How to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL/CentOS 7

A Virtual Private Network is a technology solution used to provide privacy and security for inter-network connections. The most well-known case consists of people connecting to a remote server with traffic going through a public or insecure network (such as the Internet).

Picture the following scenarios:

OpenVPN Network Diagram

In this article we will explain how to set up a VPN server in a RHEL/CentOS 8/7 box using OpenVPN, a robust and highly flexible tunneling application that uses the encryption, authentication, and certification features of the OpenSSL library. For simplicity we will only consider a case where the OpenVPN server acts as a secure Internet gateway for a client.

For this setup, we’ve used three machines: the first one acts as the OpenVPN server, and the other two (Linux and Windows) act as clients that connect to the remote OpenVPN server.

Note: The same instructions also work on RHEL/CentOS 6 and Fedora systems.

Installing OpenVPN Server in CentOS 8

1. To install OpenVPN in a RHEL/CentOS 8/7 server, you will first have to enable the EPEL repository and then install the package. This comes with all the dependencies needed to install the OpenVPN package.

# yum update
# yum install epel-release

2. Next, we will download OpenVPN’s installation script and set up the VPN. Before downloading and running the script, it’s important that you find your server’s Public IP address as this will come in handy when setting up the OpenVPN server.

An easy way to do that is to use the curl command as shown:

$ curl ifconfig.me
Check CentOS Server IP Address

Alternatively, you can invoke the dig command as follows:

$ dig +short myip.opendns.com @resolver1.opendns.com
Find CentOS Server IP Address

If you run into the error “dig: command not found”, install the dig utility by running the command:

$ sudo yum install bind-utils

This should resolve the problem.

A Note About Public IP Addresses

Cloud servers will usually have 2 types of IP addresses:

  • A single Public IP address: If you have a VPS on Cloud platforms such as Linode, Cloudcone, or Digital Ocean, you will usually find a single Public IP address attached to it.
  • A private IP address behind NAT with a public IP: This is the case with an EC2 instance on AWS or a compute instance on Google Cloud.

Whichever the IP addressing scheme, the OpenVPN script will automatically detect your VPS network setup and all you have to do is to provide the associated Public or Private IP address.

3. Now download the OpenVPN installation script by running the command shown.

$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
Download OpenVPN Script

4. When the download is complete, assign execute permissions and run the shell script as shown.

$ sudo chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh
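
Steps 3 and 4 fetch a script from the master branch and run it as root, so whatever that branch holds at download time executes with full privileges. The following sketch is an added example, not part of the original article or the openvpn-install project: it refuses to run the installer unless its SHA-256 matches a digest you recorded after reviewing it. `EXPECTED_SHA256` and the `<commit>` in the URL comment are placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the article): gate the root run on a pinned digest.
# Fetch a fixed revision instead of master; <commit> is a placeholder:
#   wget https://raw.githubusercontent.com/Angristan/openvpn-install/<commit>/openvpn-install.sh

# Placeholder: the digest of the copy you actually read and approved.
EXPECTED_SHA256="<sha256-of-the-reviewed-script>"

# Print the lowercase hex SHA-256 of FILE.
file_sha256() {
    sha256sum -- "$1" | awk '{print $1}'
}

# verify_installer FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if the file or digest is unusable.
verify_installer() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Require a regular file, not a symlink that could be swapped later.
    [ -f "$file" ] && [ ! -L "$file" ] || return 2
    # Require exactly 64 hex characters so a blank or placeholder never "matches".
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(file_sha256 "$file") || return 2
    [ "$actual" = "$expected" ] || return 1
}

# run_if_verified FILE EXPECTED: run the installer as root only after the check.
run_if_verified() {
    local file=$1 expected=$2 rc=0
    verify_installer "$file" "$expected" || rc=$?
    case $rc in
        0) sudo bash -- "$file" ;;
        1) echo "digest mismatch: $file is not the reviewed copy" >&2; return 1 ;;
        *) echo "cannot verify $file (missing file or malformed digest)" >&2; return 2 ;;
    esac
}

# Usage: run_if_verified openvpn-install.sh "$EXPECTED_SHA256"
```
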

The installer takes you through a series of prompts:

5. First, you will be prompted to provide your server’s public IP address. Thereafter, it’s recommended to go with the default options such as default port number (1194) and protocol to use (UDP).

Install OpenVPN in CentOS 8

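6. Next, select the default DNS resolvers and answer No ( n ) to both the compression prompt and the prompt to customize the encryption settings. Declining customization keeps the script’s default encryption settings; it does not turn encryption off.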

Configure DNS for OpenVPN

7. Once done, the script will initialize the setup of the OpenVPN server along with the installation of the other software packages and dependencies.

OpenVPN Installation on CentOS 8

8. Lastly, a client configuration file will be generated using the easy-RSA package which is a command-line tool used for managing security certificates.

Simply provide the name of the client and go with the default selections. The client file will be stored in your home directory with a .ovpn file extension.

OpenVPN Client Configuration with Easy-RSA

9. Once the script is done setting up the OpenVPN server and creating the client configuration file, a tunnel interface tun0 will be spawned. This is a virtual interface where all traffic from the client PC will be tunnelled to the server.

OpenVPN Tunnel Interface

10. Now, you can start and check the status of the OpenVPN server as shown.

$ sudo systemctl start [email protected]
$ sudo systemctl status [email protected]
Check OpenVPN Server Status

How to Configure OpenVPN Client and Testing

11. Now head over to the client system and install the EPEL repository and the OpenVPN software package.

$ sudo dnf install epel-release -y
$ sudo dnf install openvpn -y

12. Once installed, you need to copy the client configuration file from the OpenVPN server to your client system. You can do this using the scp command as shown.

$ sudo scp -r [email protected]:/home/tecmint/tecmint01.ovpn .
Copy OpenVPN Client Configuration
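
The .ovpn profile copied in step 12 is a credential, not just a settings file. This sketch assumes the client's private key is embedded inline in a `<key>` block, as in profiles produced by the install script used above, and checks that such a profile is not readable by group or others. It is an added example, not part of the original article; the function names are hypothetical and `stat -c` is the GNU coreutils form.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit a client profile before use.

# has_inline_key FILE -> 0 if the profile embeds a private key block.
has_inline_key() {
    grep -q -e '^<key>' -e '-----BEGIN .*PRIVATE KEY-----' -- "$1"
}

# profile_mode FILE -> prints the octal permission bits, e.g. 600 (GNU stat).
profile_mode() {
    stat -c '%a' -- "$1"
}

# audit_profile FILE
# Returns 0 = acceptable, 1 = embedded key readable by group/others,
#         2 = FILE is not a regular file or cannot be inspected.
audit_profile() {
    local file=$1 mode
    [ -f "$file" ] || return 2
    # A profile without key material needs no special protection.
    has_inline_key "$file" || return 0
    mode=$(profile_mode "$file") || return 2
    # Any bit set in the group/other positions (mask 077) is too permissive.
    [ $(( 0$mode & 077 )) -eq 0 ] || return 1
}

# harden_profile FILE: restrict to owner read/write, then re-audit.
harden_profile() {
    chmod 600 -- "$1" && audit_profile "$1"
}

# Usage: audit_profile tecmint01.ovpn || harden_profile tecmint01.ovpn
```
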

13. Once the client file is downloaded to your Linux system, you can now initialize a connection to the VPN server, using the command:

$ sudo openvpn --config tecmint01.ovpn

You will get output similar to what we have below.

Connect to OpenVPN

14. A new routing table is created and a connection is established with the VPN server. Again, a virtual tunnel interface tun0 is created on the client system.

As mentioned earlier, this is the interface that will tunnel all traffic securely to the OpenVPN server via an SSL tunnel. The interface is assigned an IP address dynamically by the VPN server. As you can see, our client Linux system has been assigned an IP address of 10.8.0.2 by the OpenVPN server.

$ ifconfig
Confirm OpenVPN Network Connection

15. Just to be certain that we are connected to the OpenVPN server, we are going to verify the public IP.

$ curl ifconfig.me
Verify OpenVPN Client IP

And voilà! Our client system has picked up the VPN’s public IP, confirming that we are indeed connected to the OpenVPN server. Alternatively, you can fire up your browser and Google search “What is my IP address” to confirm that your public IP has changed to that of the OpenVPN server.

Check Your IP Address

On Windows:

As Administrator, start OpenVPN GUI from Start –> All programs –> OpenVPN, and it will be launched in the background.

Now fire up a browser and open http://whatismyip.org/ and you should see the IP of your OpenVPN server instead of the public IP provided by your ISP:

OpenVPN Client Connection

Final Considerations

Although in this article we used the generic name server for our VPN server, you can use another name if you want. If that is the case, you will need to rename the configuration file (server.conf) to somethingelse.conf and edit the following lines in that file:

ca somethingelse.crt
cert somethingelse.crt
key somethingelse.key  # This file should be kept secret

In addition, you can have the VPN service start automatically on boot in the Linux client by adding the following line as a crontab entry:

@reboot /usr/bin/openvpn --config /path/to/client.ovpn

Finally, to set up the required routing as shown in the first image of this article (to enable communication with another machine on the other end of the VPN server), we will need to enable IP forwarding by setting the following in /etc/sysctl.conf (so that it persists across reboots):

net.ipv4.ip_forward = 1

and running

# sysctl -w net.ipv4.ip_forward=1

for the setting to take effect immediately.

Summary

In this article we have explained how to set up and configure a VPN server using OpenVPN, and how to set up two remote clients (a Linux box and a Windows machine). You can now use this server as a VPN gateway to secure your web browsing activities. With a little extra effort (and another remote server available) you can also set up a secure file / database server, to name a few examples.

20 thoughts on “How to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL/CentOS 7”

    • Fedora have simplified how this works now but NOWHERE seems to have bothered to document it.

      You put server.conf files into /etc/openvpn/server/ and clients into /etc/openvpn/client/. This way you can easily enable/disable them without changing the service file.

      Simply issue systemctl enable [email protected] where the bit after the @ is the name of your conf file without the conf at the end.

  1. Great walkthrough thanks a lot!

    One question:
    Where do client.ca and client.key come from? do I have to generate them on my client (windows)?

    Thanks

    • Got it.

      On the second page instead of downloading the server.crt and server.key to my client I should have downloaded the client.crt/key I generated earlier. Makes sense.

