For the sake of this article we will disable the firewall and SELinux, as they are out of its scope. I will write another article on installing and configuring the firewall for the OpenVPN server.
How to Install OpenVPN Server and Client with Easy-RSA 3 on CentOS 7
I will disable the firewall and SELinux on my OpenVPN client for this article, since covering them would add to its length. I may write another article with the firewall rules needed to install and configure OpenVPN.
OpenVPN is an open-source application that allows you to create a secure private network over the public internet. OpenVPN implements a virtual private network (VPN) to create a secure connection. OpenVPN uses the OpenSSL library to provide the encryption, and it provides several authentication mechanisms, such as certificate-based, pre-shared key, and username/password authentication.

In this tutorial, we will show you step by step how to install and configure OpenVPN on CentOS 7.6, and we will implement certificate-based OpenVPN authentication.

Prerequisites

- CentOS 7.6
- Root privileges

What will we do?

- Install OpenVPN and Easy-RSA
- Configure Easy-RSA 3 Vars
- Build OpenVPN Keys
- Configure OpenVPN Server
- Configure Firewalld and Enable Port Forwarding
- Client Setup
- Testing

Step 1 - Install OpenVPN and Easy-RSA

In this tutorial, we will be using the latest version of CentOS server (7.5), and we will be using OpenVPN 2.4 with easy-rsa 3. Before installing the OpenVPN and easy-rsa packages, make sure the 'epel' repository is installed on the system. If you don't have it, install the epel repository using the yum command below.

yum install epel-release -y

Now install OpenVPN 2.4 with easy-rsa 3 on the system.

yum install openvpn easy-rsa -y

When the installation is complete, check the openvpn and easy-rsa version.

openvpn --version
ls -lah /usr/share/easy-rsa/

OpenVPN 2.4 with easy-rsa 3 has been installed.

Step 2 - Configure Easy-RSA 3

In this step, we will configure easy-rsa 3 by creating a new 'vars' file.
The 'vars' file contains the Easy-RSA 3 settings.

Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' script.

cd /etc/openvpn/
cp -r /usr/share/easy-rsa /etc/openvpn/

Now go to the 'easy-rsa/3/' directory and create a new vars file using vim.

cd /etc/openvpn/easy-rsa/3/
vim vars

Paste the easy-rsa 3 vars configuration below.

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "ID"
set_var EASYRSA_REQ_PROVINCE "Jakarta"
set_var EASYRSA_REQ_CITY "Jakarta"
set_var EASYRSA_REQ_ORG "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"

Save and exit.

Note:
- Change the values of the variables as you need.
- Increase the 'EASYRSA_KEY_SIZE' for better security.
- Change 'EASYRSA_CA_EXPIRE' and 'EASYRSA_CERT_EXPIRE'.

Now make the 'vars' file executable by changing the permission of the file.

chmod +x vars

The vars file for the Easy-RSA 3 settings has been created.

Step 3 - Build OpenVPN Keys

In this step, we will build the OpenVPN keys based on the easy-rsa 3 'vars' file that we've created. We will build the CA key, the server and client keys, and the DH and CRL PEM files. We will build all of them using the 'easyrsa' command line.
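Before running the key build, it is worth checking the 'vars' file for weak or inconsistent settings, because every certificate the CA later signs inherits them. The script below is an added example written for this page, not part of Easy-RSA or of the tutorial; it assumes the 'set_var NAME VALUE' format shown above and creates two constructed sample files (one mirroring the tutorial's values, one deliberately weak) to run against.

```shell
#!/bin/sh
# Added example for this page (not Easy-RSA's own code): a small lint of the
# Step 2 'vars' file, run before './easyrsa build-ca' so that weak or
# inconsistent settings are caught before any certificate is signed.

# Print the value of set_var $2 from vars file $1 (surrounding double quotes
# removed; last definition wins); prints nothing if the variable is not set.
vars_get() {
    awk -v name="$2" '
        $1 == "set_var" && $2 == name {
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i   # values may contain spaces
            gsub(/^"|"$/, "", val)
            print val
        }
    ' "$1" | tail -n 1
}

# Print one line per finding; prints nothing when the file looks sane.
vars_lint() {
    f="$1"
    size=$(vars_get "$f" EASYRSA_KEY_SIZE)
    algo=$(vars_get "$f" EASYRSA_ALGO)
    digest=$(vars_get "$f" EASYRSA_DIGEST)
    ca_days=$(vars_get "$f" EASYRSA_CA_EXPIRE)
    cert_days=$(vars_get "$f" EASYRSA_CERT_EXPIRE)
    crl_days=$(vars_get "$f" EASYRSA_CRL_DAYS)

    # RSA keys below 2048 bits are not acceptable for a CA or a VPN server.
    if [ "${algo:-rsa}" = "rsa" ] && [ "${size:-2048}" -lt 2048 ]; then
        echo "WARN: EASYRSA_KEY_SIZE=$size is below 2048 bits"
    fi
    # Certificates signed with SHA-1 or MD5 are rejected by modern TLS stacks.
    case "$digest" in
        sha1|md5) echo "WARN: EASYRSA_DIGEST=$digest is deprecated; use sha256 or stronger" ;;
    esac
    # A CA that expires before the certificates it issued breaks every client at once.
    if [ -n "$ca_days" ] && [ -n "$cert_days" ] && [ "$ca_days" -lt "$cert_days" ]; then
        echo "WARN: EASYRSA_CA_EXPIRE=$ca_days is shorter than EASYRSA_CERT_EXPIRE=$cert_days"
    fi
    # With crl-verify in server.conf, an expired CRL makes the server reject all clients.
    if [ -z "$crl_days" ]; then
        echo "INFO: EASYRSA_CRL_DAYS is not set; gen-crl uses its default (180 days) and the CRL must be regenerated before it expires"
    fi
    return 0
}

# Constructed sample 1: the tutorial's settings (quoted heredoc keeps "$PWD" literal).
DEMO_VARS=$(mktemp)
cat > "$DEMO_VARS" <<'EOF'
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_REQ_ORG "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_DIGEST "sha256"
EOF

# Constructed sample 2: a deliberately weak file.
WEAK_VARS=$(mktemp)
cat > "$WEAK_VARS" <<'EOF'
set_var EASYRSA_KEY_SIZE 1024
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 100
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_DIGEST "sha1"
EOF

echo "== tutorial vars ==";  vars_lint "$DEMO_VARS"
echo "== weak vars ==";      vars_lint "$WEAK_VARS"
```

Run it against your own file with 'vars_lint /etc/openvpn/easy-rsa/3/vars'. The tutorial's values produce only the informational line about EASYRSA_CRL_DAYS; the weak sample produces four findings.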
Go to the '/etc/openvpn/easy-rsa/3' directory.

cd /etc/openvpn/easy-rsa/3/

Initialization and Build CA

Before building any keys, we need to initialize the PKI directory and build the CA key. Initialize the PKI directory and build the CA key using the commands below.

./easyrsa init-pki
./easyrsa build-ca

Now type the password for your CA key, and you will get your 'ca.crt' and 'ca.key' files under the 'pki' directory.

Build Server Key

Now we want to build the server key, and we will name it 'hakase-server'. Build the server key 'hakase-server' using the command below.

./easyrsa gen-req hakase-server nopass

Note: 'nopass' disables the password for the 'hakase-server' key.

And sign the 'hakase-server' key using our CA certificate.

./easyrsa sign-req server hakase-server

You will be asked for the 'CA' password; type the password and press Enter. You will get the 'hakase-server.crt' certificate file under the 'pki/issued/' directory.

Verify the certificate file using the OpenSSL command and make sure there is no error.

openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt

All server certificate keys have been created. The server private key is located at 'pki/private/hakase-server.key', and the server certificate at 'pki/issued/hakase-server.crt'.

Build Client Key

Now we need to build keys for the client. We will generate a new client key named 'client01'. Generate the 'client01' key using the command below.

./easyrsa gen-req client01 nopass

Now sign the 'client01' key using our CA certificate as below.

./easyrsa sign-req client client01

Type 'yes' to confirm the client certificate request, then type the CA password.

The client certificate named 'client01' has been generated; verify the client certificate using the openssl command.

openssl verify -CAfile pki/ca.crt pki/issued/client01.crt

Build Diffie-Hellman Key

This action will take a lot of time, depending on the key length that we chose and the available entropy on the server.
We will be using the key length that we defined in the 'vars' file. Generate the Diffie-Hellman key using the command below.

./easyrsa gen-dh

The DH key has been generated and is located in the 'pki' directory.

Optional: Generate the CRL Key

The CRL (Certificate Revocation List) key will be used for revoking client keys. If you have multiple client certificates on your VPN server and you want to revoke one of them, you just need to revoke it using the easy-rsa command. If you want to revoke a key, run the command below.

./easyrsa revoke someone

And then generate the CRL key.

./easyrsa gen-crl

The CRL PEM file has been generated under the 'pki' directory.

Copy Certificate Files

All certificates have been generated; now copy the certificate files and PEM files.

Copy the server key and certificate.

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/

Copy the client01 key and certificate.

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client01.crt /etc/openvpn/client/
cp pki/private/client01.key /etc/openvpn/client/

Copy the DH and CRL keys.

cp pki/dh.pem /etc/openvpn/server/
cp pki/crl.pem /etc/openvpn/server/

Step 4 - Configure OpenVPN

In this step, we will create a new configuration 'server.conf' for the openvpn server. Go to the '/etc/openvpn/' directory and create the new configuration file 'server.conf' using vim.

cd /etc/openvpn/
vim server.conf

Paste the following OpenVPN server configuration there.

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

# DH and CRL key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.10.1.0 255.255.255.0
push "redirect-gateway def1"

# DNS servers pushed to the clients
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

# Enable multiple clients to connect with the same certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

Save and exit. The configuration for OpenVPN has been created.

Step 5 - Enable Port-Forwarding and Configure Routing Firewalld

In this step, we will enable the port-forwarding kernel module and configure routing in 'Firewalld' for OpenVPN. Enable the port-forwarding kernel module by running the following commands.

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

Next, configure routing using Firewalld for OpenVPN. Add the 'openvpn' service to the firewalld service list and add the 'tun0' interface to the firewalld trusted zone.

firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0

Enable 'MASQUERADE' on the 'trusted' zone of firewalld.

firewall-cmd --permanent --zone=trusted --add-masquerade

Enable NAT for the OpenVPN internal IP address range '10.10.1.0/24' to the external IP address 'SERVERIP'.

# On CentOS 7, field NF-2 of the first 'ip route get' line is the outbound interface name (e.g. eth0), which is what '-o' expects
SERVERIP=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.10.1.0/24 -o $SERVERIP -j MASQUERADE

And reload firewalld.

firewall-cmd --reload

Port-forwarding and the Firewalld routing have been completed; now start the openvpn service and enable it to launch automatically at every system boot.

systemctl start openvpn@server
systemctl enable openvpn@server

Check it using the commands below.

netstat -plntu
systemctl status openvpn@server

The OpenVPN server is up and running on UDP port '1194'.

Step 6 - OpenVPN Client Setup

Go to the '/etc/openvpn/client' directory and create a new openvpn client configuration file 'client01.ovpn' using vim.

cd /etc/openvpn/client
vim client01.ovpn

Paste the following OpenVPN client configuration there.

client
dev tun
proto udp
remote 139.xx.xx.xx 1194
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save and exit.

Now compress the '/etc/openvpn/client' directory into a 'zip' or 'tar.gz' file and download the compressed file using scp from your local computer. Compress the '/etc/openvpn/client' directory into the 'client01.tar.gz' file.

cd /etc/openvpn/
tar -czvf client01.tar.gz client/*

Then download it from your local computer.

scp root@139.xx.xx.xx:/etc/openvpn/client01.tar.gz .

Step 7 - Testing OpenVPN

Testing on the clients.

On Linux

Install the OpenVPN package and, if you want a GUI configuration, install the OpenVPN network-manager plugin.

sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome -y

If you want to connect using a terminal shell, run the OpenVPN command below.

openvpn --config client01.ovpn

When you're connected to OpenVPN, open a new terminal tab and check the connection using the curl command.

curl ifconfig.io

And you will get the OpenVPN server IP address.

On Mac OS

Download Tunnelblick and install it. Extract the 'client01.tar.gz' file and rename the 'client' directory to 'client01.tblk'.

tar -xzvf client01.tar.gz
mv client client01.tblk

Double-click 'client01.tblk' and Tunnelblick will automatically detect the OpenVPN configuration and import it. Now connect through Tunnelblick in the top bar.

On Windows

Download the OpenVPN client for Windows and import the configuration.

About Muhammad Arul

Muhammad Arul is a freelance system administrator and technical writer.
He has been working with Linux environments for more than 5 years, is an open-source enthusiast and is highly motivated on Linux installation and troubleshooting. He mostly works with RedHat/CentOS Linux and Ubuntu/Debian, Nginx and Apache web servers, Proxmox, Zimbra administration and website optimization, and is currently learning about OpenStack and container technology.

Comments

By: meysam

it's not working
this is my error
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.

By: xyzzy

Run openvpn interactively and see what it's moaning about

By: Edison

[[email protected] 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
WARNING: can't open config file: $EASYRSA/openssl-1.0.cnf
Easy-RSA error: The OpenSSL config file cannot be found.
Expected location: $EASYRSA/openssl-1.0.cnf

By: Jakub

Error: "Job for openvpn@server.service failed because the control process exited with error code"
Occurrence: The error occurs when the "Optional: Generate the CRL Key" step is skipped.
Solution:
# see the error message "Options error: --crl-verify fails with '/etc/openvpn/server/crl.pem': No such file or directory (errno=2)"
vim /var/log/openvpn.log
# fix the error: remove the "crl-verify /etc/openvpn/server/crl.pem" line from /etc/openvpn/server.conf

By: Leza

can this be used on mobile phones iphone 7 or samsung emerge ?

By: Emi San

How can I configure a client (which is a local network server) to give access from a remote LAN to the OpenVPN server?
OpenVPN server: 10.10.1.1/24
Client-LAN server: 10.10.2.1/24
Can you help? Thank you.

By: Krzysztof

Clean CentOS7 install (behind NAT, port forwarded on router) + this manual.
Retried 4 times, but still:
Tue Jul 30 17:28:34 2019 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=OPenVPN
Tue Jul 30 17:28:34 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Jul 30 17:28:34 2019 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jul 30 17:28:34 2019 TLS Error: TLS object -> incoming plaintext read error
Tue Jul 30 17:28:34 2019 TLS Error: TLS handshake failed
Tue Jul 30 17:28:34 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 30 17:28:34 2019 MANAGEMENT: >STATE:1564500514,RECONNECTING,tls-error,,,,,
Tue Jul 30 17:28:34 2019 Restart pause, 40 second(s)
Tue Jul 30 17:29:14 2019 WARNING: No server certificate verification method has been enabled. See for more info.
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,RESOLVE,,,,,,
Tue Jul 30 17:29:14 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.17.173.222:1194
Tue Jul 30 17:29:14 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 30 17:29:14 2019 UDP link local: (not bound)
Tue Jul 30 17:29:14 2019 UDP link remote: [AF_INET]83.17.173.222:1194
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,WAIT,,,,,,
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,AUTH,,,,,,
Tue Jul 30 17:29:14 2019 TLS: Initial packet from [AF_INET]83.17.173.222:1194, sid=2431f8aa d07a36d4
Tue Jul 30 17:29:14 2019 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=OPenVPN
Tue Jul 30 17:29:14 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Jul 30 17:29:14 2019 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jul 30 17:29:14 2019 TLS Error: TLS object -> incoming plaintext read error
Tue Jul 30 17:29:14 2019 TLS Error: TLS handshake failed
Tue Jul 30 17:29:14 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,RECONNECTING,tls-error,,,,,
Tue Jul 30 17:29:14 2019 Restart pause, 80 second(s)

By: Krzysztof

UPDATE: CAPITAL letters matter when it comes to the names we use while installing. All good now after a few hours of debugging and 3 reinstalls :)

By: Barbarian

Hello, I have a problem... In Step 5 - Enable Port-Forwarding and Configure Routing Firewalld
firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
What now? :)

By: Geoff

By default "easyrsa gen-crl" will make a certificate with a nextUpdate date of 180 days, after which your VPN server will reject all clients until you make a new CRL.
To use a longer CRL validity period add the following option to the "vars" file in Step 2:
set_var EASYRSA_CRL_DAYS "365"

By: Steve

what additional steps are required for the tls-crypt and would this replace the tls options in the server.conf and client.ovpn?

By: Bata

Dear Muhammad
I have an issue: my tunnel is connected but I can't ping 8.8.8.8 or anything else, I can only ping my server's public address and tun0's IP... must I add a route on my server...?

By: Cesar Baquerizo

Hi. What changes are required to server.conf and below for this to work with a dynamic IP? TIA
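Several of the comments above trace back to the server.conf written in Step 4: the unit fails to start when 'crl-verify' names a crl.pem that the optional CRL step never produced, and a few of its other lines (duplicate-cn, the private-key path, tls-version-min, user) decide how much damage a leaked key or an old TLS client can do. The pre-flight check below is an added example written for this page, not part of the tutorial or of OpenVPN; it works only from the config text and the filesystem, so it does not validate the CRL's own expiry date (Geoff's point), and the scratch PKI directory it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check for an OpenVPN server.conf such as the one in Step 4.
# Example code written for this page, not part of the tutorial or of OpenVPN.
# It catches the start-up failure reported in the comments (crl-verify pointing
# at a CRL that was never generated) plus a few hardening points.

# Print the value of the first occurrence of option $2 in config $1.
ovpn_opt() {
    awk -v opt="$2" '
        /^[[:space:]]*[#;]/ { next }                      # skip comment lines
        $1 == opt { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# True if option $2 appears (with or without a value) in config $1.
ovpn_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print one line per finding: "ERROR:" stops the daemon, "WARN:" is a hardening point.
ovpn_preflight() {
    conf="$1"
    # 1. Every file the daemon opens at start-up must exist and be readable.
    for opt in ca cert key dh crl-verify; do
        path=$(ovpn_opt "$conf" "$opt")
        [ -n "$path" ] || continue
        [ -r "$path" ] || echo "ERROR: '$opt $path' refers to a missing or unreadable file"
    done
    # 2. The server private key should not be readable by other users ("others" bits of ls -l).
    key=$(ovpn_opt "$conf" key)
    if [ -r "$key" ] && [ "$(ls -l "$key" | cut -c8-10)" != "---" ]; then
        echo "WARN: private key $key is readable by other users"
    fi
    # 3. Options with security consequences.
    ovpn_has "$conf" duplicate-cn    && echo "WARN: duplicate-cn lets several clients share one certificate, so a leaked key cannot be told apart from its owner"
    ovpn_has "$conf" crl-verify      || echo "WARN: no crl-verify, revoked client certificates are still accepted"
    ovpn_has "$conf" tls-version-min || echo "WARN: tls-version-min not set, old TLS versions are allowed"
    ovpn_has "$conf" user            || echo "WARN: no 'user' line, the daemon keeps root privileges after start-up"
    return 0
}

# Constructed demo: a scratch directory laid out like /etc/openvpn/server/, with the
# CRL deliberately absent (the "Optional" step skipped) to reproduce Jakub's error.
DEMO_DIR=$(mktemp -d)
for f in ca.crt hakase-server.crt hakase-server.key dh.pem; do : > "$DEMO_DIR/$f"; done
chmod 600 "$DEMO_DIR/hakase-server.key"
DEMO_CONF="$DEMO_DIR/server.conf"
cat > "$DEMO_CONF" <<EOF
port 1194
proto udp
dev tun
ca $DEMO_DIR/ca.crt
cert $DEMO_DIR/hakase-server.crt
key $DEMO_DIR/hakase-server.key
dh $DEMO_DIR/dh.pem
crl-verify $DEMO_DIR/crl.pem
server 10.10.1.0 255.255.255.0
duplicate-cn
tls-version-min 1.2
user nobody
group nobody
EOF

ovpn_preflight "$DEMO_CONF"
```

Against the constructed config this prints one ERROR (the missing crl.pem) and one WARN (duplicate-cn); creating the CRL with './easyrsa gen-crl' and copying it into place clears the error, and dropping 'duplicate-cn' in favour of one certificate per client clears the warning. Run 'ovpn_preflight /etc/openvpn/server.conf' before 'systemctl start openvpn@server' to get the same report for a real deployment.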