How to install OpenVPN Server and Client on CentOS 7

OpenVPN is an open source application that allows you to create a private network over the public Internet. OpenVPN tunnels your network connection securely through the Internet. This tutorial describes the steps to set up an OpenVPN server and client on CentOS.

Prerequisites

  • Server with CentOS 7.
  • root privileges.

What we will do in this tutorial:

  1. Enable the EPEL repository in CentOS.
  2. Install openvpn, easy-rsa and iptables.
  3. Configure easy-rsa.
  4. Configure openvpn.
  5. Disable firewalld and SELinux.
  6. Configure iptables for OpenVPN.
  7. Start the OpenVPN server.
  8. Set up the OpenVPN client application.

Enable the EPEL repository

The package that enables the EPEL repository is called epel-release:

sudo su
yum -y install epel-release

Install OpenVPN, easy-rsa and iptables

yum -y install openvpn easy-rsa iptables-services

Configuring easy-rsa

At this stage you will generate the following keys and certificates:

  • Certificate Authority (CA)
  • Server key and certificate
  • Diffie-Hellman parameters
  • Client key and certificate

Step 1 - Copy the easy-rsa key generation scripts to "/etc/openvpn/".

cp -r /usr/share/easy-rsa/ /etc/openvpn/

Then go to the easy-rsa directory and edit the vars file.

cd /etc/openvpn/easy-rsa/2.*/
vim vars

Editing vars File

Now it is time to generate the new keys and certificates for our installation. Load the variables from the vars file:

source ./vars

Then run clean-all to ensure that we have a clean certificate setup.

./clean-all

Now generate a certificate authority (CA). You will be asked for the Country Name etc., enter your details. See the screenshot below for my values.
This command creates the files ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.

./build-ca

Generate Ca

Step 2 - Now generate a server key and certificate.

Run the command "build-key-server server" in the current directory:

./build-key-server server

Generate Server Certificate and Key

Step 3 - Build the Diffie-Hellman parameters for the key exchange.

Execute the build-dh command:

./build-dh

build dh key

Please wait, it will take some time to generate the file. The time depends on the KEY_SIZE you have set in the vars file; the generated file is named after that size (for example dh2048.pem for KEY_SIZE=2048), and you will reference it in server.conf later.

Step 4 - Generate client key and certificate.

./build-key client

Generate client Key and Certificate

Step 5 - Move or copy the directory `keys/` to `/etc/openvpn`.

cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/

Configure OpenVPN

You can copy the OpenVPN sample configuration from /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/, or create a new one from scratch. I will create a new one:

cd /etc/openvpn/
vim server.conf

Paste the configuration below:

#change to your port
port 1337

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun

#Certificate Configuration

#CA certificate
ca /etc/openvpn/keys/ca.crt

#Server certificate
cert /etc/openvpn/keys/server.crt

#Server private key, keep this secret
key /etc/openvpn/keys/server.key

#Diffie-Hellman parameters. The file name must match the KEY_SIZE set in the
#easy-rsa vars file, so check the actual name in /etc/openvpn/keys/
#(dh2048.pem for KEY_SIZE=2048; openvpn refuses to start if the file is missing)
dh /etc/openvpn/keys/dh2048.pem

#Subnet from which connected clients get their internal IP
server 192.168.200.0 255.255.255.0

#this line redirects all client traffic through our OpenVPN server
push "redirect-gateway def1"

#Provide DNS servers to the client, you can use Google DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Allow multiple clients to connect with the same certificate and key
duplicate-cn

keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

#enable log
log-append /var/log/myvpn/openvpn.log

#Log level
verb 3

Save it.

Create a folder for the log file.

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log

Disable firewalld and SELinux

Step 1 - Disable firewalld

systemctl mask firewalld
systemctl stop firewalld

Step 2 - Disable SELinux

vim /etc/sysconfig/selinux

And change SELINUX to disabled:

SELINUX=disabled

Then reboot the server to apply the change.

Configure Routing and Iptables

Step 1 - Enable iptables

systemctl enable iptables
systemctl start iptables
iptables -F

Step 2 - Add an iptables NAT rule that masquerades traffic from the OpenVPN subnet (note the /24 netmask, which must be written with a slash), then save the rules to the file that iptables-services restores at boot. Replace eth0 with the interface that connects your server to the Internet.

iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Step 3 - Enable IP forwarding.

vim /etc/sysctl.conf

Add this line at the end of the file:

net.ipv4.ip_forward = 1

Then run `sysctl -p` so the setting takes effect without a reboot.

Step 4 - Start the OpenVPN server

The openvpn@.service template unit starts /etc/openvpn/<name>.conf, so our server.conf is started as the "server" instance:

systemctl start openvpn@server.service
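Most failed starts reported in the comments below come down to a file path in server.conf that does not exist (typically dh1024.pem configured while easy-rsa produced dh2048.pem). The following POSIX shell check is an added example, not part of the original tutorial: it reads the ca, cert, key and dh directives from a server config, reports any missing file (listing other dh*.pem files it finds instead), and flags a private key that is readable by group or others.

```shell
#!/bin/sh
# Sanity-check the file directives of an OpenVPN server config before starting
# openvpn@server.service. Added example for this tutorial, not part of it.
# Usage: check_openvpn_conf /etc/openvpn/server.conf
# Prints one line per problem found; returns 0 only when there are none.
check_openvpn_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read config: $conf"; return 1; }
    # Relative paths resolve against the config's directory, which matches the
    # "--cd /etc/openvpn/" that the openvpn@ systemd unit passes to openvpn.
    confdir=$(dirname "$conf")
    # Comment (#) and blank lines never match; only ca/cert/key/dh lines do.
    # The loop runs in a subshell, so its findings are collected via stdout.
    problems=$(grep -E '^[[:space:]]*(ca|cert|key|dh)[[:space:]]+' "$conf" |
    while read -r directive path _; do
        # "dh none" (ECDH only) is valid and names no file.
        [ "$directive" = dh ] && [ "$path" = none ] && continue
        case "$path" in
            /*) file="$path" ;;
            *)  file="$confdir/$path" ;;
        esac
        if [ ! -f "$file" ]; then
            echo "$directive: $file does not exist"
            # The mistake most readers of this page hit: server.conf names
            # dh1024.pem while easy-rsa (KEY_SIZE in vars) wrote dh2048.pem.
            [ "$directive" = dh ] && ls "$(dirname "$file")"/dh*.pem 2>/dev/null |
                sed 's/^/dh: candidate found instead: /'
            continue
        fi
        if [ "$directive" = key ]; then
            # Columns 5-10 of "ls -l" are the group and other permission bits;
            # the server's private key must be readable by root only.
            case "$(ls -l "$file" | cut -c5-10)" in
                *[rwx]*) echo "key: $file is readable by group or others" ;;
            esac
        fi
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Run against the config path given on the command line, if any.
if [ $# -gt 0 ]; then check_openvpn_conf "$1"; fi
```

Run it as `sh check.sh /etc/openvpn/server.conf` after step 5 of the easy-rsa section; a non-zero exit means openvpn would fail to start (or start with an exposed key).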

Client Setup

To connect to the OpenVPN server, the client needs the key and certificates we created earlier. Download these 3 files from your server using SFTP or SCP:

  • ca.crt
  • client.crt
  • client.key

If you use a Windows client, you can use WinSCP to copy the files. Afterwards create a new file called client.ovpn and paste the configuration below:

client
dev tun
proto udp

#Server IP and Port
remote 192.168.1.104 1337

resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo

SCP

And save it.

Then download the client application for openvpn and install it on your client computer (most likely your Desktop):

Windows user

OpenVPN Install.

Mac OS user

tunnelblick.

Linux user

Try networkmanager-openvpn through NetworkManager,

or use the terminal:

sudo openvpn --config client.ovpn

Conclusion

OpenVPN is open source software for building a shared private network that is easy to install and configure on the server. It is a solution for those who need a secure network connection over the public Internet.


Comments

From: jhon

Hi,

please help me to resolve this issue:

Mon Jun 29 22:45:02 2015 us=901224 UDPv4 link remote: 192.168.10.10:1194

Mon Jun 29 22:45:02 2015 us=903476 TLS: Initial packet from 192.168.10.10:1194, sid=e5eb0187 bec9e5d7

Mon Jun 29 22:45:02 2015 us=925972 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=PE/ST=CIX/L=Chiclayo/O=IPC/OU=IT/CN=IPC_CA/name=ca/emailAddres[email protected]

Mon Jun 29 22:45:02 2015 us=926041 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Mon Jun 29 22:45:02 2015 us=926055 TLS Error: TLS object -> incoming plaintext read error

Mon Jun 29 22:45:02 2015 us=926066 TLS Error: TLS handshake failed

Mon Jun 29 22:45:02 2015 us=936003 TCP/UDP: Closing socket

Mon Jun 29 22:45:02 2015 us=937630 SIGUSR1[soft,tls-error] received, process restarting

Mon Jun 29 22:45:02 2015 us=943245 Restart pause, 2 second(s)

many thanks.

best regards

jhon rivera

From: Madalin Ignisca

Hello,

Are you sure that the iptables setup is correct? It looks like you forward a single IP instead of all possible connected clients. With the current setup, clients connect but are not allowed on the internet.

```
iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptablesvpn
```

From: Madalin Ignisca

Hi, back with how it worked for me ;)

```
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

IMPORTANT: change "eth0" to your ethernet device that your server connects to the internet (mine was venet0, where the real traffic comes through venet0:0).

From: Dirk

Please stop disabling selinux and start learning firewalld!

Selinux provides useful security enhancements, especially interesting for a server which is exposed on the internet!

Firewalld is the future, so you should accept that change, and stop using legacy tools.

From: Tomas

Nice try with firewalld Dirk. If you were simply to accept changes, you would (likely) never use Linux. Linux is all about choices really, one does not tell me the tool I have to use to do the job just because RedHat introduced it. I might switch from iptables to firewalld one day when I see benefits. 

From: Anthony

The config is partially incorrect, it should read:

#See the size a dh key in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem

Since we built the keys as 2048, it needs to exist :)

From: Jerry

Kinda agree with Dirk, you really need to adapt to the choices/direction CentOS/Red Hat is going.

From: aprog

Thanks for the post. Can anybody suggest some useful mobile OpenVPN client?

From: son

Hello,

Can you help me?

I want to configure OpenVPN using a certificate from EJBCA.

Thanks so much.

From: HJS

All good but can't start server:

[root@openvpn ~]# systemctl status openvpn@server.service

● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server

   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)

   Active: failed (Result: exit-code) since Sat 2016-02-27 12:10:29 EST; 11s ago

  Process: 2021 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)

Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...

Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: openvpn@server.service: control process exited, code=exited status=1

Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.

Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Unit openvpn@server.service entered failed state.

Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: openvpn@server.service failed.

From: Curtis

Small mistake in the config file:

dh /etc/openvpn/keys/dh1024.pem

should be dh2018.pem I believe. 

From: cain

Great article until you said disable SELinux..... Don't disable it, figure it out, and use it correctly.. or you'll just have more problems..

From: ben

when you add iptable forward rules, use "iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE"  

instead of

"iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE"

run `man iptables`  for more details


From: Jahan

Isn't it supposed to be:

yum -y install epel-release

right at the start of the document?

From: MacroPower

So many small errors... Really need to fix this article. Especially the missing / in the iptables line.

From: potcat

1080p  hech D bb.

From: thong

Hi,

In /etc/openvpn/server.conf

it should be dh /etc/openvpn/keys/dh2048.pem, not dh1024.pem

From: scarto

Hi, very good configuration, thanks.... If it is not working, look in the log; you need to change 1024 to 2048 in client.ovpn.

All the best