{"id":5458,"date":"2020-04-15T23:09:28","date_gmt":"2020-04-15T20:09:28","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5458"},"modified":"2020-06-14T10:11:01","modified_gmt":"2020-06-14T07:11:01","slug":"install-and-configure-openvpn-client-on-centos-8-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-openvpn-client-on-centos-8-ubuntu-18-04\/","title":{"rendered":"Install and Configure OpenVPN Client on CentOS 8\/Ubuntu 18.04"},"content":{"rendered":"\n

In order to connect to an OpenVPN<\/a> server to allow you access your intranet local resources, you simply would need an OpenVPN client. In this guide, we are going to learn how to install and configure OpenVPN Client on CentOS 8\/Ubuntu 18.04. Note that the OpenVPN software can be configured to either work as the server or the client.<\/p>\n\n\n\n

Learn how to install and configure OpenVPN Server on CentOS 8 by following the link below;<\/p>\n\n\n\n

Setup OpenVPN Server on CentOS 8<\/a><\/p>\n\n\n\n

Install and Configure OpenVPN Client on CentOS 8\/Ubuntu 18.04<\/h2>\n\n\n\n

To demonstrate the communication of two servers on different Intranets, we have two servers, Ubuntu 18.04 and CentOS 8 which cannot communicate as they are on different LAN networks only reachable via the OpenVPN Server. The two servers have NAT interfaces only attached.<\/p>\n\n\n\n

Install OpenVPN Client on Ubuntu 18.04<\/h3>\n\n\n\n

OpenVPN maintains several OpenVPN (OSS) software repositories from which the latest and stable release version of OpenVPN client can be installed from. You however need to manually create these sources list as shown below;<\/p>\n\n\n\n

Install OpenVPN repository signing key.<\/p>\n\n\n\n

wget -O - https:\/\/swupdate.openvpn.net\/repos\/repo-public.gpg| sudo apt-key add -<\/code><\/pre>\n\n\n\n
Next, install the sources list for Ubuntu 18.04.<\/p>\n\n\n\n
echo \"deb http:\/\/build.openvpn.net\/debian\/openvpn\/stable $(lsb_release -sc) main\" | sudo tee \/etc\/apt\/sources.list.d\/openvpn-aptrepo.list<\/code><\/pre>\n\n\n\n
Update your package cache.<\/p>\n\n\n\n
apt update<\/code><\/pre>\n\n\n\n
Install OpenVPN Client on Ubuntu 18.04<\/p>\n\n\n\n
apt install openvpn<\/code><\/pre>\n\n\n\n
You can then verify the version by running the command below;<\/p>\n\n\n\n
openvpn --version<\/code><\/pre>\n\n\n\n
Install OpenVPN Client on CentOS 8<\/h3>\n\n\n\n
On CentOS 8, the latest OpenVPN, version 2.4.8 as of this writing, is provided by the EPEL repos.<\/p>\n\n\n\n
dnf info openvpn<\/code><\/pre>\n\n\n\n
Name         : openvpn\nVersion      : 2.4.8<\/strong>\nRelease      : 1.el8\nArch         : x86_64\nSize         : 540 k\nSource       : openvpn-2.4.8-1.el8.src.rpm\nRepo         : epel<\/strong>\nSummary      : A full-featured SSL VPN solution\nURL          : https:\/\/community.openvpn.net\/\nLicense      : GPLv2\n...<\/code><\/pre>\n\n\n\n
To install OpenVPN client on CentOS 8, you need to install EPEL repos, if you have not;<\/p>\n\n\n\n
dnf install epel-release<\/code><\/pre>\n\n\n\n
You can then install OpenVPN client by executing the command;<\/p>\n\n\n\n
dnf install openvpn<\/code><\/pre>\n\n\n\n
Configure OpenVPN Client on CentOS 8\/Ubuntu 18.04<\/a><\/h3>\n\n\n\n
To be able to connect to OpenVPN server, you need to create the client’s configuration containing the CA certificate, the client server certificate and the key.<\/p>\n\n\n\n
If you followed our guide on setting up OpenVPN server on CentOS 8<\/a>, we described how to generate the clients certificate files and keys.<\/p>\n\n\n\n
Once you have generated the keys, copy them to the client and take a note of the path where they are stored.<\/p>\n\n\n\n
You also need to copy the HMAC key and the CA cert to the client.<\/p>\n\n\n\n
You can then create the OpenVPN client configuration.<\/p>\n\n\n\n
For example, to create an OpenVPN configuration file for the client, koromicha<\/strong>, whose certificates and keys are, koromicha.crt<\/strong> and koromicha.key<\/strong>;<\/p>\n\n\n\n
vim koromicha.ovpn<\/code><\/pre>\n\n\n\n
client\ntls-client\npull\ndev tun\nproto udp4\nremote 192.168.2.132 1194<\/strong>\nresolv-retry infinite\nnobind\n#user nobody\n#group nogroup\npersist-key\npersist-tun\nkey-direction 1\nremote-cert-tls server\nauth-nocache\ncomp-lzo\nverb 3\nauth SHA512\ntls-auth ta.key 1<\/strong>\nca ca.crt\ncert koromicha.crt\nkey koromicha.key<\/strong><\/code><\/pre>\n\n\n\n
Note that in this setup, the client certificate, the key, the CA certificate and the HMAC key are located on the same path as the OpenVPN client configuration itself, koromicha.ovpn.<\/p>\n\n\n\n
ls<\/code><\/pre>\n\n\n\n
ca.crt koromicha.crt koromicha.key koromicha.ovpn ta.key<\/strong><\/code><\/pre>\n\n\n\n
In order to avoid the issues with the paths to the certificates and the keys, you can put them inline on the configuration file;<\/p>\n\n\n\n
client\ntls-client\npull\ndev tun\nproto udp4\nremote 192.168.2.132 1194\nresolv-retry infinite\nnobind\n#user nobody\n#group nogroup\npersist-key\npersist-tun\nkey-direction 1\nremote-cert-tls server\nauth-nocache\ncomp-lzo\nverb 3\nauth SHA512\n<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\nfeb1af5407baa247d4e772c76aed6c75\n...\n-----END OpenVPN Static key V1-----\n<\/tls-auth>\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBAgIUX0VQrHTgLDabUUIOAf7tD9cGp4YwDQYJKoZIhvcNAQEL\n...\nWA9BBk2shVWfR849Lmkep+GPyqHpU47dZAz37ARB2Gfu3w==\n-----END CERTIFICATE-----\n<\/ca>\n<cert>\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n...\n\/7FvJaeLqmUHnvSs5eBlRZSgtOL19SCFkG0HXdnw3LtBaoHQXxgzOkDPW1+5\n-----END CERTIFICATE-----\n<\/cert>\n<key>\n-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+DI7kg6MsRoCs\n...\n6WdLcNtWKAcU294xJEZoOA8\/\n-----END PRIVATE KEY-----\n<\/key><\/code><\/pre>\n\n\n\n
Do the same on all the  client servers for every user that needs to connect to the vpn.<\/p>\n\n\n\n
If you noticed, the lines below are commented to avoid the error, ERROR: Linux route add command failed: external program exited with error status: 2<\/strong> by flushing created routes before adding them again on reconnection.<\/p>\n\n\n\n
#user nobody\n#group nogroup<\/strong><\/code><\/pre>\n\n\n\n
The OpenVPN client configuration file is now ready.<\/p>\n\n\n\n
You can then connect to OpenVPN server on demand or configure your server to establish VPN configuration file whenever the system reboots.<\/p>\n\n\n\n
To connect on demand, simple use the openvpn command as;<\/p>\n\n\n\n
sudo openvpn client.ovpn<\/code><\/pre>\n\n\n\n
or<\/p>\n\n\n\n
sudo openvpn --config client.ovpn<\/code><\/pre>\n\n\n\n
If the connection to the OpenVPN server is successful, you should see an Initialization Sequence Completed<\/code>.<\/p>\n\n\n\n
...\nWed Apr 14 15:23:19 2020 ROUTE_GATEWAY 10.0.2.2\/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:8d:b0:f8\nWed Apr 14 15:23:19 2020 TUN\/TAP device tun0 opened\nWed Apr 14 15:23:19 2020 TUN\/TAP TX queue length set to 100\nWed Apr 14 15:23:19 2020 \/sbin\/ip link set dev tun0 up mtu 1500\nWed Apr 14 15:23:19 2020 \/sbin\/ip addr add dev tun0 10.8.0.3\/24 broadcast 10.8.0.255\nWed Apr 14 15:23:19 2020 \/sbin\/ip route add 192.168.2.132\/32 via 10.0.2.2\nWed Apr 14 15:23:19 2020 \/sbin\/ip route add 0.0.0.0\/1 via 10.8.0.1\nWed Apr 14 15:23:19 2020 \/sbin\/ip route add 128.0.0.0\/1 via 10.8.0.1\nWed Apr 14 15:23:19 2020 Initialization Sequence Completed<\/strong><\/code><\/pre>\n\n\n\n
To check the IP addresses;<\/p>\n\n\n\n
[koromicha@centos8 ~]$ ip add show tun0<\/strong>\n6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet 10.8.0.3\/24 brd 10.8.0.255 <\/strong>scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::8d65:4038:acb0:b954\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\n\n
koromicha@ubuntu1804:~$ ip add show tun0<\/strong>\n10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet 10.8.0.2\/24 brd 10.8.0.255<\/strong> scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::bd3d:27ff:84d5:e587\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n
Test connectivity between the two remote servers;<\/p>\n\n\n\n
koromicha@ubuntu1804:~$ ping 10.8.0.3 -c 4\nPING 10.8.0.3 (10.8.0.3) 56(84) bytes of data.\n64 bytes from 10.8.0.3: icmp_seq=1 ttl=64 time=3.78 ms\n64 bytes from 10.8.0.3: icmp_seq=2 ttl=64 time=3.59 ms\n64 bytes from 10.8.0.3: icmp_seq=3 ttl=64 time=3.61 ms\n64 bytes from 10.8.0.3: icmp_seq=4 ttl=64 time=3.30 ms\n\n--- 10.8.0.3 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3007ms\nrtt min\/avg\/max\/mdev = 3.307\/3.576\/3.786\/0.172 ms<\/code><\/pre>\n\n\n\n
[koromicha@centos8 ~]$ ping 10.8.0.2 -c 4\nPING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.\n64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=6.77 ms\n64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=1.57 ms\n64 bytes from 10.8.0.2: icmp_seq=3 ttl=64 time=4.37 ms\n64 bytes from 10.8.0.2: icmp_seq=4 ttl=64 time=13.6 ms\n\n--- 10.8.0.2 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 15ms\nrtt min\/avg\/max\/mdev = 1.571\/6.572\/13.577\/4.443 ms<\/code><\/pre>\n\n\n\n
You should also be able to get internet access depending on your server routes setup.<\/p>\n\n\n\n
Running OpenVPN Client as a Systemd Service<\/h3>\n\n\n\n
In order to establish connections automatically whenever the server reboots, you can enable OpenVPN client systemd service.<\/p>\n\n\n\n
Before you can do this, change the extension of your VPN config file from .ovpn<\/strong><\/code> to .conf<\/code><\/strong>. Replace the file names accordingly.<\/p>\n\n\n\n
cp koromicha.ovpn koromicha.conf<\/code><\/pre>\n\n\n\n
Copy the .conf<\/code><\/strong> file to OpenVPN client configurations directory, \/etc\/openvpn\/client<\/code><\/strong>.<\/p>\n\n\n\n
cp koromicha.conf \/etc\/openvpn\/client<\/code><\/strong><\/code><\/pre>\n\n\n\n
Next, start OpenVPN client systemd service. Replace the name koromicha<\/strong> with the name of your .conf configuration file.<\/p>\n\n\n\n
systemctl start openvpn-client@koromicha<\/strong><\/code><\/pre>\n\n\n\n
To check the status;<\/p>\n\n\n\n
systemctl status openvpn-client@koromicha<\/code><\/pre>\n\n\n\n
\u25cf openvpn-client@koromicha.service - OpenVPN tunnel for koromicha\n   Loaded: loaded (\/lib\/systemd\/system\/openvpn-client@.service; disabled; vendor preset: enabled)\n   Active: active (running) since Wed 2020-04-14 16:00:35 EAT; 8s ago\n     Docs: man:openvpn(8)\n           https://community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\n           https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\n Main PID: 6877 (openvpn)\n   Status: \"Initialization Sequence Completed\"\n    Tasks: 1 (limit: 2300)\n   CGroup: \/system.slice\/system-openvpn\\x2dclient.slice\/openvpn-client@koromicha.service\n           \u2514\u25006877 \/usr\/sbin\/openvpn --suppress-timestamps --nobind --config koromicha.conf\n\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: ROUTE_GATEWAY 10.0.2.2\/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:4b:ff:18\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: TUN\/TAP device tun0 opened\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: TUN\/TAP TX queue length set to 100\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: \/sbin\/ip link set dev tun0 up mtu 1500\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: \/sbin\/ip addr add dev tun0 10.8.0.2\/24 broadcast 10.8.0.255\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: \/sbin\/ip route add 192.168.2.132\/32 via 10.0.2.2\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: \/sbin\/ip route add 0.0.0.0\/1 via 10.8.0.1\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: \/sbin\/ip route add 128.0.0.0\/1 via 10.8.0.1\nElb 14 16:00:37 ubuntu1804.kifarunix-demo.com openvpn[6877]: Initialization Sequence Completed<\/code><\/pre>\n\n\n\n
To enable it to run on system boot;<\/p>\n\n\n\n
systemctl enable openvpn-client@koromicha<\/code><\/pre>\n\n\n\n
You have successfully installed and setup OpenVPN client on Ubuntu 18.04 and CentOS 8. That brings us to the end of our tutorial on how to install and configure OpenVPN Client on CentOS 8\/Ubuntu 18.04.<\/p>\n\n\n\n
Related Tutorials<\/h3>\n\n\n\n
Assign Static IP Addresses for OpenVPN Clients<\/a><\/p>\n\n\n\n
Configure strongSwan VPN Client on Ubuntu 18.04\/CentOS 8<\/a><\/p>\n\n\n\n
Configure IPSEC VPN using StrongSwan on Ubuntu 18.04<\/a><\/p>\n\n\n\n
Install and Configure OpenVPN Server FreeBSD 12<\/a><\/p>\n\n\n\n
Install and Setup OpenVPN Server on Fedora 29\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In order to connect to an OpenVPN server to allow you access your intranet local resources, you simply would need an OpenVPN client. In this<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,282,34,321],"tags":[1142,283,1433,1434,67,323,1431],"class_list":["post-5458","post","type-post","status-publish","format-standard","hentry","category-howtos","category-openvpn","category-security","category-vpn","tag-centos-8","tag-openvpn","tag-openvpn-client","tag-openvpn-client-centos-8","tag-ubuntu-18-04","tag-vpn","tag-vpn-client-ubuntu-18-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5458"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5458"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5458\/revisions"}],"predecessor-version":[{"id":6177,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5458\/revisions\/6177"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}