Installing and configuring OpenVPN (client and server) and Easy-RSA 3 on CentOS 7

OpenVPN is a free, open source implementation of virtual private network technology for creating encrypted point-to-point or server-to-client channels between computers. Easy-RSA is a program for creating and maintaining the public key infrastructure (PKI) that OpenVPN uses for authentication.

Installing the necessary software

Add EPEL repository and update

[[email protected] ~]# yum install epel-release -y
[[email protected] ~]# yum update -y

Install OpenVPN 2.4 and Easy-RSA 3

[[email protected] ~]# yum install openvpn easy-rsa -y

Let’s check their versions

[[email protected] ~]# openvpn --version
[[email protected] ~]# ls -lah /usr/share/easy-rsa/

Checking OpenVPN and Easy-RSA versions

Configuring Easy-RSA 3

Copy the easy-rsa scripts to the /etc/openvpn/ directory

[[email protected] ~]# cp -r /usr/share/easy-rsa /etc/openvpn/

Go to the /etc/openvpn/easy-rsa/3/ directory and create the vars file there

[[email protected] ~]# cd /etc/openvpn/easy-rsa/3/
[[email protected] ~]# nano vars

File contents:

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "RU"
set_var EASYRSA_REQ_PROVINCE    "Moscow"
set_var EASYRSA_REQ_CITY        "Moscow"
set_var EASYRSA_REQ_ORG         "My Organisation"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "IT department"
set_var EASYRSA_KEY_SIZE        4096
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     3650
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha512"

Making the file executable

[[email protected] ~]# chmod +x vars

Creating a key and certificate for OpenVPN Server

Before creating the key, we need to initialize the PKI directory and create the CA key.

[[email protected] ~]# cd /etc/openvpn/easy-rsa/3/
[[email protected] ~]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

[[email protected] ~]# ./easyrsa build-ca

At this step you are asked to choose a passphrase for the CA key; once it is entered, the files ‘ca.crt’ and ‘ca.key’ are created in the ‘pki’ directory. Keep this passphrase: it is needed every time a certificate is signed or revoked.

Create a root certificate

Create a server key (server name srv-openvpn)

[[email protected] ~]# ./easyrsa gen-req srv-openvpn nopass

The nopass option leaves the srv-openvpn private key without a passphrase, so the server can start without prompting for one

Create a server key

Let’s sign the srv-openvpn key using our CA certificate

[[email protected] ~]# ./easyrsa sign-req server srv-openvpn

In the process, we will be asked for the password that we set earlier

We sign the key using a CA certificate

Let’s check the certificate files to make sure that the certificates were generated without errors

[[email protected] ~]# openssl verify -CAfile pki/ca.crt pki/issued/srv-openvpn.crt
pki/issued/srv-openvpn.crt: OK

All OpenVPN server certificates are generated.

  • The root certificate is located at: ‘pki/ca.crt’
  • The server private key is located at: ‘pki/private/srv-openvpn.key’
  • The server certificate is located at: ‘pki/issued/srv-openvpn.crt’

Client key creation

Generate client key client-01

[[email protected] ~]# ./easyrsa gen-req client-01 nopass

Generating a client key

Now let’s sign the client-01 key using our CA certificate

[[email protected] ~]# ./easyrsa sign-req client client-01

In the process, we will be asked for the password that we set earlier

We sign the client key using the root certificate

Check the certificate files

[[email protected] ~]# openssl verify -CAfile pki/ca.crt pki/issued/client-01.crt
pki/issued/client-01.crt: OK

Additional configuration of OpenVPN server

Let’s generate the Diffie-Hellman parameters (dh.pem)

[[email protected] ~]# ./easyrsa gen-dh

Diffie-Hellman parameter generation

If we plan to revoke client certificates in the future, we need to generate a certificate revocation list (CRL)

[[email protected] ~]# ./easyrsa gen-crl

In the process, we will be asked for the password that we set earlier

Generating a CRL

In order to revoke the certificate, you must run the command:

[[email protected] ~]# ./easyrsa revoke client-02

where client-02 is the name of the certificate we are revoking

All the necessary certificates have been created; now they need to be copied to the OpenVPN server and client directories

Copying server certificates

[[email protected] ~]# cp pki/ca.crt /etc/openvpn/server/
[[email protected] ~]# cp pki/issued/srv-openvpn.crt /etc/openvpn/server/
[[email protected] ~]# cp pki/private/srv-openvpn.key /etc/openvpn/server/

Copying client certificates

[[email protected] ~]# cp pki/ca.crt /etc/openvpn/client/
[[email protected] ~]# cp pki/issued/client-01.crt /etc/openvpn/client/
[[email protected] ~]# cp pki/private/client-01.key /etc/openvpn/client/

Copy the DH parameters and the CRL

[[email protected] ~]# cp pki/dh.pem /etc/openvpn/server/
[[email protected] ~]# cp pki/crl.pem /etc/openvpn/server/

!!! After revoking a certificate, regenerate the CRL (./easyrsa gen-crl) and copy it to the /etc/openvpn/server/ directory again, otherwise the server keeps checking clients against the old list !!!

OpenVPN server setup

Let’s create a configuration file server.conf

[[email protected] ~]# cd /etc/openvpn/
[[email protected] ~]# nano server.conf

File contents:

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/srv-openvpn.crt
key /etc/openvpn/server/srv-openvpn.key

# DH parameters and CRL
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.10.1.0 255.255.255.0
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

# Allow several clients to connect with the same certificate
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

Configuring Firewalld

Enabling IP forwarding in the kernel (a sysctl setting, not a module)

[[email protected] ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[[email protected] ~]# sysctl -p
net.ipv4.ip_forward = 1

Add the openvpn service to firewalld, and the tun0 interface to the trusted zone

[[email protected] ~]# firewall-cmd --permanent --add-service=openvpn
[[email protected] ~]# firewall-cmd --permanent --zone=trusted --add-interface=tun0

We activate ‘MASQUERADE’ for the firewalld trusted zone

[[email protected] ~]# firewall-cmd --permanent --zone=trusted --add-masquerade

Activating NAT for the VPN subnet (the SERVERIP variable is meant to hold the name of the outbound interface, the ‘dev’ field of the route, which is what -o expects; check its value before running the second command)

[[email protected] ~]# SERVERIP=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}')
[[email protected] ~]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s  10.10.1.0/24 -o $SERVERIP -j MASQUERADE

Restart firewalld

[[email protected] ~]# firewall-cmd --reload

Launch OpenVPN and add it to startup

[[email protected] ~]# systemctl start [email protected]
[[email protected] ~]# systemctl enable [email protected]

Check that the service is running and listening on UDP port 1194

[[email protected] ~]# netstat -plntu
[[email protected] ~]# systemctl status [email protected]

Checking if OpenVPN is running

OpenVPN client setup

Let’s create a configuration file client-01.ovpn

[[email protected] ~]# cd /etc/openvpn/client
[[email protected] ~]# nano client-01.ovpn

File contents:

client
dev tun
proto udp

remote xx.xx.xx.xx 1194

ca ca.crt
cert client-01.crt
key client-01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

In the line ‘remote xx.xx.xx.xx 1194’ replace ‘xx.xx.xx.xx’ with the public IP address of the OpenVPN server

Now you need to archive the certificates (ca.crt, client-01.crt), the client key (client-01.key) and the configuration file (client-01.ovpn), and transfer them to the PC that will connect to the OpenVPN server

Install zip archiver and create an archive with files

[[email protected] ~]# yum install zip unzip -y
[[email protected] ~]# cd /etc/openvpn/
[[email protected] ~]# zip client/client-01.zip client/*

Connect from another PC to the OpenVPN server and watch the server log:

[[email protected] ~]# tail -f /var/log/openvpn.log

We look at the log file of the OpenVPN server
