How to Set Up and Configure an OpenVPN Server on CentOS
In the world of online privacy and security, setting up a VPN (Virtual Private Network) is essential for safeguarding your data and browsing activities. OpenVPN is a popular, open-source VPN solution that provides a robust framework for creating secure point-to-point or site-to-site connections. In this blog post, we’ll walk you through the steps to set up and configure an OpenVPN server on CentOS. Whether you’re a seasoned system administrator or just starting, this guide will help you understand the core steps to get you up and running.
Prerequisites
Before diving into the installation and configuration of OpenVPN, ensure that you have the following:
- A CentOS Server: This guide assumes you’re using CentOS 7 or higher. If you’re using a different version or a derivative, make sure to adjust the commands accordingly.
- Root Access: You will need administrative privileges. It’s best to log in as the root user or a user with sudo rights.
- Firewall Access: You may need to adjust firewall settings to allow VPN traffic.
- EPEL Repository: Ensure that the Extra Packages for Enterprise Linux (EPEL) repository is enabled.
Step 1: Install OpenVPN and EasyRSA
First, let’s install OpenVPN and EasyRSA for certificate management.
sudo yum install epel-release -y
sudo yum install openvpn easy-rsa -y
Step 2: Set Up the EasyRSA Environment
EasyRSA is a tool used to manage SSL certificates for OpenVPN. We’ll create a new directory for EasyRSA and initialize the PKI (Public Key Infrastructure).
sudo mkdir -p /etc/openvpn/easy-rsa/3
sudo cp -r /usr/share/easy-rsa/3/. /etc/openvpn/easy-rsa/3/
cd /etc/openvpn/easy-rsa/3
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca
Step 3: Generate Server Certificates and Keys
Next, we’ll generate the server certificate and key:
sudo ./easyrsa build-server-full server nopass
sudo ./easyrsa gen-dh
sudo openvpn --genkey --secret /etc/openvpn/ta.key
This creates the server certificate and key (pki/issued/server.crt and pki/private/server.key), the Diffie-Hellman parameters (pki/dh.pem), and a shared tls-auth secret that lets the server discard packets from anyone who does not hold it before the TLS handshake even starts. The nopass option leaves the server key unencrypted so the service can start without a passphrase prompt; keep the PKI directory readable by root only.
Step 4: Configure the OpenVPN Server
Now it’s time to configure OpenVPN. Navigate to the OpenVPN directory and copy the sample server configuration file:
cd /etc/openvpn
sudo cp /usr/share/doc/openvpn*/sample/sample-config-files/server.conf .
sudo nano server.conf
Within this configuration file, modify the following lines as needed. Leave the sample file’s tls-auth ta.key 0 line active: it is what makes the shared secret generated in Step 3 take effect, and the relative path resolves because ta.key was written to /etc/openvpn, the directory the service runs in.
- Uncomment and set the paths for the certificates and keys you generated previously. For example:
ca /etc/openvpn/easy-rsa/3/pki/ca.crt
cert /etc/openvpn/easy-rsa/3/pki/issued/server.crt
key /etc/openvpn/easy-rsa/3/pki/private/server.key
dh /etc/openvpn/easy-rsa/3/pki/dh.pem
- Adjust the server directive to specify the VPN subnet.
server 10.8.0.0 255.255.255.0
- Uncomment the following lines to route all client traffic through the VPN and push DNS servers to the clients. Note that redirect-gateway only changes the clients’ routing; for the traffic to go anywhere, the server itself must have IP forwarding enabled (net.ipv4.ip_forward = 1) and must NAT the VPN subnet out of its public interface, otherwise clients connect but cannot reach anything beyond the server.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" # Google DNS
push "dhcp-option DNS 8.8.4.4" # Google DNS
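A common failure at this point is a server.conf whose ca/cert/key/dh/tls-auth lines point at files that do not exist or have the wrong permissions, which only shows up as a cryptic error in the journal when the service starts. The script below is an added example (not part of the original post or of OpenVPN itself) that reads the directives out of a server.conf, checks that each referenced file exists and that the private key and tls-auth secret are not readable by other users, warns when the shared secret from Step 3 is never referenced, and reports the current ip_forward setting. It assumes, as the systemd unit arranges, that relative paths resolve against the directory containing the config file; the function name check_server_conf and the output format are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the PKI file
# references in an OpenVPN server.conf before starting openvpn@server.
# Assumption: relative paths in the config resolve against the directory
# that holds the config file (the working directory the service runs in).
# Usage: check_server_conf /etc/openvpn/server.conf
# Returns 0 when every referenced file is readable, 1 otherwise.

check_server_conf() {
    conf="$1"
    confdir=$(dirname "$conf")
    missing=0

    # Emit "directive=path" for each file-referencing directive, skipping
    # lines commented with # or ;. For tls-auth/tls-crypt only the first
    # argument is a path. (Paths containing spaces are not supported here.)
    for entry in $(awk '!/^[[:space:]]*[#;]/ && ($1=="ca" || $1=="cert" || $1=="key" || $1=="dh" || $1=="tls-auth" || $1=="tls-crypt" || $1=="crl-verify") { print $1 "=" $2 }' "$conf"); do
        directive=${entry%%=*}
        path=${entry#*=}
        case "$path" in
            /*) full="$path" ;;
            *)  full="$confdir/$path" ;;
        esac
        if [ -r "$full" ]; then
            printf 'ok      %-10s %s\n' "$directive" "$full"
        else
            printf 'MISSING %-10s %s\n' "$directive" "$full"
            missing=$((missing + 1))
        fi
        # The private key and the shared secret must not be group- or
        # world-readable: columns 5-10 of ls -l are the group/other bits.
        if [ -r "$full" ] && { [ "$directive" = key ] || [ "$directive" = tls-auth ] || [ "$directive" = tls-crypt ]; }; then
            mode=$(ls -l "$full" | cut -c5-10)
            [ "$mode" = "------" ] || printf 'WARNING %s is readable by others (chmod 600 %s)\n' "$full" "$full"
        fi
    done

    # ta.key from Step 3 does nothing unless a tls-auth or tls-crypt line uses it.
    grep -Eq '^[[:space:]]*tls-(auth|crypt)[[:space:]]' "$conf" \
        || echo 'WARNING no tls-auth/tls-crypt directive: the shared secret is unused'

    # redirect-gateway also needs the server to forward packets.
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        printf 'info    net.ipv4.ip_forward = %s\n' "$(cat /proc/sys/net/ipv4/ip_forward)"
    fi

    [ "$missing" -eq 0 ]
}

# Stand-alone use: pass the config path as the first argument.
if [ -n "$1" ]; then
    check_server_conf "$1"
fi
```

Run it as root after editing server.conf and before Step 5; a non-zero exit means at least one referenced file is missing, and the WARNING lines point at the two mistakes that most often leave a working-looking server weaker than intended (an unused ta.key, or a key file other users can read).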
Step 5: Start and Enable the OpenVPN Service
Once configured, start the OpenVPN service and enable it to start at boot. The @server instance name selects /etc/openvpn/server.conf; if your release ships openvpn-server@.service instead of openvpn@.service, place the file in /etc/openvpn/server/ and use that unit name instead.
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Step 6: Adjust the Firewall (if applicable)
If your server has a firewall running (like firewalld), you’ll need to allow VPN traffic. Use the following commands to allow OpenVPN through the firewall (the openvpn service definition already covers 1194/udp, so the second rule only matters if you changed the port). If you push redirect-gateway to clients in Step 4, their traffic must also be masqueraded behind the server’s address (firewall-cmd --permanent --add-masquerade) and IP forwarding must be enabled, or clients will connect but have no connectivity beyond the server.
sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --add-port=1194/udp
sudo firewall-cmd --reload
Step 7: Generate Client Certificates
Using EasyRSA, let’s create a certificate for a client:
cd /etc/openvpn/easy-rsa/3
sudo ./easyrsa build-client-full client1 nopass
You can create multiple clients by repeating the last command with different client names. The certificate lands in pki/issued/client1.crt and the key in pki/private/client1.key. Omit nopass if you want the client’s private key protected by a passphrase, which is worth doing for keys that will live on laptops. Give each client its own certificate rather than sharing one, so that a single lost device can be revoked without affecting the others.
Step 8: Configure the Client
Finally, we need to set up the client configuration. Navigate to the OpenVPN configuration directory and create a client configuration file.
cp /usr/share/doc/openvpn*/sample/sample-config-files/client.conf ~/client.ovpn
Edit the configuration file to point to the server and ensure the paths to the certificates and keys are correct. The client also needs a copy of ta.key, referenced by the sample file’s tls-auth ta.key 1 line (direction 1 on the client side, 0 on the server).
Example edits include:
remote your_server_ip 1194
ca ca.crt
cert client1.crt
key client1.key
Step 9: Connect the Client to the VPN
Copy the necessary files (ca.crt, client1.crt, client1.key, ta.key and the client configuration) to your local machine over a secure channel such as scp, and keep the private key readable only by your own user. Use OpenVPN client software on your device to connect using the .ovpn config file.
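Handing a client four separate files plus a config that refers to them by relative path is error-prone; OpenVPN also accepts the certificates and keys embedded in the .ovpn file itself. The script below is an added example (not part of the original post or of the OpenVPN project) that builds such a self-contained file: it drops the file-based ca/cert/key/tls-auth lines from a base client config, adds key-direction 1 (required when tls-auth is given inline on the client side), and appends each file inside <ca>, <cert>, <key> and <tls-auth> blocks. It assumes the base config uses tls-auth as the sample client.conf does; the function names build_inline_ovpn and embed_block are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: merge a client config, the CA
# certificate, the client certificate and key, and the tls-auth secret into
# one self-contained .ovpn so a single file is copied to the client.
# Assumption: the base config uses tls-auth (as the sample client.conf does);
# the inline form needs "key-direction 1" on the client side.
# Usage: build_inline_ovpn client.ovpn ca.crt client1.crt client1.key ta.key > client1-inline.ovpn

# Print one inline block: <tag> ... </tag>
embed_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

build_inline_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "build_inline_ovpn: cannot read $f" >&2
            return 1
        fi
    done
    # Keep every line except the file-based directives the inline blocks
    # replace (grep exits 1 on an empty result, which is not an error here).
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" || true
    echo 'key-direction 1'
    embed_block ca "$ca"
    embed_block cert "$cert"
    embed_block key "$key"
    embed_block tls-auth "$ta"
}

# Stand-alone use: five arguments, output on stdout.
if [ "$#" -eq 5 ]; then
    build_inline_ovpn "$@"
fi
```

The resulting file contains the client’s private key and the shared secret, so write it with a restrictive umask or chmod 600 it immediately, transfer it over scp or another authenticated channel, and delete server-side copies of client keys once they have been delivered.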
Conclusion
You now have an operational OpenVPN server running on CentOS. With a secure connection established between your devices and the server, your online activities will remain private and protected. It’s crucial to keep your server updated and periodically review security practices to ensure the safety of your VPN solution.