In this tutorial we are going to learn how to install OpenVPN on CentOS 7, including installing and configuring its prerequisites. OpenVPN is one of the most popular VPN packages; it implements virtual private networking for creating protected point-to-point or site-to-site connections. OpenVPN was first published in 2001 and has become a favorite VPN solution across many platforms and device types: it runs on Windows, Mac OS X, iOS, Android and most Linux distributions. It has also been ported to and improved for various router firmware implementations.
I recommend a minimal CentOS server setup as the basis for this tutorial. That can be a virtual or root server image with a CentOS 7 minimal install from a web hosting company, or you can use our minimal server tutorial to install a server from scratch.
Install OpenVPN on CentOS 7
Step 1. First, make sure your system and its yum package repositories are fully up to date. Enable the EPEL repository (which provides the OpenVPN packages) and update:
yum -y install epel-release
yum -y update
Step 2. Installing OpenVPN on CentOS 7.
First, install OpenVPN and EasyRSA (a small key management package for use with OpenVPN) for generating RSA keys:
yum install openvpn easy-rsa -y
Step 3. Configuring OpenVPN.
OpenVPN ships a couple of example configuration files in its documentation directory. You can copy the sample ‘server.conf’ file as a starting point for your own configuration file:
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Now it’s time to edit the server configuration file:
nano /etc/openvpn/server.conf
Replace its contents with the following basic configuration:
server 10.8.0.0 255.255.255.0
verb 3
key /etc/openvpn/server.key
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
# Must match the file copied in Step 4 (./build-dh produces dh2048.pem)
dh /etc/openvpn/dh2048.pem
keepalive 10 120
persist-key
persist-tun
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
# DNS resolvers pushed to clients; substitute the resolvers you want clients to use
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
# Drop privileges after start-up; CentOS has no "nogroup" group, so use "nobody"
user nobody
group nobody
proto udp
port 1194
dev tun1194
status openvpn-status.log
Step 4. Generating Keys and Certificates.
After you’ve edited the configuration file, create a directory to hold the keys, then copy the EasyRSA scripts into place:
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
When the copy is done, edit the vars file to change the default certificate fields:
nano /etc/openvpn/easy-rsa/vars
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CA"
export KEY_PROVINCE="QC"
export KEY_CITY="Montreal"
export KEY_ORG="INDOTUNER"
export KEY_EMAIL="email@example.com"
export KEY_OU="IT"
# X509 Subject Field
export KEY_NAME="server"
export KEY_CN=vpn.myvpsource.com
Then copy the OpenSSL configuration:
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
To begin generating your keys and certificates, change into the ‘easy-rsa’ directory and source your new variables:
cd /etc/openvpn/easy-rsa
source ./vars
Now clean out any keys or certificates that may already be in this folder, then generate your certificate authority, the server certificate (its name must match the KEY_NAME value set above) and the Diffie-Hellman parameters:
./clean-all
./build-ca
./build-key-server server
./build-dh
Now that you have your server keys and certificates, copy them all into the OpenVPN directory:
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
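Before starting the service it is worth checking that every file referenced by server.conf now exists and that the user and group it drops privileges to are real accounts; a wrong dh filename or a non-existent group is enough to stop OpenVPN from starting. The script below is an added example, not part of the original tutorial, and assumes the config path and directive names used above.

```shell
#!/bin/sh
# Added sanity check (not from the tutorial): verify that the files named by
# ca/cert/key/dh/tls-auth in an OpenVPN server.conf exist and that the
# user/group directives name accounts that exist on this host.
# Usage: check_openvpn_conf /etc/openvpn/server.conf
check_openvpn_conf() {
    conf="$1"
    confdir=$(dirname "$conf")
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Read one directive per line; the "|| [ -n ... ]" keeps the last line
    # even when the file has no trailing newline. Comment lines start with
    # "#" and fall through the case statement untouched.
    while read -r directive value _ || [ -n "$directive" ]; do
        case "$directive" in
            ca|cert|key|dh|tls-auth)
                # Relative paths are resolved against the config's own
                # directory, which is where the systemd unit runs OpenVPN.
                case "$value" in
                    /*) path="$value" ;;
                    *)  path="$confdir/$value" ;;
                esac
                [ -r "$path" ] || { echo "$directive: $path is missing" >&2; rc=1; }
                ;;
            user)
                getent passwd "$value" >/dev/null || { echo "user '$value' does not exist" >&2; rc=1; }
                ;;
            group)
                getent group "$value" >/dev/null || { echo "group '$value' does not exist" >&2; rc=1; }
                ;;
        esac
    done < "$conf"
    [ "$rc" -eq 0 ] && echo "$conf: all referenced files and accounts exist"
    return "$rc"
}
```

Run it as `check_openvpn_conf /etc/openvpn/server.conf`; a non-zero exit lists each missing file or account on stderr.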
Next, generate the client certificate, replacing “client” with the username you choose:
cd /etc/openvpn/easy-rsa
./build-key client
Step 5. Routing.
Next, configure routing on CentOS 7 for the VPN. Replace firewalld with the plain iptables service (note that iptables --flush removes every existing rule, so re-add any rules you rely on afterwards):
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
Now append a NAT rule to ‘iptables’ that masquerades traffic from the OpenVPN subnet out of your public interface (replace eth0 with your interface name), then save the rule so it survives a reboot:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Next, enable IP forwarding in sysctl. Open ‘sysctl.conf’ for editing:
nano /etc/sysctl.conf
Add the following line:
net.ipv4.ip_forward = 1
Then apply it without rebooting:
sysctl -p
Once you’ve completed your configuration and forwarding rules, enable the OpenVPN service (the instance name “server” corresponds to /etc/openvpn/server.conf) and start it up:
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
Step 6. Configuring the Client.
To configure the client, copy the CA certificate, the client certificate and the client key to the client machine. All three files are required to use the VPN:
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
To get started using the VPN, create a .ovpn configuration file for the OpenVPN client with the following contents (replace your-server-ip with the server’s public IP address):
client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
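Instead of shipping four files, the client configuration above can be bundled into one self-contained .ovpn with the CA certificate, client certificate and client key embedded inline, which is what most OpenVPN clients expect. The helper below is an added example, not part of the original tutorial; it takes the server address and the three file paths from Step 6 as arguments and writes the bundle to stdout.

```shell
#!/bin/sh
# Added example (not from the tutorial): build a single client.ovpn that
# embeds ca.crt, client.crt and client.key inline. The result contains the
# client's private key, so keep it mode 0600 and hand it over on a trusted
# channel, not by plain e-mail.
# Usage: make_inline_ovpn <server-ip> <ca.crt> <client.crt> <client.key> > client.ovpn
make_inline_ovpn() {
    server="$1"; ca="$2"; cert="$3"; key="$4"
    [ -n "$server" ] || { echo "server address is required" >&2; return 1; }
    # Refuse to emit a bundle with missing or non-PEM inputs rather than
    # producing a config that fails only when the client first connects.
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        grep -q -- '-----BEGIN' "$f" || { echo "$f is not a PEM file" >&2; return 1; }
    done
    # Same directives as the tutorial's client config; the ca/cert/key file
    # references are replaced by the inline blocks at the end.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}
```

Example: `make_inline_ovpn 203.0.113.10 ca.crt client.crt client.key > client.ovpn && chmod 600 client.ovpn`.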
Congratulations! You have successfully installed OpenVPN on your CentOS 7 server. Thanks for using this tutorial for installing OpenVPN on a CentOS 7 system.