OpenVPN is often called an SSL-based VPN, as it uses the SSL/TLS protocol to secure the connection. However, OpenVPN server also uses HMAC in combination with a digest (or hashing) algorithm for ensuring the integrity of the packets delivered. It can be configured to use pre-shared keys as well as X.509 certificates. These features are not typically offered by other SSL-based VPNs.
What is a VPN?
Put simply, a VPN allows an administrator to create a "local" network between multiple computers on varying network segments. In some instances, those machines can be on the same LAN, they can be distant from each other across the vast Internet, or they can even be connected across a multitude of connection media such as wireless uplinks, satellite, dial-up-networking, and so on. The P in VPN comes from the added protection to make that virtual network private. Network traffic that is flowing over a VPN is often referred to as inside the (VPN) tunnel, compared to all the other traffic that is outside the tunnel.
Install & Configure OpenVPN server
To install and set up the OpenVPN server, first install the EPEL repository, which provides the openvpn rpm and its dependencies.
[root@node2 ~]# yum -y install epel-release
Once the repo is installed successfully, install the openvpn and easy-rsa rpms using the yum command.
[root@node2 ~]# yum -y install openvpn easy-rsa
Next, create a copy of the system easy-rsa directory under /etc/openvpn. Start by changing to the packaged easy-rsa 3 directory:
[root@node2 ~]# cd /usr/share/easy-rsa/3.0.3
Below is the list of files available under the easy-rsa 3 directory:
[root@node2 3.0.3]# ls -l
total 48
-rwxr-xr-x 1 root root 35985 Aug 22  2017 easyrsa
-rw-r--r-- 1 root root  4560 Sep  3  2015 openssl-1.0.cnf
drwxr-xr-x 2 root root  4096 Apr 16 19:05 x509-types
We will copy these files to our custom directory /etc/openvpn/easy-rsa/ and change into it:
[root@node2 3.0.3]# cp -rf * /etc/openvpn/easy-rsa/
[root@node2 3.0.3]# cd /etc/openvpn/easy-rsa/
[root@node2 easy-rsa]# ls -l
total 48
-rwxr-xr-x 1 root root 35985 Apr 16 19:11 easyrsa
drwxr-xr-x 2 root root  4096 Apr 16 19:09 keys
-rw-r--r-- 1 root root  4560 Apr 16 19:11 openssl-1.0.cnf
drwxr-xr-x 2 root root  4096 Apr 16 19:11 x509-types
Initialise Easy-RSA 3 PKI
The initialisation process cleans out the contents of the pki directory under easy-rsa 3 and creates the private and reqs subdirectories:
[root@node2 easy-rsa]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Generate CA Certificate
The build-ca sub-command first generates a Certificate Signing Request (CSR) under easy-rsa 3 and then self-signs that request. You will be prompted for a password to protect your CA key, along with some organisational information:
[root@node2 easy-rsa]# ./easyrsa build-ca
Generating a 2048 bit RSA private key
...........................+++
...........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.docNHm1tdU'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Generate Diffie-Hellman parameters
Next, generate the Diffie-Hellman parameters under easy-rsa 3. This step takes a while:
[root@node2 easy-rsa]# ./easyrsa gen-dh

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Generate a standalone keypair and request (CSR)
Next, generate a certificate for your OpenVPN server and sign it using the easy-rsa 3 script, easyrsa. In the example below, we create a key named "node2" to match the keys referenced in the OpenVPN server configuration file later in this article. We create this certificate without a password so that the OpenVPN server can access it without sysadmin interaction each time, but you will be prompted for the CA password when you sign the server certificate:
[root@node2 easy-rsa]# ./easyrsa gen-req node2 nopass
Generating a 2048 bit RSA private key
.....................................+++
.........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/node2.key.c8WE211mjv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [node2]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/node2.req
key: /etc/openvpn/easy-rsa/pki/private/node2.key
[root@node2 easy-rsa]# ./easyrsa sign server node2

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = node2

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'node2'
Certificate is to be certified until Apr 13 14:09:43 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/node2.crt
Copy certificates for OpenVPN server
Now we create an /etc/openvpn/keys directory and copy the keys and certificates the OpenVPN server needs from the easy-rsa 3 directory into it:
[root@node2 easy-rsa]# mkdir /etc/openvpn/keys/
[root@node2 easy-rsa]# chmod 750 /etc/openvpn/keys
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/keys/dh2048.pem
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/issued/node2.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/private/node2.key /etc/openvpn/keys/
Generate certificates for Client
Whenever you want to add a new user, change to the /etc/openvpn/easy-rsa directory and run the following commands to generate a certificate request and then sign it:
[root@node2 easy-rsa]# cd /etc/openvpn/easy-rsa
Here the client name is deepak; change it to suit your environment.
[root@node2 easy-rsa]# ./easyrsa gen-req deepak nopass
Generating a 2048 bit RSA private key
.............+++
...........................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/deepak.key.3h2S55BG8q'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [deepak]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/deepak.req
key: /etc/openvpn/easy-rsa/pki/private/deepak.key
[root@node2 easy-rsa]# ./easyrsa sign client deepak

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = deepak

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'deepak'
Certificate is to be certified until Apr 13 14:11:20 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/deepak.crt
Copy the client certificate and key to /etc/openvpn/keys/:
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/issued/deepak.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/private/deepak.key /etc/openvpn/keys/
Initial setup of the client/server mode
To set up a basic OpenVPN server, create the following server configuration file on the server side:
[root@node2 openvpn]# vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
comp-lzo
management 127.0.0.1 1194
keepalive 10 120
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
verb 3
server 172.16.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DOMAIN example.com"
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/node2.crt
key /etc/openvpn/keys/node2.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
Disable Firewall on server
For the sake of this article we will disable the firewall and SELinux, as they are outside its scope. I will write another article on firewall configuration for the OpenVPN server.
[root@node2 ~]# systemctl stop firewalld
[root@node2 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
SELinux is also disabled:
[root@node2 ~]# getenforce
Disabled
Enable and Start OpenVPN server
Now all our configuration on the OpenVPN server side is complete. Enable and start the service:
[root@node2 easy-rsa]# systemctl -f enable openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@node2 easy-rsa]# systemctl start openvpn@server.service
Check that the tunnel interface (tun0) has been created on the OpenVPN server:
[root@node2 openvpn]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.31/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.105/24 brd 192.168.0.255 scope global noprefixroute dynamic eth1
       valid_lft 3327sec preferred_lft 3327sec
    inet6 2401:4900:2742:d79f:a00:27ff:fe95:c3cd/64 scope global mngtmpaddr dynamic
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe95:c3cd/64 scope link
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.0.1 peer 172.16.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b522:32f4:7576:a549/64 scope link flags 800
       valid_lft forever preferred_lft forever
Next, copy the client certificate, key and CA certificate to the client node under /etc/openvpn:
[root@node2 keys]# scp /etc/openvpn/keys/deepak.* node3:/etc/openvpn/
Warning: Permanently added the ECDSA host key for IP address '10.0.2.32' to the list of known hosts.
root@node3's password:
deepak.crt                                    100% 4410     3.1MB/s   00:00
deepak.key                                    100% 1704     1.0MB/s   00:00
[root@node2 keys]# scp /etc/openvpn/keys/ca.crt node3:/etc/openvpn/
root@node3's password:
ca.crt                                        100% 1151   310.2KB/s   00:00
OpenVPN Client Configuration
Install the EPEL repo on the openvpn client node:
[root@node3 ~]# yum -y install epel-release
Next, install the openvpn rpm on the openvpn client node:
[root@node3 ~]# yum search openvpn
On the openvpn client side, the same openvpn package needs to be installed as on the server. Then create an /etc/openvpn/client.conf file with the following contents on the openvpn client node:
[root@node3 openvpn]# vim /etc/openvpn/client.conf
client
dev tun
proto udp
remote node2.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert deepak.crt
key deepak.key
comp-lzo
verb 3
ns-cert-type server
script-security 2
down /etc/openvpn/client.down
up /etc/openvpn/client.up
Replace node2.example.com with the hostname of your VPN server. Often, VPNs push their own DNS settings to the clients. If you want your resolv.conf to be updated automatically, you will also want a script to run when the VPN connects and disconnects so that resolv.conf is managed correctly. Copy the two scripts shipped with the openvpn package to your /etc/openvpn directory on the openvpn client node:
[root@node3 ~]# cp /usr/share/doc/openvpn-2.4.7/contrib/pull-resolv-conf/client.down /etc/openvpn/
[root@node3 ~]# cp /usr/share/doc/openvpn-2.4.7/contrib/pull-resolv-conf/client.up /etc/openvpn/
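As an added example (not part of the original article), here is a small Python linter that reads the server.conf and client.conf shown above and flags what a reviewer would raise before going live: comp-lzo, the management socket without a pw-file, the deprecated ns-cert-type, and the missing tls-crypt, cipher, user/group and auth-nocache directives (the last one is exactly what the client log warns about further down). The config strings are constructed, trimmed copies of the article's files; the finding texts are my summary of the OpenVPN documentation's guidance.

```python
"""Lint the server.conf and client.conf from this article for weak or missing
hardening directives. Added example, not part of the original post."""
from typing import Dict, List

# Constructed copies of the article's configs, trimmed to the directives the
# linter inspects (routing, logging, keepalive and script lines omitted).
SERVER_CONF = """
port 1194
proto udp
dev tun
comp-lzo
management 127.0.0.1 1194
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/node2.crt
key /etc/openvpn/keys/node2.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
"""
CLIENT_CONF = """
client
dev tun
proto udp
remote node2.example.com 1194
ca ca.crt
cert deepak.crt
key deepak.key
comp-lzo
ns-cert-type server
script-security 2
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map directive -> args. '#'/';' comments and blank lines are dropped;
    quoting is not interpreted, which is enough for linting."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def lint(conf: Dict[str, List[str]], role: str) -> List[str]:
    """Return findings for a parsed config; role is 'server' or 'client'."""
    f: List[str] = []
    if "comp-lzo" in conf or "compress" in conf:
        f.append("comp-lzo: compression enables compression-oracle attacks (VORACLE); remove it")
    if "tls-crypt" not in conf and "tls-auth" not in conf:
        f.append("no tls-crypt/tls-auth: control-channel packets carry no pre-TLS HMAC")
    if "cipher" not in conf:
        f.append("no cipher: OpenVPN 2.4 defaults to BF-CBC unless NCP negotiates AES-256-GCM")
    if role == "server":
        mgmt = conf.get("management")
        if mgmt is not None and len(mgmt) < 3:  # third argument is the pw-file
            f.append("management without pw-file: any local user can control the daemon")
        if "user" not in conf or "group" not in conf:
            f.append("no user/group: daemon keeps root after start-up; add user/group nobody")
    else:
        if "ns-cert-type" in conf:
            f.append("ns-cert-type is deprecated (removed in 2.5); use remote-cert-tls server")
        elif "remote-cert-tls" not in conf:
            f.append("no remote-cert-tls server: any CA-issued cert, even a client's, passes as the server")
        if "auth-nocache" not in conf:
            f.append("no auth-nocache: OpenVPN warns at start-up that credentials may be cached")
    return f


if __name__ == "__main__":
    for name, text, role in (("server.conf", SERVER_CONF, "server"),
                             ("client.conf", CLIENT_CONF, "client")):
        for item in lint(parse_conf(text), role):
            print("%s: %s" % (name, item))
```

Run it against your own files with `lint(parse_conf(open(path).read()), "server")`; an empty list means none of the checks fired.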
Finally, be sure that the ca.crt, deepak.crt and deepak.key files that you copied from the server are in your /etc/openvpn directory:
[root@node3 ~]# cd /etc/openvpn/
Make sure that deepak.key is not world-readable on the openvpn client:
[root@node3 openvpn]# chmod 640 deepak.key
Also make client.down and client.up executable:
[root@node3 openvpn]# chmod u+x client.down client.up
Verify the files and their permissions on the openvpn client node:
[root@node3 openvpn]# ls -l
total 36
-rw-------. 1 root root    1151 Apr 16 19:55 ca.crt
drwxr-x---. 2 root openvpn 4096 Apr 16 20:43 client
-rw-r--r--. 1 root root     259 Apr 16 20:49 client.conf
-rwxr--r--. 1 root root    1698 Apr 16 19:48 client.down
-rwxr--r--. 1 root root    2928 Apr 16 19:48 client.up
-rw-------. 1 root root    4410 Apr 16 19:55 deepak.crt
-rw-r-----. 1 root root    1704 Apr 16 19:55 deepak.key
drwxr-x---. 2 root openvpn 4096 Apr 16 19:58 server
Disable Firewall on client
I will disable the firewall and SELinux on my openvpn client for this article, as covering them would make it too long. I may write another article with the firewall rules needed to install and configure OpenVPN.
[root@node3 ~]# systemctl stop firewalld
[root@node3 ~]# systemctl disable firewalld
SELinux is also disabled:
[root@node3 ~]# getenforce
Disabled
Enable and start OpenVPN Client Service
All our configuration on the openvpn client side is complete, so we can enable and start the openvpn client service:
[root@node3 openvpn]# systemctl -f enable openvpn@client.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@client.service to /usr/lib/systemd/system/openvpn@.service.
[root@node3 openvpn]# systemctl start openvpn@client.service
Check the status of the service on the openvpn client to make sure there are no errors:
[root@node3 openvpn]# systemctl status openvpn@client.service
● openvpn@client.service - OpenVPN Robust And Highly Flexible Tunneling Application On client
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2019-04-16 19:56:58 IST; 2min 53s ago
Main PID: 11281 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
└─11281 /usr/sbin/openvpn --cd /etc/openvpn/ --config client.conf
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 ROUTE_GATEWAY 10.0.2.2/255.0.0.0 IFACE=eth0 HWADDR=08:00:27:df:87:41
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 TUN/TAP device tun0 opened
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 TUN/TAP TX queue length set to 100
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip link set dev tun0 up mtu 1500
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip addr add dev tun0 local 172.16.0.6 peer 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /etc/openvpn/client.up tun0 1500 1553 172.16.0.6 172.16.0.5 init
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip route add 192.168.0.0/24 via 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip route add 172.16.0.1/32 via 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 Initialization Sequence Completed
If all is good, the tunnel interface (tun0) will have been created on our openvpn client:
[root@node3 openvpn]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.32/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global noprefixroute dynamic eth1
       valid_lft 75484sec preferred_lft 75484sec
    inet6 fe80::19d9:1da:ac06:fec0/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.0.6 peer 172.16.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::55b6:ffb9:2cee:5343/64 scope link flags 800
       valid_lft forever preferred_lft forever
You can verify that the connection is functioning correctly by pinging the VPN address of the server:
From the openvpn client:
[root@node3 openvpn]# ping -c 4 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=1.51 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=2.03 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=2.56 ms
64 bytes from 172.16.0.1: icmp_seq=4 ttl=64 time=2.34 ms
--- 172.16.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3078ms
rtt min/avg/max/mdev = 1.514/2.115/2.565/0.394 ms
From the openvpn server:
[root@node2 openvpn]# ping -c 4 172.16.0.6
PING 172.16.0.6 (172.16.0.6) 56(84) bytes of data.
64 bytes from 172.16.0.6: icmp_seq=1 ttl=64 time=1.32 ms
64 bytes from 172.16.0.6: icmp_seq=2 ttl=64 time=1.50 ms
64 bytes from 172.16.0.6: icmp_seq=3 ttl=64 time=37.9 ms
64 bytes from 172.16.0.6: icmp_seq=4 ttl=64 time=4.08 ms
--- 172.16.0.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3060ms
rtt min/avg/max/mdev = 1.323/11.221/37.974/15.484 ms
So our VPN configuration is working as expected.
Lastly, I hope the steps in this article to install and configure OpenVPN Server and Easy-RSA 3 on RHEL/CentOS 7 were helpful. Let me know your suggestions and feedback in the comment section.
This is a great tutorial, seems to be about the most succinct set of steps out there — except for one very important detail. The “common name” entered for the server cert needs to be the FQDN of the server, or TLS negotiation between the OpenVPN client and server will fail.
Hello,
Here is the summary of why it failed to bring up ipsec – for the benefit of others.
I was trying to bring up openvpn ipsec tunnel between two Centos 7 VM’s deployed in Azure and AWS.
openVPN Client VM was setup in Azure and the openVPN VM server was setup in AWS. However I think/guess the Centos 7 is packaged differently in both of these clouds (this is what I concluded).
So I created another VPC in AWS itself and brought up an openVPN client (remember this client was set up in Azure and failed to come up), installed all the required ca/client certs and config files. Finally I was able to bring up the ipsec tunnel.
Thanks.,
Laxmana
Thank you for sharing.
Almost the entire set of instructions is perfect. One mistake and one failure at the very end while enabling the client. No clue, any help is highly appreciated.
1) The mistake is yum -y install openvpn easyrsa (here easyrsa is incorrect. easy-rsa is correct one)
2) why it fails no clue, please help
[root@openvpnclient client]# systemctl -f enable openvpn@client.service
Failed to enable unit: Unit file openvpn@client.service does not exist.
[root@openvpnclient client]#
Hi Laxmana,
Thanks for highlighting the typo. I have corrected it.
For (2), I would need more details to help you. Anything from the logs.
Thank you!!! I was following along with a course and I’m on CentOS 7.7 and the course was using CentOS 7.2. Slight differences but easyrsa was version 2.0 in the course vice version 3.0.6 in CentOS 7.7. Your post was very timely and walked me through the installation flawlessly. Again, many thanks.
Hi,
How do I set up my client configuration if it's a phone? Is there something that I need to download or copy to my phone?
Thanks!
Jimar