A Virtual Private Network is a technology solution used to provide privacy and security for inter-network connections. The most well-known case consists of people connecting to a remote server with traffic going through a public or insecure network (such as the Internet).
Picture the following scenarios:
In this article we will explain how to set up a VPN server in a RHEL/CentOS 7 box using OpenVPN, a robust and highly flexible tunneling application that uses the encryption, authentication, and certification features of the OpenSSL library. For simplicity we will only consider a case where the OpenVPN server acts as a secure Internet gateway for a client.
For this setup, we’ve used three machines, the first one act as a OpenVPN server and other two (Linux and Windows) act as a clients to connect to remote OpenVPN Server.
Note: The same instructions also works on RHEL/CentOS 6 and Fedora systems..
Installing OpenVPN Server
To install OpenVPN in a RHEL/CentOS 7 server, you will first have to enable the EPEL repository and then install the package, along with easy-rsa – a small RSA key management package used primarily for key management and also for building web certificates.
# yum update && yum install epel-release # yum install openvpn easy-rsa
When the installation completes, head over to the sample configuration files directory:
# cd /usr/share/doc/openvpn-*/sample/sample-config-files/
and copy the server.conf file to /etc/openvpn:
# cp server.conf /etc/openvpn
Now we’re ready to start configuring the server.
Generate Keys and Certificates
The easy-rsa package provides several scripts as utilities, located inside /usr/share/easy-rsa/2.0 after installation, to generate keys and certificates. For our convenience, we are going to copy those files into /etc/openvpn/rsa (you need to create this directory first). Enter y if prompted to overwrite the existing files:
# mkdir /etc/openvpn/rsa # cp –rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa
Next, we will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs (fields are self-explanatory):
export KEY_SIZE=2048 export CA_EXPIRE=365 export KEY_EXPIRE=365 export KEY_COUNTRY=AR export KEY_PROVINCE=SL export KEY_CITY="VillaMercedes" export KEY_ORG="Tecmint.com" export KEY_EMAIL="[email protected]" export KEY_NAME="GabrielCanepa"
And source the file to export the variables and their values to the current environment (you will need them in the next step). You will see a message informing you the purpose of the clean-all script (also present in the same directory):
# source ./vars
Now run the following scripts from the keys directory, in the specified order.
The build-ca script will create a Certificate Authority (certificate + key) in /etc/openvpn/rsa/keys. Press Enter to accept the default values:
Next, we will create the key and the certificate for the server itself. As before, accept the default values and then press y to confirm the signing of the certificate:
# ./build-key-server server
Next, generate the Diffie-Hellman file used for information exchange to complement RSA (this will take quite some time). This will create a file named dh2048.pem inside /etc/openvpn/rsa/keys:
Finally, create separate certificate files for each client that will use your VPN server (change client to a name of your choosing):
# ./build-key client
The above step will create a certificate and key for a client. Follow the same steps as before to complete the process. Later on this tutorial we will download these files to a client that will use them to connect to the VPN server.
Configuring the OpenVPN Server
Let’s now dive into /etc/openvpn/server.conf:
1. Specify the length of the Diffie-Hellman parameters. Don’t use a value below 2048 if you don’t want to expose yourself to security threats:
2. All IP traffic (such as web browsing and and DNS lookups) should go through the VPN. Make sure the following line is uncommented:
push "redirect-gateway def1 bypass-dhcp"
3. As a consequence of #2, you need to specify at least two DNS servers that will be used to resolve names. The default ones are provided by opendns.org and you can either use them or Google’s (188.8.131.52 and 184.108.40.206):
push "dhcp-option DNS 220.127.116.11" push "dhcp-option DNS 18.104.22.168"
4. Finally, as a security measure, we will ensure that openvpn runs with the least privilege by changing the user and the group to nobody:
user nobody group nobody
We also need to allow vpn traffic through the firewalld and enable masquerading:
# firewall-cmd --permanent --add-service=openvpn # firewall-cmd --add-service=openvpn # firewall-cmd --permanent --add-masquerade # firewall-cmd --add-masquerade
And copy the certificate and key files to /etc/openvpn (the following command assumes your current working directory is /etc/openvpn/rsa/keys):
# cp ca.crt server.crt server.key ../../
Then enable the service:
# systemctl -f enable [email protected] # systemctl start [email protected]
At this point it’s a good idea to check the status of the service.
# systemctl -l status [email protected]
If it failed to start,
# journalctl --xn
will provide necessary debug information to troubleshoot any issues.