How To Set Up and Configure an OpenVPN Server on Linux

A Virtual Private Network (VPN) is a trusted private network in a remote location that you can connect to over the internet and become part of, as if you were physically present there. A VPN has many use cases, but it is mostly used to traverse untrusted networks as if you were on a private network. It lets you access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop. More information: What is a virtual private network (VPN)?
OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. More information about OpenVPN can be found on Wikipedia.

Prerequisites:

  • Virtual Private Server (VPS) or a Virtual Machine (VM) running CentOS. This procedure also works on Red Hat Enterprise Linux, CentOS, AlmaLinux, and Amazon Linux 2.
  • Non-root sudo user to manage the server
  • Firewalld
  • (Optional) An advanced setup with another VPS acting as a private Certificate Authority (CA) server. The official OpenVPN documentation recommends that the CA server is installed on a standalone machine that is dedicated to importing and signing certificate requests. Having the CA and OpenVPN share the same server increases the risk of security vulnerabilities. Depending on your use case, follow these recommendations to increase your security.
  • OpenVPN client to use for connecting to the OpenVPN server. Visit our guide on How to Generate OpenVPN Client Configuration Files.

Procedures:

Installing OpenVPN and Easy-RSA

In this section OpenVPN will be installed, along with Easy-RSA, which will be used to generate the certificates and keys needed for authentication, security, and encryption.
  1. Create a non-root sudo user.
  2. Install EPEL, OpenVPN, and Easy-RSA using yum or dnf, depending on how your operating system was set up.
Make a "vpn" directory inside the home directory, for example "/home/vpn". Add another directory for "easy-rsa" inside the newly created vpn directory, for example "/home/vpn/easy-rsa".
Create a symlink from the easyrsa script that the package installed into the "/home/vpn/easy-rsa" directory you just created. Do not copy the easy-rsa directory or install it manually by downloading and extracting the files into "/home/vpn/easy-rsa"; doing so would prevent you from getting future updates automatically.
Secure the directory by changing its ownership to the non-root sudo user (greens247 in this example) and restrict access to it using chmod.
Creating a PKI for OpenVPN
Easy-RSA is a public key infrastructure (PKI) management tool; we will use it to generate the public and private certificates and keys for the server and users. We will set up a local PKI directory to handle the management of the public key infrastructure.

In this section you will need to use a text editor; Linux comes with the vi text editor by default. If vi is too advanced for you, you can try the more user-friendly nano text editor instead. We will use the default vi text editor in this knowledge base article to set up the local PKI directory.

Populate the PKI vars file with default values that will be used repeatedly later on. This reduces the manual input for repeated tasks when generating certificates.

Once the file is opened, press the Insert key on your keyboard to allow input in the file. Enter the following values as shown in the example below. These values ensure that your private keys and certificate requests are configured to use modern Elliptic Curve Cryptography (ECC) to generate keys and secure signatures for your clients and OpenVPN server. This improves security and performance because using ECC for key exchange is significantly faster than other methods like using plain Diffie-Hellman with the classic RSA algorithm. After adding the values to the file, save the file by pressing "shift+;" or ":", then typing "wq" (write and quit) and hitting enter.

Initialize the PKI inside the "/home/vpn/easy-rsa" directory

Output

This step can be done on this server, or, as a more advanced (optional) approach, all of the above can be done on another server without installing OpenVPN, so that it becomes a private Certificate Authority (CA) server. You can refer to the optional prerequisite step for more information on the advanced approach. We need to add some lines to the vars file we created earlier because we are setting up the CA server and the OpenVPN server on the same machine.
After adding the variables, save the file. The file can be saved by pressing "shift+;" or ":" then typing "wq" (write and quit) and hit enter. Now we create the root public and private key pair for your Certificate Authority.
Output
Your OpenSSL version and date may be different, and that is alright. Choose a strong passphrase and note it down somewhere safe. You will need to input the passphrase any time you interact with your CA, for example to sign or revoke a certificate. If you do not want to type a passphrase every time you interact with the CA, replace the "./easyrsa build-ca" line above with "./easyrsa build-ca nopass" instead.
You will be asked for a common name; input "Greens247 CA" as an example, or hit enter to use the default value "Easy-RSA CA".
Output
Creating an OpenVPN Server Certificate Request and Private Key

In this section we will generate a private key and a Certificate Signing Request (CSR) on the OpenVPN server. (Optional) If you are following the advanced approach, you will have to transfer the request to your CA server to be signed, creating the required certificate, and transfer it back to the OpenVPN server. In this example we will import the request into the CA directly on the same server, since we have both OpenVPN and the CA on the same server. Once you have a signed certificate, we will use it directly in the OpenVPN configuration.

The nopass option is included in the next command to avoid password-protecting the request file, which could lead to permission issues later on.

You will have to input a common name; use your server's IP address. The server key will be generated once you hit enter.

Signing the OpenVPN Server’s Certificate Request

If you are using the (optional) advanced approach, you will need to transfer the above files to the CA server and use the following command to import the server request. In this example we do not need to import server.req because it is already there. Skip the next command if you are not using the (optional) advanced approach.

Sign the server request. You will be asked to confirm the signing request by typing "yes"; you will then be asked to input the passphrase you created for the CA certificate to approve signing the server certificate request.

Output

The resulting server.crt file contains the OpenVPN server's public key, as well as a signature from the CA. This tells any device that trusts the CA that it can also trust the OpenVPN server when connecting to it. If you are using the (optional) advanced approach, you will need to copy server.crt and ca.crt from the CA server to the OpenVPN server. In this example, we will not do that.
Configuring OpenVPN Cryptographic Material
We will use the OpenVPN tls-crypt directive to protect the OpenVPN server from unauthenticated traffic, port scans, and Denial of Service attacks, which can tie up server resources. tls-crypt encrypts and authenticates the TLS control channel with a pre-shared key, which hides the certificate exchange and makes it harder to identify OpenVPN network traffic. Use the following command to generate the tls-crypt pre-shared key.
Configuring OpenVPN
Copy the sample server.conf file as a starting point and amend it as necessary. You may replace the "*" with the version number; just make sure you are copying from the latest OpenVPN release directory on your system.
Copy the certificates to the OpenVPN server directory, and open the config file with the vi text editor.
Make sure you change the following variables in the file to match the values below. Any line beginning with ";" is a comment, so the directive on that line is disabled.
Save the file by pressing "shift+;" or ":" then typing "wq" (write and quit) and hit enter.
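As an added example that is not part of the original article, the following shell script checks a server.conf against the settings this guide uses (TCP port 443, dev tun, the 10.8.0.0/24 subnet and tls-crypt), treating any line that starts with ";" or "#" as disabled. The expected values are assumptions taken from this guide, so adjust them if your configuration differs.

```shell
# Added example, not from the original article: check that an OpenVPN
# server.conf really enables the settings this guide asks for. A line that
# begins with ";" or "#" is a comment, so a directive that appears only
# commented out counts as disabled. Expected values are assumptions.
# Print "active", "disabled" or "missing" for one directive name.
directive_state() {
    if grep -qE "^[[:space:]]*$2([[:space:]]|$)" "$1"; then echo active
    elif grep -qE "^[[:space:]]*[;#][[:space:]]*$2([[:space:]]|$)" "$1"; then echo disabled
    else echo missing; fi
}
# Print the arguments of the first active occurrence of a directive.
directive_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]+$//"
}
# Check each "name|expected" pair; prints one FAIL line per problem and
# returns 0 only when every required directive is active with its value.
check_server_conf() {
    rc=0
    while IFS='|' read -r name want; do
        state=$(directive_state "$1" "$name")
        if [ "$state" != active ]; then
            echo "FAIL $name is $state"; rc=1; continue
        fi
        got=$(directive_value "$1" "$name")
        if [ "$got" != "$want" ]; then
            echo "FAIL $name is '$got', expected '$want'"; rc=1
        fi
    done <<EOF
port|443
proto|tcp
dev|tun
server|10.8.0.0 255.255.255.0
tls-crypt|ta.key
EOF
    return $rc
}
# Constructed sample: port/proto still at the sample file's defaults and
# tls-crypt still commented out, so the check reports three failures.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
port 1194
;proto tcp
proto udp
dev tun
server 10.8.0.0 255.255.255.0
;tls-crypt ta.key
EOF
check_server_conf "$SAMPLE_CONF" || echo "server.conf needs fixing"
```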
Adjusting the OpenVPN Server Networking Configuration
For OpenVPN to route traffic properly, we need to enable IP forwarding; edit the following file. We are using an IPv4 public IP in this example.
Add the following lines in the file and add "#" at the beginning of any other line in the file to disable it.
Save the file by pressing "shift+;" or ":" then typing "wq" (write and quit) and hit enter.
To ensure that the values were properly saved, and to reload them, use the following command.
Output
Firewall Configuration
Make sure firewalld is installed and running, as stated in the prerequisites earlier. OpenVPN needs the firewall to be configured to allow OpenVPN traffic and to route traffic to VPN clients properly. Add the VPN tunnel interface "tun0" and the OpenVPN service to the firewall's trusted zone. We also need to allow https because we are using TCP port 443 in this guide as the OpenVPN port. After adding the firewall rules, reload the firewall for the changes to take effect.

Check that the service was added correctly.

Output
Because the clients share the public IP address of the server, we need to configure Network Address Translation (NAT). This can be achieved on firewalld using masquerade. The last command checks whether masquerade was enabled properly.
Output
A specific masquerade rule needs to be added for the OpenVPN subnet used in the OpenVPN configuration file ("server.conf"); in this example the subnet is "10.8.0.0/24". Create a shell variable (DEVICE in this example) that represents the primary network interface used by the server, then use that variable to permanently add the routing rule. After adding the rule, reload the firewall for the changes to take effect using the last line in the following commands.
Starting OpenVPN
Enable and start the OpenVPN service, and confirm that the service is active using the last command. If the output contains "Active: active (running)", then OpenVPN has been set up successfully.
Output
Congratulations, you have now successfully completed setting up OpenVPN Server.
Start generating OpenVPN client configuration files, including certificates and keys, by opening How to Generate OpenVPN Client Configuration Files.
