How to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL/CentOS 7

A Virtual Private Network is a technology solution used to provide privacy and security for inter-network connections. The most well-known case consists of people connecting to a remote server with traffic going through a public or insecure network (such as the Internet).

Picture the following scenarios:

OpenVPN Network Diagram

In this article we will explain how to set up a VPN server in a RHEL/CentOS 7 box using OpenVPN, a robust and highly flexible tunneling application that uses the encryption, authentication, and certification features of the OpenSSL library. For simplicity we will only consider a case where the OpenVPN server acts as a secure Internet gateway for a client.

For this setup, we’ve used three machines: the first one acts as the OpenVPN server and the other two (Linux and Windows) act as clients connecting to the remote OpenVPN server.

Note: The same instructions also work on RHEL/CentOS 6 and Fedora systems.

Installing OpenVPN Server

To install OpenVPN on a RHEL/CentOS 7 server, you will first have to enable the EPEL repository and then install the package, along with easy-rsa, a small RSA key management package used primarily to build and manage the certificate authority and its certificates.

# yum update && yum install epel-release
# yum install openvpn easy-rsa

When the installation completes, head over to the sample configuration files directory:

# cd /usr/share/doc/openvpn-*/sample/sample-config-files/

and copy the server.conf file to /etc/openvpn:

# cp server.conf /etc/openvpn

Now we’re ready to start configuring the server.

Generate Keys and Certificates

The easy-rsa package provides several scripts as utilities, located inside /usr/share/easy-rsa/2.0 after installation, to generate keys and certificates. For our convenience, we are going to copy those files into /etc/openvpn/rsa (you need to create this directory first). Enter y if prompted to overwrite the existing files:

# mkdir /etc/openvpn/rsa
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa

Generate OpenVPN Keys and Certificates

Next, we will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs (fields are self-explanatory):

export KEY_SIZE=2048
export CA_EXPIRE=365
export KEY_EXPIRE=365
export KEY_COUNTRY=AR
export KEY_PROVINCE=SL
export KEY_CITY="VillaMercedes"
export KEY_ORG="Tecmint.com"
export KEY_EMAIL="[email protected]"
export KEY_NAME="GabrielCanepa"

Then source the file to export the variables and their values into the current environment (you will need them in the next step). You will see a message informing you of the purpose of the clean-all script (also present in the same directory):

# source ./vars

Export Keys and Certificates

Now run the following scripts from the same directory, in the specified order.

# ./clean-all

The build-ca script will create a Certificate Authority (certificate + key) in /etc/openvpn/rsa/keys. Press Enter to accept the default values:

# ./build-ca

OpenVPN Certificate Authority Key

Next, we will create the key and the certificate for the server itself. As before, accept the default values and then press y to confirm the signing of the certificate:

# ./build-key-server server

Create Keys and Certificates for Server

Next, generate the Diffie-Hellman parameters file used for the key exchange, which complements the RSA certificates (this will take quite some time). This will create a file named dh2048.pem inside /etc/openvpn/rsa/keys:

# ./build-dh

Finally, create separate certificate files for each client that will use your VPN server (change client to a name of your choosing):

# ./build-key client

The above step will create a certificate and key for a client. Follow the same steps as before to complete the process. Later in this tutorial we will download these files to a client that will use them to connect to the VPN server.

Configuring the OpenVPN Server

Let’s now dive into /etc/openvpn/server.conf:

1. Point the dh directive at the Diffie-Hellman parameters file generated earlier. Don’t use parameters shorter than 2048 bits if you don’t want to expose yourself to security threats:

dh /etc/openvpn/rsa/keys/dh2048.pem

2. All IP traffic (such as web browsing and DNS lookups) should go through the VPN. Make sure the following line is uncommented:

push "redirect-gateway def1 bypass-dhcp"

3. As a consequence of step 2, you need to specify at least two DNS servers that will be used to resolve names. The default ones are provided by opendns.org, and you can either use them or Google’s (8.8.8.8 and 8.8.4.4):

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

4. Finally, as a security measure, we will ensure that openvpn runs with the least privilege by dropping to the unprivileged user and group nobody after initialization:

user nobody
group nobody

We also need to allow VPN traffic through firewalld and enable masquerading so that client traffic can be forwarded out to the Internet:

# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --add-service=openvpn
# firewall-cmd --permanent --add-masquerade
# firewall-cmd --add-masquerade

And copy the certificate and key files to /etc/openvpn (the following command assumes your current working directory is /etc/openvpn/rsa/keys):

# cp ca.crt server.crt server.key ../../

Then enable the service:

# systemctl -f enable openvpn@server.service
# systemctl start openvpn@server.service

At this point it’s a good idea to check the status of the service.

# systemctl -l status openvpn@server.service

If it failed to start,

# journalctl -xn

will provide the debug information needed to troubleshoot the issue.
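As an added example (not part of the original article), the following POSIX shell script audits a server.conf for the hardening points covered in steps 1 to 4: a Diffie-Hellman file of at least 2048 bits, the redirect-gateway push, at least two pushed DNS servers, and the drop to user and group nobody. The sample configuration it writes is constructed for the demonstration; the bit length is inferred from the dhNNNN.pem file name that easy-rsa’s build-dh produces.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server.conf for the article's hardening points.
# The sample config below is constructed for the demo (it mirrors the settings
# the article asks for) and is written to a file the caller names.

write_sample_conf() {  # write_sample_conf FILE
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nobody
EOF
}

# Print the first argument of a directive; commented-out lines never match.
conf_get() {  # conf_get FILE DIRECTIVE
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Count active 'push' lines whose quoted option contains PATTERN.
conf_push_count() {  # conf_push_count FILE PATTERN
  grep -c "^push .*$2" "$1" || true
}

# Print one line per weak or missing setting; return 0 only if all are present.
audit_conf() {  # audit_conf FILE
  f="$1"; rc=0
  dh=$(conf_get "$f" dh)
  # Bit length taken from the dhNNNN.pem name build-dh uses; on a live host,
  # `openssl dhparam -in "$dh" -text -noout` reports the real size.
  bits=$(printf '%s\n' "$dh" | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then echo "WEAK: dh $dh"; rc=1; fi
  [ "$(conf_get "$f" user)" = nobody ]  || { echo "MISSING: user nobody"; rc=1; }
  [ "$(conf_get "$f" group)" = nobody ] || { echo "MISSING: group nobody"; rc=1; }
  [ "$(conf_push_count "$f" redirect-gateway)" -ge 1 ] \
    || { echo "MISSING: push redirect-gateway"; rc=1; }
  [ "$(conf_push_count "$f" 'dhcp-option DNS')" -ge 2 ] \
    || { echo "MISSING: at least two dhcp-option DNS pushes"; rc=1; }
  return $rc
}
```

Run it as `audit_conf /etc/openvpn/server.conf` on the server; a non-zero exit status means at least one of the four settings is absent or weaker than the article requires.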


Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.


19 Responses

  1. Big Ian says:

    [[email protected] user]# yum install openvpn
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    * base: mirrors.vooservers.com
    * extras: mirror.vorboss.net
    * updates: mirror.mhd.uk.as44574.net
    No package openvpn available.
    Error: Nothing to do

    • Ravi Saive says:

      @Big Ian,

      Have you installed the epel-release package on the system? If not, first install it as shown:

      # yum install epel-release
      

      Once epel installed, you can install openvpn.

      # yum install openvpn
      
  2. Patric S. says:

    I would use this script from Nyr. In my opinion this is the best alternative.

    https://github.com/Nyr/openvpn-install

    -derpadi49

  3. Urs says:

    Small typo:
    cp ca.crt server.crt server.key /../.. (should be “../../”)

  4. dilan says:

    Please I am looking for how to install Open VPN Server on Linux, I want to run my computer..

  5. testsubject says:

    ca somethingelse.crt <—– shouldn't this be ca.crt?
    cert somethingelse.crt
    key somethingelse.key

  6. Ttlequals0 says:

    Here is an even quicker way of doing this that creates the Endpoint in any AWS region on demand. https://github.com/ttlequals0/autovpn

  7. batisfera says:

    Obsolete already

  8. Nice article!
    Would love to see add user account, and point into different vlan

  9. pcasisten says:

    Hi,
    is there an error in that sentence?
    To set up a client (regardless of the distribution or operating system) you will need to copy the ca.crt, server.crt, and server.key files from /etc/openvpn/rsa/keys.

    wouldn’t be the client.crt and client.key files copied instead?

  10. cray says:

    journalctl -xn must be written with one dash, at least it is in Fedora. Double dash is not recognized.
