Wednesday, June 1, 2016

Install and configure OpenVPN server - Centos 7

Pre-requisite:



1. Run the following command
  • yum install openvpn
2. Copy the sample configuration file from openvpn
  • cp /usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf /etc/openvpn
3. Edit the /etc/openvpn/server.conf and change the following
  • uncomment line 192, remove the semi-colon in front of the "push"
    • push "redirect-gateway def1 bypass-dhcp"
  • uncomment line 200 and 201, remove the semi-colon in front of the "push"  and change the IP address to your DNS server
    • push "dhcp-option DNS 8.8.8.8"
    • push "dhcp-option DNS 8.8.4.4"
  • uncomment line 267 and 268, remove the semi-colon in front
    • user nobody
    • group nobody
  • Save the configuration file

3. Create certificate keys

  • Install RSA 
    • yum install easy-rsa
  • Create directory
    • mkdir -p /etc/openvpn/easy-rsa/keys
  • Copy RSA files to the directory you just created
    • cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
  • Edit /etc/openvpn/easy-rsa/vars
    • Change the exports in line 64 to 49 with your appropriate information
  • Change the directory to RSA and build the Certificates of Authority
    • cd /etc/openvpn/easy-rsa
    • source ./vars
    • ./clean-all
    • ./build-ca
    • ./build-key-server $( hostname )
    • ./build-dh
  • Copy the certificate keys to /etc/openvpn folder
    • cd /etc/openvpn/easy-rsa/keys
    • cp ca.crt vpn2.crt vpn2.key dh2048.pem /etc/openvpn
  • Run restore context (restoring security context for SE Linux)
    • restorecon -Rv /etc/openvpn
  • Create symbolic link
    • ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
  • Edit server.conf 
    • In line 79,80 change the name of certificate and key you created
      • cert vpn2.crt
      • key vpn2.key 
  • Enable the server
    • systemctl -f enable openvpn@server.service
  • Start the server
    • systemctl start openvpn@server.service
  • Check the status
    • systemctl status openvpn@server.service

4. Create Client Certificate

  • cd /etc/openvpn/easy-rsa 
  • source ./vars
  • ./build-key myclient01
5. Copy the the following generated certificate to OpenVPN client remote computer into config folder

  • ca.key
  • myclient01.crt
  • myclient01.key
    • change the attribute of this file to 644
      • chmod 644 myclient01.key
  • Create or edit the myclient.ovpn file in client computer with the following parameters
    • client
    • dev tun
    • proto udp
    • remote 192.168.3.95 1194
    • resolve-retry infinite
    • nobind
    • persist-key
    • persist-tun
    • comp-lzo
    • verb 3
    • ca ca.crt
    • cert myclient01.crt
    • key myclient01.key
    • auth-user-pass

6. Turn the VPN server into a router, dynamically change kernel parameter
  • Edit the /etc/sysctl.conf and add the following line
    • net.ipv4.ip_forward=1
  • Load the sysctl.conf file
    • sysctl -p
7. Add user authentication and password for the users connecting VPN
    • touch /etc/pam.d/openvpn
    • nano /etc/pam.d/openvpn
    • Add the following lines
      • auth    required        pam_unix.so     shadow  nodelay
      • account required        pam_unix.so
  • Edit the  /etc/openvpn/server.conf and add the following lines
    • plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
    • add route in line 143, this will be the ip address range where connected users get their ip address in the internal network
      • push "route 192.168.20.0 255.255.0.0"
    • uncomment line 210
      • client-to-client
  • Restart the service
    • systemctl stop openvpn@server.service
    • systemctl start openvpn@server.service
  • Check the status
    • systemctl status openvpn@server.service

Install and enable iptables firewall - Centos 7

1. Run the following command to install
  • yum install iptables-services

2. Run the following command to install to enable the firewall
  • systemctl enable iptables

3. Start the firewall
  • systemctl start iptables

4. Check the status
  • systemctl status iptables




If you need to stop the firewall
  • systemctl stop iptables

Disable Firewalld -Centos 7

1. Run the following command

  • systemctl stop firewalld
  • systemctl disable firewalld




Remove Network Manager - Centos 7

1. Issue the following command



2. Restart the network service

  • service network restart

3. Reboot

Change ethernet name enoXX to ethXX in Centos 7

1. Edit /etc/default/grub in any text editor (I used nano)



2. Edit the 6th line, add below code at the end before the quotation mark, then save



  • net.ifnames=0 biosdevname=0



3. Create new grub configuration file by executing grub2-mkconfig -o /boot/grub2/grub.cfg



4. Reboot the machine

5. Check the ethernet