Install OpenVPN On CentOS

Today we are going to learn how to install OpenVPN on CentOS 8. First, a short introduction. A VPN (Virtual Private Network) is a technology that lets you create a secured network over the Internet. It lets you encrypt your internet traffic and shield your online identity. It is generally used to connect business networks securely over the Internet and allows you to connect to an enterprise network from anywhere.

In simple terms, a VPN connects your phone, computer or tablet to another computer (a server) over the Internet and lets you access the Internet through it.
You connect using that server's internet connection and can also reach its local network remotely, bypassing Internet censorship. A VPN has many other advantages; you can search for them to learn more.
So, today we will learn how to install a VPN on our CentOS 8 system to stay secure and browse securely. Just follow the steps below for an easy installation.

Step 1: Update your system

As usual, update your system by running

sudo yum update && sudo yum upgrade

Step 2: Disable SELinux

After updating the system, disable SELinux before proceeding. Open the file /etc/selinux/config & change the following line to disable SELinux

sudo nano /etc/selinux/config
SELINUX=disabled

Then save the file & exit.

Step 3: Enable IP Forwarding

Now, enable IP forwarding in CentOS 8. It allows the system to accept incoming packets & forward them when the destination is on another network.

To enable IP forwarding, type

sudo nano /etc/sysctl.conf

Then add the following line

net.ipv4.ip_forward = 1

Then save the file & exit.

Step 4: Installing OpenVPN Server

If you’ve already installed the EPEL repository on your system, skip the first command below. If not, install it with

sudo dnf install epel-release -y

Then run the command to install the OpenVPN server

sudo dnf install openvpn -y

When the installation has finished, switch to the /etc/openvpn directory & download easy-rsa for security purposes.

cd /etc/openvpn
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Then extract the downloaded package.

sudo tar -xvzf EasyRSA-unix-v3.0.6.tgz

And move the resulting

sudo mv EasyRSA-v3.0.6 easy-rsa

Step 5: Configuring Easy RSA

For security reasons, we have to add SSL certificates. For this purpose, configure Easy RSA on the system.

Switch to the /etc/openvpn/easy-rsa directory & create a new file

cd /etc/openvpn/easy-rsa
sudo nano vars

Then paste the below content into the file

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "PAKISTAN"
set_var EASYRSA_REQ_PROVINCE    "PUNJAB"
set_var EASYRSA_REQ_CITY        "MULTAN"
set_var EASYRSA_REQ_ORG         "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "osradar EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

Note: Replace the country, province, city & email address with yours.

Save the file & exit.

Then run the command to initialize the PKI directory.

sudo ./easyrsa init-pki

Now, build the CA certificates

sudo ./easyrsa build-ca

Note: The above command produces two files named ca.key & ca.crt. They are used to sign the server & client certificates.

Step 6: Generating Server Certificate Files

Now, run the command to generate the key-pair & certificate request.

sudo ./easyrsa gen-req osradar-server nopass

Step 7: Sign the Server Key Using CA

Now, sign the osradar-server key with the help of your CA certificate.

To do this, just run the command

sudo ./easyrsa sign-req server osradar-server

Then verify the issued certificate against the CA certificate

openssl verify -CAfile pki/ca.crt pki/issued/osradar-server.crt

You’ll see similar output upon successful configuration.

pki/issued/osradar-server.crt: OK

Now, generate the Diffie-Hellman parameters used for key exchange

sudo ./easyrsa gen-dh

Once all of these are done, copy the files to the /etc/openvpn/server/ directory

sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/private/osradar-server.key /etc/openvpn/server/
sudo cp pki/issued/osradar-server.crt /etc/openvpn/server/

Step 8: Generating Client Certificate & Key File

Generate the client key file using

sudo ./easyrsa gen-req client nopass

Now, sign the client key with the help of your CA certificate

sudo ./easyrsa sign-req client client

After finishing these steps, copy the files to the /etc/openvpn/client/ directory

sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/

Step 9: Configuring OpenVPN Server

Make a new config file under /etc/openvpn/server with your favourite editor

sudo nano /etc/openvpn/server/server.conf

Then paste the below content into it.

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/osradar-server.crt
key /etc/openvpn/server/osradar-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3

Then save & exit the file.

Step 10: Start OpenVPN Services

Simply run the command below to start & enable the OpenVPN Services

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

Make sure that the status is active with

systemctl status openvpn-server@server

Upon successful setup, the OpenVPN server creates a new network interface. Check it by typing

ifconfig

Step 11: Generating Client Configuration File

It is necessary to generate the client configuration file in order to connect to the OpenVPN server from the client system.

sudo nano /etc/openvpn/client/client.ovpn

Then paste the below data into it.

client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save & exit the file
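
Both configuration files above can be checked for a few settings that matter for security: duplicate-cn lets several sessions share one client certificate, compress exposes the tunnel to compression side channels such as VORACLE, neither file sets tls-auth or tls-crypt, and client.ovpn has no remote-cert-tls server, so the client does not check that the peer's certificate was issued for server use. The script below is an added example, not part of the original tutorial; the function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenVPN config for the directives discussed above.
# Usage: audit_ovpn <server|client> <config-file>; prints one finding per line.

# has_directive FILE NAME: succeeds if NAME is set on a non-comment line.
has_directive() {
    awk -v d="$2" '
        /^[[:space:]]*[#;]/ { next }   # OpenVPN comments start with # or ;
        $1 == d { found = 1 }
        END { exit !found }' "$1"
}

audit_ovpn() {
    role=$1
    conf=$2
    # Many simultaneous sessions may share one client certificate.
    if has_directive "$conf" duplicate-cn; then
        echo "DUPLICATE_CN"
    fi
    # Tunnel compression can leak information about the plaintext.
    if has_directive "$conf" compress || has_directive "$conf" comp-lzo; then
        echo "COMPRESSION"
    fi
    # No HMAC or encryption wrapper on the TLS control channel.
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "NO_TLS_AUTH"
    fi
    # Client does not require a server-type certificate from its peer.
    if [ "$role" = client ] && ! has_directive "$conf" remote-cert-tls; then
        echo "NO_SERVER_CERT_CHECK"
    fi
    return 0
}

# Constructed sample: a few lines taken from the client.ovpn shown above.
sample=$(mktemp)
printf '%s\n' 'client' ' dev tun' ' cipher AES-256-CBC' ' compress lz4' > "$sample"
audit_ovpn client "$sample"
```

Run it as audit_ovpn server /etc/openvpn/server/server.conf and audit_ovpn client /etc/openvpn/client/client.ovpn; no output means none of the four findings apply.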

Step 12: Configuring Routing

Allow the service through firewalld by typing

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Then add masquerading on the default zone.

sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade

After that, allow incoming requests from the VPN to the local system (VPN network to local network)

# Take the interface name from the token after "dev"; a fixed field offset breaks when ip appends a uid field
osradar=$(ip route get 8.8.8.8 | awk 'NR==1 {for (i=1; i<NF; i++) if ($i=="dev") {print $(i+1); exit}}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$osradar" -j MASQUERADE

Reload the changes

sudo firewall-cmd --reload
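
The position of the interface name in ip route get output is not fixed: some iproute2 versions append a uid field, so a fixed offset such as $(NF-2) can return the source address instead of the interface. The script below is an added example, not part of the original tutorial, that reads the token after dev and validates it before it is used in a firewall rule; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the egress interface from `ip route get` output
# without relying on a fixed field position.

# egress_iface: reads `ip route get <addr>` output on stdin, prints the token
# that follows "dev" on the first line, and fails if no plausible name is found.
egress_iface() {
    awk 'NR == 1 {
             for (i = 1; i < NF; i++)
                 if ($i == "dev") { dev = $(i + 1); break }
         }
         END {
             # Conservative allow-list for an interface name (at most 15 chars).
             if (dev ~ /^[A-Za-z0-9_.:@-]+$/ && length(dev) <= 15) {
                 print dev
                 exit 0
             }
             exit 1
         }'
}

# Fixed-offset parse, kept only for comparison.
fixed_offset() { awk 'NR==1 {print $(NF-2)}'; }

# Constructed samples of the two layouts (documentation address range).
WITHOUT_UID='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10
    cache'
WITH_UID='8.8.8.8 via 192.0.2.1 dev ens192 src 192.0.2.10 uid 0
    cache'

printf '%s\n' "$WITHOUT_UID" | fixed_offset   # interface name
printf '%s\n' "$WITH_UID"    | fixed_offset   # source address, not an interface
printf '%s\n' "$WITH_UID"    | egress_iface   # interface name in both layouts
```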

Step 13: Use OpenVPN from Clients

To use OpenVPN from the client machine, you have to install the OpenVPN package with the following commands

sudo dnf install epel-release -y
sudo dnf install openvpn -y

Then download the OpenVPN client config files from the server to the client system.

Run the given command on the client system

scp -r root@vpn-server-ip:/etc/openvpn/client .

When it has finished, switch to the client directory and type

cd client
sudo openvpn --config client.ovpn

Once the connection succeeds, OpenVPN assigns an IP address to your system. Type the command to verify it.

ifconfig tun0

So, this is how you can configure and install the OpenVPN server and client on CentOS 8.

source: https://www.osradar.com/how-to-install-openvpn-on-centos-8/
