OpenVPN 2.3 or lower on CentOS 6
This guide shows how to install OpenVPN on CentOS 6 x64.
Note: This guide is applicable to OpenVPN versions under 2.3.
Check whether tun/tap is active:
cat /dev/net/tun
If tun is active you should see this:
cat: /dev/net/tun: File descriptor in bad state
Make sure you have these packages installed:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Download LZO RPM
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Download RPMForge Repo
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Build and install the rpm packages:
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
Install OpenVPN:
yum install openvpn -y
Copy the easy-rsa folder to /etc/openvpn/:
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Open up /etc/openvpn/easy-rsa/2.0/vars and change the line below:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
to:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
And save changes.
Create the certificates:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Build CA:
./build-ca
Build the server key:
./build-key-server server
Build Diffie-Hellman parameters:
./build-dh
Generate client keys:
./build-key client1
./build-key client2
./build-key client3
Copy the server config file server.conf from /usr/share/doc/openvpn-2.2.2/ to /etc/openvpn:
cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
Edit the file to match your setup. For example, specify the paths to the ca, cert and key files, and push public DNS servers.
Example server config:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Client config sample file: /usr/share/doc/openvpn-2.0/
Example client config:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Save the client config file with the .ovpn extension.
Disable SELinux in /etc/selinux/config by changing
SELINUX=enforcing
to
SELINUX=disabled
Now enable IP forwarding. Open the file /etc/sysctl.conf and change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
Apply the change with:
sysctl -p
Start OpenVPN:
service openvpn start
If OpenVZ is not used, add the line below to the firewall:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If OpenVZ is used, add these rules to the firewall:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
Change 123.123.123.123 to the correct server IP.
If you have CSF on the same server you need to open your OpenVPN port (usually 1194) through the firewall and run the commands below for CSF; it is also a good idea to add them to /etc/csf/csfpre.sh.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
If the above rules cause you any problems or don't seem to work (especially on cPanel servers), remove the rules above and use the ones below:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
Change 123.123.123.123 to the correct server IP. Save the changes:
iptables-save >/etc/sysconfig/iptables
service iptables restart
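The routing section above has three settings that must agree with each other: the subnet on the server.conf `server` line, the `-s` source subnet in the POSTROUTING NAT rule (and the FORWARD accept rule), and net.ipv4.ip_forward. A mismatch is the usual reason clients connect but get no traffic. The script below is an added example, not part of the original guide; it reads a copied server.conf, a saved `iptables-save` dump and a sysctl file, and reports which of the three pieces is missing. The sample inputs it writes are constructed to match the guide's example values.

```shell
#!/bin/sh
# Added example (not from the original guide): cross-check the OpenVPN server
# subnet against the NAT/FORWARD rules and the ip_forward setting.
# Inputs are plain files so it can run against copies taken from a host.

# mask_to_prefix DOTTED_MASK: print the CIDR prefix length (255.255.255.0 -> 24)
mask_to_prefix() {
    prefix=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0)   ;;
            *)   return 1 ;;    # not a valid contiguous netmask octet
        esac
    done
    printf '%s\n' "$prefix"
}

# server_subnet CONFIG: read "server NET MASK" from server.conf, print NET/PREFIX
server_subnet() {
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ $# -eq 2 ] || return 1
    prefix=$(mask_to_prefix "$2") || return 1
    printf '%s/%s\n' "$1" "$prefix"
}

# nat_covers DUMP SUBNET: true if a POSTROUTING MASQUERADE/SNAT rule has -s SUBNET
nat_covers() {
    grep -E -- "^-A POSTROUTING .*-s $2 .*-j (MASQUERADE|SNAT)" "$1" >/dev/null
}

# forward_allows DUMP SUBNET: true if FORWARD accepts the VPN traffic, either by
# source subnet or by tun0 interface (the two variants the guide gives)
forward_allows() {
    grep -E -- "^-A FORWARD (-s $2|-i tun0) .*-j ACCEPT" "$1" >/dev/null
}

# check_vpn_routing CONFIG DUMP SYSCTL: print a report, return 0 only if all pass
check_vpn_routing() {
    subnet=$(server_subnet "$1") || { echo "no 'server' line in $1"; return 1; }
    rc=0
    if nat_covers "$2" "$subnet"; then echo "ok: NAT rule for $subnet"
    else echo "MISSING: POSTROUTING rule with -s $subnet"; rc=1; fi
    if forward_allows "$2" "$subnet"; then echo "ok: FORWARD accepts $subnet"
    else echo "MISSING: FORWARD accept for $subnet"; rc=1; fi
    if grep -Eq '^net\.ipv4\.ip_forward *= *1' "$3"; then echo "ok: ip_forward = 1"
    else echo "MISSING: net.ipv4.ip_forward = 1 in $3"; rc=1; fi
    return $rc
}

# write_samples DIR: constructed sample inputs in the shape the guide produces
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
EOF
    cat > "$1/iptables.dump" <<'EOF'
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
    printf 'net.ipv4.ip_forward = 1\n' > "$1/sysctl.conf"
}

# Stand-alone demo on the constructed samples. On a live host pass
# /etc/openvpn/server.conf, a file written by `iptables-save`, and /etc/sysctl.conf.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_vpn_routing "$demo_dir/server.conf" "$demo_dir/iptables.dump" "$demo_dir/sysctl.conf"
rm -rf "$demo_dir"
```

The check only looks at what the guide configures; it does not prove the kernel actually routes, so after it passes, confirm from a client that traffic leaves via the server's public address.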
Make OpenVPN start at boot:
chkconfig openvpn on
Download the client files from /etc/openvpn/easy-rsa/2.0/keys/
Upload these files to the OpenVPN directory on the client machine.
The OpenVPN client is available on the official site http://openvpn.net/index.php/
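Instead of shipping ca.crt, client1.crt and client1.key as three loose files next to the .ovpn, the three can be embedded in the .ovpn itself using OpenVPN's inline <ca>, <cert> and <key> sections, so a single file reaches the client and the private key is not left lying around separately. The script below is an added example, not part of the original guide; it assumes the easy-rsa 2.0 keys/ layout used above (keys/ca.crt, keys/NAME.crt, keys/NAME.key) and the client settings from the example client config. The placeholder key material it writes for its demo is constructed and is not a real certificate or key.

```shell
#!/bin/sh
# Added example (not from the original guide): bundle one client's files from
# easy-rsa's keys/ directory into a single .ovpn with inline certificate sections.

# pem_block FILE: print only the PEM section. easy-rsa's .crt files carry a
# human-readable text dump before the -----BEGIN line; the inline block should
# hold just the PEM.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn KEYS_DIR CLIENT SERVER_ADDR OUTFILE: write the inline config.
# Fails before writing anything if one of the three input files is missing.
build_ovpn() {
    keys=$1; name=$2; remote=$3; out=$4
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$remote"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\ncomp-lzo\nverb 3\n'
        printf '<ca>\n';   pem_block "$keys/ca.crt";    printf '</ca>\n'
        printf '<cert>\n'; pem_block "$keys/$name.crt"; printf '</cert>\n'
        printf '<key>\n';  pem_block "$keys/$name.key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"    # the file now contains the client's private key
}

# count_inline OUTFILE: how many of the three inline sections are present
count_inline() {
    grep -c -E '^<(ca|cert|key)>$' "$1"
}

# write_sample_keys DIR: constructed placeholders in PEM shape for the demo.
# These are NOT real certificates or keys; on a host use the real keys/ directory.
write_sample_keys() {
    mkdir -p "$1"
    for f in ca.crt client1.crt; do
        printf '%s\n' 'Certificate:' '    Data: (text dump easy-rsa prepends)' \
            '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgU0FNUExF' \
            '-----END CERTIFICATE-----' > "$1/$f"
    done
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQgU0FNUExF' \
        '-----END PRIVATE KEY-----' > "$1/client1.key"
}

# Stand-alone demo. On the server run instead, for example:
#   build_ovpn /etc/openvpn/easy-rsa/2.0/keys client1 xxx.xxx.xxx.xxx client1.ovpn
demo=$(mktemp -d)
write_sample_keys "$demo/keys"
build_ovpn "$demo/keys" client1 xxx.xxx.xxx.xxx "$demo/client1.ovpn"
echo "wrote $demo/client1.ovpn with $(count_inline "$demo/client1.ovpn") inline sections"
rm -rf "$demo"
```

Replace xxx.xxx.xxx.xxx with the server address as in the client config above. The resulting .ovpn is mode 600 because it carries the private key; transfer it over an authenticated channel (scp or similar) rather than e-mail.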
How to configure OpenVPN client on Windows
How to configure OpenVPN client on Android