
How To Install OpenVPN On Oracle Linux 7

(Subject: Systems Integration/Authored by: Liping Liu on 6/14/2015 4:00:00 AM)/Views: 15509

The installation process consists of four stages: 1) install the EPEL repository; 2) install openvpn; 3) configure openvpn; and 4) install the openvpn client.

Step 1 — Install EPEL Repository

The default public Oracle YUM repository does not have all the packages we need to install openvpn, so we run the following two commands to add the EPEL repository:

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
sudo rpm -Uvh epel-release-7*.rpm

Step 2 — Install OpenVPN


The following two commands are all we need to install openvpn and the programs to generate certificates:

yum install openvpn -y
yum install easy-rsa -y


Step 3 — Configuring OpenVPN

We can find an example configuration file in the OpenVPN documentation directory. Copy the sample server.conf with the following command:

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf  /etc/openvpn

Open the file in your favorite editor. I'm using the vi editor:

vi /etc/openvpn/server.conf

Most of the lines just need to be uncommented (remove the ;) and some of them need to be changed.

Make the following changes:

local 192.168.1.13
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

 

Step 4 — Generating Keys and Certificates

Now we'll need to generate our keys and certificates. Easy RSA installs some scripts to generate these keys and certificates.

Create a directory for the keys with the following command:

mkdir -p /etc/openvpn/easy-rsa/keys

We also need to copy the key and certificate generation scripts into the directory.

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Now we're going to edit the default values in the script so we don't have to type our information in each time. Open the file in the vi editor.

vi /etc/openvpn/easy-rsa/vars

Change the values that start with KEY_. Update the following values to be accurate for your organization.

Some of the important values that should be changed carefully are:

  • KEY_NAME: You should enter server here; you could enter something else, but then you would also have to update the configuration files that reference  and
  • KEY_CN: Enter the domain or subdomain that resolves to your server

Refer to the sample file below:

. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="OH"
export KEY_CITY="Akron"
export KEY_ORG="course.org"
export KEY_EMAIL="liu@ecourse.org"
export KEY_OU="Administration"
# X509 Subject Field
export KEY_NAME="server"
. . .
export KEY_CN="openvpn.ecourse.org"
. . .

The OpenSSL configuration may not load because the version is undetectable. To avoid this, remove the version number from the OpenSSL file name.

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Next, we are going to generate the keys and certificates. Move to the easy-rsa directory and source in our new variables.

cd /etc/openvpn/easy-rsa
source ./vars

Then, we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.

./clean-all 

When you build the certificate authority, you will be asked to enter all the information we put into the vars file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.

./build-ca

Next, we will generate the key and certificate for the server. Press ENTER for each question, as in the step above.

./build-key-server server

Now we will generate the Diffie-Hellman key exchange file. This command will take some time to complete:

./build-dh 

This completes the generation of the server keys and certificates. Copy them all into our OpenVPN directory.

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

To authenticate, our clients will also need certificates. These keys and certificates will be shared with your clients, and it's best to generate separate keys and certificates for each client you intend to connect.

Make sure that if you do this you give them descriptive names, but for now we’re going to have one client so we’ll just call it client.

cd /etc/openvpn/easy-rsa
./build-key client

That's it for keys and certificates.

Step 5 — Routing

To use firewalld, you would first add openvpn service to the public zone by the command:

firewall-cmd --add-service openvpn
firewall-cmd --permanent --add-service openvpn
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade
 

To use the old iptables, install iptables-services and disable firewalld by executing the following commands:

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush

Next, we need to add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule. Replace ethXYZ with your own network interface.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ethXYZ -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Next, enable IP forwarding in sysctl. Open sysctl.conf in the vi editor.

vi /etc/sysctl.conf

Add the following line at the top of the file:

net.ipv4.ip_forward = 1

Or issue the command:

echo 1 > /proc/sys/net/ipv4/ip_forward

For IP forwarding to take effect, we need to restart the network service. Issue the following command:

systemctl restart network.service

Step 6 — Starting OpenVPN

Now that the installation is complete, we are ready to start the OpenVPN service. Add it to systemctl using the command:

systemctl -f enable openvpn@server.service

Start OpenVPN:

systemctl start openvpn@server.service

We have now successfully completed all the server-side configuration for OpenVPN.

Step 7 — Configuring a Client

To connect you will definitely need a copy of the ca certificate from the server, along with the client key and certificate.

Locate the following files on the server. In this article we used ‘client’ as the descriptive name for the client keys.

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key

Copy these three files to your client machine. To do this, open each file on the server and copy its content into a new file on the client system and save it, or use SFTP.

We’re going to create a file called client.ovpn. This is a configuration file for an OpenVPN client, telling it how to connect to the server.

  • You’ll need to change the first line to reflect the name you gave the client in your key and certificate; in our case, this is just client
  • You also need to update the IP address from your_server_ip to the IP address of your server; port 1194 can stay the same
  • Make sure the paths to your key and certificate files are correct

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key

This file can now be used by any OpenVPN client to connect to your server.
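
An added example (not part of the original article): a shell lint that flags the directives in the server.conf from Step 3 and in the client.ovpn above that a reviewer would question before deployment. The function names and the sample input are constructed for illustration; tls-auth, tls-crypt and remote-cert-tls are standard OpenVPN directives that the article's configs do not set.

```shell
#!/bin/sh
# Added example: lint an OpenVPN config for the security-relevant directives
# used in this guide. Function names are hypothetical, not part of OpenVPN.
# Usage: audit_openvpn_conf /etc/openvpn/server.conf

# Print active directives: strip leading whitespace, drop '#' and ';'
# comment lines and blank lines.
active_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' "$1"
}

# Succeed if directive $2 is the first word of an active line in file $1.
has_directive() {
    active_directives "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# Print one WARN line per finding. The role is detected from the file:
# a config containing the "client" directive is treated as a client config.
audit_openvpn_conf() {
    conf=$1
    if has_directive "$conf" client; then role=client; else role=server; fi
    if has_directive "$conf" comp-lzo; then
        echo "WARN $role comp-lzo: compression before encryption can leak plaintext (VORACLE)"
    fi
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "WARN $role no-tls-auth: handshake packets are not pre-authenticated with an HMAC key"
    fi
    if [ "$role" = server ]; then
        if has_directive "$conf" duplicate-cn; then
            echo "WARN server duplicate-cn: one certificate can be used by many concurrent clients"
        fi
        if has_directive "$conf" client-to-client; then
            echo "WARN server client-to-client: traffic between clients is routed inside OpenVPN and never reaches the host firewall"
        fi
    elif ! has_directive "$conf" remote-cert-tls; then
        echo "WARN client no-remote-cert-tls: the server certificate's key usage is not verified"
    fi
    return 0
}

# Constructed sample input: the directives this guide puts in client.ovpn,
# plus one comment line to show that comments are ignored.
sample_client_conf() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote your_server_ip 1194' \
        '# comp-lzo mentioned in a comment must not count' 'comp-lzo' 'verb 3' \
        'ca /path/to/ca.crt' 'cert /path/to/client.crt' 'key /path/to/client.key'
}
```

Run against the two files from this guide, it reports four findings for server.conf and three for client.ovpn; a config with tls-auth set and without comp-lzo, duplicate-cn and client-to-client produces no output.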

Example: Installation and configuration of Tunnelblick

Tunnelblick is an OpenVPN graphical user interface (GUI) for Mac OS X. The installation is very straightforward and can be done just like installing any other program on Mac OS X.

Download the program at http://code.google.com/p/tunnelblick/.

Open the downloaded dmg file and double-click on the Tunnelblick icon to start the installation. Answer yes to the question if Tunnelblick should be started.

After the installation a Tunnelblick icon is placed near the Spotlight icon.

The configuration files for Tunnelblick are placed in the directory /Users//Library/Application Support/Tunnelblick/Configurations. Open the file openvpn.conf in your favorite editor.

Make sure that the configuration file contains at least the following entries:

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key

The ip-address of your internet connection can be determined with the help of the website http://whatismyipaddress.com/. The ip-address is shown in blue at the right.

Copy the following files from your OpenVPN server to your Mac:

  • ca.crt
  • client1.crt
  • client1.key

These files are located in the /etc/openvpn/keys directory. They must be copied to the directory /Users//Library/Application Support/Tunnelblick/Configurations. I always use Cyberduck for copying files between Linux and Mac OS X.

Once the files are copied to the right location, you can test your VPN connection.

On the Tunnelblick icon, click with the right mouse button on Details.



MER*** posted at 5/3/2024 1:54:38 AM
yum install -y epel-release
setenforce 0
nano /etc/sysconfig/selinux
SELINUX=permissive
yum install -y openvpn easy-rsa
cd /usr/share/easy-rsa/3
./easyrsa
./easyrsa init-pki
./easyrsa gen-dh
WINDOWS
This PC, right click, Manage
services>services>openssh ssh server>properties>startup type> automatic>apply>start
ORACLE
./easyrsa build-ca nopass
Ucionica18
./easyrsa build-server-full Server18 nopass
./easyrsa build-client-full Client18 nopass
cd pki/
cp ca.crt /home/oracle/
cp dh.pem /home/oracle/
cd issued/
cp *.crt /home/oracle/
cd ..
ll
cd private/
ll
cp *.key /home/oracle/
cd /usr/share/doc/openvpn/sample/sample-config-files/
ll
cp server.conf /home/oracle/Server18.conf
cd /home/oracle/
nano Server18.conf
ca ca.crt put 4#
cert server.crt put 4#
key server.key put 4#
dh dh2048.pem put 4#
remove the ; at topology subnet
server 10.3.26.0 255.255.
tls-auth ta.key put 4#

ctrl r dh.pem


ctrl r ca.crt


ctrl r Server18.crt (delete everything above up to begin certificate)


ctrl r Server18.key

save and exit
cp Server18.conf /etc/openvpn/server/
systemctl start openvpn-server@Server18
systemctl enable openvpn-server@Server18
go to Windows
google openvpn download
find version 2.5.10 and install the Windows 64-bit MSI
right click on the openvpn file and install
customize: openvpn service -> entire feature
openssl utilities->entire feature
install now
File manager -> windows 10-> program files->openvpn->sample-config->copy client.ovpn to IEUser
command prompt
ipconfig
scp client.ovpn oracle@(ifconfig->the address shown at inet):
yes
oracle's password
go to Oracle
mv client.ovpn Client18.ovpn
nano Client18.ovpn
remote my server: delete my server and enter the address (ifconfig-inet)
ca ca.crt put 4#
cert client.crt put 4#
key client.key put 4#
tls-auth ta.key 1 put 4#


ctrl r dh.pem


ctrl r ca.crt


ctrl r Client18.crt (delete everything that is not the certificate)


ctrl r Client18.key

save
scp Client18.ovpn IEUser@(ipconfig->address):
yes
go to Windows
Client18.ovpn right click, start openvpn
go to Oracle
firewall-cmd --permanent --zone=public --add-service=openvpn
Client18.ovpn right click, start openvpn
right click on the clock - adjust date and time
set time automatically off then on
Client18.ovpn right click, start openvpn
ping 10.3.26.1
type firewall, click windows defender firewall advanced
inbound rules
new rule>custom>next>protocol type>ICMPv4>next>these IP addresses 10.3.26.0/24>ok>these IP addresses>10.3.26.0/24>next>next>name:10.3.26.0/24 ICMPv4
Copy Client18.ovpn to openvpn/config-auto

Computer management services and applications> services>openvpn service>restart
Control panel>network and sharing center >change adapter settings >OpenVPN tap>

https://www.ecourse.org/news.asp?which=1647
https://tecadmin.net/install-openvpn-centos-8/
  