
OpenVPN Setup on CentOS7

Step-1: Install EPEL Repository

# EPEL carries the openvpn and easy-rsa packages used in the following steps
sudo yum install -y epel-release

Step-2: Install OpenVPN

# Server package; the same package is installed on the client in Step-6
sudo yum install -y openvpn


Step-3: Setting up OpenVPN Server

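# Switch to root for the remaining server-side steps
sudo su -

# Start from the packaged sample server config
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

# Give the copied file the SELinux user expected for files under /etc
chcon -u system_u /etc/openvpn/server.conf

# Edit the server config file and set the following directives.
# ca/cert/key/dh are relative to /etc/openvpn and are produced in Step-5;
# "dh dh2048.pem" requires Step-5 to build a 2048-bit parameter (KEY_SIZE=2048).
nano -w /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# VPN subnet handed to clients (sample value: pick one that does not overlap any client LAN)
server 10.8.0.0 255.255.255.0
# Optional: only needed when clients must reach a LAN behind the server
# push "route LAN_network LAN_netmask"
keepalive 10 120
# Drop root privileges once the tunnel is up
user nobody
group nobody
status /var/log/openvpn-status.log
verb 3
# Authenticate users against the PAM service named "openvpn" (created below).
# Clients must then send credentials (auth-user-pass); a certificate alone is rejected.
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

# Create the PAM service "openvpn" referenced by the plugin above.
# pam_unix.so checks the password against /etc/shadow; "nodelay" skips the
# failure delay. Every local account with a valid password can log in through
# this service - restrict it in PAM if that is not intended.
nano -w /etc/pam.d/openvpn
auth    required    pam_unix.so    shadow nodelay
account required    pam_unix.so

# Fix the SELinux label on the newly created PAM file
chcon -u system_u /etc/pam.d/openvpn

# Create the status log named in server.conf
touch /var/log/openvpn-status.log

# Restore the default SELinux label on the log file
restorecon -v /var/log/openvpn-status.log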

Step-4: Setting up the firewall

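# The firewalld "openvpn" service opens 1194/udp, which matches "proto udp" and
# "port 1194" in server.conf. A separate 1194/tcp rule serves nothing and only
# widens exposure, so it is omitted. If port/proto in server.conf are changed,
# add the matching --add-port=PORT/PROTO rule instead.
firewall-cmd --permanent --zone=public --add-service=openvpn
firewall-cmd --reload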

Step-5: Generating Keys and Certificates Using easy-rsa

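# Install easy-rsa (2.x from EPEL)
yum -y install easy-rsa

# Create the working copy and the key directory
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa

# Edit "vars", which supplies the easy-rsa scripts with certificate fields.
# KEY_SIZE=2048 makes build-dh write dh2048.pem, the name server.conf expects.
nano -w /etc/openvpn/easy-rsa/vars
export KEY_SIZE=2048
export KEY_CITY="New York"
export KEY_ORG="Organization Name"
export KEY_EMAIL=""
export KEY_NAME=server
export KEY_OU=server

# Copy the OpenSSL configuration file
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

# Load vars, start from an empty keys directory, and build the CA
cd /etc/openvpn/easy-rsa
source ./vars
# clean-all wipes /etc/openvpn/easy-rsa/keys - do not rerun once keys exist
./clean-all
./build-ca

# Build the server certificate and key as server.crt/server.key, the names
# server.conf refers to (passing $(hostname) would produce HOSTNAME.crt/.key instead)
./build-key-server server

# Generate the Diffie-Hellman parameters (dh2048.pem with KEY_SIZE=2048)
./build-dh

# Copy the certs and keys into /etc/openvpn; the private key stays root-only
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
chmod 600 /etc/openvpn/server.key

restorecon -Rv /etc/openvpn/
# "systemctl enable" creates the unit symlink itself; no manual ln -s is needed
systemctl enable openvpn@server.service

# Generate the client keys. Give each client its own certificate so it can be
# revoked individually. Transfer ca.crt, client.crt and client.key to the client
# over a secure channel (e.g. scp); never send client.key by e-mail or chat.
cd /etc/openvpn/easy-rsa
./build-key client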

Step-6: OpenVPN client on CentOS 7

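# Install EPEL-Repository on Client
yum -y install epel-release

# Install openvpn
yum -y install openvpn

# Start from the packaged sample client config
cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /etc/openvpn

# Give the copied file the SELinux user expected for files under /etc
chcon -u system_u /etc/openvpn/client.conf

# Edit the config file with the following parameters.
# ca/cert/key are the files produced by "./build-key client" in Step-5, copied
# into /etc/openvpn on the client; keep client.key readable by root only.
# user/group nobody drop privileges after startup as on the server;
# persist-key/persist-tun are needed so restarts work once privileges are dropped.
# auth-user-pass is required because the server authenticates through PAM;
# without it the server rejects the connection.
nano -w /etc/openvpn/client.conf
dev tun
proto udp
remote server_IP_address 1194
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
auth-user-pass
status /var/log/openvpn-status.log
ca ca.crt
cert client.crt
key client.key
verb 3

# Create the status log named in client.conf
touch /var/log/openvpn-status.log

# Restore the default SELinux label on the log file
restorecon -v /var/log/openvpn-status.log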

Step-7: Configuring masquerading on the server side

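# Enable masquerading using firewall-cmd.
# Placing tun0 in the "trusted" zone accepts all traffic from VPN clients to the
# server itself; use a stricter zone if clients should only be forwarded and
# not reach local services.
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --permanent --zone=trusted --add-masquerade
firewall-cmd --reload

# Push routing and DNS to clients: redirect-gateway sends all client traffic
# through the VPN; dhcp-option DNS needs the address of a resolver reachable
# through the tunnel (replace the placeholder).
nano -w /etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS DNS_server_IP_address"

# Enable IP forwarding persistently and apply it now
# (masquerading alone does not make the kernel forward packets)
nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

# Apply the server.conf changes
systemctl restart openvpn@server.service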

Step-8: Enabling Auto start

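# on the server side: enable at boot and start now (earlier steps only enabled it)
systemctl enable openvpn@server.service
systemctl start openvpn@server.service
# on the client side (the instance name "client" selects /etc/openvpn/client.conf)
systemctl enable openvpn@client.service
systemctl start openvpn@client.service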

Step-9: Accessing server from outside

To access the server from outside, forward UDP port 1194 on your router to the server's IP address, and set up dynamic DNS (for example with DynDns; if you have a D-Link router you can use D-Link's DNS service) so clients can find the server's public address.
