Navigation :

Server on CentOS 7

Install OpenVPN

yum -y install openvpn

Configure OpenVPN server

Copy the example of openvpn config file to /etc/openvpn.

cd /etc/openvpn
cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf ./

Copy keys and certificates to /etc/openvpn/server.

cd /etc/openvpn/CA/keys
cp ca.crt VPN_SRV_KEY.crt VPN_SRV_KEY.key dh2048.pem ta.key /etc/openvpn/server

Edit config file to set parameters for OpenVPN server

# Use UDP protocol
proto udp
dev tun0

# Set server keys and certificates
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/VPN_SRV_KEY.crt
key /etc/openvpn/server/VPN_SRV_KEY.key
dh /etc/openvpn/server/dh2048.pem

# Location of list disabled client's certificates
;crl-verify /etc/openvpn/server/crl.pem

# TLS
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC

# IP VPN Network
server 192.168.100.0 255.255.255.0

# Set file to store of static IP of client
ifconfig-pool-persist /etc/openvpn/server/ipp.txt

# Enable client-client communication
client-to-client

# Use compress of traffic (universal case)
;comp-lzo
# Use compress of traffic (OpenVPN version > 2.4)
compress lz4-v2
push "compress lz4-v2"

# Discard root privilages for service
user nobody
group nobody

Additional settings

Bypass of firewall

Connection to OpenVPN port can be blocked in some local networks, we can try to change port and protocol for bypass this limitation. We can try to use 433 port, this port is used https protocol and is avaliable to connect in networks with enabled internet connection.

Change config file server.conf

port 443

Sometimes, it is not enough, some firewall can drop upd packets on hppts port. So, we can switch to use https port and tcp protocol to bypass firewall in such networks.

Change config file server.conf

# Use of tcp protocol and https port
proto tcp
port 443

Forwarding of internet traffic through OpenVPN server

Add string to server.conf

push "redirect-gateway def1 bypass-dhcp"

# Push DHCP servers to client, for example, we can use google dhcp servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Additional actions are needed for forwarding of internet traffic through OpenVPN server:

activate of IP Forwarding;
configure firewall (iptables);

IP Forwarding

Create file 10-ip4forwarding.conf in /etc/sysctl.d directory with content:

# Enable ip 4 forwarding
net.ipv4.ip_forward=1

Restart network service

systemctl restart network.service

Configure iptables

Configuration of iptables is quite big topic.

Be careful for configure iptables, because your server could be become anonymous gateway, so some persons could use it for illegal actions

iptables config store in /etc/sysconfig/iptables

Default iptables rules for CentOS7

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Tune this rule for traffic forwarding and make more secure

# DROP is default action for table filter, chains INPUT and FORWARD.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Allow packets for established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP(ping)
-A INPUT -p icmp -j ACCEPT
# Allow packets from vpn network
-A INPUT -i tun0 -j ACCEPT
# Allow packets to OpenVPN port 1194 (default vpn port)
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
# If you use tcp protocol and https port for OpenVPN connection use
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
# Allow ssh connection!
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Configure of transfer packets between network interfaces
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Activate masquerade
-A POSTROUTING -s 192.168.100.0/255.255.255.0 -o venet0 -j MASQUERADE
COMMIT

iptables service should be restarted after change configuration file

systemctl restart iptables

Combine local networks using by OpenVPN

Add strings to server.conf to determine of routing

# Routing to client networks
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"

192.168.10.0 and 192.168.20.0 IP of networks

If OpenVPN clients are not installed on gateways than additional actions for routing configure are needed.

Start OpenVPN service

Start

systemctl start openvpn@server

Enable start on OS boot

systemctl enable openvpn@server