How to Install OpenVPN Server and Client with Easy-RSA 3 on CentOS 7
OpenVPN is an open-source application that allows you to create a secure private network over the public internet. OpenVPN implements a virtual private network (VPN) to create a secure connection. OpenVPN uses the OpenSSL library to provide the encryption and it provides several authentication mechanisms, such as certificate-based, pre-shared keys, and username/password authentication.
In this tutorial, we will show you step by step how to install and configure OpenVPN on CentOS 7.6, and we will implement certificate-based OpenVPN authentication.
Prerequisites
- CentOS 7.6
- Root privileges
What will we do?
- Install OpenVPN and Easy-RSA
- Configure Easy-RSA 3 Vars
- Build OpenVPN Keys
- Configure OpenVPN Server
- Configure Firewalld and Enable Port Forwarding
- Client Setup
- Testing
Step 1 - Install OpenVPN and Easy-RSA
In this tutorial, we will be using the latest version of CentOS server (7.5), with OpenVPN 2.4 and easy-rsa 3. Before installing the OpenVPN and easy-rsa packages, make sure the 'epel' repository is enabled on the system. If you don't have it, install the epel repository using the yum command below.
yum install epel-release -y
Now install OpenVPN 2.4 with easy-rsa 3 on the system.
yum install openvpn easy-rsa -y
When the installation is complete, check the openvpn and easy-rsa version.
openvpn --version
ls -lah /usr/share/easy-rsa/
OpenVPN 2.4 with easy-rsa 3 has been installed.
Step 2 - Configure Easy-RSA 3
In this step, we will configure easy-rsa 3 by creating a new 'vars' file. The 'vars' file contains the Easy-RSA 3 settings.
Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' directory into it.
cd /etc/openvpn/
cp -r /usr/share/easy-rsa /etc/openvpn/
Now go to the 'easy-rsa/3/' directory and create a new vars file using vim.
cd /etc/openvpn/easy-rsa/3/
vim vars
Paste the vars easy-rsa 3 configuration below.
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "ID"
set_var EASYRSA_REQ_PROVINCE "Jakarta"
set_var EASYRSA_REQ_CITY "Jakarta"
set_var EASYRSA_REQ_ORG "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
Save and exit.
Note:
- Change values of the variables as you need.
- Increase the 'EASYRSA_KEY_SIZE' for better security.
- Change 'EASYRSA_CA_EXPIRE' and 'EASYRSA_CERT_EXPIRE'.
Now make the 'vars' file executable by changing the permission of the file.
chmod +x vars
The vars file for Easy-RSA 3 setting has been created.
Step 3 - Build OpenVPN Keys
In this step, we will build the OpenVPN keys based on the easy-rsa 3 'vars' file that we've created. We will build the CA key, the server and client keys, the DH parameters and the CRL PEM file.
We will build all those keys using the 'easyrsa' command line. Go to the '/etc/openvpn/easy-rsa/3' directory.
cd /etc/openvpn/easy-rsa/3/
Initialization and Build CA
Before building any keys, we need to initialize the PKI directory and build the CA key.
Initiate the PKI directory and build the CA key using the command below.
./easyrsa init-pki
./easyrsa build-ca
Now type a password for your CA key; you will get the 'ca.crt' and 'ca.key' files under the 'pki' directory.
Build Server Key
Now we want to build the server key, and we will build the server key named 'hakase-server'.
Build the server key 'hakase-server' using the command below.
./easyrsa gen-req hakase-server nopass
Note:
- nopass = option to disable the password for the 'hakase-server' key.
And sign the 'hakase-server' key using our CA certificate.
./easyrsa sign-req server hakase-server
You will be asked for the CA password; type it and press Enter. You will get the 'hakase-server.crt' certificate file under the 'pki/issued/' directory.
Verify the certificate file using the OpenSSL command and make sure there is no error.
openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt
The server key and certificate have been created. The server private key is located at 'pki/private/hakase-server.key', and the server certificate at 'pki/issued/hakase-server.crt'.
Build Client Key
Now we need to build keys for the client. We will generate a new client key named 'client01'.
Generate the 'client01' key using the command below.
./easyrsa gen-req client01 nopass
Now sign the 'client01' key using our CA certificate as below.
./easyrsa sign-req client client01
Type 'yes' to confirm the client certificate request, then type the CA password.
The client certificate named 'client01' has been generated, verify the client certificate using the openssl command.
openssl verify -CAfile pki/ca.crt pki/issued/client01.crt
Build Diffie-Hellman Key
This action can take a long time, depending on the key length we chose and the available entropy on the server. We will be using the key length defined in the 'vars' file.
Generate the Diffie-Hellman key using command below.
./easyrsa gen-dh
The DH key has been generated, located at the 'pki' directory.
Optional: Generate the CRL Key
The CRL (Certificate Revocation List) file is used to revoke client keys. If you have multiple client certificates on your VPN server and want to revoke one of them, you just need to revoke it using the easy-rsa command.
If you want to revoke some key, run the command as below.
./easyrsa revoke someone
And then generate the CRL key.
./easyrsa gen-crl
The CRL PEM file has been generated under the 'pki' directory.
Copy Certificates Files
All certificates have been generated, now copy the certificate files and PEM files.
Copy Server Key and Certificate.
cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/
Copy client01 Key and Certificate.
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client01.crt /etc/openvpn/client/
cp pki/private/client01.key /etc/openvpn/client/
Copy the DH and CRL files.
cp pki/dh.pem /etc/openvpn/server/
cp pki/crl.pem /etc/openvpn/server/
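To show what Step 3 produces and which checks are worth running on it, here is an added example that is not part of the tutorial and not Easy-RSA's own code: it builds a throwaway PKI with plain openssl in a temporary directory, issues a server and a client certificate with the same extendedKeyUsage split that 'sign-req server' and 'sign-req client' apply, verifies both against the CA, then revokes the client certificate and checks it against the generated CRL. The CA name 'demo-ca', the config file 'ca.cnf', the 365-day lifetimes and the passphrase-less CA key are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the tutorial, not Easy-RSA's code): a throwaway PKI
# built with plain openssl that mirrors Step 3 (build-ca, sign-req server,
# sign-req client, revoke, gen-crl) plus the checks worth running on the result.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: a CA section for 'openssl ca', plus the two extension
# profiles that correspond to Easy-RSA's 'server' and 'client' x509-types.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only

[ cn_only ]
commonName = supplied

[ req ]
distinguished_name = dn
[ dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# build-ca: self-signed CA (assumed name 'demo-ca', no passphrase in this demo).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=demo-ca" -days 3650 -config ca.cnf -extensions v3_ca 2>/dev/null

# gen-req + sign-req: issue one certificate with the given extension profile.
issue() {   # usage: issue NAME server|client
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" -config ca.cnf 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -extensions "$2" \
        -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue hakase-server server
issue client01 client

# Print the Extended Key Usage of CERT: the field that separates a server
# certificate from a client one (see the usage note on 'remote-cert-tls').
eku_of() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# Return 0 when CERT chains to ca.crt; when a CRL is given, revoked certs fail.
verify_cert() {   # usage: verify_cert CERT [CRL]
    { if [ -n "${2:-}" ]; then
          openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1"
      else
          openssl verify -CAfile ca.crt "$1"
      fi; } 2>&1 | grep -q ': OK$'
}

# revoke + gen-crl: pull client01 and publish the list the server's
# 'crl-verify' directive would consult on every handshake.
openssl ca -config ca.cnf -revoke client01.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

echo "server EKU: $(eku_of hakase-server.crt)"   # TLS Web Server Authentication
echo "client EKU: $(eku_of client01.crt)"        # TLS Web Client Authentication
verify_cert hakase-server.crt && echo "server certificate chains to the CA"
verify_cert client01.crt crl.pem || echo "client01 is rejected once the CRL is checked"
```

The EKU difference is what a client's 'remote-cert-tls server' directive enforces: with it, the client refuses a peer whose certificate was issued as a client, so a leaked client01 key cannot be used to impersonate the VPN server even though it chains to the same CA. On the server side, 'crl-verify' performs the corresponding check for revoked clients, which is why the CRL has to be regenerated and copied after every 'easyrsa revoke'.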
Step 4 - Configure OpenVPN
In this step, we will create a new configuration file 'server.conf' for the OpenVPN server.
Go to the '/etc/openvpn/' directory and create the new configuration file 'server.conf' using vim.
cd /etc/openvpn/
vim server.conf
Paste the following OpenVPN server configuration there.
# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

# DH and CRL key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.10.1.0 255.255.255.0
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

# Enable multiple client to connect with same Certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-append /var/log/openvpn.log
verb 3
Save and exit.
The configuration for OpenVPN has been created.
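As an added example (not from the tutorial or the OpenVPN project), here is a pre-flight check to run on 'server.conf' before starting the service: it reads the file-path directives (ca, cert, key, dh, crl-verify), confirms each file exists and flags a private key that is readable by group or others. The block runs it against a constructed copy of the configuration in a temporary directory, with the key deliberately left at mode 644 and 'crl.pem' deliberately missing, the two mistakes it is meant to catch.

```sh
#!/bin/sh
# Added example (not from the tutorial): pre-flight check of an OpenVPN
# server.conf. Every file named by ca/cert/key/dh/crl-verify must exist, and
# the private key must not be readable by group or others.
preflight() {   # usage: preflight CONFIG ; prints each problem, returns their count
    problems=0
    while read -r directive path _; do
        case "$directive" in
            ca|cert|key|dh|crl-verify) ;;
            *) continue ;;              # comments, blank lines, non-file directives
        esac
        if [ ! -f "$path" ]; then
            echo "missing file: $directive $path"
            problems=$((problems + 1))
        elif [ "$directive" = key ]; then
            # characters 5-10 of 'ls -l' output are the group/other permission bits
            case "$(ls -l "$path" | cut -c5-10)" in
                ------) ;;
                *) echo "private key readable by group/others: $path"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done < "$1"
    return "$problems"
}

# Constructed demo layout (a temporary stand-in for /etc/openvpn, not a real server).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir "$DEMO/server"
for f in ca.crt hakase-server.crt dh.pem hakase-server.key; do : > "$DEMO/server/$f"; done
chmod 644 "$DEMO/server/hakase-server.key"      # deliberately too open
# crl.pem is deliberately not created
cat > "$DEMO/server.conf" <<EOF
port 1194
proto udp
dev tun
ca $DEMO/server/ca.crt
cert $DEMO/server/hakase-server.crt
key $DEMO/server/hakase-server.key
dh $DEMO/server/dh.pem
crl-verify $DEMO/server/crl.pem
server 10.10.1.0 255.255.255.0
user nobody
group nobody
EOF

preflight "$DEMO/server.conf"; PROBLEMS_BEFORE=$?   # 2: open key, missing CRL
echo "problems before fixes: $PROBLEMS_BEFORE"

chmod 600 "$DEMO/server/hakase-server.key"
: > "$DEMO/server/crl.pem"
preflight "$DEMO/server.conf"; PROBLEMS_AFTER=$?    # 0
echo "problems after fixes: $PROBLEMS_AFTER"
```

A root-owned key at mode 0600 is compatible with 'user nobody' and 'group nobody': OpenVPN reads the key before dropping privileges, and 'persist-key' keeps it in memory across restarts so the process never needs to re-read it as 'nobody'.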
Step 5 - Enable Port-Forwarding and Configure Routing Firewalld
In this step, we will enable IP forwarding in the kernel and configure routing in 'Firewalld' for OpenVPN.
Enable IP forwarding in the kernel by running the following commands.
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
Next, configure routing using the Firewalld for OpenVPN.
Add the 'openvpn' service to the firewalld service list and add the 'tun0' interface to the firewalld trusted zone.
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
Enable 'MASQUERADE' on the firewalld 'trusted' zone.
firewall-cmd --permanent --zone=trusted --add-masquerade
Enable NAT for the OpenVPN internal network '10.10.1.0/24' out through the server's external interface, which the 'SERVERIP' variable below holds (the '-o' option takes an interface name).
SERVERIP=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.10.1.0/24 -o $SERVERIP -j MASQUERADE
And reload firewalld.
firewall-cmd --reload
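As an added example (not from the tutorial), the following picks the outgoing interface for the MASQUERADE rule by field name instead of by position. The positional awk expression above yields the device name on iproute2 versions whose 'ip route get' output ends at the 'src' address, but newer releases append a 'uid N' field, which shifts the expression onto the source address; an address is not an interface, so the NAT rule would then silently never match. The sample route lines and the 203.0.113.x addresses are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the tutorial): select the outgoing interface for the
# POSTROUTING MASQUERADE rule by looking for the 'dev' keyword.
outgoing_dev() {   # reads one 'ip route get' line on stdin, prints the 'dev' value
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The tutorial's positional extraction, kept for comparison.
positional_dev() {
    awk 'NR == 1 { print $(NF - 2) }'
}

# Constructed sample lines (not captured from a real server): the layout
# without and with the trailing 'uid 0' field.
ROUTE_OLD='84.200.69.80 via 203.0.113.1 dev eth0 src 203.0.113.10'
ROUTE_NEW='84.200.69.80 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 0'

printf '%s\n' "$ROUTE_OLD" | outgoing_dev      # eth0
printf '%s\n' "$ROUTE_NEW" | outgoing_dev      # eth0
printf '%s\n' "$ROUTE_OLD" | positional_dev    # eth0
printf '%s\n' "$ROUTE_NEW" | positional_dev    # 203.0.113.10, an address rather than a device

# On the server itself (not run here):
#   OUT_DEV=$(ip route get 84.200.69.80 | outgoing_dev)
#   firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING \
#       -s 10.10.1.0/24 -o "$OUT_DEV" -j MASQUERADE
```

After adding the rule, 'firewall-cmd --permanent --direct --get-all-passthroughs' shows the stored rule, so the interface name it carries can be checked against 'ip link' before reloading.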
IP forwarding and the Firewalld routing have been configured. Now start the openvpn service and enable it to launch automatically every time the system boots.
systemctl start openvpn@server
systemctl enable openvpn@server
Check it using commands below.
netstat -plntu
systemctl status openvpn@server
The OpenVPN server is up and running on UDP port '1194'.
Step 6 - OpenVPN Client Setup
Go to the '/etc/openvpn/client' directory and create a new OpenVPN client configuration file 'client01.ovpn' using vim.
cd /etc/openvpn/client
vim client01.ovpn
Paste the following OpenVPN client configuration there.
client
dev tun
proto udp
remote 139.xx.xx.xx 1194

# Client certificate - CA, client key and certificate
ca ca.crt
cert client01.crt
key client01.key

# TLS Security (must match the server)
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Other Configuration
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Save and exit.
Now compress the '/etc/openvpn/client' directory into a 'zip' or 'tar.gz' file and download the archive with scp from your local computer.
Compress the '/etc/openvpn/client' directory to the 'client01.tar.gz' file.
cd /etc/openvpn/
tar -czvf client01.tar.gz client/*
scp [email protected]:/etc/openvpn/client01.tar.gz .
Step 7 - Testing OpenVPN
Testing on the clients.
On Linux
Install the OpenVPN package and, if you want a GUI, the OpenVPN NetworkManager plugin.
sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome -y
If you want to connect using a terminal shell, run the OpenVPN command below.
openvpn --config client01.ovpn
When you're connected to OpenVPN, open a new terminal tab and check the connection using the curl command.
curl ifconfig.io
You will get the OpenVPN server's public IP address.
On Mac OS
Download Tunnelblick and install it.
Extract the 'client01.tar.gz' file and rename the 'client' directory to 'client01.tblk'.
tar -xzvf client01.tar.gz
mv client client01.tblk
Double-click 'client01.tblk'; Tunnelblick will automatically detect the OpenVPN configuration and import it.
Now connect through Tunnelblick from the top bar.
On Windows
Download the OpenVPN client for Windows and import the configuration.