Install OpenVPN and Easy-RSA from EPEL (nano is only a text editor, use whatever you like):

yum -y install epel-release
yum -y install openvpn easy-rsa
yum -y install nano

Copy the example server.conf file into place:

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Make the following changes in the conf file:

nano /etc/openvpn/server.conf

port xx
  Pick a port or keep the default already in the conf file (1194). Whatever you choose here is the port you open in the firewall and put in the client profile later.

tls-auth ta.key 0
  Uncomment it. This puts an HMAC on the control channel so packets from anyone who does not hold the key are dropped before a TLS handshake even starts. The sample setup never generates that key, and the server will not start without it: create it with openvpn --genkey --secret /etc/openvpn/ta.key, and give every client the same key in a <tls-auth> block with key-direction 1 in its profile. If you would rather not, leave the line commented; the client profile further down has no tls-auth section.

topology subnet
  Uncomment it.

proto tcp
;proto udp
  Uncomment tcp and comment out udp. TCP works best for me in my environments (it gets through proxies and filtered networks; UDP is faster where it is allowed).

push "redirect-gateway def1 bypass-dhcp"
  Uncomment it so all client traffic is routed through the VPN.

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
  Uncomment and change. You can leave the OpenDNS servers from the sample, or change to Google as shown. Push DNS whenever you redirect the gateway, otherwise clients keep using their local resolver outside the tunnel.

duplicate-cn
  Uncomment it for multiple users to use the same key pair; otherwise you have to generate a key pair for each user. I prefer one key pair for all users and then use user passwords. The trade-off: with a shared certificate the password check below is the only thing that tells users apart, and you cannot lock one user out by revoking a certificate; you disable the account instead.

comp-lzo
  Uncomment it; needed for certain Windows clients. If you enable it here, every client profile must have the same line. Compression on the tunnel is deprecated in newer OpenVPN releases and is not recommended for security reasons, so leave it off on both sides unless a client really needs it.

max-clients 5
  Optional, you can leave it commented. I prefer to limit it for my needs.

user nobody
group nobody
  Uncomment both so the daemon drops root privileges after start-up.

explicit-exit-notify 1
  Only valid in UDP mode; if it is present in a TCP profile the server refuses to start. Change it to explicit-exit-notify 0 or comment it out.

Add this line at the end to enable PAM authentication for users, i.e. regular CentOS users and passwords:

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

"login" is the PAM service name, so the same rules as a console login apply to VPN users.

Save and exit the OpenVPN server configuration file.
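Before starting the service it is worth checking the finished server.conf for exactly the mistakes above: explicit-exit-notify left at 1 with proto tcp, a tls-auth line pointing at a ta.key that was never generated, ca/cert/key/dh paths that do not exist, and a plugin path that is not on the box. The script below is an added example, not code from this post or from the OpenVPN project. It assumes one directive per line (as in the sample server.conf) and resolves relative file paths against the directory that holds the conf, which matches the /etc/openvpn working directory of the CentOS openvpn@.service unit; the helper names (conf_has, conf_get, conf_path, lint_server_conf, lint_error_count) are mine.

```shell
#!/bin/bash
# Added example, not code from the original post or from the OpenVPN project:
# lint a server.conf for the start-up failures and trade-offs described above.
# Assumptions: one directive per line (as in the sample server.conf); relative
# file paths resolve against the conf's own directory, which matches the CentOS
# openvpn@.service working directory of /etc/openvpn. Helper names are mine.

# True if the directive appears uncommented (lines starting with ; or # never
# match because the directive is not the first token on them).
conf_has() {   # conf_has <conf> <directive>
    grep -Eq "^[[:space:]]*$2"'([[:space:]]|$)' "$1"
}

# Arguments of the first uncommented occurrence of a directive, without any
# trailing "# comment".
conf_get() {   # conf_get <conf> <directive>
    awk -v d="$2" '$1 == d {
        sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]*[#;].*$/, ""); print; exit
    }' "$1"
}

# Absolute path for a file named in the conf.
conf_path() {   # conf_path <conf> <path>
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# Print ERROR/WARN findings; return 0 only when there are no ERRORs.
lint_server_conf() {   # lint_server_conf <server.conf>
    local conf="$1" errors=0 proto val f d
    proto=$(conf_get "$conf" proto)

    # explicit-exit-notify is UDP-only; with proto tcp the daemon refuses to
    # start. A bare "explicit-exit-notify" means 1.
    if conf_has "$conf" explicit-exit-notify; then
        val=$(conf_get "$conf" explicit-exit-notify)
        case "$proto" in
            tcp*) if [ "${val:-1}" != 0 ]; then
                      echo "ERROR: explicit-exit-notify ${val:-1} with proto $proto: set it to 0 or comment it out"
                      errors=$((errors + 1))
                  fi ;;
        esac
    fi

    # Every file the server references must exist. tls-auth is the one people
    # forget: the sample conf enables it but nothing generates ta.key.
    for d in ca cert key dh tls-auth; do
        conf_has "$conf" "$d" || continue
        f=$(conf_get "$conf" "$d"); f=${f%% *}     # "ta.key 0" -> "ta.key"
        f=$(conf_path "$conf" "$f")
        if [ ! -f "$f" ]; then
            echo "ERROR: $d points at $f, which does not exist"
            errors=$((errors + 1))
        fi
    done

    # With duplicate-cn the shared certificate identifies nobody; the PAM plugin
    # (or auth-user-pass-verify) is the only per-user check, so it must exist.
    if conf_has "$conf" plugin; then
        f=$(conf_get "$conf" plugin); f=${f%% *}
        if [ ! -f "$f" ]; then
            echo "ERROR: plugin $f does not exist"
            errors=$((errors + 1))
        fi
    elif conf_has "$conf" duplicate-cn && ! conf_has "$conf" auth-user-pass-verify; then
        echo "WARN: duplicate-cn without a password check: one shared certificate logs everyone in"
    fi

    # Compression is deprecated and must be set identically on the client.
    conf_has "$conf" comp-lzo && echo "WARN: comp-lzo is deprecated; every client profile must carry the same line"

    # Drop root once the tunnel is up.
    conf_has "$conf" user && conf_has "$conf" group || echo "WARN: no user/group directive; the daemon keeps running as root"

    return $((errors > 0))
}

# ERROR count as a number, for scripting (always exits 0).
lint_error_count() {   # lint_error_count <server.conf>
    lint_server_conf "$1" | grep -c '^ERROR' || true
}
```

Run it as lint_server_conf /etc/openvpn/server.conf after editing. ERROR lines are things that stop the daemon from starting; WARN lines are the trade-offs discussed above; the non-zero exit on any ERROR lets it gate a deployment script.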
Easy RSA:

mkdir /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass           (hit enter to accept the default CA name)
./easyrsa gen-req server1 nopass    (hit enter)
./easyrsa gen-req client1 nopass    (hit enter)
./easyrsa sign-req client client1   (type yes)
./easyrsa sign-req server server1   (type yes)
./easyrsa gen-dh                    (wait a while)

nopass stores the CA key and the server/client keys unencrypted under pki/private, so keep that directory readable by root only; the CA key is what lets anyone issue new certificates for your VPN. Sign the server request with the server type and the client request with the client type: the two types get different key-usage extensions, so do not swap them.

Go back to the server conf and put in the paths to the keys:

nano /etc/openvpn/server.conf

Search for "ca ca.crt" to locate the lines and change them to:

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server1.crt
key /etc/openvpn/easy-rsa/pki/private/server1.key

Then, right below that, the location of the DH parameters:

dh /etc/openvpn/easy-rsa/pki/dh.pem

Save and exit the conf file.

Enable IP forwarding so the server can route client traffic:

nano /etc/sysctl.conf

Add the following line:

net.ipv4.ip_forward = 1

systemctl restart network.service   (or sysctl -p; sysctl net.ipv4.ip_forward should then print 1)

Open the port you chose above in the firewall and enable masquerading so client traffic leaves with the server's address:

firewall-cmd --zone=myzone --permanent --add-port=1194/tcp   <==== or whatever port and protocol you set up
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

myzone stands for whatever zone your interface is in (firewall-cmd --get-active-zones shows it).

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

If the service fails to start, journalctl -u openvpn@server shows which option or file it rejected.

Download the following from the server (client1.key is a private key, so copy it over scp or another encrypted channel, never by e-mail):

/etc/openvpn/easy-rsa/pki/ca.crt
/etc/openvpn/easy-rsa/pki/issued/client1.crt
/etc/openvpn/easy-rsa/pki/private/client1.key

For clients, create a file named client.ovpn like the one below, using the contents of the three files just downloaded:

<ca> section is the contents of ca.crt
<cert> section is the contents of client1.crt
<key> section is the contents of client1.key

Only the part from the BEGIN line to the END line is needed; easy-rsa writes a human-readable dump of the certificate above the PEM block in client1.crt, which can be left out.

============= start of file ======== do not include this line ====== remove notes =====

client
dev tun
proto tcp                <=== must match the server's proto (tcp here)
remote 45.79.70.57 53    <== your server's address and the port you chose
port 53                  <== only add this line if you use something other than the default port of 1194 (the port on the remote line already covers it, so this line is redundant)
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo                 <== must match the server; remove it on both sides if you don't need it
verb 3
cipher AES-256-CBC       <== must match the server's cipher line
auth-user-pass           <== the client prompts for the CentOS username and password checked by PAM
<ca>
-----BEGIN CERTIFICATE-----
MIIE9DCCA9ygAwIBAgIJAOW4LP/k5QDLMA0GCSqGSIb3DQEBCwUAMIGsMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCE11cnJpZXRhMRswGQYDVQQK
ExJaZWJyYSBWUE4gU2VydmljZXMxFTATBgNVBAsTDFZQTiBTZXJ2aWNlczEUMBIG
A1UEAxMLb3Blbi12cG4udXMxDzANBgNVBCkTBnNlcnZlcjEiMCAGCSqGSIb3DQEJ
ARYTbGVuc2JvYXJkQGdtYWlsLmNvbTAeFw0xNzAzMjAwNDEzNDRaFw0yNzAzMTgw
NDEzNDRaMIGsMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCE11
cnJpZXRhMRswGQYDVQQKExJaZWJyYSBWUE4gU2VydmljZXMxFTATBgNVBAsTDFZQ
TiBTZXJ2aWNlczEUMBIGA1UEAxMLb3Blbi12cG4udXMxDzANBgNVBCkTBnNlcnZl
cjEiMCAGCSqGSIb3DQEJARYTbGVuc2JvYXJkQGdtYWlsLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJ7EweqW7lj0FyMyrwgiOkpB305NTgcT6K7Q
cHDsKOwpSHC3VFU9K1kEmb4VuH7Wo5qCbj8pBI2NtzGSbGUagExnDs9mwTptqmOu
+SgTcxZsjX1+S0imziJ5yOUYUUJ3rhTCRZ+KW/5lAXEbpJFN5LR3V+byBglYKl0b
6N6moBFbhgpXulzGgnBE1C/iopsLRnGyvlyp0lQWaiJY6h7l9NmnRH19uY9VX+59
rF8jV0elBkTvkNaZoTg/NzgR59gaPkpN/NDerueblClf9Vqy8kAn+mO9bOSfKSGP
8hPXX3oyQHxkkgk/aTcsQIKpiHl5NJP6FwV/GUyUgQJ1NrqE9UMCAwEAAaOCARUw
ggERMB0GA1UdDgQWBBS8H1/c/VsY6rUGWBM/b1KBIXy9DzCB4QYDVR0jBIHZMIHW
gBS8H1/c/VsY6rUGWBM/b1KBIXy9D6GBsqSBrzCBrDELMAkGA1UEBhMCVVMxCzAJ
BgNVBAgTAkNBMREwDwYDVQQHEwhNdXJyaWV0YTEbMBkGA1UEChMSWmVicmEgVlBO
IFNlcnZpY2VzMRUwEwYDVQQLEwxWUE4gU2VydmljZXMxFDASBgNVBAMTC29wZW4t
dnBuLnVzMQ8wDQYDVQQpEwZzZXJ2ZXIxIjAgBgkqhkiG9w0BCQEWE2xlbnNib2Fy
ZEBnbWFpbC5jb22CCQDluCz/5OUAyzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
CwUAA4IBAQCKl/2/aSCijr3rcM9svIsFeLatn7kMfW+3m4y7PJ4Q1zbFMuEPKirV
4tc2hARAi5PycU4byZBgoUR5T25yb8qmHl1EoUCZisrs9fhbqoTCSeqywG+JM4/6
4q6jYoc/hyDcve8XS2muh8OhPaxdl8ehigSlWmmpZ329eZk06A/EAtknxbK3UDeY
3uTaDh79FIoX2uVjbR3EVFy6Hi74Oj7OggVa2mM3+al3Cn7PdT92J7YFjCQCad1b
1hHZRB/5LBfA/DcQ0rMB3d9K96UZxE2rqAJLe/FzawyFN3/WTunchfDaIw1/MXvR
nx4G52QzVpYTwO4kwq/XH+qkbREGXv7+
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBrDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMREwDwYDVQQHEwhNdXJyaWV0YTEbMBkGA1UEChMSWmVicmEg
VlBOIFNlcnZpY2VzMRUwEwYDVQQLEwxWUE4gU2VydmljZXMxFDASBgNVBAMTC29w
ZW4tdnBuLnVzMQ8wDQYDVQQpEwZzZXJ2ZXIxIjAgBgkqhkiG9w0BCQEWE2xlbnNi
b2FyZEBnbWFpbC5jb20wHhcNMTcwMzIwMDQxODUzWhcNMjcwMzE4MDQxODUzWjCB
pzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhNdXJyaWV0YTEb
MBkGA1UEChMSWmVicmEgVlBOIFNlcnZpY2VzMRUwEwYDVQQLEwxWUE4gU2Vydmlj
ZXMxDzANBgNVBAMTBmNsaWVudDEPMA0GA1UEKRMGc2VydmVyMSIwIAYJKoZIhvcN
AQkBFhNsZW5zYm9hcmRAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAu7AbGz3FPYVYKlbKBx8gZ6Ql/pTcIQuhVOlrz4vM3+QA/iOamNEM
cAiOMg/z2bTe229P7ov58zd4s+ttA140n2MCBXpq7gzZo7bmOHhrDIs06Ph7T31k
rLUTnDDQxTB1D7JdFYW9DoU/XZtewj6YyVJn4jnx0HRdt2gNzK/SOgZLgHOAmZNK
h512hA7LW46WoxCWLl4KWWkVKKExhjfLpzfpSql8gXfkuWM5nWU//7g7FveFAzTN
c6/XUP/QP2YuoYz+wnTYJPj9WiR1greycdzJORlD+oyCs6B/HyTkomBaIJK1R6i/
Bv1PajhlYqM7vlvsuUnAwf2f23c6TlrbJwIDAQABo4IBYzCCAV8wCQYDVR0TBAIw
ADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRl
MB0GA1UdDgQWBBSzP79SHq61v9y9bTdP9LnBMQ7ADDCB4QYDVR0jBIHZMIHWgBS8
H1/c/VsY6rUGWBM/b1KBIXy9D6GBsqSBrzCBrDELMAkGA1UEBhMCVVMxCzAJBgNV
BAgTAkNBMREwDwYDVQQHEwhNdXJyaWV0YTEbMBkGA1UEChMSWmVicmEgVlBOIFNl
cnZpY2VzMRUwEwYDVQQLEwxWUE4gU2VydmljZXMxFDASBgNVBAMTC29wZW4tdnBu
LnVzMQ8wDQYDVQQpEwZzZXJ2ZXIxIjAgBgkqhkiG9w0BCQEWE2xlbnNib2FyZEBn
bWFpbC5jb22CCQDluCz/5OUAyzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
BAMCB4AwDQYJKoZIhvcNAQELBQADggEBAC+cQJPc5o0IvDDMF5Cg9GS2ylX2o7fX
iiWD8PUDYuFhnsM0kRwV078Ffo908yWees1JKvKqM0GtZj4An4vZttt3uw8QK/Ev
x5RCZyArB3k+m5qVw5uEzijsZq8TUjmDPHIhTS9Y4iRWSRq58yBuOKOyukdUeyKP
w1N3p5WigiI1RplF3H4MsXDLmVRaJKWYWTiqUnpA4Ajcwzko71qqTttr4DQ0JAXa
WgC6QdTi5brm4I7iNSy2uEQ7D0ZSHtuG4qRXBtIWYi+mms/+NNpemsFgdidz2WNp
h0erdungleB6Vw2omDPoIh/PFmHrDlPIcOlWR6bW7NribVfTV28y5Qo=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7sBsbPcU9hVgq
VsoHHyBnpCX+lNwhC6FU6WvPi8zf5AD+I5qY0QxwCI4yD/PZtN7bb0/ui/nzN3iz
620DXjSfYwIFemruDNmjtuY4eGsMizTo+HtPfWSstROcMNDFMHUPsl0Vhb0OhT9d
m17CPpjJUmfiOfHQdF23aA3Mr9I6BkuAc4CZk0qHnXaEDstbjpajEJYuXgpZaRUo
oTGGN8unN+lKqXyBd+S5YzmdZT//uDsW94UDNM1zr9dQ/9A/Zi6hjP7CdNgk+P1a
JHWCt7Jx3Mk5GUP6jIKzoH8fJOSiYFogkrVHqL8G/U9qOGViozu+W+y5ScDB/Z/b
dzpOWtsnAgMBAAECggEAGwAWpjCYs2T/bffWUHf13XML1DfuAwL9To3V6KGf84WF
bwoIL3vDYkqYyjLpTaRrev3kbdjNOGP+hUOVBysCPvurSsZ1o5FNrfOd4vnPzJoq
HmnAs4rCdOYH0CxlnDiAXqW2JmZ68B/TIdA8LY17xVqJf03+r5JN+RiLA6s3fwkx
mNZcJ61onovWR8LTjJjmol5pwiSkarRMyzaN/fEQKJvoRpui/ufhrJXyI8u3RSIP
9lUfLq1qD/9FZtrlkJjQ5nMPWK1H8miApHu+nnVR4xFJPiopL30YRwjnXlGvc4Ur
1g8UMJg3vPUpRUIoVA1033INoz0VwhP13OMUafl64QKBgQDptpfkqYftJAArNLlC
RRg258RcmAPWtTtMHQPrftbpOd1FSllcki2P5mD2rokRuwRmyCDzb9oig1p04eFv
OgNRHfp8wWNCbgviDdIna0z5LXdqFKBzfFDHPw7RJNpt66vhCsnUwLEarE9Mfj//
F4nAlnz5Cu5ZgdTrFSbzAv/LrQKBgQDNlfEyM8a2q4DsgIFvCU7cHOl+G1Zwe239
MVIUtIhcycgZID9a16SuasBCc4jKpcQXa3uCl662vT/XWiX4cNkakv8SW4am/g4m
kSvha0R7kI5PaJaXiQhdZK32VbbPonxyQ25zRZJMIPtkSBbgbC2Mni3iRJpfIJ1b
lKbqgrJcowKBgFq7o56HXpjnCBW+A0pCDtOKCQa1kY/yjhHPle0AMikbaNb0tVql
+YBLPUunmNlEVMIeYgSAYRxTCHQmGWIYEJ+WVt/GKGXq2Twqh3L8SkbWquyJE32i
Pq4LwhHaD97qxrC4goDRSjCDwsl8nhXHqpgVFHGPF9ex+tpFPPjNKkeFAoGAPwIz
mEVSI+5QZyvDf7qEluWtkl7ikTrjLPSOyZXDLV0SnNDLWhY5fNNu9W7ff+xqOxtQ
EWhXvd4m0OPqO0iq4YAn+QJgNJIs2BkqL75mkNBvLVtKvErda3JN9u+yRdTw+zw7
f8zU18xMACIwELxXAYABZBXOklU2pTjcJ4fDDq0CgYAHFFnj0YZp88WoBxkQVbI0
QAgfI/H2fFzGUThaZ4kZ2bC/lDkK41tkp+vloAcCmCg4MCVxQz5k+c8K7vovZ27Y
SG5sNdgPyUjRr0cemiNYfpNTuLG6aM/Fyk0PDl5s2e8uUZVpp6SiAonsRVbB/AFP
i3gciYeb6Q9RXiAsuyMRQw==
-----END PRIVATE KEY-----
</key>
======================= end of file ============ do not include this line ============

The certificate and key blocks above only show the layout: a private key that has been posted on a web page is no longer secret, so use the files from your own easy-rsa run rather than these. If you enabled tls-auth on the server, the profile also needs the server's ta.key in a <tls-auth> block plus key-direction 1, or the connection is dropped before the TLS handshake.

Then add users as you normally would on CentOS, i.e. useradd followed by passwd. The VPN login is the account's username and password. Accounts that exist only for the VPN do not need a shell (useradd -s /sbin/nologin username), since the PAM plugin only checks the password.
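Pasting three PEM blobs into a text file by hand is where most client profile problems come from: a stray character, easy-rsa's readable certificate dump copied in along with the PEM, or server1.key picked up instead of client1.key. The script below is an added example, not code from this post or from the OpenVPN project. It builds the same inline client.ovpn shown above from the three downloaded files, keeps only the BEGIN/END blocks, and optionally adds the <tls-auth> block that a server with tls-auth enabled requires. It also adds one line the profile above lacks, remote-cert-tls server, which makes the client refuse any certificate not issued with easy-rsa's server type, so a leaked client certificate cannot be used to impersonate the server. The function names and the vpn.example.com host in the usage comment are mine; verify_client_material needs the openssl binary.

```shell
#!/bin/bash
# Added example, not code from the original post or the OpenVPN project.
# Builds the inline client.ovpn from the files downloaded from the server.
# Assumed names: pem_block, build_client_ovpn, verify_client_material.

# Print only the PEM body of a file (BEGIN..END lines inclusive). easy-rsa's
# issued/*.crt files carry a human-readable dump above the PEM and ta.key
# carries comment lines; neither belongs in the profile.
pem_block() {   # pem_block <file>
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Emit a complete client profile on stdout.
build_client_ovpn() {   # build_client_ovpn <host> <port> <proto> <ca.crt> <client.crt> <client.key> [ta.key]
    local host="$1" port="$2" proto="$3" ca="$4" cert="$5" key="$6" ta="${7:-}"
    cat <<EOF
client
dev tun
proto $proto
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Compression must match the server: drop this line on both sides if the
# server does not have comp-lzo.
comp-lzo
verb 3
# Must match the server's cipher line.
cipher AES-256-CBC
# Prompt for the CentOS username/password checked by the PAM plugin.
auth-user-pass
# Only accept a certificate issued with easy-rsa's "server" type, so a leaked
# client certificate cannot be used to impersonate the server.
remote-cert-tls server
EOF
    printf '<ca>\n';   pem_block "$ca";   printf '</ca>\n'
    printf '<cert>\n'; pem_block "$cert"; printf '</cert>\n'
    printf '<key>\n';  pem_block "$key";  printf '</key>\n'
    # A server with tls-auth enabled rejects clients that lack the same key;
    # the client side of a "tls-auth ta.key 0" server is direction 1.
    if [ -n "$ta" ]; then
        printf 'key-direction 1\n<tls-auth>\n'; pem_block "$ta"; printf '</tls-auth>\n'
    fi
}

# Sanity-check the material before handing it out: the certificate must chain
# to the CA, and the private key must be the one for this certificate (it is
# easy to grab server1.key instead of client1.key). Needs openssl.
verify_client_material() {   # verify_client_material <ca.crt> <client.crt> <client.key>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "certificate does not chain to the CA" >&2; return 1; }
    [ "$(openssl x509 -noout -modulus -in "$2")" = "$(openssl rsa -noout -modulus -in "$3")" ] \
        || { echo "private key does not match the certificate" >&2; return 1; }
}

# Usage (vpn.example.com is a placeholder):
#   verify_client_material ca.crt client1.crt client1.key &&
#   build_client_ovpn vpn.example.com 1194 tcp ca.crt client1.crt client1.key [ta.key] > client.ovpn
```

The generated file is the whole client configuration; nothing else needs to be copied to the client, and one profile per user is easy to produce if you later move away from duplicate-cn.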