* install EPEL

    yum install epel-release

* install OpenVPN and easy-rsa (both come from EPEL)

    yum install openvpn easy-rsa -y

* make a config file for openvpn from the shipped sample

    cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
    vim /etc/openvpn/server.conf

* Change the config file. Set the DH file name to dh2048.pem (it must match the file that build-dh generates below) and uncomment the following lines:

    dh dh2048.pem
    # send all client traffic, not just VPN-subnet traffic, through the tunnel
    push "redirect-gateway def1 bypass-dhcp"
    # resolvers pushed to clients; replace with your own VPN DNS if you do not want clients to use Google's
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    # drop to an unprivileged user after start-up
    user nobody
    group nobody

  Note: the shipped sample also enables "tls-auth ta.key 0" and "persist-key" / "persist-tun". Leave persist-key and persist-tun on: once the process has dropped to nobody it can no longer reopen its key file or tun device, and those two options let it survive a restart. For tls-auth you must generate the shared key (openvpn --genkey --secret /etc/openvpn/ta.key, and give every client a copy) or the server will refuse to start; only comment the line out if you are willing to accept unauthenticated control-channel packets from anyone on the Internet.

* Generate keys and certificates

    mkdir -p /etc/openvpn/easy-rsa/keys
    cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

  Now we edit the default values in the script so we don't have to type our information in each time. Open the file in vi:

    vim /etc/openvpn/easy-rsa/vars

  Change the values that start with KEY_ so they are accurate for your organization. The two to change carefully are KEY_NAME (enter server here; you could enter something else, but then you would also have to update the configuration files that reference it) and KEY_CN (the domain or subdomain that resolves to your server). Also check that KEY_SIZE is 2048: build-dh names its output dh$KEY_SIZE.pem, so a value of 1024 would produce dh1024.pem (and a 1024-bit server key), and the server.conf above would not find dh2048.pem. Sample file below:

    . . .
    # These are the default values for fields
    # which will be placed in the certificate.
    # Don't leave any of these fields blank.
    export KEY_COUNTRY="NL"
    export KEY_PROVINCE="ZH"
    export KEY_CITY="Den Haag"
    export KEY_ORG="test"
    export KEY_EMAIL="test@test.test"
    export KEY_OU="Community"

    # X509 Subject Field
    export KEY_NAME="server"
    . . .
    export KEY_CN=vpn.test.com
    . . .

* note: the vars script picks the openssl-*.cnf file that matches the installed OpenSSL version, and the OpenSSL configuration may not load if that version cannot be detected. To avoid this, copy the versioned file to the plain name that vars falls back to:

    cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

* Next, we are going to generate the keys and certificates. Move to the easy-rsa directory and source in our new variables.
    cd /etc/openvpn/easy-rsa
    source ./vars

  Then we clean up any keys and certificates which may already be in this folder and generate our certificate authority. clean-all deletes everything under keys/, so never run it again once you have a CA whose certificates are in use:

    ./clean-all

  When you build the certificate authority you will be asked for all the information we put into the vars file, but you will see that your options are already set as the defaults, so you can just press ENTER for each one.

    ./build-ca

  Next we generate the key and certificate for the server. Press ENTER for each question, as in the step above.

    ./build-key-server server

  Now we generate the Diffie-Hellman parameters. This command takes a few minutes to complete:

    ./build-dh

  That completes the server keys and certificates. Copy them all into our OpenVPN directory, and make sure the private key stays readable by root only:

    cd /etc/openvpn/easy-rsa/keys
    cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
    chmod 600 /etc/openvpn/server.key

  To authenticate, our clients will also need certificates. These keys and certificates will be shared with your clients, and it's best to generate a separate key and certificate for each client you intend to connect, so that a lost or leaked one can be revoked without touching the others. Make sure that if you do this you give them descriptive names, but for now we're going to have one client, so we'll just call it client.

    cd /etc/openvpn/easy-rsa
    ./build-key client

  That's it for keys and certificates. A client needs only its own client.crt and client.key, the CA's ca.crt, and ta.key if tls-auth is on; never hand out server.key or the CA's ca.key.

* change the firewall settings

  Use the firewall-cmd command. Assuming you're opening the firewall up to OpenVPN on the default zone, carry out the following commands. If you are running it on a non-default zone, add --zone= followed by the zone name to the commands. First, list what's currently open:

    # firewall-cmd --list-services
    http https ssh

  Next, add the openvpn service:

    # firewall-cmd --add-service openvpn
    success

  A quick check:

    # firewall-cmd --list-services
    http https openvpn ssh

  The above will allow openvpn to work, which you can now test. However, it won't last over restarts.
  To make it permanent, add the --permanent option:

    # firewall-cmd --permanent --add-service openvpn
    success

  Finally, add the masquerade, so that client traffic leaving the server is NATed to the server's own address:

    # firewall-cmd --add-masquerade
    success

  And make it permanent after a restart:

    # firewall-cmd --permanent --add-masquerade
    success

  Confirm it:

    # firewall-cmd --query-masquerade
    yes

  // Note that if your incoming OpenVPN connection is in a different zone to your Internet-facing connection, the masquerade should be on the latter and you'll need to use the --zone= option with the --add-masquerade commands. //

  Masquerading only rewrites packets that the kernel forwards; it does not turn forwarding on. With the redirect-gateway push above, client traffic goes nowhere until IP forwarding is enabled, both now and across reboots (any file name under /etc/sysctl.d works):

    # sysctl -w net.ipv4.ip_forward=1
    # echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-openvpn.conf