In order to connect to an OpenVPN server to allow you access your intranet local resources, you simply would need an OpenVPN client. In this guide, we are going to learn how to install and configure OpenVPN Client on Rocky Linux 8. Note that the OpenVPN software can be configured to either work as the server or the client.
Learn how to install and configure OpenVPN Server on Rocky Linux 8 by following the link below;
Setup OpenVPN Server on Rocky Linux 8
Install and Configure OpenVPN Client on Rocky Linux 8
Install OpenVPN Client on Rocky Linux 8
Install OpenVPN client on Rocky Linux 8 by running the commands below;
dnf epel-release -y
dnf info openvpn
Available Packages Name : openvpn Version : 2.4.11 Release : 1.el8 Architecture : x86_64 Size : 543 k Source : openvpn-2.4.11-1.el8.src.rpm Repository : epel Summary : A full-featured SSL VPN solution URL : https://community.openvpn.net/ License : GPLv2 Description : OpenVPN is a robust and highly flexible tunneling application that uses all : of the encryption, authentication, and certification features of the : OpenSSL library to securely tunnel IP networks over a single UDP or TCP : port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library : for compression
You can then install OpenVPN client by executing the command;
dnf install openvpn
Configure OpenVPN Client on Rocky Linux 8
To be able to connect to OpenVPN server, you need to create the client’s configuration containing the CA certificate, the client server certificate and the key.
If you followed our guide on setting up OpenVPN server on Rocky Linux 8, we described how to generate the clients certificate files and keys.
Once you have generated the keys, copy them to the client and take a note of the path where they are stored.
You also need to copy the HMAC key and the CA cert to the client.
You can then create the OpenVPN client configuration.
For example, to create an OpenVPN configuration file for the client, gentoo, whose certificates and keys are, gentoo.crt and gentoo.key;
vim gentoo.ovpn
client tls-client pull dev tun proto udp4 remote 192.168.60.19 1194 resolv-retry infinite nobind #user nobody #group nogroup persist-key persist-tun key-direction 1 remote-cert-tls server auth-nocache comp-lzo verb 3 auth SHA512 tls-auth ta.key 1 ca ca.crt cert gentoo.crt key gentoo.key
Note that in this setup, the client certificate, the key, the CA certificate and the HMAC key are located on the same path as the OpenVPN client configuration itself, gentoo.ovpn.
ls -1 .
ca.crt
gentoo.crt
gentoo.key
gentoo.ovpn
ta.key
In order to avoid the issues with the paths to the certificates and the keys, you can put them inline on the configuration file;
client tls-client pull dev tun proto udp4 remote 192.168.60.19 1194 resolv-retry infinite nobind #user nobody #group nogroup persist-key persist-tun key-direction 1 remote-cert-tls server auth-nocache comp-lzo verb 3 auth SHA512 <tls-auth> -----BEGIN OpenVPN Static key V1----- feb1af5407baa247d4e772c76aed6c75 ... -----END OpenVPN Static key V1----- </tls-auth> <ca> -----BEGIN CERTIFICATE----- MIIDTjCCAjagAwIBAgIUX0VQrHTgLDabUUIOAf7tD9cGp4YwDQYJKoZIhvcNAQEL ... WA9BBk2shVWfR849Lmkep+GPyqHpU47dZAz37ARB2Gfu3w== -----END CERTIFICATE----- </ca> <cert> Certificate: Data: Version: 3 (0x2) Serial Number: ... /7FvJaeLqmUHnvSs5eBlRZSgtOL19SCFkG0HXdnw3LtBaoHQXxgzOkDPW1+5 -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+DI7kg6MsRoCs ... 6WdLcNtWKAcU294xJEZoOA8/ -----END PRIVATE KEY----- </key>
Do the same on all the client servers for every user that needs to connect to the vpn.
If you noticed, the lines below are commented to avoid the error, ERROR: Linux route add command failed: external program exited with error status: 2 by flushing created routes before adding them again on reconnection.
#user nobody #group nogroup
The OpenVPN client configuration file is now ready.
Connecting to OpenVPN Server on Rocky Linux 8
You can then connect to OpenVPN server on demand or configure your server to establish VPN configuration file whenever the system reboots.
Connect to OpenVPN on Command Line using openvpn command
To connect on demand, simple use the openvpn
command as;
sudo openvpn client-config.ovpn
or
sudo openvpn --config client-config.ovpn
Where client-config is the client’s openvpn configuration file, like gentoo.ovpn file above.
If the connection to the OpenVPN server is successful, you should see an Initialization Sequence Completed
.
Wed Jun 30 15:27:16 2021 OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021 Wed Jun 30 15:27:16 2021 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 Wed Jun 30 15:27:16 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Wed Jun 30 15:27:16 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Wed Jun 30 15:27:16 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.60.19:1194 Wed Jun 30 15:27:16 2021 Socket Buffers: R=[212992->212992] S=[212992->212992] Wed Jun 30 15:27:16 2021 UDPv4 link local: (not bound) Wed Jun 30 15:27:16 2021 UDPv4 link remote: [AF_INET]192.168.60.19:1194 Wed Jun 30 15:27:16 2021 TLS: Initial packet from [AF_INET]192.168.60.19:1194, sid=7ec70642 fdcdad40 Wed Jun 30 15:27:16 2021 VERIFY OK: depth=1, CN=Kifarunix-demo CA Wed Jun 30 15:27:16 2021 VERIFY KU OK Wed Jun 30 15:27:16 2021 Validating certificate extended key usage Wed Jun 30 15:27:16 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Wed Jun 30 15:27:16 2021 VERIFY EKU OK Wed Jun 30 15:27:16 2021 VERIFY OK: depth=0, CN=server Wed Jun 30 15:27:16 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1586', remote='link-mtu 1602' Wed Jun 30 15:27:16 2021 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC' Wed Jun 30 15:27:16 2021 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256' Wed Jun 30 15:27:16 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Wed Jun 30 15:27:16 2021 [server] Peer Connection Initiated with [AF_INET]192.168.60.19:1194 Wed Jun 30 15:27:17 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Wed Jun 30 15:27:17 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.10.3,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: timers and/or timeouts modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ifconfig/up options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: route options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: route-related options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: peer-id set Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: adjusting link_mtu to 1625 Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: data channel crypto options modified Wed Jun 30 15:27:17 2021 Data Channel: using negotiated cipher 'AES-256-GCM' Wed Jun 30 15:27:17 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 30 15:27:17 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 30 15:27:17 2021 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73 Wed Jun 30 15:27:17 2021 TUN/TAP device tun0 opened Wed Jun 30 15:27:17 2021 TUN/TAP TX queue length set to 100 Wed Jun 30 15:27:17 2021 /sbin/ip link set dev tun0 up mtu 1500 Wed Jun 30 15:27:17 2021 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 Wed Jun 30 15:27:17 2021 /sbin/ip route add 192.168.60.19/32 via 10.0.2.2 Wed Jun 30 15:27:17 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 Wed Jun 30 15:27:17 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 Wed Jun 30 15:27:17 2021 Initialization Sequence Completed
To check the IP addresses;
ip add show tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::697:ce38:b852:540c/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Test connectivity to the VPN server;
ping 10.8.0.1 -c 3
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=2.71 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=2.42 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=1.95 ms
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 46ms
rtt min/avg/max/mdev = 1.952/2.362/2.713/0.316 ms
You should also be able to get internet access depending on your server routes setup.
Running OpenVPN Client as Service
In order to establish connections automatically whenever the server reboots, you can enable OpenVPN client systemd service.
Before you can do this, change the extension of your VPN config file from .ovpn
to .conf
. Replace the file names accordingly.
cp gentoo.{ovpn,conf}
Copy the .conf
file to OpenVPN client configurations directory, /etc/openvpn/client
.
mv gentoo.conf /etc/openvpn/client
Next, disable SELinux (I dont recommend this though, -:));
setenforce 0 && sed -i 's/=enforcing/=permissive/' /etc/selinux/config
Start OpenVPN client systemd service. Replace the name gentoo with the name of your .conf configuration file.
systemctl start [email protected]
To check the status;
systemctl status [email protected]
● [email protected] - OpenVPN tunnel for gentoo Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled; vendor preset: disabled) Active: active (running) since Wed 2021-06-30 15:48:47 EDT; 12s ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 39782 (openvpn) Status: "Initialization Sequence Completed" Tasks: 1 (limit: 11272) Memory: 1.6M CGroup: /system.slice/system-openvpn\x2dclient.slice/[email protected] └─39782 /usr/sbin/openvpn --suppress-timestamps --nobind --config gentoo.conf Jun 30 15:48:48 localhost.localdomain openvpn[39782]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jun 30 15:48:48 localhost.localdomain openvpn[39782]: ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73 Jun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN/TAP device tun0 opened Jun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN/TAP TX queue length set to 100 Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip link set dev tun0 up mtu 1500 Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 192.168.60.19/32 via 10.0.2.2 Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 Jun 30 15:48:48 localhost.localdomain openvpn[39782]: Initialization Sequence Completed
To enable it to run on system boot;
systemctl enable [email protected]
You have successfully installed and setup OpenVPN client Rocky Linux 8.
That brings us to the end of our tutorial on how to install and configure OpenVPN Client on Rocky Linux 8.
Other tutorials
Assign Static IP Addresses for OpenVPN Clients
Configure OpenVPN LDAP Based Authentication