In this guide, we are going to learn how to install and easily set up OpenVPN Server on Rocky Linux 8. OpenVPN is a robust and highly flexible open-source VPN software that uses the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It extends a private network across a public network while maintaining the security that would be achieved within the private network itself.
Setup OpenVPN Server on Rocky Linux 8
Install EPEL Repository
The latest OpenVPN packages are provided by the EPEL repository on Rocky Linux 8 and similar derivatives. Install EPEL on Rocky Linux 8 by running the command below;
dnf install epel-release -y
Install OpenVPN on Rocky Linux 8
Once the EPEL repos are in place, you can install the OpenVPN package on Rocky Linux 8 by executing the command below;
dnf install openvpn
Install Easy-RSA CA Utility on Rocky Linux 8
Easy-RSA is a shell-based CA utility used to generate the SSL key pairs and certificates that secure VPN connections.
dnf install easy-rsa
Create OpenVPN Public Key Infrastructure
The first step in setting up an OpenVPN server is to create a PKI, which consists of a public and private key for the OpenVPN server and for each connecting client, plus a master Certificate Authority (CA) certificate and private key used to sign the server and client certificates. If possible, create the PKI (in particular the CA private key) on a separate machine from the OpenVPN server, so that a compromise of the VPN server does not expose the CA.
Initialize the PKI
Easy-RSA is used for PKI management. The Easy-RSA scripts are installed under the /usr/share/easy-rsa directory.
To ensure that any configuration you make is not overwritten by a package upgrade, copy the scripts to a different directory, preferably under /etc.
mkdir /etc/easy-rsa
cp -air /usr/share/easy-rsa/3/* /etc/easy-rsa/
Once the scripts are in place, navigate to the directory and initialize the PKI.
cd /etc/easy-rsa/
./easyrsa init-pki
Sample command output;
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/easy-rsa/pki
Generate the Certificate Authority (CA) Certificate and Key
Next, generate the CA certificate and key that will be used to sign certificates by running the command below within the Easy-RSA directory above.
./easyrsa build-ca
This will prompt you for a new CA key passphrase and the CA common name.
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
....................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Kifarunix-demo CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt
The CA file is /etc/easy-rsa/pki/ca.crt.
Generate Diffie Hellman Parameters
While still within the same Easy-RSA directory, execute the command below to generate the Diffie-Hellman parameters file used for key exchange during the TLS handshake with connecting clients.
./easyrsa gen-dh
The command will take some time to complete. It then stores the DH parameters in the /etc/easy-rsa/pki/dh.pem file.
Generate OpenVPN Server Certificate and Key
To generate a certificate and private key for the OpenVPN server, run the command below;
cd /etc/easy-rsa
./easyrsa build-server-full server nopass
When the command runs, you will be prompted for the CA key passphrase created above. The nopass argument disables the passphrase on the generated private key, so the OpenVPN service can start without interactive input.
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
.....+++++
...............................+++++
writing new private key to '/etc/easy-rsa/pki/easy-rsa-10170.VLZsfK/tmp.4TRoOP'
-----
Using configuration from /etc/easy-rsa/pki/easy-rsa-10170.VLZsfK/tmp.jTJJ7f
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Oct 3 18:03:20 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
Generate Hash-based Message Authentication Code (HMAC) key
To generate the TLS pre-shared authentication key that adds an HMAC signature to every SSL/TLS handshake packet, letting the server drop packets that lack a valid signature and so mitigating DoS attacks and UDP port flooding, run the command below;
openvpn --genkey --secret /etc/easy-rsa/pki/ta.key
Generate a Revocation Certificate
In order to invalidate previously signed certificates, generate a certificate revocation list (CRL).
./easyrsa gen-crl
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Using configuration from /etc/easy-rsa/pki/easy-rsa-10284.mSzk9F/tmp.qdix0A
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/easy-rsa/pki/crl.pe
The CRL is stored as /etc/easy-rsa/pki/crl.pem. OpenVPN only consults it when the server configuration references it with the crl-verify directive.
Copy Server Certificates and Keys to Server Directory
Next, copy all generated certificates/keys to OpenVPN server configuration directory.
cp -rp /etc/easy-rsa/pki/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} /etc/openvpn/server/
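A sanity check to run after the copy above. This is an added example, not part of the guide: it confirms that every file the server configuration will reference is present under the server directory, that ta.key really is an OpenVPN static key, and that private material is not group- or world-readable; verify_chain additionally asks openssl to validate the server certificate against ca.crt and crl.pem (the directory and name arguments are assumptions matching the guide's layout).

```shell
#!/bin/sh
# Added check, not part of the guide. Assumes the layout produced above:
# <dir>/{ca.crt,dh.pem,ta.key,crl.pem,issued/<name>.crt,private/<name>.key}
# Usage: check_pki_material /etc/openvpn/server server && verify_chain /etc/openvpn/server server

check_pki_material() {
    dir=$1; name=${2:-server}; rc=0
    # every file the server.conf will point at must exist and be non-empty
    for f in ca.crt dh.pem ta.key crl.pem "issued/$name.crt" "private/$name.key"; do
        [ -s "$dir/$f" ] || { echo "MISSING: $dir/$f"; rc=1; }
    done
    # ta.key is a static HMAC key, not a PEM certificate or RSA key
    if [ -s "$dir/ta.key" ] && ! grep -q '^-----BEGIN OpenVPN Static key V1-----' "$dir/ta.key"; then
        echo "BAD FORMAT: $dir/ta.key is not an OpenVPN static key"; rc=1
    fi
    # private key and HMAC key must be readable by the owner only
    for f in "private/$name.key" ta.key; do
        [ -e "$dir/$f" ] || continue
        mode=$(stat -c %a "$dir/$f")          # octal mode, e.g. 600 (GNU stat)
        case $mode in
            *00) ;;                             # owner-only: 600, 400, 700
            *) echo "PERMS: $dir/$f is mode $mode, expected 600"; rc=1 ;;
        esac
    done
    return $rc
}

verify_chain() {
    dir=$1; name=${2:-server}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, chain check skipped"; return 2; }
    # succeeds only if the cert chains to ca.crt and is not listed in crl.pem
    openssl verify -CAfile "$dir/ca.crt" -crl_check -CRLfile "$dir/crl.pem" "$dir/issued/$name.crt"
}
```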
Generate OpenVPN Client Certificate and Key
To generate an OpenVPN client certificate and private key, run the command below;
cd /etc/easy-rsa
./easyrsa build-client-full gentoo nopass
Sample output;
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
........................+++++
.........................................................................................+++++
writing new private key to '/etc/easy-rsa/pki/easy-rsa-10316.rcXRdS/tmp.tauo7u'
-----
Using configuration from /etc/easy-rsa/pki/easy-rsa-10316.rcXRdS/tmp.RxlTaw
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'gentoo'
Certificate is to be certified until Oct 3 18:05:23 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
where gentoo is the name of the client for which the certificate and key are generated. Always use a unique common name for each client you generate a certificate and key for.
To generate a certificate and key for a second client, run;
./easyrsa build-client-full johndoe nopass
Copy Client Certificates and Keys to Client Directory
Create a directory for each client under the OpenVPN client configuration directory;
mkdir /etc/openvpn/client/{gentoo,johndoe}
Next, copy each client's generated certificate and key, along with the CA certificate, to that client's OpenVPN client configuration directory. You can
cp -rp /etc/easy-rsa/pki/{ca.crt,issued/gentoo.crt,private/gentoo.key} /etc/openvpn/client/gentoo
cp -rp /etc/easy-rsa/pki/{ca.crt,issued/johndoe.crt,private/johndoe.key} /etc/openvpn/client/johndoe/
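Once the per-client directories above exist, the material is usually handed to the client as a single .ovpn file with the certificates inlined. The script below is an added example, not part of the guide: it assembles such a profile from a client directory laid out as above, with the server options matching the configuration used later in this guide (udp4, AES-256-CBC, SHA512, tls-auth, comp-lzo); the hostname vpn.example.com is a placeholder, and because the guide does not copy ta.key into the client directory its path is a separate parameter.

```shell
#!/bin/sh
# Added example, not part of the guide. Assumes <dir>/ca.crt, <dir>/<name>.crt
# and <dir>/<name>.key as created above; ta.key defaults to the PKI location.
# Usage: build_ovpn_profile /etc/openvpn/client/gentoo gentoo vpn.example.com 1194 > gentoo.ovpn

build_ovpn_profile() {
    dir=$1; name=$2; host=$3; port=${4:-1194}; takey=${5:-/etc/easy-rsa/pki/ta.key}
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" "$takey"; do
        [ -s "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # Options mirror the server config: remote-cert-tls rejects a peer that
    # presents a client cert as a server; key-direction 1 pairs with the
    # server's "tls-auth ta.key 0"; comp-lzo must match the server setting.
    cat <<EOF
client
dev tun
proto udp4
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
comp-lzo
key-direction 1
verb 3
EOF
    # Inline the PEM material. easy-rsa prepends a text dump to issued
    # certificates, so only the CERTIFICATE block of <name>.crt is kept.
    printf '<ca>\n'; cat "$dir/ca.crt"; printf '</ca>\n'
    printf '<cert>\n'
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$dir/$name.crt"
    printf '</cert>\n'
    printf '<key>\n'; cat "$dir/$name.key"; printf '</key>\n'
    printf '<tls-auth>\n'; cat "$takey"; printf '</tls-auth>\n'
}
```

The resulting file contains the client's private key, so transfer it to the client over an authenticated channel and delete server-side copies once delivered.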
Configure OpenVPN Server on Rocky Linux 8
OpenVPN comes with a sample configuration file within its documentation directory. Copy the file to /etc/openvpn/server/ and modify it to suit your needs.
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
Open the config for modification.
vim /etc/openvpn/server/server.conf
The file is heavily commented; read the comments for every configuration option.
In its most basic form, our configuration, with the comments removed, is shown below.
port 1194
proto udp4
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 192.168.10.3"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA512
Save and exit the configuration once done modifying.
Want to assign fixed/static IP addresses to your OpenVPN clients? Follow the guide below;
Assign Static IP Addresses for OpenVPN Clients
Create log directory;
mkdir /var/log/openvpn/
Explore the configuration and do further fine tuning to suit your needs.
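When fine-tuning the configuration, a quick audit of server.conf helps catch settings that weaken the deployment. The function below is an added example, not OpenVPN's or the guide's own code: it parses a server.conf and reports a missing crl-verify (the guide copies crl.pem into the server directory, but the configuration above never references it, so revoked client certificates would still be accepted), a missing tls-auth/tls-crypt, compression, a CBC cipher, and a missing user or group privilege drop.

```shell
#!/bin/sh
# Added audit, not part of the guide. Usage:
#   audit_server_conf /etc/openvpn/server/server.conf   (exit status 0 = no findings)

audit_server_conf() {
    conf=$1; findings=0
    # Drop comments (the config above has inline "# ..." notes) and blank lines.
    body=$(sed 's/[#;].*$//' "$conf" | sed '/^[[:space:]]*$/d')
    # has PATTERN: true if some directive line starts with PATTERN as a whole word
    has()  { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*($1)([[:space:]]|\$)"; }
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    has 'crl-verify' || flag 'no crl-verify: revoked client certificates are still accepted'
    has 'tls-auth|tls-crypt|tls-crypt-v2' || flag 'no tls-auth/tls-crypt: handshake packets carry no HMAC'
    has 'cipher[[:space:]]+[A-Za-z0-9-]+-CBC' && flag 'CBC cipher: prefer an AEAD cipher such as AES-256-GCM'
    # comp-lzo with no argument, "yes" or "adaptive" enables compression; "comp-lzo no" does not
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(comp-lzo([[:space:]]+(yes|adaptive))?|compress[[:space:]]+(lzo|lz4|lz4-v2)|allow-compression[[:space:]]+yes)[[:space:]]*$' \
        && flag 'compression enabled: tunnelled data is exposed to compression side channels'
    has 'user'  || flag 'no user directive: daemon keeps running as root'
    has 'group' || flag 'no group directive: daemon keeps its root group'
    return $((findings > 0))
}
```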
Configure OpenVPN Server Routing
To ensure that traffic from the clients is routed out through the server's IP address (which also masks the client IP addresses), enable IP forwarding on the OpenVPN server;
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Run the command below to effect the changes without rebooting the server.
sysctl --system
Allow OpenVPN service port through firewall
firewall-cmd --add-port=1194/udp --permanent
Activate IP Masquerading
firewall-cmd --add-masquerade --permanent
Traffic received from the OpenVPN subnet (10.8.0.0/24 in our case) must be masqueraded out through the interface the server uses to reach the internet. Find that interface by running the command below;
ip route get 8.8.8.8
8.8.8.8 via 10.0.2.2 dev enp0s3 src 10.0.2.15 uid 0
cache
The interface name and the subnet may be different in your case. Replace them accordingly.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
Reload firewalld for the changes to take effect.
firewall-cmd --reload
Start OpenVPN and set it to run on system boot. The unit name is derived from the configuration file name, server.conf, under /etc/openvpn/server/.
systemctl enable --now openvpn-server@server.service
When OpenVPN service runs, it will create a tunnelling interface, tun0;
ip add s
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::afd7:17a6:57ee:7f3b/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Checking the logs;
tail /var/log/openvpn/openvpn.log
/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]
GID set to nobody
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
IFCONFIG POOL LIST
Initialization Sequence Completed
Your OpenVPN server is now up and running. That brings us to the end of our guide on how to install and set up OpenVPN Server on Rocky Linux 8.
You can now proceed to configure OpenVPN clients and connect them through the VPN server.
Install and Configure OpenVPN Client on Rocky Linux 8