A Virtual Private Network is a technology solution used to provide privacy and security for inter-network connections. The most well-known case consists of people connecting to a remote server with traffic going through a public or insecure network (such as the Internet).
Picture the following scenarios:
In this article we will explain how to set up a VPN server in a RHEL/CentOS 8/7 box using OpenVPN, a robust and highly flexible tunneling application that uses the encryption, authentication, and certification features of the OpenSSL library. For simplicity we will only consider a case where the OpenVPN server acts as a secure Internet gateway for a client.
For this setup, we’ve used three machines, the first one act as a OpenVPN server and other two (Linux and Windows) act as a clients to connect to remote OpenVPN Server.
Note: The same instructions also works on RHEL/CentOS 6 and Fedora systems..
Installing OpenVPN Server in CentOS 8
1. To install OpenVPN in a RHEL/CentOS 8/7 server, you will first have to enable the EPEL repository and then install the package. This comes with all the dependencies needed to install the OpenVPN package.
# yum update # yum install epel-release
2. Next, we will download OpenVPN’s installation script and set up the VPN. Before downloading and running the script, it’s important that you find your server’s Public IP address as this will come in handy when setting up the OpenVPN server.
An easy way to do that is to use the curl command as shown:
$ curl ifconfig.me
Alternatively, you can invoke the dig command as follows:
$ dig +short myip.opendns.com @resolver1.opendns.com
If you get into an error “dig: command not found” install the dig utility by running the command:
$ sudo yum install bind-utils
This should resolve the problem.
A Note About Public IP Addresses
Cloud servers will usually have 2 types of IP addresses:
- A single Public IP address: If you have a VPS on Cloud platforms such as Linode, Cloudcone, or Digital Ocean, you will usually find a single Public IP address attached to it.
- A private IP address behind NAT with a public IP: This is the case with an EC2 instance on AWS or a compute instance on Google Cloud.
Whichever the IP addressing scheme, the OpenVPN script will automatically detect your VPS network setup and all you have to do is to provide the associated Public or Private IP address.
3. Now let’s proceed and download the OpenVPN installation script, run the command shown.
$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
4. When the download is complete, assign execute permissions and run the shell script as shown.
$ sudo chmod +x openvpn-install.sh $ sudo ./openvpn-install.sh
The installer takes you through a series of prompts:
5. First, you will be prompted to provide your server’s public IP address. Thereafter, it’s recommended to go with the default options such as default port number (1194) and protocol to use (UDP).
6. Next, select the default DNS resolvers and select the No option
( n ) for both compression and encryption settings.
7. Once done, the script will initialize the setup of the OpenVPN server along with the installation of the other software packages and dependencies.
8. Lastly, a client configuration file will be generated using the easy-RSA package which is a command-line tool used for managing security certificates.
Simply provide the name of the client and go with the default selections. The client file will be stored in your home directory with a .ovpn file extension.
9. Once the script is done setting up the OpenVPN server and creating the client configuration file, a tunnel interface
tun0 will be spawned. This is a virtual interface where all traffic from the client PC will be tunnelled to the server.
10. Now, you can start and check the status of the OpenVPN server as shown.
$ sudo systemctl start [email protected] $ sudo systemctl status [email protected]
How to Configure OpenVPN Client and Testing
11. Now head over to the client system and install EPEL repository and OpenVPN software packages.
$ sudo dnf install epel-release -y $ sudo dnf install openvpn -y
12. Once installed, you need to copy the client configuration file from the OpenVPN server to your client system. You can do this using the scp command as shown
$ sudo scp -r [email protected]:/home/tecmint/tecmint01.ovpn .
13. Once the client file is downloaded to your Linux system, you can now initialize a connection to the VPN server, using the command:
$ sudo openvpn --config tecmint01.ovpn
You will get output similar to what we have below.
14. A new routing table is created and a connection is established with the VPN server. Again, a virtual interface tunnel interface
tun0 is created on the client system.
As mentioned earlier, this is the interface that will tunnel all traffic securely to the OpenVPN server via an SSL tunnel. The interface is assigned an IP address dynamically by the VPN server. As you can see, our client Linux system has been assigned an IP address of 10.8.0.2 by the OpenVPN server.
15. Just to be certain that we are connected to the OpenVPN server, we are going to verify the public IP.
$ curl ifconfig.me
And voila! our client system has picked the VPN’s public IP confirming that indeed we are connected to the OpenVPN server. Alternatively, you can fire up your browser and Google search “What is my IP address” to confirm that your public IP has changed to that of the OpenVPN server.
As Administrator, start OpenVPN GUI from Start –> All programs –> OpenVPN, and it will be launched in the background.
Now fire up a browser and open http://whatismyip.org/ and you should see the IP of your OpenVPN server instead of the public IP provided by your ISP:
Although in this article we used the generic name server for our VPN server, you can use another name if you want. If that is the case, you will need to rename the configuration file (server.conf) to somethingelse.conf and edit the following lines in the that file:
ca somethingelse.crt cert somethingelse.crt key somethingelse.key # This file should be kept secret
In addition, you can have the VPN service start automatically on boot in the Linux client by adding the following line as a crontab entry:
@reboot /usr/bin/openvpn --config /path/to/client.ovpn
Finally, to set up the required routing as shown in the first image of this article (to enable communication with another machine on the other end of the VPN server), we will need to enable IP forwarding by setting in /etc/sysctl.conf (for future reboots).
net.ipv4.ip_forward = 1
# sysctl -w net.ipv4.ip_forward=1
for the setting to take effect immediately.
In this article we have explained how to set up and configure a VPN server using OpenVPN, and how to set up two remote clients (a Linux box and a Windows machine). You can now use this server as a VPN gateway to secure your web browsing activities. With a little extra effort (and another remote server available) you can also set up a secure file / database server, to name a few examples.
We look forward to hearing from you, so feel free to drop us a note using the form below. Comments, suggestions, and questions about this article are most welcome.