OpenVPN Lab continued from Page 1
Install the EPEL Repositories
========================
OpenVPN is not in the base CentOS 7 repositories, so you need EPEL (Extra Packages for Enterprise Linux) first.
13. Using yum, install the EPEL release package
yum install epel-release
Disable firewalld and use iptables
===========================
14. CentOS 7 installs the new firewalld dynamic firewall daemon by default. firewalld has many new and advanced features you would want in a firewall, but if you are more familiar with the iptables service you can disable firewalld and use iptables instead. The following commands assume root access obtained through su.
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services   # iptables itself should already be installed; answer y to install the service package if prompted
systemctl enable iptables
systemctl start iptables
systemctl status iptables
systemctl stop iptables
Stop iptables with the intention of configuring it later in the lab. Be aware that with firewalld disabled and iptables stopped the server has no packet filtering at all until you load a ruleset, so do this only on a lab host that is not exposed to untrusted networks. The iptables service stays enabled, so at the next boot it loads whatever rules are saved in /etc/sysconfig/iptables.
Install and Configure the OpenVPN Server
===================================
15. Install the OpenVPN server package (it comes from EPEL)
yum install openvpn
16. Copy the sample OpenVPN server configuration file to the /etc/openvpn folder. The version number in the documentation path depends on the package you installed; the ls confirms the directory exists, so adjust the path if your version differs.
cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/
ls
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn
17. Edit the OpenVPN server.conf file
cd /etc/openvpn
nano server.conf
edit -> uncomment the following five lines (remove the leading ;) and change the DNS server addresses to the resolvers you want clients to use. The redirect-gateway push sends all of the client's traffic through the VPN, so the server must have IP forwarding enabled and NAT rules for the VPN subnet before clients can reach the Internet through it. user nobody and group nobody make OpenVPN drop its root privileges once it has finished initializing, which limits the damage if the daemon is compromised.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
Install Easy-RSA to create the certificate authority, server certificate, and keys
================================================================
18. Install easy-rsa, the scripts that manage the OpenVPN PKI (the certificate authority, the server and client certificates, and their private keys)
yum install easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
19. Change the variables file in the easy-rsa folder. These values become the default subject fields of every certificate you build.
nano /etc/openvpn/easy-rsa/vars
edit -> change the following lines (the following settings are just my example settings)
export KEY_COUNTRY="US"
export KEY_PROVINCE="OR"
export KEY_CITY="Portland"
export KEY_ORG="danscourses"
export KEY_EMAIL="webadmin@danscentos-s2.danscourses.com"
export KEY_OU="danscourses"
20. Build your certificate authority and the server certificate and key. Accept the default values at each prompt (they come from vars), and answer y when build-key-server asks whether to sign the certificate and commit it. The hostname is used as the certificate's Common Name and as the base of the output file names in the keys folder. clean-all wipes the keys folder, so never run it again once the CA exists.
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server $( hostname )
./build-dh
21. Copy the CA certificate, the server certificate and key, and the Diffie-Hellman parameters to the openvpn folder. The file names below match the hostname danscentos-s2 used in this example; substitute your own. build-dh names its output after KEY_SIZE in vars, so if you changed it from 2048 the file name (and the dh line in server.conf) will differ. The .key file is the server's private key and must stay readable only by root.
cd /etc/openvpn/easy-rsa/keys
cp ca.crt danscentos-s2.crt danscentos-s2.key dh2048.pem /etc/openvpn
Start the OpenVPN Server
=====================
22. Restore the SELinux security context on the copied files and create the systemd symbolic link for the server instance. restorecon relabels the certificates and keys so the confined openvpn process is allowed to read them; the symlink enables openvpn@server, the instance of the template unit that reads /etc/openvpn/server.conf (the systemctl enable -f in step 24 creates the same link).
restorecon -Rv /etc/openvpn
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
23. Edit the OpenVPN server.conf file and change the names of the server certificate and server key to match the files you created. The ca ca.crt and dh dh2048.pem lines already match the files copied in step 21. Save the file and exit.
cd /etc/openvpn
nano server.conf
in server.conf change the following lines:
cert server.crt
key server.key # This file should be kept secret
replace the word "server" with your server's hostname, which is the base name of your server certificate and key files:
cert danscentos-s2.crt
key danscentos-s2.key # This file should be kept secret
24. Enable and start the OpenVPN server. The -f replaces the symlink created by hand in step 22. status should report the unit as active; if it does not, the startup messages in journalctl -u openvpn@server (or /var/log/messages) usually name the file or directive OpenVPN could not use.
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
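The script below is an added example, not part of the original lab. It applies the server.conf edits from steps 17 and 23 without an editor, then checks the result the way you would before starting the service: every file named by the ca, cert, key and dh directives exists in /etc/openvpn, the private key is not readable by other users, the server certificate chains to ca.crt, and the key actually belongs to that certificate. Paths and the hostname are parameters; the usage comments assume the lab's /etc/openvpn layout and the example hostname danscentos-s2. It relies on GNU stat (present on CentOS) and openssl.

```shell
#!/usr/bin/env bash
# Added example for the OpenVPN lab: non-interactive server.conf edit plus a
# sanity check of the files it references. Not the lab's own code.
set -u

# configure_server_conf CONF HOSTNAME DNS1 DNS2
# Uncomments the redirect-gateway push, the two DNS pushes (set to DNS1/DNS2)
# and user/group nobody, and points cert/key at HOSTNAME.crt / HOSTNAME.key,
# exactly the edits of steps 17 and 23. The file is rewritten in place so it
# keeps its owner, mode and SELinux context.
configure_server_conf() {
    local conf=$1 host=$2 dns1=$3 dns2=$4 tmp rc
    tmp=$(mktemp) || return 1
    awk -v host="$host" -v dns1="$dns1" -v dns2="$dns2" '
        /^;?push "redirect-gateway def1 bypass-dhcp"/ { print "push \"redirect-gateway def1 bypass-dhcp\""; next }
        /^;?push "dhcp-option DNS / {
            n++
            if (n == 1)      { print "push \"dhcp-option DNS " dns1 "\""; next }
            else if (n == 2) { print "push \"dhcp-option DNS " dns2 "\""; next }
        }
        /^;?user nobody/  { print "user nobody";  next }
        /^;?group nobody/ { print "group nobody"; next }
        /^cert /          { print "cert " host ".crt"; next }
        /^key /           { print "key " host ".key"; next }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_openvpn_dir DIR CONF
# Confirms CONF has exactly one ca, cert, key and dh directive, that each file
# exists in DIR, and that the private key is mode 600 or 400. Prints every
# problem found and returns 1 if there were any.
check_openvpn_dir() {
    local dir=$1 conf=$2 problems
    if [ "$(grep -cE '^(ca|cert|key|dh) ' "$conf")" -ne 4 ]; then
        echo "expected exactly one ca, cert, key and dh directive in $conf"
        return 1
    fi
    problems=$(grep -E '^(ca|cert|key|dh) ' "$conf" | while read -r directive file _; do
        if [ ! -f "$dir/$file" ]; then
            echo "missing $directive file: $dir/$file"
        elif [ "$directive" = key ]; then
            case $(stat -c %a "$dir/$file") in          # GNU stat: octal mode
                600|400) ;;
                *) echo "key $dir/$file is readable by others; run: chmod 600 $dir/$file" ;;
            esac
        fi
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# verify_server_cert DIR CA CERT KEY
# Checks with openssl that CERT is signed by CA and that KEY is the private key
# for CERT (same RSA modulus), then prints the certificate subject so the CN
# can be compared with the hostname given to build-key-server in step 20.
verify_server_cert() {
    local dir=$1 ca=$2 cert=$3 key=$4
    openssl verify -CAfile "$dir/$ca" "$dir/$cert" 2>&1 | grep -q ': OK$' \
        || { echo "$cert is not signed by $ca"; return 1; }
    [ "$(openssl x509 -noout -modulus -in "$dir/$cert")" = \
      "$(openssl rsa  -noout -modulus -in "$dir/$key")" ] \
        || { echo "$key does not belong to $cert"; return 1; }
    openssl x509 -noout -subject -in "$dir/$cert"
}

# Usage on the lab server, as root, after step 21 (hostname danscentos-s2 assumed):
#   configure_server_conf /etc/openvpn/server.conf "$(hostname)" 8.8.8.8 8.8.4.4
#   check_openvpn_dir /etc/openvpn /etc/openvpn/server.conf
#   verify_server_cert /etc/openvpn ca.crt "$(hostname).crt" "$(hostname).key"
```

Run the three calls in that order before step 24; a failing check_openvpn_dir or verify_server_cert explains most "failed to start" results from systemctl status, since OpenVPN refuses to start when a referenced file is missing or the certificate and key do not match.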