OpenVPN is an open source application that is widely used to create secure virtual private networks over the untrusted public Internet. It is an SSL VPN solution that tunnels your system's traffic securely across the Internet and works in a client-server model. All devices connected to the virtual private network behave as if they were attached to your local area network. Packets sent through the VPN tunnel are encrypted with 256-bit AES, protecting them from interception in transit.
Table of Contents
Step 1. First let’s start by ensuring your system is up-to-date.
Step 2. Installing OpenVPN on CentOS 7.
Step 3. Configuring Easy-rsa.
Step 4. Generating a server key and certificate.
Step 5. OpenVPN server configuration.
Step 6. Configure Iptables for OpenVPN.
Step 7. Create client certificate and key.
Prerequisites
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and, most importantly, host your site on your own VPS. The installation is quite simple and assumes you are running as root; if not, you may need to prefix the commands with 'sudo' to get root privileges. I will walk you through the step-by-step installation of the OpenVPN open source virtual private network on a CentOS 7 server.
Install OpenVPN on CentOS 7
Step 1. First let’s start by ensuring your system is up-to-date.
yum clean all
yum -y install epel-release
yum -y update
Step 2. Installing OpenVPN on CentOS 7.
We will now install the OpenVPN and Easy-RSA packages. Easy-RSA is installed so that we have an easier way of generating certificates:
yum install openvpn easy-rsa
Step 3. Configuring Easy-rsa.
Now that OpenVPN is installed, you have to create the keys and certificates. Follow this section step by step, starting with the directory that will hold the keys:
mkdir -p /etc/openvpn/easy-rsa/keys
Next, we will copy the certificate generation scripts from their default location to our OpenVPN folder:
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
We will go to the easy-rsa directory and source the variables:
cd /etc/openvpn/easy-rsa
source ./vars
Then run “./clean-all” right away to ensure that we have a clean certificate setup:
./clean-all
Now you have to generate a Certificate Authority (CA) file. You will be asked for the country name and the other fields that you edited in the “vars” file; you can hit “Enter” to accept your default values.
Run the build-ca script from the easy-rsa directory you copied the scripts into:
cd /etc/openvpn/easy-rsa
./build-ca
Step 4. Generating a server key and certificate.
Run the command below in the current directory:
./build-key-server server
We will also need to create a Diffie-Hellman parameter file. How long this takes depends on the key length. By default we use a 2048-bit key, but you can change it by editing the vars file in the easy-rsa folder:
./build-dh
Step 5. OpenVPN server configuration.
We will now configure the OpenVPN server. First, create a configuration file named server.conf:
nano /etc/openvpn/server.conf
Paste the configurations below (you may change the values of port etc.):
local 192.168.77.20
port 443
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
#-ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.2.2.1"
keepalive 2 30
comp-lzo
persist-key
persist-tun
status 443status.log
log-append 443log.log
verb 3
Save the file and enable and start the OpenVPN service:
systemctl enable openvpn@server
systemctl start openvpn@server
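As an added check that is not part of the original tutorial, the following Python script parses a server.conf like the one above and reports settings that leave OpenVPN's defaults in place (no explicit cipher or HMAC, no tls-auth, compression enabled, daemon still running as root, short DH parameters). The reduced sample config, the hardened variant and the ta.key path are constructed for this example.

```python
import re
import shlex

# Constructed sample: the server.conf from Step 5, reduced to the lines relevant here.
SAMPLE_CONF = """\
port 443
proto tcp
dev tun
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
#-ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
comp-lzo
"""
# The same file with compression removed and explicit hardening lines added (constructed).
HARDENED_CONF = SAMPLE_CONF.replace("comp-lzo\n", "") + (
    "cipher AES-256-CBC\nauth SHA256\ntls-auth /etc/openvpn/ta.key 0\nuser nobody\ngroup nobody\n")

# Options whose absence leaves a security-relevant default in place.
REQUIRED = {
    "cipher": "data-channel cipher is left to the build's default",
    "auth": "HMAC digest is left to the default (SHA1)",
    "user": "daemon keeps root after startup",
    "group": "daemon keeps root group after startup",
}

def parse_conf(text):
    """Map option name -> list of argument lists; '#' and ';' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # honours the quotes around push arguments
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def lint(text):
    """Return (code, message) findings for one server.conf."""
    opts = parse_conf(text)
    findings = [("missing-" + o, why) for o, why in REQUIRED.items() if o not in opts]
    if not {"tls-auth", "tls-crypt"} & opts.keys():
        findings.append(("no-tls-auth", "control channel accepts unauthenticated packets"))
    if {"comp-lzo", "compress"} & opts.keys():
        findings.append(("compression", "compression of tunnelled traffic is enabled"))
    for args in opts.get("dh", []):
        m = re.search(r"dh(\d+)", args[0]) if args else None
        if m and int(m.group(1)) < 2048:
            findings.append(("weak-dh", args[0] + " is under 2048 bits"))
    return findings
```

Run `lint(open("/etc/openvpn/server.conf").read())` on the server to review the real file; an empty list means none of these checks fired.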
Step 6. Configure Iptables for OpenVPN.
We will need to add some iptables rules to give the client machine Internet access through the tunnel. Use the rule that matches your virtualization platform, then save the rules so they survive a reboot:
### KVM ###
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
### OpenVZ ###
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.77.20
iptables-save > /etc/sysconfig/iptables
Next, edit sysctl.conf to enable packet forwarding:
nano /etc/sysctl.conf
Add the line:
net.ipv4.ip_forward=1
Step 7. Create client certificate and key.
The following script will generate a client certificate and key and bundle them with a matching client configuration. Create the script file:
nano client
Add the following lines:
#!/bin/bash
# Generate a client certificate and key, then package them with a ready-to-use .ovpn file
cd /etc/openvpn/easy-rsa
echo -en "Client name: "
read client
echo -en "Server IP: "
read servip
echo -en "TCP or UDP?: "
read proto
echo -en "Server port: "
read servport
source ./vars
echo "####################################"
echo "Feel free to accept default values"
echo "####################################"
./build-key "$client"
cd /etc/openvpn/easy-rsa/keys
rm -rf "$client"
# Client configuration pointing at the server address and port entered above
cat > "$client.ovpn" <<EOF
client
dev tun
proto $proto
remote $servip $servport
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert $client.crt
key $client.key
;auth-user-pass
comp-lzo
verb 3
EOF
# Collect certificate, key, CA and config into one directory and zip it
mkdir "d${client}"
cp "${client}"* "d${client}"
cp ca.crt "d${client}"
mv "d${client}" "$client"
zip -r "$client.zip" "$client"
cp "$client.zip" /var/www/html
echo "Now grab the $client.zip file and extract it under your OpenVPN\config dir!"
Set file permissions, make the script executable and run it:
chmod 755 client
./client
The archive is placed in /var/www/html so the client can download it. Because it contains the client's private key and that directory is normally served to anyone, remove the archive from the web root once the client has fetched it.
Congratulations! You have successfully installed OpenVPN. Thanks for using this tutorial for installing the OpenVPN open source virtual private network on your CentOS 7 system. For additional help or useful information, we recommend you check the official OpenVPN web site.