How to install and configure OpenVPN server on CentOS

OpenVPN is one of the open source applications that allows you to create your own Virtual Private Network (VPN). We are not going to cover every VPN topic here; in short, a VPN carries data from point A to point B over an encrypted tunnel. This also lets the traffic pass some firewalls and proxies, which is one of the reasons we chose TCP port 443 (the default port for HTTPS, which is almost never filtered) instead of OpenVPN’s default port, UDP 1194.

I am going to set up a GNU/Linux machine, running CentOS 6 as the OpenVPN server.

OpenVPN Server Setup

Note: You must already have CentOS installed and a working network connection; if you don’t know how to do this, check out How to install Red Hat in 50 easy steps!

1. Disable SELinux and reboot the system!

[root@centos ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@centos ~]# reboot && exit

2. Install the EPEL repository.

[root@centos ~]# rpm -ivh http://mirrors.n-ix.net/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

3. Update the packages:

[root@centos ~]# yum -y update

4. Install OpenVPN and easy-rsa:

Note: Since OpenVPN version 2.3.2 “easy-rsa” is no longer bundled with OpenVPN and you need to install it from a different source; fortunately it is also available in the EPEL repository.

[root@centos ~]# yum -y install openvpn easy-rsa

5. Navigate to the easy-rsa tools directory:

[root@centos ~]# cd /usr/share/easy-rsa/2.0

6. Edit the vars file to match your data:

[root@centos 2.0]# vi vars

Find the following line

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

and replace it with:

export KEY_CONFIG=/usr/share/easy-rsa/2.0/openssl-1.0.0.cnf

You may edit any other variable to match your needs, but these are the only ones of interest:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="NewYork"
export KEY_ORG="VPN"
export KEY_EMAIL="[email protected]"
export KEY_OU="AlphaUnit"

7. Clean any previous info:

[root@centos 2.0]# ./clean-all

8. Source the variable environment:

[root@centos 2.0]# source ./vars

9. Build the Certificate Authority (CA):

[root@centos 2.0]# ./build-ca

10. Build the Diffie Hellman file (if you want more info about this, read the OpenVPN manual):

[root@centos 2.0]# ./build-dh

11. Create the Server Certificate and key:

[root@centos 2.0]# ./build-key-server openvpnserver

12. Copy the CA certificate file to OpenVPN configuration directory:

[root@centos 2.0]# cp keys/ca.crt /etc/openvpn/

13. Copy the server certificate to OpenVPN configuration directory:

[root@centos 2.0]# cp keys/openvpnserver.crt /etc/openvpn/

14. Copy the server key to OpenVPN configuration directory:

[root@centos 2.0]# cp keys/openvpnserver.key /etc/openvpn/

15. Copy the Diffie Hellman file to OpenVPN configuration directory:

[root@centos 2.0]# cp keys/dh1024.pem /etc/openvpn/

16. Create the OpenVPN configuration file:

[root@centos 2.0]# vi /etc/openvpn/server.conf

and append the following content to it (make sure you replace SERVER_IP_ADDRESS with the actual public IP address of your server):

local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert openvpnserver.crt
key openvpnserver.key
dh dh1024.pem
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

17. Start the OpenVPN server:

[root@centos 2.0]# service openvpn restart

If everything is ok, you should see the following message:
Starting openvpn:                                          [  OK  ]

18. Make sure that the OpenVPN interface is up and running:

[root@centos 2.0]# ifconfig -a | grep -A 7 tun0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.85.1  P-t-P:192.168.85.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

19. Enable IP forwarding and add the firewall rule that masquerades the traffic routed through the Virtual Private Network (eth0 is assumed to be the public-facing interface; replace it if yours is named differently):

[root@centos 2.0]# echo "1" > /proc/sys/net/ipv4/ip_forward

Note: To make this change persistent after reboot, insert the following line in /etc/sysctl.conf:

net.ipv4.ip_forward=1

[root@centos 2.0]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@centos 2.0]# service iptables save

20. It is time to create certificate/key pairs for the clients.

Note: You need to provide each client with the following:
  • ca.crt (Certificate Authority certificate) – this file is common to all clients
  • clientname.crt (client certificate) – this is private, not to be shared with anybody else
  • clientname.key (client private key) – this is private, not to be shared with anybody else

To create the client certificate, navigate to /usr/share/easy-rsa/2.0 if you happen to be inside a different directory and issue the following commands:

[root@centos 2.0]# source ./vars
[root@centos 2.0]# ./build-key clientname

Note: Repeat the last step to create a key/certificate pair for each client and provide the files to the client using a secure method (I suggest using SCP, SFTP, email or FTPS).
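The server.conf from step 16 is short enough to read by hand, but a small audit script makes the security-relevant choices explicit: the transport (TCP/443), the cipher, the full-tunnel push, and the hardening directives the file leaves out (privilege drop, tls-auth, DH size, an unauthenticated management socket, compression). The following is an added example, not part of the original guide: it embeds the guide's server.conf as a sample, parses OpenVPN's directive syntax, and audits it next to a constructed hardened variant. The file names ta.key and dh2048.pem in the hardened variant are assumptions.

```python
"""Audit an OpenVPN 2.x server.conf for the choices this guide makes.

Added example, not part of the original guide. It parses OpenVPN's directive
syntax (one directive per line, '#' or ';' comments, quoted arguments) and
reports the transport, the cipher and the hardening directives the guide's
configuration leaves out. SAMPLE_SERVER_CONF is the guide's file, embedded so
the script runs offline; HARDENED_SERVER_CONF is a constructed variant.
"""
import shlex

SAMPLE_SERVER_CONF = """\
local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert openvpnserver.crt
key openvpnserver.key
dh dh1024.pem
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
"""

# Constructed hardened variant (assumed file names): a 2048-bit DH file (set
# KEY_SIZE=2048 in vars before ./build-dh), no management socket, no
# compression, privilege drop after startup (persist-key/persist-tun, already
# present, keep restarts working) and a tls-auth HMAC key generated with
# `openvpn --genkey --secret ta.key`.
HARDENED_SERVER_CONF = (
    SAMPLE_SERVER_CONF.replace("dh dh1024.pem", "dh dh2048.pem")
    .replace("management localhost 7505\n", "")
    .replace("comp-lzo\n", "")
    + "user nobody\ngroup nobody\ntls-auth ta.key 0\n"
)


def parse_conf(text):
    """Return a list of (directive, [args]) pairs, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def audit(text):
    """Summarise the security-relevant directives of a server.conf."""
    by_name = {}
    for name, args in parse_conf(text):
        by_name.setdefault(name, []).append(args)

    def first_args(name, default):
        return by_name[name][0] if name in by_name else default

    proto = first_args("proto", ["udp"])[0]        # OpenVPN defaults
    port = first_args("port", ["1194"])[0]
    dh_file = first_args("dh", [""])[0]
    mgmt = first_args("management", None)          # [addr, port, pw-file?]

    return {
        "transport": f"{proto}/{port}",
        "full_tunnel": any(a and a[0].startswith("redirect-gateway")
                           for a in by_name.get("push", [])),
        "cipher": first_args("cipher", ["BF-CBC"])[0],   # 2.3's default
        # The file name is only a hint; the real size is inside the PEM.
        "weak_dh_hint": "1024" in dh_file,
        # Without user/group the daemon keeps root after the tun and keys are open.
        "runs_as_root": "user" not in by_name or "group" not in by_name,
        # tls-auth rejects packets without a valid HMAC before any TLS work.
        "no_tls_auth": "tls-auth" not in by_name,
        # management without a password file lets any local user attach.
        "management_unauthenticated": mgmt is not None and len(mgmt) < 3,
        "compression": "comp-lzo" in by_name,
    }


def report(text):
    for key, value in audit(text).items():
        print(f"{key:28} {value}")


if __name__ == "__main__":
    print("guide's server.conf")
    report(SAMPLE_SERVER_CONF)
    print("\nhardened variant")
    report(HARDENED_SERVER_CONF)
```

Run it against a real /etc/openvpn/server.conf by passing the file's contents to audit(); every value it returns maps to one directive you can change in place, and the hardened variant shows the resulting file.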

What follows is the earlier version of this guide, written for CentOS 6.2 (where easy-rsa was still bundled with OpenVPN), which also covers a Windows client.

OpenVPN is one of the open source applications that allows you to create your own Virtual Private Network. We are not going to cover all the topics regarding VPNs, but in short these are used to transfer data from point A to point B in a secure way. Of course this also allows us to bypass some firewalls, proxies, etc.

I am going to set up a GNU/Linux machine, running CentOS 6.2, as the OpenVPN server and a Windows machine as a client.

SERVER

1. Install the EPEL repository:

rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm

2. Update the packages:

yum -y update

3. Install OpenVPN:

yum -y install openvpn

4. Navigate to the certificate tools directory:

cd /usr/share/openvpn/easy-rsa/2.0

5. Copy the openssl-1.0.0 configuration file to openssl.cnf:

cp openssl-1.0.0.cnf openssl.cnf

6. Edit the vars file to match your data:

vim vars

You may edit any other variable to match your needs, but these are the only ones of interest:

export KEY_COUNTRY="RO"
export KEY_PROVINCE="BV"
export KEY_CITY="Brasov"
export KEY_ORG="ADesigns"
export KEY_EMAIL="[email protected]"

7. Clean any previous info:

./clean-all

8. Source the variable environment:

source ./vars

9. Build the Certificate Authority (CA):

./build-ca

10. Build the Diffie Hellman file (if you want more info about this, read the OpenVPN manual):

./build-dh

11. Create the server certificate and key (the copy commands below use hebe as the SERVER_NAME):

./build-key-server SERVER_NAME

12. Copy the CA certificate file to the OpenVPN configuration directory:

cp keys/ca.crt /etc/openvpn/

13. Copy the server certificate to the OpenVPN configuration directory:

cp keys/hebe.crt /etc/openvpn/

14. Copy the server key to the OpenVPN configuration directory:

cp keys/hebe.key /etc/openvpn/

15. Copy the Diffie Hellman file to the OpenVPN configuration directory:

cp keys/dh1024.pem /etc/openvpn/

16. Create the OpenVPN configuration file:

vim /etc/openvpn/SERVER_NAME.conf

and append the following content to it (replace SERVER_IP_ADDRESS with the public IP address of your server):

local SERVER_IP_ADDRESS
port 443
proto tcp
dev tun
ca ca.crt
cert SERVER_NAME.crt
key SERVER_NAME.key
dh dh1024.pem
server 192.168.85.0 255.255.255.0
ifconfig-pool-persist ipp.txt
management localhost 7505
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#user nobody
#group nobody
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
verb 3

17. Start the OpenVPN server:

service openvpn restart

If everything is ok, you should see the following message:

Starting openvpn:                                          [  OK  ]

CLIENT

Navigate to the OpenVPN site, go to the Community Section and download the Windows installer: http://openvpn.net/index.php/open-source/downloads.html

Create a new file called whatever.ovpn in the OpenVPN config directory (C:\Program Files (x86)\OpenVPN\config, where ca.crt and the client certificate and key were also placed) with the following content:

client
dev tun
proto tcp-client
remote 83.103.190.171 443
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\annamaria.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\annamaria.key"
cipher AES-256-CBC
comp-lzo
verb 3
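The client profile above references three separate files, which means three files (one of them a private key) have to be delivered to every user, as the note on client files in the server section describes. OpenVPN also accepts the CA certificate, client certificate and key embedded directly in the .ovpn inside <ca>, <cert> and <key> blocks, so a single file can be handed out. The following is an added example, not part of the original guide: it builds such a single-file profile from the same directives as the .ovpn above, checks that the embedded blocks are what they claim to be before the file leaves the server, and writes the file readable only by its owner. The PEM strings are constructed placeholders and vpn.example.com stands in for the server address.

```python
"""Build and sanity-check a single-file OpenVPN client profile.

Added example, not part of the original guide. The inline <ca>, <cert> and
<key> blocks are a standard OpenVPN feature; the PEM contents below are
constructed placeholders, and vpn.example.com is an assumed server name.
"""
import os
import re

# Constructed placeholders standing in for keys/ca.crt, keys/<client>.crt and
# keys/<client>.key produced by easy-rsa.
CONSTRUCTED_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIB...CA-PLACEHOLDER...\n"
    "-----END CERTIFICATE-----\n")
CONSTRUCTED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIB...CLIENT-PLACEHOLDER...\n"
    "-----END CERTIFICATE-----\n")
CONSTRUCTED_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMIIE...KEY-PLACEHOLDER...\n"
    "-----END PRIVATE KEY-----\n")

# Directives from the guide's Windows .ovpn minus the three file paths, which
# the inline blocks replace. cipher and comp-lzo must match the server side.
CLIENT_DIRECTIVES = (
    "client", "dev tun", "proto tcp-client", "resolv-retry infinite",
    "nobind", "persist-key", "persist-tun", "ns-cert-type server",
    "cipher AES-256-CBC", "comp-lzo", "verb 3",
)


def build_client_profile(remote_host, remote_port, ca_pem, cert_pem, key_pem):
    """Return the text of a self-contained .ovpn for one client."""
    lines = list(CLIENT_DIRECTIVES[:3])
    lines.append(f"remote {remote_host} {remote_port}")
    lines += CLIENT_DIRECTIVES[3:]
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        lines += [f"<{tag}>", pem.strip(), f"</{tag}>"]
    return "\n".join(lines) + "\n"


INLINE_RE = re.compile(
    r"^<(?P<tag>ca|cert|key)>\n(?P<body>.*?)\n</(?P=tag)>$", re.S | re.M)


def inline_blocks(profile_text):
    """Return {tag: body} for the inline PEM blocks found in a profile."""
    return {m.group("tag"): m.group("body")
            for m in INLINE_RE.finditer(profile_text)}


def check_profile(profile_text):
    """Checks to run before handing the file out: all three blocks present,
    each body is a PEM block, and <key> holds a private key rather than a
    second certificate (an easy mix-up when copying files by hand)."""
    blocks = inline_blocks(profile_text)
    problems = []
    for tag in ("ca", "cert", "key"):
        if tag not in blocks:
            problems.append(f"missing <{tag}> block")
            continue
        body = blocks[tag]
        if not (body.startswith("-----BEGIN ") and body.endswith("-----")):
            problems.append(f"<{tag}> is not PEM")
    if "key" in blocks and "PRIVATE KEY" not in blocks["key"].splitlines()[0]:
        problems.append("<key> does not hold a private key")
    return problems


def write_client_profile(path, profile_text):
    """The profile now contains the client's private key: create it mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(profile_text)


if __name__ == "__main__":
    profile = build_client_profile("vpn.example.com", 443, CONSTRUCTED_CA_PEM,
                                   CONSTRUCTED_CERT_PEM, CONSTRUCTED_KEY_PEM)
    print(profile)
    print("problems:", check_profile(profile))
```

On the server, replace the constructed PEM strings with the contents of keys/ca.crt, keys/clientname.crt and keys/clientname.key from the easy-rsa directory; the resulting file still has to be delivered over a secure channel, since it carries the private key.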

9 thoughts on “How to install and configure OpenVPN server on CentOS”

  1. After following this guide I can connect to the vpn but can’t connect to the internet. Any ideas on how to fix this would be appreciated! I noticed using the vpn I can connect to my server cp ip using Firefox but can’t connect to any websites.

    • What do the logs say? Check out these files in /etc/openvpn/:
      openvpn-status.log
      openvpn.log

      You should use tail on these to see the messages:

      tail -n 30 /etc/openvpn/openvpn.log

  2. I have followed all the steps and the Linux CentOS server seems to be operating as normal, but when I try to connect to the server with OpenVPN GUI it just sticks on Current State: Connecting, then it goes Reconnecting over and over again.

    Any ideas? Cheers!

    • Also gives this error in the OpenVPN GUI console before trying to reconnect again.

      Fri Nov 06 14:24:20 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Fri Nov 06 14:24:20 2015 TLS Error: TLS handshake failed
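The two problems raised in the comments are the ones this setup most often produces: a client that never completes the TLS handshake (which the server records in openvpn.log as "TLS Error" lines tagged with the client's address), and a client that connects but has no internet access (which is usually step 19, IP forwarding or the MASQUERADE rule, not being in place). The following is an added example, not part of the original post or its comments: it parses sample openvpn.log lines in the format the guide's `verb 3` / `log openvpn.log` settings produce, counts handshake failures per client address, lists clients that did connect, and checks the contents of /proc/sys/net/ipv4/ip_forward and `iptables-save` output for the two step-19 settings. All sample data is constructed.

```python
"""Triage helpers for the problems reported in the comments.

Added example, not part of the original guide. The log lines, ip_forward
value and iptables-save output below are constructed to look like what the
guide's configuration produces; in practice read them from
/etc/openvpn/openvpn.log, /proc/sys/net/ipv4/ip_forward and `iptables-save`.
"""
import re
from collections import Counter

SAMPLE_OPENVPN_LOG = """\
Fri Nov  6 14:20:01 2015 Initialization Sequence Completed
Fri Nov  6 14:23:20 2015 TCP connection established with [AF_INET]203.0.113.7:51002
Fri Nov  6 14:24:20 2015 203.0.113.7:51002 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov  6 14:24:20 2015 203.0.113.7:51002 TLS Error: TLS handshake failed
Fri Nov  6 14:24:20 2015 203.0.113.7:51002 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Nov  6 14:30:02 2015 198.51.100.23:60111 [clientname] Peer Connection Initiated with [AF_INET]198.51.100.23:60111
"""

SAMPLE_IP_FORWARD = "0\n"          # what step 19 changes to 1

SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# "<weekday> <month> <day> <time> <year> [<client ip:port>] <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) )?(?P<msg>.*)$")
PEER_OK_RE = re.compile(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated")


def parse_log(text):
    """Yield (timestamp, peer-or-None, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("peer"), m.group("msg")


def tls_failures(text):
    """Count 'TLS Error' lines per client address. A peer that only ever
    appears here never finished the handshake: wrong CA or certificate on the
    client, a clock far off, or port 443 not actually reaching the daemon."""
    counts = Counter()
    for _ts, peer, msg in parse_log(text):
        if msg.startswith("TLS Error:"):
            counts[peer or "unknown"] += 1
    return dict(counts)


def connected_clients(text):
    """Certificate common names that completed a connection."""
    names = set()
    for _ts, _peer, msg in parse_log(text):
        m = PEER_OK_RE.search(msg)
        if m:
            names.add(m.group("cn"))
    return sorted(names)


def forwarding_enabled(proc_text):
    """proc_text is the content of /proc/sys/net/ipv4/ip_forward."""
    return proc_text.strip() == "1"


def masquerade_present(iptables_save_text, out_iface="eth0"):
    """True if the nat table has a POSTROUTING MASQUERADE rule for out_iface,
    i.e. the rule `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`."""
    in_nat = False
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif in_nat and line.startswith("-A POSTROUTING"):
            parts = line.split()
            if ("-j" in parts and parts[parts.index("-j") + 1] == "MASQUERADE"
                    and "-o" in parts and parts[parts.index("-o") + 1] == out_iface):
                return True
    return False


def no_internet_checklist(proc_text, iptables_save_text, out_iface="eth0"):
    """Both must be True for VPN clients to reach the internet via the server."""
    return {"ip_forward": forwarding_enabled(proc_text),
            "masquerade": masquerade_present(iptables_save_text, out_iface)}


if __name__ == "__main__":
    print("TLS failures per peer:", tls_failures(SAMPLE_OPENVPN_LOG))
    print("connected clients:", connected_clients(SAMPLE_OPENVPN_LOG))
    print("step 19 checklist:", no_internet_checklist(SAMPLE_IP_FORWARD, SAMPLE_IPTABLES_SAVE))
```

With the constructed data the checklist reports ip_forward False, which is exactly the state that produces "connected but no internet"; on a live server feed it the real file contents and the output of `iptables-save`.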
