How to Install OpenVPN on CentOS 8?
VPN or virtual private network allows you to create your own internet in the World Wide Web. You can have loads of benefits form a VPN service.
- You can encrypt the traffic to protect your identity
- Change your location
- Access the sites which are not accessible in your country and many more.
In this tutorial, you would learn how to install OpenVPN on CentOS 8.
Step 1 – Disable SELinux
Disable the SELinux in your system and open the /etc/selinux/config file:
$ nano /etc/selinux/config
Change the line:
SELINUX=disabled
Save the file and restart the system.
Step 2 – Enable IP Forwarding
Enable IP forwarding in your system to allow your network system to accept and send the packet to other systems mentioned.
Edit the file /etc/sysctl.conf:
$ nano /etc/sysctl.conf
Add
net.ipv4.ip_forward = 1
Save the file and run the following command:
$ sysctl –p
Step 3 – Install OpenVPN Server
Install the EPEL repository in your system.
To install the latest version run the ELEP repository:
$ dnf install epel-release
When prompted to continue press ‘y’
Run the following command:
dnf install openvpn
After the process download easy-rsa for managing SSL certificates.
Run the following command for easy-rsa inside /etc/openvpn directory.
$ cd /etc/openvpn
$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
Now extract the downloaded file by running this command:
$ tar -xvzf EasyRSA-unix-v3.0.6.tgz
Now rename the achieved directory to the easy-rsa
$ mv EasyRSA-v3.0.6 easy-rsa
Configure the Certificate Authority on your system by changing the directory to /etc/openvpn/easy-rsa and create a new Easy RSA’s configuration file:
$ cd /etc/openvpn/easy-rsa
$ nano vars
Then add your country, city, and preferred email address:
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY " COUNTRY"
set_var EASYRSA_REQ_PROVINCE " PROVINCE "
set_var EASYRSA_REQ_CITY " CITY "
set_var EASYRSA_REQ_ORG " CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "name@admin.net"
set_var EASYRSA_REQ_OU " admin EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT " admin CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
Now run this command:
$ ./easyrsa init-pki
Build the CA certificates with the following command:
$ ./easyrsa build-ca
Enter the new CA key passphrase and provide the common name (CN).
Step 5 – Generate Server Certificate Files
Run this command to sign the server key:
$ ./easyrsa sign-req server admin-server
Verify the generated certificate:
$ openssl verify -CAfile pki/ca.crt pki/issued/admin-server.crt
If all of your steps were correct you will receive the following output:
pki/issued/admin-server.crt: OK
Generate a strong Diffie-Hellman key to use for the key exchange:
$ ./easyrsa gen-dh
When you have created all the certificates now it is time to copy them to the /etc/openvpn/server/ directory:
$ cp pki/ca.crt /etc/openvpn/server/
$ cp pki/dh.pem /etc/openvpn/server/
$ cp pki/private/tecadmin-server.key /etc/openvpn/server/
$ cp pki/issued/tecadmin-server.crt /etc/openvpn/server/
Step 6 – Generate Client Certificate and Key File
For client certificate and file key run:
$ ./easyrsa gen-req client nopass
Then sign the client key using your CA certificate:
$ ./easyrsa sign-req client client
Now copy all client certificate and key file to the /etc/openvpn/client/ directory:
$ cp pki/ca.crt /etc/openvpn/client/
$ cp pki/issued/client.crt /etc/openvpn/client/
$ cp pki/private/client.key /etc/openvpn/client/
Step 7 – Configure OpenVPN Server on linux vps server
Create a new OpenVPN configuration file inside /etc/openvpn/client/ directory:
$ nano /etc/openvpn/server/server.conf
Add the following lines:
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/admin-server.crt
key /etc/openvpn/server/admin-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
save the file when you are done.
Step 8 – Start OpenVPN Service
OpenVPN is now installed and configured, reboot the system by using these commands:
$ systemctl start openvpn-server@server
$ systemctl enable openvpn-server@server
Verify the status of OpenVPN service by:
$ systemctl status openvpn-server@server
OpenVPN service started successfully will create a new network interface named tun0.
You can check it with the following:
$ ifconfig
Interface tun0 will show the following output:
eth0: flags=4163 mtu 1500
inet 104.245.36.127 netmask 255.255.255.0 broadcast 104.245.36.255
inet6 fe80::200:68ff:fef5:247f prefixlen 64 scopeid 0x20
ether 00:00:68:f5:24:7f txqueuelen 1000 (Ethernet)
RX packets 1926738 bytes 314886412 (300.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 174907 bytes 29557250 (28.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 216 bytes 40041 (39.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 216 bytes 40041 (39.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305 mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::4152:a673:b260:d9e6 prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 304 (304.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Step 9 – Generate Client Configuration File
Create a new OpenVPN client configuration file named client.ovpn.
$ nano /etc/openvpn/client/client.ovpn
Add the following lines:
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Save the file after completion.
Step 10 – Configure routing using Firewalld
OpenVPN service and tun0 interface to the trusted firewall zone:
$ firewall-cmd --permanent --add-service=openvpn
$ firewall-cmd --permanent --zone=trusted --add-service=openvpn
$ firewall-cmd --permanent --zone=trusted --add-interface=tun0
Add MASQUERADE on the default zone:
$ firewall-cmd --add-masquerade
$ firewall-cmd --permanent --add-masquerade
Run the following command to masquerade the internet traffic coming from VPN network (10.8.0.0/24).
$ tecadmin=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
$ firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $tecadmin -j MASQUERADE
Run this command to implement the changes:
$ firewall-cmd --reload
Step 11 – Connect OpenVPN from Clients
Log in to the client machine and install the OpenVPN package:
$ dnf install epel-release -y
$ dnf install openvpn -y
Run the following command to download all the client configuration file:
$ scp -r root@vpn-server-ip:/etc/openvpn/client .
Change the directory and run these commands to connect to OpenVPN server:
$ cd client
$ openvpn --config client.ovpn
You will have the following output:
Mon Feb 17 00:54:17 2020 VERIFY OK: depth=0, CN=tecadmin-server
Mon Feb 17 00:54:17 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mon Feb 17 00:54:17 2020 [tecadmin-server] Peer Connection Initiated with [AF_INET]104.245.36.127:1194
Mon Feb 17 00:54:18 2020 SENT CONTROL [tecadmin-server]: 'PUSH_REQUEST' (status=1)
Mon Feb 17 00:54:18 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: route options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: peer-id set
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Feb 17 00:54:18 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 17 00:54:18 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 17 00:54:18 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 17 00:54:18 2020 ROUTE_GATEWAY 45.58.38.1/255.255.255.0 IFACE=eth0 HWADDR=00:00:2d:3a:26:d9
Mon Feb 17 00:54:18 2020 TUN/TAP device tun0 opened
Mon Feb 17 00:54:18 2020 TUN/TAP TX queue length set to 100
Mon Feb 17 00:54:18 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 17 00:54:18 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Check it with the following command:
$ ifconfig tun0
Output:
tun0: flags=4305 mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::c6b:2644:5142:8e7f prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 96 (96.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0
Congratulations! You have installed OpenVPN Server and Client on CentOS 8 server. Let us know if this article was helpful in the comments below!