Step 1: Install the OpenVPN server packages
# Refresh the package index, add the EPEL repository (OpenVPN and Easy-RSA are
# not in the base CentOS repositories), refresh again so EPEL's metadata is
# loaded, then install both packages.
sudo yum -y update
sudo yum -y install epel-release
sudo yum -y update
sudo yum -y install openvpn easy-rsa
Configure IP forwarding for the OpenVPN server
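# /etc/sysctl.conf is root-owned; the earlier steps run as an unprivileged
# user (they use sudo), so the edit needs sudo as well.
sudo vim /etc/sysctl.conf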
Add the following to sysctl.conf, then apply it without a reboot with `sudo sysctl -p`:
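# Packet forwarding: the server must route client traffic out to the network
# (a bare "Packet forwarding" line without the leading '#' is not valid sysctl
# syntax and makes `sysctl -p` report a malformed setting).
net.ipv4.ip_forward = 1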
Step 2: Configure the OpenVPN server
Open the server.conf file
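# /etc/openvpn is root-owned; edit with sudo (the rest of the setup runs as a
# non-root user).
sudo vim /etc/openvpn/server.conf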
The configuration content is as below:
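# Secure OpenVPN server config (/etc/openvpn/server.conf)
#
# Basic connection settings
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 4
#
# Certificates and keys (paths relative to /etc/openvpn). server.key and
# ta.key are secrets: keep them root-owned, mode 0600.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# ta.key adds an HMAC to every control-channel packet, so peers without it
# cannot even begin a TLS handshake (direction 0 here, 1 on clients).
# NOTE(review): on OpenVPN 2.4+ tls-crypt additionally encrypts the control
# channel and is preferable when all clients support it — version not stated here.
tls-auth ta.key 0
#
# Ciphers and hardening
# reneg-sec 0 turns off server-initiated data-channel rekeying; clients still
# rekey on their own default interval unless they also set it to 0.
reneg-sec 0
# Only accept peer certificates carrying the TLS Client EKU, so a server
# certificate from the same CA cannot be replayed as a client.
remote-cert-tls client
# Reject revoked client certificates. crl.pem must remain readable after the
# privilege drop below, and it must be regenerated (easyrsa gen-crl) and
# re-copied before it expires — Easy-RSA's default CRL lifetime is 180 days
# (EASYRSA_CRL_DAYS); an expired CRL makes the server reject every client.
crl-verify crl.pem
tls-version-min 1.2
# AES-256-CBC + SHA512 HMAC. AES-256-GCM (AEAD) is preferable when every peer
# runs OpenVPN 2.4+; this page does not state versions, so CBC is kept for
# compatibility with the client profile below.
cipher AES-256-CBC
auth SHA512
# DHE-RSA suites only (forward secrecy via dh.pem); GCM suites listed first.
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
#
# Drop privileges after start-up. persist-key/persist-tun (below) let the
# process survive a SIGUSR1 restart without re-reading root-only files.
user nobody
group nobody
#
# IP pool
server 10.10.100.0 255.255.255.0
topology subnet
# NOTE(review): ipp.txt is rewritten periodically; after the drop to nobody
# the update may fail unless the file is writable by that user — check the log.
ifconfig-pool-persist ipp.txt
client-config-dir client_dir
#
# Misc
persist-key
persist-tun
# Compression is disabled: compressing plaintext before encryption lets an
# attacker who can inject content into the tunnel recover secrets from
# ciphertext length (compression-oracle attacks such as VORACLE). "no" keeps
# the compression framing, so clients that still set comp-lzo keep working,
# and the setting is pushed so they stop compressing too.
comp-lzo no
push "comp-lzo no"
#
# Force all client traffic through the tunnel and hand out resolvers. These
# are Google's public resolvers — every client DNS query goes to a third
# party; substitute your own resolver if that matters to you.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#
# Logging (file is opened before the privilege drop, so root-owned is fine)
log-append /var/log/openvpn.log
verb 3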
Create the client-config directory (used by client-config-dir), build the PKI with Easy-RSA, and install the server-side files:
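# Directory for per-client overrides referenced by client-config-dir.
sudo mkdir /etc/openvpn/client_dir

# Build the PKI in ~/pki as the unprivileged user.
# NOTE(review): ~/pki/private/ca.key is the CA signing key and is not needed
# on the VPN server at run time; leaving it here means anyone who compromises
# this host can mint valid VPN certificates. Prefer running the CA on a
# separate (ideally offline) machine and copying only the issued files over.
cd ~
/usr/share/easy-rsa/3/easyrsa init-pki
# Set a passphrase on the CA key when prompted.
/usr/share/easy-rsa/3/easyrsa build-ca
/usr/share/easy-rsa/3/easyrsa gen-dh
# nopass: the service is started by systemd, which cannot answer a key
# passphrase prompt, so an encrypted server key would keep the unit from
# starting. The key is protected by file ownership/permissions instead.
/usr/share/easy-rsa/3/easyrsa build-server-full vpn-server nopass
# The client key keeps a passphrase (prompted): it leaves this host.
/usr/share/easy-rsa/3/easyrsa build-client-full vpn-client-01
# Empty CRL so crl-verify has something to load. Easy-RSA's default CRL
# lifetime is 180 days (EASYRSA_CRL_DAYS); re-run gen-crl and copy the new
# crl.pem over before then, or the server starts rejecting every client.
/usr/share/easy-rsa/3/easyrsa gen-crl
# Shared HMAC key for tls-auth (needed by every peer).
openvpn --genkey --secret pki/ta.key

# Install under /etc/openvpn (the paths server.conf refers to).
sudo cp pki/ca.crt /etc/openvpn/ca.crt
sudo cp pki/dh.pem /etc/openvpn/dh.pem
sudo cp pki/issued/vpn-server.crt /etc/openvpn/server.crt
sudo cp pki/private/vpn-server.key /etc/openvpn/server.key
sudo cp pki/ta.key /etc/openvpn/ta.key
sudo cp pki/crl.pem /etc/openvpn/crl.pem
# Secrets root-only; public material (incl. crl.pem, which is re-read after
# the drop to nobody) world-readable.
sudo chown root:root /etc/openvpn/server.key /etc/openvpn/ta.key
sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
sudo chmod 644 /etc/openvpn/ca.crt /etc/openvpn/dh.pem /etc/openvpn/server.crt /etc/openvpn/crl.pem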
Start the OpenVPN server
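# Unit name is openvpn@server.service: openvpn@<name> reads
# /etc/openvpn/<name>.conf, so "server" selects the server.conf written above.
# (The "[email protected]" form seen on some copies of this page is an
# e-mail-obfuscation artefact, not a real unit name.)
# NOTE(review): some newer packages ship openvpn-server@<name> reading
# /etc/openvpn/server/<name>.conf instead — check `systemctl list-unit-files`.
sudo systemctl enable --now openvpn@server.service
sudo systemctl status openvpn@server.service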
Follow the OpenVPN server log:
# Stream new lines of the server log (verb 3 from server.conf) as they arrive.
sudo tail --follow /var/log/openvpn.log
Configure iptables to allow the OpenVPN server and to forward/NAT client traffic
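# Firewall rules for the VPN, as iptables CLI commands. Run them while the
# saved ruleset is loaded (i.e. after `systemctl start iptables`, which
# replaces the running rules with /etc/sysconfig/iptables) and before
# `service iptables save`, which writes the running rules back to that file.
# -I (insert at the head) is used instead of -A: the stock CentOS ruleset ends
# INPUT and FORWARD with a REJECT rule, behind which an appended rule never
# matches. If you edit /etc/sysconfig/iptables by hand instead, put the
# equivalent -A lines above those REJECT rules.

# Inbound OpenVPN on the public interface (change eth0 to your interface).
sudo iptables -I INPUT -i eth0 -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I OUTPUT -o eth0 -p udp --sport 1194 -m state --state ESTABLISHED -j ACCEPT

# Traffic between connected clients and this host. Accepting everything on
# tun0 exposes every local service to every VPN client; narrow it to specific
# ports if this box runs more than OpenVPN.
sudo iptables -I INPUT -i tun0 -j ACCEPT
sudo iptables -I OUTPUT -o tun0 -j ACCEPT

# Forwarding: only traffic that really originates from the VPN pool, plus
# replies. (An unconditional "-i tun0 -j ACCEPT" forward rule is deliberately
# not added — it would make the source restriction below meaningless.)
sudo iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I FORWARD -i tun0 -o eth0 -s 10.10.100.0/24 -j ACCEPT

# redirect-gateway sends client internet traffic out via eth0; unless your
# upstream network routes 10.10.100.0/24 back to this host, that traffic must
# be source-NATed or replies never return.
sudo iptables -t nat -A POSTROUTING -s 10.10.100.0/24 -o eth0 -j MASQUERADE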
Start and enable the iptables service, then persist the ruleset
# Enable and start the iptables service (start applies /etc/sysconfig/iptables,
# replacing whatever ruleset is currently loaded), then write the running
# rules back to that file so they survive a reboot. The OpenVPN rules must be
# present in the running ruleset at the moment of the save.
sudo systemctl enable --now iptables
sudo service iptables save
Step 3: Set up the OpenVPN client
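# Stage the files the client needs in ~/vpn-client-01-config. client.key is
# the client's private key and ta.key is the shared HMAC secret; keep the
# directory and both files private (the tarball built later inherits these
# modes).
cd ~
mkdir vpn-client-01-config
chmod 700 vpn-client-01-config
cp pki/ca.crt vpn-client-01-config/ca.crt
cp pki/issued/vpn-client-01.crt vpn-client-01-config/client.crt
cp pki/private/vpn-client-01.key vpn-client-01-config/client.key
cp pki/ta.key vpn-client-01-config/ta.key
chmod 600 vpn-client-01-config/client.key vpn-client-01-config/ta.key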
Create the client profile, client.ovpn:
# Path is relative to the home directory entered with `cd ~` above.
vim vpn-client-01-config/client.ovpn
The content is as below:
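# Secure OpenVPN client config (vpn-client-01-config/client.ovpn)
# Viscosity-specific hints; other clients ignore them.
#viscosity dns full
#viscosity usepeerdns true
#viscosity dhcp true
# 'client' already implies tls-client and pull; kept explicit as in the original.
tls-client
pull
client
dev tun
proto udp
# Replace 123.123.123.123 with the server's public IP address or DNS name.
remote 123.123.123.123 1194
# Route all traffic through the tunnel (the server pushes this as well).
redirect-gateway def1
nobind
persist-key
persist-tun
# Compression off: compressing before encryption exposes secrets to
# compression-oracle attacks (e.g. VORACLE). "no" keeps the compression
# framing, so the profile still interoperates with a server that has comp-lzo.
comp-lzo no
verb 3
ca ca.crt
cert client.crt
key client.key
# Direction 1 pairs with "tls-auth ta.key 0" on the server. key-direction is
# redundant with this file form but required if ta.key is later inlined.
tls-auth ta.key 1
key-direction 1
# Require the server certificate to carry the TLS Server EKU (so a client
# certificate from the same CA cannot impersonate the server) and pin its
# Common Name to the one issued with "easyrsa build-server-full vpn-server".
# The deprecated "ns-cert-type server" check is dropped: Easy-RSA 3 server
# certificates generally carry extendedKeyUsage rather than nsCertType, so
# that check tends to fail (inspect with `openssl x509 -text` if in doubt).
remote-cert-tls server
verify-x509-name vpn-server name
# Must match the server's data-channel settings.
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256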
Use tar to bundle the vpn-client-01-config folder:
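# Bundle the profile together with the client's private key and ta.key.
# Keep the archive private, move it to the client over an authenticated
# channel (scp/sftp, not e-mail), and delete it from the server afterwards.
tar czvf vpn-client-01-config.tgz vpn-client-01-config
chmod 600 vpn-client-01-config.tgz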
Download vpn-client-01-config.tgz to your Windows or Linux machine over a secure channel (e.g. scp) — it contains the client's private key. See: How to connect to an OpenVPN server from a Linux computer.
Thanks
Thanks for reading my blog :) Have a good day.