How to Set Up an OpenVPN Server on Rocky Linux 8

Secure Your Network: A Comprehensive Guide to Installing OpenVPN on Rocky Linux 8

In an era of increasing digital threats and privacy concerns, taking control of your internet connection is more important than ever. Setting up your own Virtual Private Network (VPN) is a powerful way to secure your data, encrypt your traffic, and ensure private remote access to your network resources. OpenVPN is a trusted, open-source solution that provides robust security and flexibility.

This guide will walk you through the complete process of installing and configuring an OpenVPN server on Rocky Linux 8. By following these steps, you can create a private, encrypted tunnel for your internet traffic, protecting you from prying eyes on public Wi-Fi and securing your remote work connections.

Prerequisites

Before we begin, ensure you have the following:

  • A server running a fresh installation of Rocky Linux 8.
  • Root or sudo privileges to execute administrative commands.
  • Basic familiarity with the Linux command line.

First, it’s crucial to ensure your system is fully up-to-date. Open your terminal and run the following command:

sudo dnf update -y

Step 1: Install OpenVPN and Easy-RSA

The first step is to install the necessary software packages. We need OpenVPN for the server daemon and Easy-RSA, a tool that simplifies the process of creating and managing security certificates.

Install both packages from the default Rocky Linux repositories with this command:

sudo dnf install openvpn easy-rsa -y

Step 2: Set Up the Certificate Authority (CA)

A secure VPN relies on a chain of trust established by a Certificate Authority (CA). The CA is responsible for signing the certificates for both the server and the clients, ensuring that only authorized devices can connect.

  1. Create a Directory for Easy-RSA:
    First, create a new directory for Easy-RSA to work in.

    sudo mkdir /etc/openvpn/easy-rsa
    sudo chown -R $USER:$USER /etc/openvpn/easy-rsa
    
  2. Copy Easy-RSA Scripts:
    Next, copy the Easy-RSA 3 scripts into the directory you just created.

    cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
    
  3. Initialize the Public Key Infrastructure (PKI):
    Navigate into the new directory and initialize the PKI, which sets up the underlying directory structure for your certificates.

    cd /etc/openvpn/easy-rsa/
    ./easyrsa init-pki
    
  4. Build the Certificate Authority:
    Now, you will build the CA. This command creates the root certificate and key that will be used to sign all future requests.

    ./easyrsa build-ca nopass
    

    The nopass option is used here for simplicity. For a production environment, you should omit nopass and set a strong, secure passphrase for your CA key.

Step 3: Generate Server and Client Credentials

With the CA established, we can now generate the necessary certificates and keys for the OpenVPN server and its clients.

  1. Generate the Server Certificate and Key:
    Create a certificate and private key for the OpenVPN server. We’ll name our server server.

    ./easyrsa build-server-full server nopass
    

    Using nopass here is recommended for the server so it can restart automatically without requiring manual password entry.

  2. Generate Diffie-Hellman Parameters:
    The Diffie-Hellman protocol is used to securely exchange cryptographic keys over a public channel. This step generates the parameters needed for this exchange.

    ./easyrsa gen-dh
    

    This process may take several minutes to complete, as it involves complex cryptographic calculations.

  3. Generate a Client Certificate and Key:
    Every device that connects to your VPN will need its own unique certificate and key. Let’s create credentials for a client named client1.

    ./easyrsa build-client-full client1
    

    You will be prompted to enter a secure passphrase for the client key. This passphrase will be required every time the client connects, adding an extra layer of security.

Step 4: Configure the OpenVPN Server

Now that all our cryptographic materials are ready, we can configure the OpenVPN server itself.

  1. Copy Files to the OpenVPN Directory:
    Move the generated certificates and keys into the /etc/openvpn/server directory.

    sudo cp pki/ca.crt /etc/openvpn/server/
    sudo cp pki/issued/server.crt /etc/openvpn/server/
    sudo cp pki/private/server.key /etc/openvpn/server/
    sudo cp pki/dh.pem /etc/openvpn/server/
    
  2. Create the Server Configuration File:
    OpenVPN provides a sample configuration file that we can adapt. Copy it and then open it for editing.

    sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
    sudo nano /etc/openvpn/server/server.conf
    
  3. Modify the Configuration:
    Inside the server.conf file, find and modify the following lines. Ensure they point to the files we just created and uncomment them if necessary:

    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    

    Next, to enhance security, uncomment the user and group lines to drop privileges after startup:

    user nobody
    group nobody
    

    Finally, to route all client traffic through the VPN, uncomment the following line:

    push "redirect-gateway def1 bypass-dhcp"
    

    You can also push specific DNS servers to clients to prevent DNS leaks:

    push "dhcp-option DNS 208.67.222.222" # OpenDNS
    push "dhcp-option DNS 1.1.1.1"      # Cloudflare DNS
    

    Save and close the file.

Step 5: Configure Networking and Firewall

For the VPN to function correctly, we must enable IP forwarding on the server and configure the firewall to allow VPN traffic.

  1. Enable IP Forwarding:
    This allows the server to route traffic from VPN clients to the internet.

    sudo nano /etc/sysctl.conf
    

    Add the following line to the bottom of the file:

    net.ipv4.ip_forward = 1
    

    Apply the change immediately without rebooting:

    sudo sysctl -p
    
  2. Configure FirewallD:
    Rocky Linux 8 uses firewalld. We need to add rules to allow OpenVPN traffic and enable masquerading (NAT).

    sudo firewall-cmd --add-service=openvpn --permanent
    sudo firewall-cmd --add-masquerade --permanent
    sudo firewall-cmd --reload
    

    Masquerading allows the server to rewrite the source IP address of packets from VPN clients to its own IP, enabling them to communicate with the internet.

Step 6: Start and Enable the OpenVPN Service

With all the configuration in place, it’s time to start the OpenVPN server.

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

The enable command ensures the VPN service will start automatically when the server boots. Verify that it is running correctly:

sudo systemctl status openvpn-server@server

You should see an “active (running)” status.

Step 7: Configure the Client

The final step is to create a configuration file (.ovpn) for your client device.

  1. Create a Client Configuration Directory:
    It’s good practice to create a dedicated space for client files.

    mkdir -p ~/client-configs/files
    
  2. Create a Base Configuration File:
    Create a new file named base.conf inside ~/client-configs.

    nano ~/client-configs/base.conf
    

    Paste the following configuration into the file. Replace your_server_ip with your server’s public IP address.

    client
    dev tun
    proto udp
    remote your_server_ip 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    verb 3
    user nobody
    group nobody
    
  3. Generate the .ovpn File:
    We will now create a script to combine the base configuration with the client’s certificate and key into a single, portable .ovpn file.

    Create a script named make_config.sh:

    nano ~/client-configs/make_config.sh
    

    Paste the following content into the script:

    #!/bin/bash
    # First argument: client name (must match the name given to easyrsa build-client-full)
    set -euo pipefail

    CLIENT="${1:?usage: $0 <client-name>}"
    # Resolve paths relative to this script so it works from any directory and under sudo,
    # where $HOME may be reset to /root
    CFG_DIR="$(cd "$(dirname "$0")" && pwd)"
    PKI_DIR=/etc/openvpn/easy-rsa/pki

    # Concatenate base.conf with the CA, client certificate and client key as inline blocks
    cat "${CFG_DIR}/base.conf" \
        <(echo -e '<ca>') \
        "${PKI_DIR}/ca.crt" \
        <(echo -e '</ca>\n<cert>') \
        "${PKI_DIR}/issued/${CLIENT}.crt" \
        <(echo -e '</cert>\n<key>') \
        "${PKI_DIR}/private/${CLIENT}.key" \
        <(echo -e '</key>') \
        > "${CFG_DIR}/files/${CLIENT}.ovpn"
    

    Make the script executable:

    chmod 700 ~/client-configs/make_config.sh
    

    Now, from inside the ~/client-configs directory, run the script to generate the configuration for client1:

    sudo ./make_config.sh client1
    

    Your complete client configuration file will be located at ~/client-configs/files/client1.ovpn.
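A small check script, added here as an example and not part of the original guide, that validates a profile produced by make_config.sh before it leaves the server: it confirms that the <ca>, <cert> and <key> blocks are each present once and hold PEM data, that the remote line no longer carries the your_server_ip placeholder, that remote-cert-tls server is set, and that the file (which embeds a private key) is not group- or world-readable. The make_sample_ovpn helper writes a constructed profile with dummy PEM bodies, not real keys, so the checker can be tried offline.

```shell
#!/bin/bash
# check_ovpn FILE: sanity-check a client profile built by make_config.sh.
# Prints each failed check and returns 0 if all pass, 1 otherwise.
check_ovpn() {
    local f="$1" tag mode rc=0
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    # Each inline block must open and close exactly once and wrap a PEM object
    for tag in ca cert key; do
        if [ "$(grep -c "^<$tag>\$" "$f")" != 1 ] || [ "$(grep -c "^</$tag>\$" "$f")" != 1 ]; then
            echo "$f: <$tag> block missing or duplicated"; rc=1
        elif ! sed -n "/^<$tag>\$/,/^<\/$tag>\$/p" "$f" | grep -q -- '-----BEGIN'; then
            echo "$f: <$tag> block holds no PEM data"; rc=1
        fi
    done
    # The remote line must name the real server, not the placeholder from base.conf
    if ! grep -q '^remote ' "$f"; then
        echo "$f: no remote line"; rc=1
    elif grep -q '^remote your_server_ip ' "$f"; then
        echo "$f: remote still points at the your_server_ip placeholder"; rc=1
    fi
    # remote-cert-tls server stops a client certificate from impersonating the server
    grep -q '^remote-cert-tls server$' "$f" || { echo "$f: remote-cert-tls server missing"; rc=1; }
    # The profile embeds a private key, so it must be owner-readable only
    mode="$(stat -c %a "$f")"
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode too permissive (use chmod 600)"; rc=1 ;;
    esac
    return $rc
}

# make_sample_ovpn FILE REMOTE: write a constructed profile with dummy PEM
# bodies (not real certificates or keys) so check_ovpn can be exercised offline.
make_sample_ovpn() {
    local f="$1" remote="$2"
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\nremote-cert-tls server\nverb 3\n' "$remote"
        printf '<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n</ca>\n'
        printf '<cert>\n-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n</cert>\n'
        printf '<key>\n-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n</key>\n'
    } > "$f"
    chmod 600 "$f"
}
```

Run it as `check_ovpn ~/client-configs/files/client1.ovpn` after editing the remote line; a non-zero exit means the profile should not be handed out yet.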

Final Steps and Security Tips

You have now successfully set up a fully functional OpenVPN server. The final step is to securely transfer the client1.ovpn file to your client device (e.g., your laptop or smartphone) and import it into an OpenVPN client application.

  • Security Tip: Never send client configuration files over insecure channels like email. Use secure methods like SCP or SFTP to transfer them.
  • Certificate Revocation: If a client device is lost or an employee leaves, you must revoke their certificate to prevent unauthorized access. Use the ./easyrsa revoke client_name command.
  • Updates: Regularly update your server and the OpenVPN package to protect against newly discovered vulnerabilities.

By hosting your own VPN, you gain unparalleled control over your digital privacy and security. You can now browse the web securely, access local network resources from anywhere, and rest assured that your data is encrypted and protected.

Source: https://kifarunix.com/setup-openvpn-server-on-rocky-linux-8/
