Install OpenVPN server CentOS 7

OpenVPN server CentOS 7

OpenVPN server CentOS 7

Today I will brief necessary steps for installing OpenVPN server CentOS 7. This will include custom server name and also rules for csf firewall which is widely used. The OpenVPN server name in this tutorial will be myvpnserver, associated domain will be, and server IP address is XXX.YYY.ZZZ.UUU . We will user a self-signed certificate for this case.

  1. First, we will add epel -release

    [bash]yum install epel-release[/bash]

  2. Then, install open-vpn server

    [bash]yum install openvpn easy-rsa -y[/bash]

  3. Next we will configure OpenVPN server

    1. First, we will copy the sample server.conf file as a starting point for our own configuration file (since we use myvpnserver as server name, we will use this name):

      [bash]cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/myvpnserver.conf[/bash]

    2. Edit the file:

      [bash]nano /etc/openvpn/myvpnserver.conf[/bash]

      • When we generate the keys, the default Diffie-Hellman encryption length for Easy RSA will be 2048 bytes, so we need to change the dh filename to dh2048.pem:

        [bash]dh dh2048.pem[/bash]

      • Uncomment the push “redirect-gateway def1 bypass-dhcp” line to tell clients to redirect all traffic through the OpenVPN:

        [bash]push "redirect-gateway def1 bypass-dhcp"[/bash]

      • We will use Google DNS for the OpenVPN server, so uncomment the push “dhcp-option DNS line:

        [bash]push "dhcp-option DNS"
        push "dhcp-option DNS"[/bash]

      • Update user and group to nobody so that OpenVPN runs with no privileges:

        [bash]user nobody
        group nobody[/bash]

      • Save the .conf file and exit.
    3. Next, we need to Generate Keys and Certificates for the OpenVPN server:
      • Create a directory for the keys:

        [bash]mkdir -p /etc/openvpn/easy-rsa/keys[/bash]

      • Copy the key and cert generation scripts to this folder so that we will use later:

        [bash]cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa[/bash]

      • Edit the /etc/openvpn/easy-rsa/vars file. The most important information to edit is KEY_NAME and KEY_CN to reflect the server name and domain name:

        [bash]# Don’t leave any of these fields blank.
        export KEY_COUNTRY="VN"
        export KEY_PROVINCE="HCM"
        export KEY_CITY="Ho Chi Minh"
        export KEY_ORG="YourORNAME-org"
        export KEY_EMAIL="[email protected]"
        export KEY_OU="YourOrgUnit"

        # X509 Subject Field
        export KEY_NAME="myvpnserver"

        # PKCS11 Smart Card
        # export PKCS11_MODULE_PATH="/usr/lib/"
        # export PKCS11_PIN=1234

        # If you’d like to sign all keys with the same Common Name, uncomment the KEY_CN export below
        # You will also need to make sure your OpenVPN server config has the duplicate-cn option set
        export KEY_CN=""[/bash]

      • Copy the openssl configuration file:

        [bash]cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf[/bash]

      • We will then start generating keys:

        [bash]cd /etc/openvpn/easy-rsa
        source ./vars
        ./build-key-server myvpnserver

      • Next, copy key and cert files to OpenVPN server:

        [bash]cd /etc/openvpn/easy-rsa/keys
        cp dh2048.pem ca.crt server.crt server.key /etc/openvpn[/bash]

      • Next, generate the key and cert for each client to connect. For example, we will generate the key and cert for user “client”:

        [bash]cd /etc/openvpn/easy-rsa
        ./build-key client[/bash]

  4. Setup routing rules for CSF firewall

    1. Enable IP forwarding by editing /etc/sysctl.conf and add the following line:

      [bash]net.ipv4.ip_forward = 1[/bash]

    2. Restart network service:

      [bash]systemctl restart network.service[/bash]

    3. Add pre-routing rules to CSF firewall by adding the following lines to /etc/csf/, remember to update your server IP:

      [bash]iptables -A INPUT -j ACCEPT -s -i tun0
      iptables -A OUTPUT -j ACCEPT -s -o tun0
      iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
      iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
      iptables -t nat –flush
      iptables -t nat -A POSTROUTING -o venet0 -s -j SNAT –to XXX.YYY.ZZZ.UUU[/bash]

    4. Restart CSF firewall:

      [bash]csf -r[/bash]

  5. Start OpenVPN

    [bash]systemctl -f enable [email protected]
    systemctl start [email protected][/bash]

  6. Configure and connect from a client

    1. First, copy client cert and key + ca from the following path to the client machine:


    2. We will need to create a configuration file (client.ovpn) for an OpenVPN client, telling it how to connect to the server. Remember to update client name (client), your server IP (XXX.YYY.ZZZ.UUU), and path to client’s key and certs (ca.crt, client.crt, client.key):

      dev tun
      proto udp
      remote XXX.YYY.ZZZ.UUU 1194
      resolv-retry infinite
      verb 3
      ca /path/to/ca.crt
      cert /path/to/client.crt
      key /path/to/client.key[/bash]

    3. Use the OpenVPN client software to connect to the server:
      • On MacOS: Usetunnelblick at We will need to place .ovpn file to the ~/Library/Application\ Support/Tunnelblick/Configurations/ folder
      • On Windows: Use OpenVPN binary: Remember to put .ovpn to the OpenVPN config C:\Program Files\OpenVPN\config folder
      • On Linux: we will install OpenVPN from OS official repositories and then invoke OpenVPN by executing:

        [bash]sudo openvpn –config ~/path/to/client.ovpn[/bash]

  7. Done and enjoy 🙂

About NhocConan

A super lazy guy who tries to write tech blog entries in English. He is lazy, so he can only write when he is in a good mood or when he is tired of coding.

Leave a comment

Your email address will not be published. Required fields are marked *