How to install and configure OpenVPN on CentOS 7

This how-to will walk you through a quick and easy OpenVPN install on a CentOS minimal server.

Install Required Packages

To help with maintenance and security we will be enabling and using EPEL. By going this route your OpenVPN installation will be updated automatically when new versions are released. Make sure your package manager (YUM) is set to run automatic updates.

yum install epel-release
yum update

Now that EPEL packages are available for installation on your system we can now install OpenVPN.

yum install openvpn

Install a set of encryption tools that will help generating the SSL Certs and Keys

yum install easy-rsa

Configure and Build Certs and Keys

Now we are ready to generate the Cert and Keys our OpenVPN server and clients will be using. The first step is to copy over the easy-rsa tools we installed to make this job easier.

cp -R /usr/share/easy-rsa/ /etc/openvpn

Next, edit /etc/openvpn/easy-rsa/2.0/vars and modify the following lines to match your requirements

export KEY_CITY="SanClemente"
export KEY_ORG="Network Data Center Host, Inc."
export KEY_EMAIL=""
export KEY_OU="VPN"
export KEY_CN=""

Generate the CA-Bundle

cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca

The last command will ask you multiple questions, all of which should be set to to the values you entered in the vars file. You should be able to just hit enter for each question and let it fill itself with the default answer!

Now we are going to generate the server certificate and key

. /etc/openvpn/easy-rsa/2.0/build-key-server server

Again this command will ask you a series of questions. The questions will have a default answer and you can simply hit enter for them all. There will be a question asking you for a challenge password, in this example we wont set one, and will leave it blank.

Now lets build a client certificate and key. The clientname below should be unique for each VPN client. We typically will set this to the username the client will use to authenticate with the VPN server.

. /etc/openvpn/easy-rsa/2.0/build-key clientname

This command will again ask you a series of questions, just as before you can use the defaults.

Next, generate the DH parameters, this could take a while….

. /etc/openvpn/easy-rsa/2.0/build-dh

Finally, move the cert and keys into their new home!

cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn

Configuring OpenVPN

Now we will start the configuration of the OpenVPN server. OpenVPN was nice enough to provide a sample configuration file that will work out of the box.

cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/openvpn/

Forwarding all client traffic through the server

The sample config lets clients connect to the VPN server and those clients will now have an encrypted connection between their computer and the server. But what if you wanted all of your clients traffic to route through the VPN, even traffic destined for the web! You can easily do this by following the instructions below.

First add the following line to your /etc/openvpn/server.conf

push "redirect-gateway def1"

Next, create /etc/sysctl.d/98-openvpn.conf and add the following line

net.ipv4.ip_forward = 1

and reload sysctl

sysctl --system

and finally lets add an iptables rule to forward traffic through the VPN!

echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/rc.local
echo "iptables -A FORWARD -s -j ACCEPT" >> /etc/rc.local
echo "iptables -A FORWARD -j REJECT" >> /etc/rc.local
echo "iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE" >> /etc/rc.local
. /etc/rc.local

Start OpenVPN and set to automatically start on boot

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

OpenVPN has now been installed and should be running. You next need to configure your OpenVPN client to connect to the server!