Setup and Configuration of OpenVPN Server on CentOS 7.2

This tutorial will help you install and configure an OpenVPN server on CentOS 7.2 x64 with certificate authentication. It will also help you set up the OpenVPN client on Windows, Linux or Mac.

Prerequisites

We will need the following to successfully set up an OpenVPN server:
- A CentOS 7.2 x64 VPS server
- Root Access to the server
- An SSH client (you can download Putty[1] or Bitvise[2], depending on your operating system and preference)

When you have all these ingredients, we can start setting up our OpenVPN server. Please follow the guide carefully. Remember, you can always copy and paste the commands below for ease of installation and configuration.

Installing OpenVPN Server

First, update your CentOS distribution:

yum update

Then we will install the EPEL repo. The EPEL repo is an open-source, community-based repository of the Fedora Team which provides 100% quality add-on software packages.

yum install epel-release

We will now install the OpenVPN and Easy-RSA packages. The Easy-RSA package gives us an easier way of generating certificates.

yum install openvpn easy-rsa

Generate Keys & Certificates

We will need to create a folder so we can store the keys and certificates that we will generate later.

mkdir -p /etc/openvpn/easy-rsa/keys

Next, we will copy the certificate generation scripts from their default location to our OpenVPN folder.

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

We will go to the easy-rsa directory and source the variables.

cd /etc/openvpn/easy-rsa
source ./vars

Then we will clean all the existing keys & certificates (if any) and generate the new certificate authority.

./clean-all

When building the certificate authority we will be asked for information such as the country, organization and department. You can fill in your own information, or press Enter to leave each field as it is.

./build-ca

Next we will generate the key and certificate for the OpenVPN server. You will be asked the same questions as in the previous command, which you can fill in or skip by pressing Enter. The command below creates the key and certificate with the filename server. After entering your information, you will be asked to sign the certificate; press "y" to approve.

./build-key-server server

We will also need to create a Diffie-Hellman file. How long this takes depends on the key length. By default we will use a 2048-bit key, but you can always change it by editing the vars file in the easy-rsa folder. Key generation may take a minute or two.

./build-dh

Since this guide is all about OpenVPN authentication using client certificates, we will also need to generate a certificate for our client. Without this certificate, our client will not be able to log in to the OpenVPN server. Always keep this client certificate safe; you should never distribute your own certificate to others. If you want others to use your OpenVPN server, create a separate client certificate for each of them with the command below. For this guide we will create a certificate for "John".

./build-key john

john.key and john.crt will be the filenames of the client key and certificate.

For the above commands we will have the following keys and certificates in the folder /etc/openvpn/easy-rsa/keys

server.key
server.crt
john.key
john.crt
ca.crt
ca.key
dh2048.pem

You will need to download john.key, john.crt and ca.crt for use by the OpenVPN client. Copy them over an encrypted channel such as SCP or SFTP; ca.key and server.key stay on the server.

Configuring OpenVPN

We will now configure the OpenVPN server. First, create a configuration file named server.conf

nano /etc/openvpn/server.conf

Then we will fill in the file using the basic configuration below. For more information on the configuration options, please see man openvpn[3].

port 443    
proto tcp    
dev tun    
server 10.11.0.0 255.255.255.0    
ca /etc/openvpn/easy-rsa/keys/ca.crt    
cert /etc/openvpn/easy-rsa/keys/server.crt    
key /etc/openvpn/easy-rsa/keys/server.key    
dh /etc/openvpn/easy-rsa/keys/dh2048.pem  
persist-key    
persist-tun    
keepalive 10 60    
reneg-sec 0    
comp-lzo    
tun-mtu 1468    
tun-mtu-extra 32    
mssfix 1400    
push "persist-key"    
push "persist-tun"    
push "redirect-gateway def1"    
push "dhcp-option DNS 8.8.8.8"    
push "dhcp-option DNS 8.8.4.4"    
status /etc/openvpn/443.log    
verb 3    

Save the file and exit.

Next we need to run and enable OpenVPN on startup.

systemctl start openvpn@server.service
systemctl -f enable openvpn@server.service

Routing & Forwarding Rules

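We will need to add an iptables rule so that VPN clients can reach the internet through the server. Replace $serverip with your server's IP address. The second command, iptables-save, prints the resulting rule set so you can check that the rule is present; run on its own like this, it does not write the rules to disk.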

iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -j SNAT --to $serverip
iptables-save

Next, edit sysctl.conf to enable packet forwarding. Open the file /etc/sysctl.conf and add the line:

net.ipv4.ip_forward=1

Then apply it with:

sysctl -p
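
The routing only works when the subnet in the server directive, the source of the NAT rule and the forwarding setting agree. The following check is an added example, not part of the original guide; the function names and the sample rule (with the documentation address 203.0.113.10) are constructed for illustration. It reads config text rather than the live system, so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not from the original guide. Sample inputs are constructed.

# Print the VPN subnet of a server.conf on stdin in CIDR form,
# e.g. "server 10.11.0.0 255.255.255.0" -> 10.11.0.0/24.
vpn_cidr() {
    awk '$1 == "server" {
        n = 0; split($3, m, ".")
        # Count the set bits of each netmask octet (assumes a contiguous mask)
        for (i = 1; i <= 4; i++)
            for (o = m[i] + 0; o > 0; o = (o * 2) % 256) n++
        print $2 "/" n; exit
    }'
}

# Succeed if the iptables-save output on stdin has a POSTROUTING SNAT or
# MASQUERADE rule whose source is exactly the CIDR given as $1.
nat_covers() {
    awk -v cidr="$1" '
        $1 == "-A" && $2 == "POSTROUTING" && /-j (SNAT|MASQUERADE)/ {
            for (i = 3; i < NF; i++)
                if ($i == "-s" && $(i + 1) == cidr) found = 1
        }
        END { exit !found }'
}

# Succeed if the sysctl.conf text on stdin leaves IPv4 forwarding enabled
# (commented-out lines are ignored, the last assignment wins).
forwarding_on() {
    awk -F= '{ gsub(/[ \t]/, "") }
        $1 == "net.ipv4.ip_forward" { v = $2 }
        END { exit v != 1 }'
}

# Constructed case: server.conf uses 10.11.0.0/24 but the rule names 10.8.0.0/24.
cidr=$(printf 'port 443\nserver 10.11.0.0 255.255.255.0\n' | vpn_cidr)
rules='*nat
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.10
COMMIT'
if printf '%s\n' "$rules" | nat_covers "$cidr"; then
    echo "NAT rule matches VPN subnet $cidr"
else
    echo "no NAT rule for $cidr: clients connect but traffic is not translated"
fi
```

On the server itself, the same functions can be fed from `/etc/openvpn/server.conf`, `iptables-save -t nat` and `/etc/sysctl.conf`.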

Now that our OpenVPN server is finished, we will try connecting clients to it.

Configuring Client

Remember the files we said to copy earlier:

john.key
john.crt
ca.crt

We will need these files to successfully connect to our OpenVPN server. Put these 3 files in the same folder as the .ovpn file we will create below. Copy the configuration below and save it as client.ovpn. Note that $serverip is the IP address of your OpenVPN server.

client    
remote $serverip 443    
proto tcp    
resolv-retry infinite    
route-delay 2    
pull    
comp-lzo yes    
dev tun    
nobind    
ca ca.crt    
cert john.crt    
key john.key    
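
Both server.conf and client.ovpn above are minimal, and a few of their settings are worth reviewing before the VPN carries real traffic. The linter below is an added example, not part of the original guide or of OpenVPN; the function name and finding codes are made up for illustration, and the sample input is the client config from this guide with a constructed address in place of $serverip.

```shell
#!/bin/sh
# Added example, not part of the original guide. Reads an OpenVPN config on
# stdin and prints one finding code per line (the codes are illustrative).
lint_ovpn() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }    # skip blanks and comments
        { seen[$1] = 1 }
        $1 == "client" { is_client = 1 }
        # reneg-sec 0 turns off periodic data-channel key renegotiation
        $1 == "reneg-sec" && $2 == "0" { print "RENEG_DISABLED" }
        # compression combined with encryption can leak plaintext (VORACLE)
        $1 == "comp-lzo" && $2 != "no" { print "COMPRESSION_ON" }
        END {
            if (is_client) {
                # without one of these, any certificate signed by the CA
                # is accepted as the server certificate
                if (!("remote-cert-tls" in seen) && !("verify-x509-name" in seen))
                    print "NO_SERVER_CERT_CHECK"
            } else {
                # no HMAC or encryption key on control-channel packets
                if (!("tls-auth" in seen) && !("tls-crypt" in seen))
                    print "NO_CONTROL_CHANNEL_HMAC"
                # the daemon keeps root privileges after start-up
                if (!("user" in seen) || !("group" in seen))
                    print "KEEPS_ROOT"
            }
        }'
}

# Constructed sample: the client.ovpn from this guide, placeholder address.
lint_ovpn <<'EOF'
client
remote 203.0.113.10 443
proto tcp
comp-lzo yes
dev tun
nobind
ca ca.crt
cert john.crt
key john.key
EOF
```

For the client config this prints COMPRESSION_ON and NO_SERVER_CERT_CHECK; adding `remote-cert-tls server` to client.ovpn clears the second finding.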

Connecting from Windows

Download[4] the Windows installer from OpenVPN, install it, run it as admin, then copy the 4 files (client.ovpn, ca.crt, john.crt & john.key) to the /Program Files/OpenVPN/config folder.
In the system tray, right-click the OpenVPN icon and click Connect.

Connecting from Linux

Install OpenVPN from your distribution's official repository, then run OpenVPN by executing:

sudo openvpn --config ~/path/to/client.ovpn

Connecting from Mac

For Mac, there is an application you can download called Tunnelblick[5]. Install and run it, and make sure that the 4 required files are in the same folder. In Tunnelblick, look for your .ovpn file and click on it to install. To connect, just select the configuration name and click "Connect".


There you go! Now we have a working OpenVPN installation on CentOS 7.2 using certificate authentication.
Don't forget to leave a comment if you succeeded using this guide.

As always we thank you!

[1]: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
[2]: https://www.bitvise.com/ssh-client-download
[3]: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
[4]: https://openvpn.net/community-downloads/
[5]: https://tunnelblick.net/downloads.html

comments (5)

  • VPSUser 002

    - 7 years ago

    Hi and thanks for helping me. Can I set a signed certificate instead of easy-rsa and create a profile after setting a signed valid certificate? Also, I want authentication with RADIUS, can you help me please?

  • iytrew

    - 6 years ago

    Hello, I got a problem while trying to do what is written at paragraph "GENERATE KEYS & CERTIFICATES" (issuing the command "cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa"). I've installed easy-rsa v3, and I cannot find vars file.

    Thank you, anyway.

    • Sligs

      - 6 years ago

      Having the same issue with easy-rsa v3; all instructions are for v2, which is an older version now.

  • Sligs

    - 6 years ago

    Have the same issue with Easy RSA 3.0

  • Gateway problem

    - 5 years ago

    Hi,

    I've set up OpenVPN, but it seems not to redirect gateway. I have:

    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    server 10.8.0.0 255.255.255.0

    in the server.config

    and:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 45.61.48.5

    I have no idea what might be wrong, especially since I have the same setup elsewhere and it's working.