In this guide, we are going to learn how to install and set up an OpenVPN server on Rocky Linux 8. OpenVPN is a robust and highly flexible open-source VPN that uses the encryption, authentication and certificate features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It extends a private network across a public one while preserving the security you would expect on the private network itself.
Setting up OpenVPN Server on Rocky Linux 8
Install EPEL Repository
The latest OpenVPN packages are provided by the EPEL repositories on Rocky Linux 8 and similar derivatives. Install EPEL on Rocky Linux 8 by running the command below;
dnf install epel-release -y
Install OpenVPN on Rocky Linux 8
Once the EPEL repos are in place, you can now install OpenVPN package on Rocky Linux 8 by executing the command below;
dnf install openvpn
Install Easy-RSA CA Utility on Rocky Linux 8
Easy-RSA is a shell-based CA utility used to build and manage the PKI (the CA plus the server and client certificates and keys) that secures VPN connections.
dnf install easy-rsa
Create OpenVPN Public Key Infrastructure
The first step in setting up an OpenVPN server is to create a PKI: a master Certificate Authority (CA) certificate and private key, plus a certificate and private key for the OpenVPN server and for each connecting client, all signed by that CA. Anyone holding the CA private key can issue certificates your server will trust, so if possible create and keep the PKI on a separate machine that is not the OpenVPN server (ideally one kept offline), and copy only the signed certificates, the server's own key and the CA certificate to the VPN server.
Initialize the PKI
Easy-RSA is used for PKI management. The Easy-RSA scripts are installed under the /usr/share/easy-rsa directory.
To ensure that any configuration you make to Easy-RSA is not overwritten by a package upgrade, copy the scripts to a different directory, preferably under /etc.
mkdir /etc/easy-rsa
cp -air /usr/share/easy-rsa/3/* /etc/easy-rsa/
Once the scripts are in place, navigate to the directory and initialize the PKI.
cd /etc/easy-rsa/
./easyrsa init-pki
Sample command output;
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/easy-rsa/pki
Generate the Certificate Authority (CA) Certificate and Key
Next, generate the CA certificate and key that will be used to sign certificates by running the commands below within the Easy-RSA directory above.
./easyrsa build-ca
This will prompt you for a CA key passphrase and for the CA's common name.
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
....................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Kifarunix-demo CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt
The CA file is /etc/easy-rsa/pki/ca.crt.
Generate Diffie Hellman Parameters
While within the same Easy-RSA directory as in above, execute the command below to generate Diffie-Hellman key file that can be used for key exchange during the TLS handshake with connecting clients.
./easyrsa gen-dh
The command will take some time to complete. The DH parameters are stored in the file /etc/easy-rsa/pki/dh.pem.
Generate OpenVPN Server Certificate and Key
To generate a certificate and private key for the OpenVPN server, run the command below;
cd /etc/easy-rsa
./easyrsa build-server-full server nopass
When the command runs, you will be prompted for the CA key passphrase created above. The nopass argument leaves the generated server private key unencrypted, which is what allows the service to start unattended; the key is then protected only by filesystem permissions, so keep it readable by root alone (mode 600).
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
.....+++++
...............................+++++
writing new private key to '/etc/easy-rsa/pki/easy-rsa-10170.VLZsfK/tmp.4TRoOP'
-----
Using configuration from /etc/easy-rsa/pki/easy-rsa-10170.VLZsfK/tmp.jTJJ7f
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Oct 3 18:03:20 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Generate Hash-based Message Authentication Code (HMAC) key
To generate the TLS pre-shared authentication key, which adds an extra HMAC signature to every TLS handshake packet so that packets from peers that do not hold the key are dropped before any TLS processing (mitigating DoS attacks and UDP port flooding), run the command below;
openvpn --genkey --secret /etc/easy-rsa/pki/ta.key
Generate a Certificate Revocation List (CRL)
To be able to invalidate a previously signed certificate, generate a Certificate Revocation List (CRL). The initial CRL is empty; to revoke a client later, run ./easyrsa revoke <client-name>, then re-run ./easyrsa gen-crl and copy the new crl.pem to the server. Note that the CRL itself has an expiry date (180 days by default, controlled by EASYRSA_CRL_DAYS) and must be regenerated before then, otherwise client verification fails once the server is checking it.
./easyrsa gen-crl
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Using configuration from /etc/easy-rsa/pki/easy-rsa-10284.mSzk9F/tmp.qdix0A
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
An updated CRL has been created.
CRL file: /etc/easy-rsa/pki/crl.pem
The CRL is stored as /etc/easy-rsa/pki/crl.pem. OpenVPN only consults it if the server configuration contains crl-verify crl.pem, and because the file is re-read on every client connection after OpenVPN has dropped privileges to the nobody user, it must be readable by that user (mode 644), unlike the private keys.
Copy Server Certificates and Keys to Server Directory
Next, copy the files the server needs to the OpenVPN server configuration directory. Copy only the server's own certificate and key, not the whole issued/ and private/ directories: those also hold the CA private key and every client private key, none of which belongs on the VPN server. The issued/ and private/ subdirectories are kept so that the paths match the server configuration used later.
mkdir -p /etc/openvpn/server/{issued,private}
cp -p /etc/easy-rsa/pki/{ca.crt,dh.pem,ta.key,crl.pem} /etc/openvpn/server/
cp -p /etc/easy-rsa/pki/issued/server.crt /etc/openvpn/server/issued/
cp -p /etc/easy-rsa/pki/private/server.key /etc/openvpn/server/private/
Generate OpenVPN Client Certificate and Key
To generate OpenVPN clients certificate and private key, run the command below;
cd /etc/easy-rsa
./easyrsa build-client-full gentoo nopass
Sample output;
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
........................+++++
.........................................................................................+++++
writing new private key to '/etc/easy-rsa/pki/easy-rsa-10316.rcXRdS/tmp.tauo7u'
-----
Using configuration from /etc/easy-rsa/pki/easy-rsa-10316.rcXRdS/tmp.RxlTaw
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'gentoo'
Certificate is to be certified until Oct 3 18:05:23 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
where gentoo is the name of the client for which the certificate and key are generated. Always use a unique common name for each client: OpenVPN identifies clients by it, and unless duplicate-cn is set only one connection per common name is allowed at a time.
To generate for the second client,
./easyrsa build-client-full johndoe nopass
Copy Client Certificates and Keys to Client Directory
Create a directory for each client under the OpenVPN client directory;
mkdir /etc/openvpn/client/{gentoo,johndoe}
Next, copy each client's certificate and key, the CA certificate and the tls-auth key (clients need ta.key as well, since the server is configured with tls-auth) to that client's configuration directory. Deliver these files to the client over a secure channel and delete the client's private key from the server once it has been handed over.
cp -p /etc/easy-rsa/pki/{ca.crt,ta.key,issued/gentoo.crt,private/gentoo.key} /etc/openvpn/client/gentoo/
cp -p /etc/easy-rsa/pki/{ca.crt,ta.key,issued/johndoe.crt,private/johndoe.key} /etc/openvpn/client/johndoe/
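Before distributing anything, it is worth confirming that each certificate/key pair really is what the server and clients expect. The script below is an added shell example, not part of this guide or of Easy-RSA, that verifies a pair the way OpenVPN will use it: the certificate chains to the CA (and is not on the CRL when one is supplied), it carries the Extended Key Usage for its role, the private key matches the certificate, and the key file is not readable by other users. It needs only the openssl CLI. The build_demo_pki function is a constructed stand-in that produces the same ca.crt/issued/private layout with plain openssl, so the checker can be tried without touching a real PKI; run the script with the argument demo to see a passing server check, a passing client check and a deliberate role mismatch. Against the files copied above, point it at the server files under /etc/openvpn/server (with crl.pem as the fifth argument) or at a client directory with the role client.

```shell
#!/bin/sh
# Added example (not from the guide or Easy-RSA): sanity-check an OpenVPN
# certificate/key pair before deploying it. Requires the openssl CLI.

# verify_openvpn_cert CA CERT KEY ROLE [CRL]
#   ROLE is "server" or "client". Prints one line per result and returns 0
#   only if every check passes.
verify_openvpn_cert() {
    ca=$1; cert=$2; key=$3; role=$4; crl=$5
    case "$role" in
        server) eku='TLS Web Server Authentication' ;;
        client) eku='TLS Web Client Authentication' ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac

    # 1. The certificate must chain to our CA (and not be on the CRL, if given).
    if [ -n "$crl" ]; then
        openssl verify -CAfile "$ca" -CRLfile "$crl" -crl_check "$cert" >/dev/null 2>&1 \
            || { echo "FAIL: $cert does not chain to $ca, or is revoked"; return 1; }
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "FAIL: $cert does not chain to $ca"; return 1; }
    fi

    # 2. Extended Key Usage must match the role (what remote-cert-tls enforces).
    openssl x509 -in "$cert" -noout -text | grep -q "$eku" \
        || { echo "FAIL: $cert lacks EKU '$eku'"; return 1; }

    # 3. The private key must belong to this certificate (same public key).
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "FAIL: $key does not match $cert"; return 1; }

    # 4. A private key readable by other users is a credential leak.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode, expected 600"; return 1 ;;
    esac

    echo "OK: $cert is a valid $role certificate for $key"
    return 0
}

# build_demo_pki DIR: constructed stand-in for the Easy-RSA output above,
# made with plain openssl (CA with CA:TRUE, a serverAuth cert "server" and a
# clientAuth cert "gentoo") so the checker can be exercised on a throwaway PKI.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir/issued" "$dir/private" && chmod 700 "$dir/private"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo CA' \
        -keyout "$dir/private/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/private/ca.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    for name in server gentoo; do
        [ "$name" = server ] && eku=serverAuth || eku=clientAuth
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
            "$eku" > "$dir/$name.ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/private/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/private/ca.key" \
            -CAcreateserial -days 30 -extfile "$dir/$name.ext" -out "$dir/issued/$name.crt" 2>/dev/null
        chmod 600 "$dir/private/$name.key"
    done
}

# Run with "demo" to exercise the checker on a throwaway PKI. Against the real
# deployment, call it on the files copied to /etc/openvpn/server, e.g.
#   verify_openvpn_cert ca.crt issued/server.crt private/server.key server crl.pem
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    build_demo_pki "$d"
    verify_openvpn_cert "$d/ca.crt" "$d/issued/server.crt" "$d/private/server.key" server
    verify_openvpn_cert "$d/ca.crt" "$d/issued/gentoo.crt" "$d/private/gentoo.key" client
    verify_openvpn_cert "$d/ca.crt" "$d/issued/gentoo.crt" "$d/private/gentoo.key" server  # expected FAIL
    rm -rf "$d"
fi
```

The EKU check is the same property OpenVPN enforces at connection time when the client config carries remote-cert-tls server and the server config carries remote-cert-tls client: a client certificate cannot be used to impersonate the server, and a leaked server certificate cannot be used to log in as a client.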
Configure OpenVPN Server on Rocky Linux 8
OpenVPN comes with a sample configuration file within its documentation directory. Copy the file to /etc/openvpn/server/ and modify it to suit your needs.
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
Open the config for modification.
vim /etc/openvpn/server/server.conf
The file is heavily commented; read the comments for every configuration option.
In the most basic form, below are our configuration options, with no comments.
port 1194
proto udp4
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 192.168.10.3"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA512
Save and exit the configuration once done modifying. Two of the options above deserve a second look. comp-lzo enables compression, which OpenVPN has deprecated since 2.4 because compressing traffic before encryption exposes it to plaintext-recovery attacks; unless you have a specific need for it, delete that line (and make sure clients do not enable it either, as both sides must agree). Second, the crl.pem copied to the server directory earlier is only checked if you add crl-verify crl.pem to this file; without that directive, revoked client certificates are still accepted.
Want to assign fixed/static IP addresses to your OpenVPN clients? Follow the guide below;
Assign Static IP Addresses for OpenVPN Clients
Create log directory;
mkdir /var/log/openvpn/
Explore the configuration and do further fine tuning to suit your needs.
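To see how the configuration above measures up, here is an added shell example, not part of the original guide and not an OpenVPN tool, that audits a server.conf for the points a security reviewer would raise and writes a hardened copy. Every directive it looks for is a standard OpenVPN 2.4+ server directive (tls-auth/tls-crypt, crl-verify, remote-cert-tls, tls-version-min, user/group); the file name crl.pem matches the CRL copied to /etc/openvpn/server earlier; and the sample it audits, embedded by the write_page_conf function, is a copy of the configuration shown above. Run it with the argument demo.

```shell
#!/bin/sh
# Added example (not from the guide or OpenVPN): audit a server.conf for common
# hardening gaps and emit a corrected copy. Assumes the file layout used on this
# page (ta.key and crl.pem next to server.conf).

# conf_has FILE PATTERN: true if a directive matching the ERE PATTERN is active
# in FILE (lines commented out with # or ; do not match).
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# audit_server_conf FILE: one finding per line on stdout; the return value is
# the number of findings, so 0 means nothing to fix.
audit_server_conf() {
    conf=$1; n=0
    if conf_has "$conf" 'comp-lzo' || conf_has "$conf" 'compress[[:space:]]+(lzo|lz4|lz4-v2)'; then
        echo "compression is enabled: remove it, compressed VPN traffic is open to plaintext-recovery attacks"
        n=$((n + 1))
    fi
    if ! conf_has "$conf" 'tls-auth' && ! conf_has "$conf" 'tls-crypt'; then
        echo "no tls-auth/tls-crypt: handshake packets are not HMAC-protected"
        n=$((n + 1))
    fi
    if ! conf_has "$conf" 'crl-verify'; then
        echo "no crl-verify: revoked client certificates are still accepted"
        n=$((n + 1))
    fi
    if ! conf_has "$conf" 'remote-cert-tls[[:space:]]+client'; then
        echo "no 'remote-cert-tls client': any CA-signed certificate, including the server's own, is accepted as a client"
        n=$((n + 1))
    fi
    if ! conf_has "$conf" 'tls-version-min'; then
        echo "no tls-version-min: the minimum TLS version is left to the defaults"
        n=$((n + 1))
    fi
    if ! conf_has "$conf" 'user' || ! conf_has "$conf" 'group'; then
        echo "no user/group: the daemon keeps root privileges after startup"
        n=$((n + 1))
    fi
    return $n
}

# harden_server_conf IN OUT: copy IN to OUT with compression removed and the
# directives the audit looks for appended where missing.
harden_server_conf() {
    in=$1; out=$2
    grep -Ev '^[[:space:]]*(comp-lzo|compress[[:space:]]+(lzo|lz4|lz4-v2))([[:space:]]|$)' "$in" > "$out" || true
    conf_has "$out" 'tls-auth' || conf_has "$out" 'tls-crypt' || echo 'tls-auth ta.key 0' >> "$out"
    conf_has "$out" 'crl-verify' || echo 'crl-verify crl.pem' >> "$out"
    conf_has "$out" 'remote-cert-tls[[:space:]]+client' || echo 'remote-cert-tls client' >> "$out"
    conf_has "$out" 'tls-version-min' || echo 'tls-version-min 1.2' >> "$out"
    conf_has "$out" 'user' || echo 'user nobody' >> "$out"
    conf_has "$out" 'group' || echo 'group nobody' >> "$out"
}

# write_page_conf FILE: constructed sample, a copy of the server.conf above.
write_page_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp4
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
auth SHA512
EOF
}

# Run with "demo" to audit the page's config and print the hardened result.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_page_conf "$d/server.conf"
    audit_server_conf "$d/server.conf" || echo "findings: $?"
    harden_server_conf "$d/server.conf" "$d/server.hardened.conf"
    audit_server_conf "$d/server.hardened.conf" && echo "hardened copy is clean:" && cat "$d/server.hardened.conf"
    rm -rf "$d"
fi
```

Run against the configuration above, the audit reports four findings: compression enabled, no crl-verify, no remote-cert-tls client and no tls-version-min. The hardened copy passes, but treat it as a starting point rather than a drop-in: tls-version-min 1.2 must be supported by your oldest client, and removing comp-lzo has to be mirrored in every client configuration, since both sides must agree on compression.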
Configure OpenVPN Server Routing
To ensure that client traffic is routed out through the server (which also hides the client's real IP address behind the server's), enable IP forwarding on the OpenVPN server;
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Run the command below to effect the changes without rebooting the server.
sysctl --system
Allow OpenVPN service port through firewall
firewall-cmd --add-port=1194/udp --permanent
Activate IP Masquerading
firewall-cmd --add-masquerade --permanent
Next, masquerade traffic arriving from the OpenVPN subnet (10.8.0.0/24 in our case) as it leaves through the server's uplink interface. Find that interface by running the command below;
ip route get 8.8.8.8
8.8.8.8 via 10.0.2.2 dev enp0s3 src 10.0.2.15 uid 0
cache
The interface name and the subnet may be different in your case; replace them accordingly.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
Reload firewalld for the changes to take effect. If clients can connect but cannot reach anything beyond the server, check that the tun0 interface is in a zone that permits forwarding, for example by adding it to the trusted zone with firewall-cmd --permanent --zone=trusted --add-interface=tun0 and reloading again.
firewall-cmd --reload
Start and set OpenVPN run on system boot.
systemctl enable --now openvpn-server@server
When the OpenVPN service runs, it creates a tunnelling interface, tun0;
ip addr show tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::afd7:17a6:57ee:7f3b/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Checking the logs;
tail /var/log/openvpn/openvpn.log
/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]
GID set to nobody
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
IFCONFIG POOL LIST
Initialization Sequence Completed
Your OpenVPN Server is now up and running.
You can now proceed to configure OpenVPN clients and interconnect them through the vpn server.
Install and Configure OpenVPN Client on Rocky Linux 8
Hello! Thank you very much for your guide, it saved me a lot of time.
I want to note two things which I had to add to make it work.
First, as I hadn't a private DNS server I had to install some kind of DNS proxy. Guys on serverfault have generously provided a basic guide with configuration on unbound (https://serverfault.com/a/1051176). Do not forget to open the port for the desired networks.
firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="10.8.0.0/24"
port protocol="tcp" port="53" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="10.8.0.0/24"
port protocol="udp" port="53" accept'
Second, for some reason, the provided firewall-cmd configuration wasn't enough for me. I'm not very proficient in VPNs (that's why I'm here) or iptables, but on the Internet there was only information for iptables configuration. I took the reference from https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
Well, it is quite simple and it is working.
Replace $dev with your uplink interface. Other values were taken from this article, so if you're copy-pasting it is safe to make no changes except as noted.
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $dev -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i $dev -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $dev -j ACCEPT
iptables -I INPUT 1 -i $dev -p udp --dport 1194 -j ACCEPT