Welcome to Halil Demirezen's Tips Page


VPN: OpenVPN client-to-client vpn configuration [easy-rsa 3] 2018-06-27 14:57:19

Package installation on CentOS 7

Before continuing, make sure the server clock is correct (chronyd is the
CentOS 7 default). The notBefore/notAfter dates of every certificate you create
below are taken from the local clock, so a wrong clock yields certificates that
are not yet valid or expire at the wrong time, and clients will fail TLS
verification against real time.

yum install epel-release
yum install openvpn
yum install easy-rsa


Initialise the PKI and create the server keys

easy-rsa 3 creates its pki/ directory in the current working directory, which
is why everything below runs from /etc/openvpn (the symlink just keeps the
easyrsa tool close to the config).

cd /etc/openvpn
ln -s /usr/share/easy-rsa/ easy-rsa

/usr/share/easy-rsa/3/easyrsa init-pki
# nopass: the CA key is stored unencrypted in pki/private/ca.key; keep it off
# the VPN server if you can
/usr/share/easy-rsa/3/easyrsa build-ca nopass
# Diffie-Hellman parameters for the DHE suites in tls-cipher (slow)
/usr/share/easy-rsa/3/easyrsa gen-dh
/usr/share/easy-rsa/3/easyrsa build-server-full server nopass
# Initial (empty) revocation list; crl-verify expects the file to exist even
# before anything has been revoked
/usr/share/easy-rsa/3/easyrsa gen-crl

cp pki/ca.crt /etc/openvpn/ca.crt
cp pki/dh.pem /etc/openvpn/dh.pem
cp pki/issued/server.crt /etc/openvpn/server.crt
cp pki/private/server.key /etc/openvpn/server.key
cp pki/crl.pem /etc/openvpn/crl.pem

# Shared HMAC key for tls-auth; every client gets a copy of it
openvpn --genkey --secret /etc/openvpn/ta.key



Create an example client certificate and key

cd /etc/openvpn
/usr/share/easy-rsa/3/easyrsa build-client-full client1 nopass
# Everything the client needs: the CA cert, the shared tls-auth key, its own cert and key
tar -cvf client-files.tar ca.crt ta.key pki/issued/client1.crt pki/private/client1.key

The archive contains the client's private key, so move it to the client over
a secure channel (scp, not e-mail) and delete the tar file from the server
once it has been delivered.


Enabling routing (so the server forwards packets between the tun interface and its LAN)

sysctl -w net.ipv4.ip_forward=1

and make it persistent across reboots by adding this line to /etc/sysctl.conf:

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1



Create /etc/pam.d/openvpn with the two lines below to enable username/password
authentication against the local accounts in /etc/shadow. The service name
"openvpn" is what the auth-pam plugin line at the end of server.conf refers to.

auth required pam_unix.so shadow nodelay
account required pam_unix.so



Server config file /etc/openvpn/server.conf

# Secure OpenVPN Server Config

# Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 5

# Certs (paths are relative to /etc/openvpn)
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

# Ciphers and Hardening
# reneg-sec 0 turns off periodic TLS renegotiation so PAM users are not
# re-prompted for their password; the trade-off is that the data-channel keys
# are never refreshed for the life of a session.
reneg-sec 0
remote-cert-tls client
# The CRL is re-read from disk on every client connect, after privileges have
# been dropped, so crl.pem must stay readable by "nobody". easy-rsa signs the
# CRL with a limited validity (180 days by default); once it lapses every
# client is rejected until you run "easyrsa gen-crl" again and copy the file.
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Drop Privs
user nobody
group nobody

# IP pool
server 192.168.13.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir client
# Let clients reach each other through the server (the client-to-client setup
# this page describes); without it clients only see the server side.
client-to-client

# Misc
persist-key
persist-tun
# Compression must match on both ends. Compressing plaintext next to
# attacker-controlled data is what the VORACLE attack (2018) exploits; if you
# drop comp-lzo here, drop it from the client file too.
comp-lzo

# Push a route to the LAN behind the server. This does NOT send all client
# traffic through the VPN: add 'push "redirect-gateway def1"' and a
# 'push "dhcp-option DNS ..."' line if you want a full tunnel with your DNS.
push "route 192.168.10.0 255.255.255.0"

# Logging
log-append /var/log/openvpn.log
verb 3

# Username/password authentication via the "openvpn" PAM service created above
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn



Example client ovpn file

# "client" already implies tls-client and pull; the two are kept for clarity
tls-client
pull
client
dev tun
proto udp
# Replace with the server's public name or address
remote ser.ver.ip.address 1194
nobind
persist-key
persist-tun
# Must match the server; remove on both sides if you disable compression there
comp-lzo
verb 3
# The files from client-files.tar, placed next to this .ovpn
ca ca.crt
cert client1.crt
key client1.key
# Direction 1 on the client, 0 on the server
tls-auth ta.key 1
# Refuse a peer whose certificate was not issued for server use, so another
# client's certificate cannot be used to impersonate the server
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
# Prompt for the PAM username and password at connect time
auth-user-pass
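The tarball created earlier ships four separate files that the client config then references by name. A single-file profile with the certificates and keys inlined is easier to hand out and is what most OpenVPN clients expect to import. The script below is an added example, not part of the original page, that builds such a profile from the easy-rsa 3 layout used above. It assumes this page's directory layout (ca.crt and ta.key next to a pki/ tree, e.g. /etc/openvpn); the client name, server address and port are parameters.

```shell
#!/bin/sh
# Build a single-file .ovpn for a client from the easy-rsa 3 output above.
# Added example, not from the original page. Assumed layout:
#   $1 = directory holding ca.crt, ta.key and the pki/ tree (e.g. /etc/openvpn)
#   $2 = client name given to "easyrsa build-client-full"
#   $3 = server host or IP, $4 = port (default 1194)
# The profile is written to stdout.
set -eu

# Print only the PEM block of a file. easy-rsa's issued/*.crt files start with
# a human-readable text dump, and ta.key with "#" comment lines; both are
# stripped so the inline blocks stay clean.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Fail loudly on a missing input rather than emit a half-built profile.
require_file() {
    [ -r "$1" ] || { echo "missing or unreadable: $1" >&2; return 1; }
}

build_profile() {
    dir=$1; name=$2; host=$3; port=${4:-1194}
    for f in "$dir/ca.crt" "$dir/ta.key" \
             "$dir/pki/issued/$name.crt" "$dir/pki/private/$name.key"; do
        require_file "$f" || return 1
    done

    # Same settings as the example client file, with the file references
    # replaced by inline <...> blocks. key-direction 1 applies to the inline
    # tls-auth key (the server side uses direction 0).
    cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth-user-pass
<ca>
$(pem_block "$dir/ca.crt")
</ca>
<cert>
$(pem_block "$dir/pki/issued/$name.crt")
</cert>
<key>
$(pem_block "$dir/pki/private/$name.key")
</key>
<tls-auth>
$(pem_block "$dir/ta.key")
</tls-auth>
EOF
}

# Usage: sh make-profile.sh /etc/openvpn client1 vpn.example.com 1194 > client1.ovpn
if [ $# -ge 3 ]; then
    build_profile "$@"
fi
```

The resulting file still contains the client's private key, so it needs the same handling as the tarball: transfer over a secure channel and remove the server-side copy afterwards.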