Course Development Director in Content
In this learning activity, we will install and configure OpenVPN as a server on
Server1, and as a client on
Client1. All of the configuration parameters will be provided.
A business unit has deployed a site for private internal use, and only wants VPN users to have access. They are asking us to create a VPN server, and we have been provided with a client host as well.
Server1(10.0.1.10) Should be configured as a VPN server
Client1(10.0.2.11) Should be configured as a VPN client
All configuration parameters and information are available in the tasks.
Get logged in
Use the credentials and server IP in the hands-on lab overview page to log into our lab server. Notice there are two machines we're working with. Pay attention in the lab guide, as the shell prompt will reveal which one we're working with at the moment.
Install OpenVPN on
Before we do anything else, let's run a
sudo -i right off. Then we'll be
root and won't have to keep typing in a password.
In order to install the OpenVPN package, we'll first need to install the EPEL repo:
[root@Server1]# yum -y install epel-release
Once EPEL is installed, we can go ahead with installing OpenVPN:
[root@Server1]# yum -y install openvpn
Let's enable masquerading in the firewall, and then reload things so the changes take effect:
[root@Server1]# firewall-cmd --permanent --add-port=1194/tcp [root@Server1]# firewall-cmd --permanent --add-masquerade [root@Server1]# firewall-cmd --reload
Create Keys and Credentials on
We'll use EasyRSA to create and sign the keys for the server and client. Install it with this:
[root@Server1]# yum -y install easy-rsa
Create a directory to hold the files we'll create:
[root@Server1]# mkdir /etc/openvpn/easy-rsa
and change our working directory to it:
[root@Server1]# cd /etc/openvpn/easy-rsa
To make things a littler easier, let's append the EasyRSA executable folder to our current path:
[root@Server1]# easyrsa init-pki
Build the CA (remember the password you use, you can leave the common name as the default):
[root@Server1]# easyrsa build-ca
Generate a Diffie-Hellman key for forward secrecy:
[root@Server1]# easyrsa gen-dh
Now we'll move on to the server credentials. For convenience, we won’t password protect these.
Create the server certificate:
[root@Server1]# easyrsa gen-req server nopass
Sign the server certificate:
[root@Server1]# easyrsa sign-req server server
We'll be prompted to type
yes here. There's also a spot in here where we've got to enter the password we created a few steps back, with the
easyrsa init-pki command.
Create the client certificate:
[root@Server1]# easyrsa gen-req client nopass
Sign the client certificate:
[root@Server1]# easyrsa sign-req client client
yes when prompted, and enter the same pass we did for the server creation.
Now we need to generate the TLS key:
[root@Server1]# cd /etc/openvpn [root@Server1]# openvpn --genkey --secret pfs.key
Configure the OpenVPN Server on
We'll need to create and edit
/etc/openvpn/server.conf Make sure it has these contents:
port 1194 proto tcp dev tun ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem topology subnet cipher AES-256-CBC auth SHA512 server 10.8.0.0 255.255.255.0 push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 18.104.22.168" push "dhcp-option DNS 22.214.171.124" ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 tls-server tls-auth /etc/openvpn/pfs.key
We should be able to enable and start OpenVPN now:
[root@Server1]# systemctl enable email@example.com [root@Server1]# systemctl start firstname.lastname@example.org
Package up Keys and Certificates on
Server1 for Copying to
We'll need to package up the credentials we created, then copy them to
Client1. These commands do it all:
[root@Server1]# cd /etc/openvpn [root@Server1]# mkdir -p server1/keys [root@Server1]# cp pfs.key server1/keys [root@Server1]# cp easy-rsa/pki/dh.pem server1/keys [root@Server1]# cp easy-rsa/pki/ca.crt server1/keys [root@Server1]# cp easy-rsa/pki/private/ca.key server1/keys [root@Server1]# cp easy-rsa/pki/private/client.key server1/keys [root@Server1]# cp easy-rsa/pki/issued/client.crt server1/keys [root@Server1]# tar cvzf /tmp/keys.tgz server1/
Install OpenVPN on
Just like when we logged into
Server1, here in
Client1 we want to be
root, so let's run a
sudo -i right of the bat, when we can carry on without needing to type admin passwords to run commands.
We'll need to install EPEL before we can install OpenVPN:
[root@Client1]# yum -y install epel-release [root@Client1]# yum -y install openvpn
Copy and Install Keys from
Now we need to copy the keys we tarred up on
Server1 over to
[root@Client1]# cd /etc/openvpn` [root@Client1]# scp email@example.com:/tmp/keys.tgz ./
We'll need the password for
Server1 at that point. Once the tar file makes the trip, we can extract it:
[root@Client1]# tar xvzf keys.tgz
Configure the VPN client on
With the keys in place, we can configure the client, using
vim client.conf. Put ese contents into the file:
client dev tun proto tcp remote 10.0.1.10 1194 ca server1/keys/ca.crt cert server1/keys/client.crt key server1/keys/client.key tls-version-min 1.2 tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 cipher AES-256-CBC auth SHA512 resolv-retry infinite auth-retry none nobind route-nopull persist-key persist-tun ns-cert-type server comp-lzo verb 3 tls-client tls-auth server1/keys/pfs.key
Start the Client:
[root@Client1]# systemctl start firstname.lastname@example.org
Now if we run
ip a, we'll see a
tun0 interface listed, which is the VPN tunnel.
Add a Static Route on
This is an optional step, and just sort of ties everything together.
In order to have
Client1 traffic to
node1 originate on the 10.8.0.0/24 network, we'll need to add a static route, so that the VPN tunnel is the interface that connects to that host:
[root@Client1]# ip route add 10.0.1.20 dev tun0
We can can verify the entry using:
[root@Client1]# ip route show
We should now be able to access the website on
[root@Client1]# curl 10.0.1.20
We had a private web server, and only wanted folks accessing it over a VPN. This is exactly what we were supposed to do, and we're done. Congratulations!