
Setting up and Configuring an OpenVPN Server on CentOS 7

02 Nov 2017

Introduction

In this tutorial we will show you how to install and configure OpenVPN on a CentOS 7 VPS, and how to connect a Windows, OS X or Linux client to it.

OpenVPN is an open source VPN application which lets you make and join a private network securely over the public internet.

Prerequisites

You will need the following:

  • CentOS 7 VPS
  • root access to the VPS (some steps below are run from a root shell rather than through sudo)
  • Domain or subdomain that resolves to your server, which you can use in the certificates

Before beginning you will have to install the Extra Packages for Enterprise Linux (EPEL) repository. This is because OpenVPN is not available in the default CentOS repositories. The EPEL repository is an extra repository managed by the Fedora Project which holds non-standard yet popular packages.

yum install epel-release

Step 1 – Installing OpenVPN

First install OpenVPN itself, together with Easy RSA, whose scripts create the certificate authority and the TLS certificates and keys that the server and clients use to authenticate each other.

yum install openvpn easy-rsa -y

Step 2 – Configuring OpenVPN

OpenVPN will have a couple example configuration files in its documentation directory. You can copy the sample ‘server.conf’ file as a starting point for your own configuration file.

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Now open the file to modify it.

vi /etc/openvpn/server.conf

There are a few lines you will need to change in this file.

Many of them just need to be uncommented by deleting the leading ‘;’. Others need a new value, as noted below.

Easy RSA’s build-dh script generates Diffie-Hellman parameters of the size set in its vars file, 2048 bits by default, so make sure the dh line names dh2048.pem (older sample configurations read dh1024.pem):

dh dh2048.pem

Uncomment the push ‘redirect-gateway def1 bypass-dhcp’ line; it tells the client to send all of its traffic through the VPN rather than only traffic destined for the VPN subnet.

push "redirect-gateway def1 bypass-dhcp"

Since all traffic now goes through the tunnel, also push DNS servers to the client; otherwise it keeps using the resolvers handed out by its local network, which may be unreachable through the tunnel or leak the names it looks up outside it.

We will use Google’s public DNS servers, 8.8.8.8 and 8.8.4.4.

Uncomment the push ‘dhcp-option DNS’ lines and change the addresses as shown below. (On Linux clients the pushed servers only take effect if the client runs an up/down script that applies them; Windows and Tunnelblick handle this themselves.)

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

OpenVPN should drop its privileges once it has started, so tell it to run as the unprivileged user and group nobody by uncommenting these two lines:

user nobody
group nobody

One more line deserves attention while the file is open: the sample server.conf ships with tls-auth ta.key 0 enabled, which adds an HMAC check to every control-channel packet and discards packets that fail it. This tutorial never generates that key, so either create ta.key on the server and give each client a copy (with tls-auth ta.key 1 in the client configuration), or comment the line out. A client without the key fails with “TLS Error: cannot locate HMAC in incoming packet”, as readers report in the comments below.

Finally, save and exit the OpenVPN server configuration file and proceed to the next step.
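The Step 2 edits above, collected into a script as an added example (not part of the original tutorial): it applies the same changes to a copy of the sample server.conf with sed and then checks that every required directive is present and uncommented. It assumes the sample’s convention of a leading ‘;’ for commented-out directives; the DNS servers and the nobody user/group are the tutorial’s choices.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: apply the Step 2 edits to a
# copy of OpenVPN's sample server.conf with sed instead of by hand, then check
# that every required directive is present and uncommented.
# Assumption: the file follows the sample's convention of ';' for commented-out
# directives; the DNS servers and the nobody user/group are the tutorial's choices.
set -u

# Strip a leading ';' from one exact directive line, if it is commented out.
uncomment_directive() {            # $1 = file, $2 = exact directive text
    sed -i "s|^;\($2\)\$|\1|" "$1"
}

# Set the value of a single-valued directive (e.g. dh), commented or not.
set_directive() {                  # $1 = file, $2 = directive, $3 = value
    sed -i "s|^;\{0,1\}$2 .*\$|$2 $3|" "$1"
}

# Replace every pushed DNS server (commented or live) with the given list.
set_push_dns() {                   # $1 = file, $2.. = DNS server addresses
    local conf="$1" ip
    shift
    sed -i '/^;\{0,1\}push "dhcp-option DNS /d' "$conf"
    for ip in "$@"; do
        printf 'push "dhcp-option DNS %s"\n' "$ip" >> "$conf"
    done
}

# The tutorial's Step 2 edits, applied in one go.
configure_server_conf() {          # $1 = path to server.conf
    local conf="$1"
    set_directive "$conf" dh dh2048.pem
    uncomment_directive "$conf" 'push "redirect-gateway def1 bypass-dhcp"'
    set_push_dns "$conf" 8.8.8.8 8.8.4.4
    uncomment_directive "$conf" 'user nobody'
    uncomment_directive "$conf" 'group nobody'
}

# Check the result: print each required directive that is missing or still
# commented out and return 1 if there were any; return 0 when all are live.
verify_server_conf() {             # $1 = path to server.conf
    local conf="$1" missing=0 line
    while IFS= read -r line; do
        grep -qxF "$line" "$conf" || { echo "missing: $line"; missing=1; }
    done <<'EOF'
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
EOF
    return $missing
}

# Usage on the server, after the cp in Step 2:
#   configure_server_conf /etc/openvpn/server.conf && verify_server_conf /etc/openvpn/server.conf
```

verify_server_conf is the part worth keeping around: run it again after any later hand edit, since a directive that is present but still prefixed with ‘;’ is the most common reason the server comes up without pushing routes or DNS.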

Step 3 – Generating Keys and Certificates

With the server configured, you now need to generate the certificate authority, keys and certificates. Easy RSA provides scripts for this.

You will now create a directory for the keys to go in.

mkdir -p /etc/openvpn/easy-rsa/keys

Next copy the key and certificate generation scripts into that directory. This path belongs to the easy-rsa 2.x package that EPEL shipped at the time; easy-rsa 3 uses a different layout and a single easyrsa command instead of these scripts, so if the directory does not exist, check which version you installed.

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

To avoid typing the same information at every prompt, set the defaults the scripts use in the vars file; open it for editing.

vi /etc/openvpn/easy-rsa/vars

Update the values that start with ‘KEY_’ so they are accurate for your organization. The ones that matter most are:

KEY_NAME: Enter server here. You can choose something different, but then you must update the configuration lines that reference ‘server.key’ and ‘server.crt’.

KEY_CN: Enter the domain or subdomain that resolves to your server.

For the remaining values, fill in your organization’s details according to the variable name.

. . . 

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY" 
export KEY_CITY="New York" 
export KEY_ORG="DreamVPS"
export KEY_EMAIL="[email protected]"
export KEY_OU="Community" # X509 Subject Field
export KEY_NAME="server" 

. . . 

export KEY_CN=openvpn.example.com 

. . .

Easy RSA’s scripts try to detect the installed OpenSSL version in order to pick the matching openssl-*.cnf, and fail to load it when the version is not recognised. Avoid that by copying the needed configuration file to a name without the version number.

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

In order to begin generating your keys and certificates, you have to go into your ‘easy-rsa’ directory and source in your new variables.

cd /etc/openvpn/easy-rsa
source ./vars

Now you can clean up any keys or certificates which could already be in this folder and generate your certificate authority.

./clean-all

When you build the certificate authority, you will be asked for all of the information you put into the ‘vars’ file, with your values already set as the defaults, so you can simply press ‘ENTER’ for each one.

./build-ca

Next generate the key and certificate for the server. Once more you may press ‘ENTER’ for each question to accept your defaults. At the end, answer ‘y’ (yes) to both the ‘Sign the certificate?’ and the ‘commit?’ prompts: the default for each is ‘n’, and pressing ‘ENTER’ there leaves you with an empty server.crt, the 0-byte file several readers ran into.

./build-key-server server

You also have to generate the Diffie-Hellman parameters file (dh2048.pem, matching the ‘dh’ line in server.conf). This can take a few minutes.

./build-dh

Now that you have your server keys and certificates, copy them into the OpenVPN directory.

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Every client needs its own certificate and key to authenticate. Generate a separate pair for each client you plan to connect rather than sharing one: a per-client certificate can be revoked on its own if that client’s key is lost, and the server’s log then shows which client connected.

If you do this, give them descriptive names. For now we have one client, so we will just call it ‘client’.

cd /etc/openvpn/easy-rsa
./build-key client

As with the server certificate, answer ‘y’ at both the ‘Sign the certificate?’ and the ‘commit?’ prompts; pressing ‘ENTER’ leaves client.crt empty.

This is it for keys and certificates.
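Before copying anything to a client, it is worth checking what Step 3 actually produced. The script below is an added example, not part of the original tutorial: it catches the two failures readers report in the comments (0-byte .crt files from the ‘Sign the certificate?’ prompt, and a missing ta.key while the sample server.conf has tls-auth enabled), checks that private keys are not world-readable, and, where openssl is available, verifies that each certificate chains to ca.crt. It assumes the easy-rsa 2.x layout with output in /etc/openvpn/easy-rsa/keys (override with KEYS_DIR), GNU stat, and openvpn on the PATH for the ta.key generation.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: sanity-check what Step 3
# produced before copying anything to a client. Readers of this tutorial hit
# two problems that these checks catch: 0-byte .crt files (the "Sign the
# certificate?" prompt defaulted to 'n') and a missing ta.key while the sample
# server.conf has tls-auth enabled. Assumptions: easy-rsa 2.x layout with the
# output in /etc/openvpn/easy-rsa/keys, GNU stat, and openssl/openvpn on the
# PATH for the chain check and the key generation.
set -u

KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"

# Return 0 if the file is non-empty and holds a PEM block whose type matches
# the basic regex in $2 (e.g. CERTIFICATE, 'DH PARAMETERS'); otherwise print
# the reason and return 1.
pem_block_ok() {                   # $1 = file, $2 = PEM type (grep BRE)
    local f="$1" t="$2"
    [ -s "$f" ] || { echo "$f: empty or missing"; return 1; }
    grep -q "^-----BEGIN $t-----" "$f" && grep -q "^-----END $t-----" "$f" \
        || { echo "$f: no '$t' PEM block"; return 1; }
}

# Private keys must not be group- or world-readable.
key_mode_ok() {                    # $1 = file
    local mode
    mode=$(stat -c %a "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode, expected 600"; return 1 ;;
    esac
}

# Does a leaf certificate chain to the CA? (Needs openssl; not run by the test.)
chain_ok() {                       # $1 = ca.crt, $2 = leaf .crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create the tls-auth key the sample server.conf expects, if it does not exist.
ensure_tls_auth_key() {            # $1 = path for ta.key
    [ -s "$1" ] || openvpn --genkey --secret "$1"
    chmod 600 "$1"
}

# Check the server-side artefacts plus one client's certificate and key.
# Prints each failure and returns 1 if anything is wrong, 0 otherwise.
check_pki() {                      # $1 = client name (default: client)
    local client="${1:-client}" d="$KEYS_DIR" rc=0 leaf
    pem_block_ok "$d/ca.crt"      CERTIFICATE                    || rc=1
    pem_block_ok "$d/dh2048.pem" 'DH PARAMETERS'                 || rc=1
    for leaf in server "$client"; do
        pem_block_ok "$d/$leaf.crt" CERTIFICATE                  || rc=1
        pem_block_ok "$d/$leaf.key" '\(RSA \)\{0,1\}PRIVATE KEY' || rc=1
        key_mode_ok  "$d/$leaf.key"                              || rc=1
        if command -v openssl >/dev/null 2>&1; then
            chain_ok "$d/ca.crt" "$d/$leaf.crt" \
                || { echo "$leaf.crt does not chain to ca.crt"; rc=1; }
        fi
    done
    return $rc
}

# On the server, after Step 3:
#   check_pki client && ensure_tls_auth_key /etc/openvpn/ta.key
```

The easy-rsa 2.x scripts write key files with the shell’s umask, so key_mode_ok will often complain on a fresh run; chmod 600 the .key files before copying them anywhere. If check_pki reports an empty .crt, rerun the corresponding build-key script and answer ‘y’ at the signing prompts.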

Step 4 – Routing

To keep things simple, do the routing directly with ‘iptables’ rather than the newer firewalld.

First make sure the ‘iptables’ service is installed and enabled, and that firewalld is stopped and masked so the two do not fight over the rules. Note that ‘iptables --flush’ removes every rule but leaves the chains’ default ACCEPT policies in place, so after this step the host has no packet filter at all until you add one.

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush

Now add a NAT rule so that traffic from your OpenVPN subnet (10.8.0.0/24, the default ‘server’ subnet in the sample configuration) is masqueraded behind the server’s public address, then save the rules so they survive a reboot. ‘eth0’ must be the name of the server’s uplink interface; on some CentOS 7 images it is a name like ‘ens3’ instead, so check with ‘ip route show default’ first.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Next enable IP forwarding in sysctl, otherwise the kernel will not route client packets out of the server. Open ‘sysctl.conf’ for editing.

vi /etc/sysctl.conf

Add the following line to the file: net.ipv4.ip_forward = 1

Then apply it with sysctl -p (restarting the network service with systemctl restart network.service also re-reads the file).
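Because the flush in this step leaves the host with no packet filter, the practitioner’s version of Step 4 writes a complete rules file rather than a single NAT rule. The script below is an added example, not part of the original tutorial: it generates an iptables-restore file containing the tutorial’s MASQUERADE rule together with a default-DROP INPUT chain that admits only loopback, established traffic, ICMP, SSH and OpenVPN’s UDP port, and a FORWARD chain that routes only between the VPN subnet and the uplink. It assumes 10.8.0.0/24 is the ‘server’ subnet from the sample server.conf, that the tunnel device is tun0, and that eth0 is the uplink unless you pass another name.

```shell
#!/bin/bash
# Added example, not part of the original tutorial. After 'iptables --flush' the
# chains keep their default ACCEPT policy, so the host is left with no packet
# filter at all. This builds a complete /etc/sysconfig/iptables that contains the
# tutorial's MASQUERADE rule plus the rules a practitioner would want with it:
# accept loopback and established traffic, SSH and OpenVPN's UDP port, forward
# only between the VPN subnet and the uplink, drop everything else inbound.
# Assumptions: 10.8.0.0/24 is the 'server 10.8.0.0 255.255.255.0' subnet from the
# sample server.conf, the tunnel device is tun0, and eth0 is the uplink unless
# overridden.
set -u

# Name of the interface carrying the default route, i.e. the real "eth0".
uplink_iface() {
    ip -4 route show default 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print an iptables-restore file for the given uplink, VPN subnet and ports.
gen_iptables_rules() {             # $1 = uplink, $2 = VPN subnet, $3 = OpenVPN UDP port, $4 = SSH port
    local uplink="${1:-eth0}" subnet="${2:-10.8.0.0/24}" vpn_port="${3:-1194}" ssh_port="${4:-22}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The tutorial's rule: source-NAT VPN clients behind the server's public address.
-A POSTROUTING -s $subnet -o $uplink -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $vpn_port -m conntrack --ctstate NEW -j ACCEPT
# Forward VPN client traffic out through the uplink and let the replies back in;
# nothing else is routed through this host.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o $uplink -s $subnet -j ACCEPT
COMMIT
EOF
}

# Install the rules and enable forwarding persistently (run as root on the server).
apply_rules() {                    # $1 = uplink (default: detected from the routing table)
    local uplink="${1:-$(uplink_iface)}"
    gen_iptables_rules "${uplink:-eth0}" > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
    grep -qx 'net.ipv4.ip_forward = 1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
}
```

Run apply_rules from a console session or with a second SSH connection open: if the detected uplink name or SSH port is wrong, the DROP policy locks you out, and the file written to /etc/sysconfig/iptables is what the iptables service reloads at boot.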

Step 5 – Starting OpenVPN

You are now ready to run your OpenVPN service. Enable it in systemd; the instance name ‘server’ refers to /etc/openvpn/server.conf.

systemctl -f enable openvpn@server.service

Start OpenVPN.

systemctl start openvpn@server.service

This is all that is needed for OpenVPN.

We will now talk about how you can connect a client to the server.

Step 6 – Configuring a Client

Regardless of your client machine’s operating system, you will need to get a copy of the ‘ca’ certificate from the server, as well as the client key and certificate.

Look for the following files on the server. If you generated several client keys with distinct descriptive names, substitute those names; in this tutorial we used ‘client’.

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key

Copy the three files into your client machine. You may use SFTP or any other method that you prefer. You may even open the files in your text editor before copying and pasting the contents into new files on the client machine.

Just ensure you make a note of the place you have saved them.

Now create a file called ‘client.ovpn’, the OpenVPN client configuration that tells the client how to connect to the server.

Replace ‘your_server_ip’ on the ‘remote’ line with your server’s IP address (or the hostname you set as KEY_CN); the port stays 1194 unless you changed it in server.conf.

Make sure the paths to your CA certificate, client certificate and key are correct, and that ‘comp-lzo’ matches the server: compression must be enabled on both sides or on neither. If your server.conf still has ‘tls-auth ta.key 0’ enabled, the client also needs a copy of ta.key and the line ‘tls-auth /path/to/ta.key 1’.

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key

This file works with every OpenVPN client. Give each client its own certificate and key, though, rather than copying one profile to several machines.
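Instead of moving four files and editing three paths on every client, OpenVPN lets a profile carry its certificates and keys inline between <ca>, <cert>, <key> and <tls-auth> tags. The script below is an added example, not part of the original tutorial: it builds such a single-file client.ovpn from the files produced in Step 3, refuses to continue if any of them is empty (the 0-byte .crt problem from the comments), and embeds ta.key with the matching ‘key-direction 1’ when the server uses tls-auth. It also adds ‘remote-cert-tls server’, which is not in the tutorial’s profile: it makes the client reject a server certificate that was not issued with build-key-server’s server extensions, so a stolen client certificate cannot be used to impersonate the server. The server address, port and client name are the tutorial’s placeholders.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: produce a single client.ovpn
# with the CA certificate, client certificate, client key and, if the server
# uses tls-auth, the shared ta.key embedded inline, so only one file has to be
# moved to the client and no 'ca/cert/key' paths need editing there. The inline
# <ca>/<cert>/<key>/<tls-auth> syntax and key-direction are OpenVPN's own;
# 'remote-cert-tls server' is an addition to the tutorial's profile.
set -u

# Emit a file as an inline block: <tag> ... </tag>
inline_block() {                   # $1 = tag, $2 = file
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# Build the client profile on stdout; returns 1 if a required file is missing/empty.
make_inline_ovpn() {               # $1 = server host/IP, $2 = client name, $3 = keys dir, [$4 = ta.key]
    local server="$1" client="$2" dir="$3" ta="${4:-}" f
    for f in "$dir/ca.crt" "$dir/$client.crt" "$dir/$client.key"; do
        [ -s "$f" ] || { echo "make_inline_ovpn: $f missing or empty" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
EOF
    inline_block ca   "$dir/ca.crt"
    inline_block cert "$dir/$client.crt"
    inline_block key  "$dir/$client.key"
    if [ -n "$ta" ]; then
        [ -s "$ta" ] || { echo "make_inline_ovpn: $ta missing or empty" >&2; return 1; }
        # The server side is 'tls-auth ta.key 0'; the client must use direction 1.
        echo "key-direction 1"
        inline_block tls-auth "$ta"
    fi
}

# On the server, after Step 3 (replace the address with your server's):
#   make_inline_ovpn 203.0.113.10 client /etc/openvpn/easy-rsa/keys /etc/openvpn/ta.key > client.ovpn
```

The resulting file contains the client’s private key, so move it with SFTP or another authenticated channel and delete the server-side copy once the client has it; the same profile imports unchanged into the Windows GUI, Tunnelblick and the Linux command-line client.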

Windows:

For Windows you need the official OpenVPN Community Edition installer, which includes the OpenVPN GUI.

Put your ‘.ovpn’ configuration file into ‘C:\Program Files\OpenVPN\config’ and click Connect in the GUI. The OpenVPN GUI on Windows runs with administrative privileges, which it needs to add routes and configure the TAP adapter.

OS X:

For Mac OS X, the open source application ‘Tunnelblick’ provides an interface similar to the OpenVPN GUI on Windows and ships with OpenVPN and the needed TUN/TAP drivers.

As with Windows, put your ‘.ovpn’ configuration file inside the ‘~/Library/Application Support/Tunnelblick/Configurations’ directory, or simply double-click the ‘.ovpn’ file.

Linux:

For Linux: you need to install OpenVPN from your distribution’s official repositories. You may then invoke OpenVPN by running the below.

sudo openvpn --config ~/path/to/client.ovpn

Conclusion

Congratulations, you should now have a fully operational virtual private network running on your OpenVPN server.

Once a client connection is established, verify that your traffic is routed through the VPN by checking your public IP address (for example by searching Google for “what is my IP”): it should now be the server’s address, not your own.

4 Replies to “Setting up and Configuring an OpenVPN Server on CentOS 7”

  1. Same thing

    cd /etc/openvpn/easy-rsa./build-key client

    is

    cd /etc/openvpn/easy-rsa
    ./build-key client

    cd /etc/openvpn/easy-rsa/keyscp dh2048.pem ca.crt server.crt server.key /etc/openvpn

    is

    cd /etc/openvpn/easy-rsa/keys
    cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

    yum install iptables-services -ysystemctl mask firewalldsystemctl enable iptablessystemctl stop firewalldsystemctl start iptablesiptables –flush

    is

    yum install iptables-services -y
    systemctl mask firewalld
    systemctl enable iptables
    systemctl stop firewalld
    systemctl start iptables
    iptables --flush

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADEiptables-save > /etc/sysconfig/iptables

    becomes

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables-save > /etc/sysconfig/iptables

  2. Hi,

    I ran all the steps but client.crt and server.crt are empty (0 bytes) and OpenVPN (Windows) gives me this error:

    openssl … PEM routines: PEM_read_bio: no start line
    SSL routines: SSL_CTS_use_certificate_file:PEM lib
    Cannot load certificate file \client.crt <—— this file exists but is empty

    Best Regards,

    Mario.

  3. I followed the guide and setup ovpn on Windows. Got this error:

    TLS Error: cannot locate HMAC in incoming packet from [AF_INET]

    Solved putting ta.key on the client configuration and adding this line to client.ovpn:

    tls-auth /path/to/ta.key 1

  4. openssl … PEM routines: PEM_read_bio: no start line

    is solved. When

    ./build-key-server server

    is run, you must reply “y” to the question “Sign the certificate?”. If you press Enter, the default is “n” and the crt file is empty.

    Thanks.
