HOWTO: Configure openVPN on CentOS 7 / RHEL 7

So, I replaced my Asus RT-N66U with a Linksys EA9500 router – and LOST MY OPENVPN capabilities.

I thought I could just use the Asus as a network extender + VPN, but that didn’t work out so well. It was such a hassle that I spun up a tiny little RHEL VM to be an openVPN router.

Here’s how I did it:

yum -y update
yum install net-tools bash-completion wget -y
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm
yum install epel-release-7-6.noarch.rpm -y
yum install openvpn easy-rsa -y

** NOTE ** –> On CentOS 7 the epel-release package is in the stock extras repository, so a plain yum install epel-release -y does the same job, with GPG checking and without a pinned file name that goes stale. The wget route is for RHEL 7; the download is plain http and yum does not GPG-check a local rpm by default (localpkg_gpgcheck is off), so import the EPEL 7 key first (rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7) and run rpm -K epel-release-7-6.noarch.rpm before installing <–

Once that was all set …
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

I also edited the /etc/openvpn/server.conf file, making the following changes:

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;push "redirect-gateway def1 bypass-dhcp"
;user nobody
;group nobody
;log-append  openvpn.log

BECAME:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.2.2.1"
push "redirect-gateway def1 bypass-dhcp"
user nobody
group nobody
log-append  /var/log/openvpn.log

**NOTE -> 8.8.8.8 is Google’s public resolver and 4.2.2.1 is Level 3’s (not Verizon’s). Two things to know about these pushes: redirect-gateway def1 sends all of the client’s traffic through this VM, so the masquerade rule in the firewalld section further down is what lets that traffic reach the internet; and dhcp-option DNS is applied automatically by the Windows client, but the Linux client only honours it through an --up/--down script (OpenVPN’s contrib directory has pull-resolv-conf examples), otherwise it keeps using its local resolver. Also leave persist-key and persist-tun enabled (they are on in the sample file): once openvpn has dropped to nobody it can no longer re-read server.key or re-open the tun device on a restart.

I then made a directory to store the keys & grabbed some scripts:

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

In the /etc/openvpn/easy-rsa/vars file, I made the following changes, where THESE:

export EASY_RSA="`pwd`"
export KEY_NAME="EasyRSA"
# export KEY_CN="CommonName"

BECAME:

export EASY_RSA="$(pwd)"
export KEY_NAME="server"
export KEY_CN="CommonName"

(Note the closing quote on KEY_CN: a line left as export KEY_CN="CommonName without it breaks the whole file when it is sourced.)

… and these were just tweaked to reflect my actual info:

export KEY_CN="CommonName"        (conventionally the FQDN clients will connect to; nothing in this guide's client config checks the CN against the hostname, so that is a convention, not a requirement. KEY_CN is only the default offered at the Common Name prompt, so when you build client certs below give each one its own name at that prompt, e.g. tom-windows10-laptop, instead of accepting this value)
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

OpenSSL needs a base config file, so the template should be put in place:
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf


Now, ‘cd’ into /etc/openvpn/easy-rsa and ‘source’ the vars file, so the info is thrown into memory for use in the (build) scripts. Do the cd first: vars sets EASY_RSA from pwd, so sourcing it from any other directory points the scripts (and clean-all’s rm -rf of the keys directory) at the wrong place.

cd /etc/openvpn/easy-rsa
source ./vars

Then clean up any incorrectly generated key files and build the Certificate Authority. clean-all wipes /etc/openvpn/easy-rsa/keys, so run it once, now, and not again once the CA exists:

./clean-all
./build-ca

** NOTE ** –> You shouldn’t have to make any/many changes during build-ca, as it will use the vars file to populate that info <–

Now, you need to build the Server files:

./build-key-server server

** NOTE ** –> You shouldn’t have to make any/many changes during build-key-server server as it will use the vars file to populate that info <–

Build the Diffie-Hellman parameter file. This produces keys/dh2048.pem (the size follows KEY_SIZE in vars, and the sample server.conf expects dh2048.pem); it can take a few minutes:
./build-dh

Now, take all of the “SERVER” files and put a copy into /etc/openvpn, which is where the sample server.conf expects them (ca, cert, key and dh are given as bare file names, and openvpn@server.service starts openvpn with --cd /etc/openvpn):
cd keys ; cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
chmod 600 /etc/openvpn/server.key

The CA’s private key, keys/ca.key, is left off that list on purpose: the server never needs it, and anyone who gets hold of it can mint certificates your server will accept.

Now, you need to build the CLIENT files:
cd .. ; ./build-key client

** NOTE ** –> The command above creates a passwordless key, and the certificate’s Common Name is whatever you give at the Common Name prompt; that name is what shows up in the server log. Build one certificate per device rather than sharing one: the log then tells you which device connected, a lost device can be revoked on its own (./revoke-full <user-device> in /etc/openvpn/easy-rsa writes keys/crl.pem; copy it to /etc/openvpn and add crl-verify crl.pem to server.conf), and the default server.conf refuses a second concurrent connection with the same Common Name anyway unless you enable duplicate-cn.

To add a password that you will be asked for when you fire up your VPN client, use (still in /etc/openvpn/easy-rsa, so no second cd ..):

./build-key-pass <user-device>

** NOTE ** –> specifying user-device is helpful, as you can name it “tom-windows10-laptop” and it will log that in the inbound connections:

Thu Jun  9 04:37:20 2016 1.2.3.4:33221 [tom-windows10-laptop] Peer Connection Initiated with [AF_INET]1.2.3.4:33221
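Before moving on to the firewall it is worth checking what easy-rsa produced, since a mistake here (a client cert built with build-key-server by accident, a key copied next to the wrong cert, a world-readable server.key) stays silent until someone abuses it. The script below is an added example, not code from this post or from easy-rsa: pki_check verifies both leaf certificates against ca.crt, confirms that server.crt carries the serverAuth extended key usage that the client’s ns-cert-type / remote-cert-tls check relies on and that the client cert does not (so a client cert can never pose as the server to other clients), checks that the client key belongs to the client cert, and checks that server.key is not group- or world-readable. make_test_pki is a constructed stand-in that builds a throwaway CA with plain openssl in the same keys/ layout so the check can be exercised without the real PKI; the names test-ca and alice and the temporary directory are assumptions for the example. Against the real directory, run pki_check /etc/openvpn/easy-rsa/keys tom-windows10-laptop (only the openssl command-line tool is needed).

```sh
#!/bin/sh
# Added example (not from the post or easy-rsa): sanity-check an easy-rsa 2.0
# keys/ directory before copying anything to /etc/openvpn.

# cert_is_server <cert>: true if the cert carries extendedKeyUsage serverAuth
cert_is_server() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# pki_check <keys-dir> <client-name>: return 0 if the PKI looks sane, 1 if not.
# (A build-key-pass key will prompt for its passphrase at the modulus step.)
pki_check() {
    dir=$1; name=$2
    for f in ca.crt server.crt server.key "$name.crt" "$name.key"; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # both leaf certs must chain to the CA we are about to hand to clients
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not verify against ca.crt" >&2; return 1; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
        || { echo "$name.crt does not verify against ca.crt" >&2; return 1; }
    # the server cert must be marked for TLS server use, the client cert must
    # not be, or any client could impersonate the server to the others
    cert_is_server "$dir/server.crt" \
        || { echo "server.crt lacks extendedKeyUsage serverAuth" >&2; return 1; }
    cert_is_server "$dir/$name.crt" \
        && { echo "$name.crt is marked as a server certificate" >&2; return 1; }
    # the client key must belong to the client cert (same RSA modulus)
    [ "$(openssl x509 -in "$dir/$name.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$dir/$name.key" -noout -modulus 2>/dev/null)" ] \
        || { echo "$name.key does not match $name.crt" >&2; return 1; }
    # the server key must not be readable by group or others
    [ -z "$(find "$dir/server.key" \( -perm -040 -o -perm -004 \))" ] \
        || { echo "server.key is group/world readable" >&2; return 1; }
    return 0
}

# make_test_pki <dir> <client-name>: CONSTRUCTED throwaway PKI in easy-rsa's
# keys/ layout, made with plain openssl rather than the easy-rsa scripts, so
# the check can be run without the real CA. Not for real use.
make_test_pki() {
    dir=$1; name=$2
    # minimal req config: empty DN section (we pass -subj) plus CA extensions
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/req.cnf"
    openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=test-ca -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # same markings easy-rsa's [server] and [usr_cert] sections apply
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    for who in server "$name"; do
        openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
            -subj "/CN=$who" -keyout "$dir/$who.key" -out "$dir/$who.csr" 2>/dev/null
        if [ "$who" = server ]; then ext=server.ext; else ext=client.ext; fi
        openssl x509 -req -days 1 -in "$dir/$who.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$ext" \
            -out "$dir/$who.crt" 2>/dev/null
    done
    chmod 600 "$dir"/*.key   # easy-rsa's pkitool does the same
}
```

The serverAuth check is the one that matters most: OpenVPN’s client-side check is the only thing stopping a stolen or rogue client certificate from being used to stand up a fake server, and it can only work if the real server cert is the single one marked for server use.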

Now that the keys are all taken care of, it’s time to make some firewalld changes!

Determine your “zone”

firewall-cmd --get-active-zones
public
  interfaces: eth0

Now, execute the changes to that zone:

firewall-cmd --zone=public --add-service=openvpn --permanent
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload

** NOTE ** –> firewalld’s openvpn service is 1194/udp, matching the sample server.conf; without it the public zone drops the inbound connection before openvpn ever sees it. --permanent writes a rule to disk but does not apply it to the running firewall, hence the --reload; a rule added without --permanent is gone after the next reload or reboot. You will see 10.8.0.0/24 as the server directive in /etc/openvpn/server.conf, if you kept the defaults, and eth0 is whatever interface --get-active-zones listed above <–

Make routing possible by doing the following:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

Confirm it took with sysctl net.ipv4.ip_forward, which should print net.ipv4.ip_forward = 1; without it the VM accepts the tunnel but silently drops the packets the clients try to route through it.

Now, enable openVPN for systemctl & restart it:
systemctl enable openvpn@server.service
systemctl restart openvpn@server.service

Check that it came up: systemctl status openvpn@server.service should show it active, and the last line of /var/log/openvpn.log should read “Initialization Sequence Completed”. A cert, key or dh file that is not where server.conf expects it (/etc/openvpn) is the usual reason it does not.

Lastly, let’s create a .ovpn file to put on your devices:

Given that you haven’t deviated from the default config in this guide, here’s what you can do. Create a text file and put this at the top.

client
dev tun
proto udp
remote your.domain.org 1194
float
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
resolv-retry infinite
nobind

** NOTE ** –> ns-cert-type server is what stops another client’s certificate from being accepted as the server’s (the classic client-to-client man-in-the-middle). It checks the nsCertType extension that easy-rsa’s build-key-server adds; the same build also adds extendedKeyUsage serverAuth, so remote-cert-tls server works here too and is the one to use on newer clients, because ns-cert-type was deprecated and removed in OpenVPN 2.5 <–

Now, add this below the last line:

<ca>

</ca> 


<cert> 

</cert> 


<key> 

</key>

For each block, paste the whole PEM envelope, including the -----BEGIN ...----- and -----END ...----- lines themselves. For the two certificates those lines read -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----; for the key they say PRIVATE KEY instead (ENCRYPTED PRIVATE KEY if you used build-key-pass, in which case the client asks for the passphrase on connect).

Now, do the following; take the contents of this output and paste it between the ca and /ca entry above:
cat /etc/openvpn/easy-rsa/keys/ca.crt

Once again, take the contents of this output and paste it between the cert and /cert entry above:
cat /etc/openvpn/easy-rsa/keys/client.crt

** NOTE1 ** –> The ‘client’ in client.crt is the name from up above, if you used build-key … and <user-device> if you used build-key-pass

** NOTE2 ** –> client.crt starts with openssl’s human-readable dump of the certificate (Certificate:, Data:, Subject: and so on), which OpenVPN will not parse. Skip all of that and paste only the PEM block at the bottom, from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----

Lastly, take the contents of this output and paste it between the key and /key entry above:
cat /etc/openvpn/easy-rsa/keys/client.key

Save your file, ship it to your favorite device running openVPN over a channel you trust (scp or a USB stick, not e-mail: the file contains the client’s private key), connect in and have a test!
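Pasting three PEM blocks by hand, and remembering to leave out the text dump at the top of client.crt, is error-prone, so here is the same assembly as a script. It is an added example, not part of the original post or of OpenVPN: make_ovpn writes the client config above (with remote-cert-tls server in place of ns-cert-type server, which newer clients no longer accept) and appends only the BEGIN/END envelopes from ca.crt, <name>.crt and <name>.key, refusing to run if any of the three is missing or has no PEM block. demo_keys writes constructed placeholder files in easy-rsa’s layout so the script can be exercised offline; their base64 bodies are not real certificates or keys, and vpn.example.org, the temporary directory and the client name are assumptions. For real use: make_ovpn your.domain.org /etc/openvpn/easy-rsa/keys tom-windows10-laptop > tom-windows10-laptop.ovpn

```sh
#!/bin/sh
# Added example (not from the post or the OpenVPN project): assemble an
# inline .ovpn from easy-rsa 2.0 output instead of pasting by hand.
# Usage: make_ovpn <remote-host> <keys-dir> <client-name> > client.ovpn

# pem_block <file>: print only the PEM envelope, BEGIN line through END line.
# easy-rsa's .crt files start with openssl's human-readable dump, which
# OpenVPN will not parse, so everything above the BEGIN line is dropped.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_ovpn() {
    host=$1; dir=$2; name=$3
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
        grep -q '^-----BEGIN ' "$f" || { echo "make_ovpn: no PEM block in $f" >&2; return 1; }
    done
    # header matches the post's client config; remote-cert-tls server stands
    # in for the deprecated ns-cert-type server (same effect with easy-rsa
    # certs, and still accepted by OpenVPN 2.5+, which dropped ns-cert-type)
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
float
comp-lzo adaptive
keepalive 15 60
remote-cert-tls server
resolv-retry infinite
nobind
<ca>
$(pem_block "$dir/ca.crt")
</ca>
<cert>
$(pem_block "$dir/$name.crt")
</cert>
<key>
$(pem_block "$dir/$name.key")
</key>
EOF
}

# demo_keys <dir> <client-name>: CONSTRUCTED stand-ins for easy-rsa's ca.crt,
# <name>.crt and <name>.key. The bodies are placeholders, not real
# certificates or keys; they exist only so the script can run offline.
demo_keys() {
    dir=$1; name=$2
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA-CERT-BODY' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    # easy-rsa puts openssl's text dump above the PEM block in .crt files
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        "        Subject: CN=$name" '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-CLIENT-CERT-BODY' '-----END CERTIFICATE-----' > "$dir/$name.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-CLIENT-KEY-BODY' \
        '-----END PRIVATE KEY-----' > "$dir/$name.key"
}
```

The output file carries the client’s private key, so treat it the same way as the .key file it came from: generate it as root on the VM, move it with scp, and delete the copy on the server once the device has it.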