How to Setup OpenVPN on CentOS 7 with Firewalld


One of the safest ways to send data over the Internet is by using a VPN, also known as a “Virtual Private Network.” When using a VPN, the data is encrypted and sent through a “private tunnel” over a public network (the Internet, for instance). That protects the integrity and confidentiality of the data exchanged between the VPN client and the VPN server, since anyone sniffing the packets would only see encrypted data.

Some of the common uses for a VPN include:

  • Establishing a remote connection to a private business network;
  • Securing your communications on a public Wi-Fi connection;
  • Creating a private network for online gaming.

If you want anonymous access to the Internet from multiple remote locations around the globe, there are several VPN providers, such as HideMyAss, ExpressVPN, and NordVPN, that offer such services.

However, if you need your own VPN server, here’s how to set one up using OpenVPN on CentOS 7.

How to Setup OpenVPN Using firewalld Instead of iptables

For this tutorial, I will be using a CentOS cloud server from DigitalOcean. By the way, if you’ve never heard of DigitalOcean, I strongly advise you have a look at them. You can deploy a fully functional VPS in just a few minutes, and they are insanely fast.

1. Installing OpenVPN and Easy RSA

Assuming you’re logged in as root, start by installing the EPEL repository:

# yum install -y wget
# mkdir /root/temp
# cd /root/temp
# wget https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
# rpm -Uvh epel-release-7-8.noarch.rpm

Now that you have installed the EPEL repository, you can go ahead and install OpenVPN and Easy RSA:

yum install -y openvpn easy-rsa

2. Configuring Easy RSA

Create a directory to store your keys and certificates:

mkdir -p /etc/openvpn/easy-rsa/keys

Copy the Easy RSA scripts to the OpenVPN subdirectory:

cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa/

Edit the Easy RSA settings file:

vi /etc/openvpn/easy-rsa/2.0/vars

Find and modify these values:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

Now find this line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

And change it to:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Once you’re done, save the file and quit the editor.

3. Generating the CA Certificates and Keys

Enter these commands to initialize Easy RSA:

cd /etc/openvpn/easy-rsa/2.0
chmod 0755 *
source ./vars
./clean-all

You can then build the CA certificate and key files:

./build-ca

Verify that the files have been created successfully:

# ls -al keys
total 20
drwx------ 2 root root 4096 Jul 30 20:14 .
drwxr-xr-x 3 root root 4096 Jul 30 20:09 ..
-rw-r--r-- 1 root root 1887 Jul 30 20:14 ca.crt
-rw------- 1 root root 1704 Jul 30 20:14 ca.key
-rw-r--r-- 1 root root 0 Jul 30 20:09 index.txt
-rw-r--r-- 1 root root 3 Jul 30 20:09 serial

4. Generating the VPN Server and Client Certificates and Keys

You can now go ahead and build the server certificate and key.

./build-key-server server

When asked to provide a challenge password for the key, leave it blank. Otherwise, the OpenVPN service won’t be able to start automatically since it will require you to enter the password each time:

A challenge password []: <= leave this blank

Again, you can list the contents of the “keys” directory to make sure that the server.crt, server.csr and server.key files have been created:

# ls -al keys
total 56
drwx------ 2 root root 4096 Jul 30 20:18 .
drwxr-xr-x 3 root root 4096 Jul 30 20:09 ..
-rw-r--r-- 1 root root 5732 Jul 30 20:18 01.pem
-rw-r--r-- 1 root root 1887 Jul 30 20:14 ca.crt
-rw------- 1 root root 1704 Jul 30 20:14 ca.key
-rw-r--r-- 1 root root 160 Jul 30 20:18 index.txt
-rw-r--r-- 1 root root 21 Jul 30 20:18 index.txt.attr
-rw-r--r-- 1 root root 0 Jul 30 20:09 index.txt.old
-rw-r--r-- 1 root root 3 Jul 30 20:18 serial
-rw-r--r-- 1 root root 3 Jul 30 20:09 serial.old
-rw-r--r-- 1 root root 5732 Jul 30 20:18 server.crt
-rw-r--r-- 1 root root 1115 Jul 30 20:18 server.csr
-rw------- 1 root root 1704 Jul 30 20:18 server.key

Now you need to create a certificate and key for the VPN clients. I’d recommend that you create a separate certificate and key pair for each VPN user:

./build-key johndoe

This time you really should enter a challenge password:

A challenge password []: ChooseASafePassword123

5. Building the Diffie-Hellman Parameters

Enter this command to build the .pem file:

./build-dh

6. Copying Keys and Certificates

Copy the keys and certificates you’ve just generated to the OpenVPN configuration directory:

cd /etc/openvpn/easy-rsa/2.0/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

7. Creating the OpenVPN Configuration File

Copy the sample configuration file as a starting point:

cp /usr/share/doc/openvpn-2.3.13/sample/sample-config-files/server.conf /etc/openvpn/server.conf

Make sure that the user “nobody” can read the configuration file, keys, and certificates:

cd /etc/openvpn
chmod 0644 dh2048.pem ca.crt server.crt server.key server.conf

Edit the configuration file:

vi /etc/openvpn/server.conf

Uncomment this line to route all client traffic through the VPN server:

push "redirect-gateway def1 bypass-dhcp"

Find the line that reads:

dev tun

And add the following settings:

dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0

Uncomment these lines:

; push "dhcp-option DNS 208.67.222.222"
; push "dhcp-option DNS 208.67.220.220"

And add your DNS values instead:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

If you want to use Google’s public DNS service, you can use 8.8.8.8 and 8.8.4.4.

Uncomment these lines:

user nobody
group nobody

Enable compression by uncommenting this line:

comp-lzo

Disable exit notification by setting explicit-exit-notify to “0”:

explicit-exit-notify 0

Save the file and quit the editor.
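The following script is an added example, not part of the original tutorial: it checks a server.conf for every directive the steps above set and reports the ones that are still missing or commented out. The function names are hypothetical; the sample config it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify that a server.conf
# carries every directive the steps above set, reporting any that are
# missing or still commented out with ';' or '#'. Function names are hypothetical.

REQUIRED_DIRECTIVES='push "redirect-gateway def1 bypass-dhcp"
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
push "dhcp-option DNS
user nobody
group nobody
comp-lzo
explicit-exit-notify 0'

# Succeed when $2 starts an uncommented line of config file $1.
has_directive() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^[;#]' |
        awk -v d="$2" 'index($0, d) == 1 { found = 1 } END { exit (found ? 0 : 1) }'
}

# Print one line per required directive; exit status = number missing.
check_server_conf() {
    missing=0
    while IFS= read -r directive; do
        if has_directive "$1" "$directive"; then
            printf 'ok       %s\n' "$directive"
        else
            printf 'MISSING  %s\n' "$directive"
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_DIRECTIVES
EOF
    return "$missing"
}

# Constructed sample run: the DNS push and MTU lines have not been set yet.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
dev tun
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
user nobody
group nobody
comp-lzo
EOF
check_server_conf "$SAMPLE_CONF" || printf '%s directive(s) missing\n' "$?"
```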

8. Enabling IP Forwarding and Routing

Edit /etc/sysctl.conf and add the following parameter:

net.ipv4.ip_forward = 1

Save and close the configuration file. Apply the new settings by using this command:

systemctl restart network.service

Now you need to configure firewalld. Start by allowing the openvpn service through the firewall, and make that setting permanent:

firewall-cmd --add-service openvpn
firewall-cmd --permanent --add-service openvpn

You can list the allowed services to make sure that it’s been added correctly:

firewall-cmd --list-services

Example output:

dhcpv6-client openvpn ssh

Next, enable the masquerade and make it permanent:

firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade

Verify that masquerading is enabled:

# firewall-cmd --query-masquerade
yes

9. Starting the VPN Server

For OpenVPN to start when booting the server, issue these commands. Do not forget to use your server’s hostname instead of “server”:

systemctl -f enable openvpn@server.service

Now start the OpenVPN service:

systemctl start openvpn@server.service

The VPN server is now waiting for clients to connect.

How to Setup the OpenVPN Client for Windows

Download and install the latest version of OpenVPN for Windows here: https://openvpn.net/index.php/open-source/downloads.html

Leave all the default installation options.

Do not launch the OpenVPN GUI at the end of the installation. You need to set it up to run as an administrator first:

[Image: OpenVPN GUI set to run as administrator]

Now download the following files from your server to your Windows computer. You can use a tool such as WinSCP to connect as root and transfer the files to your computer over SCP.

  • /etc/openvpn/ca.crt
  • /etc/openvpn/easy-rsa/2.0/keys/johndoe.crt
  • /etc/openvpn/easy-rsa/2.0/keys/johndoe.csr
  • /etc/openvpn/easy-rsa/2.0/keys/johndoe.key
  • /usr/share/doc/openvpn-2.3.13/sample/sample-config-files/client.conf

Copy these five files to “C:\Program Files\OpenVPN\config\” on your Windows computer.

Creating the OpenVPN Configuration file

Before you can establish a connection to a VPN server, you must create a client configuration with the “.ovpn” extension. To do so, rename C:\Program Files\OpenVPN\config\client.conf to client.ovpn. Edit the OVPN file and find the following line:

remote my-server-1 1194

Replace “my-server-1” with your VPN server’s IP address:

remote 123.123.123.123 1194

Find the SSL/TLS parameters:

ca ca.crt
cert client.crt
key client.key

Change them to reflect the filenames of your certificate and key files:

ca ca.crt
cert johndoe.crt
key johndoe.key

Add the following lines at the end of the file:

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0

Enable compression by uncommenting this line:

comp-lzo

Save and close the OVPN file.
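The following script is an added example, not part of the original tutorial: it produces the client .ovpn file from a client.conf template the same way the steps above do by hand (remote address, certificate and key names, comp-lzo, and the four tunnel settings). The function names are hypothetical and the template it runs on is a constructed excerpt of the sample client.conf.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build the client .ovpn from
# a client.conf template the way the steps above do by hand. Function names
# are hypothetical; the template is a constructed excerpt of the sample file.

# Write a constructed excerpt of OpenVPN's sample client.conf to $1.
write_sample_client_conf() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
ca ca.crt
cert client.crt
key client.key
;comp-lzo
verb 3
EOF
}

# make_client_ovpn TEMPLATE SERVER_IP CLIENT_NAME OUTFILE
make_client_ovpn() {
    template="$1" server_ip="$2" client_name="$3" out="$4"
    # Reject anything that is not an IPv4 address or hostname, and any
    # client name that could not be a plain file name.
    case "$server_ip" in ""|*[!A-Za-z0-9.-]*) echo "bad address: $server_ip" >&2; return 1 ;; esac
    case "$client_name" in ""|*[!A-Za-z0-9_-]*) echo "bad client name" >&2; return 1 ;; esac
    sed -e "s/^remote my-server-1 1194\$/remote $server_ip 1194/" \
        -e "s/^cert client\.crt\$/cert $client_name.crt/" \
        -e "s/^key client\.key\$/key $client_name.key/" \
        -e 's/^[;#][[:space:]]*comp-lzo$/comp-lzo/' \
        "$template" > "$out" || return 1
    # These four settings must match the ones in the server's server.conf.
    printf '%s\n' 'tun-mtu 1500' 'tun-mtu-extra 32' 'mssfix 1450' 'reneg-sec 0' >> "$out"
}

# Print the arguments of the first active occurrence of directive $1 in file $2.
ovpn_value() {
    sed 's/^[[:space:]]*//' "$2" |
        awk -v d="$1" '$1 == d { sub(/^[^ \t]+[ \t]*/, ""); print; exit }'
}

# Constructed demo run.
TEMPLATE=$(mktemp); OVPN=$(mktemp)
write_sample_client_conf "$TEMPLATE"
make_client_ovpn "$TEMPLATE" 123.123.123.123 johndoe "$OVPN" && cat "$OVPN"
```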

Establishing a Connection to the OpenVPN Server

You can now execute the OpenVPN GUI on your Windows desktop. Remember that it must run as an administrator to work properly. Once OpenVPN is running on your desktop, you should see an icon like this in your taskbar:

[Image: OpenVPN GUI taskbar icon]

Right-click the OpenVPN taskbar icon and it will display a list of available VPN configurations found (the OVPN files). Select the VPN server you wish to connect to and click “Connect.”

[Image: OpenVPN GUI taskbar menu with the Connect option]

If you’ve done everything correctly, the OpenVPN GUI should soon display the IP address it received from the VPN server (10.8.0.x). Try accessing our IP to location tool to see if you’re browsing the web through the VPN.

Troubleshooting OpenVPN

If you have trouble connecting to the OpenVPN server, you can try running it on a standard TCP port instead of UDP port 1194. Some ISPs block traffic on port 1194. To do so, edit /etc/openvpn/server.conf and make the following changes:

port 80
proto tcp
; proto udp

If port 80 is already in use on your server, try to find another port that your ISP won’t block. Whichever port and protocol you choose, allow them through firewalld as well (the openvpn service you added earlier only covers UDP port 1194), and make that rule permanent. When you are done, restart OpenVPN:

systemctl restart openvpn@server.service

Don’t forget to make the changes to your OVPN file too.

If you still encounter some problems, you can enable debugging in /etc/openvpn/server.conf:

log     openvpn.log
verb 4

Restart the OpenVPN service and watch /etc/openvpn/openvpn.log while attempting to connect to the VPN server:

tail -f /etc/openvpn/openvpn.log

Once you’ve fixed the issue, don’t forget to disable logging.

4 Comments on “How to Setup OpenVPN on CentOS 7 with Firewalld”!

  • Great article guys. Thanks a lot.

    Do you have some guide for Openvpn and Ubuntu by some chance? I need to setup vpn for a client of mine but he has Ubuntu 16.04 and I don’t think that I can implement the instructions from this tutorial for Ubuntu.

    Much appreciated.

    • On Ubuntu, you will have to use “apt-get” to install packages instead of Yum. As for the configuration, it’s going to be quite similar.

  • When trying to start the OpenVPN server, I received a TLS-related error. Essentially, there is no ‘ta.key’ file. Another tutorial may be able to help you set up TLS, but this reddit question got me up and running quickly: https://www.reddit.com/r/OpenVPN/comments/5wihmg/warning_cannot_stat_file_takey/. Essentially, just comment out the line ‘tls-auth ta.key’ in your server.conf file.

  • To avoid the “ta-key” error try this:

    openvpn --genkey --secret ta.key

    Explained in the example config file.
