How to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL/CentOS 7

A Virtual Private Network is a technology solution used to provide privacy and security for inter-network connections. The most well-known case consists of people connecting to a remote server with traffic going through a public or insecure network (such as the Internet).

Picture the following scenarios:

OpenVPN Network Diagram

In this article we will explain how to set up a VPN server in a RHEL/CentOS 7 box using OpenVPN, a robust and highly flexible tunneling application that uses the encryption, authentication, and certification features of the OpenSSL library. For simplicity we will only consider a case where the OpenVPN server acts as a secure Internet gateway for a client.

For this setup, we’ve used three machines: the first one acts as the OpenVPN server and the other two (Linux and Windows) act as clients connecting to the remote OpenVPN server.

Note: The same instructions also work on RHEL/CentOS 6 and Fedora systems.

Installing OpenVPN Server

To install OpenVPN on a RHEL/CentOS 7 server, you will first have to enable the EPEL repository and then install the package, along with easy-rsa – a small package of scripts used for RSA key management and for building certificates.

# yum update && yum install epel-release
# yum install openvpn easy-rsa

When the installation completes, head over to the sample configuration files directory:

# cd /usr/share/doc/openvpn-*/sample/sample-config-files/

and copy the server.conf file to /etc/openvpn:

# cp server.conf /etc/openvpn

Now we’re ready to start configuring the server.

Generate Keys and Certificates

The easy-rsa package provides several scripts as utilities, located inside /usr/share/easy-rsa/2.0 after installation, to generate keys and certificates. For our convenience, we are going to copy those files into /etc/openvpn/rsa (you need to create this directory first). Enter y if prompted to overwrite the existing files:

# mkdir /etc/openvpn/rsa
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa

Generate OpenVPN Keys and Certificates

Next, we will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs (fields are self-explanatory):

export KEY_SIZE=2048
export CA_EXPIRE=365
export KEY_EXPIRE=365
export KEY_COUNTRY=AR
export KEY_PROVINCE=SL
export KEY_CITY="VillaMercedes"
export KEY_ORG="Tecmint.com"
export KEY_EMAIL="[email protected]"
export KEY_NAME="GabrielCanepa"

And source the file to export the variables and their values to the current environment (you will need them in the next step). You will see a message informing you of the purpose of the clean-all script (also present in the same directory):

# source ./vars

Export Keys and Certificates

Now run the following scripts from the keys directory, in the specified order.

# ./clean-all

The build-ca script will create a Certificate Authority (certificate + key) in /etc/openvpn/rsa/keys. Press Enter to accept the default values:

# ./build-ca

OpenVPN Certificate Authority Key

Next, we will create the key and the certificate for the server itself. As before, accept the default values and then press y to confirm the signing of the certificate:

# ./build-key-server server

Create Keys and Certificates for Server

Next, generate the Diffie-Hellman parameters, used for the key exchange that complements the RSA certificates (this will take quite some time). This creates a file named dh2048.pem inside /etc/openvpn/rsa/keys:

# ./build-dh

Finally, create separate certificate files for each client that will use your VPN server (change client to a name of your choosing):

# ./build-key client

The above step will create a certificate and key for a client. Follow the same steps as before to complete the process. Later in this tutorial we will download these files to a client that will use them to connect to the VPN server.
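Before copying the client files anywhere, it is worth confirming that what build-key produced actually belongs together: the certificate chains to our CA, the private key matches it, and it will not expire under our feet. The script below is an added example, not part of the article or of easy-rsa; verify_vpn_pki and make_demo_pki are hypothetical helpers, and the demo generates a throwaway CA and client pair with openssl in place of the files in /etc/openvpn/rsa/keys.

```shell
#!/bin/sh
# Added example (not from the article or easy-rsa): sanity-check a
# certificate/key pair against the CA before handing it to a client.
# Returns 0 when all checks pass, otherwise the number of the failed check.
verify_vpn_pki() {
    ca="$1"; crt="$2"; key="$3"; min_days="${4:-30}"
    # 1. The certificate chains to our CA and is within its validity period.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt is not signed by $ca (or is expired)" >&2; return 1
    fi
    # 2. The private key really belongs to this certificate: compare the
    #    public key embedded in the cert with the one derived from the key.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$pub_crt" != "$pub_key" ]; then
        echo "FAIL: $key does not match $crt" >&2; return 2
    fi
    # 3. Warn before the KEY_EXPIRE=365 window runs out (-checkend takes seconds).
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $crt expires within $min_days days; renew it" >&2; return 3
    fi
    echo "OK: $crt is signed by $ca, matches $key and is valid for $min_days+ days"
}

# Constructed input: a throwaway CA and client pair standing in for the
# easy-rsa output in /etc/openvpn/rsa/keys (hypothetical helper).
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/client.crt" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
verify_vpn_pki "$demo/ca.crt" "$demo/client.crt" "$demo/client.key"
rm -rf "$demo"
```

Against the real PKI, call it as verify_vpn_pki ca.crt client.crt client.key from /etc/openvpn/rsa/keys; the same check with server.crt and server.key catches a server pair that was regenerated without re-signing.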

Configuring the OpenVPN Server

Let’s now dive into /etc/openvpn/server.conf:

1. Specify the length of the Diffie-Hellman parameters. Don’t use a value below 2048 if you don’t want to expose yourself to security threats:

dh /etc/openvpn/rsa/keys/dh2048.pem

2. All IP traffic (such as web browsing and DNS lookups) should go through the VPN. Make sure the following line is uncommented:

push "redirect-gateway def1 bypass-dhcp"

3. As a consequence of #2, you need to specify at least two DNS servers that will be used to resolve names. The default ones are provided by opendns.org and you can either use them or Google’s (8.8.8.8 and 8.8.4.4):

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

4. Finally, as a security measure, we will ensure that openvpn runs with the least privilege by changing the user and the group to nobody:

user nobody
group nobody

We also need to allow VPN traffic through firewalld and enable masquerading:

# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --add-service=openvpn
# firewall-cmd --permanent --add-masquerade
# firewall-cmd --add-masquerade

And copy the certificate and key files to /etc/openvpn (the following command assumes your current working directory is /etc/openvpn/rsa/keys):

# cp ca.crt server.crt server.key ../../
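Steps 1 to 4 are easy to leave half-done (a push line still commented out, only one DNS server, a key copied with a loose mode), so a quick audit of the finished server.conf pays off before starting the service. The script below is an added example and not from the article or the OpenVPN project; audit_openvpn_conf is a hypothetical helper, and the demo feeds it a constructed config carrying the article's settings rather than the real /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example (not from the article or OpenVPN itself): audit a server.conf
# for the hardening directives set in steps 1-4 plus the private key's mode.
# Findings go to stderr; the number of failed checks is echoed on stdout.
audit_openvpn_conf() {
    conf="$1"
    fails=0
    # Strip comments (# or ;) and blank lines so a commented-out directive,
    # e.g. ';push "redirect-gateway def1"', is not mistaken for an active one.
    active=$(grep -v -E '^[[:space:]]*(#|;|$)' "$conf" || true)
    has() { printf '%s\n' "$active" | grep -q -E "$1"; }
    fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

    has '^dh[[:space:]]+[^[:space:]]+' || fail "no dh directive"
    # Heuristic: easy-rsa names the file after its bit length (dh2048.pem),
    # so dh512/dh1024 files point at parameters the article says to avoid.
    ! has '^dh[[:space:]]+.*dh(512|1024)\.pem' || fail "DH parameters below 2048 bits"
    has '^push "redirect-gateway def1' || fail "redirect-gateway not pushed; client traffic would bypass the tunnel"
    dns=$(printf '%s\n' "$active" | grep -c -E '^push "dhcp-option DNS ' || true)
    [ "$dns" -ge 2 ] || fail "only $dns DNS server(s) pushed; step 3 asks for at least two"
    has '^user[[:space:]]+nobody$' || fail "daemon does not drop to user nobody"
    has '^group[[:space:]]+nobody$' || fail "daemon does not drop to group nobody"

    # The private key must not be group/world readable. Relative paths are
    # resolved against the config's directory here (/etc/openvpn in the article).
    key=$(printf '%s\n' "$active" | awk '$1 == "key" { print $2; exit }')
    case "$key" in
        "") fail "no key directive" ;;
        /*) ;;
        *)  key="$(dirname "$conf")/$key" ;;
    esac
    if [ -n "$key" ] && [ ! -f "$key" ]; then
        fail "key file $key not found"
    elif [ -n "$key" ] && ls -ld "$key" | cut -c5-10 | grep -q '[^-]'; then
        fail "$key is readable by group or others"
    fi
    echo "$fails"
}

# Demo on a constructed config carrying the article's settings (expects 0).
demo=$(mktemp -d)
printf '%s\n' 'key server.key' 'dh /etc/openvpn/rsa/keys/dh2048.pem' \
    'push "redirect-gateway def1 bypass-dhcp"' 'push "dhcp-option DNS 208.67.222.222"' \
    'push "dhcp-option DNS 208.67.220.220"' 'user nobody' 'group nobody' > "$demo/server.conf"
: > "$demo/server.key" && chmod 600 "$demo/server.key"
echo "failed checks: $(audit_openvpn_conf "$demo/server.conf")"
rm -rf "$demo"
```

Point it at the real file with audit_openvpn_conf /etc/openvpn/server.conf; a non-zero count means at least one of the hardening steps above did not take.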

Then enable the service:

# systemctl -f enable openvpn@server.service
# systemctl start openvpn@server.service

At this point it’s a good idea to check the status of the service.

# systemctl -l status openvpn@server.service

If it failed to start,

# journalctl -xn

will provide the debug information needed to troubleshoot the issue.


Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.


19 Responses

  1. ashawini says:

    Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server. Not able to start openvpn services.

  2. kapali says:

    After executing the below command, I get the following error:

    # systemctl start openvpn@server.service

    Job for openvpn@server.service failed because the control process exited with error code. See “systemctl status openvpn@server.service” and “journalctl -xe” for details.

    Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.

    • Alex Atkin UK says:

      Fedora have simplified how this works now but NOWHERE seems to have bothered to document it.

      You put server.conf files into /etc/openvpn/server/ and clients into /etc/openvpn/client/. This way you can easily enable/disable them without changing the service file.

      Simply issue systemctl enable [email protected] where the bit after the @ is the name of your conf file without the conf at the end.

  3. Chen says:

    Great walkthrough thanks a lot!

    One question:
    Where do client.ca and client.key come from? Do I have to generate them on my client (Windows)?

    Thanks

    • Chen says:

      Got it.

      On the second page instead of downloading the server.crt and server.key to my client I should have downloaded the client.crt/key I generated earlier. Makes sense.

  4. bhujji says:

    [[email protected] keys]# systemctl -l status [email protected]
    Unit [email protected] could not be found.
    [[email protected] keys]# systemctl -l status [email protected]
    Unit [email protected] could not be found.
    [[email protected] keys]# systemctl -l status [email protected]
    Unit [email protected] could not be found.
