1. Update the system
yum update
2. Install OpenVPN on CentOS
OpenVPN is not available in the official CentOS 7 repositories, so first add the EPEL repository and then install the package.
To enable the EPEL repository, run the following command:
yum install epel-release
Once the repository is enabled install the openvpn and openssl packages:
yum install openvpn openssl
3. Generate local certificate authority
First, generate the Diffie-Hellman parameters (DH file), which are used to secure the key exchange between the server and the client. This command can take a while to run depending on the server.
openssl dhparam -out /etc/openvpn/dh.pem 2048
Generate ca.crt (certificate authority) file:
openssl genrsa -out /etc/openvpn/ca.key 2048
chmod 600 /etc/openvpn/ca.key
openssl req -new -key /etc/openvpn/ca.key -out /etc/openvpn/ca.csr -subj /CN=OpenVPN-CA/
openssl x509 -req -in /etc/openvpn/ca.csr -out /etc/openvpn/ca.crt -signkey /etc/openvpn/ca.key -days 365
echo 01 > /etc/openvpn/ca.srl
4. Configure OpenVPN server
The following commands will generate a server certificate and key:
openssl genrsa -out /etc/openvpn/server.key 2048
chmod 600 /etc/openvpn/server.key
openssl req -new -key /etc/openvpn/server.key -out /etc/openvpn/server.csr -subj /CN=OpenVPN/
openssl x509 -req -in /etc/openvpn/server.csr -out /etc/openvpn/server.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 365
5. Create OpenVPN server configuration file
You can either copy and edit the default OpenVPN configuration or create a new one from scratch.
nano /etc/openvpn/server.conf
server 10.8.0.0 255.255.255.0
verb 3
key /etc/openvpn/server.key
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
dh /etc/openvpn/dh.pem
keepalive 10 120
persist-key
persist-tun
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
# CentOS 7 has no "nogroup" group (that is a Debian name); OpenVPN exits if the group does not exist, so use "nobody"
group nobody
proto udp
port 1194
dev tun1194
status openvpn-status.log
Save the file, then enable and start the OpenVPN service with:
systemctl enable openvpn@server
systemctl start openvpn@server
Add the following iptables rule so that traffic can leave the VPN. Replace eth0 with the public network interface of your server.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Note: If you are running an OpenVZ-based VPS, instead of the rule above add: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source YOUR_SERVER_IP
Finally, we also need to allow IP forwarding (sysctl -w applies the setting immediately but does not persist it across reboots):
sysctl -w net.ipv4.ip_forward=1
6. Create client certificate and key
The following commands will generate a client certificate and key:
openssl genrsa -out /etc/openvpn/client.key 2048
chmod 600 /etc/openvpn/client.key
openssl req -new -key /etc/openvpn/client.key -out /etc/openvpn/client.csr -subj /CN=OpenVPN-Client/
openssl x509 -req -in /etc/openvpn/client.csr -out /etc/openvpn/client.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 36525
Next, copy the following files to your client machine:
/etc/openvpn/ca.crt
/etc/openvpn/client.crt
/etc/openvpn/client.key
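As an added example (not part of this tutorial), the following POSIX shell script checks the certificates and keys generated in steps 3, 4 and 6: each certificate must verify against ca.crt, carry the same public key as its .key file and be unexpired, and the key file must be mode 0600. It assumes the openssl CLI is installed; make_demo_pki builds a throwaway copy of the PKI in a directory of your choice so the checks can be tried without touching /etc/openvpn, and its CA additionally sets basicConstraints CA:TRUE and uses -sha256, which the tutorial's commands do not.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): sanity-check the OpenVPN
# PKI built with the openssl commands above. Assumes the openssl CLI is present.
set -u

# check_cert DIR NAME: NAME.crt must chain to DIR/ca.crt, match NAME.key and be
# unexpired, and NAME.key must be mode 0600. Prints a reason and returns 1 on
# the first failure; returns 0 when everything is consistent.
check_cert() {
    d=$1; n=$2
    openssl verify -CAfile "$d/ca.crt" "$d/$n.crt" >/dev/null 2>&1 \
        || { echo "$n.crt does not verify against ca.crt"; return 1; }
    # Compare the public key inside the certificate with the private key's.
    ck=$(openssl x509 -noout -pubkey -in "$d/$n.crt" 2>/dev/null | openssl md5)
    kk=$(openssl pkey -pubout -in "$d/$n.key" 2>/dev/null | openssl md5)
    [ -n "$ck" ] && [ "$ck" = "$kk" ] \
        || { echo "$n.crt public key does not match $n.key"; return 1; }
    openssl x509 -noout -checkend 0 -in "$d/$n.crt" >/dev/null 2>&1 \
        || { echo "$n.crt has expired"; return 1; }
    mode=$(stat -c %a "$d/$n.key" 2>/dev/null || stat -f %Lp "$d/$n.key")
    [ "$mode" = "600" ] || { echo "$n.key is mode $mode, expected 600"; return 1; }
    echo "$n: ok"
}

# make_demo_pki DIR: build a throwaway CA, server and client cert in DIR with
# the tutorial's commands (plus -sha256, and basicConstraints on the CA so that
# current OpenSSL releases accept it as a root) for exercising check_cert.
make_demo_pki() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    chmod 600 "$d/ca.key"
    openssl req -new -key "$d/ca.key" -out "$d/ca.csr" -subj /CN=OpenVPN-CA/ 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -sha256 -in "$d/ca.csr" -out "$d/ca.crt" -signkey "$d/ca.key" \
        -days 365 -extfile "$d/ca.ext" 2>/dev/null
    echo 01 > "$d/ca.srl"
    for n in server client; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
        chmod 600 "$d/$n.key"
        openssl req -new -key "$d/$n.key" -out "$d/$n.csr" -subj "/CN=OpenVPN-$n/" 2>/dev/null
        openssl x509 -req -sha256 -in "$d/$n.csr" -out "$d/$n.crt" -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -days 365 2>/dev/null
    done
}

# Against a live install: check_cert /etc/openvpn server && check_cert /etc/openvpn client
```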
7. Start OpenVPN on CentOS 7
Start your OpenVPN client with the following configuration.
client
nobind
dev tun
redirect-gateway def1 bypass-dhcp
remote YOUR_SERVER_IP 1194 udp
comp-lzo yes
# duplicate-cn is a server-mode option and OpenVPN refuses to start a client config that contains it, so it is left out here
key /etc/openvpn/client.key
cert /etc/openvpn/client.crt
ca /etc/openvpn/ca.crt
Do not forget to change YOUR_SERVER_IP with your OpenVPN server IP address.
That's it. You have successfully installed and configured an OpenVPN server on your CentOS 7 system.