@deviousway
Last active April 10, 2018 19:34
centos7 VPN setup

OpenVPN Setup

Install packages

yum -y install epel-release
yum --enablerepo=epel -y install openvpn easy-rsa net-tools bridge-utils iptables-services mlocate wget htop nano

easy-rsa3 certificates

[EasyRSA3-OpenVPN-Howto](https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto)

  1. On the CA, start a new PKI and build a CA keypair/cert:
     ./easyrsa init-pki
     ./easyrsa build-ca
  2. On each server system, generate a keypair and request. Normally these are left unencrypted by using the "nopass" argument, since servers usually start up without any password input. This generates an unencrypted key, so protect its access and file permissions carefully.
     ./easyrsa init-pki
     ./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass
  3. On each client, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request on each client as follows:
     ./easyrsa init-pki
     ./easyrsa gen-req UNIQUE_CLIENT_SHORT_NAME
     • Optionally, the private key can be left unencrypted on disk with the additional nopass option after the name. This is not recommended unless automated VPN startup is required. Unencrypted private keys can be used by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.
  4. Send the request files from each entity to the CA system. A request carries only the public key and subject, so this is not security sensitive, though it is wise to verify the received file matches the sender's copy (compare a hash out-of-band) if the transport is untrusted.
  5. On the CA, import each entity request file, giving it an arbitrary "short name" as follows. This basically just copies the request file into reqs/ under the PKI dir to prepare it for review and signing.
     ./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
  6. Review each request's details if you wish, then sign it as one of the types: server or client. The type sets the certificate's extended key usage, which is what the client-side remote-cert-tls server check relies on, so never sign a client request as a server.
     • (optional) review the request:
       ./easyrsa show-req UNIQUE_SHORT_FILE_NAME
     • If you are signing as a client:
       ./easyrsa sign-req client UNIQUE_SHORT_FILE_NAME
     • If you are signing as a server:
       ./easyrsa sign-req server UNIQUE_SHORT_FILE_NAME
  7. The CA returns the signed certificate produced in the above step, and includes the CA certificate (ca.crt) unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid (for example by comparing its fingerprint with the CA operator) if the transport is untrusted.

DH Generation

On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive and are used only by an OpenVPN server.

./easyrsa gen-dh
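
The seven Easy-RSA steps above plus gen-dh, run from one script as an added example (not part of the gist). Three separate PKI directories stand in for the CA, server and client hosts so the "send the request to the CA" and "return the signed cert" steps are visible as file copies, and a small digest helper implements the out-of-band check the wiki recommends for transported requests and for ca.crt. Assumptions not taken from the page: Easy-RSA 3.0.x is in $EASYRSA_DIR (CentOS 7 EPEL installs it under /usr/share/easy-rsa/3.0.3), the names vpn-ca, vpn-server and alice are placeholders, and the CA and client keys are kept encrypted, so openssl prompts for their passphrases while everything else runs unattended under --batch.

```shell
#!/bin/sh
# Added example, not part of the gist: the Easy-RSA 3 procedure driven from
# one script with separate PKI directories for CA, server and client.
# Assumptions: Easy-RSA 3.0.x in $EASYRSA_DIR; vpn-ca, vpn-server and alice
# are placeholder names; CA and client keys stay passphrase-protected.
set -e

EASYRSA_DIR="${EASYRSA_DIR:-/usr/share/easy-rsa/3.0.3}"
WORK="${WORK:-$PWD/pki-demo}"

# SHA-256 of a file as bare hex, for checking a transported .req or ca.crt
# against the sender's copy over an out-of-band channel (phone, chat, ...).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Run easyrsa from its own directory (it expects openssl-easyrsa.cnf and
# x509-types next to it) against an explicit PKI directory; --batch
# suppresses easyrsa's own yes/no prompts, not openssl's passphrase prompts.
ersa() {
    pki="$1"; shift
    (cd "$EASYRSA_DIR" && ./easyrsa --batch --pki-dir="$pki" "$@")
}

build_pki() {
    ca="$WORK/ca"; srv="$WORK/server"; cli="$WORK/client"
    mkdir -p "$WORK"

    # Step 1, CA host: fresh PKI and an encrypted CA key (the root of trust).
    ersa "$ca" init-pki
    ersa "$ca" --req-cn=vpn-ca build-ca

    # Step 2, server host: unencrypted key so the daemon starts unattended;
    # easyrsa creates it mode 0600, keep it that way.
    ersa "$srv" init-pki
    ersa "$srv" --req-cn=vpn-server gen-req vpn-server nopass

    # Step 3, client host: encrypted key (no "nopass").
    ersa "$cli" init-pki
    ersa "$cli" --req-cn=alice gen-req alice

    # Step 4: transport the requests to the CA (here a copy on the same disk)
    # and confirm they arrived intact by comparing digests.
    cp "$srv/reqs/vpn-server.req" "$ca/vpn-server.req"
    cp "$cli/reqs/alice.req" "$ca/alice.req"
    [ "$(file_digest "$srv/reqs/vpn-server.req")" = "$(file_digest "$ca/vpn-server.req")" ]
    [ "$(file_digest "$cli/reqs/alice.req")" = "$(file_digest "$ca/alice.req")" ]

    # Steps 5 and 6, CA host: import under a short name, then sign with the
    # right type. The type selects the extended key usage that the clients'
    # "remote-cert-tls server" check later relies on.
    ersa "$ca" import-req "$ca/vpn-server.req" vpn-server
    ersa "$ca" import-req "$ca/alice.req" alice
    ersa "$ca" sign-req server vpn-server
    ersa "$ca" sign-req client alice

    # Step 7: hand back the issued certs with ca.crt. Verify the chain first
    # and publish the CA fingerprint so clients can confirm what they got.
    openssl verify -CAfile "$ca/ca.crt" "$ca/issued/vpn-server.crt" "$ca/issued/alice.crt"
    openssl x509 -in "$ca/issued/vpn-server.crt" -noout -text | grep -A1 'Extended Key Usage'
    echo "ca.crt sha256: $(file_digest "$ca/ca.crt")"

    # DH parameters belong to the server's PKI; public, but slow to generate.
    ersa "$srv" gen-dh
}

case "${1:-}" in
    build)  build_pki ;;
    digest) file_digest "$2" ;;
    *)      : ;;   # no argument: just define the functions
esac
```

Run as "sh easyrsa-demo.sh build" on a scratch machine; "sh easyrsa-demo.sh digest FILE" prints the same hex the recipient should read back to you. The issued files end up in pki-demo/ca/issued/ and the server key in pki-demo/server/private/, which is what server.conf points at (with the gist's paths substituted).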

OpenVPN configuration

openvpn --genkey --secret /etc/openvpn/ta.key

ta.key is the tls-auth HMAC key. It is shared by the server and every client (it is inlined in the client profile below), so treat it as a secret; it lets the server discard packets that do not carry a valid HMAC before any TLS processing happens.

edit /etc/openvpn/server.conf

local $IP                # public address to bind to; replace $IP
port 9949
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
# key and dh are read straight from the easy-rsa PKI directory; the key must
# stay readable by root only (it is loaded before privileges drop to nobody)
key /usr/share/easy-rsa/3.0.3/pki/private/server.key
dh /usr/share/easy-rsa/3.0.3/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# This file is secret. Relative paths resolve against /etc/openvpn, because the
# openvpn@ unit starts the daemon with --cd /etc/openvpn
tls-auth ta.key 0
# 2.4 clients negotiate AES-256-GCM on top of this (ncp-ciphers default)
cipher AES-256-CBC
# compression of TLS-protected traffic has a known plaintext-recovery weakness
# (VORACLE); drop it here and in every client profile unless you really need it
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 0                   # almost silent; use verb 3 while troubleshooting
explicit-exit-notify 1

System setup

NAT the VPN subnet out of the uplink interface (eth0 here) and turn on forwarding. The two iptables lines are not the whole ruleset: iptables-services ships a default /etc/sysconfig/iptables whose INPUT chain accepts only ssh and whose FORWARD chain rejects everything, so udp/9949 on INPUT and tun0 to eth0 on FORWARD need ACCEPT rules as well before the save, and firewalld must be stopped and masked so it does not replace the rules on reboot. net.ipv6.conf.all.forwarding is only needed if the server also hands out IPv6 addresses (server-ipv6), which this server.conf does not; leave it off unless you also write ip6tables rules to police it.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/sbin/service iptables save
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1

edit /etc/sysctl.d/01-sysctl.conf (persists the settings across reboots)

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

autostart

systemctl enable openvpn@server    # openvpn@NAME reads /etc/openvpn/NAME.conf
systemctl enable iptables          # reloads /etc/sysconfig/iptables at boot
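
A complete /etc/sysconfig/iptables for this server, as an added example (not part of the gist). It supplies what the System setup and autostart steps above leave implicit: on CentOS 7 the iptables-services default ruleset accepts only ssh on INPUT and rejects all of FORWARD, so the MASQUERADE rule alone neither admits the VPN port nor lets client traffic through. The ruleset is produced by a function so it can be reviewed before iptables-restore loads it. Interface names (eth0, tun0), the subnet and the port follow server.conf; ssh on port 22, DROP default policies and the file locations are assumptions for this example, and IPv6 is deliberately left out because server.conf hands out no IPv6 addresses.

```shell
#!/bin/sh
# Added example, not part of the gist. Generates and optionally applies the
# iptables ruleset and sysctl file this server needs. Assumptions: eth0 is
# the uplink, tun0 the VPN interface, 10.8.0.0/24 and udp/9949 as in
# server.conf, ssh on tcp/22.
set -e

VPN_PORT="${VPN_PORT:-9949}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
SSH_PORT="${SSH_PORT:-22}"

# Print a complete /etc/sysconfig/iptables in iptables-restore format.
# Default policies DROP; only what ssh and the VPN need is opened. With
# FORWARD at DROP and no tun0->tun0 rule, VPN clients cannot reach each other.
gen_iptables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Persisted sysctl settings: IPv4 forwarding only. server.conf has no
# server-ipv6, so IPv6 forwarding stays off (nothing would filter it).
gen_sysctl_conf() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Write both files and load them. Requires root; stop and mask firewalld
# first or it will replace these rules on the next boot.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    gen_iptables_rules > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
    gen_sysctl_conf > /etc/sysctl.d/01-sysctl.conf
    sysctl -p /etc/sysctl.d/01-sysctl.conf
}

case "${1:-}" in
    show)  gen_iptables_rules ;;
    apply) apply_rules ;;
    *)     : ;;   # no argument: just define the functions
esac
```

"sh firewall.sh show" prints the file for review; "sh firewall.sh apply" writes and loads it. Before applying on CentOS 7 run "systemctl stop firewalld; systemctl disable firewalld; systemctl mask firewalld", otherwise the two firewall services fight over the same tables.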

example of *.ovpn file

client
dev tun
proto udp
remote  $SERVER_IP 9949
resolv-retry infinite

nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

persist-key
persist-tun

# VPN over Tor: Tor's SOCKS port carries TCP only, so this needs proto tcp-client
# and a TCP server instance; socks-proxy-retry is no longer needed on 2.4
;socks-proxy-retry
;socks-proxy 127.0.0.1 9050

mute-replay-warnings


<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>

# alternative to the inline blocks above: reference the files on disk
#ca ca.crt
#cert client.crt
#key client.key
# client-side DNS; Windows applies it natively, Linux needs the up script below
dhcp-option DNS 1.1.1.1
# accept only a server certificate signed with the "server" type, so a leaked
# client certificate cannot be used to impersonate the server
remote-cert-tls server

# tls-auth key shared with the server; the server uses direction 0, clients 1
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

# must match the server; 2.4 peers negotiate AES-256-GCM on top of this
cipher AES-256-CBC

# must match the server; compression weakens TLS against plaintext recovery,
# better removed on both sides
comp-lzo

verb 3
# On Linux the pushed DNS servers are only applied by an up/down script such as
# Debian/Ubuntu's update-resolv-conf; script-security 2 allows calling it
script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf
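
A shell function that assembles a unified .ovpn like the one above from a client's Easy-RSA files, as an added example (not part of the gist): each client ends up with one file carrying CA, certificate, key and tls-auth key inline, which is what the placeholders in the example stand for. Assumptions not taken from the page: Easy-RSA's default layout (PKI/ca.crt, PKI/issued/NAME.crt, PKI/private/NAME.key), the server's ta.key copied to where the profile is built, and vpn.example.net as the server name. Easy-RSA prepends a human-readable dump to issued certificates; only the PEM block is embedded.

```shell
#!/bin/sh
# Added example, not part of the gist: build a unified client profile from
# Easy-RSA PKI files. Assumptions: Easy-RSA's default layout under PKI_DIR,
# the server's ta.key at TA_KEY, server name and port given as arguments.
set -e

# make_ovpn NAME SERVER PORT PKI_DIR TA_KEY  -> profile on stdout
make_ovpn() {
    name="$1"; server="$2"; port="$3"; pki="$4"; ta="$5"
    ca="$pki/ca.crt"; cert="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "make_ovpn: missing $f" >&2; return 1; }
    done
    # The gist recommends passphrase-protected client keys; warn otherwise,
    # since the profile carries the key and anyone holding the file can use it.
    if ! grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "make_ovpn: $key is not passphrase-protected" >&2
    fi
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# only accept a server certificate signed with the "server" type
remote-cert-tls server
# must match the server; 2.4 peers negotiate AES-256-GCM on top of this
cipher AES-256-CBC
# must match the server; remove on both sides unless compression is needed
comp-lzo
# do not keep the key passphrase cached in memory once the key is loaded
auth-nocache
verb 3
# Linux only: apply the pushed DNS servers (Debian/Ubuntu helper script)
;script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf
<ca>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca")
</ca>
<cert>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert")
</cert>
<key>
$(cat "$key")
</key>
key-direction 1
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}

case "${1:-}" in
    "") : ;;                # no argument: just define the function
    *)  make_ovpn "$@" ;;
esac
```

Usage: "sh make-ovpn.sh alice vpn.example.net 9949 /path/to/pki /path/to/ta.key > alice.ovpn". The resulting file contains the private key and the shared tls-auth key, so hand it to the client over a channel you trust and delete the copy afterwards.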

