A virtual private network (VPN) encrypts all network traffic, hiding users and protecting them from untrusted networks. It can provide a secure connection to the corporate network, bypass geo-restrictions, and let you surf the web using public Wi-Fi networks while keeping your data private.

What Is OpenVPN?

OpenVPN is the most famous VPN protocol that is used in most of the large domestic and foreign sites and companies, and sometimes this protocol alone is enough, we will discuss the reasons for this.

Due to the fact that there is filtering in our dear country of Iran, like in other countries of the world, many users use VPN to bypass it, and whether it is right or wrong depends on the user.

Unlock your potential with a Linux VPS. Buy Linux VPS now and master OpenVPN on CentOS 7!

Configure OpenVPN on centos 7

A virtual private network (VPN) allows you to browse untrusted networks as if you were on a private network. It allows you to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network, such as WiFi in a hotel or coffee shop.

This setting allows you to secure your login and wireless transactions when connecting with HTTPS connections. and protect any unencrypted HTTP traffic from an untrusted network.

OpenVPN is a complete open source and secure VPN solution with open source (SSL) that includes a wide range of settings. In this tutorial, you will set up OpenVPN on a CentOS 7 server and then configure it to be accessible from a client device.

Prerequisites

• A server running CentOS 7 or CentOS 8
• A user account having root (sudo) privileges.
• The ability to access the command line/terminal window
• A domain name or subdomain that points to your server.
• A client computer that will connect to the OpenVPN server.

Step 1: install OpenVPN

Run the following command to update the CentOS repository and packages:

yum update -y

The OpenVPN package is not available in the CentOS default repository. OpenVPN, on the other hand, is accessible through the Extra Packages for Enterprise Linux (EPEL) repository. Run the following command to activate the EPEL repository:

yum install epel-release -y

Update the repositories once more:

yum update -y

With the following command, you can now install OpenVPN:

yum install -y openvpn

Step 2: Setup Easy RSA

The next step is to create a Public Key Infrastructure (PKI). Install simple RSA, a command-line application for building and administering a PKI Certificate Authority (CA).

Easy RSA assists you in establishing an internal certificate authority (CA) and creating SSL key pairs to safeguard VPN connections.

Use the wget command to get the simple RSA package. If you don’t have wget installed on your CenOS machine, run:

yum install -y wget

The most recent version of the CLI tool at the time of writing is 3.1.6, which we shall download. To use a different version, see simple RSA’s GitHub release page.

wget https://github.com/OpenVPN/easy-rsa/archive/refs/tags/v3.1.6.tar.gz

Following that, extract the downloaded archive:

tar -xf v3.1.6.tar.gz

Make and place the following files in a new openvpn directory:

cd /etc/openvpn/

Then, under the path /etc/openvpn, create a subfolder called easy-rsa:

mkdir /etc/openvpn/easy-rsa

Delete the extracted directory and replace it with /etc/openvpn/easy-rsa:

mv /root/easy-rsa-3.1.6 /etc/openvpn/easy-rsa

To see whether you successfully migrated everything from the easy-rsa-3.1.6 directory, cd /etc/openvpn/easy-rsa and use ls to display the contents.

Step 3: Configure OpenVPN

After installing OpenVPN and Easy RSA, you may proceed to setup the OpenVPN server.

The guidelines in this part will assist you in completing the basic setup. You may change it to suit your requirements.

Return to the root directory before performing any of the instructions. In the terminal window, type cd and press Enter.

To begin, copy the example server.conf file from the OpenVPN documentation directory:

cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn

If you can’t find the OpenVPN example configuration file, use the find command to locate it:

find / -name server.conf

Then, using your preferred text editor, open the copied configuration file:

vi etc/openvpn/server.conf

The command displays the example OpenVPN configuration file. The file’s comments begin with a hashtag # or a semicolon ;.

To complete the basic setup, remove the semicolons from the following lines.

• topology subnet (makes the OpenVPN installation function as a subnetwork)
• push "redirect-gateway def1 bypass-dhcp" (instructs the client to redirect traffic through the OpenVPN server)
• push "dhcp-option DNS 208.67.222.222" (uses an OpenDNS resolver to connect to OpenVPN)
• push "dhcp-option DNS 208.67.220.220" (uses an OpenDNS resolver to connect to OpenVPN)
• user nobody (runs OpenVPN with no privileges)
• group nobody (runs OpenVPN with no privileges)

Then, in order to allow TLS authentication, create a static encryption key. Locate the line tls-auth ta.key 0 and comment it by inserting ; in front of it. Then, beneath it, add a new line:

tls-crypt myvpn.tlsauth

Nota bene: The configuration file defines the DNS servers to use when connecting to OpenVPN. It is configured by default to utilize OpenDNS resolvers, which is how we left it. You may also alter the DNS resolvers by adjusting the push “dhcp-option DNS 208.67.222.222” and push “dhcp-option DNS 208.67.220.220” lines.

The configuration file should be saved and exited.

Finally, use the following command to produce the static encryption key indicated in the file:

openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth

Step 4: Generate Keys and Certificates

It uses a set of scripts installed with the program to generate keys and certificates. In order to avoid reconfiguration every time you need to generate a certificate, you can change the Easy RSA configuration to define the default values ​​used for the certificate fields, including your desired country, city, and email address. We’ll start the process of generating keys and certificates by creating a directory where Easy RSA will store your generated keys and certificates:

sudo mkdir /etc/openvpn/easy-rsa/keys

The default certificate variables are set in the vars file in /etc/openvpn/easy-rsa, so open that file for editing:

sudo nano /etc/openvpn/easy-rsa/vars

Scroll to the bottom of the file and change the values ​​starting with KEY_ export to match your information. The most important things:

KEY_CN: Enter the domain or subdomain that resolves to your server here.

KEY_NAME: You must enter the server here. If you enter something else, you must also update the corresponding server.key and

server.crt configuration files.

Other variables in this file you may want to change:

KEY_COUNTRY: For this variable, enter the two-letter abbreviation of your country of residence.

KEY_PROVINCE: This should be the name or abbreviation of your state of residence.

KEY_CITY: Here, enter the name of the city where you live.

KEY_ORG: This should be the name of your organization or company.

KEY_EMAIL: Enter the email address you want to connect to the security certificate.

KEY_OU: This should be the name of the “Organizational Unit” that you belong to, typically either the name of your group or team.

The rest of the variables can safely be ignored outside of specific use cases. After making your changes, the file should look like this:

. . .
# These are the default values for fields
# which will be placed in the certificate.
# Don’t leave any of these fields blank.
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”NY”
export KEY_CITY=”New York”
export KEY_ORG=”Famaserver.com”
export KEY_EMAIL=”[email protected]”
export [email protected]
export KEY_CN=openvpn.example.com
export KEY_NAME=”server”
export KEY_OU=”Community”
. . .

Save and close the file.

To start generating keys and certificates, enter the new variables you set in the vars file into the simple rsa folder and resource:

cd /etc/openvpn/easy-rsa
source ./vars

Run the easy RSA clean script to delete the keys and certificates in this folder and generate the license key:

./clean-all

Next, build the certificate authority with the build-ca script. You will be asked to enter values ​​for the certificate fields, but if you set the variables in the WARS file, all your options will already be set to default. You can press ENTER to accept each default:

./build-ca

This script creates a file called ca.key. This is the private key used to sign your server and client certificates. If lost, you can no longer trust any certificates from this CA, and if someone is able to access this file, they can sign new certificates and gain access to your VPN without your knowledge. . For this reason, OpenVPN recommends storing the ca.key in a location that may be offline and should only be activated when generating new certificates.
Next, generate a server key and license using the build-key-server script:

./build-key-server server

As with the CA build, you will see the values ​​set as default so you can enter ENTER in these fields. In addition, you will be asked to enter a challenge password and an optional company name. If you enter a challenge password, you will be prompted when connecting to the VPN on the client side. If you don’t want to set a challenge password, just leave this line blank and press ENTER. Finally, enter Y to commit the changes.
The last part of creating server keys and certificates is generating a Diffie-Hellman key exchange file. To do this, use the build-dh script:

./build-dh

this might take several minutes.
After you’ve finished generating your server by creating the key exchange file, copy the server keys and certificates from the hotkeys directory to the OpenVpn directory:

 cd /etc/openvpn/easy-rsa/keys
sudo cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Each client also needs a certificate to authenticate the OpenVPN server. These keys and certificates are generated on the server and then you will have to copy them to your client, which we will do in the next step. It is recommended that you generate separate keys and licenses for each client you intend to connect to your VPN.
Since we’ll only be deploying one client here, we’ll call it client, but you can change it to a more descriptive name if you like:

 cd /etc/openvpn/easy-rsa
./build-key client

Finally, copy the opened version OpenSSL configuration file, openssl-1.0.0.cnf, to a version name, openssl.cnf. Failure to do so can result in an error where OpenSSL cannot load the configuration because it cannot detect its own version:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Now that you have all the necessary keys and certificates created for your server and client, you can move on to setting up routing between the two devices.

Step 5: Firewall and Routing Configuration

Set Firewall Rules

Begin by inspecting your active firewalled zone:

firewall-cmd --get-active-zones

Your firewalled zone will be shown in the output. It is public in the example below.

Add the openvpn service to the list of services allowed by firewalld in the active zone. In our scenario, the active zone is open to the public. Modify the command appropriately if your active zone is trusted.

firewall-cmd --zone=public --add-service openvpn

Then, execute the following command to make the aforementioned adjustments permanent:

firewall-cmd --zone=public --add-service openvpn --permanent

To check whether the openvpn service has been added, execute the following command:

firewall-cmd --list-services --zone=public

Then, to the runtime instance, add a masquerade:

firewall-cmd --add-masquerade

Additionally, make it permanent:

firewall-cmd --add-masquerade --permanent

Verify that the masquerade has been added by running:

firewall-cmd --query-masquerade

The output should respond with yes.

In this article, we reviewed the steps for setting up a VPN server on the CentOS operating system.

By implementing these steps and settings, users can access their personal network remotely and use secure and encrypted communication to transfer information.

Similar to above training: