A VPN (virtual private network) creates a private, encrypted network on top of the public Internet. A VPN service gives you several benefits:
- You can encrypt your traffic to protect your identity
- You can change your apparent location
- You can access sites that are blocked in your country, and more
In this tutorial, you will learn how to install OpenVPN on CentOS 8.
Step 1 – Disable SELinux
Disable SELinux on your system. Be aware that this removes SELinux's mandatory access control from the whole host; CentOS 8's targeted policy already covers the packaged OpenVPN daemon, so this step is a convenience for the tutorial rather than a requirement. Open the /etc/selinux/config file:
$ nano /etc/selinux/config
Change the SELINUX line to:
SELINUX=disabled
Save the file and restart the system.
Step 2 – Enable IP Forwarding
Enable IP forwarding so that the kernel will forward packets between the VPN clients and other networks.
Edit the file /etc/sysctl.conf:
$ nano /etc/sysctl.conf
Add
net.ipv4.ip_forward = 1
Save the file and run the following command:
$ sysctl -p
Step 3 – Install OpenVPN Server
OpenVPN is provided by the EPEL repository, so install that first:
$ dnf install epel-release
When prompted to continue, press 'y'.
Then install OpenVPN:
$ dnf install openvpn
After the installation completes, download easy-rsa, which manages the certificates, into the /etc/openvpn directory:
$ cd /etc/openvpn
$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
Now extract the downloaded file by running this command:
$ tar -xvzf EasyRSA-unix-v3.0.6.tgz
Rename the extracted directory to easy-rsa:
$ mv EasyRSA-v3.0.6 easy-rsa
Step 4 – Set Up the Certificate Authority
Configure the Certificate Authority on your system. Change to the /etc/openvpn/easy-rsa directory and create a new Easy-RSA configuration file:
$ cd /etc/openvpn/easy-rsa
$ nano vars
Add the following, replacing the country, province, city, organization and email address with your own values:
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "COUNTRY"
set_var EASYRSA_REQ_PROVINCE "PROVINCE"
set_var EASYRSA_REQ_CITY "CITY"
set_var EASYRSA_REQ_ORG "CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "name@admin.net"
set_var EASYRSA_REQ_OU "admin EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT " admin CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
Initialize the PKI directory:
$ ./easyrsa init-pki
Build the CA certificates with the following command:
$ ./easyrsa build-ca
Enter the new CA key passphrase and provide the common name (CN).
Step 5 – Generate Server Certificate Files
Generate the server key and certificate request, then sign the request with your CA (the request must exist before sign-req can sign it):
$ ./easyrsa gen-req admin-server nopass
$ ./easyrsa sign-req server admin-server
Verify the generated certificate:
$ openssl verify -CAfile pki/ca.crt pki/issued/admin-server.crt
If all of your steps were correct you will receive the following output:
pki/issued/admin-server.crt: OK
Generate the Diffie-Hellman parameters used for the key exchange:
$ ./easyrsa gen-dh
Once all the certificates exist, copy them to the /etc/openvpn/server/ directory:
$ cp pki/ca.crt /etc/openvpn/server/
$ cp pki/dh.pem /etc/openvpn/server/
$ cp pki/private/admin-server.key /etc/openvpn/server/
$ cp pki/issued/admin-server.crt /etc/openvpn/server/
Step 6 – Generate Client Certificate and Key File
Generate the client key and certificate request:
$ ./easyrsa gen-req client nopass
Then sign the client request with your CA certificate:
$ ./easyrsa sign-req client client
Now copy the client certificate and key files to the /etc/openvpn/client/ directory:
$ cp pki/ca.crt /etc/openvpn/client/
$ cp pki/issued/client.crt /etc/openvpn/client/
$ cp pki/private/client.key /etc/openvpn/client/
Step 7 – Configure OpenVPN Server on the Linux VPS
Create a new OpenVPN server configuration file inside the /etc/openvpn/server/ directory:
$ nano /etc/openvpn/server/server.conf
Add the following lines:
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/admin-server.crt
key /etc/openvpn/server/admin-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
Save the file when you are done. Note that duplicate-cn lets several clients connect with the same certificate at the same time; it keeps this single-client walkthrough simple, but in production issue one certificate per client so that a lost key can be revoked without disconnecting everyone else.
Step 8 – Start OpenVPN Service
OpenVPN is now installed and configured. Start the service and enable it at boot with these commands:
$ systemctl start openvpn-server@server
$ systemctl enable openvpn-server@server
Verify the status of the OpenVPN service:
$ systemctl status openvpn-server@server
When the OpenVPN service starts successfully, it creates a new network interface named tun0.
You can check it with the following command (ifconfig comes from the net-tools package; ip addr show tun0 works without it):
$ ifconfig
The output lists tun0 alongside the other interfaces:
eth0: flags=4163 mtu 1500
inet 104.245.36.127 netmask 255.255.255.0 broadcast 104.245.36.255
inet6 fe80::200:68ff:fef5:247f prefixlen 64 scopeid 0x20
ether 00:00:68:f5:24:7f txqueuelen 1000 (Ethernet)
RX packets 1926738 bytes 314886412 (300.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 174907 bytes 29557250 (28.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 216 bytes 40041 (39.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 216 bytes 40041 (39.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305 mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::4152:a673:b260:d9e6 prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 304 (304.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Step 9 – Generate Client Configuration File
Create a new OpenVPN client configuration file named client.ovpn.
$ nano /etc/openvpn/client/client.ovpn
Add the following lines:
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Save the file after completion.
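The server.conf in Step 7 and the client.ovpn above rely on a handful of options for their security. The following checker is an added example, not part of the original tutorial: it parses an OpenVPN configuration and reports the settings a defender would want to confirm, including the minimum TLS version, the HMAC digest, the data-channel cipher, forward secrecy in tls-cipher, duplicate-cn, compression, a control-channel HMAC (tls-auth or tls-crypt), and remote-cert-tls on clients. The embedded sample is a constructed copy of the tutorial's server.conf lines.

```python
import shlex

# Constructed sample: the security-relevant lines of the tutorial's Step 7 server.conf.
SERVER_CONF = """\
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
compress lz4
"""
WEAK_CIPHERS = {"none", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}


def parse_config(text):
    """Map each option to its argument list; '#' or ';' starts a comment and a repeated option keeps its last value."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # handles quoted arguments such as push "redirect-gateway def1"
            opts[parts[0]] = parts[1:]
    return opts


def check_config(opts):
    """Return (severity, option, message) findings; an empty list means every check passed."""
    findings = []
    is_client = "client" in opts or "remote" in opts
    tls_min = opts.get("tls-version-min", ["1.0"])[0]  # OpenVPN 2.4 defaults to 1.0 when unset
    if tls_min < "1.2":  # "1.0" < "1.1" < "1.2" < "1.3" compares correctly as strings
        findings.append(("high", "tls-version-min", f"{tls_min} permits legacy TLS handshakes"))
    auth = opts.get("auth", ["SHA1"])[0]  # default data-channel HMAC digest is SHA1
    if auth.upper() not in {"SHA256", "SHA384", "SHA512"}:
        findings.append(("medium", "auth", f"{auth} is a weak HMAC digest"))
    cipher = opts.get("cipher", ["BF-CBC"])[0]  # default data-channel cipher is BF-CBC
    if cipher in WEAK_CIPHERS:
        findings.append(("high", "cipher", f"{cipher} is weak or disabled"))
    for suite in filter(None, opts.get("tls-cipher", [""])[0].split(":")):
        if "DHE" not in suite:  # DHE/ECDHE key exchange gives forward secrecy, plain RSA does not
            findings.append(("medium", "tls-cipher", f"{suite} has no forward secrecy"))
    if "duplicate-cn" in opts:
        findings.append(("medium", "duplicate-cn", "one client cert shared by many users; revoking it cuts them all off"))
    if "compress" in opts or "comp-lzo" in opts:
        findings.append(("medium", "compress", "compressing attacker-influenced plaintext can leak data (VORACLE)"))
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append(("low", "tls-auth", "no control-channel HMAC; any client hello reaches the TLS stack"))
    if is_client and "remote-cert-tls" not in opts:
        findings.append(("high", "remote-cert-tls", "any CA-signed cert, even another client's, is accepted as the server"))
    return findings
```

Run against the client.ovpn above, the checker flags the missing remote-cert-tls server, the option that stops a certificate issued to another client from being presented as the server.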
Step 10 – Configure routing using Firewalld
Add the OpenVPN service and the tun0 interface to the trusted firewall zone:
$ firewall-cmd --permanent --add-service=openvpn
$ firewall-cmd --permanent --zone=trusted --add-service=openvpn
$ firewall-cmd --permanent --zone=trusted --add-interface=tun0
Add MASQUERADE on the default zone:
$ firewall-cmd --add-masquerade
$ firewall-cmd --permanent --add-masquerade
Run the following commands to masquerade Internet traffic coming from the VPN network (10.8.0.0/24). The first command finds the interface that carries the default route; the awk loop searches for the word dev rather than a fixed field position, because recent iproute2 releases append extra fields such as uid 0 to the output of ip route get:
$ ext_if=$(ip route get 8.8.8.8 | awk 'NR==1 {for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1)}')
$ firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $ext_if -j MASQUERADE
Run this command to implement the changes:
$ firewall-cmd --reload
Step 11 – Connect OpenVPN from Clients
Log in to the client machine and install the OpenVPN package:
$ dnf install epel-release -y
$ dnf install openvpn -y
Copy the client configuration directory from the server:
$ scp -r root@vpn-server-ip:/etc/openvpn/client .
Change into the directory and run this command to connect to the OpenVPN server:
$ cd client
$ openvpn --config client.ovpn
You will see output like the following:
Mon Feb 17 00:54:17 2020 VERIFY OK: depth=0, CN=tecadmin-server
Mon Feb 17 00:54:17 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Mon Feb 17 00:54:17 2020 [tecadmin-server] Peer Connection Initiated with [AF_INET]104.245.36.127:1194
Mon Feb 17 00:54:18 2020 SENT CONTROL [tecadmin-server]: 'PUSH_REQUEST' (status=1)
Mon Feb 17 00:54:18 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: route options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: peer-id set
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Feb 17 00:54:18 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Feb 17 00:54:18 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 17 00:54:18 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 17 00:54:18 2020 ROUTE_GATEWAY 45.58.38.1/255.255.255.0 IFACE=eth0 HWADDR=00:00:2d:3a:26:d9
Mon Feb 17 00:54:18 2020 TUN/TAP device tun0 opened
Mon Feb 17 00:54:18 2020 TUN/TAP TX queue length set to 100
Mon Feb 17 00:54:18 2020 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 17 00:54:18 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Check it with the following command:
$ ifconfig tun0
Output:
tun0: flags=4305 mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::c6b:2644:5142:8e7f prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 96 (96.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0
Congratulations! You have installed OpenVPN Server and Client on CentOS 8 server. Let us know if this article was helpful in the comments below!