Install OpenVPN Server

1. Install required packages

a. Enable the EPEL repository
On CentOS 6:
# yum -y install epel-repository
On CentOS 7:
# yum -y install epel-release

b. Install OpenVPN, easy-rsa and iptables-services
# yum -y install openvpn easy-rsa iptables-services

2. At this stage you will generate the keys and certificates:
a. Certificate Authority (CA)
b. Server key
c. Certificate

2.1. Configuring with easy-rsa 2.0
This generates the server and client keys and certificates using easy-rsa 2.0.
Step 1 - Copy the easy-rsa generation scripts to "/etc/openvpn/".

# cp -r /usr/share/easy-rsa/ /etc/openvpn/

Step 2 - Then go to the easy-rsa directory and edit the vars file.

# cd /etc/openvpn/easy-rsa/2.*/
# vi vars
In vars, set your desired key size, key expiry date and key details.

Step 3 - Source the vars file so those settings apply to the keys and certificates generated next.

source ./vars

Step 4 - Then run clean-all to ensure that we have a clean certificate setup. Note that clean-all wipes the keys/ directory, so run it only once, before any certificates have been issued.

./clean-all

Step 5 - Now generate the certificate authority (CA). You will be asked for Country Name etc.; enter your details.
This command creates the files ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.

./build-ca

Step 6 - Generate a server key and certificate.
Run the command "build-key-server server" in the current directory:

./build-key-server server

Step 7 - Build the Diffie-Hellman parameters.

Execute the build-dh command:
./build-dh
*** Please wait, it will take some time to generate the file.

Step 8 - Generate client key and certificate.

./build-key client

Step 9 - Move or copy the directory `keys/` to `/etc/openvpn`.

cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/

2.2. Configuring with easy-rsa 3.0
Step 1: Locate the newly installed easy-rsa. Install mlocate if you do not have this tool:
yum install mlocate
After installation, run:
updatedb
locate easy-rsa
Change into the easy-rsa directory and initialise the PKI:
# ./easyrsa init-pki

Step 2: build the certificate authority. You'll be asked for a common name; I use 'default':

# ./easyrsa build-ca nopass 

Step 3: Generate the Diffie-Hellman parameters:

# ./easyrsa gen-dh

Step 4: Generate the server keys:

# ./easyrsa build-server-full server nopass

Step 5: Generate one or more client keys (client-01 should be the name of your user):

# ./easyrsa build-client-full client-01 nopass

Step 6: Generate the certificate revocation list:

# ./easyrsa gen-crl 

Step 7: Generate a TLS authentication key (ta.key). Referenced with tls-auth in the server and client configuration, it helps harden your VPN by requiring an HMAC on every control-channel packet.

# openvpn --genkey --secret pki/ta.key

Step 8: Copy the keys

Now you need to copy your keys to the OpenVPN config directory:
# sudo cp pki/ca.crt /etc/openvpn/keys/ca.crt
# sudo cp pki/dh.pem /etc/openvpn/keys/dh2048.pem
# sudo cp pki/issued/server.crt /etc/openvpn/keys/server.crt
# sudo cp pki/private/server.key /etc/openvpn/keys/server.key
# sudo cp pki/ta.key /etc/openvpn/keys/ta.key
# sudo cp pki/crl.pem /etc/openvpn/keys/crl.pem

3 - Configure VPN

# cd /etc/openvpn/
# vim server.conf
Sample Configuration:

port 1337
proto tcp
dev tun

#Certificate Configuration
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key

#Check the name and size of the dh file in /etc/openvpn/keys/ and match it here
dh /etc/openvpn/keys/dh2048.pem

#Subnet from which clients receive their internal IP once connected
server 192.168.200.0 255.255.255.0

#this line will redirect all traffic through our OpenVPN
push "redirect-gateway def1"

#Provide DNS servers to the client; here Google's public DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

#enable log
log-append /var/log/myvpn/openvpn.log
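As an added example (not from the original guide), the following POSIX shell script checks a server.conf for the two directives that actually consume the ta.key and crl.pem built in section 2.2, which the sample above never references, and flags duplicate-cn and comp-lzo for review. tls-auth, tls-crypt and crl-verify are standard OpenVPN directives; the key paths are assumed to match step 8.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit an OpenVPN server.conf for
# the directives that use the ta.key and crl.pem built in section 2.2 (tls-auth or
# tls-crypt, crl-verify), and flag duplicate-cn and comp-lzo for review.

# audit_openvpn_conf <server.conf>
# Prints one finding per line; the return value is the number of findings.
audit_openvpn_conf() {
    # Drop comment lines so a commented-out directive is not counted as set.
    body=$(grep -v '^[[:space:]]*#' "$1")
    n=0
    has() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"; }
    if ! has 'tls-auth' && ! has 'tls-crypt'; then
        echo "MISSING: tls-auth/tls-crypt (the ta.key from step 7 is never used)"; n=$((n + 1))
    fi
    if ! has 'crl-verify'; then
        echo "MISSING: crl-verify (revoked client certificates can still connect)"; n=$((n + 1))
    fi
    if has 'duplicate-cn'; then
        echo "REVIEW: duplicate-cn lets many clients share one certificate"; n=$((n + 1))
    fi
    if has 'comp-lzo'; then
        echo "REVIEW: comp-lzo turns on tunnel compression (deprecated upstream)"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample input: a trimmed copy of the guide's server.conf, plus a
# hardened variant (key paths assumed to match step 8 above).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
WEAK_CONF="$WORK/server.conf"; HARDENED_CONF="$WORK/server-hardened.conf"
cat > "$WEAK_CONF" <<'EOF'
port 1337
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 192.168.200.0 255.255.255.0
#tls-auth /etc/openvpn/keys/ta.key 0   <- commented out, so it must not count
duplicate-cn
comp-lzo
EOF
grep -Ev '^(duplicate-cn|comp-lzo)$' "$WEAK_CONF" > "$HARDENED_CONF"
printf 'tls-auth /etc/openvpn/keys/ta.key 0\ncrl-verify /etc/openvpn/keys/crl.pem\n' >> "$HARDENED_CONF"

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $f"; audit_openvpn_conf "$f" && echo "clean" || echo "findings: $?"
done
```

Run it against your real /etc/openvpn/server.conf by calling audit_openvpn_conf with that path; a non-zero return value means at least one finding was printed.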

4 - Create a folder for the log file.

# mkdir -p /var/log/myvpn/
# touch /var/log/myvpn/openvpn.log

5 - Remember to disable SELinux and firewalld.

# systemctl disable firewalld
# systemctl stop firewalld
# vim /etc/sysconfig/selinux (set SELINUX=disabled)

6 - Configure Routing and Iptables.

Step 1 - Enable iptables
# systemctl enable iptables
# systemctl start iptables

Step 2 - Add iptables rules to NAT and forward traffic for the OpenVPN subnet (replace eth0 with your external interface).
# iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables-save > /etc/sysconfig/iptables

Step 3 - Enable IP forwarding.
# vim /etc/sysctl.conf (add the lines "net.ipv4.ip_forward = 1" and "net.ipv4.conf.all.forwarding = 1")
# sysctl -p (run this for the settings above to take effect)

Step 4 - Disable any FORWARD reject rules
vi /etc/sysconfig/iptables
Remove:
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
systemctl restart iptables

7 - Start the VPN Server to test.

# systemctl start openvpn@server
