Wednesday, May 4, 2016

[Quick Install : VPN]: How to configure VPN Server in Linux

VPN is short for virtual private network: a network built over public infrastructure, usually the Internet, to reach a private network such as a company's internal network.

OpenVPN is a popular open source application that implements a virtual private network; it runs on Linux and Windows.

In this article I will explain how to install and configure OpenVPN on a CentOS 7 server.

OpenVPN is not available in the default CentOS repositories, so we first need to install the Extra Packages for Enterprise Linux (EPEL) repository. Use the following command to install it:


yum install epel-release
 
Next, install the openvpn, easy-rsa and iptables-services packages with the following command:


yum -y install openvpn easy-rsa iptables-services
 
Then we need to generate the following certificates and keys with easy-rsa:

Certificate Authority (ca)
Server Key and Certificate
Diffie-Hellman key
Client Key and Certificate

Copy the easy-rsa scripts to /etc/openvpn/:

cp -rf /usr/share/easy-rsa/ /etc/openvpn/
 
Then go to the easy-rsa directory and edit the vars file:

cd /etc/openvpn/easy-rsa/2.*/
vim vars
 
Set KEY_CONFIG to point to the openssl.cnf file included in this distribution.

Set KEY_DIR to point to a directory which will contain all keys, certificates, etc. This directory need not exist, and if it does, it will be deleted with rm -rf, so be careful how you set KEY_DIR.

Edit other fields in vars per your site data. You may want to increase KEY_SIZE to 2048 if you are paranoid and don't mind slower key processing, but certainly 1024 is fine for testing purposes. KEY_SIZE must be compatible across both peers participating in a secure SSL/TLS connection.
 
Now it is time to generate the new keys and certificates for our installation. First load the variables:

source ./vars
 
Then run clean-all to ensure that we start from a clean certificate setup:

./clean-all
 
Now generate a certificate authority (CA). You will be asked for the Country Name and other details.

This command creates the files ca.crt and ca.key in /etc/openvpn/easy-rsa/2.0/keys/:

./build-ca
 
Now generate the server key and certificate:

./build-key-server server
 
Build the Diffie-Hellman parameters for the key exchange:


./build-dh
 
Generate the client key and certificate:

./build-key client
 
Move or copy the keys/ directory to /etc/openvpn/.
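Before moving on, it is worth verifying what easy-rsa produced. The following script is an added example, not part of the original post: it checks that each certificate matches its private key, that both certificates chain to ca.crt, and that a DH parameter file exists, assuming openssl is installed and the files are named as above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the easy-rsa output
# before starting the server. Assumes openssl is installed and the files are
# named as in the post (ca.crt, server.crt/key, client.crt/key, dh*.pem).

modulus_of() {
    # prints the RSA modulus of a certificate (x509) or private key (rsa)
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null
}

keypair_matches() {
    # 0 if certificate $1 was issued for private key $2
    c=$(modulus_of x509 "$1") && k=$(modulus_of rsa "$2") && [ -n "$c" ] && [ "$c" = "$k" ]
}

signed_by_ca() {
    # 0 if certificate $2 chains to CA certificate $1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_keys_dir() {
    # runs every check against a keys/ directory; returns 1 on the first failure
    d=$1
    keypair_matches "$d/server.crt" "$d/server.key" || { echo "server cert/key mismatch" >&2; return 1; }
    keypair_matches "$d/client.crt" "$d/client.key" || { echo "client cert/key mismatch" >&2; return 1; }
    signed_by_ca "$d/ca.crt" "$d/server.crt" || { echo "server.crt is not signed by ca.crt" >&2; return 1; }
    signed_by_ca "$d/ca.crt" "$d/client.crt" || { echo "client.crt is not signed by ca.crt" >&2; return 1; }
    # the "dh" line in server.conf must name a file that really exists
    ls "$d"/dh*.pem >/dev/null 2>&1 || { echo "no dh*.pem in $d" >&2; return 1; }
    echo "OK: $d is consistent"
}

# usage: sh check-keys.sh /etc/openvpn/keys
if [ $# -eq 1 ]; then check_keys_dir "$1"; fi
```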

Configure OpenVPN

Now we can copy the sample OpenVPN configuration from /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/, or create a new one:


cd /etc/openvpn/
vim server.conf
 
Set the contents of the file as follows:


# change to your port
port 1337

# you can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel
dev tun

# certificate configuration

# CA certificate
ca /etc/openvpn/keys/ca.crt

# server certificate
cert /etc/openvpn/keys/server.crt

# server key; keep this secret
key /etc/openvpn/keys/server.key

# check the name (size) of the DH file in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh1024.pem

# internal subnet from which clients get an address once connected
server 192.168.200.0 255.255.255.0

# this line will redirect all client traffic through our OpenVPN
push "redirect-gateway def1"

# provide DNS servers to the client; you can use Google DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# allow multiple clients to connect with the same certificate
duplicate-cn

keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

# enable logging
log-append /var/log/myvpn/openvpn.log

# log level
verb 3

Save the file with Esc, then :wq.

Create the log directory and file:

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log

Disable firewalld

systemctl mask firewalld
systemctl stop firewalld
 
Disable SELinux

Edit /etc/sysconfig/selinux with vim:

vim /etc/sysconfig/selinux
 
Then set SELINUX to disabled:


SELINUX=disabled
 
Then reboot the server to apply the changes made.

Configure Routing and Iptables

First we need to enable and start the iptables service, then flush the existing rules:

systemctl enable iptables
systemctl start iptables
iptables -F
 
Add an iptables NAT rule that masquerades traffic from our OpenVPN subnet, and save the rules:

# the -s subnet must match the "server" line in server.conf (192.168.200.0/24 here)
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
# iptables-services restores /etc/sysconfig/iptables at boot
iptables-save > /etc/sysconfig/iptables
 
To enable IP forwarding, edit /etc/sysctl.conf with vim:

vim /etc/sysctl.conf
 
Then add the following line at the end of the file and save it:

net.ipv4.ip_forward = 1
 
Reboot the server and the VPN server is ready.
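A mistake that is easy to make here is masquerading a different subnet from the one the server directive hands out, which leaves clients connected but unable to reach anything beyond the server. This added example, not from the original post, reads server.conf and an iptables-save dump and reports whether the two subnets agree; it assumes server.conf uses the server <network> <netmask> directive.

```shell
#!/bin/sh
# Added example (not from the original post): check that the MASQUERADE rule
# covers the same subnet that the "server" directive in server.conf hands out.
mask_to_prefix() {
    # 255.255.255.0 -> 24 by summing the set bits of each octet
    prefix=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;  254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;  248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;  224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;  128) prefix=$((prefix + 1)) ;;
            0) ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$prefix"
}
conf_subnet() {
    # prints the VPN pool in CIDR form (e.g. 192.168.200.0/24) from server.conf
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ -n "$1" ] && [ -n "$2" ] || return 1
    pfx=$(mask_to_prefix "$2") || return 1
    printf '%s/%s\n' "$1" "$pfx"
}

masq_subnet() {
    # prints the -s argument of the first MASQUERADE rule in an iptables-save dump
    awk '/-j MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-s") { print $(i + 1); exit } }' "$1"
}

check_nat_matches_pool() {
    # 0 when the masqueraded subnet equals the VPN pool, 1 otherwise
    want=$(conf_subnet "$1") || return 1
    have=$(masq_subnet "$2")
    if [ "$want" = "$have" ]; then
        echo "OK: NAT rule covers VPN pool $want"
        return 0
    fi
    echo "MISMATCH: server.conf pool is $want but the NAT rule masquerades '$have'" >&2
    return 1
}

# Constructed sample inputs (not real files) with a deliberately wrong -s network:
tmpdir=$(mktemp -d)
printf 'server 192.168.200.0 255.255.255.0\n' > "$tmpdir/server.conf"
printf '%s\n' '-A POSTROUTING -s 192.168.1.1/24 -o eth0 -j MASQUERADE' > "$tmpdir/iptables"
check_nat_matches_pool "$tmpdir/server.conf" "$tmpdir/iptables" || :
rm -rf "$tmpdir"
```

On a live server, run it as check_nat_matches_pool /etc/openvpn/server.conf /etc/sysconfig/iptables after saving the rules.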

Client Setup

To connect to the OpenVPN server, the client needs the key and certificate we created earlier. Download these three files from the server using SFTP or SCP:


  • ca.crt
  • client.crt
  • client.key
Afterwards, create a new file called client.ovpn and paste the configuration below:

client
dev tun
proto udp

# server IP and port
remote 192.168.1.1 1337

resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo

Then download the OpenVPN client application and install it on your client computer.
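Instead of copying three separate files, the certificate material can be embedded in client.ovpn using OpenVPN's inline <ca>, <cert> and <key> blocks. This added example, not from the original post, builds such a file from a keys directory; it assumes the file names above and that the server address, port and output path are passed as arguments, and it creates the output with mode 0600 because it contains the private key.

```shell
#!/bin/sh
# Added example (not from the original post): produce one client.ovpn that embeds
# ca.crt, client.crt and client.key inline (OpenVPN's <ca>/<cert>/<key> blocks),
# so only a single file has to be copied to the client. $1 is the directory
# holding the three files, $2/$3 the server address and port, $4 the output path.

inline_block() {
    # wraps a PEM file in <tag>...</tag>
    printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"
}

build_client_ovpn() {
    keydir=$1; server=$2; port=$3; out=$4
    for f in ca.crt client.crt client.key; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    # subshell so the restrictive umask (0600 output) does not leak to the caller
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
comp-lzo
EOF
            inline_block ca   "$keydir/ca.crt"
            inline_block cert "$keydir/client.crt"
            inline_block key  "$keydir/client.key"
        } > "$out"
    )
}

# Demo with constructed placeholder files (not real certificates or keys):
demo=$(mktemp -d)
for f in ca.crt client.crt client.key; do printf 'PLACEHOLDER %s\n' "$f" > "$demo/$f"; done
build_client_ovpn "$demo" 192.168.1.1 1337 "$demo/client.ovpn" && cat "$demo/client.ovpn"
rm -rf "$demo"
```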
