How to install OpenVPN Server and Client on CentOS 7

OpenVPN is an open source application that lets you create a private network over the public Internet. OpenVPN tunnels your network connection securely through the Internet. This tutorial describes the steps to set up an OpenVPN server and client on CentOS 7.


  • Server with CentOS 7.
  • root privileges.

What we will do in this tutorial:

  1. Enable the epel-repository in CentOS.
  2. Install openvpn, easy-rsa and iptables.
  3. Configure easy-rsa.
  4. Configure openvpn.
  5. Disable firewalld and SELinux.
  6. Configure iptables for openVPN.
  7. Start openVPN Server.
  8. Setting up the OpenVPN client application.

Enable the epel-repository

sudo su
yum -y install epel-release

Install OpenVPN, easy-rsa and iptables

yum -y install openvpn easy-rsa iptables-services

Configuring easy-rsa

At this stage you will generate the following keys and certificates:

  • Certificate Authority (CA)
  • Server key and certificate
  • Diffie-Hellman parameters
  • Client key and certificate

Step 1 - Copy the easy-rsa key-generation scripts to "/etc/openvpn/".

cp -r /usr/share/easy-rsa/ /etc/openvpn/

Then go to the easy-rsa directory and edit the vars file.

cd /etc/openvpn/easy-rsa/2.*/
vim vars

(Screenshot: editing the vars file)

Now it is time to generate the new keys and certificates for our installation. First load the settings from the vars file:

source ./vars

Then run clean-all to ensure that we have a clean certificate setup:

./clean-all

Now generate a certificate authority (CA) with build-ca. You will be asked for Country Name etc.; enter your details (see the screenshot below for my values). This command creates the files ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.

./build-ca

(Screenshot: generating the CA)

Step 2 - Now generate the server key and certificate.

Run the command "build-key-server server" in the current directory:

./build-key-server server

(Screenshot: generating the server certificate and key)

Step 3 - Build the Diffie-Hellman parameters.

Execute the build-dh command:

./build-dh

(Screenshot: building the Diffie-Hellman parameters)

Please wait, it will take some time to generate the file. The time depends on the KEY_SIZE setting in the vars file.

Step 4 - Generate client key and certificate.

./build-key client

(Screenshot: generating the client key and certificate)

Step 5 - Move or copy the directory `keys/` to `/etc/openvpn`.

cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/

Configure OpenVPN

You can copy a sample OpenVPN configuration from /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/, or create a new one from scratch. I will create a new one:

cd /etc/openvpn/
vim server.conf

Paste the configuration below:

#Change this to your port
port 1337

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun

#Certificate Configuration

#ca certificate
ca /etc/openvpn/keys/ca.crt

#Server Certificate
cert /etc/openvpn/keys/server.crt

#Server key; keep this secret
key /etc/openvpn/keys/server.key

#Use the DH file that build-dh wrote to /etc/openvpn/keys/ (dh<KEY_SIZE>.pem, i.e. dh2048.pem for KEY_SIZE=2048 in vars)
dh /etc/openvpn/keys/dh2048.pem

#Subnet from which connected clients get their internal IP (server directive)

#this line will redirect all traffic through our OpenVPN
push "redirect-gateway def1"

#Provide DNS servers to the client; you can use Google DNS
push "dhcp-option DNS"
push "dhcp-option DNS"

#Allow multiple clients to connect with the same key

keepalive 20 60

#enable log
log-append /var/log/myvpn/openvpn.log

#Log Level
verb 3

Save it.

Create a folder for the log file.

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log
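As an added check that is not part of the original tutorial, the POSIX shell script below verifies that server.conf agrees with what easy-rsa 2.x actually produced: build-dh names its output dh${KEY_SIZE}.pem, so a `dh .../dh1024.pem` line beside a vars file with KEY_SIZE=2048 (the mismatch several commenters ran into) is reported, as are missing credential files and a private key readable by other users. The config and vars paths are arguments, e.g. `check_openvpn_conf /etc/openvpn/server.conf /etc/openvpn/easy-rsa/2.0/vars`.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity checks for the
# easy-rsa 2.x output and the server.conf written above. build-dh names its
# output dh${KEY_SIZE}.pem, so a "dh .../dh1024.pem" line next to a vars
# file with KEY_SIZE=2048 (the mismatch reported in the comments) is
# flagged, as are missing credential files and a readable private key.

# Print the first argument of an OpenVPN directive, e.g. conf_get server.conf dh
conf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# $1 = server.conf, $2 = easy-rsa vars file. Returns 0 if consistent, 1 if not.
check_openvpn_conf() {
    conf="$1"; vars="$2"; rc=0
    key_size=$(sed -n 's/^export KEY_SIZE=\([0-9][0-9]*\).*/\1/p' "$vars")
    expected="dh${key_size}.pem"
    dh_file=$(basename "$(conf_get "$conf" dh)")
    if [ "$dh_file" != "$expected" ]; then
        echo "dh directive names '$dh_file' but vars KEY_SIZE=$key_size builds '$expected'"
        rc=1
    fi
    # every credential file the server loads must exist
    for directive in ca cert key dh; do
        f=$(conf_get "$conf" "$directive")
        if [ -z "$f" ]; then
            echo "missing directive: $directive"; rc=1
        elif [ ! -f "$f" ]; then
            echo "$directive file not found: $f"; rc=1
        fi
    done
    # the private key must not be group- or world-accessible (chmod 600)
    key=$(conf_get "$conf" key)
    if [ -f "$key" ] && [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "private key $key is readable by others; run chmod 600 $key"; rc=1
    fi
    return $rc
}
```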

Disable firewalld and SELinux

Step 1 - Disable firewalld

systemctl mask firewalld
systemctl stop firewalld

Step 2 - Disable SELinux

vim /etc/sysconfig/selinux

And set SELINUX to disabled:

SELINUX=disabled

Then reboot the server to apply the change.

Configure Routing and Iptables

Step 1 - Enable iptables

systemctl enable iptables
systemctl start iptables
iptables -F

Step 2 - Add an iptables rule that masquerades traffic from our OpenVPN subnet.

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptablesvpn

Step 3 - Enable port forwarding.

vim /etc/sysctl.conf

add this line at the end of the file:

net.ipv4.ip_forward = 1

Step 4 - Restart the network service

systemctl restart network.service

Start OpenVPN Server

systemctl start openvpn@server.service
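Added example, not from the original tutorial: a POSIX shell check that the routing steps above match the VPN. It assumes server.conf carries the `server <network> <netmask>` directive referred to in the config comments, requires `net.ipv4.ip_forward = 1` with nothing trailing in sysctl.conf, and looks for a POSTROUTING MASQUERADE rule covering that whole subnet in the file written by `iptables-save`; all paths are arguments, and the 10.8.0.0/24 used in the test is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: checks that the routing
# steps above match the VPN. It takes the subnet from the "server" line of
# server.conf, requires ip_forward to be set to exactly 1 in sysctl.conf, and
# looks for a POSTROUTING MASQUERADE rule covering that whole subnet in the
# file produced by "iptables-save > file". All paths are arguments.

# 255.255.255.0 -> 24: iptables-save prints netmasks as prefix lengths
mask2prefix() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1))); octet=$((octet >> 1))
        done
    done
    echo "$bits"
}

# "server 10.8.0.0 255.255.255.0" -> 10.8.0.0/24; fails if the directive is absent
vpn_subnet() {
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ -n "$2" ] || return 1
    echo "$1/$(mask2prefix "$2")"
}

# $1 = server.conf, $2 = sysctl.conf, $3 = saved iptables rules. 0 = ok, 1 = problem
check_vpn_routing() {
    conf="$1"; sysctl_conf="$2"; rules="$3"; rc=0
    subnet=$(vpn_subnet "$conf") || { echo "no server directive in $conf"; return 1; }
    # exactly "= 1": a stray trailing character (e.g. "1.") is not a valid value
    if ! grep -Eq '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$sysctl_conf"; then
        echo "net.ipv4.ip_forward is not set to 1 in $sysctl_conf"; rc=1
    fi
    # the NAT rule must match the VPN subnet, not a single client address
    if ! awk -v s="$subnet" '$1 == "-A" && $2 == "POSTROUTING" && $3 == "-s" && $4 == s && /-j MASQUERADE/ { found = 1 }
        END { exit !found }' "$rules"; then
        echo "no POSTROUTING MASQUERADE rule for $subnet in $rules"; rc=1
    fi
    return $rc
}
```

iptables.service on CentOS 7 restores /etc/sysconfig/iptables at boot, so the rules you save should end up in that file if they are to survive a reboot.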

Client Setup

To connect to the OpenVPN server, the client needs the key and certificates we created earlier. Download these 3 files from your server using SFTP or SCP:

  • ca.crt
  • client.crt
  • client.key

If you use a Windows client, you can use WinSCP to copy the files. Afterwards create a new file called client.ovpn and paste the configuration below:

dev tun
proto udp

#Server IP and Port
remote 1337

resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
ns-cert-type server


And save it.

Then download the OpenVPN client application and install it on your client computer (most likely your desktop):

Windows users

OpenVPN Install.

Mac OS users


Linux users

Try networkmanager-openvpn through NetworkManager,

or use the terminal:

sudo openvpn --config client.ovpn


OpenVPN is open source software for building a private network that is easy to install and configure on the server. It is a solution for those who need a secure network connection over the public Internet.

21 Comment(s)



From: jhon

Hi,

Please help me resolve this issue:


Mon Jun 29 22:45:02 2015 us=901224 UDPv4 link remote:

Mon Jun 29 22:45:02 2015 us=903476 TLS: Initial packet from, sid=e5eb0187 bec9e5d7

Mon Jun 29 22:45:02 2015 us=925972 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=PE/ST=CIX/L=Chiclayo/O=IPC/OU=IT/CN=IPC_CA/name=ca/emailAddres[email protected]

Mon Jun 29 22:45:02 2015 us=926041 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Mon Jun 29 22:45:02 2015 us=926055 TLS Error: TLS object -> incoming plaintext read error

Mon Jun 29 22:45:02 2015 us=926066 TLS Error: TLS handshake failed

Mon Jun 29 22:45:02 2015 us=936003 TCP/UDP: Closing socket

Mon Jun 29 22:45:02 2015 us=937630 SIGUSR1[soft,tls-error] received, process restarting

Mon Jun 29 22:45:02 2015 us=943245 Restart pause, 2 second(s)


many thanks.

best regards

jhon rivera


From: Madalin Ignisca


Are you sure that the iptables setup is correct? It looks like you forward a single IP instead of all possible connected clients. With the current setup, clients connect but are not allowed on the internet.


iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptablesvpn

From: Madalin Ignisca

Hi, back with how it worked for me ;)


[[email protected] ~]# iptables -F

[[email protected] ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

[[email protected] ~]# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT


IMPORTANT: change "eth0" to your ethernet device that your server connects to the internet (mine was venet0, where the real traffic comes through venet0:0).

From: Dirk

Please stop disabling selinux and start learning firewalld!

Selinux provides useful security enhancements, especially interesting for a server which is exposed on the internet!

Firewalld is the future, so you should accept that change, and stop using legacy tools.

From: Tomas

Nice try with firewalld Dirk. If you were simply to accept changes, you would (likely) never use Linux. Linux is all about choices really, one does not tell me the tool I have to use to do the job just because RedHat introduced it. I might switch from iptables to firewalld one day when I see benefits. 

From: Anthony

The config is partially incorrect, it should read:

#See the size a dh key in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem

Since we built the keys as 2048, it needs to exist :)

From: Jerry

Kinda agree with Dirk, you really need to adapt to the choices/direction centos/redhat is going.

From: aprog

Thanks for the post. Can anybody suggest some useful mobile OpenVPN client?

From: son


Can you help me?

I want to configure OpenVPN using a certificate from EJBCA.

Thanks so much.

From: HJS

All good but can't start server:


[[email protected] ~]# systemctl status [email protected]

? [email protected] - OpenVPN Robust And Highly Flexible Tunneling Application On server

   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)

   Active: failed (Result: exit-code) since Sat 2016-02-27 12:10:29 EST; 11s ago

  Process: 2021 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/ --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)


Feb 27 12:10:29 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...

Feb 27 12:10:29 systemd[1]: [email protected]: control process exited, code=exited status=1

Feb 27 12:10:29 systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.

Feb 27 12:10:29 systemd[1]: Unit [email protected] entered failed state.

Feb 27 12:10:29 systemd[1]: [email protected] failed.


From: Curtis

Small mistake in the config file:

dh /etc/openvpn/keys/dh1024.pem

should be dh2018.pem I believe. 

From: cain

great article until you said disable SELinux ..... don't disable it, figure it out, and use it correctly.. or you'll just have more problems..

From: ben

when you add iptable forward rules, use "iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE"  

instead of

"iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE"

run `man iptables`  for more details


From: Jahan

Isn't it supposed to be:

yum -y install epel-release

Right at the start of the document?


From: MacroPower

So many small errors... Really need to fix this article. Especially the missing / in the iptables line.

From: thong


In /etc/openvpn/server.conf

it should be dh /etc/openvpn/keys/dh2048.pem, not dh1024.pem

From: scarto

Hi, very good configuration, thanks .... if it is not working, look in the log: you need to change 1024 to 2048 in client.ovpn

All the best

From: Why?

Why jump through a million hoops? Just download the official package from openvpn and yum install it. Voila. Everything is installed, configured and working out of the box. 2 commands. wget, rpm. All done. Takes 20 seconds.

From: g262

Can someone help me to understand how to determine my openvpn subnet that I set the route to?


From: Jelly

Hi and thanks for helping me, can I set a signed certificate instead of easy-rsa and create a profile after setting a signed valid certificate?

Also I want authentication with Radius, can you help me please??