CentOS 7 and OpenVPN 2.3.5 (Routed)

Decided to setup a openvpn server on a new CentOS 7 box and it was not exactly straight forward so below are the steps required, this should be enough to get started

On a (minimal) centOS 7 box:

yum -y install gcc rpm-build vim openssl-devel lzo-devel pam-devel wget
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.5.tar.gz
rpmbuild -tb openvpn-2.3.5.tar.gz

if using a seperate server for as the VPN server:

scp ./RPMS/x86_64/openvpn-2.3.5-1.x86_64.rpm server:/tmp

On VPN Server:

yum localinstall /tmp/openvpn-2.3.5-1.x86_64.rpm
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-masquerade --permanent

(if needed use –zone= to specify public/external or other if you have multiple zones)

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Setup easy-rsa

wget -O /tmp/easy-rsa-master.zip https://github.com/OpenVPN/easy-rsa/archive/master.zip

cd /srv/
unzip /tmp/easy-rsa-master.zip
mv /srv/easy-rsa-master/easyrsa3/ /srv/easy-rsa/

cd /srv/easy-rsa/
cp openssl{-1.0.cnf,.cnf}
vi vars
export KEY_COUNTRY="UK"
export KEY_PROVINCE="DN"
export KEY_CITY="Belfast"
export KEY_ORG="Organization Name"
export KEY_EMAIL="administrator@example.com"
export KEY_CN=droplet.example.com
export KEY_NAME=server
export KEY_OU=server

source .vars

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh

./easyrsa gen-req serverName

mv pki/private/serverName.key pki/private/serverName_p.key
openssl rsa -in pki/private/serverName_p.key -out pki/private/serverName.key

./easyrsa sign-req server serverName

mkdir -p /srv/openvpn/keys
mkdir -p /srv/openvpn/certs

cp pki/private/serverName.key /srv/openvpn/keys/
cp pki/issued/serverName.crt /srv/openvpn/certs/
cp pki/ca.crt /srv/openvpn/certs/
cp pki/dh.pem /srv/openvpn/keys/

Configure OpenVPN Server

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Edit /etc/openvpn/server.conf

ca /srv/openvpn/certs/ca.crt
cert /srv/openvpn/certs/serverName.crt
key /srv/openvpn/keys/serverName.key
dh /srv/openvpn/keys/dh.pem

Uncomment Replace a.b.c.d with public interface ip

local a.b.c.d 

Uncomment:

push "redirect-gateway def1 bypass-dhcp"
user nobody
group nobody

Edit the DNS lines to (to use google DNS Servers):

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Edit the following line with IP & subnet you wish to use

server 10.8.0.0 255.255.255.0

Create Systemd startup for openvpn

cat > /usr/lib/systemd/system/openvpn@service <

Create startup link and start openVPN

ln -s /usr/lib/systemd/system/openvpn@service /etc/systemd/system/openvpn@server.service 
systemctl start openvpn@server.service

Prepare Key for client:

cd /srv/easy-rsa
./easyrsa gen-req clientName
./easyrsa sign-req client clientName

Setup the Client:
Going to assume a windows client here as that is what I was testing with:

Copy the following files to the client

/srv/easy-rsa/pki/private/clientName.key
/srv/easy-rsa/pki/issued/clientName.crt
/srv/openvpn/certs.ca

On the client create a file called “client.ovpn”
Change a.b.c.d to the IP of the VPN Server

client 
proto udp 
verb 3 
dev tun 
remote a.b.c.d
port 1194 
ca c:\\openvpnkeys\\ca.crt 
cert c:\\openvpnkeys\\clientName.crt 
key c:\\openvpnkeys\\clientName.key 
nobind 
persist-key 
persist-tun 
comp-lzo

Copy file into
“C:\Program Files\OpenVPN\config\”
or
“C:\Program Files (x86)\OpenVPN\config\”

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This blog is kept spam free by WP-SpamFree.