DigitalOcean has a good tutorial on how to set up an OpenVPN server on CentOS 7. I was not able to follow step-by-step since the tutorial goes into setting up routing using iptables, instead of using the builtin firewall-cmd. Later, I had issues connecting to the server from a Windows machine, but was able to resolve that (included below).
Here’s an abriged version of the DigitalOcean tutorial, with the fixes.
yum install epel-release yum install openvpn easy-rsa
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn vim /etc/openvpn/server.conf # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="NY" export KEY_CITY="New York" export KEY_ORG="DigitalOcean" export KEY_EMAIL="firstname.lastname@example.org" export KEY_OU="Community" ... # X509 Subject Field export KEY_NAME="server" ... export KEY_CN=openvpn.example.com
Generating Keys and Certificates
mkdir -p /etc/openvpn/easy-rsa/keys cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf cd /etc/openvpn/easy-rsa source ./vars ./clean-all ./build-ca ./build-key-server server ./build-dh cd /etc/openvpn/easy-rsa/keys cp dh2048.pem ca.crt server.crt server.key /etc/openvpn cd /etc/openvpn/easy-rsa ./build-key client
Routing using firewall-cmd
firewall-cmd --permanent --add-service openvpn firewall-cmd --permanent --add-masquerade firewall-cmd --reload
Add the following line to
vim /etc/sysctl.conf net.ipv4.ip_forward = 1 systemctl restart firewalld systemctl restart network.service
Configuring your Windows client
Download the following lines from your server to your client:
For this example, we’ll save it locally to
Use notepad (or similar) to create a new file called client.ovpn with the following contents:
client dev tun proto udp remote your_server_ip 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 ca c:\\openvpn\\certs\\ca.crt cert c:\\openvpn\\certs\\client.crt key c:\\openvpn\\certs\\client.key
your_server_ip with the public IP of the server, and make sure to use double backslashes