As it says on the tin, this is how to install OpenVPN on your Redhat based Linux server.
First ensure you have the Enterprise Packages for Enterprise Linux (EPEL) repository installed / enabled on your system.
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm rpm -Uvh epel-release-7-5.noarch.rpm
First, install the package using Yum:
yum install openvpn
Copy the sample configuration file to where it can be edited and used as the main configuration.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
Open the new configuration file using your favourite editor.
Look for this line and uncomment (i.e. remove the “;” to configure all clients to redirect their default network gateway through the VPN.
push "redirect-gateway def1 bypass-dhcp"
Look for these lines and uncomment. These IP addresses are those of the DNS server your VPN will use. You can change the IP addresses to, say, Google’s public DNS servers if you wish:
push "dhcp-option DNS 126.96.36.199" push "dhcp-option DNS 188.8.131.52"
To improve security, remove the comments on the following lines to reduce the permissions of the OpenVPN daemon:
user nobody group nobody
RSA Security Keys
OpenVPN versions prior to 2.3 were bundled with EasyRSA, however it is now a separate project and must be downloaded separately.
Navigate to the OpenVPN folder:
Download EasyRSA from the OpenVPN website and uncompress: (Alternatively go to the releases folder of the below link to retrieve the latest version)
wget https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz tar -zxvf EasyRSA-2.2.2.tgz
Open the new EasyRSA-2.2.2 folder and Edit the vars file in the EasyRSA-2.2.2 folder with your favourite editor:
cd EasyRSA-2.2.2 nano vars
Find the below line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
Replace with the following:
Find the below KEY_ settings and edit to suit your requirements (find list of country codes here):
export KEY_COUNTRY="GB" export KEY_PROVINCE="London" export KEY_CITY="London" export KEY_ORG="TinnedGeek" export KEY_EMAIL="firstname.lastname@example.org"
Exit and save the configuration file and then prepare to generate the RSA certificate:
chmod 755 * source ./vars ./vars ./clean-all
Build CA (follow the on-screen prompts):
Build key server (follow the on-screen prompts) and answer ‘yes’ to commit:
Build Diffie Hellman key exchange file (may take a while to process to generate the random key)
Generate keys to allow clients to authenticate and connect. Generate as many client keys as you need for each client program or device:
Move into the keys directory and copy the respective files to the OpenVPN directory:
cd /etc/openvpn/EasyRSA-2.2.2/keys cp ca.crt dh2048.pem server.crt server.key /etc/openvpn/
Disable SELinux by editing the SELinux configuration file:
Replace the below:
Routing and IPTables
Create an iptables rule to allow routing of our VPN subnet:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE service iptables save
Then, enable IP Forwarding in sysctl:
nano -w /etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 1
Finally, apply our new sysctl settings. Start the server and assure that it starts automatically on boot:
sysctl -p service openvpn start chkconfig openvpn on
If you get the following error:
service openvpn start Redirecting to /bin/systemctl start openvpn.service Failed to issue method call: Unit openvpn.service failed to load: No such file or directory.
Then start the OpenVPN server manually: