
How To Install OpenVPN Server on Rocky Linux 10


Setting up a secure VPN server has become essential for protecting data and ensuring private network access. OpenVPN is a robust, open-source solution that delivers enterprise-grade security at no licensing cost. This guide walks you through installing and configuring an OpenVPN server on Rocky Linux 10, turning the system into a VPN gateway that protects your network traffic with strong, certificate-based TLS encryption.

Rocky Linux 10 provides a stable, production-ready environment perfectly suited for hosting VPN infrastructure. Whether you’re securing remote work connections, protecting sensitive communications, or establishing encrypted tunnels between networks, this tutorial equips you with everything needed to deploy a fully functional OpenVPN server.

Prerequisites and System Requirements

Before diving into the installation process, ensure your environment meets these requirements. You’ll need a server running Rocky Linux 10 with root or sudo privileges to execute administrative commands.

Your server should have at least 1GB of RAM and 10GB of available disk space, though 2GB RAM is recommended for handling multiple concurrent connections. A publicly accessible IP address is mandatory since clients will connect to your server over the internet.

Basic familiarity with Linux command-line operations will help you navigate this tutorial smoothly. You’ll also need SSH access to your server for remote administration. Finally, prepare a client machine for testing the VPN connection once the server configuration is complete.

Understanding OpenVPN Architecture

OpenVPN operates on a Public Key Infrastructure (PKI) model, which forms the backbone of its security framework. This architecture uses digital certificates to verify the identity of both servers and clients, preventing unauthorized access.

The Certificate Authority (CA) acts as a trusted third party that issues and signs certificates. Think of it as a digital notary that vouches for the legitimacy of each certificate. When a client attempts to connect, the server validates its certificate against the CA signature, ensuring only authorized devices gain access.

This client-server model encrypts all data flowing through the tunnel, making it unreadable to anyone intercepting the traffic. The setup process involves creating certificates for the server, generating keys for encryption, and distributing client credentials securely.

Initial System Preparation

Start by updating your Rocky Linux 10 system to ensure all packages are current. Open your terminal and execute:

sudo dnf update -y

This command refreshes the package repository and installs any available updates, patching security vulnerabilities and improving system stability. The process may take several minutes depending on how many packages require updating.

Next, verify your system version:

cat /etc/rocky-release

Configure your server’s hostname if you haven’t already. A descriptive hostname helps identify the server in logs and administrative tasks:

sudo hostnamectl set-hostname vpn-server

Reboot the system if the kernel was updated during the update process. This ensures you’re running the latest security patches.

Installing EPEL Repository and OpenVPN

The Extra Packages for Enterprise Linux (EPEL) repository contains OpenVPN and Easy-RSA packages not included in Rocky Linux’s default repositories. Install EPEL first:

sudo dnf install epel-release -y

EPEL extends Rocky Linux’s package ecosystem with community-maintained software that meets enterprise quality standards. Once EPEL installation completes, install OpenVPN:

sudo dnf install openvpn -y

You’ll also need Easy-RSA, which simplifies certificate management:

sudo dnf install easy-rsa -y

Verify the installation succeeded by checking the OpenVPN version:

openvpn --version

You should see version information displayed, confirming OpenVPN is ready for configuration.

Setting Up the Certificate Authority

Creating a Certificate Authority represents a critical security step. Begin by establishing the Easy-RSA directory structure:

sudo mkdir -p /etc/openvpn/easy-rsa

Change into the Easy-RSA working directory; the easyrsa commands that follow create their pki subdirectory relative to the current directory:

cd /etc/openvpn/easy-rsa

Initialize the PKI infrastructure:

sudo /usr/share/easy-rsa/3/easyrsa init-pki

This command creates the necessary directory structure for certificate management. Now build your Certificate Authority:

sudo /usr/share/easy-rsa/3/easyrsa build-ca nopass

The nopass option creates a CA without password protection, suitable for automated operations. For production environments handling sensitive data, consider omitting this flag to add password protection.

You’ll be prompted to enter organizational details like country, state, and organization name. Provide accurate information, though these fields won’t affect VPN functionality. The process generates two critical files: ca.crt (public certificate) and ca.key (private key). Guard the private key carefully—anyone possessing it could issue fraudulent certificates.

Generating Server Certificates and Keys

With the CA established, create credentials for your OpenVPN server. Generate a certificate request:

sudo /usr/share/easy-rsa/3/easyrsa gen-req server nopass

When prompted, enter “server” as the common name. This identifies the certificate’s purpose in your PKI.

Sign the server certificate using your CA:

sudo /usr/share/easy-rsa/3/easyrsa sign-req server server

Confirm the signing operation by typing “yes” when prompted. The CA validates the request and issues a signed certificate valid for establishing secure connections.

Generate Diffie-Hellman parameters, which enable secure key exchange during connection establishment:

sudo /usr/share/easy-rsa/3/easyrsa gen-dh

This cryptographic operation takes several minutes as it searches for a strong prime. The resulting pki/dh.pem file is used for the Diffie-Hellman key exchange in the TLS control channel of each VPN session.

Creating Client Certificates

Each device connecting to your VPN requires unique credentials. Generate the first client certificate:

sudo /usr/share/easy-rsa/3/easyrsa gen-req client1 nopass

Sign the client certificate:

sudo /usr/share/easy-rsa/3/easyrsa sign-req client client1

Repeat this process for additional clients, using descriptive names like “laptop-john” or “phone-mary” to track certificate ownership. This practice simplifies certificate management and revocation when needed.

Store client certificates in a temporary directory for distribution:

sudo mkdir -p /etc/openvpn/client-configs

Configuring the OpenVPN Server

OpenVPN includes sample configuration files that serve as excellent starting points. Copy the server configuration template:

sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/

Edit the configuration file:

sudo nano /etc/openvpn/server/server.conf

Update the certificate and key paths to match your Easy-RSA installation:

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem

These directives tell OpenVPN where to find the CA certificate, the server certificate and key, and the DH parameters. Note that the sample file also enables a tls-auth ta.key 0 line, which refers to a shared HMAC key that this tutorial does not generate; either create it in /etc/openvpn/server with openvpn --genkey tls-auth ta.key (and distribute the same file to every client), or comment the line out, otherwise OpenVPN will refuse to start because the file is missing.

Configure the VPN network settings. OpenVPN creates a virtual network interface that assigns IP addresses to connected clients:

server 10.8.0.0 255.255.255.0

This configuration reserves the 10.8.0.0/24 subnet for VPN use. The server claims 10.8.0.1, while clients receive addresses starting from 10.8.0.2.

Push DNS settings to clients, ensuring they resolve domain names through your VPN:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Route all client traffic through the VPN tunnel:

push "redirect-gateway def1 bypass-dhcp"

This directive forces clients to send internet traffic through the encrypted tunnel, protecting all communications.

Uncomment these security lines to enhance protection:

user nobody
group nobody

These settings drop root privileges after OpenVPN starts, limiting damage if the service is compromised.

Save the configuration and exit the editor.
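Before starting the service, it is worth checking that server.conf is consistent with the files on disk. The following script is an added example, not part of the tutorial or of OpenVPN itself: it resolves every credential path in the config (relative paths against the config's own directory, as the openvpn-server@ unit's working directory does), confirms each file is readable, and checks that the privilege-drop directives are uncommented. It assumes the file layout used in this tutorial.

```shell
#!/bin/bash
# Added example (not from the tutorial): audit an OpenVPN server.conf for the
# mistakes this section warns about, before the service is started.

# conf_value <conf> <directive> -> first argument of the directive, or nothing
# if it is absent or commented out (";" or "#" lines never match column 1).
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# audit_server_conf <conf> -> exit 0 if everything checks out, 1 otherwise
audit_server_conf() {
    local conf="$1" dir rc=0 directive path full
    dir=$(dirname "$conf")

    # 1. Every referenced credential file must exist and be readable.
    #    tls-auth/tls-crypt are included because the sample server.conf ships
    #    with "tls-auth ta.key 0" enabled and the key is easy to forget.
    for directive in ca cert key dh tls-auth tls-crypt crl-verify; do
        path=$(conf_value "$conf" "$directive")
        [ -z "$path" ] && continue
        case "$path" in /*) full="$path" ;; *) full="$dir/$path" ;; esac
        if [ ! -r "$full" ]; then
            echo "MISSING: $directive -> $full"
            rc=1
        fi
    done

    # 2. Privilege drop: "user nobody" / "group nobody" must be uncommented.
    for directive in user group; do
        if [ -z "$(conf_value "$conf" "$directive")" ]; then
            echo "MISSING: $directive directive (service would keep running as root)"
            rc=1
        fi
    done

    # 3. Without crl-verify, a revoked client certificate is still accepted.
    [ -z "$(conf_value "$conf" crl-verify)" ] && echo "WARN: no crl-verify directive"

    return "$rc"
}

# Usage on the server: audit_server_conf /etc/openvpn/server/server.conf
```

Run it as root (the private key is not readable by other users), fix anything reported as MISSING, and only then enable the service.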

Enabling IP Forwarding and Network Configuration

For your VPN server to route traffic between clients and the internet, enable IP forwarding. This kernel parameter allows the server to forward packets:

sudo sysctl -w net.ipv4.ip_forward=1

Make this change permanent by editing the system configuration:

sudo nano /etc/sysctl.conf

Add or uncomment this line:

net.ipv4.ip_forward = 1

Apply the changes immediately:

sudo sysctl -p

IP forwarding transforms your server into a router, directing traffic between the VPN network and external destinations.

Configuring Firewall Rules

Rocky Linux uses firewalld for firewall management. Ensure firewalld is installed and running:

sudo dnf install firewalld -y
sudo systemctl enable --now firewalld

Allow OpenVPN traffic through the firewall:

sudo firewall-cmd --add-service=openvpn --permanent

Enable masquerading, which translates VPN client addresses to your server’s public IP:

sudo firewall-cmd --add-masquerade --permanent

Masquerading is essential for NAT (Network Address Translation), allowing multiple VPN clients to share your server’s internet connection.

Reload firewall rules to apply changes:

sudo firewall-cmd --reload

Verify the configuration:

sudo firewall-cmd --list-all

You should see openvpn in the services list and masquerade: yes. Both commands act on the default zone (normally public); if your internet-facing interface belongs to another zone, repeat them with --zone=ZONE.
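The two sections above (IP forwarding and firewalld) are the usual cause of a tunnel that connects but carries no traffic. As an added example that is not part of the tutorial, the functions below verify those prerequisites; the parsers take command output as text so they can be exercised offline, and vpn_routing_checks runs the real commands on the server. The firewall-cmd output format shown in the comments is the normal list-all layout; the check assumes the default zone.

```shell
#!/bin/bash
# Added example (not from the tutorial): verify forwarding and NAT are in place.

# ip_forward_on [path] -> 0 if forwarding is enabled
# (path defaults to the kernel sysctl file; a file argument allows offline tests)
ip_forward_on() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# firewall_has_service <list-all output> <service> -> 0 if the zone allows it.
# Looks for the "  services: cockpit dhcpv6-client openvpn ssh" line.
firewall_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) ok = 1 }
        END { exit !ok }'
}

# firewall_masquerade_on <list-all output> -> 0 if the "masquerade: yes" line is present
firewall_masquerade_on() {
    printf '%s\n' "$1" | grep -qx '[[:space:]]*masquerade: yes'
}

# Run the real checks on the server (needs firewalld; --permanent rules only
# show up here after firewall-cmd --reload).
vpn_routing_checks() {
    local rc=0 listing
    listing=$(firewall-cmd --list-all)   # default zone; add --zone=ZONE if your uplink is elsewhere
    ip_forward_on                           || { echo "FAIL: net.ipv4.ip_forward is 0"; rc=1; }
    firewall_has_service "$listing" openvpn || { echo "FAIL: openvpn service not allowed"; rc=1; }
    firewall_masquerade_on "$listing"       || { echo "FAIL: masquerade is off"; rc=1; }
    [ "$rc" = 0 ] && echo "OK: forwarding, openvpn service and masquerade are active"
    return "$rc"
}

# Usage on the server: vpn_routing_checks
```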

Starting and Enabling the OpenVPN Service

With configuration complete, start the OpenVPN server. Rocky Linux 10 uses systemd for service management:

sudo systemctl enable --now openvpn-server@server

This command enables the service to start automatically at boot and launches it immediately. The @server portion references your configuration file name (server.conf).

Check the service status:

sudo systemctl status openvpn-server@server

Look for “active (running)” in the output, indicating successful startup. Review the log output for any error messages.

If errors occur, examine the logs more thoroughly:

sudo journalctl -u openvpn-server@server -xe

Common issues include certificate path errors, permission problems, or configuration syntax mistakes.

Preparing Client Configuration Files

Create a base client configuration by copying the sample file:

sudo cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf /etc/openvpn/client-configs/base.conf

Edit the client configuration:

sudo nano /etc/openvpn/client-configs/base.conf

Update the remote directive with your server’s public IP address:

remote YOUR_SERVER_IP 1194

Replace YOUR_SERVER_IP with your actual server address.

Adjust certificate references to match embedded certificates:

ca ca.crt
cert client.crt
key client.key

Creating a unified .ovpn file simplifies client deployment: the single file carries the configuration together with the CA certificate, the client certificate and the client key, so there are no separate files to manage. If you kept the sample's tls-auth ta.key 1 line, either embed the same ta.key in a <tls-auth> block together with key-direction 1, or remove that line; otherwise the client will complain that ta.key is missing.

Create a script to generate client configurations:

sudo nano /etc/openvpn/client-configs/make_config.sh

Add this content:

#!/bin/bash
# Build a single .ovpn file for one client by appending the CA certificate,
# the client certificate and the client private key inline to base.conf.
set -euo pipefail

KEY_DIR=/etc/openvpn/easy-rsa/pki
OUTPUT_DIR=/etc/openvpn/client-configs/files
BASE_CONFIG=/etc/openvpn/client-configs/base.conf
CLIENT="${1:?usage: $0 <client-name>}"

# Refuse to run if the credentials for this client were never issued.
for f in "${KEY_DIR}/ca.crt" "${KEY_DIR}/issued/${CLIENT}.crt" "${KEY_DIR}/private/${CLIENT}.key"; do
    [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }
done

mkdir -p "${OUTPUT_DIR}"
umask 077   # the output embeds a private key; keep it owner-readable only

cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/issued/${CLIENT}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/private/${CLIENT}.key" \
    <(echo -e '</key>') \
    > "${OUTPUT_DIR}/${CLIENT}.ovpn"

Make the script executable:

sudo chmod +x /etc/openvpn/client-configs/make_config.sh

Create the output directory:

sudo mkdir -p /etc/openvpn/client-configs/files

Generate a client configuration:

sudo /etc/openvpn/client-configs/make_config.sh client1

This produces client1.ovpn containing all credentials needed for connection.
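Because the .ovpn file is what actually leaves the server, it pays to validate it before handing it out. The function below is an added example, not code from the tutorial: it checks that each inline block opens and closes exactly once, that the <key> block really contains a PEM private key, that the YOUR_SERVER_IP placeholder from base.conf was replaced, and that the file is not group- or world-readable. It assumes GNU stat (as on Rocky Linux) for the permission check.

```shell
#!/bin/bash
# Added example (not from the tutorial): sanity-check a generated .ovpn file.

# count_tag <file> <tag> -> number of lines consisting exactly of <tag>
count_tag() {
    grep -c -x "$2" "$1" || true   # grep exits 1 on zero matches; keep the "0"
}

# check_ovpn <file> -> 0 if the file looks deployable, 1 otherwise
check_ovpn() {
    local f="$1" rc=0 tag mode

    # Each inline block must open and close exactly once.
    for tag in ca cert key; do
        if [ "$(count_tag "$f" "<$tag>")" != 1 ] || [ "$(count_tag "$f" "</$tag>")" != 1 ]; then
            echo "BAD: <$tag> block missing or duplicated"
            rc=1
        fi
    done

    # The <key> block must actually contain a PEM private key.
    if ! awk '/^<key>$/ { k = 1 }
              /^<\/key>$/ { k = 0 }
              k && /-----BEGIN .*PRIVATE KEY-----/ { found = 1 }
              END { exit !found }' "$f"; then
        echo "BAD: no PEM private key inside <key>"
        rc=1
    fi

    # The remote line must point at the real server, not the placeholder.
    if grep -q 'YOUR_SERVER_IP' "$f"; then
        echo "BAD: remote still uses the YOUR_SERVER_IP placeholder"
        rc=1
    fi

    # The file carries a private key: only owner-readable modes are acceptable.
    mode=$(stat -c '%a' "$f")   # GNU stat
    case "$mode" in
        600|400) ;;
        *) echo "BAD: mode $mode on a file holding a private key (use chmod 600)"; rc=1 ;;
    esac

    return "$rc"
}

# Usage on the server: check_ovpn /etc/openvpn/client-configs/files/client1.ovpn
```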

Installing and Configuring the Client

Transfer the .ovpn file to your client device securely using SCP. The file is owned by root under /etc/openvpn, so copy it with an account that can read it (or first copy it into your user's home directory with sudo cp and chown it); run this on the client:

scp user@server:/etc/openvpn/client-configs/files/client1.ovpn ~/

On Linux clients, install OpenVPN:

sudo dnf install openvpn -y

Connect using the configuration file:

sudo openvpn --config client1.ovpn

For Windows and macOS, download the OpenVPN Connect client from the official website. Import the .ovpn file through the application interface.

Testing Your VPN Connection

Once connected, verify the VPN is functioning correctly. Test connectivity to the VPN server:

ping 10.8.0.1

Successful pings confirm the tunnel is established.

Check your public IP address before and after connecting. Visit a website like whatismyip.com from your browser. Your IP should change to your VPN server’s address, indicating traffic is routing through the tunnel.

Perform a DNS leak test at dnsleaktest.com to ensure DNS queries aren’t bypassing the VPN. All DNS servers should belong to your configured provider (Google DNS in this configuration).

Troubleshooting Common Issues

If OpenVPN fails to start, check configuration syntax:

sudo openvpn --config /etc/openvpn/server/server.conf

This command runs OpenVPN in the foreground, displaying detailed error messages.

Connection timeouts usually indicate firewall or port issues. Confirm the server is listening with sudo ss -ulnp | grep 1194, then test reachability from another machine; because OpenVPN uses UDP by default, use nc -u SERVER_IP 1194 rather than telnet, which only tests TCP.

Certificate validation errors stem from incorrect file paths or permissions. Ensure certificate files are readable by the OpenVPN service:

sudo chmod 644 /etc/openvpn/easy-rsa/pki/ca.crt
sudo chmod 644 /etc/openvpn/easy-rsa/pki/issued/server.crt
sudo chmod 600 /etc/openvpn/easy-rsa/pki/private/server.key

SELinux may block OpenVPN operations. Check for denials:

sudo ausearch -m avc -ts recent

If SELinux causes problems, create appropriate policies or temporarily set it to permissive mode for testing.

Managing Client Certificates

Revoke compromised or unused client certificates to maintain security. Generate a revocation:

sudo /usr/share/easy-rsa/3/easyrsa revoke client1

Create a Certificate Revocation List (CRL):

sudo /usr/share/easy-rsa/3/easyrsa gen-crl

Update your server configuration to reference the CRL:

crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

Restart OpenVPN to apply the revocation:

sudo systemctl restart openvpn-server@server

The revoked certificate can no longer establish connections. Two caveats: OpenVPN re-reads the CRL after it has dropped to the nobody user, so crl.pem and the directories leading to it must be readable by that user; and the CRL itself expires (Easy-RSA's default EASYRSA_CRL_DAYS is 180), after which OpenVPN rejects every client until you run gen-crl again and restart the service.

Performance Optimization

Fine-tune your VPN for optimal performance. Adjust MTU (Maximum Transmission Unit) settings if you experience connection slowdowns:

tun-mtu 1500

Compression can reduce bandwidth usage, but OpenVPN 2.5 and later deprecate it because compressing data before encryption can leak information about the plaintext; enable it only if you have a specific need:

compress lz4-v2

UDP protocol offers better performance than TCP for VPN traffic. The default OpenVPN configuration uses UDP port 1194, which is ideal for most scenarios.

Choose ciphers balancing security and speed. AES-256-GCM provides excellent encryption with hardware acceleration on modern processors. On OpenVPN 2.5 and later the negotiated list is set with data-ciphers (the default already prefers AES-256-GCM), while cipher only sets the fallback for clients that cannot negotiate:

cipher AES-256-GCM

Monitor server resources to ensure your hardware handles the connection load. Use top or htop to watch CPU and memory usage.

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN server on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official OpenVPN website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.