Home VPN An Easiest Way To Install And Configure OpenVPN Server In Linux

An Easiest Way To Install And Configure OpenVPN Server In Linux

By sk
Published: Last Updated on 3.9K views

This guide describes how to install and configure OpenVPN server in RPM and DEB based systems. In this guide, we are going to use a script called openvpn-install that automates the entire OpenVPN server installation and configuration process. This script helps you to setup your own VPN server in few minutes, even if you haven't used OpenVPN before.

Let us get started.

Install And Configure OpenVPN Server In Linux

For the purpose this guide, I will be using two systems that are running with CentOS 7 64bit edition. One acts as OpenVPN server, an another one acts as openVPN client. The following is my test boxes details.

OpenVPN server:

  • OS : CentOS 7 64bit minimal edition
  • IP : 192.168.43.150/24
  • Hostname : vpnserver.ostechnix.local

OpenVPN Client:

  • OS : CentOS 7 64bit minimal edition
  • IP : 192.168.43.199/24

First, we will see server side configuration.

OpenVPN Server installation and configuration

Download the openvpn-install script from its GitHub page.

wget https://git.io/vpn -O openvpn-install.sh

Then, run the script using the following command as root user:

bash openvpn-install.sh

You will be asked to answer a series of questions. Answer them accordingly.

Make sure the IP address of the VPN server is correct. If you use multiple IP addresses, enter the IP of the network interface you want OpenVPN listening to.

Welcome to this quick OpenVPN "road warrior" installer

I need to ask you a few questions before starting the setup
 You can leave the default options and just press enter if you are ok with them

First I need to know the IPv4 address of the network interface you want OpenVPN
 listening to.
 IP address: 192.168.43.150

Select which protocol do you want to use. I want to use tcp port, hence I selected number 2.

Which protocol do you want for OpenVPN connections?
 1) UDP (recommended)
 2) TCP
Protocol [1-2]: 2

Enter the port number.

What port do you want OpenVPN listening to?
Port: 1194

Enter the DNS server details do you want to use with the VPN. I want to use Google DNS resolvers, so I selected the option 2.

Which DNS do you want to use with the VPN?
 1) Current system resolvers
 2) Google
 3) OpenDNS
 4) NTT
 5) Hurricane Electric
 6) Verisign
DNS [1-6]: 2

We have reached the final step. Enter your client certificate name. The name should be single word, and shouldn't contain any special characters.

Finally, tell me your name for the client certificate
Please, use one word only, no special characters
Client name: client

Press ENTER key to start the OPENVPN server installation.

Okay, that was all I needed. We are ready to setup your OpenVPN server now
Press any key to continue...

Npw, this script will start to install all necessary packages to setup OpenVPN server. Anslo, it will create all necessary keys and certificates to authenticate with the VPN clients. This will take a few minutes.

Finally, the script will ask you if you have any External IP address. If you don't have any, just ignore by leaving it blank and press ENTER key.

If your server is NATed (e.g. LowEndSpirit), I need to know the external IP
If that's not the case, just ignore this and leave the next field blank
External IP: 

Finished!

Your client configuration is available at /root/client.ovpn
If you want to add more clients, you simply need to run this script again!

OpenVPN server installation and configuration is completed. As you see in the last output, the client configuration details is stored in a file /root/client.ovpn. You need to copy this file to all your VPN client systems.

I copied the client.ovpn file to my VPN client

scp client.ovpn root@192.168.43.199:/etc/openvpn/

Next, we need to configure the OpenVPN client.

OpenVPN client Configuration

Make sure you have copied the client.ovpn file from your VPN server system. I already have copied this file to /etc/openvpn/ directory of my VPN client system.

Install OpenVPN package using the distribution package manager.

yum install openvpn

Next, run the following command to establish secure connection with VPN server.

openvpn --config /etc/openvpn/client.ovpn

Sample output:

Wed Apr 5 18:50:44 2017 Unrecognized option or missing parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.3.14)
Wed Apr 5 18:50:44 2017 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Wed Apr 5 18:50:44 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Wed Apr 5 18:50:44 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 5 18:50:44 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:44 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:44 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Apr 5 18:50:44 2017 Attempting to establish TCP connection with [AF_INET]192.168.43.150:1194 [nonblock]
Wed Apr 5 18:50:45 2017 TCP connection established with [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:45 2017 TCPv4_CLIENT link local: [undef]
Wed Apr 5 18:50:45 2017 TCPv4_CLIENT link remote: [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:45 2017 TLS: Initial packet from [AF_INET]192.168.43.150:1194, sid=c6fb554e 362eb192
Wed Apr 5 18:50:45 2017 VERIFY OK: depth=1, CN=ChangeMe
Wed Apr 5 18:50:45 2017 Validating certificate key usage
Wed Apr 5 18:50:45 2017 ++ Certificate has key usage 00a0, expects 00a0
Wed Apr 5 18:50:45 2017 VERIFY KU OK
Wed Apr 5 18:50:45 2017 Validating certificate extended key usage
Wed Apr 5 18:50:45 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Apr 5 18:50:45 2017 VERIFY EKU OK
Wed Apr 5 18:50:45 2017 VERIFY OK: depth=0, CN=server
Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Apr 5 18:50:45 2017 [server] Peer Connection Initiated with [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:48 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 5 18:50:48 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: route options modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: route-related options modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 5 18:50:48 2017 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:28:98:6b
Wed Apr 5 18:50:48 2017 TUN/TAP device tun0 opened
Wed Apr 5 18:50:48 2017 TUN/TAP TX queue length set to 100
Wed Apr 5 18:50:48 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 5 18:50:48 2017 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Apr 5 18:50:48 2017 /usr/sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 192.168.43.150/32 dev enp0s3
Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Wed Apr 5 18:50:48 2017 Initialization Sequence Completed

Now, check if tun0(VPN interface) is created, and check the VPN interface IP address using 'ip addr' command:

ip addr

Sample output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host 
 valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 link/ether 08:00:27:28:98:6b brd ff:ff:ff:ff:ff:ff
 inet 192.168.43.199/24 brd 192.168.43.255 scope global dynamic enp0s3
 valid_lft 42359sec preferred_lft 42359sec
 inet6 fe80::a00:27ff:fe28:986b/64 scope link 
 valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
 link/none 
 inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
 valid_lft forever preferred_lft forever

As you can see in the above output, Our VPN server automatically assigned an IP address 10.8.0.2 to the VPN client.

Now, try to ping the VPN server from your VPN client system:

ping -c3 10.8.0.1

Sample output:

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.05 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=1.94 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=2.49 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.057/1.832/2.495/0.594 ms

Congratulations! We have now successfully installed and configured OpenVPN server and client in CentOS. This method is same for DEB based systems such as Ubuntu and Linux Mint. Unlike the manual installation, this script makes the the openvpn installation and configuration much easier.

Cheers!

Resource:

You May Also Like

10 comments

Maximilian Haefner June 12, 2017 - 2:39 am

Very nice and easy guide!
Helped me a lot, but how can I build my .ovpn files, so that they need an authentication before opening the tunnel?

Reply
EDA January 19, 2018 - 1:43 am

Yes. Very well done. The install script works perfectly.

Question: who actually created openvpn-install.sh?

Thanks very much for your nice work.

Reply
SK January 19, 2018 - 11:47 am

Here is the GitHub profile of the developer. https://github.com/Nyr

Reply
shetu May 5, 2018 - 12:22 am

I can not ping host vpn server

Reply
nickchanger September 23, 2018 - 3:23 pm

Hi
I tried to install the scripts on an server (my own (vpn-)server abroad, running debian) and on openwrt on my router (linksys wrt1900acs).
Both scripts worked and I see the gateway by checking ip addr on my router.
But I get no Internet connection on router or laptop (behind router). I think I have to do further “mapping” between WAN-Connection and tun0 on router. Can anybody help?

Reply
Susana April 16, 2019 - 2:47 am

This is awesome. And very very easy. Now, can we add user authentication to this? How can we do it?

Thank you so much

Reply
kriss April 28, 2019 - 1:05 pm

Perfect script! I added linux user authentication
configuration in: server.conf / client.ovpn appropriate entries:
server:
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
client:
auth-user-pass

Reply
kriss April 28, 2019 - 1:11 pm

I installed on the ARM Odroid – HC1 platform!
Unfortunately, I do not know if the script will work on Ubuntu / Linux Mint because as I see in these versions of linux there is no rc.local file?
I have to check it out 🙂

Reply
Susana June 26, 2019 - 11:17 pm

Hi,

I already used this script a lot of times, and it always worked wonderfully, except for now.

openvpn-install.sh: line 1: –2019-06-26: command not found
openvpn-install.sh: line 2: syntax error near unexpected token ‘(‘
openvpn-install.sh: line 2: ‘A resolver git.io (git.io)…52.203.53.176, 52.200.233.201, 52.7.169.168, …’

Can you please help?

Reply
sk June 27, 2019 - 3:21 pm

Hi,

I deleted this setup along time ago.So, I can’t help now. Please look at the issues page and see if it helps to solve your problem. https://github.com/angristan/openvpn-install/issues

Reply

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More