How to Install OpenVPN on CentOS 7

In this tutorial we are going to learn how to install OpenVPN on CentOS 7. We will also install and configure its prerequisites. OpenVPN is one of the most popular VPN software packages; it implements virtual private network methods for creating protected IP or site-to-site connections. OpenVPN was initially published in 2001 and has become a favorite VPN solution for multiple platforms and device types; it runs on Windows, Mac OS X, iOS, Android, and many Linux-style systems. Furthermore, OpenVPN has been modified and improved for use across various router firmware implementations.

I recommend using a minimal CentOS server setup as the basis for this tutorial. That can be a virtual or root server image with a CentOS 7 minimal install from a web hosting company, or you can use our minimal server tutorial to install a server from scratch.

Install OpenVPN on CentOS 7

Step 1. First, ensure your system and yum package lists are fully up to date by running the following:

yum -y install epel-release
yum -y update

Step 2. Installing OpenVPN on CentOS 7.

First, install OpenVPN and EasyRSA (a small key management package for use with OpenVPN) for generating RSA keys:

yum install openvpn easy-rsa -y

Step 3. Configuring OpenVPN.

OpenVPN ships with a couple of example configuration files in its documentation directory. You can copy the sample ‘server.conf’ file as a starting point for your own configuration file:

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Now it’s time to edit the server configuration file:

nano /etc/openvpn/server.conf

Then fill in the file with the basic configuration below:

server 10.8.0.0 255.255.255.0
verb 3
key /etc/openvpn/server.key
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
dh /etc/openvpn/dh2048.pem
keepalive 10 120
persist-key
persist-tun
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

user nobody
group nobody

proto udp
port 1194
dev tun1194
status openvpn-status.log

Step 4. Generating Keys and Certificates.

After you’ve edited the configuration file, create a folder to store the keys, then copy the EasyRSA key-generation scripts into place:

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

When you’ve finished copying the scripts, edit the vars file to change the default values:

nano /etc/openvpn/easy-rsa/vars

In the file, set the following default values:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CA"
export KEY_PROVINCE="QC"
export KEY_CITY="Montreal"
export KEY_ORG="INDOTUNER"
export KEY_EMAIL="abuse@myvpsource.com"
export KEY_OU="IT"
# X509 Subject Field
export KEY_NAME="server"
export KEY_CN=vpn.myvpsource.com

Then copy the OpenSSL configuration:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

In order to begin generating your keys and certificates, you have to go into your ‘easy-rsa’ directory and source in your new variables:

cd /etc/openvpn/easy-rsa
source ./vars

Now clean up any keys or certificates that may already be in this folder before generating your certificate authority:

./clean-all

After cleaning up, generate the certificate authority, the server key and certificate (making sure the name matches our KEY_NAME value), and the Diffie-Hellman parameters:

./build-ca
./build-key-server server
./build-dh

Now that you have your server keys and certificates, copy them all into the OpenVPN directory:

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Next we’re going to generate our client certificate; replace “client” with the username you choose:

cd /etc/openvpn/easy-rsa
./build-key client
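
Before moving on, it is worth confirming that every ca, cert, key and dh path named in server.conf points at a file that was actually copied, and that the server's private key is readable by its owner only. The function below is an added example, not part of the original tutorial or of OpenVPN/EasyRSA; check_server_conf is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: check_server_conf is a hypothetical helper, not an
# OpenVPN or EasyRSA command. Exit status is 0 when clean, non-zero otherwise.

check_server_conf() {
    local conf="$1" problems=0 directive path mode
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Each config line is "directive argument ..."; only the four file
    # directives used in this tutorial are inspected.
    while read -r directive path _ || [ -n "$directive" ]; do
        case "$directive" in
            ca|cert|key|dh) ;;
            *) continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $directive -> $path"
            problems=$((problems + 1))
            continue
        fi
        # The private key must be readable by its owner only.
        if [ "$directive" = key ]; then
            mode=$(stat -c '%a' "$path")
            case "$mode" in
                600|400) ;;
                *) echo "PERMS   $path is mode $mode, expected 600"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done < "$conf"

    if [ "$problems" -eq 0 ]; then
        echo "OK      every referenced file is present"
    fi
    return "$problems"
}

# Usage on the server: check_server_conf /etc/openvpn/server.conf
```
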

Step 5. Routing.

We want to configure the routing parts of CentOS 7 for use with the VPN installation:

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush

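Now append a NAT rule to ‘iptables’ that masquerades traffic from your OpenVPN subnet as it leaves through eth0 (substitute your server’s public interface name if it is not eth0), then save this rule: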

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Next you should enable IP forwarding in sysctl. Open ‘sysctl.conf’ for editing:

nano /etc/sysctl.conf

Then add the following line to the file:

net.ipv4.ip_forward = 1

Once you’ve completed your configuration and forwarding rules, it’s time to enable the OpenVPN service and start it up:

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

Step 6. Configuring Client.

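To configure the client, copy the “ca” certificate, the “client” certificate, and the “client” key from the server to the client machine over a secure channel such as SCP, since client.key is a private key. Each of these copied files is necessary to use the VPN: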

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key

To get started using the VPN, we need to create a .ovpn file configuration for use with OpenVPN:

nano client.ovpn

Use the following configuration:

client
dev tun
proto udp
remote "your-server-ip" 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key

Congratulations! You have successfully installed OpenVPN on your CentOS 7 server. Thanks for using this tutorial for installing OpenVPN on a CentOS 7 system.