How to Build a Secure OpenVPN Server on CentOS and Ubuntu

This guide walks you through installing Easy‑RSA, generating CA, server and client certificates, configuring OpenVPN, enabling IP forwarding, adjusting firewalls, and setting up client connections on Linux, macOS and Windows, providing a complete end‑to‑end VPN deployment solution.

Linux Cloud Computing Practice

This article explains how to set up a basic OpenVPN service on CentOS and Ubuntu using Easy‑RSA to manage the required PKI keys and certificates.

Generate Required Keys and Certificates

OpenVPN relies on Easy‑RSA for PKI management. Two major Easy‑RSA versions exist (2 and 3); the steps below cover both.

Easy‑RSA 2

Installation

On Ubuntu 16.04 install Easy‑RSA 2 via apt:

# apt-get install -y easy-rsa

After installation copy the scripts to a safe location:

# cp -r /usr/share/easy-rsa /root

Generate CA Key and Certificate

All operations are performed in /root/easy-rsa. Edit the vars file and set the required environment variables:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="ZJ"
export KEY_CITY="HZ"
export KEY_ORG="MyCompany"
export KEY_EMAIL="[email protected]"

Apply the variables:

# source ./vars

Generate the CA certificate and key:

# ./build-ca

Generate VPN Server Key and Certificate

# ./build-key-server myvpn

This creates myvpn.crt and myvpn.key in the keys directory.

Generate Client Key and Certificate

# ./build-key hongling

This produces hongling.crt and hongling.key; repeat the command with a different name for each additional client.

Generate Diffie‑Hellman Parameters

# ./build-dh

The resulting dh2048.pem file is placed in the keys directory.

Easy‑RSA 3

Installation

On CentOS 7.5 ensure the EPEL repository is available:

# yum repolist

If missing, install it:

# yum install -y epel-release

Then install Easy‑RSA 3:

# yum install -y easy-rsa
# yum list installed easy-rsa

Copy the versioned directory to /root for safety:

# cp -r /usr/share/easy-rsa/3.0.3 /root/easyrsa

Generate CA Key and Certificate

All operations are performed in /root/easyrsa. Initialize the PKI directory:

# ./easyrsa init-pki

Build the CA:

# ./easyrsa build-ca

Generate VPN Server Key and Certificate

Create a request and sign it:

# ./easyrsa gen-req myvpn
# ./easyrsa sign-req server myvpn

Generate VPN Client Key and Certificate

# ./easyrsa gen-req hongling
# ./easyrsa sign-req client hongling

Generate Diffie‑Hellman Parameters

# ./easyrsa gen-dh

Install and Configure VPN Server

Installation

On Ubuntu:

# apt-get install -y openvpn

On CentOS (after enabling EPEL):

# yum install -y openvpn

Configuration

Copy the sample server.conf to /etc/openvpn/server and rename it to match your VPN name (e.g., myvpn.conf).

# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/myvpn.conf

Place the CA certificate, server certificate/key, and DH parameters into the same directory:

# cp /root/easyrsa/pki/ca.crt /etc/openvpn/server
# cp /root/easyrsa/pki/issued/myvpn.crt /etc/openvpn/server
# cp /root/easyrsa/pki/private/myvpn.key /etc/openvpn/server
# cp /root/easyrsa/pki/dh.pem /etc/openvpn/server/

Edit myvpn.conf so that the cert and key directives reference the files you copied: replace cert server.crt with cert myvpn.crt and key server.key with key myvpn.key, and set dh dh.pem. Comment out the tls-auth line if you are not using a tls-auth key.
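The edit described above can be scripted, which also makes it easy to confirm that every file myvpn.conf names actually exists before starting the service (a mis-named or missing key file is the usual reason the unit fails to start). This is an added example, not from the article: patch_server_conf rewrites the sample file's cert, key and dh directives for a given VPN name and comments out tls-auth; check_server_conf resolves each file directive relative to the config's directory, which is how openvpn-server@ runs it (the unit's working directory is /etc/openvpn/server), and reports anything missing.

```shell
#!/bin/sh
# Rewrite the sample server.conf for a given VPN name and verify its file references.
# Added example, not from the article or the OpenVPN project.
set -eu

# patch_server_conf CONF NAME
# Replaces the cert/key/dh directives with NAME.crt, NAME.key and dh.pem and
# comments out tls-auth (OpenVPN treats lines starting with ';' as comments).
# Writes via a temp file so it works with both GNU and BSD sed.
patch_server_conf() {
  conf=$1; name=$2
  sed \
    -e "s|^cert .*|cert ${name}.crt|" \
    -e "s|^key .*|key ${name}.key|" \
    -e "s|^dh .*|dh dh.pem|" \
    -e "s|^\(tls-auth .*\)|;\1|" \
    "$conf" > "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# check_server_conf CONF
# Every active ca/cert/key/dh/tls-auth/tls-crypt directive must point at a file
# that exists, relative paths being resolved against the config's own directory.
# Returns 1 and lists the missing files on stderr if any are absent.
check_server_conf() {
  conf=$1
  dir=$(dirname "$conf")
  missing=0
  for file in $(grep -E '^(ca|cert|key|dh|tls-auth|tls-crypt) ' "$conf" | awk '{print $2}'); do
    case $file in
      /*) path=$file ;;
      *)  path=$dir/$file ;;
    esac
    if [ ! -f "$path" ]; then
      echo "missing: $file (referenced by $conf)" >&2
      missing=1
    fi
  done
  return $missing
}

# Stand-alone usage:  sh patch_server_conf.sh /etc/openvpn/server/myvpn.conf myvpn
if [ $# -eq 2 ]; then
  patch_server_conf "$1" "$2"
  check_server_conf "$1" && echo "all files referenced by $1 are present"
fi
```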

Enable IP Forwarding

# sysctl -w net.ipv4.ip_forward=1

Add the following line to /etc/sysctl.conf to make it persistent:

net.ipv4.ip_forward=1

Configure Firewall

CentOS (firewalld)

Allow the OpenVPN service (default UDP 1194) or change the port as needed:

# firewall-cmd --permanent --add-service=openvpn
# firewall-cmd --reload

Ubuntu (UFW example)

Open the required port:

# ufw allow 1194/udp

Run as System Service

Enable and start the server instance:

# systemctl enable openvpn-server@myvpn
# systemctl start openvpn-server@myvpn

Check status with:

# systemctl status openvpn-server@myvpn

Configure Client

Create a directory for each client (e.g., /root/vpnclient/hongling) and copy the sample client configuration and the CA, client key, and client certificate into it:

# cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf /root/vpnclient/hongling/hongling.conf
# cp /root/easyrsa/pki/ca.crt /root/vpnclient/hongling
# cp /root/easyrsa/pki/private/hongling.key /root/vpnclient/hongling
# cp /root/easyrsa/pki/issued/hongling.crt /root/vpnclient/hongling

Adjust remote, cert, and key entries in the client config to match the server address and the client’s file names.
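The per-client edit above is mechanical and easy to get wrong by hand across many clients, so here it is as a script. This is an added example, not from the article: make_client_conf performs exactly the remote/cert/key substitution described, and make_inline_ovpn goes one step further than the article by folding ca.crt, the client certificate and the client key into a single .ovpn file using OpenVPN's inline <ca>, <cert> and <key> blocks, which is the easiest thing to hand to a Tunnelblick or OpenVPN GUI user. The server name vpn.example.com is a placeholder; the Easy‑RSA paths and the client name hongling are the article's.

```shell
#!/bin/sh
# Build per-client OpenVPN configs from the sample client.conf.
# Added example, not from the article or the OpenVPN project.
set -eu

# make_client_conf SAMPLE OUT CLIENT SERVER [PORT]
# Copies SAMPLE to OUT with remote/cert/key pointed at SERVER and CLIENT's files.
make_client_conf() {
  sample=$1; out=$2; client=$3; server=$4; port=${5:-1194}
  sed \
    -e "s|^remote .*|remote ${server} ${port}|" \
    -e "s|^cert .*|cert ${client}.crt|" \
    -e "s|^key .*|key ${client}.key|" \
    "$sample" > "$out"
}

# make_inline_ovpn CONF OUT CA_CRT CLIENT_CRT CLIENT_KEY
# Produces a single self-contained .ovpn: CONF minus its ca/cert/key directives,
# followed by inline <ca>, <cert> and <key> blocks. Easy-RSA's issued .crt files
# carry a human-readable dump before the PEM block, so only the PEM is copied.
# The file contains a private key, hence the restrictive umask.
make_inline_ovpn() {
  conf=$1; out=$2; ca=$3; crt=$4; key=$5
  (
    umask 077
    {
      grep -vE '^(ca|cert|key) ' "$conf" || true
      printf '<ca>\n'
      sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca"
      printf '</ca>\n<cert>\n'
      sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$crt"
      printf '</cert>\n<key>\n'
      cat "$key"
      printf '</key>\n'
    } > "$out"
  )
}

# Stand-alone usage with the article's layout:
#   sh make_client.sh hongling vpn.example.com
if [ $# -eq 2 ]; then
  client=$1; server=$2
  pki=/root/easyrsa/pki
  dir=/root/vpnclient/$client
  mkdir -p "$dir"
  make_client_conf /usr/share/doc/openvpn/sample/sample-config-files/client.conf \
    "$dir/$client.conf" "$client" "$server"
  make_inline_ovpn "$dir/$client.conf" "$dir/$client.ovpn" \
    "$pki/ca.crt" "$pki/issued/$client.crt" "$pki/private/$client.key"
  echo "wrote $dir/$client.conf and $dir/$client.ovpn"
fi
```

The .conf plus separate certificate files still works for the Linux instructions that follow; the .ovpn is the one to copy to macOS and Windows clients, and because it embeds the private key it should be transferred over a channel you trust and deleted from the server afterwards.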

Client Installation and Execution

Linux

Run in the foreground:

# openvpn --config client.conf

Run in the background with a password file:

# echo "mypass" > /root/hongling/hongling.pass
# openvpn --config /root/hongling/hongling.conf --daemon --askpass /root/hongling/hongling.pass

Or start it as a systemd service (openvpn-client@hongling) after placing the files in /etc/openvpn/client and adding --askpass %i.pass to the unit's ExecStart line.

macOS

Install the Tunnelblick client, drag the .conf file (with its certificates) into Tunnelblick’s configuration list, and click “Connect”.

Windows

Download the OpenVPN installer from the official site, install it, copy the client configuration and certificates into %USERPROFILE%\OpenVPN\config, then launch the OpenVPN GUI and connect.

After connecting, verify the tunnel by pinging the VPN gateway (default 10.8.0.1).

Written by Linux Cloud Computing Practice