Install and Setup OpenVPN Server on Fedora 29/CentOS 7


Enable IP forwarding

Enabling IP forwarding lets the server route the client's traffic out through its own IP address, so the client's real address is masked from the destination.

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Run the command below to effect the changes;

sysctl --system

Allow OpenVPN service port through firewall

firewall-cmd --add-port=1194/udp --permanent

Activate IP Masquerading

firewall-cmd --add-masquerade --permanent

Masquerade traffic arriving from the OpenVPN subnet so that it leaves through the interface via which the server sends its packets.

Find the interface through which packets are sent by running the command below;

ip route get 8.8.8.8
8.8.8.8 via 192.168.43.1 dev enp0s8 src 192.168.43.23

The interface name may be different in your case; replace it accordingly.

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 172.16.0.0/24 -o enp0s8 -j MASQUERADE

Reload firewalld for the changes to take effect.

firewall-cmd --reload
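As an added example (not the tutorial's own script), the forwarding and NAT steps above collected into one POSIX shell script: it takes the egress interface from the output of "ip route get" instead of hard-coding it, refuses interface names that could smuggle extra tokens into the firewalld passthrough rule, and only applies anything when invoked as "sh setup-nat.sh apply". It assumes firewalld as on Fedora 29/CentOS 7; writing the sysctl setting to a sysctl.d file rather than appending to /etc/sysctl.conf is my choice, so that re-running it stays idempotent.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: forwarding + NAT for the
# 172.16.0.0/24 tunnel with the egress interface taken from `ip route get`.
# Assumes firewalld (Fedora 29/CentOS 7). The sysctl.d file is my choice so
# re-running does not append duplicate lines to /etc/sysctl.conf.

VPN_SUBNET="172.16.0.0/24"

# Return the "dev" field of one `ip route get` line, e.g.
# "8.8.8.8 via 192.168.43.1 dev enp0s8 src 192.168.43.23" -> enp0s8
egress_dev_from_route() {
    # shellcheck disable=SC2086  # word-split the line into $1 $2 ...
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = dev ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# Accept only plain interface names, so nothing extra can be spliced
# into the firewall-cmd passthrough rule below.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the commands from the tutorial for the given egress interface.
render_commands() {
    valid_ifname "$1" || return 1
    cat <<EOF
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
sysctl --system
firewall-cmd --permanent --add-port=1194/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s $VPN_SUBNET -o $1 -j MASQUERADE
firewall-cmd --reload
EOF
}

# Apply for real only when asked explicitly: sh setup-nat.sh apply
if [ "${1:-}" = apply ]; then
    dev=$(egress_dev_from_route "$(ip route get 8.8.8.8 | head -n 1)")
    render_commands "$dev" | sh -e
fi
```

Run it without arguments to only print the commands it would run for a given interface via render_commands, which is the safe way to review the rule before applying it.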

Start OpenVPN and set it to start on boot.

systemctl start [email protected]
systemctl enable [email protected]

When the OpenVPN service runs, it creates a tunnelling interface, tun0;

ip add show tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.1/24 brd 172.16.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1155:c60c:c009:48c9/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

The VPN server is assigned the IP address 172.16.0.1, while the first client will be assigned 172.16.0.2.

Configure VPN Client

In order for the VPN client to connect to the VPN server, it needs a copy of the CA certificate, the client key, the client certificate and the TLS/SSL authentication key generated above. Copy these files to the target client and place them in a convenient directory.

cd /etc/openvpn/easy-rsa/pki/
scp {ca.crt,issued/client.crt,private/client.key,ta.key} [email protected]:~/

Install OpenVPN client

  • If you are using a Linux/Unix server as a client, install the OpenVPN client using the respective package manager, for example;
    apt install openvpn
    yum install openvpn
  • If you are connecting from a Windows machine, you can simply download the OpenVPN client installer from the OpenVPN downloads page and install it.

Create the OpenVPN configuration file for the client as shown below. As an example, I have copied the certificate and key files to my home directory on the client.

[email protected]:/home/amos# ls
ca.crt client.crt client.key ta.key
vim client.ovpn
client
tls-client
pull
dev tun
proto udp
remote 192.168.43.69 1194
resolv-retry infinite
nobind
dhcp-option DNS 8.8.8.8
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
auth SHA512
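A pre-flight check for the client.ovpn shown above, added here as example code that is not part of the tutorial: it confirms the required directives are present, that every referenced certificate and key file exists next to the profile, that the private key is not readable by group or others, and that the tls-auth key direction is 1 on the client (the server side uses 0). It assumes the profile and its ca.crt, client.crt, client.key and ta.key sit in the same directory, as in the tutorial.

```shell
#!/bin/sh
# Added pre-flight check for the client.ovpn shown above (example code, not
# part of the tutorial). Assumes the profile and the ca.crt, client.crt,
# client.key and ta.key it references sit in the same directory.

# True if the profile contains the directive (first word of a line).
ovpn_has() { awk -v d="$2" '$1 == d { f = 1 } END { exit (f ? 0 : 1) }' "$1"; }

# Print argument N of the first matching directive (empty if absent).
ovpn_arg() { awk -v d="$2" -v n="$3" '$1 == d { print $(n + 1); exit }' "$1"; }

# Check one profile: prints one line per finding, returns 1 on any FAIL.
check_client_profile() {
    prof="$1"; dir=$(dirname "$prof"); rc=0
    for d in client remote ca cert key; do
        ovpn_has "$prof" "$d" || { echo "FAIL: missing '$d' directive"; rc=1; }
    done
    # Every referenced certificate/key file must exist next to the profile.
    for d in ca cert key tls-auth; do
        f=$(ovpn_arg "$prof" "$d" 1)
        [ -z "$f" ] || [ -f "$dir/$f" ] || { echo "FAIL: $d file '$f' not found"; rc=1; }
    done
    # The client's private key must not be readable by group or others.
    k=$(ovpn_arg "$prof" key 1)
    if [ -n "$k" ] && [ -f "$dir/$k" ]; then
        case "$(ls -ld "$dir/$k" | cut -c5-10)" in
            ------) ;;
            *) echo "FAIL: '$k' is group/world readable (chmod 600 it)"; rc=1 ;;
        esac
    fi
    # With tls-auth the client side must use key direction 1 (server uses 0).
    if ovpn_has "$prof" tls-auth; then
        kd=$(ovpn_arg "$prof" key-direction 1)
        [ -n "$kd" ] || kd=$(ovpn_arg "$prof" tls-auth 2)
        [ "$kd" = 1 ] || { echo "FAIL: tls-auth key direction '$kd', expected 1"; rc=1; }
    fi
    # 'auth' must match the server; OpenVPN defaults to SHA1 when it is absent.
    ovpn_has "$prof" auth || echo "WARN: no 'auth' line, HMAC defaults to SHA1"
    # Compression must match the server and is best left off entirely.
    ! ovpn_has "$prof" comp-lzo || echo "WARN: comp-lzo enables compression"
    return $rc
}
```

Run it as "check_client_profile ~/client.ovpn" before the first connection attempt; a non-zero exit means at least one FAIL line was printed.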

To connect to the OpenVPN server from the client, run either of the commands below;

sudo openvpn client.ovpn

or

sudo openvpn --config client.ovpn

If the connection is successful, you should see an "Initialization Sequence Completed" message in the output.

Mon Dec 31 03:54:39 2018 TUN/TAP device tun0 opened
Mon Dec 31 03:54:39 2018 TUN/TAP TX queue length set to 100
Mon Dec 31 03:54:39 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Dec 31 03:54:39 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Dec 31 03:54:39 2018 /sbin/ip addr add dev tun0 172.16.0.2/24 broadcast 172.16.0.255
Mon Dec 31 03:54:39 2018 /sbin/ip route add 192.168.43.69/32 dev enp0s8
Mon Dec 31 03:54:39 2018 /sbin/ip route add 0.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 /sbin/ip route add 128.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 GID set to nogroup
Mon Dec 31 03:54:39 2018 UID set to nobody
Mon Dec 31 03:54:39 2018 Initialization Sequence Completed

If you check the interfaces on the client, you should see the tunnelling interface created.

ip add sh tun0
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.2/24 brd 172.16.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::dc37:c115:60f:6b86/64 scope link flags 800 
       valid_lft forever preferred_lft forever

You have successfully connected to your VPN server.

That is all about how to install and set up an OpenVPN server on Fedora 29/CentOS 7. Your OpenVPN server is fully operational. Enjoy.

6 COMMENTS

  1. Hi, this tutorial is golden, I almost got to the working VPN server on a fresh Fedora setup. The only thing that was troubling is that the firewall was closed, so a simple “nc -l -p 8080” did not accept anything coming through the VPN. When I moved the tun0 interface to a trusted zone, it just worked.

    firewall-cmd --permanent --zone=trusted --add-interface=tun0

  2. I’m getting this error when I try to copy the client files: cp: cannot stat ‘issued/client.crt’: No such file or directory

    Everything else is running fine. Is there a reason why this file isn’t generated during the client config?
    Is there a way to configure additional clients?
