
This tutorial walks you through setting up an OpenVPN connection on CentOS 8.

07 Sep, 20

Step-by-Step Guide for Installing OpenVPN on CentOS 8

A VPN, or virtual private network, lets you build your own private network on top of the public internet. A VPN service brings several benefits:

  • You can encrypt your traffic to protect your identity
  • Change your location
  • Access sites that are not accessible in your country, and many more.

In this tutorial, you will learn how to install OpenVPN on CentOS 8.

Step 1 – Disable SELinux

Disable SELinux on your system. Open the /etc/selinux/config file:

$ nano /etc/selinux/config

Change the SELINUX line to:

SELINUX=disabled

Save the file and restart the system.

Step 2 – Enable IP Forwarding

Enable IP forwarding so that the kernel will route packets between the VPN interface and the other networks the server is connected to.

Edit the file /etc/sysctl.conf:

$ nano /etc/sysctl.conf

Add the following line:

net.ipv4.ip_forward = 1

Save the file and run the following command:

$ sysctl -p

Step 3 – Install OpenVPN Server

First install the EPEL repository, which provides the OpenVPN package:

$ dnf install epel-release

When prompted to continue, press 'y'.

Then install OpenVPN:

$ dnf install openvpn

Next, download easy-rsa, which is used to manage the SSL certificates.

Run the following commands to download easy-rsa into the /etc/openvpn directory:

$ cd /etc/openvpn

$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Now extract the downloaded file by running this command:

$ tar -xvzf EasyRSA-unix-v3.0.6.tgz

Now rename the extracted directory to easy-rsa:

$ mv EasyRSA-v3.0.6 easy-rsa

Step 4 – Set Up the Certificate Authority

Configure the Certificate Authority on your system: change to the /etc/openvpn/easy-rsa directory and create a new Easy-RSA configuration file:

$ cd /etc/openvpn/easy-rsa

$ nano vars

Then add the following, filling in your own country, province, city, organization and email address:

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "COUNTRY"
set_var EASYRSA_REQ_PROVINCE    "PROVINCE"
set_var EASYRSA_REQ_CITY        "CITY"
set_var EASYRSA_REQ_ORG         "CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "name@admin.net"
set_var EASYRSA_REQ_OU          "admin EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "admin CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

Now initialize the PKI:

$ ./easyrsa init-pki

Build the CA certificate with the following command:

$ ./easyrsa build-ca

Enter a passphrase for the new CA key and provide the common name (CN).

Step 5 – Generate Server Certificate Files

Generate the server key and certificate request, then sign the request with your CA:

$ ./easyrsa gen-req admin-server nopass

$ ./easyrsa sign-req server admin-server

Verify the generated certificate:

$ openssl verify -CAfile pki/ca.crt pki/issued/admin-server.crt

If everything went well, you will see the following output:

pki/issued/admin-server.crt: OK

Generate Diffie-Hellman parameters for the key exchange:

$ ./easyrsa gen-dh

Once all the certificates have been created, copy them to the /etc/openvpn/server/ directory (the file names must match the cert and key paths referenced later in server.conf):

$ cp pki/ca.crt /etc/openvpn/server/
$ cp pki/dh.pem /etc/openvpn/server/
$ cp pki/private/admin-server.key /etc/openvpn/server/
$ cp pki/issued/admin-server.crt /etc/openvpn/server/

Step 6 – Generate Client Certificate and Key File

Generate the client key and certificate request:

$ ./easyrsa gen-req client nopass

Then sign the client request with your CA:

$ ./easyrsa sign-req client client

Now copy the client certificate and key files to the /etc/openvpn/client/ directory:

$ cp pki/ca.crt /etc/openvpn/client/
$ cp pki/issued/client.crt /etc/openvpn/client/
$ cp pki/private/client.key /etc/openvpn/client/

Step 7 – Configure the OpenVPN Server

Create a new OpenVPN server configuration file inside the /etc/openvpn/server/ directory:

$ nano /etc/openvpn/server/server.conf

Add the following lines:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/admin-server.crt
key /etc/openvpn/server/admin-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3

Save the file when you are done.
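Before starting the service it is worth checking the file for the settings that matter most for security. The script below is an added example, not part of the original tutorial: a small POSIX sh linter that verifies the privilege-drop (user/group), tls-version-min and auth-nocache directives are present and flags duplicate-cn, which lets several clients connect with the same certificate so one user's access cannot be revoked on its own. The sample config it reads is constructed inline from the directives above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a small linter for an
# OpenVPN server.conf. It checks that the privilege-drop and TLS settings the
# guide relies on are present and flags duplicate-cn, which lets several
# clients share one certificate. Uses only POSIX sh, grep and mktemp.

# has_opt FILE OPTION [VALUE_REGEX]: true if the directive is set (uncommented)
has_opt() {
    if [ -n "$3" ]; then
        grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
    else
        grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
    fi
}

# check_openvpn_conf FILE: print one finding per line, always returns 0
check_openvpn_conf() {
    has_opt "$1" user  || echo "missing 'user': daemon keeps running as root"
    has_opt "$1" group || echo "missing 'group': daemon keeps the root group"
    has_opt "$1" tls-version-min '1\.[23]' || echo "tls-version-min unset or below 1.2"
    has_opt "$1" auth-nocache || echo "missing 'auth-nocache': credentials stay cached in memory"
    has_opt "$1" duplicate-cn && echo "duplicate-cn set: clients can share a cert, so one user cannot be revoked alone"
    return 0
}

# finding_count FILE: number of findings, handy for scripts and tests
finding_count() { check_openvpn_conf "$1" | grep -c . || true; }

# Constructed sample mirroring the guide's server.conf (trimmed), not a real file
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
dev tun
server 10.8.0.0 255.255.255.0
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
auth-nocache
user nobody
group nobody
EOF

# Same config with duplicate-cn removed: one client certificate per user
HARDENED_CONF=$(mktemp)
grep -v '^duplicate-cn' "$SAMPLE_CONF" > "$HARDENED_CONF"

check_openvpn_conf "$SAMPLE_CONF"     # prints the duplicate-cn finding
check_openvpn_conf "$HARDENED_CONF"   # prints nothing
```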

Step 8 – Start OpenVPN Service

OpenVPN is now installed and configured. Start the service and enable it at boot with these commands:

$ systemctl start openvpn-server@server
$ systemctl enable openvpn-server@server

Verify the status of the OpenVPN service with:

$ systemctl status openvpn-server@server

When the OpenVPN service starts successfully it creates a new network interface named tun0.

You can check it with the following:

$ ifconfig

The tun0 interface will appear in the output:

eth0: flags=4163  mtu 1500
        inet 104.245.36.127  netmask 255.255.255.0  broadcast 104.245.36.255
        inet6 fe80::200:68ff:fef5:247f  prefixlen 64  scopeid 0x20
        ether 00:00:68:f5:24:7f  txqueuelen 1000  (Ethernet)
        RX packets 1926738  bytes 314886412 (300.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174907  bytes 29557250 (28.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 216  bytes 40041 (39.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 216  bytes 40041 (39.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::4152:a673:b260:d9e6  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 304 (304.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 9 – Generate Client Configuration File

Create a new OpenVPN client configuration file named client.ovpn:

$ nano /etc/openvpn/client/client.ovpn

Add the following lines:

client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save the file after completion.

Step 10 – Configure Routing Using Firewalld

Add the OpenVPN service and the tun0 interface to the trusted firewall zone:

$ firewall-cmd --permanent --add-service=openvpn
$ firewall-cmd --permanent --zone=trusted --add-service=openvpn
$ firewall-cmd --permanent --zone=trusted --add-interface=tun0

Add MASQUERADE on the default zone:

$ firewall-cmd --add-masquerade
$ firewall-cmd --permanent --add-masquerade

Run the following commands to masquerade internet traffic coming from the VPN network (10.8.0.0/24). The first command stores the name of the interface that carries the default route (the awk prints the word after "dev", which works regardless of how many fields iproute2 prints on that line); the second adds the NAT rule on that interface:

$ wan_if=$(ip route get 8.8.8.8 | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
$ firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $wan_if -j MASQUERADE

Run this command to apply the changes:

$ firewall-cmd --reload
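The interface lookup in this step depends on the layout of `ip route get` output. As an added example (not from the original tutorial), the following POSIX sh script shows why reading the word after "dev" is more robust than a fixed column, using constructed sample lines for both the older and the newer iproute2 layouts, and wraps the guide's MASQUERADE rule so that an empty interface name is rejected instead of silently producing a broken rule. The addresses and interface name in the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: choose the outbound interface
# for the MASQUERADE rule by reading the "dev" field of `ip route get` rather
# than a fixed column. Newer iproute2 appends "uid 0" to that line, so the
# column an awk '$(NF-2)' expression reads shifts from the interface to the IP.

# dev_from_route: read `ip route get` output on stdin, print the interface
dev_from_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# naive_column: the fixed-column approach, kept here to show the failure mode
naive_column() { awk 'NR==1 {print $(NF-2)}'; }

# wan_iface: interface this host uses to reach 8.8.8.8 (needs iproute2)
wan_iface() { ip route get 8.8.8.8 2>/dev/null | dev_from_route; }

# masq_cmd IFACE: print the firewall-cmd rule from the guide for IFACE, and
# refuse an empty name so a failed lookup cannot produce a rule with "-o ''"
masq_cmd() {
    [ -n "$1" ] || { echo "masq_cmd: no outbound interface found" >&2; return 1; }
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o %s -j MASQUERADE\n' "$1"
}

# Constructed sample output lines (not captured from a real host):
OLD_STYLE='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10'
NEW_STYLE='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0
    cache'

printf '%s\n' "$OLD_STYLE" | naive_column     # eth0
printf '%s\n' "$NEW_STYLE" | naive_column     # 192.0.2.10: an address, not an interface
printf '%s\n' "$NEW_STYLE" | dev_from_route   # eth0
masq_cmd "$(printf '%s\n' "$NEW_STYLE" | dev_from_route)"
```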

Step 11 – Connect OpenVPN from Clients

Log in to the client machine and install the OpenVPN package:

$ dnf install epel-release -y
$ dnf install openvpn -y

Run the following command to download all the client configuration files from the server:

$ scp -r root@vpn-server-ip:/etc/openvpn/client .

Change into that directory and run the following to connect to the OpenVPN server:

$ cd client
$ openvpn --config client.ovpn

You will see output similar to the following:

Mon Feb 17 00:54:17 2020 VERIFY OK: depth=0, CN=tecadmin-server
Mon Feb 17 00:54:17 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mon Feb 17 00:54:17 2020 [tecadmin-server] Peer Connection Initiated with [AF_INET]104.245.36.127:1194
Mon Feb 17 00:54:18 2020 SENT CONTROL [tecadmin-server]: 'PUSH_REQUEST' (status=1)
Mon Feb 17 00:54:18 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: route options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: peer-id set
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Feb 17 00:54:18 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 17 00:54:18 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 17 00:54:18 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 17 00:54:18 2020 ROUTE_GATEWAY 45.58.38.1/255.255.255.0 IFACE=eth0 HWADDR=00:00:2d:3a:26:d9
Mon Feb 17 00:54:18 2020 TUN/TAP device tun0 opened
Mon Feb 17 00:54:18 2020 TUN/TAP TX queue length set to 100
Mon Feb 17 00:54:18 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 17 00:54:18 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5

Check it with the following command:

$ ifconfig tun0

Output:

tun0: flags=4305  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::c6b:2644:5142:8e7f  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 96 (96.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0

Congratulations! You have installed OpenVPN Server and Client on CentOS 8 server. Let us know if this article was helpful in the comments below!

Susith Nonis

I'm fascinated by the IT world and how the 1's and 0's work. While I venture into the world of Technology I try to share what I know in the simplest way to you. Hope you like it.