Installing and Configuring OpenVPN Server on CentOS 7
This guide walks you through setting up an OpenVPN server on CentOS 7 and connecting a client to it.
Traffic between the client and the server is encrypted inside the tunnel, so the connection stays protected even on untrusted Wi-Fi networks.
🧠 Content Summary
We install the packages OpenVPN needs, create a CA with Easy-RSA, issue the server and client certificates,
configure the server, firewall and routing, and finally prepare the client connection.
🔑 1. OpenVPN Installation and Easy-RSA Preparation
Update system packages:
sudo yum update -y
Description: Installs the latest packages and security patches.
Install EPEL repository:
sudo yum install epel-release -y
Description: OpenVPN is shipped in the EPEL repository, so this step is mandatory.
Install OpenVPN + wget:
sudo yum install -y openvpn wget
Description: Installs the OpenVPN package from EPEL, plus wget, which is used to download Easy-RSA in the next step.
Download Easy-RSA:
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
Description: Downloads the Easy-RSA archive for certificate generation.
Open archive:
tar xfz /tmp/easyrsa
Description: Extracts the downloaded Easy-RSA package.
Prepare the Easy-RSA directory:
sudo mkdir /etc/openvpn/easy-rsa
sudo cp -rf easy-rsa-old-2.3.3/easy-rsa/2.0/* /etc/openvpn/easy-rsa
sudo chown $USER /etc/openvpn/easy-rsa/
Description: Moves Easy-RSA files to the OpenVPN directory and adjusts ownership.
🔧 2. Server Configuration
Copy sample configuration:
sudo cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn
Description: Based on OpenVPN's default config file.
Open file:
sudo nano /etc/openvpn/server.conf
Description: The file where you will edit the VPN configuration.
Settings to be Edited (Explained)
Route all traffic through VPN:
push "redirect-gateway def1 bypass-dhcp"
Description: Routes all client traffic, not only traffic for the VPN subnet, through the tunnel; bypass-dhcp keeps the client's local DHCP server reachable.
Set DNS servers:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Description: Pushes resolvers that clients reach through the tunnel instead of the ISP's DNS; substitute your own resolver if you run one.
Run as an unprivileged user:
user nobody
group nobody
Description: After the tunnel is up OpenVPN drops root privileges, so a flaw in the daemon cannot be turned into root on the server. Keep the sample's persist-key and persist-tun lines, which let the daemon restart the tunnel without re-reading the key files as root.
Enable subnet topology:
topology subnet
Description: Gives every client one address in the shared 10.8.0.0/24 subnet instead of the legacy net30 layout, which spends a /30 block per client.
Client certificate verification:
remote-cert-eku "TLS Web Client Authentication"
Description: Requires the certificate presented by a connecting peer to carry the clientAuth extended key usage. Easy-RSA sets clientAuth on certificates from build-key and serverAuth on those from build-key-server, so a copied server.crt cannot be used to connect as a client. The client-side counterpart is remote-cert-tls server.
Enable tls-crypt:
tls-crypt myvpn.tlsauth
Description: Encrypts and authenticates every control-channel packet with a pre-shared key, on top of TLS. Packets from anyone who does not hold the key are discarded before the TLS handshake starts, which hides the handshake from observers, stops port scanners from identifying the service and blunts resource-exhaustion attacks on the TLS stack. tls-crypt and tls-auth cannot be combined: remove or comment out the sample's tls-auth ta.key 0 line. The path is relative to /etc/openvpn, the daemon's working directory.
Generate tls-crypt key:
sudo openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
Description: Generates the shared key. Every client will hold a copy, so treat it as a secret; keep the server copy readable only by root.
🔐 3. Creating Certificate and Key
Edit the vars file:
sudo nano /etc/openvpn/easy-rsa/vars
Description: You define the certificate information here.
Example:
export KEY_COUNTRY="TR"
export KEY_PROVINCE="IST"
export KEY_CITY="Kadikoy"
export KEY_ORG="GenixNodeCloud"
export KEY_EMAIL="admin@ornek.com"
export KEY_CN="openvpn.ornek.com"
export KEY_NAME="server"
export KEY_OU="Teknik"
Description: This information is automatically written to the certificates.
Create CA:
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
Description: Creates the CA whose signature both the server and every client trust; it is the most critical step. clean-all wipes the keys/ directory, so run it only once, when starting a fresh PKI. The resulting ca.key must stay in keys/ (or, better, offline) and is never copied to /etc/openvpn.
Server certificate:
./build-key-server server
Description: Generates a certificate that verifies the identity of the server.
DH key generation:
./build-dh
Description: Generates Diffie-Hellman file for secure key exchange.
Client certificate:
./build-key client
Description: Generates the key and certificate for one client, named client. Repeat with a different name for each additional client; certificates should never be shared between clients.
Move required files:
cd /etc/openvpn/easy-rsa/keys
sudo cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Description: Copies the files the server needs into its working directory (it is a copy, so the originals and ca.key remain in keys/). server.key is the server's private key: make sure the copy is owned by root and readable only by root.
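As an added example (not part of the original guide or of the Easy-RSA project), the following POSIX shell script checks the output of section 3 before it is copied to /etc/openvpn: that server.crt and client.crt chain to ca.crt, that they carry the serverAuth and clientAuth extended key usages that remote-cert-tls and remote-cert-eku later enforce, and that each private key belongs to its certificate. It assumes only that openssl is installed; make_demo_pki builds a throwaway CA with the same extensions Easy-RSA 2.x applies so the script runs offline, and the function names are this example's own. On the server, run check_vpn_pki /etc/openvpn/easy-rsa/keys instead.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify an Easy-RSA keys/
# directory the way OpenVPN will at connect time. Assumes openssl(1) is on
# the PATH; the demo PKI below is constructed. On a real server use:
#   check_vpn_pki /etc/openvpn/easy-rsa/keys
set -eu

# 0 if certificate $1 lists the extended key usage $2, e.g.
# "TLS Web Server Authentication" (serverAuth) or "TLS Web Client Authentication" (clientAuth).
cert_has_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q "$2"
}

# Negation, usable as a check in its own right.
cert_lacks_eku() {
    ! cert_has_eku "$1" "$2"
}

# 0 if certificate $2 verifies against CA certificate $1.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# 0 if private key $2 belongs to certificate $1 (same SubjectPublicKeyInfo).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run one check: $1 is its description, the rest is the command to run.
_check() {
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; rc=1; fi
}

# All checks for a keys directory; prints one line each, returns 0 only if all pass.
check_vpn_pki() {
    d=$1; rc=0
    _check "server.crt chains to ca.crt"          cert_signed_by   "$d/ca.crt" "$d/server.crt"
    _check "client.crt chains to ca.crt"          cert_signed_by   "$d/ca.crt" "$d/client.crt"
    _check "server.crt has serverAuth (remote-cert-tls server on the client)" \
                                                  cert_has_eku     "$d/server.crt" "TLS Web Server Authentication"
    _check "client.crt has clientAuth (remote-cert-eku on the server)" \
                                                  cert_has_eku     "$d/client.crt" "TLS Web Client Authentication"
    _check "client.crt cannot pose as the server" cert_lacks_eku   "$d/client.crt" "TLS Web Server Authentication"
    _check "server.key matches server.crt"        key_matches_cert "$d/server.crt" "$d/server.key"
    _check "client.key matches client.crt"        key_matches_cert "$d/client.crt" "$d/client.key"
    return $rc
}

# Throwaway CA plus server and client certificates carrying the extensions
# Easy-RSA 2.x applies (serverAuth for build-key-server, clientAuth for build-key).
make_demo_pki() {
    d=$1; mkdir -p "$d"
    # self-contained req config so the system openssl.cnf is not needed
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/req.cnf"
    openssl req -config "$d/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for name in server client; do
        if [ "$name" = server ]; then eku=serverAuth; else eku=clientAuth; fi
        openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' \
            "$eku" > "$d/$name.ext"
        openssl x509 -req -days 1 -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
    done
}

# Stand-alone run against the constructed PKI.
DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
check_vpn_pki "$DEMO"
rm -rf "$DEMO"
```

The "cannot pose as the server" line is the one that matters most: if a client certificate ever came out with serverAuth, a client holding it could impersonate the server to other clients, and remote-cert-tls server on the client side would not catch it.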
🌐 4. Firewalld NAT and Routing
Find active firewalld zone:
sudo firewall-cmd --get-active-zones
Description: Required to determine which zone to add OpenVPN to.
Allow OpenVPN service:
sudo firewall-cmd --zone=public --add-service openvpn --permanent
Description: Opens UDP 1194 in the zone that faces the internet. Replace public with the zone the previous command listed for your uplink interface; adding the service to the trusted zone only helps if that interface is in the trusted zone.
Enable NAT (for all client traffic):
sudo firewall-cmd --add-masquerade --permanent
Description: Client internet traffic exits through the server's IP.
Find the server's network interface:
SHARK=$(ip route get 8.8.8.8 | awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')
Description: Stores the interface the default route leaves through (for example eth0) in SHARK so the NAT rule can name it. Taking the word after dev is more robust than counting fields from the end of the line, which returns the wrong field on newer iproute2 releases that append uid. Run echo $SHARK to confirm before continuing.
Add routing rule:
sudo firewall-cmd --permanent --direct --passthrough ipv4 \
-t nat -A POSTROUTING -s 10.8.0.0/24 -o $SHARK -j MASQUERADE
Description: Allows the VPN subnet to access the internet.
Firewalld reload:
sudo firewall-cmd --reload
Description: Activates the changes made.
Turn on IP forwarding:
sudo nano /etc/sysctl.conf
Add:
net.ipv4.ip_forward = 1
Apply:
sudo sysctl -p
Description: Lets the kernel forward packets between tun0 and the uplink interface. sysctl -p loads /etc/sysctl.conf immediately, and the file keeps the setting across reboots; cat /proc/sys/net/ipv4/ip_forward should now print 1.
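As an added example (not from the original guide), this POSIX shell script checks the three things section 4 relies on: the egress interface, IP forwarding, and the MASQUERADE passthrough rule. The parsing is kept in small functions fed from strings, so the self-test runs offline on a constructed ip route get line and shows why the widely copied awk 'NR==1 {print $(NF-2)}' form breaks on newer iproute2; vpn_routing_check does the live check and is only invoked when ip and firewall-cmd exist and the script runs as root. The function names, the 203.0.113.x addresses, the interface names and the assumed line format of firewall-cmd --direct --get-all-passthroughs ("ipv4 -t nat -A POSTROUTING ...") are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: post-setup check of the
# routing/NAT pieces. Sample inputs are constructed; 10.8.0.0/24 is the VPN
# subnet from server.conf.
set -eu

# The fixed-field one-liner: third-from-last word of the first line.
egress_iface_fixed_field() {
    printf '%s\n' "$1" | awk 'NR==1 { print $(NF-2) }'
}

# Robust form: the word that follows "dev" on the first line.
egress_iface_from_route() {
    printf '%s\n' "$1" | awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# 0 if listing $1 (assumed format of firewall-cmd --direct --get-all-passthroughs)
# contains the MASQUERADE passthrough for subnet $2 leaving via interface $3.
has_vpn_masquerade() {
    printf '%s\n' "$1" | grep -q -- "-t nat -A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# 0 if the kernel forwards IPv4; $1 lets a test point at a constructed file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Live check on the server; returns 0 only if every item passes.
vpn_routing_check() {
    subnet=${1:-10.8.0.0/24}; rc=0
    iface=$(egress_iface_from_route "$(ip route get 8.8.8.8)")
    if [ -n "$iface" ]; then echo "ok    egress interface $iface"; else echo "FAIL  egress interface not found"; rc=1; fi
    if ip_forward_enabled; then echo "ok    net.ipv4.ip_forward = 1"; else echo "FAIL  net.ipv4.ip_forward is 0"; rc=1; fi
    if has_vpn_masquerade "$(firewall-cmd --direct --get-all-passthroughs)" "$subnet" "$iface"; then
        echo "ok    MASQUERADE for $subnet via $iface"
    else
        echo "FAIL  no MASQUERADE for $subnet via $iface"; rc=1
    fi
    return $rc
}

# Constructed output of `ip route get 8.8.8.8` from a newer iproute2, which
# appends "uid N": the fixed-field awk then returns the source address.
SAMPLE_ROUTE='8.8.8.8 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 1000
    cache'
echo "fixed-field awk says: $(egress_iface_fixed_field "$SAMPLE_ROUTE")"
echo "dev-scan awk says:    $(egress_iface_from_route "$SAMPLE_ROUTE")"

# Run the live check only where it can work (root on a host with the tools).
if [ "$(id -u)" = 0 ] && command -v ip >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1; then
    vpn_routing_check
fi
```

If vpn_routing_check reports a missing MASQUERADE rule right after section 4, the usual cause is that SHARK was empty or wrong when the passthrough rule was added, so the rule names the wrong interface.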
🚀 5. Starting OpenVPN Service
Activate the service at startup:
sudo systemctl -f enable openvpn@server.service
Start service:
sudo systemctl start openvpn@server.service
Check status:
sudo systemctl status openvpn@server.service
Description: If you see active (running), the VPN server is up. If it shows failed, journalctl -u openvpn@server.service prints the configuration error; typical causes are a leftover tls-auth line alongside tls-crypt, or a file named in server.conf that does not exist in /etc/openvpn.
💻 6. Client Configuration
Files to be sent to the client:
ca.crt
client.crt
client.key
myvpn.tlsauth
Description: Without these four files the client cannot connect. client.key and myvpn.tlsauth are secrets: transfer them over an authenticated channel such as scp, never by plain e-mail or chat, and give every client its own client.key.
client.ovpn file:
client
dev tun
proto udp
remote server_ip 1194
nobind
resolv-retry infinite
persist-key
persist-tun
topology subnet
ca ca.crt
cert client.crt
key client.key
tls-crypt myvpn.tlsauth
remote-cert-tls server
user nobody
group nobody
Description: Defines how the client connects; replace server_ip with the server's public address. remote-cert-tls server makes the client accept only a server certificate that carries the serverAuth extended key usage, as produced by build-key-server. Do not copy remote-cert-eku "TLS Web Client Authentication" from the server config into the client file: on the client it would check the server's certificate for clientAuth, which it does not have, and the connection would be rejected. client already implies tls-client and pull; persist-key and persist-tun are required together with user nobody so the client can re-establish the tunnel after dropping privileges, and nobind lets it use an ephemeral local port.
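As an added example (not from the original guide), the following POSIX shell script bundles ca.crt, client.crt, client.key and myvpn.tlsauth into a single client.ovpn using OpenVPN 2.4's inline <ca>, <cert>, <key> and <tls-crypt> blocks, so the user receives one file instead of five. The function names are this example's own, and the server address 203.0.113.10 and the file contents used in the self-test are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not part of the original guide: build a single client.ovpn
# with inline credentials. Placeholder files in the self-test are constructed.
set -eu

# Print a complete client profile for server $2, port $3 (default 1194), using
# the four files in directory $1. Fails before printing anything if one is missing.
make_inline_ovpn() {
    dir=$1; server=$2; port=${3:-1194}
    for f in ca.crt client.crt client.key myvpn.tlsauth; do
        [ -r "$dir/$f" ] || { echo "make_inline_ovpn: missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
nobind
resolv-retry infinite
persist-key
persist-tun
# accept only a server certificate with the serverAuth EKU (build-key-server sets it)
remote-cert-tls server
user nobody
group nobody
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/client.crt")
</cert>
<key>
$(cat "$dir/client.key")
</key>
<tls-crypt>
$(cat "$dir/myvpn.tlsauth")
</tls-crypt>
EOF
}

# Write the profile for $1/$2 to $3 with mode 0600, since it embeds the
# client's private key; leaves no file behind on failure.
write_client_profile() {
    if (umask 077; make_inline_ovpn "$1" "$2" > "$3"); then return 0; fi
    rm -f "$3"; return 1
}

# 0 if profile $1 contains both the <$2> and </$2> lines.
ovpn_has_block() {
    grep -qx "<$2>" "$1" && grep -qx "</$2>" "$1"
}

# Stand-alone run with constructed placeholder files.
DEMO=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n' > "$DEMO/ca.crt"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-CERT\n-----END CERTIFICATE-----\n' > "$DEMO/client.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-CLIENT-KEY\n-----END PRIVATE KEY-----\n' > "$DEMO/client.key"
printf -- '-----BEGIN OpenVPN Static key V1-----\nCONSTRUCTED-TLS-CRYPT-KEY\n-----END OpenVPN Static key V1-----\n' > "$DEMO/myvpn.tlsauth"
write_client_profile "$DEMO" 203.0.113.10 "$DEMO/client.ovpn"
ls -l "$DEMO/client.ovpn"
rm -rf "$DEMO"
```

Because the bundled profile carries the private key and the tls-crypt key, it must be delivered over an authenticated channel and kept at mode 0600 on the client, exactly like the separate files would be.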
❓ FAQ – Frequently Asked Questions
1. Is OpenVPN or WireGuard better?
OpenVPN is more flexible; WireGuard is faster.
2. Why should ca.key be kept?
It is the CA's private key. Anyone holding it can issue certificates that your server trusts, i.e. connect as any client or impersonate the server to clients, and the only remedy is to rebuild the CA and reissue every certificate. Keep it out of /etc/openvpn and, ideally, off the server altogether.
3. Can port 1194 be changed?
Yes. Change the port directive in server.conf, open that port in firewalld in place of the openvpn service, and update the remote line in the client file.
4. Can I connect more than one client?
Yes. Issue a separate certificate for each client (./build-key with a new name); a certificate shared by several clients lets only one of them be connected at a time unless duplicate-cn is set, and cannot be revoked for one user without cutting off the others.
5. Why is DNS added specifically?
Because the VPN now carries all traffic, the resolvers the client received from its local network may be unreachable through the tunnel or would send lookups outside it; the pushed servers are reached through the tunnel instead.
🎉 Conclusion
Your OpenVPN server has been successfully set up. You can now encrypt all your internet traffic through a secure tunnel.

