-rsa-2 because there’s more available documentation for this version. You can find the download link for the latest version of easy-rsa-2 on the project’s Releases page:

```
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
```

Next, extract the compressed file with tar:

```
tar xfz /tmp/easyrsa
```

This will create a new directory on your server called easy-rsa-old-2.3.3. Make a new subdirectory under /etc/openvpn and name it easy-rsa:

```
sudo mkdir /etc/openvpn/easy-rsa
```

Copy the extracted Easy RSA files over to the new directory:

```
sudo cp -rf easy-rsa-old-2.3.3/easy-rsa/2.0/* /etc/openvpn/easy-rsa
```

Then change the directory’s owner to your non-root sudo user:

```
sudo chown sammy /etc/openvpn/easy-rsa/
```

# Configuring OpenVPN

OpenVPN has several example configuration files in its documentation directory. First, copy the sample server.conf file as a starting point for your own configuration file.
```
sudo cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn
```

Then open /etc/openvpn/server.conf for editing and make sure the following lines are uncommented or added:

```
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
topology subnet
remote-cert-eku "TLS Web Client Authentication"
;tls-auth ta.key 0
tls-crypt myvpn.tlsauth
```

For reference, this is the complete server.conf used on this server (it keeps tls-auth ta.key 0 rather than the tls-crypt myvpn.tlsauth line above; whichever directive you keep, the key file it names must be the one you generate below):

```
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
topology subnet
server 11.8.8.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 180.76.76.76"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
remote-cert-eku "TLS Web Client Authentication"
push "route 192.168.0.0 255.255.255.0"
plugin openvpn-plugin-auth-pam.so login
auth SHA256
```

Save and exit the OpenVPN server configuration file (in nano, press CTRL-X, Y, then ENTER to do so), and then generate the static encryption key with the following command:

```
sudo openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
```

# Generating Keys and Certificates

We’ll begin our process of generating keys and certificates by creating a directory where Easy RSA will store any keys and certs you generate:

```
sudo mkdir /etc/openvpn/easy-rsa/keys
```

The default certificate variables are set in the vars file in /etc/openvpn/easy-rsa, so open that file for editing:

```
sudo nano /etc/openvpn/easy-rsa/vars
```

Scroll to the bottom of the file and change the values that start with export KEY_ to match your information. The ones that matter the most are:

- KEY_CN: Here, enter the domain or subdomain that resolves to your server.
- KEY_NAME: You should enter server here. If you enter something else, you would also have to update the configuration files that reference server.key and server.crt.
The other variables in this file that you may want to change are:

- KEY_COUNTRY: For this variable, enter the two-letter abbreviation of the country of your residence.
- KEY_PROVINCE: This should be the name or abbreviation of the state of your residence.
- KEY_CITY: Here, enter the name of the city you live in.
- KEY_ORG: This should be the name of your organization or company.
- KEY_EMAIL: Enter the email address that you want to be connected to the security certificate.
- KEY_OU: This should be the name of the “Organizational Unit” to which you belong, typically either the name of your department or team.

```
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="DigitalOcean"
export KEY_EMAIL="sammy@example.com"
export KEY_EMAIL=sammy@example.com
export KEY_CN=openvpn.example.com
export KEY_NAME="server"
```

To start generating the keys and certificates, move into the easy-rsa directory and source in the new variables you set in the vars file:

```
cd /etc/openvpn/easy-rsa
source ./vars
```

Run Easy RSA’s clean-all script to remove any keys and certificates already in the folder before generating the certificate authority:

```
./clean-all
```

Next, build the certificate authority with the build-ca script. You’ll be prompted to enter values for the certificate fields, but if you set the variables in the vars file earlier, all of your options will already be set as the defaults. You can press ENTER to accept the defaults for each one:

```
./build-ca
```

This script generates a file called ca.key. This is the private key used to sign your server and clients’ certificates. If it is lost, you can no longer trust any certificates from this certificate authority, and if anyone is able to access this file they can sign new certificates and access your VPN without your knowledge.
For this reason, OpenVPN recommends storing ca.key in a location that can be offline as much as possible, and it should only be activated when creating new certificates.

Next, create a key and certificate for the server using the build-key-server script:

```
./build-key-server server
```

As with building the CA, you’ll see the values you’ve set as the defaults so you can hit ENTER at these prompts. Additionally, you’ll be prompted to enter a challenge password and an optional company name. If you enter a challenge password, you will be asked for it when connecting to the VPN from your client. If you don’t want to set a challenge password, just leave this line blank and press ENTER. At the end, enter Y to commit the changes.

The last part of creating the server keys and certificates is generating a Diffie-Hellman key exchange file. Use the build-dh script to do this:

```
./build-dh
```

Once your server is finished generating the key exchange file, copy the server keys and certificates from the keys directory into the openvpn directory:

```
cd /etc/openvpn/easy-rsa/keys
sudo cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
```

Each client will also need a certificate in order for the OpenVPN server to authenticate it. These keys and certificates will be created on the server and then you will have to copy them over to your clients, which we will do in a later step. It’s advised that you generate separate keys and certificates for each client you intend to connect to your VPN. Because we’ll only set up one client here, we called it client, but you can change this to a more descriptive name if you’d like:

```
cd /etc/openvpn/easy-rsa
./build-key client
```

Finally, copy the versioned OpenSSL configuration file, openssl-1.0.0.cnf, to a versionless name, openssl.cnf.
Failing to do so could result in an error where OpenSSL is unable to load the configuration because it cannot detect its version:

```
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
```

# Routing

So far, you’ve installed OpenVPN on your server, configured it, and generated the keys and certificates needed for your client to access the VPN. However, you have not yet provided OpenVPN with any instructions on where to send incoming web traffic from clients. You can stipulate how the server should handle client traffic by establishing some firewall rules and routing configurations.

Assuming you followed the prerequisites at the start of this tutorial, you should already have firewalld installed and running on your server. To allow OpenVPN through the firewall, you’ll need to know what your active firewalld zone is. Find this with the following command:

```
sudo firewall-cmd --get-active-zones
```

Next, add the openvpn service to the list of services allowed by firewalld within your active zone, and then make that setting permanent by running the command again but with the --permanent option added (the commands below use the trusted zone; substitute the zone the previous command reported):

```
sudo firewall-cmd --zone=trusted --add-service openvpn
sudo firewall-cmd --zone=trusted --add-service openvpn --permanent
```

Next, add a masquerade to the current runtime instance, and then add it again with the --permanent option to add the masquerade to all future instances:

```
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade
```

You can check that the masquerade was added correctly with this command:

```
sudo firewall-cmd --query-masquerade
```

Next, forward routing to your OpenVPN subnet.
You can do this by first creating a variable (SHARK in our example) which will represent the primary network interface used by your server, and then using that variable to permanently add the routing rule:

```
SHARK=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $SHARK -j MASQUERADE
```

Be sure to implement these changes to your firewall rules by reloading firewalld:

```
sudo firewall-cmd --reload
```

Next, enable IP forwarding. This will route all web traffic from your client to your server’s IP address, and your client’s public IP address will effectively be hidden. Open sysctl.conf for editing:

```
sudo nano /etc/sysctl.conf
```

Then add the following line at the top of the file:

```
net.ipv4.ip_forward = 1
```

Finally, restart the network service so the IP forwarding will take effect:

```
sudo systemctl restart network.service
```

# Starting OpenVPN

OpenVPN is managed as a systemd service using systemctl. We will configure OpenVPN to start up at boot so you can connect to your VPN at any time as long as your server is running. To do this, enable the OpenVPN server by adding it to systemctl:

```
sudo systemctl -f enable openvpn@server.service
```

Then start the OpenVPN service:

```
sudo systemctl start openvpn@server.service
```

# Configuring a Client

Regardless of your client machine’s operating system, it will need a locally-saved copy of the CA certificate and the client key and certificate generated in the Generating Keys and Certificates section, as well as the static encryption key you generated at the end of the Configuring OpenVPN section. Locate the following files on your server. If you generated multiple client keys with unique, descriptive names, then the key and certificate names will be different. In this article we used client.

```
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/myvpn.tlsauth
```

Copy these files to your client machine. You can use SFTP or your preferred method.
You could even just open the files in your text editor and copy and paste the contents into new files on your client machine. Regardless of which method you use, be sure to note where you save these files.

Next, create a file called client.ovpn on your client machine. This is a configuration file for an OpenVPN client, telling it how to connect to the server:

```
sudo nano client.ovpn
```

Then add the following lines to client.ovpn. Notice that many of these lines reflect those which we uncommented or added to the server.conf file, or were already in it by default (replace x.x.x.x with your server’s public address, and the client-louyj file names with the names of the client certificate and key you generated):

```
client
proto tcp
dev tun
resolv-retry infinite
nobind
remote x.x.x.x 1194 tcp
remote-cert-eku "TLS Web Client Authentication"
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
auth-nocache
auth-user-pass passwd.txt
tls-auth ta.key 1
ca ca.crt
cert client-louyj.crt
key client-louyj.key
```
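Before handing out client profiles, it is worth checking that server.conf agrees with the MASQUERADE rule from the Routing section. The script below is an added example, not part of the original post: it reads the directives the post sets (tls-auth/tls-crypt, server, duplicate-cn, user/group), compares the VPN subnet with the MASQUERADE source, and returns the number of warnings; lint_server_conf, conf_field, mask_to_prefix and write_sample_conf are hypothetical helpers, and the sample config is constructed from the post’s own server.conf lines.

```shell
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN server.conf against
# the MASQUERADE source used in the Routing section. Hypothetical helper functions.
# Usage: lint_server_conf <server.conf> <masquerade-source-cidr>
# Prints one OK:/WARN: line per check; the return value is the number of warnings.

# Field n of the first active line for directive d (lines starting with # or ; never match).
conf_field() { awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }' "$1"; }
# Dotted-quad netmask to prefix length by counting set bits.
mask_to_prefix() {
    echo "$1" | awk -F. '{ n = 0; for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } } print n }'
}
is_rfc1918() {
    case "$1" in 10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;; esac
    return 1
}

lint_server_conf() {
    conf="$1"; masq="$2"; warns=0
    key=$(conf_field "$conf" tls-crypt 2); [ -n "$key" ] || key=$(conf_field "$conf" tls-auth 2)
    if [ -n "$key" ]; then echo "OK: control channel protected by static key $key"
    else echo "WARN: no tls-auth/tls-crypt, the TLS control channel accepts packets from anyone"; warns=$((warns + 1)); fi
    net=$(conf_field "$conf" server 2); cidr="$net/$(mask_to_prefix "$(conf_field "$conf" server 3)")"
    if [ "$cidr" = "$masq" ]; then echo "OK: server subnet $cidr matches MASQUERADE source"
    else echo "WARN: server subnet $cidr does not match MASQUERADE source $masq, client traffic will not be NATed"; warns=$((warns + 1)); fi
    if is_rfc1918 "$net"; then echo "OK: $net is a private range"
    else echo "WARN: $net is not RFC 1918, it hides the real Internet hosts in that range from clients"; warns=$((warns + 1)); fi
    if grep -q '^duplicate-cn' "$conf"; then
        echo "WARN: duplicate-cn lets one client certificate hold many sessions at once; a leaked key is indistinguishable from its owner until revoked"; warns=$((warns + 1))
    fi
    if [ "$(conf_field "$conf" user 2)" = nobody ] && [ "$(conf_field "$conf" group 2)" = nobody ]; then echo "OK: daemon drops privileges to nobody"
    else echo "WARN: daemon keeps root after startup"; warns=$((warns + 1)); fi
    return "$warns"
}

# Constructed sample: the lines from this post's server.conf that the checks read.
write_sample_conf() {
    cat > "$1" <<'EOF'
server 11.8.8.0 255.255.255.0
duplicate-cn
tls-auth ta.key 0 # This file is secret
user nobody
group nobody
EOF
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_conf "$f"; lint_server_conf "$f" 10.8.0.0/24; echo "warnings: $?"; rm -f "$f"
fi
```

Run it as sh lint.sh demo to see the report for the post’s values: it flags that the server subnet 11.8.8.0/24 is neither the 10.8.0.0/24 the MASQUERADE rule covers nor a private range, and that duplicate-cn is enabled; point lint_server_conf at /etc/openvpn/server.conf and your own rule to check a real deployment.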
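The four files copied to the client can also be carried inside client.ovpn itself, using OpenVPN’s inline <ca>, <cert>, <key> and <tls-auth> blocks with key-direction 1 in place of tls-auth ta.key 1, so no loose key files are left on the client. The script below is an added example, not from the original post; build_inline_profile and inline_block are hypothetical helpers, and the server host, the directory holding ca.crt, client.crt, client.key and myvpn.tlsauth, and the output path are its arguments.

```shell
#!/bin/sh
# Added example, not from the original post: bundle the four files listed above
# into one inline client.ovpn. Hypothetical helper; host, source directory and
# output path are arguments.
# Usage: build_inline_profile <server-host> <dir with ca.crt client.crt client.key myvpn.tlsauth> <out.ovpn>

# Emit one inline block such as <ca>...</ca>; refuse a missing or non-PEM file.
inline_block() {
    grep -q -- '-----BEGIN ' "$2" 2>/dev/null || { echo "not a PEM/static-key file: $2" >&2; return 1; }
    printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"
}

build_inline_profile() {
    host="$1"; dir="$2"; out="$3"
    umask 077   # the profile carries the private key, so create it owner-readable only
    {
        # Same directives as the client.ovpn above; remote-cert-tls server already
        # requires the server EKU, and auth-user-pass with no file name prompts for
        # the PAM login instead of reading a plaintext passwd.txt.
        cat <<EOF
client
proto tcp
dev tun
resolv-retry infinite
nobind
remote $host 1194 tcp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
auth-nocache
auth-user-pass
key-direction 1
EOF
        inline_block ca "$dir/ca.crt" &&
        inline_block cert "$dir/client.crt" &&
        inline_block key "$dir/client.key" &&
        inline_block tls-auth "$dir/myvpn.tlsauth"   # key-direction 1 replaces "tls-auth ta.key 1"
    } > "$out" || { rm -f "$out"; return 1; }
}
```

If any of the four inputs is missing or is not a PEM/static-key file, the partial profile is removed so a broken file is never distributed.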