In simple terms, a VPN connects your mobile device, computer, or tablet to another computer (a server) over the internet. You then reach the internet through that server's connection, which lets you bypass internet censorship, and you can access resources on the server's local network remotely. In this tutorial, we will show you how to install and configure an OpenVPN server on CentOS 8.

Step 1 – Disable SELinux

Before starting, it is a good idea to disable SELinux on your system. To disable SELinux, open the /etc/selinux/config file: Change the following line: Save the file when you are finished. Next, restart your system to apply the SELinux changes.

Step 2 – Enable IP Forwarding

Next, you will need to enable IP forwarding on your system. IP forwarding allows your operating system to accept incoming network packets and forward them to another network when their destination is on a different network. To enable IP forwarding, edit the file /etc/sysctl.conf: Add the following line: Save the file when you are finished. Then, run the following command to apply the changes:
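A check for this step, as an added example that is not part of the original tutorial: it reads the value a sysctl.conf-style file sets for `net.ipv4.ip_forward` (the kernel's IPv4 forwarding switch) and compares it with the live value, so you can tell an edited-but-not-reloaded file from a setting that will be lost at reboot. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that IPv4 forwarding is both persisted and live.
# Paths are parameters; the sample files at the bottom are constructed.

# persisted_ip_forward FILE: print the value FILE sets for
# net.ipv4.ip_forward (the last assignment wins), or "unset".
persisted_ip_forward() {
    awk '
        /^[ \t]*[#;]/ { next }               # skip comment lines
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "net.ipv4.ip_forward") last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# forwarding_status CONF [RUNTIME]: compare the persisted value with the
# kernel's current one (default: /proc/sys/net/ipv4/ip_forward).
forwarding_status() {
    conf=$(persisted_ip_forward "$1")
    live=$(tr -d ' \n' < "${2:-/proc/sys/net/ipv4/ip_forward}")
    case "$conf:$live" in
        1:1) echo "ok" ;;
        1:*) echo "not-applied" ;;     # file edited, settings not reloaded
        *:1) echo "runtime-only" ;;    # enabled now, lost at next reboot
        *)   echo "disabled" ;;
    esac
}

# Constructed sample: a commented-out line, then two assignments.
sample=$(mktemp); runtime=$(mktemp)
printf '%s\n' '# net.ipv4.ip_forward = 1' 'net.ipv4.ip_forward=0' \
    '  net.ipv4.ip_forward = 1' > "$sample"
echo 0 > "$runtime"
forwarding_status "$sample" "$runtime"     # prints: not-applied
```

On the server itself, call `forwarding_status /etc/sysctl.conf` with no second argument to compare against the running kernel.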

Step 3 – Install OpenVPN Server

You will need to install the EPEL repository on your system in order to install the latest version of OpenVPN. Run the following command to install the EPEL repository: Once installed, run the following command to install the latest version of OpenVPN: Once the installation has been completed, you will also need to download easy-rsa for managing SSL certificates. Run the following command to download easy-rsa inside the /etc/openvpn directory. Next, run the following command to extract the downloaded file: Next, rename the extracted directory to easy-rsa:

Step 4 – Setup Certificate Authority

Easy RSA uses a set of scripts to generate keys and certificates. First, you will need to configure the Certificate Authority on your system. To do so, change the directory to /etc/openvpn/easy-rsa and create a new Easy RSA configuration file: Add the following lines including your country, city, and preferred email address: Save the file when you are finished. Next, run the following command to initialize the PKI directory. Output: Next, build the CA certificates with the following command: You should get the following output: The above command will generate two files named ca.key and ca.crt. These files will be used to sign your server and client certificates.

Step 5 – Generate Server Certificate Files

Next, you will need to generate a keypair and certificate request for your server. Run the following command to generate the server key named tecadmin-server: You should get the following output:

Step 6 – Sign the Server Key Using CA

Next, you will need to sign the tecadmin-server key using your CA certificate. Run the following command to sign the server key: You should get the following output: Next, verify the generated certificate file with the following command: If everything is fine, you should get the following output: Next, run the following command to generate a strong Diffie-Hellman key to use for the key exchange: You should get the following output: After creating all certificate files, copy them to the /etc/openvpn/server/ directory:

Step 7 – Generate Client Certificate and Key File

Next, you will need to generate the key and certificate file for the client. First, run the following command to build the client key file: You should see the following output: Next, sign the client key using your CA certificate: You should get the following output: Next, copy all client certificate and key files to the /etc/openvpn/client/ directory:
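What the CA signing and verification in Steps 4 to 7 establish, as an added example that is not part of the original tutorial: it builds a throwaway CA with plain `openssl` instead of easy-rsa, issues a certificate, and shows that the certificate verifies only against the CA that signed it and pairs only with its own private key. All function names, subjects and files are constructed, apart from the `tecadmin-server` name taken from Step 5; nothing under /etc/openvpn is touched.

```shell
#!/bin/sh
# Added example: throwaway CA built with plain openssl (the tutorial uses
# easy-rsa). Every name and file is constructed and lives in a temp dir.

# make_ca DIR NAME: self-signed CA, key in DIR/NAME.key, cert in DIR/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA NAME: key pair and request for NAME, signed by DIR/CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.req" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.req" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# signed_by CA_CERT CERT: succeed only if CERT chains to CA_CERT
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY: succeed only if KEY is the private key for CERT
key_matches() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

d=$(mktemp -d)
make_ca "$d" ca && make_ca "$d" other-ca && issue_cert "$d" ca tecadmin-server
signed_by "$d/ca.crt" "$d/tecadmin-server.crt" && echo "signed by ca: yes"
signed_by "$d/other-ca.crt" "$d/tecadmin-server.crt" || echo "signed by other-ca: no"
key_matches "$d/tecadmin-server.crt" "$d/tecadmin-server.key" && echo "key pairs with cert: yes"
```

The same two checks, `signed_by` and `key_matches`, can be pointed at the ca.crt, certificate and key files before they are copied into the server and client directories.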

Step 8 – Configure OpenVPN Server

Next, create a new OpenVPN configuration file inside the /etc/openvpn/client/ directory: Add the following lines: Save the file when you are finished.

Step 9 – Start OpenVPN Service

OpenVPN is now installed and configured. You can now start the OpenVPN service and enable it to start after a system reboot using the following command: Run the following command to verify the status of the OpenVPN service: You should get the following output: Once the OpenVPN service has started successfully, it will create a new network interface named tun0. You can check it with the following command: You should see the new interface tun0 in the following output:

Step 10 – Generate Client Configuration File

Next, create a new OpenVPN client configuration file named client.ovpn. You will need this file to connect to your OpenVPN server from the client system. Add the following lines: Save the file when you are finished.

Step 11 – Configure Routing using Firewalld

First, you will need to allow the OpenVPN service through firewalld. To do so, add the OpenVPN service and the tun0 interface to the trusted firewall zone: Next, add masquerading on the default zone: Next, run the following command to masquerade the internet traffic coming from the VPN network (10.8.0.0/24) to the system's local network interface (eth0). Finally, run the following command to implement the changes:

Step 12 – Connect OpenVPN from Clients

First, log in to the client machine and install the OpenVPN package with the following command: Next, you will need to download the OpenVPN client configuration files from the OpenVPN server to the client machine. On the client machine, run the following command to download all the client configuration files: Once downloaded, change the directory to client and run the following command to connect to the OpenVPN server: You should see the following output: After a successful connection, OpenVPN will assign an IP address to your system. You can check it with the following command: Output: Congratulations! You have successfully installed and configured the OpenVPN server and client on a CentOS 8 server.