OpenVPN 2.3 or lower on Centos 6

From vpsget wiki
Revision as of 16:22, 27 March 2013 by Vq

This guide shows how to install OpenVPN on CentOS 6 x64.

First check that the TUN/TAP device is available:

cat /dev/net/tun

If TUN is available you should see this (the error is expected; it means the device exists and cat simply cannot read from it):

cat: /dev/net/tun: File descriptor in bad state

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download the LZO source RPM:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download the RPMForge repository package:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Build and install the RPM packages:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Open /etc/openvpn/easy-rsa/2.0/vars and change the line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Save the changes, then prepare the key directory:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars    # must be sourced, not executed, so the KEY_* variables are set in this shell
./clean-all      # empties the keys/ directory; run it only once, on a fresh setup

Build the CA:

./build-ca

Build the server key and certificate:

./build-key-server server

Build the Diffie-Hellman parameters:

./build-dh

Copy the sample server config file server.conf from /usr/share/doc/openvpn-2.2.2/sample-config-files/ to /etc/openvpn:

cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

Edit the file to suit your setup.
Disable SELinux in /etc/selinux/config (this file is read at boot, so the change takes effect after a reboot) by changing

SELINUX=enforcing

to

SELINUX=disabled

Now enable IP forwarding. Open the file /etc/sysctl.conf and change

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Apply the change with:

sysctl -p
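The three checks above (TUN device present, IP forwarding on, SELinux mode as configured) are easy to get wrong on a VPS, so here is a small preflight script that verifies them in one go. It is an added example, not part of the vpsget guide; the function names check_tun, check_ip_forward, selinux_config_mode and preflight are this example's own. Every path is a parameter whose default is the real system path, so the functions can also be pointed at a test tree.

```bash
#!/bin/sh
# Added example (not from the vpsget wiki): verify the system state this guide
# expects before starting OpenVPN. Every path is a parameter with the real
# system path as default, so the checks can also be run against a test tree.

# check_tun [DEVICE]: 0 if the TUN/TAP control device is a character device.
# Same information as "cat /dev/net/tun", without parsing cat's error text.
check_tun() {
    tun_dev="${1:-/dev/net/tun}"
    if [ -c "$tun_dev" ]; then
        echo "tun: ok ($tun_dev)"
        return 0
    fi
    echo "tun: MISSING ($tun_dev) - enable TUN/TAP for this VPS first"
    return 1
}

# check_ip_forward [FILE]: 0 if the running kernel has IPv4 forwarding on
# (what "sysctl -p" should have applied from /etc/sysctl.conf).
check_ip_forward() {
    fwd_file="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ -r "$fwd_file" ] && [ "$(cat "$fwd_file")" = "1" ]; then
        echo "ip_forward: ok"
        return 0
    fi
    echo "ip_forward: OFF - set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p"
    return 1
}

# selinux_config_mode [FILE]: print the SELINUX= value from /etc/selinux/config
# (enforcing, permissive or disabled), ignoring comments; "unknown" if absent.
# This is the mode applied at boot, which may differ from the live mode.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    mode=$(grep -E '^[[:space:]]*SELINUX=' "$cfg" 2>/dev/null | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
    echo "${mode:-unknown}"
}

# preflight [TUN_DEV] [FWD_FILE] [SELINUX_CFG]: run all checks; the exit
# status is the number of failed checks.
preflight() {
    failures=0
    check_tun "$1" || failures=$((failures + 1))
    check_ip_forward "$2" || failures=$((failures + 1))
    echo "selinux config mode: $(selinux_config_mode "$3")"
    return "$failures"
}

# Stand-alone run against the real system paths.
preflight || echo "preflight: $? check(s) failed"
```

Run it after sysctl -p and again after the reboot that applies the SELinux change; a non-zero exit status tells you how many of the checks still fail.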

Start OpenVPN:

service openvpn start

If the server is not an OpenVZ container, add this NAT rule to the firewall:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If the server is an OpenVZ container (venet0 interface), add these rules to the firewall:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Change 123.123.123.123 to the correct server IP. If you have CSF on the same server, you need to open your OpenVPN port (usually 1194) in the firewall and run the commands below for CSF; it is also a good idea to add them to /etc/csf/csfpre.sh so they are re-applied whenever CSF restarts.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

If the above rules cause problems or do not seem to work (especially on cPanel servers), remove them and use these instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Change 123.123.123.123 to the correct server IP, then save the rules so they survive a firewall restart:

service iptables save
service iptables restart
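All of the firewall commands above use iptables -A, which appends unconditionally: running them a second time (for example from csfpre.sh after a CSF restart) leaves duplicate rules. The script below is an added example, not from the vpsget guide. It covers the guide's two cases (MASQUERADE on a normal host, SNAT to the server IP on OpenVZ) in one function that probes each rule with iptables -C before adding it, narrows the SNAT and FORWARD rules to the VPN subnet and tunnel interface, and admits traffic back into the tunnel only for RELATED,ESTABLISHED connections, as the CSF variant above does. VPN_NET, TUN_IF, DRY_RUN, ensure_rule and openvpn_firewall are this example's own names; 10.8.0.0/24 and 123.123.123.123 are the guide's placeholders.

```bash
#!/bin/sh
# Added example (not from the vpsget wiki): apply the NAT and FORWARD rules
# from this guide without duplicating them on every run. "iptables -A" appends
# unconditionally, so each rule is first probed with "iptables -C" and only
# added when absent. Assumed defaults: VPN subnet 10.8.0.0/24 and tunnel
# device tun0, as in the guide.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to really call iptables (needs root)

# ensure_rule TABLE CHAIN RULE...: add the rule unless it is already present.
# In dry-run mode the iptables command is printed instead of executed.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" != 0 ]; then
        echo "iptables -t $table -A $chain $*"
        return 0
    fi
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table $chain $*"
    else
        iptables -t "$table" -A "$chain" "$@"
        echo "added:   -t $table $chain $*"
    fi
}

# openvpn_firewall MODE PUBLIC_IF [PUBLIC_IP]
#   MODE "masquerade": dedicated server / KVM guest, MASQUERADE out of PUBLIC_IF
#   MODE "snat":       OpenVZ container (venet0), SNAT to the container's PUBLIC_IP
openvpn_firewall() {
    mode="$1"; pub_if="$2"; pub_ip="$3"
    case "$mode" in
        masquerade) ;;
        snat)
            if [ -z "$pub_ip" ]; then
                echo "snat mode needs the server's public IP" >&2
                return 2
            fi ;;
        *)
            echo "unknown mode: $mode (use masquerade or snat)" >&2
            return 2 ;;
    esac
    # VPN clients may go out; only replies to their connections come back in.
    ensure_rule filter FORWARD -i "$TUN_IF" -o "$pub_if" -s "$VPN_NET" -j ACCEPT
    ensure_rule filter FORWARD -i "$pub_if" -o "$TUN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    if [ "$mode" = masquerade ]; then
        ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$pub_if" -j MASQUERADE
    else
        ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$pub_if" -j SNAT --to-source "$pub_ip"
    fi
}

# Stand-alone run: print the rules for a non-OpenVZ host (dry run by default).
openvpn_firewall masquerade eth0
```

Run it once with DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 as root, followed by service iptables save; because every rule is checked first, the same call is safe to put in /etc/csf/csfpre.sh.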

Make OpenVPN start at boot:

chkconfig openvpn on

Generate the client keys and certificates (from /etc/openvpn/easy-rsa/2.0, with vars sourced):

./build-key client1
./build-key client2
./build-key client3

Copy the sample client config file (client.conf) from /usr/share/doc/openvpn-2.0/ and edit it to the required configuration.
Collect the client files (the client's certificate and key, plus ca.crt) from /etc/openvpn/easy-rsa/2.0/keys/.
Upload these files to the OpenVPN directory on the client machine.
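Picking the right three files out of the keys/ directory by hand is where most mistakes happen: a client gets the wrong key, or ca.key ends up in the upload. The script below is an added example, not part of the vpsget guide, that assembles one client's bundle from the easy-rsa 2.0 layout (keys/ca.crt, keys/NAME.crt, keys/NAME.key, which is what build-key produces), refuses to proceed if a file is missing or if the certificate and key do not share the same RSA modulus, and writes the result into an owner-only directory with the key at mode 600. cert_matches_key and bundle_client are this example's own names; the default output directory /root/openvpn-clients is an assumption.

```bash
#!/bin/sh
# Added example (not from the vpsget wiki): assemble the files one client needs
# from easy-rsa 2.0's keys directory into its own directory with restrictive
# permissions, refusing to continue if anything is missing or mismatched.
# Assumed layout (easy-rsa 2.0 defaults): KEY_DIR/ca.crt, KEY_DIR/NAME.crt,
# KEY_DIR/NAME.key. ca.key and the server key are never part of a client bundle.

# cert_matches_key CERT KEY: 0 if the RSA modulus in CERT equals the one in KEY.
# Catches pairing client1.crt with client2.key. Skipped (returns 0) when
# openssl is not installed.
cert_matches_key() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping cert/key match check" >&2
        return 0
    fi
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# bundle_client NAME [KEY_DIR] [OUT_DIR]: copy ca.crt, NAME.crt and NAME.key to
# OUT_DIR/NAME (owner-only directory, key mode 600) and print that path.
bundle_client() {
    name="$1"
    key_dir="${2:-/etc/openvpn/easy-rsa/2.0/keys}"
    out_dir="${3:-/root/openvpn-clients}/$name"

    # Refuse names that would escape the output directory.
    case "$name" in
        ""|.|..|*/*) echo "invalid client name: '$name'" >&2; return 2 ;;
    esac
    for f in ca.crt "$name.crt" "$name.key"; do
        if [ ! -s "$key_dir/$f" ]; then
            echo "missing or empty: $key_dir/$f (run ./build-key $name first?)" >&2
            return 1
        fi
    done
    if ! cert_matches_key "$key_dir/$name.crt" "$key_dir/$name.key"; then
        echo "$name.crt and $name.key do not belong together" >&2
        return 1
    fi

    # umask 077 in a subshell: new files are never world-readable, even briefly.
    ( umask 077 &&
      mkdir -p "$out_dir" &&
      cp "$key_dir/ca.crt" "$key_dir/$name.crt" "$key_dir/$name.key" "$out_dir/" ) || return 1
    chmod 644 "$out_dir/ca.crt" "$out_dir/$name.crt"   # certificates are public
    chmod 600 "$out_dir/$name.key"                      # the private key is not
    echo "$out_dir"
}

# Stand-alone use: sh bundle-client.sh client1 [KEY_DIR] [OUT_DIR]
if [ "$#" -gt 0 ]; then
    bundle_client "$@"
fi
```

Run it once per client after the build-key step; the directory it prints is what gets uploaded, together with the edited client.conf, and the printed path can be fed straight to scp or tar.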