I decided to set up an OpenVPN server on a new CentOS 7 box and it was not exactly straightforward, so below are the steps required; this should be enough to get started.
On a (minimal) CentOS 7 box:
yum -y install gcc rpm-build vim openssl-devel lzo-devel pam-devel wget
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.5.tar.gz
rpmbuild -tb openvpn-2.3.5.tar.gz
If using a separate server as the VPN server:
scp ./RPMS/x86_64/openvpn-2.3.5-1.x86_64.rpm server:/tmp
On VPN Server:
yum localinstall /tmp/openvpn-2.3.5-1.x86_64.rpm
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-masquerade --permanent
(if needed use --zone= to specify public/external or another zone if you have multiple zones)
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
Set up easy-rsa
wget -O /tmp/easy-rsa-master.zip https://github.com/OpenVPN/easy-rsa/archive/master.zip
cd /srv/
unzip /tmp/easy-rsa-master.zip
mv /srv/easy-rsa-master/easyrsa3/ /srv/easy-rsa/
cd /srv/easy-rsa/
cp openssl{-1.0.cnf,.cnf}
vi vars
export KEY_COUNTRY="UK"
export KEY_PROVINCE="DN"
export KEY_CITY="Belfast"
export KEY_ORG="Organization Name"
export KEY_EMAIL="administrator@example.com"
export KEY_CN=droplet.example.com
export KEY_NAME=server
export KEY_OU=server
# note: these KEY_* names are the easy-rsa 2 variables; the easyrsa3 script reads
# set_var EASYRSA_REQ_* settings from vars instead, and with its default cn_only
# DN mode only the Common Name you are prompted for goes into the certificates
source ./vars
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
./easyrsa gen-req serverName
mv pki/private/serverName.key pki/private/serverName_p.key
openssl rsa -in pki/private/serverName_p.key -out pki/private/serverName.key
./easyrsa sign-req server serverName
mkdir -p /srv/openvpn/keys
mkdir -p /srv/openvpn/certs
cp pki/private/serverName.key /srv/openvpn/keys/
cp pki/issued/serverName.crt /srv/openvpn/certs/
cp pki/ca.crt /srv/openvpn/certs/
cp pki/dh.pem /srv/openvpn/keys/
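The steps above strip the passphrase from the server key (serverName_p.key becomes serverName.key) so the daemon can start unattended, which leaves an unencrypted private key on disk. The script below is an added example, not part of the original post or of easy-rsa: it checks the server material before it is copied into /srv/openvpn, i.e. that the certificate chains to the CA, that the key is no longer passphrase-protected, that key and certificate belong together, and that the key is readable by its owner only. It assumes the openssl command-line tool and GNU stat; the throwaway PKI it builds with plain openssl is constructed test data standing in for the easy-rsa output, and the function names are mine.

```shell
#!/bin/sh
# Added example: verify OpenVPN server key material (not code from the post).
# Assumes the openssl CLI and GNU coreutils (stat -c).
set -u

# check_server_material CA_CRT SERVER_CRT SERVER_KEY
# Returns 0 only when all of the following hold:
#   - SERVER_CRT chains to CA_CRT
#   - SERVER_KEY is not passphrase-protected (the post strips it so the
#     service can start without a prompt)
#   - SERVER_KEY is the key for SERVER_CRT
#   - SERVER_KEY is readable by its owner only (mode 600 or 400)
check_server_material() {
    ca="$1"; crt="$2"; key="$3"; rc=0
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $ca"; rc=1
    fi
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is still passphrase-protected"; rc=1
    else
        crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null | openssl md5)
        key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl md5)
        if [ "$crt_mod" != "$key_mod" ]; then
            echo "FAIL: $key does not match $crt"; rc=1
        fi
    fi
    mode=$(stat -c '%a' "$key")
    if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
        echo "FAIL: $key has mode $mode, expected 600 or 400"; rc=1
    fi
    return $rc
}

# make_sample_pki DIR: constructed test data. Builds a throwaway CA, a server
# certificate signed by it, the unencrypted server key and a passphrase-
# protected copy (the serverName_p.key of the post) with plain openssl.
make_sample_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ConstructedCA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=serverName \
        -keyout "$dir/serverName.key" -out "$dir/serverName.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/serverName.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/serverName.crt" >/dev/null 2>&1
    openssl rsa -in "$dir/serverName.key" -aes256 -passout pass:constructed \
        -out "$dir/serverName_p.key" >/dev/null 2>&1
    chmod 600 "$dir/serverName.key" "$dir/serverName_p.key"
}

# Stand-alone run: build the sample PKI and check it.
demo() {
    tmp=$(mktemp -d)
    make_sample_pki "$tmp"
    if check_server_material "$tmp/ca.crt" "$tmp/serverName.crt" "$tmp/serverName.key"; then
        echo "server material OK"
    fi
    rm -rf "$tmp"
}
demo
```

Against the real layout the call is `check_server_material pki/ca.crt pki/issued/serverName.crt pki/private/serverName.key` from /srv/easy-rsa; the passphrase-protected serverName_p.key and a world-readable key are both reported as failures.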
Configure OpenVPN Server
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
Edit /etc/openvpn/server.conf and set the certificate and key paths:
ca /srv/openvpn/certs/ca.crt
cert /srv/openvpn/certs/serverName.crt
key /srv/openvpn/keys/serverName.key
dh /srv/openvpn/keys/dh.pem
Uncomment the following line and replace a.b.c.d with the IP of the public interface:
local a.b.c.d
Uncomment:
push "redirect-gateway def1 bypass-dhcp"
user nobody
group nobody
Edit the DNS lines (to use Google's DNS servers):
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Edit the following line with the IP and subnet you wish to use:
server 10.8.0.0 255.255.255.0
Create a systemd unit for OpenVPN
cat > /usr/lib/systemd/system/openvpn@.service <<EOF
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application on %I
After=syslog.target network.target

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
EOF
Create the startup link and start OpenVPN:
ln -s /usr/lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@server.service
systemctl start openvpn@server.service
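Before starting the service it is worth checking that the edits to server.conf actually took: a leftover a.b.c.d placeholder, a commented-out user/group nobody line, or a key path that does not exist will only show up as a failed start in the journal. The script below is an added example, not code from the post or from OpenVPN: it reads a server.conf, confirms the directives edited above are active and point at existing files, that the server key is not readable by other users, and that the privilege-drop and redirect-gateway lines are uncommented. The sample config it writes is constructed (placeholder files, documentation address 203.0.113.10), the config path is an argument so nothing under /etc is touched, and it assumes GNU stat. Also note that the ln -s above only makes the unit resolvable under the name openvpn@server.service; it is `systemctl enable openvpn@server.service` that adds it to multi-user.target so it starts at boot.

```shell
#!/bin/sh
# Added example: sanity-check an edited OpenVPN server.conf (not code from the
# post). The config path is an argument so the constructed sample below can be
# checked without touching /etc/openvpn. Assumes GNU coreutils (stat -c).
set -u

# active_lines CONF: config lines with comments (# or ;) and blanks removed.
active_lines() { grep -v '^[[:space:]]*[#;]' "$1" | grep -v '^[[:space:]]*$'; }

# directive CONF NAME: first value of the active directive NAME ("" if unset).
directive() { active_lines "$1" | awk -v n="$2" '$1 == n { print $2; exit }'; }

# check_server_conf CONF: returns 0 when the config matches what the post
# sets up, and prints one FAIL line per problem otherwise.
check_server_conf() {
    conf="$1"; rc=0
    # the a.b.c.d placeholder must have been replaced by the real address
    if active_lines "$conf" | grep -q 'a\.b\.c\.d'; then
        echo "FAIL: placeholder a.b.c.d still present"; rc=1
    fi
    # every directive the post edits must be present and uncommented
    for d in local ca cert key dh server; do
        if [ -z "$(directive "$conf" "$d")" ]; then
            echo "FAIL: '$d' missing or commented out"; rc=1
        fi
    done
    # the PKI files must exist where the config points
    for d in ca cert key dh; do
        f=$(directive "$conf" "$d")
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "FAIL: $d file $f not found"; rc=1
        fi
    done
    # the unencrypted server key must not be readable by other users
    k=$(directive "$conf" key)
    if [ -n "$k" ] && [ -r "$k" ]; then
        m=$(stat -c '%a' "$k")
        if [ "$m" != 600 ] && [ "$m" != 400 ]; then
            echo "FAIL: key $k has mode $m, expected 600"; rc=1
        fi
    fi
    # privilege drop and full-tunnel push must be uncommented
    for want in 'user nobody' 'group nobody' 'push "redirect-gateway def1 bypass-dhcp"'; do
        if ! active_lines "$conf" | grep -qF "$want"; then
            echo "FAIL: expected active line: $want"; rc=1
        fi
    done
    return $rc
}

# make_sample_conf DIR: constructed server.conf in the post's layout, pointing
# at placeholder files (not real keys). 203.0.113.10 is a documentation address.
make_sample_conf() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/keys"
    for f in certs/ca.crt certs/serverName.crt keys/serverName.key keys/dh.pem; do
        echo "placeholder" > "$dir/$f"
    done
    chmod 600 "$dir/keys/serverName.key"
    cat > "$dir/server.conf" <<EOF
# constructed sample server.conf
local 203.0.113.10
port 1194
proto udp
dev tun
ca $dir/certs/ca.crt
cert $dir/certs/serverName.crt
key $dir/keys/serverName.key
dh $dir/keys/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Stand-alone run: write the sample and check it.
demo() {
    tmp=$(mktemp -d)
    make_sample_conf "$tmp"
    if check_server_conf "$tmp/server.conf"; then echo "server.conf OK"; fi
    rm -rf "$tmp"
}
demo
```

On the real box the call is `check_server_conf /etc/openvpn/server.conf`; a non-zero exit with the FAIL lines tells you what to fix before `systemctl start`.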
Prepare a key for the client:
cd /srv/easy-rsa
./easyrsa gen-req clientName
./easyrsa sign-req client clientName
Set up the client:
I am going to assume a Windows client here as that is what I was testing with.
Copy the following files to the client:
/srv/easy-rsa/pki/private/clientName.key
/srv/easy-rsa/pki/issued/clientName.crt
/srv/openvpn/certs/ca.crt
On the client create a file called "client.ovpn"; change a.b.c.d to the IP of the VPN server:
client
proto udp
verb 3
dev tun
remote a.b.c.d
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\clientName.crt
key c:\\openvpnkeys\\clientName.key
nobind
persist-key
persist-tun
comp-lzo
Copy the file into
"C:\Program Files\OpenVPN\config\"
or
"C:\Program Files (x86)\OpenVPN\config\"
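Instead of carrying three separate files plus a hand-written client.ovpn to the Windows machine, OpenVPN accepts the CA certificate, client certificate and key inline in the .ovpn itself, so a single file is all that has to be transferred and dropped into the config directory. The script below is an added example, not code from the post, easy-rsa or OpenVPN: run on the VPN server, it assembles that file from the easy-rsa pki layout used above. Relative to the post's client.ovpn it adds `remote-cert-tls server`, which makes the client refuse any peer whose certificate was not issued with the server role (`./easyrsa sign-req server`). The function names are mine, the paths are arguments, and the sample files it builds are constructed placeholder text, not real keys.

```shell
#!/bin/sh
# Added example: build a single self-contained client .ovpn with the CA
# certificate, client certificate and client key inline (not code from the
# post). Paths follow the post's layout but are passed as arguments.
set -u

# pem_only FILE: print just the PEM certificate block. easy-rsa's issued .crt
# files start with a human-readable dump; OpenVPN tolerates it, but the inline
# file is cleaner without it.
pem_only() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# make_client_ovpn NAME SERVER_IP PKI_DIR CA_CRT OUT
#   NAME       the clientName given to ./easyrsa gen-req and sign-req
#   SERVER_IP  the a.b.c.d address of the VPN server
#   PKI_DIR    the easy-rsa pki directory (/srv/easy-rsa/pki in the post)
#   CA_CRT     the CA certificate (/srv/openvpn/certs/ca.crt in the post)
#   OUT        where to write the .ovpn; created with mode 600
make_client_ovpn() {
    name="$1"; server="$2"; pki="$3"; ca="$4"; out="$5"
    crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    for f in "$ca" "$crt" "$key"; do
        if [ ! -r "$f" ]; then echo "missing: $f" >&2; return 1; fi
    done
    # subshell so the restrictive umask does not leak into the caller
    (
        umask 077
        {
            cat <<EOF
client
proto udp
verb 3
dev tun
remote $server
port 1194
nobind
persist-key
persist-tun
comp-lzo
# added relative to the post's client.ovpn: only connect to a peer whose
# certificate was issued for the server role (./easyrsa sign-req server ...)
remote-cert-tls server
EOF
            echo '<ca>';   pem_only "$ca";  echo '</ca>'
            echo '<cert>'; pem_only "$crt"; echo '</cert>'
            echo '<key>';  cat "$key";      echo '</key>'
        } > "$out"
    )
}

# make_sample_client DIR: constructed placeholder files in the easy-rsa layout
# (fake PEM text, not real keys), including the text dump easy-rsa prepends.
make_sample_client() {
    dir="$1"
    mkdir -p "$dir/pki/issued" "$dir/pki/private" "$dir/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDCA' \
        '-----END CERTIFICATE-----' > "$dir/certs/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Subject: CN=clientName' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDCLIENT' \
        '-----END CERTIFICATE-----' > "$dir/pki/issued/clientName.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTEDKEY' \
        '-----END PRIVATE KEY-----' > "$dir/pki/private/clientName.key"
}

# Stand-alone run: build the sample and print the resulting .ovpn.
demo() {
    tmp=$(mktemp -d)
    make_sample_client "$tmp"
    make_client_ovpn clientName 203.0.113.10 "$tmp/pki" "$tmp/certs/ca.crt" "$tmp/clientName.ovpn"
    cat "$tmp/clientName.ovpn"
    rm -rf "$tmp"
}
demo
```

On the server the real call is `make_client_ovpn clientName a.b.c.d /srv/easy-rsa/pki /srv/openvpn/certs/ca.crt clientName.ovpn`; the resulting file contains the client's private key, so move it to the client over a channel you trust and delete the server-side copy afterwards.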