OpenVPN on Centos 7

From vpsget wiki

We'll show how to install OpenVPN server side and configure the client side.

  • Server side

Install EPEL

yum install epel-release

Install OpenVPN, a text editor and the iptables service

yum install openvpn easy-rsa nano iptables-services

Create the server conf file

nano /etc/openvpn/server.conf

Add the following lines:

port 1194
proto udp
dev tun
# VPN subnet handed out to clients (assumed value, the OpenVPN sample default;
# without a server directive a tun server assigns no addresses at all)
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Generate keys and certificates

  • NOTE: we suggest using the old easy-rsa 2, as it is well documented

so most likely you'll need to wget the old easy-rsa:

wget -O /usr/share/easy-rsa/2
tar xfz /usr/share/easy-rsa/2

#cp -rf /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/easy-rsa-old-2.3.3/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
# start from an empty keys directory and build the CA first: build-key-server
# needs the CA to sign the server certificate
./clean-all
./build-ca
./build-key-server server
# Diffie-Hellman parameters; with KEY_SIZE=2048 in vars this writes keys/dh2048.pem
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Generate client(s)

cd /etc/openvpn/easy-rsa
./build-key client1
./build-key client2
./build-key client3

Configure the firewall (you may use firewalld, but we prefer iptables)

systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
# VPN client subnet (10.8.0.0/24 assumed; it must match the server directive
# in server.conf). venet0 is the public interface on an OpenVZ VPS.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables.service

You may overwrite the default iptables config or append to it. We'll overwrite here:

cp /etc/sysconfig/iptables.service  /etc/sysconfig/iptables
systemctl restart iptables.service

Enable forwarding

nano /etc/sysctl.conf

Append the following line

net.ipv4.ip_forward = 1

Apply it without waiting for a reboot:

sysctl -p
systemctl restart network.service

Start Openvpn

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
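Before starting the service it is worth checking that server.conf actually points at the files generated above and that the host can forward traffic, since a missing file or ip_forward=0 is the usual reason clients connect but get no Internet. The following check is an added example, not part of the vpsget wiki; IP_FORWARD_FILE is a hypothetical override that exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the vpsget wiki: sanity-check server.conf before
# starting openvpn@server. Verifies that every file directive (ca, cert, key,
# dh) resolves to an existing file next to the conf, that the private key is
# not group- or world-readable, and that a conf which pushes redirect-gateway
# runs on a host with ip_forward=1.
# IP_FORWARD_FILE is a hypothetical override used only to test the check.
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    for directive in ca cert key dh; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "MISSING: no '$directive' directive in $conf"
            rc=1
            continue
        fi
        # OpenVPN resolves relative paths against its working directory, which
        # the CentOS 7 openvpn@.service unit sets to /etc/openvpn; we mirror
        # that by resolving against the conf's own directory.
        case $file in /*) path=$file ;; *) path=$dir/$file ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING: $directive file $path does not exist"
            rc=1
            continue
        fi
        if [ "$directive" = key ]; then
            # the server private key must never be readable by other users
            perm=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case $perm in
                600|400) ;;
                *) echo "WEAK: $path has mode $perm, expected 600"; rc=1 ;;
            esac
        fi
    done
    if grep -q '^push "redirect-gateway' "$conf"; then
        fwd=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}
        if [ "$(cat "$fwd" 2>/dev/null)" != 1 ]; then
            echo "FORWARDING: redirect-gateway is pushed but $fwd is not 1"
            rc=1
        fi
    fi
    return $rc
}
```

Run it as `check_openvpn_conf /etc/openvpn/server.conf`; a non-zero exit status means at least one of the checks printed a problem.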


  • Client Side

Copy the client key files from /etc/openvpn/easy-rsa/keys/ to your PC. Create a folder for the client, let's call it user, and put all files from the keys folder into it except the keys of other clients (do not copy the user2.* files, for example). Now create the config file, let's call it user.ovpn, and put the following lines into it:

dev tun
proto udp
remote <Your_VPN_SERVER_IP_ADDRESS> 1194
resolv-retry infinite
ca ca.crt
cert user.crt
key user.key
verb 4

#if you like to route all traffic via openvpn server:

Remember that all user files (ca.crt, user.key, user.crt) and your *.ovpn config file should be located in one folder. Now you may use this config on your Linux/Mac PC. On Windows you need to install the OpenVPN client first (free) and copy the folder with all the files listed above into the installed config folder (refer to the OpenVPN Windows client docs). You may also use these files on your iPhone or Android phone; just download the OpenVPN app from the store first (free).


  • Troubleshoot

In case you can connect but have no Internet access, please check your iptables config. Just in case, we've also shared an alternate iptables config (no MASQUERADE used) for /etc/sysconfig/iptables:

# accept the OpenVPN port on the public interface; server.conf listens on udp 1194,
# so the rule must use the same protocol and the interface the clients reach
-A INPUT -i venet0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i venet0 -p gre -j ACCEPT
# forward traffic arriving from any tun interface out to the public interface
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# nat table chain policies (the counters in brackets are from the saved file)
:PREROUTING ACCEPT [6222:273716]
:OUTPUT ACCEPT [306:22159]

Remember to restart iptables:

systemctl restart iptables.service

For diagnostic/logs view:

systemctl status iptables.service
systemctl status openvpn@server.service
tail -f /var/log/openvpn.log
ss -tulpn

View connected clients/stats:

cat /etc/openvpn/openvpn-status.log

Add more OpenVPN clients:

cd /etc/openvpn/easy-rsa
source ./vars
./build-key clientXXx