Install and Configure OpenVPN Client on Rocky Linux 8

By
gen_too
-
0
596

In order to connect to an OpenVPN server to allow you access your intranet local resources, you simply would need an OpenVPN client. In this guide, we are going to learn how to install and configure OpenVPN Client on Rocky Linux 8. Note that the OpenVPN software can be configured to either work as the server or the client.

Install and Set Up OpenConnect Serv...
Install and Set Up OpenConnect Server on CentOS 7 for Cisco AnyConnect Client

Learn how to install and configure OpenVPN Server on Rocky Linux 8 by following the link below;

Setup OpenVPN Server on Rocky Linux 8

Install and Configure OpenVPN Client on Rocky Linux 8

Install OpenVPN Client on Rocky Linux 8

Install OpenVPN client on Rocky Linux 8 by running the commands below;

dnf epel-release -y
dnf info openvpn
Available Packages
Name         : openvpn
Version      : 2.4.11
Release      : 1.el8
Architecture : x86_64
Size         : 543 k
Source       : openvpn-2.4.11-1.el8.src.rpm
Repository   : epel
Summary      : A full-featured SSL VPN solution
URL          : https://community.openvpn.net/
License      : GPLv2
Description  : OpenVPN is a robust and highly flexible tunneling application that uses all
             : of the encryption, authentication, and certification features of the
             : OpenSSL library to securely tunnel IP networks over a single UDP or TCP
             : port.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
             : for compression

You can then install OpenVPN client by executing the command;

dnf install openvpn

Configure OpenVPN Client on Rocky Linux 8

To be able to connect to OpenVPN server, you need to create the client’s configuration containing the CA certificate, the client server certificate and the key.

If you followed our guide on setting up OpenVPN server on Rocky Linux 8, we described how to generate the clients certificate files and keys.

Once you have generated the keys, copy them to the client and take a note of the path where they are stored.

You also need to copy the HMAC key and the CA cert to the client.

You can then create the OpenVPN client configuration.

For example, to create an OpenVPN configuration file for the client, gentoo, whose certificates and keys are, gentoo.crt and gentoo.key;

vim gentoo.ovpn
client
tls-client
pull
dev tun
proto udp4
remote 192.168.60.19 1194
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
comp-lzo
verb 3
auth SHA512
tls-auth ta.key 1
ca ca.crt
cert gentoo.crt
key gentoo.key

Note that in this setup, the client certificate, the key, the CA certificate and the HMAC key are located on the same path as the OpenVPN client configuration itself, gentoo.ovpn.

ls -1 .
ca.crt
gentoo.crt
gentoo.key
gentoo.ovpn
ta.key

In order to avoid the issues with the paths to the certificates and the keys, you can put them inline on the configuration file;

client
tls-client
pull
dev tun
proto udp4
remote 192.168.60.19 1194
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
comp-lzo
verb 3
auth SHA512
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
feb1af5407baa247d4e772c76aed6c75
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
MIIDTjCCAjagAwIBAgIUX0VQrHTgLDabUUIOAf7tD9cGp4YwDQYJKoZIhvcNAQEL
...
WA9BBk2shVWfR849Lmkep+GPyqHpU47dZAz37ARB2Gfu3w==
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
...
/7FvJaeLqmUHnvSs5eBlRZSgtOL19SCFkG0HXdnw3LtBaoHQXxgzOkDPW1+5
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+DI7kg6MsRoCs
...
6WdLcNtWKAcU294xJEZoOA8/
-----END PRIVATE KEY-----
</key>

Do the same on all the client servers for every user that needs to connect to the vpn.

If you noticed, the lines below are commented to avoid the error, ERROR: Linux route add command failed: external program exited with error status: 2 by flushing created routes before adding them again on reconnection.

#user nobody
#group nogroup

The OpenVPN client configuration file is now ready.

Connecting to OpenVPN Server on Rocky Linux 8

You can then connect to OpenVPN server on demand or configure your server to establish VPN configuration file whenever the system reboots.

Connect to OpenVPN on Command Line using openvpn command

To connect on demand, simple use the openvpn command as;

sudo openvpn client-config.ovpn

or

sudo openvpn --config client-config.ovpn

Where client-config is the client’s openvpn configuration file, like gentoo.ovpn file above.

If the connection to the OpenVPN server is successful, you should see an Initialization Sequence Completed.

Wed Jun 30 15:27:16 2021 OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
Wed Jun 30 15:27:16 2021 library versions: OpenSSL 1.1.1g FIPS  21 Apr 2020, LZO 2.08
Wed Jun 30 15:27:16 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jun 30 15:27:16 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jun 30 15:27:16 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.60.19:1194
Wed Jun 30 15:27:16 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 30 15:27:16 2021 UDPv4 link local: (not bound)
Wed Jun 30 15:27:16 2021 UDPv4 link remote: [AF_INET]192.168.60.19:1194
Wed Jun 30 15:27:16 2021 TLS: Initial packet from [AF_INET]192.168.60.19:1194, sid=7ec70642 fdcdad40
Wed Jun 30 15:27:16 2021 VERIFY OK: depth=1, CN=Kifarunix-demo CA
Wed Jun 30 15:27:16 2021 VERIFY KU OK
Wed Jun 30 15:27:16 2021 Validating certificate extended key usage
Wed Jun 30 15:27:16 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun 30 15:27:16 2021 VERIFY EKU OK
Wed Jun 30 15:27:16 2021 VERIFY OK: depth=0, CN=server
Wed Jun 30 15:27:16 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1586', remote='link-mtu 1602'
Wed Jun 30 15:27:16 2021 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Wed Jun 30 15:27:16 2021 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Wed Jun 30 15:27:16 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Jun 30 15:27:16 2021 [server] Peer Connection Initiated with [AF_INET]192.168.60.19:1194
Wed Jun 30 15:27:17 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jun 30 15:27:17 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.10.3,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: route options modified
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: route-related options modified
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: peer-id set
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 30 15:27:17 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 30 15:27:17 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 30 15:27:17 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 30 15:27:17 2021 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73
Wed Jun 30 15:27:17 2021 TUN/TAP device tun0 opened
Wed Jun 30 15:27:17 2021 TUN/TAP TX queue length set to 100
Wed Jun 30 15:27:17 2021 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun 30 15:27:17 2021 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Wed Jun 30 15:27:17 2021 /sbin/ip route add 192.168.60.19/32 via 10.0.2.2
Wed Jun 30 15:27:17 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Wed Jun 30 15:27:17 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Wed Jun 30 15:27:17 2021 Initialization Sequence Completed

To check the IP addresses;

ip add show tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::697:ce38:b852:540c/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Test connectivity to the VPN server;

ping 10.8.0.1 -c 3
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=2.71 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=2.42 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=1.95 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 46ms
rtt min/avg/max/mdev = 1.952/2.362/2.713/0.316 ms

You should also be able to get internet access depending on your server routes setup.

Running OpenVPN Client as Service

In order to establish connections automatically whenever the server reboots, you can enable OpenVPN client systemd service.

Before you can do this, change the extension of your VPN config file from .ovpn to .conf. Replace the file names accordingly.

cp gentoo.{ovpn,conf}

Copy the .conf file to OpenVPN client configurations directory, /etc/openvpn/client.

mv gentoo.conf /etc/openvpn/client

Next, disable SELinux (I dont recommend this though, -:));

setenforce 0 && sed -i 's/=enforcing/=permissive/' /etc/selinux/config

Start OpenVPN client systemd service. Replace the name gentoo with the name of your .conf configuration file.

systemctl start [email protected]

To check the status;

systemctl status [email protected]
[email protected] - OpenVPN tunnel for gentoo
   Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-06-30 15:48:47 EDT; 12s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 39782 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 11272)
   Memory: 1.6M
   CGroup: /system.slice/system-openvpn\x2dclient.slice/[email protected]
           └─39782 /usr/sbin/openvpn --suppress-timestamps --nobind --config gentoo.conf

Jun 30 15:48:48 localhost.localdomain openvpn[39782]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN/TAP device tun0 opened
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN/TAP TX queue length set to 100
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip link set dev tun0 up mtu 1500
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 192.168.60.19/32 via 10.0.2.2
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: Initialization Sequence Completed

To enable it to run on system boot;

systemctl enable [email protected]

You have successfully installed and setup OpenVPN client Rocky Linux 8.

That brings us to the end of our tutorial on how to install and configure OpenVPN Client on Rocky Linux 8.

Other tutorials

Assign Static IP Addresses for OpenVPN Clients

Configure OpenVPN LDAP Based Authentication

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here