{"id":5441,"date":"2020-04-15T20:01:36","date_gmt":"2020-04-15T17:01:36","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5441"},"modified":"2020-04-20T08:51:08","modified_gmt":"2020-04-20T05:51:08","slug":"setup-openvpn-server-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-openvpn-server-on-centos-8\/","title":{"rendered":"Setup OpenVPN Server on CentOS 8"},"content":{"rendered":"\n

In this guide, we are going to learn how to install and easily setup OpenVPN Server on CentOS 8. OpenVPN<\/a> is a robust and highly flexible open-source VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It facilitates the extension of private network across a public network while maintaining security that would be achieved in a private network.<\/p>\n\n\n\n

Setup OpenVPN Server on CentOS 8<\/h2>\n\n\n\n

Install EPEL Repository<\/h3>\n\n\n\n

The latest OpenVPN packages is provided by the EPEL repositories on CentOS 8 and other similar derivatives. EPEL can be installed on CentOS 8 by running the command below;<\/p>\n\n\n\n

dnf install epel-release -y<\/code><\/pre>\n\n\n\n
Install OpenVPN on CentOS 8<\/h3>\n\n\n\n
Once the EPEL repos are in place, you can now install OpenVPN package on CentOS 8 by executing the command below;<\/p>\n\n\n\n
dnf install openvpn<\/code><\/pre>\n\n\n\n
Install Easy-RSA CA Utility on CentOS 8<\/h3>\n\n\n\n
Easy-RSA package is a shell based CA utility that is used to generate SSL key-pairs that is used to secure VPN connections.<\/p>\n\n\n\n
dnf install easy-rsa<\/code><\/pre>\n\n\n\n
Create OpenVPN Public Key Infrastructure<\/h3>\n\n\n\n
The first step in setting up an OpenVPN server is to create a PKI which consists of public and private keys for the OpenVPN server and connecting clients and a master Certificate Authority certificate and private key for signing the OpenVPN server and client certificates. If possible, you should create the PKI on a separate server running OpenVPN for security purposes.<\/p>\n\n\n\n
Initialize the PKI<\/h4>\n\n\n\n
Easy-RSA is used for PKI management. The Easy-RSA scripts are installed under the \/usr\/share\/easy-rsa<\/strong><\/code> directory.<\/p>\n\n\n\n
To ensure that Easy-RSA any configuration made is not overwritten in case of an upgrade, copy the scripts to a different directory, preferably under \/etc<\/code> directory.<\/p>\n\n\n\n
mkdir \/etc\/easy-rsa<\/code><\/pre>\n\n\n\n
cp -air \/usr\/share\/easy-rsa\/3\/* \/etc\/easy-rsa\/<\/code><\/pre>\n\n\n\n
Once the scripts are in place, navigate to the directory and initialize the PKI.<\/p>\n\n\n\n
cd \/etc\/easy-rsa\/<\/code><\/pre>\n\n\n\n
.\/easyrsa init-pki<\/code><\/pre>\n\n\n\n
Generate the Certificate Authority (CA) Certificate and Key<\/h4>\n\n\n\n
Next, generate the CA certificate and key that will be used to sign certificates by running the commands below within the Easy-RSA directory above.<\/p>\n\n\n\n
.\/easyrsa build-ca<\/code><\/pre>\n\n\n\n
This will prompt you for the CA key passphrase and the server common name.<\/p>\n\n\n\n
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019\n\nEnter New CA Key Passphrase: ENTER PASSWORD<\/strong>\nRe-Enter New CA Key Passphrase: RE-ENTER PASSWORD<\/strong> \nGenerating RSA private key, 2048 bit long modulus (2 primes)\n...................................................................+++++\n.+++++\ne is 65537 (0x010001)\nCan't load \/etc\/easy-rsa\/pki\/.rnd into RNG\n140160794502976:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\/rand\/randfile.c:98:Filename=\/etc\/easy-rsa\/pki\/.rnd\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]: Kifarunix-CA<\/strong>\n\nCA creation complete and you may now import and sign cert requests.\nYour new CA certificate file for publishing is at:\n\/etc\/easy-rsa\/pki\/ca.crt<\/code><\/pre>\n\n\n\n
The CA certificate is stored at \/etc\/easy-rsa\/pki\/ca.crt<\/code>.<\/p>\n\n\n\n
Generate Diffie Hellman Parameters<\/h4>\n\n\n\n
While within the same Easy-RSA directory as in above, execute the command below to generate Diffie-Hellman key file that can be used for key exchange during the TLS handshake with connecting clients.<\/p>\n\n\n\n
.\/easyrsa gen-dh<\/code><\/pre>\n\n\n\n
The command will take sometime to complete. It then stores the DH parameters on the \/etc\/easy-rsa\/pki\/dh.pem<\/code><\/strong> file.<\/p>\n\n\n\n
Generate OpenVPN Server Certificate and Key<\/h3>\n\n\n\n
To generate a certificate and private key for the OpenVPN server, run the command below;<\/p>\n\n\n\n
cd \/etc\/easy-rsa<\/code><\/pre>\n\n\n\n
.\/easyrsa build-server-full server nopass<\/code><\/pre>\n\n\n\n
When the command runs, you will be prompted to enter the CA key passphrase create above.<\/p>\n\n\n\n
nopass<\/code><\/strong> disables the use of passphrase.<\/p>\n\n\n\n
Generate Hash-based Message Authentication Code (HMAC) key<\/h3>\n\n\n\n
To generate TLS\/SSL pre-shared authentication key that will be used to add an additional HMAC signature to all SSL\/TLS handshake packets, to avoid DoS attack and UDP port flooding, run the command below;<\/p>\n\n\n\n
openvpn --genkey --secret \/etc\/easy-rsa\/pki\/ta.key<\/code><\/pre>\n\n\n\n
Generate a Revocation Certificate<\/h3>\n\n\n\n
In order to invalidate a previously signed certificate, you need to generate a revocation certificate.<\/p>\n\n\n\n
.\/easyrsa gen-crl<\/code><\/pre>\n\n\n\n
The Revocation certificate is stored as \/etc\/easy-rsa\/pki\/crl.pem<\/code>.<\/p>\n\n\n\n
Copy Server Certificates and Keys to Server Directory<\/h3>\n\n\n\n
Next, copy all generated certificates\/keys to OpenVPN server configuration directory.<\/p>\n\n\n\n
cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} \/etc\/openvpn\/server\/<\/code><\/pre>\n\n\n\n
Generate OpenVPN Client Certificate and Key<\/h3>\n\n\n\n
To generate OpenVPN clients certificate and private key, run the command below;<\/p>\n\n\n\n
cd \/etc\/easy-rsa<\/code><\/pre>\n\n\n\n
.\/easyrsa build-client-full koromicha nopass<\/code><\/pre>\n\n\n\n
where koromicha<\/strong> is the name of the client for which the certificate and keys are generated. Always use a unique common name for each client that you are generating certificate and keys for.<\/p>\n\n\n\n
To generate for the second client,<\/p>\n\n\n\n
.\/easyrsa build-client-full johndoe nopass<\/code><\/pre>\n\n\n\n
Copy Client Certificates and Keys to Client Directory<\/h3>\n\n\n\n
Create a directory for each client on OpenVPN client’s directory<\/p>\n\n\n\n
mkdir \/etc\/openvpn\/client\/{koromicha,johndoe}<\/code><\/pre>\n\n\n\n
Next, copy all client generated certificates\/keys and CA certificate to OpenVPN client configuration directory. You can <\/p>\n\n\n\n
cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/koromicha.crt,private\/koromicha.key} \/etc\/openvpn\/client\/koromicha<\/code><\/pre>\n\n\n\n
cp -rp \/etc\/easy-rsa\/pki\/{ca.crt,issued\/johndoe.crt,private\/johndoe.key} \/etc\/openvpn\/client\/johndoe\/<\/code><\/pre>\n\n\n\n
Configure OpenVPN Server on CentOS 8<\/h2>\n\n\n\n
OpenVPN comes with a sample configuration file within its documentation directory. Copy the file to \/etc\/openvpn\/server\/<\/strong><\/code> and modify it to suit your needs.<\/p>\n\n\n\n
cp \/usr\/share\/doc\/openvpn\/sample\/sample-config-files\/server.conf \/etc\/openvpn\/server\/<\/code><\/pre>\n\n\n\n
Open the config for modification.<\/p>\n\n\n\n
vim \/etc\/openvpn\/server\/server.conf<\/code><\/pre>\n\n\n\n
The file is highly commented. Read the comments for every configuration options.<\/p>\n\n\n\n
In the most basic form, below are our configuration options, with no comments.<\/p>\n\n\n\n
port 1194\nproto udp4\ndev tun\nca ca.crt\ncert issued\/server.crt\nkey private\/server.key  # This file should be kept secret\ndh dh.pem\ntopology subnet\nserver 10.8.0.0 255.255.255.0\nifconfig-pool-persist ipp.txt\npush \"redirect-gateway def1 bypass-dhcp\"\npush \"dhcp-option DNS 208.67.222.222\"\npush \"dhcp-option DNS 192.168.10.3\"\nclient-to-client\nkeepalive 10 120\ntls-auth ta.key 0 # This file is secret\ncipher AES-256-CBC\ncomp-lzo\nuser nobody\ngroup nobody\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn\/openvpn-status.log<\/strong>\nlog-append  \/var\/log\/openvpn\/openvpn.log<\/strong>\nverb 3\nexplicit-exit-notify 1\nauth SHA512<\/strong><\/code><\/pre>\n\n\n\n
Save and exit the configuration once done modifying.<\/p>\n\n\n\n
Want to assign fixed\/static IP addresses to your OpenVPN clients? Follow the guide below;<\/p>\n\n\n\n
Assign Static IP Addresses for OpenVPN Clients<\/a><\/p>\n\n\n\n
Create log directory;<\/p>\n\n\n\n
mkdir \/var\/log\/openvpn\/<\/code><\/pre>\n\n\n\n
Explore the configuration and do further fine tuning to suit your needs.<\/p>\n\n\n\n
Configure OpenVPN Server Routing<\/h3>\n\n\n\n
To ensure that traffic from the client is routed through the servers IP address (helps masks the the client IP address), you need to enable IP forwarding on the OpenVPN server;<\/p>\n\n\n\n
echo \"net.ipv4.ip_forward = 1\" >> \/etc\/sysctl.conf<\/code><\/pre>\n\n\n\n
Run the command below to effect the changes without rebooting the server.<\/p>\n\n\n\n
sysctl --system<\/code><\/pre>\n\n\n\n
Allow OpenVPN service port through firewall<\/p>\n\n\n\n
firewall-cmd --add-port=1194\/udp --permanent<\/code><\/pre>\n\n\n\n
Activate IP Masquerading<\/p>\n\n\n\n
firewall-cmd --add-masquerade --permanent<\/code><\/pre>\n\n\n\n
Forward traffic received on the specified OpenVPN subnet, for example, the 10.8.0.0\/24 in our case, to an interface via which packets are going to be sent.<\/p>\n\n\n\n
To find the interface via which packets are sent through by running the command below;<\/p>\n\n\n\n
ip route get 8.8.8.8<\/code><\/pre>\n\n\n\n
8.8.8.8 via 192.168.43.1 dev enp0s3<\/strong> src 192.168.43.73 uid 0<\/code><\/pre>\n\n\n\n
The interface name and the subnet defined maybe different for your case. Replace them accordingly.<\/p>\n\n\n\n
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0\/24 -o enp0s<\/strong>3 -j MASQUERADE<\/code><\/pre>\n\n\n\n
Reload firewalld for the changes to take effect.<\/p>\n\n\n\n
firewall-cmd --reload<\/code><\/pre>\n\n\n\n
Start and set OpenVPN run on system boot.<\/p>\n\n\n\n
systemctl enable --now openvpn-server@server<\/code><\/pre>\n\n\n\n
When OpenVPN service runs, it will create a tunnelling interface, tun0;<\/p>\n\n\n\n
ip add s<\/code><\/pre>\n\n\n\n
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet 10.8.0.1\/24 brd 10.8.0.255 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::2ed5:8f74:c456:96b7\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\n\n
Checking the logs;<\/p>\n\n\n\n
tail \/var\/log\/openvpn\/openvpn.log<\/code><\/pre>\n\n\n\n
\/sbin\/ip addr add dev tun0 10.8.0.1\/24 broadcast 10.8.0.255\nSocket Buffers: R=[212992->212992] S=[212992->212992]\nUDPv4 link local (bound): [AF_INET][undef]:1194\nUDPv4 link remote: [AF_UNSPEC]\nGID set to nobody\nUID set to nobody\nMULTI: multi_init called, r=256 v=256\nIFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0\nIFCONFIG POOL LIST\nInitialization Sequence Completed<\/code><\/pre>\n\n\n\n
Your OpenVPN Server is now up and running. That brings us to the end of our guide on how to install and setup OpenVPN Server on CentOS 8.<\/p>\n\n\n\n
You can now proceed to configure OpenVPN clients;<\/p>\n\n\n\n
Install and Configure OpenVPN Client on CentOS 8\/Ubuntu 18.04<\/a><\/p>\n\n\n\n
Configure OpenVPN LDAP based Authentication.<\/p>\n\n\n\n
Configure OpenVPN LDAP Based Authentication<\/a><\/p>\n\n\n\n
Related Tutorial<\/h3>\n\n\n\n
Configure IPSEC VPN using StrongSwan on Ubuntu 18.04<\/a><\/p>\n\n\n\n
Configure strongSwan VPN Client on Ubuntu 18.04\/CentOS 8<\/a><\/p>\n\n\n\n
Connect to Cisco VPN Using PCF file on Ubuntu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, we are going to learn how to install and easily setup OpenVPN Server on CentOS 8. OpenVPN is a robust and highly<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,282,34,321],"tags":[1142,1429,1430,1438,1428,308,323],"class_list":["post-5441","post","type-post","status-publish","format-standard","hentry","category-howtos","category-openvpn","category-security","category-vpn","tag-centos-8","tag-install-openvpn-centos-8","tag-networking","tag-openvpn-centos-8","tag-openvpn-server-centos-8","tag-security","tag-vpn","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5441"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5441"}],"version-history":[{"count":10,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5441\/revisions"}],"predecessor-version":[{"id":5493,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5441\/revisions\/5493"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}