If you want to access the internet safely and securely but you are connected to an untrusted network such as a hotel WiFi, a Virtual Private Network (VPN) allows you to use untrusted networks privately.
In this tutorial, we are going to show you how to make your own Linux OpenVPN server by installing the latest version:”openvpn-2.3″
We are assuming that you have root permission, otherwise, you may start commands with “sudo”.
Installing OpenVPN 2.3
First, you have to install the OpenVPN app:
For CentOS you should add Epel repository:
yum install epel-release
yum install openvpn easy-rsa
Now that you have installed OpenVPN successfully, you have to create keys and certificates, follow this section step by step:
Step 1- Copy easy-rsa script generation to OpenVPN folder:
cp -R /usr/share/easy-rsa/ /etc/openvpn/
Then go to the easy-rsa directory and edit the “vars” file:
you may edit the values to your information here is the example:
Now it’s time to generate the new keys and certificates:
Run the above command and you will get the following message:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
It’s recommended to run “./clean-all” right away to ensure that we have a clean certificate setup:
Now you have to generate a “Certificate Authority (ca)” file. you will be asked for country name etc. that you edited in the “vars” file. you can hit “Enter” to accept your default values.
Now move to the following directory:
And run the command below to create the “ca” files:
Step 2- Generating a server key and certificate.
Run the command below in the current directory:
You will be asked for information again you can accept your default values again.
You may leave the two following questions blank:
A challenge password : An optional company name :
Answer the two last questions with “Y”.
Sign the certificate? [y/n]: 1 out of 1 certificate requests certified, commit? [y/n]
Step 3- Build a Diffie-Hellman key exchange.
Execute the following command in the current directory:
Please wait, it will take some time to generate the files.
Step 4- Generate client key and certificate.
Run the following command in the current directory to generate client key and certificate:
And like step 2 you have to leave two lines blank and answer two questions with “Y”:
Step 5- Move or copy the directory “/keys/” to “/etc/openvpn/”.
cp -R keys/ /etc/openvpn/
Now you have to create an OpenVPN configuration file to make some changes:
cd /etc/openvpn/ nano server.conf
Paste the configurations below (you may change the values of port etc.):
#change with your port port 1194 #You can use udp or tcp proto udp # "dev tun" will create a routed IP tunnel. dev tun #Certificate Configuration #ca certificate ca /etc/openvpn/keys/ca.crt #Server Certificate cert /etc/openvpn/keys/server.crt #Server Key and keep this is secret key /etc/openvpn/keys/server.key #See the size a dh key in /etc/openvpn/keys/ dh /etc/openvpn/keys/dh2048.pem #Internal IP will get when already connect server 10.1.1.0 255.255.255.0 #this line will redirect all traffic through our OpenVPN push "redirect-gateway def1" #Provide DNS servers to the client, you can use goolge DNS push "dhcp-option DNS 188.8.131.52" push "dhcp-option DNS 184.108.40.206" #Enable multiple client to connect with same key duplicate-cn keepalive 20 60 comp-lzo persist-key persist-tun #daemon log-append /var/log/myvpn/openvpn.log #Log Level verb 3
Save and exit (Ctrl+O and Ctrl+X)
Create a folder for the log file and active it:
mkdir -p /var/log/myvpn/
For configuring an OpenVPN server you need “iptables” firewall to trigger your preferred Port and give your client(s) access to the internet. you have to disable any other firewall that is already in use.
For disabling SELinux:
And change SELINUX line like below:
Then reboot the server to apply the changes.
Finding the ethernet interface name
before any firewall configuration you have to find out your ethernet interface name with the command below:
The output should be something like the picture below:
As you see you can find your Ethernet interface name where you see your public IP address. (e.g. “ens3”)
Install and Configure Iptables
Step 0- Disable Firewalld
You can disable Firewalld easily by executing:
systemctl mask firewalld
systemctl stop firewalld
Step 1- Installing the Iptables
For installing Iptables and it’s service, execute:
yum install iptables iptables-services
Step 2- Enable Iptables
systemctl enable iptables
systemctl start iptables
Step 3- Add rules to Iptables
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o ens3 -j MASQUERADE
Be sure that you replace the value of “10.1.1.0/24” and ethernet interface name with your preferred values.
Also add the following rule to allow SSH on your server:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables-save > /etc/sysconfig/iptablesvpn
Step 4- Enable port forwarding
Simply execute the following two commands:
sysctl -w net.ipv4.ip_forward=1
Step 5- Restart OpenVPN
systemctl restart email@example.com
Creating connection for client
Now we have to create a “.ovpn” connection for the client, we are going to create our connection in ./openvpn/ directory you can create it anywhere you want:
Then paste the text below in your file, change IP and port values to yours:
client dev tun proto udp #Server IP and Port remote 192.168.1.100 1194 resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings ca ca.crt cert client.crt key client.key ns-cert-type server comp-lzo
Now you have to add your “ca.crt” “client.crt” “client.key” contents in your connection.
Remove following red lines:
client dev tun proto udp #Server IP and Port remote 192.168.1.104 1194 resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings ca ca.crt cert client.crt key client.key ns-cert-type server comp-lzo
Replace those three lines with something like below:
<ca> (insert ca.crt here) </ca> <cert> (insert client.crt here) <cert> <key> (insert client.key here) </key>
Now you have to copy the content of files and replace them with red lines:
ca.crt # cat /etc/openvpn/easy-rsa/2.0/keys/ca.crt Client.crt # cat /etc/openvpn/easy-rsa/2.0/keys/client.crt Client.key # cat /etc/openvpn/easy-rsa/2.0/keys/client.key
At the end you should have something like this:
<ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </ca> <cert> Certificate: . . . -----END CERTIFICATE----- . . . -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- . . . -----END PRIVATE KEY----- </key>
Save and exit.
You may find following tutorials useful if you want to connect to a VPN server from Windows or Linux. OpenVPN is available on most operating systems including smartphones (e.g. Android) and MacOS. All you need is to install an OpenVPN client and run the VPN connection file on your device.