Today we are going to learn how to install OpenVPN on CentOS 8. First, a short introduction. A VPN (Virtual Private Network) is a technology that lets you create an encrypted network over the Internet. It encrypts your Internet traffic and shields your online identity. It is generally used to connect business networks securely over the Internet and lets you reach a corporate network from anywhere.
In simple terms, a VPN connects your phone, computer or tablet to another computer (the server) over the Internet and routes your Internet access through it.
You then browse using that server's Internet connection and can also reach its local network remotely, bypassing Internet censorship. A VPN has many other advantages; you can search for them if you want to learn more.
So, today we will learn how to install a VPN on our CentOS 8 system so that we can browse securely. Just follow the steps below for an easy installation.
Step 1: Update your system
As usual, update your system by running
sudo yum update && sudo yum upgrade
Step 2: Disable SELinux
After updating the system, disable SELinux before proceeding. Open the file /etc/selinux/config and change the SELINUX line as shown below. The file is only read at boot, so the change takes effect after a reboot.
sudo nano /etc/selinux/config
SELINUX=disabled
Then save the file & exit.
Step 3: Enable IP Forwarding
Now enable IP forwarding in CentOS 8, so that the server accepts packets arriving from VPN clients and forwards them on when their destination is on another network.
To enable IP forwarding, open
sudo nano /etc/sysctl.conf
Then add the following line
net.ipv4.ip_forward = 1
After that, save the file and exit. /etc/sysctl.conf is read at boot, so the setting becomes active after a reboot (or once the sysctl settings are reloaded).
Step 4: Installing OpenVPN Server
If the EPEL repository is already enabled on your system, skip the first command below; otherwise install it with
sudo dnf install epel-release -y
After that, run the following command to install the OpenVPN server (the package comes from EPEL)
sudo dnf install openvpn -y
When the installation has finished, switch to the /etc/openvpn directory and download Easy-RSA, the tool we will use to build the certificate authority (CA) and issue the server and client certificates.
cd /etc/openvpn
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
Then extract the downloaded package.
sudo tar -xvzf EasyRSA-unix-v3.0.6.tgz
And rename the extracted directory
sudo mv EasyRSA-v3.0.6 easy-rsa
Step 5: Configuring Easy RSA
For security, OpenVPN authenticates the server and clients with TLS certificates, so we configure Easy-RSA on our system to act as the certificate authority.
Switch to the /etc/openvpn/easy-rsa directory and create a new vars file
cd /etc/openvpn/easy-rsa
sudo nano vars
Then paste the below content into the file
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "PAKISTAN"
set_var EASYRSA_REQ_PROVINCE "PUNJAB"
set_var EASYRSA_REQ_CITY "MULTAN"
set_var EASYRSA_REQ_ORG "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "osradar EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
Note: Replace the country, province, city and email address with yours. Because EASYRSA_DN is set to cn_only, only the common name is placed in each certificate subject; the other REQ fields are not used.
Save the file & exit.
After that, run the command to initialise the PKI directory.
sudo ./easyrsa init-pki
Now build the CA certificate. You will be asked for a passphrase that protects the CA private key, and for a common name for the CA.
sudo ./easyrsa build-ca
Note: This command creates two files, pki/ca.crt and pki/private/ca.key. ca.crt is copied to the server and to every client so they can verify each other's certificates; ca.key signs the certificate requests in the following steps and stays on this machine.
Step 6: Generating Server Certificate Files
Now run the command to generate the server key pair and certificate request (nopass leaves the server key unencrypted, so the service can start unattended).
sudo ./easyrsa gen-req osradar-server nopass
Step 7: Sign the Server Key Using CA
Now sign the osradar-server request with your CA. The server type gives the certificate the server extended key usage, which distinguishes it from a client certificate.
To do this, run
sudo ./easyrsa sign-req server osradar-server
Then verify that the issued certificate chains to the CA
openssl verify -CAfile pki/ca.crt pki/issued/osradar-server.crt
You will see similar output upon successful configuration.
pki/issued/osradar-server.crt: OK
Now generate the Diffie-Hellman parameters used for key exchange (this takes a while)
sudo ./easyrsa gen-dh
Once all of these are done, copy them to the /etc/openvpn/server/ directory
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/private/osradar-server.key /etc/openvpn/server/
sudo cp pki/issued/osradar-server.crt /etc/openvpn/server/
Step 8: Generating Client Certificate & Key File
Generate the client key and certificate request with
sudo ./easyrsa gen-req client nopass
Now sign the client request with your CA, this time with the client type
sudo ./easyrsa sign-req client client
After that, copy the client files to the /etc/openvpn/client/ directory
sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/
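Before copying these files around, it is worth confirming that each .crt and .key pair belongs together, that the certificate chains to ca.crt, and that a certificate signed with sign-req server really carries the server extended key usage (and a client one the client usage). The following shell script is an added example, not part of this post or of Easy-RSA: it runs those checks with the openssl tool against paths you pass in, and the throw-away CA and server certificate built by make_demo_pki are constructed only to demonstrate them.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run on the files
# easy-rsa produced before they are copied under /etc/openvpn. Paths are passed
# as arguments (pki/ca.crt, pki/issued/*.crt, pki/private/*.key); the CA and
# server certificate built by make_demo_pki are constructed for the demo only.

# Print "match" when the private key's public half equals the certificate's
# public key, i.e. the .crt and .key really belong together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Print the certificate's extended key usage. A request signed with
# "sign-req server" shows "TLS Web Server Authentication"; one signed with
# "sign-req client" shows "TLS Web Client Authentication". A client cert that
# also carried the server usage could pose as the server to other clients.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/Extended Key Usage/ { getline; sub(/^[[:space:]]+/, ""); print; exit }'
}

# Print "valid" when the certificate chains to the CA and is inside its validity period.
cert_chains_to_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# Constructed demo material: a throw-away CA and a server certificate it issues.
make_demo_pki() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
        -subj "/CN=demo CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -out "$d/ca.crt" -days 2 \
        -extfile "$d/ca.ext" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
        -subj "/CN=demo server" >/dev/null 2>&1
    printf 'extendedKeyUsage=serverAuth\n' > "$d/srv.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/srv.crt" -days 1 -extfile "$d/srv.ext" >/dev/null 2>&1
}

# Command-line use: sh check-pki.sh ca.crt osradar-server.crt osradar-server.key
check_pki_files() {
    echo "key/cert: $(key_matches_cert "$2" "$3")"
    echo "chain:    $(cert_chains_to_ca "$1" "$2")"
    echo "eku:      $(cert_eku "$2")"
}

if [ "$#" -eq 3 ]; then
    check_pki_files "$1" "$2" "$3"
fi
```

Run it once for the server pair in pki/issued and pki/private and once for the client pair; a "mismatch" or "invalid" line means a file was copied from the wrong place, and an unexpected extended key usage means the request was signed with the wrong type.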
Step 9: Configuring OpenVPN Server
Create a new config file under /etc/openvpn/server with your favourite editor
sudo nano /etc/openvpn/server/server.conf
Then paste the below content into it.
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/osradar-server.crt
key /etc/openvpn/server/osradar-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
After it save & exit the file.
Step 10: Start OpenVPN Services
Simply run the commands below to start the OpenVPN service and enable it at boot
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server
Make sure the status is active with
systemctl status openvpn-server@server
Upon successful startup, the OpenVPN server creates a new tun0 network interface. Check it by typing the command below (ifconfig belongs to the net-tools package, which CentOS 8 does not install by default)
ifconfig
Step 11: Generating Client Configuration File
To connect to the OpenVPN server from a client system you need a client configuration file. Create it with
sudo nano /etc/openvpn/client/client.ovpn
Then paste the data below into it, replacing vpn-server-ip with the public IP address or hostname of your server.
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Save & exit the file
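Both the server.conf from step 9 and the client.ovpn above set a TLS floor, a data-channel HMAC and a cipher, but they also enable compress lz4 and duplicate-cn and leave out tls-crypt and, on the client, remote-cert-tls server. The shell script below is an added example, not from the original post: it audits an OpenVPN configuration file for exactly those points, treating the server and client cases separately. The configurations it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a small audit of an OpenVPN config
# (server.conf or client.ovpn) for the hardening directives the guide sets and
# for a few it leaves out. Directive names are real OpenVPN options.
# Usage: audit_openvpn_conf /etc/openvpn/server/server.conf

# True when directive $2 appears, uncommented, in config $1.
conf_has() {
    awk -v k="$2" '!/^[[:space:]]*[#;]/ && $1 == k { found = 1 } END { exit !found }' "$1"
}

# Print the arguments of directive $2 in config $1 (first occurrence), or nothing.
conf_get() {
    awk -v k="$2" '!/^[[:space:]]*[#;]/ && $1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Print one finding per line; no output means nothing was flagged.
audit_openvpn_conf() {
    f=$1
    conf_has "$f" tls-version-min || echo "MISSING tls-version-min: add 'tls-version-min 1.2' so old TLS versions are refused"
    conf_has "$f" auth || echo "MISSING auth: add 'auth SHA512' (or another SHA-2 HMAC) for the data channel"
    case "$(conf_get "$f" cipher)" in
        ""|BF-CBC|DES*|RC2*) echo "WEAK cipher: '$(conf_get "$f" cipher)' (use AES-256-GCM)" ;;
    esac
    conf_has "$f" compress && echo "RISK compress: compressing traffic before encryption enables VORACLE-style plaintext recovery; remove it"
    conf_has "$f" duplicate-cn && echo "RISK duplicate-cn: one certificate may be shared by any number of devices; issue one cert per client instead"
    conf_has "$f" tls-crypt || conf_has "$f" tls-auth || echo "MISSING tls-crypt/tls-auth: control channel has no pre-shared HMAC key"
    if conf_has "$f" client; then
        conf_has "$f" remote-cert-tls || echo "MISSING remote-cert-tls server: client does not check that the peer certificate was issued for a server"
    else
        [ "$(conf_get "$f" user)" = nobody ] || echo "PRIVILEGE: server keeps root after startup; add 'user nobody' and 'group nobody'"
    fi
    return 0
}

if [ "$#" -eq 1 ]; then
    audit_openvpn_conf "$1"
fi
```

Run against the two files written in steps 9 and 11, each reports three findings (compress, the missing pre-shared control-channel key, and duplicate-cn or the missing remote-cert-tls respectively); a config with those addressed reports nothing.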
Step 12: Configuring Routing
Allow the service through firewalld by typing
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
Then enable masquerading on the default zone, both now and permanently.
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade
Then NAT the traffic coming from the VPN network out of the server's Internet-facing interface. The first command finds that interface by taking the field after dev in the output of ip route get (counting fields from the end breaks on newer iproute2 versions, which append a uid field):
osradar=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$osradar" -j MASQUERADE
Reload the firewall to apply the changes
firewall-cmd --reload
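Whether clients can reach the Internet through the tunnel depends on two things from this step and step 3: net.ipv4.ip_forward really being 1, and the MASQUERADE rule naming the right outbound interface. The shell functions below are an added example, not part of the original post: one reads the interface name from ip route get output by looking for the field after dev, one keeps the positional $(NF-2) variant only to show where it goes wrong once iproute2 appends a uid field, and one checks the forwarding flag. ROUTE_OLD and ROUTE_NEW are constructed sample outputs with made-up addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the routing step and
# the IP forwarding step. ROUTE_OLD and ROUTE_NEW are constructed samples of
# "ip route get 8.8.8.8" output; the interface names and addresses are made up.

# Read "ip route get" output on stdin and print the interface named after "dev".
egress_dev_from_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Positional variant ($(NF-2)) seen in some guides, kept only to show how it breaks.
egress_dev_by_position() {
    awk 'NR == 1 { print $(NF - 2) }'
}

# True when forwarding is on. $1 overrides the file to read (default: live kernel value).
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Constructed samples: iproute2 output before and after it started appending "uid N".
ROUTE_OLD='8.8.8.8 via 192.0.2.1 dev eth0  src 192.0.2.10
    cache'
ROUTE_NEW='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0
    cache'

# Live use on the server (needs the ip tool and root for firewall-cmd):
#   ip_forward_enabled || echo "net.ipv4.ip_forward is 0: clients will not reach the Internet"
#   OUT_IF=$(ip route get 8.8.8.8 | egress_dev_from_route)
#   firewall-cmd --permanent --direct --passthrough ipv4 -t nat \
#       -A POSTROUTING -s 10.8.0.0/24 -o "$OUT_IF" -j MASQUERADE
```

On the newer output format the positional variant returns the source address (192.0.2.10 in the sample) instead of eth0, so the MASQUERADE rule would be installed for a non-existent interface and tunnelled traffic would never be translated.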
Step 13: Use OpenVPN from Clients
To use OpenVPN from the client machine, install the OpenVPN package with the following commands
dnf install epel-release -y
dnf install openvpn -y
After that, copy the OpenVPN client files (ca.crt, client.crt, client.key and client.ovpn) from the server to the client system.
Run the following command on the client system
scp -r root@vpn-server-ip:/etc/openvpn/client .
When it has finished, switch to the client directory and start the connection with
cd client
openvpn --config client.ovpn
When the connection succeeds, OpenVPN assigns your system an IP address from the 10.8.0.0/24 range. Verify it with
ifconfig tun0
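Instead of copying the whole /etc/openvpn/client directory with scp -r, the CA certificate, client certificate and client key can be embedded in the .ovpn itself using OpenVPN's inline <ca>, <cert> and <key> blocks, so a single file is handed to the client. The shell script below is an added example, not part of the original post; it assumes the four files produced in steps 8 and 11 and writes the combined profile to standard output.

```shell
#!/bin/sh
# Added example, not part of the original post: build a single client .ovpn
# with ca.crt, client.crt and client.key embedded, using OpenVPN's inline
# <ca>/<cert>/<key> syntax, so one file (instead of a directory) goes to the
# client. Input files are assumed to be the ones produced in steps 8 and 11.

# Print file $2 wrapped in <$1> ... </$1>, making sure the closing tag starts on
# its own line even when the PEM file has no trailing newline.
emit_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    [ -z "$(tail -c 1 "$2")" ] || printf '\n'
    printf '</%s>\n' "$1"
}

# Arguments: base client config, ca.crt, client.crt, client.key. Writes to stdout.
build_inline_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4
    # Copy every directive except the ca/cert/key file references being inlined.
    grep -Ev '^[[:space:]]*(ca|cert|key)([[:space:]]|$)' "$base" || :
    emit_block ca "$ca"
    emit_block cert "$cert"
    emit_block key "$key"
}

# Typical use on the server after step 11. The result contains the client's
# private key, so keep it mode 0600 and move it over an authenticated channel:
#   build_inline_ovpn /etc/openvpn/client/client.ovpn /etc/openvpn/client/ca.crt \
#       /etc/openvpn/client/client.crt /etc/openvpn/client/client.key > client-inline.ovpn
#   chmod 600 client-inline.ovpn
if [ "$#" -eq 4 ]; then
    build_inline_ovpn "$1" "$2" "$3" "$4"
fi
```

The client then runs openvpn --config client-inline.ovpn with no separate certificate files beside it.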
So, this is how you can configure and install the OpenVPN server and client on CentOS 8.
This is working fine, but I'm unable to access the internet after connecting to OpenVPN. Any idea on this?
Thanks
Step 2: Disable SELinux
…
No, thanks!