OpenVPN Install on Fedora Server

OpenVPN provides a robust and a highly flexible VPN daemon while Easy-RSA package is used to generate SSL key-pairs that is used to secure VPN connections. Both OpenVPN and Easy-RSA packages are available on the default Fedora repos. Run the command below to install them.

dnf update
dnf install openvpn easy-rsa

SELinux

Open the /etc/selinux/config file and set the SELINUX mod to disabled.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

Save the file and reboot your CentOS system with:

sudo shutdown -r now

Once the system boots up, verify the change with the sestatus command:

sestatus

The output should look like this:

SELinux status:                 disabled

Build the Local CA and generate Server Keys and Certificate file

Create a directory to store Server keys and Certificate files.

mkdir /etc/openvpn/easy-rsa

Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.

cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa

Navigate to /etc/openvpn/easy-rsa directory and start new PKI.

cd /etc/openvpn/easy-rsa
./easyrsa init-pki

Build the CA certificate. This will prompt you for the encryption password and the server common name.

./easyrsa build-ca

Output of the code

...
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.EajtR0SkLM'
Enter PEM pass phrase: PASSWORD
Verifying - Enter PEM pass phrase: PASSWORD
-----
...
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

As stated, the CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.

Generate Diffie-Hellman key file that can be used during the TLS handshake with connecting clients.

./easyrsa gen-dh

This will generate the DH key and store as /etc/openvpn/easy-rsa/pki/dh.pem.

Generate a key and certificate file for the server.

./easyrsa build-server-full server nopass

Generate a key and certificate file for the client.

./easyrsa build-client-full client nopass

In case you need to invalidate a previously signed certificate, generate a revocation certificate.

./easyrsa gen-crl

This stores the revocation certificate under /etc/openvpn/easy-rsa/pki/crl.pem.

Generate TLS/SSL pre-shared authentication key

openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key

Copy generated Certificates/Keys to server configuration directory.

cp -rp /etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /etc/openvpn/server/