How to set up an OpenVPN server on CentOS 7

In this tutorial, I will set up an OpenVPN server on CentOS 7.


Step 1: Prepare and install the OpenVPN server

sudo yum update -y
sudo yum install epel-release -y
sudo yum update -y
sudo yum install -y openvpn easy-rsa

Configure IP forwarding for the OpenVPN server by editing /etc/sysctl.conf:
vim /etc/sysctl.conf

The sysctl.conf file should contain the following line:
# Packet forwarding
net.ipv4.ip_forward = 1


Step 2: Configure OpenVPN Server

Open the server.conf file:
vim /etc/openvpn/server.conf

The content of the configuration file is as below:
#Secure OpenVPN Server Config
#Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 4

#Certs
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

#Ciphers and Hardening
reneg-sec 0
remote-cert-tls client
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

#Drop Privs
user nobody
group nobody

#IP pool
server 10.10.100.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir client_dir

#Misc
persist-key
persist-tun
comp-lzo

#DHCP Push options force all traffic through VPN and sets DNS servers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Logging
log-append /var/log/openvpn.log
verb 3


Create the client-config directory and generate the PKI (CA, server and client certificates, DH parameters, CRL and tls-auth key) with easy-rsa:

sudo mkdir /etc/openvpn/client_dir
cd ~
/usr/share/easy-rsa/3/easyrsa init-pki
/usr/share/easy-rsa/3/easyrsa build-ca
/usr/share/easy-rsa/3/easyrsa gen-dh
/usr/share/easy-rsa/3/easyrsa build-server-full vpn-server
/usr/share/easy-rsa/3/easyrsa build-client-full vpn-client-01
/usr/share/easy-rsa/3/easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

sudo cp pki/ca.crt /etc/openvpn/ca.crt
sudo cp pki/dh.pem /etc/openvpn/dh.pem
sudo cp pki/issued/vpn-server.crt /etc/openvpn/server.crt
sudo cp pki/private/vpn-server.key /etc/openvpn/server.key
sudo cp pki/ta.key /etc/openvpn/ta.key
sudo cp pki/crl.pem /etc/openvpn/crl.pem


Start the OpenVPN server:

sudo systemctl -f enable openvpn@server.service
sudo systemctl start openvpn@server.service

To view the OpenVPN server log:
sudo tail -f /var/log/openvpn.log
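Tailing the log is enough to see a client come up, but at verb 3 the same file also records failed tls-auth HMAC checks, TLS handshake failures and certificate verification errors, which is what an operator wants to count per source address. The following script is an added example (not part of the tutorial) that parses such lines into sessions and failure counts; the sample log is constructed, with addresses from documentation ranges, and its line formats are modelled on OpenVPN 2.4 verb 3 output.

```python
import re
from collections import Counter

# Constructed sample of /var/log/openvpn.log at "verb 3" (not captured from a real server).
# One client connects and later disconnects; another source first sends packets that fail
# the tls-auth HMAC check and then presents a revoked certificate.
SAMPLE_LOG = """\
Tue Mar  5 10:00:01 2019 198.51.100.10:51234 TLS: Initial packet from [AF_INET]198.51.100.10:51234, sid=1a2b3c4d 5e6f7a8b
Tue Mar  5 10:00:02 2019 198.51.100.10:51234 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Mar  5 10:00:02 2019 198.51.100.10:51234 VERIFY OK: depth=0, CN=vpn-client-01
Tue Mar  5 10:00:02 2019 198.51.100.10:51234 [vpn-client-01] Peer Connection Initiated with [AF_INET]198.51.100.10:51234
Tue Mar  5 10:00:02 2019 vpn-client-01/198.51.100.10:51234 MULTI_sva: pool returned IPv4=10.10.100.2, IPv6=(Not enabled)
Tue Mar  5 10:05:00 2019 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:44444
Tue Mar  5 10:05:01 2019 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:44444
Tue Mar  5 10:06:00 2019 203.0.113.7:44445 VERIFY ERROR: depth=0, error=certificate revoked: CN=vpn-client-02
Tue Mar  5 10:06:00 2019 203.0.113.7:44445 TLS Error: TLS handshake failed
Tue Mar  5 10:06:00 2019 203.0.113.7:44445 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Mar  5 10:30:00 2019 vpn-client-01/198.51.100.10:51234 SIGTERM[soft,remote-exit] received, client-instance exiting
"""

# Timestamp, optional "CN/" prefix, optional "ip:port" peer prefix, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?:(?:(?P<cn>[^/ ]+)/)?(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) )?(?P<msg>.*)$"
)
# Packets rejected by tls-auth carry the source only inside the message.
HMAC_RE = re.compile(r"cannot locate HMAC in incoming packet from \[AF_INET\](\d+\.\d+\.\d+\.\d+):\d+")


def summarize(log_text):
    """Parse server log lines into sessions, per-source handshake failures and VERIFY errors."""
    sessions = {}         # (src ip, src port) -> session record
    failures = Counter()  # src ip -> HMAC-rejected packets plus failed TLS handshakes
    verify_errors = []    # (timestamp, src ip, error text, CN presented)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, port, msg = m.group("ts", "ip", "port", "msg")
        hm = HMAC_RE.search(msg)
        if hm:                      # never reached TLS: wrong or missing ta.key
            failures[hm.group(1)] += 1
            continue
        if ip is None:              # daemon-level line without a peer prefix
            continue
        key = (ip, port)
        if msg.startswith("[") and "Peer Connection Initiated" in msg:
            sessions[key] = {"cn": msg[1:msg.index("]")], "src": ip, "vpn_ip": None,
                             "connected": ts, "disconnected": None}
        elif msg.startswith("MULTI_sva: pool returned IPv4=") and key in sessions:
            sessions[key]["vpn_ip"] = msg.split("IPv4=", 1)[1].split(",", 1)[0]
        elif "client-instance exiting" in msg and key in sessions:
            sessions[key]["disconnected"] = ts
        elif msg == "TLS Error: TLS handshake failed":
            failures[ip] += 1
        elif msg.startswith("VERIFY ERROR:"):
            vm = re.search(r"error=([^:]+): CN=(.+)$", msg)
            if vm:
                verify_errors.append((ts, ip, vm.group(1), vm.group(2)))
    return {"sessions": list(sessions.values()), "failures": dict(failures),
            "verify_errors": verify_errors}


def noisy_sources(summary, threshold=3):
    """Source addresses with at least `threshold` failed or unauthenticated handshakes."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for s in result["sessions"]:
        print(f"{s['cn']} from {s['src']} got {s['vpn_ip']}: {s['connected']} -> {s['disconnected']}")
    print("failures per source:", result["failures"])
    print("verify errors:", result["verify_errors"])
    print("sources worth blocking:", noisy_sources(result))
```

Feed it the real file with `summarize(open("/var/log/openvpn.log").read())`. The two failure classes are worth keeping apart in practice: "cannot locate HMAC" means the sender does not hold ta.key at all, while a VERIFY ERROR with "certificate revoked" shows the crl-verify line in server.conf doing its job against a certificate that was once valid.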


Configure iptables to allow the OpenVPN server; add the following rules (iptables-save syntax) to /etc/sysconfig/iptables:

-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.10.100.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Enable and start the iptables service, then save the rules:

sudo systemctl enable iptables
sudo systemctl start iptables
sudo service iptables save
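The rules above open udp/1194 and let packets from tun0 be forwarded out of eth0, but a server that pushes redirect-gateway also has to source-NAT the 10.10.100.0/24 range, otherwise replies from the internet have no route back to the clients (unless the upstream network routes that range to this host). The script below is an added example, not part of the tutorial: it parses an iptables rule set and reports which of the pieces a redirect-gateway OpenVPN server needs are missing, and it includes the nat POSTROUTING rule that the page's rules lack.

```python
import ipaddress

# The tutorial's filter rules, copied from the page above (iptables-save syntax).
PAGE_RULES = """\
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.10.100.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

# NAT rule a redirect-gateway server additionally needs so that client traffic leaving
# eth0 carries the server's own address (added here; it is not on the page).
NAT_RULE = "-t nat -A POSTROUTING -s 10.10.100.0/24 -o eth0 -j MASQUERADE"

# Options that take one argument; anything else is treated as a bare flag.
_VALUED = {"-t", "-A", "-i", "-o", "-p", "-s", "-d", "-j", "-m",
           "--dport", "--sport", "--state", "--ctstate", "--to-source"}


def parse_rules(text):
    """Parse iptables-save / iptables-restore lines into dicts.
    '*table' headers set the table for the rules that follow; ':CHAIN' and COMMIT are skipped."""
    table, rules = "filter", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        rule, toks, i = {"table": table}, line.split(), 0
        while i < len(toks):
            key = toks[i]
            if key in _VALUED and i + 1 < len(toks):
                rule[{"-t": "table", "-A": "chain"}.get(key, key)] = toks[i + 1]
                i += 2
            else:
                rule[key] = True
                i += 1
        rules.append(rule)
    return rules


def _covers(src, net):
    """True when a rule's -s (or the absence of -s) includes the whole VPN subnet."""
    return src is None or net.subnet_of(ipaddress.ip_network(src, strict=False))


def check_vpn_rules(text, wan="eth0", tun="tun0", port="1194", subnet="10.10.100.0/24"):
    """Return what a redirect-gateway OpenVPN server needs that this rule set lacks."""
    rules = parse_rules(text)
    net = ipaddress.ip_network(subnet)
    missing = []

    def has(pred):
        return any(pred(r) for r in rules)

    if not has(lambda r: r["table"] == "filter" and r.get("chain") == "INPUT" and r.get("-i") == wan
               and r.get("-p") == "udp" and r.get("--dport") == port and r.get("-j") == "ACCEPT"):
        missing.append(f"INPUT: accept udp/{port} on {wan}")
    if not has(lambda r: r["table"] == "filter" and r.get("chain") == "FORWARD"
               and r.get("-i") == tun and r.get("-j") == "ACCEPT"):
        missing.append(f"FORWARD: accept client traffic arriving on {tun}")
    if not has(lambda r: r["table"] == "filter" and r.get("chain") == "FORWARD" and r.get("-j") == "ACCEPT"
               and "ESTABLISHED" in str(r.get("--state") or r.get("--ctstate") or "")):
        missing.append("FORWARD: accept ESTABLISHED,RELATED return traffic")
    if not has(lambda r: r["table"] == "nat" and r.get("chain") == "POSTROUTING" and r.get("-o") == wan
               and r.get("-j") in ("MASQUERADE", "SNAT") and _covers(r.get("-s"), net)):
        missing.append(f"nat POSTROUTING: MASQUERADE or SNAT {subnet} out of {wan}")
    return missing


if __name__ == "__main__":
    print("page rules:", check_vpn_rules(PAGE_RULES) or "complete")
    print("with NAT rule:", check_vpn_rules(PAGE_RULES + NAT_RULE + "\n") or "complete")
```

Run against the saved file with `check_vpn_rules(open("/etc/sysconfig/iptables").read())`; pass `wan=` if the uplink is not eth0. In the saved file the NAT rule lives in its own `*nat` section (`-A POSTROUTING -s 10.10.100.0/24 -o eth0 -j MASQUERADE`), which the parser handles the same way as the `-t nat` form.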


Step 3: Set up the OpenVPN client

cd ~
mkdir vpn-client-01-config
cp pki/ca.crt vpn-client-01-config/ca.crt
cp pki/issued/vpn-client-01.crt vpn-client-01-config/client.crt
cp pki/private/vpn-client-01.key vpn-client-01-config/client.key
cp pki/ta.key vpn-client-01-config/ta.key

Create the client configuration file client.ovpn:

vim vpn-client-01-config/client.ovpn

The content is as below:

# Secure OpenVPN Client Config

#viscosity dns full
#viscosity usepeerdns true
#viscosity dhcp true
tls-client
pull
client
dev tun
proto udp
remote 123.123.123.123 1194
redirect-gateway def1
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
ns-cert-type server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
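Both configuration files on this page (server.conf in Step 2 and client.ovpn above) contain the settings that decide how much protection the tunnel really gives, and a few of them deserve a second look before the profile is handed out: comp-lzo enables compression on both ends, and ns-cert-type is a deprecated way of doing what remote-cert-tls already does. The script below is an added example and not code from the tutorial. It parses an OpenVPN config, flags the weak or deprecated directives, and cross-checks the server and client files against each other (tls-auth key direction, cipher, auth, TLS version and port); it embeds abridged copies of the two configs from this page, so the placeholder address 123.123.123.123 and the relative file paths are the page's own.

```python
import shlex

# Cipher and HMAC names that should not appear in a modern OpenVPN config.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}

# Abridged copies of the tutorial's server.conf and client.ovpn (only the directives
# the checks below look at).
SERVER_CONF = """\
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
remote-cert-tls client
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
user nobody
group nobody
server 10.10.100.0 255.255.255.0
comp-lzo
"""

CLIENT_CONF = """\
client
proto udp
remote 123.123.123.123 1194
comp-lzo
tls-auth ta.key 1
remote-cert-tls server
ns-cert-type server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
"""


def parse_ovpn(text):
    """Return {directive: [args]} for the first occurrence of each directive.
    Lines starting with '#' or ';' are comments, as in OpenVPN itself."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], parts[1:])
    return conf


def lint(text):
    """Return (role, findings); findings lists the hardening gaps in one config file."""
    c = parse_ovpn(text)
    role = "server" if "server" in c else "client" if "client" in c else "unknown"
    findings = []
    if "tls-version-min" not in c or float(c["tls-version-min"][0]) < 1.2:
        findings.append("tls-version-min missing or below 1.2")
    if "auth" not in c or c["auth"][0].upper() in WEAK_AUTH:
        findings.append("auth missing or weak (use SHA256 or stronger)")
    if "cipher" not in c or c["cipher"][0].upper() in WEAK_CIPHERS:
        findings.append("cipher missing or weak")
    if "tls-auth" not in c and "tls-crypt" not in c:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if "remote-cert-tls" not in c:
        findings.append("remote-cert-tls missing: peer certificate purpose is not checked")
    if "ns-cert-type" in c:
        findings.append("ns-cert-type is deprecated; remote-cert-tls already covers this check")
    if "comp-lzo" in c or "compress" in c:
        findings.append("compression enabled: exposes tunnelled traffic to compression side channels (VORACLE)")
    if role == "server":
        if "user" not in c or "group" not in c:
            findings.append("server does not drop privileges (user/group)")
        if "crl-verify" not in c:
            findings.append("server has no crl-verify: revoked client certificates are still accepted")
    ta, kd = c.get("tls-auth", []), c.get("key-direction")
    if len(ta) > 1 and kd and ta[1] != kd[0]:
        findings.append("tls-auth direction and key-direction disagree")
    return role, findings


def check_pair(server_text, client_text):
    """Cross-check a server config against a client config; return the mismatches."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = [f"{name} differs between server and client"
                for name in ("cipher", "auth", "tls-version-min", "proto") if s.get(name) != c.get(name)]
    if (s.get("tls-auth") or [])[1:2] != ["0"] or (c.get("tls-auth") or [])[1:2] != ["1"]:
        problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    remote = c.get("remote") or []
    client_port = remote[1] if len(remote) > 1 else "1194"      # OpenVPN's default port
    if client_port != (s.get("port") or ["1194"])[0]:
        problems.append("client 'remote' port does not match server 'port'")
    return problems


if __name__ == "__main__":
    for label, text in (("server.conf", SERVER_CONF), ("client.ovpn", CLIENT_CONF)):
        role, findings = lint(text)
        print(f"{label} ({role}):", *(findings or ["no findings"]), sep="\n  ")
    print("pair:", check_pair(SERVER_CONF, CLIENT_CONF) or "consistent")
```

Run it on the real files with `lint(open("/etc/openvpn/server.conf").read())` and `check_pair(...)` on the two. On the page's configs it reports only the compression and ns-cert-type directives and finds the pair consistent; removing the `tls-auth` line from a profile makes it flag that the control channel would accept unauthenticated packets.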

Use the tar command to compress the folder vpn-client-01-config:

tar cvfz vpn-client-01-config.tgz vpn-client-01-config

Download vpn-client-01-config.tgz to your Windows or Linux machine. See also: How to connect to an OpenVPN server from a Linux computer.
