We’re going to install and configure OpenVPN on a CentOS 7 server. We’ll also discuss how to connect a client to the server on Windows, OS X, and Linux.
OpenVPN is an open-source VPN application that lets you create and join a private network securely over the public Internet.
You should complete these prerequisites:
- CentOS 7 Server
- root access to the server (several steps cannot be completed with just sudo access)
- Domain or subdomain that resolves to your server that you can use for the certificates
Before we start we’ll need to install the Extra Packages for Enterprise Linux (EPEL) repository. This is because OpenVPN isn’t available in the default CentOS repositories. The EPEL repository is an additional repository managed by the Fedora Project containing non-standard but popular packages.
yum install epel-release
Step 1 — Installing OpenVPN
First we need to install OpenVPN. We’ll also install Easy RSA for generating our SSL key pairs, which will secure our VPN connections.
yum install openvpn easy-rsa -y
Step 2 — Configuring OpenVPN
OpenVPN has example configuration files in its documentation directory. We’re going to copy the sample
server.conf file as a starting point for our own configuration file.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Let’s open the file for editing.
There are a few lines we need to change in this file. Most of the lines just need to be uncommented (remove the ;). Other changes are marked in red.
When we generate our keys later, the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes, so we need to change the
dh filename to
We need to uncomment the
push "redirect-gateway def1 bypass-dhcp" line, which tells the client to redirect all traffic through our OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
Next we need to provide DNS servers to the client, as it will not be able to use the default DNS servers provided by your Internet service provider. We’re going to use Google’s public DNS servers,
Do this by uncommenting the
push "dhcp-option DNS lines and updating the IP addresses.
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
We want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of
nobody. To enable this you’ll need to uncomment these lines:
Save and exit the OpenVPN server configuration file.
Step 3 — Generating Keys and Certificates
Now that the server is configured we’ll need to generate our keys and certificates. Easy RSA installs some scripts to generate these keys and certificates.
Let’s create a directory for the keys to go in.
mkdir -p /etc/openvpn/easy-rsa/keys
We also need to copy the key and certificate generation scripts into the directory.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
To make life easier for ourselves we’re going to edit the default values the script
uses so we don’t have to type our information in each time. This information is stored
vars file so let’s open this for editing.
We’re going to be changing the values that start with
KEY_. Update the following values to be accurate for your organization.
The ones that matter the most are:
KEY_NAME: You should enter
server here; you could enter something else, but then you would also have to update the configuration files that reference
KEY_CN: Enter the domain or subdomain that resolves to your server
For the other values, you can enter information for your organization based on the variable name.
. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_CITY="New York"
# X509 Subject Field
export KEY_NAME="server". . .
. . .
We’re also going to remove the chance of our OpenSSL configuration not loading due to the version being undetectable. We’re going to do this by copying the required configuration file and removing the version number.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
To start generating our keys and certificates we need to move into our
easy-rsa directory and source in our new variables.
Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.
When you build the certificate authority, you will be asked to enter all the information we put into the
vars file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.
The next things we need to generate will are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.
We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or two to complete:
That’s it for our server keys and certificates. Copy them all into our OpenVPN directory.
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it’s best to generate separate keys and certificates for each client you intend on connecting.
Make sure that if you do this you give them descriptive names, but for now we’re going to have one client so we’ll just call it
That’s it for keys and certificates.
Step 4 — Routing
To keep things simple we’re going to do our routing directly with iptables rather than the new firewalld.
First, make sure the iptables service is installed and enabled.
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
Next we’ll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Then we must enable IP forwarding in
sysctl.conf for editing.
Add the following line at the top of the file:
net.ipv4.ip_forward = 1
Then restart the network service so the IP forwarding will take effect.
systemctl restart network.service
Step 5 — Starting OpenVPN
Now we’re ready to run our OpenVPN service. So lets add it to
systemctl -f enable email@example.com
systemctl start firstname.lastname@example.org
Well done; that’s all the server-side configuration done for OpenVPN.
Next we’ll talk about how to connect a client to the server.
Step 6 — Configuring a Client
Regardless of your client machine’s operating system, you will definitely need a copy of the ca certificate from the server, along with the client key and certificate.
Locate the following files on the server. If you generated multiple client keys with unique descriptive names, then the key and certificate names will be different. In this article we used
Copy these three files to your client machine. You can use SFTP or your preferred method. You could even open the files in your text editor and copy and paste the contents into new files on your client machine.
Just make sure you make a note of where you save them.
We’re going to create a file called
client.ovpn. This is a configuration file for an OpenVPN client, telling it how to connect to the server.
- You’ll need to change the first line to reflect the name you gave the client in your key and certificate; in our case, this is just
- You also need to update the IP address from
your_server_ip to the IP address of your server; port
1194 can stay the same
- Make sure the paths to your key and certificate files are correct
remote your_server_ip 1194
This file can now be used by any OpenVPN client to connect to your server.
On Windows, you will need the official OpenVPN Community Edition binaries which come with a GUI. Then, place your
.ovpn configuration file into the proper directory,
C:\Program Files\OpenVPN\config, and click Connect in the GUI. OpenVPN GUI on Windows must be executed with administrative privileges.
On Mac OS X, the open source application Tunnelblick provides an interface similar to the OpenVPN GUI on Windows, and comes with OpenVPN and the required TUN/TAP drivers. As with Windows, the only step required is to place your
.ovpn configuration file into the
~/Library/Application directory. Or, you can double-click on your
On Linux, you should install OpenVPN from your distribution’s official repositories. You can then invoke OpenVPN by executing:
sudo openvpn --config ~/path/to/client.ovpn
Congratulations! You should now have a fully operational virtual private network running on your OpenVPN server.
After you establish a successful client connection, you can verify that your traffic is being routed through the VPN by checking Google to reveal your public IP.