How to Set Up a Linux VPN Server from a Windows Client

A VPN is important for securely connecting over the public internet to a server's resources on its private network or on a network behind a firewall, and for linking multiple private networks across company branches.

In this tutorial, we set up OpenVPN on CentOS 7 and configure a VPN connection from a Windows client.


Installation of Packages:

OpenVPN: open-source SSL VPN solution.

EPEL repo: OpenVPN is available in the EPEL repository, not in the default CentOS repositories.

Easy-RSA: used to create the keys and certificates for the VPN connection.

$ sudo yum install epel-release
$ sudo yum install openvpn easy-rsa


Prepare Easy-RSA for Keys and Certificates Generation

Create a directory to save the keys and certificates

$ sudo mkdir -p /etc/openvpn/easy-rsa/keys

Copy the easy-rsa scripts into the openvpn easy-rsa directory

$ sudo cp -rf /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/

Special Note: In this case, we are using Easy-RSA v3, which was the latest version at the time of writing this tutorial.

Change the ownership of the easy-rsa to the non-root user.

$ sudo chown -R linuxuser /etc/openvpn/easy-rsa/

Set up a new PKI by running the init-pki script

$ cd /etc/openvpn/easy-rsa
$ ./easyrsa init-pki


Special Note: The PKI directory is now /etc/openvpn/easy-rsa/pki

Build Certificate Authority

$ ./easyrsa build-ca nopass

The nopass option allows certificates to be signed without entering a password. For critical deployments that require a high level of security, it is recommended to leave out the nopass option so that the CA key is passphrase-protected.


Special Note: Certificate file is now at /etc/openvpn/easy-rsa/pki/ca.crt

Generate server keys and certificates and sign their requests

$ ./easyrsa gen-req centos7-hostadvice nopass

Command Structure

./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass

Note: Usually, the server keys are left unencrypted by using the "nopass" argument. This is solely because servers normally boot without any password input. The result is an unencrypted key, so protect its access and file permissions carefully.


Special Note: Server Keypair and certificate request files are now at
req: /etc/openvpn/easy-rsa/pki/reqs/centos7-hostadvice.req
key: /etc/openvpn/easy-rsa/pki/private/centos7-hostadvice.key

Import server certificate request into CA

On the CA, import the entity request file using a "short name", in this case “c7ha”. This just copies the request file into reqs/ under the PKI dir to prepare it for review and signing.

$ ./easyrsa import-req pki/reqs/centos7-hostadvice.req c7ha

Command Structure

$ ./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME


Review and sign the server request

Review the signing request to confirm the details are as you entered them

$ ./easyrsa show-req c7ha

Command Structure:

$ ./easyrsa show-req UNIQUE_SHORT_FILE_NAME


Sign the request:

$ ./easyrsa sign-req server c7ha

Command Structure

$ ./easyrsa sign-req server UNIQUE_SHORT_FILE_NAME

Special Note: The signed server certificate is now found at /etc/openvpn/easy-rsa/pki/issued/c7ha.crt

Generate client keys and certificates and sign their requests

$ ./easyrsa gen-req win-client0

Command Structure

./easyrsa gen-req UNIQUE_CLIENT_SHORT_NAME

It’s recommended to create encrypted private keys by leaving out the additional nopass option after the name. The nopass option should only be included if automated VPN startup is required. Unencrypted private keys could be utilized by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.


Special Note: Client keypair and certificate request files are now at
req: /etc/openvpn/easy-rsa/pki/reqs/win-client0.req
key: /etc/openvpn/easy-rsa/pki/private/win-client0.key

Import client certificate request into CA

On the CA, import the entity request file using a "short name", in this case “w7c”. This just copies the request file into reqs/ under the PKI dir to prepare it for review and signing.

$ ./easyrsa import-req pki/reqs/win-client0.req w7c

Command Structure

$ ./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME


Review and sign the client request

Review the signing request to confirm the details are as you entered them

$ ./easyrsa show-req w7c

Command Structure:

./easyrsa show-req UNIQUE_SHORT_FILE_NAME


Sign the request:

$ ./easyrsa sign-req client w7c

Command Structure

./easyrsa sign-req client UNIQUE_SHORT_FILE_NAME


Special Note: The signed client certificate is now found at /etc/openvpn/easy-rsa/pki/issued/w7c.crt

Generate Diffie-Hellman (DH) key exchange file

On the OpenVPN server, the DH parameters are required during the TLS handshake with connecting clients.

$ ./easyrsa gen-dh


Special note: The dh exchange file is now located at /etc/openvpn/easy-rsa/pki/dh.pem

Copy the OpenSSL config file to a version-less file name

$ cp openssl-1.0.cnf openssl.cnf

Reason: this prevents Easy-RSA from failing to load the OpenSSL configuration when it cannot detect the installed OpenSSL version.

Generate static encryption key for TLS authentication

$ sudo openvpn --genkey --secret /etc/openvpn/hostadvicevpn.tlsauth

Configure openvpn

Copy the sample server.conf OpenVPN config file into /etc/openvpn

$ sudo cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/

Edit the server.conf file

$ sudo vim /etc/openvpn/server.conf

Then uncomment and edit the following lines

ca easy-rsa/pki/ca.crt
cert easy-rsa/pki/issued/c7ha.crt
key easy-rsa/pki/private/centos7-hostadvice.key  # This file should be kept secret
dh easy-rsa/pki/dh.pem
topology subnet
server 10.128.0.0 255.255.255.0 # the VPN subnet that clients are assigned addresses from; pick a range that does not overlap your server's private network
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4"
tls-crypt hostadvicevpn.tlsauth
user nobody
group nobody
log-append  openvpn.log

Configure Firewalld and Routing

Check the active firewall zones in your server using the command:

$ sudo firewall-cmd --get-active-zones

Add the openvpn service and port 1194/udp (for client connections) to firewalld

$ sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
$ sudo firewall-cmd --permanent --zone=trusted --add-port=1194/udp

Add masquerading so that traffic from the OpenVPN subnet can be forwarded and routed

$ sudo firewall-cmd --permanent --zone=trusted --add-masquerade
$ PORTIN=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
$ sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.128.0.0/24 -o $PORTIN -j MASQUERADE

Reload firewalld to apply the changes

$ sudo firewall-cmd --reload

Enable IP forwarding so that all traffic from the client is forwarded out via the server's IP address; the client's own IP address remains hidden behind the masquerade.

$ sudo vim /etc/sysctl.conf

Add the line:

net.ipv4.ip_forward = 1

Then save the file


Then restart the network service

$ sudo systemctl restart network

Start and enable the OpenVPN service

$ sudo systemctl -f enable openvpn@server
$ sudo systemctl start openvpn@server

Confirm that OpenVPN is running

$ sudo systemctl status openvpn@server

Configure the Windows client for the VPN connection

Download the OpenVPN client for Windows from https://openvpn.net/index.php/open-source/downloads.html


Create the C:\Program Files\OpenVPN\config\key.txt if it does not exist.

Go to Start, then right click on “Generate a Static OpenVPN Key” > Run As Administrator


The key is generated and stored at C:\Program Files\OpenVPN\config\key.txt


Open the file, then uncomment and change the following parameters:

remote <server ip-address>
port 1194

Create the C:\Program Files\OpenVPN\log\client.log if it does not exist.

Go to Start > All Programs > OpenVPN > OpenVPN GUI, right-click it and select "Run as Administrator"
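To connect with the certificates generated above, the Windows client needs one configuration file that carries its credentials. The following script is an added example, not part of the original tutorial: it builds that file on the server from the PKI files created earlier (paths assumed as in this tutorial; the server address 203.0.113.10 in the usage comment is a placeholder). It mirrors server.conf: UDP on port 1194, the same hostadvicevpn.tlsauth key for tls-crypt, and remote-cert-tls so the client accepts only a certificate that our CA signed with the server role.

```shell
#!/bin/sh
# Added example, not from the original tutorial: bundle the client's
# credentials into a single client.ovpn for the Windows OpenVPN GUI.
# Assumed paths are the ones created earlier in this tutorial; the
# server IP is a placeholder passed in by the caller.
set -eu

# Emit a file as an OpenVPN inline block, e.g. <ca> ... </ca>.
# "awk 1" guarantees a trailing newline even if the file lacks one.
inline_block() {
    printf '<%s>\n' "$1"
    awk 1 "$2"
    printf '</%s>\n' "$1"
}

# build_client_ovpn PKI_DIR TLS_CRYPT_KEY SERVER_IP OUT_FILE
# The settings mirror server.conf above: UDP/1194, tls-crypt with the
# same hostadvicevpn.tlsauth the server loads, and remote-cert-tls so
# the client rejects any certificate our CA did not sign as "server".
build_client_ovpn() {
    pki="$1"; tlskey="$2"; server_ip="$3"; out="$4"
    for f in "$pki/ca.crt" "$pki/issued/w7c.crt" \
             "$pki/private/win-client0.key" "$tlskey"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
EOF
        inline_block ca        "$pki/ca.crt"
        inline_block cert      "$pki/issued/w7c.crt"
        inline_block key       "$pki/private/win-client0.key"
        inline_block tls-crypt "$tlskey"
    } > "$out"
    chmod 600 "$out"   # the bundle contains the client's private key
}

# Usage on the server (placeholder server address):
# build_client_ovpn /etc/openvpn/easy-rsa/pki \
#     /etc/openvpn/hostadvicevpn.tlsauth 203.0.113.10 ./win-client0.ovpn
```

Copy the resulting .ovpn into C:\Program Files\OpenVPN\config on the Windows machine over a secure channel; if win-client0.key was generated without nopass, as recommended above, the GUI prompts for its passphrase on connect.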

