Difference between revisions of "OpenVPN on Centos 7"
Line 62: | Line 62: | ||
In case you can connect but no Internet access available please check your iptables config. | In case you can connect but no Internet access available please check your iptables config. | ||
− | For any case we've shared the | + | For any case we've also shared the alternate iptables config (no MASQUARADE used) |
/etc/sysconfig/iptables: | /etc/sysconfig/iptables: | ||
*filter | *filter | ||
− | :INPUT ACCEPT [0:0] | + | :INPUT ACCEPT [0:0] |
− | :FORWARD ACCEPT [0:0] | + | :FORWARD ACCEPT [0:0] |
− | :OUTPUT ACCEPT [3:324] | + | :OUTPUT ACCEPT [3:324] |
− | -A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT | + | -A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT |
− | -A INPUT -i venet0 -p gre -j ACCEPT | + | -A INPUT -i venet0 -p gre -j ACCEPT |
− | -A FORWARD -i tun+ -o venet0 -j ACCEPT | + | -A FORWARD -i tun+ -o venet0 -j ACCEPT |
− | -A INPUT -p icmp -j ACCEPT | + | -A INPUT -p icmp -j ACCEPT |
− | -A INPUT -i lo -j ACCEPT | + | -A INPUT -i lo -j ACCEPT |
− | -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | + | -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT |
− | COMMIT | + | COMMIT |
− | *nat | + | *nat |
− | :PREROUTING ACCEPT [6222:273716] | + | :PREROUTING ACCEPT [6222:273716] |
− | :POSTROUTING ACCEPT [306:22159] | + | :POSTROUTING ACCEPT [306:22159] |
− | :OUTPUT ACCEPT [306:22159] | + | :OUTPUT ACCEPT [306:22159] |
− | -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE | + | -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE |
− | COMMIT | + | COMMIT |
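Review bot: the new prose line calls this "the alternate iptables config (no MASQUARADE used)", but the nat table it introduces still ends with `-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE`, so the parenthetical contradicts the file (and misspells MASQUERADE); either drop it or describe the file as the complete ruleset including NAT. Two further points in the same block: with `:INPUT ACCEPT [0:0]` and `:FORWARD ACCEPT [0:0]` every ACCEPT rule that follows is a no-op, so the filter table restricts nothing; and `-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT` can never match useful traffic, because the server on this page listens with `proto udp` on the public interface, not inside the tunnel. Suggest DROP policies for INPUT and FORWARD, a `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule in each, and `-A INPUT -i venet0 -p udp -m udp --dport 1194 -j ACCEPT` for the OpenVPN socket.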
Revision as of 14:18, 13 August 2017
Install EPEL
yum install epel-release
Install OpenVPN, text editor and iptables services
yum install openvpn easy-rsa nano iptables-services
Create the server conf file
nano /etc/openvpn/server.conf
Add the following lines (the certificate and key paths are relative to /etc/openvpn, where the next step copies them):
port 1194
proto udp
dev tun
# CA, server certificate, private key and DH parameters generated with easy-rsa below
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# VPN subnet; the server itself takes 10.8.0.1
server 10.8.0.0 255.255.255.0
# send all client traffic through the tunnel
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
This is a minimal config: it keeps OpenVPN's default cipher, adds no tls-auth HMAC on the control channel and runs the daemon as root. For a server reachable from the Internet add `cipher AES-256-CBC`, `tls-auth ta.key 0` (generate ta.key with `openvpn --genkey --secret ta.key` and give clients the same file with direction 1), and `user nobody` plus `group nobody`. `comp-lzo` is optional and newer OpenVPN releases discourage compression because it can leak plaintext, so omit it unless your clients require it. Because `redirect-gateway def1` sends all traffic through the VPN, clients also need a resolver they can reach; push one with `push "dhcp-option DNS <resolver address>"` or they may lose name resolution.
Generate keys and certificates. Edit ./vars before sourcing it (KEY_COUNTRY, KEY_PROVINCE, KEY_ORG and so on, and KEY_SIZE, which must be 2048 for build-dh to produce the dh2048.pem that server.conf expects). ./clean-all wipes the keys/ directory, so run it only on a fresh setup; build-key-server asks for a Common Name, which must be "server" here, and asks you to sign and commit the certificate.
cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Check that /etc/openvpn/server.key is readable by root only (mode 600), and protect keys/ca.key: it is needed only to sign client certificates and anyone holding it can issue credentials for your VPN.
Generate client(s). Issue a separate certificate with a unique Common Name for each client (OpenVPN rejects a second connection with the same CN unless duplicate-cn is set); use ./build-key-pass instead if you want the client key protected by a passphrase:
cd /etc/openvpn/easy-rsa
./build-key client1
./build-key client2
./build-key client3
Each client needs keys/ca.crt plus its own clientN.crt and clientN.key, delivered over a secure channel.
Configure the firewall (you may use firewalld, but we prefer iptables). venet0 is the OpenVZ network interface; on KVM or bare metal replace it with your public interface, which `ip route show default` will tell you:
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables.service
Be aware of what `iptables --flush` does here: the stock ruleset shipped by iptables-services ends with a REJECT rule in both INPUT and FORWARD. Removing the FORWARD reject is what lets VPN clients reach the Internet, but removing the INPUT reject with the default ACCEPT policies means the host accepts every incoming connection, and the saved file above only adds the NAT rule. Add your own filter rules if the server is reachable from the Internet.
You may overwrite the default iptables config or append to it; we overwrite it here:
cp /etc/sysconfig/iptables.service /etc/sysconfig/iptables
systemctl restart iptables.service
Enable forwarding
nano /etc/sysctl.conf
Append the following line
net.ipv4.ip_forward = 1
Apply. The network service re-reads /etc/sysctl.conf when it restarts; `sysctl -p` applies the file without touching the interfaces, and `sysctl net.ipv4.ip_forward` should print 1 afterwards. Without forwarding, clients connect but cannot reach anything beyond the server.
systemctl restart network.service
Start OpenVPN (the instance name after @ is the config file name without .conf, so this reads /etc/openvpn/server.conf)
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
If clients can connect but have no Internet access, check your iptables config: the NAT rule for 10.8.0.0/24 on the public interface must be present, FORWARD must allow traffic from tun+ to that interface, and ip_forward must be enabled.
For reference, here is the complete /etc/sysconfig/iptables we use. Note that it still relies on the MASQUERADE rule in the nat table, and that its INPUT and FORWARD policies are ACCEPT, so the filter rules in it only document the intended traffic rather than block anything else; for a server on the public Internet set those policies to DROP and add a RELATED,ESTABLISHED rule in each chain.
/etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# OpenVPN listens with proto udp on the public interface, not inside the tunnel
-A INPUT -i venet0 -p udp -m udp --dport 1194 -j ACCEPT
# GRE is not needed for OpenVPN; harmless, kept from the original ruleset
-A INPUT -i venet0 -p gre -j ACCEPT
# VPN clients out to the Internet
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# source NAT for the VPN subnet on the public interface
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
Remember to reload iptables after editing the file:
systemctl restart iptables.service
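The firewall and forwarding steps above, as an added example that is not part of the original page: a POSIX sh script that renders a stricter /etc/sysconfig/iptables (DROP policies instead of the ACCEPT policies in the file above) from the interface, subnet, port and protocol, checks a saved ruleset against the values in server.conf, and checks that sysctl.conf persists ip_forward. The interface name venet0 and the subnet 10.8.0.0/24 come from the page; the function names and the sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: render a stricter /etc/sysconfig/iptables
# for the OpenVPN server above and verify firewall, NAT and forwarding against server.conf.
# Assumptions: public interface venet0 and VPN subnet 10.8.0.0/24 (both from the page);
# the function names and any sample files are this example's own.

# ovpn_conf_get CONF KEY -> first value of KEY in an OpenVPN config, comments stripped
ovpn_conf_get() {
    sed -e 's/[;#].*$//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# render_ruleset WAN_IF VPN_NET PORT PROTO -> iptables-save text on stdout.
# Unlike the file shown on the page, INPUT and FORWARD default to DROP, so only the
# listed traffic passes: loopback, replies, ICMP, SSH, the OpenVPN socket on the
# public interface, and VPN clients reaching the Internet.  Option order follows
# iptables-save, so the output can be compared with a live "iptables-save" dump.
render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $1 -p $4 -m $4 --dport $3 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $2 -i tun+ -o $1 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $2 -o $1 -j MASQUERADE
COMMIT
EOF
}

# check_ruleset RULES CONF WAN_IF VPN_NET -> prints "ok" and returns 0 when the saved
# rules match server.conf; otherwise prints the first missing piece and returns 1.
# This is the "clients connect but have no Internet" checklist in executable form.
check_ruleset() {
    rules=$1
    conf=$2
    wan_if=$3
    vpn_net=$4
    port=$(ovpn_conf_get "$conf" port)
    proto=$(ovpn_conf_get "$conf" proto)
    if ! grep -qF -- "-A INPUT -i $wan_if -p $proto -m $proto --dport $port -j ACCEPT" "$rules"; then
        echo "INPUT does not accept $proto/$port on $wan_if"
        return 1
    fi
    if ! grep -qF -- "-A FORWARD -s $vpn_net -i tun+ -o $wan_if -j ACCEPT" "$rules"; then
        echo "FORWARD does not pass $vpn_net from tun+ to $wan_if"
        return 1
    fi
    if ! grep -qF -- "-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE" "$rules"; then
        echo "no MASQUERADE for $vpn_net out of $wan_if"
        return 1
    fi
    echo ok
}

# forwarding_enabled SYSCTL_CONF -> 0 if the file sets net.ipv4.ip_forward = 1
# (the persisted value; "sysctl net.ipv4.ip_forward" shows the live kernel value)
forwarding_enabled() {
    sed -e 's/#.*$//' "$1" | awk -F= '
        $1 ~ /^[ \t]*net\.ipv4\.ip_forward[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { exit (v == 1) ? 0 : 1 }'
}
```

On the server, `render_ruleset venet0 10.8.0.0/24 1194 udp > /etc/sysconfig/iptables` followed by `systemctl restart iptables.service` installs the stricter ruleset; to audit what is actually loaded, dump it with `iptables-save > /tmp/rules` and run `check_ruleset /tmp/rules /etc/openvpn/server.conf venet0 10.8.0.0/24`. The fixed-string matches expect iptables-save's option order (source before interfaces, interface before protocol), which is the order render_ruleset emits.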
For diagnostics and logs:
systemctl status iptables.service
systemctl status openvpn@server.service
tail -f /var/log/openvpn.log
ss -tulpn
ss should list openvpn bound to UDP port 1194, and the log should end with "Initialization Sequence Completed" once the server is up.
To view connected clients and their traffic counters (the file is rewritten by the daemon every minute by default):
cat /etc/openvpn/openvpn-status.log
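The layout of that status file, as an added example not from the original page: a sh function that joins the CLIENT LIST section (traffic counters) and the ROUTING TABLE section (assigned VPN address) of openvpn-status.log, in OpenVPN's default status-version 1 format, into one line per connected client. The sample_status_log data is constructed here for offline use and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: summarise /etc/openvpn/openvpn-status.log
# (status-version 1, the default) as "common_name vpn_ip real_address bytes_in bytes_out".
# The sample data below is constructed for offline use.

# list_clients [STATUS_FILE]  (reads stdin when no file is given)
list_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST$/ { section = "clients"; next }
        /^ROUTING TABLE$/       { section = "routes";  next }
        /^GLOBAL STATS$/        { section = "";        next }
        /^(Updated|Common Name|Virtual Address),/ || /^END$/ { next }
        # CLIENT LIST rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        section == "clients" { real[$1] = $2; rx[$1] = $3; tx[$1] = $4; order[++n] = $1 }
        # ROUTING TABLE rows: Virtual Address,Common Name,Real Address,Last Ref
        section == "routes"  { vip[$2] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                cn = order[i]
                # "-" marks a client that has connected but has no route entry yet
                printf "%s %s %s %s %s\n", cn, (cn in vip ? vip[cn] : "-"), real[cn], rx[cn], tx[cn]
            }
        }' "$@"
}

# sample_status_log: constructed sample in the status-version 1 layout
sample_status_log() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Sun Aug 13 14:18:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,Sun Aug 13 14:00:00 2017
client2,198.51.100.7:40001,100,200,Sun Aug 13 14:10:00 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.5:51234,Sun Aug 13 14:17:55 2017
10.8.0.10,client2,198.51.100.7:40001,Sun Aug 13 14:17:58 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

On the server run `list_clients /etc/openvpn/openvpn-status.log`. If you set `status-version 2` in server.conf the file switches to tagged CLIENT_LIST and ROUTING_TABLE rows and this parser would need its section and field handling adjusted.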