Setting up an OpenVPN server with CentOS and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server will allow you to encrypt everything you do on the internet, so that you can safely do your online banking on the free WiFi at your favourite cafe. Anything you send over the VPN connection will be encrypted from your device until it reaches your OpenVPN server at home. Setting up your OpenVPN server to access your home or office network gives you full access to all your files on your network.
This guide will walk you through the steps involved in setting up an OpenVPN server on a CentOS host that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
Preparation
For this guide, we assume:
- You have already installed the latest version of CentOS 7. Please refer to our Red Hat Guide For CentOS 8.
- You have root access to this installation
- You know the name of your network interfaces (instructions just below)
- This installation of CentOS is a fresh install
- You already have a copy of Viscosity installed on your client device
If you need to download and install a copy of CentOS, a copy can be found at https://www.centos.org/download/. We won't be covering the details of setting up a CentOS instance; many guides can be found online. If you are running a different version of CentOS, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to set up an OpenVPN server on a different operating system, please check out our other guides.
If you don't have a copy of Viscosity already installed on your client, then please check out this setup guide for installing Viscosity (Mac | Windows).
To get the name of your Primary Network Interface (WAN Access), run the following on your CentOS Server:
ip route | grep default | awk 'NR==1 {print $(NF-4)}'
If you have a second network interface for accessing machines on your local network, you will need the name of this as well when setting up the firewall and routing.
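As an added example (not part of the original guide), here is a shell function that finds the default-route interface by looking for the dev keyword rather than counting fields from the end, so it keeps working on hosts whose ip route output omits the proto and metric fields. The sample route tables are constructed for offline checking, and the guide's own one-liner is included as field_count_iface for comparison.

```shell
# Added example, not from the original guide. Finds the interface carrying the
# default route by locating the "dev" keyword instead of counting fields from
# the end, so it also works when "proto"/"metric" are absent.
# On the server: ip route | default_iface
default_iface() {
    awk '$1 == "default" {
        for (i = 1; i < NF; i++)
            if ($i == "dev") { print $(i + 1); exit }
    }'
}

# The guide's own one-liner, kept here for comparison: it assumes the default
# route line always ends with "proto <x> metric <n>".
field_count_iface() {
    grep default | awk 'NR==1 {print $(NF-4)}'
}

# Constructed sample "ip route" outputs for offline testing.
SAMPLE_ROUTES_FULL='default via 192.168.0.1 dev ens33 proto static metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.20'

SAMPLE_ROUTES_SHORT='default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20'

# Run with the argument "demo" to compare both methods on both samples.
if [ "${1:-}" = "demo" ]; then
    for routes in "$SAMPLE_ROUTES_FULL" "$SAMPLE_ROUTES_SHORT"; do
        echo "default_iface:     $(printf '%s\n' "$routes" | default_iface)"
        echo "field_count_iface: $(printf '%s\n' "$routes" | field_count_iface)"
    done
fi
```

On the short sample the field-counting version prints the word default instead of an interface name, which is the failure mode the keyword search avoids.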
Support
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
For further information or help with CentOS, check out the community forums at https://www.centos.org/forums/
Accessing the Command Line Interface
The steps outlined in this guide are performed via the command line interface (i.e. terminal) on your CentOS server. If you are running this server remotely, you will need to use the SSH application to connect securely between your client device and the server (to "SSH into" your server). If you are setting up your OpenVPN server on a virtual private server (VPS), you may only be familiar with the web interface. Many VPS suppliers provide SSH access in addition to the web interface. Please consult your VPS provider for details.
If you're new to SSH, we have some instructions in our Introduction Guide.
CentOS Desktop
If you have local access to your CentOS server, then you can perform the steps of this guide directly, without SSHing in to the server. The steps need to be performed in a terminal window, so the first step is to open a terminal window in CentOS with root access. From the desktop, open the terminal app by clicking on the “Applications” drop down at the top left and selecting "Terminal" from the Favorites list. This opens a terminal window from which we can continue the rest of the setup.
Now that you have access to the terminal on the CentOS server, you need to change the user to root. Type into the terminal window:
su root
then enter the root password when prompted. You will see that you are now logged in to the root account.
Getting Started
Once logged in to root, we need to ensure that CentOS's repository list is up to date by typing the following:
yum update -y
This will run through and update the preinstalled packages. If any updates are found, you will be asked if you want to continue. Confirm that you do by entering y. You may be informed that you need to restart after the package upgrades complete. If so, make sure to log back in to the terminal as root after restarting.
Next we will need to install EPEL (Extra Packages for Enterprise Linux), as this contains the OpenVPN package.
yum install epel-release -y
Now that we have the extended packages we can go ahead and install OpenVPN. Type the following into the terminal:
yum install openvpn -y
Generating Configurations, Certificates and Keys
The next step is to generate your configurations for the server and your clients as well as certificates to go with them. You can do this easily by following the Creating Certificates and Keys Guide. You can either follow the section for Linux using the CentOS 7 RPM installer and copy your client configurations off the server (we recommend this), or generate everything on your PC or Mac and copy the server folder that is generated onto your CentOS server.
If you use the default DNS Server (10.8.0.1), you will need to set up a DNS server yourself; instructions are at the end of this article. We recommend instead using an existing DNS server; a publicly available DNS server like Google's (8.8.8.8 and 8.8.4.4) is the easiest.
Once you have generated your Configurations, you will need to transfer the server configuration to your server, or transfer your client configurations off your server. If you have local access, a USB drive is the easiest. If not, we have some help on how to transfer files with SCP in our Introduction Guide.
IP Forwarding
In order to forward our requests passing through the VPN, we want the OpenVPN server to act like a router. As such, we need to enable IP forwarding.
- In the terminal, we can enable IP forwarding on the CentOS server by entering:
echo 1 > /proc/sys/net/ipv4/ip_forward
- To ensure that hosts on the home/office network can find the VPN server, we need to make the server respond to any ARP requests:
echo 1 > /proc/sys/net/ipv4/conf/ens33/proxy_arp
where ens33 is the network interface of the home/office network if you have two network interfaces, or your Primary Network Interface (WAN) otherwise (see the Preparation section for more information).
- Every time we reboot the server, these commands will be undone. To ensure that doesn't happen, we need to modify the sysctl.conf file:
nano /etc/sysctl.conf
- Add the following lines to the bottom of this file:
net.ipv4.ip_forward = 1
net.ipv4.conf.ens33.proxy_arp = 1
- Press ctrl+x to exit nano. Save the changes when prompted.
- To enable the changes made to the sysctl.conf file, type:
sysctl -p /etc/sysctl.conf
DNS Server
If you are planning on encrypting all network traffic through your VPN server then it is recommended to enable your own DNS server.
- To install the DNS server, type:
yum install bind bind-utils bind-libs bind-chroot
- To set up the forwarding rules for our DNS server, we will modify the configuration file:
nano /etc/named.conf
- At the top you will see a braced collection of instructions labelled options. Insert the following two lines at the bottom of the list of options:
forwarders {8.8.8.8;8.8.4.4;}; #IP of upstream nameservers
forward only; #rely completely on our upstream nameservers
where we are using the Google DNS servers (you are free to use your DNS resolution service of choice).
- Add the VPN subnet (10.8.0.0/24) to the listen-on and allow-query parameters at the top of the options so that they now look like:
...
listen-on port 53 { 10.8.0.0/24;127.0.0.1; };
...
allow-query {10.8.0.0/24;localhost; };
...
- Press ctrl+x to exit nano. Save the changes when prompted.
- Set the conf file permissions to 644:
chmod 644 /etc/named.conf
As this conf file is sensitive to errors, we can check it by typing:
named-checkconf /etc/named.conf
If your configuration file contains no errors, this command will return nothing.
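named-checkconf only validates syntax; it will happily accept a resolver that answers any host on the internet. As an added example (not part of the original guide), the shell function below reads a named.conf and fails if listen-on or allow-query contains any, or if no forwarders block is present; the two sample configurations are constructed, one matching the guide's settings and one left open.

```shell
# Added example, not from the original guide. Checks that the resolver set up
# above is restricted to the VPN subnet and localhost rather than open to the
# internet. Returns 0 when every check passes, 1 otherwise, printing one line
# per failure on stderr.
check_named_conf() {
    conf="$1"
    status=0
    # drop // and # comments before inspecting the directives
    body=$(sed -e 's@//.*$@@' -e 's/#.*$//' "$conf")
    for directive in listen-on allow-query; do
        if printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$directive[^;]*\{[^}]*[[:space:]{]any[[:space:];]"; then
            echo "$conf: $directive allows any host; restrict it to the VPN subnet and localhost" >&2
            status=1
        fi
    done
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*forwarders[[:space:]]*\{'; then
        echo "$conf: no forwarders block found" >&2
        status=1
    fi
    return $status
}

# Constructed sample options blocks: one as the guide configures it, one open.
SAMPLE_GOOD='options {
    listen-on port 53 { 10.8.0.0/24; 127.0.0.1; };
    allow-query { 10.8.0.0/24; localhost; };
    forwarders { 8.8.8.8; 8.8.4.4; };  # upstream nameservers
    forward only;
};'
SAMPLE_BAD='options {
    listen-on port 53 { any; };
    allow-query     { any; };
    recursion yes;
};'
```

On the server, run check_named_conf /etc/named.conf after named-checkconf; a non-zero exit means the resolver would be reachable from beyond the VPN.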
- Open the list of nameservers:
nano /etc/resolv.conf
- Set the server resolver to point to itself:
nameserver 127.0.0.1
- Press ctrl+x to exit nano. Save the changes when prompted.
- If your CentOS server gets its address from a router running a DHCP service, you need to ensure that the resolv.conf file does not get overwritten on DHCP lease renewal. Type:
nano /etc/sysconfig/network-scripts/ifcfg-ens33
Replace ens33 with the name of your Primary Network Interface if it is different (see the Preparation section for more information).
- Ensure that the following three parameters are set:
BOOTPROTO=dhcp
PEERDNS=no
TYPE=Ethernet
- Press ctrl+x to exit nano. Save the changes when prompted.
- To start the DNS server, type:
systemctl start named
- Enable DNS server auto start on system boot:
systemctl enable named
That's it, the DNS server is now set up.
Firewall Rules
We will use firewalld, the firewall installed by default on CentOS. If you are installing OpenVPN on a server that already has its own firewall setup, make sure to add the rules to allow our OpenVPN traffic. However, if this is just a simple standalone CentOS server, the firewall settings below should be enough to get your OpenVPN server up and running.
- Allow the openvpn service:
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --add-service=openvpn
- Set the OpenVPN server to provide masquerade:
firewall-cmd --permanent --add-masquerade
firewall-cmd --add-masquerade
- Allow the OpenVPN port (1194):
firewall-cmd --permanent --add-port=1194/udp
- Restart the firewall with these new settings:
firewall-cmd --reload
Starting the OpenVPN Server
At this point the basics are complete. Your server configuration and files should be on your server copied from where you generated them.
First, copy the server configuration files to the OpenVPN directory:
sudo cp /path/to/configs/server/* /etc/openvpn/
Now start your server, and enable it to start after a reboot as well.
systemctl -f enable openvpn@server
systemctl start openvpn@server
To check the server status, enter:
systemctl -l status openvpn@server
To which it should reply with the status and in green you should see:
...
Active: active (running)
...
Your OpenVPN server is now up and running and ready for you to connect to it.
Router Setup
If your CentOS server is directly accessible, then you can skip this section. There is no router to configure.
However if your CentOS server is behind a router (such as on your home WiFi), then you will need to configure your router to permit VPN traffic. Due to the many different models of router and network configurations, we cannot provide a step by step guide on how to set up your router to allow VPN traffic. However there are a few settings you are likely to need to change, so we will outline them here.
As the router will be directing all traffic to and from your OpenVPN server, you will need to set up port forwarding so that the OpenVPN server is externally accessible. Port forwarding may be under the section in your router management interface named 'Virtual Servers'. In general, you will want to forward any traffic incoming to the router on the OpenVPN port (1194). You will need to set up a rule to send any UDP traffic on this port to the local IP address of your OpenVPN server (which is probably something in the range 192.168.0.x).
If you have set up port forwarding please also make a note of your external WAN IP address. This is the IP address assigned to your router by your Internet Service Provider (ISP). This address will be needed when configuring your connection in Viscosity below.
The other main router setting you will need to consider is static routing. Because you will have a VPN set up, there will be traffic sent to your router with a source or destination IP in the range 10.8.0.x. This traffic will need to have static routing in place to ensure that when a host receives a request from the VPN client (on the 10.8.0.x subnet) and sends a response to that address, the router knows how to reach the 10.8.0.x address via the OpenVPN server (i.e. 192.168.0.x). Thus you will need to set up a static routing rule that has the following properties:
Destination: 10.8.0.0
Subnet mask: 255.255.255.0
Default gateway: your-server-IP
where your-server-IP is the IP address of your OpenVPN server on the local network (something in the range 192.168.0.x).
Setting Up Viscosity
The final step is to set up Viscosity. Thanks to openvpn-generate, this is as easy as importing and connecting.
Importing
Copy your *.visz file you created with openvpn-generate to your Mac or Windows machine with Viscosity installed and double click the file. You should see a prompt that the config was imported successfully.
Connecting and Using Your VPN Connection
You are now ready to connect. Click on the Viscosity icon in the macOS menu bar or Windows system tray to open the Viscosity Menu, select the connection you imported, and Viscosity will connect.
To check that the VPN is up and running, you can open the Details window from the Viscosity Menu. This will allow you to view connection details, traffic and the OpenVPN log.
That's it, you've set up your very own OpenVPN server. Congratulations, you are now free to enjoy the benefits of operating your own OpenVPN server!