Install and Configure OpenVPN on Rocky Linux 9: Best VPN Server

This tutorial shows you how to Install and Configure OpenVPN on Rocky Linux 9. OpenVPN is an open-source VPN protocol and software suite that builds an encrypted tunnel between two points in a network. It is a trusted technology used by many virtual private networks, or VPNs, to keep data sent over the internet encrypted and private. Follow the steps below on the Orcacore website to learn how to Install and Configure OpenVPN on Rocky Linux 9.

To Install and Configure OpenVPN on Rocky Linux 9, log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide on Initial Server Setup with Rocky Linux 9.

Once you are done with the initial setup, follow the steps below to Install and Configure OpenVPN on Rocky Linux 9.

Enable IP Forwarding on Rocky Linux 9

First, update the packages on your server with the following command:

sudo dnf update -y

To Install and Configure OpenVPN on Rocky Linux 9, you need to enable IP forwarding so that the incoming packets can be forwarded to different networks.

To enable IP forwarding, open the sysctl config file with your favorite text editor, here we use the vi editor:

sudo vi /etc/sysctl.conf

Add the following line to the file:

net.ipv4.ip_forward = 1

When you are done, save and close the file, then load the new setting without a reboot by running sudo sysctl -p.

Install OpenVPN on Rocky Linux 9

The OpenVPN packages are available in the EPEL repository on Rocky Linux 9. So first install the EPEL repository on your server with the command below:

sudo dnf install epel-release -y

Now use the following command to install the OpenVPN server:

sudo dnf install -y openvpn

Install Easy RSA on Rocky Linux 9

To Install and Configure OpenVPN on Rocky Linux 9, you need to install Easy RSA which helps you set up an internal certificate authority for use with your VPN.

Download Easy RSA

Use wget to download Easy-RSA on Rocky Linux 9. Find the link for the latest release on the Easy-RSA Releases page on GitHub and use it in the following commands (this guide uses version 3.1.1):

cd /etc/openvpn

sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.1/EasyRSA-3.1.1.tgz

When your download is completed, extract your file:

sudo tar -xvzf EasyRSA-3.1.1.tgz

Next, rename the extracted directory to easy-rsa:

sudo mv EasyRSA-3.1.1 easy-rsa

Configure Easy RSA

To Install and Configure OpenVPN on Rocky Linux 9, you need to build a certificate authority (CA) and issue the server and client certificates for your OpenVPN. First, navigate to your easy-rsa directory:

cd /etc/openvpn/easy-rsa

Then, open the vars file with your favorite text editor, here we use vi:

sudo vi vars

Add the following content to the file (the directory is owned by root after the move, so the Easy-RSA commands below are run with sudo):

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "USA"
set_var EASYRSA_REQ_PROVINCE "Newyork"
set_var EASYRSA_REQ_CITY "Newyork"
set_var EASYRSA_REQ_ORG "orca CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "admin@orcacore.com"
set_var EASYRSA_REQ_OU "orca EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "orca CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"

When you are done, save and close the file.

Note: You can change the value of country, city, province, and email according to your requirements.

Now, initialize the PKI directory with the following command:

sudo ./easyrsa init-pki

Finally, use the following command to build your OpenVPN CA certificates on Rocky Linux 9:

sudo ./easyrsa build-ca

You will be asked to enter a PEM pass phrase for the new CA key and a Common Name for the CA.

When you are done, proceed to the next step.

Generate Server Certificate Files

At this point, generate the server key pair and certificate request. The nopass option leaves the server key unencrypted so the service can start without a passphrase. To do this, run the following command:

sudo ./easyrsa gen-req orca-server nopass

Sign the Server Key With the CA

To sign your server request with the CA, run the following command:

sudo ./easyrsa sign-req server orca-server

Type yes to confirm the request details, then enter the CA passphrase that you created.

Then, you need Diffie-Hellman parameters for the key exchange. Generate them by running the following command:

sudo ./easyrsa gen-dh

This will take some time to complete.

Next, copy all these files to the /etc/openvpn/server/ directory:

sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/private/orca-server.key /etc/openvpn/server/
sudo cp pki/issued/orca-server.crt /etc/openvpn/server/

Generate Client Key and Certificate

At this point, generate the client key pair and certificate request by running the following command:

sudo ./easyrsa gen-req client nopass

Next, sign your client request with the CA:

sudo ./easyrsa sign-req client client

Type yes to confirm the request details, then enter the CA passphrase that you created.

Then, copy these files to the /etc/openvpn/client/ directory:

sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/

Configure OpenVPN Server File on Rocky Linux 9

At this point, you need to create and open a new config file in the OpenVPN server directory on Rocky Linux 9 with the following command:

sudo vi /etc/openvpn/server/server.conf

Then add the following content to the file. Here we push Google's public DNS servers to the clients; you can pick different DNS servers.

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/orca-server.crt
key /etc/openvpn/server/orca-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3

When you are done, save and close the file.

Manage OpenVPN Server

At this point, you need to start and enable your OpenVPN service on Rocky Linux 9 by using the following commands:

sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server

Verify your OpenVPN service is active and running on your Rocky Linux server:

sudo systemctl status openvpn-server@server

At this point, a new tun0 network interface is created when the OpenVPN server starts successfully. Run the following command to see its details (ifconfig also works if the net-tools package is installed):

ip addr show tun0

Configure OpenVPN Client File on Rocky Linux 9

To connect a client to the OpenVPN server, you need a client configuration file. Create it with the following command:

sudo vi /etc/openvpn/client/client.ovpn

Add the following content to the file, replacing vpn-server-ip with the public IP address or hostname of your server:

client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

When you are done, save and close the file.
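As a check on the server.conf and client.ovpn above, the following added example, which is not part of this guide or of OpenVPN itself, parses an OpenVPN config file with only the Python standard library and reports the settings a defender would tighten: compression (a known plaintext-oracle risk, deprecated in OpenVPN 2.5+), a missing tls-crypt or tls-auth key, a legacy cipher line without data-ciphers, duplicate-cn on the server, and a client without remote-cert-tls server. SERVER_CONF is a constructed excerpt of this guide's server.conf; directive names are real OpenVPN options.

```python
"""Lint OpenVPN server.conf / client.ovpn directives (added example, not
from the guide or OpenVPN). Stdlib only; directive names are real OpenVPN
options. SERVER_CONF is a constructed excerpt of the guide's server.conf."""

SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
compress lz4
user nobody
group nobody
"""


def parse_conf(text):
    """Map each directive to a list of its argument lists (repeats kept)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def audit(text, role="server"):
    """Return (severity, message) findings for a server or client config."""
    c = parse_conf(text)
    out = []
    if "compress" in c or "comp-lzo" in c:  # oracle risk; deprecated in 2.5+
        out.append(("high", "compression enabled: remove 'compress'/'comp-lzo'"))
    if "tls-crypt" not in c and "tls-auth" not in c:  # control-channel HMAC
        out.append(("medium", "no tls-crypt/tls-auth key protecting the control channel"))
    if "cipher" in c and "data-ciphers" not in c:  # AEAD negotiation, 2.5+
        out.append(("medium", "'cipher' alone is deprecated: add 'data-ciphers AES-256-GCM:AES-128-GCM'"))
    if role == "server":
        if "duplicate-cn" in c:  # shared certs defeat per-device revocation
            out.append(("medium", "duplicate-cn set: issue one certificate per device instead"))
        if "user" not in c or "group" not in c:  # privilege drop after startup
            out.append(("low", "daemon keeps root: add 'user nobody' and 'group nobody'"))
    else:
        if "remote-cert-tls" not in c:  # require the server EKU on the peer cert
            out.append(("high", "client lacks 'remote-cert-tls server'"))
        if any(a[:1] == ["vpn-server-ip"] for a in c.get("remote", [])):
            out.append(("low", "'remote' still holds the placeholder vpn-server-ip"))
    return out
```

Run audit(open("/etc/openvpn/server/server.conf").read()) on the server and audit(text, role="client") on client.ovpn; an empty list means none of the checks above fired.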

Configure Routing on Rocky Linux 9

To install and configure OpenVPN on Rocky Linux 9, you need to allow OpenVPN traffic through the firewall and enable masquerading so that VPN clients can reach the internet. To do this, run the following commands:

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade

Next, add a NAT rule so that traffic from the VPN subnet is masqueraded out of your server's default interface. The first command stores the name of the interface that routes to the internet in a shell variable (it reads the name after "dev" in the ip route output, which also works on newer iproute2 versions that print a uid field); it must be a plain assignment, not run through sudo:

routecnf=$(ip route get 8.8.8.8 | awk 'NR==1 {for (i=1; i<=NF; i++) if ($i == "dev") print $(i+1)}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $routecnf -j MASQUERADE

Reload the firewall to apply the changes:

sudo firewall-cmd --reload

Configure OpenVPN on a Client Machine

At this point, you can use the /etc/openvpn/client/client.ovpn file on any client machine to connect to your server. Because the file references ca.crt, client.crt, and client.key by relative path, copy those three files from /etc/openvpn/client/ to the client together with client.ovpn.

Windows:

On Windows, you need to download the OpenVPN binaries from the OpenVPN community which come with a GUI.

Then, place your “.ovpn” configuration file in the right directory, C:\Program Files\OpenVPN\config, and click Connect in the GUI.

Note: OpenVPN GUI on Windows must be executed with administrative privileges.

macOS:

On macOS, the open-source application Tunnelblick provides an interface similar to the OpenVPN GUI on Windows and comes with OpenVPN and the required TUN/TAP drivers.

Place your “.ovpn” configuration file in the ~/Library/Application Support/Tunnelblick/Configurations directory, or simply double-click the “.ovpn” file to import it.

Linux:

On Linux, you should install OpenVPN from your distribution’s official repositories. Then, you can use OpenVPN by running the following command:

sudo openvpn --config ~/path/to/client.ovpn

After you set up a successful client connection, you can verify that your traffic is being routed through the VPN by checking your public IP address in a search engine such as Google; it should now show your server's address. That's it, with these guide steps you have learned to Install and Configure OpenVPN on Rocky Linux 9.

Conclusion

OpenVPN provides a powerful and secure solution for establishing encrypted connections to your network, ensuring data privacy and security. At this point, you have learned to Install and Configure OpenVPN on Rocky Linux 9.

Hope you enjoy it. You may also be interested in these articles:

Install Varnish Cache with Nginx on Rocky Linux 9

Set up NTP Server and Client on Rocky Linux 9

Alternative Solutions for Setting Up a VPN on Rocky Linux 9

While OpenVPN is a robust and popular choice, alternative solutions exist for setting up a VPN on Rocky Linux 9. Here are two different approaches:

1. WireGuard:

WireGuard is a modern VPN protocol known for its speed, simplicity, and strong security. It’s designed to be much leaner than OpenVPN, resulting in better performance and easier configuration.

  • Explanation: WireGuard uses state-of-the-art cryptography and operates at the kernel level, which contributes to its efficiency. Its configuration is simpler, relying on public-key cryptography and minimal configuration files. This can lead to faster connection speeds and reduced CPU usage compared to OpenVPN, especially on resource-constrained systems.

  • Installation and Configuration Example:

    First, install the WireGuard user-space tools (the Rocky Linux 9 kernel already ships the WireGuard module, so no separate kernel module package is needed; wireguard-tools comes from EPEL):

    sudo dnf install wireguard-tools
    sudo systemctl enable wg-quick@wg0

    Next, generate the keys for the server and client:

    wg genkey | tee server_private.key | wg pubkey > server_public.key
    wg genkey | tee client_private.key | wg pubkey > client_public.key

    Create the WireGuard server configuration file /etc/wireguard/wg0.conf (replace eth0 in the PostUp and PostDown lines with the name of your server's external interface):

    [Interface]
    Address = 10.6.0.1/24
    ListenPort = 51820
    PrivateKey = <server_private_key>
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
    [Peer]
    PublicKey = <client_public_key>
    AllowedIPs = 10.6.0.2/32

    Create the WireGuard client configuration file (e.g., client.conf):

    [Interface]
    PrivateKey = <client_private_key>
    Address = 10.6.0.2/32
    DNS = 8.8.8.8, 8.8.4.4
    
    [Peer]
    PublicKey = <server_public_key>
    Endpoint = <server_ip>:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25

    Start the WireGuard interface on the server:

    sudo wg-quick up wg0

    Finally, on the client machine configure and activate your client.conf with the proper command for your system.

2. SSH Tunneling with Dynamic Port Forwarding:

For simpler use cases where strong encryption is less critical and convenience is more important, SSH tunneling can provide a basic VPN-like functionality.

  • Explanation: SSH tunneling leverages the existing SSH protocol to create an encrypted channel. Dynamic port forwarding allows you to route all your network traffic through the SSH server, acting as a rudimentary VPN. This is particularly useful for bypassing geo-restrictions or accessing resources on a remote network. However, it lacks some advanced features of dedicated VPN solutions like OpenVPN or WireGuard and might not be suitable for highly sensitive data.

  • Configuration Example:

    No server-side configuration is usually required beyond having an SSH server running. On the client side, use the following command to create the tunnel:

    ssh -D 1080 user@server_ip

    This command establishes an SSH connection to server_ip as user and sets up a SOCKS proxy on port 1080 on your local machine. You then need to configure your web browser or other applications to use this SOCKS proxy (localhost:1080) to route traffic through the tunnel.

    For example, in Firefox, you would go to Preferences -> General -> Network Settings -> Settings and choose "Manual proxy configuration." Set SOCKS host to "localhost" and port to "1080," and select "SOCKS v5."

These alternative solutions offer different trade-offs in terms of security, performance, and ease of configuration. The best choice depends on your specific needs and technical expertise. WireGuard provides a modern and efficient VPN solution, while SSH tunneling offers a quick and simple way to create a basic encrypted tunnel for specific applications. Remember to always prioritize security best practices and choose the solution that best fits your requirements.
