OpenVPN Install On Fedora Server – Part 2

Configure OpenVPN Server

OpenVPN ships a sample configuration file in its documentation directory, so rather than writing one from scratch we copy the sample server.conf (found under /usr/share/doc/openvpn/sample/sample-config-files/, or under a versioned directory such as /usr/share/doc/openvpn-2.4.6/ on older packages) to /etc/openvpn/server for modification.

cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/

Edit the copied server.conf;

nano /etc/openvpn/server/server.conf
Relative paths in this file (certificates, keys, ta.key) resolve against /etc/openvpn/server, because the openvpn-server@ systemd unit uses that directory as its working directory. Modify the file so that it looks like the below;
# Which TCP/UDP port should OpenVPN listen on?
# Change to match your port and open it in the firewall
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel
dev tun

# Certificate and key paths, relative to /etc/openvpn/server
ca ca.crt
cert issued/server.crt
key private/server.key

# Diffie-Hellman parameters
dh dh.pem

# Network topology
topology subnet

# VPN subnet (server directive): the server takes the first usable
# address for itself; the rest are handed out to clients.

# this directive will configure all clients to redirect their default
# network gateway through the VPN
push "redirect-gateway def1 bypass-dhcp"

# DNS servers
push "dhcp-option DNS"
push "dhcp-option DNS"

# Leave compression off. comp-lzo is deprecated, and compressing traffic
# before encrypting it leaks plaintext to a network attacker (VORACLE);
# only enable it if old clients genuinely require it.

# Run VPN with limited privileges
user nobody
group nobody

# Status log file
status /var/log/openvpn/openvpn-status.log

# HMAC firewall: ta.key is shared with every client; the server uses
# key direction 0, clients use direction 1
tls-auth ta.key 0

# Append to a persistent log file (the directory is created below)
log-append /var/log/openvpn/openvpn.log

# Data-channel HMAC: use SHA512 instead of the default SHA1
auth SHA512
Create the log directory;
mkdir -p /var/log/openvpn/
OpenVPN opens the log and status files as root before dropping to the nobody user, so the directory can stay root-owned. On Fedora the openvpn SELinux policy expects this directory to carry the openvpn_var_log_t label, so after creating it run restorecon -Rv /var/log/openvpn, otherwise the service may be denied write access to its log.
Save the configuration file.
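The directives above, rendered from a few variables and then checked, as an added example that is not part of the original article or the OpenVPN project. The VPN subnet 10.8.0.0/24 and the resolvers 1.1.1.1 and 9.9.9.9 are placeholders chosen here (the article's own values are not shown); the keepalive, persist-key, persist-tun and verb lines are the upstream sample's defaults and are kept because OpenVPN needs persist-key and persist-tun to restart cleanly once it has dropped privileges to nobody. The linter ignores comments, so the sample file's commented-out ";comp-lzo" does not trip the compression check.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): render the hardened
# server.conf from a few variables, then lint a config for the hardening
# directives before handing it to openvpn.
# Assumed placeholders: subnet 10.8.0.0/24, resolvers 1.1.1.1 and 9.9.9.9.

# render_server_conf NETWORK NETMASK DNS... -> prints server.conf on stdout
render_server_conf() {
    local net="$1" mask="$2"
    shift 2
    cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key
dh dh.pem
topology subnet
server ${net} ${mask}
push "redirect-gateway def1 bypass-dhcp"
EOF
    local dns
    for dns in "$@"; do
        printf 'push "dhcp-option DNS %s"\n' "$dns"
    done
    cat <<'EOF'
keepalive 10 120
tls-auth ta.key 0
auth SHA512
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
EOF
}

# lint_server_conf FILE -> prints one line per finding, returns 1 if any.
# Leading whitespace is stripped and '#'/';' comment lines are dropped first.
lint_server_conf() {
    local f="$1" rc=0 d body
    body=$(sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$f")
    for d in 'tls-auth ta.key 0' 'auth SHA512' 'user nobody' 'group nobody' \
             'persist-key' 'persist-tun' 'topology subnet'; do
        printf '%s\n' "$body" | grep -qxF "$d" || { echo "missing: $d"; rc=1; }
    done
    if printf '%s\n' "$body" | grep -qE '^(comp-lzo|compress)( |$)'; then
        echo "unsafe: compression enabled (VORACLE)"; rc=1
    fi
    if ! printf '%s\n' "$body" | grep -qE '^server '; then
        echo "missing: server <network> <netmask>"; rc=1
    fi
    return "$rc"
}

# Usage as root:
#   render_server_conf 10.8.0.0 255.255.255.0 1.1.1.1 9.9.9.9 > /etc/openvpn/server/server.conf
#   lint_server_conf /etc/openvpn/server/server.conf && echo "config looks hardened"
```

Run the linter again after any later edit to the file; it is cheap and catches the two regressions that most often creep back in, a commented-out tls-auth line and a re-enabled comp-lzo.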

Configure Routing

Enable IP forwarding

Enabling IP forwarding lets the kernel forward packets that arrive on tun0 from VPN clients out through the server's other interfaces; without it the server only answers traffic addressed to itself. The masquerade rules added below then rewrite the source address of that forwarded traffic to the server's own address, which is what hides the client's IP address from the destination.

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Run the command below to effect the changes;
sysctl --system
Allow OpenVPN service port through firewall
firewall-cmd --add-port=1194/udp --permanent
Activate IP Masquerading
firewall-cmd --add-masquerade --permanent
Masquerade traffic received from the OpenVPN subnet as it leaves through the interface that carries the server's outbound packets.

Find that interface by asking the kernel which route it would use for an Internet destination; the interface name is the token after dev in the output (addresses are omitted here);

ip route get via dev enp0s8 src
The interface name may be different in your case; replace it accordingly.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s -o enp0s8 -j MASQUERADE
Reload firewalld for the changes to take effect.
firewall-cmd --reload
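The routing steps above, pulled together as an added example that is not part of the original article: the egress interface is read from the kernel's own routing decision rather than typed by hand, the firewalld rules are applied in one go, and a verification function shows what to check afterwards. The probe destination 1.1.1.1 and the subnet 10.8.0.0/24 are placeholders chosen here; this example persists the sysctl in /etc/sysctl.d/99-openvpn.conf rather than appending to /etc/sysctl.conf as the article does (sysctl --system reads both).

```bash
#!/usr/bin/env bash
# Added example (not from the original article): derive the egress interface,
# build the NAT rule for the VPN subnet, apply the routing steps, verify.
# Assumed placeholders: probe destination 1.1.1.1, VPN subnet 10.8.0.0/24.

# iface_from_route LINE -> the token after "dev" in an `ip route get` line,
# e.g. "1.1.1.1 via 10.0.2.2 dev enp0s8 src 10.0.2.15 uid 0" -> enp0s8.
# Prints nothing for an error line such as "RTNETLINK answers: ...".
iface_from_route() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# egress_iface [DEST] -> interface the kernel would use to reach DEST
egress_iface() {
    iface_from_route "$(ip route get "${1:-1.1.1.1}" 2>/dev/null | head -n 1)"
}

# masq_rule SUBNET IFACE -> the firewalld passthrough rule from the article
masq_rule() {
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# apply_routing SUBNET: forwarding, service port, masquerade, NAT rule, reload
apply_routing() {
    local subnet="$1" iface
    iface=$(egress_iface)
    [ -n "$iface" ] || { echo "could not determine egress interface" >&2; return 1; }
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn.conf
    sysctl --system
    firewall-cmd --permanent --add-port=1194/udp
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --permanent --direct --passthrough ipv4 \
        -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE
    firewall-cmd --reload
}

# verify_routing: what to check once the service is up (expected values in comments)
verify_routing() {
    sysctl -n net.ipv4.ip_forward              # 1
    firewall-cmd --query-port=1194/udp         # yes
    firewall-cmd --query-masquerade            # yes
    firewall-cmd --direct --get-all-passthroughs
    ip -brief addr show tun0                   # tun0 UNKNOWN <server address>
}

# Usage as root:
#   apply_routing 10.8.0.0/24 && verify_routing
```

The firewalld --direct --passthrough rule bypasses the zone model, which is why it has to name the interface explicitly; keeping the interface lookup in code rather than copying it from a one-off command means the rule still matches after a NIC rename or a move to another host.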
Start OpenVPN and enable it to start on boot.
systemctl start openvpn-server@server
systemctl enable openvpn-server@server
When the OpenVPN service runs, it creates a tunnel interface, tun0;
ip add show tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet brd scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1155:c60c:c009:48c9/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

The VPN server is assigned the IP address, while the first client will be assigned