[root@testserver ~]# yum install epel-release
[root@testserver ~]# yum -y install openvpn easy-rsa iptables-services
Running transaction
Installing : pkcs11-helper-1.11-3.el7.x86_64 1/3
Installing : openvpn-2.4.3-1.el7.x86_64 2/3
Installing : easy-rsa-2.2.2-1.el7.noarch 3/3
Verifying : pkcs11-helper-1.11-3.el7.x86_64 1/3
Verifying : openvpn-2.4.3-1.el7.x86_64 2/3
Verifying : easy-rsa-2.2.2-1.el7.noarch 3/3
Installed:
easy-rsa.noarch 0:2.2.2-1.el7 openvpn.x86_64 0:2.4.3-1.el7
Dependency Installed:
pkcs11-helper.x86_64 0:1.11-3.el7
Complete!
#cp -r /usr/share/easy-rsa/ /etc/openvpn/
#cd /etc/openvpn/easy-rsa/2.0
#vi vars
export key_size=2048
export ca_expire=3650
export key_expire=3650
export Key_country="us"
export Key_city="san..
export Key_org="for..
export Key_email="me...
export Key_ou="my..
export Key_name="easyrsa"
#source ./vars
#./clean-all
#./build-ca
.
.
writing new private key to 'ca.key'
.
.
---------------------------------------------------------------------------------------
[root@testserver ~]# yum install epel-release
[root@testserver ~]# systemctl stop firewalld
[root@testserver ~]# systemctl disable firewalld
[root@testserver ~]# yum install iptables-services
[root@testserver ~]# systemctl start iptables
[root@testserver ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2017-08-10 16:32:11 IST; 21s ago
Process: 47654 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 47654 (code=exited, status=0/SUCCESS)
Aug 10 16:32:11 testserver.boobi.com systemd[1]: Starting IPv4 firewall with....
Aug 10 16:32:11 testserver.boobi.com iptables.init[47654]: iptables: Applying...
Aug 10 16:32:11 testserver.boobi.com systemd[1]: Started IPv4 firewall with ....
Hint: Some lines were ellipsized, use -l to show in full.
[root@testserver ~]# systemctl stop iptables
# yum install openvpn
[root@testserver ~]# cd /usr/share/doc/openvpn-2.4.3/sample/sample-config-files
[root@testserver sample-config-files]# ls
client.conf openvpn-shutdown.sh static-home.conf
firewall.sh openvpn-startup.sh static-office.conf
home.up README tls-home.conf
loopback-client roadwarrior-client.conf tls-office.conf
loopback-server roadwarrior-server.conf xinetd-client-config
office.up server.conf xinetd-server-config
[root@testserver sample-config-files]# cp server.conf /etc/openvpn/
[root@testserver sample-config-files]# cd /etc/openvpn/
[root@testserver openvpn]# ls
client server server.conf
[root@testserver openvpn]# vi server.conf
.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
.
user nobody
group nobody
[root@testserver openvpn]# yum install easy-rsa
[root@testserver openvpn]# mkdir -p /etc/openvpn/easy-rsa/keys
[root@testserver openvpn]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
[root@testserver openvpn]# ls
client easy-rsa server server.conf
[root@testserver openvpn]# cd easy-rsa/
[root@testserver easy-rsa]# ls
build-ca build-key-server list-crl sign-req
build-dh build-req openssl-0.9.6.cnf vars
build-inter build-req-pass openssl-0.9.8.cnf whichopensslcnf
build-key clean-all openssl-1.0.0.cnf
build-key-pass inherit-inter pkitool
build-key-pkcs12 keys revoke-full
[root@testserver easy-rsa]# vi vars
export KEY_COUNTRY="IN"
export KEY_PROVINCE="TN"
export KEY_CITY="Chennai"
export KEY_ORG="admin"
export KEY_EMAIL="r.boobalan@tabtree.in"
export KEY_OU="adv"
[root@testserver easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@testserver easy-rsa]# ./clean-all
[root@testserver easy-rsa]# ./build-ca
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [TN]:
Locality Name (eg, city) [Chennai]:
Organization Name (eg, company) [admin]:
Organizational Unit Name (eg, section) [adv]:
Common Name (eg, your name or your server's hostname) [admin CA]:adv-testserver
Name [EasyRSA]:
Email Address [r.boobalan@tabtree.in]:
[root@testserver easy-rsa]# ./build-key-server $( hostname )
Generating a 2048 bit RSA private key
...........................+++
..................................................................................................+++
writing new private key to 'testserver.boobi.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [TN]:
Locality Name (eg, city) [Chennai]:
Organization Name (eg, company) [admin]:
Organizational Unit Name (eg, section) [adv]:
Common Name (eg, your name or your server's hostname) [testserver.boobi.com]:
Name [EasyRSA]:
Email Address [r.boobalan@tabtree.in]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:treecare
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'TN'
localityName :PRINTABLE:'Chennai'
organizationName :PRINTABLE:'admin'
organizationalUnitName:PRINTABLE:'adv'
commonName :PRINTABLE:'testserver.boobi.com'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'r.boobalan@tabtree.in'
Certificate is to be certified until Aug 8 11:35:21 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@testserver easy-rsa]# ./build-dh
[root@testserver easy-rsa]# cd keys/
[root@testserver keys]# ls
01.pem dh2048.pem index.txt.old testserver.boobi.com.crt
ca.crt index.txt serial testserver.boobi.com.csr
ca.key index.txt.attr serial.old testserver.boobi.com.key
[root@testserver keys]# cp ca.crt testserver.boobi.com.crt testserver.boobi.com.key dh2048.pem /etc/openvpn
[root@testserver keys]# cd ..
[root@testserver easy-rsa]# cd ..
[root@testserver openvpn]# ls
ca.crt dh2048.pem server testserver.boobi.com.crt
client easy-rsa server.conf testserver.boobi.com.key
[root@testserver openvpn]# ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
[root@testserver openvpn]# vi server.conf
.
ca ca.crt
cert testserver.boobi.com.crt
key testserver.boobi.com.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh dh2048.pem
.
[root@testserver openvpn]# systemctl -f enable openvpn@server.service
Removed symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@testserver openvpn]# systemctl start openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
refer
videos
[root@testserver ~]# yum -y install openvpn easy-rsa iptables-services
Running transaction
Installing : pkcs11-helper-1.11-3.el7.x86_64 1/3
Installing : openvpn-2.4.3-1.el7.x86_64 2/3
Installing : easy-rsa-2.2.2-1.el7.noarch 3/3
Verifying : pkcs11-helper-1.11-3.el7.x86_64 1/3
Verifying : openvpn-2.4.3-1.el7.x86_64 2/3
Verifying : easy-rsa-2.2.2-1.el7.noarch 3/3
Installed:
easy-rsa.noarch 0:2.2.2-1.el7 openvpn.x86_64 0:2.4.3-1.el7
Dependency Installed:
pkcs11-helper.x86_64 0:1.11-3.el7
Complete!
#cp -r /usr/share/easy-rsa/ /etc/openvpn/
#cd /etc/openvpn/easy-rsa/2.0
#vi vars
export key_size=2048
export ca_expire=3650
export key_expire=3650
export Key_country="us"
export Key_city="san..
export Key_org="for..
export Key_email="me...
export Key_ou="my..
export Key_name="easyrsa"
#source ./vars
#./clean-all
#./build-ca
.
.
writing new private key to 'ca.key'
.
.
---------------------------------------------------------------------------------------
[root@testserver ~]# yum install epel-release
[root@testserver ~]# systemctl stop firewalld
[root@testserver ~]# systemctl disable firewalld
[root@testserver ~]# yum install iptables-services
[root@testserver ~]# systemctl start iptables
[root@testserver ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2017-08-10 16:32:11 IST; 21s ago
Process: 47654 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 47654 (code=exited, status=0/SUCCESS)
Aug 10 16:32:11 testserver.boobi.com systemd[1]: Starting IPv4 firewall with....
Aug 10 16:32:11 testserver.boobi.com iptables.init[47654]: iptables: Applying...
Aug 10 16:32:11 testserver.boobi.com systemd[1]: Started IPv4 firewall with ....
Hint: Some lines were ellipsized, use -l to show in full.
[root@testserver ~]# systemctl stop iptables
# yum install openvpn
[root@testserver ~]# cd /usr/share/doc/openvpn-2.4.3/sample/sample-config-files
[root@testserver sample-config-files]# ls
client.conf openvpn-shutdown.sh static-home.conf
firewall.sh openvpn-startup.sh static-office.conf
home.up README tls-home.conf
loopback-client roadwarrior-client.conf tls-office.conf
loopback-server roadwarrior-server.conf xinetd-client-config
office.up server.conf xinetd-server-config
[root@testserver sample-config-files]# cp server.conf /etc/openvpn/
[root@testserver sample-config-files]# cd /etc/openvpn/
[root@testserver openvpn]# ls
client server server.conf
[root@testserver openvpn]# vi server.conf
.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
.
user nobody
group nobody
[root@testserver openvpn]# yum install easy-rsa
[root@testserver openvpn]# mkdir -p /etc/openvpn/easy-rsa/keys
[root@testserver openvpn]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
[root@testserver openvpn]# ls
client easy-rsa server server.conf
[root@testserver openvpn]# cd easy-rsa/
[root@testserver easy-rsa]# ls
build-ca build-key-server list-crl sign-req
build-dh build-req openssl-0.9.6.cnf vars
build-inter build-req-pass openssl-0.9.8.cnf whichopensslcnf
build-key clean-all openssl-1.0.0.cnf
build-key-pass inherit-inter pkitool
build-key-pkcs12 keys revoke-full
[root@testserver easy-rsa]# vi vars
export KEY_COUNTRY="IN"
export KEY_PROVINCE="TN"
export KEY_CITY="Chennai"
export KEY_ORG="admin"
export KEY_EMAIL="r.boobalan@tabtree.in"
export KEY_OU="adv"
[root@testserver easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@testserver easy-rsa]# ./clean-all
[root@testserver easy-rsa]# ./build-ca
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [TN]:
Locality Name (eg, city) [Chennai]:
Organization Name (eg, company) [admin]:
Organizational Unit Name (eg, section) [adv]:
Common Name (eg, your name or your server's hostname) [admin CA]:adv-testserver
Name [EasyRSA]:
Email Address [r.boobalan@tabtree.in]:
[root@testserver easy-rsa]# ./build-key-server $( hostname )
Generating a 2048 bit RSA private key
...........................+++
..................................................................................................+++
writing new private key to 'testserver.boobi.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [TN]:
Locality Name (eg, city) [Chennai]:
Organization Name (eg, company) [admin]:
Organizational Unit Name (eg, section) [adv]:
Common Name (eg, your name or your server's hostname) [testserver.boobi.com]:
Name [EasyRSA]:
Email Address [r.boobalan@tabtree.in]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:treecare
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'TN'
localityName :PRINTABLE:'Chennai'
organizationName :PRINTABLE:'admin'
organizationalUnitName:PRINTABLE:'adv'
commonName :PRINTABLE:'testserver.boobi.com'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'r.boobalan@tabtree.in'
Certificate is to be certified until Aug 8 11:35:21 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@testserver easy-rsa]# ./build-dh
[root@testserver easy-rsa]# cd keys/
[root@testserver keys]# ls
01.pem dh2048.pem index.txt.old testserver.boobi.com.crt
ca.crt index.txt serial testserver.boobi.com.csr
ca.key index.txt.attr serial.old testserver.boobi.com.key
[root@testserver keys]# cp ca.crt testserver.boobi.com.crt testserver.boobi.com.key dh2048.pem /etc/openvpn
[root@testserver keys]# cd ..
[root@testserver easy-rsa]# cd ..
[root@testserver openvpn]# ls
ca.crt dh2048.pem server testserver.boobi.com.crt
client easy-rsa server.conf testserver.boobi.com.key
[root@testserver openvpn]# ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
[root@testserver openvpn]# vi server.conf
.
ca ca.crt
cert testserver.boobi.com.crt
key testserver.boobi.com.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh dh2048.pem
.
[root@testserver openvpn]# systemctl -f enable openvpn@server.service
Removed symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@testserver openvpn]# systemctl start openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
[root@testserver openvpn]# systemctl enable openvpn@vpnname.service
refer
videos