OpenVPN is open-source software that creates an encrypted tunnel between two endpoints. In this tutorial we set up an OpenVPN server on CentOS 7 and route a client's Internet traffic through it.
Assumptions
- Access as root or has superuser permissions
- Using Firewalld
- TUN is enabled
Check with:
# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
This error is the expected output: it shows the TUN device node exists (cat simply cannot read it). A "No such file or directory" message would mean TUN is not available.
Installation
Extra Packages for Enterprise Linux (EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a set of additional packages for Enterprise Linux. Its repository provides OpenVPN and Easy-RSA.
# yum -y install epel-release
Install OpenVPN, Easy-RSA, and VIM. VIM isn't required; use your text editor of choice.
# yum -y install openvpn easy-rsa vim
Generating Security Certificates
Create the configuration folders
# mkdir -p /etc/openvpn/easy-rsa/keys
Make a copy of Easy-RSA in the OpenVPN folder
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Modify the ‘vars’ file to set the default certificate values
- KEY_NAME: use ‘server’
- KEY_CN: use your hostname
# vim /etc/openvpn/easy-rsa/vars
Select the OpenSSL configuration that matches the installed OpenSSL version
# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Load the variables into the current shell
# cd /etc/openvpn/easy-rsa
# source ./vars
Clean up any old keys and certificates
# ./clean-all
Build the certificate authority
# ./build-ca
Generate the server certificate
# ./build-key-server server
Generate the Diffie-Hellman parameters file (dh2048.pem)
# ./build-dh
Copy the generated certificate and keys to the OpenVPN directory
# cd /etc/openvpn/easy-rsa/keys
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Generate a pre-shared key for TLS authentication (used by the tls-auth directive)
# cd /etc/openvpn
# openvpn --genkey --secret ta.key
Every client needs its own certificate and key. Below is an example that generates certificates for three clients.
# cd /etc/openvpn/easy-rsa
# source ./vars
# ./build-key work-computer
# ./build-key Nexus-7-2012
# ./build-key OnePlus-One
Configuring OpenVPN
Retrieve the sample configuration file
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Uncomment the following lines to:
- Use the 2048-bit Diffie-Hellman parameters generated above
- Push a default route so clients send all traffic through the VPN
- Push DNS servers to clients (Google Public DNS in this case)
- Drop privileges to the unprivileged nobody user and group after startup
- Enable TLS authentication with the ta.key pre-shared key
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
tls-auth ta.key 0
Routing
Allow the OpenVPN service through the firewall
# firewall-cmd --permanent --add-service openvpn
Enable masquerading so traffic from the OpenVPN subnet is NATed out through the server
# firewall-cmd --permanent --add-masquerade
Reload Firewalld to load the latest configuration
# firewall-cmd –reload
The OpenVPN Service
Enable and start the OpenVPN service
# systemctl enable openvpn@server.service
# systemctl start openvpn@server.service
Configuring a Client
Transfer the following files to your client device through a secure channel (e.g. SFTP):
- /etc/openvpn/ca.crt
- /etc/openvpn/ta.key
- /etc/openvpn/easy-rsa/keys/client.crt (the client's certificate, named after the argument given to build-key, e.g. work-computer.crt)
- /etc/openvpn/easy-rsa/keys/client.key (the matching private key)
Create the client.ovpn file on your client device in:
- Windows: C:\Program Files\OpenVPN\config\client.ovpn
- OS X: ~/Library/Application Support/Tunnelblick/Configurations
client
dev tun
proto udp
remote <server_host_goes_here> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca C:\\path\\to\\ca.crt
cert C:\\path\\to\\client.crt
key C:\\path\\to\\client.key
tls-auth ta.key 1
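As an added example (not code from the original article), the script below writes a client.ovpn from the template above for one device and sanity-checks it against the server config before it is copied out: the placeholder host must have been replaced, every credential directive must be present, and the tls-auth key direction must be the opposite of the server's (server 0 pairs with client 1). The host name, the build-key name and the credential directory on the device are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: write a client.ovpn
# for one device from the template above and sanity-check it against the
# server config before copying it to the device. Host names, file names and
# the credential directory are constructed placeholders.

# Write a client profile. $1 = server host, $2 = the name given to build-key
# (e.g. work-computer), $3 = output path, $4 = directory on the device that
# holds ca.crt, ta.key and the client cert and key (assumption).
make_client_ovpn() {
  host="$1"; name="$2"; out="$3"; dir="$4"
  cat > "$out" <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca $dir/ca.crt
cert $dir/$name.crt
key $dir/$name.key
tls-auth $dir/ta.key 1
EOF
}

# Print the key-direction argument of the tls-auth line in a config file
# ("0" or "1"), or nothing if the line is absent.
tls_auth_direction() {
  awk '$1 == "tls-auth" { print $3 }' "$1"
}

# Return 0 only when the profile is ready to ship: the placeholder host was
# replaced, each needed directive is present, and the tls-auth key direction
# is the opposite of the server's (server 0 pairs with client 1).
check_client_ovpn() {
  ovpn="$1"; server_conf="$2"
  if grep -q '<server_host_goes_here>' "$ovpn"; then
    echo "placeholder server host still present" >&2
    return 1
  fi
  for d in client remote ca cert key tls-auth; do
    grep -qE "^$d"'( |$)' "$ovpn" || { echo "missing directive: $d" >&2; return 1; }
  done
  sdir=$(tls_auth_direction "$server_conf")
  cdir=$(tls_auth_direction "$ovpn")
  case "$sdir$cdir" in
    01|10) return 0 ;;
    *) echo "tls-auth direction mismatch: server '$sdir' client '$cdir'" >&2
       return 1 ;;
  esac
}

# Usage: sh client-profile.sh demo   (builds and checks a throwaway profile)
case "${1:-}" in
  demo)
    s=$(mktemp); c=$(mktemp)
    printf 'tls-auth ta.key 0\n' > "$s"
    make_client_ovpn vpn.example.com work-computer "$c" /etc/openvpn/client
    check_client_ovpn "$c" "$s" && cat "$c"
    rm -f "$s" "$c"
    ;;
esac
```

A direction mismatch (both sides 0, or both 1) is a common cause of "TLS handshake failed" with tls-auth enabled, and the check above rejects the profile before it reaches the device. On Windows the directory argument would be a backslash path such as C:\\path\\to, as in the template.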
Thanks for writing this awesome article. I’m a long time reader but I’ve never been compelled to leave a comment.
I subscribed to your blog and shared this on my Twitter.
Thanks again for a great article!
Thanks for your information! It's useful for my major.