CentOS 8 Set Up OpenVPN Server In 5 Minutes

How do I set up an OpenVPN Server on CentOS 8 Linux server to shield my browsing activity from bad guys on public Wi-Fi, and more?

OpenVPN is an open-source and free virtual private network (VPN) software. It runs on Linux and Unix-like operating systems and released under the GNU GPL license. A VPN enables us to connect securely to an insecure public network such as a wifi network at the airport or hotel. Typically business and enterprise users need some sort VPN before you can access services hosted at your office. This tutorial provides step-by-step instructions for configuring an OpenVPN server on CentOS 8 Linux server.

Procedure: CentOS 8 Set Up OpenVPN Server In 5 Minutes

The steps are as follows:

Please note that {vivek@centos8:~ }$ is my shell prompt and is not part of actual commands. In other words, you need to copy and paste command after my shell prompt.

Step 1 – Update your system

Run the dnf command or yum command to install CentOS 8 security updates:
{vivek@centos8:~ }$ sudo dnf updateOR
{vivek@centos8:~ }$ sudo yum update
Next, install tar on CentOS and also install wget on CentOS 8
{vivek@centos8:~ }$ sudo yum install tar wget

Step 2 – Find and note down your server’s IPv4 or IPv6 address

Use the ip command as follows:
{vivek@centos8:~ }$ ip a
{vivek@centos8:~ }$ ip a show eth0

We can try the following dig command/host command to find out your public IP address from Linux command line:
{vivek@centos8:~ }$ dig +short myip.opendns.com @resolver1.opendns.com OR
{vivek@centos8:~ }$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2 }'
Sample outputs:

Please note down IP address. You need to replace this one with your actual IPv4.

A note about your IPv4 and IPv6 address

Most cloud servers have two types of IP address:

  1. Public static IP address directly assigned to your box and routed from the Internet. For example, Linode, Digital Ocean, and others give you direct public IPv4/IPv6 address.
  2. Private static IP address directly attached to your server and your server is behind NAT with public IP address. For example, AWS EC2/Lightsail, Google Cloud and others provide you this kind of NAT public IP address.

The script will automatically detect your networking setup. All you have to do is provide a correct IPv4 or IPv6 address when asked for it. Hence, we used the above command to determine our IP address in advance.

Step 3 – Download and run centos-8-vpn.sh script

I am going to use the wget command:
{vivek@centos8:~ }$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos-8-vpn.sh
Make sure you set up permissions using the chmod command:
{vivek@centos8:~ }$ chmod +x centos-8-vpn.sh
One can view the script using a text editor such as vim/vi too :
{vivek@centos8:~ }$ vim centos-8-vpn.sh

Installing OpenVPN server on CentOS 8 Linux using the centos-8-vpn.sh

Now all you have to do is run shell script on Linux:
{vivek@centos8:~ }$ sudo ./centos-8-vpn.sh
Sample session from my Linode cloud server with direct public IPv4 address:

Sample session from AWS/Lightsail where my cloud server is behind NAT:

Desktop or Mobile client configuration

When VPN server configuration done, we can create a desktop/mobile client VPN configuration file. You will be prompted as follows:

Do you want to protect the VPN configuration file with a password?

How do I start/stop/restart OpenVPN server on CentOS 8 ?

#--- Stop the server ---#
{vivek@centos8:~ }$ sudo systemctl stop openvpn-server@server.service
#--- Start the server ---#
{vivek@centos8:~ }$ sudo systemctl start openvpn-server@server.service
#--- Restart the server ---#
{vivek@centos8:~ }$ sudo systemctl restart openvpn-server@server.service
#--- Get the server status ---#
{vivek@centos8:~ }$ sudo systemctl status openvpn-server@server.service

Step 4 – Connect an OpenVPN server using IOS/Android/Linux/MS-Windows client

On server your will find a client configuration file called ~/DesktopVPNClient.ovpn. All you have to do is copy this file to your local desktop using the scp command:
{vivek@centos8:~ }$ scp vivek@ .
Next, provide this file to your OpenVPN client for connection purposes:

  1. Download Apple iOS client from Apple App store
  2. Grab Android client from Google Play store
  3. Apple MacOS (OS X) client
  4. Microsoft Windows 8/10 client

OpenVPN Linux desktop client configuration

First, install the openvpn client for your desktop, enter:
{vivek@centos8:~ }$ sudo yum install openvpn
For Debian/Ubuntu Linux try the apt command/apt-get command:
{vivek@centos8:~ }$ sudo apt install openvpn
Next, copy DesktopVPNClient.ovpn as follows:
{vivek@centos8:~ }$ sudo cp DesktopVPNClient.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
{vivek@centos8:~ }$ sudo openvpn --client --config /etc/openvpn/desktop.conf
Our Linux desktop system will automatically connect when computer restart using openvpn script/service:
{vivek@centos8:~ }$ sudo systemctl start openvpn@client

Step 5 – Verify/test the connectivity

Execute the following commands after connecting to OpenVPN server from your Linux desktop:
{vivek@centos8:~ }$ ping #Ping to the OpenVPN server gateway
{vivek@centos8:~ }$ ip route #Make sure routing setup working
{vivek@centos8:~ }$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Must return public IP address of OpenVPN server

A note about trouble shooting OpenVPN server and client issues

Check the OpenVPN server for errors using the journalctl command {vivek@centos8:~ }$ journalctl --identifier openvpn

Click to enlarge

Is firewall rule setup correctly on your server? Use the cat command to see rules:
{vivek@centos8:~ }$ sudo cat /etc/iptables/add-openvpn-rules.sh
iptables -t nat -I POSTROUTING 1 -s -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 1194 -j ACCEPT
exit 0

Here is a sample iptables script to remove OpenVPN rules:
{vivek@centos8:~ }$ sudo cat /etc/iptables/rm-openvpn-rules.sh

iptables -t nat -D POSTROUTING -s -o eth0 -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 1194 -j ACCEPT

Another option is to run iptables command and sysctl command commands to verify NAT rule setup on your server:
{vivek@centos8:~ }$ sudo iptables -t nat -L -n -v
{vivek@centos8:~ }$ sysctl net.ipv4.ip_forward

Insert the rules if not inserted from /etc/rc.local
{vivek@centos8:~ }$ sudo sh /etc/iptables/add-openvpn-rules.sh
{vivek@centos8:~ }$ sudo sysctl -w net.ipv4.ip_forward=1

Is OpenVPN server running and port is open? Use the ss command or netstat command and pidof command/ps command along with the grep command as follows:
{vivek@centos8:~ }$ netstat -tulpn | grep :1194 #1194 is the openvpn server port
{vivek@centos8:~ }$ ss -tulpn | grep :1194 #1194 is the openvpn server port
{vivek@centos8:~ }$ ps aux | grep openvpn #Is the openvpn server running?
{vivek@centos8:~ }$ ps -C openvpn #Is the openvpn server running?
{vivek@centos8:~ }$ pidof openvpn #Find the openvpn server PID

If not running, restart the OpenVPN server:
{vivek@centos8:~ }$ sudo systemctl restart openvpn-server@server.service
Look out for errors:
{vivek@centos8:~ }$ sudo systemctl status openvpn-server@server.service
Can the Linux desktop client connect to the OpenVPN server machine? First you need to run a simple test to see if the OpenVPN server port (UDP 1194) accepts connections using the nc command:
{vivek@centos8:~ }$ nc -vu 1194
Connection to 1194 port [udp/openvpn] succeeded!

If not connected it means either a Linux desktop firewall or your home/office router is blocking access to the server. Make sure both client and server using the same protocol and port. For example, UDP port 1194.


Congratulations! You just set up an OpenVPN server on CentOS 8 Linux server running in the cloud. For more information, please see the OpenVPN website here and the script site here for additional information.

🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
2 comments… add one
  • Juan Aug 9, 2020 @ 18:49

    All this steps in 5 minutes? OMG!!!

  • littleunixuser Nov 4, 2020 @ 7:03

    eeehhhh…. Are you a linux halfgod?
    I took a look at the script code, that cannot be a human.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.