How to Install OpenVPN Server and Client with Easy-RSA 3 on CentOS 7

OpenVPN is an open-source application for creating a secure private network over the public internet. It uses the OpenSSL library for encryption and supports several authentication mechanisms, such as certificate-based, pre-shared key, and username/password authentication.

In this tutorial, we will show you step by step how to install and configure OpenVPN on CentOS 7.6, and we will implement certificate-based OpenVPN authentication.

Prerequisites

  • CentOS 7.6
  • Root privileges

What will we do?

  1. Install OpenVPN and Easy-RSA
  2. Configure Easy-RSA 3 Vars
  3. Build OpenVPN Keys
  4. Configure OpenVPN Server
  5. Configure Firewalld and Enable Port Forwarding
  6. Client Setup
  7. Testing

Step 1 - Install OpenVPN and Easy-RSA

In this tutorial, we will be using the latest version of CentOS server (7.5) with OpenVPN 2.4 and easy-rsa 3. Before installing the OpenVPN and easy-rsa packages, make sure the 'epel' repository is installed on the system. If you don't have it, install the epel repository using the yum command below.

yum install epel-release -y

Now install OpenVPN 2.4 with easy-rsa 3 on the system.

yum install openvpn easy-rsa -y

When the installation is complete, check the OpenVPN and easy-rsa versions.

openvpn --version
ls -lah /usr/share/easy-rsa/

OpenVPN 2.4 with easy-rsa 3 has been installed.

Step 2 - Configure Easy-RSA 3

In this step, we will configure easy-rsa 3 by creating a new 'vars' file. The 'vars' file contains the Easy-RSA 3 settings.

Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' directory into it.

cd /etc/openvpn/
cp -r /usr/share/easy-rsa /etc/openvpn/

Now go to the 'easy-rsa/3/' directory and create a new 'vars' file using vim.

cd /etc/openvpn/easy-rsa/3/
vim vars

Paste the vars easy-rsa 3 configuration below.

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "ID"
set_var EASYRSA_REQ_PROVINCE    "Jakarta"
set_var EASYRSA_REQ_CITY        "Jakarta"
set_var EASYRSA_REQ_ORG         "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"

Save and exit.

Note:

  • Change the values of the variables as you need.
  • Increase 'EASYRSA_KEY_SIZE' for better security.
  • Adjust 'EASYRSA_CA_EXPIRE' and 'EASYRSA_CERT_EXPIRE' (lifetimes in days) to suit your policy.

Now make the 'vars' file executable by changing the permission of the file.

chmod +x vars

The vars file with the Easy-RSA 3 settings has been created.

Step 3 - Build OpenVPN Keys

In this step, we will build the OpenVPN keys based on the easy-rsa 3 'vars' file that we've created. We will build the CA key, the server and client keys, the DH parameters and the CRL PEM file.

We will build all those keys using the 'easyrsa' command line. Go to the '/etc/openvpn/easy-rsa/3' directory.

cd /etc/openvpn/easy-rsa/3/

Initialization and Build CA

Before building any keys, we need to initialize the PKI directory and build the CA key.

Initialize the PKI directory and build the CA key using the commands below.

./easyrsa init-pki
./easyrsa build-ca

Now enter a passphrase for your CA key. The 'ca.crt' certificate is written under the 'pki' directory and the 'ca.key' private key under 'pki/private/'.

Build Server Key

Now we will build the server key, which we will name 'hakase-server'.

Build the server key 'hakase-server' using the command below.

./easyrsa gen-req hakase-server nopass

Note:

  • nopass: do not protect the 'hakase-server' private key with a passphrase.

Now sign the 'hakase-server' certificate request with our CA.

./easyrsa sign-req server hakase-server

You will be asked for the CA password; type it and press Enter. The 'hakase-server.crt' certificate file will be created under the 'pki/issued/' directory.

Verify the certificate file using the OpenSSL command and make sure there is no error.

openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt

The server key and certificate have been created. The server private key is located at 'pki/private/hakase-server.key', and the server certificate at 'pki/issued/hakase-server.crt'.

Build Client Key

Now we need to build the keys for the client. We will generate a new client key named 'client01'.

Generate the 'client01' key using the command below.

./easyrsa gen-req client01 nopass

Now sign the 'client01' certificate request with our CA as shown below.

./easyrsa sign-req client client01

Type 'yes' to confirm the client certificate request, then type the CA password.

The client certificate named 'client01' has been generated. Verify it against the CA using the openssl command.

openssl verify -CAfile pki/ca.crt pki/issued/client01.crt

Build Diffie-Hellman Key

This step can take a long time, depending on the key size chosen and the available entropy on the server. The DH parameters use the key size defined by 'EASYRSA_KEY_SIZE' in the 'vars' file.

Generate the Diffie-Hellman parameters using the command below.

./easyrsa gen-dh

The DH parameters have been generated as 'dh.pem' in the 'pki' directory.

Optional: Generate the CRL Key

The CRL (Certificate Revocation List) is used to revoke client certificates. If you have multiple client certificates on your VPN server and want to revoke one of them, you only need to revoke it with the easy-rsa command and regenerate the CRL.

To revoke a certificate (here one named 'someone'), run the command below.

./easyrsa revoke someone

Then generate the CRL file.

./easyrsa gen-crl

The CRL PEM file 'crl.pem' has been generated under the 'pki' directory. Since the server configuration in Step 4 uses 'crl-verify', run 'gen-crl' at least once, even with nothing revoked, so that 'crl.pem' exists for the server to check against; rerun it after every revocation and copy the new file to the server.

Copy Certificates Files

All certificates have been generated. Now copy the certificate, key and PEM files into the OpenVPN server and client directories.

Copy Server Key and Certificate.

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/

Copy client01 Key and Certificate.

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client01.crt /etc/openvpn/client/
cp pki/private/client01.key /etc/openvpn/client/

Copy the DH parameters and the CRL file.

cp pki/dh.pem /etc/openvpn/server/
cp pki/crl.pem /etc/openvpn/server/

Step 4 - Configure OpenVPN

In this step, we will create a new configuration file 'server.conf' for the OpenVPN server.

Go to the '/etc/openvpn/' directory and create the new configuration file 'server.conf' using vim.

cd /etc/openvpn/
vim server.conf

Paste the following OpenVPN server configuration there.

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

# DH parameters and CRL file
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.10.1.0 255.255.255.0
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

# Allow multiple clients to connect using the same certificate and key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

Save and exit.

The configuration for OpenVPN has been created.

Step 5 - Enable Port-Forwarding and Configure Routing Firewalld

In this step, we will enable IP forwarding in the kernel and configure Firewalld to route and NAT the OpenVPN traffic.

Enable IP forwarding by running the following commands.

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

Next, configure Firewalld routing for OpenVPN.

Add the 'openvpn' service to the firewalld default zone and add the 'tun0' interface to the firewalld 'trusted' zone.

firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0

Enable masquerading on the firewalld 'trusted' zone.

firewall-cmd --permanent --zone=trusted --add-masquerade

Enable NAT (masquerading) for the OpenVPN internal network '10.10.1.0/24' on the server's outbound interface. The first command looks up the interface that the route to 84.200.69.80 leaves through; the '-o' option of the iptables rule expects an interface name, not an IP address.

OUTIF=$(ip route get 84.200.69.80 | awk 'NR==1 {for (i=1; i<=NF; i++) if ($i == "dev") print $(i+1)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.10.1.0/24 -o $OUTIF -j MASQUERADE

Reload firewalld to apply the permanent rules.

firewall-cmd --reload

IP forwarding and the Firewalld routing are now configured. Start the OpenVPN service and enable it to launch automatically at every system boot.

systemctl start openvpn@server
systemctl enable openvpn@server

Check it using the commands below ('netstat' comes from the 'net-tools' package; 'ss -plntu' works without it).

netstat -plntu
systemctl status openvpn@server

The OpenVPN server is up and running on UDP port '1194'.

Step 6 - OpenVPN Client Setup

Go to the '/etc/openvpn/client' directory and create a new OpenVPN client configuration file 'client01.ovpn' using vim.

cd /etc/openvpn/client
vim client01.ovpn

Paste the following OpenVPN client configuration there.

client
dev tun
proto udp

remote 139.xx.xx.xx 1194

ca ca.crt
cert client01.crt
key client01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save and exit.
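The client and server must agree on 'proto', 'cipher', 'auth', 'tls-version-min' and 'tls-cipher', and the client's 'remote' port must match the server's 'port'. The following Python lint is an added example, not part of the tutorial: it parses two constructed configs built from the values above (the 'remote' host is a placeholder) and reports mismatches, plus two settings worth reviewing: the tutorial's 'duplicate-cn', and the absence of 'remote-cert-tls server', which the tutorial does not set but which makes the client refuse a certificate signed for the 'client' role posing as the server.

```python
# Constructed from the tutorial's configs (not the original files); 'remote' host is a placeholder.
SERVER_CONF = """\
port 1194
proto udp
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
"""
CLIENT_CONF = """\
client
proto udp
remote 203.0.113.10 1194
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
"""
# Directives whose values must agree on both ends of the tunnel.
MUST_MATCH = ("proto", "cipher", "auth", "tls-version-min", "tls-cipher")

def parse_openvpn_conf(text):
    # Map each directive to the list of argument strings given for it.
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment lines
            continue
        name, _, args = line.partition(" ")
        conf.setdefault(name, []).append(args.strip())
    return conf

def lint(server_text, client_text):
    # Return a list of findings; an empty list means nothing was detected.
    srv, cli = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    findings = [f"mismatch {d}: server={srv.get(d)} client={cli.get(d)}"
                for d in MUST_MATCH if srv.get(d) != cli.get(d)]
    # The client's 'remote <host> <port>' must point at the server's 'port'.
    remote = cli.get("remote", [""])[0].split()
    if len(remote) < 2 or remote[1] != srv.get("port", [""])[0]:
        findings.append("client remote port does not match server port")
    # Without 'remote-cert-tls server' the client would accept any CA-signed
    # certificate, including another client's, as the server.
    if cli.get("remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server'")
    if "duplicate-cn" in srv:  # several devices may share one client key
        findings.append("server allows duplicate-cn (shared client keys)")
    return findings
```

Run `lint(open("server.conf").read(), open("client01.ovpn").read())` against your real files; the tutorial's pair yields only the 'remote-cert-tls' and 'duplicate-cn' findings.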

Now compress the '/etc/openvpn/client' directory into a 'zip' or 'tar.gz' file and download the compressed file to your local computer using scp.

Compress the '/etc/openvpn/client' directory into the 'client01.tar.gz' file.

cd /etc/openvpn/
tar -czvf client01.tar.gz client/*

Then download it from your local computer using scp.

scp [email protected]:/etc/openvpn/client01.tar.gz .

Step 7 - Testing OpenVPN

Testing on the Clients.

On Linux

Install the OpenVPN package and, if you want GUI configuration, the OpenVPN NetworkManager plugin (the command below is for Debian/Ubuntu).

sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome -y

If you want to connect using a terminal shell, run the OpenVPN command below.

sudo openvpn --config client01.ovpn

When you're connected to OpenVPN, open a new terminal tab and check the connection using the curl command.

curl ifconfig.io

The output should show the OpenVPN server's IP address.

On Mac OS

Download Tunnelblick and install it.

Extract the 'client01.tar.gz' file and rename the 'client' directory to 'client01.tblk'.

tar -xzvf client01.tar.gz
mv client client01.tblk

Double-click 'client01.tblk'; Tunnelblick will detect the OpenVPN configuration and import it.

Now connect through the Tunnelblick icon in the menu bar.

On Windows

Download the OpenVPN client for Windows and import the configuration.
