Wednesday, January 20, 2021

How to Install OpenVPN Server on RHEL / CentOS 8 and Configure a Windows / Linux OpenVPN Client

 This guide will explain how to install and configure OpenVPN Server on RHEL / CentOS 8. A Virtual Private Network (VPN) allows you to traverse untrusted networks securely as if you were within a secure LAN network. OpenVPN is a full-featured, open-source Secure Socket Layer (SSL) VPN solution that supports a wide range of configurations.

With OpenVPN, you can easily set up a secure tunnel that extends a private network across a public network. All traffic being sent is encrypted and you can trust the information received on the other end. In this blog post, we will explore an easy way of installing and configuring an OpenVPN server on RHEL / CentOS 8.

Install OpenVPN Server on RHEL / CentOS 8

There are two options for setting up an OpenVPN server on RHEL / CentOS 8.

1.    Installing OpenVPN server manually – Time consuming

2.    Install OpenVPN server using automated scripts – Easy and quick

This guide will focus on using a trusted script to install and configure the OpenVPN server. We will use the openvpn-install script, which lets you set up your own VPN server in no more than a minute, even if you haven’t used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.

Step 1: Add EPEL and Install git

Add the EPEL repository to your RHEL / CentOS 8 system. It provides the openvpn package and the required dependencies.

How to Install EPEL Repository on RHEL / CentOS 8

We also need git to pull the code from GitHub. Ensure it is installed.

sudo dnf -y install git

Step 2: Clone openvpn-install repository

Now clone the openvpn-install repository using the git tool installed in Step 1:

$ cd ~
$ git clone https://github.com/Nyr/openvpn-install.git
Cloning into 'openvpn-install'…
remote: Enumerating objects: 360, done.
remote: Total 360 (delta 0), reused 0 (delta 0), pack-reused 360
Receiving objects: 100% (360/360), 104.04 KiB | 263.00 KiB/s, done.
Resolving deltas: 100% (180/180), done.

Step 3: Run OpenVPN installer

Switch to the openvpn-install directory and run the installer script.

$ cd openvpn-install
$ chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

You will get a couple of prompts to change or confirm default settings for the installation.

Welcome to this OpenVPN "road warrior" installer!
 I need to ask you a few questions before starting the setup.
 You can leave the default options and just press enter if you are ok with them.
 First, provide the IPv4 address of the network interface you want OpenVPN
 listening to.
 IP address: 192.168.122.198
 This server is behind NAT. What is the public IPv4 address or hostname?
 Public IP address / hostname: vpn.example.com
 Which protocol do you want for OpenVPN connections?
    1) UDP (recommended)
    2) TCP
 Protocol [1-2]: 1
 What port do you want OpenVPN listening to?
 Port: 1194
 Which DNS do you want to use with the VPN?
    1) Current system resolvers
    2) 1.1.1.1
    3) Google
    4) OpenDNS
    5) Verisign
 DNS [1-5]: 1
 Finally, tell me your name for the client certificate.
 Please, use one word only, no special characters.
 Client name: computingforgeeks
 Okay, that was all I needed. We are ready to set up your OpenVPN server now.
 Press any key to continue…
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Extra Packages for Enterprise Linux 7 - x86_64                                                                         189 kB/s |  16 MB     01:24   
 Last metadata expiration check: 0:00:54 ago on Wed 20 Mar 2019 07:23:31 PM EAT.
 Package epel-release-7-11.noarch is already installed.
 Dependencies resolved.
 Nothing to do.
 Complete!
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Waiting for process with pid 1906 to finish.
 Package iptables-1.8.0-11.el8.x86_64 is already installed.
 Package openssl-1:1.1.1-6.el8.x86_64 is already installed.
 Package ca-certificates-2018.2.24-6.el8.noarch is already installed.
 Dependencies resolved.
  Package                           Arch                    Version                           Repository                                           Size
 Installing:
  openvpn                           x86_64                  2.4.7-1.el7                       epel                                                522 k
 Installing dependencies:
  pkcs11-helper                     x86_64                  1.11-3.el7                        epel                                                 56 k
  libnsl                            x86_64                  2.28-18.el8                       rhel-8-for-x86_64-baseos-beta-rpms                   84 k
  compat-openssl10                  x86_64                  1:1.0.2o-3.el8                    rhel-8-for-x86_64-baseos-beta-rpms                  1.1 M
 Transaction Summary
 Install  4 Packages
 Total download size: 1.8 M
 Installed size: 4.6 M
 Downloading Packages:
 (1/4): pkcs11-helper-1.11-3.el7.x86_64.rpm                                                                              34 kB/s |  56 kB     00:01   
 (2/4): openvpn-2.4.7-1.el7.x86_64.rpm                                                                                  191 kB/s | 522 kB     00:02   
 (3/4): libnsl-2.28-18.el8.x86_64.rpm                                                                                    26 kB/s |  84 kB     00:03   
 (4/4): compat-openssl10-1.0.2o-3.el8.x86_64.rpm
.......................                

You need to set:

·       Server’s IP address to be used by VPN

·       The hostname of Server if inside NAT

·       OpenVPN protocol to be used – TCP or UDP

·       OpenVPN port

·       DNS Nameserver to be used with VPN

·       Name of first client profile to create

If the installation was successful, you should receive a message similar to the one below.

..............
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 commonName            :ASN.1 12:'computingforgeeks'
 Certificate is to be certified until Mar 17 16:24:47 2029 GMT (3650 days)
 Write out database with 1 new entries
 Data Base Updated
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2018
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 140135296710464:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 An updated CRL has been created.
 CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 788
 success
 success
 success
 success
 success
 success
 612
 Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
 Finished!
 Your client configuration is available at: /root/computingforgeeks.ovpn
 If you want to add more clients, you simply need to run this script again!

The main OpenVPN server configuration file is /etc/openvpn/server.conf. You are free to tune it to your liking.

$ cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.122.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
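
Before tuning this file, it helps to know which directives carry the security weight. The script below is an added example, not code from this guide or from the openvpn-install project: it audits a server.conf for CRL enforcement, a control-channel key, privilege drop, and the cipher and auth settings. The sample config it writes is constructed, and tls-crypt is an OpenVPN 2.4 alternative to tls-auth that does not appear in the config above.

```shell
#!/usr/bin/env bash
# Added example, not part of openvpn-install: audit an OpenVPN 2.4 server.conf.

# Print the first argument of directive $2 in file $1 ("set" if it takes none).
conf_get() {
    awk -v d="$2" '$1 == d { print ($2 == "" ? "set" : $2); exit }' "$1"
}

# Print one finding per line; return 1 if any FAIL was reported.
audit_openvpn_conf() {
    local conf="$1" rc=0 cipher auth user
    cipher=$(conf_get "$conf" cipher)
    auth=$(conf_get "$conf" auth)
    user=$(conf_get "$conf" user)
    # Revoking a client only takes effect if the server loads the CRL.
    [ -n "$(conf_get "$conf" crl-verify)" ] ||
        { echo "FAIL crl-verify missing: revoked certificates are still accepted"; rc=1; }
    # tls-auth / tls-crypt authenticate control-channel packets with a shared key.
    [ -n "$(conf_get "$conf" tls-auth)$(conf_get "$conf" tls-crypt)" ] ||
        { echo "FAIL no tls-auth or tls-crypt key configured"; rc=1; }
    # The daemon should drop root after start-up.
    case "$user" in
        ""|root) echo "FAIL daemon keeps root (user=${user:-unset})"; rc=1 ;;
    esac
    # OpenVPN 2.4 falls back to BF-CBC and SHA1 when these are unset.
    case "$cipher" in
        "") echo "WARN cipher unset: OpenVPN 2.4 defaults to BF-CBC" ;;
        none|BF-CBC|DES-*) echo "FAIL weak cipher: $cipher"; rc=1 ;;
    esac
    [ -n "$auth" ] || echo "WARN auth unset: OpenVPN 2.4 defaults to SHA1"
    return "$rc"
}

# Constructed sample: the config above with crl-verify and user removed.
sample=$(mktemp)
printf '%s\n' 'port 1194' 'proto udp' 'auth SHA512' 'tls-auth ta.key 0' \
    'cipher AES-256-CBC' 'group nobody' > "$sample"
audit_openvpn_conf "$sample" || echo "=> fix the FAIL lines, then restart the server"
rm -f "$sample"
```

On the server, run audit_openvpn_conf /etc/openvpn/server.conf; the config shown above produces no findings.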

A tun0 virtual interface is created during the setup process. It serves the OpenVPN client subnet.

$ ip addr | grep tun0
 3: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
     inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0

The default subnet for this interface is 10.8.0.0/24. The OpenVPN server is assigned the IP address 10.8.0.1.

Step 3: Generate OpenVPN user profile (.ovpn file)

After completing step 1 through 3, your VPN Server is ready for use. We need to generate VPN Profiles to be used by the users. The same script we used for the installation will be used for this. It manages the creation and revocation of user profiles.

Run the script and select 1 to add a new user.

$ sudo ./openvpn-install.sh

Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 1
 Tell me a name for the client certificate.
 Please, use one word only, no special characters.
 Client name: user1
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2018
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139966006863680:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Generating a RSA private key
 ……………………………………………………………………..+++++
 ……………………………………….+++++
 writing new private key to '/etc/openvpn/easy-rsa/pki/private/user1.key.SeCj8ncgaH'
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139828629223232:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 commonName            :ASN.1 12:'user1'
 Certificate is to be certified until Mar 17 16:48:32 2029 GMT (3650 days)
 Write out database with 1 new entries
 Data Base Updated
 Client user1 added, configuration is available at: /root/user1.ovpn

The .ovpn OpenVPN profile file is placed inside the /root folder.

$ sudo ls /root/ | grep ovpn
computingforgeeks.ovpn
user1.ovpn

Revoking OpenVPN user profile

To revoke a user profile, run the script and select 2.

$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 2
 Select the existing client certificate you want to revoke:
      1) computingforgeeks
      2) user1
 Select one client [1-2]: 2
 Do you really want to revoke access for client user1? [y/N]: y
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 140410149218112:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 Revoking Certificate FAC5CC0C127D1242CC55BD31B7FB27D3.
 Data Base Updated
 Using SSL: openssl OpenSSL 1.1.1 FIPS  11 Sep 2018
 Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
 Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
 139874879330112:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:90:Filename=/etc/openvpn/easy-rsa/pki/.rnd
 An updated CRL has been created.
 CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 Certificate for client user1 revoked!
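
A revocation only blocks the client once its serial is in the CRL that the server loads through crl-verify. The script below is an added example, not code from this guide or from the openvpn-install project: it lists the revoked rows of the CA database and reports any that are missing from the CRL. The sample rows are constructed (only the user1 serial is taken from the output above), and index.txt is assumed to sit next to crl.pem in the pki directory, as in a standard Easy-RSA 3 layout.

```shell
#!/usr/bin/env bash
# Added example, not part of openvpn-install: confirm revoked clients are in the CRL.

# Print "CN SERIAL" for each revoked (R) row of an OpenSSL CA index.txt.
# Columns are tab-separated: status, expiry, revocation date, serial, file, subject.
revoked_clients() {
    awk -F'\t' '$1 == "R" { cn = $6; sub(/^.*\/CN=/, "", cn); print cn, $4 }' "$1"
}

# Succeed if serial $1 is listed in the `openssl crl -noout -text` output file $2.
crl_lists_serial() {
    grep -Eiq "^[[:space:]]*Serial Number:[[:space:]]*$1[[:space:]]*\$" "$2"
}

# Print clients revoked in index.txt ($1) but absent from the CRL text ($2),
# i.e. a stale CRL that still lets them connect. Return 1 if any are found.
stale_revocations() {
    local rc=0 cn serial
    while read -r cn serial; do
        [ -n "$serial" ] || continue
        crl_lists_serial "$serial" "$2" || { echo "$cn $serial"; rc=1; }
    done <<EOF
$(revoked_clients "$1")
EOF
    return "$rc"
}

# Constructed sample data. On the server, produce the CRL text with:
#   openssl crl -in /etc/openvpn/easy-rsa/pki/crl.pem -noout -text > crl.txt
work=$(mktemp -d)
printf 'V\t290317162447Z\t\t0A1B2C3D\tunknown\t/CN=computingforgeeks\n' > "$work/index.txt"
printf 'R\t290317164832Z\t190320165000Z\tFAC5CC0C127D1242CC55BD31B7FB27D3\tunknown\t/CN=user1\n' >> "$work/index.txt"
printf 'Revoked Certificates:\n    Serial Number: FAC5CC0C127D1242CC55BD31B7FB27D3\n' > "$work/crl.txt"
stale_revocations "$work/index.txt" "$work/crl.txt" && echo "CRL covers every revoked client"
rm -rf "$work"
```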

Uninstalling OpenVPN server on RHEL/CentOS 8

If you no longer need OpenVPN server, uninstallation can be done using the same installer script.

$ sudo ./openvpn-install.sh
Looks like OpenVPN is already installed.
 What do you want to do?
    1) Add a new user
    2) Revoke an existing user
    3) Remove OpenVPN
    4) Exit
 Select an option [1-4]: 3
 Do you really want to remove OpenVPN? [y/N]: y
 788
 success
 success
 success
 success
 success
 success
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Dependencies resolved.
....
Complete!
OpenVPN removed!

Step 4: Connect to OpenVPN Server from the client

You can use the VPN client of your choice to configure the OpenVPN client on your operating system. For those who want to use the official OpenVPN client, go to the downloads page, get the latest release, and install it.

Once installed, on Windows, navigate to the directory with the ovpn profile, right-click on the file name and select “Start OpenVPN on this config file”.

For CentOS Linux users, you can use NetworkManager and the openvpn plugin to connect to the OpenVPN server.

Install NetworkManager on CentOS 7

CentOS 7 comes with NetworkManager installed and running; you only need to install the openvpn plugin to be able to import an .ovpn profile.

sudo yum install NetworkManager-openvpn NetworkManager-openvpn-gnome

How to Import OpenVPN profile (.ovpn) using nmcli

Once you have installed the required packages and generated an OpenVPN profile, continue to import the profile.

In this example, I assume the OpenVPN profile is called myopenvpn.ovpn and is located under your $HOME. Import the profile using the command:

$ cd ~/
$ sudo nmcli connection import type openvpn file myopenvpn.ovpn
Connection 'myopenvpn' (464b7c20-8999-4699-a4d7-3233cd7ea91e) successfully added.

You can confirm if the profile was imported successfully using the command:

$ nmcli connection show

To start using the profile, bring it up using:

$ nmcli connection up myopenvpn
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/27)

To check the connection details, use:

$ nmcli connection show myopenvpn
$ nmcli connection show myopenvpn | grep -Ei 'IP4|IP6'

Depending on how you configured route pushing on your OpenVPN server, you can check which routes were populated:

$ ip route

Try accessing any network on the route to see if it’s working.

Conclusion

You have successfully installed the OpenVPN server on RHEL/CentOS 8. The computers at each end of the VPN tunnel encrypt the data entering the tunnel and decrypt it at the other end. Check the OpenVPN documentation for more configuration options.

 

Monday, January 18, 2021

How to find how many times you’ve visited a website?

By default, all Web browsers allow you to check the list of previously visited websites but only a few let you count their numbers. Browsers like Firefox support this capability while others like Chrome help you find it through an extension. So, if you want to know how many times you’ve visited a website, using Firefox or Chrome, read on.

Find out how many times you’ve visited a website

Finding how many times you’ve visited a website is an effective way of monitoring someone to ensure that they are using Internet resources correctly. In Firefox, do the following.

  1. Launch Firefox.
  2. Open Menu.
  3. Choose Library.
  4. Expand the History menu.
  5. Scroll down to Show all History.
  6. Switch to View column.
  7. Expand Show Columns menu.
  8. Choose Visit Count.

Mozilla Firefox has a built-in feature that shows you how many times you have visited a website. Make sure you are using the latest version of the browser.

Launch the Firefox browser.

Open the menu (visible as 3 horizontal bars) and choose Library from the list of options displayed.

Next, move to the History section and scroll down to click Show all History option.

When the Library window opens, click the Views drop-down arrow.

Expand the Show Columns menu and choose Visit Count from the list of options visible. This will help you find the number of times you visited a website. You can change the timeline as per your preferences.

Chrome browser

For the Chrome browser, there’s no default option to check the number of times you visited a website.

As a workaround, you can try the History Trends Chrome extension.

The extension analyzes your entire browsing history and displays a variety of charts and statistics. It also displays the number of visits, as the Top 10 most visited domains. Apart from this, it displays the following stats and charts:

  • Total URLs visited and the total number of visits
  • Top 10 most visited URLs
  • Top 10 busiest days
  • Chart of visits by hour of the day
  • Chart of visits by day of week
  • Chart of visits by day of the month
  • Chart of visits by month
  • Chart of transition type (e.g., link, bookmark, reload, etc)

Simply click the extension icon and allow the extension to calculate your trends. It should be noted that you can access or find the number of visits for up to the past 3 months of history only, as this is the limit set by Google Chrome.