Setup OpenVPN Server on Rocky Linux 8


In this guide, we are going to learn how to install and set up an OpenVPN server on Rocky Linux 8. OpenVPN is a robust and highly flexible open-source VPN that uses the encryption, authentication and certificate features of the OpenSSL library to tunnel IP networks securely over a single UDP or TCP port. It extends a private network across a public network while keeping the security properties you would expect inside the private network.

Setting up OpenVPN Server on Rocky Linux 8

Install EPEL Repository

The latest OpenVPN packages are provided by the EPEL repository on Rocky Linux 8 and similar derivatives. Install EPEL on Rocky Linux 8 by running the command below;

dnf install epel-release -y

Install OpenVPN on Rocky Linux 8

Once the EPEL repos are in place, you can now install OpenVPN package on Rocky Linux 8 by executing the command below;

dnf install openvpn

Install Easy-RSA CA Utility on Rocky Linux 8

Easy-RSA is a shell-based CA utility used to create the certificate authority and to generate the key pairs and certificates that secure the VPN connections.

dnf install easy-rsa

Create OpenVPN Public Key Infrastructure

The first step in setting up an OpenVPN server is to create a PKI: a master Certificate Authority (CA) certificate and private key used for signing, plus a certificate and private key for the OpenVPN server and for each connecting client. If possible, run the CA on a machine separate from the OpenVPN server, so that a compromise of the VPN server does not hand the attacker the CA private key with which new client certificates can be minted.

Initialize the PKI

Easy-RSA is used for PKI management. The Easy-RSA scripts are installed under the /usr/share/easy-rsa directory.

To ensure that any configuration you make to Easy-RSA is not overwritten by a package upgrade, copy the scripts to a different directory, preferably under /etc.

mkdir /etc/easy-rsa
cp -air /usr/share/easy-rsa/3/* /etc/easy-rsa/

Once the scripts are in place, navigate to the directory and initialize the PKI.

cd /etc/easy-rsa/
./easyrsa init-pki

Sample command output;

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/easy-rsa/pki

Generate the Certificate Authority (CA) Certificate and Key

Next, generate the CA certificate and key that will be used to sign certificates by running the commands below within the Easy-RSA directory above.

./easyrsa build-ca

This will prompt you for a passphrase for the CA private key and for the CA common name. Keep the passphrase safe: it is requested every time a certificate is signed or revoked, and it is the only thing protecting the CA key on disk.


Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
....................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Kifarunix-demo CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt

The CA file is /etc/easy-rsa/pki/ca.crt.

Generate Diffie Hellman Parameters

While within the same Easy-RSA directory as in above, execute the command below to generate Diffie-Hellman key file that can be used for key exchange during the TLS handshake with connecting clients.

./easyrsa gen-dh

The command takes some time to complete. The DH parameters are stored in /etc/easy-rsa/pki/dh.pem.

Generate OpenVPN Server Certificate and Key

To generate a certificate and private key for the OpenVPN server, run the command below;

cd /etc/easy-rsa
./easyrsa build-server-full server nopass

When the command runs, you will be prompted for the CA key passphrase created above.

nopass means the server's private key is written without a passphrase, so the service can start unattended; protect the file with filesystem permissions instead.


Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
.....+++++
...............................+++++
writing new private key to '/etc/easy-rsa/pki/easy-rsa-10170.VLZsfK/tmp.4TRoOP'
-----
Using configuration from /etc/easy-rsa/pki/easy-rsa-10170.VLZsfK/tmp.jTJJ7f
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Oct  3 18:03:20 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Generate Hash-based Message Authentication Code (HMAC) key

To generate the TLS pre-shared authentication key, which adds an extra HMAC signature to every TLS handshake packet so that packets not carrying it are dropped before any TLS processing (mitigating DoS attacks, port scans and UDP port flooding), run the command below;

openvpn --genkey --secret /etc/easy-rsa/pki/ta.key

Generate a Certificate Revocation List (CRL)

To invalidate a certificate you have already signed, you revoke it with ./easyrsa revoke <name> and then publish an updated Certificate Revocation List (CRL) for the server to check. Generate the initial (empty) CRL now so the server configuration can reference it;

./easyrsa gen-crl

Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Using configuration from /etc/easy-rsa/pki/easy-rsa-10284.mSzk9F/tmp.qdix0A
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/easy-rsa/pki/crl.pem

The CRL is stored as /etc/easy-rsa/pki/crl.pem. Note that OpenVPN only consults it if server.conf contains crl-verify crl.pem; without that line a revoked client certificate is still accepted. Re-run ./easyrsa gen-crl after every revocation, copy the new file to the server directory, and regenerate it before it expires (an Easy-RSA CRL is valid for 180 days by default, set by EASYRSA_CRL_DAYS).
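To make the revocation caveat concrete, here is an added example (not part of this guide, and not Easy-RSA's code) that uses the plain openssl CLI to do what Easy-RSA does at build-ca, build-client-full, revoke and gen-crl, and then verifies the client certificate the way a relying party would. It assumes openssl is installed and works entirely in a throwaway directory; "Demo CA" and "gentoo" are just names.

```shell
#!/bin/sh
# Added example: reproduce the CA / issue / revoke / gen-crl cycle with the openssl
# CLI and show that a revoked certificate still verifies unless the CRL is checked.
# For OpenVPN that check is "crl-verify crl.pem" in server.conf.

build_ca() {            # build_ca DIR : throwaway CA with the files "openssl ca" expects
  dir=$1
  mkdir -p "$dir/newcerts" && : > "$dir/index.txt" || return 1
  echo 1000 > "$dir/serial" && echo 1000 > "$dir/crlnumber" || return 1
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 825
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_leaf
[ demo_policy ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Self-signed CA certificate and key (like "easyrsa build-ca", minus the passphrase)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/openssl.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

issue_cert() {          # issue_cert DIR NAME : key + CSR + CA-signed cert (like build-client-full)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/openssl.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
  openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}

revoke_cert() {         # revoke_cert DIR NAME : mark the cert revoked in the CA database
  openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" >/dev/null 2>&1
}

gen_crl() {             # gen_crl DIR : publish the CRL (like "easyrsa gen-crl")
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

verify_cert() {         # verify_cert DIR NAME : chain check only, no revocation data
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

verify_cert_crl() {     # verify_cert_crl DIR NAME : same check, but consult the CRL
  openssl verify -crl_check -CRLfile "$1/crl.pem" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

demo_revocation() {
  # Returns 0 only if: a fresh cert verifies; after revoke + gen-crl a plain verify
  # still passes but a CRL-aware verify rejects it. That asymmetry is the lesson.
  d=$(mktemp -d) || return 1
  build_ca "$d" && issue_cert "$d" gentoo || { rm -rf "$d"; return 1; }
  rc=1
  if verify_cert "$d" gentoo && gen_crl "$d" && verify_cert_crl "$d" gentoo; then
    echo "fresh cert: OK with and without CRL check"
    if revoke_cert "$d" gentoo && gen_crl "$d" && verify_cert "$d" gentoo; then
      echo "after revoke: plain verify still OK (no CRL consulted)"
      if ! verify_cert_crl "$d" gentoo; then
        echo "after revoke: CRL-aware verify rejects the certificate"
        rc=0
      fi
    fi
  fi
  rm -rf "$d"
  return $rc
}

if demo_revocation; then
  echo "PASS: revocation is only enforced when the CRL is checked"
else
  echo "FAIL (is openssl installed?)" >&2
fi
```

The same asymmetry holds for OpenVPN: the server validates the chain against ca.crt on every connect, but it only rejects revoked certificates when crl-verify points at a current CRL.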

Copy Server Certificates and Keys to Server Directory

Next, copy the CA certificate, DH parameters, TLS auth key, CRL, and the server's own certificate and key to the OpenVPN server configuration directory, keeping the issued/ and private/ layout that the server configuration below references. Copy only what the server needs: the CA private key (private/ca.key) and the client keys must not live on the VPN server.

mkdir -p /etc/openvpn/server/{issued,private}
cp -p /etc/easy-rsa/pki/{ca.crt,dh.pem,ta.key,crl.pem} /etc/openvpn/server/
cp -p /etc/easy-rsa/pki/issued/server.crt /etc/openvpn/server/issued/
cp -p /etc/easy-rsa/pki/private/server.key /etc/openvpn/server/private/
chmod 600 /etc/openvpn/server/private/server.key /etc/openvpn/server/ta.key

Generate OpenVPN Client Certificate and Key

To generate OpenVPN clients certificate and private key, run the command below;

cd /etc/easy-rsa
./easyrsa build-client-full gentoo nopass

Sample output;


Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
........................+++++
.........................................................................................+++++
writing new private key to '/etc/easy-rsa/pki/easy-rsa-10316.rcXRdS/tmp.tauo7u'
-----
Using configuration from /etc/easy-rsa/pki/easy-rsa-10316.rcXRdS/tmp.RxlTaw
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'gentoo'
Certificate is to be certified until Oct  3 18:05:23 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

where gentoo is the name of the client for which the certificate and keys are generated. Always use a unique common name for each client that you are generating certificate and keys for.

To generate for the second client,

./easyrsa build-client-full johndoe nopass

Copy Client Certificates and Keys to Client Directory

Create a directory for each client on OpenVPN client’s directory

mkdir /etc/openvpn/client/{gentoo,johndoe}

Next, copy each client's certificate and private key, together with the CA certificate and the TLS auth key ta.key (tls-auth needs the same key on both ends), to that client's directory.

cp -p /etc/easy-rsa/pki/{ca.crt,ta.key,issued/gentoo.crt,private/gentoo.key} /etc/openvpn/client/gentoo/
cp -p /etc/easy-rsa/pki/{ca.crt,ta.key,issued/johndoe.crt,private/johndoe.key} /etc/openvpn/client/johndoe/
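Handing a user four separate files invites mistakes, so here is an added example (not from this guide and not OpenVPN's own tooling) that assembles one self-contained .ovpn profile from a client directory laid out as above. It assumes the server is reachable as vpn.example.com on udp/1194 (a placeholder), that ta.key has been copied into the client directory, and it mirrors the cipher and auth settings of the server configuration in this guide. The sample input files it writes for the demonstration are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example: build a single-file client profile from DIR/{ca.crt,NAME.crt,NAME.key,ta.key}.

pem_block() {
  # pem_block FILE LABEL : print only the "-----BEGIN LABEL-----" ... "-----END LABEL-----" body.
  # Easy-RSA's issued/*.crt begin with a human-readable dump that some clients reject when inlined.
  sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

make_ovpn() {
  # make_ovpn DIR NAME HOST OUT : write OUT with mode 0600; return 1 if any input is missing
  dir=$1 name=$2 host=$3 out=$4
  for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" "$dir/ta.key"; do
    [ -r "$f" ] || { echo "make_ovpn: missing $f" >&2; return 1; }
  done
  (
    umask 077                                  # the profile embeds the private key
    {
      cat <<EOF
client
dev tun
proto udp4
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a peer that presents a client certificate as if it were the server;
# Easy-RSA marks build-server-full certificates with the server EKU.
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
verb 3
EOF
      echo '<ca>';       pem_block "$dir/ca.crt" CERTIFICATE;     echo '</ca>'
      echo '<cert>';     pem_block "$dir/$name.crt" CERTIFICATE;  echo '</cert>'
      echo '<key>';      cat "$dir/$name.key";                    echo '</key>'
      echo '<tls-auth>'; cat "$dir/ta.key";                       echo '</tls-auth>'
    } > "$out"
  )
}

write_sample_client_files() {
  # write_sample_client_files DIR NAME : constructed stand-ins for the four inputs (not real keys)
  printf -- '-----BEGIN CERTIFICATE-----\nCAxCAxCA\n-----END CERTIFICATE-----\n' > "$1/ca.crt"
  printf 'Certificate:\n    Data:\n        Version: 3\n-----BEGIN CERTIFICATE-----\nCLIENTxCLIENT\n-----END CERTIFICATE-----\n' > "$1/$2.crt"
  printf -- '-----BEGIN PRIVATE KEY-----\nKEYxKEY\n-----END PRIVATE KEY-----\n' > "$1/$2.key"
  printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\nTAxTA\n-----END OpenVPN Static key V1-----\n' > "$1/ta.key"
}

# Demonstration on the constructed files
d=$(mktemp -d)
write_sample_client_files "$d" gentoo
make_ovpn "$d" gentoo vpn.example.com "$d/gentoo.ovpn" && cat "$d/gentoo.ovpn"
rm -rf "$d"
```

On the real server the call is make_ovpn /etc/openvpn/client/gentoo gentoo <your-server-name> gentoo.ovpn; the resulting file is as sensitive as the private key it contains, so deliver it over an authenticated channel and delete it once the client has imported it.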

Configure OpenVPN Server on Rocky Linux 8

OpenVPN comes with a sample configuration file within its documentation directory. Copy the file to /etc/openvpn/server/ and modify it to suit your needs.

cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/

Open the config for modification.

vim /etc/openvpn/server/server.conf

The file is heavily commented. Read the comments for every configuration option.

In its most basic form, below is our configuration, with the upstream comments removed and only security-relevant notes kept. Compression (comp-lzo) is deliberately absent: it lets an attacker recover secrets from compressed tunnel traffic (VORACLE) and is deprecated.


port 1194
proto udp4
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key  # This file should be kept secret
dh dh.pem
crl-verify crl.pem      # reject revoked client certs; re-read when it changes, so keep it readable by user/group below
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 192.168.10.3"
client-to-client        # lets VPN clients reach each other inside the daemon; drop it unless you need that
keepalive 10 120
tls-auth ta.key 0       # This file is secret; clients use key-direction 1
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Save and exit the configuration once done modifying.

Want to assign fixed/static IP addresses to your OpenVPN clients? Follow the guide below;

Assign Static IP Addresses for OpenVPN Clients

Create log directory;

mkdir /var/log/openvpn/

Explore the configuration and do further fine tuning to suit your needs.
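Before fine tuning, it helps to have a repeatable check for the settings a reviewer would flag. The following is an added example (not from this guide, not an OpenVPN tool) that audits a server.conf with nothing but sed and grep. Its "weak" sample is this guide's original configuration reproduced as test input, and its "hardened" sample is the same file with compression and client-to-client removed and crl-verify and tls-version-min added; the findings are one engineer's checklist, not an exhaustive policy.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server.conf for common weak settings.

has_opt()  { printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*($1)([[:space:]]|$)"; }  # option present
has_line() { printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*($1)[[:space:]]*$"; }     # whole line matches

audit_openvpn_conf() {
  # audit_openvpn_conf FILE : one line per finding on stdout; return value = number of findings
  cfg=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")   # drop comments and blank lines
  n=0
  flag() { n=$((n + 1)); printf '  [%d] %s\n' "$n" "$*"; }

  has_line 'comp-lzo|comp-lzo[[:space:]]+(yes|adaptive)|compress[[:space:]]+(lzo|lz4|lz4-v2)' \
    && flag "compression enabled: lets an attacker recover secrets from tunnel traffic (VORACLE)"
  has_opt 'tls-auth|tls-crypt|tls-crypt-v2' \
    || flag "no tls-auth/tls-crypt: the TLS listener answers anyone, nothing gates floods and scanners"
  has_opt 'crl-verify' \
    || flag "no crl-verify: certificates revoked with 'easyrsa revoke' are still accepted"
  has_opt 'user' && has_opt 'group' \
    || flag "no user/group: the daemon keeps running as root after startup"
  has_opt 'tls-version-min' \
    || flag "no tls-version-min: TLS 1.0/1.1 still negotiable on the control channel"
  has_opt 'cipher[[:space:]]+(none|BF-CBC|DES.*|RC2.*|CAST5.*)' \
    && flag "weak or no data-channel cipher"
  has_opt 'auth[[:space:]]+(none|MD5|SHA1)' \
    && flag "weak packet HMAC (auth)"
  has_opt 'duplicate-cn' \
    && flag "duplicate-cn: one leaked client certificate can be used by many clients at once"
  has_opt 'verify-client-cert[[:space:]]+none|client-cert-not-required' \
    && flag "client certificates not required"
  has_opt 'client-to-client' \
    && flag "client-to-client: VPN peers reach each other inside the daemon, bypassing the host firewall"
  return $n
}

write_sample_configs() {
  # write_sample_configs DIR : constructed inputs; weak.conf is the guide's original configuration
  cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp4
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key  # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
explicit-exit-notify 1
auth SHA512
EOF
  # hardened.conf: no compression, no client-to-client, CRL enforced, TLS 1.2 minimum
  sed -e '/^comp-lzo/d' -e '/^client-to-client/d' "$1/weak.conf" > "$1/hardened.conf"
  printf 'crl-verify crl.pem\ntls-version-min 1.2\n' >> "$1/hardened.conf"
}

# Demonstration on the constructed samples
d=$(mktemp -d)
write_sample_configs "$d"
for name in weak hardened; do
  echo "== $name.conf"
  if audit_openvpn_conf "$d/$name.conf"; then echo "  no findings"; fi
done
rm -rf "$d"
```

Run it as audit_openvpn_conf /etc/openvpn/server/server.conf after every change; a non-zero return value makes it easy to wire into a pre-deploy check.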

Configure OpenVPN Server Routing

To route the clients' traffic out through the server's IP address (which also masks the clients' own addresses), you need to enable IP forwarding on the OpenVPN server;

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Run the command below to effect the changes without rebooting the server.

sysctl --system

Allow OpenVPN service port through firewall

firewall-cmd --add-port=1194/udp --permanent

Activate IP Masquerading

firewall-cmd --add-masquerade --permanent

Masquerade traffic arriving from the OpenVPN subnet, 10.8.0.0/24 in our case, onto the interface through which packets leave the server.

Find that interface by running the command below;

ip route get 8.8.8.8
8.8.8.8 via 10.0.2.2 dev enp0s3 src 10.0.2.15 uid 0 
    cache

The interface name and the subnet may differ in your case. Replace them accordingly.

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE

Reload firewalld for the changes to take effect.

firewall-cmd --reload

Start OpenVPN and enable it to run at system boot.

systemctl enable --now openvpn-server@server

When OpenVPN service runs, it will create a tunnelling interface, tun0;

ip add s
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::afd7:17a6:57ee:7f3b/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Checking the logs;

tail /var/log/openvpn/openvpn.log

/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]
GID set to nobody
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
IFCONFIG POOL LIST
Initialization Sequence Completed

Your OpenVPN Server is now up and running.

You can now proceed to configure OpenVPN clients and interconnect them through the vpn server.

Install and Configure OpenVPN Client on Rocky Linux 8

gen_too
Co-founder of Kifarunix.com, Linux Tips and Tutorials. Linux/Unix admin and author at Kifarunix.com.

1 thought on “Setup OpenVPN Server on Rocky Linux 8”

  1. Hello! Thank you very much for your guide, it saved me a lot of time

    I want to note two things which I’ve used to add to make it work

    First, as I didn't have a private DNS server, I had to install some kind of DNS proxy. Guys on serverfault had generously provided a basic guide with configuration for unbound (https://serverfault.com/a/1051176). Do not forget to open the port for the desired networks.

    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.8.0.0/24" port protocol="tcp" port="53" accept'

    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.8.0.0/24" port protocol="udp" port="53" accept'

    Second, for some reason, the provided firewall-cmd configuration wasn't enough for me. I'm not very proficient in VPNs (that's why I'm here) or iptables, but on the Internet there was only information for iptables configuration. I took the reference from https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
    Well, it is quite simple and it is working:

    Replace $dev with your uplink interface. Other values were taken from this article, so if you're copy-pasting it is safe to make no changes except the one noted.

    iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $dev -j MASQUERADE
    iptables -I INPUT 1 -i tun0 -j ACCEPT
    iptables -I FORWARD 1 -i $dev -o tun0 -j ACCEPT
    iptables -I FORWARD 1 -i tun0 -o $dev -j ACCEPT
    iptables -I INPUT 1 -i $dev -p udp --dport 1194 -j ACCEPT

