This how-to will walk you through a quick and easy OpenVPN install on a CentOS 7 minimal server (the steps below use systemd, so they apply to CentOS 7).
To help with maintenance and security we will be enabling and using EPEL. Installing from EPEL means security and bug-fix updates for OpenVPN arrive through the normal yum update path; if you want them applied unattended, install and enable yum-cron, because yum does not run automatic updates on its own.
yum install epel-release
yum update
Now that EPEL packages are available for installation on your system we can now install OpenVPN.
yum install openvpn
Install easy-rsa, the set of OpenSSL wrapper scripts we will use to build the CA, the server and client certificates and their keys
yum install easy-rsa
Now we are ready to generate the Cert and Keys our OpenVPN server and clients will be using. The first step is to copy over the easy-rsa tools we installed to make this job easier.
cp -R /usr/share/easy-rsa/ /etc/openvpn
Next, edit /etc/openvpn/easy-rsa/2.0/vars and set the following fields to match your organisation; they become the default answers for every certificate prompt later on
export KEY_PROVINCE="CA"
export KEY_CITY="SanClemente"
export KEY_ORG="Network Data Center Host, Inc."
export KEY_EMAIL="recipient@domain.com"
export KEY_OU="VPN"
# export KEY_CN="vps1.domain.com"
Leave the KEY_CN line commented out. If it is exported, every certificate (the server's and all clients') is issued with that one Common Name: OpenSSL refuses to sign a second certificate whose subject is already recorded in index.txt, and clients with identical CNs would also need duplicate-cn in the server config. Left unset, the Common Name defaults to the name you pass to build-key-server and build-key, which is what you want.
Generate the CA certificate and key (ca.crt and ca.key)
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./clean-all
./build-ca
clean-all wipes the keys directory, so run it only now, before anything has been issued. The last command asks a series of questions whose defaults are the values you entered in the vars file; you can hit enter for each one. When asked for the Common Name, give the CA a distinctive one (for example "vps1.domain.com CA") that you will not reuse for the server or a client.
Now we are going to generate the server certificate and key
. /etc/openvpn/easy-rsa/2.0/build-key-server server
Again this command asks the same series of questions with the same defaults; hit enter to accept them. The Common Name defaults to the name you passed, server. There is a question asking for a challenge password; in this example we won't set one and will leave it blank. At the end answer y to "Sign the certificate?" and to "commit?".
Now let's build a client certificate and key. The clientname below must be unique for each VPN client; we typically set it to the username the client will use to authenticate with the VPN server. Issue one certificate per user rather than sharing one, so that a single lost laptop can be revoked without cutting off everyone else.
. /etc/openvpn/easy-rsa/2.0/build-key clientname
This command will again ask you a series of questions, just as before you can use the defaults.
Next, generate the DH parameters. This can take several minutes on a small VPS.
. /etc/openvpn/easy-rsa/2.0/build-dh
Finally, move the cert and keys into their new home!
Copy only the four files the server needs. ca.key, the CA private key, stays in the keys directory and should be moved off the VPN host altogether, because whoever holds it can issue new client certificates; the server only ever needs ca.crt to verify clients. Keep the server's private key readable by root only.
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt dh2048.pem server.crt server.key /etc/openvpn
chmod 600 /etc/openvpn/server.key
Now we will start the configuration of the OpenVPN server. OpenVPN ships a sample configuration file that works out of the box with the file names used above (ca.crt, server.crt, server.key, dh2048.pem).
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
The directory name carries the package version (openvpn-2.3.8 at the time of writing), so the glob keeps the command valid after updates; rpm -ql openvpn | grep sample-config-files/server.conf shows the exact path if the copy fails.
The sample config lets clients connect to the VPN server, and those clients then have an encrypted connection between their computer and the server. If you want all of your clients' traffic to route through the VPN, including traffic destined for the web, add the following.
First add the following line to your /etc/openvpn/server.conf
push "redirect-gateway def1"
Once a client's default route moves into the tunnel it can no longer reach a DNS resolver that is only available on its local network; the sample file has commented-out push "dhcp-option DNS ..." lines for handing clients a resolver that is reachable through the VPN.
Next, create /etc/sysctl.d/98-openvpn.conf and add the following line
net.ipv4.ip_forward = 1
and reload sysctl
sysctl --system
and finally let's add the iptables rules that forward and NAT the VPN clients' traffic. Replace eth0 with the server's outbound interface (ip route show default prints it; on CentOS 7 it is often a name like ens192 rather than eth0). Appending the rules to /etc/rc.local re-creates them at boot only if that file is executable, which it is not by default on CentOS 7, so run chmod +x /etc/rc.d/rc.local as well. Two things these rules do not cover: nothing here opens UDP 1194 in the INPUT chain, and a running firewalld (enabled by default on CentOS 7 minimal) both blocks that port and places its own chains ahead of these FORWARD rules, so either configure the port and masquerading through firewall-cmd, or stop and disable firewalld and use iptables-services instead.
echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/rc.local
echo "iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT" >> /etc/rc.local
echo "iptables -A FORWARD -j REJECT" >> /etc/rc.local
echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" >> /etc/rc.local
. /etc/rc.local
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
OpenVPN has now been installed and should be running (check with systemctl status openvpn@server.service). Next, configure each OpenVPN client to connect to the server: it needs ca.crt plus its own clientname.crt and clientname.key from /etc/openvpn/easy-rsa/2.0/keys, delivered over a channel you trust, since the .key file is that client's credential.
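As an added example (not part of the original how-to), the script below checks that /etc/openvpn holds exactly what the server needs and nothing it should not, then builds a single-file client profile with the CA certificate, client certificate and client key inlined, so there is one .ovpn to hand out instead of four files. The key paths, the hostname vpn.example.com, the client name alice and the script name make-client.sh are assumptions; the profile also assumes the sample server.conf's UDP 1194 and comp-lzo settings. The remote-cert-tls server line tells the client to accept only a certificate carrying the server extensions that build-key-server applies, so a stolen client certificate cannot be used to impersonate the server.

```shell
#!/bin/sh
# Added example, not from the original how-to: sanity-check the server-side
# files and emit a self-contained client profile with the certificates inlined.
# Assumptions not stated on the page: easy-rsa 2.0 keys live under
# /etc/openvpn/easy-rsa/2.0/keys, the server listens on UDP 1194 and keeps the
# sample server.conf's comp-lzo line, and the client name is the argument that
# was given to build-key.
set -u

# Print only the PEM block of a file; easy-rsa 2 .crt files start with a
# human-readable dump of the certificate that the client does not need.
pem_only() {
    sed -n '/-----BEGIN /,/-----END /p' "$1"
}

# Check that the server directory holds what the server needs and nothing it
# should not have. Returns 1 and prints the problems if anything is wrong.
check_server_dir() {
    dir=$1
    rc=0
    for f in ca.crt dh2048.pem server.crt server.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; rc=1; }
    done
    # The CA private key signs new client certs and revocations; keeping it
    # on the VPN endpoint turns a server compromise into a CA compromise.
    if [ -f "$dir/ca.key" ]; then
        echo "$dir/ca.key present: keep the CA private key off the VPN server" >&2
        rc=1
    fi
    return $rc
}

# Write a client profile for client $1 connecting to host $2, taking the
# CA cert, client cert and client key from directory $3.
make_client_ovpn() {
    name=$1
    host=$2
    keydir=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_only "$keydir/ca.crt")
</ca>
<cert>
$(pem_only "$keydir/$name.crt")
</cert>
<key>
$(pem_only "$keydir/$name.key")
</key>
EOF
}

# Usage on the server: sh make-client.sh alice vpn.example.com > alice.ovpn
if [ $# -eq 2 ]; then
    check_server_dir /etc/openvpn || exit 1
    make_client_ovpn "$1" "$2" /etc/openvpn/easy-rsa/2.0/keys
fi
```

Run it as root on the server, copy the resulting .ovpn to the client over an authenticated channel, and delete the server-side copy: the profile contains the client's private key, so it is the credential itself.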