- 18 Dec 2020
- Wbakke
- VPN
OpenVPN provides a robust and highly flexible VPN daemon, and the Easy-RSA package is used to build a local certificate authority (CA) and to generate the X.509 certificates and private keys that secure the VPN connections. Both packages are available in the default Fedora repositories. Run the commands below (as root, or prefixed with sudo) to install them.
dnf update
dnf install openvpn easy-rsa
SELinux
Open the /etc/selinux/config file and set the SELINUX mode to disabled. Be aware of what this does: it turns off mandatory access control for the whole host, not just for OpenVPN, and Fedora's targeted policy already ships an OpenVPN module (the openvpn_t domain), so the daemon normally runs fine with SELinux enforcing. If you only want to rule SELinux out while troubleshooting, SELINUX=permissive logs denials (ausearch -m AVC -c openvpn) without blocking anything. Following the post as written, the file looks like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Save the file and reboot your Fedora system with:
sudo shutdown -r now
Once the system boots up, verify the change with the sestatus command:
sestatus
The output should look like this:
SELinux status: disabled
Build the local CA and generate the server keys and certificate files
Create a directory to hold the CA and the server keys and certificate files.
mkdir /etc/openvpn/easy-rsa
Copy the key and certificate generation scripts installed by Easy-RSA from their default location to the directory created above.
cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa
Change into the /etc/openvpn/easy-rsa directory and initialise a new PKI.
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
Build the CA certificate. This prompts for a passphrase, which encrypts the CA private key, and for the CA's common name. The name entered in the output below, server, is the CA's name and not the VPN server's hostname; a distinct name such as "OpenVPN CA" avoids confusion later. Keep the passphrase safe: anyone holding ca.key and the passphrase can issue certificates that your server will trust.
./easyrsa build-ca
Output (abbreviated):
...
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.EajtR0SkLM'
Enter PEM pass phrase: PASSWORD
Verifying - Enter PEM pass phrase: PASSWORD
-----
...
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
As stated, the CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.
Generate the Diffie-Hellman parameters used during the TLS handshake with connecting clients. This step can take several minutes; the resulting file holds public parameters, not a secret.
./easyrsa gen-dh
This generates the DH parameters and stores them as /etc/openvpn/easy-rsa/pki/dh.pem.
Generate a key and certificate for the server. The nopass argument leaves the server's private key unencrypted so the daemon can start unattended; protect it with file ownership and permissions instead.
./easyrsa build-server-full server nopass
Generate a key and certificate for the client. nopass does the same for the client key; omit it if you want the user to enter a passphrase when the VPN connects, so that a copied client.key is not usable on its own.
./easyrsa build-client-full client nopass
If you later need to invalidate a certificate you have signed, revoke it with ./easyrsa revoke <name> and then generate (or regenerate) the certificate revocation list (CRL). The server only consults the CRL if its configuration points at the file with crl-verify, and the list must be regenerated and copied again after every revocation and before it expires (Easy-RSA's default CRL lifetime, EASYRSA_CRL_DAYS, is 180 days).
./easyrsa gen-crl
This stores the CRL at /etc/openvpn/easy-rsa/pki/crl.pem.
Generate the TLS authentication key. This is a static HMAC key shared by the server and every client (tls-auth, or tls-crypt, in the OpenVPN configuration): the server discards packets that do not carry a valid HMAC before any TLS processing takes place, so each client needs a copy of ta.key as well.
openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key
Copy the generated certificates and keys to the server configuration directory. Note that this also copies private/client.key; once the client's files have been handed over, there is no reason to keep its private key on the server.
cp -rp /etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /etc/openvpn/server/
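The procedure above, from init-pki to the final copy, as an added example that is not part of the original post: a shell script that runs it without prompts and checks its own output with openssl before anything lands in /etc/openvpn/server. It assumes Fedora's easy-rsa 3 and openvpn packages, the /etc/openvpn/easy-rsa path used above, and Easy-RSA 3's --passin/--passout options, which pass an openssl-style passphrase source such as env:CA_PASS through to openssl. The function and variable names (PKI_ROOT, CA_PASS, CLIENT_PASS, build_pki and the rest) are the example's own, and the index.txt lines it is exercised with are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the Easy-RSA procedure above run
# non-interactively, followed by checks worth making before the files are
# copied into /etc/openvpn/server. Assumes Fedora's easy-rsa 3 and openvpn
# packages and the /etc/openvpn/easy-rsa layout the post uses.
set -eu

PKI_ROOT="${PKI_ROOT:-/etc/openvpn/easy-rsa}"   # assumption: same path as the post
SERVER_NAME="${SERVER_NAME:-server}"
CLIENT_NAME="${CLIENT_NAME:-client}"

# 1. Build the PKI. EASYRSA_BATCH=1 answers the common-name prompt from
#    EASYRSA_REQ_CN. The CA key stays passphrase-protected; Easy-RSA 3's
#    --passin/--passout options hand the passphrase in CA_PASS to openssl
#    (its env: source), so nothing has to be typed. The client key gets its
#    own passphrase from CLIENT_PASS instead of the post's 'nopass'.
build_pki() {
    [ -n "${CA_PASS:-}" ] && [ -n "${CLIENT_PASS:-}" ] || {
        echo "set CA_PASS and CLIENT_PASS first" >&2; return 1; }
    cd "$PKI_ROOT"
    # init-pki in batch mode wipes an existing pki/ without asking.
    [ ! -e pki ] || { echo "$PKI_ROOT/pki already exists, refusing to overwrite" >&2; return 1; }
    EASYRSA_BATCH=1 ./easyrsa init-pki
    EASYRSA_BATCH=1 EASYRSA_REQ_CN="OpenVPN CA" \
        ./easyrsa --passout=env:CA_PASS build-ca
    EASYRSA_BATCH=1 ./easyrsa --passin=env:CA_PASS build-server-full "$SERVER_NAME" nopass
    EASYRSA_BATCH=1 ./easyrsa --passin=env:CA_PASS --passout=env:CLIENT_PASS \
        build-client-full "$CLIENT_NAME"
    ./easyrsa gen-dh
    # tls-auth HMAC key; the 2.4 syntax used in the post, still accepted by 2.5.
    openvpn --genkey --secret pki/ta.key
    EASYRSA_BATCH=1 ./easyrsa --passin=env:CA_PASS gen-crl
}

# 2. Check the result: both leaf certs must chain to ca.crt, the server cert
#    must carry the serverAuth EKU that clients using 'remote-cert-tls server'
#    insist on, the client cert must not, and the CRL must verify against the CA.
verify_pki() {
    local pki="$PKI_ROOT/pki"
    openssl verify -CAfile "$pki/ca.crt" \
        "$pki/issued/$SERVER_NAME.crt" "$pki/issued/$CLIENT_NAME.crt"
    openssl x509 -in "$pki/issued/$SERVER_NAME.crt" -noout -ext extendedKeyUsage \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "server cert lacks the serverAuth EKU" >&2; return 1; }
    if openssl x509 -in "$pki/issued/$CLIENT_NAME.crt" -noout -ext extendedKeyUsage \
        | grep -q 'TLS Web Server Authentication'; then
        echo "client cert could impersonate the server (serverAuth EKU)" >&2; return 1
    fi
    openssl crl -in "$pki/crl.pem" -noout -CAfile "$pki/ca.crt"
}

# 3. pki/index.txt is the openssl 'ca' database behind Easy-RSA: one tab-separated
#    line per issued cert with status (V valid, R revoked, E expired), expiry,
#    revocation date and reason, serial, a placeholder filename and the subject.
#    Listing it shows what the next gen-crl will contain.
index_status() {   # index_status <index.txt> -> "<status> <serial> <subject>" per line
    awk -F'\t' '{ printf "%s %s %s\n", $1, $4, $6 }' "$1"
}
revoked_count() {  # number of entries that will appear in the CRL
    awk -F'\t' '$1 == "R" { n++ } END { print n + 0 }' "$1"
}

# Revoking only updates index.txt; the CRL has to be regenerated and copied to
# wherever the server config's crl-verify points, otherwise the revoked cert
# keeps working until the CRL already there expires.
revoke_and_publish() {   # revoke_and_publish <cert-name> <crl-destination>
    cd "$PKI_ROOT"
    EASYRSA_BATCH=1 ./easyrsa --passin=env:CA_PASS revoke "$1"
    EASYRSA_BATCH=1 ./easyrsa --passin=env:CA_PASS gen-crl
    install -m 0644 pki/crl.pem "$2"
}

# 4. Same layout the post copies, with tight modes and without the client's
#    private key, which belongs on the client once it has been handed over.
install_server_files() {
    local pki="$PKI_ROOT/pki"
    install -d /etc/openvpn/server/issued /etc/openvpn/server/private
    install -m 0644 "$pki/ca.crt" "$pki/dh.pem" "$pki/crl.pem" /etc/openvpn/server/
    install -m 0600 "$pki/ta.key" /etc/openvpn/server/
    install -m 0644 "$pki/issued/$SERVER_NAME.crt" /etc/openvpn/server/issued/
    install -m 0600 "$pki/private/$SERVER_NAME.key" /etc/openvpn/server/private/
}

# Whole procedure: export CA_PASS and CLIENT_PASS, then ./build-pki.sh run
if [ "${1:-}" = "run" ]; then
    build_pki && verify_pki && install_server_files
    index_status "$PKI_ROOT/pki/index.txt"
fi
```

The passphrases are taken from the environment rather than the command line so they do not show up in shell history or in ps output, and the script refuses to run init-pki over an existing pki/ directory because batch mode would otherwise delete the CA without confirmation. After a revocation, revoke_and_publish takes the destination that crl-verify names in the server configuration.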
Continued in: OpenVPN Install On Fedora Server – Part 2