Prerequisites
To follow this tutorial, you will need:
One CentOS 7 server with a sudo non-root user and a firewall set up with firewalld, which you can achieve with our Initial Server Setup with CentOS 7 guide and the Additional Recommended Steps for New CentOS 7 Servers.
A domain or subdomain that resolves to your server that you can use for the certificates. To set this up, you will first need to register a domain name and then add a DNS record via the DigitalOcean Control Panel. Note that just adding an A record will meet the requirements of this tutorial.
A client machine which you will use to connect to your OpenVPN server. For the purposes of this tutorial, it’s recommend that you use your local machine as the OpenVPN client.
With these prerequisites in place, you are ready to begin setting up and configuring an OpenVPN server on CentOS 7.
Step 1 — Installing OpenVPN
To start, we will install OpenVPN on the server. We’ll also install Easy RSA, a public key infrastructure management tool which will help us set up an internal certificate authority (CA) for use with our VPN. We’ll also use Easy RSA to generate our SSL key pairs later on to secure the VPN connections.
Log in to the server as the non-root sudo user, and update the package lists to make sure you have all the latest versions.
The Extra Packages for Enterprise Linux (EPEL) repository is an additional repository managed by the Fedora Project containing non-standard but popular packages. OpenVPN isn’t available in the default CentOS repositories but it is available in EPEL, so install EPEL:
Then update your package lists once more:
Next, install OpenVPN and wget, which we will use to install Easy RSA:
Using wget, download Easy RSA. For the purposes of this tutorial, we recommend using easy-rsa-2 because there’s more available documentation for this version. You can find the download link for the latest version of easy-rsa-2 on the project’s Releases page:
Next, extract the compressed file with tar:
This will create a new directory on your server called easy-rsa-old-2.3.3. Make a new subdirectory under /etc/openvpn and name it easy-rsa:
Copy the extracted Easy RSA files over to the new directory:
Then change the directory’s owner to your non-root sudo user:
Once these programs are installed and have been moved to the right locations on your system, the next step is to customize the server-side configuration of OpenVPN.
Step 2 — Configuring OpenVPN
Like many other widely-used open-source tools, there are dozens of configuration options available to you. In this section, we will provide instructions on how to set up a basic OpenVPN server configuration.
OpenVPN has several example configuration files in its documentation directory. First, copy the sample server.conf file as a starting point for your own configuration file.
Open the new file for editing with the text editor of your choice. We’ll use nano in our example, which you can download with the yum install nano command if you don’t have it on your server already:
There are a few lines we need to change in this file, most of which just need to be uncommented by removing the semicolon, ;, at the beginning of the line. The functions of these lines, and the other lines not mentioned in this tutorial, are explained in-depth in the comments above each one.
To get started, find and uncomment the line containing push "redirect-gateway def1 bypass-dhcp". Doing this will tell your client to redirect all of its traffic through your OpenVPN server. Be aware that enabling this functionality can cause connectivity issues with other network services, like SSH:
Because your client will not be able to use the default DNS servers provided by your ISP (as its traffic will be rerouted), you need to tell it which DNS servers it can use to connect to OpenVPN. You can pick different DNS servers, but here we’ll use Google’s public DNS servers which have the IPs of 8.8.8.8 and 8.8.4.4.
Set this by uncommenting both push "dhcp-option DNS ..." lines and updating the IP addresses:
We want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of nobody. To enable this, uncomment the user nobody and group nobody lines:
Next, uncomment the topology subnet line. This, along with the server 10.8.0.0 255.255.255.0 line below it, configures your OpenVPN installation to function as a subnetwork and tells the client machine which IP address it should use. In this case, the server will become 10.8.0.1 and the first client will become 10.8.0.2:
It’s also recommended that you add the following line to your server configuration file. This double checks that any incoming client certificates are truly coming from a client, hardening the security parameters we will establish in later steps:
Lastly, OpenVPN strongly recommends that users enable TLS Authentication, a cryptographic protocol that ensures secure communications over a computer network. To do this, you will need to generate a static encryption key (named in our example as myvpn.tlsauth, although you can choose any name you like). Before creating this key, comment the line in the configuration file containing tls-auth ta.key 0 by prepending it with a semicolon. Then, add tls-crypt myvpn.tlsauth to the line below it:
Save and exit the OpenVPN server configuration file (in nano, press CTRL - X, Y, then ENTER to do so), and then generate the static encryption key with the following command:
Now that your server is configured, you can move on to setting up the SSL keys and certificates needed to securely connect to your VPN connection.
Step 3 — Generating Keys and Certificates
Easy RSA uses a set of scripts that come installed with the program to generate keys and certificates. In order to avoid re-configuring every time you need to generate a certificate, you can modify Easy RSA’s configuration to define the default values it will use for the certificate fields, including your country, city, and preferred email address.
We’ll begin our process of generating keys and certificates by creating a directory where Easy RSA will store any keys and certs you generate:
The default certificate variables are set in the vars file in /etc/openvpn/easy-rsa, so open that file for editing:
Scroll to the bottom of the file and change the values that start with export KEY_ to match your information. The ones that matter the most are:
KEY_CN: Here, enter the domain or subdomain that resolves to your server.KEY_NAME: You should enterserverhere. If you enter something else, you would also have to update the configuration files that referenceserver.keyandserver.crt.
The other variables in this file that you may want to change are:
KEY_COUNTRY: For this variable, enter the two-letter abbreviation of the country of your residence.KEY_PROVINCE: This should be the name or abbreviation of the state of your residence.KEY_CITY: Here, enter the name of the city you live in.KEY_ORG: This should be the name of your organization or company.KEY_EMAIL: Enter the email address that you want to be connected to the security certificate.KEY_OU: This should be the name of the “Organizational Unit” to which you belong, typically either the name of your department or team.
The rest of the variables can be safely ignored outside of specific use cases. After you’ve made your changes, the file should look like this:
Save and close the file.
To start generating the keys and certificates, move into the easy-rsa directory and source in the new variables you set in the vars file:
Run Easy RSA’s clean-all script to remove any keys and certificates already in the folder and generate the certificate authority:
Next, build the certificate authority with the build-ca script. You’ll be prompted to enter values for the certificate fields, but if you set the variables in the vars file earlier, all of your options will already be set as the defaults. You can press ENTER to accept the defaults for each one:
This script generates a file called ca.key. This is the private key used to sign your server and clients’ certificates. If it is lost, you can no longer trust any certificates from this certificate authority, and if anyone is able to access this file they can sign new certificates and access your VPN without your knowledge. For this reason, OpenVPN recommends storing ca.key in a location that can be offline as much as possible, and it should only be activated when creating new certificates.
Next, create a key and certificate for the server using the build-key-server script:
As with building the CA, you’ll see the values you’ve set as the defaults so you can hit ENTER at these prompts. Additionally, you’ll be prompted to enter a challenge password and an optional company name. If you enter a challenge password, you will be asked for it when connecting to the VPN from your client. If you don’t want to set a challenge password, just leave this line blank and press ENTER. At the end, enter Y to commit the changes.
The last part of creating the server keys and certificates is generating a Diffie-Hellman key exchange file. Use the build-dh script to do this:
This may take a few minutes to complete.
Once your server is finished generating the key exchange file, copy the server keys and certificates from thekeys directory into the openvpn directory:
Each client will also need a certificate in order for the OpenVPN server to authenticate it. These keys and certificates will be created on the server and then you will have to copy them over to your clients, which we will do in a later step. It’s advised that you generate separate keys and certificates for each client you intend to connect to your VPN.
Because we’ll only set up one client here, we called it client, but you can change this to a more descriptive name if you’d like:
Finally, copy the versioned OpenSSL configuration file, openssl-1.0.0.cnf, to a versionless name, openssl.cnf. Failing to do so could result in an error where OpenSSL is unable to load the configuration because it cannot detect its version:
Now that all the necessary keys and certificates have been generated for your server and client, you can move on to setting up routing between the two machines.
Step 4 — Routing
So far, you’ve installed OpenVPN on your server, configured it, and generated the keys and certificates needed for your client to access the VPN. However, you have not yet provided OpenVPN with any instructions on where to send incoming web traffic from clients. You can stipulate how the server should handle client traffic by establishing some firewall rules and routing configurations.
Assuming you followed the prerequisites at the start of this tutorial, you should already have firewalld installed and running on your server. To allow OpenVPN through the firewall, you’ll need to know what your active firewalld zone is. Find this with the following command:
Outputtrusted
Interfaces: tun0
Next, add the openvpn service to the list of services allowed by firewalld within your active zone, and then make that setting permanent by running the command again but with the --permanent option added:
You can check that the service was added correctly with the following command:
Outputopenvpn
Next, add a masquerade to the current runtime instance, and then add it again with the --permanent option to add the masquerade to all future instances:
You can check that the masquerade was added correctly with this command:
Outputyes
Next, forward routing to your OpenVPN subnet. You can do this by first creating a variable (SHARK in our example) which will represent the primary network interface used by your server, and then using that variable to permanently add the routing rule:
Be sure to implement these changes to your firewall rules by reloading firewalld:
Next, enable IP forwarding. This will route all web traffic from your client to your server’s IP address, and your client’s public IP address will effectively be hidden.
Open sysctl.conf for editing:
Then add the following line at the top of the file:
Finally, restart the network service so the IP forwarding will take effect:
With the routing and firewall rules in place, we can start the OpenVPN service on the server.
Step 5 — Starting OpenVPN
OpenVPN is managed as a systemd service using systemctl. We will configure OpenVPN to start up at boot so you can connect to your VPN at any time as long as your server is running. To do this, enable the OpenVPN server by adding it to systemctl:
Then start the OpenVPN service:
Double check that the OpenVPN service is active with the following command. You should see active (running) in the output:
Output● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: **active (running)** since Wed 2018-03-14 15:20:11 EDT; 7s ago
Main PID: 2824 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─2824 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
. . .
We’ve now completed the server-side configuration for OpenVPN. Next, you will configure your client machine and connect to the OpenVPN server.
Step 6 — Configuring a Client
Regardless of your client machine’s operating system, it will need a locally-saved copy of the CA certificate and the client key and certificate generated in Step 3, as well as the static encryption key you generated at the end of Step 2.
Locate the following files on your server. If you generated multiple client keys with unique, descriptive names, then the key and certificate names will be different. In this article we used client.
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/myvpn.tlsauth
Copy these files to your client machine. You can use SFTP or your preferred method. You could even just open the files in your text editor and copy and paste the contents into new files on your client machine. Regardless of which method you use, be sure to note where you save these files.
Next, create a file called client.ovpn on your client machine. This is a configuration file for an OpenVPN client, telling it how to connect to the server:
Then add the following lines to client.ovpn. Notice that many of these lines reflect those which we uncommented or added to the server.conf file, or were already in it by default:
When adding these lines, please note the following:
- You’ll need to change the first line to reflect the name you gave the client in your key and certificate; in our case, this is just
client - You also need to update the IP address from
your_server_ipto the IP address of your server; port1194can stay the same - Make sure the paths to your key and certificate files are correct
This file can now be used by any OpenVPN client to connect to your server. Below are OS-specific instructions for how to connect your client:
Windows:
On Windows, you will need the official OpenVPN Community Edition binaries which come with a GUI. Place your .ovpn configuration file into the proper directory, C:\Program Files\OpenVPN\config, and click Connect in the GUI. OpenVPN GUI on Windows must be executed with administrative privileges.
macOS:
On macOS, the open source application Tunnelblick provides an interface similar to the OpenVPN GUI on Windows, and comes with OpenVPN and the required TUN/TAP drivers. As with Windows, the only step required is to place your .ovpn configuration file into the ~/Library/Application Support/Tunnelblick/Configurations directory. Alternatively, you can double-click on your .ovpn file.
Linux:
On Linux, you should install OpenVPN from your distribution’s official repositories. You can then invoke OpenVPN by executing:
After you establish a successful client connection, you can verify that your traffic is being routed through the VPN by checking Google to reveal your public IP.
Conclusion
You should now have a fully operational virtual private network running on your OpenVPN server. You can browse the web and download content without worrying about malicious actors tracking your activity.
There are several steps you could take to customize your OpenVPN installation even further, such as configuring your client to connect to the VPN automatically or configuring client-specific rules and access policies. For these and other OpenVPN customizations, you should consult the official OpenVPN documentation. If you’re interested in other ways you can protect yourself and your machines on the internet, check out our article on 7 Security Measures to Protect Your Servers.
Source and Reference :
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-7
https://www.tecmint.com/install-openvpn-in-centos/
Reviewed by ilham.sp
on
January 06, 2021
Rating:
No comments: