Wednesday, January 20, 2021

How to Install OpenVPN Server on RHEL / CentOS 8 and configure Windows / Linux OpenVPN Client ?

 This guide will explain how to install and configure OpenVPN Server on RHEL / CentOS 8. A Virtual Private Network (VPN) allows you to traverse untrusted networks securely as if you were within a secure LAN network. OpenVPN is a full-featured, open-source Secure Socket Layer (SSL) VPN solution that supports a wide range of configurations.

With OpenVPN, you can easily set a secure tunnel that extends private network across a public network. All traffic being sent is encrypted and you can trust the information received on the other end. In this blog post, we will explore an easy way of installing and configuring OpenVPN server on RHEL / CentOS 8 server.

Install OpenVPN Server on RHEL / CentOS 8

There are two options of setting up OpenVPN server on RHEL / CentOS 8.

1.    Installing OpenVPN server manually – Time consuming

2.    Install OpenVPN server using automated scripts – Easy and quick

This guide will focus on using a trusted script to install and configure OpenVPN server. We will use openvpn-install script which let you set up your own VPN server in no more than a minute, even if you haven’t used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.

Step 1: Add EPEL and Install git

Add EPEL repository to your RHEL / CentOS 8 system. It has openvpn package and dependencies required.

How to Install EPEL Repository on RHEL / CentOS 8

We also need git to pull the code from Github. Ensure it is installed.

sudo dnf -y install git

Step 2: Clone openvpn-install repository

Now clone the openvpn-install repository using git tool installed in Step one:

$ cd ~
$ git clone https://github.com/Nyr/openvpn-install.git
Cloning into 'openvpn-install'…
remote: Enumerating objects: 360, done.
remote: Total 360 (delta 0), reused 0 (delta 0), pack-reused 360
Receiving objects: 100% (360/360), 104.04 KiB | 263.00 KiB/s, done.
Resolving deltas: 100% (180/180), done.

Step 3: Run OpenVPN installer

Switch to the openvpn-install directory and run the installer script.

$ chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

You will get a couple of prompts to change or confirm default settings for the installation.

Welcome to this OpenVPN "road warrior" installer!
 I need to ask you a few questions before starting the setup.
 You can leave the default options and just press enter if you are ok with them.
 First, provide the IPv4 address of the network interface you want OpenVPN
 listening to.
 IP address: 192.168.122.198
 This server is behind NAT. What is the public IPv4 address or hostname?
 Public IP address / hostname: vpn.example.com
 Which protocol do you want for OpenVPN connections?
    1) UDP (recommended)
    2) TCP
 Protocol [1-2]: 1
 What port do you want OpenVPN listening to?
 Port: 1194
 Which DNS do you want to use with the VPN?
    1) Current system resolvers
    2) 1.1.1.1
    3) Google
    4) OpenDNS
    5) Verisign
 DNS [1-5]: 1
 Finally, tell me your name for the client certificate.
 Please, use one word only, no special characters.
 Client name: computingforgeeks
 Okay, that was all I needed. We are ready to set up your OpenVPN server now.
 Press any key to continue…
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Extra Packages for Enterprise Linux 7 - x86_64                                                                         189 kB/s |  16 MB     01:24   
 Last metadata expiration check: 0:00:54 ago on Wed 20 Mar 2019 07:23:31 PM EAT.
 Package epel-release-7-11.noarch is already installed.
 Dependencies resolved.
 Nothing to do.
 Complete!
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Waiting for process with pid 1906 to finish.
 Package iptables-1.8.0-11.el8.x86_64 is already installed.
 Package openssl-1:1.1.1-6.el8.x86_64 is already installed.
 Package ca-certificates-2018.2.24-6.el8.noarch is already installed.
 Dependencies resolved.
  Package                           Arch                    Version                           Repository                                           Size
 Installing:
  openvpn                           x86_64                  2.4.7-1.el7                       epel                                                522 k
 Installing dependencies:
  pkcs11-helper                     x86_64                  1.11-3.el7                        epel                                                 56 k
  libnsl                            x86_64                  2.28-18.el8                       rhel-8-for-x86_64-baseos-beta-rpms                   84 k
  compat-openssl10                  x86_64                  1:1.0.2o-3.el8                    rhel-8-for-x86_64-baseos-beta-rpms                  1.1 M
 Transaction Summary
 Install  4 Packages
 Total download size: 1.8 M
 Installed size: 4.6 M
 Downloading Packages:
 (1/4): pkcs11-helper-1.11-3.el7.x86_64.rpm                                                                              34 kB/s |  56 kB     00:01   
 (2/4): openvpn-2.4.7-1.el7.x86_64.rpm                                                                                  191 kB/s | 522 kB     00:02   
 (3/4): libnsl-2.28-18.el8.x86_64.rpm                                                                                    26 kB/s |  84 kB     00:03   
 (4/4): compat-openssl10-1.0.2o-3.el8.x86_64.rpm
.......................                

You need to set:

·       Server’s IP address to be used by VPN

·       The hostname of Server if inside NAT

·       OpenVPN protocol to be used – TCP or UDP

·       OpenVPN port

·       DNS Nameserver to be used with VPN

·       Name of first client profile to create

If the installation was successful, you should receive message similar to one below.

..............
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 commonName            :ASN.1 12:'computingforgeeks'
 Certificate is to be certified until Mar 17 16:24:47 2029 GMT (3650 days)
 Write out database with 1 new entries
 Data Base Updated
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2018
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 140135296710464:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 An updated CRL has been created.
 CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 788
 success
 success
 success
 success
 success
 success
 612
 Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
 Finished!
 Your client configuration is available at: /root/computingforgeeks.ovpn
 If you want to add more clients, you simply need to run this script again!

The main OpenVPN server configuration file is,/etc/openvpn/server.conf you are free to tune it to your liking.

$ cat  /etc/openvpn/server.conf

port 1194

proto udp

dev tun

sndbuf 0

rcvbuf 0

ca ca.crt

cert server.crt

key server.key

dh dh.pem

auth SHA512

tls-auth ta.key 0

topology subnet

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 192.168.122.1"

keepalive 10 120

cipher AES-256-CBC

user nobody

group nobody

persist-key

persist-tun

status openvpn-status.log

verb 3

crl-verify crl.pem

A  tun0 virtual interface will be created during the setup process. This is used by OpenVPN clients subnet.

$ ip addr | grep tun0
 3: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
     inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0

The default subnet for this interface is.10.8.0.0/24.OpenVPN server will be assigned 10.8.0.1 IP address:

Step 3: Generate OpenVPN user profile (.ovpn file)

After completing step 1 through 3, your VPN Server is ready for use. We need to generate VPN Profiles to be used by the users. The same script we used for the installation will be used for this. It manages the creation and revocation of user profiles.

Run script and select 1 to add new user.

$ sudo ./openvpn-install.sh

Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 1
 Tell me a name for the client certificate.
 Please, use one word only, no special characters.
 Client name: user1
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2018
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139966006863680:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Generating a RSA private key
 ……………………………………………………………………..+++++
 ……………………………………….+++++
 writing new private key to '/etc/openvpn/easy-rsa/pki/private/user1.key.SeCj8ncgaH'
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139828629223232:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 commonName            :ASN.1 12:'user1'
 Certificate is to be certified until Mar 17 16:48:32 2029 GMT (3650 days)
 Write out database with 1 new entries
 Data Base Updated
 Client user1 added, configuration is available at: /root/user1.ovpn

The .ovpn OpenVPN profile file is placed inside /root folder.

$ sudo ls /root/ | grep ovpn
computingforgeeks.ovpn
user1.ovpn

Revoking OpenVPN user profile

To revoke a user profile, run the script and select 2.

$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 2
 Select the existing client certificate you want to revoke:
      1) computingforgeeks
      2) user1
 Select one client [1-2]: 2
 Do you really want to revoke access for client user1? [y/N]: y
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 140410149218112:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Revoking Certificate FAC5CC0C127D1242CC55BD31B7FB27D3.
 Data Base Updated
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2018
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139874879330112:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 An updated CRL has been created.
 CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 Certificate for client user1 revoked!

Uninstalling OpenVPN server on RHEL/CentOS 8

If you no longer need OpenVPN server, uninstallation can be done using the same installer script.

$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 3
 Do you really want to remove OpenVPN? [y/N]: y
 788
 success
 success
 success
 success
 success
 success
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Dependencies resolved.
....
Complete!
OpenVPN removed!

Step 4: Connect to OpenVPN Server from the client

You can use the VPN client of your choice to configure OpenVPN client on your operating system. For those who want to use Official OpenVPN client, go to the downloads page and get the latest release then install it.

Once Installed, on Windows, navigate to the directory with the ovpn profile, right click on the file name and select “Start OpenVPN on this config file

For CentOS Linux users, you can use NetworkManager and openvpn plugin to connect to OpenVPN server.

Install NetworkManager on CentOS 7

CentOS 7 comes with NetworkManager installed and running, you only need to install openvpn plugin for you to be able to import .ovpn profile.

sudo yum install NetworkManager-openvpn NetworkManager-openvpn-gnome

How to Import OpenVPN profile (.ovpn) using nmcli

Once you have installed the required packages and you have OpenVPN profile generated, continue to import the profile.

In this example, I assume OpenVPN profile name is called myopenvpn.ovpn and is located under your $HOME. Import the profile using the command:

$ cd ~/
$ sudo nmcli connection import type openvpn file myopenvp.ovpn
Connection 'myopenvp' (464b7c20-8999-4699-a4d7-3233cd7ea91e) successfully added.

You can confirm if the profile was imported successfully using the command:

$ nmcli connection show

To start using the profile, bring it up using:

nmcli connection up myopenvpn
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/27)

To check the connection details using:

$ nmcli connection show 
$ nmcli connection show |  egrep -i 'IP4|IPV6'

Depending on how you configured your OpenVPN server routes push, you can check ones populated on the server:

$ ip route

Try access any network on the route to see if it’s working.

Conclusion

You have successfully installed the OpenVPN server on RHEL/CentOS 8. The computers at each end of the VPN tunnel will encrypt the data entering the tunnel and is decrypted at the other end. Check OpenVPN documentation for more configuration options.

 

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)