A guide to setting up as well as configuring OpenVPN on a server running Ubuntu is readily available at the web link. Take into consideration mounting OpenVPN on a server running CentOS7.
OpenVPN is an open resource software application implementation of the VPN protocol. A distinctive feature of this item is the capacity to create encrypted passages, while there are executions for a lot of prominent os, including mobile systems.
The peculiarity of the CentOS repository is that OpenVPN is not consisted of in it. Nonetheless, this package can be gotten utilizing the EPEL (Venture Linux) repository, which is managed by the Fedora Project. From this repository, incidentally, you can obtain various other packages that are not consisted of in the basic CentOS repository. Mount with the command:
yum install epel-release
Let’s start installing OpenVPN. Installing the package:
yum install openvpn easy-rsa -y
Let’s start setting up the server. Copy server.conf:
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
It is necessary to pay attention to the “*”. So one effort was made to install, the program version can be changed with an asterisk. If there were several setup efforts, you might need to define the course to the documents completely.
Before generating the keys, let’s make a few changes to the server configuration file.
Open server.conf with any editor.
nano /etc/openvpn/server.conf
Find the line “Diffie hellman parameters.” and looking for:
dh dh2048.pem
If this holds true, then no changes require to be made. The nuance of the new version of the plan is that the values currently correspond to the criterion. In older versions, it’s simply “dh”. We evoke, as we have.
Next off, search for the line “# Particular Windows-specific network setups”. uncomment one of the alternatives below (eliminate the semicolon (;-RRB- at the start of the line). It must look something such as this:.
push "dhcp-option DNS 8.8.8.8"
You can specify your own DNS web server, if preferred. Also, you can uncomment the second line to pass an alternative DNS server to customers as well.
For server security, we will range from the no one user and the nogroup team. Let’s uncomment the lines:.
user nobody
group nobody
Let’s start creating certificates.
Using the easy-rsa package installed earlier, we will create the server and client keys.
Create a directory in which the keys will be located:
mkdir -p /etc/openvpn/easy-rsa/keys
Copy the scripts to the newly created easy-rsa directory:
cp -r /usr/share/easy-rsa/3.0/* /etc/openvpn/easy-rsa
Go to /etc/openvpn/easy-rsa/3/ directory and create vars script
cd /etc/openvpn/easy-rsa/
nano vars
Important! The version of easy-rsa may be different, and therefore the path will need to be adjusted.
Add the following lines to the open file:
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "RU"
set_var EASYRSA_REQ_PROVINCE "Moscow"
set_var EASYRSA_REQ_CITY "Moscow"
set_var EASYRSA_REQ_ORG "MyOrg"
set_var EASYRSA_REQ_EMAIL "openvpn@mydomain.net"
set_var EASYRSA_REQ_OU "CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
Save the file and close the editor.
Allow file execution:
chmod +x vars
Initialize the PKI directory and create a CA certificate:
./easyrsa init-pki
./easyrsa build-ca
Important! When developing a CA certificate, the script will certainly ask you to get in a password of a minimum of 4 characters. The gone into password needs to be remembered.
Create a server key.
./easyrsa gen-req server nopass
If you do not define the “nopass” characteristic, then when creating a trick, the script will certainly request a password.
Signing the server certificate:
./easyrsa sign-req server server
The initial action of the manuscript will take a rate of interest in our confidence, we answer “Yes”. Then it will certainly request the password that was defined when developing the CA certification.
Check if the certificate is signed:
openssl verify -CAfile pki/ca.crt pki/issued/ server.crt
Generate an additional server key ta.key:
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
User certificates.
The process of creating a user certificate is identical to creating a server certificate.
1. Create without password protection:
./easyrsa gen-req client01 nopass
2. We sign the certificate:
./easyrsa sign-req client client01
3. Checking the signature:
openssl verify -CAfile pki/ca.crt pki/issued/client01.crt
Diffie-Hellman.
Create a certificate:
./easyrsa gen-dh
As a result, the dh.pem file will be created, and in the config dh2048.pem. We will rename it later, when copying the keys.
Transferring certificates.
Copy the server key files. To do this, we sequentially execute:
cp pki/ca.crt /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/
Copy client keys:
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client01.crt /etc/openvpn/client/
cp pki/private/client01.key /etc/openvpn/client/
Copy the Diffie-Hellman key file:
cp pki/dh.pem /etc/openvpn/dh2048.pem
Important! The target filename has been deliberately changed to match the name in the config.
Set up routing.
To speed up the setup, the work will be done with iptables and not with FirewallD. We sequentially execute:
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
Before further configuration, you should look at the names of the interfaces using the command:
ifconfig -a
Add a rule for NAT:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
As an example:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Allow packet forwarding between network interfaces. To do this, edit the system file sysctl.conf:
nano /etc/sysctl.conf
Insert the line at the beginning of the file:
net.ipv4.ip_forward = 1
Save the file, close the editor and restart the network service with the command:
systemctl restart network.service
We start the OpenVPN server.
First, let’s add the service to startup:
systemctl -f enable openvpn@server.service
Start OpenVPN:
openvpn /etc/openvpn/server.conf
Customer setup.
The server is configured, it remains to configure the client so that it can connect.
Regardless of the OS you use, be it mobile, server or home versions, Linux or Windows, you will always need 4 files:
- ca.crt;
- client.crt;
- client.key;
- client.ovpn
The first 3 files are located in the /etc/openvpn/client/ directory, and client.ovpn will have to be created. To do this, go to the directory where all the client keys are located:
cd /etc/openvpn/client/
Let’s create a file:
nano client.ovpn
Fill in with the following content:
client
dev tun
proto udp
remote
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client01.crt
key client01.key
Instead of IP_ADDRESS, we insert the server’s IP address, or its domain name. Save the file with Ctrl + X and close the editor.
We transfer files to the client. This can be done, for example, via SFTP or archive the directory and “give” it through the web server.
Client connection.
Depending on the operating system, download the installation file or install from the repository. You can also get OpenVPN from the official website .
Windows:
For computers running Windows, you should download the product distribution from the official site, the resulting “four files” should be placed in the folder C: Program FilesOpenVPNconfig.
After launching the OpenVPN GUI, the program icon will appear in the system tray. We click on it with the right mouse button, select Connect (connect).
MacOS:
OpenVPN for MacOS is a bit more complicated. You should use the open-source tool Tunnelblick. The keys and configuration file should be placed in ~/Library/Application Support/Tunnelblick/Configurations. Or double click on the configuration file.
Linux:
You should install from the repository.
For Debian/Ubuntu:
apt-get install openvpn
From CentOS/OpenSUSE/Fedora:
yum install openvpn -y
After installation, go to the folder where the configuration file with the keys is located and run the command:
sudo openvpn --config client.ovpn
To check the operation of the server, you should use any of the sites that show your IP address.
Welcome to the world of DomainRooster, where roosters (and hens) rule the roost! We're a one-stop shop for all your entrepreneurial needs, bringing together domain names and website hosting, and all the tools you need to bring your ideas to life. With our help, you'll soar to new heights and hatch great success. Think of us as your trusty sidekick, always there to lend a wing and help you navigate the sometimes-complex world of domain names and web hosting. Our team of roosters are experts in their fields and are always on hand to answer any questions and provide guidance. So why wait? Sign up today and join the ranks of the world's greatest entrepreneurs. With DomainRooster, the sky's the limit! And remember, as the saying goes, "Successful people do what unsuccessful people are not willing to do." So don't be afraid to take that leap of faith - DomainRooster is here to help you reach for the stars. Caw on!
