on Install and configure OpenVPN on a CentOS 7

OpenVPN is a Virtual Private Networking (VPN) solution which allows you to create secure tunnels between machines that are not on the same local network. In this article we will take a look at how to install and configure OpenVPN on a CentOS 7 machine

Server configuration

Since OpenVPN is not available in the default CentOS 7 repositories, first we will need to add the EPEL repository. Run the following commands to add the EPEL repository and install openvpn and easy-rsa packages:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install openvpn easy-rsa

To prevent your changes from being overwritten when you update the package easy-rsa, copy the certificate generation scripts to the /etc/openvpn/easy-rsa/ directory.

rsync -av /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa/

Change to the easy-rsa directory and edit the vars file according to your requirement.

cd /etc/openvpn/easy-rsa/
vim /etc/openvpn/easy-rsa/vars  
export KEY_CITY="Veles"
export KEY_ORG="Panovski LTD"
export KEY_EMAIL="dejan@panovski.me"
export KEY_CN=panovski.me
export KEY_NAME=server
export KEY_OU=server

Next we need to generate the necessary files using the scripts in the easy-rsa directory.

Invoke the vars:

. ./vars

Clean out the keys directory (if any):


Generate the Certificate Authority (CA) certificate


Generate a server certificate and key:

./build-key-server server

Generate the Diffie-Hellman parameters .pem file:


Generate the first client key:

./build-key client1

Repeat the previous step for each new client that you want to allow access to your OpenVPN server.

Copy all of the generated server files into the /etc/openvpn directory:

cp /etc/openvpn/easy-rsa/keys/{dh2048.pem,ca.crt,server.crt,server.key} /etc/openvpn/

OpenVPN comes with an example server configuration file, which we will use as a base for our server configuration. First, copy the example file:

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/

Now we need to edit the server.conf file. Since we are using 2048 bit keys we'll change dh dh1024.pem to dh dh2048.pem:

sed -i 's/dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf

To enable client traffic through the server, uncomment the redirect-gateway option:

sed -i '/redirect-gateway/s/^;//' /etc/openvpn/server.conf

Push DNS servers to the clients (OpenDNS by default):

sed -i '/dhcp-option/s/^;//g' /etc/openvpn/server.conf

Uncoment user nobody and group nobody to run the OpenVPN service with reduced privileges:

sed -i '/nobody/s/^;//g' /etc/openvpn/server.conf

Now we can start the OpenVPN service using the following command:

systemctl start openvpn@server.service

To enable the OpenVPN service to start on boot, run:

systemctl enable openvpn@server.service

Routing the client traffic ( access to Internet) through the VPN .

For the server to be able to forward IPv4 packets between the interfaces we need to enable IPv4 forwarding. To see if IPv4 forwarding is already enabled run:

cat /proc/sys/net/ipv4/ip_forward

If the output is 1, it means its enabled, if not run:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

We will also need to add the following iptables rules

firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --permanent --zone=trusted --add-masquerade
DEV=$(ip route get | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s -o $DEV -j MASQUERADE
firewall-cmd --reload

Client configuration

No matter what operating system you're using, you need to transfer the key and certificate, generated with the ./build-key script, client1.key and client1.crt and the Certificate Authority (CA) certificate ca.crt to the client machine. You can use SFTP, FTP or Rsync over SSH for the transfer. We also need to create a client1.ovpn file containing the content as shown below:

remote **YOUR_SERVER_IP_ADDRESS** 1194
dev tun
proto udp
resolv-retry infinite
verb 3
key client1.key
ca ca.crt
cert client1.crt
  • Install the latest version of OpenVPN
sudo yum install openvpn # CentOS && Fedora
sudo apt-get install openvpn # Debian && Ubuntu && Mint 
sudo pacman -S openvpn # ArchLinux
  • Create a new directory mkdir ~/.openvpn and copy the files named client1.ovpn, client1.key, client1.crt and ca.crt into that directory.
  • Start the OpenVPN service using the foollowing command:
sudo openvpn --config ~/.openvpn/client1.ovpn

Note that depending on your distribution, you can also use GUI tools to configure your OpenVPN client

  • Download and install the latest version of OpenVPN Windows client.
  • Copy the files named client1.ovpn, client1.key, client1.crt and ca.crt into the C:\Program Files\OpenVPN\config directory.
  • Download and install the latest version of Tunnelblick .
  • Copy the files named client1.ovpn, client1.key, client1.crt and ca.crt into your Downloads directory.
  • Launch the application and click on "I have configuration files" button. On the new window select "OpenVPN Configuration(s)" and follow the instructions on the screen.