Installing & Configuring OpenVPN On CentOS
Background
I have mentioned before that I am hosting my own private cloud services to avoid using any of the big cloud services for privacy/security reasons. In order to keep my server more secure, I decided that any privileged access to the server would require a VPN connection. This adds a significant extra layer of security that a malicious actor would have to get through before compromising my server(s).
Choosing A VPN Solution
My first plan was to use WireGuard. WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs). It aims to be lighter and better performing than IPsec and OpenVPN, two common tunneling protocols. The WireGuard protocol passes traffic over UDP.
I had this working for a few days and during that time I was traveling via train and working at various client sites where I was using their wireless Internet. This is how I discovered that a UDP VPN solution was not going to be ideal, because many public or shared WiFi networks block unknown UDP traffic. When I was on the train or using my customer's WiFi, I could not connect to the VPN!
I also (briefly) looked at EdgeVPN, but I decided that the small user-base and lack of any security audits were enough of a concern that I didn't want to use it long term. That said, EdgeVPN was VERY nice to use and also gave me access into computers on my home network, which was really convenient!
I finally decided that I would use OpenVPN. There are OpenVPN packages for the Linux distributions I have used, so it's quite easy to get. Installing is as simple as using your package manager (e.g. dnf, yum or apt) and then configuring it.
Configuring OpenVPN
As you might expect, properly configuring a VPN solution can be a daunting task, but as with most things in IT and especially Open Source, people have built tools and abstractions to make this process easier. The OpenVPN community produces a tool to help you with the management of certificates (also known as Public-Key Infrastructure or PKI) in the form of EasyRSA.
EasyRSA simplifies a lot of the certificate work of running OpenVPN, but we can do one better. Stanislav has created a nice shell script which wraps EasyRSA and helps you build the server configuration and the client configurations. This makes configuring and running OpenVPN extremely simple.
Creating User Configurations
The openvpn-install.sh script handles this as well. Please refer to the link above for more details about how to use the script.
Once you have configured your server and created a <client>.ovpn file, you just need to have an OpenVPN client installed on your computer and import the <client>.ovpn file.
Thanks to Open Source contributors, this is about as simple as you can get with installing and configuring a VPN server.
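Since blocked UDP was the reason for moving off WireGuard, it is worth confirming which transport a generated profile actually uses before relying on it on a restrictive network. The following is an added example, not part of openvpn-install.sh or the original post: it lists each `remote` in a client profile with its effective port and protocol, falling back to OpenVPN's defaults (UDP, port 1194) when a directive is absent. The sample profiles and hostnames are constructed, the function names are hypothetical, and `<connection>` blocks are not handled.

```shell
#!/bin/sh
# Added example: report the effective transport of an OpenVPN client profile.

# Print "host port proto" for every `remote` line in the profile "$1".
# A per-remote port/proto overrides the global `port` / `proto` directives.
ovpn_remotes() {
    awk '
        /^[[:space:]]*[#;]/ { next }            # skip comment lines
        $1 == "proto"  { proto = $2 }
        $1 == "port"   { port = $2 }
        $1 == "remote" { n++; host[n] = $2; rport[n] = $3; rproto[n] = $4 }
        END {
            if (proto == "") proto = "udp"       # OpenVPN default protocol
            if (port == "")  port = "1194"       # OpenVPN default port
            for (i = 1; i <= n; i++) {
                p = (rport[i] != "") ? rport[i] : port
                t = (rproto[i] != "") ? rproto[i] : proto
                print host[i], p, t
            }
        }
    ' "$1"
}

# Exit 0 when no remote is reachable over TCP, i.e. the profile stops
# working on a network that drops unknown UDP traffic.
ovpn_udp_only() {
    ! ovpn_remotes "$1" | awk '{ print $3 }' | grep -q '^tcp'
}

# Constructed sample profiles (placeholder hostnames, no keys or certs).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/udp.ovpn" <<'EOF'
client
dev tun
# no proto directive: OpenVPN falls back to udp
remote vpn.example.com
EOF
cat > "$sample_dir/tcp.ovpn" <<'EOF'
client
dev tun
proto tcp-client
remote vpn.example.com 443
remote backup.example.com 1194 udp
EOF

for f in "$sample_dir"/*.ovpn; do
    echo "== ${f##*/}"
    ovpn_remotes "$f"
    if ovpn_udp_only "$f"; then echo "   UDP only: will fail where UDP is blocked"; fi
done
```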
Final thoughts
Do you like this method or hate it? Send me a message on Mastodon and perhaps we can improve this solution!!