How to setup OpenVPN Server on Centos 7

-

Introduction

Learn how to set up an OpenVPN server on CentOS 7 with this comprehensive step-by-step guide. Ensure your network's security and privacy with one of the most reliable VPN solutions available. Perfect for both beginners and advanced users.

Setting up a secure and reliable VPN is essential for ensuring privacy and data protection, especially in today's increasingly interconnected world. OpenVPN is one of the most trusted and robust VPN solutions available, providing a high level of security and flexibility for both businesses and individual users. This guide will walk you through the process of setting up an OpenVPN server on CentOS 7, offering step-by-step instructions to help you establish a secure connection that meets your specific needs.

Step 1: Prepare install OpenVPN server

sudo yum update -y
sudo yum install epel-release -y
sudo yum update -y
sudo yum install -y openvpn easy-rsa

Configure Ip forwarding for OpenVPN Server
vim /etc/sysctl.conf
The content sysctl.conf file as below:
Packet forwarding
net.ipv4.ip_forward = 1

Step 2: Configure OpenVPN Server

Open server.conf file
vim /etc/openvpn/server.conf
The content configure as below:
#Secure OpenVPN Server Config
#Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 4

#Certs
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

#Ciphers and Hardening
reneg-sec 0
remote-cert-tls client
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

#Drop Privs
user nobody
group nobody

#IP pool
server 10.10.100.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir client_dir

#Misc
persist-key
persist-tun
comp-lzo

#DHCP Push options force all traffic through VPN and sets DNS servers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Logging
log-append /var/log/openvpn.log
verb 3

Create client configure folder

sudo mkdir /etc/openvpn/client_dir
cd ~
/usr/share/easy-rsa/3/easyrsa init-pki
/usr/share/easy-rsa/3/easyrsa build-ca
/usr/share/easy-rsa/3/easyrsa gen-dh
/usr/share/easy-rsa/3/easyrsa build-server-full vpn-server
/usr/share/easy-rsa/3/easyrsa build-client-full vpn-client-01
/usr/share/easy-rsa/3/easyrsa gen-crl
openvpn --genkey --secret pki/ta.key

sudo cp pki/ca.crt /etc/openvpn/ca.crt
sudo cp pki/dh.pem /etc/openvpn/dh.pem
sudo cp pki/issued/vpn-server.crt /etc/openvpn/server.crt
sudo cp pki/private/vpn-server.key /etc/openvpn/server.key
sudo cp pki/ta.key /etc/openvpn/ta.key
sudo cp pki/crl.pem /etc/openvpn/crl.pem

Start OpenVPN Server

sudo systemctl -f enable openvpn@server.service
sudo systemctl start openvpn@server.service

The display log OpenVPN Server
sudo tail -f /var/log/openvpn.log

Configure IPTables allow OpenVPN Server

-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.10.100.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Start , enable iptables services

sudo systemctl enable iptables
sudo systemctl start iptables
sudo service iptables save

Step 3: Setup client OpenVPN

cd ~
mkdir vpn-client-01-config
cp pki/ca.crt vpn-client-01-config/ca.crt
cp pki/issued/vpn-client-01.crt vpn-client-01-config/client.crt
cp pki/private/vpn-client-01.key vpn-client-01-config/client.key
cp pki/ta.key vpn-client-01-config/ta.key
To configure client with client.ovpn
vim vpn-client-01-config/client.ovpn
The content as below:
# Secure OpenVPN Client Config

#viscosity dns full
#viscosity usepeerdns true
#viscosity dhcp true
tls-client
pull
client
dev tun
proto udp
remote 123.123.123.123 1194
redirect-gateway def1
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
ns-cert-type server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
use tar command to compress folder vpn-client-01-config
tar cvfz vpn-client-01-config.tgz vpn-client-01-config
To download vpn-client-01-config.tgz your windows or linux. How to connect openvpn server from a linux computer

Conclusion

By following the steps outlined in this guide, you have successfully set up an OpenVPN server on CentOS 7. This secure VPN solution not only safeguards your data but also provides the flexibility and control necessary for managing your network traffic. Whether you are securing a business environment or enhancing your personal online privacy, OpenVPN on CentOS 7 offers a powerful and reliable way to protect your connections.

Comments

Post a Comment

Popular posts from this blog

zimbra some services are not running [Solve problem]

-
Introduction How to solved zimbra some services are not running. That after, to installed zimbra mail server. The display a some admin console status red in environment multiple server ( zimbra ldap, zimbra mailbox, zimbra mta etc.). Link to below you maybe likes: How to install and configure zimbra multi server.   How to restrict to user sending mail on zimbra 8.6. How to Restrict Sending to Distribution list in zimbra mail. How to change last login time for all accounts in zimbra ldap. How to zimbra reject authenticated sender login mismatch. Error zimbra some services are not running as bellow Step by step guide the solve problem zimbra some services are not running To restart and enable cron service the permanently. service crond restart chkconfig crond on Opening rsyslog.conf file and uncomment the following. vim /etc/rsyslog.conf Uncomment these two lines $modload imupd $UDPServerRun514   To restart and enable rsyslog service the permanently. servic...
Read more

Bash script list all IP addresses connected to Server with Country Information

-
Introduction This script is designed to list all IP addresses connected to your server, retrieve geographical information for each IP using ipinfo.io , and display the results in a clean format. This guide will walk you through the script, explaining each part in detail, and ensuring you understand how to implement and use it effectively. What is Bash? Bash (Bourne Again Shell) is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. It has since become the default login shell for most Linux distributions. Bash can execute commands, read and execute commands from a file, and provide constructs for condition testing, looping, and functions. Prerequisites A Linux -based server with administrative privileges. Internet connection for accessing ipinfo.io . Basic knowledge of Bash scripting. List all IP addresses connected to Server us Bash Script Running to bash script list all IP addresses connected to Server ./stu...
Read more

Zimbra Client host rejected Access denied fixed

-
Introduction While using Zimbra , you might encounter the "Client host rejected: Access denied" error, which can disrupt your workflow. This is a common issue that can be resolved easily if you understand the causes and the solutions. This article provides a detailed guide on how to fix this error on Zimbra, helping you quickly resume your work smoothly. Zimbra client host rejected Access denied error log Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: NOQUEUE: reject: CONNECT from unknown[192.168.1.113]: 554 5.7.1 <unknown[192.168.1.113]>: Client host rejected: Access denied; proto=SMTP Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: lost connection after CONNECT from unknown[192.168.1.113] Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: disconnect from unknown[192.168.1.113] Allow the network " 192.168.1.0/24 " of client host for zimbraMtaMyNetworks attribute [zimbra@mail ~]$ zmprov ms `zmhostname` zimbraMtaMyNetworks "127.0.0.0/8 192.1...
Read more