Easy-RSA is a script that simplifies the process of creating and managing a public key infrastructure (PKI) for OpenVPN. It helps you to generate certificates and keys for your OpenVPN server and clients, and to sign and revoke them as needed. Easy-RSA 3 is the latest version of the script, which has been rewritten from scratch and offers more features and flexibility than the previous versions.
In this article, we will show you how to install and configure OpenVPN server and client with Easy-RSA 3 on CentOS 7. We will use the certificate-based authentication method, which is more secure and reliable than the other methods. We will also show you how to enable port-forwarding and configure firewalld to allow OpenVPN traffic.
Prerequisites
Before you start, you will need:
A CentOS 7 server with root access.
A CentOS 7 client machine that you want to connect to the VPN server.
A domain name or a public IP address for your VPN server.
A text editor of your choice, such as vim or nano.
Step 1 - Install OpenVPN and Easy-RSA on the Server
The first step is to install OpenVPN and Easy-RSA on the CentOS 7 server. To do so, we will use the EPEL (Extra Packages for Enterprise Linux) repository, which provides additional packages that are not available in the default CentOS repositories.
To install the EPEL repository, run the following command:
sudo yum install epel-release
Then, update the system packages:
sudo yum update
Next, install OpenVPN and Easy-RSA with the following command:
sudo yum install openvpn easy-rsa
This will install OpenVPN 2.4.9 and Easy-RSA 3.0.8 on your server.
Step 2 - Configure Easy-RSA on the Server
The next step is to configure Easy-RSA on the server. Easy-RSA uses a file called vars to store the settings for your PKI, such as the country name, organization name, email address, etc. You need to edit this file according to your preferences before generating any certificates or keys.
To edit the vars file, go to the /usr/share/easy-rsa/3/ directory and make a copy of the vars.example file:
cd /usr/share/easy-rsa/3/
sudo cp vars.example vars
Then, open the vars file with your text editor:
sudo vim vars
You will see a lot of comments and examples in the file. You can delete them or leave them as they are. The important part is to set the values for the following variables:
EASYRSA_REQ_COUNTRY: The two-letter country code for your country.
EASYRSA_REQ_PROVINCE: The name of your state or province.
EASYRSA_REQ_CITY: The name of your city or locality.
EASYRSA_REQ_ORG: The name of your organization.
EASYRSA_REQ_EMAIL: The email address for your organization.
EASYRSA_REQ_OU: The name of your organizational unit.
For example, you can set them as follows:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "My VPN Company"
set_var EASYRSA_REQ_EMAIL "admin@myvpn.com"
set_var EASYRSA_REQ_OU "My VPN Department"
Save and close the file when you are done.
Step 3 - Build OpenVPN Keys on the Server
The third step is to build the OpenVPN keys on the server using Easy-RSA. You need to generate four things: a CA (Certificate Authority) key and certificate, a server key and certificate, a client key and certificate, and Diffie-Hellman parameters. You also need to generate a CRL (Certificate Revocation List) if you want to be able to revoke certificates later.
To generate these keys, follow these steps:
Initialize a new PKI environment with the following command:
sudo ./easyrsa init-pki
Create a CA key and certificate with the following command:
sudo ./easyrsa build-ca
You will be asked to enter a passphrase for your CA key. Choose a strong passphrase and remember it. You will also be asked to confirm the common name for your CA certificate. You can press ENTER to accept the default value or enter a different one.
Create a server key and certificate with the following command:
sudo ./easyrsa gen-req server nopass
This will generate an unencrypted server key and a certificate request file named server.req in the pki/private/ and pki/reqs/ directories respectively. The nopass option means that no passphrase will be required for using the server key. This is useful for automated VPN startup, but less secure than using an encrypted key.
Sign the server certificate request with the CA key with the following command:
sudo ./easyrsa sign-req server server
You will be asked to enter the passphrase for your CA key and confirm that you want to sign the request. This will generate a signed server certificate named server.crt in the pki/issued/ directory.
Create a client key and certificate with the following command:
sudo ./easyrsa gen-req client nopass
This will generate an unencrypted client key and a certificate request file named client.req in the pki/private/ and pki/reqs/ directories respectively. The nopass option means that no passphrase will be required for using the client key. This is useful for automated VPN startup, but less secure than using an encrypted key.
Sign the client certificate request with the CA key with the following command:
sudo ./easyrsa sign-req client client
You will be asked to enter the passphrase for your CA key and confirm that you want to sign the request. This will generate a signed client certificate named client.crt in the pki/issued/ directory.
Generate the Diffie-Hellman parameters with the following command:
sudo ./easyrsa gen-dh
This will generate a Diffie-Hellman parameters file named dh.pem in the pki/ directory. The server uses these parameters for the Diffie-Hellman key exchange that establishes session keys with OpenVPN peers. Generating them can take several minutes.
(Optional) Create a CRL with the following command:
sudo ./easyrsa gen-crl
This will generate a CRL file named crl.pem in the pki/ directory. It lists the certificates you have revoked with ./easyrsa revoke, so you need to run gen-crl again after each revocation and point the server at the updated file.
Step 4 - Configure OpenVPN on Server
The fourth step is to configure OpenVPN on the server. You need to create an OpenVPN configuration file that specifies how OpenVPN should operate, such as which port, protocol, cipher, compression, etc. to use. You also need to copy some of the keys that you generated in Step 3 to the /etc/openvpn directory.
To configure OpenVPN on the server, follow these steps:
1. Create an OpenVPN configuration file named /etc/openvpn/server.conf with the following content:
# Specify that this is an OpenVPN server
mode server
# Use tun device
dev tun
# Use UDP protocol
Step 5 - Enable Port-Forwarding and Configure Firewalld on Server
The fifth step is to enable port-forwarding and configure firewalld on the server. Port-forwarding allows OpenVPN to forward the traffic from the VPN clients to the internet, and vice versa. Firewalld is a firewall management tool that controls the network traffic on CentOS 7.
To enable port-forwarding, you need to edit the /etc/sysctl.conf file and add (or uncomment) the following line:
net.ipv4.ip_forward = 1
This will enable IP forwarding for IPv4 packets. Save and close the file when you are done.
Then, apply the changes with the following command:
sudo sysctl -p
To configure firewalld, you need to allow the OpenVPN port (1194 by default) and the UDP protocol in the public zone. You also need to add a masquerade rule to allow NAT (Network Address Translation) for the VPN clients.
To do so, run the following commands:
sudo firewall-cmd --add-service=openvpn --permanent
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload
This will apply the firewalld rules permanently and reload them.
Step 6 - OpenVPN Client Setup
The sixth step is to set up the OpenVPN client on your CentOS 7 machine that you want to connect to the VPN server. You need to install OpenVPN and copy some of the keys that you generated in Step 3 from the server to the client.
To install OpenVPN on the client, run the following command:
sudo yum install openvpn
This will install OpenVPN 2.4.9 on your client.
To copy the keys from the server to the client, you can use the scp (secure copy) command. You need to copy the following files from the /usr/share/easy-rsa/3/pki/ directory tree on the server (note that Easy-RSA stores issued certificates and private keys in subdirectories, as described in Step 3) to the /etc/openvpn/ directory on the client:
ca.crt: The CA certificate (pki/ca.crt).
client.crt: The client certificate (pki/issued/client.crt).
client.key: The client private key (pki/private/client.key).
To copy these files, run the following commands on the client:
sudo scp root@server_ip:/usr/share/easy-rsa/3/pki/ca.crt /etc/openvpn/
sudo scp root@server_ip:/usr/share/easy-rsa/3/pki/issued/client.crt /etc/openvpn/
sudo scp root@server_ip:/usr/share/easy-rsa/3/pki/private/client.key /etc/openvpn/
Replace server_ip with your VPN server's domain name or public IP address. You will be asked to enter the server's root password for each copy and, on the first connection, to confirm the server's host key. Because client.key is a private key, make sure it ends up readable only by root on the client.
Step 7 - Configure OpenVPN on Client
The final step is to configure OpenVPN on the client. You need to create an OpenVPN configuration file that specifies how OpenVPN should connect to the server, such as which port, protocol, cipher, compression, etc. to use. You also need to specify the location of the keys that you copied in Step 6.
Create an OpenVPN configuration file named /etc/openvpn/client.conf with the following content:
# Specify that this is an OpenVPN client
client
# Use tun device
dev tun
# Use UDP protocol
proto udp
# Use port 1194
port 1194
# Use AES-256-CBC cipher
cipher AES-256-CBC
# Use LZO compression
comp-lzo
# Act as the TLS client in the handshake (the server side uses tls-server)
tls-client
# Use certificate-based authentication
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
# Specify remote server address
remote server_ip
# Enable connection persistence
persist-key
persist-tun
# Enable logging
verb 3
log /var/log/openvpn.log
Replace server_ip with your VPN server's domain name or public IP address. Save and close the file when you are done.
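As an added example (not code from the article), the following Python linter parses the client.conf above and flags the hardening gaps a reviewer would raise on it: it does not set remote-cert-tls server, so any certificate signed by the CA, including another client's, would be accepted as the server; it enables comp-lzo; and it has no tls-auth or tls-crypt key. The sample input is the article's own client.conf with its comments removed, and harden_client_conf shows the corrected form.

```python
"""Added example: lint an OpenVPN client config for common hardening gaps."""
import re

# Constructed sample: the client.conf from this article, comments stripped.
SAMPLE_CLIENT_CONF = """\
client
proto udp
port 1194
cipher AES-256-CBC
comp-lzo
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
remote server_ip
"""
COMPRESS_ALGOS = {"lzo", "lz4", "lz4-v2"}

def parse_openvpn_conf(text):
    """Map each directive to the argument lists it was given ('#'/';' comments dropped).
    Inline <ca>..</ca> blocks are not handled; the article uses file paths."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def lint_client_conf(text):
    """Return (severity, directive, message) findings; an empty list means clean."""
    o, findings = parse_openvpn_conf(text), []
    if not any(a[:1] == ["server"] for a in o.get("remote-cert-tls", [])):
        findings.append(("high", "remote-cert-tls", "absent: any certificate signed by the CA, "
                         "including another client's, is accepted as the server"))
    if any(a[:1] != ["no"] for a in o.get("comp-lzo", [])) or \
       any(a[:1] and a[0] in COMPRESS_ALGOS for a in o.get("compress", [])):
        findings.append(("medium", "compression", "enabled: compressing plaintext before "
                         "encryption leaks secrets through packet length (VORACLE); remove it"))
    if "tls-auth" not in o and "tls-crypt" not in o:
        findings.append(("medium", "tls-auth/tls-crypt", "absent: control channel lacks the "
                         "pre-shared HMAC key that lets the server drop unauthenticated handshakes"))
    return findings

def harden_client_conf(text):
    """Drop compression directives and add 'remote-cert-tls server' if it is missing."""
    kept = [l for l in text.splitlines() if not re.match(r"\s*(comp-lzo|compress)\b", l)]
    if not any(re.match(r"\s*remote-cert-tls\s+server\b", l) for l in kept):
        kept.append("remote-cert-tls server")
    return "\n".join(kept) + "\n"
```

Running lint_client_conf on the hardened output leaves only the tls-auth/tls-crypt finding, which needs a key generated on the server (openvpn --genkey) and copied to the client alongside the certificates.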
Conclusion
In this article, we have learned how to install and configure OpenVPN server and client with Easy-RSA 3 on CentOS 7. We have also learned how to enable port-forwarding and configure firewalld to allow OpenVPN traffic. We have shown you how to generate and manage certificates and keys for your OpenVPN server and clients using Easy-RSA 3. We have also shown you how to connect to the OpenVPN server from your CentOS 7 client machine.
OpenVPN is a powerful and versatile tool that can help you create a secure and private network over the public internet. It can be used for various purposes, such as remote access, site-to-site VPN, and bypassing censorship. Easy-RSA 3 is a script that simplifies the process of creating and managing a PKI for OpenVPN. It can help you to generate certificates and keys for your OpenVPN server and clients, and to sign and revoke them as needed.
We hope that this article has been helpful for you. If you have any questions or feedback, please feel free to leave a comment below.