Minimalistic hardened and convenient self-contained provisioning of a VPN gateway, with client certificate management and a DNS proxy for CentOS.
- On the physical host, enable VPN port forwarding (default 1194/udp) to the VM running the gateway. This may require some ad-hoc changes, assuming that virtualisation frameworks do their own firewall management.
- Running in a dedicated VM
- Centos 7.5+
- OpenVPN as foundation
- UDP for less overhead (encapsulated protocol is TCP most of the time, anyway)
- Systemd service management (one service, not a template, for simplicity)
- Firewalld instead of iptables
- DNS proxy (dnsmasq) to provide host names from internal networks (from /etc/hosts or internal DNS)
- Self-managed CA, co-located at gateway
- Client certificates managed by EasyRSA
- Safe ciphers by default
- HMAC firewall for additional security
$ cd /etc/openvpn/ca
$ ./make_client_ovpn <client_id> > <client_id>.ovpn
- Integrating LDAP/PAM auth for external user registries/CAs
- Identity management with freeipa