OpenVPN On CentOS 7 With CSF Easy Setup
Using a VPN in your everyday internet activity is smart, and I highly encourage people to take up this practice. A VPN encrypts the traffic between you and the VPN server, so not even your ISP can see what you are doing. Any sites you visit will see the VPN IP instead of your home IP, which is a large and important step toward keeping yourself and your information safe online. If you are a website owner for whom security is a priority, this can also greatly help you secure your site: lock down any admin sections and sensitive logins to the VPN IP. Have other people who need access? No problem, simply create a separate OpenVPN config file for each of them.
You do not need to be a Linux guru to accomplish this and it is easier than you might think!
The first step is to get yourself a VPS / cloud server. Digital Ocean is a great choice for this, and their smallest Droplet (512MB) will work perfectly. Create the Droplet in the region closest to you. Now you can log in over SSH using something like PuTTY and run the following commands:
yum update -y
Check everything that was updated, and if you see an update regarding “kernel”, go ahead and reboot the server (type “reboot”), give it a few minutes and log in again.
Install OpenVPN With Nyr’s Installer
There is a really awesome installer on GitHub, written and maintained by Nyr, that automates the entire process and makes it simple. Check it out here:
To install simply do:
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
Once it is done, log in to your server with SFTP and grab the config file. Now let’s make this VPN more secure using CSF (Config Server Firewall). CSF is a powerful and flexible firewall that makes it easy to secure your server against many different types of attacks.
yum install perl -y
yum install bind-utils -y
yum install perl-libwww-perl -y
yum install unzip -y
tar -xzf csf.tgz
Configure CSF To Play Nice With OpenVPN
We need to do a little extra work for these two to play nice.
Paste the following into that file:
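# Allow return traffic for connections that are already established
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow forwarding from the OpenVPN client subnet
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# Reject all other forwarded traffic
iptables -A FORWARD -j REJECT
# NAT VPN client traffic leaving through eth0 (change eth0 if your public interface has a different name)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Rewrite the source address of outgoing traffic to the server IP
iptables -t nat -A POSTROUTING -j SNAT --to-source 184.108.40.206
Note: replace the --to-source address in the last rule with your actual server IP. Save, exit, and restart CSF.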
Add The OpenVPN Port And Remove Others
The first option you will see is TESTING = "1". Change that to TESTING = "0".
Now scroll down until you see the port lines. Remove all ports except 22 (SSH), and add port 1194, which is the OpenVPN port assuming you went with the default setting on install. It should look like this when done:
# Allow incoming TCP ports
TCP_IN = "22,1194"
# Allow outgoing TCP ports
TCP_OUT = "22,1194"
# Allow incoming UDP ports
UDP_IN = "1194"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "1194"
Save, exit, and restart CSF. Your server is now secured from bad guys quite well.
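As an added check (not part of the original guide or of CSF itself), the script below reads a csf.conf and reports whether TESTING is still on and whether any of the four port lists contain entries beyond those shown above. The function names and the sample file are constructed for illustration; pass csf_audit the path of your own csf.conf.

```bash
#!/bin/bash
# Added example: audit a csf.conf against this guide's port policy.

# Print the value of KEY ($1) from a KEY = "value" file ($2).
csf_get() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Print the ports listed under KEY ($1) in file ($3) that are not in the
# comma-separated allowlist ($2). Runs in a subshell so IFS does not leak.
csf_extra_ports() (
    extra=""
    IFS=,
    for port in $(csf_get "$1" "$3"); do
        case ",$2," in
            *",$port,"*) ;;
            *) extra="${extra:+$extra,}$port" ;;
        esac
    done
    printf '%s\n' "$extra"
)

# Return 0 if the file matches the guide; otherwise print findings, return 1.
csf_audit() {
    rc=0
    if [ "$(csf_get TESTING "$1")" != "0" ]; then
        echo "TESTING is not 0: the firewall is still in test mode"; rc=1
    fi
    while read -r key allowed; do
        extra=$(csf_extra_ports "$key" "$allowed" "$1")
        if [ -n "$extra" ]; then
            echo "$key allows ports beyond $allowed: $extra"; rc=1
        fi
    done <<'EOF'
TCP_IN 22,1194
TCP_OUT 22,1194
UDP_IN 1194
UDP_OUT 1194
EOF
    return "$rc"
}

# Constructed sample resembling an unedited config (not from a real server).
csf_sample() {
    printf '%s\n' 'TESTING = "1"' 'TCP_IN = "20,21,22,25,53,80,443,1194"' \
        'TCP_OUT = "22,1194"' 'UDP_IN = "1194"' 'UDP_OUT = "1194,33434:33523"' > "$1"
}

demo=$(mktemp); csf_sample "$demo"; csf_audit "$demo" || true; rm -f "$demo"
```

A port range such as 33434:33523 is compared as a single entry, so it is reported unless the same range appears in the allowlist.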
I also highly recommend that you set up public/private keys and disable password authentication. This adds a great extra layer of security to your server!