When you have all these ingredients we can start setting up the OpenVPN
server. Follow the guide carefully; you can copy and paste the commands
below for ease of installation and configuration.
First we install the EPEL repository (Extra Packages for Enterprise Linux), a
community-maintained add-on repository from the Fedora project that carries
the OpenVPN and Easy-RSA packages we need.
yum install epel-release
Now we install the OpenVPN and Easy-RSA packages. Easy-RSA is a set of wrapper
scripts around OpenSSL that makes generating the certificate authority, the
server certificate and the client certificates easier.
yum install openvpn easy-rsa
We will need to create a folder so we can store the keys and certificates that
we will generate later.
mkdir -p /etc/openvpn/easy-rsa/keys
Next, we will copy the certificate generation scripts from their default
location to our OpenVPN folder.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Go to the easy-rsa directory and source the variables file (it sets the key
size and the default certificate fields used by the scripts below).
cd /etc/openvpn/easy-rsa
source ./vars
Then clean out any existing keys and certificates and generate the new
certificate authority. Note that clean-all empties the keys directory, so run
it only on this initial setup, never later on a CA that has already issued
certificates.
./clean-all
When building the certificate authority you will be asked for information
such as the country, organization and department. Fill in your details, or
press Enter to accept the defaults from the vars file.
./build-ca
Next, generate the key and certificate for the OpenVPN server. You will be
asked the same questions as before, which you can fill in or accept by
pressing Enter. The command below creates the files under the base name
server. After entering your details you will be asked whether to sign the
certificate, and then whether to commit it; answer "y" to both.
./build-key-server server
We also need a Diffie-Hellman parameter file. How long this takes depends on
the parameter length; the default is 2048 bits, which comes from the KEY_SIZE
setting in the vars file and can be changed there before running the
command. Generation may take a minute or two.
./build-dh
Since this guide is about OpenVPN authentication with client certificates,
we also need to generate a certificate for the client; without it, the client
cannot authenticate to the OpenVPN server. The client's private key is the
credential, so keep it safe and never hand your own key and certificate to
someone else. If other people should use your OpenVPN server, issue each of
them their own certificate with the command below; that way one person's
certificate can later be revoked without affecting the others. For this
guide we create a certificate for "John".
./build-key john
This produces john.key (the private key) and john.crt (the certificate).
After the above commands, the folder /etc/openvpn/easy-rsa/keys contains the
following keys and certificates:
server.key
server.crt
john.key
john.crt
ca.crt
ca.key
dh2048.pem
Download john.key, john.crt and ca.crt for use by the OpenVPN client. ca.key
is the private key of your certificate authority and must never be copied
to a client: anyone holding it can issue certificates that your server will
accept. The server itself only needs ca.crt, so ca.key can be kept offline.
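Before copying anything to a client it is worth checking what Easy-RSA produced: that each certificate really chains to ca.crt, that each private key belongs to its certificate, and that only server.crt carries the TLS server purpose (build-key-server sets extendedKeyUsage serverAuth, build-key does not; a client whose certificate also passed as a server certificate could impersonate the VPN to other clients). The script below is an added example, not part of the original guide, and uses only the openssl command line. The file names and directory layout are the guide's; the script name check_pki.sh, the function names and the test PKI it builds with plain openssl when run without arguments (constructed data standing in for the Easy-RSA output) are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check what Easy-RSA
# produced before copying anything to a client.
#   sh check_pki.sh /etc/openvpn/easy-rsa/keys john
# Without arguments it builds a throwaway PKI with plain openssl (constructed
# test data standing in for the Easy-RSA output) and checks that instead.
set -u

# Does the certificate chain to ca.crt?
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Both commands print the
# public key in the same PEM form, so the two outputs must be identical.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Was the certificate issued for TLS server use (extendedKeyUsage serverAuth)?
# build-key-server sets this and build-key does not; it is what a client's
# "remote-cert-tls server" directive checks.
cert_is_server() {
    openssl x509 -noout -purpose -in "$1" 2>/dev/null | grep -q '^SSL server : Yes'
}

# check_keys DIR CLIENT: run every check on the server pair and on CLIENT's
# pair in DIR. Prints one line per failure, returns non-zero if any failed.
check_keys() {
    dir="$1"; client="$2"; rc=0
    for name in server "$client"; do
        cert_signed_by_ca "$dir/ca.crt" "$dir/$name.crt" ||
            { echo "$name.crt is not signed by ca.crt"; rc=1; }
        key_matches_cert "$dir/$name.crt" "$dir/$name.key" ||
            { echo "$name.key does not match $name.crt"; rc=1; }
    done
    cert_is_server "$dir/server.crt" ||
        { echo "server.crt was not built with build-key-server"; rc=1; }
    # A client certificate that also passes as a server certificate would let
    # that client impersonate the VPN to every other client.
    if cert_is_server "$dir/$client.crt"; then
        echo "$client.crt is usable as a server certificate"; rc=1
    fi
    return $rc
}

# make_test_pki DIR: CA, server pair and client pair made with plain openssl,
# with the same extensions Easy-RSA's build-key-server and build-key apply.
# Runs in a subshell so the cd does not leak into the caller.
make_test_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test VPN CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > john.ext
    for name in server john; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
        openssl x509 -req -days 30 -in "$name.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -extfile "$name.ext" -out "$name.crt" 2>/dev/null || exit 1
    done
)

if [ $# -gt 0 ]; then
    check_keys "$1" "${2:-john}"
else
    tmp=$(mktemp -d) || exit 1
    make_test_pki "$tmp" && check_keys "$tmp" john && echo "test PKI passed all checks"
    rm -rf "$tmp"
fi
```

A clean run prints nothing for the real keys directory and exits 0; each failure is one line naming the file. The same key-matches-certificate check is useful again later on the client, where a mixed-up john.key from another user is a common reason for a TLS handshake that never completes.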
CONFIGURING OPENVPN
We will now configure the OpenVPN server. First, create a configuration file
named server.conf
nano /etc/openvpn/server.conf
Then fill in the file with the basic configuration below. For more
information on the options, see man openvpn.
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# run as a multi-client server and hand clients addresses from this pool
# (the same 10.11.0.0/24 that the NAT rule in the next step translates)
server 10.11.0.0 255.255.255.0
persist-key
persist-tun
keepalive 10 60
reneg-sec 0
comp-lzo
tun-mtu 1468
tun-mtu-extra 32
mssfix 1400
push "persist-key"
push "persist-tun"
status /etc/openvpn/443.log
verb 3
Two of these lines trade security for convenience. reneg-sec 0 turns off
periodic key renegotiation (the default is every 3600 seconds), so a
connection keeps the same session keys for its whole lifetime. comp-lzo
enables compression, which lets an attacker who can inject data into the
tunnel learn secrets from the compressed size (the VORACLE attack); unless
you need it, leave comp-lzo out here and comp-lzo yes out of the client file.
Also note that clients only send their internet traffic through the tunnel
if the server tells them to, with push "redirect-gateway def1" (usually
together with a push "dhcp-option DNS ..." line so name resolution keeps
working); the NAT rule in the next step only sees traffic that actually
arrives through the tunnel.
We also need a NAT rule so that traffic from the clients leaves the server
with the server's own address. Replace $serverip with your server's public
IP address; 10.11.0.0/24 is the address pool the VPN hands out to clients.
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -j SNAT --to-source $serverip
iptables-save
On its own, iptables-save only prints the running rules. To keep the rule
across reboots, redirect that output to the file your init system restores
from, which is /etc/sysconfig/iptables when the iptables service is in use
on CentOS.
Next, edit sysctl.conf to enable packet forwarding, since the server has to
route between the tunnel and its network interface. Open /etc/sysctl.conf
and add the line
net.ipv4.ip_forward=1
then apply it with
sysctl -p
Afterwards, cat /proc/sys/net/ipv4/ip_forward should print 1.
Now that the OpenVPN server is set up, we will connect a client to it.
CONFIGURING CLIENT
john.key
john.crt
ca.crt
We need these files to connect to the OpenVPN server. Put the three files in
the same folder as the .ovpn file created below. Copy the configuration
below and save it as client.ovpn; replace $serverip with the IP address of
your OpenVPN server.
client
dev tun
proto tcp
# address and port of the server; 443/tcp is what server.conf listens on
remote $serverip 443
resolv-retry infinite
route-delay 2
pull
nobind
# accept only a certificate issued with build-key-server as the peer, so the
# holder of another client certificate from the same CA cannot pose as the server
remote-cert-tls server
comp-lzo yes
ca ca.crt
cert john.crt
key john.key
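Shipping four files to every user is error-prone, and a key that ends up in the wrong folder is the usual cause of a client that cannot connect. As an added example that is not part of the original guide, the script below builds the client profile as a single file: it writes the configuration above with ca.crt, john.crt and john.key inlined in <ca>, <cert> and <key> blocks, which OpenVPN accepts in place of the ca/cert/key file directives, and includes remote-cert-tls server. The server IP, user name and keys directory are parameters; the script name make_profile.sh, the function names and the 203.0.113.10 placeholder address are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: build a single-file client
# profile with ca.crt, john.crt and john.key inlined, so the client needs one
# file instead of four.
#   sh make_profile.sh 203.0.113.10 john /etc/openvpn/easy-rsa/keys > john.ovpn
# (203.0.113.10 is a placeholder for the server's address.)
set -u

# Print one inline block, e.g. <ca> ... </ca>, from a PEM file. OpenVPN accepts
# these in place of the ca/cert/key file directives.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_client_profile SERVER_IP USER KEYS_DIR: the profile on stdout, or a
# message on stderr and non-zero status if a needed file is missing.
make_client_profile() {
    server_ip="$1"; user="$2"; keys="$3"
    for f in "$keys/ca.crt" "$keys/$user.crt" "$keys/$user.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto tcp
remote $server_ip 443
resolv-retry infinite
route-delay 2
nobind
# accept only a certificate issued with build-key-server as the server, so
# another client certificate from the same CA cannot impersonate it
remote-cert-tls server
# must match the server's comp-lzo setting; drop on both sides if unused
comp-lzo yes
EOF
    inline_block ca "$keys/ca.crt"
    inline_block cert "$keys/$user.crt"
    inline_block key "$keys/$user.key"
}

if [ $# -eq 3 ]; then
    make_client_profile "$1" "$2" "$3"
fi
```

The resulting .ovpn contains the user's private key, so move it to the client over an authenticated channel such as scp, set its permissions so only that user can read it, and delete the copy left on the server once it has been delivered.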