Install and Setup OpenVPN on CentOS Linux

As it says on the tin, this is how to install OpenVPN on your Red Hat based Linux server.

Repo

First ensure you have the Extra Packages for Enterprise Linux (EPEL) repository installed and enabled on your system.

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -Uvh epel-release-7-5.noarch.rpm

Install OpenVPN

First, install the package using Yum:

yum install openvpn

Copy the sample configuration file to where it can be edited and used as the main configuration.

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Open the new configuration file using your favourite editor.

nano /etc/openvpn/server.conf

Look for this line and uncomment it (i.e. remove the “;”) to configure all clients to redirect their default network gateway through the VPN.

push "redirect-gateway def1 bypass-dhcp"

Look for these lines and uncomment them. These are the DNS servers that will be pushed to connecting clients. You can change the IP addresses to, say, Google’s public DNS servers if you wish:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

To improve security, uncomment the following lines so that the OpenVPN daemon drops its privileges after start-up:

user nobody
group nobody

RSA Security Keys

OpenVPN versions prior to 2.3 were bundled with EasyRSA. It is now a separate project and must be downloaded separately.

Navigate to the OpenVPN folder:

cd /etc/openvpn

Download EasyRSA from the OpenVPN project on GitHub and uncompress it (alternatively, browse the releases page of the link below to retrieve the latest version):

wget https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar -zxvf EasyRSA-2.2.2.tgz

Change into the new EasyRSA-2.2.2 folder and edit the vars file with your favourite editor:

cd EasyRSA-2.2.2
nano vars

Find the below line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

Replace with the following:

export KEY_CONFIG=/etc/openvpn/EasyRSA-2.2.2/openssl-1.0.0.cnf

Find the KEY_ settings below and edit them to suit your requirements (a list of country codes can be found here):

export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="London"
export KEY_ORG="TinnedGeek"
export KEY_EMAIL="webmaster@tinnedgeek.com"

Save and exit the configuration file, then prepare to generate the certificates and keys:

chmod 755 *
source ./vars
./vars
./clean-all

Build the CA (follow the on-screen prompts):

./build-ca

Build the server key (follow the on-screen prompts) and answer ‘yes’ to commit:

./build-key-server server

Build the Diffie-Hellman key exchange file (this may take a while, as random parameters have to be generated):

./build-dh

Generate keys to allow clients to authenticate and connect. Generate one client key for each client program or device:

./build-key client1

Move into the keys directory and copy the respective files to the OpenVPN directory:

cd /etc/openvpn/EasyRSA-2.2.2/keys
cp ca.crt dh2048.pem server.crt server.key /etc/openvpn/
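As an added example that is not part of the original post, the following script checks a server.conf against the steps above: that the directives uncommented earlier are active, that the files named by ca/cert/key/dh exist, and that the server's private key is not readable by group or other. It assumes GNU find (for -perm /077) and builds its own constructed sample configuration in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the server.conf this
# guide produces: directives it uncomments are active, referenced key material
# exists, and the server's private key is not group/other readable (GNU find).
# has_directive CONF REGEX: 0 if an uncommented line in CONF matches REGEX
has_directive() { grep -Eq "^[[:space:]]*$2" "$1"; }

# path_of CONF DIRECTIVE: file named by DIRECTIVE; relative paths resolve
# against CONF's directory, as they do for a service started in /etc/openvpn
path_of() {
    f=$(awk -v k="$2" '$1==k {print $2; exit}' "$1")
    case $f in ''|/*) echo "$f" ;; *) echo "$(dirname "$1")/$f" ;; esac
}
# lint_conf CONF: prints one finding per line; exit status = number of findings
lint_conf() {
    n=0
    for d in 'push "redirect-gateway def1 bypass-dhcp"' 'push "dhcp-option DNS ' \
             'user nobody' 'group nobody'; do
        has_directive "$1" "$d" || { echo "not enabled: $d"; n=$((n+1)); }
    done
    for k in ca cert key dh; do
        p=$(path_of "$1" "$k")
        [ -n "$p" ] && [ -f "$p" ] || { echo "$k: missing file '$p'"; n=$((n+1)); }
    done
    key=$(path_of "$1" key)
    if [ -f "$key" ] && [ -n "$(find "$key" -perm /077)" ]; then
        echo "key: $key is readable by group/other"; n=$((n+1))
    fi
    return $n
}
# make_fixture DIR: constructed server.conf plus empty key files, as after the
# guide, but with two faults: redirect-gateway still commented, key mode 644
make_fixture() {
    mkdir -p "$1"
    cat > "$1/server.conf" <<'EOF'
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nobody
EOF
    for f in ca.crt server.crt server.key dh2048.pem; do : > "$1/$f"; done
    chmod 644 "$1/server.key"
}

tmp=$(mktemp -d); make_fixture "$tmp"
lint_conf "$tmp/server.conf"; echo "findings: $?"   # prints 2
rm -rf "$tmp"
```

Run it as `lint_conf /etc/openvpn/server.conf` on a real server once the keys have been copied; a non-zero exit status means something from the steps above is still missing.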

Disable SELinux

Disable SELinux by editing the SELinux configuration file (the change takes effect after a reboot):

nano /etc/selinux/config

Replace the below:

SELINUX=enforcing

With:

SELINUX=disabled

Routing and IPTables

Create an iptables rule to allow routing of our VPN subnet:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

Then, enable IP Forwarding in sysctl:

nano -w /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Finally, apply the new sysctl settings, start the server and ensure that it starts automatically on boot:

sysctl -p
service openvpn start
chkconfig openvpn on

Troubleshooting

If you get the following error:

service openvpn start
Redirecting to /bin/systemctl start  openvpn.service
Failed to issue method call: Unit openvpn.service failed to load: No such file or directory.

Then start the OpenVPN server manually:

openvpn /etc/openvpn/server.conf

And voila!