Last time I was looking to install OpenVPN at my work. I checked many tutorials, many methods and many packages, and finally I found this wonderful script on GitHub. A really cool piece of work, and big thanks to the developer.
Let me start by telling you about my environment:
OpenVPN server: CentOS 7.5
Hostname: osradar.com.local
IP: 192.168.2.96
OpenVPN client: Debian 9.4
Hostname: osradar.com.debian
IP: 192.168.2.161
Let's start the article: how to install an OpenVPN server on CentOS 7.
First, download the OpenVPN install script from git.io (it redirects to the Nyr/openvpn-install repository on GitHub) and run it:
[root@osradar ~]# wget https://git.io/vpn -O openvpn-install.sh
--2018-07-02 18:27:20-- https://git.io/vpn
Resolving git.io (git.io)... 54.209.18.85, 54.174.44.191, 54.209.64.71, ...
Connecting to git.io (git.io)|54.209.18.85|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2018-07-02 18:27:20-- https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.36.133
Connecting to raw.github.com (raw.github.com)|151.101.36.133|:443... connected.
Run the bash script:
bash openvpn-install.sh
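The script is fetched through a git.io redirect and then executed as root. As an added example (not part of the original post or of the openvpn-install project), here is a small wrapper that downloads the script and runs it only if its SHA-256 matches a value you obtained separately, for instance from a copy of the script you already reviewed. EXPECTED_SHA256 is a placeholder; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or the openvpn-install project:
# download the installer, then refuse to run it unless its SHA-256 matches a
# digest you obtained out of band. EXPECTED_SHA256 is a placeholder value.

EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# sha256_of FILE: print the hex digest (coreutils sha256sum or BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED: exit status 0 only when the digest matches
verify_script() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# fetch_and_run URL DEST EXPECTED: download, verify, and only then execute
fetch_and_run() {
    wget -q "$1" -O "$2" || { echo "download of $1 failed" >&2; return 1; }
    if verify_script "$2" "$3"; then
        bash "$2"
    else
        echo "refusing to run $2: SHA-256 mismatch" >&2
        echo "  expected: $3" >&2
        echo "  actual:   $(sha256_of "$2")" >&2
        return 1
    fi
}

# Usage (commented out so the file can be sourced without side effects):
# fetch_and_run https://git.io/vpn openvpn-install.sh "$EXPECTED_SHA256"
```

The digest has to come from somewhere other than the download itself, otherwise the check only proves the file arrived intact, not that it is the file you reviewed.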
Now you have to answer a few questions to set up your VPN server correctly.
Make sure the correct IP is detected and inserted automatically.
If you get an extra prompt asking for the public IP because your server is behind NAT, enter it there; if that is not your case, just leave it empty.
Now choose the protocol to use; I keep the recommended UDP (option 1) and press Enter:
Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 1
Keep the standard port, 1194:
What port do you want OpenVPN listening to?
Port: 1194
Use the Google DNS servers:
Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1-5]: 3
Choose a name for the client certificate; in my case it is called client:
Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: client
Now press Enter to start the installation:
Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 32 kB 00:00:00
 * base: mirror.ams1.nl.leaseweb.net
 * elrepo: mirrors.coreix.net
 * epel: mirrors.coreix.net
 * extras: mirror.ams1.nl.leaseweb.net
 * updates: mirror.ams1.nl.leaseweb.net
epel | 3.2 kB 00:00:00
(1/3): epel/x86_64/group_gz | 88 kB 00:00:00
(2/3): epel/x86_64/updateinfo | 927 kB 00:00:00
(3/3): epel/x86_64/primary | 3.5 MB 00:00:00
epel 12608/12608
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.ams1.nl.leaseweb.net
 * elrepo: mirrors.coreix.net
 * epel: mirror.de.leaseweb.net
 * extras: mirror.ams1.nl.leaseweb.net
 * updates: mirror.ams1.nl.leaseweb.net
Package iptables-1.4.21-24.1.el7_5.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-12.el7.x86_64 already installed and latest version
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openvpn.x86_64 0:2.4.6-1.el7 will be installed
--> Processing Dependency: libpkcs11-helper.so.1()(64bit) for package: openvpn-2.4.6-1.el7.x86_64
--> Running transaction check
---> Package pkcs11-helper.x86_64 0:1.11-3.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================
 Package              Arch        Version            Repository    Size
======================================================================================================================
Installing:
 openvpn              x86_64      2.4.6-1.el7        epel          518 k
Installing for dependencies:
 pkcs11-helper        x86_64      1.11-3.el7         epel           56 k

Transaction Summary
======================================================================================================================
Install 1 Package (+1 Dependent package)

Total download size: 574 k
Installed size: 1.3 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/openvpn-2.4.6-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for openvpn-2.4.6-1.el7.x86_64.rpm is not installed
(1/2): openvpn-2.4.6-1.el7.x86_64.rpm | 518 kB 00:00:00
(2/2): pkcs11-helper-1.11-3.el7.x86_64.rpm | 56 kB 00:00:00
----------------------------------------------------------------------------------------------------------------------
Total 1.2 MB/s | 574 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package : epel-release-7-11.noarch (@extras)
 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Installing : pkcs11-helper-1.11-3.el7.x86_64 1/2
 Installing : openvpn-2.4.6-1.el7.x86_64 2/2
 Verifying : pkcs11-helper-1.11-3.el7.x86_64 1/2
 Verifying : openvpn-2.4.6-1.el7.x86_64 2/2

Installed:
 openvpn.x86_64 0:2.4.6-1.el7

Dependency Installed:
 pkcs11-helper.x86_64 0:1.11-3.el7

Complete!
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Generating a 2048 bit RSA private key
.......................+++
.............................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.GI75Zi700x'
-----
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............+...+.............................+...............................+...................................................+................................+.............................+.............................................................................+............................+............................................................................................+.................................................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Generating a 2048 bit RSA private key
........................+++
...........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.9t5t1ZJKWW'
-----
Using configuration from ./openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jun 29 22:47:39 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generating a 2048 bit RSA private key
...................................................+++
...........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.vx8ObymU8Y'
-----
Using configuration from ./openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Jun 29 22:47:39 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Using configuration from ./openssl-easyrsa.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
645
success
success
success
success
success
success
453
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service to /usr/lib/systemd/system/openvpn-server@.service.

Finished!

Your client configuration is available at: /root/client.ovpn
If you want to add more clients, you simply need to run this script again!
Important:
Make sure that UDP port 1194 is allowed through firewalld:
[root@osradar ~]# firewall-cmd --permanent --add-port=1194/udp
success
[root@osradar ~]# firewall-cmd --reload
The client configuration is available at /root/client.ovpn; that is the file you use on the other machine.
Copy the client configuration file, which carries the client certificate, from the server to the client (192.168.2.161):
[root@osradar ~]# scp /root/client.ovpn root@192.168.2.161:/root
The authenticity of host '192.168.2.161 (192.168.2.161)' can't be established.
ECDSA key fingerprint is SHA256:+ONW5xo/70jQbrkNXmrHivMzv1IpXgl2EwgwluY3clo.
ECDSA key fingerprint is MD5:b6:c6:5e:d7:bd:dc:10:0a:26:99:af:50:ad:4e:3f:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.161' (ECDSA) to the list of known hosts.
root@192.168.2.161's password:
client.ovpn 100% 8219 4.1MB/s 00:00
[root@osradar ~]
The OpenVPN client configuration
Install OpenVPN on Debian/Ubuntu/Mint:
apt-get install openvpn
SUSE/openSUSE:
zypper in openvpn
Red Hat/CentOS/Fedora:
yum install openvpn
Use the VPN config file you copied over to connect to the server with the command below:
openvpn --config /root/client.ovpn
Wed Jul 4 15:34:29 2018 Unrecognized option or missing or extra parameter(s) in /root/client.ovpn:15: block-outside-dns (2.4.0)
Wed Jul 4 15:34:29 2018 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Jul 4 15:34:29 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Wed Jul 4 15:34:29 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jul 4 15:34:29 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jul 4 15:34:29 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.98:1194
Wed Jul 4 15:34:29 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 4 15:34:29 2018 UDP link local: (not bound)
Wed Jul 4 15:34:29 2018 UDP link remote: [AF_INET]192.168.2.98:1194
Wed Jul 4 15:34:29 2018 TLS: Initial packet from [AF_INET]192.168.2.98:1194, sid=aa7b5176 68f216e4
Wed Jul 4 15:34:29 2018 VERIFY OK: depth=1, CN=ChangeMe
Wed Jul 4 15:34:29 2018 Validating certificate key usage
Wed Jul 4 15:34:29 2018 ++ Certificate has key usage 00a0, expects 00a0
Wed Jul 4 15:34:29 2018 VERIFY KU OK
Wed Jul 4 15:34:29 2018 Validating certificate extended key usage
Wed Jul 4 15:34:29 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 4 15:34:29 2018 VERIFY EKU OK
Wed Jul 4 15:34:29 2018 VERIFY OK: depth=0, CN=server
Wed Jul 4 15:34:29 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 4 15:34:29 2018 [server] Peer Connection Initiated with [AF_INET]192.168.2.98:1194
Wed Jul 4 15:34:30 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 4 15:34:30 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: route options modified
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: route-related options modified
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: peer-id set
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jul 4 15:34:30 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 4 15:34:30 2018 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 4 15:34:30 2018 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 4 15:34:30 2018 ROUTE_GATEWAY 192.168.2.254/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:b3:55:7a
Wed Jul 4 15:34:30 2018 TUN/TAP device tun0 opened
Wed Jul 4 15:34:30 2018 TUN/TAP TX queue length set to 100
Wed Jul 4 15:34:30 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 4 15:34:30 2018 /sbin/ip link set dev tun0 up mtu 1500
Wed Jul 4 15:34:30 2018 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Wed Jul 4 15:34:30 2018 /sbin/ip route add 192.168.2.98/32 dev enp0s3
Wed Jul 4 15:34:30 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Wed Jul 4 15:34:30 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Wed Jul 4 15:34:30 2018 Initialization Sequence Completed
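The log above shows what makes this connection trustworthy: the server certificate is checked for the TLS Web Server Authentication EKU, the control channel is authenticated with SHA512 and the data channel uses AES-256-GCM. The first line is a warning about block-outside-dns, an option that only the Windows client implements; OpenVPN on Linux reports it as unrecognized and carries on. As an added example, not from the original post or the openvpn-install project, the following script checks a client profile for those settings before you hand it to openvpn --config. The list of checks is this example's own choice, and the embedded sample profile is constructed with placeholder certificate material.

```shell
#!/bin/sh
# Added example, not from the original post or the openvpn-install project.
# check_profile FILE prints one line per finding and returns the number of
# problems found (0 means every check passed). Option names are OpenVPN 2.4
# client options; which ones to require is this example's own choice.

check_profile() {
    f=$1
    problems=0

    # 1. Without "remote-cert-tls server", any certificate signed by the same
    #    CA (for example another client's) would be accepted as the server.
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$f" \
        || { echo "missing: remote-cert-tls server"; problems=$((problems + 1)); }

    # 2. The TLS control channel should be wrapped with tls-crypt or tls-auth.
    grep -Eq '^[[:space:]]*(tls-crypt|tls-auth|<tls-crypt>|<tls-auth>)' "$f" \
        || { echo "missing: tls-crypt or tls-auth"; problems=$((problems + 1)); }

    # 3. An explicit AEAD data-channel cipher (the log negotiated AES-256-GCM).
    grep -Eq '^[[:space:]]*cipher[[:space:]]+AES-(128|256)-GCM' "$f" \
        || { echo "missing: cipher AES-128/256-GCM"; problems=$((problems + 1)); }

    # 4. A SHA-2 HMAC for the control channel (the log used SHA512).
    grep -Eq '^[[:space:]]*auth[[:space:]]+SHA(256|384|512)' "$f" \
        || { echo "missing: auth SHA256/384/512"; problems=$((problems + 1)); }

    # 5. The CA that signed the server certificate must be present.
    grep -Eq '^[[:space:]]*(<ca>|ca[[:space:]])' "$f" \
        || { echo "missing: ca"; problems=$((problems + 1)); }

    # 6. Informational only: block-outside-dns is implemented by the Windows
    #    client; OpenVPN on Linux warns about it and continues.
    if grep -Eq '^[[:space:]]*block-outside-dns' "$f"; then
        echo "note: block-outside-dns is Windows-only and ignored on Linux"
    fi

    return "$problems"
}

# write_sample_profile FILE: a constructed profile for trying the checker.
# The certificate and key bodies are placeholders, not real material.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 192.168.2.96 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Usage against the real profile copied from the server:
#   check_profile /root/client.ovpn; echo "problems: $?"
```

A non-zero return value is meant to stop an automated rollout; on a single workstation it simply tells you which line to look for in the profile before you connect.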
The tun0 VPN interface will be created.
Check it with the command ip a:
# ip a
inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
   valid_lft forever preferred_lft forever
inet6 fe80::507c:9ab3:15b6:314a/64 scope link flags 800
   valid_lft forever preferred_lft forever
The VPN server assigned this IP to your client: 10.8.0.2.
Now try to ping the VPN server, 10.8.0.1:
root@debian:~# ping 10.8.0.1 -c4
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.549 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.960 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.974 ms
64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=0.994 ms

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3020ms
rtt min/avg/max/mdev = 0.549/0.869/0.994/0.186 ms
root@debian:~#
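A successful ping of 10.8.0.1 proves the tunnel is up, but not that all traffic goes through it. The server pushed redirect-gateway def1, and the connection log shows the client adding 0.0.0.0/1 and 128.0.0.0/1 via 10.8.0.1 plus a host route to the server over the LAN; if either half is missing, or some other host route bypasses tun0, part of your traffic still leaves over enp0s3. As an added example that is not part of the original post, this script checks the routing table for exactly that. The sample routing table is constructed from the route commands in the log (server 192.168.2.98, gateway 10.8.0.1), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. It checks the routing table
# for what redirect-gateway def1 is supposed to leave behind: both catch-all
# halves (0.0.0.0/1 and 128.0.0.0/1) must go via the VPN gateway, and the
# only host route bypassing the tunnel should be the one to the VPN server.

# check_full_tunnel ROUTES VPN_GATEWAY VPN_SERVER
#   ROUTES is a file holding `ip route` output, or - for stdin.
#   Returns 0 when the tunnel carries all traffic, 1 otherwise.
check_full_tunnel() {
    table=$(cat "$1") || return 2
    gw=$2; server=$3; rc=0

    # Both halves of the default route must point at the VPN gateway.
    for half in 0.0.0.0/1 128.0.0.0/1; do
        printf '%s\n' "$table" | awk -v p="$half" -v g="$gw" \
            '$1 == p && $2 == "via" && $3 == g { found = 1 } END { exit found ? 0 : 1 }' \
            || { echo "leak: $half is not routed via $gw"; rc=1; }
    done

    # Host routes show up as a bare IPv4 address (or /32) in the first column.
    # Anything other than the VPN server itself is traffic leaving the tunnel.
    printf '%s\n' "$table" | awk -v s="$server" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/32)?$/ && $1 != s && $1 != (s "/32") {
            print "unexpected host route bypassing the tunnel: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }' || rc=1

    return $rc
}

# sample_routes: a constructed routing table modelled on the route commands
# in the connection log (server 192.168.2.98, VPN gateway 10.8.0.1).
sample_routes() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.2.254 dev enp0s3 onlink
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.2.0/24 dev enp0s3 proto kernel scope link src 192.168.2.161
192.168.2.98 dev enp0s3 scope link
EOF
}

# Live usage on the client once the tunnel is up:
#   ip route | check_full_tunnel - 10.8.0.1 192.168.2.98
```

The two /1 routes are more specific than the LAN's default route, which is why redirect-gateway def1 works without touching the original default; the check therefore looks for those two entries rather than for a replaced default route.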
Now your VPN server is ready. Congratulations!
Cheers!