VPN is pronounced as separate letters and is short for virtual private network. VPN, or virtual private network, is a network that is constructed by using public wires usually the Internet to connect to a private network, such as a company’s internal network.
OpenVPN is a popular open source application that implements a virtual private network. works on Linux, Windows operating systems.
In this Article i will explain how to install and configure OpenVPN in centOS 7 server.
OpenVpn is not available in the default CentOS repositories. So we need to install Enterprise Linux (EPEL) repository. Use the following command to install EPEL repository.
yum install epel-release
Next install openvpn package and easy-rsa and iptables services by the following command.
yum -y install openvpn easy-rsa iptables-services
Then we need to configure the following certificates and keys for easy -rsa
Certificate Authority (ca)
Server Key and Certificate
Client Key and Certificate
copy easy-rsa script generation to “/etc/openvpn/”
cp -rf /usr/share/easy-rsa/ /etc/openvpn/
Then go to the easy-rsa directory and edit the vars file.
cd /etc/openvpn/easy-rsa/2.*/ vim vars
Set KEY_CONFIG to point to the openssl.cnf file included in this distribution
Set KEY_DIR to point to a directory which will contain all keys, certificates, etc.
This directory need not exist, and if it does, it will be deleted with rm -rf,
so be careful how you set KEY_DIR.
Edit other fields in vars per your site data.You may want to increase KEY_SIZE to
2048 if you are paranoid and don’t mind slower key processing, but certainly 1024 is
fine for testing purposes.KEY_SIZE must be compatible across both peers participating
in a secure SSL/TLS connection.
Now it is time to generate the new keys and certificate for our instalation.
Then run clean-all to ensure that we have a clean certificate setup.
Now generate a certificate authority(ca). You will be asked about Country Name etc.
This command will create a file ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.
Now generate a server key and certificate.
Build a Diffie-Hellman key exchange.
Generate client key and certificate.
Move or copy the directory keys/ to /etc/opennvpn
Now we can copy the OpenVPN configuration from /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/ or create a new one
cd /etc/openvpn/ vim server.conf
set the configuration of file as follows
#change with your port port 1337 #You can use udp or tcp proto udp # "dev tun" will create a routed IP tunnel. dev tun #Certificate Configuration #ca certificate ca /etc/openvpn/keys/ca.crt #Server Certificate cert /etc/openvpn/keys/server.crt #Server Key and keep this is secret key /etc/openvpn/keys/server.key #See the size a dh key in /etc/openvpn/keys/ dh /etc/openvpn/keys/dh1024.pem #Internal IP will get when already connect server 192.168.200.0 255.255.255.0 #this line will redirect all traffic through our OpenVPN push "redirect-gateway def1" #Provide DNS servers to the client, you can use goolge DNS push "dhcp-option DNS 22.214.171.124" push "dhcp-option DNS 126.96.36.199" #Enable multiple client to connect with same key duplicate-cn keepalive 20 60 comp-lzo persist-key persist-tun daemon #enable log log-append /var/log/myvpn/openvpn.log #Log Level verb 3
save the file by using Esc+:wq command.
create a folder for log file.
mkdir -p /var/log/myvpn/ touch /var/log/myvpn/openvpn.log
Edit the file selinux located in /etc/sysconfig by using vim editor in the following way.
Then set SELINUX to disabled for disable the selinux
Then reboot the server to apply the changes made.
Configure Routing and Iptables
First we need to enable the iptables service by the following commnds
systemctl enable iptables systemctl start iptables iptables –F
Add iptables-rule to forward a routing to our openvpn subnet.
iptables -t nat -A POSTROUTING -s 192.168.1.1/24 -o eth0 -j MASQUERADE iptables-save > /etc/sysconfig/iptablesvpn
For enable port forwarding in linux operating system edit the file sysctl.conf located in /etc directory by using vim editor.
Then add the following line at the end of the file and save the file
net.ipv4.ip_forward = 1
Reboot the server and enjoy VPN Server
To connect to the openvpn server, the client requires a key and certificate that we created already, please download the 3 files from your server using SFTP or SCP :
ca.crt client.crt client.key
Afterwards create a new file called client.ovpn and paste configuration below :
client dev tun proto udp #Server IP and Port remote 192.168.1.1 1337 resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings ca ca.crt cert client.crt key client.key ns-cert-type server comp-lzo
Then download the client application for openvpn and install it on your client computer.