{"id":9410,"date":"2021-06-30T23:14:54","date_gmt":"2021-06-30T20:14:54","guid":{"rendered":"https:\/\/kifarunix.com\/?p=9410"},"modified":"2024-03-18T20:10:02","modified_gmt":"2024-03-18T17:10:02","slug":"install-and-configure-openvpn-client-on-rocky-linux-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-openvpn-client-on-rocky-linux-8\/","title":{"rendered":"Install and Configure OpenVPN Client on Rocky Linux 8"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install and configure OpenVPN Client on Rocky Linux 8. In order to connect to an\u00a0<a href=\"https:\/\/openvpn.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenVPN<\/a>\u00a0server so that you can access your intranet's local resources, you simply need an OpenVPN client. Note that the same OpenVPN software can be configured to work either as the server or as the client.<\/p>\n\n\n\n<p>Learn how to install and configure OpenVPN Server on Rocky Linux 8 by following the link below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-openvpn-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup OpenVPN Server on Rocky Linux 8<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing OpenVPN Client on Rocky Linux 8<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Install OpenVPN Client on Rocky Linux 8<\/h3>\n\n\n\n<p>OpenVPN is provided by the EPEL repository. Install the EPEL repository and check the available OpenVPN package on Rocky Linux 8 by running the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install epel-release -y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf info openvpn<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nAvailable Packages\nName         : openvpn\nVersion      : 2.4.11\nRelease      : 1.el8\nArchitecture : x86_64\nSize         : 543 k\nSource       : openvpn-2.4.11-1.el8.src.rpm\nRepository   : epel\nSummary      : A full-featured SSL VPN solution\nURL          : https:\/\/community.openvpn.net\/\nLicense      : 
GPLv2\nDescription  : OpenVPN is a robust and highly flexible tunneling application that uses all\n             : of the encryption, authentication, and certification features of the\n             : OpenSSL library to securely tunnel IP networks over a single UDP or TCP\n             : port.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library\n             : for compression\n<\/code><\/pre>\n\n\n\n<p>You can then install the OpenVPN client by executing the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install openvpn<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configureopenvpnclient\">Configure OpenVPN Client on Rocky Linux 8<\/h3>\n\n\n\n<p>To be able to connect to the OpenVPN server, you need to create the client\u2019s configuration, which references the CA certificate, the client certificate, the client private key and the tls-auth HMAC key.<\/p>\n\n\n\n<p>If you followed our guide on&nbsp;<a href=\"https:\/\/kifarunix.com\/setup-openvpn-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">setting up OpenVPN server on Rocky Linux 8<\/a>, we described how to generate the client certificate files and keys.<\/p>\n\n\n\n<p>Once you have generated the client certificate and key, copy them to the client over a secure channel and take note of the path where they are stored.<\/p>\n\n\n\n<p>You also need to copy the HMAC key (ta.key) and the CA certificate (ca.crt) to the client.<\/p>\n\n\n\n<p>You can then create the OpenVPN client configuration.<\/p>\n\n\n\n<p>For example, to create an OpenVPN configuration file for the client,&nbsp;<strong>gentoo<\/strong>, whose certificate and key are&nbsp;<strong>gentoo.crt<\/strong>&nbsp;and&nbsp;<strong>gentoo.key<\/strong>;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim gentoo.ovpn<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nclient\ntls-client\npull\ndev tun\nproto udp4\nremote 192.168.60.19 1194\nresolv-retry infinite\nnobind\n#user nobody\n#group nogroup\npersist-key\npersist-tun\nkey-direction 1\nremote-cert-tls 
server\nauth-nocache\ncomp-lzo\nverb 3\nauth SHA512\ntls-auth ta.key 1\nca ca.crt\ncert gentoo.crt\nkey gentoo.key\n<\/code><\/pre>\n\n\n\n<p>Note that in this setup, the client certificate, the key, the CA certificate and the HMAC key are referenced by relative paths and are located in the same directory as the OpenVPN client configuration itself, gentoo.ovpn, which is the directory the openvpn command is run from.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls -1 .<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ca.crt\ngentoo.crt\ngentoo.key\ngentoo.ovpn\nta.key<\/code><\/pre>\n\n\n\n<p>To avoid issues with the paths to the certificates and keys, you can embed them inline in the configuration file;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nclient\ntls-client\npull\ndev tun\nproto udp4\nremote 192.168.60.19 1194\nresolv-retry infinite\nnobind\n#user nobody\n#group nogroup\npersist-key\npersist-tun\nkey-direction 1\nremote-cert-tls server\nauth-nocache\ncomp-lzo\nverb 3\nauth SHA512\n&lt;tls-auth&gt;\n-----BEGIN OpenVPN Static key V1-----\nfeb1af5407baa247d4e772c76aed6c75\n...\n-----END OpenVPN Static key V1-----\n&lt;\/tls-auth&gt;\n&lt;ca&gt;\n-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBAgIUX0VQrHTgLDabUUIOAf7tD9cGp4YwDQYJKoZIhvcNAQEL\n...\nWA9BBk2shVWfR849Lmkep+GPyqHpU47dZAz37ARB2Gfu3w==\n-----END CERTIFICATE-----\n&lt;\/ca&gt;\n&lt;cert&gt;\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n...\n\/7FvJaeLqmUHnvSs5eBlRZSgtOL19SCFkG0HXdnw3LtBaoHQXxgzOkDPW1+5\n-----END CERTIFICATE-----\n&lt;\/cert&gt;\n&lt;key&gt;\n-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+DI7kg6MsRoCs\n...\n6WdLcNtWKAcU294xJEZoOA8\/\n-----END PRIVATE KEY-----\n&lt;\/key&gt;\n<\/code><\/pre>\n\n\n\n<p>Do the same on all the client systems for every user that needs to connect to the VPN.<\/p>\n\n\n\n<p>As you may have noticed, the lines below are left commented out to avoid the error,&nbsp;<strong>ERROR: Linux route add command failed: external program exited with error status: 2<\/strong>, which OpenVPN hits once it has dropped root privileges to the unprivileged user and group and then needs to flush the 
created routes before adding them again on reconnection.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>#user nobody\n#group nogroup<\/code><\/pre>\n\n\n\n<p>The OpenVPN client configuration file is now ready.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Connecting to OpenVPN Server on Rocky Linux 8<\/h3>\n\n\n\n<p>You can then connect to the OpenVPN server on demand, or configure the client system to establish the VPN connection automatically whenever it reboots.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Connect to OpenVPN on Command Line using openvpn command<\/h4>\n\n\n\n<p>To connect on demand, simply use the <code>openvpn<\/code> command as;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo openvpn client-config.ovpn<\/code><\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo openvpn --config client-config.ovpn<\/code><\/pre>\n\n\n\n<p>Where client-config.ovpn is the client&#8217;s OpenVPN configuration file, like the gentoo.ovpn file above.<\/p>\n\n\n\n<p>If the connection to the OpenVPN server is successful, you should see an&nbsp;<code><strong>Initialization Sequence Completed<\/strong><\/code> message at the end of the log.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nWed Jun 30 15:27:16 2021 OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Apr 21 2021\nWed Jun 30 15:27:16 2021 library versions: OpenSSL 1.1.1g FIPS  21 Apr 2020, LZO 2.08\nWed Jun 30 15:27:16 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\nWed Jun 30 15:27:16 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication\nWed Jun 30 15:27:16 2021 TCP\/UDP: Preserving recently used remote address: [AF_INET]192.168.60.19:1194\nWed Jun 30 15:27:16 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]\nWed Jun 30 15:27:16 2021 UDPv4 link local: (not bound)\nWed Jun 30 15:27:16 2021 UDPv4 link remote: 
[AF_INET]192.168.60.19:1194\nWed Jun 30 15:27:16 2021 TLS: Initial packet from [AF_INET]192.168.60.19:1194, sid=7ec70642 fdcdad40\nWed Jun 30 15:27:16 2021 VERIFY OK: depth=1, CN=Kifarunix-demo CA\nWed Jun 30 15:27:16 2021 VERIFY KU OK\nWed Jun 30 15:27:16 2021 Validating certificate extended key usage\nWed Jun 30 15:27:16 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\nWed Jun 30 15:27:16 2021 VERIFY EKU OK\nWed Jun 30 15:27:16 2021 VERIFY OK: depth=0, CN=server\nWed Jun 30 15:27:16 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1586', remote='link-mtu 1602'\nWed Jun 30 15:27:16 2021 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'\nWed Jun 30 15:27:16 2021 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'\nWed Jun 30 15:27:16 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA\nWed Jun 30 15:27:16 2021 [server] Peer Connection Initiated with [AF_INET]192.168.60.19:1194\nWed Jun 30 15:27:17 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)\nWed Jun 30 15:27:17 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.10.3,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: timers and\/or timeouts modified\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ifconfig\/up options modified\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: route options modified\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: route-related options modified\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ip-win32 and\/or --dhcp-option options modified\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: peer-id set\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: adjusting link_mtu to 1625\nWed Jun 30 15:27:17 2021 OPTIONS IMPORT: data channel crypto 
options modified\nWed Jun 30 15:27:17 2021 Data Channel: using negotiated cipher 'AES-256-GCM'\nWed Jun 30 15:27:17 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\nWed Jun 30 15:27:17 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\nWed Jun 30 15:27:17 2021 ROUTE_GATEWAY 10.0.2.2\/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73\nWed Jun 30 15:27:17 2021 TUN\/TAP device tun0 opened\nWed Jun 30 15:27:17 2021 TUN\/TAP TX queue length set to 100\nWed Jun 30 15:27:17 2021 \/sbin\/ip link set dev tun0 up mtu 1500\nWed Jun 30 15:27:17 2021 \/sbin\/ip addr add dev tun0 10.8.0.2\/24 broadcast 10.8.0.255\nWed Jun 30 15:27:17 2021 \/sbin\/ip route add 192.168.60.19\/32 via 10.0.2.2\nWed Jun 30 15:27:17 2021 \/sbin\/ip route add 0.0.0.0\/1 via 10.8.0.1\nWed Jun 30 15:27:17 2021 \/sbin\/ip route add 128.0.0.0\/1 via 10.8.0.1\nWed Jun 30 15:27:17 2021 Initialization Sequence Completed\n<\/code><\/pre>\n\n\n\n<p>The <code>'cipher' is used inconsistently<\/code> and <code>'keysize'<\/code> warnings above are harmless in this setup: the client configuration sets no <code>cipher<\/code>, so it logs the old default, but the server pushes <code>cipher AES-256-GCM<\/code> in the <code>PUSH_REPLY<\/code> and the data channel uses that negotiated cipher, as the <code>Data Channel: using negotiated cipher<\/code> line shows. The two routes for <code>0.0.0.0\/1<\/code> and <code>128.0.0.0\/1<\/code> via <code>10.8.0.1<\/code> come from the pushed <code>redirect-gateway def1<\/code> option and send all of the client's traffic through the tunnel.<\/p>\n\n\n\n<p>To check the IP address assigned to the tunnel interface;<\/p>\n\n\n\n<pre id=\"block-f730500d-7e2b-4a46-94d1-ecd98dc794fa\" class=\"wp-block-preformatted\"><code>ip add show tun0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>9: tun0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100\n    link\/none \n    inet 10.8.0.2\/24 brd 10.8.0.255 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::697:ce38:b852:540c\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\n\n<p>Test connectivity to the VPN server;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ping 10.8.0.1 -c 3<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.\n64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=2.71 ms\n64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=2.42 ms\n64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=1.95 ms\n\n--- 10.8.0.1 ping statistics ---\n3 packets transmitted, 3 
received, 0% packet loss, time 46ms\nrtt min\/avg\/max\/mdev = 1.952\/2.362\/2.713\/0.316 ms<\/code><\/pre>\n\n\n\n<p>You should also be able to get internet access through the tunnel, depending on the routes your server pushes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Running OpenVPN Client as Service<\/h4>\n\n\n\n<p>In order to establish the connection automatically whenever the client system reboots, you can enable the OpenVPN client systemd service.<\/p>\n\n\n\n<p>Before you can do this, change the extension of your VPN config file from&nbsp;<code><strong>.ovpn<\/strong><\/code>&nbsp;to&nbsp;<strong><code>.conf<\/code><\/strong>. Replace the file names accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp gentoo.{ovpn,conf}<\/code><\/pre>\n\n\n\n<p>Move the&nbsp;<strong><code>.conf<\/code><\/strong>&nbsp;file to the OpenVPN client configurations directory,&nbsp;<strong><code>\/etc\/openvpn\/client<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mv gentoo.conf \/etc\/openvpn\/client\/<\/code><\/pre>\n\n\n\n<p>If your configuration references ca.crt, gentoo.crt, gentoo.key and ta.key by relative path rather than inline, move those files into <code>\/etc\/openvpn\/client<\/code> as well, since the service runs from that directory. The inline configuration shown earlier avoids this.<\/p>\n\n\n\n<p>Next, disable SELinux (I don't recommend this though, -:));<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>setenforce 0 &amp;&amp; sed -i 's\/=enforcing\/=permissive\/' \/etc\/selinux\/config<\/code><\/pre>\n\n\n\n<p>A file moved with <code>mv<\/code> keeps the SELinux label of its original location, which is often what blocks the service; relabelling with <code>restorecon -Rv \/etc\/openvpn\/client<\/code> is the safer alternative and keeps SELinux enforcing.<\/p>\n\n\n\n<p>Start the OpenVPN client systemd service. 
Replace the name&nbsp;<strong>gentoo<\/strong>&nbsp;with the name of your .conf configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start openvpn-client@gentoo<\/code><\/pre>\n\n\n\n<p>To check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status openvpn-client@gentoo<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf openvpn-client@gentoo.service - OpenVPN tunnel for gentoo\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/openvpn-client@.service; disabled; vendor preset: disabled)\n   Active: active (running) since Wed 2021-06-30 15:48:47 EDT; 12s ago\n     Docs: man:openvpn(8)\n           https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage\n           https:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO\n Main PID: 39782 (openvpn)\n   Status: \"Initialization Sequence Completed\"\n    Tasks: 1 (limit: 11272)\n   Memory: 1.6M\n   CGroup: \/system.slice\/system-openvpn\\x2dclient.slice\/openvpn-client@gentoo.service\n           \u2514\u250039782 \/usr\/sbin\/openvpn --suppress-timestamps --nobind --config gentoo.conf\n\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: ROUTE_GATEWAY 10.0.2.2\/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN\/TAP device tun0 opened\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN\/TAP TX queue length set to 100\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: \/sbin\/ip link set dev tun0 up mtu 1500\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: \/sbin\/ip addr add dev tun0 10.8.0.2\/24 broadcast 10.8.0.255\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: \/sbin\/ip route add 192.168.60.19\/32 via 10.0.2.2\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: \/sbin\/ip route add 0.0.0.0\/1 via 10.8.0.1\nJun 30 15:48:48 
localhost.localdomain openvpn[39782]: \/sbin\/ip route add 128.0.0.0\/1 via 10.8.0.1\nJun 30 15:48:48 localhost.localdomain openvpn[39782]: Initialization Sequence Completed\n<\/code><\/pre>\n\n\n\n<p>To enable the service to start on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable openvpn-client@gentoo<\/code><\/pre>\n\n\n\n<p>You have successfully installed and set up the OpenVPN client on Rocky Linux 8.<\/p>\n\n\n\n<p>That brings us to the end of our tutorial on installing OpenVPN Client on Rocky Linux 8.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/assign-static-ip-addresses-for-openvpn-clients\/\" target=\"_blank\" rel=\"noreferrer noopener\">Assign Static IP Addresses for OpenVPN Clients<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-openvpn-ldap-based-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenVPN LDAP Based Authentication<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install and configure OpenVPN Client on Rocky Linux 8. 
In order to connect to an\u00a0OpenVPN\u00a0server<\/p>\n","protected":false},"author":3,"featured_media":9411,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,282,321],"tags":[3774,3772,283,3773],"class_list":["post-9410","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-openvpn","category-vpn","tag-connect-to-openvpn-on-command-line","tag-install-openvpn-rocky-linux-8","tag-openvpn","tag-openvpn-systemd-service","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9410"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=9410"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9410\/revisions"}],"predecessor-version":[{"id":21753,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9410\/revisions\/21753"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9411"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=9410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=9410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=9410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}