29.12.2024

Setting Up an OpenVPN Server on Fedora

OpenVPN is a powerful, open-source VPN solution that provides secure connections over the internet. Setting up an OpenVPN server on Fedora enhances your network's security and allows for safe remote access. This guide will walk you through the process of installing and configuring OpenVPN on a Fedora system.

Prerequisites

Before you begin, ensure you have:

  • A Fedora system with administrative (root) privileges.

  • An internet connection.

  • Basic knowledge of command-line operations.

Step 1: Install Necessary Packages

First, update your system and install the required packages:

sudo dnf update -y
sudo dnf install -y openvpn easy-rsa firewalld zip

These commands update the system and install OpenVPN, Easy-RSA (for certificate management), Firewalld (for firewall management), and Zip (for compressing files).

Step 2: Set Up Easy-RSA for Certificate Management

Create the necessary directories and copy Easy-RSA files:

sudo mkdir -p /etc/openvpn/easy-rsa/keys
sudo cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
sudo cp /etc/openvpn/easy-rsa/openssl-easyrsa.cnf /etc/openvpn/easy-rsa/openssl.cnf

Navigate to the Easy-RSA directory and initialize the Public Key Infrastructure (PKI):

cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki

Step 3: Generate Certificates and Keys

Set the certificate variables by editing the vars file:

sudo nano /etc/openvpn/easy-rsa/vars

Update the following lines with your organization's information:

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "California"
set_var EASYRSA_REQ_CITY       "San Francisco"
set_var EASYRSA_REQ_ORG        "MyOrg"
set_var EASYRSA_REQ_EMAIL      "[email protected]"
set_var EASYRSA_REQ_OU         "MyOrgUnit"

Save and exit the editor. Then, build the Certificate Authority (CA):

sudo ./easyrsa build-ca

You'll be prompted to enter a passphrase for the CA.

Next, generate the server certificate and key:

sudo ./easyrsa build-server-full server nopass

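The nopass option creates the private key without a passphrase, so the server can start unattended. The key file is stored unencrypted and is protected only by its file permissions.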

Generate Diffie-Hellman parameters:

sudo ./easyrsa gen-dh

Generate a Certificate Revocation List (CRL):

sudo ./easyrsa gen-crl

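Create a static TLS authentication key, which the tls-auth directive uses to sign control-channel packets with an HMAC (on OpenVPN releases older than 2.5, use --genkey --secret instead):

sudo openvpn --genkey secret /etc/openvpn/easy-rsa/pki/ta.key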

Copy the generated files to the OpenVPN server directory:

sudo cp /etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,crl.pem,ta.key,issued/server.crt,private/server.key} /etc/openvpn/server/
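An added check for the files copied above, not part of the original guide: it flags private key material that is accessible to group or other, and a crl.pem that the server could not re-read once it drops to an unprivileged user. It assumes GNU or BusyBox stat; the scratch directory and its file modes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the files Step 3 copies
# into the server directory. Uses `stat -c %a` (octal mode, GNU/BusyBox).

# audit_server_dir DIR: prints one finding per line, returns 1 if any finding.
audit_server_dir() {
    dir=$1; rc=0
    # Secrets: the server's TLS private key and the static HMAC key.
    for f in server.key ta.key; do
        mode=$(stat -c %a "$dir/$f" 2>/dev/null) || mode=""
        case "$mode" in
            "")  echo "$f: missing"; rc=1 ;;
            *00) ;;                                  # owner-only access
            *)   echo "$f: mode $mode, expected 600"; rc=1 ;;
        esac
    done
    # The CRL is public, but crl-verify re-reads it on every client connection,
    # i.e. after the daemon has switched to the unprivileged user.
    mode=$(stat -c %a "$dir/crl.pem" 2>/dev/null) || mode=""
    case "$mode" in
        "")      echo "crl.pem: missing"; rc=1 ;;
        *[4567]) ;;                                  # world-readable
        *)       echo "crl.pem: mode $mode, not readable after privilege drop"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: a scratch directory standing in for /etc/openvpn/server.
demo=$(mktemp -d)
touch "$demo/server.key" "$demo/ta.key" "$demo/crl.pem"
chmod 644 "$demo/server.key"; chmod 600 "$demo/ta.key" "$demo/crl.pem"
audit_server_dir "$demo" || echo "-> chmod 600 the keys, chmod 644 crl.pem"
rm -rf "$demo"
```

On the real server, run it as root with /etc/openvpn/server as the argument.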

Step 4: Configure the OpenVPN Server

Create and edit the OpenVPN server configuration file:

sudo nano /etc/openvpn/server/server.conf

Add the following configuration, choosing an appropriate port (e.g., 1194):

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
tls-auth /etc/openvpn/server/ta.key 0
# Must match the client's "auth" setting; it also selects the tls-auth HMAC digest
auth SHA256
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3

Save and exit the editor.

Step 5: Configure Firewall and Enable IP Forwarding

Start and enable Firewalld:

sudo systemctl enable --now firewalld

Allow traffic on the OpenVPN port and enable masquerading:

sudo firewall-cmd --permanent --add-port=1194/udp
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

Enable IP forwarding by editing the sysctl.conf file:

sudo nano /etc/sysctl.conf

Add the following line:

net.ipv4.ip_forward = 1

Save and exit, then apply the changes:

sudo sysctl -p

Step 6: Start and Enable the OpenVPN Service

Enable and start the OpenVPN service:

sudo systemctl enable --now openvpn-server@server

Check the status to ensure it's running:

sudo systemctl status openvpn-server@server

Step 7: Create Client Certificates and Configuration

Generate a client certificate and key:

cd /etc/openvpn/easy-rsa
sudo ./easyrsa build-client-full client1 nopass

Create a directory to store the client files:

mkdir -p ~/client-configs/keys

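Copy the necessary files, then give your user ownership of the copies so they can be bundled later:

sudo cp /etc/openvpn/easy-rsa/pki/{ca.crt,issued/client1.crt,private/client1.key,ta.key} ~/client-configs/keys/
sudo chown -R "$USER" ~/client-configs/keys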

Create a client configuration file:

nano ~/client-configs/client1.ovpn

Add the following configuration, replacing your_server_ip with your server's IP address:

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
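A consistency check between this profile and the server configuration from Step 4, added here as an example and not part of the original guide. It compares the directives both ends must agree on (proto, port, auth, tls-auth key direction); the sample files are constructed and the host name vpn.example.test is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original guide: compare the directives that
# must agree between an OpenVPN server config and a client profile.

# get_opt FILE DIRECTIVE DEFAULT: arguments of the first matching line.
get_opt() {
    awk -v k="$2" -v d="$3" '
        $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; hit = 1; exit }
        END     { if (!hit) print d }' "$1"
}

# nth N STRING: whitespace-separated field N of STRING.
nth() { printf '%s\n' "$2" | awk -v n="$1" '{ print $n }'; }

# check_pair SERVER_CONF CLIENT_OVPN: one line per mismatch, returns 1 if any.
check_pair() {
    srv=$1; cli=$2; rc=0
    s=$(get_opt "$srv" proto udp); c=$(get_opt "$cli" proto udp)
    [ "$s" = "$c" ] || { echo "proto: server=$s client=$c"; rc=1; }

    s=$(get_opt "$srv" port 1194); c=$(nth 2 "$(get_opt "$cli" remote '')")
    [ "$s" = "${c:-1194}" ] || { echo "port: server=$s client=${c:-1194}"; rc=1; }

    # --auth also selects the HMAC used by tls-auth; OpenVPN defaults to SHA1.
    s=$(get_opt "$srv" auth SHA1 | tr a-z A-Z)
    c=$(get_opt "$cli" auth SHA1 | tr a-z A-Z)
    [ "$s" = "$c" ] || { echo "auth: server=$s client=$c"; rc=1; }

    # Key direction must be complementary: 0 on the server, 1 on the client.
    s=$(nth 2 "$(get_opt "$srv" tls-auth '')")
    c=$(nth 2 "$(get_opt "$cli" tls-auth '')")
    [ "$s/$c" = "0/1" ] || { echo "tls-auth direction: server=${s:-unset} client=${c:-unset}"; rc=1; }
    return $rc
}

# Constructed sample files, trimmed to the directives being compared.
demo_dir=$(mktemp -d)
printf '%s\n' 'port 1194' 'proto udp' \
    'tls-auth /etc/openvpn/server/ta.key 0' > "$demo_dir/server.conf"
printf '%s\n' 'client' 'proto udp' 'remote vpn.example.test 1194' \
    'tls-auth ta.key 1' 'auth SHA256' > "$demo_dir/client1.ovpn"
check_pair "$demo_dir/server.conf" "$demo_dir/client1.ovpn" \
    || echo "-> resolve the mismatches above before distributing the profile"
```

The sample server file sets no auth directive, so the check reports SHA1 against the client's SHA256; with tls-auth enabled that difference makes the server reject the client's handshake packets.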

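Save the file. Bundle the configuration and this client's keys into a zip file for distribution. The -j option stores the files without directory paths, so the relative ca, cert, key and tls-auth paths in client1.ovpn resolve once the archive is unpacked into a single directory (run zip with sudo if the key files are still owned by root):

cd ~/client-configs && zip -j client1.zip client1.ovpn keys/ca.crt keys/client1.crt keys/client1.key keys/ta.key

Distribute this zip file to your client devices and import the configuration using an OpenVPN client. The archive contains the client's unencrypted private key, so transfer it over an encrypted channel such as scp.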
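Going one step beyond the zip bundle, this added example (not from the original guide) embeds the CA certificate, client certificate, private key and tls-auth key in a single .ovpn file using OpenVPN's inline blocks. The function names and the placeholder key files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: build one self-contained
# profile instead of a zip of loose key files.

# emit TAG FILE: wrap the armored block of FILE in an inline <TAG> section.
emit() {
    printf '<%s>\n' "$1"
    # Keep only BEGIN..END; Easy-RSA's issued/*.crt starts with a text dump.
    sed -n '/^-----BEGIN /,/^-----END /p' "$2"
    printf '</%s>\n' "$1"
}

# make_inline BASE_OVPN KEYS_DIR NAME: unified profile on stdout,
# returns 1 if any input file is unreadable.
make_inline() {
    base=$1; keys=$2; name=$3
    for f in "$base" "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$keys/ta.key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # Drop the file-based directives; the inline sections replace them.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base"
    echo 'key-direction 1'      # replaces the "1" argument of tls-auth
    emit ca       "$keys/ca.crt"
    emit cert     "$keys/$name.crt"
    emit key      "$keys/$name.key"
    emit tls-auth "$keys/ta.key"
}

# Constructed placeholder inputs (not real key material).
demo=$(mktemp -d)
printf '%s\n' client 'remote your_server_ip 1194' 'ca ca.crt' 'cert client1.crt' \
    'key client1.key' 'tls-auth ta.key 1' 'auth SHA256' > "$demo/client1.ovpn"
for f in ca.crt client1.crt client1.key ta.key; do
    printf '%s\n' "text dump of $f" '-----BEGIN PLACEHOLDER-----' "body-$f" \
        '-----END PLACEHOLDER-----' > "$demo/$f"
done
# The result contains the private key: create it readable by the owner only.
( umask 077; make_inline "$demo/client1.ovpn" "$demo" client1 > "$demo/client1-inline.ovpn" )
```

With the files from this step, the call would be make_inline ~/client-configs/client1.ovpn ~/client-configs/keys client1, run as a user that can read the key files.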


Conclusion

Setting up OpenVPN on Fedora provides secure and reliable VPN access for your network. By following this guide, you’ve learned how to install, configure, and manage an OpenVPN server. Don't forget to keep your setup secure with regular updates and monitoring. For advanced system reliability, consider integrating Akmatori into your operations.