Fedora 27 is a close cousin of CentOS 7, which is actually Fedora 19. Most of the documentation for server-centric stuff is still targeted at CentOS 7. Some topics, like how to install and configure OpenVPN, are poorly documented.
I was pleased to find this link, a tutorial on how to install OpenVPN on Fedora 26:
https://chichivica.github.io/2017/08/02/Install-OpenVPN-on-Fedora-26/
I found this guide to be useful, but found myself taking notes on corrections to the procedure. Unable to contact the author of the howto, I offer the procedure with minor corrections here. Note that my procedure was done on Fedora 27.
1) First of all install necessary dependencies
sudo dnf install openvpn easy-rsa
2) Copy rsa scripts to the home folder
mkdir ~/openvpn-ca
cp -ai /usr/share/easy-rsa/3/* ~/openvpn-ca
cd ~/openvpn-ca
3) According to this start a new PKI and build a CA keypair/cert
./easyrsa init-pki
./easyrsa build-ca nopass
4) Build Server certificate, key
./easyrsa build-server-full server nopass
5) Build Client certificate, key
./easyrsa build-client-full client01 nopass
you can omit nopass on steps 3,4,5 if you need to
6) Generate a strong Diffie-Hellman keys
./easyrsa gen-dh
7) Generate HMAC signature to strengthen the server’s TLS integrity verification capabilities
openvpn –genkey –secret pki/ta.key
8) Before openvpn server setting up we need to put appropriate keys ca.crt ca.key server.crt server.key ta.key dh.pem into /etc/openvpn/server/keys folder
sudo ln -s ~/openvpn-ca/openssl-1.0.cnf ~/client-configs/
sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/private/ca.key /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server
sudo cp ~/openvpn-ca/pki/ta.key /etc/openvpn/server
9) Now we need to set up the server itself, firstly copy configurations
sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server
10) Modify several lines in that configuration file
sudo nano /etc/openvpn/server/server.conf
add these lines at the end of the file:
key-direction 0
auth SHA256
remove ; symbol to uncomment following lines
user nobody
group nogroup
10a) [optional] In order to Redirect all traffic Through the VPN, remove ; from the following lines:
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 208.67.222.222”
push “dhcp-option DNS 208.67.220.220”
10b) [optional] Adjust port and protocol if you don’t wish to use default:
port 443
proto tcp
and if you have server.crt and server.key with the different name point to them here:
cert myservername.crt
key myservername.key
11) Allow IP Forwarding. This is fairly essential to the functionality we want our VPN server to provide.
sudo nano /etc/sysctl.conf
and drop a line there
net.ipv4.ip_forward=1
activate that:
sudo sysctl -p
12) Set up firewalld to work with OpenVPN
sudo firewall-cmd –permanent –add-service openvpn
sudo firewall-cmd –permanent –add-masquerade
13) Now we are going to set up our systemd service.
sudo ln -s /usr/lib/systemd/system/openvpn-server\@.service /etc/systemd/system/multi-user.target.wants/openvpn-server\@server.service
sudo ln -s /etc/openvpn/server/dh.pem /etc/openvpn/server/dh2048.pem
server corresponds with the configuration file name in /etc/openvpn/server such as server.conf. So if you have myserver.conf you have to replace server with myserver
14) Now we are ready to start OpenVPN service
sudo systemctl -f enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service
15) enter in /etc/rc.d/rc.local (reminder: chmod 755 rc.local):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
(where enp3s0 is the name of your ethernet device)
Done! We successfully deployed our OpenVPN server, and we are ready to move on and set up the client
Client setup
As you remember we already generated client01.crt and client01.key at step 5. Now we need combine them with our general Certificates of Authority in order to build client config file.
1) First of all we need generate Client Configurations. Let’s create client-configs directory and prepare with the keys
mkdir -p ~/client-configs/files
cd ~/client-configs
we are actually going to omit these instructions, we have re-coded our batch file under client creation to avoid this issue:
# mkdir ~/keys
# cp ~/openvpn-ca/pki/ca.crt ~/client-configs/keys
# cp ~/openvpn-ca/pki/ta.key ~/client-configs/keys
# cp ~/openvpn-ca/pki/private/client1.key ~/client-configs/keys
# cp ~/openvpn-ca/pki/private/client1.crt ~/client-configs/keys
2) Next we need to copy base configuration from examples
cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf ~/client-configs/base.conf
3) Open this file in your text editor
nano ~/client-configs/base.conf
4) and modify as following
remote server_IP_address 1194
# place your server address here
proto udp
# update with specified protocol
next uncomment (by removing leading semicolons)
user nobody
group nogroup
NB: If you are using CentOS, change the group from nogroup to nobody to match the distribution’s available groups
and comment out the lines because we place them directly in client’s config
#ca ca.crt
#cert client.crt
#key client.key
add these lines at the end of the file:
auth SHA256
key-direction 1
5) Next, we will create a simple script to compile our base configuration with the relevant certificate, key, and encryption files. This will place the generated configuration in the ~/client-configs/ files directory.
Note: to be consistent with the portion of this document above, I should really use ~ instead of /home/desktop in the section below. However that is how I run it:
nano ~/client-configs/make_config.sh
#!/bin/bash
# remember to run easyrsa build-client-full clientid nopass
# First argument: clientid
KEY_DIR=~/openvpn-ca/pki
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e ‘<ca>’) \
${KEY_DIR}/ca.crt \
<(echo -e ‘</ca>\n<cert>’) \
${KEY_DIR}/issued/${1}.crt \
<(echo -e ‘</cert>\n<key>’) \
${KEY_DIR}/private/${1}.key \
<(echo -e ‘</key>\n<tls-auth>’) \
${KEY_DIR}/ta.key \
<(echo -e ‘</tls-auth>’) \
> ${OUTPUT_DIR}/${1}.ovpn
make the file executable:
chmod 700 ~/client-configs/make_config.sh
6) Execute that file with client01 input parameter
Note you must first run the client creation from step 5 in the server setup. A repeatable procedure for client creation is as follows (using client02 as token):
cd ~/openvpn-ca
./easyrsa build-client-full client02 nopass
cd ~/client-configs
./make_config.sh client02
If everything went well, we should have a client02.ovpn file in our ~/client-configs/ directory
7) Now that file can be used on the client machine
sudo dnf install openvpn
sudo openvpn –config client02.ovpn