
OpenVpn

Installing and setting up OpenVpn

[root@ip-10-0-1-10 ~]# yum install -y epel-release
[root@ip-10-0-1-10 ~]# yum install -y openvpn

Enabling firewall for OpenVpn

  • OpenVPN uses port 1194/udp by default, but it can also run over TCP; this guide uses TCP (`proto tcp` in server.conf below), so the firewall rule opens 1194/tcp. Note that forwarding client traffic out through the server also requires IP forwarding to be enabled on the server (`net.ipv4.ip_forward=1`, not shown here); the masquerade rule alone is not sufficient.
[root@ip-10-0-1-10 ~]# firewall-cmd --permanent --add-port=1194/tcp
success
[root@ip-10-0-1-10 ~]# firewall-cmd --permanent --add-masquerade
success
[root@ip-10-0-1-10 ~]# firewall-cmd --reload
success

Setting up rsa files and keys

[root@ip-10-0-1-10 ~]# yum install -y easy-rsa

[root@ip-10-0-1-10 ~]# mkdir /etc/openvpn/easy-rsa

[root@ip-10-0-1-10 easy-rsa]# PATH=$PATH:/usr/share/easy-rsa/3.0.3/
(The prompt shows the following easy-rsa commands being run from /etc/openvpn/easy-rsa, so the pki directory referenced in server.conf is created there. Adjust the version directory to the one your easy-rsa package installed.)

[root@ip-10-0-1-10 easy-rsa]# easyrsa init-pki

[root@ip-10-0-1-10 easy-rsa]# easyrsa build-ca

- Provide a PEM pass phrase for the CA private key; it is asked for again whenever a request is signed below

[root@ip-10-0-1-10 easy-rsa]# easyrsa gen-dh

[root@ip-10-0-1-10 easy-rsa]# easyrsa gen-req server nopass

[root@ip-10-0-1-10 easy-rsa]# easyrsa sign-req server server

- Answer yes to confirm, then enter the CA pass phrase chosen when the CA was built

[root@ip-10-0-1-10 easy-rsa]# easyrsa gen-req client nopass

[root@ip-10-0-1-10 easy-rsa]# easyrsa sign-req client client

- Answer yes to confirm, then enter the CA pass phrase chosen when the CA was built

[root@ip-10-0-1-10 easy-rsa]# cd /etc/openvpn/

[root@ip-10-0-1-10 openvpn]# openvpn --genkey --secret pfs.key
(This generates the static tls-auth HMAC key referenced by `tls-auth` below; the same key has to be distributed to every client.)

Setting up server.conf

(The ca/cert/key/dh paths below point at the easy-rsa pki directory created above. `comp-lzo` turns on tunnel compression, which OpenVPN has since deprecated because compression can leak information about the encrypted traffic; leave it out unless you need it. Dropping privileges after startup with `user nobody` / `group nobody` is also common practice and is not shown here.)

[root@ip-10-0-1-10 openvpn]# vim server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
tls-server
tls-auth /etc/openvpn/pfs.key

Starting OpenVpn and checking dev tun

[root@ip-10-0-1-10 openvpn]# systemctl enable --now openvpn@server.service

[root@ip-10-0-1-10 openvpn]# ip a show tun0
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::be0a:e12a:bcf0:6cb3/64 scope link flags 800
       valid_lft forever preferred_lft forever

[root@ip-10-0-1-10 openvpn]# mkdir -p server1/keys
[root@ip-10-0-1-10 openvpn]# cp pfs.key server1/keys
[root@ip-10-0-1-10 openvpn]# cp easy-rsa/pki/dh.pem server1/keys/
[root@ip-10-0-1-10 openvpn]# cp easy-rsa/pki/ca.crt server1/keys/
[root@ip-10-0-1-10 openvpn]# cp easy-rsa/pki/private/ca.key server1/keys/
[root@ip-10-0-1-10 openvpn]# cp easy-rsa/pki/private/client.key server1/keys/
[root@ip-10-0-1-10 openvpn]# cp easy-rsa/pki/issued/client.crt server1/keys/
[root@ip-10-0-1-10 openvpn]# tar czvf /tmp/key.tgz server1/

(The client only needs ca.crt, client.crt, client.key and pfs.key — these are the files client.conf below refers to. The CA private key ca.key should stay on the host that signs requests: anyone holding it can issue certificates that this server will trust. dh.pem is only used by the server.)

[root@ip-10-0-2-11 ~]# yum install -y epel-release

[root@ip-10-0-2-11 ~]# yum install -y openvpn

[root@ip-10-0-2-11 ~]# scp <user>@10.0.1.10:/tmp/key.tgz /etc/openvpn/
(The user name was lost in rendering; 10.0.1.10 is the server address used by `remote` in client.conf. The archive contains private keys: extract it in /etc/openvpn so that server1/keys/ exists there — the tar extraction step is not shown — and remove /tmp/key.tgz on both hosts afterwards, since files in /tmp are typically readable by every local user.)

[root@ip-10-0-2-11 openvpn]# vi client.conf

client
dev tun
proto tcp
remote 10.0.1.10 1194
ca server1/keys/ca.crt
cert server1/keys/client.crt
key server1/keys/client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
resolv-retry infinite
auth-retry none
nobind
route-nopull
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-client
tls-auth server1/keys/pfs.key

(The relative paths are resolved from /etc/openvpn, where the client runs. `route-nopull` makes the client ignore routes and options pushed by the server, so the `redirect-gateway` and DNS pushes in server.conf have no effect on this client — drop it if all traffic is meant to go through the tunnel. `ns-cert-type server` is a deprecated way of verifying that the peer certificate is a server certificate; `remote-cert-tls server` is the current equivalent.)

[root@ip-10-0-2-11 openvpn]# systemctl enable --now openvpn@client.service