How to Install and Configure OpenVPN Server in CentOS 8/7?

OpenVPN is a popular open-source VPN application that builds encrypted tunnels over TLS. With OpenVPN, you can create a virtual private network reachable from anywhere, giving remote users an authenticated, encrypted path into your network. This tutorial covers installing and configuring an OpenVPN server on CentOS 8/7 systems.

Prerequisites

Before proceeding with the installation, ensure you have the following prerequisites

  • A CentOS 8/7 server with root access

  • A static public IP address

  • An SSH client installed on your local machine

  • Basic knowledge of Linux command line

Step 1 Install OpenVPN Server

First, install OpenVPN server on your CentOS system. Log in as root user and run the appropriate command for your version.

For CentOS 8

dnf install -y epel-release
dnf install -y openvpn easy-rsa

For CentOS 7

yum install -y epel-release
yum install -y openvpn easy-rsa

On CentOS 8 as well as CentOS 7 both packages come from the EPEL repository, so epel-release has to be installed first. This installs the OpenVPN daemon and EasyRSA for certificate management along with all necessary dependencies.

Step 2 Configure Certificate Authority

OpenVPN uses SSL/TLS certificates for authentication. We'll set up a Certificate Authority (CA) to generate and manage these certificates.

Initialize EasyRSA

mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa

Create PKI and CA

./easyrsa init-pki
./easyrsa build-ca

When prompted, set a passphrase for the CA private key and enter a common name for your CA (e.g., "OpenVPN-CA"). The CA key (pki/private/ca.key) signs every server and client certificate; anyone who obtains it can mint credentials that your server will trust, so keep it passphrase-protected and, where practical, off the VPN server (run the EasyRSA steps on a separate machine and copy only ca.crt, server.crt and server.key across). Appending nopass to build-ca, as many tutorials do, is acceptable only for throwaway lab setups.

Generate Server Certificate and Key

./easyrsa build-server-full server nopass
./easyrsa gen-dh

This creates the server certificate (issued with the serverAuth extended key usage, which the client profile generated later will require), the server private key, and Diffie-Hellman parameters; gen-dh can take several minutes. You will be asked for the CA passphrase when the server certificate is signed. The server key itself is generated with nopass because the daemon must read it unattended at boot; it stays on the server only and EasyRSA writes it with mode 600.

Step 3 Configure OpenVPN Server

Create the main OpenVPN server configuration file. The openvpn-server@.service unit shipped with the EPEL package (OpenVPN 2.4 and later, on both CentOS 8 and CentOS 7) reads its configuration from /etc/openvpn/server/<name>.conf, so create the file there; the legacy openvpn@<name> unit on CentOS 7 reads /etc/openvpn/<name>.conf instead.

mkdir -p /etc/openvpn/server
nano /etc/openvpn/server/server.conf

Add the following configuration

# OpenVPN Server Configuration
port 1194
proto udp
dev tun

# SSL/TLS root certificate (ca), certificate (cert), and private key (key)
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem

# Network configuration
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Push routes to client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Security settings
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
# Accept only certificates issued with the clientAuth extended key usage
# (EasyRSA's build-client-full sets it; the server certificate carries serverAuth instead)
remote-cert-tls client
# Drop root once the tunnel is up; persist-key/persist-tun below keep restarts working afterwards
user nobody
group nobody

# Connection settings
keepalive 10 120
persist-key
persist-tun

# Logging
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

Compression (comp-lzo) is deliberately not enabled. Compressing data before encryption lets an attacker who can inject chosen plaintext into the tunnel recover secrets from it (the VORACLE class of attacks), OpenVPN 2.5 and later warns that it is insecure, and a comp-lzo mismatch between server and client breaks the data channel, so it must not appear on one side only. The user/group lines make the daemon give up root after start-up, and remote-cert-tls client stops a certificate issued for the server role from being presented as a client.

Configuration Parameters Explained

Parameter                      Description
port 1194                      Default OpenVPN port (UDP 1194 is what firewalld's openvpn service opens)
proto udp                      Use UDP for better performance; switch to proto tcp only where UDP is blocked
dev tun                        Create a routed (layer 3) IP tunnel
server 10.8.0.0 255.255.255.0  VPN subnet for client IP assignment; the server itself takes 10.8.0.1
cipher AES-256-GCM             AEAD cipher for the data channel, encrypting and authenticating each packet
auth SHA256                    HMAC digest; with an AEAD cipher such as AES-256-GCM the data channel uses the cipher's own authentication instead
tls-version-min 1.2            Reject TLS 1.0 and 1.1 handshakes
keepalive 10 120               Ping the peer every 10 s and restart the tunnel after 120 s of silence; the values are pushed to clients, and the server side waits twice as long before restarting
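The points above are worth checking mechanically before a config goes live. The script below is an added example written for this edit, not code from the tutorial or from the OpenVPN project: it lints a server.conf for the directives this step discusses (compression, privilege drop, TLS floor, peer-role enforcement, control-channel protection and legacy 64-bit ciphers) and returns the number of findings. Both sample configs inside it are constructed; the tls-crypt key path in the hardened sample is an assumption, and such a key would be generated with openvpn --genkey --secret.

```bash
#!/bin/bash
# Added example (not from the original tutorial): a lint pass over an OpenVPN server.conf that
# flags the settings a security reviewer would push back on. Findings go to stdout, one per
# line, and the function's exit status is the number of findings (0 = nothing flagged).
# WEAK_CONF mirrors the tutorial's file as many copies of it circulate (comp-lzo, no privilege
# drop); HARDENED_CONF shows the corrected settings. Both are constructed samples, and the
# tls-crypt key path is an assumption (generate one with: openvpn --genkey --secret ta.key).

# has_directive FILE NAME: true if NAME appears as an uncommented directive in FILE
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

audit_openvpn_conf() {
    local conf=$1 findings=0
    if has_directive "$conf" comp-lzo || has_directive "$conf" compress; then
        echo "WEAK: compression enabled - chosen-plaintext compression attacks (VORACLE) can leak tunnelled secrets"
        findings=$((findings + 1))
    fi
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "WEAK: no user/group directive - daemon keeps root after the tunnel is up"
        findings=$((findings + 1))
    fi
    if ! has_directive "$conf" tls-version-min; then
        echo "WEAK: no tls-version-min - TLS 1.0 handshakes are accepted"
        findings=$((findings + 1))
    fi
    if ! has_directive "$conf" remote-cert-tls; then
        echo "WEAK: no remote-cert-tls - peer role (serverAuth vs clientAuth EKU) is not enforced"
        findings=$((findings + 1))
    fi
    if ! has_directive "$conf" tls-crypt && ! has_directive "$conf" tls-auth; then
        echo "NOTE: no tls-crypt/tls-auth - control channel accepts packets from anyone before TLS runs"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+(BF-CBC|DES|RC2|CAST5|IDEA)' "$conf"; then
        echo "WEAK: 64-bit block cipher on the data channel (SWEET32 birthday attacks)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the common tutorial config with compression and no privilege drop
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
keepalive 10 120
comp-lzo
persist-key
persist-tun
EOF

# Constructed sample: the same config with the corrected settings
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-crypt /etc/openvpn/server/ta.key
remote-cert-tls client
user nobody
group nobody
keepalive 10 120
persist-key
persist-tun
EOF

# Demo: four findings for the weak file, none for the hardened one
audit_openvpn_conf "$WEAK_CONF" || echo "weak config: $? finding(s)"
audit_openvpn_conf "$HARDENED_CONF" && echo "hardened config: no findings"
```

Run it against your own file with audit_openvpn_conf /etc/openvpn/server/server.conf; the tls-crypt line is reported as a note rather than a failure because the tutorial's configuration does not use a pre-shared control-channel key, but adding one is the cheapest way to keep port scanners and unauthenticated peers from ever reaching the TLS stack.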

Step 4 Enable IP Forwarding and Firewall

Configure the system to forward traffic between the VPN and internet.

Enable IP Forwarding

Enable forwarding persistently in a sysctl drop-in file (appending to /etc/sysctl.conf on every run leaves duplicate lines) and load it

echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-openvpn-forward.conf
sysctl --system
sysctl net.ipv4.ip_forward

The last command should print net.ipv4.ip_forward = 1.

Configure Firewall

The NAT rule must name the interface that carries the server's default route. It is eth0 on some images and ens192, enp0s3 or similar on others, so look it up instead of hard-coding it

WAN_IF=$(ip -o -4 route show default | awk '{print $5; exit}')
echo "Using $WAN_IF for NAT"
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$WAN_IF" -j MASQUERADE
firewall-cmd --reload

--add-service=openvpn opens UDP 1194 in the default zone, --add-masquerade lets forwarded traffic from the VPN leave through that zone, and the direct rule NATs only the VPN subnet to the WAN interface. Verify with firewall-cmd --list-all and firewall-cmd --direct --get-all-passthroughs.

Step 5 Start OpenVPN Service

Create the log directory referenced by the configuration, then enable and start the unit that matches where you placed server.conf: openvpn-server@server for /etc/openvpn/server/server.conf (the unit shipped with OpenVPN 2.4 and later on CentOS 8 and 7), or the legacy openvpn@server for /etc/openvpn/server.conf on CentOS 7.

mkdir -p /var/log/openvpn
systemctl enable --now openvpn-server@server

Verify the service is running and listening

systemctl status openvpn-server@server
ss -lunp | grep 1194
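Before handing out any profiles, confirm the whole data path that Steps 4 and 5 set up. The script below is an added example written for this edit, not part of the tutorial: it checks forwarding, the default-route interface, the UDP listener and the NAT rule. The parsing functions read command output from stdin, so they are exercised here against constructed sample output, while run_checks() feeds them the live commands on the server. The subnet and port default to the tutorial's values.

```bash
#!/bin/bash
# Added example (not part of the original tutorial): post-install checks for Steps 4 and 5.
# Each parser reads the relevant command output from stdin so it can be run against captured
# output as well as live data; run_checks() wires in the live commands. The sample outputs in
# the demo at the bottom are constructed, not captured from a real host.

VPN_SUBNET=${VPN_SUBNET:-10.8.0.0/24}
VPN_PORT=${VPN_PORT:-1194}

# True if net.ipv4.ip_forward is 1 in the given file (default: the live kernel value)
ip_forward_enabled() {
    local f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the interface that follows "dev" in 'ip -o -4 route show default' output
default_iface() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# True if 'ss -lunp' output contains a UDP listener on the given port (on any address)
udp_listener_present() {
    awk -v p="$1" '$1 == "UNCONN" && $4 ~ (":" p "$") { found = 1 } END { exit (found ? 0 : 1) }'
}

# True if 'firewall-cmd --direct --get-all-passthroughs' output has a MASQUERADE rule for the subnet
nat_rule_present() {
    grep -Eq -- "-s $1 .*-j MASQUERADE"
}

# Live run on the server; prints one line per check
run_checks() {
    ip_forward_enabled && echo "ok   ip_forward=1" || echo "FAIL ip_forward=0 (Step 4)"
    local wan
    wan=$(ip -o -4 route show default | default_iface)
    [ -n "$wan" ] && echo "ok   default route via $wan" || echo "FAIL no default route"
    ss -lunp | udp_listener_present "$VPN_PORT" && echo "ok   udp/$VPN_PORT listening" \
        || echo "FAIL nothing listening on udp/$VPN_PORT (Step 5)"
    firewall-cmd --direct --get-all-passthroughs | nat_rule_present "$VPN_SUBNET" \
        && echo "ok   MASQUERADE rule for $VPN_SUBNET" \
        || echo "FAIL no MASQUERADE rule for $VPN_SUBNET (Step 4)"
}

# Demo against constructed output (run_checks itself needs a real CentOS host with firewalld)
printf 'default via 10.0.0.1 dev ens192 proto dhcp metric 100\n' | default_iface
printf 'UNCONN 0 0 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=1203,fd=6))\n' \
    | udp_listener_present 1194 && echo "sample: udp/1194 listener found"
```

On the server, source the file and call run_checks; a FAIL line names the step to revisit. The listener check only proves the daemon bound the port, so follow it with the troubleshooting section's log check if clients still cannot complete the TLS handshake.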

Step 6 Generate Client Certificates

Create a script to easily generate client certificates and configuration files.

nano /etc/openvpn/easy-rsa/gen-client.sh

Add the following script content

#!/bin/bash
# gen-client.sh: issue a client certificate and write a self-contained .ovpn profile
set -euo pipefail

if [ $# -ne 1 ]; then
    echo "Usage: $0 <client_name>" >&2
    exit 1
fi

CLIENT_NAME=$1
# The name becomes a file name and an X.509 CN: allow only letters, digits, dot, dash, underscore
if ! [[ $CLIENT_NAME =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "Invalid client name: $CLIENT_NAME" >&2
    exit 1
fi

# Address clients connect to. Set SERVER_ADDR explicitly (IP or DNS name); the ipinfo.io lookup
# is only a fallback and trusts a third-party service to report your own public address.
SERVER_ADDR=${SERVER_ADDR:-$(curl -fsS https://ipinfo.io/ip)}
[ -n "$SERVER_ADDR" ] || { echo "Could not determine server address" >&2; exit 1; }

EASYRSA_DIR=/etc/openvpn/easy-rsa
OUT_DIR=/etc/openvpn/client-configs
cd "$EASYRSA_DIR"

# Generate client certificate (nopass: the key is embedded in the profile, so protect the file instead)
./easyrsa build-client-full "$CLIENT_NAME" nopass

# Create client config directory, readable by root only
umask 077
mkdir -p "$OUT_DIR"

# Generate client configuration with CA, certificate and key embedded
cat > "$OUT_DIR/$CLIENT_NAME.ovpn" << EOF
client
dev tun
proto udp
remote $SERVER_ADDR 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate carries the serverAuth EKU, so another client of this CA
# cannot impersonate the server
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3

<ca>
$(cat "$EASYRSA_DIR/pki/ca.crt")
</ca>

<cert>
$(openssl x509 -in "$EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt")
</cert>

<key>
$(cat "$EASYRSA_DIR/pki/private/$CLIENT_NAME.key")
</key>
EOF

chmod 600 "$OUT_DIR/$CLIENT_NAME.ovpn"
echo "Client configuration created: $OUT_DIR/$CLIENT_NAME.ovpn"

Make the script executable

chmod +x /etc/openvpn/easy-rsa/gen-client.sh

Generate Client Certificate

/etc/openvpn/easy-rsa/gen-client.sh client1
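What gen-client.sh does not cover is taking a client back out. When a laptop is lost or an employee leaves, the certificate must be revoked and the server must consult a CRL, otherwise the embedded key in that .ovpn keeps working until it expires. The script below is an added example written for this edit, not part of the tutorial: it validates client names the same way, lists the PKI state from EasyRSA's index.txt, and revokes a client and installs the CRL. It assumes the tutorial's EasyRSA directory and a crl-verify line in server.conf pointing at /etc/openvpn/server/crl.pem (both overridable through EASYRSA_DIR and CRL_DEST); the index.txt sample at the end is constructed.

```bash
#!/bin/bash
# Added example (not from the original tutorial): the revocation side of the client workflow.
# Assumptions: the tutorial's EasyRSA directory, and server.conf containing
#   crl-verify /etc/openvpn/server/crl.pem
# Override both paths via EASYRSA_DIR and CRL_DEST. The index.txt sample below is constructed.

EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa}
CRL_DEST=${CRL_DEST:-/etc/openvpn/server/crl.pem}

# Client names become file names and certificate CNs: letters, digits, dot, dash, underscore only
valid_client_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Print "<cn> valid|revoked|expired" for every certificate in an EasyRSA/OpenSSL index.txt.
# Tab-separated columns: status (V/R/E), expiry, revocation date, serial, filename, subject DN.
pki_status() {
    awk -F '\t' '{
        cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
        s = ($1 == "V") ? "valid" : (($1 == "R") ? "revoked" : (($1 == "E") ? "expired" : $1))
        print cn, s
    }' "$1"
}

# Revoke a client certificate, regenerate the CRL and install it where crl-verify points.
# OpenVPN reloads the CRL file for each new handshake, so no service restart is needed.
revoke_client() {
    local name=$1
    valid_client_name "$name" || { echo "invalid client name: $name" >&2; return 1; }
    cd "$EASYRSA_DIR" || return 1
    ./easyrsa --batch revoke "$name" || return 1
    ./easyrsa gen-crl || return 1
    # 0644: the daemon runs as nobody after start-up and must still be able to read the CRL
    install -m 0644 pki/crl.pem "$CRL_DEST"
    # The profile on disk still holds a working key pair; remove it so it is not reissued by mistake
    rm -f "/etc/openvpn/client-configs/$name.ovpn"
    echo "revoked $name; server.conf must contain: crl-verify $CRL_DEST"
}

# Demo on a constructed index.txt: two live certificates and one revoked client
SAMPLE_INDEX=$(mktemp)
printf 'V\t330101120000Z\t\t01\tunknown\t/CN=server\n' > "$SAMPLE_INDEX"
printf 'V\t330101120000Z\t\t02\tunknown\t/CN=client1\n' >> "$SAMPLE_INDEX"
printf 'R\t330101120000Z\t240601090000Z\t03\tunknown\t/CN=client2\n' >> "$SAMPLE_INDEX"
pki_status "$SAMPLE_INDEX"
```

Add the crl-verify line to server.conf only after the first gen-crl has produced the file, because OpenVPN refuses to start when the referenced CRL is missing. pki_status on the real /etc/openvpn/easy-rsa/pki/index.txt is a quick inventory of who can still connect.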

Step 7 Client Connection

Copy the generated profile from /etc/openvpn/client-configs/client1.ovpn to the client device over an authenticated channel such as scp. The file embeds the client's private key, so treat it like a password: do not send it by plain e-mail or chat, and remove the server-side copy once it has been delivered if you do not need it for reissue. Import the file into your OpenVPN client application:

  • Windows/macOS: OpenVPN Connect (Tunnelblick is a common alternative on macOS)

  • Linux: NetworkManager (import the .ovpn file) or openvpn --config client1.ovpn on the command line

  • Android/iOS: OpenVPN Connect mobile app

Troubleshooting

If you encounter connection issues, check the following

  • Verify the OpenVPN unit you started in Step 5 is active: systemctl status and journalctl -u on that unit show start-up errors such as a wrong certificate path

  • Check logs: tail -f /var/log/openvpn/openvpn.log (TLS handshake errors usually point at a certificate, CA or clock-skew problem on one side)

  • Confirm the daemon is listening: ss -lunp | grep 1194

  • Ensure firewall rules are applied correctly: firewall-cmd --list-all and firewall-cmd --direct --get-all-passthroughs

  • Verify IP forwarding is enabled: cat /proc/sys/net/ipv4/ip_forward (must print 1)

  • Rule out SELinux denials: ausearch -m AVC -ts recent (the stock openvpn policy covers UDP 1194, /etc/openvpn and /var/log/openvpn, so denials usually mean files were placed elsewhere)

Conclusion

You have successfully installed and configured an OpenVPN server on CentOS 8/7. The setup includes certificate-based authentication, strong encryption, and proper routing configuration. Clients can now securely connect to your VPN server using the generated configuration files for encrypted internet access.

Updated on: 2026-03-17T09:01:38+05:30
