
Setting Up an OpenVPN Server on CentOS Stream 9

A Step-by-Step Guide: How to Set Up Your Own OpenVPN Server on CentOS Stream 9

In an era of increasing digital surveillance and cybersecurity threats, taking control of your internet privacy has never been more critical. A Virtual Private Network (VPN) creates a secure, encrypted tunnel for your online activity, protecting your data from prying eyes on public Wi-Fi and securing remote access to your private network.

While many commercial VPN services exist, building your own OpenVPN server on CentOS Stream 9 gives you control over who can connect, which keys are trusted, and what is logged, usually for the price of a small virtual server. This guide walks you through the entire process, from installation to client configuration.

Prerequisites for Your OpenVPN Server

Before we begin, ensure you have the following:

  • A server running a fresh installation of CentOS Stream 9.
  • Root or sudo access to the server.
  • A public IP address (or DNS name) for the server that clients can reach on UDP port 1194.

Step 1: Installing OpenVPN and Essential Tools

First, we need to install the necessary software packages. OpenVPN is not shipped in the default CentOS Stream 9 repositories (BaseOS and AppStream), so we must first enable the Extra Packages for Enterprise Linux (EPEL) repository.

  1. Enable the EPEL Repository:

    sudo dnf install epel-release
    
  2. Install OpenVPN and Easy-RSA:
    Easy-RSA is a command-line utility used to build and manage a Public Key Infrastructure (PKI), which is essential for generating the certificates and keys our VPN will use for authentication and encryption.

    sudo dnf install openvpn easy-rsa
    

Step 2: Building the Public Key Infrastructure (PKI)

With the software installed, our next task is to create the cryptographic foundation for our server. This involves setting up a Certificate Authority (CA) and generating server-side certificates and keys.

  1. Create the PKI Directory:
    First, create a dedicated directory for your PKI and navigate into it.

    sudo mkdir /etc/openvpn/easy-rsa
    cd /etc/openvpn/easy-rsa
    
  2. Initialize the PKI:
    This command creates the pki/ directory structure inside /etc/openvpn/easy-rsa; all later Easy-RSA commands must be run from this directory.

    sudo /usr/share/easy-rsa/3/easyrsa init-pki
    
  3. Build the Certificate Authority (CA):
    The CA is the root of trust for your VPN: it signs the server and client certificates, and each side verifies the other's certificate against ca.crt. You'll be prompted for a passphrase and a Common Name for the CA. Choose a strong passphrase and store it securely, as you'll need it every time you sign a certificate request. Only ca.crt is needed on the VPN server itself, so the CA private key (pki/private/ca.key) can, and ideally should, be kept on a separate offline machine: an attacker who compromises the server then cannot issue new client certificates.

    sudo /usr/share/easy-rsa/3/easyrsa build-ca
    
  4. Generate the Server Certificate and Key:
    Now, we’ll generate a certificate and a private key specifically for the OpenVPN server. Use the nopass option so the server can start unattended without a passphrase prompt. The key is then stored unencrypted, so its file permissions (readable by root only) are its only protection.

    sudo /usr/share/easy-rsa/3/easyrsa build-server-full server nopass
    
  5. Generate Diffie-Hellman Parameters:
    This step creates the Diffie-Hellman parameters used for the key exchange. Generating them may take a few minutes. Only the server needs dh.pem; clients never see it.

    sudo /usr/share/easy-rsa/3/easyrsa gen-dh
    
  6. Copy Files to the OpenVPN Directory:
    The openvpn-server@ systemd unit reads its configuration from /etc/openvpn/server/, so copy the files it needs there. Only ca.crt, server.crt, server.key, and dh.pem belong on the server; ca.key stays in the PKI directory (or offline). Afterwards, confirm that server.key is still readable only by root (mode 600).

    sudo cp pki/ca.crt /etc/openvpn/server/
    sudo cp pki/private/server.key /etc/openvpn/server/
    sudo cp pki/issued/server.crt /etc/openvpn/server/
    sudo cp pki/dh.pem /etc/openvpn/server/
    

Step 3: Configuring the OpenVPN Server

Now we will create the server configuration file. This file tells the OpenVPN service how to operate.

Create and open a new configuration file:

sudo nano /etc/openvpn/server/server.conf

Paste the following configuration into the file. It is a working baseline rather than a hardened configuration; the notes after it explain each directive and what it leaves out.

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
  • Key Configuration Points:
    • port 1194 and proto udp: The standard OpenVPN port and protocol. The SELinux policy on CentOS Stream 9 already labels 1194 as openvpn_port_t; if you move to another port you must label it as well (semanage port), or the daemon will be denied the bind.
    • ca, cert, key, dh: Paths to the files copied in Step 2, relative to /etc/openvpn/server/.
    • server 10.8.0.0 255.255.255.0: The virtual address pool handed to connecting clients; the server itself takes 10.8.0.1.
    • push "redirect-gateway def1 bypass-dhcp": Makes clients send all of their traffic through the tunnel, not only traffic for the VPN subnet.
    • push "dhcp-option DNS ...": Tells clients to use these resolvers (Google’s, in this case) while connected. This only prevents DNS leaks if the client actually applies the pushed option: Windows clients additionally need push "block-outside-dns", and Linux clients need an up/down script or systemd-resolved integration to install the pushed resolvers.
    • user nobody, group nobody, persist-key, persist-tun: Drops root privileges after startup; the persist options let the process keep its key and tun device across restarts now that it can no longer reopen them.
    • Not included, but worth adding before exposing the server: tls-crypt (authenticates and encrypts the control channel before TLS, with a key generated by openvpn --genkey), a pinned data-ciphers list, tls-version-min 1.2, keepalive so dead peers are detected, and crl-verify so that revoked client certificates are actually rejected.
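Added here as an example (not part of the original article and not OpenVPN's own tooling): a small shell script that audits a server.conf for the hardening directives listed above and runs it over the guide's baseline next to a hardened variant. It only inspects text; nothing talks to OpenVPN or the network. It assumes OpenVPN 2.5 or newer (for data-ciphers) and, for the hardened file, that ta.key was created with `openvpn --genkey secret ta.key` and crl.pem with `easyrsa gen-crl`; both sample configurations are constructed inline.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit an OpenVPN server.conf
# for hardening directives and compare the guide's baseline with a hardened
# variant. Pure text inspection; nothing here talks to OpenVPN or the network.
# Assumes OpenVPN 2.5+ (data-ciphers) and, for the hardened file, a ta.key from
# "openvpn --genkey secret ta.key" and a crl.pem from "easyrsa gen-crl".

# has_directive FILE NAME: true if an uncommented line begins with NAME.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE: print one "[!] ..." line per missing setting.
audit_server_conf() {
    conf=$1
    # tls-crypt (preferred) or tls-auth authenticates control-channel packets
    # before they reach the TLS stack, so scanners and junk are dropped early.
    if ! has_directive "$conf" tls-crypt && ! has_directive "$conf" tls-auth; then
        echo "[!] no tls-crypt/tls-auth: control channel unauthenticated before TLS"
    fi
    has_directive "$conf" data-ciphers ||
        echo "[!] no data-ciphers: data-channel cipher list not pinned to AEAD modes"
    has_directive "$conf" tls-version-min ||
        echo "[!] no tls-version-min: TLS 1.0/1.1 handshakes still accepted"
    has_directive "$conf" remote-cert-tls ||
        echo "[!] no remote-cert-tls client: client certificate purpose not enforced"
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "[!] no user/group: daemon keeps root after startup"
    fi
    has_directive "$conf" keepalive ||
        echo "[!] no keepalive: dead peers are never detected"
    has_directive "$conf" crl-verify ||
        echo "[!] no crl-verify: a revoked client certificate is still accepted"
    return 0
}

# count_findings FILE: number of findings as a plain integer on stdout.
count_findings() {
    audit_server_conf "$1" | grep -c '^\[!\]' || true
}

# write_baseline_conf OUT: the server.conf from this guide (constructed copy).
write_baseline_conf() {
cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
persist-key
persist-tun
verb 3
explicit-exit-notify 1
EOF
}

# write_hardened_conf OUT: the same baseline plus the audited directives
# (ta.key and crl.pem are assumed to exist; block-outside-dns is for Windows
# clients, other clients log and ignore it).
write_hardened_conf() {
write_baseline_conf "$1"
cat >> "$1" <<'EOF'
tls-crypt ta.key
crl-verify crl.pem
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
tls-version-min 1.2
remote-cert-tls client
keepalive 10 120
push "block-outside-dns"
EOF
}

# Demo: audit both files side by side.
tmp=$(mktemp -d)
write_baseline_conf "$tmp/baseline.conf"
write_hardened_conf "$tmp/hardened.conf"
for name in baseline hardened; do
    echo "== $name.conf: $(count_findings "$tmp/$name.conf") finding(s)"
    audit_server_conf "$tmp/$name.conf"
done
rm -rf "$tmp"
```

Point audit_server_conf at /etc/openvpn/server/server.conf to check a live server; an empty result means every directive the script knows about is present, not that the configuration is correct, so still read the daemon's log after any change.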

Step 4: Adjusting Network and Firewall Settings

To allow traffic to flow through our VPN server, we need to enable IP forwarding and configure the system firewall.

  1. Enable IP Forwarding:
    This allows the server to route traffic from the VPN interface to the public internet.

    echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-openvpn.conf
    sudo sysctl -p /etc/sysctl.d/99-openvpn.conf
    
  2. Configure FirewallD:
    We need to add rules to firewalld to allow OpenVPN traffic and enable Network Address Translation (NAT).

    # Allow the OpenVPN service
    sudo firewall-cmd --add-service=openvpn --permanent
    
    # Enable NAT for the VPN subnet
    sudo firewall-cmd --add-masquerade --permanent
    
    # Reload the firewall to apply changes
    sudo firewall-cmd --reload
    

    NAT is what allows your connected clients to use the server’s public IP address to reach the internet, so their own addresses are never exposed. Both rules apply to firewalld’s default zone (check it with firewall-cmd --get-default-zone); the public interface and the tun0 device both land there unless you assign them to another zone, which is why this minimal setup works.

Step 5: Starting and Enabling the OpenVPN Service

With all the configuration in place, it’s time to start the server. The openvpn-server@ template unit takes the configuration file name (without .conf) as its instance name, so the unit for /etc/openvpn/server/server.conf is openvpn-server@server.service.

sudo systemctl enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service

You can check the status to ensure it’s running correctly; if it failed, journalctl -u openvpn-server@server shows why:

sudo systemctl status openvpn-server@server.service

Step 6: Creating Client Configuration Files

Your server is running, but no one can connect yet. We need to generate a certificate and a configuration file for each client device.

  1. Generate a Client Certificate and Key:
    Navigate back to your Easy-RSA directory and run the build-client-full command. Replace client1 with a unique name for each user or device, and issue one certificate per device: the key is generated with nopass, so whoever holds the resulting .ovpn file can connect. A lost device is revoked with easyrsa revoke client1 followed by easyrsa gen-crl, but the server only honours the CRL if server.conf contains a crl-verify line pointing at it.

    cd /etc/openvpn/easy-rsa
    sudo /usr/share/easy-rsa/3/easyrsa build-client-full client1 nopass
    
  2. Create a Base Client Configuration File:
    We will create a template file that can be easily adapted for each client.

    mkdir -p ~/client-configs/files
    nano ~/client-configs/base.conf
    

    Paste the following into base.conf. Remember to replace YOUR_SERVER_IP with your server’s actual public IP address.

    client
    dev tun
    proto udp
    remote YOUR_SERVER_IP 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    verb 3
    
  3. Generate the Final .ovpn File:
    Now, combine the base configuration with the client’s certificate and key into a single, portable .ovpn file. The files under pki/ are readable only by root, so read them with sudo; the redirect itself runs as your user, so the .ovpn ends up in your home directory.

    {
      cat ~/client-configs/base.conf
      echo '<ca>'
      sudo cat /etc/openvpn/easy-rsa/pki/ca.crt
      echo '</ca>'
      echo '<cert>'
      sudo cat /etc/openvpn/easy-rsa/pki/issued/client1.crt
      echo '</cert>'
      echo '<key>'
      sudo cat /etc/openvpn/easy-rsa/pki/private/client1.key
      echo '</key>'
    } > ~/client-configs/files/client1.ovpn
    

The resulting file, ~/client-configs/files/client1.ovpn, is all a client needs, and it contains that client’s private key, so treat it as a secret: transfer it over an encrypted channel (scp, for example), keep it readable only by its owner, and delete the copy on the server once it has been imported. Import it into any OpenVPN-compatible client software on the device (e.g., laptop or smartphone).
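As an added example (not the article’s own commands), the script below generalizes this step to any number of clients: it extracts just the PEM block from each Easy-RSA file (the issued .crt files carry a human-readable dump before the certificate), writes each .ovpn with owner-only permissions, and verifies the assembled file. It assumes the PKI layout used in this guide; the PKI directory, base configuration, output directory and client names are whatever you pass on the command line. Run it as root on the server, since pki/private/ is readable only by root.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: build one inline .ovpn
# per client from the Easy-RSA layout used in this guide
# (PKI/ca.crt, PKI/issued/NAME.crt, PKI/private/NAME.key) and sanity-check
# the result. Run as root on the server, since pki/private/ is root-only.

# pem_block FILE: print only the -----BEGIN ...----- / -----END ...----- block.
# Easy-RSA's issued/*.crt files start with a text dump of the certificate;
# OpenVPN tolerates it, but the inline file is cleaner without it.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn NAME BASE_CONF PKI_DIR OUT_DIR: write OUT_DIR/NAME.ovpn and
# print its path. Returns 1 if any input file is missing or unreadable.
build_ovpn() {
    name=$1 base=$2 pki=$3 outdir=$4
    out=$outdir/$name.ovpn
    for f in "$base" "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    mkdir -p "$outdir"
    rm -f "$out"
    # The file embeds the client's private key: create it owner-readable only.
    (
        umask 077
        {
            cat "$base"
            echo '<ca>';   pem_block "$pki/ca.crt";            echo '</ca>'
            echo '<cert>'; pem_block "$pki/issued/$name.crt";  echo '</cert>'
            echo '<key>';  pem_block "$pki/private/$name.key"; echo '</key>'
        } > "$out"
    )
    echo "$out"
}

# check_ovpn FILE: verify each inline section opens and closes exactly once
# and that exactly three PEM bodies (ca, cert, key) are present.
check_ovpn() {
    f=$1
    for tag in ca cert key; do
        if [ "$(grep -c "^<$tag>\$" "$f")" != 1 ] || [ "$(grep -c "^</$tag>\$" "$f")" != 1 ]; then
            echo "check_ovpn: <$tag> section malformed in $f" >&2
            return 1
        fi
    done
    if [ "$(grep -c '^-----BEGIN ' "$f")" != 3 ] || [ "$(grep -c '^-----END ' "$f")" != 3 ]; then
        echo "check_ovpn: expected three PEM bodies in $f" >&2
        return 1
    fi
    return 0
}

# Usage: sudo bash build-ovpn.sh PKI_DIR BASE_CONF OUT_DIR CLIENT...
#   e.g. sudo bash build-ovpn.sh /etc/openvpn/easy-rsa ~/client-configs/base.conf \
#            ~/client-configs/files client1 client2
if [ "$#" -ge 4 ]; then
    pki=$1 base=$2 outdir=$3
    shift 3
    for client in "$@"; do
        out=$(build_ovpn "$client" "$base" "$pki" "$outdir") && check_ovpn "$out" && echo "wrote $out"
    done
fi
```

Because the script runs as root, the output files are owned by root; chown them to the user who will copy them off the server, and remember that each one is a credential until it is deleted.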

Congratulations! You now have a working, private OpenVPN server running on CentOS Stream 9, with the keys, the client list, and the logs under your own control.

Source: https://infotechys.com/install-configure-openvpn-server-centos-stream-9/
