OpenVPN Fedora

  1. dnf install openvpn easy-rsa
  2. Copy /usr/share/easy-rsa/3 somewhere, such as a directory under /etc/openvpn/: mkdir /etc/openvpn/easy-rsa; cp -rai /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
  3. cd /etc/openvpn/easy-rsa
  4. Edit vars appropriately.
  5. ./easyrsa clean-all
  6. Before continuing, make sure the system time is correct, because certificate validity dates are taken from the system clock. Preferably, set up NTP.
  7. ./easyrsa build-ca
  8. ./easyrsa build-server-full $( hostname | cut -d. -f1 )
  9. ./easyrsa gen-dh
  10. mkdir /etc/openvpn/keys
  11. cp -ai pki/issued/$( hostname | cut -d. -f1 ).crt pki/private/$( hostname | cut -d. -f1 ).key pki/ca.crt pki/dh.pem /etc/openvpn/keys/ (easy-rsa 3 writes its output under pki/ rather than keys/)
  12. cp -ai /usr/share/doc/openvpn*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server/serverudp.conf
  13. Edit /etc/openvpn/server/serverudp.conf appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/.
  14. Fix the SELinux context of the files: restorecon -Rv /etc/openvpn
  15. (Note that 'serverudp' in the unit names in the next two steps corresponds to the configuration file name in /etc/openvpn/server, here serverudp.conf; use whatever name your configuration file has.)
  16. systemctl enable openvpn-server@serverudp.service
  17. systemctl start openvpn-server@serverudp.service
  18. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194.

Firewalld/iptables rules (eth1 is the outside interface, eth0 the LAN):

iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
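
A check for step 18, as an added example that is not part of the original page: the function reads `iptables -S` output, reports any of the rules listed above that are missing, and flags an unconditional outside-to-tun+ forward. It assumes eth1 is the outside interface and eth0 the LAN, as in the rules above; the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit `iptables -S` output
# against step 18. Assumed interface roles: eth1 = outside, eth0 = LAN.
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
VPN_PORT=${VPN_PORT:-1194}

# expect DESCRIPTION REGEX: report a rule that step 18 needs but is absent.
expect() {
    printf '%s\n' "$rules" | grep -Eq -e "$2" && return 0
    echo "MISSING: $1"
    problems=$((problems + 1))
}

# forbid DESCRIPTION REGEX: report a rule that is wider than the page intends.
forbid() {
    printf '%s\n' "$rules" | grep -Eq -e "$2" || return 0
    echo "TOO OPEN: $1"
    problems=$((problems + 1))
}

# check_vpn_rules: reads `iptables -S` text on stdin, prints findings and
# returns the number of findings (0 means the ruleset matches step 18).
check_vpn_rules() {
    rules=$(cat)
    problems=0
    expect "UDP $VPN_PORT in on $WAN_IF" \
        "^-A INPUT -i $WAN_IF -p udp (-m udp )?--dport $VPN_PORT -j ACCEPT\$"
    expect "input from tun+"   '^-A INPUT -i tun\+ -j ACCEPT$'
    expect "forward from tun+" '^-A FORWARD -i tun\+ -j ACCEPT$'
    expect "forward $LAN_IF to tun+" \
        "^-A FORWARD -i $LAN_IF -o tun\\+ -j ACCEPT\$"
    # Outside-to-VPN forwarding must stay limited to reply traffic.
    forbid "unconditional forward $WAN_IF to tun+" \
        "^-A FORWARD -i $WAN_IF -o tun\\+ -j ACCEPT\$"
    return "$problems"
}

# Constructed sample in `iptables -S` format (not captured from a real host).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-A INPUT -i eth1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i eth1 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT'
# On the server, run instead: iptables -S | check_vpn_rules
printf '%s\n' "$SAMPLE_RULES" | check_vpn_rules && echo "ruleset matches step 18"
```

Set WAN_IF, LAN_IF or VPN_PORT in the environment if your interfaces or port differ from the rules shown on this page.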