Difference between revisions of "OpenVPN on Centos 7"
(3 intermediate revisions by 2 users not shown)
Line 30: | Line 30: | ||
verb 3 | verb 3 | ||
Generate keys and certificates | Generate keys and certificates | ||
− | cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa | + | |
+ | *NOTE : we suggest to use old easy-rsa 2 as it well documented | ||
+ | so most likely you'll need to wget olde easy rsa: | ||
+ | wget -O /usr/share/easy-rsa/2 https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz | ||
+ | tar xfz /usr/share/easy-rsa/2 | ||
+ | |||
+ | |||
+ | #cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa | ||
+ | cp -rf /usr/share/easy-rsa/easy-rsa-old-2.3.3/easy-rsa/2.0 /etc/openvpn/easy-rsa | ||
cd /etc/openvpn/easy-rsa | cd /etc/openvpn/easy-rsa | ||
source ./vars | source ./vars | ||
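Review bot: the added `tar xfz /usr/share/easy-rsa/2` line unpacks into whatever the current working directory happens to be, while the new `cp -rf /usr/share/easy-rsa/easy-rsa-old-2.3.3/easy-rsa/2.0 /etc/openvpn/easy-rsa` line assumes the archive was unpacked under /usr/share/easy-rsa; add `-C /usr/share/easy-rsa` to the tar command (or cd there first) so the two lines agree. The tarball is also fetched and extracted with no integrity check even though the CA that every client and the server will trust is generated with this code; verify a checksum or signature of the 2.3.3 archive before extracting. Wording in the note: "olde easy rsa" and "as it well documented" should read "the old easy-rsa release" and "as it is well documented".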
Line 38: | Line 46: | ||
./build-dh | ./build-dh | ||
cd /etc/openvpn/easy-rsa/keys | cd /etc/openvpn/easy-rsa/keys | ||
− | cp dh2048.pem ca.crt server.crt server.key /etc/openvpn | + | cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/ |
Generate client(s) | Generate client(s) | ||
cd /etc/openvpn/easy-rsa | cd /etc/openvpn/easy-rsa | ||
Line 88: | Line 96: | ||
comp-lzo | comp-lzo | ||
verb 4 | verb 4 | ||
+ | |||
+ | #if you like to route all traffic via openvpn server: | ||
+ | #redirect-gateway | ||
remember that all user files (user crt, user.key, user,crt) and your *.ovpn config file should be located in one folder. | remember that all user files (user crt, user.key, user,crt) and your *.ovpn config file should be located in one folder. | ||
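Review bot: the added `#redirect-gateway` hint duplicates what the server already does (server.conf in this page has `push "redirect-gateway def1"`), so uncommenting it on the client is only needed if that push is removed; if it is used, it should be `redirect-gateway def1` rather than the bare form, because without def1 OpenVPN deletes the existing default route and installs one via the tunnel, whereas def1 adds two /1 routes on top of the untouched default route. The unchanged context line still lists the files as "user crt, user.key, user,crt"; the files the config actually references are ca.crt, user.crt and user.key.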
Line 135: | Line 146: | ||
View connected clients/stats: | View connected clients/stats: | ||
cat /etc/openvpn/openvpn-status.log | cat /etc/openvpn/openvpn-status.log | ||
+ | |||
+ | |||
+ | |||
+ | Add more OpenVPN Clients: | ||
+ | |||
+ | cd /etc/openvpn/easy-rsa | ||
+ | source ./vars | ||
+ | ./build-key clientXXx | ||
+ | |||
[[Category:Linux]] | [[Category:Linux]] |
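Review bot: the new "Add more OpenVPN Clients" section stops at `./build-key clientXXx`; it should also say that ca.crt, clientXXx.crt and clientXXx.key then have to be copied out of /etc/openvpn/easy-rsa/keys/ and paired with an .ovpn as described under "Client Side", otherwise the reader is left with a certificate and no usable client. It is also the only client-generation block on the page that runs `source ./vars` first; the earlier "Generate client(s)" block relies on vars still being sourced from the server-key step, so either add `source ./vars` there too or note here that it is required whenever a new shell is used.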
Latest revision as of 20:28, 20 July 2019
We'll show how to install the OpenVPN server side and configure the client side.
- Server side
Install EPEL
yum install epel-release
Install OpenVPN, easy-rsa, a text editor and the iptables service
yum install openvpn easy-rsa nano iptables-services
Create the server conf file
nano /etc/openvpn/server.conf
Add the following lines:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Generate keys and certificates
- NOTE: we suggest using the old easy-rsa 2, as it is well documented,
so most likely you'll need to wget the old easy-rsa release:
wget -O /usr/share/easy-rsa/2 https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
# extract under /usr/share/easy-rsa, which is where the cp below expects the tree
tar xfz /usr/share/easy-rsa/2 -C /usr/share/easy-rsa
#cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/easy-rsa-old-2.3.3/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
Generate client(s)
cd /etc/openvpn/easy-rsa
./build-key client1
./build-key client2
./build-key client3
Configure the firewall (you may use firewalld, but we prefer iptables)
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
# venet0 is the OpenVZ uplink interface; on other hosts use your own public interface (e.g. eth0)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables.service
You may overwrite the default iptables config or append to it. We'll overwrite here:
cp /etc/sysconfig/iptables.service /etc/sysconfig/iptables
systemctl restart iptables.service
Enable forwarding
nano /etc/sysctl.conf
Append the following line:
net.ipv4.ip_forward = 1
Apply it:
systemctl restart network.service
Start OpenVPN
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
_____________________________________________
- Client Side
Copy the client key files from /etc/openvpn/easy-rsa/keys/ to your PC. Create a folder for the client (let's call it user) and put all files from the keys folder into it, except the keys of other clients (do not copy the user2.* files, for example). Now create the config file, let's call it user.ovpn, and put the following lines into it:
client
dev tun
proto udp
remote <Your_VPN_SERVER_IP_ADDRESS> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
comp-lzo
verb 4
#if you like to route all traffic via openvpn server:
#redirect-gateway
Remember that all user files (ca.crt, user.crt, user.key) and your *.ovpn config file should be located in one folder. Now you may use this config on your Linux/Mac PC. On Windows you need to install the OpenVPN client first (free) and copy the folder with all the files listed above into the client's config folder (refer to the OpenVPN Windows client docs). You may also use these files on your iPhone or Android phone. Just download the OpenVPN app from the store first (free).
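As an added example (not from this wiki page), the "everything in one folder" requirement can be avoided by embedding ca.crt, the client certificate and the client key inline in a single .ovpn; the function below builds one from the easy-rsa 2 keys directory used above, and make_demo_keys only writes constructed placeholder files for a dry run.

```shell
# Build one self-contained .ovpn with <ca>, <cert> and <key> inline blocks.
# Assumes the easy-rsa 2 layout: <keys_dir>/ca.crt, <keys_dir>/<user>.crt, <keys_dir>/<user>.key
pem_only() {                      # keep only the PEM body; easy-rsa 2 .crt files
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"   # start with a text dump of the cert
}

make_inline_ovpn() {              # make_inline_ovpn <keys_dir> <user> <server_ip>
    keys_dir=$1 user=$2 server=$3
    for f in ca.crt "$user.crt" "$user.key"; do
        [ -r "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
<ca>
$(pem_only "$keys_dir/ca.crt")
</ca>
<cert>
$(pem_only "$keys_dir/$user.crt")
</cert>
<key>
$(pem_only "$keys_dir/$user.key")
</key>
EOF
}

make_demo_keys() {                # constructed stand-ins for a dry run, NOT real key material
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-USER-CERT' '-----END CERTIFICATE-----' > "$1/user.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-USER-KEY' '-----END PRIVATE KEY-----' > "$1/user.key"
}
```

Write the result with a restrictive umask, e.g. `(umask 077; make_inline_ovpn /etc/openvpn/easy-rsa/keys user 203.0.113.10 > user.ovpn)`, since the file now carries the private key.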
_____________________________________________
- Troubleshoot
In case you can connect but have no Internet access, please check your iptables config.
Just in case, we've also shared an alternate iptables config (no MASQUERADE used)
/etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i venet0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
Remember to restart iptables (a start followed by a stop would leave it stopped):
systemctl restart iptables.service
For diagnostic/logs view:
systemctl status iptables.service
systemctl status openvpn@server.service
tail -f /var/log/openvpn.log
ss -tulpn
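For the "connected but no Internet" case above, this added check (not from the wiki page) tests the two usual culprits, net.ipv4.ip_forward and the MASQUERADE rule for the VPN subnet, against text you pass in, so it can be run on live or captured output; the DEMO_RULES_* strings are constructed iptables-save snippets, not captures from a real host.

```shell
# Real usage (assumed host values):
#   vpn_forwarding_check "$(sysctl -n net.ipv4.ip_forward)" "$(iptables-save)" 10.8.0.0/24 venet0
vpn_forwarding_check() {   # <ip_forward value> <iptables-save output> <vpn subnet> <wan iface>
    fwd=$1 rules=$2 subnet=$3 wan=$4 bad=0
    [ "$fwd" = 1 ] || { echo "net.ipv4.ip_forward is '$fwd', expected 1"; bad=1; }
    printf '%s\n' "$rules" | grep -qF -- "-A POSTROUTING -s $subnet -o $wan -j MASQUERADE" \
        || { echo "nat table has no MASQUERADE rule for $subnet out of $wan"; bad=1; }
    # Both configs on this page keep FORWARD at ACCEPT; with a DROP policy an
    # explicit tun+ -> $wan ACCEPT rule is needed as well, so check for that case.
    if printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -i tun+ -o $wan -j ACCEPT" \
            || { echo "FORWARD policy is DROP and no tun+ -> $wan ACCEPT rule exists"; bad=1; }
    fi
    [ "$bad" -eq 0 ] && echo "forwarding and NAT look fine for $subnet via $wan"
    return "$bad"
}

# Constructed iptables-save snippets for a dry run (not captured from a real host).
DEMO_RULES_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
DEMO_RULES_NONAT='*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun+ -o venet0 -j ACCEPT
COMMIT'
```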
View connected clients/stats:
cat /etc/openvpn/openvpn-status.log
Add more OpenVPN Clients:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key clientXXx