How to Install and Configure OpenVPN Server with Linux and Windows Clients in RHEL/CentOS 7


A Virtual Private Network is a technology solution used to provide privacy and security for inter-network connections. The most well-known case consists of people connecting to a remote server with traffic going through a public or insecure network (such as the Internet).

Picture the following scenarios:

OpenVPN Network Diagram

In this article we will explain how to set up a VPN server in a RHEL/CentOS 7 box using OpenVPN, a robust and highly flexible tunneling application that uses the encryption, authentication, and certification features of the OpenSSL library. For simplicity we will only consider a case where the OpenVPN server acts as a secure Internet gateway for a client.

For this setup, we’ve used three machines: the first one acts as the OpenVPN server and the other two (one Linux, one Windows) act as clients that connect to the remote OpenVPN server.

Note: The same instructions also work on RHEL/CentOS 6 and Fedora systems.

Installing OpenVPN Server

To install OpenVPN on a RHEL/CentOS 7 server, you will first have to enable the EPEL repository and then install the package, along with easy-rsa – a small package of scripts used primarily for RSA key management and for building certificates.

# yum update && yum install epel-release
# yum install openvpn easy-rsa

When the installation completes, head over to the sample configuration files directory:

# cd /usr/share/doc/openvpn-*/sample/sample-config-files/

and copy the server.conf file to /etc/openvpn:

# cp server.conf /etc/openvpn

Now we’re ready to start configuring the server.

Generate Keys and Certificates

The easy-rsa package provides several scripts as utilities, located inside /usr/share/easy-rsa/2.0 after installation, to generate keys and certificates. For our convenience, we are going to copy those files into /etc/openvpn/rsa (you need to create this directory first). Enter y if prompted to overwrite the existing files:

# mkdir /etc/openvpn/rsa
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa

Generate OpenVPN Keys and Certificates

Next, we will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs (fields are self-explanatory):

export KEY_SIZE=2048
export CA_EXPIRE=365
export KEY_EXPIRE=365
export KEY_CITY="VillaMercedes"
export KEY_ORG=""
export KEY_EMAIL="[email protected]"
export KEY_NAME="GabrielCanepa"

And source the file to export the variables and their values to the current environment (you will need them in the next step). You will see a message informing you the purpose of the clean-all script (also present in the same directory):

# source ./vars

Export Keys and Certificates

Now run the following scripts from that same directory (/etc/openvpn/rsa), in the order shown.

# ./clean-all

The build-ca script will create a Certificate Authority (certificate + key) in /etc/openvpn/rsa/keys. Press Enter to accept the default values:

# ./build-ca

OpenVPN Certificate Authority Key

Next, we will create the key and the certificate for the server itself. As before, accept the default values and then press y to confirm the signing of the certificate:

# ./build-key-server server

Create Keys and Certificates for Server

Next, generate the Diffie-Hellman parameters used for the key exchange that complements RSA (this will take quite some time). The build-dh script will create a file named dh2048.pem inside /etc/openvpn/rsa/keys:

# ./build-dh

Finally, create separate certificate files for each client that will use your VPN server (change client to a name of your choosing):

# ./build-key client

The above step will create a certificate and key for a client. Follow the same steps as before to complete the process. Later in this tutorial we will download these files to a client that will use them to connect to the VPN server.

Configuring the OpenVPN Server

Let’s now dive into /etc/openvpn/server.conf:

1. Point the dh directive at the Diffie-Hellman parameters file generated earlier (the file name reflects the parameter length). Don’t use a length below 2048 bits if you don’t want to expose yourself to security threats:

dh /etc/openvpn/rsa/keys/dh2048.pem

2. All IP traffic (such as web browsing and DNS lookups) should go through the VPN. Make sure the following line is uncommented:

push "redirect-gateway def1 bypass-dhcp"

3. As a consequence of #2, you need to specify at least two DNS servers that will be used to resolve names. The defaults in the sample file are OpenDNS resolvers; you can either keep them or use Google’s (8.8.8.8 and 8.8.4.4):

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

4. Finally, as a security measure, we will ensure that openvpn runs with the least privilege by changing the user and the group to nobody:

user nobody
group nobody
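As an added example (not part of the original tutorial), here is a small POSIX shell audit that checks a server.conf for the four settings above, run against two constructed sample configs; the sample paths and the 8.8.8.8/8.8.4.4 resolvers are illustrative.

```sh
#!/bin/sh
# Audit an OpenVPN server.conf for the four settings above; the exit status is the number of problems.
# Usage: audit_openvpn_conf /etc/openvpn/server.conf

# Print the value of the first active (uncommented) occurrence of a directive.
conf_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" | head -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]]*//"
}
fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

audit_openvpn_conf() {
    conf=$1; problems=0
    # 1. dh: read the parameter length from the file name (dh2048.pem) and insist on >= 2048 bits
    dh=$(conf_value "$conf" dh)
    bits=$(printf '%s' "${dh##*/}" | tr -dc '0-9')
    if [ -z "$dh" ] || [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        fail "dh parameters missing or shorter than 2048 bits ('$dh')"
    fi
    # 2. all client traffic must be redirected through the tunnel
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf" || fail "redirect-gateway is not pushed"
    # 3. redirected clients need at least two pushed DNS servers to resolve names
    dns=$(grep -Ec '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]' "$conf" || true)
    [ "$dns" -ge 2 ] || fail "only $dns DNS server(s) pushed"
    # 4. least privilege: the daemon must drop to nobody after start-up
    for d in user group; do
        [ "$(conf_value "$conf" "$d")" = nobody ] || fail "$d is not nobody"
    done
    [ "$problems" -eq 0 ] && echo "OK: $conf passes all checks"
    return "$problems"
}

# Constructed sample configs (not from the page): one weak, one hardened.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
dh /etc/openvpn/rsa/keys/dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;user nobody
group nobody
EOF
cat >"$HARDENED_CONF" <<'EOF'
dh /etc/openvpn/rsa/keys/dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
EOF
audit_openvpn_conf "$WEAK_CONF" || echo "weak config: $? problem(s)"
audit_openvpn_conf "$HARDENED_CONF"
```

Run it against /etc/openvpn/server.conf after editing; the weak sample above reports four problems, the hardened one none.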

We also need to allow VPN traffic through firewalld and enable masquerading:

# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --add-service=openvpn
# firewall-cmd --permanent --add-masquerade
# firewall-cmd --add-masquerade

And copy the certificate and key files to /etc/openvpn (the following command assumes your current working directory is /etc/openvpn/rsa/keys):

# cp ca.crt server.crt server.key ../../

Then enable the service:

# systemctl -f enable openvpn@server.service
# systemctl start openvpn@server.service

At this point it’s a good idea to check the status of the service.

# systemctl -l status openvpn@server.service

If it failed to start,

# journalctl -xn

will provide necessary debug information to troubleshoot any issues.


Posted by News Monkey