CentOS 7.x OpenVPN Server Setup

Having a VPN server can be crucial for many reasons. At a minimum, it should be used whenever you're connected to a public Wi-Fi network, so that your traffic stays private from everyone else on that network.

OpenVPN authenticates the server and each client with X.509 certificates over TLS, and the keys negotiated in that handshake encrypt the data transferred between the VPN server and the client (a client's private key can additionally be protected with a passphrase, so a copied key file is useless on its own). This gives the tunnelled traffic confidentiality and integrity, and protects your privacy to an extent: others on the same network who are sniffing traffic, attempting attacks and so forth only see encrypted packets going to the VPN server.

To Redirect or not to Redirect

OpenVPN, like many other VPN technologies, gives you the option to redirect all of a connected client's traffic over the VPN or to route only the traffic destined for the private networks behind the OpenVPN server. Redirecting all traffic through the VPN increases privacy, since websites, other users on IRC and so on see the VPN server's public address rather than your true IP address at home; routing only the private networks keeps the rest of your Internet traffic on your local connection.

This is something you will need to make a decision on as it will depend on the requirements you currently have.
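The two choices, expressed as server-side directives for the server.conf file that the rest of this guide builds. This is an added example, not configuration from the original page; the 10.8.0.1 DNS address and the 192.168.1.0/24 office network are placeholders.

```conf
# Option A: full tunnel. The client's default route goes over the VPN, so all of its
# Internet traffic leaves from the server's public IP. "def1" overrides the default
# gateway with two /1 routes instead of replacing it, so the original route is not
# wiped out; "bypass-dhcp" keeps the route to the client's DHCP server off the tunnel.
push "redirect-gateway def1 bypass-dhcp"
# With a full tunnel, push a resolver as well; otherwise name lookups still go to the
# DNS server handed out by the public Wi-Fi (10.8.0.1 is a placeholder).
push "dhcp-option DNS 10.8.0.1"

# Option B: split tunnel. Only traffic for the private network(s) behind the server is
# routed over the VPN; everything else stays on the client's own Internet connection.
push "route 192.168.1.0 255.255.255.0"
```

Pick one option, not both. Note that Option A only works if the server forwards packets (net.ipv4.ip_forward=1) and NATs the tunnel subnet out of its public interface; Option B needs the server to have a route to the pushed network.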

Pre-requisites

Let's first ensure we have all the latest updates and packages before moving forward. Too many times I've run into an issue caused by an incompatibility with an outdated package. With the recent Meltdown and Spectre vulnerabilities now patched (for the most part), it's best to make sure you're running all of the latest updates available. In addition, let's get the epel-release package installed, since openvpn and easy-rsa are shipped in EPEL rather than in the base CentOS repositories.

$ sudo yum update -y
$ sudo yum install epel-release

For the sake of ease, let's also switch SELinux over to Permissive mode. (OpenVPN ships with its own SELinux policy module on CentOS 7, so a default install using the standard paths under /etc/openvpn and port 1194 normally runs fine in Enforcing mode; if you would rather keep Enforcing, check /var/log/audit/audit.log for AVC denials whenever the service fails to start.)

/etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
$ sudo setenforce Permissive
$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

If you ever want to turn SELinux off, set it to Permissive rather than Disabled. Disabled unloads the policy entirely, including the logging. Permissive still loads the policy and logs every action that would have been denied (as AVC messages in /var/log/audit/audit.log) without actually blocking you, so you can see what Enforcing mode would have stopped and fix the labels or policy before switching back.

OpenVPN Certificate Setup

  1. Let's get the packages installed for the OpenVPN Server:
    $ sudo yum install easy-rsa openvpn
  2. Copy the easy-rsa package's default configuration over to the OpenVPN server folder:
    $ sudo cp /usr/share/easy-rsa/2.0/ /etc/openvpn/server/easyrsa -Rfv
    ‘/usr/share/easy-rsa/2.0/’ -> ‘/etc/openvpn/server/easyrsa’
    ‘/usr/share/easy-rsa/2.0/build-ca’ -> ‘/etc/openvpn/server/easyrsa/build-ca’
    ‘/usr/share/easy-rsa/2.0/build-dh’ -> ‘/etc/openvpn/server/easyrsa/build-dh’
    ‘/usr/share/easy-rsa/2.0/build-inter’ -> ‘/etc/openvpn/server/easyrsa/build-inter’
    ‘/usr/share/easy-rsa/2.0/build-key’ -> ‘/etc/openvpn/server/easyrsa/build-key’
    ‘/usr/share/easy-rsa/2.0/build-key-pass’ -> ‘/etc/openvpn/server/easyrsa/build-key-pass’
    ....
  3. Copy the example server configuration file for OpenVPN (the path contains the installed version, 2.4.4 here, so adjust it if yum installed a different release):
    $ sudo cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/server/. -fv
  4. Modify /etc/openvpn/server/easyrsa/vars (these values become the defaults offered for every certificate's Distinguished Name):
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="TX"
    export KEY_CITY="SanAntonio"
    export KEY_ORG="MyOrganization"
    export KEY_EMAIL="sysadmins@domain.com"
    export KEY_OU="SupportIT"
    
  5. From inside /etc/openvpn/server/easyrsa (the scripts expect to be run from that directory), source the vars file to export its variables, then run ./clean-all. Heed the warning it prints: clean-all wipes the keys directory, so never run it again once you've generated your CA:
    # source ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/server/easyrsa/keys
    # ./clean-all
  6. Generate the CA and the Diffie-Hellman parameters:
    # ./build-ca
    Generating a 2048 bit RSA private key
    ............................................++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [TX]:
    Locality Name (eg, city) [SanAntonio]:
    Organization Name (eg, company) [MyOrganization]:
    Organizational Unit Name (eg, section) [SupportIT]:
    Common Name (eg, your name or your server's hostname) [MyOrganization CA]:
    Name [EasyRSA]:CA
    Email Address [sysadmins@domain.com]:
    
    # ./build-dh
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    .................................................+.......+.......
    ...
    
  7. Build a new key for the VPN (Windows) client using PKCS12. The export password entered at the end protects the resulting .p12 bundle, which contains the client's private key, its certificate and the CA certificate. The server needs a certificate of its own as well, generated with easy-rsa 2.0's ./build-key-server script (not shown on this page):
    # ./build-key-pkcs12 DavidVPN
    Generating a 2048 bit RSA private key
    ............................................................+++
    ...........................+++
    writing new private key to 'DavidVPN.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [TX]:
    Locality Name (eg, city) [SanAntonio]:
    Organization Name (eg, company) [MyOrganization]:
    Organizational Unit Name (eg, section) [SupportIT]:
    Common Name (eg, your name or your server's hostname) [DavidVPN]:
    Name [EasyRSA]:
    Email Address [sysadmins@domain.com]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/server/easyrsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'TX'
    localityName          :PRINTABLE:'SanAntonio'
    organizationName      :PRINTABLE:'MyOrganization'
    organizationalUnitName:PRINTABLE:'SupportIT'
    commonName            :PRINTABLE:'DavidVPN'
    name                  :PRINTABLE:'EasyRSA'
    emailAddress          :IA5STRING:'sysadmins@domain.com'
    Certificate is to be certified until Jan 22 16:13:09 2028 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Enter Export Password:   **************
    Verifying - Enter Export Password:   **************
    
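Before handing the .p12 to the client, it is worth checking what steps 6 and 7 actually produced in the keys directory: that the client certificate chains to the CA, that the key matches the certificate, that it is marked as a client certificate, and that the bundle really is protected by the export password. The script below is an added example, not code from the original page or from easy-rsa. So that it runs on any machine, it first builds a throwaway CA and client certificate with plain openssl, mirroring what ./build-ca and ./build-key-pkcs12 produce (the client name ExampleVPN, the DN values and the export password demo-export-pw are constructed for the demo); on the real server you would point check_client_bundle at /etc/openvpn/server/easyrsa/keys and the client name you used in step 7.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check an easy-rsa style client
# bundle (keys/ca.crt, keys/<name>.crt, keys/<name>.key, keys/<name>.p12).
# A throwaway CA and client cert are generated with plain openssl so the script is
# self-contained; "ExampleVPN" and "demo-export-pw" are constructed demo values.
set -eu

DN_BASE="/C=US/ST=TX/L=SanAntonio/O=MyOrganization/OU=SupportIT"

# Build a scratch keys/ directory in the easy-rsa layout; prints the parent directory.
make_demo_pki() {
    dir=$(mktemp -d)
    mkdir "$dir/keys"
    (
        cd "$dir/keys"
        # CA: self-signed, 3650 days (easy-rsa's CA_EXPIRE), explicit CA:TRUE.
        openssl req -new -newkey rsa:2048 -nodes -subj "$DN_BASE/CN=MyOrganization CA" \
            -keyout ca.key -out ca.csr >/dev/null 2>&1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
        openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext \
            -out ca.crt >/dev/null 2>&1
        # Client key + CSR, signed by the CA with EKU clientAuth (what easy-rsa 2.0's
        # usr_cert section sets, and what "remote-cert-tls client" on the server checks).
        openssl req -new -newkey rsa:2048 -nodes -subj "$DN_BASE/CN=ExampleVPN" \
            -keyout ExampleVPN.key -out ExampleVPN.csr >/dev/null 2>&1
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
        openssl x509 -req -in ExampleVPN.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -extfile client.ext -out ExampleVPN.crt >/dev/null 2>&1
        # PKCS#12 bundle with key, cert and CA, protected by the export password.
        openssl pkcs12 -export -in ExampleVPN.crt -inkey ExampleVPN.key -certfile ca.crt \
            -name ExampleVPN -passout pass:demo-export-pw -out ExampleVPN.p12 >/dev/null 2>&1
    )
    echo "$dir"
}

# check_client_bundle <keys dir> <client name> <export password>
# Returns 0 only if every check passes, 1 at the first failure.
check_client_bundle() {
    keys=$1; name=$2; pw=$3
    # 1. The CA certificate really is a CA (basicConstraints CA:TRUE).
    openssl x509 -in "$keys/ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    # 2. The client cert chains to that CA. The ": OK" text is checked rather than the
    #    exit status because openssl 1.0.x (CentOS 7) exits 0 even on verify failure.
    openssl verify -CAfile "$keys/ca.crt" "$keys/$name.crt" 2>/dev/null | grep -q ': OK$' || return 1
    # 3. The private key belongs to the certificate: compare public-key fingerprints.
    cert_pub=$(openssl x509 -in "$keys/$name.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$keys/$name.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    # 4. It is marked as a client certificate, so the server can enforce remote-cert-tls client.
    openssl x509 -in "$keys/$name.crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
    # 5. It is not expired and not about to expire within 30 days (2592000 s).
    openssl x509 -in "$keys/$name.crt" -noout -checkend 2592000 >/dev/null || return 1
    # 6. The .p12 opens with the export password and carries both the client cert and the CA.
    n=$(openssl pkcs12 -in "$keys/$name.p12" -passin "pass:$pw" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 2 ] || return 1
    # 7. ...and does not open without it, i.e. the bundle is actually password-protected.
    if openssl pkcs12 -in "$keys/$name.p12" -passin pass:not-the-password -nokeys >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

main() {
    dir=$(make_demo_pki)
    if check_client_bundle "$dir/keys" ExampleVPN demo-export-pw; then
        echo "ExampleVPN bundle: all checks passed"
    else
        echo "ExampleVPN bundle: CHECK FAILED" >&2
    fi
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing to check" >&2
fi
```

Check 2 is the one that catches the most common mistake with easy-rsa 2.0: running ./clean-all a second time, rebuilding the CA, and then handing out client bundles that were signed by the old, now-deleted CA.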

OpenVPN Server Configuration

We will use the default "server.conf" example to build our own configuration.
