How to Install and configure VPN-server (OpenVPN) in CentOS/RHEL 7

OpenVPN is a free implementation of the technology of virtual private network (VPN) with open source software to create encrypted channels, point-to-point or server-to-client between computers. It allows you to establish connections between computers behind a NAT firewall, without having to change their settings.


Connect the EPEL repository

To install OpenVPN – connect the EPEL repository (Extra Packages for Enterprise Linux):


Install OpenVPN


Setting up OpenVPN in simplest way

First of all bring OpenVPN to working condition, and then add the “features”. We need the private key, the certificate and the CA certificate. How to create them, you can read in this article.

Some OpenVPN clients do not know how to work over UDP, as for example the OpenVPN client to MikroTik routers, in this case, you want to write a proto udp instead of a string proto tcp. Authorization in the configuration file we included for users. That is to connect the client’s preferences, you will need to specify the username and password of an existing user.

Setting up the firewall

The first line will connect to OpenVPN server via UDP, TCP is the second.

Trial run OpenVPN server

Now, let’s run the OpenVPN server and try to connect to it:


OpenVPN client on CentOS 7

In the client config I have a string: ca /etc/pki/tls/certs/ca-bundle.crt it means to validate the server SSL certificate I use system trusted root certificates. If you have a server is OpenVPN – a self-signed certificate, then the client side, you must copy the CA certificate and specify it in the configuration file of the client, in the ca.
And the string “user” nobody “and group” nobody “we you commented out, because if they leave, then after the VPN connection is established, the client OpenVPN does not have enough rights to” get rid of “. He will leave the DNS server and routes changed.

After a successful connection, log on the server we have seen the following:

Keep in mind, if the client’s config register string auth-nocache authorization by login and password, then login with the password rekonnekta can be read from a file, and you will need to enter in the console.
The client connected to the server, the client-side try to ping the IP address of the server:

As we can see, everything is pinged. Then configure both client and server are correct. But it is better not to use settings, such as on the client side, in a file, we have system user name and password in clear text. This can be used for a short time, only during initial configuration.

Configuring masquerading on the server side

To clients in the world through our VPN server-side, we must configure the masquerading and forwarding the client’s default route on (keep in mind, it is desirable to send a DNS server). To do this, do the following:

Keep in mind, what linux client with default settings does not modify their DNS server when connecting to the OpenVPN to change it, do the following on the client:

But, just keep in mind that if you are pushing the external address of the OpenVPN server as DNS, appeal to it will go with the external address of the client. But if pushing the internal IP address of the OpenVPN server, there might be a problem that the local DNS server is listening to port 53 on this address. If an address appears in the system after the local DNS server is already running, you must run the systemctl reload named-chroot.service to the DNS server binded to appear in the IP system. To automate this, do the following on the server:


Configure auto-start OpenVPN

That’s how we run the OpenVPN is good only for the tests. Prepare to launch OpenVPN:

Handle server means that you use the configuration file with the name server.conf to the /etc/openvpn directory, in the case of a client, you need to run the following command:

In general, you can run multiple OpenVPN services on one machine, the main thing that had different configuration files, and to not use the same ports and IP addresses.
Let’s try to run the OpenVPN server:

As you can see, the service does not start. Let’s see why:

Okey, interesting. Take a look at the SELinux log:

Cool. Lack of OpenVPN’a to run the script. Give him these rights and try to start the service again:

Now the service has started successfully.
A little later I’ll enhance the post describing the work of OpenVPN with certificates.


  1. chcon -v –type=openvpn_exec_t /etc/openvpn/scripts/

    So you dont have to let openvpn run unconfined.

  2. josefchmelJosef
    21.12.2015 - 17:50

    Thank you for great article!

  3. On CentOs7,
    chcon -v –type=openvpn_exec_t /etc/openvpn/scripts/ wont work
    need to modify it to
    chcon -vt openvpn_exec_t /etc/openvpn/scripts/

  4. I have done everything in this article, but i am able to connect from internal network but cant connect from outside network, and also I dont have internet connectivity once i connect through VPN.

    Any help will be appriciated,

    Thanks in advance

    • $ firewall-cmd –permanent –zone=trusted –add-interface=tun0
      $ firewall-cmd –permanent –zone=trusted –add-masquerade
      $ firewall-cmd –reload
      May be this commands will help?

  5. Hello Wakko,

    Thanks for the quick reply,

    I have added the firewall and masquerade and also port forwarding on sysctl.conf.
    There is no effect, still no internet on the client side

    [root@centos7server-s3 ~]# firewall-cmd –zone=public –list-all
    public (default, active)
    interfaces: eth0 eth1
    services: dhcpv6-client openvpn ssh
    ports: 1194/tcp
    masquerade: no
    rich rules:

    [root@centos7server-s3 ~]# firewall-cmd –zone=trusted –list-all
    trusted (active)
    interfaces: tun0
    masquerade: yes
    rich rules:

    [root@centos7server-s3 ~]# sysctl -p
    net.ipv4.ip_forward = 1

  6. Hi there,

    I have my servers at location-A(different country), and I want to configure the server here

    I want to access the vm’s under the server at Location-A (different country) from Location-B (different country)

    I was configuring the Openvpn to access my servers at location-A from Location-B

    Any help or suggestion will be very helpful.

    Thanks in advance

Leave a Reply