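#!/usr/bin/env bash
# Site1 (tls-server) provisioning for a two-site OpenVPN point-to-point link,
# reconstructed from the interactive shell history. Run as root on a yum/EPEL
# host (CentOS/RHEL 7 layout: easy-rsa 3.0 under /usr/share/easy-rsa).
#
# Fixes relative to the history:
#   * `cp –rf` used an en-dash instead of `-rf`, so those copies failed;
#     `cd dh.pem /etc/openvpn/` was a typo for `cp`.
#   * The scp targets had a space before ':' so the remote path was not used.
#   * vpn-site2's private key was copied into the server's own /etc/openvpn;
#     it is only needed on site2 and is shipped straight from the PKI dir.
#   * init-pki runs before build-ca (the history did them in the wrong order once).
# Still open: the CA signing key (pki/private/ca.key) is generated on, and stays
# on, the VPN endpoint itself. Move it offline once both certificates are issued
# and do future signing/revocation from that offline copy.
set -euo pipefail

OVPN_DIR=/etc/openvpn
RSA_DIR="${OVPN_DIR}/rsa"
EASYRSA_SRC=/usr/share/easy-rsa/3.0
# ssh target for site2 (user@host); the page redacts the original value.
: "${SITE2_SSH:?set SITE2_SSH to user@host of site2}"

yum install -y epel-release
yum install -y openvpn easy-rsa
openvpn --version

mkdir -p "${RSA_DIR}"
cp -rf "${EASYRSA_SRC}"/* "${RSA_DIR}/"
cd "${RSA_DIR}"

# Fresh PKI. build-ca and sign-req are interactive (CA passphrase, CN, confirm).
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req vpn-site1 nopass
./easyrsa sign-req server vpn-site1
# Site2's key pair is generated here for convenience. Better: have site2 run
# `easyrsa gen-req vpn-site2 nopass`, copy only pki/reqs/vpn-site2.req here,
# then `easyrsa import-req` + `sign-req client`, so its private key never
# leaves site2.
./easyrsa gen-req vpn-site2 nopass
./easyrsa sign-req client vpn-site2
./easyrsa gen-dh
# The PKI dir holds ca.key; keep it root-only.
chmod 0700 "${RSA_DIR}/pki"

# Server-side material only: CA cert, site1 cert+key, DH params.
install -m 0644 pki/ca.crt "${OVPN_DIR}/ca.crt"
install -m 0644 pki/issued/vpn-site1.crt "${OVPN_DIR}/vpn-site1.crt"
install -m 0600 pki/private/vpn-site1.key "${OVPN_DIR}/vpn-site1.key"
install -m 0644 pki/dh.pem "${OVPN_DIR}/dh.pem"

# Site2 needs the CA cert and its own cert+key. dh.pem is tls-server only and
# server.conf differs per site, so neither is sent (the history sent both).
scp pki/ca.crt pki/issued/vpn-site2.crt pki/private/vpn-site2.key \
  "${SITE2_SSH}:${OVPN_DIR}/"

# server.conf and routes.up.sh are authored by hand in ${OVPN_DIR}. An `up`
# script is executed as root by OpenVPN (and needs `script-security 2`), so it
# must be root-owned and not group/world-writable before it is enabled.
cd "${OVPN_DIR}"
if [[ -f routes.up.sh ]]; then
  chown root:root routes.up.sh
  chmod 0755 routes.up.sh
  scp routes.up.sh "${SITE2_SSH}:${OVPN_DIR}/"
fi
# Start through systemd (openvpn@server reads ${OVPN_DIR}/server.conf) rather
# than repeated foreground `openvpn --config` runs, then confirm the listener:
#   systemctl start openvpn@server && ss -nlp | grep -w 1194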
Config file for site1 (the tls-server end), /etc/openvpn/server.conf — the file the openvpn@server unit reads:
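# site1 — tls-server end of a point-to-point tunnel to site2 (172.16.1.196).
# Needs ca.crt, vpn-site1.crt, vpn-site1.key and dh.pem in /etc/openvpn.
dev tun
remote 172.16.1.196
ifconfig 10.10.10.1 10.10.10.2
port 1194
tls-server
# Only accept a peer whose certificate was issued with the easy-rsa "client"
# type (sign-req client vpn-site2). Without this, any certificate signed by
# the CA — including a copy of this server's own cert — would be accepted.
remote-cert-tls client
# TLS 1.2 or newer only (needs OpenVPN >= 2.3.3; EPEL ships 2.4).
tls-version-min 1.2
# Optional but recommended: a pre-shared TLS key so unauthenticated packets
# are dropped before the TLS handshake. Generate once with
# `openvpn --genkey --secret ta.key`, copy to both sites, then enable:
# tls-crypt ta.key
# Diffie-Hellman Parameters (tls-server only)
dh dh.pem
# Certificate Authority file
ca ca.crt
# Our certificate/public key
cert vpn-site1.crt
# Our private key
key vpn-site1.key
# Drop root once the tunnel is up; persist-* keep the key material and tun
# device across renegotiation and SIGUSR1 restarts after privileges are gone.
user nobody
group nobody
persist-key
persist-tun
# Re-key every 5 minutes (OpenVPN's default is 3600 s).
reneg-sec 300
daemon
# Optional route script. `up` scripts require script-security 2; the script
# runs as root, so keep it root-owned and not group/world-writable.
# script-security 2
# up routes.up.sh
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3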
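# Enable IPv4 forwarding on site1 without clobbering /etc/sysctl.conf: the
# history used `>`, which erased every other setting in that file. A drop-in
# under sysctl.d survives package updates; `sysctl --system` loads all drop-ins
# (`sysctl -p` alone reads only /etc/sysctl.conf).
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
sysctl --system
# openvpn@server maps to /etc/openvpn/server.conf. Enable it as well as start
# it so the tunnel comes back after a reboot (systemd 219 on CentOS 7 has no
# `enable --now`, hence two commands).
systemctl enable openvpn@server
systemctl start openvpn@server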
Copy ca.crt, vpn-site2.crt and vpn-site2.key from site1 to site2 (the history also sent dh.pem, which only the tls-server end uses). Config file for site2 (the tls-client end), /etc/openvpn/server.conf:
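# site2 — tls-client end of the point-to-point tunnel to site1 (172.16.1.176).
# Needs only ca.crt, vpn-site2.crt and vpn-site2.key in /etc/openvpn; no dh.pem.
dev tun
remote 172.16.1.176
ifconfig 10.10.10.2 10.10.10.1
port 1194
tls-client
# Only accept a peer whose certificate was issued with the easy-rsa "server"
# type (sign-req server vpn-site1).
remote-cert-tls server
# TLS 1.2 or newer only (needs OpenVPN >= 2.3.3; EPEL ships 2.4).
tls-version-min 1.2
# Optional but recommended, must match site1: a pre-shared TLS key so
# unauthenticated packets are dropped before the TLS handshake.
# tls-crypt ta.key
# Certificate Authority file
ca ca.crt
# Our certificate/public key
cert vpn-site2.crt
# Our private key
key vpn-site2.key
# Drop root once the tunnel is up; persist-* keep the key material and tun
# device across renegotiation and SIGUSR1 restarts after privileges are gone.
user nobody
group nobody
persist-key
persist-tun
# Re-key every 5 minutes (OpenVPN's default is 3600 s).
reneg-sec 300
daemon
# Optional route script. `up` scripts require script-security 2; the script
# runs as root, so keep it root-owned and not group/world-writable.
# script-security 2
# up routes.up.sh
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3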
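# Site2: IPv4 forwarding, NAT and forwarding rules, then start the tunnel.
# Interface names are host-specific; adjust these two before running.
WAN_IF=ens3
TUN_IF=tun0   # `dev tun` takes the first free tunN — confirm with `ip a`

# Enable forwarding via a sysctl.d drop-in instead of `> /etc/sysctl.conf`,
# which in the history wiped every other setting in that file.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
sysctl --system

# NAT everything leaving the WAN interface (as in the history).
iptables -t nat -A POSTROUTING -o "${WAN_IF}" -j MASQUERADE
# The history accepted forwarding to these two networks from *any* interface,
# so anything reaching this host on ${WAN_IF} could be forwarded into them.
# Bind the rules to the tunnel so only traffic entering or leaving the VPN is
# forwarded; this assumes the FORWARD chain's default policy drops the rest
# (not shown on the page — verify with `iptables -S FORWARD`).
for net in 10.10.11.0/24 10.10.22.0/24; do
  iptables -A FORWARD -i "${TUN_IF}" -d "${net}" -j ACCEPT
  iptables -A FORWARD -o "${TUN_IF}" -d "${net}" -j ACCEPT
done
# These rules are in-memory only; persist them with iptables-services
# (`service iptables save`) or the firewalld equivalent, or they vanish on reboot.

# openvpn@server maps to /etc/openvpn/server.conf; enable + start (CentOS 7's
# systemd 219 lacks `enable --now`).
systemctl enable openvpn@server
systemctl start openvpn@server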