Set Up and Configure an OpenVPN Server on CentOS 7


8 min read 14-11-2024

Introduction

OpenVPN is a powerful and versatile open-source VPN solution widely used for secure communication over the internet. Its flexibility and reliability make it a preferred choice for individuals and businesses alike, allowing them to establish secure connections between their devices and remote servers or networks. This article will provide a comprehensive guide on setting up and configuring an OpenVPN server on CentOS 7, covering every step from installation to advanced customization.

Prerequisites

Before diving into the configuration, ensure you meet the following prerequisites:

  • A CentOS 7 server with root access.
  • A domain name pointed at your server's public IP address (a static IP address works just as well, since it is only used in the client's remote line). We'll use example.com throughout this guide.
  • Basic understanding of Linux commands and server administration.

Step 1: Install Required Packages

Begin by updating your CentOS 7 system and installing the essential packages:

sudo yum -y update
sudo yum -y install epel-release
sudo yum -y install openvpn easy-rsa

These commands update the installed packages, enable the EPEL repository (which is where openvpn and easy-rsa come from on CentOS 7), and install OpenVPN 2.4 together with Easy-RSA 3, the small CA toolkit used below to issue the X.509 certificates for the server and for each client.

Step 2: Configure Easy-RSA

The EPEL package installs Easy-RSA 3 under /usr/share/easy-rsa/3/ (run ls /usr/share/easy-rsa/ if your package uses a versioned directory name instead). Copy it into /etc/openvpn so the PKI lives next to the OpenVPN configuration, then change into it:

sudo mkdir -p /etc/openvpn/easy-rsa
sudo cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/

Next, copy the shipped vars.example template to a file named vars (if your package did not ship vars.example, create vars containing just the set_var lines below):

sudo cp vars.example vars

Open the vars file for editing:

sudo nano vars

Easy-RSA 3 reads its settings as set_var lines; the export KEY_* form belongs to Easy-RSA 2 and is ignored by the easyrsa script used in the next step. Uncomment and adjust the following:

  • set_var EASYRSA_REQ_COUNTRY "US": Replace "US" with your two-letter country code.
  • set_var EASYRSA_REQ_PROVINCE "California": Replace "California" with your state or province.
  • set_var EASYRSA_REQ_CITY "San Francisco": Replace "San Francisco" with your city.
  • set_var EASYRSA_REQ_ORG "Example Inc": Replace "Example Inc" with your organization name.
  • set_var EASYRSA_REQ_EMAIL "admin@example.com": Replace with your email address.
  • set_var EASYRSA_REQ_OU "OpenVPN": This defines the organizational unit.
  • set_var EASYRSA_KEY_SIZE 2048: RSA key length for the CA and every certificate it issues; do not go below 2048.
  • set_var EASYRSA_CA_EXPIRE 3650: Lifetime of the CA certificate in days.
  • set_var EASYRSA_CERT_EXPIRE 3650: Lifetime in days of the server and client certificates signed by this CA.

There is no equivalent of a KEY_CN or KEY_NAME setting: the common name of each certificate is the name you pass on the easyrsa command line (server, client, and so on), and it does not need to be your domain name.

Save the changes and exit the editor.

Step 3: Generate Server Certificate

Run the following from /etc/openvpn/easy-rsa to create the PKI, the CA and the server certificate, plus the two extra files the server configuration in Step 4 refers to: the Diffie-Hellman parameters (dh.pem) and the tls-auth key (ta.key):

sudo ./easyrsa init-pki
sudo ./easyrsa build-ca nopass
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
sudo ./easyrsa gen-dh
sudo openvpn --genkey --secret pki/ta.key

build-ca prompts for a common name for the CA (any descriptive name will do), and sign-req asks you to confirm the request by typing yes. nopass leaves the CA and server keys unencrypted so that OpenVPN can start unattended, so keep pki/private readable by root only. On OpenVPN 2.5 or later the last command is spelled openvpn --genkey secret pki/ta.key. When the commands finish you will have pki/ca.crt, pki/issued/server.crt, pki/private/server.key, pki/dh.pem and pki/ta.key. sign-req server applies Easy-RSA's server certificate type, which adds the TLS server extended key usage; the client configuration in Step 7 relies on that to refuse any non-server certificate signed by this CA.

Step 4: Configure OpenVPN Server

Create a new configuration file for your OpenVPN server:

sudo nano /etc/openvpn/server.conf

Add the following configuration directives to the server.conf file:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 60
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
user nobody
group nobody

Explanation of the configuration:

  • port 1194: The UDP port OpenVPN listens on. Any port works as long as the firewall rule in Step 5 and the client's remote line agree; 1194 is the registered default.
  • proto udp: UDP avoids the latency penalty of running TCP inside TCP; switch to tcp only where UDP is blocked on the client side.
  • dev tun: A routed (layer 3) tunnel interface. tap would carry Ethernet frames and is only needed for bridging.
  • ca /etc/openvpn/easy-rsa/pki/ca.crt: The CA certificate used to verify client certificates. Easy-RSA writes it to pki/ca.crt, not to pki/issued/.
  • cert /etc/openvpn/easy-rsa/pki/issued/server.crt and key /etc/openvpn/easy-rsa/pki/private/server.key: The server certificate and private key produced in Step 3.
  • dh /etc/openvpn/easy-rsa/pki/dh.pem: The Diffie-Hellman parameters generated with ./easyrsa gen-dh, used in the TLS key exchange.
  • tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0: Every control-channel packet must carry an HMAC computed with the shared ta.key, so packets from anyone who does not hold the key are discarded before they reach the TLS code. The trailing number is the key direction: 0 on the server, 1 on every client.
  • server 10.8.0.0 255.255.255.0: Run in multi-client server mode and assign client addresses from this subnet; the server itself takes 10.8.0.1.
  • push "redirect-gateway def1 bypass-dhcp": Tells clients to send all their traffic through the VPN. This only works once IP forwarding and NAT are set up in Step 5.
  • push "dhcp-option DNS 8.8.8.8" and push "dhcp-option DNS 8.8.4.4": DNS servers the clients should use, so that name lookups also travel inside the tunnel. Windows clients apply these automatically; Linux clients act on them only through a script such as update-resolv-conf.
  • keepalive 10 60: Ping the peer every 10 seconds when idle and consider it gone after 60 seconds of silence; the server pushes these values to clients and uses twice the timeout for itself.
  • persist-key: Do not re-read the key files on a restart signal. Required once privileges are dropped (see user and group below), because the process can no longer open root-owned keys.
  • persist-tun: Likewise, keep the tun device open across restarts rather than recreating it, which would need root.
  • status /var/log/openvpn-status.log: Rewritten every minute with the connected clients, their public addresses and their tunnel addresses.
  • log-append /var/log/openvpn.log: Append log messages to this file. (log would truncate it on every start, discarding history you may need later.)
  • verb 3: Moderately detailed logging; raise to 4 while troubleshooting.
  • cipher AES-256-GCM: Authenticated encryption for the data channel. OpenVPN 2.4 peers negotiate AES-256-GCM by default, but stating it prevents a fallback to a CBC cipher.
  • auth SHA256: The HMAC algorithm for tls-auth (and for the data channel when a non-AEAD cipher is negotiated).
  • tls-version-min 1.2: Refuse TLS 1.0 and 1.1 on the control channel.
  • user nobody and group nobody: After the tunnel is up, drop root privileges so that a flaw in OpenVPN yields only an unprivileged process. On CentOS both the user and the group are named nobody.

Two directives that appear in many templates are left out on purpose:

  • client-to-client lets every VPN client talk directly to every other one, so one compromised laptop becomes a route to the rest. Add it only if clients genuinely need to reach each other.
  • comp-lzo enables compression. The VORACLE attack (2018) recovers plaintext from compressed, encrypted OpenVPN traffic, so do not enable compression on either side.

Save the changes and exit the editor.
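As an added example (this is not code from the original guide), the script below audits a server.conf for the weak settings discussed above: compression, client-to-client, a missing or mis-directed tls-auth, a CBC cipher, no TLS floor, no privilege drop and the wrong CA path. The directive names are real OpenVPN 2.4 directives; which of them count as findings is this script's own policy, and the two sample configurations it embeds (the file before hardening and the file after) are constructed so that it runs offline.

```shell
#!/bin/sh
# Audit an OpenVPN server.conf for the weaknesses discussed above.
# Added example, not part of the original guide. The directive names are
# real OpenVPN 2.4 directives; which ones count as findings is this script's
# own policy, and the two sample configurations at the bottom are constructed.
#
# Usage: audit_server_conf /etc/openvpn/server.conf
#   prints one finding per line; exit status 0 means nothing was flagged.

# has RE: true if some line is a directive matching RE (leading spaces allowed)
has() { grep -Eq "^[[:space:]]*($1)([[:space:]]|$)" "$CONF"; }

# say MSG: report one finding and count it
say() { echo "$1"; n=$((n + 1)); }

audit_server_conf() {
  CONF=$1
  n=0
  has 'comp-lzo|compress' \
    && say 'compression enabled: remove comp-lzo/compress (VORACLE recovers plaintext from compressed, encrypted traffic)'
  has 'client-to-client' \
    && say 'client-to-client: every client can reach every other client; drop it unless that is intended'
  has 'tls-auth|tls-crypt' \
    || say 'no tls-auth/tls-crypt: unauthenticated packets reach the TLS handshake code'
  grep -Eq '^[[:space:]]*tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+1[[:space:]]*$' "$CONF" \
    && say 'tls-auth key direction is 1 on the server: use 0 here and 1 on the clients'
  has 'cipher[[:space:]]+AES-(128|256)-GCM' \
    || say 'cipher: use AES-256-GCM (authenticated encryption) rather than a CBC mode'
  has 'tls-version-min' \
    || say 'tls-version-min missing: add "tls-version-min 1.2"'
  { has 'user' && has 'group'; } \
    || say 'user/group missing: drop privileges with "user nobody" and "group nobody"'
  has 'ca[[:space:]]+[^[:space:]]*/issued/ca\.crt' \
    && say 'ca: Easy-RSA writes the CA certificate to pki/ca.crt, not pki/issued/'
  [ "$n" -eq 0 ]
}

# Constructed sample: the server.conf of this guide before hardening.
write_weak_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/issued/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
client-to-client
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 1
cipher AES-256-CBC
auth SHA256
user nobody
group nobody
comp-lzo
EOF
}

# Constructed sample: the same file after the fixes discussed above.
write_hardened_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
user nobody
group nobody
EOF
}

# Stand-alone run: sh audit.sh --demo audits both samples.
if [ "${1:-}" = "--demo" ]; then
  t=$(mktemp -d)
  write_weak_conf "$t/weak.conf"
  write_hardened_conf "$t/hardened.conf"
  echo "== weak =="; audit_server_conf "$t/weak.conf"
  echo "== hardened =="; audit_server_conf "$t/hardened.conf" && echo "no findings"
  rm -rf "$t"
fi
```

Against the pre-hardening sample the audit reports six findings; against the hardened one it reports nothing and exits 0, which makes it usable as a check in a deployment pipeline before the unit is restarted.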

Step 5: Configure Firewall

CentOS 7 ships firewalld rather than the iptables service, so add the rules with firewall-cmd. Three things are needed: open the OpenVPN port, allow forwarding between the tunnel and the outside, and masquerade (NAT) the clients' traffic so that the push "redirect-gateway" line in Step 4 actually gives them internet access. First enable IP forwarding in the kernel and make it persistent across reboots:

echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-openvpn.conf
sudo sysctl -p /etc/sysctl.d/99-openvpn.conf

Then add the firewall rules. firewalld's openvpn service definition is 1194/udp; if you changed the port, use --add-port=PORT/udp instead:

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

Placing tun0 in the trusted zone lets packets from clients be forwarded, and --add-masquerade on the default (public) zone rewrites their source address to the server's on the way out. If you have replaced firewalld with iptables-services, the equivalent entries in /etc/sysconfig/iptables are an INPUT rule in the *filter section, FORWARD rules accepting traffic to and from tun0 if your FORWARD chain rejects by default, and a masquerade rule in the *nat section (replace eth0 with your public interface):

-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

followed by sudo systemctl restart iptables.

Step 6: Start OpenVPN Server

The EPEL package ships a template unit, openvpn@.service, that reads /etc/openvpn/NAME.conf. Since the configuration is /etc/openvpn/server.conf, the instance is openvpn@server. Start it and enable it at boot:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Verify the server is running and that the tunnel interface exists:

sudo systemctl status openvpn@server
ip addr show tun0

If the service fails to start, sudo journalctl -u openvpn@server and /var/log/openvpn.log show why; wrong file paths and keys the process cannot read are the usual causes.

Step 7: Generate Client Configuration

Now, we need to generate a configuration file for each client that will connect to the OpenVPN server.

Navigate to the Easy-RSA directory:

cd /etc/openvpn/easy-rsa/

Generate a client certificate. This guide simply calls it client; in practice give every device its own name (laptop-alice, phone-bob, and so on) so that each holds its own credential and a lost device can be revoked individually with ./easyrsa revoke NAME followed by ./easyrsa gen-crl:

sudo ./easyrsa gen-req client nopass
sudo ./easyrsa sign-req client client

This signs the request with Easy-RSA's client certificate type and writes the certificate to pki/issued/client.crt; the matching private key is pki/private/client.key.

Next, create a directory for the client material, readable by root only because it will hold private keys:

sudo mkdir -p /etc/openvpn/client-configs
sudo chmod 700 /etc/openvpn/client-configs

Copy the CA certificate, the client certificate, the client private key and the tls-auth key into it (the CA certificate lives in pki/ca.crt, not in pki/issued/):

sudo cp pki/ca.crt /etc/openvpn/client-configs/ca.crt
sudo cp pki/issued/client.crt /etc/openvpn/client-configs/client.crt
sudo cp pki/private/client.key /etc/openvpn/client-configs/client.key
sudo cp pki/ta.key /etc/openvpn/client-configs/ta.key

Finally, create a configuration file for the client:

sudo nano /etc/openvpn/client-configs/client.conf

Add the following configuration directives:

client
dev tun
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
verb 3

Explanation of the configuration:

  • client: Act as a client and accept the options the server pushes (this is what makes the push directives in server.conf take effect).
  • dev tun and proto udp: Must match the server.
  • remote example.com 1194: The server's hostname (or IP address) and port.
  • resolv-retry infinite: Keep retrying if the hostname cannot be resolved yet, for instance while a laptop's network is still coming up.
  • nobind: Use a random local source port instead of binding port 1194 on the client.
  • persist-key and persist-tun: As on the server, keep the keys and the tun device across restarts.
  • remote-cert-tls server: Accept only a server certificate whose extended key usage marks it as a TLS server. Without this, any client certificate issued by the same CA (a stolen laptop's, for example) could be used to impersonate the server.
  • ca ca.crt, cert client.crt and key client.key: The CA certificate, this client's certificate and its private key. Relative paths are resolved from the directory openvpn is started in; use absolute paths, or a single profile with the files inlined, for anything that runs as a service.
  • tls-auth ta.key 1: The same shared HMAC key as the server, with key direction 1 on the client (the server uses 0).
  • cipher AES-256-GCM and auth SHA256: Match the server.
  • verb 3: Logging detail; raise to 4 while troubleshooting.

Save the changes and exit the editor.

Step 8: Connect Clients

Now, you can connect your clients to the OpenVPN server using the generated configuration file.

On each client machine, install the OpenVPN client software, then copy ca.crt, client.crt, client.key, ta.key and client.conf from /etc/openvpn/client-configs on the server into one directory, using a channel that protects confidentiality (scp over SSH, or removable media you control). client.key and ta.key are long-lived secrets: do not send them by e-mail or chat, and delete any intermediate copies. From that directory, connect with:

sudo openvpn --config client.conf

Root (or an equivalent capability) is needed because openvpn creates the tun interface. The client log should end with "Initialization Sequence Completed": that line means the TLS handshake succeeded, the server certificate passed the remote-cert-tls check and the tunnel is up.
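Shipping five separate files is error-prone, so a common practice is to inline the certificates and keys into a single .ovpn profile. The function below does that. It is an added example, not part of the original guide, and assumes the file layout of Step 7 (ca.crt, NAME.crt, NAME.key and ta.key in one directory); the hostname and port default to the guide's example.com and 1194 when not given.

```shell
#!/bin/sh
# make_ovpn: build a single-file .ovpn profile for one client by inlining the
# CA certificate, the client certificate and key, and the tls-auth key, so the
# client receives one file instead of five. Added example, not part of the
# original guide. Assumed (hypothetical) layout: DIR holds ca.crt, NAME.crt,
# NAME.key and ta.key as produced in Step 7; HOST and PORT default to the
# values used throughout the guide.
#
# Usage: make_ovpn DIR NAME [HOST] [PORT]   -> prints the path of DIR/NAME.ovpn

# pem_block FILE: print only the -----BEGIN ... -----END block, dropping the
# human-readable dump that Easy-RSA prepends to issued certificates
pem_block() { sed -n '/^-----BEGIN/,/^-----END/p' "$1"; }

make_ovpn() {
  dir=$1 name=$2 host=${3:-example.com} port=${4:-1194}
  for f in ca.crt "$name.crt" "$name.key" ta.key; do
    [ -s "$dir/$f" ] || { echo "make_ovpn: missing $dir/$f" >&2; return 1; }
  done
  out="$dir/$name.ovpn"
  (
    umask 077   # the profile embeds a private key: create it owner-readable only
    {
      cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3
EOF
      echo '<ca>';       pem_block "$dir/ca.crt";      echo '</ca>'
      echo '<cert>';     pem_block "$dir/$name.crt";   echo '</cert>'
      echo '<key>';      pem_block "$dir/$name.key";   echo '</key>'
      echo '<tls-auth>'; pem_block "$dir/ta.key";      echo '</tls-auth>'
    } > "$out"
  )
  echo "$out"
}
```

An inline tls-auth block cannot carry the direction argument, which is why the profile states key-direction 1 on its own line. On the server this is run as make_ovpn /etc/openvpn/client-configs client, and the client then connects with sudo openvpn --config client.ovpn. The profile contains the private key, so it is created mode 600 and must be delivered as carefully as the raw key.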

Step 9: Accessing the VPN

Once connected, the client holds an address from the VPN subnet (10.8.0.0/24 in this example; the server is 10.8.0.1) and, because of redirect-gateway, sends all of its traffic through the tunnel. Internet traffic leaves with the server's public address thanks to the masquerade rule from Step 5, and services on the server itself are reachable at 10.8.0.1. Other hosts on the server's LAN become reachable only if you also push a route for that network (push "route 192.168.1.0 255.255.255.0", adjusted to your LAN) in server.conf; the masquerade rule takes care of their replies. On the client, ip route should show the VPN as the default route, and any what-is-my-IP page should report the server's address.

Troubleshooting

Here are some common troubleshooting tips:

  • Check the firewall: sudo firewall-cmd --list-all should show the openvpn service (or your port) and masquerade: yes. A missing masquerade or ip_forward setting produces a tunnel that comes up but carries no internet traffic.
  • Verify server and client configuration: Every path in server.conf and client.conf must exist, the tls-auth key direction must be 0 on the server and 1 on the client, and cipher and auth must match on both sides. Running sudo openvpn --config /etc/openvpn/server.conf in a terminal shows configuration errors immediately.
  • Check logs: Read /var/log/openvpn.log and sudo journalctl -u openvpn@server on the server, and the console output on the client. "TLS Error: TLS key negotiation failed" usually means the port is blocked or the tls-auth keys differ; "VERIFY ERROR" means a certificate is not signed by this CA, has expired, or failed the remote-cert-tls check.
  • SELinux: CentOS 7 enforces SELinux. Keep keys under /etc/openvpn and logs named /var/log/openvpn*, which the policy labels for OpenVPN; files placed elsewhere (a home directory, /tmp) are denied, and sudo ausearch -m avc -ts recent shows the denials.
  • Clock skew: Certificate validity is checked against the local clock, so a client whose clock is far off fails verification. Keep both sides synchronized with NTP (chronyd on CentOS 7).
  • Restart OpenVPN: sudo systemctl restart openvpn@server after any configuration change; the tunnel and the status file are rebuilt.
  • Update packages: Keep OpenVPN and OpenSSL current on both the server and the client with yum update; TLS fixes arrive through these packages.
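The status file named in server.conf is the quickest way to answer "who is connected right now" and, during an investigation, "which certificate held 10.8.0.6 at the time". The script below parses its default (version 1) format, joining the CLIENT LIST and ROUTING TABLE sections so that each output line maps a certificate common name to the client's public address and tunnel address. It is an added example rather than code from the original guide, and the status file it embeds is constructed to look like what OpenVPN 2.4 writes.

```shell
#!/bin/sh
# vpn_sessions: list active sessions from the file written by the
# "status /var/log/openvpn-status.log" directive (OpenVPN's default status
# format), joining the CLIENT LIST and ROUTING TABLE sections so that each
# output line maps a certificate common name to the client's public address,
# its tunnel address and the connection start time. Added example, not part
# of the original guide; the status file embedded below is constructed.
#
# Usage: vpn_sessions /var/log/openvpn-status.log
#        cn_for_ip   /var/log/openvpn-status.log 10.8.0.6

vpn_sessions() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { section = "clients"; next }
    /^ROUTING TABLE/       { section = "routes";  next }
    /^GLOBAL STATS/        { section = "";        next }
    # CLIENT LIST rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    section == "clients" && NF >= 5 && $1 != "Common Name" { real[$1] = $2; since[$1] = $5 }
    # ROUTING TABLE rows: Virtual Address,Common Name,Real Address,Last Ref
    section == "routes"  && NF >= 4 && $1 != "Virtual Address" { vip[$2] = $1 }
    END {
      for (cn in real)
        printf "%s\t%s\t%s\t%s\n", cn, (cn in vip ? vip[cn] : "-"), real[cn], since[cn]
    }' "$1" | sort
}

# cn_for_ip FILE IP: which certificate currently holds tunnel address IP?
cn_for_ip() {
  vpn_sessions "$1" | awk -F'\t' -v ip="$2" '$2 == ip { print $1 }'
}

# Constructed sample in the layout OpenVPN 2.4 writes for "status" (version 1).
write_sample_status() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Nov 14 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,Thu Nov 14 09:50:00 2024
laptop-alice,198.51.100.7:1194,512,1024,Thu Nov 14 09:58:30 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.5:51234,Thu Nov 14 09:59:00 2024
10.8.0.10,laptop-alice,198.51.100.7:1194,Thu Nov 14 09:59:10 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone run: sh sessions.sh --demo prints the sample sessions and the
# owner of 10.8.0.6.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_status "$f"
  vpn_sessions "$f"
  cn_for_ip "$f" 10.8.0.6
  rm -f "$f"
fi
```

Because the status file is rewritten every minute, it only answers questions about the present; for "who had this address last Tuesday" keep /var/log/openvpn.log (which records each client's common name and assigned address at connect time) and ship it to your log collector.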

Advanced Configuration

Here are some additional configuration options you can explore for more advanced customization:

  • Traffic shaping: Limit per-client bandwidth with the shaper directive, or use tc on the server for finer control.
  • DNS servers: Push your own resolver with push "dhcp-option DNS ..." instead of a public one, so client DNS queries stay inside the tunnel and under your control.
  • Port forwarding: Set up port forwarding rules to expose specific services on the server or on the VPN subnet.
  • Split tunneling: Remove push "redirect-gateway def1 bypass-dhcp" and push routes only for the networks that should cross the VPN; everything else uses the client's normal internet connection.
  • Static IP addresses: Use client-config-dir with a per-client ifconfig-push line to give a client the same VPN address every time.
  • Authentication methods: This guide authenticates with certificates alone; a username/password check (auth-user-pass with a verification script or plugin) can be added on top as a second factor.
  • VPN management: Utilize tools like OpenVPN Access Server for easier client management and configuration.

Conclusion

Setting up and configuring an OpenVPN server on CentOS 7 offers a secure and reliable way to establish private networks and enhance internet privacy. This comprehensive guide has covered the essential steps from installation to advanced customization, empowering you to create a secure VPN environment for your needs.

Remember to regularly review your configuration, update packages, and stay informed about security vulnerabilities to maintain a secure VPN connection.

FAQs

1. What is OpenVPN, and how does it work?

OpenVPN is an open-source VPN software that creates a secure and encrypted tunnel between your device and a remote server. When you connect to an OpenVPN server, your internet traffic is routed through the server, effectively masking your IP address and encrypting your data. This ensures your online activity remains private and secure.

2. What are the benefits of using OpenVPN?

Using OpenVPN offers several advantages:

  • Increased privacy: OpenVPN encrypts your internet traffic, making it difficult for third parties to monitor your online activities.
  • Enhanced security: OpenVPN uses strong encryption protocols to protect your data from interception and unauthorized access.
  • Bypass censorship: OpenVPN can help you bypass internet censorship and access blocked websites or services.
  • Secure remote access: OpenVPN enables secure access to your home network or other remote servers.
  • Location spoofing: OpenVPN can help you appear to be located in a different country by connecting to a server in that country.

3. How do I choose the right OpenVPN server?

When selecting an OpenVPN server, consider the following factors:

  • Location: Choose a server located in a country that aligns with your privacy concerns.
  • Speed: Opt for a server with a fast and reliable internet connection.
  • Features: Select a server that offers features like traffic shaping, DNS servers, and advanced security settings.
  • Reputation: Choose a server with a strong reputation for security and reliability.

4. Is OpenVPN legal?

OpenVPN itself is legal. However, using it to engage in illegal activities, like accessing copyrighted content without authorization, can have legal consequences. It's crucial to use OpenVPN responsibly and within the bounds of the law.

5. How secure is OpenVPN?

OpenVPN's protocol is considered secure: the control channel runs over TLS with certificate authentication, and the data channel is protected with an authenticated cipher such as AES-256-GCM. How secure a particular deployment is depends on the choices made in the configuration (a tls-auth key, a modern cipher, no compression, dropped privileges, a TLS version floor), on how the CA key and each client's private key are stored and distributed, and on keeping OpenVPN and OpenSSL patched on both the server and the clients.