How to Install OpenVPN on CentOS 8 VPS Server

In this tutorial, we will show you how to install OpenVPN on CentOS 8 VPS Server. OpenVPN is an open-source VPN Server that can be used for creating secure point-to-point Virtual Private Networks.

We will set up a VPN Server and use it to route traffic from connected clients out to the internet. Using this configuration we can browse the web or run Netflix through our VPS. This is a great way to get around firewalls that block IP’s at a country level.

The First thing you will need is a VPS. You can get a high-performance VPS from Contabo for only 4.99 a month. And we highly recommend them.

Once you have your VPS up and running, the next thing you will need is to install the Extra Packages for Enterprise Linux, aka EPEL repository.

At the time of this writeup, the current version of Epel is 8. We will use wget to grab the rpm from a mirror.

yum install epel-release


sudo dnf install epel-release

Install OpenVPN on CentOS 8 VPS Server

Since you have installed the EPEL repository, you will be able to use YUM to install the OpenVPN packages and required dependencies.

yum install openvpn

OpenVPN is now installed but there are a few more configuration tasks we need to complete before its usable.

Configuring OpenVPN on CentOS 6

You will need to create a configuration file for the OpenVPN server to use as well as create some certificates. In this tutorial, we will use self-signed certificates, but you can and should use proper certificates in production environments. For small installations, self-signed certificates will suffice.

Lastly, you will need to configure ipforwarding for your VPN traffic and permit that traffic through your IPTables firewall.

Create OpenVPN Server Configuration File

Open VPN comes with a sample configuration. We will use this as a basic template then modify it to suit our requirements. You need to copy the sample config file to OpenVPN’s directory in /etc.

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
cd /etc/openvpn/

Next, we will need to edit the configuration file to configure OpenVPN for what we are trying to do. Using vi edit the file you copied to /etc/openvpn/server.conf

vi server.conf

I recommend running a VPN over TCP. You may experience better performance over UDP as its “connectionless”, but as I will be sending data over this connection that I rely on I want a connection-oriented protocol. This will also stop UDP flooding of the VPS Server. Comment out the ‘proto UDP’ line and uncomment the ‘proto tcp’ line.

# TCP or UDP server?
proto tcp
;proto udp

Next, we need to force all of our traffic up the VPN connection from our connected clients. You can configure split tunnelling which would allow connectivity to your plan as well resources over the VPN connection but we will cover that in another tutorial. For now, uncomment the following line in server.conf

push redirect-gateway def1 bypass-dhcp

Additionally, we will need to “push” what DNS server the client should use. Since all traffic will be routed up the VPN tunnel, clients would not be able to reach the local pan DNS resolver (usually their cable modem or router), so we need to provide a replacement. We will tell our users to query OpenDNS’s DNS servers for queries. Uncomment the following two lines from the server.conf

push 'dhcp-option DNS'
push 'dhcp-option DNS'

Lastly, we also need to tell OpenVPN What CA, Certificate, Key and Diffie–Hellman key to use. Modify these lines so they look like below, modifying for your key and certificate names.

ca /etc/openvpn/easy/keys/ca.crt
cert /etc/openvpn/easy/keys/
key /etc/openvpn/easy/keys/ # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/easy/keys/dh2048.pem

Save and exit the configuration file server.conf. That is all we need to edit. Since we used the sample config file all the other settings should work for us.

Setting up Certificates using easy-rsa

Now that the configuration file is updated we need to create certificates for the OpenVPN Server and our client to use. We will use easy-rsa to generate a CA, key, and self-signed certificate and our user’s certificates. Easy-rsa is also available from the EPEL repo. We need to use YUM again to install the easy-rsa package.

yum install easy-rsa

Next, we need to create the CA, Certificate and Key. You will need to copy some more sample file over first as we did above. Easy-rsa provides these files in /usr/share/easy-rsa/2.0 on CentOS 6, but on other distributions, it may be in another location.

mkdir -p /etc/openvpn/easy/keys
cd /usr/share/easy-rsa/2.0
cp -r * /etc/openvpn/easy/
cd /etc/openvpn/easy/

Now you need to edit the file “vars”. Easy-rsa uses this file to get defaults for the keys you’re going to use.
I recommend you use a 2048 bit key size or greater. 4096 may be overkill right now but if your paranoid use 4096. To balance speed and security use 2048. Do not use a 1024 bit key. These can be cracked.

Modify the line that says export KEY_SIZE=1024 to look like this:

export KEY_SIZE=2048

Also, modify all variables at bottom of the vars file. These are the default values for fields which will be placed in the certificate. Don’t leave any of these fields blank. Make your look something like this.

export KEY_COUNTRY="Your Country"
export KEY_PROVINCE="Your State"
export KEY_CITY="Your City"
export KEY_ORG="Your ORG"
export KEY_EMAIL='[email protected]'
export KEY_CN=OpenVPN-CA
export KEY_NAME=OpenVPN-CA
export KEY_OU=""

Save and exit the file (:wq if you’re using vi) and then you need to source the vars file to set the options as environment variables. When you source the file make sure you follow the correct syntax if you’re unfamiliar with this. The syntax is “. ./vars”, Notice the preceding dot.

. ./vars

If you make a mistake you can unset the variable by running the following command, then edit vars and source it again.

unset variable_name;

Next, you need to make sure the environment is clean before setting up your first CA. Run the following command to clean the /etc/openvpn/easy/keys directory of any existing keys. ***NOTE*** You only need to clean before creating your first key. Do not run clean again after creating your CA or you will delete it and any keys signed by it.


Creating the Server CA Certificate and Key

Now that the environment is set up for easy-rsa we can create the CA for OpenVPN to use by running the following command:


Next, we need to create the key for the OpenVPN Server to use.


Lastly, we need to generate our DH key.


Creating a client certificate

Open VPN Uses certificates for authentication. You will need to create a certificate and key for each client to use and then provide it to them.

./build-key clientname

Now you need to provide the Server CA, and the Client Certificate and Key. I usually gzip these and then email the gzip file to the client. We will use this file when we set up our client later in this tutorial.

tar zcvf tutor-vpn.tgz ca.crt clientname.crt clientname.key
echo "YourVPN Certificate is attached" | mailx -s "Your VPN Certificate" -a tutor-vpn.tgz [email protected]

Configure IPTables for OpenVPN

Now we need to tell IPTables to NAT the OpenVPN Client traffic and send it out our default ethernet interface which on this system is eth0. We also need to permit our OpenVPN traffic to the VPN server. We will need to open up the port TCP 1194, as we configured this OpenVPN Server to use TCP.

iptables -A INPUT -m tcp -p tcp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
service iptables save

Configure Kernel Networking

In addition to setting up IPTables, we need to tell the Linux kernel to forward IP 4 traffic. You can do this by editing the following line in that reads “net.ipv4.ip_forward = 0” in /etc/sysctl.conf to look like this:

# Controls IP packet forwarding
net.ipv4.ip_forward =1

To make these setting active you need to update sysctl.

Starting Open VPN

The configuration on the server is complete at this point. All that is left to do is start OpenVPN. Additionally, if you want the OpenVPN server to start automatically when your server is rebooted you can set it using chkconfig.

service openvpn start
chkconfig openvpn on

Configuring the Open VPN Client

Now that your server is all set up, you need to set up the client’s computer to connect to the new server. In our case we a MacBook Pro running OSX Mavericks. There is an awesome Mac OpenVPN Client called Viscosity that we really enjoy using. They have a free version you can use for 30 days, and to be honest the purchase price for the client is a very reasonable $9 USD.

The client will need the IP address or Fully Qualified Hostname of the VPN Server and the file you emailed them earlier.

Extracting the key and certificate

The client can simply click on the tgz file you emailed them and extract it using OSX’s building archive utility. Or you can do it from a command prompt as well. This will extract the three files the client will need when setting up their VPN Connection.

tar xvf tutor.tgz

Configuring the Viscosity OpenVPN Client

Next open Viscosity and then click the Viscosity icon in the menu bar and click “Preferences”. This will Open up the connection Window.

Setup OpenVPN on CentOS 8

Click the + icon and then click “New Connection”. This will open the configuration window where the client can configure the IP Address or Hostname of the Server. Leave everything else on this page as the defaults.

How to Install OpenVPN on CentOS 8 VPS Server

Now Click the Authentication tab, and configure the Server CA, Client Key and Certificate and then click Save.

How to Install OpenVPN on CentOS 8 VPS Server

Now Click the Viscosity icon in the menu bar and you should see an option that says Connect My Connection. Click this to connect to your VPN.

After you are connected, all your traffic is being routed up the tunnel so your source address will look like your servers IP address. To confirm, simply go to and ask what is my IP and it will tell you. You should see your Servers IP address.

That’s all there is to setting up OpenVPN on CentOS 6. We hope you have enjoyed this tutorial. Please leave comments if you have any questions or suggestions!

You May Also Like

About the Author: WPC Staff

WPCrons staff has long-term experience of WordPress & like to constantly spot problems and plotting how to solve them. We believe you don't need to be a nerd or a programmer or a network engineer to make a difference.

Leave a Reply

Thanks for choosing to leave a reply. Your opinions and comments are very important to us, and your email address will NOT be published. If you need a private conversation then use our contact form. Please add an avatar if you do not have and make the comment section more beautiful.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Accept! No, thanks!

Why my browser don’t show me the coupon?

By default, Google Chrome and some other browser block pop-ups from automatically showing up on your screen. When a pop-up is blocked, the address bar will be marked Pop-up blocked Pop-up blocked.

ComputerAndroidiPhone & iPad

  1. On your computer, open Chrome.
  2. At the top right, click More More and then Settings.
  3. Under “Privacy and security,” click Site settings.
  4. Click Pop-ups and redirects.
  5. At the top, turn the setting to Allowed or Blocked.

  1. On your Android phone or tablet, open the Chrome app Chrome.
  2. To the right of the address bar, tap More More Settings.
  3. Tap Site settings and then Pop-ups and redirects.
  4. Turn Pop-ups and redirects on or off.

  1. On your iPhone or iPad, open the Chrome app Chrome.
  2. Tap More More and then Settings Settings.
  3. Tap Content Settings and then Block Pop-ups.
  4. Turn Block Pop-ups on or off.

Share via


Subscribe to get FREE updates

Join 1000s of readers around the globe. Don’t worry. We also don’t like Spam. We are weekly.


We are using affiliate links & images from respective product sites in our articles occasionally, means that if you click on one of the links and purchase an item, we may receive a commission (at no additional cost to you). All the reviews & opinions (positive or negative) are 100% our own. We are not getting any money to write them. The trademarks mentioned in this website belong to the respective companies. All the articles are information purpose only, to help someone to educate & save money. In case any problem with the content, you can reach us anytime through our contact us page »