Difference between revisions of "OpenVPN 2.3 or lower on Centos 6"

From vpsget wiki
Latest revision as of 11:08, 9 March 2015

This article covers a deprecated OpenVPN version.

The current KB article, for OpenVPN 2.3.6, is here:

Redirection: OpenVPN 2.3.6 on Centos 6 (http://wiki.vpsget.com/index.php/OpenVPN_2.3.6_on_Centos_6)


This guide shows how to install OpenVPN on Centos 6 x64

Note: this guide applies to OpenVPN versions below 2.3. The Centos 6 package at the time of writing was 2.2.2, which is the version the /usr/share/doc paths below assume; adjust them to whatever version yum actually installs (ls /usr/share/doc | grep openvpn).

Check whether the TUN/TAP device is available (on an OpenVZ VPS it has to be enabled by the host):

cat /dev/net/tun

If TUN is available you should receive this (the error is expected: cat cannot read a TUN control device):

cat: /dev/net/tun: File descriptor in bad state

A "No such file or directory" or "Permission denied" answer means the device is missing or disabled, and OpenVPN will not start.

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download the LZO source RPM:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download the RPMForge repository package:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Both files arrive over plain HTTP, so check their signatures before building or installing anything from them. A NOKEY result only means the RPMForge signing key is not imported yet (it is installed by the rpmforge-release package); a digest mismatch means the download is corrupt or tampered with.

rpm -K lzo-1.08-4.rf.src.rpm rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Build and install the packages (on Centos 6 rpmbuild writes the binary RPM under ~/rpmbuild/RPMS/x86_64/, not into the current directory):

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh ~/rpmbuild/RPMS/x86_64/lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Open /etc/openvpn/easy-rsa/2.0/vars and change the line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

While the file is open, consider raising export KEY_SIZE=1024 to 2048: the Diffie-Hellman file is then generated as dh2048.pem and the dh line in server.conf below must be changed to match. Save the changes.
Create the certificates:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all

source ./vars exports the settings into the current shell; running ./vars as a program does nothing useful. ./clean-all wipes the keys/ directory, so run it once at setup and never again after certificates have been issued.

Build CA:

./build-ca

Build key server:

./build-key-server server

Build Diffie Hellman

./build-dh

Generate the client certificates, one per client. A key pair is an identity: do not copy the same client1.key to several devices, or you cannot revoke one of them without cutting off the others.

./build-key client1
./build-key client2
./build-key client3

Copy the sample server config file server.conf from /usr/share/doc/openvpn-2.2.2/sample-config-files/ to /etc/openvpn:

cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

Edit the file to get a proper configuration. Specify the paths to ca, cert, key and dh (the dh file name follows KEY_SIZE in vars), and push public DNS servers so that clients whose default route is redirected can still resolve names. The sample also contains commented-out user nobody and group nobody lines; enabling them makes the daemon drop root once it has opened the tun device and read the keys.
Example server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Client config sample file: /usr/share/doc/openvpn-2.2.2/sample-config-files/client.conf
Example client config:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

Save the client config file with the .ovpn extension (the Windows client loads profiles by that extension; on Linux the daemon expects .conf) and replace xxx.xxx.xxx.xxx with the public IP of the server.
Disable SELinux in /etc/selinux/config by changing

SELINUX=enforcing

to

SELINUX=disabled

Now enable IP forwarding. Open the file /etc/sysctl.conf and change

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Apply the new value now (the file edit alone only takes effect at the next boot):

sysctl -p

Start OpenVPN

service openvpn start

If the server is not an OpenVZ container (KVM, Xen, dedicated hardware), add this NAT rule to the firewall:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If the server is an OpenVZ container, MASQUERADE is often unavailable on venet0; use SNAT with the container's public address instead:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Change 123.123.123.123 to the correct server IP. The second rule is the one the VPN needs; the first rewrites every packet leaving venet0, which is harmless on a single-IP container but not required.
If you have CSF on the same server you need to open your OpenVPN port (usually 1194/udp) through the firewall and run the commands below; it is also a good idea to add them to /etc/csf/csfpre.sh so CSF does not drop them when it restarts.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Note that the last rule has no -s match: it rewrites the source address of every packet the host forwards or originates, not only VPN traffic, and is only needed on OpenVZ where MASQUERADE does not work. Leave it out elsewhere.

If the above rules cause you any problems or don't seem to work (especially on cPanel servers), remove them and use these instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

The last rule accepts any new connection from eth0 into the tunnel network, which is more than the return traffic the clients need; a state match (-m state --state RELATED,ESTABLISHED) on the eth0-to-tun0 direction limits it to replies.

Change 123.123.123.123 to the correct server IP, then save the rules so they survive a reboot:

iptables-save >/etc/sysconfig/iptables
service iptables restart
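The firewall section above gives three overlapping rule sets. The shell function below is an added example, not part of the vpsget guide, that produces one consistent ruleset for either case (MASQUERADE on a normal VM, SNAT on OpenVZ) with the same forwarding policy: replies are allowed back in, new connections are only allowed from the tunnel out, and NAT is applied to the VPN subnet only. Interface names, the subnet and the public address are parameters; the values used in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the vpsget guide): emit the iptables rules for the
# NAT/forwarding step as one function, so the MASQUERADE, SNAT and CSF
# variants in the text share the same forwarding policy.
#
# vpn_fw_rules MODE WAN_IF VPN_NET [PUBLIC_IP]
#   MODE   "masq" for KVM/Xen/dedicated, "snat" for OpenVZ (PUBLIC_IP required)
#   WAN_IF eth0 or venet0, VPN_NET the "server" subnet, e.g. 10.8.0.0/24
# The rules are printed, not applied: review them, then pipe the output into sh.
vpn_fw_rules() {
    mode=$1; wan=$2; net=$3; pub=$4
    case $mode in
        masq) nat="-j MASQUERADE" ;;
        snat) [ -n "$pub" ] || { echo "vpn_fw_rules: snat mode needs PUBLIC_IP" >&2; return 1; }
              nat="-j SNAT --to-source $pub" ;;
        *) echo "vpn_fw_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # 1. Return traffic for connections the VPN clients opened themselves.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # 2. New connections only from the tunnel towards the WAN side, and only
    #    from addresses in the VPN pool (no spoofed sources through the tunnel).
    echo "iptables -A FORWARD -i tun0 -o $wan -s $net -j ACCEPT"
    # 3. Nothing new from the WAN side into the tunnel. The guide's
    #    'iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT' would allow this.
    echo "iptables -A FORWARD -i $wan -o tun0 -j REJECT"
    # 4. NAT the VPN subnet only. A POSTROUTING SNAT with no -s match (the CSF
    #    block's last rule) rewrites every packet the host sends or forwards.
    echo "iptables -t nat -A POSTROUTING -s $net -o $wan $nat"
}

# Apply and persist the Centos 6 way, once the printed rules have been checked.
vpn_fw_apply() {
    vpn_fw_rules "$@" | sh && iptables-save > /etc/sysconfig/iptables
}
```

Typical use: `vpn_fw_rules masq eth0 10.8.0.0/24` on a KVM box, `vpn_fw_rules snat venet0 10.8.0.0/24 123.123.123.123` on OpenVZ; `vpn_fw_apply` with the same arguments runs them and writes /etc/sysconfig/iptables.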

Make OpenVPN start at boot:

chkconfig openvpn on

Download the client files from /etc/openvpn/easy-rsa/2.0/keys/: ca.crt plus the client's own clientN.crt and clientN.key. Do not copy ca.key, server.crt or server.key off the server.
Transfer them over an authenticated channel (scp, not e-mail) into the OpenVPN config directory on the client machine.
The OpenVPN client is available from the official site http://openvpn.net/index.php/
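The client config section and the "download client files" step above hand out four separate files per client. The script below is an added example, not code from the vpsget guide or the OpenVPN project: it builds a single .ovpn profile with the CA certificate, client certificate and client key inlined, strips the human-readable dump that easy-rsa 2.0 puts at the top of each .crt, refuses to run if a file is missing, and never touches ca.key. The keys directory layout is the one produced by ./build-ca and ./build-key above; the server address and client name in the usage note are placeholders.

```shell
#!/bin/sh
# Added example, not part of the vpsget guide: build one self-contained client
# profile (.ovpn with inline <ca>/<cert>/<key>) from the easy-rsa 2.0 keys
# directory, so the "download client files" step moves exactly one file.
# Assumed layout: KEYS_DIR/ca.crt, KEYS_DIR/<client>.crt, KEYS_DIR/<client>.key.

# Keep only the PEM block: easy-rsa .crt files begin with a text dump of the
# certificate that is just noise inside an inline section.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_ovpn_bundle KEYS_DIR CLIENT SERVER_ADDR [PORT]
# Prints the profile on stdout; returns 1 if an input file is missing.
make_ovpn_bundle() {
    keys=$1; client=$2; server=$3; port=${4:-1194}
    for f in "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
        [ -r "$f" ] || { echo "make_ovpn_bundle: missing $f" >&2; return 1; }
    done
    # Only the CA *certificate* is embedded. ca.key never leaves the CA host:
    # whoever holds it can issue certificates the server will accept.
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# comp-lzo must match the server config; compression on a VPN link is exposed
# to compression-oracle attacks, so drop it on both sides if you can.
comp-lzo
verb 3
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$client.crt")
</cert>
<key>
$(pem_only "$keys/$client.key")
</key>
EOF
}

# write_ovpn_bundle KEYS_DIR CLIENT SERVER_ADDR OUT_FILE [PORT]
# Same profile written to OUT_FILE with mode 0600: it contains the private key.
write_ovpn_bundle() {
    (umask 077; make_ovpn_bundle "$1" "$2" "$3" "${5:-1194}" > "$4")
}
```

Usage on the server, for the client1 certificate built above and a placeholder server address: `write_ovpn_bundle /etc/openvpn/easy-rsa/2.0/keys client1 123.123.123.123 /root/client1.ovpn`, then copy only /root/client1.ovpn to the client with scp. Inline <ca>/<cert>/<key> sections are understood by the 2.1 and later clients the guide links to.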

How to configure OpenVPN client on Windows: http://wiki.vpsget.com/index.php/Configure_OpenVPN_client_on_Windows

How to configure OpenVPN client on Android: http://wiki.vpsget.com/index.php/Configure_OpenVPN_client_on_Android