Installation OpenVPN Server on Centos 7

OpenVPN is the most known open source SSL VPN (Virtual Private Network) in the world. OpenVPN implemented OSI Layer 2 or 3 by securing network extension using SSL/TLS protocol. They allow you to connect securely to an insecure public network such as wifi in the cafe or public area. For Corporate and Enterprise they commonly used to allowing/blocking connection for back-office application or even secure connection to the server itself. When you has been read my post before, you can escalate this method to more secure than before, since before we have the SSH Port still exposing to public (although only public key authentication are allowed).
This post scoped only in CentOS 7 and I'm using Alibaba Cloud as my cloud provider. Using other Operating System (OS) or cloud provider may need some adjustment to be matched, but I'll describe in general. If you have a trouble during follow this tutorial, don't hesitate to ask in the comment. Go go go!

Step 1 Find IP of Server

During this step, you need to note your IP both private and public of your server. To get IP Private just use command below.
$ ifconfig
eth0: flags=4163 UP,BROADCAST,RUNNING,MULTICAST  mtu 1500
        inet 172.31.5.163  netmask 255.255.240.0  broadcast 172.31.15.255
        ether 00:16:3e:01:75:5a  txqueuelen 1000  (Ethernet)
        RX packets 176564  bytes 190616976 (181.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62463  bytes 16518893 (15.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73 UP,LOOPBACK,RUNNING  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
And to find IP Public just use curl to icanhazip.com.
$ curl icanhazip.com
149.129.111.11
Write down all of the IP above. But some cloud provider sometimes offer direct assign. So your Private IP is same with Public one. For direct assign you need to take different step during the installation.

Step 2 Download Installation Script

Download the OpenVPN installation script using curl.
$ curl -o openvpn.sh https://raw.githubusercontent.com/h3rucutu/openvpn-install/master/openvpn-install.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 38986  100 38986    0     0  10115      0  0:00:03  0:00:03 --:--:-- 10115
To secure this file we need to move into opt directory and make openvpn directory.
$ sudo mkdir /opt/openvpn
Change the file permission into 755 or simply add execute (+x) and move to /opt/openvpn.
$ chmod +x openvpn.sh
$ sudo mv openvpn.sh /opt/openvpn/
Now we're ready to proceed the installation.

Step 3 Execute Installation Script

Now execute the script.
$ sudo sh /opt/openvpn/openvpn.sh 
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 172.31.5.163

It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 149.129.111.11
First question is related with step 1, are your server is behind the NAT (you have different Private and Public IP) or direct assign. If your server behind NAT fill the IP Address with the Private IP you've got from step 1, then fill Public IPv4 with your Public IP. But when your server have direct assign, you just fill the IP Address with the Public IP, the script will know that your server is direct assign.
After you fill the IP, press enter. You'll be asked some configuration, the script has default value so you don't need to change (for DNS Resolver I recommended to change using 9 Google).
Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 9

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
When the Press any key to continue is appear, just press and wait a while until you'll be asked the client name. Fill the client name only accept alphabetical so make sure you typing the right client name, press Enter while you done.
Client name: h3rucutu

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1
Then just follow the default value for password in file configuration (1).
Once the script has been done, actually the OpenVPN already installed and running on your server. To checking this, use systemctl.
$ sudo systemctl status openvpn-server@server
● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/etc/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-04-07 16:26:53 CST; 11min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 819 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─819 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Apr 07 16:26:54 caltic-sandbox openvpn[819]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 07 16:26:54 caltic-sandbox openvpn[819]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Apr 07 16:26:54 caltic-sandbox openvpn[819]: UDPv4 link local (bound): [AF_INET][undef]:1194
Apr 07 16:26:54 caltic-sandbox openvpn[819]: UDPv4 link remote: [AF_UNSPEC]
Apr 07 16:26:54 caltic-sandbox openvpn[819]: GID set to nobody
Apr 07 16:26:54 caltic-sandbox openvpn[819]: UID set to nobody
Apr 07 16:26:54 caltic-sandbox openvpn[819]: MULTI: multi_init called, r=256 v=256
Apr 07 16:26:54 caltic-sandbox openvpn[819]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Apr 07 16:26:54 caltic-sandbox openvpn[819]: IFCONFIG POOL LIST
Apr 07 16:26:54 caltic-sandbox openvpn[819]: Initialization Sequence Completed

Step 4 Setting Up OpenVPN Client

Before setting up OpenVPN Client, we need to download configuration file from the server. Once step 3 finished, one configuration file already there. We can download via sftp.
% sftp h3rucutu@149.129.111.11
sftp ls
h3rucutu.ovpn  
sftp get h3rucutu.ovpn
Fetching /home/h3rucutu/h3rucutu.ovpn to h3rucutu.ovpn
/home/h3rucutu/h3rucutu.ovpn                                                                                                                             100% 2684   166.7KB/s   00:00    
sftp
After downloaded the file, we need to download OpenVPN Client. Since OpenVPN is famous, most platform are supported by OpenVPN.
To make this post simple, I only demonstrate using Tunnelblick on macOS. Install the Tunnelblick and after Tunnelblick installed properly, open the window of Tunnelblick.

Add Configuration to Tunnelblick

Then, drag the configuration file to the window of Tunnelblick, you'll be asked that are this configuration for all user or only you (I recommended choose Only Me).

Tunnelblick Window

Click connect button on the bottom right of the window, wait until the status is connected.

Tunnelblick is Connected

Once the status is connected, now you're connected to OpenVPN Server in your server.

(Optional) Step 5 SSH Connection via OpenVPN

As I mentioned earlier that after we're setting up the OpenVPN on the server and successfully connect to them, we now could establish SSH connection via Private IP.
% ssh h3rucutu@172.31.5.163
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /Users/h3rucutu/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/h3rucutu/.ssh/known_hosts:11
ECDSA host key for 172.31.5.163 has changed and you have requested strict checking.
Host key verification failed.
If you found an error above, it's because the IP of the server has been change, before we're connected the server with Public IP, now we're connecting to the server with Private IP. The solution is simple, just delete line 11 on known_hosts file, see error above.
After you deleted, try to connect again, the prompt will be asked type 'yes'.
% ssh h3rucutu@172.31.5.163
Last login: Tue Apr  7 18:54:51 2020 from 10.8.0.2

Welcome to Alibaba Cloud Elastic Compute Service !

[h3rucutu@caltic-sandbox ~]$
And you're now connected over OpenVPN connection. Last step, you need to drop SSH Port from NAT or Firewall (in my case I only forbid the SSH Port on Security Rules).

Forbid SSH Port

Verify that your server now are not exposed SSH Port to Public.
% ssh h3rucutu@ 149.129.111.11
ssh: connect to host 149.129.111.11 port 22: Operation timed out
Good! Now you're one more step securing your server than before.
Later more on this blog. Stay tune!

Comments

Popular Posts