Differences

This shows you the differences between two versions of the page.

Link to this comparison view

how-to:centos7:install-openvpn [2015-09-14 23:48:56] (current)
shaun.reitan created
Line 1: Line 1:
 +====== How to install and configure OpenVPN on CentOS 7 ======
 +
 +This how-to will walk you through a quick and easy OpenVPN install on a CentOS minimal server.
 +
 +===== Install Required Packages =====
 +
 +To help with maintenance and security we will be enabling and using EPEL.  By going this route your OpenVPN installation will be updated automatically when new versions are released.  Make sure your package manager (YUM) is set to run automatic updates.
 +
 +<code>
 +yum install epel-release
 +yum update
 +</code>
 +
 +Now that EPEL packages are available for installation on your system we can now install OpenVPN.
 +
 +<code>
 +yum install openvpn
 +</code>
 +
 +Install a set of encryption tools that will help generating the SSL Certs and Keys
 +
 +<code>
 +yum install easy-rsa
 +</code>
 +
 +===== Configure and Build Certs and Keys =====
 +
 +Now we are ready to generate the Cert and Keys our OpenVPN server and clients will be using.  The first step is to copy over the easy-rsa tools we installed to make this job easier.
 +
 +<code>
 +cp -R /usr/share/easy-rsa/ /etc/openvpn
 +</code>
 +
 +Next, edit **/etc/openvpn/easy-rsa/2.0/vars** and modify the following lines to match your requirements
 +
 +<code>
 +export KEY_PROVINCE="CA"
 +export KEY_CITY="SanClemente"
 +export KEY_ORG="Network Data Center Host, Inc."
 +export KEY_EMAIL="recipient@domain.com"
 +export KEY_OU="VPN"
 +export KEY_CN="vps1.domain.com"
 +</code>
 +
 +Generate the CA-Bundle
 +
 +<code>
 +cd /etc/openvpn/easy-rsa/2.0/
 +. /etc/openvpn/easy-rsa/2.0/vars
 +. /etc/openvpn/easy-rsa/2.0/clean-all
 +. /etc/openvpn/easy-rsa/2.0/build-ca
 +</code>
 +
 +The last command will ask you multiple questions, all of which should be set to to the values you entered in the vars file.  You should be able to just hit enter for each question and let it fill itself with the default answer!
 +
 +Now we are going to generate the server certificate and key
 +
 +<code>
 +. /etc/openvpn/easy-rsa/2.0/build-key-server server
 +</code>
 +
 +Again this command will ask you a series of questions. The questions will have a default answer and you can simply hit enter for them all.  There will be a question asking you for a challenge password, in this example we wont set one, and will leave it blank.
 +
 +Now lets build a client certificate and key.  The clientname below should be unique for each VPN client. We typically will set this to the username the client will use to authenticate with the VPN server.
 +
 +<code>
 +. /etc/openvpn/easy-rsa/2.0/build-key clientname
 +</code>
 +
 +This command will again ask you a series of questions, just as before you can use the defaults.
 +
 +Next, generate the DH parameters, this could take a while....
 +
 +<code>
 +. /etc/openvpn/easy-rsa/2.0/build-dh
 +</code>
 +
 +Finally, move the cert and keys into their new home!
 +
 +<code>
 +cd /etc/openvpn/easy-rsa/2.0/keys
 +cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn
 +</code>
 +
 +===== Configuring OpenVPN =====
 +
 +Now we will start the configuration of the OpenVPN server.  OpenVPN was nice enough to provide a sample configuration file that will work out of the box.
 +
 +<code>
 +cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/openvpn/
 +</code>
 +
 +
 +===== Forwarding all client traffic through the server =====
 +
 +The sample config lets clients connect to the VPN server and those clients will now have an encrypted connection between their computer and the server.  But what if you wanted all of your clients traffic to route through the VPN, even traffic destined for the web!  You can easily do this by following the instructions below.
 +
 +First add the following line to your **/etc/openvpn/server.conf**
 +
 +<code>
 +push "redirect-gateway def1"
 +</code>
 +
 +Next, create **/etc/sysctl.d/98-openvpn.conf** and add the following line
 +
 +<code>
 +net.ipv4.ip_forward = 1
 +</code>
 +
 +and reload sysctl
 +
 +<code>
 +sysctl --system
 +</code>
 +
 +and finally lets add an iptables rule to forward traffic through the VPN!
 +
 +<code>
 +echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/rc.local
 +echo "iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT" >> /etc/rc.local
 +echo "iptables -A FORWARD -j REJECT" >> /etc/rc.local
 +echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" >> /etc/rc.local
 +. /etc/rc.local
 +</code>
 +
 +===== Start OpenVPN and set to automatically start on boot =====
 +
 +<code>
 +systemctl -f enable openvpn@server.service
 +systemctl start openvpn@server.service
 +</code>
 +
 +
 +OpenVPN has now been installed and should be running.  You next need to configure your OpenVPN client to connect to the server!
 +
 +
 +
 +