This guide will explain how to install and configure OpenVPN Server on RHEL / CentOS 8. A Virtual Private Network (VPN) allows you to traverse untrusted networks securely as if you were within a secure LAN network. OpenVPN is a full-featured, open-source Secure Socket Layer (SSL) VPN solution that supports a wide range of configurations.
With OpenVPN, you can easily set up a secure tunnel that extends a private network across a public network. All traffic sent through the tunnel is encrypted, and you can trust the information received on the other end. In this blog post, we will explore an easy way of installing and configuring an OpenVPN server on RHEL / CentOS 8.
Install OpenVPN Server on RHEL / CentOS 8
There are two options for setting up an OpenVPN server on RHEL / CentOS 8.
- Installing OpenVPN server manually – Time consuming
- Install OpenVPN server using automated scripts – Easy and quick
This guide will focus on using a trusted script to install and configure the OpenVPN server. We will use the openvpn-install script, which lets you set up your own VPN server in no more than a minute, even if you haven’t used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.
Step 1: Add EPEL and Install git
Add the EPEL repository to your RHEL / CentOS 8 system. It provides the openvpn package and the required dependencies.
We also need git to pull the code from GitHub. Ensure it is installed.
sudo dnf -y install git
Step 2: Clone openvpn-install repository
Now clone the openvpn-install repository using the git tool installed in Step 1:
$ cd ~
$ git clone https://github.com/Nyr/openvpn-install.git
Cloning into 'openvpn-install'...
remote: Enumerating objects: 541, done.
remote: Counting objects: 100% (541/541), done.
remote: Compressing objects: 100% (260/260), done.
remote: Total 541 (delta 285), reused 535 (delta 281), pack-reused 0
Receiving objects: 100% (541/541), 170.51 KiB | 2.84 MiB/s, done.
Resolving deltas: 100% (285/285), done.
Step 3: Run OpenVPN installer
Switch to the openvpn-install directory and run the installer script.
cd openvpn-install
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
You will get a couple of prompts to change or confirm default settings for the installation.
Welcome to this OpenVPN "road warrior" installer!
Which protocol do you want for OpenVPN connections?
1) UDP (recommended)
2) TCP
Protocol [1-2]: 1
What port do you want OpenVPN listening to?
Port: 1194
Which DNS do you want to use with the VPN?
1) Current system resolvers
2) 1.1.1.1
3) Google
4) OpenDNS
5) Verisign
DNS [1-5]: 1
Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: neveropen
Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue…
Updating Subscription Management repositories.
Updating Subscription Management repositories.
.......................
You need to set:
- Server’s IP address to be used by VPN
- The hostname of Server if inside NAT
- OpenVPN protocol to be used – TCP or UDP
- OpenVPN port
- DNS Nameserver to be used with VPN
- Name of first client profile to create
If the installation was successful, you should receive a message similar to the one below.
....
Notice
------
Keypair and certificate request completed. Your files are:
* req: /etc/openvpn/server/easy-rsa/pki/reqs/neveropen.req
* key: /etc/openvpn/server/easy-rsa/pki/private/neveropen.key
Using configuration from /etc/openvpn/server/easy-rsa/pki/a2ce9d70/temp.4.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'neveropen'
Certificate is to be certified until May 22 02:09:17 2033 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /etc/openvpn/server/easy-rsa/pki/issued/neveropen.crt
Notice
------
Inline file created:
* /etc/openvpn/server/easy-rsa/pki/inline/neveropen.inline
* Using Easy-RSA configuration:
/etc/openvpn/server/easy-rsa/pki/vars
* Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Using configuration from /etc/openvpn/server/easy-rsa/pki/936b8cd1/temp.3.1
Notice
------
An updated CRL has been created:
* /etc/openvpn/server/easy-rsa/pki/crl.pem
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@.service.
Finished!
The client configuration is available in: /root/neveropen.ovpn
New clients can be added by running this script again
The main OpenVPN server configuration file is /etc/openvpn/server/server.conf; you are free to tune it to your liking.
$ cat /etc/openvpn/server/server.conf
local 65.21.149.190
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 185.12.64.1"
push "dhcp-option DNS 185.12.64.2"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
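As an added example (not part of the original guide or the openvpn-install project), the script below checks a server configuration for the hardening directives visible in the listing above: tls-crypt, crl-verify, the user/group privilege drop, the auth digest and the data-channel cipher. The function names and the OK/WARN wording are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from openvpn-install: audit an OpenVPN server config.
# Function names and the OK/WARN output format are hypothetical.

# directive_value FILE NAME -> first argument of directive NAME, empty if unset
directive_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# audit_openvpn_conf FILE -> prints one OK/WARN line per check
audit_openvpn_conf() {
    conf=$1
    # Control-channel wrapping: packets without the shared key are dropped early.
    if grep -Eq '^[[:space:]]*tls-(crypt|crypt-v2|auth)[[:space:]]' "$conf"; then
        echo "OK   control channel is wrapped (tls-crypt/tls-auth)"
    else
        echo "WARN no tls-crypt or tls-auth directive"
    fi
    # Without crl-verify the server never consults the CRL that Easy-RSA writes.
    if [ -n "$(directive_value "$conf" crl-verify)" ]; then
        echo "OK   crl-verify is set"
    else
        echo "WARN crl-verify missing: revoked certificates would still connect"
    fi
    # Privilege drop after start-up.
    if [ -n "$(directive_value "$conf" user)" ] && [ -n "$(directive_value "$conf" group)" ]; then
        echo "OK   daemon drops privileges (user/group)"
    else
        echo "WARN user/group missing: daemon keeps root privileges"
    fi
    # HMAC digest: OpenVPN uses SHA1 when auth is not set.
    auth=$(directive_value "$conf" auth)
    case "${auth:-SHA1}" in
        SHA1|MD5) echo "WARN auth digest is ${auth:-SHA1 (default)}" ;;
        *)        echo "OK   auth digest is $auth" ;;
    esac
    # Data-channel cipher: AEAD modes are preferred over CBC.
    cipher=$(directive_value "$conf" cipher)
    case "$cipher" in
        "") ;;  # nothing configured, the version's defaults apply
        *GCM|CHACHA20-POLY1305) echo "OK   cipher $cipher is AEAD" ;;
        *) echo "WARN cipher $cipher is not AEAD; prefer AES-256-GCM" ;;
    esac
}

# Constructed sample: the security-relevant lines of the server.conf shown above.
sample=$(mktemp)
printf '%s\n' 'proto udp' 'auth SHA512' 'tls-crypt tc.key' 'cipher AES-256-CBC' \
    'user nobody' 'group nobody' 'crl-verify crl.pem' > "$sample"
audit_openvpn_conf "$sample"
rm -f "$sample"
```

Against the configuration generated in this guide, the only WARN line is the CBC cipher.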
A tun0 virtual interface will be created during the setup process. It serves the OpenVPN client subnet.
$ ip addr | grep tun0
3: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
The default subnet for this interface is 10.8.0.0/24. The OpenVPN server is assigned the IP address 10.8.0.1.
Step 4: Generate OpenVPN user profile (.ovpn file)
After completing steps 1 through 3, your VPN server is ready for use. We need to generate VPN profiles to be used by the users. The same script we used for the installation will be used for this. It manages the creation and revocation of user profiles.
Run the script and select 1 to add a new user.
$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 1
Tell me a name for the client certificate.
Please, use one word only, no special characters.
Name: user1
* Using Easy-RSA configuration:
/etc/openvpn/server/easy-rsa/pki/vars
* Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
.....................................................................................................................................................+++++
.....+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/163a2b91/temp.1.1'
-----
Notice
------
Keypair and certificate request completed. Your files are:
* req: /etc/openvpn/server/easy-rsa/pki/reqs/user1.req
* key: /etc/openvpn/server/easy-rsa/pki/private/user1.key
Using configuration from /etc/openvpn/server/easy-rsa/pki/163a2b91/temp.4.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'user1'
Certificate is to be certified until May 22 02:12:46 2033 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /etc/openvpn/server/easy-rsa/pki/issued/user1.crt
Notice
------
Inline file created:
* /etc/openvpn/server/easy-rsa/pki/inline/user1.inline
user1 added. Configuration available in: /root/user1.ovpn
The .ovpn OpenVPN profile file is placed inside the /root folder.
$ sudo ls /root/ | grep ovpn
neveropen.ovpn
user1.ovpn
Revoking OpenVPN user profile
To revoke a user profile, run the script and select 2.
$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 2
Select the existing client certificate you want to revoke:
1) neveropen
2) user1
Select one client [1-2]: 2
Do you really want to revoke access for client user1? [y/N]: y
...
* IMPORTANT *
Revocation was successful. You must run 'gen-crl' and upload a new CRL to your
infrastructure in order to prevent the revoked certificate from being accepted.
* Using Easy-RSA configuration:
/etc/openvpn/server/easy-rsa/pki/vars
* Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Using configuration from /etc/openvpn/server/easy-rsa/pki/040a8fcd/temp.3.1
Notice
------
An updated CRL has been created:
* /etc/openvpn/server/easy-rsa/pki/crl.pem
user1 revoked
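To confirm that a revocation like the one above took effect, the following added example (not part of the original guide or the openvpn-install project) reads certificate status from the Easy-RSA database. It assumes the database is the standard Easy-RSA index.txt inside the pki directory shown in the output; the function names, serial numbers and revocation time are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from openvpn-install: read client status from the
# Easy-RSA certificate database (pki/index.txt, OpenSSL CA format:
# status, expiry, revocation date, serial, file, subject; tab-separated).

# client_status INDEX -> "<CN> valid|revoked <expiry or revocation date>"
client_status() {
    awk -F'\t' '{
        cn = $6; sub(/^.*CN=/, "", cn)          # subject DN -> common name
        if ($1 == "R") print cn, "revoked", $3
        else if ($1 == "V") print cn, "valid", $2
    }' "$1"
}

# is_revoked INDEX CN -> exit 0 only if CN exists and has no valid certificate.
# A name that was revoked and later re-issued still has a live "V" entry.
is_revoked() {
    awk -F'\t' -v want="$2" '
        { cn = $6; sub(/^.*CN=/, "", cn) }
        cn == want { seen = 1; if ($1 != "R") live = 1 }
        END { exit !(seen && !live) }' "$1"
}

# Constructed sample database; serials and the revocation time are made up.
idx=$(mktemp)
{
    printf 'V\t330522020917Z\t\t%s\tunknown\t/CN=neveropen\n' 0A1B2C3D
    printf 'R\t330522021246Z\t230525021500Z\t%s\tunknown\t/CN=user1\n' 4E5F6A7B
} > "$idx"
client_status "$idx"
is_revoked "$idx" user1 && echo "user1: no valid certificate left"
is_revoked "$idx" neveropen || echo "neveropen: still valid"
rm -f "$idx"
```

The server enforces revocation through the CRL named by crl-verify, so also confirm that the revoked serial is listed by `openssl crl -in /etc/openvpn/server/easy-rsa/pki/crl.pem -noout -text`.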
Uninstalling OpenVPN server on RHEL / CentOS 8
If you no longer need OpenVPN server, uninstallation can be done using the same installer script.
$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 3
Do you really want to remove OpenVPN? [y/N]: y
788
success
success
success
success
success
success
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Dependencies resolved.
....
Complete!
OpenVPN removed!
Step 5: Connect to OpenVPN Server from the client
You can use the VPN client of your choice to configure an OpenVPN client on your operating system. For those who want to use the official OpenVPN client, go to the downloads page, get the latest release, and install it.
Once installed, on Windows, navigate to the directory with the ovpn profile, right-click on the file name, and select “Start OpenVPN on this config file”.
For Linux users, you can use NetworkManager and the OpenVPN plugin to connect to the OpenVPN server.
Conclusion
You have successfully installed the OpenVPN server on RHEL / CentOS 8. The computer at each end of the VPN tunnel encrypts the data entering the tunnel, and the data is decrypted at the other end. Check the OpenVPN documentation for more configuration options.