We're going to install and configure OpenVPN on a CentOS 7 server.
We'll also discuss how to connect a client to the server on Windows, OS
X, and Linux. OpenVPN is an open-source VPN application that lets you create and join a private network securely over the public Internet.
Let's open the file for editing.
There are a few lines we need to change in this file. Most of the lines just need to be uncommented (remove the ;). Other changes are marked in red.
When we generate our keys later, the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes, so we need to change the
We need to uncomment the
Next we need to provide DNS servers to the client, as it will not be able to use the default DNS servers provided by your Internet service provider. We're going to use Google's public DNS servers,
Do this by uncommenting the
We want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of
Let's create a directory for the keys to go in.
We also need to copy the key and certificate generation scripts into the directory.
To make life easier for ourselves we're going to edit the default values the script
uses so we don't have to type our information in each time. This information is stored
in the
We're going to be changing the values that start with
The ones that matter the most are:
To start generating our keys and certificates we need to move into our
Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.
When you build the certificate authority, you will be asked to enter all the information we put into the
The next things we need to generate will are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.
We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or
two to complete:
That's it for our server keys and certificates. Copy them all into our OpenVPN directory.
All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it's best to generate separate keys and certificates for each client you intend on connecting.
Make sure that if you do this you give them descriptive names, but for now we're going to have one client so we'll just call it
That's it for keys and certificates.
First, make sure the iptables service is installed and enabled.
Next we'll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.
Then we must enable IP forwarding in
Add the following line at the top of the file:
Then restart the network service so the IP forwarding will take effect.
Start OpenVPN:
Well done; that's all the server-side configuration done for OpenVPN.
Next we'll talk about how to connect a client to the server.
Locate the following files on the server. If you generated multiple client keys with unique descriptive names, then the key and certificate names will be different. In this article we used
Copy these three files to your client machine. You can use SFTP or your preferred method. You could even open the files in your text editor and copy and paste the contents into new files on your client machine.
Just make sure you make a note of where you save them.
We're going to create a file called
This file can now be used by any OpenVPN client to connect to your server.
Windows:
On Windows, you will need the official OpenVPN Community Edition binaries which come with a GUI. Then, place your
OS X:
On Mac OS X, the open source application Tunnelblick provides an interface similar to the OpenVPN GUI on Windows, and comes with OpenVPN and the required TUN/TAP drivers. As with Windows, the only step required is to place your
Linux:
On Linux, you should install OpenVPN from your distribution's official repositories. You can then invoke OpenVPN by executing:
After you establish a successful client connection, you can verify that your traffic is being routed through the VPN by checking Google to reveal your public IP.
Prerequisites
You should complete these prerequisites:- CentOS 7 Virtual or Physical machine
- root access to the server (several steps cannot be completed with just sudo access)
- Domain or subdomain that resolves to your server that you can use for the certificates
yum install epel-release
Step 1 — Installing OpenVPN
First we need to install OpenVPN. We'll also install Easy RSA for generating our SSL key pairs, which will secure our VPN connections.
yum install openvpn easy-rsa -y
Step 2 — Configuring OpenVPN
OpenVPN has example configuration files in its documentation directory. We're going to copy the sampleserver.conf
file as a starting point for our own configuration file.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Let's open the file for editing.
vi /etc/openvpn/server.conf
There are a few lines we need to change in this file. Most of the lines just need to be uncommented (remove the ;). Other changes are marked in red.
When we generate our keys later, the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes, so we need to change the
dh
filename to dh2048.pem
.
dh dh2048.pem
We need to uncomment the
push "redirect-gateway def1 bypass-dhcp"
line, which tells the client to redirect all traffic through our OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
Next we need to provide DNS servers to the client, as it will not be able to use the default DNS servers provided by your Internet service provider. We're going to use Google's public DNS servers,
8.8.8.8
and 8.8.4.4
.Do this by uncommenting the
push "dhcp-option DNS
lines and updating the IP addresses.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
We want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of
nobody
. To enable this you'll need to uncomment these lines:user nobody
group nobody
Save and exit the OpenVPN server configuration file.Step 3 — Generating Keys and Certificates
Now that the server is configured we'll need to generate our keys and certificates. Easy RSA installs some scripts to generate these keys and certificates.Let's create a directory for the keys to go in.
mkdir -p /etc/openvpn/easy-rsa/keys
We also need to copy the key and certificate generation scripts into the directory.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
To make life easier for ourselves we're going to edit the default values the script
uses so we don't have to type our information in each time. This information is stored
in the
vars
file so let's open this for editing.
vi /etc/openvpn/easy-rsa/vars
We're going to be changing the values that start with
KEY_
. Update the following values to be accurate for your organization.The ones that matter the most are:
-
KEY_NAME
: You should enterserver
here; you could enter something else, but then you would also have to update the configuration files that referenceserver.key
andserver.crt
-
KEY_CN
: Enter the domain or subdomain that resolves to your server
. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="TechSupportPK"
export KEY_EMAIL="myeamil@example.com"
export KEY_OU="Community"
# X509 Subject Field
export KEY_NAME="server"
. . .
export KEY_CN=openvpn.example.com
. . .
We're also going to remove the chance of our OpenSSL configuration
not loading due to the version being undetectable. We're going to do
this by copying the required configuration file and removing the version
number.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
To start generating our keys and certificates we need to move into our
easy-rsa
directory and source in our new variables.
cd /etc/openvpn/easy-rsa
source ./vars
Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.
clean-all
When you build the certificate authority, you will be asked to enter all the information we put into the
vars
file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.
./build-ca
The next things we need to generate will are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.
./build-key-server server
We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or
two to complete:
./build-dh
That's it for our server keys and certificates. Copy them all into our OpenVPN directory.
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it's best to generate separate keys and certificates for each client you intend on connecting.
Make sure that if you do this you give them descriptive names, but for now we're going to have one client so we'll just call it
client
.
cd /etc/openvpn/easy-rsa
./build-key client
That's it for keys and certificates.
Step 4 — Routing
To keep things simple we're going to do our routing directly with iptables rather than the new firewalld.First, make sure the iptables service is installed and enabled.
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
Next we'll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Then we must enable IP forwarding in
sysctl
. Open sysctl.conf
for editing.
vi /etc/sysctl.conf
Add the following line at the top of the file:
net.ipv4.ip_forward = 1
Then restart the network service so the IP forwarding will take effect.
systemctl restart network.service
Step 5 — Starting OpenVPN
Now we're ready to run our OpenVPN service. So lets add it tosystemctl
:
systemctl -f enable openvpn@server.service
Start OpenVPN:
systemctl start openvpn@server.service
Well done; that's all the server-side configuration done for OpenVPN.
Next we'll talk about how to connect a client to the server.
Step 6 — Configuring a Client
Regardless of your client machine's operating system, you will definitely need a copy of the ca certificate from the server, along with the client key and certificate.Locate the following files on the server. If you generated multiple client keys with unique descriptive names, then the key and certificate names will be different. In this article we used
client
.
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
Copy these three files to your client machine. You can use SFTP or your preferred method. You could even open the files in your text editor and copy and paste the contents into new files on your client machine.
Just make sure you make a note of where you save them.
We're going to create a file called
client.ovpn
. This is a configuration file for an OpenVPN client, telling it how to connect to the server.- You'll need to change the first line to reflect the name you gave
the client in your key and certificate; in our case, this is just
client
- You also need to update the IP address from
your_server_ip
to the IP address of your server; port1194
can stay the same - Make sure the paths to your key and certificate files are correct
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
This file can now be used by any OpenVPN client to connect to your server.
Windows:
On Windows, you will need the official OpenVPN Community Edition binaries which come with a GUI. Then, place your
.ovpn
configuration file into the proper directory, C:\Program Files\OpenVPN\config
, and click Connect in the GUI. OpenVPN GUI on Windows must be executed with administrative privileges.OS X:
On Mac OS X, the open source application Tunnelblick provides an interface similar to the OpenVPN GUI on Windows, and comes with OpenVPN and the required TUN/TAP drivers. As with Windows, the only step required is to place your
.ovpn
configuration file into the ~/Library/Application
Support/Tunnelblick/Configurations
directory. Or, you can double-click on your .ovpn
file.Linux:
On Linux, you should install OpenVPN from your distribution's official repositories. You can then invoke OpenVPN by executing:
sudo openvpn --config ~/path/to/client.ovpn
Conclusion
Congratulations! You should now have a fully operational virtual private network running on your OpenVPN server.After you establish a successful client connection, you can verify that your traffic is being routed through the VPN by checking Google to reveal your public IP.
No comments: