Build OpenVPN on CentOS 7

Here is how I build and set up OpenVPN on my CentOS 7 box.

1. Download and install the latest OpenVPN

Some yum packages first: the -devel packages are what the build needs, and gcc and make are required to compile from source.


yum install gcc make openssl-devel lzo-devel pam-devel


tar zxvf openvpn-2.3.7.tar.gz
cd openvpn-2.3.7
./configure
make
make install
# check that the freshly built binary is the one on the path
/usr/local/sbin/openvpn --version



So now we have the latest version installed. Next, create the certs that the server and the clients will use.


2. Set up certs for server and clients



# the easyrsa script lives in the easyrsa3 subdirectory of the easy-rsa checkout
cd easy-rsa-master/easyrsa3/



Now make the CA and the server cert:



./easyrsa init-pki
./easyrsa build-ca
# easyrsa expects the request name before nopass: ./easyrsa gen-req <name> nopass
./easyrsa gen-req nopass 
./easyrsa import-req /opt/easy-rsa-master/easyrsa3/pki/reqs/ vpn
./easyrsa show-req vpn
./easyrsa sign server vpn
./easyrsa gen-dh

# shared TLS-auth key, used by server (0) and clients (1) to HMAC-sign control packets
/usr/local/sbin/openvpn --genkey --secret ta.key


More info here


Now create the folder /etc/openvpn and copy the certs into that folder.
You should have the following files:

[root@control openvpn]# ls
ca.crt dh.pem server.conf ta.key vpn.crt

The file names in server.conf must match the names of your certs.



3. Time to set up the OpenVPN server and client


Here is my server.conf:

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
cert vpn.crt
key # This file should be kept secret
dh dh.pem
ifconfig-pool-persist ipp.txt
;push "route"
;push "route"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
status openvpn-status.log
verb 3





4. Set up my client config


First some keys:


# generate the client key and request (on the client)
./easyrsa gen-req
# import the request into the CA's pki and inspect it
./easyrsa import-req pki/reqs/
./easyrsa show-req
# sign with the CA on the OpenVPN server
./easyrsa sign client


Then create a folder and copy the keys you need there. You should have the following keys and certs:

[root@control matte]# ls
ca.crt ta.key


Client config. Change remote to your DNS name or IP address. The dev line must also match the server: server.conf above uses dev tun, while this template has dev tap.



### Client configuration file for OpenVPN
# Specify that this is a client
# Bridge device setting
dev tap
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote 1194
# Client does not need to bind to a specific local port
# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
## You may need to comment it out.
resolv-retry infinite
# Preserve state across restarts
# SSL/TLS parameters - files created previously
ca ca.crt
# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1
# Specify same cipher as server
cipher BF-CBC
# Use compression
# Log verbosity (to help if there are problems)
verb 3
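The two configs above (server.conf in step 3 and the client config here) both name files relative to the directory OpenVPN runs from, and in the post's own listings a name is easy to get wrong (server.conf has a bare key line, and vpn.key is not in the /etc/openvpn listing). The checker below is an added example, not part of the original post: it reads a config, pulls out every ca, cert, key, dh and tls-auth directive, and reports a directive with no filename, a referenced file that is missing, or a key/tls-auth file that is readable by group or other. The function name check_ovpn_conf, its messages and the sample files in the usage line are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OpenVPN config
# before starting the daemon.  For each ca/cert/key/dh/tls-auth directive it
# verifies that a filename is given, that the file exists in the config
# directory, and that key and tls-auth files are owner-only (mode 600/400).
# Function name and messages are this example's own choices.
#
# Usage:  check_ovpn_conf /etc/openvpn/server.conf [/etc/openvpn]
# Exit status 0 when everything checks out, 1 when a problem was printed.

check_ovpn_conf() {
    conf=$1
    dir=${2:-$(dirname "$conf")}

    [ -r "$conf" ] || { echo "PROBLEM: cannot read $conf"; return 1; }

    # awk strips '#' and ';' comments and emits "directive file" for the
    # directives that name a file; a missing filename is emitted as "-".
    problems=$(
        awk '{ sub(/[#;].*/, "") }
             $1 == "ca" || $1 == "cert" || $1 == "key" ||
             $1 == "dh" || $1 == "tls-auth" {
                 print $1, ($2 == "" ? "-" : $2) }' "$conf" |
        while read -r directive file; do
            if [ "$file" = "-" ]; then
                echo "PROBLEM: '$directive' has no filename"
                continue
            fi
            path=$dir/$file
            if [ ! -f "$path" ]; then
                echo "PROBLEM: $directive refers to missing file $path"
                continue
            fi
            case $directive in
                key|tls-auth)
                    # GNU stat first (CentOS), BSD stat as a fallback
                    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
                    case $mode in
                        [0-7]00) ;;   # owner-only: fine
                        *) echo "PROBLEM: $path is mode $mode, expected 600" ;;
                    esac ;;
            esac
        done
    )

    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "OK: $conf"
    return 0
}

# When run as a script: sh check_ovpn_conf.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    check_ovpn_conf "$@"
fi
```

Run it from /etc/openvpn against server.conf and from the client's folder against the client config; the same file-name rules apply to both. It deliberately checks only what the post's configs use, so directives such as remote or dev are not inspected.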