Setup OpenVPN

In this learning activity, we will install and configure OpenVPN as a server on `Server1`, and as a client on `Client1`. All of the configuration parameters will be provided.


Path Info

Level: Advanced
Duration: 2h 0m
Published: Nov 14, 2018


Table of Contents

  1. Challenge

    Install OpenVPN on `Server1`

    In order to install the OpenVPN package, we'll first need to install the EPEL repo:

    [root@Server1]# yum -y install epel-release
    

    Once EPEL is installed, we can go ahead with installing OpenVPN:

    [root@Server1]# yum -y install openvpn
    

    Let's open the OpenVPN port (1194/tcp, matching the port and proto we'll set in server.conf) and enable masquerading in the firewall, then reload so the changes take effect:

    [root@Server1]# firewall-cmd --permanent --add-port=1194/tcp
    [root@Server1]# firewall-cmd --permanent --add-masquerade
    [root@Server1]# firewall-cmd --reload
    
  2. Challenge

    Create Keys and Credentials on `Server1`

    We'll use EasyRSA to create and sign the keys for the server and client. Install it with this:

    [root@Server1]# yum -y install easy-rsa
    

    Create a directory to hold the files we'll create:

    [root@Server1]# mkdir /etc/openvpn/easy-rsa
    

    and change our working directory to it:

    [root@Server1]# cd /etc/openvpn/easy-rsa
    

    To make things a little easier, let's append the EasyRSA executable folder to our current path:

    [root@Server1]# PATH=$PATH:/usr/share/easy-rsa/3.0.8/
    

    Initialize PKI:

    [root@Server1]# easyrsa init-pki
    

    Build the CA (remember the password you use, you can leave the common name as the default):

    [root@Server1]# easyrsa build-ca
    

    Generate the Diffie-Hellman parameters used for forward secrecy:

    [root@Server1]# easyrsa gen-dh
    

    Now we'll move on to the server credentials. For convenience, we won’t password protect these.

    Create the server certificate:

    [root@Server1]# easyrsa gen-req server nopass
    

    Sign the server certificate:

    [root@Server1]# easyrsa sign-req server server
    

    We'll be prompted to type yes here, and then for the CA password we set a few steps back with the easyrsa build-ca command.

    Create the client certificate:

    [root@Server1]# easyrsa gen-req client nopass
    

    Sign the client certificate:

    [root@Server1]# easyrsa sign-req client client
    

    Type yes when prompted, and enter the same CA password we used when signing the server certificate.

    Now we need to generate the tls-auth key, a shared HMAC key that both ends use to authenticate control-channel packets:

    [root@Server1]# cd /etc/openvpn
    [root@Server1]# openvpn --genkey --secret pfs.key
    
  3. Challenge

    Configure the OpenVPN Server on `Server1`

    You'll need to create and edit /etc/openvpn/server.conf:
    [root@Server1]# vim /etc/openvpn/server.conf

    port 1194
    proto tcp
    dev tun
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/server.crt
    key /etc/openvpn/easy-rsa/pki/private/server.key
    dh /etc/openvpn/easy-rsa/pki/dh.pem
    topology subnet
    cipher AES-256-CBC
    auth SHA512
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log-append openvpn.log
    verb 3
    tls-server
    tls-auth /etc/openvpn/pfs.key
    

    Now you can enable and start the OpenVPN service instance for server.conf:
    [root@Server1]# systemctl enable openvpn@server.service
    [root@Server1]# systemctl start openvpn@server.service

  4. Challenge

    Package up Keys and Certificates on `Server1` for Copying to `Client1`

    You'll need to package up the credentials we created and copy them to Client1. You can do this by creating the following shell script:

    [root@Server1]# vim keys.sh

    cd /etc/openvpn
    mkdir -p server1/keys
    cp pfs.key server1/keys
    cp easy-rsa/pki/dh.pem server1/keys
    cp easy-rsa/pki/ca.crt server1/keys
    cp easy-rsa/pki/private/ca.key server1/keys
    cp easy-rsa/pki/private/client.key server1/keys
    cp easy-rsa/pki/issued/client.crt server1/keys
    tar cvzf /tmp/keys.tgz server1/
    

    Make it executable:
    [root@Server1]# chmod +x keys.sh

    And run it:
    [root@Server1]# ./keys.sh
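    The lab's keys.sh also copies easy-rsa/pki/private/ca.key and dh.pem, neither of which client.conf references; the CA private key in particular should stay on Server1, because anyone holding it can issue certificates the server will trust. Below is an added example script (not the lab's own keys.sh) that stages only the four files the client config uses and refuses to ship ca.key. It follows the lab's directory layout, with the OpenVPN directory and the staging directory passed as arguments.

```shell
# Added example, not the lab's keys.sh: stage only the files client.conf
# references and refuse to ship the CA private key.
# Assumes the lab's layout under the OpenVPN directory passed as SRC.
CLIENT_FILES="ca.crt client.crt client.key pfs.key"

# bundle_client_keys SRC DEST: copy the client's files from SRC (the OpenVPN
# directory) into DEST (the lab's server1/keys). Returns 1 on any missing file.
bundle_client_keys() {
    src="$1"; dest="$2"
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for name in $CLIENT_FILES; do
        case "$name" in
            ca.crt)     path="$src/easy-rsa/pki/ca.crt" ;;
            client.crt) path="$src/easy-rsa/pki/issued/client.crt" ;;
            client.key) path="$src/easy-rsa/pki/private/client.key" ;;
            pfs.key)    path="$src/pfs.key" ;;
        esac
        [ -r "$path" ] || { echo "missing: $path" >&2; return 1; }
        cp "$path" "$dest/$name" || return 1
    done
    # Private material should not be readable by other users, even in transit.
    chmod 600 "$dest/client.key" "$dest/pfs.key"
}

# check_bundle DEST: 0 if every client file is present and ca.key is absent.
check_bundle() {
    dest="$1"
    if [ -e "$dest/ca.key" ]; then
        echo "refusing to ship the CA private key: $dest/ca.key" >&2
        return 1
    fi
    for name in $CLIENT_FILES; do
        [ -f "$dest/$name" ] || { echo "bundle incomplete: $name" >&2; return 1; }
    done
}

# Typical use on Server1, after which /tmp/keys.tgz is copied to Client1:
#   (cd /etc/openvpn && bundle_client_keys . server1/keys \
#      && check_bundle server1/keys && tar czf /tmp/keys.tgz server1/)
```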

  5. Challenge

    Install OpenVPN on `Client1`

    Just like on Server1, you'll need to install EPEL before you can install OpenVPN:

    [root@Client1]# yum -y install epel-release
    [root@Client1]# yum -y install openvpn
    
  6. Challenge

    Copy and Install Keys from `Server1` to `Client1`

    Now we need to copy the keys we tarred up on Server1 over to Client1.

    On Client1:

    [root@Client1]# cd /etc/openvpn
    [root@Client1]# scp root@10.0.1.10:/tmp/keys.tgz ./
    

    We'll need the password for Server1 at that point. Once the tar file makes the trip, we can extract it:

    [root@Client1]# tar xvzf keys.tgz
    
  7. Challenge

    Configure the VPN client on `Client1`

    With the keys in place, we can configure the client:
    [root@Client1]# vim client.conf

    client
    dev tun
    proto tcp
    remote 10.0.1.10 1194
    ca server1/keys/ca.crt
    cert server1/keys/client.crt
    key server1/keys/client.key
    tls-version-min 1.2
    tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
    cipher AES-256-CBC
    auth SHA512
    resolv-retry infinite
    auth-retry none
    nobind
    route-nopull
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    verb 3
    tls-client
    tls-auth server1/keys/pfs.key
    

    Start the client service instance for client.conf:
    [root@Client1]# systemctl start openvpn@client.service
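    The server and client configs above must agree on proto, cipher, auth, comp-lzo and tls-auth, and the port in the client's remote line must match the server's port; a mismatch fails the handshake with only a terse line in openvpn.log. As an added check (not part of the lab), the shell functions below read both files and report any disagreement; they assume the one-directive-per-line layout used above and take the two file paths as arguments.

```shell
# Added check, not part of the lab: report directives that differ between
# server.conf and client.conf. Assumes one directive per line as above.

# conf_value FILE DIRECTIVE: print the first argument of DIRECTIVE, if any.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# has_directive FILE DIRECTIVE: 0 if DIRECTIVE appears at the start of a line.
has_directive() {
    grep -qE "^$2( |\$)" "$1"
}

# check_vpn_configs SERVER_CONF CLIENT_CONF: 0 if consistent, 1 otherwise.
check_vpn_configs() {
    server="$1"; client="$2"; rc=0
    # Values that must be identical on both ends.
    for d in proto cipher auth; do
        s=$(conf_value "$server" "$d"); c=$(conf_value "$client" "$d")
        if [ "$s" != "$c" ]; then
            echo "mismatch on $d: server='$s' client='$c'" >&2; rc=1
        fi
    done
    # Flags that must be present on both ends or on neither.
    for d in comp-lzo tls-auth; do
        has_directive "$server" "$d"; s=$?
        has_directive "$client" "$d"; c=$?
        if [ "$s" != "$c" ]; then
            echo "$d is set on only one side" >&2; rc=1
        fi
    done
    # The client's remote port must be the server's listening port.
    sp=$(conf_value "$server" port)
    rp=$(awk '$1 == "remote" { print $3; exit }' "$client")
    if [ "$sp" != "$rp" ]; then
        echo "port mismatch: server listens on '$sp', client connects to '$rp'" >&2; rc=1
    fi
    return $rc
}
```

Run it before copying client.conf to Client1, for example as `check_vpn_configs /etc/openvpn/server.conf client.conf`, to catch a typo before the tunnel fails to come up.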

  8. Challenge

    Add a Static Route on Client1

    Because client.conf uses route-nopull, the routes the server pushes (including redirect-gateway) are ignored, so by default Client1 would reach node1 over its normal interface. To have Client1's traffic to node1 originate from the 10.8.0.0/24 network, we'll add a static route so that the VPN tunnel is the interface used to reach that host:

    [root@Client1]# ip route add 10.0.1.20 dev tun0
    

    We can verify the entry using:

    [root@Client1]# ip route show
    

    We should now be able to access the website on node1:

    [root@Client1]# curl 10.0.1.20
    

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!
