How To Set Up and Configure OpenVPN on CentOS 7

In this article, we want to teach you how to set up and configure OpenVPN on CentOS 7.

OpenVPN is an open-source VPN protocol and implementation that builds an encrypted tunnel between two points on a network. It runs over TLS, authenticates both ends with X.509 certificates, and is the engine behind many commercial and self-hosted VPNs, so traffic that crosses an untrusted network such as the public internet stays confidential and authenticated.

Before you start, make sure you have the following.

Requirements for setting up and configuring OpenVPN

Log in as a non-root user with sudo privileges on your CentOS 7 server. If you need to create one, see our article about the initial server setup with CentOS 7.

Set up a basic firewall as well. Our article about setting up a firewall with FirewallD on CentOS 7 shows how; the routing steps later in this guide assume firewalld is running.

You also need a domain name (or subdomain) that resolves to the server; it is used as the Common Name when you generate the certificates.

With those in place you can start setting up the OpenVPN server.

How to Install OpenVPN on CentOS 7

In this step you install OpenVPN itself and Easy-RSA, which you will use to run an internal certificate authority (CA) for the VPN.

First, update the installed packages so you start from current versions:

sudo yum update

The OpenVPN package lives in the EPEL repository. Enable it with the following command:

sudo yum install epel-release

Then update the package lists again:

sudo yum update

Now install OpenVPN and wget:

sudo yum install -y openvpn wget

Use wget to download Easy-RSA. This guide uses the 2.x branch, which is maintained in the easy-rsa-old repository on GitHub (Easy-RSA 3 has a different workflow and its scripts are not interchangeable with the 2.x ones). Pick the release you want from that repository's Releases page and paste its link into the following command, which fetches 2.3.3:

wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz

Extract the archive into your current directory:

tar xfz /tmp/easyrsa

This creates a directory named easy-rsa-old-2.3.3. Next, create a subdirectory named easy-rsa under /etc/openvpn:

sudo mkdir /etc/openvpn/easy-rsa

Copy the extracted Easy-RSA 2.0 scripts into the new directory:

sudo cp -rf easy-rsa-old-2.3.3/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Change the owner of the directory to your non-root sudo user, because the certificate scripts in the following sections are run as that user (replace olivia with your own username):

sudo chown olivia /etc/openvpn/easy-rsa/

With OpenVPN installed, the next step is the server-side configuration.

How to Configure OpenVPN on CentOS 7

In this part you create a basic OpenVPN server configuration.

Start from the sample server.conf shipped with the package. The version number in the path depends on the installed package, so check the directory name under /usr/share/doc before copying:

sudo cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn

Open the copy in your preferred text editor; here we use vi:

sudo vi /etc/openvpn/server.conf

Several lines in the file need to change.

First, find the push "redirect-gateway def1 bypass-dhcp" line and uncomment it by removing the ";" at the beginning. This makes clients send all of their traffic through the VPN instead of only traffic for the VPN subnet. The line should read:

push "redirect-gateway def1 bypass-dhcp"

Next, uncomment both push "dhcp-option DNS ..." lines and change the addresses. Without this, clients keep using their local resolvers, which leaks DNS queries outside the tunnel. Here we use Google's public DNS servers; any resolver reachable through the tunnel works.

The lines should read:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Uncomment the user nobody and group nobody lines so that OpenVPN drops root privileges once it has opened the tun device and bound its port. A compromise of the running process then does not hand an attacker root:

user nobody
group nobody

Now uncomment the topology subnet line. Together with the server 10.8.0.0 255.255.255.0 line below it, this tells clients which address to use: the server becomes 10.8.0.1 and the first client 10.8.0.2.

topology subnet

It is also recommended to add the following line. It makes the server check that a connecting client's certificate carries the TLS Web Client Authentication extended key usage, so a certificate that the same CA issued for a server cannot be reused to impersonate a client:

remote-cert-eku "TLS Web Client Authentication"

Finally, OpenVPN strongly recommends protecting the TLS control channel with a static pre-shared key. With tls-crypt, every control-channel packet is authenticated and encrypted with that key, so packets that do not carry a valid HMAC are dropped before they reach the TLS stack. This hides the handshake from passive observers, keeps port scanners and unauthenticated UDP floods away from the TLS code, and limits the impact of bugs in the TLS implementation. The older tls-auth directive only authenticates the packets; tls-crypt also encrypts them.

Comment out the tls-auth ta.key 0 line by adding ";" at the beginning, then add a tls-crypt line that points at a static key file. The file is called myvpn.tlsauth here; any name works, but the key must be generated (with openvpn's --genkey option) before you start the server, and every client needs an identical copy:

;tls-auth ta.key 0
tls-crypt myvpn.tlsauth

Save and close the file. In vi you can do this with ":wq".
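The edits above can be scripted and, more importantly, checked. The following shell script is an added example, not part of the original article or of the OpenVPN project: it applies the same edits to a copy of the sample server.conf with sed, generates the static key that the tls-crypt line requires (the steps above do not show this; openvpn's --genkey --secret option creates it), and then audits the result so that a forgotten ";" does not leave tls-auth active or the privilege drop disabled. The sample configuration it starts from is a trimmed copy of the OpenVPN 2.4 sample, constructed inline so the script runs without the openvpn package; the file and key names are the ones used in this guide.

```shell
#!/bin/bash
# Added example: script the server.conf edits from this section and audit them.
# Not from the original article. Assumes the layout of the OpenVPN 2.4 sample
# server.conf; a trimmed, constructed copy of that sample is written below.
set -u

# Lines the hardened server.conf must contain, exactly as written.
REQUIRED_LINES='push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
topology subnet
remote-cert-eku "TLS Web Client Authentication"
tls-crypt myvpn.tlsauth'

# make_sample_conf FILE: write a trimmed, constructed copy of the package's
# sample server.conf (the relevant lines are commented out with ';' as shipped).
make_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;user nobody
;group nobody
persist-key
persist-tun
verb 3
EOF
}

# harden_server_conf SRC DST: copy SRC to DST and apply the edits from this section.
harden_server_conf() {
    local src="$1" dst="$2"
    cp "$src" "$dst"
    # Route all client traffic through the tunnel and push DNS servers.
    sed -i 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' "$dst"
    sed -i 's/^;push "dhcp-option DNS 208\.67\.222\.222"/push "dhcp-option DNS 8.8.8.8"/' "$dst"
    sed -i 's/^;push "dhcp-option DNS 208\.67\.220\.220"/push "dhcp-option DNS 8.8.4.4"/' "$dst"
    # Subnet topology and privilege drop after startup.
    sed -i 's/^;topology subnet/topology subnet/' "$dst"
    sed -i 's/^;user nobody/user nobody/; s/^;group nobody/group nobody/' "$dst"
    # Replace tls-auth with tls-crypt (the trailing comment on the sample line is dropped).
    sed -i 's/^tls-auth ta\.key 0.*/;tls-auth ta.key 0\ntls-crypt myvpn.tlsauth/' "$dst"
    # Require the client EKU on client certificates.
    printf 'remote-cert-eku "TLS Web Client Authentication"\n' >> "$dst"
}

# make_tls_crypt_key FILE: generate the static key referenced by tls-crypt.
# Returns 2 (and does nothing) when the openvpn binary is not installed here.
make_tls_crypt_key() {
    command -v openvpn >/dev/null 2>&1 || { echo "openvpn not installed, skipping key generation" >&2; return 2; }
    openvpn --genkey --secret "$1" && chmod 600 "$1"
}

# audit_server_conf FILE: print every required directive that is missing and
# return 1 if anything is wrong, 0 if the file passes.
audit_server_conf() {
    local conf="$1" rc=0 line
    while IFS= read -r line; do
        grep -qxF -- "$line" "$conf" || { echo "MISSING: $line"; rc=1; }
    done <<EOF
$REQUIRED_LINES
EOF
    # tls-auth left active alongside tls-crypt is a configuration error.
    if grep -qE '^tls-auth ' "$conf"; then
        echo "MISSING: tls-auth must be commented out when tls-crypt is used"
        rc=1
    fi
    return $rc
}

# Demonstration against the constructed sample in a scratch directory.
WORK=$(mktemp -d)
make_sample_conf "$WORK/sample.conf"
harden_server_conf "$WORK/sample.conf" "$WORK/server.conf"
if audit_server_conf "$WORK/server.conf"; then
    echo "server.conf passes the audit"
fi
make_tls_crypt_key "$WORK/myvpn.tlsauth" || true
```

On a real server, point harden_server_conf at the sample file from /usr/share/doc and write to /etc/openvpn/server.conf, generate the key into /etc/openvpn/myvpn.tlsauth, and run the audit before starting the service. The sed expressions match the exact lines of the 2.4 sample; if your sample differs, the substitution silently does nothing and the audit reports the missing directive, which is the point of running it.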

With the server configured, the next step is generating the keys and certificates.

How to generate keys and certificates

Create a directory where Easy-RSA will store the keys and certificates you generate:

sudo mkdir /etc/openvpn/easy-rsa/keys

The default certificate fields are set in the vars file in /etc/openvpn/easy-rsa. Open it for editing:

sudo vi /etc/openvpn/easy-rsa/vars

Go to the bottom of the file and change the exported KEY_* values. Our example values look like this (the second KEY_EMAIL line is part of the stock file; set both):

. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Sanfrancisco"
export KEY_ORG="orcacore"
export KEY_EMAIL="olivia@orcacore.com"
export KEY_EMAIL=olivia@orcacore.com
export KEY_CN=ov.orcacore.net
export KEY_NAME="server"
export KEY_OU="Community"
. . .

Set these values:

KEY_COUNTRY: the two-letter ISO code of your country.

KEY_PROVINCE: your state or province (the two-letter abbreviation for US states).

KEY_CITY: your city.

KEY_ORG: your organization or company.

KEY_EMAIL: the email address to associate with the certificates.

KEY_CN: the domain or subdomain that resolves to your server.

KEY_NAME: use "server" here. If you use anything else, you must also update the configuration lines that reference server.key and server.crt.

KEY_OU: your department or team.

The remaining variables can be left at their defaults.

Save and close the file.

Build the certificate authority

Change into the easy-rsa directory:

cd /etc/openvpn/easy-rsa

Then load the variables you just set in the vars file into your shell:

source ./vars

Remove any keys and certificates already in the keys directory (this deletes everything in it, so only do this on a fresh setup):

./clean-all

Now build the certificate authority with the build-ca script. You are prompted for each certificate field; because the defaults come from the vars file, you can press Enter to accept them.

./build-ca

Note: This generates ca.key, the private key that signs your server and client certificates. If you lose it, you cannot issue or renew certificates for this CA; if anyone else obtains it, they can sign their own certificates and connect to your VPN without your knowledge. OpenVPN therefore recommends keeping ca.key offline (for example on removable media or a separate, non-networked machine) and bringing it out only when you need to sign a new certificate. At a minimum, make sure the keys directory and everything in it are readable only by their owner.

Create the server key and certificate

Create the key and certificate for the server with the following script:

./build-key-server server

You are prompted for the certificate fields again; press Enter to accept the defaults. Then you are asked for a challenge password and an optional company name. Leave both blank: the challenge password is only an attribute of the certificate signing request and does not protect the private key (if you want a passphrase-protected key, use the build-key-pass script instead). Finally, answer 'y' to sign the certificate and 'y' again to commit it to the CA database.

Next, generate the Diffie-Hellman parameters used for the key exchange:

./build-dh

This can take several minutes.

Copy the server key, the certificates and the DH parameters from the keys directory into the OpenVPN directory:

cd /etc/openvpn/easy-rsa/keys
sudo cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Each client also needs its own certificate, which the server uses to authenticate it. We use the name client here; choose any name you like, but issue one certificate per device so that a single device can be revoked later without affecting the others:

cd /etc/openvpn/easy-rsa
./build-key client

Finally, copy the versioned OpenSSL configuration file, openssl-1.0.0.cnf, to the unversioned name openssl.cnf. The vars file selects the configuration by matching the installed OpenSSL version; if it fails to match, it prints a warning that no openssl.cnf file could be found and the scripts above fail, so do this step first if you see that warning:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Now you can set up routing between the server and its clients.

How to route between the two machines

In this step you tell the server how to handle client traffic with a few firewall rules and some routing configuration.

We assume firewalld is installed and running, as described in the requirements. First list the active zones to see which zone your public interface belongs to, then allow the OpenVPN service (UDP port 1194) in that zone. The commands below use the trusted zone; substitute the zone you actually see, for example public:

sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=trusted --add-service openvpn
sudo firewall-cmd --zone=trusted --add-service openvpn --permanent

Check that the service was added:

sudo firewall-cmd --list-services --zone=trusted
Output
openvpn

Add masquerading (source NAT) to the running configuration and to the permanent one, so that packets the server forwards on behalf of clients carry the server's own address:

sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade

Check that masquerading is enabled:

sudo firewall-cmd --query-masquerade
Output
yes

Next, add a NAT rule for the VPN subnet itself. First create a variable, here named ORCA, that holds the name of the server's primary network interface, then use it to add a permanent POSTROUTING rule that masquerades traffic from 10.8.0.0/24 leaving through that interface. The awk expression picks the interface out of the ip route get output on CentOS 7; print the variable and confirm it is an interface name such as eth0 before running the second command:

ORCA=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $ORCA -j MASQUERADE

Reload the firewall to apply the permanent rules:

sudo firewall-cmd --reload

Now enable IP forwarding. Without it the kernel drops packets that arrive on the tun interface and are destined for the internet instead of forwarding them. With forwarding and the masquerade rule in place, client traffic leaves with the server's public address, so the client's own public address stays hidden.

Open sysctl.conf for editing:

sudo vi /etc/sysctl.conf

Add the following line (its position in the file does not matter):

net.ipv4.ip_forward = 1

Restart the network service to apply the setting:

sudo systemctl restart network.service
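The interface detection above relies on field positions in the ip route get output, which differ between iproute2 versions: newer releases append a uid field, which shifts the interface out of $(NF-2) and silently puts a source address into the NAT rule instead. The following shell functions are an added example, not part of the original article: a parser that finds the interface by looking for the token after dev regardless of its position, the page's own awk expression kept alongside it for comparison, and checks that IP forwarding is on in the running kernel, persisted in /etc/sysctl.conf, and that firewalld carries the masquerade passthrough for the VPN subnet. The two ip route get output lines used to exercise the parser are constructed; the firewall-cmd --direct --get-all-passthroughs call is a real firewalld option and is only run when firewall-cmd is installed.

```shell
#!/bin/bash
# Added example: robust checks for the routing step. Not from the original article.
set -u

# route_dev_by_position LINE: the article's expression, third field from the end.
# Correct for CentOS 7's iproute2 output, wrong once a trailing "uid N" is present.
route_dev_by_position() {
    printf '%s\n' "$1" | awk 'NR==1 {print $(NF-2)}'
}

# route_dev LINE: the interface is always the token after "dev", wherever it sits.
route_dev() {
    printf '%s\n' "$1" | awk 'NR==1 {for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# primary_iface: name of the interface that carries default-route traffic on this host.
primary_iface() {
    route_dev "$(ip route get 8.8.8.8 2>/dev/null | head -n 1)"
}

# ip_forward_runtime: 0 if the running kernel forwards IPv4, 1 otherwise.
ip_forward_runtime() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# ip_forward_persisted FILE: 0 if FILE (normally /etc/sysctl.conf) enables
# forwarding with an uncommented "net.ipv4.ip_forward = 1" line, 1 otherwise.
ip_forward_persisted() {
    grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# check_routing SUBNET: report whether the prerequisites for forwarding the VPN
# subnet are in place on this host; returns the number of failed checks.
check_routing() {
    local subnet="$1" failures=0 dev
    dev=$(primary_iface)
    if [ -n "$dev" ]; then
        echo "OK: primary interface is $dev"
    else
        echo "FAIL: could not determine the primary interface"; failures=$((failures + 1))
    fi
    if ip_forward_runtime; then
        echo "OK: ip_forward=1 in the running kernel"
    else
        echo "FAIL: ip_forward is 0 (sysctl -w net.ipv4.ip_forward=1 applies it immediately)"; failures=$((failures + 1))
    fi
    if ip_forward_persisted /etc/sysctl.conf; then
        echo "OK: ip_forward persisted in /etc/sysctl.conf"
    else
        echo "FAIL: ip_forward not persisted in /etc/sysctl.conf"; failures=$((failures + 1))
    fi
    # The direct passthrough added in this guide should list the subnet and MASQUERADE.
    if command -v firewall-cmd >/dev/null 2>&1 \
        && firewall-cmd --direct --get-all-passthroughs 2>/dev/null | grep -q -- "-s $subnet .*MASQUERADE"; then
        echo "OK: masquerade passthrough for $subnet present"
    else
        echo "FAIL: no firewalld masquerade passthrough for $subnet"; failures=$((failures + 1))
    fi
    return $failures
}

# Demonstration on constructed ip route get lines (old and new iproute2 formats).
OLD_FORMAT="8.8.8.8 via 203.0.113.1 dev eth0  src 203.0.113.10"
NEW_FORMAT="8.8.8.8 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 1000"
echo "by position: $(route_dev_by_position "$OLD_FORMAT") / $(route_dev_by_position "$NEW_FORMAT")"
echo "by dev token: $(route_dev "$OLD_FORMAT") / $(route_dev "$NEW_FORMAT")"
# On the VPN server itself, run the live checks as root:
#   check_routing 10.8.0.0/24
```

Run check_routing on the server after the reload; a FAIL on the forwarding or masquerade lines explains the common symptom of clients that connect but cannot reach the internet.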

Now you can start the OpenVPN service.

How to start OpenVPN

First, enable the openvpn@server unit so the server starts at boot. The part after the @ is the name of the configuration file in /etc/openvpn without its .conf extension:

sudo systemctl -f enable openvpn@server.service

Start the server:

sudo systemctl start openvpn@server.service

Check that the service is active and running:

sudo systemctl status openvpn@server.service
Output
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-08-31 05:02:39 EDT; 13s ago
 Main PID: 31504 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─31504 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

The server-side configuration is complete. Next, configure a client and connect it to the server.

How to configure a client

Regardless of the client's operating system, it needs a local copy of the CA certificate, the client certificate and key, and the static tls-crypt key generated in the previous sections.

Locate the following files on the server (your key and certificate names may differ):

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/myvpn.tlsauth

Copy these files to the client machine over a secure channel such as SFTP or scp; alternatively, open each file in a text editor and paste its contents into a new file on the client. Treat client.key and myvpn.tlsauth as secrets: do not send them by email or over another unencrypted channel.

Note: Remember where you save these files; the configuration below references them by path.

Now create a file named client.ovpn on the client machine. This is the OpenVPN client configuration that tells it how to reach the server:

sudo vi client.ovpn

Add the following lines to the file:

client
tls-client
dev tun
pull
user nobody
group nobody
cipher AES-256-CBC
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
tls-crypt /path/to/myvpn.tlsauth
remote-cert-tls server
remote your_server_ip 1194 udp
proto udp
topology subnet

Note: Replace client in the certificate and key names with the name you chose, replace your_server_ip with your server's public IP address or hostname, and make sure the paths to the files are correct. The cipher line must match the server: the sample server.conf uses cipher AES-256-CBC, and OpenVPN 2.4 peers will still negotiate AES-256-GCM on top of it. Do not fall back to the legacy BF-CBC default; Blowfish has a 64-bit block size and long-lived tunnels using it are exposed to the SWEET32 birthday attack.

Any OpenVPN client can now use this file to connect to your server.
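Copying four files and editing their paths on every client is error-prone, and it is easy to leave a client key world-readable. As an added example (not from the original article or from OpenVPN), the following shell function builds a single client.ovpn with the CA certificate, client certificate, client key and tls-crypt key embedded in <ca>, <cert>, <key> and <tls-crypt> blocks, which OpenVPN accepts in place of the file paths, and refuses to proceed if the key or tls-crypt file is readable by anyone other than its owner. The profile can then be copied to the client as one file. It assumes GNU stat (as on CentOS 7) and the file names used in this guide; the certificate and key contents in the demonstration are constructed placeholders, not real PEM data, and the function does not validate them.

```shell
#!/bin/bash
# Added example: build a single-file client profile with inline credentials.
# Not from the original article. Uses the file names from this guide.
set -u

# secret_file_ok FILE: 0 if FILE exists and has no group/other permission bits
# (mode 0600 or stricter), 1 otherwise. Uses GNU stat, as on CentOS 7.
secret_file_ok() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    # The last two octal digits are group and other; both must be 0.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# make_client_profile NAME CREDDIR SERVER OUT: write OUT as an OpenVPN client
# configuration for client NAME, embedding ca.crt, NAME.crt, NAME.key and
# myvpn.tlsauth from CREDDIR. Returns 1 if a file is missing or a secret is
# readable by group/other; nothing is written in that case.
make_client_profile() {
    local name="$1" dir="$2" server="$3" out="$4" f pair
    local ca="$dir/ca.crt" cert="$dir/$name.crt" key="$dir/$name.key" tc="$dir/myvpn.tlsauth"
    for f in "$ca" "$cert"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    for f in "$key" "$tc"; do
        secret_file_ok "$f" || { echo "refusing: $f is missing or readable by others (chmod 600 it)" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $server 1194 udp
nobind
persist-key
persist-tun
user nobody
group nobody
# Must match the server; the sample server.conf uses AES-256-CBC and
# OpenVPN 2.4 peers negotiate AES-256-GCM on top of it.
cipher AES-256-CBC
remote-cert-tls server
topology subnet
verb 3
EOF
        # Inline blocks replace the ca/cert/key/tls-crypt file directives.
        for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-crypt:$tc"; do
            printf '<%s>\n' "${pair%%:*}"
            cat "${pair#*:}"
            printf '</%s>\n' "${pair%%:*}"
        done
    } > "$out"
    chmod 600 "$out"  # the profile now contains the private key
}

# Demonstration with constructed placeholder credentials (not real PEM data).
WORK=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED CA\n-----END CERTIFICATE-----\n' > "$WORK/ca.crt"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED CLIENT\n-----END CERTIFICATE-----\n' > "$WORK/client.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED KEY\n-----END PRIVATE KEY-----\n' > "$WORK/client.key"
printf -- '-----BEGIN OpenVPN Static key V1-----\nCONSTRUCTED\n-----END OpenVPN Static key V1-----\n' > "$WORK/myvpn.tlsauth"
chmod 600 "$WORK/client.key" "$WORK/myvpn.tlsauth"
if make_client_profile client "$WORK" vpn.example.com "$WORK/client.ovpn"; then
    echo "wrote $WORK/client.ovpn"
fi
```

On the server, run it against /etc/openvpn/easy-rsa/keys with myvpn.tlsauth copied into that directory (or adjust the tc path), then transfer only the resulting .ovpn over SFTP. Because the file contains the private key, keep it at mode 0600 on the client as well.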

Let's see how to connect from each operating system.

Windows:

On Windows, download the OpenVPN installer from the OpenVPN community downloads page; it includes a GUI.

Then place your .ovpn configuration file in C:\Program Files\OpenVPN\config and click Connect in the GUI.

Note: The OpenVPN GUI on Windows must be run with administrative privileges so it can configure the adapter and routes.

macOS:

On macOS, the open-source Tunnelblick application provides an interface similar to the OpenVPN GUI on Windows and bundles OpenVPN together with the required TUN/TAP drivers.

Place your .ovpn file in the ~/Library/Application Support/Tunnelblick/Configurations directory, or simply double-click the .ovpn file to import it.

Linux:

On Linux, install OpenVPN from your distribution's official repositories and connect with the following command:

sudo openvpn --config ~/path/to/client.ovpn

After the client connects, verify that your traffic is routed through the VPN by searching "what is my IP" in a browser or visiting any public-IP lookup site: the address shown should be your server's public IP, not the client's.

Conclusion of How to Set Up and Configure OpenVPN on CentOS 7

At this point you have a working OpenVPN server and a client that routes its traffic through it.

Hope you enjoy this article on the Orcacore website about how to set up and configure OpenVPN on CentOS 7.
