How to install OpenVPN Server and Client on CentOS 7

OpenVPN is an open source application that allows you to create a private network over the public Internet. OpenVPN tunnels your network connection securely through the Internet. This tutorial describes the steps to set up an OpenVPN server and client on CentOS 7.

Prerequisites

  • Server with CentOS 7.
  • root privileges.

What we will do in this tutorial:

  1. Enable the epel-repository in CentOS.
  2. Install openvpn, easy-rsa and iptables.
  3. Configure easy-rsa.
  4. Configure openvpn.
  5. Disable firewalld and SELinux.
  6. Configure iptables for openVPN.
  7. Start openVPN Server.
  8. Setting up the OpenVPN client application.

Enable the epel-repository

sudo su
yum -y install epel-release

Install OpenVPN, easy-rsa and iptables

yum -y install openvpn easy-rsa iptables-services

Configuring easy-rsa

At this stage you will generate the following keys and certificates:

  • Certificate Authority (CA)
  • Server key and certificate
  • Diffie-Hellman parameters
  • Client key and certificate

Step 1 - Copy the easy-rsa key generation scripts to "/etc/openvpn/".

cp -r /usr/share/easy-rsa/ /etc/openvpn/

Then go to the easy-rsa directory and edit the vars file.

cd /etc/openvpn/easy-rsa/2.*/
vim vars

Editing vars File

Now it is time to generate the new keys and certificates for our installation. First load the settings from the vars file:

source ./vars

Then run clean-all to ensure that we have a clean certificate setup.

./clean-all

Now generate a certificate authority (CA). You will be asked for the Country Name etc.; enter your details (see the screenshot below for my values).
This command creates the files ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.

./build-ca

Generate Ca

Step 2 - Now generate a server key and certificate.

Run the command "build-key-server server" in the current directory:

./build-key-server server

Generate Server Certificate and Key

Step 3 - Build the Diffie-Hellman parameters.

Execute the build-dh command:

./build-dh

build dh key

Please wait, it takes some time to generate the file. The time depends on the KEY_SIZE setting in the vars file; the result is written to the keys/ directory as dh<KEY_SIZE>.pem (dh2048.pem when KEY_SIZE is 2048), and the server configuration below must refer to that exact file name.

Step 4 - Generate client key and certificate.

./build-key client

Generate client Key and Certificate

Step 5 - Move or copy the directory `keys/` to `/etc/openvpn`.

cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/

Configure OpenVPN

You can copy the OpenVPN sample configuration from /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/, or create a new one from scratch. I will create a new one:

cd /etc/openvpn/
vim server.conf

Paste the configuration below:

#change with your port
port 1337

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun

#Certificate Configuration

#ca certificate
ca /etc/openvpn/keys/ca.crt

#Server Certificate
cert /etc/openvpn/keys/server.crt

#Server key, keep this secret
key /etc/openvpn/keys/server.key

#Diffie-Hellman parameters: use the file build-dh created in /etc/openvpn/keys/
#(it is named dh<KEY_SIZE>.pem after the KEY_SIZE in vars, dh2048.pem for 2048)
dh /etc/openvpn/keys/dh2048.pem

#Subnet from which connected clients get their internal IP
server 192.168.200.0 255.255.255.0

#this line will redirect all client traffic through our OpenVPN
push "redirect-gateway def1"

#Provide DNS servers to the client, e.g. Google DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Allow multiple clients to connect with the same certificate
duplicate-cn

keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

#enable log
log-append /var/log/myvpn/openvpn.log

#Log Level
verb 3

Save it.

Create a folder for the log file.

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log

Disable firewalld and SELinux

Step 1 - Disable firewalld

systemctl mask firewalld
systemctl stop firewalld

Step 2 - Disable SELinux

vim /etc/sysconfig/selinux

And change SELINUX to disabled:

SELINUX=disabled

Then reboot the server to apply the change.

Configure Routing and Iptables

Step 1 - Enable iptables

systemctl enable iptables
systemctl start iptables
iptables -F

Step 2 - Add an iptables rule that NATs traffic from our OpenVPN subnet (replace eth0 with the interface that connects your server to the Internet), then save the rules to the file iptables-services restores at boot.

iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Step 3 - Enable port forwarding.

vim /etc/sysctl.conf

add the following line at the end of the file (run sysctl -p afterwards to apply it without a reboot):

net.ipv4.ip_forward = 1

Step 4 - Start the OpenVPN server

systemctl start openvpn@server.service
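The routing step above, as an added example script that is not part of the original tutorial: it validates the VPN subnet in CIDR form (so a value like 192.168.200.024, which lacks the "/", is rejected instead of handed to iptables), and prints a rule set that NATs only the VPN subnet and forwards only between the tunnel and the Internet-facing interface, rather than a blanket MASQUERADE of everything. The function names and the eth0, tun0, 1337 and udp defaults (taken from the tutorial's server.conf) are my assumptions.

```shell
#!/bin/bash
# Added example, not from the original tutorial: build the iptables rule set for
# an OpenVPN server. Nothing is applied until the printed rules are reviewed.

# Return 0 if $1 is an IPv4 network in CIDR form (a.b.c.d/n), else 1.
# The tutorial's typo 192.168.200.024 has no "/" and is rejected here.
valid_cidr() {
    local cidr="$1" ip prefix octet
    case "$cidr" in
        */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
        *)   return 1 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    local IFS='.'
    set -- $ip                      # split the address into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules for VPN subnet $1 (CIDR), Internet-facing interface $2,
# tunnel interface $3, OpenVPN port $4 and protocol $5; the defaults match the
# tutorial's server.conf. Only the VPN subnet is NATed, and forwarding is
# restricted to tunnel<->Internet traffic with a DROP policy for the rest.
vpn_rules() {
    local subnet="$1" wan="${2:-eth0}" tun="${3:-tun0}" port="${4:-1337}" proto="${5:-udp}"
    valid_cidr "$subnet" || { echo "invalid CIDR: $subnet" >&2; return 1; }
    cat <<EOF
# accept incoming OpenVPN connections
iptables -A INPUT -p $proto --dport $port -j ACCEPT
# NAT only the VPN clients' addresses when they leave through $wan
iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE
# forward VPN clients out, and only replies to their traffic back in
iptables -P FORWARD DROP
iptables -A FORWARD -i $tun -o $wan -s $subnet -j ACCEPT
iptables -A FORWARD -i $wan -o $tun -d $subnet -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Usage: bash vpn-rules.sh 192.168.200.0/24 eth0 | sh
# then persist with: iptables-save > /etc/sysconfig/iptables
if [ "$#" -gt 0 ]; then
    vpn_rules "$@"
fi
```

The FORWARD rules are what the tutorial's single MASQUERADE line leaves implicit: once the default FORWARD policy is DROP, only packets from the VPN subnet leave through the Internet-facing interface and only replies to established connections come back, so the server does not become a general-purpose router for anything else that reaches it.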

Client Setup

To connect to the OpenVPN server, the client needs the key and certificates we created earlier; download these 3 files from your server using SFTP or SCP:

  • ca.crt
  • client.crt
  • client.key

If you use a Windows client, you can use WinSCP to copy the files. Afterwards create a new file called client.ovpn and paste the configuration below:

client
dev tun
proto udp

#Server IP and Port
remote 192.168.1.104 1337

resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo

SCP

And save it.
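A pre-flight check for both the server.conf above and this client.ovpn, added here as an example that is not part of the original tutorial. It parses the ca, cert, key and dh directives, verifies that each file exists and is PEM, that the private key is not readable by other users, and that the dh file name matches the KEY_SIZE in the easy-rsa vars file (the dh1024.pem versus dh2048.pem mismatch that stops the service from starting). The function names and the sample file layout are my assumptions; the PEM header strings and the dh<KEY_SIZE>.pem naming of easy-rsa 2.x build-dh are real.

```shell
#!/bin/bash
# Added example, not from the original tutorial: check the files an OpenVPN
# config points at before starting the service. It covers three failures a
# mis-typed setup produces: a dh file name that does not match KEY_SIZE in
# the easy-rsa vars file, a missing or non-PEM ca/cert/key (the client then
# logs "VERIFY ERROR" or the unit fails to start), and a private key readable
# by other users. Works for server.conf and client.ovpn alike.

# Print the value of directive $2 in config $1 (first match; comment lines
# start with "#" so their first word never equals a directive name).
cfg_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the file name easy-rsa 2.x build-dh writes for the KEY_SIZE in vars $1.
expected_dh_file() {
    local size
    size=$(awk -F= '/^export KEY_SIZE=/ { print $2; exit }' "$1")
    [ -n "$size" ] || { echo "KEY_SIZE not set in $1" >&2; return 1; }
    echo "dh${size}.pem"
}

# Return 0 if file $1 is readable and carries a PEM header mentioning $2.
pem_has() {
    [ -r "$1" ] && grep -q -- "-----BEGIN .*$2" "$1"
}

# Return 0 if the dh directive in config $1 names the file build-dh created
# for vars $2 (dh1024.pem versus dh2048.pem is the common mismatch).
check_dh_matches_vars() {
    local have want
    have=$(basename "$(cfg_get "$1" dh)")
    want=$(expected_dh_file "$2") || return 1
    [ "$have" = "$want" ] || { echo "dh: config names $have but vars KEY_SIZE gives $want" >&2; return 1; }
}

# Check every ca/cert/key/dh path in config $1. Relative paths are resolved
# against the config's directory, as OpenVPN does when started with --cd
# (the openvpn@.service unit uses --cd /etc/openvpn/).
check_openvpn_config() {
    local cfg="$1" base d f mode rc=0
    base=$(dirname "$cfg")
    for d in ca cert key dh; do
        f=$(cfg_get "$cfg" "$d")
        [ -n "$f" ] || continue              # dh is only present in server configs
        case "$f" in /*) ;; *) f="$base/$f" ;; esac
        case "$d" in
            ca|cert) pem_has "$f" CERTIFICATE ;;
            key)     pem_has "$f" "PRIVATE KEY" ;;
            dh)      pem_has "$f" "DH PARAMETERS" ;;
        esac || { echo "$d: $f is missing or not a PEM file" >&2; rc=1; continue; }
        if [ "$d" = key ]; then
            mode=$(stat -c '%a' "$f")
            case "$mode" in
                *00) ;;                       # owner-only (600, 400, ...)
                *)   echo "key: $f is mode $mode, readable by group/other; chmod 600 it" >&2; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Usage: bash check-openvpn.sh /etc/openvpn/server.conf [/etc/openvpn/easy-rsa/2.0/vars]
if [ "$#" -ge 1 ]; then
    check_openvpn_config "$1" && { [ "$#" -lt 2 ] || check_dh_matches_vars "$1" "$2"; } && echo "OK: $1"
fi
```

Running it against the server config with the vars file as second argument reports the exact directive that is wrong instead of the bare "status=1/FAILURE" systemd shows. It deliberately checks only what can be read from the files; whether client.crt was actually issued by the CA in ca.crt is a separate check, `openssl verify -CAfile ca.crt client.crt`, which is the first thing to run when a client logs "VERIFY ERROR: depth=1 ... self signed certificate in certificate chain".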

Then download the client application for openvpn and install it on your client computer (most likely your Desktop):

Windows user

OpenVPN Install.

Mac OS user

tunnelblick.

Linux user

Try networkmanager-openvpn through NetworkManager,

or use the terminal:

sudo openvpn --config client.ovpn

Conclusion

OpenVPN is open source software to build a shared private network that is easy to install and configure on the server. It is a solution for those who need a secure network connection over the public Internet.

Comments

From: jhon

Hi,

please help me to resolve this issue:

Mon Jun 29 22:45:02 2015 us=901224 UDPv4 link remote: 192.168.10.10:1194

Mon Jun 29 22:45:02 2015 us=903476 TLS: Initial packet from 192.168.10.10:1194, sid=e5eb0187 bec9e5d7

Mon Jun 29 22:45:02 2015 us=925972 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=PE/ST=CIX/L=Chiclayo/O=IPC/OU=IT/CN=IPC_CA/name=ca/emailAddres[email protected]

Mon Jun 29 22:45:02 2015 us=926041 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Mon Jun 29 22:45:02 2015 us=926055 TLS Error: TLS object -> incoming plaintext read error

Mon Jun 29 22:45:02 2015 us=926066 TLS Error: TLS handshake failed

Mon Jun 29 22:45:02 2015 us=936003 TCP/UDP: Closing socket

Mon Jun 29 22:45:02 2015 us=937630 SIGUSR1[soft,tls-error] received, process restarting

Mon Jun 29 22:45:02 2015 us=943245 Restart pause, 2 second(s)

Many thanks.

Best regards,

jhon rivera

From: Madalin Ignisca

Hello,

Are you sure that the iptables setup is correct? It looks like you forward a single IP instead of all possible connected clients. With the current setup, clients connect but are not allowed on the internet.

```
iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptablesvpn
```

From: Madalin Ignisca

Hi, back with how it worked for me ;)

```
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[[email protected] ~]# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

IMPORTANT: change "eth0" to your ethernet device that your server connects to the internet (mine was venet0, where the real traffic comes through venet0:0).

From: Dirk

Please stop disabling selinux and start learning firewalld!

Selinux provides useful security enhancements, especially interesting for a server which is exposed on the internet!

Firewalld is the future, so you should accept that change, and stop using legacy tools.

From: Tomas

Nice try with firewalld Dirk. If you were simply to accept changes, you would (likely) never use Linux. Linux is all about choices really, one does not tell me the tool I have to use to do the job just because RedHat introduced it. I might switch from iptables to firewalld one day when I see benefits. 

From: Anthony

The config is partially incorrect, it should read:

#See the size a dh key in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem

Since we built the keys as 2048, it needs to exist :)

From: Jerry

Kinda agree with Dirk, you really need to adapt to the choices/direction CentOS/Red Hat is going.

From: aprog

Thanks for the post. Can anybody suggest some useful mobile OpenVPN client?

From: son

Hello,

Can you help me?

I want to configure OpenVPN using a certificate from EJBCA.

Thanks so much.

From: HJS

All good but can't start the server:

[[email protected] ~]# systemctl status openvpn@server.service

● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2016-02-27 12:10:29 EST; 11s ago
  Process: 2021 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)

Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: openvpn@server.service: control process exited, code=exited status=1
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Unit openvpn@server.service entered failed state.
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: openvpn@server.service failed.

From: Curtis

Small mistake in the config file:

dh /etc/openvpn/keys/dh1024.pem

should be dh2018.pem I believe. 

From: cain

great article until you said disable SELinux ..... don't disable it, figure it out, and use it correctly.. or you'll just have more problems..

From: ben

when you add iptable forward rules, use "iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE"  

instead of

"iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE"

Run `man iptables` for more details.

From: Jahan

Isn't it supposed to be:

yum -y install epel-release      

Right at the start of the document?

From: MacroPower

So many small errors... Really need to fix this article. Especially the missing / in the iptables line.

From: thong

Hi,

In /etc/openvpn/server.conf

it's should be dh /etc/openvpn/keys/dh2048.pem not dh1024.pem

From: scarto

Hi, very good configuration, thanks .... if it is not working, look in the log; you need to change in client.ovpn 1024 to 2048

All the best

From: Why?

Why jump through a million hoops? Just download the official package from openvpn and yum install it. Voila. Everything is installed, configured and working out of the box. 2 commands. wget, rpm. All done. Takes 20 seconds.

From: g262

Can someone help me to understand how to determine my openvpn subnet that I set the route to?

Thanks!

From: Jelly

Hi and thanks for helping me, can I set a signed certificate instead of easy-rsa and create a profile after setting a signed valid certificate?

Also I want authentication with RADIUS, can you help me please?

From: bdspice

Fri May 12 19:01:23 2017 OpenVPN 2.4.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017

Fri May 12 19:01:23 2017 Windows version 6.1 (Windows 7) 32bit

Fri May 12 19:01:23 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10

Enter Management Password:

Fri May 12 19:01:23 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341

Fri May 12 19:01:23 2017 Need hold release from management interface, waiting...

Fri May 12 19:01:24 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341

Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'state on'

Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'log all on'

Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'echo all on'

Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'hold off'

Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'hold release'

Fri May 12 19:01:24 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri May 12 19:01:24 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri May 12 19:01:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]88.198.50.201:4500

Fri May 12 19:01:24 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]

Fri May 12 19:01:24 2017 UDP link local: (not bound)

Fri May 12 19:01:24 2017 UDP link remote: [AF_INET]88.198.50.201:4500

Fri May 12 19:01:24 2017 MANAGEMENT: >STATE:1494594084,WAIT,,,,,,

Fri May 12 19:02:24 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Fri May 12 19:02:24 2017 TLS Error: TLS handshake failed

Fri May 12 19:02:24 2017 SIGUSR1[soft,tls-error] received, process restarting

Fri May 12 19:02:24 2017 MANAGEMENT: >STATE:1494594144,RECONNECTING,tls-error,,,,,

Fri May 12 19:02:24 2017 Restart pause, 5 second(s)

Fri May 12 19:02:29 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]88.198.50.201:4500

Fri May 12 19:02:29 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]

Fri May 12 19:02:29 2017 UDP link local: (not bound)

Fri May 12 19:02:29 2017 UDP link remote: [AF_INET]88.198.50.201:4500

Fri May 12 19:02:29 2017 MANAGEMENT: >STATE:1494594149,WAIT,,,,,,

Fri May 12 19:03:29 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Fri May 12 19:03:29 2017 TLS Error: TLS handshake failed

Fri May 12 19:03:29 2017 SIGUSR1[soft,tls-error] received, process restarting

Fri May 12 19:03:29 2017 MANAGEMENT: >STATE:1494594209,RECONNECTING,tls-error,,,,,

Fri May 12 19:03:29 2017 Restart pause, 5 second(s)

Fri May 12 19:03:34 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]88.198.50.201:4500

Fri May 12 19:03:34 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]

Fri May 12 19:03:34 2017 UDP link local: (not bound)

Fri May 12 19:03:34 2017 UDP link remote: [AF_INET]88.198.50.201:4500

Fri May 12 19:03:34 2017 MANAGEMENT: >STATE:1494594214,WAIT,,,,,,

Fri May 12 19:04:15 2017 SIGTERM[hard,] received, process exiting

Fri May 12 19:04:15 2017 MANAGEMENT: >STATE:1494594255,EXITING,SIGTERM,,,,,

I have 2 NAT VPS from 2 different providers, both VPS for VPN only. One is working well and connects, but the other one is showing this error on the client device while trying to connect. Both are on CentOS 7 and both servers are configured exactly the same.

From: Caner

Thank you for this great document. I have complated the tuttorial. Everything looks okay but i am having "connection timeout" error while connecting to my VPN. I used port 443 (SSH) to prevent blocked ports on some routers(companies, schools, etc.). I am receiving packages from outside of my server on port 443. [email protected] is running OK without error. I have checked too many thing but i do not know what i am missing. Could you please help me to solve my problem?