Audvik Labs

How to Set Up an OpenVPN Server on CentOS7

A VPN lets you connect to a remote VPN server, encrypting your connection and keeping your traffic data private from the network you are on, so you can browse the web more anonymously.

There are many commercial VPN providers to choose from, but you can never be truly sure that a provider is not logging your activity. The safest option is to set up your own VPN server.


OpenVPN is a fully featured, open-source Secure Socket Layer (SSL) VPN solution. It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol.

Prerequisites to install OpenVPN on CentOS 7

Two VPS running CentOS 7: one to host the OpenVPN service and another to serve as your Certificate Authority (CA). It is not recommended to use your OpenVPN server as your CA; if the VPN server is ever compromised, the CA's private key would be exposed along with it.

A regular (non-root) account with sudo privileges. 

Installation

1. To install OpenVPN on an RHEL/CentOS 8/7 server, you first have to enable the EPEL repository, which provides the openvpn package and its dependencies, and then install the package.

# yum update
# yum install epel-release

2. Next, we will download OpenVPN's installation script and set up the VPN. Before downloading and running the script, find your server's public IP address, as you will need it when setting up the OpenVPN server. An easy way to do that is with the curl command:

$ curl ifconfig.me

3. OpenVPN has several example configuration files in its documentation directory. First, copy the sample server.conf file as a starting point for your own configuration file. 

sudo cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn

4. Open the new file for editing with the text editor of your choice. We'll use nano in our example, which you can install with yum install nano if it is not already on your server:

sudo nano /etc/openvpn/server.conf 

5. There are a few lines we need to change in this file, most of which just need to be uncommented by removing the semicolon at the beginning of the line. The functions of these lines, and of the other lines not mentioned in this tutorial, are explained in depth in the comments above each one.

To get started, find and uncomment the line containing push "redirect-gateway def1 bypass-dhcp". This tells your client to redirect all of its traffic through your OpenVPN server. Be aware that enabling this can cause connectivity issues with other network services, like SSH:

/etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"


Easy RSA uses a set of scripts that come installed with the program to generate keys and certificates. To avoid re-entering the same details every time you generate a certificate, you can modify Easy RSA's configuration to define the default values it will use for the certificate fields, including your country, city, and preferred email address.

We’ll begin our process of generating keys and certificates by creating a directory where Easy RSA will store any keys and certs you generate:

sudo mkdir /etc/openvpn/easy-rsa/keys

The default certificate variables are set in the vars file in /etc/openvpn/easy-rsa, so open that file for editing:

sudo nano /etc/openvpn/easy-rsa/vars

Scroll to the bottom of the file and change the values that start with export KEY_ to match your information. The ones that matter the most are:


Before we configure our clients, let's make sure the OpenVPN server is running as expected.

Make sure to turn on TUN/TAP in the SSD Nodes dashboard.

$ sudo systemctl enable openvpn@server
$ sudo systemctl start openvpn@server

You can double-check that OpenVPN is running with the systemctl status command:

$ sudo systemctl status openvpn@server

You will also need to set up iptables so that client traffic is forwarded and NATed correctly. First, find the default (public-facing) interface.

$ sudo ip route | grep default

Your output will look like this:

default via 198.51.100.0 dev eth0 proto static

The interface name after dev (here eth0) is what we need for the iptables rules. To ensure the rules persist between reboots, install the iptables-persistent package, which will prompt you to save the existing rules. Choose Yes and your rules will be restored on boot from then on.
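The forwarding and NAT rules the step above refers to, as an added example rather than the post's own commands. It assumes the sample server.conf defaults (VPN subnet 10.8.0.0/24, device tun0, UDP port 1194) and prints the rules for review instead of applying them; persistence on CentOS 7 uses the iptables-services package.

```shell
#!/bin/sh
# Added example (not from the original post): derive the WAN interface from
# `ip route` output and build the rules OpenVPN needs to forward client traffic.
# Assumed defaults from the sample server.conf; change them if you edited the file.
VPN_NET="10.8.0.0/24"
VPN_DEV="tun0"
VPN_PORT="1194"

# Extract the interface name from a "default via ... dev X ..." route line.
# Reads from stdin so it can be checked against captured output.
default_iface() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the firewall commands for the given WAN interface rather than running
# them, so they can be reviewed first; pipe the output into `sudo sh` to apply.
vpn_rules() {
    wan="$1"
    [ -n "$wan" ] || { echo "no default interface found" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -i $wan -p udp --dport $VPN_PORT -j ACCEPT
iptables -A FORWARD -i $VPN_DEV -o $wan -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $wan -o $VPN_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $wan -j MASQUERADE
EOF
}

# The kernel must route between tun0 and the WAN interface; a sysctl.d drop-in
# keeps the setting across reboots.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -p /etc/sysctl.d/99-openvpn-forward.conf
}

# On CentOS 7 the saved rule set is restored at boot by the iptables service.
persist_rules() {
    yum install -y iptables-services
    systemctl enable iptables
    service iptables save
}

# Run with VPN_RULES_DEMO=1 to print the rules for this host's default interface.
if [ "${VPN_RULES_DEMO:-}" = "1" ]; then
    wan=$(ip route | default_iface)
    vpn_rules "$wan"
fi
```

Review the printed rules against any existing firewall policy before applying them, since they are appended to whatever chains are already in place.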

Cloud servers usually have one of two types of IP addressing:

A single public IP address: If you have a VPS on a cloud platform such as Linode, Cloudcone, or DigitalOcean, you will usually find a single public IP address attached to it.

A private IP address behind NAT with a public IP: This is the case with an EC2 instance on AWS or a compute instance on Google Cloud.

Whichever addressing scheme applies, the OpenVPN script will automatically detect your VPS network setup, and all you have to do is provide the associated public or private IP address.


When combined with HTTPS connections, this setup lets you secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from the untrusted network.

OpenVPN is a fully featured, open-source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations.
