Install OpenVPN on Centos 8

OpenVPN is virtual private network (VPN) software installed on a virtual private server (VPS). VPNS Take advantage of the network provided by the VPS without the need to connect through an SSH or RDP session. You can connect devices to the VPN server and use that network to mask your local area network.

OpenVPN Requirements

You will need root or administrator access to a server. You can install OpenVPN on a Linux, Windows VPS, or a dedicated server. Below are the steps to install OpenVPN. Note that you will need to use a command line interface to do this.

OpenVPN Preparation

Step 1: Update your system.

Sudo yum update

Step 2: Edit the SELinux Config File

nano /etc/selinux/config

Step 3: Set Selinux to disabled


  • ctrl + x
  • Press the key and
  • Press the ENTER key

Step 4: Edit the SYSCTL.CONF file

nano /etc/sysctl.conf

Step 5: Add the following line to the SYSCTL.CONF file to enable IP Forwarding

net.ipv4.ip\_forward = 1

  • ctrl + x
  • Press the key and
  • Press the ENTER key

Step 6: Apply the changes
sysctl -p
OpenVPN Installation
**Step 1:** Install the OpenVPN server
dnf install epel-release -y
dnf install openvpn -y
Setting the certificate authority
Step 1: Download Easy-RSA to manage SSL certificates
cd /etc/openvpn
tar -xvzf EasyRSA-unix-v3.0.6.tgz
mv EasyRSA-v3.0.6 easy-rsa
Step 2: Configure Certificate Authority
cd /etc/openvpn/easy-rsa
nano vars
Step 3: Add the following and replace anything with \ with your VPS hostname (it looks something like HQSRV-\. Additionally, replace the "set_var easyrsa_req_email" line with your email:
set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_PROVINCE    "Seatle"
set_var EASYRSA_REQ_CITY        "Seatle"
set_var EASYRSA_REQ_EMAIL       "<>"
set_var EASYRSA_REQ_OU          "<HOSTNAME> EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"
Step 4: Start the PKI directory
./easyrsa init-pki
Step 5: Build the CA certificate
./easyrsa build-ca
It will ask you to provide a password. Note the password externally and enter at the prompt. This passphrase will be required in future steps.
You will also be prompted to enter a common name. You can press ENTER to use the default name or enter a custom common name of your choice.
The command will then generate two files named ca.key and ca.crt . These certificates will be used to sign the server and client certificates.
Step 6: Generate the server certificate files. Replace the \ with the hostname of the server. It looks like "HQSRV-
./easyrsa gen-req <HOSTNAME> nopass
This will also ask for a common name. You can enter whatever you want. Some names you could use would be your username, host, or server. Alternatively, you can just hit "Enter" to use the default.
Step 7: Sign the server key using the ca. Replace the \ with the hostname of the server. It looks like "HQSRV-
./easyrsa sign-req server <HOSTNAME>
Type "yes", then press ENTER
Additionally, you will need to provide a passphrase. Use the passphrase you created in Step 5
Step 8: Check the generated certificate file with the following command. Replace the \ with the hostname of the server. It looks like "HQSRV- :
openssl verify -CAfile pki/ca.crt pki/issued/<HOSTNAME>.crt
It should look something like this:
pki/issued/<HOSTNAME>.crt: OK
Step 9: Generate a strong Diffie Hellman key to use for the key exchange:
./easyrsa gen-dh
Step 10: **Copy the certificate files to /etc/openvpn/server/ and **Replace the \ with the hostname of the server. It looks like "HQSRV-
cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/<HOSTNAME>.key /etc/openvpn/server/
cp pki/issued/<HOSTNAME>.crt /etc/openvpn/server/
Step 11: Build the client key file:
./easyrsa gen-req client nopass
Press ENTER or enter a common name of your choice.
Step 12: Sign the client key using the CA certificate:
./easyrsa sign-req client client
Type the word, 'Yes', then press ENTER to confirm
Enter the passphrase you wrote down in Step 5
Step 13: Copy all the client certificate and key files to the /etc/openvpn/client/ directory
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
Configuring the OpenVPN server
Step 1 – Create a new OpenVPN configuration file inside the path /etc/openvpn/client/directory/file
nano /etc/openvpn/server/server.conf
Add the following in the text editor and replace anything labeled \ with your server hostname. It looks like "hqsrv-\
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/<HOSTNAME>.crt
key /etc/openvpn/server/<HOSTNAME>.key
dh /etc/openvpn/server/dh.pem
push "redirect-gateway def1"

push "dhcp-option DNS"
push "dhcp-option DNS"
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
keepalive 20 60
compress lz4
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3
Now do the following to save your file:
  • ctrl + x
  • Press the key and
  • Press the ENTER key
Step 2: Start the OpenVPN server
systemctl start openvpn-server@server
systemctl enable openvpn-server@server
systemctl status openvpn-server@server
Step 3: Generate the client configuration file. This is needed to connect to the OpenVPN server from the client system.
nano /etc/openvpn/client/client.ovpn
Insert the following and replace \ with your Dedicated Primary servers IPv4 address
dev tun
proto udp
remote <Server IP> 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
resolv-retry infinite
compress lz4
verb 3
Now do the following to save your file:
  • ctrl + x
  • Press the key and
  • Press the ENTER key
Configure OpenVPN routing using Firewall
Step 1: Add the OpenVPN service and interface TUN0 to the Trusted Firewall zone:
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
Step 2: Add the masquerade in the default zone:
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade
Step 3: Run the following command to masquerade the Internet traffic coming from the VPN. Replace \ with your server hostname. It looks like "HQSRV\. In this case, you would not need the dash between the "HQSRV" and the"
<HOSTNAME>ovpn=$(ip route get | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s -o $hqsrv702659ovpn -j MASQUERADE
Step 4: Implement the changes:
firewall-cmd --reload
Downloading the OVPN file
Step 1: You will need to download the OVPN directory to your local machine. You can do this in several different ways. The path of the file you need to download is the /etc/openvpn/client directory.
Open your local computer's terminal and type the following. Make sure to replace \ with your server's dedicated IPv4:
scp -r root@**\<SERVER IP>**:/etc/openvpn/client .
Alternatively, connect to your server via SFTP using FileZilla: 
Configuring your local OpenVPN client
Step 1: Install the OpenVPN client. If you have a Windows machine, you can install it here:

Step 2: Import the OpenVPN profile using the downloaded file, "Client.ovpn"

Step 3: Give your profile a name or leave it as the default. Click "Add" after importing the OVPN file.

Step 4 – Connect to your VPN to start using the network!

Step 5: You should be connected to your VPN. Your interface should look like this:

Step 6: Congratulations! They are all done!

No comments

Powered by Blogger.