A VPN (Virtual Private Network) carries a client's traffic through an encrypted tunnel to a VPN server, which forwards it onward. The local network, and anyone on the path to the server, sees only encrypted packets addressed to the server; destinations on the internet see the server's address instead of the client's. That protects traffic on untrusted networks and is also why a VPN can reach content that is blocked for the client's own region. It does not make the user anonymous: the VPN operator still sees where the traffic goes.

OpenVPN is an open-source VPN implementation and, at the same time, the name of its protocol: a TLS-authenticated control channel plus an encrypted data channel, both carried over a single UDP or TCP port. Because it looks like ordinary UDP or TCP traffic (and can be moved to TCP port 443), it usually passes firewalls that block other VPN protocols.

This tutorial shows step by step how to install and set up an OpenVPN server and connect a Linux client to it. We use a CentOS 8 server for the installation; the same procedure works on Rocky Linux 8 and AlmaLinux 8.

Prerequisites

Terminal access

A user account with sudo privileges.

Note: The commands in this tutorial were run on CentOS 8. They also apply to CentOS 7, with one difference: CentOS 7 uses yum rather than dnf as its package manager, so replace dnf with yum in the install commands.

Update System

Make sure the system is up to date before installing anything. On dnf, update is only an alias of upgrade, so one command is enough:

sudo dnf upgrade -y

SELinux

Many OpenVPN guides tell you to disable SELinux at this point. That is not necessary, and it removes a layer of protection from an internet-facing service. The openvpn package ships with an SELinux policy module that confines the daemon (the openvpn_t domain), and that policy already allows the default layout used in this tutorial: configuration under /etc/openvpn, the default port 1194/udp and the tun device. Leave SELinux in enforcing mode and confirm its state:

getenforce

If you later move the server to a non-standard port, label that port for OpenVPN instead of turning SELinux off. For example, if you chose 1195/udp:

sudo semanage port -a -t openvpn_port_t -p udp 1195

semanage comes from the policycoreutils-python-utils package. Should OpenVPN ever fail to start with a permission error while SELinux is enforcing, list the denials with

sudo ausearch -m avc -ts recent

and fix the label of the offending file or port rather than disabling the policy.

Enable IP Forwarding

The server has to route packets between the tunnel interface and its outbound interface, and the kernel refuses to do that until IP forwarding is turned on. Open the sysctl configuration file with the nano editor.

sudo nano /etc/sysctl.conf

Add the following line to the file.

net.ipv4.ip_forward = 1

Press Ctrl+O and then Ctrl+X. The file is only read at boot, so load it now as well and check that the value is 1:

sudo sysctl -p
sysctl net.ipv4.ip_forward

Install OpenVPN Server

OpenVPN is not in the base repositories; it comes from EPEL, so install the epel-release package first.

sudo dnf install epel-release -y

Now install OpenVPN.

sudo dnf install openvpn -y

The package creates /etc/openvpn with server/ and client/ subdirectories and installs the openvpn-server@ and openvpn-client@ systemd unit templates used later. Next, download Easy-RSA into /etc/openvpn. Easy-RSA is the OpenVPN project's wrapper around openssl for building and managing a certificate authority (CA) and the certificates it issues. (EPEL also ships an easy-rsa package if you prefer a packaged copy; this tutorial uses the release tarball.)

cd /etc/openvpn
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Version 3.0.6 is the release this tutorial was written against. Check the same releases page for a newer 3.x release before you download; the procedure is identical.

Extract the downloaded tarball.

sudo tar -xvzf EasyRSA-unix-v3.0.6.tgz

Then rename the extracted directory to easy-rsa.

sudo mv EasyRSA-v3.0.6 easy-rsa

Configure Easy-RSA

Next, build the certificate authority that will sign the server and client certificates. Change into the easy-rsa directory.

cd /etc/openvpn/easy-rsa

Create the vars file, which Easy-RSA reads for its settings, with the nano editor.

sudo nano vars

Paste the following lines into the vars file.

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "New York"
set_var EASYRSA_REQ_CITY "New York"
set_var EASYRSA_REQ_ORG "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL ""
set_var EASYRSA_REQ_OU "osradar EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"

Because EASYRSA_DN is set to cn_only, only the Common Name is written into each certificate; the country, province, city, organisation and e-mail values are kept for completeness and you can change them to suit you (the country must be a two-letter code such as US if you ever switch EASYRSA_DN to org). EASYRSA_CA_EXPIRE and EASYRSA_CERT_EXPIRE are in days: the CA certificate is valid for about twenty years, each issued certificate for one year, after which it has to be renewed.

Press Ctrl+O and then Ctrl+X.

Now initialise the PKI directory. The easy-rsa directory is owned by root, so this and every later easyrsa command needs sudo.

sudo ./easyrsa init-pki

Finally, build the CA certificate and key.

sudo ./easyrsa build-ca

You are asked for a passphrase for the CA private key and for a Common Name for the CA. Choose a strong passphrase and keep it safe: anyone who holds pki/private/ca.key and the passphrase can issue certificates that this server will accept. For the same reason a production deployment would run Easy-RSA on a separate, offline machine and copy only ca.crt to the VPN server; this tutorial keeps everything on one host for simplicity.

Generate Server Certificate Files

Generate the server's key pair and certificate request. The name vitux-server is the certificate's Common Name and is reused as the file name; nopass leaves the server key unencrypted so that the service can start unattended at boot.

sudo ./easyrsa gen-req vitux-server nopass

Sign the Server Key With CA

Sign the request with the CA. The first argument, server, is the certificate type: Easy-RSA adds the TLS server extended key usage to the certificate, which is what clients check with remote-cert-tls server to make sure they are talking to the real server and not to someone presenting another client certificate from the same CA.

sudo ./easyrsa sign-req server vitux-server

Easy-RSA shows the request details, asks you to type yes to confirm, and then prompts for the CA passphrase.

OpenVPN also needs Diffie-Hellman parameters for the TLS key exchange. Generating 2048-bit parameters can take several minutes; it only has to be done once.

sudo ./easyrsa gen-dh

Next, copy the files the server needs to /etc/openvpn/server/. The private key under pki/private is readable only by root, so use sudo.

sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/private/vitux-server.key /etc/openvpn/server/
sudo cp pki/issued/vitux-server.crt /etc/openvpn/server/

Generate Client Key and Certificate

Generate a key pair and request for the client in the same way. Here the Common Name is simply client; in a real deployment give every user or device its own name, so that one certificate can be revoked without affecting the others. nopass again leaves the key unencrypted; drop it if you want the user to enter a passphrase when connecting.

sudo ./easyrsa gen-req client nopass

Next, sign the client request with the CA, this time with the client certificate type.

sudo ./easyrsa sign-req client client

Copy the client files to the /etc/openvpn/client/ directory.

sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/
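To confirm that the server and client certificates came out with the intended types, check their extended key usage and their chain with openssl. The shell functions below are an added example and are not part of the original tutorial or of Easy-RSA: check_cert_role verifies that a certificate chains to the CA and carries the TLS server or TLS client extended key usage (the property remote-cert-tls server relies on), and make_demo_pki builds a throwaway CA with one server and one client certificate in a temporary directory, using openssl directly rather than Easy-RSA, so the check can be tried without touching /etc/openvpn. The demo file names and Common Names are assumptions.

```shell
#!/bin/sh
# Added example: verify the x509 "type" of an OpenVPN certificate with openssl.
# Not from the original tutorial. Requires the openssl command-line tool.

# check_cert_role CERT CA ROLE
#   ROLE is "server" or "client". Returns 0 when CERT chains to CA and
#   carries the matching TLS extended key usage, 1 otherwise.
check_cert_role() {
    cert=$1; ca=$2; role=$3
    case $role in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
    # 1. the certificate must be signed by our CA and not be expired
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. the extendedKeyUsage extension must name the expected role;
    #    this is what "remote-cert-tls server" checks on the client side
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q "$want"
}

# make_demo_pki DIR
#   Constructed test data (assumption, not the tutorial's PKI): a throwaway
#   CA plus one server and one client certificate, signed with the same
#   extendedKeyUsage values Easy-RSA applies for "sign-req server" and
#   "sign-req client". Never use these keys for anything real.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
        # serverAuth for the server role, clientAuth for the client role
        printf 'extendedKeyUsage=%sAuth\n' "$name" > "$dir/$name.ext"
        openssl x509 -req -days 30 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" >/dev/null 2>&1 || return 1
    done
}

# Usage on the files produced earlier in this tutorial (run as root):
#   check_cert_role /etc/openvpn/server/vitux-server.crt /etc/openvpn/server/ca.crt server
#   check_cert_role /etc/openvpn/client/client.crt /etc/openvpn/client/ca.crt client
```

A client certificate deliberately fails the server check: that is exactly the impersonation remote-cert-tls server blocks, since every client holds a certificate from the same CA.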

Configure OpenVPN Server

Create the server configuration file in the server directory with the following command.

sudo nano /etc/openvpn/server/server.conf

Then add the following lines to the file.

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vitux-server.crt
key /etc/openvpn/server/vitux-server.key
dh /etc/openvpn/server/dh.pem
# VPN subnet: the server takes 10.8.0.1 and assigns the rest to clients
server 10.8.0.0 255.255.255.0
# Route all client traffic through the tunnel and use these resolvers (OpenDNS) while connected
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Let several clients connect with the same certificate (see the note below)
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
# Drop root privileges once the tunnel is up
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3

Press Ctrl+O and Ctrl+X.

Two directives found in many copies of this configuration are left out on purpose. daemon is not needed when systemd starts the service through the openvpn-server@ unit, which supervises the process itself. compress lz4 is omitted because compressing traffic inside a VPN lets an attacker who can inject chosen plaintext into the tunnel recover secrets from the compressed sizes (the VORACLE attack against OpenVPN, published in 2018); the OpenVPN project advises against enabling compression, and since both ends must agree, the client configuration must not enable it either.

A few other points are worth knowing. duplicate-cn lets several clients share the single certificate generated above, which is convenient for a test but means you cannot revoke one user's access later; for real users issue one certificate per user and remove this line. cipher AES-256-CBC is only the fallback: OpenVPN 2.4 and newer negotiate AES-256-GCM automatically when both sides support it. The tls-cipher list pins the control channel to DHE-RSA suites; it is not harmful, but it is also not required once tls-version-min 1.2 is set. Finally, OpenVPN's tls-crypt directive (with a pre-shared key generated by openvpn --genkey) encrypts and authenticates the TLS handshake itself, which hides the server from port scans and blunts floods of bogus handshakes; it has to be configured identically on every client, so it is left out of this basic setup.

Start and Enable OpenVPN Service

The openvpn-server@ unit template reads /etc/openvpn/server/NAME.conf, so the instance for server.conf is openvpn-server@server.service. Start it now and enable it at boot.

sudo systemctl start openvpn-server@server.service
sudo systemctl enable openvpn-server@server.service

Verify that it is active with the following command.

systemctl status openvpn-server@server.service

If the unit failed, the reason is usually in /var/log/openvpn.log (set by log-append above) or in the unit's journal:

sudo journalctl -u openvpn-server@server.service

On a successful start OpenVPN creates the tun0 interface with the server's VPN address, 10.8.0.1. The ifconfig command belongs to net-tools, which is not installed by default on CentOS 8, so use ip to see the interface.

ip addr show tun0

Generate the Client Configuration File

The next step is to connect a client to the OpenVPN server, which needs a client configuration file. Create it in the client directory with the following command.

sudo nano /etc/openvpn/client/client.ovpn

Now copy and paste the following lines into the file, replacing vpn-server-ip with the public IP address or hostname of your server.

client
dev tun
proto udp
remote vpn-server-ip 1194
# Paths are relative to the directory openvpn is started from
ca ca.crt
cert client.crt
key client.key
# Accept only a server certificate issued with the "server" type; without this,
# any holder of a client certificate from the same CA could impersonate the server
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Press Ctrl+O to save changes and press Ctrl+X to exit the editor.

remote-cert-tls server is the one line missing from most copies of this file, and it matters: it makes the client verify that the server certificate was signed with the server type chosen in sign-req server above. compress lz4 is left out because compression inside a VPN enables the VORACLE attack; client and server must agree on it, so make sure the server configuration does not enable compression either.
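Handing a user four separate files that depend on relative paths is fragile. OpenVPN also accepts the CA certificate, client certificate and key embedded in the .ovpn file itself between <ca>, <cert> and <key> tags, which gives the user one file to import. The shell functions below are an added example, not part of the original tutorial: make_inline_profile takes a configuration written like the one above plus the three PEM files, drops the ca, cert and key file directives and appends the inline blocks; profile_check flags a profile that lacks remote-cert-tls server or enables compression; demo_profile builds a constructed sample from placeholder PEM text in a temporary directory so the conversion can be tried without real keys. The file names and the placeholder contents are assumptions.

```shell
#!/bin/sh
# Added example: build a single self-contained .ovpn profile and sanity-check it.
# Not from the original tutorial.

# emit_block TAG FILE: print FILE wrapped in <TAG> ... </TAG>
emit_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_inline_profile CONF CA CERT KEY
#   Prints CONF with the "ca", "cert" and "key" file directives removed and
#   the corresponding PEM files embedded as <ca>, <cert> and <key> blocks.
make_inline_profile() {
    conf=$1; ca=$2; cert=$3; key=$4
    for f in "$conf" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # keep every line except the three file-path directives
    # (the pattern needs whitespace after the word, so remote-cert-tls
    #  and key-direction are left alone)
    grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$conf"
    emit_block ca "$ca"
    emit_block cert "$cert"
    emit_block key "$key"
}

# profile_check PROFILE
#   Returns 0 if the profile pins the server certificate type and does not
#   enable compression, 1 otherwise (the problems are printed on stderr).
profile_check() {
    ok=0
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$1" \
        || { echo "missing: remote-cert-tls server" >&2; ok=1; }
    if grep -Eq '^[[:space:]]*(compress|comp-lzo)' "$1"; then
        echo "remove: compression is enabled (VORACLE)" >&2; ok=1
    fi
    return $ok
}

# demo_profile DIR
#   Constructed sample data (assumption): a minimal client config and
#   placeholder PEM files, not real certificates or keys. Prints the path of
#   the generated inline profile.
demo_profile() {
    dir=$1
    printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn-server-ip 1194' \
        'ca ca.crt' 'cert client.crt' 'key client.key' \
        'remote-cert-tls server' 'cipher AES-256-CBC' 'verb 3' > "$dir/client.ovpn"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' DEMOCA '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' DEMOCLIENT '-----END CERTIFICATE-----' > "$dir/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' DEMOKEY '-----END PRIVATE KEY-----' > "$dir/client.key"
    make_inline_profile "$dir/client.ovpn" "$dir/ca.crt" "$dir/client.crt" "$dir/client.key" \
        > "$dir/client-inline.ovpn"
    chmod 600 "$dir/client-inline.ovpn"   # the profile now contains the private key
    echo "$dir/client-inline.ovpn"
}

# Usage on the real files from this tutorial (run as root in /etc/openvpn/client):
#   make_inline_profile client.ovpn ca.crt client.crt client.key > client-inline.ovpn
#   chmod 600 client-inline.ovpn && profile_check client-inline.ovpn
```

The inline profile contains the private key, so treat it like the key itself: mode 600, transferred over an authenticated channel, never e-mailed in the clear.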

Configure Routing

Open the OpenVPN port in the firewall and put the tunnel interface in the trusted zone. firewalld's openvpn service is 1194/udp, matching the server configuration; the --permanent rules take effect after the reload at the end of this section.

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Putting tun0 in the trusted zone means connected VPN clients can reach every service listening on the server. If that is more than you want, use a more restrictive zone for tun0 and open only the ports you need.

Enable masquerading (source NAT) so that replies to the clients' traffic find their way back through the server.

sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade

Add an explicit NAT rule for the VPN subnet on the interface that carries the server's default route. Counting fields from the end of the ip route get output is unreliable: newer iproute2, as shipped with CentOS 8, appends uid 0 to the same line, which shifts the fields and yields the source address instead of the interface name. Picking the word after dev works on both old and new versions.

routecnf=$(ip route get 8.8.8.8 | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
echo "$routecnf"
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$routecnf" -j MASQUERADE

Make sure the echo printed an interface name such as eth0 or ens192, not an address, before running the firewall-cmd line.

Reload to make the changes effective.

sudo firewall-cmd --reload
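The interface lookup is the step most likely to go wrong silently, so it is worth having it in a form that can be tested against both output formats of ip route get before it is fed to firewall-cmd. The shell functions below are an added example, not part of the original tutorial: default_iface parses ip route get output from stdin and prints the interface after dev, naive_iface is the field-counting version kept only to show how it fails on the newer format, and vpn_nat_commands prints the firewall-cmd lines for review (or for piping to sh as root) after refusing an argument that is not an interface name. The two sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: pick the outbound interface robustly and emit the NAT rules.
# Not from the original tutorial.

# default_iface
#   Reads "ip route get <addr>" output on stdin and prints the word after
#   "dev". Handles both the older line
#     8.8.8.8 via 192.168.1.1 dev eth0  src 192.168.1.10
#   and the newer one that ends with "uid 0". Exit status 1 if no dev found.
default_iface() {
    awk '
        / dev / {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# naive_iface
#   The field-counting approach: correct on the old format only. On the new
#   format "uid 0" shifts the fields and this prints the src address.
naive_iface() {
    awk 'NR == 1 { print $(NF - 2) }'
}

# live_default_iface: default_iface against the real routing table
live_default_iface() {
    ip route get 8.8.8.8 2>/dev/null | default_iface
}

# vpn_nat_commands IFACE SUBNET
#   Prints the firewall-cmd commands that masquerade SUBNET out of IFACE,
#   one per line. Run them as root, e.g.: vpn_nat_commands eth0 10.8.0.0/24 | sudo sh
vpn_nat_commands() {
    iface=$1; subnet=$2
    # refuse an empty name or something that looks like an address
    case $iface in
        ""|*.*|*/*) echo "not an interface name: '$iface'" >&2; return 1 ;;
    esac
    printf 'firewall-cmd --permanent --zone=trusted --add-interface=tun0\n'
    printf 'firewall-cmd --permanent --add-masquerade\n'
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$iface"
    printf 'firewall-cmd --reload\n'
}

# Constructed sample outputs of "ip route get 8.8.8.8" (assumption, not captured)
SAMPLE_OLD='8.8.8.8 via 192.168.1.1 dev eth0  src 192.168.1.10
    cache'
SAMPLE_NEW='8.8.8.8 via 192.168.1.1 dev ens192 src 192.168.1.10 uid 0
    cache'
```

On a live server, iface=$(live_default_iface) followed by vpn_nat_commands "$iface" 10.8.0.0/24 shows exactly what will be applied; the guard in vpn_nat_commands stops the address-instead-of-interface mistake from reaching the firewall.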

Install and Use OpenVPN in Client Machine

On the client machine, install epel-release and OpenVPN as you did on the server.

sudo dnf install epel-release -y
sudo dnf install openvpn -y

Now copy the client configuration files from the server, replacing vpn-server-ip with the server's address. client.key in /etc/openvpn/client on the server is readable only by root, so the copy has to run as a user that can read it; if root login over SSH is disabled on the server (a sensible default), first make a copy of the directory that your normal account can read and transfer that instead.

scp -r root@vpn-server-ip:/etc/openvpn/client .

Connect OpenVPN Client

Go to the copied directory and connect to the OpenVPN server. Creating the tun interface requires root, so run openvpn with sudo; it stays in the foreground and prints "Initialization Sequence Completed" once the tunnel is up. Keep client.key readable only by its owner.

cd client
sudo openvpn --config client.ovpn

In another terminal, check the address assigned to the tunnel (ip replaces ifconfig, which is not installed by default).

ip addr show tun0

The client receives an address from 10.8.0.0/24, and because the server pushes redirect-gateway, all of its traffic now leaves through the VPN.


How to Install OpenVPN on AlmaLinux 8, Centos 8 or Rocky Linux 8

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn