How to Setup OpenVPN Server on Linux CentOS 7
Understanding CentOS
Each variety of Linux packages different software together and is built upon some variation of the Linux kernel. Furthermore, each flavor is conditionally suited for different types of environments. CentOS seeks to position itself as an enterprise-class operating system, opposed to other operating systems that are more appropriate for personal home use.
Also, you should know that CentOS has roots in RHEL (Red Hat Enterprise Linux). Though it is much younger than its predecessor, CentOS is a great operating system that has developed into an extremely popular, stable, and secure platform with tons of quality software. In fact, in 2010, approximately 30 percent of all web servers using Linux software were running CentOS. It was even more popular than Debian, which is a much older operating system from another branch of Linux.
Fortunately, even if you know little about CentOS, it’s not too difficult to setup your very own OpenVPN server for free. After you have downloaded and installed CentOS, simply use the following steps to setup your server. In this example, I used the latest version of CentOS (version 7).
Installing the OpenVPN Software on CentOS
The first thing you will want to do before installing and configuring OpenVPN on CentOS is to download and install the Extra Packages for Enterprise Linux (EPEL). The OpenVPN software isn’t included by default on CentOS, so we need to download this package to access it.
- yum install epel-release
Without a detailed knowledge of all the different packages, you are better off entering a ‘y’ for all of the installation options. If you know what you are doing, you can get away without installing packages that you deem unnecessary. Now, simply install the package.
- yum install openvpn easy-rsa -y
Note the space after the ‘rsa’ text. Copy the server.conf file to be used as a template for our installation.
- cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Open the following file with the vi text editor and change the Diffie-Hellman (DH) parameter to 2048:
- vi /etc/openvpn/server.conf
- dh dh2048.pem
Configuring DNS Servers
Now, use the following 3 commands to redirect DNS requests through the tunnel and set the DNS servers to Google DNS:
- push “redirect-gateway def1 bypass-dhcp”
- push “dhcp-option DNS 8.8.8.8”
- push “dhcp-option DNS 8.8.4.4”
Setting Default Parameters
Next, use the following two commands to start the client without privileges by default.
- user nobody
- group nobody
Now you will want to create a directory (folder) to copy the keys and certificates to:
- mkdir -p /etc/openvpn/easy-rsa/keys
- cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
To make things less challenging, we will want to set default values in the following file. Edit the default information as pertains to your personal use or for your organization. Update the fields enclosed in quotations as you see fit:
- vi /etc/openvpn/easy-rsa/vars
- export KEY_COUNTRY=”____”
- export KEY_PROVINCE=”____”
- export KEY_CITY=”____”
- export KEY_ORG=”____”
- export KEY_EMAIL=”PeterGibbons@example.com”
- export KEY_OU=”Community”
- # X509 Subject Field
- export KEY_NAME=”server”
Next, we are going to remove the version number from a configuration file to prevent our configuration from not loading due to an undetectable version number. We will simply copy the file with a new name. Use the following commands:
- cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Generating Keys
Now change your current working directory as follows to begin generating the keys.
- cd /etc/openvpn/easy-rsa
- source ./vars
Now we need to clean out any existing keys and build new ones with the following commands. Notice that you are given another opportunity to change any information that you had set as the default earlier. However, you will want to manually edit the defaults in a text editor to save time if you are building multiple keys.
- ./clean-all
- ./build-ca
It is now time to build the server’s key and certificate that will be used to encrypt/decrypt traffic and establish trust.
- ./build-key-server server
- ./build-dh
Be prepared to wait. As the shell suggests, this is going to take a (relatively) long time. After that has been completed, copy the keys and certificates to the OpenVPN directory:
- cd /etc/openvpn/easy-rsa/keys
- cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
If you want, you can generate separate keys and certificates for each client that connects to the VPN server. For this example, though, we will only create them for a user named ‘client.’
- cd /etc/openvpn/easy-rsa
- ./build-key client
Configuring IP Forwarding
Now we need to setup forwarding rules. Start by ensuring that IPTables is installed and enabled:
- yum install iptables-services -y
- systemctl mask firewalld
- systemctl enable iptables
- systemctl stop firewalld
- systemctl start iptables
- iptables –flush
Be sure to add the following configuration to ensure that our traffic is forwarded. Remember to substitute whichever subnet you have chosen for your VPN.
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
- iptables-save > /etc/sysconfig/iptables
Open the following file in a text editor and add the code as shown below. This will enable IP forwarding.
- vi /etc/sysctl.conf
- ipv4.ip_forward = 1
Now restart the service to update our changes.
- systemctl restart network.service
Running the Server Software
Finally, we are ready to run our software. Add the VPN service to systemctl and start the service.
- systemctl -f enable openvpn@server.service
- systemctl start openvpn@server.service
The server is now configured and running. All that’s left to do is to install the client on the device you want to connect to the VPN server. Also, understand that your client machines will need a copy of the following three files in order to establish a VPN tunnel:
- /etc/openvpn/easy-rsa/keys/ca.crt
- /etc/openvpn/easy-rsa/keys/client.crt
- /etc/openvpn/easy-rsa/keys/client.key
Additionally, you will want to configure the following file to setup parameters for client connections:
- openvpn –config ~/path/to/client.ovpn
You can create this file with your favorite text editor. Be sure to add the following text. In particular, you will want to edit the name of your keys and certificates (in this example, they are named client), update the IP address of your server, as well as update the file paths to your keys and certificates. If you created additional keys, simply substitute the characters in bold with the path and name of your keys.
- client
- dev tun
- proto udp
- remote your_server_ip 1194
- resolv-retry infinite
- nobind
- persist-key
- persist-tun
- comp-lzo
- verb 3
- ca /path/to/ca.crt
- cert /path/to/client.crt
- key /path/to/client.key
Lastly, you will want to configure your clients with the client software. The process for that largely depends on your operating system, but by now the server is ready to accept client connections. I hope this guide has facilitated your task of setting up OpenVPN on CentOS 7, but if you have any questions, please comment below and I will do my best to answer them.
I don’t want to be nag about a little detail but the CentOS logo you used in your article is wrong the blue part in the upper right should be violet. I know it’s not important in this article but your image shows up pretty high in the google results for centos logo and thus could be easily spread with the error
Sorry about that, never even noticed but we agree! fixed
The only setp-by-step tutorial on this that has worked for me! Thank you very much.