A VPN lets remote users reach a server's resources over the public internet as if they were on its private network or behind its firewall, and it can link the private networks of several company branches into one.
In this tutorial we set up an OpenVPN server on CentOS 7 and configure a Windows client to connect to it.
Installation of Packages:
OpenVPN: open source SSL/TLS VPN solution
EPEL repo: OpenVPN and Easy-RSA are shipped in the EPEL repository, not in the default CentOS repositories
Easy-RSA: used to create the CA, keys and certificates for the VPN
Enable EPEL first, then install the two packages from it (a single yum command that lists epel-release alongside openvpn fails, because the repository is not enabled until epel-release is installed):
$ sudo yum install epel-release
$ sudo yum install openvpn easy-rsa
Prepare Easy-RSA for Keys and Certificates Generation
Create a directory to save the keys and certificates
$ sudo mkdir -p /etc/openvpn/easy-rsa/keys
Copy the easy-rsa scripts into the openvpn easy-rsa directory
$ sudo cp -rf /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
Special Note: This tutorial uses easy-rsa v3, the latest version at the time of writing (3.0.3). Check the version directory actually installed with ls /usr/share/easy-rsa/ and adjust the path above if it differs.
Change the ownership of the easy-rsa tree to the non-root user who will run the PKI commands (linuxuser is a placeholder; use your own account):
$ sudo chown -R linuxuser /etc/openvpn/easy-rsa/
Set up a new PKI by running the init-pki script
$ cd /etc/openvpn/easy-rsa
$ ./easyrsa init-pki
Special Note: The PKI directory is now /etc/openvpn/easy-rsa/pki
Build Certificate Authority
$ ./easyrsa build-ca nopass
The nopass option leaves the CA private key unencrypted, so certificates can be signed later without typing a passphrase. That key is the root of trust for every server and client certificate you will issue: anyone who obtains it can mint certificates your server accepts. For anything beyond a lab setup, drop nopass so the CA key is passphrase-protected, and keep the CA on a separate, offline machine if you can.
Special Note: The CA certificate is now at /etc/openvpn/easy-rsa/pki/ca.crt and the CA private key at /etc/openvpn/easy-rsa/pki/private/ca.key
Generate server keys and certificates and sign their requests
$ ./easyrsa gen-req centos7-hostadvice nopass
Command Structure
./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass
Note: Server keys are usually generated unencrypted with the nopass argument, because the server has to start at boot without anyone typing a passphrase. Since the key is stored in the clear, restrict who can read it with file ownership and permissions.
Special Note: Server Keypair and certificate request files are now at
req: /etc/openvpn/easy-rsa/pki/reqs/centos7-hostadvice.req
key: /etc/openvpn/easy-rsa/pki/private/centos7-hostadvice.key
Import server certificate request into CA
On the CA, import the request file under a short name, here c7ha. This copies the request into reqs/ under the PKI directory so it can be reviewed and signed. In this tutorial the CA and the server share one machine, so the copy is local; in a production layout the request file would be transferred from the server to a separate CA host (the private key never leaves the server).
$ ./easyrsa import-req pki/reqs/centos7-hostadvice.req c7ha
Command Structure
$ ./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
Review and sign the server request
Review the signing request to confirm the details are the ones you entered
$ ./easyrsa show-req c7ha
Command Structure:
$ ./easyrsa show-req UNIQUE_SHORT_FILE_NAME
Sign the request:
$ ./easyrsa sign-req server c7ha
Command Structure
$ ./easyrsa sign-req server UNIQUE_SHORT_FILE_NAME
Special Note: The signed server certificate is now at /etc/openvpn/easy-rsa/pki/issued/c7ha.crt
Generate client keys and certificates and sign their requests
$ ./easyrsa gen-req win-client0
Command Structure
./easyrsa gen-req UNIQUE_CLIENT_SHORT_NAME
It’s recommended to create encrypted private keys by leaving out the additional nopass option after the name. The nopass option should only be included if automated VPN startup is required. Unencrypted private keys could be utilized by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.
Special Note: Client keypair and certificate request files are now at
req: /etc/openvpn/easy-rsa/pki/reqs/win-client0.req
key: /etc/openvpn/easy-rsa/pki/private/win-client0.key
Import client certificate request into CA
On the CA, import the request file under a short name, here w7c. As with the server request, this copies the file into reqs/ under the PKI directory to prepare it for review and signing.
$ ./easyrsa import-req pki/reqs/win-client0.req w7c
Command Structure
$ ./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
Review and sign the client request
Review the signing request to confirm the details are the ones you entered
$ ./easyrsa show-req w7c
Command Structure:
$ ./easyrsa show-req UNIQUE_SHORT_FILE_NAME
Sign the request:
$ ./easyrsa sign-req client w7c
Command Structure
$ ./easyrsa sign-req client UNIQUE_SHORT_FILE_NAME
Special Note: The signed client certificate is now at /etc/openvpn/easy-rsa/pki/issued/w7c.crt
Generate Diffie-Hellman (DH) key exchange file
The OpenVPN server needs Diffie-Hellman parameters for the key exchange in the TLS handshake with connecting clients. Generating them can take several minutes.
$ ./easyrsa gen-dh
Special note: The dh exchange file is now located at /etc/openvpn/easy-rsa/pki/dh.pem
Copy the OpenSSL config file to a version-less name
$ cp openssl-1.0.cnf openssl.cnf
Reason: easyrsa selects its OpenSSL configuration by detecting the installed OpenSSL version; this copy prevents it from failing to load the configuration when that detection does not work. If you hit such an error during the PKI steps above, make this copy first and rerun them.
Generate the shared static key for tls-crypt (encryption and authentication of the TLS control channel)
$ sudo openvpn --genkey --secret /etc/openvpn/hostadvicevpn.tlsauth
Special Note: This key is referenced as tls-crypt in the server configuration below, and every client must be given a copy of the same file. Packets that do not carry a valid tls-crypt MAC are dropped before the TLS handshake, which hides the server from port scans and limits the exposure of the TLS stack.
Configure openvpn
Copy the sample server.conf into /etc/openvpn (the version number in the path is that of the installed openvpn package; check with ls /usr/share/doc/ if it differs)
$ sudo cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/
Edit the server.conf file
$ sudo vim /etc/openvpn/server.conf
Then uncomment and edit the following lines
ca easy-rsa/pki/ca.crt
cert easy-rsa/pki/issued/c7ha.crt
key easy-rsa/pki/private/centos7-hostadvice.key # This file should be kept secret
dh easy-rsa/pki/dh.pem
topology subnet
server 10.128.0.0 255.255.255.0 # the tunnel subnet handed out to clients; pick one that does not collide with your server's LAN or the clients' LANs
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
tls-crypt hostadvicevpn.tlsauth
user nobody
group nobody
log-append openvpn.log
Special Note: The file paths are relative to /etc/openvpn because the openvpn@.service unit on CentOS 7 starts OpenVPN with --cd /etc/openvpn. Also comment out the sample's tls-auth ta.key 0 line: tls-auth and tls-crypt are mutually exclusive and OpenVPN 2.4 refuses to start with both set. If all client traffic should go through the VPN (which is what the masquerade rules below are for), uncomment push "redirect-gateway def1 bypass-dhcp" as well; without it the pushed DNS servers have little effect.
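The edits above are easy to get subtly wrong (a leftover tls-auth line, a typo in a key path, DNS pushed without a redirect). The following is an added example, not part of the original tutorial or of OpenVPN: a small POSIX shell check that reads a server.conf, strips comments, and reports those mistakes before you start the service. It assumes, as the openvpn@.service unit does, that relative paths in the config are resolved against the directory that holds the config file.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: a sanity check for the
# edited /etc/openvpn/server.conf. Relative file paths are resolved against
# the config's own directory, matching openvpn@.service (--cd /etc/openvpn).

_body=''   # config text with comments and blank lines stripped

# _has DIRECTIVE: true when the directive appears in the stripped config.
_has() {
    printf '%s\n' "$_body" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"
}

# _val DIRECTIVE: first argument of the directive's first occurrence.
_val() {
    printf '%s\n' "$_body" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# _problems CONF: print one ERROR/WARN line per finding.
_problems() {
    conf=$1
    base=$(dirname "$conf")
    # OpenVPN treats '#' and ';' as comment leaders. The quoted values used in
    # this tutorial contain neither, so a plain strip is safe here.
    _body=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")

    # OpenVPN 2.4 refuses to start with both control-channel protections set.
    if _has tls-auth && _has tls-crypt; then
        echo "ERROR: tls-auth and tls-crypt are mutually exclusive; comment out tls-auth"
    fi

    # Every referenced file must be readable from the working directory.
    for key in ca cert key dh tls-crypt tls-auth; do
        f=$(_val "$key")
        [ -n "$f" ] || continue
        case $f in /*) path=$f ;; *) path=$base/$f ;; esac
        [ -r "$path" ] || echo "ERROR: $key points at unreadable file $path"
    done

    _has server || echo "ERROR: no 'server' directive; no tunnel subnet will be allocated"

    # Pushing DNS servers only matters if client traffic is sent into the tunnel.
    if printf '%s\n' "$_body" | grep -q 'push "dhcp-option DNS' &&
       ! printf '%s\n' "$_body" | grep -q 'push "redirect-gateway'; then
        echo "WARN: DNS is pushed but redirect-gateway is not; clients keep their local default route"
    fi
}

# check_server_conf CONF: print findings; exit status 0 only if no ERROR lines.
check_server_conf() {
    out=$(_problems "$1")
    [ -n "$out" ] && printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -q '^ERROR'
}

# On the server from this tutorial:
#   check_server_conf /etc/openvpn/server.conf
```

Run it as the user that owns /etc/openvpn/easy-rsa (or with sudo) so the readability test reflects what OpenVPN, which starts as root before dropping to nobody, will see. Warnings do not change the exit status; errors do.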
Configure Firewalld and Routing
Check the active firewall zones in your server using the command:
$ sudo firewall-cmd --get-active-zones
Allow OpenVPN (port 1194/udp, the client connection port) in the zone that holds your public interface. This tutorial uses the trusted zone; substitute the zone name the previous command printed for that interface (often public). The openvpn service definition already means 1194/udp, so the explicit port rule is redundant but harmless.
$ sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
$ sudo firewall-cmd --permanent --zone=trusted --add-port=1194/udp
Enable masquerading so traffic from the VPN subnet leaves through the server's public interface carrying the server's address
$ sudo firewall-cmd --permanent --zone=trusted --add-masquerade
$ PORTIN=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1); exit }')
$ sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.128.0.0/24 -o $PORTIN -j MASQUERADE
Special Note: The awk expression takes the name after the word dev instead of a fixed field position, so it still returns the right interface on iproute2 versions that append extra fields such as uid. Check it with echo $PORTIN before running the passthrough rule.
Reload firewalld to apply the permanent rules
$ sudo firewall-cmd --reload
Enable IP forwarding so the kernel will route packets between the tunnel interface and the public interface. Without it, traffic arriving from clients on tun0 is dropped instead of being forwarded and masqueraded.
$ sudo vim /etc/sysctl.conf
Add the line:
net.ipv4.ip_forward = 1
Then save the file and apply the setting without a reboot
$ sudo sysctl -p
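The firewall and routing steps above are a handful of commands whose only variable parts are the zone, the egress interface and the tunnel subnet, and the interface lookup is the part most likely to go wrong. The following is an added example, not from the original tutorial: a POSIX shell helper that picks the egress interface by the word dev rather than by field position, and lists the firewalld and sysctl commands for review before they are applied. The zone, interface and subnet are parameters; 10.128.0.0/24 is assumed from the tutorial, and the commands are only executed when APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not part of the original tutorial. Picks the egress
# interface by name and emits (or applies) the firewalld/sysctl commands for
# the tutorial's tunnel subnet. Defaults are assumptions taken from the
# tutorial, not values read from your system.

# egress_iface [ROUTE_LINE]
# Prints the interface that follows "dev" in an `ip route get` line. With no
# argument it queries the live routing table. Fixed-position parsing such as
# $(NF-2) breaks when newer iproute2 appends "uid N"; this does not.
egress_iface() {
    line=${1:-$(ip route get 8.8.8.8 | head -n 1)}
    printf '%s\n' "$line" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# _run CMD...: print the command, or execute it with sudo when APPLY=1.
_run() {
    if [ "${APPLY:-0}" = 1 ]; then sudo "$@"; else printf '%s\n' "$*"; fi
}

# vpn_routing_cmds ZONE IFACE SUBNET
# Open 1194/udp in ZONE, masquerade SUBNET out of IFACE, turn on forwarding
# for the running kernel, reload firewalld. Making ip_forward persistent in
# /etc/sysctl.conf is left to the tutorial text.
vpn_routing_cmds() {
    zone=$1 iface=$2 subnet=$3
    _run firewall-cmd --permanent --zone="$zone" --add-service=openvpn
    _run firewall-cmd --permanent --zone="$zone" --add-masquerade
    _run firewall-cmd --permanent --direct --passthrough ipv4 \
        -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE
    _run sysctl -w net.ipv4.ip_forward=1
    _run firewall-cmd --reload
}

# Review first, then apply:
#   vpn_routing_cmds public "$(egress_iface)" 10.128.0.0/24
#   APPLY=1 vpn_routing_cmds public "$(egress_iface)" 10.128.0.0/24
```

Pass the zone that firewall-cmd --get-active-zones reported for the public interface; putting the rules in a zone the interface is not a member of has no effect, which is a quiet way for this setup to fail.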
Start and enable openvpn service
$ sudo systemctl -f enable openvpn@server
$ sudo systemctl start openvpn@server
Confirm openvpn running
$ sudo systemctl status openvpn@server
Configure Windows client for vpn connection
Download the OpenVPN client for Windows from https://openvpn.net/index.php/open-source/downloads.html and install it.
Copy these files from the server to the Windows machine over a secure channel (scp or WinSCP, never e-mail) and place them in C:\Program Files\OpenVPN\config\:
ca.crt: /etc/openvpn/easy-rsa/pki/ca.crt
w7c.crt: /etc/openvpn/easy-rsa/pki/issued/w7c.crt
win-client0.key: /etc/openvpn/easy-rsa/pki/private/win-client0.key
hostadvicevpn.tlsauth: /etc/openvpn/hostadvicevpn.tlsauth
Special Note: Do not use the "Generate a Static OpenVPN Key" shortcut in the Start menu. It creates a new, unrelated key, and the client must present the same tls-crypt key the server was given.
Copy C:\Program Files\OpenVPN\sample-config\client.ovpn into the config folder, open it as Administrator and set the following parameters:
remote <server ip-address> 1194
ca ca.crt
cert w7c.crt
key win-client0.key
tls-crypt hostadvicevpn.tlsauth
Also comment out the sample's tls-auth ta.key 1 line, since tls-auth and tls-crypt cannot both be set.
Go to Start > All Programs > OpenVPN > OpenVPN GUI, right click and select "Run as Administrator", then right-click the tray icon and choose Connect. Because win-client0.key was generated without nopass, the GUI prompts for its passphrase. The connection log is written to C:\Program Files\OpenVPN\log\client.log.
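Moving four separate files to every Windows client and keeping their names in sync with the .ovpn is error-prone; OpenVPN also accepts the CA, certificate, key and tls-crypt key inline in the profile. The following is an added example, not part of the original tutorial: a POSIX shell function, run on the server, that assembles one self-contained .ovpn from the files this tutorial produced. The file names are the tutorial's; the server address is an argument; remote-cert-tls server and the cipher line are taken from the OpenVPN 2.4 sample client config.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: build a single client
# profile with CA, client cert, client key and tls-crypt key inlined, so only
# one file has to be moved to the Windows machine (still over a secure channel,
# since it contains the private key).

# _pem_only FILE
# easy-rsa writes a human-readable certificate dump above the PEM block in
# issued/*.crt; OpenVPN only needs the PEM part, so keep just that.
_pem_only() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# make_ovpn SERVER_HOST CA_CRT CLIENT_CRT CLIENT_KEY TLSCRYPT_KEY
# Writes the profile to stdout; returns 1 if any input file is unreadable.
make_ovpn() {
    host=$1 ca=$2 crt=$3 key=$4 tc=$5
    for f in "$ca" "$crt" "$key" "$tc"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
<ca>
$(_pem_only "$ca")
</ca>
<cert>
$(_pem_only "$crt")
</cert>
<key>
$(cat "$key")
</key>
<tls-crypt>
$(cat "$tc")
</tls-crypt>
EOF
}

# On the server from this tutorial (replace 203.0.113.10 with its address):
#   cd /etc/openvpn/easy-rsa
#   make_ovpn 203.0.113.10 pki/ca.crt pki/issued/w7c.crt \
#       pki/private/win-client0.key /etc/openvpn/hostadvicevpn.tlsauth > win-client0.ovpn
```

Drop the resulting win-client0.ovpn into C:\Program Files\OpenVPN\config\ and connect from the GUI; since win-client0.key was generated without nopass, the inlined key is still encrypted and the GUI asks for its passphrase. remote-cert-tls server makes the client reject any certificate that was not signed with the server type (sign-req server above), which stops a stolen client certificate from being used to impersonate the server.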