
How to install OpenVPN server and client with Easy-RSA 3 on CentOS 8



OpenVPN is open-source software that lets you create a secure private network over the public Internet. OpenVPN implements a virtual private network (VPN) to create a secure connection. OpenVPN uses the OpenSSL library to provide the encryption and supports several authentication mechanisms, e.g. certificate-based, shared keys and username/password authentication.

In this guide we will show you step by step how to install and configure OpenVPN on a CentOS 8 server. We will implement certificate-based OpenVPN authentication.

Prerequisites

  • CentOS 8 Server
  • Root privileges

What we will do?

  • Install OpenVPN and Easy-RSA
  • Configure Easy-RSA 3 Vars
  • Build OpenVPN Keys
  • Configure OpenVPN Server
  • Configure Firewalld and Enable Port Forwarding
  • Client Setup

  • Testing

Step 1 - Install OpenVPN and Easy-RSA

First, we will add the EPEL (Extra Packages for Enterprise Linux) repository, install the latest OpenVPN package and download the easy-rsa script to the CentOS 8 system.

Install the EPEL repository with the dnf command below.

    dnf install epel-release

Then install the latest OpenVPN package (2.4.7).

    dnf install openvpn

When the installation is complete, go to '/etc/openvpn' and download the easy-rsa scripts using the wget command below.

    cd /etc/openvpn/
    wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Now extract the 'EasyRSA-unix-v3.0.6.tgz' file and rename the directory to 'easy-rsa'.

    tar -xf EasyRSA-unix-v3.0.6.tgz
    mv EasyRSA-v3.0.6/ easy-rsa/
    rm -f EasyRSA-unix-v3.0.6.tgz

The OpenVPN package and the easy-rsa script have been installed on the CentOS 8 system.

Step 2 - Configure Easy-RSA 3

In this step we configure easy-rsa 3 by creating a new 'vars' file. The 'vars' file contains the settings for Easy-RSA 3.

Go to the '/etc/openvpn/easy-rsa/' directory and create a new 'vars' script with the vim editor.

    cd /etc/openvpn/easy-rsa/
    vim vars

Paste the easy-rsa 3 configuration below.

    set_var EASYRSA "$PWD"
    set_var EASYRSA_PKI "$EASYRSA/pki"
    set_var EASYRSA_DN "cn_only"
    set_var EASYRSA_REQ_COUNTRY "ID"
    set_var EASYRSA_REQ_ORG "Hakase-lab's Certificate Authority"
    set_var EASYRSA_REQ_EMAIL "[email protected]"
    set_var EASYRSA_REQ_OU "Hakase LABS EASY CA"
    set_var EASYRSA_KEY_SIZE 2048
    set_var EASYRSA_ALGO rsa
    set_var EASYRSA_CA_EXPIRE 7500
    set_var EASYRSA_CERT_EXPIRE 365
    set_var EASYRSA_NS_SUPPORT "no"
    set_var EASYRSA_NS_COMMENT "Hakase LABS CAs"
    set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
    set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
    set_var EASYRSA_DIGEST "sha256"

Save and exit.

Note:

  • Change the values of the variables as needed.
  • Increase 'EASYRSA_KEY_SIZE' for better security.
  • Change 'EASYRSA_CA_EXPIRE' and 'EASYRSA_CERT_EXPIRE' as needed (they are the CA and certificate lifetimes in days).

Now make the 'vars' file executable by changing its mode.

    chmod +x vars

The easy-rsa 3 configuration has been completed.

Step 3 - Build OpenVPN Keys

In this step we will build the OpenVPN keys based on the easy-rsa 3 'vars' file that we created. We will build the CA key, the server and client keys, the DH parameters and the CRL PEM file.

We will build all these keys using the 'easyrsa' command line tool. Go to the '/etc/openvpn/easy-rsa/' directory.

    cd /etc/openvpn/easy-rsa/

- Initialization and build CA

Before building the server and client keys, we must initialize the public key infrastructure (PKI) directory and build the CA key.

Initialize the PKI directory and build the CA key with the commands below.

    ./easyrsa init-pki
    ./easyrsa build-ca

Now enter the password for your CA key, and you will get the 'ca.crt' and 'ca.key' files under the 'pki' directory.

- Build Server Key

Now we will build the server key, named 'hakase-server'.

Build the 'hakase-server' server key with the command below.

    ./easyrsa gen-req hakase-server nopass

Note:

  • nopass = option to disable the password for the 'hakase-server' key.

Now sign the 'hakase-server' key with our CA certificate.

    ./easyrsa sign-req server hakase-server

You will be asked for the CA password; type it and press Enter. You will get the certificate file 'hakase-server.crt' under the 'pki/issued/' directory.

Verify the certificate file with the openssl command and make sure there is no error.

    openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt

All server certificate keys have been created. The server's private key is located at 'pki/private/hakase-server.key' and the server certificate at 'pki/issued/hakase-server.crt'.

- Build Client Key

Now we need to build the keys for the client. We will generate a new client key named 'client01'.

Generate the 'client01' key with the command below.

    ./easyrsa gen-req client01 nopass

Now sign the 'client01' key with our CA certificate as below.

    ./easyrsa sign-req client client01

Type 'yes' to confirm the client certificate request, and then enter the CA password.

The client certificate named 'client01' has been generated; verify it using the openssl command and make sure there is no error.

    openssl verify -CAfile pki/ca.crt pki/issued/client01.crt

- Build Diffie-Hellman Key

The Diffie-Hellman (DH) parameters are needed for the key exchange and better security. We will generate 2048-bit DH parameters based on the 'vars' configuration file created above.

Generate the Diffie-Hellman parameters with the command below.

    ./easyrsa gen-dh

The DH parameters have been generated as 'dh.pem' in the 'pki' directory.

- Optional: Generate CRL key

The Certificate Revocation List (CRL) is used to revoke client certificates. If you have issued multiple client certificates for your VPN server and you want to remove one of them, you just need to revoke it using the easy-rsa command.

To revoke a certificate, run the command below ('someone' is the name of the certificate to revoke).

    ./easyrsa revoke someone

Then generate the CRL file.

    ./easyrsa gen-crl

The CRL PEM file 'crl.pem' has been generated under the 'pki' directory; the screenshot in the original post shows the output on my server.

- Copy Certificate Files

All certificates have been generated; now copy the certificate and PEM files.

Copy the server key and certificate.

    cp pki/ca.crt /etc/openvpn/server/
    cp pki/issued/hakase-server.crt /etc/openvpn/server/
    cp pki/private/hakase-server.key /etc/openvpn/server/

Copy the client01 key and certificate.

    cp pki/ca.crt /etc/openvpn/client/
    cp pki/issued/client01.crt /etc/openvpn/client/
    cp pki/private/client01.key /etc/openvpn/client/

Copy the DH parameters and the CRL file.

    cp pki/dh.pem /etc/openvpn/server/
    cp pki/crl.pem /etc/openvpn/server/

All server and client certificates have been copied to their directories.

Step 4 - Configure OpenVPN

In this step, we create a new configuration file 'server.conf' for the OpenVPN server.

Go to the '/etc/openvpn/server/' directory and create a new configuration file 'server.conf' with vim.

    cd /etc/openvpn/server/
    vim server.conf

Paste the following OpenVPN server configuration there.

    # OpenVPN port, protocol and tun device
    port 1194
    proto udp
    dev tun

    # OpenVPN server certificates - CA, server key and certificate
    ca /etc/openvpn/server/ca.crt
    cert /etc/openvpn/server/hakase-server.crt
    key /etc/openvpn/server/hakase-server.key

    # DH parameters and CRL
    dh /etc/openvpn/server/dh.pem
    crl-verify /etc/openvpn/server/crl.pem

    # Network configuration - internal network
    # Redirect all client traffic through the OpenVPN server
    server 10.5.0.0 255.255.255.0
    push "redirect-gateway def1"

    # Using DNS from https://dns.watch
    push "dhcp-option DNS 84.200.69.80"
    push "dhcp-option DNS 84.200.70.40"

    # Allow multiple clients to connect with the same certificate
    duplicate-cn

    # TLS security
    cipher AES-256-CBC
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
    auth SHA512
    auth-nocache

    # Other configuration
    keepalive 20 60
    persist-key
    persist-tun

    compress lz4
    daemon
    user nobody
    group nobody

    # OpenVPN log
    log-append /var/log/openvpn.log
    verb 3

Save and exit.

The OpenVPN server configuration has been created.

Step 5 - Enable port forwarding and configure routing in Firewalld

In this step we will enable IP forwarding in the kernel and configure routing in 'Firewalld' for OpenVPN.

Enable the kernel's IP forwarding by running the following commands.

    echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -p

Then configure routing with Firewalld for OpenVPN.

Add the OpenVPN service to the 'public' and 'trusted' firewall zones.

    firewall-cmd --permanent --add-service=openvpn
    firewall-cmd --permanent --zone=trusted --add-service=openvpn

Then add 'tun0' to the 'trusted' zone.

    firewall-cmd --permanent --zone=trusted --add-interface=tun0

Now enable 'MASQUERADE' on the default 'public' zone.

    firewall-cmd --permanent --add-masquerade

Enable NAT for the OpenVPN internal network '10.5.0.0/24' out through the server's external interface. The '-o' option of the POSTROUTING rule takes an interface name, so the first command below determines the interface used by the route to the Internet.

    SERVERDEV=$(ip route get 1.1.1.1 | awk 'NR==1 { for (i=1; i<NF; i++) if ($i=="dev") print $(i+1) }')
    firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.5.0.0/24 -o $SERVERDEV -j MASQUERADE
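The interface lookup above is easy to get wrong, because the layout of 'ip route get' output differs between iproute2 versions. The following is an added example (not part of the original article) that extracts the interface by keyword rather than by field position and shows, on two constructed sample lines, why a field-position approach such as 'print $(NF-2)' gives the interface on older iproute2 but the source address on newer releases that append 'uid N'. The function names route_field, masq_rule and nf_minus_2 and the sample addresses are my own.

```shell
#!/bin/sh
# Added example, not code from the original article. Selects the outbound
# interface for the MASQUERADE rule by keyword. iptables' "-o" expects an
# interface name; an address or an unknown name is accepted syntactically
# but never matches, so a wrong value makes the NAT rule fail silently.

# Print the word following keyword $1 ("dev" or "src") in the first line
# of `ip route get` output read from stdin.
route_field() {
    awk -v k="$1" 'NR == 1 { for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# The field-position approach (the article's one-liner), kept for comparison.
nf_minus_2() {
    awk 'NR == 1 { print $(NF - 2) }'
}

# Print the firewall-cmd direct rule that masquerades subnet $2 out of
# interface $1 (the same rule as in the article, with a checked interface).
masq_rule() {
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$2" "$1"
}

# Constructed sample lines (not captured from a real host):
# older iproute2 ends the line after "src <addr>", newer releases
# (including the one shipped with CentOS 8) append "uid <n>".
ROUTE_OLD='1.1.1.1 via 10.0.2.2 dev eth0  src 10.0.2.15'
ROUTE_NEW='1.1.1.1 via 10.0.2.2 dev eth0 src 10.0.2.15 uid 0'

echo "field NF-2, old format: $(printf '%s\n' "$ROUTE_OLD" | nf_minus_2)"   # eth0
echo "field NF-2, new format: $(printf '%s\n' "$ROUTE_NEW" | nf_minus_2)"   # 10.0.2.15
echo "keyword 'dev', old/new: $(printf '%s\n' "$ROUTE_OLD" | route_field dev) $(printf '%s\n' "$ROUTE_NEW" | route_field dev)"   # eth0 eth0

# On the real server, feed the live output instead of the sample and run
# the printed command:
#   DEV=$(ip route get 1.1.1.1 | route_field dev)
#   masq_rule "$DEV" 10.5.0.0/24
masq_rule "$(printf '%s\n' "$ROUTE_NEW" | route_field dev)" 10.5.0.0/24
```

After adding the rule, 'firewall-cmd --permanent --direct --get-all-passthroughs' lists it, and the interface name in the '-o' field should match the one shown by 'ip route get'.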

Then reload the firewall.

    firewall-cmd --reload

The port forwarding and Firewalld routing configuration is complete. Start the OpenVPN service and enable it to start automatically every time the system boots.

    systemctl start openvpn-server@server
    systemctl enable openvpn-server@server

Then check the OpenVPN service using the commands below.

    netstat -plntu
    systemctl status openvpn-server@server

As a result, the OpenVPN service is up and running on UDP with the default port '1194'.

Step 6 - OpenVPN Client Setup

Go to the '/etc/openvpn/client' directory and create a new OpenVPN client configuration file 'client01.ovpn' with vim.

    cd /etc/openvpn/client
    vim client01.ovpn

Paste the following OpenVPN client configuration there.

    client
    dev tun
    proto udp

    remote xxx.xxx.xxx.xxx 1194

    ca ca.crt
    cert client01.crt
    key client01.key

    cipher AES-256-CBC
    auth SHA512
    auth-nocache
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

    resolv-retry infinite
    compress lz4
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    verb 3

Save and exit.
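The server configuration from Step 4 and the client profile above have to agree on the data-channel cipher, the HMAC, the TLS floor and the TLS cipher list, and a few of the server directives (duplicate-cn, compress lz4, the absence of tls-crypt/tls-auth) trade security for convenience. The following is an added example (not part of the original article) that lints a server config against a client profile: it reports every mismatched directive and flags the weakening server settings. The two sample configs are constructed to mirror the article's server.conf and client01.ovpn; the function names ovpn_get, ovpn_has, ovpn_check_pair and ovpn_check_hardening are my own.

```shell
#!/bin/sh
# Added example, not code from the original article. Reads OpenVPN config
# files with awk only, so it runs anywhere without OpenVPN installed.

# Print the value of the first occurrence of directive $2 in file $1
# (the keyword itself is dropped; comment lines never match a keyword).
ovpn_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Exit 0 if directive $2 appears in file $1, with or without a value.
ovpn_has() {
    awk -v k="$2" '$1 == k { f = 1 } END { exit !f }' "$1"
}

# Print one MISMATCH line per directive that differs between server
# config $1 and client profile $2. These must be identical for the
# article's setup; a mismatch shows up as HMAC or TLS handshake
# failures in /var/log/openvpn.log.
ovpn_check_pair() {
    for d in proto cipher auth tls-version-min tls-cipher; do
        sv=$(ovpn_get "$1" "$d")
        cv=$(ovpn_get "$2" "$d")
        [ "$sv" = "$cv" ] || echo "MISMATCH $d: server='$sv' client='$cv'"
    done
}

# Print one RISK/NOTE line per weakening directive in server config $1.
ovpn_check_hardening() {
    if ovpn_has "$1" duplicate-cn; then
        echo "RISK duplicate-cn: one leaked client certificate can be used by any number of clients; issue one certificate per device and revoke individually via the CRL"
    fi
    if ovpn_has "$1" compress || ovpn_has "$1" comp-lzo; then
        echo "RISK compression: compressing tunnelled traffic exposes it to VORACLE-style compression-oracle attacks"
    fi
    if ! ovpn_has "$1" tls-crypt && ! ovpn_has "$1" tls-auth; then
        echo "NOTE no tls-crypt/tls-auth: the control channel has no pre-shared HMAC key, so the TLS port answers any peer that can reach it"
    fi
    if [ -z "$(ovpn_get "$1" user)" ] || [ -z "$(ovpn_get "$1" group)" ]; then
        echo "RISK no privilege drop: set 'user nobody' and 'group nobody' together with persist-key/persist-tun"
    fi
}

# Constructed sample configs (abridged copies of the article's files).
SRV=$(mktemp); CLI=$(mktemp); CLI_BAD=$(mktemp)
trap 'rm -f "$SRV" "$CLI" "$CLI_BAD"' EXIT
cat > "$SRV" <<'EOF'
# server.conf as in Step 4
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
server 10.5.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
compress lz4
user nobody
group nobody
EOF
cat > "$CLI" <<'EOF'
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
compress lz4
EOF
# A hand-edited copy of the profile: weaker HMAC, TLS floor removed.
sed -e 's/^auth SHA512/auth SHA1/' -e '/^tls-version-min/d' "$CLI" > "$CLI_BAD"

echo "server vs client01.ovpn:";   ovpn_check_pair "$SRV" "$CLI"        # no output
echo "server vs edited profile:";  ovpn_check_pair "$SRV" "$CLI_BAD"    # 2 MISMATCH lines
echo "server hardening:";          ovpn_check_hardening "$SRV"          # 3 findings
```

To run it against the real files, call ovpn_check_pair /etc/openvpn/server/server.conf /etc/openvpn/client/client01.ovpn instead of the temp files; the checks are per line, so directives embedded inline in a unified .ovpn (for example <ca> blocks) are ignored, which is fine for the file layout this article uses.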

Now compress the '/etc/openvpn/client' directory into a 'zip' or 'tar.gz' file and download the compressed file to your local computer with scp.

Compress the '/etc/openvpn/client' directory into the 'client01.tar.gz' file.

    cd /etc/openvpn/
    tar -czvf client01.tar.gz client/*

You can now download the compressed OpenVPN client files with an FTP server or with the scp command as below (replace xxx.xxx.xxx.xxx with your server address).

    scp root@xxx.xxx.xxx.xxx:/etc/openvpn/client01.tar.gz .

Step 7 - Connect to OpenVPN

Test on the clients.

- On Linux

Install the OpenVPN package and, if you want GUI configuration, the OpenVPN NetworkManager plugin.

    sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome -y

If you want to connect from a terminal shell, run the OpenVPN command below.

    openvpn --config client01.ovpn

When connected to OpenVPN, open a new terminal tab and check the connection using the curl command.

    curl ifconfig.io

You will get the public IP address of the OpenVPN server.

- On Mac OS

Download Tunnelblick and install it. Extract the 'client01.tar.gz' file and rename the client directory to 'client01.tblk'.

    tar -xzvf client01.tar.gz
    mv client client01.tblk

Double-click 'client01.tblk'; Tunnelblick will automatically detect the OpenVPN configuration and import it.

Now connect through the Tunnelblick icon in the menu bar.

- On Windows

Download the Windows OpenVPN client and import the configuration.
