OPENVPN
Installing and configuring your own VPN is, thankfully, a very easy task nowadays. The most popular server/client software is OpenVPN. Below are the steps needed to get the server up and running on a CentOS/RHEL 7 (EL7) box with the easy-rsa 2.0 scripts, and the bits and pieces your client needs to connect.
SETUP REPOSITORY AND INSTALL SOFTWARE
sudo yum install epel-release
sudo yum install openvpn easy-rsa -y
CONFIGURE OPENVPN SERVER
sudo cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
sudo vi /etc/openvpn/server.conf
Set the following:
dh dh2048.pem (the file build-dh produces with the default 2048-bit KEY_SIZE)
uncomment push "redirect-gateway def1 bypass-dhcp" so clients send all their traffic through the VPN
uncomment and set push "dhcp-option DNS 8.8.8.8"
uncomment and set push "dhcp-option DNS 8.8.4.4"
uncomment user nobody
uncomment group nobody (with both set, the daemon drops root once the tunnel is up, so a bug in OpenVPN no longer hands out root on the server)
comment out explicit-exit-notify 1
add cipher AES-256-CBC so it matches the client config at the end of this page; the sample server.conf leaves the default BF-CBC, a 64-bit block cipher, and on older releases a cipher mismatch between the two ends simply fails to decrypt
SETUP THE SERVER CERTIFICATES
sudo mkdir -p /etc/openvpn/easy-rsa/keys
sudo cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
sudo vi /etc/openvpn/easy-rsa/vars
Set the vars to suit your organization. These lines must be active (not commented out) in the vars file, because the build-* scripts read them as the defaults for every certificate they create:
export KEY_COUNTRY="US"
export KEY_PROVINCE="WI"
export KEY_CITY="Milwaukee"
export KEY_ORG="Schotty.com"
export KEY_EMAIL="vpn@schotty.com"
export KEY_OU="Schotty.com"

# X509 Subject Field
export KEY_NAME="fqdn.yourdomain.tld"

# export KEY_CN=fqdn.yourdomain.tld
Leave KEY_CN commented out. If it is exported it becomes the default Common Name offered for every certificate you build, and the server and each client need distinct CNs: OpenVPN treats connections presenting the same CN as one client and drops the earlier session unless duplicate-cn is set.
GENERATE KEYS
Run these steps in a single root shell. source is a shell builtin, so "sudo source ./vars" does nothing useful, and the build-* scripts only work if vars was sourced in the same shell that runs them. clean-all wipes the keys directory, so run it once, before build-ca, and never again against a CA that has issued certificates. build-dh takes a few minutes.
sudo -s
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
exit
server.key is the server's private key and ca.key (which stays in the keys directory) can sign new clients; both must remain readable by root only.
CONFIGURE FIREWALL
It is highly advised to use the tools Red Hat provides, so firewalld will be put to work here rather than disabling it in favour of raw iptables. The masquerade rule is what NATs the clients' traffic out through the server's public address; adding tun0 to the zone makes the rules apply to the tunnel. The kernel must also have IPv4 forwarding enabled (net.ipv4.ip_forward = 1), which the firewall rules alone do not do.
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --zone=public --add-service openvpn
sudo firewall-cmd --permanent --zone=public --add-masquerade
sudo firewall-cmd --permanent --zone=public --add-interface=tun0
sudo firewall-cmd --reload
sudo firewall-cmd --zone=public --list-services
sudo firewall-cmd --zone=public --query-masquerade
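Pushing redirect-gateway only works if the server actually forwards packets between tun0 and its public interface, and that needs net.ipv4.ip_forward set to 1; the firewall commands above do not turn it on. The script below is an added example, not part of the original page: it persists the setting in a sysctl drop-in, applies it, and then checks the forwarding knob and the firewalld state this section configures. The drop-in file name, the "apply" argument and the zone argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): enable IPv4 forwarding, which
# "push redirect-gateway" needs on the server, and verify the routing setup.
# Assumes the firewalld layout used above (tun0 and masquerade in "public").
set -e

# Persist ip_forward in a sysctl drop-in so it survives reboots, then apply it.
# The drop-in file name is an assumption; any name under /etc/sysctl.d works.
enable_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -p /etc/sysctl.d/99-openvpn-forward.conf
}

# Return 0 when the kernel knob at $1 (default: the live /proc entry) reads 1.
# Taking the path as an argument lets the check be exercised on a sample file.
ip_forward_enabled() {
    knob="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$knob" 2>/dev/null)" = "1" ]
}

# Report the firewalld state the server needs in zone $1 (default "public"):
# the openvpn service open, masquerade on, and tun0 bound to the zone.
# firewall-cmd exits non-zero on a "no" answer, so with set -e the first
# missing piece stops the script and names itself.
check_firewall() {
    zone="${1:-public}"
    firewall-cmd --zone="$zone" --query-service=openvpn
    firewall-cmd --zone="$zone" --query-masquerade
    firewall-cmd --zone="$zone" --query-interface=tun0
}

# Usage on the server, as root: ./forwarding-check.sh apply
if [ "$1" = "apply" ]; then
    enable_ip_forward
    ip_forward_enabled || { echo "ip_forward is still off" >&2; exit 1; }
    check_firewall public
fi
```

Run it as root after the firewall-cmd steps; if any query prints "no", the corresponding --permanent rule above was not applied or --reload was skipped.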
ENABLE AND START THE OPENVPN DAEMON
sudo systemctl -f enable openvpn@server.service
sudo systemctl start openvpn@server.service
Should any errors crop up, use "journalctl -xeu openvpn@server.service" to view the daemon's log. It is most likely a typo in server.conf or a skipped step (a missing dh2048.pem or server.key in /etc/openvpn is the usual one).
CLIENT CONFIGURATION
Generate a certificate for each client from a root shell (sudo -s) with vars sourced, since build-key refuses to run otherwise. Use a distinct file name and Common Name for every client, and do not share one certificate among several people:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key client
This leaves three files in /etc/openvpn/easy-rsa/keys to give to the user: ca.crt, client.crt and client.key. client.key is the user's private key, so hand it over through a channel you would trust with a password, not by plain e-mail.
The standard location on EL7 for the keys is
~/.cert/
If you are using SELinux (and you should), the stock policy already labels ~/.cert as home_cert_t, so restorecon is usually enough to fix the files you copied in. If the label does not take, add the context explicitly; the pattern must cover the files, not only the directory:
sudo semanage fcontext -a -t home_cert_t "$HOME/.cert(/.*)?"
sudo restorecon -R -v ~/.cert/
.OVPN CLIENT SAMPLE FILE
OpenVPN does not expand ~ in its config files, so ca, cert and key must use the absolute path of the user's ~/.cert directory (or bare file names, with openvpn started from inside that directory). The remote-cert-tls line is worth adding: without it the client accepts any certificate this CA signed, including another client's, as the server.
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# compression must match the server (the sample server.conf enables it)
comp-lzo
verb 3
ca /home/your_username/.cert/ca.crt
cert /home/your_username/.cert/client.crt
key /home/your_username/.cert/client.key
# must match the cipher line in server.conf
cipher AES-256-CBC
# only accept a peer whose certificate was issued for server use
remote-cert-tls server
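The certificates produced under GENERATE KEYS and CLIENT CONFIGURATION above are handed out as three loose files with no check that they belong together. The script below is an added example, not code from the original page: it verifies that a client certificate really chains to ca.crt and that its private key matches it, then writes the sample .ovpn settings above and the three PEM files into one inline profile. It assumes the easy-rsa 2.0 keys directory used above, the sample's udp/1194, comp-lzo and AES-256-CBC settings, and that the server certificate came from build-key-server (which marks it for server use, as remote-cert-tls requires). The script name make-client.sh, the KEYS_DIR variable and the client name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): check a freshly built client
# certificate against the CA, confirm its private key matches, and bundle the
# three files plus the sample .ovpn settings into one inline profile.
# Assumes the easy-rsa 2.0 layout used above and the sample server settings.
set -e

# Hypothetical default; override with KEYS_DIR=... if your layout differs.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"

# Return 0 when certificate $2 chains to the CA in $1 and is within its
# validity period; 1 for a cert signed by some other CA or an expired one.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 when the private key in $2 belongs to the certificate in $1.
# Comparing the two public keys works for any key type and OpenSSL version.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print an inline .ovpn for client $1 pointing at server $2, reading the PEM
# files from $3 (default KEYS_DIR). easy-rsa 2 writes a human-readable dump
# ahead of the PEM block in .crt files, so the cert is re-emitted through
# openssl x509 to keep only the PEM part.
build_ovpn() {
    name="$1"; server="$2"; dir="${3:-$KEYS_DIR}"
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
cipher AES-256-CBC
remote-cert-tls server
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(openssl x509 -in "$dir/$name.crt")
</cert>
<key>
$(cat "$dir/$name.key")
</key>
EOF
}

# Usage: ./make-client.sh <client-name> <server-ip> > client.ovpn
if [ $# -eq 2 ]; then
    verify_client_cert "$KEYS_DIR/ca.crt" "$KEYS_DIR/$1.crt" \
        || { echo "$1.crt does not verify against ca.crt" >&2; exit 1; }
    key_matches_cert "$KEYS_DIR/$1.crt" "$KEYS_DIR/$1.key" \
        || { echo "$1.key does not match $1.crt" >&2; exit 1; }
    build_ovpn "$1" "$2"
fi
```

The resulting file contains the client's private key, so it needs the same careful delivery as client.key on its own; on the user's machine it no longer depends on ~/.cert or on absolute paths, which sidesteps both the tilde problem and the SELinux labelling step.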