How to Configure OpenVPN in Centos 7
We will learn how to configure a VPN on an EC2 instance, and also on a local server in the office, so that the office network can be reached from outside. In the cloud, when we build our own VPC with a public subnet and a private subnet, the EC2 instances in the public subnet are easy to reach, but the instances in the private subnet are not. That is why we configure OpenVPN on an instance in the public subnet.
1. Create an EC2 Instance in your Public Subnet :-
2. Download the Packages and Install them :-
yum install wget -y
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel*.rpm
yum install openvpn openssl ca-certificates easy-rsa -y
cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
cp /etc/openvpn/easy-rsa/openssl-1.0.cnf /etc/openvpn/openssl.cnf
4. Creating the PKI for the CA :-
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
5. Creating a Certificate Authority :-
./easyrsa --batch build-ca nopass
6. Creating the Diffie-Hellman Key Exchange :-
./easyrsa gen-dh
7. Creating the Server Key and Certificate without a Password :-
./easyrsa build-server-full server nopass
8. Creating the Client Key and Certificate without a Password :-
./easyrsa build-client-full client nopass
9. Creating crl.pem and the tls-auth Key :-
openvpn --genkey --secret /etc/openvpn/ta.key
./easyrsa gen-crl
10. Copy all the Files into the /etc/openvpn/ Directory :-
cp pki/ca.crt /etc/openvpn/
cp pki/private/ca.key /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/crl.pem /etc/openvpn/
11. Give Permission on crl.pem :-
chown nobody:nobody /etc/openvpn/crl.pem
12. Open this File and Uncomment these Lines :-
vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
#sndbuf 0
#rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
#comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
#crl-verify crl.pem
log openvpn.log
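Before starting the service it is worth checking that the directory assembled in steps 9 to 12 is consistent. The script below is an added example, not part of the original post: it audits a server.conf for the directives the setup relies on (tls-auth, the user/group privilege drop, an explicit cipher, crl-verify, and comp-lzo left disabled), confirms that every file the config references exists, checks that server.key and ta.key are readable by their owner only, and flags a ca.key sitting next to the server. That last check deliberately disagrees with step 10: server.conf reads only ca.crt, and the CA private key is needed only where client certificates are signed, not on the running server. The sample directory, its server.conf and the empty placeholder key files are constructed here so the script runs offline; in practice call audit_openvpn_dir /etc/openvpn.

```shell
# Added example, not part of the original post: a pre-start audit of the OpenVPN
# server directory. Runs here against a constructed sample directory; in practice
# call audit_openvpn_dir /etc/openvpn.

# Succeed when the named directive appears uncommented as the first token of a line.
directive_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Permission string of a file (e.g. -rw-------), taken from ls for portability.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Audit one OpenVPN directory: print each finding and leave the count in AUDIT_FINDINGS.
audit_openvpn_dir() {
    dir="$1"
    conf="$dir/server.conf"
    AUDIT_FINDINGS=0

    # These directives must be active: tls-auth (HMAC on the control channel),
    # user and group (privilege drop after start), an explicit cipher, and
    # crl-verify so that a client certificate revoked with easyrsa is rejected.
    for name in tls-auth user group cipher crl-verify; do
        if ! directive_active "$conf" "$name"; then
            echo "FINDING: $name is absent or commented out in server.conf"
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
    done

    # Tunnel compression is deprecated in OpenVPN 2.4; comp-lzo must stay commented out.
    if directive_active "$conf" comp-lzo; then
        echo "FINDING: comp-lzo is enabled in server.conf"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi

    # Every file named by an active ca/cert/key/dh/tls-auth/crl-verify line must exist.
    for f in $(awk '$1 ~ /^(ca|cert|key|dh|tls-auth|crl-verify)$/ { print $2 }' "$conf"); do
        if [ ! -f "$dir/$f" ]; then
            echo "FINDING: $f is referenced by server.conf but missing from $dir"
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
    done

    # Private key material must be readable by its owner only.
    for k in server.key ta.key; do
        if [ -f "$dir/$k" ] && [ "$(perm_string "$dir/$k" | cut -c5-10)" != "------" ]; then
            echo "FINDING: $k is readable by group or others ($(perm_string "$dir/$k"))"
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
    done

    # server.conf references ca.crt only; the CA private key signs client
    # certificates and has no role on the running server, so flag it if present.
    if [ -f "$dir/ca.key" ]; then
        echo "FINDING: ca.key is present in $dir; keep the CA private key off the VPN server"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    return 0
}

# Constructed sample directory mirroring the listing in step 12 and the copies in step 10.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
#comp-lzo
user nobody
group nobody
#crl-verify crl.pem
EOF
# Empty placeholder files stand in for the real artefacts (constructed, not real keys).
for f in ca.crt ca.key dh.pem server.crt server.key ta.key crl.pem; do
    : > "$SAMPLE_DIR/$f"
done
chmod 600 "$SAMPLE_DIR/server.key"
chmod 644 "$SAMPLE_DIR/ta.key"   # deliberately too permissive

audit_openvpn_dir "$SAMPLE_DIR"
echo "findings: $AUDIT_FINDINGS"
```

Against the sample the audit reports three findings: crl-verify is still commented out (so the crl.pem produced in step 9 is never consulted), ta.key is group/world readable, and ca.key is present. Fixing those three brings the count to zero.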
13. Add this for IP Forwarding :-
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
14. Restart the Network Service :-
sudo systemctl restart network.service
15. Restart the OpenVPN Service :-
systemctl enable openvpn@server.service
systemctl restart openvpn@server.service
Note :- If your server uses iptables, run the IPTABLES commands below; if it uses firewalld, run the FIREWALL commands below.
IPTABLES :-
yum install iptables iptables-services
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
FIREWALL :-
sudo firewall-cmd --get-active-zones
firewall-cmd --zone=trusted --add-service openvpn
firewall-cmd --zone=trusted --add-service openvpn --permanent
firewall-cmd --list-services --zone=trusted
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --query-masquerade
SHARK=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $SHARK -j MASQUERADE
sudo firewall-cmd --reload
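Once the rules are saved, it is useful to confirm from the saved state rather than from memory that the forwarding path is complete: forwarding enabled in the kernel (step 13), a MASQUERADE rule for the VPN subnet in the nat table, and an INPUT rule accepting UDP 1194 in the filter table. The script below is an added example, not part of the original post. It parses an iptables-save dump and a sysctl.conf; both inputs are constructed here to match what the commands above produce, and in practice you would pass the output of iptables-save (or /etc/sysconfig/iptables) and /etc/sysctl.conf. The interface name and subnet follow the page (eth0, 10.8.0.0/24).

```shell
# Added example, not part of the original post: verify from an iptables-save dump
# and a sysctl.conf that NAT, the inbound OpenVPN rule and IP forwarding are in place.

VPN_NET="10.8.0.0/24"   # the subnet handed out by "server 10.8.0.0 255.255.255.0"
VPN_PORT="1194"

# Echo yes/no: is there a POSTROUTING MASQUERADE rule for the VPN subnet in the nat table?
has_masquerade() {
    awk -v net="$VPN_NET" '
        /^\*/ { table = $1 }   # lines like *nat / *filter mark the current table
        table == "*nat" && /^-A POSTROUTING / && index($0, "-s " net " ") && /-j MASQUERADE/ { found = 1 }
        END { print (found ? "yes" : "no") }' "$1"
}

# Echo yes/no: does the filter table accept inbound UDP on the OpenVPN port?
has_vpn_input_accept() {
    awk -v port="$VPN_PORT" '
        /^\*/ { table = $1 }
        table == "*filter" && /^-A INPUT / && /-p udp/ && index($0, "--dport " port " ") && /-j ACCEPT/ { found = 1 }
        END { print (found ? "yes" : "no") }' "$1"
}

# Echo yes/no: does sysctl.conf set net.ipv4.ip_forward to 1? (last assignment wins,
# as it does for sysctl itself; comments and blank lines are skipped)
ip_forward_enabled() {
    awk -F= '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "net.ipv4.ip_forward" { val = $2 }
        END { print (val == "1" ? "yes" : "no") }' "$1"
}

# Constructed iptables-save output: what the two iptables commands above produce.
RULES=$(mktemp)
SYSCTL=$(mktemp)
trap 'rm -f "$RULES" "$SYSCTL"' EXIT
cat > "$RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
# Constructed sysctl.conf carrying the line added in step 13.
cat > "$SYSCTL" <<'EOF'
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
net.ipv4.ip_forward = 1
EOF

echo "masquerade for $VPN_NET : $(has_masquerade "$RULES")"
echo "udp/$VPN_PORT accepted   : $(has_vpn_input_accept "$RULES")"
echo "ip_forward enabled       : $(ip_forward_enabled "$SYSCTL")"
```

Each check answers yes on the constructed input; removing the INPUT rule or setting ip_forward back to 0 flips the corresponding answer to no, which is the case you want caught after a rule file is edited by hand.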
Note :- If you face a problem, troubleshoot the Chef Server configuration.
Reviewed by cloudwalebhaiya on September 10, 2018