Difference between revisions of "OpenVPN on Centos 7"

From vpsget wiki
Latest revision as of 20:28, 20 July 2019

This page shows how to install and configure the OpenVPN server on CentOS 7 and how to set up the clients.


  • Server side


Install EPEL

yum install epel-release

Install OpenVPN, easy-rsa, a text editor and the iptables service

yum install openvpn easy-rsa nano iptables-services

Create the server conf file

nano /etc/openvpn/server.conf

Add the following lines:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Notes on this config: push "redirect-gateway def1" already routes all client traffic through the VPN, so the commented redirect-gateway line in the client config below is not needed. When you route everything through the VPN, push a resolver as well (push "dhcp-option DNS <resolver_IP>"), otherwise clients whose DNS server is only reachable on their own LAN lose name resolution. comp-lzo enables compression, which OpenVPN has deprecated because compressed VPN traffic is exposed to the VORACLE attack; leave it out of server.conf and of the client configs unless you really need it (both sides must agree). The ca, cert, key, dh and status paths are relative to /etc/openvpn, the working directory of the openvpn@server unit. For anything beyond a personal server also add user nobody and group nobody, so the daemon drops root after start-up, and a tls-auth or tls-crypt key, so packets without it are dropped before the TLS handshake.

Generate keys and certificates

  • NOTE : we suggest using the old easy-rsa 2 because it is well documented.

Current EPEL builds of easy-rsa are version 3 and no longer contain the 2.0 directory, so most likely you will need to download the old easy-rsa 2 release and unpack it next to the package (the -C flag matters: without it tar unpacks into whatever directory you happen to be in and the cp below finds nothing):

wget -O /usr/share/easy-rsa/2 https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
tar xfz /usr/share/easy-rsa/2 -C /usr/share/easy-rsa

# with the packaged easy-rsa 2.0 (older EPEL) this single copy was enough:
#cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/easy-rsa-old-2.3.3/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

Before sourcing vars, edit it and set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to your own values; KEY_SIZE stays at 2048, which is what the dh2048.pem name below expects. Then, all in the same shell:

source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

clean-all wipes the keys directory, so run it only once, when you create the CA. When build-key-server asks, use "server" as the Common Name and answer y to sign and commit the certificate. server.key and ca.key are the secrets of this setup: ca.key stays in /etc/openvpn/easy-rsa/keys, readable by root only, and neither of them is ever copied to a client.

Generate client(s)

Still in the shell where you sourced vars (otherwise run source ./vars again), generate one certificate per device or person; the name you pass becomes the certificate's Common Name and the file names in keys/:

cd /etc/openvpn/easy-rsa
./build-key client1
./build-key client2
./build-key client3

build-key produces an unencrypted key; use ./build-key-pass instead if the client should have to enter a passphrase (laptops and phones that can be lost). Do not share one certificate between devices: without duplicate-cn in server.conf the second connection with the same name disconnects the first, and you lose the ability to revoke a single device.

Configure firewall (you may use firewalld but we prefer iptables)

Replace venet0 with your public interface: venet0 on OpenVZ containers, usually eth0 on KVM (ip route show default prints it).

systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables.service

Be aware of what this saves: iptables --flush only empties the filter table (add -t nat to clear old NAT rules too) and leaves every chain at its default ACCEPT policy, so the saved ruleset does NAT for the VPN and nothing else; every port on the server stays reachable from the Internet. Add INPUT rules for the services you actually expose before saving, or at least keep sshd protected another way.

The iptables service loads /etc/sysconfig/iptables at start. You may overwrite that file with the saved ruleset or append the rules to it; we overwrite here:

cp /etc/sysconfig/iptables.service  /etc/sysconfig/iptables
systemctl restart iptables.service

Enable forwarding

Without this the server accepts VPN connections but drops the clients' packets instead of routing them to the Internet.

nano /etc/sysctl.conf

Append the following line

net.ipv4.ip_forward = 1

Apply it now (the file is read again at every boot); sysctl prints the setting it applied:

sysctl -p

Start OpenVPN (the openvpn@server unit runs /etc/openvpn/server.conf, so the instance name must match the config file name):

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

_____________________________________________


  • Client Side

Copy the client's files from /etc/openvpn/easy-rsa/keys/ on the server to your PC: ca.crt plus the client's own certificate and key (user.crt and user.key if you generated the client with ./build-key user). Copy nothing else: ca.key, server.key and the other clients' *.key files must never leave the server. Create a folder for the client, let's call it user, put those three files in it, then create the config file user.ovpn in the same folder with the following lines:

client
dev tun
proto udp
remote <Your_VPN_SERVER_IP_ADDRESS> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
comp-lzo
verb 4

# The server.conf above already pushes "redirect-gateway def1", so all traffic
# goes through the VPN without this; uncomment it only if you drop that push.
#redirect-gateway def1

Remember that all of the client's files (ca.crt, user.crt, user.key) and the *.ovpn config must sit in one folder, because the config names them without a path. Adding remote-cert-tls server to the config is cheap insurance: the client then checks that the server certificate was issued with build-key-server, so a stolen client certificate cannot be used to impersonate the server. You can now use this config on Linux or macOS (openvpn --config user.ovpn). On Windows, install the free OpenVPN client first and copy the folder with all the files above into its config directory (refer to the OpenVPN Windows client docs). The same files work on iPhone and Android: install the free OpenVPN Connect app from the app store first.
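Keeping three files next to the .ovpn is the usual source of "cannot read ca.crt" errors on phones and Windows. OpenVPN also accepts the certificates inline inside the config, so the whole client identity can be one file. The script below is an added example for this page (not part of OpenVPN or easy-rsa); it assumes the client name as given to ./build-key, the server's public address, and optionally the easy-rsa keys directory. It refuses to bundle the "ca" or "server" identities, strips the human-readable dump that easy-rsa 2 writes above the PEM block in each .crt, and adds remote-cert-tls server as recommended above.

```bash
#!/bin/bash
# make_ovpn: build one self-contained .ovpn for a client by embedding ca.crt,
# <name>.crt and <name>.key inline. Added example for this page, not part of
# OpenVPN or easy-rsa. Assumed inputs: the client name (as given to
# ./build-key), the server's public IP or hostname, and optionally the
# easy-rsa keys directory (default /etc/openvpn/easy-rsa/keys).
make_ovpn() {
    local name=$1 server=$2 keys_dir=${3:-/etc/openvpn/easy-rsa/keys}
    local ca="$keys_dir/ca.crt" crt="$keys_dir/$name.crt" key="$keys_dir/$name.key"

    # ca.key and server.key must never leave the server: refuse these names
    # so a typo cannot bundle them.
    case "$name" in
        ca|server) echo "refusing to bundle '$name': not a client identity" >&2; return 1 ;;
    esac
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$crt" || { echo "$crt is not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"      || { echo "$key is not a PEM private key" >&2; return 1; }

    # easy-rsa 2's build-key writes a human-readable dump above the PEM block
    # in the .crt; keep only the PEM part.
    pem() { sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"; }

    # comp-lzo is kept only because the wiki's server.conf uses it; remove it
    # on both sides when you can (compressed VPN traffic is what VORACLE attacks).
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem "$ca" CERTIFICATE)
</ca>
<cert>
$(pem "$crt" CERTIFICATE)
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Usage on the server: make_ovpn client1 203.0.113.10 > client1.ovpn
# then hand client1.ovpn to the user over a secure channel and delete the copy.
if [ $# -ge 2 ]; then
    make_ovpn "$@"
fi
```

The resulting file contains the client's private key, so treat it like a password: transfer it over SSH or another authenticated channel, not by plain e-mail, and remove the server-side copy once delivered.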

_____________________________________________


  • Troubleshoot


In case you can connect but have no Internet access, check that net.ipv4.ip_forward is 1 and look at your iptables config. For reference, here is the complete /etc/sysconfig/iptables from our server (NAT is done by the MASQUERADE rule in the nat table; the filter rules list SSH, the VPN port, GRE and ICMP, which is what the INPUT chain would enforce if its policy were DROP):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
# OpenVPN listens on UDP 1194 on the public interface, not on tun0/tcp
-A INPUT -i venet0 -p udp -m udp --dport 1194 -j ACCEPT
# GRE is only needed if you also run PPTP on this host
-A INPUT -i venet0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT

Note that with ACCEPT as the policy of every chain the INPUT rules above change nothing; once you have confirmed that SSH and the VPN still work, switch the INPUT and FORWARD policies to DROP and add an ESTABLISHED,RELATED rule so that reply traffic is still let in.



Remember to restart iptables after editing the file:

systemctl restart iptables.service
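Both the ruleset saved in the firewall section and the reference /etc/sysconfig/iptables above keep ACCEPT policies on every chain, so neither restricts access to the server. The function below is an added example for this page (not the wiki's own config): it prints an iptables-save ruleset with DROP policies on INPUT and FORWARD that allows only SSH, the OpenVPN port, and the forwarding and NAT the VPN needs. It assumes the public interface is passed as the first argument (venet0 on OpenVZ, eth0 on most KVM guests), the SSH port as the optional second and the OpenVPN UDP port as the optional third; 10.8.0.0/24 is the subnet from server.conf.

```bash
#!/bin/bash
# openvpn_rules: print an iptables-save ruleset for the VPN server with DROP
# policies on INPUT and FORWARD. Added example for this page, not the wiki's
# own /etc/sysconfig/iptables. Assumptions: $1 is the public interface
# (venet0 on OpenVZ, eth0 on most KVM guests), $2 the SSH port (default 22),
# $3 the OpenVPN UDP port (default 1194); 10.8.0.0/24 is the subnet from
# server.conf. Lines starting with # are ignored by iptables-restore.
openvpn_rules() {
    local wan=$1 ssh_port=${2:-22} vpn_port=${3:-1194} vpn_net=10.8.0.0/24
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the server itself started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# the only two services exposed on the public interface
-A INPUT -i $wan -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p udp --dport $vpn_port -j ACCEPT
# VPN clients may go out to the Internet; only replies may come back in
-A FORWARD -i tun+ -o $wan -s $vpn_net -j ACCEPT
-A FORWARD -i $wan -o tun+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# source NAT for the VPN subnet, the same rule as in the wiki
-A POSTROUTING -s $vpn_net -o $wan -j MASQUERADE
COMMIT
EOF
}

# Usage: openvpn_rules venet0 > /etc/sysconfig/iptables
#        iptables-restore --test < /etc/sysconfig/iptables && systemctl restart iptables.service
if [ $# -ge 1 ]; then
    openvpn_rules "$@"
fi
```

Apply it from the console or with a second SSH session open: a wrong SSH port in a DROP-policy ruleset locks you out. If VPN clients need a service running on the server itself (a resolver listening on 10.8.0.1, for example), add an INPUT rule on tun+ for that port; the ruleset above only forwards client traffic to the Internet.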

For diagnostics and logs (ss should list openvpn bound to UDP 1194):

systemctl status iptables.service
systemctl status openvpn@server.service
tail -f /var/log/openvpn.log  
ss -tulpn

View connected clients/stats:

cat /etc/openvpn/openvpn-status.log 
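The status file is rewritten by the server every minute and has two sections, a client list and a routing table, keyed by the certificate's Common Name. The function below, an added example for this page rather than an OpenVPN tool, joins the two sections into one line per connected client. Given an optional file of the common names you actually issued (one per line, for instance taken from easy-rsa's keys/index.txt), it flags any other CN as UNEXPECTED; with certificate-only authentication that would mean a certificate you did not issue, which is worth an alert. The sample log embedded in the script is constructed for the example, not captured from a real server.

```bash
#!/bin/bash
# status_clients: one line per connected client from openvpn-status.log
# (status-version 1, the format produced by the wiki's "status" line), joining
# the CLIENT LIST and ROUTING TABLE sections. Added example for this page,
# not an OpenVPN tool. Optional $2 is an allowlist of the common names you
# issued, one per line; any other CN is flagged UNEXPECTED.
status_clients() {
    local log=$1 expected=${2:-}
    awk -F, -v expected="$expected" '
        BEGIN {
            if (expected != "") {
                while ((getline cn < expected) > 0) ok[cn] = 1
                close(expected)
            }
        }
        /^OpenVPN CLIENT LIST/ { section = "clients"; next }
        /^ROUTING TABLE/       { section = "routes";  next }
        /^GLOBAL STATS/        { section = "";        next }
        # CLIENT LIST rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        section == "clients" && $1 != "Updated" && $1 != "Common Name" {
            real[$1] = $2; rx[$1] = $3; tx[$1] = $4; since[$1] = $5
        }
        # ROUTING TABLE rows: Virtual Address,Common Name,Real Address,Last Ref
        section == "routes" && $1 != "Virtual Address" { vip[$2] = $1 }
        END {
            for (cn in real) {
                flag = (expected != "" && !(cn in ok)) ? " UNEXPECTED" : ""
                printf "%s %s %s rx=%s tx=%s since=%s%s\n",
                       cn, vip[cn], real[cn], rx[cn], tx[cn], since[cn], flag
            }
        }
    ' "$log" | sort
}

# Constructed sample in the status-version 1 layout (not captured from a
# real server), so the function can be tried without a running OpenVPN.
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Jul 20 20:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,Sat Jul 20 19:50:00 2019
client2,198.51.100.7:40001,100,200,Sat Jul 20 19:55:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.5:51234,Sat Jul 20 19:59:00 2019
10.8.0.10,client2,198.51.100.7:40001,Sat Jul 20 19:59:30 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Usage on the server: status_clients /etc/openvpn/openvpn-status.log issued-cns.txt
if [ $# -ge 1 ]; then
    status_clients "$@"
fi
```

Run it from cron with the allowlist and mail any line containing UNEXPECTED; a CN you never issued on a certificate-only server points at a leaked ca.key, not at a misconfiguration.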


Add more OpenVPN clients:

cd /etc/openvpn/easy-rsa
source ./vars
./build-key clientXXx

Replace clientXXx with the client's name, and do not run ./clean-all again: it would wipe the CA and every certificate it has issued. To revoke a client whose key may have leaked, run ./revoke-full clientXXx in the same directory, copy the resulting keys/crl.pem to /etc/openvpn, add crl-verify crl.pem to server.conf and restart the service; the server then rejects that certificate even though it has not expired.