CentOS 7 Set Up OpenVPN Server In Easy Way and route the traffic through VPN

Introduction OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as WiFi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass the geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN server on CentOS Linux 7 server.

Procedure: CentOS 7 Set Up OpenVPN Server In Easy Way

The steps are as follows:

Step 1 – Update your system

Run the yum command:
{shrini@centos7:~ }$ sudo yum update

Step 2 – Find and note down your IP address

Use the ip command as follows:
{shrini@centos7:~ }$ ip a
{shrini@centos7:~ }$ ip a show eth0


Another option is to run the following dig command/host command to find out your public IP address from Linux command line:
{shrini@centos7:~ }$ dig +short myip.opendns.com @resolver1.opendns.com
One can grab find IPv4 address using the dig and awk command:
{shrini@centos7:~ }$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'”‘ ‘{ print $2}’
For IPv6 version, try:
{shrini@centos7:~ }$ dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'”‘ ‘{ print $2}’

Finding out AWS/EC2 or Lighsail NAT IP address from the CLI

A note about IP address

Most cloud servers have two types of IP address: Public static IP address directly assigned to your box and routed from the Internet. For example, Linode, Digital Ocean, and others gives you direct public IP address.Private static IP address directly attached to your server and your server is behind NAT with public IP address. For example, AWS EC2/Lightsail give you this kind of NAT public IP address.The script will automatically detect your networking setup. All you have to do is provide correct IP address when asked for it.

Step 3 – Download and run centos7-vpn.sh script

I am going to use the wget command:

{shrini@centos7:~ }$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos7-vpn.sh


Setup permissions using the chmod command{shrini@centos7:~ }$ chmod +x centos7-vpn.sh
One can view the script using a text editor such as vim/vi :
{shrini@centos7:~ }$ vi centos7-vpn.sh

Run centos7-vpn.sh to install OpenVPN server

Now all you have to do is:
{shrini@centos7:~ }$ sudo ./centos7-vpn.sh
Sample session from AWS/Lightsail where my cloud server is behind NAT:

Sample session from Linode/DO server where cloud server has direct public IPv4 address:


To avoid problem always choose DNS as 1.1.1.1 or Google DNS. Those are fast DNS server and reached from anywhere on the Internet.

Route VPN clients Traffic through VPN.

Edit following line under below path…

#vi /etc/openvpn/server.conf

Comment below line and add the following line

push “redirect-gateway def1 bypass-dhcp” (Comment this line add below line)

push “redirect-gateway def1”

Save the file once it done

VPN client config

At the end of the installation, you need to provide a client name. We can choose client names such as desktop for desktop VPN client or ios for Apple iPhone and so on. We can also encrypt the private key with a password for added security. So every time you start a VPN session, you need to provide a password for added security reasons:

Do you want to protect the configuration file with a password?

How do I start/stop/restart OpenVPN server on CentOS 7 ?

{shrini@centos7:~ }$ sudo systemctl stop [email protected] #<— stop server
{shrini@centos7:~ }$ sudo systemctl start [email protected] #<— start server
{shrini@centos7:~ }$ sudo systemctl restart [email protected] #<— restart server
{shrini@centos7:~ }$ sudo systemctl status [email protected] #<— get server status

● [email protected] – OpenVPN service for server

   Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: disabled)

   Active: active (running) since Tue 2021-02-09 17:09:55 UTC; 1s ago

 Main PID: 2241 (openvpn)

   Status: “Initialization Sequence Completed”

   CGroup: /system.slice/system-openvpn\x2dserver.slice/[email protected]

           └─2241 /usr/sbin/openvpn –status /run/openvpn-server/status-server.log –status-version 2 –suppress-timestamps –config server.conf

Feb 09 17:09:55 centos7 openvpn[2241]: setsockopt(IPV6_V6ONLY=0)

Feb 09 17:09:55 centos7 openvpn[2241]: UDPv6 link local (bound): [AF_INET6][undef]:1194

Feb 09 17:09:55 centos7 openvpn[2241]: UDPv6 link remote: [AF_UNSPEC]

Feb 09 17:09:55 centos7 openvpn[2241]: GID set to nobody

Feb 09 17:09:55 centos7 openvpn[2241]: UID set to nobody

Feb 09 17:09:55 centos7 openvpn[2241]: MULTI: multi_init called, r=256 v=256

Feb 09 17:09:55 centos7 openvpn[2241]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=112, base_ipv6=fd42:42:42:42::1000

Feb 09 17:09:55 centos7 openvpn[2241]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1

Feb 09 17:09:55 centos7 openvpn[2241]: IFCONFIG POOL LIST

Feb 09 17:09:55 centos7 openvpn[2241]: Initialization Sequence Completed

See “How to set up a firewall using FirewallD on CentOS 7 or 8” for more info.

Step 4 – Connect an OpenVPN server using IOS/Android/Linux/Windows client

You can locate “*.ovpn” file using the find command:
sudo find / -iname “*.ovpn” -ls

On server your will find a client configuration file called ~/desktop.ovpn. All you have to do is copy this file to your local desktop using the scp command:
{shrini@centos7:~ }$ scp [email protected]:~/deskcop.ovpn .
OR
{shrini@centos7:~ }$ scp [email protected]:~/deskcop.ovpn .
Next, provide this file to your OpenVPN client to connect:

  1. Apple app store: Apple iOS client
  2. Google play store: Android client
  3. Apple MacOS (OS X) client
  4. Windows 8/10 client

Linux Desktop: OpenVPN client configuration

First, install the openvpn client for your desktop as per your distro.

CentOS/RHEL/Oracle Linux desktop

Execute the yum command:
{shrini@centos7:~ }$ sudo yum install openvpn

Fedora Linux desktop

Run the dnf command:
{shrini@centos7:~ }$ sudo dnf install openvpn

Debian/Ubuntu Linux destkop

We need use the apt command/apt-get command:
{shrini@centos7:~ }$ sudo apt install openvpn
Next, copy desktop.ovpn as follows:
{shrini@centos7:~ }$ sudo cp desktop.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
{shrini@centos7:~ }$ sudo openvpn –client –config /etc/openvpn/desktop.conf
Your Linux system will automatically connect when computer restart using openvpn script/service:
{shrini@centos7:~ }$ sudo systemctl enable openvpn@client
{shrini@centos7:~ }$ sudo systemctl start openvpn@client

Step 5 – Verify/test the connectivity

Execute the following commands after connecting to OpenVPN server from your Linux desktop:
{shrini@centos7:~ }$ ping 10.8.0.1 #Ping to the OpenVPN server gateway
{shrini@centos7:~ }$ ip route #Make sure routing setup working
{shrini@centos7:~ }$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Must return public IP address of OpenVPN server

 

Step 6 – How to add additional OpenVPN client on a CentOS 7

First, log in to your openvpn based CentOS 7 server using the ssh command:
ssh shrini@your-centos7-server-ip

Run downloaded centos7-vpn.sh script again:
sudo ./centos7-vpn.sh
Sample session:

Welcome to OpenVPN-install!

The git repository is available at: https://github.com/angristan/openvpn-install

It looks like OpenVPN is already installed. 

What do you want to do?

   1) Add a new user

   2) Revoke existing user

   3) Remove OpenVPN

   4) Exit

Select an option [1-4]:

We can now add a new VPN user or delete existing VPN user.

A note about trouble shooting OpenVPN server and client issues

Check OpenVPN server for errors:
{shrini@centos7:~ }$ journalctl –identifier openvpn

Click to enlarge image

Is firewall rule setup correctly on your server? Use the cat command to see rules:
{shrini@centos7:~ }$ sudo cat /etc/iptables/add-openvpn-rules.sh

#!/bin/sh

iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o eth0 -j push “redirect-gateway def1 bypass-dhcp”MASQUERADE

iptables -I INPUT 1 -i tun0 -j ACCEPT

iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT

iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT

iptables -I INPUT 1 -i eth0 -p udp –dport 1194 -j ACCEPT

ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o eth0 -j MASQUERADE

ip6tables -I INPUT 1 -i tun0 -j ACCEPT

ip6tables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT

ip6tables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT

ip6tables -I INPUT 1 -i eth0 -p udp –dport 1194 -j ACCEPT

Another option is to run iptables command and sysctl command commands to verify NAT rule setup on your server:
{shrini@centos7:~ }$ sudo iptables -t nat -L -n -v
{shrini@centos7:~ }$ sysctl net.ipv4.ip_forward


Insert the rules if not inserted from/etc/iptables/add-openvpn-rules.sh
{shrini@centos7:~ }$ sudo sh /etc/iptables/add-openvpn-rules.sh
{shrini@centos7:~ }$ sudo sysctl -w net.ipv4.ip_forward=1
Is OpenVPN server running and port is open? Use the ss command or netstat command and pidof command/ps command:
{shrini@centos7:~ }$ netstat -tulpn | grep :1194 ## 1194 is the openvpn server port ##
{shrini@centos7:~ }$ ss -tulpn | grep :1194 ## 1194 is the openvpn server port ##
{shrini@centos7:~ }$ ps aux | grep openvpn ## is the openvpn server running? ##
{shrini@centos7:~ }$ ps -C openvpn ## is the openvpn server running? ##
{shrini@centos7:~ }$ pidof openvpn ## find the openvpn server PID ##


If not running, restart the OpenVPN server:
{shrini@centos7:~ }$ sudo systemctl restart [email protected]
Look out for errors:
{shrini@centos7:~ }$ sudo systemctl status [email protected]
Can the Linux desktop client connect to the OpenVPN CentOS 7 server machine? First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections. Use the nmap command (replace 1.2.3.4 with actual server public IPv4):
{shrini@centos7:~ }$ sudo nmap -sU -p 1194 1.2.3.4
If not connected it means either a Linux desktop firewall or your router is blocking access to server. Make sure both client and server using same protocol and port, e.g. UDP port 1194.

A note about FirewallD on CentOS 7

Do you have FirewallD enabled on CentOS 7? Find out:
sudo systemctl is-enabled firewalld.service
If you see enabled, then type the following commands:

## [– eth0 is server interface with IPv4/IPv6 –] #### [– tun0 is OpenVPN interface #### [– 10.8.0.0/24 sub/net for OpenVPN –] #### [– ADJUST VALUES AS PER YOUR SET UP WHEN TYPING THE FOLLOWING COMMANDS –] ##sudo firewall-cmd –zone=trusted –add-interface=tun0sudo firewall-cmd –permanent –zone=trusted –add-interface=tun0sudo firewall-cmd –permanent –add-service openvpnsudo firewall-cmd –permanent –zone=trusted –add-service openvpnsudo firewall-cmd –reloadsudo firewall-cmd –list-services –zone=trustedsudo firewall-cmd –add-masqueradesudo firewall-cmd –add-masquerade –permanentsudo firewall-cmd –query-masqueradesudo firewall-cmd –permanent –direct –passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

A note about AWS EC2 cloud CentOS 7 users

Make sure you open OpenVPN UDP port 1194 using security groups as explained here.

Conclusion

Congratulations. You successfully set up an OpenVPN server on CentOS Linux 7.0 server running in the cloud. See the OpenVPN website here and script site here for additional information.

Comments are closed.