Configuring and Setting Up an OpenVPN Server on CentOS 7.2
Welcome to this step-by-step tutorial that will assist you in setting up an OpenVPN server on CentOS 7.2 x64, employing robust certificate authentication. Additionally, you’ll learn how to seamlessly configure OpenVPN clients on Windows, Linux, or macOS.
Requirements
We will need the following to be able to successfully setup an OpenVPN server:
– A CentOS 7.2 x64 VPS server
– Root Access to the server
– An SSH client (you can download PuTTY[1] or Bitvise[2], depending on your operating system and preference)
Now that you have all the necessary ingredients, we can initiate the process of setting up your OpenVPN server. Follow this guide meticulously, and feel free to streamline the installation and configuration by copying and pasting the commands provided below. This ensures a smooth and straightforward setup.
An OpenVPN Server Installation Guide
First, Update your CentOS distribution:
yum update
Next, we’ll set up the EPEL repository. The Fedora Team’s open source, community-driven EPEL repository offers 100% genuine add-on software packages.
yum install epel-release
We’ll install OpenVPN and the Easy-RSA package. Easy-RSA is a set of scripts that makes creating the certificate authority and the certificates simpler.
yum install openvpn easy-rsa
Generate Keys & Certificates
We will need to create a folder so we can store the keys and certificates that we will generate later.
mkdir -p /etc/openvpn/easy-rsa/keys
Next, we will copy the certificate generation scripts from their default location to our OpenVPN folder.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
We will go to the easy-rsa directory and source the variables.
cd /etc/openvpn/easy-rsa
source ./vars
Then we will clean all the existing keys & certificates (if any) and generate the new certificate authority.
./clean-all
When building the certificate authority we will be asked for information such as the country, organization and department. You can fill in your own details, or keep the defaults by just pressing Enter.
./build-ca
Next we generate the key and certificate for the OpenVPN server. You will be asked the same questions as in the previous command; answer them or accept the defaults by pressing Enter. The command below uses "server" as the base filename for the server’s key and certificate. Once your details have been entered you will be prompted to sign the certificate and then to commit it; answer "y" to both.
./build-key-server server
We will also need to create a Diffie-Hellman parameters file. How long this takes depends on the key length. By default we use a 2048-bit key, but you can change this by editing KEY_SIZE in the vars file in the easy-rsa folder. Generation may take a minute or two.
./build-dh
Since this guide is about OpenVPN authentication using client certificates, we also need to generate a certificate for our client. Without it the client will not be able to log in to the OpenVPN server. Keep this client certificate and its key safe, and never hand your own certificate to others. If you want other people to use your OpenVPN server, create a separate client certificate for each of them with the command below (revoking one user is then possible without affecting the rest). For this guide we will create a certificate for "john".
./build-key john
"john" is the base filename, so the client key and certificate will be john.key and john.crt.
After the above commands we will have the following keys and certificates in the folder /etc/openvpn/easy-rsa/keys:
server.key
server.crt
john.key
john.crt
ca.crt
ca.key
dh2048.pem
You will need to download john.key, john.crt and ca.crt for use by the OpenVPN client. Keep ca.key on the server (or offline): it signs every certificate the server trusts, and clients never need it.
Configuring OpenVPN
We will now configure the OpenVPN server. First, create a configuration file named server.conf:
nano /etc/openvpn/server.conf
Then fill in the file with the basic configuration below. For more information on each directive see man openvpn[3].
port 443
proto tcp
dev tun
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
persist-key
persist-tun
keepalive 10 60
reneg-sec 0
comp-lzo
tun-mtu 1468
tun-mtu-extra 32
mssfix 1400
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /etc/openvpn/443.log
verb 3
Save the file and exit.
Next we need to start OpenVPN and enable it on startup.
systemctl start openvpn@server.service
systemctl -f enable openvpn@server.service
Routing & Forwarding Rules
We will need to add an iptables NAT rule so that clients can reach the internet through the server. Replace $serverip with your server’s public IP address; the 10.11.0.0/24 network must match the one given in the server directive of server.conf.
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -j SNAT --to $serverip
iptables-save
Note that iptables-save on its own only prints the current rules. To keep them across a reboot on CentOS 7, redirect its output to /etc/sysconfig/iptables, which the iptables-services package loads at boot.
Next, edit sysctl.conf to enable packet forwarding. Open the file /etc/sysctl.conf and add the line:
net.ipv4.ip_forward=1
then apply it with:
sysctl -p
Now that the OpenVPN server is set up, we will connect clients to it.
Configuring Client
Remember the three files you were told to download earlier:
john.key
john.crt
ca.crt
We need these files to connect to our OpenVPN server. Put these three files in the same folder as the .ovpn file we will create next. Copy the configuration below and save it as client.ovpn. $serverip is the IP address of your OpenVPN server.
client
remote $serverip 443
proto tcp
resolv-retry infinite
route-delay 2
pull
comp-lzo yes
dev tun
nobind
ca ca.crt
cert john.crt
key john.key
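The server.conf, client.ovpn and SNAT rule above have to agree with each other: same port and proto on both sides, both sides carrying ca/cert/key, and the NAT source network equal to the subnet in the server directive. The following Python script is an added example, not part of the original guide: it parses constructed copies of those three artifacts (203.0.113.10 stands in for $serverip) and reports any mismatch.

```python
import ipaddress
import re

# Constructed copies of the guide's server.conf, client.ovpn and SNAT rule;
# $serverip is replaced by the documentation address 203.0.113.10.
SERVER_CONF = """\
port 443
proto tcp
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
"""
CLIENT_OVPN = """\
client
remote 203.0.113.10 443
proto tcp
ca ca.crt
cert john.crt
key john.key
"""
SNAT_RULE = "iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -j SNAT --to 203.0.113.10"

def parse_conf(text):
    """Map each OpenVPN directive to its argument list (first occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf.setdefault(key, args)
    return conf

def check_pair(server_text, client_text, snat_rule):
    """Return the mismatches between server.conf, client.ovpn and the NAT rule."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    problems = []
    port = (cli.get("remote", [""]) + ["1194"])[1]  # 1194 is OpenVPN's default port
    if port != srv.get("port", ["1194"])[0]:
        problems.append("client remote port differs from server port")
    if cli.get("proto", ["udp"])[0] != srv.get("proto", ["udp"])[0]:  # udp is the default
        problems.append("client and server proto differ")
    for d in ("ca", "cert", "key"):  # certificate auth needs all three on both sides
        if d not in srv or d not in cli:
            problems.append(f"'{d}' directive missing on server or client")
    vpn_net = ipaddress.ip_network("{}/{}".format(*srv["server"]))  # subnet from 'server'
    src = re.search(r"-s\s+(\S+)", snat_rule)
    if src is None or ipaddress.ip_network(src.group(1)) != vpn_net:
        problems.append("SNAT source network does not match the 'server' subnet")
    return problems
```

Run it after editing either config; an empty list means the three pieces are consistent.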
Connecting from Windows
Download[4] the Windows installer from OpenVPN, install it, run it as administrator, then copy the 4 files (client.ovpn, ca.crt, john.crt and john.key) into the C:\Program Files\OpenVPN\config folder.
In the system tray right click on the OpenVPN icon and click Connect.
Connecting from Linux
Install OpenVPN from your distribution’s official repository, then run it with:
sudo openvpn --config ~/path/to/client.ovpn
Connecting from macOS
For macOS there is an application called Tunnelblick[5]. Install and run it, and make sure the 4 required files are in the same folder. In Tunnelblick, locate your .ovpn file and click on it to install the configuration. To connect, select the configuration name and click "Connect".
There you go! Now we have a working OpenVPN installation on CentOS 7.2 using certificate authentication.
Don’t forget to put your comments if you succeeded using this guide.
As always we thank you!
[1]: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
[2]: https://www.bitvise.com/ssh-client-download
[3]: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
[4]: https://openvpn.net/community-downloads/
[5]: https://tunnelblick.net/downloads.html
