How to install and configure OpenVPN Server on Rocky Linux 9.2

Introduction:

OpenVPN is open source software for creating a virtual private network (VPN), which lets you access protected network resources and browse the Internet securely. It creates encrypted point-to-point tunnels between two computers over an insecure network.

Installation Steps:

Step 1: Check the OS version by using the below command

[root@Linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

Step 2: Install the EPEL release package by using the below command

[root@Linuxhelp ~]# dnf install epel-release
Rocky Linux 9 - BaseOS                                                                 4.6 kB/s | 4.1 kB     00:00    
Rocky Linux 9 - BaseOS                                                                 1.0 MB/s | 1.9 MB     00:01    
Rocky Linux 9 - AppStream                                                              4.3 kB/s | 4.5 kB     00:01    
Rocky Linux 9 - AppStream                                                              2.2 MB/s | 7.1 MB     00:03    
Rocky Linux 9 - Extras                                                                 2.6 kB/s | 2.9 kB     00:01    
Rocky Linux 9 - Extras                                                                 7.0 kB/s |  11 kB     00:01    
Dependencies resolved.
=======================================================================================================================
 Package                         Architecture              Version                     Repository                 Size
=======================================================================================================================
Installing:
 epel-release                    noarch                    9-7.el9                     extras                     19 k

Transaction Summary
=======================================================================================================================
Install  1 Package

Total download size: 19 k
Installed size: 26 k
Is this ok [y/N]: y
Downloading Packages:
epel-release-9-7.el9.noarch.rpm                                                         47 kB/s |  19 kB     00:00    
-----------------------------------------------------------------------------------------------------------------------
Total                                                                                   16 kB/s |  19 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                               1/1 
  Installing       : epel-release-9-7.el9.noarch                                                                   1/1 
  Running scriptlet: epel-release-9-7.el9.noarch                                                                   1/1 
Many EPEL packages require the CodeReady Builder (CRB) repository.
It is recommended that you run /usr/bin/crb enable to enable the CRB repository.

  Verifying        : epel-release-9-7.el9.noarch                                                                   1/1 

Installed:
  epel-release-9-7.el9.noarch                                                                                          

Complete!

Step 3: Before setting up the VPN, check the public IP address of the server by using the below command

[root@Linuxhelp ~]# curl ifconfig.me

Step 4: Download the OpenVPN installer script by using the below command

[root@Linuxhelp ~]# wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
--2023-10-26 07:57:06--  https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40820 (40K) [text/plain]
Saving to: ‘openvpn-install.sh’
openvpn-install.sh            100%[================================================>]  39.86K  --.-KB/s    in 0.007s  
2023-10-26 07:57:07 (5.57 MB/s) - ‘openvpn-install.sh’ saved [40820/40820]

Step 4: Long list the files by using the below command

[root@Linuxhelp ~]# ll
total 44
-rw-------. 1 root root  1039 Aug 13 22:24 anaconda-ks.cfg
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Desktop
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Documents
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Downloads
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Music
-rw-r--r--. 1 root root 40820 Oct 26 07:57 openvpn-install.sh
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Pictures
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Public
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Templates
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Videos

Step 5: Set execute permission for the installer script by using the below command

[root@Linuxhelp ~]# chmod +x openvpn-install.sh

Step 6: Long list the files and check whether the installer script has executable permissions by using the below command

[root@Linuxhelp ~]# ll
total 44
-rw-------. 1 root root  1039 Aug 13 22:24 anaconda-ks.cfg
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Desktop
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Documents
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Downloads
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Music
-rwxr-xr-x. 1 root root 40820 Oct 26 07:57 openvpn-install.sh
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Pictures
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Public
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Templates
drwxr-xr-x. 2 root root     6 Aug 13 22:33 Videos

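Step 7: Execute the installer script by using the below command and provide the information it asks for. The syntax error reported for line 60 appears when the script's [[ test receives the value 9.2; it does not stop the installation, as the output below shows.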

[root@Linuxhelp ~]# ./openvpn-install.sh 
./openvpn-install.sh: line 60: [[: 9.2: syntax error: invalid arithmetic operator (error token is ".2")
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: <***Public IP***>

Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 11

Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Extra Packages for Enterprise Linux 9 - x86_64                                         5.5 MB/s |  19 MB     00:03    
Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64                   593  B/s | 2.5 kB     00:04    
Package epel-release-9-7.el9.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Last metadata expiration check: 0:00:04 ago on Thursday 26 October 2023 08:05:05 AM.
Package iptables-nft-1.8.8-6.el9_1.x86_64 is already installed.
Package policycoreutils-python-utils-3.5-1.el9.noarch is already installed.
Dependencies resolved.
=======================================================================================================================
 Package                      Architecture        Version                                    Repository           Size
=======================================================================================================================
Installing:
 openvpn                      x86_64              2.5.9-1.el9                                epel                654 k
Upgrading:
 ca-certificates              noarch              2023.2.60_v7.0.306-90.1.el9_2              baseos              835 k
 curl                         x86_64              7.76.1-23.el9_2.4                          baseos              294 k
 libcurl                      x86_64              7.76.1-23.el9_2.4                          baseos              283 k
Installing dependencies:
 pkcs11-helper                x86_64              1.27.0-6.el9                               epel                 62 k

Transaction Summary
=======================================================================================================================
Install  2 Packages
Upgrade  3 Packages

Total download size: 2.1 M
Downloading Packages:
(1/5): ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch.rpm                        1.5 MB/s | 835 kB     00:00    
(2/5): pkcs11-helper-1.27.0-6.el9.x86_64.rpm                                            97 kB/s |  62 kB     00:00    
(3/5): libcurl-7.76.1-23.el9_2.4.x86_64.rpm                                            1.7 MB/s | 283 kB     00:00    
(4/5): curl-7.76.1-23.el9_2.4.x86_64.rpm                                               1.5 MB/s | 294 kB     00:00    
(5/5): openvpn-2.5.9-1.el9.x86_64.rpm                                                  249 kB/s | 654 kB     00:02    
-----------------------------------------------------------------------------------------------------------------------
Total                                                                                  483 kB/s | 2.1 MB     00:04     
Extra Packages for Enterprise Linux 9 - x86_64                                         359 kB/s | 1.6 kB     00:00    
Importing GPG key 0x3228467C:
 Userid     : "Fedora (epel9) <epel@fedoraproject.org>"
 Fingerprint: FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                               1/1 
  Upgrading        : libcurl-7.76.1-23.el9_2.4.x86_64                                                              1/8 
  Installing       : pkcs11-helper-1.27.0-6.el9.x86_64                                                             2/8 
  Running scriptlet: openvpn-2.5.9-1.el9.x86_64                                                                    3/8 
  Installing       : openvpn-2.5.9-1.el9.x86_64                                                                    3/8 
  Running scriptlet: openvpn-2.5.9-1.el9.x86_64                                                                    3/8 
  Upgrading        : curl-7.76.1-23.el9_2.4.x86_64                                                                 4/8 
  Running scriptlet: ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch                                          5/8 

Upgraded:
  ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch curl-7.76.1-23.el9_2.4.x86_64 libcurl-7.76.1-23.el9_2.4.x86_64
Installed:
  openvpn-2.5.9-1.el9.x86_64                             pkcs11-helper-1.27.0-6.el9.x86_64                            

Complete!
--2023-10-26 08:05:24--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
Resolving github.com (github.com)... 20.207.73.82
Connecting to github.com (github.com)|20.207.73.82|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231026%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231026T023524Z&X-Amz-Expires=300&X-Amz-Signature=a0d05853137e17b8c040f6cf11a9412cc3b798571095bc0197d2cbc5b4e70d4d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [following]
--2023-10-26 08:05:25--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231026%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231026T023524Z&X-Amz-Expires=300&X-Amz-Signature=a0d05853137e17b8c040f6cf11a9412cc3b798571095bc0197d2cbc5b4e70d4d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68984 (67K) [application/octet-stream]
Saving to: ‘/root/easy-rsa.tgz’

/root/easy-rsa.tgz            100%[================================================>]  67.37K  --.-KB/s    in 0.01s   

2023-10-26 08:05:25 (5.26 MB/s) - ‘/root/easy-rsa.tgz’ saved [68984/68984]

Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /etc/systemd/system/openvpn-server@.service.
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: Linuxhelp.com
Client name: Linuxhelp

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

* Using SSL: openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/Linuxhelp.req
key: /etc/openvpn/easy-rsa/pki/private/Linuxhelp.key
Using configuration from /etc/openvpn/easy-rsa/pki/e80aefa1/temp.ff9a5102
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'Linuxhelp'
Certificate is to be certified until Jan 28 02:36:54 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/Linuxhelp.crt

The configuration file has been written to /root/Linuxhelp.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

Step 8: Enable and start the OpenVPN service by using the below commands

[root@Linuxhelp ~]# systemctl enable openvpn-server@server.service
[root@Linuxhelp ~]# systemctl start openvpn-server@server.service

Step 9: Check the status of the OpenVPN service by using the below command

[root@Linuxhelp ~]# systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/etc/systemd/system/openvpn-server@.service; enabled; preset: disabled)
     Active: active (running) since Thu 2023-10-26 08:05:29 IST; 3min 4s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 7143 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 22877)
     Memory: 1.3M
        CPU: 77ms
     CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
             └─7143 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-tim>

Oct 26 08:05:29 Linuxhelp openvpn[7143]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Oct 26 08:05:30 Linuxhelp openvpn[7143]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Oct 26 08:05:30 Linuxhelp openvpn[7143]: UDPv4 link local (bound): [AF_INET][undef]:1194
Oct 26 08:05:30 Linuxhelp openvpn[7143]: UDPv4 link remote: [AF_UNSPEC]
Oct 26 08:05:30 Linuxhelp openvpn[7143]: GID set to nobody
Oct 26 08:05:30 Linuxhelp openvpn[7143]: UID set to nobody
Oct 26 08:05:30 Linuxhelp openvpn[7143]: MULTI: multi_init called, r=256 v=256
Oct 26 08:05:30 Linuxhelp openvpn[7143]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
Oct 26 08:05:30 Linuxhelp openvpn[7143]: IFCONFIG POOL LIST
Oct 26 08:05:30 Linuxhelp openvpn[7143]: Initialization Sequence Completed
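
The answers given in Step 7 (no compression, a passwordless client) and the "UID set to nobody" / "GID set to nobody" lines above can be checked after installation. The following is an added example, not code from this article or from the installer project: the function names, check labels and sample files are constructed for illustration, and the path of the server configuration file is left for you to supply.

```shell
#!/bin/sh
# Added example, not part of openvpn-install.sh: post-install audit helpers.

# has_directive FILE NAME...: true if any NAME is an active (uncommented) directive.
has_directive() {
    f=$1; shift
    for d in "$@"; do
        grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$f" && return 0
    done
    return 1
}

# audit_server_conf FILE: prints one OK/FAIL line per check.
audit_server_conf() {
    # Step 7 declined compression (VORACLE), so no compress/comp-lzo line should be active.
    if has_directive "$1" compress comp-lzo; then echo "FAIL compression"
    else echo "OK compression"; fi
    # Step 9 logs "UID set to nobody" and "GID set to nobody": needs both user and group.
    if has_directive "$1" user && has_directive "$1" group; then echo "OK privdrop"
    else echo "FAIL privdrop"; fi
}

# audit_client_profile FILE: a passwordless profile embeds a plaintext private key,
# so it must not be readable by group or other.
audit_client_profile() {
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "OK key-encrypted"; return 0
    fi
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    if [ "$perms" = "------" ]; then echo "OK key-plaintext-private"
    else echo "FAIL key-plaintext-readable"; fi
}

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d)
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'user nobody' 'group nobody' \
    'server 10.8.0.0 255.255.255.0' > "$demo/hardened.conf"
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' ';user nobody' 'compress lz4-v2' \
    'server 10.8.0.0 255.255.255.0' > "$demo/weak.conf"
printf '%s\n' 'client' 'proto udp' 'remote 203.0.113.10 1194' '<key>' \
    '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' \
    '-----END PRIVATE KEY-----' '</key>' > "$demo/client.ovpn"
chmod 644 "$demo/client.ovpn"

audit_server_conf "$demo/hardened.conf"
audit_server_conf "$demo/weak.conf"
audit_client_profile "$demo/client.ovpn"
```

On the server, pass the installed server configuration file to audit_server_conf and /root/Linuxhelp.ovpn to audit_client_profile; a FAIL on the profile is cleared by chmod 600 on that file.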

Conclusion:

We have reached the end of this article. In this guide, we have walked you through the steps required to install and configure OpenVPN server on Rocky Linux 9.2. Your feedback is most welcome.

FAQ

Q: Where can I find logs for OpenVPN troubleshooting?
A: OpenVPN logs can be found in /var/log/openvpn/openvpn.log. You can use this log to troubleshoot any issues.

Q: What is the default port for OpenVPN?
A: By default, Access Server comes configured with OpenVPN daemons listening on UDP port 1194 and TCP port 443.

Q: How to check the OpenVPN version?
A: To check the OpenVPN version, use openvpn --version

Q: Is IPv6 supported?
A: Full IPv6 transport and payload support is available in OpenVPN 2.3.x.

Q: What is the purpose of OpenVPN?
A: Open source OpenVPN uses VPN technologies to secure and encrypt data sent over the internet.