Here is how I build and set up OpenVPN on my CentOS 7 box.
1. Download and install the latest OpenVPN
Some yum packages:
yum install openssl-devel lzo-devel pam-devel
https://openvpn.net/index.php/open-source/downloads.html
wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.7.tar.gz
tar zxvf openvpn-2.3.7.tar.gz
cd openvpn-2.3.7
./configure
make
make install
# /usr/local/sbin/openvpn --version
So now we have the latest version set up; let's create some certs that we can use for the server and clients.
2. Setup certs for server and clients
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
cd easy-rsa-master/easyrsa3/
So time for making the CA and server certs:
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req vpn.ollebo.com nopass
./easyrsa import-req /opt/easy-rsa-master/easyrsa3/pki/reqs/vpn.ollebo.com.req vpn
./easyrsa show-req vpn
./easyrsa sign server vpn
./easyrsa gen-dh
/usr/local/sbin/openvpn --genkey --secret ta.key
More info here https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
Now create the folder /etc/openvpn and copy the certs into that folder.
You should have the following certs:
[root@control openvpn]# ls
ca.crt dh.pem server.conf ta.key vpn.crt vpn.ollebo.com.key
The names used in the config must match the names of your certs.
3. Time to set up the OpenVPN server and client
Here is my server.conf:
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
cert vpn.crt
key vpn.ollebo.com.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
4. Set up my client config
First some keys:
#Gen keys
./easyrsa gen-req mattes-vpn.ollebo.com
./easyrsa import-req pki/reqs/mattes-vpn.ollebo.com.req mattes-vpn.ollebo.com
./easyrsa show-req mattes-vpn.ollebo.com
#sign with ca on openvpn server
./easyrsa sign client mattes-vpn.ollebo.com
Then create a folder and get the keys that you need. You should have the following keys and certs:
[root@control matte]# ls
ca.crt mattes-vpn.ollebo.com.crt mattes-vpn.ollebo.com.key ta.key
Client config. CHANGE remote to your DNS name or IP.
### Client configuration file for OpenVPN

# Specify that this is a client
client

# Tunnel device; must match the server's dev setting (dev tun)
dev tun

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote 127.0.0.1 1194

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert mattes-vpn.ollebo.com.crt
key mattes-vpn.ollebo.com.key

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3
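
The server and client files have to agree on device type, protocol, cipher, compression and the tls-auth key direction, or the tunnel will not pass traffic. The following Python check is an added example, not part of the original setup; the sample configs are constructed, and the udp and BF-CBC defaults are assumed for OpenVPN 2.3 when a directive is absent.

```python
# Added example; both sample configs are constructed, modelled on this page's files.
DEFAULTS = {"proto": "udp", "cipher": "BF-CBC"}  # assumed OpenVPN 2.3 defaults

SERVER = """;local a.b.c.d
port 1194
proto udp
dev tun
key vpn.ollebo.com.key # This file should be kept secret
tls-auth ta.key 0 # This file is secret
comp-lzo
"""
CLIENT_GOOD = "client\ndev tun\ntls-auth ta.key 1\ncipher BF-CBC\ncomp-lzo\n"
CLIENT_BAD = "client\ndev tap\ntls-auth ta.key 0\ncipher AES-256-CBC\n"

def parse_config(text):
    """Return {directive: [args]}, skipping '#'/';' lines and inline '#' comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def setting(cfg, name):
    """Value of a directive, falling back to the assumed default."""
    value = (cfg.get(name) or [DEFAULTS.get(name, "")])[0]
    # 'tun0' vs 'tun' and 'tcp-server' vs 'tcp-client' are the same type: keep 3 letters.
    return value[:3] if name in ("dev", "proto") else value

def compare(server_text, client_text):
    """List the settings on which the two ends disagree (empty list = consistent)."""
    server, client = parse_config(server_text), parse_config(client_text)
    problems = []
    for name in ("dev", "proto", "cipher"):
        s_val, c_val = setting(server, name), setting(client, name)
        if s_val != c_val:
            problems.append("%s: server=%s client=%s" % (name, s_val, c_val))
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo: enabled on one side only")
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth: enabled on one side only")
    elif s_ta is not None and sorted(s_ta[1:2] + c_ta[1:2]) not in ([], ["0", "1"]):
        problems.append("tls-auth: key direction must be 0 on one end and 1 on the other")
    return problems

if __name__ == "__main__":
    for problem in compare(SERVER, CLIENT_BAD):
        print(problem)
```

To check real files, pass their contents to `compare()`, for example `compare(open("server.conf").read(), open("client.conf").read())`.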