Installing and Configuring OpenVPN on CentOS
OpenVPN is an open software implementation of the VPN protocol. A distinctive feature of this product is the ability to create encrypted tunnels, while there are implementations for most popular OS, including for mobile platforms.
The CentOS repository feature is that OpenVPN is not included in it. But this package can be obtained using the EPEL repository (Enterprise Linux), which is managed by Fedora Project. From this repository, by the way, you can get other packages that are not included in the standard CentOS repository. Install with the command:
yum install epel-release
Proceed to install OpenVPN. Install the package:
yum install openvpn easy-rsa -y
Proceed to configure the server. Copy server.conf:
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
It is important to pay attention to the “*”. If only one attempt was made to install, then the program version can be replaced with an asterisk symbol. If there were several installation attempts, you may have to specify the path to the file completely.
Before generating the keys, make a few changes to the server configuration file
Open server.conf with any editor.
Find the line “Diffie hellman parameters.” and look for:
If it is indicated exactly, then no changes need to be made. The nuance of the new version of the package is that the parameter already has values. In older versions there is simply “dh”. We make it look like our own.
Next, look for the line “# Certain Windows-specific network settings”. uncomment one of the parameters below (delete the symbol “semicolon” (;) at the beginning of the line). It should look something like this:
push "dhcp-option DNS 126.96.36.199"
You can specify your DNS server if desired. Also, you can uncomment the second line to pass an alternative DNS server to clients as well.
For server security, we will start with the user nobody and the nogroup group. Uncomment the lines:
We begin to create certificates
Using the previously installed easy-rsa package, create the server and client keys.
Create a directory in which the keys will lie:
mkdir -p /etc/openvpn/easy-rsa/keys
In the newly created easy-rsa directory, copy the scripts:
cp -r /usr/share/easy-rsa/3.0/* /etc/openvpn/easy-rsa
Go to the /etc /openvpn/easy-rsa/3/ directory and create a vars script
Important! The easy-rsa version may be different, and therefore the path will need to be adjusted.
Add the following lines to the open file:
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "RU"
set_var EASYRSA_REQ_PROVINCE "Moscow"
set_var EASYRSA_REQ_CITY "Moscow"
set_var EASYRSA_REQ_ORG "MyOrg"
set_var EASYRSA_REQ_EMAIL "firstname.lastname@example.org"
set_var EASYRSA_REQ_OU "CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
Allow file execution:
chmod +x vars
We initialize the PKI directory and create a CA certificate:
Important! When creating a CA certificate, the script will ask for a password of at least 4 characters. The entered password should be remembered.
Create the server key.
./easyrsa gen-req server nopass
If you do not specify the “nopass” attribute, then when creating the key, the script will ask for a password.
We sign the server certificate:
./easyrsa sign-req server server
The script will take an interest in our confidence with the first action, answer “Yes”. Then it will ask for the password that was specified when creating the CA certificate.
Check if the certificate is signed:
openssl verify -CAfile pki/ca.crt pki/issued/ server.crt
We generate an additional server key ta.key:
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
The process of creating a user certificate is identical to creating a server certificate.
1. We create without password protection:
./easyrsa gen-req client01 nopass
2. Signing the certificate:
./easyrsa sign-req client client01
3. Verify the signature:
openssl verify -CAfile pki/ca.crt pki/issued/client01.crt
Creating a certificate
As a result, the dh.pem file will be created, and in the dh2048.pem config. Rename it later when copying keys.
We transfer certificates
Copy the server key files. To do this, we sequentially perform:
cp pki/ca.crt /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/
Copy client keys
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client01.crt /etc/openvpn/client/
cp pki/private/client01.key /etc/openvpn/client/
Copy the Diffie-Hellman key file
cp pki/dh.pem /etc/openvpn/dh2048.pem
Important! The target file name is intentionally changed to the name in the config.
To speed up configuration, work will be performed with iptables, not with FirewallD. Consistently perform:
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
Before further configuration, you should look at the names of the interfaces using the command:
Add a rule for NAT:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o <имя_интерфейса> -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
As an example:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Allow packet forwarding between network interfaces. To do this, edit the sysctl.conf system file:
At the beginning of the file, insert the line:
net.ipv4.ip_forward = 1
We save the file, close the editor and restart the network service with the command:
systemctl restart network.service
We start the OpenVPN server
To start, add the service to the auto-upload:
systemctl -f enable email@example.com
The server is configured, it remains to configure the client so that it can connect.
Regardless of the OS used, whether it’s a mobile, server or home version, Linux or Windows, you will always need 4 files:
The first 3 files are located in the /etc/openvpn /client/directory, and client.ovpn will have to be created. To do this, go to the directory where all the client keys are:
Create a file:
Fill in the following contents:
remote <IP_ADDRESS> 1194
Instead of IP_ADDRESS, insert the IP address of the server, or its domain name. Save the file with Ctrl + X and close the editor.
We transfer files to the client. It is possible to do this, for example, through SFTP or archive the directory and «give» it through the webserver.
Depending on the operating system, we download the installation file or install from the repository. Also, OpenVPN can be obtained from the official website.
For computers running Windows, you should download the product distribution package from the official site, get the “four files”, put it in the folder, C: Program FilesOpenVPNconfig.
After starting the OpenVPN GUI, the program icon will appear in the system tray. We click on it with the right mouse button, select Connect.
OpenVPN for MacOS is a bit more complicated. You should use the open-source tool Tunnelblick. The keys and configuration file should be put in ~ /Library/Application Support/Tunnelblick/Configurations. Or double-click on the configuration file.
You should install from the repository.
apt-get install openvpn
yum install openvpn -y
After installation, go to the folder in which the configuration file with the keys is located and run the command:
sudo openvpn --config client.ovpn
To check the operation of the server, you should use any of the sites showing your IP address.