CentOS 5 & 6 OpenVPN Server


Dave

Founder CEO at SMR Hosting LLC
Founder of SMR Hosting. avid privacy buff, volunteer at the Salvation Army, part time gamer and private IT consultant. I enjoy cooking and am an animal lover.

Setup an OpenVPN Server on CentOS 5 or CentOS 6

Lots of people ask me for advice on how to set up their own OpenVPN server, so I have decided it is about time I wrote a blog post about it. I will make this a multi-part post: we will get basic connectivity working, add the ability to assign static IP addresses, and finally set up a good default set of iptables rules to keep the riff-raff out.

First, update the server:

yum update

Verify Tun/Tap Is Installed:

cat /dev/net/tun

Should return a similar line:

cat: /dev/net/tun: File descriptor in bad state

Download the LZO compression source RPM and configure the RPMForge repo:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

If you are on a 32-bit OS, use the following RPMForge RPM. For CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

For CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

For a 64-bit OS, use this package. For CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

For CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Build and install these RPM packages (rpmbuild writes the built binary package under its RPMS directory, /usr/src/redhat/RPMS/<arch>/ on CentOS 5 and ~/rpmbuild/RPMS/<arch>/ on CentOS 6, so point rpm -Uvh at that path if the lzo-*.rpm glob below finds nothing):

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy easy-rsa to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

CentOS 6 Only:

vi /etc/openvpn/easy-rsa/2.0/vars

Replace:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

With:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Save and quit with:

:wq

Create the certificates:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Build the Certificate Authority:

./build-ca

Country Name: may be filled in or press enter
State or Province Name: may be filled in or press enter
City: may be filled in or press enter
Org Name: may be filled in or press enter
Org Unit Name: may be filled in or press enter
Common Name: your server hostname
Email Address: may be filled in or press enter

Build the server key:

./build-key-server server

This is almost the same as ./build-ca, but note these changes and additional prompts:

Common Name: server
A challenge password: leave blank
Optional company name: fill in or press enter
Sign the certificate: y
1 out of 1 certificate requests: y

Build the Diffie-Hellman parameters (move the mouse around while it's building):

./build-dh

Create the config:

touch /etc/openvpn/server.conf

Paste the following. Note that with client-cert-not-required and the PAM plugin, clients authenticate with a system username and password only (the users created further down) and do not need their own certificate:

port 443 #- or 53 UDP
proto tcp #- use UDP if you chose 53 above
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save the file and start OpenVPN:

service openvpn restart
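As an added pre-flight check (not part of the original post), the script below reads a server.conf like the one above, verifies that every ca/cert/key/dh file it references exists and that the private key is not readable by other users, and flags the settings in this config a reviewer would look at twice. It assumes bash with GNU sed, awk and stat; the sample config and key files it builds are constructed dummies.

```shell
#!/bin/bash
# Added example, not from the original post: pre-flight checks for the server.conf
# above. Assumes bash with GNU sed/awk/stat; dummy files below are constructed, not real keys.
# conf_has FILE DIRECTIVE: succeed if DIRECTIVE is present (comments stripped).
conf_has() { sed 's/#.*//' "$1" | awk -v k="$2" '$1 == k { f = 1 } END { exit !f }'; }

# conf_get FILE DIRECTIVE: print the value of the first matching DIRECTIVE.
conf_get() { sed 's/#.*//' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'; }

# check_files FILE: ca/cert/key/dh must exist and the private key must be mode 600.
# Prints one line per problem and returns the problem count.
check_files() {
    local conf=$1 d p n=0
    for d in ca cert key dh; do
        p=$(conf_get "$conf" "$d")
        if [ ! -f "$p" ]; then echo "$d: file not found: '$p'"; n=$((n + 1))
        elif [ "$d" = key ] && [ "$(stat -c %a "$p")" != 600 ]; then
            echo "key: $p is mode $(stat -c %a "$p"), expected 600"; n=$((n + 1))
        fi
    done
    return "$n"
}

# audit_conf FILE: flag settings in the post's config that deserve a second look.
# Returns the number of findings.
audit_conf() {
    local conf=$1 n=0
    if conf_has "$conf" client-cert-not-required; then
        echo "client-cert-not-required: access rests on PAM passwords alone"; n=$((n + 1)); fi
    if [ "$(conf_get "$conf" reneg-sec)" = 0 ]; then
        echo "reneg-sec 0: the session key is never renegotiated"; n=$((n + 1)); fi
    case "$(conf_get "$conf" dh)" in
        *dh1024*) echo "dh: 1024-bit parameters; 2048-bit is the usual minimum"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# make_sample_conf DIR: constructed copy of the post's config with dummy key files.
make_sample_conf() {
    local k=$1/keys; mkdir -p "$k"
    printf 'dummy\n' | tee "$k/ca.crt" "$k/server.crt" "$k/server.key" "$k/dh1024.pem" >/dev/null
    chmod 600 "$k/server.key"
    printf 'port 443 # or 53 UDP\nproto tcp\ndev tun\nreneg-sec 0\nca %s/ca.crt\ncert %s/server.crt\nkey %s/server.key\ndh %s/dh1024.pem\nclient-cert-not-required\nserver 10.8.0.0 255.255.255.0\n' "$k" "$k" "$k" "$k" > "$1/server.conf"
}

# Demo on the constructed config; problems and findings print to stdout.
demo_dir=$(mktemp -d); make_sample_conf "$demo_dir"
check_files "$demo_dir/server.conf" || echo "$? file problem(s)"
audit_conf "$demo_dir/server.conf" || echo "$? finding(s)"
rm -rf "$demo_dir"
```

To check the real server, call check_files and audit_conf with /etc/openvpn/server.conf instead of the constructed copy.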

Enable IP forwarding by setting net.ipv4.ip_forward to 1:

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

Apply the change now (the entry in sysctl.conf keeps it across reboots):

sysctl -p

Create the basic iptables NAT rule. On dedicated servers and on Xen and KVM VPSs use:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

On OpenVZ VPSs use:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 203.0.113.3

Second OpenVZ line:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.3

Change 203.0.113.3 to your server's main IP address.

Set OpenVPN to start on boot:

chkconfig openvpn on

Create a new user:

useradd Changeme -s /bin/false

Create a password for the user:

passwd Changeme

To delete users use:

userdel Changeme

Create a client.ovpn config with:

client
dev tun
proto tcp # - or UDP
remote 203.0.113.3 443 # - Use server IP Port number
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Don't forget to change 203.0.113.3 to your server's IP address.
Download ca.crt from /etc/openvpn/easy-rsa/2.0/keys/ and put it in the same directory as client.ovpn.
OpenVPN for Windows uses C:\Program Files\OpenVPN\configs or C:\Program Files (x86)\OpenVPN\configs.
Connect to your OpenVPN server.
If you have questions or comments let me know I will try to answer whatever I can.
If I made a mistake please post a correction so I can modify the post.

11 Responses to “CentOS 5 & 6 OpenVPN Server”

  1. steve says:

    Don't you have to build a dhXXXX.pem? I am new to this and trying to figure this out for the first time. Thanks very much.

  2. Fust says:

    Finally one that freaking works. I have tried to setup OpenVPN at least 5 or 6 times and this is the first time it actually worked like it was supposed to!

  3. Quibids says:

    Thanks for your nice blog. I enjoy your writing.

  4. zai says:

    Hi, I tried to install OpenVPN and followed the instructions given, but I can't start openvpn. Why does this happen?

  5. zai says:

    Is that because I can't run rpm? The error comes like this:
    [root@localhost openvpn]# rpm -Uvh lzo-*.rpm
    error: File not found by glob: lzo-*.rpm

  6. Dave says:

    What OS are you trying to install OpenVPN on?

  7. stan says:

    I believe I followed your steps correctly, but when I give the command
    service openvpn restart I get

    Shutting down openvpn: [ OK ]
    Starting openvpn: [FAILED]

    Why is this? Also, I don't understand your next steps, which say to create iptables rules, and from there on down I don't understand; I am a newbie.
    I am trying to install OpenVPN on my Elastix server, CentOS 5.6 32-bit.


Copyright © 2013, All Rights Reserved.