In this guide, we are going to learn how to install and set up an OpenVPN server on CentOS 8. OpenVPN is a robust and highly flexible open-source VPN software that uses the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It extends a private network across a public network while maintaining the security that would be achieved in a private network.
Setup OpenVPN Server on CentOS 8
Install EPEL Repository
The latest OpenVPN packages are provided by the EPEL repositories on CentOS 8 and similar derivatives. EPEL can be installed on CentOS 8 by running the command below;
dnf install epel-release -y
Install OpenVPN on CentOS 8
Once the EPEL repos are in place, you can install the OpenVPN package on CentOS 8 by executing the command below;
dnf install openvpn
Install Easy-RSA CA Utility on CentOS 8
The Easy-RSA package is a shell-based CA utility used to generate the SSL key pairs and certificates that secure VPN connections.
dnf install easy-rsa
Create OpenVPN Public Key Infrastructure
The first step in setting up an OpenVPN server is to create a PKI, which consists of public and private keys for the OpenVPN server and the connecting clients, plus a master Certificate Authority (CA) certificate and private key for signing the server and client certificates. If possible, create the PKI on a separate machine rather than on the OpenVPN server itself, so that the CA private key is not exposed on a host reachable by VPN clients.
Initialize the PKI
Easy-RSA is used for PKI management. The Easy-RSA scripts are installed under the /usr/share/easy-rsa directory.
To ensure that any configuration you make to Easy-RSA is not overwritten by a package upgrade, copy the scripts to a different directory, preferably under /etc.
mkdir /etc/easy-rsa
cp -air /usr/share/easy-rsa/3/* /etc/easy-rsa/
Once the scripts are in place, navigate to the directory and initialize the PKI.
cd /etc/easy-rsa/
./easyrsa init-pki
Generate the Certificate Authority (CA) Certificate and Key
Next, generate the CA certificate and key that will be used to sign certificates by running the commands below within the Easy-RSA directory above.
./easyrsa build-ca
This will prompt you for the CA key passphrase and the CA common name.
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
Enter New CA Key Passphrase: ENTER PASSWORD
Re-Enter New CA Key Passphrase: RE-ENTER PASSWORD
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
.+++++
e is 65537 (0x010001)
Can't load /etc/easy-rsa/pki/.rnd into RNG
140160794502976:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: Kifarunix-CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt
The CA certificate is stored at /etc/easy-rsa/pki/ca.crt.
Generate Diffie Hellman Parameters
While still within the same Easy-RSA directory as above, execute the command below to generate the Diffie-Hellman parameters file used for key exchange during the TLS handshake with connecting clients.
./easyrsa gen-dh
The command will take some time to complete. It then stores the DH parameters in the /etc/easy-rsa/pki/dh.pem file.
Generate OpenVPN Server Certificate and Key
To generate a certificate and private key for the OpenVPN server, run the command below;
cd /etc/easy-rsa
./easyrsa build-server-full server nopass
When the command runs, you will be prompted for the CA key passphrase created above. The nopass argument disables the use of a passphrase on the server's private key, so that the OpenVPN service can start without interactive input.
Generate Hash-based Message Authentication Code (HMAC) key
To generate the TLS pre-shared authentication key that adds an additional HMAC signature to every TLS handshake packet, so that packets without a valid HMAC are dropped before any TLS processing (mitigating DoS attacks and UDP port flooding), run the command below;
openvpn --genkey --secret /etc/easy-rsa/pki/ta.key
Generate a Revocation Certificate
In order to be able to invalidate a previously signed certificate, you need to generate a certificate revocation list (CRL).
./easyrsa gen-crl
The CRL is stored at /etc/easy-rsa/pki/crl.pem.
Copy Server Certificates and Keys to Server Directory
Next, copy all the generated certificates and keys to the OpenVPN server configuration directory.
cp -rp /etc/easy-rsa/pki/{ca.crt,dh.pem,ta.key,crl.pem,issued,private} /etc/openvpn/server/
Generate OpenVPN Client Certificate and Key
To generate an OpenVPN client certificate and private key, run the command below;
cd /etc/easy-rsa
./easyrsa build-client-full koromicha nopass
where koromicha is the name of the client for which the certificate and key are generated. Always use a unique common name for each client you generate a certificate and key for.
To generate for the second client,
./easyrsa build-client-full johndoe nopass
Copy Client Certificates and Keys to Client Directory
Create a directory for each client under the OpenVPN client directory;
mkdir /etc/openvpn/client/{koromicha,johndoe}
Next, copy each client's generated certificate and key, together with the CA certificate, to the client's configuration directory. You can
cp -rp /etc/easy-rsa/pki/{ca.crt,issued/koromicha.crt,private/koromicha.key} /etc/openvpn/client/koromicha
cp -rp /etc/easy-rsa/pki/{ca.crt,issued/johndoe.crt,private/johndoe.key} /etc/openvpn/client/johndoe/
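The per-client directories above hold loose files; most clients are easier to provision with a single inline .ovpn profile. The function below assembles one. It is an added example, not part of the original guide: it assumes the directory layout created above (ca.crt, <name>.crt and <name>.key in the client's directory), assumes the shared HMAC key lives at /etc/openvpn/server/ta.key, and takes the server's public hostname as an argument (vpn.example.com is a placeholder). The client options mirror the server configuration used later in this guide, and key-direction 1 is the counterpart of the server's tls-auth ta.key 0. remote-cert-tls server makes the client refuse any peer whose certificate was not issued with the server role, so a leaked client certificate cannot be used to impersonate the server.

```shell
#!/bin/sh
# build_client_profile NAME SERVER_HOST CLIENT_DIR TA_KEY
# Prints an inline OpenVPN client profile to stdout.
# Added example; not code from the guide or the OpenVPN project.
build_client_profile() {
    name="$1"; server_host="$2"; client_dir="$3"; ta_key="$4"

    # Refuse to emit a half-built profile if any input is unreadable.
    for f in "$client_dir/ca.crt" "$client_dir/$name.crt" \
             "$client_dir/$name.key" "$ta_key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # These options must match the server.conf from this guide
    # (proto, cipher, auth, compression, tls-auth direction).
    cat <<EOF
client
dev tun
proto udp4
remote $server_host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3
key-direction 1
<ca>
$(cat "$client_dir/ca.crt")
</ca>
<cert>
$(cat "$client_dir/$name.crt")
</cert>
<key>
$(cat "$client_dir/$name.key")
</key>
<tls-auth>
$(cat "$ta_key")
</tls-auth>
EOF
}

# Usage from the server, after the copy step above (placeholder hostname):
#   build_client_profile koromicha vpn.example.com \
#       /etc/openvpn/client/koromicha /etc/openvpn/server/ta.key > koromicha.ovpn
if [ $# -ge 4 ]; then
    build_client_profile "$@"
fi
```

The generated file contains the client's private key, so deliver it over a channel you trust and delete it from the server once the client has it.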
Configure OpenVPN Server on CentOS 8
OpenVPN comes with a sample configuration file within its documentation directory. Copy the file to /etc/openvpn/server/ and modify it to suit your needs.
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
Open the config for modification.
vim /etc/openvpn/server/server.conf
The file is heavily commented. Read the comments for every configuration option.
In the most basic form, below are our configuration options, with no comments.
port 1194
proto udp4
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key # This file should be kept secret
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 192.168.10.3"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA512
Save and exit the configuration once done modifying.
Want to assign fixed/static IP addresses to your OpenVPN clients? Follow the guide below;
Assign Static IP Addresses for OpenVPN Clients
Create log directory;
mkdir /var/log/openvpn/
Explore the configuration and fine-tune it further to suit your needs.
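Before starting the service it is worth confirming that every file the configuration names actually exists where the service will look for it, and that the secret files are not readable by other users. The script below is an added example, not part of the original guide or the OpenVPN project. It reads the directives of server.conf that name files (ca, cert, key, dh, tls-auth, tls-crypt, crl-verify), resolves relative paths against the configuration's own directory (the openvpn-server@.service unit runs from /etc/openvpn/server, which is why the guide can use relative names), checks that each file exists, flags private keys and the HMAC key when group or others can read them, and warns when there is no crl-verify directive: the crl.pem generated with easyrsa gen-crl and copied above is not consulted by the server until the configuration references it with crl-verify crl.pem, so without that line a revoked client certificate is still accepted. The permission test uses the group/other columns of ls -l so that it works with any POSIX shell.

```shell
#!/bin/sh
# check_server_conf /path/to/server.conf
# Prints one line per file-referencing directive and returns 0 when all
# referenced files exist and secret material is private, 1 otherwise.
# Added example; not code from the guide or the OpenVPN project.
check_server_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    problems=0
    has_crl=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 1; }

    # The comment-stripped config is fed through a here-document so the
    # loop runs in the current shell and can update the counters.
    while read -r directive arg _rest; do
        [ -n "$directive" ] || continue
        case "$directive" in
            ca|cert|key|dh|tls-auth|tls-crypt|crl-verify) ;;
            *) continue ;;
        esac
        [ "$directive" = crl-verify ] && has_crl=1

        # Relative names are resolved the way the service resolves them:
        # against the directory holding server.conf.
        case "$arg" in
            /*) path="$arg" ;;
            *)  path="$dir/$arg" ;;
        esac

        if [ ! -f "$path" ]; then
            echo "MISSING  $directive -> $path"
            problems=$((problems + 1))
            continue
        fi

        # Private keys and the tls-auth/tls-crypt key must not be readable
        # by group or others; columns 5-10 of "ls -l" are those bits.
        case "$directive" in
            key|tls-auth|tls-crypt)
                bits=$(ls -ld "$path" | cut -c5-10)
                if [ "$bits" != "------" ]; then
                    echo "EXPOSED  $directive -> $path (group/other bits: $bits)"
                    problems=$((problems + 1))
                else
                    echo "OK       $directive -> $path"
                fi ;;
            *)  echo "OK       $directive -> $path" ;;
        esac
    done <<EOF
$(sed -e 's/[#;].*$//' "$conf")
EOF

    if [ "$has_crl" -eq 0 ]; then
        echo "WARN     no crl-verify directive: revoked client certificates are still accepted"
    fi
    [ "$problems" -eq 0 ]
}

# Usage on the server built in this guide:
#   check_server_conf /etc/openvpn/server/server.conf
if [ $# -ge 1 ]; then
    check_server_conf "$1"
fi
```

Run it as root after copying the PKI files and again after any edit to server.conf; a non-zero exit means the service would either fail to start or start with a secret that other local users can read.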
Configure OpenVPN Server Routing
To ensure that traffic from the clients is routed out through the server's IP address (which also masks the clients' own IP addresses), you need to enable IP forwarding on the OpenVPN server;
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Run the command below to effect the changes without rebooting the server.
sysctl --system
Allow OpenVPN service port through firewall
firewall-cmd --add-port=1194/udp --permanent
Activate IP Masquerading
firewall-cmd --add-masquerade --permanent
Traffic arriving from the OpenVPN subnet (10.8.0.0/24 in our case) must be masqueraded behind the interface through which the server sends packets out. Find that interface by running the command below;
ip route get 8.8.8.8
8.8.8.8 via 192.168.43.1 dev enp0s3 src 192.168.43.73 uid 0
The interface name and the subnet may be different in your case. Replace them accordingly.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
Reload firewalld for the changes to take effect.
firewall-cmd --reload
Start OpenVPN and set it to run on system boot.
systemctl enable --now openvpn-server@server
When the OpenVPN service is running, it creates a tunnel interface, tun0;
ip add s
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::2ed5:8f74:c456:96b7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Checking the logs;
tail /var/log/openvpn/openvpn.log
/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET][undef]:1194
UDPv4 link remote: [AF_UNSPEC]
GID set to nobody
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
IFCONFIG POOL LIST
Initialization Sequence Completed
Your OpenVPN server is now up and running. That brings us to the end of our guide on how to install and set up an OpenVPN server on CentOS 8.
You can now proceed to configure OpenVPN clients;
Install and Configure OpenVPN Client on CentOS 8/Ubuntu 18.04
Configure OpenVPN LDAP Based Authentication
Related Tutorial
Configure IPSEC VPN using StrongSwan on Ubuntu 18.04