

How to set up an OpenVPN Server on a CentOS 8 Server?

How do I set up an OpenVPN server on a CentOS 8 Linux server to protect my browsing activities from attackers and intruders on public Wi-Fi?

OpenVPN is popular free and open source virtual private network (VPN) software that enables us to connect securely over an insecure public network such as a Wi-Fi network at an airport or hotel.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers perform installation tasks on their CentOS servers.

Today, we will show you the steps you need to take to configure an OpenVPN server on CentOS 8 Linux server.


What do you need to set up an OpenVPN server on your machine?

As stated earlier, OpenVPN is virtual private network (VPN) software designed with the security of the system in mind.

It works on Linux and Unix-like operating systems and is released under the GNU GPL license.

A VPN is an important part of security for every business and enterprise.


Now let us see how to set it up.


Steps to configure an OpenVPN server on CentOS 8

To set up an OpenVPN server, you can follow the steps below.


i. Updating the System

Start by logging into your server as the root user via an SSH tool such as PuTTY.

Once logged in, ensure that the packages and software on the server are up to date. To do this, run the yum command or the dnf command as shown below;

sudo yum update

OR 

sudo dnf update


Next, install the "tar" and "wget" packages from the CentOS repository by running the yum command as seen below;

sudo yum install tar wget


ii. Find your Server's IPv4 or IPv6 address

With the "ip" commands shown below, you can display the Server's IPv4 or IPv6 address;

ip a
ip a show eth0

Alternatively, you can use the dig command / host command as shown below to display your Server's public IP address;

dig +short myip.opendns.com @resolver1.opendns.com

OR

dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2 }'


It is important to note the displayed IP address.


More about IPv4 and IPv6 addresses

Generally, a server has one of two types of IP address, as outlined below;

1. Public static IP address: This is assigned directly to your machine and routed from the internet. Most server providers, such as Linode and Digital Ocean, issue a public IPv4/IPv6 address automatically once you order from them.

2. Private static IP address: This is assigned to your server, and the server sits behind NAT with a public IP address. For instance, Google Cloud and AWS EC2/Lightsail give a NAT public IP address.


iii. How to download and run OpenVPN?

For CentOS 8, the OpenVPN installation script is saved as "centos-8-vpn.sh".

To download it, run the wget command as shown below;

wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos-8-vpn.sh


Next, give the script execute permission by running the "chmod" command below;

chmod +x centos-8-vpn.sh

To view the script in a text editor on the server, run the "vim" (or "vi") command below;

vim centos-8-vpn.sh
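
The script is fetched from the repository's master branch and is about to run as root, so the file that gets executed should be the file that was reviewed. The following is an added example, not part of the original article or of the installer's project: file_sha256 and verify_installer are hypothetical helper names, and EXPECTED_SHA256 is a placeholder for a digest you record yourself after reading the script.

```shell
#!/bin/sh
# Added example: refuse to run the downloaded installer as root unless it is
# the exact file that was reviewed. Function names here are hypothetical.

# Print the SHA-256 of a file (sha256sum on CentOS; shasum as a fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Return 0 only if $1 exists, starts with a shebang, and matches digest $2.
# Return codes: 1 = digest mismatch, 2 = file missing, 3 = not a script.
verify_installer() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # A failed download can leave an HTML error page behind.
    head -n 1 "$file" | grep -q '^#!' || { echo "not a script: $file" >&2; return 3; }
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# Usage (EXPECTED_SHA256 is a placeholder for the digest recorded at review):
#   verify_installer centos-8-vpn.sh "$EXPECTED_SHA256" && sudo ./centos-8-vpn.sh
```

Record the digest with file_sha256 right after reviewing the file, and re-check it on every machine where the same script is reused.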


How to install OpenVPN server on CentOS 8?

You can install it by using the "centos-8-vpn.sh" script downloaded in the previous step.

To do this, run the following command;

sudo ./centos-8-vpn.sh

Now you will be prompted to enter some information about your server such as the IP address, IPv6 support for NAT (y), Port to listen to (1194), Protocol (UDP), DNS (Cloudflare), Compression (y), Encryption settings customization (n), and then press any key to complete the process.
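
The compression answer is worth checking once the installer has finished: compressing traffic before it is encrypted is what the VORACLE attack relies on, and current OpenVPN documentation advises against enabling it. The following added example (not code from the original article or the installer; audit_ovpn_conf and the sample config are constructed for illustration) reads a server config on stdin and reports active compression directives and any protocol or port that differs from the values chosen at the prompts.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server config read from stdin.
# Usage: audit_ovpn_conf <proto> <port> < server.conf
audit_ovpn_conf() {
    awk -v proto="$1" -v port="$2" '
        /^[ \t]*[#;]/ || NF == 0 { next }   # skip comments and blank lines
        # "compress lzo|lz4|lz4-v2" and "comp-lzo" (unless "comp-lzo no")
        # enable real compression; "compress stub" only keeps the framing.
        $1 == "compress" && $2 ~ /^(lzo|lz4|lz4-v2)$/ {
            print "COMPRESSION " $1 " " $2
        }
        $1 == "comp-lzo" && $2 != "no" {
            print "COMPRESSION comp-lzo" ($2 != "" ? " " $2 : "")
        }
        $1 == "proto" { got_proto = 1; if (index($2, proto) != 1) print "PROTO_MISMATCH " $2 }
        $1 == "port"  { got_port = 1;  if ($2 != port) print "PORT_MISMATCH " $2 }
        END {
            if (!got_proto) print "PROTO_UNSET"
            if (!got_port)  print "PORT_UNSET"
        }'
}

# Constructed sample config (not taken from a real server).
sample_server_conf() {
    cat <<'EOF'
# constructed sample
port 1194
proto udp
dev tun
;comp-lzo
compress lz4-v2
EOF
}

# On the server (the config path is an assumption based on the
# openvpn-server@server unit name used in this article):
#   sudo cat /etc/openvpn/server/server.conf | audit_ovpn_conf udp 1194
```

No output means the config matches the expected protocol and port and has no active compression directive.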


How to start, stop, and restart an OpenVPN server on CentOS 8?

To stop the openvpn service, run the following command;

sudo systemctl stop openvpn-server@server.service

To start the openvpn service, run the following command;

sudo systemctl start openvpn-server@server.service

To restart the openvpn service, run the following command;

sudo systemctl restart openvpn-server@server.service

Finally, to see whether the openvpn service is running, check its status by running the command shown below;

sudo systemctl status openvpn-server@server.service


iv. How to initialize an OpenVPN server connection using an iOS/Android/Linux/MS-Windows client?

By default, OpenVPN comes with a client configuration file "~/DesktopVPNClient.ovpn". 

Let's say your server IP address is 109.261.324; you need to copy this file to your local desktop using the scp command as shown below;

scp root@109.261.324:~/DesktopVPNClient.ovpn .

Now you can use this file to establish a connection from the OpenVPN client.


Important notes.

You can download the Apple iOS client from the Apple App Store.

You can get an Android client from the Google Play Store.

For Apple MacOS (OS X) client 

For Microsoft Windows 8/10 client 


How to configure an OpenVPN Linux desktop client?

Start by installing the openvpn client on your desktop by running the command below;

sudo yum install openvpn

For Debian/Ubuntu Linux, use the apt command / apt-get command as seen below;

sudo apt install openvpn


Next, copy DesktopVPNClient.ovpn as follows;

sudo cp DesktopVPNClient.ovpn /etc/openvpn/client.conf

To test its connectivity, run the command below;

sudo openvpn --client --config /etc/openvpn/client.conf

To start the client as a service and allow the system to connect automatically on boot, start and enable the openvpn service by executing the commands below;

sudo systemctl start openvpn@client
sudo systemctl enable openvpn@client


v. How to test and verify OpenVPN connectivity?

After connecting to the OpenVPN server, run the following commands from your Linux desktop;

ping 10.8.0.1 #Ping to the OpenVPN server gateway
ip route #Make sure routing setup working
dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Must return public IP address of OpenVPN server 


Common issues with OpenVPN server and client setup

Sometimes you can face issues while configuring the OpenVPN server on your CentOS server.

First, check the OpenVPN server for errors using the journalctl command shown below;

journalctl --identifier openvpn


Also check that the firewall is set up correctly for the service. To do this, run the command below;

sudo cat /etc/iptables/add-openvpn-rules.sh

The output will look like this;

#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 1194 -j ACCEPT
exit 0


Similarly, to view the script that removes the OpenVPN rules, run the command below;

sudo cat /etc/iptables/rm-openvpn-rules.sh


Alternatively, you can run the iptables command and the sysctl command to verify the NAT rule setup on your server;

sudo iptables -t nat -L -n -v
sysctl net.ipv4.ip_forward

If the rules are not inserted from the file "/etc/rc.local", then run the commands below;

sudo sh /etc/iptables/add-openvpn-rules.sh
sudo sysctl -w net.ipv4.ip_forward=1
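
Reading the iptables listing by eye makes it easy to miss one absent rule. The following added example (not part of the original article; the function names and the sample listing are constructed for illustration) compares a rule listing with the five rules from add-openvpn-rules.sh shown above and prints each one that is missing. It assumes the same interface names (eth0, tun0), subnet and port as that script.

```shell
#!/bin/sh
# Added example: compare a rule listing with the rules that
# /etc/iptables/add-openvpn-rules.sh (shown above) is meant to insert.

# One extended regex per expected rule, in the "-A ..." form printed by
# "iptables -S" and "iptables -t nat -S" (which may add "-m udp").
expected_rules() {
    cat <<'EOF'
^-A POSTROUTING -s 10\.8\.0\.0/24 -o eth0 -j MASQUERADE$
^-A INPUT -i tun0 -j ACCEPT$
^-A FORWARD -i eth0 -o tun0 -j ACCEPT$
^-A FORWARD -i tun0 -o eth0 -j ACCEPT$
^-A INPUT -i eth0 -p udp( -m udp)? --dport 1194 -j ACCEPT$
EOF
}

# Read a rule listing on stdin; print "MISSING <regex>" for each absent rule.
missing_openvpn_rules() {
    listing=$(cat)
    expected_rules | while IFS= read -r re; do
        printf '%s\n' "$listing" | grep -qE -- "$re" || printf 'MISSING %s\n' "$re"
    done
}

# Constructed sample: the tun0 -> eth0 FORWARD rule was never inserted.
sample_listing() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
EOF
}

# On the server:
#   { sudo iptables -S; sudo iptables -t nat -S; } | missing_openvpn_rules
```

Empty output means all five rules are present; any MISSING line points at the rule to re-insert with add-openvpn-rules.sh.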


To check that the OpenVPN server is running and its port is open, use the ss command or netstat command, and the pidof command or ps command with the grep command, as follows;

netstat -tulpn | grep :1194 #1194 is the openvpn server port
ss -tulpn | grep :1194 #1194 is the openvpn server port
ps aux | grep openvpn #Is the openvpn server running?
ps -C openvpn #Is the openvpn server running?
pidof openvpn #Find the openvpn server PID


In cases where the OpenVPN service is not running, you can try restarting the OpenVPN server by running the command below;

sudo systemctl restart openvpn-server@server.service

You can check for errors by running the command below;

sudo systemctl status openvpn-server@server.service


To check if the Linux desktop client can connect to the OpenVPN server machine, you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections by running the nc command shown below;

nc -vu your_server_ip 1194

Note that "your_server_ip" should be replaced by your server's IP address.


Connection issues are mainly caused by the firewall blocking access to the server. Also ensure that both client and server are using the same protocol and port, for instance UDP port 1194.




Conclusion

In this article, you learned how to set up an OpenVPN server on a CentOS 8 Linux server.