Why OpenVPN with CentOS
A VPN (Virtual Private Network) enables you to create a secure connection to a remote network over the Internet through a virtual encrypted tunnel.
By routing the internet traffic through this encrypted tunnel, a VPN service not only masks your identity/location but also encrypts the data so that it can only be read by your VPN client and server.
So in general a VPN keeps your internet activity private and secure, preventing authorities and ISP to snoop your internet activity.
There are number of enterprise level and open source VPN solutions out there like OpenVPN, OpenSWAN, Softether to mention few.
In this article we will look at details about how to install and configure OpenVPN server in CentOS 7 followed by configuring a OpenVPN client.
Prerequisites:
- You have a CentOS 7 system with credentials of root or a sudo enabled user.
Installing OpenVPN on CentOS 7
OpenVPN package is not available with default CentOS repository. Therefore before proceeding with installation of OpenVPN server, you need to install the EPEL (Extra Packages for Enterprise Linux) repository.
Once EPEL package is there in the system, install OpenVPN by issuing following commands from the terminal.
# sudo yum install epel-release # sudo yum update
# sudo yum install openvpn git
Next proceed with installing/configuring Easy-RSA (Version 3) which is a very handy key management tool for use with OpenVPN in the process of generating RSA keys.
Download and Configure Easy-RSA
Now that OpenVPN has been installed, use the following steps to download easy-rsa using git and then leveraging easy-rsa script, generate keys and certificates starting with Certificate authority(ca) file needed by OpenVPN server.
To start with, “cd” to OpenVPN configuration folder and download the easy-RSA script.
# cd /etc/openvpn/ # sudo git clone git://github.com/OpenVPN/easy-rsa
The only folder that we really need is the “easyrsa3” folder which holds the script for generating keys.
Since the keys and certificates are needed by both VPN client and OpenVPN server, create a directory for storing them.
But before that adjust few parameters in the easy-rsa variable definition file “vars” that is shipped along with Easy-RSA to reflect your environment.
# mkdir -p /etc/openvpn/keys # cd /etc/openvpn/easy-rsa/easyrsa3 # cp vars.example vars # vi vars
set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_KEY_EXPIRE 3650 set_var EASYRSA_REQ_COUNTRY "USA" set_var EASYRSA_REQ_PROVINCE "New Jersey" set_var EASYRSA_REQ_CITY "Princeton" set_var EASYRSA_REQ_ORG "Best-Web-Hosting" set_var EASYRSA_REQ_EMAIL "test@best-web-hosting.org" set_var EASYRSA_REQ_OU "My Organizational Unit" set_var EASYRSA_KEY_NAME "Easy RSA"
Now copy all the files and folders from “easyrsa3” to the location that we have created earlier for storing the keys and certificates.
# cp -rf /etc/openvpn/easy-rsa/easyrsa3/* /etc/openvpn/keys
At this point, the easy-rsa script is in right place for generating keys and certificates.
Proceed with generating certificates and keys for client and server in the next step.
Generate Certificate and Keys
Generate Server Certificate
Since the information required (country, organization, department etc.) for generating the certificate authority(CA) are already set through “vars” config file in the previous step, Let us start generating the same starting with initializing public key infrastructure (PKI) environment.
# cd /etc/openvpn/keys # sudo ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/keys/pki
Run the following command to create the “ca” files. You will be prompted for a passphrase, provide a reasonably strong passphrase as per your choice.
Easy-RSA script will ask to provide this passphrase again at later stage while creating server and client certificates.
# sudo ./easyrsa build-ca
The above command will generate all the files that one need to manage CA and are listed below.
- /etc/openvpn/keys/pki - /etc/openvpn/keys/pki/ca.crt
Now that our CA is ready, let’s create a certificate for the server.
The only parameter that is needed is the CN and will be asked during the process. You can use user name or server hostname or whatever you want to name it.
# cd /etc/openvpn/keys # sudo ./easyrsa gen-req BestWebHosting nopass
The relevant files those are generated during the process are:
- /etc/openvpn/keys/pki/private/BestWebHosting.key - /etc/openvpn/keys/pki/reqs/BestWebHosting.req - /etc/openvpn/keys/pki/issued/BestWebHosting.crt
Finally, sign your own request using CA. The script will prompt you for confirmation to create the certificate.
Moreover, it will also prompt to provide the passphrase that you have entered during CA certificate creation step.
# cd /etc/openvpn/server # sudo ./easyrsa sign-req server BestWebHosting
Generate Client Certificates
This step is exactly same as previous step but the certificates generated in this step will be used by clients to connect to the OpenVPN server.
Lets generate a certificate for client say “john”, so make a request for john’s certificate.
# cd /etc/openvpn/keys # sudo ./easyrsa gen-req john nopass
Then sign john’s request using CA to generate john’s certificate:
# sudo ./easyrsa sign-req client john
The relevant certificate files for client’s are:
- /etc/openvpn/keys/pki/private/john.key - /etc/openvpn/keys/pki/reqs/john.req - /etc/openvpn/keys/pki/issued/john.crt
Remember to repeat this step for each client so that client’s should own unique certificates for better security.
Generate Diffie-Hellman Key Exchange
OpenVPN server also needs a Diffie-Hellman key exchange file. It will take some time to create this file depending on key length.
Of course, You can always change the key length through the last parameter of following “openssl” command.
# mkdir -p /etc/openvpn/ssl # cd /etc/openvpn/ssl # sudo openssl dhparam -out dh2048.pem 2048
Generate TLS Key
Adding this feature (tls-auth) is optional, but it adds an “extra protection” to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK key.
Any packets that don’t have the valid signature signed by OpenVPN server will be discarded.
# cd /etc/openvpn/keys # sudo openvpn --genkey --secret ta.key
Configure OpenVPN
Now create a OpenVPN configuration file by the name “server.conf”.
All the available configuration options are described in details here
# cd /etc/openvpn # sudo vi server.conf
I have used the following configuration options for OpenVPN server. But you can always fine-tune the following configuration for better results.
mode server tls-server port 1194 proto udp dev tun ca /etc/openvpn/keys/pki/ca.crt cert /etc/openvpn/keys/pki/issued/BestWebHosting.crt key /etc/openvpn/keys/pki/private/BestWebHosting.key dh /etc/openvpn/ssl/dh2048.pem tls-auth /etc/openvpn/keys/ta.key 0 server 10.1.1.0 255.255.255.0 cipher AES-256-CBC comp-lzo persist-key persist-tun push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 5 30 log-append /var/log/vpn/openvpn.log verb 3
Create log directory/file for OpenVPN server and change the security context of the log file to allow logging if SELINUX is enabled in your system.
# sudo mkdir -p /var/log/vpn # sudo touch /var/log/vpn/openvpn.log # sudo chcon -t var_log_t /var/log/vpn/openvpn.log
Configure Firewall/Routing
Assuming the default firewall management tool “Firewalld” have been installed in your system, then at first using firewalld allow OpenVPN traffic to pass through the firewall and make the setting permanent.
Use the “ifconfig” command to find the tunnel interface in your system.
# sudo firewall-cmd --permanent --add-service openvpn # sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
Next, enable the masquerade and make it permanent:
# sudo firewall-cmd --permanent --zone=trusted --add-masquerade
Finally, Add the rule for forwarding the network traffic to OpenVPN subnet and reload the firewall.
The following “ROUT” variable will fetch the default interface from the system which is “eth0” in my system and forwards any traffic through it to the tunneled interface.
# ROUT=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
# sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.1.1.0/24 -o $ROUT -j MASQUERADE
# sudo firewall-cmd --reload
To enable the OpenVPN server forward IPv4 packets between the interfaces, issue the following two commands from terminal.
# sudo echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf # sudo sysctl -p
Start the OpenVPN server:
# cd /etc/openvpn # sudo openvpn server.conf & OR # sudo systemctl start openvpn@server.service
At this stage, OpenVPN server should be running in your server to accept the client’s connection. You can also check the OpenVPN server’s log for any possible issues with the following command.
# tail -f /var/log/vpn/openvpn.log
Configure OpenVPN Client
You need the following four files to connect to the OpenVPN server through any OpenVPN client.
Download these files from the server to your client system.
- ca.crt - john.crt - john.key - ta.key
Once downloaded, create an OpenVPN client configuration file using your favorite editor and paste the contents of above four files along with other parameters like below.
It is also possible to call the above files from the OpenVPN clients configuration file without copying their content.
# cd ~ # vi john.ovpn client dev tun proto udp remote SERVER_IP 1194 resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings <ca> // Place CA(a.crt) file's content here </ca> <cert> // Place client's(john.crt) certificate file's content here </cert> <key> // Place client's(john.key) key file's content here </key> tls-client key-direction 1 <tls-auth> // Place TLS key(ta.key) file's content here </tls-auth> comp-lzo
Connecting from Linux
To connect OpenVPN server from any Linux flavored system, you need to install OpenVPN (client) and then connect to the OpenVPN server using the following command.
But before that you need to copy the above OpenVPN configuration file to your work station.
# cd ~ # sudo yum install openvpn # sudo openvpn --config ~/john.ovpn
Connecting from Windows
Download and install the latest version of OpenVPN Windows client. Once done copy the client configuration file(john.ovpn) to OpenVPN configuration folder possibly in “C:\Program Files\OpenVPN\config”.
Right click the OpenVPN client icon from taskbar and click connect for a secure connection to your OpenVPN server.
Conclusion
OpenVPN is the one of the most used VPN services with numerous available options and solid cryptographic design. Since the beginning of the project, OpenVPN has followed the best practices for secure development and is a low cost solution for those who need a secure network connection over the public internet.
The post How to Install OpenVPN (Easy-RSA 3) on CentOS 7 first appeared on Best-Web-Hosting.org.