OpenVPN on Centos 7
Latest revision as of 20:28, 20 July 2019
We'll show how to install OpenVPN server side and configure the client side.
- Server side
Install EPEL
yum install epel-release
Install OpenVPN, text editor and iptables services
yum install openvpn easy-rsa nano iptables-services
Create the server conf file
nano /etc/openvpn/server.conf
Add the following lines:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Generate keys and certificates
- NOTE: we suggest using the old easy-rsa 2 as it is well documented,
so most likely you'll need to wget the old easy-rsa (extract it with -C so the archive lands under /usr/share/easy-rsa, where the cp below expects it):
wget -O /usr/share/easy-rsa/2 https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
tar xfz /usr/share/easy-rsa/2 -C /usr/share/easy-rsa
#cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/easy-rsa-old-2.3.3/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
Generate client(s)
cd /etc/openvpn/easy-rsa
./build-key client1
./build-key client2
./build-key client3
Configure firewall (you may use firewalld but we prefer iptables)
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables.service
You may overwrite the default iptables config or append to it; we'll overwrite here:
cp /etc/sysconfig/iptables.service /etc/sysconfig/iptables
systemctl restart iptables.service
Enable forwarding
nano /etc/sysctl.conf
Append the following line
net.ipv4.ip_forward = 1
Apply
systemctl restart network.service
Start Openvpn
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
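Before starting the service it is worth checking that the server side above is complete: every file named in server.conf exists where OpenVPN will look for it, the private key is not world-readable, and IP forwarding is switched on (without it the pushed redirect-gateway leaves clients connected but without Internet). The script below is an added example, not part of the wiki page; the function name check_openvpn_server and the demo directory with placeholder files are assumptions. It relies on the EPEL openvpn@.service unit running openvpn with --cd /etc/openvpn, so relative paths in server.conf resolve under that directory.

```shell
#!/bin/sh
# Added example: pre-flight check of the server setup described above, run
# before "systemctl start openvpn@server.service". Not part of the wiki page;
# check_openvpn_server and the demo directory below are assumptions.
#
# check_openvpn_server CONFDIR [SYSCTL_CONF]
#   CONFDIR      directory holding server.conf and the ca/cert/key/dh files
#                (/etc/openvpn on this page)
#   SYSCTL_CONF  file that must contain net.ipv4.ip_forward = 1 (default /etc/sysctl.conf)
# Prints one line per problem found and returns 1 if there was any, else 0.
check_openvpn_server() {
    dir="$1"; sysctl_conf="${2:-/etc/sysctl.conf}"; rc=0
    conf="$dir/server.conf"
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    # every file-valued directive must point at an existing file
    for directive in ca cert key dh; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "server.conf: no '$directive' directive"; rc=1; continue
        fi
        case "$file" in /*) path="$file" ;; *) path="$dir/$file" ;; esac
        if [ ! -f "$path" ]; then
            echo "server.conf: $directive $file -> $path does not exist"; rc=1
        elif [ "$directive" = key ] && [ -n "$(find "$path" -perm -004)" ]; then
            # -perm -004: the "others" read bit is set
            echo "$path is world-readable; run: chmod 600 $path"; rc=1
        fi
    done
    # redirect-gateway sends all client traffic via the server, so forwarding must be on
    if grep -q 'redirect-gateway' "$conf" &&
       ! grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$sysctl_conf" 2>/dev/null; then
        echo "net.ipv4.ip_forward = 1 is not set in $sysctl_conf"; rc=1
    fi
    return $rc
}

# Demo against a constructed directory with placeholder (not real) key files.
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
EOF
for f in ca.crt server.crt server.key dh2048.pem; do echo placeholder > "$demo/$f"; done
chmod 600 "$demo/server.key"
echo 'net.ipv4.ip_forward = 1' > "$demo/sysctl.conf"
check_openvpn_server "$demo" "$demo/sysctl.conf" && echo "server setup looks complete"
```

On a real host run it as check_openvpn_server /etc/openvpn; the demo directory only exists so the script can be run without touching the system.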
_____________________________________________
- Client Side
Copy the client key files from /etc/openvpn/easy-rsa/keys/ to your PC.
Create a folder for the client, let's call it user, and put all files from the keys folder into it except the keys of other clients (do not copy the user2.* files, for example).
Now create the config file, let's call it user.ovpn, and put the following lines into it:
client
dev tun
proto udp
remote <Your_VPN_SERVER_IP_ADDRESS> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
comp-lzo
verb 4

#if you like to route all traffic via openvpn server:
#redirect-gateway
Remember that all user files (ca.crt, user.crt, user.key) and your *.ovpn config file should be located in one folder.
Now you may use this config on your Linux/Mac PC. On Windows you need to install the OpenVPN client first (free) and copy the folder with all the files specified above into the installed client's config folder (refer to the OpenVPN Windows client docs). You may also use these files on your iPhone or Android phone: just download the OpenVPN app from the app store first (free).
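The client needs exactly the three files the config references (ca.crt, user.crt, user.key); ca.key and server.key stay on the server. Instead of shipping those three files next to user.ovpn, OpenVPN can carry them inline inside the .ovpn between <ca>, <cert> and <key> tags, which leaves one file to copy to a phone or laptop and works with the same Windows, Linux, Mac and mobile clients. The script below builds such a file from an easy-rsa 2 keys directory. It is an added example, not part of the wiki page; the function name make_inline_ovpn, the demo directory and the placeholder PEM contents are assumptions.

```shell
#!/bin/sh
# Added example: bundle a client's CA cert, cert and key into one .ovpn file.
# Not part of the wiki page; make_inline_ovpn and the demo below are assumptions.

# easy-rsa 2 writes a human-readable dump above the PEM block in .crt files;
# the client only needs the block between the BEGIN/END lines.
pem_only() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"; }

# make_inline_ovpn NAME KEYDIR SERVER OUTFILE
#   NAME    common name passed to ./build-key (e.g. user)
#   KEYDIR  easy-rsa 2 keys directory holding ca.crt, NAME.crt, NAME.key
#   SERVER  the VPN server's public IP address or hostname
#   OUTFILE the .ovpn file to write
make_inline_ovpn() {
    name="$1"; keydir="$2"; server="$3"; out="$4"
    for f in "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key"; do
        [ -r "$f" ] || { echo "make_inline_ovpn: missing $f" >&2; return 1; }
    done
    {
        # same directives as the user.ovpn above, minus the ca/cert/key file names
        printf '%s\n' client "dev tun" "proto udp" "remote $server 1194" \
            "resolv-retry infinite" nobind persist-key persist-tun comp-lzo "verb 4"
        printf '%s\n' "#if you like to route all traffic via openvpn server:" "#redirect-gateway"
        echo "<ca>";   pem_only "$keydir/ca.crt";    echo "</ca>"
        echo "<cert>"; pem_only "$keydir/$name.crt"; echo "</cert>"
        echo "<key>";  cat "$keydir/$name.key";      echo "</key>"
    } > "$out"
    chmod 600 "$out"   # the file now embeds the private key; keep it private
}

# Demo with constructed placeholder files (not real certificates or keys).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' 'USER-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo_dir/user.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$demo_dir/user.key"
make_inline_ovpn user "$demo_dir" 192.0.2.10 "$demo_dir/user.ovpn" && cat "$demo_dir/user.ovpn"
```

On the server you would call it as make_inline_ovpn client1 /etc/openvpn/easy-rsa/keys <Your_VPN_SERVER_IP_ADDRESS> client1.ovpn and hand over only client1.ovpn.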
_____________________________________________
- Troubleshoot
In case you can connect but have no Internet access, please check your iptables config.
Just in case, we've also shared an alternate iptables config (no MASQUERADE used)
/etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i venet0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
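"Connected but no Internet" almost always comes down to two rules: the nat POSTROUTING MASQUERADE for the 10.8.0.0/24 VPN network on the outbound interface, and a FORWARD chain that lets tun traffic out (in both configs on this page the FORWARD policy is ACCEPT, so the explicit -A FORWARD rule is not what admits the traffic; with a DROP policy you would also need an ESTABLISHED rule for the replies). The script below reads a file in iptables-save format and reports which of the two is missing. It is an added example, not part of the wiki page; the function name check_vpn_forwarding and the sample configs are assumptions.

```shell
#!/bin/sh
# Added example: check an iptables-save style config for the rules that give
# VPN clients Internet access through the server. Not part of the wiki page;
# check_vpn_forwarding and the sample configs below are assumptions.
#
# check_vpn_forwarding CONFIG VPN_NET WAN_IF
#   CONFIG   file in iptables-save format (e.g. /etc/sysconfig/iptables)
#   VPN_NET  the "server" network, 10.8.0.0/24 on this page
#   WAN_IF   the outbound interface, venet0 on this page
# Returns 0 when both are present, else prints what is missing and returns 1:
#   1. nat POSTROUTING masquerades/SNATs VPN_NET out of WAN_IF
#   2. filter FORWARD passes tun -> WAN_IF traffic (policy ACCEPT, or an explicit
#      outbound rule plus an ESTABLISHED rule for the return traffic)
check_vpn_forwarding() {
    awk -v net="$2" -v wan="$3" '
        /^\*/ { table = substr($0, 2); next }      # *filter / *nat start a table
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" &&
            index($0, "-s " net) && index($0, "-o " wan) &&
            ($0 ~ /-j MASQUERADE/ || $0 ~ /-j SNAT/)            { nat = 1 }
        table == "filter" && $1 == ":FORWARD"                     { policy = $2 }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" &&
            index($0, "-i tun") && index($0, "-o " wan) && $0 ~ /-j ACCEPT/ { out = 1 }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" &&
            $0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/                { back = 1 }
        END {
            ok = 1
            if (policy == "") policy = "(not set)"
            if (!nat) {
                print "missing: nat POSTROUTING MASQUERADE/SNAT for " net " via " wan
                ok = 0
            }
            if (policy != "ACCEPT" && !(out && back)) {
                print "missing: FORWARD policy is " policy " and the tun->" wan " / ESTABLISHED accept rules are incomplete"
                ok = 0
            }
            if (ok) exit 0
            exit 1
        }' "$1"
}

# Demo: the essential part of the config shown above, written to a temp file.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -o venet0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
EOF
check_vpn_forwarding "$demo_cfg" 10.8.0.0/24 venet0 && echo "OK: clients can reach the Internet via venet0"
```

Run it against the live ruleset with iptables-save | check_vpn_forwarding /dev/stdin 10.8.0.0/24 venet0, or against /etc/sysconfig/iptables to check what will be loaded at the next restart.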
Remember to restart iptables:
systemctl restart iptables.service
For diagnostic/logs view:
systemctl status iptables.service
systemctl status openvpn@server.service
tail -f /var/log/openvpn.log
ss -tulpn
View connected clients/stats:
cat /etc/openvpn/openvpn-status.log
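The status file written by the "status openvpn-status.log" directive in server.conf has a CLIENT LIST section (one row per connected client with its public address and byte counters) followed by a ROUTING TABLE section (the 10.8.0.x address each client was given). The script below joins the two into one line per client, which is handier than cat when you want to see who is on the VPN and from where. It is an added example, not part of the wiki page; the function names list_vpn_clients and vpn_client_count and the sample status log (constructed in the default status format, version 1) are assumptions.

```shell
#!/bin/sh
# Added example: list the clients currently connected, read from the
# openvpn-status.log that the "status openvpn-status.log" server directive
# writes (default status format, version 1). Not part of the wiki page;
# list_vpn_clients, vpn_client_count and the sample log below are assumptions.
#
# list_vpn_clients STATUSFILE
#   prints one line per client: <common name> <real address> <VPN address> rx=<bytes> tx=<bytes>
list_vpn_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/    { sect = "clients"; next }
        /^ROUTING TABLE/          { sect = "routes";  next }
        /^GLOBAL STATS/ || /^END/ { sect = "";        next }
        # client rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        sect == "clients" && NF == 5 && $1 != "Common Name" {
            real[$1] = $2; rx[$1] = $3; tx[$1] = $4
        }
        # routing rows: Virtual Address,Common Name,Real Address,Last Ref
        sect == "routes" && NF == 4 && $1 != "Virtual Address" { vip[$2] = $1 }
        END {
            for (cn in real) {
                v = (cn in vip) ? vip[cn] : "-"
                printf "%s %s %s rx=%s tx=%s\n", cn, real[cn], v, rx[cn], tx[cn]
            }
        }' "$1"
}

# vpn_client_count STATUSFILE: number of connected clients
vpn_client_count() { list_vpn_clients "$1" | grep -c .; }

# Demo with a constructed status log (addresses from the documentation ranges).
demo_status=$(mktemp)
cat > "$demo_status" <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Jul 20 20:28:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.7:41234,33120,51900,Sat Jul 20 19:30:00 2019
client2,203.0.113.9:50011,1204,2088,Sat Jul 20 20:15:42 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,198.51.100.7:41234,Sat Jul 20 20:27:50 2019
10.8.0.10,client2,203.0.113.9:50011,Sat Jul 20 20:27:58 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
list_vpn_clients "$demo_status"
```

On the server use list_vpn_clients /etc/openvpn/openvpn-status.log; a common name that shows up with a real address you do not recognise is a reason to revoke that client's certificate.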
Add more OpenVPN Clients:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key clientXXx