How to Install and Configure ocserv VPN on CentOS – Step‑by‑Step Guide
This tutorial walks you through installing ocserv on CentOS, creating a CA and server certificates, configuring routing groups and ocserv.conf, setting up sysctl and iptables firewall rules, managing VPN users, and controlling the service with occtl commands.
1. Install ocserv
ocserv is available in the EPEL repository and can be installed with yum.
# yum -y install epel-release
# yum -y install ocserv2. Create CA and certificates
Generate a CA directory, template, private key, and self‑signed certificate, then create server key and certificate.
# cd /etc/ocserv
# mkdir CA
# cd CA
# cat > ca.tmpl <<EOF
cn = "pugongying"
organization = "Test Qi"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
EOF
# certtool --generate-privkey --outfile ca-key.pem
# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
# cat > server.tmpl <<EOF
cn = "192.168.56.24"
organization = "jq"
expiration_days = 36500
signing_key
encryption_key
tls_www_server
EOF
# certtool --generate-privkey --outfile server-key.pem
# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem3. Create routing group directory
# mkdir -p /etc/ocserv/group
# cat > /etc/ocserv/group/ops <<EOF
route = 192.168.5.0/255.255.255.0
route = 172.17.134.0/255.255.255.0
# ... additional routes ...
EOF4. Modify ocserv.conf
Backup the original file and edit key parameters such as authentication method, ports, certificate paths, client limits, keepalive, rekey settings, DNS, and routing.
# cp /etc/ocserv/ocserv.conf{,_bak}
# vi /etc/ocserv/ocserv.conf
# Example excerpts:
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
run-as-user = ocserv
run-as-group = ocserv
server-cert = /etc/ocserv/CA/server-cert.pem
server-key = /etc/ocserv/CA/server-key.pem
ca-cert = /etc/ocserv/CA/ca-cert.pem
max-clients = 16
max-same-clients = 2
keepalive = 10800
rekey-time = 172800
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
ipv4-network = 192.168.5.0/24
dns = 192.168.5.15. Restart ocserv
# systemctl restart ocserv6. User management
# ocpasswd -c /etc/ocserv/ocpasswd test
Enter password: 123456
Re-enter password: 1234567. Kernel and firewall configuration
Adjust sysctl parameters for IPv4/IPv6 security and performance, then configure iptables (or firewalld) to NAT the VPN subnet and allow required ports.
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
# ... other sysctl settings ...
# sysctl -p
# vi /etc/sysconfig/iptables
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT8. ocserv management commands
# occtl -n show status
# occtl -n show users
# occtl disconnect user test
# occtl disconnect id 3Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.