
How To Install OpenVPN Server on AlmaLinux 9


OpenVPN is a versatile and widely used open-source Virtual Private Network (VPN) solution that provides secure, encrypted connections between remote computers and private networks. It’s an essential tool for businesses and individuals who need to protect their online activities and access resources securely over the internet. AlmaLinux 9, a free and open-source Linux distribution that is binary compatible with Red Hat Enterprise Linux (RHEL), offers a stable and reliable platform for hosting OpenVPN servers.

In this comprehensive guide, we’ll walk you through the process of installing and configuring an OpenVPN server on AlmaLinux 9. By the end of this tutorial, you’ll have a fully functional OpenVPN server capable of securely connecting remote clients to your network.

Prerequisites

Before we begin, ensure that you have the following:

  • A server running AlmaLinux 9 with root or sudo access
  • A minimum of 1 GB of RAM and 10 GB of disk space
  • A static IP address assigned to your server
  • Basic knowledge of Linux command-line operations

It’s also recommended to have a fully qualified domain name (FQDN) pointing to your server’s IP address, although this is not strictly necessary.

Preparing the Server

Let’s start by preparing our AlmaLinux 9 server for the OpenVPN installation.

Updating the System

First, ensure your system is up to date:

sudo dnf update -y

Installing EPEL Repository

OpenVPN is available in the Extra Packages for Enterprise Linux (EPEL) repository. Install it with:

sudo dnf install epel-release -y

Configuring Firewall Settings

OpenVPN typically uses UDP port 1194. Let’s open this port in the firewall:

sudo firewall-cmd --add-port=1194/udp --permanent
sudo firewall-cmd --reload

Installing OpenVPN

Now that our server is prepared, let’s install OpenVPN and Easy-RSA, which we’ll use for certificate management.

Installing OpenVPN Package

Install OpenVPN using the following command:

sudo dnf install openvpn -y

Installing Easy-RSA for Certificate Management

Easy-RSA is a key management tool that simplifies the process of setting up a Certificate Authority (CA) and generating certificates. Install it with:

sudo dnf install easy-rsa -y

Configuring the Certificate Authority (CA)

OpenVPN uses certificates for authentication. We’ll set up our own Certificate Authority to issue these certificates.

Initializing the PKI

First, create a directory for Easy-RSA and initialize the Public Key Infrastructure (PKI):

mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/
cd ~/easy-rsa
./easyrsa init-pki

Creating the CA Certificate and Key

Now, let’s create the CA certificate and key:

./easyrsa build-ca nopass

You’ll be prompted to enter a Common Name for your CA. Choose something descriptive, like “OpenVPN-CA”.

Generating Server Certificate and Key

Next, generate the server certificate and key:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

When prompted, enter “yes” to confirm signing the certificate.

Generating Diffie-Hellman Parameters

Generate Diffie-Hellman parameters for key exchange:

./easyrsa gen-dh

This process may take a few minutes to complete.

Configuring OpenVPN Server

With our certificates in place, we can now configure the OpenVPN server.

Creating Server Configuration File

Start by copying the sample server configuration file:

sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/

Now, edit the configuration file:

sudo nano /etc/openvpn/server/server.conf

Make the following changes:

  • Uncomment the line push "redirect-gateway def1 bypass-dhcp" to route all client traffic through the VPN.
  • Uncomment the lines push "dhcp-option DNS 208.67.222.222" and push "dhcp-option DNS 208.67.220.220" to use OpenDNS servers. You can replace these with your preferred DNS servers.
  • Change dh dh2048.pem to dh dh.pem to match the file generated by Easy-RSA.
  • Uncomment user nobody and group nobody for additional security.

Configuring Network Settings

Enable IP forwarding to allow traffic to flow between clients and the server:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Setting up DNS

To ensure DNS requests are routed correctly, create a script that updates resolv.conf:

sudo nano /etc/openvpn/update-resolv-conf

Add the following content:

#!/bin/bash
# Rewrite /etc/resolv.conf without comment or blank lines, then append the
# same OpenDNS resolvers that the server pushes to clients. The original
# file is kept as /etc/resolv.conf.backup.
cp /etc/resolv.conf /etc/resolv.conf.backup
grep -v '^[[:space:]]*#' /etc/resolv.conf.backup | grep -v '^$' > /etc/resolv.conf
echo 'nameserver 208.67.222.222' >> /etc/resolv.conf
echo 'nameserver 208.67.220.220' >> /etc/resolv.conf

Make the script executable:

sudo chmod +x /etc/openvpn/update-resolv-conf

Managing Client Certificates

Now let’s create certificates for our clients.

Generating Client Certificates

For each client, run:

cd ~/easy-rsa
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

Replace “client1” with a unique name for each client.

Creating Client Configuration Files

Create a base configuration file for clients:

sudo nano /etc/openvpn/client-template.conf

Add the following content, replacing your_server_ip with your server’s public IP address:

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3

Starting and Enabling OpenVPN Service

With our configuration complete, we can now start the OpenVPN service:

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

Verify that the service is running:

sudo systemctl status openvpn-server@server

Connecting Clients to the OpenVPN Server

To connect clients, you’ll need to provide them with:

  • The client configuration file
  • The CA certificate
  • The client certificate and key
  • The ta.key file for TLS authentication

Combine these into a single .ovpn file for easy distribution. For Windows and macOS clients, you can use the official OpenVPN client software. For Linux, most distributions have OpenVPN available in their package managers.
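The following script, added here as an example and not part of the original tutorial, builds that single .ovpn file by appending the CA certificate, client certificate, client key and ta.key as inline blocks below the client template; the `key-direction 1` line in the template pairs with the inline `<tls-auth>` block. All file paths are assumptions, including the ta.key location, which the tutorial lists but does not show being created.

```shell
#!/bin/sh
# Added example (not from the tutorial): build one client1.ovpn by appending
# the CA certificate, client certificate, client key and ta.key as inline
# blocks below the client template. All paths are assumptions.

# make_ovpn TEMPLATE CA CERT KEY TA OUTPUT
# Writes OUTPUT = TEMPLATE followed by <ca>, <cert>, <key> and <tls-auth>
# blocks. OpenVPN reads the PEM section of each block, so the text dump that
# Easy-RSA prepends to issued .crt files is harmless.
# Returns 1 without writing anything if an input file cannot be read.
make_ovpn() {
    local template="$1" ca="$2" cert="$3" key="$4" ta="$5" out="$6" f
    for f in "$template" "$ca" "$cert" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: cannot read $f" >&2
            return 1
        fi
    done
    # Subshell so the restrictive umask (the profile embeds a private key)
    # does not leak into the caller's shell.
    (
        umask 077
        {
            cat "$template"
            printf '<ca>\n';        cat "$ca";   printf '</ca>\n'
            printf '<cert>\n';      cat "$cert"; printf '</cert>\n'
            printf '<key>\n';       cat "$key";  printf '</key>\n'
            printf '<tls-auth>\n';  cat "$ta";   printf '</tls-auth>\n'
        } > "$out"
    )
}

# count_inline_blocks PROFILE
# Prints how many of the four inline block openers a finished profile has;
# a complete profile from make_ovpn yields 4. Use it before handing out a file.
count_inline_blocks() {
    grep -c -E '^<(ca|cert|key|tls-auth)>$' "$1"
}

# Example invocation with the tutorial's Easy-RSA layout (ta.key path assumed):
# make_ovpn /etc/openvpn/client-template.conf ~/easy-rsa/pki/ca.crt \
#   ~/easy-rsa/pki/issued/client1.crt ~/easy-rsa/pki/private/client1.key \
#   /etc/openvpn/server/ta.key client1.ovpn
```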

Troubleshooting Common Issues

If you encounter issues, check the following:

  • Ensure all certificates and keys are correctly placed and have proper permissions.
  • Verify that the firewall is allowing traffic on UDP port 1194.
  • Check OpenVPN logs for error messages: sudo journalctl -u openvpn-server@server
  • Make sure IP forwarding is enabled and persists after reboot.
  • Verify that the server and client clocks are synchronized.

Security Considerations

To maintain a secure OpenVPN server:

  • Regularly update OpenVPN and AlmaLinux 9 with security patches.
  • Use strong encryption settings and consider implementing two-factor authentication.
  • Regularly audit and rotate client certificates.
  • Monitor server logs for unusual activity.
  • Consider implementing a firewall on the VPN subnet to control client access.
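To support the audit-and-rotate point above, here is an added example (not from the tutorial) that reads the Easy-RSA certificate database, pki/index.txt under the ~/easy-rsa directory created earlier, and reports each issued certificate as valid, revoked, or expiring by a cutoff date. The index path and the cutoff you pass are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): list every certificate the Easy-RSA
# CA has issued, using its pki/index.txt database, and flag revoked ones and
# those expiring by a cutoff date, to drive rotation. Path is an assumption.

# audit_index INDEX CUTOFF
# INDEX is Easy-RSA's pki/index.txt; each tab-separated line is
#   status  expiry  revoked-on  serial  filename  DN
# with dates in OpenSSL's YYMMDDHHMMSSZ (UTC) form. CUTOFF uses the same
# form, e.g. $(date -u -d '+30 days' +%y%m%d%H%M%SZ) with GNU date.
# Prints "STATUS SERIAL CN EXPIRY" per certificate, STATUS being REVOKED,
# EXPIRED (marked E by the CA), EXPIRING (expiry on or before CUTOFF) or
# VALID. Fixed-width timestamps make a plain string comparison correct.
audit_index() {
    awk -F '\t' -v cutoff="$2" '
        NF >= 6 {
            cn = $6
            sub(/^.*\/CN=/, "", cn)   # keep only the CN component
            sub(/\/.*$/, "", cn)      # drop any components after it
            if ($1 == "R")            status = "REVOKED"
            else if ($1 == "E")       status = "EXPIRED"
            else if ($2 <= cutoff)    status = "EXPIRING"
            else                      status = "VALID"
            print status, $4, cn, $2
        }' "$1"
}

# rotation_candidates INDEX CUTOFF
# Prints only the CNs that need a fresh certificate issued and distributed
# (expiring or already expired); revoked entries belong in the CRL instead.
rotation_candidates() {
    audit_index "$1" "$2" | awk '$1 == "EXPIRING" || $1 == "EXPIRED" { print $3 }'
}

# Example invocation with the tutorial's layout (cutoff is an assumption):
# audit_index ~/easy-rsa/pki/index.txt "$(date -u -d '+30 days' +%y%m%d%H%M%SZ)"
```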

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN server on your AlmaLinux 9 system. For additional help or useful information, we recommend you check the official OpenVPN website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.