Introduction
A virtual private network (VPN) encrypts all network traffic, masking users and protecting them from untrusted networks. It can provide a secure connection to a company’s network, bypass geo-restrictions, and allow you to browse the web using public Wi-Fi networks while keeping your data private.
OpenVPN is a full-featured, open-source Secure Sockets Layer (SSL) VPN solution.
In this tutorial, you will learn how to set up OpenVPN on a CentOS 7 server and connect to OpenVPN from a client machine.
Prerequisites
- A CentOS 7 or CentOS 8 server
- A user account with root access (sudo)
- Command line window/terminal access
- A domain or subdomain that resolves to your server
- A client machine from which you will connect to the OpenVPN server
Step 1: Install OpenVPN
1. Update CentOS repositories and packages by running:
yum update -y
2. You cannot download the OpenVPN package from the default CentOS repositories. However, OpenVPN is available in the Extra Packages for Enterprise Linux (EPEL) repository. To enable the EPEL repository, run the command:
yum install epel-release -y
3. Update the repositories again:
yum update -y
4. You can now install OpenVPN with the command:
yum install -y openvpn
Step 2: Install Easy RSA
The next step is to create a public key infrastructure (PKI). To do this, you must install Easy RSA, a CLI utility for creating and managing a PKI certification authority (CA).
Easy RSA helps you configure an internal certificate authority (CA) and generate SSL key pairs to secure VPN connections.
1. To download the Easy RSA package, use the wget command. If you do not have wget on your CentOS system, install it by running:
yum install -y wget
2. At the time of writing, the latest version of the CLI utility is 3.0.8, which we will download. To use another version, see the Easy RSA release page on GitHub.
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.8.tar.gz
3. Then extract the downloaded file:
tar -xf v3.0.8.tar.gz
4. Move to the openvpn directory:
cd /etc/openvpn/
5. Then, create an easy-rsa subdirectory under the path /etc/openvpn:
mkdir /etc/openvpn/easy-rsa
6. Move the contents of the extracted directory to /etc/openvpn/easy-rsa:
mv /root/easy-rsa-3.0.8/* /etc/openvpn/easy-rsa
To check if you have successfully moved everything from the easy-rsa-3.0.8 directory, go to easy-rsa with cd /etc/openvpn/easy-rsa and list the content with ls. You should see a list of files and folders, as in the image below.
Step 3: Configure OpenVPN
Once you’ve installed OpenVPN and Easy RSA, you can move on to setting up the OpenVPN server.
The instructions in this section will help you configure basic settings. You can modify them according to your needs.
Before running any of the commands, be sure to return to the root directory. To do so, type cd in the terminal window and press Enter.
1. The first step is to copy the sample server.conf file from the OpenVPN documentation directory:
cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn
If you can’t find the OpenVPN sample configuration file, browse to its location using the find command:
find / -name server.conf
2. Then, open the copied configuration file with a text editor of your choice:
vi /etc/openvpn/server.conf
The command opens the sample OpenVPN configuration file. Comments in the file begin with a hash sign # or a semicolon ;.
3. To configure the basic settings, you need to uncomment the following lines by removing the semicolon:
- topology subnet (makes the OpenVPN installation work as a subnet)
- push "redirect-gateway def1 bypass-dhcp" (instructs the client to redirect all traffic through the OpenVPN server)
- push "dhcp-option DNS 208.67.222.222" (pushes an OpenDNS resolver to the client)
- push "dhcp-option DNS 208.67.220.220" (pushes a second OpenDNS resolver to the client)
- user nobody (runs OpenVPN without privileges)
- group nobody (runs OpenVPN without privileges)
4. Then, configure a static encryption key for TLS authentication. To do this, locate the line tls-auth ta.key 0 and comment it out by adding ; in front of it. Then, add a new line under it:
tls-crypt myvpn.tlsauth
5. Save and exit the configuration file.
6. Finally, generate the static encryption key specified in the file with the command:
openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
Step 4: Generate keys and certificates
1. Create a vars configuration file using vars.example stored in the /easy-rsa/easyrsa3 directory. Go to the mentioned directory with:
cd /etc/openvpn/easy-rsa/easyrsa3
2. You can enumerate the contents by using the ls command to verify that you have the vars.example file.
3. Copy the vars.example sample file under the name vars:
cp vars.example vars
If you list the files in the directory again, you should now see a separate vars file that you can use to configure Easy RSA.
4. Open the vars file in a text editor of your choice: vi vars
5. Scroll through the file and find the lines listed below.
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
6. Uncomment the lines by deleting # and replace the defaults with your information.
7. Then, find the line that specifies the KEY_NAME and change it to "server":
export KEY_NAME="server"
8. Finally, change KEY_CN to the domain or subdomain that resolves to your server:
export KEY_CN=openvpn.yourdomain.com
9. Save and close the file.
10. Clean any previous keys before generating the certificate authority:
./easyrsa clean-all
11. Now, you can move on to creating the certificate authority with the build-ca script. Run the command:
./easyrsa build-ca
You will be prompted to set a CA key passphrase and common name for your CA.
12. Create a key and certificate for the server:
./easyrsa build-server-full server
13. Next, generate a Diffie-Hellman key exchange file by running:
./easyrsa gen-dh
14. You also need a certificate and key for each client. Build them on the server, and then copy them to the client computer.
With the following command, we create a certificate and key for client1. You can modify the command using a name of your choice.
./easyrsa build-client-full client1
15. Once you have generated the keys and certificates, copy them from pki to the openvpn directory. To do so, navigate to the pki directory by running:
cd /etc/openvpn/easy-rsa/easyrsa3/pki
You need to copy four files in total: ca.crt, dh.pem, ca.key and server.key. The first two files (ca.crt and dh.pem) are stored in the pki directory, while ca.key and server.key are in the pki/private subdirectory.
So, copy ca.crt and dh.pem to the openvpn directory first:
cp ca.crt dh.pem /etc/openvpn
Then, go to the private subdirectory and copy ca.key and server.key by running:
cd private
cp ca.key server.key /etc/openvpn
Step 5: Firewall and routing settings
Set firewall rules
1. Start by checking your active firewall zone:
firewall-cmd --get-active-zones
The result will display your firewall zone. In the following example, it is public.
2. Add the openvpn service to the list of services that the firewall allows within the zone. The zone in our example is public. If your zone is trusted, modify the command accordingly.
firewall-cmd --zone=public --add-service openvpn
3. Then make the above setting permanent by running the command:
firewall-cmd --zone=public --add-service openvpn --permanent
4. To check if the openvpn service was added, use:
firewall-cmd --list-services --zone=public
5. Next, add a masquerade to the runtime instance:
firewall-cmd --add-masquerade
6. And make it permanent:
firewall-cmd --add-masquerade --permanent
7. Verify that the masquerade was added by running:
firewall-cmd --query-masquerade
The result should answer with yes.
Configure routing
Once you have completed the steps above, proceed with routing to your OpenVPN subnet.
1. Create a variable that holds the primary network interface used by the server. In the following command, the variable is named VAR. However, you can give the variable a name of your choice.
VAR=$(ip route get 208.67.222.222 | awk 'NR==1 {print $(NF-2)}')
2. Next, permanently add the routing rule using the variable created above:
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $VAR -j MASQUERADE
3. Reload the firewall for the changes to take effect:
firewall-cmd --reload
4. Continue by enabling IP forwarding so that the server can route all web traffic from the client. Open the sysctl.conf file:
vi /etc/sysctl.conf
5. Add the following line at the top of the file:
net.ipv4.ip_forward = 1
6. Finally, restart the network service:
systemctl restart network.service
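The awk one-liner in step 1 prints the third field from the end of the ip route get output. That is the interface name only when the output ends with dev IFACE src ADDR; on systems where ip route get appends uid 0 to the line, $(NF-2) silently becomes the source address, and the MASQUERADE rule in step 2 is then installed with an IP address where an interface name belongs. The script below is an added example, not part of the original tutorial: it reads the token after dev instead, refuses to continue if no interface was found, and builds the step 2 command for review. Both ip route get output lines used in its self-check are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original tutorial: pick the egress interface
# from `ip route get` output by position of the "dev" keyword rather than by
# counting fields from the end, which breaks when "uid 0" is appended.

# Print the interface named after "dev" in one `ip route get` output line.
# Prints nothing if the line has no "dev" token (e.g. "unreachable").
iface_from_route_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The same lookup the tutorial performs (route to 208.67.222.222), using the
# robust parser. Returns non-zero instead of an empty name so "$VAR" can never
# expand to nothing inside the firewall-cmd command.
egress_iface() {
    line=$(ip route get 208.67.222.222 2>/dev/null | head -n 1) || return 1
    iface=$(iface_from_route_line "$line")
    [ -n "$iface" ] || return 1
    printf '%s\n' "$iface"
}

# Build the POSTROUTING rule from routing step 2 for a given interface, so it
# can be inspected before being run.
postrouting_rule() {
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o %s -j MASQUERADE\n' "$1"
}
```

Usage on the server: VAR=$(egress_iface) && $(postrouting_rule "$VAR"), followed by firewall-cmd --reload as in step 3. The first command fails loudly if no default route exists, instead of installing a rule with an empty -o argument.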
Step 6: Start OpenVPN
1. To start the OpenVPN service, run the command:
systemctl -f start openvpn@server.service
2. Then, enable it to start at boot by running:
systemctl -f enable openvpn@server.service
3. Verify that the service is active with:
systemctl status openvpn@server.service
The output should show that the OpenVPN service for the server is active (running).
Step 7: Set up an OpenVPN client
With everything set up on the OpenVPN server, you can configure your client machine and connect it to the server.
As mentioned in step 4, each client computer must have local copies of the CA certificate, client key, SSL certificate, and encryption key.
1. Find and copy the following files from the server to the client machine:
- /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
- /etc/openvpn/easy-rsa/easyrsa3/pki/client.crt
- /etc/openvpn/easy-rsa/easyrsa3/pki/private/client.key
- /etc/openvpn/myvpn.tlsauth
2. Next, create a configuration file for the OpenVPN client under the name client.ovpn on the client computer:
vi client.ovpn
3. Add the following content to the file:
client
tls-client
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
tls-crypt /path/to/myvpn.tlsauth
remote-cert-eku "TLS Web Server Authentication"
proto udp
remote your_server_ip 1194 udp
dev tun
topology subnet
pull
user nobody
group nobody
Be sure to replace the /path/to/ placeholders and your_server_ip with your respective values.
4. Save and close the file.
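Two things commonly go wrong at this point: a path in client.ovpn does not match where the files from step 1 were copied, and the client key or the tls-crypt key ends up world-readable after the copy. The script below is an added example, not part of the original tutorial: it writes client.ovpn from a server address and the directory holding the four copied files, then checks that every referenced file exists and that the two secret files are readable only by their owner. The server address 203.0.113.10 and the placeholder files in its self-check are constructed; remote-cert-eku is set to the server EKU, which is what a client must require of the server's certificate.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate client.ovpn from
# the files copied in Step 7 and sanity-check it before connecting.

# Write client.ovpn to $1 for server $2, referencing the files in directory $3.
write_client_ovpn() {
    out="$1"; server="$2"; dir="$3"
    cat > "$out" <<EOF
client
tls-client
ca $dir/ca.crt
cert $dir/client.crt
key $dir/client.key
tls-crypt $dir/myvpn.tlsauth
remote-cert-eku "TLS Web Server Authentication"
proto udp
remote $server 1194 udp
dev tun
topology subnet
pull
user nobody
group nobody
EOF
}

# Return 0 only if every file referenced by ca/cert/key/tls-crypt exists and
# the two secret files (key, tls-crypt) grant no group or other permissions.
check_client_ovpn() {
    conf="$1"; status=0
    for directive in ca cert key tls-crypt; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "missing directive: $directive" >&2; status=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "file not found: $path" >&2; status=1; continue
        fi
        case "$directive" in
            key|tls-crypt)
                # columns 5-10 of `ls -l` are the group and other permission bits
                perms=$(ls -ld "$path" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "$path is readable by others; run: chmod 600 $path" >&2
                    status=1
                fi
                ;;
        esac
    done
    return $status
}

# Usage: sh make-client-ovpn.sh <server_ip> <dir-with-copied-files>
if [ "$#" -eq 2 ]; then
    write_client_ovpn client.ovpn "$1" "$2" && check_client_ovpn client.ovpn
fi
```

Run it once on the client after copying the four files; a non-zero exit and the message on stderr tell you which path or permission to fix before starting the connection in step 8.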
Step 8: Connect a client to OpenVPN
Instructions on how to connect to OpenVPN differ depending on the operating system of your client machine.
For Linux users
To connect to OpenVPN, run the command:
openvpn --config /path/to/client.ovpn
For Windows users
1. First, copy the client.ovpn configuration file to the C:\Program Files\OpenVPN\config directory.
2. Download and install the OpenVPN app. You can find the latest build on the OpenVPN community downloads page. Once you’ve installed the app, launch OpenVPN.
3. Right-click the OpenVPN system tray icon and select Connect. To perform this task, you need administrative privileges.
For macOS users
You can connect to OpenVPN from a macOS system using Tunnelblick (an open-source graphical user interface for OpenVPN on OS X and macOS).
Before starting Tunnelblick, be sure to store the client.ovpn configuration file in the ~/Library/Application Support/Tunnelblick/Configurations directory.
Conclusion
After reading this article, you should have successfully configured OpenVPN on a CentOS server. Also, you should have learned how to access the OpenVPN server from a Linux, Windows, or macOS client machine.