This article will explain how to install OpenVPN on Centos 6.5 (x64) on routing mode.
Why routing mode? Well, it consumes less bandwidth than the bridging mode (some call this smaller overhead), leaving more bandwidth for useful traffic. Unless you don’t need to broadcast packets over the network you will be absolutely fine with this.

No broadcast functionality will stop Network Neighgbourhood and similar Windows services from working, but you will be able to map drives instead, and easily access Windows shares that way. You can even use this setup with a domain controller.

First, we need to install OpenVPN packages, type in CLI:

yum install openvpn easy-rsa net-tools bridge-utils -y

Then, let’s backup the original config file:

cp /etc/openvpn/server.conf /etc/openvpn/server.conf.original

edit the server.conf file and paste the following code:

vi /etc/openvpn/server.conf

port 4000
proto udp 
dev tun 
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
push "dhcp-option DNS"
push "route"
push "explicit-exit-notify 3"
keepalive 5 30
status /var/log/openvpn-online.log
log /var/log/openvpn
verb 3
user nobody
group nobody
mute 20

This will create the server on ip address (please replace this addres with the proper IP of your server in the LAN network and in this case also correct the push “route” line, if the domain isn’t, that listens on port 4000 UDP, and it will pull the connectin clients to domain. If you wish to use a DNS server of your preference (I recommend this) then correct it in the push “dhcp-option DNS” line.
Comment out the last line (client-to-client) if you want to isolate the clients from each other.

Creating the server certificates

This is the part that you do only once.

cp -R /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa 
cd /etc/openvpn/easy-rsa
mkdir keys
source ./vars

Enter the apropriate data. For future use, please mind that the CN (Common Name) parameter must be unique every time you create…let’s say ANY key. You can dig further to see why.

./build-key-server server

Enter required fields again


You can try to start the OpenVPN service now, and make it start on boot:

service openvpn start
chkconfig openvpn on

Creating the client setup

If you use a Windows box, you’ll need to download a client.

Here’s the config file for a client:


dev tun
proto udp
remote 4000
resolv-retry infinite
ca "c:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "c:\\Program Files\\OpenVPN\\config\\client1.crt"
key "c:\\Program Files\\OpenVPN\\config\\client1.key"
route-method exe
route-delay 2
remote-cert-tls server
tun-mtu-extra 32

Please replace the to the proper URL or IP address of your OpenVPN server.

This will create a VPN client that will try to (re)connect infinitelly until the connection is successful.

Creating client certificates

In this setup of installing OpenVPN on Centos, you will need certificates for the clients. In a simmilar way that you created server cerificates, you can create client certificates. On the linux box, type:

cd /etc/openvpn/easy-rsa
source ./vars

no need for ./clean-all here

./build-key-pass client1

Once again, answer all the questions, and the creation of the client certificates is done. You can name the client1 anyway you like, but don’t forget to adjust the file name in the client configurtion file.

Now you need to copy the files named client1.key, client1.crt and ca.crt from the /etc/openvpn/easy-rsa/2.0/keys directory on the server and put it in the c:\Program Files\OpenVPN\config folder. I usually use scp or WinSCP for this.

Last words

You might want to enable ip forwarding on your linux box, if the destination of the VPN clients isn’t just the CentOS box itself (for example, they’ll want to access the whole local network the VPN server is on).

vi /etc/sysctl.conf

and make sure that the option is set as follows:

net.ipv4.ip_forward = 1

Save, and let’s set SNAT for iptables:

iptables -t nat -A POSTROUTING -j SNAT –to-source
service iptables save

And now you can try to fire up your VPN connection.

Of course, if you need more clients, I suggest you make a different certificate of each client (otherwise with this setup one client would kick off the another when it connects – this is easily solvable but I do not advise it).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.