#yum install epel-release
Step 1 — Installing OpenVPN
#yum install openvpn -y
For generating our SSL key pairs, which will secure our VPN connections. Execute the following command:
#yum install easy-rsa -y
Step 3 — Configuring OpenVPN
We can find an example configuration file in its documentation directory. We need to copy the sampleserver.confby the following command.
#cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Open the file in your favorite editor, I’m using editor,
#vi /etc/openvpn/server.conf
Most of the lines just need to be uncommented (remove and some of there are to be changed.
Do the following changes.
We need to change the dh file name to dh2048.pem. Because the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes. We will do the key generation in next step.
#vi /etc/openvpn/server.conf
Most of the lines just need to be uncommented (remove and some of there are to be changed.
Do the following changes.
We need to change the dh file name to dh2048.pem. Because the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes. We will do the key generation in next step.
#dh dh2048.pem
Next, uncomment the push “redirect-gateway def1 bypass-dhcp” line, which tells the client to redirect all traffic through our OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
For this, uncomment the push “dhcp-option DNS lines and updating the IP addresses.
push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" server 10.8.0.0 255.255.255.24 #for amazone linux we need uncommand below: tls-server tls-auth secure/ta.key 0 cipher DES-EDE3-CBC
user nobody
group nobody
Step 4 — Generating Keys and Certificates
Now, we’ll need to generate our keys and certificates. Easy RSA installs some scripts to generate these keys and certificates.
Create a directory for the keys by the following command
#mkdir -p /etc/openvpn/easy-rsa/keys
Create a directory for the keys by the following command
#mkdir -p /etc/openvpn/easy-rsa/keys
We also need to copy the key and certificate generation scripts into the directory.
#cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Now, we’re going to edit the default values in the script. So we don’t
have to type our information in each time. Open the file in vi editor.
#vi /etc/openvpn/easy-rsa/vars
Change values that start with KEY_. Update the following values to be accurate for your organization.
Some of the important value that should be change carefully are,
Some of the important value that should be change carefully are,
- KEY_NAME: You should enter server here; you could enter something else, but then you would also have to update the configuration files that reference and
- KEY_CN: Enter the domain or subdomain that resolves to your server
. . . # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="NY" export KEY_CITY="New York" export KEY_ORG="nixpal" export KEY_EMAIL="open@vpn.com" export KEY_OU="Community" # X509 Subject Field export KEY_NAME="server" . . . export KEY_CN=openvpn.nixpal.com . . .
OpenSSL configuration may not load due to the version being
undetectable. To avoid this remove the version number from the openSSl
file name.
#cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Next, We are going to generate the keys and certificates. Move to easy-rsa directory and source in our new variables.
#cd /etc/openvpn/easy-rsa
#source ./varsNext, We are going to generate the keys and certificates. Move to easy-rsa directory and source in our new variables.
#cd /etc/openvpn/easy-rsa
Then, we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.
#./clean-all
When you build the certificate authority, you will be asked to enter all
the information we put into the vars file, but you will see that your
options are already set as the defaults. So, you can just press ENTER
for each one.
#./build-ca
Next, We will generate the key and certificate for the server. Please press ENTER for each question as for the above step
#./build-key-server server
Now we will generate Diffie-Hellman key exchange file. This command will take few to complete:
#./build-dh
#./build-dh
So, we completed the server keys and certificates generation process. Copy them all into our OpenVPN directory.
#cd /etc/openvpn/easy-rsa/keys
#cp dh2048.pem ca.crt server.crt server.key /etc/openvpn#cd /etc/openvpn/easy-rsa/keys
For authenticate our clients will also need certificates. These keys
and certificates will be shared with your clients, and it’s best to
generate separate keys and certificates for each client you intend on
connecting.
Make sure that if you do this you give them descriptive names, but for now we’re going to have one client so we’ll just call it client.
#cd /etc/openvpn/easy-rsa
#./build-key clientMake sure that if you do this you give them descriptive names, but for now we’re going to have one client so we’ll just call it client.
#cd /etc/openvpn/easy-rsa
That's it for keys and certificates.
Step 5 — Routing
Install the iptables and disablefirewalld by execute the following commands
Next, We need to add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.
#yum install iptables-services -y
#systemctl mask firewalld
#systemctl enable iptables
#systemctl stop firewalld
#systemctl start iptables
#iptables --flush
#yum install iptables-services -y
#systemctl mask firewalld
#systemctl enable iptables
#systemctl stop firewalld
#systemctl start iptables
#iptables --flush
#iptables-save > /etc/sysconfig/iptables
Next, enable IP forwarding in sysctl. Open sysctl.conf in vi editor.
setting to take effect immediately
#sysctl -w net.ipv4.ip_forward=1
add perminent forward
#vi /etc/sysctl.confsetting to take effect immediately
#sysctl -w net.ipv4.ip_forward=1
add perminent forward
Add the following line at the top of the file and reboot:
net.ipv4.ip_forward = 1
For the IP forwarding will take effect. We need to restart the network service. Issue the following command
#/etc/init.d/networking restart
Step 6 — Starting OpenVPN
Now, we completed the installation and ready start the openVPN service. add it to systemctl using the command
#systemctl -f enable <span id="cloak54270">openvpn@server.service</span>
#/etc/openvpn/easy-rsa/keys/client.key
#systemctl start openvpn@server.service
or
#systemctl start openvpn@server
So we have successfully completed all the server-side configuration done for OpenVPN.
or
#systemctl start openvpn@server
So we have successfully completed all the server-side configuration done for OpenVPN.
Next Let’s see how to connect a client to the server.
Step 7 — Configuring a Client
Step 7 — Configuring a Client
To connect you will definitely need a copy of the ca certificate from the server, along with the client key and certificate.
Locate the following files on the server. In this article we used ‘client’ as the descriptive name for the client keys.
#/etc/openvpn/easy-rsa/keys/ca.crt
#/etc/openvpn/easy-rsa/keys/client.crtLocate the following files on the server. In this article we used ‘client’ as the descriptive name for the client keys.
#/etc/openvpn/easy-rsa/keys/ca.crt
Copy these three files to your client machine. For this, Open the file
in the server and copy the content of the file into a new file in the
client system an save, or use SFTP.
#vim /etc/openvpn/client.conf
#vim /etc/openvpn/client.conf
We’re going to create a file called client.ovpn. This is a
configuration file for an OpenVPN client, telling it how to connect to
the server.
- You’ll need to change the first line to reflect the name you gave the client in your key and certificate; in our case, this is just client
- You also need to update the IP address from your_server_ip to the IP address of your server; port1194 can stay the same
- Make sure the paths to your key and certificate files are correct
client dev tun proto udp remote your_server_ip 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo user nobody group nobody #for amazone linux uncommand this two red line tls-client tls-auth ta.key 1 cipher DES-EDE3-CBC #change the same vpn server config verb 3 ca /path/to/ca.crt cert /path/to/client.crt key /path/to/client.key
#nohup openvpn --config /path/client.conf &
Now we finished for client connected and we will have tun0 after your config is right
configuration below for centos 7 as router
#vi /etc/sysctl.conf
Add the following line at the top of the file:
net.ipv4.ip_forward = 1
#iptables -t nat -A POSTROUTING -s 10.105.0.0/16 -o tun0 -j MASQUERADE
Add Persistence Static Routes
Centos 7
# vi /etc/sysconfig/network-scripts/route-eth0
10.10.20.0/24 via 192.168.50.100 dev eth0
#/etc/init.d/sysconfig/network restart
Centos6
#vim /etc/rc.local
add this:
/usr/sbin/ip route add 10.105.0.0/16 via 10.105.8.18
==============================
http://www.unixmen.com/install-openvpn-centos-7/
http://www.invitevps.com/knowledgebase/31/HOW-TO-Install-OpenVPN-on-RHELorCentOS-VPS.html