OpenVPN 2.3 or lower on Centos 6

From vpsget wiki

Revision as of 16:20, 11 June 2013

This guide shows how to install OpenVPN on CentOS 6 x64.

Note: this guide applies to OpenVPN versions below 2.3.

Check whether the tun/tap device is available:

cat /dev/net/tun

If tun is available you should see this:

cat: /dev/net/tun: File descriptor in bad state

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download the LZO source RPM:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download the RPMForge repository package:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Build and install the RPM packages:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Open /etc/openvpn/easy-rsa/2.0/vars and change the line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

and save the changes.
Create the certificates:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all

Build the CA:

./build-ca

Build the server key and certificate:

./build-key-server server

Build the Diffie-Hellman parameters:

./build-dh

Generate the client certificates:

./build-key client1
./build-key client2
./build-key client3

Copy the sample server config file server.conf from /usr/share/doc/openvpn-2.2.2/ to /etc/openvpn:

cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

Edit the file to get a proper configuration: for example, set the paths to ca, cert, key and dh, and push public DNS servers to the clients.
Example server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

A sample client config file is in /usr/share/doc/openvpn-2.0/
Example client config:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

Save the client config file with the .ovpn extension.
Disable SELinux in /etc/selinux/config by changing

SELINUX=enforcing

to

SELINUX=disabled

Now enable IP forwarding. Open /etc/sysctl.conf and change

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Apply the change with:

sysctl -p

Start OpenVPN:

service openvpn start

If the server is not an OpenVZ container, add the line below to the firewall:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If the server is an OpenVZ container, add these rules to the firewall:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Change 123.123.123.123 to the correct server IP.
If you have CSF on the same server you need to open your OpenVPN port (usually 1194) in the firewall and run the commands below for CSF; it is also a good idea to add them to /etc/csf/csfpre.sh.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

If the rules above cause problems or do not seem to work (especially on cPanel servers), remove them and use the rules below instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Change 123.123.123.123 to the correct server IP. Save the changes:

iptables-save >/etc/sysconfig/iptables
service iptables restart
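As an added check (not part of the original guide), the POSIX shell script below cross-checks the server.conf shown above against the saved iptables rules: a NAT -s subnet that does not match the server directive is a common reason clients connect but cannot reach anything, and the dh1024.pem name used in the sample config means 1024-bit DH parameters, which are considered too weak today. The sample server.conf and rules file are constructed inline, and the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the vpsget guide: cross-check an OpenVPN
# server.conf against the saved iptables rules (iptables-save format), so the
# NAT source subnet matches the "server" directive and the DH size is not weak.

# Dotted-quad netmask -> prefix length (255.255.255.0 -> 24); fails on junk.
mask_to_prefix() {
  prefix=0
  for octet in $(echo "$1" | tr . ' '); do
    case $octet in
      255) prefix=$((prefix + 8)) ;;  254) prefix=$((prefix + 7)) ;;
      252) prefix=$((prefix + 6)) ;;  248) prefix=$((prefix + 5)) ;;
      240) prefix=$((prefix + 4)) ;;  224) prefix=$((prefix + 3)) ;;
      192) prefix=$((prefix + 2)) ;;  128) prefix=$((prefix + 1)) ;;
      0) ;;
      *) return 1 ;;
    esac
  done
  echo "$prefix"
}

# CIDR of the VPN pool, taken from the "server NETWORK NETMASK" line of $1.
vpn_cidr() {
  set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
  [ $# -eq 2 ] || return 1
  pfx=$(mask_to_prefix "$2") || return 1
  echo "$1/$pfx"
}

# Bit size encoded in the easy-rsa DH file name (dh1024.pem -> 1024).
dh_bits() {
  sed -n 's/^dh .*dh\([0-9]*\)\.pem$/\1/p' "$1"
}

# Succeeds only if the rules in $2 NAT exactly the subnet configured in $1.
nat_matches() {
  cidr=$(vpn_cidr "$1") || return 1
  grep -q -- "-A POSTROUTING -s $cidr " "$2"
}

# Constructed sample inputs mirroring the guide; the subnet in the rules was
# mistyped as /16, which nat_matches reports.
CONF=$(mktemp); RULES=$(mktemp)
printf '%s\n' 'port 1194' 'server 10.8.0.0 255.255.255.0' \
  'dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem' > "$CONF"
printf '%s\n' '-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE' > "$RULES"
nat_matches "$CONF" "$RULES" || echo "NAT rule subnet differs from $(vpn_cidr "$CONF")"
[ "$(dh_bits "$CONF")" -ge 2048 ] || echo "DH below 2048 bits; set KEY_SIZE=2048 in vars and rerun ./build-dh"
```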

Make OpenVPN start at boot:

chkconfig openvpn on

Download the client files (ca.crt, client1.crt and client1.key) from /etc/openvpn/easy-rsa/2.0/keys/ and upload them to the OpenVPN directory on the client machine; client1.key is the client's private key, so transfer it over a secure channel.
The OpenVPN client is available on the official site: http://openvpn.net/index.php/download.html