A VPN is also required to access your corporate, enterprise or home server resources. You can bypass geo-blocked sites and increase your privacy and safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN server on a CentOS Linux 7 server. Procedure: CentOS 7 Set Up OpenVPN Server In 5 Minutes.
- On CentOS 8, you need to enable the EPEL repository in order to install the client: run sudo dnf install epel-release and then sudo dnf install openconnect. Then you can connect to the VPN server from the command line as shown below; the -b flag makes it run in the background after the connection is established.
- Run AUTOINSTALL=y ./openvpn-install.sh, or export AUTOINSTALL=y and then run ./openvpn-install.sh. A default set of variables will then be used, bypassing the need for user input. If you want to customise your installation, you can export the variables or specify them on the same line, as shown above.
Run Your Own OpenVPN Server
This article explains how to run your own OpenVPN server. We will set up one Certificate Authority server and an OpenVPN server. We will also generate certificates for the clients, and learn how to manage revocation of client certificates using the Ansible roles.
Use the Ansible roles gavika.openvpn and gavika.easy_rsa to install and configure your OpenVPN server.
You can install the OpenVPN server on any public cloud or hosting provider, or on on-premise servers. The Ansible roles are designed to install the OpenVPN server and a Certificate Authority server.
At the moment these Ansible roles support Ubuntu 18.04 and
System Architecture And Requirements
In order to run your OpenVPN server via these Ansible roles, you will need three machines:
- Controller machine. This is the machine from which you execute the Ansible playbooks. It could be your laptop or a machine in the cloud. You will designate a directory on this machine as a temporary pool of files.
- Certificate Authority server. You will create your own CA machine that signs the certificate requests. You will need SSH access to this machine from the controller machine. You only need to turn this server on when required. It is recommended to shut down the CA server when not in use to improve security; it also saves cost.
- OpenVPN server. You will create your OpenVPN server on this machine. You will need SSH access to this machine from the controller machine. You will also need to ensure that UDP port 1194 is open on this machine. The Ansible playbook takes care of enabling the port on the machine itself. You are responsible for opening the ports on the network firewall (such as AWS Security Groups, or an on-premise hardware or software firewall). You will have to adjust your network firewalls too in case you change the defaults in the Ansible playbook or inventory.
In addition to SSH access, the servers require a user with administrative privileges via sudo. Typically, cloud images of servers provide such user accounts. On AWS, for the Ubuntu images, the user is typically called ubuntu. On CentOS the user is typically called centos. If you do not have such a username, create one. There's an Ansible role to create administrative user accounts too.
Once you have provisioned the servers, proceed to create the Ansible playbooks.
Installing The Ansible Roles
Our roles require Ansible 2.8 or higher. Ensure that the required version of Ansible is installed. If not, follow the instructions to install Ansible.
Create a directory to store the playbooks and inventory.
I create a directory called my-openvpn-server-orchestration. You can name it whatever you want.
Next step is to install the Ansible roles from Ansible Galaxy.
If your target OS is CentOS, install the centos_base role too:
Preparing Ansible Inventory
Create the file inventory.yml and add the following contents:
I prefer to use a YAML formatted Ansible inventory file. Your mileage may vary. If you are using the INI format for your inventory file, make sure to port the contents to that format as required.
dev-ca-01.example.com is our CA server and dev-vpn-01.example.com is our OpenVPN server. We are specifying the IP addresses of these hosts in case DNS is not set up yet. If DNS resolves to the correct IP addresses, you can remove the ansible_host key. Specifying ansible_host is especially useful in test environments where there is no proper DNS system.
In this example we are using Ubuntu 18.04 for both the CA and OpenVPN servers. Ansible connects to these servers with the username ubuntu. We also tell Ansible to use the Python interpreter at /usr/bin/python3. If Python 2 is installed on the servers, you don't have to mention the interpreter path. We also mention in our inventory that Ansible should use
If your OS has another administrator user, adjust the value of ansible_user. If the target host has Python 2 installed, remove the key ansible_python_interpreter from your inventory.
Notice that the IP address of the OpenVPN server is mentioned in both ansible_host and openvpn_server_ip_address. ansible_host is used by Ansible to connect to the server via SSH. openvpn_server_ip_address is used to generate the client certificate.
Preparing The OpenVPN Server
Create the file openvpn-server.yml with the following contents if your target host is Ubuntu 18.04:
If your target host is CentOS, ensure EPEL is enabled and edit your openvpn-server.yml like below:
We are specifying that we want to create two client users, johndoe and janedoe. We also specify the variables for the EasyRSA Public Key Infrastructure. On the OpenVPN server, we will also set up a PKI, but not in CA mode. We use the PKI on this server to generate certificate requests and to store the client configurations. Certificate signing is done on the CA server.
The value true causes the generated client configurations to be copied to the local pool. We also ensure that easy_rsa_local_pool_directory is set to the same value as in our CA playbook.
In this playbook, we are executing two roles: gavika.easy_rsa to set up the PKI and gavika.openvpn to set up the OpenVPN server.
Run the playbook:
At this point, you should see the file server.req in the path /tmp/ca_openvpn_pool_example/server/ in the local pool. You should also see johndoe.req in /tmp/ca_openvpn_pool_example/client/ in the local pool.
Preparing The CA Server
Create the file ca-server.yml:
We want to run the playbook on the hosts group ca_server. This is exactly what we have in our inventory. The vars section has a series of variables used in the certificates. Adjust them to your liking. Some files have to be transferred between the CA server and the OpenVPN server. For this purpose, we use a directory on the controller machine (the machine on which you execute the Ansible playbooks, probably your laptop, a bastion host or a management host). In our example we use /tmp/ca_openvpn_pool_example as the pool. You are free to choose a different directory.
The value true makes this server a Certificate Authority.
Just like we did for the OpenVPN playbook, adjust the CA playbook for CentOS 7:
Execute the playbook:
/path/to/my/private/key is your SSH private key used to connect to the CA server.
If the playbook ran successfully, your CA server is set up. At this point you should see the file
The certificate signing request for the server, server.req, will be uploaded to the CA server. The CA server imports the request and signs it. The signed certificate will be copied to the local pool. You should be able to see it in /tmp/ca_openvpn_pool_example/issued/server/ in the local pool.
Run the openvpn-server.yml playbook again:
The openvpn service will be started. The playbook execution will also copy the generated client configuration files into the local pool.
Connect To The OpenVPN Server
The gavika.openvpn role generates three files for each user:
- <clientname>.ovpn: general purpose client configuration file
- <clientname>-el.ovpn: use this on clients of the EL family such as RHEL, CentOS and Fedora.
- <clientname>-update-resolv.ovpn: use this for clients that have an update-resolv.conf file.
Install the openvpn package on the client machine:
Example command to connect to the OpenVPN server on a Fedora client:
Example command to connect to the OpenVPN server on an Ubuntu client:
If you see a message like:
then you have connected successfully. Try browsing the Internet from your browser. Or just check your Internet routed IP address from the command line:
The output should show your OpenVPN server's IP address.
If you want to revoke access for a client, edit your ca-server.yml playbook and include the list of clients to be revoked:
In this example, we are revoking the certificate of the client janedoe. The next step is to run the CA playbook:
When the playbook finishes executing, you should see the CRL file in the /tmp/ca_openvpn_pool_example/crl/ directory of the local pool.
Next, we run the OpenVPN playbook to update the Certificate Revocation List:
After the playbook executes successfully, the client janedoe won't be able to connect to the OpenVPN server.
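As an added illustration of what the CA, signing and revocation steps above produce (this is a constructed example, not the article's playbooks or the gavika roles, which drive easy-rsa rather than openssl directly), the following script builds a throwaway CA in a temporary directory, signs requests for johndoe and janedoe, revokes janedoe, generates a CRL, and runs the chain-plus-CRL check the OpenVPN server performs once the updated CRL is installed. All file names and the CA subject are constructed for the demo; it needs only the openssl command-line tool.

```shell
# Constructed demo: a throwaway CA in a temp dir, two client requests, one
# revocation. Nothing here touches a real CA or the Ansible pool directory.
set -eu; cd "$(mktemp -d)"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
# Minimal openssl config: one CA section plus what 'openssl req' needs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_dn
[ any_dn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
q() { "$@" >/dev/null 2>&1; }   # run a command quietly
# 1. CA key and self-signed certificate (what ca-server.yml creates).
q openssl req -new -x509 -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
    -subj "/CN=Demo OpenVPN CA" -config ca.cnf
# 2. Client requests (what openvpn-server.yml puts in the pool), then signing.
for c in johndoe janedoe; do
    q openssl req -new -nodes -newkey rsa:2048 -keyout "$c.key" -out "$c.req" \
        -subj "/CN=$c" -config ca.cnf
    q openssl ca -batch -notext -config ca.cnf -in "$c.req" -out "$c.crt"
done
# 3. Revoke janedoe and publish the CRL (the revocation step of ca-server.yml).
q openssl ca -config ca.cnf -revoke janedoe.crt
q openssl ca -config ca.cnf -gencrl -out crl.pem
# The check the OpenVPN server makes once the CRL is installed: chain, then CRL.
client_status() {
    if q openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1.crt"
    then echo allowed; else echo revoked; fi
}
client_status johndoe   # allowed
client_status janedoe   # revoked
```

Without -crl_check the revoked certificate still chains cleanly to the CA, which is why the OpenVPN playbook must be re-run to install the new CRL before the revocation takes effect.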
You can configure your OpenVPN server to:
- route all traffic via the OpenVPN server
- route traffic via the OpenVPN server only to specific IP addresses or networks.
If you want to route traffic to specific networks, change the Ansible variables like below:
The value false removes the redirect-gateway directive and the bypass-dhcp flag from the OpenVPN server configuration.
openvpn_additional_configs allows you to write additional OpenVPN server configuration lines. In our example, we set two such additional configuration lines. Each push line ensures that the client uses the OpenVPN connection to reach the corresponding IP address. In this example, when the client tries to reach a pushed IP address such as 192.168.4.6, it uses the OpenVPN connection.
In today's tutorial, we show how to install and configure FreeRADIUS on CentOS 7 Linux.
The RADIUS protocol is mostly used for Authentication, Authorization and Accounting (AAA). Many administrators use it to manage their users day to day.
In this tutorial, we install and configure FreeRADIUS to use a MariaDB database. To manage FreeRADIUS, we also install the daloRADIUS web interface.
Here is our environment:
OS: CentOS 7 on VMWare
IP address: 192.168.1.128
1- Install and set up MariaDB
To install MariaDB, we create a MariaDB repository file and install the required packages. Here we install MariaDB 10.5:
Then put the following content in it:
Now install MariaDB:
Then start the MariaDB service:
Then do the initial MariaDB setup:
Now we should create a user and a database for FreeRADIUS in MariaDB:
Note: change “radiuspassword” to your desired password.
2- Install Apache and PHP
To manage FreeRADIUS through the daloRADIUS web interface we need to install Apache and PHP:
Then install Apache:
3- Install and configure FreeRADIUS
After installing the prerequisites, we now install FreeRADIUS and configure it.
FreeRADIUS and its dependencies are available through the base CentOS 7 repository, so just issue this command:
Then we import the FreeRADIUS schema:
and create a soft link to the available mods:
Now open /etc/raddb/mods-available/sql and make changes so it looks like the following:
Then open /etc/raddb/clients.conf and change ipaddr and proto to be the same as the following:
4- Install and configure daloRADIUS
Now we install and configure daloRADIUS. Its package is available on GitHub, so download it and extract it:
Now import the daloRADIUS tables into the database:
Then move its directory to the Apache document root:
Change the owner of the daloRADIUS directory and set the proper SELinux policy:
Now open the daloRADIUS config file and set the following parameters:
5- Configure the firewall
We need to open the RADIUS and web ports, so issue these commands:
Then reload the firewall:
6- Start services
In rare circumstances, the SELinux policy manager may crash when we start the FreeRADIUS server, so first update some SELinux packages:
# yum update setools checkpolicy policycoreutils
Now the FreeRADIUS and daloRADIUS installation and configuration are done. The last thing is to start the services:
Then in your browser, point to this address (remember to replace the IP address with your own):
The default username and password of daloRADIUS are:
To allow remote devices to authenticate their users through FreeRADIUS, we must define a NAS. Click on Management > NAS > New NAS, then fill the NAS IP/Host field with the remote device's IP address or hostname and choose a strong secret.
Then define user accounts by navigating to Management > Users > New User.
Then navigate to Management > Users > List Users, select the created user and click on the Test Connectivity button.
Finally, click on Perform Test to make sure the created user is authenticated successfully.
Also, to test FreeRADIUS, there is a great tool called NTRadPing. You can download it from: