Comments on How to Install OpenVPN Server and Client with Easy-RSA 3 on CentOS 7
OpenVPN is an open source application that allows you to create a secure private network over the public internet. In this tutorial, we will show you step by step how to install and configure OpenVPN on CentOS 7.6, and we will implement certificate-based OpenVPN authentication.
14 Comment(s)
Comments
It's not working. This is my error:
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
Run openvpn interactively and see what it's moaning about.
[root@localhost 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
WARNING: can't open config file: $EASYRSA/openssl-1.0.cnf
Easy-RSA error:
The OpenSSL config file cannot be found.
Expected location: $EASYRSA/openssl-1.0.cnf
Error: "Job for openvpn@server.service failed because the control process exited with error code"
Occurrence: The error occurs when the "Optional: Generate the CRL Key" step is skipped.
Solution:
# see the error message "Options error: --crl-verify fails with '/etc/openvpn/server/crl.pem': No such file or directory (errno=2)"
vim /var/log/openvpn.log
# fix the error: remove the "crl-verify /etc/openvpn/server/crl.pem" line from /etc/openvpn/server.conf
Can this be used on mobile phones, iPhone 7 or Samsung Emerge?
How can I configure a client (which is a local network server) to give access from a remote LAN to the OpenVPN server?
OpenVPN server: 10.10.1.1/24
Client-LANserver: 10.10.2.1/24
Can you help? Thank you.
Clean CentOS 7 install (behind NAT, port forwarded on router) + this manual. Retried 4 times, but still:
Tue Jul 30 17:28:34 2019 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=OPenVPN
Tue Jul 30 17:28:34 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Jul 30 17:28:34 2019 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jul 30 17:28:34 2019 TLS Error: TLS object -> incoming plaintext read error
Tue Jul 30 17:28:34 2019 TLS Error: TLS handshake failed
Tue Jul 30 17:28:34 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 30 17:28:34 2019 MANAGEMENT: >STATE:1564500514,RECONNECTING,tls-error,,,,,
Tue Jul 30 17:28:34 2019 Restart pause, 40 second(s)
Tue Jul 30 17:29:14 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,RESOLVE,,,,,,
Tue Jul 30 17:29:14 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.17.173.222:1194
Tue Jul 30 17:29:14 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 30 17:29:14 2019 UDP link local: (not bound)
Tue Jul 30 17:29:14 2019 UDP link remote: [AF_INET]83.17.173.222:1194
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,WAIT,,,,,,
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,AUTH,,,,,,
Tue Jul 30 17:29:14 2019 TLS: Initial packet from [AF_INET]83.17.173.222:1194, sid=2431f8aa d07a36d4
Tue Jul 30 17:29:14 2019 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=OPenVPN
Tue Jul 30 17:29:14 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Jul 30 17:29:14 2019 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jul 30 17:29:14 2019 TLS Error: TLS object -> incoming plaintext read error
Tue Jul 30 17:29:14 2019 TLS Error: TLS handshake failed
Tue Jul 30 17:29:14 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 30 17:29:14 2019 MANAGEMENT: >STATE:1564500554,RECONNECTING,tls-error,,,,,
Tue Jul 30 17:29:14 2019 Restart pause, 80 second(s)
UPDATE: CAPITAL letters matter when it comes to the names we use while installing. All good now after a few hours of debugging and 3 reinstalls :)
Hello,
I have a problem...
In Step 5 - Enable Port-Forwarding and Configure Routing Firewalld
firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
What now? :)
By default "easyrsa gen-crl" will make a certificate with a nextUpdate date of 180 days, after which your VPN server will reject all clients until you make a new CRL.
To use a longer CRL validity period add the following option to the "vars" file in Step 2:
set_var EASYRSA_CRL_DAYS "365"
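The CRL-expiry trap described in this comment, and the missing-CRL failure in the "Options error: --crl-verify fails" comment above, both show up as a server that silently rejects every client once crl.pem is missing or stale. The following is an added check (not part of the tutorial or any commenter's post) that reads the CRL's nextUpdate with openssl and reports how many days remain; the crl.pem path is the one the tutorial's server.conf uses, and the 14-day warning threshold is a hypothetical value to adjust to your renewal cadence.

```python
"""Warn before an OpenVPN CRL's nextUpdate passes (Easy-RSA default: 180 days).

Once nextUpdate is in the past, openvpn's crl-verify refuses all clients, so the
CRL must be regenerated with "easyrsa gen-crl" before that date. This script reads
the date with "openssl crl -nextupdate" and classifies it as ok/warning/expired.
"""
import subprocess
from datetime import datetime, timezone

CRL_PATH = "/etc/openvpn/server/crl.pem"  # path from the tutorial's server.conf
WARN_DAYS = 14                              # hypothetical warning threshold


def parse_next_update(line: str) -> datetime:
    """Parse 'nextUpdate=Jan 27 10:00:00 2020 GMT' as printed by openssl crl -nextupdate.
    Single-digit days are space-padded by openssl ('Jan  7 ...'); strptime copes."""
    _, _, value = line.strip().partition("=")
    stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)


def days_remaining(next_update: datetime, now: datetime) -> int:
    """Whole days until nextUpdate; negative once the CRL has already lapsed."""
    return (next_update - now).days


def assess(line: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Return 'expired', 'warning' or 'ok' for a nextUpdate line at time `now`."""
    left = days_remaining(parse_next_update(line), now)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "warning"
    return "ok"


def read_next_update(crl_path: str = CRL_PATH) -> str:
    """Ask openssl for the CRL's nextUpdate field (requires the openssl binary)."""
    out = subprocess.run(
        ["openssl", "crl", "-in", crl_path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    line = read_next_update()
    now = datetime.now(timezone.utc)
    left = days_remaining(parse_next_update(line), now)
    print(f"{line.strip()} -> {left} day(s) left: {assess(line, now)}")
```

Run it from cron on the server and page on "warning" so the CRL is regenerated well before clients start failing with a certificate-revocation error.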
What additional steps are required for tls-crypt, and would this replace the tls options in server.conf and client.ovpn?
Dear Muhammad,
I have an issue: my tunnel connected, but I can't ping 8.8.8.8 or anything else; I can only ping my server's public address and tun0's IP...
Must I add a route on my server...?
Hi. What changes are required to server.conf and below for this to work with a dynamic IP? TIA
SERVERIP=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.10.1.0/24 -o $SERVERIP -j MASQUERADE
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.