OpenVPN Installation
From r00tedvw.com wiki
(Difference between revisions)
| (3 intermediate revisions by one user not shown) | |||
| Line 12: | Line 12: | ||
Copy example server.conf to openvpn parent dir. | Copy example server.conf to openvpn parent dir. | ||
<nowiki>~$ sudo cp /usr/share/doc/openvpn-2.3.14/sample/sample-config-files/server.conf /etc/openvpn/</nowiki> | <nowiki>~$ sudo cp /usr/share/doc/openvpn-2.3.14/sample/sample-config-files/server.conf /etc/openvpn/</nowiki> | ||
| + | Edit the config | ||
| + | <nowiki>~$ sudo vi /etc/openvpn/server.conf | ||
| + | Comments can be preceded by either # or ; | ||
| + | |||
| + | # change to 2048 | ||
| + | dh dh2048.pem | ||
| + | |||
| + | # redirect ALL traffic - remove ; | ||
| + | push "redirect-gateway def1 bypass-dhcp" | ||
| + | |||
| + | # specify local DNS server(s) - remove ; and update DNS server ip address | ||
| + | push "dhcp-option DNS 10.0.1.2" | ||
| + | |||
| + | # start openvpn with no priviledges - uncomment lines | ||
| + | user nobody | ||
| + | group nobody | ||
| + | |||
| + | ==Generate Keys and Certs== | ||
| + | Change to root | ||
| + | <nowiki>~$ sudo -s</nowiki> | ||
| + | Create directory and copy files | ||
| + | <nowiki>~$ sudo mkdir -p /etc/openvpn/easy-rsa/keys | ||
| + | ~$ sudo cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/</nowiki> | ||
| + | Update Config | ||
| + | <nowiki>~$ sudo vi /etc/openvpn/easy-rsa/vars | ||
| + | ... | ||
| + | |||
| + | # X509 Subject Field | ||
| + | export KEY_NAME="server" | ||
| + | . . . | ||
| + | export KEY_CN=openvpn.example.com</nowiki> | ||
| + | Begin creation of certificates. You '''must''' be root. | ||
| + | <nowiki>~$ sudo -s | ||
| + | ~$ cd /etc/openvpn/easy-rsa | ||
| + | source ./vars | ||
| + | ./clean-all | ||
| + | ./build-ca | ||
| + | ./build-key-server server | ||
| + | ./build-dh</nowiki> | ||
| + | Copy needed files to openvpn dir | ||
| + | <nowiki>~$ cd /etc/openvpn/easy-rsa/keys/ | ||
| + | cp dh2048.pem ca.crt server.crt server.key /etc/openvpn</nowiki> | ||
| + | Build client certificate and key. Easy client should have unique certs and keys. | ||
| + | <nowiki>~$ cd /etc/openvpn/easy-rsa | ||
| + | ../build-key client1</nowiki> | ||
Latest revision as of 21:21, 9 January 2017
Reference: https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7
Installation performed on Oracle Linux 7.3 x64 Server instance.
[edit] Install OpenVPN and Easy-RSA
Install EPEL repo
~$ wget http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm ~$ sudo rpm -ivh epel-release-7-8.noarch.rpm ~$ sudo yum repolist
Install OpenVPN and Easy-RSA
~$ sudo yum install openvpn easy-rsa -y
[edit] Configure OpenVPN
Copy example server.conf to openvpn parent dir.
~$ sudo cp /usr/share/doc/openvpn-2.3.14/sample/sample-config-files/server.conf /etc/openvpn/
Edit the config
~$ sudo vi /etc/openvpn/server.conf Comments can be preceded by either # or ; # change to 2048 dh dh2048.pem # redirect ALL traffic - remove ; push "redirect-gateway def1 bypass-dhcp" # specify local DNS server(s) - remove ; and update DNS server ip address push "dhcp-option DNS 10.0.1.2" # start openvpn with no priviledges - uncomment lines user nobody group nobody ==Generate Keys and Certs== Change to root <nowiki>~$ sudo -s
Create directory and copy files
~$ sudo mkdir -p /etc/openvpn/easy-rsa/keys ~$ sudo cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Update Config
~$ sudo vi /etc/openvpn/easy-rsa/vars ... # X509 Subject Field export KEY_NAME="server" . . . export KEY_CN=openvpn.example.com
Begin creation of certificates. You must be root.
~$ sudo -s ~$ cd /etc/openvpn/easy-rsa source ./vars ./clean-all ./build-ca ./build-key-server server ./build-dh
Copy needed files to openvpn dir
~$ cd /etc/openvpn/easy-rsa/keys/ cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Build client certificate and key. Easy client should have unique certs and keys.
~$ cd /etc/openvpn/easy-rsa ../build-key client1
