A VPN (Virtual Private Network) carries a device's traffic through an encrypted tunnel to a VPN server. Anyone between the device and that server (the local network, the ISP) sees only encrypted packets addressed to the server, and the sites the user visits see the server's address rather than the user's. Its main uses are privacy for the user and a protected path to the internet from untrusted networks; because traffic appears to originate at the server, it also lets you reach content that is blocked by geo-restrictions where you are.
OpenVPN is an open-source VPN implementation that is both a piece of software and a protocol of its own. It is widely used partly because it is hard to block: it runs over ordinary UDP or TCP on any port (TCP 443 if need be) and authenticates peers with TLS certificates, so it gets through firewalls that stop other VPN protocols.
This tutorial shows, step by step, how to install and configure an OpenVPN server and then connect an OpenVPN client to it. We use a CentOS 8 server for the installation; the same procedure works on Rocky Linux 8 and AlmaLinux 8.
Prerequisites
Terminal access
A user account with sudo privileges.
Note: The commands in this tutorial were run on CentOS 8. The same steps work on CentOS 7 if you replace dnf with yum.
Update & Upgrade System
Ensure your system is up to date by upgrading all installed packages with the following command (on dnf, update is only an alias of upgrade, so one command is enough).
sudo dnf upgrade
Disable SELinux
The original tutorial disables SELinux at this point on the grounds that it conflicts with OpenVPN and prevents it from launching. Think twice before doing so: SELinux is a mandatory access control layer that limits what a compromised service can reach, and the openvpn package on CentOS 8 ships with its own SELinux policy, so with the configuration, certificates and keys kept under /etc/openvpn/ as in this guide the service starts normally in enforcing mode. If it does not, look for AVC denials in the audit log before turning SELinux off.
If you still want to change the mode, open the SELinux config file with the following command.
sudo nano /etc/selinux/config
Find the line that starts with SELINUX= and set its value to permissive (denials are logged but not enforced, which is enough to diagnose a problem) or disabled; the tutorial uses the following line.
SELINUX=disabled
Press Ctrl+O, Enter, then Ctrl+X to save and exit. The setting in this file only applies at the next boot; to switch the running system to permissive mode immediately, run sudo setenforce 0.
Enable IP Forwarding
Now you need to enable IP forwarding, so that packets arriving from the tunnel can be routed out through the server's other interfaces. Without it, clients can reach the VPN server itself but nothing beyond it.
To enable IP forwarding, open the sysctl config file with the nano editor.
sudo nano /etc/sysctl.conf
Add the following line to the file.
net.ipv4.ip_forward = 1
Press Ctrl+O, Enter, then Ctrl+X. The file is only read at boot, so apply the setting to the running kernel now with sudo sysctl -p.
Install OpenVPN Server
OpenVPN comes from the EPEL repository, so first install the epel-release package.
sudo dnf install epel-release -y
Now install OpenVPN with the following command.
sudo dnf install openvpn -y
Now that OpenVPN is installed, change to its configuration directory and download Easy-RSA, the tool that builds and manages the certificate authority (CA) whose certificates the server and the clients use to authenticate each other. The original guide uses release 3.0.6; newer releases are published on the same GitHub releases page, and EPEL also packages Easy-RSA if you prefer to install it with dnf.
cd /etc/openvpn
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
Extract the downloaded tarball.
sudo tar -xvzf EasyRSA-unix-v3.0.6.tgz
And rename the extracted directory to easy-rsa.
sudo mv EasyRSA-v3.0.6 easy-rsa
Configure Easy-RSA
Next, we need to set up the certificate authority and issue the server and client certificates. First, change into the easy-rsa directory.
cd /etc/openvpn/easy-rsa
Create the vars file in the nano editor with the following command (the file does not exist yet; nano creates it).
sudo nano vars
Now copy and paste the following settings into the vars file.
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "USA"
set_var EASYRSA_REQ_PROVINCE "New York"
set_var EASYRSA_REQ_CITY "New York"
set_var EASYRSA_REQ_ORG "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL ""
set_var EASYRSA_REQ_OU "osradar EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "osradar CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
Change the country, province, city, organisation and email to suit your own requirements. Two values matter beyond cosmetics: EASYRSA "$PWD" means that every easyrsa command below must be run from inside /etc/openvpn/easy-rsa, and EASYRSA_CERT_EXPIRE 365 means that the server and client certificates issued here stop working after one year unless they are renewed (the CA itself lasts 7500 days).
Press Ctrl+O, Enter, then Ctrl+X.
Now initialise the PKI directory with the following command (the directory tree is owned by root, so sudo is needed here and for every easyrsa command that follows).
sudo ./easyrsa init-pki
Finally, build your CA certificate. You will be asked for a passphrase that encrypts the CA private key, pki/private/ca.key, and for a Common Name for the CA. Choose a strong passphrase and keep the key off the VPN server if you can: whoever holds it can issue certificates that the server and every client will trust.
sudo ./easyrsa build-ca
Generate Server Certificate Files
Use the following command to generate the server key pair and certificate request. nopass leaves the server key unencrypted so that the service can start without a prompt; the key is protected by file permissions instead, which is why it must only ever be readable by root.
sudo ./easyrsa gen-req vitux-server nopass
Sign the Server Key With CA
To sign the server request with the CA, run the following command. The first argument, server, is the certificate type and adds the extensions that mark this as a server certificate; you will be prompted for the CA passphrase.
sudo ./easyrsa sign-req server vitux-server
We also need Diffie-Hellman parameters for the TLS key exchange. Generate them with the following command (this can take several minutes).
sudo ./easyrsa gen-dh
Next, copy the CA certificate, the DH parameters, the server key and the server certificate to the /etc/openvpn/server/ directory.
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/private/vitux-server.key /etc/openvpn/server/
sudo cp pki/issued/vitux-server.crt /etc/openvpn/server/
Generate Client Key and Certificate
Generate the client key pair and request in the same way. The name given here (client) becomes the certificate's Common Name; in practice issue one certificate per user or device, named after it, so that a lost or compromised device can be revoked on its own.
sudo ./easyrsa gen-req client nopass
Next, sign the client request with the CA. Here the first client is the certificate type and the second is the name of the request.
sudo ./easyrsa sign-req client client
Copy these files to the /etc/openvpn/client/ directory.
sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/
Configure OpenVPN Server
Create a new configuration file in the server directory with the following command.
sudo nano /etc/openvpn/server/server.conf
Then add the following lines to the file.
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vitux-server.crt
key /etc/openvpn/server/vitux-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
Press Ctrl+O, Enter, then Ctrl+X.
A few of these directives deserve a comment. server 10.8.0.0 255.255.255.0 hands clients addresses from that subnet, and push "redirect-gateway def1" makes every client send all of its internet traffic through the tunnel, using the OpenDNS resolvers pushed on the next two lines. user nobody and group nobody drop root privileges once the tunnel is up; persist-key and persist-tun are what let the unprivileged process survive a restart of the connection. duplicate-cn allows several clients to connect with the same certificate, which is convenient while testing but means a lost device cannot be revoked on its own; remove it once every client has its own certificate. compress lz4 turns on compression inside the tunnel; the OpenVPN documentation advises against compression, because a compression oracle (the VORACLE attack) can let an attacker who injects known data into the tunnel recover secrets from the compressed sizes. With OpenVPN 2.4 or later on both ends the cipher line is mostly a fallback, since the peers negotiate AES-256-GCM automatically.
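As an added example that is not part of the original tutorial, the following script checks a server.conf for the four points just discussed (duplicate-cn, compression, no tls-crypt or tls-auth key, a CBC cipher) and keeps a hardened variant of the page's configuration beside the original. The sample configurations are constructed from the page (the tls-cipher and dhcp-option lines are left out for brevity); the tls-crypt key path /etc/openvpn/server/ta.key is an assumption, and the key itself would be created with openvpn --genkey --secret ta.key (2.4 syntax) and handed to every client.

```shell
# Added example, not the tutorial's own code: audit a server.conf for the
# points discussed above and show a hardened variant beside the original.
# Sample configurations are constructed from the page (tls-cipher and
# dhcp-option lines omitted); /etc/openvpn/server/ta.key is an assumed
# tls-crypt key path.

# has_directive FILE REGEX: true if an uncommented line starts with REGEX
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE: print one finding per line; return 1 if any
audit_server_conf() {
    f=$1
    n=0
    if has_directive "$f" 'duplicate-cn'; then
        echo "duplicate-cn: clients share a certificate, so one device cannot be revoked alone"
        n=$((n + 1))
    fi
    if has_directive "$f" '(compress|comp-lzo)'; then
        echo "compression: OpenVPN advises against it (compression oracles such as VORACLE)"
        n=$((n + 1))
    fi
    if ! has_directive "$f" '(tls-crypt(-v2)?|tls-auth)'; then
        echo "no tls-crypt/tls-auth: the server will start a TLS handshake with anyone who sends a packet"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+[A-Za-z0-9-]*-CBC' "$f"; then
        echo "cipher *-CBC: prefer an AEAD cipher such as AES-256-GCM"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# page_server_conf: the tutorial's server.conf (abridged), to stdout
page_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vitux-server.crt
key /etc/openvpn/server/vitux-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
EOF
}

# hardened_server_conf: the same service with the four findings fixed
# (one certificate per client, no compression, tls-crypt, AES-256-GCM)
hardened_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vitux-server.crt
key /etc/openvpn/server/vitux-server.key
dh /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/ta.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
cipher AES-256-GCM
tls-version-min 1.2
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
EOF
}
```

Source the file and run audit_server_conf /etc/openvpn/server/server.conf; it returns non-zero when it finds anything, so it can sit in a deployment check. If you adopt the hardened file, the client side changes with it: drop compress lz4 there too and add the same tls-crypt key, otherwise the two ends will not talk.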
Start and Enable OpenVPN Service
Your OpenVPN server is ready to launch. The openvpn-server@ systemd template reads /etc/openvpn/server/<name>.conf, so the instance for server.conf is openvpn-server@server.service. Start it, and enable it at boot, with the following commands.
sudo systemctl start openvpn-server@server.service
sudo systemctl enable openvpn-server@server.service
You can check that it is active with the following command.
systemctl status openvpn-server@server.service
On a successful start a new tunnel interface, tun0, appears carrying the server's VPN address 10.8.0.1. Run the following command to see it (ifconfig is not installed by default on CentOS 8; it belongs to the net-tools package).
ip addr show tun0
Generate the Client Configuration File
The next step is to connect a client to the OpenVPN server, which needs a client configuration file. Create it with the following command.
sudo nano /etc/openvpn/client/client.ovpn
Now copy and paste the following into the file, replacing vpn-server-ip with the public IP address or hostname of your server. The ca, cert and key paths are relative, so the client must be started from the directory that holds those three files, as is done below.
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Press Ctrl+O and Enter to save the changes, then Ctrl+X to exit the editor.
One directive worth adding to this file is remote-cert-tls server: it makes the client accept only a certificate that was issued as a server certificate (which sign-req server did above), so that someone holding another client certificate from the same CA cannot impersonate the server.
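Handing a client a directory of four files is error-prone, and OpenVPN also accepts the CA certificate, client certificate and key inline inside the profile. The script below is an added example, not part of the original tutorial, that builds such a single-file client.ovpn from the files generated above. Its directives mirror the page's client.ovpn so that the result works against the server configured in this guide (the tls-cipher list is left to OpenVPN's defaults); remote-cert-tls server is an addition, and compress lz4 should be dropped here as soon as it is dropped on the server. The server address and the directory holding the PEM files are assumptions passed in as arguments.

```shell
# Added example, not the tutorial's own code: assemble ca.crt, client.crt
# and client.key into one client.ovpn with inline <ca>/<cert>/<key> blocks,
# so a single file (instead of a directory) is handed to the client.
# The directives mirror the tutorial's client.ovpn; remote-cert-tls server
# is an addition. Assumptions: the server address is $1 and the PEM files
# live in the directory given as $2.

# inline_block TAG FILE: print FILE wrapped in <TAG> ... </TAG>
inline_block() {
    [ -r "$2" ] || { echo "inline_block: cannot read $2" >&2; return 1; }
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_profile SERVER DIR: write the unified profile to stdout
make_profile() {
    server=$1
    dir=$2
    # check every file first so that a partial profile is never emitted
    for f in ca.crt client.crt client.key; do
        [ -r "$dir/$f" ] || { echo "make_profile: missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
EOF
    inline_block ca   "$dir/ca.crt"
    inline_block cert "$dir/client.crt"
    inline_block key  "$dir/client.key"
}

# count_inline_blocks FILE: number of closing inline tags (3 when complete)
count_inline_blocks() {
    grep -Ec '^</(ca|cert|key)>$' "$1"
}
```

On the server, source the file and run umask 077; make_profile vpn-server-ip /etc/openvpn/client > client.ovpn (the umask keeps the file, which now contains the private key, readable only by you), then copy that one file to the client with scp and start OpenVPN with --config client.ovpn from any directory.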
Configure Routing
Allow the OpenVPN service (UDP port 1194) through the firewall, place the tunnel interface in the trusted zone and enable masquerading, so that traffic from VPN clients leaves the server with the server's own address.
sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade
Then add an explicit NAT rule for the VPN subnet on the interface that carries the default route. The original guide picked that interface with awk 'NR==1 {print $(NF-2)}', which assumes the ip route get line ends in src <address>; current iproute2 appends uid <n>, which shifts the fields so the expression returns the source address instead of the interface. Reading the word that follows dev works on both.
routecnf=$(ip route get 8.8.8.8 | awk 'NR==1 {for (i=1; i<NF; i++) if ($i=="dev") print $(i+1)}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$routecnf" -j MASQUERADE
Reload to make the changes effective.
firewall-cmd --reload
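The interface detection in the routing step is fragile, and the failure is quiet: the direct rule ends up with an address where an interface name belongs and matches nothing. The script below, an added example that is not part of the original tutorial, reads the interface after the dev keyword instead, keeps the page's original expression beside it to show the difference, and assembles the firewalld commands from the result. The route lines are constructed samples of what ip route get prints on a current system (with uid) and an older one (without); running apply_nat for real requires root and firewalld.

```shell
# Added example, not the tutorial's own code: pick the egress interface
# from `ip route get` output without relying on field positions, then
# build the firewalld NAT commands from it. The sample route lines are
# constructed to match iproute2's output format.

# egress_iface_from TEXT: print the interface named after "dev" on the
# first line of TEXT; fail if there is none (e.g. "Network is unreachable")
egress_iface_from() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit } }
        END { if (!found) exit 1 }'
}

# egress_iface: the same, on the live routing table
egress_iface() {
    out=$(ip route get 8.8.8.8 2>/dev/null) || return 1
    egress_iface_from "$out"
}

# page_field_pick TEXT: the original guide's expression, kept to show the failure
page_field_pick() {
    printf '%s\n' "$1" | awk 'NR==1 {print $(NF-2)}'
}

# nat_cmds SUBNET IFACE: print the firewall-cmd commands for the VPN subnet
nat_cmds() {
    cat <<EOF
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE
firewall-cmd --reload
EOF
}

# apply_nat SUBNET: run the commands with the detected interface (needs
# root and firewalld); set DRY_RUN=1 to print them instead
apply_nat() {
    iface=$(egress_iface) || { echo "apply_nat: no default route found" >&2; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then
        nat_cmds "$1" "$iface"
    else
        nat_cmds "$1" "$iface" | sh -e
    fi
}

# Constructed samples of `ip route get 8.8.8.8` output: a current CentOS 8
# (uid printed), an older system (no uid), and a host with no route
SAMPLE_NEW='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 1000
    cache'
SAMPLE_OLD='8.8.8.8 via 192.0.2.1 dev eth0  src 192.0.2.10
    cache'
SAMPLE_NONE='RTNETLINK answers: Network is unreachable'
```

On the page's sample with uid, page_field_pick yields 192.0.2.10 while egress_iface_from yields eth0; without uid both agree. DRY_RUN=1 apply_nat 10.8.0.0/24 shows what would be run on the live system before you run it as root.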
Install and Use OpenVPN in Client Machine
Install epel-release and OpenVPN on the client machine, as you did on the server.
sudo dnf install epel-release -y
sudo dnf install openvpn -y
Now copy the client directory (ca.crt, client.crt, client.key and client.ovpn) from the server. client.key is the client's credential, so transfer it only over an encrypted channel such as scp and keep the copy readable only by the user who will run OpenVPN. Replace user with an account on the server that can read /etc/openvpn/client, and vpn-server-ip with the server's address.
sudo scp -r user@vpn-server-ip:/etc/openvpn/client .
Change into the copied directory and connect to the OpenVPN server (OpenVPN needs root to create the tun interface, and with this configuration it stays in the foreground).
cd client
sudo openvpn --config client.ovpn
In a second terminal, run the following command to see the IP address assigned to the tunnel (or ifconfig tun0 if net-tools is installed).
ip addr show tun0