OpenVPN guide

Install an OpenVPN client on CentOS 7 with login.txt auth and DNS helper hooks

A practical guide to using install_openvpn_client_centos7.sh to import the EPEL GPG key, install OpenVPN, place client.conf and login.txt, deploy update-resolv-conf, and enable openvpn-client@client on CentOS 7.

2026-04-02

What this guide is for

This flow is designed for CentOS 7 hosts that need an OpenVPN client with username/password authentication and a repeatable setup path.

Instead of handling yum, config paths, DNS helper files, and systemd commands manually every time, the helper.sh script turns the checklist into one controlled installation flow.

Step 1: Re-import the EPEL GPG key and install OpenVPN

The CentOS 7 flow imports the EPEL 7 GPG key again, ensures epel-release is installed from the EPEL 7 archive when needed, refreshes yum metadata, and then installs the openvpn package.

This matters because importing the GPG key alone does not make the openvpn package available. The helper script now handles the missing-repository case instead of stopping at "No package openvpn available".

  • sudo rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
  • sudo yum install -y https://dl.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
  • sudo yum clean all && sudo yum makecache
  • sudo yum install -y openvpn
  • curl -fsSL helper.sh/install_openvpn_client_centos7.sh | sudo bash

Step 2: Prepare /etc/openvpn/client/client.conf and login.txt

The helper expects a local client.conf and login.txt, copies them into /etc/openvpn/client/, and tightens permissions before the service starts.

In client.conf, keep auth-user-pass login.txt so the client reads the credential file from the same target directory after deployment.

  • mkdir -p /etc/openvpn/client/
  • /etc/openvpn/client/client.conf
  • /etc/openvpn/client/login.txt
  • chmod 600 /etc/openvpn/client/login.txt

Step 3: Install the DNS helper and attach up/down hooks

The CentOS 7 helper script installs /etc/openvpn/update-resolv-conf, marks it executable, and ensures client.conf contains script-security 2 plus matching up and down hook lines.

By default, the DNS helper writes 10.7.7.53 and 114.114.114.114 into /etc/resolv.conf while the VPN is up, then falls back to the public resolver when the tunnel goes down.

  • /etc/openvpn/update-resolv-conf
  • chmod +x /etc/openvpn/update-resolv-conf
  • script-security 2
  • up /etc/openvpn/update-resolv-conf
  • down /etc/openvpn/update-resolv-conf
  • /var/log/openvpn-dns-update.log
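
The checks from Step 2 and Step 3 can be run as one audit; the function below is an added example, not part of install_openvpn_client_centos7.sh. The name audit_openvpn_client and its two optional arguments are hypothetical, and the test that the hook is not writable by group or others is an added assumption, made because script-security 2 lets OpenVPN execute that file.

```shell
#!/bin/sh
# Added example: audit the files this guide deploys (not the helper's code).
# Usage: audit_openvpn_client [client-dir] [hook-path]
# Defaults are the guide's paths; the arguments allow auditing a copy.
audit_openvpn_client() {
    dir=${1:-/etc/openvpn/client}
    hook=${2:-/etc/openvpn/update-resolv-conf}
    conf=$dir/client.conf
    cred=$dir/login.txt
    fail=0
    note() { echo "[FAIL] $1"; fail=1; }

    [ -f "$conf" ] || { echo "[FAIL] missing $conf"; return 1; }

    # login.txt holds the username and password in clear text.
    if [ ! -f "$cred" ]; then
        note "missing $cred"
    elif [ -z "$(find "$cred" -prune -perm 600)" ]; then
        note "$cred is not mode 600"
    fi

    # Normalise whitespace, then require each directive as a whole line,
    # so a commented-out "# script-security 2" does not count.
    norm=$(sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$conf")
    for want in "auth-user-pass login.txt" "script-security 2" \
                "up $hook" "down $hook"; do
        printf '%s\n' "$norm" | grep -Fxq -- "$want" \
            || note "client.conf lacks: $want"
    done

    # Assumption added here: the hook is executed by OpenVPN, so it must be
    # executable and must not be writable by group or others.
    if [ ! -x "$hook" ]; then
        note "$hook missing or not executable"
    elif [ -n "$(find "$hook" -prune \( -perm -020 -o -perm -002 \))" ]; then
        note "$hook is writable by group or others"
    fi

    [ "$fail" -eq 0 ] && echo "[OK] client files match the guide"
    return "$fail"
}
```

Source the file and call audit_openvpn_client with no arguments to check the live paths; a non-zero return means at least one [FAIL] line was printed.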

What a successful installation run looks like

A healthy run on CentOS 7 should show the script detecting the host, importing the EPEL GPG key, installing epel-release when needed, refreshing yum metadata, installing openvpn plus pkcs11-helper, copying the client files, installing the DNS helper, and finally reporting openvpn-client@client as active.

A real run is a good reference: the first attempt failed at "No package openvpn available", and the corrected run continued through epel-release installation, dependency resolution, service enablement, and an active systemd unit.

  • [OK] Detected system: CentOS Linux 7 (Core)
  • [OK] epel-release installed
  • [OK] yum metadata refreshed
  • [OK] OpenVPN installed
  • [OK] DNS helper installed to /etc/openvpn/update-resolv-conf
  • [OK] openvpn-client@client is active

Step 4: Enable the service, verify tun0, and decide whether to disable full tunnel mode

After the files are in place, enable and start openvpn-client@client, then confirm tun0 receives an address and the public IP changes when appropriate.

If you do not want a full tunnel, comment out redirect-gateway autolocal, add route-nopull, and declare only the subnets that should pass through the VPN.

  • systemctl enable openvpn-client@client
  • systemctl start openvpn-client@client
  • ip a
  • curl ipinfo.im/ip
  • route-nopull
  • route 10.7.0.0 255.255.0.0
  • route 10.2.0.0 255.255.0.0
  • route 192.168.1.0 255.255.255.0

Step 5: Add a daily restart only if the environment really needs it

A daily 05:00 restart can be added through cron if the remote side or route state becomes unreliable after long runtimes.

Treat that as an operational workaround, not the default answer. If the service keeps needing forced restarts, inspect the OpenVPN logs and server-side behavior instead of relying only on cron.

  • crontab -e
  • 0 5 * * * /usr/bin/systemctl restart openvpn-client@client
