How do i set up OpenVPN Server on CentOS 8 Linux server to protect my browsing activities from attackers and intruders on public Wifi?
OpenVPN is a popular free open source virtual private network (VPN) software which enables us to connect securely to an insecure public network such as a Wi-Fi network at the airport or hotel.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform Installation tasks on their CentOS Server.
Today, we will show you the steps you need to take to configure an OpenVPN server on CentOS 8 Linux server.
As earlier stated, OpenVPN is a virtual private network (VPN) software with security of the system in mind.
It works on Linux and Unix-like operating systems and released under the GNU GPL license.
Basically, VPN is an important aspect of every businesses and enterprises for security purposes.
Now let us see how to set it up.
To set up an OpenVPN server, you can follow the steps below.
Start by logging into your Server via an ssh tool such as putty as the root user.
Once logged in, then ensure that the packages and software on the server is up to date. To do this, run the yum command or dnf command as shown below;
sudo yum update
OR
sudo dnf update
Next, install "tar" package from CentOS repository by running the wget command as seen below;
sudo yum install tar wget
With the "ip" commands shown below, you can display the Server's IPv4 or IPv6 address;
ip a
ip a show eth0
Alternatively, you can use the dig command / host command as shown below to display your Server's public IP address;
dig +short myip.opendns.com @resolver1.opendns.com
OR
dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2 }'
It is important to note the displayed IP address.
Generally, Servers consists of two types of IP address as outlined below;
1. Public static IP address: This is assigned directly to your machine box and routed from the internet. Most Server providers such as Linode, and Digital Ocean issue a public IPv4/IPv6 address automatically once you order from them.
2. Private static IP address: This is shipped with your server. Basically, the server is behind NAT with public IP address. For instance, Google Cloud and AWS EC2/Lightsail gives a NAT public IP address.
For CentOS 8, the OpenVPN script is "centos-8-vpn.sh" .
To download it, run the wget command as shown below;
wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos-8-vpn.sh
Next, give the script permissions by running the "chmod" command below;
chmod +x centos-8-vpn.sh
To view the script with the server text editor, run the "vim or vi" command below;
vim centos-8-vpn.sh
You can install it by using the "centos-8-vpn.sh" script downloaded in the previous step.
To do this, run the following command;
sudo ./centos-8-vpn.sh
Now your will be prompted to enter some information about your server such as the IP address, IPv6 support for NAT (y), Port to listen to (1194), Protocol (UDP), DNS (Cloudflare), Compression (y), Encryption settings customization (n), and then press any key to complete the process.
To stop openvpn service, run the following command;
sudo systemctl stop openvpn-server@server.service
To start openvpn service, run the following command;
sudo systemctl start openvpn-server@server.service
To restart openvpn service, run the following command;
sudo systemctl restart openvpn-server@server.service
Finally, to see if openvpn service is running or not, check its status by running the command as shown below;
sudo systemctl status openvpn-server@server.service
By default, OpenVPN comes with a client configuration file "~/DesktopVPNClient.ovpn".
Let's say, you server ip address is 109.261.324, you need to copy this file to your local desktop using the scp command as shown below;
scp root@109.261.324:~/DesktopVPNClient.ovpn
Now you can use this file to establish connection for the OpenVPN client.
You can download Apple iOS client from Apple App Store.
You can get an Android client from Google Play Store.
For Microsoft Windows 8/10 client
Start by installing the openvpn client for your desktop by running the command below;
sudo yum install openvpn
For Debian/Ubuntu Linux, use the apt command / apt-get command as seen below;
sudo apt install openvpn
Next, copy DesktopVPNClient.ovpn as shown follows;
sudo cp DesktopVPNClient.ovpn /etc/openvpn/client.conf
To test its connectivity, run the command below;
sudo openvpn --client --config /etc/openvpn/desktop.conf
To allow the system to connect automatically on boot, run the openvpn script/service by executing the command below;
sudo systemctl start openvpn@client
After making connection to the OpenVPN Server, run the following commands from your Linux desktop;
ping 10.8.0.1 #Ping to the OpenVPN server gateway
ip route #Make sure routing setup working
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Must return public IP address of OpenVPN server
Sometimes, you can face some issues in the process of configuring OpenVPN server on your CentOS server.
It is important to check the OpenVPN server for errors using the journalctl command shown below;
journalctl --identifier openvpn
Also check that the firewall is set correctly for the service. To do this run the command below;
sudo cat /etc/iptables/add-openvpn-rules.sh
The output will look like this;
#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 1194 -j ACCEPT
exit 0
For instance, to remove OpenVPN rules, run the command below;
sudo cat /etc/iptables/rm-openvpn-rules.sh
Alternatively, you can run iptables command and sysctl command commands to verify NAT rule setup on your server;
sudo iptables -t nat -L -n -v
sysctl net.ipv4.ip_forward
If the rules is not inserted from the file "/etc/rc.local", then run the commands below;
sudo sh /etc/iptables/add-openvpn-rules.sh
sudo sysctl -w net.ipv4.ip_forward=1
To check if the OpenVPN server and port is running and open, use the ss command or netstat command and pidof command/ps command with the grep command as follows;
netstat -tulpn | grep :1194 #1194 is the openvpn server port
ss -tulpn | grep :1194 #1194 is the openvpn server port
ps aux | grep openvpn #Is the openvpn server running?
ps -C openvpn #Is the openvpn server running?
pidof openvpn #Find the openvpn server PID
In cases where Openvpn service is not running, you can try restarting the OpenVPN server by running the command below;
sudo systemctl restart openvpn-server@server.service
You can check errors by running the command below;
sudo systemctl status openvpn-server@server.service
To check if the Linux desktop client can connect to the OpenVPN server machine, you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections by running the nc command shown below;
nc -vu your_server_ip 1194
Note that "your_server_ip" should be replaced by your Server IP address.
Connection issues are mainly caused if the firewall is blocking access to the server. So ensure that both client and server are using the same protocol and port. For instance, UDP port 1194.
In this article, you will learn how to set up an OpenVPN server on CentOS 8 Linux server.