CentOS 8 Set Up OpenVPN Server In 5 Minutes

How do I set up an OpenVPN Server on CentOS 8 Linux server to shield my browsing activity from bad guys on public Wi-Fi, and more?

OpenVPN is an open-source and free virtual private network (VPN) software. It runs on Linux and Unix-like operating systems and is released under the GNU GPL license. A VPN enables us to connect securely over an insecure public network such as a Wi-Fi network at the airport or hotel. Typically business and enterprise users need some sort of VPN before they can access services hosted at the office. This tutorial provides step-by-step instructions for configuring an OpenVPN server on a CentOS 8 Linux server.
Tutorial requirements
Operating system/app: CentOS Linux 8
Root privileges required: Yes
Difficulty: Advanced
Estimated completion time: 15m

Procedure: CentOS 8 Set Up OpenVPN Server In 5 Minutes

The steps are as follows:

Please note that {vivek@centos8:~ }$ is my shell prompt and is not part of the actual commands. In other words, you need to copy and paste the command that follows my shell prompt.

Step 1 – Update your system

Run the dnf command or yum command to install CentOS 8 security updates:
{vivek@centos8:~ }$ sudo dnf update
OR
{vivek@centos8:~ }$ sudo yum update
Next, install tar and wget on CentOS 8:
{vivek@centos8:~ }$ sudo yum install tar wget

Step 2 – Find and note down your server’s IPv4 or IPv6 address

Use the ip command as follows:
{vivek@centos8:~ }$ ip a
{vivek@centos8:~ }$ ip a show eth0


We can try the following dig command/host command to find out your public IP address from the Linux command line:
{vivek@centos8:~ }$ dig +short myip.opendns.com @resolver1.opendns.com
OR
{vivek@centos8:~ }$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2 }'
Sample outputs:

172.105.120.136

Please note down the 172.105.120.136 IP address. You need to replace it with your actual IPv4 address in the rest of this tutorial.

A note about your IPv4 and IPv6 address

Most cloud servers have one of two types of IP address:

  1. A public static IP address directly assigned to your box and routed from the Internet. For example, Linode, Digital Ocean, and others give you a direct public IPv4/IPv6 address.
  2. A private static IP address attached to your server, with the server sitting behind NAT on a public IP address. For example, AWS EC2/Lightsail, Google Cloud and others provide this kind of NAT public IP address.

The script will automatically detect your networking setup. All you have to do is provide a correct IPv4 or IPv6 address when asked for it. Hence, we used the above command to determine our IP address in advance.

Step 3 – Download and run centos-8-vpn.sh script

I am going to use the wget command:
{vivek@centos8:~ }$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos-8-vpn.sh
Make sure you set up permissions using the chmod command:
{vivek@centos8:~ }$ chmod +x centos-8-vpn.sh
One can view the script using a text editor such as vim/vi too:
{vivek@centos8:~ }$ vim centos-8-vpn.sh

Installing OpenVPN server on CentOS 8 Linux using the centos-8-vpn.sh

Now all you have to do is run the shell script on Linux:
{vivek@centos8:~ }$ sudo ./centos-8-vpn.sh
Sample session from my Linode cloud server with direct public IPv4 address:

Sample session from AWS/Lightsail where my cloud server is behind NAT:

Desktop or Mobile client configuration

When the VPN server configuration is done, we can create a desktop/mobile client VPN configuration file. You will be prompted as follows:

Do you want to protect the VPN configuration file with a password?

How do I start/stop/restart the OpenVPN server on CentOS 8?

#--- Stop the server ---#
{vivek@centos8:~ }$ sudo systemctl stop openvpn-server@server.service
#--- Start the server ---#
{vivek@centos8:~ }$ sudo systemctl start openvpn-server@server.service
#--- Restart the server ---#
{vivek@centos8:~ }$ sudo systemctl restart openvpn-server@server.service
#--- Get the server status ---#
{vivek@centos8:~ }$ sudo systemctl status openvpn-server@server.service

Step 4 – Connect to the OpenVPN server using an iOS/Android/Linux/MS-Windows client

On the server you will find a client configuration file called ~/DesktopVPNClient.ovpn. All you have to do is copy this file to your local desktop using the scp command:
{vivek@centos8:~ }$ scp vivek@172.105.120.136:~/DesktopVPNClient.ovpn .
Next, provide this file to your OpenVPN client for connection purposes:

  1. Download Apple iOS client from Apple App store
  2. Grab Android client from Google Play store
  3. Apple MacOS (OS X) client
  4. Microsoft Windows 8/10 client

OpenVPN Linux desktop client configuration

First, install the openvpn client for your desktop, enter:
{vivek@centos8-client:~ }$ sudo yum install openvpn
For Debian/Ubuntu Linux try the apt command/apt-get command:
{vivek@debian-client:~ }$ sudo apt install openvpn
Next, copy DesktopVPNClient.ovpn as follows:
{vivek@centos8-client:~ }$ sudo cp DesktopVPNClient.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI (the path must match the file copied above):
{vivek@centos8-client:~ }$ sudo openvpn --client --config /etc/openvpn/client.conf
To make our Linux desktop connect automatically when the computer restarts, enable and start the openvpn service:
{vivek@centos8-client:~ }$ sudo systemctl enable openvpn@client
{vivek@centos8-client:~ }$ sudo systemctl start openvpn@client
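Before importing the profile into any of the clients listed above, it is worth checking that it actually carries the directives that protect the tunnel. The following shell script is an added example, not part of the original tutorial or of the openvpn-install project: it audits a .ovpn file for a remote line, for remote-cert-tls server (so a stolen client certificate cannot be used to pose as the server), for an inline tls-crypt or tls-auth key, and for a legacy cipher. The two sample profiles it writes (vpn.example.net, the server_abc name and the placeholder certificate and key bodies) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the tutorial or the openvpn-install project):
# audit a client .ovpn profile before importing it into a desktop/mobile client.
# Usage: sh ovpn-audit.sh DesktopVPNClient.ovpn
# With no argument, the two constructed sample profiles below are audited instead.

# Print the first value that follows a directive, e.g. "ovpn_get proto file.ovpn" -> udp
ovpn_get() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Succeed if the profile contains an inline block such as <tls-crypt> ... </tls-crypt>
ovpn_has_block() {
    grep -q "^<$1>" "$2"
}

# Audit one profile: print each finding and return the number of findings
# (0 = every check passed).
ovpn_audit() {
    f="$1"; findings=0
    # A profile without a server address pins nothing at all.
    if [ -z "$(ovpn_get remote "$f")" ]; then
        echo "MISSING: no 'remote <host> <port>' line"
        findings=$((findings + 1))
    fi
    # remote-cert-tls server makes the client refuse a peer certificate that lacks
    # the TLS server role, so another client's certificate cannot pose as the server.
    if ! grep -Eq '^remote-cert-tls[[:space:]]+server' "$f"; then
        echo "MISSING: 'remote-cert-tls server' (server identity is not pinned)"
        findings=$((findings + 1))
    fi
    # tls-crypt (or the older tls-auth) authenticates every control-channel packet
    # with a shared key, so the UDP port ignores packets from anyone without it.
    if ! ovpn_has_block tls-crypt "$f" && ! ovpn_has_block tls-auth "$f"; then
        echo "MISSING: no inline <tls-crypt> or <tls-auth> key"
        findings=$((findings + 1))
    fi
    # 64-bit block ciphers (SWEET32) and DES have no place in a new deployment.
    cipher=$(ovpn_get cipher "$f")
    case "$cipher" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|CAST5-CBC)
            echo "WEAK: cipher '$cipher' (use AES-128-GCM, AES-256-GCM or CHACHA20-POLY1305)"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Write two constructed sample profiles into a temporary directory and print its path.
write_sample_profiles() {
    d=$(mktemp -d)
    cat > "$d/good.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_abc name
cipher AES-128-GCM
auth SHA256
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-CRYPT-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
    cat > "$d/weak.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
EOF
    echo "$d"
}

if [ "$#" -gt 0 ]; then
    rc=0; ovpn_audit "$1" || rc=$?; echo "findings: $rc"
else
    dir=$(write_sample_profiles)
    for p in "$dir/good.ovpn" "$dir/weak.ovpn"; do
        echo "== $p"; rc=0; ovpn_audit "$p" || rc=$?; echo "findings: $rc"
    done
    rm -rf "$dir"
fi
```

Run it as sh ovpn-audit.sh DesktopVPNClient.ovpn on the desktop after the scp step; a non-zero exit status is the number of findings, so it can also gate an automated import. The audit only reads the file and never prints key material.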

Step 5 – Verify/test the connectivity

Execute the following commands after connecting to OpenVPN server from your Linux desktop client:
#Ping to the OpenVPN server gateway
{vivek@centos8-client:~ }$ ping 10.8.0.1
#Make sure the routing setup is working
{vivek@centos8-client:~ }$ ip route
#Must return public IP address of OpenVPN server
{vivek@centos8-client:~ }$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

Step 6 – How to add or remove OpenVPN client

Log in to your CentOS 8 Linux server and run the script again:
{vivek@centos8:~ }$ sudo ./centos-8-vpn.sh
You will see options as follows:

Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install

It looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 

Choose an option as per your needs.

A note about troubleshooting OpenVPN server and client issues

Check the OpenVPN server for errors using the journalctl command:
{vivek@centos8:~ }$ journalctl --identifier openvpn


Are the firewall rules set up correctly on your server? Use the cat command to see the rules:
{vivek@centos8:~ }$ sudo cat /etc/iptables/add-openvpn-rules.sh
Here are NAT rules:
#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 1194 -j ACCEPT
exit 0

Here is a sample iptables script to remove OpenVPN rules:
{vivek@centos8:~ }$ sudo cat /etc/iptables/rm-openvpn-rules.sh
Outputs:

#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 1194 -j ACCEPT

Another option is to run the iptables and sysctl commands to verify the NAT rule and IP forwarding setup on your server:
{vivek@centos8:~ }$ sudo iptables -t nat -L -n -v
{vivek@centos8:~ }$ sysctl net.ipv4.ip_forward


If the rules are not present, insert them (for example from /etc/rc.local) and enable IP forwarding:
{vivek@centos8:~ }$ sudo sh /etc/iptables/add-openvpn-rules.sh
{vivek@centos8:~ }$ sudo sysctl -w net.ipv4.ip_forward=1

Is the OpenVPN server running and is the port open? Use the ss command or netstat command, and the pidof command/ps command along with the grep command, as follows:
{vivek@centos8:~ }$ netstat -tulpn | grep :1194 #1194 is the openvpn server port
{vivek@centos8:~ }$ ss -tulpn | grep :1194 #1194 is the openvpn server port
{vivek@centos8:~ }$ ps aux | grep openvpn #Is the openvpn server running?
{vivek@centos8:~ }$ ps -C openvpn #Is the openvpn server running?
{vivek@centos8:~ }$ pidof openvpn #Find the openvpn server PID
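The checks above each read one command's output by eye. The following shell script is an added example, not from the tutorial or the openvpn-install project: it wraps three of those checks (UDP 1194 bound, the MASQUERADE rule for 10.8.0.0/24 on eth0 loaded, net.ipv4.ip_forward set to 1) in functions that parse the output of ss, iptables -t nat -S and sysctl, so they can be run as one pass against the live server or against captured text. The port, subnet and interface are the tutorial's values; the sample outputs embedded at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the tutorial or the openvpn-install project):
# the troubleshooting checks as small functions that parse command output.
# Run "sh vpn-check.sh --live" as root on the server to test the live system;
# without --live only the functions are defined (see the constructed samples below).
VPN_PORT=1194          # OpenVPN server port used in the tutorial
VPN_NET=10.8.0.0/24    # tunnel subnet used in the tutorial
WAN_IF=eth0            # interface holding the public address (adjust to your box)

# Succeed if `ss -ulpn` (or `ss -tulpn`) output on stdin shows a UDP socket bound to port $1.
udp_port_listening() {
    awk -v p="$1" '($1 == "udp" || $1 == "UNCONN") {
            for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1
        } END { exit !found }'
}

# Succeed if `iptables -t nat -S POSTROUTING` output on stdin carries the
# MASQUERADE rule for subnet $1 leaving interface $2.
nat_masquerade_present() {
    grep -Fq -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Succeed if `sysctl net.ipv4.ip_forward` output on stdin reports the value 1.
ip_forward_enabled() {
    awk -F'= *' '$1 ~ /^net\.ipv4\.ip_forward/ { v = $2 } END { exit v != 1 }'
}

# Run the three checks against the live system and print one line per result,
# naming the command from the tutorial that repairs each failure.
vpn_diagnose() {
    if ss -ulpn | udp_port_listening "$VPN_PORT"; then
        echo "OK:   openvpn is bound to udp/$VPN_PORT"
    else
        echo "FAIL: nothing listening on udp/$VPN_PORT (systemctl status openvpn-server@server.service)"
    fi
    if iptables -t nat -S POSTROUTING | nat_masquerade_present "$VPN_NET" "$WAN_IF"; then
        echo "OK:   MASQUERADE rule for $VPN_NET via $WAN_IF is loaded"
    else
        echo "FAIL: MASQUERADE rule missing (sh /etc/iptables/add-openvpn-rules.sh)"
    fi
    if sysctl net.ipv4.ip_forward | ip_forward_enabled; then
        echo "OK:   net.ipv4.ip_forward = 1"
    else
        echo "FAIL: IP forwarding is off (sysctl -w net.ipv4.ip_forward=1)"
    fi
}

# Constructed sample outputs (not captured from a real host) for offline testing.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:1194      0.0.0.0:*     users:(("openvpn",pid=1234,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=900,fd=4))'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
SAMPLE_SYSCTL_ON='net.ipv4.ip_forward = 1'
SAMPLE_SYSCTL_OFF='net.ipv4.ip_forward = 0'

if [ "${1:-}" = "--live" ]; then
    vpn_diagnose
fi
```

Because each function reads stdin, the same checks work on output pasted from a support ticket (printf '%s\n' "$captured" | udp_port_listening 1194), which is handy when the person debugging does not have a shell on the server.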


If not running, restart the OpenVPN server:
{vivek@centos8:~ }$ sudo systemctl restart openvpn-server@server.service
Look out for errors:
{vivek@centos8:~ }$ sudo systemctl status openvpn-server@server.service
Similarly, make sure the iptables-openvpn.service unit is running too, and if it is not running, load the rules:
{vivek@centos8:~ }$ sudo systemctl status iptables-openvpn.service
{vivek@centos8:~ }$ sudo systemctl restart iptables-openvpn.service
{vivek@centos8:~ }$ sudo systemctl status iptables-openvpn.service

My firewall is running:

 iptables-openvpn.service - iptables rules for OpenVPN
   Loaded: loaded (/etc/systemd/system/iptables-openvpn.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2020-12-27 10:18:17 UTC; 21min ago
 Main PID: 654 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4947)
   Memory: 0B
   CGroup: /system.slice/iptables-openvpn.service

Dec 27 10:18:16 centos-8-nixcraft systemd[1]: Starting iptables rules for OpenVPN...
Dec 27 10:18:17 centos-8-nixcraft systemd[1]: Started iptables rules for OpenVPN.

Can the Linux desktop client connect to the OpenVPN server machine? First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections using the nc command or nmap command:
{vivek@centos8:~ }$ sudo nmap -sU -p 1194 172.105.120.136
The following output indicates that UDP port 1194 is reachable (nmap reports open|filtered for a UDP port that sends no reply, which is what OpenVPN does for a probe that is not a valid handshake; a closed port would answer with an ICMP port unreachable message and be reported as closed):

Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-27 16:07 IST
Nmap scan report for lixyz-328.members.linode.com (172.105.120.136)
Host is up (0.32s latency).

PORT     STATE         SERVICE
1194/udp open|filtered openvpn

Nmap done: 1 IP address (1 host up) scanned in 3.68 seconds

If the port is not reachable, either a Linux desktop firewall or your home/office router is blocking access to the server. Make sure both client and server are using the same protocol and port, for example UDP port 1194.

A note about FirewallD on CentOS 8

By default, FirewallD blocks access to UDP/1194, and the iptables rules installed by the above script are not compatible with FirewallD on your OpenVPN server. First, find out whether firewalld is active on the server:
{vivek@centos8:~ }$ sudo systemctl is-enabled firewalld.service
If you see enabled, then add the following rules too:
## [-- eth0 is the server interface with the IPv4/IPv6 address --] ##
## [-- tun0 is the OpenVPN interface --] ##
## [-- 10.8.0.0/24 is the subnet for OpenVPN --] ##
## [-- ADJUST VALUES AS PER YOUR SET UP WHEN TYPING THE FOLLOWING COMMANDS --] ##

{vivek@centos8:~ }$ sudo firewall-cmd --get-active-zones
{vivek@centos8:~ }$ sudo firewall-cmd --zone=trusted --add-interface=tun0
{vivek@centos8:~ }$ sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
{vivek@centos8:~ }$ sudo firewall-cmd --permanent --add-service openvpn
{vivek@centos8:~ }$ sudo firewall-cmd --permanent --zone=trusted --add-service openvpn
{vivek@centos8:~ }$ sudo firewall-cmd --reload
{vivek@centos8:~ }$ sudo firewall-cmd --list-services --zone=trusted
{vivek@centos8:~ }$ sudo firewall-cmd --add-masquerade
{vivek@centos8:~ }$ sudo firewall-cmd --add-masquerade --permanent
{vivek@centos8:~ }$ sudo firewall-cmd --query-masquerade
# note: eth0 is where the server's public IPv4/IPv6 address is assigned #
{vivek@centos8:~ }$ sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

See “How to set up a firewall using FirewallD on CentOS 8” for more info.

A note about AWS EC2 cloud CentOS 8 users

Make sure you open OpenVPN UDP port 1194 using security groups as explained here.

Conclusion

Congratulations! You just set up an OpenVPN server on CentOS 8 Linux server running in the cloud. For more information, please see the OpenVPN website here and the script site here for additional information.


11 comments
  • Juan Aug 9, 2020 @ 18:49

    All these steps in 5 minutes? OMG!!!

  • littleunixuser Nov 4, 2020 @ 7:03

    eeehhhh…. Are you a linux halfgod?
    I took a look at the script code, that cannot be a human.

  • f4l Nov 16, 2020 @ 10:08

    Hi, I did this process step by step but at the end, I can't download the ovpn file.

    this is what I get

    Client DesktopVPNClient added.
    cp: cannot create regular file ‘/home/root/DesktopVPNClient.ovpn’: No such file or directory
    ./centos-8-vpn.sh: line 1049: /home/root/DesktopVPNClient.ovpn: No such file or directory

  • David Dec 7, 2020 @ 23:35

    Thank you so much for your contribution..! After hours of trying without success, I used your script and within 5 minutes everything was set up, I just hope there’s nothing tricky about the script :P Thanks again, you saved my life..!

  • ziggy Dec 27, 2020 @ 4:10

    hrmm. This didn't work for me.
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    netstat shows listening on port 1194. NC shows connection succeeded. tcpdump listening on port 1194 shows connections inbound. Server logs show nothing??? wth, shouldn't I see a connection attempt in the server logs.

    Looking at var/log/openvpn/status.log and var/log/messages and i see nothing. bottom line connections are coming inbound to the server but there is nothing responding on the server side.

    IP route shows:

    default via 172.105.x.x dev eth0 proto static metric 100
    10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
    172.105.63.0/24 dev eth0 proto kernel scope link src 172.105.x.x metric 100

    Not sure what's going on here.

    • 🐧 Vivek Gite Dec 27, 2020 @ 11:16

      First, firewalld might be blocking access to OpenVPN udp/1194. Check for that. I updated this page with note about FirewallD. This should fix it.

      Second, enable NTP on CentOS 8. Check this forum thread about enabling NTP.

  • Vikrant Joshi Dec 27, 2020 @ 10:22

    Worked flawlessly but some observations for *Amazon EC2 VM users*:
    a) Those who are using CentOS 8 on AWS EC2, make sure you open port 1194 using the security group.

    b) FirewallD might create problems too. Either disable it or configure firewalld to open UDP port 1194 including NAT for 10.8.0.0/24. I recommend disabling FirewallD as security group is in place and this script will automatically set up NAT and open UDP port 1194 using the old good iptables.

    I hope this will save someone time.

    • 🐧 Vivek Gite Dec 27, 2020 @ 11:17

      The page has been updated to include notes about EC2 users. Thank you!

  • Fahad Feb 9, 2021 @ 12:24

    Hi, I got the server running successfully.

    but I have a small issue, I am trying to add the .ovpn to my Synology NAS but it won’t accept the file, perhaps it only accepts certain version of OVPN

    any solution for that ?

    and can you also share how to add port forwarding to it ?

    • Fahad Feb 9, 2021 @ 13:05

      I think it's the TLS version issue.

      when I remove the TLS part from the config, it accepts the file but won’t connect the server

      any way to downgrade the TLS or someway to make it work on Synology ?

      • 🐧 Vivek Gite Feb 9, 2021 @ 16:24

        I am not aware of the Synology VPN client set up. TLS version is not going to be a problem for sure. Add a new user and when asked select “choose a password for the client”:

        sudo ./centos-8-vpn.sh
