How to Install and Configure OpenVPN Server in CentOS 8/7?


OpenVPN is a popular open-source VPN protocol that allows secure and private communication over the internet. With OpenVPN, you can create a virtual private network that can be accessed from anywhere, providing a secure and encrypted connection for remote users.

In this article, we will discuss how to install and configure OpenVPN on CentOS 8/7, which is a popular Linux distribution.

Prerequisites

Before we proceed with the installation, make sure you have the following prerequisites −

  • A CentOS 8/7 server with root access.

  • A static public IP address.

  • An SSH client installed on your local machine.

Step 1: Install OpenVPN Server

The first step is to install the OpenVPN server on your CentOS 8/7 server. To do this, log in to your server as the root user and run the following command −

CentOS 8

dnf install -y epel-release
dnf install -y openvpn

CentOS 7

yum install -y epel-release
yum install -y openvpn

This will install the OpenVPN server and all necessary dependencies (the openvpn package lives in the EPEL repository on both releases).

Step 2: Configure OpenVPN Server

Once you have installed OpenVPN, the next step is to configure it. The configuration files for OpenVPN are located in the /etc/openvpn directory.

Step 2.1: Generate Server Certificates and Keys

Before we start the configuration, we need to generate the server certificates and keys. To do this, we will use the EasyRSA tool.

First, install EasyRSA (available from the EPEL repository) on your CentOS 8/7 server by running the following command −

CentOS 8

dnf install -y easy-rsa

CentOS 7

yum install -y easy-rsa

Next, we need to create a directory to store our EasyRSA files. To do this, run the following command −

mkdir /etc/openvpn/easy-rsa

Now, we need to copy the EasyRSA 3 files from the package (installed under /usr/share/easy-rsa/3) to our newly created directory. To do this, run the following command −

cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/

Next, we need to edit the vars file to set default values for our certificates. To do this, run the following command −

nano /etc/openvpn/easy-rsa/vars

In this file, you will find variables that you can modify to suit your needs, for example the default country, organization, and email address.

Once you have edited the vars file, save and exit.

Now, we need to initialize the PKI (Public Key Infrastructure) for EasyRSA. To do this, run the following commands −

cd /etc/openvpn/easy-rsa/
./easyrsa init-pki

Next, we need to generate the CA (Certificate Authority) certificate and key. To do this, run the following command −

./easyrsa build-ca nopass

This will generate the CA certificate and key without a password.

Next, we need to generate the server certificate and key, together with the Diffie-Hellman parameters that the server configuration references as dh.pem. To do this, run the following commands −

./easyrsa build-server-full server nopass
./easyrsa gen-dh

This will generate the server certificate and key without a password, and write the DH parameters to pki/dh.pem.

Step 2.2: Configure OpenVPN Server

Now that we have generated the necessary certificates and keys, the next step is to configure the OpenVPN server.

To do this, we need to create a configuration file for the OpenVPN server. To keep things simple, we will create a file called server.conf in the /etc/openvpn directory. To do this, run the following command −

nano /etc/openvpn/server.conf

In this file, paste the following configuration −

# OpenVPN server configuration file

# Set port number
port 1194

# Set protocol
proto udp

# Set server mode and network
dev tun
server 10.8.0.0 255.255.255.0

# Set server certificates and keys
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem

# Set DNS server(s)
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Set cipher and HMAC digest
cipher AES-256-CBC
auth SHA256

# Set keepalive time
keepalive 10 120

# Set logging level
verb 3

Let's go through each of these options −

  • port − This option sets the port number that OpenVPN listens on. The default is 1194.

  • proto − This option sets the protocol used by OpenVPN. We will use UDP, which is faster and more efficient than TCP.

  • dev − This option sets the network device used by OpenVPN. We will use tun.

  • server − This option sets the network that will be used by OpenVPN clients. We will use 10.8.0.0/24.

  • ca, cert, key, dh − These options point to the server certificates, key and DH parameters that we generated earlier.

  • push "dhcp-option DNS" − This option sets the DNS server(s) that OpenVPN clients will use.

  • cipher, auth − These options set the cipher and the HMAC digest that OpenVPN uses for encryption and packet authentication.

  • keepalive − This option sets the keepalive ping interval and timeout for the OpenVPN connection.

  • verb − This option sets the logging verbosity for OpenVPN.

Save and exit file.
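Before starting the service, it is worth checking that server.conf actually points at files that exist, that the private key is not readable by other users, and that nothing weak or deprecated is configured. The script below is an added example, not part of the original article or of OpenVPN itself: it assumes the directive names used above (ca, cert, key, dh, cipher, auth) and builds its own throwaway sample config with placeholder PKI files, so it runs without a real PKI.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server.conf (added example, not from the article).
# It performs the checks an administrator would otherwise do by hand before
# 'systemctl start openvpn@server':
#   1. every file named by ca/cert/key/dh exists (dh.pem is the one most often
#      missing, because it needs a separate './easyrsa gen-dh' run);
#   2. the server private key is readable by its owner only;
#   3. compression (comp-lzo/compress) is not enabled; it is deprecated and
#      leaks information about the plaintext;
#   4. a cipher and an auth digest are configured and neither is 'none'.

# conf_value CONF DIRECTIVE: print the first argument of DIRECTIVE, or nothing.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_server_conf CONF: return 0 when all checks pass, 1 otherwise.
check_server_conf() {
    conf=$1
    status=0
    [ -f "$conf" ] || { echo "ERROR: $conf not found"; return 1; }

    for directive in ca cert key dh; do
        path=$(conf_value "$conf" "$directive")
        if [ -z "$path" ]; then
            echo "ERROR: '$directive' directive missing"; status=1
        elif [ "$directive" = dh ] && [ "$path" = none ]; then
            :    # 'dh none' is valid when only ECDH key exchange is used
        elif [ ! -f "$path" ]; then
            echo "ERROR: $directive file $path does not exist"; status=1
        fi
    done

    keyfile=$(conf_value "$conf" key)
    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        # characters 5-10 of 'ls -l' output are the group and other permission bits
        mode=$(ls -ld "$keyfile" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "ERROR: $keyfile is readable by group/others; run: chmod 600 $keyfile"; status=1
        fi
    fi

    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$conf"; then
        echo "ERROR: compression is enabled; remove comp-lzo/compress"; status=1
    fi

    cipher=$(conf_value "$conf" cipher)
    auth=$(conf_value "$conf" auth)
    if [ -z "$cipher" ] || [ "$cipher" = none ]; then
        echo "ERROR: no data-channel cipher configured"; status=1
    fi
    if [ -z "$auth" ] || [ "$auth" = none ]; then
        echo "ERROR: no HMAC digest (auth) configured"; status=1
    fi
    return $status
}

# write_sample_conf DIR: write a constructed server.conf plus placeholder PKI
# files under DIR (stand-ins for real certificates, only to exercise the check).
# Prints the path of the config it wrote.
write_sample_conf() {
    dir=$1
    for f in ca.crt server.crt server.key dh.pem; do
        echo "constructed placeholder, not a real PEM object" > "$dir/$f"
    done
    chmod 600 "$dir/server.key"
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh.pem
cipher AES-256-CBC
auth SHA256
keepalive 10 120
verb 3
EOF
    echo "$dir/server.conf"
}
```

Source the file and run check_server_conf /etc/openvpn/server.conf as root; a non-zero exit status together with the printed reasons means the service will either fail to start (missing file) or run with a setting you do not want (readable key, compression, unauthenticated data channel).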

Next, we need to create a directory to store the client certificates and keys. To do this, run the following command −

mkdir /etc/openvpn/client

Now, we need to create a script that will generate client certificates and keys. To do this, run the following command −

nano /etc/openvpn/easy-rsa/gen-client.sh

In this file, paste the following script −

#!/bin/bash
# Generate a client certificate and key, then write a self-contained .ovpn profile.
# Usage: gen-client.sh <client_name>

set -e      # stop if easyrsa or the address lookup fails, so no profile with empty blocks is written
umask 077   # files created below are owner-readable only from the moment they are created

if [ $# -ne 1 ]; then
   echo "Usage: $0 <client_name>"
   exit 1
fi

CLIENT_NAME=$1
PKI=/etc/openvpn/easy-rsa/pki
OUT=/etc/openvpn/client/$CLIENT_NAME.ovpn

# Generate a client certificate and key
cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full "$CLIENT_NAME" nopass

# Public IP address of this server, written into the profile's 'remote' line
SERVER_IP=$(curl -sf https://ipinfo.io/ip)

# Generate the client configuration file with the CA, certificate and key inlined.
# Compression (comp-lzo) is deliberately not set: server.conf does not enable it,
# and a compression mismatch between client and server breaks the tunnel.
cat > "$OUT" << EOF
client
dev tun
proto udp
remote $SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
<ca>
$(cat "$PKI/ca.crt")
</ca>
<cert>
$(cat "$PKI/issued/$CLIENT_NAME.crt")
</cert>
<key>
$(cat "$PKI/private/$CLIENT_NAME.key")
</key>
EOF

# Set permissions on the client configuration file
chmod 600 "$OUT"

This script generates a client certificate and key using the EasyRSA tool, and then creates a client configuration file (.ovpn) that contains everything the client needs to connect to the OpenVPN server. Because the script runs with set -e, a failed easyrsa call or address lookup stops it before an incomplete profile is written.

The configuration file contains the following options −

  • client − This option puts OpenVPN in client mode.

  • dev − This option sets the network device used by OpenVPN. We will use tun.

  • proto − This option sets the protocol used by OpenVPN. We will use UDP.

  • remote − This option sets the IP address or domain name of the OpenVPN server and the port number.

  • resolv-retry − This option sets how long OpenVPN keeps retrying to resolve the server address; infinite means it never gives up.

  • nobind − This option prevents OpenVPN from binding to a specific local IP address and port number.

  • persist-key, persist-tun − These options keep the key material and the tunnel device across reconnections.

  • verb − This option sets the logging verbosity for OpenVPN.

  • ca, cert, key − These inline blocks carry the CA certificate and the client certificate and key that we generated earlier.

Save and exit file.

Next, we need to make the gen-client.sh script executable. To do this, run the following command −

chmod +x /etc/openvpn/easy-rsa/gen-client.sh

Step 3: Start and Enable OpenVPN Server

Now that we have configured the OpenVPN server, the next step is to start and enable it. To do this, run the following commands −

  • Start the OpenVPN service

systemctl start openvpn@server

  • Enable the OpenVPN service to start at boot

systemctl enable openvpn@server

This will start the OpenVPN service and enable it to start automatically at boot.

Step 4: Generate Client Certificates and Keys

To generate client certificates and keys, run the gen-client.sh script that we created earlier. To do this, run the following command −

/etc/openvpn/easy-rsa/gen-client.sh client1

This will generate a client certificate and key for a client named "client1". You can replace "client1" with any name that you want to use for your client.

The script will also create a client configuration file (/etc/openvpn/client/client1.ovpn) that you can use to connect to OpenVPN server.
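A profile that looks complete can still fail to connect, for example when the <cert> block is empty because easyrsa failed, or when compression is enabled on only one side. The script below is an added example, not part of the original article: it assumes the profile layout written by gen-client.sh above (inline <ca>, <cert> and <key> blocks plus a remote line), and the vpn.example.com host and PEM bodies in its sample profile are constructed placeholders.

```shell
#!/bin/sh
# Sanity check for a client profile (.ovpn) produced by gen-client.sh
# (added example, not from the article). Checks performed:
#   1. each inline <ca>, <cert> and <key> block holds a complete PEM object
#      (an empty block is what remains if easyrsa fails but the script keeps going);
#   2. a 'remote <host> <port>' line is present and well-formed;
#   3. compression is not enabled, because the server configuration does not enable it;
#   4. the file, which embeds a private key, is readable by its owner only.

# pem_block_ok PROFILE TAG: return 0 if <TAG>...</TAG> contains BEGIN and END lines.
pem_block_ok() {
    awk -v tag="$2" '
        BEGIN { otag = "<" tag ">"; ctag = "</" tag ">" }
        $0 == otag { inside = 1; next }
        $0 == ctag { inside = 0; next }
        inside && /-----BEGIN / { seen_begin = 1 }
        inside && /-----END /   { seen_end = 1 }
        END { if (seen_begin && seen_end) exit 0; exit 1 }
    ' "$1"
}

# check_client_profile PROFILE: return 0 when all checks pass, 1 otherwise.
check_client_profile() {
    profile=$1
    status=0
    [ -f "$profile" ] || { echo "ERROR: $profile not found"; return 1; }

    for tag in ca cert key; do
        if ! pem_block_ok "$profile" "$tag"; then
            echo "ERROR: <$tag> block is missing or incomplete"; status=1
        fi
    done

    if ! grep -Eq '^remote[[:space:]]+[A-Za-z0-9.:-]+[[:space:]]+[0-9]+([[:space:]]|$)' "$profile"; then
        echo "ERROR: 'remote <host> <port>' line missing or malformed"; status=1
    fi

    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$profile"; then
        echo "ERROR: compression is enabled; remove comp-lzo/compress"; status=1
    fi

    # characters 5-10 of 'ls -l' output are the group and other permission bits
    mode=$(ls -ld "$profile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "ERROR: $profile is readable by group/others; run: chmod 600 $profile"; status=1
    fi
    return $status
}

# write_sample_profile DIR NAME: write a constructed profile DIR/NAME.ovpn in the
# layout gen-client.sh produces. Host and PEM bodies are placeholders, not real
# keys. Prints the path of the profile it wrote.
write_sample_profile() {
    cat > "$1/$2.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
<ca>
-----BEGIN CERTIFICATE-----
constructedPlaceholderCaBody
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
constructedPlaceholderCertBody
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
constructedPlaceholderKeyBody
-----END PRIVATE KEY-----
</key>
EOF
    chmod 600 "$1/$2.ovpn"
    echo "$1/$2.ovpn"
}
```

Run check_client_profile /etc/openvpn/client/client1.ovpn before handing the file to a user; each failed check prints its reason, and the function exits non-zero if any check fails.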

Step 5: Connect to OpenVPN Server

To connect to the OpenVPN server from a client machine, you need to install an OpenVPN client. There are many OpenVPN clients available for different platforms, such as OpenVPN Connect, Tunnelblick, and OpenVPN GUI.

Once you have installed an OpenVPN client, you need to import the client configuration file that we created earlier (/etc/openvpn/client/client1.ovpn). The exact process for importing a configuration file depends on the OpenVPN client that you are using.

After importing the configuration file, you can connect to the OpenVPN server by clicking the "Connect" button. If everything is configured correctly, you should be able to establish a secure and encrypted connection to the OpenVPN server.

Conclusion

In this article, we have discussed how to install and configure an OpenVPN server on CentOS 8/7. We have also discussed how to generate server and client certificates and keys, and how to connect to the OpenVPN server from a client machine.

OpenVPN is a powerful and flexible VPN protocol that can provide secure and private communication over the internet. With the steps outlined in this article, you should be able to set up an OpenVPN server on your CentOS 8/7 server and start using it to connect to the internet securely and privately.

Updated on: 12-May-2023
