How to configure VPN Server in Linux


VPN Server

VPN is pronounced as separate letters and is short for virtual private network. VPN, or virtual private network, is a network that is constructed by using public wires usually the Internet to connect to a private network, such as a company’s internal network.

OpenVPN is a popular open source application that implements a virtual private network. works on Linux, Windows operating systems.

In this Article i will explain how to install and configure OpenVPN in centOS 7 server.
OpenVpn is not available in the default CentOS repositories. So we need to install Enterprise Linux (EPEL) repository. Use the following command to install EPEL repository.

yum install epel-release

Next install openvpn package and easy-rsa and iptables services by the following command.

yum -y install openvpn easy-rsa iptables-services

Then we need to configure the following certificates and keys for easy -rsa

Certificate Authority (ca)
Server Key and Certificate
Diffie-Hellman key
Client Key and Certificate

copy easy-rsa script generation to “/etc/openvpn/”

cp -rf /usr/share/easy-rsa/ /etc/openvpn/

Then go to the easy-rsa directory and edit the vars file.

cd /etc/openvpn/easy-rsa/2.*/
vim vars

Set KEY_CONFIG to point to the openssl.cnf file included in this distribution

Set KEY_DIR to point to a directory which will contain all keys, certificates, etc.
This directory need not exist, and if it does, it will be deleted with rm -rf,
so be careful how you set KEY_DIR.

Edit other fields in vars per your site data.You may want to increase KEY_SIZE to
2048 if you are paranoid and don’t mind slower key processing, but certainly 1024 is
fine for testing purposes.KEY_SIZE must be compatible across both peers participating
in a secure SSL/TLS connection.

Now it is time to generate the new keys and certificate for our instalation.
source ./vars

Then run clean-all to ensure that we have a clean certificate setup.


Now generate a certificate authority(ca). You will be asked about Country Name etc.

This command will create a file ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.


Now generate a server key and certificate.

./build-key-server server

Build a Diffie-Hellman key exchange.


Generate client key and certificate.

./build-key client

Move or copy the directory keys/ to /etc/opennvpn
Configure OpenVPN

Now we can copy the OpenVPN configuration from /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/ or create a new one

cd /etc/openvpn/
vim server.conf

set the configuration of file as follows

#change with your port
port 1337

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun

#Certificate Configuration

#ca certificate
ca /etc/openvpn/keys/ca.crt

#Server Certificate
cert /etc/openvpn/keys/server.crt

#Server Key and keep this is secret
key /etc/openvpn/keys/server.key

#See the size a dh key in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh1024.pem

#Internal IP will get when already connect

#this line will redirect all traffic through our OpenVPN
push "redirect-gateway def1"

#Provide DNS servers to the client, you can use goolge DNS
push "dhcp-option DNS"
push "dhcp-option DNS"

#Enable multiple client to connect with same key

keepalive 20 60

#enable log
log-append /var/log/myvpn/openvpn.log

#Log Level
verb 3

save the file by using Esc+:wq command.

create a folder for log file.

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log

Disable SELinux

Edit the file selinux located in /etc/sysconfig by using vim editor in the following way.

vim /etc/sysconfig/selinux

Then set SELINUX to disabled for disable the selinux


Then reboot the server to apply the changes made.
Configure Routing and Iptables

First we need to enable the iptables service by the following commnds

systemctl enable iptables
systemctl start iptables
iptables –F

Add iptables-rule to forward a routing to our openvpn subnet.

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptablesvpn

For enable port forwarding in linux operating system edit the file sysctl.conf located in /etc directory by using vim editor.

vim /etc/sysctl.conf

Then add the following line at the end of the file and save the file

net.ipv4.ip_forward = 1

Reboot the server and enjoy VPN Server

Client Setup

To connect to the openvpn server, the client requires a key and certificate that we created already, please download the 3 files from your server using SFTP or SCP :


Afterwards create a new file called client.ovpn and paste configuration below :

dev tun
proto udp

#Server IP and Port
remote 1337

resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
ns-cert-type server

Then download the client application for openvpn and install it on your client computer.