Taken from: https://github.com/angristan/openvpn-install
# cd
# mkdir openvpn
# cd openvpn
# curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
# chmod +x openvpn-install.sh
# ./openvpn-install.sh
Accept all default values, except that DNS resolution should be local ([1]).
Generate any client name, e.g. "example".
Delete the newly generated client config:
# rm /root/example.ovpn
Adjust configuration
# vim /etc/openvpn/server.conf
Delete all routing configs starting with "push".
Optional: adjust the network, e.g. from "server 10.8.0.0 255.255.255.0" to "server 10.8.1.0 255.255.255.0".
Optional: change the device name from "tun" to "tunX" (X = number), e.g. "tun1".
Optional: add the option "client-to-client" to allow direct forwarding between clients (the OpenVPN server forwards the packets between clients itself instead of handing them to the networking layer of the server host).
# vim /etc/openvpn/client-template.txt
Optional: change the device name from "tun" to "tunX" (X = number), e.g. "tun1".
If all certificates are embedded in the conf file, add these lines (so root privileges are dropped earlier at startup):
user nobody
group nobody
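The server.conf and client-template.txt edits above, written out as an added POSIX sh example (not from these notes or the openvpn-install project); the function names are mine, it takes file paths as arguments and ships with a constructed sample config so it can be dry-run without touching /etc/openvpn:

```shell
#!/bin/sh
# Added example: apply the manual server.conf / client-template.txt edits from the
# notes above to a config file. Assumes POSIX sh with sed and grep; file paths are
# passed as arguments (never touches /etc/openvpn unless you point it there).

# Rewrite a file through a temp copy (POSIX sed has no portable -i).
edit_in_place() { f="$1"; shift; sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"; }

# Drop every "push ..." line so the server pushes no routes or DNS to clients.
strip_push_lines() { edit_in_place "$1" '/^push /d'; }

# Change the VPN subnet (e.g. 10.8.0.0 -> 10.8.1.0), keeping the netmask.
set_server_subnet() { edit_in_place "$1" "s/^server [0-9.]* \([0-9.]*\)\$/server $2 \1/"; }

# Rename the tun device (tun -> tun1) so it matches the firewalld zone interface.
set_tun_device() { edit_in_place "$1" "s/^dev tun[0-9]*\$/dev $2/"; }

# Append an option only if it is not already present, so re-runs are idempotent.
ensure_option() { grep -qx "$2" "$1" || printf '%s\n' "$2" >> "$1"; }

# server.conf: no pushed routes, custom subnet and device, client-to-client enabled.
harden_server_conf() {
    strip_push_lines "$1"
    set_server_subnet "$1" "$2"
    set_tun_device "$1" "$3"
    ensure_option "$1" "client-to-client"
}

# client-template.txt: matching device name, drop root early via user/group nobody.
harden_client_template() {
    set_tun_device "$1" "$2"
    ensure_option "$1" "user nobody"
    ensure_option "$1" "group nobody"
}

# Constructed sample (a subset of what openvpn-install.sh writes), used for a dry run.
make_sample_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
EOF
}
```

Usage on a copy of the real files: `harden_server_conf ./server.conf 10.8.1.0 tun1` and `harden_client_template ./client-template.txt tun1`, then diff against the originals before installing them.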
Optional: create ip assign map:
# vim /etc/openvpn/ipp.txt
example-host1,10.8.1.11
example-host2,10.8.1.12
Restart and enable:
# systemctl restart openvpn-server@server
# systemctl status openvpn-server@server
# systemctl enable openvpn-server@server
Add on firewall:
# firewall-cmd --zone=public --add-port=1194/udp --permanent
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all
Add the trusted zone to the firewall; it will cover all clients connecting over the VPN:
# firewall-cmd --zone=trusted --permanent --change-interface=tun0
# firewall-cmd --zone=trusted --permanent --add-service=https
# firewall-cmd --zone=trusted --permanent --add-port=8332/tcp
...
# firewall-cmd --reload
# firewall-cmd --zone=trusted --list-all
Generate client certificates
# ./openvpn-install.sh
Add the client's public IP to the firewall:
# firewall-cmd --permanent --zone=work --list-sources
# firewall-cmd --permanent --zone=work --add-source=69.172.201.153
or
# firewall-cmd --permanent --zone=work --add-source=192.168.100.0/24
# firewall-cmd --reload
On the client (make sure the client's IP is allowed in the server's firewall first!):
# yum install -y openvpn
# vim /etc/openvpn/client/example.conf
Paste the client config (the .ovpn generated on the server).
# systemctl start openvpn-client@example
Check DNS resolution, ping, connections, ...
# systemctl enable openvpn-client@example
Adjust the firewall and add access to the server's services:
# firewall-cmd --zone=trusted --add-interface=tun1 --permanent
# firewall-cmd --reload
# firewall-cmd --get-active-zones
# firewall-cmd --zone=trusted --permanent --add-service=mysql
# firewall-cmd --zone=trusted --add-port=XXXX/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --zone=trusted --list-all
Generate new client cert
# ./openvpn-install.sh
Add the new client's IP to the firewall's allowed sources:
# firewall-cmd --permanent --zone=work --add-source=xx.xx.xx.xxx
# firewall-cmd --reload