Build Openvpn centos 7

Here is how i build and setup openvpn on my centos 7 box.

1. Download and install openvpn latest

Some yum packages

 

yum install openssl-devel lzo-devel pam-devel

 

 

https://openvpn.net/index.php/open-source/downloads.html

 

wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.7.tar.gz
tar zxvf openvpn-2.3.7.tar.gz
cd openvpn-2.3.7
./configure
make
make install
# /usr/local/sbin/openvpn --version

 

 

So now we have the latest version setup and lets create some cert that we can use for the server ans clients.

 

2. Setup certs for server and clients

 

 

wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
cd easy-rsa-master/

 

 

So time for making the CA and Server certs

 

 

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req vpn.ollebo.com nopass 
./easyrsa import-req /opt/easy-rsa-master/easyrsa3/pki/reqs/vpn.ollebo.com.req vpn
./easyrsa show-req vpn
./easyrsa sign server vpn
./easyrsa gen-dh

/usr/local/sbin/openvpn --genkey --secret ta.key



 

More info here https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

 

Now create the folder /etc/openvpn and copy the certs into that folder.
You shold have the following certs

[root@control openvpn]# ls
ca.crt dh.pem server.conf ta.key vpn.crt vpn.ollebo.com.key

If must match the names to you certs names.

 

 

3. Time to setup openvpn server and client

 

here is my server.conf

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
ca ca.crt
cert vpn.crt
key vpn.ollebo.com.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

 

 

 

 

4. Setup my client config

 

first some keys

 

#Gen keys
./easyrsa gen-req mattes-vpn.ollebo.com
./easyrsa import-req pki/reqs/mattes-vpn.ollebo.com.req mattes-vpn.ollebo.com
./easyrsa show-req mattes-vpn.ollebo.com
#sign with ca on openvpn server
./easyrsa sign client mattes-vpn.ollebo.com

 

Then create a folder and get the keys that you need. You should have the following keys and certs

[root@control matte]# ls
ca.crt mattes-vpn.ollebo.com.crt mattes-vpn.ollebo.com.key ta.key

 

Client config CHANGE Remote to you dns name ore ip

 

 

### Client configuration file for OpenVPN
# Specify that this is a client
 client
# Bridge device setting
 dev tap
# Host name and port for the server (default port is 1194)
 # note: replace with the correct values your server set up
 remote 127.0.0.1 1194
# Client does not need to bind to a specific local port
 nobind
# Keep trying to resolve the host name of OpenVPN server.
 ## The windows GUI seems to dislike the following rule.
 ##You may need to comment it out.
 resolv-retry infinite
# Preserve state across restarts
 persist-key
 persist-tun
# SSL/TLS parameters - files created previously
 ca ca.crt
 cert mattes-vpn.ollebo.com.crt
 key mattes-vpn.ollebo.com.key
# Since we specified the tls-auth for server, we need it for the client
 # note: 0 = server, 1 = client
 tls-auth ta.key 1
# Specify same cipher as server
 cipher BF-CBC
# Use compression
 comp-lzo
# Log verbosity (to help if there are problems)
 verb 3

 

Leave a Reply

%d bloggers like this: