
How To Install OpenVPN on CentOS 7


In this tutorial, we will show you how to install OpenVPN on your CentOS 7. For those of you who didn’t know, OpenVPN is an open-source application that is widely used to create secure virtual private networks over the unsecured public Internet. OpenVPN is an SSL VPN solution that tunnels your system's connection securely through the Internet. OpenVPN works in a client-server structure. All the devices connected to a virtual private network act as if they’re linked to your local area network. The packets sent through the VPN tunnel are encrypted with 256-bit AES encryption, which protects the data from theft in transit.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add ‘sudo‘ to the commands to get root privileges. I will walk you through the step-by-step installation of the OpenVPN open-source virtual private network on a CentOS 7 server.

Install OpenVPN on CentOS 7

Step 1. First, let’s start by ensuring your system is up-to-date.

yum clean all
yum -y install epel-release
yum -y update

Step 2. Installing OpenVPN on CentOS 7.

We will now install OpenVPN and Easy-RSA packages. The Easy-RSA package is provided so we can have an easier way of generating certificates:

yum install openvpn easy-rsa

Step 3. Configuring Easy-RSA.

Now that you have installed OpenVPN successfully, you have to create keys and certificates. Follow this section step by step:

mkdir -p /etc/openvpn/easy-rsa/2.0/keys

Next, we will copy the certificate generation scripts from their default location to our OpenVPN folder, keeping the 2.0 subdirectory that the rest of this tutorial refers to:

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/

We will go to the Easy-RSA directory and source the variables:

cd /etc/openvpn/easy-rsa/2.0
source ./vars

Then run “./clean-all” right away to ensure that we have a clean certificate setup:

./clean-all

Now you have to generate a “Certificate Authority (ca)” file. You will be asked for the country name etc. that you edited in the “vars” file. You can hit “Enter” to accept your default values.

Move to the following directory and build the CA:

cd /etc/openvpn/easy-rsa/2.0/
./build-ca

Step 4. Generating a server key and certificate.

Run the command below in the current directory:

./build-key-server server

We will also need to create a Diffie-Hellman parameter file. The file that is created depends on the key length. Here we use the default 2048-bit key, but you can always change it by editing the vars file in the Easy-RSA folder:

./build-dh

Step 5. OpenVPN server configuration.

We will now configure the OpenVPN server. First, create a configuration file named server.conf:

nano /etc/openvpn/server.conf

Paste the configurations below (you may change the values of port etc.):

local 192.168.77.20
port 443
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
#-ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.2.2.1"
keepalive 2 30
comp-lzo
persist-key
persist-tun
status 443status.log
log-append 443log.log
verb 3

Save the file, then enable and start the OpenVPN service:

systemctl enable openvpn@server
systemctl start openvpn@server
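
A quick check of server.conf against what this tutorial promises (AES-256, a 2048-bit Diffie-Hellman file), as an added example that is not part of the original tutorial. The function name audit_openvpn_conf, the finding labels and the choice of checks are assumptions of this example, and the DH size is read from the easy-rsa file name (dh<KEY_SIZE>.pem), not from the file contents.

```shell
#!/bin/sh
# Added example: lint server.conf for settings this tutorial depends on.
# Finding labels (WEAK/WARN/MISSING) are this example's own, not OpenVPN output.

audit_openvpn_conf() {
    # $1 = path to server.conf; prints one finding per line, nothing if clean.
    awk '
        /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
        { seen[$1] = 1 }
        $1 == "dh" {
            # easy-rsa names the file dh<KEY_SIZE>.pem, so read the size from it
            file = $2; sub(/.*\//, "", file)
            bits = file; gsub(/[^0-9]/, "", bits)
            if (bits != "" && bits + 0 < 2048)
                print "WEAK dh: " $2 " (" bits "-bit parameters)"
        }
        $1 == "cipher"   { cipher = $2 }
        $1 == "comp-lzo" { print "WARN comp-lzo: compression is enabled inside the tunnel" }
        END {
            if (!("cipher" in seen))
                print "MISSING cipher: no AES-256 cipher is set, the version default applies"
            else if (cipher !~ /^AES-256-/)
                print "WEAK cipher: " cipher
            if (!("tls-auth" in seen) && !("tls-crypt" in seen))
                print "MISSING tls-auth: no extra HMAC layer on the control channel"
        }
    ' "$1"
}

# Constructed sample: a cut-down server.conf with a 1024-bit DH file name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 443
proto tcp
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
#-ifconfig-pool-persist ipp.txt
comp-lzo
EOF
audit_openvpn_conf "$sample"
rm -f "$sample"
```

Run it as audit_openvpn_conf /etc/openvpn/server.conf; an empty result means none of the four checks fired.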

Step 6. Configure Iptables for OpenVPN.

We need to add an iptables NAT rule so that client machines can reach the Internet through the server. Use the rule that matches your virtualization type:

### KVM ###
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

### OpenVZ ###
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.77.20
iptables-save

Next, edit sysctl.conf to enable packet forwarding:

nano /etc/sysctl.conf

Add the line:

net.ipv4.ip_forward=1

Step 7. Create client certificate and key.

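The following script generates a client certificate and key and bundles them with a client configuration. Create a file named client:

nano client

Add the following lines:

#!/bin/bash
# Build a client certificate and key, then bundle them with a matching .ovpn profile.
cd /etc/openvpn/easy-rsa/2.0/ || exit 1
echo -en "Nama Client: "
read -r client
# The name is used in rm, cp and zip below, so accept only plain file-name characters.
case "$client" in
""|*[!A-Za-z0-9_-]*) echo "Invalid client name" >&2; exit 1 ;;
esac
echo -en "Server IP: "
read -r servip
echo -en "TCP or UDP?: "
read -r proto
echo -en "Server port: "
read -r servport
# Load the Easy-RSA variables from the current directory.
source ./vars
echo "####################################"
echo "Feel free to accept default values"
echo "####################################"
./build-key "$client"
cd /etc/openvpn/easy-rsa/2.0/keys || exit 1
# Remove the bundle directory left by a previous run for the same client.
rm -rf "$client"
echo "client
dev tun
proto $proto
remote $servip $servport
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert $client.crt
key $client.key
;auth-user-pass
comp-lzo
verb 3" > "$client.ovpn"
mkdir "d${client}"
# Copy only this client's files; a ${client}* glob would also pick up
# the keys of other clients whose names start with the same prefix.
cp "$client.crt" "$client.key" "$client.ovpn" "d${client}"
cp ca.crt "d${client}"
mv "d${client}" "$client"
zip -r "$client.zip" "$client"
# The archive contains the client's private key. If a web server is serving
# /var/www/html, anyone who can guess the URL can download it, so delete
# this copy as soon as the client has fetched it.
cp "$client.zip" /var/www/html
echo "Now grab the $client.zip file and extract it under your Openvpn\config dir!"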

Make the script executable and run it:

chmod 755 client
./client

Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing OpenVPN open-source virtual private network on your CentOS 7 system. For additional help or useful information, we recommend you check the official OpenVPN website.


r00t

r00t is a seasoned Linux system administrator with a wealth of experience in the field. Known for his contributions to idroot.us, r00t has authored numerous tutorials and guides, helping users navigate the complexities of Linux systems. His expertise spans across various Linux distributions, including Ubuntu, CentOS, and Debian. r00t's work is characterized by his ability to simplify complex concepts, making Linux more accessible to users of all skill levels. His dedication to the Linux community and his commitment to sharing knowledge makes him a respected figure in the field.