Installing OpenVPN on CentOS: Step-by-Step Guide

Learn how to install, configure, and troubleshoot OpenVPN on CentOS with this step-by-step guide.

Updated: 05 Apr, 25 by jean lou 9 Min


OpenVPN is strong, flexible, and open-source VPN software for online privacy, secured data transmission, and remote access to private networks. OpenVPN on CentOS offers reliable flexibility for your VPN environment, whether for personal secure settings or business deployment. This guide covers the stepwise installation and configuration of OpenVPN on CentOS, with server setup and client configuration. By the end of this guide, you will have a fully functional VPN for encrypted communication and secured remote access.

OpenVPN is one of the most popular open-source VPN (Virtual Private Network) solutions around. This solution offers secure encrypted internet channels over which data can pass. Its flexibility comes in many ways. It can be used to establish secure remote access or site-to-site VPN tunnels. 

When OpenVPN runs on CentOS, it creates a stable and safe environment that is perfect for businesses or individuals who wish to better their online privacy and security. Following are some good reasons for using it on CentOS:

  • Enhanced Security: OpenVPN uses strong encryption protocols (such as AES-256) to protect data from eavesdropping and cyber threats.
  • Remote Access: Enables users to securely connect to a private network from anywhere in the world.
  • Bypass Geo-Restrictions: Helps access region-restricted content and services by masking your IP address.
  • Reliable and Stable: CentOS is known for its stability, making it a great choice for hosting VPN servers with minimal downtime.
  • Customizable and Scalable: OpenVPN allows advanced configurations, supports multiple clients, and can be tailored to different networking needs.
  • Cost-Effective: As an open-source solution, OpenVPN is free to use, reducing the cost of implementing a secure VPN.


OpenVPN is an excellent open-source project for establishing secure and encrypted communications over the Internet. When OpenVPN is installed on CentOS, a private and protected network can be established for either personal or business needs. This tutorial will take you through the process of installation and configuration to ensure your seamless and secure setup.

Before starting the OpenVPN installation, ensure you have the following:

  • A CentOS server with root or sudo access
  • A stable internet connection
  • A basic understanding of Linux commands
  • A domain name or public IP address (recommended for easier client configuration)


Update Your System

Before installing any software, update your CentOS system to ensure you have the latest packages and security patches. Run the following command:

sudo yum update -y

Install OpenVPN and Easy-RSA

OpenVPN and Easy-RSA (a tool for managing SSL certificates) are required to set up a secure VPN. Install them using:

sudo yum install -y epel-release

sudo yum install -y openvpn easy-rsa

Configure Easy-RSA and Generate Certificates

OpenVPN requires SSL/TLS certificates for secure authentication. Follow these steps to generate them:

Copy the Easy-RSA files to OpenVPN’s directory:

cp -r /usr/share/easy-rsa /etc/openvpn/

Navigate to the Easy-RSA directory:

cd /etc/openvpn/easy-rsa

Initialize the PKI (Public Key Infrastructure):

./easyrsa init-pki

Build the Certificate Authority (CA):

./easyrsa build-ca

You will be prompted to enter a common name for the CA. Press Enter to accept the default or provide a custom name.

Generate a server certificate and key:

./easyrsa gen-req server nopass

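This creates a private key and a certificate request for the VPN server; nopass leaves the key unencrypted so the service can start without a passphrase prompt.

Sign the server certificate with the CA: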

./easyrsa sign-req server server

Generate Diffie-Hellman parameters (used for secure key exchange):

./easyrsa gen-dh

Create a shared HMAC key (used by the tls-auth directive) for additional security:

openvpn --genkey --secret /etc/openvpn/ta.key

Configure OpenVPN Server

Copy the sample OpenVPN configuration file:

cp /usr/share/doc/openvpn*/sample-config-files/server.conf /etc/openvpn/server.conf

Edit the server configuration file using a text editor like nano:

nano /etc/openvpn/server.conf

Update the following lines:

port 1194

proto udp

dev tun

ca /etc/openvpn/easy-rsa/pki/ca.crt

cert /etc/openvpn/easy-rsa/pki/issued/server.crt

key /etc/openvpn/easy-rsa/pki/private/server.key

dh /etc/openvpn/easy-rsa/pki/dh.pem

tls-auth /etc/openvpn/ta.key 0

Ensure the paths to certificates and keys are correct.

Save and exit the file (CTRL + X, then Y, and Enter).

Enable Packet Forwarding

Enable IP forwarding to allow VPN traffic to flow properly. Open the sysctl configuration file:

nano /etc/sysctl.conf

Add or uncomment the following line:

net.ipv4.ip_forward = 1

Apply the changes:

sysctl -p

Start and Enable OpenVPN

Start the OpenVPN service and enable it to run on system boot:

sudo systemctl start openvpn@server

sudo systemctl enable openvpn@server

Verify that OpenVPN is running:

sudo systemctl status openvpn@server

Configure Firewall Rules

If you have firewalld enabled, configure it to allow OpenVPN traffic:

sudo firewall-cmd --permanent --add-masquerade

sudo firewall-cmd --permanent --add-service=openvpn

sudo firewall-cmd --permanent --add-port=1194/udp

sudo firewall-cmd --reload

Create OpenVPN Client Configuration

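Copy the required certificates and keys to the client. These commands assume a client certificate and key named client have already been issued from the same CA; the Easy-RSA steps above only create the server's.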

scp /etc/openvpn/easy-rsa/pki/ca.crt user@client_ip:/home/user/

scp /etc/openvpn/easy-rsa/pki/issued/client.crt user@client_ip:/home/user/

scp /etc/openvpn/easy-rsa/pki/private/client.key user@client_ip:/home/user/

scp /etc/openvpn/ta.key user@client_ip:/home/user/

Create a client configuration file (client.ovpn):

client

dev tun

proto udp

remote SERVER_IP 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client.crt

key client.key

tls-auth ta.key 1

cipher AES-256-CBC

auth SHA256

compress lz4

verb 3

Replace SERVER_IP with the actual IP address of your OpenVPN server.
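
Both server.conf and client.ovpn depend on the ca, cert, key, dh and tls-auth directives pointing at files that exist, with key material readable only by its owner and tls-auth set to 0 on the server and 1 on the client. The shell function below is an added example, not part of the original guide, that checks exactly those points; check_ovpn_conf is a hypothetical helper name, and it assumes relative paths (as in client.ovpn) are resolved against the config file's directory.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the file directives
# of an OpenVPN config. check_ovpn_conf is a hypothetical helper name.
# Usage: check_ovpn_conf <config> <tls-auth direction: 0 server, 1 client>
# Exit status is the number of problems found (0 = clean).
check_ovpn_conf() (
  conf=$1 want_dir=$2
  [ -f "$conf" ] || { echo "no such config: $conf"; exit 1; }
  # Assumption: relative paths (as in client.ovpn) live beside the config.
  base=$(cd "$(dirname "$conf")" && pwd)
  # Strip '#' and ';' comments, then read "directive path [direction]".
  sed -e 's/[#;].*//' "$conf" | (
    problems=0
    while read -r name path dir rest; do
      case $name in
        ca|cert|key|dh|tls-auth) ;;
        *) continue ;;                      # not a file directive we audit
      esac
      case $path in /*) ;; *) path=$base/$path ;; esac
      if [ ! -f "$path" ]; then
        echo "MISSING $name: $path"
        problems=$((problems + 1))
        continue
      fi
      # Private key and HMAC key must not be accessible to group/others.
      if [ "$name" = key ] || [ "$name" = tls-auth ]; then
        if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
          echo "PERMS   $name: $path is group/world accessible"
          problems=$((problems + 1))
        fi
      fi
      # Server and client must use opposite tls-auth directions (0 and 1).
      if [ "$name" = tls-auth ] && [ "$dir" != "$want_dir" ]; then
        echo "KEYDIR  tls-auth direction '${dir:-unset}', expected $want_dir"
        problems=$((problems + 1))
      fi
    done
    exit "$problems"
  )
)
# e.g. check_ovpn_conf /etc/openvpn/server.conf 0
```

Run it with 0 against server.conf and with 1 against client.ovpn; a non-zero exit status is the number of findings printed.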

Connect to OpenVPN

On the client machine, use the following command to connect to the VPN:

sudo openvpn --config client.ovpn

If everything is configured correctly, you should see a successful connection message.

Enable Auto Start for OpenVPN on Boot

To ensure OpenVPN starts automatically at boot:

sudo systemctl enable openvpn@server


Configuring an OpenVPN installation on CentOS provides a secure and private network, but sometimes issues arise and you may not be able to connect smoothly. Common causes include misconfigurations, firewall rules, and network-related problems.

By understanding the more common OpenVPN errors and their resolutions, you may be able to identify and resolve these issues quickly. Below is a list of some frequently occurring OpenVPN issues on CentOS with possible solutions.


Issue: OpenVPN service fails to start
Cause: Incorrect configuration, missing certificates, or permissions issues
Solution: Check logs using journalctl -xe and verify the configuration in /etc/openvpn/server.conf. Ensure certificates and keys exist and have proper permissions.

Issue: Client unable to connect
Cause: Firewall blocking OpenVPN traffic or incorrect client configuration
Solution: Ensure the firewall allows UDP port 1194 using firewall-cmd --permanent --add-port=1194/udp, then run firewall-cmd --reload. Verify that the client configuration file (client.ovpn) has the correct server IP.

Issue: No internet access after connecting
Cause: IP forwarding not enabled or incorrect NAT rules
Solution: Enable IP forwarding with echo 1 > /proc/sys/net/ipv4/ip_forward and apply NAT rules using firewall-cmd --permanent --add-masquerade.

Issue: Authentication failure
Cause: Incorrect client certificates or mismatched credentials
Solution: Ensure the client is using the correct ca.crt, client.crt, and client.key files. If using password authentication, verify the credentials in the OpenVPN server logs.

Issue: Slow VPN speed
Cause: High encryption overhead or network congestion
Solution: Try changing the encryption cipher in server.conf, use compression (compress lz4), or test different network routes.

Issue: DNS leaks after connecting
Cause: The client is still using the ISP's DNS servers
Solution: Add push "dhcp-option DNS 8.8.8.8" in server.conf to enforce VPN DNS settings.

Issue: TLS handshake errors
Cause: Time mismatch between client and server
Solution: Ensure both server and client have synchronized system clocks using timedatectl set-ntp on.

Conclusion

With this step-by-step guide, you can deploy OpenVPN, configure the firewall, enable IP forwarding, and resolve many common issues. A VPN that is installed correctly and troubleshot promptly gives a more stable connection, so OpenVPN on CentOS can provide secure, encrypted remote access.

The stability of the VPN can be maintained by consistent monitoring, log reading, and tuning of the configuration. OpenVPN on CentOS is an inexpensive way to protect privacy online, either for personal or business purposes.

 Install it using yum install -y openvpn easy-rsa and configure it with the required certificates and firewall rules.

 OpenVPN uses UDP port 1194 by default, but it can be changed in the configuration file.

 Run sudo systemctl status openvpn@server to verify if the service is active.

 Check firewall settings, verify the client configuration, and ensure certificates match the server setup.

 Use sudo systemctl enable openvpn@server to ensure OpenVPN starts automatically at system startup.