How to install OpenVPN server and client with Easy-RSA 3 on CentOS 8

How to install OpenVPN server and client with Easy-RSA 3 on CentOS 8

OpenVPN is an open source application that lets you create a secure private network over the public Internet. OpenVPN implements a virtual private network (VPN) to create a secure connection. OpenVPN uses the OpenSSL library to provide encryption. It provides multiple authentication mechanisms, such as certificate-based authentication, pre-shared keys, and username / password authentication.

In this tutorial, we will show you how to install and configure OpenVPN step by step on a CentOS 8 server. We will implement certificate-based OpenVPN authentication.


  • CentOS 8 server
  • Root privilege

What are we going to do?

  • Install OpenVPN and Easy-RSA
  • Configure Easy-RSA 3 Var
  • Constructing an OpenVPN key
  • Configure OpenVPN server
  • Configure firewall and enable port forwarding
  • Client settings
  • testing

Step 1-install OpenVPN and Easy-RSA

First, we will add the EPEL (Extra Package for Enterprise Linux) repository and install the latest OpenVPN package, then download the easy-rsa script to the CentOS 8 system.

Use the following dnf command to install the EPEL repository.

dnf install epel-release

After that, install the latest OpenVPN software package 2.4.7.

dnf install openvpn

After the installation is complete, go to “/ etc / openvpn” and use the wget command below to download the easy-rsa script.

cd /etc/openvpn/wget

Now unzip the “EasyRSA-unix-v3.0.6.tgz” file and rename the directory to “easy-rsa”.

tar -xf EasyRSA-unix-v3.0.6.tgzmv EasyRSA-v3.0.6/ easy-rsa/; rm -f EasyRSA-unix-v3.0.6.tgz

OpenVPN software package and easy-rsa script have been installed on CentOS 8 system.

Step 2-configure Easy-RSA 3

In this step, we will configure easy-rsa 3 by creating a new “vars” file. The “vars” file contains Easy-RSA 3 settings.

Go to the “/ etc / openvpn / easy-rsa /” directory and use the vim editor to create a new vars script.

cd /etc/openvpn/easy-rsa/vim vars

Paste the vars easy-rsa 3 configuration below.

set_var EASYRSA                 "$PWD"set_var EASYRSA_PKI             "$EASYRSA/pki"set_var EASYRSA_DN              "cn_only"set_var EASYRSA_REQ_COUNTRY     "ID"set_var EASYRSA_REQ_PROVINCE    "Jakarta"set_var EASYRSA_REQ_CITY        "Jakarta"set_var EASYRSA_REQ_ORG         "hakase-labs CERTIFICATE AUTHORITY"set_var EASYRSA_REQ_EMAIL       "[email protected]"set_var EASYRSA_REQ_OU          "HAKASE-LABS EASY CA"set_var EASYRSA_KEY_SIZE        2048set_var EASYRSA_ALGO            rsaset_var EASYRSA_CA_EXPIRE       7500set_var EASYRSA_CERT_EXPIRE     365set_var EASYRSA_NS_SUPPORT      "no"set_var EASYRSA_NS_COMMENT      "HAKASE-LABS CERTIFICATE AUTHORITY"set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"set_var EASYRSA_DIGEST          "sha256"

Save and exit.


  • Change the value of the variable as needed.
  • Increase “EASYRSA_KEY_SIZE” to improve security.

Now make the “vars” file executable by changing the permissions of the file.

chmod +x vars

easy-rsa 3 configuration is complete.

Configure Easy-RSA 3

Step 3-build the OpenVPN key

In this step, we will build an OpenVPN key based on the easy-rsa 3 ‘vars’ file we created. We will build CA keys, server and client keys, DH and CRL PEM files.

We will build all these keys using the “easiersa” command line. Go to the “/ etc / openvpn / easy-rsa /” directory.

cd /etc/openvpn/easy-rsa/3/

-Initialize and establish CA

Before building the server and client keys, we need to initialize the PKI (Public Key Infrastructure) directory and build the CA key.

Use the following command to initialize the PKI directory and build the CA key.

./easyrsa init-pki./easyrsa build-ca

Now enter the password for your CA key and you will get the ‘ca.crt’ and ‘ca.key’ files in the ‘pki’ directory.

Constructing an OpenVPN key

-Build server key

Now we are going to build the server key, then we will build a server key named “hakase-server”.

Use the following command to build the server key “hakase-server”.

./easyrsa gen-req hakase-server nopass

Building the server key


  • nopass = option to disable the password for the “hakase-server” key.

And use our CA certificate to sign the “hakase-server” key.

./easyrsa sign-req server hakase-server

You will be asked to enter your “CA” password, enter your password, and press Enter. You will get the “hakase-server.crt” certificate file under the “pki / issued /” directory.

easyrsa login requirements

Use OpenSSL commands to verify the certificate file and make sure there are no errors.

openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt

All server certificate keys have been created. The server private key is located at “pki / private / hakase-server.key” and the server certificate is located at “pki / issued / hakase-server.crt”.

Private key

-Create customer key

Now we need to build the key for the client. We will generate a new client key named “client01”.

Use the following command to generate the “client01” key.

./easyrsa gen-req client01 nopass

Create customer key

Now, use our CA certificate to sign the “client01” key as shown below.

./easyrsa sign-req client client01

Type “Yes” to confirm the client certificate request, and then type the CA password.

easyrsa login request client client01

A client certificate named “client01” has been generated. Use the openssl command to verify the client certificate.

openssl verify -CAfile pki/ca.crt pki/issued/client01.crt

Make sure there are no errors.

Verify CA file

-Establish Diffie-Hellman key

Diffie-Hellman keys are required for increased security. We will generate a “2048” DH key based on the “vars” profile created at the top.

Use the following command to generate a Diffie-Hellman key.

./easyrsa gen-dh

The DH key has been generated and is located in the “pki” directory.

Generate Diffie-Hellman keys

-Optional: Generate CRL key

CRL (Certificate Revocation List) keys will be used to revoke client keys. If you have client certificates for multiple clients on your VPN server and you want to delete someone’s key, you can simply undo the operation using the easy-rsa command.

If you want to undo some keys, run the following command.

./easyrsa revoke someone

A CRL key is then generated.

./easyrsa gen-crl

The CRL PEM file has been generated under the “pki” directory-here is an example on my server.

Generate CRL keys

-Copy the certificate file

All certificates have been generated, now copy the certificate file and the PEM file.

Copy the server key and certificate.

cp pki/ca.crt /etc/openvpn/server/cp pki/issued/hakase-server.crt /etc/openvpn/server/cp pki/private/hakase-server.key /etc/openvpn/server/

Copy the client01 key and certificate.

cp pki/ca.crt /etc/openvpn/client/cp pki/issued/client01.crt /etc/openvpn/client/cp pki/private/client01.key /etc/openvpn/client/

Copy the DH and CRL keys.

cp pki/dh.pem /etc/openvpn/server/cp pki/crl.pem /etc/openvpn/server/

All certificates for the server and client have been copied to each directory.

Copy the certificate file

Step 4-configure OpenVPN

In this step, we will create a new configuration ‘server.conf’ for the OpenVPN server.

Go to the “/ etc / openvpn / server /” directory and use vim to create a new configuration file “server.conf”.

cd /etc/openvpn/server/vim server.conf

Paste the following OpenVPN server configuration here.

# OpenVPN Port, Protocol, and the Tunport 1194proto udpdev tun# OpenVPN Server Certificate - CA, server key and certificateca /etc/openvpn/server/ca.crtcert /etc/openvpn/server/hakase-server.crtkey /etc/openvpn/server/hakase-server.key#DH and CRL keydh /etc/openvpn/server/dh.pemcrl-verify /etc/openvpn/server/crl.pem# Network Configuration - Internal network# Redirect all Connection through OpenVPN Serverserver "redirect-gateway def1"# Using the DNS from https://dns.watchpush "dhcp-option DNS"push "dhcp-option DNS"#Enable multiple clients to connect with the same certificate keyduplicate-cn# TLS Securitycipher AES-256-CBCtls-version-min 1.2tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256auth SHA512auth-nocache# Other Configurationkeepalive 20 60persist-keypersist-tuncompress lz4daemonuser nobodygroup nobody# OpenVPN Loglog-append /var/log/openvpn.logverb 3

Save and exit.

An OpenVPN server configuration has been created.

Step 5-enable port forwarding and configure routing in firewalld

In this step, we will enable the port forwarding kernel module and configure the routing “firewall” for OpenVPN.

Enable the port forwarding kernel module by running the following command.

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.confsysctl -p

Next, configure routing using Firewalld for OpenVPN.

Enable port forwarding and configure routing in Firewalld

Add the OpenVPN service to the “Public” and “Trusted” firewall zones.

firewall-cmd --permanent --add-service=openvpnfirewall-cmd --permanent --zone=trusted --add-service=openvpn

After that, add “tun0” to the “Trusted” zone.

firewall-cmd --permanent --zone=trusted --add-interface=tun0

MASQUERADE is now enabled in the default Public area.

firewall-cmd --permanent --add-masquerade

Enable NAT for OpenVPN internal IP address “” to external IP address “SERVERIP”.

SERVERIP=$(ip route get | awk 'NR==1 {print $(NF-2)}')firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s -o $SERVERIP -j MASQUERADE

And reload firewalld.

firewall-cmd --reload

Reload firewall

Port forwarding and firewall routing configuration has been completed. Start the OpenVPN service and make it automatically start every time the system boots.

systemctl start [email protected]systemctl enable [email protected]

Start openvpn

After that, check the OpenVPN service using the following command.

netstat -plntusystemctl status [email protected]

You will get the following results.

OpenVPN successfully launched

As a result, the OpenVPN service has been started and is running on the UDP protocol using the default port “1194”.

Step 6-OpenVPN client setup

Go to the “/ etc / openvpn / client” directory and use vim to create a new openvpn client configuration file “client01.ovpn”.

cd /etc/openvpn/clientvim client01.ovpn

Paste the following OpenVPN client configuration here.

clientdev tunproto udpremote 1194ca ca.crtcert client01.crtkey client01.keycipher AES-256-CBCauth SHA512auth-nocachetls-version-min 1.2tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256resolv-retry infinitecompress lz4nobindpersist-keypersist-tunmute-replay-warningsverb 3

Save and exit.

Now compress the “/ etc / openvpn / client” directory into a “zip” or “tar.gz” file and use SCP to download the compressed file from your local computer.

Zip the “/ etc / openvpn / client” directory to a “client01.tar.gz” file.

cd /etc/openvpn/tar -czvf client01.tar.gz client/*

OpenVPN client settings

Now you can download the compressed OpenVPN file using FTP server or scp command as shown below.

scp [email protected]:/etc/openvpn/client01.tar.gz .

Step 7-connect to OpenVPN

Tested on the client.

-On Linux

Install OpenVPN software package. If you need GUI configuration, please install OpenVPN network-manager.

sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome -y

If you want to connect using a terminal shell, run the OpenVPN command below.

openvpn --config client01.ovpn

When connecting to OpenVPN, open a new terminal tab and check the connection using the curl command.


You will then get the OpenVPN server IP address.

-On Mac OS

Download and install it.

Extract the “client01.tar.gz” file and rename the “client” directory to “client01.tblk”.

tar -xzvf client01.tar.gzmv client client01.tblk

Double-click “client01.tblk” and Tunnelblick will automatically detect the OpenVPN configuration and then import it.

Now connect via Tunnelblick on the top bar.

-On Windows

Download the openvpn client for Windows and import the configuration.