Install and Setup OpenVPN Server on Fedora 29/CentOS 7


In this guide, we are going to learn how to Install and Setup OpenVPN Server on Fedora 29/CentOS 7.
OpenVPN is an open-source VPN software that lets us create an SSL/TLS-based VPN tunnel. Imagine you would like to reach your corporate intranet from a remote location: with a VPN server set up, this is possible. A Virtual Private Network (VPN) provides a secure tunnel that extends a private network across a public network, i.e. it builds a Wide Area Network (WAN) out of existing Local Area Networks (LANs). As a result, users can securely send data across public networks as if they were directly connected to their LAN.

You can learn more about OpenVPN here.

Install and Setup OpenVPN Server on Fedora 29/28/CentOS 7

Without much theory, let’s have a look at a step by step procedure on how to install and set up OpenVPN Server on Fedora 29/28/CentOS 7.

Update your server.

dnf update    # Fedora
yum update    # Fedora/CentOS

Install OpenVPN and Easy-RSA on Fedora 29/28

OpenVPN provides a robust and highly flexible VPN daemon, while the Easy-RSA package is used to generate the CA and the key pairs and certificates that secure VPN connections. Both OpenVPN and Easy-RSA packages are available in the default Fedora repos. Run the command below to install them.

dnf install openvpn easy-rsa

Install OpenVPN and Easy-RSA on CentOS 7

OpenVPN isn’t available in the default CentOS repositories, but it is available in EPEL, hence you need to add the EPEL repo before you can install OpenVPN.

To add Extra Packages for Enterprise Linux (EPEL), run either of the following commands;

yum install epel-release

or

wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm

Install OpenVPN and Easy-RSA

yum install openvpn easy-rsa

Build the Local CA and generate Server Keys and Certificate file

Create a directory to store Server keys and Certificate files.

mkdir /etc/openvpn/easy-rsa

Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.

cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa

Navigate to the /etc/openvpn/easy-rsa directory and initialise a new PKI.

cd /etc/openvpn/easy-rsa
./easyrsa init-pki

Build the CA certificate. This prompts for a pass phrase that encrypts the CA private key (you will need it every time you sign a certificate) and for the common name of the CA.

./easyrsa build-ca
...
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.EajtR0SkLM'
Enter PEM pass phrase: PASSWORD
Verifying - Enter PEM pass phrase: PASSWORD
-----
...
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

As stated, the CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.

Generate the Diffie-Hellman parameters file used during the TLS handshake with connecting clients.

./easyrsa gen-dh

This generates the DH parameters and stores them as /etc/openvpn/easy-rsa/pki/dh.pem.

Generate a key and certificate file for the server.

./easyrsa build-server-full server nopass

Generate a key and certificate file for the client.

./easyrsa build-client-full client nopass

In case you need to invalidate a previously signed certificate, generate a certificate revocation list (CRL). Note that gen-crl only lists certificates that have already been revoked with the easyrsa revoke subcommand, and the server only consults the CRL if server.conf points to it with the crl-verify directive.

./easyrsa gen-crl

This stores the CRL under /etc/openvpn/easy-rsa/pki/crl.pem.

Generate TLS/SSL pre-shared authentication key

openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key

Copy generated Certificates/Keys to server configuration directory.

cp -rp /etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /etc/openvpn/server/
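After the copy it is worth confirming that every file the server configuration will reference is in place and that the secrets are not world-readable. The script below is an added example, not part of the original tutorial: it checks the directory layout the steps above produce (ca.crt, dh.pem, ta.key, issued/server.crt, private/server.key), verifies that ta.key and the server private key are readable only by their owner, and, if openssl is installed, verifies that the server certificate chains to the local CA. The directory is a parameter so the checks can be run against a test copy as well as /etc/openvpn/server.

```shell
#!/bin/sh
# Post-copy sanity check of the OpenVPN server key material.
# Added example; assumes the file layout produced by the tutorial.

# Return 0 if the file exists and is not group- or world-readable.
is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # stat -c is GNU/busybox stat, available on Fedora and CentOS.
    perms=$(stat -c '%a' "$f") || return 1
    case "$perms" in
        *00) return 0 ;;   # e.g. 600, 400, 700
        *)   return 1 ;;
    esac
}

# Check presence of all referenced files and permissions of the secrets.
# Prints one line per problem; returns 1 if anything is wrong.
check_pki_dir() {
    dir="$1"
    rc=0
    for f in ca.crt dh.pem ta.key issued/server.crt private/server.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            rc=1
        fi
    done
    # ta.key is a shared secret and server.key is the private key:
    # neither may be readable by other local users.
    for f in ta.key private/server.key; do
        if [ -f "$dir/$f" ] && ! is_private "$dir/$f"; then
            echo "WEAK PERMISSIONS: $dir/$f is readable by group/other"
            rc=1
        fi
    done
    return $rc
}

# Verify that issued/server.crt was signed by ca.crt. Needs openssl;
# when the tool is absent the check is skipped (returns 0) so the file
# checks above still apply.
verify_chain() {
    dir="$1"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, chain check skipped"
        return 0
    fi
    openssl verify -CAfile "$dir/ca.crt" "$dir/issued/server.crt"
}

# Usage on the real install (run as root so private/ is readable):
#   check_pki_dir /etc/openvpn/server && verify_chain /etc/openvpn/server
```

If the permission check fails on private/server.key, tighten it with chmod 600 before starting the service; the daemon reads the key as root at startup, so nothing else needs access.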

Configure OpenVPN Server

OpenVPN ships a sample configuration file in its documentation directory, so rather than writing one from scratch we copy the sample /usr/share/doc/openvpn{-2.4.6,}/sample/sample-config-files/server.conf file to /etc/openvpn/server/ and modify it.

On Fedora

cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/

On CentOS 7

cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/server/

Edit the server.conf file as follows;

vim /etc/openvpn/server/server.conf

Modify the file such that it looks like the below;

# Which TCP/UDP port should OpenVPN listen on?
# Change to match your port and open it in the firewall
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel
dev tun

# Change path for certificates
ca ca.crt
cert issued/server.crt
key private/server.key

# Diffie-Hellman parameters file
dh dh.pem

# Network topology
topology subnet

# VPN subnet. With the setting below the server takes 172.16.0.1 for itself
# and the rest of the range is made available to clients.
server 172.16.0.0 255.255.255.0

# this directive will configure all clients to redirect their default
# network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"

# DNS servers
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# For compression compatible with older clients use comp-lzo.
comp-lzo

# Run VPN with limited privileges
user nobody
group nobody

# Status log file
status /var/log/openvpn/openvpn-status.log

# TLS/SSL pre-shared authentication key
tls-auth ta.key 0

# Log file; the /var/log/openvpn directory is created in the next step
log-append /var/log/openvpn/openvpn.log

# Append this line to change the authentication algorithm (HMAC) from SHA1 to SHA512
auth SHA512

Create the log directory;

mkdir /var/log/openvpn/

Save the configuration file.
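Before moving on, it is useful to audit the saved file against the hardening points this configuration touches. The script below is an added example, not code from the original tutorial or from the OpenVPN project: it reads a server.conf, checks the auth HMAC, the control-channel protection (tls-auth or tls-crypt), privilege dropping with its persist-key/persist-tun companions, compression, and whether a CRL is wired in with crl-verify, and returns the number of findings. The directive names are real OpenVPN 2.4 directives; the policy applied is my own, and write_demo_conf writes a constructed copy of the tutorial's configuration for testing.

```shell
#!/bin/sh
# Audit an OpenVPN server.conf for common hardening gaps.
# Added example; policy is mine, directive names are OpenVPN's.

# Print the first argument of a directive (comment lines never match).
conf_get() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 if the directive appears at all (for argument-less directives).
conf_has() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# Prints one line per finding; return value is the number of findings.
audit_server_conf() {
    conf="$1"
    findings=0

    # Data-channel HMAC: the default SHA1 is weak; the tutorial sets SHA512.
    auth=$(conf_get "$conf" auth)
    case "$auth" in
        SHA256|SHA384|SHA512) ;;
        *) echo "auth: expected SHA256/384/512, got '${auth:-default SHA1}'"
           findings=$((findings + 1)) ;;
    esac

    # Control channel must be protected by tls-auth (tutorial) or tls-crypt.
    if [ -z "$(conf_get "$conf" tls-auth)" ] && [ -z "$(conf_get "$conf" tls-crypt)" ]; then
        echo "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
        findings=$((findings + 1))
    fi

    # The daemon should drop privileges after startup.
    if [ "$(conf_get "$conf" user)" != "nobody" ]; then
        echo "user: daemon does not drop to nobody"
        findings=$((findings + 1))
    fi

    # Once unprivileged, keys and the tun device cannot be reopened on a
    # restart (SIGUSR1) unless persist-key/persist-tun are set.
    for k in persist-key persist-tun; do
        if ! conf_has "$conf" "$k"; then
            echo "$k missing (needed when running as nobody)"
            findings=$((findings + 1))
        fi
    done

    # Compression inside the tunnel enables compression-oracle attacks
    # (VORACLE); the tutorial keeps it for old clients, so flag as advisory.
    if conf_has "$conf" comp-lzo || conf_has "$conf" compress; then
        echo "advisory: compression enabled (comp-lzo/compress)"
        findings=$((findings + 1))
    fi

    # The CRL from gen-crl is only enforced if crl-verify references it.
    if [ -z "$(conf_get "$conf" crl-verify)" ]; then
        echo "crl-verify not set: revoked client certificates are still accepted"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed copy of the tutorial's configuration, written to a temp file.
write_demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key
dh dh.pem
topology subnet
server 172.16.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
comp-lzo
user nobody
group nobody
tls-auth ta.key 0
auth SHA512
EOF
    echo "$f"
}

# Usage on the real install:
#   audit_server_conf /etc/openvpn/server/server.conf
```

Run against the configuration from this tutorial the audit reports four findings: the two persist directives, the advisory on comp-lzo, and the missing crl-verify. The first two come straight from the sample file OpenVPN ships and are worth keeping when you trim it; the CRL line only matters once you start revoking clients.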

Configure Routing

6 COMMENTS

  1. Hi, this tutorial is golden, I almost got to the working VPN server on a fresh Fedora setup. The only thing that was troubling is that the firewall was closed, so a simple “nc -l -p 8080” did not accept anything coming through the VPN. When I moved the tun0 interface to a trusted zone, it just worked.

    firewall-cmd --permanent --zone=trusted --add-interface=tun0

  2. I’m getting this error when I try to copy the client files: cp: cannot stat ‘issued/client.crt’: No such file or directory

    Everything else is running fine. Is there a reason why this file isn’t generated during the client config?
    Is there a way to configure additional clients?
