Installing and configuring OpenVPN on a server running CentOS 7
This guide will describe the process of installing and configuring the Open VPN tool on a virtual server running CentOS 7.
Open VPN is an open source software product for creating virtual private networks and connecting to them via open Internet channels.
Before you begin, you need to install additional packages from the Enterprise Linux repository (EPEL). This is necessary because Open VPN is not available on CentOS by default. The EPEL repository is managed by the Fedora Project community and contains non-standard for CentOS, but popular application packages.
yum install epel-release -y
Installing the Open VPN package
First of all, you need to install Open VPN and wget, which we will use to install the Easy RSA tool - it will be used to create pairs of SSL keys that will ensure the security of VPN connections:
yum install -y openvpn wget wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz tar xfz /tmp/easyrsa mkdir /etc/openvpn/easy-rsa cp -rf easy-rsa-old-2.3.3/easy-rsa/2.0/* /etc/openvpn/easy-rsa
The Open VPN documentation directory contains files with program test configurations. Copy the file server.conf - basing on it we will create our own configuration.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Now open it for editing:
Here you will need to make a few changes. When in the future we will generate keys in the Easy RSA program, their size will be 2048 bytes by default, so you need to make sure that the corresponding value is specified in the settings file. You need to change the name of the dh file to dh2048.pem:
Then you need to uncomment (remove the “;” character) the push line "redirect-gateway def1 bypass-dhcp", which informs the client about the need to redirect traffic through Open VPN.
Then you need to specify the DNS servers, since client applications will not be able to use the ISP’s servers. The most logical solution is to use Google’s public DNS servers 126.96.36.199 and 188.8.131.52.
To do this, uncomment the lines that begin with push "dhcp-option DNS" and enter the addresses of Google's DNS servers:
push "dhcp-option DNS 184.108.40.206" push "dhcp-option DNS 220.127.116.11"
We need Open VPN to start without privileges, so we need to specify that it runs on behalf of the user and the nobody group. To do this, uncomment the appropriate lines:
user nobody group nobody
Next, uncomment the topology subnet line. This, along with the server 10.8.0.0 255.255.255.0 line below it, configures your OpenVPN installation to function as a subnetwork and tells the client machine which IP address it should use. In this case, the server will become 10.8.0.1 and the first client will become 10.8.0.2:
Then you need to save the file and exit it.
Creating Keys and Certificates
After you finish working with the configuration file, you need to create keys and certificates. The Easy RSA package includes scripts with which you can do this.
Create a directory in which the keys will be stored:
mkdir -p /etc/openvpn/easy-rsa/keys
In order to optimize further work with Open VPN, it is possible to slightly modify generation scripts in order not to enter the same values each time. The necessary information is stored in the vars file, so we edit it:
We will change the lines that start with KEY_. They should indicate the data of your company. The most important parameters:
• KEY_NAME: You must specify the server value, otherwise you will have to make changes to the configuration files in which server.key and server.crt are mentioned.
• KEY_CN: here you need to write a domain or a sub domain that points to your server.
In the remaining fields you can enter information about the company:
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="Frimont" export KEY_ORG="NeoServer" export KEY_EMAIL="firstname.lastname@example.org" export KEY_EMAILemail@example.com export KEY_CN=openvpn.example.com export KEY_NAME="server" export KEY_OU="Community"
You should also prevent the possibility of failure to load the SSL configuration due to the inability to determine the version of the program. To do this, copy the necessary configuration file and remove the version number from the name:
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Now create keys and certificates. To do this, go to the easy-rsa directory and run the source command for new variables:
cd /etc/openvpn/easy-rsa source ./vars
Then you need to delete all previous versions of keys and certificates that may be contained in this directory:
Specify information about the organization that issued the certificate:
The system will ask a few questions, but since we have already entered the necessary data into the configuration file, you can simply press Enter instead of an answer.
Now you need to generate a key and server certificate. And again, you can simply press Enter in response to questions from the system. To save the data, at the end of the procedure, you should press Y (yes):
You also need to generate a Diffie-Hellman exchange file. The process may take several minutes:
Generate an additional key ta.key.
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
Now copy the created certificates and keys to the OpenVPN directory:
cd /etc/openvpn/easy-rsa/keys cp dh2048.pem ca.crt server.crt server.key ta.key /etc/openvpn
All client applications for establishing communication will also need these keys and certificates. It is better to create separate keys for each user application and give the keys descriptive names. Now we are considering the situation with one client, so let's call it simply client:
cd /etc/openvpn/easy-rsa ./build-key client
To simplify the configuration, let's carry out all the manipulations using the standard iptables firewall, rather than the new firewallcd tool.
First you need to make sure that the iptables service is installed and enabled.
yum install iptables-services -y systemctl mask firewalld systemctl enable iptables systemctl stop firewalld systemctl start iptables iptables --flush
Note: the names of the available interfaces can be viewed using the command:
Then you should add to iptables a rule according to which the connections will be sent to the Open VPN subnet created,
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens32 -j MASQUERADE iptables-save > /etc/sysconfig/iptables
Enable IP forwarding in sysctl by editing the sysctl.conf file for editing:
At the very top, add the following line:
net.ipv4.ip_forward = 1
Restart the network service to apply the changes:
systemctl restart network.service
Launch Open VPN:
Now everything is ready to launch Open VPN. Add this service to the systemctl:
systemctl -f enable firstname.lastname@example.org
systemctl start email@example.com
You should see active (running) in the output:
systemctl status firstname.lastname@example.org
This completes the server-side configuration. Set up the connection from the client.
Regardless of what operating system is installed on the client device, to connect to the server, you still need keys and certificates generated on the server.
The necessary certificates (in our case for the client "client") are stored in the easy-rsa / directory:
/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/client.crt /etc/openvpn/easy-rsa/keys/client.key
You can download these files to a client device using SFTP or other means. You can even simply open them in a text editor and copy the contents into new files created directly on the user's computer (the main thing is to save under identical names).
Now we will create a file under client.ovpn - the configuration file for the Open VPN client. It contains settings for connecting to the server. Below are the contents of this file, in which you need to replace the client name (in our case client), specify the correct server ip-address and the correct path to the certificate and key files:
client dev tun proto udp remote your_server_ip 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 ca /path/to/ca.crt cert /path/to/client.crt key /path/to/client.key
Now this file can be used to connect to the server.
Connecting from a Windows computer:
Download the official version of the binary files OpenVPN Community Edition with a graphical management interface.
Move the .ovpn file to the C: \ Program Files \ OpenVPN \ config directory, then click Connect in the Open VPN graphic interface.
To connect you can use the open-source tool Tunnelblick. Move the .ovpn file to the ~ / Library / Application Support / Tunnelblick / Configurations directory or simply click on this file.
On Linux, you need to install Open VPN from the official repositories of a specific distribution. Then run it with the command:
openvpn --config ~/path/to/client.ovpn
That's all. Now we have a fully functional private virtual network with our own Open VPN server on CentOS 7 VPN.
After successful connection of the client, it is necessary to check whether the traffic is being tunneled through the VPN. This can be done using any service that shows your public IP address (for example, Google) - it should display the address of the VPN server.