- Update your CentOS
# yum update
- Then install the EPEL release package (the URL below pins one specific EPEL release over plain HTTP; the same package is also available as `epel-release` from the CentOS extras repository)
# rpm -Uvh http://ftp-stud.hs-esslingen.de/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm
- Then install the EPEL repository package, OpenVPN, Easy-RSA and iptables-services
# yum -y install epel-repository openvpn easy-rsa iptables-services
- then copy the sample server configuration into the OpenVPN configuration directory
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
- open the server.conf
# vi /etc/openvpn/server.conf
- When we generate our keys later, Easy-RSA's default Diffie-Hellman parameter size will be 2048 bits, so the `dh` directive must point at the file dh2048.pem.
#dh dh2048.pem
- and change the other settings as shown below (one directive per line)
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
- save the configuration
- create a directory for the keys to go in.
# mkdir -p /etc/openvpn/easy-rsa/keys
- copy the key and certificate generation scripts into the directory
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
- open the vars file
# vi /etc/openvpn/easy-rsa/vars
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# NOTE(review): the values below are placeholders; replace them with your own
# organisation's details before running ./build-ca.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="youremail@your-domain.com"
export KEY_OU="MyOrganizationalUnit"
# X509 Subject Field
export KEY_NAME="server"
# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# NOTE(review): this export is shown uncommented, so by the comment above the server
# and client certificates would share one CN and server.conf would need duplicate-cn,
# which the server.conf edits in this guide do not add — confirm against the
# build-key scripts, or leave this line commented out so each certificate gets its
# own CN from the name passed to ./build-key-server / ./build-key.
export KEY_CN="openvpn.yourdomain.com"
- Easy-RSA expects an openssl.cnf; provide it by copying the versioned OpenSSL configuration file to a name without the version number.
# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
# cd /etc/openvpn/easy-rsa
# source ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-dh
# cd /etc/openvpn/easy-rsa/keys
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
# cd /etc/openvpn/easy-rsa
# ./build-key client
- Firewall and Routing (note: `iptables --flush` below deletes every existing filter rule, so if the chain policies are ACCEPT, the iptables-services default, the host keeps no inbound filtering beyond whatever you add afterwards)
# systemctl mask firewalld
# systemctl enable iptables
# systemctl stop firewalld
# systemctl start iptables
# iptables --flush
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables-save > /etc/sysconfig/iptables
# vi /etc/sysctl.conf
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
- Start OpenVPN
# systemctl restart network.service
# systemctl -f enable openvpn@server.service
# systemctl start openvpn@server.service
- The client configuration file (.ovpn), one directive per line
client
dev tun
proto udp
remote yourhost/ip 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
comp-lzo
verb 3
route-method adaptive
route-delay 2
persist-key
persist-tun
auth-user-pass
redirect-gateway
# Tune openvpn
mssfix 1300
mute-replay-warnings
# Tweak speed
sndbuf 393216
rcvbuf 393216
route yourhost/ip 255.255.255.255 net_gateway
route 0.0.0.0 0.0.0.0
<ca>
-----BEGIN CERTIFICATE-----
# paste the body of /etc/openvpn/easy-rsa/keys/ca.crt here
-----END CERTIFICATE-----
</ca>
<cert>
# paste the contents of /etc/openvpn/easy-rsa/keys/client.crt here
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# paste the body of /etc/openvpn/easy-rsa/keys/client.key here
-----END PRIVATE KEY-----
</key>