- 27 Jan 2021
- Wbakke
- VPN
- Comments: 0
Configure OpenVPN Server
OpenVPN has a sample configuration file within its documentation directory and therefore to ease our life, we will copy the sample /usr/share/doc/openvpn{-2.4.6,}/sample/sample-config-files/server.conf file to /etc/openvpn for modification.
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/Edit the server.conf file as follows;
nano /etc/openvpn/server/server.confModify the file such that it looks like the below;
# Which TCP/UDP port should OpenVPN listen on?
# Change to match your port and open it in the firewall
port 1194
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel
dev tun
# Change path for certificates
ca ca.crt
cert issued/server.crt
key private/server.key
# Diffie hellman exchange key path
dh dh.pem
# Network topology
topology subnet
# OpenVPN Network IP. For below, The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
server 172.16.0.0 255.255.255.0
# this directive will configure all clients to redirect their default
# network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"
# DNS servers
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# For compression compatible with older clients use comp-lzo.
comp-lzo
# Run VPN with limited privileges
user nobody
group nobody
# Status log file
status /var/log/openvpn/openvpn-status.log
# TLS/SSL pre-shared authentication key
tls-auth ta.key 0
# Make VPN log directory and log file
log-append /var/log/openvpn/openvpn.log
#Append this line to change authentication algorithm (HMAC) from SHA1 to SHA512
auth SHA512Create the log directory;
mkdir /var/log/openvpn/Save the configuration file
Configure Routing
Enable IP forwarding
Enabling IP forwarding ensures that traffic from the client is routed through the servers IP address so that the client IP address is masked.
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.confRun the command below to effect the changes;
sysctl --systemAllow OpenVPN service port through firewall
firewall-cmd --add-port=1194/udp --permanentActivate IP Masquerading
firewall-cmd --add-masquerade --permanentForward traffic received on the specified OpenVPN subnet to an interface via which packets are going to be sent.
Find the interface via which packets are sent through by running the command below;
ip route get 8.8.8.8
8.8.8.8 via 192.168.43.1 dev enp0s8 src 192.168.43.23The interface name maybe different for your case. Replace accordingly.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 172.16.0.0/24 -o enp0s8 -j MASQUERADEReload firewalld for the changes to take effect.
firewall-cmd --reloadStart and set OpenVPN start on boot.
systemctl start openvpn-server@server
systemctl enable openvpn-server@serverWhen OpenVPN service runs, it will create a tunnelling interface, tun0;
ip add show tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 172.16.0.1/24 brd 172.16.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::1155:c60c:c009:48c9/64 scope link stable-privacy
valid_lft forever preferred_lft foreverThe VPN server is assigned the IP address, 172.16.0.1 while the first client will be assigned 172.16.0.2.
https://ravenhawktech.com/index.php/2020/12/18/openvpn-install-on-fedora-server/