OpenVPN 2.3.1 on Centos 6


This article is for a deprecated OpenVPN version.

The current KB article for the latest OpenVPN [2.3.10] version can be found here:

Click here: OpenVPN 2.3.10 on Centos 6.7


>>Get OpenVPN Ready2Go VPS. $5.95 p/m, 512 RAM, 20GB SAS, 2Tb, Netherlands, EU
   Remember to enable TUN/TAP in the SolusVM CP after you get access.

How to install [deprecated] OpenVPN 2.3.1 on Centos 6

Tested: OpenVPN 2.3.2 and OpenVPN 2.3.2 on a Centos 6 VPS.

This guide should be applicable to openvpn 2.3 and higher.


It is recommended to install the EPEL repository first.

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download the LZO source RPM:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download the RPMForge repo package for your architecture.

x64:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

x32:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

Build and install LZO, then install the RPMForge release package:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install openvpn:

yum install openvpn

Since version 2.3, easy-rsa is an independent project, so it has to be downloaded separately, for example like this:

cd /etc/openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar -zxvf EasyRSA-2.2.2.tgz
cd EasyRSA-2.2.2

Open /etc/openvpn/EasyRSA-2.2.2/vars and change the line below:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to:

export KEY_CONFIG=/etc/openvpn/EasyRSA-2.2.2/openssl-1.0.0.cnf

Save the changes. Create the certificates:

cd /etc/openvpn/EasyRSA-2.2.2
chmod 755 *
source ./vars
./vars
./clean-all

Build the CA:

./build-ca

Build the server key and certificate:

./build-key-server server

Build the Diffie-Hellman parameters:

./build-dh

Generate client keys and certificates:

./build-key client1
./build-key client2
./build-key client3

Copy the sample server config file server.conf. For openvpn-2.3.1:

cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf /etc/openvpn

For openvpn-2.3.2:

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn

Edit the file to get a proper configuration. For example, specify the paths to ca, cert, key and dh, and push public DNS servers to the clients.
Example server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/EasyRSA-2.2.2/keys/ca.crt
cert /etc/openvpn/EasyRSA-2.2.2/keys/server.crt
key /etc/openvpn/EasyRSA-2.2.2/keys/server.key
dh /etc/openvpn/EasyRSA-2.2.2/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Save the client config file with the .ovpn extension.
Disable SELinux in /etc/selinux/config by changing

SELINUX=enforcing

to

SELINUX=disabled

Now enable IP forwarding. Open the file /etc/sysctl.conf and change

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Apply the change with the command:

sysctl -p

Configure /etc/sysconfig/iptables.

Please note that you should change eth0 to your actual network device; it can be eth1, or venet0 on a VPS. Check your network devices with the ifconfig command.

Sample config:
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
# OpenVPN listens with "proto udp" on port 1194 on the public interface, so the rule must match UDP on eth0, not TCP on tun0
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Mar 28 11:52:05 2013
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 28 11:52:05 2013
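The rule set above hard-codes eth0 and leaves the INPUT and FORWARD policies at ACCEPT. As an added example (not from this wiki or from OpenVPN), the script below detects the uplink interface from the default route and emits a tighter iptables-restore file for the same server (UDP 1194, VPN subnet 10.8.0.0/24); the helper names uplink_iface and openvpn_rules are ours.

```shell
#!/bin/sh
# Added example: generate /etc/sysconfig/iptables for the OpenVPN server above.
# Assumes the server.conf from this page (proto udp, port 1194, server 10.8.0.0/24).

# Print the interface carrying the default route (eth0, eth1, venet0, ...).
uplink_iface() {
    ip -o route show default 2>/dev/null | awk '{print $5; exit}'
}

# openvpn_rules IFACE PROTO PORT SUBNET -> iptables-restore text on stdout.
# Only SSH and the VPN port are opened on the uplink; VPN clients may reach
# the Internet, and only reply traffic is forwarded back to them.
openvpn_rules() {
    iface=$1; proto=$2; port=$3; subnet=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i $iface -p $proto -m $proto --dport $port -j ACCEPT
-A FORWARD -i tun+ -o $iface -s $subnet -j ACCEPT
-A FORWARD -i $iface -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
EOF
}

# On the server:
#   openvpn_rules "$(uplink_iface)" udp 1194 10.8.0.0/24 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
```

Because the INPUT policy is DROP, confirm the SSH rule matches the port you actually log in on before loading the file.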

Start openvpn:

service openvpn start

Start openvpn and iptables at system startup:

chkconfig openvpn on
chkconfig iptables on

If OpenVPN fails to start, check whether tun/tap is active:

cat /dev/net/tun

If output is:

cat: /dev/net/tun: File descriptor in bad state

then tun/tap is active; look in /var/log/openvpn.log and /var/log/messages for the real cause.
If the output is:

cat: /dev/net/tun: No such device

then try creating the device node:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

Download the client files from /etc/openvpn/easy-rsa/2.0/keys/ and upload them to the OpenVPN directory on the client machine. The OpenVPN client is available on the official site http://openvpn.net/index.php/

How to configure OpenVPN client on Windows

How to configure OpenVPN client on Android

OpenVPN 2.3.1 Centos 6

This guide should be applicable to openvpn 2.3.x on centos 6.


  • Add a user (cert) to the existing OpenVPN users DB:

You simply need to source the vars file before creating the key. Use one of the following:

. vars

or

. ./vars

or

source ./vars

After that you can build the key for the new user:

./build-key client_new
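After ./build-key the new user's ca.crt, client_new.crt and client_new.key have to be delivered together with a client config. As an added example (not from this wiki or from easy-rsa), the helper below assembles them into a single .ovpn with inline certificate blocks, using the server settings from this page; the function name make_ovpn, the server hostname argument and the key directory argument are ours.

```shell
#!/bin/sh
# Added example: bundle an easy-rsa 2.x client into one self-contained .ovpn.
# Assumes the client was built with ./build-key NAME and the server runs with
# proto udp on port 1194 and comp-lzo, as in the server.conf on this page.

# make_ovpn NAME SERVER_HOST KEYDIR -> prints the client profile to stdout
make_ovpn() {
    name=$1; host=$2; keydir=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# accept only a peer whose certificate was issued for server use by our CA
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(cat "$keydir/ca.crt")
</ca>
<cert>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$keydir/$name.crt")
</cert>
<key>
$(cat "$keydir/$name.key")
</key>
EOF
}

# On the server, e.g.:
#   make_ovpn client_new vpn.example.org /etc/openvpn/EasyRSA-2.2.2/keys > client_new.ovpn
#   chmod 600 client_new.ovpn   # it embeds the private key
```

easy-rsa 2.x writes a human-readable dump above the PEM block in each .crt, which the sed range strips so only the certificate itself is embedded. Hand the .ovpn to the user over an authenticated channel and keep it off shared storage, since it contains the client's private key.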



Also refer to this guide if you would like to install a double VPN.
