OpenVPN – All traffic through VPN


Route traffic from any device through the VPN. The main convenience is that new devices can be connected without creating accounts, passwords, etc. The connection is fast and encrypted.

All steps were performed on CentOS 7.

Install the EPEL repository if it is not already in the system and install the necessary packages:

yum install epel-release -y
yum install openvpn easy-rsa -y

Create a configuration file:

vim /etc/openvpn/server.conf

And copy the following into it:

port 1194

proto tcp
dev-type tun
dev tun

ca ca.crt
cert server.crt
key server.key

dh dh2048.pem

topology subnet

txqueuelen 250
keepalive 300 900

cipher AES-128-CBC
ncp-ciphers AES-128-GCM

user nobody
group nobody



status openvpn-status.log

push "redirect-gateway def1"
push "remote-gateway"
push "dhcp-option DNS"

Create a folder for keys and copy the necessary scripts to create them:

mkdir -p /etc/openvpn/easy-rsa/keys
cp -a /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

For convenience, we can set the information needed for creating keys in environment variables once, so that we do not have to enter it every time:

vim /etc/openvpn/easy-rsa/vars

Edit it to look like this:

export KEY_CITY="Kiev"
export KEY_ORG="openvpn"
export KEY_EMAIL="[email protected]"
export KEY_OU="VPN"
export KEY_NAME="openvpn"
export KEY_CN=""

Copy the OpenSSL configuration:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Go to the folder with the key-creation scripts, load the variables, and clear the keys directory for our future keys:

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all

Create a root certificate:

./build-ca

Create a key and a public certificate:

./build-key-server server

Create a Diffie-Hellman key:

./build-dh

Let’s go to the directory with the keys and certificates that we created:

cd /etc/openvpn/easy-rsa/keys

And copy the files we need to the OpenVPN directory:

cp -a dh2048.pem ca.crt server.crt server.key /etc/openvpn


It is important that these files retain their permissions after copying.


Create a certificate and a key for the client:

cd /etc/openvpn/easy-rsa
./build-key client

The configuration below is given for iptables. If firewalld is in use, you can disable it as follows:

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush

Add the rule to iptables and save:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables


Be sure to check that the interface name is correct; in my case it is eth0.


In the file “/etc/sysctl.conf” we enable packet forwarding:

net.ipv4.ip_forward = 1

And restart the network service:

systemctl restart network.service

Add the OpenVPN service to autorun and start it:

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

Create a client configuration file for connecting to the server, with the necessary keys and certificates embedded directly in it:

vim openvpn.ovpn

And copy the following into it:

remote 1194


remote-cert-tls server

cipher AES-128-CBC

setenv opt ncp-ciphers AES-128-GCM

setenv opt block-outside-dns

dev tun

# must match the proto set in server.conf
proto tcp


<ca>
FILE CONTENTS ca.crt
</ca>

<cert>
FILE CONTENTS client.crt
</cert>

<key>
FILE CONTENTS client.key
</key>

Then this file can be imported to client devices and connected to the server.
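One way to assemble that single-file profile from the easy-rsa output instead of pasting by hand, as an added example that is not part of the original article. The helper names `build_ovpn` and `pem_block` and the server name `vpn.example.com` are hypothetical, and the `client` directive is an assumption that the client config above does not show.

```shell
#!/bin/sh
# Added example: build a client profile with inline credentials.
# Directives mirror the client config above; "client" is an assumption.

# pem_block FILE: print only the PEM section, dropping the human-readable
# text dump that easy-rsa 2.0 writes above the certificate.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn SERVER KEYDIR NAME OUTFILE
build_ovpn() {
    server=$1 keydir=$2 name=$3 out=$4
    # Refuse to write a profile if any credential is missing or empty.
    for f in "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # The profile embeds the private key: create it owner-readable only.
    ( umask 077
      {
        printf 'client\nremote %s 1194\nproto tcp\ndev tun\n' "$server"
        printf 'remote-cert-tls server\ncipher AES-128-CBC\n'
        printf 'setenv opt ncp-ciphers AES-128-GCM\n'
        printf 'setenv opt block-outside-dns\n'
        printf '<ca>\n';   pem_block "$keydir/ca.crt";    printf '</ca>\n'
        printf '<cert>\n'; pem_block "$keydir/$name.crt"; printf '</cert>\n'
        printf '<key>\n';  pem_block "$keydir/$name.key"; printf '</key>\n'
      } > "$out"
    ) || return 1
    # Also tighten the mode if the output file already existed.
    chmod 600 "$out"
}

# Usage (server name is a placeholder):
#   build_ovpn vpn.example.com /etc/openvpn/easy-rsa/keys client openvpn.ovpn
```

Because the resulting file contains the client's private key, transfer it to the device over a trusted channel and delete intermediate copies.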
