
Setting up a Virtual Private Network (VPN) is a crucial step for securing network traffic, whether for remote access or site-to-site connections. OpenVPN is a robust and highly configurable VPN daemon that runs its control channel over TLS and authenticates both ends with X.509 certificates, which makes it a popular choice for building secure tunnels. This guide walks through installing, configuring, and hardening OpenVPN on RHEL 9 and CentOS Stream 9 systems.
The first step is to install the OpenVPN package. It is not in the default RHEL 9 repositories, but it is available in EPEL (Extra Packages for Enterprise Linux), so you will need to enable that repository first. Once EPEL is configured, install OpenVPN and its dependencies with dnf install openvpn easy-rsa, where easy-rsa is the set of scripts used to run the Certificate Authority and issue certificates.
Security in OpenVPN rests on its certificates, so establishing a Certificate Authority (CA) is essential. This involves setting up the easy-rsa environment, initializing a Public Key Infrastructure (PKI), and building the CA itself. Keep the CA's private key off the VPN server if at all possible; a compromised VPN host should not also be able to mint new client identities. With the CA ready, issue a server certificate and key for the OpenVPN server and a separate client certificate and key for every device or user that will connect; never share one client certificate between users, or you lose the ability to revoke a single lost device. Plan for revocation from the start: easy-rsa can revoke a client certificate and regenerate a certificate revocation list (CRL) that the server checks on every connection. Diffie-Hellman parameters are only needed if you keep classic finite-field DH for key exchange; generating them can take some time, and OpenVPN 2.4 and later can instead use ECDHE exclusively and skip static DH parameters altogether.
Configuring the OpenVPN server means creating the main configuration file, typically under /etc/openvpn/server/. It specifies the protocol (UDP is common), the port, the virtual subnet handed out to clients, and the paths to the server certificate, key, CA certificate, CRL and, if used, Diffie-Hellman parameters. The directives that actually harden the server are: a tls-crypt (or older tls-auth) pre-shared key so unauthenticated packets are dropped before any TLS processing, a minimum TLS version, a restricted list of AEAD data ciphers, requiring that connecting peers present a certificate issued for client use, and dropping root privileges to an unprivileged user and group once the tunnel is up. Convenience settings such as pushing DNS servers and routes to clients, allowing client-to-client traffic if it is really needed, and the logging verbosity belong in the same file. It is also sensible to keep a client profile template alongside the server configuration so connection profiles can be generated consistently.
For clients to connect, each needs its own client certificate and key, the CA certificate, the tls-crypt key if the server uses one, and the server's connection details (public IP or hostname and port). The easiest way to distribute this is a single .ovpn profile with the certificate and key material embedded inline rather than referenced as separate files. The client key is a credential: hand the profile over through an authenticated channel, not by email or chat, and do not reuse profiles between people. Every client profile should also require that the remote certificate was issued for server use; without that check, anyone holding a stolen client certificate could pose as the server.
A critical part of securing the OpenVPN setup is the firewall. On RHEL 9 and CentOS Stream 9 this is normally done with firewall-cmd. You need to allow the chosen OpenVPN port and protocol (for example UDP port 1194) through the firewall in the zone of the server's public interface, and nothing else should be newly exposed. If the server routes traffic for clients to other networks or the internet, you must additionally enable IPv4 forwarding on the host (the net.ipv4.ip_forward sysctl, set persistently rather than only at runtime) and add a masquerade rule to the zone of the outbound interface so forwarded client traffic is source-translated to the server's address. Masquerade applies to everything forwarded out of that zone, so review what other interfaces sit in it.
SELinux is another security layer on RHEL and CentOS, and it should stay enforcing on a VPN gateway. The targeted policy ships a confined domain for OpenVPN that already permits the default layout: configuration and keys under /etc/openvpn and the standard UDP port 1194. Denials typically appear when keys or configuration files were copied in from elsewhere and carry the wrong label, or when a non-default port is chosen. Check the service status and the audit log for AVC denials before changing anything. The usual fixes are to restore the expected labels on /etc/openvpn with restorecon and, for a non-default port, to add that port to the openvpn port type with semanage. The OpenVPN-related booleans exist for less common cases, such as reading client files from home directories, and are rarely needed. If you must switch SELinux to permissive mode to troubleshoot, do it briefly, use the recorded denials to identify the real label or port problem, and return to enforcing mode; leaving permissive mode on, or disabling SELinux, is not an acceptable fix.
Once the configuration is complete, start the server with systemctl start openvpn-server@server.service. The part after the @ is the name of the configuration file in /etc/openvpn/server/ without its .conf suffix, so a file named server.conf is driven by the openvpn-server@server instance and a file named corp.conf by openvpn-server@corp. To have the VPN come up after a reboot, enable the unit with systemctl enable openvpn-server@server.service. Check the service status and the logs (journalctl -u openvpn-server@server.service) to confirm it is running without errors, that it has dropped to the unprivileged user you configured, and that it is listening on the expected UDP port.
By following these steps, you can deploy a secure and reliable OpenVPN server on RHEL 9 or CentOS Stream 9, providing encrypted connectivity for your network. Keep the system and the openvpn package updated, revoke the certificate of any lost or retired device promptly and republish the CRL, and rotate the tls-crypt key and certificates before they expire so the protections configured here keep working.
Source: https://infotechys.com/hardening-openvpn-security-on-rhel-9/