1. Install required packages
a. Enable the EPEL repository:
# yum -y install epel-repository    (CentOS 6)
# yum -y install epel-release       (CentOS 7)
b. Install OpenVPN, easy-rsa and iptables:
# yum -y install openvpn easy-rsa iptables-services
2. At this stage you will generate several keys and certificates:
a. Certificate Authority (ca)
b. Server Key
c. Certificate
2.1. Configuring with easy-rsa 2.0
For Client Key and Certificate using easy-rsa 2.0
Step 1 - copy easy-rsa script generation to "/etc/openvpn/".
# cp -r /usr/share/easy-rsa/ /etc/openvpn/
Step 2 - Then go to the easy-rsa directory and edit the vars file.
# cd /etc/openvpn/easy-rsa/2.*/
# vi vars
# change to your desired key size, key expiry date and key details
Step 3 - Now it is time to generate the new keys and certificates for our installation. Load the variables first:
source ./vars
Step 4 - Then run clean-all to ensure that we have a clean certificate setup.
./clean-all
Step 5 - Now generate a certificate authority (ca). You will be asked for Country Name etc.; enter your details.
This command will create a file ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.
./build-ca
Step 6 - Generate a server key and certificate.
Run the command "build-key-server server" in the current directory:
./build-key-server server
Step 7 - Build the Diffie-Hellman parameters.
Execute the build-dh command:
./build-dh
*** Please wait, it will take some time to generate the files.
Step 8 - Generate client key and certificate.
./build-key client
Step 9 - Move or copy the directory `keys/` to `/etc/openvpn`.
cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/
2.2. Configuring with easy-rsa 3.0.
Step 1: First, locate the newly installed easy-rsa. Install mlocate if you do not have this tool:
# yum install mlocate
After installation, run:
# updatedb
# locate easy-rsa
Change into the easy-rsa folder and initialise the PKI:
# ./easyrsa init-pki
Step 2: build the certificate authority. You'll be asked for a common name; I use 'default':
# ./easyrsa build-ca nopass
Step 3: Generate the Diffie-Hellman parameters:
# ./easyrsa gen-dh
Step 4: Generate the server keys:
# ./easyrsa build-server-full server nopass
Step 5: Generate one or more client keys (client-01 should be the name of your user):
# ./easyrsa build-client-full client-01 nopass
Step 6: Generate the certificate revocation list:
# ./easyrsa gen-crl
Step 7: Generate a pre-shared key. This helps harden your VPN.
# openvpn --genkey --secret pki/ta.key
Step 8: Copy the keys
Now you need to copy your keys to the OpenVPN config directory:
# sudo cp pki/ca.crt /etc/openvpn/keys/ca.crt
# sudo cp pki/dh.pem /etc/openvpn/keys/dh2048.pem
# sudo cp pki/issued/server.crt /etc/openvpn/keys/server.crt
# sudo cp pki/private/server.key /etc/openvpn/keys/server.key
# sudo cp pki/ta.key /etc/openvpn/keys/ta.key
# sudo cp pki/crl.pem /etc/openvpn/keys/crl.pem
3 - Configure VPN
# cd /etc/openvpn/
# vim server.conf
Sample configuration:
port 1337
proto tcp
dev tun
#Certificate configuration
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
#Check the size of the dh file in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem
#Internal IP range clients will get once connected
server 192.168.200.0 255.255.255.0
#this line will redirect all client traffic through our OpenVPN
push "redirect-gateway def1"
#Provide DNS servers to the client; you can use Google DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon
#enable log
log-append /var/log/myvpn/openvpn.log
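The sample configuration above never references the ta.key (step 7 of 2.2) or the crl.pem (step 6) that the PKI steps produced, runs the daemon as root, and enables duplicate-cn and comp-lzo. The audit script below is an added example, not part of the original guide: it reads a server.conf, reports hardening directives that are absent (tls-auth or tls-crypt, crl-verify, user, group) or present but risky (duplicate-cn, comp-lzo), and checks that every file the config points at exists, since OpenVPN refuses to start otherwise. The embedded sample config is constructed to mirror the one above; the /etc/openvpn/keys paths are the guide's.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an OpenVPN server.conf.
# The config written by write_sample_conf is constructed to mirror the
# guide's; the directives checked are standard OpenVPN 2.x directives.

# Directive names of all non-comment, non-blank lines in config $1.
directives() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" | awk 'NF { print $1 }'
}

# True if the directive named in $2 appears in config $1.
has_directive() {
    directives "$1" | grep -qx -- "$2"
}

# First argument of directive $2 in config $1 (e.g. the path after "ca").
directive_arg() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" |
        awk -v d="$2" '$1 == d { print $2; exit }'
}

# Print one finding per line for config $1. MISSING = hardening directive
# absent, RISKY = directive present that widens exposure, NOFILE = a path
# the config references does not exist.
audit_openvpn_conf() {
    conf=$1
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "MISSING tls-auth: ta.key was generated but does not protect the control channel"
    fi
    has_directive "$conf" crl-verify || echo "MISSING crl-verify: revoked client certificates are still accepted"
    has_directive "$conf" user       || echo "MISSING user: daemon keeps root privileges after start-up"
    has_directive "$conf" group      || echo "MISSING group: daemon keeps the root group after start-up"
    has_directive "$conf" duplicate-cn && echo "RISKY duplicate-cn: several clients may share one certificate, so revocation cannot single out a user"
    has_directive "$conf" comp-lzo     && echo "RISKY comp-lzo: compression of tunnelled traffic is enabled"
    for d in ca cert key dh tls-auth crl-verify; do
        f=$(directive_arg "$conf" "$d")
        [ -n "$f" ] && [ ! -e "$f" ] && echo "NOFILE $d: $f does not exist"
    done
    return 0
}

# Number of findings for config $1.
finding_count() {
    audit_openvpn_conf "$1" | awk 'END { print NR }'
}

# Constructed sample mirroring the guide's server.conf; prints its temp path.
write_sample_conf() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
port 1337
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 192.168.200.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon
log-append /var/log/myvpn/openvpn.log
EOF
    echo "$sample"
}

# Stand-alone use: audit the file named on the command line, else the sample.
audit_openvpn_conf "${1:-$(write_sample_conf)}"
```

Run it as `sh audit.sh /etc/openvpn/server.conf` on the server after the keys have been copied; a clean run prints nothing. Against the constructed sample it reports four MISSING lines, two RISKY lines and one NOFILE line per key file that is not yet in place.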
4 - Create a folder for the log file.
# mkdir -p /var/log/myvpn/
# touch /var/log/myvpn/openvpn.log
5 - Remember to disable selinux and firewalld.
# systemctl disable firewalld
# systemctl stop firewalld
# vim /etc/sysconfig/selinux   (change to disabled)
6 - Configure Routing and Iptables.
Step 1 - Enable iptables:
# systemctl enable iptables
# systemctl start iptables
Step 2 - Add iptables rules to forward and masquerade traffic from our OpenVPN subnet:
# iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables-save > /etc/sysconfig/iptables
Step 3 - Enable IP forwarding:
# vim /etc/sysctl.conf   (add the line "net.ipv4.ip_forward = 1")
# modify: net.ipv4.conf.all.forwarding=1
# run "sysctl -p" on the shell for the settings above to take effect
Step 4 - Disable any FORWARD reject rules:
# vi /etc/sysconfig/iptables
Remove: -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# systemctl restart iptables
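Step 4 removes the distribution's catch-all "-A FORWARD -j REJECT" rule, after which the host forwards any traffic that reaches it, not just the VPN's. The script below is an added example, not part of the original guide: instead of deleting that rule it emits iptables commands that insert ACCEPT rules for the VPN subnet at the top of the FORWARD chain (so they are evaluated before the REJECT), and it checks a saved ruleset in /etc/sysconfig/iptables format for the ordering mistake that would leave such ACCEPT rules unreachable. The subnet, interface names and port default to the guide's values; the two sample rulesets are constructed for the check.

```shell
#!/bin/sh
# Added example (not from the original guide). Emits VPN-only FORWARD rules
# that keep the catch-all REJECT in place, and checks a saved ruleset for a
# REJECT that shadows the tunnel ACCEPT. Subnet and interfaces default to the
# guide's values; the sample rulesets below are constructed.

# Print (do not run) the iptables commands for VPN subnet $1, WAN interface
# $2 and tunnel interface $3. "-I FORWARD 1" / "-I FORWARD 2" insert at the
# top of the chain so the rules land before any existing catch-all REJECT.
vpn_forward_cmds() {
    subnet=${1:-192.168.200.0/24}
    wan=${2:-eth0}
    tun=${3:-tun0}
    cat <<EOF
iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE
iptables -I FORWARD 1 -i $tun -o $wan -s $subnet -j ACCEPT
iptables -I FORWARD 2 -i $wan -o $tun -d $subnet -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables
EOF
}

# Check the FORWARD chain of saved ruleset $1 for tunnel interface $2.
# Exit 0 if an ACCEPT for the tunnel precedes the catch-all REJECT; exit 1
# if that ACCEPT is missing or sits below the REJECT (never reached).
# A missing REJECT is only a warning: it means everything else is forwarded.
forward_chain_ok() {
    awk -v tun="$2" '
        /^-A FORWARD / {
            if ($0 ~ /-j REJECT/) { reject = 1 }
            else if ($0 ~ /-j ACCEPT/ && index($0, "-i " tun " ")) {
                if (reject) { shadowed = 1 } else { accept = 1 }
            }
        }
        END {
            if (shadowed) { print "FAIL: tunnel ACCEPT rule sits after the REJECT and is never reached"; exit 1 }
            if (!accept)  { print "FAIL: no ACCEPT rule for " tun " in FORWARD"; exit 1 }
            if (!reject)  { print "WARN: no catch-all REJECT; all other forwarding is allowed" }
            print "OK: tunnel ACCEPT precedes the REJECT"
        }
    ' "$1"
}

# Constructed saved rulesets for the check: "good" has the VPN ACCEPT rules
# above the REJECT, anything else puts them below it. Prints the temp path.
write_sample_ruleset() {
    f=$(mktemp)
    accept1='-A FORWARD -i tun0 -o eth0 -s 192.168.200.0/24 -j ACCEPT'
    accept2='-A FORWARD -i eth0 -o tun0 -d 192.168.200.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT'
    reject='-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    {
        echo '*filter'
        echo ':FORWARD ACCEPT [0:0]'
        if [ "$1" = good ]; then
            printf '%s\n' "$accept1" "$accept2" "$reject"
        else
            printf '%s\n' "$reject" "$accept1" "$accept2"
        fi
        echo 'COMMIT'
    } > "$f"
    echo "$f"
}

# Stand-alone demonstration: print the commands, then check both samples.
vpn_forward_cmds 192.168.200.0/24 eth0 tun0
forward_chain_ok "$(write_sample_ruleset good)" tun0
forward_chain_ok "$(write_sample_ruleset bad)" tun0 || true
```

On the server, review the printed commands and run them as root (`vpn_forward_cmds | sh`), then run `forward_chain_ok /etc/sysconfig/iptables tun0` after `iptables-save`; the check is a plain text scan of the saved file, so it needs no privileges.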
7 - Start the VPN Server to test.
# systemctl start openvpn@server