How To Install OpenVPN Server on CentOS Stream 10
In this tutorial, we will show you how to install OpenVPN Server on CentOS Stream 10. OpenVPN stands out as a reliable solution for establishing secure Virtual Private Network (VPN) tunnels, ensuring data privacy and integrity. Combined with CentOS Stream 10, a cutting-edge Linux distribution known for its rolling-release model, you can create a robust and flexible VPN server environment. This comprehensive guide will walk you through the process of installing and configuring an OpenVPN server on CentOS Stream 10, providing step-by-step instructions, troubleshooting tips, and best practices to ensure a smooth setup.
Prerequisites and System Preparation
System Requirements
Before diving into the installation, ensure your server meets the necessary requirements:
- Hardware: Minimum 1 GHz CPU, 512 MB RAM, and 10 GB of disk space.
- Operating System: CentOS Stream 10 installed with root access.
- Network: A stable internet connection and a static IP address are recommended.
Preparing the Server
Start by updating your system packages to ensure all software is up-to-date:
sudo dnf update -y
Next, install essential tools required for the setup:
sudo dnf install -y curl wget vim
Enabling EPEL Repository
The Extra Packages for Enterprise Linux (EPEL) repository provides additional packages necessary for OpenVPN:
sudo dnf install epel-release -y
After enabling EPEL, update the repositories again:
sudo dnf update -y
Step 1: Installing OpenVPN Server
Downloading OpenVPN Installation Script
For a streamlined installation process, you can use the Angristan OpenVPN installation script. Download it using the following command:
curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
Making the Script Executable
Set executable permissions for the script:
chmod +x openvpn-install.sh
Running the Installation Script
Execute the script to initiate the OpenVPN installation:
sudo ./openvpn-install.sh
Follow the on-screen prompts to configure your OpenVPN server. You’ll be asked to specify details such as the VPN protocol (TCP/UDP), port number, and DNS settings. The default options are generally suitable for most setups, but feel free to customize them based on your requirements.
Step 2: Configuring OpenVPN Server
Editing the Configuration File
Locate and edit the OpenVPN server configuration file:
sudo vim /etc/openvpn/server.conf
Key parameters to consider:
- Port: Ensure it’s consistent with the port you chose when running the installation script.
- Protocol: Choose between TCP or UDP based on your needs.
- Network Settings: The server directive defines the VPN subnet, for example:
server 10.8.0.0 255.255.255.0
Setting Up Certificates and Keys
OpenVPN relies on a Public Key Infrastructure (PKI) for secure communications. If you used the installation script in Step 1, it has already built a CA and the server certificate and keys, so you can skip this section; the manual steps below are for a server built by hand. Use Easy-RSA to generate the necessary certificates and keys (the EPEL package installs the easyrsa script in the versioned 3/ subdirectory, which is the one to copy):
sudo dnf install easy-rsa -y
sudo cp -r /usr/share/easy-rsa/3 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
sudo ./easyrsa gen-dh
sudo openvpn --genkey secret ta.key
The last command uses the OpenVPN 2.5+ syntax; older releases spell it --genkey --secret ta.key. Copy the generated certificates and keys, including the Diffie-Hellman parameters written by gen-dh, to the OpenVPN directory:
sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/
The server configuration must reference these files (ca, cert, key and dh directives) and enable ta.key with tls-crypt ta.key (or tls-auth ta.key 0); keep server.key and ta.key readable by root only.
Enabling IP Forwarding
Modify the system configuration to allow IP forwarding, which is essential for VPN traffic routing:
sudo vim /etc/sysctl.conf
Add or uncomment the following line:
net.ipv4.ip_forward = 1
Apply the changes:
sudo sysctl -p
Firewall Configuration
Configure the firewall to allow OpenVPN traffic and enable Network Address Translation (NAT) so that VPN clients can reach the internet through the server:
sudo firewall-cmd --add-service=openvpn --permanent
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
The predefined openvpn service only covers 1194/udp. If you chose a different port or protocol during installation, open it explicitly as well (shown here for the default):
sudo firewall-cmd --permanent --add-port=1194/udp
sudo firewall-cmd --reload
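The port in server.conf, the firewalld rules and the ip_forward setting have to agree, and a mismatch between them is the most common reason for a server that starts cleanly but accepts no connections. The script below is an added example for this tutorial, not part of the original page or of the openvpn-install script: it reads the port, protocol and subnet from a server.conf, checks them against firewall-cmd --list-all output and a sysctl file, and flags configs that lack tls-crypt, data-ciphers or tls-version-min or that enable compression. The two configs, the firewalld listing and the sysctl file are constructed samples written to a temporary directory; on a live server you would point the functions at /etc/openvpn/server.conf, the real firewall-cmd output and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the tutorial or the openvpn-install script):
# cross-check an OpenVPN server.conf against firewalld rules and ip_forward.
# All inputs below are constructed samples so the script runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: a hardened server.conf (tls-crypt, AEAD ciphers, dropped privileges).
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
user nobody
EOF

# Constructed sample 2: a weak server.conf on a non-default port, compression on.
cat > "$WORK/weak.conf" <<'EOF'
port 443
proto tcp
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
EOF

# Constructed sample: firewalld state after the tutorial's firewall-cmd commands.
cat > "$WORK/firewall.txt" <<'EOF'
public (active)
  target: default
  services: cockpit dhcpv6-client openvpn ssh
  ports:
  masquerade: yes
EOF
printf 'net.ipv4.ip_forward = 1\n' > "$WORK/sysctl.conf"

# Print the value of the first occurrence of a directive. Usage: conf_get FILE DIRECTIVE
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if firewalld admits PORT/PROTO: either listed under "ports:" or, for
# 1194/udp only, covered by the predefined "openvpn" service. Usage: port_allowed PORT PROTO LISTING
port_allowed() {
    if grep -Eq "^[[:space:]]*ports:.*[[:space:]]$1/$2"'([[:space:]]|$)' "$3"; then
        return 0
    fi
    if [ "$1/$2" = "1194/udp" ] &&
       grep -Eq '^[[:space:]]*services:.*[[:space:]]openvpn([[:space:]]|$)' "$3"; then
        return 0
    fi
    return 1
}

# Succeed if the sysctl file enables IPv4 forwarding (spacing variants tolerated).
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Print the hardening findings for a server.conf; succeed only if there are none.
config_findings() {
    f=""
    grep -Eq '^(tls-crypt|tls-auth)[[:space:]]' "$1" || f="$f tls-crypt"
    grep -Eq '^data-ciphers[[:space:]]' "$1"         || f="$f data-ciphers"
    grep -Eq '^tls-version-min[[:space:]]' "$1"      || f="$f tls-version-min"
    ! grep -Eq '^(comp-lzo|compress)' "$1"           || f="$f compression-enabled"
    echo "${f# }"
    [ -z "$f" ]
}

# Run all checks for one config, print PASS/FAIL lines, fail if any check failed.
report() {
    conf=$1; fw=$2; sysctl=$3; rc=0
    port=$(conf_get "$conf" port); proto=$(conf_get "$conf" proto)
    echo "== $conf: port $port/$proto, subnet $(conf_get "$conf" server)"
    if port_allowed "$port" "$proto" "$fw"; then echo "PASS firewall admits $port/$proto"
    else echo "FAIL firewall does not admit $port/$proto"; rc=1; fi
    if forwarding_enabled "$sysctl"; then echo "PASS ip_forward enabled"
    else echo "FAIL ip_forward disabled"; rc=1; fi
    if findings=$(config_findings "$conf"); then echo "PASS hardening directives present"
    else echo "FAIL hardening findings: $findings"; rc=1; fi
    return $rc
}

report "$WORK/server.conf" "$WORK/firewall.txt" "$WORK/sysctl.conf" || true
report "$WORK/weak.conf"   "$WORK/firewall.txt" "$WORK/sysctl.conf" || true
```

The hardened sample passes every check; the weak one fails twice, because 443/tcp is neither listed under ports: nor covered by the openvpn service, and because it relies on the pre-2.5 cipher directive, has no tls-crypt and has compression enabled. report returns non-zero on any failure, so the same functions can run from a cron job or a deployment pipeline after every config change.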
Step 3: Starting and Enabling OpenVPN Service
Starting OpenVPN Service
Initiate the OpenVPN service:
sudo systemctl start openvpn@server
Enabling Service on Boot
Ensure that OpenVPN starts automatically on system boot:
sudo systemctl enable openvpn@server
Verifying Service Status
Check if the OpenVPN service is active and running:
sudo systemctl status openvpn@server
You should see output indicating that the service is active (running). If systemd reports that the unit cannot be found, your package may ship the openvpn-server@.service template instead, which reads its configuration from /etc/openvpn/server/<name>.conf; list the available templates with systemctl list-unit-files 'openvpn*' and use the unit name that the installation script enabled.
Step 4: Configuring OpenVPN Clients
Generating Client Configuration Files
Use the installation script to create configuration files for your clients:
sudo ./openvpn-install.sh
Follow the prompts to generate a client profile, which will produce a .ovpn file containing the necessary configurations and certificates.
Transferring Configuration Files to Clients
Securely transfer the .ovpn file to your client devices using tools like SCP or SFTP. The file embeds the client’s private key, so treat it as a secret and remove any copies you no longer need:
scp user@your-server-ip:/home/user/client.ovpn ~/Downloads
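The .ovpn file the script produces is a single file because the CA certificate, the client certificate and key, and the tls-crypt key are embedded inline between <ca>, <cert>, <key> and <tls-crypt> tags. The script below is an added example, not part of the original tutorial or of the openvpn-install script, that assembles such a profile by hand from an Easy-RSA layout and checks it before it is handed out. The PEM files it uses are constructed placeholders written to a temporary directory, and vpn.example.com is an assumed server name; on a real server you would pass pki/ca.crt, pki/issued/<client>.crt and pki/private/<client>.key from /etc/openvpn/easy-rsa together with /etc/openvpn/ta.key.

```shell
#!/bin/sh
# Added example (not from the tutorial or the openvpn-install script):
# build a single-file client profile with all certificates and keys inline.
# The PEM files are constructed placeholders, not real certificates or keys.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed placeholder PEM files standing in for the Easy-RSA output.
for n in ca.crt client1.crt client1.key ta.key; do
    printf '%s\n' "-----BEGIN CONSTRUCTED PLACEHOLDER-----" "$n" \
                  "-----END CONSTRUCTED PLACEHOLDER-----" > "$WORK/$n"
done

# Write a client profile to stdout.
# Usage: build_ovpn HOST PORT PROTO CA_FILE CERT_FILE KEY_FILE TA_FILE
# The cipher and TLS settings mirror the server side. remote-cert-tls server
# makes the client reject a peer whose certificate was not issued with the
# server role (easyrsa sign-req server), so a leaked client certificate cannot
# be used to impersonate the server.
build_ovpn() {
    host=$1; port=$2; proto=$3; ca=$4; cert=$5; key=$6; ta=$7
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto $proto
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
<tls-crypt>
$(cat "$ta")
</tls-crypt>
EOF
}

# Count the properly closed inline sections in a profile (a complete profile has 4).
profile_sections() {
    grep -Ec '^</(ca|cert|key|tls-crypt)>$' "$1" || true
}

OUT="$WORK/client1.ovpn"
umask 077   # the profile embeds a private key: make it owner-only from creation
build_ovpn vpn.example.com 1194 udp \
    "$WORK/ca.crt" "$WORK/client1.crt" "$WORK/client1.key" "$WORK/ta.key" > "$OUT"
echo "wrote $OUT with $(profile_sections "$OUT") inline sections, mode $(ls -l "$OUT" | cut -c1-10)"
```

Because the private key is inside the profile, the file is created with umask 077 so it is never world-readable even for a moment, and the same permissions should be preserved on the client after the scp shown above. The tls-crypt section must contain the same ta.key the server uses, and the server's configuration must use tls-crypt rather than tls-auth for the client and server to agree.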
Installing OpenVPN Client Software
Install the OpenVPN client on your devices:
- Windows: Download from the OpenVPN website.
- macOS: Use Tunnelblick or the official OpenVPN client.
- Linux: Install via your package manager, e.g., on CentOS or Fedora:
sudo dnf install openvpn -y
Importing Configuration Files on Clients
Import the .ovpn file into your OpenVPN client application:
- Windows: Open the OpenVPN GUI, right-click the icon in the system tray, and select “Import file.”
- macOS: Open Tunnelblick, click “Add a new configuration,” and select the .ovpn file.
- Linux: Use NetworkManager or command-line tools to import the configuration.
Testing Client Connections
Connect to the VPN using the client application. Verify the connection by checking your IP address or accessing restricted resources to ensure traffic is routed through the VPN.
Step 5: Advanced Configuration Options
Customizing DNS Settings
To enhance privacy and browsing speed, specify custom DNS resolvers in the server configuration file:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Optimizing Performance
Improve VPN performance by adjusting MTU settings and enabling compression:
tun-mtu 1500
comp-lzo
Note that compression can introduce security vulnerabilities (compressing data before encrypting it can leak information about the plaintext), so it is generally best left disabled, and OpenVPN deprecates comp-lzo; use a modern AEAD cipher such as AES-256-GCM for the data channel regardless.
Adding Additional Clients
To add more clients, rerun the installation script and generate new .ovpn files for each user:
sudo ./openvpn-install.sh
Select the option to add a new client and follow the prompts accordingly.
Troubleshooting Common Issues
Connection Failures
If clients cannot connect, inspect the OpenVPN logs for errors:
sudo journalctl -u openvpn@server
Common issues include incorrect firewall settings or mismatched configuration parameters.
Firewall Problems
Ensure that the firewall rules are correctly set to allow OpenVPN traffic:
sudo firewall-cmd --list-all
Verify that the OpenVPN service and the specific port are open.
Certificate Errors
Certificates may expire or become corrupted. Regenerate them using Easy-RSA if necessary; for example, to issue a new client certificate:
cd /etc/openvpn/easy-rsa/
sudo ./easyrsa gen-req client2 nopass
sudo ./easyrsa sign-req client client2
Afterwards, rebuild that client’s .ovpn profile (Step 4) so it carries the new certificate and key.
DNS Resolution Issues
If DNS queries fail, double-check the DNS settings in the server configuration and ensure that the client’s DNS settings are correctly applied.
Security Best Practices
Using Strong Encryption Algorithms
Enhance security by using a modern AEAD cipher such as AES-256-GCM for the data channel. On OpenVPN 2.5 and later the negotiated cipher list is set with data-ciphers (the older cipher directive only provides a fallback):
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
With an AEAD cipher, auth applies only to the control channel (tls-auth/tls-crypt), not to data-channel packets.
Regularly Updating Software
Maintain security by keeping OpenVPN and CentOS updated with the latest patches:
sudo dnf update -y
Monitoring Server Logs
Regularly review server logs to detect suspicious activity, such as repeated TLS handshake or certificate verification failures from the same source. If your server.conf sets log /var/log/openvpn/openvpn.log, follow it with:
sudo tail -f /var/log/openvpn/openvpn.log
Otherwise the messages go to the journal and can be read with the journalctl command from the Troubleshooting section.
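The failures listed under Troubleshooting (firewall and configuration mismatches, certificate errors) and the suspicious activity to watch for in the logs both show up as a few recognisable OpenVPN messages. The script below is an added example, not part of the original tutorial, that counts those message classes in a log extract and ranks the source addresses producing them; the per-source ranking is the kind of signal a firewall rule or a fail2ban jail would act on. The log lines are constructed samples in journalctl's default format using documentation addresses (the message texts follow OpenVPN's real wording); on a real server you would feed it the output of journalctl -u openvpn@server --no-pager or the log file above.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): triage OpenVPN server
# log lines and rank the sources of handshake and certificate failures.
# The log below is a constructed sample; addresses are documentation ranges.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/openvpn.log"

cat > "$LOG" <<'EOF'
Mar 01 10:00:01 vpn openvpn[1234]: TLS Error: tls-crypt unwrapping failed from [AF_INET]203.0.113.7:51515
Mar 01 10:00:05 vpn openvpn[1234]: 203.0.113.7:51516 VERIFY ERROR: depth=0, error=certificate has expired: CN=client1
Mar 01 10:00:09 vpn openvpn[1234]: 198.51.100.4:40000 TLS: Initial packet from [AF_INET]198.51.100.4:40000, sid=0a1b2c3d 4e5f6a7b
Mar 01 10:00:10 vpn openvpn[1234]: 198.51.100.4:40000 [client2] Peer Connection Initiated with [AF_INET]198.51.100.4:40000
Mar 01 10:00:12 vpn openvpn[1234]: 203.0.113.7:51517 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 01 10:00:20 vpn openvpn[1234]: 192.0.2.9:33000 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=laptop
EOF

# Count lines in one category: tls (handshake failures, including a wrong or
# missing ta.key), verify (certificate verification errors, e.g. expired or
# issued by another CA) or connected (sessions that came up).
# Usage: count_matches LOGFILE CATEGORY
count_matches() {
    case $2 in
        tls)       pat='TLS Error:' ;;
        verify)    pat='VERIFY ERROR:' ;;
        connected) pat='Peer Connection Initiated' ;;
        *) echo "count_matches: unknown category $2" >&2; return 1 ;;
    esac
    grep -c -- "$pat" "$1" || true   # grep -c exits 1 on zero matches; keep the 0
}

# Rank source addresses by handshake and verification failures, most first.
# Established sessions are prefixed "ADDR:PORT "; failures before a session
# exists only carry the peer as "[AF_INET]ADDR:PORT", so both forms are parsed.
# Usage: top_failing_sources LOGFILE N   -> lines of "COUNT ADDRESS"
top_failing_sources() {
    grep -E 'TLS Error:|VERIFY ERROR:' "$1" \
      | sed -nE 's/.*(openvpn\[[0-9]+\]: |\[AF_INET\])([0-9]+(\.[0-9]+){3}):[0-9]+.*/\2/p' \
      | sort | uniq -c | sort -rn | head -n "$2" \
      | awk '{ print $1, $2 }'
}

# Print a one-screen summary for a log file.
triage() {
    echo "handshake failures  : $(count_matches "$1" tls)"
    echo "certificate errors  : $(count_matches "$1" verify)"
    echo "sessions established: $(count_matches "$1" connected)"
    echo "top failing sources:"
    top_failing_sources "$1" 3 | sed 's/^/  /'
}

triage "$LOG"
```

On the sample, 203.0.113.7 accounts for three of the four failures (a tls-crypt unwrap failure, an expired client certificate and a handshake timeout), which is what a single misconfigured or stale client looks like; a long tail of distinct addresses failing tls-crypt unwrapping, by contrast, is unsolicited traffic reaching the port and a reason to restrict it in the firewall.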
Restricting Access to the VPN Server
Limit access by restricting the OpenVPN port to known source addresses in the firewall where possible, or use fail2ban to block sources with repeated failures (fail2ban needs a jail and a filter that match OpenVPN’s log messages, which you must configure yourself):
sudo dnf install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN server on your CentOS Stream 10 system. For additional help or useful information, we recommend you check the official OpenVPN website.