Installing and configuring OpenVPN on a server running CentOS 7

This guide describes how to install and configure OpenVPN on a virtual server running CentOS 7.

OpenVPN is an open-source product for creating virtual private networks and connecting to them over the public Internet.

Before you begin, install the Extra Packages for Enterprise Linux (EPEL) repository. This is necessary because OpenVPN is not available in the default CentOS repositories. EPEL is maintained by the Fedora Project community and contains popular packages that are not part of standard CentOS.

yum install epel-release -y

Installing the Open VPN package

First, install OpenVPN and wget. wget will be used to download Easy-RSA, the tool that creates the certificates and key pairs securing the VPN connections:

yum install -y openvpn wget
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
tar xfz /tmp/easyrsa -C /tmp
mkdir -p /etc/openvpn/easy-rsa
cp -rf /tmp/easy-rsa-old-2.3.3/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Service Setup

The OpenVPN documentation directory contains sample configuration files. Copy server.conf; we will base our own configuration on it:

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Now open it for editing:

vi /etc/openvpn/server.conf

A few changes are needed here. When we later generate keys with Easy-RSA, their size will be 2048-bit by default, so the settings file must refer to the matching Diffie-Hellman parameter file. Change the name of the dh file to dh2048.pem:

dh dh2048.pem

Then uncomment (remove the leading ";") the line push "redirect-gateway def1 bypass-dhcp", which tells the client to route all of its traffic through OpenVPN.

Then specify DNS servers, since clients whose traffic is redirected will no longer be able to reach their ISP's resolvers. The simplest choice is Google's public DNS servers 8.8.8.8 and 8.8.4.4.

To do this, uncomment the lines that begin with push "dhcp-option DNS" and enter the addresses of Google's DNS servers:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

We want OpenVPN to drop its privileges after start-up, so it should run as the nobody user and nobody group. Uncomment the corresponding lines:

user nobody
group nobody

Next, uncomment the topology subnet line. This, along with the server 10.8.0.0 255.255.255.0 line below it, configures your OpenVPN installation to function as a subnetwork and tells the client machine which IP address it should use. In this case, the server will become 10.8.0.1 and the first client will become 10.8.0.2:

topology subnet

Then you need to save the file and exit it.
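The edits above can also be applied and verified from a script; the following is an added example, not part of the original guide, and assumes server.conf was copied from the sample-config-files directory as described (when run without a path it exercises a constructed miniature of that file instead):

```shell
#!/bin/sh
# Added example (not from the guide): apply the server.conf edits with sed,
# then verify the result before starting the service.
# Rewrite the dh line, drop any existing dhcp-option DNS pushes (commented or
# not), and uncomment redirect-gateway, user/group nobody and topology subnet.
configure_server_conf() {
  sed -i \
    -e 's/^dh .*/dh dh2048.pem/' \
    -e 's/^;\(push "redirect-gateway def1 bypass-dhcp"\)/\1/' \
    -e '/^;\{0,1\}push "dhcp-option DNS /d' \
    -e 's/^;\(user nobody\|group nobody\|topology subnet\)/\1/' \
    "$1"
  # Append the Google DNS pushes; rerunning the script does not duplicate them.
  printf 'push "dhcp-option DNS 8.8.8.8"\npush "dhcp-option DNS 8.8.4.4"\n' >> "$1"
}

# Return 0 if every directive the guide requires is present and uncommented,
# otherwise name the first missing one on stderr and return 1.
check_server_conf() {
  for want in 'dh dh2048.pem' 'push "redirect-gateway def1 bypass-dhcp"' \
      'push "dhcp-option DNS 8.8.8.8"' 'push "dhcp-option DNS 8.8.4.4"' \
      'user nobody' 'group nobody' 'topology subnet'; do
    grep -qxF "$want" "$1" || { echo "missing in $1: $want" >&2; return 1; }
  done
}

# Constructed miniature of the sample server.conf (only the lines the guide
# touches, not the real file), used for a dry run when no path is given.
make_sample_conf() {
  cat > "$1" <<'EOF'
dh dh1024.pem
;topology subnet
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nobody
EOF
}

# Usage: sh configure_server_conf.sh /etc/openvpn/server.conf
if [ "$#" -eq 1 ]; then
  configure_server_conf "$1" && check_server_conf "$1"
else
  tmp=$(mktemp); make_sample_conf "$tmp"
  configure_server_conf "$tmp" && check_server_conf "$tmp" && cat "$tmp"
  rm -f "$tmp"
fi
```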

Creating Keys and Certificates

After you finish working with the configuration file, you need to create keys and certificates. The Easy RSA package includes scripts with which you can do this.

Create a directory in which the keys will be stored:

mkdir -p /etc/openvpn/easy-rsa/keys

To avoid entering the same values every time a key is generated, the generation scripts read their defaults from the vars file, so edit it:

vi /etc/openvpn/easy-rsa/vars

We will change the lines that start with KEY_. They should contain your organization's details. The most important parameters:

KEY_NAME: must be set to server; otherwise you will have to adjust the configuration files that mention server.key and server.crt.

KEY_CN: the domain or subdomain that points to your server.

In the remaining fields you can enter information about the company:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Frimont"
export KEY_ORG="NeoServer"
export KEY_EMAIL="support@neoserver.site"
export KEY_CN="openvpn.example.com"
export KEY_NAME="server"
export KEY_OU="Community"

Easy-RSA chooses its OpenSSL configuration file based on the detected OpenSSL version; if that detection fails, key generation aborts because the configuration cannot be loaded. To avoid this, copy the required configuration file to a name without the version number, which Easy-RSA uses as a fallback:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Now create the keys and certificates. Change to the easy-rsa directory and source the vars file to load the new variables:

cd /etc/openvpn/easy-rsa
source ./vars

Then delete any previous keys and certificates that may be left in the keys directory:

./clean-all

Create the certificate authority (CA) that will sign the server and client certificates:

./build-ca

The system will ask a few questions, but since we have already entered the necessary data into the configuration file, you can simply press Enter instead of an answer.

Now generate the server key and certificate. Again, you can simply press Enter in response to the prompts. To save the data, at the end of the procedure, press Y (yes):

./build-key-server server

You also need to generate a Diffie-Hellman exchange file. The process may take several minutes:

./build-dh

Generate an additional key, ta.key. It is the shared secret for the tls-auth directive in the sample server.conf, which adds an HMAC signature to the TLS handshake packets; every client will also need a copy of it:

openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Now copy the created certificates and keys to the OpenVPN directory:

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key ta.key /etc/openvpn

Every client will also need its own key and a certificate signed by this CA. It is better to create a separate key for each user and give the keys descriptive names. Here we consider a single client, so we simply call it client:

cd /etc/openvpn/easy-rsa
./build-key client

Routing

To keep the configuration simple, we will use the classic iptables firewall rather than the newer firewalld.

First, make sure the iptables service is installed and enabled, and that firewalld is stopped and masked so the two do not conflict:

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush

Note: the names of the available network interfaces can be listed with the following command (ifconfig is provided by the net-tools package, which is not installed on minimal systems):

ifconfig -a

Then add an iptables NAT rule that masquerades traffic arriving from the OpenVPN subnet so that it leaves through the server's external interface (replace ens32 with the name of your interface), and save the rule set:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens32 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Note that iptables --flush above also removed the restrictive INPUT and FORWARD rules shipped with iptables-services, so the saved rule set accepts all traffic. If you later restore a restrictive policy, it must allow incoming UDP on port 1194 and forwarding between 10.8.0.0/24 and the external interface.

Enable IP forwarding in sysctl by editing the sysctl.conf file:

vi /etc/sysctl.conf

At the very top, add the following line:

net.ipv4.ip_forward = 1

Restart the network service to apply the changes:

systemctl restart network.service

Launching OpenVPN

Now everything is ready to launch OpenVPN. Enable the service in systemd so it starts at boot:

systemctl -f enable openvpn@server.service

Run OpenVPN:

systemctl start openvpn@server.service

Check the status; you should see active (running) in the output:

systemctl status openvpn@server.service

This completes the server-side configuration. Next, set up the connection on the client.

Client Setup

Whatever operating system the client device runs, connecting to the server requires the keys and certificates generated on the server.

The necessary files for our client "client" are in the easy-rsa/keys directory, together with the shared tls-auth key that the sample server.conf expects every client to present:

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/easy-rsa/keys/ta.key

Copy these files to the client device over SFTP or another protected channel (client.key is the client's private key). You can even open them in a text editor and paste the contents into new files created directly on the user's computer (the important thing is to keep the same file names).

Now create a file named client.ovpn, the configuration file for the OpenVPN client. It contains the settings for connecting to the server. Below are the contents of this file; replace the client name (in our case client), the server IP address and the paths to the certificate and key files with your own values:

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
tls-auth /path/to/ta.key 1

Now this file can be used to connect to the server.
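Instead of shipping four files plus hand-edited paths, the certificate and key material can be embedded in the profile itself. The script below is an added example, not part of the original guide; it assumes a server IP, a client name as given to ./build-key, and the keys directory as arguments, and it adds one directive beyond the guide's config, remote-cert-tls server, so the client only accepts a server certificate issued with build-key-server rather than any certificate from the same CA.

```shell
#!/bin/sh
# Added example (not from the guide): build a single-file client.ovpn that
# embeds ca.crt, <client>.crt, <client>.key and ta.key, so the client needs
# one file and no /path/to/ edits. remote-cert-tls server makes the client
# check the server certificate's server role (a client certificate signed
# by the same CA cannot pose as the server).
# Assumed inputs: server IP, client name (as given to ./build-key), keys dir.

make_client_profile() {
  server_ip="$1"; name="$2"; keys="$3"
  # Refuse to emit a half-finished profile if any material is missing.
  for f in ca.crt "$name.crt" "$name.key" ta.key; do
    [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
key-direction 1
<ca>
$(cat "$keys/ca.crt")
</ca>
<cert>
$(cat "$keys/$name.crt")
</cert>
<key>
$(cat "$keys/$name.key")
</key>
<tls-auth>
$(cat "$keys/ta.key")
</tls-auth>
EOF
}

# Usage: sh make_client_profile.sh 203.0.113.10 client /etc/openvpn/easy-rsa/keys > client.ovpn
# The output contains the private key, so chmod 600 it before copying it over SFTP.
if [ "$#" -eq 3 ]; then
  make_client_profile "$@"
fi
```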

Connecting from a Windows computer:

Download the official OpenVPN Community Edition installer, which includes a graphical management interface.

Move the .ovpn file to the C:\Program Files\OpenVPN\config directory, then click Connect in the OpenVPN graphical interface.

macOS:

You can use the open-source tool Tunnelblick. Move the .ovpn file to the ~/Library/Application Support/Tunnelblick/Configurations directory, or simply double-click the file.

Linux:

On Linux, install OpenVPN from your distribution's official repositories. Then run it with the command:

openvpn --config ~/path/to/client.ovpn

That's all. Now we have a fully functional virtual private network with our own OpenVPN server on CentOS 7.

After the client connects, check that traffic is actually being tunneled through the VPN. Any service that shows your public IP address (for example, searching for it in Google) should now display the VPN server's address rather than the client's.