yum -y install epel-release
yum --enablerepo=epel -y openvpn easy-rsa net-tools bridge-utils iptables-services mlocate wget htop nano
[EasyRSA3-OpenVPN-Howto] (https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto)
- On the CA, start a new PKI and build a CA keypair/cert:
./easyrsa init-pki
./easyrsa build-ca
- On each server system, generate a keypair and request. Normally these are left unencrypted by using the "nopass" argument since servers usually start up without any password input. This generates an unencrypted key, so protect its access and file permissions carefully.
./easyrsa init-pki
./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass
- On each client, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request on each client as follows:
./easyrsa init-pki
./easyrsa gen-req UNIQUE_CLIENT_SHORT_NAME
- Optionally, the private key can be left unencrypted on-disk with the additional nopass option after the name. This is not recommended unless automated VPN startup is required. Unencrypted private keys can be used by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.
-
Send the request files from each entity to the CA system. This is not security sensitive, though it is wise to verify the received file matches the sender's copy if the transport is untrusted.
-
On the CA, import each entity request file, giving it an arbitrary "short name" as follows. This basically just copies the request file into reqs/ under the PKI dir to prepare it for review and signing.
./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
- Review each request's details if you wish, then sign it as one of the types: server or client.
- (optional) review the request:
./easyrsa show-req UNIQUE_SHORT_FILE_NAME
- If you are signing as a client:
./easyrsa sign-req client UNIQUE_SHORT_FILE_NAME
- If you are signing as a server:
./easyrsa sign-req server UNIQUE_SHORT_FILE_NAME
-
The CA returns the signed certificate produced in the above step, and includes the CA certificate (ca.crt) unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid if the transport is untrusted.
On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive and are used only by an OpenVPN server.
./easyrsa gen-dh
openvpn --genkey --secret /etc/openvpn/ta.key
edit */etc/openvpn/server.conf
local $IP
port 9949
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /usr/share/easy-rsa/3.0.3/pki/private/server.key
dh /usr/share/easy-rsa/3.0.3/pki/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 0
explicit-exit-notify 1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/sbin/service iptables save
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
edit */etc/sysctl.d/01-sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
systemctl enable openvpn@server
systemctl enable iptables
client
dev tun
proto udp
remote $SERVER_IP 9949
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
persist-key
persist-tun
#VPN over TOR
;socks-proxy-retry
;socks-proxy 127.0.0.1 9050
mute-replay-warnings
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
</key>
#ca ca.crt
#cert client.crt
#key client.key
dhcp-option DNS 1.1.1.1
remote-cert-tls server
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
cipher AES-256-CBC
comp-lzo
verb 3
#For ubuntu (linux need script to update DNS)
script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf