How to install and configure OpenVPN Server on Rocky Linux 9.2
Introduction:
OpenVPN is open-source software for creating a virtual private network (VPN) that lets you access protected network resources and browse the Internet securely. It creates secure, encrypted point-to-point tunnels between two computers over an insecure network.
Installation Steps:
Step 1: Check the OS version by using the below command
[root@Linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
Step 2: Install the EPEL release package by using the below command
[root@Linuxhelp ~]# dnf install epel-release
Rocky Linux 9 - BaseOS 4.6 kB/s | 4.1 kB 00:00
Rocky Linux 9 - BaseOS 1.0 MB/s | 1.9 MB 00:01
Rocky Linux 9 - AppStream 4.3 kB/s | 4.5 kB 00:01
Rocky Linux 9 - AppStream 2.2 MB/s | 7.1 MB 00:03
Rocky Linux 9 - Extras 2.6 kB/s | 2.9 kB 00:01
Rocky Linux 9 - Extras 7.0 kB/s | 11 kB 00:01
Dependencies resolved.
=======================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================
Installing:
epel-release noarch 9-7.el9 extras 19 k
Transaction Summary
=======================================================================================================================
Install 1 Package
Total download size: 19 k
Installed size: 26 k
Is this ok [y/N]: y
Downloading Packages:
epel-release-9-7.el9.noarch.rpm 47 kB/s | 19 kB 00:00
-----------------------------------------------------------------------------------------------------------------------
Total 16 kB/s | 19 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : epel-release-9-7.el9.noarch 1/1
Running scriptlet: epel-release-9-7.el9.noarch 1/1
Many EPEL packages require the CodeReady Builder (CRB) repository.
It is recommended that you run /usr/bin/crb enable to enable the CRB repository.
Verifying : epel-release-9-7.el9.noarch 1/1
Installed:
epel-release-9-7.el9.noarch
Complete!
Step 3: Before setting up the VPN, check the server's public IP address by using the below command
[root@Linuxhelp ~]# curl ifconfig.me
Step 4: Download the OpenVPN installer script by using the below command
[root@Linuxhelp ~]# wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
--2023-10-26 07:57:06-- https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40820 (40K) [text/plain]
Saving to: ‘openvpn-install.sh’
openvpn-install.sh 100%[================================================>] 39.86K --.-KB/s in 0.007s
2023-10-26 07:57:07 (5.57 MB/s) - ‘openvpn-install.sh’ saved [40820/40820]
Step 4: Long list the files by using the below command
[root@Linuxhelp ~]# ll
total 44
-rw-------. 1 root root 1039 Aug 13 22:24 anaconda-ks.cfg
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Desktop
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Documents
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Downloads
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Music
-rw-r--r--. 1 root root 40820 Oct 26 07:57 openvpn-install.sh
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Pictures
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Public
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Templates
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Videos
Step 5: Set execute permission for the installer script by using the below command
[root@Linuxhelp ~]# chmod +x openvpn-install.sh
Step 6: Long list the files and check whether the installer script has executable permissions by using the below command
[root@Linuxhelp ~]# ll
total 44
-rw-------. 1 root root 1039 Aug 13 22:24 anaconda-ks.cfg
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Desktop
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Documents
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Downloads
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Music
-rwxr-xr-x. 1 root root 40820 Oct 26 07:57 openvpn-install.sh
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Pictures
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Public
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Templates
drwxr-xr-x. 2 root root 6 Aug 13 22:33 Videos
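The steps above fetch the installer from the repository's master branch and the next step runs it as root, so whatever that branch contains at download time executes with full privileges. The following is an added example, not part of the original guide or of the openvpn-install project: a POSIX shell check that compares the file with a SHA-256 digest recorded after reviewing it. The function name verify_installer, the <REVIEWED_COMMIT> placeholder and the stand-in file in the demo are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Fetch a pinned revision instead of the moving master branch,
# e.g. (placeholder, fill in the commit you reviewed):
#   https://raw.githubusercontent.com/Angristan/openvpn-install/<REVIEWED_COMMIT>/openvpn-install.sh

# verify_installer FILE SHA256: exit 0 and make FILE owner-executable only if
# its digest matches; exit 1 on mismatch; exit 2 on unusable arguments.
# The body runs in a subshell, so "exit" leaves the function, not your shell.
verify_installer() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "refusing: digest is not hex" >&2; exit 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "refusing: need 64 hex chars" >&2; exit 2; }
    [ -f "$file" ] || { echo "refusing: $file not found" >&2; exit 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: got $actual" >&2
        exit 1
    fi
    chmod 700 "$file"   # root runs it; chmod +x would leave it 755
    echo "OK: $file matches the recorded digest"
)

# Demo on a constructed stand-in file (not the real installer).
demo=$(mktemp)
printf '#!/bin/sh\necho "constructed stand-in"\n' > "$demo"
reviewed=$(sha256sum "$demo" | cut -d' ' -f1)   # digest recorded at review time
verify_installer "$demo" "$reviewed"            # passes
printf 'echo "line added after review"\n' >> "$demo"
verify_installer "$demo" "$reviewed" || echo "blocked: file changed since review"
rm -f "$demo"
```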
Step 7: Execute the installer script by using the below command and provide the information it asks for
[root@Linuxhelp ~]# ./openvpn-install.sh
./openvpn-install.sh: line 60: [[: 9.2: syntax error: invalid arithmetic operator (error token is ".2")
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: <***Public IP***>
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 11
Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Extra Packages for Enterprise Linux 9 - x86_64 5.5 MB/s | 19 MB 00:03
Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64 593 B/s | 2.5 kB 00:04
Package epel-release-9-7.el9.noarch is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Last metadata expiration check: 0:00:04 ago on Thursday 26 October 2023 08:05:05 AM.
Package iptables-nft-1.8.8-6.el9_1.x86_64 is already installed.
Package policycoreutils-python-utils-3.5-1.el9.noarch is already installed.
Dependencies resolved.
=======================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================
Installing:
openvpn x86_64 2.5.9-1.el9 epel 654 k
Upgrading:
ca-certificates noarch 2023.2.60_v7.0.306-90.1.el9_2 baseos 835 k
curl x86_64 7.76.1-23.el9_2.4 baseos 294 k
libcurl x86_64 7.76.1-23.el9_2.4 baseos 283 k
Installing dependencies:
pkcs11-helper x86_64 1.27.0-6.el9 epel 62 k
Transaction Summary
=======================================================================================================================
Install 2 Packages
Upgrade 3 Packages
Total download size: 2.1 M
Downloading Packages:
(1/5): ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch.rpm 1.5 MB/s | 835 kB 00:00
(2/5): pkcs11-helper-1.27.0-6.el9.x86_64.rpm 97 kB/s | 62 kB 00:00
(3/5): libcurl-7.76.1-23.el9_2.4.x86_64.rpm 1.7 MB/s | 283 kB 00:00
(4/5): curl-7.76.1-23.el9_2.4.x86_64.rpm 1.5 MB/s | 294 kB 00:00
(5/5): openvpn-2.5.9-1.el9.x86_64.rpm 249 kB/s | 654 kB 00:02
-----------------------------------------------------------------------------------------------------------------------
Total 483 kB/s | 2.1 MB 00:04
Extra Packages for Enterprise Linux 9 - x86_64 359 kB/s | 1.6 kB 00:00
Importing GPG key 0x3228467C:
Userid : "Fedora (epel9) <epel@fedoraproject.org>"
Fingerprint: FF8A D134 4597 106E CE81 3B91 8A38 72BF 3228 467C
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : libcurl-7.76.1-23.el9_2.4.x86_64 1/8
Installing : pkcs11-helper-1.27.0-6.el9.x86_64 2/8
Running scriptlet: openvpn-2.5.9-1.el9.x86_64 3/8
Installing : openvpn-2.5.9-1.el9.x86_64 3/8
Running scriptlet: openvpn-2.5.9-1.el9.x86_64 3/8
Upgrading : curl-7.76.1-23.el9_2.4.x86_64 4/8
Running scriptlet: ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch 5/8
Upgraded:
ca-certificates-2023.2.60_v7.0.306-90.1.el9_2.noarch curl-7.76.1-23.el9_2.4.x86_64 libcurl-7.76.1-23.el9_2.4.x86_64
Installed:
openvpn-2.5.9-1.el9.x86_64 pkcs11-helper-1.27.0-6.el9.x86_64
Complete!
--2023-10-26 08:05:24-- https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
Resolving github.com (github.com)... 20.207.73.82
Connecting to github.com (github.com)|20.207.73.82|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231026%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231026T023524Z&X-Amz-Expires=300&X-Amz-Signature=a0d05853137e17b8c040f6cf11a9412cc3b798571095bc0197d2cbc5b4e70d4d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [following]
--2023-10-26 08:05:25-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231026%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231026T023524Z&X-Amz-Expires=300&X-Amz-Signature=a0d05853137e17b8c040f6cf11a9412cc3b798571095bc0197d2cbc5b4e70d4d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68984 (67K) [application/octet-stream]
Saving to: ‘/root/easy-rsa.tgz’
/root/easy-rsa.tgz 100%[================================================>] 67.37K --.-KB/s in 0.01s
2023-10-26 08:05:25 (5.26 MB/s) - ‘/root/easy-rsa.tgz’ saved [68984/68984]
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /etc/systemd/system/openvpn-server@.service.
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: Linuxhelp.com
Client name: Linuxhelp
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
* Using SSL: openssl OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
-----
Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/Linuxhelp.req
key: /etc/openvpn/easy-rsa/pki/private/Linuxhelp.key
Using configuration from /etc/openvpn/easy-rsa/pki/e80aefa1/temp.ff9a5102
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'Linuxhelp'
Certificate is to be certified until Jan 28 02:36:54 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/Linuxhelp.crt
The configuration file has been written to /root/Linuxhelp.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
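Option 1 in the prompt above creates a client whose private key is not password-protected, so possession of Linuxhelp.ovpn is enough to connect as that client. The following is an added example, not from the original guide or the installer: a shell check for a profile that embeds its key inline, which is assumed here. The function name audit_profile and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# audit_profile FILE: print one finding per line; no output means no finding.
audit_profile() (
    f=$1
    [ -f "$f" ] || { echo "missing-file"; exit 0; }
    # Inline PEM key: encrypted keys say ENCRYPTED in the BEGIN line (PKCS#8)
    # or carry a "Proc-Type: 4,ENCRYPTED" header (traditional PEM).
    begin=$(grep -m1 -e '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    if [ -n "$begin" ]; then
        case $begin in
            *ENCRYPTED*) : ;;
            *) grep -q '^Proc-Type: 4,ENCRYPTED' "$f" || echo "plaintext-private-key" ;;
        esac
    fi
    # Characters 5-10 of "ls -l" are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || echo "group-other-perms:$perms"
    exit 0
)

# Constructed sample profile; the key body is a dummy string, not a real key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
proto udp
remote 203.0.113.10 1194
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtRFVNTVktS0VZ
-----END PRIVATE KEY-----
</key>
EOF
chmod 644 "$sample"
audit_profile "$sample"
rm -f "$sample"
```

A profile that reports plaintext-private-key should be moved to the client over an authenticated, encrypted channel and kept at mode 600 on both ends.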
Step 8: Enable and Start the OpenVPN service by using the below command
[root@Linuxhelp ~]# systemctl enable openvpn-server@server.service
[root@Linuxhelp ~]# systemctl start openvpn-server@server.service
Step 9: Check the status of the OpenVPN service by using the below command
[root@Linuxhelp ~]# systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server
Loaded: loaded (/etc/systemd/system/openvpn-server@.service; enabled; preset: disabled)
Active: active (running) since Thu 2023-10-26 08:05:29 IST; 3min 4s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 7143 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 22877)
Memory: 1.3M
CPU: 77ms
CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
└─7143 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-tim>
Oct 26 08:05:29 Linuxhelp openvpn[7143]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Oct 26 08:05:30 Linuxhelp openvpn[7143]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Oct 26 08:05:30 Linuxhelp openvpn[7143]: UDPv4 link local (bound): [AF_INET][undef]:1194
Oct 26 08:05:30 Linuxhelp openvpn[7143]: UDPv4 link remote: [AF_UNSPEC]
Oct 26 08:05:30 Linuxhelp openvpn[7143]: GID set to nobody
Oct 26 08:05:30 Linuxhelp openvpn[7143]: UID set to nobody
Oct 26 08:05:30 Linuxhelp openvpn[7143]: MULTI: multi_init called, r=256 v=256
Oct 26 08:05:30 Linuxhelp openvpn[7143]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
Oct 26 08:05:30 Linuxhelp openvpn[7143]: IFCONFIG POOL LIST
Oct 26 08:05:30 Linuxhelp openvpn[7143]: Initialization Sequence Completed
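The status output shows the daemon dropping privileges (UID and GID set to nobody), and the installer run in Step 7 declined compression. As an added example, not code from the guide or from the installer, the following shell function re-checks those properties in a server configuration file; pass it the path of the file the installer wrote, which this page does not show. The function name and the sample configuration are constructed; the directive names are standard OpenVPN options.

```shell
#!/bin/sh
# audit_server_conf FILE: print one finding per line; no output means clean.
audit_server_conf() (
    # Drop comments (# or ;), collapse whitespace, drop empty lines.
    clean=$(sed -e 's/[#;].*//' -e 's/[[:space:]]\{1,\}/ /g' \
                -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$' || true)
    has() { printf '%s\n' "$clean" | grep -Eq "$1"; }

    # Settings that really compress (VORACLE, as the installer prompt warns);
    # "compress stub-v2" and "comp-lzo no" only keep framing and are not flagged.
    if has '^compress (lzo|lz4|lz4-v2)$' || has '^comp-lzo( yes| adaptive)?$'; then
        echo "compression-enabled"
    fi
    has '^tls-version-min 1\.[23]( |$)'       || echo "tls-version-min-below-1.2-or-unset"
    has '^(tls-crypt|tls-crypt-v2|tls-auth) ' || echo "no-tls-crypt-or-tls-auth"
    has '^user ' && has '^group '             || echo "no-privilege-drop"
    has '^crl-verify '                        || echo "no-crl-check"
    has '^duplicate-cn$'                      && echo "duplicate-cn-allowed"
    exit 0
)

# Constructed sample configuration with two deliberate weaknesses.
conf=$(mktemp)
cat > "$conf" <<'EOF'
port 1194
proto udp
user nobody
group nobody
compress lz4-v2      # weak: left on for the demo
tls-crypt tls-crypt.key
tls-version-min 1.2
;crl-verify crl.pem
EOF
audit_server_conf "$conf"
rm -f "$conf"
```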
Conclusion:
We have reached the end of this article. In this guide, we have walked you through the steps required to install and configure an OpenVPN server on Rocky Linux 9.2. Your feedback is very welcome.