...

Code Block
;cipher AES-256-CBC
cipher AES-256-GCM

Right after this line, add an auth directive to select the HMAC message digest algorithm. For this, SHA256 is a good choice:

Code Block
auth SHA256

Next, find the line containing a dh directive, which defines Diffie-Hellman parameters. Since we’ve configured all the certificates to use Elliptic Curve Cryptography, there is no need for a Diffie-Hellman seed file. Comment out the existing line that looks like dh dh2048.pem or dh dh.pem. The filename for the Diffie-Hellman key may be different from what is listed in the example server configuration file. Then add a line after it with the contents dh none:

Code Block
;dh dh2048.pem
dh none

Next, we want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of nobody. To enable this, find and uncomment the user nobody and group nobody lines by removing the ; sign from the beginning of each line:

Code Block
user nobody
group nobody

Modify the cert and key lines in the server.conf configuration file so that they point to the appropriate jujitsu.crt and jujitsu.key files:

Code Block
cert jujitsu.crt
key jujitsu.key

When you are finished, save and close the file.
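The server.conf edits from the cipher change down to the cert and key lines, collected into one idempotent shell function. This is an added example, not part of the tutorial: it assumes the stock sample server.conf layout shown in the steps above, feeds it a constructed excerpt of that file, and takes the certificate name jujitsu from the tutorial; the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: apply the server.conf hardening steps
# in one pass, and verify the result. Safe to re-run on an already edited file.

# Constructed excerpt of the stock sample server.conf (demonstration input only)
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher AES-256-CBC
;user nobody
;group nobody
EOF
}

# harden_openvpn_conf <server.conf> [certname]: rewrite the file in place
harden_openvpn_conf() {
    conf=$1 name=${2:-jujitsu}
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        # Comment out CBC, switch to AES-256-GCM and add the HMAC digest
        /^cipher AES-256-CBC/ {
            print ";" $0; print "cipher AES-256-GCM"; print "auth SHA256"; next
        }
        # ECC certificates need no DH parameter file; keep "dh none" untouched
        /^dh / && $2 != "none" { print ";" $0; print "dh none"; next }
        # Drop privileges after startup
        /^;user nobody/  { print "user nobody"; next }
        /^;group nobody/ { print "group nobody"; next }
        # Point cert/key at the server pair
        /^cert / { print "cert " name ".crt"; next }
        /^key /  { print "key " name ".key"; next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# verify_openvpn_conf <server.conf>: 0 when every hardened directive appears
# exactly once and the weaker originals are commented out
verify_openvpn_conf() {
    for want in '^cipher AES-256-GCM$' '^auth SHA256$' '^dh none$' \
                '^user nobody$' '^group nobody$'; do
        [ "$(grep -c "$want" "$1")" -eq 1 ] || return 1
    done
    ! grep -q '^cipher AES-256-CBC' "$1" && ! grep -q '^dh dh' "$1"
}

f=$(mktemp); write_sample_conf "$f"; harden_openvpn_conf "$f"; cat "$f"; rm -f "$f"
```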

You have now finished configuring your OpenVPN general settings. In the next step, we’ll customize the server’s networking options.

Adjusting the OpenVPN Server Networking Configuration

There are some aspects of the server’s networking configuration that need to be tweaked so that OpenVPN can correctly route traffic through the VPN. The first of these is IP forwarding, a method for determining where IP traffic should be routed. This is essential to the VPN functionality that your server will provide.

To adjust your OpenVPN server’s default IP forwarding setting, open the /etc/sysctl.conf file using vi or your preferred editor:

Code Block
sudo vi /etc/sysctl.conf

Then add the following line at the top of the file:

Code Block
net.ipv4.ip_forward = 1

Save and close the file when you are finished.

To read the file and load the new values for the current session, type:

Code Block
sudo sysctl -p
net.ipv4.ip_forward = 1

Now your OpenVPN server will be able to forward incoming traffic from one Ethernet device to another. This setting makes sure the server can direct traffic from clients that connect on the virtual VPN interface out over its other physical Ethernet devices. This configuration will route all web traffic from your client via your server’s IP address, and your client’s public IP address will effectively be hidden.

In the next step you will need to configure some firewall rules to ensure that traffic to and from your OpenVPN server flows properly.

Firewall Configuration

So far, you’ve installed OpenVPN on your server, configured it, and generated the keys and certificates needed for your client to access the VPN. However, you have not yet provided OpenVPN with any instructions on where to send incoming web traffic from clients. You can stipulate how the server should handle client traffic by establishing some firewall rules and routing configurations.

Assuming you followed the prerequisites at the start of this tutorial, you should already have firewalld installed and running on your server. To allow OpenVPN through the firewall, you’ll need to know what your active firewalld zone is. Find this with the following command:

Code Block
sudo firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: eth1 eth0

If you do not see a trusted zone that lists the tun0 interface, run the following commands to add the VPN device to that zone:

Code Block
sudo firewall-cmd --zone=trusted --add-interface=tun0
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Next, add the openvpn service to the list of services allowed by firewalld, both in your active zone and in the trusted zone. Both commands use the --permanent option so that the setting survives a firewall reload:

Code Block
sudo firewall-cmd --permanent --add-service openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service openvpn

To apply the changes on the firewall, run:

Code Block
sudo firewall-cmd --reload

You can now check that the service was added correctly with the following command:

Code Block
sudo firewall-cmd --list-services --zone=trusted
openvpn

Next, we’ll add a masquerade rule to the firewall. Masquerading allows your OpenVPN server to translate your OpenVPN clients’ addresses into the server’s own public address, and then do the reverse with traffic that is sent back to clients. This process is also known as Network Address Translation (NAT).

Add masquerade rules with the following commands:

Code Block
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --add-masquerade --permanent

You can check that the masquerade was added correctly with this command:

Code Block
sudo firewall-cmd --query-masquerade
yes

Next, you’ll need to create the specific masquerade rule for your OpenVPN subnet only. You can do this by first creating a shell variable (DEVICE in our example) which will represent the primary network interface used by your server, and then using that variable to permanently add the routing rule:

Code Block
DEVICE=$(ip route | awk '/^default via/ {print $5}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $DEVICE -j MASQUERADE
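An added dry-run helper, not part of the tutorial, that parses the firewall-cmd --get-active-zones and ip route output formats shown above and prints only the firewall-cmd commands still needed, so the tun0 zone and the uplink device can be checked before the firewall is touched. ZONES_OUT and ROUTE_OUT are constructed samples, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: plan the firewalld steps from the
# output formats shown above without changing anything. The two *_OUT values
# are constructed samples; on a real host replace them with
#   ZONES_OUT=$(sudo firewall-cmd --get-active-zones)
#   ROUTE_OUT=$(ip route)
ZONES_OUT='docker
  interfaces: docker0
public
  interfaces: eth1 eth0'
ROUTE_OUT='default via 203.0.113.1 dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1'

# zone_of_interface <zones-output> <iface>: zone name, or empty if not listed
zone_of_interface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ]/ { zone = $1; next }                  # unindented line = zone
        /^ *interfaces:/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# default_device <ip-route-output>: interface carrying the default route
# (same field the tutorial reads with awk, i.e. the word after "dev")
default_device() {
    printf '%s\n' "$1" | awk '/^default via/ { print $5; exit }'
}

# plan_firewall <zones-output> <route-output>: print the commands still needed
plan_firewall() {
    dev=$(default_device "$2")
    [ -n "$dev" ] || { echo "no default route found" >&2; return 1; }
    if [ "$(zone_of_interface "$1" tun0)" != "trusted" ]; then
        echo "sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0"
    fi
    echo "sudo firewall-cmd --permanent --add-service openvpn"
    echo "sudo firewall-cmd --permanent --zone=trusted --add-service openvpn"
    echo "sudo firewall-cmd --permanent --add-masquerade"
    # NAT only the VPN subnet out of the real uplink, as in the tutorial
    echo "sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $dev -j MASQUERADE"
    echo "sudo firewall-cmd --reload"   # makes the permanent rules active
}

plan_firewall "$ZONES_OUT" "$ROUTE_OUT"
```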