OpenVPN Implementation II - Host-to-site VPN solution - Part 3

5). Store the key files and server config files in /etc/openvpn/

a). Create the directory and copy the key files and the sample config files to /etc/openvpn/

[root@localhost keys]# mkdir /etc/openvpn
[root@localhost easy-rsa]# cp -ap keys /etc/openvpn/
[root@localhost easy-rsa]# cd /home/admin/tools/openvpn/openvpn-2.3.12/sample/sample-config-files
[root@localhost sample-config-files]# cp client.conf server.conf /etc/openvpn/
[root@localhost sample-config-files]# tree /etc/openvpn/
/etc/openvpn/
|-- client.conf
|-- keys
| |-- 01.pem
| |-- 02.pem
| |-- 03.pem
| |-- admin.crt
| |-- admin.csr
| |-- admin.key
| |-- ca.crt
| |-- ca.key
| |-- dh1024.pem
| |-- dyoung.crt
| |-- dyoung.csr
| |-- dyoung.key
| |-- index.txt
| |-- index.txt.attr
| |-- index.txt.attr.old
| |-- index.txt.old
| |-- serial
| |-- serial.old
| |-- server.crt
| |-- server.csr
| `-- server.key
`-- server.conf
1 directory, 23 files

b). Back up server.conf and list its active (uncommented) directives

[root@localhost sample-config-files]# cd /etc/openvpn/
[root@localhost openvpn]# cp server.conf server.conf.$(date +%F)
[root@localhost openvpn]# grep -vE ";|#|^$" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3


c). Edit the file to get a proper configuration: for example, set the paths to ca, cert and key, and push DNS servers to clients. The directives in the sample server.conf, each followed by its description:

local a.b.c.d

Local IP address OpenVPN listens on (optional).

port 1194

TCP/UDP port OpenVPN listens on. Multiple instances on the same host must each use a different port.

;proto tcp
proto udp

Use TCP or UDP; UDP is the default.

;dev tap
dev tun

"dev tun" creates a routed IP tunnel; "dev tap" creates an Ethernet tunnel.

;dev-node MyTap

Windows only: the TAP-Windows adapter name as shown in Network Connections.

ca ca.crt

SSL/TLS root certificate. Each client and the server must have their own cert and key file; the server and all clients use the same ca file.

cert server.crt

Server certificate.

key server.key

Server private key. This file must be kept secret.

dh dh1024.pem

Diffie-Hellman parameters.

server 10.8.0.0 255.255.255.0

**Must Configure**
The VPN server dynamically assigns client IPs from the range defined here. Comment this line out if you are Ethernet bridging.

ifconfig-pool-persist ipp.txt

Maintain a record of client virtual IP address associations in this file.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

Configure only when Ethernet bridging.

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

**Must Configure**
Push routes to the client so it can reach the private subnets behind the server. These are the internal network blocks the client will be able to access once connected to the VPN. Remember that those subnets must also route the OpenVPN client address pool (10.8.0.0/24) back to the OpenVPN server.

;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

Windows-specific network settings, such as DNS or WINS server addresses, can be pushed to clients.

;client-to-client

Allow different clients to "see" each other. By default, clients only see the server.

;duplicate-cn

Uncomment to allow multiple clients to share the same CN (Common Name).

keepalive 10 120

Ping every 10 seconds; consider the peer down if no ping is received for 120 seconds.

;tls-auth ta.key 0

"HMAC firewall" to help block DoS attacks and UDP port flooding. This file is secret. Generate the key with: openvpn --genkey --secret ta.key. The server and each client must have a copy of this key. The second parameter should be '0' on the server and '1' on the clients.

;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

Select the cryptographic cipher. This directive must also be copied to the client config file.

comp-lzo

Enable compression on the VPN link. It is enabled by default in the sample file and must also be enabled in the client config file.

;max-clients 100

Maximum number of concurrent clients allowed to connect to the server.

;user nobody
;group nobody

Non-Windows platforms only. Drops the server daemon's privileges to nobody after initialization.

persist-key
persist-tun

Keep the same key and tun device across restarts.

status openvpn-status.log

Output a brief status log, rewritten every minute.

;log openvpn.log
;log-append openvpn.log

"log" truncates the log file on OpenVPN startup, while "log-append" appends to it. Use only one of the two.

verb 3

Set the log verbosity: 0 is silent except for fatal errors, 9 is extremely verbose.

- Before editing, first make a backup:

[root@localhost openvpn]# cp server.conf server.conf.$(date +%F)
[root@localhost openvpn]# ll server.conf.2016-09-08
-rw-r--r--. 1 root root 10441 Sep 8 17:05 server.conf.2016-09-08

- Then redirect the filtered lines (comments and blank lines removed) from the backup file to temp.t.

- Next, redirect temp.t back into server.conf.

[root@localhost openvpn]# grep -vE ";|#|^$" server.conf.2016-09-08 > temp.t
[root@localhost openvpn]# cat temp.t > server.conf
[root@localhost openvpn]# cat server.conf
local 192.168.2.34
port 11945
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.110.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
[root@localhost openvpn]#

- Change (add/edit) server.conf so that it contains the following:

local 192.168.2.34
port 11945
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.110.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

6). Stop the iptables firewall and disable SELinux

- Modify iptables with vi /etc/sysconfig/iptables to add -A INPUT -p udp --dport 11945 -j ACCEPT

/etc/init.d/iptables stop

[root@localhost sbin]# vi /etc/sysconfig/iptables
** Modify to add this line "-A INPUT -p tcp --dport 11949 -j ACCEPT"
[root@localhost sbin]# iptables -A INPUT -p tcp --dport 11949 -j ACCEPT
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]

- vi /etc/selinux/config and set SELINUX=disabled

Reboot the system for the change to take effect.

[root@localhost ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
// After reboot, SELinux is reported as disabled.
[root@localhost ~]# getenforce
Disabled
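Added example, not part of the original article: a check that the firewall rule opens the same protocol and port that server.conf listens on. The transcript above adds a rule for tcp/11949 while server.conf says "proto udp" and "port 11945"; the constructed demo below runs the check against that rule and against one that matches the configuration.

```shell
#!/bin/sh
# Added example, not from the article: check that the iptables INPUT rule
# opens the protocol and port server.conf actually listens on.

conf_listener() {           # conf_listener CONF -> "proto port" (OpenVPN defaults: udp 1194)
    awk 'BEGIN { p = "udp"; n = 1194 }
         $1 == "proto" { p = $2; sub(/-.*/, "", p) }   # tcp-server -> tcp
         $1 == "port"  { n = $2 }
         END { print p, n }' "$1"
}

rule_allows() {             # rule_allows RULES PROTO PORT; RULES holds "iptables -S INPUT" output
    grep -Eq -- "^-A INPUT .*-p $2 .*--dport $3 .*-j ACCEPT" "$1"
}

check_firewall() {          # check_firewall CONF RULES -> one verdict line
    set -- "$1" "$2" $(conf_listener "$1")    # $3 = proto, $4 = port
    if rule_allows "$2" "$3" "$4"; then
        echo "OK: INPUT accepts $3/$4, matching server.conf"
    else
        echo "MISMATCH: server.conf listens on $3/$4 but no INPUT ACCEPT rule covers it"
    fi
}

# Constructed inputs: the tutorial's listener, the rule as typed in the
# transcript above, and the rule that matches the configuration.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'port 11945' 'proto udp' 'dev tun' > "$tmp/server.conf"
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -p tcp --dport 11949 -j ACCEPT' > "$tmp/as-typed"
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -p udp --dport 11945 -j ACCEPT' > "$tmp/corrected"
    check_firewall "$tmp/server.conf" "$tmp/as-typed"
    check_firewall "$tmp/server.conf" "$tmp/corrected"
    rm -rf "$tmp"
}
```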
