This document is based on an older DigitalOcean document: https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7
- Install openvpn:
yum install openvpn
- Install easy-rsa (for your own CA):
yum install easy-rsa
- Configure openvpn:
- Find the location of the sample server.conf file in the openvpn distribution and copy it to /etc/openvpn/server:
  cp /usr/share/doc/openvpn-2.4.2/sample/sample-config-files/server.conf /etc/openvpn/server
- Edit the configuration file and uncomment the following lines:
  topology subnet
  comp-lzo
  user nobody
  group nobody
- Note that the DO tutorial includes a different set of changes. In some cases (i.e. the `dh` line) the line was already uncommented; in others (the `push` lines) I felt this wasn't necessary because my plan is to control that explicitly using client settings.
- Generate ta.key in the /etc/openvpn/server directory:
  openvpn --genkey --secret ta.key
- Set up the CA:
  mkdir -p /etc/openvpn/easy-rsa/keys
  cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
- Modify the vars file to update the following variables: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL, KEY_OU
- Note that I did not see a need to modify KEY_NAME or KEY_CN since those should be overridden for each certificate.
- Load the environment variables into the shell (from the /etc/openvpn/easy-rsa directory):
  source ./vars
- Create CA
./build-ca
- Generate server key/cert
./build-key-server server
./build-dh
- Copy server keys/certs to conf directory:
cp /etc/openvpn/easy-rsa/keys/{dh2048.pem,ca.crt,server.crt,server.key} /etc/openvpn/server
- Forward router port 1194 (UDP) to server
- Set up firewall using firewalld (see below)
- Add a sysctl setting to enable IP forwarding:
- Add this line to /etc/sysctl.d/99-forwarding.conf:
  net.ipv4.ip_forward = 1
- Turn on openvpn. The instance name is the .conf file name in /etc/openvpn/server; with openvpn 2.4 that directory is served by the openvpn-server@.service template, so the unit for server.conf is openvpn-server@server.service.
- Run at startup:
  systemctl enable openvpn-server@server.service
- Start now:
  systemctl start openvpn-server@server.service
- If you have problems, try:
  systemctl status openvpn-server@server.service
  (and journalctl -u openvpn-server@server.service, possibly with -f depending on what you are doing)
- Generate a key/cert for each client:
  cd /etc/openvpn/easy-rsa
  # If necessary:
  source ./vars
  ./build-key foo   # where foo is the name of the client (e.g. "build-key client" for a client named "client")
You will need the following files for each client (plus potentially a configuration file, but these days many systems will generate one for you on-the-fly) from the /etc/openvpn directory:
  server/ca.crt
  easy-rsa/keys/foo.crt
  easy-rsa/keys/foo.key
  server/ta.key
In the example above, it was assumed that the client was named "foo", so replace as appropriate.
Note that if your client uses SELinux, you may need to use some poorly-(un)documented magic and put all of the necessary files in your ~/.cert directory (which gets its own magical SELinux labels). You then may need to run something like:
  restorecon -R -v ~/.cert
For Android, I use "OpenVPN for Android": https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en which is awesome.
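The four client files listed above can be shipped as one inline .ovpn profile instead of four loose files. The following helper is an added example written for these notes (not part of openvpn or easy-rsa); it assumes the directory layout used here (server/ca.crt, server/ta.key, easy-rsa/keys/NAME.crt and .key), that the server keeps the sample config's `tls-auth ta.key 0` (so the client uses direction 1), and that the server has `comp-lzo` enabled as above. It refuses to build a profile from a truncated or mislabelled file, or from a private key readable by group/others.

```shell
#!/bin/sh
# make_client_profile: bundle the four per-client files into one inline .ovpn.
# Hypothetical helper written for these notes; not part of openvpn or easy-rsa.
# Layout assumed (as on this page): <base>/server/ca.crt, <base>/server/ta.key,
# <base>/easy-rsa/keys/<name>.crt and <base>/easy-rsa/keys/<name>.key.

# pem_ok FILE MARKER: the file is non-empty and starts a PEM block with the
# expected label, so a truncated copy or a swapped file is caught before shipping.
pem_ok() {
    [ -s "$1" ] && grep -q -e "-----BEGIN $2" "$1"
}

# make_client_profile NAME SERVER_HOST [BASE_DIR] [OUT_FILE]
# Returns 0 and writes OUT_FILE (mode 600) on success; returns 1 and writes
# nothing if an input is missing or mislabelled, or the key is group/world-readable.
make_client_profile() {
    name=$1; host=$2; base=${3:-/etc/openvpn}; out=${4:-$1.ovpn}
    ca=$base/server/ca.crt; ta=$base/server/ta.key
    crt=$base/easy-rsa/keys/$name.crt; key=$base/easy-rsa/keys/$name.key

    pem_ok "$ca" "CERTIFICATE"           || { echo "bad CA cert: $ca" >&2; return 1; }
    pem_ok "$crt" "CERTIFICATE"          || { echo "bad client cert: $crt" >&2; return 1; }
    pem_ok "$key" ".*PRIVATE KEY"        || { echo "bad client key: $key" >&2; return 1; }
    pem_ok "$ta" "OpenVPN Static key V1" || { echo "bad ta.key: $ta" >&2; return 1; }
    # group/other mode bits are columns 5-10 of `ls -l`; all must be '-' (i.e. 0600 or tighter)
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "refusing: $key is readable by group/others (chmod 600 it)" >&2; return 1; }

    ( umask 077   # the profile embeds the private key, so create it 0600 from the start
      {
        # Client directives mirroring the server set up in these notes: UDP/1194,
        # comp-lzo as on the server, tls-auth direction 1 opposite the server's 0,
        # and remote-cert-tls so the client only accepts a cert built with build-key-server.
        printf '%s\n' "client" "dev tun" "proto udp" "remote $host 1194" \
            "resolv-retry infinite" "nobind" "persist-key" "persist-tun" \
            "remote-cert-tls server" "comp-lzo" "key-direction 1" "verb 3"
        printf '<ca>\n';       cat "$ca";  printf '</ca>\n'
        printf '<cert>\n';     cat "$crt"; printf '</cert>\n'
        printf '<key>\n';      cat "$key"; printf '</key>\n'
        printf '<tls-auth>\n'; cat "$ta";  printf '</tls-auth>\n'
      } > "$out" )
}
```

Run it on the server as `make_client_profile foo vpn.example.org` (vpn.example.org being a placeholder for your public hostname) and hand the resulting foo.ovpn to the client over a private channel.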
- Set up the firewall with firewalld. Note that I'm not a firewalld expert, so there may be a better way to handle this. Each rule is given twice: the first command applies it to the running configuration, the `--permanent` one makes it survive a reload or reboot.
  firewall-cmd --zone=public --add-port=1194/udp --permanent
  firewall-cmd --zone=public --add-port=1194/udp
  # NAT the VPN subnet out of the uplink interface (enp8s0 here; substitute your own)
  firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -o enp8s0 -j MASQUERADE
  firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -o enp8s0 -j MASQUERADE
  # allow new connections from the tunnel to the uplink, and only established/related
  # return traffic from the uplink back into the tunnel
  firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o enp8s0 -j ACCEPT
  firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp8s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o enp8s0 -j ACCEPT
  firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp8s0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT