
OPENVPN

Installing and configuring your very own VPN is, thankfully, a very easy task nowadays.  The most popular server/client software is OpenVPN.  Below are the steps needed to get the server up and running on CentOS/RHEL 7 (EL7), and the bits and pieces your client needs to get connected.

SETUP REPOSITORY AND INSTALL SOFTWARE

    sudo yum install epel-release
    sudo yum install openvpn easy-rsa -y

CONFIGURE OPENVPN SERVER

    sudo cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
    sudo vi /etc/openvpn/server.conf

Set the following settings (lines in the sample file are commented out with a leading ";"):

    change dh dh1024.pem to dh dh2048.pem (the file build-dh generates below)
    uncomment push "redirect-gateway def1 bypass-dhcp"
    uncomment and fix push "dhcp-option DNS 8.8.8.8"
    uncomment and fix push "dhcp-option DNS 8.8.4.4"
    uncomment user nobody
    uncomment group nobody
    comment out explicit-exit-notify 1
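The edits listed above can be applied mechanically and then verified rather than done by hand in vi. The following shell script is an added example and is not part of the original page. It assumes the stock sample server.conf layout (a "dh dh1024.pem" line, ";"-commented push, user and group lines, and two commented "dhcp-option DNS" pushes) and, as an assumption of this example, also pins "cipher AES-256-CBC" so the server matches the client sample later on this page.

```shell
#!/bin/bash
# Added example (not from the original page): apply the server.conf edits
# listed above with awk instead of editing by hand, then verify them.
set -eu

# Rewrite the server.conf given as $1 in place, applying the listed edits.
# Only the first two commented-out "dhcp-option DNS" pushes are rewritten,
# which matches the stock sample file (two OpenDNS entries).
configure_server_conf() {
    local conf="$1"
    awk '
        /^dh dh1024\.pem/            { print "dh dh2048.pem"; next }
        /^;push "redirect-gateway/   { sub(/^;/, ""); print; next }
        /^;push "dhcp-option DNS/    {
            dns++
            if (dns == 1) { print "push \"dhcp-option DNS 8.8.8.8\""; next }
            if (dns == 2) { print "push \"dhcp-option DNS 8.8.4.4\""; next }
        }
        /^;user nobody/ || /^;group nobody/ { sub(/^;/, ""); print; next }
        /^explicit-exit-notify 1/    { print ";" $0; next }
        { print }
    ' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    # Assumption of this example: pin the data-channel cipher so it matches
    # the client sample; the stock sample ships with cipher commented out.
    grep -q '^cipher ' "$conf" || printf 'cipher AES-256-CBC\n' >> "$conf"
}

# Return 0 only if every required directive is active (uncommented) and the
# exit-notify line is disabled. Prints each missing item for the operator.
check_server_conf() {
    local conf="$1" ok=0
    local want='dh dh2048.pem|push "redirect-gateway def1 bypass-dhcp"|push "dhcp-option DNS 8.8.8.8"|push "dhcp-option DNS 8.8.4.4"|user nobody|group nobody|cipher AES-256-CBC'
    local IFS='|'
    for line in $want; do
        grep -qxF "$line" "$conf" || { echo "missing: $line" >&2; ok=1; }
    done
    if grep -q '^explicit-exit-notify' "$conf"; then
        echo "explicit-exit-notify is still active" >&2; ok=1
    fi
    return $ok
}

# Usage: ./configure-server-conf.sh /etc/openvpn/server.conf (run as root)
if [ "$#" -eq 1 ]; then
    configure_server_conf "$1"
    check_server_conf "$1"
fi
```

The check function is the useful half: run it after any hand edit as well, since a push line left with its leading ";" silently leaves clients without a default route or DNS through the tunnel.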

SETUP THE SERVER CERTIFICATES

    sudo mkdir -p /etc/openvpn/easy-rsa/keys
    sudo cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    sudo vi /etc/openvpn/easy-rsa/vars
    #Set the vars appropriately to your locale:
    #export KEY_COUNTRY="US"
    #export KEY_PROVINCE="WI"
    #export KEY_CITY="Milwaukee"
    #export KEY_ORG="Schotty.com"
    #export KEY_EMAIL="vpn@schotty.com"
    #export KEY_OU="Schotty.com"
    #
    #X509 Subject Field
    #export KEY_NAME="fqdn.yourdomain.tld"
    #
    #export KEY_CN=fqdn.yourdomain.tld

GENERATE KEYS

The easy-rsa scripts must run as root, and source is a shell builtin, so "sudo source ./vars" does nothing useful: open a root shell and run the whole sequence in it. clean-all empties the keys directory, so run it once, before build-ca, and never again on a CA that is in use.

    sudo cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
    sudo -i
    cd /etc/openvpn/easy-rsa
    source ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-dh
    cp keys/dh2048.pem keys/ca.crt keys/server.crt keys/server.key /etc/openvpn
    exit

The CA private key, keys/ca.key, stays in the easy-rsa keys directory. It is never copied to /etc/openvpn or handed to a client, and it should be readable by root only.

CONFIGURE FIREWALL

It is highly advised to use the tools Red Hat provides, so firewalld is put to work here rather than disabling it and falling back to raw iptables. The masquerade rule NATs the VPN clients' traffic out through the server's public address, and the last two firewall-cmd calls confirm the service and the masquerade are active. Clients only reach the internet if the kernel also forwards packets, so check that net.ipv4.ip_forward reports 1 and set it persistently under /etc/sysctl.d/ if it does not.

    sudo systemctl enable firewalld
    sudo systemctl start firewalld
    sudo firewall-cmd --permanent --zone=public --add-service openvpn
    sudo firewall-cmd --permanent --zone=public --add-masquerade
    sudo firewall-cmd --permanent --zone=public --add-interface=tun0
    sudo firewall-cmd --reload
    sudo firewall-cmd --zone=public --list-services
    sudo firewall-cmd --zone=public --query-masquerade
    sysctl net.ipv4.ip_forward

ENABLE AND START THE OPENVPN DAEMON

    sudo systemctl -f enable openvpn@server.service
    sudo systemctl start openvpn@server.service

Should any errors crop up, use "systemctl status openvpn@server.service" and "journalctl -xe" to view the full log. It is most likely a typo or a skipped step, such as one of the certificate files missing from /etc/openvpn.

CLIENT CONFIGURATION

To generate a certificate and key for a client, run build-key from a root shell with vars sourced, using a distinct name per client (the name becomes the certificate's Common Name):

    sudo -i
    cd /etc/openvpn/easy-rsa
    source ./vars
    ./build-key client
    exit

For each client, give the user these three files from /etc/openvpn/easy-rsa/keys over a secure channel such as scp, not e-mail. client.key is that user's private key; ca.key and server.key never leave the server:

    /etc/openvpn/easy-rsa/keys: ca.crt client.crt client.key

The standard location on EL7 is to keep the keys in

    ~/.cert/

with client.key readable by its owner only (chmod 600). If you are using SELinux (and you should), the targeted policy already labels ~/.cert as home_cert_t, so restoring the context after copying the files in is normally enough; the semanage line registers the same pattern explicitly and is what you would adapt if the files live in some other directory:

    sudo semanage fcontext -a -t home_cert_t "$HOME/.cert(/.*)?"
    sudo restorecon -R -v ~/.cert/
    ls -Z ~/.cert/

.OVPN CLIENT SAMPLE FILE

OpenVPN does not expand "~" in its config file, so the ca, cert and key directives need the absolute path to the user's home directory. The cipher line must match the cipher directive in the server's server.conf, and because the server certificate was built with build-key-server, the client can insist on the server role and refuse a connection from anyone presenting an ordinary client certificate.

    client
    dev tun
    proto udp
    remote your_server_ip 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo
    verb 3
    # absolute paths: OpenVPN does not expand ~
    ca /home/youruser/.cert/ca.crt
    cert /home/youruser/.cert/client.crt
    key /home/youruser/.cert/client.key
    # must match the cipher directive in the server's server.conf
    cipher AES-256-CBC
    # only accept a certificate issued by build-key-server (serverAuth)
    remote-cert-tls server
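Shipping three files per user and fixing their paths and SELinux labels on every client can be avoided altogether: OpenVPN accepts the CA certificate, client certificate and key inline inside the .ovpn file. The following shell script is an added example, not part of the original page, that builds such a self-contained profile from the easy-rsa keys directory above and checks the result. The client name, server address and output location in the usage line are placeholders; the profile contents mirror the sample above, including "remote-cert-tls server".

```shell
#!/bin/bash
# Added example (not from the original page): emit one self-contained .ovpn
# per client with ca.crt, client.crt and client.key inlined, so the user
# needs no ~/.cert directory, no absolute paths and no SELinux relabel.
set -eu

# Print only the PEM block(s) of a file, dropping easy-rsa's text dump
# that precedes the certificate in the .crt files it writes.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_client_ovpn NAME SERVER KEYS_DIR > NAME.ovpn
# Reads ca.crt, NAME.crt and NAME.key from KEYS_DIR (the easy-rsa keys
# directory from the steps above) and writes an inline profile to stdout.
# Returns 1 without printing anything if a file is missing or unreadable.
make_client_ovpn() {
    local name="$1" server="$2" keys="$3" f
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
# Must match the cipher directive in the server's server.conf.
cipher AES-256-CBC
# Accept only a peer certificate issued by build-key-server (serverAuth),
# so another client's certificate cannot be used to impersonate the server.
remote-cert-tls server
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$name.crt")
</cert>
<key>
$(pem_only "$keys/$name.key")
</key>
EOF
}

# profile_ok FILE: 0 if FILE carries PEM data in all three inline blocks,
# pins the server role, and references no external ~ paths; 1 otherwise.
profile_ok() {
    local file="$1" tag
    for tag in ca cert key; do
        sed -n "/^<$tag>$/,/^<\/$tag>$/p" "$file" | grep -q '^-----BEGIN ' \
            || { echo "no PEM inside <$tag>" >&2; return 1; }
    done
    grep -qx 'remote-cert-tls server' "$file" \
        || { echo "remote-cert-tls server is missing" >&2; return 1; }
    if grep -Eq '^(ca|cert|key) ~' "$file"; then
        echo "OpenVPN does not expand ~ in paths" >&2; return 1
    fi
}

# Usage (as root, placeholders): ./make-ovpn.sh alice 203.0.113.10 \
#     /etc/openvpn/easy-rsa/keys > alice.ovpn
if [ "$#" -eq 3 ]; then
    make_client_ovpn "$1" "$2" "$3"
fi
```

The generated file contains the user's private key, so it gets the same handling as client.key: transfer it over scp or another secure channel and keep it mode 600 on the client.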