Install OpenVPN on Centos 8

OpenVPN is virtual private network (VPN) software installed on a virtual private server (VPS). VPNS Take advantage of the network provided by the VPS without the need to connect through an SSH or RDP session. You can connect devices to the VPN server and use that network to mask your local area network.

OpenVPN Requirements

You will need root or administrator access to a server. You can install OpenVPN on a Linux, Windows VPS, or a dedicated server. Below are the steps to install OpenVPN. Note that you will need to use a command line interface to do this.

OpenVPN Preparation

Step 1: Update your system.

Sudo yum update

Step 2: Edit the SELinux Config File

nano /etc/selinux/config

Step 3: Set Selinux to disabled

SELINUX=disabled

• ctrl + x
• Press the key and
• Press the ENTER key

Step 4: Edit the SYSCTL.CONF file

nano /etc/sysctl.conf

Step 5: Add the following line to the SYSCTL.CONF file to enable IP Forwarding

net.ipv4.ip\_forward = 1

• ctrl + x
• Press the key and
• Press the ENTER key

Step 6: Apply the changes

sysctl -p

OpenVPN Installation

**Step 1:** Install the OpenVPN server

dnf install epel-release -y
dnf install openvpn -y

Setting the certificate authority

Step 1: Download Easy-RSA to manage SSL certificates

cd /etc/openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar -xvzf EasyRSA-unix-v3.0.6.tgz
mv EasyRSA-v3.0.6 easy-rsa

Step 2: Configure Certificate Authority

cd /etc/openvpn/easy-rsa
nano vars

Step 3: Add the following and replace anything with \ with your VPS hostname (it looks something like HQSRV-\. Additionally, replace the "set_var easyrsa_req_email" line with your email:

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "USA"
set_var EASYRSA_REQ_PROVINCE    "Seatle"
set_var EASYRSA_REQ_CITY        "Seatle"
set_var EASYRSA_REQ_ORG         "<HOSTNAME> CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "<yourEmail@itinfs.com>"
set_var EASYRSA_REQ_OU          "<HOSTNAME> EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "<HOSTNAME> CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

Step 4: Start the PKI directory

./easyrsa init-pki

Step 5: Build the CA certificate

./easyrsa build-ca

It will ask you to provide a password. Note the password externally and enter at the prompt. This passphrase will be required in future steps.

You will also be prompted to enter a common name. You can press ENTER to use the default name or enter a custom common name of your choice.

The command will then generate two files named ca.key and ca.crt . These certificates will be used to sign the server and client certificates.

Step 6: Generate the server certificate files. Replace the \ with the hostname of the server. It looks like "HQSRV-

./easyrsa gen-req <HOSTNAME> nopass

This will also ask for a common name. You can enter whatever you want. Some names you could use would be your username, host, or server. Alternatively, you can just hit "Enter" to use the default.

Step 7: Sign the server key using the ca. Replace the \ with the hostname of the server. It looks like "HQSRV-

./easyrsa sign-req server <HOSTNAME>

Type "yes", then press ENTER

Additionally, you will need to provide a passphrase. Use the passphrase you created in Step 5

Step 8: Check the generated certificate file with the following command. Replace the \ with the hostname of the server. It looks like "HQSRV- :

openssl verify -CAfile pki/ca.crt pki/issued/<HOSTNAME>.crt

It should look something like this:

pki/issued/<HOSTNAME>.crt: OK

Step 9: Generate a strong Diffie Hellman key to use for the key exchange:

./easyrsa gen-dh

Step 10: **Copy the certificate files to /etc/openvpn/server/ and **Replace the \ with the hostname of the server. It looks like "HQSRV-

cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/<HOSTNAME>.key /etc/openvpn/server/
cp pki/issued/<HOSTNAME>.crt /etc/openvpn/server/

Step 11: Build the client key file:

./easyrsa gen-req client nopass

Press ENTER or enter a common name of your choice.

Step 12: Sign the client key using the CA certificate:

./easyrsa sign-req client client

Type the word, 'Yes', then press ENTER to confirm

Enter the passphrase you wrote down in Step 5

Step 13: Copy all the client certificate and key files to the /etc/openvpn/client/ directory

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

Configuring the OpenVPN server

Step 1 – Create a new OpenVPN configuration file inside the path /etc/openvpn/client/directory/file

nano /etc/openvpn/server/server.conf

Add the following in the text editor and replace anything labeled \ with your server hostname. It looks like "hqsrv-\

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/<HOSTNAME>.crt
key /etc/openvpn/server/<HOSTNAME>.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3

Now do the following to save your file:

• ctrl + x
• Press the key and
• Press the ENTER key

Step 2: Start the OpenVPN server

systemctl start openvpn-server@server
systemctl enable openvpn-server@server
systemctl status openvpn-server@server

Step 3: Generate the client configuration file. This is needed to connect to the OpenVPN server from the client system.

nano /etc/openvpn/client/client.ovpn

Insert the following and replace \ with your Dedicated Primary servers IPv4 address

client
dev tun
proto udp
remote <Server IP> 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Now do the following to save your file:

• ctrl + x
• Press the key and
• Press the ENTER key

Configure OpenVPN routing using Firewall

Step 1: Add the OpenVPN service and interface TUN0 to the Trusted Firewall zone:

firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0

Step 2: Add the masquerade in the default zone:

firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade

Step 3: Run the following command to masquerade the Internet traffic coming from the VPN. Replace \ with your server hostname. It looks like "HQSRV\. In this case, you would not need the dash between the "HQSRV" and the"

<HOSTNAME>ovpn=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $hqsrv702659ovpn -j MASQUERADE

Step 4: Implement the changes:

firewall-cmd --reload

Downloading the OVPN file

Step 1: You will need to download the OVPN directory to your local machine. You can do this in several different ways. The path of the file you need to download is the /etc/openvpn/client directory.

Open your local computer's terminal and type the following. Make sure to replace \ with your server's dedicated IPv4:

scp -r root@**\<SERVER IP>**:/etc/openvpn/client .

Alternatively, connect to your server via SFTP using FileZilla: 

Configuring your local OpenVPN client

Step 1: Install the OpenVPN client. If you have a Windows machine, you can install it here: https://openvpn.net/client-connect-vpn-for-windows/

Step 2: Import the OpenVPN profile using the downloaded file, "Client.ovpn"

Step 3: Give your profile a name or leave it as the default. Click "Add" after importing the OVPN file.

Step 4 – Connect to your VPN to start using the network!

Step 5: You should be connected to your VPN. Your interface should look like this:

Step 6: Congratulations! They are all done!