Install & Configure OpenVPN Server Easy-RSA 3 (RHEL/CentOS 7) in Linux



OpenVPN is often called an SSL-based VPN, as it uses the SSL/TLS protocol to secure the connection. However, OpenVPN server also uses HMAC in combination with a digest (or hashing) algorithm for ensuring the integrity of the packets delivered. It can be configured to use pre-shared keys as well as X.509 certificates. These features are not typically offered by other SSL-based VPNs.


What is a VPN?

Put simply, a VPN allows an administrator to create a "local" network between multiple computers on varying network segments. In some instances, those machines can be on the same LAN, they can be distant from each other across the vast Internet, or they can even be connected across a multitude of connection media such as wireless uplinks, satellite, dial-up networking, and so on. The P in VPN comes from the added protection to make that virtual network private. Network traffic that is flowing over a VPN is often referred to as inside the (VPN) tunnel, compared to all the other traffic that is outside the tunnel.

 

Install & Configure OpenVPN server

To install and set up the OpenVPN server, first install the EPEL repo, from which we can install the openvpn rpm and its dependencies.

[root@node2 ~]# yum -y install epel-release

Once the repo is installed successfully, install the openvpn and easy-rsa rpms using yum.

[root@node2 ~]# yum -y install openvpn easy-rsa
NOTE:
Easy-RSA 3 has a completely different set of scripts compared to version 2, but the general idea of creating a CA and creating server and client keys is similar in Easy-RSA 3.

We will copy the easy-rsa 3 files that ship with the package into /etc/openvpn/easy-rsa/ and work from there. First, change to the system easy-rsa directory:

[root@node2 ~]# cd /usr/share/easy-rsa/3.0.3

Below is the list of files in the easy-rsa 3 directory:

[root@node2 3.0.3]# ls -l
total 48
-rwxr-xr-x 1 root root 35985 Aug 22  2017 easyrsa
-rw-r--r-- 1 root root  4560 Sep  3  2015 openssl-1.0.cnf
drwxr-xr-x 2 root root  4096 Apr 16 19:05 x509-types

We will copy these files to our custom directory /etc/openvpn/easy-rsa/

[root@node2 3.0.3]# cp -rf * /etc/openvpn/easy-rsa/

[root@node2 3.0.3]# cd /etc/openvpn/easy-rsa/

[root@node2 easy-rsa]# ls -l
total 48
-rwxr-xr-x 1 root root 35985 Apr 16 19:11 easyrsa
drwxr-xr-x 2 root root  4096 Apr 16 19:09 keys
-rw-r--r-- 1 root root  4560 Apr 16 19:11 openssl-1.0.cnf
drwxr-xr-x 2 root root  4096 Apr 16 19:11 x509-types

 

Initialise Easy-RSA 3 PKI

In this case, the initialisation process cleans out the contents of the pki directory under easy-rsa 3, and creates the private and reqs subdirectories.

[root@node2 easy-rsa]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

 

Generate CA Certificate

The build-ca sub command first generates a Certificate Signing Request (CSR) under easy-rsa 3, and subsequently self-signs that request. You will be prompted for a password to use for your CA key along with some organisational information.

IMPORTANT NOTE:
You will need to enter this password any time you sign a certificate request for a server or client certificate:
[root@node2 easy-rsa]# ./easyrsa build-ca
Generating a 2048 bit RSA private key
...........................+++
...........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.docNHm1tdU'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

 

Generate Diffie-Hellman parameters

Next, with the CA already initialised and built above, generate the Diffie-Hellman parameters with easy-rsa 3:

[root@node2 easy-rsa]# ./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

 

Generate a standalone keypair and request (CSR)

Next, generate a certificate for your OpenVPN server and sign it using the easy-rsa 3 script, easyrsa. In the example below, we create a key named “node2” to match the cert and key we reference in the OpenVPN server configuration file later in this article. We create this key without a passphrase so that the OpenVPN server can read it without sysadmin interaction on every start, but you will be prompted for the CA password when you sign the server certificate:

[root@node2 easy-rsa]# ./easyrsa gen-req node2 nopass
Generating a 2048 bit RSA private key
.....................................+++
.........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/node2.key.c8WE211mjv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [node2]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/node2.req
key: /etc/openvpn/easy-rsa/pki/private/node2.key

[root@node2 easy-rsa]# ./easyrsa sign server node2

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = node2


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'node2'
Certificate is to be certified until Apr 13 14:09:43 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/node2.crt

 

Copy certificates for OpenVPN server

Now we create an /etc/openvpn/keys directory and copy the important keys and certificates we need for OpenVPN server from the easy-rsa 3 directory there:

[root@node2 easy-rsa]# mkdir /etc/openvpn/keys/
[root@node2 easy-rsa]# chmod 750 /etc/openvpn/keys
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/keys/dh2048.pem
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/issued/node2.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/private/node2.key /etc/openvpn/keys/

 

Generate certificates for Client

Whenever you want to add a new user, change to the /etc/openvpn/easy-rsa directory and run the following commands to generate a certificate request and then sign it:

[root@node2 easy-rsa]# cd /etc/openvpn/easy-rsa

Here I am using deepak as the client name; you can change it according to your environment.

[root@node2 easy-rsa]# ./easyrsa gen-req deepak nopass
Generating a 2048 bit RSA private key
.............+++
...........................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/deepak.key.3h2S55BG8q'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [deepak]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/deepak.req
key: /etc/openvpn/easy-rsa/pki/private/deepak.key
[root@node2 easy-rsa]# ./easyrsa sign client deepak

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = deepak


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'deepak'
Certificate is to be certified until Apr 13 14:11:20 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/deepak.crt

Copy the client keys to /etc/openvpn/keys/

[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/issued/deepak.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/private/deepak.key /etc/openvpn/keys/

 

Initial setup of the client/server mode

To set up a basic OpenVPN server, we first create a server configuration file. Create the following file on the server side with the entries below:

[root@node2 openvpn]# vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
comp-lzo
management 127.0.0.1 1194
keepalive 10 120
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
verb 3
server 172.16.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DOMAIN example.com"
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/node2.crt
key /etc/openvpn/keys/node2.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem

 

Disable Firewall on server

For the sake of this article we will disable the firewall and SELinux, as configuring them is outside its scope. I will write another article covering the firewall configuration for an OpenVPN server.

[root@node2 ~]# systemctl stop firewalld
[root@node2 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

SELinux is also disabled

[root@node2 ~]# getenforce
Disabled

 

Enable and Start OpenVPN server

Now all our configuration on the openvpn server side is complete. Enable and start the service.

[root@node2 easy-rsa]# systemctl -f enable openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.

[root@node2 easy-rsa]# systemctl start openvpn@server.service

Check that the tunnel interface has been created on the OpenVPN server:

[root@node2 openvpn]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.31/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.105/24 brd 192.168.0.255 scope global noprefixroute dynamic eth1
       valid_lft 3327sec preferred_lft 3327sec
    inet6 2401:4900:2742:d79f:a00:27ff:fe95:c3cd/64 scope global mngtmpaddr dynamic
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe95:c3cd/64 scope link
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.0.1 peer 172.16.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b522:32f4:7576:a549/64 scope link flags 800
       valid_lft forever preferred_lft forever

Next, copy the client certificates to the client node under /etc/openvpn.

NOTE:
Before copying these certificate files make sure openvpn rpm is installed on the client node.
[root@node2 keys]# scp /etc/openvpn/keys/deepak.* node3:/etc/openvpn/
Warning: Permanently added the ECDSA host key for IP address '10.0.2.32' to the list of known hosts.
root@node3's password:
deepak.crt                                                                                100% 4410     3.1MB/s   00:00
deepak.key                                                                                100% 1704     1.0MB/s   00:00

[root@node2 keys]# scp /etc/openvpn/keys/ca.crt node3:/etc/openvpn/
root@node3's password:
ca.crt                                                                                    100% 1151   310.2KB/s   00:00

 

OpenVPN Client Configuration

Install the EPEL repo on the openvpn client node

[root@node3 ~]# yum -y install epel-release

Next, install the openvpn rpm on the openvpn client node (here we first search the repo for it):

[root@node3 ~]# yum search openvpn

On the openvpn client side, the same openvpn package needs to be installed as on the server. Then create an /etc/openvpn/client.conf file with the following contents on the openvpn client node

[root@node3 openvpn]# vim /etc/openvpn/client.conf
client
dev tun
proto udp
remote node2.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert deepak.crt
key deepak.key
comp-lzo
verb 3
ns-cert-type server
script-security 2
down /etc/openvpn/client.down
up /etc/openvpn/client.up
NOTE:
Here replace node2.example.com with your VPN server.
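The server.conf created earlier and the client.conf here have to agree on transport and compression, and a reviewer would also look for the hardening directives neither file sets (tls-auth/tls-crypt, a pw-file on the management interface, privilege drop on the server, remote-cert-tls in place of the deprecated ns-cert-type). The following lint is an added example, not part of the original article or of OpenVPN; the two configs it reads are copied from the article and trimmed to the directives it checks.

```python
"""Lint this article's server.conf and client.conf for agreement and hardening gaps."""
import shlex


def parse(conf):
    """Return [(directive, [args])], dropping blank lines and # or ; comments."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps push "route a b" as one argument
            entries.append((parts[0], parts[1:]))
    return entries


def first(entries, name):
    return next((args for d, args in entries if d == name), None)


def has(entries, *names):
    return any(d in names for d, _ in entries)


def check_pair(server_conf, client_conf):
    """Return sorted finding codes for a server/client config pair."""
    s, c = parse(server_conf), parse(client_conf)
    out = set()
    # Transport must agree: proto, and the client's remote port vs the server's port.
    if first(s, "proto") != first(c, "proto"):
        out.add("proto-mismatch")
    port, remote = first(s, "port"), first(c, "remote")
    if port and remote and len(remote) > 1 and remote[1] != port[0]:
        out.add("port-mismatch")
    # Compression must match on both ends; comp-lzo is deprecated and compression is discouraged.
    s_comp, c_comp = has(s, "comp-lzo", "compress"), has(c, "comp-lzo", "compress")
    if s_comp != c_comp:
        out.add("comp-mismatch")
    elif s_comp:
        out.add("compression-enabled")
    # Control channel: tls-auth or tls-crypt on both ends; on neither is a gap.
    s_ta, c_ta = has(s, "tls-auth", "tls-crypt"), has(c, "tls-auth", "tls-crypt")
    if s_ta != c_ta:
        out.add("tls-auth-mismatch")
    elif not s_ta:
        out.add("no-tls-auth")
    # Management interface without a pw-file (third argument) is open to any local process.
    mgmt = first(s, "management")
    if mgmt and len(mgmt) < 3:
        out.add("management-no-password")
    # The server should drop root after startup.
    if not (has(s, "user") and has(s, "group")):
        out.add("no-privilege-drop")
    # The client must check the peer is a server cert; ns-cert-type was superseded by remote-cert-tls.
    if has(c, "ns-cert-type"):
        out.add("ns-cert-type-deprecated")
    elif not has(c, "remote-cert-tls", "verify-x509-name"):
        out.add("no-server-cert-check")
    return sorted(out)


# Constructed input: the article's two configs, trimmed to the directives the checks read.
SERVER_CONF = """\
port 1194
proto udp
comp-lzo
management 127.0.0.1 1194
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/node2.crt
key /etc/openvpn/keys/node2.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
"""

CLIENT_CONF = """\
client
proto udp
remote node2.example.com 1194
ca ca.crt
cert deepak.crt
key deepak.key
comp-lzo
ns-cert-type server
"""
```

Run against the article's pair, check_pair reports the five hardening gaps and no mismatches; a pair that adds tls-crypt, a management pw-file, user/group nobody and remote-cert-tls server reports nothing.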

Often, VPNs will push their own DNS settings to the clients. If you want your resolv.conf updated automatically, you will also want a script to run when the VPN connects and disconnects to manage resolv.conf correctly. Copy the two scripts shipped with the openvpn package to your /etc/openvpn directory on the openvpn client node:

[root@node3 ~]# cp /usr/share/doc/openvpn-2.4.7/contrib/pull-resolv-conf/client.down /etc/openvpn/
[root@node3 ~]# cp /usr/share/doc/openvpn-2.4.7/contrib/pull-resolv-conf/client.up /etc/openvpn/

Finally, be sure that the ca.crt, deepak.crt, and deepak.key files that you copied from the server are in your /etc/openvpn directory:

[root@node3 ~]# cd /etc/openvpn/

Make sure that deepak.key is not world-readable on the openvpn client:

[root@node3 openvpn]# chmod 640 deepak.key

Also make client.down and client.up executable:

[root@node3 openvpn]# chmod u+x client.down client.up

Verify the files and their permissions on the openvpn client node

[root@node3 openvpn]# ls -l
total 36
-rw-------. 1 root root    1151 Apr 16 19:55 ca.crt
drwxr-x---. 2 root openvpn 4096 Apr 16 20:43 client
-rw-r--r--. 1 root root     259 Apr 16 20:49 client.conf
-rwxr--r--. 1 root root    1698 Apr 16 19:48 client.down
-rwxr--r--. 1 root root    2928 Apr 16 19:48 client.up
-rw-------. 1 root root    4410 Apr 16 19:55 deepak.crt
-rw-r-----. 1 root root    1704 Apr 16 19:55 deepak.key
drwxr-x---. 2 root openvpn 4096 Apr 16 19:58 server
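The permission steps above can be checked rather than eyeballed. The following audit is an added example, not from the original article or the OpenVPN project: it inspects the /etc/openvpn layout shown in the ls -l output (file names and modes are those from the article) and also flags up/down scripts writable by group or others, since with script-security 2 they run as root on every connect. build_sample_dir is a constructed fixture that recreates that layout in a temporary directory.

```python
"""Audit the client's /etc/openvpn directory from this article for permission mistakes."""
import os
import stat
import tempfile

# Files the article's client.conf references, with the modes its ls -l output shows.
EXPECTED = {"ca.crt": 0o600, "deepak.crt": 0o600, "deepak.key": 0o640,
            "client.up": 0o744, "client.down": 0o744, "client.conf": 0o644}
SCRIPTS = ("client.up", "client.down")


def audit_dir(path):
    """Return sorted findings: missing files, leaked private keys, unsafe up/down scripts."""
    findings = set()
    for name in EXPECTED:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            findings.add(f"missing:{name}")
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        # The article sets the key to 640: group-readable is tolerated, world-readable is a leak.
        if name.endswith(".key") and mode & stat.S_IROTH:
            findings.add(f"world-readable:{name}")
        # With script-security 2 the up/down scripts run as root on every connect, so they
        # must be executable by the owner and must never be writable by group or others.
        if name in SCRIPTS:
            if not mode & stat.S_IXUSR:
                findings.add(f"not-executable:{name}")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.add(f"writable-by-others:{name}")
    return sorted(findings)


def build_sample_dir(overrides=None):
    """Constructed fixture: recreate the article's layout in a temp dir. `overrides` maps a
    file name to a replacement mode, or to None to leave that file out."""
    root = tempfile.mkdtemp(prefix="openvpn-audit-")
    for name, mode in {**EXPECTED, **(overrides or {})}.items():
        if mode is None:
            continue
        full = os.path.join(root, name)
        with open(full, "w") as fh:
            fh.write("# placeholder content, not a real key or certificate\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    # Audit the real directory when present, otherwise the constructed fixture.
    target = "/etc/openvpn" if os.path.isdir("/etc/openvpn") else build_sample_dir()
    print(audit_dir(target))
```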

 

Disable Firewall on client

For this article I will also disable the firewall and SELinux on my openvpn client, as covering them would make the article too long. I may write another article with the firewall rules to install and configure OpenVPN.

[root@node3 ~]# systemctl stop firewalld
[root@node3 ~]# systemctl disable firewalld

SELinux is also disabled

[root@node3 ~]# getenforce
Disabled

 

Enable and start OpenVPN Client Service

All our configuration on the openvpn client side is complete, so we can enable and start the openvpn client service.

[root@node3 openvpn]# systemctl -f enable openvpn@client.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@client.service to /usr/lib/systemd/system/openvpn@.service.

[root@node3 openvpn]# systemctl start openvpn@client.service

Check the status of the service on the openvpn client to make sure there are no errors:

[root@node3 openvpn]# systemctl status openvpn@client.service
● openvpn@client.service - OpenVPN Robust And Highly Flexible Tunneling Application On client
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-16 19:56:58 IST; 2min 53s ago
 Main PID: 11281 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
           └─11281 /usr/sbin/openvpn --cd /etc/openvpn/ --config client.conf

Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 ROUTE_GATEWAY 10.0.2.2/255.0.0.0 IFACE=eth0 HWADDR=08:00:27:df:87:41
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 TUN/TAP device tun0 opened
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 TUN/TAP TX queue length set to 100
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip link set dev tun0 up mtu 1500
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip addr add dev tun0 local 172.16.0.6 peer 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /etc/openvpn/client.up tun0 1500 1553 172.16.0.6 172.16.0.5 init
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip route add 192.168.0.0/24 via 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip route add 172.16.0.1/32 via 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 Initialization Sequence Completed

If all is well, the tunnel interface should now exist on our openvpn client:

[root@node3 openvpn]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.32/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global noprefixroute dynamic eth1
       valid_lft 75484sec preferred_lft 75484sec
    inet6 fe80::19d9:1da:ac06:fec0/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.0.6 peer 172.16.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::55b6:ffb9:2cee:5343/64 scope link flags 800
       valid_lft forever preferred_lft forever

 

You can verify that the connection is functioning correctly by pinging the VPN address of the server:

From the openvpn client

[root@node3 openvpn]# ping -c 4 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=1.51 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=2.03 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=2.56 ms
64 bytes from 172.16.0.1: icmp_seq=4 ttl=64 time=2.34 ms

--- 172.16.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3078ms
rtt min/avg/max/mdev = 1.514/2.115/2.565/0.394 ms

 

From the openvpn server

[root@node2 openvpn]# ping -c 4 172.16.0.6
PING 172.16.0.6 (172.16.0.6) 56(84) bytes of data.
64 bytes from 172.16.0.6: icmp_seq=1 ttl=64 time=1.32 ms
64 bytes from 172.16.0.6: icmp_seq=2 ttl=64 time=1.50 ms
64 bytes from 172.16.0.6: icmp_seq=3 ttl=64 time=37.9 ms
64 bytes from 172.16.0.6: icmp_seq=4 ttl=64 time=4.08 ms

--- 172.16.0.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3060ms
rtt min/avg/max/mdev = 1.323/11.221/37.974/15.484 ms

So our VPN configuration is working as expected.

 

Lastly, I hope the steps in this article to install and configure OpenVPN Server with Easy-RSA 3 on RHEL/CentOS 7 were helpful. Let me know your suggestions and feedback using the comment section.

 

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.


7 thoughts on “Install & Configure OpenVPN Server Easy-RSA 3 (RHEL/CentOS 7) in Linux”

  1. This is a great tutorial, seems to be about the most succinct set of steps out there — except for one very important detail. The “common name” entered for the server cert needs to be the FQDN of the server, or TLS negotiation between the OpenVPN client and server will fail.

  2. Hello,

    Here is the summary of why it failed to bring up ipsec, for the benefit of others.

    I was trying to bring up an openvpn ipsec tunnel between two CentOS 7 VMs deployed in Azure and AWS.
    The openVPN client VM was set up in Azure and the openVPN server VM was set up in AWS. However, I think/guess CentOS 7 is packaged differently in these two clouds (this is what I concluded).

    So I created another VPC in AWS itself and brought up an openVPN client (remember this client was set up in Azure and failed to come up), installed all the required ca/client certs and config files, and was finally able to bring up the ipsec tunnel.

    Thanks.,
    Laxmana

  3. Almost the entire set of instructions is perfect. One mistake and one failure at the very end while enabling the client. No clue, any help is highly appreciated.

    1) The mistake is yum -y install openvpn easyrsa (here easyrsa is incorrect; easy-rsa is the correct one)

    2) Why it fails I have no clue, please help
    [root@openvpnclient client]# systemctl -f enable openvpn@client.service
    Failed to enable unit: Unit file openvpn@client.service does not exist.
    [root@openvpnclient client]#

    • Hi Laxmana,

      Thanks for highlighting the typo. I have corrected it.
      For (2), I would need more details to help you. Anything from the logs?

  4. Thank you!!! I was following along with a course and I’m on CentOS 7.7 and the course was using CentOS 7.2. Slight differences but easyrsa was version 2.0 in the course vice version 3.0.6 in CentOS 7.7. Your post was very timely and walked me through the installation flawlessly. Again, many thanks.

  5. Hi,

    How do I set up my client configuration if it's a phone? Is there something that I need to download or copy to my phone?

    Thanks!

    Jimar

