Install OpenVPN on CentOS and Fedora



This is a guide for all Red Hat-based distributions, including but not limited to RHEL, CentOS, and Fedora. It uses the easy-rsa 2.x scripts; the easy-rsa 3 package has a different command set, so this procedure does not apply to it as written.
RHEL/CentOS Only

You will need the EPEL repository installed to have access to the packages: openvpn and easy-rsa are not in the base RHEL/CentOS repositories (Fedora ships them in its main repository).

EPEL can be found by version here: https://fedoraproject.org/wiki/EPEL

 

Install OpenVPN and easy-rsa

yum install openvpn easy-rsa

 

Copy default config

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

 

Edit /etc/openvpn/server.conf and uncomment the following lines. redirect-gateway sends all of the client's traffic through the tunnel, which is why the NAT rule in the Routing section below is required; the two dhcp-option lines point clients at the OpenDNS resolvers, so substitute your own if you prefer. user/group nobody drop the daemon's privileges after it has bound its port and opened the tun device.

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nobody

 

Prepare keys directory and copy over easy-rsa

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

 

Edit /etc/openvpn/easy-rsa/vars and replace the sample defaults shown below with your own name and organization (these values end up in every certificate subject). In the same file, raise KEY_SIZE from its default of 1024 to 2048: 1024-bit RSA keys and DH groups are no longer considered adequate.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

 

easy-rsa 2.x ships one OpenSSL configuration template per OpenSSL release and expects the right one to be present as openssl.cnf. Use the 1.0.0 template, which matches the OpenSSL 1.0.x shipped with CentOS 6/7 (check with openssl version and pick the matching file if yours differs):

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

 

Change directory, load the variables and build the certificate authority. clean-all empties the keys directory, so run it only when creating a fresh PKI, never on a CA that already has issued certificates:

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

 

Build server certificate (press enter through the process and commit with y):

./build-key-server server

 

Build the Diffie-Hellman parameters (the size follows KEY_SIZE in vars and the output file is named after it, e.g. dh2048.pem; generation can take several minutes):

./build-dh

 

Copy the CA certificate, server certificate and key, and the DH parameters to /etc/openvpn. If KEY_SIZE is 2048 the file is dh2048.pem instead of dh1024.pem, and the dh line in server.conf must name the same file:

cd /etc/openvpn/easy-rsa/keys
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn

 

Build a client certificate. Issue one per client rather than sharing a certificate between users: the client needs ca.crt, client.crt and client.key, delivered over a secure channel, and client.key is the credential that revocation later acts on.

cd /etc/openvpn/easy-rsa
./build-key client
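Before the files are copied into /etc/openvpn or handed to clients, it is worth checking that what easy-rsa produced is consistent. The script below is an added example for this guide, not part of easy-rsa or OpenVPN; it relies only on the openssl command-line tool and assumes the file names easy-rsa 2.x writes into its keys directory (ca.crt, server.crt, server.key, dh*.pem). It verifies that the server certificate chains to the CA that clients will trust, that server.key is the matching private key, that the certificate carries the serverAuth extended key usage clients configured with remote-cert-tls server require, that the key is not group- or world-readable, and that the DH group is at least the requested size.

```shell
#!/bin/sh
# PKI sanity checks for an easy-rsa 2.x keys directory (added example, not
# from the original guide). Usage: check_openvpn_pki KEYS_DIR [MIN_DH_BITS]

# check_server_cert DIR: 0 if server.crt chains to ca.crt, server.key is the
# matching private key, and the certificate lists the serverAuth EKU.
check_server_cert() {
    dir=$1
    # Chain check: a server cert signed by any other CA is rejected by clients.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # Key/cert match: the RSA modulus must be identical in both files.
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null || true)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null || true)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
    # Server role: clients using "remote-cert-tls server" require this EKU.
    openssl x509 -noout -text -in "$dir/server.crt" 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# key_private FILE: 0 if FILE exists and has no group or other read bit.
key_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]
}

# dh_bits FILE: print the DH group size in bits, or nothing if unreadable.
dh_bits() {
    openssl dhparam -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_openvpn_pki DIR [MIN_DH_BITS]: run every check, print each failure,
# return 0 only if all pass. MIN_DH_BITS defaults to 2048.
check_openvpn_pki() {
    dir=$1
    min_dh=${2:-2048}
    status=0
    check_server_cert "$dir" \
        || { echo "FAIL: ca.crt / server.crt / server.key are not a consistent set"; status=1; }
    key_private "$dir/server.key" \
        || { echo "FAIL: server.key is readable by group or others"; status=1; }
    # easy-rsa names the file after KEY_SIZE (dh1024.pem, dh2048.pem, ...).
    dh=$(ls "$dir"/dh*.pem 2>/dev/null | head -n 1 || true)
    bits=$(dh_bits "$dh")
    if [ -z "$bits" ] || [ "$bits" -lt "$min_dh" ]; then
        echo "FAIL: DH parameters are ${bits:-missing} bits, want at least $min_dh"
        status=1
    fi
    return $status
}
```

Run it as `check_openvpn_pki /etc/openvpn/easy-rsa/keys` after build-dh. With the default KEY_SIZE of 1024 the DH check fails, which is the point: raise KEY_SIZE in vars and rerun build-dh before copying anything.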

 

Routing

CentOS 6: set the iptables NAT rule for the OpenVPN subnet (eth0 is the interface that faces the internet; substitute yours). On a stock CentOS 6 ruleset the INPUT and FORWARD chains end in a REJECT, so the listener port (1194/udp by default) must also be accepted in INPUT and forwarded VPN traffic accepted in FORWARD; the MASQUERADE rule alone is not enough there:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

 

Fedora and CentOS 7 use firewalld instead of the iptables service and need different commands (todo)…

 

If you use APF Firewall, this would be placed in /etc/apf/postroute.rules:

$IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

 

IP forwarding must be enabled. Inside a Linux container /proc/sys is usually read-only and the setting cannot be changed from within; it must then be enabled on the host instead:

Add to /etc/sysctl.conf

net.ipv4.ip_forward = 1

 

Set in place

sysctl -p
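The routing steps above, from the NAT rule through IP forwarding, collected into one script that handles both firewall backends. This is an added example for this guide, not from the OpenVPN project. Its assumptions, labelled as such in the code, are the 10.8.0.0/24 subnet from the sample server.conf, tun0 as the VPN device, eth0 as the outbound interface and 1194/udp as the listener; all can be overridden through environment variables, and DRY_RUN=1 prints the commands instead of executing them. The firewalld branch is the counterpart of the iptables rule the guide gives for CentOS 6.

```shell
#!/bin/sh
# Route and NAT the OpenVPN client subnet on CentOS 6 (iptables service) or
# CentOS 7 / Fedora (firewalld). Added example, not part of the original guide.
# Assumptions (override via environment): subnet, tun device, outbound
# interface and listener port/protocol below.
VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_DEV=${VPN_DEV:-tun0}
WAN_DEV=${WAN_DEV:-eth0}
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}

# run CMD...: execute, or only print when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# iptables_rules: CentOS 6. The stock ruleset ends INPUT and FORWARD with a
# REJECT, so the listener and forwarded VPN traffic get ACCEPT rules inserted
# ahead of it; the POSTROUTING rule is the one from the guide.
iptables_rules() {
    run iptables -I INPUT -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    run iptables -I FORWARD -i "$VPN_DEV" -o "$WAN_DEV" -s "$VPN_NET" -j ACCEPT
    run iptables -I FORWARD -i "$WAN_DEV" -o "$VPN_DEV" -d "$VPN_NET" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_DEV" -j MASQUERADE
    run service iptables save
}

# firewalld_rules: CentOS 7 / Fedora. The tun device joins the trusted zone so
# forwarded VPN traffic is accepted; the openvpn service definition shipped
# with firewalld opens 1194/udp; masquerading is enabled on the default zone
# (assumed to own the outbound interface) and a direct rule mirrors the
# guide's iptables NAT rule for exactly the VPN subnet.
firewalld_rules() {
    run firewall-cmd --permanent --zone=trusted --add-interface="$VPN_DEV"
    run firewall-cmd --permanent --add-service=openvpn
    run firewall-cmd --permanent --add-masquerade
    run firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -s "$VPN_NET" -o "$WAN_DEV" -j MASQUERADE
    run firewall-cmd --reload
}

# enable_forwarding: persist net.ipv4.ip_forward=1 and apply it immediately.
enable_forwarding() {
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf 2>/dev/null; then
        run sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        run sh -c 'echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf'
    fi
    run sysctl -w net.ipv4.ip_forward=1
}

# firewall_backend: "firewalld" when it is installed and running, else "iptables".
firewall_backend() {
    if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
        echo firewalld
    else
        echo iptables
    fi
}

setup_openvpn_routing() {
    enable_forwarding
    case $(firewall_backend) in
        firewalld) firewalld_rules ;;
        iptables)  iptables_rules ;;
    esac
}

# Only act when explicitly asked: "sh openvpn-routing.sh apply" as root,
# or "DRY_RUN=1 sh openvpn-routing.sh apply" to preview the commands.
case "${1:-}" in apply) setup_openvpn_routing ;; esac
```

Preview with DRY_RUN=1 first; the printed commands are exactly what runs without it, and the APF variant from the guide is the same POSTROUTING rule with $IPT in place of iptables.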

 

Start openvpn and enable it at boot. The commands below are for the CentOS 6 init scripts; on systemd releases such as CentOS 7 and Fedora the unit is openvpn@server, named after the config file without its .conf suffix, and is managed with systemctl instead:

service openvpn start
chkconfig openvpn on

 
