How to Install and Configure OpenVPN Server in CentOS 8/7

A Virtual Private Network is a technology solution used to provide privacy and security for inter-network connections. The most well-known case consists of people connecting to a remote server with traffic going through a public or insecure network (such as the Internet).

Picture the following scenarios:

OpenVPN Network Diagram
OpenVPN Network Diagram

In this article, we will explain how to set up a VPN server in an RHEL/CentOS 8/7 box using OpenVPN, a robust and highly flexible tunneling application that uses encryption, authentication, and certification features of the OpenSSL library. For simplicity, we will only consider a case where the OpenVPN server acts as a secure Internet gateway for a client.

For this setup, we’ve used three machines, the first one acts as an OpenVPN server, and the other two (Linux and Windows) act as a client to connect to remote OpenVPN Server.

Note: The same instructions also work on RHEL 8/7 and Fedora systems.

Installing OpenVPN Server in CentOS 8

1. To install OpenVPN in an RHEL/CentOS 8/7 server, you will first have to enable the EPEL repository and then install the package. This comes with all the dependencies needed to install the OpenVPN package.

# yum update
# yum install epel-release

2. Next, we will download OpenVPN’s installation script and set up the VPN. Before downloading and running the script, it’s important that you find your server’s Public IP address as this will come in handy when setting up the OpenVPN server.

An easy way to do that is to use the curl command as shown:

$ curl ifconfig.me
Check CentOS Server IP Address
Check CentOS Server IP Address

Alternatively, you can invoke the dig command as follows:

$ dig +short myip.opendns.com @resolver1.opendns.com
Find CentOS Server IP Address
Find CentOS Server IP Address

If you get into an error “dig: command not found” install the dig utility by running the command:

$ sudo yum install bind-utils

This should resolve the problem.

A Note About Public IP Addresses

Cloud servers will usually have 2 types of IP addresses:

  • A single Public IP address: If you have a VPS on Cloud platforms such as Linode, Cloudcone, or Digital Ocean, you will usually find a single Public IP address attached to it.
  • A private IP address behind NAT with a public IP: This is the case with an EC2 instance on AWS or a compute instance on Google Cloud.

Whichever the IP addressing scheme, the OpenVPN script will automatically detect your VPS network setup and all you have to do is to provide the associated Public or Private IP address.

3. Now let’s proceed and download the OpenVPN installation script, run the command shown.

$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
Download OpenVPN Script
Download OpenVPN Script

4. When the download is complete, assign execute permissions and run the shell script as shown.

$ sudo chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

The installer takes you through a series of prompts:

5. First, you will be prompted to provide your server’s public IP address. Thereafter, it’s recommended to go with the default options such as default port number (1194) and protocol to use (UDP).

Install OpenVPN in CentOS 8
Install OpenVPN in CentOS 8

6. Next, select the default DNS resolvers and select the No option ( n ) for both compression and encryption settings.

Configure DNS for OpenVPN
Configure DNS for OpenVPN

7. Once done, the script will initialize the setup of the OpenVPN server along with the installation of the other software packages and dependencies.

OpenVPN Installation on CentOS 8
OpenVPN Installation on CentOS 8

8. Lastly, a client configuration file will be generated using the easy-RSA package which is a command-line tool used for managing security certificates.

Simply provide the name of the client and go with the default selections. The client file will be stored in your home directory with a .ovpn file extension.

OpenVPN Client Configuration with Easy-RSA
OpenVPN Client Configuration with Easy-RSA

9. Once the script is done setting up the OpenVPN server and creating the client configuration file, a tunnel interface tun0 will be spawned. This is a virtual interface where all traffic from the client PC will be tunnelled to the server.

OpenVPN Tunnel Interface
OpenVPN Tunnel Interface

10. Now, you can start and check the status of the OpenVPN server as shown.

$ sudo systemctl start [email protected]
$ sudo systemctl status [email protected]
Check OpenVPN Server Status
Check OpenVPN Server Status

How to Configure OpenVPN Client in Linux

11. Now head over to the client system and install EPEL repository and OpenVPN software packages.

$ sudo dnf install epel-release -y
$ sudo dnf install openvpn -y

12. Once installed, you need to copy the client configuration file from the OpenVPN server to your client system. You can do this using the scp command as shown

$ sudo scp -r [email protected]:/home/tecmint/tecmint01.ovpn .
Copy OpenVPN Client Configuration
Copy OpenVPN Client Configuration

13. Once the client file is downloaded to your Linux system, you can now initialize a connection to the VPN server, using the command:

$ sudo openvpn --config tecmint01.ovpn

You will get output similar to what we have below.

Connect to OpenVPN
Connect to OpenVPN

14. A new routing table is created and a connection is established with the VPN server. Again, a virtual interface tunnel interface tun0 is created on the client system.

As mentioned earlier, this is the interface that will tunnel all traffic securely to the OpenVPN server via an SSL tunnel. The interface is assigned an IP address dynamically by the VPN server. As you can see, our client Linux system has been assigned an IP address of 10.8.0.2 by the OpenVPN server.

$ ifconfig
Confirm OpenVPN Network Connection
Confirm OpenVPN Network Connection

15. Just to be certain that we are connected to the OpenVPN server, we are going to verify the public IP.

$ curl ifconfig.me
Verify OpenVPN Client IP
Verify OpenVPN Client IP

And voila! our client system has picked the VPN’s public IP confirming that indeed we are connected to the OpenVPN server. Alternatively, you can fire up your browser and Google search “What is my IP address” to confirm that your public IP has changed to that of the OpenVPN server.

Check Your IP Address
Check Your IP Address

How to Configure OpenVPN Client on Windows

16. On Windows, you will need to download the official OpenVPN Community Edition binaries that come with a GUI.

17. Next, download your .ovpn configuration file into the C:\Program Files\OpenVPN\config directory and as an Administrator, start OpenVPN GUI from Start –> All programs –> OpenVPN, and it will be launched in the background.

18. Now fire up a browser and open http://whatismyip.org/ and you should see the IP of your OpenVPN server instead of the public IP provided by your ISP:

Summary

In this article, we have explained how to set up and configure a VPN server using OpenVPN, and how to set up two remote clients (a Linux box and a Windows machine). You can now use this server as a VPN gateway to secure your web browsing activities. With a little extra effort (and another remote server available) you can also set up a secure file/database server, to name a few examples.

We look forward to hearing from you, so feel free to drop us a note using the form below. Comments, suggestions, and questions about this article are most welcome.

James Kiarie
This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm taking listening to some cool music. taking a casual stroll or watching a nice movie.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

30 thoughts on “How to Install and Configure OpenVPN Server in CentOS 8/7”

  1. Hello,

    I have setup the OpenVPN however whenever I connect to the VPN, I cannot access my internal network appliances. How can I get this working?

    Please advise.

    Reply
  2. Why you skip important moments about firewalls?

    How to open port and redirect tun0 to eth0 for the internet? without it I can connect to vpnserver, but there is no internet.

    Reply
  3. Please help me.

    $ sudo systemctl status [email protected]
    
    Sample Output


    [email protected] - OpenVPN service for server
    Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor>
    Active: active (running) since Tue 2020-10-27 10:30:47 +05; 1min 38s ago
    Docs: man:openvpn(8)
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
    https://community.openvpn.net/openvpn/wiki/HOWTO
    Main PID: 63764 (openvpn)
    Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 23956)
    Memory: 1.5M
    CGroup: /system.slice/system-openvpn\x2dserver.slice/[email protected]>
    └─63764 /usr/sbin/openvpn --status /run/openvpn-server/status-server>

    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: Could not determine IPv4/IPv6 protoco>
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: Socket Buffers: R=[212992->212992] S=>
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: UDPv4 link local (bound): [AF_INET][u>
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: UDPv4 link remote: [AF_UNSPEC]
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: GID set to nobody
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: UID set to nobody
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: MULTI: multi_init called, r=256 v=256
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: IFCONFIG POOL: base=10.8.0.2 size=252>
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: IFCONFIG POOL LIST
    Oct 27 10:30:47 ubtuitvpn openvpn[63764]: Initialization Sequence Completed
    lines 1-23/23 (END)

    Reply
  4. After executing below command, getting following error..

    # systemctl start openvpn@server
    

    Job for [email protected] failed because the control process exited with error code. See “systemctl status [email protected]” and “journalctl -xe” for details.

    Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.

    Reply
    • Fedora have simplified how this works now but NOWHERE seems to have bothered to document it.

      You put server.conf files into /etc/openvpn/server/ and clients into /etc/openvpn/client/. This way you can easily enable/disable them without changing the service file.

      Simply issue systemctl enable openvpn-server@config where the bit after the @ is the name of your conf file without the conf at the end.

      Reply
  5. Great walkthrough thanks a lot!

    One question:
    Where do client.ca and client.key come from? do I have to generate them on my client (windows)?

    Thanks

    Reply
    • Got it.

      On the second page instead of downloading the server.crt and server.key to my client I should have downloaded the client.crt/key I generated earlier. Makes sense.

      Reply
  6. [root@localhost user]# yum install openvpn
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    * base: mirrors.vooservers.com
    * extras: mirror.vorboss.net
    * updates: mirror.mhd.uk.as44574.net
    No package openvpn available.
    Error: Nothing to do

    Reply
    • @Big Ian,

      Have you installed epel-release package on the system? if not first install it as shown:

      # yum install epel-release
      

      Once epel installed, you can install openvpn.

      # yum install openvpn
      
      Reply
    • @testsubject,
      I am not really sure exactly what part of this article you are referring to. Please clarify (section and exact command where you see the error).

      Reply
  7. Hi,
    is there an error in that sentence?
    To set up a client (regardless of the distribution or operating system) you will need to copy the ca.crt, server.crt, and server.key files from /etc/openvpn/rsa/keys.

    wouldn’t be the client.crt and client.key files copied instead?

    Reply

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.