Difference between revisions of "OpenVPN on Centos 7"
Revision as of 14:26, 13 August 2017
We'll show how to install the OpenVPN server side and configure the client side.
- Server side

Install EPEL:

    yum install epel-release

Install OpenVPN, a text editor and the iptables services:

    yum install openvpn easy-rsa nano iptables-services

Create the server config file:

    nano /etc/openvpn/server.conf

Add the following lines:

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1"
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn.log
    verb 3

Generate keys and certificates:

    cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
    cd /etc/openvpn/easy-rsa
    source ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-dh
    cd /etc/openvpn/easy-rsa/keys
    cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Generate client(s):

    cd /etc/openvpn/easy-rsa
    ./build-key client1
    ./build-key client2
    ./build-key client3

Configure the firewall (you may use firewalld, but we prefer iptables):

    systemctl mask firewalld
    systemctl enable iptables
    systemctl stop firewalld
    systemctl start iptables
    iptables --flush
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
    iptables-save > /etc/sysconfig/iptables.service

You may overwrite the default iptables config or append to it; we'll overwrite here:

    cp /etc/sysconfig/iptables.service /etc/sysconfig/iptables
    systemctl restart iptables.service

Enable forwarding:

    nano /etc/sysctl.conf

Append the following line:

    net.ipv4.ip_forward = 1

Apply:

    systemctl restart network.service

Start OpenVPN:

    systemctl -f enable openvpn@server.service
    systemctl start openvpn@server.service
___
- Client Side

Copy the client key files from /etc/openvpn/easy-rsa/keys/ to your PC. Create a folder for the client (let's call it user) and put that client's files from the keys folder into it, but not the keys of other clients (do not copy the user2.* files, for example). Now create the config file, let's call it user.ovpn, and put the following lines into it:

    client
    dev tun
    proto udp
    remote <Your_VPN_SERVER_IP_ADDRESS> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert user.crt
    key user.key
    comp-lzo
    verb 4

Remember that all user files (ca.crt, user.crt, user.key) and your *.ovpn config file should be located in one folder. Now you may use this config on your Linux/Mac PC. On Windows you need to install the OpenVPN client first (free) and copy the folder with all the files listed above into the installed config folder (refer to the OpenVPN Windows client docs). You may also use these files on your iPhone or Android phone; just download the OpenVPN app from the app store first (free).
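As an added example (not part of the original wiki page), the script below packs the client folder described above into a single .ovpn by embedding ca.crt, user.crt and user.key inline, which is easier to move to a phone than a folder of separate files. It also checks that the folder holds only that client's files: only ca.crt, user.crt and user.key are needed on the client, and ca.key and server.key must stay on the server. The function names and the VPN_PORT variable are this example's own; the server address is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original wiki page: build one self-contained
# .ovpn from the page's client folder (ca.crt, <name>.crt, <name>.key).
# Function names and VPN_PORT are this example's own assumptions.
set -eu

VPN_PORT=${VPN_PORT:-1194}

# check_client_files DIR NAME
# The three files the config needs must exist and be non-empty, and no
# other *.key may be present: user2.key would be another client's key,
# ca.key/server.key belong on the server only.
check_client_files() {
    dir=$1; name=$2
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue          # no *.key at all: the glob stayed literal
        [ "$(basename "$k")" = "$name.key" ] ||
            { echo "refusing: $k is not this client's key (other clients' keys, ca.key and server.key must not be here)" >&2; return 1; }
    done
}

# emit_pem FILE TAG  -- print FILE wrapped in <TAG>...</TAG>; awk 1 guarantees a final newline
emit_pem() {
    printf '<%s>\n' "$2"
    awk 1 "$1"
    printf '</%s>\n' "$2"
}

# make_client_ovpn DIR NAME SERVER_ADDR
# Same directives as the page's user.ovpn, with the "ca/cert/key" file
# references replaced by the PEM contents inline (OpenVPN <ca>/<cert>/<key> blocks).
make_client_ovpn() {
    dir=$1; name=$2; server=$3
    check_client_files "$dir" "$name" || return 1
    printf '%s\n' \
        'client' 'dev tun' 'proto udp' "remote $server $VPN_PORT" \
        'resolv-retry infinite' 'nobind' 'persist-key' 'persist-tun' \
        'comp-lzo' 'verb 4'
    emit_pem "$dir/ca.crt" ca
    emit_pem "$dir/$name.crt" cert
    emit_pem "$dir/$name.key" key
}

# write_client_ovpn DIR NAME SERVER_ADDR
# Save DIR/NAME.ovpn owner-readable only, since it now contains the private key.
write_client_ovpn() {
    ( umask 077; make_client_ovpn "$1" "$2" "$3" > "$1/$2.ovpn" )
}

# Usage when run directly:  sh make_ovpn.sh /path/to/user user 203.0.113.10
if [ $# -eq 3 ]; then
    write_client_ovpn "$1" "$2" "$3" && echo "wrote $1/$2.ovpn"
fi
```

The resulting file still contains the client's private key, so treat it like user.key: transfer it over a trusted channel and delete it from any intermediate location.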
___
- Troubleshoot
___

If you can connect but have no Internet access, check your iptables config. Just in case, we've also shared an alternate iptables config (no MASQUERADE used), /etc/sysconfig/iptables:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [3:324]
    -A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
    -A INPUT -i venet0 -p gre -j ACCEPT
    -A FORWARD -i tun+ -o venet0 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [6222:273716]
    :POSTROUTING ACCEPT [306:22159]
    :OUTPUT ACCEPT [306:22159]
    -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
    COMMIT

Remember to restart iptables:

    systemctl restart iptables.service

For diagnostics/logs:

    systemctl status iptables.service
    systemctl status openvpn@server.service
    tail -f /var/log/openvpn.log
    ss -tulpn

View connected clients/stats:

    cat /etc/openvpn/openvpn-status.log
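The following script is an added example (not from the original wiki page) that automates the "connected but no Internet" check for the setup above: it verifies the four things the server-side firewall and forwarding steps rely on, namely ip_forward=1, the MASQUERADE rule for the VPN subnet on the outbound interface, a FORWARD path for tun+ traffic, and openvpn actually listening on udp/1194. The parse functions take text so they can be run against captured output; gather_and_check runs the live commands from the diagnostics list (it needs root for iptables-save). VPN_NET and WAN_IF default to the page's 10.8.0.0/24 and venet0 (an OpenVZ interface; on other hosts set WAN_IF to your outbound interface, e.g. eth0); all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: read-only checks for the
# "client connects but has no Internet" case. Function names, VPN_NET,
# WAN_IF and VPN_PORT are this example's own assumptions.
set -eu

VPN_NET=${VPN_NET:-10.8.0.0/24}
WAN_IF=${WAN_IF:-venet0}
VPN_PORT=${VPN_PORT:-1194}

# forwarding_enabled VALUE    -- VALUE is the content of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# nat_rule_present RULES      -- RULES is iptables-save output
nat_rule_present() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# forward_path_present RULES  -- an explicit tun+ -> WAN accept, or FORWARD policy ACCEPT
forward_path_present() {
    printf '%s\n' "$1" | grep -qF -- "-A FORWARD -i tun+ -o $WAN_IF -j ACCEPT" ||
    printf '%s\n' "$1" | grep -q '^:FORWARD ACCEPT'
}

# openvpn_listening SS_OUTPUT -- SS_OUTPUT is from `ss -tulpn`
openvpn_listening() {
    printf '%s\n' "$1" | grep -Eq "^udp[[:space:]].*:$VPN_PORT[[:space:]].*openvpn"
}

# check_all IP_FORWARD RULES SS_OUTPUT
# Prints one line per check; the exit status is the number of failed checks.
check_all() {
    fails=0
    if forwarding_enabled "$1"; then echo "ok   net.ipv4.ip_forward=1"
    else echo "FAIL ip_forward is off: add net.ipv4.ip_forward = 1 to /etc/sysctl.conf and apply it"; fails=$((fails+1)); fi
    if nat_rule_present "$2"; then echo "ok   MASQUERADE for $VPN_NET via $WAN_IF"
    else echo "FAIL no MASQUERADE rule for $VPN_NET on $WAN_IF in the nat table"; fails=$((fails+1)); fi
    if forward_path_present "$2"; then echo "ok   FORWARD allows tun+ -> $WAN_IF"
    else echo "FAIL FORWARD chain has no accept for tun+ -> $WAN_IF"; fails=$((fails+1)); fi
    if openvpn_listening "$3"; then echo "ok   openvpn listening on udp/$VPN_PORT"
    else echo "FAIL nothing listening on udp/$VPN_PORT (check systemctl status openvpn@server.service)"; fails=$((fails+1)); fi
    return $fails
}

# gather_and_check -- run the live checks on this server (root needed for iptables-save)
gather_and_check() {
    check_all "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)" "$(ss -tulpn)"
}
```

Run gather_and_check on the server as root; each FAIL line names the step above that needs redoing. A client that reaches the server but cannot resolve names will pass all four checks, so if everything is "ok" look at DNS on the client next.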