Tuesday, March 10, 2015

Configure OpenVPN on CentOS 7 part 1

 after doing steps from


I faced some issues to connect internet


 nano /etc/sysconfig/network-scripts/ifcfg-eth0




save and exit

yum install epel-release

systemctl stop firewalld

systemctl disable firewalld

yum install iptables-services

systemctl enable iptables

systemctl start iptables

systemctl status iptables

systemctl stop iptables(stopping it to get the openvpn running first and then later enable and configure it)

yum install openvpn

cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/


server.conf should be there

cp server.conf /etc/openvpn/

cd /etc/openvpn

nano server.conf

find the line

;push "redirect-gateway def1 bypass-dhcp"

uncomment the line by removing the first semicolon

then find 2 lines starting with

;push "dhcp-option DNS 208...


;push "dhcp-option DNS 208...

uncomment them by removing ;

make them look like

push "dhcp-option DNS"
push "dhcp-option DNS"

then find the lines

;user nobody
;group nobody

uncomment those lines by removing ;

save and exit

yum install easy-rsa

mkdir -p  /etc/openvpn/easy-rsa/keys

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

cd easy-rsa

ls will show you the vars file

nano vars



make this section look like this

export KEY_CITY="Kolkata"
export KEY_ORG="Sourav"

export KEY_EMAIL="root@server1.sourav.com"
export KEY_OU="Sourav"

save and exit

source ./vars

run the script clean-all in the easy-rsa folder to clear any existing script


now run the script one by one


this script will prompt you to give input such as country code,just press enter and it will take the default values already wrote on the vars file,the default

values will be shown in square brackets will will take over if enter pressed with no inout

when asked for common name just put the server name on which vpn is being is being configures,in my case it is server1

now run another script

./build-key-server $( hostname )

take the default values by pressing enter

for challenge password give a challenge password

then just press y for signing the certificate

then press another y to commit

then run


now to go the keys folder

cd keys

ls will show you the keys

cp ca.crt server1.sourav.com.crt server1.sourav.com.key dh2048.pem /etc/openvpn/

cd ../.. to go to the openvpn folder

ls will show you the necessary key files and server.conf

now type

restorecon -Rv /etc/openvpn

to recursively restoring the security context of selinux

Now create a symbolic link by typing

ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service


nano server.conf


find server.crt

in my case

make it look like this

ca ca.crt

cert server1.sourav.com.crt

key server1.sourav.com.key

dh dh2048.pem

save and exit

now to forcefully enable (make it available after reboot) openvpn through systemd

systemctl -f enable openvpn@server.service

systemctl start openvpn@server.service

check the status of openvpn service

systemctl status openvpn@server.service

Sourav Bhattacharya

Linux Faculty for 7 years

No comments:

Post a Comment