Install and Setup OpenVPN Server on Fedora 29/CentOS 7


In this guide, we are going to learn how to Install and Setup OpenVPN Server on Fedora 29/CentOS 7.
OpenVPN is an open-source VPN software package that lets us create an SSL/TLS-based VPN tunnel. Imagine you would like to connect to your corporate intranet from a remote location. Well, worry not: if you have a VPN server set up, this is possible. A Virtual Private Network (VPN) provides a secure tunnel that extends a private network across a public network, i.e. it helps create a Wide Area Network (WAN) from existing Local Area Networks (LANs). As a result, users can securely send data across public networks as if they were directly connected to their LAN.

You can learn more about OpenVPN here.

Install and Setup OpenVPN Server on Fedora 29/28/CentOS 7

Without much theory, let’s have a look at a step by step procedure on how to install and set up an OpenVPN server on Fedora 29/28/CentOS 7.

Update your server.

dnf update << Fedora
yum update << Fedora/CentOS

Install OpenVPN and Easy-RSA on Fedora 29/28

OpenVPN provides a robust and highly flexible VPN daemon, while the Easy-RSA package is used to generate the SSL key pairs and certificates that secure VPN connections. Both OpenVPN and Easy-RSA packages are available in the default Fedora repos. Run the command below to install them.

dnf install openvpn easy-rsa

Install OpenVPN and Easy-RSA on CentOS 7

OpenVPN isn’t available in the default CentOS repositories but it is available in EPEL hence you need to install EPEL repos before you can install OpenVPN.

To add Extra Packages for Enterprise Linux (EPEL), run either of the following commands;

yum install epel-release

or

wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm

Install OpenVPN and Easy-RSA

yum install openvpn easy-rsa

Build the Local CA and generate Server Keys and Certificate file

Create a directory to store Server keys and Certificate files.

mkdir /etc/openvpn/easy-rsa

Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.

cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa

Navigate to the /etc/openvpn/easy-rsa directory and start a new PKI.

cd /etc/openvpn/easy-rsa
./easyrsa init-pki

Build the CA certificate. This will prompt you for a pass phrase to encrypt the CA private key and for the common name of the CA certificate.

./easyrsa build-ca
...
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.EajtR0SkLM'
Enter PEM pass phrase: PASSWORD
Verifying - Enter PEM pass phrase: PASSWORD
-----
...
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

As stated, the CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.

Generate the Diffie-Hellman parameters file used during the TLS handshake with connecting clients.

./easyrsa gen-dh

This will generate the DH parameters and store them as /etc/openvpn/easy-rsa/pki/dh.pem.

Generate a key and certificate file for the server.

./easyrsa build-server-full server nopass

Generate a key and certificate file for the client.

./easyrsa build-client-full client nopass

In case you need to invalidate a previously signed certificate, generate the certificate revocation list (CRL).

./easyrsa gen-crl

This stores the CRL under /etc/openvpn/easy-rsa/pki/crl.pem. Note that the server only rejects revoked certificates once its configuration is told to check this CRL.

Generate TLS/SSL pre-shared authentication key

openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key

Copy generated Certificates/Keys to server configuration directory.

cp -rp /etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /etc/openvpn/server/

Configure OpenVPN Server

OpenVPN ships a sample configuration file in its documentation directory, so to ease our life we will copy the sample /usr/share/doc/openvpn{-2.4.6,}/sample/sample-config-files/server.conf file to /etc/openvpn/server for modification.

On Fedora

cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/

On CentOS 7

cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/server/

Edit the server.conf file as follows;

vim /etc/openvpn/server/server.conf

Modify the file such that it looks like the below;

# Which TCP/UDP port should OpenVPN listen on?
# Change to match your port and open it in the firewall
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel
dev tun

# Change path for certificates
ca ca.crt
cert issued/server.crt
key private/server.key

# Diffie hellman exchange key path
dh dh.pem

# Network topology
topology subnet

# OpenVPN network. For the subnet below, the server will take 172.16.0.1 for itself;
# the rest will be made available to clients.
server 172.16.0.0 255.255.255.0

# this directive will configure all clients to redirect their default
# network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"

# DNS servers
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# For compression compatible with older clients use comp-lzo.
comp-lzo

# Run VPN with limited privileges
user nobody
group nobody

# Status log file
status /var/log/openvpn/openvpn-status.log

# TLS/SSL pre-shared authentication key
tls-auth ta.key 0

# Make VPN log directory and log file
log-append /var/log/openvpn/openvpn.log

# Append this line to change the authentication algorithm (HMAC) from SHA1 to SHA512
auth SHA512

Create the log directory;

mkdir /var/log/openvpn/

Save the configuration file

Configure Routing

Enable IP forwarding

Enabling IP forwarding ensures that traffic from the client is routed through the server's IP address so that the client IP address is masked.

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Run the command below to effect the changes;

sysctl --system

Allow OpenVPN service port through firewall

firewall-cmd --add-port=1194/udp --permanent

Activate IP Masquerading

firewall-cmd --add-masquerade --permanent

Forward traffic received on the specified OpenVPN subnet to an interface via which packets are going to be sent.

Find the interface via which packets are sent through by running the command below;

ip route get 8.8.8.8
8.8.8.8 via 192.168.43.1 dev enp0s8 src 192.168.43.23

The interface name may be different in your case. Replace it accordingly.

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 172.16.0.0/24 -o enp0s8 -j MASQUERADE

Reload firewalld for the changes to take effect.

firewall-cmd --reload

Start OpenVPN and enable it to start on boot.

systemctl start openvpn-server@server.service
systemctl enable openvpn-server@server.service

When OpenVPN service runs, it will create a tunnelling interface, tun0;

ip add show tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.1/24 brd 172.16.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1155:c60c:c009:48c9/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

The VPN server is assigned the IP address, 172.16.0.1 while the first client will be assigned 172.16.0.2.

Configure VPN Client

In order for the VPN client to connect to the VPN server, copies of the CA certificate, client key, client certificate and TLS/SSL authentication key generated above are required. Hence, copy these files to the target client and place them in a convenient directory.

cd /etc/openvpn/easy-rsa/pki/
scp {ca.crt,issued/client.crt,private/client.key,ta.key} [email protected]:~/

Install OpenVPN client

  • If you are using a Linux/Unix server as a client, install the OpenVPN client using the respective package manager, for example;
    apt install openvpn
    yum install openvpn
  • If you are connecting from a windows machine, you can simply download the OpenVPN client installer from OpenVPN downloads page and install it.

Create the OpenVPN configuration file for the client as shown below. As an example, I have copied the certificate and key files to my home directory on the client.

[email protected]:/home/amos# ls
ca.crt client.crt client.key ta.key
vim client.ovpn
client
tls-client
pull
dev tun
proto udp
remote 192.168.43.69 1194
resolv-retry infinite
nobind
dhcp-option DNS 8.8.8.8
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
tls-auth ta.key 1
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
auth SHA512
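
As an added check that is not part of the original tutorial (my code, not the author's), the following Python parses a server.conf and client.ovpn like the ones shown above, derives the POSTROUTING masquerade rule from the server subnet and the `ip route get` output used in the routing section, and reports the settings that must agree on both sides before a handshake can succeed. The config and route samples are constructed to mirror this page.

```python
import ipaddress
import re

# Constructed sample inputs modelled on this page's server.conf, client.ovpn and ip route output.
SERVER_CONF = """port 1194
proto udp
server 172.16.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
tls-auth ta.key 0
comp-lzo
auth SHA512"""
CLIENT_OVPN = "client\nproto udp\nremote 192.168.43.69 1194\ntls-auth ta.key 1\ncomp-lzo\nauth SHA512"
IP_ROUTE_GET = "8.8.8.8 via 192.168.43.1 dev enp0s8 src 192.168.43.23"

def parse_ovpn(text):
    """Parse OpenVPN config text into (directive, args) pairs; quoted args stay whole."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            args = [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', line)]
            entries.append((args[0], args[1:]))
    return entries

def arg(entries, name):
    """Argument list of the first occurrence of a directive, or None if absent."""
    return next((a for d, a in entries if d == name), None)

def masquerade_cmd(srv, ip_route_get_output):
    """Derive the POSTROUTING rule from the 'server' subnet and the egress interface."""
    net, mask = arg(srv, "server")
    subnet = ipaddress.ip_network(f"{net}/{mask}")
    iface = re.search(r"\bdev (\S+)", ip_route_get_output).group(1)
    return ("firewall-cmd --permanent --direct --passthrough ipv4 -t nat "
            f"-A POSTROUTING -s {subnet} -o {iface} -j MASQUERADE")

def compat_problems(srv, cli):
    """Settings that must agree between server.conf and client.ovpn or the handshake fails."""
    problems = []
    for name in ("proto", "auth"):
        if arg(srv, name) != arg(cli, name):
            problems.append(f"{name} differs between server and client")
    if (arg(srv, "comp-lzo") is None) != (arg(cli, "comp-lzo") is None):
        problems.append("comp-lzo set on one side only")
    tls = [arg(e, "tls-auth") for e in (srv, cli)]
    if None in tls or {tls[0][1], tls[1][1]} != {"0", "1"}:
        problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    if arg(cli, "remote")[1] != arg(srv, "port")[0]:
        problems.append("client 'remote' port does not match server 'port'")
    return problems
```

Run it against your real files by reading them into the two strings; an empty list from compat_problems means the two sides agree on protocol, HMAC, compression, tls-auth direction and port.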

To connect to the OpenVPN server from the client, run either of the commands below;

sudo openvpn client.ovpn

or

sudo openvpn --config client.ovpn

If the connection is successful, you should see an "Initialization Sequence Completed" message.

Mon Dec 31 03:54:39 2018 TUN/TAP device tun0 opened
Mon Dec 31 03:54:39 2018 TUN/TAP TX queue length set to 100
Mon Dec 31 03:54:39 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Dec 31 03:54:39 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Dec 31 03:54:39 2018 /sbin/ip addr add dev tun0 172.16.0.2/24 broadcast 172.16.0.255
Mon Dec 31 03:54:39 2018 /sbin/ip route add 192.168.43.69/32 dev enp0s8
Mon Dec 31 03:54:39 2018 /sbin/ip route add 0.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 /sbin/ip route add 128.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 GID set to nogroup
Mon Dec 31 03:54:39 2018 UID set to nobody
Mon Dec 31 03:54:39 2018 Initialization Sequence Completed
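
As an added example that is not part of the tutorial, this Python reads a client log like the one above (constructed here as a sample) and reports whether the connection completed, which tunnel address was assigned, whether both half-default routes installed by redirect-gateway def1 point at the server's tunnel IP, and whether the process dropped to the nobody user.

```python
import re

# Constructed sample modelled on the client log shown on this page.
CLIENT_LOG = """Mon Dec 31 03:54:39 2018 TUN/TAP device tun0 opened
Mon Dec 31 03:54:39 2018 /sbin/ip addr add dev tun0 172.16.0.2/24 broadcast 172.16.0.255
Mon Dec 31 03:54:39 2018 /sbin/ip route add 192.168.43.69/32 dev enp0s8
Mon Dec 31 03:54:39 2018 /sbin/ip route add 0.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 /sbin/ip route add 128.0.0.0/1 via 172.16.0.1
Mon Dec 31 03:54:39 2018 GID set to nogroup
Mon Dec 31 03:54:39 2018 UID set to nobody
Mon Dec 31 03:54:39 2018 Initialization Sequence Completed"""

TS = r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} "  # OpenVPN's default timestamp prefix

def summarize_client_log(log_text):
    """Report what a connection attempt actually did, from the OpenVPN client log."""
    routes = {}
    result = {"completed": False, "tun_addr": None, "uid": None, "gid": None}
    for raw in log_text.splitlines():
        msg = re.sub(TS, "", raw.strip())
        addr = re.search(r"ip addr add dev \S+ (\S+)", msg)
        route = re.search(r"ip route add (\S+) via (\S+)", msg)
        ident = re.match(r"(UID|GID) set to (\S+)", msg)
        if msg == "Initialization Sequence Completed":
            result["completed"] = True
        elif addr:
            result["tun_addr"] = addr.group(1)
        elif route:
            routes[route.group(1)] = route.group(2)
        elif ident:
            result[ident.group(1).lower()] = ident.group(2)
    # redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the server's tunnel IP,
    # overriding the default route without deleting it; both must point at the same gateway.
    gw = routes.get("0.0.0.0/1")
    result["vpn_gateway"] = gw
    result["full_tunnel"] = gw is not None and routes.get("128.0.0.0/1") == gw
    result["dropped_privs"] = result["uid"] == "nobody"
    return result
```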

If you check the interfaces, you should see the tunnelling interface that was created.

ip add sh tun0
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.2/24 brd 172.16.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::dc37:c115:60f:6b86/64 scope link flags 800 
       valid_lft forever preferred_lft forever

You have successfully connected to your VPN server.

That is all about how to install and set up an OpenVPN server on Fedora 29/CentOS 7. Your OpenVPN server is fully operational. Enjoy.


6 COMMENTS

  1. Hi, this tutorial is golden, I almost got to the working VPN server on a fresh Fedora setup. The only thing that was troubling is that the firewall was closed, so a simple “nc -l -p 8080” did not accept anything coming through the VPN. When I moved the tun0 interface to a trusted zone, it just worked.

    firewall-cmd --permanent --zone=trusted --add-interface=tun0

  2. I’m getting this error when I try to copy the client files: cp: cannot stat ‘issued/client.crt’: No such file or directory

    Everything else is running fine. Is there a reason why this file isn’t generated during the client config?
    Is there a way to configure additional clients?
