How to Install OpenVPN Server on Linux
In this article we will cover the installation and configuration of the OpenVPN server based on Linux CentOS, and show how to connect two remote computers (or offices) behind NAT into one network using OpenVPN server. We will also use certificates for encrypted connection. If you are a Windows user, check out the guide about configuring VPN in Windows server operating system.
- What is OpenVPN
- How to Install OpenVPN and Easy-RSA
- How to Configure Easy-RSA and Issue a Certificate
- How to Create Keys and Certificates for the OpenVPN Server
- How to Configure OpenVPN Server
- How to Configure Firewall with OpenVPN
- How to Connect Computers and Networks using OpenVPN
What is Open VPN
Virtual Private Network (VPN) – a set of technologies that allow you to build a secure network over public networks or the Internet. With a VPN, you can consolidate Internet-divided segments of networks into a single local network.
OpenVPN – one of the implementations of open source VPN technology based on SSL/TLS. With the help of OpenVPN it is possible to connect in a single network both remote offices and separate local PCs, which are behind firewall with Network Address Translation (NAT).
How to Install OpenVPN and Easy-RSA
First thing you need to do is to connect the Extra Packages for Enterprise Linux (EPEL) repository and update the system:
sudo yum install epel-release -y sudo yum update -y
When the system is updated, you need to use the yum package manager to install OpenVPN and Easy-RSA to implement a Public Key Infrastructure (PKI) infrastructure on the VPN server.
sudo yum install openvpn easy-rsa -y
How to Configure Easy-RSA and Issue a Certificate
Copy all the Easy-RSA scripts into /etc/openvpn/:
sudo cp -r /usr/share/easy-rsa /etc/openvpn/
Let’s go to /etc/openvpn/easy-rsa/3/ and create a file named vars there:
cd /etc/openvpn/easy-rsa/3/ sudo nano vars
Let’s fill this file with the following parameters (you can edit the location and company parameters for yourself):
set_var EASYRSA "$PWD" set_var EASYRSA_PKI "$EASYRSA/pki" set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "CA" set_var EASYRSA_REQ_CITY "LA" set_var EASYRSA_REQ_ORG "MyCompany" set_var EASYRSA_REQ_EMAIL "email@example.com". set_var EASYRSA_REQ_OU "IT Department" set_var EASYRSA_KEY_SIZE 4096 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 7500 set_var EASYRSA_CERT_EXPIRE 3650 set_var EASYRSA_NS_SUPPORT "no" set_var EASYRSA_NS_COMMENT "CERTIFICATE AUTHORITY" set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" set_var EASYRSA_DIGEST "sha512"
Press Ctrl+x to exit the file then y to save it and then hit Enter. The file must be executable, so next step is to execute the following:
sudo chmod +x vars
How to Create Keys and Certificates for the OpenVPN Server
Before creating the key, we need to initialize the Public Key Infrastructure (PKI) directory and create the CA key:
cd /etc/openvpn/easy-rsa/3/ sudo ./easyrsa init-pki
Now let’s create a CA key:
sudo ./easyrsa build-ca
After running the command, we will need to specify a password to generate the certificates and key. The password will be required in the future to sign the certificates.
After that the system will ask to enter Distinguished Name (DN) enter your server and domain name for example server.domain.com and create a server key with nopass option which disables the password for domain.com:
sudo ./easyrsa gen-req server.domain.com nopass
During the certificate issuance process, you will be asked to enter Common Name, just press Enter to continue.
Sign the domain.com key using our CA certificate:
sudo ./easyrsa sign-req server server.domain.com
First you need to confirm the request by typing “yes”. After that you will need to enter the password that we set when the CA certificate was issued:
To make sure that the certificates were generated without errors, run the command:
sudo openssl verify -CAfile pki/ca.crt pki/issued/server.domain.com.crt
The output must be “pki/issued/server.domain.com.crt: OK“
Now all OpenVPN server certificates are created.
- The root certificate is located: ‘pki/ca.crt‘
- The server private key is located: ‘pki/private/server.domain.com.key‘
- The server certificate is located: ‘pki/issued/server.domain.com.crt‘
To generate a client key, you need to execute the following command and specify the client name (“admin” in our example):
sudo ./easyrsa gen-req admin nopass
As with the server key, you must sign it using a CA certificate:
sudo ./easyrsa sign-req client admin
Similar to the server certificate we need to type “yes” and enter CA password. Now the certificate for the user is created.
Additionally, you must generate a Diffy-Hellman key to be used for key exchange:
sudo ./easyrsa gen-dh
Note that it’s been generated for a long time.
After that we need to generate a TLS certificate:
sudo openvpn --genkey --secret ta.key
If we plan to revoke client certificates in the future, we need to generate a CRL key:
sudo ./easyrsa gen-crl
To revoke a certificate, you must execute a command:
sudo ./easyrsa revoke admin
Where “admin” is the certificate name.
So all necessary certificates are created, let’s copy them into working directories:
cp pki/ca.crt /etc/openvpn/server/ cp pki/issued/server.domain.com.crt /etc/openvpn/server/ cp pki/private/server.domain.com.key /etc/openvpn/server/ cp pki/private/dh.pem /etc/openvpn/server/ cp pki/private/ta.key /etc/openvpn/server/ cp pki/crl.pem /etc/openvpn/server/
cp pki/issued/admin.crt /etc/openvpn/client/ cp pki/private/admin.key /etc/openvpn/client/
How to Configure OpenVPN Server
Let’s move on to the settings of the OpenVPN configuration file. First let’s create the OpenVPN configuration file named server.conf:
sudo cd /etc/openvpn/ && nano server.conf
Change the contents of the file to the following:
# Specify port, protocol and device port 1194 proto udp dev tun # Specify path to server certificates ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/server.domain.com.crt key /etc/openvpn/server/server.domain.com.key # Paths to CRL and DH keys dh /etc/openvpn/server/dh.pem crl-verify /etc/openvpn/server/crl.pem # Specify the network IP and mask which the VPN clients will enter server 10.0.2.0 255.255.255.0 push "redirect-gateway def1" # Enter the target DNS servers push "dhcp-option DNS 188.8.131.52" push "dhcp-option DNS 184.108.40.206" # Allow users to connect with the same key duplicate-cn # TLS security tls-auth /etc/openvpn/server/ta.key 0 cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache # Other config keepalive 20 60 persist-key persist-tun comp-lzo yes daemon user nobody group nobody # Log file path log-append /var/log/openvpn.log verb 3
Then we save the file. I specified the default UDP port 1194 for the VPN server, but for OpenVPN you can specify any free port on the server.
How to Configure Firewall with OpenVPN
What remains is to configure firewall rules to allow connection and routing between segments.
If you are using Firewalld, you must first activate the kernel module forwarding:
sudo echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf sudo sysctl -p
Add the openvpn service to Firewalld, and the tun0 interface to the trusted zone.
sudo firewall-cmd --permanent --add-service=openvpn sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
Activate ‘MASQUERADE’ for the trusted Firewalld zone:
sudo firewall-cmd --permanent --zone=trusted --add-masquerade
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.0.2.0/24 -o IP server -j MASQUERADE sudo firewall-cmd -reload
If you are using iptables without Firewalld, you need to execute the following:
sudo iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE sudo iptables -A INPUT -p tcp -dport 1194 -j ACCEPT sudo service iptables save
Let’s run OpenVPN service and let it start when Linux boots up:
sudo systemctl start openvpn@server sudo systemctl enable openvpn@server
Let’s check if port 1194 is available:
sudo lsof -i:1194
Let’s check the IP settings of the network interface:
sudo ip a
3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
inet 10.0.2.1 peer 10.0.2.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::932a:e40b:ac2f:6b2/64 scope link flags 800
valid_lft forever preferred_lft forever
As you can see, the network specified in the configuration has been added to the tun0.
These are the minimum settings you need to make for OpenVPN to work.
How to Connect Computers and Networks using OpenVPN
How to connect to the OpenVPN server from two remote computers that are connected to the Internet via NAT, and organize a private network between them? To connect a Windows computer to the OpenVPN server you will need the official client from that can be downloaded from the official site. The installation is straightforward, so we will focus on the configuration.
After you have installed the client, you need to go to the configuration file, which you need to create along the way:
Create a file with the name Client.ovpn and add the following content to it:
client dev tun proto udp remote publicVPNserverIP 1194 resolv-retry infinite nobind block-outside-dns perist-key persist-tun mute-replay-warnings remote-cert-tls server tls-client auth SHA512 tls-auth "C:\Program Files\OpenVPN\config.key" 1 remote-cert-eku "TLS Web Server Authentication" ca "C:\Program Files\OpenVPN\config\ca.crt". cert "C:\Program Files\OpenVPN\config\admin.crt". key "C:\Program Files\OpenVPN\config\admin.key". cipher AES-256-CBC comp-lzo verb 3
As you can see we need the client, security and server certificates and keys we created earlier to configure. They need to be downloaded from the OpenVPN server and placed in a C:\Program Files\OpenVPN\config\ directory.
After that we connect through the shortcut Open VPN client in the tray:
I connected and got the next IP for my PC:
IPv4 address . . . . . . . . . . . . . . . . . . . . . . . : 10.0.2.17
Subnet mask . . . . . . . . . . . . . . . : 255.255.255.252
On the second computer behind the NAT, we need to do the same thing by first creating a certificate for the second user. After connection the second computer has IP address in the same network:
IPv4 address . . . . . . . . . . . . . . . . . . . . . . . . . : 10.0.2.8
Subnet mask . . . . . . . . . . . . . . . . . : 255.255.255.252
Once connected, both computers are on the same network and ping each other. Both connected VPN clients can exchange packets and transfer files directly to each other. This way, we were able to combine two PCs located in different parts of the world into one local network.
On your OpenVPN server you can create an unlimited number of keys and certificates for users. If you need a new certificate, run the following commands in /etc/openvpn/easy-rsa/3:
sudo ./easyrsa gen-req client name nopass sudo ./easyrsa sign-req client name
Remember to periodically revoke client certificates if they are not used to keep your network secure.