OpenVPN : Configure VPN Server
2026/04/23
Install OpenVPN to configure a Virtual Private Network.
This example is based on the environment shown below. In this example, IP masquerading also needs to be set on the router.
+----------------------+
| [ OpenVPN Server ]   |172.16.100.1
|    dlp.srv.world     +--------+
|                      |tun     |
+-----------+----------+        |
     enp1s0|10.0.0.30           |
           |                    |
           |   Local Network    |
  10.0.0.1 |                    |
    +------+-----+              |
----|   Router   |--------------|-----
    +------+-----+              |
           |                    |
           |     Internet       |
-----------+--------------------|-----
           |                    |
           |   Local Network    |
192.168.0.31|                   |
+-----------+----------+        |
|                      |tun     |
|     VPN Client       +--------+
|                      |172.16.100.x
+----------------------+
[1] Install OpenVPN.

# install from EPEL
[root@dlp ~]# dnf --enablerepo=epel -y install openvpn easy-rsa net-tools

[2] Create CA and Certificates.

[root@dlp ~]# cd /usr/share/easy-rsa/3
# initialize
[root@dlp 3]# ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /usr/share/easy-rsa/3/pki

# create CA
[root@dlp 3]# ./easyrsa build-ca
# set any pass-phrase
Enter New CA Key Passphrase:
Confirm New CA Key Passphrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Server-CA

Notice
------
CA creation complete.

Your new CA certificate is at:
* /usr/share/easy-rsa/3/pki/ca.crt

Build-ca completed successfully.

# create server certificates
# any name is OK for the [server1] name
# (it is used for the file name of the certs and for the commonName)
[root@dlp 3]# ./easyrsa build-server-full server1 nopass
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /usr/share/easy-rsa/3/pki/reqs/server1.req
* key: /usr/share/easy-rsa/3/pki/private/server1.key
You are about to sign the following certificate:
Requested CN: 'server1'
Requested type: 'server'
Valid for: '825' days
subject=
commonName = server1
Type the word 'yes' to continue, or any other input to abort.
Confirm requested details: yes
Using configuration from /usr/share/easy-rsa/3/pki/2f24d7cc/temp.02
# answer with pass-phrase set on CA
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server1'
Certificate is to be certified until Jul 26 02:26:18 2028 GMT (825 days)
Write out database with 1 new entries
Database updated
WARNING
=======
INCOMPLETE Inline file created:
* /usr/share/easy-rsa/3/pki/inline/private/server1.inline
Notice
------
Certificate created at:
* /usr/share/easy-rsa/3/pki/issued/server1.crt
# create client certificates
# any name is OK for the [client1] name
# (it is used for the file name of the certs and for the commonName)
[root@dlp 3]# ./easyrsa build-client-full client1 nopass
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /usr/share/easy-rsa/3/pki/reqs/client1.req
* key: /usr/share/easy-rsa/3/pki/private/client1.key
You are about to sign the following certificate:
Requested CN: 'client1'
Requested type: 'client'
Valid for: '825' days
subject=
commonName = client1
Type the word 'yes' to continue, or any other input to abort.
Confirm requested details: yes
Using configuration from /usr/share/easy-rsa/3/pki/12806d74/temp.02
# answer with pass-phrase set on CA
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client1'
Certificate is to be certified until Jul 26 02:28:10 2028 GMT (825 days)
Write out database with 1 new entries
Database updated
WARNING
=======
INCOMPLETE Inline file created:
* /usr/share/easy-rsa/3/pki/inline/private/client1.inline
Notice
------
Certificate created at:
* /usr/share/easy-rsa/3/pki/issued/client1.crt
# generate Diffie Hellman ( DH ) param
[root@dlp 3]# ./easyrsa gen-dh

DH parameters appear to be ok.

Notice
------
DH parameters of size 2048 created at:
* /usr/share/easy-rsa/3/pki/dh.pem

# create TLS-Auth key
[root@dlp 3]# openvpn --genkey secret ./pki/ta.key
# copy generated certs
[root@dlp 3]# cp -pR /usr/share/easy-rsa/3/pki/{issued,private,ca.crt,dh.pem,ta.key} /etc/openvpn/server/

[3] Configure OpenVPN. This example assumes Firewalld is running, because the routing rules below are added with firewall-cmd.

# copy sample configuration
[root@dlp ~]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
[root@dlp ~]# vi /etc/openvpn/server/server.conf
# line 32 : change if needed (listening port of OpenVPN)
port 1194
# line 35 : change if needed (udp is used in this example)
;proto tcp
proto udp
# line 53 : change if needed (tun is used in this example)
;dev tap
dev tun
# line 86 : specify certificates
ca ca.crt
cert issued/server1.crt
key private/server1.key
dh dh.pem
# line 110 : specify the network to be used on the VPN
# any network is OK except your local network
server 172.16.100.0 255.255.255.0
# line 151 : uncomment and change to your local network
push "route 10.0.0.0 255.255.255.0"
# line 240 : keepalive settings
keepalive 10 120
# line 253 : specify TLS-Auth key
tls-auth ta.key 0
# line 271 : enable persist options
persist-tun
# line 276 : change log path
status /var/log/openvpn-status.log
# line 285 : uncomment and change log path
log /var/log/openvpn.log
log-append /var/log/openvpn.log
# line 295 : specify log level (0 - 9, 9 means debug level)
verb 3
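A small lint for the directives set above, added here as an example (it is not part of the original page or of OpenVPN). It parses the OpenVPN config line format, reports any of the certificate, DH, server and tls-auth directives that are missing, and catches the mistake the comment at line 110 warns about: the VPN subnet given to "server" overlapping the local network pushed with "route". Both input configs are constructed from the guide's values.

```python
import ipaddress
import shlex

REQUIRED = ("ca", "cert", "key", "dh", "server", "tls-auth")

def parse_openvpn_conf(text):
    """Split an OpenVPN config into (directive, args) pairs; '#' and ';' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route 10.0.0.0 255.255.255.0" as one argument
        entries.append((parts[0], parts[1:]))
    return entries

def lint_server_conf(text):
    """Return a list of findings; an empty list means all checks passed."""
    entries = parse_openvpn_conf(text)
    present = {d for d, _ in entries}
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in present]
    vpn_net = None
    for d, args in entries:
        if d == "server" and len(args) >= 2:
            vpn_net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif d == "tls-auth" and (len(args) < 2 or args[1] != "0"):
            findings.append("tls-auth on the server side should use key direction 0")
    for d, args in entries:
        if d != "push" or not args:
            continue
        words = args[0].split()  # e.g. ["route", "10.0.0.0", "255.255.255.0"]
        if len(words) >= 3 and words[0] == "route" and vpn_net is not None:
            local = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            if vpn_net.overlaps(local):
                findings.append(f"VPN subnet {vpn_net} overlaps pushed local route {local}")
    return findings

# Constructed input: the certificate, network and TLS-auth lines from the guide's server.conf.
GUIDE_CONF = """\
ca ca.crt
cert issued/server1.crt
key private/server1.key
dh dh.pem
server 172.16.100.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
tls-auth ta.key 0
"""
# Constructed counter-example: VPN subnet set to the local network, and tls-auth left out.
BAD_CONF = GUIDE_CONF.replace("server 172.16.100.0", "server 10.0.0.0").replace("tls-auth ta.key 0\n", "")
```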
[root@dlp ~]# vi /etc/openvpn/server/add-bridge.sh
# create new
#!/bin/bash
# network interface which can connect to the local network
IF=enp1s0
# interface the VPN tunnel uses
# when [tun] is specified in the config as in this example, this is generally [tun0]
VPNIF=tun0
# listening port of OpenVPN
PORT=1194

firewall-cmd --zone=public --add-masquerade
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ${VPNIF} -o ${IF} -j ACCEPT
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ${IF} -j MASQUERADE
firewall-cmd --add-port=${PORT}/udp

[root@dlp ~]# vi /etc/openvpn/server/remove-bridge.sh
# create new
#!/bin/bash
# network interface which can connect to the local network
IF=enp1s0
# interface the VPN tunnel uses
# when [tun] is specified in the config as in this example, this is generally [tun0]
VPNIF=tun0
# listening port of OpenVPN
PORT=1194

firewall-cmd --zone=public --remove-masquerade
firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i ${VPNIF} -o ${IF} -j ACCEPT
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o ${IF} -j MASQUERADE
firewall-cmd --remove-port=${PORT}/udp

[root@dlp ~]# chmod 700 /etc/openvpn/server/{add-bridge.sh,remove-bridge.sh}
[root@dlp ~]# systemctl edit openvpn-server@server
# create new
[Service]
ExecStartPost=/etc/openvpn/server/add-bridge.sh
ExecStopPost=/etc/openvpn/server/remove-bridge.sh

[root@dlp ~]# systemctl enable --now openvpn-server@server

[4] Transfer the following certificates you generated to the client host that you want to connect to the VPN.
* /etc/openvpn/server/ca.crt