How to Install OpenVPN on CentOS 8?

How to Install OpenVPN on CentOS 8?, This tutorial is dedicated for you to be able to set up an OpenVPN connection on CentOS 8 without any problem.

Updated: 05 Mar, 23 by Susith Nonis 12 Min

VPN or virtual private network allows you to create your own internet in the World Wide Web. You can have loads of benefits form a VPN service.

  • You can encrypt the traffic to protect your identity
  • Change your location
  • Access the sites which are not accessible in your country and many more.

In this tutorial, you would learn how to install OpenVPN on CentOS 8.

Step 1 – Disable SELinux

Disable the SELinux in your system and open the /etc/selinux/config file:

$ nano /etc/selinux/config

Change the line:

SELINUX=disabled

Save the file and restart the system.

Step 2 – Enable IP Forwarding

Enable IP forwarding in your system to allow your network system to accept and send the packet to other systems mentioned.

Edit the file /etc/sysctl.conf:

$ nano /etc/sysctl.conf

Add

net.ipv4.ip_forward = 1

Save the file and run the following command:

$ sysctl –p

Step 3 – Install OpenVPN Server

Install the EPEL repository in your system.

To install the latest version run the ELEP repository:

$ dnf install epel-release

When prompted to continue press ‘y’

Run the following command:

dnf install openvpn

After the process download easy-rsa for managing SSL certificates.

Run the following command for easy-rsa inside /etc/openvpn directory.

$ cd /etc/openvpn

$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz

Now extract the downloaded file by running this command:

$ tar -xvzf EasyRSA-unix-v3.0.6.tgz        

Now rename the achieved directory to the easy-rsa

$ mv EasyRSA-v3.0.6 easy-rsa

Configure the Certificate Authority on your system by changing the directory to /etc/openvpn/easy-rsa and create a new Easy RSA’s configuration file:

$ cd /etc/openvpn/easy-rsa

$ nano vars

Then add your country, city, and preferred email address:

set_var EASYRSA                 "$PWD"

set_var EASYRSA_PKI             "$EASYRSA/pki"

set_var EASYRSA_DN              "cn_only"

set_var EASYRSA_REQ_COUNTRY     " COUNTRY"

set_var EASYRSA_REQ_PROVINCE    " PROVINCE              "

set_var EASYRSA_REQ_CITY        " CITY "

set_var EASYRSA_REQ_ORG         " CERTIFICATE AUTHORITY"

set_var EASYRSA_REQ_EMAIL                   "name@admin.net"

set_var EASYRSA_REQ_OU          " admin EASY CA"

set_var EASYRSA_KEY_SIZE        2048

set_var EASYRSA_ALGO            rsa

set_var EASYRSA_CA_EXPIRE                     7500

set_var EASYRSA_CERT_EXPIRE     365

set_var EASYRSA_NS_SUPPORT                               "no"

set_var EASYRSA_NS_COMMENT                            " admin CERTIFICATE AUTHORITY"

set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"

set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"

set_var EASYRSA_DIGEST          "sha256"

Now run this command:

$ ./easyrsa init-pki

Build the CA certificates with the following command:

$ ./easyrsa build-ca

Enter the new CA key passphrase and provide the common name (CN).

Step 5 – Generate Server Certificate Files

Run this command to sign the server key:

$ ./easyrsa sign-req server admin-server

Verify the generated certificate:

$ openssl verify -CAfile pki/ca.crt pki/issued/admin-server.crt

If all of your steps were correct you will receive the following output:

pki/issued/admin-server.crt: OK

Generate a strong Diffie-Hellman key to use for the key exchange:

$ ./easyrsa gen-dh

When you have created all the certificates now it is time to copy them to the /etc/openvpn/server/ directory:

$ cp pki/ca.crt /etc/openvpn/server/

$ cp pki/dh.pem /etc/openvpn/server/

$ cp pki/private/tecadmin-server.key /etc/openvpn/server/

$ cp pki/issued/tecadmin-server.crt /etc/openvpn/server/

Step 6 – Generate Client Certificate and Key File

For client certificate and file key run:

$ ./easyrsa gen-req client nopass

Then sign the client key using your CA certificate:

$ ./easyrsa sign-req client client

Now copy all client certificate and key file to the /etc/openvpn/client/ directory:

$ cp pki/ca.crt /etc/openvpn/client/

$ cp pki/issued/client.crt /etc/openvpn/client/

$ cp pki/private/client.key /etc/openvpn/client/

Step 7 – Configure OpenVPN Server on linux vps server

Create a new OpenVPN configuration file inside /etc/openvpn/client/ directory:

$ nano /etc/openvpn/server/server.conf

Add the following lines:

port 1194

proto udp

dev tun

ca /etc/openvpn/server/ca.crt

cert /etc/openvpn/server/admin-server.crt

key /etc/openvpn/server/admin-server.key

dh /etc/openvpn/server/dh.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1"

 

push "dhcp-option DNS 208.67.222.222"

push "dhcp-option DNS 208.67.220.220"

duplicate-cn

cipher AES-256-CBC

tls-version-min 1.2

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

auth SHA512

auth-nocache

keepalive 20 60

persist-key

persist-tun

compress lz4

daemon

user nobody

group nobody

log-append /var/log/openvpn.log

verb 3

save the file when you are done.

Step 8 – Start OpenVPN Service

OpenVPN is now installed and configured, reboot the system by using these commands:

$ systemctl start openvpn-server@server

$ systemctl enable openvpn-server@server

Verify the status of OpenVPN service by:

$ systemctl status openvpn-server@server

OpenVPN service started successfully will create a new network interface named tun0.

 You can check it with the following:

$ ifconfig

Interface tun0 will show the following output:

eth0: flags=4163  mtu 1500

        inet 104.245.36.127  netmask 255.255.255.0  broadcast 104.245.36.255

        inet6 fe80::200:68ff:fef5:247f  prefixlen 64  scopeid 0x20

        ether 00:00:68:f5:24:7f  txqueuelen 1000  (Ethernet)

        RX packets 1926738  bytes 314886412 (300.2 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 174907  bytes 29557250 (28.1 MiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

lo: flags=73  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10

        loop  txqueuelen 1000  (Local Loopback)

        RX packets 216  bytes 40041 (39.1 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 216  bytes 40041 (39.1 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

tun0: flags=4305  mtu 1500

        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2

        inet6 fe80::4152:a673:b260:d9e6  prefixlen 64  scopeid 0x20

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 4  bytes 304 (304.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 9 – Generate Client Configuration File

Create a new OpenVPN client configuration file named client.ovpn.

$ nano /etc/openvpn/client/client.ovpn

Add the following lines:

client

dev tun

proto udp

remote vpn-server-ip 1194

ca ca.crt

cert client.crt

key client.key

cipher AES-256-CBC

auth SHA512

auth-nocache

tls-version-min 1.2

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite

compress lz4

nobind

persist-key

persist-tun

mute-replay-warnings

verb 3

Save the file after completion.

Step 10 – Configure routing using Firewalld

OpenVPN service and tun0 interface to the trusted firewall zone:

$ firewall-cmd --permanent --add-service=openvpn

$ firewall-cmd --permanent --zone=trusted --add-service=openvpn

$ firewall-cmd --permanent --zone=trusted --add-interface=tun0

Add MASQUERADE on the default zone:

$ firewall-cmd --add-masquerade

$ firewall-cmd --permanent --add-masquerade

Run the following command to masquerade the internet traffic coming from VPN network (10.8.0.0/24).

$ tecadmin=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')

$ firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $tecadmin -j MASQUERADE

Run this command to implement the changes:

$ firewall-cmd --reload

Step 11 – Connect OpenVPN from Clients

Log in to the client machine and install the OpenVPN package:

$ dnf install epel-release -y

$ dnf install openvpn -y

Run the following command to download all the client configuration file:

$ scp -r root@vpn-server-ip:/etc/openvpn/client .

Change the directory and run these commands to connect to OpenVPN server:

$ cd client

$ openvpn --config client.ovpn

You will have the following output:

Mon Feb 17 00:54:17 2020 VERIFY OK: depth=0, CN=tecadmin-server

Mon Feb 17 00:54:17 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

Mon Feb 17 00:54:17 2020 [tecadmin-server] Peer Connection Initiated with [AF_INET]104.245.36.127:1194

Mon Feb 17 00:54:18 2020 SENT CONTROL [tecadmin-server]: 'PUSH_REQUEST' (status=1)

Mon Feb 17 00:54:18 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'

Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: timers and/or timeouts modified

Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ifconfig/up options modified

Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: route options modified

Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: peer-id set

Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: adjusting link_mtu to 1625

Mon Feb 17 00:54:18 2020 OPTIONS IMPORT: data channel crypto options modified

Mon Feb 17 00:54:18 2020 Data Channel: using negotiated cipher 'AES-256-GCM'

Mon Feb 17 00:54:18 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Mon Feb 17 00:54:18 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Mon Feb 17 00:54:18 2020 ROUTE_GATEWAY 45.58.38.1/255.255.255.0 IFACE=eth0 HWADDR=00:00:2d:3a:26:d9

Mon Feb 17 00:54:18 2020 TUN/TAP device tun0 opened

Mon Feb 17 00:54:18 2020 TUN/TAP TX queue length set to 100

Mon Feb 17 00:54:18 2020 /sbin/ip link set dev tun0 up mtu 1500

Mon Feb 17 00:54:18 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5

Check it with the following command:

$ ifconfig tun0

Output: 

tun0: flags=4305  mtu 1500

        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5

        inet6 fe80::c6b:2644:5142:8e7f  prefixlen 64  scopeid 0x20

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 2  bytes 96 (96.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0

Congratulations! You have installed OpenVPN Server and Client on CentOS 8 server. Let us know if this article was helpful in the comments below!

Susith Nonis

Susith Nonis

I'm fascinated by the IT world and how the 1's and 0's work. While I venture into the world of Technology, I try to share what I know in the simplest way with you. Not a fan of coffee, a travel addict, and a self-accredited 'master chef'.