- Preparing Your Rocky Linux Environment
- Installing OpenVPN
- Setting Up the Easy-RSA Toolkit
- Configuring the Certificate Authority
- Building the CA
- Creating Server Certificates
- Generating Diffie-Hellman Parameters
- Setting Up the Server Configuration
- Starting the OpenVPN Server
- Configuring the Client
- Final Steps and Verification
- Conclusion

OpenVPN is a robust and highly configurable open-source VPN solution that provides secure point-to-point or site-to-site connections. For users looking to set up OpenVPN on Rocky Linux, this guide will walk you through the essential steps to install and configure it securely and effectively.
Preparing Your Rocky Linux Environment
Before you begin the installation process, it’s important to ensure your Rocky Linux system is up-to-date. Open a terminal and run the following command:
sudo dnf update -y
This command updates your system’s package index and installs security updates, ensuring you have the latest features and patches.
Installing OpenVPN
Once your system is up-to-date, you can proceed with the installation of OpenVPN. Rocky Linux uses dnf as its package manager, making the installation process straightforward. The openvpn package is provided by the EPEL repository, so enable EPEL first and then install OpenVPN:
sudo dnf install epel-release -y
sudo dnf install openvpn -y
Setting Up the Easy-RSA Toolkit
OpenVPN relies on a tool called Easy-RSA for creating the necessary encryption keys and certificates. Install Easy-RSA with this command:
sudo dnf install easy-rsa -y
After the installation, create a working directory for Easy-RSA and copy the toolkit into it. Rocky Linux’s easy-rsa package installs Easy-RSA 3 under /usr/share/easy-rsa/3:
mkdir ~/openvpn-ca
cp -r /usr/share/easy-rsa/3/* ~/openvpn-ca/
cd ~/openvpn-ca
Configuring the Certificate Authority
Next, you’ll need to configure your Certificate Authority (CA). Create a vars file in the openvpn-ca directory and set the following fields to match your organization:
nano vars
Add the following lines (EASYRSA_DN "org" tells Easy-RSA 3 to include the organizational fields in certificates):
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NY"
set_var EASYRSA_REQ_CITY "New York"
set_var EASYRSA_REQ_ORG "MyOrganization"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "MyOrganizationalUnit"
Building the CA
With your configurations set, initialize the PKI directory and build the CA. You will be asked to choose a passphrase that protects the CA private key:
./easyrsa init-pki
./easyrsa build-ca
This process generates the CA certificate (pki/ca.crt) and its private key (pki/private/ca.key) under the ~/openvpn-ca/pki directory, which you will use later.
Creating Server Certificates
Next, create a server key and certificate request, then sign the request with the CA:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
You will be prompted to answer a series of questions. As a general rule, you can press Enter to accept the defaults, except when prompted to confirm signing the certificate; type “yes” to proceed, then enter the CA passphrase.
Generating Diffie-Hellman Parameters
Generate the Diffie-Hellman parameters for secure key exchange (written to pki/dh.pem):
./easyrsa gen-dh
Setting Up the Server Configuration
Copy the example server configuration file into the OpenVPN server directory. On Rocky Linux the sample file is installed uncompressed, and the server configuration lives in /etc/openvpn/server:
sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
Now, edit the server.conf file:
sudo nano /etc/openvpn/server/server.conf
Here, you may wish to customize configurations like the subnet, port, and protocol. Key settings include:
- port: Default is 1194.
- proto: The protocol can be either udp or tcp.
- server: Defines the VPN network (e.g., 10.8.0.0 255.255.255.0).
Starting the OpenVPN Server
Before starting the OpenVPN service, ensure that IP forwarding is enabled. Edit the system control configuration:
sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward = 1
Save the file and apply the changes:
sudo sysctl -p
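You can now start the OpenVPN server and enable it at boot. On Rocky Linux the systemd unit is openvpn-server@, which reads /etc/openvpn/server/server.conf for the instance named server:
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server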
Configuring the Client
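To connect clients to your OpenVPN server, you’ll need to generate client certificates. Return to the openvpn-ca directory, then create and sign a request for the client:
cd ~/openvpn-ca
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Copy the CA certificate and the client certificate and key to the appropriate directory (Easy-RSA 3 writes issued certificates to pki/issued and private keys to pki/private), then create the client configuration:
sudo cp ~/openvpn-ca/pki/ca.crt ~/openvpn-ca/pki/issued/client1.crt ~/openvpn-ca/pki/private/client1.key /etc/openvpn/client/
sudo nano /etc/openvpn/client/client.ovpn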
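In the client.ovpn file, specify the following configurations:
client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
Substitute your-server-ip with the actual IP address of your server. The ca, cert and key lines name the files copied into /etc/openvpn/client/, and remote-cert-tls server makes the client reject a peer that does not present a server certificate.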
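A quick check to run on a client profile before handing it to a user, as an added example that is not part of the original guide: the shell functions below (hypothetical names) flag a profile that lacks the ca, cert or key directives or remote-cert-tls server, and a private key file readable by group or others. It assumes a relative key path is relative to the profile's own directory.

```shell
#!/bin/sh
# Added example (not from the guide). Function names are hypothetical.

# has_directive FILE NAME: succeeds if NAME is set as a directive ("ca ca.crt")
# or as an inline block ("<ca>"), skipping '#' and ';' comment lines.
has_directive() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == d || $1 == ("<" d ">") { found = 1 }
        END { exit !found }' "$1"
}

# directive_arg FILE NAME: prints the first argument of directive NAME.
directive_arg() {
    awk -v d="$2" '/^[ \t]*[#;]/ { next } $1 == d { print $2; exit }' "$1"
}

# audit_client_profile FILE: prints one finding per line and returns
# the number of findings (0 means the profile passed every check).
audit_client_profile() {
    profile=$1
    findings=0
    for d in ca cert key; do
        if ! has_directive "$profile" "$d"; then
            echo "missing '$d': profile has no TLS credential of this kind"
            findings=$((findings + 1))
        fi
    done
    # Without this check a client accepts any certificate the CA signed,
    # including another client's, as the server's.
    if [ "$(directive_arg "$profile" remote-cert-tls)" != "server" ]; then
        echo "missing 'remote-cert-tls server': server certificate type unchecked"
        findings=$((findings + 1))
    fi
    # A private key readable by group or others exposes the client identity.
    # Assumption: a relative key path is relative to the profile's directory.
    keyfile=$(directive_arg "$profile" key)
    case $keyfile in
        ""|/*) ;;
        *) keyfile=$(dirname "$profile")/$keyfile ;;
    esac
    if [ -f "$keyfile" ] && [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
        echo "key file $keyfile is accessible to group/others; chmod 600 it"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Call it as audit_client_profile /etc/openvpn/client/client.ovpn; the exit status is the number of findings.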
Final Steps and Verification
Finally, restart the OpenVPN server to ensure all settings take effect (on Rocky Linux the systemd unit is named openvpn-server@server):
sudo systemctl restart openvpn-server@server
To verify that the server is running correctly, check the status:
sudo systemctl status openvpn-server@server
If everything is configured properly, your OpenVPN server on Rocky Linux should now be running smoothly. Clients can connect using the configuration you prepared, achieving secure and encrypted internet access.
Conclusion
Installing OpenVPN on Rocky Linux is not only a practical security measure but also a gateway to privacy and secure networking. By following the steps outlined in this guide, you’ll establish a reliable VPN service tailored to your needs.