OpenVPN on Centos 7

From vpsget wiki
Latest revision as of 20:28, 20 July 2019

We'll show how to install the OpenVPN server side on CentOS 7 and configure the client side.


  • Server side


Install EPEL

yum install epel-release

Install OpenVPN, easy-rsa, a text editor and the iptables service

yum install openvpn easy-rsa nano iptables-services

Create the server conf file

nano /etc/openvpn/server.conf

Add the following lines (paths are relative to /etc/openvpn, the working directory of the openvpn@server.service unit):

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

push "redirect-gateway def1" routes all client traffic through the server, so clients need no redirect-gateway line of their own. comp-lzo turns on link compression; compressing plaintext next to attacker-controlled data acts as an oracle (the VORACLE attack against OpenVPN compression was published in 2018), so drop the directive on both server and clients unless you really need it. Hardening not shown on this page that is worth adding once the basic setup works: tls-auth ta.key 0 on the server (ta.key generated with openvpn --genkey --secret ta.key and copied to every client, which then uses tls-auth ta.key 1) so that unauthenticated UDP packets are discarded before the TLS handshake, and user nobody / group nobody to drop root privileges after start-up.

Generate keys and certificates

  • NOTE : we suggest using the old easy-rsa 2, as it is well documented

The easy-rsa package from EPEL may ship a newer major version, so most likely you'll need to fetch the old easy-rsa 2 release:

wget -O /usr/share/easy-rsa/2 https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
tar xfz /usr/share/easy-rsa/2 -C /usr/share/easy-rsa

tar extracts into the current directory unless told otherwise; -C puts the easy-rsa-old-2.3.3 tree under /usr/share/easy-rsa, which is where the copy below expects it.

#cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/easy-rsa-old-2.3.3/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Before running build-ca, check KEY_SIZE in ./vars: it must be 2048 (or more) so that build-dh produces the dh2048.pem that server.conf references and so that the CA, server and client keys are not 1024-bit. ./clean-all wipes the keys directory, so run it only once, at initial setup; running it again later destroys your CA and every certificate it has issued. After this step the keys directory also holds ca.key, the CA's private key. Everything this VPN will ever trust is signed with it, so keep it on the server with root-only permissions (or move it offline); it is never copied to clients or to /etc/openvpn.

Generate client(s)

cd /etc/openvpn/easy-rsa
./build-key client1
./build-key client2
./build-key client3
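Before handing a client its files it is worth checking what easy-rsa produced. The shell function below is an added example, not part of the original page or of easy-rsa: it verifies that a client certificate chains to ca.crt, that the private key belongs to that certificate (same RSA modulus), that the key is at least 2048 bits (the KEY_SIZE setting from ./vars) and that the certificate has not expired. It assumes the easy-rsa 2 keys directory layout and RSA keys, which is what easy-rsa 2 generates; the keys directory, client name and the 2048-bit threshold are arguments chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page or from easy-rsa): sanity-check a
# freshly built client certificate/key pair before distributing it.
# Assumes the easy-rsa 2 layout: KEYS_DIR/ca.crt, KEYS_DIR/NAME.crt,
# KEYS_DIR/NAME.key, with RSA keys (easy-rsa 2 only generates RSA).

# Usage: check_client_cert KEYS_DIR NAME [MIN_BITS]
# Returns 0 when the cert chains to ca.crt, the key matches the cert, the key
# has at least MIN_BITS (default 2048) and the cert is not expired; 1 otherwise.
check_client_cert() {
    keys="$1"; name="$2"; min_bits="${3:-2048}"
    crt="$keys/$name.crt"; key="$keys/$name.key"; ca="$keys/ca.crt"

    # 1. The certificate must verify against our CA (and nothing else).
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$name: does not chain to $ca" >&2; return 1; }

    # 2. The private key must belong to this certificate: compare RSA moduli.
    m1=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null || true)
    m2=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null || true)
    [ -n "$m1" ] && [ "$m1" = "$m2" ] \
        || { echo "$name: key does not match certificate" >&2; return 1; }

    # 3. Key size. easy-rsa 2 takes it from KEY_SIZE in ./vars; the text dump
    #    reads "Private-Key: (2048 bit" (or "RSA Private-Key: ..." on 1.1.1).
    bits=$(openssl rsa -noout -text -in "$key" 2>/dev/null \
           | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] \
        || { echo "$name: key is ${bits:-?} bits, want >= $min_bits" >&2; return 1; }

    # 4. Not expired: -checkend 0 fails if notAfter is already in the past.
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1 \
        || { echo "$name: certificate expired" >&2; return 1; }
    return 0
}

# Example invocation on the server (paths from this page):
#   check_client_cert /etc/openvpn/easy-rsa/keys client1 && echo "client1: OK"
if [ "$#" -ge 2 ]; then
    check_client_cert "$1" "$2" "${3:-2048}"
fi
```

Run it once per client right after build-key; a failure in step 2 usually means the .crt and .key of two clients were mixed up, and a failure in step 1 means the certificate was issued by a different CA than the one the server trusts.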

Configure firewall (you may use firewalld but we prefer iptables)

systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables.service

venet0 is the public interface of an OpenVZ container; on a KVM or physical host use the interface that carries the default route (ip route show default). Note that iptables --flush removes the rules but leaves the chain policies at ACCEPT, so from this point on the host accepts every inbound packet until you replace the ruleset with one whose INPUT policy is DROP.

you may overwrite the default iptables config or append to it. we'll overwrite here:

cp /etc/sysconfig/iptables.service  /etc/sysconfig/iptables
systemctl restart iptables.service

Enable forwarding

nano /etc/sysctl.conf

Append the following line

net.ipv4.ip_forward = 1

Apply

sysctl -p

sysctl -p applies the file immediately without restarting the network interfaces; confirm with sysctl net.ipv4.ip_forward, which must print 1. Without forwarding, clients connect but cannot reach anything beyond the server.

Start Openvpn

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

_____________________________________________


  • Client Side

Copy the client's files from /etc/openvpn/easy-rsa/keys/ on the server to your PC over SSH (scp). Copy exactly three files: ca.crt, the client's certificate and the client's private key (for the client built as client1 above: client1.crt and client1.key). Do not copy ca.key, server.key or any other client's files; ca.key and server.key never leave the server. Create a folder for the client, let's call it user, put the three files in it and rename them user.crt and user.key if you want to match the config below. Now create the config file, let's call it user.ovpn, and put the following lines into this file:

client
dev tun
proto udp
remote <Your_VPN_SERVER_IP_ADDRESS> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
comp-lzo
verb 4

#the server above pushes "redirect-gateway def1", so all traffic already goes via the VPN;
#only add the next line if your server does not push it:
#redirect-gateway def1

remember that all user files (ca.crt, user.crt, user.key) and your *.ovpn config file should be located in one folder, and that user.key is a private key: keep the folder readable only by your own account. Now you may use this config on your Linux/Mac PC. On Windows you need to install the OpenVPN client first (free) and copy the folder with all files specified above into the installed config folder (refer to the OpenVPN Windows client docs). You may also use these files on your iPhone or Android phone. Just download the OpenVPN app from the app store first (free).
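Shipping three loose files plus a config is error-prone (it is easy to grab ca.key or another client's key by mistake). OpenVPN also accepts the CA certificate, client certificate and key inline inside the .ovpn, which is what the mobile apps prefer. The script below is an added example, not code from the original page or from OpenVPN: it builds such a single-file profile for one client, strips the human-readable dump that easy-rsa 2 prepends to .crt files, refuses to bundle ca.key or the server's identity, and writes the result readable only by its owner. It assumes the easy-rsa 2 keys layout, that the server certificate was made with build-key-server (whose serverAuth extension is what remote-cert-tls server checks, so a stolen client certificate cannot impersonate the server), and a placeholder server address 203.0.113.10 in the usage comment.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenVPN): build a single
# self-contained .ovpn for one client with ca.crt, NAME.crt and NAME.key
# inlined, and refuse to package anything else from the keys directory.
# Assumptions: easy-rsa 2 layout (KEYS_DIR/ca.crt, KEYS_DIR/NAME.crt,
# KEYS_DIR/NAME.key); the server cert was built with build-key-server, so it
# carries the serverAuth extension that remote-cert-tls server checks.

# Keep only the PEM block(s) of a file: easy-rsa 2 .crt files start with a
# human-readable certificate dump that does not belong in the bundle.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Usage: make_ovpn KEYS_DIR NAME SERVER_ADDR SERVER_PORT OUT_FILE
# Returns 1 if a required file is missing, 2 if NAME is not a client.
make_ovpn() {
    keys="$1"; name="$2"; server="$3"; port="$4"; out="$5"

    # The CA key and the server's identity never leave the server.
    case "$name" in
        ''|ca|server) echo "refusing to bundle '$name'" >&2; return 2 ;;
    esac
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -s "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    grep -q 'PRIVATE KEY-----' "$keys/$name.key" \
        || { echo "$keys/$name.key is not a PEM private key" >&2; return 1; }

    # Write with umask 077 inside a subshell: the bundle contains a private
    # key and must not be world-readable; the caller's umask is untouched.
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
EOF
            printf '<ca>\n';   pem_only "$keys/ca.crt";    printf '</ca>\n'
            printf '<cert>\n'; pem_only "$keys/$name.crt"; printf '</cert>\n'
            printf '<key>\n';  pem_only "$keys/$name.key"; printf '</key>\n'
        } > "$out"
    )
}

# Example invocation on the server (paths from this page, placeholder address):
#   make_ovpn /etc/openvpn/easy-rsa/keys client1 203.0.113.10 1194 /root/client1.ovpn
if [ "$#" -eq 5 ]; then
    make_ovpn "$1" "$2" "$3" "$4" "$5"
fi
```

The generated profile is the only file the client needs; copy it over scp and delete the server-side copy once it has been delivered, since it embeds the client's private key. If you keep comp-lzo on the server, add the same line to the generated profile.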

_____________________________________________


  • Troubleshoot


In case you can connect but no Internet access is available, please check your iptables config (and that net.ipv4.ip_forward is 1). For reference we've also shared the full iptables config we use (the same MASQUERADE rule plus explicit filter rules), /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -i venet0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i venet0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT

Two things to be aware of with this ruleset. The OpenVPN rule must match where the daemon actually listens, which is UDP 1194 on the public interface (venet0), not TCP on tun0: tun0 only exists once a tunnel is up and carries the already-decrypted traffic. More importantly, with the INPUT and FORWARD policies at ACCEPT the filter rules are no-ops: every packet is accepted whether or not a rule matches, so this ruleset does not protect the host. Change both policies to DROP and add a rule accepting ESTABLISHED,RELATED traffic (on INPUT and on FORWARD, for the return path of masqueraded client traffic) before relying on it as a firewall.
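For both the firewall step in the server section and the ruleset above, here is a default-deny ruleset generator as an added example; it is not the page's own configuration. gen_ruleset prints an iptables-save file that opens only SSH and the OpenVPN UDP port on the public interface, forwards VPN client traffic out and masquerades it, and drops everything else; ruleset_is_default_deny is the check that the page's ruleset fails. The interface name, VPN subnet, OpenVPN port and SSH port are arguments (venet0, 10.8.0.0/24, 1194 and 22 are the values used on this page). It relies on conntrack state matching, which iptables-services on CentOS 7 provides; some OpenVZ hosts do not expose it to containers, in which case replace -m conntrack --ctstate with -m state --state.

```shell
#!/bin/sh
# Added example (not from the original page): generate a default-deny
# iptables ruleset for the OpenVPN host in iptables-save format, plus a check
# that a saved ruleset really has DROP policies. Assumptions: the public
# interface, VPN subnet, OpenVPN UDP port and SSH port are passed as arguments.

# Usage: gen_ruleset WAN_IF VPN_NET VPN_PORT SSH_PORT
gen_ruleset() {
    wan="$1"; vpn_net="$2"; vpn_port="$3"; ssh_port="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $wan -p tcp -m tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p udp -m udp --dport $vpn_port -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun+ -o $wan -s $vpn_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $vpn_net -o $wan -j MASQUERADE
COMMIT
EOF
}

# Usage: ruleset_is_default_deny FILE
# Returns 0 only when the filter table's INPUT and FORWARD policies are DROP.
# A ruleset with ACCEPT policies (like the one on this page) fails this check:
# its explicit ACCEPT rules change nothing, because unmatched traffic is
# accepted anyway.
ruleset_is_default_deny() {
    grep -q '^:INPUT DROP' "$1" && grep -q '^:FORWARD DROP' "$1"
}

# Example: install the ruleset (as root). iptables-restore --test parses the
# file without loading it, so a typo is caught before the restart.
#   gen_ruleset venet0 10.8.0.0/24 1194 22 > /etc/sysconfig/iptables
#   iptables-restore --test /etc/sysconfig/iptables && systemctl restart iptables.service
if [ "$#" -eq 4 ]; then
    gen_ruleset "$1" "$2" "$3" "$4"
fi
```

Keep an SSH session open while you restart iptables the first time; if the SSH port or interface name is wrong, the DROP policy locks you out, and the open session (matched by ESTABLISHED) is your way back to fix the file.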



Remember to restart iptables after editing the file:

systemctl restart iptables.service

For diagnostic/logs view:

systemctl status iptables.service
systemctl status openvpn@server.service
tail -f /var/log/openvpn.log  
ss -tulpn

View connected clients/stats:

cat /etc/openvpn/openvpn-status.log 


Add more OpenVPN Clients:

cd /etc/openvpn/easy-rsa
source ./vars
./build-key clientXXx

source ./vars is required in every new shell before build-key. Do not run ./clean-all again: it would wipe the existing CA and every issued certificate. Use a unique name per device; easy-rsa indexes certificates by Common Name and by default refuses to issue a second certificate with the same name, and a certificate shared between users cannot be revoked for one of them without cutting off the others.