How to Install OpenVPN on CentOS 7
OpenVPN® is open-source software that lets the user implement and create virtual private networks; these networks serve as a secure connection between two points, allowing traffic to move unobstructed while remaining private and secure. OpenVPN allows peers to use a pre-shared secret key, certificate, or username and password combination to authenticate traffic and communications. It can also function in multi-client environments, providing each client with an authentication certificate from the server.
OpenVPN was first published in 2001 and has become a favorite VPN solution for multiple platforms and device types; OpenVPN functions on Windows, Mac OS X, iOS, Android, and many Linux-style systems. Additionally, OpenVPN has been enhanced and modified for use across different router firmware implementations.
To get started installing OpenVPN, you will need a node running on a cloud server, dedicated server, or virtual private server; your operational needs or personal preference can be the deciding factor. When you’ve chosen a node, it will need to have an up-to-date version of CentOS 7 running.
CentOS 7 is a popular Linux-style operating system and you can learn more about the CentOS Project on the project website.
Additionally, you may choose to use a domain or sub-domain later in this guide. If you’re choosing to use a domain or sub-domain, you may want to set this up before setting up OpenVPN.
How to Install OpenVPN on CentOS 7
Once you’ve chosen your cloud, dedicated, or virtual private server node, verified your CentOS 7 installation, and have root access available, you’re ready to begin. As mentioned above, if you are using a domain or sub-domain for this setup, you may want to have that available before walking through the steps to install OpenVPN.
The first step during this installation is to make sure your server node is up-to-date and then reboot, processing any updates if needed:
yum update -y && sleep 5 && reboot
After your system reboots, you can install the EPEL (Extra Packages for Enterprise Linux) repository:
yum install epel-release -y
When complete, it’s time to install OpenVPN and EasyRSA (a small key management package for use with OpenVPN) for generating RSA keys:
yum install openvpn easy-rsa -y
Once OpenVPN and EasyRSA are installed, you can copy the example configuration:
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Now it’s time to edit the server configuration file:
This step is optional, but if you want to push all traffic through the VPN, you will want to uncomment the following line:
After you’ve edited the configuration file, create a folder to store the key. Then copy the key and the script:
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
When you’ve finished copying the keys and script, you can edit the vars file to make changes to the default value:
Now copy the OpenSSL configuration:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# X509 Subject Field
Then copy the OpenSSL configuration:
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
It’s time to start generating keys and certificates. Then you can load the vars file to automate the setup process:
Before proceeding, we want to use a fresh install to clean up a bit. Make sure to do this on a fresh install, since you will lose all your certificates:
After cleaning up, we’re going to generate keys making sure to match our KEY_NAME value:
Take the generated key, copy it, and place the copy in your OpenVPN folder:
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Now we’re going to generate our client certificate, replacing the “client” with the username you choose:
When complete, we want to configure the routing parts of CentOS 7 for use with the VPN installation:
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
We want to add some forwarding rules before enabling our VPN service:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
net.ipv4.ip_forward = 1
Once you’ve completed your configuration and forwarding rules, it’s time to enable the OpenVPN service and start it up:
systemctl -f enable firstname.lastname@example.org
systemctl start email@example.com
After starting and enable the service, we want to configure the client, copy the “ca” certificate, and copy the “client” key. Each of these copied files is necessary to use the VPN:
To get started using the VPN, we need to create a .ovpn file configuration for use with OpenVPN:
remote "your_server_ip" 1194
Once you’ve created your .ovpn file it’s time to use the certificate:
Windows: Copy all file to C:Program FilesOpenVPNconfig
MacOS: Import .ovpn file with Tunnelblick
Linux: sudo openvpn --config client.ovpn
Congratulations, you’ve installed OpenVPN on your cloud or dedicated server node running CentOS 7. If you found this guide on how to install OpenVPN helpful, please share it with other users going through the same process. Additionally, check out our other guides and learn more about other options available for your cloud server or dedicated server nodes.