Comments on How to Install OpenVPN Server and Client with Easy-RSA 3 on CentOS 8
OpenVPN is an open-source application that allows you to create a secure private network over the public internet. In this tutorial, we will show you how to step-by-step install and configure OpenVPN on CentOS 8. And we will implement the certificate-based OpenVPN authentication.
Comments
is the OpenVPN client configuration right?
I received a decompression error ("Bad LZ4 decompression header byte: 250") in the server logs. To fix it:
1) remove the "compress lz4" part from both client01.ovpn and server.conf
2) add this to the server.conf:
push "compress lz4-v2"
compress lz4-v2
Step 3:
cd /etc/openvpn/easy-rsa/3/
doesn't look right.
Security can be tweaked a bit more after the initial setup.
Setup went smooth.
But, no matter what I try, internet traffic stops working on connecting to vpn.
I am pretty sure it's got something to do with firewalld settings.
firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'trusted' (see --get-active-zones)
You most likely need to use --zone=trusted option.
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https nrpe openvpn smtp ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I get to entering commands for NAT and openvpn internal ip with success
entered
SERVERIP=$(ip route get 1.1.1.1 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.5.0.0/24 -o $SERVERIP -j MASQUERADE
but on reloading the firewall, i.e. firewall-cmd --reload
I receive an error
"Error: list index out of range"
I have rechecked the command entries multiple times and get the same error.
Check what's under $SERVERIP, so try the command without saving it to a variable and you will know what went wrong.
ip route get 1.1.1.1 | awk 'NR==1 {print $(NF-2)}'
Everything went well until Step 5
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.5.0.0/24 -o $SERVERIP -j MASQUERADE success
Then entering firewall-cmd --reload I get
Error: list index out of range
If I re-enter firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.5.0.0/24 -o $SERVERIP -j MASQUERADE
I get Warning: ALREADY_ENABLED: passthrough 'ipv4', '['-t', 'nat', '-A', 'POSTROUTING', '-s', '10.5.0.0/24', '-o', '192.168.1.2', '-j', 'MASQUERADE']' success
and Then Entering
firewall-cmd --reload
Error: list index out of range
Not sure where to go
Thank you
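The two reports above (the "list index out of range" on firewall-cmd --reload, and the earlier reply suggesting to check what $SERVERIP contains) point at the same cause that is visible in the ALREADY_ENABLED warning: the passthrough rule was saved with '-o', '192.168.1.2', an IP address, where a MASQUERADE rule's -o expects an interface name. The tutorial's awk one-liner picks a fixed column of `ip route get` output, and on the iproute2 shipped with CentOS 8 that output carries trailing "uid 0" fields, so the offset lands on the source address instead of the device. The script below is an added example, not part of the tutorial or of any commenter's post; it looks for the token after "dev" instead, refuses to build the rule when the value is not an interface name, and keeps the page's original one-liner only to show the difference on a constructed sample of `ip route get` output.

```sh
#!/bin/sh
# Added example (not from the tutorial): derive the egress interface NAME from
# `ip route get` before handing it to firewall-cmd as the -o argument.

# The page's one-liner: prints the field two positions before the last one.
# On output without the trailing "uid 0" columns that happens to be the
# interface; with them it is the source address.
page_oneliner() {
    printf '%s\n' "$1" | awk 'NR==1 {print $(NF-2)}'
}

# Robust variant: print the token that follows "dev" on the first line,
# whatever other columns the installed iproute2 version adds.
egress_iface_from_route() {
    printf '%s\n' "$1" | awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Return 0 only if the value is plausibly an interface name: non-empty,
# made of interface-safe characters, and not a dotted-quad address.
is_iface_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && return 1
    return 0
}

# Build (but do not run) the NAT passthrough command from the tutorial,
# for a given OpenVPN subnet and egress interface.
nat_rule_cmd() {
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Constructed sample of `ip route get 1.1.1.1` output as newer iproute2 prints it.
SAMPLE_ROUTE='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.2 uid 0
    cache'

main() {
    route_out="$SAMPLE_ROUTE"   # on a real host: route_out=$(ip route get 1.1.1.1)
    iface=$(egress_iface_from_route "$route_out")
    if ! is_iface_name "$iface"; then
        echo "refusing to build NAT rule: '$iface' is not an interface name" >&2
        return 1
    fi
    echo "page one-liner would have used: $(page_oneliner "$route_out")"
    echo "interface after 'dev':          $iface"
    nat_rule_cmd 10.5.0.0/24 "$iface"
}

main
```

Run it as-is to see both values side by side on the sample; on a real server replace the sample with the live `ip route get` call as the comment indicates, and run the printed firewall-cmd line only once the interface check passes. Before retrying, remove the passthrough entry that was saved with the address, since firewalld keeps it in its permanent configuration and reports it as ALREADY_ENABLED.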
Hi!
What font are you using on your terminal?
Thank you for this tutorial, very well explained and nicely illustrated and laid out!
For my part, it worked very well!
Thaaaanks
I am able to connect to my OPENVPN server. I am able to ping the internal computers. I cannot connect via RDP to any computer on the network. The internal computers are able to connect to each other via RDP so I assume there is something not right in the firewall. Any ideas what I may have done?
I have followed the complete process. Everything is working fine, but when I revoke the client01 certificate, the command output is fine as expected (mentioned below) but the client is still able to connect to the VPN server. Please help to resolve this issue.
#################################################
root@ip-172-31-8-140:/etc/openvpn/easy-rsa# ./easyrsa revoke client01
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = client01
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-5041.P6U6k2/tmp.MZRCuP
Revoking Certificate 350C0F80B4355F2B641394CB662ADBA6.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
root@ip-172-31-8-140:/etc/openvpn/easy-rsa# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-5079.0l51ER/tmp.hVh3vs
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
#################################################
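The output above shows the PKI side of revocation completing (the certificate is marked revoked and crl.pem is regenerated), but OpenVPN only rejects a revoked client if the server configuration names that CRL with a crl-verify directive pointing at a file the daemon can read, and the running server has picked up the new file. The script below is an added example, not part of the tutorial or of the commenter's post; it reads a server.conf (passed as the first argument; the path is whatever your install uses) and reports whether a usable crl-verify directive is present.

```sh
#!/bin/sh
# Added example (not from the tutorial): check that an OpenVPN server config
# actually enforces the CRL that easyrsa gen-crl produced.

# Print the path given to crl-verify (first non-comment occurrence), or nothing
# if the directive is absent. Comment lines start with '#' or ';', so their
# first field never equals "crl-verify".
crl_verify_path() {
    awk '$1 == "crl-verify" { print $2; exit }' "$1"
}

# Exit status: 0 = CRL configured and readable,
#              1 = no crl-verify directive (revoked clients still connect),
#              2 = directive present but the file is missing or unreadable.
check_crl_enforced() {
    conf="$1"
    path=$(crl_verify_path "$conf")
    if [ -z "$path" ]; then
        echo "no crl-verify directive in $conf: revoked certificates will still be accepted" >&2
        return 1
    fi
    # A relative path is taken relative to the config file's directory here;
    # OpenVPN resolves it against its own working directory (see --cd).
    case "$path" in
        /*) ;;
        *) path="$(dirname "$conf")/$path" ;;
    esac
    if [ ! -r "$path" ]; then
        echo "crl-verify points at '$path' but it is not readable" >&2
        return 2
    fi
    echo "crl-verify configured: $path"
    return 0
}

# Usage: sh check_crl.sh /path/to/server.conf
if [ $# -gt 0 ]; then
    check_crl_enforced "$1"
fi
```

If the check reports a missing directive, add `crl-verify /full/path/to/crl.pem` to server.conf, copy the freshly generated pki/crl.pem to that location with permissions the OpenVPN process can read, and restart the server service so the file is loaded; re-run ./easyrsa gen-crl and copy the file again after every future revocation.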