Note: Liferay has renamed its Liferay Experience
Cloud offerings to Liferay SaaS (formerly LXC) and
Liferay PaaS (formerly LXC-SM).
Issue
- This article details the installation and configuration steps for a running OpenVPN server that you can integrate with the VPN feature of your Liferay SaaS environment.
Environment
- Liferay SaaS
- Any Liferay DXP version
Basic Setup for an OpenVPN Server (CentOS/RHEL 7/8)
Follow these steps if using an OpenVPN server:
1. Create a ~/server.conf file with the following values:
port 1194
proto udp
dev tun
server 10.10.20.0 255.255.255.0
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
auth SHA256
compress lz4-v2
push "compress lz4-v2"
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
verify-client-cert none
persist-key
persist-tun
explicit-exit-notify 1
status openvpn-status.log
log-append /var/log/openvpn.log
verb 7
2. Install the necessary dependencies:
sudo yum install epel-release
sudo yum install -y openvpn easy-rsa
mkdir ~/openvpn-ca
ln -s /usr/share/easy-rsa/3/* ~/openvpn-ca/
cd ~/openvpn-ca
3. Create a file ~/openvpn-ca/vars with the following values (the easy-rsa 3 package installed in step 2 reads the set_var syntax; the older "export KEY_*" form from easy-rsa 2 is ignored by it):
set_var EASYRSA_REQ_COUNTRY   "US"
set_var EASYRSA_REQ_PROVINCE  "CA"
set_var EASYRSA_REQ_CITY      "SanFrancisco"
set_var EASYRSA_REQ_ORG       "Fort-Funston"
set_var EASYRSA_REQ_EMAIL     "me@myhost.mydomain"
set_var EASYRSA_REQ_OU        "MyOrganizationalUnit"
set_var EASYRSA_KEY_SIZE      2048
set_var EASYRSA_CA_EXPIRE     3650
set_var EASYRSA_CERT_EXPIRE   3650
4. Set up the certificates and keys (gen-crl produces the pki/crl.pem that the last copy below expects):
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
./easyrsa gen-crl
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/issued/server.crt /etc/openvpn/server/
sudo cp pki/private/server.key /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/crl.pem /etc/openvpn/server/
5. Use the OpenVPN server.conf file from above:
sudo cp ~/server.conf /etc/openvpn/server/
6. Configure the OS kernel to forward IPv4 traffic:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
7. Configure the OS firewall. SERVERIF holds the name of the interface that carries the default route (the -o argument of the MASQUERADE rule takes an interface name, not an address), and the -s network is the VPN subnet from the server line of server.conf:
sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
sudo firewall-cmd --permanent --add-masquerade
SERVERIF=$(ip route get 1.1.1.1 | awk 'NR==1 {for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1)}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.10.20.0/24 -o "$SERVERIF" -j MASQUERADE
sudo firewall-cmd --reload
8. Start the VPN server service and set it to start automatically at boot:
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server
9. Create the OS user to be used for authentication on the VPN.
sudo adduser myuser
sudo passwd myuser
The OpenVPN server has been configured.
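The following script is an added example and not part of the Liferay article. It is a pre-start check for the server.conf assembled in steps 1 to 5: every file the config references must exist and be readable (a path such as /etc/openvpn/keys/dh.pem, which step 4 never populates, is caught here), the private key must not be world-readable, and verify-client-cert none must be paired with a credential check, since without the PAM plugin any client holding ca.crt could connect unauthenticated. The function and helper names are the example's own.

```shell
#!/bin/sh
# Pre-start sanity check for the server.conf from steps 1-5. Every file the
# config references must exist and be readable, the private key must not be
# world-readable, and "verify-client-cert none" must be paired with a
# credential check (the PAM plugin or auth-user-pass-verify), since without one
# any client that holds ca.crt can connect. Returns 0 when clean, 1 otherwise.

# Value of a single-valued directive (first match; "#"/";" comments skipped).
conf_get() {  # $1 = conf file, $2 = directive name
    awk -v d="$2" '$1 !~ /^[#;]/ && $1 == d { print $2; exit }' "$1"
}

# Resolve a relative path against the config's directory, which is how the
# openvpn-server@ unit treats it (WorkingDirectory=/etc/openvpn/server).
resolve() {  # $1 = conf file, $2 = path from the config
    case "$2" in /*) echo "$2" ;; *) echo "$(dirname "$1")/$2" ;; esac
}

check_openvpn_conf() {  # $1 = path to server.conf
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # 1. File-valued directives (plugin's first argument is the .so path).
    for directive in ca cert key dh crl-verify plugin; do
        value=$(conf_get "$conf" "$directive")
        [ -n "$value" ] || continue
        path=$(resolve "$conf" "$value")
        [ -r "$path" ] || { echo "$directive -> $path missing or unreadable"; rc=1; }
    done

    # 2. server.key must not carry the "other: read" bit (octal 004).
    key=$(conf_get "$conf" key)
    if [ -n "$key" ]; then
        key=$(resolve "$conf" "$key")
        if [ -r "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
            echo "key $key is world-readable; chmod 600 it"; rc=1
        fi
    fi

    # 3. Password-only mode still needs something to verify the password.
    if [ "$(conf_get "$conf" verify-client-cert)" = none ] &&
       [ -z "$(conf_get "$conf" plugin)" ] &&
       [ -z "$(conf_get "$conf" auth-user-pass-verify)" ]; then
        echo "verify-client-cert none with no plugin/auth-user-pass-verify"; rc=1
    fi
    return $rc
}
```

Run it as root before step 8, for example with check_openvpn_conf /etc/openvpn/server/server.conf && systemctl start openvpn-server@server, so the service is only started when the check passes.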
Additional Information