How To Setup and Configure an OpenVPN Server on CentOS 7
We're going to install and configure OpenVPN on a CentOS 7 server. We'll also discuss how to connect a client to the server on Windows, OS X, and Linux.
OpenVPN is an open-source VPN application that lets you create and join a private network securely over the public Internet.
You should complete these prerequisites:
- CentOS 7 Droplet
- root access to the server (several steps cannot be completed with just sudo access)
- Domain or subdomain that resolves to your server that you can use for the certificates
Before we start we'll need to install the Extra Packages for Enterprise Linux (EPEL) repository. This is because OpenVPN isn't available in the default CentOS repositories. The EPEL repository is an additional repository managed by the Fedora Project containing non-standard but popular packages.
yum install epel-release
Step 1 — Installing OpenVPN
First we need to install OpenVPN. We'll also install Easy RSA for generating our SSL key pairs, which will secure our VPN connections.
yum install openvpn easy-rsa -y
Step 2 — Configuring OpenVPN
OpenVPN has example configuration files in its documentation directory. We're going to copy the sample
server.conf file as a starting point for our own configuration file.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Let's open the file for editing.
There are a few lines we need to change in this file. Most of the lines just need to be uncommented (remove the ;). Other changes are marked in red.
When we generate our keys later, the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes, so we need to change the
dh filename to
We need to uncomment the
push "redirect-gateway def1 bypass-dhcp" line, which tells the client to redirect all traffic through our OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
Next we need to provide DNS servers to the client, as it will not be able to use the default DNS servers provided by your Internet service provider. We're going to use Google's public DNS servers,
Do this by uncommenting the
push "dhcp-option DNS lines and updating the IP addresses.
push "dhcp-option DNS 18.104.22.168" push "dhcp-option DNS 22.214.171.124"
We want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of
nobody. To enable this you'll need to uncomment these lines:
user nobody group nobody
Save and exit the OpenVPN server configuration file.
Step 3 — Generating Keys and Certificates
Now that the server is configured we'll need to generate our keys and certificates. Easy RSA installs some scripts to generate these keys and certificates.
Let's create a directory for the keys to go in.
mkdir -p /etc/openvpn/easy-rsa/keys
We also need to copy the key and certificate generation scripts into the directory.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
To make life easier for ourselves we're going to edit the default values the script
uses so we don't have to type our information in each time. This information is stored
vars file so let's open this for editing.
We're going to be changing the values that start with
KEY_. Update the following values to be accurate for your organization.
The ones that matter the most are:
KEY_NAME: You should enter
serverhere; you could enter something else, but then you would also have to update the configuration files that reference
KEY_CN: Enter the domain or subdomain that resolves to your server
For the other values, you can enter information for your organization based on the variable name.
. . . # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="NY" export KEY_CITY="New York" export KEY_ORG="DigitalOcean" export KEY_EMAIL="firstname.lastname@example.org" export KEY_OU="Community" # X509 Subject Field export KEY_NAME="server" . . . export KEY_CN=openvpn.example.com . . .
We're also going to remove the chance of our OpenSSL configuration not loading due to the version being undetectable. We're going to do this by copying the required configuration file and removing the version number.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
To start generating our keys and certificates we need to move into our
easy-rsa directory and source in our new variables.
cd /etc/openvpn/easy-rsa source ./vars
Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.
When you build the certificate authority, you will be asked to enter all the information we put into the
vars file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.
The next things we need to generate will are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.
We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or two to complete:
That's it for our server keys and certificates. Copy them all into our OpenVPN directory.
cd /etc/openvpn/easy-rsa/keys cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it's best to generate separate keys and certificates for each client you intend on connecting.
Make sure that if you do this you give them descriptive names, but for now we're going to have one client so we'll just call it
cd /etc/openvpn/easy-rsa ./build-key client
That's it for keys and certificates.
Step 4 — Routing
To keep things simple we're going to do our routing directly with iptables rather than the new firewalld.
First, make sure the iptables service is installed and enabled.
yum install iptables-services -y systemctl mask firewalld systemctl enable iptables systemctl stop firewalld systemctl start iptables iptables --flush
Next we'll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables-save > /etc/sysconfig/iptables
Then we must enable IP forwarding in
sysctl.conf for editing.
Add the following line at the top of the file:
net.ipv4.ip_forward = 1
Then restart the network service so the IP forwarding will take effect.
systemctl restart network.service
Step 5 — Starting OpenVPN
Now we're ready to run our OpenVPN service. So lets add it to
systemctl -f enable email@example.com
systemctl start firstname.lastname@example.org
Well done; that's all the server-side configuration done for OpenVPN.
Next we'll talk about how to connect a client to the server.
Step 6 — Configuring a Client
Regardless of your client machine's operating system, you will definitely need a copy of the ca certificate from the server, along with the client key and certificate.
Locate the following files on the server. If you generated multiple client keys with unique descriptive names, then the key and certificate names will be different. In this article we used
/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/client.crt /etc/openvpn/easy-rsa/keys/client.key
Copy these three files to your client machine. You can use SFTP or your preferred method. You could even open the files in your text editor and copy and paste the contents into new files on your client machine.
Just make sure you make a note of where you save them.
We're going to create a file called
client.ovpn. This is a configuration file for an OpenVPN client, telling it how to connect to the server.
- You'll need to change the first line to reflect the name you gave the client in your key and certificate; in our case, this is just
- You also need to update the IP address from
your_server_ipto the IP address of your server; port
1194can stay the same
- Make sure the paths to your key and certificate files are correct
client dev tun proto udp remote your_server_ip 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 ca /path/to/ca.crt cert /path/to/client.crt key /path/to/client.key
This file can now be used by any OpenVPN client to connect to your server.
On Windows, you will need the official OpenVPN Community Edition binaries which come with a GUI. Then, place your
.ovpn configuration file into the proper directory,
C:\Program Files\OpenVPN\config, and click Connect in the GUI. OpenVPN GUI on Windows must be executed with administrative privileges.
On Mac OS X, the open source application Tunnelblick provides an interface similar to the OpenVPN GUI on Windows, and comes with OpenVPN and the required TUN/TAP drivers. As with Windows, the only step required is to place your
.ovpn configuration file into the
~/Library/Application directory. Or, you can double-click on your
On Linux, you should install OpenVPN from your distribution's official repositories. You can then invoke OpenVPN by executing:
sudo openvpn --config ~/path/to/client.ovpn
Congratulations! You should now have a fully operational virtual private network running on your OpenVPN server.
After you establish a successful client connection, you can verify that your traffic is being routed through the VPN by checking Google to reveal your public IP.