OpenVPN

Install the EPEL repository

Install openvpn and easy-rsa

# pull in the server daemon and the easy-rsa 2.x PKI helper scripts (both from EPEL)
yum install -y openvpn easy-rsa

Set up the easy-rsa environment
Change to the easy-rsa directory and source `vars` to set up your environment properly

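# Stop here if easy-rsa 2.0 is not installed where expected; sourcing vars from the
# wrong directory would silently build keys somewhere else.
cd /usr/share/easy-rsa/2.0/ || exit 1
# Explicit ./ so the vars file in this directory is sourced, not a same-named file
# found earlier on PATH (bash searches PATH first for a bare name).
source ./vars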

Build the CA cert, the server cert and a client cert (we'll call it client1)

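# The steps are chained with && so a failed or aborted step (for example declining
# a prompt) does not run the following ones against missing key material.
#
# clean-all: run only in the beginning; otherwise it deletes all your existing keys.
# build-ca: the certificate authority that will sign (authorize) the server and
#           client certs -- follow prompts and enter relevant info.
# build-key-server server: the server cert, named "server" to match the cert/key
#           paths used in openvpn.conf -- follow prompts.
# build-key client1: one client cert; repeat build-key with a new name per client.
# build-dh: Diffie-Hellman parameters, written as keys/dh<KEY_SIZE>.pem -- confirm
#           KEY_SIZE=2048 in vars so the file name matches dh2048.pem in openvpn.conf.
# NOTE(review): none of these steps produce keys/crl.pem, which openvpn.conf below
# requires via crl-verify; easy-rsa's revoke-full script is what writes a CRL --
# confirm how the CRL is generated before starting the server.
./clean-all \
  && ./build-ca \
  && ./build-key-server server \
  && ./build-key client1 \
  && ./build-dh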

Copy crl.pem to /etc/openvpn/ (the config below references it via crl-verify) and create /etc/openvpn/openvpn.conf

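# Fail early if the package did not create /etc/openvpn (the editor would otherwise
# open a file in whatever directory we happen to be in).
cd /etc/openvpn || exit 1
# paste the block below into this file
vim /etc/openvpn/openvpn.conf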
 
##### PASTE THIS
# Server-side OpenVPN configuration. The ca/cert/key/dh paths below point at the
# easy-rsa keys directory built above; adjust them if the key material is moved.
dev tun0
writepid /var/run/openvpn.pid
# NOTE(review): level 3 additionally lets passwords reach scripts through the
# environment; this config defines no script hooks, so a lower level (or omitting
# the directive) looks sufficient -- confirm before keeping 3.
script-security 3
#daemon
# ping every 10 s, restart the link after 60 s of silence
keepalive 10 60
ping-timer-rem
# keep the tun device and key material open across restarts; needed because
# privileges are dropped to nobody below and cannot be regained to reopen them
persist-tun
persist-key
proto tcp-server
# NOTE(review): a CBC cipher combined with comp-lzo below has documented
# plaintext-recovery concerns for compressed TLS traffic; prefer an AEAD cipher
# (e.g. AES-256-GCM) where the installed OpenVPN supports it and drop compression.
cipher AES-128-CBC
#local 10.128.208.191
# address the daemon binds to (the public interface of this host)
local 107.170.43.72
tls-server
# VPN subnet; the server takes the first address and hands out the rest to clients
server 10.77.7.0 255.255.255.0
port 1194
# NOTE(review): with the default net30 topology a /24 yields roughly 63 client
# slots, so 250 cannot be reached without "topology subnet" -- confirm the
# intended topology.
max-clients 250
# run as user/group nobody
user nobody
group nobody
# you can push dns and search path for ovpn dhcp clients
# NOTE(review): confirm the installed release accepts DOMAIN-SEARCH (older
# releases only know dhcp-option DOMAIN).
push "dhcp-option DOMAIN-SEARCH nyc2.ajc.technology"
push "dhcp-option DNS 8.8.8.8"
ca /usr/share/easy-rsa/2.0/keys/ca.crt
cert /usr/share/easy-rsa/2.0/keys/server.crt
# NOTE(review): the private key stays in the easy-rsa keys directory; it is read
# before privileges are dropped, so keep it readable by root only.
key /usr/share/easy-rsa/2.0/keys/server.key
dh /usr/share/easy-rsa/2.0/keys/dh2048.pem
# see the cipher note above: compression over TLS is the risky half of that pairing
comp-lzo
persist-remote-ip
#float
# push routes if you wish
push "route 10.128.0.0 255.255.0.0"
# NOTE(review): OpenVPN will fail to load the CRL if this file is missing, and none
# of the easy-rsa steps on this page create crl.pem (easy-rsa's revoke-full writes
# one) -- generate it, or drop this line until a CRL exists.
# NOTE(review): no tls-auth/tls-crypt key is configured; adding one shields the
# TLS handshake on the open port from unauthenticated packets.
crl-verify /etc/openvpn/crl.pem
##### END PASTE THIS

Enable ip_forward so traffic can pass between the VPN network and other networks

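#!/usr/bin/env bash
# Enable IPv4 forwarding now and make it persist across reboots via sysctl.conf.
# Must run as root.
set -euo pipefail

#######################################
# Ensure "net.ipv4.ip_forward = 1" is the active (uncommented) setting in a
# sysctl-style file, appending the entry if it is absent.
# Arguments: $1 - path to the sysctl conf file
# Outputs:   progress messages on stdout
# Returns:   0 on success (set -e aborts on a failed grep/sed/append)
#######################################
persist_ip_forward() {
  local conf=$1
  # Anchored at line start so a commented-out "#net.ipv4.ip_forward = 1" does not
  # count as set; dots escaped so they match literally; spaces around "=" optional.
  local active='^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*='

  if grep -q "${active}[[:space:]]*1[[:space:]]*$" "$conf"; then
    return 0
  fi
  echo "ip_forward not set to persist, modifying $conf"
  if grep -q "$active" "$conf"; then
    echo "net.ipv4.ip_forward exists but not set to 1, setting"
    # Rewrite the whole active line so values other than 0 are handled too.
    # (The original had the conf path glued to the sed script, so sed read stdin.)
    sed -i "s/${active}.*/net.ipv4.ip_forward = 1/" "$conf"
  else
    echo "conf entry doesn't exist at all, appending to bottom"
    echo "net.ipv4.ip_forward = 1" >> "$conf"
  fi
}

# take effect immediately on the running kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
persist_ip_forward /etc/sysctl.conf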

12) Download a client on a client machine and copy the following files from the server to the client machine: ca.crt, client1.csr, client1.key, client1.crt
