https:\/\/chichivica.github.io\/2017\/08\/02\/Install-OpenVPN-on-Fedora-26\/<\/a><\/p>\nI found this guide to be useful, but found myself taking notes on corrections to the procedure. Unable to contact the author of the howto, I offer the procedure with minor corrections here. Note that my procedure was done on Fedora 27.<\/p>\n
1) First of all install necessary dependencies<\/p>\n
sudo dnf install openvpn easy-rsa<\/p>\n
2) Copy rsa scripts to the home folder<\/p>\n
mkdir ~\/openvpn-ca<\/p>\n
cp -ai \/usr\/share\/easy-rsa\/3\/* ~\/openvpn-ca
\ncd ~\/openvpn-ca<\/p>\n
3) According to this start a new PKI and build a CA keypair\/cert<\/p>\n
.\/easyrsa init-pki
\n.\/easyrsa build-ca nopass<\/p>\n
4) Build Server certificate, key<\/p>\n
.\/easyrsa build-server-full server nopass<\/p>\n
5) Build Client certificate, key<\/p>\n
.\/easyrsa build-client-full client01 nopass<\/p>\n
you can omit nopass on steps 3,4,5 if you need to<\/p>\n
6) Generate a strong Diffie-Hellman keys<\/p>\n
.\/easyrsa gen-dh<\/p>\n
7) Generate HMAC signature to strengthen the server\u2019s TLS integrity verification capabilities<\/p>\n
openvpn –genkey –secret pki\/ta.key<\/p>\n
8) Before openvpn server setting up we need to put appropriate keys ca.crt ca.key server.crt server.key ta.key dh.pem into \/etc\/openvpn\/server\/keys folder<\/p>\n
sudo ln -s ~\/openvpn-ca\/openssl-1.0.cnf ~\/client-configs\/<\/p>\n
sudo cp ~\/openvpn-ca\/pki\/issued\/server.crt \/etc\/openvpn\/server
\nsudo cp ~\/openvpn-ca\/pki\/private\/server.key \/etc\/openvpn\/server
\nsudo cp ~\/openvpn-ca\/pki\/private\/ca.key \/etc\/openvpn\/server
\nsudo cp ~\/openvpn-ca\/pki\/ca.crt \/etc\/openvpn\/server
\nsudo cp ~\/openvpn-ca\/pki\/dh.pem \/etc\/openvpn\/server
\nsudo cp ~\/openvpn-ca\/pki\/ta.key \/etc\/openvpn\/server<\/p>\n
9) Now we need to set up the server itself, firstly copy configurations<\/p>\n
sudo cp \/usr\/share\/doc\/openvpn\/sample\/sample-config-files\/server.conf \/etc\/openvpn\/server<\/p>\n
10) Modify several lines in that configuration file<\/p>\n
sudo nano \/etc\/openvpn\/server\/server.conf<\/p>\n
add these lines at the end of the file:<\/p>\n
key-direction 0
\nauth SHA256
\nremove ; symbol to uncomment following lines<\/p>\n
user nobody
\ngroup nogroup<\/p>\n
10a) [optional] In order to Redirect all traffic Through the VPN, remove ; from the following lines:<\/p>\n
push “redirect-gateway def1 bypass-dhcp”
\npush “dhcp-option DNS 208.67.222.222”
\npush “dhcp-option DNS 208.67.220.220”<\/p>\n
10b) [optional] Adjust port and protocol if you don\u2019t wish to use default:<\/p>\n
port 443
\nproto tcp<\/p>\n
and if you have server.crt and server.key with the different name point to them here:<\/p>\n
cert myservername.crt
\nkey myservername.key<\/p>\n
11) Allow IP Forwarding. This is fairly essential to the functionality we want our VPN server to provide.<\/p>\n
sudo nano \/etc\/sysctl.conf
\nand drop a line there<\/p>\n
net.ipv4.ip_forward=1
\nactivate that:<\/p>\n
sudo sysctl -p<\/p>\n
12) Set up firewalld to work with OpenVPN<\/p>\n
sudo firewall-cmd –permanent –add-service openvpn
\nsudo firewall-cmd –permanent –add-masquerade<\/p>\n
13) Now we are going to set up our systemd service.<\/p>\n
sudo ln -s \/usr\/lib\/systemd\/system\/openvpn-server\\@.service \/etc\/systemd\/system\/multi-user.target.wants\/openvpn-server\\@server.service<\/p>\n
sudo ln -s \/etc\/openvpn\/server\/dh.pem \/etc\/openvpn\/server\/dh2048.pem<\/p>\n
server corresponds with the configuration file name in \/etc\/openvpn\/server such as server.conf. So if you have myserver.conf you have to replace server with myserver<\/p>\n
14) Now we are ready to start OpenVPN service<\/p>\n
sudo systemctl -f enable openvpn-server@server.service
\nsudo systemctl start openvpn-server@server.service<\/p>\n
15) enter in \/etc\/rc.d\/rc.local (reminder: chmod 755 rc.local):<\/p>\n
iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o enp3s0 -j MASQUERADE
\n(where enp3s0 is the name of your ethernet device)<\/p>\n
Done! We successfully deployed our OpenVPN server, and we are ready to move on and set up the client<\/p>\n
Client setup<\/p>\n
As you remember we already generated client01.crt and client01.key at step 5. Now we need combine them with our general Certificates of Authority in order to build client config file.<\/p>\n
1) First of all we need generate Client Configurations. Let’s create client-configs directory and prepare with the keys<\/p>\n
mkdir -p ~\/client-configs\/files
\ncd ~\/client-configs<\/p>\n
we are actually going to omit these instructions, we have re-coded our batch file under client creation to avoid this issue:
\n# mkdir ~\/keys
\n# cp ~\/openvpn-ca\/pki\/ca.crt ~\/client-configs\/keys
\n# cp ~\/openvpn-ca\/pki\/ta.key ~\/client-configs\/keys
\n# cp ~\/openvpn-ca\/pki\/private\/client1.key ~\/client-configs\/keys
\n# cp ~\/openvpn-ca\/pki\/private\/client1.crt ~\/client-configs\/keys<\/p>\n
2) Next we need to copy base configuration from examples<\/p>\n
cp \/usr\/share\/doc\/openvpn\/sample\/sample-config-files\/client.conf ~\/client-configs\/base.conf<\/p>\n
3) Open this file in your text editor<\/p>\n
nano ~\/client-configs\/base.conf<\/p>\n
4) and modify as following<\/p>\n
remote server_IP_address 1194
\n# place your server address here
\nproto udp
\n# update with specified protocol
\nnext uncomment (by removing leading semicolons)<\/p>\n
user nobody
\ngroup nogroup<\/p>\n
NB: If you are using CentOS, change the group from nogroup to nobody to match the distribution\u2019s available groups
\nand comment out the lines because we place them directly in client\u2019s config<\/p>\n
#ca ca.crt
\n#cert client.crt
\n#key client.key<\/p>\n
add these lines at the end of the file:<\/p>\n
auth SHA256
\nkey-direction 1<\/p>\n
5) Next, we will create a simple script to compile our base configuration with the relevant certificate, key, and encryption files. This will place the generated configuration in the ~\/client-configs\/ files directory.<\/p>\n
Note: to be consistent with the portion of this document above, I should really use ~ instead of \/home\/desktop in the section below. However that is how I run it:<\/p>\n
nano ~\/client-configs\/make_config.sh<\/p>\n
#!\/bin\/bash<\/p>\n
# remember to run easyrsa build-client-full clientid nopass<\/p>\n
# First argument: clientid<\/p>\n
KEY_DIR=~\/openvpn-ca\/pki
\nOUTPUT_DIR=~\/client-configs\/files
\nBASE_CONFIG=~\/client-configs\/base.conf<\/p>\n
cat ${BASE_CONFIG} \\
\n<(echo -e ‘<ca>’) \\
\n${KEY_DIR}\/ca.crt \\
\n<(echo -e ‘<\/ca>\\n<cert>’) \\
\n${KEY_DIR}\/issued\/${1}.crt \\
\n<(echo -e ‘<\/cert>\\n<key>’) \\
\n${KEY_DIR}\/private\/${1}.key \\
\n<(echo -e ‘<\/key>\\n<tls-auth>’) \\
\n${KEY_DIR}\/ta.key \\
\n<(echo -e ‘<\/tls-auth>’) \\
\n> ${OUTPUT_DIR}\/${1}.ovpn<\/p>\n
make the file executable:<\/p>\n
chmod 700 ~\/client-configs\/make_config.sh<\/p>\n
6) Execute that file with client01 input parameter<\/p>\n
Note you must first run the client creation from step 5 in the server setup. A repeatable procedure for client creation is as follows (using client02 as token):<\/p>\n
cd ~\/openvpn-ca<\/p>\n
.\/easyrsa build-client-full client02 nopass<\/p>\n
cd ~\/client-configs<\/p>\n
.\/make_config.sh client02<\/p>\n
If everything went well, we should have a client02.ovpn file in our ~\/client-configs\/ directory<\/p>\n
7) Now that file can be used on the client machine<\/p>\n
sudo dnf install openvpn
\nsudo openvpn –config client02.ovpn<\/p>\n","protected":false},"excerpt":{"rendered":"
Fedora 27 is a close cousin of CentOS 7, which is actually Fedora 19. Most of the documentation for server-centric stuff is still targeted at CentOS 7. Some topics, like how to install and configure OpenVPN, are poorly documented. I was pleased to find this link, a tutorial on how to install OpenVPN on Fedora … <\/p>\n
Continue reading “A corrected procedure for the installation of OpenVPN on Fedora 27”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-101","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=101"}],"version-history":[{"count":11,"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/101\/revisions"}],"predecessor-version":[{"id":3879,"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/101\/revisions\/3879"}],"wp:attachment":[{"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=101"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.gordonbuchan.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}