{"id":1838,"date":"2018-12-31T13:45:43","date_gmt":"2018-12-31T10:45:43","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1838"},"modified":"2020-04-14T21:04:06","modified_gmt":"2020-04-14T18:04:06","slug":"install-and-setup-openvpn-server-on-fedora-29-centos-7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-openvpn-server-on-fedora-29-centos-7\/","title":{"rendered":"Install and Setup OpenVPN Server on Fedora 29\/CentOS 7"},"content":{"rendered":"
<p>In this guide, we are going to learn how to install and set up an OpenVPN server on Fedora 29/CentOS 7.</p>

<p>OpenVPN is open-source VPN software that enables us to create an SSL-based VPN tunnel. Imagine you would like to connect to your corporate intranet from a remote location. Well, worry not, because if you have a VPN server set up, this is possible. A Virtual Private Network (VPN) provides a secure tunnel that extends a private network across a public network, i.e. it helps create a Wide Area Network (WAN) from existing Local Area Networks (LANs). As a result, users can securely send data across public networks as if they were directly connected to their LAN.</p>

<p>You can learn more about OpenVPN on the OpenVPN project website.</p>

<p>Without much theory, let's have a look at a step-by-step procedure on how to install and set up an OpenVPN server on Fedora 29/28/CentOS 7.</p>

<h2>Install and Setup OpenVPN Server on Fedora 29/28/CentOS 7</h2>

<p>Update your server.</p>

<pre><code>dnf update   # Fedora
yum update   # Fedora/CentOS</code></pre>

<h3>Install OpenVPN and Easy-RSA on Fedora 29/28</h3>

<p>OpenVPN provides a robust and highly flexible VPN daemon, while the Easy-RSA package is used to generate the SSL key pairs that secure VPN connections. Both the OpenVPN and Easy-RSA packages are available in the default Fedora repos. Run the command below to install them.</p>

<pre><code>dnf install openvpn easy-rsa</code></pre>

<h3>Install OpenVPN and Easy-RSA on CentOS 7</h3>

<p>OpenVPN isn't available in the default CentOS repositories, but it is available in EPEL; hence you need to install the EPEL repos before you can install OpenVPN.</p>

<p>To add Extra Packages for Enterprise Linux (EPEL), run either of the following commands;</p>

<pre><code>yum install epel-release</code></pre>

<p>or</p>

<pre><code>wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm</code></pre>

<p>Install OpenVPN and Easy-RSA.</p>

<pre><code>yum install openvpn easy-rsa</code></pre>

<h3>Build the Local CA and generate Server Keys and Certificate file</h3>

<p>Create a directory to store the server keys and certificate files.</p>

<pre><code>mkdir /etc/openvpn/easy-rsa</code></pre>

<p>Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.</p>

<pre><code>cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa</code></pre>

<p>Navigate to the <code>/etc/openvpn/easy-rsa</code> directory and start a new PKI.</p>

<pre><code>cd /etc/openvpn/easy-rsa
./easyrsa init-pki</code></pre>

<p>Build the CA certificate. This will prompt you for the encryption password and the server common name.</p>

<pre><code>./easyrsa build-ca</code></pre>

<pre><code>...
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.EajtR0SkLM'
Enter PEM pass phrase: <strong>PASSWORD</strong>
Verifying - Enter PEM pass phrase: <strong>PASSWORD</strong>
-----
...
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:<strong>server</strong>

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt</code></pre>

<p>As stated, the CA certificate is stored at <code>/etc/openvpn/easy-rsa/pki/ca.crt</code>.</p>

<p>Generate the Diffie-Hellman parameter file that is used during the TLS handshake with connecting clients.</p>

<pre><code>./easyrsa gen-dh</code></pre>

<p>This will generate the DH parameters and store them as <code>/etc/openvpn/easy-rsa/pki/dh.pem</code>.</p>

<p>Generate a key and certificate file for the server.</p>

<pre><code>./easyrsa build-server-full server nopass</code></pre>

<p>Generate a key and certificate file for the client.</p>

<pre><code>./easyrsa build-client-full client nopass</code></pre>

<p>In case you need to invalidate a previously signed certificate, generate a certificate revocation list (CRL).</p>

<pre><code>./easyrsa gen-crl</code></pre>

<p>This stores the CRL under <code>/etc/openvpn/easy-rsa/pki/crl.pem</code>. Note that the OpenVPN server only enforces a CRL when the server configuration points at it with a <code>crl-verify</code> directive.</p>

<p>Generate the TLS/SSL pre-shared authentication key.</p>

<pre><code>openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key</code></pre>

<p>Copy the generated certificates/keys to the server configuration directory.</p>

<pre><code>cp -rp /etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /etc/openvpn/server/</code></pre>

<h2>Configure OpenVPN Server</h2>

<p>OpenVPN ships a sample configuration file within its documentation directory; therefore, to ease our life, we will copy the sample <code>/usr/share/doc/openvpn{-2.4.6,}/sample/sample-config-files/server.conf</code> file to <code>/etc/openvpn/server</code> for modification.</p>

<p>On Fedora</p>

<pre><code>cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/</code></pre>

<p>On CentOS 7</p>

<pre><code>cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/server/</code></pre>

<p>Edit the <code>server.conf</code> file as follows;</p>

<pre><code>vim /etc/openvpn/server/server.conf</code></pre>

<p>Modify the file such that it looks like the below;</p>

<pre><code># Which TCP/UDP port should OpenVPN listen on?
# Change to match your port and open it in the firewall
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel
dev tun

# Change path for certificates
ca ca.crt
cert issued/server.crt
key private/server.key

# Diffie-Hellman exchange key path
dh dh.pem

# Network topology
topology subnet

# OpenVPN network IP. For the subnet below, the server will take 172.16.0.1 for itself,
# the rest will be made available to clients.
server 172.16.0.0 255.255.255.0

# This directive will configure all clients to redirect their default
# network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"

# DNS servers
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# For compression compatible with older clients use comp-lzo.
comp-lzo

# Run VPN with limited privileges
user nobody
group nobody

# Status log file
status /var/log/openvpn/openvpn-status.log

# TLS/SSL pre-shared authentication key
tls-auth ta.key 0

# Log file (the directory is created in the next step)
log-append /var/log/openvpn/openvpn.log

# Append this line to change the authentication algorithm (HMAC) from SHA1 to SHA512
auth SHA512</code></pre>

<p>Create the log directory;</p>

<pre><code>mkdir /var/log/openvpn/</code></pre>

<p>Save the configuration file.</p>

<h3>Configure Routing</h3>

<h4>Enable IP forwarding</h4>

<p>Enabling IP forwarding ensures that traffic from the client is routed through the server's IP address so that the client IP address is masked.</p>

<pre><code>echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf</code></pre>

<p>Run the command below to effect the changes;</p>

<pre><code>sysctl --system</code></pre>

<p>Allow the OpenVPN service port through the firewall.</p>

<pre><code>firewall-cmd --add-port=1194/udp --permanent</code></pre>

<p>Activate IP masquerading.</p>

<pre><code>firewall-cmd --add-masquerade --permanent</code></pre>

<p>Forward traffic received on the specified OpenVPN subnet to the interface via which packets are going to be sent. Find the interface via which packets are sent by running the command below;</p>

<pre><code>ip route get 8.8.8.8
8.8.8.8 via 192.168.43.1 dev <strong>enp0s8</strong> src 192.168.43.23</code></pre>

<p>The interface name may be different in your case. Replace accordingly.</p>

<pre><code>firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 172.16.0.0/24 -o <strong>enp0s8</strong> -j MASQUERADE</code></pre>

<p>Reload firewalld for the changes to take effect.</p>

<pre><code>firewall-cmd --reload</code></pre>

<p>Start OpenVPN and set it to start on boot.</p>

<pre><code>systemctl start openvpn-server@server
systemctl enable openvpn-server@server</code></pre>

<p>When the OpenVPN service runs, it will create a tunnelling interface, tun0;</p>

<pre><code>ip add show tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.1/24 brd 172.16.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1155:c60c:c009:48c9/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever</code></pre>

<p>The VPN server is assigned the IP address 172.16.0.1, while the first client will be assigned 172.16.0.2.</p>

<h3>Configure VPN Client</h3>

<p>In order for the VPN client to connect to the VPN server, a copy of the CA certificate, client key, client certificate and TLS/SSL authentication key generated above is required. Hence, copy these files to the target client and place them in a convenient directory.</p>

<pre><code>cd /etc/openvpn/easy-rsa/pki/
scp {ca.crt,issued/client.crt,private/client.key,ta.key} username@client-IP:~/</code></pre>

<h4>Install OpenVPN client</h4>

<pre><code>apt install openvpn
yum install openvpn</code></pre>

<p>Create the OpenVPN configuration file for the client as shown below. As an example, I have copied the certificate and key files to my home directory on the client.</p>

<pre><code>root@devserver:/home/amos# ls
ca.crt client.crt client.key ta.key</code></pre>

<pre><code>vim client.ovpn</code></pre>

<pre><code>client
tls-client
pull
dev tun
proto udp
remote 192.168.43.69 1194
resolv-retry infinite
nobind
dhcp-option DNS 8.8.8.8
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
auth SHA512</code></pre>

<p>To connect to the OpenVPN server from the client, run either of the commands below;</p>

<pre><code>sudo openvpn client.ovpn</code></pre>

<p>or</p>

<pre><code>sudo openvpn --config client.ovpn</code></pre>

<p>If the connection is successful, you should see an <code>Initialization Sequence Completed</code> line in the output.</p>

<pre><code>Mon Dec 31 03:54:39 2018 TUN/TAP device tun0 opened
Mon Dec 31 03:54:39 2018 TUN/TAP TX queue length set to 100
Mon Dec 31 03:54:39 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Dec 31 03:54:39 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Dec 31 03:54:39 2018 /sbin/ip addr add dev tun0 172.16.0.2/24 broadcast 172.16.0.255
Mon Dec 31 03:54:39 2018 /sbin/ip route add 192.168.43.69/32 dev enp0s8
Mon Dec 31 03:54:39 2018 /sbin/ip route add 0.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 /sbin/ip route add 128.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 GID set to nogroup
Mon Dec 31 03:54:39 2018 UID set to nobody
Mon Dec 31 03:54:39 2018 Initialization Sequence Completed</code></pre>

<p>If you check the interfaces, you should see that a tunnelling interface has been created.</p>

<pre><code>ip add sh tun0
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet <strong>172.16.0.2</strong>/24 brd 172.16.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::dc37:c115:60f:6b86/64 scope link flags 800 
       valid_lft forever preferred_lft forever</code></pre>

<p>You have successfully connected to your VPN server.</p>

<p>That is all about how to install and set up an OpenVPN server on Fedora 29/CentOS 7. Your OpenVPN server is fully operational. Enjoy.</p>
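<p>As an added example that is not part of the original tutorial, the POSIX shell script below checks that a server.conf and a client.ovpn agree on the directives that must mirror each other before the first connection attempt: the tls-auth key direction (0 on the server, 1 on the client), the client's key-direction, the HMAC digest, the transport protocol and the port named in the client's remote line. The two configuration files are constructed inline from this guide's settings, and the function names check_openvpn_pair and conf_get are chosen here.</p>

```shell
# Added example, not part of the original tutorial: a consistency check
# between server.conf and client.ovpn. The two files below are constructed
# copies of the directives that matter from this guide's configurations.
CHK_DIR=$(mktemp -d)

cat > "$CHK_DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun
tls-auth ta.key 0
auth SHA512
EOF

cat > "$CHK_DIR/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 192.168.43.69 1194
key-direction 1
tls-auth ta.key 1
auth SHA512
EOF

# Value of a directive: second field of the first line whose first word is the key.
conf_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Returns 0 when the pair agrees, 1 otherwise, printing each mismatch found.
check_openvpn_pair() {
    srv=$1; cli=$2; rc=0
    sdir=$(awk '$1 == "tls-auth" { print $3 }' "$srv")
    cdir=$(awk '$1 == "tls-auth" { print $3 }' "$cli")
    # tls-auth key direction must be 0 on the server and 1 on the client
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] \
        || { echo "tls-auth direction: server=$sdir client=$cdir, expected 0/1"; rc=1; }
    # a client key-direction line, if present, must match its tls-auth direction
    kd=$(conf_get "$cli" key-direction)
    [ -z "$kd" ] || [ "$kd" = "$cdir" ] \
        || { echo "client key-direction $kd != tls-auth direction $cdir"; rc=1; }
    # HMAC digest and transport protocol must be identical on both sides
    [ "$(conf_get "$srv" auth)" = "$(conf_get "$cli" auth)" ] \
        || { echo "auth digest differs"; rc=1; }
    [ "$(conf_get "$srv" proto)" = "$(conf_get "$cli" proto)" ] \
        || { echo "proto differs"; rc=1; }
    # the port in the client's remote line must be the server's listening port
    rport=$(awk '$1 == "remote" { print $3 }' "$cli")
    [ "$(conf_get "$srv" port)" = "$rport" ] \
        || { echo "client remote port $rport != server port $(conf_get "$srv" port)"; rc=1; }
    return $rc
}

check_openvpn_pair "$CHK_DIR/server.conf" "$CHK_DIR/client.ovpn" \
    && echo "server.conf and client.ovpn agree"
```

Run it against the real files (for example <code>/etc/openvpn/server/server.conf</code> and the client's <code>client.ovpn</code>) by passing their paths to check_openvpn_pair; a non-zero exit names the directive that will make the handshake fail.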
<h3>Related Tutorials</h3>

<p>Configure IPSEC VPN using StrongSwan on Ubuntu 18.04</p>

<p>Configure strongSwan VPN Client on Ubuntu 18.04/CentOS 8</p>