Tuesday 19 May 2015

OpenVPN - Point-to-Point VPN using SSL/TLS mode in RHEL7

OpenVPN has 2 authentication modes:
1) Static Key Mode: uses a pre-shared key for authentication. A pre-shared key is generated and shared between both OpenVPN peers.

2) TLS/SSL mode: uses digital certificates for authentication and key exchange. An SSL session is established with both client and server authenticating each other with digital certificates.

In this tutorial, we will establish a point-to-point VPN tunnel using TLS/SSL mode, between two hosts:
Server: 192.168.3.2
Client:  192.168.3.1

The tunnel endpoints will be as follows:
Server: 10.8.0.2
Client:  10.8.0.1  

The VPN tunnel endpoints represent a secure alternate path between the two hosts. For example, from the client you can 'telnet' to the server over the VPN by using the server's tunnel endpoint address, as shown below:
telnet 10.8.0.2

Or, you can 'telnet' directly to the server, bypassing the tunnel, by using the server's IP address, as shown below:
telnet 192.168.3.2

NOTE: Ensure that the addresses you use for the tunnel endpoints are not part of any subnet already configured on either machine.
 
In this tutorial, we use the sample keys and certificates from the directory '/usr/share/doc/openvpn-2.3.6/sample/sample-keys/'. These files ship with every OpenVPN package and their private keys are public, so they are only suitable for this demonstration; for a real deployment generate your own CA, certificates and DH parameters.

Server Configuration: (192.168.3.2)

1) Install EPEL Repository
[root@zserver1 ~]# yum install epel-release

2) Install packages
[root@zserver1 ~]# yum --disablerepo=\* --enablerepo=epel install openvpn

3) Files needed on the server. The sample files are taken from the directory '/usr/share/doc/openvpn-2.3.6/sample/sample-keys/':
a) CA's certificate (ca.crt)
b) Server's Certificate (server.crt)
c) Server's Private Key (server.key)
d) Diffie-Hellman Parameters (dh2048.pem)

4) Create the server config file '/etc/openvpn/server.conf'. Add the following entries.
dev tun
ifconfig 10.8.0.2 10.8.0.1
tls-server
dh /usr/share/doc/openvpn-2.3.6/sample/sample-keys/dh2048.pem
ca /usr/share/doc/openvpn-2.3.6/sample/sample-keys/ca.crt
cert /usr/share/doc/openvpn-2.3.6/sample/sample-keys/server.crt
key /usr/share/doc/openvpn-2.3.6/sample/sample-keys/server.key


5) Start the VPN server
[root@zserver1 openvpn]# systemctl start openvpn@server.service

6) Configure the firewall. Open UDP port 1194 and enable the virtual device 'tun0'.
[root@zserver1 openvpn]# firewall-cmd --zone=public --add-port=1194/udp --permanent
[root@zserver1 openvpn]# firewall-cmd --zone=public --add-interface=tun0 --permanent
[root@zserver1 openvpn]# firewall-cmd --reload


Client Configuration: (192.168.3.1)

1) Install EPEL Repository
[root@meru ~]# yum install epel-release

2) Install packages
[root@meru ~]# yum --disablerepo=\* --enablerepo=epel install openvpn

3) Files needed on the client. The sample files are taken from the directory '/usr/share/doc/openvpn-2.3.6/sample/sample-keys/':
a) CA's certificate (ca.crt)
b) Client's Certificate (client.crt)
c) Client's Private Key (client.key)

4) Create the client config file '/etc/openvpn/client.conf'. Add the following entries.
remote 192.168.3.2
dev tun
ifconfig 10.8.0.1 10.8.0.2
tls-client
ca /usr/share/doc/openvpn-2.3.6/sample/sample-keys/ca.crt
cert /usr/share/doc/openvpn-2.3.6/sample/sample-keys/client.crt
key /usr/share/doc/openvpn-2.3.6/sample/sample-keys/client.key


5) Connect to the VPN server (this runs in the foreground)
[root@meru ~]# openvpn --config /etc/openvpn/client.conf

6) Open another terminal window and configure the firewall. Enable the virtual device 'tun0'.
[root@meru ~]# firewall-cmd --zone=public --add-interface=tun0 --permanent
[root@meru ~]# firewall-cmd --reload

7) To test the VPN, ping 10.8.0.2 from the client and 10.8.0.1 from the server.
[root@meru ~]# ping 10.8.0.2
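The two config files above must mirror each other: the 'ifconfig' addresses are swapped, one side is tls-server and the other tls-client, only the client carries a 'remote' line, and every ca/cert/key/dh path must exist on its host. The following pre-flight script is an added example, not part of the original post; it writes the post's two configs into a temporary directory with empty placeholder files standing in for the sample keys (an assumption made so it runs anywhere) and checks the pair before either side is started.

```shell
#!/bin/sh
# Pre-flight check for a point-to-point OpenVPN pair: a copied instead of
# mirrored 'ifconfig' line or a wrong tls-* mode brings the tunnel up with
# the wrong addresses or not at all, so catch it before starting openvpn.

conf_value() {                       # print the arguments of directive $2 in file $1
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

check_pair() {                       # usage: check_pair server.conf client.conf
    srv=$1; cli=$2; ok=0
    set -- $(conf_value "$srv" ifconfig); s_local=$1; s_remote=$2
    set -- $(conf_value "$cli" ifconfig); c_local=$1; c_remote=$2
    if [ "$s_local" != "$c_remote" ] || [ "$s_remote" != "$c_local" ]; then
        echo "ifconfig mismatch: server '$s_local $s_remote' vs client '$c_local $c_remote'"
        ok=1
    fi
    if ! grep -q '^tls-server' "$srv" || ! grep -q '^tls-client' "$cli"; then
        echo "expected tls-server in $srv and tls-client in $cli"; ok=1
    fi
    [ -n "$(conf_value "$cli" remote)" ] || { echo "$cli: no 'remote' line"; ok=1; }
    for f in "$srv" "$cli"; do       # every referenced PKI file must be readable
        for p in $(awk '$1 ~ /^(ca|cert|key|dh)$/ { print $2 }' "$f"); do
            [ -r "$p" ] || { echo "$f: '$p' missing or unreadable"; ok=1; }
        done
    done
    return $ok
}

make_demo_pair() {                   # writes the post's two configs into a temp dir
    d=$(mktemp -d); k=$d/keys; mkdir "$k"   # empty placeholders stand in for the sample keys
    touch "$k/ca.crt" "$k/server.crt" "$k/server.key" "$k/dh2048.pem" "$k/client.crt" "$k/client.key"
    printf 'dev tun\nifconfig 10.8.0.2 10.8.0.1\ntls-server\ndh %s\nca %s\ncert %s\nkey %s\n' \
        "$k/dh2048.pem" "$k/ca.crt" "$k/server.crt" "$k/server.key" > "$d/server.conf"
    printf 'remote 192.168.3.2\ndev tun\nifconfig 10.8.0.1 10.8.0.2\ntls-client\nca %s\ncert %s\nkey %s\n' \
        "$k/ca.crt" "$k/client.crt" "$k/client.key" > "$d/client.conf"
    echo "$d"
}

d=$(make_demo_pair)
check_pair "$d/server.conf" "$d/client.conf" && echo "pair OK"
# A client whose ifconfig line was copied from the server rather than mirrored is caught:
sed 's/^ifconfig .*/ifconfig 10.8.0.2 10.8.0.1/' "$d/client.conf" > "$d/bad.conf"
check_pair "$d/server.conf" "$d/bad.conf" || echo "bad pair rejected"
```

Run it against the real /etc/openvpn/server.conf and client.conf (copied to one host) before step 5 on each side.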
