Install OpenVPN in a Centos 7 Virtual Machine -Page 2

OpenVPN Lab continued from Page 1

Install the EPEL Repositories
========================

To install OpenVPN you will need the EPEL repositories

13. Using yum install EPEL

yum install epel-release

Disable firewalld and use iptables
===========================

14. Centos 7 has the new firewalld dynamic firewall daemon installed by default. Firewalld has many new updated and advanced features that you would want in a firewall, however if you are more familiar with the iptables firewall service you can disable firewalld and use iptables. The following commands assume root access through su.

   systemctl stop firewalld
systemctl disable firewalld

   yum install iptables-services   //iptables should already be installed, if not then type y to install.

systemctl enable iptables
systemctl start iptables
systemctl status iptables
systemctl stop iptables

Stop iptables with the intention of configuring it later in the lab.
Install and Configure the OpenVPN Server
===================================

15. Install OpenVPN server

yum install openvpn

16. Copy the sample OpenVPN server configuration file to the /etc/openvpn folder

   cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/
ls
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn

17. Edit the OpenVPN server.conf file

   cd /etc/openvpn
nano server.conf

edit -> uncomment the following lines and change the DNS server addresses
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
user nobody
group nobody

Install Easy-RSA to create certificate of authority, server certificates, and keys
================================================================

18. Install easy-rsa to handle encryption, certificates, and keys

   yum install easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

19. Change the variables file in the easy-rsa folder

   nano /etc/openvpn/easy-rsa/vars

edit -> change the following lines (the following settings are just my example settings)
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”OR”
export KEY_CITY=”Portland”
export KEY_ORG=”danscourses”
export KEY_EMAIL=”webadmin@danscentos-s2.danscourses.com”
export KEY_OU=”danscourses”

20. Build your security your server security certificates and keys. You will accept the default settings.

   cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server $( hostname )
./build-dh

21. Copy your server certificates and keys to the openvpn folder

   cd /etc/openvpn/easy-rsa/keys
cp ca.crt danscentos-s2.crt danscentos-s2.key dh2048.pem /etc/openvpn

Start the OpenVPN Server
=====================

22. Restore SE Linux security context and create symbolic link for systemd

   restorecon -Rv /etc/openvpn
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service

23. Edit the OpenVPN server.conf file and change the names of the server certificate and server key, to match the certificates and keys that you created. Save the file and exit.

   cd /etc/openvpn
nano server.conf

in server.conf change the following lines:
cert server.crt
key server.key    # This file should be kept secret

replace the word “server” with your server’s hostname which should be the name of your server certificate and key files:
cert danscentos-s2.crt
key danscentos-s2.key    # This file should be kept secret

24. Start the OpenVPN server

   systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service

 

Video Tutorial

 

 

Click here to go to Part 3

 

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

Leave a Reply

Your email address will not be published. Required fields are marked *