Install OpenVPN on CentOS


This tutorial is for home users who have a spare system to run OpenVPN on. In this tutorial, Windows 7 is used for the client connecting to the VPN.

If you face a problem with this How-To, please reply with specific data and I will try to help.

First, install CentOS on the spare system (or VPS) and forward UDP port 1194 from your router or firewall to it. The port forward is only needed if the server sits behind a NAT router or firewall, which is the usual case on a home network.

Add RPMForge Yum Repository
Install the RPMForge release package that matches your architecture with rpm (this is the repository yum will take the openvpn package from):

For x86 (32-bit) systems
For x64 (64-bit) systems
rpm -Uhv

Configure iptables
Create the following script, chmod +x it, and run it.
  • Note: The following will work, but you may wish to change the source address (-s) in the FORWARD and POSTROUTING rules to the VPN network range of your choosing. The INPUT policy is DROP and only UDP 1194, ICMP, lo and tun0 are opened, so if you manage this box over SSH add a rule for TCP port 22 before running it: the session you are in survives only through the ESTABLISHED,RELATED rule, and no new one can be opened.
#!/bin/bash
# Start clean in both the filter and the nat table, so re-running the
# script does not append duplicate rules
/sbin/iptables -F
/sbin/iptables -t nat -F
# Deny inbound by default, allow outbound
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Forward traffic from the VPN subnet and replies to it, reject everything else
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
# NAT the VPN clients behind the server's eth0 address
/sbin/iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
# Inbound: OpenVPN, ping, loopback, the tunnel itself and established flows
/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Persist the rules to /etc/sysconfig/iptables and show the result
/sbin/service iptables save
/sbin/iptables -L -v
Configure Kernel
Enable IP forwarding so the server can route client traffic. Add the following to /etc/sysctl.conf (the file sysctl -p loads):

net.ipv4.ip_forward = 1
Make the changes active

  • sysctl -p
Install OpenVPN Server
Install openvpn

  • yum install openvpn
Configure openvpn to start on boot

  • chkconfig --levels 345 openvpn on
Generate RSA Keys
Copy the easy-rsa directory shipped with the package into /etc/openvpn, so that a package upgrade does not wipe your edits

  • cp -r /usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/
Modify the vars parameter settings

  • cd /etc/openvpn/easy-rsa/2.0/
  • Edit the bottom fields in vars with your information
  • Note: KEY_SIZE=1024 is the default in this version of easy-rsa, but 1024-bit RSA is no longer considered adequate; set it to 2048. build-dh then writes dh2048.pem instead of dh1024.pem, and the dh line in server.conf must name that file.
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

# This variable should point to
# the requested executables
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="Potsdam"
export KEY_ORG="Home"
export KEY_EMAIL=""
Make all files in the directory executable

  • chmod +x ./*
Load the vars settings into the current shell (note the leading dot: the file must be sourced, not executed), initialise the keys directory, then build the Certificate Authority. Accept the defaults except for the Common Name. clean-all creates the empty keys directory plus the index.txt and serial files the other scripts need; it deletes everything already in keys/, so run it only this once.

  • . ./vars
  • ./clean-all
  • ./build-ca
Generating a 1024 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Home CA]:openvpn
Name []:
Email Address []:
Generate the VPN server key

  • ./build-key-server server
Generating a 1024 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:''
Certificate is to be certified until Apr 14 00:07:10 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build the first client key. Repeat this step for each further client, giving every client its own Common Name: the server tracks clients by CN (ifconfig-pool-persist assigns addresses by it), and without duplicate-cn a new connection with the same CN knocks the earlier client off the VPN.

  • ./build-key client1
Generating a 1024 bit RSA private key
writing new private key to 'client1.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Potsdam]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'Potsdam'
organizationName      :PRINTABLE:'Home'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:''
Certificate is to be certified until Apr 14 00:07:42 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build the remaining keys: the Diffie-Hellman parameters (this takes a while) and the tls-auth key, a shared HMAC secret that makes the server drop handshake packets not signed with it before any TLS processing happens

  • ./build-dh
  • openvpn --genkey --secret keys/ta.key
Copy the files the server needs into the OpenVPN directory. Leave ca.key out: the server never uses it, it is only needed to sign new certificates, and keeping it on the server would hand the whole CA to anyone who compromises the box. server.csr is not needed either. server.key and ta.key should stay readable by root only.

  • cp keys/ca.crt keys/dh1024.pem keys/server.crt keys/server.key keys/ta.key /etc/openvpn/
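Before copying anything, it is worth checking that what easy-rsa produced is consistent. The script below is an added example, not part of the original how-to and not code from OpenVPN or easy-rsa: it verifies each certificate against ca.crt, checks that each private key matches its certificate, that the server certificate carries nsCertType=server (the extension build-key-server adds and the client's ns-cert-type server line insists on) while the client certificate does not, that nothing expires within 30 days, and that key files are mode 0600. Function names such as check_openvpn_pki and make_demo_pki are mine; make_demo_pki builds a throwaway PKI with plain openssl, as a stand-in for the easy-rsa scripts, so the checks can be tried without them.

```shell
#!/bin/bash
# Added example, not part of the original how-to: sanity-check an easy-rsa
# keys/ directory before anything is copied to /etc/openvpn. File names follow
# the easy-rsa 2.0 layout used above (ca.crt, server.crt/.key, client1.crt/.key,
# ta.key). make_demo_pki builds a throwaway PKI with plain openssl as a stand-in
# for the easy-rsa scripts, so the checks can be exercised anywhere.
set -u

# 0 if the certificate chains to ca.crt (i.e. this CA actually signed it).
cert_signed_by_ca() {   # $1 = ca.crt  $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the private key belongs to the certificate (identical RSA modulus).
key_matches_cert() {    # $1 = certificate  $2 = private key
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate carries nsCertType=server, the extension build-key-server
# adds and the client's "ns-cert-type server" line checks.
cert_is_server_type() { # $1 = certificate
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# 0 if the certificate stays valid for at least $2 more seconds.
cert_not_expiring() {   # $1 = certificate  $2 = seconds
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# 0 if the file exists and only its owner can read it (mode 0600 or 0400).
key_is_private() {      # $1 = file
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Run every check; print one FAIL line per problem and return the failure count.
check_openvpn_pki() {   # $1 = keys directory  $2 = server name  $3 = client name
    d=$1; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    for name in "$2" "$3"; do
        cert_signed_by_ca "$d/ca.crt" "$d/$name.crt" || fail "$name.crt was not signed by ca.crt"
        key_matches_cert "$d/$name.crt" "$d/$name.key" || fail "$name.key does not match $name.crt"
        cert_not_expiring "$d/$name.crt" 2592000 || fail "$name.crt expires within 30 days"
        key_is_private "$d/$name.key" || fail "$name.key is readable by other users"
    done
    cert_is_server_type "$d/$2.crt" || fail "$2.crt lacks nsCertType=server; clients using ns-cert-type server will refuse it"
    if cert_is_server_type "$d/$3.crt"; then fail "$3.crt is marked as a server certificate and could impersonate the server"; fi
    [ -s "$d/ta.key" ] || fail "ta.key is missing or empty"
    return $fails
}

# Build a throwaway PKI in $1 (constructed test data; real keys come from
# ./build-ca, ./build-key-server, ./build-key and openvpn --genkey as above).
make_demo_pki() {       # $1 = directory
    d=$1; mkdir -p "$d"; umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Home CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    printf 'nsCertType=server\n' > "$d/server.ext"
    printf 'nsCertType=client\n' > "$d/client.ext"
    for name in server client1; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
    done
    openssl x509 -req -days 3650 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$d/client1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/client.ext" -out "$d/client1.crt" >/dev/null 2>&1
    openssl rand -hex 256 > "$d/ta.key"   # placeholder for the openvpn --genkey output
}

# Stand-alone use: ./check-pki.sh demo
#   or: ./check-pki.sh /etc/openvpn/easy-rsa/2.0/keys server client1
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d); make_demo_pki "$dir"
    check_openvpn_pki "$dir" server client1 && echo "demo PKI: all checks passed"
    rm -rf "$dir"
elif [ $# -eq 3 ]; then
    check_openvpn_pki "$1" "$2" "$3"
fi
```

The nsCertType check is the one that matters most for this setup: every client certificate is signed by the same CA as the server's, so without that extension (and the matching ns-cert-type server line on the client) any client could answer as the server to the others.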
Copy the sample server configuration file and configure as necessary. The relevant lines are shown below; keep the sample's persist-key and persist-tun lines as well, because with user nobody / group nobody the daemon can no longer re-read its keys or reopen the tun device on a restart, and OpenVPN warns at startup that restarts may fail without them

  • cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
tls-auth ta.key 0
dh dh1024.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
user nobody
group nobody
status openvpn-status.log
verb 3
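To catch the weak settings discussed above in the file itself rather than by eye, the following added example (mine, not part of the how-to and not an OpenVPN tool) audits a server.conf: it warns on a missing tls-auth, on user/group without persist-key and persist-tun, on 1024-bit DH parameters, and on missing ca/cert/key lines. The function names and both sample configurations in write_sample_configs are constructed for the example; the weak sample mirrors the excerpt above, the hardened one fixes those lines.

```shell
#!/bin/bash
# Added example, not part of the original how-to: audit an OpenVPN server.conf
# for the settings discussed above. The checks and both sample configs are
# constructed here; the weak sample mirrors the excerpt above (dh1024.pem, no
# persist-key/persist-tun), the hardened one has those lines fixed.
set -u

# 0 if directive $1 appears uncommented at the start of a line in config $2.
has_directive() {      # $1 = directive  $2 = config file
    grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$2"
}

# Print the first argument of directive $1 in config $2 (empty if absent).
directive_arg() {      # $1 = directive  $2 = config file
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Print one WARN line per finding and return the number of findings.
audit_server_conf() {  # $1 = server.conf
    f=$1; n=0
    warn() { echo "WARN: $*"; n=$((n + 1)); }
    has_directive tls-auth "$f" || warn "no tls-auth: anyone who can reach UDP 1194 can start a TLS handshake with the server"
    if has_directive user "$f" && has_directive group "$f"; then
        has_directive persist-key "$f" || warn "user/group set without persist-key: keys cannot be re-read after privileges are dropped, restarts may fail"
        has_directive persist-tun "$f" || warn "user/group set without persist-tun: tun device cannot be reopened after privileges are dropped, restarts may fail"
    else
        warn "daemon keeps root privileges after startup (add user nobody / group nobody)"
    fi
    dh=$(directive_arg dh "$f")
    case "$dh" in
        "")     warn "no dh directive: the TLS key exchange has no DH parameters" ;;
        *1024*) warn "dh $dh: 1024-bit DH parameters are too weak, rebuild with KEY_SIZE=2048" ;;
    esac
    for req in ca cert key; do
        has_directive "$req" "$f" || warn "no $req directive"
    done
    return $n
}

# Constructed sample configs: weak.conf as in the excerpt above, hardened.conf
# with 2048-bit DH parameters and the persist options restored.
write_sample_configs() {   # $1 = directory
    cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
tls-auth ta.key 0
dh dh1024.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
user nobody
group nobody
status openvpn-status.log
verb 3
EOF
    { sed 's/^dh dh1024\.pem$/dh dh2048.pem/' "$1/weak.conf"
      printf 'persist-key\npersist-tun\n'; } > "$1/hardened.conf"
}

# Stand-alone use: ./audit-ovpn.sh /etc/openvpn/server.conf   (or: demo)
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d); write_sample_configs "$dir"
    for c in weak hardened; do
        echo "== $c.conf"; audit_server_conf "$dir/$c.conf"
        echo "   findings: $?"
    done
    rm -rf "$dir"
elif [ $# -eq 1 ]; then
    audit_server_conf "$1"
fi
```

On the weak sample this reports three findings (persist-key, persist-tun and the 1024-bit DH file); the hardened sample reports none.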
Start OpenVPN
Start the OpenVPN service

  • service openvpn start
Install the Client
Download and install the latest Windows client with all default options.
Copy the following files from the easy-rsa keys directory on the server (/etc/openvpn/easy-rsa/2.0/keys) to
C:\Program Files (x86)\OpenVPN\config\
on the client, over a secure channel such as scp, since client1.key is that client's credential. (Note: The directory will be "C:\Program Files" on a 32-bit Windows client)
  • ca.crt
  • client1.crt
  • client1.key
  • ta.key
Create the client configuration file (the GUI picks up files with a .ovpn extension) in the same config directory as the keys. The ns-cert-type server line makes the client require the nsCertType=server extension that build-key-server put in the server certificate, so a client certificate issued by the same CA cannot be used to impersonate the server.
dev tun
proto udp
remote SERVER_DNS_OR_IP 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
verb 3
keepalive 10 120
route-method exe
route-delay 2
Run OpenVPN GUI (right click and choose "Run as administrator"; without elevation the GUI cannot add the routes the server pushes and the client will not connect properly)
Double click the OpenVPN GUI icon in the notification area of the taskbar to connect.

Hope you can start and connect to the VPN. Thanks