{"id":1681,"date":"2018-10-13T21:06:57","date_gmt":"2018-10-13T18:06:57","guid":{"rendered":"https:\/\/artem.services\/?p=85"},"modified":"2020-03-15T19:56:15","modified_gmt":"2020-03-15T16:56:15","slug":"1681","status":"publish","type":"post","link":"https:\/\/artem.services\/?p=1681&lang=en","title":{"rendered":"OpenVPN — All traffic through VPN"},"content":{"rendered":"

\"\"<\/p>\n

Goal:<\/h3>\n

Allow traffic from any device via VPN<\/strong>. The maximum convenience is connecting new devices without creating accounts, creating passwords, etc. Fast and encrypted connection.<\/p>\n

All steps were performed on CentOS 7<\/strong>.<\/p>\n

Install the EPEL<\/strong> repository if it is not already in the system and install the necessary packages:<\/p>\n

\r\nyum install epel-release -y\r\nyum install openvpn easy-rsa -y\r\n<\/pre>\n
Create a configuration file:<\/p>\n
\r\nvim \/etc\/openvpn\/server.conf\r\n<\/pre>\n
<\/p>\n
And copy the following into it:<\/p>\n
\r\nlocal CHANGE_THIS_ON_YOUR_PUBLIC_IP\r\nport 1194\r\n\r\nproto tcp\r\ndev-type tun\r\ndev tun\r\n\r\nca ca.crt\r\ncert server.crt\r\nkey server.key\r\n\r\ndh dh2048.pem\r\n\r\ntopology subnet\r\nserver 10.8.0.1255.255.255.0\r\n\r\ntxqueuelen 250\r\nkeepalive 300 900\r\n\r\ncipher AES-128-CBC\r\nncp-ciphers AES-128-GCM\r\n\r\nuser nobody\r\ngroup nobody\r\n\r\nduplicate-cn\r\n\r\npersist-key\r\npersist-tun\r\n\r\nstatus openvpn-status.log\r\n\r\npush "redirect-gateway def1"\r\npush "remote-gateway 10.8.0.1"\r\npush "dhcp-option DNS 8.8.8.8"\r\n<\/pre>\n
Create a folder for keys and copy the necessary scripts to create them:<\/p>\n
\r\nmkdir -p \/etc\/openvpn\/easy-rsa\/keys\r\ncp -a \/usr\/share\/easy-rsa\/2.0\/* \/etc\/openvpn\/easy-rsa\r\n<\/pre>\n
For convenience, we can immediately specify the information necessary for creating keys in environment variables so that we do not constantly enter it in the future:<\/p>\n
\r\nvim \/etc\/openvpn\/easy-rsa\/vars\r\n<\/pre>\n
And we bring it to this form:<\/p>\n
\r\nexport KEY_COUNTRY="UA"\r\nexport KEY_PROVINCE="UA"\r\nexport KEY_CITY="Kiev"\r\nexport KEY_ORG="openvpn"\r\nexport KEY_EMAIL="admin@artem.services"\r\nexport KEY_OU="VPN"\r\nexport KEY_NAME="openvpn"\r\nexport KEY_CN="openvpn.artem.services"\r\n<\/pre>\n
Copy the OpenSSL<\/strong> configuration:<\/p>\n
\r\ncp \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf \/etc\/openvpn\/easy-rsa\/openssl.cnf\r\n<\/pre>\n
Go to the script folder for creating keys, and clear its contents for our future keys:<\/p>\n
\r\ncd \/etc\/openvpn\/easy-rsa\r\nsource .\/vars\r\n.\/clean-all\r\n<\/pre>\n
Create a root certificate:<\/p>\n
\r\n.\/build-ca\r\n<\/pre>\n
Create a key and a public certificate:<\/p>\n
\r\n.\/build-key-server server\r\n<\/pre>\n
Create a Diffie-Hellman<\/strong> key:<\/p>\n
\r\n.\/build-dh\r\n<\/pre>\n
Let’s go to the directory with the keys and certificates that we created:<\/p>\n
\r\ncd \/etc\/openvpn\/easy-rsa\/keys\r\n<\/pre>\n
And copy the files we need to the OpenVPN<\/strong> directory:<\/p>\n
\r\ncp -a dh2048.pem ca.crt server.crt server.key \/etc\/openvpn\r\n<\/pre>\n
 <\/p>\n
It is important that after copying these files retain the permission<\/p><\/blockquote>\n
 <\/p>\n
Create a certificate and a key for the client:<\/p>\n
\r\ncd \/etc\/openvpn\/easy-rsa\r\n.\/build-key client\r\n<\/pre>\n
Further the configuration is given for iptables<\/strong>, if firewalld<\/strong> is used then you can disable it as follows:<\/p>\n
\r\nyum install iptables-services -y\r\nsystemctl mask firewalld\r\nsystemctl enable iptables\r\nsystemctl stop firewalld\r\nsystemctl start iptables\r\niptables --flush\r\n<\/pre>\n
Add the rule to iptables<\/strong> and save:<\/p>\n
\r\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\r\niptables-save > \/etc\/sysconfig\/iptables\r\n<\/pre>\n
 <\/p>\n
Be sure to check the interface name is correct, in my case it is eth0<\/strong><\/p><\/blockquote>\n
 <\/p>\n
In the file "\/etc\/sysctl.conf<\/strong>" we enable packet forwarding:<\/p>\n
\r\nnet.ipv4.ip_forward = 1\r\n<\/pre>\n
And restart the network service:<\/p>\n
\r\nsystemctl restart network.service\r\n<\/pre>\n
Add the OpenVPN<\/strong> service to autorun and start it:<\/p>\n
\r\nsystemctl -f enable openvpn@server.service\r\nsystemctl start openvpn@server.service\r\n<\/pre>\n
Create a client configuration file for connecting to the server, immediately inserting the necessary keys and certificates:<\/p>\n
\r\nvim openvpn.ovpn\r\n<\/pre>\n
And copy the following into it:<\/p>\n
\r\nclient\r\nremote artem.services 1194\r\n\r\nnobind\r\n\r\nremote-cert-tls server\r\n\r\ncipher AES-128-CBC\r\n\r\nsetenv opt ncp-ciphers AES-128-GCM\r\n\r\nsetenv opt block-outside-dns\r\n\r\ndev tun\r\n\r\nproto udp\r\n\r\n<ca>\r\nFILE CONTENTS ca.crt\r\n<ca\/>\r\n\r\n<cert>\r\nFILE CONTENTS client.crt\r\n<cert\/>\r\n\r\n<key>\r\nFILE CONTENTS client.key\r\n<key\/>\r\n<\/pre>\n
Then this file can be imported to client devices and connected to the server.<\/p>\n","protected":false},"excerpt":{"rendered":"
Goal: Allow traffic from any device via VPN. The maximum convenience is connecting new devices without creating accounts, creating passwords, etc. Fast and encrypted connection. All steps were performed on CentOS 7. Install the EPEL repository if it is not already in the system and install the necessary packages: Create a configuration file:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1335],"tags":[855,1337],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1681"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1681"}],"version-history":[{"count":3,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1681\/revisions"}],"predecessor-version":[{"id":1686,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1681\/revisions\/1686"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}