What this guide is for
This flow is designed for CentOS 7 hosts that need an OpenVPN client with username/password authentication and a repeatable setup path.
Instead of handling yum, config paths, DNS helper files, and systemd commands manually every time, the helper.sh script turns the checklist into one controlled installation flow.
Step 1: Re-import the EPEL GPG key and install OpenVPN
The CentOS 7 flow starts by importing the EPEL 7 GPG key again, then ensures epel-release is installed from the EPEL 7 archive when needed, refreshes yum metadata, and installs the openvpn package.
This matters because importing the GPG key alone does not make the openvpn package available. The current helper script now handles the missing-repository case instead of stopping at "No package openvpn available".
- sudo rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
- sudo yum install -y https://dl.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
- sudo yum clean all && sudo yum makecache
- sudo yum install -y openvpn
- curl -fsSL helper.sh/install_openvpn_client_centos7.sh | sudo bash
Step 2: Prepare /etc/openvpn/client/client.conf and login.txt
The helper expects a local client.conf and login.txt, copies them into /etc/openvpn/client/, and tightens permissions before the service starts.
In client.conf, keep auth-user-pass login.txt so the client reads the credential file from the same target directory after deployment.
- mkdir -p /etc/openvpn/client/
- /etc/openvpn/client/client.conf
- /etc/openvpn/client/login.txt
- chmod 600 /etc/openvpn/client/login.txt
Step 3: Install the DNS helper and attach up/down hooks
The CentOS 7 helper script installs /etc/openvpn/update-resolv-conf, marks it executable, and ensures client.conf contains script-security 2 plus matching up and down hook lines.
By default, the DNS helper writes 10.7.7.53 and 114.114.114.114 into /etc/resolv.conf while the VPN is up, then falls back to the public resolver when the tunnel goes down.
- /etc/openvpn/update-resolv-conf
- chmod +x /etc/openvpn/update-resolv-conf
- script-security 2
- up /etc/openvpn/update-resolv-conf
- down /etc/openvpn/update-resolv-conf
- /var/log/openvpn-dns-update.log
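A pre-start audit of the files from Steps 2 and 3, as an added example that is not part of the helper.sh script. The function name audit_openvpn_client is hypothetical, GNU stat is assumed, and the check that the DNS helper is not writable by group or others goes beyond the page's list.

```shell
# Added example: audit the Step 2 and Step 3 files before starting the service.
# Usage: audit_openvpn_client [client_dir] [dns_helper]  (defaults: the page's paths)
# Prints one line per finding and returns the number of failed checks.
audit_openvpn_client() {
    dir=${1:-/etc/openvpn/client}
    helper=${2:-/etc/openvpn/update-resolv-conf}
    conf="$dir/client.conf"
    cred="$dir/login.txt"
    fails=0
    fail() { echo "[FAIL] $1"; fails=$((fails + 1)); }
    # has_directive REGEX: true if client.conf has a matching uncommented line
    has_directive() { grep -Eq "^[[:space:]]*$1[[:space:]]*(#.*)?$" "$conf"; }

    if [ ! -f "$conf" ]; then
        fail "missing $conf"
        return "$fails"
    fi

    # Credential file: present and readable by its owner only (chmod 600).
    if [ ! -f "$cred" ]; then
        fail "missing $cred"
    elif [ "$(stat -c '%a' "$cred")" != "600" ]; then
        fail "$cred mode is $(stat -c '%a' "$cred"), expected 600"
    fi

    has_directive 'auth-user-pass[[:space:]]+login\.txt' || fail "auth-user-pass login.txt not set"
    has_directive 'script-security[[:space:]]+2' || fail "script-security 2 not set"
    for hook in up down; do
        has_directive "$hook[[:space:]]+$helper" || fail "$hook hook does not call $helper"
    done

    # The hook runs with the OpenVPN daemon's privileges, so it must be
    # executable and should not be writable by group or others (the
    # writability check is an addition to the page's list).
    if [ ! -x "$helper" ]; then
        fail "$helper missing or not executable"
    else
        case "$(stat -c '%a' "$helper")" in
            *[2367]?|*[2367]) fail "$helper is writable by group or others" ;;
        esac
    fi

    [ "$fails" -eq 0 ] && echo "[OK] $dir and $helper pass all checks"
    return "$fails"
}
```

Run it as root with no arguments to check the deployed paths; a non-zero exit status is the number of failed checks.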
What a successful installation run looks like
A healthy run on CentOS 7 should show the script detecting the host, importing the EPEL GPG key, installing epel-release when needed, refreshing yum metadata, installing openvpn plus pkcs11-helper, copying the client files, installing the DNS helper, and finally reporting openvpn-client@client as active.
Your real output is a good reference: the first attempt failed at "No package openvpn available", and the corrected run continued through epel-release installation, dependency resolution, service enablement, and an active systemd unit.
- [OK] Detected system: CentOS Linux 7 (Core)
- [OK] epel-release installed
- [OK] yum metadata refreshed
- [OK] OpenVPN installed
- [OK] DNS helper installed to /etc/openvpn/update-resolv-conf
- [OK] openvpn-client@client is active
Step 4: Enable the service, verify tun0, and decide whether to disable full tunnel mode
After the files are in place, enable and start openvpn-client@client, then confirm tun0 receives an address and the public IP changes when appropriate.
If you do not want a full tunnel, comment out redirect-gateway autolocal, add route-nopull, and declare only the subnets that should pass through the VPN.
- systemctl enable openvpn-client@client
- systemctl start openvpn-client@client
- ip a
- curl ipinfo.im/ip
- route-nopull
- route 10.7.0.0 255.255.0.0
- route 10.2.0.0 255.255.0.0
- route 192.168.1.0 255.255.255.0
Step 5: Add a daily restart only if the environment really needs it
A daily 05:00 restart can be added through cron if the remote side or route state becomes unreliable after long runtimes.
Treat that as an operational workaround, not the default answer. If the service keeps needing forced restarts, inspect the OpenVPN logs and server-side behavior instead of relying only on cron.
- crontab -e
- 0 5 * * * /usr/bin/systemctl restart openvpn-client@client