Goal:
Allow traffic from any device via VPN. The maximum convenience is connecting new devices without creating accounts, creating passwords, etc. Fast and encrypted connection.
All steps were performed on CentOS 7.
Install the EPEL repository if it is not already in the system and install the necessary packages:
yum install epel-release -y yum install openvpn easy-rsa -y
Create a configuration file:
vim /etc/openvpn/server.conf
And copy the following into it:
local CHANGE_THIS_ON_YOUR_PUBLIC_IP port 1194 proto tcp dev-type tun dev tun ca ca.crt cert server.crt key server.key dh dh2048.pem topology subnet server 10.8.0.1255.255.255.0 txqueuelen 250 keepalive 300 900 cipher AES-128-CBC ncp-ciphers AES-128-GCM user nobody group nobody duplicate-cn persist-key persist-tun status openvpn-status.log push "redirect-gateway def1" push "remote-gateway 10.8.0.1" push "dhcp-option DNS 8.8.8.8"
Create a folder for keys and copy the necessary scripts to create them:
mkdir -p /etc/openvpn/easy-rsa/keys cp -a /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
For convenience, we can immediately specify the information necessary for creating keys in environment variables so that we do not constantly enter it in the future:
vim /etc/openvpn/easy-rsa/vars
And we bring it to this form:
export KEY_COUNTRY="UA" export KEY_PROVINCE="UA" export KEY_CITY="Kiev" export KEY_ORG="openvpn" export KEY_EMAIL="[email protected]" export KEY_OU="VPN" export KEY_NAME="openvpn" export KEY_CN="openvpn.artem.services"
Copy the OpenSSL configuration:
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Go to the script folder for creating keys, and clear its contents for our future keys:
cd /etc/openvpn/easy-rsa source ./vars ./clean-all
Create a root certificate:
./build-ca
Create a key and a public certificate:
./build-key-server server
Create a Diffie-Hellman key:
./build-dh
Let’s go to the directory with the keys and certificates that we created:
cd /etc/openvpn/easy-rsa/keys
And copy the files we need to the OpenVPN directory:
cp -a dh2048.pem ca.crt server.crt server.key /etc/openvpn
It is important that after copying these files retain the permission
Create a certificate and a key for the client:
cd /etc/openvpn/easy-rsa ./build-key client
Further the configuration is given for iptables, if firewalld is used then you can disable it as follows:
yum install iptables-services -y systemctl mask firewalld systemctl enable iptables systemctl stop firewalld systemctl start iptables iptables --flush
Add the rule to iptables and save:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables-save > /etc/sysconfig/iptables
Be sure to check the interface name is correct, in my case it is eth0
In the file “/etc/sysctl.conf” we enable packet forwarding:
net.ipv4.ip_forward = 1
And restart the network service:
systemctl restart network.service
Add the OpenVPN service to autorun and start it:
systemctl -f enable [email protected] systemctl start [email protected]
Create a client configuration file for connecting to the server, immediately inserting the necessary keys and certificates:
vim openvpn.ovpn
And copy the following into it:
client remote artem.services 1194 nobind remote-cert-tls server cipher AES-128-CBC setenv opt ncp-ciphers AES-128-GCM setenv opt block-outside-dns dev tun proto udp <ca> FILE CONTENTS ca.crt <ca/> <cert> FILE CONTENTS client.crt <cert/> <key> FILE CONTENTS client.key <key/>
Then this file can be imported to client devices and connected to the server.