How to Setup OpenVPN on CentOS 7 with FirewalldPosted on Updated on
One of the safest ways to send data over the Internet is by using a VPN which is also known as a “Virtual Private Network.” When using a VPN, the data is encrypted and sent through a “private tunnel” over a public network (the Internet for instance). That ensures the integrity and confidentiality of the data exchanged between the VPN client and the VPN server since sniffing the packets would only reveal encrypted data.
Some of the common uses for a VPN include:
- Establishing a remote connection to a private business network;
- Securing your communications on a public Wi-Fi connection;
- Creating a private network for online gaming.
If you want to have anonymous access to the Internet from multiple remote locations around the globe, there are several VPN providers such as HideMyAss, ExpressVPN, and NordVPN who offers such services.
However, if you need to have your VPN server, here’s how to do it using OpenVPN on Linux CentOS 7.
How to Setup OpenVPN Using firewalld Instead of iptables
For this tutorial, I will be using a CentOS cloud server from DigitalOcean. By the way, if you’ve never heard of DigitalOcean, I strongly advise you have a look at them. You can deploy a fully functional VPS in just a few minutes, and they are insanely fast.
1. Installing OpenVPN and Easy RSA
So assuming you’re logged in as root, start by installing the EPEL repository:
# yum install -y wget # mkdir /root/temp # cd /root/temp # wget https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm # rpm -Uvh epel-release-7-8.noarch.rpm
Now that you have installed the EPEL repository, you can go ahead and install OpenVPN and Easy RSA:
yum install -y openvpn easy-rsa
2. Configuring Easy RSA
Create a directory to store your keys and certificates:
mkdir -p /etc/openvpn/easy-rsa/keys
Copy the Easy RSA scripts to the OpenVPN subdirectory:
cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
Edit the Easy RSA settings file:
Find and modify these values:
# These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="email@example.com" export KEY_OU="MyOrganizationalUnit"
Now find this line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
And change it to:
Once you’re done, save the file and quit the editor.
3. Generating the CA Certificates and Keys
Enter these commands to initialize Easy RSA:
cd /etc/openvpn/easy-rsa/2.0 chmod 0755 * source ./vars ./clean-all
You can then build the CA certificate and key files:
Verify that the files have been created successfully:
# ls -al keys total 20 drwx------ 2 root root 4096 Jul 30 20:14 . drwxr-xr-x 3 root root 4096 Jul 30 20:09 .. -rw-r--r-- 1 root root 1887 Jul 30 20:14 ca.crt -rw------- 1 root root 1704 Jul 30 20:14 ca.key -rw-r--r-- 1 root root 0 Jul 30 20:09 index.txt -rw-r--r-- 1 root root 3 Jul 30 20:09 serial
4. Generating the VPN Client Certificate and Key
You can now go ahead and build the server certificate and key.
When asked to provide a challenge password for the key, leave it blank. Otherwise, the OpenVPN service won’t be able to start automatically since it will require you to enter the password each time:
A challenge password : <= leave this blank
Again you can list the content of the “keys” directory to make sure that server.crt, server.csr and server.key files have been created:
# ls -al keys total 56 drwx------ 2 root root 4096 Jul 30 20:18 . drwxr-xr-x 3 root root 4096 Jul 30 20:09 .. -rw-r--r-- 1 root root 5732 Jul 30 20:18 01.pem -rw-r--r-- 1 root root 1887 Jul 30 20:14 ca.crt -rw------- 1 root root 1704 Jul 30 20:14 ca.key -rw-r--r-- 1 root root 160 Jul 30 20:18 index.txt -rw-r--r-- 1 root root 21 Jul 30 20:18 index.txt.attr -rw-r--r-- 1 root root 0 Jul 30 20:09 index.txt.old -rw-r--r-- 1 root root 3 Jul 30 20:18 serial -rw-r--r-- 1 root root 3 Jul 30 20:09 serial.old -rw-r--r-- 1 root root 5732 Jul 30 20:18 server.crt -rw-r--r-- 1 root root 1115 Jul 30 20:18 server.csr -rw------- 1 root root 1704 Jul 30 20:18 server.key
Now you need to create a certificate and key for the VPN clients. I’d recommend that you create a different set of certificate and key for each VPN user:
This time you really should enter a challenge password:
A challenge password : ChooseASafePassword123
5. Building the Diffie Hellman Parameters
Enter this command to build the .pem file:
6. Copying Keys and Certificates
Copy the keys and certificates you’ve just generated to the OpenVPN configuration directory:
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
7. Creating the OpenVPN Configuration File
Copy the sample configuration file as a starting point:
cp /usr/share/doc/openvpn-2.3.13/sample/sample-config-files/server.conf /etc/openvpn/server.conf
Make sure that the user “nobody” will be able to read the configuration files, keys, and certificates:
chmod 0644 dh2048.pem ca.crt server.crt server.key server.conf
Edit the configuration file:
Uncomment this line to route all the traffic through the VPN server:
push "redirect-gateway def1 bypass-dhcp"
Find the line that reads:
And add the following settings:
Uncomment these lines:
; push "dhcp-option DNS 188.8.131.52" ; push "dhcp-option DNS 184.108.40.206"
And add your DNS values instead:
push "dhcp-option DNS 220.127.116.11" push "dhcp-option DNS 18.104.22.168"
If you want to use Google’s public DNS service, you can use 22.214.171.124 and 126.96.36.199.
Uncomment these lines:
user nobody group nobody
Enable compression by uncommenting this line:
Disable exit notification by setting explicit-exit-notify to “0”:
Save the file and quit the editor.
8. Enabling IP Forwarding and Routing
Edit /etc/sysctl.conf and add the following parameter:
net.ipv4.ip_forward = 1
Save and close the configuration file. Apply the new settings by using this command:
systemctl restart network.service
Now you need to configure Firewalld. Start by allowing the OpenVPN service to go through the firewall and make that setting permanent:
firewall-cmd --add-service openvpn
firewall-cmd --permanent --add-service openvpn
You can list the opened services to make sure that it’s been added correctly:
dhcpv6-client openvpn ssh
Next, enable the masquerade and make it permanent:
firewall-cmd --permanent --add-masquerade
Verify that masquerading is enabled:
# firewall-cmd --query-masquerade
9. Starting the VPN Server
For OpenVPN to start when booting the server, issue these commands. Do not forget to use your server’s hostname instead of “server”:
systemctl -f enable firstname.lastname@example.org
Now start the OpenVPN service:
systemctl start email@example.com
The VPN server is now waiting for clients to connect.
How to Setup the OpenVPN Client for Windows
Download and install the latest version of OpenVPN for Windows here: https://openvpn.net/index.php/open-source/downloads.html
Leave all the default installation options.
Do not launch the OpenVPN GUI at the end of the installation. You need to set it up to run as an administrator first:
Now download the following files from your server to your Windows computer. You can use a software like WinSCP to connect as root and transfer the files to your computer by using the SCP protocol.
Copy these five (5) files “C:\Program Files\OpenVPN\config\” on your Windows desktop.
Creating the OpenVPN Configuration file
Before you can establish a connection to a VPN server, you must create a client configuration with the “.ovpn” extension. To do so, rename C:\Program Files\OpenVPN\config\client.conf to client.ovpn. Edit the OVPN file and find the following line:
remote my-server-1 1194
Replace “my-server-1” by your VPN server’s IP address:
remote 188.8.131.52 1194
Find the SSL/TLS parameters:
ca ca.crt cert client.crt key client.key
Change them to reflect the filenames of your certificate and key files:
ca ca.crt cert johndoe.crt key johndoe.key
Add the following lines at the end of the file:
tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 reneg-sec 0
Enable compression by uncommenting this line:
Save and close the OVPN file.
Establishing a Connection to the OpenVPN Server
You can now execute the OpenVPN GUI on your Windows desktop. Remember that it must run as an administrator to work properly. Once OpenVPN is running on your desktop, you should see an icon like this in your taskbar:
Right-click the OpenVPN taskbar icon and it will display a list of available VPN configurations found (the OVPN files). Select the VPN server you wish to connect to and click “Connect.”
If you’ve done everything correctly, the OpenVPN GUI should soon display the IP address it received from the VPN server (10.8.0.x). Try accessing our IP to location tool to see if you’re browsing the web through the VPN.
If you have trouble connecting to the OpenVPN server, you can try to run it on a standard TCP port instead of UDP port 1194. Some ISP do not allow traffic on port 1194. To do so, edit /etc/openvpn/server.conf and make the following changes:
port 80 proto tcp ; proto udp
If the port 80 is already in use on your server, try finding an available port that your ISP won’t block. When you are done, restart OpenVPN:
service openvpn restart
Don’t forget to make the changes to your OVPN file too.
If you still encounter some problems, you can enable debugging in /etc/openvpn/server.conf:
log openvpn.log verb 4
Restart the OpenVPN service and look at the content of /etc/openvpn/openvpn.log while attempting to connect to the VPN server:
tail -f /etc/openvpn/openvpn.log
Once you’ve fixed the issue, don’t forget to disable logging.
4 Comments on “How to Setup OpenVPN on CentOS 7 with Firewalld”!
Great article guys. Thanks a lot.
Do you have some guide for Openvpn and Ubuntu by some chance? I need to setup vpn for a client of mine but he has Ubuntu 16.04 and I don’t think that I can implement the instructions from this tutorial for Ubuntu.
On Ubuntu, you will have to use “apt-get” to install packages instead of Yum. As for the configuration, it’s going to be quite similar.
When trying to start the OpenVPN server, I received a TLS-related error. Essentially, there is no ‘ta.key’ file. Another tutorial may be able to help you setup TLS, but this reddit question got me up and running quickly: https://www.reddit.com/r/OpenVPN/comments/5wihmg/warning_cannot_stat_file_takey/. Essentially, just comment out the line ‘tbs-auth ta.key’ in your server.conf file.
To avoid the “ta-key” error try this:
openvpn –genkey –secret ta.key
Explained in the example config file.