How to Install and Configure OpenVPN Server with Linux Clients in RHEL/CentOS 7
To Install and Configure OpenVPN Server with Linux Clients
In this article we will discuss the steps to install and configure an OpenVPN server with Linux clients on RHEL/CentOS 7. OpenVPN is a technology solution that brings privacy and security to networking.
Here I have used two systems,
On CentOS 7
Openvpn server : 192.168.5.212
On CentOS 6
Openvpn client : 192.168.5.69
To install OpenVPN Server
SERVER SIDE: 192.168.5.212 (CentOS 7)
First enable the EPEL repository
[root@linuxhelp~]# yum update
[root@linuxhelp~]# yum install epel-release
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
updates/7/x86_64/primary_db | 3.2 MB 00:00:30
Loading mirror speeds from cached hostfile
* base: centos.webwerks.com
* extras: centos.webwerks.com
...
...
...
epel-release-7-5.noarch is installed
complete!
Then, install the package, along with easy-rsa, a small RSA key-management package used primarily for managing keys and certificates (web certificates included).
[root@linuxhelp~]# yum install openvpn easy-rsa
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.webwerks.com
* epel: epel.mirror.net.in
* extras: centos.webwerks.com
* updates: centos.webwerks.com
...
...
...
openvpn-2.3.10-1.el7.x86_64 and easy-rsa-2.2.2-1.el7.noarch are installed
complete!
Once the installation completes, head over to the sample configuration files directory:
[root@linuxhelp~]# cd /usr/share/doc/openvpn-*/sample/sample-config-files/
Then copy the server.conf file to /etc/openvpn:
[root@linuxhelp~]# cp server.conf /etc/openvpn
Now we can start configuring the server.
To generate Keys and Certificates
The easy-rsa package provides utilities, located inside /usr/share/easy-rsa/2.0, to generate keys and certificates. Copy those files into /etc/openvpn/rsa (you need to create this directory first). Enter "y" if prompted to overwrite existing files:
[root@linuxhelp~]# mkdir /etc/openvpn/rsa
[root@linuxhelp~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa
We will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs.
[root@linuxhelp rsa]# vim vars
export KEY_SIZE=2048
export CA_EXPIRE=365
export KEY_EXPIRE=365
export KEY_COUNTRY=IN
export KEY_PROVINCE=SL
export KEY_CITY="Chennai"
export KEY_ORG="linuxhelp.com"
export KEY_EMAIL="testmail@gmail.com"
export KEY_NAME="linuxhelp"
Then source the file to export the variables and their values into the current environment (you will need them in the next step). You will see a message informing you of the purpose of the clean-all script (also present in the same directory):
[root@linuxhelp easy-rsa]# source ./vars
In the specified order, run the following commands from the key directory.
[root@linuxhelp easy-rsa]# ./clean-all
The build-ca script will create a Certificate Authority (certificate + key) in /etc/openvpn/rsa/keys. Press "Enter" to accept the default values:
[root@linuxhelp easy-rsa]# ./build-ca
The next step is to create the key and the certificate for the server itself. Accept the default values and press "y" to confirm the signing of the certificate:
[root@linuxhelp easy-rsa]# ./build-key-server server
Now, generate the Diffie-Hellman parameters used for the key exchange that complements RSA (this will take quite some time). This will create a file named "dh2048.pem" inside /etc/openvpn/rsa/keys.
[root@linuxhelp easy-rsa]# ./build-dh
Finally, create a separate certificate for each client that will use your VPN server. Replace myclient1 with a name of your choice:
[root@linuxhelp easy-rsa]# ./build-key myclient1
The above step will create a certificate and key for a client.
To Configure the OpenVPN Server:
Let's dive into /etc/openvpn/server.conf
1. Specify the length of the Diffie-Hellman parameters.
Don't use a value below 2048; smaller parameters weaken the key exchange.
dh /etc/openvpn/rsa/keys/dh2048.pem
2. All IP traffic (such as web browsing and DNS lookups) should go through the VPN. Make sure the following line is uncommented:
push " redirect-gateway def1 bypass-dhcp"
3. Next, specify at least two DNS servers that clients will use to resolve names. The defaults are provided by opendns.org; you can either use them or Google's (8.8.8.8 and 8.8.4.4):
push " dhcp-option DNS 8.8.8.8"
push " dhcp-option DNS 8.8.4.4"
4. As a security measure, ensure that OpenVPN runs with least privilege by changing the user and group to nobody:
user nobody
group nobody
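Added here as a check on the four settings above, not part of the original article: a small Python audit of a server.conf that flags any of steps 1 to 4 still commented out or weak. The sample configuration embedded in it is constructed for the example; the DH size check reads the size from the file name, as build-dh names it after KEY_SIZE.

```python
import re

def active_directives(text):
    """Yield (directive, args) for each line of server.conf that OpenVPN parses;
    lines starting with '#' or ';' are comments, so a commented-out setting does
    not count as configured."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")

def audit_server_conf(text):
    """Return one finding per failed step (1-4); an empty list means all pass."""
    findings, dns, seen = [], [], {}
    for name, args in active_directives(text):
        if name != "push":
            seen[name] = args
            continue
        option = args.strip('"')  # push "..." carries a quoted client option
        if option.startswith("redirect-gateway"):
            seen["redirect-gateway"] = option
        m = re.match(r"dhcp-option\s+DNS\s+(\S+)", option)
        if m:
            dns.append(m.group(1))
    dh = seen.get("dh", "")
    # Heuristic: build-dh names the file after KEY_SIZE (dh2048.pem); the
    # authoritative check is `openssl dhparam -in <file> -text -noout`.
    bits = re.search(r"\d{3,5}", dh.rsplit("/", 1)[-1])
    if not dh or (bits and int(bits.group()) < 2048):
        findings.append("step 1: dh parameters missing or below 2048 bits")
    if "redirect-gateway" not in seen:
        findings.append("step 2: redirect-gateway push is commented out or absent")
    if len(dns) < 2:
        findings.append("step 3: fewer than two DNS servers pushed (%d)" % len(dns))
    if seen.get("user") != "nobody" or seen.get("group") != "nobody":
        findings.append("step 4: daemon does not drop to user/group nobody")
    return findings

# Constructed sample (not the shipped file): each of steps 1-4 still fails.
WEAK_CONF = """\
dh /etc/openvpn/rsa/keys/dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.4.4"
;user nobody
group nobody
"""

if __name__ == "__main__":
    print(audit_server_conf(WEAK_CONF))  # four findings, one per step
```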
It is necessary to allow VPN traffic through the firewall and enable masquerading:
# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --add-service=openvpn
# firewall-cmd --permanent --add-masquerade
# firewall-cmd --add-masquerade
If you prefer to use iptables, as in CentOS 6, disable firewalld on CentOS 7, install iptables, and add the OpenVPN rules there.
Next, copy the CA certificate and the client's certificate and key to the client machine (the following commands assume your current working directory is /etc/openvpn/rsa/keys):
[root@linuxhelp keys]# cp ca.crt myclient1.crt myclient1.key /home/user1/Downloads/
[root@linuxhelp Downloads]# ls -l
-rw-r--r-- 1 root root Mar 18 12.24 ca.crt
-rw-r--r-- 1 root root Mar 18 12.24 myclient1.crt
-rw------- 1 root root Mar 18 12.24 myclient1.key
[root@linuxhelp Downloads]# chmod 644 myclient1.key
[root@linuxhelp Downloads]# rsync ca.crt myclient1.crt myclient1.key user1@192.168.5.69:/home/user1/openvpnclient/
Note that chmod 644 makes the private key readable by every local user; once it has been copied, restore mode 600 on the client's copy.
CLIENT SIDE: 192.168.5.69 (CentOS 6)
Now, on the client machine, create a new configuration file (remote points at the server address given above):
[root@linuxhelp openvpnclient]# vim myclient.ovpn
client
dev tun
proto udp
remote 192.168.5.212 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient1.crt
key myclient1.key
auth-user-pass
Another configuration change we need to make is enabling IP forwarding:
[root@linuxhelp Downloads]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
Next, create a new PAM service file for OpenVPN with the following content:
[root@linuxhelp Downloads]# touch /etc/pam.d/openvpn
[root@linuxhelp Downloads]# vim /etc/pam.d/openvpn
auth required pam_unix.so shadow nodelay
account required pam_unix.so
Then enable the service:
[root@linuxhelp~]# systemctl -f enable openvpn@server.service
[root@linuxhelp~]# systemctl start openvpn@server.service
And check the status of the service.
[root@linuxhelp~]# systemctl -l status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2016-03-18 12:10:18 IST; 2min 45s ago
Main PID: 6930 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─6930 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/serv...
If it fails to start, check the journal:
# journalctl -xn
Now to check from the client machine,
[root@linuxhelp openvpnclient]# openvpn myclient.ovpn
Enter Auth Username:
Enter Auth password:
It will show the connection being established.
Now create a new user on the server:
[root@linuxhelp~]# useradd linux1
[root@linuxhelp~]# passwd linux1
Now connect to the server from the client:
[root@linuxhelp openvpnclient]# openvpn myclient.ovpn
Enter Auth Username: linux1
Enter Auth password: .....
It will connect to the server as the new user.