On a Fedora or CentOS system with SELinux enabled you need to store your certificates and configuration in /etc/openvpn, otherwise SELinux blocks NetworkManager from accessing these files. There is a way of setting some SELinux booleans to allow reading them from user home directories, but for me it didn't work and I did not investigate further. I moved all files on that machine to /etc/openvpn and modified the NetworkManager configuration. Everything works like a charm now, and it is much more comfortable to configure all the details, like whether you wish to route all your traffic through that VPN connection or not.
As I wrote in an older post there is a simple solution using ssh to tunnel your web browser traffic through an ssh connection to a secure and trusted endpoint. This is a very simple solution to secure your access to the web while you are on a public wifi network or an old-fashioned cable network.
Because I got quite a lot of response to that article I decided to write this one for the people who want to secure all of their traffic, not only the web traffic.
The easiest way to do this is to use a VPN connection, which allows you to tunnel all your traffic, no matter from which application, to a secure endpoint. As I like open source for all of the security stuff, I am using OpenVPN to do this job. It's one of the most popular VPN solutions and is based on SSL/TLS.
What do we need:
- VPN Server somewhere in the internet
- OpenVPN Client on our machine (Tunnelblick for Mac or OpenVPN Gui for Windows are both free and open source)
- Some time to configure it
In my case the VPN server is a Linux box, but it can be any operating system which can run the OpenVPN server software.
In this tutorial I will not repeat every single step because the documentation of OpenVPN is very good and clear. Just follow the setup process described here to get OpenVPN installed and all necessary certificates created. Once you have OpenVPN starting with the example configuration and your certificates, you only need to modify some lines in your server.conf file to route all the traffic through the OpenVPN server. If you are running a Linux box with iptables (which you should), you need to add some rules to allow the traffic to be routed.
On CentOS install it via yum:
yum install -y openvpn
The example configuration files and the easy-rsa directory are located here: /usr/share/docs/openvpn-2.2.0/
Copy the easy-rsa directory to /etc/openvpn and make the shell scripts executable:
cp -a /usr/share/docs/openvpn-2.2.0/easy-rsa /etc/openvpn
chmod +x /etc/openvpn/easy-rsa/2.0/build* /etc/openvpn/easy-rsa/2.0/pkitool \
  /etc/openvpn/easy-rsa/2.0/vars /etc/openvpn/easy-rsa/2.0/clean-all \
  /etc/openvpn/easy-rsa/2.0/revoke-full /etc/openvpn/easy-rsa/2.0/sign-req \
  /etc/openvpn/easy-rsa/2.0/whichopensslcnf
Now follow the instructions here:
If you have OpenVPN up and running but you can't establish a connection from your client, please check whether the configured port is open on your server. If you have a custom iptables script you need to open the port you are using for OpenVPN, for example the default UDP port 1194.
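The two server-side pieces the post only mentions (the server.conf lines that send all client traffic through the tunnel, and the iptables rules that open the OpenVPN port and forward/NAT the tunnel traffic) as one added example. This is my own script, not the post's or the OpenVPN project's code. It assumes the values from OpenVPN's sample server.conf and a typical box: VPN subnet 10.8.0.0/24 with the server at 10.8.0.1 on tun0, public interface eth0, UDP port 1194; adjust the variables at the top if your setup differs. Run it with `show` to print what it would do, and with `apply` as root to actually add the rules.

```shell
#!/bin/sh
# Added example: route all OpenVPN client traffic through the server.
# Assumptions (not stated in the post): tun0, 10.8.0.0/24, eth0, UDP 1194.
VPN_NET="10.8.0.0/24"   # subnet from "server 10.8.0.0 255.255.255.0" in server.conf
VPN_DNS="10.8.0.1"      # the server's own tunnel address, used as resolver
WAN_IF="eth0"           # interface with the public address
TUN_IF="tun0"           # OpenVPN tunnel interface
VPN_PORT="1194"         # must match "port" in server.conf

# Directives to append to /etc/openvpn/server.conf.
# redirect-gateway makes the client send everything through the tunnel;
# pushing a DNS server keeps name lookups inside the tunnel as well, so
# the client does not leak queries to the hotspot's resolver.
server_conf_directives() {
    cat <<EOF
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $VPN_DNS"
EOF
}

# Kernel and iptables changes: enable forwarding, accept the OpenVPN port,
# forward tunnel traffic out and replies back in, and NAT it behind WAN_IF.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p udp --dport $VPN_PORT -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Quick check used before applying: is forwarding already on?
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Execute each rule line, echoing it first so the change is visible in the log.
apply_rules() {
    if forwarding_enabled; then
        echo "note: ip_forward is already 1"
    fi
    nat_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-}" in
    show)
        echo "# append to /etc/openvpn/server.conf:"
        server_conf_directives
        echo "# run as root:"
        nat_rules
        ;;
    apply)
        apply_rules
        ;;
esac
```

The rules are appended with `-A`, so if your custom iptables script ends with a DROP policy or a final REJECT rule, place these lines before it; and persist them (for example with `service iptables save` on CentOS) so they survive a reboot. Remember to restart OpenVPN after changing server.conf, because pushed options are only sent to clients at connect time.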