Next, generate the CA certificate and key that will be used to sign certificates by running the commands below within the Easy-RSA directory. While still in the same Easy-RSA directory, execute the command below to generate the Diffie-Hellman key file, which is used for key exchange during the TLS handshake with connecting clients.
The command will take some time to complete. In order to invalidate a previously signed certificate, you need to generate a revocation certificate. Always use a unique common name for each client that you are generating a certificate and keys for. You can. OpenVPN comes with a sample configuration file within its documentation directory.
Next, navigate back to the EasyRSA directory and run the easyrsa script with the gen-req and nopass options, along with the common name for the client: Then, copy the client1. Now log in to your CA server. Then, navigate to the EasyRSA directory and import the certificate request:
Next, sign the request the same way as you did for the server in the previous step. This time, though, be sure to specify the client request type: When prompted, enter yes to confirm that you intend to sign the certificate request and that it came from a trusted source: This will create a client certificate file named client1. Transfer this file back to the server: Next, copy the ca. There are still a few actions that need to be performed with these files, but those will come in a later step.
For now, you can move on to configuring OpenVPN. Like many other widely used open-source tools, OpenVPN has numerous configuration options available to customize your server for your specific needs. First, copy the sample server. Open the new file for editing with the text editor of your choice. To begin, find the HMAC section of the configuration by searching for the tls-auth directive.
This line should already be uncommented. Comment it out by adding a ; to the beginning of the line. Then add a new line after it containing the value tls-crypt ta. Next, find the section on cryptographic ciphers by looking for the cipher lines.
Right after this line, add an auth directive to select the HMAC message digest algorithm. For this, SHA is a good choice: Next, find the line containing a dh directive, which defines Diffie-Hellman parameters. Comment out the existing line that looks like dh dh. The filename for the Diffie-Hellman key may be different from what is listed in the example server configuration file.
Then add a line after it with the contents dh none: Next, we want OpenVPN to run unprivileged once it has started, so we need to tell it to run with a user and group of nobody. To enable this, find and uncomment the user nobody and group nobody lines by removing the ; from the beginning of each line:
The settings above will create the VPN connection between your client and server, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your client traffic over the VPN, you will likely want to push some extra settings to the client computers. To get started, find and uncomment the line containing push "redirect-gateway def1 bypass-dhcp". Be aware that enabling this functionality can cause connectivity issues with other network services, like SSH:
Just below this line, find the dhcp-option section. Again, remove the ; from the beginning of both lines to uncomment them: If you need to use a different port because of restrictive network environments that your clients might be in, you can change the port option. If you are not hosting web content on your OpenVPN server, port is a popular choice since it is usually allowed through firewall rules.
To change OpenVPN to listen on port , open the server. Oftentimes, the protocol is restricted to that port as well. If so, find the proto line below the port line and change the protocol from udp to tcp: Find the explicit-exit-notify line at the end of the file and change the value to 0:
If you have no need to use a different port and protocol, it is best to leave these settings unchanged.
If you selected a different name during the. If you used the default name, server, this is already set correctly: You have now finished configuring your OpenVPN general settings. Next, a few of the server's networking settings need to be adjusted. The first of these is IP forwarding, a method for determining where IP traffic should be routed. This is essential to the VPN functionality that your server will provide. Now your OpenVPN server will be able to forward incoming traffic from one ethernet device to another.
This setting makes sure the server can direct traffic from clients that connect on the virtual VPN interface out over its other physical ethernet devices. In the next step you will need to configure some firewall rules to ensure that traffic to and from your OpenVPN server flows properly.
However, you have not yet provided OpenVPN with any instructions on where to send incoming web traffic from clients. You can stipulate how the server should handle client traffic by establishing some firewall rules and routing configurations. Assuming you followed the prerequisites at the start of this tutorial, you should already have firewalld installed and running on your server. Check this with the following command: If you do not see a trusted zone that lists the tun0 interface, run the following commands to add the VPN device to that zone:
Next, add the openvpn service to the list of services allowed by firewalld within your active zone, and then make that setting permanent by running the command again with the --permanent option added:
You can do this by first creating a shell variable (DEVICE in our example) that represents the primary network interface used by your server, and then using that variable to permanently add the routing rule: The commands with the --permanent flag ensure that the rules persist across reboots. The firewall-cmd --reload command makes sure that all outstanding changes to the firewall are applied.
With the firewall rules in place, we can start the OpenVPN service on the server. OpenVPN runs as a systemd service, so we can use systemctl to manage it. To do this, enable the OpenVPN service with systemctl: Double-check that the OpenVPN service is active with the following command. You should see active (running) in the output: Rather than writing a single configuration file that can only be used on one client, this step outlines a process for building a client configuration infrastructure which you can use to generate config files on the fly.
Get started by creating a new directory where you will store client configuration files within the client-configs directory you created earlier: Next, copy an example client configuration file into the client-configs directory to use as your base configuration: Inside, locate the remote directive. If you decided to change the port that the OpenVPN server is listening on, you will also need to change it to the port you selected:
Next, uncomment the user and group directives by removing the ; sign at the beginning of each line: As you can see, our client Linux system has been assigned an IP address of. And voila! Next, download your. You can now use this server as a VPN gateway to secure your web browsing activities.
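A generator for the per-client configuration files described above, added here as an example and not the tutorial's own script: it assumes the client-configs layout (keys/, base.conf, files/) and inlines the CA certificate, the client certificate and key, and ta.key into one .ovpn. The base_conf_ok check and the client-name validation are my additions, and the placeholder key files used for testing are constructed, not real credentials.

```shell
# Added example, not the tutorial's script: build one self-contained .ovpn per
# client by inlining ca.crt, NAME.crt, NAME.key and ta.key into the base config.
# The ~/client-configs layout (keys/, base.conf, files/) is assumed from the
# steps above.
set -eu
# wrap TAG FILE: emit FILE between <TAG> and </TAG> for OpenVPN inline mode.
wrap() { printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"; }
# base_conf_ok FILE: the base must not still point at external ca/cert/key or
# tls-auth/tls-crypt files, or the client will look for those files instead.
base_conf_ok() {
    ! grep -Eq '^(ca|cert|key|tls-auth|tls-crypt) ' "$1"
}
# make_client_config NAME KEY_DIR BASE_CONF OUT_DIR: writes OUT_DIR/NAME.ovpn
# and prints its path; fails rather than emit a half-built profile.
make_client_config() {
    name="$1"; key_dir="$2"; base="$3"; out_dir="$4"
    case "$name" in  # the name becomes a filename, so keep it to safe characters
        ''|*[!A-Za-z0-9._-]*) echo "bad client name: $name" >&2; return 1 ;;
    esac
    out="$out_dir/$name.ovpn"
    for f in "$base" "$key_dir/ca.crt" "$key_dir/$name.crt" \
             "$key_dir/$name.key" "$key_dir/ta.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    base_conf_ok "$base" || { echo "$base still references external files" >&2; return 1; }
    mkdir -p "$out_dir"
    rm -f "$out"
    # The profile embeds a private key: create it owner-readable only (0600).
    ( umask 077
      { cat "$base"
        wrap ca "$key_dir/ca.crt"
        wrap cert "$key_dir/$name.crt"
        wrap key "$key_dir/$name.key"
        wrap tls-crypt "$key_dir/ta.key"
      } > "$out" )
    echo "$out"
}
# Usage: sh make_config.sh client1   (paths are the assumed tutorial layout)
[ -z "${1:-}" ] || make_client_config "$1" ~/client-configs/keys \
    ~/client-configs/base.conf ~/client-configs/files
```

Distribute the resulting .ovpn over a channel you trust, since it carries the client's private key and the shared tls-crypt key.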