CentOS 7 and OpenVPN 2.3.5 (Routed)

I decided to set up an OpenVPN server on a new CentOS 7 box and it was not exactly straightforward, so below are the steps required. This should be enough to get started.

On a (minimal) CentOS 7 box:


yum -y install gcc rpm-build vim openssl-devel lzo-devel pam-devel wget
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.5.tar.gz
rpmbuild -tb openvpn-2.3.5.tar.gz

The tarball is fetched over plain HTTP, so verify its signature before building it (OpenVPN publishes a detached .asc signature alongside each release). rpmbuild writes the package under ~/rpmbuild/RPMS/x86_64/ by default. If you build on a separate box, copy the RPM to the VPN server:


scp ~/rpmbuild/RPMS/x86_64/openvpn-2.3.5-1.x86_64.rpm server:/tmp

On the VPN server:


yum localinstall /tmp/openvpn-2.3.5-1.x86_64.rpm
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-masquerade --permanent

(The --permanent rules only take effect after firewall-cmd --reload or a reboot. If you have multiple zones, pass --zone= to pick the public/external one; the masquerade rule is what lets the 10.8.0.0/24 tunnel addresses reach the internet through the server's public IP.)

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Setup easy-rsa


wget -O /tmp/easy-rsa-master.zip https://github.com/OpenVPN/easy-rsa/archive/master.zip

cd /srv/
unzip /tmp/easy-rsa-master.zip
mv /srv/easy-rsa-master/easyrsa3/ /srv/easy-rsa/

cd /srv/easy-rsa/
cp openssl{-1.0.cnf,.cnf}
cp vars.example vars
vi vars

(The copy of openssl-1.0.cnf to openssl.cnf is for easyrsa3 snapshots that look for openssl.cnf; it is harmless otherwise. easyrsa3 takes its settings from a vars file in its own directory written with set_var, not from the exported KEY_* variables of easy-rsa 2, and reads that file itself, so it does not need to be sourced. The CN of each certificate comes from the name given to gen-req.)

set_var EASYRSA_REQ_COUNTRY  "UK"
set_var EASYRSA_REQ_PROVINCE "DN"
set_var EASYRSA_REQ_CITY     "Belfast"
set_var EASYRSA_REQ_ORG      "Organization Name"
set_var EASYRSA_REQ_EMAIL    "administrator@example.com"
set_var EASYRSA_REQ_OU       "server"

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh

(build-ca asks for a passphrase for the CA key, pki/private/ca.key. Anyone holding that key can issue client certificates the server will accept, so keep the passphrase and, ideally, keep the CA on a machine other than the VPN server.)

./easyrsa gen-req serverName nopass

(nopass skips the passphrase on the server key: OpenVPN is started by systemd with no terminal to type one into. If the key was already generated with a passphrase, strip it with:)

mv pki/private/serverName.key pki/private/serverName_p.key
openssl rsa -in pki/private/serverName_p.key -out pki/private/serverName.key

./easyrsa sign-req server serverName

(The server type adds the serverAuth extension to the certificate; that extension is what a client configured with remote-cert-tls server checks for.)

mkdir -p /srv/openvpn/keys
mkdir -p /srv/openvpn/certs

cp pki/private/serverName.key /srv/openvpn/keys/
cp pki/issued/serverName.crt /srv/openvpn/certs/
cp pki/ca.crt /srv/openvpn/certs/
cp pki/dh.pem /srv/openvpn/keys/
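Before pointing OpenVPN at the copied files it is worth checking what easy-rsa actually produced. The script below is an added example, not part of the original post, easy-rsa or OpenVPN: it confirms that the server certificate chains to the CA the clients will be given, that it carries the serverAuth extension which sign-req server is supposed to add (a client's remote-cert-tls server check depends on it), that it matches the private key copied to /srv/openvpn/keys, that the key is unencrypted, and that the key is readable by root only. The default paths are the /srv/openvpn locations and the serverName file names used above; it needs the openssl CLI and GNU coreutils (stat -c), both present on CentOS 7.

```bash
#!/bin/bash
# Added example (not from the original post, easy-rsa or OpenVPN): sanity checks
# on the server PKI files before OpenVPN is started. Needs the openssl CLI and
# GNU coreutils (stat -c), both present on CentOS 7.

# 1. The server certificate must chain to the CA the clients will trust.
#    The output is grepped rather than relying on the exit code because
#    "openssl verify" in OpenSSL 1.0.x (CentOS 7) exits 0 even on failure.
cert_chains_to_ca() {            # $1 = ca.crt, $2 = server .crt
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# 2. "easyrsa sign-req server" adds extendedKeyUsage=serverAuth. A client using
#    "remote-cert-tls server" rejects a certificate without it, so a server cert
#    signed by mistake with "sign-req client" would never connect.
cert_has_eku() {                 # $1 = .crt, $2 = EKU text as openssl prints it
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# 3. The key copied next to the cert must be the one the cert was issued for:
#    compare the SubjectPublicKeyInfo derived from each side.
key_matches_cert() {             # $1 = .crt, $2 = .key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 4. systemd starts openvpn without a terminal, so the server key cannot be
#    passphrase-protected (what the nopass / "openssl rsa" step above ensures).
#    Both PEM encryption styles carry the word ENCRYPTED in their header.
key_is_unencrypted() {           # $1 = .key
    ! grep -q 'ENCRYPTED' "$1"
}

# 5. The key is read by root before privileges drop to nobody; nobody else needs it.
key_mode_ok() {                  # $1 = .key
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Runs one check, prints a one-line verdict and records any failure in rc.
report() {                       # $1 = check function, rest = its arguments
    if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi
}

# Run every check; returns non-zero if any failed. Arguments default to the
# paths used in this post (assumed, adjust to your layout).
check_server_pki() {             # $1 = ca.crt, $2 = server .crt, $3 = server .key
    ca=${1:-/srv/openvpn/certs/ca.crt}
    cert=${2:-/srv/openvpn/certs/serverName.crt}
    key=${3:-/srv/openvpn/keys/serverName.key}
    rc=0
    report cert_chains_to_ca "$ca" "$cert"
    report cert_has_eku "$cert" 'TLS Web Server Authentication'
    report key_matches_cert "$cert" "$key"
    report key_is_unencrypted "$key"
    report key_mode_ok "$key"
    return $rc
}
```

Run check_server_pki with no arguments on the VPN server after the cp commands above; a FAIL on the key mode line is fixed with chmod 600 on the key, a FAIL on the EKU line means the request was signed with the wrong type and must be re-signed with sign-req server.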

Configure OpenVPN Server


cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Edit /etc/openvpn/server.conf


ca /srv/openvpn/certs/ca.crt
cert /srv/openvpn/certs/serverName.crt
key /srv/openvpn/keys/serverName.key
dh /srv/openvpn/keys/dh.pem

Uncomment the local line and replace a.b.c.d with the IP of the public interface (OpenVPN then listens on that address only):

local a.b.c.d

Uncomment (redirect-gateway sends all client traffic through the tunnel; user/group nobody drop root privileges once the tunnel is up):

push "redirect-gateway def1 bypass-dhcp"
user nobody
group nobody

Edit the DNS lines (these push Google's resolvers to the clients; substitute your own if you prefer):


push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Edit the following line with the tunnel network and subnet mask you wish to use (the server takes the first address in it):


server 10.8.0.0 255.255.255.0

Create systemd startup for OpenVPN

Add a template unit (note the @ directly before .service). It is instantiated per config file: openvpn@server.service runs /etc/openvpn/server.conf. /var/run is tmpfs on CentOS 7, so the pid directory is recreated on every start.


cat > /usr/lib/systemd/system/openvpn@.service <<EOF
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application on %I
After=syslog.target network.target

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStartPre=/usr/bin/mkdir -p /var/run/openvpn
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
EOF

Reload systemd, enable the instance so it starts at boot, and start it:


systemctl daemon-reload
systemctl enable openvpn@server.service
systemctl start openvpn@server.service

Prepare a key and certificate for a client (one per client; a certificate should not be shared between devices):


cd /srv/easy-rsa
./easyrsa gen-req clientName
./easyrsa sign-req client clientName

Set up the client:
I am going to assume a Windows client here as that is what I was testing with.

Copy the following files to the client over an authenticated channel such as scp (the .key file is the client's secret and must not be sent over plain email or HTTP):


/srv/easy-rsa/pki/private/clientName.key
/srv/easy-rsa/pki/issued/clientName.crt
/srv/openvpn/certs/ca.crt

On the client, create a file called "client.ovpn" and change a.b.c.d to the IP of the VPN server. Include remote-cert-tls server: without it the client accepts any certificate signed by the CA as the server, so one client's certificate could be used to impersonate the server to another.


client
proto udp
verb 3
dev tun
remote a.b.c.d
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\clientName.crt
key c:\\openvpnkeys\\clientName.key
remote-cert-tls server
nobind
persist-key
persist-tun
comp-lzo

Copy file into
“C:\Program Files\OpenVPN\config\”
or
“C:\Program Files (x86)\OpenVPN\config\”
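The three files plus the .ovpn can be collapsed into a single profile, which is easier to hand to a Windows user and avoids the c:\\openvpnkeys path escaping entirely: OpenVPN 2.3 accepts <ca>, <cert> and <key> blocks inline in the config. The generator below is an added example, not part of the original post or of OpenVPN. It is run on the server with the CA certificate and the client's issued certificate and key from the easy-rsa paths above (assumed; adjust to your layout) and writes the profile to stdout; it also strips the human-readable dump that easy-rsa puts above the PEM in issued .crt files and carries the remote-cert-tls server line explained above.

```bash
#!/bin/bash
# Added example (not from the original post or from OpenVPN): build a single-file
# client profile with the CA certificate, client certificate and key inlined.
# OpenVPN 2.3 reads <ca>, <cert> and <key> inline blocks in place of file paths.

# easy-rsa writes a text dump of the certificate above the PEM in issued .crt
# files; keep only the PEM block so the profile stays small and unambiguous.
pem_only() {                 # $1 = PEM file
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Usage: make_ovpn <server-ip> <ca.crt> <client.crt> <client.key>   (profile on stdout)
make_ovpn() {
    server=$1; ca=$2; cert=$3; key=$4
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
persist-key
persist-tun
# Only accept a server whose certificate carries the serverAuth extension that
# "easyrsa sign-req server" adds; without this, any client certificate signed by
# the same CA could be used to impersonate the server.
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$cert")
</cert>
<key>
$(pem_only "$key")
</key>
EOF
}

# Example invocation on the server (a.b.c.d is the server's public IP; the paths
# are the easy-rsa and /srv/openvpn locations used in this post):
# make_ovpn a.b.c.d /srv/openvpn/certs/ca.crt \
#     /srv/easy-rsa/pki/issued/clientName.crt \
#     /srv/easy-rsa/pki/private/clientName.key > clientName.ovpn
```

The resulting clientName.ovpn goes into the OpenVPN config directory on the Windows machine on its own; it contains the client's private key, so it must travel over the same kind of authenticated channel as the separate key file would.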
