Setting up and Configuring an OpenVPN Server on CentOS 7
In this tutorial we will teach you how to install and configure OpenVPN for a CentOS 7 VPS. We’ll be discussing how you can connect a client to the VPS on Windows, OS X, and Linux.
OpenVPN is an open source VPN application which lets you make and join a private network securely over the public internet.
You will need these Prerequisities:
- CentOS 7 VPS
- root access to the vps (certain steps cannot be completed with just sudo access)
- Domain or sub domain that resolves to your server that you may use for the certificates
Before beginning you will have to install the Extra Packages for Enterprise Linux (EPEL) repository. This is because OpenVPN is not available in the default CentOS repositories. The EPEL repository is an extra repository managed by the Fedora Project which holds non-standard yet popular packages.
yum install epel-release
Step 1 – Installing OpenVPN
For starters, you will have to install OpenVPN. You will have to install Easy RSA to generate our SSL key pairs, which should secure our VPN connections.
yum install openvpn easy-rsa –y
Step 2 – Configuring OpenVPN
OpenVPN will have a couple example configuration files in its documentation directory. You can copy the sample ‘server.conf’ file as a starting point for your own configuration file.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Now open the file to modify it.
There are a couple lines which you will need to replace in this file.
A lot of the lines just require to be uncommented by deleting the ‘;’. Other changes will be marked in red.
After you generate the keys later, the default ‘Diffie-Hellman’ encryption length for Easy RSA should be 2048 bytes, so you will want to replace the dh filename to dh2048.pem.
You have to uncomment the push ‘redirect-gateway def1 bypass-dhcp’ line, what it does is tell the client to redirect all traffic using your OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
Now, you will want to provide DNS servers to the client, though it will not be able to use the default DNS servers given by your Internet service provider.
We will be using Google’s public DNS servers, 184.108.40.206 along with 220.127.116.11.
You can do this by uncommenting the push ‘dhcp-option DNS’ lines before updating the IP addresses like shown in the following below.
push "dhcp-option DNS 18.104.22.168" push "dhcp-option DNS 22.214.171.124"
You will need OpenVPN to run using no privileges after its started, then we have to tell it to run with a user and group of nobody.
user nobody group nobody
To enable this you must uncomment these lines: user nobodygroup nobody.
Finally, save and exit the OpenVPN server configuration file and then proceed to the next step.
Step 3 – Generating Keys and Certificates
Since the server is now configured, you will have to generate your keys and certificates. Easy RSA will install some scripts to generate these keys and certificates.
You will now create a directory for the keys to go in.
mkdir -p /etc/openvpn/easy-rsa/keys
Next you will also want to copy the key and certificate generation scripts into the directory.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
In order to make things easier, you will be modifying the default values the script uses so that you will not need to enter your information every time. The information will be stored in the vars file; open it for editing.
You will need to change the values which start with ‘KEY_’ before updating the following values to be accurate for your organization.
The ones which matter the most are those shown here:
KEY_NAME: You will enter server here; you can type something different but you would then need to update the configuration files which reference ‘server.key’ and ‘server.crt’.
KEY_CN: Type the domain or subdomain which resolves to your server.
With any other values, you may type information for your organization based on the variable name.
. . . # These are the default values for fields# which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="NY" export KEY_CITY="New York" export KEY_ORG="DreamVPS" export KEY_EMAIL="[email protected]" export KEY_OU="Community" # X509 Subject Field export KEY_NAME="server" . . . export KEY_CN=openvpn.example.com . . .
You can delete the chance of your OpenSSL configuration not loading because of the version being undetectable. You can do this by copying the needed configuration file and deleting the version number.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
In order to begin generating your keys and certificates, you have to go into your ‘easy-rsa’ directory and source in your new variables.
cd /etc/openvpn/easy-rsa source ./vars
Now you can clean up any keys or certificates which could already be in this folder and generate your certificate authority.
After you build the certificate authority, you will be asked to type all of the information you put into the ‘vars’ file but you will notice that your options are already set as the defaults. In that case you can simply press ‘ENTER’ for each one.
The next step is generate the key and certificate for the server. Once more you may just go through the questions and press ‘ENTER’ for each one to use your defaults. In the end, answer ‘Y’ (yes) to commit these changes.
We also have to generate a ‘Diffie-Hellman’ key exchange file. The command should take a minute or two to complete.
Now that you have got your server keys and certificates. Copy them all into the OpenVPN directory.
cd /etc/openvpn/easy-rsa/keyscp dh2048.pem ca.crt server.crt server.key /etc/openvpn
The clients will all need certificates to be able to authenticate. The certificates and keys are shared with your clients, we also recommended that you generate separate keys and certificates for every client you plan on connecting.
Ensure that, if you do this, you hand them descriptive names. For now we’ll be having one client so we are just going to call it ‘client’.
cd /etc/openvpn/easy-rsa. /build-key client
This is it for keys and certificates.
Step 4 – Routing
In order to keep things easy, you can do your routing directly with ‘iptables’ other than the new firewalld.
For starters, ensure the ‘iptables’ service is installed and enabled.
yum install iptables-services -y systemctl mask firewalld systemctl enable iptables systemctl stop firewalld systemctl start iptablesiptables --flush
Now append a rule to ‘iptables’ to forward your routing to your OpenVPN subnet, then save this rule.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables-save > /etc/sysconfig/iptables
Next you should enable IP forwarding in sysctl. Open ‘sysctl.conf’ for editing.
Append the following line at the top of the file: net.ipv4.ip_forward = 1.
Now restart the network service so that the IP forwarding takes effect. systemctl restart network.service.
Step 5 – Starting OpenVPN
You are now ready to run your OpenVPN service. Add it to systemctl.
systemctl -f enable [email protected]
systemctl start [email protected]
This is all that is needed for OpenVPN.
We will now talk about how you can connect a client to the server.
Step 6 – Configuring a Client
Regardless of your client machine’s operating system, you will need to get a copy of the ‘ca’ certificate from the server, as well as the client key and certificate.
Look for the following files on the server. If you have generated a few client keys with unique descriptive names, then the key and certificate names should be different.
In our tutorial we have used ‘client’.
/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/client.crt /etc/openvpn/easy-rsa/keys/client.key
Copy the three files into your client machine. You may use SFTP or any other method that you prefer. You may even open the files in your text editor before copying and pasting the contents into new files on the client machine.
Just ensure you make a note of the place you have saved them.
You will be creating a file called ‘client.ovpn’ which is going to be a configuration file for an OpenVPN client which, in turn, tells it how it can connect to the server.
You will want to replace the first line to reflect the name you have given the client in your key and certificate; in our example it would be just ‘client’.
You will also have to update the IP addresses from ‘server_ip_here’ to the IP address of your server; the port 119 may be the same
Ensure the paths to your key and certificate files are right.
client dev tun proto udp remote your_server_ip 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 ca /path/to/ca.crt cert /path/to/client.crt key /path/to/client.key
You will now be able to use this file by every OpenVPN client connecting to your server.
For windows you will require the official OpenVPN Community Edition; it should be with a GUI.
Now, put your ‘.ovpn’ configuration file into the right directory, ‘C:\Program Files\OpenVPN\config’ and then click connect in the GUI. OpenVPN Gui on windows will be executed with administrative privileges.
For Mac OS X, the open source application ‘Tunnelblick’, which gives an interface close to the OpenVPN GUI on windows, then comes along with OpenVPN and the needed TUN/TAP drivers.
Like with windows, the needed step here is to put your ‘.opvpn’ configuration file inside the ‘~/Library/Application/Support/Tunnelblick/Configurations’ directory. Alternatively, you can just double-click on your ‘.ovpn’ file.
For Linux: you need to install OpenVPN from your distribution’s official repositories. You may then invoke OpenVPN by running the below.
sudo openvpn --config ~/path/to/client.ovpn
Congratulations, you should now have a fully operational virtual private network running on your OpenVPN server.
Once you have established a successful client connection, you may verify that your traffic is getting routed using the VPN by checking google to reveal your public IP