How To Setup and Configure an OpenVPN Server on CentOS 7

We're going to install and configure OpenVPN on a CentOS 7 server. We'll also discuss how to connect a client to the server on Windows, OS X, and Linux. OpenVPN is an open-source VPN application that lets you create and join a private network securely over the public Internet.


You should complete these prerequisites:
  • CentOS 7 Virtual or Physical machine
  • root access to the server (several steps cannot be completed with just sudo access)
  • Domain or subdomain that resolves to your server that you can use for the certificates
Before we start we'll need to install the Extra Packages for Enterprise Linux (EPEL) repository. This is because OpenVPN isn't available in the default CentOS repositories. The EPEL repository is an additional repository managed by the Fedora Project containing non-standard but popular packages.
yum install epel-release

Step 1 — Installing OpenVPN

First we need to install OpenVPN. We'll also install Easy RSA for generating our SSL key pairs, which will secure our VPN connections.
yum install openvpn easy-rsa -y

Step 2 — Configuring OpenVPN

OpenVPN has example configuration files in its documentation directory. We're going to copy the sample server.conf file as a starting point for our own configuration file. 

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Let's open the file for editing.
vi /etc/openvpn/server.conf

There are a few lines we need to change in this file. Most of the lines just need to be uncommented (remove the ;). Other changes are marked in red.

When we generate our keys later, the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes, so we need to change the dh filename to dh2048.pem.
dh dh2048.pem

We need to uncomment the push "redirect-gateway def1 bypass-dhcp" line, which tells the client to redirect all traffic through our OpenVPN.
push "redirect-gateway def1 bypass-dhcp"

Next we need to provide DNS servers to the client, as it will not be able to use the default DNS servers provided by your Internet service provider. We're going to use Google's public DNS servers, and

Do this by uncommenting the push "dhcp-option DNS lines and updating the IP addresses.
push "dhcp-option DNS"
push "dhcp-option DNS"

We want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of nobody. To enable this you'll need to uncomment these lines:
user nobody
group nobody
Save and exit the OpenVPN server configuration file.

Step 3 — Generating Keys and Certificates

Now that the server is configured we'll need to generate our keys and certificates. Easy RSA installs some scripts to generate these keys and certificates.

Let's create a directory for the keys to go in.
mkdir -p /etc/openvpn/easy-rsa/keys

We also need to copy the key and certificate generation scripts into the directory.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

To make life easier for ourselves we're going to edit the default values the script
uses so we don't have to type our information in each time. This information is stored
in the vars file so let's open this for editing.
vi /etc/openvpn/easy-rsa/vars

We're going to be changing the values that start with KEY_. Update the following values to be accurate for your organization.
The ones that matter the most are:
  • KEY_NAME: You should enter server here; you could enter something else, but then you would also have to update the configuration files that reference server.key and server.crt
  • KEY_CN: Enter the domain or subdomain that resolves to your server
For the other values, you can enter information for your organization based on the variable name.

. . .

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_CITY="New York"
export KEY_ORG="TechSupportPK"
export KEY_EMAIL=""
export KEY_OU="Community"

# X509 Subject Field
export KEY_NAME="server"

. . .


. . .

We're also going to remove the chance of our OpenSSL configuration not loading due to the version being undetectable. We're going to do this by copying the required configuration file and removing the version number.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

To start generating our keys and certificates we need to move into our easy-rsa directory and source in our new variables.
cd /etc/openvpn/easy-rsa
source ./vars

Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.

When you build the certificate authority, you will be asked to enter all the information we put into the vars file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.
The next things we need to generate will are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.
./build-key-server server

We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or
two to complete:

That's it for our server keys and certificates. Copy them all into our OpenVPN directory.
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it's best to generate separate keys and certificates for each client you intend on connecting.

Make sure that if you do this you give them descriptive names, but for now we're going to have one client so we'll just call it client.
cd /etc/openvpn/easy-rsa
./build-key client

That's it for keys and certificates.

Step 4 — Routing

To keep things simple we're going to do our routing directly with iptables rather than the new firewalld.

First, make sure the iptables service is installed and enabled.
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush

Next we'll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Then we must enable IP forwarding in sysctl. Open sysctl.conf for editing.
vi /etc/sysctl.conf

Add the following line at the top of the file:
net.ipv4.ip_forward = 1

Then restart the network service so the IP forwarding will take effect.
systemctl restart network.service

Step 5 — Starting OpenVPN

Now we're ready to run our OpenVPN service. So lets add it to systemctl:
systemctl -f enable openvpn@server.service

Start OpenVPN:
systemctl start openvpn@server.service

Well done; that's all the server-side configuration done for OpenVPN.

Next we'll talk about how to connect a client to the server.

Step 6 — Configuring a Client

Regardless of your client machine's operating system, you will definitely need a copy of the ca certificate from the server, along with the client key and certificate.

Locate the following files on the server. If you generated multiple client keys with unique descriptive names, then the key and certificate names will be different. In this article we used client.

Copy these three files to your client machine. You can use SFTP or your preferred method. You could even open the files in your text editor and copy and paste the contents into new files on your client machine.

Just make sure you make a note of where you save them.

We're going to create a file called client.ovpn. This is a configuration file for an OpenVPN client, telling it how to connect to the server.
  • You'll need to change the first line to reflect the name you gave the client in your key and certificate; in our case, this is just client
  • You also need to update the IP address from your_server_ip to the IP address of your server; port 1194 can stay the same
  • Make sure the paths to your key and certificate files are correct
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key

This file can now be used by any OpenVPN client to connect to your server.

On Windows, you will need the official OpenVPN Community Edition binaries which come with a GUI. Then, place your .ovpn configuration file into the proper directory, C:\Program Files\OpenVPN\config, and click Connect in the GUI. OpenVPN GUI on Windows must be executed with administrative privileges.

On Mac OS X, the open source application Tunnelblick provides an interface similar to the OpenVPN GUI on Windows, and comes with OpenVPN and the required TUN/TAP drivers. As with Windows, the only step required is to place your .ovpn configuration file into the ~/Library/Application
directory. Or, you can double-click on your .ovpn file.

On Linux, you should install OpenVPN from your distribution's official repositories. You can then invoke OpenVPN by executing:

sudo openvpn --config ~/path/to/client.ovpn


Congratulations! You should now have a fully operational virtual private network running on your OpenVPN server.

After you establish a successful client connection, you can verify that your traffic is being routed through the VPN by checking Google to reveal your public IP.

No comments:

Powered by Blogger.