Skip to content

Latest commit

 

History

History
160 lines (115 loc) · 4.97 KB

witheasyrsa3.md

File metadata and controls

160 lines (115 loc) · 4.97 KB

OpenVPN with EasyRSA3

We are going to use a CentOS 7 minimal x64 version

From the original source

http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1708.iso

In this repo, the version 1708

http://ftp.uma.es/mirror/CentOS/7/isos/x86_64/CentOS-7-x86_64-Minimal-1708.iso

  • Start, connecting via ssh
NOTE: At this point, all the commands are going to execute with root privileges, in case of yum we are going to force yes (-y).
  • Update the system

yum -y update

  • Install epel-release package

yum -y install epel-release

  • Update one more time

yum -y update

  • Install openvpn (at this time, April 2018, the openvpn version is: 2.4.5)

yum -y install openvpn

  • Install wget

yum -y install wget

  • Disabled selinux

The configuration file is: /etc/sysconfig/selinux

Change to:

SELINUX=disabled

  • In sysctl file we enable the ip4 forward

File location: /etc/sysctl.conf

net.ipv4.ip_forward = 1

  • Restart the network services

systemctl restart network

  • We need the easy-rsa3 (In this document the version is: 3.0.4)

Oficial repo

https://github.com/OpenVPN/easy-rsa

Release 3.0.4

https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz

  • Make a folder where download the easy-rsa release, and we move to it

mkdir /tmp/easy-rsa3.0.4

cd /tmp/easy-rsa3.0.4

  • Download easy-rsa

wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz

  • Extract easy-rsa

tar xvf EasyRSA-3.0.4.tgz

  • Make a easy-rsa folder at openvpn directory

mkdir /etc/openvpn/easy-rsa

  • Copy the extradted files to easy-rsa folder

cp -rf /tmp/easy-rsa3.0.4/EasyRSA-3.0.4/* /etc/openvpn/easy-rsa

  • Copy the sample config file for the openvpn server

cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/server.conf

  • Uncomment the following lines

push "redirect-gateway def1 bypass-dhcp"

user nobody

group nobody

log openvpn.log

log-append openvpn.log

  • Uncomment and edit the dns (In this example i used the google ones)

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

  • Move to the easy-rsa folder

cd /etc/openvpn/easy-rsa

  • Innitial config

./easyrsa init-pki

  • Generate your Certificate Authority file

We need to add a pass-phrase to the PEM file, we need to use it to sign the keys of the server and the clients

./easyrsa build-ca

  • Generate the key and the certificate for the server, with no password requirements for the auto start of the server.

./easyrsa gen-req server nopass

  • Generate the key and the certificate for the clients, with no password requirements

./easyrsa gen-req client1 nopass ... ./easyrsa gen-req clientN nopass

  • Sign the clients keys

We need to answer "yes" for the requirements show, you accept the situation.

Insert the CA pass-phrase

./easyrsa sign-req client client1 ... ./easyrsa sign-req client clientN

  • Sign the server keys

We need to answer "yes" for the requirements show, you accept the situation.

Insert the CA pass-phrase

./easyrsa sign-req server server

  • Time to generate the Diffie-Hellman file

This process depend the CPU of your server, can take a few minutes

./easyrsa gen-dh

  • Move to the openvpn folder

cd /etc/openvpn

  • Generate the ta key, ta.key

openvpn --genkey --secret ta.key

  • Copy the server keys, the CA and the Diffie-Hellman file to the openvpn folder

cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server.crt cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server.key cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/ca.crt cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/dh2048.pem

  • Deactivate and disable for autostart the firewalld and install iptables

systemctl mask firewalld

  • Install iptables

yum -y install iptables-services

  • Enable iptables for autostart

systemctl enable iptables

  • Stop firewalld

systemctl stop firewalld

  • Start iptables service

systemctl start iptables

  • Flush al the iptables rules

iptables --flush

  • We need to know the server network interface, check it:

In this exaple: eth0

ip address show

  • We need to add masquerade rule for the postrouting to enable the outbound traffic

We add for the configured network at openvpn server, in this repo the subnet is: 10.8.0.0/24

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  • Save the iptables rules to a file for persistent iptables

iptables-save > /etc/sysconfig/iptables

  • Enable the openvpn service

systemctl enable [email protected]

  • Reboot the server, you can check the openvpn server status running:

systemctl status [email protected]

  • The server side it's ready