OpenVPN on Centos 7

From vpsget wiki
Jump to: navigation, search

We'll show how to install OpenVPN server side and configure the client side.


  • Server side


Install EPEL

yum install epel-release

Install OpenVPN, text editor and iptables services

yum install openvpn easy-rsa nano iptables-services

Create the server conf file

nano /etc/openvpn/server.conf

Add the following lines:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Generate keys and certificates

cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Generate client(s)

cd /etc/openvpn/easy-rsa
./build-key client1
./build-key client2
./build-key client3

Configure firewall (you may use firewalld but we prefer iptables)

systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables.service

you may overwrite default iptables config or append. we'll overwrite here:

cp /etc/sysconfig/iptables.service  /etc/sysconfig/iptables
systemctl restart iptables.service

Enable forwarding

nano /etc/sysctl.conf

Append the following line

net.ipv4.ip_forward = 1

Apply

systemctl restart network.service

Start Openvpn

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

_____________________________________________


  • Client Side

Copy the client key files from /etc/openvpn/easy-rsa/keys/ to your pc. Create the folder for client let's call it user and put all files from keys folder into the user except the keys for another clients (do not copy user2.* files for example) Now create the config file, lets call it user.ovpn And put the next lines into this file:

client
dev tun
proto udp
remote <Your_VPN_SERVER_IP_ADDRESS> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
comp-lzo
verb 4

remember that all user files (user crt, user.key, user,crt) and your *.ovpn config file should be located in one folder. Now you may use this config with your Linux/MAC PC. On Windows you need to install openvpn client first (free) and copy the folder with all files specified above into installed config folder (refer to the openvpn windows client docs). You may also use these files on your iPhone or Android phones. Just download OpenVPN app from market first (free).

_____________________________________________


  • Troubleshoot


In case you can connect but no Internet access available please check your iptables config. For any case we've also shared the alternate iptables config (no MASQUARADE used) /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i venet0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT



Remember to restart iptables:

systemctl start iptables.service
systemctl stop iptables.service

For diagnostic/logs view:

systemctl status iptables.service
systemctl status openvpn@server.service
tail -f /var/log/openvpn.log  
ss -tulpn

View connected clients/stats:

cat /etc/openvpn/openvpn-status.log